semlint-cli 0.1.5 → 0.1.7

package/.semlint/rules/SEMLINT_NAMING_001.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_NAMING_001",
+  "title": "Ambient naming convention consistency",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(const|let|var|function|class|interface|type|enum)\\b",
+    "^[+-].*\\b[A-Za-z_][A-Za-z0-9_]*\\b"
+  ],
+  "prompt": "Verify naming is consistent with the ambient naming conventions already used in surrounding code. Both in term of semantic and casing."
+}

package/.semlint/rules/SEMLINT_PATTERN_002.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_PATTERN_002",
+  "title": "Ambient pattern is respected",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(async|await|Promise|try|catch|throw|switch|map|filter|reduce|forEach)\\b",
+    "^[+-].*\\b(import|export|class|interface|type|function|return)\\b"
+  ],
+  "prompt": "Check whether ambient implementation patterns are respected. Compare new or changed code against nearby established patterns. Flag clear regressions where the proposed change deviates from consistent local patterns without obvious justification."
+}

package/.semlint/rules/SEMLINT_SWE_003.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_SWE_003",
+  "title": "Obvious SWE mistakes",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(any|as\\s+any|TODO|FIXME|console\\.log|@ts-ignore|throw\\s+new\\s+Error|catch\\s*\\()\\b",
+    "^[+-].*\\b(if|else|switch|return|await|Promise|map|forEach|reduce)\\b"
+  ],
+  "prompt": "Find obvious software-engineering mistakes in the proposed change that are likely unintended. Do not nitpick style or architecture unless the issue is clearly harmful. Report only high-signal findings."
+}

package/README.md

@@ -1,5 +1,13 @@
 # Semlint CLI MVP
 
+## Motivation
+
+Upstream instruction files (`AGENTS.md`, `CURSOR.md`, etc.) are the standard way to guide coding agents — but a [recent study (Gloaguen et al., 2026)](https://arxiv.org/abs/2602.11988) found that such context files tend to *reduce* task success rates compared to providing no context at all, while increasing inference cost by over 20%. The root cause: agents respect the instructions, but unnecessary or over-specified requirements make tasks harder, with no feedback mechanism to catch when rules are ignored or misapplied.
+
+Semlint takes a different approach. Instead of providing guidance upfront and hoping for the best, rules are enforced *after the fact* as a lint pass on the diff — giving agents a deterministic red/green signal and closing the feedback loop.
+
+---
+
 Semlint is a deterministic semantic lint CLI that:
 
 - reads a git diff,
@@ -75,7 +83,6 @@ Unknown fields are ignored.
 ```json
 {
   "backend": "cursor-cli",
-  "model": "auto",
   "budgets": {
     "timeout_ms": 120000
   },
@@ -85,15 +92,23 @@ Unknown fields are ignored.
   "execution": {
     "batch": false
   },
+  "security": {
+    "secret_guard": true,
+    "allow_patterns": [],
+    "allow_files": [],
+    "ignore_files": [".gitignore", ".cursorignore", ".semlintignore", ".cursoringore"]
+  },
   "rules": {
-    "disable": ["SEMLINT_EXAMPLE_001"],
+    "disable": [],
     "severity_overrides": {
       "SEMLINT_API_001": "error"
     }
   },
   "backends": {
     "cursor-cli": {
-      "executable": "agent"
+      "executable": "cursor",
+      "model": "auto",
+      "args": ["agent", "{prompt}", "--model", "{model}", "--print", "--mode", "ask", "--output-format", "text"]
     }
   }
 }
@@ -115,11 +130,11 @@ This creates `./semlint.json` and auto-detects installed coding agent CLIs in th
 
 If no known CLI is detected, Semlint falls back to `cursor-cli` + executable `cursor`.
 
-Use `semlint init --force` to overwrite an existing config file. Init also creates `.semlint/rules/` and a starter rule `SEMLINT_EXAMPLE_001.json` (with a placeholder title and prompt) if they do not exist.
+Use `semlint init --force` to overwrite an existing config file. Init also creates `.semlint/rules/` and copies the bundled Semlint rule files into it.
 
 ## Rule files
 
-Rule JSON files are loaded from `.semlint/rules/`. Run `semlint init` to create this folder and an example rule you can edit.
+Rule JSON files are loaded from `.semlint/rules/`. Run `semlint init` to create this folder and copy bundled rules into it.
 
 Required fields:
 
@@ -138,16 +153,32 @@ Invalid rules cause runtime failure with exit code `2`.
 
 ## Backend contract
 
-For backend `cursor-cli`, Semlint executes:
+Semlint is fully config-driven at runtime. For the selected `backend`, it executes:
 
-```bash
-cursor agent "<prompt>" --model <model> --print --output-format text
-```
+- `backends.<backend>.executable` as the binary
+- `backends.<backend>.model` as the backend-specific model (unless `--model` is passed)
+- `backends.<backend>.args` as the argument template
+
+`args` supports placeholder tokens:
+
+- `{prompt}`: replaced with the generated prompt
+- `{model}`: replaced with the configured model
 
-For `cursor-cli`, Semlint always uses `cursor agent` directly.
-Other backend names still resolve executables from config:
+Placeholders are exact-match substitutions on whole args. Backends must be fully configured in `semlint.json`; there are no runtime fallbacks.
 
-- `backends.<backend>.executable` if provided
+Example:
+
+```json
+{
+  "backends": {
+    "cursor-cli": {
+      "executable": "cursor",
+      "model": "auto",
+      "args": ["agent", "{prompt}", "--model", "{model}", "--print", "--mode", "ask", "--output-format", "text"]
+    }
+  }
+}
+```
 
 Backend stdout must be valid JSON with shape:
 
@@ -168,6 +199,44 @@ Backend stdout must be valid JSON with shape:
 If parsing fails, Semlint retries once with appended instruction:
 `Return valid JSON only.`
 
+If backend execution still fails and Semlint is running in an interactive terminal (TTY), it automatically performs one interactive passthrough run so you can satisfy backend setup prompts (for example auth/workspace trust), then retries machine parsing once.
+
+## Secret guard
+
+Semlint uses a fail-closed secret guard before any backend call:
+
+- Filters diff chunks using path ignore rules from `.gitignore`, `.cursorignore`, `.semlintignore`
+- Applies additional built-in sensitive path deny patterns (`.env*`, key files, secrets/credentials folders)
+- Scans added diff lines for high-signal secret keywords and token prefixes (password/token/api key/private key/JWT/provider key prefixes)
+- If any potential secrets are found, Semlint exits with code `2` and sends nothing to the backend
+
+Config:
+
+```json
+{
+  "security": {
+    "secret_guard": true,
+    "allow_patterns": [],
+    "allow_files": [],
+    "ignore_files": [".gitignore", ".cursorignore", ".semlintignore", ".cursoringore"]
+  }
+}
+```
+
+- `secret_guard`: enable/disable secret blocking (default `true`)
+- `allow_patterns`: regex list to suppress known-safe fixtures from triggering the guard
+- `allow_files`: file glob allowlist to skip secret scanning for known-safe files (example: `["src/test-fixtures/**"]`)
+- `ignore_files`: ignore files Semlint reads for path-level filtering (default: `.gitignore`, `.cursorignore`, `.semlintignore`, `.cursoringore`)
+
+## Prompt files
+
+Core system prompts are externalized under `prompts/` so prompt behavior is easy to inspect and iterate:
+
+- `prompts/common-contract.md`: shared output schema and base rules used by both modes
+- `prompts/rule.md`: single-rule evaluation prompt
+- `prompts/batch.md`: batch evaluation prompt
+- `prompts/retry-json.md`: strict JSON retry instruction
+
 ## Batch mode
 
 Use batch mode to reduce cost by evaluating all runnable rules in a single backend call:

package/dist/adapters.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BUILTIN_ADAPTERS = void 0;
+exports.BUILTIN_ADAPTERS = {
+    "cursor-cli": {
+        defaultExecutable: "cursor",
+        buildArgs: (prompt, model) => [
+            "agent",
+            prompt,
+            "--model",
+            model,
+            "--print",
+            "--mode",
+            "ask",
+            "--output-format",
+            "text"
+        ]
+    },
+    "claude-code": {
+        defaultExecutable: "claude",
+        buildArgs: (prompt, model) => [prompt, "--model", model, "--output-format", "json"]
+    },
+    "codex-cli": {
+        defaultExecutable: "codex",
+        buildArgs: (prompt, model) => [prompt, "--model", model]
+    }
+};

package/dist/backend.js

@@ -2,34 +2,39 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createBackendRunner = createBackendRunner;
 const node_child_process_1 = require("node:child_process");
-const STRICT_JSON_RETRY_INSTRUCTION = [
-    "Return valid JSON only.",
-    "Do not include markdown fences.",
-    "Do not include commentary, headings, or any text before/after JSON.",
-    "The first character of your response must be '{' and the last must be '}'.",
-    'Output must match: {"diagnostics":[{"rule_id":"<id>","severity":"error|warn|info","message":"<text>","file":"<path>","line":1}]}'
-].join(" ");
+const prompts_1 = require("./prompts");
+const utils_1 = require("./utils");
+const STRICT_JSON_RETRY_INSTRUCTION = (0, prompts_1.getStrictJsonRetryInstruction)();
 function isEnoentError(error) {
     return (typeof error === "object" &&
         error !== null &&
         "code" in error &&
         error.code === "ENOENT");
 }
-function debugLog(enabled, message) {
-    if (enabled) {
-        process.stderr.write(`[debug] ${message}\n`);
-    }
+function logBackendCommand(label, executable, args, prompt) {
+    const printableParts = [executable, ...args.map((arg) => (arg === prompt ? "<prompt-redacted>" : arg))];
+    process.stderr.write(`[semlint] ${label}: ${printableParts.join(" ")}\n`);
 }
 function resolveCommandSpecs(config) {
-    if (config.backend === "cursor-cli") {
-        // Always use `cursor agent` directly for cursor-cli.
-        return [{ executable: "cursor", argsPrefix: ["agent"] }];
-    }
-    const configuredExecutable = config.backendExecutables[config.backend];
-    if (!configuredExecutable) {
-        throw new Error(`No executable configured for backend "${config.backend}". Configure it under backends.${config.backend}.executable`);
+    const configuredBackend = config.backendConfigs[config.backend];
+    if (!configuredBackend) {
+        throw new Error(`Backend "${config.backend}" is not configured. Add it under backends.${config.backend} in semlint.json (run "semlint init" to scaffold a complete config).`);
     }
-    return [{ executable: configuredExecutable, argsPrefix: [] }];
+    return [
+        {
+            executable: configuredBackend.executable,
+            args: configuredBackend.args
+        }
+    ];
+}
+function interpolateArgs(args, prompt, model) {
+    return args.map((arg) => {
+        if (arg === "{prompt}")
+            return prompt;
+        if (arg === "{model}")
+            return model;
+        return arg;
+    });
 }
 function executeBackendCommand(executable, args, timeoutMs) {
     return new Promise((resolve, reject) => {
@@ -68,6 +73,26 @@ function executeBackendCommand(executable, args, timeoutMs) {
         });
     });
 }
+function executeBackendCommandInteractive(executable, args) {
+    return new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)(executable, args, {
+            stdio: "inherit"
+        });
+        child.on("error", (error) => {
+            reject(error);
+        });
+        child.on("close", (code) => {
+            if (code !== 0) {
+                reject(new Error(`Interactive backend command failed with code ${code}`));
+                return;
+            }
+            resolve();
+        });
+    });
+}
+function canUseInteractiveRecovery() {
+    return Boolean(process.stdin.isTTY && process.stdout.isTTY && process.stderr.isTTY);
+}
 function extractFirstJsonObject(raw) {
     let start = -1;
     let depth = 0;
@@ -137,62 +162,73 @@ function parseBackendResult(raw) {
 }
 function createBackendRunner(config) {
     const commandSpecs = resolveCommandSpecs(config);
+    async function runWithRetry(spec, input) {
+        const commandName = spec.executable;
+        const firstPrompt = input.prompt;
+        const firstArgs = interpolateArgs(spec.args, firstPrompt, config.model);
+        let interactiveRecoveryAttempted = false;
+        try {
+            if (config.debug) {
+                logBackendCommand(`${input.label} attempt 1`, spec.executable, firstArgs, firstPrompt);
+            }
+            (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 1 via "${commandName}" (timeout ${input.timeoutMs}ms)`);
+            const first = await executeBackendCommand(spec.executable, firstArgs, input.timeoutMs);
+            (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 1 completed in ${first.elapsedMs}ms`);
+            return parseBackendResult(first.stdout.trim());
+        }
+        catch (firstError) {
+            (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 1 failed (${firstError instanceof Error ? firstError.message : String(firstError)})`);
+            const retryPrompt = `${input.prompt}\n\n${STRICT_JSON_RETRY_INSTRUCTION}`;
+            const retryArgs = interpolateArgs(spec.args, retryPrompt, config.model);
+            try {
+                if (config.debug) {
+                    logBackendCommand(`${input.label} attempt 2`, spec.executable, retryArgs, retryPrompt);
+                }
+                (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 2 via "${commandName}" (timeout ${input.timeoutMs}ms)`);
+                const second = await executeBackendCommand(spec.executable, retryArgs, input.timeoutMs);
+                (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 2 completed in ${second.elapsedMs}ms`);
+                return parseBackendResult(second.stdout.trim());
+            }
+            catch (secondError) {
+                (0, utils_1.debugLog)(config.debug, `${input.label}: backend attempt 2 failed (${secondError instanceof Error ? secondError.message : String(secondError)})`);
+                if (!interactiveRecoveryAttempted &&
+                    !isEnoentError(firstError) &&
+                    !isEnoentError(secondError) &&
+                    canUseInteractiveRecovery()) {
+                    interactiveRecoveryAttempted = true;
+                    process.stderr.write("[semlint] Backend requires interactive setup. Switching to interactive passthrough once...\n");
+                    await executeBackendCommandInteractive(spec.executable, firstArgs);
+                    (0, utils_1.debugLog)(config.debug, `${input.label}: interactive setup completed; retrying backend in machine mode`);
+                    const recovered = await executeBackendCommand(spec.executable, firstArgs, input.timeoutMs);
+                    return parseBackendResult(recovered.stdout.trim());
+                }
+                if (isEnoentError(secondError) || isEnoentError(firstError)) {
+                    return null;
+                }
+                throw firstError;
+            }
+        }
+    }
     return {
         async runPrompt(input) {
             let lastError;
             for (const spec of commandSpecs) {
-                const commandName = [spec.executable, ...spec.argsPrefix].join(" ");
-                const baseArgs = [
-                    ...spec.argsPrefix,
-                    input.prompt,
-                    "--model",
-                    config.model,
-                    "--print",
-                    "--mode",
-                    "ask",
-                    "--output-format",
-                    "text"
-                ];
                 try {
-                    debugLog(config.debug, `${input.label}: backend attempt 1 via "${commandName}" (timeout ${input.timeoutMs}ms)`);
-                    const first = await executeBackendCommand(spec.executable, baseArgs, input.timeoutMs);
-                    debugLog(config.debug, `${input.label}: backend attempt 1 completed in ${first.elapsedMs}ms`);
-                    return parseBackendResult(first.stdout.trim());
-                }
-                catch (firstError) {
-                    debugLog(config.debug, `${input.label}: backend attempt 1 failed (${firstError instanceof Error ? firstError.message : String(firstError)})`);
-                    const retryPrompt = `${input.prompt}\n\n${STRICT_JSON_RETRY_INSTRUCTION}`;
-                    const retryArgs = [
-                        ...spec.argsPrefix,
-                        retryPrompt,
-                        "--model",
-                        config.model,
-                        "--print",
-                        "--mode",
-                        "ask",
-                        "--output-format",
-                        "text"
-                    ];
-                    try {
-                        debugLog(config.debug, `${input.label}: backend attempt 2 via "${commandName}" (timeout ${input.timeoutMs}ms)`);
-                        const second = await executeBackendCommand(spec.executable, retryArgs, input.timeoutMs);
-                        debugLog(config.debug, `${input.label}: backend attempt 2 completed in ${second.elapsedMs}ms`);
-                        return parseBackendResult(second.stdout.trim());
-                    }
-                    catch (secondError) {
-                        debugLog(config.debug, `${input.label}: backend attempt 2 failed (${secondError instanceof Error ? secondError.message : String(secondError)})`);
-                        lastError = secondError;
-                        if (isEnoentError(secondError)) {
-                            continue;
-                        }
-                        if (isEnoentError(firstError)) {
-                            continue;
-                        }
-                        throw firstError;
+                    const result = await runWithRetry(spec, input);
+                    if (result) {
+                        return result;
                     }
+                    continue;
                 }
+                catch (error) {
+                    lastError = error;
+                    throw error;
+                }
+            }
+            if (lastError) {
+                throw lastError instanceof Error ? lastError : new Error(String(lastError));
             }
-            throw lastError instanceof Error ? lastError : new Error(String(lastError));
+            throw new Error(`No backend command could be executed for "${config.backend}"`);
         },
         async runRule(input) {
             return this.runPrompt({

package/dist/config.js

@@ -7,7 +7,7 @@ exports.resolveConfigPath = resolveConfigPath;
 exports.loadEffectiveConfig = loadEffectiveConfig;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
-const VALID_SEVERITIES = new Set(["error", "warn", "info"]);
+const utils_1 = require("./utils");
 const DEFAULTS = {
     backend: "cursor-cli",
     model: "auto",
@@ -20,8 +20,12 @@ const DEFAULTS = {
     batchMode: false,
     rulesDisable: [],
     severityOverrides: {},
-    backendExecutables: {
-        "cursor-cli": "cursor"
+    backendConfigs: {},
+    security: {
+        secretGuard: true,
+        allowPatterns: [],
+        ignoreFiles: [".gitignore", ".cursorignore", ".semlintignore"],
+        allowFiles: []
     }
 };
 function readJsonIfExists(filePath) {
@@ -54,39 +58,96 @@ function sanitizeSeverityOverrides(value) {
     if (!value) {
         return {};
     }
-    const out = {};
-    for (const [ruleId, severity] of Object.entries(value)) {
-        if (typeof severity === "string" && VALID_SEVERITIES.has(severity)) {
-            out[ruleId] = severity;
+    return Object.fromEntries(Object.entries(value).flatMap(([ruleId, severity]) => typeof severity === "string" && utils_1.VALID_SEVERITIES.has(severity)
+        ? [[ruleId, severity]]
+        : []));
+}
+function sanitizeBackendConfigs(value) {
+    if (!value) {
+        return {};
+    }
+    return Object.fromEntries(Object.entries(value).flatMap(([name, candidate]) => {
+        if (typeof candidate !== "object" || candidate === null) {
+            return [];
+        }
+        const executable = "executable" in candidate && typeof candidate.executable === "string"
+            ? candidate.executable.trim()
+            : "";
+        const args = "args" in candidate ? candidate.args : undefined;
+        const model = "model" in candidate && typeof candidate.model === "string"
+            ? candidate.model.trim()
+            : undefined;
+        if (!executable || !Array.isArray(args) || args.some((arg) => typeof arg !== "string")) {
+            return [];
+        }
+        const normalizedArgs = args;
+        if (!normalizedArgs.includes("{prompt}")) {
+            return [];
+        }
+        return [[name, { executable, args: normalizedArgs, model: model && model !== "" ? model : undefined }]];
+    }));
+}
+function sanitizeAllowPatterns(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string" || candidate.trim() === "") {
+            return [];
         }
+        try {
+            new RegExp(candidate);
+            return [candidate];
+        }
+        catch {
+            return [];
+        }
+    });
+}
+function sanitizeIgnoreFiles(value) {
+    if (!Array.isArray(value)) {
+        return [...DEFAULTS.security.ignoreFiles];
     }
-    return out;
+    const normalized = value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const trimmed = candidate.trim();
+        if (trimmed === "") {
+            return [];
+        }
+        return [trimmed];
+    });
+    return normalized.length > 0 ? normalized : [...DEFAULTS.security.ignoreFiles];
 }
-function sanitizeBackendExecutables(value) {
-    const out = {
-        ...DEFAULTS.backendExecutables
-    };
-    if (!value) {
-        return out;
+function sanitizeAllowFiles(value) {
+    if (!Array.isArray(value)) {
+        return [];
     }
-    for (const [name, candidate] of Object.entries(value)) {
-        if (typeof candidate === "object" &&
-            candidate !== null &&
-            "executable" in candidate &&
-            typeof candidate.executable === "string" &&
-            candidate.executable.trim() !== "") {
-            out[name] = candidate.executable.trim();
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
         }
+        const trimmed = candidate.trim();
+        return trimmed === "" ? [] : [trimmed];
+    });
+}
+function ensureSelectedBackendIsConfigured(backend, backendConfigs) {
+    if (!(backend in backendConfigs)) {
+        throw new Error(`Backend "${backend}" is not configured. Add it under backends.${backend} with executable and args (including "{prompt}") in semlint.json.`);
     }
-    return out;
 }
 function loadEffectiveConfig(options) {
     const configPath = resolveConfigPath(options.configPath);
     const parsed = configPath ? readJsonIfExists(configPath) : undefined;
     const fileConfig = (parsed ?? {});
+    const backend = options.backend ?? fileConfig.backend ?? DEFAULTS.backend;
+    const backendConfigs = sanitizeBackendConfigs((fileConfig.backends ?? undefined));
+    ensureSelectedBackendIsConfigured(backend, backendConfigs);
+    const backendModel = backendConfigs[backend]?.model;
     return {
-        backend: options.backend ?? fileConfig.backend ?? DEFAULTS.backend,
-        model: options.model ?? fileConfig.model ?? DEFAULTS.model,
+        backend,
+        model: options.model ?? backendModel ?? DEFAULTS.model,
         timeoutMs: typeof fileConfig.budgets?.timeout_ms === "number"
             ? fileConfig.budgets.timeout_ms
             : DEFAULTS.timeoutMs,
@@ -103,6 +164,14 @@ function loadEffectiveConfig(options) {
             ? fileConfig.rules?.disable.filter((item) => typeof item === "string")
             : DEFAULTS.rulesDisable,
         severityOverrides: sanitizeSeverityOverrides((fileConfig.rules?.severity_overrides ?? undefined)),
-        backendExecutables: sanitizeBackendExecutables((fileConfig.backends ?? undefined))
+        backendConfigs,
+        security: {
+            secretGuard: typeof fileConfig.security?.secret_guard === "boolean"
+                ? fileConfig.security.secret_guard
+                : DEFAULTS.security.secretGuard,
+            allowPatterns: sanitizeAllowPatterns(fileConfig.security?.allow_patterns),
+            ignoreFiles: sanitizeIgnoreFiles(fileConfig.security?.ignore_files),
+            allowFiles: sanitizeAllowFiles(fileConfig.security?.allow_files)
+        }
     };
 }

package/dist/diagnostics.js

@@ -8,23 +8,19 @@ exports.sortDiagnostics = sortDiagnostics;
 exports.hasBlockingDiagnostic = hasBlockingDiagnostic;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
-const VALID_SEVERITIES = new Set(["error", "warn", "info"]);
-function isPositiveInteger(value) {
-    return typeof value === "number" && Number.isInteger(value) && value >= 1;
-}
+const utils_1 = require("./utils");
 /**
  * @param resolveRoot - Directory to resolve diagnostic file paths against (e.g. git repo root).
  *   Git diff paths are repo-relative; resolving from repo root ensures paths exist when running from subdirs.
  */
 function normalizeDiagnostics(ruleId, diagnostics, debug, resolveRoot) {
-    const out = [];
     const baseDir = resolveRoot && resolveRoot.length > 0 ? resolveRoot : process.cwd();
-    for (const raw of diagnostics) {
+    return diagnostics.flatMap((raw) => {
         if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
             if (debug) {
                 process.stderr.write(`[debug] Dropped diagnostic for ${ruleId}: not an object\n`);
             }
-            continue;
+            return [];
         }
         const candidate = raw;
         const severity = candidate.severity;
@@ -39,34 +35,34 @@ function normalizeDiagnostics(ruleId, diagnostics, debug, resolveRoot) {
             typeof message !== "string" ||
             message.trim() === "" ||
             typeof severity !== "string" ||
-            !VALID_SEVERITIES.has(severity) ||
-            !isPositiveInteger(line)) {
+            !utils_1.VALID_SEVERITIES.has(severity) ||
+            !(0, utils_1.isPositiveInteger)(line)) {
             if (debug) {
                 process.stderr.write(`[debug] Dropped diagnostic for ${ruleId}: failed required field validation\n`);
             }
-            continue;
+            return [];
         }
-        const absolute = node_path_1.default.resolve(baseDir, file);
-        if (!node_fs_1.default.existsSync(absolute)) {
+        if (!node_fs_1.default.existsSync(node_path_1.default.resolve(baseDir, file))) {
             if (debug) {
                 process.stderr.write(`[debug] Dropped diagnostic for ${ruleId}: file does not exist (${file})\n`);
             }
-            continue;
+            return [];
         }
-        out.push({
-            rule_id: candidateRuleId,
-            severity: severity,
-            message,
-            file,
-            line,
-            column: isPositiveInteger(candidate.column) ? candidate.column : undefined,
-            end_line: isPositiveInteger(candidate.end_line) ? candidate.end_line : undefined,
-            end_column: isPositiveInteger(candidate.end_column) ? candidate.end_column : undefined,
-            evidence: typeof candidate.evidence === "string" ? candidate.evidence : undefined,
-            confidence: typeof candidate.confidence === "number" ? candidate.confidence : undefined
-        });
-    }
-    return out;
+        return [
+            {
+                rule_id: candidateRuleId,
+                severity: severity,
+                message,
+                file,
+                line,
+                column: (0, utils_1.isPositiveInteger)(candidate.column) ? candidate.column : undefined,
+                end_line: (0, utils_1.isPositiveInteger)(candidate.end_line) ? candidate.end_line : undefined,
+                end_column: (0, utils_1.isPositiveInteger)(candidate.end_column) ? candidate.end_column : undefined,
+                evidence: typeof candidate.evidence === "string" ? candidate.evidence : undefined,
+                confidence: typeof candidate.confidence === "number" ? candidate.confidence : undefined
+            }
+        ];
+    });
 }
 const SEVERITY_ORDER = {
     error: 3,