semlint-cli 0.1.9 → 0.1.10

package/README.md

@@ -57,7 +57,6 @@ pnpm check
 
 Default diff behavior (without `--base`/`--head`) uses your local branch state:
 
-- tracked changes across commits since merge-base,
 - staged changes,
 - unstaged changes,
 - untracked files.
@@ -67,6 +66,8 @@ If you pass `--base` or `--head`, Semlint uses explicit `git diff <base> <head>`
 Before backend execution, Semlint shows the included and excluded diff files and asks for confirmation by default.
 Use `--yes` / `-y` to skip this prompt.
 
+You can configure local diff selection and path filtering via `diff.file_kinds`, `diff.include_globs`, and `diff.exclude_globs` in `semlint.json`.
+
 ## Exit codes
 
 - `0`: no blocking diagnostics
@@ -96,6 +97,11 @@ Unknown fields are ignored.
   "execution": {
     "batch": false
   },
+  "diff": {
+    "file_kinds": ["staged", "unstaged", "untracked"],
+    "include_globs": [],
+    "exclude_globs": []
+  },
   "security": {
     "secret_guard": true,
     "allow_patterns": [],
@@ -118,6 +124,26 @@ Unknown fields are ignored.
 }
 ```
 
+## Diff management
+
+Use the `diff` section to control which local change kinds and file paths are included:
+
+```json
+{
+  "diff": {
+    "file_kinds": ["staged", "unstaged", "untracked"],
+    "include_globs": ["src/**/*.ts"],
+    "exclude_globs": ["**/*.test.ts"]
+  }
+}
+```
+
+- `file_kinds`: local diff sources included by default (`staged`, `unstaged`, `untracked`)
+- `include_globs`: optional allowlist of changed files to keep
+- `exclude_globs`: optional denylist applied after include globs (exclude wins)
+
+`diff.*` settings are applied before security ignore filtering and secret scanning.
+
 ## Config scaffolding and auto-detection
 
 Run:

package/dist/config.js

@@ -8,6 +8,7 @@ exports.loadEffectiveConfig = loadEffectiveConfig;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const utils_1 = require("./utils");
+const VALID_DIFF_FILE_KINDS = new Set(["staged", "unstaged", "untracked"]);
 const DEFAULTS = {
     backend: "cursor-cli",
     model: "auto",
@@ -18,6 +19,11 @@ const DEFAULTS = {
     head: "HEAD",
     debug: false,
     batchMode: false,
+    diff: {
+        fileKinds: ["staged", "unstaged", "untracked"],
+        includeGlobs: [],
+        excludeGlobs: []
+    },
     rulesDisable: [],
     severityOverrides: {},
     rulesIncludeGlobs: [],
@@ -146,6 +152,18 @@ function sanitizeGlobList(value) {
         return trimmed === "" ? [] : [trimmed];
     });
 }
+function sanitizeDiffFileKinds(value) {
+    if (!Array.isArray(value)) {
+        return [...DEFAULTS.diff.fileKinds];
+    }
+    return value.flatMap((candidate) => {
+        if (typeof candidate !== "string") {
+            return [];
+        }
+        const normalized = candidate.trim();
+        return VALID_DIFF_FILE_KINDS.has(normalized) ? [normalized] : [];
+    });
+}
 function ensureSelectedBackendIsConfigured(backend, backendConfigs) {
     if (!(backend in backendConfigs)) {
         throw new Error(`Backend "${backend}" is not configured. Add it under backends.${backend} with executable and args (including "{prompt}") in semlint.json.`);
@@ -174,6 +192,11 @@ function loadEffectiveConfig(options) {
             (typeof fileConfig.execution?.batch === "boolean"
                 ? fileConfig.execution.batch
                 : DEFAULTS.batchMode),
+        diff: {
+            fileKinds: sanitizeDiffFileKinds(fileConfig.diff?.file_kinds),
+            includeGlobs: sanitizeGlobList(fileConfig.diff?.include_globs),
+            excludeGlobs: sanitizeGlobList(fileConfig.diff?.exclude_globs)
+        },
         rulesDisable: Array.isArray(fileConfig.rules?.disable)
             ? fileConfig.rules?.disable.filter((item) => typeof item === "string")
             : DEFAULTS.rulesDisable,

package/dist/filter.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.extractChangedFilesFromDiff = extractChangedFilesFromDiff;
+exports.filterDiffByPathGlobs = filterDiffByPathGlobs;
 exports.getRuleCandidateFiles = getRuleCandidateFiles;
 exports.shouldRunRule = shouldRunRule;
 exports.buildScopedDiff = buildScopedDiff;
@@ -29,6 +30,31 @@ function extractChangedFilesFromDiff(diff) {
     }
     return Array.from(files);
 }
+function filterDiffByPathGlobs(diff, includeGlobs = [], excludeGlobs = []) {
+    const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
+    const includeMatcher = includeGlobs.length > 0 ? (0, picomatch_1.default)(includeGlobs) : null;
+    const excludeMatcher = excludeGlobs.length > 0 ? (0, picomatch_1.default)(excludeGlobs) : null;
+    const excludedFiles = [];
+    const filteredDiff = chunks
+        .filter((chunk) => {
+        if (chunk.file === "") {
+            return true;
+        }
+        const included = includeMatcher ? includeMatcher(chunk.file) : true;
+        const excluded = excludeMatcher ? excludeMatcher(chunk.file) : false;
+        const keep = included && !excluded;
+        if (!keep) {
+            excludedFiles.push(chunk.file);
+        }
+        return keep;
+    })
+        .map((chunk) => chunk.chunk)
+        .join("\n");
+    return {
+        filteredDiff,
+        excludedFiles: Array.from(new Set(excludedFiles)).sort((a, b) => a.localeCompare(b))
+    };
+}
 function matchesAnyRegex(diff, regexes) {
     for (const candidate of regexes) {
         try {

package/dist/filter.test.js

@@ -40,3 +40,45 @@ function makeRule(overrides = {}) {
     const candidates = (0, filter_1.getRuleCandidateFiles)(rule, changedFiles, ["src/**/*.ts"], []);
     strict_1.default.deepEqual(candidates, ["docs/readme.md"]);
 });
+(0, node_test_1.default)("filterDiffByPathGlobs applies include and exclude globs", () => {
+    const diff = [
+        "diff --git a/src/a.ts b/src/a.ts",
+        "--- a/src/a.ts",
+        "+++ b/src/a.ts",
+        "@@ -0,0 +1 @@",
+        "+const a = 1;",
+        "diff --git a/src/a.test.ts b/src/a.test.ts",
+        "--- a/src/a.test.ts",
+        "+++ b/src/a.test.ts",
+        "@@ -0,0 +1 @@",
+        "+const test = 1;",
+        "diff --git a/docs/readme.md b/docs/readme.md",
+        "--- a/docs/readme.md",
+        "+++ b/docs/readme.md",
+        "@@ -0,0 +1 @@",
+        "+# docs"
+    ].join("\n");
+    const result = (0, filter_1.filterDiffByPathGlobs)(diff, ["src/**/*.ts"], ["**/*.test.ts"]);
+    strict_1.default.match(result.filteredDiff, /src\/a\.ts/);
+    strict_1.default.doesNotMatch(result.filteredDiff, /src\/a\.test\.ts/);
+    strict_1.default.doesNotMatch(result.filteredDiff, /docs\/readme\.md/);
+    strict_1.default.deepEqual(result.excludedFiles, ["docs/readme.md", "src/a.test.ts"]);
+});
+(0, node_test_1.default)("filterDiffByPathGlobs keeps all files when include/exclude are empty", () => {
+    const diff = [
+        "diff --git a/src/a.ts b/src/a.ts",
+        "--- a/src/a.ts",
+        "+++ b/src/a.ts",
+        "@@ -0,0 +1 @@",
+        "+const a = 1;",
+        "diff --git a/docs/readme.md b/docs/readme.md",
+        "--- a/docs/readme.md",
+        "+++ b/docs/readme.md",
+        "@@ -0,0 +1 @@",
+        "+# docs"
+    ].join("\n");
+    const result = (0, filter_1.filterDiffByPathGlobs)(diff, [], []);
+    strict_1.default.match(result.filteredDiff, /src\/a\.ts/);
+    strict_1.default.match(result.filteredDiff, /docs\/readme\.md/);
+    strict_1.default.deepEqual(result.excludedFiles, []);
+});

package/dist/git.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getGitDiff = getGitDiff;
 exports.getRepoRoot = getRepoRoot;
 exports.getLocalBranchDiff = getLocalBranchDiff;
+exports.selectLocalBranchDiffChunks = selectLocalBranchDiffChunks;
 const node_child_process_1 = require("node:child_process");
 const node_os_1 = require("node:os");
 function runGitCommand(args, okExitCodes = [0]) {
@@ -69,18 +70,42 @@ async function getNoIndexDiffForFile(filePath) {
  * - Untracked files (as full-file diffs)
  * Does not include already-committed changes on the branch.
  */
-async function getLocalBranchDiff() {
-    const stagedResult = await runGitCommand(["diff", "--cached"]);
-    const unstagedResult = await runGitCommand(["diff"]);
-    const untrackedFiles = await getUntrackedFiles();
-    const untrackedDiffChunks = [];
-    for (const filePath of untrackedFiles) {
-        const fileDiff = await getNoIndexDiffForFile(filePath);
-        if (fileDiff.trim() !== "") {
-            untrackedDiffChunks.push(fileDiff);
+async function getLocalBranchDiff(fileKinds = ["staged", "unstaged", "untracked"]) {
+    const parts = {
+        stagedDiff: "",
+        unstagedDiff: "",
+        untrackedDiffs: []
+    };
+    if (fileKinds.includes("staged")) {
+        const stagedResult = await runGitCommand(["diff", "--cached"]);
+        parts.stagedDiff = stagedResult.stdout;
+    }
+    if (fileKinds.includes("unstaged")) {
+        const unstagedResult = await runGitCommand(["diff"]);
+        parts.unstagedDiff = unstagedResult.stdout;
+    }
+    if (fileKinds.includes("untracked")) {
+        const untrackedFiles = await getUntrackedFiles();
+        for (const filePath of untrackedFiles) {
+            const fileDiff = await getNoIndexDiffForFile(filePath);
+            if (fileDiff.trim() !== "") {
+                parts.untrackedDiffs.push(fileDiff);
+            }
         }
     }
-    return [stagedResult.stdout, unstagedResult.stdout, ...untrackedDiffChunks]
-        .filter((chunk) => chunk !== "")
-        .join("\n");
+    return selectLocalBranchDiffChunks(parts, fileKinds);
+}
+function selectLocalBranchDiffChunks(parts, fileKinds = ["staged", "unstaged", "untracked"]) {
+    const selectedKinds = new Set(fileKinds);
+    const chunks = [];
+    if (selectedKinds.has("staged") && parts.stagedDiff !== "") {
+        chunks.push(parts.stagedDiff);
+    }
+    if (selectedKinds.has("unstaged") && parts.unstagedDiff !== "") {
+        chunks.push(parts.unstagedDiff);
+    }
+    if (selectedKinds.has("untracked")) {
+        chunks.push(...parts.untrackedDiffs.filter((chunk) => chunk !== ""));
+    }
+    return chunks.join("\n");
 }

package/dist/git.test.js

@@ -0,0 +1,24 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const node_test_1 = __importDefault(require("node:test"));
+const git_1 = require("./git");
+(0, node_test_1.default)("selectLocalBranchDiffChunks includes only selected change kinds", () => {
+    const combined = (0, git_1.selectLocalBranchDiffChunks)({
+        stagedDiff: "STAGED_DIFF",
+        unstagedDiff: "UNSTAGED_DIFF",
+        untrackedDiffs: ["UNTRACKED_ONE", "", "UNTRACKED_TWO"]
+    }, ["staged", "untracked"]);
+    strict_1.default.equal(combined, ["STAGED_DIFF", "UNTRACKED_ONE", "UNTRACKED_TWO"].join("\n"));
+});
+(0, node_test_1.default)("selectLocalBranchDiffChunks returns empty string for empty selection", () => {
+    const combined = (0, git_1.selectLocalBranchDiffChunks)({
+        stagedDiff: "STAGED_DIFF",
+        unstagedDiff: "UNSTAGED_DIFF",
+        untrackedDiffs: ["UNTRACKED_ONE"]
+    }, []);
+    strict_1.default.equal(combined, "");
+});

package/dist/init.js

@@ -87,6 +87,11 @@ function scaffoldConfig(force = false) {
         execution: {
             batch: false
         },
+        diff: {
+            file_kinds: ["staged", "unstaged", "untracked"],
+            include_globs: ["src/**"],
+            exclude_globs: []
+        },
         security: {
             secret_guard: true,
             allow_patterns: [],

package/dist/main.js

@@ -103,8 +103,10 @@ async function runSemlint(options) {
         const repoRoot = await timedAsync(config.debug, "Resolved git repo root", () => (0, git_1.getRepoRoot)());
         const scanRoot = repoRoot ?? process.cwd();
         (0, utils_1.debugLog)(config.debug, `Using diff/ignore scan root: ${scanRoot}`);
-        const rawDiff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)() : (0, git_1.getGitDiff)(config.base, config.head));
-        const { filteredDiff: diff, excludedFiles } = timed(config.debug, "Filtered diff by ignore rules", () => (0, secrets_1.filterDiffByIgnoreRules)(rawDiff, scanRoot, config.security.ignoreFiles));
+        const rawDiff = await timedAsync(config.debug, "Computed git diff", () => useLocalBranchDiff ? (0, git_1.getLocalBranchDiff)(config.diff.fileKinds) : (0, git_1.getGitDiff)(config.base, config.head));
+        const { filteredDiff: globFilteredDiff, excludedFiles: globExcludedFiles } = timed(config.debug, "Filtered diff by configured include/exclude globs", () => (0, filter_1.filterDiffByPathGlobs)(rawDiff, config.diff.includeGlobs, config.diff.excludeGlobs));
+        const { filteredDiff: diff, excludedFiles: ignoreExcludedFiles } = timed(config.debug, "Filtered diff by ignore rules", () => (0, secrets_1.filterDiffByIgnoreRules)(globFilteredDiff, scanRoot, config.security.ignoreFiles));
+        const excludedFiles = Array.from(new Set([...globExcludedFiles, ...ignoreExcludedFiles])).sort((a, b) => a.localeCompare(b));
         if (excludedFiles.length > 0) {
             (0, utils_1.debugLog)(config.debug, `Excluded ${excludedFiles.length} file(s) by ignore/security rules: ${excludedFiles.join(", ")}`);
         }

package/dist/rules.js

@@ -13,7 +13,7 @@ function assertNonEmptyString(value, fieldName, filePath) {
     }
     return value;
 }
-function assertStringArray(value, fieldName, filePath) {
+function assert_string_array(value, fieldName, filePath) {
     if (value === undefined) {
         return undefined;
     }
@@ -36,9 +36,9 @@ function validateRuleObject(raw, filePath) {
         title: assertNonEmptyString(obj.title, "title", filePath),
         severity_default: severity,
         prompt: assertNonEmptyString(obj.prompt, "prompt", filePath),
-        include_globs: assertStringArray(obj.include_globs, "include_globs", filePath),
-        exclude_globs: assertStringArray(obj.exclude_globs, "exclude_globs", filePath),
-        diff_regex: assertStringArray(obj.diff_regex, "diff_regex", filePath)
+        include_globs: assert_string_array(obj.include_globs, "include_globs", filePath),
+        exclude_globs: assert_string_array(obj.exclude_globs, "exclude_globs", filePath),
+        diff_regex: assert_string_array(obj.diff_regex, "diff_regex", filePath)
     };
 }
 function loadRules(rulesDir, disabledRuleIds, severityOverrides) {

package/dist/secrets.js

@@ -93,7 +93,8 @@ function parseAllowMatchers(patterns) {
     });
 }
 function filterDiffByIgnoreRules(diff, cwd, ignoreFiles) {
-    const ignorePatterns = [...readIgnorePatterns(cwd, ignoreFiles), ...BUILTIN_SENSITIVE_GLOBS];
+    // Keep built-ins first so repo-specific negation patterns can carve out safe exceptions.
+    const ignorePatterns = [...BUILTIN_SENSITIVE_GLOBS, ...readIgnorePatterns(cwd, ignoreFiles)];
     const ignoreMatcher = createIgnoreMatcher(ignorePatterns);
     const chunks = (0, diff_1.splitDiffIntoFileChunks)(diff);
     const excludedFiles = chunks

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semlint-cli",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Semantic lint CLI — runs LLM-backed rules on your git diff and returns CI-friendly exit codes",
   "type": "commonjs",
   "main": "dist/main.js",