tryassay 0.28.2 → 0.30.1

package/dist/lib/learned-rules/starter-catalog.js

@@ -0,0 +1,402 @@
+/**
+ * Starter Catalog — ~15 high-signal learned rules that ship with the npm package.
+ *
+ * These rules were curated from 214 rules harvested from real PR diffs in
+ * popular open-source TypeScript projects. Selection criteria:
+ *   - Valid, compilable regex
+ *   - High or critical severity preferred
+ *   - General-purpose (not tied to a specific project)
+ *   - Good coverage across categories (security, error handling, etc.)
+ *   - Useful fixDescription
+ *
+ * All starter rules have `source: "bundled"` to distinguish them from
+ * user-harvested rules. Local rules with the same ID take precedence.
+ */
+const NOW = '2026-03-14T00:00:00.000Z';
+export const STARTER_RULES = [
+    // ─── SECURITY ───────────────────────────────────────────────
+    {
+        id: 'starter_security_token_logging',
+        pattern: {
+            id: 'starter_security_token_logging',
+            description: 'Avoid logging sensitive data (like JWT tokens, access tokens, or API keys) directly to console. They can be intercepted by browser extensions, leaked in log aggregators, or exposed in CI output.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(?i)console\\.log.*\\{token|\\[access_token\\]|\\[JWT\\]',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'security',
+            severity: 'critical',
+            evidenceTemplate: '{file}:{line} logs sensitive token data: \'{match}\'. Remove or redact before shipping.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Remove console.log statements that print raw token values, or replace sensitive values with a placeholder like "[REDACTED]".',
+        confirmationCount: 4,
+    },
+    {
+        id: 'starter_security_webhook_ssrf',
+        pattern: {
+            id: 'starter_security_webhook_ssrf',
+            description: 'Webhook URLs should be validated against private/internal IP ranges before processing to prevent SSRF and data leakage through internal network access.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(?:await\\s+)?(?:\\w+\\.)*(?:create|update|send).*webhook',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'security',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} performs webhook operation without visible private-URL validation: {match}',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Add a validation check after URL extraction to ensure the target is not a private/loopback/link-local IP before performing webhook operations.',
+        confirmationCount: 1,
+    },
+    {
+        id: 'starter_security_hardcoded_credentials',
+        pattern: {
+            id: 'starter_security_hardcoded_credentials',
+            description: 'Hardcoded service account emails or credentials in source code should be replaced by environment variables to support multi-tenant deployments and prevent credential leakage.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: "^const [A-Z][A-Z_]*(EMAIL|PASSWORD|SECRET|TOKEN|KEY)\\s*=\\s*['\"][^'\"]+['\"];?$",
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'security',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} contains hardcoded credential constant: {match}. Use environment variables instead.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Replace hardcoded credential constants with process.env lookups (e.g., process.env.SERVICE_ACCOUNT_EMAIL) with appropriate fallback handling.',
+        confirmationCount: 2,
+    },
+    // ─── CONCURRENCY ────────────────────────────────────────────
+    {
+        id: 'starter_concurrency_version_increment',
+        pattern: {
+            id: 'starter_concurrency_version_increment',
+            description: 'Application-side version increments (read-modify-write) introduce TOCTOU race conditions. Version counters should be managed atomically within the database query.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: 'version:\\s+.*\\.version\\s*\\+\\s*1',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'concurrency',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} has non-atomic version increment: {match}. Use db.raw() or .increment() inside the SQL query instead.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Replace application-side version arithmetic with an atomic database operation (e.g., db.raw("?? + 1", [...]) or .increment()) inside the SQL query.',
+        confirmationCount: 1,
+    },
+    // ─── ERROR HANDLING ─────────────────────────────────────────
+    {
+        id: 'starter_error_dynamic_import_unhandled',
+        pattern: {
+            id: 'starter_error_dynamic_import_unhandled',
+            description: 'Dynamic imports with .then() but no .catch() will silently fail, leaving the component in a null/undefined state that causes missing UI elements or runtime errors.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(import\\(.*\\)\\.then\\()\\s*\\([^)]+\\)',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'error-handling',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} has dynamic import without error handling: {match}. Add .catch() to handle module load failures.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Add a .catch() handler to the dynamic import that sets an error state and logs the failure. Ensure dependent logic handles the error state gracefully.',
+        confirmationCount: 1,
+    },
+    {
+        id: 'starter_error_void_import_no_catch',
+        pattern: {
+            id: 'starter_error_void_import_no_catch',
+            description: 'Fire-and-forget dynamic imports (void import("...").then()) silently swallow rejections, corrupting component state when the module fails to load.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: 'void import\\("([^"]+)"\\).then\\([^)]+\\);',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'error-handling',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} uses fire-and-forget dynamic import without error handling: {match}. If this rejects, the app enters a silent error state.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Wrap the dynamic import to catch errors, set a failure state flag, and ensure dependent logic falls back to raw data or a sensible default.',
+        confirmationCount: 1,
+    },
+    {
+        id: 'starter_error_fragile_nth_child_selector',
+        pattern: {
+            id: 'starter_error_fragile_nth_child_selector',
+            description: 'CSS selectors relying on DOM structure (like nth-child) in E2E tests break when UI layout changes. Use data-testid attributes for stable element targeting.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: 'page\\.locator\\([^)]*nth-child[^)]*\\)',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'test-robustness',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} uses fragile nth-child selector: {match}. Replace with getByTestId() for stable targeting.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Replace nth-child or text-based locators with getByTestId() targeting explicit data-testid attributes on the DOM elements.',
+        confirmationCount: 2,
+    },
+    {
+        id: 'starter_error_nested_transactions',
+        pattern: {
+            id: 'starter_error_nested_transactions',
+            description: 'Nested database transactions waste resources and can cause deadlocks. When an external transaction is already provided, use it directly instead of opening a new one.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(await\\s+[a-zA-Z_]+\\.transaction\\(\\)|\\.transaction\\(\\))\\s*;?\\s*(?!;)',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'error-handling',
+            severity: 'medium',
+            evidenceTemplate: '{file}:{line} opens a transaction that may be nested: {match}. Check if an external transaction is already in scope.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Check whether an external transaction (trx) is already available before opening a new one. Pass the existing transaction through instead of nesting.',
+        confirmationCount: 2,
+    },
+    {
+        id: 'starter_error_usestate_true_default',
+        pattern: {
+            id: 'starter_error_usestate_true_default',
+            description: 'Initializing a boolean useState to true without checking if dependent data exists causes unintended side effects (e.g., enabling a feature before its prerequisites are loaded).',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '^\\s*const \\[([^,]+,\\s*[^\\]]+)\\]\\s*=\\s*useState\\((?:(?!&&|&&&).)*true\\);',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'error-handling',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} initializes state to true without verifying dependent data: {match}. Consider defaulting to false and setting true only when prerequisites are confirmed.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Default the useState flag to false and set it to true only after confirming the dependent value (e.g., email, config) exists. Use a useEffect or derive the initial value from props.',
+        confirmationCount: 1,
+    },
+    // ─── TYPE SAFETY ────────────────────────────────────────────
+    {
+        id: 'starter_typesafety_truthy_array_guard',
+        pattern: {
+            id: 'starter_typesafety_truthy_array_guard',
+            description: 'Using `|| []` to guard against non-array inputs fails for empty objects `{}` (which are truthy). Use Array.isArray() for correct type narrowing before calling .map().',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(\\w+)\\.map\\(.*\\)\\s*=>\\s*\\((\\w+)\\.map.*|\\1||\\[\\]\\)',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'type-safety',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} uses truthy guard instead of Array.isArray(): {match}. Empty objects {} will pass the truthy check and throw on .map().',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Replace `value || []` with `Array.isArray(value) ? value : []` before calling .map() to correctly handle non-array truthy values like empty objects.',
+        confirmationCount: 1,
+    },
+    // ─── REACT PATTERNS ────────────────────────────────────────
+    {
+        id: 'starter_react_ref_mutation_during_render',
+        pattern: {
+            id: 'starter_react_ref_mutation_during_render',
+            description: 'Mutating Refs (.current.set(), .current.push()) directly during render violates React rules and causes inconsistent UI. Move mutations to useEffect hooks.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '(\\s*const\\s+\\w+\\s*=\\s*[\\[\\(]\\w+\\.forEach.*?\\{[^}]*Ref\\.|\\.current\\.set\\(|\\.current\\.push\\()',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'react-best-practices',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} mutates a Ref during render: {match}. Wrap in useEffect to avoid inconsistent state.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Move Ref mutations (.current.set(), .current.push()) into a useEffect hook with appropriate dependency arrays.',
+        confirmationCount: 1,
+    },
+    // ─── VALIDATION ─────────────────────────────────────────────
+    {
+        id: 'starter_validation_form_submit_no_check',
+        pattern: {
+            id: 'starter_validation_form_submit_no_check',
+            description: 'Calling formRef.current.submit() or .reset() without checking form validity bypasses HTML5 validation constraints, allowing invalid data to be submitted.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '\\s+formRef\\.current\\?\\.(submit|reset)\\(',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'validation',
+            severity: 'medium',
+            evidenceTemplate: '{file}:{line} submits form without validity check: {match}. Call formRef.current.checkValidity() first.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Guard manual form submission with a validity check: if (formRef.current?.checkValidity()) { formRef.current.submit(); }',
+        confirmationCount: 1,
+    },
+    // ─── LOGGING ────────────────────────────────────────────────
+    {
+        id: 'starter_logging_console_with_objects',
+        pattern: {
+            id: 'starter_logging_console_with_objects',
+            description: 'Direct console.error/log/warn calls with non-string arguments (objects, errors) bypass centralized logging infrastructure, causing inconsistent log formatting and missing observability.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: "(\\s)(?:console\\.error|console\\.log|console\\.info|console\\.warn)\\((?![\"'`])",
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'logging',
+            severity: 'medium',
+            evidenceTemplate: '{file}:{line} uses direct console call with non-string arg: {match}. Use a structured logger instead.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Replace direct console.error/log/warn calls with your application\'s structured logger (e.g., logger.error(), winston, pino) for consistent formatting and observability.',
+        confirmationCount: 1,
+    },
+    // ─── NULL SAFETY ────────────────────────────────────────────
+    {
+        id: 'starter_null_promise_all_conditional',
+        pattern: {
+            id: 'starter_null_promise_all_conditional',
+            description: 'Promise.all() with conditional expressions that may resolve to null can silently pass null values to subsequent function calls. Assign results to intermediate variables and check for null before use.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: 'await Promise\\.all\\(\\[([\\w\\s:<>]+)\\?.*?:.*?null,',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'null-safety',
+            severity: 'high',
+            evidenceTemplate: '{file}:{line} has Promise.all with conditional null: {match}. Destructure results and null-check before use.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Destructure Promise.all results into named variables and explicitly check for null before passing to subsequent function calls.',
+        confirmationCount: 1,
+    },
+    // ─── INTERNATIONALIZATION ───────────────────────────────────
+    {
+        id: 'starter_i18n_suspense_hardcoded_text',
+        pattern: {
+            id: 'starter_i18n_suspense_hardcoded_text',
+            description: 'String literals inside Suspense fallback components or other UI elements should be wrapped with i18n translation functions (Trans, t()) to support internationalization.',
+            kind: 'regex',
+            languages: ['typescript', 'javascript'],
+            regexPattern: '<Suspense[^>]*fallback=[^>]*><div[^>]*>([^<]+)</div>',
+            fileGlob: '**/*.{ts,tsx,js,jsx}',
+            matchBehavior: 'presence_is_bad',
+            claimCategory: 'i18n',
+            severity: 'medium',
+            evidenceTemplate: '{file}:{line} has hardcoded text in Suspense fallback: {match}. Wrap with <Trans> or t() for i18n support.',
+        },
+        status: 'promoted',
+        createdAt: NOW,
+        updatedAt: NOW,
+        fireCount: 0,
+        truePositiveCount: 0,
+        falsePositiveCount: 0,
+        sourceFindings: [],
+        source: 'bundled',
+        fixDescription: 'Wrap hardcoded string literals in Suspense fallbacks and other UI elements with the i18n translation component (e.g., <Trans>) or function (e.g., t()).',
+        confirmationCount: 1,
+    },
+];
+//# sourceMappingURL=starter-catalog.js.map

package/dist/lib/learned-rules/starter-catalog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"starter-catalog.js","sourceRoot":"","sources":["../../../src/lib/learned-rules/starter-catalog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,GAAG,GAAG,0BAA0B,CAAC;AAEvC,MAAM,CAAC,MAAM,aAAa,GAA2B;IACnD,+DAA+D;IAE/D;QACE,EAAE,EAAE,gCAAgC;QACpC,OAAO,EAAE;YACP,EAAE,EAAE,gCAAgC;YACpC,WAAW,EACT,oMAAoM;YACtM,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,0DAA0D;YACxE,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,UAAU;YACzB,QAAQ,EAAE,UAAU;YACpB,gBAAgB,EACd,yFAAyF;SAC5F;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,8HAA8H;QAChI,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,+BAA+B;QACnC,OAAO,EAAE;YACP,EAAE,EAAE,+BAA+B;YACnC,WAAW,EACT,yJAAyJ;YAC3J,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,2DAA2D;YACzE,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,UAAU;YACzB,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,0FAA0F;SAC7F;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,gJAAgJ;QAClJ,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,wCAAwC;QAC5C,OAAO,EAAE;YACP,EAAE,EAAE,wCAAwC;YAC5C,WAAW,EACT,gLAAgL;YAClL,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EACV,mFAAmF;YACrF,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,UAAU;YACzB,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,mGAAmG;SACtG;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,+IAA+I;QACjJ,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,uCAAuC;QAC3C,OAAO,EAAE;YACP,EAAE,EAAE,uCAAuC;YAC3C,WAAW,EACT,oKAAoK;YACtK,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,sCAAsC;YACpD,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,aAAa;YAC5B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,qHAAqH;SACxH;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,qJAAqJ;QACvJ,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,wCAAwC;QAC5C,OAAO,EAAE;YACP,EAAE,EAAE,wCAAwC;YAC5C,WAAW,EACT,qKAAqK;YACvK,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,2CAA2C;YACzD,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,gBAAgB;YAC/B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,gHAAgH;SACnH;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,wJAAwJ;QAC1J,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,oCAAoC;QACxC,OAAO,EAAE;YACP,EAAE,EAAE,oCAAoC;YACxC,WAAW,EACT,oJAAoJ;YACtJ,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,6CAA6C;YAC3D,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,gBAAgB;YAC/B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,0IAA0I;SAC7I;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,6IAA6I;QAC/I,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,0CAA0C;QAC9C,OAAO,EAAE;YACP,EAAE,EAAE,0CAA0C;YAC9C,WAAW,EACT,6JAA6J;YAC/J,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,yCAAyC;YACvD,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,iBAAiB;YAChC,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,0GAA0G;SAC7G;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,4HAA4H;QAC9H,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,mCAAmC;QACvC,OAAO,EAAE;YACP,EAAE,EAAE,mCAAmC;YACvC,WAAW,EACT,uKAAuK;YACzK,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EACV,+EAA+E;YACjF,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,gBAAgB;YAC/B,QAAQ,EAAE,QAAQ;YAClB,gBAAgB,EACd,sHAAsH;SACzH;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,sJAAsJ;QACxJ,iBAAiB,EAAE,CAAC;KACrB;IAED;QACE,EAAE,EAAE,qCAAqC;QACzC,OAAO,EAAE;YACP,EAAE,EAAE,qCAAqC;YACzC,WAAW,EACT,kLAAkL;YACpL,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EACV,kFAAkF;YACpF,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,gBAAgB;YAC/B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,yKAAyK;SAC5K;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,uLAAuL;QACzL,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,uCAAuC;QAC3C,OAAO,EAAE;YACP,EAAE,EAAE,uCAAuC;YAC3C,WAAW,EACT,wKAAwK;YAC1K,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,gEAAgE;YAC9E,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,aAAa;YAC5B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,uIAAuI;SAC1I;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,sJAAsJ;QACxJ,iBAAiB,EAAE,CAAC;KACrB;IAED,8DAA8D;IAE9D;QACE,EAAE,EAAE,0CAA0C;QAC9C,OAAO,EAAE;YACP,EAAE,EAAE,0CAA0C;YAC9C,WAAW,EACT,4JAA4J;YAC9J,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EACV,8GAA8G;YAChH,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,sBAAsB;YACrC,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,oGAAoG;SACvG;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,gHAAgH;QAClH,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,yCAAyC;QAC7C,OAAO,EAAE;YACP,EAAE,EAAE,yCAAyC;YAC7C,WAAW,EACT,2JAA2J;YAC7J,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,8CAA8C;YAC5D,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,YAAY;YAC3B,QAAQ,EAAE,QAAQ;YAClB,gBAAgB,EACd,yGAAyG;SAC5G;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,yHAAyH;QAC3H,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,sCAAsC;QAC1C,OAAO,EAAE;YACP,EAAE,EAAE,sCAAsC;YAC1C,WAAW,EACT,2LAA2L;YAC7L,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,mFAAmF;YACjG,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,SAAS;YACxB,QAAQ,EAAE,QAAQ;YAClB,gBAAgB,EACd,uGAAuG;SAC1G;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,2KAA2K;QAC7K,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,sCAAsC;QAC1C,OAAO,EAAE;YACP,EAAE,EAAE,sCAAsC;YAC1C,WAAW,EACT,yMAAyM;YAC3M,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,wDAAwD;YACtE,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,aAAa;YAC5B,QAAQ,EAAE,MAAM;YAChB,gBAAgB,EACd,8GAA8G;SACjH;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,iIAAiI;QACnI,iBAAiB,EAAE,CAAC;KACrB;IAED,+DAA+D;IAE/D;QACE,EAAE,EAAE,sCAAsC;QAC1C,OAAO,EAAE;YACP,EAAE,EAAE,sCAAsC;YAC1C,WAAW,EACT,0KAA0K;YAC5K,IAAI,EAAE,OAAO;YACb,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;YACvC,YAAY,EAAE,sDAAsD;YACpE,QAAQ,EAAE,sBAAsB;YAChC,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE,MAAM;YACrB,QAAQ,EAAE,QAAQ;YAClB,gBAAgB,EACd,4GAA4G;SAC/G;QACD,MAAM,EAAE,UAAU;QAClB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,CAAC;QACZ,iBAAiB,EAAE,CAAC;QACpB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,EAAE;QAClB,MAAM,EAAE,SAAkB;QAC1B,cAAc,EACZ,yJAAyJ;QAC3J,iBAAiB,EAAE,CAAC;KACrB;CACO,CAAC"}

package/dist/lib/learned-rules/types.d.ts

@@ -0,0 +1,196 @@
+/**
+ * Types for the self-expanding formal verification system (Phase 1).
+ *
+ * When the LLM verifier finds a bug and it's confirmed correct,
+ * the system extracts the pattern and codifies it as a deterministic rule.
+ * Future scans use the formal rule instead of the LLM.
+ */
+/** The kind of detection pattern extracted from a confirmed finding. */
+export type PatternKind = 'regex' | 'ast_pattern' | 'type_constraint';
+/** A generalizable pattern extracted from a confirmed LLM finding. */
+export interface ExtractedPattern {
+    /** Unique pattern ID (e.g., "lp_001"). */
+    readonly id: string;
+    /** Human-readable description of what this pattern catches. */
+    readonly description: string;
+    /** The kind of detection used. */
+    readonly kind: PatternKind;
+    /** Languages this pattern applies to. */
+    readonly languages: readonly string[];
+    /** The regex pattern string for detection (kind='regex'). */
+    readonly regexPattern?: string;
+    /** Glob for which files to scan. */
+    readonly fileGlob: string;
+    /** Whether the pattern should be PRESENT (and it's bad) or ABSENT (and it's bad if present). */
+    readonly matchBehavior: 'presence_is_bad' | 'absence_is_bad';
+    /** The original claim category that triggered this pattern. */
+    readonly claimCategory: string;
+    /** Severity when this pattern fires. */
+    readonly severity: 'critical' | 'high' | 'medium';
+    /** Evidence template using {match}, {file}, etc. */
+    readonly evidenceTemplate: string;
+}
+/** Status lifecycle of a learned rule. */
+export type LearnedRuleStatus = 'candidate' | 'validated' | 'promoted' | 'rejected' | 'deprecated';
+/** A rule generated from a confirmed LLM finding. */
+export interface LearnedRule {
+    /** Unique rule ID (e.g., "lr_001"). */
+    readonly id: string;
+    /** The pattern this rule detects. */
+    readonly pattern: ExtractedPattern;
+    /** Current lifecycle status. */
+    readonly status: LearnedRuleStatus;
+    /** When the rule was first created. */
+    readonly createdAt: string;
+    /** When the rule was last updated. */
+    readonly updatedAt: string;
+    /** How many times this rule has fired across all scans. */
+    readonly fireCount: number;
+    /** How many times a human confirmed a fire was correct. */
+    readonly truePositiveCount: number;
+    /** How many times a human marked a fire as false positive. */
+    readonly falsePositiveCount: number;
+    /** The original finding that spawned this rule. */
+    readonly sourceFindings: readonly SourceFinding[];
+    /** Validation results from the harness. */
+    readonly validationResults?: ValidationResult;
+    /** Whether this rule was discovered via code scanning, PR review mining, or ships bundled. */
+    readonly source?: 'scan' | 'pr' | 'bundled';
+    /** Human-readable description of how to fix the detected issue. */
+    readonly fixDescription?: string;
+    /** Regex replacement pattern for auto-fix suggestions. */
+    readonly fixPattern?: string;
+    /** Number of distinct PRs/repos where this pattern was independently confirmed. */
+    readonly confirmationCount?: number;
+}
+/** Reference to the original LLM finding that spawned a learned rule. */
+export interface SourceFinding {
+    /** The claim ID from the original verification. */
+    readonly claimId: string;
+    /** Description of the claim. */
+    readonly claimDescription: string;
+    /** The code snippet that contained the bug. */
+    readonly codeSnippet: string;
+    /** The file path where the bug was found. */
+    readonly filePath: string;
+    /** The language of the code. */
+    readonly language: string;
+    /** When this finding was recorded. */
+    readonly timestamp: string;
+}
+/** Results from running a rule through the validation harness. */
+export interface ValidationResult {
+    /** Whether the rule passed validation. */
+    readonly passed: boolean;
+    /** True positives: correctly flagged known-bad code. */
+    readonly truePositives: number;
+    /** False positives: incorrectly flagged known-good code. */
+    readonly falsePositives: number;
+    /** True negatives: correctly passed known-good code. */
+    readonly trueNegatives: number;
+    /** False negatives: missed known-bad code. */
+    readonly falseNegatives: number;
+    /** Precision = TP / (TP + FP). */
+    readonly precision: number;
+    /** Recall = TP / (TP + FN). */
+    readonly recall: number;
+    /** Validation timestamp. */
+    readonly validatedAt: string;
+    /** Synthetic test cases used. */
+    readonly testCases: readonly TestCase[];
+}
+/** A test case for validating a learned rule. */
+export interface TestCase {
+    /** Description of what this test case checks. */
+    readonly description: string;
+    /** The code to test. */
+    readonly code: string;
+    /** Whether this code SHOULD trigger the rule. */
+    readonly shouldMatch: boolean;
+    /** Whether the rule DID match. */
+    readonly didMatch: boolean;
+}
+/** Input to the pattern extractor. */
+export interface PatternExtractionInput {
+    /** The verified claim (LLM found a real bug). */
+    readonly claim: {
+        readonly id: string;
+        readonly category: string;
+        readonly severity: 'critical' | 'high' | 'medium' | 'low';
+        readonly description: string;
+        readonly assertion: string;
+    };
+    /** The verification result (confirmed FAIL). */
+    readonly verification: {
+        readonly verdict: 'FAIL';
+        readonly reasoning: string;
+        readonly evidence?: string;
+    };
+    /** The code that was verified. */
+    readonly code: string;
+    /** The language of the code. */
+    readonly language: string;
+    /** The file path of the code. */
+    readonly filePath: string;
+}
+/** Output of the pattern extractor. */
+export interface PatternExtractionResult {
+    /** Whether extraction succeeded. */
+    readonly success: boolean;
+    /** The extracted pattern, if successful. */
+    readonly pattern?: ExtractedPattern;
+    /** Why extraction failed, if it did. */
+    readonly failureReason?: string;
+}
+/** A review comment from a PR code review. */
+export interface PRReviewComment {
+    readonly body: string;
+    readonly path: string;
+    readonly line: number | null;
+}
+/** A merged PR discovered for rule mining. */
+export interface DiscoveredPR {
+    readonly repo: string;
+    readonly prNumber: number;
+    readonly title: string;
+    readonly labels: string[];
+    readonly mergeCommit: string;
+    readonly reviewComments: PRReviewComment[];
+    readonly files: string[];
+}
+/** A single hunk from a parsed PR diff. */
+export interface DiffHunk {
+    readonly file: string;
+    readonly removedLines: string[];
+    readonly addedLines: string[];
+    readonly context: string[];
+    readonly startLine: number;
+}
+/** A PR with its parsed diff hunks. */
+export interface ParsedPRDiff {
+    readonly pr: DiscoveredPR;
+    readonly hunks: DiffHunk[];
+}
+/** A generalized rule extracted from PR review patterns. */
+export interface GeneralizedRule {
+    readonly category: string;
+    readonly severity: 'low' | 'medium' | 'high' | 'critical';
+    readonly description: string;
+    readonly detection: {
+        readonly pattern: string;
+        readonly language: string;
+    };
+    readonly fix: {
+        readonly description: string;
+        readonly pattern: string;
+    };
+    readonly fileGlob: string;
+    readonly matchBehavior: 'presence_is_bad' | 'absence_is_bad';
+    readonly evidenceTemplate: string;
+    readonly provenance: {
+        readonly repo: string;
+        readonly pr: number;
+        readonly file: string;
+        readonly reviewComment?: string;
+    };
+}

package/dist/lib/learned-rules/types.js

@@ -0,0 +1,9 @@
+/**
+ * Types for the self-expanding formal verification system (Phase 1).
+ *
+ * When the LLM verifier finds a bug and it's confirmed correct,
+ * the system extracts the pattern and codifies it as a deterministic rule.
+ * Future scans use the formal rule instead of the LLM.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/lib/learned-rules/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/lib/learned-rules/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/lib/learned-rules/validation-harness.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Validation Harness — tests learned rules before promotion to the formal catalog.
+ *
+ * Every auto-generated rule must pass validation:
+ * 1. Fires correctly on the ORIGINAL code that triggered it
+ * 2. Fires correctly on synthetic "known-bad" variations
+ * 3. Does NOT fire on synthetic "known-good" variations
+ *
+ * Only rules with precision >= 0.8 and recall >= 0.5 are promoted.
+ */
+import type { LearnedRule, ValidationResult } from './types.js';
+/**
+ * Validate a learned rule against synthetic test cases.
+ *
+ * @param rule - The candidate rule to validate.
+ * @returns The validation result with precision/recall metrics.
+ */
+export declare function validateRule(rule: LearnedRule): ValidationResult;
+/**
+ * Get the validation thresholds.
+ */
+export declare function getValidationThresholds(): {
+    minPrecision: number;
+    minRecall: number;
+    minTestCases: number;
+};