npm - aislop - Versions diffs - 0.10.2 → 0.11.0 - Mend

aislop 0.10.2 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +151 -69
package/dist/cli.js +1803 -374
package/dist/{expo-doctor-T4DswmX5.js → expo-doctor-BM2JR6f6.js} +1 -1
package/dist/{expo-doctor-c-jE6pR2.js → expo-doctor-BwLKXF__.js} +2 -2
package/dist/finding-assessment-PCl1fnok.js +149 -0
package/dist/{generic-BsQa13CS.js → generic-D_T4cUaC.js} +1 -1
package/dist/index.d.ts +10 -2
package/dist/index.js +1015 -215
package/dist/{json-B01i-GOz.js → json-0lJPTrwO.js} +5 -3
package/dist/{json-CXV4D0Ib.js → json-pHsqtKkz.js} +4 -2
package/dist/mcp.js +540 -97
package/dist/{sarif-cy5SiDDq.js → sarif-BXUicqQU.js} +1 -1
package/dist/{sarif-CZVuavf_.js → sarif-CjxSBcqx.js} +1 -1
package/dist/{typecheck-BdQ7uFyK.js → typecheck-DQSzG8fX.js} +1 -1
package/dist/{typecheck-wVSohmOX.js → typecheck-yOGXIIGU.js} +1 -1
package/dist/version-BJA3AcRM.js +7 -0
package/package.json +2 -2
package/dist/engine-info-Cpt36DqZ.js +0 -31
package/dist/version-BfJVwhN2.js +0 -5
/package/dist/{subprocess-0uXz8HdE.js → subprocess-CQUJDGgn.js} +0 -0

package/dist/mcp.js CHANGED Viewed

@@ -16,10 +16,6 @@ import { fileURLToPath } from "node:url";
 import os from "node:os";
 import { randomUUID } from "node:crypto";
-//#region src/version.ts
-const APP_VERSION = "0.10.2";
-//#endregion
 //#region src/config/defaults.ts
 const DEFAULT_CONFIG = {
 	version: 1,
@@ -63,7 +59,8 @@ const DEFAULT_CONFIG = {
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	},
 	ci: {
 		failBelow: 70,
@@ -72,22 +69,6 @@ const DEFAULT_CONFIG = {
 	telemetry: { enabled: true },
 	rules: {}
 };
-const DEFAULT_GITHUB_WORKFLOW_YAML = `name: aislop
-on:
-  push:
-    branches: [main]
-  pull_request:
-jobs:
-  quality-gate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: scanaislop/aislop@v${APP_VERSION}
-        with:
-          version: ${APP_VERSION}
-`;
 //#endregion
 //#region src/config/extends.ts
@@ -170,7 +151,8 @@ const ScoringSchema = z$1.object({
 		good: 75,
 		ok: 50
 	})),
-	smoothing: z$1.number().nonnegative().default(20)
+	smoothing: z$1.number().nonnegative().default(20),
+	maxPerRule: z$1.number().positive().default(40)
 });
 const CiSchema = z$1.object({
 	failBelow: z$1.number().default(70),
@@ -210,7 +192,8 @@ const AislopConfigSchema = z$1.object({
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	})),
 	ci: CiSchema.default(() => ({
 		failBelow: 70,
@@ -979,8 +962,8 @@ const PHP_DECL_START = /^\s*(?:(?:public|private|protected|static|final|abstract
 //#endregion
 //#region src/engines/ai-slop/non-production-paths.ts
-const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
-const BASENAME_PATTERN = /(?:^|\/)(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example)\.[mc]?[jt]sx?$/i;
+const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|prototypes?|experiments?|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
+const BASENAME_PATTERN = /(?:^|\/)(?:(?:prototype|experiment)(?:[-_.][^/]*)?|(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*)\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example|prototype|experiment)\.[mc]?[jt]sx?$/i;
 const isNonProductionPath = (relativePath) => DIR_PATTERN.test(relativePath) || BASENAME_PATTERN.test(relativePath);
 //#endregion
@@ -1096,7 +1079,7 @@ const JS_EXTENSIONS$3 = new Set([
 	".mjs",
 	".cjs"
 ]);
-const CONSOLE_LOG_PATTERN = /\bconsole\.(?:log|debug|info|trace|dir|table)\s*\(/;
+const CONSOLE_CALL_PATTERN = /\bconsole\.(log|debug|info|trace|dir|table)\s*\(/;
 const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	filePath,
 	engine: "ai-slop",
@@ -1110,20 +1093,35 @@ const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	fixable
 });
 const LOGGER_FILE_PATTERN = /(?:^|\/)(?:logger|logging|log)\.[^/]+$/i;
+const CLI_ENTRYPOINT_PATTERN = /(?:^|\/)(?:cli|cli[-_.][^/]*|[^/]+[-_]cli)\.[mc]?[jt]sx?$/i;
+const ENTRYPOINT_GUARD_PATTERN = /\b(?:import\.meta\.main|require\.main\s*===\s*module)\b/;
+const OPERATIONAL_LOG_PATTERN = /\bconsole\.(?:log|info)\s*\(\s*(?:`|["'])\s*\[[^\]\n]{1,48}\]/;
+const DEBUG_SIGNAL_PATTERN = /\b(?:debug|dbg|trace|dump|inspect|todo|tmp|temp|remove\s+me|leftover|here|checkpoint)\b/i;
+const shouldFlagConsoleCall = (trimmed) => {
+	const match = CONSOLE_CALL_PATTERN.exec(trimmed);
+	if (!match) return false;
+	const method = match[1];
+	if (method === "trace" || method === "dir" || method === "table") return true;
+	if (method === "debug") return DEBUG_SIGNAL_PATTERN.test(trimmed) || !OPERATIONAL_LOG_PATTERN.test(trimmed);
+	if (method === "info" || method === "log") {
+		if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) return false;
+		if (OPERATIONAL_LOG_PATTERN.test(trimmed)) return false;
+		return true;
+	}
+	return false;
+};
 const detectConsoleLeftovers = (content, relativePath, ext) => {
 	if (!JS_EXTENSIONS$3.has(ext)) return [];
 	if (LOGGER_FILE_PATTERN.test(relativePath)) return [];
-	if (isNonProductionPath(relativePath)) return [];
+	if (isNonProductionPath(relativePath) || CLI_ENTRYPOINT_PATTERN.test(relativePath)) return [];
+	if (content.startsWith("#!")) return [];
+	if (ENTRYPOINT_GUARD_PATTERN.test(content)) return [];
 	const diagnostics = [];
 	const lines = content.split("\n");
 	for (let i = 0; i < lines.length; i++) {
 		const trimmed = lines[i].trim();
 		if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
-		if (CONSOLE_LOG_PATTERN.test(trimmed)) {
-			if (/console\.(?:error|warn)\s*\(/.test(trimmed)) continue;
-			if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) continue;
-			diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
-		}
+		if (shouldFlagConsoleCall(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
 	}
 	return diagnostics;
 };
@@ -1151,6 +1149,7 @@ const isGuardedSingleLineExit = (lines, lineIndex) => {
 	const control = contextLines.join(" ");
 	return /(?:^|[}\s])(?:if|else\s+if|for|while)\s*\(/.test(control) && !/{\s*$/.test(control);
 };
+const isPropertyNoopAssignment = (trimmed) => /^(?:[\w$]+\.)+[\w$]+\s*=\s*(?:function\s*)?\([^)]*\)\s*(?:=>)?\s*\{\s*\}\s*;?$/.test(trimmed);
 const detectTodoStubs = (content, relativePath) => {
 	const diagnostics = [];
 	const lines = content.split("\n");
@@ -1172,7 +1171,7 @@ const detectDeadCodePatterns = (content, relativePath, ext) => {
 		const nextLine = i + 1 < lines.length ? lines[i + 1]?.trim() : void 0;
 		if (JS_EXTENSIONS$3.has(ext) && /^(?:return|throw)\b/.test(trimmed) && trimmed.endsWith(";") && nextLine && nextLine.length > 0 && !isGuardedSingleLineExit(lines, i) && !isBlockCloserAfterReturn(nextLine) && !nextLine.startsWith("//") && !nextLine.startsWith("/*") && !nextLine.startsWith("case ") && !nextLine.startsWith("default:") && !nextLine.startsWith("if ") && !nextLine.startsWith("if(") && !nextLine.startsWith("else")) diagnostics.push(slop(relativePath, i + 2, "ai-slop/unreachable-code", "warning", "Code after return/throw statement is unreachable", "Remove the unreachable code or restructure the control flow", false));
 		if (/\bif\s*\(\s*(?:false|true|0|1)\s*\)/.test(trimmed) && !trimmed.startsWith("//") && !trimmed.startsWith("*") && !/["'`].*\bif\s*\(/.test(trimmed) && !/\/.*\bif\s*\(/.test(trimmed.replace(/\/\/.*$/, ""))) diagnostics.push(slop(relativePath, i + 1, "ai-slop/constant-condition", "warning", "Conditional with a constant value — likely debugging leftover", "Remove the constant condition or replace with proper logic", false));
-		if (JS_EXTENSIONS$3.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
+		if (JS_EXTENSIONS$3.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ") && !isPropertyNoopAssignment(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
 	}
 	return diagnostics;
 };
@@ -1670,7 +1669,7 @@ const JS_RESOLUTION_EXTENSIONS = [
 	"/index.js",
 	"/index.jsx"
 ];
-const readJson$2 = (filePath) => {
+const readJson$3 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -1685,7 +1684,7 @@ const buildAliasMatcher = (key) => {
 	return (spec) => spec.length >= before.length + after.length && spec.startsWith(before) && spec.endsWith(after);
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
-	const opts = readJson$2(configPath)?.compilerOptions;
+	const opts = readJson$3(configPath)?.compilerOptions;
 	if (!opts || typeof opts !== "object") return;
 	const configDir = path.dirname(configPath);
 	const paths = opts.paths;
@@ -1708,7 +1707,7 @@ const collectTsPathAliases = (rootDir, workspaceDirs) => {
 //#endregion
 //#region src/engines/ai-slop/js-workspaces.ts
-const readJson$1 = (filePath) => {
+const readJson$2 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -1728,7 +1727,7 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 			}
 		}
 	}
-	const lerna = readJson$1(path.join(rootDir, "lerna.json"));
+	const lerna = readJson$2(path.join(rootDir, "lerna.json"));
 	if (lerna && Array.isArray(lerna.packages)) {
 		for (const g of lerna.packages) if (typeof g === "string") globs.push(g);
 	}
@@ -2129,7 +2128,7 @@ const JS_EXTENSIONS$1 = new Set([
 	".cjs"
 ]);
 const PY_EXTENSIONS$2 = new Set([".py"]);
-const readJson = (filePath) => {
+const readJson$1 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -2173,7 +2172,7 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 			const full = path.join(dir, entry.name);
 			if (entry.isDirectory()) walk(full, depth + 1);
 			else if (entry.name === "package.json" && depth > 0) {
-				const wsPkg = readJson(full);
+				const wsPkg = readJson$1(full);
 				if (!wsPkg) continue;
 				if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 				addDepsFromPkg(wsPkg, jsDeps);
@@ -2185,13 +2184,13 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 const collectJsDeps = (rootDir, jsDeps) => {
 	const pkgPath = path.join(rootDir, "package.json");
 	if (!fs.existsSync(pkgPath)) return false;
-	const pkg = readJson(pkgPath);
+	const pkg = readJson$1(pkgPath);
 	if (!pkg || typeof pkg !== "object") return false;
 	addDepsFromPkg(pkg, jsDeps);
 	if (typeof pkg.name === "string") jsDeps.add(pkg.name);
 	const workspaceDirs = collectWorkspaceDirs(rootDir, pkg);
 	for (const wsDir of workspaceDirs) {
-		const wsPkg = readJson(path.join(wsDir, "package.json"));
+		const wsPkg = readJson$1(path.join(wsDir, "package.json"));
 		if (!wsPkg) continue;
 		if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 		addDepsFromPkg(wsPkg, jsDeps);
@@ -2220,7 +2219,11 @@ const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
 	"bun:",
-	"file:"
+	"file:",
+	"http:",
+	"https:",
+	"jsr:",
+	"npm:"
 ];
 const isJsVirtualModule = (spec, manifest) => {
 	if (VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p))) return true;
@@ -2349,7 +2352,7 @@ const checkPyImport = (spec, manifest) => {
 	return root;
 };
 const detectHallucinatedImports = async (context) => {
-	const rootPkg = readJson(path.join(context.rootDirectory, "package.json"));
+	const rootPkg = readJson$1(path.join(context.rootDirectory, "package.json"));
 	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
 	const manifest = loadManifest(context.rootDirectory);
 	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
@@ -2454,6 +2457,9 @@ const VENDOR_API_DOMAINS = [
 ];
 const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
 const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const PROVIDER_ID_RE = /^(?:price|prod|cus|sub|acct|org|app|tenant|workspace|project|client|key|tok|token|sk|pk)_[A-Za-z0-9][A-Za-z0-9_-]{7,}$/i;
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+const READABLE_KEY_RE = /^[a-z][a-z0-9]*(?:[_-][a-z0-9]+){2,}$/;
 const HARDCODED_URL_FINDING = {
 	rule: "ai-slop/hardcoded-url",
 	message: "Hardcoded environment URL in production code",
@@ -2491,8 +2497,10 @@ const safeUrlHost = (urlText) => {
 	}
 };
 const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const TEMPLATE_INTERPOLATION_START = "${";
 const shouldFlagUrlLiteral = (line, urlText) => {
 	if (isEnvBackedLine(line)) return false;
+	if (urlText.includes(TEMPLATE_INTERPOLATION_START) && /\bnew\s+URL\s*\(/.test(line)) return false;
 	const host = safeUrlHost(urlText);
 	if (!host) return false;
 	if (PLACEHOLDER_HOSTS.has(host)) return false;
@@ -2507,7 +2515,11 @@ const hasUsefulIdShape = (value) => {
 	if (ENV_VAR_NAME_RE.test(value)) return false;
 	if (/^https?:\/\//i.test(value)) return false;
 	if (/^[A-Za-z]+$/.test(value)) return false;
-	return /[0-9]/.test(value);
+	if (READABLE_KEY_RE.test(value) && !PROVIDER_ID_RE.test(value)) return false;
+	if (PROVIDER_ID_RE.test(value)) return true;
+	if (UUID_RE.test(value)) return true;
+	if (!/[0-9]/.test(value)) return false;
+	return value.length >= 24 && !/[_-]/.test(value) && /[a-z]/.test(value) && /[A-Z]/.test(value);
 };
 const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
 	const diagnostics = [];
@@ -4458,8 +4470,8 @@ const shouldIncludeIssue = (issueType, filePath) => {
 	return !filePath.replace(/\\/g, "/").includes(".github/workflows/");
 };
 const DEPENDENCY_HELP = {
-	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
-	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
+	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
 	unlisted: "This package is imported in code but not declared in package.json. Run `npm install` to add it.",
 	unresolved: "This import cannot be resolved. Check for typos or missing packages.",
 	binaries: "This binary is used but its package is not in package.json."
@@ -4766,7 +4778,7 @@ const parseBiomeJsonOutput = (output, rootDir) => {
 				rule: "formatting",
 				severity,
 				message,
-				help: "Run `npx aislop fix` to auto-format",
+				help: "Run `aislop fix` to auto-format",
 				line: entry.location?.start?.line ?? 0,
 				column: entry.location?.start?.column ?? 0,
 				category: "Format",
@@ -4795,7 +4807,7 @@ const FORMATTERS = {
 					rule: "rust-formatting",
 					severity: "warning",
 					message: "Rust file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format with rustfmt",
+					help: "Run `aislop fix` to auto-format with rustfmt",
 					line: parseInt(match[2], 10),
 					column: 0,
 					category: "Format",
@@ -4828,7 +4840,7 @@ const FORMATTERS = {
 					rule: offense.cop_name ?? "ruby-formatting",
 					severity: "warning",
 					message: offense.message ?? "Ruby formatting issue",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: offense.location?.start_line ?? 0,
 					column: offense.location?.start_column ?? 0,
 					category: "Format",
@@ -4859,7 +4871,7 @@ const FORMATTERS = {
 					rule: "php-formatting",
 					severity: "warning",
 					message: "PHP file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: 0,
 					column: 0,
 					category: "Format",
@@ -4903,7 +4915,7 @@ const runGofmt = async (context) => {
 			rule: "go-formatting",
 			severity: "warning",
 			message: "Go file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with gofmt",
+			help: "Run `aislop fix` to auto-format with gofmt",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -4995,7 +5007,7 @@ const parseRuffFormatOutput = (output, rootDir) => {
 			rule: "python-formatting",
 			severity: "warning",
 			message: "Python file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with ruff",
+			help: "Run `aislop fix` to auto-format with ruff",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -5273,6 +5285,7 @@ const AMBIENT_GLOBAL_DEPS = [
 const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
 const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
 const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const SUPABASE_FUNCTION_PATH_RE = /(?:^|\/)supabase\/functions\/[^/]+\/.+\.[cm]?[jt]sx?$/;
 const detectAmbientSources = (rootDir) => {
 	const found = /* @__PURE__ */ new Set();
 	const skipDirs = new Set([
@@ -5317,6 +5330,36 @@ const detectAmbientSources = (rootDir) => {
 const extractNoUndefIdentifier = (message) => {
 	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
 };
+const looksLikeChromeExtensionManifest = (filePath) => {
+	try {
+		const manifest = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+		return typeof manifest.manifest_version === "number" && ("background" in manifest || "content_scripts" in manifest || "permissions" in manifest);
+	} catch {
+		return false;
+	}
+};
+const chromeExtensionFileCache = /* @__PURE__ */ new Map();
+const isChromeExtensionFile = (rootDir, relativeFilePath) => {
+	const cacheKey = `${rootDir}:${relativeFilePath.split(path.sep).join("/")}`;
+	const cached = chromeExtensionFileCache.get(cacheKey);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	const root = path.resolve(rootDir);
+	let dir = path.dirname(path.resolve(absolute));
+	let matched = false;
+	while (true) {
+		const relativeToRoot = path.relative(root, dir);
+		if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot)) break;
+		if (looksLikeChromeExtensionManifest(path.join(dir, "manifest.json"))) {
+			matched = true;
+			break;
+		}
+		if (dir === root) break;
+		dir = path.dirname(dir);
+	}
+	chromeExtensionFileCache.set(cacheKey, matched);
+	return matched;
+};
 const isAmbientFalsePositive = (rule, message, sources) => {
 	if (rule !== "eslint/no-undef") return false;
 	const ident = extractNoUndefIdentifier(message);
@@ -5325,9 +5368,19 @@ const isAmbientFalsePositive = (rule, message, sources) => {
 	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
 	return false;
 };
+const isRuntimeGlobalFalsePositive = (rule, message, rootDir, relativeFilePath) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	const normalized = relativeFilePath.split(path.sep).join("/");
+	if (ident === "Deno" && SUPABASE_FUNCTION_PATH_RE.test(normalized)) return true;
+	if (ident === "chrome" && isChromeExtensionFile(rootDir, relativeFilePath)) return true;
+	return false;
+};
 const sstReferencedFiles = /* @__PURE__ */ new Map();
 const clearSstReferenceCache = () => {
 	sstReferencedFiles.clear();
+	chromeExtensionFileCache.clear();
 };
 const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
 	const cached = sstReferencedFiles.get(relativeFilePath);
@@ -5379,6 +5432,32 @@ const collectPackageNames = (dir) => {
 	}
 	return names;
 };
+const readJson = (filePath) => {
+	const raw = readTextFile$1(filePath);
+	if (!raw) return null;
+	try {
+		const parsed = JSON.parse(raw);
+		return parsed && typeof parsed === "object" ? parsed : null;
+	} catch {
+		return null;
+	}
+};
+const hasBunRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "bun.lock")) || fs.existsSync(path.join(rootDir, "bun.lockb")) || fs.existsSync(path.join(rootDir, "bunfig.toml"))) return true;
+	const hasBunFiles = projectFiles.some((filePath) => /(?:^|\/)bunfig\.toml$|(?:^|\/)bun\.lockb?$/.test(filePath));
+	const pkg = readJson(path.join(rootDir, "package.json"));
+	if (!pkg) return hasBunFiles;
+	if (typeof pkg.packageManager === "string" && /^bun@/i.test(pkg.packageManager)) return true;
+	const scripts = pkg.scripts;
+	if (scripts && typeof scripts === "object") {
+		for (const command of Object.values(scripts)) if (typeof command === "string" && /(?:^|[;&|()\s])bunx?\s/.test(command)) return true;
+	}
+	return hasBunFiles;
+};
+const hasDenoRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "deno.json")) || fs.existsSync(path.join(rootDir, "deno.jsonc"))) return true;
+	return projectFiles.some((filePath) => /(?:^|\/)deno\.jsonc?$/.test(filePath));
+};
 const AMBIENT_GLOBAL_RE = /^\s*(?:declare\s+)?(?:const|let|var|function|class)\s+([A-Za-z_$][\w$]*)/gm;
 const collectAmbientGlobals = (rootDir) => {
 	const globals = /* @__PURE__ */ new Set();
@@ -5390,7 +5469,8 @@ const collectAmbientGlobals = (rootDir) => {
 		for (const match of content.matchAll(AMBIENT_GLOBAL_RE)) globals.add(match[1]);
 	}
 	const deps = collectPackageNames(rootDir);
-	if (deps.has("@types/bun") || deps.has("bun-types")) globals.add("Bun");
+	if (deps.has("@types/bun") || deps.has("bun-types") || hasBunRuntime(rootDir, projectFiles)) globals.add("Bun");
+	if (hasDenoRuntime(rootDir, projectFiles)) globals.add("Deno");
 	if (projectFiles.some((filePath) => /(?:^|\/)sst\.config\.ts$/.test(filePath))) for (const name of [
 		"$app",
 		"$config",
@@ -5488,6 +5568,37 @@ const detectTestFramework = (rootDir) => {
 	return null;
 };
 const getOxlintTargets = (context) => getSourceFiles(context).filter((filePath) => OXLINT_EXTENSIONS.has(path.extname(filePath).toLowerCase())).filter((filePath) => !isAutoGenerated(filePath)).map((filePath) => path.relative(context.rootDirectory, filePath).split(path.sep).join("/"));
+const toDiagnostic = (d) => {
+	const { plugin, rule } = parseRuleCode(d.code);
+	const label = d.labels[0];
+	return {
+		filePath: d.filename,
+		engine: "lint",
+		rule: `${plugin}/${rule}`,
+		severity: d.severity,
+		message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
+		help: d.help || "",
+		line: label?.span.line ?? 0,
+		column: label?.span.column ?? 0,
+		category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
+		fixable: false
+	};
+};
+const shouldKeepOxlintDiagnostic = (context, ambientSources, seen, d) => {
+	const relativePath = path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath;
+	if (isExcludedFromScan(relativePath)) return false;
+	if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+	if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+	if (isRuntimeGlobalFalsePositive(d.rule, d.message, context.rootDirectory, relativePath)) return false;
+	if (isSolidRefFalsePositive(context, d)) return false;
+	if (isContextualTypeScriptFalsePositive(d)) return false;
+	if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+	if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
+	const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
+	if (seen.has(key)) return false;
+	seen.add(key);
+	return true;
+};
 const runOxlint = async (context) => {
 	const configPath = path.join(os.tmpdir(), `aislop-oxlintrc-${process.pid}.json`);
 	const framework = context.frameworks.find((f) => f !== "none");
@@ -5524,34 +5635,7 @@ const runOxlint = async (context) => {
 			return [];
 		}
 		const seen = /* @__PURE__ */ new Set();
-		return output.diagnostics.map((d) => {
-			const { plugin, rule } = parseRuleCode(d.code);
-			const label = d.labels[0];
-			return {
-				filePath: d.filename,
-				engine: "lint",
-				rule: `${plugin}/${rule}`,
-				severity: d.severity,
-				message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
-				help: d.help || "",
-				line: label?.span.line ?? 0,
-				column: label?.span.column ?? 0,
-				category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
-				fixable: false
-			};
-		}).filter((d) => {
-			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
-			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
-			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
-			if (isSolidRefFalsePositive(context, d)) return false;
-			if (isContextualTypeScriptFalsePositive(d)) return false;
-			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
-			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
-			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
-			if (seen.has(key)) return false;
-			seen.add(key);
-			return true;
-		});
+		return output.diagnostics.map(toDiagnostic).filter((d) => shouldKeepOxlintDiagnostic(context, ambientSources, seen, d));
 	} finally {
 		if (fs.existsSync(configPath)) fs.unlinkSync(configPath);
 	}
@@ -5602,7 +5686,7 @@ const lintEngine = {
 			promises.push(runOxlint(context));
 			if (context.config.lint.typecheck) promises.push(import("./typecheck-By967nny.js").then((mod) => mod.runTypecheck(context)));
 		}
-		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-T4DswmX5.js").then((mod) => mod.runExpoDoctor(context)));
+		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-BM2JR6f6.js").then((mod) => mod.runExpoDoctor(context)));
 		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffLint(context));
 		if (languages.includes("go") && installedTools["golangci-lint"]) promises.push(runGolangciLint(context));
 		if (languages.includes("rust") && installedTools.cargo) promises.push(runGenericLinter(context, "rust"));
@@ -5620,7 +5704,7 @@ const lintEngine = {
 //#endregion
 //#region src/ui/invocation.ts
-const detectInvocation = () => "npx aislop";
+const detectInvocation = () => "aislop";
 //#endregion
 //#region src/engines/security/audit.ts
@@ -5772,7 +5856,7 @@ const parseJsAudit = (output, source) => {
 			rule: "security/dependency-audit-skipped",
 			severity: "info",
 			message: `Dependency audit skipped (${source}): lockfile is missing`,
-			help: error.detail ?? "Generate a lockfile, then re-run `npx aislop scan` for dependency vulnerability checks.",
+			help: error.detail ?? "Generate a lockfile, then re-run `aislop scan` for dependency vulnerability checks.",
 			line: 0,
 			column: 0,
 			category: "Security",
@@ -5889,6 +5973,194 @@ const runCargoAudit = async (rootDir, timeout) => {
 	}
 };
+//#endregion
+//#region src/engines/security/html-safety.ts
+const SAFE_EMPTY_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:""|''|``)\s*;?/;
+const SAFE_SANITIZED_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:escapeHtml|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)\s*;?(?:\n|$)/;
+const SANITIZER_EXPR_RE = /^(?:escapeHtml|escapeHTML|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)$/;
+const IDENT_RE = /^[A-Za-z_$][\w$]*$/;
+const STATIC_STRING_RE = /^(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\$])*`)$/;
+const NUMERICISH_EXPR_RE = /^(?:[-+]?\d+(?:\.\d+)?|[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*(?:\s*\|\|\s*[-+]?\d+(?:\.\d+)?)?)$/;
+const NUMERICISH_NAME_RE = /(?:^|\.)(?:count|length|size|width|height|top|right|bottom|left|duration|elapsed|timestamp|time|ms|port|pid|attempt|attempts|index|total|x|y)$|(?:count|length|size|width|height|duration|elapsed|timestamp|time|port|pid|attempt|index|total)$/i;
+const SAFE_FORMAT_CALL_RE = /^(?:format[A-Z]\w*|fmt[A-Z]?\w*)\s*\((.*)\)$/;
+const consumeQuotedLiteral = (content, startIndex, quote) => {
+	let i = startIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === quote) return { endIndex: i };
+		if (char === "\n") return null;
+		i++;
+	}
+	return null;
+};
+const consumeTemplateLiteral = (content, startIndex) => {
+	const openIndex = content.indexOf("`", startIndex);
+	if (openIndex === -1) return null;
+	let i = openIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === "`") return {
+			body: content.slice(openIndex + 1, i),
+			endIndex: i
+		};
+		i++;
+	}
+	return null;
+};
+const assignmentTailIsClosed = (content, endIndex) => /^\s*(?:;[^\n]*)?(?:\n|$)/.test(content.slice(endIndex + 1));
+const assignmentRhsStart = (content, matchIndex) => {
+	const match = /^\.innerHTML\s*=\s*/.exec(content.slice(matchIndex));
+	return match ? matchIndex + match[0].length : null;
+};
+const templateExpressions = (templateBody) => [...templateBody.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+const staticTernaryRe = /^\s*[^?]+\?\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*:\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*$/;
+const splitTopLevelTernary = (expr) => {
+	let quote = null;
+	let depth = 0;
+	let question = -1;
+	let colon = -1;
+	for (let i = 0; i < expr.length; i++) {
+		const char = expr[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (quote) continue;
+		if (char === "(" || char === "[" || char === "{") depth++;
+		else if (char === ")" || char === "]" || char === "}") depth = Math.max(0, depth - 1);
+		else if (char === "?" && depth === 0 && question === -1) question = i;
+		else if (char === ":" && depth === 0 && question !== -1) {
+			colon = i;
+			break;
+		}
+	}
+	if (question === -1 || colon === -1) return null;
+	return {
+		whenTrue: expr.slice(question + 1, colon).trim(),
+		whenFalse: expr.slice(colon + 1).trim()
+	};
+};
+const isNumericishExpression = (expr) => {
+	const normalized = expr.trim();
+	if (/^(?:Math\.\w+|Number|parseInt|parseFloat)\s*\(/.test(normalized)) return true;
+	if (!NUMERICISH_EXPR_RE.test(normalized)) return false;
+	return /\d/.test(normalized) || NUMERICISH_NAME_RE.test(normalized);
+};
+const isSafeTemplateLiteralExpression = (expr, safeNames) => {
+	if (!expr.startsWith("`") || !expr.endsWith("`")) return false;
+	return templateExpressions(expr.slice(1, -1)).every((part) => isSafeHtmlExpression(part, safeNames));
+};
+const collectSafeHtmlNames = (content, matchIndex) => {
+	const safeNames = /* @__PURE__ */ new Set();
+	const prefix = content.slice(Math.max(0, matchIndex - 8e3), matchIndex);
+	for (const rawLine of prefix.split("\n")) {
+		const line = rawLine.trim();
+		let match = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*\+=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (safeNames.has(name) && isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+		}
+	}
+	return safeNames;
+};
+const isSafeHtmlExpression = (expr, safeNames) => {
+	const normalized = expr.trim();
+	if (SANITIZER_EXPR_RE.test(normalized)) return true;
+	if (STATIC_STRING_RE.test(normalized)) return true;
+	if (staticTernaryRe.test(expr)) return true;
+	if (isNumericishExpression(normalized)) return true;
+	if (IDENT_RE.test(normalized) && safeNames.has(normalized)) return true;
+	if (isSafeTemplateLiteralExpression(normalized, safeNames)) return true;
+	const ternary = splitTopLevelTernary(normalized);
+	if (ternary && isSafeHtmlExpression(ternary.whenTrue, safeNames) && isSafeHtmlExpression(ternary.whenFalse, safeNames)) return true;
+	const formatCall = SAFE_FORMAT_CALL_RE.exec(normalized);
+	if (formatCall) return formatCall[1].split(",").map((arg) => arg.trim()).filter((arg) => arg.length > 0).every((arg) => isNumericishExpression(arg) || IDENT_RE.test(arg) && safeNames.has(arg));
+	return false;
+};
+const readSingleLineRhs = (content, rhsStart) => {
+	const lineEnd = content.indexOf("\n", rhsStart);
+	const line = content.slice(rhsStart, lineEnd === -1 ? content.length : lineEnd);
+	let quote = null;
+	for (let i = 0; i < line.length; i++) {
+		const char = line[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (char === ";" && quote === null) return line.slice(0, i).trim();
+	}
+	return line.trim();
+};
+const isSafeMapJoinHtmlAssignment = (content, rhsStart) => {
+	const head = content.slice(rhsStart);
+	const mapMatch = /^[A-Za-z_$][\w$.]*\.map\(\s*[A-Za-z_$][\w$]*\s*=>\s*`/.exec(head);
+	if (!mapMatch) return false;
+	const template = consumeTemplateLiteral(content, rhsStart + mapMatch[0].length - 1);
+	if (!template) return false;
+	if (!/^\s*\)\.join\(\s*(?:""|'')\s*\)/.test(content.slice(template.endIndex + 1))) return false;
+	const safeNames = collectSafeHtmlNames(content, rhsStart);
+	return templateExpressions(template.body).every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
+const isSafeInnerHtmlAssignment = (content, matchIndex) => {
+	const tail = content.slice(matchIndex);
+	if (SAFE_EMPTY_INNER_HTML_RE.test(tail) || SAFE_SANITIZED_INNER_HTML_RE.test(tail)) return true;
+	const rhsStart = assignmentRhsStart(content, matchIndex);
+	if (rhsStart === null) return false;
+	const first = content[rhsStart];
+	const safeNames = collectSafeHtmlNames(content, matchIndex);
+	if (isSafeHtmlExpression(readSingleLineRhs(content, rhsStart), safeNames)) return true;
+	if (isSafeMapJoinHtmlAssignment(content, rhsStart)) return true;
+	if (first === "'" || first === "\"") {
+		const quoted = consumeQuotedLiteral(content, rhsStart, first);
+		return Boolean(quoted && assignmentTailIsClosed(content, quoted.endIndex));
+	}
+	if (first !== "`") return false;
+	const template = consumeTemplateLiteral(content, rhsStart);
+	if (!template || !assignmentTailIsClosed(content, template.endIndex)) return false;
+	const expressions = templateExpressions(template.body);
+	if (expressions.length === 0) return true;
+	return expressions.every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
 //#endregion
 //#region src/engines/security/risky.ts
 const ev = "eval";
@@ -6014,6 +6286,30 @@ const isStructuredDataScript = (content, matchIndex) => {
 	const after = content.slice(matchIndex, Math.min(content.length, matchIndex + 180));
 	return /__html\s*:\s*JSON\.stringify\s*\(/.test(after);
 };
+const isSafeShellSpawnArray = (content, matchIndex) => /^spawn\s*\(\s*\[/.test(content.slice(matchIndex)) && !/^\s*spawn\s*\(\s*\[\s*["'](?:sh|bash|zsh|cmd|cmd\.exe|powershell|pwsh)["']\s*,\s*["'](?:-c|\/c|\/C)["']/i.test(content.slice(matchIndex)) && !/shell\s*:\s*true\b/.test(content.slice(matchIndex, matchIndex + 500));
+const PLACEHOLDER_EXPR_RE = /^(?:placeholders?|placeholderList|bindMarkers?|bindingMarkers?|bindPlaceholders?|bindingPlaceholders?|parameterPlaceholders?|sqlPlaceholders?)(?:\.\w+\([^)]*\))?$/i;
+const SQL_PLACEHOLDER_LITERAL_RE = /["'](?:\?|\$\d+|\$\{[^}]+\})["']/;
+const escapeRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const isGeneratedPlaceholderList = (content, matchIndex, placeholderExpr) => {
+	const name = placeholderExpr.match(/^([A-Za-z_$][\w$]*)/)?.[1];
+	if (!name) return false;
+	const prefix = content.slice(Math.max(0, matchIndex - 4e3), matchIndex);
+	const declarationRe = new RegExp(`\\b(?:const|let|var)\\s+${escapeRegExp(name)}\\s*=\\s*([^;\\n]+)`, "g");
+	const declaration = [...prefix.matchAll(declarationRe)].at(-1);
+	if (!declaration) return false;
+	const expr = declaration[1];
+	if (!/\.join\s*\(/.test(expr)) return false;
+	return /\.map\s*\(/.test(expr) && /=>/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr) || /\.fill\s*\(/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr);
+};
+const isSafeSqlPlaceholderTemplate = (content, matchIndex) => {
+	const template = consumeTemplateLiteral(content, matchIndex);
+	if (!template) return false;
+	const afterTemplate = content.slice(template.endIndex + 1);
+	if (!(/^\s*,/.test(afterTemplate) || /^\s*\)\s*\.(?:all|get|run|values)\s*\(/.test(afterTemplate))) return false;
+	const expressions = [...template.body.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+	if (expressions.length === 0) return false;
+	return expressions.every((expr) => PLACEHOLDER_EXPR_RE.test(expr) && isGeneratedPlaceholderList(content, matchIndex, expr));
+};
 const detectRiskyConstructs = async (context) => {
 	const files = getSourceFiles(context);
 	const diagnostics = [];
@@ -6038,8 +6334,11 @@ const detectRiskyConstructs = async (context) => {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
+					if (isSafeInnerHtmlAssignment(content, match.index)) continue;
 					if (/(?:template|tmpl|tpl)$/i.test(beforeMatch.trimEnd()) || /createElement\s*\(\s*['"]template['"]\s*\)$/.test(beforeMatch.trimEnd())) continue;
 				}
+				if (name === "sql-injection" && isSafeSqlPlaceholderTemplate(content, match.index)) continue;
+				if (name === "shell-injection" && isSafeShellSpawnArray(content, match.index)) continue;
 				if (name === "dangerously-set-innerhtml") {
 					if (hasDangerouslySetInnerHtmlIgnore(lines, line - 1)) continue;
 					if (isStructuredDataScript(content, match.index)) continue;
@@ -6136,7 +6435,28 @@ const PLACEHOLDER_EXACT = new Set([
 	"todo",
 	"replace_me"
 ]);
+const PLACEHOLDER_URL_PARTS = new Set([
+	"example",
+	"host",
+	"localhost",
+	"pass",
+	"password",
+	"pw",
+	"user",
+	"username"
+]);
+const isPlaceholderCredentialUrl = (matchedText) => {
+	const credentialMatch = matchedText.match(/^[a-z]+:\/\/([^:@/\s]+):([^@/\s]+)@/i);
+	if (credentialMatch) return PLACEHOLDER_URL_PARTS.has(credentialMatch[1].toLowerCase()) && PLACEHOLDER_URL_PARTS.has(credentialMatch[2].toLowerCase());
+	try {
+		const parsed = new URL(matchedText);
+		return PLACEHOLDER_URL_PARTS.has(parsed.username.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.password.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.hostname.toLowerCase());
+	} catch {
+		return false;
+	}
+};
 const isPlaceholderValue = (matchedText) => {
+	if (isPlaceholderCredentialUrl(matchedText)) return true;
 	if (/env\(/i.test(matchedText)) return true;
 	if (matchedText.includes("process.env")) return true;
 	if (matchedText.includes("os.environ")) return true;
@@ -6257,23 +6577,36 @@ const STYLE_RULES = new Set([
 	"complexity/function-too-long"
 ]);
 const STYLE_WEIGHT = .5;
+const COMMENT_STYLE_RULE_CAP = 12;
+const COMMENT_STYLE_RULES = new Set(["ai-slop/trivial-comment", "ai-slop/narrative-comment"]);
 const getEffectiveFileCount = (diagnostics, sourceFileCount) => {
 	if (typeof sourceFileCount === "number" && sourceFileCount > 0) return sourceFileCount;
 	const filesWithDiagnostics = new Set(diagnostics.map((d) => d.filePath)).size;
 	return Math.max(1, filesWithDiagnostics);
 };
-const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing) => {
+const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing, maxPerRule) => {
 	if (diagnostics.length === 0) return {
 		score: PERFECT_SCORE,
 		label: "Healthy"
 	};
-	let deductions = 0;
+	const deductionsByRule = /* @__PURE__ */ new Map();
 	for (const d of diagnostics) {
 		const engineWeight = weights[d.engine] ?? 1;
 		const severityPenalty = d.severity === "error" ? 3 : d.severity === "warning" ? 1 : .25;
 		const styleFactor = STYLE_RULES.has(d.rule) ? STYLE_WEIGHT : 1;
-		deductions += severityPenalty * engineWeight * styleFactor;
-	}
+		const key = `${d.engine}:${d.rule}`;
+		deductionsByRule.set(key, (deductionsByRule.get(key) ?? 0) + severityPenalty * engineWeight * styleFactor);
+	}
+	const defaultRuleCap = typeof maxPerRule === "number" && maxPerRule > 0 ? maxPerRule : null;
+	const capForRule = (key) => {
+		const rule = key.slice(key.indexOf(":") + 1);
+		if (COMMENT_STYLE_RULES.has(rule)) return defaultRuleCap ? Math.min(defaultRuleCap, COMMENT_STYLE_RULE_CAP) : COMMENT_STYLE_RULE_CAP;
+		return defaultRuleCap;
+	};
+	const deductions = [...deductionsByRule.entries()].reduce((total, [key, value]) => {
+		const cap = capForRule(key);
+		return total + (cap ? Math.min(value, cap) : value);
+	}, 0);
 	const effectiveFileCount = getEffectiveFileCount(diagnostics, sourceFileCount);
 	const smoothingConstant = typeof smoothing === "number" ? smoothing : 10;
 	const issueDensity = Math.min(1, diagnostics.length / (effectiveFileCount + smoothingConstant));
@@ -6516,6 +6849,107 @@ const readBaseline = (cwd) => {
 	}
 };
+//#endregion
+//#region src/output/finding-assessment.ts
+const FINDING_KIND_LABELS = {
+	"confirmed-defect": "confirmed defects",
+	"conservative-security": "conservative security",
+	"style-policy": "style/policy",
+	"ai-slop-indicator": "AI-slop indicators"
+};
+const STYLE_POLICY_RULES = new Set([
+	"ai-slop/trivial-comment",
+	"ai-slop/narrative-comment",
+	"ai-slop/meta-comment",
+	"ai-slop/console-leftover",
+	"ai-slop/ts-directive",
+	"complexity/file-too-large",
+	"complexity/function-too-long",
+	"complexity/deep-nesting",
+	"complexity/too-many-params",
+	"code-quality/duplicate-block",
+	"eslint/no-empty",
+	"eslint/no-unused-vars",
+	"eslint/no-useless-escape",
+	"eslint/no-unused-expressions",
+	"unicorn/no-useless-fallback-in-spread",
+	"unicorn/prefer-string-starts-ends-with",
+	"unicorn/no-new-array",
+	"unicorn/no-useless-spread"
+]);
+const CONFIRMED_DEFECT_RULES = new Set([
+	"ai-slop/hallucinated-import",
+	"eslint/no-undef",
+	"eslint/no-unreachable",
+	"security/vulnerable-dependency"
+]);
+const LOW_CONFIDENCE_SECURITY_RULES = new Set(["security/innerhtml", "security/dangerously-set-innerhtml"]);
+const confidenceFor = (diagnostic, kind) => {
+	if (kind === "confirmed-defect") return "high";
+	if (kind === "style-policy") return "medium";
+	if (kind === "conservative-security") {
+		if (LOW_CONFIDENCE_SECURITY_RULES.has(diagnostic.rule)) return "medium";
+		return diagnostic.severity === "error" ? "high" : "medium";
+	}
+	return diagnostic.severity === "error" ? "high" : "medium";
+};
+const classifyKind = (diagnostic) => {
+	if (CONFIRMED_DEFECT_RULES.has(diagnostic.rule)) return "confirmed-defect";
+	if (diagnostic.engine === "security") return "conservative-security";
+	if (STYLE_POLICY_RULES.has(diagnostic.rule)) return "style-policy";
+	if (diagnostic.engine === "format" || diagnostic.engine === "code-quality") return "style-policy";
+	if (diagnostic.engine === "ai-slop") return "ai-slop-indicator";
+	if (diagnostic.severity === "error") return "confirmed-defect";
+	return "style-policy";
+};
+const assessDiagnostic = (diagnostic) => {
+	const kind = classifyKind(diagnostic);
+	return {
+		kind,
+		confidence: confidenceFor(diagnostic, kind),
+		label: FINDING_KIND_LABELS[kind]
+	};
+};
+const summarizeFindingAssessments = (diagnostics) => {
+	const byKind = {
+		"confirmed-defect": 0,
+		"conservative-security": 0,
+		"style-policy": 0,
+		"ai-slop-indicator": 0
+	};
+	const byConfidence = {
+		high: 0,
+		medium: 0,
+		low: 0
+	};
+	const rows = /* @__PURE__ */ new Map();
+	for (const diagnostic of diagnostics) {
+		const assessment = assessDiagnostic(diagnostic);
+		byKind[assessment.kind]++;
+		byConfidence[assessment.confidence]++;
+		const row = rows.get(assessment.kind) ?? {
+			kind: assessment.kind,
+			label: assessment.label,
+			count: 0,
+			errors: 0,
+			warnings: 0,
+			info: 0,
+			fixable: 0
+		};
+		row.count++;
+		if (diagnostic.severity === "error") row.errors++;
+		else if (diagnostic.severity === "warning") row.warnings++;
+		else row.info++;
+		if (diagnostic.fixable) row.fixable++;
+		rows.set(assessment.kind, row);
+	}
+	return {
+		rows: [...rows.values()].sort((a, b) => b.count - a.count),
+		byKind,
+		byConfidence
+	};
+};
 //#endregion
 //#region src/mcp/tools.ts
 const MAX_FINDINGS = 25;
@@ -6553,27 +6987,32 @@ const summariseDiagnostic = (d, rootDirectory) => ({
 	column: d.column,
 	rule: d.rule,
 	severity: d.severity,
+	assessment: assessDiagnostic(d),
 	message: d.message,
 	fixable: d.fixable,
 	help: d.help || void 0
 });
 const summariseDiagnostics = (diagnostics, rootDirectory) => {
+	const counts = {
+		error: diagnostics.filter((d) => d.severity === "error").length,
+		warning: diagnostics.filter((d) => d.severity === "warning").length,
+		fixable: diagnostics.filter((d) => d.fixable).length,
+		total: diagnostics.length
+	};
+	const findings = diagnostics.slice(0, MAX_FINDINGS).map((d) => summariseDiagnostic(d, rootDirectory));
+	const elided = diagnostics.length > MAX_FINDINGS ? diagnostics.length - MAX_FINDINGS : 0;
 	return {
-		counts: {
-			error: diagnostics.filter((d) => d.severity === "error").length,
-			warning: diagnostics.filter((d) => d.severity === "warning").length,
-			fixable: diagnostics.filter((d) => d.fixable).length,
-			total: diagnostics.length
-		},
-		findings: diagnostics.slice(0, MAX_FINDINGS).map((d) => summariseDiagnostic(d, rootDirectory)),
-		elided: diagnostics.length > MAX_FINDINGS ? diagnostics.length - MAX_FINDINGS : 0
+		counts,
+		findingAssessment: summarizeFindingAssessments(diagnostics),
+		findings,
+		elided
 	};
 };
 const runScan = async (cwd) => {
 	const project = await discoverProject(cwd);
 	const config = loadConfig(cwd);
 	const diagnostics = (await runEngines(buildEngineContext(project.rootDirectory, project, config), enabledEnginesFromConfig(config))).flatMap((r) => r.diagnostics);
-	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing);
+	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing, config.scoring.maxPerRule);
 	const errorCount = diagnostics.filter((d) => d.severity === "error").length;
 	const failBelow = config.ci.failBelow;
 	return {
@@ -6697,6 +7136,10 @@ const handleAislopBaseline = (input) => {
 	};
 };
+//#endregion
+//#region src/version.ts
+const APP_VERSION = "0.11.0";
 //#endregion
 //#region src/telemetry/env.ts
 const detectPackageManager = (env = process.env) => {