tryassay 0.29.0 → 0.30.1

package/dist/lib/learned-rules/validation-harness.js

@@ -0,0 +1,260 @@
+/**
+ * Validation Harness — tests learned rules before promotion to the formal catalog.
+ *
+ * Every auto-generated rule must pass validation:
+ * 1. Fires correctly on the ORIGINAL code that triggered it
+ * 2. Fires correctly on synthetic "known-bad" variations
+ * 3. Does NOT fire on synthetic "known-good" variations
+ *
+ * Only rules with precision >= 0.8 and recall >= 0.5 are promoted.
+ */
+import { executeRule } from './rule-codifier.js';
+// ── Thresholds ───────────────────────────────────────────────
+const MIN_PRECISION = 0.8; // At most 20% false positive rate
+const MIN_RECALL = 0.5; // Catch at least half the real bugs
+const MIN_TEST_CASES = 3; // At least 3 test cases required
+// ── Synthetic Test Case Generation ───────────────────────────
+/**
+ * Generate synthetic test cases from the original source finding.
+ * Creates variations of the original code that should and shouldn't
+ * trigger the rule.
+ */
+function generateTestCases(rule) {
+    const cases = [];
+    const pattern = rule.pattern;
+    // Test 1: Original code should trigger the rule
+    for (const finding of rule.sourceFindings) {
+        cases.push({
+            description: `Original finding: ${finding.claimDescription}`,
+            code: finding.codeSnippet,
+            shouldMatch: pattern.matchBehavior === 'presence_is_bad',
+            didMatch: false, // Will be filled during validation
+        });
+    }
+    // Test 2: Generate "fixed" version that should NOT trigger
+    for (const finding of rule.sourceFindings) {
+        const fixedCode = generateFixedCode(finding.codeSnippet, pattern, finding.language);
+        if (fixedCode) {
+            cases.push({
+                description: `Fixed version of: ${finding.claimDescription}`,
+                code: fixedCode,
+                shouldMatch: false,
+                didMatch: false,
+            });
+        }
+    }
+    // Test 3: Generate additional "bad" variations
+    for (const finding of rule.sourceFindings) {
+        const variation = generateBadVariation(finding.codeSnippet, pattern, finding.language);
+        if (variation) {
+            cases.push({
+                description: `Bad variation of: ${finding.claimDescription}`,
+                code: variation,
+                shouldMatch: pattern.matchBehavior === 'presence_is_bad',
+                didMatch: false,
+            });
+        }
+    }
+    // Test 4: Known-good code that should never trigger
+    const safeCode = generateSafeCode(pattern, rule.sourceFindings[0]?.language ?? 'typescript');
+    if (safeCode) {
+        cases.push({
+            description: 'Known-good code (should not trigger)',
+            code: safeCode,
+            shouldMatch: false,
+            didMatch: false,
+        });
+    }
+    return cases;
+}
+/**
+ * Generate a "fixed" version of buggy code.
+ * Applies the obvious fix based on the pattern category.
+ */
+function generateFixedCode(code, pattern, language) {
+    const lang = language.toLowerCase();
+    const category = pattern.claimCategory;
+    if (category === 'error-handling') {
+        // Wrap in try/catch
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return `try {\n${code}\n} catch (error) {\n  console.error('Operation failed:', error);\n  throw error;\n}`;
+        }
+        if (['py', 'python'].includes(lang)) {
+            const indented = code.split('\n').map(l => '    ' + l).join('\n');
+            return `try:\n${indented}\nexcept Exception as e:\n    raise`;
+        }
+    }
+    if (category === 'security' && pattern.regexPattern?.includes('SELECT|INSERT|UPDATE|DELETE')) {
+        // Replace string interpolation with parameterized query
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return code
+                .replace(/`([^`]*)\$\{(\w+)\}([^`]*)`/g, "'$1?' + ',$3'")
+                .replace(/(['"])([^'"]*)\1\s*\+\s*(\w+)/g, "'$2?'")
+                + '\n// Parameters passed separately: [userId]';
+        }
+    }
+    if (category === 'edge-case' || category === 'correctness') {
+        // Add null check before the function body
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            const funcMatch = code.match(/(function\s+\w+\s*\([^)]*\)\s*\{)/);
+            if (funcMatch) {
+                return code.replace(funcMatch[1], funcMatch[1] + '\n  if (arguments[0] === null || arguments[0] === undefined) throw new Error("Invalid input");');
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Generate a "bad" variation of buggy code.
+ * Creates a similar but different instance of the same bug class.
+ */
+function generateBadVariation(code, pattern, language) {
+    const lang = language.toLowerCase();
+    if (pattern.claimCategory === 'error-handling') {
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            // Generate another async call without error handling
+            return `async function processData(input: unknown) {\n  const result = await fetch('/api/data');\n  return result.json();\n}`;
+        }
+    }
+    if (pattern.claimCategory === 'security') {
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return 'const query = `SELECT * FROM users WHERE id = ${userId}`;';
+        }
+    }
+    return null;
+}
+/**
+ * Generate known-good code that should never trigger the rule.
+ */
+function generateSafeCode(pattern, language) {
+    const lang = language.toLowerCase();
+    if (pattern.claimCategory === 'error-handling') {
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return `async function safeOp() {\n  try {\n    const result = await fetch('/api/data');\n    return await result.json();\n  } catch (error) {\n    console.error('Failed:', error);\n    throw error;\n  }\n}`;
+        }
+    }
+    if (pattern.claimCategory === 'security') {
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return "const result = await db.query('SELECT * FROM users WHERE id = ?', [userId]);";
+        }
+    }
+    if (pattern.claimCategory === 'edge-case' || pattern.claimCategory === 'correctness') {
+        if (['ts', 'tsx', 'typescript', 'js', 'jsx', 'javascript'].includes(lang)) {
+            return `function safeProcess(input: string | null) {\n  if (input === null || input === undefined) {\n    throw new Error('Input required');\n  }\n  return input.trim();\n}`;
+        }
+    }
+    return null;
+}
+// ── Validation Execution ─────────────────────────────────────
+/**
+ * Validate a learned rule against synthetic test cases.
+ *
+ * @param rule - The candidate rule to validate.
+ * @returns The validation result with precision/recall metrics.
+ */
+export function validateRule(rule) {
+    const testCases = generateTestCases(rule);
+    // PR-sourced rules: if we have fewer synthetic cases but the regex fires on
+    // the original buggy code, accept it. The merged PR is the human confirmation.
+    if (testCases.length < MIN_TEST_CASES && rule.source === 'pr') {
+        return validatePRRule(rule, testCases);
+    }
+    if (testCases.length < MIN_TEST_CASES) {
+        return {
+            passed: false,
+            truePositives: 0,
+            falsePositives: 0,
+            trueNegatives: 0,
+            falseNegatives: 0,
+            precision: 0,
+            recall: 0,
+            validatedAt: new Date().toISOString(),
+            testCases,
+        };
+    }
+    // Run each test case
+    const language = rule.sourceFindings[0]?.language ?? 'typescript';
+    const executedCases = [];
+    let tp = 0, fp = 0, tn = 0, fn = 0;
+    for (const testCase of testCases) {
+        const { fires } = executeRule(rule, testCase.code, language);
+        const executed = {
+            ...testCase,
+            didMatch: fires,
+        };
+        executedCases.push(executed);
+        if (testCase.shouldMatch && fires)
+            tp++;
+        else if (testCase.shouldMatch && !fires)
+            fn++;
+        else if (!testCase.shouldMatch && fires)
+            fp++;
+        else
+            tn++;
+    }
+    const precision = tp + fp > 0 ? tp / (tp + fp) : 0;
+    const recall = tp + fn > 0 ? tp / (tp + fn) : 0;
+    const passed = precision >= MIN_PRECISION && recall >= MIN_RECALL;
+    return {
+        passed,
+        truePositives: tp,
+        falsePositives: fp,
+        trueNegatives: tn,
+        falseNegatives: fn,
+        precision,
+        recall,
+        validatedAt: new Date().toISOString(),
+        testCases: executedCases,
+    };
+}
+/**
+ * Lightweight validation for PR-sourced rules.
+ * The merged PR is the human confirmation — we just need to verify
+ * the regex actually fires on the buggy code from the diff.
+ */
+function validatePRRule(rule, testCases) {
+    const language = rule.sourceFindings[0]?.language ?? 'typescript';
+    let firesOnOriginal = false;
+    // Test: does the regex fire on any source finding's code snippet?
+    for (const finding of rule.sourceFindings) {
+        if (!finding.codeSnippet || finding.codeSnippet.startsWith('PR #'))
+            continue;
+        const { fires } = executeRule(rule, finding.codeSnippet, language);
+        if (fires) {
+            firesOnOriginal = true;
+            break;
+        }
+    }
+    // Also check: does it compile as valid regex?
+    let regexValid = false;
+    try {
+        if (rule.pattern.regexPattern) {
+            new RegExp(rule.pattern.regexPattern, 'gi');
+            regexValid = true;
+        }
+    }
+    catch { /* invalid */ }
+    const passed = firesOnOriginal && regexValid;
+    return {
+        passed,
+        truePositives: firesOnOriginal ? 1 : 0,
+        falsePositives: 0,
+        trueNegatives: 0,
+        falseNegatives: firesOnOriginal ? 0 : 1,
+        precision: firesOnOriginal ? 1.0 : 0,
+        recall: firesOnOriginal ? 1.0 : 0,
+        validatedAt: new Date().toISOString(),
+        testCases,
+    };
+}
+/**
+ * Get the validation thresholds.
+ */
+export function getValidationThresholds() {
+    return {
+        minPrecision: MIN_PRECISION,
+        minRecall: MIN_RECALL,
+        minTestCases: MIN_TEST_CASES,
+    };
+}
+//# sourceMappingURL=validation-harness.js.map

package/dist/lib/learned-rules/validation-harness.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation-harness.js","sourceRoot":"","sources":["../../../src/lib/learned-rules/validation-harness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,gEAAgE;AAEhE,MAAM,aAAa,GAAG,GAAG,CAAC,CAAG,kCAAkC;AAC/D,MAAM,UAAU,GAAG,GAAG,CAAC,CAAM,oCAAoC;AACjE,MAAM,cAAc,GAAG,CAAC,CAAC,CAAI,iCAAiC;AAE9D,gEAAgE;AAEhE;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,IAAiB;IAC1C,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAE7B,gDAAgD;IAChD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC;YACT,WAAW,EAAE,qBAAqB,OAAO,CAAC,gBAAgB,EAAE;YAC5D,IAAI,EAAE,OAAO,CAAC,WAAW;YACzB,WAAW,EAAE,OAAO,CAAC,aAAa,KAAK,iBAAiB;YACxD,QAAQ,EAAE,KAAK,EAAE,mCAAmC;SACrD,CAAC,CAAC;IACL,CAAC;IAED,2DAA2D;IAC3D,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpF,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC;gBACT,WAAW,EAAE,qBAAqB,OAAO,CAAC,gBAAgB,EAAE;gBAC5D,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE,KAAK;gBAClB,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,oBAAoB,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvF,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC;gBACT,WAAW,EAAE,qBAAqB,OAAO,CAAC,gBAAgB,EAAE;gBAC5D,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE,OAAO,CAAC,aAAa,KAAK,iBAAiB;gBACxD,QAAQ,EAAE,KAAK;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,QAAQ,IAAI,YAAY,CAAC,CAAC;IAC7F,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,WAAW,EAAE,sCAAsC;YACnD,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,KAAK;YAClB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CACxB,IAAY,EACZ,OAAyD,EACzD,QAAgB;IAEhB,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC;IAEvC,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;QAClC,oBAAoB;QACpB,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,UAAU,IAAI,sFAAsF,CAAC;QAC9G,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClE,OAAO,SAAS,QAAQ,qCAAqC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,YAAY,EAAE,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;QAC7F,wDAAwD;QACxD,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,IAAI;iBACR,OAAO,CAAC,8BAA8B,EAAE,eAAe,CAAC;iBACxD,OAAO,CAAC,gCAAgC,EAAE,OAAO,CAAC;kBACjD,6CAA6C,CAAC;QACpD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC3D,0CAA0C;QAC1C,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;YAClE,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,IAAI,CAAC,OAAO,CACjB,SAAS,CAAC,CAAC,CAAC,EACZ,SAAS,CAAC,CAAC,CAAC,GAAG,gGAAgG,CAChH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAC3B,IAAY,EACZ,OAAkC,EAClC,QAAgB;IAEhB,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEpC,IAAI,OAAO,CAAC,aAAa,KAAK,gBAAgB,EAAE,CAAC;QAC/C,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,qDAAqD;YACrD,OAAO,sHAAsH,CAAC;QAChI,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,KAAK,UAAU,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,2DAA2D,CAAC;QACrE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,OAAkC,EAClC,QAAgB;IAEhB,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEpC,IAAI,OAAO,CAAC,aAAa,KAAK,gBAAgB,EAAE,CAAC;QAC/C,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,wMAAwM,CAAC;QAClN,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,KAAK,UAAU,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,8EAA8E,CAAC;QACxF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,KAAK,WAAW,IAAI,OAAO,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;QACrF,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO,sKAAsK,CAAC;QAChL,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gEAAgE;AAEhE;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAAiB;IAC5C,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAE1C,4EAA4E;IAC5E,+EAA+E;IAC/E,IAAI,SAAS,CAAC,MAAM,GAAG,cAAc,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;QAC9D,OAAO,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QACtC,OAAO;YACL,MAAM,EAAE,KAAK;YACb,aAAa,EAAE,CAAC;YAChB,cAAc,EAAE,CAAC;YACjB,aAAa,EAAE,CAAC;YAChB,cAAc,EAAE,CAAC;YACjB,SAAS,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC;YACT,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,SAAS;SACV,CAAC;IACJ,CAAC;IAED,qBAAqB;IACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,QAAQ,IAAI,YAAY,CAAC;IAClE,MAAM,aAAa,GAAe,EAAE,CAAC;IACrC,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAEnC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE7D,MAAM,QAAQ,GAAa;YACzB,GAAG,QAAQ;YACX,QAAQ,EAAE,KAAK;SAChB,CAAC;QACF,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE7B,IAAI,QAAQ,CAAC,WAAW,IAAI,KAAK;YAAE,EAAE,EAAE,CAAC;aACnC,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,KAAK;YAAE,EAAE,EAAE,CAAC;aACzC,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,KAAK;YAAE,EAAE,EAAE,CAAC;;YACzC,EAAE,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,SAAS,IAAI,aAAa,IAAI,MAAM,IAAI,UAAU,CAAC;IAElE,OAAO;QACL,MAAM;QACN,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,SAAS;QACT,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,SAAS,EAAE,aAAa;KACzB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,IAAiB,EAAE,SAAqB;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,QAAQ,IAAI,YAAY,CAAC;IAClE,IAAI,eAAe,GAAG,KAAK,CAAC;IAE5B,kEAAkE;IAClE,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,IAAI,CAAC,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,SAAS;QAC7E,MAAM,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACnE,IAAI,KAAK,EAAE,CAAC;YACV,eAAe,GAAG,IAAI,CAAC;YACvB,MAAM;QACR,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YAC9B,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YAC5C,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;IAEzB,MAAM,MAAM,GAAG,eAAe,IAAI,UAAU,CAAC;IAE7C,OAAO;QACL,MAAM;QACN,aAAa,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,cAAc,EAAE,CAAC;QACjB,aAAa,EAAE,CAAC;QAChB,cAAc,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACjC,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IAKrC,OAAO;QACL,YAAY,EAAE,aAAa;QAC3B,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,cAAc;KAC7B,CAAC;AACJ,CAAC"}

package/dist/lib/rule-harvester/diff-parser.d.ts

@@ -0,0 +1,9 @@
+import type { DiffHunk } from '../learned-rules/types.js';
+/**
+ * Parse a GitHub PR file `patch` string (unified diff format) into typed hunks.
+ */
+export declare function parsePatch(filePath: string, patch: string): DiffHunk[];
+/**
+ * Filter out noise hunks: import-only, comment-only, whitespace-only, <2 meaningful lines.
+ */
+export declare function filterHunks(hunks: DiffHunk[]): DiffHunk[];

package/dist/lib/rule-harvester/diff-parser.js

@@ -0,0 +1,77 @@
+/**
+ * Parse a GitHub PR file `patch` string (unified diff format) into typed hunks.
+ */
+export function parsePatch(filePath, patch) {
+    if (!patch)
+        return [];
+    const hunks = [];
+    const lines = patch.split('\n');
+    let currentHunk = null;
+    for (const line of lines) {
+        const headerMatch = line.match(/^@@ -(\d+)/);
+        if (headerMatch) {
+            if (currentHunk) {
+                hunks.push(makeHunk(filePath, currentHunk));
+            }
+            currentHunk = {
+                removed: [],
+                added: [],
+                context: [],
+                startLine: parseInt(headerMatch[1], 10),
+            };
+            continue;
+        }
+        if (!currentHunk)
+            continue;
+        if (line.startsWith('-')) {
+            currentHunk.removed.push(line.slice(1));
+        }
+        else if (line.startsWith('+')) {
+            currentHunk.added.push(line.slice(1));
+        }
+        else if (line.startsWith(' ')) {
+            currentHunk.context.push(line);
+        }
+    }
+    if (currentHunk) {
+        hunks.push(makeHunk(filePath, currentHunk));
+    }
+    return hunks;
+}
+function makeHunk(file, raw) {
+    return {
+        file,
+        removedLines: raw.removed,
+        addedLines: raw.added,
+        context: raw.context,
+        startLine: raw.startLine,
+    };
+}
+/**
+ * Filter out noise hunks: import-only, comment-only, whitespace-only, <2 meaningful lines.
+ */
+export function filterHunks(hunks) {
+    return hunks.filter((hunk) => {
+        const removed = hunk.removedLines;
+        const added = hunk.addedLines;
+        if (Math.max(removed.length, added.length) < 2)
+            return false;
+        const allImports = [...removed, ...added].every((l) => l.trim().startsWith('import ') || (l.trim().startsWith('export ') && l.includes('from')));
+        if (allImports)
+            return false;
+        const allComments = [...removed, ...added].every((l) => {
+            const trimmed = l.trim();
+            return trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*') || trimmed === '';
+        });
+        if (allComments)
+            return false;
+        const removedNormalized = removed.map((l) => l.replace(/\s+/g, ' ').trim());
+        const addedNormalized = added.map((l) => l.replace(/\s+/g, ' ').trim());
+        if (removedNormalized.length === addedNormalized.length &&
+            removedNormalized.every((l, i) => l === addedNormalized[i])) {
+            return false;
+        }
+        return true;
+    });
+}
+//# sourceMappingURL=diff-parser.js.map

package/dist/lib/rule-harvester/diff-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff-parser.js","sourceRoot":"","sources":["../../../src/lib/rule-harvester/diff-parser.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,KAAa;IACxD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IAEtB,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,WAAW,GAAwF,IAAI,CAAC;IAE5G,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,WAAW,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;YAC9C,CAAC;YACD,WAAW,GAAG;gBACZ,OAAO,EAAE,EAAE;gBACX,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;aACxC,CAAC;YACF,SAAS;QACX,CAAC;QAED,IAAI,CAAC,WAAW;YAAE,SAAS;QAE3B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CACf,IAAY,EACZ,GAAiF;IAEjF,OAAO;QACL,IAAI;QACJ,YAAY,EAAE,GAAG,CAAC,OAAO;QACzB,UAAU,EAAE,GAAG,CAAC,KAAK;QACrB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAiB;IAC3C,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC;QAE9B,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAE7D,MAAM,UAAU,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,KAAK,CAAC,CAAC,KAAK,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAChG,CAAC;QACF,IAAI,UAAU;YAAE,OAAO,KAAK,CAAC;QAE7B,MAAM,WAAW,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YACrD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzB,OAAO,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,KAAK,EAAE,CAAC;QAC3G,CAAC,CAAC,CAAC;QACH,IAAI,WAAW;YAAE,OAAO,KAAK,CAAC;QAE9B,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5E,MAAM,eAAe,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACxE,IACE,iBAAiB,CAAC,MAAM,KAAK,eAAe,CAAC,MAAM;YACnD,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC,CAAC,CAAC,EAC3D,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/lib/rule-harvester/file-selector.d.ts

@@ -0,0 +1,10 @@
+export type FileCandidate = {
+    path: string;
+    lineCount: number;
+};
+export type SelectedFile = {
+    path: string;
+    reason: string;
+    priority: number;
+};
+export declare function selectFiles(candidates: FileCandidate[]): SelectedFile[];

package/dist/lib/rule-harvester/file-selector.js

@@ -0,0 +1,59 @@
+const MAX_FILES = 20;
+const MAX_LINE_COUNT = 800;
+const SKIP_PATTERNS = [
+    /\.test\./,
+    /\.spec\./,
+    /__tests__\//,
+    /\.d\.ts$/,
+    /\.config\.(js|ts)$/,
+    /tsconfig/,
+    /package\.json$/,
+    /\/generated\//,
+    /node_modules/,
+    /tailwind\.config/,
+    /next\.config/,
+    /vite\.config/,
+    /jest\.config/,
+    /vitest\.config/,
+    /eslint\.config/,
+    /prettier\.config/,
+    /\.eslintrc/,
+    /\.prettierrc/,
+];
+function shouldSkip(path) {
+    return SKIP_PATTERNS.some((pattern) => pattern.test(path));
+}
+function assignPriority(path) {
+    if (/\/api\/|\/routes\/|\/middleware\//.test(path)) {
+        return { priority: 1, reason: 'API/route/middleware file' };
+    }
+    if (/\/auth/.test(path)) {
+        return { priority: 2, reason: 'Auth-related file' };
+    }
+    if (/\/db\/|\/database\/|\/models\/|\/entities\//.test(path)) {
+        return { priority: 3, reason: 'Database/model file' };
+    }
+    if (/\/services\/|\/handlers\/|\/controllers\//.test(path)) {
+        return { priority: 4, reason: 'Service/handler/controller file' };
+    }
+    if (/\/lib\/|\/utils\/|\/helpers\//.test(path)) {
+        return { priority: 5, reason: 'Library/utility/helper file' };
+    }
+    if (/\.ts$/.test(path)) {
+        return { priority: 6, reason: 'TypeScript file' };
+    }
+    if (/\.tsx$/.test(path)) {
+        return { priority: 7, reason: 'TypeScript React file' };
+    }
+    return { priority: 99, reason: 'Other file' };
+}
+export function selectFiles(candidates) {
+    const filtered = candidates.filter((c) => !shouldSkip(c.path) && c.lineCount <= MAX_LINE_COUNT);
+    const scored = filtered.map((c) => {
+        const { priority, reason } = assignPriority(c.path);
+        return { path: c.path, reason, priority };
+    });
+    scored.sort((a, b) => a.priority - b.priority);
+    return scored.slice(0, MAX_FILES);
+}
+//# sourceMappingURL=file-selector.js.map

package/dist/lib/rule-harvester/file-selector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-selector.js","sourceRoot":"","sources":["../../../src/lib/rule-harvester/file-selector.ts"],"names":[],"mappings":"AAWA,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,cAAc,GAAG,GAAG,CAAC;AAE3B,MAAM,aAAa,GAAa;IAC9B,UAAU;IACV,UAAU;IACV,aAAa;IACb,UAAU;IACV,oBAAoB;IACpB,UAAU;IACV,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,kBAAkB;IAClB,cAAc;IACd,cAAc;IACd,cAAc;IACd,gBAAgB;IAChB,gBAAgB;IAChB,kBAAkB;IAClB,YAAY;IACZ,cAAc;CACf,CAAC;AAEF,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAC9D,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,2CAA2C,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;IAChE,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACpD,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAC1D,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,UAA2B;IACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,IAAI,cAAc,CAC5D,CAAC;IAEF,MAAM,MAAM,GAAmB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAChD,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACpD,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;IAE/C,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AACpC,CAAC"}

package/dist/lib/rule-harvester/ground-truth.d.ts

@@ -0,0 +1,19 @@
+export interface ClaimForConfirmation {
+    claimId: string;
+    category: string;
+    description: string;
+    verdict: string;
+}
+export interface GroundTruthResult {
+    claimId: string;
+    confirmed: boolean;
+    method: 'compiler' | 'test' | 'grep';
+    evidence: string;
+}
+export declare function runTscCheck(repoDir: string): {
+    errors: string;
+    exitCode: number;
+} | null;
+export declare function tscReportsErrorInFile(tscOutput: string, filePath: string): boolean;
+export declare function confirmByGrep(code: string, claim: ClaimForConfirmation): GroundTruthResult;
+export declare function parseConfirmation(code: string, claim: ClaimForConfirmation, tscOutput: string | null, filePath: string): GroundTruthResult;

package/dist/lib/rule-harvester/ground-truth.js

@@ -0,0 +1,156 @@
+import { execSync } from 'node:child_process';
+export function runTscCheck(repoDir) {
+    try {
+        execSync('npx tsc --noEmit 2>&1', {
+            cwd: repoDir,
+            timeout: 120_000,
+            encoding: 'utf-8',
+        });
+        return { errors: '', exitCode: 0 };
+    }
+    catch (err) {
+        const e = err;
+        if (e.status === undefined) {
+            return null;
+        }
+        const combined = ((e.stdout ?? '') + (e.stderr ?? '')).trim();
+        return { errors: combined, exitCode: e.status };
+    }
+}
+export function tscReportsErrorInFile(tscOutput, filePath) {
+    return tscOutput.includes(filePath);
+}
+export function confirmByGrep(code, claim) {
+    const cat = claim.category.toLowerCase();
+    const desc = claim.description.toLowerCase();
+    // error-handling: await without surrounding try/catch or .catch()
+    if (cat.includes('error-handling') ||
+        desc.includes('error handling') ||
+        desc.includes('try/catch')) {
+        const hasAwait = /\bawait\b/.test(code);
+        const hasTryCatch = /\btry\s*\{/.test(code);
+        const hasCatchChain = /\.catch\s*\(/.test(code);
+        const confirmed = hasAwait && !hasTryCatch && !hasCatchChain;
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found await without try/catch or .catch()'
+                : 'await is wrapped in try/catch or .catch()',
+        };
+    }
+    // security + SQL injection: template literals with SQL keywords and ${
+    if ((cat.includes('security') &&
+        (desc.includes('sql') ||
+            desc.includes('injection') ||
+            desc.includes('query'))) ||
+        cat.includes('injection')) {
+        const sqlTemplatePattern = /`[^`]*(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)[^`]*\$\{/i;
+        const confirmed = sqlTemplatePattern.test(code);
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found SQL template literal with ${} interpolation'
+                : 'No SQL injection pattern found',
+        };
+    }
+    // hardcoded secrets: key|secret|token|password|api_key = "long_string"
+    if (cat.includes('hardcoded') ||
+        cat.includes('secret') ||
+        desc.includes('hardcoded') ||
+        desc.includes('secret') ||
+        desc.includes('api key') ||
+        desc.includes('api_key')) {
+        const secretPattern = /\b(?:key|secret|token|password|api_key)\s*=\s*["'][^"']{8,}["']/i;
+        const confirmed = secretPattern.test(code);
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found hardcoded secret assignment'
+                : 'No hardcoded secret pattern found',
+        };
+    }
+    // edge-case / null/undefined: nested property access without optional chaining or null checks
+    if (cat.includes('edge-case') ||
+        cat.includes('null') ||
+        cat.includes('undefined') ||
+        desc.includes('null') ||
+        desc.includes('undefined') ||
+        desc.includes('optional')) {
+        // Match a.b.c patterns where there's no ?. in the chain
+        const unsafeAccessPattern = /\b\w+\.\w+\.\w+/;
+        const safeAccessPattern = /\b\w+\??\.\w+\??\.\w+/;
+        const hasUnsafe = unsafeAccessPattern.test(code);
+        const hasSafe = /\?\.\w+/.test(code);
+        const confirmed = hasUnsafe && !hasSafe;
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found nested property access without optional chaining'
+                : 'Optional chaining or null checks present',
+        };
+    }
+    // input validation: req.body/params/query without validation
+    if (cat.includes('input validation') ||
+        cat.includes('validation') ||
+        desc.includes('input validation') ||
+        desc.includes('req.body') ||
+        desc.includes('req.params') ||
+        desc.includes('req.query')) {
+        const hasDirectAccess = /req\.(body|params|query)/.test(code);
+        const hasValidation = /validate|schema|zod|yup|joi|\.parse\(|\.safeParse\(/.test(code);
+        const confirmed = hasDirectAccess && !hasValidation;
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found req.body/params/query without validation'
+                : 'Validation present',
+        };
+    }
+    // unhandled promise: floating promise without await
+    if (cat.includes('unhandled promise') ||
+        cat.includes('promise') ||
+        desc.includes('unhandled promise') ||
+        desc.includes('floating promise')) {
+        // Look for function calls that return promises but are not awaited
+        const floatingPattern = /^\s+(?!.*await\s)\w+\s*\(.*\)\s*;/m;
+        const confirmed = floatingPattern.test(code);
+        return {
+            claimId: claim.claimId,
+            confirmed,
+            method: 'grep',
+            evidence: confirmed
+                ? 'Found potential floating promise (unawaited call)'
+                : 'No floating promise pattern found',
+        };
+    }
+    return {
+        claimId: claim.claimId,
+        confirmed: false,
+        method: 'grep',
+        evidence: `No grep strategy for category "${claim.category}"`,
+    };
+}
+export function parseConfirmation(code, claim, tscOutput, filePath) {
+    if (tscOutput !== null &&
+        claim.category.toLowerCase().includes('type-safety') &&
+        tscReportsErrorInFile(tscOutput, filePath)) {
+        return {
+            claimId: claim.claimId,
+            confirmed: true,
+            method: 'compiler',
+            evidence: `tsc reported error in ${filePath}`,
+        };
+    }
+    return confirmByGrep(code, claim);
+}
+//# sourceMappingURL=ground-truth.js.map

package/dist/lib/rule-harvester/ground-truth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ground-truth.js","sourceRoot":"","sources":["../../../src/lib/rule-harvester/ground-truth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAgB9C,MAAM,UAAU,WAAW,CACzB,OAAe;IAEf,IAAI,CAAC;QACH,QAAQ,CAAC,uBAAuB,EAAE;YAChC,GAAG,EAAE,OAAO;YACZ,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACrC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,GAA4D,CAAC;QACvE,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9D,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;IAClD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,SAAiB,EACjB,QAAgB;IAEhB,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,IAAY,EACZ,KAA2B;IAE3B,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,KAAK,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IAE7C,kEAAkE;IAClE,IACE,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAC9B,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAC/B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC1B,CAAC;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,QAAQ,IAAI,CAAC,WAAW,IAAI,CAAC,aAAa,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,2CAA2C;gBAC7C,CAAC,CAAC,2CAA2C;SAChD,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,IACE,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;QACvB,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC1B,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5B,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EACzB,CAAC;QACD,MAAM,kBAAkB,GACtB,0DAA0D,CAAC;QAC7D,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,mDAAmD;gBACrD,CAAC,CAAC,gCAAgC;SACrC,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,IACE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QACzB,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACtB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EACxB,CAAC;QACD,MAAM,aAAa,GACjB,kEAAkE,CAAC;QACrE,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,mCAAmC;gBACrC,CAAC,CAAC,mCAAmC;SACxC,CAAC;IACJ,CAAC;IAED,8FAA8F;IAC9F,IACE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QACzB,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QACpB,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EACzB,CAAC;QACD,wDAAwD;QACxD,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;QAC9C,MAAM,iBAAiB,GAAG,uBAAuB,CAAC;QAClD,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,SAAS,IAAI,CAAC,OAAO,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,wDAAwD;gBAC1D,CAAC,CAAC,0CAA0C;SAC/C,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,IACE,GAAG,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAChC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC1B,CAAC;QACD,MAAM,eAAe,GAAG,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,MAAM,aAAa,GACjB,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,eAAe,IAAI,CAAC,aAAa,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,gDAAgD;gBAClD,CAAC,CAAC,oBAAoB;SACzB,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,IACE,GAAG,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QACjC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;QACvB,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QAClC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EACjC,CAAC;QACD,mEAAmE;QACnE,MAAM,eAAe,GAAG,oCAAoC,CAAC;QAC7D,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,SAAS;gBACjB,CAAC,CAAC,mDAAmD;gBACrD,CAAC,CAAC,mCAAmC;SACxC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,kCAAkC,KAAK,CAAC,QAAQ,GAAG;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,IAAY,EACZ,KAA2B,EAC3B,SAAwB,EACxB,QAAgB;IAEhB,IACE,SAAS,KAAK,IAAI;QAClB,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC;QACpD,qBAAqB,CAAC,SAAS,EAAE,QAAQ,CAAC,EAC1C,CAAC;QACD,OAAO;YACL,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,IAAI;YACf,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,yBAAyB,QAAQ,EAAE;SAC9C,CAAC;IACJ,CAAC;IAED,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC"}

package/dist/lib/rule-harvester/harvest.d.ts

@@ -0,0 +1,26 @@
+export interface HarvestConfig {
+    repoList: Array<{
+        owner: string;
+        name: string;
+        category: string;
+    }>;
+    /** Assay project root — where rules go */
+    catalogPath: string;
+    /** Where progress.json lives */
+    progressDir: string;
+    /** Where run reports go */
+    runsDir: string;
+    /** Temp dir for clones (e.g. /private/tmp/assay-harvester) */
+    workDir: string;
+    /** Model name for reporting */
+    model: string;
+    /** Max repos to scan */
+    limit?: number;
+    /** Only scan these repos (owner/name format) */
+    repoFilter?: string[];
+    /** Skip completed repos */
+    resume?: boolean;
+    /** Logging callback */
+    onLog?: (msg: string) => void;
+}
+export declare function harvestRepos(config: HarvestConfig): Promise<void>;