technical-debt-radar 1.10.0 → 1.11.0

package/dist/index.js

@@ -18867,7 +18867,7 @@ var require_cross_file_ai = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.analyzeCrossFileWithAI = analyzeCrossFileWithAI2;
     var sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
-    var MODEL4 = "claude-sonnet-4-20250514";
+    var MODEL3 = "claude-sonnet-4-20250514";
     var MAX_TOKENS = 3e3;
     async function analyzeCrossFileWithAI2(suspects, framework, orm, apiKey) {
       if (suspects.length === 0)
@@ -18922,7 +18922,7 @@ ${suspectsText}
 For each, determine if it's a real risk. Return JSON array.`;
       try {
         const response = await client.messages.create({
-          model: MODEL4,
+          model: MODEL3,
           max_tokens: MAX_TOKENS,
           system: systemPrompt,
           messages: [{ role: "user", content: userPrompt }]
@@ -20725,6 +20725,18 @@ var RadarApiClient = class _RadarApiClient {
       body: JSON.stringify(data)
     });
   }
+  async requestFix(data) {
+    return this.fetch("/cli/ai/fix", {
+      method: "POST",
+      body: JSON.stringify(data)
+    });
+  }
+  async requestFixGrouped(data) {
+    return this.fetch("/cli/ai/fix-grouped", {
+      method: "POST",
+      body: JSON.stringify(data)
+    });
+  }
 };
 
 // src/commands/scan.ts
@@ -21940,200 +21952,6 @@ var path5 = __toESM(require("path"));
 var import_chalk4 = __toESM(require("chalk"));
 var import_inquirer2 = __toESM(require("inquirer"));
 var import_analyzers3 = __toESM(require_dist3());
-
-// src/ai/fix-generator.ts
-var import_sdk3 = __toESM(require("@anthropic-ai/sdk"));
-var MODEL3 = "claude-sonnet-4-20250514";
-var MAX_FIX_TOKENS = 2e3;
-async function generateFix(request, apiKey) {
-  const client = new import_sdk3.default({ apiKey });
-  const ruleHint = getRuleSpecificHints(request.violation.ruleId, request.framework);
-  const systemPrompt = `You are a senior Node.js/TypeScript developer fixing code violations found by a static analysis tool called Technical Debt Radar.
-
-RULES:
-- Return ONLY the fixed code snippet, not the entire file
-- Keep the fix minimal \u2014 change only what's needed to resolve the violation
-- Preserve existing code style, indentation, and conventions
-- Add imports if needed (show them separately)
-- Use the project's framework patterns (${request.framework}, ${request.orm})
-${ruleHint ? `
-SPECIFIC GUIDANCE FOR THIS RULE:
-${ruleHint}` : ""}
-
-RESPONSE FORMAT (JSON only, no markdown):
-{
-  "originalCode": "the exact lines that need to change",
-  "fixedCode": "the replacement code",
-  "explanation": "one sentence explaining the fix",
-  "startLine": <first line number to replace>,
-  "endLine": <last line number to replace>,
-  "newImports": ["import { X } from 'y'"] or [],
-  "confidence": "high" | "medium" | "low"
-}`;
-  const userPrompt = `Fix this violation:
-
-RULE: ${request.violation.ruleId}
-MESSAGE: ${request.violation.message}
-FILE: ${request.violation.file}
-LINE: ${request.violation.line}
-SEVERITY: ${request.violation.severity}
-
-SURROUNDING CODE (lines ${Math.max(1, request.violation.line - 15)}-${request.violation.line + 15}):
-\`\`\`typescript
-${request.surroundingCode}
-\`\`\`
-
-FULL FILE (for context):
-\`\`\`typescript
-${request.fileContent}
-\`\`\`
-
-Generate the minimal fix. Return JSON only.`;
-  const response = await client.messages.create({
-    model: MODEL3,
-    max_tokens: MAX_FIX_TOKENS,
-    system: systemPrompt,
-    messages: [{ role: "user", content: userPrompt }]
-  });
-  const textBlock = response.content.find((b) => b.type === "text");
-  if (!textBlock || textBlock.type !== "text") {
-    throw new Error("No text content in AI response");
-  }
-  const cleaned = textBlock.text.replace(/^```json\s*/m, "").replace(/^```\s*/m, "").replace(/```\s*$/m, "").trim();
-  const parsed = JSON.parse(cleaned);
-  return {
-    violation: request.violation,
-    originalCode: String(parsed.originalCode || ""),
-    fixedCode: String(parsed.fixedCode || ""),
-    explanation: String(parsed.explanation || ""),
-    startLine: Number(parsed.startLine),
-    endLine: Number(parsed.endLine),
-    newImports: Array.isArray(parsed.newImports) ? parsed.newImports.map(String) : [],
-    confidence: validateConfidence(parsed.confidence)
-  };
-}
-async function generateGroupedFix(request, apiKey) {
-  const client = new import_sdk3.default({ apiKey });
-  const ruleHints = request.violations.map((v) => getRuleSpecificHints(v.ruleId, request.framework)).filter(Boolean);
-  const hintsBlock = ruleHints.length > 0 ? `
-SPECIFIC GUIDANCE:
-${ruleHints.join("\n")}` : "";
-  const systemPrompt = `You are a senior Node.js/TypeScript developer fixing code violations found by a static analysis tool called Technical Debt Radar.
-
-RULES:
-- Return ONLY the fixed code snippet, not the entire file
-- Keep the fix minimal \u2014 change only what's needed to resolve ALL violations listed
-- Preserve existing code style, indentation, and conventions
-- Add imports if needed (show them separately)
-- Use the project's framework patterns (${request.framework}, ${request.orm})
-- You MUST address EVERY violation listed \u2014 do not skip any
-${hintsBlock}
-
-RESPONSE FORMAT (JSON only, no markdown):
-{
-  "originalCode": "the exact lines that need to change",
-  "fixedCode": "the replacement code",
-  "explanation": "one sentence explaining the fix",
-  "startLine": <first line number to replace>,
-  "endLine": <last line number to replace>,
-  "newImports": ["import { X } from 'y'"] or [],
-  "confidence": "high" | "medium" | "low"
-}`;
-  const violationList = request.violations.map((v, i) => `  ${i + 1}. [${v.ruleId}] ${v.message} (line ${v.line}, severity: ${v.severity})`).join("\n");
-  const refLine = request.violations[0].line;
-  const userPrompt = `Fix these ${request.violations.length} violations in the same code section:
-
-${violationList}
-
-FILE: ${request.violations[0].file}
-
-SURROUNDING CODE (lines ${Math.max(1, refLine - 15)}-${refLine + 15}):
-\`\`\`typescript
-${request.surroundingCode}
-\`\`\`
-
-FULL FILE (for context):
-\`\`\`typescript
-${request.fileContent}
-\`\`\`
-
-Generate ONE fix that addresses ALL ${request.violations.length} violations. Return JSON only.`;
-  const response = await client.messages.create({
-    model: MODEL3,
-    max_tokens: MAX_FIX_TOKENS,
-    system: systemPrompt,
-    messages: [{ role: "user", content: userPrompt }]
-  });
-  const textBlock = response.content.find((b) => b.type === "text");
-  if (!textBlock || textBlock.type !== "text") {
-    throw new Error("No text content in AI response");
-  }
-  const cleaned = textBlock.text.replace(/^```json\s*/m, "").replace(/^```\s*/m, "").replace(/```\s*$/m, "").trim();
-  const parsed = JSON.parse(cleaned);
-  return {
-    violation: request.violations[0],
-    originalCode: String(parsed.originalCode || ""),
-    fixedCode: String(parsed.fixedCode || ""),
-    explanation: String(parsed.explanation || ""),
-    startLine: Number(parsed.startLine),
-    endLine: Number(parsed.endLine),
-    newImports: Array.isArray(parsed.newImports) ? parsed.newImports.map(String) : [],
-    confidence: validateConfidence(parsed.confidence)
-  };
-}
-function validateConfidence(value) {
-  if (value === "high" || value === "medium" || value === "low") {
-    return value;
-  }
-  return "medium";
-}
-function getRuleSpecificHints(ruleId, framework) {
-  const hints = {
-    "missing-null-guard": `Add a null/undefined check after the query. In ${framework === "NestJS" ? "NestJS, throw new NotFoundException()" : 'Express, return res.status(404).json({ error: "Not found" })'}. Check BEFORE any property access.`,
-    "sync-fs-in-handler": "Replace fs.readFileSync/writeFileSync with await fs.promises.readFile/writeFile. Make the function async if needed.",
-    "sync-crypto": "Replace crypto.pbkdf2Sync with the async crypto.pbkdf2 wrapped in a Promise, or use argon2/bcrypt async alternatives.",
-    "sync-compression": "Replace zlib.deflateSync/gzipSync with the async stream or callback versions.",
-    "redos-vulnerable-regex": "Rewrite the regex to avoid nested quantifiers. Remove patterns like (a+)+, (a|b)*, or use a regex linting library.",
-    "n-plus-one-query": "Replace the loop + individual query pattern with a batch query. Use include/join/populate for relations, or WHERE IN for ID lists.",
-    "unbounded-find-many": "Add pagination: { take: 20, skip: offset } for Prisma, { limit: 20, offset } for Sequelize, .limit(20) for Mongoose/Drizzle/Knex.",
-    "find-many-no-where": "Add a where/filter clause to prevent full table scans.",
-    "raw-sql-no-limit": "Add LIMIT clause to the SQL query.",
-    "unhandled-promise-rejection": "Add await before the async call, or explicitly handle the promise with .catch().",
-    "external-call-no-timeout": "Add { timeout: 10000 } (10s) to the HTTP client config. For axios: axios.post(url, data, { timeout: 10000 }). For fetch: use AbortController.",
-    "empty-catch-block": "Add error logging inside the catch block: console.error(error) or logger.error(error).",
-    "retry-without-backoff": "Replace fixed delay with exponential backoff: delay * Math.pow(2, attempt).",
-    "missing-error-logging": "Add a logging statement in the catch block.",
-    "missing-try-catch": "Wrap the multiple await calls in a try/catch block with proper error handling.",
-    "transaction-no-timeout": "Add a timeout option to the transaction: { timeout: 5000 }.",
-    "unfiltered-count-large-table": "Add a where/filter clause to the count query."
-  };
-  return hints[ruleId] || "";
-}
-
-// src/commands/fix.ts
-function buildFixInstruction(violation) {
-  const lines = [];
-  lines.push(`In ${violation.file} line ${violation.line}:`);
-  if (violation.suggestion) {
-    lines.push(`   ${violation.suggestion}`);
-  } else {
-    lines.push(`   ${violation.message}`);
-  }
-  return lines.join("\n");
-}
-function formatFixPrompt(violations) {
-  if (violations.length === 0) {
-    return "No issues found \u2014 nothing to fix.";
-  }
-  const lines = [];
-  lines.push("Fix these issues in my codebase:");
-  lines.push("");
-  violations.forEach((v, i) => {
-    lines.push(`${i + 1}. ${buildFixInstruction(v)}`);
-    lines.push("");
-  });
-  return lines.join("\n").trimEnd();
-}
 function applyFix(filePath, fix) {
   const content = fsSync2.readFileSync(filePath, "utf-8");
   const lines = content.split("\n");
@@ -22185,33 +22003,6 @@ async function runScan(targetPath, options) {
     policy
   };
 }
-async function runTextOnlyFix(targetPath, options) {
-  const { compiled: policy } = await loadPolicy(options.config, options.rules);
-  const files = await collectTsFiles(targetPath);
-  if (files.length === 0) {
-    console.log(import_chalk4.default.yellow("No .ts/.tsx files found."));
-    process.exit(0);
-  }
-  const changedFiles = await Promise.all(
-    files.map(async (filePath) => ({
-      path: filePath,
-      content: await fs5.readFile(filePath, "utf-8"),
-      status: "added"
-    }))
-  );
-  const input = { changedFiles, policy, headSha: "local", projectRoot: path5.resolve(targetPath) };
-  const result = await (0, import_analyzers3.runFullAnalysis)(input);
-  let violations = result.violations.filter((v) => v.severity === "critical" || v.severity === "warning").sort((a, b) => {
-    if (a.severity === "critical" && b.severity !== "critical") return -1;
-    if (a.severity !== "critical" && b.severity === "critical") return 1;
-    return b.debtPoints - a.debtPoints;
-  });
-  if (options.severity === "critical") {
-    violations = violations.filter((v) => v.severity === "critical");
-  }
-  const output = formatFixPrompt(violations);
-  console.log(output);
-}
 function groupBy(items, key) {
   const result = {};
   for (const item of items) {
@@ -22224,22 +22015,24 @@ function groupBy(items, key) {
 async function fixCommand(targetPath, options) {
   const client = RadarApiClient.fromConfigOrEnv();
   if (!client) {
-    console.error(import_chalk4.default.red("Authentication required. Run: radar login"));
+    console.error(import_chalk4.default.red("\u274C Authentication required. Run: radar login"));
     process.exit(1);
   }
-  const apiKey = options.apiKey || process.env.ANTHROPIC_API_KEY;
-  if (!apiKey) {
-    console.log(import_chalk4.default.yellow("No API key found."));
-    console.log("  Set ANTHROPIC_API_KEY environment variable");
-    console.log("  Or use: radar fix --api-key sk-ant-...");
-    console.log("");
-    console.log(import_chalk4.default.dim("Tip: Set ANTHROPIC_API_KEY for AI-powered auto-fixes"));
-    console.log(import_chalk4.default.dim("    export ANTHROPIC_API_KEY=sk-ant-..."));
-    console.log(import_chalk4.default.dim("    Then run: radar fix ."));
-    console.log("");
-    console.log(import_chalk4.default.dim("Without AI, showing fix instructions only:"));
-    console.log("");
-    return runTextOnlyFix(targetPath, options);
+  let verified;
+  try {
+    verified = await client.verifyToken();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("Network error")) {
+      console.error(import_chalk4.default.red("\u26A0\uFE0F  Could not reach Radar API. Check your connection."));
+    } else {
+      console.error(import_chalk4.default.red("\u274C Authentication failed. Run: radar login"));
+    }
+    process.exit(1);
+  }
+  if (!verified?.valid) {
+    console.error(import_chalk4.default.red("\u274C Invalid or expired token. Run: radar login"));
+    process.exit(1);
   }
   console.log(import_chalk4.default.blue("Scanning for violations..."));
   const scanResult = await runScan(targetPath, {
@@ -22265,7 +22058,9 @@ async function fixCommand(targetPath, options) {
   let totalFixed = 0;
   let totalSkipped = 0;
   let totalFailed = 0;
-  let totalCost = 0;
+  let totalCreditsUsed = 0;
+  let creditsRemaining = -1;
+  let fixCount = 0;
   let applyAll = false;
   let quit = false;
   const framework = scanResult.config?.stack?.framework || "NestJS";
@@ -22297,9 +22092,9 @@ ${relativePath} (${fileViolations.length} violations)
     const lineGroups = [...byLine.entries()].sort((a, b) => b[0] - a[0]);
     for (const [lineNum, lineViolations] of lineGroups) {
       if (quit) break;
-      if (totalCost >= options.maxCost) {
+      if (options.maxFixes > 0 && fixCount >= options.maxFixes) {
         console.log(import_chalk4.default.yellow(`
-  Cost ceiling reached ($${totalCost.toFixed(2)}). Stopping AI fixes.`));
+  Fix limit reached (${options.maxFixes}). Stopping.`));
         quit = true;
         break;
       }
@@ -22318,46 +22113,43 @@ ${relativePath} (${fileViolations.length} violations)
       }
       console.log("");
       try {
+        console.log(import_chalk4.default.dim("  Requesting AI fix from Radar..."));
         let fix;
         if (lineViolations.length > 1) {
-          fix = await generateGroupedFix(
-            {
-              violations: lineViolations.map((v) => ({
-                file: v.file,
-                line: v.line,
-                ruleId: v.ruleId,
-                message: v.message,
-                severity: v.severity,
-                category: v.category
-              })),
-              fileContent,
-              surroundingCode,
-              framework,
-              orm
-            },
-            apiKey
-          );
+          fix = await client.requestFixGrouped({
+            violations: lineViolations.map((v) => ({
+              file: v.file,
+              line: v.line,
+              ruleId: v.ruleId,
+              message: v.message,
+              severity: v.severity,
+              category: v.category
+            })),
+            fileContent,
+            surroundingCode,
+            framework,
+            orm
+          });
         } else {
           const violation = lineViolations[0];
-          fix = await generateFix(
-            {
-              violation: {
-                file: violation.file,
-                line: violation.line,
-                ruleId: violation.ruleId,
-                message: violation.message,
-                severity: violation.severity,
-                category: violation.category
-              },
-              fileContent,
-              surroundingCode,
-              framework,
-              orm
+          fix = await client.requestFix({
+            violation: {
+              file: violation.file,
+              line: violation.line,
+              ruleId: violation.ruleId,
+              message: violation.message,
+              severity: violation.severity,
+              category: violation.category
             },
-            apiKey
-          );
+            fileContent,
+            surroundingCode,
+            framework,
+            orm
+          });
         }
-        totalCost += 3e-3 * lineViolations.length;
+        totalCreditsUsed += fix.creditsUsed;
+        creditsRemaining = fix.creditsRemaining;
+        fixCount++;
         console.log(import_chalk4.default.red("  BEFORE:"));
         fix.originalCode.split("\n").forEach((l) => console.log(import_chalk4.default.red(`  - ${l}`)));
         console.log("");
@@ -22366,6 +22158,7 @@ ${relativePath} (${fileViolations.length} violations)
         console.log("");
         console.log(import_chalk4.default.dim(`  ${fix.explanation}`));
         console.log(import_chalk4.default.dim(`  Confidence: ${fix.confidence}`));
+        console.log(import_chalk4.default.cyan(`  ${fix.creditsUsed} AI credit used (${fix.creditsRemaining} remaining)`));
         console.log("");
         let shouldApply = false;
         if (options.dryRun) {
@@ -22411,8 +22204,22 @@ ${relativePath} (${fileViolations.length} violations)
         }
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        console.log(import_chalk4.default.red(`  AI fix failed: ${message}`));
-        totalFailed += lineViolations.length;
+        if (message.includes("403") && message.includes("credits exhausted")) {
+          console.log(import_chalk4.default.red(`  \u274C AI credits exhausted. Upgrade for more: radar upgrade`));
+          quit = true;
+          break;
+        } else if (message.includes("403") && message.includes("Solo")) {
+          console.log(import_chalk4.default.red(`  \u274C radar fix requires Solo plan or higher. Upgrade: radar upgrade`));
+          quit = true;
+          break;
+        } else if (message.includes("401")) {
+          console.log(import_chalk4.default.red(`  \u274C Authentication failed. Run: radar login`));
+          quit = true;
+          break;
+        } else {
+          console.log(import_chalk4.default.red(`  AI fix failed: ${message}`));
+          totalFailed += lineViolations.length;
+        }
       }
     }
   }
@@ -22423,7 +22230,10 @@ ${relativePath} (${fileViolations.length} violations)
   console.log(import_chalk4.default.green(`  Fixed:   ${totalFixed}`));
   console.log(import_chalk4.default.yellow(`  Skipped: ${totalSkipped}`));
   if (totalFailed > 0) console.log(import_chalk4.default.red(`  Failed:  ${totalFailed}`));
-  console.log(import_chalk4.default.dim(`  AI cost: $${totalCost.toFixed(3)}`));
+  console.log(import_chalk4.default.cyan(`  AI credits used: ${totalCreditsUsed}`));
+  if (creditsRemaining >= 0) {
+    console.log(import_chalk4.default.cyan(`  Credits remaining: ${creditsRemaining}`));
+  }
   console.log("");
   if (totalFixed > 0 && !options.dryRun) {
     console.log(import_chalk4.default.blue("Re-scanning to verify fixes...\n"));
@@ -22817,10 +22627,10 @@ program.command("check <file>").description("Check a single file against policy"
 program.command("init").description("Generate radar.yml + rules.yml from project structure").option("--path <dir>", "Target directory", ".").option("--architecture <pattern>", "Force architecture: ddd, hexagonal, clean, layered, mvc, event-driven").option("--regenerate-rules", "Regenerate rules.yml from existing radar.yml", false).option("--no-ai", "Skip AI refinement (deterministic only)").action(async (options) => {
   await initCommand(options);
 });
-program.command("fix <path>").description("AI-powered fix: generates code diffs, applies with confirmation").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").option("--severity <level>", "Only include: critical, all", "all").option("--dry-run", "Show fixes without applying", false).option("--auto", "Apply all high-confidence fixes without asking", false).option("--file <file>", "Fix single file only").option("--max-cost <amount>", "Max AI cost in dollars", "1.00").option("--api-key <key>", "Anthropic API key (or ANTHROPIC_API_KEY env var)").action(async (targetPath, options) => {
+program.command("fix <path>").description("AI-powered fix: generates code diffs, applies with confirmation").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").option("--severity <level>", "Only include: critical, all", "all").option("--dry-run", "Show fixes without applying", false).option("--auto", "Apply all high-confidence fixes without asking", false).option("--file <file>", "Fix single file only").option("--max-fixes <count>", "Max number of AI fixes to generate (0 = unlimited)", "0").action(async (targetPath, options) => {
   await fixCommand(targetPath, {
     ...options,
-    maxCost: parseFloat(options.maxCost)
+    maxFixes: parseInt(options.maxFixes, 10)
   });
 });
 program.command("validate").description("Validate radar.yml + rules.yml syntax and cross-references").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").action(async (options) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "technical-debt-radar",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "description": "Stop Node.js production crashes before merge. 47 detection patterns across 5 categories.",
   "bin": {
     "radar": "dist/index.js",