karajan-code 1.16.0 → 1.18.0

package/src/config.js

@@ -17,7 +17,8 @@ const DEFAULTS = {
     tester: { provider: null, model: null },
     security: { provider: null, model: null },
     triage: { provider: null, model: null },
-    discover: { provider: null, model: null }
+    discover: { provider: null, model: null },
+    architect: { provider: null, model: null }
   },
   pipeline: {
     planner: { enabled: false },
@@ -27,7 +28,8 @@ const DEFAULTS = {
     tester: { enabled: true },
     security: { enabled: true },
     triage: { enabled: true },
-    discover: { enabled: false }
+    discover: { enabled: false },
+    architect: { enabled: false }
   },
   review_mode: "standard",
   max_iterations: 5,
@@ -138,6 +140,25 @@ const DEFAULTS = {
     max_backoff_ms: 30000,
     backoff_multiplier: 2,
     jitter_factor: 0.1
+  },
+  guards: {
+    output: {
+      enabled: true,
+      patterns: [],
+      protected_files: [],
+      on_violation: "block"
+    },
+    perf: {
+      enabled: true,
+      patterns: [],
+      block_on_warning: false,
+      frontend_extensions: []
+    },
+    intent: {
+      enabled: false,
+      patterns: [],
+      confidence_threshold: 0.85
+    }
   }
 };
 
@@ -221,96 +242,144 @@ export async function writeConfig(configPath, config) {
   await fs.writeFile(configPath, yaml.dump(config, { lineWidth: 120 }), "utf8");
 }
 
-export function applyRunOverrides(config, flags) {
-  const out = mergeDeep(config, {});
-  out.coder_options = out.coder_options || {};
-  out.reviewer_options = out.reviewer_options || {};
-  out.session = out.session || {};
-  out.git = out.git || {};
-  out.development = out.development || {};
-  out.sonarqube = out.sonarqube || {};
-  if (out.max_budget_usd === undefined || out.max_budget_usd === null) {
-    out.max_budget_usd = out.session.max_budget_usd ?? null;
-  }
-  out.budget = mergeDeep(DEFAULTS.budget, out.budget || {});
-  out.roles = mergeDeep(DEFAULTS.roles, out.roles || {});
-  out.pipeline = mergeDeep(DEFAULTS.pipeline, out.pipeline || {});
+// Declarative mappings for applyRunOverrides to reduce cognitive complexity.
+
+// Role provider flags: [flagName, roleName] — truthy check
+const ROLE_PROVIDER_FLAGS = [
+  ["planner", "planner"], ["coder", "coder"], ["reviewer", "reviewer"],
+  ["refactorer", "refactorer"], ["solomon", "solomon"], ["researcher", "researcher"],
+  ["tester", "tester"], ["security", "security"], ["triage", "triage"],
+  ["discover", "discover"], ["architect", "architect"]
+];
+
+// Role model flags: [flagName, roleName] — truthy check, String coercion
+const ROLE_MODEL_FLAGS = [
+  ["plannerModel", "planner"], ["coderModel", "coder"], ["reviewerModel", "reviewer"],
+  ["refactorerModel", "refactorer"], ["solomonModel", "solomon"], ["discoverModel", "discover"],
+  ["architectModel", "architect"]
+];
 
-  if (flags.planner) out.roles.planner.provider = flags.planner;
+// Pipeline enable flags: [flagName, pipelineKey] — !== undefined check, Boolean coercion
+const PIPELINE_ENABLE_FLAGS = [
+  ["enablePlanner", "planner"], ["enableRefactorer", "refactorer"],
+  ["enableSolomon", "solomon"], ["enableResearcher", "researcher"],
+  ["enableTester", "tester"], ["enableSecurity", "security"],
+  ["enableTriage", "triage"], ["enableDiscover", "discover"],
+  ["enableArchitect", "architect"]
+];
+
+// Scalar flags: [flagName, setter] — truthy check
+const SCALAR_FLAGS = [
+  ["mode", (out, v) => { out.review_mode = v; }],
+  ["maxIterations", (out, v) => { out.max_iterations = Number(v); }],
+  ["maxIterationMinutes", (out, v) => { out.session.max_iteration_minutes = Number(v); }],
+  ["maxTotalMinutes", (out, v) => { out.session.max_total_minutes = Number(v); }],
+  ["checkpointInterval", (out, v) => { out.session.checkpoint_interval_minutes = Number(v); }],
+  ["baseBranch", (out, v) => { out.base_branch = v; }],
+  ["coderFallback", (out, v) => { out.coder_options.fallback_coder = v; }],
+  ["reviewerFallback", (out, v) => { out.reviewer_options.fallback_reviewer = v; }],
+  ["taskType", (out, v) => { out.taskType = String(v); }],
+  ["branchPrefix", (out, v) => { out.git.branch_prefix = String(v); }]
+];
+
+// Boolean/undefined-check flags: [flagName, setter] — !== undefined check
+const UNDEF_CHECK_FLAGS = [
+  ["reviewerRetries", (out, v) => { out.reviewer_options.retries = Number(v); }],
+  ["autoCommit", (out, v) => { out.git.auto_commit = Boolean(v); }],
+  ["autoPush", (out, v) => { out.git.auto_push = Boolean(v); }],
+  ["autoPr", (out, v) => { out.git.auto_pr = Boolean(v); }],
+  ["autoRebase", (out, v) => { out.git.auto_rebase = Boolean(v); }],
+  ["enableSerena", (out, v) => { out.serena.enabled = Boolean(v); }]
+];
+
+function applyRoleOverrides(out, flags) {
+  for (const [flag, role] of ROLE_PROVIDER_FLAGS) {
+    if (flags[flag]) out.roles[role].provider = flags[flag];
+  }
+  // coder/reviewer also update top-level aliases
   if (flags.coder) out.coder = flags.coder;
-  if (flags.coder) out.roles.coder.provider = flags.coder;
   if (flags.reviewer) out.reviewer = flags.reviewer;
-  if (flags.reviewer) out.roles.reviewer.provider = flags.reviewer;
-  if (flags.refactorer) out.roles.refactorer.provider = flags.refactorer;
-  if (flags.solomon) out.roles.solomon.provider = flags.solomon;
-  if (flags.researcher) out.roles.researcher.provider = flags.researcher;
-  if (flags.tester) out.roles.tester.provider = flags.tester;
-  if (flags.security) out.roles.security.provider = flags.security;
-  if (flags.triage) out.roles.triage.provider = flags.triage;
-  if (flags.discover) out.roles.discover.provider = flags.discover;
-  if (flags.discoverModel) out.roles.discover.model = String(flags.discoverModel);
-  if (flags.enableDiscover !== undefined) out.pipeline.discover.enabled = Boolean(flags.enableDiscover);
-  if (flags.plannerModel) out.roles.planner.model = String(flags.plannerModel);
-  if (flags.coderModel) {
-    out.roles.coder.model = String(flags.coderModel);
+
+  for (const [flag, role] of ROLE_MODEL_FLAGS) {
+    if (flags[flag]) out.roles[role].model = String(flags[flag]);
   }
-  if (flags.reviewerModel) {
-    out.roles.reviewer.model = String(flags.reviewerModel);
-    out.reviewer_options.model = String(flags.reviewerModel);
+  // reviewerModel also updates reviewer_options
+  if (flags.reviewerModel) out.reviewer_options.model = String(flags.reviewerModel);
+}
+
+function applyPipelineOverrides(out, flags) {
+  for (const [flag, key] of PIPELINE_ENABLE_FLAGS) {
+    if (flags[flag] !== undefined) out.pipeline[key].enabled = Boolean(flags[flag]);
   }
-  if (flags.refactorerModel) out.roles.refactorer.model = String(flags.refactorerModel);
-  if (flags.solomonModel) out.roles.solomon.model = String(flags.solomonModel);
-  if (flags.enablePlanner !== undefined) out.pipeline.planner.enabled = Boolean(flags.enablePlanner);
-  if (flags.enableRefactorer !== undefined) out.pipeline.refactorer.enabled = Boolean(flags.enableRefactorer);
-  if (flags.enableSolomon !== undefined) out.pipeline.solomon.enabled = Boolean(flags.enableSolomon);
-  if (flags.enableResearcher !== undefined) out.pipeline.researcher.enabled = Boolean(flags.enableResearcher);
-  if (flags.enableTester !== undefined) out.pipeline.tester.enabled = Boolean(flags.enableTester);
-  if (flags.enableSecurity !== undefined) out.pipeline.security.enabled = Boolean(flags.enableSecurity);
   if (flags.enableReviewer !== undefined) {
     out.pipeline.reviewer = out.pipeline.reviewer || {};
     out.pipeline.reviewer.enabled = Boolean(flags.enableReviewer);
   }
-  if (flags.enableTriage !== undefined) out.pipeline.triage.enabled = Boolean(flags.enableTriage);
-  if (flags.mode) out.review_mode = flags.mode;
-  if (flags.maxIterations) out.max_iterations = Number(flags.maxIterations);
-  if (flags.maxIterationMinutes) out.session.max_iteration_minutes = Number(flags.maxIterationMinutes);
-  if (flags.maxTotalMinutes) out.session.max_total_minutes = Number(flags.maxTotalMinutes);
-  if (flags.checkpointInterval) out.session.checkpoint_interval_minutes = Number(flags.checkpointInterval);
-  if (flags.baseBranch) out.base_branch = flags.baseBranch;
-  if (flags.coderFallback) out.coder_options.fallback_coder = flags.coderFallback;
-  if (flags.reviewerFallback) out.reviewer_options.fallback_reviewer = flags.reviewerFallback;
-  if (flags.reviewerRetries !== undefined) out.reviewer_options.retries = Number(flags.reviewerRetries);
-  if (flags.autoCommit !== undefined) out.git.auto_commit = Boolean(flags.autoCommit);
-  if (flags.autoPush !== undefined) out.git.auto_push = Boolean(flags.autoPush);
-  if (flags.autoPr !== undefined) out.git.auto_pr = Boolean(flags.autoPr);
-  if (flags.autoRebase !== undefined) out.git.auto_rebase = Boolean(flags.autoRebase);
-  if (flags.branchPrefix) out.git.branch_prefix = String(flags.branchPrefix);
-  if (flags.methodology) {
-    const methodology = String(flags.methodology).toLowerCase();
-    out.development = out.development || {};
-    out.development.methodology = methodology;
-    out.development.require_test_changes = methodology === "tdd";
+}
+
+function applyScalarAndBooleanOverrides(out, flags) {
+  for (const [flag, setter] of SCALAR_FLAGS) {
+    if (flags[flag]) setter(out, flags[flag]);
+  }
+  for (const [flag, setter] of UNDEF_CHECK_FLAGS) {
+    if (flags[flag] !== undefined) setter(out, flags[flag]);
   }
-  if (flags.taskType) out.taskType = String(flags.taskType);
-  if (flags.noSonar || flags.sonar === false) out.sonarqube.enabled = false;
-  out.serena = out.serena || { enabled: false };
-  if (flags.enableSerena !== undefined) out.serena.enabled = Boolean(flags.enableSerena);
+}
+
+function applyMethodologyOverride(out, flags) {
+  if (!flags.methodology) return;
+  const methodology = String(flags.methodology).toLowerCase();
+  out.development.methodology = methodology;
+  out.development.require_test_changes = methodology === "tdd";
+}
+
+function applyBecariaOverride(out, flags) {
   out.becaria = out.becaria || { enabled: false };
-  if (flags.enableBecaria !== undefined) {
-    out.becaria.enabled = Boolean(flags.enableBecaria);
-    // BecarIA requires git automation (commit + push + PR)
-    if (out.becaria.enabled) {
-      out.git.auto_commit = true;
-      out.git.auto_push = true;
-      out.git.auto_pr = true;
-    }
+  if (flags.enableBecaria === undefined) return;
+  out.becaria.enabled = Boolean(flags.enableBecaria);
+  // BecarIA requires git automation (commit + push + PR)
+  if (out.becaria.enabled) {
+    out.git.auto_commit = true;
+    out.git.auto_push = true;
+    out.git.auto_pr = true;
   }
+}
+
+function applyMiscOverrides(out, flags) {
+  if (flags.noSonar || flags.sonar === false) out.sonarqube.enabled = false;
+
   out.planning_game = out.planning_game || {};
   if (flags.pgTask) out.planning_game.enabled = true;
   if (flags.pgProject) out.planning_game.project_id = flags.pgProject;
+
   out.model_selection = out.model_selection || { enabled: true, tiers: {}, role_overrides: {} };
   if (flags.smartModels === true) out.model_selection.enabled = true;
   if (flags.smartModels === false || flags.noSmartModels === true) out.model_selection.enabled = false;
+}
+
+export function applyRunOverrides(config, flags) {
+  const out = mergeDeep(config, {});
+  out.coder_options = out.coder_options || {};
+  out.reviewer_options = out.reviewer_options || {};
+  out.session = out.session || {};
+  out.git = out.git || {};
+  out.development = out.development || {};
+  out.sonarqube = out.sonarqube || {};
+  if (out.max_budget_usd === undefined || out.max_budget_usd === null) {
+    out.max_budget_usd = out.session.max_budget_usd ?? null;
+  }
+  out.budget = mergeDeep(DEFAULTS.budget, out.budget || {});
+  out.roles = mergeDeep(DEFAULTS.roles, out.roles || {});
+  out.pipeline = mergeDeep(DEFAULTS.pipeline, out.pipeline || {});
+  out.serena = out.serena || { enabled: false };
+
+  applyRoleOverrides(out, flags);
+  applyPipelineOverrides(out, flags);
+  applyScalarAndBooleanOverrides(out, flags);
+  applyMethodologyOverride(out, flags);
+  applyBecariaOverride(out, flags);
+  applyMiscOverrides(out, flags);
+
   return out;
 }
 
@@ -323,45 +392,57 @@ export function resolveRole(config, role) {
   let provider = roleConfig.provider ?? null;
   if (!provider && role === "coder") provider = legacyCoder;
   if (!provider && role === "reviewer") provider = legacyReviewer;
-  if (!provider && (role === "planner" || role === "refactorer" || role === "solomon" || role === "researcher" || role === "tester" || role === "security" || role === "triage" || role === "discover")) {
+  if (!provider && (role === "planner" || role === "refactorer" || role === "solomon" || role === "researcher" || role === "tester" || role === "security" || role === "triage" || role === "discover" || role === "architect")) {
     provider = roles.coder?.provider || legacyCoder;
   }
 
   let model = roleConfig.model ?? null;
   if (!model && role === "coder") model = config?.coder_options?.model ?? null;
   if (!model && role === "reviewer") model = config?.reviewer_options?.model ?? null;
-  if (!model && (role === "planner" || role === "refactorer" || role === "solomon" || role === "researcher" || role === "tester" || role === "security" || role === "triage" || role === "discover")) {
+  if (!model && (role === "planner" || role === "refactorer" || role === "solomon" || role === "researcher" || role === "tester" || role === "security" || role === "triage" || role === "discover" || role === "architect")) {
     model = config?.coder_options?.model ?? null;
   }
 
   return { provider, model };
 }
 
+// Pipeline roles checked when commandName is "run": [pipelineKey, roleName]
+const RUN_PIPELINE_ROLES = [
+  ["reviewer", "reviewer"], ["triage", "triage"], ["planner", "planner"],
+  ["refactorer", "refactorer"], ["researcher", "researcher"],
+  ["tester", "tester"], ["security", "security"]
+];
+
+// Direct command-to-role mapping for non-"run" commands
+const COMMAND_ROLE_MAP = {
+  discover: ["discover"],
+  plan: ["planner"],
+  code: ["coder"],
+  review: ["reviewer"]
+};
+
 function requiredRolesFor(commandName, config) {
-  if (commandName === "run") {
-    const required = ["coder"];
-    if (config?.pipeline?.reviewer?.enabled !== false) required.push("reviewer");
-    if (config?.pipeline?.triage?.enabled) required.push("triage");
-    if (config?.pipeline?.planner?.enabled) required.push("planner");
-    if (config?.pipeline?.refactorer?.enabled) required.push("refactorer");
-    if (config?.pipeline?.researcher?.enabled) required.push("researcher");
-    if (config?.pipeline?.tester?.enabled) required.push("tester");
-    if (config?.pipeline?.security?.enabled) required.push("security");
-    return required;
+  if (commandName !== "run") {
+    return COMMAND_ROLE_MAP[commandName] || [];
+  }
+  const required = ["coder"];
+  for (const [pipelineKey, roleName] of RUN_PIPELINE_ROLES) {
+    const pipelineEntry = config?.pipeline?.[pipelineKey];
+    // reviewer defaults to enabled (only excluded if explicitly false)
+    const isEnabled = pipelineKey === "reviewer"
+      ? pipelineEntry?.enabled !== false
+      : Boolean(pipelineEntry?.enabled);
+    if (isEnabled) required.push(roleName);
   }
-  if (commandName === "discover") return ["discover"];
-  if (commandName === "plan") return ["planner"];
-  if (commandName === "code") return ["coder"];
-  if (commandName === "review") return ["reviewer"];
-  return [];
+  return required;
 }
 
 export function validateConfig(config, commandName = "run") {
   const errors = [];
-  if (!["paranoid", "strict", "standard", "relaxed", "custom"].includes(config.review_mode)) {
+  if (!new Set(["paranoid", "strict", "standard", "relaxed", "custom"]).has(config.review_mode)) {
     errors.push(`Invalid review_mode: ${config.review_mode}`);
   }
-  if (!["tdd", "standard"].includes(config.development?.methodology)) {
+  if (!new Set(["tdd", "standard"]).has(config.development?.methodology)) {
     errors.push(`Invalid development.methodology: ${config.development?.methodology}`);
   }
 

package/src/git/automation.js

@@ -19,7 +19,7 @@ import {
 
 export function commitMessageFromTask(task) {
   const clean = String(task || "")
-    .replace(/\s+/g, " ")
+    .replaceAll(/\s+/g, " ")
     .trim();
   return `feat: ${clean.slice(0, 72) || "karajan update"}`;
 }
@@ -72,8 +72,7 @@ export function buildPrBody({ task, stageResults }) {
   const shouldDecompose = stageResults?.triage?.shouldDecompose;
   const pendingSubtasks = shouldDecompose && triageSubtasks?.length > 1 ? triageSubtasks.slice(1) : [];
   if (pendingSubtasks.length > 0) {
-    sections.push("", "## Pending subtasks");
-    sections.push("This PR addresses part of a larger task. The following subtasks were identified but not included:");
+    sections.push("", "## Pending subtasks", "This PR addresses part of a larger task. The following subtasks were identified but not included:");
     for (const subtask of pendingSubtasks) {
       sections.push(`- [ ] ${subtask}`);
     }
@@ -115,7 +114,7 @@ export async function earlyPrCreation({ gitCtx, task, logger, session, stageResu
   logger.info(`Early PR created: ${prUrl}`);
 
   // Extract PR number from URL (e.g. https://github.com/owner/repo/pull/42)
-  const prNumber = parseInt(prUrl.split("/").pop(), 10) || null;
+  const prNumber = Number.parseInt(prUrl.split("/").pop(), 10) || null;
   return { prNumber, prUrl, commits };
 }
 

package/src/guards/intent-guard.js

@@ -0,0 +1,123 @@
+import { VALID_TASK_TYPES } from "./policy-resolver.js";
+
+/**
+ * Built-in intent patterns for deterministic pre-triage classification.
+ * Each pattern maps keywords/regex to a taskType + complexity level.
+ * Evaluated top-down; first match with confidence >= threshold wins.
+ */
+const INTENT_PATTERNS = [
+  // Documentation-only tasks
+  {
+    id: "doc-readme",
+    keywords: ["readme", "docs", "documentation", "jsdoc", "typedoc", "changelog"],
+    taskType: "doc",
+    level: "trivial",
+    confidence: 0.95,
+    message: "Documentation-only task detected",
+  },
+  // Test-only tasks
+  {
+    id: "add-tests",
+    keywords: ["add test", "write test", "missing test", "test coverage", "add spec", "write spec", "unit test", "integration test"],
+    taskType: "add-tests",
+    level: "simple",
+    confidence: 0.9,
+    message: "Test-addition task detected",
+  },
+  // Refactoring tasks
+  {
+    id: "refactor",
+    keywords: ["refactor", "rename", "extract method", "extract function", "clean up", "cleanup", "reorganize", "restructure", "simplify"],
+    taskType: "refactor",
+    level: "simple",
+    confidence: 0.85,
+    message: "Refactoring task detected",
+  },
+  // Infrastructure / DevOps tasks
+  {
+    id: "infra-devops",
+    keywords: ["ci/cd", "pipeline", "dockerfile", "docker-compose", "kubernetes", "k8s", "terraform", "deploy", "nginx", "github actions", "gitlab ci"],
+    taskType: "infra",
+    level: "simple",
+    confidence: 0.85,
+    message: "Infrastructure/DevOps task detected",
+  },
+  // Trivial fixes (typos, comments, formatting)
+  {
+    id: "trivial-fix",
+    keywords: ["typo", "fix typo", "spelling", "comment", "fix comment", "formatting", "lint", "fix lint", "whitespace"],
+    taskType: "sw",
+    level: "trivial",
+    confidence: 0.9,
+    message: "Trivial fix detected",
+  },
+];
+
+/**
+ * Compile custom intent patterns from config.guards.intent.patterns
+ * Custom patterns are evaluated BEFORE built-in ones.
+ */
+export function compileIntentPatterns(configGuards) {
+  const custom = Array.isArray(configGuards?.intent?.patterns)
+    ? configGuards.intent.patterns.map(p => ({
+        id: p.id || "custom-intent",
+        keywords: Array.isArray(p.keywords) ? p.keywords : [],
+        taskType: VALID_TASK_TYPES.has(p.taskType) ? p.taskType : "sw",
+        level: p.level || "simple",
+        confidence: typeof p.confidence === "number" ? p.confidence : 0.85,
+        message: p.message || "Custom intent pattern matched",
+      }))
+    : [];
+
+  return [...custom, ...INTENT_PATTERNS];
+}
+
+/**
+ * Check if a task description matches any of the keywords.
+ * Returns true if at least one keyword (case-insensitive substring) appears in the task.
+ */
+function matchesKeywords(task, keywords) {
+  const lower = task.toLowerCase();
+  for (const kw of keywords) {
+    if (lower.includes(kw.toLowerCase())) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Classify a task description using deterministic keyword patterns.
+ *
+ * Returns:
+ *   { classified: true, taskType, level, confidence, patternId, message }
+ *   or { classified: false } if no pattern matches above threshold
+ */
+export function classifyIntent(task, config = {}) {
+  if (!task || typeof task !== "string") {
+    return { classified: false };
+  }
+
+  const configGuards = config?.guards || {};
+  const threshold = configGuards?.intent?.confidence_threshold ?? 0.85;
+  const patterns = compileIntentPatterns(configGuards);
+
+  for (const pattern of patterns) {
+    if (!matchesKeywords(task, pattern.keywords)) continue;
+
+    if (pattern.confidence >= threshold) {
+      return {
+        classified: true,
+        taskType: pattern.taskType,
+        level: pattern.level,
+        confidence: pattern.confidence,
+        patternId: pattern.id,
+        message: pattern.message,
+      };
+    }
+  }
+
+  return { classified: false };
+}
+
+export { INTENT_PATTERNS };

package/src/guards/output-guard.js

@@ -0,0 +1,158 @@
+import { runCommand } from "../utils/process.js";
+
+// Built-in destructive patterns
+const DESTRUCTIVE_PATTERNS = [
+  { id: "rm-rf", pattern: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+|--force\s+)*-[a-zA-Z]*r/, severity: "critical", message: "Recursive file deletion detected" },
+  { id: "drop-table", pattern: /DROP\s+(TABLE|DATABASE|SCHEMA)/i, severity: "critical", message: "SQL destructive operation detected" },
+  { id: "git-reset-hard", pattern: /git\s+reset\s+--hard/i, severity: "critical", message: "Hard git reset detected" },
+  { id: "git-push-force", pattern: /git\s+push\s+.*--force/i, severity: "critical", message: "Force push detected" },
+  { id: "truncate-table", pattern: /TRUNCATE\s+TABLE/i, severity: "critical", message: "SQL truncate detected" },
+  { id: "format-disk", pattern: /mkfs\.|fdisk|dd\s+if=/, severity: "critical", message: "Disk format operation detected" },
+];
+
+// Built-in credential patterns
+const CREDENTIAL_PATTERNS = [
+  { id: "aws-key", pattern: /AKIA[0-9A-Z]{16}/, severity: "critical", message: "AWS access key exposed" },
+  { id: "private-key", pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/, severity: "critical", message: "Private key exposed" },
+  { id: "generic-secret", pattern: /(password|secret|token|api_key|apikey)\s*[:=]\s*["'][^"']{8,}["']/i, severity: "warning", message: "Potential secret/credential exposed" },
+  { id: "github-token", pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/, severity: "critical", message: "GitHub token exposed" },
+  { id: "npm-token", pattern: /npm_[A-Za-z0-9]{36,}/, severity: "critical", message: "npm token exposed" },
+];
+
+// Default protected files (block if these appear in added/modified lines)
+const DEFAULT_PROTECTED_FILES = [
+  ".env",
+  ".env.local",
+  ".env.production",
+  "serviceAccountKey.json",
+  "credentials.json",
+];
+
+export function compilePatterns(configGuards) {
+  const customPatterns = Array.isArray(configGuards?.output?.patterns)
+    ? configGuards.output.patterns.map(p => ({
+        id: p.id || "custom",
+        pattern: typeof p.pattern === "string" ? new RegExp(p.pattern, p.flags || "") : p.pattern,
+        severity: p.severity || "warning",
+        message: p.message || "Custom pattern matched",
+      }))
+    : [];
+
+  return [...DESTRUCTIVE_PATTERNS, ...CREDENTIAL_PATTERNS, ...customPatterns];
+}
+
+export function compileProtectedFiles(configGuards) {
+  const custom = Array.isArray(configGuards?.output?.protected_files)
+    ? configGuards.output.protected_files
+    : [];
+  return [...new Set([...DEFAULT_PROTECTED_FILES, ...custom])];
+}
+
+/**
+ * Parse a unified diff to extract only added lines (lines starting with +, not ++)
+ */
+export function extractAddedLines(diff) {
+  if (!diff) return [];
+  const results = [];
+  let currentFile = null;
+  let lineNum = 0;
+
+  for (const line of diff.split("\n")) {
+    if (line.startsWith("+++ b/")) {
+      currentFile = line.slice(6);
+      continue;
+    }
+    if (line.startsWith("@@ ")) {
+      const match = /@@ -\d+(?:,\d+)? \+(\d+)/.exec(line);
+      lineNum = match ? Number.parseInt(match[1], 10) - 1 : 0;
+      continue;
+    }
+    if (line.startsWith("+") && !line.startsWith("+++")) {
+      lineNum += 1;
+      results.push({ file: currentFile, line: lineNum, content: line.slice(1) });
+    } else if (!line.startsWith("-")) {
+      lineNum += 1;
+    }
+  }
+  return results;
+}
+
+/**
+ * Check if any modified files are in the protected list
+ */
+export function checkProtectedFiles(diff, protectedFiles) {
+  const violations = [];
+  const modifiedFiles = [];
+
+  for (const line of diff.split("\n")) {
+    if (line.startsWith("+++ b/")) {
+      modifiedFiles.push(line.slice(6));
+    }
+  }
+
+  for (const file of modifiedFiles) {
+    const basename = file.split("/").pop();
+    if (protectedFiles.some(pf => file === pf || file.endsWith(`/${pf}`) || basename === pf)) {
+      violations.push({
+        id: "protected-file",
+        severity: "critical",
+        file,
+        line: 0,
+        message: `Protected file modified: ${file}`,
+        matchedContent: "",
+      });
+    }
+  }
+
+  return violations;
+}
+
+/**
+ * Scan a diff for pattern violations.
+ * Returns { pass: boolean, violations: Array<{id, severity, file, line, message, matchedContent}> }
+ */
+export function scanDiff(diff, config = {}) {
+  if (!diff || typeof diff !== "string") {
+    return { pass: true, violations: [] };
+  }
+
+  const configGuards = config?.guards || {};
+  const patterns = compilePatterns(configGuards);
+  const protectedFiles = compileProtectedFiles(configGuards);
+  const addedLines = extractAddedLines(diff);
+  const violations = [];
+
+  // Check patterns against added lines
+  for (const { file, line, content } of addedLines) {
+    for (const { id, pattern, severity, message } of patterns) {
+      if (pattern.test(content)) {
+        violations.push({ id, severity, file, line, message, matchedContent: content.trim().slice(0, 200) });
+      }
+    }
+  }
+
+  // Check protected files
+  violations.push(...checkProtectedFiles(diff, protectedFiles));
+
+  const hasCritical = violations.some(v => v.severity === "critical");
+  return { pass: !hasCritical, violations };
+}
+
+/**
+ * Run output guard on the current git diff.
+ * This is the main entry point for the pipeline integration.
+ */
+export async function runOutputGuard(config = {}, baseBranch = "main") {
+  const diffResult = await runCommand("git", ["diff", `origin/${baseBranch}...HEAD`]);
+  if (diffResult.exitCode !== 0) {
+    // Fallback: diff against HEAD~1
+    const fallback = await runCommand("git", ["diff", "HEAD~1"]);
+    if (fallback.exitCode !== 0) {
+      return { pass: true, violations: [], error: "Could not generate diff" };
+    }
+    return scanDiff(fallback.stdout, config);
+  }
+  return scanDiff(diffResult.stdout, config);
+}
+
+export { DESTRUCTIVE_PATTERNS, CREDENTIAL_PATTERNS, DEFAULT_PROTECTED_FILES };