aislop 0.5.0 → 0.5.1

package/dist/cli.js

@@ -12,6 +12,7 @@ import { fileURLToPath } from "node:url";
 import os from "node:os";
 import ts from "typescript";
 import wcwidth from "wcwidth";
+import crypto from "node:crypto";
 import { isCancel, multiselect, select, text } from "@clack/prompts";
 
 //#region \0rolldown/runtime.js
@@ -982,7 +983,7 @@ const detectSwallowedExceptions = async (context) => {
 };
 
 //#endregion
-//#region src/engines/ai-slop/narrative-comments.ts
+//#region src/engines/ai-slop/narrative-comments-patterns.ts
 const DECORATIVE_SEPARATOR = /^[-=─━~_*#]{6,}$/;
 const DECORATIVE_SECTION_HEADER = /^[-=─━~_*#]{3,}[\s\S]+?[-=─━~_*#]{3,}$/;
 const SECTION_HEADER = /^(Phase|Step|Section|Part)\s+\d+[:.-]/i;
@@ -1041,6 +1042,19 @@ const SUPPORTED_EXTS = new Set([
 	".java",
 	".php"
 ]);
+const DECL_START = /^(\s*)(export\s+)?(async\s+)?(const|let|var|function|class|type|interface|enum|abstract\s+class)\s+/;
+const EXPORT_DEFAULT = /^\s*export\s+default\b/;
+const TS_MEMBER_DECL_START = /^\s*(?:readonly\s+|static\s+|public\s+|private\s+|protected\s+|abstract\s+|override\s+)*[\w$]+\??\s*:/;
+const PY_DECL_START = /^\s*(async\s+def|def|class)\s+/;
+const GO_DECL_START = /^\s*(func|type|var|const)\s+/;
+const RUST_DECL_START = /^\s*(pub\s+)?(async\s+)?(fn|struct|enum|trait|impl|const|static|type|mod)\s+/;
+const RUBY_DECL_START = /^\s*(class|module|def)\s+/;
+const JAVA_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|sealed|non-sealed|\s)+(?:class|interface|enum|record|@interface|\w[^(){};=]*\s+\w+\s*\()/;
+const JAVA_DECL_START_FALLBACK = /^\s*(class|interface|enum|record|@interface)\s+/;
+const PHP_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|readonly\s+)*(function|class|interface|trait|enum|const)\s+/;
+
+//#endregion
+//#region src/engines/ai-slop/narrative-comments.ts
 const stripJsdocLine = (line) => line.replace(/^\s*\/\*\*+\s?/, "").replace(/\s*\*+\/\s*$/, "").replace(/^\s*\*\s?/, "").trim();
 const stripLineComment = (line) => line.replace(/^\s*(?:(?:\/\/)|#)\s?/, "");
 const getCommentSyntax = (ext) => {
@@ -1132,16 +1146,6 @@ const collectBlocks = (sourceLines, syntax) => {
 	}
 	return blocks;
 };
-const DECL_START = /^(\s*)(export\s+)?(async\s+)?(const|let|var|function|class|type|interface|enum|abstract\s+class)\s+/;
-const EXPORT_DEFAULT = /^\s*export\s+default\b/;
-const TS_MEMBER_DECL_START = /^\s*(?:readonly\s+|static\s+|public\s+|private\s+|protected\s+|abstract\s+|override\s+)*[\w$]+\??\s*:/;
-const PY_DECL_START = /^\s*(async\s+def|def|class)\s+/;
-const GO_DECL_START = /^\s*(func|type|var|const)\s+/;
-const RUST_DECL_START = /^\s*(pub\s+)?(async\s+)?(fn|struct|enum|trait|impl|const|static|type|mod)\s+/;
-const RUBY_DECL_START = /^\s*(class|module|def)\s+/;
-const JAVA_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|sealed|non-sealed|\s)+(?:class|interface|enum|record|@interface|\w[^(){};=]*\s+\w+\s*\()/;
-const JAVA_DECL_START_FALLBACK = /^\s*(class|interface|enum|record|@interface)\s+/;
-const PHP_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|readonly\s+)*(function|class|interface|trait|enum|const)\s+/;
 const looksLikeDeclarationPreamble = (nextLine, ext) => {
 	if (nextLine === null) return false;
 	if (DECL_START.test(nextLine) || EXPORT_DEFAULT.test(nextLine)) return true;
@@ -1682,72 +1686,12 @@ const architectureEngine = {
 };
 
 //#endregion
-//#region src/engines/code-quality/complexity.ts
-const FUNCTION_PATTERNS = [
-	{
-		regex: /^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [
-			".js",
-			".ts",
-			".jsx",
-			".tsx",
-			".mjs",
-			".cjs"
-		]
-	},
-	{
-		regex: /^\s*(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:\s*\w)/,
-		langFilter: [
-			".js",
-			".ts",
-			".jsx",
-			".tsx",
-			".mjs",
-			".cjs"
-		]
-	},
-	{
-		regex: /^\s*def\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".py"]
-	},
-	{
-		regex: /^\s*func\s+(?:\([^)]*\)\s+)?(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".go"]
-	},
-	{
-		regex: /^\s*fn\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".rs"]
-	},
-	{
-		regex: /^\s*(?:public|private|protected)?\s*(?:static\s+)?(?:\w+\s+)(\w+)\s*\(([^)]*)\)/,
-		langFilter: [
-			".java",
-			".cs",
-			".cpp",
-			".c",
-			".php"
-		]
-	}
-];
-const countParams = (p) => p.trim() ? p.split(",").length : 0;
-const matchFunctionOnLine = (line, ext) => {
-	for (let i = 0; i < FUNCTION_PATTERNS.length; i++) {
-		const pattern = FUNCTION_PATTERNS[i];
-		if (!pattern.langFilter.includes(ext)) continue;
-		const match = line.match(pattern.regex);
-		if (match) return {
-			name: match[1],
-			params: match[2] ?? "",
-			patternIndex: i
-		};
-	}
-	return null;
-};
+//#region src/engines/code-quality/function-boundaries.ts
 const PYTHON_CONTROL_FLOW_RE = /^\s*(?:if|for|while|with|try|except|else|elif|finally|def|class)\b/;
-const findFunctionEnd = (lines, startIndex, isPython) => {
-	if (isPython) return findPythonFunctionEnd(lines, startIndex);
-	return findBraceFunctionEnd(lines, startIndex);
-};
+const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
+const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
+const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
+const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isControlFlowBrace = (lineText, braceIndex) => {
 	const before = lineText.substring(0, braceIndex).trimEnd();
 	if (before.endsWith(")")) return true;
@@ -1827,16 +1771,10 @@ const findPythonFunctionEnd = (lines, startIndex) => {
 		maxNesting
 	};
 };
-const isDataFile = (content) => {
-	const nonEmpty = content.split("\n").filter((l) => l.trim().length > 0);
-	if (nonEmpty.length === 0) return false;
-	const dataLinePattern = /^\s*[{}[\]"']/;
-	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
+const findFunctionEnd = (lines, startIndex, isPython) => {
+	if (isPython) return findPythonFunctionEnd(lines, startIndex);
+	return findBraceFunctionEnd(lines, startIndex);
 };
-const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
-const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
-const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
-const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isBlockArrow = (lines, startIndex) => {
 	if (ARROW_BLOCK_RE.test(lines[startIndex])) return true;
 	if (ARROW_END_RE.test(lines[startIndex])) {
@@ -1872,6 +1810,75 @@ const countTemplateLines = (bodyLines) => {
 	}
 	return templateLineCount;
 };
+
+//#endregion
+//#region src/engines/code-quality/complexity.ts
+const FUNCTION_PATTERNS = [
+	{
+		regex: /^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [
+			".js",
+			".ts",
+			".jsx",
+			".tsx",
+			".mjs",
+			".cjs"
+		]
+	},
+	{
+		regex: /^\s*(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:\s*\w)/,
+		langFilter: [
+			".js",
+			".ts",
+			".jsx",
+			".tsx",
+			".mjs",
+			".cjs"
+		]
+	},
+	{
+		regex: /^\s*def\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".py"]
+	},
+	{
+		regex: /^\s*func\s+(?:\([^)]*\)\s+)?(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".go"]
+	},
+	{
+		regex: /^\s*fn\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".rs"]
+	},
+	{
+		regex: /^\s*(?:public|private|protected)?\s*(?:static\s+)?(?:\w+\s+)(\w+)\s*\(([^)]*)\)/,
+		langFilter: [
+			".java",
+			".cs",
+			".cpp",
+			".c",
+			".php"
+		]
+	}
+];
+const countParams = (p) => p.trim() ? p.split(",").length : 0;
+const matchFunctionOnLine = (line, ext) => {
+	for (let i = 0; i < FUNCTION_PATTERNS.length; i++) {
+		const pattern = FUNCTION_PATTERNS[i];
+		if (!pattern.langFilter.includes(ext)) continue;
+		const match = line.match(pattern.regex);
+		if (match) return {
+			name: match[1],
+			params: match[2] ?? "",
+			patternIndex: i
+		};
+	}
+	return null;
+};
+const isDataFile = (content) => {
+	const nonEmpty = content.split("\n").filter((l) => l.trim().length > 0);
+	if (nonEmpty.length === 0) return false;
+	const dataLinePattern = /^\s*[{}[\]"']/;
+	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
+};
 const analyzeFunctions = (content, ext) => {
 	const lines = content.split("\n");
 	const functions = [];
@@ -1894,13 +1901,14 @@ const analyzeFunctions = (content, ext) => {
 	}
 	return functions;
 };
+const JSX_FILE_LOC_MULTIPLIER = 1.5;
 const checkFileDiagnostics = (relativePath, content, limits) => {
 	const results = [];
 	const lineCount = content.split("\n").length;
 	const ext = path.extname(relativePath).toLowerCase();
 	if (isDataFile(content)) return results;
-	const effectiveMax = ext === ".jsx" || ext === ".tsx" ? limits.maxFileLoc * 2 : limits.maxFileLoc;
-	if (lineCount > Math.ceil(effectiveMax * 1.1)) results.push({
+	const effectiveMax = ext === ".jsx" || ext === ".tsx" ? Math.ceil(limits.maxFileLoc * JSX_FILE_LOC_MULTIPLIER) : limits.maxFileLoc;
+	if (lineCount > effectiveMax) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/file-too-large",
@@ -3581,6 +3589,216 @@ const runCargoAudit = async (rootDir, timeout) => {
 	}
 };
 
+//#endregion
+//#region src/utils/source-masker.ts
+const JS_EXTS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const PY_EXTS = new Set([".py"]);
+const RB_EXTS = new Set([".rb"]);
+const PHP_EXTS = new Set([".php"]);
+const familyForExt = (ext) => {
+	if (JS_EXTS.has(ext)) return "js";
+	if (PY_EXTS.has(ext)) return "py";
+	if (RB_EXTS.has(ext)) return "rb";
+	if (PHP_EXTS.has(ext)) return "php";
+	return "none";
+};
+const maskStringsAndComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content);
+	return maskSimple(content, family);
+};
+const maskJs = (content) => {
+	const out = content.split("");
+	const len = content.length;
+	const tplStack = [];
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (tplStack.length > 0) {
+			if (c === "{") {
+				tplStack[tplStack.length - 1]++;
+				i++;
+				continue;
+			}
+			if (c === "}") {
+				if (tplStack[tplStack.length - 1] === 0) {
+					tplStack.pop();
+					const scan = consumeTemplateString(content, i + 1);
+					mask(i + 1, scan.maskEnd);
+					if (scan.openedInterp) tplStack.push(0);
+					i = scan.resumeAt;
+					continue;
+				}
+				tplStack[tplStack.length - 1]--;
+				i++;
+				continue;
+			}
+			if (c === "\"" || c === "'") {
+				const strStart = i;
+				i = consumeQuotedString(content, i, c);
+				mask(strStart + 1, i - 1);
+				continue;
+			}
+			if (c === "`") {
+				const scan = consumeTemplateString(content, i + 1);
+				mask(i + 1, scan.maskEnd);
+				if (scan.openedInterp) tplStack.push(0);
+				i = scan.resumeAt;
+				continue;
+			}
+			if (c === "/" && next === "/") {
+				const strStart = i;
+				while (i < len && content[i] !== "\n") i++;
+				mask(strStart, i);
+				continue;
+			}
+			if (c === "/" && next === "*") {
+				const strStart = i;
+				i += 2;
+				while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+				if (i < len - 1) i += 2;
+				mask(strStart, i);
+				continue;
+			}
+			i++;
+			continue;
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			mask(strStart + 1, i - 1);
+			continue;
+		}
+		if (c === "`") {
+			const scan = consumeTemplateString(content, i + 1);
+			mask(i + 1, scan.maskEnd);
+			if (scan.openedInterp) tplStack.push(0);
+			i = scan.resumeAt;
+			continue;
+		}
+		if (c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+const consumeQuotedString = (content, start, quote) => {
+	const len = content.length;
+	let i = start + 1;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === quote) return i + 1;
+		if (c === "\n") return i;
+		i++;
+	}
+	return i;
+};
+const consumeTemplateString = (content, start) => {
+	const len = content.length;
+	let i = start;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === "`") return {
+			maskEnd: i,
+			resumeAt: i + 1,
+			openedInterp: false
+		};
+		if (c === "$" && content[i + 1] === "{") return {
+			maskEnd: i,
+			resumeAt: i + 2,
+			openedInterp: true
+		};
+		i++;
+	}
+	return {
+		maskEnd: i,
+		resumeAt: i,
+		openedInterp: false
+	};
+};
+const maskSimple = (content, family) => {
+	const out = content.split("");
+	const len = content.length;
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (family === "py" && (c === "\"" || c === "'")) {
+			if (content[i + 1] === c && content[i + 2] === c) {
+				const triple = c + c + c;
+				const end = content.indexOf(triple, i + 3);
+				const stop = end === -1 ? len : end + 3;
+				mask(i + 3, stop - 3);
+				i = stop;
+				continue;
+			}
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			mask(strStart + 1, i - 1);
+			continue;
+		}
+		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+
 //#endregion
 //#region src/engines/security/risky.ts
 const ev = "eval";
@@ -3710,12 +3928,13 @@ const detectRiskyConstructs = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		const normalizedPath = relativePath.split(path.sep).join("/");
 		const isMigrationOrSeeder = /(?:^|\/)(migrations|seeders|seeds|migrate)\//.test(normalizedPath);
+		const masked = maskStringsAndComments(content, ext);
 		for (const { pattern, extensions, name, message, help } of RISKY_PATTERNS) {
 			if (!extensions.includes(ext)) continue;
 			if (isMigrationOrSeeder && name === "sql-injection") continue;
 			const regex = new RegExp(pattern.source, pattern.flags);
 			let match;
-			while ((match = regex.exec(content)) !== null) {
+			while ((match = regex.exec(masked)) !== null) {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
@@ -4472,7 +4691,7 @@ const getStagedFiles = (cwd) => {
 * Application version — injected at build time by tsdown from package.json.
 * The fallback should always match the "version" field in package.json.
 */
-const APP_VERSION = "0.5.0";
+const APP_VERSION = "0.5.1";
 
 //#endregion
 //#region src/utils/telemetry.ts
@@ -6071,42 +6290,40 @@ const runExpoDoctor = async (context) => {
 
 //#endregion
 //#region src/commands/fix-force.ts
-const getJsAuditFixCommand = (rootDirectory) => {
-	if (fs.existsSync(path.join(rootDirectory, "pnpm-lock.yaml"))) return {
-		command: "pnpm",
-		args: ["audit", "--fix"]
-	};
-	if (fs.existsSync(path.join(rootDirectory, "package-lock.json")) || fs.existsSync(path.join(rootDirectory, "package.json"))) return {
-		command: "npm",
-		args: ["audit", "fix"]
-	};
+const INSTALL_TIMEOUT = 1800 * 1e3;
+const AUDIT_TIMEOUT = 60 * 1e3;
+const detectPackageManager = (rootDirectory) => {
+	if (fs.existsSync(path.join(rootDirectory, "pnpm-lock.yaml"))) return "pnpm";
+	if (fs.existsSync(path.join(rootDirectory, "package-lock.json")) || fs.existsSync(path.join(rootDirectory, "package.json"))) return "npm";
 	return null;
 };
-const INSTALL_TIMEOUT = 1800 * 1e3;
 const fixDependencyAudit = async (context, onProgress) => {
-	const auditFix = getJsAuditFixCommand(context.rootDirectory);
-	if (!auditFix) return;
-	onProgress?.(`Dependency audit fixes · running ${auditFix.command} audit fix (can take a few minutes)`);
-	const result = await runSubprocess(auditFix.command, auditFix.args, {
-		cwd: context.rootDirectory,
+	const pm = detectPackageManager(context.rootDirectory);
+	if (!pm) return;
+	if (pm === "npm") {
+		await runNpmAuditFix(context.rootDirectory, onProgress);
+		await tryNpmOverrides(context.rootDirectory, onProgress);
+		return;
+	}
+	await tryPnpmOverrides(context.rootDirectory, onProgress);
+};
+const runNpmAuditFix = async (rootDir, onProgress) => {
+	onProgress?.("Dependency audit fixes · running npm audit fix (can take a few minutes)");
+	const result = await runSubprocess("npm", ["audit", "fix"], {
+		cwd: rootDir,
 		timeout: INSTALL_TIMEOUT
 	});
-	if (result.exitCode !== 0 && !result.stdout && !result.stderr) throw new Error(`${auditFix.command} audit fix failed`);
-	onProgress?.(`Dependency audit fixes · running ${auditFix.command} install`);
-	const installResult = await runSubprocess(auditFix.command, ["install"], {
-		cwd: context.rootDirectory,
+	if (result.exitCode !== 0 && !result.stdout && !result.stderr) throw new Error("npm audit fix failed");
+	onProgress?.("Dependency audit fixes · running npm install");
+	const installResult = await runSubprocess("npm", ["install"], {
+		cwd: rootDir,
 		timeout: INSTALL_TIMEOUT
 	});
-	if (installResult.exitCode !== 0) throw new Error(installResult.stderr || installResult.stdout || `${auditFix.command} install failed after audit fix`);
-	if (auditFix.command === "npm") await tryNpmOverrides(context.rootDirectory, onProgress);
+	if (installResult.exitCode !== 0) throw new Error(installResult.stderr || installResult.stdout || "npm install failed after audit fix");
 };
-/**
-* For unresolvable transitive vulnerabilities, attempt to add npm overrides
-* in package.json. This forces a newer version of the vulnerable transitive dep.
-*/
-const fetchLatestVersion = async (rootDir, pkgName) => {
+const fetchLatestVersion = async (rootDir, pkgName, pm) => {
 	try {
-		const result = await runSubprocess("npm", [
+		const result = await runSubprocess(pm, [
 			"view",
 			pkgName,
 			"version",
@@ -6120,11 +6337,11 @@ const fetchLatestVersion = async (rootDir, pkgName) => {
 		return null;
 	}
 };
-const collectOverrides = async (rootDir, vulnerabilities) => {
+const collectNpmOverrides = async (rootDir, vulnerabilities) => {
 	const overrides = {};
 	for (const [pkgName, vuln] of Object.entries(vulnerabilities)) {
 		if (vuln.fixAvailable !== false || !vuln.range) continue;
-		const latest = await fetchLatestVersion(rootDir, pkgName);
+		const latest = await fetchLatestVersion(rootDir, pkgName, "npm");
 		if (latest) overrides[pkgName] = latest;
 	}
 	return overrides;
@@ -6133,12 +6350,12 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 	try {
 		const auditResult = await runSubprocess("npm", ["audit", "--json"], {
 			cwd: rootDir,
-			timeout: 3e4
+			timeout: AUDIT_TIMEOUT
 		});
 		if (!auditResult.stdout) return;
 		const vulnerabilities = JSON.parse(auditResult.stdout).vulnerabilities;
 		if (!vulnerabilities) return;
-		const overrides = await collectOverrides(rootDir, vulnerabilities);
+		const overrides = await collectNpmOverrides(rootDir, vulnerabilities);
 		if (Object.keys(overrides).length === 0) return;
 		const pkgPath = path.join(rootDir, "package.json");
 		const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -6146,7 +6363,7 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 			...pkg.overrides || {},
 			...overrides
 		};
-		fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
+		fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
 		onProgress?.("Dependency audit fixes · applying npm overrides (npm install)");
 		await runSubprocess("npm", ["install"], {
 			cwd: rootDir,
@@ -6154,6 +6371,61 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 		});
 	} catch {}
 };
+const patchedRangeToVersion = (patched) => {
+	const match = patched.match(/^\s*>=?\s*([0-9]+\.[0-9]+\.[0-9]+[^\s]*)/);
+	return match ? `^${match[1]}` : null;
+};
+const overrideKey = (name, vulnerable, patched) => {
+	if (vulnerable && vulnerable.trim().length > 0 && !/^\*$/.test(vulnerable.trim())) return `${name}@${vulnerable.trim()}`;
+	const first = patched.match(/([0-9]+\.[0-9]+\.[0-9]+)/)?.[1];
+	return first ? `${name}@<${first}` : name;
+};
+const collectPnpmOverrides = (advisories) => {
+	const overrides = {};
+	for (const adv of Object.values(advisories)) {
+		if (!adv.module_name || !adv.patched_versions) continue;
+		const target = patchedRangeToVersion(adv.patched_versions);
+		if (!target) continue;
+		const key = overrideKey(adv.module_name, adv.vulnerable_versions, adv.patched_versions);
+		overrides[key] = target;
+	}
+	return overrides;
+};
+const tryPnpmOverrides = async (rootDir, onProgress) => {
+	onProgress?.("Dependency audit fixes · running pnpm audit");
+	const auditResult = await runSubprocess("pnpm", ["audit", "--json"], {
+		cwd: rootDir,
+		timeout: AUDIT_TIMEOUT
+	});
+	if (!auditResult.stdout) return;
+	let parsed;
+	try {
+		parsed = JSON.parse(auditResult.stdout);
+	} catch {
+		return;
+	}
+	const advisories = parsed.advisories;
+	if (!advisories || Object.keys(advisories).length === 0) return;
+	const overrides = collectPnpmOverrides(advisories);
+	if (Object.keys(overrides).length === 0) return;
+	const pkgPath = path.join(rootDir, "package.json");
+	const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+	const pnpmBlock = pkg.pnpm ?? {};
+	const existing = pnpmBlock.overrides ?? {};
+	pkg.pnpm = {
+		...pnpmBlock,
+		overrides: {
+			...existing,
+			...overrides
+		}
+	};
+	fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
+	onProgress?.("Dependency audit fixes · applying pnpm overrides (pnpm install)");
+	await runSubprocess("pnpm", ["install"], {
+		cwd: rootDir,
+		timeout: INSTALL_TIMEOUT
+	});
+};
 const fixExpoDependencies = async (context, onProgress) => {
 	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
 	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
@@ -6178,10 +6450,6 @@ const fixExpoDependencies = async (context, onProgress) => {
 	});
 	if (checkResult.exitCode !== 0) throw new Error(checkResult.stderr || checkResult.stdout || "expo dependency check failed");
 };
-/**
-* Run expo-doctor to detect packages that should not be installed directly,
-* then uninstall them. No hardcoded list — expo-doctor is the source of truth.
-*/
 const removeDisallowedExpoPackages = async (rootDir, onProgress) => {
 	try {
 		onProgress?.("Expo dependency alignment · running expo-doctor");
@@ -6268,8 +6536,9 @@ const runFormattingStep = async (deps) => {
 const runForceSteps = async (deps) => {
 	if (!deps.force) return;
 	if (deps.config.engines["code-quality"] && hasJsOrTs(deps.projectInfo)) await deps.runStep("Remove unused files", () => runKnipUnusedFiles(deps.resolvedDir), () => fixUnusedFiles(deps.resolvedDir));
-	if (deps.config.engines.security) await deps.runStep("Dependency audit fixes", () => runDependencyAudit(deps.context), () => fixDependencyAudit(deps.context, deps.rail.setActiveLabel));
-	if (deps.projectInfo.frameworks.includes("expo")) await deps.runStep("Expo dependency alignment", () => runExpoDoctor(deps.context), () => fixExpoDependencies(deps.context, deps.rail.setActiveLabel));
+	const railUpdate = (label) => deps.rail.setActiveLabel(label);
+	if (deps.config.engines.security) await deps.runStep("Dependency audit fixes", () => runDependencyAudit(deps.context), () => fixDependencyAudit(deps.context, railUpdate));
+	if (deps.projectInfo.frameworks.includes("expo")) await deps.runStep("Expo dependency alignment", () => runExpoDoctor(deps.context), () => fixExpoDependencies(deps.context, railUpdate));
 };
 
 //#endregion
@@ -6433,6 +6702,344 @@ const fixCommand = async (directory, config, options = {
 	}
 };
 
+//#endregion
+//#region src/hooks/feedback.ts
+const MAX_FINDINGS = 20;
+const toFinding = (d, rootDirectory) => {
+	if (d.severity !== "error" && d.severity !== "warning") return null;
+	const file = path.isAbsolute(d.filePath) ? path.relative(rootDirectory, d.filePath) : d.filePath;
+	return {
+		ruleId: d.rule,
+		severity: d.severity,
+		category: d.category,
+		file,
+		line: d.line,
+		col: d.column || void 0,
+		message: d.message
+	};
+};
+const buildNextSteps = (findings) => {
+	const steps = [];
+	const errorCount = findings.filter((f) => f.severity === "error").length;
+	if (errorCount > 0) steps.push(`Fix ${errorCount} error${errorCount === 1 ? "" : "s"} before the next turn.`);
+	const byFile = /* @__PURE__ */ new Map();
+	for (const f of findings) {
+		const list = byFile.get(f.file) ?? [];
+		list.push(f);
+		byFile.set(f.file, list);
+	}
+	for (const [file, list] of Array.from(byFile.entries()).slice(0, 3)) {
+		const lines = list.map((f) => f.line).slice(0, 3).join(", ");
+		steps.push(`Address ${list.length} finding${list.length === 1 ? "" : "s"} in ${file} (line${list.length === 1 ? "" : "s"} ${lines}).`);
+	}
+	return steps;
+};
+const buildFeedback = (diagnostics, score, rootDirectory, baseline) => {
+	const all = diagnostics.map((d) => toFinding(d, rootDirectory)).filter((x) => x !== null);
+	const capped = all.slice(0, MAX_FINDINGS);
+	const elided = all.length > MAX_FINDINGS ? all.length - MAX_FINDINGS : void 0;
+	const counts = {
+		error: diagnostics.filter((d) => d.severity === "error").length,
+		warning: diagnostics.filter((d) => d.severity === "warning").length,
+		fixable: diagnostics.filter((d) => d.fixable).length,
+		total: all.length
+	};
+	return {
+		schema: "aislop.hook.v1",
+		score,
+		baseline,
+		regressed: typeof baseline === "number" ? score < baseline : false,
+		counts,
+		findings: capped,
+		elided,
+		nextSteps: buildNextSteps(capped)
+	};
+};
+
+//#endregion
+//#region src/hooks/adapters/claude.ts
+const extractFiles = (stdin) => {
+	const files = /* @__PURE__ */ new Set();
+	const input = stdin.tool_input ?? {};
+	if (typeof input.file_path === "string" && input.file_path.length > 0) files.add(input.file_path);
+	if (Array.isArray(input.edits)) {
+		for (const e of input.edits) if (e && typeof e.file_path === "string" && e.file_path.length > 0) files.add(e.file_path);
+	}
+	return Array.from(files);
+};
+const parseClaudeStdin = (raw) => {
+	if (!raw.trim()) return {};
+	try {
+		return JSON.parse(raw);
+	} catch {
+		return {};
+	}
+};
+const readStdin = async () => {
+	if (process.stdin.isTTY) return "";
+	const chunks = [];
+	for await (const chunk of process.stdin) chunks.push(chunk);
+	return Buffer.concat(chunks).toString("utf-8");
+};
+const existingAbsolutePaths = (cwd, files) => files.map((f) => path.isAbsolute(f) ? f : path.join(cwd, f)).filter((p) => {
+	try {
+		return fs.statSync(p).isFile();
+	} catch {
+		return false;
+	}
+});
+const runScopedScan = async (cwd, filePaths) => {
+	const project = await discoverProject(cwd);
+	const config = loadConfig(cwd);
+	const configDir = findConfigDir(project.rootDirectory);
+	const rulesPath = configDir ? path.join(configDir, RULES_FILE) : void 0;
+	const diagnostics = (await runEngines({
+		rootDirectory: project.rootDirectory,
+		languages: project.languages,
+		frameworks: project.frameworks,
+		files: filterProjectFiles(project.rootDirectory, filePaths),
+		installedTools: project.installedTools,
+		config: {
+			quality: config.quality,
+			security: {
+				audit: false,
+				auditTimeout: 0
+			},
+			architectureRulesPath: config.engines.architecture ? rulesPath : void 0
+		}
+	}, {
+		format: config.engines.format,
+		lint: config.engines.lint,
+		"code-quality": config.engines["code-quality"],
+		"ai-slop": config.engines["ai-slop"],
+		architecture: config.engines.architecture,
+		security: false
+	})).flatMap((r) => r.diagnostics);
+	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing);
+	return {
+		diagnostics,
+		score,
+		rootDirectory: project.rootDirectory
+	};
+};
+const renderClaudeOutput = (additional, block) => {
+	const out = { hookSpecificOutput: {
+		hookEventName: "PostToolUse",
+		additionalContext: additional
+	} };
+	if (block) {
+		out.decision = "block";
+		out.reason = block.reason;
+	}
+	return out;
+};
+const runClaudeHook = async (deps = {}) => {
+	const getStdin = deps.stdin ?? readStdin;
+	const write = deps.write ?? ((s) => process.stdout.write(s));
+	const input = parseClaudeStdin(await getStdin());
+	const cwd = input.cwd && path.isAbsolute(input.cwd) ? input.cwd : process.cwd();
+	const absFiles = existingAbsolutePaths(cwd, extractFiles(input));
+	if (absFiles.length === 0) return 0;
+	try {
+		const { diagnostics, score, rootDirectory } = await runScopedScan(cwd, absFiles);
+		const feedback = buildFeedback(diagnostics, score, rootDirectory);
+		const envelope = renderClaudeOutput(JSON.stringify(feedback));
+		write(JSON.stringify(envelope));
+		return 0;
+	} catch {
+		return 0;
+	}
+};
+
+//#endregion
+//#region src/hooks/assets.ts
+const AISLOP_MD_BODY = `# aislop — agent instructions
+
+[aislop](https://github.com/heavykenny/aislop) is your guardrail for shipping clean, maintainable, production-grade code. It catches the patterns AI coding tools leave behind: dead imports, redundant code, duplicate logic, unsafe any-typed casts, narrative comments, swallowed errors, oversized functions, risky security constructs — and grades the project out of 100 so regressions are visible. Treat its findings as blocking, not advisory: the goal is code a human maintainer would happily inherit.
+
+## On every edit
+
+A PostToolUse hook runs \`aislop hook claude\` after every Edit, Write, or MultiEdit. It scans the touched files and returns findings as JSON \`additionalContext\` shaped like \`AislopFeedback\` (schema \`aislop.hook.v1\`). Act on them the same turn.
+
+## Severity ladder
+
+- \`error\` — MUST fix this turn.
+- \`warning\` + \`fixable: true\` — MUST fix this turn.
+- \`warning\` + \`fixable: false\` — fix if trivially mechanical, otherwise surface in your reply.
+
+## Rules
+
+- \`.aislop/config.yaml\` — thresholds and engine toggles. Treat as authoritative; don't edit without user consent.
+- \`.aislop/rules.yaml\` — project-specific architecture rules (may be absent). When a finding cites \`architecture/*\`, open this file and follow it.
+- Custom rules can change between sessions. Trust what the scan returns, not a cached understanding of what the rules are.
+
+## Principles
+
+- Do not disable rules to pass the scan. Fix the underlying issue.
+- If a finding is a false positive, leave it and explain in your reply — do not delete the rule config.
+- The findings payload includes \`nextSteps[]\` — treat those as your plan for the turn.
+`;
+
+//#endregion
+//#region src/hooks/io/atomic-write.ts
+const atomicWrite = (targetPath, content) => {
+	const dir = path.dirname(targetPath);
+	fs.mkdirSync(dir, { recursive: true });
+	const rand = Math.random().toString(36).slice(2, 10);
+	const tmp = path.join(dir, `.aislop-tmp-${process.pid}-${rand}`);
+	fs.writeFileSync(tmp, content, "utf-8");
+	fs.renameSync(tmp, targetPath);
+};
+const readIfExists = (targetPath) => {
+	try {
+		return fs.readFileSync(targetPath, "utf-8");
+	} catch {
+		return null;
+	}
+};
+
+//#endregion
+//#region src/hooks/io/json-patch.ts
+const AISLOP_SENTINEL_KEY = "__aislop";
+const isAislopManaged = (x) => typeof x === "object" && x !== null && AISLOP_SENTINEL_KEY in x && x[AISLOP_SENTINEL_KEY] != null;
+const groupIsAislop = (group) => {
+	if (typeof group !== "object" || group === null) return false;
+	const hooks = group.hooks;
+	if (!Array.isArray(hooks)) return false;
+	return hooks.some((h) => isAislopManaged(h));
+};
+const upsertHookGroup = (config, event, group) => {
+	const next = { ...config };
+	const hooks = next.hooks && typeof next.hooks === "object" ? next.hooks : {};
+	const cleaned = (Array.isArray(hooks[event]) ? hooks[event] : []).filter((g) => !groupIsAislop(g));
+	next.hooks = {
+		...hooks,
+		[event]: [...cleaned, group]
+	};
+	return next;
+};
+
+//#endregion
+//#region src/hooks/io/sentinel.ts
+const sentinelHash = (content) => `sha256:${crypto.createHash("sha256").update(content).digest("hex").slice(0, 32)}`;
+const BEGIN_RE = /<!--\s*aislop:begin\s+v(\d+)(?:\s+hash=([^\s>]+))?\s*-->/;
+const END_RE = /<!--\s*aislop:end\s+v\d+\s*-->/;
+const renderFence = (body, hash) => [
+	`<!-- aislop:begin v1 hash=${hash} -->`,
+	body.trimEnd(),
+	"<!-- aislop:end v1 -->"
+].join("\n");
+const upsertMarkdownFence = (existing, body, hash) => {
+	const fenced = renderFence(body, hash);
+	if (existing == null || existing.length === 0) return {
+		nextContent: `${fenced}\n`,
+		replaced: false
+	};
+	const begin = existing.match(BEGIN_RE);
+	const end = existing.match(END_RE);
+	if (begin && end && (end.index ?? 0) > (begin.index ?? 0)) return {
+		nextContent: `${existing.slice(0, begin.index)}${fenced}${existing.slice((end.index ?? 0) + end[0].length)}`,
+		replaced: true
+	};
+	return {
+		nextContent: `${existing}${existing.endsWith("\n") ? "" : "\n"}\n${fenced}\n`,
+		replaced: false
+	};
+};
+
+//#endregion
+//#region src/hooks/install/claude.ts
+const resolveClaudePaths = (home) => ({
+	settings: path.join(home, ".claude", "settings.json"),
+	aislopMd: path.join(home, ".claude", "AISLOP.md"),
+	claudeMd: path.join(home, ".claude", "CLAUDE.md")
+});
+const buildHookGroup = () => {
+	const hashBody = JSON.stringify({
+		command: "aislop hook claude",
+		matcher: "Edit|Write|MultiEdit"
+	});
+	return {
+		matcher: "Edit|Write|MultiEdit",
+		hooks: [{
+			type: "command",
+			command: "aislop hook claude",
+			[AISLOP_SENTINEL_KEY]: {
+				v: 1,
+				managed: true,
+				hash: sentinelHash(hashBody)
+			}
+		}]
+	};
+};
+const installClaude = (opts = { home: os.homedir() }) => {
+	const paths = resolveClaudePaths(opts.home);
+	const wrote = [];
+	const skipped = [];
+	const existingSettingsRaw = readIfExists(paths.settings);
+	let settingsObj = {};
+	if (existingSettingsRaw) try {
+		settingsObj = JSON.parse(existingSettingsRaw);
+	} catch {
+		atomicWrite(`${paths.settings}.aislop-bak`, existingSettingsRaw);
+	}
+	const nextSettings = upsertHookGroup(settingsObj, "PostToolUse", buildHookGroup());
+	const nextSettingsStr = `${JSON.stringify(nextSettings, null, 2)}\n`;
+	if (nextSettingsStr !== existingSettingsRaw) {
+		atomicWrite(paths.settings, nextSettingsStr);
+		wrote.push(paths.settings);
+	} else skipped.push(paths.settings);
+	const mdHash = sentinelHash(AISLOP_MD_BODY);
+	const existingMd = readIfExists(paths.aislopMd);
+	const fenced = upsertMarkdownFence(existingMd, AISLOP_MD_BODY, mdHash);
+	if (fenced.nextContent !== existingMd) {
+		atomicWrite(paths.aislopMd, fenced.nextContent);
+		wrote.push(paths.aislopMd);
+	} else skipped.push(paths.aislopMd);
+	const existingClaudeMd = readIfExists(paths.claudeMd) ?? "";
+	const marker = "@AISLOP.md";
+	if (!existingClaudeMd.includes(marker)) {
+		const joiner = existingClaudeMd.endsWith("\n") || existingClaudeMd.length === 0 ? "" : "\n";
+		const nextClaudeMd = `${existingClaudeMd.length === 0 ? "" : `${existingClaudeMd}${joiner}\n`}${marker}\n`;
+		atomicWrite(paths.claudeMd, nextClaudeMd);
+		wrote.push(paths.claudeMd);
+	} else skipped.push(paths.claudeMd);
+	return {
+		wrote,
+		skipped
+	};
+};
+
+//#endregion
+//#region src/commands/hook.ts
+const hookInstall = async (opts) => {
+	if (opts.agent !== "claude") {
+		process.stderr.write(`hook install: agent "${opts.agent}" not implemented yet\n`);
+		process.exitCode = 1;
+		return;
+	}
+	if (!opts.global) {
+		process.stderr.write("hook install: only --global supported in this release\n");
+		process.exitCode = 1;
+		return;
+	}
+	const result = installClaude({ home: os.homedir() });
+	if (result.wrote.length === 0) {
+		process.stdout.write("hook install: nothing to do (already up to date)\n");
+		return;
+	}
+	for (const f of result.wrote) process.stdout.write(`wrote  ${f}\n`);
+	for (const f of result.skipped) process.stdout.write(`skip   ${f}\n`);
+};
+const hookRun = async (agent) => {
+	if (agent !== "claude") {
+		process.stderr.write(`hook: agent "${agent}" not implemented yet\n`);
+		process.exit(0);
+	}
+	const exitCode = await runClaudeHook();
+	process.exit(exitCode);
+};
+
 //#endregion
 //#region src/commands/init.ts
 const buildInitSuccessRender = (input) => {
@@ -7004,6 +7611,16 @@ program.command("ci [directory]").description("CI-friendly JSON output with exit
 program.command("rules [directory]").description("List all available rules").action(async (directory = ".") => {
 	await rulesCommand(directory);
 });
+const hook = program.command("hook").description("Install or invoke AI-agent integration hooks");
+hook.command("install").description("Install an agent-integration hook (Claude Code supported)").option("--agent <name>", "target agent (claude)", "claude").option("-g, --global", "install to the user-scope config", true).action(async (opts) => {
+	await hookInstall({
+		agent: opts.agent,
+		global: Boolean(opts.global)
+	});
+});
+hook.command("claude").description("Internal: Claude Code PostToolUse callback (reads stdin)").action(async () => {
+	await hookRun("claude");
+});
 const main = async () => {
 	await program.parseAsync();
 	await flushTelemetry();