semlint-cli 0.1.6 → 0.1.7

package/.semlint/rules/SEMLINT_NAMING_001.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_NAMING_001",
+  "title": "Ambient naming convention consistency",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(const|let|var|function|class|interface|type|enum)\\b",
+    "^[+-].*\\b[A-Za-z_][A-Za-z0-9_]*\\b"
+  ],
+  "prompt": "Verify naming is consistent with the ambient naming conventions already used in surrounding code. Both in term of semantic and casing."
+}

package/.semlint/rules/SEMLINT_PATTERN_002.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_PATTERN_002",
+  "title": "Ambient pattern is respected",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(async|await|Promise|try|catch|throw|switch|map|filter|reduce|forEach)\\b",
+    "^[+-].*\\b(import|export|class|interface|type|function|return)\\b"
+  ],
+  "prompt": "Check whether ambient implementation patterns are respected. Compare new or changed code against nearby established patterns. Flag clear regressions where the proposed change deviates from consistent local patterns without obvious justification."
+}

package/.semlint/rules/SEMLINT_SWE_003.json

@@ -0,0 +1,12 @@
+{
+  "id": "SEMLINT_SWE_003",
+  "title": "Obvious SWE mistakes",
+  "severity_default": "warn",
+  "include_globs": ["src/**/*.ts"],
+  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
+  "diff_regex": [
+    "^[+-].*\\b(any|as\\s+any|TODO|FIXME|console\\.log|@ts-ignore|throw\\s+new\\s+Error|catch\\s*\\()\\b",
+    "^[+-].*\\b(if|else|switch|return|await|Promise|map|forEach|reduce)\\b"
+  ],
+  "prompt": "Find obvious software-engineering mistakes in the proposed change that are likely unintended. Do not nitpick style or architecture unless the issue is clearly harmful. Report only high-signal findings."
+}

package/README.md

@@ -1,5 +1,13 @@
 # Semlint CLI MVP
 
+## Motivation
+
+Upstream instruction files (`AGENTS.md`, `CURSOR.md`, etc.) are the standard way to guide coding agents — but a [recent study (Gloaguen et al., 2026)](https://arxiv.org/abs/2602.11988) found that such context files tend to *reduce* task success rates compared to providing no context at all, while increasing inference cost by over 20%. The root cause: agents respect the instructions, but unnecessary or over-specified requirements make tasks harder, with no feedback mechanism to catch when rules are ignored or misapplied.
+
+Semlint takes a different approach. Instead of providing guidance upfront and hoping for the best, rules are enforced *after the fact* as a lint pass on the diff — giving agents a deterministic red/green signal and closing the feedback loop.
+
+---
+
 Semlint is a deterministic semantic lint CLI that:
 
 - reads a git diff,
@@ -84,8 +92,14 @@ Unknown fields are ignored.
   "execution": {
     "batch": false
   },
+  "security": {
+    "secret_guard": true,
+    "allow_patterns": [],
+    "allow_files": [],
+    "ignore_files": [".gitignore", ".cursorignore", ".semlintignore", ".cursoringore"]
+  },
   "rules": {
-    "disable": ["SEMLINT_EXAMPLE_001"],
+    "disable": [],
     "severity_overrides": {
       "SEMLINT_API_001": "error"
     }
@@ -116,11 +130,11 @@ This creates `./semlint.json` and auto-detects installed coding agent CLIs in th
 
 If no known CLI is detected, Semlint falls back to `cursor-cli` + executable `cursor`.
 
-Use `semlint init --force` to overwrite an existing config file. Init also creates `.semlint/rules/` and a starter rule `SEMLINT_EXAMPLE_001.json` (with a placeholder title and prompt) if they do not exist.
+Use `semlint init --force` to overwrite an existing config file. Init also creates `.semlint/rules/` and copies the bundled Semlint rule files into it.
 
 ## Rule files
 
-Rule JSON files are loaded from `.semlint/rules/`. Run `semlint init` to create this folder and an example rule you can edit.
+Rule JSON files are loaded from `.semlint/rules/`. Run `semlint init` to create this folder and copy bundled rules into it.
 
 Required fields:
 
@@ -187,6 +201,33 @@ If parsing fails, Semlint retries once with appended instruction:
 
 If backend execution still fails and Semlint is running in an interactive terminal (TTY), it automatically performs one interactive passthrough run so you can satisfy backend setup prompts (for example auth/workspace trust), then retries machine parsing once.
 
+## Secret guard
+
+Semlint uses a fail-closed secret guard before any backend call:
+
+- Filters diff chunks using path ignore rules from `.gitignore`, `.cursorignore`, `.semlintignore`
+- Applies additional built-in sensitive path deny patterns (`.env*`, key files, secrets/credentials folders)
+- Scans added diff lines for high-signal secret keywords and token prefixes (password/token/api key/private key/JWT/provider key prefixes)
+- If any potential secrets are found, Semlint exits with code `2` and sends nothing to the backend
+
+Config:
+
+```json
+{
+  "security": {
+    "secret_guard": true,
+    "allow_patterns": [],
+    "allow_files": [],
+    "ignore_files": [".gitignore", ".cursorignore", ".semlintignore", ".cursoringore"]
+  }
+}
+```
+
+- `secret_guard`: enable/disable secret blocking (default `true`)
+- `allow_patterns`: regex list to suppress known-safe fixtures from triggering the guard
+- `allow_files`: file glob allowlist to skip secret scanning for known-safe files (example: `["src/test-fixtures/**"]`)
+- `ignore_files`: ignore files Semlint reads for path-level filtering (default: `.gitignore`, `.cursorignore`, `.semlintignore`, `.cursoringore`)
+
 ## Prompt files
 
 Core system prompts are externalized under `prompts/` so prompt behavior is easy to inspect and iterate:

package/dist/config.js

@@ -20,7 +20,13 @@ const DEFAULTS = {
     batchMode: false,
     rulesDisable: [],
     severityOverrides: {},
-    backendConfigs: {}
+    backendConfigs: {},
+    security: {
+        secretGuard: true,
+        allowPatterns: [],
+        ignoreFiles: [".gitignore", ".cursorignore", ".semlintignore"],
+        allowFiles: []
+    }
 };
 function readJsonIfExists(filePath) {
     if (!node_fs_1.default.existsSync(filePath)) {
@@ -81,6 +87,51 @@ function sanitizeBackendConfigs(value) {
         return [[name, { executable, args: normalizedArgs, model: model && model !== "" ? model : undefined }]];
     }));
 }
+function sanitizeAllowPatterns(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string" || candidate.trim() === "") {
+            return [];
+        }
+        try {
+            new RegExp(candidate);
+            return [candidate];
+        }
+        catch {
+            return [];
+        }
+    });
+}
+function sanitizeIgnoreFiles(value) {
+    if (!Array.isArray(value)) {
+        return [...DEFAULTS.security.ignoreFiles];
+    }
+    const normalized = value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const trimmed = candidate.trim();
+        if (trimmed === "") {
+            return [];
+        }
+        return [trimmed];
+    });
+    return normalized.length > 0 ? normalized : [...DEFAULTS.security.ignoreFiles];
+}
+function sanitizeAllowFiles(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const trimmed = candidate.trim();
+        return trimmed === "" ? [] : [trimmed];
+    });
+}
 function ensureSelectedBackendIsConfigured(backend, backendConfigs) {
     if (!(backend in backendConfigs)) {
         throw new Error(`Backend "${backend}" is not configured. Add it under backends.${backend} with executable and args (including "{prompt}") in semlint.json.`);
@@ -113,6 +164,14 @@ function loadEffectiveConfig(options) {
             ? fileConfig.rules?.disable.filter((item) => typeof item === "string")
             : DEFAULTS.rulesDisable,
         severityOverrides: sanitizeSeverityOverrides((fileConfig.rules?.severity_overrides ?? undefined)),
-        backendConfigs
+        backendConfigs,
+        security: {
+            secretGuard: typeof fileConfig.security?.secret_guard === "boolean"
+                ? fileConfig.security.secret_guard
+                : DEFAULTS.security.secretGuard,
+            allowPatterns: sanitizeAllowPatterns(fileConfig.security?.allow_patterns),
+            ignoreFiles: sanitizeIgnoreFiles(fileConfig.security?.ignore_files),
+            allowFiles: sanitizeAllowFiles(fileConfig.security?.allow_files)
+        }
     };
 }

package/dist/diff.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseDiffGitHeader = parseDiffGitHeader;
+exports.splitDiffIntoFileChunks = splitDiffIntoFileChunks;
+function unquoteDiffPath(raw) {
+    if (raw.startsWith("\"") && raw.endsWith("\"") && raw.length >= 2) {
+        return raw.slice(1, -1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
+    }
+    return raw;
+}
+function parseDiffGitHeader(line) {
+    const match = line.match(/^diff --git (?:"a\/((?:[^"\\]|\\.)+)"|a\/(\S+)) (?:"b\/((?:[^"\\]|\\.)+)"|b\/(\S+))$/);
+    if (!match) {
+        return undefined;
+    }
+    const aRaw = match[1] ?? match[2];
+    const bRaw = match[3] ?? match[4];
+    if (!aRaw || !bRaw) {
+        return undefined;
+    }
+    return {
+        aPath: unquoteDiffPath(aRaw),
+        bPath: unquoteDiffPath(bRaw)
+    };
+}
+function splitDiffIntoFileChunks(diff) {
+    const lines = diff.split("\n");
+    const chunks = [];
+    let currentLines = [];
+    let currentFile = "";
+    const flush = () => {
+        if (currentLines.length === 0) {
+            return;
+        }
+        chunks.push({
+            file: currentFile,
+            chunk: currentLines.join("\n")
+        });
+        currentLines = [];
+        currentFile = "";
+    };
+    for (const line of lines) {
+        if (line.startsWith("diff --git ")) {
+            flush();
+            const parsed = parseDiffGitHeader(line);
+            if (parsed) {
+                currentFile = parsed.bPath;
+            }
+        }
+        currentLines.push(line);
+    }
+    flush();
+    return chunks;
+}

package/dist/filter.js

@@ -8,29 +8,9 @@ exports.getRuleCandidateFiles = getRuleCandidateFiles;
 exports.shouldRunRule = shouldRunRule;
 exports.buildScopedDiff = buildScopedDiff;
 exports.buildRulePrompt = buildRulePrompt;
+const diff_1 = require("./diff");
 const picomatch_1 = __importDefault(require("picomatch"));
 const prompts_1 = require("./prompts");
-function unquoteDiffPath(raw) {
-    if (raw.startsWith("\"") && raw.endsWith("\"") && raw.length >= 2) {
-        return raw.slice(1, -1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
-    }
-    return raw;
-}
-function parseDiffGitHeader(line) {
-    const match = line.match(/^diff --git (?:"a\/((?:[^"\\]|\\.)+)"|a\/(\S+)) (?:"b\/((?:[^"\\]|\\.)+)"|b\/(\S+))$/);
-    if (!match) {
-        return undefined;
-    }
-    const aRaw = match[1] ?? match[2];
-    const bRaw = match[3] ?? match[4];
-    if (!aRaw || !bRaw) {
-        return undefined;
-    }
-    return {
-        aPath: unquoteDiffPath(aRaw),
-        bPath: unquoteDiffPath(bRaw)
-    };
-}
 function extractChangedFilesFromDiff(diff) {
     const files = new Set();
     const lines = diff.split("\n");
@@ -38,7 +18,7 @@ function extractChangedFilesFromDiff(diff) {
         if (!line.startsWith("diff --git ")) {
             continue;
         }
-        const parsed = parseDiffGitHeader(line);
+        const parsed = (0, diff_1.parseDiffGitHeader)(line);
         if (!parsed) {
             continue;
         }
@@ -88,41 +68,12 @@ function shouldRunRule(rule, changedFiles, diff) {
     }
     return true;
 }
-function splitDiffIntoFileChunks(diff) {
-    const lines = diff.split("\n");
-    const chunks = [];
-    let currentLines = [];
-    let currentFile = "";
-    const flush = () => {
-        if (currentLines.length === 0) {
-            return;
-        }
-        chunks.push({
-            file: currentFile,
-            chunk: currentLines.join("\n")
-        });
-        currentLines = [];
-        currentFile = "";
-    };
-    for (const line of lines) {
-        if (line.startsWith("diff --git ")) {
-            flush();
-            const parsed = parseDiffGitHeader(line);
-            if (parsed) {
-                currentFile = parsed.bPath;
-            }
-        }
-        currentLines.push(line);
-    }
-    flush();
-    return chunks;
-}
 function buildScopedDiff(rule, fullDiff, changedFiles) {
     const candidateFiles = new Set(getRuleCandidateFiles(rule, changedFiles));
     if (candidateFiles.size === 0) {
         return fullDiff;
     }
-    const chunks = splitDiffIntoFileChunks(fullDiff);
+    const chunks = (0, diff_1.splitDiffIntoFileChunks)(fullDiff);
     const scoped = chunks
         .filter((chunk) => chunk.file !== "" && candidateFiles.has(chunk.file))
         .map((chunk) => chunk.chunk)

package/dist/init.js

@@ -87,6 +87,12 @@ function scaffoldConfig(force = false) {
         execution: {
             batch: false
         },
+        security: {
+            secret_guard: true,
+            allow_patterns: [],
+            ignore_files: [".gitignore", ".cursorignore", ".semlintignore"],
+            allow_files: []
+        },
         rules: {
             disable: [],
             severity_overrides: {}
@@ -107,16 +113,23 @@ function scaffoldConfig(force = false) {
         node_fs_1.default.mkdirSync(rulesDir, { recursive: true });
         process.stdout.write(picocolors_1.default.green(`Created ${node_path_1.default.join(".semlint", "rules")}/\n`));
     }
-    const exampleRulePath = node_path_1.default.join(rulesDir, "SEMLINT_EXAMPLE_001.json");
-    if (!node_fs_1.default.existsSync(exampleRulePath)) {
-        const exampleRule = {
-            id: "SEMLINT_EXAMPLE_001",
-            title: "My first rule",
-            severity_default: "warn",
-            prompt: "Describe what the agent should check in the changed code. Example: flag when new functions lack JSDoc, or when error handling is missing."
-        };
-        node_fs_1.default.writeFileSync(exampleRulePath, `${JSON.stringify(exampleRule, null, 2)}\n`, "utf8");
-        process.stdout.write(picocolors_1.default.green(`Created ${node_path_1.default.join(".semlint", "rules", "SEMLINT_EXAMPLE_001.json")} `) + picocolors_1.default.dim(`(edit the title and prompt to define your rule)\n`));
+    const bundledRulesDir = node_path_1.default.resolve(__dirname, "..", ".semlint", "rules");
+    if (!node_fs_1.default.existsSync(bundledRulesDir) || !node_fs_1.default.statSync(bundledRulesDir).isDirectory()) {
+        process.stderr.write(picocolors_1.default.yellow(`No bundled rules found at ${bundledRulesDir}. Add rule files manually under ${node_path_1.default.join(".semlint", "rules")}.\n`));
+        return 0;
+    }
+    const bundledRules = node_fs_1.default
+        .readdirSync(bundledRulesDir)
+        .filter((name) => name.endsWith(".json"))
+        .sort((a, b) => a.localeCompare(b));
+    for (const fileName of bundledRules) {
+        const source = node_path_1.default.join(bundledRulesDir, fileName);
+        const target = node_path_1.default.join(rulesDir, fileName);
+        if (!force && node_fs_1.default.existsSync(target)) {
+            continue;
+        }
+        node_fs_1.default.copyFileSync(source, target);
+        process.stdout.write(picocolors_1.default.green(`Copied ${node_path_1.default.join(".semlint", "rules", fileName)}\n`));
     }
     return 0;
 }

package/dist/main.js

@@ -16,6 +16,7 @@ const filter_1 = require("./filter");
 const git_1 = require("./git");
 const reporter_1 = require("./reporter");
 const rules_1 = require("./rules");
+const secrets_1 = require("./secrets");
 const utils_1 = require("./utils");
 function timed(enabled, label, action) {
     const startedAt = Date.now();
@@ -39,13 +40,33 @@ async function runSemlint(options) {
         (0, utils_1.debugLog)(config.debug, `Loaded ${rules.length} rule(s)`);
         (0, utils_1.debugLog)(config.debug, `Rule IDs: ${rules.map((rule) => rule.id).join(", ")}`);
         const useLocalBranchDiff = !options.base && !options.head;
-        const diff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)() : (0, git_1.getGitDiff)(config.base, config.head));
+        const repoRoot = await timedAsync(config.debug, "Resolved git repo root", () => (0, git_1.getRepoRoot)());
+        const scanRoot = repoRoot ?? process.cwd();
+        (0, utils_1.debugLog)(config.debug, `Using diff/ignore scan root: ${scanRoot}`);
+        const rawDiff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)() : (0, git_1.getGitDiff)(config.base, config.head));
+        const { filteredDiff: diff, excludedFiles } = timed(config.debug, "Filtered diff by ignore rules", () => (0, secrets_1.filterDiffByIgnoreRules)(rawDiff, scanRoot, config.security.ignoreFiles));
+        if (excludedFiles.length > 0) {
+            (0, utils_1.debugLog)(config.debug, `Excluded ${excludedFiles.length} file(s) by ignore/security rules: ${excludedFiles.join(", ")}`);
+        }
+        if (config.security.secretGuard) {
+            const findings = timed(config.debug, "Scanned diff for secrets", () => (0, secrets_1.scanDiffForSecrets)(diff, config.security.allowPatterns, config.security.allowFiles));
+            if (findings.length > 0) {
+                process.stderr.write(picocolors_1.default.red("Secret guard blocked analysis: potential secrets were detected in the diff. Nothing was sent to the backend.\n"));
+                process.stderr.write("Allow a known-safe file by adding a glob to security.allow_files in semlint.json (example: \"allow_files\": [\"src/test2.ts\"]).\n");
+                findings.slice(0, 20).forEach((finding) => {
+                    process.stderr.write(`  ${finding.file}:${finding.line}  ${finding.kind}  sample=${finding.redactedSample}\n`);
+                });
+                if (findings.length > 20) {
+                    process.stderr.write(`  ...and ${findings.length - 20} more finding(s)\n`);
+                }
+                return 2;
+            }
+        }
         const changedFiles = timed(config.debug, "Parsed changed files from diff", () => (0, filter_1.extractChangedFilesFromDiff)(diff));
         (0, utils_1.debugLog)(config.debug, useLocalBranchDiff
             ? "Using local branch diff (staged + unstaged + untracked only)"
             : `Using explicit ref diff (${config.base}..${config.head})`);
         (0, utils_1.debugLog)(config.debug, `Detected ${changedFiles.length} changed file(s)`);
-        const repoRoot = await timedAsync(config.debug, "Resolved git repo root", () => (0, git_1.getRepoRoot)());
         const backend = timed(config.debug, "Initialized backend runner", () => (0, backend_1.createBackendRunner)(config));
         const runnableRules = rules.filter((rule) => {
             const filterStartedAt = Date.now();

package/dist/secrets.js

@@ -0,0 +1,153 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.filterDiffByIgnoreRules = filterDiffByIgnoreRules;
+exports.scanDiffForSecrets = scanDiffForSecrets;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const picomatch_1 = __importDefault(require("picomatch"));
+const diff_1 = require("./diff");
+const BUILTIN_SENSITIVE_GLOBS = [
+    ".env",
+    ".env.*",
+    "*.pem",
+    "*.key",
+    "id_rsa",
+    "id_rsa.*",
+    "**/secrets/**",
+    "**/credentials/**",
+    "**/*credentials*.json"
+];
+const SECRET_KEYWORDS = [
+    "password",
+    "passwd",
+    "secret",
+    "token",
+    "api_key",
+    "apikey",
+    "x-api-key",
+    "access_token",
+    "refresh_token",
+    "id_token",
+    "client_secret",
+    "auth_token",
+    "authorization",
+    "bearer ",
+    "private_key",
+    "private key",
+    "certificate",
+    "cert",
+    "connectionstring",
+    "database_url",
+    "postgres://",
+    "mongodb+srv://",
+    "mysql://",
+    "redis://",
+    "sk-",
+    "sk_",
+    "ghp_",
+    "github_pat_",
+    "xoxb-",
+    "xoxp-",
+    "akia",
+    "-----begin",
+    "key"
+];
+function readIgnorePatterns(cwd, ignoreFiles) {
+    return ignoreFiles.flatMap((fileName) => {
+        const filePath = node_path_1.default.join(cwd, fileName);
+        if (!node_fs_1.default.existsSync(filePath)) {
+            return [];
+        }
+        return node_fs_1.default
+            .readFileSync(filePath, "utf8")
+            .split("\n")
+            .map((line) => line.trim())
+            .filter((line) => line !== "" && !line.startsWith("#"));
+    });
+}
+function redactSample(sample) {
+    const compact = sample.trim();
+    if (compact.length <= 6) {
+        return "***";
+    }
+    return `${compact.slice(0, 2)}***${compact.slice(-2)}`;
+}
+function parseAllowMatchers(patterns) {
+    return patterns.flatMap((pattern) => {
+        try {
+            return [new RegExp(pattern)];
+        }
+        catch {
+            return [];
+        }
+    });
+}
+function filterDiffByIgnoreRules(diff, cwd, ignoreFiles) {
+    const ignorePatterns = [...readIgnorePatterns(cwd, ignoreFiles), ...BUILTIN_SENSITIVE_GLOBS];
+    const ignoreMatcher = (0, picomatch_1.default)(ignorePatterns, { dot: true });
+    const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
+    const excludedFiles = chunks
+        .filter((chunk) => chunk.file !== "" && ignoreMatcher(chunk.file))
+        .map((chunk) => chunk.file);
+    const filteredDiff = chunks
+        .filter((chunk) => chunk.file === "" || !ignoreMatcher(chunk.file))
+        .map((chunk) => chunk.chunk)
+        .join("\n");
+    return {
+        filteredDiff,
+        excludedFiles: Array.from(new Set(excludedFiles)).sort((a, b) => a.localeCompare(b))
+    };
+}
+function scanDiffForSecrets(diff, allowPatterns, allowFiles) {
+    const findings = [];
+    const allowMatchers = parseAllowMatchers(allowPatterns);
+    const allowFileMatcher = allowFiles.length > 0 ? (0, picomatch_1.default)(allowFiles, { dot: true }) : undefined;
+    const lines = diff.split("\n");
+    let currentFile = "(unknown)";
+    let newLine = 1;
+    for (const line of lines) {
+        if (line.startsWith("diff --git ")) {
+            const parsed = (0, diff_1.parseDiffGitHeader)(line);
+            if (parsed) {
+                currentFile = parsed.bPath;
+            }
+            continue;
+        }
+        const hunk = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+        if (hunk) {
+            newLine = Number(hunk[1]);
+            continue;
+        }
+        if (line.startsWith("+") && !line.startsWith("+++")) {
+            const fileAllowed = allowFileMatcher?.(currentFile) ?? false;
+            if (fileAllowed) {
+                newLine += 1;
+                continue;
+            }
+            const added = line.slice(1);
+            const allowed = allowMatchers.some((matcher) => matcher.test(added));
+            if (!allowed) {
+                const lowered = added.toLowerCase();
+                const matchedKeyword = SECRET_KEYWORDS.find((keyword) => lowered.includes(keyword));
+                if (matchedKeyword) {
+                    findings.push({
+                        file: currentFile,
+                        line: newLine,
+                        kind: `keyword:${matchedKeyword}`,
+                        redactedSample: redactSample(added)
+                    });
+                }
+            }
+            newLine += 1;
+            continue;
+        }
+        if (line.startsWith(" ")) {
+            newLine += 1;
+            continue;
+        }
+    }
+    return findings;
+}

package/dist/secrets.test.js

@@ -0,0 +1,83 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_os_1 = __importDefault(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const node_test_1 = __importDefault(require("node:test"));
+const secrets_1 = require("./secrets");
+(0, node_test_1.default)("filterDiffByIgnoreRules aggregates ignore files", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-"));
+    try {
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".cursorignore"), "cursor-only/**\n", "utf8");
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".semlintignore"), "semlint-only/**\n", "utf8");
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".cursoringore"), "typo-ignore/**\n", "utf8");
+        const diff = [
+            "diff --git a/cursor-only/a.ts b/cursor-only/a.ts",
+            "--- a/cursor-only/a.ts",
+            "+++ b/cursor-only/a.ts",
+            "@@ -0,0 +1 @@",
+            "+const a = 1;",
+            "diff --git a/semlint-only/b.ts b/semlint-only/b.ts",
+            "--- a/semlint-only/b.ts",
+            "+++ b/semlint-only/b.ts",
+            "@@ -0,0 +1 @@",
+            "+const b = 1;",
+            "diff --git a/typo-ignore/c.ts b/typo-ignore/c.ts",
+            "--- a/typo-ignore/c.ts",
+            "+++ b/typo-ignore/c.ts",
+            "@@ -0,0 +1 @@",
+            "+const c = 1;",
+            "diff --git a/src/safe.ts b/src/safe.ts",
+            "--- a/src/safe.ts",
+            "+++ b/src/safe.ts",
+            "@@ -0,0 +1 @@",
+            "+const safe = 1;"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [
+            ".cursorignore",
+            ".semlintignore",
+            ".cursoringore"
+        ]);
+        strict_1.default.deepEqual(result.excludedFiles, [
+            "cursor-only/a.ts",
+            "semlint-only/b.ts",
+            "typo-ignore/c.ts"
+        ]);
+        strict_1.default.match(result.filteredDiff, /src\/safe\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /cursor-only\/a\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /semlint-only\/b\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /typo-ignore\/c\.ts/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});
+(0, node_test_1.default)("scanDiffForSecrets flags keyword matches on added lines", () => {
+    const diff = [
+        "diff --git a/src/test2.ts b/src/test2.ts",
+        "--- a/src/test2.ts",
+        "+++ b/src/test2.ts",
+        "@@ -0,0 +4 @@",
+        '+const payload = { "PASSWORD": "password", "API_KEY": "api-key" };'
+    ].join("\n");
+    const findings = (0, secrets_1.scanDiffForSecrets)(diff, [], []);
+    strict_1.default.ok(findings.length >= 1);
+    strict_1.default.equal(findings[0].file, "src/test2.ts");
+    strict_1.default.equal(findings[0].line, 4);
+    strict_1.default.match(findings[0].kind, /^keyword:/);
+});
+(0, node_test_1.default)("scanDiffForSecrets skips files listed in allow_files", () => {
+    const diff = [
+        "diff --git a/src/test2.ts b/src/test2.ts",
+        "--- a/src/test2.ts",
+        "+++ b/src/test2.ts",
+        "@@ -0,0 +1 @@",
+        '+const password = "should-not-block-when-allowed";'
+    ].join("\n");
+    const findings = (0, secrets_1.scanDiffForSecrets)(diff, [], ["src/test2.ts"]);
+    strict_1.default.equal(findings.length, 0);
+});

package/dist/test2.js

@@ -0,0 +1,5 @@
+"use strict";
+const a = {
+    "PASSWORD": "password",
+    "API_KEY": "api-key"
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semlint-cli",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Semantic lint CLI — runs LLM-backed rules on your git diff and returns CI-friendly exit codes",
   "type": "commonjs",
   "main": "dist/main.js",
@@ -10,11 +10,12 @@
   "files": [
     "dist",
     "prompts",
-    "rules",
+    ".semlint/rules",
     "README.md"
   ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
+    "test": "pnpm run build && node --test \"dist/*.test.js\"",
     "prepublishOnly": "pnpm run build",
     "check": "node dist/cli.js check",
     "start": "node dist/cli.js check",