jstar-reviewer 3.0.0 → 3.0.1

package/README.md

@@ -1,49 +1,49 @@
-# J-Star Code Reviewer
-
-Local-first, context-aware code review with a deterministic security audit layer.
-
-## What it does
-
-- Builds a local vector index for repo-aware reviews
-- Runs hybrid reviews with deterministic checks plus LLM analysis
-- Produces machine-readable review output for automation
-- Runs a standalone deterministic security audit with markdown and JSON reports
-
-## Quick start
-
-```bash
-pnpm install
-pnpm run index:init
-git add .
-pnpm run review
-pnpm run audit
-```
-
-Review output:
-- `.jstar/last-review.md`
-- `.jstar/session.json`
-
-Audit output:
-- `.jstar/audit_report.md`
-- `.jstar/audit_report.json`
-
-## CLI
-
-```bash
-jstar setup
-jstar init
-jstar review
-jstar review --pr
-jstar audit
-jstar audit --path src
-jstar audit --json
-jstar chat --headless
-```
-
-## Notes
-
-- `review` requires `GEMINI_API_KEY` and `GROQ_API_KEY`
-- `audit` and `detect` do not require model keys
-- deterministic audit ignores live in `.jstar/audit-ignore.json`
-
-See [ONBOARDING.md](./ONBOARDING.md) and [docs/features/cli-commands.md](./docs/features/cli-commands.md) for details.
+# J-Star Code Reviewer
+
+Local-first, context-aware code review with a deterministic security audit layer.
+
+## What it does
+
+- Builds a local vector index for repo-aware reviews
+- Runs hybrid reviews with deterministic checks plus LLM analysis
+- Produces machine-readable review output for automation
+- Runs a standalone deterministic security audit with markdown and JSON reports
+
+## Quick start
+
+```bash
+pnpm install
+pnpm run index:init
+git add .
+pnpm run review
+pnpm run audit
+```
+
+Review output:
+- `.jstar/last-review.md`
+- `.jstar/session.json`
+
+Audit output:
+- `.jstar/audit_report.md`
+- `.jstar/audit_report.json`
+
+## CLI
+
+```bash
+jstar setup
+jstar init
+jstar review
+jstar review --pr
+jstar audit
+jstar audit --path src
+jstar audit --json
+jstar chat --headless
+```
+
+## Notes
+
+- `review` requires `GEMINI_API_KEY` and `GROQ_API_KEY`
+- `audit` and `detect` do not require model keys
+- deterministic audit ignores live in `.jstar/audit-ignore.json`
+
+See [ONBOARDING.md](./ONBOARDING.md) and [docs/features/cli-commands.md](./docs/features/cli-commands.md) for details.

package/bin/jstar.js

@@ -29,7 +29,7 @@ function log(msg) {
 
 function printHelp() {
     log(`
-${COLORS.bold}🌟 J-Star Reviewer v3.0.0${COLORS.reset}
+${COLORS.bold}🌟 J-Star Reviewer v3.0.1${COLORS.reset}
 
 ${COLORS.dim}AI-powered code review with local embeddings${COLORS.reset}
 
@@ -162,12 +162,12 @@ function runScript(scriptName) {
     });
 }
 
-const REQUIRED_ENV_VARS = {
-    'GEMINI_API_KEY': '# Required: Gemini API key (or GOOGLE_API_KEY)\nGEMINI_API_KEY=your_gemini_api_key_here',
-    'GROQ_API_KEY': '# Required: Groq API key for LLM reviews\nGROQ_API_KEY=your_groq_api_key_here',
-    'GEMINI_EMBEDDING_MODEL': '# Optional: Override the embedding model\n# GEMINI_EMBEDDING_MODEL=gemini-embedding-001',
-    'REVIEW_MODEL_NAME': '# Optional: Override the default model\n# REVIEW_MODEL_NAME=moonshotai/kimi-k2-instruct-0905'
-};
+const REQUIRED_ENV_VARS = {
+    'GEMINI_API_KEY': '# Required: Gemini API key (or GOOGLE_API_KEY)\nGEMINI_API_KEY=your_gemini_api_key_here',
+    'GROQ_API_KEY': '# Required: Groq API key for LLM reviews\nGROQ_API_KEY=your_groq_api_key_here',
+    'GEMINI_EMBEDDING_MODEL': '# Optional: Override the embedding model\n# GEMINI_EMBEDDING_MODEL=gemini-embedding-001',
+    'REVIEW_MODEL_NAME': '# Optional: Override the default model\n# REVIEW_MODEL_NAME=moonshotai/kimi-k2-instruct-0905'
+};
 
 function createSetupFiles() {
     const cwd = process.cwd();

package/dist/scripts/core/deterministic-audit.js

@@ -44,19 +44,237 @@ exports.runDeterministicAudit = runDeterministicAudit;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const simple_git_1 = __importDefault(require("simple-git"));
+const typescript_1 = __importDefault(require("typescript"));
+const logger_1 = require("../utils/logger");
 const project_1 = require("./project");
 exports.RULES_VERSION = "security-audit-v1";
+function readStringLiteral(source, start) {
+    const quote = source[start];
+    if (quote !== '"' && quote !== "'") {
+        return null;
+    }
+    let value = "";
+    for (let index = start + 1; index < source.length; index++) {
+        const char = source[index];
+        if (char === "\r" || char === "\n") {
+            return null;
+        }
+        if (char === "\\") {
+            if (index + 1 >= source.length) {
+                return null;
+            }
+            value += source.slice(index, index + 2);
+            index++;
+            continue;
+        }
+        if (char === quote) {
+            return { value, end: index + 1 };
+        }
+        value += char;
+    }
+    return null;
+}
+function isStatementTerminated(source, index) {
+    let cursor = index;
+    while (cursor < source.length) {
+        const char = source[cursor];
+        if (char === " " || char === "\t" || char === "\v" || char === "\f") {
+            cursor++;
+            continue;
+        }
+        if (char === ";") {
+            return true;
+        }
+        if (source.startsWith("//", cursor)) {
+            return true;
+        }
+        if (source.startsWith("/*", cursor)) {
+            const commentEnd = source.indexOf("*/", cursor + 2);
+            if (commentEnd === -1) {
+                return false;
+            }
+            cursor = commentEnd + 2;
+            continue;
+        }
+        return false;
+    }
+    return true;
+}
+function isUseClientDirectiveStatement(statement) {
+    const directive = readStringLiteral(statement, 0);
+    return directive?.value === "use client" && isStatementTerminated(statement, directive.end);
+}
+function collectStatementLines(content) {
+    const statements = [];
+    const lines = content.split(/\r?\n/);
+    let inBlockComment = false;
+    nextLine: for (let index = 0; index < lines.length; index++) {
+        const rawLine = lines[index];
+        const line = index === 0 ? rawLine.replace(/^\uFEFF/, "") : rawLine;
+        if (!inBlockComment && index === 0 && line.startsWith("#!")) {
+            continue;
+        }
+        let cursor = 0;
+        while (cursor < line.length) {
+            if (inBlockComment) {
+                const commentEnd = line.indexOf("*/", cursor);
+                if (commentEnd === -1) {
+                    continue nextLine;
+                }
+                inBlockComment = false;
+                cursor = commentEnd + 2;
+                continue;
+            }
+            const char = line[cursor];
+            if (char === " " || char === "\t" || char === "\v" || char === "\f") {
+                cursor++;
+                continue;
+            }
+            if (line.startsWith("//", cursor)) {
+                continue nextLine;
+            }
+            if (line.startsWith("/*", cursor)) {
+                inBlockComment = true;
+                cursor += 2;
+                continue;
+            }
+            statements.push({
+                line: index + 1,
+                text: line.slice(cursor),
+            });
+            continue nextLine;
+        }
+    }
+    return statements;
+}
+function hasUseClientAsFirstStatement(content) {
+    const firstStatement = collectStatementLines(content)[0];
+    return firstStatement ? isUseClientDirectiveStatement(firstStatement.text) : false;
+}
+function findUseClientDirectiveLine(content) {
+    return collectStatementLines(content).find((statement) => isUseClientDirectiveStatement(statement.text))?.line;
+}
+function getLanguageVariant(normalizedPath) {
+    return /\.(?:[jt]sx)$/i.test(normalizedPath) ? typescript_1.default.LanguageVariant.JSX : typescript_1.default.LanguageVariant.Standard;
+}
+function getScriptKind(normalizedPath) {
+    if (/\.tsx$/i.test(normalizedPath)) {
+        return typescript_1.default.ScriptKind.TSX;
+    }
+    if (/\.jsx$/i.test(normalizedPath)) {
+        return typescript_1.default.ScriptKind.JSX;
+    }
+    if (/\.js$/i.test(normalizedPath)) {
+        return typescript_1.default.ScriptKind.JS;
+    }
+    return typescript_1.default.ScriptKind.TS;
+}
+function maskTriviaText(text) {
+    return text.replace(/[^\r\n]/g, " ");
+}
+function shouldMaskInCodeView(kind) {
+    return (kind === typescript_1.default.SyntaxKind.SingleLineCommentTrivia ||
+        kind === typescript_1.default.SyntaxKind.MultiLineCommentTrivia ||
+        kind === typescript_1.default.SyntaxKind.ShebangTrivia ||
+        kind === typescript_1.default.SyntaxKind.StringLiteral ||
+        kind === typescript_1.default.SyntaxKind.NoSubstitutionTemplateLiteral ||
+        kind === typescript_1.default.SyntaxKind.TemplateHead ||
+        kind === typescript_1.default.SyntaxKind.TemplateMiddle ||
+        kind === typescript_1.default.SyntaxKind.TemplateTail ||
+        kind === typescript_1.default.SyntaxKind.JsxText ||
+        kind === typescript_1.default.SyntaxKind.JsxTextAllWhiteSpaces ||
+        kind === typescript_1.default.SyntaxKind.RegularExpressionLiteral);
+}
+function buildCodeView(content, normalizedPath) {
+    const scanner = typescript_1.default.createScanner(typescript_1.default.ScriptTarget.Latest, false, getLanguageVariant(normalizedPath), content);
+    let masked = "";
+    let cursor = 0;
+    for (let token = scanner.scan(); token !== typescript_1.default.SyntaxKind.EndOfFileToken; token = scanner.scan()) {
+        const tokenStart = scanner.getTokenPos();
+        const tokenEnd = scanner.getTextPos();
+        const tokenText = scanner.getTokenText();
+        if (tokenStart > cursor) {
+            masked += content.slice(cursor, tokenStart);
+        }
+        masked += shouldMaskInCodeView(token) ? maskTriviaText(tokenText) : tokenText;
+        cursor = tokenEnd;
+    }
+    if (cursor < content.length) {
+        masked += content.slice(cursor);
+    }
+    return masked;
+}
+function isTriviaToken(kind) {
+    return (kind === typescript_1.default.SyntaxKind.SingleLineCommentTrivia ||
+        kind === typescript_1.default.SyntaxKind.MultiLineCommentTrivia ||
+        kind === typescript_1.default.SyntaxKind.NewLineTrivia ||
+        kind === typescript_1.default.SyntaxKind.WhitespaceTrivia ||
+        kind === typescript_1.default.SyntaxKind.ShebangTrivia);
+}
+function collectSignificantTokens(content, normalizedPath) {
+    const sourceFile = typescript_1.default.createSourceFile(normalizedPath, content, typescript_1.default.ScriptTarget.Latest, false, getScriptKind(normalizedPath));
+    const scanner = typescript_1.default.createScanner(typescript_1.default.ScriptTarget.Latest, false, getLanguageVariant(normalizedPath), content);
+    const tokens = [];
+    for (let kind = scanner.scan(); kind !== typescript_1.default.SyntaxKind.EndOfFileToken; kind = scanner.scan()) {
+        if (isTriviaToken(kind)) {
+            continue;
+        }
+        tokens.push({
+            kind,
+            line: typescript_1.default.getLineAndCharacterOfPosition(sourceFile, scanner.getTokenPos()).line + 1,
+            text: scanner.getTokenText(),
+        });
+    }
+    return tokens;
+}
+const SECRET_NAME_PATTERN = /^(?:api[_-]?key|password|(?:access|auth|bearer|client|refresh|session)?[_-]?(?:secret|token))$/i;
+function normalizeTokenName(token) {
+    if (token.kind === typescript_1.default.SyntaxKind.Identifier) {
+        return token.text;
+    }
+    if (token.kind === typescript_1.default.SyntaxKind.StringLiteral) {
+        return token.text.slice(1, -1);
+    }
+    return null;
+}
+function readStringTokenValue(token) {
+    if (token.kind === typescript_1.default.SyntaxKind.StringLiteral || token.kind === typescript_1.default.SyntaxKind.NoSubstitutionTemplateLiteral) {
+        return token.text.slice(1, -1);
+    }
+    return null;
+}
+function scanHardcodedSecrets(content, normalizedPath) {
+    const findings = [];
+    const tokens = collectSignificantTokens(content, normalizedPath);
+    for (let index = 0; index < tokens.length - 2; index++) {
+        const token = tokens[index];
+        const candidateName = normalizeTokenName(token);
+        if (!candidateName || !SECRET_NAME_PATTERN.test(candidateName)) {
+            continue;
+        }
+        const operator = tokens[index + 1];
+        if (operator.kind !== typescript_1.default.SyntaxKind.EqualsToken && operator.kind !== typescript_1.default.SyntaxKind.ColonToken) {
+            continue;
+        }
+        const value = readStringTokenValue(tokens[index + 2]);
+        if (!value || value.length < 10) {
+            continue;
+        }
+        findings.push({
+            ruleId: "SEC-001",
+            title: "Hardcoded secret in source",
+            severity: "CRITICAL",
+            category: "SECURITY",
+            file: normalizedPath,
+            line: token.line,
+            message: "Possible hardcoded credential detected in source.",
+            recommendation: "Move the credential to environment configuration and rotate the exposed secret.",
+            source: "deterministic",
+        });
+    }
+    return findings;
+}
 const LINE_RULES = [
-    {
-        id: "SEC-001",
-        title: "Hardcoded secret in source",
-        severity: "CRITICAL",
-        category: "SECURITY",
-        recommendation: "Move the credential to environment configuration and rotate the exposed secret.",
-        pattern: /(api[_-]?key|secret|password|token)\s*[:=]\s*['"`][A-Za-z0-9._-]{10,}['"`]/i,
-        excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
-        buildMessage: () => "Possible hardcoded credential detected in source.",
-    },
     {
         id: "SEC-002",
         title: "Dynamic code execution",
@@ -66,6 +284,7 @@ const LINE_RULES = [
         pattern: /\b(?:eval|Function)\s*\(/,
         excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
         buildMessage: () => "Dynamic code execution can allow arbitrary code paths and should be avoided.",
+        sourceView: "code",
     },
     {
         id: "SEC-003",
@@ -76,6 +295,7 @@ const LINE_RULES = [
         pattern: /\b(?:\$queryRawUnsafe|\$executeRawUnsafe|queryRawUnsafe|executeRawUnsafe)\s*\(/,
         excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
         buildMessage: () => "Unsafe raw SQL helper detected; untrusted input can reach the database without parameterization.",
+        sourceView: "code",
     },
     {
         id: "SEC-004",
@@ -86,6 +306,7 @@ const LINE_RULES = [
         pattern: /dangerouslySetInnerHTML\s*=\s*\{\{/,
         excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
         buildMessage: () => "Raw HTML injection sink detected.",
+        sourceView: "code",
     },
     {
         id: "QLT-001",
@@ -96,6 +317,7 @@ const LINE_RULES = [
         pattern: /console\.log\(/,
         excludePattern: /(bin\/jstar\.js|scripts\/utils\/logger\.ts|setup\.js|test\/)/i,
         buildMessage: () => "console.log left in source can leak noisy or sensitive runtime details.",
+        sourceView: "code",
     },
     {
         id: "QLT-002",
@@ -113,15 +335,24 @@ const FILE_RULES = [
         title: '"use client" is not the first statement',
         severity: "HIGH",
         category: "LOGIC",
-        recommendation: 'Move the "use client" directive to the top of the module before imports or comments.',
+        recommendation: 'Move the "use client" directive above imports and executable statements so it stays the first statement in the module.',
         filePattern: /\.tsx?$/i,
         excludePattern: /(scripts|test)\//i,
-        test: /^(?!(?:\s*|(?:\/\/[^\n]*\n)|(?:\/\*[\s\S]*?\*\/))*['"]use client['"]).*['"]use client['"]/s,
-        message: 'Next.js requires "use client" to appear before any other statement in the file.',
-        line: 1,
+        test: (content) => Boolean(findUseClientDirectiveLine(content)) && !hasUseClientAsFirstStatement(content),
+        message: 'Next.js requires "use client" to be the first statement in the file.',
+        line: (content) => findUseClientDirectiveLine(content) ?? 1,
     },
 ];
 const CUSTOM_RULES = [
+    {
+        id: "SEC-001",
+        title: "Hardcoded secret in source",
+        severity: "CRITICAL",
+        category: "SECURITY",
+        recommendation: "Move the credential to environment configuration and rotate the exposed secret.",
+        excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
+        scan: (content, normalizedPath) => scanHardcodedSecrets(content, normalizedPath),
+    },
     {
         id: "SEC-005",
         title: "Server env var referenced in client module",
@@ -131,38 +362,39 @@ const CUSTOM_RULES = [
         filePattern: /\.tsx?$/i,
         excludePattern: /(^|\/)(test|tests|fixtures?|mocks?|spec)\//i,
         scan: (content, normalizedPath) => {
-            if (!/^\s*['"]use client['"]/m.test(content)) {
+            if (!hasUseClientAsFirstStatement(content)) {
                 return [];
             }
             const findings = [];
-            const lines = content.split("\n");
+            const codeView = buildCodeView(content, normalizedPath);
+            const sourceFile = typescript_1.default.createSourceFile(normalizedPath, content, typescript_1.default.ScriptTarget.Latest, false, getScriptKind(normalizedPath));
             const envPattern = /process\.env\.([A-Z0-9_]+)/g;
-            lines.forEach((line, index) => {
-                let match;
-                while ((match = envPattern.exec(line)) !== null) {
-                    const envName = match[1];
-                    if (envName.startsWith("NEXT_PUBLIC_")) {
-                        continue;
-                    }
-                    findings.push({
-                        ruleId: "SEC-005",
-                        title: "Server env var referenced in client module",
-                        severity: "CRITICAL",
-                        category: "SECURITY",
-                        file: normalizedPath,
-                        line: index + 1,
-                        message: `Client component references server-only environment variable "${envName}".`,
-                        recommendation: "Move the access to a server-only boundary or expose a safe NEXT_PUBLIC_ value instead.",
-                        source: "deterministic",
-                    });
+            let match;
+            envPattern.lastIndex = 0;
+            while ((match = envPattern.exec(codeView)) !== null) {
+                const envName = match[1];
+                if (envName.startsWith("NEXT_PUBLIC_")) {
+                    continue;
                 }
-            });
+                findings.push({
+                    ruleId: "SEC-005",
+                    title: "Server env var referenced in client module",
+                    severity: "CRITICAL",
+                    category: "SECURITY",
+                    file: normalizedPath,
+                    line: typescript_1.default.getLineAndCharacterOfPosition(sourceFile, match.index).line + 1,
+                    message: `Client component references server-only environment variable "${envName}".`,
+                    recommendation: "Move the access to a server-only boundary or expose a safe NEXT_PUBLIC_ value instead.",
+                    source: "deterministic",
+                });
+            }
             return findings;
         },
     },
 ];
 const AUDIT_IGNORE_FILE = path.join(".jstar", "audit-ignore.json");
 const REQUIRED_GITIGNORE_PATTERNS = [".env", ".env.local", "node_modules", "*.pem", "*.key"];
+const MAX_AUDIT_FILE_SIZE_BYTES = 1024 * 1024;
 const SEVERITY_RANK = {
     CRITICAL: 0,
     HIGH: 1,
@@ -221,12 +453,15 @@ function mapAuditSeverityToReviewSeverity(severity) {
 }
 function scanFileContent(content, normalizedPath) {
     const findings = [];
-    const lines = content.split("\n");
+    const rawLines = content.split(/\r?\n/);
+    const codeLines = buildCodeView(content, normalizedPath).split(/\r?\n/);
     for (const rule of LINE_RULES) {
         if (!shouldApplyRule(rule, normalizedPath)) {
             continue;
         }
+        const lines = rule.sourceView === "code" ? codeLines : rawLines;
         lines.forEach((line, index) => {
+            rule.pattern.lastIndex = 0;
             if (!rule.pattern.test(line)) {
                 return;
             }
@@ -247,16 +482,17 @@ function scanFileContent(content, normalizedPath) {
         if (!shouldApplyRule(rule, normalizedPath)) {
             continue;
         }
-        if (!rule.test.test(content)) {
+        if (!rule.test(content)) {
             continue;
         }
+        const line = typeof rule.line === "function" ? rule.line(content) : rule.line;
         findings.push({
             ruleId: rule.id,
             title: rule.title,
             severity: rule.severity,
             category: rule.category,
             file: normalizedPath,
-            line: rule.line,
+            line,
             message: rule.message,
             recommendation: rule.recommendation,
             source: "deterministic",
@@ -381,6 +617,7 @@ async function runRepositoryChecks(cwd) {
         });
     }
     catch {
+        logger_1.Logger.warn("Repository checks skipped: unable to access git metadata.");
         // Repository checks are best-effort outside git worktrees.
     }
     return findings;
@@ -396,12 +633,22 @@ async function runDeterministicAudit(options) {
         .filter((filePath) => (0, project_1.isCodeFile)(filePath))
         .sort((left, right) => left.localeCompare(right));
     const rawFindings = [];
+    let scannedFiles = 0;
     for (const filePath of uniqueFiles) {
         const absolutePath = path.resolve(cwd, filePath);
-        if (!fs.existsSync(absolutePath) || !fs.statSync(absolutePath).isFile()) {
+        if (!fs.existsSync(absolutePath)) {
+            continue;
+        }
+        const fileStats = fs.statSync(absolutePath);
+        if (!fileStats.isFile()) {
+            continue;
+        }
+        if (fileStats.size > MAX_AUDIT_FILE_SIZE_BYTES) {
+            logger_1.Logger.warn(`Skipping deterministic audit for "${filePath}" because it exceeds ${MAX_AUDIT_FILE_SIZE_BYTES} bytes.`);
             continue;
         }
         const content = fs.readFileSync(absolutePath, "utf-8");
+        scannedFiles++;
         rawFindings.push(...scanFileContent(content, filePath));
     }
     if (includeRepositoryChecks) {
@@ -410,7 +657,7 @@ async function runDeterministicAudit(options) {
     const ignores = loadAuditIgnores(cwd);
     const { findings, ignoredFindings } = applyIgnores(sortFindings(rawFindings), ignores);
     const summary = {
-        filesScanned: uniqueFiles.length,
+        filesScanned: scannedFiles,
         findings: findings.length,
         critical: findings.filter((finding) => finding.severity === "CRITICAL").length,
         high: findings.filter((finding) => finding.severity === "HIGH").length,

package/dist/scripts/core/review-findings.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.severityMax = severityMax;
+exports.mergeFindings = mergeFindings;
+const SEVERITY_RANK = {
+    P0_CRITICAL: 0,
+    P1_HIGH: 1,
+    P2_MEDIUM: 2,
+    LGTM: 3,
+};
+function severityMax(left, right) {
+    return SEVERITY_RANK[left] <= SEVERITY_RANK[right] ? left : right;
+}
+function buildIssueKey(issue) {
+    return `${issue.line ?? 0}:${issue.title.trim().toLowerCase()}`;
+}
+function issuePriority(issue) {
+    return (issue.source === "deterministic" ? 10 : 0) + (issue.confidenceScore ?? 0);
+}
+function mergeIssue(existing, incoming) {
+    const preferred = issuePriority(existing) >= issuePriority(incoming) ? existing : incoming;
+    const fallback = preferred === existing ? incoming : existing;
+    const confidenceScore = Math.max(existing.confidenceScore ?? 0, incoming.confidenceScore ?? 0);
+    return {
+        ...fallback,
+        ...preferred,
+        description: preferred.description.length >= fallback.description.length ? preferred.description : fallback.description,
+        fixPrompt: preferred.fixPrompt.length >= fallback.fixPrompt.length ? preferred.fixPrompt : fallback.fixPrompt,
+        confidenceScore: confidenceScore > 0 ? confidenceScore : undefined,
+        ruleId: preferred.ruleId ?? fallback.ruleId,
+        source: preferred.source ?? fallback.source,
+        status: preferred.status ?? fallback.status,
+    };
+}
+function dedupeIssues(issues) {
+    const deduped = new Map();
+    issues.forEach((issue) => {
+        const key = buildIssueKey(issue);
+        const existing = deduped.get(key);
+        if (!existing) {
+            deduped.set(key, { ...issue });
+            return;
+        }
+        deduped.set(key, mergeIssue(existing, issue));
+    });
+    return [...deduped.values()];
+}
+function mergeFindings(primary, secondary) {
+    const grouped = new Map();
+    const insert = (finding) => {
+        const existing = grouped.get(finding.file);
+        if (!existing) {
+            grouped.set(finding.file, {
+                ...finding,
+                issues: dedupeIssues(finding.issues),
+            });
+            return;
+        }
+        existing.severity = severityMax(existing.severity, finding.severity);
+        existing.issues = dedupeIssues([...existing.issues, ...finding.issues]);
+    };
+    primary.forEach(insert);
+    secondary.forEach(insert);
+    return [...grouped.values()]
+        .map((finding) => ({
+        ...finding,
+        issues: finding.issues.sort((left, right) => {
+            const lineDelta = (left.line ?? 0) - (right.line ?? 0);
+            if (lineDelta !== 0) {
+                return lineDelta;
+            }
+            return left.title.localeCompare(right.title);
+        }),
+    }))
+        .sort((left, right) => left.file.localeCompare(right.file));
+}