docguard-cli 0.9.11 → 0.11.0

package/cli/validators/security.mjs

@@ -58,6 +58,7 @@ export function validateSecurity(projectDir, config) {
   const results = { name: 'security', errors: [], warnings: [], passed: 0, total: 0 };
 
   const findings = [];
+  let scanned = 0;
 
   walkDir(projectDir, (filePath) => {
     const ext = extname(filePath);
@@ -73,13 +74,17 @@ export function validateSecurity(projectDir, config) {
     // Apply config ignore patterns (securityIgnore + global ignore)
     if (shouldIgnore(relPath, config, 'securityIgnore')) return;
 
+    scanned++;
     const content = readFileSync(filePath, 'utf-8');
-    const lines = content.split('\n');
+    let lines = null;
 
     for (const { pattern, label } of SECRET_PATTERNS) {
       pattern.lastIndex = 0;
       const match = pattern.exec(content);
       if (match) {
+        // Lazily initialize lines only when a match is found
+        if (!lines) lines = content.split('\n');
+
         // Find the line containing this match for context-aware filtering
         const matchPos = match.index;
         let charCount = 0;
@@ -100,13 +105,21 @@ export function validateSecurity(projectDir, config) {
     }
   });
 
-  results.total = 1;
-  if (findings.length === 0) {
-    results.passed = 1;
-  } else {
-    for (const f of findings) {
-      results.errors.push(`${f.file}: possible ${f.label} found`);
+  // Only count the secret scan as a passed check if we actually scanned files.
+  // An empty scan that reports "no secrets" is a dangerous false ✅ — surface it.
+  if (scanned > 0) {
+    results.total++;
+    if (findings.length === 0) {
+      results.passed++;
+    } else {
+      for (const f of findings) {
+        results.errors.push(`${f.file}: possible ${f.label} found`);
+      }
     }
+  } else {
+    results.warnings.push(
+      'No source files were scanned for secrets — check config.sourceRoot / ignore patterns'
+    );
   }
 
   // Check .gitignore includes .env

package/cli/validators/structure.mjs

@@ -76,7 +76,14 @@ export function validateDocSections(projectDir, config) {
 
     for (const section of sections) {
       results.total++;
-      if (content.includes(section)) {
+      // Match an actual heading at line start (any level), not a substring that
+      // could appear in a table-of-contents link or a code block.
+      const headingText = section.replace(/^#+\s*/, '');
+      const headingRe = new RegExp(
+        '^#{2,6}\\s+' + headingText.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\b',
+        'm'
+      );
+      if (headingRe.test(content)) {
         results.passed++;
       } else {
         results.warnings.push(`${file}: missing section "${section}"`);

package/cli/validators/test-spec.mjs

@@ -5,6 +5,7 @@
 
 import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
 import { resolve } from 'node:path';
+import { resolveSourceRoots } from '../shared-source.mjs';
 
 export function validateTestSpec(projectDir, config) {
   const results = { name: 'test-spec', errors: [], warnings: [], passed: 0, total: 0 };
@@ -43,6 +44,9 @@ export function validateTestSpec(projectDir, config) {
       // Skip template/example rows and italic placeholder rows
       if (sourceFile.startsWith('<!--') || sourceFile === 'Source File' || sourceFile.startsWith('*')) continue;
 
+      // Author-declared gaps (❌/⚠️) are surfaced as warnings. A ✅ glyph is the
+      // author's CLAIM, not proof — it is NOT counted as a pass. The real pass
+      // comes from the file-existence checks below (code truth, not the glyph).
       if (status && status.includes('❌')) {
         results.total++;
         results.warnings.push(
@@ -53,9 +57,6 @@ export function validateTestSpec(projectDir, config) {
         results.warnings.push(
           `TEST-SPEC declares ${sourceFile} as ⚠️ — partial coverage`
         );
-      } else if (status && status.includes('✅')) {
-        results.total++;
-        results.passed++;
       }
 
       // ── File existence checks ───────────────────────────────────────
@@ -122,34 +123,41 @@ export function validateTestSpec(projectDir, config) {
           results.warnings.push(
             `E2E Journey #${num} (${journey}) — missing test: ${testFile}`
           );
-        } else if (status && status.includes('✅')) {
+          continue;
+        }
+
+        // For a ✅ journey, verify the referenced test file actually exists
+        // rather than trusting the glyph.
+        const cleanTest = testFile ? testFile.replace(/`/g, '').trim() : '';
+        if (cleanTest && cleanTest !== '—' && !cleanTest.includes('N/A')) {
           results.total++;
-          results.passed++;
+          if (existsSync(resolve(projectDir, cleanTest))) {
+            results.passed++;
+          } else {
+            results.warnings.push(
+              `E2E Journey #${num} (${journey}) marked ✅ but test file not found: ${cleanTest}`
+            );
+          }
         }
       }
     }
   }
 
-  // If no test spec entries parsed, check if tests exist anywhere
+  // If TEST-SPEC.md declared no service-to-test mappings, there is nothing to
+  // verify against. Do NOT manufacture a 1/1 pass just because tests exist
+  // somewhere — that rendered a confident green ✅ for a doc that mapped nothing.
   if (results.total === 0) {
-    results.total = 1;
-
     // 1. Check top-level test dirs
     const commonTestDirs = ['tests', 'test', '__tests__', 'spec'];
     const hasTestDir = commonTestDirs.some(d =>
       existsSync(resolve(projectDir, d))
     );
 
-    // 2. Check co-located tests (src/**/__tests__/, src/**/*.test.*)
+    // 2. Check co-located tests (honors config.sourceRoot + workspaces)
     let hasColocated = false;
     if (!hasTestDir) {
-      const sourceRoots = ['src', 'app', 'lib', 'packages'];
-      for (const root of sourceRoots) {
-        const rootPath = resolve(projectDir, root);
-        if (existsSync(rootPath) && hasTestFilesRecursive(rootPath)) {
-          hasColocated = true;
-          break;
-        }
+      for (const rootPath of resolveSourceRoots(projectDir, config)) {
+        if (hasTestFilesRecursive(rootPath)) { hasColocated = true; break; }
       }
     }
 
@@ -161,7 +169,8 @@ export function validateTestSpec(projectDir, config) {
     }
 
     if (hasTestDir || hasColocated || hasConfigTests) {
-      results.passed = 1;
+      // Tests exist but the spec maps none of them → not applicable, not a pass.
+      results.note = 'TEST-SPEC.md declares no service-to-test mappings';
     } else {
       results.warnings.push(
         'No test directory or co-located test files found. ' +

package/cli/validators/todo-tracking.mjs

@@ -67,7 +67,7 @@ export function validateTodoTracking(projectDir, config) {
   results.passed += skipResults.passed;
   results.total += skipResults.total;
 
-  // ── Part 2: Untracked TODOs/FIXMEs ──
+  // ── Part 2: Untracked Annotations ──
   const todoResults = checkUntrackedTodos(projectDir, config);
   results.errors.push(...todoResults.errors);
   results.warnings.push(...todoResults.warnings);
@@ -105,6 +105,10 @@ function checkSkippedTests(projectDir, config) {
     let content;
     try { content = readFileSync(fullPath, 'utf-8'); } catch { continue; }
 
+    // Fast early-return: skip expensive string split if no skip patterns exist
+    const hasSkip = SKIP_PATTERNS.some(p => p.test(content));
+    if (!hasSkip) continue;
+
     const lines = content.split('\n');
 
     for (let i = 0; i < lines.length; i++) {
@@ -151,7 +155,7 @@ function checkSkippedTests(projectDir, config) {
   return { errors, warnings, passed, total };
 }
 
-// ──── Untracked TODOs ──────────────────────────────────────────────────────
+// ──── Untracked Annotations ────────────────────────────────────────────────
 
 /**
  * Scan source files for TODO/FIXME annotations and check if they appear
@@ -183,15 +187,19 @@ function checkUntrackedTodos(projectDir, config) {
   for (const todo of todos) {
     // Check if the TODO is tracked in documentation
     // Improved matching: check full text AND file location context
+    // ⚡ Bolt: Precompute string lowercasing and trimming once per TODO
+    // instead of inside the trackingContent.some loop
+    const todoTextLower = todo.text.toLowerCase().trim();
+    const searchText = todoTextLower.length > 20
+      ? todoTextLower.substring(0, 40)
+      : todoTextLower;
+
     const isTracked = trackingContent.some(doc => {
       const content = doc.content;
-      const contentLower = content.toLowerCase();
-      const todoTextLower = todo.text.toLowerCase().trim();
+      // ⚡ Bolt: use the precomputed lowercased content
+      const contentLower = doc.contentLower;
 
       // Match 1: Full TODO text appears in the doc (at least 20 chars or full text)
-      const searchText = todoTextLower.length > 20
-        ? todoTextLower.substring(0, 40)
-        : todoTextLower;
       const hasText = contentLower.includes(searchText);
 
       // Match 2: File location appears nearby in the doc
@@ -240,7 +248,9 @@ function loadTrackingDocs(projectDir, config) {
     const fullPath = resolve(projectDir, file);
     if (existsSync(fullPath)) {
       try {
-        docs.push({ file, content: readFileSync(fullPath, 'utf-8') });
+        const content = readFileSync(fullPath, 'utf-8');
+        // ⚡ Bolt: Precompute lowercased content during file load to avoid N*M overhead
+        docs.push({ file, content, contentLower: content.toLowerCase() });
       } catch { /* ignore */ }
     }
   }
@@ -306,6 +316,9 @@ function findTodos(rootDir, dir, todos, config) {
       let content;
       try { content = readFileSync(full, 'utf-8'); } catch { continue; }
 
+      // Fast early-return: skip expensive string split if no TODO patterns exist
+      if (!TODO_PATTERN.test(content)) continue;
+
       const lines = content.split('\n');
 
       for (let i = 0; i < lines.length; i++) {

package/cli/validators/traceability.mjs

@@ -130,13 +130,16 @@ export function validateTraceability(projectDir, config) {
     }
 
     // Count matching source files
-    let totalSources = 0;
+    // ⚡ Bolt: Fast early return using .some() instead of .filter()
+    let hasSource = false;
     for (const pattern of traceInfo.sourcePatterns) {
-      const matches = projectFiles.filter(f => pattern.glob.test(f));
-      totalSources += matches.length;
+      if (projectFiles.some(f => pattern.glob.test(f))) {
+        hasSource = true;
+        break;
+      }
     }
 
-    if (totalSources > 0) {
+    if (hasSource) {
       passed++;
     } else {
       warnings.push(`${docName} — exists but no matching source code found (unlinked doc)`);
@@ -186,6 +189,46 @@ function validateRequirementTraceability(projectDir, config, projectFiles) {
     : DEFAULT_REQ_PATTERNS;
 
   // ── Step 1: Collect requirement IDs from documentation ──
+  const reqIds = collectRequirementIds(projectDir, config, patterns);
+
+  // If no requirement IDs found, silently pass — this project doesn't use them
+  if (reqIds.size === 0) {
+    return { errors, warnings, passed, total };
+  }
+
+  // ── Step 2: Scan test files for requirement ID references ──
+  const testRefs = scanTestFilesForReferences(projectDir, projectFiles, patterns);
+
+  // ── Step 3: Report traceability results ──
+
+  // Check each documented requirement has at least one test reference
+  for (const [reqId, location] of reqIds) {
+    total++;
+    if (testRefs.has(reqId)) {
+      passed++;
+    } else {
+      warnings.push(
+        `Requirement ${reqId} (${location.file}:${location.line}) has no test coverage. ` +
+        `Add @req ${reqId} comment to the test that verifies this requirement`
+      );
+    }
+  }
+
+  // Check for orphaned test refs (tests referencing non-existent requirements)
+  for (const [reqId, refs] of testRefs) {
+    if (!reqIds.has(reqId)) {
+      total++;
+      warnings.push(
+        `Test references ${reqId} (${refs[0].file}:${refs[0].line}) but no requirement ` +
+        `with this ID exists in documentation. Remove the reference or add the requirement to docs`
+      );
+    }
+  }
+
+  return { errors, warnings, passed, total };
+}
+
+function collectRequirementIds(projectDir, config, patterns) {
   const reqIds = new Map(); // reqId → { file, line }
   const docSearchPaths = getRequirementDocPaths(projectDir, config);
 
@@ -193,6 +236,11 @@ function validateRequirementTraceability(projectDir, config, projectFiles) {
     if (!existsSync(docPath)) continue;
 
     const content = readFileSync(docPath, 'utf-8');
+
+    // Fast early-return: skip expensive string split if no requirement patterns exist
+    const hasMatch = patterns.some(p => { p.lastIndex = 0; return p.test(content); });
+    if (!hasMatch) continue;
+
     const lines = content.split('\n');
     const docName = relative(projectDir, docPath);
 
@@ -211,12 +259,10 @@ function validateRequirementTraceability(projectDir, config, projectFiles) {
     }
   }
 
-  // If no requirement IDs found, silently pass — this project doesn't use them
-  if (reqIds.size === 0) {
-    return { errors, warnings, passed, total };
-  }
+  return reqIds;
+}
 
-  // ── Step 2: Scan test files for requirement ID references ──
+function scanTestFilesForReferences(projectDir, projectFiles, patterns) {
   const testFiles = projectFiles.filter(f =>
     /\.(test|spec)\.(mjs|cjs|[jt]sx?)$/.test(f) ||
     /__tests__\//.test(f) ||
@@ -231,6 +277,11 @@ function validateRequirementTraceability(projectDir, config, projectFiles) {
 
     let content;
     try { content = readFileSync(fullPath, 'utf-8'); } catch { continue; }
+
+    // Fast early-return: skip expensive string split if no requirement patterns exist
+    const hasMatch = patterns.some(p => { p.lastIndex = 0; return p.test(content); });
+    if (!hasMatch) continue;
+
     const lines = content.split('\n');
 
     for (let i = 0; i < lines.length; i++) {
@@ -246,33 +297,7 @@ function validateRequirementTraceability(projectDir, config, projectFiles) {
     }
   }
 
-  // ── Step 3: Report traceability results ──
-
-  // Check each documented requirement has at least one test reference
-  for (const [reqId, location] of reqIds) {
-    total++;
-    if (testRefs.has(reqId)) {
-      passed++;
-    } else {
-      warnings.push(
-        `Requirement ${reqId} (${location.file}:${location.line}) has no test coverage. ` +
-        `Add @req ${reqId} comment to the test that verifies this requirement`
-      );
-    }
-  }
-
-  // Check for orphaned test refs (tests referencing non-existent requirements)
-  for (const [reqId, refs] of testRefs) {
-    if (!reqIds.has(reqId)) {
-      total++;
-      warnings.push(
-        `Test references ${reqId} (${refs[0].file}:${refs[0].line}) but no requirement ` +
-        `with this ID exists in documentation. Remove the reference or add the requirement to docs`
-      );
-    }
-  }
-
-  return { errors, warnings, passed, total };
+  return testRefs;
 }
 
 /**

package/cli/writers/api-reference.mjs

@@ -0,0 +1,101 @@
+/**
+ * API-REFERENCE.md Writer — deterministic, structural edits only.
+ *
+ * Used by `docguard fix --write` to MECHANICALLY remove endpoints that are
+ * documented but no longer exist in the actual API surface. This performs NO
+ * content rewriting (that needs an LLM) — it only deletes the structural pieces
+ * that document a now-absent endpoint:
+ *   1. its summary-table row:   | `GET` | `/api/...` | ... |
+ *   2. its detail block:        #### GET `/api/...`  … up to the next heading
+ *
+ * Pure string transform — idempotent, no disk I/O here.
+ *
+ * Zero NPM dependencies — pure Node.js built-ins only.
+ */
+
+import { normalizePath, endpointKey } from '../scanners/api-doc.mjs';
+
+const HTTP_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS']);
+const HEADING_RE = /^#{1,6}\s/;
+// An endpoint detail heading: "#### GET `/path`" (backticks optional, any level).
+const ENDPOINT_HEADING_RE = /^#{2,6}\s+`?(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)`?\s+`?(\/[^\s`|]+)`?/i;
+
+/** True if the doc is DocGuard-generated (safe for `--write` to edit). */
+export function hasGeneratedMarker(content) {
+  return /<!--\s*docguard:generated\s+true\s*-->/i.test(content || '');
+}
+
+/**
+ * If a markdown line is an API summary-table row, return its endpoint key.
+ * Row shape: | `GET` | `/api/...` | ... |
+ */
+function tableRowKey(line) {
+  if (!line.includes('|')) return null;
+  const cells = line.split('|').map(s => s.trim()).filter(s => s.length > 0);
+  if (cells.length < 2) return null;
+  const method = cells[0].replace(/`/g, '').trim().toUpperCase();
+  if (!HTTP_METHODS.has(method)) return null;
+  for (let i = 1; i < cells.length; i++) {
+    const cand = cells[i].replace(/`/g, '').trim();
+    if (cand.startsWith('/')) return endpointKey(method, cand);
+  }
+  return null;
+}
+
+/** If a line is an endpoint detail heading, return its endpoint key. */
+function headingKey(line) {
+  const m = line.match(ENDPOINT_HEADING_RE);
+  if (!m) return null;
+  return endpointKey(m[1], m[2]);
+}
+
+/**
+ * Remove the table row(s) and detail block(s) for the given endpoints.
+ *
+ * @param {string} content - API-REFERENCE.md content
+ * @param {Array<{method:string,path:string}>} endpoints - endpoints to remove
+ * @returns {{ content: string, removed: string[] }} new content + removed keys
+ */
+export function removeEndpoints(content, endpoints) {
+  const targets = new Set((endpoints || []).map(e => endpointKey(e.method, e.path)));
+  if (targets.size === 0) return { content, removed: [] };
+
+  const lines = content.split('\n');
+  const out = [];
+  const removed = new Set();
+  let skippingBlock = false;
+
+  for (const line of lines) {
+    const isHeading = HEADING_RE.test(line);
+
+    if (isHeading) {
+      // Any heading terminates a block we were skipping.
+      const hk = headingKey(line);
+      if (hk && targets.has(hk)) {
+        // Start (or continue into a new) skipped detail block.
+        skippingBlock = true;
+        removed.add(hk);
+        continue; // drop the heading line itself
+      }
+      // A non-target heading ends skipping and is kept.
+      skippingBlock = false;
+      out.push(line);
+      continue;
+    }
+
+    if (skippingBlock) continue; // inside a removed detail block
+
+    // Not skipping: drop a matching summary-table row.
+    const rk = tableRowKey(line);
+    if (rk && targets.has(rk)) {
+      removed.add(rk);
+      continue;
+    }
+
+    out.push(line);
+  }
+
+  return { content: out.join('\n'), removed: [...removed] };
+}
+
+export { normalizePath };

package/cli/writers/mechanical.mjs

@@ -0,0 +1,116 @@
+/**
+ * Mechanical Fix Registry — applies deterministic, no-LLM fixes in place.
+ *
+ * Validators surface structured `fixes[]` actions; this module knows how to
+ * apply each TYPE safely and idempotently. These are surgical token/structure
+ * edits the validator already located precisely — never prose rewrites.
+ *
+ * Fix types:
+ *   - replace-count   : stale "N validators/checks" → actual count (Metrics-Consistency)
+ *   - replace-version : stale version ref → current version (Metadata-Sync)
+ *   - insert-changelog-unreleased : add a `## [Unreleased]` header (Changelog)
+ *   - remove-endpoint : delete a documented-but-absent endpoint (API-Surface; delegated)
+ *
+ * Pure file edits, no LLM. Zero NPM dependencies.
+ */
+
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { removeEndpoints, hasGeneratedMarker } from './api-reference.mjs';
+
+const esc = (s) => String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+
+/** replace-count: "<found> <label>" → "<actual> <label>" in the file. */
+function applyReplaceCount(projectDir, fix) {
+  const full = resolve(projectDir, fix.file);
+  if (!existsSync(full)) return { applied: false };
+  const content = readFileSync(full, 'utf-8');
+  const re = new RegExp(`\\b${esc(fix.found)}(\\s+(?:automated\\s+)?${esc(fix.label)}\\b)`, 'g');
+  const next = content.replace(re, `${fix.actual}$1`);
+  if (next === content) return { applied: false };
+  writeFileSync(full, next, 'utf-8');
+  return { applied: true, detail: `${fix.file}: "${fix.found} ${fix.label}" → "${fix.actual} ${fix.label}"` };
+}
+
+/** replace-version: stale version → current, ONLY in actionable contexts. */
+function applyReplaceVersion(projectDir, fix) {
+  const full = resolve(projectDir, fix.file);
+  if (!existsSync(full)) return { applied: false };
+  const content = readFileSync(full, 'utf-8');
+  const f = esc(fix.found);
+  // Mirror metadata-sync's actionable detection so we never touch prose.
+  const patterns = [
+    new RegExp(`((?:archive|tags|releases|download)\\/v?)${f}`, 'g'),
+    new RegExp(`(@)${f}`, 'g'),
+    new RegExp(`(version:\\s*["']?)${f}`, 'g'),
+  ];
+  let next = content;
+  for (const re of patterns) next = next.replace(re, `$1${fix.actual}`);
+  if (next === content) return { applied: false };
+  writeFileSync(full, next, 'utf-8');
+  return { applied: true, detail: `${fix.file}: v${fix.found} → v${fix.actual}` };
+}
+
+/** insert-changelog-unreleased: add `## [Unreleased]` after the title/intro. */
+function applyInsertChangelogUnreleased(projectDir, fix) {
+  const full = resolve(projectDir, fix.file);
+  if (!existsSync(full)) return { applied: false };
+  const content = readFileSync(full, 'utf-8');
+  if (/\[unreleased\]/i.test(content)) return { applied: false }; // idempotent
+  const lines = content.split('\n');
+  // Insert before the first version heading `## [x.y.z]`, else after the H1, else top.
+  let idx = lines.findIndex(l => /^##\s*\[\d/.test(l));
+  if (idx < 0) {
+    const h1 = lines.findIndex(l => /^#\s/.test(l));
+    idx = h1 >= 0 ? h1 + 1 : 0;
+  }
+  const block = idx > 0 && lines[idx - 1].trim() !== '' ? ['', '## [Unreleased]', ''] : ['## [Unreleased]', ''];
+  lines.splice(idx, 0, ...block);
+  writeFileSync(full, lines.join('\n'), 'utf-8');
+  return { applied: true, detail: `${fix.file}: added ## [Unreleased]` };
+}
+
+/** remove-endpoint: delegate to the API-REFERENCE writer (marker-gated). */
+function applyRemoveEndpoint(projectDir, fix, { force = false } = {}) {
+  const full = resolve(projectDir, fix.doc || 'docs-canonical/API-REFERENCE.md');
+  if (!existsSync(full)) return { applied: false };
+  const content = readFileSync(full, 'utf-8');
+  if (!hasGeneratedMarker(content) && !force) {
+    return { applied: false, skipped: `${fix.doc} not docguard:generated (use --force)` };
+  }
+  const { content: next, removed } = removeEndpoints(content, [{ method: fix.method, path: fix.path }]);
+  if (removed.length === 0 || next === content) return { applied: false };
+  writeFileSync(full, next, 'utf-8');
+  return { applied: true, detail: `${fix.doc}: removed ${fix.method} ${fix.path}` };
+}
+
+const APPLIERS = {
+  'replace-count': applyReplaceCount,
+  'replace-version': applyReplaceVersion,
+  'insert-changelog-unreleased': applyInsertChangelogUnreleased,
+  'remove-endpoint': applyRemoveEndpoint,
+};
+
+export const MECHANICAL_FIX_TYPES = Object.keys(APPLIERS);
+
+/** Apply a single structured fix. Returns { applied, detail?, skipped? }. */
+export function applyMechanicalFix(projectDir, fix, opts = {}) {
+  const fn = APPLIERS[fix.type];
+  if (!fn) return { applied: false, skipped: `unknown fix type: ${fix.type}` };
+  return fn(projectDir, fix, opts);
+}
+
+/**
+ * Apply a batch of fixes; returns a summary.
+ * @returns {{ applied: object[], skipped: object[] }}
+ */
+export function applyMechanicalFixes(projectDir, fixes, opts = {}) {
+  const applied = [];
+  const skipped = [];
+  for (const fix of fixes) {
+    const r = applyMechanicalFix(projectDir, fix, opts);
+    if (r.applied) applied.push({ ...fix, detail: r.detail });
+    else if (r.skipped) skipped.push({ ...fix, reason: r.skipped });
+  }
+  return { applied, skipped };
+}