npm - proof-pr - Versions diffs - 0.1.2 → 0.1.5 - Mend

proof-pr 0.1.2 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -2,24 +2,37 @@
 ProofPR 的命令行工具。
-ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。
+ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。报告会输出风险等级、0-100 证据评分，以及 Review 门禁建议。
+## 它什么时候运行？
+作为 GitHub Action 使用时，ProofPR 默认在 PR 打开、PR 分支更新、PR 重新打开时运行。普通分支 push 不会单独生成报告。
+报告会出现在 PR 评论区、GitHub Actions job summary 和 PR checks 状态里。
+`v0.1.5` 起还可以输出 GitHub annotations，并通过 `sarif-output` 写出 SARIF 文件。
 ## 使用
 可以直接通过 npm 使用：
 ```bash
-npx proof-pr init
-npx proof-pr scan --base origin/main --head HEAD
-npx proof-pr scan --base origin/main --pr-body-file pr-body.md --format json
+npx proof-pr@latest init
+npx proof-pr@latest init --preset security-strict
+npx proof-pr@latest scan --base origin/main --head HEAD
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
+npx proof-pr@latest scan --base origin/main --pr-body-file pr-body.md --format json
 ```
+可用预设：`balanced`、`open-source-maintainer`、`security-strict`、`ai-generated-pr`、`mcp-security`、`dependency-careful`。
 ## GitHub Action
 ```yaml
-- uses: linsk27/proof-pr@v0.1.2
+- uses: linsk27/proof-pr@v0.1.5
   with:
     fail-on: high
+    comment: "true"
+    annotations: "true"
 ```
 完整文档见仓库 README：

package/dist/index.js CHANGED Viewed

@@ -23111,36 +23111,126 @@ function preprocess(fn, schema) {
 const riskLevelSchema = schemas_enum(["low", "medium", "high"]);
+const localeSchema = schemas_enum(["en", "zh-CN"]);
+const configPresetSchema = schemas_enum([
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+]);
+const CONFIG_PRESETS = [
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+];
+const DEFAULT_SENSITIVE_PATHS = [
+    ".github/workflows/**",
+    ".github/actions/**",
+    "**/.env*",
+    "**/mcp*.json",
+    "**/*mcp*.json",
+    "Dockerfile",
+    "**/Dockerfile",
+    "package.json",
+    "pnpm-lock.yaml",
+    "package-lock.json",
+    "yarn.lock",
+    "bun.lockb",
+    "requirements.txt",
+    "pyproject.toml",
+    "Cargo.toml",
+    "Cargo.lock",
+    "go.mod",
+    "go.sum"
+];
+const DEFAULT_TEST_PATHS = ["src/**", "packages/**/src/**", "app/**", "lib/**"];
+const PRESET_DEFAULTS = {
+    balanced: {},
+    "open-source-maintainer": {
+        riskThreshold: "high",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "security-strict": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".npmrc",
+            "**/.npmrc",
+            ".pypirc",
+            "**/.pypirc",
+            ".dockerignore",
+            "docker-compose*.yml",
+            "**/docker-compose*.yml",
+            ".github/dependabot.yml",
+            ".github/codeql/**",
+            "terraform/**/*.tf",
+            "**/*.pem",
+            "**/*.key"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**"]
+        }
+    },
+    "ai-generated-pr": {
+        riskThreshold: "medium",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**", "components/**"]
+        }
+    },
+    "mcp-security": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".cursor/**",
+            ".vscode/**"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "dependency-careful": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            "poetry.lock",
+            "Pipfile",
+            "Pipfile.lock",
+            "pom.xml",
+            "build.gradle",
+            "build.gradle.kts",
+            "Gemfile",
+            "Gemfile.lock"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    }
+};
 const configSchema = object({
+    preset: configPresetSchema.default("balanced"),
+    locale: localeSchema.default("en"),
     riskThreshold: riskLevelSchema.default("high"),
     ignorePaths: array(schemas_string()).default([]),
-    sensitivePaths: array(schemas_string())
-        .default([
-        ".github/workflows/**",
-        ".github/actions/**",
-        "**/.env*",
-        "**/mcp*.json",
-        "**/*mcp*.json",
-        "Dockerfile",
-        "**/Dockerfile",
-        "package.json",
-        "pnpm-lock.yaml",
-        "package-lock.json",
-        "yarn.lock",
-        "bun.lockb",
-        "requirements.txt",
-        "pyproject.toml",
-        "Cargo.toml",
-        "Cargo.lock",
-        "go.mod",
-        "go.sum"
-    ]),
+    sensitivePaths: array(schemas_string()).default(DEFAULT_SENSITIVE_PATHS),
     requireTests: object({
         enabled: schemas_boolean().default(true),
-        paths: array(schemas_string())
-            .default(["src/**", "packages/**/src/**", "app/**", "lib/**"])
+        paths: array(schemas_string()).default(DEFAULT_TEST_PATHS)
     })
-        .default({ enabled: true, paths: ["src/**", "packages/**/src/**", "app/**", "lib/**"] }),
+        .default({ enabled: true, paths: DEFAULT_TEST_PATHS }),
     secrets: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true }),
     dependencies: object({
         flagNewPackages: schemas_boolean().default(true),
@@ -23150,7 +23240,9 @@ const configSchema = object({
     comment: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true })
 });
 function parseConfig(input) {
-    return configSchema.parse(input ?? {});
+    const raw = isRecord(input) ? input : {};
+    const preset = configPresetSchema.parse(raw.preset ?? "balanced");
+    return configSchema.parse(deepMerge(PRESET_DEFAULTS[preset], raw, { preset }));
 }
 async function loadConfig(path) {
     try {
@@ -23174,6 +23266,37 @@ function riskMeetsThreshold(risk, threshold) {
 function riskRank(risk) {
     return { low: 1, medium: 2, high: 3 }[risk];
 }
+function parseLocale(value, fallback = "en") {
+    const result = localeSchema.safeParse(value);
+    return result.success ? result.data : fallback;
+}
+function parsePreset(value, fallback = "balanced") {
+    const result = configPresetSchema.safeParse(value);
+    return result.success ? result.data : fallback;
+}
+function listConfigPresets() {
+    return CONFIG_PRESETS;
+}
+function deepMerge(...items) {
+    const output = {};
+    for (const item of items) {
+        if (!isRecord(item)) {
+            continue;
+        }
+        for (const [key, value] of Object.entries(item)) {
+            if (isRecord(value) && isRecord(output[key])) {
+                output[key] = deepMerge(output[key], value);
+            }
+            else {
+                output[key] = value;
+            }
+        }
+    }
+    return output;
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 function isMissingFileError(error) {
     return (typeof error === "object" &&
         error !== null &&
@@ -23183,35 +23306,11 @@ function isMissingFileError(error) {
 //# sourceMappingURL=config.js.map
 ;// CONCATENATED MODULE: ../core/dist/reporters.js
 const REPORT_MARKER = "<!-- proof-pr-report -->";
-function renderMarkdownReport(result) {
-    const lines = [
-        REPORT_MARKER,
-        "# ProofPR Review",
-        "",
-        `Risk: **${result.risk}**`,
-        "",
-        "## Evidence",
-        "",
-        `- Files changed: ${result.summary.filesChanged}`,
-        `- Additions: ${result.summary.additions}`,
-        `- Deletions: ${result.summary.deletions}`,
-        `- Test files changed: ${result.summary.testFilesChanged}`,
-        `- Sensitive files changed: ${result.summary.sensitiveFilesChanged}`,
-        `- PR description: ${result.summary.pullRequestDescription}`,
-        `- Verification evidence: ${formatBoolean(result.summary.verificationEvidence)}`,
-        `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
-        ""
-    ];
-    if (result.findings.length === 0) {
-        lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
-        return lines.join("\n");
+function renderMarkdownReport(result, locale = "en") {
+    if (locale === "zh-CN") {
+        return renderChineseMarkdownReport(result);
     }
-    lines.push("## Findings", "");
-    for (const finding of result.findings) {
-        lines.push(formatFinding(finding), "");
-    }
-    lines.push("## Maintainer Focus", "", ...maintainerFocus(result.findings).map((item) => `- ${item}`), "");
-    return lines.join("\n");
+    return renderEnglishMarkdownReport(result);
 }
 function getReportMarker() {
     return REPORT_MARKER;
@@ -23234,7 +23333,7 @@ function renderSarifReport(result) {
                 tool: {
                     driver: {
                         name: "ProofPR",
-                        informationUri: "https://github.com/proof-pr/proof-pr",
+                        informationUri: "https://github.com/linsk27/proof-pr",
                         rules: [...rules.values()]
                     }
                 },
@@ -23256,7 +23355,121 @@ function renderSarifReport(result) {
         ]
     }, null, 2);
 }
-function formatFinding(finding) {
+function renderEnglishMarkdownReport(result) {
+    const lines = [
+        REPORT_MARKER,
+        "# ProofPR Review",
+        "",
+        `Risk: **${result.risk}**`,
+        `Evidence score: **${result.evidenceScore.value}/100 (${formatEvidenceGrade(result.evidenceScore.grade, "en")})**`,
+        `Review gate: **${formatReviewDecision(result.reviewDecision, "en")}**`,
+        "",
+        "## Evidence",
+        "",
+        `- Files changed: ${result.summary.filesChanged}`,
+        `- Additions: ${result.summary.additions}`,
+        `- Deletions: ${result.summary.deletions}`,
+        `- Test files changed: ${result.summary.testFilesChanged}`,
+        `- Sensitive files changed: ${result.summary.sensitiveFilesChanged}`,
+        `- PR description: ${result.summary.pullRequestDescription}`,
+        `- Verification evidence: ${formatBoolean(result.summary.verificationEvidence)}`,
+        `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
+        ""
+    ];
+    appendEvidenceScoreSection(lines, result, "en");
+    appendReviewPlanSection(lines, result, "en");
+    if (result.findings.length === 0) {
+        lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
+        return lines.join("\n");
+    }
+    lines.push("## Findings", "");
+    for (const finding of result.findings) {
+        lines.push(formatEnglishFinding(finding), "");
+    }
+    lines.push("## Maintainer Focus", "", ...maintainerFocus(result.findings, "en").map((item) => `- ${item}`), "");
+    return lines.join("\n");
+}
+function renderChineseMarkdownReport(result) {
+    const lines = [
+        REPORT_MARKER,
+        "# ProofPR 审查报告",
+        "",
+        `风险等级：**${translateRisk(result.risk)}**`,
+        `证据评分：**${result.evidenceScore.value}/100（${formatEvidenceGrade(result.evidenceScore.grade, "zh-CN")}）**`,
+        `Review 门禁：**${formatReviewDecision(result.reviewDecision, "zh-CN")}**`,
+        "",
+        "## 证据概览",
+        "",
+        `- 改动文件数：${result.summary.filesChanged}`,
+        `- 新增行数：${result.summary.additions}`,
+        `- 删除行数：${result.summary.deletions}`,
+        `- 测试文件改动数：${result.summary.testFilesChanged}`,
+        `- 敏感文件改动数：${result.summary.sensitiveFilesChanged}`,
+        `- PR 描述质量：${translateDescriptionState(result.summary.pullRequestDescription)}`,
+        `- 验证证据：${formatChineseBoolean(result.summary.verificationEvidence)}`,
+        `- 复现上下文：${formatChineseBoolean(result.summary.reproductionEvidence)}`,
+        ""
+    ];
+    appendEvidenceScoreSection(lines, result, "zh-CN");
+    appendReviewPlanSection(lines, result, "zh-CN");
+    if (result.findings.length === 0) {
+        lines.push("## 风险发现", "", "启用的规则没有发现需要优先关注的 review 风险。", "");
+        return lines.join("\n");
+    }
+    lines.push("## 风险发现", "");
+    for (const finding of result.findings) {
+        lines.push(formatChineseFinding(finding), "");
+    }
+    lines.push("## 维护者关注点", "", ...maintainerFocus(result.findings, "zh-CN").map((item) => `- ${item}`), "");
+    return lines.join("\n");
+}
+function appendEvidenceScoreSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## 证据评分细节" : "## Evidence Score", "");
+    if (result.evidenceScore.strengths.length > 0) {
+        for (const strength of result.evidenceScore.strengths) {
+            lines.push(locale === "zh-CN"
+                ? `- 证据优势：${translateScoreMessage(strength)}`
+                : `- Strength: ${strength}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 证据优势：暂无明显优势信号。" : "- Strength: No strong evidence signals detected.");
+    }
+    if (result.evidenceScore.deductions.length > 0) {
+        for (const deduction of result.evidenceScore.deductions) {
+            lines.push(locale === "zh-CN"
+                ? `- 扣分项：-${deduction.points}，${translateDeduction(deduction.reasonId, deduction.message)}`
+                : `- Deduction: -${deduction.points}, ${deduction.message}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 扣分项：无。" : "- Deduction: none.");
+    }
+    lines.push("");
+}
+function appendReviewPlanSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## Review 行动清单" : "## Review Plan", "");
+    if (result.reviewPlan.actionItems.length > 0) {
+        for (const action of result.reviewPlan.actionItems) {
+            lines.push(locale === "zh-CN"
+                ? `- [ ] ${translateReviewActionTitle(action.actionId, action.title)}（${formatPriority(action.priority, locale)}）：${translateReviewActionDetail(action.actionId, action.detail)}`
+                : `- [ ] ${action.title} (${formatPriority(action.priority, locale)}): ${action.detail}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- [ ] 没有额外行动项。" : "- [ ] No additional action items.");
+    }
+    if (result.reviewPlan.focusFiles.length > 0) {
+        lines.push("", locale === "zh-CN" ? "重点文件：" : "Focus files:");
+        for (const file of result.reviewPlan.focusFiles) {
+            lines.push(locale === "zh-CN"
+                ? `- \`${file.path}\`（${formatPriority(file.priority, locale)}）：${translateFocusReason(file.reasonId, file.reason)}`
+                : `- \`${file.path}\` (${formatPriority(file.priority, locale)}): ${file.reason}`);
+        }
+    }
+    lines.push("");
+}
+function formatEnglishFinding(finding) {
     const lines = [
         `### ${finding.title}`,
         "",
@@ -23276,39 +23489,270 @@ function formatFinding(finding) {
     }
     return lines.join("\n");
 }
-function maintainerFocus(findings) {
+function formatChineseFinding(finding) {
+    const translated = translateFinding(finding);
+    const lines = [
+        `### ${translated.title}`,
+        "",
+        `- 规则：\`${finding.ruleId}\``,
+        `- 严重程度：\`${translateSeverity(finding.severity)}\``,
+        finding.path ? `- 路径：\`${finding.path}\`` : undefined,
+        `- 详情：${translated.message}`
+    ].filter((line) => Boolean(line));
+    if (finding.evidence && finding.evidence.length > 0) {
+        lines.push("- 证据：");
+        for (const item of finding.evidence) {
+            lines.push(`  - \`${translateEvidence(item)}\``);
+        }
+    }
+    if (translated.recommendation) {
+        lines.push(`- 建议：${translated.recommendation}`);
+    }
+    return lines.join("\n");
+}
+function maintainerFocus(findings, locale) {
     const focus = new Set();
     for (const finding of findings) {
         if (finding.ruleId.startsWith("secret-detected")) {
-            focus.add("Rotate any exposed credential and block the PR until secrets are removed.");
+            focus.add(locale === "zh-CN"
+                ? "轮换任何可能暴露的凭证，并在移除 secret 前阻止合并。"
+                : "Rotate any exposed credential and block the PR until secrets are removed.");
         }
         else if (finding.ruleId === "workflow-permission-change") {
-            focus.add("Review GitHub Actions permissions before merging.");
+            focus.add(locale === "zh-CN"
+                ? "合并前重点审查 GitHub Actions 权限。"
+                : "Review GitHub Actions permissions before merging.");
         }
         else if (finding.ruleId === "missing-tests") {
-            focus.add("Ask for tests or a manual verification note.");
+            focus.add(locale === "zh-CN"
+                ? "要求补充测试或清晰的手动验证说明。"
+                : "Ask for tests or a manual verification note.");
         }
         else if (finding.ruleId === "thin-pr-description") {
-            focus.add("Ask for a clearer PR description before deep review.");
+            focus.add(locale === "zh-CN"
+                ? "深入 review 前要求补充更清楚的 PR 描述。"
+                : "Ask for a clearer PR description before deep review.");
         }
         else if (finding.ruleId === "missing-reproduction-context") {
-            focus.add("Ask for reproduction steps or before/after context.");
+            focus.add(locale === "zh-CN"
+                ? "要求补充复现步骤或 before/after 上下文。"
+                : "Ask for reproduction steps or before/after context.");
         }
         else if (finding.ruleId === "change-size") {
-            focus.add("Request a smaller PR or a file-by-file review guide.");
+            focus.add(locale === "zh-CN"
+                ? "要求拆分 PR，或提供逐文件 review 指南。"
+                : "Request a smaller PR or a file-by-file review guide.");
         }
         else if (finding.ruleId === "mcp-credential-risk") {
-            focus.add("Review MCP commands, args, and credential handling.");
+            focus.add(locale === "zh-CN"
+                ? "重点审查 MCP command、args 和凭证处理方式。"
+                : "Review MCP commands, args, and credential handling.");
         }
     }
     if (focus.size === 0) {
-        focus.add("Review the listed sensitive files and ask for evidence where context is thin.");
+        focus.add(locale === "zh-CN"
+            ? "审查列出的敏感文件；如果上下文不足，要求贡献者补充证据。"
+            : "Review the listed sensitive files and ask for evidence where context is thin.");
     }
     return [...focus];
 }
+function translateFinding(finding) {
+    if (finding.ruleId === "change-size") {
+        const files = finding.evidence?.find((item) => item.startsWith("files: "))?.replace("files: ", "");
+        const lines = finding.evidence?.find((item) => item.startsWith("changed lines: "))?.replace("changed lines: ", "");
+        return {
+            title: finding.severity === "high" ? "review 面积过大" : "review 面积偏大",
+            message: files && lines ? `该改动涉及 ${files} 个文件、${lines} 行变更。` : finding.message,
+            recommendation: finding.severity === "high"
+                ? "建议要求拆分 PR，或提供清晰的 review map 后再投入深度 review。"
+                : "建议要求贡献者解释改动边界，并标出最需要重点 review 的文件。"
+        };
+    }
+    if (finding.ruleId === "sensitive-path") {
+        return {
+            title: "敏感文件发生变更",
+            message: finding.path ? `${finding.path} 命中了敏感路径配置。` : finding.message,
+            recommendation: "请重点审查权限、凭证、发布、依赖和 CI 相关变更。"
+        };
+    }
+    if (finding.ruleId === "missing-tests") {
+        return {
+            title: "缺少验证证据",
+            message: "代码发生变更，但没有检测到测试文件改动或 PR 验证说明。",
+            recommendation: "建议要求补充测试，或提供清晰的手动验证说明后再深入 review。"
+        };
+    }
+    if (finding.ruleId === "thin-pr-description") {
+        const missing = finding.title.toLowerCase().includes("missing");
+        return {
+            title: missing ? "PR 描述为空" : "PR 描述过薄",
+            message: missing ? "PR 正文为空，维护者缺少 review 前的上下文。" : "PR 正文较短，可能不足以支撑有效 review。",
+            recommendation: "建议要求补充改动动机、验证证据、兼容性和发布影响说明。"
+        };
+    }
+    if (finding.ruleId === "missing-reproduction-context") {
+        return {
+            title: "缺少复现或 before/after 上下文",
+            message: "PR 未提到复现步骤、预期行为、实际行为或 before/after 说明。",
+            recommendation: "建议要求补充复现步骤或 before/after 说明，方便 reviewer 验证改动路径。"
+        };
+    }
+    if (finding.ruleId === "dependency-added") {
+        return {
+            title: "依赖清单发生变更",
+            message: finding.path ? `${finding.path} 中新增或修改了类似依赖的条目。` : finding.message,
+            recommendation: "请确认包名、许可证、来源可信度，以及 lockfile 是否匹配预期依赖变化。"
+        };
+    }
+    if (finding.ruleId === "workflow-permission-change") {
+        return {
+            title: "Workflow 权限发生变更",
+            message: finding.path ? `${finding.path} 新增或修改了 GitHub Actions 权限。` : finding.message,
+            recommendation: "请确认 workflow 是否真的需要写权限或 token 权限，并检查不可信 PR 是否能触达该 workflow。"
+        };
+    }
+    if (finding.ruleId === "mcp-credential-risk") {
+        return {
+            title: "MCP 配置需要重点审查",
+            message: finding.path ? `${finding.path} 新增了与命令或凭证相关的 MCP 配置。` : finding.message,
+            recommendation: "避免在 MCP 配置中提交凭证，并审查 command 与 args 是否会扩大本地执行面。"
+        };
+    }
+    if (finding.ruleId.startsWith("secret-detected")) {
+        return {
+            title: "可能提交了 secret",
+            message: finding.message.replace("Added line looks like it contains", "新增行疑似包含"),
+            recommendation: "请将凭证移到 secret manager 或 CI secret store，轮换任何已暴露的值，并只提交占位符。"
+        };
+    }
+    return finding;
+}
+function translateEvidence(item) {
+    return item
+        .replace("files: ", "文件数：")
+        .replace("changed lines: ", "变更行数：")
+        .replace("line ", "第 ")
+        .replace(": ", " 行：");
+}
+function translateRisk(risk) {
+    return { low: "低", medium: "中", high: "高" }[risk] ?? risk;
+}
+function translateSeverity(severity) {
+    return { info: "信息", low: "低", medium: "中", high: "高" }[severity] ?? severity;
+}
+function translateDescriptionState(state) {
+    return { unavailable: "不可用", missing: "缺失", thin: "过薄", present: "充足" }[state] ?? state;
+}
+function formatEvidenceGrade(grade, locale) {
+    if (locale === "zh-CN") {
+        return {
+            strong: "证据充分",
+            adequate: "基本充分",
+            thin: "证据偏薄",
+            risky: "证据不足"
+        }[grade] ?? grade;
+    }
+    return grade;
+}
+function formatReviewDecision(decision, locale) {
+    if (locale === "zh-CN") {
+        return {
+            ready: "可以进入常规 review",
+            "review-carefully": "带着重点进入 review",
+            "needs-evidence": "先要求补充证据",
+            "block-merge": "处理风险前不建议合并"
+        }[decision] ?? decision;
+    }
+    return {
+        ready: "Ready for normal review",
+        "review-carefully": "Review with focused attention",
+        "needs-evidence": "Ask for evidence before deep review",
+        "block-merge": "Block merge until risks are handled"
+    }[decision] ?? decision;
+}
+function formatPriority(priority, locale) {
+    if (locale === "zh-CN") {
+        return { low: "低优先级", medium: "中优先级", high: "高优先级" }[priority] ?? priority;
+    }
+    return `${priority} priority`;
+}
+function translateReviewActionTitle(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "风险处理前不要合并",
+        "ask-for-evidence-before-review": "深入 review 前先要求补充证据",
+        "review-with-focus": "带着重点清单进行 review",
+        "normal-review": "进入常规 review",
+        "improve-pr-description": "要求补充更清楚的 PR 描述",
+        "add-verification-evidence": "要求补充测试或手动验证证据",
+        "add-reproduction-context": "要求补充复现或 before/after 上下文",
+        "rotate-secret": "轮换并移除暴露的凭证",
+        "justify-workflow-permissions": "要求说明 workflow 权限最小化理由",
+        "review-mcp-execution-surface": "审查 MCP 命令、参数和凭证处理",
+        "request-review-map-or-split": "要求拆分 PR 或提供逐文件 review map",
+        "verify-dependency-change": "核查依赖来源和 lockfile 影响",
+        "assign-sensitive-file-review": "安排敏感文件重点 review"
+    }[actionId] ?? fallback;
+}
+function translateReviewActionDetail(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "在高风险 finding 被解释、降低或移除前，把这个 PR 视为不可合并。",
+        "ask-for-evidence-before-review": "要求测试、截图、复现步骤或更清楚的 PR 描述，再投入详细 review。",
+        "review-with-focus": "优先使用下面的风险发现和重点文件作为第一轮 review map。",
+        "normal-review": "当前证据足够支撑维护者进行常规 review。",
+        "improve-pr-description": "贡献者应说明为什么改、改了什么、如何验证，以及是否有发布或兼容性风险。",
+        "add-verification-evidence": "要求测试输出、CI 链接、截图，或简短的手动验证说明。",
+        "add-reproduction-context": "PR 应包含复现步骤、预期/实际行为，或相关 before/after 截图。",
+        "rotate-secret": "在 secret 从 PR 中移除并完成轮换前，不要合并。",
+        "justify-workflow-permissions": "确认写权限或 OIDC 是否必要，并检查不可信 PR 是否能触发该 workflow。",
+        "review-mcp-execution-surface": "检查 MCP 配置是否提交凭证，或意外扩大本地执行面。",
+        "request-review-map-or-split": "要求贡献者拆分无关改动，或标出最需要重点 review 的文件。",
+        "verify-dependency-change": "检查包名、维护者、许可证、安装脚本，以及 lockfile 是否符合预期依赖变化。",
+        "assign-sensitive-file-review": "合并前由维护者有意识地检查敏感文件改动。"
+    }[actionId] ?? fallback;
+}
+function translateFocusReason(reasonId, fallback) {
+    return {
+        "change-size": "review 面积相关 finding",
+        "sensitive-path": "敏感路径发生变更",
+        "dependency-added": "依赖清单发生变更",
+        "workflow-permission-change": "workflow 权限发生变更",
+        "mcp-credential-risk": "MCP 配置存在执行面或凭证风险",
+        "missing-tests": "代码改动缺少测试或验证证据"
+    }[reasonId] ?? fallback;
+}
+function translateScoreMessage(message) {
+    return {
+        "PR description provides review context.": "PR 描述提供了 review 上下文。",
+        "Verification evidence was found.": "检测到测试或手动验证证据。",
+        "Reproduction or before/after context was found.": "检测到复现步骤或 before/after 上下文。",
+        "Test files changed with the PR.": "PR 同时修改了测试文件。",
+        "No configured sensitive files changed.": "没有改动已配置的敏感文件。"
+    }[message] ?? message;
+}
+function translateDeduction(reasonId, fallback) {
+    return {
+        "missing-pr-description": "PR 描述缺失。",
+        "thin-pr-description": "PR 描述过薄，不足以支撑可靠 review。",
+        "no-pr-context": "扫描时没有可用的 PR 描述上下文。",
+        "missing-verification": "没有检测到测试或手动验证证据。",
+        "missing-reproduction-context": "没有检测到复现步骤、before/after 或预期/实际上下文。",
+        "secret-detected": "检测到疑似已提交 secret。",
+        "workflow-permission-change": "Workflow 权限变化需要重点审查。",
+        "mcp-credential-risk": "MCP 配置扩大了本地执行面或凭证风险。",
+        "large-review-surface": "PR 规模过大，常规 review 可靠性会下降。",
+        "broad-review-surface": "PR review 面积偏大。",
+        "sensitive-path-high": "高敏感文件发生变更，需要重点 review。",
+        "sensitive-path-medium": "敏感文件发生变更，需要重点 review。",
+        "dependency-change": "依赖清单发生变更。",
+        "missing-tests": "代码发生变更，但缺少测试变更或验证说明。"
+    }[reasonId] ?? fallback;
+}
 function formatBoolean(value) {
     return value ? "yes" : "no";
 }
+function formatChineseBoolean(value) {
+    return value ? "有" : "无";
+}
 function sarifLevel(severity) {
     if (severity === "high") {
         return "error";
@@ -23579,6 +24023,29 @@ function redactLine(line) {
+const PACKAGE_JSON_NON_DEPENDENCY_KEYS = new Set([
+    "author",
+    "bin",
+    "bugs",
+    "description",
+    "engines",
+    "exports",
+    "files",
+    "homepage",
+    "keywords",
+    "license",
+    "main",
+    "module",
+    "name",
+    "packageManager",
+    "private",
+    "publishConfig",
+    "repository",
+    "scripts",
+    "type",
+    "types",
+    "version"
+]);
 function analyzeDiffFiles(files, config, pullRequest) {
     const activeFiles = files.filter((file) => !matchesAny(file.path, config.ignorePaths));
     const findings = [];
@@ -23718,9 +24185,7 @@ function analyzeDependencyChanges(files, config) {
     }
     const findings = [];
     for (const file of files.filter((candidate) => isDependencyManifest(candidate.path))) {
-        const addedDependencyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => isDependencyLikeAddition(file.path, line));
+        const addedDependencyLines = file.addedLines.filter((line) => isDependencyLikeAddition(file.path, line.value.trim()));
         if (addedDependencyLines.length === 0) {
             continue;
         }
@@ -23730,7 +24195,7 @@ function analyzeDependencyChanges(files, config) {
             message: `${file.path} adds or changes dependency-like entries.`,
             severity: "medium",
             path: file.path,
-            evidence: addedDependencyLines.slice(0, 5),
+            evidence: addedDependencyLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
         });
     }
@@ -23738,7 +24203,15 @@ function analyzeDependencyChanges(files, config) {
 }
 function isDependencyLikeAddition(path, line) {
     if (path.endsWith("package.json")) {
-        return /^"[@A-Za-z0-9_.-]+"\s*:\s*"(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)[^"]*"/.test(line);
+        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<value>[^"]*)"/.exec(line);
+        if (!match?.groups) {
+            return false;
+        }
+        const { key, value } = match.groups;
+        if (!key || !value || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
+            return false;
+        }
+        return /^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(value);
     }
     if (path.endsWith("requirements.txt")) {
         return /^[A-Za-z0-9_.-]+(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*[^#\s]+/.test(line);
@@ -23754,9 +24227,7 @@ function isDependencyLikeAddition(path, line) {
 function analyzeWorkflowPermissions(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isWorkflowPath(candidate.path))) {
-        const permissionLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line));
+        const permissionLines = file.addedLines.filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line.value.trim()));
         if (permissionLines.length === 0) {
             continue;
         }
@@ -23766,7 +24237,7 @@ function analyzeWorkflowPermissions(files) {
             message: `${file.path} adds or changes GitHub Actions permissions.`,
             severity: "high",
             path: file.path,
-            evidence: permissionLines.slice(0, 5),
+            evidence: permissionLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Check whether the workflow really needs write or token permissions and whether untrusted pull requests can reach it."
         });
     }
@@ -23775,9 +24246,7 @@ function analyzeWorkflowPermissions(files) {
 function analyzeMcpConfigs(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isMcpConfigPath(candidate.path))) {
-        const riskyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line));
+        const riskyLines = file.addedLines.filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line.value.trim()));
         if (riskyLines.length === 0) {
             continue;
         }
@@ -23787,12 +24256,16 @@ function analyzeMcpConfigs(files) {
             message: `${file.path} adds MCP configuration lines related to commands or credentials.`,
             severity: "high",
             path: file.path,
-            evidence: riskyLines.slice(0, 5),
+            evidence: riskyLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Avoid committing credentials in MCP config. Review command and args values as local execution surface."
         });
     }
     return findings;
 }
+function formatEvidenceLine(line) {
+    const value = line.value.trim();
+    return line.lineNumber ? `line ${line.lineNumber}: ${value}` : value;
+}
 function sensitivePathSeverity(path) {
     if (matchesAny(path, [
         "**/.env*",
@@ -23815,8 +24288,14 @@ function scanDiff(diffText, options = {}) {
     const files = parseUnifiedDiff(diffText);
     const findings = dedupeFindings(analyzeDiffFiles(files, config, options.pullRequest));
     const summary = summarizeDiffFiles(files, config, options.pullRequest);
+    const risk = calculateRisk(findings);
+    const evidenceScore = calculateEvidenceScore(summary, findings);
+    const reviewDecision = calculateReviewDecision(risk, evidenceScore, findings);
     return {
-        risk: calculateRisk(findings),
+        risk,
+        evidenceScore,
+        reviewDecision,
+        reviewPlan: buildReviewPlan(reviewDecision, findings, evidenceScore),
         summary,
         findings
     };
@@ -23833,6 +24312,325 @@ function calculateRisk(findings) {
     }
     return "low";
 }
+function calculateEvidenceScore(summary, findings) {
+    const deductions = new Map();
+    const addDeduction = (reasonId, points, message) => {
+        const existing = deductions.get(reasonId);
+        if (existing) {
+            existing.points = Math.max(existing.points, points);
+            return;
+        }
+        deductions.set(reasonId, { message, points });
+    };
+    if (summary.pullRequestDescription === "missing") {
+        addDeduction("missing-pr-description", 25, "PR description is missing.");
+    }
+    else if (summary.pullRequestDescription === "thin") {
+        addDeduction("thin-pr-description", 15, "PR description is too thin for confident review.");
+    }
+    else if (summary.pullRequestDescription === "unavailable") {
+        addDeduction("no-pr-context", 10, "PR description was not available to the scanner.");
+    }
+    const needsVerificationEvidence = findings.some((finding) => [
+        "change-size",
+        "sensitive-path",
+        "missing-tests",
+        "dependency-added",
+        "workflow-permission-change",
+        "mcp-credential-risk"
+    ].includes(finding.ruleId));
+    if (needsVerificationEvidence && !summary.verificationEvidence) {
+        addDeduction("missing-verification", 20, "No test or manual verification evidence was found.");
+    }
+    if ((summary.sensitiveFilesChanged > 0 || summary.filesChanged >= 5) && !summary.reproductionEvidence) {
+        addDeduction("missing-reproduction-context", 15, "No reproduction, before/after, or expected/actual context was found.");
+    }
+    for (const finding of findings) {
+        if (finding.ruleId.startsWith("secret-detected")) {
+            addDeduction("secret-detected", 40, "Possible committed secret detected.");
+        }
+        else if (finding.ruleId === "workflow-permission-change") {
+            addDeduction("workflow-permission-change", 25, "Workflow permission changes need deliberate review.");
+        }
+        else if (finding.ruleId === "mcp-credential-risk") {
+            addDeduction("mcp-credential-risk", 25, "MCP configuration expands local execution or credential risk.");
+        }
+        else if (finding.ruleId === "change-size") {
+            addDeduction(finding.severity === "high" ? "large-review-surface" : "broad-review-surface", finding.severity === "high" ? 20 : 10, finding.severity === "high"
+                ? "The PR is large enough that normal review is likely unreliable."
+                : "The PR has a broad review surface.");
+        }
+        else if (finding.ruleId === "sensitive-path") {
+            addDeduction(`sensitive-path-${finding.severity}`, finding.severity === "high" ? 20 : 10, "Sensitive files changed and need focused review.");
+        }
+        else if (finding.ruleId === "dependency-added") {
+            addDeduction("dependency-change", 10, "Dependency manifest changed.");
+        }
+        else if (finding.ruleId === "missing-tests") {
+            addDeduction("missing-tests", finding.severity === "medium" ? 20 : 12, "Code changed without test changes or verification notes.");
+        }
+    }
+    const strengths = collectEvidenceStrengths(summary);
+    const value = clampScore(100 - [...deductions.values()].reduce((sum, item) => sum + item.points, 0));
+    return {
+        value,
+        grade: gradeEvidenceScore(value),
+        strengths,
+        deductions: [...deductions.entries()].map(([reasonId, item]) => ({
+            reasonId,
+            message: item.message,
+            points: item.points
+        }))
+    };
+}
+function collectEvidenceStrengths(summary) {
+    const strengths = [];
+    if (summary.pullRequestDescription === "present") {
+        strengths.push("PR description provides review context.");
+    }
+    if (summary.verificationEvidence) {
+        strengths.push("Verification evidence was found.");
+    }
+    if (summary.reproductionEvidence) {
+        strengths.push("Reproduction or before/after context was found.");
+    }
+    if (summary.testFilesChanged > 0) {
+        strengths.push("Test files changed with the PR.");
+    }
+    if (summary.filesChanged > 0 && summary.sensitiveFilesChanged === 0) {
+        strengths.push("No configured sensitive files changed.");
+    }
+    return strengths;
+}
+function gradeEvidenceScore(value) {
+    if (value >= 85) {
+        return "strong";
+    }
+    if (value >= 70) {
+        return "adequate";
+    }
+    if (value >= 50) {
+        return "thin";
+    }
+    return "risky";
+}
+function calculateReviewDecision(risk, evidenceScore, findings) {
+    const hasBlockingSecurityFinding = findings.some((finding) => finding.ruleId.startsWith("secret-detected") ||
+        finding.ruleId === "workflow-permission-change" ||
+        finding.ruleId === "mcp-credential-risk");
+    if (hasBlockingSecurityFinding || evidenceScore.value < 50 || risk === "high") {
+        return "block-merge";
+    }
+    if (evidenceScore.value < 70 || findings.some((finding) => finding.ruleId === "missing-tests" || finding.ruleId === "thin-pr-description")) {
+        return "needs-evidence";
+    }
+    if (risk === "medium") {
+        return "review-carefully";
+    }
+    return "ready";
+}
+function clampScore(value) {
+    return Math.max(0, Math.min(100, value));
+}
+function buildReviewPlan(reviewDecision, findings, evidenceScore) {
+    const actionItems = dedupeReviewActions([
+        ...reviewDecisionActions(reviewDecision),
+        ...evidenceScoreActions(evidenceScore),
+        ...findings.flatMap((finding) => reviewActionsForFinding(finding))
+    ]);
+    const focusFiles = dedupeFocusFiles(findings
+        .filter((finding) => finding.path)
+        .map((finding) => ({
+        path: finding.path,
+        reasonId: finding.ruleId,
+        reason: finding.title,
+        priority: finding.severity === "high" ? "high" : finding.severity === "medium" ? "medium" : "low"
+    })));
+    return {
+        actionItems: actionItems.slice(0, 8),
+        focusFiles: focusFiles.slice(0, 8)
+    };
+}
+function reviewDecisionActions(reviewDecision) {
+    if (reviewDecision === "block-merge") {
+        return [
+            {
+                actionId: "block-merge-until-resolved",
+                title: "Block merge until the flagged risks are handled.",
+                detail: "Treat this PR as not ready for merge until the high-risk findings are explained, reduced, or removed.",
+                priority: "high",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "needs-evidence") {
+        return [
+            {
+                actionId: "ask-for-evidence-before-review",
+                title: "Ask for missing evidence before deep review.",
+                detail: "Request tests, screenshots, reproduction steps, or a clearer PR description before spending detailed review time.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "review-carefully") {
+        return [
+            {
+                actionId: "review-with-focus",
+                title: "Review with a focused checklist.",
+                detail: "Use the findings and focus files below as the first-pass review map.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    return [
+        {
+            actionId: "normal-review",
+            title: "Proceed with normal review.",
+            detail: "The PR has enough evidence for a standard maintainer review pass.",
+            priority: "low",
+            relatedRuleIds: []
+        }
+    ];
+}
+function evidenceScoreActions(evidenceScore) {
+    return evidenceScore.deductions.flatMap((deduction) => {
+        if (deduction.reasonId === "missing-pr-description" ||
+            deduction.reasonId === "thin-pr-description" ||
+            deduction.reasonId === "no-pr-context") {
+            return [
+                {
+                    actionId: "improve-pr-description",
+                    title: "Ask for a clearer PR description.",
+                    detail: "The contributor should explain why the change is needed, what changed, how it was verified, and any rollout or compatibility risk.",
+                    priority: "medium",
+                    relatedRuleIds: ["thin-pr-description"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-verification" || deduction.reasonId === "missing-tests") {
+            return [
+                {
+                    actionId: "add-verification-evidence",
+                    title: "Ask for test or manual verification evidence.",
+                    detail: "Require test output, CI links, screenshots, or a short manual verification note before approving.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-tests"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-reproduction-context") {
+            return [
+                {
+                    actionId: "add-reproduction-context",
+                    title: "Ask for reproduction or before/after context.",
+                    detail: "The PR should include steps to reproduce, expected and actual behavior, or before/after screenshots where relevant.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-reproduction-context"]
+                }
+            ];
+        }
+        return [];
+    });
+}
+function reviewActionsForFinding(finding) {
+    if (finding.ruleId.startsWith("secret-detected")) {
+        return [
+            {
+                actionId: "rotate-secret",
+                title: "Rotate and remove the exposed credential.",
+                detail: "Do not merge until the secret is removed from the PR and any exposed value has been rotated.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "workflow-permission-change") {
+        return [
+            {
+                actionId: "justify-workflow-permissions",
+                title: "Require a least-privilege explanation for workflow permissions.",
+                detail: "Confirm whether write permissions or OIDC are necessary and whether untrusted PRs can reach this workflow.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "mcp-credential-risk") {
+        return [
+            {
+                actionId: "review-mcp-execution-surface",
+                title: "Review MCP commands, args, and credential handling.",
+                detail: "Check that MCP config does not commit secrets and does not unexpectedly expand local execution surface.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "change-size") {
+        return [
+            {
+                actionId: "request-review-map-or-split",
+                title: "Request a smaller PR or a file-by-file review map.",
+                detail: "Ask the contributor to split unrelated changes or identify the files that need the closest review.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-added") {
+        return [
+            {
+                actionId: "verify-dependency-change",
+                title: "Verify dependency provenance and lockfile impact.",
+                detail: "Check package name, maintainer, license, install scripts, and whether the lockfile matches the intended dependency change.",
+                priority: "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "sensitive-path") {
+        return [
+            {
+                actionId: "assign-sensitive-file-review",
+                title: "Assign focused review for sensitive files.",
+                detail: "Have a maintainer deliberately inspect the sensitive file changes before approval.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    return [];
+}
+function dedupeReviewActions(actions) {
+    const seen = new Set();
+    const unique = [];
+    for (const action of actions.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(action.actionId)) {
+            continue;
+        }
+        seen.add(action.actionId);
+        unique.push(action);
+    }
+    return unique;
+}
+function dedupeFocusFiles(files) {
+    const seen = new Set();
+    const unique = [];
+    for (const file of files.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(file.path)) {
+            continue;
+        }
+        seen.add(file.path);
+        unique.push(file);
+    }
+    return unique;
+}
+function priorityRank(priority) {
+    return { low: 1, medium: 2, high: 3 }[priority];
+}
 function dedupeFindings(findings) {
     const seen = new Set();
     const unique = [];
@@ -23866,7 +24664,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.2");
+    .version("0.1.5");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -23878,6 +24676,7 @@ build_program
     .option("--pr-body-file <path>", "Read a pull request body from a Markdown file.")
     .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
     .option("--format <format>", "Output format: markdown, json, or sarif.", parseFormat, "markdown")
+    .option("--locale <locale>", "Report language: en or zh-CN.")
     .option("--fail-on <level>", "Exit with code 1 on risk level: low, medium, high, or never.", parseFailLevel, "never")
     .action(async (options) => {
     const diffText = options.diffFile
@@ -23889,7 +24688,8 @@ build_program
         ? { title: options.prTitle, body: prBody }
         : undefined;
     const result = scanDiff(diffText, { config, pullRequest });
-    const output = renderOutput(result, options.format);
+    const locale = parseLocale(options.locale, config.locale);
+    const output = renderOutput(result, options.format, locale);
     process.stdout.write(`${output}\n`);
     if (riskMeetsThreshold(result.risk, options.failOn)) {
         process.exitCode = 1;
@@ -23900,10 +24700,11 @@ build_program
     .description("Create a starter .proofpr.yml and GitHub Actions workflow.")
     .option("--config-path <path>", "Path to write the ProofPR configuration file.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to write the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--preset <preset>", `Config preset: ${listConfigPresets().join(", ")}.`, parsePresetOption, "open-source-maintainer")
     .option("--fail-on <level>", "Workflow failure threshold: low, medium, high, or never.", parseFailLevel, "high")
     .option("--force", "Overwrite existing files.", false)
     .action(async (options) => {
-    await writeIfMissing(options.configPath, renderConfigTemplate(), options.force);
+    await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
     process.stdout.write(`ProofPR initialized:\n- ${options.configPath}\n- ${options.workflowPath}\n`);
 });
@@ -23942,40 +24743,55 @@ async function pathExists(path) {
         return false;
     }
 }
-function renderConfigTemplate() {
-    return `riskThreshold: high
-sensitivePaths:
-  - ".github/workflows/**"
-  - ".github/actions/**"
-  - "**/.env*"
-  - "**/mcp*.json"
-  - "**/*mcp*.json"
-  - "Dockerfile"
-  - "**/Dockerfile"
-  - "package.json"
-  - "pnpm-lock.yaml"
-  - "package-lock.json"
-  - "yarn.lock"
-  - "bun.lockb"
-requireTests:
-  enabled: true
-  paths:
-    - "src/**"
-    - "packages/**/src/**"
-    - "app/**"
-    - "lib/**"
-secrets:
-  enabled: true
-dependencies:
-  flagNewPackages: true
-  flagMajorUpgrades: true
+function renderConfigTemplate(preset) {
+    return `locale: zh-CN
+preset: ${preset}
 comment:
   enabled: true
+# 如需更严格或更宽松，可以先换 preset：
+# preset: security-strict
+#
+# 可用预设：
+# - balanced
+# - open-source-maintainer
+# - security-strict
+# - ai-generated-pr
+# - mcp-security
+# - dependency-careful
+#
+# 也可以取消注释下面这些字段，覆盖 preset 的默认值。
+# riskThreshold: high
+#
+# sensitivePaths:
+#   - ".github/workflows/**"
+#   - ".github/actions/**"
+#   - "**/.env*"
+#   - "**/mcp*.json"
+#   - "**/*mcp*.json"
+#   - "Dockerfile"
+#   - "**/Dockerfile"
+#   - "package.json"
+#   - "pnpm-lock.yaml"
+#   - "package-lock.json"
+#   - "yarn.lock"
+#   - "bun.lockb"
+#
+# requireTests:
+#   enabled: true
+#   paths:
+#     - "src/**"
+#     - "packages/**/src/**"
+#     - "app/**"
+#     - "lib/**"
+#
+# secrets:
+#   enabled: true
+#
+# dependencies:
+#   flagNewPackages: true
+#   flagMajorUpgrades: true
 `;
 }
 function renderWorkflowTemplate(failOn) {
@@ -23994,20 +24810,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.1
+      - uses: linsk27/proof-pr@v0.1.5
         with:
           fail-on: ${failOn}
           comment: "true"
+          annotations: "true"
 `;
 }
-function renderOutput(result, format) {
+function renderOutput(result, format, locale) {
     if (format === "json") {
         return JSON.stringify(result, null, 2);
     }
     if (format === "sarif") {
         return renderSarifReport(result);
     }
-    return renderMarkdownReport(result);
+    return renderMarkdownReport(result, locale);
 }
 function parseFormat(value) {
     if (value === "json" || value === "markdown" || value === "sarif") {
@@ -24021,4 +24838,11 @@ function parseFailLevel(value) {
     }
     throw new InvalidArgumentError("fail-on must be one of: low, medium, high, never");
 }
+function parsePresetOption(value) {
+    const preset = parsePreset(value);
+    if (preset === value) {
+        return preset;
+    }
+    throw new InvalidArgumentError(`preset must be one of: ${listConfigPresets().join(", ")}`);
+}
 //# sourceMappingURL=index.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.2",
+  "version": "0.1.5",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",
@@ -27,6 +27,8 @@
     "secrets-scanning",
     "github-actions-security",
     "dependency-review",
+    "sarif",
+    "code-scanning",
     "ai-coding",
     "ai-generated-code",
     "mcp",