devrail 0.1.0

package/dist/chunk-ZDEEHXE7.js

@@ -0,0 +1,1298 @@
+import {
+  getRuleById,
+  rules
+} from "./chunk-J22FFU7Z.js";
+
+// src/types/config.ts
+import { z } from "zod";
+var RuleSeveritySchema = z.enum(["info", "warn", "error"]);
+var RuleScopeSchema = z.enum(["changed", "all"]);
+var LevelSchema = z.enum(["basic", "standard", "strict"]);
+var PresetSchema = z.enum([
+  "node-api",
+  "nextjs-app",
+  "python-api",
+  "cli-tool",
+  "library",
+  "monorepo"
+]);
+var RuleConfigSchema = z.object({
+  enabled: z.boolean().default(true),
+  severity: RuleSeveritySchema.optional(),
+  autofix: z.boolean().optional(),
+  blocking: z.boolean().optional(),
+  scope: RuleScopeSchema.optional(),
+  options: z.record(z.unknown()).optional()
+});
+var VibeGuardConfigSchema = z.object({
+  preset: PresetSchema.optional(),
+  level: LevelSchema.default("standard"),
+  rules: z.record(z.union([z.boolean(), RuleConfigSchema])).optional(),
+  include: z.array(z.string()).optional(),
+  exclude: z.array(z.string()).optional(),
+  ci: z.object({
+    failOn: RuleSeveritySchema.default("error"),
+    reportFormat: z.enum(["console", "json", "sarif"]).default("console")
+  }).optional(),
+  tools: z.object({
+    eslint: z.boolean().default(true),
+    semgrep: z.boolean().default(true),
+    gitleaks: z.boolean().default(true),
+    osvScanner: z.boolean().default(true)
+  }).optional()
+});
+
+// src/presets/node-api.ts
+var nodeApiPreset = {
+  name: "node-api",
+  description: "Node.js API backend (Express, Fastify, Koa, etc.)",
+  rules: {
+    basic: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "tests.no-skipped",
+      "code.no-unused-vars"
+    ],
+    standard: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "deps.no-git-deps",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "security.headers.required",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-unsafe-regex",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "auth.session-secure",
+      "api.validation.required",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "tests.unit.required",
+      "tests.coverage.min-50",
+      "tests.no-skipped",
+      "logging.no-pii",
+      "logging.no-console",
+      "code.no-any",
+      "code.strict-mode",
+      "code.no-unused-vars",
+      "config.node-version",
+      "config.editor-config"
+    ],
+    strict: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "deps.no-git-deps",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "deps.license-check",
+      "security.headers.required",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-unsafe-regex",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "auth.session-secure",
+      "api.validation.required",
+      "api.rate-limiting",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "sql.no-raw-queries",
+      "tests.unit.required",
+      "tests.coverage.min-80",
+      "tests.no-skipped",
+      "logging.no-pii",
+      "logging.no-console",
+      "code.no-any",
+      "code.strict-mode",
+      "code.no-unused-vars",
+      "config.node-version",
+      "config.editor-config"
+    ]
+  },
+  tools: ["eslint", "semgrep", "gitleaks", "osv-scanner", "vitest"],
+  eslintExtends: [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:security/recommended-legacy"
+  ],
+  semgrepRules: [
+    "p/javascript",
+    "p/typescript",
+    "p/nodejs",
+    "p/jwt",
+    "p/sql-injection",
+    "p/secrets"
+  ]
+};
+
+// src/presets/nextjs-app.ts
+var nextjsAppPreset = {
+  name: "nextjs-app",
+  description: "Next.js full-stack application",
+  rules: {
+    basic: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "tests.no-skipped",
+      "code.no-unused-vars"
+    ],
+    standard: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "deps.no-git-deps",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "security.headers.required",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-unsafe-regex",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "auth.session-secure",
+      "api.validation.required",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "tests.unit.required",
+      "tests.coverage.min-50",
+      "tests.no-skipped",
+      "logging.no-pii",
+      "logging.no-console",
+      "code.no-any",
+      "code.strict-mode",
+      "code.no-unused-vars",
+      "config.node-version",
+      "config.editor-config"
+    ],
+    strict: [
+      "secrets.no-plaintext",
+      "secrets.no-env-commit",
+      "secrets.gitignore-required",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "deps.no-git-deps",
+      "deps.no-vulnerable",
+      "deps.no-typosquatting",
+      "deps.license-check",
+      "security.headers.required",
+      "security.cors.safe-default",
+      "security.no-eval",
+      "security.no-unsafe-regex",
+      "security.no-prototype-pollution",
+      "auth.no-weak-jwt",
+      "auth.no-hardcoded-credentials",
+      "auth.session-secure",
+      "api.validation.required",
+      "api.rate-limiting",
+      "api.no-sensitive-logging",
+      "sql.no-string-concat",
+      "sql.no-raw-queries",
+      "tests.unit.required",
+      "tests.coverage.min-80",
+      "tests.no-skipped",
+      "logging.no-pii",
+      "logging.no-console",
+      "code.no-any",
+      "code.strict-mode",
+      "code.no-unused-vars",
+      "config.node-version",
+      "config.editor-config"
+    ]
+  },
+  tools: ["eslint", "semgrep", "gitleaks", "osv-scanner", "vitest"],
+  eslintExtends: [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:security/recommended-legacy",
+    "next/core-web-vitals"
+  ],
+  semgrepRules: [
+    "p/javascript",
+    "p/typescript",
+    "p/nodejs",
+    "p/react",
+    "p/nextjs",
+    "p/jwt",
+    "p/sql-injection",
+    "p/secrets"
+  ]
+};
+
+// src/presets/index.ts
+var presets = {
+  "node-api": nodeApiPreset,
+  "nextjs-app": nextjsAppPreset,
+  "python-api": nodeApiPreset,
+  // TODO: implement
+  "cli-tool": nodeApiPreset,
+  // TODO: implement
+  library: nodeApiPreset,
+  // TODO: implement
+  monorepo: nodeApiPreset
+  // TODO: implement
+};
+function getPreset(name) {
+  const preset = presets[name];
+  if (!preset) {
+    throw new Error(`Unknown preset: ${name}`);
+  }
+  return preset;
+}
+function listPresets() {
+  return Object.keys(presets);
+}
+
+// src/engine/config-loader.ts
+import { cosmiconfig } from "cosmiconfig";
+import { z as z2 } from "zod";
+var explorer = cosmiconfig("vibeguard", {
+  searchPlaces: [
+    "vibeguard.config.js",
+    "vibeguard.config.mjs",
+    "vibeguard.config.cjs",
+    "vibeguard.config.json",
+    "vibeguard.config.yaml",
+    "vibeguard.config.yml",
+    ".vibeguardrc",
+    ".vibeguardrc.json",
+    ".vibeguardrc.yaml",
+    ".vibeguardrc.yml",
+    "package.json"
+  ]
+});
+async function loadConfig(cwd = process.cwd()) {
+  try {
+    const result = await explorer.search(cwd);
+    if (!result || result.isEmpty) {
+      return null;
+    }
+    const validated = VibeGuardConfigSchema.parse(result.config);
+    return {
+      config: validated,
+      filepath: result.filepath,
+      isEmpty: false
+    };
+  } catch (error) {
+    if (error instanceof z2.ZodError) {
+      const issues = error.issues.map((i) => `  - ${i.path.join(".")}: ${i.message}`).join("\n");
+      throw new Error(`Invalid vibeguard config:
+${issues}`);
+    }
+    throw error;
+  }
+}
+async function loadConfigFromFile(filepath) {
+  const result = await explorer.load(filepath);
+  if (!result || result.isEmpty) {
+    throw new Error(`Config file is empty: ${filepath}`);
+  }
+  const validated = VibeGuardConfigSchema.parse(result.config);
+  return {
+    config: validated,
+    filepath: result.filepath,
+    isEmpty: false
+  };
+}
+function getDefaultConfig() {
+  return {
+    level: "standard",
+    ci: {
+      failOn: "error",
+      reportFormat: "console"
+    },
+    tools: {
+      eslint: true,
+      semgrep: true,
+      gitleaks: true,
+      osvScanner: true
+    }
+  };
+}
+
+// src/engine/rule-engine.ts
+function resolveRules(config) {
+  const level = config.level ?? "standard";
+  let activeRuleIds = [];
+  if (config.preset) {
+    const preset = getPreset(config.preset);
+    activeRuleIds = preset.rules[level] ?? [];
+  } else {
+    activeRuleIds = rules.filter((r) => r.levels[level]).map((r) => r.id);
+  }
+  const resolvedRules = [];
+  for (const ruleId of activeRuleIds) {
+    const definition = getRuleById(ruleId);
+    if (!definition) continue;
+    const ruleConfig = config.rules?.[ruleId];
+    let enabled = true;
+    let severity = definition.severity;
+    let blocking = definition.blocking;
+    let autofix = definition.autofix;
+    if (typeof ruleConfig === "boolean") {
+      enabled = ruleConfig;
+    } else if (ruleConfig) {
+      enabled = ruleConfig.enabled ?? true;
+      severity = ruleConfig.severity ?? severity;
+      blocking = ruleConfig.blocking ?? blocking;
+      autofix = ruleConfig.autofix ?? autofix;
+    }
+    if (enabled) {
+      resolvedRules.push({
+        definition,
+        severity,
+        enabled,
+        blocking,
+        autofix
+      });
+    }
+  }
+  if (config.rules) {
+    for (const [ruleId, ruleConfig] of Object.entries(config.rules)) {
+      if (activeRuleIds.includes(ruleId)) continue;
+      const definition = getRuleById(ruleId);
+      if (!definition) continue;
+      let enabled = true;
+      if (typeof ruleConfig === "boolean") {
+        enabled = ruleConfig;
+      } else {
+        enabled = ruleConfig.enabled ?? true;
+      }
+      if (enabled) {
+        resolvedRules.push({
+          definition,
+          severity: typeof ruleConfig === "object" ? ruleConfig.severity ?? definition.severity : definition.severity,
+          enabled,
+          blocking: typeof ruleConfig === "object" ? ruleConfig.blocking ?? definition.blocking : definition.blocking,
+          autofix: typeof ruleConfig === "object" ? ruleConfig.autofix ?? definition.autofix : definition.autofix
+        });
+      }
+    }
+  }
+  return resolvedRules;
+}
+function groupRulesByTool(resolvedRules) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const rule of resolvedRules) {
+    const tool = rule.definition.tool;
+    const existing = grouped.get(tool) ?? [];
+    existing.push(rule);
+    grouped.set(tool, existing);
+  }
+  return grouped;
+}
+function calculateScore(results) {
+  if (results.length === 0) return 100;
+  const weights = { error: 10, warn: 3, info: 1 };
+  let totalPenalty = 0;
+  for (const result of results) {
+    totalPenalty += weights[result.severity] ?? 0;
+  }
+  const score = Math.max(0, 100 - totalPenalty);
+  return Math.round(score);
+}
+function shouldFail(results, failOn) {
+  const severityOrder = ["info", "warn", "error"];
+  const failIndex = severityOrder.indexOf(failOn);
+  return results.some((r) => severityOrder.indexOf(r.severity) >= failIndex);
+}
+
+// src/engine/stack-detector.ts
+import { readFile, readdir } from "fs/promises";
+import { join } from "path";
+async function detectStack(cwd) {
+  const result = {
+    preset: "node-api",
+    confidence: 0,
+    language: "unknown",
+    hasTests: false,
+    hasTypeScript: false,
+    hasCi: false,
+    issues: []
+  };
+  const files = await safeReadDir(cwd);
+  if (files.includes("package-lock.json")) {
+    result.packageManager = "npm";
+  } else if (files.includes("yarn.lock")) {
+    result.packageManager = "yarn";
+  } else if (files.includes("pnpm-lock.yaml")) {
+    result.packageManager = "pnpm";
+  } else if (files.includes("bun.lockb")) {
+    result.packageManager = "bun";
+  }
+  if (files.includes("tsconfig.json")) {
+    result.hasTypeScript = true;
+    result.language = "typescript";
+  }
+  if (files.includes(".github")) {
+    const githubFiles = await safeReadDir(join(cwd, ".github"));
+    if (githubFiles.includes("workflows")) {
+      result.hasCi = true;
+    }
+  }
+  if (files.includes(".gitlab-ci.yml")) {
+    result.hasCi = true;
+  }
+  const testIndicators = ["test", "tests", "__tests__", "spec", "specs", "vitest.config.ts", "jest.config.js"];
+  result.hasTests = testIndicators.some((t) => files.includes(t));
+  if (files.includes("package.json")) {
+    result.language = result.hasTypeScript ? "typescript" : "javascript";
+    const pkg = await readPackageJson(cwd);
+    if (pkg) {
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      if (allDeps["next"]) {
+        result.preset = "nextjs-app";
+        result.framework = "next.js";
+        result.confidence = 95;
+      } else if (allDeps["express"] || allDeps["fastify"] || allDeps["koa"] || allDeps["hono"]) {
+        result.preset = "node-api";
+        result.framework = allDeps["express"] ? "express" : allDeps["fastify"] ? "fastify" : allDeps["koa"] ? "koa" : "hono";
+        result.confidence = 90;
+      } else if (pkg.main || pkg.exports) {
+        result.preset = "library";
+        result.confidence = 70;
+      } else {
+        result.preset = "node-api";
+        result.confidence = 50;
+      }
+      if (pkg.workspaces || files.includes("lerna.json") || files.includes("pnpm-workspace.yaml")) {
+        result.preset = "monorepo";
+        result.confidence = 85;
+      }
+    }
+  }
+  if (files.includes("requirements.txt") || files.includes("pyproject.toml") || files.includes("setup.py")) {
+    result.language = "python";
+    result.preset = "python-api";
+    result.confidence = 80;
+    if (files.includes("pyproject.toml")) {
+      const content = await safeReadFile(join(cwd, "pyproject.toml"));
+      if (content?.includes("fastapi")) {
+        result.framework = "fastapi";
+        result.confidence = 95;
+      } else if (content?.includes("django")) {
+        result.framework = "django";
+        result.confidence = 95;
+      } else if (content?.includes("flask")) {
+        result.framework = "flask";
+        result.confidence = 95;
+      }
+    }
+  }
+  await collectIssues(cwd, files, result);
+  return result;
+}
+async function collectIssues(cwd, files, result) {
+  if (!files.includes(".gitignore")) {
+    result.issues.push("Missing .gitignore file");
+  } else {
+    const gitignore = await safeReadFile(join(cwd, ".gitignore"));
+    if (gitignore && !gitignore.includes(".env")) {
+      result.issues.push(".gitignore missing .env pattern");
+    }
+  }
+  const envFiles = files.filter((f) => f.startsWith(".env") && !f.endsWith(".example"));
+  if (envFiles.length > 0) {
+    result.issues.push(`Potential secrets: ${envFiles.join(", ")}`);
+  }
+  if (result.language !== "python" && !result.packageManager) {
+    result.issues.push("No lockfile found (npm/yarn/pnpm)");
+  }
+  if (!result.hasTests) {
+    result.issues.push("No test files detected");
+  }
+  if (result.hasTypeScript) {
+    const tsconfig = await safeReadFile(join(cwd, "tsconfig.json"));
+    if (tsconfig && !tsconfig.includes('"strict": true')) {
+      result.issues.push("TypeScript strict mode not enabled");
+    }
+  }
+  if (!result.hasCi) {
+    result.issues.push("No CI/CD configuration found");
+  }
+}
+async function safeReadDir(path) {
+  try {
+    return await readdir(path);
+  } catch {
+    return [];
+  }
+}
+async function safeReadFile(path) {
+  try {
+    return await readFile(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+async function readPackageJson(cwd) {
+  try {
+    const content = await readFile(join(cwd, "package.json"), "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+// src/engine/baseline.ts
+import { readFile as readFile2, writeFile, mkdir } from "fs/promises";
+import { join as join2, dirname } from "path";
+import { createHash } from "crypto";
+var BASELINE_VERSION = "1.0";
+var DEFAULT_BASELINE_PATH = ".devrail/baseline.json";
+function createFingerprint(result) {
+  const content = [result.ruleId, result.file ?? "", result.message].join("|");
+  return createHash("sha256").update(content).digest("hex").slice(0, 16);
+}
+async function loadBaseline(cwd, path) {
+  const baselinePath = join2(cwd, path ?? DEFAULT_BASELINE_PATH);
+  try {
+    const content = await readFile2(baselinePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function saveBaseline(cwd, baseline, path) {
+  const baselinePath = join2(cwd, path ?? DEFAULT_BASELINE_PATH);
+  await mkdir(dirname(baselinePath), { recursive: true });
+  await writeFile(baselinePath, JSON.stringify(baseline, null, 2), "utf-8");
+}
+function createBaseline(results) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    version: BASELINE_VERSION,
+    createdAt: now,
+    updatedAt: now,
+    entries: results.map((r) => ({
+      ruleId: r.ruleId,
+      file: r.file,
+      line: r.line,
+      fingerprint: createFingerprint(r),
+      message: r.message,
+      createdAt: now
+    }))
+  };
+}
+function filterNewIssues(results, baseline) {
+  if (!baseline) {
+    return results;
+  }
+  const baselineFingerprints = new Set(baseline.entries.map((e) => e.fingerprint));
+  return results.filter((result) => {
+    const fingerprint = createFingerprint(result);
+    return !baselineFingerprints.has(fingerprint);
+  });
+}
+function getBaselinedIssues(results, baseline) {
+  if (!baseline) {
+    return [];
+  }
+  const baselineFingerprints = new Set(baseline.entries.map((e) => e.fingerprint));
+  return results.filter((result) => {
+    const fingerprint = createFingerprint(result);
+    return baselineFingerprints.has(fingerprint);
+  });
+}
+function getBaselineStats(results, baseline) {
+  if (!baseline) {
+    return {
+      total: results.length,
+      new: results.length,
+      baselined: 0,
+      fixed: 0
+    };
+  }
+  const currentFingerprints = new Set(results.map((r) => createFingerprint(r)));
+  const baselineFingerprints = new Set(baseline.entries.map((e) => e.fingerprint));
+  const newIssues = results.filter((r) => !baselineFingerprints.has(createFingerprint(r)));
+  const baselinedIssues = results.filter((r) => baselineFingerprints.has(createFingerprint(r)));
+  const fixedIssues = baseline.entries.filter((e) => !currentFingerprints.has(e.fingerprint));
+  return {
+    total: results.length,
+    new: newIssues.length,
+    baselined: baselinedIssues.length,
+    fixed: fixedIssues.length
+  };
+}
+function updateBaseline(baseline, results) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const currentFingerprints = new Set(results.map((r) => createFingerprint(r)));
+  const existingEntries = baseline.entries.filter((e) => currentFingerprints.has(e.fingerprint));
+  const existingFingerprints = new Set(existingEntries.map((e) => e.fingerprint));
+  const newEntries = results.filter((r) => !existingFingerprints.has(createFingerprint(r))).map((r) => ({
+    ruleId: r.ruleId,
+    file: r.file,
+    line: r.line,
+    fingerprint: createFingerprint(r),
+    message: r.message,
+    createdAt: now
+  }));
+  return {
+    ...baseline,
+    updatedAt: now,
+    entries: [...existingEntries, ...newEntries]
+  };
+}
+
+// src/engine/diff-mode.ts
+import { execa } from "execa";
+async function getChangedFiles(cwd, base) {
+  try {
+    const baseRef = base ?? await getDefaultBranch(cwd);
+    const mergeBase = await getMergeBase(cwd, baseRef);
+    const result = await execa("git", ["diff", "--name-status", mergeBase], {
+      cwd,
+      reject: false
+    });
+    if (result.exitCode !== 0) {
+      return await getUncommittedChanges(cwd);
+    }
+    return parseGitDiff(result.stdout);
+  } catch {
+    return [];
+  }
+}
+async function getUncommittedChanges(cwd) {
+  try {
+    const result = await execa("git", ["status", "--porcelain"], {
+      cwd,
+      reject: false
+    });
+    if (result.exitCode !== 0) {
+      return [];
+    }
+    return parseGitStatus(result.stdout);
+  } catch {
+    return [];
+  }
+}
+async function getStagedFiles(cwd) {
+  try {
+    const result = await execa("git", ["diff", "--name-status", "--cached"], {
+      cwd,
+      reject: false
+    });
+    if (result.exitCode !== 0) {
+      return [];
+    }
+    return parseGitDiff(result.stdout);
+  } catch {
+    return [];
+  }
+}
+async function getDefaultBranch(cwd) {
+  try {
+    const result = await execa("git", ["remote", "show", "origin"], {
+      cwd,
+      reject: false
+    });
+    const match = result.stdout.match(/HEAD branch: (.+)/);
+    if (match) {
+      return `origin/${match[1]}`;
+    }
+  } catch {
+  }
+  try {
+    await execa("git", ["rev-parse", "--verify", "origin/main"], { cwd });
+    return "origin/main";
+  } catch {
+    try {
+      await execa("git", ["rev-parse", "--verify", "origin/master"], { cwd });
+      return "origin/master";
+    } catch {
+      return "HEAD~1";
+    }
+  }
+}
+async function getMergeBase(cwd, base) {
+  try {
+    const result = await execa("git", ["merge-base", "HEAD", base], {
+      cwd,
+      reject: false
+    });
+    if (result.exitCode === 0 && result.stdout.trim()) {
+      return result.stdout.trim();
+    }
+  } catch {
+  }
+  return base;
+}
+function parseGitDiff(output) {
+  const files = [];
+  for (const line of output.split("\n")) {
+    if (!line.trim()) continue;
+    const [status, ...pathParts] = line.split("	");
+    const path = pathParts.join("	");
+    if (!path) continue;
+    let fileStatus;
+    switch (status?.[0]) {
+      case "A":
+        fileStatus = "added";
+        break;
+      case "M":
+        fileStatus = "modified";
+        break;
+      case "D":
+        fileStatus = "deleted";
+        break;
+      case "R":
+        fileStatus = "renamed";
+        break;
+      default:
+        fileStatus = "modified";
+    }
+    files.push({ path, status: fileStatus });
+  }
+  return files;
+}
+function parseGitStatus(output) {
+  const files = [];
+  for (const line of output.split("\n")) {
+    if (!line.trim()) continue;
+    const status = line.slice(0, 2);
+    const path = line.slice(3);
+    if (!path) continue;
+    let fileStatus;
+    if (status.includes("A") || status === "??") {
+      fileStatus = "added";
+    } else if (status.includes("D")) {
+      fileStatus = "deleted";
+    } else if (status.includes("R")) {
+      fileStatus = "renamed";
+    } else {
+      fileStatus = "modified";
+    }
+    files.push({ path, status: fileStatus });
+  }
+  return files;
+}
+function filterResultsByFiles(results, changedFiles) {
+  const changedPaths = new Set(changedFiles.map((f) => f.path));
+  return results.filter((r) => {
+    if (!r.file) return true;
+    return changedPaths.has(r.file);
+  });
+}
+
+// src/tools/base.ts
+import { execa as execa2 } from "execa";
+async function checkCommand(command) {
+  try {
+    await execa2("which", [command]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runCommand(command, args, cwd) {
+  try {
+    const result = await execa2(command, args, { cwd, reject: false });
+    return {
+      stdout: result.stdout,
+      stderr: result.stderr,
+      exitCode: result.exitCode ?? 0
+    };
+  } catch (error) {
+    const execaError = error;
+    return {
+      stdout: String(execaError.stdout ?? ""),
+      stderr: String(execaError.stderr ?? ""),
+      exitCode: typeof execaError.exitCode === "number" ? execaError.exitCode : 1
+    };
+  }
+}
+function parseSeverity(level) {
+  const normalized = level.toLowerCase();
+  if (normalized === "error" || normalized === "high" || normalized === "critical") {
+    return "error";
+  }
+  if (normalized === "warning" || normalized === "warn" || normalized === "medium") {
+    return "warn";
+  }
+  return "info";
+}
+
+// src/tools/gitleaks.ts
+var gitleaksRunner = {
+  name: "gitleaks",
+  async isInstalled() {
+    return checkCommand("gitleaks");
+  },
+  async getVersion() {
+    const result = await runCommand("gitleaks", ["version"], process.cwd());
+    if (result.exitCode === 0) {
+      return result.stdout.trim();
+    }
+    return null;
+  },
+  async run(cwd, _files) {
+    const args = ["detect", "--source", cwd, "--report-format", "json", "--report-path", "-", "--no-git"];
+    const result = await runCommand("gitleaks", args, cwd);
+    if (result.exitCode === 0) {
+      return [];
+    }
+    try {
+      const findings = JSON.parse(result.stdout || "[]");
+      return findings.map((finding) => ({
+        ruleId: `secrets.${finding.RuleID}`,
+        severity: "error",
+        message: `Secret detected: ${finding.Description}`,
+        file: finding.File,
+        line: finding.StartLine,
+        column: finding.StartColumn,
+        endLine: finding.EndLine,
+        endColumn: finding.EndColumn
+      }));
+    } catch {
+      if (result.stdout.includes("no leaks found")) {
+        return [];
+      }
+      return [
+        {
+          ruleId: "secrets.no-plaintext",
+          severity: "error",
+          message: `Gitleaks error: ${result.stderr || "Unknown error"}`
+        }
+      ];
+    }
+  }
+};
+
+// src/tools/semgrep.ts
+var semgrepRunner = {
+  name: "semgrep",
+  async isInstalled() {
+    return checkCommand("semgrep");
+  },
+  async getVersion() {
+    const result = await runCommand("semgrep", ["--version"], process.cwd());
+    if (result.exitCode === 0) {
+      return result.stdout.trim();
+    }
+    return null;
+  },
+  async run(cwd, files) {
+    const args = [
+      "scan",
+      "--json",
+      "--config",
+      "auto",
+      "--metrics",
+      "off"
+    ];
+    if (files && files.length > 0) {
+      args.push(...files);
+    } else {
+      args.push(cwd);
+    }
+    const result = await runCommand("semgrep", args, cwd);
+    try {
+      const output = JSON.parse(result.stdout);
+      const results = [];
+      for (const finding of output.results) {
+        results.push({
+          ruleId: finding.check_id,
+          severity: parseSeverity(finding.extra.severity),
+          message: finding.extra.message,
+          file: finding.path,
+          line: finding.start.line,
+          column: finding.start.col,
+          endLine: finding.end.line,
+          endColumn: finding.end.col,
+          fix: finding.extra.fix ? { description: "Apply suggested fix", replacement: finding.extra.fix } : void 0
+        });
+      }
+      return results;
+    } catch {
+      if (result.exitCode === 0) {
+        return [];
+      }
+      return [
+        {
+          ruleId: "semgrep.error",
+          severity: "error",
+          message: `Semgrep error: ${result.stderr || "Unknown error"}`
+        }
+      ];
+    }
+  }
+};
+
+// src/tools/osv-scanner.ts
+var osvScannerRunner = {
+  name: "osv-scanner",
+  async isInstalled() {
+    return checkCommand("osv-scanner");
+  },
+  async getVersion() {
+    const result = await runCommand("osv-scanner", ["--version"], process.cwd());
+    if (result.exitCode === 0) {
+      return result.stdout.trim();
+    }
+    return null;
+  },
+  async run(cwd, _files) {
+    const args = ["--format", "json", "--recursive", cwd];
+    const result = await runCommand("osv-scanner", args, cwd);
+    if (result.exitCode === 0 && !result.stdout.trim()) {
+      return [];
+    }
+    try {
+      const output = JSON.parse(result.stdout);
+      const results = [];
+      for (const source of output.results || []) {
+        for (const pkg of source.packages || []) {
+          for (const vuln of pkg.vulnerabilities || []) {
+            const severity = vuln.severity?.[0]?.score;
+            let severityLevel = "warn";
+            if (severity) {
+              const score = parseFloat(severity);
+              if (score >= 7) severityLevel = "error";
+              else if (score >= 4) severityLevel = "warn";
+              else severityLevel = "info";
+            }
+            results.push({
+              ruleId: `deps.vulnerability.${vuln.id}`,
+              severity: severityLevel,
+              message: `${pkg.package.name}@${pkg.package.version}: ${vuln.summary || vuln.id}`,
+              file: source.source.path
+            });
+          }
+        }
+      }
+      return results;
+    } catch {
+      if (result.exitCode === 0) {
+        return [];
+      }
+      return [
+        {
+          ruleId: "deps.no-vulnerable",
+          severity: "error",
+          message: `OSV Scanner error: ${result.stderr || "Unknown error"}`
+        }
+      ];
+    }
+  }
+};
+
+// src/tools/builtin.ts
+import { readFile as readFile3, access as access2, readdir as readdir2 } from "fs/promises";
+import { join as join3 } from "path";
+async function checkGitignore(cwd) {
+  const results = [];
+  const gitignorePath = join3(cwd, ".gitignore");
+  try {
+    await access2(gitignorePath);
+    const content = await readFile3(gitignorePath, "utf-8");
+    const requiredPatterns = [".env", "node_modules", ".env.local", ".env*.local"];
+    const missingPatterns = requiredPatterns.filter(
+      (pattern) => !content.includes(pattern)
+    );
+    if (missingPatterns.length > 0) {
+      results.push({
+        ruleId: "secrets.gitignore-required",
+        severity: "warn",
+        message: `.gitignore is missing patterns: ${missingPatterns.join(", ")}`,
+        file: ".gitignore",
+        fix: {
+          description: `Add missing patterns to .gitignore`,
+          replacement: missingPatterns.join("\n")
+        }
+      });
+    }
+  } catch {
+    results.push({
+      ruleId: "secrets.gitignore-required",
+      severity: "warn",
+      message: ".gitignore file not found",
+      fix: {
+        description: "Create .gitignore with common patterns"
+      }
+    });
+  }
+  return results;
+}
+async function checkEnvFiles(cwd) {
+  const results = [];
+  try {
+    const files = await readdir2(cwd);
+    const envFiles = files.filter(
+      (f) => f.startsWith(".env") && !f.endsWith(".example") && !f.endsWith(".template")
+    );
+    const gitignorePath = join3(cwd, ".gitignore");
+    let gitignoreContent = "";
+    try {
+      gitignoreContent = await readFile3(gitignorePath, "utf-8");
+    } catch {
+    }
+    for (const envFile of envFiles) {
+      const isIgnored = gitignoreContent.includes(envFile) || gitignoreContent.includes(".env");
+      if (!isIgnored) {
+        results.push({
+          ruleId: "secrets.no-env-commit",
+          severity: "error",
+          message: `${envFile} may be committed to git. Add it to .gitignore.`,
+          file: envFile,
+          fix: {
+            description: `Add ${envFile} to .gitignore`
+          }
+        });
+      }
+    }
+  } catch {
+  }
+  return results;
+}
+async function checkLockfile(cwd) {
+  const results = [];
+  const lockfiles = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb"];
+  try {
+    const files = await readdir2(cwd);
+    const hasLockfile = lockfiles.some((lf) => files.includes(lf));
+    const hasPackageJson = files.includes("package.json");
+    if (hasPackageJson && !hasLockfile) {
+      results.push({
+        ruleId: "deps.lockfile.required",
+        severity: "error",
+        message: "No lockfile found. Run npm install, yarn, or pnpm install.",
+        fix: {
+          description: "Generate lockfile by running package manager install"
+        }
+      });
+    }
+  } catch {
+  }
+  return results;
+}
+async function checkUnpinnedDeps(cwd) {
+  const results = [];
+  const packageJsonPath = join3(cwd, "package.json");
+  try {
+    const content = await readFile3(packageJsonPath, "utf-8");
+    const pkg = JSON.parse(content);
+    const checkDeps = (deps, type) => {
+      if (!deps) return;
+      for (const [name, version] of Object.entries(deps)) {
+        if (version.startsWith("^") || version.startsWith("~") || version === "*" || version === "latest") {
+          results.push({
+            ruleId: "deps.no-unpinned",
+            severity: "warn",
+            message: `${type} "${name}" has unpinned version: ${version}`,
+            file: "package.json"
+          });
+        }
+      }
+    };
+    checkDeps(pkg.dependencies, "Dependency");
+    checkDeps(pkg.devDependencies, "DevDependency");
+  } catch {
+  }
+  return results;
+}
+async function checkGitDeps(cwd) {
+  const results = [];
+  const packageJsonPath = join3(cwd, "package.json");
+  try {
+    const content = await readFile3(packageJsonPath, "utf-8");
+    const pkg = JSON.parse(content);
+    const checkDeps = (deps) => {
+      if (!deps) return;
+      for (const [name, version] of Object.entries(deps)) {
+        if (version.startsWith("git://") || version.startsWith("git+") || version.startsWith("github:") || version.includes("github.com")) {
+          results.push({
+            ruleId: "deps.no-git-deps",
+            severity: "warn",
+            message: `Dependency "${name}" uses git URL: ${version}`,
+            file: "package.json"
+          });
+        }
+      }
+    };
+    checkDeps(pkg.dependencies);
+    checkDeps(pkg.devDependencies);
+  } catch {
+  }
+  return results;
+}
+async function checkTestsExist(cwd) {
+  const results = [];
+  try {
+    const testPatterns = ["test", "tests", "__tests__", "spec", "specs"];
+    const files = await readdir2(cwd);
+    const hasTestDir = testPatterns.some((p) => files.includes(p));
+    const hasTestFiles = files.some(
+      (f) => f.endsWith(".test.ts") || f.endsWith(".test.js") || f.endsWith(".spec.ts") || f.endsWith(".spec.js")
+    );
+    if (!hasTestDir && !hasTestFiles) {
+      results.push({
+        ruleId: "tests.unit.required",
+        severity: "warn",
+        message: "No test files or test directory found"
+      });
+    }
+  } catch {
+  }
+  return results;
+}
+async function checkTsConfig(cwd) {
+  const results = [];
+  const tsconfigPath = join3(cwd, "tsconfig.json");
+  try {
+    const content = await readFile3(tsconfigPath, "utf-8");
+    const tsconfig = JSON.parse(content);
+    if (!tsconfig.compilerOptions?.strict) {
+      results.push({
+        ruleId: "code.strict-mode",
+        severity: "warn",
+        message: "TypeScript strict mode is not enabled",
+        file: "tsconfig.json",
+        fix: {
+          description: 'Add "strict": true to compilerOptions'
+        }
+      });
+    }
+  } catch {
+  }
+  return results;
+}
+async function checkNodeVersion(cwd) {
+  const results = [];
+  try {
+    const files = await readdir2(cwd);
+    const hasNvmrc = files.includes(".nvmrc");
+    const hasNodeVersion = files.includes(".node-version");
+    let hasEngines = false;
+    try {
+      const pkgContent = await readFile3(join3(cwd, "package.json"), "utf-8");
+      const pkg = JSON.parse(pkgContent);
+      hasEngines = !!pkg.engines?.node;
+    } catch {
+    }
+    if (!hasNvmrc && !hasNodeVersion && !hasEngines) {
+      results.push({
+        ruleId: "config.node-version",
+        severity: "info",
+        message: "Node.js version not specified (.nvmrc, .node-version, or engines.node)",
+        fix: {
+          description: "Create .nvmrc or add engines.node to package.json"
+        }
+      });
+    }
+  } catch {
+  }
+  return results;
+}
+async function checkEditorConfig(cwd) {
+  const results = [];
+  try {
+    await access2(join3(cwd, ".editorconfig"));
+  } catch {
+    results.push({
+      ruleId: "config.editor-config",
+      severity: "info",
+      message: ".editorconfig not found",
+      fix: {
+        description: "Create .editorconfig for consistent formatting"
+      }
+    });
+  }
+  return results;
+}
+async function runBuiltinChecks(cwd, ruleIds) {
+  const results = [];
+  const checks = {
+    "secrets.gitignore-required": () => checkGitignore(cwd),
+    "secrets.no-env-commit": () => checkEnvFiles(cwd),
+    "deps.lockfile.required": () => checkLockfile(cwd),
+    "deps.no-unpinned": () => checkUnpinnedDeps(cwd),
+    "deps.no-git-deps": () => checkGitDeps(cwd),
+    "tests.unit.required": () => checkTestsExist(cwd),
+    "code.strict-mode": () => checkTsConfig(cwd),
+    "config.node-version": () => checkNodeVersion(cwd),
+    "config.editor-config": () => checkEditorConfig(cwd)
+  };
+  for (const ruleId of ruleIds) {
+    const check = checks[ruleId];
+    if (check) {
+      const checkResults = await check();
+      results.push(...checkResults);
+    }
+  }
+  return results;
+}
+
+export {
+  RuleSeveritySchema,
+  RuleScopeSchema,
+  LevelSchema,
+  PresetSchema,
+  RuleConfigSchema,
+  VibeGuardConfigSchema,
+  presets,
+  getPreset,
+  listPresets,
+  loadConfig,
+  loadConfigFromFile,
+  getDefaultConfig,
+  resolveRules,
+  groupRulesByTool,
+  calculateScore,
+  shouldFail,
+  detectStack,
+  createFingerprint,
+  loadBaseline,
+  saveBaseline,
+  createBaseline,
+  filterNewIssues,
+  getBaselinedIssues,
+  getBaselineStats,
+  updateBaseline,
+  getChangedFiles,
+  getUncommittedChanges,
+  getStagedFiles,
+  filterResultsByFiles,
+  checkCommand,
+  runCommand,
+  parseSeverity,
+  gitleaksRunner,
+  semgrepRunner,
+  osvScannerRunner,
+  runBuiltinChecks
+};
+//# sourceMappingURL=chunk-ZDEEHXE7.js.map