prism-pr 1.0.0-alpha.47

package/dist/guard/ast-grep-strategy.js

@@ -0,0 +1,112 @@
+import path from 'node:path';
+import { Lang, parse as sgParse } from '@ast-grep/napi';
+// Map our AstGrepLanguage strings to ast-grep string values.
+// Lang enum only covers Html, JavaScript, Tsx, Css, TypeScript.
+// All others are passed as CustomLang (string & {}) — structurally valid per string.
+const LANG_MAP = {
+    typescript: Lang.TypeScript,
+    javascript: Lang.JavaScript,
+    tsx: Lang.Tsx,
+    // jsx is not in Lang enum — fall back to JavaScript
+    jsx: Lang.JavaScript,
+    css: Lang.Css,
+    html: Lang.Html,
+    // The following are CustomLang strings (supported at runtime via dynamic language loading)
+    python: 'Python',
+    go: 'Go',
+    java: 'Java',
+    rust: 'Rust',
+    c: 'C',
+    cpp: 'Cpp',
+    php: 'Php',
+    'c-sharp': 'CSharp',
+};
+// Map file extensions to our AstGrepLanguage strings
+const EXT_MAP = {
+    '.ts': 'typescript',
+    '.tsx': 'tsx',
+    '.js': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.jsx': 'jsx',
+    '.py': 'python',
+    '.go': 'go',
+    '.java': 'java',
+    '.rs': 'rust',
+    '.c': 'c',
+    '.cpp': 'cpp',
+    '.cc': 'cpp',
+    '.cxx': 'cpp',
+    '.cs': 'c-sharp',
+    '.php': 'php',
+    '.css': 'css',
+    '.html': 'html',
+    '.htm': 'html',
+};
+/**
+ * Infer the AstGrepLanguage from a file path or extension.
+ * Accepts either a full path (e.g. "src/foo.ts") or a bare extension (e.g. ".ts").
+ * Returns null when the extension is not recognized.
+ */
+export function inferLanguage(filePath) {
+    const ext = filePath.startsWith('.')
+        ? filePath.toLowerCase()
+        : path.extname(filePath).toLowerCase();
+    return EXT_MAP[ext] ?? null;
+}
+/**
+ * Error type for ast-grep parse failures. Exported for consumer use but never
+ * thrown by AstGrepMatchStrategy — errors are swallowed and [] is returned.
+ */
+export class AstGrepParseError extends Error {
+    filePath;
+    cause;
+    constructor(message, filePath, cause) {
+        super(message);
+        this.filePath = filePath;
+        this.cause = cause;
+        this.name = 'AstGrepParseError';
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+/**
+ * Async match strategy that uses ast-grep's structural search.
+ * Returns 1-based start line numbers for each match, sorted and deduplicated.
+ */
+export class AstGrepMatchStrategy {
+    async matchFile(fileContent, filePath, pattern) {
+        // Short-circuit: empty or whitespace-only content
+        if (!fileContent.trim()) {
+            return [];
+        }
+        // Short-circuit: no rule defined
+        if (!pattern.rule) {
+            return [];
+        }
+        // Resolve language: explicit pattern.language takes precedence
+        const lang = pattern.language ?? inferLanguage(filePath);
+        if (lang === null) {
+            return [];
+        }
+        // Map to native lang
+        const nativeLang = LANG_MAP[lang];
+        if (nativeLang === undefined) {
+            return [];
+        }
+        try {
+            const root = sgParse(nativeLang, fileContent).root();
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            const nodes = root.findAll({ rule: pattern.rule });
+            const lineSet = new Set();
+            for (const node of nodes) {
+                const startLine = node.range().start.line + 1;
+                lineSet.add(startLine);
+            }
+            return Array.from(lineSet).sort((a, b) => a - b);
+        }
+        catch {
+            return [];
+        }
+    }
+}
+//# sourceMappingURL=ast-grep-strategy.js.map

package/dist/guard/ast-grep-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-grep-strategy.js","sourceRoot":"","sources":["../../src/guard/ast-grep-strategy.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,KAAK,IAAI,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAIxD,6DAA6D;AAC7D,gEAAgE;AAChE,qFAAqF;AACrF,MAAM,QAAQ,GAAoC;IAChD,UAAU,EAAE,IAAI,CAAC,UAAU;IAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;IAC3B,GAAG,EAAE,IAAI,CAAC,GAAG;IACb,oDAAoD;IACpD,GAAG,EAAE,IAAI,CAAC,UAAU;IACpB,GAAG,EAAE,IAAI,CAAC,GAAG;IACb,IAAI,EAAE,IAAI,CAAC,IAAI;IACf,2FAA2F;IAC3F,MAAM,EAAE,QAAkB;IAC1B,EAAE,EAAE,IAAc;IAClB,IAAI,EAAE,MAAgB;IACtB,IAAI,EAAE,MAAgB;IACtB,CAAC,EAAE,GAAa;IAChB,GAAG,EAAE,KAAe;IACpB,GAAG,EAAE,KAAe;IACpB,SAAS,EAAE,QAAkB;CAC9B,CAAC;AAEF,qDAAqD;AACrD,MAAM,OAAO,GAAoC;IAC/C,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,IAAI;IACX,OAAO,EAAE,MAAM;IACf,KAAK,EAAE,MAAM;IACb,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,KAAK;IACZ,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,SAAS;IAChB,MAAM,EAAE,KAAK;IACb,MAAM,EAAE,KAAK;IACb,OAAO,EAAE,MAAM;IACf,MAAM,EAAE,MAAM;CACf,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE;QACxB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAGxB;IACS;IAH3B,YACE,OAAe,EACC,QAAgB,EACP,KAAe;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,aAAQ,GAAR,QAAQ,CAAQ;QACP,UAAK,GAAL,KAAK,CAAU;QAGxC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,oBAAoB;IAC/B,KAAK,CAAC,SAAS,CACb,WAAmB,EACnB,QAAgB,EAChB,OAAqB;QAErB,kDAAkD;QAClD,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;YACxB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,iCAAiC;QACjC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,+DAA+D;QAC/D,MAAM,IAAI,GAA2B,OAAO,CAAC,QAAQ,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;QACjF,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,qBAAqB;QACrB,MAAM,UAAU,GAAuB,QAAQ,CAAC,IAAI,CAAC,CAAC;QACtD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;YACrD,8DAA8D;YAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAS,CAAC,CAAC;YAE1D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACzB,CAAC;YAED,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF"}

package/dist/guard/diff-pattern-matcher.d.ts

@@ -0,0 +1,52 @@
+import type { DiffFile } from '../types/index.js';
+import type { PrismPattern } from '../rules-engine/types.js';
+import type { FindingSeverity } from '../types/review-finding.js';
+import type { GuardMatch, GuardContextLine } from './types.js';
+export interface MatchStrategy {
+    matches(lineContent: string, pattern: PrismPattern): boolean;
+}
+/**
+ * Keyword-based matching with three signal sources:
+ * 1. Enriched code indicators (highest precision — known code patterns)
+ * 2. Identifiers from description backtick code (high precision — actual code snippets)
+ * 3. Long tokens from patternKey (moderate precision — likely function/class names)
+ *
+ * Patterns without any matchable keywords produce no matches by design —
+ * better to miss an abstract pattern than to falsely flag every line.
+ */
+export declare class KeywordMatchStrategy implements MatchStrategy {
+    private readonly keywordMap;
+    constructor(patterns: PrismPattern[]);
+    matches(lineContent: string, pattern: PrismPattern): boolean;
+    private extractKeywords;
+    /**
+     * Extract code identifiers from backtick-delimited snippets in description.
+     * Only keeps identifiers that are specific enough to be function/class/variable names.
+     */
+    private extractCodeFromDescription;
+    private enrichWithCodeIndicators;
+}
+/**
+ * Check if a file path matches any of the given globs.
+ * Globs are in `*.ext` format — uses simple endsWith matching.
+ */
+export declare function fileMatchesGlobs(filePath: string, globs: string[]): boolean;
+/**
+ * Collect all addition line numbers from all hunks in a file.
+ * Returns a Set of 1-based line numbers.
+ */
+export declare function buildAdditionLineSet(file: DiffFile): Set<number>;
+/**
+ * Build context lines from all hunks for a given match line number.
+ * Searches all hunks for the line, then grabs CONTEXT_RADIUS lines before/after.
+ * Returns [] if the line is not found in any hunk.
+ */
+export declare function buildContextFromHunk(file: DiffFile, matchLineNumber: number, contextRadius: number): GuardContextLine[];
+/**
+ * Match patterns against addition lines in parsed diff files.
+ * Supports dual-mode matching: ast-grep (when fileContentMap is provided and has the file)
+ * and keyword fallback (when file is absent from map or pattern has no rule).
+ * Returns deduplicated, sorted GuardMatch array.
+ */
+export declare function matchPatterns(files: DiffFile[], patterns: PrismPattern[], minSeverity?: FindingSeverity, fileContentMap?: ReadonlyMap<string, string>): Promise<GuardMatch[]>;
+//# sourceMappingURL=diff-pattern-matcher.d.ts.map

package/dist/guard/diff-pattern-matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff-pattern-matcher.d.ts","sourceRoot":"","sources":["../../src/guard/diff-pattern-matcher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAsC/D,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;CAC9D;AAED;;;;;;;;GAQG;AACH,qBAAa,oBAAqB,YAAW,aAAa;IACxD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA+B;gBAE9C,QAAQ,EAAE,YAAY,EAAE;IAMpC,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO;IAa5D,OAAO,CAAC,eAAe;IAiBvB;;;OAGG;IACH,OAAO,CAAC,0BAA0B;IAkBlC,OAAO,CAAC,wBAAwB;CA+BjC;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAS3E;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAUhE;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,QAAQ,EACd,eAAe,EAAE,MAAM,EACvB,aAAa,EAAE,MAAM,GACpB,gBAAgB,EAAE,CAqBpB;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,QAAQ,EAAE,EACjB,QAAQ,EAAE,YAAY,EAAE,EACxB,WAAW,CAAC,EAAE,eAAe,EAC7B,cAAc,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,GAC3C,OAAO,CAAC,UAAU,EAAE,CAAC,CAyJvB"}

package/dist/guard/diff-pattern-matcher.js

@@ -0,0 +1,325 @@
+import { resolveStrategy } from './match-strategy.js';
+import { AstGrepMatchStrategy } from './ast-grep-strategy.js';
+const NOISE_WORDS = new Set([
+    // English common words
+    'with', 'that', 'this', 'from', 'have', 'will', 'your', 'they',
+    'been', 'type', 'the', 'for', 'and', 'not', 'are', 'use',
+    // Spanish common words
+    'sin', 'del', 'los', 'las', 'una', 'por', 'como', 'para',
+    'cuando', 'lugar', 'campo', 'nuevo', 'archivo',
+    // Programming keywords (too generic for code matching)
+    'return', 'function', 'method', 'class', 'const', 'null',
+    'void', 'result', 'value', 'query', 'error', 'throw', 'catch',
+    'async', 'await', 'fetch', 'data', 'list', 'item', 'count',
+    'index', 'array', 'object', 'string', 'number', 'boolean',
+    'public', 'private', 'protected', 'static', 'final', 'abstract',
+    'import', 'export', 'require', 'module', 'default', 'extends',
+    'implements', 'interface', 'package', 'select', 'where', 'limit',
+    'order', 'group', 'table', 'column', 'field', 'param', 'props',
+]);
+/** Minimum length for tokens extracted from patternKey (filters generic words) */
+const MIN_PATTERN_TOKEN_LENGTH = 10;
+/** Minimum length for identifiers extracted from description backtick code.
+ * Set high enough to filter framework names (Illuminate=10, Collection=10)
+ * while keeping specific identifiers (fetchAuthorizationRows=22). */
+const MIN_DESC_IDENTIFIER_LENGTH = 12;
+/** Lines of diff context to show before and after each match */
+const CONTEXT_RADIUS = 2;
+const SEV_ORDER = {
+    critical: 0, high: 1, medium: 2, low: 3, info: 4,
+};
+/**
+ * Keyword-based matching with three signal sources:
+ * 1. Enriched code indicators (highest precision — known code patterns)
+ * 2. Identifiers from description backtick code (high precision — actual code snippets)
+ * 3. Long tokens from patternKey (moderate precision — likely function/class names)
+ *
+ * Patterns without any matchable keywords produce no matches by design —
+ * better to miss an abstract pattern than to falsely flag every line.
+ */
+export class KeywordMatchStrategy {
+    keywordMap = new Map();
+    constructor(patterns) {
+        for (const p of patterns) {
+            this.keywordMap.set(p.id, this.extractKeywords(p));
+        }
+    }
+    matches(lineContent, pattern) {
+        const keywords = this.keywordMap.get(pattern.id);
+        if (!keywords || keywords.length === 0)
+            return false;
+        const trimmed = lineContent.trim();
+        if (trimmed.length === 0)
+            return false;
+        const lower = trimmed.toLowerCase();
+        return keywords.some((kw) => kw === kw.toLowerCase() ? lower.includes(kw) : trimmed.includes(kw));
+    }
+    extractKeywords(pattern) {
+        // 1. Enriched code indicators (highest priority)
+        const indicators = this.enrichWithCodeIndicators([], pattern);
+        // 2. Identifiers from description backtick code
+        const descIds = this.extractCodeFromDescription(pattern.description);
+        indicators.push(...descIds);
+        // 3. Long tokens from patternKey (only very specific identifiers)
+        const tokens = pattern.patternKey
+            .split('-')
+            .filter((t) => t.length >= MIN_PATTERN_TOKEN_LENGTH && !NOISE_WORDS.has(t));
+        indicators.push(...tokens);
+        return [...new Set(indicators)];
+    }
+    /**
+     * Extract code identifiers from backtick-delimited snippets in description.
+     * Only keeps identifiers that are specific enough to be function/class/variable names.
+     */
+    extractCodeFromDescription(description) {
+        const identifiers = [];
+        const backtickRegex = /`([^`]+)`/g;
+        let m;
+        while ((m = backtickRegex.exec(description)) !== null) {
+            const snippet = m[1] ?? '';
+            const ids = snippet.match(new RegExp(`[a-zA-Z_]\\w{${MIN_DESC_IDENTIFIER_LENGTH - 1},}`, 'g'));
+            if (ids) {
+                for (const id of ids) {
+                    if (!NOISE_WORDS.has(id.toLowerCase())) {
+                        identifiers.push(id);
+                    }
+                }
+            }
+        }
+        return [...new Set(identifiers)];
+    }
+    enrichWithCodeIndicators(tokens, pattern) {
+        const indicators = [...tokens];
+        const key = pattern.patternKey.toLowerCase();
+        if (key.includes('explicit-any') || key.includes('no-any') || key.includes('tipo-any')) {
+            indicators.push(': any', 'as any', ': Any');
+        }
+        if (key.includes('console-log') || (key.includes('console') && key.includes('log'))) {
+            indicators.push('console.log', 'console.warn', 'console.error');
+        }
+        if (key.includes('debugger')) {
+            indicators.push('debugger');
+        }
+        // Use title words to avoid false match from slugified Spanish
+        // (e.g. "método" → "m-todo" triggering TODO enrichment)
+        const titleWords = pattern.title.toLowerCase().split(/\s+/);
+        if (titleWords.includes('todo') || titleWords.includes('fixme')) {
+            indicators.push('TODO', 'FIXME', 'HACK', 'XXX');
+        }
+        if (key.includes('eval')) {
+            indicators.push('eval(', 'new Function(');
+        }
+        if (key.includes('strict-types') || key.includes('strict_types')) {
+            indicators.push('strict_types');
+        }
+        if (key.includes('construct')) {
+            indicators.push('__construct');
+        }
+        return indicators;
+    }
+}
+/**
+ * Check if a file path matches any of the given globs.
+ * Globs are in `*.ext` format — uses simple endsWith matching.
+ */
+export function fileMatchesGlobs(filePath, globs) {
+    if (globs.length === 0)
+        return true;
+    return globs.some((glob) => {
+        if (glob.startsWith('*.')) {
+            const ext = glob.slice(1); // e.g. ".ts"
+            return filePath.endsWith(ext);
+        }
+        return filePath === glob;
+    });
+}
+/**
+ * Collect all addition line numbers from all hunks in a file.
+ * Returns a Set of 1-based line numbers.
+ */
+export function buildAdditionLineSet(file) {
+    const lineSet = new Set();
+    for (const hunk of file.hunks) {
+        for (const line of hunk.lines) {
+            if (line.type === 'addition' && line.lineNumber !== null) {
+                lineSet.add(line.lineNumber);
+            }
+        }
+    }
+    return lineSet;
+}
+/**
+ * Build context lines from all hunks for a given match line number.
+ * Searches all hunks for the line, then grabs CONTEXT_RADIUS lines before/after.
+ * Returns [] if the line is not found in any hunk.
+ */
+export function buildContextFromHunk(file, matchLineNumber, contextRadius) {
+    for (const hunk of file.hunks) {
+        const hunkLines = hunk.lines;
+        const lineIdx = hunkLines.findIndex((l) => l.lineNumber === matchLineNumber);
+        if (lineIdx === -1)
+            continue;
+        const ctxStart = Math.max(0, lineIdx - contextRadius);
+        const ctxEnd = Math.min(hunkLines.length - 1, lineIdx + contextRadius);
+        const contextLines = [];
+        for (let ci = ctxStart; ci <= ctxEnd; ci++) {
+            const cl = hunkLines[ci];
+            contextLines.push({
+                type: cl.type,
+                content: cl.content,
+                lineNumber: cl.lineNumber,
+                isMatch: ci === lineIdx,
+            });
+        }
+        return contextLines;
+    }
+    return [];
+}
+/**
+ * Match patterns against addition lines in parsed diff files.
+ * Supports dual-mode matching: ast-grep (when fileContentMap is provided and has the file)
+ * and keyword fallback (when file is absent from map or pattern has no rule).
+ * Returns deduplicated, sorted GuardMatch array.
+ */
+export async function matchPatterns(files, patterns, minSeverity, fileContentMap) {
+    if (patterns.length === 0)
+        return [];
+    // Filter patterns by minimum severity
+    const minSevIdx = minSeverity ? (SEV_ORDER[minSeverity] ?? 4) : 4;
+    const activePatterns = patterns.filter((p) => {
+        const idx = SEV_ORDER[p.severity] ?? 4;
+        return idx <= minSevIdx;
+    });
+    if (activePatterns.length === 0)
+        return [];
+    // Partition patterns by strategy
+    const astPatterns = activePatterns.filter((p) => resolveStrategy(p) === 'ast-grep');
+    const kwPatterns = activePatterns.filter((p) => resolveStrategy(p) === 'keyword');
+    const astStrategy = new AstGrepMatchStrategy();
+    const matches = [];
+    const seen = new Set();
+    for (const file of files) {
+        if (file.isBinary || file.isDeleted)
+            continue;
+        const filePath = file.newPath;
+        // Pre-build addition line set for this file (used by both paths)
+        const additionLines = buildAdditionLineSet(file);
+        // Collect ast patterns that fall back to keyword for this file
+        const astFallbackPatterns = [];
+        // -----------------------------------------------------------------------
+        // AST-grep path: only when fileContentMap is provided and has this file
+        // -----------------------------------------------------------------------
+        if (fileContentMap !== undefined) {
+            const fileContent = fileContentMap.get(filePath);
+            for (const pattern of astPatterns) {
+                if (!fileMatchesGlobs(filePath, pattern.fileGlobs))
+                    continue;
+                if (fileContent !== undefined) {
+                    // File is available → use ast-grep
+                    const matchedLines = await astStrategy.matchFile(fileContent, filePath, pattern);
+                    for (const matchedLine of matchedLines) {
+                        // Only report if the line is an addition in the diff
+                        if (!additionLines.has(matchedLine))
+                            continue;
+                        const dedupKey = `${filePath}:${matchedLine}:${pattern.id}`;
+                        if (seen.has(dedupKey))
+                            continue;
+                        seen.add(dedupKey);
+                        const contextLines = buildContextFromHunk(file, matchedLine, CONTEXT_RADIUS);
+                        // Find the matched line content from contextLines (isMatch === true)
+                        const matchCtxLine = contextLines.find((cl) => cl.isMatch);
+                        const lineContent = matchCtxLine?.content.trim() ?? '';
+                        matches.push({
+                            id: dedupKey,
+                            patternId: pattern.id,
+                            patternTitle: pattern.title,
+                            patternDescription: pattern.description,
+                            severity: pattern.severity,
+                            category: pattern.category,
+                            agentId: pattern.agentId,
+                            filePath,
+                            lineNumber: matchedLine,
+                            lineContent,
+                            matchedGlob: pattern.fileGlobs.find((g) => fileMatchesGlobs(filePath, [g])) ?? '*',
+                            contextLines,
+                        });
+                    }
+                }
+                else {
+                    // File NOT in map → fall back to keyword for this pattern
+                    astFallbackPatterns.push(pattern);
+                }
+            }
+        }
+        // When fileContentMap is undefined: astFallbackPatterns stays empty — all patterns
+        // (including astPatterns) are handled via activePatterns in kwPatternsForFile below.
+        // -----------------------------------------------------------------------
+        // Keyword path: kwPatterns + ast fallbacks
+        // -----------------------------------------------------------------------
+        // When fileContentMap is undefined all patterns fall through to keyword.
+        // When fileContentMap is provided, only kwPatterns + ast fallbacks run here.
+        const kwPatternsForFile = fileContentMap === undefined
+            ? activePatterns
+            : [...kwPatterns, ...astFallbackPatterns];
+        const strategy = new KeywordMatchStrategy(kwPatternsForFile);
+        for (const pattern of kwPatternsForFile) {
+            if (!fileMatchesGlobs(filePath, pattern.fileGlobs))
+                continue;
+            for (const hunk of file.hunks) {
+                const hunkLines = hunk.lines;
+                for (let lineIdx = 0; lineIdx < hunkLines.length; lineIdx++) {
+                    const line = hunkLines[lineIdx];
+                    if (line.type !== 'addition')
+                        continue;
+                    if (line.lineNumber === null)
+                        continue;
+                    if (strategy.matches(line.content, pattern)) {
+                        const dedupKey = `${filePath}:${line.lineNumber}:${pattern.id}`;
+                        if (seen.has(dedupKey))
+                            continue;
+                        seen.add(dedupKey);
+                        // Capture surrounding context lines (2 before, 2 after)
+                        const ctxStart = Math.max(0, lineIdx - CONTEXT_RADIUS);
+                        const ctxEnd = Math.min(hunkLines.length - 1, lineIdx + CONTEXT_RADIUS);
+                        const contextLines = [];
+                        for (let ci = ctxStart; ci <= ctxEnd; ci++) {
+                            const cl = hunkLines[ci];
+                            contextLines.push({
+                                type: cl.type,
+                                content: cl.content,
+                                lineNumber: cl.lineNumber,
+                                isMatch: ci === lineIdx,
+                            });
+                        }
+                        matches.push({
+                            id: dedupKey,
+                            patternId: pattern.id,
+                            patternTitle: pattern.title,
+                            patternDescription: pattern.description,
+                            severity: pattern.severity,
+                            category: pattern.category,
+                            agentId: pattern.agentId,
+                            filePath,
+                            lineNumber: line.lineNumber,
+                            lineContent: line.content.trim(),
+                            matchedGlob: pattern.fileGlobs.find((g) => fileMatchesGlobs(filePath, [g])) ?? '*',
+                            contextLines,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    // Sort: severity DESC (lower index = higher severity), filePath ASC, lineNumber ASC
+    matches.sort((a, b) => {
+        const sevDiff = (SEV_ORDER[a.severity] ?? 4) - (SEV_ORDER[b.severity] ?? 4);
+        if (sevDiff !== 0)
+            return sevDiff;
+        const fileDiff = a.filePath.localeCompare(b.filePath);
+        if (fileDiff !== 0)
+            return fileDiff;
+        return a.lineNumber - b.lineNumber;
+    });
+    return matches;
+}
+//# sourceMappingURL=diff-pattern-matcher.js.map

package/dist/guard/diff-pattern-matcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff-pattern-matcher.js","sourceRoot":"","sources":["../../src/guard/diff-pattern-matcher.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAE9D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC9D,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IACxD,uBAAuB;IACvB,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM;IACxD,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS;IAC9C,uDAAuD;IACvD,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;IACxD,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC7D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;IAC1D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS;IACzD,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU;IAC/D,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS;IAC7D,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO;IAChE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;CAC/D,CAAC,CAAC;AAEH,kFAAkF;AAClF,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAEpC;;qEAEqE;AACrE,MAAM,0BAA0B,GAAG,EAAE,CAAC;AAEtC,gEAAgE;AAChE,MAAM,cAAc,GAAG,CAAC,CAAC;AAEzB,MAAM,SAAS,GAA2B;IACxC,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;CACjD,CAAC;AAMF;;;;;;;;GAQG;AACH,MAAM,OAAO,oBAAoB;IACd,UAAU,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE1D,YAAY,QAAwB;QAClC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,OAAO,CAAC,WAAmB,EAAE,OAAqB;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAErD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAEvC,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QACpC,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAC1B,EAAE,KAAK,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CACpE,CAAC;IACJ,CAAC;IAEO,eAAe,CAAC,OAAqB;QAC3C,iDAAiD;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,wBAAwB,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAE9D,gDAAgD;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACrE,UAAU,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;QAE5B,kEAAkE;QAClE,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU;aAC9B,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,wBAAwB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9E,UAAU,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;QAE3B,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACK,0BAA0B,CAAC,WAAmB;QACpD,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,MAAM,aAAa,GAAG,YAAY,CAAC;QACnC,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtD,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,gBAAgB,0BAA0B,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YAC/F,IAAI,GAAG,EAAE,CAAC;gBACR,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;oBACrB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;wBACvC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACvB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IACnC,CAAC;IAEO,wBAAwB,CAAC,MAAgB,EAAE,OAAqB;QACtE,MAAM,UAAU,GAAa,CAAC,GAAG,MAAM,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAE7C,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACvF,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACpF,UAAU,CAAC,IAAI,CAAC,aAAa,EAAE,cAAc,EAAE,eAAe,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7B,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9B,CAAC;QACD,8DAA8D;QAC9D,wDAAwD;QACxD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAChE,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACjE,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,KAAe;IAChE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa;YACxC,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QACD,OAAO,QAAQ,KAAK,IAAI,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAc;IACjD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAC9B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;gBACzD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAc,EACd,eAAuB,EACvB,aAAqB;IAErB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC;QAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,eAAe,CAAC,CAAC;QAC7E,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,aAAa,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,OAAO,GAAG,aAAa,CAAC,CAAC;QACvE,MAAM,YAAY,GAAuB,EAAE,CAAC;QAC5C,KAAK,IAAI,EAAE,GAAG,QAAQ,EAAE,EAAE,IAAI,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;YAC3C,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAE,CAAC;YAC1B,YAAY,CAAC,IAAI,CAAC;gBAChB,IAAI,EAAE,EAAE,CAAC,IAAI;gBACb,OAAO,EAAE,EAAE,CAAC,OAAO;gBACnB,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,OAAO,EAAE,EAAE,KAAK,OAAO;aACxB,CAAC,CAAC;QACL,CAAC;QACD,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAiB,EACjB,QAAwB,EACxB,WAA6B,EAC7B,cAA4C;IAE5C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,sCAAsC;IACtC,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3C,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACvC,OAAO,GAAG,IAAI,SAAS,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE3C,iCAAiC;IACjC,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,CAAC;IACpF,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAElF,MAAM,WAAW,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC/C,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,SAAS;YAAE,SAAS;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC;QAE9B,iEAAiE;QACjE,MAAM,aAAa,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAEjD,+DAA+D;QAC/D,MAAM,mBAAmB,GAAmB,EAAE,CAAC;QAE/C,0EAA0E;QAC1E,wEAAwE;QACxE,0EAA0E;QAC1E,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEjD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;gBAClC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC;oBAAE,SAAS;gBAE7D,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;oBAC9B,mCAAmC;oBACnC,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAEjF,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;wBACvC,qDAAqD;wBACrD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC;4BAAE,SAAS;wBAE9C,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,WAAW,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;wBAC5D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;4BAAE,SAAS;wBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;wBAEnB,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;wBAE7E,qEAAqE;wBACrE,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;wBAC3D,MAAM,WAAW,GAAG,YAAY,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;wBAEvD,OAAO,CAAC,IAAI,CAAC;4BACX,EAAE,EAAE,QAAQ;4BACZ,SAAS,EAAE,OAAO,CAAC,EAAE;4BACrB,YAAY,EAAE,OAAO,CAAC,KAAK;4BAC3B,kBAAkB,EAAE,OAAO,CAAC,WAAW;4BACvC,QAAQ,EAAE,OAAO,CAAC,QAA2B;4BAC7C,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;4BACxB,QAAQ;4BACR,UAAU,EAAE,WAAW;4BACvB,WAAW;4BACX,WAAW,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG;4BAClF,YAAY;yBACb,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,0DAA0D;oBAC1D,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QACD,mFAAmF;QACnF,qFAAqF;QAErF,0EAA0E;QAC1E,2CAA2C;QAC3C,0EAA0E;QAE1E,yEAAyE;QACzE,6EAA6E;QAC7E,MAAM,iBAAiB,GACrB,cAAc,KAAK,SAAS;YAC1B,CAAC,CAAC,cAAc;YAChB,CAAC,CAAC,CAAC,GAAG,UAAU,EAAE,GAAG,mBAAmB,CAAC,CAAC;QAE9C,MAAM,QAAQ,GAAG,IAAI,oBAAoB,CAAC,iBAAiB,CAAC,CAAC;QAE7D,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE7D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC;gBAC7B,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBAC5D,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAE,CAAC;oBACjC,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU;wBAAE,SAAS;oBACvC,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI;wBAAE,SAAS;oBAEvC,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;wBAC5C,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;wBAChE,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;4BAAE,SAAS;wBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;wBAEnB,wDAAwD;wBACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,cAAc,CAAC,CAAC;wBACvD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,OAAO,GAAG,cAAc,CAAC,CAAC;wBACxE,MAAM,YAAY,GAAuB,EAAE,CAAC;wBAC5C,KAAK,IAAI,EAAE,GAAG,QAAQ,EAAE,EAAE,IAAI,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;4BAC3C,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAE,CAAC;4BAC1B,YAAY,CAAC,IAAI,CAAC;gCAChB,IAAI,EAAE,EAAE,CAAC,IAAI;gCACb,OAAO,EAAE,EAAE,CAAC,OAAO;gCACnB,UAAU,EAAE,EAAE,CAAC,UAAU;gCACzB,OAAO,EAAE,EAAE,KAAK,OAAO;6BACxB,CAAC,CAAC;wBACL,CAAC;wBAED,OAAO,CAAC,IAAI,CAAC;4BACX,EAAE,EAAE,QAAQ;4BACZ,SAAS,EAAE,OAAO,CAAC,EAAE;4BACrB,YAAY,EAAE,OAAO,CAAC,KAAK;4BAC3B,kBAAkB,EAAE,OAAO,CAAC,WAAW;4BACvC,QAAQ,EAAE,OAAO,CAAC,QAA2B;4BAC7C,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;4BACxB,QAAQ;4BACR,UAAU,EAAE,IAAI,CAAC,UAAU;4BAC3B,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE;4BAChC,WAAW,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG;4BAClF,YAAY;yBACb,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,oFAAoF;IACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5E,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,CAAC;YAAE,OAAO,QAAQ,CAAC;QACpC,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/guard/file-fetcher.d.ts

@@ -0,0 +1,3 @@
+export declare const MAX_CONCURRENT_FETCHES = 5;
+export declare function fetchFileContents(filePaths: string[], fetcher: (path: string) => Promise<string | null>): Promise<ReadonlyMap<string, string>>;
+//# sourceMappingURL=file-fetcher.d.ts.map

package/dist/guard/file-fetcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-fetcher.d.ts","sourceRoot":"","sources":["../../src/guard/file-fetcher.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAExC,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,MAAM,EAAE,EACnB,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,GAChD,OAAO,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAwBtC"}

package/dist/guard/file-fetcher.js

@@ -0,0 +1,21 @@
+export const MAX_CONCURRENT_FETCHES = 5;
+export async function fetchFileContents(filePaths, fetcher) {
+    const result = new Map();
+    if (filePaths.length === 0)
+        return result;
+    let idx = 0;
+    async function next() {
+        while (idx < filePaths.length) {
+            const currentIdx = idx++;
+            const filePath = filePaths[currentIdx];
+            const content = await fetcher(filePath).catch(() => null);
+            if (content !== null) {
+                result.set(filePath, content);
+            }
+        }
+    }
+    const workers = Array.from({ length: Math.min(MAX_CONCURRENT_FETCHES, filePaths.length) }, () => next());
+    await Promise.all(workers);
+    return result;
+}
+//# sourceMappingURL=file-fetcher.js.map

package/dist/guard/file-fetcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-fetcher.js","sourceRoot":"","sources":["../../src/guard/file-fetcher.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAmB,EACnB,OAAiD;IAEjD,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE1C,IAAI,GAAG,GAAG,CAAC,CAAC;IAEZ,KAAK,UAAU,IAAI;QACjB,OAAO,GAAG,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;YAC9B,MAAM,UAAU,GAAG,GAAG,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,SAAS,CAAC,UAAU,CAAE,CAAC;YACxC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YAC1D,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;gBACrB,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CACxB,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,sBAAsB,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,EAC9D,GAAG,EAAE,CAAC,IAAI,EAAE,CACb,CAAC;IACF,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAE3B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/guard/guard-engine.d.ts

@@ -0,0 +1,8 @@
+import type { GuardInput, GuardResult } from './types.js';
+/**
+ * Run the guard engine: load patterns → parse diff → match → build result.
+ * Throws PatternsFileError if patterns file is missing or invalid.
+ * Never throws on malformed diff — returns empty matches.
+ */
+export declare function runGuard(input: GuardInput): Promise<GuardResult>;
+//# sourceMappingURL=guard-engine.d.ts.map

package/dist/guard/guard-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-engine.d.ts","sourceRoot":"","sources":["../../src/guard/guard-engine.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAgB,MAAM,YAAY,CAAC;AAExE;;;;GAIG;AACH,wBAAsB,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,CAmEtE"}

package/dist/guard/guard-engine.js

@@ -0,0 +1,78 @@
+import { parseDiff } from '../utils/diff-parser.js';
+import { loadPatterns } from './patterns-loader.js';
+import { PatternsFileError } from './patterns-loader.js';
+import { matchPatterns, fileMatchesGlobs } from './diff-pattern-matcher.js';
+import { fetchFileContents } from './file-fetcher.js';
+import { resolveStrategy } from './match-strategy.js';
+/**
+ * Run the guard engine: load patterns → parse diff → match → build result.
+ * Throws PatternsFileError if patterns file is missing or invalid.
+ * Never throws on malformed diff — returns empty matches.
+ */
+export async function runGuard(input) {
+    const startMs = performance.now();
+    // 1. Resolve patterns source
+    if (!input.patternsPath && !input.remoteRules) {
+        throw new PatternsFileError('No patterns source: set patternsPath or remoteRules.');
+    }
+    let patternsFile;
+    if (input.remoteRules) {
+        if (!input.rulesRepoClient) {
+            throw new PatternsFileError('remoteRules requires a rulesRepoClient.');
+        }
+        const result = await input.rulesRepoClient.fetchPatterns(input.remoteRules.workspace, input.remoteRules.repo);
+        patternsFile = result.patternsFile;
+    }
+    else {
+        patternsFile = await loadPatterns(input.patternsPath);
+    }
+    // 2. Parse diff (never throws)
+    const files = parseDiff(input.rawDiff);
+    // 3. Filter to scannable files
+    const scannable = files.filter((f) => !f.isBinary && !f.isDeleted);
+    // 4. Identify files needing full content (ast-grep patterns)
+    const activePatterns = patternsFile.patterns;
+    const astGrepPatterns = activePatterns.filter((p) => resolveStrategy(p) === 'ast-grep');
+    let fileContentMap;
+    if (input.fileContentFetcher !== undefined && astGrepPatterns.length > 0) {
+        const eligiblePaths = scannable
+            .map((f) => f.newPath)
+            .filter((filePath) => astGrepPatterns.some((p) => fileMatchesGlobs(filePath, p.fileGlobs)));
+        if (eligiblePaths.length > 0) {
+            fileContentMap = await fetchFileContents(eligiblePaths, input.fileContentFetcher);
+        }
+    }
+    // 5. Match patterns against added lines
+    const matches = await matchPatterns(scannable, activePatterns, input.minSeverity, fileContentMap);
+    // 6. Build summary
+    const summary = buildSummary(matches);
+    const duration = Math.round(performance.now() - startMs);
+    return {
+        matches,
+        patternsLoaded: activePatterns.length,
+        filesScanned: scannable.length,
+        duration,
+        summary,
+    };
+}
+function buildSummary(matches) {
+    const bySeverity = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+    };
+    const fileCountMap = new Map();
+    for (const m of matches) {
+        bySeverity[m.severity]++;
+        fileCountMap.set(m.filePath, (fileCountMap.get(m.filePath) ?? 0) + 1);
+    }
+    const byFile = [...fileCountMap.entries()].map(([filePath, count]) => ({ filePath, count }));
+    return {
+        total: matches.length,
+        bySeverity,
+        byFile,
+    };
+}
+//# sourceMappingURL=guard-engine.js.map