npm - proof-pr - Versions diffs - 0.1.3 → 0.1.6 - Mend

proof-pr 0.1.3 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -2,25 +2,37 @@
 ProofPR 的命令行工具。
-ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。
+ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、范围和安全风险。报告会输出风险等级、0-100 证据评分，以及 Review 门禁建议。
+## 它什么时候运行？
+作为 GitHub Action 使用时，ProofPR 默认在 PR 打开、PR 分支更新、PR 重新打开时运行。普通分支 push 不会单独生成报告。
+报告会出现在 PR 评论区、GitHub Actions job summary 和 PR checks 状态里。
+`v0.1.5` 起还可以输出 GitHub annotations，并通过 `sarif-output` 写出 SARIF 文件。当前版本还会识别依赖大版本升级、包生命周期脚本和 `pull_request_target` workflow 触发器。
 ## 使用
 可以直接通过 npm 使用：
 ```bash
-npx proof-pr init
-npx proof-pr scan --base origin/main --head HEAD
-npx proof-pr scan --base origin/main --head HEAD --locale zh-CN
-npx proof-pr scan --base origin/main --pr-body-file pr-body.md --format json
+npx proof-pr@latest init
+npx proof-pr@latest init --preset security-strict
+npx proof-pr@latest scan --base origin/main --head HEAD
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
+npx proof-pr@latest scan --base origin/main --pr-body-file pr-body.md --format json
 ```
+可用预设：`balanced`、`open-source-maintainer`、`security-strict`、`ai-generated-pr`、`mcp-security`、`dependency-careful`。
 ## GitHub Action
 ```yaml
-- uses: linsk27/proof-pr@v0.1.3
+- uses: linsk27/proof-pr@v0.1.5
   with:
     fail-on: high
+    comment: "true"
+    annotations: "true"
 ```
 完整文档见仓库 README：

package/dist/index.js CHANGED Viewed

@@ -23112,47 +23112,138 @@ function preprocess(fn, schema) {
 const riskLevelSchema = schemas_enum(["low", "medium", "high"]);
 const localeSchema = schemas_enum(["en", "zh-CN"]);
+const configPresetSchema = schemas_enum([
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+]);
+const CONFIG_PRESETS = [
+    "balanced",
+    "open-source-maintainer",
+    "security-strict",
+    "ai-generated-pr",
+    "mcp-security",
+    "dependency-careful"
+];
+const DEFAULT_SENSITIVE_PATHS = [
+    ".github/workflows/**",
+    ".github/actions/**",
+    "**/.env*",
+    "**/mcp*.json",
+    "**/*mcp*.json",
+    "Dockerfile",
+    "**/Dockerfile",
+    "package.json",
+    "pnpm-lock.yaml",
+    "package-lock.json",
+    "yarn.lock",
+    "bun.lockb",
+    "requirements.txt",
+    "pyproject.toml",
+    "Cargo.toml",
+    "Cargo.lock",
+    "go.mod",
+    "go.sum"
+];
+const DEFAULT_TEST_PATHS = ["src/**", "packages/**/src/**", "app/**", "lib/**"];
+const PRESET_DEFAULTS = {
+    balanced: {},
+    "open-source-maintainer": {
+        riskThreshold: "high",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "security-strict": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".npmrc",
+            "**/.npmrc",
+            ".pypirc",
+            "**/.pypirc",
+            ".dockerignore",
+            "docker-compose*.yml",
+            "**/docker-compose*.yml",
+            ".github/dependabot.yml",
+            ".github/codeql/**",
+            "terraform/**/*.tf",
+            "**/*.pem",
+            "**/*.key"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**"]
+        }
+    },
+    "ai-generated-pr": {
+        riskThreshold: "medium",
+        sensitivePaths: DEFAULT_SENSITIVE_PATHS,
+        requireTests: {
+            enabled: true,
+            paths: ["src/**", "packages/**/src/**", "app/**", "lib/**", "server/**", "api/**", "components/**"]
+        }
+    },
+    "mcp-security": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            ".cursor/**",
+            ".vscode/**"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    },
+    "dependency-careful": {
+        riskThreshold: "medium",
+        sensitivePaths: [
+            ...DEFAULT_SENSITIVE_PATHS,
+            "poetry.lock",
+            "Pipfile",
+            "Pipfile.lock",
+            "pom.xml",
+            "build.gradle",
+            "build.gradle.kts",
+            "Gemfile",
+            "Gemfile.lock"
+        ],
+        requireTests: {
+            enabled: true,
+            paths: DEFAULT_TEST_PATHS
+        }
+    }
+};
 const configSchema = object({
+    preset: configPresetSchema.default("balanced"),
     locale: localeSchema.default("en"),
     riskThreshold: riskLevelSchema.default("high"),
     ignorePaths: array(schemas_string()).default([]),
-    sensitivePaths: array(schemas_string())
-        .default([
-        ".github/workflows/**",
-        ".github/actions/**",
-        "**/.env*",
-        "**/mcp*.json",
-        "**/*mcp*.json",
-        "Dockerfile",
-        "**/Dockerfile",
-        "package.json",
-        "pnpm-lock.yaml",
-        "package-lock.json",
-        "yarn.lock",
-        "bun.lockb",
-        "requirements.txt",
-        "pyproject.toml",
-        "Cargo.toml",
-        "Cargo.lock",
-        "go.mod",
-        "go.sum"
-    ]),
+    sensitivePaths: array(schemas_string()).default(DEFAULT_SENSITIVE_PATHS),
     requireTests: object({
         enabled: schemas_boolean().default(true),
-        paths: array(schemas_string())
-            .default(["src/**", "packages/**/src/**", "app/**", "lib/**"])
+        paths: array(schemas_string()).default(DEFAULT_TEST_PATHS)
     })
-        .default({ enabled: true, paths: ["src/**", "packages/**/src/**", "app/**", "lib/**"] }),
+        .default({ enabled: true, paths: DEFAULT_TEST_PATHS }),
     secrets: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true }),
     dependencies: object({
         flagNewPackages: schemas_boolean().default(true),
-        flagMajorUpgrades: schemas_boolean().default(true)
+        flagMajorUpgrades: schemas_boolean().default(true),
+        flagLifecycleScripts: schemas_boolean().default(true)
     })
-        .default({ flagNewPackages: true, flagMajorUpgrades: true }),
+        .default({ flagNewPackages: true, flagMajorUpgrades: true, flagLifecycleScripts: true }),
     comment: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true })
 });
 function parseConfig(input) {
-    return configSchema.parse(input ?? {});
+    const raw = isRecord(input) ? input : {};
+    const preset = configPresetSchema.parse(raw.preset ?? "balanced");
+    return configSchema.parse(deepMerge(PRESET_DEFAULTS[preset], raw, { preset }));
 }
 async function loadConfig(path) {
     try {
@@ -23180,6 +23271,33 @@ function parseLocale(value, fallback = "en") {
     const result = localeSchema.safeParse(value);
     return result.success ? result.data : fallback;
 }
+function parsePreset(value, fallback = "balanced") {
+    const result = configPresetSchema.safeParse(value);
+    return result.success ? result.data : fallback;
+}
+function listConfigPresets() {
+    return CONFIG_PRESETS;
+}
+function deepMerge(...items) {
+    const output = {};
+    for (const item of items) {
+        if (!isRecord(item)) {
+            continue;
+        }
+        for (const [key, value] of Object.entries(item)) {
+            if (isRecord(value) && isRecord(output[key])) {
+                output[key] = deepMerge(output[key], value);
+            }
+            else {
+                output[key] = value;
+            }
+        }
+    }
+    return output;
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 function isMissingFileError(error) {
     return (typeof error === "object" &&
         error !== null &&
@@ -23244,6 +23362,8 @@ function renderEnglishMarkdownReport(result) {
         "# ProofPR Review",
         "",
         `Risk: **${result.risk}**`,
+        `Evidence score: **${result.evidenceScore.value}/100 (${formatEvidenceGrade(result.evidenceScore.grade, "en")})**`,
+        `Review gate: **${formatReviewDecision(result.reviewDecision, "en")}**`,
         "",
         "## Evidence",
         "",
@@ -23257,6 +23377,8 @@ function renderEnglishMarkdownReport(result) {
         `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
         ""
     ];
+    appendEvidenceScoreSection(lines, result, "en");
+    appendReviewPlanSection(lines, result, "en");
     if (result.findings.length === 0) {
         lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
         return lines.join("\n");
@@ -23274,6 +23396,8 @@ function renderChineseMarkdownReport(result) {
         "# ProofPR 审查报告",
         "",
         `风险等级：**${translateRisk(result.risk)}**`,
+        `证据评分：**${result.evidenceScore.value}/100（${formatEvidenceGrade(result.evidenceScore.grade, "zh-CN")}）**`,
+        `Review 门禁：**${formatReviewDecision(result.reviewDecision, "zh-CN")}**`,
         "",
         "## 证据概览",
         "",
@@ -23287,6 +23411,8 @@ function renderChineseMarkdownReport(result) {
         `- 复现上下文：${formatChineseBoolean(result.summary.reproductionEvidence)}`,
         ""
     ];
+    appendEvidenceScoreSection(lines, result, "zh-CN");
+    appendReviewPlanSection(lines, result, "zh-CN");
     if (result.findings.length === 0) {
         lines.push("## 风险发现", "", "启用的规则没有发现需要优先关注的 review 风险。", "");
         return lines.join("\n");
@@ -23298,6 +23424,52 @@ function renderChineseMarkdownReport(result) {
     lines.push("## 维护者关注点", "", ...maintainerFocus(result.findings, "zh-CN").map((item) => `- ${item}`), "");
     return lines.join("\n");
 }
+function appendEvidenceScoreSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## 证据评分细节" : "## Evidence Score", "");
+    if (result.evidenceScore.strengths.length > 0) {
+        for (const strength of result.evidenceScore.strengths) {
+            lines.push(locale === "zh-CN"
+                ? `- 证据优势：${translateScoreMessage(strength)}`
+                : `- Strength: ${strength}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 证据优势：暂无明显优势信号。" : "- Strength: No strong evidence signals detected.");
+    }
+    if (result.evidenceScore.deductions.length > 0) {
+        for (const deduction of result.evidenceScore.deductions) {
+            lines.push(locale === "zh-CN"
+                ? `- 扣分项：-${deduction.points}，${translateDeduction(deduction.reasonId, deduction.message)}`
+                : `- Deduction: -${deduction.points}, ${deduction.message}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- 扣分项：无。" : "- Deduction: none.");
+    }
+    lines.push("");
+}
+function appendReviewPlanSection(lines, result, locale) {
+    lines.push(locale === "zh-CN" ? "## Review 行动清单" : "## Review Plan", "");
+    if (result.reviewPlan.actionItems.length > 0) {
+        for (const action of result.reviewPlan.actionItems) {
+            lines.push(locale === "zh-CN"
+                ? `- [ ] ${translateReviewActionTitle(action.actionId, action.title)}（${formatPriority(action.priority, locale)}）：${translateReviewActionDetail(action.actionId, action.detail)}`
+                : `- [ ] ${action.title} (${formatPriority(action.priority, locale)}): ${action.detail}`);
+        }
+    }
+    else {
+        lines.push(locale === "zh-CN" ? "- [ ] 没有额外行动项。" : "- [ ] No additional action items.");
+    }
+    if (result.reviewPlan.focusFiles.length > 0) {
+        lines.push("", locale === "zh-CN" ? "重点文件：" : "Focus files:");
+        for (const file of result.reviewPlan.focusFiles) {
+            lines.push(locale === "zh-CN"
+                ? `- \`${file.path}\`（${formatPriority(file.priority, locale)}）：${translateFocusReason(file.reasonId, file.reason)}`
+                : `- \`${file.path}\` (${formatPriority(file.priority, locale)}): ${file.reason}`);
+        }
+    }
+    lines.push("");
+}
 function formatEnglishFinding(finding) {
     const lines = [
         `### ${finding.title}`,
@@ -23372,6 +23544,21 @@ function maintainerFocus(findings, locale) {
                 ? "要求拆分 PR，或提供逐文件 review 指南。"
                 : "Request a smaller PR or a file-by-file review guide.");
         }
+        else if (finding.ruleId === "dependency-major-upgrade") {
+            focus.add(locale === "zh-CN"
+                ? "重点核查依赖大版本升级的迁移说明、兼容性和测试覆盖。"
+                : "Review dependency major upgrade migration notes, compatibility, and test coverage.");
+        }
+        else if (finding.ruleId === "dependency-lifecycle-script") {
+            focus.add(locale === "zh-CN"
+                ? "合并前审查包生命周期脚本是否会在安装或发布时执行非预期代码。"
+                : "Review package lifecycle scripts for unexpected install or publish-time execution.");
+        }
+        else if (finding.ruleId === "workflow-dangerous-trigger") {
+            focus.add(locale === "zh-CN"
+                ? "重点审查 pull_request_target 是否会用高权限 token 执行不可信 PR 代码。"
+                : "Review whether pull_request_target can execute untrusted PR code with privileged tokens.");
+        }
         else if (finding.ruleId === "mcp-credential-risk") {
             focus.add(locale === "zh-CN"
                 ? "重点审查 MCP command、args 和凭证处理方式。"
@@ -23433,6 +23620,20 @@ function translateFinding(finding) {
             recommendation: "请确认包名、许可证、来源可信度，以及 lockfile 是否匹配预期依赖变化。"
         };
     }
+    if (finding.ruleId === "dependency-major-upgrade") {
+        return {
+            title: "依赖发生大版本升级",
+            message: finding.path ? `${finding.path} 中有依赖跨越了大版本边界。` : finding.message,
+            recommendation: "请核查 changelog、迁移说明、peer dependencies 影响，以及测试是否覆盖升级后的关键路径。"
+        };
+    }
+    if (finding.ruleId === "dependency-lifecycle-script") {
+        return {
+            title: "包生命周期脚本发生变更",
+            message: finding.path ? `${finding.path} 新增或修改了安装/发布阶段可能自动执行的脚本。` : finding.message,
+            recommendation: "请确认该脚本是否必要，是否下载或执行远程代码，以及是否会影响安装该包的用户。"
+        };
+    }
     if (finding.ruleId === "workflow-permission-change") {
         return {
             title: "Workflow 权限发生变更",
@@ -23440,6 +23641,13 @@ function translateFinding(finding) {
             recommendation: "请确认 workflow 是否真的需要写权限或 token 权限，并检查不可信 PR 是否能触达该 workflow。"
         };
     }
+    if (finding.ruleId === "workflow-dangerous-trigger") {
+        return {
+            title: "Workflow 使用了 pull_request_target",
+            message: finding.path ? `${finding.path} 新增了 pull_request_target 触发器。` : finding.message,
+            recommendation: "请确认该 workflow 不会用高权限 token、secret 或写权限执行不可信 PR 代码。"
+        };
+    }
     if (finding.ruleId === "mcp-credential-risk") {
         return {
             title: "MCP 配置需要重点审查",
@@ -23472,6 +23680,122 @@ function translateSeverity(severity) {
 function translateDescriptionState(state) {
     return { unavailable: "不可用", missing: "缺失", thin: "过薄", present: "充足" }[state] ?? state;
 }
+function formatEvidenceGrade(grade, locale) {
+    if (locale === "zh-CN") {
+        return {
+            strong: "证据充分",
+            adequate: "基本充分",
+            thin: "证据偏薄",
+            risky: "证据不足"
+        }[grade] ?? grade;
+    }
+    return grade;
+}
+function formatReviewDecision(decision, locale) {
+    if (locale === "zh-CN") {
+        return {
+            ready: "可以进入常规 review",
+            "review-carefully": "带着重点进入 review",
+            "needs-evidence": "先要求补充证据",
+            "block-merge": "处理风险前不建议合并"
+        }[decision] ?? decision;
+    }
+    return {
+        ready: "Ready for normal review",
+        "review-carefully": "Review with focused attention",
+        "needs-evidence": "Ask for evidence before deep review",
+        "block-merge": "Block merge until risks are handled"
+    }[decision] ?? decision;
+}
+function formatPriority(priority, locale) {
+    if (locale === "zh-CN") {
+        return { low: "低优先级", medium: "中优先级", high: "高优先级" }[priority] ?? priority;
+    }
+    return `${priority} priority`;
+}
+function translateReviewActionTitle(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "风险处理前不要合并",
+        "ask-for-evidence-before-review": "深入 review 前先要求补充证据",
+        "review-with-focus": "带着重点清单进行 review",
+        "normal-review": "进入常规 review",
+        "improve-pr-description": "要求补充更清楚的 PR 描述",
+        "add-verification-evidence": "要求补充测试或手动验证证据",
+        "add-reproduction-context": "要求补充复现或 before/after 上下文",
+        "rotate-secret": "轮换并移除暴露的凭证",
+        "justify-workflow-permissions": "要求说明 workflow 权限最小化理由",
+        "review-privileged-pr-trigger": "审查 pull_request_target 高权限触发器",
+        "review-package-lifecycle-script": "审查包生命周期脚本",
+        "review-mcp-execution-surface": "审查 MCP 命令、参数和凭证处理",
+        "request-review-map-or-split": "要求拆分 PR 或提供逐文件 review map",
+        "verify-dependency-change": "核查依赖来源和 lockfile 影响",
+        "review-major-dependency-upgrade": "核查依赖大版本升级影响",
+        "assign-sensitive-file-review": "安排敏感文件重点 review"
+    }[actionId] ?? fallback;
+}
+function translateReviewActionDetail(actionId, fallback) {
+    return {
+        "block-merge-until-resolved": "在高风险 finding 被解释、降低或移除前，把这个 PR 视为不可合并。",
+        "ask-for-evidence-before-review": "要求测试、截图、复现步骤或更清楚的 PR 描述，再投入详细 review。",
+        "review-with-focus": "优先使用下面的风险发现和重点文件作为第一轮 review map。",
+        "normal-review": "当前证据足够支撑维护者进行常规 review。",
+        "improve-pr-description": "贡献者应说明为什么改、改了什么、如何验证，以及是否有发布或兼容性风险。",
+        "add-verification-evidence": "要求测试输出、CI 链接、截图，或简短的手动验证说明。",
+        "add-reproduction-context": "PR 应包含复现步骤、预期/实际行为，或相关 before/after 截图。",
+        "rotate-secret": "在 secret 从 PR 中移除并完成轮换前，不要合并。",
+        "justify-workflow-permissions": "确认写权限或 OIDC 是否必要，并检查不可信 PR 是否能触发该 workflow。",
+        "review-privileged-pr-trigger": "确认 workflow 不会用写权限 token、secret 或仓库权限执行不可信 PR 代码。",
+        "review-package-lifecycle-script": "检查 install、postinstall、prepare 或 publish 脚本是否会执行非预期代码。",
+        "review-mcp-execution-surface": "检查 MCP 配置是否提交凭证，或意外扩大本地执行面。",
+        "request-review-map-or-split": "要求贡献者拆分无关改动，或标出最需要重点 review 的文件。",
+        "verify-dependency-change": "检查包名、维护者、许可证、安装脚本，以及 lockfile 是否符合预期依赖变化。",
+        "review-major-dependency-upgrade": "检查 changelog、迁移说明、peer dependencies，以及测试是否覆盖升级后的关键路径。",
+        "assign-sensitive-file-review": "合并前由维护者有意识地检查敏感文件改动。"
+    }[actionId] ?? fallback;
+}
+function translateFocusReason(reasonId, fallback) {
+    return {
+        "change-size": "review 面积相关 finding",
+        "sensitive-path": "敏感路径发生变更",
+        "dependency-added": "依赖清单发生变更",
+        "dependency-major-upgrade": "依赖发生大版本升级",
+        "dependency-lifecycle-script": "包生命周期脚本发生变更",
+        "workflow-permission-change": "workflow 权限发生变更",
+        "workflow-dangerous-trigger": "workflow 使用了高风险触发器",
+        "mcp-credential-risk": "MCP 配置存在执行面或凭证风险",
+        "missing-tests": "代码改动缺少测试或验证证据"
+    }[reasonId] ?? fallback;
+}
+function translateScoreMessage(message) {
+    return {
+        "PR description provides review context.": "PR 描述提供了 review 上下文。",
+        "Verification evidence was found.": "检测到测试或手动验证证据。",
+        "Reproduction or before/after context was found.": "检测到复现步骤或 before/after 上下文。",
+        "Test files changed with the PR.": "PR 同时修改了测试文件。",
+        "No configured sensitive files changed.": "没有改动已配置的敏感文件。"
+    }[message] ?? message;
+}
+function translateDeduction(reasonId, fallback) {
+    return {
+        "missing-pr-description": "PR 描述缺失。",
+        "thin-pr-description": "PR 描述过薄，不足以支撑可靠 review。",
+        "no-pr-context": "扫描时没有可用的 PR 描述上下文。",
+        "missing-verification": "没有检测到测试或手动验证证据。",
+        "missing-reproduction-context": "没有检测到复现步骤、before/after 或预期/实际上下文。",
+        "secret-detected": "检测到疑似已提交 secret。",
+        "workflow-permission-change": "Workflow 权限变化需要重点审查。",
+        "mcp-credential-risk": "MCP 配置扩大了本地执行面或凭证风险。",
+        "large-review-surface": "PR 规模过大，常规 review 可靠性会下降。",
+        "broad-review-surface": "PR review 面积偏大。",
+        "sensitive-path-high": "高敏感文件发生变更，需要重点 review。",
+        "sensitive-path-medium": "敏感文件发生变更，需要重点 review。",
+        "dependency-change": "依赖清单发生变更。",
+        "dependency-major-upgrade": "依赖发生大版本升级。",
+        "dependency-lifecycle-script": "包生命周期脚本可能在安装或发布阶段执行代码。",
+        "workflow-dangerous-trigger": "pull_request_target workflow 需要重点审查高权限触发路径。",
+        "missing-tests": "代码发生变更，但缺少测试变更或验证说明。"
+    }[reasonId] ?? fallback;
+}
 function formatBoolean(value) {
     return value ? "yes" : "no";
 }
@@ -23780,6 +24104,7 @@ function analyzeDiffFiles(files, config, pullRequest) {
     findings.push(...analyzePullRequestEvidence(activeFiles, pullRequest));
     findings.push(...analyzeDependencyChanges(activeFiles, config));
     findings.push(...analyzeWorkflowPermissions(activeFiles));
+    findings.push(...analyzeWorkflowDangerousTriggers(activeFiles));
     findings.push(...analyzeMcpConfigs(activeFiles));
     if (config.secrets.enabled) {
         for (const file of activeFiles) {
@@ -23905,58 +24230,137 @@ function analyzePullRequestEvidence(files, pullRequest) {
     return findings;
 }
 function analyzeDependencyChanges(files, config) {
-    if (!config.dependencies.flagNewPackages) {
-        return [];
-    }
     const findings = [];
     for (const file of files.filter((candidate) => isDependencyManifest(candidate.path))) {
-        const addedDependencyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => isDependencyLikeAddition(file.path, line));
-        if (addedDependencyLines.length === 0) {
-            continue;
+        if (config.dependencies.flagNewPackages) {
+            const addedDependencyLines = file.addedLines.filter((line) => isDependencyLikeAddition(file.path, line.value.trim()));
+            if (addedDependencyLines.length > 0) {
+                findings.push({
+                    ruleId: "dependency-added",
+                    title: "Dependency manifest changed",
+                    message: `${file.path} adds or changes dependency-like entries.`,
+                    severity: "medium",
+                    path: file.path,
+                    evidence: addedDependencyLines.slice(0, 5).map(formatEvidenceLine),
+                    recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
+                });
+            }
+        }
+        if (config.dependencies.flagMajorUpgrades) {
+            findings.push(...analyzeMajorDependencyUpgrades(file));
+        }
+        if (config.dependencies.flagLifecycleScripts) {
+            findings.push(...analyzeLifecycleScripts(file));
         }
-        findings.push({
-            ruleId: "dependency-added",
-            title: "Dependency manifest changed",
-            message: `${file.path} adds or changes dependency-like entries.`,
-            severity: "medium",
-            path: file.path,
-            evidence: addedDependencyLines.slice(0, 5),
-            recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
-        });
     }
     return findings;
 }
 function isDependencyLikeAddition(path, line) {
+    return parseDependencyLine(path, { value: line }) !== undefined;
+}
+function analyzeMajorDependencyUpgrades(file) {
+    const removedDependencies = new Map();
+    for (const line of file.removedLines) {
+        const parsed = parseDependencyLine(file.path, line);
+        if (parsed) {
+            removedDependencies.set(parsed.name, parsed);
+        }
+    }
+    const upgrades = file.addedLines
+        .map((line) => parseDependencyLine(file.path, line))
+        .filter((line) => Boolean(line))
+        .map((added) => ({ added, removed: removedDependencies.get(added.name) }))
+        .filter((change) => change.removed !== undefined && isMajorUpgrade(change.removed.version, change.added.version));
+    if (upgrades.length === 0) {
+        return [];
+    }
+    return [
+        {
+            ruleId: "dependency-major-upgrade",
+            title: "Dependency major version upgrade",
+            message: `${file.path} upgrades one or more dependencies across a major version boundary.`,
+            severity: "medium",
+            path: file.path,
+            evidence: upgrades.slice(0, 5).map(({ added, removed }) => `${added.line.lineNumber ? `line ${added.line.lineNumber}: ` : ""}${added.name} ${removed.version} -> ${added.version}`),
+            recommendation: "Check changelogs, migration notes, peer dependency impact, and whether tests cover the upgraded package surface."
+        }
+    ];
+}
+function analyzeLifecycleScripts(file) {
+    if (!file.path.endsWith("package.json")) {
+        return [];
+    }
+    const lifecycleLines = file.addedLines.filter((line) => /^"(?:preinstall|install|postinstall|prepare|prepublish|prepublishOnly)"\s*:/.test(line.value.trim()));
+    if (lifecycleLines.length === 0) {
+        return [];
+    }
+    return [
+        {
+            ruleId: "dependency-lifecycle-script",
+            title: "Package lifecycle script changed",
+            message: `${file.path} adds or changes npm lifecycle scripts that may run during install or publish.`,
+            severity: "high",
+            path: file.path,
+            evidence: lifecycleLines.slice(0, 5).map(formatEvidenceLine),
+            recommendation: "Review whether the lifecycle script is necessary, whether it downloads or executes remote code, and whether it can affect consumers during install."
+        }
+    ];
+}
+function parseDependencyLine(path, line) {
+    const value = line.value.trim();
     if (path.endsWith("package.json")) {
-        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<value>[^"]*)"/.exec(line);
+        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<version>[^"]*)"/.exec(value);
         if (!match?.groups) {
-            return false;
+            return undefined;
         }
-        const { key, value } = match.groups;
-        if (!key || !value || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
-            return false;
+        const { key, version } = match.groups;
+        if (!key || !version || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
+            return undefined;
         }
-        return /^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(value);
+        if (!/^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(version)) {
+            return undefined;
+        }
+        return { name: key, version, line };
     }
     if (path.endsWith("requirements.txt")) {
-        return /^[A-Za-z0-9_.-]+(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*[^#\s]+/.test(line);
+        const match = /^(?<name>[A-Za-z0-9_.-]+)(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*(?<version>[^#\s]+)/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
     if (path.endsWith("pyproject.toml") || path.endsWith("Cargo.toml")) {
-        return /^[A-Za-z0-9_.-]+\s*=\s*"(?:\^|~|>=?|<=?|\d|workspace:|path\s*=|git\s*=)[^"]*"/.test(line);
+        const match = /^(?<name>[A-Za-z0-9_.-]+)\s*=\s*"(?<version>(?:\^|~|>=?|<=?|\d|workspace:|path\s*=|git\s*=)[^"]*)"/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
     if (path.endsWith("go.mod")) {
-        return /^(?:require\s+)?[A-Za-z0-9_.\-/]+\s+v\d+\.\d+\.\d+/.test(line);
+        const match = /^(?:require\s+)?(?<name>[A-Za-z0-9_.\-/]+)\s+(?<version>v\d+\.\d+\.\d+)/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
-    return false;
+    return undefined;
+}
+function isMajorUpgrade(previousVersion, nextVersion) {
+    const previousMajor = extractMajorVersion(previousVersion);
+    const nextMajor = extractMajorVersion(nextVersion);
+    return previousMajor !== undefined && nextMajor !== undefined && nextMajor > previousMajor;
+}
+function extractMajorVersion(version) {
+    const normalized = version
+        .replace(/^workspace:/, "")
+        .replace(/^npm:[^@]+@/, "")
+        .replace(/^[~^<>=\s]+/, "")
+        .replace(/^v/, "");
+    const match = /(?<major>\d+)\.\d+\.\d+/.exec(normalized);
+    const major = match?.groups?.major ? Number(match.groups.major) : undefined;
+    return major !== undefined && Number.isInteger(major) ? major : undefined;
 }
 function analyzeWorkflowPermissions(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isWorkflowPath(candidate.path))) {
-        const permissionLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line));
+        const permissionLines = file.addedLines.filter((line) => /permissions:|contents:\s*write|packages:\s*write|id-token:\s*write|pull-requests:\s*write/.test(line.value.trim()));
         if (permissionLines.length === 0) {
             continue;
         }
@@ -23966,18 +24370,35 @@ function analyzeWorkflowPermissions(files) {
             message: `${file.path} adds or changes GitHub Actions permissions.`,
             severity: "high",
             path: file.path,
-            evidence: permissionLines.slice(0, 5),
+            evidence: permissionLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Check whether the workflow really needs write or token permissions and whether untrusted pull requests can reach it."
         });
     }
     return findings;
 }
+function analyzeWorkflowDangerousTriggers(files) {
+    const findings = [];
+    for (const file of files.filter((candidate) => isWorkflowPath(candidate.path))) {
+        const triggerLines = file.addedLines.filter((line) => /\bpull_request_target\b/.test(line.value.trim()));
+        if (triggerLines.length === 0) {
+            continue;
+        }
+        findings.push({
+            ruleId: "workflow-dangerous-trigger",
+            title: "Workflow uses pull_request_target",
+            message: `${file.path} adds pull_request_target, which runs with base repository context and can be risky for untrusted PRs.`,
+            severity: "high",
+            path: file.path,
+            evidence: triggerLines.slice(0, 5).map(formatEvidenceLine),
+            recommendation: "Confirm the workflow does not check out or execute untrusted PR code with privileged tokens or write permissions."
+        });
+    }
+    return findings;
+}
 function analyzeMcpConfigs(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isMcpConfigPath(candidate.path))) {
-        const riskyLines = file.addedLines
-            .map((line) => line.value.trim())
-            .filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line));
+        const riskyLines = file.addedLines.filter((line) => /env|token|secret|password|api[_-]?key|command|args/i.test(line.value.trim()));
         if (riskyLines.length === 0) {
             continue;
         }
@@ -23987,12 +24408,16 @@ function analyzeMcpConfigs(files) {
             message: `${file.path} adds MCP configuration lines related to commands or credentials.`,
             severity: "high",
             path: file.path,
-            evidence: riskyLines.slice(0, 5),
+            evidence: riskyLines.slice(0, 5).map(formatEvidenceLine),
             recommendation: "Avoid committing credentials in MCP config. Review command and args values as local execution surface."
         });
     }
     return findings;
 }
+function formatEvidenceLine(line) {
+    const value = line.value.trim();
+    return line.lineNumber ? `line ${line.lineNumber}: ${value}` : value;
+}
 function sensitivePathSeverity(path) {
     if (matchesAny(path, [
         "**/.env*",
@@ -24015,8 +24440,14 @@ function scanDiff(diffText, options = {}) {
     const files = parseUnifiedDiff(diffText);
     const findings = dedupeFindings(analyzeDiffFiles(files, config, options.pullRequest));
     const summary = summarizeDiffFiles(files, config, options.pullRequest);
+    const risk = calculateRisk(findings);
+    const evidenceScore = calculateEvidenceScore(summary, findings);
+    const reviewDecision = calculateReviewDecision(risk, evidenceScore, findings);
     return {
-        risk: calculateRisk(findings),
+        risk,
+        evidenceScore,
+        reviewDecision,
+        reviewPlan: buildReviewPlan(reviewDecision, findings, evidenceScore),
         summary,
         findings
     };
@@ -24033,6 +24464,373 @@ function calculateRisk(findings) {
     }
     return "low";
 }
+function calculateEvidenceScore(summary, findings) {
+    const deductions = new Map();
+    const addDeduction = (reasonId, points, message) => {
+        const existing = deductions.get(reasonId);
+        if (existing) {
+            existing.points = Math.max(existing.points, points);
+            return;
+        }
+        deductions.set(reasonId, { message, points });
+    };
+    if (summary.pullRequestDescription === "missing") {
+        addDeduction("missing-pr-description", 25, "PR description is missing.");
+    }
+    else if (summary.pullRequestDescription === "thin") {
+        addDeduction("thin-pr-description", 15, "PR description is too thin for confident review.");
+    }
+    else if (summary.pullRequestDescription === "unavailable") {
+        addDeduction("no-pr-context", 10, "PR description was not available to the scanner.");
+    }
+    const needsVerificationEvidence = findings.some((finding) => [
+        "change-size",
+        "sensitive-path",
+        "missing-tests",
+        "dependency-added",
+        "dependency-major-upgrade",
+        "dependency-lifecycle-script",
+        "workflow-permission-change",
+        "workflow-dangerous-trigger",
+        "mcp-credential-risk"
+    ].includes(finding.ruleId));
+    if (needsVerificationEvidence && !summary.verificationEvidence) {
+        addDeduction("missing-verification", 20, "No test or manual verification evidence was found.");
+    }
+    if ((summary.sensitiveFilesChanged > 0 || summary.filesChanged >= 5) && !summary.reproductionEvidence) {
+        addDeduction("missing-reproduction-context", 15, "No reproduction, before/after, or expected/actual context was found.");
+    }
+    for (const finding of findings) {
+        if (finding.ruleId.startsWith("secret-detected")) {
+            addDeduction("secret-detected", 40, "Possible committed secret detected.");
+        }
+        else if (finding.ruleId === "workflow-permission-change") {
+            addDeduction("workflow-permission-change", 25, "Workflow permission changes need deliberate review.");
+        }
+        else if (finding.ruleId === "workflow-dangerous-trigger") {
+            addDeduction("workflow-dangerous-trigger", 30, "pull_request_target workflows need privileged trigger review.");
+        }
+        else if (finding.ruleId === "mcp-credential-risk") {
+            addDeduction("mcp-credential-risk", 25, "MCP configuration expands local execution or credential risk.");
+        }
+        else if (finding.ruleId === "change-size") {
+            addDeduction(finding.severity === "high" ? "large-review-surface" : "broad-review-surface", finding.severity === "high" ? 20 : 10, finding.severity === "high"
+                ? "The PR is large enough that normal review is likely unreliable."
+                : "The PR has a broad review surface.");
+        }
+        else if (finding.ruleId === "sensitive-path") {
+            addDeduction(`sensitive-path-${finding.severity}`, finding.severity === "high" ? 20 : 10, "Sensitive files changed and need focused review.");
+        }
+        else if (finding.ruleId === "dependency-added") {
+            addDeduction("dependency-change", 10, "Dependency manifest changed.");
+        }
+        else if (finding.ruleId === "dependency-major-upgrade") {
+            addDeduction("dependency-major-upgrade", 15, "Dependency major version changed.");
+        }
+        else if (finding.ruleId === "dependency-lifecycle-script") {
+            addDeduction("dependency-lifecycle-script", 25, "Package lifecycle scripts can run during install or publish.");
+        }
+        else if (finding.ruleId === "missing-tests") {
+            addDeduction("missing-tests", finding.severity === "medium" ? 20 : 12, "Code changed without test changes or verification notes.");
+        }
+    }
+    const strengths = collectEvidenceStrengths(summary);
+    const value = clampScore(100 - [...deductions.values()].reduce((sum, item) => sum + item.points, 0));
+    return {
+        value,
+        grade: gradeEvidenceScore(value),
+        strengths,
+        deductions: [...deductions.entries()].map(([reasonId, item]) => ({
+            reasonId,
+            message: item.message,
+            points: item.points
+        }))
+    };
+}
+function collectEvidenceStrengths(summary) {
+    const strengths = [];
+    if (summary.pullRequestDescription === "present") {
+        strengths.push("PR description provides review context.");
+    }
+    if (summary.verificationEvidence) {
+        strengths.push("Verification evidence was found.");
+    }
+    if (summary.reproductionEvidence) {
+        strengths.push("Reproduction or before/after context was found.");
+    }
+    if (summary.testFilesChanged > 0) {
+        strengths.push("Test files changed with the PR.");
+    }
+    if (summary.filesChanged > 0 && summary.sensitiveFilesChanged === 0) {
+        strengths.push("No configured sensitive files changed.");
+    }
+    return strengths;
+}
+function gradeEvidenceScore(value) {
+    if (value >= 85) {
+        return "strong";
+    }
+    if (value >= 70) {
+        return "adequate";
+    }
+    if (value >= 50) {
+        return "thin";
+    }
+    return "risky";
+}
+function calculateReviewDecision(risk, evidenceScore, findings) {
+    const hasBlockingSecurityFinding = findings.some((finding) => finding.ruleId.startsWith("secret-detected") ||
+        finding.ruleId === "workflow-permission-change" ||
+        finding.ruleId === "workflow-dangerous-trigger" ||
+        finding.ruleId === "dependency-lifecycle-script" ||
+        finding.ruleId === "mcp-credential-risk");
+    if (hasBlockingSecurityFinding || evidenceScore.value < 50 || risk === "high") {
+        return "block-merge";
+    }
+    if (evidenceScore.value < 70 ||
+        findings.some((finding) => finding.ruleId === "missing-tests" || finding.ruleId === "thin-pr-description")) {
+        return "needs-evidence";
+    }
+    if (risk === "medium") {
+        return "review-carefully";
+    }
+    return "ready";
+}
+function clampScore(value) {
+    return Math.max(0, Math.min(100, value));
+}
+function buildReviewPlan(reviewDecision, findings, evidenceScore) {
+    const actionItems = dedupeReviewActions([
+        ...reviewDecisionActions(reviewDecision),
+        ...evidenceScoreActions(evidenceScore),
+        ...findings.flatMap((finding) => reviewActionsForFinding(finding))
+    ]);
+    const focusFiles = dedupeFocusFiles(findings
+        .filter((finding) => finding.path)
+        .map((finding) => ({
+        path: finding.path,
+        reasonId: finding.ruleId,
+        reason: finding.title,
+        priority: finding.severity === "high" ? "high" : finding.severity === "medium" ? "medium" : "low"
+    })));
+    return {
+        actionItems: actionItems.slice(0, 8),
+        focusFiles: focusFiles.slice(0, 8)
+    };
+}
+function reviewDecisionActions(reviewDecision) {
+    if (reviewDecision === "block-merge") {
+        return [
+            {
+                actionId: "block-merge-until-resolved",
+                title: "Block merge until the flagged risks are handled.",
+                detail: "Treat this PR as not ready for merge until the high-risk findings are explained, reduced, or removed.",
+                priority: "high",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "needs-evidence") {
+        return [
+            {
+                actionId: "ask-for-evidence-before-review",
+                title: "Ask for missing evidence before deep review.",
+                detail: "Request tests, screenshots, reproduction steps, or a clearer PR description before spending detailed review time.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    if (reviewDecision === "review-carefully") {
+        return [
+            {
+                actionId: "review-with-focus",
+                title: "Review with a focused checklist.",
+                detail: "Use the findings and focus files below as the first-pass review map.",
+                priority: "medium",
+                relatedRuleIds: []
+            }
+        ];
+    }
+    return [
+        {
+            actionId: "normal-review",
+            title: "Proceed with normal review.",
+            detail: "The PR has enough evidence for a standard maintainer review pass.",
+            priority: "low",
+            relatedRuleIds: []
+        }
+    ];
+}
+function evidenceScoreActions(evidenceScore) {
+    return evidenceScore.deductions.flatMap((deduction) => {
+        if (deduction.reasonId === "missing-pr-description" ||
+            deduction.reasonId === "thin-pr-description" ||
+            deduction.reasonId === "no-pr-context") {
+            return [
+                {
+                    actionId: "improve-pr-description",
+                    title: "Ask for a clearer PR description.",
+                    detail: "The contributor should explain why the change is needed, what changed, how it was verified, and any rollout or compatibility risk.",
+                    priority: "medium",
+                    relatedRuleIds: ["thin-pr-description"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-verification" || deduction.reasonId === "missing-tests") {
+            return [
+                {
+                    actionId: "add-verification-evidence",
+                    title: "Ask for test or manual verification evidence.",
+                    detail: "Require test output, CI links, screenshots, or a short manual verification note before approving.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-tests"]
+                }
+            ];
+        }
+        if (deduction.reasonId === "missing-reproduction-context") {
+            return [
+                {
+                    actionId: "add-reproduction-context",
+                    title: "Ask for reproduction or before/after context.",
+                    detail: "The PR should include steps to reproduce, expected and actual behavior, or before/after screenshots where relevant.",
+                    priority: "medium",
+                    relatedRuleIds: ["missing-reproduction-context"]
+                }
+            ];
+        }
+        return [];
+    });
+}
+function reviewActionsForFinding(finding) {
+    if (finding.ruleId.startsWith("secret-detected")) {
+        return [
+            {
+                actionId: "rotate-secret",
+                title: "Rotate and remove the exposed credential.",
+                detail: "Do not merge until the secret is removed from the PR and any exposed value has been rotated.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "workflow-permission-change") {
+        return [
+            {
+                actionId: "justify-workflow-permissions",
+                title: "Require a least-privilege explanation for workflow permissions.",
+                detail: "Confirm whether write permissions or OIDC are necessary and whether untrusted PRs can reach this workflow.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "workflow-dangerous-trigger") {
+        return [
+            {
+                actionId: "review-privileged-pr-trigger",
+                title: "Review privileged pull_request_target usage.",
+                detail: "Confirm the workflow does not execute untrusted PR code with write tokens, secrets, or repository permissions.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-lifecycle-script") {
+        return [
+            {
+                actionId: "review-package-lifecycle-script",
+                title: "Review package lifecycle scripts before merge.",
+                detail: "Check whether install, postinstall, prepare, or publish scripts can execute unexpected code for contributors or consumers.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "mcp-credential-risk") {
+        return [
+            {
+                actionId: "review-mcp-execution-surface",
+                title: "Review MCP commands, args, and credential handling.",
+                detail: "Check that MCP config does not commit secrets and does not unexpectedly expand local execution surface.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "change-size") {
+        return [
+            {
+                actionId: "request-review-map-or-split",
+                title: "Request a smaller PR or a file-by-file review map.",
+                detail: "Ask the contributor to split unrelated changes or identify the files that need the closest review.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-added") {
+        return [
+            {
+                actionId: "verify-dependency-change",
+                title: "Verify dependency provenance and lockfile impact.",
+                detail: "Check package name, maintainer, license, install scripts, and whether the lockfile matches the intended dependency change.",
+                priority: "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-major-upgrade") {
+        return [
+            {
+                actionId: "review-major-dependency-upgrade",
+                title: "Review major dependency upgrade impact.",
+                detail: "Check changelogs, migration notes, peer dependencies, and whether tests cover the upgraded surface.",
+                priority: "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "sensitive-path") {
+        return [
+            {
+                actionId: "assign-sensitive-file-review",
+                title: "Assign focused review for sensitive files.",
+                detail: "Have a maintainer deliberately inspect the sensitive file changes before approval.",
+                priority: finding.severity === "high" ? "high" : "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    return [];
+}
+function dedupeReviewActions(actions) {
+    const seen = new Set();
+    const unique = [];
+    for (const action of actions.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(action.actionId)) {
+            continue;
+        }
+        seen.add(action.actionId);
+        unique.push(action);
+    }
+    return unique;
+}
+function dedupeFocusFiles(files) {
+    const seen = new Set();
+    const unique = [];
+    for (const file of files.sort((left, right) => priorityRank(right.priority) - priorityRank(left.priority))) {
+        if (seen.has(file.path)) {
+            continue;
+        }
+        seen.add(file.path);
+        unique.push(file);
+    }
+    return unique;
+}
+function priorityRank(priority) {
+    return { low: 1, medium: 2, high: 3 }[priority];
+}
 function dedupeFindings(findings) {
     const seen = new Set();
     const unique = [];
@@ -24066,7 +24864,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.3");
+    .version("0.1.6");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -24102,10 +24900,11 @@ build_program
     .description("Create a starter .proofpr.yml and GitHub Actions workflow.")
     .option("--config-path <path>", "Path to write the ProofPR configuration file.", ".proofpr.yml")
     .option("--workflow-path <path>", "Path to write the GitHub Actions workflow.", ".github/workflows/proofpr.yml")
+    .option("--preset <preset>", `Config preset: ${listConfigPresets().join(", ")}.`, parsePresetOption, "open-source-maintainer")
     .option("--fail-on <level>", "Workflow failure threshold: low, medium, high, or never.", parseFailLevel, "high")
     .option("--force", "Overwrite existing files.", false)
     .action(async (options) => {
-    await writeIfMissing(options.configPath, renderConfigTemplate(), options.force);
+    await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
     process.stdout.write(`ProofPR initialized:\n- ${options.configPath}\n- ${options.workflowPath}\n`);
 });
@@ -24144,42 +24943,56 @@ async function pathExists(path) {
         return false;
     }
 }
-function renderConfigTemplate() {
+function renderConfigTemplate(preset) {
     return `locale: zh-CN
-riskThreshold: high
-sensitivePaths:
-  - ".github/workflows/**"
-  - ".github/actions/**"
-  - "**/.env*"
-  - "**/mcp*.json"
-  - "**/*mcp*.json"
-  - "Dockerfile"
-  - "**/Dockerfile"
-  - "package.json"
-  - "pnpm-lock.yaml"
-  - "package-lock.json"
-  - "yarn.lock"
-  - "bun.lockb"
-requireTests:
-  enabled: true
-  paths:
-    - "src/**"
-    - "packages/**/src/**"
-    - "app/**"
-    - "lib/**"
-secrets:
-  enabled: true
-dependencies:
-  flagNewPackages: true
-  flagMajorUpgrades: true
+preset: ${preset}
 comment:
   enabled: true
+# 如需更严格或更宽松，可以先换 preset：
+# preset: security-strict
+#
+# 可用预设：
+# - balanced
+# - open-source-maintainer
+# - security-strict
+# - ai-generated-pr
+# - mcp-security
+# - dependency-careful
+#
+# 也可以取消注释下面这些字段，覆盖 preset 的默认值。
+# riskThreshold: high
+#
+# sensitivePaths:
+#   - ".github/workflows/**"
+#   - ".github/actions/**"
+#   - "**/.env*"
+#   - "**/mcp*.json"
+#   - "**/*mcp*.json"
+#   - "Dockerfile"
+#   - "**/Dockerfile"
+#   - "package.json"
+#   - "pnpm-lock.yaml"
+#   - "package-lock.json"
+#   - "yarn.lock"
+#   - "bun.lockb"
+#
+# requireTests:
+#   enabled: true
+#   paths:
+#     - "src/**"
+#     - "packages/**/src/**"
+#     - "app/**"
+#     - "lib/**"
+#
+# secrets:
+#   enabled: true
+#
+# dependencies:
+#   flagNewPackages: true
+#   flagMajorUpgrades: true
+#   flagLifecycleScripts: true
 `;
 }
 function renderWorkflowTemplate(failOn) {
@@ -24198,10 +25011,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.3
+      - uses: linsk27/proof-pr@v0.1.6
         with:
           fail-on: ${failOn}
           comment: "true"
+          annotations: "true"
 `;
 }
 function renderOutput(result, format, locale) {
@@ -24225,4 +25039,11 @@ function parseFailLevel(value) {
     }
     throw new InvalidArgumentError("fail-on must be one of: low, medium, high, never");
 }
+function parsePresetOption(value) {
+    const preset = parsePreset(value);
+    if (preset === value) {
+        return preset;
+    }
+    throw new InvalidArgumentError(`preset must be one of: ${listConfigPresets().join(", ")}`);
+}
 //# sourceMappingURL=index.js.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.3",
+  "version": "0.1.6",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",
@@ -27,6 +27,8 @@
     "secrets-scanning",
     "github-actions-security",
     "dependency-review",
+    "sarif",
+    "code-scanning",
     "ai-coding",
     "ai-generated-code",
     "mcp",

package/dist/index.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- #!/usr/bin/env node
2	- export {};

package/dist/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAC1D,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,QAAQ,EAET,MAAM,gBAAgB,CAAC;AAExB,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAwB1C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,sFAAsF,CAAC;KACnG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KACpC,WAAW,CAAC,6CAA6C,CAAC;KAC1D,MAAM,CAAC,cAAc,EAAE,yDAAyD,CAAC;KACjF,MAAM,CAAC,cAAc,EAAE,gCAAgC,EAAE,MAAM,CAAC;KAChE,MAAM,CAAC,oBAAoB,EAAE,8DAA8D,CAAC;KAC5F,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;KAC5E,MAAM,CAAC,kBAAkB,EAAE,6CAA6C,CAAC;KACzE,MAAM,CAAC,uBAAuB,EAAE,gDAAgD,CAAC;KACjF,MAAM,CAAC,iBAAiB,EAAE,uBAAuB,EAAE,cAAc,CAAC;KAClE,MAAM,CAAC,mBAAmB,EAAE,0CAA0C,EAAE,WAAW,EAAE,UAAU,CAAC;KAChG,MAAM,CAAC,mBAAmB,EAAE,8DAA8D,EAAE,cAAc,EAAE,OAAO,CAAC;KACpH,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,EAAE;IAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ;QAC/B,CAAC,CAAC,MAAM,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1C,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAElD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,WAAW,GACf,OAAO,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS;QACnD,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;QAC1C,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAEpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,CAAC,CAAC;IAEpC,IAAI,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,4DAA4D,CAAC;KACzE,MAAM,CAAC,sBAAsB,EAAE,+CAA+C,EAAE,cAAc,CAAC;KAC/F,MAAM,CACL,wBAAwB,EACxB,4CAA4C,EAC5C,+BAA+B,CAChC;KACA,MAAM,CAAC,mBAAmB,EAAE,0DAA0D,EAAE,cAAc,EAAE,MAAM,CAAC;KAC/G,MAAM,CAAC,SAAS,EAAE,2BAA2B,EAAE,KAAK,CAAC;KACrD,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,EAAE;IAC5C,MAAM,cAAc,CAAC,OAAO,CAAC,UAAU,EAAE,oBAAoB,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAChF,MAAM,cAAc,CAAC,OAAO,CAAC,YAAY,EAAE,sBAAsB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAClG,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2BAA2B,OAAO,CAAC,UAAU,OAAO,OAAO,CAAC,YAAY,IAAI,CAC7E,CAAC;AACJ,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IACxD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,OAAO,IAAI,CAAC,CAAC;IACrD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,WAAW,CAAC,IAAwB,EAAE,IAAY;IAC/D,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC;IAEtD,IAAI,IAAI,EAAE,CAAC;QACT,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,MAAM,IAAI,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC;IACrF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,OAA2B;IAC5D,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,IAAY,EAAE,QAAgB,EAAE,KAAc;IAC1E,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,gDAAgD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiCR,CAAC;AACF,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAiB;IAC/C,OAAO;;;;;;;;;;;;;;;;;qBAiBY,MAAM;;CAE1B,CAAC;AACF,CAAC;AAED,SAAS,YAAY,CAAC,MAAmC,EAAE,MAAoB;IAC7E,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,oBAAoB,CAAC,8CAA8C,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACnF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,oBAAoB,CAAC,kDAAkD,CAAC,CAAC;AACrF,CAAC"}