semlint-cli 0.1.7 → 0.1.10

package/.semlint/rules/SEMLINT_COUPLING_004.json

@@ -0,0 +1,8 @@
+{
+  "id": "SEMLINT_COUPLING_004",
+  "title": "Check for unwanted hidden coupling",
+  "severity_default": "warn",
+  "include_globs": [],
+  "exclude_globs": [],
+  "prompt": "Flag any coupling that is not obvious at first glance. (hidden/implicit coupling, and forms of connascence)"
+}

package/.semlint/rules/SEMLINT_NAMING_001.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_NAMING_001",
   "title": "Ambient naming convention consistency",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(const|let|var|function|class|interface|type|enum)\\b",
-    "^[+-].*\\b[A-Za-z_][A-Za-z0-9_]*\\b"
-  ],
+  "include_globs": [],
+  "exclude_globs": [],
   "prompt": "Verify naming is consistent with the ambient naming conventions already used in surrounding code. Both in term of semantic and casing."
 }

package/.semlint/rules/SEMLINT_PATTERN_002.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_PATTERN_002",
   "title": "Ambient pattern is respected",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(async|await|Promise|try|catch|throw|switch|map|filter|reduce|forEach)\\b",
-    "^[+-].*\\b(import|export|class|interface|type|function|return)\\b"
-  ],
-  "prompt": "Check whether ambient implementation patterns are respected. Compare new or changed code against nearby established patterns. Flag clear regressions where the proposed change deviates from consistent local patterns without obvious justification."
+  "include_globs": [],
+  "exclude_globs": [],
+  "prompt": "Any change that breaks an established local pattern should be flagged by default. Consistency with adjacent implementations is the enforced invariant."
 }

package/.semlint/rules/SEMLINT_SWE_003.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_SWE_003",
   "title": "Obvious SWE mistakes",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(any|as\\s+any|TODO|FIXME|console\\.log|@ts-ignore|throw\\s+new\\s+Error|catch\\s*\\()\\b",
-    "^[+-].*\\b(if|else|switch|return|await|Promise|map|forEach|reduce)\\b"
-  ],
+  "include_globs": [],
+  "exclude_globs": [],
   "prompt": "Find obvious software-engineering mistakes in the proposed change that are likely unintended. Do not nitpick style or architecture unless the issue is clearly harmful. Report only high-signal findings."
 }

package/README.md

@@ -51,18 +51,23 @@ pnpm check
 - `--head <ref>`: head git ref for explicit ref-to-ref diff
 - `--fail-on <error|warn|never>`: failure threshold (default `error`)
 - `--batch`: run all selected rules in one backend call
+- `--yes` / `-y`: auto-accept diff file confirmation (useful for CI)
 - `--debug`: enable debug logs to stderr
 - `init --force`: overwrite an existing `semlint.json`
 
 Default diff behavior (without `--base`/`--head`) uses your local branch state:
 
-- tracked changes across commits since merge-base,
 - staged changes,
 - unstaged changes,
 - untracked files.
 
 If you pass `--base` or `--head`, Semlint uses explicit `git diff <base> <head>` mode.
 
+Before backend execution, Semlint shows the included and excluded diff files and asks for confirmation by default.
+Use `--yes` / `-y` to skip this prompt.
+
+You can configure local diff selection and path filtering via `diff.file_kinds`, `diff.include_globs`, and `diff.exclude_globs` in `semlint.json`.
+
 ## Exit codes
 
 - `0`: no blocking diagnostics
@@ -92,6 +97,11 @@ Unknown fields are ignored.
   "execution": {
     "batch": false
   },
+  "diff": {
+    "file_kinds": ["staged", "unstaged", "untracked"],
+    "include_globs": [],
+    "exclude_globs": []
+  },
   "security": {
     "secret_guard": true,
     "allow_patterns": [],
@@ -114,6 +124,26 @@ Unknown fields are ignored.
 }
 ```
 
+## Diff management
+
+Use the `diff` section to control which local change kinds and file paths are included:
+
+```json
+{
+  "diff": {
+    "file_kinds": ["staged", "unstaged", "untracked"],
+    "include_globs": ["src/**/*.ts"],
+    "exclude_globs": ["**/*.test.ts"]
+  }
+}
+```
+
+- `file_kinds`: local diff sources included by default (`staged`, `unstaged`, `untracked`)
+- `include_globs`: optional allowlist of changed files to keep
+- `exclude_globs`: optional denylist applied after include globs (exclude wins)
+
+`diff.*` settings are applied before security ignore filtering and secret scanning.
+
 ## Config scaffolding and auto-detection
 
 Run:
@@ -228,6 +258,16 @@ Config:
 - `allow_files`: file glob allowlist to skip secret scanning for known-safe files (example: `["src/test-fixtures/**"]`)
 - `ignore_files`: ignore files Semlint reads for path-level filtering (default: `.gitignore`, `.cursorignore`, `.semlintignore`, `.cursoringore`)
 
+Ignore file patterns are evaluated with standard gitignore semantics (including basename matching and `!` negation).
+
+## Security responsibility model
+
+Security in Semlint is shared, and the repository owner remains responsible for secure setup:
+
+- **Diff-level (your responsibility):** carefully configure ignore files and Semlint security settings so sensitive files/content never enter the analyzed diff.
+- **Semlint guard (best-effort control):** Semlint filters diff paths and scans added lines, but this is not a complete prevention system.
+- **Agent/runtime level (handled by your backend tool):** after Semlint sends a prompt to your configured CLI, what the agent can do is controlled by the native agent/backend configuration.
+
 ## Prompt files
 
 Core system prompts are externalized under `prompts/` so prompt behavior is easy to inspect and iterate:

package/dist/cli.js

@@ -7,18 +7,22 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const picocolors_1 = __importDefault(require("picocolors"));
 const init_1 = require("./init");
 const main_1 = require("./main");
+const security_1 = require("./security");
 const HELP_TEXT = [
     "Usage:",
-    "  semlint check [--backend <name>] [--model <name>] [--config <path>] [--format <text|json>] [--base <ref>] [--head <ref>] [--fail-on <error|warn|never>] [--batch] [--debug]",
-    "  semlint init [--force]",
-    "  semlint --help",
+    " semlint-cli check [--backend <name>] [--model <name>] [--config <path>] [--format <text|json>] [--base <ref>] [--head <ref>] [--fail-on <error|warn|never>] [--batch] [--yes|-y] [--debug]",
+    " semlint-cli init [--force]",
+    " semlint-cli security",
+    " semlint-cli --help",
     "",
     "Commands:",
     "  check   Run semantic lint rules against your git diff",
     "  init    Create semlint.json, .semlint/rules/, and an example rule to edit",
+    "  security  Show security responsibility guidance",
     "",
     "Options:",
-    "  -h, --help   Show this help text"
+    "  -h, --help   Show this help text",
+    "  -y, --yes    Auto-accept diff file confirmation"
 ].join("\n");
 class HelpRequestedError extends Error {
     constructor() {
@@ -45,7 +49,7 @@ function parseArgs(argv) {
         throw new HelpRequestedError();
     }
     const [command, ...rest] = argv;
-    if (!command || (command !== "check" && command !== "init")) {
+    if (!command || (command !== "check" && command !== "init" && command !== "security")) {
         throw new Error(HELP_TEXT);
     }
     if (command === "init") {
@@ -62,12 +66,25 @@ function parseArgs(argv) {
         }
         return options;
     }
+    if (command === "security") {
+        if (rest.length > 0) {
+            throw new Error(`Unknown flag for security: ${rest[0]}`);
+        }
+        return {
+            command: "security",
+            debug: false
+        };
+    }
     const options = {
         command: "check",
         debug: false
     };
     for (let i = 0; i < rest.length; i += 1) {
         const token = rest[i];
+        if (token === "--yes" || token === "-y") {
+            options.autoAccept = true;
+            continue;
+        }
         if (token === "--debug") {
             options.debug = true;
             continue;
@@ -121,7 +138,11 @@ function parseArgs(argv) {
 async function main() {
     try {
         const options = parseArgs(process.argv.slice(2));
-        const exitCode = options.command === "init" ? (0, init_1.scaffoldConfig)(options.force) : await (0, main_1.runSemlint)(options);
+        const exitCode = options.command === "init"
+            ? (0, init_1.scaffoldConfig)(options.force)
+            : options.command === "security"
+                ? (0, security_1.printSecurityGuide)()
+                : await (0, main_1.runSemlint)(options);
         process.exitCode = exitCode;
     }
     catch (error) {

package/dist/config.js

@@ -8,6 +8,7 @@ exports.loadEffectiveConfig = loadEffectiveConfig;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const utils_1 = require("./utils");
+const VALID_DIFF_FILE_KINDS = new Set(["staged", "unstaged", "untracked"]);
 const DEFAULTS = {
     backend: "cursor-cli",
     model: "auto",
@@ -18,8 +19,15 @@ const DEFAULTS = {
     head: "HEAD",
     debug: false,
     batchMode: false,
+    diff: {
+        fileKinds: ["staged", "unstaged", "untracked"],
+        includeGlobs: [],
+        excludeGlobs: []
+    },
     rulesDisable: [],
     severityOverrides: {},
+    rulesIncludeGlobs: [],
+    rulesExcludeGlobs: [],
     backendConfigs: {},
     security: {
         secretGuard: true,
@@ -132,6 +140,30 @@ function sanitizeAllowFiles(value) {
         return trimmed === "" ? [] : [trimmed];
     });
 }
+function sanitizeGlobList(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const trimmed = candidate.trim();
+        return trimmed === "" ? [] : [trimmed];
+    });
+}
+function sanitizeDiffFileKinds(value) {
+    if (!Array.isArray(value)) {
+        return [...DEFAULTS.diff.fileKinds];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const normalized = candidate.trim();
+        return VALID_DIFF_FILE_KINDS.has(normalized) ? [normalized] : [];
+    });
+}
 function ensureSelectedBackendIsConfigured(backend, backendConfigs) {
     if (!(backend in backendConfigs)) {
         throw new Error(`Backend "${backend}" is not configured. Add it under backends.${backend} with executable and args (including "{prompt}") in semlint.json.`);
@@ -160,10 +192,17 @@ function loadEffectiveConfig(options) {
             (typeof fileConfig.execution?.batch === "boolean"
                 ? fileConfig.execution.batch
                 : DEFAULTS.batchMode),
+        diff: {
+            fileKinds: sanitizeDiffFileKinds(fileConfig.diff?.file_kinds),
+            includeGlobs: sanitizeGlobList(fileConfig.diff?.include_globs),
+            excludeGlobs: sanitizeGlobList(fileConfig.diff?.exclude_globs)
+        },
         rulesDisable: Array.isArray(fileConfig.rules?.disable)
             ? fileConfig.rules?.disable.filter((item) => typeof item === "string")
             : DEFAULTS.rulesDisable,
         severityOverrides: sanitizeSeverityOverrides((fileConfig.rules?.severity_overrides ?? undefined)),
+        rulesIncludeGlobs: sanitizeGlobList(fileConfig.rules?.include_globs),
+        rulesExcludeGlobs: sanitizeGlobList(fileConfig.rules?.exclude_globs),
         backendConfigs,
         security: {
             secretGuard: typeof fileConfig.security?.secret_guard === "boolean"

package/dist/dispatch.js

@@ -24,7 +24,7 @@ async function runBatchDispatch(input) {
     let backendErrors = 0;
     (0, utils_1.debugLog)(config.debug, `Running ${rules.length} rule(s) in batch mode`);
     const combinedDiff = rules
-        .map((rule) => (0, filter_1.buildScopedDiff)(rule, diff, changedFiles))
+        .map((rule) => (0, filter_1.buildScopedDiff)(rule, diff, changedFiles, config.rulesIncludeGlobs, config.rulesExcludeGlobs))
         .filter((chunk) => chunk.trim() !== "")
         .join("\n");
     const batchPrompt = buildBatchPrompt(rules, combinedDiff || diff);
@@ -68,7 +68,7 @@ async function runParallelDispatch(input) {
     const runResults = await Promise.all(rules.map(async (rule) => {
         const ruleStartedAt = Date.now();
         (0, utils_1.debugLog)(config.debug, `Rule ${rule.id}: started`);
-        const scopedDiff = (0, filter_1.buildScopedDiff)(rule, diff, changedFiles);
+        const scopedDiff = (0, filter_1.buildScopedDiff)(rule, diff, changedFiles, config.rulesIncludeGlobs, config.rulesExcludeGlobs);
         const prompt = (0, filter_1.buildRulePrompt)(rule, scopedDiff);
         try {
             const result = await backend.runRule({

package/dist/filter.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.extractChangedFilesFromDiff = extractChangedFilesFromDiff;
+exports.filterDiffByPathGlobs = filterDiffByPathGlobs;
 exports.getRuleCandidateFiles = getRuleCandidateFiles;
 exports.shouldRunRule = shouldRunRule;
 exports.buildScopedDiff = buildScopedDiff;
@@ -29,6 +30,31 @@ function extractChangedFilesFromDiff(diff) {
     }
     return Array.from(files);
 }
+function filterDiffByPathGlobs(diff, includeGlobs = [], excludeGlobs = []) {
+    const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
+    const includeMatcher = includeGlobs.length > 0 ? (0, picomatch_1.default)(includeGlobs) : null;
+    const excludeMatcher = excludeGlobs.length > 0 ? (0, picomatch_1.default)(excludeGlobs) : null;
+    const excludedFiles = [];
+    const filteredDiff = chunks
+        .filter((chunk) => {
+        if (chunk.file === "") {
+            return true;
+        }
+        const included = includeMatcher ? includeMatcher(chunk.file) : true;
+        const excluded = excludeMatcher ? excludeMatcher(chunk.file) : false;
+        const keep = included && !excluded;
+        if (!keep) {
+            excludedFiles.push(chunk.file);
+        }
+        return keep;
+    })
+        .map((chunk) => chunk.chunk)
+        .join("\n");
+    return {
+        filteredDiff,
+        excludedFiles: Array.from(new Set(excludedFiles)).sort((a, b) => a.localeCompare(b))
+    };
+}
 function matchesAnyRegex(diff, regexes) {
     for (const candidate of regexes) {
         try {
@@ -43,10 +69,18 @@ function matchesAnyRegex(diff, regexes) {
     }
     return false;
 }
-function getRuleCandidateFiles(rule, changedFiles) {
+function resolveRuleGlobs(ruleGlobs, globalGlobs) {
+    if (ruleGlobs === undefined) {
+        return globalGlobs;
+    }
+    return ruleGlobs;
+}
+function getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs = [], globalExcludeGlobs = []) {
     let fileCandidates = changedFiles;
-    const includeMatcher = rule.include_globs && rule.include_globs.length > 0 ? (0, picomatch_1.default)(rule.include_globs) : null;
-    const excludeMatcher = rule.exclude_globs && rule.exclude_globs.length > 0 ? (0, picomatch_1.default)(rule.exclude_globs) : null;
+    const effectiveIncludeGlobs = resolveRuleGlobs(rule.include_globs, globalIncludeGlobs);
+    const effectiveExcludeGlobs = resolveRuleGlobs(rule.exclude_globs, globalExcludeGlobs);
+    const includeMatcher = effectiveIncludeGlobs.length > 0 ? (0, picomatch_1.default)(effectiveIncludeGlobs) : null;
+    const excludeMatcher = effectiveExcludeGlobs.length > 0 ? (0, picomatch_1.default)(effectiveExcludeGlobs) : null;
     if (includeMatcher) {
         fileCandidates = changedFiles.filter((filePath) => includeMatcher(filePath));
         if (fileCandidates.length === 0) {
@@ -58,8 +92,8 @@ function getRuleCandidateFiles(rule, changedFiles) {
     }
     return fileCandidates;
 }
-function shouldRunRule(rule, changedFiles, diff) {
-    const fileCandidates = getRuleCandidateFiles(rule, changedFiles);
+function shouldRunRule(rule, changedFiles, diff, globalIncludeGlobs = [], globalExcludeGlobs = []) {
+    const fileCandidates = getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs, globalExcludeGlobs);
     if (fileCandidates.length === 0) {
         return false;
     }
@@ -68,8 +102,8 @@ function shouldRunRule(rule, changedFiles, diff) {
     }
     return true;
 }
-function buildScopedDiff(rule, fullDiff, changedFiles) {
-    const candidateFiles = new Set(getRuleCandidateFiles(rule, changedFiles));
+function buildScopedDiff(rule, fullDiff, changedFiles, globalIncludeGlobs = [], globalExcludeGlobs = []) {
+    const candidateFiles = new Set(getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs, globalExcludeGlobs));
     if (candidateFiles.size === 0) {
         return fullDiff;
     }

package/dist/filter.test.js

@@ -0,0 +1,84 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_test_1 = __importDefault(require("node:test"));
+const filter_1 = require("./filter");
+function makeRule(overrides = {}) {
+    return {
+        id: "SEMLINT_TEST_001",
+        title: "Test rule",
+        severity_default: "warn",
+        prompt: "Test",
+        sourcePath: "/tmp/SEMLINT_TEST_001.json",
+        effectiveSeverity: "warn",
+        ...overrides
+    };
+}
+(0, node_test_1.default)("getRuleCandidateFiles inherits global include/exclude globs", () => {
+    const changedFiles = ["src/a.ts", "src/a.test.ts", "docs/readme.md"];
+    const rule = makeRule();
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], ["**/*.test.ts", "**/*.spec.ts"]);
+    strict_1.default.deepEqual(candidates, ["src/a.ts"]);
+});
+(0, node_test_1.default)("getRuleCandidateFiles lets empty rule globs disable global filters", () => {
+    const changedFiles = ["src/a.ts", "src/a.test.ts", "docs/readme.md"];
+    const rule = makeRule({
+        include_globs: [],
+        exclude_globs: []
+    });
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], ["**/*.test.ts", "**/*.spec.ts"]);
+    strict_1.default.deepEqual(candidates, changedFiles);
+});
+(0, node_test_1.default)("getRuleCandidateFiles uses explicit rule globs instead of globals", () => {
+    const changedFiles = ["src/a.ts", "docs/readme.md"];
+    const rule = makeRule({
+        include_globs: ["docs/**/*.md"]
+    });
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], []);
+    strict_1.default.deepEqual(candidates, ["docs/readme.md"]);
+});
+(0, node_test_1.default)("filterDiffByPathGlobs applies include and exclude globs", () => {
+    const diff = [
+        "diff --git a/src/a.ts b/src/a.ts",
+        "--- a/src/a.ts",
+        "+++ b/src/a.ts",
+        "@@ -0,0 +1 @@",
+        "+const a = 1;",
+        "diff --git a/src/a.test.ts b/src/a.test.ts",
+        "--- a/src/a.test.ts",
+        "+++ b/src/a.test.ts",
+        "@@ -0,0 +1 @@",
+        "+const test = 1;",
+        "diff --git a/docs/readme.md b/docs/readme.md",
+        "--- a/docs/readme.md",
+        "+++ b/docs/readme.md",
+        "@@ -0,0 +1 @@",
+        "+# docs"
+    ].join("\n");
+    const result = (0, filter_1.filterDiffByPathGlobs)(diff, ["src/**/*.ts"], ["**/*.test.ts"]);
+    strict_1.default.match(result.filteredDiff, /src\/a\.ts/);
+    strict_1.default.doesNotMatch(result.filteredDiff, /src\/a\.test\.ts/);
+    strict_1.default.doesNotMatch(result.filteredDiff, /docs\/readme\.md/);
+    strict_1.default.deepEqual(result.excludedFiles, ["docs/readme.md", "src/a.test.ts"]);
+});
+(0, node_test_1.default)("filterDiffByPathGlobs keeps all files when include/exclude are empty", () => {
+    const diff = [
+        "diff --git a/src/a.ts b/src/a.ts",
+        "--- a/src/a.ts",
+        "+++ b/src/a.ts",
+        "@@ -0,0 +1 @@",
+        "+const a = 1;",
+        "diff --git a/docs/readme.md b/docs/readme.md",
+        "--- a/docs/readme.md",
+        "+++ b/docs/readme.md",
+        "@@ -0,0 +1 @@",
+        "+# docs"
+    ].join("\n");
+    const result = (0, filter_1.filterDiffByPathGlobs)(diff, [], []);
+    strict_1.default.match(result.filteredDiff, /src\/a\.ts/);
+    strict_1.default.match(result.filteredDiff, /docs\/readme\.md/);
+    strict_1.default.deepEqual(result.excludedFiles, []);
+});

package/dist/git.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getGitDiff = getGitDiff;
 exports.getRepoRoot = getRepoRoot;
 exports.getLocalBranchDiff = getLocalBranchDiff;
+exports.selectLocalBranchDiffChunks = selectLocalBranchDiffChunks;
 const node_child_process_1 = require("node:child_process");
 const node_os_1 = require("node:os");
 function runGitCommand(args, okExitCodes = [0]) {
@@ -69,18 +70,42 @@ async function getNoIndexDiffForFile(filePath) {
  * - Untracked files (as full-file diffs)
  * Does not include already-committed changes on the branch.
  */
-async function getLocalBranchDiff() {
-    const stagedResult = await runGitCommand(["diff", "--cached"]);
-    const unstagedResult = await runGitCommand(["diff"]);
-    const untrackedFiles = await getUntrackedFiles();
-    const untrackedDiffChunks = [];
-    for (const filePath of untrackedFiles) {
-        const fileDiff = await getNoIndexDiffForFile(filePath);
-        if (fileDiff.trim() !== "") {
-            untrackedDiffChunks.push(fileDiff);
+async function getLocalBranchDiff(fileKinds = ["staged", "unstaged", "untracked"]) {
+    const parts = {
+        stagedDiff: "",
+        unstagedDiff: "",
+        untrackedDiffs: []
+    };
+    if (fileKinds.includes("staged")) {
+        const stagedResult = await runGitCommand(["diff", "--cached"]);
+        parts.stagedDiff = stagedResult.stdout;
+    }
+    if (fileKinds.includes("unstaged")) {
+        const unstagedResult = await runGitCommand(["diff"]);
+        parts.unstagedDiff = unstagedResult.stdout;
+    }
+    if (fileKinds.includes("untracked")) {
+        const untrackedFiles = await getUntrackedFiles();
+        for (const filePath of untrackedFiles) {
+            const fileDiff = await getNoIndexDiffForFile(filePath);
+            if (fileDiff.trim() !== "") {
+                parts.untrackedDiffs.push(fileDiff);
+            }
         }
     }
-    return [stagedResult.stdout, unstagedResult.stdout, ...untrackedDiffChunks]
-        .filter((chunk) => chunk !== "")
-        .join("\n");
+    return selectLocalBranchDiffChunks(parts, fileKinds);
+}
+function selectLocalBranchDiffChunks(parts, fileKinds = ["staged", "unstaged", "untracked"]) {
+    const selectedKinds = new Set(fileKinds);
+    const chunks = [];
+    if (selectedKinds.has("staged") && parts.stagedDiff !== "") {
+        chunks.push(parts.stagedDiff);
+    }
+    if (selectedKinds.has("unstaged") && parts.unstagedDiff !== "") {
+        chunks.push(parts.unstagedDiff);
+    }
+    if (selectedKinds.has("untracked")) {
+        chunks.push(...parts.untrackedDiffs.filter((chunk) => chunk !== ""));
+    }
+    return chunks.join("\n");
 }

package/dist/git.test.js

@@ -0,0 +1,24 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_test_1 = __importDefault(require("node:test"));
+const git_1 = require("./git");
+(0, node_test_1.default)("selectLocalBranchDiffChunks includes only selected change kinds", () => {
+    const combined = (0, git_1.selectLocalBranchDiffChunks)({
+        stagedDiff: "STAGED_DIFF",
+        unstagedDiff: "UNSTAGED_DIFF",
+        untrackedDiffs: ["UNTRACKED_ONE", "", "UNTRACKED_TWO"]
+    }, ["staged", "untracked"]);
+    strict_1.default.equal(combined, ["STAGED_DIFF", "UNTRACKED_ONE", "UNTRACKED_TWO"].join("\n"));
+});
+(0, node_test_1.default)("selectLocalBranchDiffChunks returns empty string for empty selection", () => {
+    const combined = (0, git_1.selectLocalBranchDiffChunks)({
+        stagedDiff: "STAGED_DIFF",
+        unstagedDiff: "UNSTAGED_DIFF",
+        untrackedDiffs: ["UNTRACKED_ONE"]
+    }, []);
+    strict_1.default.equal(combined, "");
+});

package/dist/init.js

@@ -87,6 +87,11 @@ function scaffoldConfig(force = false) {
         execution: {
             batch: false
         },
+        diff: {
+            file_kinds: ["staged", "unstaged", "untracked"],
+            include_globs: ["src/**"],
+            exclude_globs: []
+        },
         security: {
             secret_guard: true,
             allow_patterns: [],
@@ -95,6 +100,8 @@ function scaffoldConfig(force = false) {
         },
         rules: {
             disable: [],
+            include_globs: ["src/**/*.ts"],
+            exclude_globs: [],
             severity_overrides: {}
         },
         backends: {
@@ -108,6 +115,10 @@ function scaffoldConfig(force = false) {
     node_fs_1.default.writeFileSync(targetPath, `${JSON.stringify(scaffold, null, 2)}\n`, "utf8");
     process.stdout.write(picocolors_1.default.green(`Created ${targetPath}\n`));
     process.stdout.write(picocolors_1.default.cyan(`Backend setup: ${detected.backend} (${detected.reason})\n`));
+    process.stderr.write(`${picocolors_1.default.bgRed(picocolors_1.default.white(picocolors_1.default.bold(" SECURITY WARNING ")))}
+${picocolors_1.default.red("Semlint can only filter and scan diff content before invoking your backend. You must configure ignore files and security settings for your repository.")}
+${picocolors_1.default.red("During backend execution, security is handled by your agent/backend native configuration.")}
+${picocolors_1.default.yellow("Review semlint.json security.*, ignore files, and backend/org security settings before use.\n")}`);
     const rulesDir = node_path_1.default.join(process.cwd(), ".semlint", "rules");
     if (!node_fs_1.default.existsSync(rulesDir)) {
         node_fs_1.default.mkdirSync(rulesDir, { recursive: true });

package/dist/main.js

@@ -7,6 +7,8 @@ exports.runSemlint = runSemlint;
 const picocolors_1 = __importDefault(require("picocolors"));
 const nanospinner_1 = require("nanospinner");
 const node_path_1 = __importDefault(require("node:path"));
+const promises_1 = __importDefault(require("node:readline/promises"));
+const node_process_1 = require("node:process");
 const package_json_1 = require("../package.json");
 const backend_1 = require("./backend");
 const config_1 = require("./config");
@@ -30,6 +32,64 @@ async function timedAsync(enabled, label, action) {
     (0, utils_1.debugLog)(enabled, `${label} in ${Date.now() - startedAt}ms`);
     return result;
 }
+function formatFileList(title, files) {
+    if (files.length === 0) {
+        return `${title} (0):\n  (none)\n`;
+    }
+    return `${title} (${files.length}):\n${files.map((file) => `  - ${file}`).join("\n")}\n`;
+}
+async function confirmDiffPreview(includedFiles, excludedFiles, autoAccept) {
+    const boxWidth = 80;
+    const boxBorder = picocolors_1.default.dim(`+${"-".repeat(boxWidth - 2)}+`);
+    // INFO : https://patorjk.com/software/taag/#p=display&f=Terrace&t=Semlint&x=none&v=4&h=4&w=80&we=false
+    const semlintAscii = [
+        "  ░██████                              ░██ ░██              ░██    ",
+        " ░██   ░██                             ░██                  ░██    ",
+        "░██          ░███████  ░█████████████  ░██ ░██░████████  ░████████ ",
+        " ░████████  ░██    ░██ ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        "        ░██ ░█████████ ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        " ░██   ░██  ░██        ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        "  ░██████    ░███████  ░██   ░██   ░██ ░██ ░██░██    ░██     ░████ ",
+        "                                                                   ",
+        "                                                                   "
+    ];
+    const boxLine = (text = "", style = (value) => value) => {
+        const visibleText = text.length > boxWidth - 4 ? `${text.slice(0, boxWidth - 7)}...` : text;
+        const padded = visibleText.padEnd(boxWidth - 4, " ");
+        return `${picocolors_1.default.dim("|")} ${style(padded)} ${picocolors_1.default.dim("|")}\n`;
+    };
+    process.stdout.write("\n");
+    process.stdout.write(`${picocolors_1.default.cyan(semlintAscii.join("\n"))}\n\n`);
+    process.stdout.write(`${picocolors_1.default.dim(`Semlint v${package_json_1.version} (alpha) - Use at your own risk.`)}\n`);
+    process.stdout.write(`${boxBorder}\n`);
+    process.stdout.write(boxLine("Diff preview", (value) => picocolors_1.default.bold(value)));
+    process.stdout.write(boxLine("Review which files are included before sending this diff to your agent.", picocolors_1.default.dim));
+    process.stdout.write(boxLine());
+    process.stdout.write(boxLine("! Security warning", (value) => picocolors_1.default.red(picocolors_1.default.bold(value))));
+    process.stdout.write(boxLine("Run `semlint-cli security` to review security guidance.", picocolors_1.default.dim));
+    process.stdout.write(`${boxBorder}\n\n`);
+    process.stdout.write(formatFileList(picocolors_1.default.bold("Included files"), includedFiles));
+    process.stdout.write("\n");
+    process.stdout.write(formatFileList(picocolors_1.default.bold("Excluded files"), excludedFiles));
+    process.stdout.write("\n");
+    if (autoAccept) {
+        process.stdout.write(picocolors_1.default.dim("Auto-accepted with --yes.\n\n"));
+        return true;
+    }
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        process.stderr.write(picocolors_1.default.red("Diff confirmation is required by default. Re-run with --yes (-y) to auto-accept in non-interactive environments.\n"));
+        return false;
+    }
+    const rl = promises_1.default.createInterface({ input: node_process_1.stdin, output: node_process_1.stdout });
+    try {
+        const answer = await rl.question(picocolors_1.default.yellow("Proceed with Semlint analysis? [y/N] "));
+        const normalized = answer.trim().toLowerCase();
+        return normalized === "y" || normalized === "yes";
+    }
+    finally {
+        rl.close();
+    }
+}
 async function runSemlint(options) {
     const startedAt = Date.now();
     let spinner = null;
@@ -43,8 +103,10 @@ async function runSemlint(options) {
         const repoRoot = await timedAsync(config.debug, "Resolved git repo root", () => (0, git_1.getRepoRoot)());
         const scanRoot = repoRoot ?? process.cwd();
         (0, utils_1.debugLog)(config.debug, `Using diff/ignore scan root: ${scanRoot}`);
-        const rawDiff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)() : (0, git_1.getGitDiff)(config.base, config.head));
-        const { filteredDiff: diff, excludedFiles } = timed(config.debug, "Filtered diff by ignore rules", () => (0, secrets_1.filterDiffByIgnoreRules)(rawDiff, scanRoot, config.security.ignoreFiles));
+        const rawDiff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)(config.diff.fileKinds) : (0, git_1.getGitDiff)(config.base, config.head));
+        const { filteredDiff: globFilteredDiff, excludedFiles: globExcludedFiles } = timed(config.debug, "Filtered diff by configured include/exclude globs", () => (0, filter_1.filterDiffByPathGlobs)(rawDiff, config.diff.includeGlobs, config.diff.excludeGlobs));
+        const { filteredDiff: diff, excludedFiles: ignoreExcludedFiles } = timed(config.debug, "Filtered diff by ignore rules", () => (0, secrets_1.filterDiffByIgnoreRules)(globFilteredDiff, scanRoot, config.security.ignoreFiles));
+        const excludedFiles = Array.from(new Set([...globExcludedFiles, ...ignoreExcludedFiles])).sort((a, b) => a.localeCompare(b));
         if (excludedFiles.length > 0) {
             (0, utils_1.debugLog)(config.debug, `Excluded ${excludedFiles.length} file(s) by ignore/security rules: ${excludedFiles.join(", ")}`);
         }
@@ -52,7 +114,7 @@ async function runSemlint(options) {
             const findings = timed(config.debug, "Scanned diff for secrets", () => (0, secrets_1.scanDiffForSecrets)(diff, config.security.allowPatterns, config.security.allowFiles));
             if (findings.length > 0) {
                 process.stderr.write(picocolors_1.default.red("Secret guard blocked analysis: potential secrets were detected in the diff. Nothing was sent to the backend.\n"));
-                process.stderr.write("Allow a known-safe file by adding a glob to security.allow_files in semlint.json (example: \"allow_files\": [\"src/test2.ts\"]).\n");
+                process.stderr.write("Allow a known-safe file by adding a glob to security.allow_files in semlint.json (example: \"allow_files\": [\"src/my-sensitive-file.ts\"]).\n");
                 findings.slice(0, 20).forEach((finding) => {
                     process.stderr.write(`  ${finding.file}:${finding.line}  ${finding.kind}  sample=${finding.redactedSample}\n`);
                 });
@@ -63,6 +125,11 @@ async function runSemlint(options) {
             }
         }
         const changedFiles = timed(config.debug, "Parsed changed files from diff", () => (0, filter_1.extractChangedFilesFromDiff)(diff));
+        const confirmed = await timedAsync(config.debug, "User confirmation", () => confirmDiffPreview(changedFiles, excludedFiles, options.autoAccept));
+        if (!confirmed) {
+            process.stderr.write("Aborted by user.\n");
+            return 2;
+        }
         (0, utils_1.debugLog)(config.debug, useLocalBranchDiff
             ? "Using local branch diff (staged + unstaged + untracked only)"
             : `Using explicit ref diff (${config.base}..${config.head})`);
@@ -70,7 +137,7 @@ async function runSemlint(options) {
         const backend = timed(config.debug, "Initialized backend runner", () => (0, backend_1.createBackendRunner)(config));
         const runnableRules = rules.filter((rule) => {
             const filterStartedAt = Date.now();
-            const shouldRun = (0, filter_1.shouldRunRule)(rule, changedFiles, diff);
+            const shouldRun = (0, filter_1.shouldRunRule)(rule, changedFiles, diff, config.rulesIncludeGlobs, config.rulesExcludeGlobs);
             (0, utils_1.debugLog)(config.debug, `Rule ${rule.id}: filter check in ${Date.now() - filterStartedAt}ms`);
             if (!shouldRun) {
                 (0, utils_1.debugLog)(config.debug, `Skipping rule ${rule.id}: filters did not match`);

package/dist/rules.js

@@ -13,7 +13,7 @@ function assertNonEmptyString(value, fieldName, filePath) {
     }
     return value;
 }
-function assertStringArray(value, fieldName, filePath) {
+function assert_string_array(value, fieldName, filePath) {
     if (value === undefined) {
         return undefined;
     }
@@ -36,9 +36,9 @@ function validateRuleObject(raw, filePath) {
         title: assertNonEmptyString(obj.title, "title", filePath),
         severity_default: severity,
         prompt: assertNonEmptyString(obj.prompt, "prompt", filePath),
-        include_globs: assertStringArray(obj.include_globs, "include_globs", filePath),
-        exclude_globs: assertStringArray(obj.exclude_globs, "exclude_globs", filePath),
-        diff_regex: assertStringArray(obj.diff_regex, "diff_regex", filePath)
+        include_globs: assert_string_array(obj.include_globs, "include_globs", filePath),
+        exclude_globs: assert_string_array(obj.exclude_globs, "exclude_globs", filePath),
+        diff_regex: assert_string_array(obj.diff_regex, "diff_regex", filePath)
     };
 }
 function loadRules(rulesDir, disabledRuleIds, severityOverrides) {

package/dist/secrets.js

@@ -7,18 +7,21 @@ exports.filterDiffByIgnoreRules = filterDiffByIgnoreRules;
 exports.scanDiffForSecrets = scanDiffForSecrets;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
+const ignore_1 = __importDefault(require("ignore"));
 const picomatch_1 = __importDefault(require("picomatch"));
 const diff_1 = require("./diff");
 const BUILTIN_SENSITIVE_GLOBS = [
     ".env",
+    "*.env",
     ".env.*",
+    "*.env.*",
     "*.pem",
     "*.key",
     "id_rsa",
     "id_rsa.*",
-    "**/secrets/**",
-    "**/credentials/**",
-    "**/*credentials*.json"
+    "secrets/",
+    "credentials/",
+    "*credentials*.json"
 ];
 const SECRET_KEYWORDS = [
     "password",
@@ -68,6 +71,10 @@ function readIgnorePatterns(cwd, ignoreFiles) {
             .filter((line) => line !== "" && !line.startsWith("#"));
     });
 }
+function createIgnoreMatcher(patterns) {
+    const matcher = (0, ignore_1.default)().add(patterns);
+    return (filePath) => matcher.ignores(filePath);
+}
 function redactSample(sample) {
     const compact = sample.trim();
     if (compact.length <= 6) {
@@ -86,8 +93,9 @@ function parseAllowMatchers(patterns) {
     });
 }
 function filterDiffByIgnoreRules(diff, cwd, ignoreFiles) {
-    const ignorePatterns = [...readIgnorePatterns(cwd, ignoreFiles), ...BUILTIN_SENSITIVE_GLOBS];
-    const ignoreMatcher = (0, picomatch_1.default)(ignorePatterns, { dot: true });
+    // Keep built-ins first so repo-specific negation patterns can carve out safe exceptions.
+    const ignorePatterns = [...BUILTIN_SENSITIVE_GLOBS, ...readIgnorePatterns(cwd, ignoreFiles)];
+    const ignoreMatcher = createIgnoreMatcher(ignorePatterns);
     const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
     const excludedFiles = chunks
         .filter((chunk) => chunk.file !== "" && ignoreMatcher(chunk.file))

package/dist/secrets.test.js

@@ -81,3 +81,77 @@ const secrets_1 = require("./secrets");
     const findings = (0, secrets_1.scanDiffForSecrets)(diff, [], ["src/test2.ts"]);
     strict_1.default.equal(findings.length, 0);
 });
+(0, node_test_1.default)("filterDiffByIgnoreRules matches basename ignores in nested paths", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-basename-"));
+    try {
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".semlintignore"), ".env\n*.env\n", "utf8");
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=abc",
+            "diff --git a/src/safe.ts b/src/safe.ts",
+            "--- a/src/safe.ts",
+            "+++ b/src/safe.ts",
+            "@@ -0,0 +1 @@",
+            "+const safe = true;"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/safe\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});
+(0, node_test_1.default)("filterDiffByIgnoreRules supports gitignore negation patterns", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-negation-"));
+    try {
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".semlintignore"), "*.env\n!src/public.env\n", "utf8");
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=blocked",
+            "diff --git a/src/public.env b/src/public.env",
+            "--- a/src/public.env",
+            "+++ b/src/public.env",
+            "@@ -0,0 +1 @@",
+            "+SAFE=true"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/public\.env/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});
+(0, node_test_1.default)("filterDiffByIgnoreRules excludes *.env by builtin sensitive globs", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-builtin-env-"));
+    try {
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=blocked",
+            "diff --git a/src/safe.ts b/src/safe.ts",
+            "--- a/src/safe.ts",
+            "+++ b/src/safe.ts",
+            "@@ -0,0 +1 @@",
+            "+const safe = true;"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/safe\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});

package/dist/security.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.printSecurityGuide = printSecurityGuide;
+const picocolors_1 = __importDefault(require("picocolors"));
+const SECURITY_TEXT = [
+    picocolors_1.default.bold("Semlint security guide"),
+    "",
+    "Semlint applies security controls before backend execution:",
+    "- It filters diff paths using ignore files and built-in sensitive globs.",
+    "- It scans added lines for high-signal secret patterns.",
+    "- It blocks backend execution when potential secrets are found.",
+    "",
+    "Your responsibilities:",
+    "- Keep `.gitignore`, `.cursorignore`, `.semlintignore` (and configured `security.ignore_files`) up to date.",
+    "- Tune `security.allow_patterns` and `security.allow_files` only for known-safe cases.",
+    "- Review your agent native access and security policy.",
+    "",
+    "More details: README.md#security-responsibility-model"
+].join("\n");
+function printSecurityGuide() {
+    process.stdout.write(`${SECURITY_TEXT}\n`);
+    return 0;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semlint-cli",
-  "version": "0.1.7",
+  "version": "0.1.10",
   "description": "Semantic lint CLI — runs LLM-backed rules on your git diff and returns CI-friendly exit codes",
   "type": "commonjs",
   "main": "dist/main.js",
@@ -42,6 +42,7 @@
   },
   "packageManager": "pnpm@10.29.2",
   "dependencies": {
+    "ignore": "^7.0.5",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "picomatch": "^4.0.3"