aislop 0.10.2 → 0.11.0

package/dist/index.js

@@ -1,8 +1,8 @@
-import { t as APP_VERSION } from "./version-BfJVwhN2.js";
-import { n as getEngineLabel, t as ENGINE_INFO } from "./engine-info-Cpt36DqZ.js";
-import { n as runSubprocess, t as isToolInstalled } from "./subprocess-0uXz8HdE.js";
-import { r as runGenericLinter, t as fixRubyLint } from "./generic-BsQa13CS.js";
-import { n as runExpoDoctor } from "./expo-doctor-c-jE6pR2.js";
+import { i as getEngineLabel, r as ENGINE_INFO, t as summarizeFindingAssessments } from "./finding-assessment-PCl1fnok.js";
+import { n as runSubprocess, t as isToolInstalled } from "./subprocess-CQUJDGgn.js";
+import { t as APP_VERSION } from "./version-BJA3AcRM.js";
+import { r as runGenericLinter, t as fixRubyLint } from "./generic-D_T4cUaC.js";
+import { n as runExpoDoctor } from "./expo-doctor-BwLKXF__.js";
 import { createRequire, isBuiltin } from "node:module";
 import fs from "node:fs";
 import path from "node:path";
@@ -18,6 +18,8 @@ import ts from "typescript";
 import os from "node:os";
 import { randomUUID } from "node:crypto";
 import { isCancel, multiselect, select, text } from "@clack/prompts";
+import * as readline from "node:readline";
+import { Writable } from "node:stream";
 
 //#region src/config/defaults.ts
 const DEFAULT_CONFIG = {
@@ -62,7 +64,8 @@ const DEFAULT_CONFIG = {
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	},
 	ci: {
 		failBelow: 70,
@@ -85,9 +88,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: scanaislop/aislop@v${APP_VERSION}
+      - uses: scanaislop/aislop@v1
         with:
-          version: ${APP_VERSION}
+          version: latest
 `;
 const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 # Uncomment and customize to enforce your project's conventions.
@@ -186,7 +189,8 @@ const ScoringSchema = z.object({
 		good: 75,
 		ok: 50
 	})),
-	smoothing: z.number().nonnegative().default(20)
+	smoothing: z.number().nonnegative().default(20),
+	maxPerRule: z.number().positive().default(40)
 });
 const CiSchema = z.object({
 	failBelow: z.number().default(70),
@@ -226,7 +230,8 @@ const AislopConfigSchema = z.object({
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	})),
 	ci: CiSchema.default(() => ({
 		failBelow: 70,
@@ -390,7 +395,7 @@ const renderHeader = (input, _deps = {}) => {
 
 //#endregion
 //#region src/ui/invocation.ts
-const detectInvocation = () => "npx aislop";
+const detectInvocation = () => "aislop";
 
 //#endregion
 //#region src/ui/symbols.ts
@@ -546,6 +551,19 @@ const padStart = (s, target, fill = " ") => {
 	if (w >= target) return s;
 	return fill.repeat(target - w) + s;
 };
+const truncate = (s, max, ellipsis = "…") => {
+	if (stringWidth(s) <= max) return s;
+	const limit = Math.max(0, max - stringWidth(ellipsis));
+	let out = "";
+	let w = 0;
+	for (const ch of s) {
+		const cw = wcwidth(ch.codePointAt(0) ?? 0);
+		if (w + cw > limit) break;
+		out += ch;
+		w += cw;
+	}
+	return out + ellipsis;
+};
 
 //#endregion
 //#region src/utils/source-files.ts
@@ -1049,7 +1067,7 @@ const buildDoctorRender = (input) => {
 	};
 	const header = renderHeader({
 		version: APP_VERSION,
-		command: "doctor",
+		command: "Doctor report",
 		context: [input.projectName, input.languageLabel].filter((s) => s.length > 0),
 		brand: input.printBrand !== false
 	}, deps);
@@ -1767,8 +1785,8 @@ const PHP_DECL_START = /^\s*(?:(?:public|private|protected|static|final|abstract
 
 //#endregion
 //#region src/engines/ai-slop/non-production-paths.ts
-const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
-const BASENAME_PATTERN = /(?:^|\/)(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example)\.[mc]?[jt]sx?$/i;
+const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|prototypes?|experiments?|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
+const BASENAME_PATTERN = /(?:^|\/)(?:(?:prototype|experiment)(?:[-_.][^/]*)?|(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*)\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example|prototype|experiment)\.[mc]?[jt]sx?$/i;
 const isNonProductionPath = (relativePath) => DIR_PATTERN.test(relativePath) || BASENAME_PATTERN.test(relativePath);
 
 //#endregion
@@ -1884,7 +1902,7 @@ const JS_EXTENSIONS$4 = new Set([
 	".mjs",
 	".cjs"
 ]);
-const CONSOLE_LOG_PATTERN = /\bconsole\.(?:log|debug|info|trace|dir|table)\s*\(/;
+const CONSOLE_CALL_PATTERN = /\bconsole\.(log|debug|info|trace|dir|table)\s*\(/;
 const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	filePath,
 	engine: "ai-slop",
@@ -1898,20 +1916,35 @@ const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	fixable
 });
 const LOGGER_FILE_PATTERN = /(?:^|\/)(?:logger|logging|log)\.[^/]+$/i;
+const CLI_ENTRYPOINT_PATTERN = /(?:^|\/)(?:cli|cli[-_.][^/]*|[^/]+[-_]cli)\.[mc]?[jt]sx?$/i;
+const ENTRYPOINT_GUARD_PATTERN = /\b(?:import\.meta\.main|require\.main\s*===\s*module)\b/;
+const OPERATIONAL_LOG_PATTERN = /\bconsole\.(?:log|info)\s*\(\s*(?:`|["'])\s*\[[^\]\n]{1,48}\]/;
+const DEBUG_SIGNAL_PATTERN = /\b(?:debug|dbg|trace|dump|inspect|todo|tmp|temp|remove\s+me|leftover|here|checkpoint)\b/i;
+const shouldFlagConsoleCall = (trimmed) => {
+	const match = CONSOLE_CALL_PATTERN.exec(trimmed);
+	if (!match) return false;
+	const method = match[1];
+	if (method === "trace" || method === "dir" || method === "table") return true;
+	if (method === "debug") return DEBUG_SIGNAL_PATTERN.test(trimmed) || !OPERATIONAL_LOG_PATTERN.test(trimmed);
+	if (method === "info" || method === "log") {
+		if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) return false;
+		if (OPERATIONAL_LOG_PATTERN.test(trimmed)) return false;
+		return true;
+	}
+	return false;
+};
 const detectConsoleLeftovers = (content, relativePath, ext) => {
 	if (!JS_EXTENSIONS$4.has(ext)) return [];
 	if (LOGGER_FILE_PATTERN.test(relativePath)) return [];
-	if (isNonProductionPath(relativePath)) return [];
+	if (isNonProductionPath(relativePath) || CLI_ENTRYPOINT_PATTERN.test(relativePath)) return [];
+	if (content.startsWith("#!")) return [];
+	if (ENTRYPOINT_GUARD_PATTERN.test(content)) return [];
 	const diagnostics = [];
 	const lines = content.split("\n");
 	for (let i = 0; i < lines.length; i++) {
 		const trimmed = lines[i].trim();
 		if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
-		if (CONSOLE_LOG_PATTERN.test(trimmed)) {
-			if (/console\.(?:error|warn)\s*\(/.test(trimmed)) continue;
-			if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) continue;
-			diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
-		}
+		if (shouldFlagConsoleCall(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
 	}
 	return diagnostics;
 };
@@ -1939,6 +1972,7 @@ const isGuardedSingleLineExit = (lines, lineIndex) => {
 	const control = contextLines.join(" ");
 	return /(?:^|[}\s])(?:if|else\s+if|for|while)\s*\(/.test(control) && !/{\s*$/.test(control);
 };
+const isPropertyNoopAssignment = (trimmed) => /^(?:[\w$]+\.)+[\w$]+\s*=\s*(?:function\s*)?\([^)]*\)\s*(?:=>)?\s*\{\s*\}\s*;?$/.test(trimmed);
 const detectTodoStubs = (content, relativePath) => {
 	const diagnostics = [];
 	const lines = content.split("\n");
@@ -1960,7 +1994,7 @@ const detectDeadCodePatterns = (content, relativePath, ext) => {
 		const nextLine = i + 1 < lines.length ? lines[i + 1]?.trim() : void 0;
 		if (JS_EXTENSIONS$4.has(ext) && /^(?:return|throw)\b/.test(trimmed) && trimmed.endsWith(";") && nextLine && nextLine.length > 0 && !isGuardedSingleLineExit(lines, i) && !isBlockCloserAfterReturn(nextLine) && !nextLine.startsWith("//") && !nextLine.startsWith("/*") && !nextLine.startsWith("case ") && !nextLine.startsWith("default:") && !nextLine.startsWith("if ") && !nextLine.startsWith("if(") && !nextLine.startsWith("else")) diagnostics.push(slop(relativePath, i + 2, "ai-slop/unreachable-code", "warning", "Code after return/throw statement is unreachable", "Remove the unreachable code or restructure the control flow", false));
 		if (/\bif\s*\(\s*(?:false|true|0|1)\s*\)/.test(trimmed) && !trimmed.startsWith("//") && !trimmed.startsWith("*") && !/["'`].*\bif\s*\(/.test(trimmed) && !/\/.*\bif\s*\(/.test(trimmed.replace(/\/\/.*$/, ""))) diagnostics.push(slop(relativePath, i + 1, "ai-slop/constant-condition", "warning", "Conditional with a constant value — likely debugging leftover", "Remove the constant condition or replace with proper logic", false));
-		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
+		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ") && !isPropertyNoopAssignment(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
 	}
 	return diagnostics;
 };
@@ -2458,7 +2492,7 @@ const JS_RESOLUTION_EXTENSIONS = [
 	"/index.js",
 	"/index.jsx"
 ];
-const readJson$2 = (filePath) => {
+const readJson$3 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -2473,7 +2507,7 @@ const buildAliasMatcher = (key) => {
 	return (spec) => spec.length >= before.length + after.length && spec.startsWith(before) && spec.endsWith(after);
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
-	const opts = readJson$2(configPath)?.compilerOptions;
+	const opts = readJson$3(configPath)?.compilerOptions;
 	if (!opts || typeof opts !== "object") return;
 	const configDir = path.dirname(configPath);
 	const paths = opts.paths;
@@ -2496,7 +2530,7 @@ const collectTsPathAliases = (rootDir, workspaceDirs) => {
 
 //#endregion
 //#region src/engines/ai-slop/js-workspaces.ts
-const readJson$1 = (filePath) => {
+const readJson$2 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -2516,7 +2550,7 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 			}
 		}
 	}
-	const lerna = readJson$1(path.join(rootDir, "lerna.json"));
+	const lerna = readJson$2(path.join(rootDir, "lerna.json"));
 	if (lerna && Array.isArray(lerna.packages)) {
 		for (const g of lerna.packages) if (typeof g === "string") globs.push(g);
 	}
@@ -2917,7 +2951,7 @@ const JS_EXTENSIONS$2 = new Set([
 	".cjs"
 ]);
 const PY_EXTENSIONS$2 = new Set([".py"]);
-const readJson = (filePath) => {
+const readJson$1 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -2961,7 +2995,7 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 			const full = path.join(dir, entry.name);
 			if (entry.isDirectory()) walk(full, depth + 1);
 			else if (entry.name === "package.json" && depth > 0) {
-				const wsPkg = readJson(full);
+				const wsPkg = readJson$1(full);
 				if (!wsPkg) continue;
 				if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 				addDepsFromPkg(wsPkg, jsDeps);
@@ -2973,13 +3007,13 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 const collectJsDeps = (rootDir, jsDeps) => {
 	const pkgPath = path.join(rootDir, "package.json");
 	if (!fs.existsSync(pkgPath)) return false;
-	const pkg = readJson(pkgPath);
+	const pkg = readJson$1(pkgPath);
 	if (!pkg || typeof pkg !== "object") return false;
 	addDepsFromPkg(pkg, jsDeps);
 	if (typeof pkg.name === "string") jsDeps.add(pkg.name);
 	const workspaceDirs = collectWorkspaceDirs(rootDir, pkg);
 	for (const wsDir of workspaceDirs) {
-		const wsPkg = readJson(path.join(wsDir, "package.json"));
+		const wsPkg = readJson$1(path.join(wsDir, "package.json"));
 		if (!wsPkg) continue;
 		if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 		addDepsFromPkg(wsPkg, jsDeps);
@@ -3008,7 +3042,11 @@ const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
 	"bun:",
-	"file:"
+	"file:",
+	"http:",
+	"https:",
+	"jsr:",
+	"npm:"
 ];
 const isJsVirtualModule = (spec, manifest) => {
 	if (VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p))) return true;
@@ -3137,7 +3175,7 @@ const checkPyImport = (spec, manifest) => {
 	return root;
 };
 const detectHallucinatedImports = async (context) => {
-	const rootPkg = readJson(path.join(context.rootDirectory, "package.json"));
+	const rootPkg = readJson$1(path.join(context.rootDirectory, "package.json"));
 	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
 	const manifest = loadManifest(context.rootDirectory);
 	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
@@ -3242,6 +3280,9 @@ const VENDOR_API_DOMAINS = [
 ];
 const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
 const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const PROVIDER_ID_RE = /^(?:price|prod|cus|sub|acct|org|app|tenant|workspace|project|client|key|tok|token|sk|pk)_[A-Za-z0-9][A-Za-z0-9_-]{7,}$/i;
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+const READABLE_KEY_RE = /^[a-z][a-z0-9]*(?:[_-][a-z0-9]+){2,}$/;
 const HARDCODED_URL_FINDING = {
 	rule: "ai-slop/hardcoded-url",
 	message: "Hardcoded environment URL in production code",
@@ -3279,8 +3320,10 @@ const safeUrlHost = (urlText) => {
 	}
 };
 const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const TEMPLATE_INTERPOLATION_START = "${";
 const shouldFlagUrlLiteral = (line, urlText) => {
 	if (isEnvBackedLine(line)) return false;
+	if (urlText.includes(TEMPLATE_INTERPOLATION_START) && /\bnew\s+URL\s*\(/.test(line)) return false;
 	const host = safeUrlHost(urlText);
 	if (!host) return false;
 	if (PLACEHOLDER_HOSTS.has(host)) return false;
@@ -3295,7 +3338,11 @@ const hasUsefulIdShape = (value) => {
 	if (ENV_VAR_NAME_RE.test(value)) return false;
 	if (/^https?:\/\//i.test(value)) return false;
 	if (/^[A-Za-z]+$/.test(value)) return false;
-	return /[0-9]/.test(value);
+	if (READABLE_KEY_RE.test(value) && !PROVIDER_ID_RE.test(value)) return false;
+	if (PROVIDER_ID_RE.test(value)) return true;
+	if (UUID_RE.test(value)) return true;
+	if (!/[0-9]/.test(value)) return false;
+	return value.length >= 24 && !/[_-]/.test(value) && /[a-z]/.test(value) && /[A-Z]/.test(value);
 };
 const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
 	const diagnostics = [];
@@ -5309,8 +5356,8 @@ const shouldIncludeIssue = (issueType, filePath) => {
 	return !filePath.replace(/\\/g, "/").includes(".github/workflows/");
 };
 const DEPENDENCY_HELP = {
-	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
-	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
+	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
 	unlisted: "This package is imported in code but not declared in package.json. Run `npm install` to add it.",
 	unresolved: "This import cannot be resolved. Check for typos or missing packages.",
 	binaries: "This binary is used but its package is not in package.json."
@@ -5659,7 +5706,7 @@ const parseBiomeJsonOutput = (output, rootDir) => {
 				rule: "formatting",
 				severity,
 				message,
-				help: "Run `npx aislop fix` to auto-format",
+				help: "Run `aislop fix` to auto-format",
 				line: entry.location?.start?.line ?? 0,
 				column: entry.location?.start?.column ?? 0,
 				category: "Format",
@@ -5698,7 +5745,7 @@ const FORMATTERS = {
 					rule: "rust-formatting",
 					severity: "warning",
 					message: "Rust file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format with rustfmt",
+					help: "Run `aislop fix` to auto-format with rustfmt",
 					line: parseInt(match[2], 10),
 					column: 0,
 					category: "Format",
@@ -5731,7 +5778,7 @@ const FORMATTERS = {
 					rule: offense.cop_name ?? "ruby-formatting",
 					severity: "warning",
 					message: offense.message ?? "Ruby formatting issue",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: offense.location?.start_line ?? 0,
 					column: offense.location?.start_column ?? 0,
 					category: "Format",
@@ -5762,7 +5809,7 @@ const FORMATTERS = {
 					rule: "php-formatting",
 					severity: "warning",
 					message: "PHP file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: 0,
 					column: 0,
 					category: "Format",
@@ -5815,7 +5862,7 @@ const runGofmt = async (context) => {
 			rule: "go-formatting",
 			severity: "warning",
 			message: "Go file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with gofmt",
+			help: "Run `aislop fix` to auto-format with gofmt",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -5881,7 +5928,7 @@ const parseRuffFormatOutput = (output, rootDir) => {
 			rule: "python-formatting",
 			severity: "warning",
 			message: "Python file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with ruff",
+			help: "Run `aislop fix` to auto-format with ruff",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -6293,6 +6340,7 @@ const AMBIENT_GLOBAL_DEPS = [
 const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
 const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
 const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const SUPABASE_FUNCTION_PATH_RE = /(?:^|\/)supabase\/functions\/[^/]+\/.+\.[cm]?[jt]sx?$/;
 const detectAmbientSources = (rootDir) => {
 	const found = /* @__PURE__ */ new Set();
 	const skipDirs = new Set([
@@ -6337,6 +6385,36 @@ const detectAmbientSources = (rootDir) => {
 const extractNoUndefIdentifier = (message) => {
 	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
 };
+const looksLikeChromeExtensionManifest = (filePath) => {
+	try {
+		const manifest = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+		return typeof manifest.manifest_version === "number" && ("background" in manifest || "content_scripts" in manifest || "permissions" in manifest);
+	} catch {
+		return false;
+	}
+};
+const chromeExtensionFileCache = /* @__PURE__ */ new Map();
+const isChromeExtensionFile = (rootDir, relativeFilePath) => {
+	const cacheKey = `${rootDir}:${relativeFilePath.split(path.sep).join("/")}`;
+	const cached = chromeExtensionFileCache.get(cacheKey);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	const root = path.resolve(rootDir);
+	let dir = path.dirname(path.resolve(absolute));
+	let matched = false;
+	while (true) {
+		const relativeToRoot = path.relative(root, dir);
+		if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot)) break;
+		if (looksLikeChromeExtensionManifest(path.join(dir, "manifest.json"))) {
+			matched = true;
+			break;
+		}
+		if (dir === root) break;
+		dir = path.dirname(dir);
+	}
+	chromeExtensionFileCache.set(cacheKey, matched);
+	return matched;
+};
 const isAmbientFalsePositive = (rule, message, sources) => {
 	if (rule !== "eslint/no-undef") return false;
 	const ident = extractNoUndefIdentifier(message);
@@ -6345,9 +6423,19 @@ const isAmbientFalsePositive = (rule, message, sources) => {
 	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
 	return false;
 };
+const isRuntimeGlobalFalsePositive = (rule, message, rootDir, relativeFilePath) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	const normalized = relativeFilePath.split(path.sep).join("/");
+	if (ident === "Deno" && SUPABASE_FUNCTION_PATH_RE.test(normalized)) return true;
+	if (ident === "chrome" && isChromeExtensionFile(rootDir, relativeFilePath)) return true;
+	return false;
+};
 const sstReferencedFiles = /* @__PURE__ */ new Map();
 const clearSstReferenceCache = () => {
 	sstReferencedFiles.clear();
+	chromeExtensionFileCache.clear();
 };
 const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
 	const cached = sstReferencedFiles.get(relativeFilePath);
@@ -6399,6 +6487,32 @@ const collectPackageNames = (dir) => {
 	}
 	return names;
 };
+const readJson = (filePath) => {
+	const raw = readTextFile$1(filePath);
+	if (!raw) return null;
+	try {
+		const parsed = JSON.parse(raw);
+		return parsed && typeof parsed === "object" ? parsed : null;
+	} catch {
+		return null;
+	}
+};
+const hasBunRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "bun.lock")) || fs.existsSync(path.join(rootDir, "bun.lockb")) || fs.existsSync(path.join(rootDir, "bunfig.toml"))) return true;
+	const hasBunFiles = projectFiles.some((filePath) => /(?:^|\/)bunfig\.toml$|(?:^|\/)bun\.lockb?$/.test(filePath));
+	const pkg = readJson(path.join(rootDir, "package.json"));
+	if (!pkg) return hasBunFiles;
+	if (typeof pkg.packageManager === "string" && /^bun@/i.test(pkg.packageManager)) return true;
+	const scripts = pkg.scripts;
+	if (scripts && typeof scripts === "object") {
+		for (const command of Object.values(scripts)) if (typeof command === "string" && /(?:^|[;&|()\s])bunx?\s/.test(command)) return true;
+	}
+	return hasBunFiles;
+};
+const hasDenoRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "deno.json")) || fs.existsSync(path.join(rootDir, "deno.jsonc"))) return true;
+	return projectFiles.some((filePath) => /(?:^|\/)deno\.jsonc?$/.test(filePath));
+};
 const AMBIENT_GLOBAL_RE = /^\s*(?:declare\s+)?(?:const|let|var|function|class)\s+([A-Za-z_$][\w$]*)/gm;
 const collectAmbientGlobals = (rootDir) => {
 	const globals = /* @__PURE__ */ new Set();
@@ -6410,7 +6524,8 @@ const collectAmbientGlobals = (rootDir) => {
 		for (const match of content.matchAll(AMBIENT_GLOBAL_RE)) globals.add(match[1]);
 	}
 	const deps = collectPackageNames(rootDir);
-	if (deps.has("@types/bun") || deps.has("bun-types")) globals.add("Bun");
+	if (deps.has("@types/bun") || deps.has("bun-types") || hasBunRuntime(rootDir, projectFiles)) globals.add("Bun");
+	if (hasDenoRuntime(rootDir, projectFiles)) globals.add("Deno");
 	if (projectFiles.some((filePath) => /(?:^|\/)sst\.config\.ts$/.test(filePath))) for (const name of [
 		"$app",
 		"$config",
@@ -6566,6 +6681,37 @@ const removeDuplicateKeyLines = (rootDirectory, diagnostics) => {
 		fs.writeFileSync(filePath, filtered.join("\n"));
 	}
 };
+const toDiagnostic = (d) => {
+	const { plugin, rule } = parseRuleCode(d.code);
+	const label = d.labels[0];
+	return {
+		filePath: d.filename,
+		engine: "lint",
+		rule: `${plugin}/${rule}`,
+		severity: d.severity,
+		message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
+		help: d.help || "",
+		line: label?.span.line ?? 0,
+		column: label?.span.column ?? 0,
+		category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
+		fixable: false
+	};
+};
+const shouldKeepOxlintDiagnostic = (context, ambientSources, seen, d) => {
+	const relativePath = path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath;
+	if (isExcludedFromScan(relativePath)) return false;
+	if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+	if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+	if (isRuntimeGlobalFalsePositive(d.rule, d.message, context.rootDirectory, relativePath)) return false;
+	if (isSolidRefFalsePositive(context, d)) return false;
+	if (isContextualTypeScriptFalsePositive(d)) return false;
+	if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+	if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
+	const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
+	if (seen.has(key)) return false;
+	seen.add(key);
+	return true;
+};
 const runOxlint = async (context) => {
 	const configPath = path.join(os.tmpdir(), `aislop-oxlintrc-${process.pid}.json`);
 	const framework = context.frameworks.find((f) => f !== "none");
@@ -6602,34 +6748,7 @@ const runOxlint = async (context) => {
 			return [];
 		}
 		const seen = /* @__PURE__ */ new Set();
-		return output.diagnostics.map((d) => {
-			const { plugin, rule } = parseRuleCode(d.code);
-			const label = d.labels[0];
-			return {
-				filePath: d.filename,
-				engine: "lint",
-				rule: `${plugin}/${rule}`,
-				severity: d.severity,
-				message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
-				help: d.help || "",
-				line: label?.span.line ?? 0,
-				column: label?.span.column ?? 0,
-				category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
-				fixable: false
-			};
-		}).filter((d) => {
-			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
-			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
-			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
-			if (isSolidRefFalsePositive(context, d)) return false;
-			if (isContextualTypeScriptFalsePositive(d)) return false;
-			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
-			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
-			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
-			if (seen.has(key)) return false;
-			seen.add(key);
-			return true;
-		});
+		return output.diagnostics.map(toDiagnostic).filter((d) => shouldKeepOxlintDiagnostic(context, ambientSources, seen, d));
 	} finally {
 		if (fs.existsSync(configPath)) fs.unlinkSync(configPath);
 	}
@@ -6755,9 +6874,9 @@ const lintEngine = {
 		const promises = [];
 		if (languages.includes("typescript") || languages.includes("javascript")) {
 			promises.push(runOxlint(context));
-			if (context.config.lint.typecheck) promises.push(import("./typecheck-BdQ7uFyK.js").then((mod) => mod.runTypecheck(context)));
+			if (context.config.lint.typecheck) promises.push(import("./typecheck-DQSzG8fX.js").then((mod) => mod.runTypecheck(context)));
 		}
-		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-c-jE6pR2.js").then((n) => n.t).then((mod) => mod.runExpoDoctor(context)));
+		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-BwLKXF__.js").then((n) => n.t).then((mod) => mod.runExpoDoctor(context)));
 		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffLint(context));
 		if (languages.includes("go") && installedTools["golangci-lint"]) promises.push(runGolangciLint(context));
 		if (languages.includes("rust") && installedTools.cargo) promises.push(runGenericLinter(context, "rust"));
@@ -6923,7 +7042,7 @@ const parseJsAudit = (output, source) => {
 			rule: "security/dependency-audit-skipped",
 			severity: "info",
 			message: `Dependency audit skipped (${source}): lockfile is missing`,
-			help: error.detail ?? "Generate a lockfile, then re-run `npx aislop scan` for dependency vulnerability checks.",
+			help: error.detail ?? "Generate a lockfile, then re-run `aislop scan` for dependency vulnerability checks.",
 			line: 0,
 			column: 0,
 			category: "Security",
@@ -7040,6 +7159,194 @@ const runCargoAudit = async (rootDir, timeout) => {
 	}
 };
 
+//#endregion
+//#region src/engines/security/html-safety.ts
+const SAFE_EMPTY_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:""|''|``)\s*;?/;
+const SAFE_SANITIZED_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:escapeHtml|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)\s*;?(?:\n|$)/;
+const SANITIZER_EXPR_RE = /^(?:escapeHtml|escapeHTML|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)$/;
+const IDENT_RE = /^[A-Za-z_$][\w$]*$/;
+const STATIC_STRING_RE = /^(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\$])*`)$/;
+const NUMERICISH_EXPR_RE = /^(?:[-+]?\d+(?:\.\d+)?|[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*(?:\s*\|\|\s*[-+]?\d+(?:\.\d+)?)?)$/;
+const NUMERICISH_NAME_RE = /(?:^|\.)(?:count|length|size|width|height|top|right|bottom|left|duration|elapsed|timestamp|time|ms|port|pid|attempt|attempts|index|total|x|y)$|(?:count|length|size|width|height|duration|elapsed|timestamp|time|port|pid|attempt|index|total)$/i;
+const SAFE_FORMAT_CALL_RE = /^(?:format[A-Z]\w*|fmt[A-Z]?\w*)\s*\((.*)\)$/;
+const consumeQuotedLiteral = (content, startIndex, quote) => {
+	let i = startIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === quote) return { endIndex: i };
+		if (char === "\n") return null;
+		i++;
+	}
+	return null;
+};
+const consumeTemplateLiteral = (content, startIndex) => {
+	const openIndex = content.indexOf("`", startIndex);
+	if (openIndex === -1) return null;
+	let i = openIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === "`") return {
+			body: content.slice(openIndex + 1, i),
+			endIndex: i
+		};
+		i++;
+	}
+	return null;
+};
+const assignmentTailIsClosed = (content, endIndex) => /^\s*(?:;[^\n]*)?(?:\n|$)/.test(content.slice(endIndex + 1));
+const assignmentRhsStart = (content, matchIndex) => {
+	const match = /^\.innerHTML\s*=\s*/.exec(content.slice(matchIndex));
+	return match ? matchIndex + match[0].length : null;
+};
+const templateExpressions = (templateBody) => [...templateBody.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+const staticTernaryRe = /^\s*[^?]+\?\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*:\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*$/;
+const splitTopLevelTernary = (expr) => {
+	let quote = null;
+	let depth = 0;
+	let question = -1;
+	let colon = -1;
+	for (let i = 0; i < expr.length; i++) {
+		const char = expr[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (quote) continue;
+		if (char === "(" || char === "[" || char === "{") depth++;
+		else if (char === ")" || char === "]" || char === "}") depth = Math.max(0, depth - 1);
+		else if (char === "?" && depth === 0 && question === -1) question = i;
+		else if (char === ":" && depth === 0 && question !== -1) {
+			colon = i;
+			break;
+		}
+	}
+	if (question === -1 || colon === -1) return null;
+	return {
+		whenTrue: expr.slice(question + 1, colon).trim(),
+		whenFalse: expr.slice(colon + 1).trim()
+	};
+};
+const isNumericishExpression = (expr) => {
+	const normalized = expr.trim();
+	if (/^(?:Math\.\w+|Number|parseInt|parseFloat)\s*\(/.test(normalized)) return true;
+	if (!NUMERICISH_EXPR_RE.test(normalized)) return false;
+	return /\d/.test(normalized) || NUMERICISH_NAME_RE.test(normalized);
+};
+const isSafeTemplateLiteralExpression = (expr, safeNames) => {
+	if (!expr.startsWith("`") || !expr.endsWith("`")) return false;
+	return templateExpressions(expr.slice(1, -1)).every((part) => isSafeHtmlExpression(part, safeNames));
+};
+const collectSafeHtmlNames = (content, matchIndex) => {
+	const safeNames = /* @__PURE__ */ new Set();
+	const prefix = content.slice(Math.max(0, matchIndex - 8e3), matchIndex);
+	for (const rawLine of prefix.split("\n")) {
+		const line = rawLine.trim();
+		let match = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*\+=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (safeNames.has(name) && isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+		}
+	}
+	return safeNames;
+};
+const isSafeHtmlExpression = (expr, safeNames) => {
+	const normalized = expr.trim();
+	if (SANITIZER_EXPR_RE.test(normalized)) return true;
+	if (STATIC_STRING_RE.test(normalized)) return true;
+	if (staticTernaryRe.test(expr)) return true;
+	if (isNumericishExpression(normalized)) return true;
+	if (IDENT_RE.test(normalized) && safeNames.has(normalized)) return true;
+	if (isSafeTemplateLiteralExpression(normalized, safeNames)) return true;
+	const ternary = splitTopLevelTernary(normalized);
+	if (ternary && isSafeHtmlExpression(ternary.whenTrue, safeNames) && isSafeHtmlExpression(ternary.whenFalse, safeNames)) return true;
+	const formatCall = SAFE_FORMAT_CALL_RE.exec(normalized);
+	if (formatCall) return formatCall[1].split(",").map((arg) => arg.trim()).filter((arg) => arg.length > 0).every((arg) => isNumericishExpression(arg) || IDENT_RE.test(arg) && safeNames.has(arg));
+	return false;
+};
+const readSingleLineRhs = (content, rhsStart) => {
+	const lineEnd = content.indexOf("\n", rhsStart);
+	const line = content.slice(rhsStart, lineEnd === -1 ? content.length : lineEnd);
+	let quote = null;
+	for (let i = 0; i < line.length; i++) {
+		const char = line[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (char === ";" && quote === null) return line.slice(0, i).trim();
+	}
+	return line.trim();
+};
+const isSafeMapJoinHtmlAssignment = (content, rhsStart) => {
+	const head = content.slice(rhsStart);
+	const mapMatch = /^[A-Za-z_$][\w$.]*\.map\(\s*[A-Za-z_$][\w$]*\s*=>\s*`/.exec(head);
+	if (!mapMatch) return false;
+	const template = consumeTemplateLiteral(content, rhsStart + mapMatch[0].length - 1);
+	if (!template) return false;
+	if (!/^\s*\)\.join\(\s*(?:""|'')\s*\)/.test(content.slice(template.endIndex + 1))) return false;
+	const safeNames = collectSafeHtmlNames(content, rhsStart);
+	return templateExpressions(template.body).every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
+const isSafeInnerHtmlAssignment = (content, matchIndex) => {
+	const tail = content.slice(matchIndex);
+	if (SAFE_EMPTY_INNER_HTML_RE.test(tail) || SAFE_SANITIZED_INNER_HTML_RE.test(tail)) return true;
+	const rhsStart = assignmentRhsStart(content, matchIndex);
+	if (rhsStart === null) return false;
+	const first = content[rhsStart];
+	const safeNames = collectSafeHtmlNames(content, matchIndex);
+	if (isSafeHtmlExpression(readSingleLineRhs(content, rhsStart), safeNames)) return true;
+	if (isSafeMapJoinHtmlAssignment(content, rhsStart)) return true;
+	if (first === "'" || first === "\"") {
+		const quoted = consumeQuotedLiteral(content, rhsStart, first);
+		return Boolean(quoted && assignmentTailIsClosed(content, quoted.endIndex));
+	}
+	if (first !== "`") return false;
+	const template = consumeTemplateLiteral(content, rhsStart);
+	if (!template || !assignmentTailIsClosed(content, template.endIndex)) return false;
+	const expressions = templateExpressions(template.body);
+	if (expressions.length === 0) return true;
+	return expressions.every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
+
 //#endregion
 //#region src/engines/security/risky.ts
 const ev = "eval";
@@ -7165,6 +7472,30 @@ const isStructuredDataScript = (content, matchIndex) => {
 	const after = content.slice(matchIndex, Math.min(content.length, matchIndex + 180));
 	return /__html\s*:\s*JSON\.stringify\s*\(/.test(after);
 };
+const isSafeShellSpawnArray = (content, matchIndex) => /^spawn\s*\(\s*\[/.test(content.slice(matchIndex)) && !/^\s*spawn\s*\(\s*\[\s*["'](?:sh|bash|zsh|cmd|cmd\.exe|powershell|pwsh)["']\s*,\s*["'](?:-c|\/c|\/C)["']/i.test(content.slice(matchIndex)) && !/shell\s*:\s*true\b/.test(content.slice(matchIndex, matchIndex + 500));
+const PLACEHOLDER_EXPR_RE = /^(?:placeholders?|placeholderList|bindMarkers?|bindingMarkers?|bindPlaceholders?|bindingPlaceholders?|parameterPlaceholders?|sqlPlaceholders?)(?:\.\w+\([^)]*\))?$/i;
+const SQL_PLACEHOLDER_LITERAL_RE = /["'](?:\?|\$\d+|\$\{[^}]+\})["']/;
+const escapeRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const isGeneratedPlaceholderList = (content, matchIndex, placeholderExpr) => {
+	const name = placeholderExpr.match(/^([A-Za-z_$][\w$]*)/)?.[1];
+	if (!name) return false;
+	const prefix = content.slice(Math.max(0, matchIndex - 4e3), matchIndex);
+	const declarationRe = new RegExp(`\\b(?:const|let|var)\\s+${escapeRegExp(name)}\\s*=\\s*([^;\\n]+)`, "g");
+	const declaration = [...prefix.matchAll(declarationRe)].at(-1);
+	if (!declaration) return false;
+	const expr = declaration[1];
+	if (!/\.join\s*\(/.test(expr)) return false;
+	return /\.map\s*\(/.test(expr) && /=>/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr) || /\.fill\s*\(/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr);
+};
+const isSafeSqlPlaceholderTemplate = (content, matchIndex) => {
+	const template = consumeTemplateLiteral(content, matchIndex);
+	if (!template) return false;
+	const afterTemplate = content.slice(template.endIndex + 1);
+	if (!(/^\s*,/.test(afterTemplate) || /^\s*\)\s*\.(?:all|get|run|values)\s*\(/.test(afterTemplate))) return false;
+	const expressions = [...template.body.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+	if (expressions.length === 0) return false;
+	return expressions.every((expr) => PLACEHOLDER_EXPR_RE.test(expr) && isGeneratedPlaceholderList(content, matchIndex, expr));
+};
 const detectRiskyConstructs = async (context) => {
 	const files = getSourceFiles(context);
 	const diagnostics = [];
@@ -7189,8 +7520,11 @@ const detectRiskyConstructs = async (context) => {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
+					if (isSafeInnerHtmlAssignment(content, match.index)) continue;
 					if (/(?:template|tmpl|tpl)$/i.test(beforeMatch.trimEnd()) || /createElement\s*\(\s*['"]template['"]\s*\)$/.test(beforeMatch.trimEnd())) continue;
 				}
+				if (name === "sql-injection" && isSafeSqlPlaceholderTemplate(content, match.index)) continue;
+				if (name === "shell-injection" && isSafeShellSpawnArray(content, match.index)) continue;
 				if (name === "dangerously-set-innerhtml") {
 					if (hasDangerouslySetInnerHtmlIgnore(lines, line - 1)) continue;
 					if (isStructuredDataScript(content, match.index)) continue;
@@ -7287,7 +7621,28 @@ const PLACEHOLDER_EXACT = new Set([
 	"todo",
 	"replace_me"
 ]);
+const PLACEHOLDER_URL_PARTS = new Set([
+	"example",
+	"host",
+	"localhost",
+	"pass",
+	"password",
+	"pw",
+	"user",
+	"username"
+]);
+const isPlaceholderCredentialUrl = (matchedText) => {
+	const credentialMatch = matchedText.match(/^[a-z]+:\/\/([^:@/\s]+):([^@/\s]+)@/i);
+	if (credentialMatch) return PLACEHOLDER_URL_PARTS.has(credentialMatch[1].toLowerCase()) && PLACEHOLDER_URL_PARTS.has(credentialMatch[2].toLowerCase());
+	try {
+		const parsed = new URL(matchedText);
+		return PLACEHOLDER_URL_PARTS.has(parsed.username.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.password.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.hostname.toLowerCase());
+	} catch {
+		return false;
+	}
+};
 const isPlaceholderValue = (matchedText) => {
+	if (isPlaceholderCredentialUrl(matchedText)) return true;
 	if (/env\(/i.test(matchedText)) return true;
 	if (matchedText.includes("process.env")) return true;
 	if (matchedText.includes("os.environ")) return true;
@@ -7408,23 +7763,36 @@ const STYLE_RULES = new Set([
 	"complexity/function-too-long"
 ]);
 const STYLE_WEIGHT = .5;
+const COMMENT_STYLE_RULE_CAP = 12;
+const COMMENT_STYLE_RULES = new Set(["ai-slop/trivial-comment", "ai-slop/narrative-comment"]);
 const getEffectiveFileCount = (diagnostics, sourceFileCount) => {
 	if (typeof sourceFileCount === "number" && sourceFileCount > 0) return sourceFileCount;
 	const filesWithDiagnostics = new Set(diagnostics.map((d) => d.filePath)).size;
 	return Math.max(1, filesWithDiagnostics);
 };
-const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing) => {
+const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing, maxPerRule) => {
 	if (diagnostics.length === 0) return {
 		score: PERFECT_SCORE,
 		label: "Healthy"
 	};
-	let deductions = 0;
+	const deductionsByRule = /* @__PURE__ */ new Map();
 	for (const d of diagnostics) {
 		const engineWeight = weights[d.engine] ?? 1;
 		const severityPenalty = d.severity === "error" ? 3 : d.severity === "warning" ? 1 : .25;
 		const styleFactor = STYLE_RULES.has(d.rule) ? STYLE_WEIGHT : 1;
-		deductions += severityPenalty * engineWeight * styleFactor;
-	}
+		const key = `${d.engine}:${d.rule}`;
+		deductionsByRule.set(key, (deductionsByRule.get(key) ?? 0) + severityPenalty * engineWeight * styleFactor);
+	}
+	const defaultRuleCap = typeof maxPerRule === "number" && maxPerRule > 0 ? maxPerRule : null;
+	const capForRule = (key) => {
+		const rule = key.slice(key.indexOf(":") + 1);
+		if (COMMENT_STYLE_RULES.has(rule)) return defaultRuleCap ? Math.min(defaultRuleCap, COMMENT_STYLE_RULE_CAP) : COMMENT_STYLE_RULE_CAP;
+		return defaultRuleCap;
+	};
+	const deductions = [...deductionsByRule.entries()].reduce((total, [key, value]) => {
+		const cap = capForRule(key);
+		return total + (cap ? Math.min(value, cap) : value);
+	}, 0);
 	const effectiveFileCount = getEffectiveFileCount(diagnostics, sourceFileCount);
 	const smoothingConstant = typeof smoothing === "number" ? smoothing : 10;
 	const issueDensity = Math.min(1, diagnostics.length / (effectiveFileCount + smoothingConstant));
@@ -8067,7 +8435,7 @@ const buildAgentPrompt = (rootDirectory, diagnostics, score) => {
 	}
 	lines.push("---");
 	lines.push("Fix each issue following the guidance above. Prioritize errors over warnings.");
-	lines.push("After making changes, run `npx aislop scan` to verify all issues are resolved and the score improves.");
+	lines.push("After making changes, run `aislop scan` to verify all issues are resolved and the score improves.");
 	return lines.join("\n");
 };
 const SUPPORTED_AGENT_NAMES = Object.keys(AGENT_CONFIGS);
@@ -9274,7 +9642,7 @@ const runLintSteps = async (deps) => {
 	if (hasJsOrTs(deps.projectInfo)) await deps.runStep("Lint fixes (js/ts)", () => runOxlint(deps.context), () => fixOxlint(deps.context, { force: deps.force }));
 	if (deps.projectInfo.languages.includes("python") && deps.projectInfo.installedTools.ruff) await deps.runStep("Lint fixes (python)", () => runRuffLint(deps.context), () => deps.force ? fixRuffLintForce(deps.resolvedDir) : fixRuffLint(deps.resolvedDir));
 	else if (deps.projectInfo.languages.includes("python")) log.warn("Python detected but ruff is not installed; skipping Python lint fixes.");
-	if (deps.projectInfo.languages.includes("ruby") && deps.projectInfo.installedTools.rubocop) await deps.runStep("Lint fixes (ruby)", () => import("./generic-BsQa13CS.js").then((n) => n.n).then((mod) => mod.runGenericLinter(deps.context, "ruby")), () => fixRubyLint(deps.resolvedDir));
+	if (deps.projectInfo.languages.includes("ruby") && deps.projectInfo.installedTools.rubocop) await deps.runStep("Lint fixes (ruby)", () => import("./generic-D_T4cUaC.js").then((n) => n.n).then((mod) => mod.runGenericLinter(deps.context, "ruby")), () => fixRubyLint(deps.resolvedDir));
 	else if (deps.projectInfo.languages.includes("ruby")) log.warn("Ruby detected but rubocop is not installed; skipping Ruby lint fixes.");
 };
 const runDependencyStep = async (deps) => {
@@ -9620,6 +9988,121 @@ var LiveGrid = class {
 	}
 };
 
+//#endregion
+//#region src/utils/git.ts
+const MAX_BUFFER = 50 * 1024 * 1024;
+const baseRefExists = (cwd, ref) => {
+	const result = spawnSync("git", [
+		"rev-parse",
+		"--verify",
+		"--quiet",
+		`${ref}^{commit}`
+	], {
+		cwd,
+		encoding: "utf-8",
+		maxBuffer: MAX_BUFFER
+	});
+	return !result.error && result.status === 0;
+};
+const getChangedFiles = (cwd, base) => {
+	const diff = spawnSync("git", [
+		"diff",
+		"--name-only",
+		"--diff-filter=ACMR",
+		base ?? "HEAD"
+	], {
+		cwd,
+		encoding: "utf-8",
+		maxBuffer: MAX_BUFFER
+	});
+	if (diff.error || diff.status !== 0) return [];
+	const untracked = spawnSync("git", [
+		"ls-files",
+		"--others",
+		"--exclude-standard"
+	], {
+		cwd,
+		encoding: "utf-8",
+		maxBuffer: MAX_BUFFER
+	});
+	const names = /* @__PURE__ */ new Set();
+	for (const line of diff.stdout.split("\n")) if (line.length > 0) names.add(line);
+	if (!untracked.error && untracked.status === 0) {
+		for (const line of untracked.stdout.split("\n")) if (line.length > 0) names.add(line);
+	}
+	return Array.from(names).map((f) => path.resolve(cwd, f));
+};
+const getStagedFiles = (cwd) => {
+	const result = spawnSync("git", [
+		"diff",
+		"--cached",
+		"--name-only",
+		"--diff-filter=ACMR"
+	], {
+		cwd,
+		encoding: "utf-8",
+		maxBuffer: MAX_BUFFER
+	});
+	if (result.error || result.status !== 0) return [];
+	return result.stdout.split("\n").filter((f) => f.length > 0).map((f) => path.resolve(cwd, f));
+};
+
+//#endregion
+//#region src/utils/history.ts
+const HISTORY_FILE = "history.jsonl";
+const isHistoryDisabled = (env = process.env) => env.AISLOP_NO_HISTORY === "1";
+const historyPath = (directory) => path.join(path.resolve(directory), CONFIG_DIR, HISTORY_FILE);
+/**
+* Append a compact scan record to .aislop/history.jsonl. Best-effort: never
+* throws, so a read-only checkout or missing config dir can't break a scan.
+*/
+const appendHistory = (input) => {
+	if (isHistoryDisabled()) return;
+	const configDir = path.join(path.resolve(input.directory), CONFIG_DIR);
+	if (!fs.existsSync(configDir)) return;
+	const record = {
+		timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+		score: input.score,
+		errors: input.errors,
+		warnings: input.warnings,
+		files: input.files,
+		cliVersion: APP_VERSION
+	};
+	try {
+		fs.appendFileSync(historyPath(input.directory), `${JSON.stringify(record)}\n`);
+	} catch {}
+};
+
+//#endregion
+//#region src/commands/scan-coverage.ts
+const coverageReason = (c) => {
+	if (c.supportedFiles === 0 && c.dominantUnsupported) return `This repository is ${c.dominantUnsupported} (${c.unsupportedFiles} files), which aislop does not analyze. No score — it would not reflect this code.`;
+	if (c.supportedFiles === 0) return "No files in a language aislop analyzes (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Java). Nothing to score.";
+	const lang = c.dominantUnsupported ?? "an unsupported language";
+	const files = `${c.supportedFiles} supported file${c.supportedFiles === 1 ? "" : "s"}`;
+	return `This repository is mostly ${lang} (${c.unsupportedFiles} files); aislop analyzed only ${files}. Score withheld — it would represent a sliver of the codebase.`;
+};
+const renderCoverageNotice = (projectInfo, includeHeader) => {
+	const deps = {
+		theme: createTheme(),
+		symbols: createSymbols({ plain: false })
+	};
+	return `${includeHeader === false ? "" : renderHeader({
+		version: APP_VERSION,
+		command: "Scan result",
+		context: [
+			projectInfo.projectName,
+			projectInfo.languages[0] ?? "unknown",
+			`${projectInfo.sourceFileCount} files`
+		],
+		brand: true
+	}, deps)}  ${coverageReason(projectInfo.coverage)}\n\n`;
+};
+
+//#endregion
+//#region src/commands/scan-exit-code.ts
+const computeScanExitCode = (opts) => opts.hasErrors || opts.scoreable && opts.score < opts.failBelow ? 1 : 0;
+
 //#endregion
 //#region src/output/rule-labels.ts
 const RULE_LABELS = {
@@ -9704,11 +10187,85 @@ const RULE_LABELS = {
 	"unicorn/no-useless-spread": "Useless spread",
 	"unicorn/no-single-promise-in-promise-methods": "Single-element Promise.all"
 };
+const RULE_DESCRIPTIONS = {
+	formatting: "File needs standard formatter output.",
+	"code-quality/duplicate-block": "Large repeated code block should be shared or simplified.",
+	"code-quality/repeated-chained-call": "Same chained call is repeated instead of stored once.",
+	"code-quality/unused-declaration": "Declared symbol is not referenced.",
+	"complexity/file-too-large": "File is large enough to be hard to review safely.",
+	"complexity/function-too-long": "Function is doing too much in one body.",
+	"complexity/deep-nesting": "Nested branches make the path hard to follow.",
+	"complexity/too-many-params": "Function takes more arguments than readers can track.",
+	"knip/files": "Source file is not imported or referenced.",
+	"knip/dependencies": "Production dependency is listed but unused.",
+	"knip/devDependencies": "Dev dependency is listed but unused.",
+	"knip/unlisted": "Code imports a package missing from package.json.",
+	"knip/unresolved": "Import cannot be resolved from the project.",
+	"knip/binaries": "Package binary is listed but unused.",
+	"knip/exports": "Exported value is not imported anywhere.",
+	"knip/types": "Exported type is not imported anywhere.",
+	"knip/duplicates": "Same export is declared more than once.",
+	"ai-slop/trivial-comment": "Comment repeats obvious code instead of explaining intent.",
+	"ai-slop/swallowed-exception": "Catch block hides an error without handling it.",
+	"ai-slop/silent-recovery": "Error path logs or defaults, then continues as if safe.",
+	"ai-slop/meta-comment": "Comment describes editing steps, plans, or generated-code process.",
+	"ai-slop/redundant-try-catch": "try/catch only rethrows or adds no useful handling.",
+	"ai-slop/redundant-type-coercion": "Conversion does not change the value meaningfully.",
+	"ai-slop/duplicate-type-declaration": "Same exported type shape appears more than once.",
+	"ai-slop/thin-wrapper": "Wrapper function adds no behavior or clearer contract.",
+	"ai-slop/generic-naming": "Name is too vague to explain its role.",
+	"ai-slop/unused-import": "Imported symbol is never used.",
+	"ai-slop/console-leftover": "console/debug output was left in application code.",
+	"ai-slop/todo-stub": "TODO/FIXME/stub marks unfinished behavior.",
+	"ai-slop/unreachable-code": "Code path cannot execute.",
+	"ai-slop/constant-condition": "Condition is always true or always false.",
+	"ai-slop/empty-function": "Function body is empty or placeholder-only.",
+	"ai-slop/unsafe-type-assertion": "Type assertion bypasses useful checking.",
+	"ai-slop/double-type-assertion": "Value is cast through unknown/any to force a type.",
+	"ai-slop/ts-directive": "TypeScript error is suppressed with a directive.",
+	"ai-slop/narrative-comment": "Comment narrates implementation instead of adding context.",
+	"ai-slop/duplicate-import": "Same module is imported more than once.",
+	"ai-slop/hardcoded-url": "URL-like value is embedded directly in code.",
+	"ai-slop/hardcoded-id": "Provider/account/test ID is embedded directly in code.",
+	"ai-slop/python-bare-except": "Bare except catches everything, including system exits.",
+	"ai-slop/python-broad-except": "Broad exception catch hides specific failure modes.",
+	"ai-slop/python-mutable-default": "Mutable default argument is shared across calls.",
+	"ai-slop/python-print-debug": "print/debug output was left in Python source.",
+	"ai-slop/python-range-len-loop": "Loop uses indexes where direct iteration is clearer.",
+	"ai-slop/python-chained-dict-get": "Nested get chain hides shape assumptions.",
+	"ai-slop/python-repetitive-dispatch": "Repeated if/elif dispatch should be table-driven.",
+	"ai-slop/python-isinstance-ladder": "Long isinstance ladder is brittle polymorphism.",
+	"ai-slop/go-library-panic": "Library code panics instead of returning an error.",
+	"ai-slop/rust-non-test-unwrap": "Production Rust uses unwrap instead of handling failure.",
+	"ai-slop/rust-todo-stub": "Rust todo!/unimplemented! leaves behavior unfinished.",
+	"ai-slop/hallucinated-import": "Import names a package not declared by the project.",
+	"security/hardcoded-secret": "Secret-looking token is embedded in source.",
+	"security/vulnerable-dependency": "Dependency audit reported a known vulnerability.",
+	"security/dependency-audit-skipped": "Audit could not run because inputs/tools are missing.",
+	"security/eval": "Dynamic code execution can run attacker-controlled input.",
+	"security/innerhtml": "Raw HTML assignment can introduce XSS.",
+	"security/dangerously-set-innerhtml": "React raw HTML escape hatch can introduce XSS.",
+	"security/sql-injection": "SQL is built from interpolated or concatenated input.",
+	"security/shell-injection": "Shell command is built from unsanitized input.",
+	"oxlint/*": "JavaScript/TypeScript lint finding from oxlint.",
+	"ruff/*": "Python lint finding from ruff.",
+	"go/*": "Go lint finding from bundled checks.",
+	"clippy/*": "Rust lint finding from clippy.",
+	"rubocop/*": "Ruby lint finding from rubocop.",
+	"typescript/*": "TypeScript compiler finding.",
+	"import-order": "Imports need deterministic ordering.",
+	"python-formatting": "Python file needs ruff formatting.",
+	"go-formatting": "Go file needs gofmt.",
+	"rust-formatting": "Rust file needs rustfmt.",
+	"ruby-formatting": "Ruby file needs rubocop formatting.",
+	"php-formatting": "PHP file needs php-cs-fixer formatting."
+};
 const prettifyFallback = (ruleId) => {
 	const spaced = (ruleId.includes("/") ? ruleId.slice(ruleId.indexOf("/") + 1) : ruleId).replace(/[-_]/g, " ").replace(/\//g, " · ");
 	return spaced.charAt(0).toUpperCase() + spaced.slice(1);
 };
 const labelForRule = (ruleId) => RULE_LABELS[ruleId] ?? prettifyFallback(ruleId);
+const descriptionForRule = (ruleId) => RULE_DESCRIPTIONS[ruleId] ?? labelForRule(ruleId);
 
 //#endregion
 //#region src/ui/summary.ts
@@ -9718,6 +10275,18 @@ const scoreToken = (score, thresholds) => {
 	if (score >= thresholds.ok) return "warn";
 	return "danger";
 };
+const renderFindingAssessment = (assessment, t, sep) => {
+	if (assessment.rows.length === 0) return [];
+	const parts = assessment.rows.filter((row) => row.count > 0).map((row) => `${row.count} ${row.label}`);
+	if (parts.length === 0) return [];
+	const high = assessment.byConfidence.high;
+	const medium = assessment.byConfidence.medium;
+	const confidenceParts = [];
+	if (high > 0) confidenceParts.push(`${high} high-confidence`);
+	if (medium > 0) confidenceParts.push(`${medium} medium-confidence`);
+	const confidence = confidenceParts.length > 0 ? `  ${sep}  ${style(t, "muted", confidenceParts.join(", "))}` : "";
+	return [`   ${style(t, "muted", "Verdict mix:")} ${parts.join(`  ${sep}  `)}${confidence}`];
+};
 const renderSummary = (input, deps = {}) => {
 	const t = deps.theme ?? theme;
 	const s = deps.symbols ?? symbols;
@@ -9736,6 +10305,10 @@ const renderSummary = (input, deps = {}) => {
 		`   ${style(t, "muted", `${input.files} files`)}  ${sep}  ${style(t, "muted", `${input.engines} engines`)}  ${sep}  ${style(t, "muted", elapsed(input.elapsedMs))}`,
 		""
 	];
+	if (input.findingAssessment) {
+		lines.push(...renderFindingAssessment(input.findingAssessment, t, sep));
+		lines.push("");
+	}
 	if (input.breakdown && input.breakdown.rows.length > 0) {
 		lines.push(` ${style(t, "bold", "Top findings")}`);
 		const maxCountWidth = input.breakdown.rows.reduce((w, r) => Math.max(w, String(r.errors + r.warnings + r.info).length), 0);
@@ -9790,112 +10363,7 @@ const renderCleanRun = (input, deps = {}) => {
 };
 
 //#endregion
-//#region src/utils/git.ts
-const MAX_BUFFER = 50 * 1024 * 1024;
-const getChangedFiles = (cwd, base) => {
-	const diff = spawnSync("git", [
-		"diff",
-		"--name-only",
-		"--diff-filter=ACMR",
-		base ?? "HEAD"
-	], {
-		cwd,
-		encoding: "utf-8",
-		maxBuffer: MAX_BUFFER
-	});
-	if (diff.error || diff.status !== 0) return [];
-	const untracked = spawnSync("git", [
-		"ls-files",
-		"--others",
-		"--exclude-standard"
-	], {
-		cwd,
-		encoding: "utf-8",
-		maxBuffer: MAX_BUFFER
-	});
-	const names = /* @__PURE__ */ new Set();
-	for (const line of diff.stdout.split("\n")) if (line.length > 0) names.add(line);
-	if (!untracked.error && untracked.status === 0) {
-		for (const line of untracked.stdout.split("\n")) if (line.length > 0) names.add(line);
-	}
-	return Array.from(names).map((f) => path.resolve(cwd, f));
-};
-const getStagedFiles = (cwd) => {
-	const result = spawnSync("git", [
-		"diff",
-		"--cached",
-		"--name-only",
-		"--diff-filter=ACMR"
-	], {
-		cwd,
-		encoding: "utf-8",
-		maxBuffer: MAX_BUFFER
-	});
-	if (result.error || result.status !== 0) return [];
-	return result.stdout.split("\n").filter((f) => f.length > 0).map((f) => path.resolve(cwd, f));
-};
-
-//#endregion
-//#region src/utils/history.ts
-const HISTORY_FILE = "history.jsonl";
-const isHistoryDisabled = (env = process.env) => env.AISLOP_NO_HISTORY === "1";
-const historyPath = (directory) => path.join(path.resolve(directory), CONFIG_DIR, HISTORY_FILE);
-/**
-* Append a compact scan record to .aislop/history.jsonl. Best-effort: never
-* throws, so a read-only checkout or missing config dir can't break a scan.
-*/
-const appendHistory = (input) => {
-	if (isHistoryDisabled()) return;
-	const configDir = path.join(path.resolve(input.directory), CONFIG_DIR);
-	if (!fs.existsSync(configDir)) return;
-	const record = {
-		timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-		score: input.score,
-		errors: input.errors,
-		warnings: input.warnings,
-		files: input.files,
-		cliVersion: APP_VERSION
-	};
-	try {
-		fs.appendFileSync(historyPath(input.directory), `${JSON.stringify(record)}\n`);
-	} catch {}
-};
-
-//#endregion
-//#region src/commands/scan-coverage.ts
-const coverageReason = (c) => {
-	if (c.supportedFiles === 0 && c.dominantUnsupported) return `This repository is ${c.dominantUnsupported} (${c.unsupportedFiles} files), which aislop does not analyze. No score — it would not reflect this code.`;
-	if (c.supportedFiles === 0) return "No files in a language aislop analyzes (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Java). Nothing to score.";
-	const lang = c.dominantUnsupported ?? "an unsupported language";
-	const files = `${c.supportedFiles} supported file${c.supportedFiles === 1 ? "" : "s"}`;
-	return `This repository is mostly ${lang} (${c.unsupportedFiles} files); aislop analyzed only ${files}. Score withheld — it would represent a sliver of the codebase.`;
-};
-const renderCoverageNotice = (projectInfo, includeHeader) => {
-	const deps = {
-		theme: createTheme(),
-		symbols: createSymbols({ plain: false })
-	};
-	return `${includeHeader === false ? "" : renderHeader({
-		version: APP_VERSION,
-		command: "scan",
-		context: [
-			projectInfo.projectName,
-			projectInfo.languages[0] ?? "unknown",
-			`${projectInfo.sourceFileCount} files`
-		],
-		brand: true
-	}, deps)}  ${coverageReason(projectInfo.coverage)}\n\n`;
-};
-
-//#endregion
-//#region src/commands/scan-exit-code.ts
-const computeScanExitCode = (opts) => opts.hasErrors || opts.scoreable && opts.score < opts.failBelow ? 1 : 0;
-
-//#endregion
-//#region src/commands/scan.ts
-const isMachineOutput = (options) => Boolean(options.json) || Boolean(options.sarif);
-const shouldUseSpinner = () => Boolean(process.stderr.isTTY) && process.env.CI !== "true" && process.env.CI !== "1";
-const ALL_ENGINE_NAMES = Object.keys(ENGINE_INFO);
+//#region src/commands/scan-render.ts
 const BREAKDOWN_TOP_N = 10;
 const computeBreakdown = (diagnostics) => {
 	const byRule = /* @__PURE__ */ new Map();
@@ -9937,7 +10405,7 @@ const buildScanRender = (input) => {
 	const invocation = detectInvocation();
 	const header = input.includeHeader === false ? "" : renderHeader({
 		version: APP_VERSION,
-		command: "scan",
+		command: "Scan result",
 		context: [
 			input.projectName,
 			input.language,
@@ -9980,9 +10448,16 @@ const buildScanRender = (input) => {
 		elapsedMs: input.elapsedMs,
 		nextSteps,
 		breakdown: computeBreakdown(input.diagnostics),
+		findingAssessment: summarizeFindingAssessments(input.diagnostics),
 		thresholds: input.thresholds
 	}, deps)}${starCta}`;
 };
+
+//#endregion
+//#region src/commands/scan.ts
+const isMachineOutput = (options) => Boolean(options.json) || Boolean(options.sarif);
+const shouldUseSpinner = () => Boolean(process.stderr.isTTY) && process.env.CI !== "true" && process.env.CI !== "1";
+const ALL_ENGINE_NAMES = Object.keys(ENGINE_INFO);
 const scanCommand = async (directory, config, options) => {
 	const resolvedDir = path.resolve(directory);
 	if (!fs.existsSync(resolvedDir)) {
@@ -9997,6 +10472,12 @@ const scanCommand = async (directory, config, options) => {
 		else log.error(msg);
 		return { exitCode: 1 };
 	}
+	if (options.changes && options.base && !baseRefExists(resolvedDir, options.base)) {
+		const msg = `Could not resolve base ref "${options.base}". Make sure it exists and was fetched (e.g. \`git fetch origin ${options.base}\`).`;
+		if (options.json) console.log(JSON.stringify({ error: msg }, null, 2));
+		else log.error(msg);
+		return { exitCode: 1 };
+	}
 	const projectInfo = await discoverProject(resolvedDir, [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)]);
 	return withCommandLifecycle({
 		command: options.command ?? "scan",
@@ -10010,14 +10491,30 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	const showHeader = options.showHeader !== false;
 	const machineOutput = isMachineOutput(options);
 	const useLiveProgress = !machineOutput && shouldUseSpinner();
+	const projectName = projectInfo.projectName ?? "project";
+	const language = projectInfo.languages[0] ?? "unknown";
+	const printedHumanHeader = !machineOutput && showHeader;
+	if (printedHumanHeader) process.stdout.write(renderHeader({
+		version: APP_VERSION,
+		command: "Scan result",
+		context: [
+			projectName,
+			language,
+			`${projectInfo.sourceFileCount} files`
+		],
+		brand: options.printBrand !== false
+	}));
 	const excludePatterns = [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)];
 	let files;
 	if (options.staged) {
 		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} staged file(s)`);
 	} else if (options.changes) {
-		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir), [], excludePatterns);
-		if (!machineOutput) log.muted(`Scope: ${files.length} changed file(s)`);
+		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir, options.base), [], excludePatterns);
+		if (!machineOutput) {
+			const scope = options.base ? `changed vs ${options.base}` : "changed";
+			log.muted(`Scope: ${files.length} ${scope} file(s)`);
+		}
 	} else {
 		files = filterProjectFiles(resolvedDir, listProjectFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} file(s) after exclusions`);
@@ -10080,7 +10577,7 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	if (suppressedCount > 0 && !machineOutput) log.muted(`Suppressed ${suppressedCount} finding(s) via aislop-ignore directives`);
 	const allDiagnostics = results.flatMap((r) => r.diagnostics);
 	const elapsedMs = performance.now() - startTime;
-	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
+	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing, config.scoring.maxPerRule);
 	const scoreable = projectInfo.coverage.scoreable;
 	const exitCode = computeScanExitCode({
 		hasErrors: allDiagnostics.some((d) => d.severity === "error"),
@@ -10106,19 +10603,19 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		engineTimings
 	};
 	if (options.sarif) {
-		const { buildSarifLog } = await import("./sarif-cy5SiDDq.js");
+		const { buildSarifLog } = await import("./sarif-BXUicqQU.js");
 		console.log(JSON.stringify(buildSarifLog(results), null, 2));
 		return completion;
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-B01i-GOz.js");
+		const { buildJsonOutput } = await import("./json-0lJPTrwO.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs, projectInfo.coverage);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return completion;
 	}
 	if (!scoreable) {
 		if (!machineOutput) {
-			process.stdout.write(renderCoverageNotice(projectInfo, showHeader));
+			process.stdout.write(renderCoverageNotice(projectInfo, !printedHumanHeader && showHeader));
 			if (allDiagnostics.length > 0) process.stdout.write(renderDiagnostics(allDiagnostics, options.verbose ?? false));
 		}
 		return completion;
@@ -10130,8 +10627,6 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		warnings: completion.warningCount,
 		files: projectInfo.sourceFileCount
 	});
-	const projectName = projectInfo.projectName ?? "project";
-	const language = projectInfo.languages[0] ?? "unknown";
 	process.stdout.write(buildScanRender({
 		projectName,
 		language,
@@ -10142,7 +10637,7 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		elapsedMs,
 		thresholds: config.scoring.thresholds,
 		verbose: options.verbose,
-		includeHeader: showHeader,
+		includeHeader: !printedHumanHeader && showHeader,
 		printBrand: options.printBrand
 	}));
 	return completion;
@@ -10185,7 +10680,7 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 	const projectName = projectInfo.projectName ?? "project";
 	if (showHeader) process.stdout.write(renderHeader({
 		version: APP_VERSION,
-		command: "fix",
+		command: "Fix run",
 		context: [projectName],
 		brand: options.printBrand !== false
 	}));
@@ -10243,10 +10738,11 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 		label: "Verification complete"
 	});
 	const allDiagnostics = scanResults.flatMap((r) => r.diagnostics);
-	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
+	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing, config.scoring.maxPerRule);
 	const errors = allDiagnostics.filter((d) => d.severity === "error").length;
 	const warnings = allDiagnostics.filter((d) => d.severity === "warning").length;
 	const remaining = errors + warnings;
+	const actionableDiagnostics = allDiagnostics.filter((d) => d.severity !== "info");
 	if (steps.length === 0) rail.complete({
 		status: "skipped",
 		label: "No applicable auto-fixers found"
@@ -10264,7 +10760,7 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 			language,
 			fileCount: projectInfo.sourceFileCount,
 			results: scanResults,
-			diagnostics: allDiagnostics,
+			diagnostics: actionableDiagnostics,
 			score: scoreResult,
 			elapsedMs: performance.now() - startTime,
 			thresholds: config.scoring.thresholds,
@@ -10274,7 +10770,7 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 		}));
 	}
 	if (options.agent) {
-		launchAgent(options.agent, resolvedDir, allDiagnostics, scoreResult.score);
+		launchAgent(options.agent, resolvedDir, actionableDiagnostics, scoreResult.score);
 		return {
 			exitCode: 0,
 			score: scoreResult.score,
@@ -10283,7 +10779,7 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 		};
 	}
 	if (options.prompt) {
-		printPrompt(resolvedDir, allDiagnostics, scoreResult.score);
+		printPrompt(resolvedDir, actionableDiagnostics, scoreResult.score);
 		return {
 			exitCode: 0,
 			score: scoreResult.score,
@@ -10311,7 +10807,7 @@ const buildInitSuccessRender = (input) => {
 	};
 	const header = input.includeHeader === false ? "" : renderHeader({
 		version: APP_VERSION,
-		command: "init",
+		command: "Setup",
 		context: [],
 		brand: input.printBrand !== false
 	}, deps);
@@ -10446,7 +10942,8 @@ const writeAislopConfig = (configDir, configPath, choices) => {
 		scoring: {
 			weights: { ...DEFAULT_CONFIG.scoring.weights },
 			thresholds: { ...DEFAULT_CONFIG.scoring.thresholds },
-			smoothing: DEFAULT_CONFIG.scoring.smoothing
+			smoothing: DEFAULT_CONFIG.scoring.smoothing,
+			maxPerRule: DEFAULT_CONFIG.scoring.maxPerRule
 		},
 		ci: {
 			failBelow: choices.failBelow,
@@ -10462,7 +10959,7 @@ const initCommand = async (directory, options = {}) => {
 	const printBrand = options.printBrand !== false;
 	process.stdout.write(renderHeader({
 		version: APP_VERSION,
-		command: "init",
+		command: "Setup",
 		context: [],
 		brand: printBrand
 	}));
@@ -10527,13 +11024,254 @@ const initCommand = async (directory, options = {}) => {
 	}));
 };
 
+//#endregion
+//#region src/ui/search-select.ts
+const silentOutput = new Writable({ write(_chunk, _encoding, callback) {
+	callback();
+} });
+const filterSearchItems = (items, query) => {
+	const q = query.trim().toLowerCase();
+	if (q.length === 0) return items;
+	return items.map((item, index) => {
+		const label = item.label.toLowerCase();
+		const value = String(item.value).toLowerCase();
+		const hint = item.hint?.toLowerCase() ?? "";
+		const keywords = (item.keywords ?? []).join(" ").toLowerCase();
+		const haystack = [
+			label,
+			value,
+			hint,
+			keywords
+		].filter((v) => v.length > 0).join(" ");
+		if (!q.split(/\s+/).every((part) => haystack.includes(part))) return null;
+		let rank = 80;
+		if (label === q || value === q) rank = 0;
+		else if (label.startsWith(q) || value.startsWith(q)) rank = 10;
+		else if (label.includes(q) || value.includes(q)) rank = 20;
+		else if (keywords.includes(q)) rank = 40;
+		else if (hint.includes(q)) rank = 60;
+		return {
+			item,
+			index,
+			rank
+		};
+	}).filter((entry) => entry !== null).sort((a, b) => {
+		if (a.rank !== b.rank) return a.rank - b.rank;
+		return a.index - b.index;
+	}).map((entry) => entry.item);
+};
+const countRows = (lines, columns) => {
+	const width = columns && columns > 0 ? columns : 80;
+	return lines.reduce((sum, line) => sum + Math.max(1, Math.ceil(stringWidth(line) / width)), 0);
+};
+const renderSearchLines = (options) => {
+	const maxVisible = options.maxVisible ?? 8;
+	const filtered = filterSearchItems(options.items, options.query);
+	const cursor = Math.max(0, Math.min(options.cursor, Math.max(0, filtered.length - 1)));
+	const start = Math.max(0, Math.min(cursor - Math.floor(maxVisible / 2), filtered.length - maxVisible));
+	const visible = filtered.slice(start, start + maxVisible);
+	const lines = [];
+	const marker = options.state === "cancel" ? style(theme, "danger", symbols.fail) : options.state === "submit" ? style(theme, "success", symbols.stepDone) : style(theme, "accent", symbols.stepActive);
+	lines.push(` ${marker} ${style(theme, "bold", options.message)}`);
+	if (options.state === "cancel") {
+		lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", "Cancelled")}`);
+		return lines;
+	}
+	if (options.state === "submit") {
+		const selected = options.items.filter((item) => options.selected.has(item.value));
+		const label = selected.length > 0 ? selected.map((item) => item.label).join(", ") : "No selection";
+		lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", label)}`);
+		return lines;
+	}
+	lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", "Search:")} ${options.query}${style(theme, "dim", "_")}`);
+	lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", options.mode === "multi" ? "type to filter, arrows move, space toggles, enter confirms" : "type to filter, arrows move, enter selects")}`);
+	lines.push(` ${style(theme, "muted", symbols.rail)}`);
+	if (visible.length === 0) lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", "No matches")}`);
+	else for (const [offset, item] of visible.entries()) {
+		const active = start + offset === cursor;
+		const selected = options.selected.has(item.value);
+		const pointer = active ? style(theme, "info", symbols.engineActive) : " ";
+		const radio = options.mode === "multi" ? selected ? style(theme, "success", symbols.pass) : style(theme, "muted", symbols.pending) : active ? style(theme, "accent", symbols.bullet) : style(theme, "muted", symbols.pending);
+		const label = active ? style(theme, "bold", item.label) : item.label;
+		const hint = item.hint ? ` ${style(theme, "muted", truncate(item.hint, 72))}` : "";
+		lines.push(` ${style(theme, "muted", symbols.rail)} ${pointer} ${radio} ${label}${hint}`);
+	}
+	const hiddenBefore = start;
+	const hiddenAfter = Math.max(0, filtered.length - (start + visible.length));
+	if (hiddenBefore > 0 || hiddenAfter > 0) {
+		const parts = [];
+		if (hiddenBefore > 0) parts.push(`up ${hiddenBefore} more`);
+		if (hiddenAfter > 0) parts.push(`down ${hiddenAfter} more`);
+		lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "muted", parts.join(" · "))}`);
+	}
+	if (options.mode === "multi") {
+		const picked = options.items.filter((item) => options.selected.has(item.value));
+		const summary = picked.length === 0 ? "Selected: none" : picked.length <= 3 ? `Selected: ${picked.map((item) => item.label).join(", ")}` : `Selected: ${picked.slice(0, 3).map((item) => item.label).join(", ")} +${picked.length - 3} more`;
+		lines.push(` ${style(theme, "muted", symbols.rail)}`);
+		lines.push(` ${style(theme, "muted", symbols.rail)} ${style(theme, "success", summary)}`);
+	}
+	lines.push(` ${style(theme, "muted", symbols.railEnd)}`);
+	return lines;
+};
+const runSearchPrompt = async (options) => {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return options.mode === "multi" ? options.initialSelected ?? [] : null;
+	return new Promise((resolve) => {
+		const rl = readline.createInterface({
+			input: process.stdin,
+			output: silentOutput,
+			terminal: false
+		});
+		readline.emitKeypressEvents(process.stdin, rl);
+		process.stdin.setRawMode(true);
+		let query = "";
+		let cursor = 0;
+		let lastRows = 0;
+		const selected = new Set(options.initialSelected ?? []);
+		const clear = () => {
+			if (lastRows === 0) return;
+			process.stdout.write(`\x1b[${lastRows}A`);
+			for (let i = 0; i < lastRows; i++) process.stdout.write("\x1B[2K\x1B[1B");
+			process.stdout.write(`\x1b[${lastRows}A`);
+		};
+		const render = (state = "active") => {
+			clear();
+			const lines = renderSearchLines({
+				...options,
+				query,
+				cursor,
+				selected,
+				state
+			});
+			process.stdout.write(`${lines.join("\n")}\n`);
+			lastRows = countRows(lines, process.stdout.columns);
+		};
+		const cleanup = () => {
+			process.stdin.removeListener("keypress", onKeypress);
+			process.stdin.setRawMode(false);
+			rl.close();
+		};
+		const submit = () => {
+			const item = filterSearchItems(options.items, query)[cursor];
+			if (options.mode === "single") {
+				if (!item) {
+					if (options.required) return;
+					render("cancel");
+					cleanup();
+					resolve(null);
+					return;
+				}
+				selected.clear();
+				selected.add(item.value);
+				render("submit");
+				cleanup();
+				resolve(item.value);
+				return;
+			}
+			if (options.required && selected.size === 0) return;
+			render("submit");
+			cleanup();
+			resolve([...selected]);
+		};
+		const cancel = () => {
+			render("cancel");
+			cleanup();
+			resolve(null);
+		};
+		const onKeypress = (_str, key) => {
+			if (!key) return;
+			const filtered = filterSearchItems(options.items, query);
+			if (key.name === "return") {
+				submit();
+				return;
+			}
+			if (key.name === "escape" || key.ctrl && key.name === "c") {
+				cancel();
+				return;
+			}
+			if (key.name === "up") {
+				cursor = Math.max(0, cursor - 1);
+				render();
+				return;
+			}
+			if (key.name === "down") {
+				cursor = Math.min(Math.max(0, filtered.length - 1), cursor + 1);
+				render();
+				return;
+			}
+			if (key.name === "space" && options.mode === "multi") {
+				const item = filtered[cursor];
+				if (item) if (selected.has(item.value)) selected.delete(item.value);
+				else selected.add(item.value);
+				render();
+				return;
+			}
+			if (key.name === "backspace") {
+				query = query.slice(0, -1);
+				cursor = 0;
+				render();
+				return;
+			}
+			if (key.sequence && !key.ctrl && !key.meta && key.sequence.length === 1) {
+				query += key.sequence;
+				cursor = 0;
+				render();
+			}
+		};
+		process.stdin.on("keypress", onKeypress);
+		render();
+	});
+};
+const searchSelect = async (options) => await runSearchPrompt({
+	...options,
+	mode: "single"
+});
+
 //#endregion
 //#region src/commands/rules.ts
+const ENGINE_PRESENTATION = {
+	"ai-slop": {
+		label: "AI Slop",
+		summary: "Generated-code leftovers: vague comments, unsafe casts, stubs, swallowed errors.",
+		order: 10
+	},
+	security: {
+		label: "Security",
+		summary: "Secrets, injection, XSS, shell execution, and vulnerable dependencies.",
+		order: 20
+	},
+	"code-quality": {
+		label: "Code Quality",
+		summary: "Dead code, duplicate code, complexity, and dependency hygiene.",
+		order: 30
+	},
+	format: {
+		label: "Format",
+		summary: "Formatter and import-order checks that aislop can usually fix.",
+		order: 40
+	},
+	lint: {
+		label: "Lint",
+		summary: "Language linter and compiler findings from bundled or system tools.",
+		order: 50
+	},
+	architecture: {
+		label: "Architecture",
+		summary: "Project-specific import and layering rules from .aislop/rules.yml.",
+		order: 60
+	}
+};
+const presentationFor = (engine) => ENGINE_PRESENTATION[engine] ?? {
+	label: engine,
+	summary: "Project-specific rules.",
+	order: 100
+};
+const severityLabel = (severity) => severity === "warning" ? "warn" : severity;
+const fixModeLabel = (fixable) => fixable ? "auto" : "review";
 const buildRulesRender = (input) => {
-	const header = renderHeader({
+	const header = input.includeHeader === false ? "" : renderHeader({
 		version: APP_VERSION,
-		command: "rules",
-		context: [],
+		command: "Rules catalog",
+		context: [`${input.rules.length} checks`],
 		brand: input.printBrand !== false
 	});
 	const byEngine = /* @__PURE__ */ new Map();
@@ -10542,23 +11280,50 @@ const buildRulesRender = (input) => {
 		list.push(r);
 		byEngine.set(r.engine, list);
 	}
-	const engines = [...byEngine.keys()].sort();
+	const engines = [...byEngine.keys()].sort((a, b) => {
+		const pa = presentationFor(a);
+		const pb = presentationFor(b);
+		if (pa.order !== pb.order) return pa.order - pb.order;
+		return pa.label.localeCompare(pb.label);
+	});
 	const idWidth = Math.max(20, ...input.rules.map((r) => r.id.length));
-	const lines = [];
+	const lines = [` ${style(theme, "muted", "auto = aislop fix can change it; review = inspect and fix with a developer or agent.")}`, ""];
 	for (const engine of engines) {
-		lines.push(` ${style(theme, "accent", engine)}`);
+		const presentation = presentationFor(engine);
+		lines.push(` ${style(theme, "accent", presentation.label)}`);
+		lines.push(`   ${style(theme, "muted", presentation.summary)}`);
+		lines.push(`   ${style(theme, "dim", padEnd("Rule ID", idWidth))}  ${style(theme, "dim", "Sev")}    ${style(theme, "dim", "Fix")}     ${style(theme, "dim", "Meaning")}`);
 		const rules = (byEngine.get(engine) ?? []).sort((a, b) => a.id.localeCompare(b.id));
 		for (const r of rules) {
-			const severity = style(theme, r.severity === "error" ? "danger" : "warn", padEnd(r.severity, 8));
-			const fixable = r.fixable ? style(theme, "accent", "fixable") : style(theme, "muted", "manual");
-			lines.push(`   ${padEnd(r.id, idWidth)}  ${severity}  ${fixable}`);
+			const severityText = severityLabel(r.severity);
+			const severity = style(theme, r.severity === "error" ? "danger" : "warn", padEnd(severityText, 5));
+			const fixable = r.fixable ? style(theme, "accent", padEnd("auto", 6)) : style(theme, "muted", padEnd("review", 6));
+			lines.push(`   ${padEnd(r.id, idWidth)}  ${severity}  ${fixable}  ${descriptionForRule(r.id)}`);
 		}
 		lines.push("");
 	}
 	const invocation = input.invocation ?? detectInvocation();
-	const tail = renderHintLine(`Run ${invocation} scan to apply these rules`) + renderHintLine(`Run ${invocation} init to customize which engines are enabled`);
+	const tail = renderHintLine(`Run ${invocation} scan to check your project against these rules`) + renderHintLine(`Run ${invocation} init to choose engines and CI settings`);
 	return `${header}${lines.join("\n")}\n${tail}`;
 };
+const buildRuleDetailRender = (rule, input = {}) => {
+	const presentation = presentationFor(rule.engine);
+	const header = input.includeHeader === false ? "" : renderHeader({
+		version: APP_VERSION,
+		command: "Rule detail",
+		context: [presentation.label],
+		brand: input.printBrand !== false
+	});
+	const rows = [
+		["Rule", rule.id],
+		["Engine", `${presentation.label} — ${presentation.summary}`],
+		["Severity", severityLabel(rule.severity)],
+		["Fix", `${fixModeLabel(rule.fixable)}${rule.fixable ? " (aislop fix can change it)" : " (review and fix intentionally)"}`],
+		["Meaning", descriptionForRule(rule.id)]
+	];
+	const labelWidth = Math.max(...rows.map(([label]) => label.length));
+	return `${header}${rows.map(([label, value]) => ` ${style(theme, "muted", padEnd(label, labelWidth))}  ${style(theme, label === "Severity" && rule.severity === "error" ? "danger" : "fg", value)}`).join("\n")}\n\n${renderHintLine(rule.fixable ? "Run aislop fix to apply the automatic fix" : "Use the meaning above to fix or review the finding")}`;
+};
 const AI_SLOP_FIXABLE = new Set([
 	"ai-slop/trivial-comment",
 	"ai-slop/unused-import",
@@ -10691,7 +11456,7 @@ const toRuleEntry = (engine, ruleId) => {
 		fixable: false
 	};
 };
-const rulesCommand = async (directory, options = {}) => {
+const collectRuleEntries = (directory) => {
 	const resolvedDir = path.resolve(directory);
 	const entries = [];
 	for (const { engine, rules } of BUILTIN_RULES) for (const rule of rules) entries.push(toRuleEntry(engine, rule));
@@ -10705,6 +11470,41 @@ const rulesCommand = async (directory, options = {}) => {
 			fixable: false
 		});
 	}
+	return entries;
+};
+const runRulesExplorer = async (entries, options) => {
+	const selected = await searchSelect({
+		message: "Search rules",
+		items: entries.map((rule) => {
+			const presentation = presentationFor(rule.engine);
+			return {
+				value: rule,
+				label: rule.id,
+				hint: `${presentation.label} · ${severityLabel(rule.severity)} · ${descriptionForRule(rule.id)}`,
+				keywords: [
+					presentation.label,
+					rule.engine,
+					rule.severity,
+					fixModeLabel(rule.fixable),
+					descriptionForRule(rule.id)
+				]
+			};
+		}),
+		maxVisible: 10,
+		required: true
+	});
+	if (selected === null) return;
+	process.stdout.write(`${buildRuleDetailRender(selected, {
+		printBrand: options.printBrand,
+		includeHeader: true
+	})}\n`);
+};
+const rulesCommand = async (directory, options = {}) => {
+	const entries = collectRuleEntries(directory);
+	if (options.interactive && process.stdin.isTTY && process.stdout.isTTY) {
+		await runRulesExplorer(entries, options);
+		return;
+	}
 	process.stdout.write(`${buildRulesRender({
 		rules: entries,
 		invocation: detectInvocation(),
@@ -10713,4 +11513,4 @@ const rulesCommand = async (directory, options = {}) => {
 };
 
 //#endregion
-export { buildDoctorRender, buildInitSuccessRender, buildRulesRender, calculateScore, discoverProject, doctorCommand, fixCommand, initCommand, loadConfig, rulesCommand, scanCommand };
+export { buildDoctorRender, buildInitSuccessRender, buildRuleDetailRender, buildRulesRender, calculateScore, discoverProject, doctorCommand, fixCommand, initCommand, loadConfig, rulesCommand, scanCommand };