aislop 0.9.0 → 0.9.1

package/dist/mcp.js

@@ -4,8 +4,8 @@ import { createRequire, isBuiltin } from "node:module";
 import { performance } from "node:perf_hooks";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import path from "node:path";
 import { spawn, spawnSync } from "node:child_process";
+import path from "node:path";
 import { z } from "zod";
 import fs from "node:fs";
 import YAML from "yaml";
@@ -26,6 +26,7 @@ const DEFAULT_CONFIG = {
 		"build",
 		"coverage"
 	],
+	include: [],
 	engines: {
 		format: true,
 		lint: true,
@@ -61,7 +62,7 @@ const DEFAULT_CONFIG = {
 		smoothing: 20
 	},
 	ci: {
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	},
 	telemetry: { enabled: true }
@@ -151,7 +152,7 @@ const ScoringSchema = z$1.object({
 	smoothing: z$1.number().nonnegative().default(20)
 });
 const CiSchema = z$1.object({
-	failBelow: z$1.number().default(0),
+	failBelow: z$1.number().default(70),
 	format: z$1.enum(["json"]).default("json")
 });
 const TelemetrySchema = z$1.object({ enabled: z$1.boolean().default(true) });
@@ -185,7 +186,7 @@ const AislopConfigSchema = z$1.object({
 		smoothing: 20
 	})),
 	ci: CiSchema.default(() => ({
-		failBelow: 0,
+		failBelow: 70,
 		format: "json"
 	})),
 	telemetry: TelemetrySchema.default(() => ({ enabled: true })),
@@ -195,7 +196,8 @@ const AislopConfigSchema = z$1.object({
 		"dist",
 		"build",
 		"coverage"
-	])
+	]),
+	include: z$1.array(z$1.string()).default(() => [])
 });
 const defaults = AislopConfigSchema.parse({});
 /**
@@ -275,31 +277,68 @@ const EXCLUDED_DIRS = [
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	"tests",
 	"test",
 	"__tests__",
 	"__test__",
 	"spec",
 	"__mocks__",
-	"fixtures",
 	"test_data",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
 const FIND_PRUNE_DIRS = [
 	"node_modules",
 	"dist",
 	"build",
 	".git",
+	".agents",
 	"vendor",
+	"examples",
+	"example",
+	"demos",
+	"demo",
+	"bench",
+	"benches",
+	"benchmarks",
+	"fixtures",
+	"fixture",
+	"samples",
+	"sample",
+	"tutorials",
+	"tutorial",
+	"code_samples",
+	"code-samples",
+	"notebooks",
 	".next",
 	".nuxt",
 	"coverage",
-	".turbo"
+	".turbo",
+	"public"
 ];
+const BUILD_CACHE_FILE_PATTERNS = [/\.timestamp-\d+-[a-z0-9]+\.[mc]?js$/i];
+const isBuildCacheFile = (filePath) => BUILD_CACHE_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const TEST_FILE_PATTERNS = [
 	/(?:^|\/).*\.test\.[^/]+$/i,
 	/(?:^|\/).*\.spec\.[^/]+$/i,
@@ -324,6 +363,7 @@ const hasAllowedExtension = (filePath, extraExtensions) => {
 	return SOURCE_EXTENSIONS.has(extension) || extraExtensions.has(extension);
 };
 const isExcludedPath = (filePath) => EXCLUDED_DIRS.some((dir) => filePath === dir || filePath.startsWith(`${dir}/`) || filePath.includes(`/${dir}/`));
+const isExcludedFromScan = (relativePath) => isExcludedPath(relativePath) || isBuildCacheFile(relativePath);
 const isTestFile$2 = (filePath) => TEST_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 const getIgnoredPaths = (rootDirectory, files) => {
 	if (files.length === 0) return /* @__PURE__ */ new Set();
@@ -382,7 +422,7 @@ const normalizeExcludePatterns = (patterns) => {
 		return [p];
 	});
 };
-const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = []) => {
+const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude = [], include = []) => {
 	const extraSet = new Set(extraExtensions);
 	const normalizedFiles = files.map((file) => {
 		const absolutePath = path.isAbsolute(file) ? file : path.resolve(rootDirectory, file);
@@ -397,8 +437,16 @@ const filterProjectFiles = (rootDirectory, files, extraExtensions = [], exclude
 		if (!normalizedExcludePatterns.length) return false;
 		return micromatch.isMatch(relativePath, normalizedExcludePatterns, { dot: true });
 	};
+	const hasIncludePatterns = include.length > 0;
+	const isUserIncluded = (relativePath) => {
+		if (!hasIncludePatterns) return true;
+		return micromatch.isMatch(relativePath, include, { dot: true });
+	};
 	return normalizedFiles.filter(({ absolutePath, relativePath }) => {
-		return hasAllowedExtension(relativePath, extraSet) && !isExcludedPath(relativePath) && !isTestFile$2(relativePath) && !ignoredPaths.has(relativePath) && !isUserExcluded(relativePath) && fs.existsSync(absolutePath);
+		if (!fs.existsSync(absolutePath) || !isWithinProject(relativePath) || isExcludedPath(relativePath) || isTestFile$2(relativePath) || ignoredPaths.has(relativePath)) return false;
+		if (!isUserIncluded(relativePath)) return false;
+		if (isUserExcluded(relativePath)) return false;
+		return hasAllowedExtension(relativePath, extraSet);
 	}).map(({ absolutePath }) => absolutePath);
 };
 const filterExplicitFiles = (rootDirectory, files, extraExtensions = []) => {
@@ -1128,6 +1176,86 @@ const PYTHON_IMPORT_TO_PIP = {
 	redis: "redis"
 };
 
+//#endregion
+//#region src/engines/ai-slop/python-manifest.ts
+const addPyDep = (pyDeps, name) => {
+	const normalized = name.toLowerCase().replace(/_/g, "-");
+	pyDeps.add(normalized);
+};
+const collectFromRequirementsTxt = (rootDir, pyDeps) => {
+	const reqPath = path.join(rootDir, "requirements.txt");
+	if (!fs.existsSync(reqPath)) return false;
+	try {
+		const content = fs.readFileSync(reqPath, "utf-8");
+		for (const line of content.split("\n")) {
+			const trimmed = line.trim();
+			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
+			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
+			if (match) addPyDep(pyDeps, match[1]);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPyproject = (rootDir, pyDeps) => {
+	const pyprojPath = path.join(rootDir, "pyproject.toml");
+	if (!fs.existsSync(pyprojPath)) return false;
+	try {
+		const content = fs.readFileSync(pyprojPath, "utf-8");
+		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
+		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
+		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
+		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
+		if (pep621) for (const line of pep621[1].split("\n")) {
+			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
+			if (m) addPyDep(pyDeps, m[1]);
+		}
+		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = poetryRe.exec(content);
+		while (match !== null) {
+			for (const line of match[1].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
+			}
+			match = poetryRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectFromPipfile = (rootDir, pyDeps) => {
+	const pipfilePath = path.join(rootDir, "Pipfile");
+	if (!fs.existsSync(pipfilePath)) return false;
+	try {
+		const content = fs.readFileSync(pipfilePath, "utf-8");
+		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
+		let match = sectionRe.exec(content);
+		while (match !== null) {
+			for (const line of match[2].split("\n")) {
+				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
+				if (m) addPyDep(pyDeps, m[1]);
+			}
+			match = sectionRe.exec(content);
+		}
+		return true;
+	} catch {
+		return false;
+	}
+};
+const collectPythonDeps = (rootDir) => {
+	const pyDeps = /* @__PURE__ */ new Set();
+	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
+	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
+	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	return {
+		pyDeps,
+		hasPyManifest: hasReq || hasPyproject || hasPipfile
+	};
+};
+
 //#endregion
 //#region src/engines/ai-slop/hallucinated-imports.ts
 const JS_EXTENSIONS$1 = new Set([
@@ -1264,10 +1392,26 @@ const buildAliasMatcher = (key) => {
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
 	const opts = readJson(configPath)?.compilerOptions;
-	if (!opts || typeof opts !== "object") return;
+	if (!opts) return;
 	const paths = opts.paths;
-	if (!paths || typeof paths !== "object") return;
-	for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	if (paths && typeof paths === "object") for (const key of Object.keys(paths)) matchers.push(buildAliasMatcher(key));
+	const baseUrl = opts.baseUrl;
+	if (typeof baseUrl === "string") {
+		const baseUrlDir = path.resolve(path.dirname(configPath), baseUrl);
+		let entries;
+		try {
+			entries = fs.readdirSync(baseUrlDir);
+		} catch {
+			return;
+		}
+		const baseSpecifiers = /* @__PURE__ */ new Set();
+		for (const entry of entries) {
+			if (entry.startsWith(".") || entry === "node_modules") continue;
+			const base = entry.replace(/\.(?:[jt]sx?|mjs|cjs|d\.ts)$/i, "");
+			if (base.length > 0) baseSpecifiers.add(base);
+		}
+		for (const name of baseSpecifiers) matchers.push((spec) => spec === name || spec.startsWith(`${name}/`));
+	}
 };
 const collectTsPathAliases = (rootDir) => {
 	const matchers = [];
@@ -1275,97 +1419,35 @@ const collectTsPathAliases = (rootDir) => {
 	for (const dir of dirs) for (const fname of TS_CONFIG_FILES) collectAliasMatchersFromConfig(path.join(dir, fname), matchers);
 	return matchers;
 };
-const addPyDep = (pyDeps, name) => {
-	const normalized = name.toLowerCase().replace(/_/g, "-");
-	pyDeps.add(normalized);
-};
-const collectFromRequirementsTxt = (rootDir, pyDeps) => {
-	const reqPath = path.join(rootDir, "requirements.txt");
-	if (!fs.existsSync(reqPath)) return false;
-	try {
-		const content = fs.readFileSync(reqPath, "utf-8");
-		for (const line of content.split("\n")) {
-			const trimmed = line.trim();
-			if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) continue;
-			const match = trimmed.match(/^([a-zA-Z0-9_\-.]+)/);
-			if (match) addPyDep(pyDeps, match[1]);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPyproject = (rootDir, pyDeps) => {
-	const pyprojPath = path.join(rootDir, "pyproject.toml");
-	if (!fs.existsSync(pyprojPath)) return false;
-	try {
-		const content = fs.readFileSync(pyprojPath, "utf-8");
-		const projectNameMatch = content.match(/\[project\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (projectNameMatch) addPyDep(pyDeps, projectNameMatch[1]);
-		const poetryNameMatch = content.match(/\[tool\.poetry\][\s\S]*?^\s*name\s*=\s*["']([^"']+)/m);
-		if (poetryNameMatch) addPyDep(pyDeps, poetryNameMatch[1]);
-		const pep621 = content.match(/^\s*dependencies\s*=\s*\[([\s\S]*?)\]/m);
-		if (pep621) for (const line of pep621[1].split("\n")) {
-			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
-			if (m) addPyDep(pyDeps, m[1]);
-		}
-		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = poetryRe.exec(content);
-		while (match !== null) {
-			for (const line of match[1].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m && m[1] !== "python") addPyDep(pyDeps, m[1]);
-			}
-			match = poetryRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
-const collectFromPipfile = (rootDir, pyDeps) => {
-	const pipfilePath = path.join(rootDir, "Pipfile");
-	if (!fs.existsSync(pipfilePath)) return false;
-	try {
-		const content = fs.readFileSync(pipfilePath, "utf-8");
-		const sectionRe = /\[(packages|dev-packages)\]([\s\S]*?)(?=\n\[|$)/g;
-		let match = sectionRe.exec(content);
-		while (match !== null) {
-			for (const line of match[2].split("\n")) {
-				const m = line.trim().match(/^([a-zA-Z0-9_\-.]+)\s*=/);
-				if (m) addPyDep(pyDeps, m[1]);
-			}
-			match = sectionRe.exec(content);
-		}
-		return true;
-	} catch {
-		return false;
-	}
-};
 const loadManifest = (rootDir) => {
 	const jsDeps = /* @__PURE__ */ new Set();
-	const pyDeps = /* @__PURE__ */ new Set();
 	const hasJsManifest = collectJsDeps(rootDir, jsDeps);
-	const hasReq = collectFromRequirementsTxt(rootDir, pyDeps);
-	const hasPyproject = collectFromPyproject(rootDir, pyDeps);
-	const hasPipfile = collectFromPipfile(rootDir, pyDeps);
+	const { pyDeps, hasPyManifest } = collectPythonDeps(rootDir);
 	return {
 		jsDeps,
 		pyDeps,
 		hasJsManifest,
-		hasPyManifest: hasReq || hasPyproject || hasPipfile
+		hasPyManifest
 	};
 };
 const isJsRelativeOrAbsolute = (spec) => spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("~/");
+const RUNTIME_BUILTINS = new Set(["bun"]);
 const isJsBuiltin = (spec) => {
+	if (RUNTIME_BUILTINS.has(spec)) return true;
 	return isBuiltin(spec.startsWith("node:") ? spec.slice(5) : spec) || isBuiltin(spec);
 };
 const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
-	"bun:"
+	"bun:",
+	"~icons/"
 ];
 const isJsVirtualModule = (spec) => VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p));
+const stripImportQuery = (spec) => {
+	const idx = spec.indexOf("?");
+	return idx === -1 ? spec : spec.slice(0, idx);
+};
+const VIRTUAL_ASSET_FILES = { "unfonts.css": "unplugin-fonts" };
 const TEMPLATE_PLACEHOLDER_RE = /\$\{/;
 const isLikelyRealImportSpec = (spec) => {
 	if (spec.length === 0) return false;
@@ -1432,10 +1514,14 @@ const extractPyImports = (content) => {
 	}
 	return results;
 };
-const checkJsImport = (spec, manifest, tsAliasMatchers) => {
+const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
+	const spec = stripImportQuery(rawSpec);
+	if (spec.length === 0) return null;
 	if (isJsRelativeOrAbsolute(spec)) return null;
 	if (isJsBuiltin(spec)) return null;
 	if (isJsVirtualModule(spec)) return null;
+	const virtualOwner = VIRTUAL_ASSET_FILES[spec];
+	if (virtualOwner && manifest.jsDeps.has(virtualOwner)) return null;
 	if (tsAliasMatchers.some((m) => m(spec))) return null;
 	const pkg = packageNameFromImport(spec);
 	if (manifest.jsDeps.has(pkg)) return null;
@@ -2790,64 +2876,88 @@ const analyzeFunctions = (content, ext) => {
 	}
 	return functions;
 };
-const JSX_FILE_LOC_MULTIPLIER = 1.5;
+const FILE_LOC_MULTIPLIERS = {
+	".tsx": 1.5,
+	".jsx": 1.5,
+	".rs": 2.5,
+	".go": 1.5
+};
+const DECLARATION_FILE_RE = /\.d\.ts$/i;
+const fileLocBudget = (ext, relativePath, base) => {
+	if (DECLARATION_FILE_RE.test(relativePath)) return Number.POSITIVE_INFINITY;
+	const multiplier = FILE_LOC_MULTIPLIERS[ext] ?? 1;
+	return Math.ceil(base * multiplier);
+};
 const checkFileDiagnostics = (relativePath, content, limits) => {
 	const results = [];
 	const lineCount = content.split("\n").length;
 	const ext = path.extname(relativePath).toLowerCase();
 	if (isDataFile(content)) return results;
-	const configuredMax = ext === ".jsx" || ext === ".tsx" ? Math.ceil(limits.maxFileLoc * JSX_FILE_LOC_MULTIPLIER) : limits.maxFileLoc;
+	const configuredMax = fileLocBudget(ext, relativePath, limits.maxFileLoc);
+	if (!Number.isFinite(configuredMax)) return results;
 	if (lineCount > Math.ceil(configuredMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/file-too-large",
 		severity: "warning",
-		message: `File has ${lineCount} lines (max: ${configuredMax})`,
+		message: `File too large (max: ${configuredMax})`,
 		help: "Consider splitting this file into smaller modules",
 		line: 0,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${lineCount} lines`
 	});
 	return results;
 };
-const checkFunctionDiagnostics = (relativePath, fn, limits) => {
+const JSX_EXTENSIONS = new Set([".tsx", ".jsx"]);
+const isComponentFunction = (name, ext) => JSX_EXTENSIONS.has(ext) && /^[A-Z]/.test(name);
+const functionLocBudget = (fn, ext, base) => {
+	if (isComponentFunction(fn.name, ext)) return Math.ceil(base * 2);
+	if (ext === ".rs") return Math.ceil(base * 1.5);
+	return base;
+};
+const checkFunctionDiagnostics = (relativePath, fn, limits, ext) => {
 	const results = [];
-	if (fn.lineCount - fn.templateLines > Math.ceil(limits.maxFunctionLoc * 1.1)) results.push({
+	const fnMax = functionLocBudget(fn, ext, limits.maxFunctionLoc);
+	if (fn.lineCount - fn.templateLines > Math.ceil(fnMax * 1.1)) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/function-too-long",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.lineCount} lines (max: ${limits.maxFunctionLoc})`,
+		message: `Function too long (max: ${fnMax})`,
 		help: "Consider breaking this function into smaller pieces",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.lineCount} lines`
 	});
 	if (fn.maxNesting > limits.maxNesting) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/deep-nesting",
 		severity: "warning",
-		message: `Function '${fn.name}' has nesting depth ${fn.maxNesting} (max: ${limits.maxNesting})`,
+		message: `Function nested too deeply (max: ${limits.maxNesting})`,
 		help: "Consider using early returns or extracting nested logic",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · depth ${fn.maxNesting}`
 	});
 	if (fn.paramCount > limits.maxParams) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/too-many-params",
 		severity: "warning",
-		message: `Function '${fn.name}' has ${fn.paramCount} parameters (max: ${limits.maxParams})`,
+		message: `Function has too many parameters (max: ${limits.maxParams})`,
 		help: "Consider using an options object parameter",
 		line: fn.startLine,
 		column: 0,
 		category: "Complexity",
-		fixable: false
+		fixable: false,
+		detail: `${fn.name} · ${fn.paramCount} params`
 	});
 	return results;
 };
@@ -2862,7 +2972,7 @@ const checkFileComplexity = (filePath, rootDirectory, limits) => {
 	}
 	const ext = path.extname(filePath).toLowerCase();
 	const diagnostics = checkFileDiagnostics(relativePath, content, limits);
-	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits));
+	for (const fn of analyzeFunctions(content, ext)) diagnostics.push(...checkFunctionDiagnostics(relativePath, fn, limits, ext));
 	return diagnostics;
 };
 const checkComplexity = async (context) => {
@@ -2967,17 +3077,19 @@ const findDuplicateBlocks = (content, relativePath) => {
 		});
 	}
 	return reports.map((r) => {
+		const span = r.currentEnd - r.currentStart + 1;
 		return {
 			filePath: relativePath,
 			engine: "code-quality",
 			rule: "code-quality/duplicate-block",
 			severity: "warning",
-			message: `${r.currentEnd - r.currentStart + 1}-line block at line ${r.currentStart} duplicates a block starting at line ${r.priorStart}. Extract a shared helper.`,
+			message: "Duplicate code block — extract a shared helper",
 			help: `Pull the shared logic into a function both sites can call. Keeps one version of the truth and makes future changes one-shot instead of N-shot.`,
 			line: r.currentStart,
 			column: 0,
 			category: "Complexity",
-			fixable: false
+			fixable: false,
+			detail: `${span} lines duplicate block at L${r.priorStart}`
 		};
 	});
 };
@@ -3519,16 +3631,34 @@ const isToolAvailable = async (toolName) => {
 	return isToolInstalled(toolName);
 };
 
+//#endregion
+//#region src/engines/python-targets.ts
+const PYTHON_EXTENSIONS = new Set([".py", ".pyi"]);
+const normalizeProjectPath = (filePath) => filePath.split(path.sep).join("/");
+const getPythonTargets = (context) => {
+	const targets = (context.files ?? getSourceFiles(context)).filter((filePath) => PYTHON_EXTENSIONS.has(path.extname(filePath).toLowerCase())).map((filePath) => {
+		const absolutePath = path.isAbsolute(filePath) ? filePath : path.resolve(context.rootDirectory, filePath);
+		return normalizeProjectPath(path.relative(context.rootDirectory, absolutePath));
+	}).filter((filePath) => filePath.length > 0 && !filePath.startsWith(".."));
+	return [...new Set(targets)];
+};
+const getRuffDiagnosticPath = (rootDirectory, filePath) => {
+	const normalizedPath = filePath.replace(/^a\//, "");
+	return normalizeProjectPath(path.isAbsolute(normalizedPath) ? path.relative(rootDirectory, normalizedPath) : normalizedPath);
+};
+
 //#endregion
 //#region src/engines/format/ruff-format.ts
 const runRuffFormat = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const result = await runSubprocess(ruffBinary, [
 			"format",
 			"--check",
 			"--diff",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
@@ -3544,9 +3674,9 @@ const parseRuffFormatOutput = (output, rootDir) => {
 	const filePattern = /^--- (.+)$/gm;
 	let match;
 	while ((match = filePattern.exec(output)) !== null) {
-		const filePath = match[1].replace(/^a\//, "");
+		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
-			filePath: path.relative(rootDir, filePath),
+			filePath,
 			engine: "format",
 			rule: "python-formatting",
 			severity: "warning",
@@ -3816,6 +3946,95 @@ const resolveOxlintBinary = () => {
 		return "oxlint";
 	}
 };
+const VITE_QUERY_RE = /["'][^"']*\?(worker|sharedworker|worker-url|url|raw|inline|init)\b/;
+const isViteVirtualImportFalsePositive = (rule, message) => rule.startsWith("import/") && VITE_QUERY_RE.test(message);
+const AMBIENT_GLOBAL_DEPS = [
+	"unplugin-icons",
+	"@types/bun",
+	"bun-types"
+];
+const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
+const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
+const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const detectAmbientSources = (rootDir) => {
+	const found = /* @__PURE__ */ new Set();
+	const skipDirs = new Set([
+		"node_modules",
+		".git",
+		"dist",
+		"build",
+		"out",
+		"target",
+		"coverage",
+		".next",
+		".turbo"
+	]);
+	const walk = (dir, depth) => {
+		if (depth > 4 || found.size === AMBIENT_GLOBAL_DEPS.length) return;
+		let entries;
+		try {
+			entries = fs.readdirSync(dir, { withFileTypes: true });
+		} catch {
+			return;
+		}
+		for (const entry of entries) {
+			if (found.size === AMBIENT_GLOBAL_DEPS.length) return;
+			if (entry.name.startsWith(".") && entry.name !== ".github") continue;
+			if (skipDirs.has(entry.name)) continue;
+			const full = path.join(dir, entry.name);
+			if (entry.isDirectory()) walk(full, depth + 1);
+			else if (entry.name === "package.json") try {
+				const pkg = JSON.parse(fs.readFileSync(full, "utf-8"));
+				const allDeps = {
+					...pkg.dependencies ?? {},
+					...pkg.devDependencies ?? {},
+					...pkg.peerDependencies ?? {}
+				};
+				for (const dep of AMBIENT_GLOBAL_DEPS) if (dep in allDeps) found.add(dep);
+			} catch {}
+		}
+	};
+	walk(rootDir, 0);
+	return found;
+};
+const extractNoUndefIdentifier = (message) => {
+	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
+};
+const isAmbientFalsePositive = (rule, message, sources) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	if (sources.has("unplugin-icons") && ICON_AUTOIMPORT_RE.test(ident)) return true;
+	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
+	return false;
+};
+const sstReferencedFiles = /* @__PURE__ */ new Map();
+const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
+	const cached = sstReferencedFiles.get(relativeFilePath);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	let referenced = false;
+	try {
+		const fd = fs.openSync(absolute, "r");
+		try {
+			const buf = Buffer.alloc(512);
+			const bytesRead = fs.readSync(fd, buf, 0, 512, 0);
+			referenced = SST_PLATFORM_REF_RE.test(buf.toString("utf-8", 0, bytesRead));
+		} finally {
+			fs.closeSync(fd);
+		}
+	} catch {
+		referenced = false;
+	}
+	sstReferencedFiles.set(relativeFilePath, referenced);
+	return referenced;
+};
+const UNUSED_VAR_IDENT_RE = /(?:Variable|Parameter|Catch parameter) '([^']+)' (?:is declared but never used|is caught but never used)/;
+const isUnderscoreUnusedVar = (rule, message) => {
+	if (rule !== "eslint/no-unused-vars") return false;
+	const match = UNUSED_VAR_IDENT_RE.exec(message);
+	return match ? match[1].startsWith("_") : false;
+};
 const parseRuleCode = (code) => {
 	if (!code) return {
 		plugin: "eslint",
@@ -3854,6 +4073,8 @@ const runOxlint = async (context) => {
 		framework: context.frameworks.find((f) => f !== "none"),
 		testFramework: detectTestFramework(context.rootDirectory)
 	});
+	const ambientSources = detectAmbientSources(context.rootDirectory);
+	sstReferencedFiles.clear();
 	try {
 		fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
 		const args = [
@@ -3893,6 +4114,11 @@ const runOxlint = async (context) => {
 				fixable: false
 			};
 		}).filter((d) => {
+			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
+			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
 			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
 			if (seen.has(key)) return false;
 			seen.add(key);
@@ -3907,18 +4133,20 @@ const runOxlint = async (context) => {
 //#region src/engines/lint/ruff.ts
 const runRuffLint = async (context) => {
 	const ruffBinary = resolveToolBinary("ruff");
+	const targets = getPythonTargets(context);
+	if (targets.length === 0) return [];
 	try {
 		const output = (await runSubprocess(ruffBinary, [
 			"check",
 			"--output-format=json",
-			context.rootDirectory
+			...targets
 		], {
 			cwd: context.rootDirectory,
 			timeout: 6e4
 		})).stdout;
 		if (!output) return [];
 		return JSON.parse(output).map((d) => ({
-			filePath: path.relative(context.rootDirectory, d.filename),
+			filePath: getRuffDiagnosticPath(context.rootDirectory, d.filename),
 			engine: "lint",
 			rule: `ruff/${d.code}`,
 			severity: d.code.startsWith("E") || d.code.startsWith("F") ? "error" : "warning",
@@ -4013,56 +4241,94 @@ const runPnpmAuditWithFallback = async (rootDir, timeout) => {
 		return [];
 	}
 };
+const SEVERITY_RANK = {
+	critical: 4,
+	high: 3,
+	moderate: 2,
+	low: 1
+};
 const toSeverity = (value) => value === "critical" || value === "high" ? "error" : "warning";
-const defaultAuditFixCommand = (source) => source === "pnpm audit" ? "pnpm audit --fix" : "npm audit fix";
+const upsertVuln = (bucket, packageName, severity, recommendation) => {
+	const existing = bucket.get(packageName);
+	if (existing) {
+		existing.advisories++;
+		if ((SEVERITY_RANK[severity] ?? 0) > (SEVERITY_RANK[existing.worstSeverity] ?? 0)) existing.worstSeverity = severity;
+		if (recommendation) existing.recommendations.add(recommendation);
+	} else bucket.set(packageName, {
+		packageName,
+		worstSeverity: severity,
+		advisories: 1,
+		recommendations: recommendation ? new Set([recommendation]) : /* @__PURE__ */ new Set()
+	});
+};
+const SEMVER_RE = /(\d+)\.(\d+)\.(\d+)/;
+const cmpSemver = (a, b) => {
+	const [, a1, a2, a3] = SEMVER_RE.exec(a) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	const [, b1, b2, b3] = SEMVER_RE.exec(b) ?? [
+		"",
+		"0",
+		"0",
+		"0"
+	];
+	if (Number(a1) !== Number(b1)) return Number(a1) - Number(b1);
+	if (Number(a2) !== Number(b2)) return Number(a2) - Number(b2);
+	return Number(a3) - Number(b3);
+};
+const pickBestRecommendation = (recs) => {
+	if (recs.length <= 1) return recs[0] ?? "";
+	const versioned = recs.filter((r) => SEMVER_RE.test(r));
+	if (versioned.length === 0) return recs[0];
+	return versioned.reduce((best, r) => cmpSemver(r, best) > 0 ? r : best);
+};
+const cleanRecommendation = (raw) => {
+	const t = raw.trim();
+	if (!t || t.toLowerCase() === "none") return "no fix available";
+	return t;
+};
+const aggregateToDiagnostic = (agg, source) => {
+	const best = cleanRecommendation(pickBestRecommendation([...agg.recommendations]));
+	const countLabel = agg.advisories > 1 ? ` (${agg.advisories} advisories)` : "";
+	const recLabel = best ? ` — ${best}` : "";
+	return {
+		filePath: "package.json",
+		engine: "security",
+		rule: "security/vulnerable-dependency",
+		severity: toSeverity(agg.worstSeverity),
+		message: `${agg.packageName} (${agg.worstSeverity})${recLabel}${countLabel}`,
+		help: "",
+		line: 0,
+		column: 0,
+		category: "Security",
+		fixable: false,
+		detail: source === "npm audit" ? "npm" : "pnpm"
+	};
+};
 const parseLegacyAdvisories = (advisories, source) => {
-	const diagnostics = [];
-	for (const [key, advisory] of Object.entries(advisories)) {
-		const packageName = advisory.module_name ?? advisory.name ?? advisory.package ?? key;
-		const severity = (advisory.severity ?? "moderate").toLowerCase();
-		const recommendation = advisory.recommendation ?? advisory.title ?? `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
-	}
-	return diagnostics;
+	const bucket = /* @__PURE__ */ new Map();
+	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseModernVulnerabilities = (vulnerabilities, source) => {
-	const diagnostics = [];
+	const bucket = /* @__PURE__ */ new Map();
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
-		let recommendation = `Run \`${defaultAuditFixCommand(source)}\` to resolve`;
-		if (fixAvailable === false) recommendation = isDirect ? "No automatic fix — check for a newer major version" : "Transitive with no fix — add an override or upgrade the parent";
-		else if (!isDirect && fixAvailable === true) recommendation = "Transitive dep — may need an override or parent upgrade";
+		let recommendation = "";
+		if (fixAvailable === false) recommendation = isDirect ? "no automatic fix" : "transitive — needs override or parent upgrade";
+		else if (!isDirect && fixAvailable === true) recommendation = "transitive — may need override or parent upgrade";
 		else if (fixAvailable && typeof fixAvailable === "object" && "name" in fixAvailable && "version" in fixAvailable) {
 			const target = fixAvailable;
-			if (target.name && target.version) recommendation = `Upgrade to ${target.name}@${target.version}.`;
+			if (target.name && target.version) recommendation = `upgrade to ${target.name}@${target.version}`;
 		}
-		diagnostics.push({
-			filePath: "package.json",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: toSeverity(severity),
-			message: `Vulnerable dependency (${source}): ${packageName} (${severity})`,
-			help: withFixHint(recommendation),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		});
+		upsertVuln(bucket, packageName, severity, recommendation);
 	}
-	return diagnostics;
+	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
 const parseJsAudit = (output, source) => {
 	if (!output) return [];
@@ -4978,10 +5244,17 @@ const runScan = async (cwd) => {
 	const config = loadConfig(cwd);
 	const diagnostics = (await runEngines(buildEngineContext(project.rootDirectory, project, config), enabledEnginesFromConfig(config))).flatMap((r) => r.diagnostics);
 	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing);
+	const errorCount = diagnostics.filter((d) => d.severity === "error").length;
+	const failBelow = config.ci.failBelow;
 	return {
 		project,
 		diagnostics,
-		score
+		score,
+		qualityGate: {
+			failBelow,
+			passed: errorCount === 0 && score >= failBelow,
+			errorCount
+		}
 	};
 };
 const aislopScanInputSchema = z.object({ path: z.string().optional().describe("Project directory to scan. Defaults to the MCP server's cwd.") });
@@ -4991,10 +5264,11 @@ const aislopScanTool = {
 	inputSchema: aislopScanInputSchema
 };
 const handleAislopScan = async (input) => {
-	const { project, diagnostics, score } = await runScan(resolveCwd(input.path));
+	const { project, diagnostics, score, qualityGate } = await runScan(resolveCwd(input.path));
 	const summary = summariseDiagnostics(diagnostics, project.rootDirectory);
 	return {
 		score,
+		qualityGate,
 		fileCount: project.sourceFileCount,
 		languages: project.languages,
 		frameworks: project.frameworks,
@@ -5095,7 +5369,7 @@ const handleAislopBaseline = (input) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.9.0";
+const APP_VERSION = "0.9.1";
 
 //#endregion
 //#region src/telemetry/env.ts