aislop 0.9.4 → 0.9.6

package/dist/mcp.js

@@ -11,9 +11,9 @@ import fs from "node:fs";
 import YAML from "yaml";
 import { z as z$1 } from "zod/v4";
 import micromatch from "micromatch";
+import ts from "typescript";
 import { fileURLToPath } from "node:url";
 import os from "node:os";
-import "typescript";
 import { randomUUID } from "node:crypto";
 
 //#region src/config/defaults.ts
@@ -65,7 +65,8 @@ const DEFAULT_CONFIG = {
 		failBelow: 70,
 		format: "json"
 	},
-	telemetry: { enabled: true }
+	telemetry: { enabled: true },
+	rules: {}
 };
 
 //#endregion
@@ -156,6 +157,12 @@ const CiSchema = z$1.object({
 	format: z$1.enum(["json"]).default("json")
 });
 const TelemetrySchema = z$1.object({ enabled: z$1.boolean().default(true) });
+const RuleSeverityOverride = z$1.enum([
+	"error",
+	"warning",
+	"off"
+]);
+const RulesSchema = z$1.record(z$1.string(), RuleSeverityOverride).default(() => ({}));
 const AislopConfigSchema = z$1.object({
 	version: z$1.number().default(1),
 	engines: EnginesSchema.default(() => ({
@@ -190,6 +197,7 @@ const AislopConfigSchema = z$1.object({
 		format: "json"
 	})),
 	telemetry: TelemetrySchema.default(() => ({ enabled: true })),
+	rules: RulesSchema,
 	exclude: z$1.array(z$1.string()).default(() => [
 		"node_modules",
 		".git",
@@ -258,7 +266,7 @@ const loadConfig = (directory) => {
 //#endregion
 //#region src/utils/source-files.ts
 const MAX_BUFFER = 50 * 1024 * 1024;
-const SOURCE_EXTENSIONS = new Set([
+const SOURCE_EXTENSIONS$1 = new Set([
 	".ts",
 	".tsx",
 	".js",
@@ -366,7 +374,7 @@ const toProjectPath = (rootDirectory, filePath) => {
 const isWithinProject = (relativePath) => relativePath.length > 0 && !relativePath.startsWith("..");
 const hasAllowedExtension = (filePath, extraExtensions) => {
 	const extension = path.extname(filePath);
-	return SOURCE_EXTENSIONS.has(extension) || extraExtensions.has(extension);
+	return SOURCE_EXTENSIONS$1.has(extension) || extraExtensions.has(extension);
 };
 const isExcludedPath = (filePath) => EXCLUDED_DIRS.some((dir) => filePath === dir || filePath.startsWith(`${dir}/`) || filePath.includes(`/${dir}/`));
 const isExcludedFromScan = (relativePath) => isExcludedPath(relativePath) || isBuildCacheFile(relativePath);
@@ -505,7 +513,7 @@ const getSourceFilesWithExtras = (context, extraExtensions) => {
 
 //#endregion
 //#region src/engines/ai-slop/abstractions.ts
-const JS_EXTS$1 = new Set([
+const JS_EXTS$2 = new Set([
 	".ts",
 	".tsx",
 	".js",
@@ -516,11 +524,11 @@ const JS_EXTS$1 = new Set([
 const THIN_WRAPPER_PATTERNS = [
 	{
 		pattern: /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*(?::\s*\w[^{]*)?\{\s*\n?\s*return\s+\w+\([^)]*\);\s*\n?\s*\}/g,
-		extensions: JS_EXTS$1
+		extensions: JS_EXTS$2
 	},
 	{
 		pattern: /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w[^=]*)?\s*=>\s*\w+\([^)]*\);/g,
-		extensions: JS_EXTS$1
+		extensions: JS_EXTS$2
 	},
 	{
 		pattern: /def\s+(\w+)\s*\([^)]*\)(?:\s*->[^:]*)?:\s*\n\s+return\s+\w+\([^)]*\)\s*$/gm,
@@ -753,6 +761,12 @@ const COMMENTED_CODE_CHARS = /[({=;}\]>]/;
 const MAX_TRIVIAL_COMMENT_LENGTH = 60;
 const isJsComment = (trimmed) => trimmed.startsWith("//") && !trimmed.startsWith("///") && !trimmed.startsWith("//!");
 const isPythonComment = (trimmed) => trimmed.startsWith("#") && !trimmed.startsWith("#!");
+const isLineComment = (trimmed) => isJsComment(trimmed) || isPythonComment(trimmed);
+const isInMultiLineCommentRun = (lines, index) => {
+	const prev = index > 0 ? lines[index - 1].trim() : "";
+	const next = index + 1 < lines.length ? lines[index + 1].trim() : "";
+	return isLineComment(prev) || isLineComment(next);
+};
 /**
 * Extract just the comment text after the comment marker.
 */
@@ -805,6 +819,7 @@ const scanFileForTrivialComments = (content, relativePath, ext) => {
 	const lines = content.split("\n");
 	for (let i = 0; i < lines.length; i++) {
 		if (!isTrivialComment(lines[i].trim(), i + 1 < lines.length ? lines[i + 1] : void 0)) continue;
+		if (isInMultiLineCommentRun(lines, i)) continue;
 		if (isDocCommentForDeclaration(lines, i, ext)) continue;
 		diagnostics.push({
 			filePath: relativePath,
@@ -966,6 +981,177 @@ const detectDeadPatterns = async (context) => {
 	return diagnostics;
 };
 
+//#endregion
+//#region src/engines/ai-slop/defensive-patterns.ts
+const JS_TS_EXTENSIONS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const TS_EXTENSIONS = new Set([".ts", ".tsx"]);
+const COERCION_CTORS = {
+	string: "String",
+	number: "Number",
+	boolean: "Boolean"
+};
+const scriptKindFor = (ext) => {
+	switch (ext) {
+		case ".tsx": return ts.ScriptKind.TSX;
+		case ".jsx": return ts.ScriptKind.JSX;
+		case ".js":
+		case ".mjs":
+		case ".cjs": return ts.ScriptKind.JS;
+		default: return ts.ScriptKind.TS;
+	}
+};
+const lineFor = (sourceFile, node) => sourceFile.getLineAndCharacterOfPosition(node.getStart(sourceFile)).line + 1;
+const makeDiagnostic = (filePath, line, rule, message, help) => ({
+	filePath,
+	engine: "ai-slop",
+	rule,
+	severity: "warning",
+	message,
+	help,
+	line,
+	column: 0,
+	category: "AI Slop",
+	fixable: false
+});
+const isFunctionNode = (node) => ts.isFunctionDeclaration(node) || ts.isFunctionExpression(node) || ts.isArrowFunction(node) || ts.isMethodDeclaration(node) || ts.isConstructorDeclaration(node) || ts.isGetAccessorDeclaration(node) || ts.isSetAccessorDeclaration(node);
+const primitiveKindOf = (node) => {
+	if (!node) return null;
+	switch (node.kind) {
+		case ts.SyntaxKind.StringKeyword: return "string";
+		case ts.SyntaxKind.NumberKeyword: return "number";
+		case ts.SyntaxKind.BooleanKeyword: return "boolean";
+		default: return null;
+	}
+};
+const hasExportModifier = (node) => node.modifiers?.some((modifier) => modifier.kind === ts.SyntaxKind.ExportKeyword) ?? false;
+const primitiveParamsOf = (node) => {
+	const params = /* @__PURE__ */ new Map();
+	for (const param of node.parameters) {
+		if (!ts.isIdentifier(param.name)) continue;
+		const kind = primitiveKindOf(param.type);
+		if (!kind) continue;
+		params.set(param.name.text, kind);
+	}
+	return params;
+};
+const isRethrowStatement = (statement, errorName) => ts.isThrowStatement(statement) && statement.expression !== void 0 && ts.isIdentifier(statement.expression) && statement.expression.text === errorName;
+const isPromiseRejectRethrow = (statement, errorName) => {
+	if (!ts.isReturnStatement(statement) || !statement.expression) return false;
+	const expression = statement.expression;
+	if (!ts.isCallExpression(expression) || expression.arguments.length !== 1) return false;
+	const [arg] = expression.arguments;
+	if (!ts.isIdentifier(arg) || arg.text !== errorName) return false;
+	if (!ts.isPropertyAccessExpression(expression.expression)) return false;
+	const target = expression.expression;
+	return ts.isIdentifier(target.expression) && target.expression.text === "Promise" && target.name.text === "reject";
+};
+const detectRedundantTryCatch = (sourceFile, relativePath) => {
+	const diagnostics = [];
+	const visit = (node) => {
+		if (ts.isTryStatement(node) && node.catchClause && !node.finallyBlock) {
+			const catchNameNode = node.catchClause.variableDeclaration?.name;
+			const [onlyStatement] = node.catchClause.block.statements;
+			if (catchNameNode && ts.isIdentifier(catchNameNode) && node.catchClause.block.statements.length === 1 && onlyStatement && (isRethrowStatement(onlyStatement, catchNameNode.text) || isPromiseRejectRethrow(onlyStatement, catchNameNode.text))) diagnostics.push(makeDiagnostic(relativePath, lineFor(sourceFile, node.catchClause), "ai-slop/redundant-try-catch", "Catch block only rethrows the same error", "Remove the try/catch or add useful context, cleanup, or recovery. Rethrowing unchanged errors is usually defensive agent noise."));
+		}
+		ts.forEachChild(node, visit);
+	};
+	visit(sourceFile);
+	return diagnostics;
+};
+const detectPrimitiveCoercions = (sourceFile, relativePath) => {
+	const diagnostics = [];
+	const scanFunctionBody = (node, params) => {
+		const body = node.body;
+		if (!body || params.size === 0) return;
+		const visitBody = (child) => {
+			if (child !== body && isFunctionNode(child)) return;
+			if (ts.isCallExpression(child) && ts.isIdentifier(child.expression)) {
+				const [arg] = child.arguments;
+				if (arg && ts.isIdentifier(arg)) {
+					const primitive = params.get(arg.text);
+					if (primitive && child.expression.text === COERCION_CTORS[primitive]) diagnostics.push(makeDiagnostic(relativePath, lineFor(sourceFile, child), "ai-slop/redundant-type-coercion", `Parameter '${arg.text}' is already typed as ${primitive} but is coerced again`, "Trust the typed boundary or validate unknown input before this function. Re-coercing already typed parameters is usually defensive agent noise."));
+				}
+			}
+			ts.forEachChild(child, visitBody);
+		};
+		visitBody(body);
+	};
+	const visit = (node) => {
+		if (isFunctionNode(node)) scanFunctionBody(node, primitiveParamsOf(node));
+		ts.forEachChild(node, visit);
+	};
+	visit(sourceFile);
+	return diagnostics;
+};
+const normalizedTypeDeclaration = (sourceFile, node) => sourceFile.text.slice(node.getStart(sourceFile), node.getEnd()).replace(/\bexport\b/g, "").replace(/\bdeclare\b/g, "").replace(/\s+/g, " ").trim();
+const exportedTypesOf = (parsed) => {
+	const declarations = [];
+	const visit = (node) => {
+		if ((ts.isInterfaceDeclaration(node) || ts.isTypeAliasDeclaration(node)) && hasExportModifier(node)) declarations.push({
+			name: node.name.text,
+			signature: normalizedTypeDeclaration(parsed.sourceFile, node),
+			filePath: parsed.relativePath,
+			line: lineFor(parsed.sourceFile, node)
+		});
+		ts.forEachChild(node, visit);
+	};
+	visit(parsed.sourceFile);
+	return declarations;
+};
+const duplicateTypeKeyOf = (declaration) => `${declaration.name}\0${declaration.signature}`;
+const detectDuplicateExportedTypes = (parsedSources) => {
+	const diagnostics = [];
+	const seen = /* @__PURE__ */ new Map();
+	for (const parsed of parsedSources) {
+		if (!TS_EXTENSIONS.has(parsed.ext)) continue;
+		for (const declaration of exportedTypesOf(parsed)) {
+			const key = duplicateTypeKeyOf(declaration);
+			const previous = seen.get(key);
+			if (!previous) {
+				seen.set(key, declaration);
+				continue;
+			}
+			if (previous.filePath === declaration.filePath) continue;
+			diagnostics.push(makeDiagnostic(declaration.filePath, declaration.line, "ai-slop/duplicate-type-declaration", `Exported type '${declaration.name}' duplicates an existing declaration`, `Reuse or import the existing type from ${previous.filePath} instead of re-declaring the same shape in another file.`));
+		}
+	}
+	return diagnostics;
+};
+const detectDefensivePatterns = async (context) => {
+	const diagnostics = [];
+	const parsedSources = [];
+	for (const filePath of getSourceFiles(context)) {
+		if (isAutoGenerated(filePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		if (isNonProductionPath(relativePath)) continue;
+		const ext = path.extname(filePath);
+		if (!JS_TS_EXTENSIONS.has(ext)) continue;
+		const sourceFile = ts.createSourceFile(filePath, content, ts.ScriptTarget.Latest, true, scriptKindFor(ext));
+		parsedSources.push({
+			sourceFile,
+			relativePath,
+			ext
+		});
+		diagnostics.push(...detectRedundantTryCatch(sourceFile, relativePath));
+		if (TS_EXTENSIONS.has(ext)) diagnostics.push(...detectPrimitiveCoercions(sourceFile, relativePath));
+	}
+	diagnostics.push(...detectDuplicateExportedTypes(parsedSources));
+	return diagnostics;
+};
+
 //#endregion
 //#region src/engines/ai-slop/duplicate-imports.ts
 const JS_EXTENSIONS$2 = new Set([
@@ -976,7 +1162,16 @@ const JS_EXTENSIONS$2 = new Set([
 	".mjs",
 	".cjs"
 ]);
-const IMPORT_FROM_RE = /^\s*import\s+[^;]*?from\s+["']([^"']+)["']/;
+const IMPORT_FROM_RE = /^\s*import\s+([^;]*?)\s+from\s+["']([^"']+)["']/;
+const TYPE_ONLY_RE = /^\s*type\b/;
+const VALUE_BINDING_RE = /\{([^}]*)\}/;
+const isTypeOnly = (clause) => {
+	if (TYPE_ONLY_RE.test(clause)) return true;
+	const braces = VALUE_BINDING_RE.exec(clause);
+	if (!braces) return false;
+	const members = braces[1].split(",").map((member) => member.trim()).filter((member) => member.length > 0);
+	return members.length > 0 && members.every((member) => /^type\b/.test(member));
+};
 const extractImportLines = (content) => {
 	const lines = content.split("\n");
 	const results = [];
@@ -985,8 +1180,9 @@ const extractImportLines = (content) => {
 		const match = IMPORT_FROM_RE.exec(line);
 		if (!match) continue;
 		results.push({
-			spec: match[1],
-			line: i + 1
+			spec: match[2],
+			line: i + 1,
+			typeOnly: isTypeOnly(match[1])
 		});
 	}
 	return results;
@@ -1005,14 +1201,16 @@ const detectDuplicateImports = async (context) => {
 		}
 		const imports = extractImportLines(content);
 		if (imports.length < 2) continue;
-		const bySpec = /* @__PURE__ */ new Map();
+		const byBucket = /* @__PURE__ */ new Map();
 		for (const imp of imports) {
-			const list = bySpec.get(imp.spec) ?? [];
+			const key = `${imp.typeOnly ? "type" : "value"}\0${imp.spec}`;
+			const list = byBucket.get(key) ?? [];
 			list.push(imp);
-			bySpec.set(imp.spec, list);
+			byBucket.set(key, list);
 		}
 		const relPath = path.relative(context.rootDirectory, filePath);
-		for (const [spec, occurrences] of bySpec) {
+		for (const occurrences of byBucket.values()) {
+			const { spec } = occurrences[0];
 			if (occurrences.length < 2) continue;
 			for (const dup of occurrences.slice(1)) {
 				const firstLine = occurrences[0].line;
@@ -1217,6 +1415,141 @@ const detectGoPatterns = async (context) => {
 	return diagnostics;
 };
 
+//#endregion
+//#region src/engines/ai-slop/hardcoded-config.ts
+const SOURCE_EXTENSIONS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs",
+	".py",
+	".go",
+	".rs",
+	".rb",
+	".java",
+	".php"
+]);
+const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
+const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
+const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
+const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
+const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
+const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
+const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
+const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
+const PLACEHOLDER_HOSTS = new Set([
+	"example.com",
+	"example.org",
+	"example.net"
+]);
+const LOOPBACK_HOSTS = new Set([
+	"localhost",
+	"127.0.0.1",
+	"0.0.0.0",
+	"::1"
+]);
+const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const HARDCODED_URL_FINDING = {
+	rule: "ai-slop/hardcoded-url",
+	message: "Hardcoded environment URL in production code",
+	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
+};
+const HARDCODED_ID_FINDING = {
+	rule: "ai-slop/hardcoded-id",
+	message: "Hardcoded provider/project ID in production code",
+	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
+};
+const makeFinding = (filePath, line, spec) => ({
+	filePath,
+	engine: "ai-slop",
+	rule: spec.rule,
+	severity: "warning",
+	message: spec.message,
+	help: spec.help,
+	line,
+	column: 0,
+	category: "AI Slop",
+	fixable: false
+});
+const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+const commentStartsBefore = (line, index, ext) => {
+	const prefix = line.slice(0, index);
+	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
+	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
+	return prefix.includes("//") || prefix.includes("/*");
+};
+const safeUrlHost = (urlText) => {
+	try {
+		return new URL(urlText).hostname.toLowerCase();
+	} catch {
+		return null;
+	}
+};
+const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const shouldFlagUrlLiteral = (line, urlText) => {
+	if (isEnvBackedLine(line)) return false;
+	const host = safeUrlHost(urlText);
+	if (!host) return false;
+	if (PLACEHOLDER_HOSTS.has(host)) return false;
+	if (LOOPBACK_HOSTS.has(host)) return false;
+	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
+	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
+};
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
+const hasUsefulIdShape = (value) => {
+	if (PLACEHOLDER_ID_RE.test(value)) return false;
+	if (ENV_VAR_NAME_RE.test(value)) return false;
+	if (/^https?:\/\//i.test(value)) return false;
+	if (/^[A-Za-z]+$/.test(value)) return false;
+	return /[0-9]/.test(value);
+};
+const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
+	const diagnostics = [];
+	if (isCommentOnlyLine(line.trim())) return diagnostics;
+	URL_LITERAL_RE.lastIndex = 0;
+	let urlMatch;
+	while ((urlMatch = URL_LITERAL_RE.exec(line)) !== null) {
+		const urlText = urlMatch[2];
+		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
+		if (!shouldFlagUrlLiteral(line, urlText)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
+	}
+	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
+	ID_LITERAL_RE.lastIndex = 0;
+	let idMatch;
+	while ((idMatch = ID_LITERAL_RE.exec(line)) !== null) {
+		const value = idMatch[2];
+		if (commentStartsBefore(line, idMatch.index, ext)) continue;
+		if (!hasUsefulIdShape(value)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
+	}
+	return diagnostics;
+};
+const scanFileForConfigLiterals = (content, relativePath, ext) => {
+	if (!SOURCE_EXTENSIONS.has(ext)) return [];
+	if (isNonProductionPath(relativePath)) return [];
+	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
+	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
+};
+const detectHardcodedConfigLiterals = async (context) => {
+	const diagnostics = [];
+	for (const filePath of getSourceFiles(context)) {
+		if (isAutoGenerated(filePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		const ext = path.extname(filePath);
+		diagnostics.push(...scanFileForConfigLiterals(content, relativePath, ext));
+	}
+	return diagnostics;
+};
+
 //#endregion
 //#region src/engines/ai-slop/js-import-aliases.ts
 const TS_CONFIG_FILES = ["tsconfig.json", "jsconfig.json"];
@@ -1484,23 +1817,88 @@ const PYTHON_STDLIB = new Set([
 	"zoneinfo"
 ]);
 const PYTHON_IMPORT_TO_PIP = {
-	yaml: "pyyaml",
-	PIL: "pillow",
-	dateutil: "python-dateutil",
-	cv2: "opencv-python",
-	sklearn: "scikit-learn",
-	bs4: "beautifulsoup4",
-	typing_extensions: "typing-extensions",
-	google: "google-api-python-client",
-	jose: "python-jose",
-	jwt: "pyjwt",
-	OpenSSL: "pyopenssl",
-	magic: "python-magic",
-	docx: "python-docx",
-	pptx: "python-pptx",
-	git: "gitpython",
-	socks: "pysocks",
-	redis: "redis"
+	yaml: ["pyyaml"],
+	PIL: ["pillow"],
+	dateutil: ["python-dateutil"],
+	cv2: [
+		"opencv-python",
+		"opencv-python-headless",
+		"opencv-contrib-python"
+	],
+	sklearn: ["scikit-learn"],
+	bs4: ["beautifulsoup4"],
+	typing_extensions: ["typing-extensions"],
+	dotenv: ["python-dotenv"],
+	genai: ["google-genai"],
+	google: [
+		"google-genai",
+		"google-generativeai",
+		"google-api-python-client",
+		"google-cloud-storage",
+		"google-cloud-aiplatform",
+		"google-auth",
+		"protobuf"
+	],
+	jose: ["python-jose"],
+	jwt: ["pyjwt"],
+	OpenSSL: ["pyopenssl"],
+	Crypto: ["pycryptodome", "pycryptodomex"],
+	Cryptodome: ["pycryptodomex", "pycryptodome"],
+	magic: ["python-magic"],
+	docx: ["python-docx"],
+	pptx: ["python-pptx"],
+	git: ["gitpython"],
+	socks: ["pysocks"],
+	psycopg2: ["psycopg2-binary", "psycopg2"],
+	redis: ["redis"],
+	cairo: ["pycairo"],
+	serial: ["pyserial"],
+	usb: ["pyusb"],
+	gi: ["pygobject"],
+	Xlib: ["python-xlib"],
+	ldap: ["python-ldap"],
+	slugify: ["python-slugify"],
+	memcache: ["python-memcached"],
+	dns: ["dnspython"],
+	attr: ["attrs"],
+	attrs: ["attrs"],
+	zoneinfo_data: ["tzdata"],
+	pkg_resources: ["setuptools"],
+	setuptools: ["setuptools"],
+	wx: ["wxpython"],
+	skimage: ["scikit-image"],
+	OpenGL: ["pyopengl"],
+	win32api: ["pywin32"],
+	win32con: ["pywin32"],
+	win32com: ["pywin32"],
+	pythoncom: ["pywin32"],
+	pywintypes: ["pywin32"],
+	rest_framework: ["djangorestframework"],
+	allauth: ["django-allauth"],
+	corsheaders: ["django-cors-headers"],
+	debug_toolbar: ["django-debug-toolbar"],
+	environ: ["django-environ"],
+	flask_cors: ["flask-cors"],
+	flask_sqlalchemy: ["flask-sqlalchemy"],
+	flask_migrate: ["flask-migrate"],
+	flask_login: ["flask-login"],
+	jwt_extended: ["flask-jwt-extended"],
+	dateparser: ["dateparser"],
+	yaml_include: ["pyyaml-include"],
+	lxml_html_clean: ["lxml-html-clean"],
+	grpc: ["grpcio"],
+	grpc_status: ["grpcio-status"],
+	google_crc32c: ["google-crc32c"],
+	pkg_about: ["pkg-about"],
+	mpl_toolkits: ["matplotlib"],
+	dotmap: ["dotmap"],
+	pydantic_settings: ["pydantic-settings"],
+	telegram: ["python-telegram-bot"],
+	discord: ["discord-py"],
+	nacl: ["pynacl"],
+	jwcrypto: ["jwcrypto"],
+	humanfriendly: ["humanfriendly"],
+	multipart: ["python-multipart"]
 };
 
 //#endregion
@@ -1539,6 +1937,8 @@ const collectFromPyproject = (rootDir, pyDeps) => {
 			const m = line.match(/["']\s*([a-zA-Z0-9_\-.]+)/);
 			if (m) addPyDep(pyDeps, m[1]);
 		}
+		const extras = content.match(/\[project\.optional-dependencies\]([\s\S]*?)(?=\n\[|$)/);
+		if (extras) for (const m of extras[1].matchAll(/["']\s*([a-zA-Z][a-zA-Z0-9_\-.]+)/g)) addPyDep(pyDeps, m[1]);
 		const poetryRe = /\[tool\.poetry(?:\.group\.[a-z]+)?\.dependencies\]([\s\S]*?)(?=\n\[|$)/g;
 		let match = poetryRe.exec(content);
 		while (match !== null) {
@@ -1737,6 +2137,11 @@ const packageNameFromImport = (spec) => {
 	}
 	return spec.split("/")[0];
 };
+const typesPackageName = (pkg) => {
+	if (pkg.startsWith("@types/")) return pkg;
+	if (pkg.startsWith("@")) return `@types/${pkg.slice(1).replace("/", "__")}`;
+	return `@types/${pkg}`;
+};
 const STATIC_IMPORT_RE = /^\s*import\s+(?:[\w*{},\s]+\s+from\s+)?["']([^"']+)["']/;
 const DYNAMIC_IMPORT_RE = /(?:import|require)\s*\(\s*["']([^"']+)["']/g;
 const extractJsImports = (content) => {
@@ -1801,15 +2206,16 @@ const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
 		const realPkg = pkg.slice(7);
 		if (manifest.jsDeps.has(realPkg)) return null;
 	}
+	if (manifest.jsDeps.has(typesPackageName(pkg))) return null;
 	return pkg;
 };
+const normalizePyName = (name) => name.toLowerCase().replace(/_/g, "-");
 const checkPyImport = (spec, manifest) => {
 	const root = spec.split(".")[0];
 	if (PYTHON_STDLIB.has(root)) return null;
-	const normalized = root.toLowerCase().replace(/_/g, "-");
+	const normalized = normalizePyName(root);
 	if (manifest.pyDeps.has(normalized)) return null;
-	const pipName = PYTHON_IMPORT_TO_PIP[root];
-	if (pipName && manifest.pyDeps.has(pipName)) return null;
+	if ((PYTHON_IMPORT_TO_PIP[root] ?? PYTHON_IMPORT_TO_PIP[normalized])?.some((dist) => manifest.pyDeps.has(normalizePyName(dist)))) return null;
 	return root;
 };
 const detectHallucinatedImports = async (context) => {
@@ -1959,6 +2365,85 @@ const collectBlocks = (sourceLines, syntax) => {
 	return blocks;
 };
 
+//#endregion
+//#region src/engines/ai-slop/meta-comment.ts
+const PLAN_REFERENCE_RES = [
+	/\b(?:stage|step|phase)\s+\d+\b(?!\s*[:.]?\s*(?:bytes|ms|seconds|of\s+\d))/i,
+	/\bstep\s+\d+\s+of\s+the\s+plan\b/i,
+	/\bas\s+(?:per|requested)\s+(?:the\s+)?(?:requirements?|spec|task|ticket|prompt|instructions?)\b/i,
+	/\bper\s+the\s+(?:spec|requirements?|task|ticket|plan|prompt|instructions?)\b/i,
+	/\bfrom\s+the\s+(?:task|todo|plan|spec|ticket|prompt|requirements?)\b/i,
+	/\bimplement(?:ing|s|ed)?\s+use\s*case\s+\d*/i,
+	/\b(?:requirements?\s+doc|requirement\s+\d+)\b/i,
+	/\bas\s+(?:instructed|specified|outlined)\s+(?:above|below|in\s+the)\b/i
+];
+const BEFORE_AFTER_RES = [
+	/\bpreviously[,:]?\s+(?:this|we|it|the)\b/i,
+	/\bused\s+to\s+(?:be|use|call|return|do|have|rely)\b/i,
+	/\bchanged\s+(?:\w+\s+){0,3}from\s+.+\bto\b/i,
+	/\bno\s+longer\s+(?:needed|used|required|necessary|calls?|returns?|does)\b/i,
+	/\bthis\s+was\s+.+\bbut\s+now\b/i,
+	/\bwe\s+(?:now|used\s+to)\s+(?:no\s+longer\s+)?(?:use|call|return|do|have)\b/i,
+	/\breplaced\s+the\s+(?:old|previous|former)\b/i,
+	/\b(?:was|were)\s+(?:renamed|moved|removed|refactored|extracted)\s+(?:from|to|out\s+of)\b/i
+];
+const WHY_OR_TODO_RE = /\b(?:because|since|otherwise|todo|fixme|hack|note:|reason:|workaround|see\s+(?:issue|#))\b/i;
+const looksLikeLicenseHeader$1 = (block) => {
+	if (block.startLine !== 1) return false;
+	const text = block.rawLines.join(" ").toLowerCase();
+	return text.includes("copyright") || text.includes("license") || text.includes("spdx-license-identifier");
+};
+const looksLikeSuppressDirective$1 = (block) => block.rawLines.some((line) => /\b(?:biome-ignore|eslint-disable|ts-ignore|ts-expect-error|@ts-\w+|noqa|pylint:\s*disable|rubocop:disable|noinspection|phpcs:disable)\b/.test(line));
+const matchMetaSignal = (block) => {
+	if (looksLikeLicenseHeader$1(block)) return null;
+	if (looksLikeSuppressDirective$1(block)) return null;
+	if (block.kind === "jsdoc" && block.hasMeaningfulJsdocTag) return null;
+	if (block.isRustDoc) return null;
+	const joined = block.prose.join(" ");
+	if (joined.trim().length === 0) return null;
+	if (WHY_OR_TODO_RE.test(joined)) return null;
+	if (PLAN_REFERENCE_RES.some((re) => re.test(joined))) return "plan/process reference";
+	if (BEFORE_AFTER_RES.some((re) => re.test(joined))) return "before/after state narration";
+	return null;
+};
+const detectMetaComments = async (context) => {
+	const files = getSourceFiles(context);
+	const diagnostics = [];
+	for (const filePath of files) {
+		const ext = path.extname(filePath);
+		if (!SUPPORTED_EXTS.has(ext)) continue;
+		if (isAutoGenerated(filePath)) continue;
+		const syntax = getCommentSyntax(ext);
+		if (!syntax) continue;
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		if (isNonProductionPath(relativePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const blocks = collectBlocks(content.split("\n"), syntax);
+		for (const block of blocks) {
+			const reason = matchMetaSignal(block);
+			if (!reason) continue;
+			diagnostics.push({
+				filePath: relativePath,
+				engine: "ai-slop",
+				rule: "ai-slop/meta-comment",
+				severity: "warning",
+				message: `Meta/plan comment (${reason})`,
+				help: "Remove — references to the build plan or before/after code state belong in PR descriptions and commit messages, not source.",
+				line: block.startLine,
+				column: 0,
+				category: "Comments",
+				fixable: false
+			});
+		}
+	}
+	return diagnostics;
+};
+
 //#endregion
 //#region src/engines/ai-slop/narrative-comments.ts
 const looksLikeDeclarationPreamble = (nextLine, ext) => {
@@ -2567,6 +3052,143 @@ const detectRustPatterns = async (context) => {
 	return diagnostics;
 };
 
+//#endregion
+//#region src/engines/ai-slop/silent-recovery.ts
+const JS_EXTS$1 = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const CATCH_HEAD_RE = /\bcatch\s*(?:\([^)]*\))?\s*\{/g;
+const LOG_STATEMENT_RE = /^(?:console|[\w$]+(?:\.[\w$]+)*)\.(?:log|info|warn|warning|error|debug|trace)\s*\(/;
+const HANDLING_TOKEN_RE = /\b(?:throw|return|reject|next|process\.exit|continue|break)\b/;
+const stripBlockComments = (text) => text.replace(/\/\*[\s\S]*?\*\//g, "");
+const extractCatchBody = (content, openBraceIndex) => {
+	let depth = 0;
+	let inString = null;
+	for (let i = openBraceIndex; i < content.length; i += 1) {
+		const ch = content[i];
+		const prev = content[i - 1];
+		if (inString) {
+			if (ch === inString && prev !== "\\") inString = null;
+			continue;
+		}
+		if (ch === "\"" || ch === "'" || ch === "`") {
+			inString = ch;
+			continue;
+		}
+		if (ch === "{") depth += 1;
+		else if (ch === "}") {
+			depth -= 1;
+			if (depth === 0) return content.slice(openBraceIndex + 1, i);
+		}
+	}
+	return null;
+};
+const isLogOnlyBody = (body) => {
+	const statements = stripBlockComments(body).split("\n").map((line) => line.replace(/\/\/.*$/, "").trim()).filter((line) => line.length > 0 && line !== ";");
+	if (statements.length === 0) return false;
+	if (statements.some((line) => HANDLING_TOKEN_RE.test(line))) return false;
+	let sawLog = false;
+	for (const statement of statements) {
+		const normalized = statement.replace(/;+$/, "");
+		if (LOG_STATEMENT_RE.test(normalized)) {
+			sawLog = true;
+			continue;
+		}
+		if (/^[\w$"'`{[(),.\s+:-]+$/.test(normalized) && !/[=(]\s*(?:async\s+)?\(/.test(normalized)) continue;
+		return false;
+	}
+	return sawLog;
+};
+const detectJsSilentRecovery = (content, relPath) => {
+	const out = [];
+	CATCH_HEAD_RE.lastIndex = 0;
+	let match;
+	while ((match = CATCH_HEAD_RE.exec(content)) !== null) {
+		const body = extractCatchBody(content, match.index + match[0].length - 1);
+		if (body === null) continue;
+		if (!isLogOnlyBody(body)) continue;
+		const line = content.slice(0, match.index).split("\n").length;
+		out.push({
+			filePath: relPath,
+			engine: "ai-slop",
+			rule: "ai-slop/silent-recovery",
+			severity: "warning",
+			message: "Catch only logs then continues, leaving execution in a possibly broken state",
+			help: "Handle the error: rethrow, return an error value, or recover explicitly. Logging alone lets the program proceed as if nothing failed.",
+			line,
+			column: 0,
+			category: "AI Slop",
+			fixable: false
+		});
+	}
+	return out;
+};
+const PY_EXCEPT_RE = /^(\s*)except\b[^\n]*:\s*(?:#.*)?$/;
+const PY_LOG_STATEMENT_RE = /^(?:logging|logger|log|self\.log|self\.logger|print)(?:\.(?:debug|info|warning|warn|error|exception|critical))?\s*\(/;
+const PY_HANDLING_TOKEN_RE = /^(?:raise\b|return\b|continue\b|break\b|self\.|[\w.]+\s*=)/;
+const detectPySilentRecovery = (content, relPath) => {
+	const out = [];
+	const lines = content.split("\n");
+	for (let i = 0; i < lines.length; i += 1) {
+		const exceptMatch = PY_EXCEPT_RE.exec(lines[i]);
+		if (!exceptMatch) continue;
+		const indent = exceptMatch[1].length;
+		const bodyLines = [];
+		let j = i + 1;
+		for (; j < lines.length; j += 1) {
+			const raw = lines[j];
+			if (raw.trim() === "") continue;
+			if (raw.length - raw.trimStart().length <= indent) break;
+			bodyLines.push(raw.trim());
+		}
+		if (bodyLines.length === 0) continue;
+		if (bodyLines.some((line) => PY_HANDLING_TOKEN_RE.test(line))) continue;
+		if (bodyLines.some((line) => line === "pass")) continue;
+		const allLogs = bodyLines.every((line) => PY_LOG_STATEMENT_RE.test(line) || /^[\w"'(),.\s+:%{}[\]-]+$/.test(line));
+		const sawLog = bodyLines.some((line) => PY_LOG_STATEMENT_RE.test(line));
+		if (!allLogs || !sawLog) continue;
+		out.push({
+			filePath: relPath,
+			engine: "ai-slop",
+			rule: "ai-slop/silent-recovery",
+			severity: "warning",
+			message: "except only logs then continues, leaving execution in a possibly broken state",
+			help: "Handle the error: re-raise, return an error value, or recover explicitly. Logging alone lets the program proceed as if nothing failed.",
+			line: i + 1,
+			column: 0,
+			category: "AI Slop",
+			fixable: false
+		});
+	}
+	return out;
+};
+const detectSilentRecovery = async (context) => {
+	const files = getSourceFiles(context);
+	const diagnostics = [];
+	for (const filePath of files) {
+		if (isAutoGenerated(filePath)) continue;
+		const ext = path.extname(filePath);
+		const isJs = JS_EXTS$1.has(ext);
+		if (!isJs && !(ext === ".py")) continue;
+		const relPath = path.relative(context.rootDirectory, filePath);
+		if (isNonProductionPath(relPath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		if (isJs) diagnostics.push(...detectJsSilentRecovery(content, relPath));
+		else diagnostics.push(...detectPySilentRecovery(content, relPath));
+	}
+	return diagnostics;
+};
+
 //#endregion
 //#region src/engines/ai-slop/unused-imports.ts
 const JS_EXTENSIONS = new Set([
@@ -2755,15 +3377,19 @@ const aiSlopEngine = {
 		const results = await Promise.allSettled([
 			detectTrivialComments(context),
 			detectSwallowedExceptions(context),
+			detectDefensivePatterns(context),
 			detectOverAbstraction(context),
 			detectDeadPatterns(context),
 			detectUnusedImports(context),
 			detectNarrativeComments(context),
 			detectDuplicateImports(context),
+			detectHardcodedConfigLiterals(context),
 			detectPythonPatterns(context),
 			detectGoPatterns(context),
 			detectRustPatterns(context),
-			detectHallucinatedImports(context)
+			detectHallucinatedImports(context),
+			detectSilentRecovery(context),
+			detectMetaComments(context)
 		]);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
 		return {
@@ -5164,7 +5790,7 @@ const RISKY_PATTERNS = [
 		help: "Use JSON, MessagePack, or other safe serialization formats for untrusted data"
 	},
 	{
-		pattern: new RegExp(`\\bexec\\s*\\(`, "g"),
+		pattern: new RegExp(`(?<![\\w.>:\\\\])\\bexec\\s*\\(`, "g"),
 		extensions: [".py"],
 		name: "python-exec",
 		message: "Use of exec() can execute arbitrary code",
@@ -5842,7 +6468,7 @@ const handleAislopBaseline = (input) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.9.4";
+const APP_VERSION = "0.9.6";
 
 //#endregion
 //#region src/telemetry/env.ts
@@ -5974,8 +6600,8 @@ const redactProperties = (props) => {
 
 //#endregion
 //#region src/telemetry/client.ts
-const POSTHOG_HOST = "https://eu.i.posthog.com";
-const POSTHOG_KEY = "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
+const POSTHOG_HOST = process.env.AISLOP_POSTHOG_HOST ?? "https://eu.i.posthog.com";
+const POSTHOG_KEY = process.env.AISLOP_POSTHOG_KEY ?? "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
 const SCHEMA_VERSION = "v2";
 const REQUEST_TIMEOUT_MS = 3e3;
 const isTelemetryDisabled = (config) => {