npm - proof-pr - Versions diffs - 0.1.3 → 0.1.5 - Mend

proof-pr 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -2,25 +2,37 @@
 ProofPR 的命令行工具。
-ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。
+ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。报告会输出风险等级、0-100 证据评分，以及 Review 门禁建议。
+## 它什么时候运行？
+作为 GitHub Action 使用时，ProofPR 默认在 PR 打开、PR 分支更新、PR 重新打开时运行。普通分支 push 不会单独生成报告。
+报告会出现在 PR 评论区、GitHub Actions job summary 和 PR checks 状态里。
+`v0.1.5` 起还可以输出 GitHub annotations，并通过 `sarif-output` 写出 SARIF 文件。
 ## 使用
 可以直接通过 npm 使用：
 ```bash
-npx proof-pr init
-npx proof-pr scan --base origin/main --head HEAD
-npx proof-pr scan --base origin/main --head HEAD --locale zh-CN
-npx proof-pr scan --base origin/main --pr-body-file pr-body.md --format json
+npx proof-pr@latest init
+npx proof-pr@latest init --preset security-strict
+npx proof-pr@latest scan --base origin/main --head HEAD
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
+npx proof-pr@latest scan --base origin/main --pr-body-file pr-body.md --format json
 ```
+可用预设：`balanced`、`open-source-maintainer`、`security-strict`、`ai-generated-pr`、`mcp-security`、`dependency-careful`。
 ## GitHub Action
 ```yaml
-- uses: linsk27/proof-pr@v0.1.3
+- uses: linsk27/proof-pr@v0.1.5
   with:
     fail-on: high
+    comment: "true"
+    annotations: "true"
 ```
 完整文档见仓库 README：

package/dist/index.js CHANGED Viewed

@@ -23112,37 +23112,125 @@ function preprocess(fn, schema) {
 const riskLevelSchema = schemas_enum(["low", "medium", "high"]);
 const localeSchema = schemas_enum(["en", "zh-CN"]);
+const configPresetSchema = schemas_enum([
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+]);
+const CONFIG_PRESETS = [
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+];
+const DEFAULT_SENSITIVE_PATHS = [
+    ".github/workflows/**",
+    ".github/actions/**",
+    "**/.env*",
+    "**/mcp*.json",
+    "**/*mcp*.json",
+    "Dockerfile",
+    "**/Dockerfile",
+    "package.json",
+    "pnpm-lock.yaml",
+    "package-lock.json",
+    "yarn.lock",
+    "bun.lockb",
+    "requirements.txt",
+    "pyproject.toml",
+    "Cargo.toml",
+    "Cargo.lock",
+    "go.mod",
+    "go.sum"
+];
+const DEFAULT_TEST_PATHS = ["src/**", "packages/**/src/**", "app/**", "lib/**"];
+const PRESET_DEFAULTS = {
+    balanced: {},
+    "open-source-maintainer": {
+        riskThreshold: "high",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "security-strict": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".npmrc",
+            "**/.npmrc",
+            ".pypirc",
+            "**/.pypirc",
+            ".dockerignore",
+            "docker-compose*.yml",
+            "**/docker-compose*.yml",
+            ".github/dependabot.yml",
+            ".github/codeql/**",
+            "terraform/**/*.tf",
+            "**/*.pem",
+            "**/*.key"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**"]
+        }
+    },
+    "ai-generated-pr": {
+        riskThreshold: "medium",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**", "components/**"]
+        }
+    },
+    "mcp-security": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".cursor/**",
+            ".vscode/**"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "dependency-careful": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            "poetry.lock",
+            "Pipfile",
+            "Pipfile.lock",
+            "pom.xml",
+            "build.gradle",
+            "build.gradle.kts",
+            "Gemfile",
+            "Gemfile.lock"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    }
+};
 const configSchema = object({
+    preset: configPresetSchema.default("balanced"),
     locale: localeSchema.default("en"),
     riskThreshold: riskLevelSchema.default("high"),
     ignorePaths: array(schemas_string()).default([]),
-    sensitivePaths: array(schemas_string())
-        .default([
-        ".github/workflows/**",
-        ".github/actions/**",
-        "**/.env*",
-        "**/mcp*.json",
-        "**/*mcp*.json",
-        "Dockerfile",
-        "**/Dockerfile",
-        "package.json",
-        "pnpm-lock.yaml",
-        "package-lock.json",
-        "yarn.lock",
-        "bun.lockb",
-        "requirements.txt",
-        "pyproject.toml",
-        "Cargo.toml",
-        "Cargo.lock",
-        "go.mod",
-        "go.sum"
-    ]),
+    sensitivePaths: array(schemas_string()).default(DEFAULT_SENSITIVE_PATHS),
     requireTests: object({
         enabled: schemas_boolean().default(true),
-        paths: array(schemas_string())
-            .default(["src/**", "packages/**/src/**", "app/**", "lib/**"])
+        paths: array(schemas_string()).default(DEFAULT_TEST_PATHS)
     })
-        .default({ enabled: true, paths: ["src/**", "packages/**/src/**", "app/**", "lib/**"] }),
+        .default({ enabled: true, paths: DEFAULT_TEST_PATHS }),
     secrets: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true }),
     dependencies: object({
         flagNewPackages: schemas_boolean().default(true),
@@ -23152,7 +23240,9 @@ const configSchema = object({
     comment: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true })
 });
 function parseConfig(input) {
-    return configSchema.parse(input ?? {});
+    const raw = isRecord(input) ? input : {};
+    const preset = configPresetSchema.parse(raw.preset ?? "balanced");
+    return configSchema.parse(deepMerge(PRESET_DEFAULTS[preset], raw, { preset }));
 }
 async function loadConfig(path) {
     try {
@@ -23180,6 +23270,33 @@ function parseLocale(value, fallback = "en") {
     const result = localeSchema.safeParse(value);
     return result.success ? result.data : fallback;
 }
+function parsePreset(value, fallback = "balanced") {
+    const result = configPresetSchema.safeParse(value);
+    return result.success ? result.data : fallback;
+}
+function listConfigPresets() {
+    return CONFIG_PRESETS;
+}
+function deepMerge(...items) {
+    const output = {};
+    for (const item of items) {
+        if (!isRecord(item)) {
+            continue;
+        }
+        for (const [key, value] of Object.entries(item)) {
+            if (isRecord(value) && isRecord(output[key])) {
+                output[key] = deepMerge(output[key], value);
+            }
+            else {
+                output[key] = value;
+            }
+        }
+    }
+    return output;
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 function isMissingFileError(error) {
     return (typeof error === "object" &&
         error !== null &&
@@ -23244,6 +23361,8 @@ function renderEnglishMarkdownReport(result) {
         "# ProofPR Review",
         "",
         `Risk: **${result.risk}**`,
+        `Evidence score: **${result.evidenceScore.value}/100 (${formatEvidenceGrade(result.evidenceScore.grade, "en")})**`,
+        `Review gate: **${formatReviewDecision(result.reviewDecision, "en")}**`,
         "",
         "## Evidence",
         "",
@@ -23257,6 +23376,8 @@ function renderEnglishMarkdownReport(result) {
         `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
         ""
     ];
+    appendEvidenceScoreSection(lines, result, "en");
+    appendReviewPlanSection(lines, result, "en");
     if (result.findings.length === 0) {
         lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
         return lines.join("\n");
@@ -23274,6 +23395,8 @@ function renderChineseMarkdownReport(result) {
         "# ProofPR 审查报告",
         "",
         `风险等级：**${translateRisk(result.risk)}**`,
+        `证据评分：**${result.evidenceScore.value}/100（${formatEvidenceGrade(result.evidenceScore.grade, "zh-CN")}）**`,
+        `Review 门禁：**${formatReviewDecision(result.reviewDecision, "zh-CN")}**`,
         "",
         "## 证据概览",
         "",
@@ -23287,6 +23410,8 @@ function renderChineseMarkdownReport(result) {
         `- 复现上下文：${formatChineseBoolean(result.summary.reproductionEvidence)}`,
         ""
     ];
+    appendEvidenceScoreSection(lines, result, "zh-CN");
+    appendReviewPlanSection(lines, result, "zh-CN");
     if (result.findings.length === 0) {
         lines.push("## 风险发现", "", "启用的规则没有发现需要优先关注的 review 风险。", "");
         return lines.join("\n");
@@ -23298,6 +23423,52 @@ function renderChineseMarkdownReport(result) {
     lines.push("## 维护者关注点", "", ...maintainerFocus(result.findings, "zh-CN").map((item) => `- ${item}`), "");
     return lines.join("\n");
 }
+function appendEvidenceScoreSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## 证据评分细节" : "## Evidence Score", "");
+    if (result.evidenceScore.strengths.length > 0) {
+        for (const strength of result.evidenceScore.strengths) {
+            lines.push(locale === "zh-CN"
+                ? `- 证据优势：${translateScoreMessage(strength)}`
+                : `- Strength: ${strength}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 证据优势：暂无明显优势信号。" : "- Strength: No strong evidence signals detected.");
+    }
+    if (result.evidenceScore.deductions.length > 0) {
+        for (const deduction of result.evidenceScore.deductions) {
+            lines.push(locale === "zh-CN"
+                ? `- 扣分项：-${deduction.points}，${translateDeduction(deduction.reasonId, deduction.message)}`
+                : `- Deduction: -${deduction.points}, ${deduction.message}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 扣分项：无。" : "- Deduction: none.");
+    }
+    lines.push("");
+}
+function appendReviewPlanSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## Review 行动清单" : "## Review Plan", "");
+    if (result.reviewPlan.actionItems.length > 0) {
+        for (const action of result.reviewPlan.actionItems) {
+            lines.push(locale === "zh-CN"
+                ? `- [ ] ${translateReviewActionTitle(action.actionId, action.title)}（${formatPriority(action.priority, locale)}）：${translateReviewActionDetail(action.actionId, action.detail)}`
+                : `- [ ] ${action.title} (${formatPriority(action.priority, locale)}): ${action.detail}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- [ ] 没有额外行动项。" : "- [ ] No additional action items.");
+    }
+    if (result.reviewPlan.focusFiles.length > 0) {
+        lines.push("", locale === "zh-CN" ? "重点文件：" : "Focus files:");
+        for (const file of result.reviewPlan.focusFiles) {
+            lines.push(locale === "zh-CN"
+                ? `- \`${file.path}\`（${formatPriority(file.priority, locale)}）：${translateFocusReason(file.reasonId, file.reason)}`
+                : `- \`${file.path}\` (${formatPriority(file.priority, locale)}): ${file.reason}`);
+        }
+    }
+    lines.push("");
+}
 function formatEnglishFinding(finding) {
     const lines = [
         `### ${finding.title}`,
@@ -23472,6 +23643,110 @@ function translateSeverity(severity) {
 function translateDescriptionState(state) {
     return { unavailable: "不可用", missing: "缺失", thin: "过薄", present: "充足" }[state] ?? state;
 }
+function formatEvidenceGrade(grade, locale) {
+    if (locale === "zh-CN") {
+        return {
+            strong: "证据充分",
+            adequate: "基本充分",
+            thin: "证据偏薄",
+            risky: "证据不足"
+        }[grade] ?? grade;
+    }
+    return grade;
+}
+function formatReviewDecision(decision, locale) {
+    if (locale === "zh-CN") {
+        return {
+            ready: "可以进入常规 review",
+            "review-carefully": "带着重点进入 review",
+            "needs-evidence": "先要求补充证据",
+            "block-merge": "处理风险前不建议合并"
+        }[decision] ?? decision;
+    }
+    return {
+        ready: "Ready for normal review",
+        "review-carefully": "Review with focused attention",
+        "needs-evidence": "Ask for evidence before deep review",
+        "block-merge": "Block merge until risks are handled"
+    }[decision] ?? decision;
+}
+function formatPriority(priority, locale) {
+    if (locale === "zh-CN") {
+        return { low: "低优先级", medium: "中优先级", high: "高优先级" }[priority] ?? priority;
+    }
+    return `${priority} priority`;
+}
+function translateReviewActionTitle(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "风险处理前不要合并",
+        "ask-for-evidence-before-review": "深入 review 前先要求补充证据",
+        "review-with-focus": "带着重点清单进行 review",
+        "normal-review": "进入常规 review",
+        "improve-pr-description": "要求补充更清楚的 PR 描述",
+        "add-verification-evidence": "要求补充测试或手动验证证据",
+        "add-reproduction-context": "要求补充复现或 before/after 上下文",
+        "rotate-secret": "轮换并移除暴露的凭证",
+        "justify-workflow-permissions": "要求说明 workflow 权限最小化理由",
+        "review-mcp-execution-surface": "审查 MCP 命令、参数和凭证处理",
+        "request-review-map-or-split": "要求拆分 PR 或提供逐文件 review map",
+        "verify-dependency-change": "核查依赖来源和 lockfile 影响",
+        "assign-sensitive-file-review": "安排敏感文件重点 review"
+    }[actionId] ?? fallback;
+}
+function translateReviewActionDetail(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "在高风险 finding 被解释、降低或移除前，把这个 PR 视为不可合并。",
+        "ask-for-evidence-before-review": "要求测试、截图、复现步骤或更清楚的 PR 描述，再投入详细 review。",
+        "review-with-focus": "优先使用下面的风险发现和重点文件作为第一轮 review map。",
+        "normal-review": "当前证据足够支撑维护者进行常规 review。",
+        "improve-pr-description": "贡献者应说明为什么改、改了什么、如何验证，以及是否有发布或兼容性风险。",
+        "add-verification-evidence": "要求测试输出、CI 链接、截图，或简短的手动验证说明。",
+        "add-reproduction-context": "PR 应包含复现步骤、预期/实际行为，或相关 before/after 截图。",
+        "rotate-secret": "在 secret 从 PR 中移除并完成轮换前，不要合并。",
+        "justify-workflow-permissions": "确认写权限或 OIDC 是否必要，并检查不可信 PR 是否能触发该 workflow。",
+        "review-mcp-execution-surface": "检查 MCP 配置是否提交凭证，或意外扩大本地执行面。",
+        "request-review-map-or-split": "要求贡献者拆分无关改动，或标出最需要重点 review 的文件。",
+        "verify-dependency-change": "检查包名、维护者、许可证、安装脚本，以及 lockfile 是否符合预期依赖变化。",
+        "assign-sensitive-file-review": "合并前由维护者有意识地检查敏感文件改动。"
+    }[actionId] ?? fallback;
+}
+function translateFocusReason(reasonId, fallback) {
+    return {
+        "change-size": "review 面积相关 finding",
+        "sensitive-path": "敏感路径发生变更",
+        "dependency-added": "依赖清单发生变更",
+        "workflow-permission-change": "workflow 权限发生变更",
+        "mcp-credential-risk": "MCP 配置存在执行面或凭证风险",
+        "missing-tests": "代码改动缺少测试或验证证据"
+    }[reasonId] ?? fallback;
+}
+function translateScoreMessage(message) {
+    return {
+        "PR description provides review context.": "PR 描述提供了 review 上下文。",
+        "Verification evidence was found.": "检测到测试或手动验证证据。",
+        "Reproduction or before/after context was found.": "检测到复现步骤或 before/after 上下文。",
+        "Test files changed with the PR.": "PR 同时修改了测试文件。",
+        "No configured sensitive files changed.": "没有改动已配置的敏感文件。"
+    }[message] ?? message;
+}
+function translateDeduction(reasonId, fallback) {
+    return {
+        "missing-pr-description": "PR 描述缺失。",
+        "thin-pr-description": "PR 描述过薄，不足以支撑可靠 review。",
+        "no-pr-context": "扫描时没有可用的 PR 描述上下文。",
+        "missing-verification": "没有检测到测试或手动验证证据。",
+        "missing-reproduction-context": "没有检测到复现步骤、before/after 或预期/实际上下文。",
+        "secret-detected": "检测到疑似已提交 secret。",
+        "workflow-permission-change": "Workflow 权限变化需要重点审查。",
+        "mcp-credential-risk": "MCP 配置扩大了本地执行面或凭证风险。",
+        "large-review-surface": "PR 规模过大，常规 review 可靠性会下降。",
+        "broad-review-surface": "PR review 面积偏大。",
+        "sensitive-path-high": "高敏感文件发生变更，需要重点 review。",
+        "sensitive-path-medium": "敏感文件发生变更，需要重点 review。",
+        "dependency-change": "依赖清单发生变更。",
+        "missing-tests": "代码发生变更，但缺少测试变更或验证说明。"
+    }[reasonId] ?? fallback;
+}
 function formatBoolean(value) {
     return value ? "yes" : "no";
 }
@@ -23910,9 +24185,7 @@ function analyzeDependencyChanges(files, config) {
     }
     const findings = [];
     for (const file of files.filter((candidate) => isDependencyManifest(candidate.path))) {
-        const addedDependencyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => isDependencyLikeAddition(file.path, line));
+        const addedDependencyLines = file.addedLines.filter((line) => isDependencyLikeAddition(file.path, line.value.trim()));
         if (addedDependencyLines.length === 0) {
             continue;
         }
@@ -23922,7 +24195,7 @@ function analyzeDependencyChanges(files, config) {
             message: `${file.path} adds or changes dependency-like entries.`,
             severity: "medium",
             path: file.path,
-            evidence: addedDependencyLines.slice(0, 5),
+            evidence: addedDependencyLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
         });
     }
@@ -23954,9 +24227,7 @@ function isDependencyLikeAddition(path, line) {
 function analyzeWorkflowPermissions(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isWorkflowPath(candidate.path))) {
-        const permissionLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line));
+        const permissionLines = file.addedLines.filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line.value.trim()));
         if (permissionLines.length === 0) {
             continue;
         }
@@ -23966,7 +24237,7 @@ function analyzeWorkflowPermissions(files) {
             message: `${file.path} adds or changes GitHub Actions permissions.`,
             severity: "high",
             path: file.path,
-            evidence: permissionLines.slice(0, 5),
+            evidence: permissionLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Check whether the workflow really needs write or token permissions and whether untrusted pull requests can reach it."
         });
     }
@@ -23975,9 +24246,7 @@ function analyzeWorkflowPermissions(files) {
 function analyzeMcpConfigs(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isMcpConfigPath(candidate.path))) {
-        const riskyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line));
+        const riskyLines = file.addedLines.filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line.value.trim()));
         if (riskyLines.length === 0) {
             continue;
         }
@@ -23987,12 +24256,16 @@ function analyzeMcpConfigs(files) {
             message: `${file.path} adds MCP configuration lines related to commands or credentials.`,
             severity: "high",
             path: file.path,
-            evidence: riskyLines.slice(0, 5),
+            evidence: riskyLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Avoid committing credentials in MCP config. Review command and args values as local execution surface."
         });
     }
     return findings;
 }
+function formatEvidenceLine(line) {
+    const value = line.value.trim();
+    return line.lineNumber ? `line ${line.lineNumber}: ${value}` : value;
+}
 function sensitivePathSeverity(path) {
     if (matchesAny(path, [
         "**/.env*",
@@ -24015,8 +24288,14 @@ function scanDiff(diffText, options = {}) {
     const files = parseUnifiedDiff(diffText);
     const findings = dedupeFindings(analyzeDiffFiles(files, config, options.pullRequest));
     const summary = summarizeDiffFiles(files, config, options.pullRequest);
+    const risk = calculateRisk(findings);
+    const evidenceScore = calculateEvidenceScore(summary, findings);
+    const reviewDecision = calculateReviewDecision(risk, evidenceScore, findings);
     return {
-        risk: calculateRisk(findings),
+        risk,
+        evidenceScore,
+        reviewDecision,
+        reviewPlan: buildReviewPlan(reviewDecision, findings, evidenceScore),
         summary,
         findings
     };
@@ -24033,6 +24312,325 @@ function calculateRisk(findings) {
     }
     return "low";
 }
+function calculateEvidenceScore(summary, findings) {
+    const deductions = new Map();
+    const addDeduction = (reasonId, points, message) => {
+        const existing = deductions.get(reasonId);
+        if (existing) {
+            existing.points = Math.max(existing.points, points);
+            return;
+        }
+        deductions.set(reasonId, { message, points });
+    };
+    if (summary.pullRequestDescription === "missing") {
+        addDeduction("missing-pr-description", 25, "PR description is missing.");
+    }
+    else if (summary.pullRequestDescription === "thin") {
+        addDeduction("thin-pr-description", 15, "PR description is too thin for confident review.");
+    }
+    else if (summary.pullRequestDescription === "unavailable") {
+        addDeduction("no-pr-context", 10, "PR description was not available to the scanner.");
+    }
+    const needsVerificationEvidence = findings.some((finding) => [
+        "change-size",
+        "sensitive-path",
+        "missing-tests",
+        "dependency-added",
+        "workflow-permission-change",
+        "mcp-credential-risk"
+    ].includes(finding.ruleId));
+    if (needsVerificationEvidence && !summary.verificationEvidence) {
+        addDeduction("missing-verification", 20, "No test or manual verification evidence was found.");
+    }
+    if ((summary.sensitiveFilesChanged > 0 || summary.filesChanged >= 5) && !summary.reproductionEvidence) {
+        addDeduction("missing-reproduction-context", 15, "No reproduction, before/after, or expected/actual context was found.");
+    }
+    for (const finding of findings) {
+        if (finding.ruleId.startsWith("secret-detected")) {
+            addDeduction("secret-detected", 40, "Possible committed secret detected.");
+        }
+        else if (finding.ruleId === "workflow-permission-change") {
+            addDeduction("workflow-permission-change", 25, "Workflow permission changes need deliberate review.");
+        }
+        else if (finding.ruleId === "mcp-credential-risk") {
+            addDeduction("mcp-credential-risk", 25, "MCP configuration expands local execution or credential risk.");
+        }
+        else if (finding.ruleId === "change-size") {
+            addDeduction(finding.severity === "high" ? "large-review-surface" : "broad-review-surface", finding.severity === "high" ? 20 : 10, finding.severity === "high"
+                ? "The PR is large enough that normal review is likely unreliable."
+                : "The PR has a broad review surface.");
+        }
+        else if (finding.ruleId === "sensitive-path") {
+            addDeduction(`sensitive-path-${finding.severity}`, finding.severity === "high" ? 20 : 10, "Sensitive files changed and need focused review.");
+        }
+        else if (finding.ruleId === "dependency-added") {
+            addDeduction("dependency-change", 10, "Dependency manifest changed.");
+        }
+        else if (finding.ruleId === "missing-tests") {
+            addDeduction("missing-tests", finding.severity === "medium" ? 20 : 12, "Code changed without test changes or verification notes.");
+        }
+    }
+    const strengths = collectEvidenceStrengths(summary);
+    const value = clampScore(100 - [...deductions.values()].reduce((sum, item) => sum + item.points, 0));
+    return {
+        value,
+        grade: gradeEvidenceScore(value),
+        strengths,
+        deductions: [...deductions.entries()].map(([reasonId, item]) => ({
+            reasonId,
+            message: item.message,
+            points: item.points
+        }))
+    };
+}
+function collectEvidenceStrengths(summary) {
+    const strengths = [];
+    if (summary.pullRequestDescription === "present") {
+        strengths.push("PR description provides review context.");
+    }
+    if (summary.verificationEvidence) {
+        strengths.push("Verification evidence was found.");
+    }
+    if (summary.reproductionEvidence) {
+        strengths.push("Reproduction or before/after context was found.");
+    }
+    if (summary.testFilesChanged > 0) {
+        strengths.push("Test files changed with the PR.");
+    }
+    if (summary.filesChanged > 0 && summary.sensitiveFilesChanged === 0) {
+        strengths.push("No configured sensitive files changed.");
+    }
+    return strengths;
+}
+function gradeEvidenceScore(value) {
+    if (value >= 85) {
+        return "strong";
+    }
+    if (value >= 70) {
+        return "adequate";
+    }
+    if (value >= 50) {
+        return "thin";
+    }
+    return "risky";
+}
+function calculateReviewDecision(risk, evidenceScore, findings) {
+    const hasBlockingSecurityFinding = findings.some((finding) => finding.ruleId.startsWith("secret-detected") ||
+        finding.ruleId === "workflow-permission-change" ||
+        finding.ruleId === "mcp-credential-risk");
+    if (hasBlockingSecurityFinding || evidenceScore.value < 50 || risk === "high") {
+        return "block-merge";
+    }
+    if (evidenceScore.value < 70 || findings.some((finding) => finding.ruleId === "missing-tests" || finding.ruleId === "thin-pr-description")) {
+        return "needs-evidence";
+    }
+    if (risk === "medium") {
+        return "review-carefully";
+    }
+    return "ready";
+}
+function clampScore(value) {
+    return Math.max(0, Math.min(100, value));
+}
+function buildReviewPlan(reviewDecision, findings, evidenceScore) {
+    const actionItems = dedupeReviewActions([
+        ...reviewDecisionActions(reviewDecision),
+        ...evidenceScoreActions(evidenceScore),
+        ...findings.flatMap((finding) => reviewActionsForFinding(finding))
+    ]);
+    const focusFiles = dedupeFocusFiles(findings
+        .filter((finding) => finding.path)
+        .map((finding) => ({
+        path: finding.path,
+        reasonId: finding.ruleId,
+        reason: finding.title,
+        priority: finding.severity === "high" ? "high" : finding.severity === "medium" ? "medium" : "low"
+    })));
+    return {
+        actionItems: actionItems.slice(0, 8),
+        focusFiles: focusFiles.slice(0, 8)
+    };
+}
+function reviewDecisionActions(reviewDecision) {
+    if (reviewDecision === "block-merge") {
+        return [
+            {
+                actionId: "block-merge-until-resolved",
+                title: "Block merge until the flagged risks are handled.",
+                detail: "Treat this PR as not ready for merge until the high-risk findings are explained, reduced, or removed.",
+                priority: "high",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "needs-evidence") {
+        return [
+            {
+                actionId: "ask-for-evidence-before-review",
+                title: "Ask for missing evidence before deep review.",
+                detail: "Request tests, screenshots, reproduction steps, or a clearer PR description before spending detailed review time.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "review-carefully") {
+        return [
+            {
+                actionId: "review-with-focus",
+                title: "Review with a focused checklist.",
+                detail: "Use the findings and focus files below as the first-pass review map.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    return [
+        {
+            actionId: "normal-review",
+            title: "Proceed with normal review.",
+            detail: "The PR has enough evidence for a standard maintainer review pass.",
+            priority: "low",
+            relatedRuleIds: []
+        }
+    ];
+}
+function evidenceScoreActions(evidenceScore) {
+    return evidenceScore.deductions.flatMap((deduction) => {
+        if (deduction.reasonId === "missing-pr-description" ||
+            deduction.reasonId === "thin-pr-description" ||
+            deduction.reasonId === "no-pr-context") {
+            return [
+                {
+                    actionId: "improve-pr-description",
+                    title: "Ask for a clearer PR description.",
+                    detail: "The contributor should explain why the change is needed, what changed, how it was verified, and any rollout or compatibility risk.",
+                    priority: "medium",
+                    relatedRuleIds: ["thin-pr-description"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-verification" || deduction.reasonId === "missing-tests") {
+            return [
+                {
+                    actionId: "add-verification-evidence",
+                    title: "Ask for test or manual verification evidence.",
+                    detail: "Require test output, CI links, screenshots, or a short manual verification note before approving.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-tests"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-reproduction-context") {
+            return [
+                {
+                    actionId: "add-reproduction-context",
+                    title: "Ask for reproduction or before/after context.",
+                    detail: "The PR should include steps to reproduce, expected and actual behavior, or before/after screenshots where relevant.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-reproduction-context"]
+                }
+            ];
+        }
+        return [];
+    });
+}
+function reviewActionsForFinding(finding) {
+    if (finding.ruleId.startsWith("secret-detected")) {
+        return [
+            {
+                actionId: "rotate-secret",
+                title: "Rotate and remove the exposed credential.",
+                detail: "Do not merge until the secret is removed from the PR and any exposed value has been rotated.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "workflow-permission-change") {
+        return [
+            {
+                actionId: "justify-workflow-permissions",
+                title: "Require a least-privilege explanation for workflow permissions.",
+                detail: "Confirm whether write permissions or OIDC are necessary and whether untrusted PRs can reach this workflow.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "mcp-credential-risk") {
+        return [
+            {
+                actionId: "review-mcp-execution-surface",
+                title: "Review MCP commands, args, and credential handling.",
+                detail: "Check that MCP config does not commit secrets and does not unexpectedly expand local execution surface.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "change-size") {
+        return [
+            {
+                actionId: "request-review-map-or-split",
+                title: "Request a smaller PR or a file-by-file review map.",
+                detail: "Ask the contributor to split unrelated changes or identify the files that need the closest review.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-added") {
+        return [
+            {
+                actionId: "verify-dependency-change",
+                title: "Verify dependency provenance and lockfile impact.",
+                detail: "Check package name, maintainer, license, install scripts, and whether the lockfile matches the intended dependency change.",
+                priority: "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "sensitive-path") {
+        return [
+            {
+                actionId: "assign-sensitive-file-review",
+                title: "Assign focused review for sensitive files.",
+                detail: "Have a maintainer deliberately inspect the sensitive file changes before approval.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    return [];
+}
+function dedupeReviewActions(actions) {
+    const seen = new Set();
+    const unique = [];
+    for (const action of actions.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(action.actionId)) {
+            continue;
+        }
+        seen.add(action.actionId);
+        unique.push(action);
+    }
+    return unique;
+}
+function dedupeFocusFiles(files) {
+    const seen = new Set();
+    const unique = [];
+    for (const file of files.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(file.path)) {
+            continue;
+        }
+        seen.add(file.path);
+        unique.push(file);
+    }
+    return unique;
+}
+function priorityRank(priority) {
+    return { low: 1, medium: 2, high: 3 }[priority];
+}
 function dedupeFindings(findings) {
     const seen = new Set();
     const unique = [];
@@ -24066,7 +24664,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.3");
+    .version("0.1.5");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -24102,10 +24700,11 @@ build_program
     .description("Create a starter .proofpr.yml and GitHub Actions workflow.")
     .option("--config-path <path>", "Path to write the ProofPR configuration file.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to write the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--preset <preset>", `Config preset: ${listConfigPresets().join(", ")}.`, parsePresetOption, "open-source-maintainer")
     .option("--fail-on <level>", "Workflow failure threshold: low, medium, high, or never.", parseFailLevel, "high")
     .option("--force", "Overwrite existing files.", false)
     .action(async (options) => {
-    await writeIfMissing(options.configPath, renderConfigTemplate(), options.force);
+    await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
     process.stdout.write(`ProofPR initialized:\n- ${options.configPath}\n- ${options.workflowPath}\n`);
 });
@@ -24144,42 +24743,55 @@ async function pathExists(path) {
         return false;
     }
 }
-function renderConfigTemplate() {
+function renderConfigTemplate(preset) {
     return `locale: zh-CN
-riskThreshold: high
-sensitivePaths:
-  - ".github/workflows/**"
-  - ".github/actions/**"
-  - "**/.env*"
-  - "**/mcp*.json"
-  - "**/*mcp*.json"
-  - "Dockerfile"
-  - "**/Dockerfile"
-  - "package.json"
-  - "pnpm-lock.yaml"
-  - "package-lock.json"
-  - "yarn.lock"
-  - "bun.lockb"
-requireTests:
-  enabled: true
-  paths:
-    - "src/**"
-    - "packages/**/src/**"
-    - "app/**"
-    - "lib/**"
-secrets:
-  enabled: true
-dependencies:
-  flagNewPackages: true
-  flagMajorUpgrades: true
+preset: ${preset}
 comment:
   enabled: true
+# 如需更严格或更宽松，可以先换 preset：
+# preset: security-strict
+#
+# 可用预设：
+# - balanced
+# - open-source-maintainer
+# - security-strict
+# - ai-generated-pr
+# - mcp-security
+# - dependency-careful
+#
+# 也可以取消注释下面这些字段，覆盖 preset 的默认值。
+# riskThreshold: high
+#
+# sensitivePaths:
+#   - ".github/workflows/**"
+#   - ".github/actions/**"
+#   - "**/.env*"
+#   - "**/mcp*.json"
+#   - "**/*mcp*.json"
+#   - "Dockerfile"
+#   - "**/Dockerfile"
+#   - "package.json"
+#   - "pnpm-lock.yaml"
+#   - "package-lock.json"
+#   - "yarn.lock"
+#   - "bun.lockb"
+#
+# requireTests:
+#   enabled: true
+#   paths:
+#     - "src/**"
+#     - "packages/**/src/**"
+#     - "app/**"
+#     - "lib/**"
+#
+# secrets:
+#   enabled: true
+#
+# dependencies:
+#   flagNewPackages: true
+#   flagMajorUpgrades: true
 `;
 }
 function renderWorkflowTemplate(failOn) {
@@ -24198,10 +24810,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.3
+      - uses: linsk27/proof-pr@v0.1.5
         with:
           fail-on: ${failOn}
           comment: "true"
+          annotations: "true"
 `;
 }
 function renderOutput(result, format, locale) {
@@ -24225,4 +24838,11 @@ function parseFailLevel(value) {
     }
     throw new InvalidArgumentError("fail-on must be one of: low, medium, high, never");
 }
+function parsePresetOption(value) {
+    const preset = parsePreset(value);
+    if (preset === value) {
+        return preset;
+    }
+    throw new InvalidArgumentError(`preset must be one of: ${listConfigPresets().join(", ")}`);
+}
 //# sourceMappingURL=index.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",
@@ -27,6 +27,8 @@
     "secrets-scanning",
     "github-actions-security",
     "dependency-review",
+    "sarif",
+    "code-scanning",
     "ai-coding",
     "ai-generated-code",
     "mcp",