ghagga-core 2.5.0 → 2.6.0

package/dist/utils/context-levels.js

@@ -0,0 +1,255 @@
+/**
+ * Progressive context loading system (L0/L1/L2).
+ *
+ * For small models with tight token budgets (e.g., Groq free tier: 4-6K total),
+ * the full static analysis and memory context can consume the entire context budget,
+ * leaving little room for the actual diff. This module provides three fidelity
+ * levels that are automatically selected based on the available token budget.
+ *
+ * Levels:
+ *   L0 (~20-50 tokens)  — One-sentence summary
+ *   L1 (~100-200 tokens) — Bullet list with key details
+ *   L2 (full)            — Current behavior, unchanged
+ */
+// ─── Constants ──────────────────────────────────────────────────
+/** Rough chars-per-token heuristic (same as diff.ts truncateDiff). */
+const CHARS_PER_TOKEN = 4;
+/**
+ * L1 budget ceiling: if the context budget is at least this many tokens,
+ * we can afford the bullet-list (L1) representation. Below this → L0.
+ */
+const L1_MIN_BUDGET = 150;
+// ─── Token estimation ───────────────────────────────────────────
+/**
+ * Estimate token count from text using the 4-chars-per-token heuristic.
+ * Matches the same approximation used in `truncateDiff()`.
+ */
+export function estimateTokens(text) {
+    return Math.ceil(text.length / CHARS_PER_TOKEN);
+}
+// ─── Level selection ────────────────────────────────────────────
+/**
+ * Choose the optimal context fidelity level based on available budget.
+ *
+ * Decision tree:
+ *   1. If the full (L2) context fits within the budget → L2
+ *   2. If the budget can accommodate an L1 summary (≥150 tokens) → L1
+ *   3. Otherwise → L0
+ *
+ * @param contextBudget - Available tokens for context from `calculateTokenBudget()`
+ * @param estimatedFullTokens - Token estimate for the full (L2) context
+ */
+export function chooseContextLevel(contextBudget, estimatedFullTokens) {
+    if (estimatedFullTokens <= contextBudget) {
+        return 'L2';
+    }
+    if (contextBudget >= L1_MIN_BUDGET) {
+        return 'L1';
+    }
+    return 'L0';
+}
+// ─── Static analysis helpers ────────────────────────────────────
+/**
+ * Extract all findings from a StaticAnalysisResult (all tools, dynamic).
+ */
+export function collectAllFindings(staticResult) {
+    const findings = [];
+    for (const toolResult of Object.values(staticResult)) {
+        if (toolResult && typeof toolResult === 'object' && 'findings' in toolResult) {
+            findings.push(...toolResult.findings);
+        }
+    }
+    return findings;
+}
+/**
+ * Extract the names of all tools that ran successfully.
+ */
+export function collectToolNames(staticResult) {
+    return Object.entries(staticResult)
+        .filter(([, toolResult]) => toolResult &&
+        typeof toolResult === 'object' &&
+        'status' in toolResult &&
+        toolResult.status === 'success')
+        .map(([name]) => name);
+}
+// ─── Severity grouping helper ───────────────────────────────────
+/**
+ * Group findings by severity, returning counts.
+ * E.g. { critical: 1, high: 2, medium: 3 }
+ */
+function countBySeverity(findings) {
+    const counts = {};
+    for (const f of findings) {
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+    }
+    return counts;
+}
+/**
+ * Format severity counts into a compact string like "2 high, 3 medium".
+ * Ordered by severity: critical → high → medium → low → info.
+ */
+function formatSeverityCounts(counts) {
+    const order = ['critical', 'high', 'medium', 'low', 'info'];
+    return order
+        .filter((s) => (counts[s] ?? 0) > 0)
+        .map((s) => `${counts[s]} ${s}`)
+        .join(', ');
+}
+// ─── Static Context Formatters ──────────────────────────────────
+/**
+ * L0: One-sentence summary of static analysis findings.
+ *
+ * Output: "Static analysis (semgrep, trivy): 5 findings (2 high, 3 medium)"
+ * Or:     "Static analysis: no findings"
+ *
+ * @param findings - All findings from static analysis tools
+ * @param toolNames - Names of tools that ran successfully
+ */
+export function formatStaticContextL0(findings, toolNames) {
+    const toolList = toolNames.length > 0 ? ` (${toolNames.join(', ')})` : '';
+    if (findings.length === 0) {
+        return `Static analysis${toolList}: no findings`;
+    }
+    const counts = countBySeverity(findings);
+    const severityStr = formatSeverityCounts(counts);
+    return `Static analysis${toolList}: ${findings.length} finding(s) (${severityStr})`;
+}
+/**
+ * L1: Bullet list with file, line, severity, and rule name.
+ *
+ * Output:
+ * ## Static Analysis Summary
+ * - [high] auth.ts:45 — SQL injection (semgrep)
+ * - [medium] db.ts:12 — Unparameterized query (semgrep)
+ *
+ * Caps at 15 findings to stay within ~200 tokens. Sorted by severity.
+ *
+ * @param findings - All findings from static analysis tools
+ */
+export function formatStaticContextL1(findings) {
+    if (findings.length === 0)
+        return '';
+    const SEVERITY_ORDER = {
+        critical: 0,
+        high: 1,
+        medium: 2,
+        low: 3,
+        info: 4,
+    };
+    const sorted = [...findings].sort((a, b) => (SEVERITY_ORDER[a.severity] ?? 4) - (SEVERITY_ORDER[b.severity] ?? 4));
+    const cap = 15;
+    const capped = sorted.slice(0, cap);
+    const lines = ['## Static Analysis Summary (do NOT repeat these)', ''];
+    for (const f of capped) {
+        const location = f.line ? `${f.file}:${f.line}` : f.file;
+        lines.push(`- [${f.severity}] ${location} — ${f.message} (${f.source})`);
+    }
+    if (findings.length > cap) {
+        lines.push(`- ... and ${findings.length - cap} more`);
+    }
+    return lines.join('\n');
+}
+// ─── Memory Context Formatters ──────────────────────────────────
+/**
+ * Count the number of observation items in a memory context string.
+ * Observations are headed by "### [TYPE] Title" lines.
+ */
+function countMemoryObservations(memory) {
+    const matches = memory.match(/^### \[/gm);
+    return matches?.length ?? 0;
+}
+/**
+ * L0: One-sentence summary of available memory context.
+ *
+ * Output: "Memory: 3 past observations about this codebase available"
+ * Or:     "" (if no memory)
+ *
+ * @param memory - The full memory context string, or null
+ */
+export function formatMemoryContextL0(memory) {
+    if (!memory)
+        return '';
+    const count = countMemoryObservations(memory);
+    if (count === 0)
+        return '';
+    return `Memory: ${count} past observation(s) about this codebase available`;
+}
+/**
+ * L1: Abbreviated bullet list of memory items (titles only).
+ *
+ * Output:
+ * ## Past Review Memory (summary)
+ * - [DECISION] Switched from sessions to JWT
+ * - [BUGFIX] Fixed N+1 in user list
+ *
+ * @param memory - The full memory context string, or null
+ */
+export function formatMemoryContextL1(memory) {
+    if (!memory)
+        return '';
+    // Extract "### [TYPE] Title" headers from the memory context
+    const headerRegex = /^### \[([A-Z]+)\] (.+)$/gm;
+    const items = [];
+    let match = headerRegex.exec(memory);
+    while (match !== null) {
+        items.push(`- [${match[1]}] ${match[2]}`);
+        match = headerRegex.exec(memory);
+    }
+    if (items.length === 0)
+        return '';
+    return ['## Past Review Memory (summary)', '', ...items].join('\n');
+}
+/**
+ * Build context strings at the optimal fidelity level for the available budget.
+ *
+ * The budget is split: static analysis gets priority, then memory fills remaining.
+ * Stack hints pass through unchanged (they are already compact).
+ *
+ * @returns Context strings and chosen levels for logging
+ */
+export function buildProgressiveContext(input) {
+    const { staticResult, memoryContext, stackHints, contextBudget, fullStaticContext } = input;
+    // Estimate full token costs
+    const fullStaticTokens = estimateTokens(fullStaticContext);
+    const fullMemoryTokens = memoryContext ? estimateTokens(memoryContext) : 0;
+    const stackHintTokens = estimateTokens(stackHints);
+    // Stack hints always pass through — they're already very compact
+    const remainingBudget = Math.max(0, contextBudget - stackHintTokens);
+    // Allocate: 60% to static, 40% to memory (of remaining budget)
+    const staticBudget = Math.floor(remainingBudget * 0.6);
+    const memoryBudget = remainingBudget - staticBudget;
+    // Choose static level
+    const staticLevel = chooseContextLevel(staticBudget, fullStaticTokens);
+    let adjustedStaticContext;
+    if (staticLevel === 'L2') {
+        adjustedStaticContext = fullStaticContext;
+    }
+    else {
+        const allFindings = collectAllFindings(staticResult);
+        const toolNames = collectToolNames(staticResult);
+        adjustedStaticContext =
+            staticLevel === 'L1'
+                ? formatStaticContextL1(allFindings)
+                : formatStaticContextL0(allFindings, toolNames);
+    }
+    // Choose memory level
+    const memoryLevel = chooseContextLevel(memoryBudget, fullMemoryTokens);
+    let adjustedMemory;
+    if (memoryLevel === 'L2') {
+        adjustedMemory = memoryContext;
+    }
+    else if (memoryLevel === 'L1') {
+        adjustedMemory = formatMemoryContextL1(memoryContext) || null;
+    }
+    else {
+        adjustedMemory = formatMemoryContextL0(memoryContext) || null;
+    }
+    return {
+        staticContext: adjustedStaticContext,
+        memoryContext: adjustedMemory,
+        stackHints,
+        staticLevel,
+        memoryLevel,
+    };
+}
+//# sourceMappingURL=context-levels.js.map

package/dist/utils/context-levels.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-levels.js","sourceRoot":"","sources":["../../src/utils/context-levels.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH,mEAAmE;AAEnE,sEAAsE;AACtE,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B;;;GAGG;AACH,MAAM,aAAa,GAAG,GAAG,CAAC;AAE1B,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;AAClD,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAChC,aAAqB,EACrB,mBAA2B;IAE3B,IAAI,mBAAmB,IAAI,aAAa,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,aAAa,IAAI,aAAa,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mEAAmE;AAEnE;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAkC;IACnE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;QACrD,IAAI,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7E,QAAQ,CAAC,IAAI,CAAC,GAAI,UAAyB,CAAC,QAAQ,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAAkC;IACjE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC;SAChC,MAAM,CACL,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,EAAE,CACjB,UAAU;QACV,OAAO,UAAU,KAAK,QAAQ;QAC9B,QAAQ,IAAI,UAAU;QACtB,UAAU,CAAC,MAAM,KAAK,SAAS,CAClC;SACA,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,mEAAmE;AAEnE;;;GAGG;AACH,SAAS,eAAe,CAAC,QAAyB;IAChD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,MAA8B;IAC1D,MAAM,KAAK,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC5D,OAAO,KAAK;SACT,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;SAC/B,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAyB,EAAE,SAAmB;IAClF,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE1E,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,kBAAkB,QAAQ,eAAe,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO,kBAAkB,QAAQ,KAAK,QAAQ,CAAC,MAAM,gBAAgB,WAAW,GAAG,CAAC;AACtF,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAyB;IAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,MAAM,cAAc,GAA2B;QAC7C,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAChF,CAAC;IAEF,MAAM,GAAG,GAAG,EAAE,CAAC;IACf,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAEpC,MAAM,KAAK,GAAG,CAAC,kDAAkD,EAAE,EAAE,CAAC,CAAC;IAEvE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACzD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,KAAK,QAAQ,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,mEAAmE;AAEnE;;;GAGG;AACH,SAAS,uBAAuB,CAAC,MAAc;IAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC1C,OAAO,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAEvB,MAAM,KAAK,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE3B,OAAO,WAAW,KAAK,oDAAoD,CAAC;AAC9E,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAEvB,6DAA6D;IAC7D,MAAM,WAAW,GAAG,2BAA2B,CAAC;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,OAAO,KAAK,KAAK,IAAI,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1C,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAElC,OAAO,CAAC,iCAAiC,EAAE,EAAE,EAAE,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtE,CAAC;AA+BD;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAA8B;IACpE,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,GAAG,KAAK,CAAC;IAE5F,4BAA4B;IAC5B,MAAM,gBAAgB,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;IAC3D,MAAM,gBAAgB,GAAG,aAAa,CAAC,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3E,MAAM,eAAe,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAEnD,iEAAiE;IACjE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,GAAG,eAAe,CAAC,CAAC;IAErE,+DAA+D;IAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,eAAe,GAAG,YAAY,CAAC;IAEpD,sBAAsB;IACtB,MAAM,WAAW,GAAG,kBAAkB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAEvE,IAAI,qBAA6B,CAAC;IAClC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,qBAAqB,GAAG,iBAAiB,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,MAAM,WAAW,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;QACjD,qBAAqB;YACnB,WAAW,KAAK,IAAI;gBAClB,CAAC,CAAC,qBAAqB,CAAC,WAAW,CAAC;gBACpC,CAAC,CAAC,qBAAqB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAED,sBAAsB;IACtB,MAAM,WAAW,GAAG,kBAAkB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAEvE,IAAI,cAA6B,CAAC;IAClC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,cAAc,GAAG,aAAa,CAAC;IACjC,CAAC;SAAM,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QAChC,cAAc,GAAG,qBAAqB,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,cAAc,GAAG,qBAAqB,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC;IAChE,CAAC;IAED,OAAO;QACL,aAAa,EAAE,qBAAqB;QACpC,aAAa,EAAE,cAAc;QAC7B,UAAU;QACV,WAAW;QACX,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/dist/utils/diff.d.ts

@@ -36,6 +36,31 @@ export declare function parseDiffFiles(diff: string): DiffFile[];
  * @returns Filtered array with ignored files removed
  */
 export declare function filterIgnoredFiles(files: DiffFile[], patterns: string[]): DiffFile[];
+/**
+ * Result of applying all three filtering tiers to diff files.
+ */
+export interface FilterDiffResult {
+    /** Files that passed all tiers — ready for LLM review. */
+    filtered: DiffFile[];
+    /** File paths blocked by ZERO_ACCESS tier (for logging). */
+    blocked: string[];
+    /** File paths redacted by REDACT tier (for logging). */
+    redacted: string[];
+}
+/**
+ * Apply all three tiers of file filtering in order:
+ *   1. ZERO_ACCESS — hardcoded security patterns (blocked entirely)
+ *   2. REDACT — sensitive templates (content replaced, path visible)
+ *   3. User ignorePatterns — configurable exclusions
+ *
+ * This is the recommended entry point for the pipeline. It applies
+ * non-overridable security filtering before user-configurable patterns.
+ *
+ * @param files - Array of DiffFile objects from the parsed diff
+ * @param ignorePatterns - User-configurable glob patterns to exclude
+ * @returns Object with filtered files, blocked paths, and redacted paths
+ */
+export declare function filterDiffFiles(files: DiffFile[], ignorePatterns: string[]): FilterDiffResult;
 /**
  * Truncate a diff string to fit within a token budget.
  *

package/dist/utils/diff.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/utils/diff.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,8DAA8D;AAC9D,MAAM,WAAW,QAAQ;IACvB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;IAEb,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,EAAE,CA2CvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,CAOpF;AAED;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,OAAO,CAAA;CAAE,CAc9C"}
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/utils/diff.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH,8DAA8D;AAC9D,MAAM,WAAW,QAAQ;IACvB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;IAEb,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC;CACjB;AAYD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,EAAE,CA2CvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,CAOpF;AAID;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0DAA0D;IAC1D,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAErB,4DAA4D;IAC5D,OAAO,EAAE,MAAM,EAAE,CAAC;IAElB,wDAAwD;IACxD,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAe7F;AAID;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,OAAO,CAAA;CAAE,CAc9C"}

package/dist/utils/diff.js

@@ -6,6 +6,7 @@
  * large diffs to fit within LLM token budgets.
  */
 import { minimatch } from 'minimatch';
+import { applyPathProtection } from './path-protection.js';
 // ─── Constants ──────────────────────────────────────────────────
 /**
  * Regex to match the start of a file diff block.
@@ -79,6 +80,33 @@ export function filterIgnoredFiles(files, patterns) {
         return !patterns.some((pattern) => minimatch(file.path, pattern, { dot: true }));
     });
 }
+/**
+ * Apply all three tiers of file filtering in order:
+ *   1. ZERO_ACCESS — hardcoded security patterns (blocked entirely)
+ *   2. REDACT — sensitive templates (content replaced, path visible)
+ *   3. User ignorePatterns — configurable exclusions
+ *
+ * This is the recommended entry point for the pipeline. It applies
+ * non-overridable security filtering before user-configurable patterns.
+ *
+ * @param files - Array of DiffFile objects from the parsed diff
+ * @param ignorePatterns - User-configurable glob patterns to exclude
+ * @returns Object with filtered files, blocked paths, and redacted paths
+ */
+export function filterDiffFiles(files, ignorePatterns) {
+    // Tier 1 & 2: Security filtering (non-overridable)
+    const { allowed, redacted, blocked } = applyPathProtection(files);
+    // Tier 3: User ignore patterns (applied to allowed files only)
+    const userFiltered = filterIgnoredFiles(allowed, ignorePatterns);
+    // Combine user-filtered files with redacted files for final output
+    const filtered = [...userFiltered, ...redacted];
+    return {
+        filtered,
+        blocked,
+        redacted: redacted.map((f) => f.path),
+    };
+}
+// ─── Truncation ─────────────────────────────────────────────────
 /**
  * Truncate a diff string to fit within a token budget.
  *

package/dist/utils/diff.js.map

@@ -1 +1 @@
-{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../src/utils/diff.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAmBtC,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,cAAc,GAAG,4BAA4B,CAAC;AAEpD,mEAAmE;AAEnE;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE/B,IAAI,WAAW,GAAoB,IAAI,CAAC;IACxC,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,SAAS,YAAY;QACnB,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,uCAAuC;YACvC,YAAY,EAAE,CAAC;YACf,WAAW,GAAG;gBACZ,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;gBACpB,SAAS,EAAE,CAAC;gBACZ,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,EAAE;aACZ,CAAC;YACF,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,WAAW,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAExB,wEAAwE;YACxE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpD,WAAW,CAAC,SAAS,EAAE,CAAC;YAC1B,CAAC;iBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,WAAW,CAAC,SAAS,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,YAAY,EAAE,CAAC;IAEf,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAiB,EAAE,QAAkB;IACtE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAExC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QAC3B,wDAAwD;QACxD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,SAAiB;IAEjB,MAAM,QAAQ,GAAG,SAAS,GAAG,CAAC,CAAC;IAE/B,IAAI,IAAI,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC5B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAClD,CAAC;IAED,uEAAuE;IACvE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,SAAS,GACb,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC9D,kDAAkD,CAAC;IAErD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../src/utils/diff.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAmB3D,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,cAAc,GAAG,4BAA4B,CAAC;AAEpD,mEAAmE;AAEnE;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE/B,IAAI,WAAW,GAAoB,IAAI,CAAC;IACxC,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,SAAS,YAAY;QACnB,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxB,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,uCAAuC;YACvC,YAAY,EAAE,CAAC;YACf,WAAW,GAAG;gBACZ,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;gBACpB,SAAS,EAAE,CAAC;gBACZ,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,EAAE;aACZ,CAAC;YACF,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,WAAW,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAExB,wEAAwE;YACxE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBACpD,WAAW,CAAC,SAAS,EAAE,CAAC;YAC1B,CAAC;iBAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,WAAW,CAAC,SAAS,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,YAAY,EAAE,CAAC;IAEf,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAiB,EAAE,QAAkB;IACtE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAExC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QAC3B,wDAAwD;QACxD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;AACL,CAAC;AAkBD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,eAAe,CAAC,KAAiB,EAAE,cAAwB;IACzE,mDAAmD;IACnD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAElE,+DAA+D;IAC/D,MAAM,YAAY,GAAG,kBAAkB,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAEjE,mEAAmE;IACnE,MAAM,QAAQ,GAAG,CAAC,GAAG,YAAY,EAAE,GAAG,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,QAAQ;QACR,OAAO;QACP,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,SAAiB;IAEjB,MAAM,QAAQ,GAAG,SAAS,GAAG,CAAC,CAAC;IAE/B,IAAI,IAAI,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC5B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAClD,CAAC;IAED,uEAAuE;IACvE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,SAAS,GACb,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC9D,kDAAkD,CAAC;IAErD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC3C,CAAC"}

package/dist/utils/llm-timeout.d.ts

@@ -0,0 +1,38 @@
+/**
+ * LLM call timeout utility.
+ *
+ * Wraps the AI SDK's `generateText` with a configurable timeout
+ * (default 60 seconds). When the timeout fires, the call is aborted
+ * and the function returns `null` so callers can gracefully fall back
+ * to static-analysis-only results.
+ */
+import { type GenerateTextResult, generateText } from 'ai';
+/** Default timeout for LLM calls: 60 seconds. */
+export declare const LLM_TIMEOUT_MS = 60000;
+/**
+ * Options accepted by `generateTextWithTimeout`.
+ *
+ * Same as `generateText` parameters, but `abortSignal` is managed
+ * internally (any caller-provided signal is combined via `AbortSignal.any`).
+ */
+type GenerateTextParams = Parameters<typeof generateText>[0];
+/**
+ * Call `generateText` with an automatic timeout.
+ *
+ * - Creates an `AbortController` with a 60-second timeout.
+ * - If the caller already provides an `abortSignal`, both signals
+ *   are combined so either one can cancel the request.
+ * - On timeout (or abort), logs a warning and returns `null`.
+ * - On any other error, **re-throws** so the caller's existing
+ *   error handling continues to work.
+ *
+ * @param params - Standard `generateText` parameters
+ * @param context - Optional metadata for the warning log (provider, model)
+ * @returns The `generateText` result, or `null` if the call timed out
+ */
+export declare function generateTextWithTimeout(params: GenerateTextParams, context?: {
+    provider?: string;
+    model?: string;
+}): Promise<GenerateTextResult<any, any> | null>;
+export {};
+//# sourceMappingURL=llm-timeout.d.ts.map

package/dist/utils/llm-timeout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-timeout.d.ts","sourceRoot":"","sources":["../../src/utils/llm-timeout.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,kBAAkB,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAE3D,iDAAiD;AACjD,eAAO,MAAM,cAAc,QAAS,CAAC;AAErC;;;;;GAKG;AACH,KAAK,kBAAkB,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;AAE7D;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAE9C,OAAO,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC,CAwC9C"}

package/dist/utils/llm-timeout.js

@@ -0,0 +1,76 @@
+/**
+ * LLM call timeout utility.
+ *
+ * Wraps the AI SDK's `generateText` with a configurable timeout
+ * (default 60 seconds). When the timeout fires, the call is aborted
+ * and the function returns `null` so callers can gracefully fall back
+ * to static-analysis-only results.
+ */
+import { generateText } from 'ai';
+/** Default timeout for LLM calls: 60 seconds. */
+export const LLM_TIMEOUT_MS = 60_000;
+/**
+ * Call `generateText` with an automatic timeout.
+ *
+ * - Creates an `AbortController` with a 60-second timeout.
+ * - If the caller already provides an `abortSignal`, both signals
+ *   are combined so either one can cancel the request.
+ * - On timeout (or abort), logs a warning and returns `null`.
+ * - On any other error, **re-throws** so the caller's existing
+ *   error handling continues to work.
+ *
+ * @param params - Standard `generateText` parameters
+ * @param context - Optional metadata for the warning log (provider, model)
+ * @returns The `generateText` result, or `null` if the call timed out
+ */
+export async function generateTextWithTimeout(params, context) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), LLM_TIMEOUT_MS);
+    // Combine with any caller-provided signal
+    let signal = controller.signal;
+    if (params.abortSignal) {
+        signal = AbortSignal.any([controller.signal, params.abortSignal]);
+    }
+    const startTime = Date.now();
+    try {
+        const result = await generateText({
+            ...params,
+            abortSignal: signal,
+        });
+        return result;
+    }
+    catch (error) {
+        const elapsed = Date.now() - startTime;
+        // Check if this was an abort/timeout
+        if (isAbortError(error)) {
+            const providerInfo = context?.provider && context?.model ? `${context.provider}/${context.model}` : 'unknown';
+            console.warn(`[ghagga] LLM call timed out after ${(elapsed / 1000).toFixed(1)}s ` +
+                `(limit: ${LLM_TIMEOUT_MS / 1000}s) — provider: ${providerInfo}. ` +
+                'Falling back to static-analysis-only results.');
+            return null;
+        }
+        // Not a timeout — re-throw for the caller's existing error handling
+        throw error;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Detect whether an error is an abort/timeout error.
+ *
+ * The AI SDK and Node.js throw different shapes depending on the
+ * runtime, so we check multiple patterns.
+ */
+function isAbortError(error) {
+    if (error instanceof DOMException && error.name === 'AbortError')
+        return true;
+    if (error instanceof Error) {
+        if (error.name === 'AbortError')
+            return true;
+        if (error.message.includes('aborted') || error.message.includes('AbortError'))
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=llm-timeout.js.map

package/dist/utils/llm-timeout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-timeout.js","sourceRoot":"","sources":["../../src/utils/llm-timeout.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAA2B,YAAY,EAAE,MAAM,IAAI,CAAC;AAE3D,iDAAiD;AACjD,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC;AAUrC;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAA0B,EAC1B,OAA+C;IAG/C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,CAAC,CAAC;IAEnE,0CAA0C;IAC1C,IAAI,MAAM,GAAgB,UAAU,CAAC,MAAM,CAAC;IAC5C,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;YAChC,GAAG,MAAM;YACT,WAAW,EAAE,MAAM;SACpB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAEvC,qCAAqC;QACrC,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,YAAY,GAChB,OAAO,EAAE,QAAQ,IAAI,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAE3F,OAAO,CAAC,IAAI,CACV,qCAAqC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;gBAClE,WAAW,cAAc,GAAG,IAAI,kBAAkB,YAAY,IAAI;gBAClE,+CAA+C,CAClD,CAAC;YAEF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,oEAAoE;QACpE,MAAM,KAAK,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,YAAY,YAAY,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IAC9E,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7F,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/utils/path-protection.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Three-tier path protection for sensitive files.
+ *
+ * Provides a non-overridable security layer that filters sensitive files
+ * BEFORE user-configurable ignorePatterns are applied. This ensures that
+ * secrets, credentials, and private keys are never sent to the LLM for review.
+ *
+ * Tiers:
+ *   1. ZERO_ACCESS  — hardcoded, content never sent to LLM, non-overridable
+ *   2. REDACT       — content replaced with redaction notice, path still visible
+ *   3. User ignore  — existing configurable ignorePatterns (handled in diff.ts)
+ */
+import type { DiffFile } from './diff.js';
+/** Redaction notice used to replace content of REDACT-tier files. */
+export declare const REDACTED_CONTENT = "[REDACTED \u2014 sensitive file detected by GHAGGA path protection]";
+/**
+ * Tier 1 — ZERO_ACCESS patterns.
+ *
+ * Files matching these patterns are completely blocked from the review
+ * pipeline. Their content is never sent to the LLM. These patterns are
+ * hardcoded and cannot be overridden by user configuration.
+ */
+export declare const ZERO_ACCESS_PATTERNS: readonly string[];
+/**
+ * Tier 2 — REDACT patterns.
+ *
+ * Files matching these patterns have their content replaced with a
+ * redaction notice. The file path is still visible in the review so
+ * reviewers know the file was changed, but the actual content is not
+ * sent to the LLM.
+ */
+export declare const REDACT_PATTERNS: readonly string[];
+/**
+ * Result of applying path protection to a set of diff files.
+ */
+export interface PathProtectionResult {
+    /** Files that passed all protection tiers — content untouched. */
+    allowed: DiffFile[];
+    /** Files matching REDACT patterns — content replaced with redaction notice. */
+    redacted: DiffFile[];
+    /** File paths matching ZERO_ACCESS patterns — completely blocked. */
+    blocked: string[];
+}
+/**
+ * Apply three-tier path protection to a set of diff files.
+ *
+ * This function is pure and deterministic. It processes files in the
+ * following order:
+ *   1. Check against REDACT patterns first — these are specific exceptions
+ *      (e.g., `.env.example`) that would otherwise be caught by broader
+ *      ZERO_ACCESS globs (e.g., `.env.*`). Content is replaced.
+ *   2. Check against ZERO_ACCESS patterns — block entirely
+ *   3. Everything else passes through untouched
+ *
+ * @param files - Array of DiffFile objects from the parsed diff
+ * @returns Object with allowed, redacted, and blocked files
+ */
+export declare function applyPathProtection(files: DiffFile[]): PathProtectionResult;
+//# sourceMappingURL=path-protection.d.ts.map

package/dist/utils/path-protection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-protection.d.ts","sourceRoot":"","sources":["../../src/utils/path-protection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAI1C,qEAAqE;AACrE,eAAO,MAAM,gBAAgB,wEAAmE,CAAC;AAEjG;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,EAAE,SAAS,MAAM,EA6CxC,CAAC;AAEX;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,MAAM,EAYnC,CAAC;AASX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,OAAO,EAAE,QAAQ,EAAE,CAAC;IAEpB,+EAA+E;IAC/E,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAErB,qEAAqE;IACrE,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,oBAAoB,CAyB3E"}