npm - react-doctor - Versions diffs - 0.2.13-dev.adbec28 → 0.2.14-dev.3ceb748 - Mend

react-doctor 0.2.13-dev.adbec28 → 0.2.14-dev.3ceb748

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +12 -1
package/dist/{cli-logger-CSZagq1E.js → cli-logger-BgVL1vBI.js} +176 -18
package/dist/cli.js +42 -14
package/dist/index.d.ts +9 -3
package/dist/index.js +173 -16
package/package.json +5 -5

package/README.md CHANGED Viewed

@@ -1,7 +1,7 @@
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="./assets/react-doctor-readme-logo-dark.svg">
   <source media="(prefers-color-scheme: light)" srcset="./assets/react-doctor-readme-logo-light.svg">
-  <img alt="React Doctor" src="./assets/react-doctor-readme-logo-light.svg" width="239" height="40">
+  <img alt="React Doctor" src="./assets/react-doctor-readme-logo-light.svg" width="134" height="36">
 </picture>
 [![version](https://img.shields.io/npm/v/react-doctor?style=flat&colorA=000000&colorB=000000)](https://npmjs.com/package/react-doctor)
@@ -71,6 +71,17 @@ React Doctor scans the files changed in the pull request, emits inline annotatio
 [Add GitHub Action →](https://github.com/marketplace/actions/react-doctor)
+### 4. Configure rules in `react-doctor.config.json`
+Point the `$schema` key at `https://react.doctor/schema/config.json` to get autocomplete, hover docs, and typo warnings for every option in any editor that understands JSON Schema.
+```jsonc
+{
+  "$schema": "https://react.doctor/schema/config.json",
+  "lint": true,
+}
+```
 ## Contributing
 [Issues welcome!](https://github.com/millionco/react-doctor/issues)

package/dist/{cli-logger-CSZagq1E.js → cli-logger-BgVL1vBI.js} RENAMED Viewed

@@ -3189,6 +3189,7 @@ const isTailwindAtLeast = (detected, required) => {
 const JSX_FILE_PATTERN = /\.(tsx|jsx)$/;
 const MILLISECONDS_PER_SECOND = 1e3;
 const SCORE_API_URL = "https://www.react.doctor/api/score";
+const ENTERPRISE_CONTACT_URL = "https://react.doctor/enterprise";
 const SHARE_BASE_URL = "https://www.react.doctor/share";
 const PROMPTS_RULES_BASE_URL = "https://www.react.doctor/prompts/rules";
 const FETCH_TIMEOUT_MS = 1e4;
@@ -5909,6 +5910,149 @@ const appendReanimatedSharedValueHint = (help, rule, project) => {
 	if (!help) return REANIMATED_SHARED_VALUE_HINT;
 	return `${help}\n\n${REANIMATED_SHARED_VALUE_HINT}`;
 };
+const REDACTED_PLACEHOLDER = "<redacted>";
+const KEEP_PREFIX = `$1${REDACTED_PLACEHOLDER}`;
+const KNOWN_SECRET_RULES = [
+	{
+		pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /(?<=:\/\/)[^\s/:@]+:[^\s/@]+(?=@)/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b(AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA|A3T[A-Z0-9])[0-9A-Z]{16,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(gh[pousr]_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(github_pat_)[A-Za-z0-9_]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(glpat-)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(xox[baprs]-)[A-Za-z0-9-]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=hooks\.slack\.com\/services\/)[A-Za-z0-9/+_-]{20,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b((?:sk|rk)_(?:live|test)_)[0-9A-Za-z]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sk-(?:proj-|ant-)?)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(AIza)[0-9A-Za-z_-]{35,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(ya29\.)[0-9A-Za-z_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(npm_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SG\.)[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{43,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SK)[0-9a-fA-F]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(dop_v1_)[a-f0-9]{64,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(shp(?:at|ca|pa|ss)_)[a-fA-F0-9]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sq0[a-z]{3}-)[0-9A-Za-z_-]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b([0-9]{8,10}:AA)[0-9A-Za-z_-]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=\bBearer\s)[A-Za-z0-9._~+/=-]{16,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+		replacement: REDACTED_PLACEHOLDER
+	}
+];
+const CANDIDATE_TOKEN_PATTERN = /[A-Za-z0-9_][A-Za-z0-9_-]*/g;
+const GIT_OBJECT_ID_PATTERN = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const HAS_LETTER_PATTERN = /[A-Za-z]/;
+const HAS_DIGIT_PATTERN = /[0-9]/;
+const shannonEntropyBits = (value) => {
+	const counts = /* @__PURE__ */ new Map();
+	for (const char of value) counts.set(char, (counts.get(char) ?? 0) + 1);
+	let bits = 0;
+	for (const count of counts.values()) {
+		const probability = count / value.length;
+		bits -= probability * Math.log2(probability);
+	}
+	return bits;
+};
+const looksLikeHighEntropySecret = (token) => {
+	if (token.length < 32) return false;
+	if (!HAS_LETTER_PATTERN.test(token) || !HAS_DIGIT_PATTERN.test(token)) return false;
+	if (GIT_OBJECT_ID_PATTERN.test(token) || UUID_PATTERN.test(token)) return false;
+	return shannonEntropyBits(token) >= 3;
+};
+const redactHighEntropyTokens = (text) => text.replace(CANDIDATE_TOKEN_PATTERN, (token) => looksLikeHighEntropySecret(token) ? REDACTED_PLACEHOLDER : token);
+/**
+* Masks API keys, tokens, private keys, credentialed URLs, and emails
+* found anywhere inside a free-text string, returning the scrubbed text.
+* Applied to every diagnostic's `message` / `help` at construction time
+* so secrets never reach the terminal, the JSON report, or the score
+* API — react-doctor must never echo or transmit a user's secrets.
+*
+* Provider tokens keep their non-secret, type-identifying prefix (e.g.
+* `sk_live_<redacted>`, `ghp_<redacted>`, `AKIA<redacted>`) so the leaked
+* credential's type stays visible; structural or unknown-format secrets
+* with no meaningful prefix are masked whole.
+*
+* Runs the high-precision known-shape detectors first, then a generic
+* entropy-gated sweep for unknown-format secrets. Idempotent: the inert
+* `<redacted>` placeholder matches none of the detectors and is too
+* short for the generic sweep, so re-running leaves the text unchanged.
+*
+* Accepts `unknown` on purpose: callers feed it diagnostic `message` /
+* `help` that originate from oxlint JSON, which is only shape-checked at
+* the top level (the per-field `string` types are assumed, not validated).
+* A malformed non-string value returns `""` instead of throwing on
+* `.replace`, so one bad diagnostic can't abort parsing the whole batch.
+*/
+const redactSensitiveText = (text) => {
+	if (typeof text !== "string" || text === "") return "";
+	let redacted = text;
+	for (const rule of KNOWN_SECRET_RULES) redacted = redacted.replace(rule.pattern, rule.replacement);
+	return redactHighEntropyTokens(redacted);
+};
 const REACT_MODULE_SOURCE = "react";
 const REQUIRE_IDENTIFIER = "require";
 const USE_IDENTIFIER = "use";
@@ -6230,6 +6374,13 @@ const getRuleRecommendation = (ruleName, project) => {
 };
 const getRuleCategory = (ruleName) => reactDoctorPlugin.rules[ruleName]?.category;
 const cleanDiagnosticMessage = (message, help, plugin, rule, project) => {
+	const cleaned = resolveCleanedDiagnostic(typeof message === "string" ? message : "", typeof help === "string" ? help : "", plugin, rule, project);
+	return {
+		message: redactSensitiveText(cleaned.message),
+		help: redactSensitiveText(cleaned.help)
+	};
+};
+const resolveCleanedDiagnostic = (message, help, plugin, rule, project) => {
 	if (plugin === "react-hooks-js") return {
 		message: REACT_COMPILER_MESSAGE,
 		help: appendReanimatedSharedValueHint(message.replace(FILEPATH_WITH_LOCATION_PATTERN, "").trim() || help, rule, project)
@@ -6434,11 +6585,14 @@ const spawnLintBatches = async (input) => {
 				onFileProgress(scannedFileCount + batchFileIndex, totalFileCount);
 			}
 		}, 50) : null;
-		const batchDiagnostics = await spawnLintBatch(batch);
-		if (progressInterval !== null) clearInterval(progressInterval);
-		allDiagnostics.push(...batchDiagnostics);
-		scannedFileCount += batch.length;
-		onFileProgress?.(scannedFileCount, totalFileCount);
+		try {
+			const batchDiagnostics = await spawnLintBatch(batch);
+			allDiagnostics.push(...batchDiagnostics);
+			scannedFileCount += batch.length;
+			onFileProgress?.(scannedFileCount, totalFileCount);
+		} finally {
+			if (progressInterval !== null) clearInterval(progressInterval);
+		}
 	}
 	if (droppedFiles.length > 0 && onPartialFailure) {
 		const previewFiles = droppedFiles.slice(0, 3).join(", ");
@@ -6787,17 +6941,21 @@ var Reporter = class Reporter extends Context.Service()("react-doctor/Reporter")
 		});
 	}));
 };
-const parseScoreResult = (value) => {
-	if (typeof value !== "object" || value === null) return null;
-	if (!("score" in value) || !("label" in value)) return null;
-	const scoreValue = Reflect.get(value, "score");
-	const labelValue = Reflect.get(value, "label");
-	if (typeof scoreValue !== "number" || typeof labelValue !== "string") return null;
-	return {
-		score: scoreValue,
-		label: labelValue
-	};
-};
+const RulePrioritySchema = Schema.Struct({
+	priority: Schema.NullOr(Schema.Number),
+	tier: Schema.Literals([
+		"P0",
+		"P1",
+		"P2",
+		"P3"
+	])
+});
+const ScoreApiResponseSchema = Schema.Struct({
+	score: Schema.Number,
+	label: Schema.String,
+	rules: Schema.optional(Schema.Record(Schema.String, RulePrioritySchema))
+});
+const parseScoreResult = (value) => Option.getOrNull(Schema.decodeUnknownOption(ScoreApiResponseSchema)(value));
 const stripFilePaths = (diagnostics) => diagnostics.map(({ filePath: _filePath, ...rest }) => rest);
 const isAbortError = (error) => error instanceof Error && (error.name === "AbortError" || error.name === "TimeoutError");
 const describeFailure = (error) => {
@@ -7559,6 +7717,6 @@ const cliLogger = {
 	}
 };
 //#endregion
-export { isMonorepoRoot as A, filterDiagnosticsForSurface as C, getDiffInfo as D, formatReactDoctorError as E, restoreLegacyThrow as F, runInspect as I, toRelativePath as L, layerOtlp as M, listWorkspacePackages as N, groupBy as O, resolveScanTarget as P, discoverReactSubprojects as S, formatErrorChain as T, Score as _, DeadCode as a, buildJsonReportError as b, LintPartialFailures as c, OXLINT_NODE_REQUIREMENT as d, Progress as f, SKILL_NAME as g, SHARE_BASE_URL as h, Config as i, isReactDoctorError as j, highlighter as k, Linter as l, Reporter as m, cli_logger_exports as n, Files as o, Project as p, CANONICAL_GITHUB_URL as r, Git as s, cliLogger as t, NodeResolver as u, StagedFiles as v, filterSourceFiles as w, buildRulePromptUrl as x, buildJsonReport as y };
+export { highlighter as A, discoverReactSubprojects as C, formatReactDoctorError as D, formatErrorChain as E, resolveScanTarget as F, restoreLegacyThrow as I, runInspect as L, isReactDoctorError as M, layerOtlp as N, getDiffInfo as O, listWorkspacePackages as P, toRelativePath as R, buildRulePromptUrl as S, filterSourceFiles as T, SKILL_NAME as _, DeadCode as a, buildJsonReport as b, Git as c, NodeResolver as d, OXLINT_NODE_REQUIREMENT as f, SHARE_BASE_URL as g, Reporter as h, Config as i, isMonorepoRoot as j, groupBy as k, LintPartialFailures as l, Project as m, cli_logger_exports as n, ENTERPRISE_CONTACT_URL as o, Progress as p, CANONICAL_GITHUB_URL as r, Files as s, cliLogger as t, Linter as u, Score as v, filterDiagnosticsForSurface as w, buildJsonReportError as x, StagedFiles as y };
-//# sourceMappingURL=cli-logger-CSZagq1E.js.map
+//# sourceMappingURL=cli-logger-BgVL1vBI.js.map

package/dist/cli.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { i as __toESM, n as __exportAll, r as __require, t as __commonJSMin } from "./rolldown-runtime-uZX_iqCz.js";
-import { A as isMonorepoRoot, C as filterDiagnosticsForSurface, D as getDiffInfo, E as formatReactDoctorError, F as restoreLegacyThrow, I as runInspect, L as toRelativePath, M as layerOtlp, N as listWorkspacePackages, O as groupBy, P as resolveScanTarget, S as discoverReactSubprojects, T as formatErrorChain, _ as Score, a as DeadCode, b as buildJsonReportError, c as LintPartialFailures, d as OXLINT_NODE_REQUIREMENT, f as Progress, g as SKILL_NAME, h as SHARE_BASE_URL, i as Config, j as isReactDoctorError, k as highlighter, l as Linter, m as Reporter, o as Files, p as Project, r as CANONICAL_GITHUB_URL, s as Git, t as cliLogger, u as NodeResolver, v as StagedFiles, w as filterSourceFiles, x as buildRulePromptUrl, y as buildJsonReport } from "./cli-logger-CSZagq1E.js";
+import { A as highlighter, C as discoverReactSubprojects, D as formatReactDoctorError, E as formatErrorChain, F as resolveScanTarget, I as restoreLegacyThrow, L as runInspect, M as isReactDoctorError, N as layerOtlp, O as getDiffInfo, P as listWorkspacePackages, R as toRelativePath, S as buildRulePromptUrl, T as filterSourceFiles, _ as SKILL_NAME, a as DeadCode, b as buildJsonReport, c as Git, d as NodeResolver, f as OXLINT_NODE_REQUIREMENT, g as SHARE_BASE_URL, h as Reporter, i as Config, j as isMonorepoRoot, k as groupBy, l as LintPartialFailures, m as Project, o as ENTERPRISE_CONTACT_URL, p as Progress, r as CANONICAL_GITHUB_URL, s as Files, t as cliLogger, u as Linter, v as Score, w as filterDiagnosticsForSurface, x as buildJsonReportError, y as StagedFiles } from "./cli-logger-BgVL1vBI.js";
 import { createRequire } from "node:module";
 import { execFileSync, execSync } from "node:child_process";
 import path, { join } from "node:path";
@@ -6161,6 +6161,12 @@ const makeNoopConsole = () => ({
 	warn: () => {}
 });
 //#endregion
+//#region src/cli/utils/build-no-score-message.ts
+const ENTERPRISE_CONTACT_HINT = `Want something custom to your company? Contact us at ${ENTERPRISE_CONTACT_URL}.`;
+const buildNoScoreMessage = (isScoreDisabled) => {
+	return `${isScoreDisabled ? "Score disabled by --no-score." : "Score unavailable (could not reach the score API)."} ${ENTERPRISE_CONTACT_HINT}`;
+};
+//#endregion
 //#region src/cli/utils/render-agent-guidance.ts
 const AGENT_GUIDANCE_LINES = [
 	"Treat React Doctor diagnostics as starting hypotheses. Read the relevant code before confirming or suppressing each finding.",
@@ -6192,7 +6198,22 @@ const SEVERITY_ORDER = {
 	warning: 1
 };
 const colorizeBySeverity = (text, severity) => severity === "error" ? highlighter.error(text) : highlighter.warn(text);
-const sortByImportance = (diagnosticGroups) => diagnosticGroups.toSorted(([, diagnosticsA], [, diagnosticsB]) => {
+const buildRulePriorityMap = (scores) => {
+	const rulePriority = /* @__PURE__ */ new Map();
+	for (const score of scores) {
+		if (!score?.rules) continue;
+		for (const [ruleKey, info] of Object.entries(score.rules)) if (typeof info.priority === "number") rulePriority.set(ruleKey, info.priority);
+	}
+	return rulePriority;
+};
+const effectivePriority = (ruleKey, diagnostics, rulePriority) => {
+	const known = rulePriority?.get(ruleKey);
+	if (known !== void 0) return known;
+	return diagnostics[0].severity === "error" ? 55 : 35;
+};
+const sortByImportance = (diagnosticGroups, rulePriority) => diagnosticGroups.toSorted(([ruleKeyA, diagnosticsA], [ruleKeyB, diagnosticsB]) => {
+	const priorityDelta = effectivePriority(ruleKeyB, diagnosticsB, rulePriority) - effectivePriority(ruleKeyA, diagnosticsA, rulePriority);
+	if (priorityDelta !== 0) return priorityDelta;
 	const severityDelta = SEVERITY_ORDER[diagnosticsA[0].severity] - SEVERITY_ORDER[diagnosticsB[0].severity];
 	if (severityDelta !== 0) return severityDelta;
 	return diagnosticsB.length - diagnosticsA.length;
@@ -6229,14 +6250,20 @@ const buildCompactRuleGroupLine = (ruleKey, ruleDiagnostics, ruleNameColumnWidth
 	return `  ${icon} ${siteCountBadge.length > 0 ? colorizeBySeverity(padRuleNameToColumn(ruleKey, ruleNameColumnWidth), firstDiagnostic.severity) : colorizeBySeverity(ruleKey, firstDiagnostic.severity)}${siteCountBadge.length > 0 ? ` ${highlighter.gray(siteCountBadge)}` : ""}`;
 };
 const getWorstSeverity = (diagnostics) => diagnostics.some((diagnostic) => diagnostic.severity === "error") ? "error" : "warning";
-const buildCategoryDiagnosticGroups = (diagnostics) => {
+const categoryTopPriority = (categoryGroup, rulePriority) => {
+	const [topRuleKey, topDiagnostics] = categoryGroup.ruleGroups[0];
+	return effectivePriority(topRuleKey, topDiagnostics, rulePriority);
+};
+const buildCategoryDiagnosticGroups = (diagnostics, rulePriority) => {
 	return [...groupBy(diagnostics, (diagnostic) => diagnostic.category).entries()].map(([category, categoryDiagnostics]) => {
 		return {
 			category,
 			diagnostics: categoryDiagnostics,
-			ruleGroups: sortByImportance([...groupBy(categoryDiagnostics, (diagnostic) => `${diagnostic.plugin}/${diagnostic.rule}`).entries()])
+			ruleGroups: sortByImportance([...groupBy(categoryDiagnostics, (diagnostic) => `${diagnostic.plugin}/${diagnostic.rule}`).entries()], rulePriority)
 		};
 	}).toSorted((categoryGroupA, categoryGroupB) => {
+		const priorityDelta = categoryTopPriority(categoryGroupB, rulePriority) - categoryTopPriority(categoryGroupA, rulePriority);
+		if (priorityDelta !== 0) return priorityDelta;
 		const severityDelta = SEVERITY_ORDER[getWorstSeverity(categoryGroupA.diagnostics)] - SEVERITY_ORDER[getWorstSeverity(categoryGroupB.diagnostics)];
 		if (severityDelta !== 0) return severityDelta;
 		if (categoryGroupA.diagnostics.length !== categoryGroupB.diagnostics.length) return categoryGroupB.diagnostics.length - categoryGroupA.diagnostics.length;
@@ -6267,8 +6294,8 @@ const buildVerboseRuleGroupLines = (ruleKey, ruleDiagnostics, ruleNameColumnWidt
 	lines.push("");
 	return lines;
 };
-const buildDefaultDiagnosticsLines = (diagnostics) => {
-	const categoryGroups = buildCategoryDiagnosticGroups(diagnostics);
+const buildDefaultDiagnosticsLines = (diagnostics, rulePriority) => {
+	const categoryGroups = buildCategoryDiagnosticGroups(diagnostics, rulePriority);
 	const lines = [];
 	for (const categoryGroup of categoryGroups) lines.push(buildCompactCategoryLine(categoryGroup));
 	lines.push("");
@@ -6280,11 +6307,11 @@ const buildDefaultDiagnosticsLines = (diagnostics) => {
 * single Effect.forEach over Console.log so failures or fiber
 * interruption produce predictable partial output.
 */
-const printDiagnostics = (diagnostics, isVerbose, rootDirectory) => Effect.gen(function* () {
+const printDiagnostics = (diagnostics, isVerbose, rootDirectory, rulePriority) => Effect.gen(function* () {
 	let lines;
-	if (!isVerbose) lines = buildDefaultDiagnosticsLines(diagnostics);
+	if (!isVerbose) lines = buildDefaultDiagnosticsLines(diagnostics, rulePriority);
 	else {
-		const sortedRuleGroups = sortByImportance([...groupBy(diagnostics, (diagnostic) => `${diagnostic.plugin}/${diagnostic.rule}`).entries()]);
+		const sortedRuleGroups = sortByImportance([...groupBy(diagnostics, (diagnostic) => `${diagnostic.plugin}/${diagnostic.rule}`).entries()], rulePriority);
 		const ruleNameColumnWidth = computeRuleNameColumnWidth(sortedRuleGroups.map(([ruleKey]) => ruleKey));
 		lines = sortedRuleGroups.flatMap(([ruleKey, ruleDiagnostics]) => buildVerboseRuleGroupLines(ruleKey, ruleDiagnostics, ruleNameColumnWidth));
 	}
@@ -6580,6 +6607,7 @@ const shouldSelectAllChoices = (choiceStates) => {
 //#endregion
 //#region src/cli/utils/unref-stdin.ts
 const unrefStdin = () => {
+	if (process.stdin.isTTY) return;
 	process.stdin.unref?.();
 };
 //#endregion
@@ -6679,7 +6707,7 @@ const resolveOxlintNodeEffect = (isLintEnabled, isQuiet) => Effect.gen(function*
 const resolveOxlintNode = (isLintEnabled, isQuiet) => Effect.runPromise(resolveOxlintNodeEffect(isLintEnabled, isQuiet).pipe(Effect.provide(NodeResolver.layerNode)));
 //#endregion
 //#region src/cli/utils/version.ts
-const VERSION = "0.2.13-dev.adbec28";
+const VERSION = "0.2.14-dev.3ceb748";
 //#endregion
 //#region src/inspect.ts
 const silentConsole = makeNoopConsole();
@@ -6803,7 +6831,7 @@ const finalizeAndRender = (input) => Effect.gen(function* () {
 	if (didLintFail) skippedChecks.push("lint");
 	if (didDeadCodeFail) skippedChecks.push("dead-code");
 	const hasSkippedChecks = skippedChecks.length > 0;
-	const noScoreMessage = options.noScore ? "Score disabled by --no-score." : "Score unavailable (could not reach the score API).";
+	const noScoreMessage = buildNoScoreMessage(options.noScore);
 	const skippedCheckReasons = {};
 	if (didLintFail && lintFailureReason !== null) skippedCheckReasons.lint = lintFailureReason;
 	else if (lintPartialFailures.length > 0) skippedCheckReasons["lint:partial"] = lintPartialFailures.join("; ");
@@ -6840,7 +6868,7 @@ const finalizeAndRender = (input) => Effect.gen(function* () {
 		return buildResult();
 	}
 	yield* Console.log("");
-	yield* printDiagnostics([...surfaceDiagnostics], options.verbose, directory);
+	yield* printDiagnostics([...surfaceDiagnostics], options.verbose, directory, buildRulePriorityMap([score]));
 	if (options.isNonInteractiveEnvironment && options.outputSurface !== "prComment") yield* printAgentGuidance();
 	if (demotedDiagnosticCount > 0) {
 		yield* Console.log(highlighter.gray(`  ${demotedDiagnosticCount} demoted from the ${options.outputSurface} surface (e.g. design cleanup) — run \`npx react-doctor@latest .\` locally for the full list.`));
@@ -7229,7 +7257,7 @@ const printMultiProjectSummary = (input) => Effect.gen(function* () {
 	const surfaceDiagnostics = filterDiagnosticsForSurface(completedScans.flatMap((scan) => scan.result.diagnostics), "cli", userConfig);
 	if (surfaceDiagnostics.length > 0) {
 		yield* Console.log("");
-		yield* printDiagnostics(surfaceDiagnostics, verbose, "");
+		yield* printDiagnostics(surfaceDiagnostics, verbose, "", buildRulePriorityMap(completedScans.map((scan) => scan.result.score)));
 	}
 	const aggregateScore = computeAggregateScore(completedScans);
 	const totalSourceFileCount = completedScans.reduce((sum, scan) => sum + scan.result.project.sourceFileCount, 0);
@@ -7500,7 +7528,7 @@ const warnSetupPromptFailure = async (options, error) => {
 		return;
 	}
 	try {
-		const { cliLogger } = await import("./cli-logger-CSZagq1E.js").then((n) => n.n);
+		const { cliLogger } = await import("./cli-logger-BgVL1vBI.js").then((n) => n.n);
 		cliLogger.warn(message);
 	} catch {}
 };

package/dist/index.d.ts CHANGED Viewed

@@ -20,9 +20,9 @@ interface ReactDoctorIgnoreConfig {
  * locally but excluded from PR comments, the score, or the CI gate:
  *
  * - `cli` — local terminal output from `react-doctor` (`printDiagnostics`).
- * - `prComment` — output captured by the GitHub Action for the sticky
- *   PR comment. Enabled when the CLI is run with `--pr-comment` (the
- *   action sets this automatically when `github-token` is provided).
+ * - `prComment` — diagnostics destined for a sticky pull-request
+ *   summary comment. Selected by running the CLI with `--pr-comment`
+ *   (sets `outputSurface: "prComment"`).
  * - `score` — diagnostics shipped to the React Doctor score API
  *   (or counted toward local score calculations).
  * - `ciFailure` — diagnostics that count toward the `--fail-on` exit
@@ -349,9 +349,15 @@ interface ProjectInfo {
 }
 //#endregion
 //#region src/types/score.d.ts
+type RuleTier = "P0" | "P1" | "P2" | "P3";
+interface RulePriority {
+  readonly priority: number | null;
+  readonly tier: RuleTier;
+}
 interface ScoreResult {
   score: number;
   label: string;
+  readonly rules?: Readonly<Record<string, RulePriority>>;
 } //#endregion
 //#region src/types/diagnose.d.ts
 interface DiagnoseOptions {

package/dist/index.js CHANGED Viewed

@@ -5939,6 +5939,149 @@ const appendReanimatedSharedValueHint = (help, rule, project) => {
 	if (!help) return REANIMATED_SHARED_VALUE_HINT;
 	return `${help}\n\n${REANIMATED_SHARED_VALUE_HINT}`;
 };
+const REDACTED_PLACEHOLDER = "<redacted>";
+const KEEP_PREFIX = `$1${REDACTED_PLACEHOLDER}`;
+const KNOWN_SECRET_RULES = [
+	{
+		pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /(?<=:\/\/)[^\s/:@]+:[^\s/@]+(?=@)/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b(AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA|A3T[A-Z0-9])[0-9A-Z]{16,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(gh[pousr]_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(github_pat_)[A-Za-z0-9_]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(glpat-)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(xox[baprs]-)[A-Za-z0-9-]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=hooks\.slack\.com\/services\/)[A-Za-z0-9/+_-]{20,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b((?:sk|rk)_(?:live|test)_)[0-9A-Za-z]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sk-(?:proj-|ant-)?)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(AIza)[0-9A-Za-z_-]{35,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(ya29\.)[0-9A-Za-z_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(npm_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SG\.)[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{43,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SK)[0-9a-fA-F]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(dop_v1_)[a-f0-9]{64,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(shp(?:at|ca|pa|ss)_)[a-fA-F0-9]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sq0[a-z]{3}-)[0-9A-Za-z_-]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b([0-9]{8,10}:AA)[0-9A-Za-z_-]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=\bBearer\s)[A-Za-z0-9._~+/=-]{16,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+		replacement: REDACTED_PLACEHOLDER
+	}
+];
+const CANDIDATE_TOKEN_PATTERN = /[A-Za-z0-9_][A-Za-z0-9_-]*/g;
+const GIT_OBJECT_ID_PATTERN = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const HAS_LETTER_PATTERN = /[A-Za-z]/;
+const HAS_DIGIT_PATTERN = /[0-9]/;
+const shannonEntropyBits = (value) => {
+	const counts = /* @__PURE__ */ new Map();
+	for (const char of value) counts.set(char, (counts.get(char) ?? 0) + 1);
+	let bits = 0;
+	for (const count of counts.values()) {
+		const probability = count / value.length;
+		bits -= probability * Math.log2(probability);
+	}
+	return bits;
+};
+const looksLikeHighEntropySecret = (token) => {
+	if (token.length < 32) return false;
+	if (!HAS_LETTER_PATTERN.test(token) || !HAS_DIGIT_PATTERN.test(token)) return false;
+	if (GIT_OBJECT_ID_PATTERN.test(token) || UUID_PATTERN.test(token)) return false;
+	return shannonEntropyBits(token) >= 3;
+};
+const redactHighEntropyTokens = (text) => text.replace(CANDIDATE_TOKEN_PATTERN, (token) => looksLikeHighEntropySecret(token) ? REDACTED_PLACEHOLDER : token);
+/**
+* Masks API keys, tokens, private keys, credentialed URLs, and emails
+* found anywhere inside a free-text string, returning the scrubbed text.
+* Applied to every diagnostic's `message` / `help` at construction time
+* so secrets never reach the terminal, the JSON report, or the score
+* API — react-doctor must never echo or transmit a user's secrets.
+*
+* Provider tokens keep their non-secret, type-identifying prefix (e.g.
+* `sk_live_<redacted>`, `ghp_<redacted>`, `AKIA<redacted>`) so the leaked
+* credential's type stays visible; structural or unknown-format secrets
+* with no meaningful prefix are masked whole.
+*
+* Runs the high-precision known-shape detectors first, then a generic
+* entropy-gated sweep for unknown-format secrets. Idempotent: the inert
+* `<redacted>` placeholder matches none of the detectors and is too
+* short for the generic sweep, so re-running leaves the text unchanged.
+*
+* Accepts `unknown` on purpose: callers feed it diagnostic `message` /
+* `help` that originate from oxlint JSON, which is only shape-checked at
+* the top level (the per-field `string` types are assumed, not validated).
+* A malformed non-string value returns `""` instead of throwing on
+* `.replace`, so one bad diagnostic can't abort parsing the whole batch.
+*/
+const redactSensitiveText = (text) => {
+	if (typeof text !== "string" || text === "") return "";
+	let redacted = text;
+	for (const rule of KNOWN_SECRET_RULES) redacted = redacted.replace(rule.pattern, rule.replacement);
+	return redactHighEntropyTokens(redacted);
+};
 const REACT_MODULE_SOURCE = "react";
 const REQUIRE_IDENTIFIER = "require";
 const USE_IDENTIFIER = "use";
@@ -6260,6 +6403,13 @@ const getRuleRecommendation = (ruleName, project) => {
 };
 const getRuleCategory = (ruleName) => reactDoctorPlugin.rules[ruleName]?.category;
 const cleanDiagnosticMessage = (message, help, plugin, rule, project) => {
+	const cleaned = resolveCleanedDiagnostic(typeof message === "string" ? message : "", typeof help === "string" ? help : "", plugin, rule, project);
+	return {
+		message: redactSensitiveText(cleaned.message),
+		help: redactSensitiveText(cleaned.help)
+	};
+};
+const resolveCleanedDiagnostic = (message, help, plugin, rule, project) => {
 	if (plugin === "react-hooks-js") return {
 		message: REACT_COMPILER_MESSAGE,
 		help: appendReanimatedSharedValueHint(message.replace(FILEPATH_WITH_LOCATION_PATTERN, "").trim() || help, rule, project)
@@ -6464,11 +6614,14 @@ const spawnLintBatches = async (input) => {
 				onFileProgress(scannedFileCount + batchFileIndex, totalFileCount);
 			}
 		}, 50) : null;
-		const batchDiagnostics = await spawnLintBatch(batch);
-		if (progressInterval !== null) clearInterval(progressInterval);
-		allDiagnostics.push(...batchDiagnostics);
-		scannedFileCount += batch.length;
-		onFileProgress?.(scannedFileCount, totalFileCount);
+		try {
+			const batchDiagnostics = await spawnLintBatch(batch);
+			allDiagnostics.push(...batchDiagnostics);
+			scannedFileCount += batch.length;
+			onFileProgress?.(scannedFileCount, totalFileCount);
+		} finally {
+			if (progressInterval !== null) clearInterval(progressInterval);
+		}
 	}
 	if (droppedFiles.length > 0 && onPartialFailure) {
 		const previewFiles = droppedFiles.slice(0, 3).join(", ");
@@ -6817,17 +6970,21 @@ var Reporter = class Reporter extends Context.Service()("react-doctor/Reporter")
 		});
 	}));
 };
-const parseScoreResult = (value) => {
-	if (typeof value !== "object" || value === null) return null;
-	if (!("score" in value) || !("label" in value)) return null;
-	const scoreValue = Reflect.get(value, "score");
-	const labelValue = Reflect.get(value, "label");
-	if (typeof scoreValue !== "number" || typeof labelValue !== "string") return null;
-	return {
-		score: scoreValue,
-		label: labelValue
-	};
-};
+const RulePrioritySchema = Schema.Struct({
+	priority: Schema.NullOr(Schema.Number),
+	tier: Schema.Literals([
+		"P0",
+		"P1",
+		"P2",
+		"P3"
+	])
+});
+const ScoreApiResponseSchema = Schema.Struct({
+	score: Schema.Number,
+	label: Schema.String,
+	rules: Schema.optional(Schema.Record(Schema.String, RulePrioritySchema))
+});
+const parseScoreResult = (value) => Option.getOrNull(Schema.decodeUnknownOption(ScoreApiResponseSchema)(value));
 const stripFilePaths = (diagnostics) => diagnostics.map(({ filePath: _filePath, ...rest }) => rest);
 const isAbortError = (error) => error instanceof Error && (error.name === "AbortError" || error.name === "TimeoutError");
 const describeFailure = (error) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "react-doctor",
-  "version": "0.2.13-dev.adbec28",
+  "version": "0.2.14-dev.3ceb748",
   "description": "Diagnose and fix React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",
@@ -52,20 +52,20 @@
     "@effect/platform-node-shared": "4.0.0-beta.70",
     "agent-install": "0.0.5",
     "conf": "^15.1.0",
-    "deslop-js": "^0.0.13",
+    "deslop-js": "^0.0.14",
     "effect": "4.0.0-beta.70",
     "eslint-plugin-react-hooks": "^7.1.1",
     "oxlint": "^1.66.0",
     "prompts": "^2.4.2",
     "typescript": ">=5.0.4 <7",
-    "oxlint-plugin-react-doctor": "0.2.13-dev.adbec28"
+    "oxlint-plugin-react-doctor": "0.2.14-dev.3ceb748"
   },
   "devDependencies": {
     "@types/prompts": "^2.4.9",
     "commander": "^14.0.3",
     "ora": "^9.4.0",
-    "@react-doctor/api": "0.2.13",
-    "@react-doctor/core": "0.2.13"
+    "@react-doctor/api": "0.2.14",
+    "@react-doctor/core": "0.2.14"
   },
   "engines": {
     "node": "^20.19.0 || >=22.12.0"