aislop 0.8.3 → 0.9.1

package/dist/cli.js

@@ -4,14 +4,14 @@ import { Command } from "commander";
 import os from "node:os";
 import fs from "node:fs";
 import path from "node:path";
+import crypto, { randomUUID } from "node:crypto";
+import { performance } from "node:perf_hooks";
 import YAML from "yaml";
 import { z } from "zod/v4";
-import { performance } from "node:perf_hooks";
 import { execSync, spawn, spawnSync } from "node:child_process";
 import micromatch from "micromatch";
 import { fileURLToPath } from "node:url";
 import ts from "typescript";
-import crypto from "node:crypto";
 import { isCancel, multiselect, select, text } from "@clack/prompts";
 import pc from "picocolors";
 import wcwidth from "wcwidth";
@@ -32,6 +32,366 @@ var __exportAll = (all, no_symbols) => {
 	return target;
 };
 
+//#endregion
+//#region src/version.ts
+const APP_VERSION = "0.9.1";
+
+//#endregion
+//#region src/telemetry/env.ts
+const detectPackageManager$1 = (env = process.env) => {
+	const execPath = env.npm_execpath ?? "";
+	if (execPath.includes("npx")) return "npx";
+	const userAgent = env.npm_config_user_agent ?? "";
+	if (userAgent.startsWith("pnpm/")) return "pnpm";
+	if (userAgent.startsWith("yarn/")) return "yarn";
+	if (userAgent.startsWith("bun/")) return "bun";
+	if (userAgent.startsWith("npm/")) return "npm";
+	if (execPath.includes("pnpm")) return "pnpm";
+	if (execPath.includes("yarn")) return "yarn";
+	if (execPath.includes("bun")) return "bun";
+	if (execPath.includes("npm")) return "npm";
+	return "unknown";
+};
+const CI_ENV_KEYS = [
+	"CI",
+	"GITHUB_ACTIONS",
+	"GITLAB_CI",
+	"CIRCLECI",
+	"TRAVIS",
+	"BUILDKITE",
+	"DRONE",
+	"TEAMCITY_VERSION",
+	"TF_BUILD"
+];
+const isCiEnv = (env = process.env) => CI_ENV_KEYS.some((k) => {
+	const v = env[k];
+	return v === "true" || v === "1" || v != null && v.length > 0 && k !== "CI";
+}) || env.CI === "true" || env.CI === "1";
+const fileCountBucket = (count) => {
+	if (count < 10) return "0-10";
+	if (count < 50) return "10-50";
+	if (count < 100) return "50-100";
+	if (count < 500) return "100-500";
+	if (count < 1e3) return "500-1000";
+	return "1000+";
+};
+const scoreBucket = (score) => {
+	if (score >= 75) return "75-100";
+	if (score >= 50) return "50-75";
+	if (score >= 25) return "25-50";
+	return "0-25";
+};
+
+//#endregion
+//#region src/telemetry/identity.ts
+const FILE_BASENAME = "install_id";
+const resolveInstallIdPath = (homedir = os.homedir(), env = process.env) => {
+	if (process.platform === "linux" && env.XDG_STATE_HOME) return path.join(env.XDG_STATE_HOME, "aislop", FILE_BASENAME);
+	return path.join(homedir, ".aislop", FILE_BASENAME);
+};
+const ensureInstallId = (idPath = resolveInstallIdPath()) => {
+	if (fs.existsSync(idPath)) {
+		const existing = fs.readFileSync(idPath, "utf-8").trim();
+		if (existing.length > 0) return {
+			installId: existing,
+			created: false
+		};
+	}
+	const dir = path.dirname(idPath);
+	fs.mkdirSync(dir, { recursive: true });
+	const installId = randomUUID();
+	const tmpPath = `${idPath}.${process.pid}.tmp`;
+	fs.writeFileSync(tmpPath, `${installId}\n`, { mode: 384 });
+	try {
+		fs.renameSync(tmpPath, idPath);
+		return {
+			installId,
+			created: true
+		};
+	} catch {
+		fs.rmSync(tmpPath, { force: true });
+		return {
+			installId: fs.readFileSync(idPath, "utf-8").trim(),
+			created: false
+		};
+	}
+};
+
+//#endregion
+//#region src/telemetry/redaction.ts
+const SAFE_PROPERTY_NAMES = new Set([
+	"aislop_version",
+	"node_version",
+	"os",
+	"arch",
+	"schema_version",
+	"anonymous_install_id",
+	"package_manager",
+	"is_ci",
+	"command",
+	"language_summary",
+	"lang_typescript",
+	"lang_javascript",
+	"lang_python",
+	"lang_java",
+	"file_count_bucket",
+	"exit_code",
+	"duration_ms",
+	"error_kind",
+	"score",
+	"score_bucket",
+	"finding_count",
+	"error_count",
+	"warning_count",
+	"fixable_count",
+	"fix_steps",
+	"fix_resolved",
+	"fix_score_delta",
+	"engine_format_issues",
+	"engine_format_ms",
+	"engine_lint_issues",
+	"engine_lint_ms",
+	"engine_code_quality_issues",
+	"engine_code_quality_ms",
+	"engine_ai_slop_issues",
+	"engine_ai_slop_ms",
+	"engine_architecture_issues",
+	"engine_architecture_ms",
+	"engine_security_issues",
+	"engine_security_ms",
+	"tool",
+	"ok",
+	"agent",
+	"score_delta"
+]);
+const redactProperties = (props) => {
+	const clean = {};
+	const dropped = [];
+	for (const [key, value] of Object.entries(props)) {
+		if (value === void 0) continue;
+		if (SAFE_PROPERTY_NAMES.has(key)) clean[key] = value;
+		else dropped.push(key);
+	}
+	return {
+		clean,
+		dropped
+	};
+};
+
+//#endregion
+//#region src/telemetry/client.ts
+const POSTHOG_HOST = "https://eu.i.posthog.com";
+const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
+const SCHEMA_VERSION = "v2";
+const REQUEST_TIMEOUT_MS = 3e3;
+const isTelemetryDisabled = (config) => {
+	const env = process.env;
+	if (env.AISLOP_NO_TELEMETRY === "1" || env.DO_NOT_TRACK === "1") return true;
+	if (config?.enabled === false) return true;
+	if (config?.enabled === true) return false;
+	if (env.CI === "true" || env.CI === "1") return true;
+	return false;
+};
+const isDebug = () => process.env.AISLOP_TELEMETRY_DEBUG === "1";
+const pendingRequests = /* @__PURE__ */ new Set();
+let cachedInstallId = null;
+let installCreated = false;
+const baseProperties = (installId) => ({
+	aislop_version: APP_VERSION,
+	node_version: process.version,
+	os: os.platform(),
+	arch: os.arch(),
+	schema_version: SCHEMA_VERSION,
+	anonymous_install_id: installId,
+	package_manager: detectPackageManager$1(),
+	is_ci: isCiEnv()
+});
+const track = (input) => {
+	if (isTelemetryDisabled(input.config)) return { installCreated: false };
+	if (cachedInstallId == null) {
+		const ensured = ensureInstallId(resolveInstallIdPath());
+		cachedInstallId = ensured.installId;
+		installCreated = ensured.created;
+	}
+	const { clean, dropped } = redactProperties({
+		...baseProperties(cachedInstallId),
+		...input.properties
+	});
+	if (isDebug()) {
+		const compact = JSON.stringify({
+			event: input.event,
+			properties: clean
+		});
+		process.stderr.write(`[telemetry] ${compact}\n`);
+		if (dropped.length > 0) for (const key of dropped) process.stderr.write(`[telemetry] dropped non-allowlisted property: ${key}\n`);
+	}
+	if (process.env.AISLOP_TELEMETRY_DRY_RUN === "1") return { installCreated };
+	const payload = {
+		api_key: POSTHOG_KEY,
+		event: input.event,
+		distinct_id: cachedInstallId,
+		properties: clean,
+		timestamp: (/* @__PURE__ */ new Date()).toISOString()
+	};
+	const request = fetch(`${POSTHOG_HOST}/capture/`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify(payload),
+		signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+	}).then(() => {}).catch(() => {}).finally(() => {
+		pendingRequests.delete(request);
+	});
+	pendingRequests.add(request);
+	return { installCreated };
+};
+const flushTelemetry = async () => {
+	if (pendingRequests.size === 0) return;
+	await Promise.all(pendingRequests);
+};
+
+//#endregion
+//#region src/telemetry/language.ts
+const ALL_LANGUAGES = [
+	"typescript",
+	"javascript",
+	"python",
+	"java"
+];
+const buildLanguageProperties = (detected) => {
+	const present = new Set(detected);
+	const summary = [...present].filter((l) => ALL_LANGUAGES.includes(l));
+	summary.sort();
+	return {
+		language_summary: summary.join(","),
+		lang_typescript: present.has("typescript"),
+		lang_javascript: present.has("javascript"),
+		lang_python: present.has("python"),
+		lang_java: present.has("java")
+	};
+};
+
+//#endregion
+//#region src/telemetry/events.ts
+const buildCommandStartedProps = (input) => {
+	const props = { command: input.command };
+	if (input.languages) Object.assign(props, buildLanguageProperties(input.languages));
+	if (typeof input.fileCount === "number") props.file_count_bucket = fileCountBucket(input.fileCount);
+	return props;
+};
+const ENGINE_KEY_MAP = {
+	format: "engine_format",
+	lint: "engine_lint",
+	"code-quality": "engine_code_quality",
+	"ai-slop": "engine_ai_slop",
+	architecture: "engine_architecture",
+	security: "engine_security"
+};
+const flattenEngineStats = (issues, timings) => {
+	const out = {};
+	for (const [engine, count] of Object.entries(issues)) {
+		const key = ENGINE_KEY_MAP[engine];
+		if (key != null && typeof count === "number") out[`${key}_issues`] = count;
+	}
+	for (const [engine, ms] of Object.entries(timings)) {
+		const key = ENGINE_KEY_MAP[engine];
+		if (key != null && typeof ms === "number") out[`${key}_ms`] = Math.round(ms);
+	}
+	return out;
+};
+const buildCommandCompletedProps = (input) => {
+	const props = {
+		...input.startProps,
+		exit_code: input.exitCode,
+		duration_ms: Math.round(input.durationMs)
+	};
+	if (input.errorKind) props.error_kind = input.errorKind;
+	if (typeof input.score === "number") {
+		props.score = input.score;
+		props.score_bucket = scoreBucket(input.score);
+	}
+	if (typeof input.findingCount === "number") props.finding_count = input.findingCount;
+	if (typeof input.errorCount === "number") props.error_count = input.errorCount;
+	if (typeof input.warningCount === "number") props.warning_count = input.warningCount;
+	if (typeof input.fixableCount === "number") props.fixable_count = input.fixableCount;
+	if (input.engineIssues && input.engineTimings) Object.assign(props, flattenEngineStats(input.engineIssues, input.engineTimings));
+	if (typeof input.fixSteps === "number") props.fix_steps = input.fixSteps;
+	if (typeof input.fixResolved === "number") props.fix_resolved = input.fixResolved;
+	if (typeof input.fixScoreDelta === "number") props.fix_score_delta = input.fixScoreDelta;
+	return props;
+};
+const buildHookScanCompletedProps = (input) => {
+	const props = {
+		agent: input.agent,
+		score: input.score,
+		score_bucket: scoreBucket(input.score),
+		finding_count: input.findingCount,
+		file_count_bucket: fileCountBucket(input.fileCount)
+	};
+	if (typeof input.scoreDelta === "number") props.score_delta = input.scoreDelta;
+	return props;
+};
+const errorKindFromException = (error) => {
+	const message = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+	if (message.includes("timeout") || message.includes("timed out")) return "timeout";
+	if (message.includes("invalid config") || message.includes("config_invalid")) return "config_invalid";
+	if (message.includes("engine") && message.includes("crash")) return "engine_crash";
+	return "unknown";
+};
+
+//#endregion
+//#region src/telemetry/lifecycle.ts
+const withCommandLifecycle = async (start, run) => {
+	const startProps = buildCommandStartedProps({
+		command: start.command,
+		languages: start.languages,
+		fileCount: start.fileCount
+	});
+	track({
+		event: "cli_command_started",
+		properties: startProps,
+		config: start.config
+	});
+	const startedAt = performance.now();
+	try {
+		const result = await run();
+		const durationMs = performance.now() - startedAt;
+		track({
+			event: "cli_command_completed",
+			properties: buildCommandCompletedProps({
+				startProps,
+				exitCode: result.exitCode,
+				durationMs,
+				score: result.score,
+				findingCount: result.findingCount,
+				errorCount: result.errorCount,
+				warningCount: result.warningCount,
+				fixableCount: result.fixableCount,
+				engineIssues: result.engineIssues,
+				engineTimings: result.engineTimings,
+				fixSteps: result.fixSteps,
+				fixResolved: result.fixResolved,
+				fixScoreDelta: result.fixScoreDelta
+			}),
+			config: start.config
+		});
+		await flushTelemetry();
+		return result;
+	} catch (error) {
+		track({
+			event: "cli_command_completed",
+			properties: buildCommandCompletedProps({
+				startProps,
+				exitCode: 1,
+				durationMs: performance.now() - startedAt,
+				errorKind: errorKindFromException(error)
+			}),
+			config: start.config
+		});
+		await flushTelemetry();
+		throw error;
+	}
+};
+
 //#endregion
 //#region src/hooks/feedback.ts
 const fingerprintFinding = (f) => `${f.file}:${f.line}:${f.ruleId}`;
@@ -104,7 +464,21 @@ const buildSuggestedActions = (diagnostics, findings, regressed, delta) => {
 	});
 	return actions;
 };
-const buildFeedback = (diagnostics, score, rootDirectory, baseline) => {
+const buildAccountability = (meta, findings, regressed, newSinceBaseline) => {
+	if (!meta?.agent && (!meta?.touchedFiles || meta.touchedFiles.length === 0)) return void 0;
+	const touchedFiles = Array.from(new Set(meta.touchedFiles ?? []));
+	const newFindingCount = newSinceBaseline?.length ?? findings.length;
+	const mustFixBeforeDone = regressed || findings.some((f) => f.severity === "error");
+	const reason = mustFixBeforeDone ? regressed ? "Score regressed against the captured baseline. The agent should fix or justify the new findings before finishing." : "Error-severity findings remain in files touched by this agent turn." : "No blocking regression detected for this agent turn.";
+	return {
+		agent: meta.agent,
+		touchedFiles,
+		newFindingCount,
+		mustFixBeforeDone,
+		reason
+	};
+};
+const buildFeedback = (diagnostics, score, rootDirectory, baseline, meta) => {
 	const all = diagnostics.map((d) => toFinding(d, rootDirectory)).filter((x) => x !== null);
 	const capped = all.slice(0, MAX_FINDINGS);
 	const elided = all.length > MAX_FINDINGS ? all.length - MAX_FINDINGS : void 0;
@@ -132,6 +506,7 @@ const buildFeedback = (diagnostics, score, rootDirectory, baseline) => {
 		baseline: baselineScore,
 		delta,
 		regressed,
+		accountability: buildAccountability(meta, capped, regressed, newSinceBaseline),
 		counts,
 		findings: capped,
 		elided,
@@ -188,6 +563,7 @@ const DEFAULT_CONFIG = {
 		"build",
 		"coverage"
 	],
+	include: [],
 	engines: {
 		format: true,
 		lint: true,
@@ -223,7 +599,7 @@ const DEFAULT_CONFIG = {
 		smoothing: 20
 	},
 	ci: {
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	},
 	telemetry: { enabled: true }
@@ -349,7 +725,7 @@ const ScoringSchema = z.object({
 	smoothing: z.number().nonnegative().default(20)
 });
 const CiSchema = z.object({
-	failBelow: z.number().default(0),
+	failBelow: z.number().default(70),
 	format: z.enum(["json"]).default("json")
 });
 const TelemetrySchema = z.object({ enabled: z.boolean().default(true) });
@@ -383,7 +759,7 @@ const AislopConfigSchema = z.object({
 		smoothing: 20
 	})),
 	ci: CiSchema.default(() => ({
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	})),
 	telemetry: TelemetrySchema.default(() => ({ enabled: true })),
@@ -393,7 +769,8 @@ const AislopConfigSchema = z.object({
 		"dist",
 		"build",
 		"coverage"
-	])
+	]),
+	include: z.array(z.string()).default(() => [])
 });
 const defaults = AislopConfigSchema.parse({});
 /**
@@ -473,31 +850,68 @@ const EXCLUDED_DIRS = [
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	"tests",
 	"test",
 	"__tests__",
 	"__test__",
 	"spec",
 	"__mocks__",
-	"fixtures",
 	"test_data",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
 const FIND_PRUNE_DIRS = [
 	"node_modules",
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
+const BUILD_CACHE_FILE_PATTERNS = [/\.timestamp-\d+-[a-z0-9]+\.[mc]?js$/i];
+const isBuildCacheFile = (filePath) => BUILD_CACHE_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const TEST_FILE_PATTERNS = [
 	/(?:^|\/).*\.test\.[^/]+$/i,
 	/(?:^|\/).*\.spec\.[^/]+$/i,
@@ -522,6 +936,7 @@ const hasAllowedExtension = (filePath, extraExtensions) => {
 	return SOURCE_EXTENSIONS.has(extension) || extraExtensions.has(extension);
 };
 const isExcludedPath = (filePath) => EXCLUDED_DIRS.some((dir) => filePath === dir || filePath.startsWith(`${dir}/`) || filePath.includes(`/${dir}/`));
+const isExcludedFromScan = (relativePath) => isExcludedPath(relativePath) || isBuildCacheFile(relativePath);
 const isTestFile$2 = (filePath) => TEST_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const getIgnoredPaths = (rootDirectory, files) => {
 	if (files.length === 0) return /* @__PURE__ */ new Set();
@@ -580,7 +995,7 @@ const normalizeExcludePatterns = (patterns) => {
 		return [p];
 	});
 };
-const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = []) => {
+const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = [], include = []) => {
 	const extraSet = new Set(extraExtensions);
 	const normalizedFiles = files.map((file) => {
 		const absolutePath = path.isAbsolute(file) ? file : path.resolve(rootDirectory, file);
@@ -595,8 +1010,16 @@ const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude
 		if (!normalizedExcludePatterns.length) return false;
 		return micromatch.isMatch(relativePath, normalizedExcludePatterns, { dot: true });
 	};
+	const hasIncludePatterns = include.length > 0;
+	const isUserIncluded = (relativePath) => {
+		if (!hasIncludePatterns) return true;
+		return micromatch.isMatch(relativePath, include, { dot: true });
+	};
 	return normalizedFiles.filter(({ absolutePath, relativePath }) => {
-		return hasAllowedExtension(relativePath, extraSet) && !isExcludedPath(relativePath) && !isTestFile$2(relativePath) && !ignoredPaths.has(relativePath) && !isUserExcluded(relativePath) && fs.existsSync(absolutePath);
+		if (!fs.existsSync(absolutePath) || !isWithinProject(relativePath) || isExcludedPath(relativePath) || isTestFile$2(relativePath) || ignoredPaths.has(relativePath)) return false;
+		if (!isUserIncluded(relativePath)) return false;
+		if (isUserExcluded(relativePath)) return false;
+		return hasAllowedExtension(relativePath, extraSet);
 	}).map(({ absolutePath }) => absolutePath);
 };
 const filterExplicitFiles = (rootDirectory, files, extraExtensions = []) => {
@@ -1326,6 +1749,86 @@ const PYTHON_IMPORT_TO_PIP = {
 	redis: "redis"
 };
 
+//#endregion
+//#region src/engines/ai-slop/python-manifest.ts
+const addPyDep = (pyDeps, name) => {
+	const normalized = name.toLowerCase().replace(/_/g, "-");
+	pyDeps.add(normalized);
+};
+const collectFromRequirementsTxt = (rootDir, pyDeps) => {
+	const reqPath = path.join(rootDir, "requirements.txt");
+	if (!fs.existsSync(reqPath)) return false;
+	try {
+		const content = fs.readFileSync(reqPath, "utf-8");
+		for (const line of content.split("\n")) {
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
+			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
+			if (match) addPyDep(pyDeps, match[1]);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPyproject = (rootDir, pyDeps) => {
+	const pyprojPath = path.join(rootDir, "pyproject.toml");
+	if (!fs.existsSync(pyprojPath)) return false;
+	try {
+		const content = fs.readFileSync(pyprojPath, "utf-8");
+		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
+		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
+		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
+		if (pep621) for (const line of pep621[1].split("\n")) {
+			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
+			if (m) addPyDep(pyDeps, m[1]);
+		}
+		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = poetryRe.exec(content);
+		while (match !== null) {
+			for (const line of match[1].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
+			}
+			match = poetryRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPipfile = (rootDir, pyDeps) => {
+	const pipfilePath = path.join(rootDir, "Pipfile");
+	if (!fs.existsSync(pipfilePath)) return false;
+	try {
+		const content = fs.readFileSync(pipfilePath, "utf-8");
+		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = sectionRe.exec(content);
+		while (match !== null) {
+			for (const line of match[2].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m) addPyDep(pyDeps, m[1]);
+			}
+			match = sectionRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectPythonDeps = (rootDir) => {
+	const pyDeps = /* @__PURE__ */ new Set();
+	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
+	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
+	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	return {
+		pyDeps,
+		hasPyManifest: hasReq || hasPyproject || hasPipfile
+	};
+};
+
 //#endregion
 //#region src/engines/ai-slop/hallucinated-imports.ts
 const JS_EXTENSIONS$2 = new Set([
@@ -1462,10 +1965,26 @@ const buildAliasMatcher = (key) => {
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
 	const opts = readJson(configPath)?.compilerOptions;
-	if (!opts || typeof opts !== "object") return;
+	if (!opts) return;
 	const paths = opts.paths;
-	if (!paths || typeof paths !== "object") return;
-	for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	if (paths && typeof paths === "object") for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	const baseUrl = opts.baseUrl;
+	if (typeof baseUrl === "string") {
+		const baseUrlDir = path.resolve(path.dirname(configPath), baseUrl);
+		let entries;
+		try {
+			entries = fs.readdirSync(baseUrlDir);
+		} catch {
+			return;
+		}
+		const baseSpecifiers = /* @__PURE__ */ new Set();
+		for (const entry of entries) {
+			if (entry.startsWith(".") || entry === "node_modules") continue;
+			const base = entry.replace(/\.(?:[jt]sx?|mjs|cjs|d\.ts)$/i, "");
+			if (base.length > 0) baseSpecifiers.add(base);
+		}
+		for (const name of baseSpecifiers) matchers.push((spec) => spec === name || spec.startsWith(`${name}/`));
+	}
 };
 const collectTsPathAliases = (rootDir) => {
 	const matchers = [];
@@ -1473,97 +1992,35 @@ const collectTsPathAliases = (rootDir) => {
 	for (const dir of dirs) for (const fname of TS_CONFIG_FILES) collectAliasMatchersFromConfig(path.join(dir, fname), matchers);
 	return matchers;
 };
-const addPyDep = (pyDeps, name) => {
-	const normalized = name.toLowerCase().replace(/_/g, "-");
-	pyDeps.add(normalized);
-};
-const collectFromRequirementsTxt = (rootDir, pyDeps) => {
-	const reqPath = path.join(rootDir, "requirements.txt");
-	if (!fs.existsSync(reqPath)) return false;
-	try {
-		const content = fs.readFileSync(reqPath, "utf-8");
-		for (const line of content.split("\n")) {
-			const trimmed = line.trim();
-			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
-			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
-			if (match) addPyDep(pyDeps, match[1]);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPyproject = (rootDir, pyDeps) => {
-	const pyprojPath = path.join(rootDir, "pyproject.toml");
-	if (!fs.existsSync(pyprojPath)) return false;
-	try {
-		const content = fs.readFileSync(pyprojPath, "utf-8");
-		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
-		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
-		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
-		if (pep621) for (const line of pep621[1].split("\n")) {
-			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
-			if (m) addPyDep(pyDeps, m[1]);
-		}
-		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = poetryRe.exec(content);
-		while (match !== null) {
-			for (const line of match[1].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
-			}
-			match = poetryRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPipfile = (rootDir, pyDeps) => {
-	const pipfilePath = path.join(rootDir, "Pipfile");
-	if (!fs.existsSync(pipfilePath)) return false;
-	try {
-		const content = fs.readFileSync(pipfilePath, "utf-8");
-		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = sectionRe.exec(content);
-		while (match !== null) {
-			for (const line of match[2].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m) addPyDep(pyDeps, m[1]);
-			}
-			match = sectionRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
 const loadManifest = (rootDir) => {
 	const jsDeps = /* @__PURE__ */ new Set();
-	const pyDeps = /* @__PURE__ */ new Set();
 	const hasJsManifest = collectJsDeps(rootDir, jsDeps);
-	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
-	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
-	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	const { pyDeps, hasPyManifest } = collectPythonDeps(rootDir);
 	return {
 		jsDeps,
 		pyDeps,
 		hasJsManifest,
-		hasPyManifest: hasReq || hasPyproject || hasPipfile
+		hasPyManifest
 	};
 };
 const isJsRelativeOrAbsolute = (spec) => spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("~/");
+const RUNTIME_BUILTINS = new Set(["bun"]);
 const isJsBuiltin = (spec) => {
+	if (RUNTIME_BUILTINS.has(spec)) return true;
 	return isBuiltin(spec.startsWith("node:") ? spec.slice(5) : spec) || isBuiltin(spec);
 };
 const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
-	"bun:"
+	"bun:",
+	"~icons/"
 ];
 const isJsVirtualModule = (spec) => VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p));
+const stripImportQuery = (spec) => {
+	const idx = spec.indexOf("?");
+	return idx === -1 ? spec : spec.slice(0, idx);
+};
+const VIRTUAL_ASSET_FILES = { "unfonts.css": "unplugin-fonts" };
 const TEMPLATE_PLACEHOLDER_RE = /\$\{/;
 const isLikelyRealImportSpec = (spec) => {
 	if (spec.length === 0) return false;
@@ -1630,10 +2087,14 @@ const extractPyImports = (content) => {
 	}
 	return results;
 };
-const checkJsImport = (spec, manifest, tsAliasMatchers) => {
+const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
+	const spec = stripImportQuery(rawSpec);
+	if (spec.length === 0) return null;
 	if (isJsRelativeOrAbsolute(spec)) return null;
 	if (isJsBuiltin(spec)) return null;
 	if (isJsVirtualModule(spec)) return null;
+	const virtualOwner = VIRTUAL_ASSET_FILES[spec];
+	if (virtualOwner && manifest.jsDeps.has(virtualOwner)) return null;
 	if (tsAliasMatchers.some((m) => m(spec))) return null;
 	const pkg = packageNameFromImport(spec);
 	if (manifest.jsDeps.has(pkg)) return null;
@@ -2989,64 +3450,88 @@ const analyzeFunctions = (content, ext) => {
 	}
 	return functions;
 };
-const JSX_FILE_LOC_MULTIPLIER = 1.5;
+const FILE_LOC_MULTIPLIERS = {
+	".tsx": 1.5,
+	".jsx": 1.5,
+	".rs": 2.5,
+	".go": 1.5
+};
+const DECLARATION_FILE_RE = /\.d\.ts$/i;
+const fileLocBudget = (ext, relativePath, base) => {
+	if (DECLARATION_FILE_RE.test(relativePath)) return Number.POSITIVE_INFINITY;
+	const multiplier = FILE_LOC_MULTIPLIERS[ext] ?? 1;
+	return Math.ceil(base * multiplier);
+};
 const checkFileDiagnostics = (relativePath, content, limits) => {
 	const results = [];
 	const lineCount = content.split("\n").length;
 	const ext = path.extname(relativePath).toLowerCase();
 	if (isDataFile(content)) return results;
-	const configuredMax = ext === ".jsx" || ext === ".tsx" ? Math.ceil(limits.maxFileLoc * JSX_FILE_LOC_MULTIPLIER) : limits.maxFileLoc;
+	const configuredMax = fileLocBudget(ext, relativePath, limits.maxFileLoc);
+	if (!Number.isFinite(configuredMax)) return results;
 	if (lineCount > Math.ceil(configuredMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/file-too-large",
 		severity: "warning",
-		message: `File has ${lineCount} lines (max: ${configuredMax})`,
+		message: `File too large (max: ${configuredMax})`,
 		help: "Consider splitting this file into smaller modules",
 		line: 0,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${lineCount} lines`
 	});
 	return results;
 };
-const checkFunctionDiagnostics = (relativePath, fn, limits) => {
+const JSX_EXTENSIONS = new Set([".tsx", ".jsx"]);
+const isComponentFunction = (name, ext) => JSX_EXTENSIONS.has(ext) && /^[A-Z]/.test(name);
+const functionLocBudget = (fn, ext, base) => {
+	if (isComponentFunction(fn.name, ext)) return Math.ceil(base * 2);
+	if (ext === ".rs") return Math.ceil(base * 1.5);
+	return base;
+};
+const checkFunctionDiagnostics = (relativePath, fn, limits, ext) => {
 	const results = [];
-	if (fn.lineCount - fn.templateLines > Math.ceil(limits.maxFunctionLoc * 1.1)) results.push({
+	const fnMax = functionLocBudget(fn, ext, limits.maxFunctionLoc);
+	if (fn.lineCount - fn.templateLines > Math.ceil(fnMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/function-too-long",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.lineCount} lines (max: ${limits.maxFunctionLoc})`,
+		message: `Function too long (max: ${fnMax})`,
 		help: "Consider breaking this function into smaller pieces",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.lineCount} lines`
 	});
 	if (fn.maxNesting > limits.maxNesting) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/deep-nesting",
 		severity: "warning",
-		message: `Function '${fn.name}' has nesting depth ${fn.maxNesting} (max: ${limits.maxNesting})`,
+		message: `Function nested too deeply (max: ${limits.maxNesting})`,
 		help: "Consider using early returns or extracting nested logic",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · depth ${fn.maxNesting}`
 	});
 	if (fn.paramCount > limits.maxParams) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/too-many-params",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.paramCount} parameters (max: ${limits.maxParams})`,
+		message: `Function has too many parameters (max: ${limits.maxParams})`,
 		help: "Consider using an options object parameter",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.paramCount} params`
 	});
 	return results;
 };
@@ -3061,7 +3546,7 @@ const checkFileComplexity = (filePath, rootDirectory, limits) => {
 	}
 	const ext = path.extname(filePath).toLowerCase();
 	const diagnostics = checkFileDiagnostics(relativePath, content, limits);
-	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits));
+	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits, ext));
 	return diagnostics;
 };
 const checkComplexity = async (context) => {
@@ -3166,17 +3651,19 @@ const findDuplicateBlocks = (content, relativePath) => {
 		});
 	}
 	return reports.map((r) => {
+		const span = r.currentEnd - r.currentStart + 1;
 		return {
 			filePath: relativePath,
 			engine: "code-quality",
 			rule: "code-quality/duplicate-block",
 			severity: "warning",
-			message: `${r.currentEnd - r.currentStart + 1}-line block at line ${r.currentStart} duplicates a block starting at line ${r.priorStart}. Extract a shared helper.`,
+			message: "Duplicate code block — extract a shared helper",
 			help: `Pull the shared logic into a function both sites can call. Keeps one version of the truth and makes future changes one-shot instead of N-shot.`,
 			line: r.currentStart,
 			column: 0,
 			category: "Complexity",
-			fixable: false
+			fixable: false,
+			detail: `${span} lines duplicate block at L${r.priorStart}`
 		};
 	});
 };
@@ -3842,16 +4329,34 @@ const isToolAvailable = async (toolName) => {
 	return isToolInstalled(toolName);
 };
 
+//#endregion
+//#region src/engines/python-targets.ts
+const PYTHON_EXTENSIONS = new Set([".py", ".pyi"]);
+const normalizeProjectPath = (filePath) => filePath.split(path.sep).join("/");
+const getPythonTargets = (context) => {
+	const targets = (context.files ?? getSourceFiles(context)).filter((filePath) => PYTHON_EXTENSIONS.has(path.extname(filePath).toLowerCase())).map((filePath) => {
+		const absolutePath = path.isAbsolute(filePath) ? filePath : path.resolve(context.rootDirectory, filePath);
+		return normalizeProjectPath(path.relative(context.rootDirectory, absolutePath));
+	}).filter((filePath) => filePath.length > 0 && !filePath.startsWith(".."));
+	return [...new Set(targets)];
+};
+const getRuffDiagnosticPath = (rootDirectory, filePath) => {
+	const normalizedPath = filePath.replace(/^a\//, "");
+	return normalizeProjectPath(path.isAbsolute(normalizedPath) ? path.relative(rootDirectory, normalizedPath) : normalizedPath);
+};
+
 //#endregion
 //#region src/engines/format/ruff-format.ts
 const runRuffFormat = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const result = await runSubprocess(ruffBinary, [
 			"format",
 			"--check",
 			"--diff",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
@@ -3867,9 +4372,9 @@ const parseRuffFormatOutput = (output, rootDir) => {
 	const filePattern = /^--- (.+)$/gm;
 	let match;
 	while ((match = filePattern.exec(output)) !== null) {
-		const filePath = match[1].replace(/^a\//, "");
+		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
-			filePath: path.relative(rootDir, filePath),
+			filePath,
 			engine: "format",
 			rule: "python-formatting",
 			severity: "warning",
@@ -4378,6 +4883,95 @@ const resolveOxlintBinary = () => {
 		return "oxlint";
 	}
 };
+const VITE_QUERY_RE = /["'][^"']*\?(worker|sharedworker|worker-url|url|raw|inline|init)\b/;
+const isViteVirtualImportFalsePositive = (rule, message) => rule.startsWith("import/") && VITE_QUERY_RE.test(message);
+const AMBIENT_GLOBAL_DEPS = [
+	"unplugin-icons",
+	"@types/bun",
+	"bun-types"
+];
+const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
+const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
+const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const detectAmbientSources = (rootDir) => {
+	const found = /* @__PURE__ */ new Set();
+	const skipDirs = new Set([
+		"node_modules",
+		".git",
+		"dist",
+		"build",
+		"out",
+		"target",
+		"coverage",
+		".next",
+		".turbo"
+	]);
+	const walk = (dir, depth) => {
+		if (depth > 4 || found.size === AMBIENT_GLOBAL_DEPS.length) return;
+		let entries;
+		try {
+			entries = fs.readdirSync(dir, { withFileTypes: true });
+		} catch {
+			return;
+		}
+		for (const entry of entries) {
+			if (found.size === AMBIENT_GLOBAL_DEPS.length) return;
+			if (entry.name.startsWith(".") && entry.name !== ".github") continue;
+			if (skipDirs.has(entry.name)) continue;
+			const full = path.join(dir, entry.name);
+			if (entry.isDirectory()) walk(full, depth + 1);
+			else if (entry.name === "package.json") try {
+				const pkg = JSON.parse(fs.readFileSync(full, "utf-8"));
+				const allDeps = {
+					...pkg.dependencies ?? {},
+					...pkg.devDependencies ?? {},
+					...pkg.peerDependencies ?? {}
+				};
+				for (const dep of AMBIENT_GLOBAL_DEPS) if (dep in allDeps) found.add(dep);
+			} catch {}
+		}
+	};
+	walk(rootDir, 0);
+	return found;
+};
+const extractNoUndefIdentifier = (message) => {
+	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
+};
+const isAmbientFalsePositive = (rule, message, sources) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	if (sources.has("unplugin-icons") && ICON_AUTOIMPORT_RE.test(ident)) return true;
+	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
+	return false;
+};
+const sstReferencedFiles = /* @__PURE__ */ new Map();
+const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
+	const cached = sstReferencedFiles.get(relativeFilePath);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	let referenced = false;
+	try {
+		const fd = fs.openSync(absolute, "r");
+		try {
+			const buf = Buffer.alloc(512);
+			const bytesRead = fs.readSync(fd, buf, 0, 512, 0);
+			referenced = SST_PLATFORM_REF_RE.test(buf.toString("utf-8", 0, bytesRead));
+		} finally {
+			fs.closeSync(fd);
+		}
+	} catch {
+		referenced = false;
+	}
+	sstReferencedFiles.set(relativeFilePath, referenced);
+	return referenced;
+};
+const UNUSED_VAR_IDENT_RE = /(?:Variable|Parameter|Catch parameter) '([^']+)' (?:is declared but never used|is caught but never used)/;
+const isUnderscoreUnusedVar = (rule, message) => {
+	if (rule !== "eslint/no-unused-vars") return false;
+	const match = UNUSED_VAR_IDENT_RE.exec(message);
+	return match ? match[1].startsWith("_") : false;
+};
 const parseRuleCode = (code) => {
 	if (!code) return {
 		plugin: "eslint",
@@ -4474,6 +5068,8 @@ const runOxlint = async (context) => {
 		framework: context.frameworks.find((f) => f !== "none"),
 		testFramework: detectTestFramework(context.rootDirectory)
 	});
+	const ambientSources = detectAmbientSources(context.rootDirectory);
+	sstReferencedFiles.clear();
 	try {
 		fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
 		const args = [
@@ -4513,6 +5109,11 @@ const runOxlint = async (context) => {
 				fixable: false
 			};
 		}).filter((d) => {
+			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
+			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
 			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
 			if (seen.has(key)) return false;
 			seen.add(key);
@@ -4576,18 +5177,20 @@ const fixOxlint = async (context, options = {}) => {
 //#region src/engines/lint/ruff.ts
 const runRuffLint = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const output = (await runSubprocess(ruffBinary, [
 			"check",
 			"--output-format=json",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
 		})).stdout;
 		if (!output) return [];
 		return JSON.parse(output).map((d) => ({
-			filePath: path.relative(context.rootDirectory, d.filename),
+			filePath: getRuffDiagnosticPath(context.rootDirectory, d.filename),
 			engine: "lint",
 			rule: `ruff/${d.code}`,
 			severity: d.code.startsWith("E") || d.code.startsWith("F") ? "error" : "warning",
@@ -4636,7 +5239,7 @@ const lintEngine = {
 		const promises = [];
 		if (languages.includes("typescript") || languages.includes("javascript")) {
 			promises.push(runOxlint(context));
-			if (context.config.lint.typecheck) promises.push(import("./typecheck-B1MXNAy-.js").then((mod) => mod.runTypecheck(context)));
+			if (context.config.lint.typecheck) promises.push(import("./typecheck-wVSohmOX.js").then((mod) => mod.runTypecheck(context)));
 		}
 		if (context.frameworks.includes("expo")) promises.push(Promise.resolve().then(() => expo_doctor_exports).then((mod) => mod.runExpoDoctor(context)));
 		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffLint(context));
@@ -4705,56 +5308,94 @@ const runPnpmAuditWithFallback = async (rootDir, timeout) => {
 		return [];
 	}
 };
+const SEVERITY_RANK = {
+	critical: 4,
+	high: 3,
+	moderate: 2,
+	low: 1
+};
 const toSeverity = (value) => value === "critical" || value === "high" ? "error" : "warning";
-const defaultAuditFixCommand = (source) => source === "pnpm audit" ? "pnpm audit --fix" : "npm audit fix";
+const upsertVuln = (bucket, packageName, severity, recommendation) => {
+	const existing = bucket.get(packageName);
+	if (existing) {
+		existing.advisories++;
+		if ((SEVERITY_RANK[severity] ?? 0) > (SEVERITY_RANK[existing.worstSeverity] ?? 0)) existing.worstSeverity = severity;
+		if (recommendation) existing.recommendations.add(recommendation);
+	} else bucket.set(packageName, {
+		packageName,
+		worstSeverity: severity,
+		advisories: 1,
+		recommendations: recommendation ? new Set([recommendation]) : /* @__PURE__ */ new Set()
+	});
+};
+const SEMVER_RE = /(\d+)\.(\d+)\.(\d+)/;
+const cmpSemver = (a, b) => {
+	const [, a1, a2, a3] = SEMVER_RE.exec(a) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	const [, b1, b2, b3] = SEMVER_RE.exec(b) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	if (Number(a1) !== Number(b1)) return Number(a1) - Number(b1);
+	if (Number(a2) !== Number(b2)) return Number(a2) - Number(b2);
+	return Number(a3) - Number(b3);
+};
+const pickBestRecommendation = (recs) => {
+	if (recs.length <= 1) return recs[0] ?? "";
+	const versioned = recs.filter((r) => SEMVER_RE.test(r));
+	if (versioned.length === 0) return recs[0];
+	return versioned.reduce((best, r) => cmpSemver(r, best) > 0 ? r : best);
+};
+const cleanRecommendation = (raw) => {
+	const t = raw.trim();
+	if (!t || t.toLowerCase() === "none") return "no fix available";
+	return t;
+};
+const aggregateToDiagnostic = (agg, source) => {
+	const best = cleanRecommendation(pickBestRecommendation([...agg.recommendations]));
+	const countLabel = agg.advisories > 1 ? ` (${agg.advisories} advisories)` : "";
+	const recLabel = best ? ` — ${best}` : "";
+	return {
+		filePath: "package.json",
+		engine: "security",
+		rule: "security/vulnerable-dependency",
+		severity: toSeverity(agg.worstSeverity),
+		message: `${agg.packageName} (${agg.worstSeverity})${recLabel}${countLabel}`,
+		help: "",
+		line: 0,
+		column: 0,
+		category: "Security",
+		fixable: false,
+		detail: source === "npm audit" ? "npm" : "pnpm"
+	};
+};
 const parseLegacyAdvisories = (advisories, source) => {
-	const diagnostics = [];
-	for (const [key, advisory] of Object.entries(advisories)) {
-		const packageName = advisory.module_name ?? advisory.name ?? advisory.package ?? key;
-		const severity = (advisory.severity ?? "moderate").toLowerCase();
-		const recommendation = advisory.recommendation ?? advisory.title ?? `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
-	}
-	return diagnostics;
+	const bucket = /* @__PURE__ */ new Map();
+	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseModernVulnerabilities = (vulnerabilities, source) => {
-	const diagnostics = [];
+	const bucket = /* @__PURE__ */ new Map();
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
-		let recommendation = `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		if (fixAvailable === false) recommendation = isDirect ? "No automatic fix — check for a newer major version" : "Transitive with no fix — add an override or upgrade the parent";
-		else if (!isDirect && fixAvailable === true) recommendation = "Transitive dep — may need an override or parent upgrade";
+		let recommendation = "";
+		if (fixAvailable === false) recommendation = isDirect ? "no automatic fix" : "transitive — needs override or parent upgrade";
+		else if (!isDirect && fixAvailable === true) recommendation = "transitive — may need override or parent upgrade";
 		else if (fixAvailable && typeof fixAvailable === "object" && "name" in fixAvailable && "version" in fixAvailable) {
 			const target = fixAvailable;
-			if (target.name && target.version) recommendation = `Upgrade to ${target.name}@${target.version}.`;
+			if (target.name && target.version) recommendation = `upgrade to ${target.name}@${target.version}`;
 		}
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
+		upsertVuln(bucket, packageName, severity, recommendation);
 	}
-	return diagnostics;
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseJsAudit = (output, source) => {
 	if (!output) return [];
@@ -5854,7 +6495,20 @@ const runClaudeHook = async (deps = {}) => {
 		const feedback = buildFeedback(diagnostics, score, rootDirectory, baseline ? {
 			score: baseline.score,
 			findingFingerprints: baseline.findingFingerprints
-		} : void 0);
+		} : void 0, {
+			agent: "claude",
+			touchedFiles: files
+		});
+		track({
+			event: "hook_scan_completed",
+			properties: buildHookScanCompletedProps({
+				agent: "claude",
+				score,
+				scoreDelta: baseline ? score - baseline.score : null,
+				findingCount: diagnostics.length,
+				fileCount: files.length
+			})
+		});
 		const envelope = renderClaudeOutput(JSON.stringify(feedback));
 		write(JSON.stringify(envelope));
 		return 0;
@@ -5925,6 +6579,9 @@ const runClaudeStopHook = async (deps = {}) => {
 		const feedback = buildFeedback(diagnostics, score, rootDirectory, {
 			score: baseline.score,
 			findingFingerprints: baseline.findingFingerprints
+		}, {
+			agent: "claude",
+			touchedFiles: sessionFiles
 		});
 		if (!feedback.regressed) {
 			clearSessionFiles(cwd);
@@ -5985,7 +6642,19 @@ const runCursorHook = async (deps = {}) => {
 	if (!release) return 0;
 	try {
 		const { diagnostics, score, rootDirectory } = await runScopedScan(cwd, files);
-		const feedback = buildFeedback(diagnostics, score, rootDirectory);
+		const feedback = buildFeedback(diagnostics, score, rootDirectory, void 0, {
+			agent: "cursor",
+			touchedFiles: files
+		});
+		track({
+			event: "hook_scan_completed",
+			properties: buildHookScanCompletedProps({
+				agent: "cursor",
+				score,
+				findingCount: diagnostics.length,
+				fileCount: files.length
+			})
+		});
 		const serialized = JSON.stringify(feedback);
 		write(JSON.stringify(renderCursorOutput(serialized)));
 		writeErr(`${serialized}\n`);
@@ -6035,7 +6704,19 @@ const runGeminiHook = async (deps = {}) => {
 	if (!release) return 0;
 	try {
 		const { diagnostics, score, rootDirectory } = await runScopedScan(cwd, files);
-		const feedback = buildFeedback(diagnostics, score, rootDirectory);
+		const feedback = buildFeedback(diagnostics, score, rootDirectory, void 0, {
+			agent: "gemini",
+			touchedFiles: files
+		});
+		track({
+			event: "hook_scan_completed",
+			properties: buildHookScanCompletedProps({
+				agent: "gemini",
+				score,
+				findingCount: diagnostics.length,
+				fileCount: files.length
+			})
+		});
 		write(JSON.stringify(renderGeminiOutput(JSON.stringify(feedback))));
 		return 0;
 	} catch {
@@ -7050,12 +7731,18 @@ const registerInstall = (hook) => {
 	install.action(async (positional, opts) => {
 		const agents = await pickAgents("install", opts, positional);
 		if (agents === null || agents.length === 0) return;
-		await hookInstall({
-			agents,
-			scope: resolveScope(opts),
-			dryRun: Boolean(opts.dryRun),
-			yes: Boolean(opts.yes),
-			qualityGate: Boolean(opts.qualityGate)
+		await withCommandLifecycle({
+			command: "hook_install",
+			config: loadConfig(process.cwd()).telemetry
+		}, async () => {
+			await hookInstall({
+				agents,
+				scope: resolveScope(opts),
+				dryRun: Boolean(opts.dryRun),
+				yes: Boolean(opts.yes),
+				qualityGate: Boolean(opts.qualityGate)
+			});
+			return { exitCode: 0 };
 		});
 	});
 };
@@ -7065,21 +7752,39 @@ const registerUninstall = (hook) => {
 	uninstall.action(async (positional, opts) => {
 		const agents = await pickAgents("uninstall", opts, positional);
 		if (agents === null || agents.length === 0) return;
-		await hookUninstall({
-			agents,
-			scope: resolveScope(opts),
-			dryRun: Boolean(opts.dryRun),
-			yes: true,
-			qualityGate: false
+		await withCommandLifecycle({
+			command: "hook_uninstall",
+			config: loadConfig(process.cwd()).telemetry
+		}, async () => {
+			await hookUninstall({
+				agents,
+				scope: resolveScope(opts),
+				dryRun: Boolean(opts.dryRun),
+				yes: true,
+				qualityGate: false
+			});
+			return { exitCode: 0 };
 		});
 	});
 };
 const registerCallbacks = (hook) => {
 	hook.command("status").description("Show which agent hooks are installed").action(async () => {
-		await hookStatus();
+		await withCommandLifecycle({
+			command: "hook_status",
+			config: loadConfig(process.cwd()).telemetry
+		}, async () => {
+			await hookStatus();
+			return { exitCode: 0 };
+		});
 	});
 	hook.command("baseline").description("Capture the current project score as the quality-gate baseline").action(async () => {
-		await hookBaseline();
+		await withCommandLifecycle({
+			command: "hook_baseline",
+			config: loadConfig(process.cwd()).telemetry
+		}, async () => {
+			await hookBaseline();
+			return { exitCode: 0 };
+		});
 	});
 	hook.command("claude").description("Internal: Claude Code PostToolUse / Stop / FileChanged callback (reads stdin)").option("--stop", "run in Stop-hook mode for the quality gate").option("--on-file-changed", "run in FileChanged mode (refresh baseline on watched file change)").action(async (opts) => {
 		await hookRun("claude", {
@@ -7333,8 +8038,53 @@ const wrapHelpText = (text, maxWidth, indent) => {
 };
 const terminalWidth = () => {
 	const raw = process.stdout.columns;
-	if (typeof raw !== "number" || raw <= 0) return 100;
-	return Math.min(raw, 100);
+	if (typeof raw !== "number" || raw <= 0) return 120;
+	return Math.min(raw, 120);
+};
+const renderRuleHeader = (first, count, lines) => {
+	const level = toSeverityLabel(first.severity);
+	const countLabel = count > 1 ? ` (${count})` : "";
+	const status = colorBySeverity(level, first.severity);
+	const fixableTag = first.fixable ? ` ${style(theme, "muted", "[auto]")}` : "";
+	const fixableWidth = first.fixable ? 7 : 0;
+	const badgePrefix = `    [${status}]${fixableTag} `;
+	const badgePrefixWidth = 5 + level.length + 1 + fixableWidth + 1;
+	const wrapped = wrapText(`${first.message}${countLabel}`, terminalWidth(), badgePrefixWidth, "      ");
+	lines.push(`${badgePrefix}${wrapped[0]}`);
+	for (let i = 1; i < wrapped.length; i++) lines.push(wrapped[i]);
+};
+const renderLocations = (ruleDiags, verbose, lines) => {
+	const unique = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const d of ruleDiags) {
+		const label = toLocationLabel(d);
+		const detail = d.detail ?? "";
+		const key = `${label}|${detail}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		unique.push({
+			label,
+			detail
+		});
+	}
+	const shown = verbose ? unique : unique.slice(0, 3);
+	const maxLabel = shown.reduce((w, l) => Math.max(w, l.label.length), 0);
+	for (const { label, detail } of shown) {
+		const padded = detail ? `${label.padEnd(maxLabel)}  ${detail}` : label;
+		lines.push(style(theme, "muted", `      ${padded}`));
+	}
+	if (!verbose && unique.length > shown.length) lines.push(style(theme, "muted", `      +${unique.length - shown.length} more location(s), use -d for full list`));
+};
+const renderHiddenFooter = (sorted, maxRules, lines) => {
+	const hidden = sorted.slice(maxRules);
+	const hiddenErrors = hidden.reduce((acc, [, diags]) => acc + (diags[0].severity === "error" ? diags.length : 0), 0);
+	const hiddenWarnings = hidden.reduce((acc, [, diags]) => acc + (diags[0].severity === "warning" ? diags.length : 0), 0);
+	const parts = [];
+	if (hiddenErrors > 0) parts.push(`${hiddenErrors} error${hiddenErrors === 1 ? "" : "s"}`);
+	if (hiddenWarnings > 0) parts.push(`${hiddenWarnings} warning${hiddenWarnings === 1 ? "" : "s"}`);
+	const detail = parts.length > 0 ? ` (${parts.join(", ")})` : "";
+	lines.push(style(theme, "muted", `    ... and ${hidden.length} more rules hidden${detail}. Run with -v or --verbose to see full output.`));
+	lines.push("");
 };
 const renderDiagnostics = (diagnostics, verbose) => {
 	const lines = [];
@@ -7343,29 +8093,23 @@ const renderDiagnostics = (diagnostics, verbose) => {
 		const label = getEngineLabel(engine);
 		lines.push(`  ${style(theme, "bold", `${symbols.engineActive} ${label}`)}`);
 		const sorted = [...groupBy(engineDiags, (d) => `${d.rule}:${d.message}`).entries()].sort(([, a], [, b]) => {
-			return (a[0].severity === "error" ? 0 : a[0].severity === "warning" ? 1 : 2) - (b[0].severity === "error" ? 0 : b[0].severity === "warning" ? 1 : 2);
+			const sa = a[0].severity === "error" ? 0 : a[0].severity === "warning" ? 1 : 2;
+			const sb = b[0].severity === "error" ? 0 : b[0].severity === "warning" ? 1 : 2;
+			if (sa !== sb) return sa - sb;
+			return b.length - a.length;
 		});
-		for (const [, ruleDiags] of sorted) {
+		const maxRules = verbose ? Infinity : 40;
+		for (const [, ruleDiags] of sorted.slice(0, maxRules)) {
 			const first = ruleDiags[0];
-			const level = toSeverityLabel(first.severity);
-			const count = ruleDiags.length > 1 ? ` (${ruleDiags.length})` : "";
-			const status = colorBySeverity(level, first.severity);
-			const fixableTag = first.fixable ? ` ${style(theme, "muted", "[auto]")}` : "";
-			const fixableWidth = first.fixable ? 7 : 0;
-			const badgePrefix = `    [${status}]${fixableTag} `;
-			const badgePrefixWidth = 5 + level.length + 1 + fixableWidth + 1;
-			const wrappedMsg = wrapText(`${first.message}${count}`, terminalWidth(), badgePrefixWidth, "      ");
-			lines.push(`${badgePrefix}${wrappedMsg[0]}`);
-			for (let i = 1; i < wrappedMsg.length; i++) lines.push(wrappedMsg[i]);
-			const locations = verbose ? ruleDiags : ruleDiags.slice(0, 3);
-			for (const diagnostic of locations) lines.push(style(theme, "muted", `      ${toLocationLabel(diagnostic)}`));
-			if (!verbose && ruleDiags.length > locations.length) lines.push(style(theme, "muted", `      +${ruleDiags.length - locations.length} more location(s), use -d for full list`));
+			renderRuleHeader(first, ruleDiags.length, lines);
+			renderLocations(ruleDiags, verbose, lines);
 			if (first.help) {
 				const wrapped = wrapHelpText(first.help, terminalWidth(), "      ");
 				for (const line of wrapped) lines.push(style(theme, "muted", line));
 			}
 			lines.push("");
 		}
+		if (sorted.length > maxRules) renderHiddenFooter(sorted, maxRules, lines);
 	}
 	return `${lines.join("\n")}\n`;
 };
@@ -7544,6 +8288,81 @@ var LiveGrid = class {
 	}
 };
 
+//#endregion
+//#region src/output/rule-labels.ts
+const RULE_LABELS = {
+	formatting: "Code not formatted",
+	"code-quality/duplicate-block": "Duplicate code block",
+	"complexity/file-too-large": "File too large",
+	"complexity/function-too-long": "Function too long",
+	"complexity/deep-nesting": "Deeply nested code",
+	"complexity/too-many-params": "Too many parameters",
+	"knip/files": "Unused file",
+	"knip/dependencies": "Unused dependency",
+	"knip/devDependencies": "Unused dev dependency",
+	"knip/unlisted": "Used but not in package.json",
+	"knip/unresolved": "Unresolved import",
+	"knip/binaries": "Unused binary",
+	"knip/exports": "Unused export",
+	"knip/types": "Unused type",
+	"ai-slop/trivial-comment": "Trivial restating comment",
+	"ai-slop/swallowed-exception": "Empty catch (swallowed error)",
+	"ai-slop/thin-wrapper": "Thin function wrapper",
+	"ai-slop/generic-naming": "Generic/vague identifier name",
+	"ai-slop/unused-import": "Unused import",
+	"ai-slop/console-leftover": "console.log left in code",
+	"ai-slop/todo-stub": "Unresolved TODO/FIXME",
+	"ai-slop/unreachable-code": "Unreachable code",
+	"ai-slop/constant-condition": "Constant condition",
+	"ai-slop/empty-function": "Empty function body",
+	"ai-slop/unsafe-type-assertion": "Unsafe type cast",
+	"ai-slop/double-type-assertion": "Double type cast",
+	"ai-slop/ts-directive": "@ts-ignore / @ts-expect-error",
+	"ai-slop/narrative-comment": "Narrative comment block",
+	"ai-slop/duplicate-import": "Duplicate import statement",
+	"ai-slop/python-bare-except": "Bare except",
+	"ai-slop/python-broad-except": "Broad except",
+	"ai-slop/python-mutable-default": "Mutable default argument",
+	"ai-slop/python-print-debug": "print() left in code",
+	"ai-slop/go-library-panic": "panic() in Go library code",
+	"ai-slop/rust-non-test-unwrap": "Rust .unwrap() in production code",
+	"ai-slop/rust-todo-stub": "Rust todo!() stub",
+	"ai-slop/hallucinated-import": "Import not in package.json",
+	"security/hardcoded-secret": "Possible hardcoded secret",
+	"security/vulnerable-dependency": "Vulnerable dependency",
+	"security/eval": "eval() usage",
+	"security/innerhtml": "innerHTML assignment",
+	"security/dangerously-set-innerhtml": "dangerouslySetInnerHTML (XSS risk)",
+	"security/sql-injection": "Possible SQL injection",
+	"security/shell-injection": "Possible shell injection",
+	"eslint/no-undef": "Undefined identifier",
+	"eslint/no-unused-vars": "Unused variable",
+	"eslint/no-unassigned-vars": "Variable never assigned",
+	"eslint/no-empty": "Empty block statement",
+	"eslint/no-unused-expressions": "Unused expression",
+	"eslint/no-shadow-restricted-names": "Shadowing restricted name",
+	"eslint/no-constant-binary-expression": "Constant binary expression",
+	"eslint/no-unsafe-optional-chaining": "Unsafe optional chaining",
+	"eslint/require-yield": "Generator with no yield",
+	"import/no-duplicates": "Duplicate import path",
+	"import/default": "Missing default export",
+	"import/named": "Missing named export",
+	"import/namespace": "Invalid namespace import",
+	"typescript-eslint/triple-slash-reference": "Triple-slash reference",
+	"unicorn/no-useless-fallback-in-spread": "Useless spread fallback",
+	"unicorn/no-invalid-remove-event-listener": "Invalid removeEventListener",
+	"unicorn/no-empty-file": "Empty file",
+	"unicorn/no-useless-length-check": "Useless array length check",
+	"unicorn/no-new-array": "Avoid new Array(n)",
+	"unicorn/no-useless-spread": "Useless spread",
+	"unicorn/no-single-promise-in-promise-methods": "Single-element Promise.all"
+};
+const prettifyFallback = (ruleId) => {
+	const spaced = (ruleId.includes("/") ? ruleId.slice(ruleId.indexOf("/") + 1) : ruleId).replace(/[-_]/g, " ").replace(/\//g, " · ");
+	return spaced.charAt(0).toUpperCase() + spaced.slice(1);
+};
+const labelForRule = (ruleId) => RULE_LABELS[ruleId] ?? prettifyFallback(ruleId);
+
 //#endregion
 //#region src/ui/summary.ts
 const elapsed = (ms) => ms < 1e3 ? `${Math.round(ms)}ms` : `${(ms / 1e3).toFixed(1)}s`;
@@ -7570,6 +8389,34 @@ const renderSummary = (input, deps = {}) => {
 		`   ${style(t, "muted", `${input.files} files`)}  ${sep}  ${style(t, "muted", `${input.engines} engines`)}  ${sep}  ${style(t, "muted", elapsed(input.elapsedMs))}`,
 		""
 	];
+	if (input.breakdown && input.breakdown.rows.length > 0) {
+		lines.push(` ${style(t, "bold", "Top findings")}`);
+		const maxCountWidth = input.breakdown.rows.reduce((w, r) => Math.max(w, String(r.errors + r.warnings + r.info).length), 0);
+		const labels = input.breakdown.rows.map((r) => labelForRule(r.rule));
+		const maxLabelWidth = labels.reduce((w, l) => Math.max(w, l.length), 0);
+		for (let i = 0; i < input.breakdown.rows.length; i++) {
+			const row = input.breakdown.rows[i];
+			const total = row.errors + row.warnings + row.info;
+			const count = String(total).padStart(maxCountWidth);
+			const label = padEnd(labels[i], maxLabelWidth);
+			const tags = [];
+			if (row.errors > 0) tags.push(style(t, "danger", `${row.errors} err`));
+			if (row.warnings > 0) tags.push(style(t, "warn", `${row.warnings} warn`));
+			if (row.info > 0) tags.push(style(t, "muted", `${row.info} info`));
+			if (row.fixable > 0) tags.push(style(t, "success", `${row.fixable} fix`));
+			const tagBlock = tags.length > 0 ? `  ${style(t, "muted", "·")}  ${tags.join("  ")}` : "";
+			const ruleHint = style(t, "muted", `(${row.rule})`);
+			lines.push(`   ${style(t, "muted", count)}  ${label}  ${ruleHint}${tagBlock}`);
+		}
+		if (input.breakdown.hiddenRules > 0) {
+			const hiddenParts = [];
+			if (input.breakdown.hiddenErrors > 0) hiddenParts.push(`${input.breakdown.hiddenErrors} error${input.breakdown.hiddenErrors === 1 ? "" : "s"}`);
+			if (input.breakdown.hiddenWarnings > 0) hiddenParts.push(`${input.breakdown.hiddenWarnings} warning${input.breakdown.hiddenWarnings === 1 ? "" : "s"}`);
+			const detail = hiddenParts.length > 0 ? ` (${hiddenParts.join(", ")})` : "";
+			lines.push(style(t, "muted", `   +${input.breakdown.hiddenRules} more rule${input.breakdown.hiddenRules === 1 ? "" : "s"}${detail}. Run with -v for the full list.`));
+		}
+		lines.push("");
+	}
 	if (input.nextSteps.length > 0) {
 		for (const step of input.nextSteps) {
 			const glyph = step.emphasis === "primary" ? s.hint : s.bullet;
@@ -7592,77 +8439,43 @@ const renderCleanRun = (input, deps = {}) => {
 	return `\n ${parts.join(`  ${sep}  `)}\n`;
 };
 
-//#endregion
-//#region src/version.ts
-const APP_VERSION = "0.8.3";
-
-//#endregion
-//#region src/utils/telemetry.ts
-const POSTHOG_HOST = "https://eu.i.posthog.com";
-const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
-/**
-* Returns true if telemetry should be disabled.
-* Telemetry is opt-out: it runs unless explicitly disabled.
-*/
-const isTelemetryDisabled = (configEnabled) => {
-	if (process.env.AISLOP_NO_TELEMETRY === "1" || process.env.DO_NOT_TRACK === "1") return true;
-	if (process.env.CI === "true" || process.env.CI === "1") return true;
-	if (configEnabled === false) return true;
-	return false;
-};
-const getScoreBucket = (score) => {
-	if (score >= 75) return "75-100";
-	if (score >= 50) return "50-75";
-	if (score >= 25) return "25-50";
-	return "0-25";
-};
-const getAnonymousId = () => {
-	const raw = `${os.hostname()}-${os.platform()}-${os.arch()}`;
-	let hash = 5381;
-	for (let i = 0; i < raw.length; i++) hash = hash * 33 ^ raw.charCodeAt(i);
-	return `aislop_${(hash >>> 0).toString(36)}`;
-};
-/** Pending telemetry request — kept alive so Node doesn't exit before it completes. */
-let pendingRequest = null;
-const trackEvent = (event) => {
-	const payload = {
-		api_key: POSTHOG_KEY,
-		event: `cli_${event.command}`,
-		distinct_id: getAnonymousId(),
-		properties: {
-			version: APP_VERSION,
-			node_version: process.version,
-			os: os.platform(),
-			arch: os.arch(),
-			languages: event.languages,
-			score_bucket: event.scoreBucket,
-			engine_issues: event.engineIssues,
-			engine_timings: event.engineTimings,
-			elapsed_ms: event.elapsedMs,
-			file_count: event.fileCount,
-			fix_steps: event.fixSteps,
-			fix_resolved: event.fixResolved
-		},
-		timestamp: (/* @__PURE__ */ new Date()).toISOString()
-	};
-	pendingRequest = fetch(`${POSTHOG_HOST}/capture/`, {
-		method: "POST",
-		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify(payload),
-		signal: AbortSignal.timeout(3e3)
-	}).then(() => {}).catch(() => {});
-};
-const flushTelemetry = async () => {
-	if (pendingRequest) {
-		await pendingRequest;
-		pendingRequest = null;
-	}
-};
-
 //#endregion
 //#region src/commands/scan.ts
 const shouldUseSpinner = () => Boolean(process.stderr.isTTY) && process.env.CI !== "true" && process.env.CI !== "1";
 const ALL_ENGINE_NAMES = Object.keys(ENGINE_INFO);
+const BREAKDOWN_TOP_N = 10;
+const computeBreakdown = (diagnostics) => {
+	const byRule = /* @__PURE__ */ new Map();
+	for (const d of diagnostics) {
+		const row = byRule.get(d.rule) ?? {
+			rule: d.rule,
+			errors: 0,
+			warnings: 0,
+			info: 0,
+			fixable: 0
+		};
+		if (d.severity === "error") row.errors++;
+		else if (d.severity === "warning") row.warnings++;
+		else row.info++;
+		if (d.fixable) row.fixable++;
+		byRule.set(d.rule, row);
+	}
+	const sorted = [...byRule.values()].sort((a, b) => {
+		const aTotal = a.errors + a.warnings + a.info;
+		const bTotal = b.errors + b.warnings + b.info;
+		if (aTotal !== bTotal) return bTotal - aTotal;
+		if (a.errors !== b.errors) return b.errors - a.errors;
+		return a.rule.localeCompare(b.rule);
+	});
+	const rows = sorted.slice(0, BREAKDOWN_TOP_N);
+	const hidden = sorted.slice(BREAKDOWN_TOP_N);
+	return {
+		rows,
+		hiddenRules: hidden.length,
+		hiddenErrors: hidden.reduce((acc, r) => acc + r.errors, 0),
+		hiddenWarnings: hidden.reduce((acc, r) => acc + r.warnings, 0)
+	};
+};
 const buildScanRender = (input) => {
 	const deps = {
 		theme: createTheme(),
@@ -7712,11 +8525,11 @@ const buildScanRender = (input) => {
 		engines: input.results.length,
 		elapsedMs: input.elapsedMs,
 		nextSteps,
+		breakdown: computeBreakdown(input.diagnostics),
 		thresholds: input.thresholds
 	}, deps)}`;
 };
 const scanCommand = async (directory, config, options) => {
-	const startTime = performance.now();
 	const resolvedDir = path.resolve(directory);
 	if (!fs.existsSync(resolvedDir)) {
 		const msg = `Path does not exist: ${resolvedDir}`;
@@ -7730,9 +8543,18 @@ const scanCommand = async (directory, config, options) => {
 		else log.error(msg);
 		return { exitCode: 1 };
 	}
+	const projectInfo = await discoverProject(resolvedDir);
+	return withCommandLifecycle({
+		command: options.command ?? "scan",
+		config: config.telemetry,
+		languages: projectInfo.languages,
+		fileCount: projectInfo.sourceFileCount
+	}, () => runScanBody(resolvedDir, config, options, projectInfo));
+};
+const runScanBody = async (resolvedDir, config, options, projectInfo) => {
+	const startTime = performance.now();
 	const showHeader = options.showHeader !== false;
 	const useLiveProgress = !options.json && shouldUseSpinner();
-	const projectInfo = await discoverProject(resolvedDir);
 	let files;
 	if (options.staged) {
 		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], config.exclude);
@@ -7799,28 +8621,27 @@ const scanCommand = async (directory, config, options) => {
 	const elapsedMs = performance.now() - startTime;
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
 	const exitCode = allDiagnostics.some((d) => d.severity === "error") || scoreResult.score < config.ci.failBelow ? 1 : 0;
-	if (!isTelemetryDisabled(config.telemetry?.enabled)) {
-		const engineIssues = {};
-		const engineTimings = {};
-		for (const r of results) {
-			engineIssues[r.engine] = r.diagnostics.length;
-			engineTimings[r.engine] = Math.round(r.elapsed);
-		}
-		trackEvent({
-			command: options.command ?? "scan",
-			languages: projectInfo.languages,
-			scoreBucket: getScoreBucket(scoreResult.score),
-			engineIssues,
-			engineTimings,
-			elapsedMs: Math.round(elapsedMs),
-			fileCount: projectInfo.sourceFileCount
-		});
-	}
+	const engineIssues = {};
+	const engineTimings = {};
+	for (const r of results) {
+		engineIssues[r.engine] = r.diagnostics.length;
+		engineTimings[r.engine] = Math.round(r.elapsed);
+	}
+	const completion = {
+		exitCode,
+		score: scoreResult.score,
+		findingCount: allDiagnostics.length,
+		errorCount: allDiagnostics.filter((d) => d.severity === "error").length,
+		warningCount: allDiagnostics.filter((d) => d.severity === "warning").length,
+		fixableCount: allDiagnostics.filter((d) => d.fixable).length,
+		engineIssues,
+		engineTimings
+	};
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-BbMwrgyd.js");
+		const { buildJsonOutput } = await import("./json-OIzja7OM.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
 		console.log(JSON.stringify(jsonOut, null, 2));
-		return { exitCode };
+		return completion;
 	}
 	const projectName = projectInfo.projectName ?? "project";
 	const language = projectInfo.languages[0] ?? "unknown";
@@ -7837,7 +8658,7 @@ const scanCommand = async (directory, config, options) => {
 		includeHeader: showHeader,
 		printBrand: options.printBrand
 	}));
-	return { exitCode };
+	return completion;
 };
 
 //#endregion
@@ -9785,15 +10606,23 @@ const fixCommand = async (directory, config, options = {
 	verbose: false,
 	showHeader: true
 }) => {
-	const startTime = performance.now();
 	const resolvedDir = path.resolve(directory);
 	if (!fs.existsSync(resolvedDir) || !fs.statSync(resolvedDir).isDirectory()) {
 		const msg = !fs.existsSync(resolvedDir) ? `Path does not exist: ${resolvedDir}` : `Not a directory: ${resolvedDir}`;
 		log.error(msg);
 		return;
 	}
-	const showHeader = options.showHeader !== false;
 	const projectInfo = await discoverProject(resolvedDir);
+	await withCommandLifecycle({
+		command: "fix",
+		config: config.telemetry,
+		languages: projectInfo.languages,
+		fileCount: projectInfo.sourceFileCount
+	}, () => runFixBody(resolvedDir, config, options, projectInfo));
+};
+const runFixBody = async (resolvedDir, config, options, projectInfo) => {
+	const startTime = performance.now();
+	const showHeader = options.showHeader !== false;
 	const projectName = projectInfo.projectName ?? "project";
 	if (showHeader) process.stdout.write(renderHeader({
 		version: APP_VERSION,
@@ -9830,12 +10659,6 @@ const fixCommand = async (directory, config, options = {
 	await runFormattingStep(pipelineDeps);
 	await runForceSteps(pipelineDeps);
 	const totalResolved = steps.reduce((sum, s) => sum + s.resolvedIssues, 0);
-	if (!isTelemetryDisabled(config.telemetry?.enabled)) trackEvent({
-		command: "fix",
-		languages: projectInfo.languages,
-		fixSteps: steps.length,
-		fixResolved: totalResolved
-	});
 	const configDir = findConfigDir(resolvedDir);
 	const rulesPath = configDir ? path.join(configDir, RULES_FILE) : void 0;
 	const engineConfig = {
@@ -9858,7 +10681,9 @@ const fixCommand = async (directory, config, options = {
 	});
 	const allDiagnostics = scanResults.flatMap((r) => r.diagnostics);
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
-	const remaining = allDiagnostics.filter((d) => d.severity === "error").length + allDiagnostics.filter((d) => d.severity === "warning").length;
+	const errors = allDiagnostics.filter((d) => d.severity === "error").length;
+	const warnings = allDiagnostics.filter((d) => d.severity === "warning").length;
+	const remaining = errors + warnings;
 	if (steps.length === 0) rail.complete({
 		status: "skipped",
 		label: "No applicable auto-fixers found"
@@ -9887,12 +10712,31 @@ const fixCommand = async (directory, config, options = {
 	}
 	if (options.agent) {
 		launchAgent(options.agent, resolvedDir, allDiagnostics, scoreResult.score);
-		return;
+		return {
+			exitCode: 0,
+			score: scoreResult.score,
+			fixSteps: steps.length,
+			fixResolved: totalResolved
+		};
 	}
 	if (options.prompt) {
 		printPrompt(resolvedDir, allDiagnostics, scoreResult.score);
-		return;
+		return {
+			exitCode: 0,
+			score: scoreResult.score,
+			fixSteps: steps.length,
+			fixResolved: totalResolved
+		};
 	}
+	return {
+		exitCode: 0,
+		score: scoreResult.score,
+		findingCount: allDiagnostics.length,
+		errorCount: errors,
+		warningCount: warnings,
+		fixSteps: steps.length,
+		fixResolved: totalResolved
+	};
 };
 
 //#endregion
@@ -10008,10 +10852,18 @@ const promptForConfigChoices = async () => {
 	return {
 		engines: enginesSelection,
 		failBelow: Number(failBelowRaw),
+		typecheck: DEFAULT_CONFIG.lint.typecheck,
 		telemetryEnabled: telemetryChoice === "enabled",
 		writeGithubWorkflow: workflowChoice === "yes"
 	};
 };
+const strictChoices = () => ({
+	engines: Object.keys(DEFAULT_CONFIG.engines),
+	failBelow: 85,
+	typecheck: true,
+	telemetryEnabled: DEFAULT_CONFIG.telemetry.enabled,
+	writeGithubWorkflow: true
+});
 const writeAislopConfig = (configDir, configPath, choices) => {
 	const selected = new Set(choices.engines);
 	const engines = {
@@ -10026,6 +10878,7 @@ const writeAislopConfig = (configDir, configPath, choices) => {
 		version: DEFAULT_CONFIG.version,
 		engines,
 		quality: { ...DEFAULT_CONFIG.quality },
+		lint: { typecheck: choices.typecheck },
 		security: { ...DEFAULT_CONFIG.security },
 		scoring: {
 			weights: { ...DEFAULT_CONFIG.scoring.weights },
@@ -10078,7 +10931,7 @@ const initCommand = async (directory, options = {}) => {
 			return;
 		}
 	}
-	const choices = await promptForConfigChoices();
+	const choices = options.strict ? strictChoices() : await promptForConfigChoices();
 	if (!choices) return;
 	writeAislopConfig(configDir, configPath, choices);
 	const steps = [{
@@ -10375,29 +11228,38 @@ const interactiveCommand = async (directory, config) => {
 //#region src/cli.ts
 process.on("SIGINT", () => process.exit(0));
 process.on("SIGTERM", () => process.exit(0));
-const excludeParser = (value, previous = []) => {
+const fireInstalledOnce = () => {
+	if (isTelemetryDisabled(loadConfig(process.cwd()).telemetry)) return;
+	if (ensureInstallId(resolveInstallIdPath()).created) track({
+		event: "cli_installed",
+		config: loadConfig(process.cwd()).telemetry
+	});
+};
+const commaSeparatedParser = (value, previous = []) => {
 	const parts = value.split(",").map((v) => v.trim()).filter(Boolean);
 	return [...previous, ...parts];
 };
 const runScan = async (directory, flags) => {
 	const config = loadConfig(directory);
-	const { exitCode } = await scanCommand(directory, flags.exclude?.length ? {
+	const { exitCode } = await scanCommand(directory, {
 		...config,
-		exclude: [...config.exclude ?? [], ...flags.exclude]
-	} : config, {
+		exclude: [...config.exclude ?? [], ...flags.exclude ?? []],
+		include: [...config.include ?? [], ...flags.include ?? []]
+	}, {
 		changes: Boolean(flags.changes),
 		staged: Boolean(flags.staged),
 		verbose: Boolean(flags.verbose),
 		json: Boolean(flags.json),
-		exclude: flags.exclude
+		exclude: flags.exclude,
+		include: flags.include
 	});
 	if (exitCode !== 0) {
 		await flushTelemetry();
-		process.exit(exitCode);
+		process.exitCode = exitCode;
 	}
 };
-const noFlagsPassed = (flags) => !flags.changes && !flags.staged && !flags.verbose && !flags.json && !(flags.exclude && flags.exclude.length > 0);
-const program = new Command().name("aislop").description("The unified code quality CLI").version(APP_VERSION, "-v, --version").argument("[directory]", "project directory to scan", ".").option("--changes", "only scan changed files (git diff)").option("--staged", "only scan staged files").option("-d, --verbose", "show file details per rule").option("--json", "output JSON instead of terminal UI").option("--exclude <patterns>", "comma-separated or repeatable list of paths and files to exclude", excludeParser, []).action(async (directory, flags) => {
+const noFlagsPassed = (flags) => !flags.changes && !flags.staged && !flags.verbose && !flags.json && !(flags.exclude && flags.exclude.length > 0) && !(flags.include && flags.include.length > 0);
+const program = new Command().name("aislop").description("The unified code quality CLI").version(APP_VERSION, "-v, --version").argument("[directory]", "project directory to scan", ".").option("--changes", "only scan changed files (git diff)").option("--staged", "only scan staged files").option("-d, --verbose", "show file details per rule").option("--json", "output JSON instead of terminal UI").option("--exclude <patterns>", "comma-separated or repeatable list of paths and files to exclude", commaSeparatedParser, []).option("--include <patterns>", "comma-separated or repeatable list of paths and files to include", commaSeparatedParser, []).action(async (directory, flags) => {
 	if (noFlagsPassed(flags) && process.stdin.isTTY) try {
 		await interactiveCommand(directory, loadConfig(directory));
 		return;
@@ -10433,7 +11295,7 @@ ${style(theme, "dim", "Examples:")}
   npx aislop scan --exclude node_modules --exclude dist --exclude **/*.ts
 ${renderHintLine("Run npx aislop scan to scan your project").trimEnd()}
 `);
-program.command("scan [directory]").description("Run full code quality scan").option("--changes", "only scan changed files").option("--staged", "only scan staged files").option("-d, --verbose", "show file details per rule").option("--json", "output JSON").option("--exclude <patterns>", "comma-separated or repeatable list of paths and files to exclude", excludeParser, []).action(async (directory = ".", _flags, command) => {
+program.command("scan [directory]").description("Run full code quality scan").option("--changes", "only scan changed files").option("--staged", "only scan staged files").option("-d, --verbose", "show file details per rule").option("--json", "output JSON").option("--exclude <patterns>", "comma-separated or repeatable list of paths and files to exclude", commaSeparatedParser, []).option("--include <patterns>", "comma-separated or repeatable list of paths and files to include", commaSeparatedParser, []).action(async (directory = ".", _flags, command) => {
 	await runScan(directory, command.optsWithGlobals());
 });
 const FIX_AGENT_FLAGS = [
@@ -10522,43 +11384,70 @@ fixProgram.action(async (directory = ".", _flags, command) => {
 		agent: matchFixAgent(flags)
 	});
 });
-program.command("init [directory]").description("Initialize aislop config in project").action(async (directory = ".") => {
-	await initCommand(directory);
+program.command("init [directory]").description("Initialize aislop config in project").option("--strict", "write an enterprise-grade default config: all engines, typecheck on, CI failBelow 85, workflow included").action(async (directory = ".", _flags, command) => {
+	const flags = command.optsWithGlobals();
+	await withCommandLifecycle({
+		command: "init",
+		config: loadConfig(directory).telemetry
+	}, async () => {
+		await initCommand(directory, { strict: Boolean(flags.strict) });
+		return { exitCode: 0 };
+	});
 });
 program.command("doctor [directory]").description("Check installed tools and environment").action(async (directory = ".") => {
-	await doctorCommand(directory);
+	await withCommandLifecycle({
+		command: "doctor",
+		config: loadConfig(directory).telemetry
+	}, async () => {
+		await doctorCommand(directory);
+		return { exitCode: 0 };
+	});
 });
 program.command("ci [directory]").description("CI-friendly JSON output with exit codes").option("--human", "render the human-friendly scan design instead of JSON").action(async (directory = ".", _flags, command) => {
 	const flags = command.optsWithGlobals();
 	const { exitCode } = await ciCommand(directory, loadConfig(directory), { human: Boolean(flags.human) });
 	if (exitCode !== 0) {
 		await flushTelemetry();
-		process.exit(exitCode);
+		process.exitCode = exitCode;
 	}
 });
 program.command("rules [directory]").description("List all available rules").action(async (directory = ".") => {
-	await rulesCommand(directory);
+	await withCommandLifecycle({
+		command: "rules",
+		config: loadConfig(directory).telemetry
+	}, async () => {
+		await rulesCommand(directory);
+		return { exitCode: 0 };
+	});
 });
 program.command("badge [directory]").description("Print the public score badge URL + README markdown for this repo").option("--owner <owner>", "GitHub owner (auto-detected from git remote if omitted)").option("--repo <repo>", "GitHub repo name (auto-detected from git remote if omitted)").option("--json", "emit machine-readable JSON instead of the rendered output").action(async (directory = ".", _flags, command) => {
 	const flags = command.optsWithGlobals();
 	try {
-		await badgeCommand({
-			directory,
-			owner: flags.owner,
-			repo: flags.repo,
-			json: Boolean(flags.json)
+		await withCommandLifecycle({
+			command: "badge",
+			config: loadConfig(directory).telemetry
+		}, async () => {
+			await badgeCommand({
+				directory,
+				owner: flags.owner,
+				repo: flags.repo,
+				json: Boolean(flags.json)
+			});
+			return { exitCode: 0 };
 		});
 	} catch (err) {
-		process.stderr.write(`${err?.message ?? "Failed to print badge"}\n`);
+		const message = err instanceof Error ? err.message : "Failed to print badge";
+		process.stderr.write(`${message}\n`);
 		process.exit(1);
 	}
 });
 registerHookCommand(program);
 const main = async () => {
+	fireInstalledOnce();
 	await program.parseAsync();
 	await flushTelemetry();
 };
 main();
 
 //#endregion
-export { ENGINE_INFO as n, runSubprocess as r, APP_VERSION as t };
+export { runSubprocess as n, APP_VERSION as r, ENGINE_INFO as t };