dingdawg-code-review 1.0.0 → 2.0.0

package/src/index.ts

@@ -1,11 +1,17 @@
 #!/usr/bin/env node
 /**
- * dingdawg-code-review — AI Code Review Agent MCP Server
+ * dingdawg-code-review v2 — Thin Client MCP Server
  *
- * Governed. Receipted. Production-ready.
+ * FREE tier: basic local pattern-matching code review (the hook)
+ * PAID tier: LLM-powered deep analysis via DingDawg API
  *
  * Install: npx dingdawg-code-review
  * Claude Code: claude mcp add dingdawg-code-review npx dingdawg-code-review
+ *
+ * Set DINGDAWG_API_KEY for paid features:
+ *   export DINGDAWG_API_KEY=your_key
+ *
+ * Optional: DINGDAWG_MODEL to choose the analysis model (default: gpt-5.4-mini)
  */
 
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -16,24 +22,33 @@ import * as os from "os";
 import * as path from "path";
 import * as crypto from "crypto";
 
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+const API_BASE = process.env.DINGDAWG_API_URL || "https://api-production-f951.up.railway.app";
+const API_ENDPOINT = `${API_BASE}/v1/govern/execute`;
+const API_KEY = process.env.DINGDAWG_API_KEY || "";
+const MODEL = process.env.DINGDAWG_MODEL || "gpt-5.4-mini";
+
 // ---------------------------------------------------------------------------
 // Persistent rate limiting — survives process restart via filesystem
 // ---------------------------------------------------------------------------
 
+const FREE_TIER_LIMIT = 10;
 const RATE_FILE = path.join(os.homedir(), ".dingdawg", "code-review-usage.json");
 
 const MACHINE_ID = crypto.createHash("sha256")
   .update(`${os.hostname()}-${os.userInfo().username}-${os.platform()}-${os.arch()}`)
   .digest("hex").slice(0, 16);
 
-const FREE_LIMITS: Record<string, number> = {
-  review_code: 10,
-  review_pr: 5,
-  suggest_fix: 20,
-};
-
 function checkFreeRateLimit(tool: string): { allowed: boolean; remaining: number } {
-  const limit = FREE_LIMITS[tool] ?? 10;
+  const limits: Record<string, number> = {
+    review_code: 10,
+    review_pr: 5,
+    suggest_fix: 20,
+  };
+  const limit = limits[tool] ?? FREE_TIER_LIMIT;
   const key = `${MACHINE_ID}_${tool}`;
   const now = Date.now();
   const dayMs = 24 * 60 * 60 * 1000;
@@ -64,50 +79,72 @@ function checkFreeRateLimit(tool: string): { allowed: boolean; remaining: number
 }
 
 // ---------------------------------------------------------------------------
-// Receipt & governance helpers
+// API Client — calls DingDawg API for paid features
 // ---------------------------------------------------------------------------
 
-function generateReceiptId(): string {
-  return `rcpt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+interface ApiResponse {
+  success: boolean;
+  data?: Record<string, unknown>;
+  error?: string;
 }
 
-function governanceEnvelope(
+async function callApi(
   tool: string,
-  findings: Finding[],
-  extra: Record<string, unknown> = {},
-): Record<string, unknown> {
-  const severityCounts: Record<string, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
-  for (const f of findings) {
-    severityCounts[f.severity] = (severityCounts[f.severity] || 0) + 1;
+  input: Record<string, unknown>,
+): Promise<ApiResponse> {
+  if (!API_KEY) {
+    return { success: false, error: "no_api_key" };
   }
 
-  return {
-    receipt_id: generateReceiptId(),
-    timestamp: new Date().toISOString(),
-    tool,
-    governance_policy: "dingdawg-code-review/v1.0.0",
-    rules_checked: [
-      "security-vulnerabilities",
-      "code-quality",
-      "performance",
-      "best-practices",
-    ],
-    findings_count: findings.length,
-    findings_by_severity: severityCounts,
-    governed: true,
-    ...extra,
-  };
+  try {
+    const res = await fetch(API_ENDPOINT, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${API_KEY}`,
+      },
+      body: JSON.stringify({
+        agent: "code-review",
+        tool,
+        input,
+        model: MODEL,
+      }),
+    });
+
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      return { success: false, error: `API returned ${res.status}: ${body}` };
+    }
+
+    const data = await res.json() as Record<string, unknown>;
+    return { success: true, data };
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, error: `API request failed: ${message}` };
+  }
+}
+
+function upgradeMessage(): string {
+  return [
+    "",
+    "━━━ Upgrade to DingDawg Pro ━━━",
+    "Get LLM-powered deep code analysis, architecture review,",
+    "security audit, and automated fix generation.",
+    "",
+    "  export DINGDAWG_API_KEY=your_key",
+    "",
+    "Get your key at: https://dingdawg.com/developers",
+    "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━",
+  ].join("\n");
 }
 
 // ---------------------------------------------------------------------------
-// Finding types
+// Local analysis — FREE tier (basic pattern matching only)
 // ---------------------------------------------------------------------------
 
-type Severity = "critical" | "high" | "medium" | "low" | "info";
-
 interface Finding {
   id: string;
-  severity: Severity;
+  severity: "critical" | "high" | "medium" | "low" | "info";
   category: "security" | "quality" | "performance" | "best-practice";
   title: string;
   description: string;
@@ -115,14 +152,10 @@ interface Finding {
   suggestion?: string;
 }
 
-// ---------------------------------------------------------------------------
-// Code analysis engine
-// ---------------------------------------------------------------------------
-
 interface AnalysisRule {
   id: string;
   pattern: RegExp;
-  severity: Severity;
+  severity: Finding["severity"];
   category: Finding["category"];
   title: string;
   description: string;
@@ -130,284 +163,32 @@ interface AnalysisRule {
 }
 
 const ANALYSIS_RULES: AnalysisRule[] = [
-  // --- Security ---
-  {
-    id: "SEC-001",
-    pattern: /eval\s*\(/g,
-    severity: "critical",
-    category: "security",
-    title: "Use of eval()",
-    description: "eval() executes arbitrary code and is a major injection vector. Attackers can exploit this to run malicious code.",
-    suggestion: "Replace eval() with JSON.parse() for data, or use a safe expression parser. Never pass user input to eval().",
-  },
-  {
-    id: "SEC-002",
-    pattern: /exec\s*\(\s*(['"`]|[^)]*\+)/g,
-    severity: "critical",
-    category: "security",
-    title: "Command injection risk",
-    description: "String concatenation in exec/spawn calls can allow command injection if user input is included.",
-    suggestion: "Use parameterized commands with execFile() or spawn() with an argument array instead of shell strings.",
-  },
-  {
-    id: "SEC-003",
-    pattern: /innerHTML\s*=\s*[^'"`]/g,
-    severity: "high",
-    category: "security",
-    title: "Potential XSS via innerHTML",
-    description: "Setting innerHTML with dynamic content can introduce cross-site scripting vulnerabilities.",
-    suggestion: "Use textContent for plain text, or sanitize HTML with DOMPurify before assignment.",
-  },
-  {
-    id: "SEC-004",
-    pattern: /(?:password|secret|api_?key|token|private_?key)\s*[:=]\s*['"`][^'"`]{3,}/gi,
-    severity: "critical",
-    category: "security",
-    title: "Hardcoded secret detected",
-    description: "Credentials or API keys appear to be hardcoded in source. These will be exposed in version control.",
-    suggestion: "Move secrets to environment variables or a secrets manager. Never commit credentials to source code.",
-  },
-  {
-    id: "SEC-005",
-    pattern: /\bhttp:\/\/(?!localhost|127\.0\.0\.1)/g,
-    severity: "medium",
-    category: "security",
-    title: "Insecure HTTP URL",
-    description: "Non-localhost HTTP URLs transmit data in plaintext, vulnerable to man-in-the-middle attacks.",
-    suggestion: "Use HTTPS for all external URLs. Enforce TLS in production.",
-  },
-  {
-    id: "SEC-006",
-    pattern: /(?:SELECT|INSERT|UPDATE|DELETE)\s+.*\+\s*(?:req\.|params\.|query\.|body\.|input|user)/gi,
-    severity: "critical",
-    category: "security",
-    title: "SQL injection risk",
-    description: "SQL query built with string concatenation using user input. This is a classic SQL injection vector.",
-    suggestion: "Use parameterized queries or prepared statements. Never concatenate user input into SQL strings.",
-  },
-  {
-    id: "SEC-007",
-    pattern: /dangerouslySetInnerHTML/g,
-    severity: "high",
-    category: "security",
-    title: "React dangerouslySetInnerHTML",
-    description: "dangerouslySetInnerHTML bypasses React's XSS protections. If the content includes user input, XSS is possible.",
-    suggestion: "Sanitize content with DOMPurify before passing to dangerouslySetInnerHTML, or restructure to avoid it.",
-  },
-  {
-    id: "SEC-008",
-    pattern: /new\s+Function\s*\(/g,
-    severity: "high",
-    category: "security",
-    title: "Dynamic function constructor",
-    description: "new Function() is equivalent to eval() and poses the same code injection risks.",
-    suggestion: "Refactor to avoid dynamic code generation. Use lookup tables or strategy patterns instead.",
-  },
-  {
-    id: "SEC-009",
-    pattern: /(?:cors|Access-Control-Allow-Origin)\s*[:=]\s*['"`]\*['"`]/gi,
-    severity: "medium",
-    category: "security",
-    title: "Wildcard CORS policy",
-    description: "Allowing all origins (\\*) in CORS can expose your API to cross-origin attacks from malicious sites.",
-    suggestion: "Restrict CORS to specific trusted origins in production.",
-  },
-
-  // --- Code Quality ---
-  {
-    id: "QUAL-001",
-    pattern: /\bcatch\s*\(\s*\w*\s*\)\s*\{\s*\}/g,
-    severity: "medium",
-    category: "quality",
-    title: "Empty catch block",
-    description: "Swallowing exceptions silently hides errors and makes debugging extremely difficult.",
-    suggestion: "Log the error, rethrow it, or handle it explicitly. At minimum add a comment explaining why it's empty.",
-  },
-  {
-    id: "QUAL-002",
-    pattern: /\/\/\s*TODO(?::|\s)/gi,
-    severity: "low",
-    category: "quality",
-    title: "TODO comment found",
-    description: "TODO comments indicate unfinished work that may be forgotten.",
-    suggestion: "Track TODOs in your issue tracker. Resolve before merging to main.",
-  },
-  {
-    id: "QUAL-003",
-    pattern: /console\.(log|warn|error|debug|info)\s*\(/g,
-    severity: "low",
-    category: "quality",
-    title: "Console statement in code",
-    description: "Console statements should not be in production code. They leak information and clutter output.",
-    suggestion: "Use a structured logging library (winston, pino) or remove debug statements before committing.",
-  },
-  {
-    id: "QUAL-004",
-    pattern: /any(?:\s*[;,)\]}]|\s*$)/gm,
-    severity: "medium",
-    category: "quality",
-    title: "TypeScript 'any' type usage",
-    description: "Using 'any' disables type checking, defeating the purpose of TypeScript and hiding potential bugs.",
-    suggestion: "Replace 'any' with a specific type, 'unknown', or a generic. Use type narrowing for dynamic data.",
-  },
-  {
-    id: "QUAL-005",
-    pattern: /(?:^|\n).{200,}/g,
-    severity: "low",
-    category: "quality",
-    title: "Overly long line",
-    description: "Lines exceeding 200 characters hurt readability and make code reviews harder.",
-    suggestion: "Break long lines into multiple shorter lines. Configure your formatter to enforce a max line length.",
-  },
-  {
-    id: "QUAL-006",
-    pattern: /\bvar\s+/g,
-    severity: "medium",
-    category: "quality",
-    title: "Use of 'var' keyword",
-    description: "'var' has function scope and hoisting behavior that leads to subtle bugs.",
-    suggestion: "Use 'const' for values that don't change, 'let' for values that do. Never use 'var'.",
-  },
-  {
-    id: "QUAL-007",
-    pattern: /==(?!=)/g,
-    severity: "low",
-    category: "quality",
-    title: "Loose equality operator",
-    description: "== performs type coercion which can produce unexpected results (e.g., '' == 0 is true).",
-    suggestion: "Use === (strict equality) to avoid type coercion surprises.",
-  },
-
-  // --- Performance ---
-  {
-    id: "PERF-001",
-    pattern: /new\s+RegExp\s*\(/g,
-    severity: "low",
-    category: "performance",
-    title: "Regex compiled inside function/loop",
-    description: "Creating RegExp objects inside frequently-called code recompiles the regex on every call.",
-    suggestion: "Move the RegExp to a module-level constant so it's compiled once.",
-  },
-  {
-    id: "PERF-002",
-    pattern: /JSON\.parse\s*\(\s*JSON\.stringify\s*\(/g,
-    severity: "medium",
-    category: "performance",
-    title: "Deep clone via JSON round-trip",
-    description: "JSON.parse(JSON.stringify(obj)) is slow for large objects and drops functions, Dates, undefined, etc.",
-    suggestion: "Use structuredClone() (Node 17+/modern browsers) or a dedicated deep-clone library.",
-  },
-  {
-    id: "PERF-003",
-    pattern: /\.forEach\s*\(\s*async/g,
-    severity: "high",
-    category: "performance",
-    title: "Async callback in forEach",
-    description: "Array.forEach does not await async callbacks. All iterations fire simultaneously with no error handling.",
-    suggestion: "Use a for...of loop with await, or Promise.all(arr.map(async ...)) for controlled concurrency.",
-  },
-  {
-    id: "PERF-004",
-    pattern: /await\s+.*\bfor\s*\(/g,
-    severity: "medium",
-    category: "performance",
-    title: "Await inside loop",
-    description: "Awaiting inside a loop runs operations sequentially when they could run in parallel.",
-    suggestion: "Collect promises and use Promise.all() for parallel execution, or use for await...of for async iterables.",
-  },
-  {
-    id: "PERF-005",
-    pattern: /document\.querySelector(?:All)?\s*\([^)]+\)/g,
-    severity: "low",
-    category: "performance",
-    title: "DOM query in potential hot path",
-    description: "Repeated DOM queries are expensive. If this runs in a loop or event handler, cache the result.",
-    suggestion: "Cache the DOM reference in a variable outside the loop/handler.",
-  },
-
-  // --- Best Practices ---
-  {
-    id: "BP-001",
-    pattern: /(?:^|\n)\s*(?:export\s+)?(?:async\s+)?function\s+\w+\s*\([^)]{100,}\)/g,
-    severity: "medium",
-    category: "best-practice",
-    title: "Function with too many parameters",
-    description: "Functions with many parameters are hard to call correctly and maintain.",
-    suggestion: "Use an options/config object parameter instead. Destructure for clarity.",
-  },
-  {
-    id: "BP-002",
-    pattern: /catch\s*\(\s*\w+\s*\)\s*\{[^}]*throw\s+\w+\s*;?\s*\}/g,
-    severity: "low",
-    category: "best-practice",
-    title: "Catch and rethrow without modification",
-    description: "Catching an error only to rethrow it adds noise without value.",
-    suggestion: "Remove the try/catch if you're not modifying the error, or wrap it with additional context.",
-  },
-  {
-    id: "BP-003",
-    pattern: /(?:^|\n)\s*(?:\/\*[\s\S]*?\*\/|\/\/[^\n]*\n)\s*(?:\/\*[\s\S]*?\*\/|\/\/[^\n]*\n)\s*(?:\/\*[\s\S]*?\*\/|\/\/[^\n]*\n)\s*(?:\/\*[\s\S]*?\*\/|\/\/[^\n]*\n)/g,
-    severity: "low",
-    category: "best-practice",
-    title: "Excessive consecutive comments",
-    description: "Large blocks of comments may indicate commented-out code or over-documentation.",
-    suggestion: "Remove commented-out code. Use clear naming and small functions instead of excessive comments.",
-  },
-  {
-    id: "BP-004",
-    pattern: /(?:process\.exit|os\._exit|sys\.exit)\s*\(\s*[^)]*\)/g,
-    severity: "medium",
-    category: "best-practice",
-    title: "Hard process exit",
-    description: "Calling process.exit() skips cleanup, open handles, and graceful shutdown procedures.",
-    suggestion: "Throw an error or return an error code to let the application shut down gracefully.",
-  },
-  {
-    id: "BP-005",
-    pattern: /(?:\.then\s*\([^)]*\)\s*){3,}/g,
-    severity: "medium",
-    category: "best-practice",
-    title: "Deeply chained promises",
-    description: "Long .then() chains are hard to read and debug compared to async/await.",
-    suggestion: "Refactor to async/await for better readability and error handling.",
-  },
-  {
-    id: "BP-006",
-    pattern: /(?:^|\n)(?:.*\n){300,}/g,
-    severity: "medium",
-    category: "best-practice",
-    title: "File exceeds 300 lines",
-    description: "Large files are harder to navigate, test, and maintain.",
-    suggestion: "Consider splitting into smaller, focused modules with clear responsibilities.",
-  },
+  { id: "SEC-001", pattern: /eval\s*\(/g, severity: "critical", category: "security", title: "Use of eval()", description: "eval() executes arbitrary code and is a major injection vector.", suggestion: "Replace eval() with JSON.parse() or a safe expression parser." },
+  { id: "SEC-002", pattern: /exec\s*\(\s*(['"`]|[^)]*\+)/g, severity: "critical", category: "security", title: "Command injection risk", description: "String concatenation in exec/spawn calls can allow command injection.", suggestion: "Use execFile() or spawn() with argument array." },
+  { id: "SEC-003", pattern: /innerHTML\s*=\s*[^'"`]/g, severity: "high", category: "security", title: "Potential XSS via innerHTML", description: "Setting innerHTML with dynamic content can introduce XSS.", suggestion: "Use textContent or sanitize with DOMPurify." },
+  { id: "SEC-004", pattern: /(?:password|secret|api_?key|token|private_?key)\s*[:=]\s*['"`][^'"`]{3,}/gi, severity: "critical", category: "security", title: "Hardcoded secret detected", description: "Credentials appear to be hardcoded in source.", suggestion: "Move secrets to environment variables." },
+  { id: "SEC-005", pattern: /\bhttp:\/\/(?!localhost|127\.0\.0\.1)/g, severity: "medium", category: "security", title: "Insecure HTTP URL", description: "Non-localhost HTTP URLs transmit data in plaintext.", suggestion: "Use HTTPS for all external URLs." },
+  { id: "SEC-006", pattern: /(?:SELECT|INSERT|UPDATE|DELETE)\s+.*\+\s*(?:req\.|params\.|query\.|body\.|input|user)/gi, severity: "critical", category: "security", title: "SQL injection risk", description: "SQL query built with string concatenation using user input.", suggestion: "Use parameterized queries or prepared statements." },
+  { id: "QUAL-001", pattern: /\bcatch\s*\(\s*\w*\s*\)\s*\{\s*\}/g, severity: "medium", category: "quality", title: "Empty catch block", description: "Swallowing exceptions silently hides errors.", suggestion: "Log or handle the error explicitly." },
+  { id: "QUAL-002", pattern: /\/\/\s*TODO(?::|\s)/gi, severity: "low", category: "quality", title: "TODO comment found", description: "TODO comments indicate unfinished work.", suggestion: "Resolve before merging to main." },
+  { id: "QUAL-003", pattern: /console\.(log|warn|error|debug|info)\s*\(/g, severity: "low", category: "quality", title: "Console statement in code", description: "Console statements should not be in production code.", suggestion: "Use a structured logging library." },
+  { id: "PERF-001", pattern: /\.forEach\s*\(\s*async/g, severity: "high", category: "performance", title: "Async callback in forEach", description: "Array.forEach does not await async callbacks.", suggestion: "Use for...of with await or Promise.all(arr.map(...))." },
+  { id: "BP-001", pattern: /\bvar\s+/g, severity: "medium", category: "best-practice", title: "Use of 'var' keyword", description: "'var' has function scope and hoisting issues.", suggestion: "Use 'const' or 'let' instead." },
 ];
 
-function analyzeCode(code: string, language?: string): Finding[] {
+function analyzeCodeLocal(code: string): Finding[] {
   const findings: Finding[] = [];
-  const lines = code.split("\n");
 
   for (const rule of ANALYSIS_RULES) {
-    // Skip DOM-specific rules for non-frontend code
-    if (rule.id === "PERF-005" && language && !["javascript", "typescript", "jsx", "tsx"].includes(language)) {
-      continue;
-    }
-
-    // Reset regex state
     rule.pattern.lastIndex = 0;
-
     let match: RegExpExecArray | null;
     const matchedLines: string[] = [];
 
     while ((match = rule.pattern.exec(code)) !== null) {
-      // Find the line number
       const beforeMatch = code.slice(0, match.index);
       const lineNum = beforeMatch.split("\n").length;
       matchedLines.push(`line ${lineNum}`);
-
-      // Prevent infinite loops on zero-width matches
-      if (match[0].length === 0) {
-        rule.pattern.lastIndex++;
-      }
+      if (match[0].length === 0) { rule.pattern.lastIndex++; }
     }
 
     if (matchedLines.length > 0) {
@@ -423,162 +204,29 @@ function analyzeCode(code: string, language?: string): Finding[] {
     }
   }
 
-  // Sort findings: critical first, then high, medium, low, info
-  const severityOrder: Record<Severity, number> = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+  const severityOrder: Record<string, number> = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
   findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
-
   return findings;
 }
 
-// ---------------------------------------------------------------------------
-// PR diff analysis
-// ---------------------------------------------------------------------------
-
-interface PRReviewResult {
-  decision: "approve" | "request-changes";
-  findings: Finding[];
-  summary: string;
-  breaking_change_risk: "none" | "low" | "medium" | "high";
-  test_coverage_gaps: string[];
-}
-
-function analyzePRDiff(diff: string, title?: string): PRReviewResult {
-  const findings: Finding[] = [];
-  const testCoverageGaps: string[] = [];
-
-  // Extract only added lines for analysis (lines starting with +, not ++)
-  const addedLines = diff.split("\n")
-    .filter((line) => line.startsWith("+") && !line.startsWith("+++"))
-    .map((line) => line.slice(1))
-    .join("\n");
-
-  // Run the standard code analysis on added lines
-  const codeFindings = analyzeCode(addedLines);
-  findings.push(...codeFindings);
-
-  // Check for breaking change patterns in the diff
-  let breakingRisk: PRReviewResult["breaking_change_risk"] = "none";
-
-  const breakingPatterns = [
-    { pattern: /^-\s*export\s+/gm, risk: "high" as const, desc: "Exported symbol removed" },
-    { pattern: /^-\s*(?:public|protected)\s+/gm, risk: "medium" as const, desc: "Public/protected API removed" },
-    { pattern: /^-.*(?:interface|type)\s+\w+/gm, risk: "medium" as const, desc: "Type definition removed" },
-    { pattern: /^-\s*(?:app|router)\.\s*(?:get|post|put|delete|patch)\s*\(/gm, risk: "high" as const, desc: "API endpoint removed" },
-    { pattern: /(?:DROP\s+TABLE|ALTER\s+TABLE.*DROP\s+COLUMN)/gi, risk: "high" as const, desc: "Database schema destructive change" },
-  ];
-
-  const riskOrder: Record<string, number> = { none: 0, low: 1, medium: 2, high: 3 };
-
-  for (const bp of breakingPatterns) {
-    bp.pattern.lastIndex = 0;
-    if (bp.pattern.test(diff)) {
-      if (riskOrder[bp.risk] > riskOrder[breakingRisk]) {
-        breakingRisk = bp.risk;
-      }
-      findings.push({
-        id: `BREAK-${findings.length + 1}`,
-        severity: bp.risk === "high" ? "high" : "medium",
-        category: "quality",
-        title: `Breaking change: ${bp.desc}`,
-        description: `This diff appears to ${bp.desc.toLowerCase()}. This could break downstream consumers.`,
-        suggestion: "Ensure backward compatibility or document the breaking change in release notes.",
-      });
-    }
-  }
-
-  // Test coverage gap detection
-  const addedFiles = diff.match(/^\+\+\+\s+b\/(.+)/gm)?.map((l) => l.replace(/^\+\+\+\s+b\//, "")) ?? [];
-  const hasTestFiles = addedFiles.some((f) =>
-    f.includes("test") || f.includes("spec") || f.includes("__tests__"),
-  );
-  const hasSourceChanges = addedFiles.some((f) =>
-    !f.includes("test") && !f.includes("spec") && !f.includes("__tests__") &&
-    (f.endsWith(".ts") || f.endsWith(".js") || f.endsWith(".py") || f.endsWith(".go") || f.endsWith(".rs")),
-  );
-
-  if (hasSourceChanges && !hasTestFiles) {
-    testCoverageGaps.push("Source files modified but no test files included in this PR.");
-  }
-
-  // Check for new functions without corresponding tests
-  const newFunctions = addedLines.match(/(?:function|const|let)\s+(\w+)\s*(?:=\s*(?:async\s*)?\(|\()/g);
-  if (newFunctions && newFunctions.length > 3 && !hasTestFiles) {
-    testCoverageGaps.push(`${newFunctions.length} new functions added without test coverage.`);
-  }
-
-  // Check for new API endpoints without tests
-  const newEndpoints = addedLines.match(/(?:app|router)\.\s*(?:get|post|put|delete|patch)\s*\(/g);
-  if (newEndpoints && !hasTestFiles) {
-    testCoverageGaps.push(`${newEndpoints.length} new API endpoint(s) added without test coverage.`);
-  }
-
-  // Decision logic
-  const hasCritical = findings.some((f) => f.severity === "critical");
-  const hasHigh = findings.some((f) => f.severity === "high");
-  const decision: PRReviewResult["decision"] =
-    hasCritical || (hasHigh && findings.filter((f) => f.severity === "high").length >= 2)
-      ? "request-changes"
-      : "approve";
-
-  // Summary
-  const categoryCount: Record<string, number> = {};
-  for (const f of findings) {
-    categoryCount[f.category] = (categoryCount[f.category] || 0) + 1;
-  }
-
-  const summaryParts = [];
-  if (findings.length === 0) {
-    summaryParts.push("Clean PR. No issues detected.");
-  } else {
-    summaryParts.push(`Found ${findings.length} issue(s):`);
-    for (const [cat, count] of Object.entries(categoryCount)) {
-      summaryParts.push(`${count} ${cat}`);
-    }
-  }
-  if (testCoverageGaps.length > 0) {
-    summaryParts.push(`Test coverage gaps: ${testCoverageGaps.length}`);
-  }
-
-  return {
-    decision,
-    findings,
-    summary: summaryParts.join(" "),
-    breaking_change_risk: breakingRisk,
-    test_coverage_gaps: testCoverageGaps,
-  };
-}
-
-// ---------------------------------------------------------------------------
-// Fix suggestion engine
-// ---------------------------------------------------------------------------
-
-function generateFix(findingId: string, code: string): { fix: string; explanation: string } | null {
-  const rule = ANALYSIS_RULES.find((r) => r.id === findingId);
-  if (!rule) return null;
-
-  return {
-    fix: rule.suggestion,
-    explanation: `${rule.title}: ${rule.description}\n\nRecommended approach: ${rule.suggestion}`,
-  };
-}
-
 // ---------------------------------------------------------------------------
 // MCP Server
 // ---------------------------------------------------------------------------
 
 const server = new McpServer({
   name: "dingdawg-code-review",
-  version: "1.0.0",
+  version: "2.0.0",
 });
 
 // ---------------------------------------------------------------------------
-// review_code — FREE: 10 reviews/day
+// review_code — FREE local scan + API deep analysis
 // ---------------------------------------------------------------------------
 
 server.tool(
   "review_code",
   "Scan code for security vulnerabilities, code quality issues, performance problems, and best practice violations. " +
-  "Returns findings with severity levels, line hints, and fix suggestions. FREE: 10 reviews/day.",
+  "Returns findings with severity levels, line hints, and fix suggestions. FREE: 10 reviews/day. " +
+  "Deep LLM-powered analysis available with API key.",
   {
     code: z.string().min(1, "Code cannot be empty").describe("The code snippet or file contents to review"),
     language: z.string().optional().describe("Programming language (typescript, javascript, python, etc.)"),
@@ -591,32 +239,63 @@ server.tool(
         content: [{
           type: "text" as const,
           text: JSON.stringify({
-            error: "Free tier limit reached (10 code reviews per 24 hours). Your limit resets automatically.",
-            upgrade: "Get unlimited access with an API key at dingdawg.com/developers",
-            ...governanceEnvelope("review_code", []),
-          }, null, 2),
+            error: "Free tier limit reached (10 code reviews per 24 hours). Resets automatically.",
+            upgrade: "Get unlimited access: export DINGDAWG_API_KEY=your_key — https://dingdawg.com/developers",
+            governed: true,
+          }),
         }],
       };
     }
 
-    const findings = analyzeCode(code, language);
+    // Local analysis — free tier
+    const localFindings = analyzeCodeLocal(code);
+
+    // If API key is set, enhance with LLM-powered deep analysis
+    if (API_KEY) {
+      const apiResult = await callApi("review_code", {
+        code,
+        language: language || "",
+        filename: filename || "",
+      });
 
+      if (apiResult.success && apiResult.data) {
+        return {
+          content: [{
+            type: "text" as const,
+            text: JSON.stringify({
+              mode: "deep_analysis",
+              powered_by: "DingDawg Code Review API",
+              ...apiResult.data,
+              receipt_id: `cr_${Date.now().toString(36)}`,
+              governed: true,
+            }, null, 2),
+          }],
+        };
+      }
+    }
+
+    // Free tier response with teaser
     return {
       content: [{
         type: "text" as const,
         text: JSON.stringify({
+          mode: "local_basic",
           filename: filename || "inline",
           language: language || "auto-detected",
           lines_scanned: code.split("\n").length,
-          findings,
+          findings: localFindings.slice(0, 5),
+          total_issues: localFindings.length,
+          teaser: localFindings.length > 0
+            ? `Found ${localFindings.length} issue(s). Get LLM-powered deep analysis, architecture review, and automated fixes with: export DINGDAWG_API_KEY=your_key`
+            : "No issues detected with basic scan. Deep LLM analysis catches 10x more. Get your key at https://dingdawg.com/developers",
+          upgrade_url: "https://dingdawg.com/developers",
           also_available: {
-            suggest_fix: "Run suggest_fix with a finding ID to get a detailed fix recommendation.",
-            review_pr: "Run review_pr to review an entire PR diff with breaking change detection.",
-            compliance: "Run npx dingdawg-compliance for AI compliance reports.",
-            shield: "Run npx dingdawg-shield for AI security scanning.",
+            suggest_fix: "Run suggest_fix with a finding ID for fix suggestions.",
+            review_pr: "Run review_pr to review a PR diff.",
           },
+          receipt_id: `cr_${Date.now().toString(36)}`,
           free_reviews_remaining: rateCheck.remaining,
-          ...governanceEnvelope("review_code", findings),
+          governed: true,
         }, null, 2),
       }],
     };
@@ -624,13 +303,14 @@ server.tool(
 );
 
 // ---------------------------------------------------------------------------
-// review_pr — FREE: 5 PR reviews/day
+// review_pr — FREE basic + PAID deep PR review
 // ---------------------------------------------------------------------------
 
 server.tool(
   "review_pr",
   "Review a pull request diff. Checks for breaking changes, security issues, test coverage gaps. " +
-  "Returns structured review with approve/request-changes decision. FREE: 5 PR reviews/day.",
+  "Returns structured review with approve/request-changes decision. FREE: 5 PR reviews/day. " +
+  "Deep LLM-powered review available with API key.",
   {
     diff: z.string().min(1, "Diff cannot be empty").describe("The unified diff content of the pull request"),
     title: z.string().optional().describe("PR title for context"),
@@ -643,32 +323,65 @@ server.tool(
         content: [{
           type: "text" as const,
           text: JSON.stringify({
-            error: "Free tier limit reached (5 PR reviews per 24 hours). Your limit resets automatically.",
-            upgrade: "Get unlimited access with an API key at dingdawg.com/developers",
-            ...governanceEnvelope("review_pr", []),
-          }, null, 2),
+            error: "Free tier limit reached (5 PR reviews per 24 hours). Resets automatically.",
+            upgrade: "Get unlimited access: export DINGDAWG_API_KEY=your_key — https://dingdawg.com/developers",
+            governed: true,
+          }),
         }],
       };
     }
 
-    const result = analyzePRDiff(diff, title);
+    // If API key is set, use deep analysis
+    if (API_KEY) {
+      const apiResult = await callApi("review_pr", {
+        diff,
+        title: title || "",
+        description: description || "",
+      });
+
+      if (apiResult.success && apiResult.data) {
+        return {
+          content: [{
+            type: "text" as const,
+            text: JSON.stringify({
+              mode: "deep_analysis",
+              powered_by: "DingDawg Code Review API",
+              ...apiResult.data,
+              receipt_id: `pr_${Date.now().toString(36)}`,
+              governed: true,
+            }, null, 2),
+          }],
+        };
+      }
+    }
+
+    // Free tier — basic analysis on added lines
+    const addedLines = diff.split("\n")
+      .filter((line) => line.startsWith("+") && !line.startsWith("+++"))
+      .map((line) => line.slice(1))
+      .join("\n");
+
+    const findings = analyzeCodeLocal(addedLines);
+    const hasCritical = findings.some((f) => f.severity === "critical");
+    const highCount = findings.filter((f) => f.severity === "high").length;
+    const decision = hasCritical || highCount >= 2 ? "request-changes" : "approve";
 
     return {
       content: [{
         type: "text" as const,
         text: JSON.stringify({
+          mode: "local_basic",
           pr_title: title || "untitled",
-          decision: result.decision,
-          summary: result.summary,
-          breaking_change_risk: result.breaking_change_risk,
-          test_coverage_gaps: result.test_coverage_gaps,
-          findings: result.findings,
-          also_available: {
-            suggest_fix: "Run suggest_fix with a finding ID to get a detailed fix recommendation.",
-            review_code: "Run review_code on specific files for deeper analysis.",
-          },
+          decision,
+          findings_count: findings.length,
+          top_findings: findings.slice(0, 3),
+          teaser: findings.length > 0
+            ? `Found ${findings.length} issue(s) in added lines. Deep LLM review catches breaking changes, test gaps, and architecture issues. export DINGDAWG_API_KEY=your_key`
+            : "Basic scan clean. LLM-powered review provides breaking change detection, test coverage analysis, and architecture review.",
+          upgrade_url: "https://dingdawg.com/developers",
+          receipt_id: `pr_${Date.now().toString(36)}`,
           free_pr_reviews_remaining: rateCheck.remaining,
-          ...governanceEnvelope("review_pr", result.findings),
+          governed: true,
         }, null, 2),
       }],
     };
@@ -676,15 +389,15 @@ server.tool(
 );
 
 // ---------------------------------------------------------------------------
-// suggest_fix — FREE: 20 suggestions/day
+// suggest_fix — FREE basic + PAID LLM fix generation
 // ---------------------------------------------------------------------------
 
 server.tool(
   "suggest_fix",
-  "Given a finding ID from review_code or review_pr, generate a detailed fix suggestion with explanation. " +
-  "FREE: 20 suggestions/day.",
+  "Given a finding ID from review_code or review_pr, generate a fix suggestion. " +
+  "FREE: 20 suggestions/day. LLM-powered code generation available with API key.",
   {
-    finding_id: z.string().describe("The finding ID from a review (e.g., SEC-001, QUAL-003, PERF-002)"),
+    finding_id: z.string().describe("The finding ID from a review (e.g., SEC-001, QUAL-003)"),
     code_context: z.string().optional().describe("The code surrounding the finding for a more targeted fix"),
   },
   async ({ finding_id, code_context }) => {
@@ -694,56 +407,67 @@ server.tool(
         content: [{
           type: "text" as const,
           text: JSON.stringify({
-            error: "Free tier limit reached (20 fix suggestions per 24 hours). Your limit resets automatically.",
-            upgrade: "Get unlimited access with an API key at dingdawg.com/developers",
-            ...governanceEnvelope("suggest_fix", []),
-          }, null, 2),
+            error: "Free tier limit reached (20 fix suggestions per 24 hours). Resets automatically.",
+            upgrade: "Get unlimited access: export DINGDAWG_API_KEY=your_key — https://dingdawg.com/developers",
+            governed: true,
+          }),
         }],
       };
     }
 
-    const fix = generateFix(finding_id, code_context || "");
+    // If API key is set, get LLM-powered fix
+    if (API_KEY) {
+      const apiResult = await callApi("suggest_fix", {
+        finding_id,
+        code_context: code_context || "",
+      });
+
+      if (apiResult.success && apiResult.data) {
+        return {
+          content: [{
+            type: "text" as const,
+            text: JSON.stringify({
+              mode: "deep_analysis",
+              powered_by: "DingDawg Code Review API",
+              ...apiResult.data,
+              receipt_id: `fix_${Date.now().toString(36)}`,
+              governed: true,
+            }, null, 2),
+          }],
+        };
+      }
+    }
 
-    if (!fix) {
+    // Free tier — match against local rules
+    const rule = ANALYSIS_RULES.find((r) => r.id === finding_id);
+    if (!rule) {
       return {
         content: [{
           type: "text" as const,
           text: JSON.stringify({
             finding_id,
-            error: `No rule found for finding ID '${finding_id}'. Valid IDs start with SEC-, QUAL-, PERF-, BP-, or BREAK-.`,
-            available_ids: ANALYSIS_RULES.map((r) => r.id),
-            ...governanceEnvelope("suggest_fix", []),
+            error: `No rule found for '${finding_id}'. Valid IDs: ${ANALYSIS_RULES.map((r) => r.id).join(", ")}`,
+            governed: true,
           }, null, 2),
         }],
       };
     }
 
-    // Build a contextual finding for governance
-    const rule = ANALYSIS_RULES.find((r) => r.id === finding_id)!;
-    const finding: Finding = {
-      id: rule.id,
-      severity: rule.severity,
-      category: rule.category,
-      title: rule.title,
-      description: rule.description,
-      suggestion: rule.suggestion,
-    };
-
     return {
       content: [{
         type: "text" as const,
         text: JSON.stringify({
+          mode: "local_basic",
           finding_id,
           severity: rule.severity,
           category: rule.category,
-          fix: fix.fix,
-          explanation: fix.explanation,
-          also_available: {
-            review_code: "Run review_code to scan an entire file for issues.",
-            review_pr: "Run review_pr to review a full PR diff.",
-          },
+          fix: rule.suggestion,
+          explanation: `${rule.title}: ${rule.description}\n\nRecommended: ${rule.suggestion}`,
+          teaser: "Get LLM-powered code generation with actual fix diffs using: export DINGDAWG_API_KEY=your_key",
+          upgrade_url: "https://dingdawg.com/developers",
+          receipt_id: `fix_${Date.now().toString(36)}`,
           free_suggestions_remaining: rateCheck.remaining,
-          ...governanceEnvelope("suggest_fix", [finding]),
+          governed: true,
         }, null, 2),
       }],
     };