technical-debt-radar 1.9.0 → 1.11.0

package/dist/index.js

@@ -231,11 +231,11 @@ var require_plans = __commonJS({
       [PlanId.FREE]: {
         id: PlanId.FREE,
         name: "Free",
-        description: "Unlimited scans, warn mode",
+        description: "5 scans/month, warn mode",
         priceMonthly: 0,
         priceAnnual: 0,
         priceMonthlyIfAnnual: 0,
-        limits: { maxRepos: 2, maxMembers: 1, aiCreditsPerMonth: 0, maxOrgs: 1, scansPerMonth: -1 },
+        limits: { maxRepos: 2, maxMembers: 1, aiCreditsPerMonth: 0, maxOrgs: 1, scansPerMonth: 5 },
         features: {
           ...ALL_CLI,
           cliFixAI: false,
@@ -270,7 +270,7 @@ var require_plans = __commonJS({
         priceMonthly: 15,
         priceAnnual: 144,
         priceMonthlyIfAnnual: 12,
-        limits: { maxRepos: 5, maxMembers: 1, aiCreditsPerMonth: 50, maxOrgs: 1, scansPerMonth: -1 },
+        limits: { maxRepos: 5, maxMembers: 1, aiCreditsPerMonth: 50, maxOrgs: 1, scansPerMonth: 200 },
         features: {
           ...ALL_CLI,
           cliFixAI: true,
@@ -305,7 +305,7 @@ var require_plans = __commonJS({
         priceMonthly: 49,
         priceAnnual: 468,
         priceMonthlyIfAnnual: 39,
-        limits: { maxRepos: -1, maxMembers: -1, aiCreditsPerMonth: 500, maxOrgs: 3, scansPerMonth: -1 },
+        limits: { maxRepos: -1, maxMembers: -1, aiCreditsPerMonth: 500, maxOrgs: 3, scansPerMonth: 1e3 },
         features: {
           ...ALL_CLI,
           cliFixAI: true,
@@ -340,7 +340,7 @@ var require_plans = __commonJS({
         priceMonthly: 99,
         priceAnnual: 948,
         priceMonthlyIfAnnual: 79,
-        limits: { maxRepos: -1, maxMembers: -1, aiCreditsPerMonth: 1800, maxOrgs: 10, scansPerMonth: -1 },
+        limits: { maxRepos: -1, maxMembers: -1, aiCreditsPerMonth: 1800, maxOrgs: 10, scansPerMonth: 5e3 },
         features: {
           ...ALL_FEATURES_TRUE,
           sso: false,
@@ -399,6 +399,145 @@ var require_plans = __commonJS({
   }
 });
 
+// ../../packages/shared/dist/graph-builder.js
+var require_graph_builder = __commonJS({
+  "../../packages/shared/dist/graph-builder.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.buildImportGraphData = buildImportGraphData2;
+    var LAYER_COLORS = {
+      api: "#4CAF50",
+      application: "#2196F3",
+      domain: "#FF9800",
+      infrastructure: "#F44336",
+      shared: "#9C27B0",
+      common: "#9C27B0",
+      presentation: "#4CAF50",
+      business: "#2196F3",
+      "data-access": "#F44336",
+      models: "#FF9800",
+      controllers: "#4CAF50",
+      views: "#9E9E9E",
+      ports: "#2196F3",
+      adapters: "#F44336",
+      handlers: "#4CAF50",
+      commands: "#2196F3",
+      queries: "#FF9800",
+      events: "#9C27B0",
+      config: "#607D8B"
+    };
+    function buildImportGraphData2(edges, violations, files, modules) {
+      const nodeMap = /* @__PURE__ */ new Map();
+      const violationsByFile = /* @__PURE__ */ new Map();
+      for (const v of violations) {
+        violationsByFile.set(v.file, (violationsByFile.get(v.file) ?? 0) + 1);
+      }
+      const fileLoc = /* @__PURE__ */ new Map();
+      for (const f of files) {
+        if (f.linesOfCode) {
+          fileLoc.set(f.path, f.linesOfCode);
+        }
+      }
+      const ensureNode = (filePath, layer, module3) => {
+        if (nodeMap.has(filePath))
+          return;
+        const parts = filePath.split("/");
+        const fileName = parts[parts.length - 1] ?? filePath;
+        const label = fileName.replace(/\.(ts|tsx|js|jsx)$/, "");
+        const ext = fileName.match(/\.(service|controller|module|entity|repository|guard|pipe|middleware|dto|resolver|gateway)/);
+        nodeMap.set(filePath, {
+          id: filePath,
+          label,
+          module: module3 ?? void 0,
+          layer: layer ?? void 0,
+          type: ext ? ext[1] : "file",
+          violations: violationsByFile.get(filePath) ?? 0,
+          complexity: 0,
+          linesOfCode: fileLoc.get(filePath) ?? 0,
+          isHotspot: (violationsByFile.get(filePath) ?? 0) >= 3
+        });
+      };
+      for (const edge of edges) {
+        ensureNode(edge.source, edge.sourceLayer, edge.sourceModule);
+        ensureNode(edge.target, edge.targetLayer, edge.targetModule);
+      }
+      const circularFiles = /* @__PURE__ */ new Set();
+      for (const v of violations) {
+        if (v.type === "circular_dependency") {
+          circularFiles.add(v.file);
+        }
+      }
+      const graphEdges = edges.map((e) => {
+        const isCircular = circularFiles.has(e.source) && circularFiles.has(e.target);
+        const matchingViolation = violations.find((v) => v.category === "architecture" && v.file === e.source && v.message.includes(e.target.split("/").pop() ?? ""));
+        const isViolation = !!matchingViolation || isCircular;
+        let type = "import";
+        let violationType = null;
+        let message = null;
+        if (isCircular) {
+          type = "circular";
+          violationType = "circular-dependency";
+          message = `Circular dependency involving ${e.source} and ${e.target}`;
+        } else if (matchingViolation) {
+          type = "violation";
+          violationType = matchingViolation.type;
+          message = matchingViolation.message;
+        }
+        return { source: e.source, target: e.target, type, isViolation, violationType, message };
+      });
+      const moduleMap = /* @__PURE__ */ new Map();
+      for (const node of nodeMap.values()) {
+        if (node.module) {
+          const existing = moduleMap.get(node.module);
+          if (existing) {
+            existing.nodeCount++;
+            existing.violations += node.violations;
+          } else {
+            const policyMod = modules?.find((m) => m.name === node.module);
+            moduleMap.set(node.module, {
+              nodeCount: 1,
+              violations: node.violations,
+              path: policyMod?.pathPattern ?? ""
+            });
+          }
+        }
+      }
+      const graphModules = Array.from(moduleMap.entries()).map(([name, data]) => ({
+        name,
+        path: data.path,
+        nodeCount: data.nodeCount,
+        violations: data.violations
+      }));
+      const layerSet = /* @__PURE__ */ new Set();
+      for (const node of nodeMap.values()) {
+        if (node.layer)
+          layerSet.add(node.layer);
+      }
+      const layers = Array.from(layerSet).map((name) => ({
+        name,
+        color: LAYER_COLORS[name] ?? "#9E9E9E"
+      }));
+      const nodes = Array.from(nodeMap.values());
+      const violationEdgeCount = graphEdges.filter((e) => e.isViolation && e.type !== "circular").length;
+      const circularEdgeCount = graphEdges.filter((e) => e.type === "circular").length;
+      return {
+        nodes,
+        edges: graphEdges,
+        modules: graphModules,
+        layers,
+        stats: {
+          totalNodes: nodes.length,
+          totalEdges: graphEdges.length,
+          violationEdges: violationEdgeCount,
+          circularEdges: circularEdgeCount,
+          modules: graphModules.length,
+          layers: layers.length
+        }
+      };
+    }
+  }
+});
+
 // ../../packages/shared/dist/index.js
 var require_dist = __commonJS({
   "../../packages/shared/dist/index.js"(exports2) {
@@ -420,9 +559,14 @@ var require_dist = __commonJS({
       for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.buildImportGraphData = void 0;
     __exportStar(require_types(), exports2);
     __exportStar(require_constants(), exports2);
     __exportStar(require_plans(), exports2);
+    var graph_builder_1 = require_graph_builder();
+    Object.defineProperty(exports2, "buildImportGraphData", { enumerable: true, get: function() {
+      return graph_builder_1.buildImportGraphData;
+    } });
   }
 });
 
@@ -18723,7 +18867,7 @@ var require_cross_file_ai = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.analyzeCrossFileWithAI = analyzeCrossFileWithAI2;
     var sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
-    var MODEL4 = "claude-sonnet-4-20250514";
+    var MODEL3 = "claude-sonnet-4-20250514";
     var MAX_TOKENS = 3e3;
     async function analyzeCrossFileWithAI2(suspects, framework, orm, apiKey) {
       if (suspects.length === 0)
@@ -18778,7 +18922,7 @@ ${suspectsText}
 For each, determine if it's a real risk. Return JSON array.`;
       try {
         const response = await client.messages.create({
-          model: MODEL4,
+          model: MODEL3,
           max_tokens: MAX_TOKENS,
           system: systemPrompt,
           messages: [{ role: "user", content: userPrompt }]
@@ -20261,6 +20405,7 @@ var os2 = __toESM(require("os"));
 var import_chalk = __toESM(require("chalk"));
 var import_policy_engine = __toESM(require_dist2());
 var import_analyzers = __toESM(require_dist3());
+var import_shared = __toESM(require_dist());
 var import_analyzers2 = __toESM(require_dist3());
 
 // src/ai/scan-summary-generator.ts
@@ -20580,6 +20725,18 @@ var RadarApiClient = class _RadarApiClient {
       body: JSON.stringify(data)
     });
   }
+  async requestFix(data) {
+    return this.fetch("/cli/ai/fix", {
+      method: "POST",
+      body: JSON.stringify(data)
+    });
+  }
+  async requestFixGrouped(data) {
+    return this.fetch("/cli/ai/fix-grouped", {
+      method: "POST",
+      body: JSON.stringify(data)
+    });
+  }
 };
 
 // src/commands/scan.ts
@@ -20819,6 +20976,12 @@ async function scanCommand(targetPath, options) {
     const blocking = result.violations.filter((v) => v.gateAction === "block");
     const warns = result.violations.filter((v) => v.gateAction === "warn");
     const byCat = countByCategory(result.violations);
+    const graphData = result.importGraph && result.importGraph.length > 0 ? (0, import_shared.buildImportGraphData)(
+      result.importGraph,
+      result.violations,
+      changedFiles.map((f) => ({ path: f.path, linesOfCode: f.content?.split("\n").length })),
+      policy.modules
+    ) : void 0;
     const reportData = {
       repoName: path2.basename(path2.resolve(targetPath)),
       violations: result.violations.map((v) => ({
@@ -20842,6 +21005,7 @@ async function scanCommand(targetPath, options) {
       duration: Date.now() - scanStart,
       usedAi: shouldRunAi,
       aiCreditsUsed: 0,
+      importGraphData: graphData,
       // PR metadata from CI environment (set by GitHub Action or GitLab CI)
       ...process.env.RADAR_PR_NUMBER ? {
         prNumber: parseInt(process.env.RADAR_PR_NUMBER, 10),
@@ -21788,200 +21952,6 @@ var path5 = __toESM(require("path"));
 var import_chalk4 = __toESM(require("chalk"));
 var import_inquirer2 = __toESM(require("inquirer"));
 var import_analyzers3 = __toESM(require_dist3());
-
-// src/ai/fix-generator.ts
-var import_sdk3 = __toESM(require("@anthropic-ai/sdk"));
-var MODEL3 = "claude-sonnet-4-20250514";
-var MAX_FIX_TOKENS = 2e3;
-async function generateFix(request, apiKey) {
-  const client = new import_sdk3.default({ apiKey });
-  const ruleHint = getRuleSpecificHints(request.violation.ruleId, request.framework);
-  const systemPrompt = `You are a senior Node.js/TypeScript developer fixing code violations found by a static analysis tool called Technical Debt Radar.
-
-RULES:
-- Return ONLY the fixed code snippet, not the entire file
-- Keep the fix minimal \u2014 change only what's needed to resolve the violation
-- Preserve existing code style, indentation, and conventions
-- Add imports if needed (show them separately)
-- Use the project's framework patterns (${request.framework}, ${request.orm})
-${ruleHint ? `
-SPECIFIC GUIDANCE FOR THIS RULE:
-${ruleHint}` : ""}
-
-RESPONSE FORMAT (JSON only, no markdown):
-{
-  "originalCode": "the exact lines that need to change",
-  "fixedCode": "the replacement code",
-  "explanation": "one sentence explaining the fix",
-  "startLine": <first line number to replace>,
-  "endLine": <last line number to replace>,
-  "newImports": ["import { X } from 'y'"] or [],
-  "confidence": "high" | "medium" | "low"
-}`;
-  const userPrompt = `Fix this violation:
-
-RULE: ${request.violation.ruleId}
-MESSAGE: ${request.violation.message}
-FILE: ${request.violation.file}
-LINE: ${request.violation.line}
-SEVERITY: ${request.violation.severity}
-
-SURROUNDING CODE (lines ${Math.max(1, request.violation.line - 15)}-${request.violation.line + 15}):
-\`\`\`typescript
-${request.surroundingCode}
-\`\`\`
-
-FULL FILE (for context):
-\`\`\`typescript
-${request.fileContent}
-\`\`\`
-
-Generate the minimal fix. Return JSON only.`;
-  const response = await client.messages.create({
-    model: MODEL3,
-    max_tokens: MAX_FIX_TOKENS,
-    system: systemPrompt,
-    messages: [{ role: "user", content: userPrompt }]
-  });
-  const textBlock = response.content.find((b) => b.type === "text");
-  if (!textBlock || textBlock.type !== "text") {
-    throw new Error("No text content in AI response");
-  }
-  const cleaned = textBlock.text.replace(/^```json\s*/m, "").replace(/^```\s*/m, "").replace(/```\s*$/m, "").trim();
-  const parsed = JSON.parse(cleaned);
-  return {
-    violation: request.violation,
-    originalCode: String(parsed.originalCode || ""),
-    fixedCode: String(parsed.fixedCode || ""),
-    explanation: String(parsed.explanation || ""),
-    startLine: Number(parsed.startLine),
-    endLine: Number(parsed.endLine),
-    newImports: Array.isArray(parsed.newImports) ? parsed.newImports.map(String) : [],
-    confidence: validateConfidence(parsed.confidence)
-  };
-}
-async function generateGroupedFix(request, apiKey) {
-  const client = new import_sdk3.default({ apiKey });
-  const ruleHints = request.violations.map((v) => getRuleSpecificHints(v.ruleId, request.framework)).filter(Boolean);
-  const hintsBlock = ruleHints.length > 0 ? `
-SPECIFIC GUIDANCE:
-${ruleHints.join("\n")}` : "";
-  const systemPrompt = `You are a senior Node.js/TypeScript developer fixing code violations found by a static analysis tool called Technical Debt Radar.
-
-RULES:
-- Return ONLY the fixed code snippet, not the entire file
-- Keep the fix minimal \u2014 change only what's needed to resolve ALL violations listed
-- Preserve existing code style, indentation, and conventions
-- Add imports if needed (show them separately)
-- Use the project's framework patterns (${request.framework}, ${request.orm})
-- You MUST address EVERY violation listed \u2014 do not skip any
-${hintsBlock}
-
-RESPONSE FORMAT (JSON only, no markdown):
-{
-  "originalCode": "the exact lines that need to change",
-  "fixedCode": "the replacement code",
-  "explanation": "one sentence explaining the fix",
-  "startLine": <first line number to replace>,
-  "endLine": <last line number to replace>,
-  "newImports": ["import { X } from 'y'"] or [],
-  "confidence": "high" | "medium" | "low"
-}`;
-  const violationList = request.violations.map((v, i) => `  ${i + 1}. [${v.ruleId}] ${v.message} (line ${v.line}, severity: ${v.severity})`).join("\n");
-  const refLine = request.violations[0].line;
-  const userPrompt = `Fix these ${request.violations.length} violations in the same code section:
-
-${violationList}
-
-FILE: ${request.violations[0].file}
-
-SURROUNDING CODE (lines ${Math.max(1, refLine - 15)}-${refLine + 15}):
-\`\`\`typescript
-${request.surroundingCode}
-\`\`\`
-
-FULL FILE (for context):
-\`\`\`typescript
-${request.fileContent}
-\`\`\`
-
-Generate ONE fix that addresses ALL ${request.violations.length} violations. Return JSON only.`;
-  const response = await client.messages.create({
-    model: MODEL3,
-    max_tokens: MAX_FIX_TOKENS,
-    system: systemPrompt,
-    messages: [{ role: "user", content: userPrompt }]
-  });
-  const textBlock = response.content.find((b) => b.type === "text");
-  if (!textBlock || textBlock.type !== "text") {
-    throw new Error("No text content in AI response");
-  }
-  const cleaned = textBlock.text.replace(/^```json\s*/m, "").replace(/^```\s*/m, "").replace(/```\s*$/m, "").trim();
-  const parsed = JSON.parse(cleaned);
-  return {
-    violation: request.violations[0],
-    originalCode: String(parsed.originalCode || ""),
-    fixedCode: String(parsed.fixedCode || ""),
-    explanation: String(parsed.explanation || ""),
-    startLine: Number(parsed.startLine),
-    endLine: Number(parsed.endLine),
-    newImports: Array.isArray(parsed.newImports) ? parsed.newImports.map(String) : [],
-    confidence: validateConfidence(parsed.confidence)
-  };
-}
-function validateConfidence(value) {
-  if (value === "high" || value === "medium" || value === "low") {
-    return value;
-  }
-  return "medium";
-}
-function getRuleSpecificHints(ruleId, framework) {
-  const hints = {
-    "missing-null-guard": `Add a null/undefined check after the query. In ${framework === "NestJS" ? "NestJS, throw new NotFoundException()" : 'Express, return res.status(404).json({ error: "Not found" })'}. Check BEFORE any property access.`,
-    "sync-fs-in-handler": "Replace fs.readFileSync/writeFileSync with await fs.promises.readFile/writeFile. Make the function async if needed.",
-    "sync-crypto": "Replace crypto.pbkdf2Sync with the async crypto.pbkdf2 wrapped in a Promise, or use argon2/bcrypt async alternatives.",
-    "sync-compression": "Replace zlib.deflateSync/gzipSync with the async stream or callback versions.",
-    "redos-vulnerable-regex": "Rewrite the regex to avoid nested quantifiers. Remove patterns like (a+)+, (a|b)*, or use a regex linting library.",
-    "n-plus-one-query": "Replace the loop + individual query pattern with a batch query. Use include/join/populate for relations, or WHERE IN for ID lists.",
-    "unbounded-find-many": "Add pagination: { take: 20, skip: offset } for Prisma, { limit: 20, offset } for Sequelize, .limit(20) for Mongoose/Drizzle/Knex.",
-    "find-many-no-where": "Add a where/filter clause to prevent full table scans.",
-    "raw-sql-no-limit": "Add LIMIT clause to the SQL query.",
-    "unhandled-promise-rejection": "Add await before the async call, or explicitly handle the promise with .catch().",
-    "external-call-no-timeout": "Add { timeout: 10000 } (10s) to the HTTP client config. For axios: axios.post(url, data, { timeout: 10000 }). For fetch: use AbortController.",
-    "empty-catch-block": "Add error logging inside the catch block: console.error(error) or logger.error(error).",
-    "retry-without-backoff": "Replace fixed delay with exponential backoff: delay * Math.pow(2, attempt).",
-    "missing-error-logging": "Add a logging statement in the catch block.",
-    "missing-try-catch": "Wrap the multiple await calls in a try/catch block with proper error handling.",
-    "transaction-no-timeout": "Add a timeout option to the transaction: { timeout: 5000 }.",
-    "unfiltered-count-large-table": "Add a where/filter clause to the count query."
-  };
-  return hints[ruleId] || "";
-}
-
-// src/commands/fix.ts
-function buildFixInstruction(violation) {
-  const lines = [];
-  lines.push(`In ${violation.file} line ${violation.line}:`);
-  if (violation.suggestion) {
-    lines.push(`   ${violation.suggestion}`);
-  } else {
-    lines.push(`   ${violation.message}`);
-  }
-  return lines.join("\n");
-}
-function formatFixPrompt(violations) {
-  if (violations.length === 0) {
-    return "No issues found \u2014 nothing to fix.";
-  }
-  const lines = [];
-  lines.push("Fix these issues in my codebase:");
-  lines.push("");
-  violations.forEach((v, i) => {
-    lines.push(`${i + 1}. ${buildFixInstruction(v)}`);
-    lines.push("");
-  });
-  return lines.join("\n").trimEnd();
-}
 function applyFix(filePath, fix) {
   const content = fsSync2.readFileSync(filePath, "utf-8");
   const lines = content.split("\n");
@@ -22033,33 +22003,6 @@ async function runScan(targetPath, options) {
     policy
   };
 }
-async function runTextOnlyFix(targetPath, options) {
-  const { compiled: policy } = await loadPolicy(options.config, options.rules);
-  const files = await collectTsFiles(targetPath);
-  if (files.length === 0) {
-    console.log(import_chalk4.default.yellow("No .ts/.tsx files found."));
-    process.exit(0);
-  }
-  const changedFiles = await Promise.all(
-    files.map(async (filePath) => ({
-      path: filePath,
-      content: await fs5.readFile(filePath, "utf-8"),
-      status: "added"
-    }))
-  );
-  const input = { changedFiles, policy, headSha: "local", projectRoot: path5.resolve(targetPath) };
-  const result = await (0, import_analyzers3.runFullAnalysis)(input);
-  let violations = result.violations.filter((v) => v.severity === "critical" || v.severity === "warning").sort((a, b) => {
-    if (a.severity === "critical" && b.severity !== "critical") return -1;
-    if (a.severity !== "critical" && b.severity === "critical") return 1;
-    return b.debtPoints - a.debtPoints;
-  });
-  if (options.severity === "critical") {
-    violations = violations.filter((v) => v.severity === "critical");
-  }
-  const output = formatFixPrompt(violations);
-  console.log(output);
-}
 function groupBy(items, key) {
   const result = {};
   for (const item of items) {
@@ -22072,22 +22015,24 @@ function groupBy(items, key) {
 async function fixCommand(targetPath, options) {
   const client = RadarApiClient.fromConfigOrEnv();
   if (!client) {
-    console.error(import_chalk4.default.red("Authentication required. Run: radar login"));
+    console.error(import_chalk4.default.red("\u274C Authentication required. Run: radar login"));
     process.exit(1);
   }
-  const apiKey = options.apiKey || process.env.ANTHROPIC_API_KEY;
-  if (!apiKey) {
-    console.log(import_chalk4.default.yellow("No API key found."));
-    console.log("  Set ANTHROPIC_API_KEY environment variable");
-    console.log("  Or use: radar fix --api-key sk-ant-...");
-    console.log("");
-    console.log(import_chalk4.default.dim("Tip: Set ANTHROPIC_API_KEY for AI-powered auto-fixes"));
-    console.log(import_chalk4.default.dim("    export ANTHROPIC_API_KEY=sk-ant-..."));
-    console.log(import_chalk4.default.dim("    Then run: radar fix ."));
-    console.log("");
-    console.log(import_chalk4.default.dim("Without AI, showing fix instructions only:"));
-    console.log("");
-    return runTextOnlyFix(targetPath, options);
+  let verified;
+  try {
+    verified = await client.verifyToken();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg.includes("Network error")) {
+      console.error(import_chalk4.default.red("\u26A0\uFE0F  Could not reach Radar API. Check your connection."));
+    } else {
+      console.error(import_chalk4.default.red("\u274C Authentication failed. Run: radar login"));
+    }
+    process.exit(1);
+  }
+  if (!verified?.valid) {
+    console.error(import_chalk4.default.red("\u274C Invalid or expired token. Run: radar login"));
+    process.exit(1);
   }
   console.log(import_chalk4.default.blue("Scanning for violations..."));
   const scanResult = await runScan(targetPath, {
@@ -22113,7 +22058,9 @@ async function fixCommand(targetPath, options) {
   let totalFixed = 0;
   let totalSkipped = 0;
   let totalFailed = 0;
-  let totalCost = 0;
+  let totalCreditsUsed = 0;
+  let creditsRemaining = -1;
+  let fixCount = 0;
   let applyAll = false;
   let quit = false;
   const framework = scanResult.config?.stack?.framework || "NestJS";
@@ -22145,9 +22092,9 @@ ${relativePath} (${fileViolations.length} violations)
     const lineGroups = [...byLine.entries()].sort((a, b) => b[0] - a[0]);
     for (const [lineNum, lineViolations] of lineGroups) {
       if (quit) break;
-      if (totalCost >= options.maxCost) {
+      if (options.maxFixes > 0 && fixCount >= options.maxFixes) {
         console.log(import_chalk4.default.yellow(`
-  Cost ceiling reached ($${totalCost.toFixed(2)}). Stopping AI fixes.`));
+  Fix limit reached (${options.maxFixes}). Stopping.`));
         quit = true;
         break;
       }
@@ -22166,46 +22113,43 @@ ${relativePath} (${fileViolations.length} violations)
       }
       console.log("");
       try {
+        console.log(import_chalk4.default.dim("  Requesting AI fix from Radar..."));
         let fix;
         if (lineViolations.length > 1) {
-          fix = await generateGroupedFix(
-            {
-              violations: lineViolations.map((v) => ({
-                file: v.file,
-                line: v.line,
-                ruleId: v.ruleId,
-                message: v.message,
-                severity: v.severity,
-                category: v.category
-              })),
-              fileContent,
-              surroundingCode,
-              framework,
-              orm
-            },
-            apiKey
-          );
+          fix = await client.requestFixGrouped({
+            violations: lineViolations.map((v) => ({
+              file: v.file,
+              line: v.line,
+              ruleId: v.ruleId,
+              message: v.message,
+              severity: v.severity,
+              category: v.category
+            })),
+            fileContent,
+            surroundingCode,
+            framework,
+            orm
+          });
         } else {
           const violation = lineViolations[0];
-          fix = await generateFix(
-            {
-              violation: {
-                file: violation.file,
-                line: violation.line,
-                ruleId: violation.ruleId,
-                message: violation.message,
-                severity: violation.severity,
-                category: violation.category
-              },
-              fileContent,
-              surroundingCode,
-              framework,
-              orm
+          fix = await client.requestFix({
+            violation: {
+              file: violation.file,
+              line: violation.line,
+              ruleId: violation.ruleId,
+              message: violation.message,
+              severity: violation.severity,
+              category: violation.category
             },
-            apiKey
-          );
+            fileContent,
+            surroundingCode,
+            framework,
+            orm
+          });
         }
-        totalCost += 3e-3 * lineViolations.length;
+        totalCreditsUsed += fix.creditsUsed;
+        creditsRemaining = fix.creditsRemaining;
+        fixCount++;
         console.log(import_chalk4.default.red("  BEFORE:"));
         fix.originalCode.split("\n").forEach((l) => console.log(import_chalk4.default.red(`  - ${l}`)));
         console.log("");
@@ -22214,6 +22158,7 @@ ${relativePath} (${fileViolations.length} violations)
         console.log("");
         console.log(import_chalk4.default.dim(`  ${fix.explanation}`));
         console.log(import_chalk4.default.dim(`  Confidence: ${fix.confidence}`));
+        console.log(import_chalk4.default.cyan(`  ${fix.creditsUsed} AI credit used (${fix.creditsRemaining} remaining)`));
         console.log("");
         let shouldApply = false;
         if (options.dryRun) {
@@ -22259,8 +22204,22 @@ ${relativePath} (${fileViolations.length} violations)
         }
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        console.log(import_chalk4.default.red(`  AI fix failed: ${message}`));
-        totalFailed += lineViolations.length;
+        if (message.includes("403") && message.includes("credits exhausted")) {
+          console.log(import_chalk4.default.red(`  \u274C AI credits exhausted. Upgrade for more: radar upgrade`));
+          quit = true;
+          break;
+        } else if (message.includes("403") && message.includes("Solo")) {
+          console.log(import_chalk4.default.red(`  \u274C radar fix requires Solo plan or higher. Upgrade: radar upgrade`));
+          quit = true;
+          break;
+        } else if (message.includes("401")) {
+          console.log(import_chalk4.default.red(`  \u274C Authentication failed. Run: radar login`));
+          quit = true;
+          break;
+        } else {
+          console.log(import_chalk4.default.red(`  AI fix failed: ${message}`));
+          totalFailed += lineViolations.length;
+        }
       }
     }
   }
@@ -22271,7 +22230,10 @@ ${relativePath} (${fileViolations.length} violations)
   console.log(import_chalk4.default.green(`  Fixed:   ${totalFixed}`));
   console.log(import_chalk4.default.yellow(`  Skipped: ${totalSkipped}`));
   if (totalFailed > 0) console.log(import_chalk4.default.red(`  Failed:  ${totalFailed}`));
-  console.log(import_chalk4.default.dim(`  AI cost: $${totalCost.toFixed(3)}`));
+  console.log(import_chalk4.default.cyan(`  AI credits used: ${totalCreditsUsed}`));
+  if (creditsRemaining >= 0) {
+    console.log(import_chalk4.default.cyan(`  Credits remaining: ${creditsRemaining}`));
+  }
   console.log("");
   if (totalFixed > 0 && !options.dryRun) {
     console.log(import_chalk4.default.blue("Re-scanning to verify fixes...\n"));
@@ -22665,10 +22627,10 @@ program.command("check <file>").description("Check a single file against policy"
 program.command("init").description("Generate radar.yml + rules.yml from project structure").option("--path <dir>", "Target directory", ".").option("--architecture <pattern>", "Force architecture: ddd, hexagonal, clean, layered, mvc, event-driven").option("--regenerate-rules", "Regenerate rules.yml from existing radar.yml", false).option("--no-ai", "Skip AI refinement (deterministic only)").action(async (options) => {
   await initCommand(options);
 });
-program.command("fix <path>").description("AI-powered fix: generates code diffs, applies with confirmation").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").option("--severity <level>", "Only include: critical, all", "all").option("--dry-run", "Show fixes without applying", false).option("--auto", "Apply all high-confidence fixes without asking", false).option("--file <file>", "Fix single file only").option("--max-cost <amount>", "Max AI cost in dollars", "1.00").option("--api-key <key>", "Anthropic API key (or ANTHROPIC_API_KEY env var)").action(async (targetPath, options) => {
+program.command("fix <path>").description("AI-powered fix: generates code diffs, applies with confirmation").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").option("--severity <level>", "Only include: critical, all", "all").option("--dry-run", "Show fixes without applying", false).option("--auto", "Apply all high-confidence fixes without asking", false).option("--file <file>", "Fix single file only").option("--max-fixes <count>", "Max number of AI fixes to generate (0 = unlimited)", "0").action(async (targetPath, options) => {
   await fixCommand(targetPath, {
     ...options,
-    maxCost: parseFloat(options.maxCost)
+    maxFixes: parseInt(options.maxFixes, 10)
   });
 });
 program.command("validate").description("Validate radar.yml + rules.yml syntax and cross-references").option("-c, --config <path>", "Path to radar.yml", "./radar.yml").option("-r, --rules <path>", "Path to rules.yml (default: ./rules.yml)").action(async (options) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "technical-debt-radar",
-  "version": "1.9.0",
+  "version": "1.11.0",
   "description": "Stop Node.js production crashes before merge. 47 detection patterns across 5 categories.",
   "bin": {
     "radar": "dist/index.js",