semlint-cli 0.1.7 → 0.1.9

package/.semlint/rules/SEMLINT_COUPLING_004.json

@@ -0,0 +1,8 @@
+{
+  "id": "SEMLINT_COUPLING_004",
+  "title": "Check for unwanted hidden coupling",
+  "severity_default": "warn",
+  "include_globs": [],
+  "exclude_globs": [],
+  "prompt": "Flag any coupling that is not obvious at first glance. (hidden/implicit coupling, and forms of connascence)"
+}

package/.semlint/rules/SEMLINT_NAMING_001.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_NAMING_001",
   "title": "Ambient naming convention consistency",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(const|let|var|function|class|interface|type|enum)\\b",
-    "^[+-].*\\b[A-Za-z_][A-Za-z0-9_]*\\b"
-  ],
+  "include_globs": [],
+  "exclude_globs": [],
   "prompt": "Verify naming is consistent with the ambient naming conventions already used in surrounding code. Both in term of semantic and casing."
 }

package/.semlint/rules/SEMLINT_PATTERN_002.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_PATTERN_002",
   "title": "Ambient pattern is respected",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(async|await|Promise|try|catch|throw|switch|map|filter|reduce|forEach)\\b",
-    "^[+-].*\\b(import|export|class|interface|type|function|return)\\b"
-  ],
-  "prompt": "Check whether ambient implementation patterns are respected. Compare new or changed code against nearby established patterns. Flag clear regressions where the proposed change deviates from consistent local patterns without obvious justification."
+  "include_globs": [],
+  "exclude_globs": [],
+  "prompt": "Any change that breaks an established local pattern should be flagged by default. Consistency with adjacent implementations is the enforced invariant."
 }

package/.semlint/rules/SEMLINT_SWE_003.json

@@ -2,11 +2,7 @@
   "id": "SEMLINT_SWE_003",
   "title": "Obvious SWE mistakes",
   "severity_default": "warn",
-  "include_globs": ["src/**/*.ts"],
-  "exclude_globs": ["**/*.test.ts", "**/*.spec.ts"],
-  "diff_regex": [
-    "^[+-].*\\b(any|as\\s+any|TODO|FIXME|console\\.log|@ts-ignore|throw\\s+new\\s+Error|catch\\s*\\()\\b",
-    "^[+-].*\\b(if|else|switch|return|await|Promise|map|forEach|reduce)\\b"
-  ],
+  "include_globs": [],
+  "exclude_globs": [],
   "prompt": "Find obvious software-engineering mistakes in the proposed change that are likely unintended. Do not nitpick style or architecture unless the issue is clearly harmful. Report only high-signal findings."
 }

package/README.md

@@ -51,6 +51,7 @@ pnpm check
 - `--head <ref>`: head git ref for explicit ref-to-ref diff
 - `--fail-on <error|warn|never>`: failure threshold (default `error`)
 - `--batch`: run all selected rules in one backend call
+- `--yes` / `-y`: auto-accept diff file confirmation (useful for CI)
 - `--debug`: enable debug logs to stderr
 - `init --force`: overwrite an existing `semlint.json`
 
@@ -63,6 +64,9 @@ Default diff behavior (without `--base`/`--head`) uses your local branch state:
 
 If you pass `--base` or `--head`, Semlint uses explicit `git diff <base> <head>` mode.
 
+Before backend execution, Semlint shows the included and excluded diff files and asks for confirmation by default.
+Use `--yes` / `-y` to skip this prompt.
+
 ## Exit codes
 
 - `0`: no blocking diagnostics
@@ -228,6 +232,16 @@ Config:
 - `allow_files`: file glob allowlist to skip secret scanning for known-safe files (example: `["src/test-fixtures/**"]`)
 - `ignore_files`: ignore files Semlint reads for path-level filtering (default: `.gitignore`, `.cursorignore`, `.semlintignore`, `.cursoringore`)
 
+Ignore file patterns are evaluated with standard gitignore semantics (including basename matching and `!` negation).
+
+## Security responsibility model
+
+Security in Semlint is shared, and the repository owner remains responsible for secure setup:
+
+- **Diff-level (your responsibility):** carefully configure ignore files and Semlint security settings so sensitive files/content never enter the analyzed diff.
+- **Semlint guard (best-effort control):** Semlint filters diff paths and scans added lines, but this is not a complete prevention system.
+- **Agent/runtime level (handled by your backend tool):** after Semlint sends a prompt to your configured CLI, what the agent can do is controlled by the native agent/backend configuration.
+
 ## Prompt files
 
 Core system prompts are externalized under `prompts/` so prompt behavior is easy to inspect and iterate:

package/dist/cli.js

@@ -7,18 +7,22 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const picocolors_1 = __importDefault(require("picocolors"));
 const init_1 = require("./init");
 const main_1 = require("./main");
+const security_1 = require("./security");
 const HELP_TEXT = [
     "Usage:",
-    "  semlint check [--backend <name>] [--model <name>] [--config <path>] [--format <text|json>] [--base <ref>] [--head <ref>] [--fail-on <error|warn|never>] [--batch] [--debug]",
-    "  semlint init [--force]",
-    "  semlint --help",
+    " semlint-cli check [--backend <name>] [--model <name>] [--config <path>] [--format <text|json>] [--base <ref>] [--head <ref>] [--fail-on <error|warn|never>] [--batch] [--yes|-y] [--debug]",
+    " semlint-cli init [--force]",
+    " semlint-cli security",
+    " semlint-cli --help",
     "",
     "Commands:",
     "  check   Run semantic lint rules against your git diff",
     "  init    Create semlint.json, .semlint/rules/, and an example rule to edit",
+    "  security  Show security responsibility guidance",
     "",
     "Options:",
-    "  -h, --help   Show this help text"
+    "  -h, --help   Show this help text",
+    "  -y, --yes    Auto-accept diff file confirmation"
 ].join("\n");
 class HelpRequestedError extends Error {
     constructor() {
@@ -45,7 +49,7 @@ function parseArgs(argv) {
         throw new HelpRequestedError();
     }
     const [command, ...rest] = argv;
-    if (!command || (command !== "check" && command !== "init")) {
+    if (!command || (command !== "check" && command !== "init" && command !== "security")) {
         throw new Error(HELP_TEXT);
     }
     if (command === "init") {
@@ -62,12 +66,25 @@ function parseArgs(argv) {
         }
         return options;
     }
+    if (command === "security") {
+        if (rest.length > 0) {
+            throw new Error(`Unknown flag for security: ${rest[0]}`);
+        }
+        return {
+            command: "security",
+            debug: false
+        };
+    }
     const options = {
         command: "check",
         debug: false
     };
     for (let i = 0; i < rest.length; i += 1) {
         const token = rest[i];
+        if (token === "--yes" || token === "-y") {
+            options.autoAccept = true;
+            continue;
+        }
         if (token === "--debug") {
             options.debug = true;
             continue;
@@ -121,7 +138,11 @@ function parseArgs(argv) {
 async function main() {
     try {
         const options = parseArgs(process.argv.slice(2));
-        const exitCode = options.command === "init" ? (0, init_1.scaffoldConfig)(options.force) : await (0, main_1.runSemlint)(options);
+        const exitCode = options.command === "init"
+            ? (0, init_1.scaffoldConfig)(options.force)
+            : options.command === "security"
+                ? (0, security_1.printSecurityGuide)()
+                : await (0, main_1.runSemlint)(options);
         process.exitCode = exitCode;
     }
     catch (error) {

package/dist/config.js

@@ -20,6 +20,8 @@ const DEFAULTS = {
     batchMode: false,
     rulesDisable: [],
     severityOverrides: {},
+    rulesIncludeGlobs: [],
+    rulesExcludeGlobs: [],
     backendConfigs: {},
     security: {
         secretGuard: true,
@@ -132,6 +134,18 @@ function sanitizeAllowFiles(value) {
         return trimmed === "" ? [] : [trimmed];
     });
 }
+function sanitizeGlobList(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const trimmed = candidate.trim();
+        return trimmed === "" ? [] : [trimmed];
+    });
+}
 function ensureSelectedBackendIsConfigured(backend, backendConfigs) {
     if (!(backend in backendConfigs)) {
         throw new Error(`Backend "${backend}" is not configured. Add it under backends.${backend} with executable and args (including "{prompt}") in semlint.json.`);
@@ -164,6 +178,8 @@ function loadEffectiveConfig(options) {
             ? fileConfig.rules?.disable.filter((item) => typeof item === "string")
             : DEFAULTS.rulesDisable,
         severityOverrides: sanitizeSeverityOverrides((fileConfig.rules?.severity_overrides ?? undefined)),
+        rulesIncludeGlobs: sanitizeGlobList(fileConfig.rules?.include_globs),
+        rulesExcludeGlobs: sanitizeGlobList(fileConfig.rules?.exclude_globs),
         backendConfigs,
         security: {
             secretGuard: typeof fileConfig.security?.secret_guard === "boolean"

package/dist/dispatch.js

@@ -24,7 +24,7 @@ async function runBatchDispatch(input) {
     let backendErrors = 0;
     (0, utils_1.debugLog)(config.debug, `Running ${rules.length} rule(s) in batch mode`);
     const combinedDiff = rules
-        .map((rule) => (0, filter_1.buildScopedDiff)(rule, diff, changedFiles))
+        .map((rule) => (0, filter_1.buildScopedDiff)(rule, diff, changedFiles, config.rulesIncludeGlobs, config.rulesExcludeGlobs))
         .filter((chunk) => chunk.trim() !== "")
         .join("\n");
     const batchPrompt = buildBatchPrompt(rules, combinedDiff || diff);
@@ -68,7 +68,7 @@ async function runParallelDispatch(input) {
     const runResults = await Promise.all(rules.map(async (rule) => {
         const ruleStartedAt = Date.now();
         (0, utils_1.debugLog)(config.debug, `Rule ${rule.id}: started`);
-        const scopedDiff = (0, filter_1.buildScopedDiff)(rule, diff, changedFiles);
+        const scopedDiff = (0, filter_1.buildScopedDiff)(rule, diff, changedFiles, config.rulesIncludeGlobs, config.rulesExcludeGlobs);
         const prompt = (0, filter_1.buildRulePrompt)(rule, scopedDiff);
         try {
             const result = await backend.runRule({

package/dist/filter.js

@@ -43,10 +43,18 @@ function matchesAnyRegex(diff, regexes) {
     }
     return false;
 }
-function getRuleCandidateFiles(rule, changedFiles) {
+function resolveRuleGlobs(ruleGlobs, globalGlobs) {
+    if (ruleGlobs === undefined) {
+        return globalGlobs;
+    }
+    return ruleGlobs;
+}
+function getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs = [], globalExcludeGlobs = []) {
     let fileCandidates = changedFiles;
-    const includeMatcher = rule.include_globs && rule.include_globs.length > 0 ? (0, picomatch_1.default)(rule.include_globs) : null;
-    const excludeMatcher = rule.exclude_globs && rule.exclude_globs.length > 0 ? (0, picomatch_1.default)(rule.exclude_globs) : null;
+    const effectiveIncludeGlobs = resolveRuleGlobs(rule.include_globs, globalIncludeGlobs);
+    const effectiveExcludeGlobs = resolveRuleGlobs(rule.exclude_globs, globalExcludeGlobs);
+    const includeMatcher = effectiveIncludeGlobs.length > 0 ? (0, picomatch_1.default)(effectiveIncludeGlobs) : null;
+    const excludeMatcher = effectiveExcludeGlobs.length > 0 ? (0, picomatch_1.default)(effectiveExcludeGlobs) : null;
     if (includeMatcher) {
         fileCandidates = changedFiles.filter((filePath) => includeMatcher(filePath));
         if (fileCandidates.length === 0) {
@@ -58,8 +66,8 @@ function getRuleCandidateFiles(rule, changedFiles) {
     }
     return fileCandidates;
 }
-function shouldRunRule(rule, changedFiles, diff) {
-    const fileCandidates = getRuleCandidateFiles(rule, changedFiles);
+function shouldRunRule(rule, changedFiles, diff, globalIncludeGlobs = [], globalExcludeGlobs = []) {
+    const fileCandidates = getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs, globalExcludeGlobs);
     if (fileCandidates.length === 0) {
         return false;
     }
@@ -68,8 +76,8 @@ function shouldRunRule(rule, changedFiles, diff) {
     }
     return true;
 }
-function buildScopedDiff(rule, fullDiff, changedFiles) {
-    const candidateFiles = new Set(getRuleCandidateFiles(rule, changedFiles));
+function buildScopedDiff(rule, fullDiff, changedFiles, globalIncludeGlobs = [], globalExcludeGlobs = []) {
+    const candidateFiles = new Set(getRuleCandidateFiles(rule, changedFiles, globalIncludeGlobs, globalExcludeGlobs));
     if (candidateFiles.size === 0) {
         return fullDiff;
     }

package/dist/filter.test.js

@@ -0,0 +1,42 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_test_1 = __importDefault(require("node:test"));
+const filter_1 = require("./filter");
+function makeRule(overrides = {}) {
+    return {
+        id: "SEMLINT_TEST_001",
+        title: "Test rule",
+        severity_default: "warn",
+        prompt: "Test",
+        sourcePath: "/tmp/SEMLINT_TEST_001.json",
+        effectiveSeverity: "warn",
+        ...overrides
+    };
+}
+(0, node_test_1.default)("getRuleCandidateFiles inherits global include/exclude globs", () => {
+    const changedFiles = ["src/a.ts", "src/a.test.ts", "docs/readme.md"];
+    const rule = makeRule();
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], ["**/*.test.ts", "**/*.spec.ts"]);
+    strict_1.default.deepEqual(candidates, ["src/a.ts"]);
+});
+(0, node_test_1.default)("getRuleCandidateFiles lets empty rule globs disable global filters", () => {
+    const changedFiles = ["src/a.ts", "src/a.test.ts", "docs/readme.md"];
+    const rule = makeRule({
+        include_globs: [],
+        exclude_globs: []
+    });
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], ["**/*.test.ts", "**/*.spec.ts"]);
+    strict_1.default.deepEqual(candidates, changedFiles);
+});
+(0, node_test_1.default)("getRuleCandidateFiles uses explicit rule globs instead of globals", () => {
+    const changedFiles = ["src/a.ts", "docs/readme.md"];
+    const rule = makeRule({
+        include_globs: ["docs/**/*.md"]
+    });
+    const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], []);
+    strict_1.default.deepEqual(candidates, ["docs/readme.md"]);
+});

package/dist/init.js

@@ -95,6 +95,8 @@ function scaffoldConfig(force = false) {
         },
         rules: {
             disable: [],
+            include_globs: ["src/**/*.ts"],
+            exclude_globs: [],
             severity_overrides: {}
         },
         backends: {
@@ -108,6 +110,10 @@ function scaffoldConfig(force = false) {
     node_fs_1.default.writeFileSync(targetPath, `${JSON.stringify(scaffold, null, 2)}\n`, "utf8");
     process.stdout.write(picocolors_1.default.green(`Created ${targetPath}\n`));
     process.stdout.write(picocolors_1.default.cyan(`Backend setup: ${detected.backend} (${detected.reason})\n`));
+    process.stderr.write(`${picocolors_1.default.bgRed(picocolors_1.default.white(picocolors_1.default.bold(" SECURITY WARNING ")))}
+${picocolors_1.default.red("Semlint can only filter and scan diff content before invoking your backend. You must configure ignore files and security settings for your repository.")}
+${picocolors_1.default.red("During backend execution, security is handled by your agent/backend native configuration.")}
+${picocolors_1.default.yellow("Review semlint.json security.*, ignore files, and backend/org security settings before use.\n")}`);
     const rulesDir = node_path_1.default.join(process.cwd(), ".semlint", "rules");
     if (!node_fs_1.default.existsSync(rulesDir)) {
         node_fs_1.default.mkdirSync(rulesDir, { recursive: true });

package/dist/main.js

@@ -7,6 +7,8 @@ exports.runSemlint = runSemlint;
 const picocolors_1 = __importDefault(require("picocolors"));
 const nanospinner_1 = require("nanospinner");
 const node_path_1 = __importDefault(require("node:path"));
+const promises_1 = __importDefault(require("node:readline/promises"));
+const node_process_1 = require("node:process");
 const package_json_1 = require("../package.json");
 const backend_1 = require("./backend");
 const config_1 = require("./config");
@@ -30,6 +32,64 @@ async function timedAsync(enabled, label, action) {
     (0, utils_1.debugLog)(enabled, `${label} in ${Date.now() - startedAt}ms`);
     return result;
 }
+function formatFileList(title, files) {
+    if (files.length === 0) {
+        return `${title} (0):\n  (none)\n`;
+    }
+    return `${title} (${files.length}):\n${files.map((file) => `  - ${file}`).join("\n")}\n`;
+}
+async function confirmDiffPreview(includedFiles, excludedFiles, autoAccept) {
+    const boxWidth = 80;
+    const boxBorder = picocolors_1.default.dim(`+${"-".repeat(boxWidth - 2)}+`);
+    // INFO : https://patorjk.com/software/taag/#p=display&f=Terrace&t=Semlint&x=none&v=4&h=4&w=80&we=false
+    const semlintAscii = [
+        "  ░██████                              ░██ ░██              ░██    ",
+        " ░██   ░██                             ░██                  ░██    ",
+        "░██          ░███████  ░█████████████  ░██ ░██░████████  ░████████ ",
+        " ░████████  ░██    ░██ ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        "        ░██ ░█████████ ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        " ░██   ░██  ░██        ░██   ░██   ░██ ░██ ░██░██    ░██    ░██    ",
+        "  ░██████    ░███████  ░██   ░██   ░██ ░██ ░██░██    ░██     ░████ ",
+        "                                                                   ",
+        "                                                                   "
+    ];
+    const boxLine = (text = "", style = (value) => value) => {
+        const visibleText = text.length > boxWidth - 4 ? `${text.slice(0, boxWidth - 7)}...` : text;
+        const padded = visibleText.padEnd(boxWidth - 4, " ");
+        return `${picocolors_1.default.dim("|")} ${style(padded)} ${picocolors_1.default.dim("|")}\n`;
+    };
+    process.stdout.write("\n");
+    process.stdout.write(`${picocolors_1.default.cyan(semlintAscii.join("\n"))}\n\n`);
+    process.stdout.write(`${picocolors_1.default.dim(`Semlint v${package_json_1.version} (alpha) - Use at your own risk.`)}\n`);
+    process.stdout.write(`${boxBorder}\n`);
+    process.stdout.write(boxLine("Diff preview", (value) => picocolors_1.default.bold(value)));
+    process.stdout.write(boxLine("Review which files are included before sending this diff to your agent.", picocolors_1.default.dim));
+    process.stdout.write(boxLine());
+    process.stdout.write(boxLine("! Security warning", (value) => picocolors_1.default.red(picocolors_1.default.bold(value))));
+    process.stdout.write(boxLine("Run `semlint-cli security` to review security guidance.", picocolors_1.default.dim));
+    process.stdout.write(`${boxBorder}\n\n`);
+    process.stdout.write(formatFileList(picocolors_1.default.bold("Included files"), includedFiles));
+    process.stdout.write("\n");
+    process.stdout.write(formatFileList(picocolors_1.default.bold("Excluded files"), excludedFiles));
+    process.stdout.write("\n");
+    if (autoAccept) {
+        process.stdout.write(picocolors_1.default.dim("Auto-accepted with --yes.\n\n"));
+        return true;
+    }
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+        process.stderr.write(picocolors_1.default.red("Diff confirmation is required by default. Re-run with --yes (-y) to auto-accept in non-interactive environments.\n"));
+        return false;
+    }
+    const rl = promises_1.default.createInterface({ input: node_process_1.stdin, output: node_process_1.stdout });
+    try {
+        const answer = await rl.question(picocolors_1.default.yellow("Proceed with Semlint analysis? [y/N] "));
+        const normalized = answer.trim().toLowerCase();
+        return normalized === "y" || normalized === "yes";
+    }
+    finally {
+        rl.close();
+    }
+}
 async function runSemlint(options) {
     const startedAt = Date.now();
     let spinner = null;
@@ -52,7 +112,7 @@ async function runSemlint(options) {
             const findings = timed(config.debug, "Scanned diff for secrets", () => (0, secrets_1.scanDiffForSecrets)(diff, config.security.allowPatterns, config.security.allowFiles));
             if (findings.length > 0) {
                 process.stderr.write(picocolors_1.default.red("Secret guard blocked analysis: potential secrets were detected in the diff. Nothing was sent to the backend.\n"));
-                process.stderr.write("Allow a known-safe file by adding a glob to security.allow_files in semlint.json (example: \"allow_files\": [\"src/test2.ts\"]).\n");
+                process.stderr.write("Allow a known-safe file by adding a glob to security.allow_files in semlint.json (example: \"allow_files\": [\"src/my-sensitive-file.ts\"]).\n");
                 findings.slice(0, 20).forEach((finding) => {
                     process.stderr.write(`  ${finding.file}:${finding.line}  ${finding.kind}  sample=${finding.redactedSample}\n`);
                 });
@@ -63,6 +123,11 @@ async function runSemlint(options) {
             }
         }
         const changedFiles = timed(config.debug, "Parsed changed files from diff", () => (0, filter_1.extractChangedFilesFromDiff)(diff));
+        const confirmed = await timedAsync(config.debug, "User confirmation", () => confirmDiffPreview(changedFiles, excludedFiles, options.autoAccept));
+        if (!confirmed) {
+            process.stderr.write("Aborted by user.\n");
+            return 2;
+        }
         (0, utils_1.debugLog)(config.debug, useLocalBranchDiff
             ? "Using local branch diff (staged + unstaged + untracked only)"
             : `Using explicit ref diff (${config.base}..${config.head})`);
@@ -70,7 +135,7 @@ async function runSemlint(options) {
         const backend = timed(config.debug, "Initialized backend runner", () => (0, backend_1.createBackendRunner)(config));
         const runnableRules = rules.filter((rule) => {
             const filterStartedAt = Date.now();
-            const shouldRun = (0, filter_1.shouldRunRule)(rule, changedFiles, diff);
+            const shouldRun = (0, filter_1.shouldRunRule)(rule, changedFiles, diff, config.rulesIncludeGlobs, config.rulesExcludeGlobs);
             (0, utils_1.debugLog)(config.debug, `Rule ${rule.id}: filter check in ${Date.now() - filterStartedAt}ms`);
             if (!shouldRun) {
                 (0, utils_1.debugLog)(config.debug, `Skipping rule ${rule.id}: filters did not match`);

package/dist/secrets.js

@@ -7,18 +7,21 @@ exports.filterDiffByIgnoreRules = filterDiffByIgnoreRules;
 exports.scanDiffForSecrets = scanDiffForSecrets;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
+const ignore_1 = __importDefault(require("ignore"));
 const picomatch_1 = __importDefault(require("picomatch"));
 const diff_1 = require("./diff");
 const BUILTIN_SENSITIVE_GLOBS = [
     ".env",
+    "*.env",
     ".env.*",
+    "*.env.*",
     "*.pem",
     "*.key",
     "id_rsa",
     "id_rsa.*",
-    "**/secrets/**",
-    "**/credentials/**",
-    "**/*credentials*.json"
+    "secrets/",
+    "credentials/",
+    "*credentials*.json"
 ];
 const SECRET_KEYWORDS = [
     "password",
@@ -68,6 +71,10 @@ function readIgnorePatterns(cwd, ignoreFiles) {
             .filter((line) => line !== "" && !line.startsWith("#"));
     });
 }
+function createIgnoreMatcher(patterns) {
+    const matcher = (0, ignore_1.default)().add(patterns);
+    return (filePath) => matcher.ignores(filePath);
+}
 function redactSample(sample) {
     const compact = sample.trim();
     if (compact.length <= 6) {
@@ -87,7 +94,7 @@ function parseAllowMatchers(patterns) {
 }
 function filterDiffByIgnoreRules(diff, cwd, ignoreFiles) {
     const ignorePatterns = [...readIgnorePatterns(cwd, ignoreFiles), ...BUILTIN_SENSITIVE_GLOBS];
-    const ignoreMatcher = (0, picomatch_1.default)(ignorePatterns, { dot: true });
+    const ignoreMatcher = createIgnoreMatcher(ignorePatterns);
     const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
     const excludedFiles = chunks
         .filter((chunk) => chunk.file !== "" && ignoreMatcher(chunk.file))

package/dist/secrets.test.js

@@ -81,3 +81,77 @@ const secrets_1 = require("./secrets");
     const findings = (0, secrets_1.scanDiffForSecrets)(diff, [], ["src/test2.ts"]);
     strict_1.default.equal(findings.length, 0);
 });
+(0, node_test_1.default)("filterDiffByIgnoreRules matches basename ignores in nested paths", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-basename-"));
+    try {
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".semlintignore"), ".env\n*.env\n", "utf8");
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=abc",
+            "diff --git a/src/safe.ts b/src/safe.ts",
+            "--- a/src/safe.ts",
+            "+++ b/src/safe.ts",
+            "@@ -0,0 +1 @@",
+            "+const safe = true;"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/safe\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});
+(0, node_test_1.default)("filterDiffByIgnoreRules supports gitignore negation patterns", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-negation-"));
+    try {
+        node_fs_1.default.writeFileSync(node_path_1.default.join(cwd, ".semlintignore"), "*.env\n!src/public.env\n", "utf8");
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=blocked",
+            "diff --git a/src/public.env b/src/public.env",
+            "--- a/src/public.env",
+            "+++ b/src/public.env",
+            "@@ -0,0 +1 @@",
+            "+SAFE=true"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/public\.env/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});
+(0, node_test_1.default)("filterDiffByIgnoreRules excludes *.env by builtin sensitive globs", () => {
+    const cwd = node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "semlint-ignore-builtin-env-"));
+    try {
+        const diff = [
+            "diff --git a/src/secret.env b/src/secret.env",
+            "--- a/src/secret.env",
+            "+++ b/src/secret.env",
+            "@@ -0,0 +1 @@",
+            "+API_KEY=blocked",
+            "diff --git a/src/safe.ts b/src/safe.ts",
+            "--- a/src/safe.ts",
+            "+++ b/src/safe.ts",
+            "@@ -0,0 +1 @@",
+            "+const safe = true;"
+        ].join("\n");
+        const result = (0, secrets_1.filterDiffByIgnoreRules)(diff, cwd, [".semlintignore"]);
+        strict_1.default.deepEqual(result.excludedFiles, ["src/secret.env"]);
+        strict_1.default.match(result.filteredDiff, /src\/safe\.ts/);
+        strict_1.default.doesNotMatch(result.filteredDiff, /src\/secret\.env/);
+    }
+    finally {
+        node_fs_1.default.rmSync(cwd, { recursive: true, force: true });
+    }
+});

package/dist/security.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.printSecurityGuide = printSecurityGuide;
+const picocolors_1 = __importDefault(require("picocolors"));
+const SECURITY_TEXT = [
+    picocolors_1.default.bold("Semlint security guide"),
+    "",
+    "Semlint applies security controls before backend execution:",
+    "- It filters diff paths using ignore files and built-in sensitive globs.",
+    "- It scans added lines for high-signal secret patterns.",
+    "- It blocks backend execution when potential secrets are found.",
+    "",
+    "Your responsibilities:",
+    "- Keep `.gitignore`, `.cursorignore`, `.semlintignore` (and configured `security.ignore_files`) up to date.",
+    "- Tune `security.allow_patterns` and `security.allow_files` only for known-safe cases.",
+    "- Review your agent native access and security policy.",
+    "",
+    "More details: README.md#security-responsibility-model"
+].join("\n");
+function printSecurityGuide() {
+    process.stdout.write(`${SECURITY_TEXT}\n`);
+    return 0;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semlint-cli",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Semantic lint CLI — runs LLM-backed rules on your git diff and returns CI-friendly exit codes",
   "type": "commonjs",
   "main": "dist/main.js",
@@ -42,6 +42,7 @@
   },
   "packageManager": "pnpm@10.29.2",
   "dependencies": {
+    "ignore": "^7.0.5",
     "nanospinner": "^1.2.2",
     "picocolors": "^1.1.1",
     "picomatch": "^4.0.3"