vibecop 0.1.2 → 0.2.0

package/dist/cli.js

@@ -44,6 +44,7 @@ var __export = (target, all) => {
       set: __exportSetter.bind(all, name)
     });
 };
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // node_modules/commander/lib/error.js
@@ -9044,9 +9045,274 @@ var require_dist = __commonJS((exports) => {
   exports.visitAsync = visit.visitAsync;
 });
 
-// src/cli.ts
+// src/init.ts
+var exports_init = {};
+__export(exports_init, {
+  runInit: () => runInit
+});
 import { execSync } from "node:child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync5 } from "node:fs";
+import { existsSync as existsSync4, mkdirSync, readFileSync as readFileSync6, writeFileSync } from "node:fs";
+import { join as join5 } from "node:path";
+function detectTools(cwd) {
+  const tools = [];
+  tools.push({
+    name: "Claude Code",
+    detected: existsSync4(join5(cwd, ".claude")),
+    reason: existsSync4(join5(cwd, ".claude")) ? ".claude/ directory found" : "not found"
+  });
+  tools.push({
+    name: "Cursor",
+    detected: existsSync4(join5(cwd, ".cursor")),
+    reason: existsSync4(join5(cwd, ".cursor")) ? ".cursor/ directory found" : "not found"
+  });
+  tools.push({
+    name: "Codex CLI",
+    detected: existsSync4(join5(cwd, ".codex")),
+    reason: existsSync4(join5(cwd, ".codex")) ? ".codex/ directory found" : "not found"
+  });
+  let aiderInstalled = false;
+  try {
+    execSync("which aider", { stdio: "pipe" });
+    aiderInstalled = true;
+  } catch {
+    aiderInstalled = false;
+  }
+  tools.push({
+    name: "Aider",
+    detected: aiderInstalled,
+    reason: aiderInstalled ? "aider installed" : "not found"
+  });
+  tools.push({
+    name: "Windsurf",
+    detected: existsSync4(join5(cwd, ".windsurf")),
+    reason: existsSync4(join5(cwd, ".windsurf")) ? ".windsurf/ directory found" : "not found"
+  });
+  tools.push({
+    name: "GitHub Copilot",
+    detected: existsSync4(join5(cwd, ".github")),
+    reason: existsSync4(join5(cwd, ".github")) ? ".github/ directory found" : "not found"
+  });
+  const clineDetected = existsSync4(join5(cwd, ".cline")) || existsSync4(join5(cwd, ".clinerules"));
+  tools.push({
+    name: "Cline",
+    detected: clineDetected,
+    reason: clineDetected ? existsSync4(join5(cwd, ".cline")) ? ".cline/ directory found" : ".clinerules found" : "not found"
+  });
+  return tools;
+}
+function generateConfigs(cwd, tools) {
+  const generated = [];
+  for (const tool of tools) {
+    if (!tool.detected)
+      continue;
+    switch (tool.name) {
+      case "Claude Code": {
+        const settingsPath = join5(cwd, ".claude", "settings.json");
+        if (existsSync4(settingsPath)) {
+          generated.push({
+            path: ".claude/settings.json",
+            description: "already exists, skipped"
+          });
+        } else {
+          mkdirSync(join5(cwd, ".claude"), { recursive: true });
+          const settings = {
+            hooks: {
+              PostToolUse: [
+                {
+                  matcher: "Edit|Write|MultiEdit",
+                  hooks: [
+                    {
+                      type: "command",
+                      command: SCAN_CMD
+                    }
+                  ]
+                }
+              ]
+            }
+          };
+          writeFileSync(settingsPath, `${JSON.stringify(settings, null, 2)}
+`);
+          generated.push({
+            path: ".claude/settings.json",
+            description: "PostToolUse hook (blocks on findings)"
+          });
+        }
+        break;
+      }
+      case "Cursor": {
+        mkdirSync(join5(cwd, ".cursor"), { recursive: true });
+        const hooksPath = join5(cwd, ".cursor", "hooks.json");
+        const hooks = {
+          hooks: {
+            afterFileEdit: [{ command: SCAN_CMD }]
+          }
+        };
+        writeFileSync(hooksPath, `${JSON.stringify(hooks, null, 2)}
+`);
+        generated.push({
+          path: ".cursor/hooks.json",
+          description: "afterFileEdit hook"
+        });
+        mkdirSync(join5(cwd, ".cursor", "rules"), { recursive: true });
+        const rulesPath = join5(cwd, ".cursor", "rules", "vibecop.md");
+        const rulesContent = `---
+trigger: always_on
+---
+
+After every code edit, review vibecop findings and fix issues before proceeding.
+Run: ${SCAN_CMD}
+`;
+        writeFileSync(rulesPath, rulesContent);
+        generated.push({
+          path: ".cursor/rules/vibecop.md",
+          description: "always-on lint rule"
+        });
+        break;
+      }
+      case "Codex CLI": {
+        mkdirSync(join5(cwd, ".codex"), { recursive: true });
+        const codexPath = join5(cwd, ".codex", "hooks.json");
+        const codexHooks = {
+          hooks: {
+            PostToolUse: [
+              {
+                matcher: "Edit|Write|MultiEdit",
+                hooks: [
+                  {
+                    type: "command",
+                    command: SCAN_CMD
+                  }
+                ]
+              }
+            ]
+          }
+        };
+        writeFileSync(codexPath, `${JSON.stringify(codexHooks, null, 2)}
+`);
+        generated.push({
+          path: ".codex/hooks.json",
+          description: "PostToolUse hook (blocks on findings)"
+        });
+        break;
+      }
+      case "Aider": {
+        const aiderPath = join5(cwd, ".aider.conf.yml");
+        const aiderContent = `lint-cmd:
+  - "typescript: npx vibecop scan --format text"
+  - "javascript: npx vibecop scan --format text"
+  - "python: npx vibecop scan --format text"
+auto-lint: true
+`;
+        writeFileSync(aiderPath, aiderContent);
+        generated.push({
+          path: ".aider.conf.yml",
+          description: "lint-cmd per language"
+        });
+        break;
+      }
+      case "Windsurf": {
+        mkdirSync(join5(cwd, ".windsurf", "rules"), { recursive: true });
+        const windsurfPath = join5(cwd, ".windsurf", "rules", "vibecop.md");
+        const windsurfContent = `---
+trigger: always_on
+---
+
+After every code edit, review vibecop findings and fix issues before proceeding.
+Run: ${SCAN_CMD}
+`;
+        writeFileSync(windsurfPath, windsurfContent);
+        generated.push({
+          path: ".windsurf/rules/vibecop.md",
+          description: "always-on lint rule"
+        });
+        break;
+      }
+      case "GitHub Copilot": {
+        mkdirSync(join5(cwd, ".github"), { recursive: true });
+        const copilotPath = join5(cwd, ".github", "copilot-instructions.md");
+        const vibecopSection = `
+## vibecop
+
+After every code edit, run \`${SCAN_CMD}\` and fix any findings before proceeding.
+`;
+        if (existsSync4(copilotPath)) {
+          const existing = readFileSync6(copilotPath, "utf-8");
+          if (existing.includes("vibecop")) {
+            generated.push({
+              path: ".github/copilot-instructions.md",
+              description: "already contains vibecop, skipped"
+            });
+          } else {
+            writeFileSync(copilotPath, existing + vibecopSection);
+            generated.push({
+              path: ".github/copilot-instructions.md",
+              description: "appended vibecop instructions"
+            });
+          }
+        } else {
+          writeFileSync(copilotPath, vibecopSection);
+          generated.push({
+            path: ".github/copilot-instructions.md",
+            description: "copilot instructions"
+          });
+        }
+        break;
+      }
+      case "Cline": {
+        const clinePath = join5(cwd, ".clinerules");
+        const clineContent = `After every code edit, run \`${SCAN_CMD}\` and fix any findings before proceeding.
+`;
+        writeFileSync(clinePath, clineContent);
+        generated.push({
+          path: ".clinerules",
+          description: "always-on lint rule"
+        });
+        break;
+      }
+    }
+  }
+  return generated;
+}
+function padEnd(str, len) {
+  return str + " ".repeat(Math.max(0, len - str.length));
+}
+async function runInit(cwd) {
+  const root = cwd ?? process.cwd();
+  console.log("");
+  console.log("  vibecop — agent integration setup");
+  console.log("");
+  const tools = detectTools(root);
+  const anyDetected = tools.some((t) => t.detected);
+  if (!anyDetected) {
+    console.log("  No supported AI coding tools detected.");
+    console.log("  See docs/agent-integration.md for manual setup.");
+    console.log("");
+    return;
+  }
+  console.log("  Detected tools:");
+  for (const tool of tools) {
+    const icon = tool.detected ? "✓" : "✗";
+    console.log(`    ${icon} ${tool.name} (${tool.reason})`);
+  }
+  console.log("");
+  const generated = generateConfigs(root, tools);
+  if (generated.length > 0) {
+    const maxPath = Math.max(...generated.map((g) => g.path.length));
+    console.log("  Generated:");
+    for (const file of generated) {
+      console.log(`    ${padEnd(file.path, maxPath)}  — ${file.description}`);
+    }
+    console.log("");
+  }
+  console.log("  Done! vibecop will now run automatically in your agent workflow.");
+  console.log("");
+}
+var SCAN_CMD = "npx vibecop scan --diff HEAD --format agent";
+var init_init = () => {};
+
+// src/cli.ts
+import { execSync as execSync2 } from "node:child_process";
+import { existsSync as existsSync5, readFileSync as readFileSync7 } from "node:fs";
 import { extname as extname2, relative as relative2, resolve as resolve4 } from "node:path";
 
 // node_modules/commander/esm.mjs
@@ -13110,6 +13376,35 @@ function isNodeError(err) {
   return err instanceof Error && "code" in err;
 }
 
+// src/detectors/utils.ts
+function makeFinding(detectorId, ctx, node, message, severity, suggestion) {
+  const range = node.range();
+  return {
+    detectorId,
+    message,
+    severity,
+    file: ctx.file.path,
+    line: range.start.line + 1,
+    column: range.start.column + 1,
+    endLine: range.end.line + 1,
+    endColumn: range.end.column + 1,
+    ...suggestion != null && { suggestion }
+  };
+}
+function makeLineFinding(detectorId, ctx, line, column, message, severity, suggestion, endLine, endColumn) {
+  return {
+    detectorId,
+    message,
+    severity,
+    file: ctx.file.path,
+    line,
+    column,
+    ...suggestion != null && { suggestion },
+    ...endLine != null && { endLine },
+    ...endColumn != null && { endColumn }
+  };
+}
+
 // src/detectors/empty-error-handler.ts
 var CONSOLE_METHODS = new Set(["console.log", "console.error", "console.warn"]);
 var PYTHON_LOG_FUNCTIONS = new Set(["print", "logging.debug", "logging.info", "logging.warning", "logging.error"]);
@@ -13140,19 +13435,8 @@ function detectJavaScriptCatchBlocks(ctx) {
     const hasComment = body.children().some((ch) => ch.kind() === "comment");
     if (hasComment)
       continue;
-    const range = catchNode.range();
     if (bodyChildren.length === 0) {
-      findings.push({
-        detectorId: "empty-error-handler",
-        message: "Empty catch block silently swallows errors",
-        severity: "warning",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Add error handling, re-throw the error, or add a comment explaining why the error is intentionally ignored"
-      });
+      findings.push(makeFinding("empty-error-handler", ctx, catchNode, "Empty catch block silently swallows errors", "warning", "Add error handling, re-throw the error, or add a comment explaining why the error is intentionally ignored"));
       continue;
     }
     if (bodyChildren.length === 1) {
@@ -13160,17 +13444,7 @@ function detectJavaScriptCatchBlocks(ctx) {
       if (stmt.kind() === "expression_statement") {
         const stmtText = stmt.text().replace(/;$/, "").trim();
         if (isLogOnlyCall(stmtText)) {
-          findings.push({
-            detectorId: "empty-error-handler",
-            message: "Catch block only logs the error without handling it",
-            severity: "warning",
-            file: ctx.file.path,
-            line: range.start.line + 1,
-            column: range.start.column + 1,
-            endLine: range.end.line + 1,
-            endColumn: range.end.column + 1,
-            suggestion: "Add proper error handling: re-throw, return a fallback value, or propagate the error"
-          });
+          findings.push(makeFinding("empty-error-handler", ctx, catchNode, "Catch block only logs the error without handling it", "warning", "Add proper error handling: re-throw, return a fallback value, or propagate the error"));
         }
       }
     }
@@ -13187,38 +13461,17 @@ function detectPythonExceptBlocks(ctx) {
     if (!block)
       continue;
     const blockChildren = block.children();
-    const range = exceptNode.range();
     const exceptText = exceptNode.text();
     if (exceptText.includes("#"))
       continue;
     if (blockChildren.length === 1 && blockChildren[0].kind() === "pass_statement") {
-      findings.push({
-        detectorId: "empty-error-handler",
-        message: "Except block with only 'pass' silently swallows errors",
-        severity: "warning",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Add error handling, re-raise the exception, or add a comment explaining why the error is intentionally ignored"
-      });
+      findings.push(makeFinding("empty-error-handler", ctx, exceptNode, "Except block with only 'pass' silently swallows errors", "warning", "Add error handling, re-raise the exception, or add a comment explaining why the error is intentionally ignored"));
       continue;
     }
     if (blockChildren.length === 1 && blockChildren[0].kind() === "expression_statement") {
       const stmtText = blockChildren[0].text().trim();
       if (isPythonLogOnlyCall(stmtText)) {
-        findings.push({
-          detectorId: "empty-error-handler",
-          message: "Except block only logs the error without handling it",
-          severity: "warning",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Add proper error handling: re-raise, return a fallback value, or propagate the error"
-        });
+        findings.push(makeFinding("empty-error-handler", ctx, exceptNode, "Except block only logs the error without handling it", "warning", "Add proper error handling: re-raise, return a fallback value, or propagate the error"));
       }
     }
   }
@@ -13297,33 +13550,12 @@ function detectJavaScriptTrivialAssertions(ctx) {
       if (!LITERAL_KINDS_JS.has(expectArg.kind()))
         continue;
       const methodName = property.text();
-      const range = call.range();
       if (methodName === "toBeTruthy" && expectArg.text() === "true") {
-        findings.push({
-          detectorId: "trivial-assertion",
-          message: "Trivial assertion: expect(true).toBeTruthy() always passes",
-          severity: "warning",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Replace with a meaningful assertion that tests actual behavior"
-        });
+        findings.push(makeFinding("trivial-assertion", ctx, call, "Trivial assertion: expect(true).toBeTruthy() always passes", "warning", "Replace with a meaningful assertion that tests actual behavior"));
         continue;
       }
       if (methodName === "toBeFalsy" && expectArg.text() === "false") {
-        findings.push({
-          detectorId: "trivial-assertion",
-          message: "Trivial assertion: expect(false).toBeFalsy() always passes",
-          severity: "warning",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Replace with a meaningful assertion that tests actual behavior"
-        });
+        findings.push(makeFinding("trivial-assertion", ctx, call, "Trivial assertion: expect(false).toBeFalsy() always passes", "warning", "Replace with a meaningful assertion that tests actual behavior"));
         continue;
       }
       if (methodName !== "toBe" && methodName !== "toEqual")
@@ -13341,17 +13573,7 @@ function detectJavaScriptTrivialAssertions(ctx) {
         areSame = expectArg.text() === matcherArg.text();
       }
       if (areSame) {
-        findings.push({
-          detectorId: "trivial-assertion",
-          message: `Trivial assertion: expect(${expectArg.text()}).${methodName}(${matcherArg.text()}) always passes`,
-          severity: "warning",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Replace with a meaningful assertion that tests actual behavior"
-        });
+        findings.push(makeFinding("trivial-assertion", ctx, call, `Trivial assertion: expect(${expectArg.text()}).${methodName}(${matcherArg.text()}) always passes`, "warning", "Replace with a meaningful assertion that tests actual behavior"));
       }
     }
   }
@@ -13366,19 +13588,8 @@ function detectPythonTrivialAssertions(ctx) {
     if (children.length < 2)
       continue;
     const expr = children[1];
-    const range = assertNode.range();
     if (expr.kind() === "true" || expr.kind() === "false") {
-      findings.push({
-        detectorId: "trivial-assertion",
-        message: `Trivial assertion: assert ${expr.text()} always ${expr.kind() === "true" ? "passes" : "fails"}`,
-        severity: "warning",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Replace with a meaningful assertion that tests actual behavior"
-      });
+      findings.push(makeFinding("trivial-assertion", ctx, assertNode, `Trivial assertion: assert ${expr.text()} always ${expr.kind() === "true" ? "passes" : "fails"}`, "warning", "Replace with a meaningful assertion that tests actual behavior"));
       continue;
     }
     if (expr.kind() === "comparison_operator") {
@@ -13394,17 +13605,7 @@ function detectPythonTrivialAssertions(ctx) {
             areSame = left.text() === right.text();
           }
           if (areSame) {
-            findings.push({
-              detectorId: "trivial-assertion",
-              message: `Trivial assertion: assert ${left.text()} == ${right.text()} always passes`,
-              severity: "warning",
-              file: ctx.file.path,
-              line: range.start.line + 1,
-              column: range.start.column + 1,
-              endLine: range.end.line + 1,
-              endColumn: range.end.column + 1,
-              suggestion: "Replace with a meaningful assertion that tests actual behavior"
-            });
+            findings.push(makeFinding("trivial-assertion", ctx, assertNode, `Trivial assertion: assert ${left.text()} == ${right.text()} always passes`, "warning", "Replace with a meaningful assertion that tests actual behavior"));
           }
         }
       }
@@ -13465,18 +13666,7 @@ function detectRejectUnauthorized(root, ctx, findings) {
     const key = children.find((ch) => ch.kind() === "property_identifier" || ch.kind() === "string");
     const value = children.find((ch) => ch.kind() === "false");
     if (key && value && key.text().replace(/["']/g, "") === "rejectUnauthorized") {
-      const range = pair.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "TLS certificate verification is disabled (rejectUnauthorized: false)",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Remove rejectUnauthorized: false to enable TLS certificate verification"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, pair, "TLS certificate verification is disabled (rejectUnauthorized: false)", "error", "Remove rejectUnauthorized: false to enable TLS certificate verification"));
     }
   }
 }
@@ -13486,18 +13676,7 @@ function detectEvalUsage(root, ctx, findings) {
     const children = call.children();
     const fn = children[0];
     if (fn && fn.kind() === "identifier" && fn.text() === "eval") {
-      const range = call.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "eval() executes arbitrary code and is a security risk",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Avoid eval(). Use JSON.parse() for data, or refactor to avoid dynamic code execution"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, call, "eval() executes arbitrary code and is a security risk", "error", "Avoid eval(). Use JSON.parse() for data, or refactor to avoid dynamic code execution"));
     }
   }
 }
@@ -13507,18 +13686,7 @@ function detectNewFunction(root, ctx, findings) {
     const children = newExpr.children();
     const constructorNode = children.find((ch) => ch.kind() === "identifier");
     if (constructorNode && constructorNode.text() === "Function") {
-      const range = newExpr.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "new Function() creates functions from strings and is a security risk",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Avoid new Function(). Refactor to use static function definitions"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, newExpr, "new Function() creates functions from strings and is a security risk", "error", "Avoid new Function(). Refactor to use static function definitions"));
     }
   }
 }
@@ -13546,18 +13714,7 @@ function detectHardcodedCredentialsJS(root, ctx, findings) {
       continue;
     if (looksLikeNonCredential(strContent))
       continue;
-    const range = pair.range();
-    findings.push({
-      detectorId: "insecure-defaults",
-      message: `Hardcoded credential detected in property '${keyName}'`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Use environment variables or a secrets manager instead of hardcoding credentials"
-    });
+    findings.push(makeFinding("insecure-defaults", ctx, pair, `Hardcoded credential detected in property '${keyName}'`, "error", "Use environment variables or a secrets manager instead of hardcoding credentials"));
   }
 }
 function checkCredentialAssignment(node, ctx, findings) {
@@ -13574,18 +13731,7 @@ function checkCredentialAssignment(node, ctx, findings) {
     return;
   if (looksLikeNonCredential(strContent))
     return;
-  const range = node.range();
-  findings.push({
-    detectorId: "insecure-defaults",
-    message: `Hardcoded credential detected in variable '${varName}'`,
-    severity: "error",
-    file: ctx.file.path,
-    line: range.start.line + 1,
-    column: range.start.column + 1,
-    endLine: range.end.line + 1,
-    endColumn: range.end.column + 1,
-    suggestion: "Use environment variables or a secrets manager instead of hardcoding credentials"
-  });
+  findings.push(makeFinding("insecure-defaults", ctx, node, `Hardcoded credential detected in variable '${varName}'`, "error", "Use environment variables or a secrets manager instead of hardcoding credentials"));
 }
 function detectWeakCiphers(root, ctx, findings) {
   const callExprs = root.findAll({ rule: { kind: "call_expression" } });
@@ -13607,18 +13753,7 @@ function detectWeakCiphers(root, ctx, findings) {
     if (firstArg.kind() === "string") {
       const cipher = firstArg.text().slice(1, -1).toLowerCase();
       if (WEAK_CIPHERS.has(cipher)) {
-        const range = call.range();
-        findings.push({
-          detectorId: "insecure-defaults",
-          message: `Weak cipher algorithm '${cipher}' detected`,
-          severity: "error",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Use a strong cipher algorithm like 'aes-256-gcm' instead"
-        });
+        findings.push(makeFinding("insecure-defaults", ctx, call, `Weak cipher algorithm '${cipher}' detected`, "error", "Use a strong cipher algorithm like 'aes-256-gcm' instead"));
       }
     }
   }
@@ -13641,18 +13776,7 @@ function detectPythonVerifyFalse(root, ctx, findings) {
     const key = children.find((ch) => ch.kind() === "identifier");
     const value = children.find((ch) => ch.kind() === "false");
     if (key && value && key.text() === "verify") {
-      const range = kwarg.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "TLS certificate verification is disabled (verify=False)",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Remove verify=False to enable TLS certificate verification"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, kwarg, "TLS certificate verification is disabled (verify=False)", "error", "Remove verify=False to enable TLS certificate verification"));
     }
   }
 }
@@ -13663,18 +13787,7 @@ function detectPythonShellTrue(root, ctx, findings) {
     const key = children.find((ch) => ch.kind() === "identifier");
     const value = children.find((ch) => ch.kind() === "true");
     if (key && value && key.text() === "shell") {
-      const range = kwarg.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "shell=True in subprocess call allows shell injection attacks",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Use shell=False (the default) and pass arguments as a list"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, kwarg, "shell=True in subprocess call allows shell injection attacks", "error", "Use shell=False (the default) and pass arguments as a list"));
     }
   }
 }
@@ -13684,18 +13797,7 @@ function detectPythonEval(root, ctx, findings) {
     const children = call.children();
     const fn = children[0];
     if (fn && fn.kind() === "identifier" && fn.text() === "eval") {
-      const range = call.range();
-      findings.push({
-        detectorId: "insecure-defaults",
-        message: "eval() executes arbitrary code and is a security risk",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Avoid eval(). Use ast.literal_eval() for safe expression evaluation"
-      });
+      findings.push(makeFinding("insecure-defaults", ctx, call, "eval() executes arbitrary code and is a security risk", "error", "Avoid eval(). Use ast.literal_eval() for safe expression evaluation"));
     }
   }
 }
@@ -13721,18 +13823,7 @@ function detectPythonHardcodedCredentials(root, ctx, findings) {
     }
     if (strContent.length === 0)
       continue;
-    const range = assign.range();
-    findings.push({
-      detectorId: "insecure-defaults",
-      message: `Hardcoded credential detected in variable '${varName}'`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Use environment variables or a secrets manager instead of hardcoding credentials"
-    });
+    findings.push(makeFinding("insecure-defaults", ctx, assign, `Hardcoded credential detected in variable '${varName}'`, "error", "Use environment variables or a secrets manager instead of hardcoding credentials"));
   }
 }
 var insecureDefaults = {
@@ -14248,18 +14339,7 @@ function detectJavaScriptUndeclaredImports(ctx) {
     const nearestDeps = findNearestJsDependencies(ctx.file.absolutePath, scanRoot);
     if (nearestDeps.has(packageName))
       continue;
-    const range = importNode.range();
-    findings.push({
-      detectorId: "undeclared-import",
-      message: `Import '${packageName}' is not declared in project dependencies`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: `Add '${packageName}' to your package.json dependencies`
-    });
+    findings.push(makeFinding("undeclared-import", ctx, importNode, `Import '${packageName}' is not declared in project dependencies`, "error", `Add '${packageName}' to your package.json dependencies`));
   }
   const callExprs = root.findAll({ rule: { kind: "call_expression" } });
   for (const call of callExprs) {
@@ -14295,18 +14375,7 @@ function detectJavaScriptUndeclaredImports(ctx) {
     const nearestDeps = findNearestJsDependencies(ctx.file.absolutePath, scanRoot);
     if (nearestDeps.has(packageName))
       continue;
-    const range = call.range();
-    findings.push({
-      detectorId: "undeclared-import",
-      message: `Import '${packageName}' is not declared in project dependencies`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: `Add '${packageName}' to your package.json dependencies`
-    });
+    findings.push(makeFinding("undeclared-import", ctx, call, `Import '${packageName}' is not declared in project dependencies`, "error", `Add '${packageName}' to your package.json dependencies`));
   }
   return findings;
 }
@@ -14330,18 +14399,7 @@ function detectPythonUndeclaredImports(ctx) {
     const topLevel = fullName.split(".")[0];
     if (isPythonImportDeclared(topLevel, ctx, scanRoot))
       continue;
-    const range = importNode.range();
-    findings.push({
-      detectorId: "undeclared-import",
-      message: `Import '${topLevel}' is not declared in project dependencies`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: `Add '${topLevel}' to your requirements.txt or pyproject.toml`
-    });
+    findings.push(makeFinding("undeclared-import", ctx, importNode, `Import '${topLevel}' is not declared in project dependencies`, "error", `Add '${topLevel}' to your requirements.txt or pyproject.toml`));
   }
   const fromImports = root.findAll({ rule: { kind: "import_from_statement" } });
   for (const importNode of fromImports) {
@@ -14356,18 +14414,7 @@ function detectPythonUndeclaredImports(ctx) {
     const topLevel = fullName.split(".")[0];
     if (isPythonImportDeclared(topLevel, ctx, scanRoot))
       continue;
-    const range = importNode.range();
-    findings.push({
-      detectorId: "undeclared-import",
-      message: `Import '${topLevel}' is not declared in project dependencies`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: `Add '${topLevel}' to your requirements.txt or pyproject.toml`
-    });
+    findings.push(makeFinding("undeclared-import", ctx, importNode, `Import '${topLevel}' is not declared in project dependencies`, "error", `Add '${topLevel}' to your requirements.txt or pyproject.toml`));
   }
   return findings;
 }
@@ -14460,33 +14507,11 @@ function detectRedundantNullChecks(ctx) {
     if (leftCheck.variable !== rightCheck.variable)
       continue;
     if (!leftCheck.isLoose && !rightCheck.isLoose && (leftCheck.checksNull && rightCheck.checksUndefined || leftCheck.checksUndefined && rightCheck.checksNull)) {
-      const range = expr.range();
-      findings.push({
-        detectorId: "over-defensive-coding",
-        message: `Redundant null+undefined check on '${leftCheck.variable}'. Use '${leftCheck.variable} != null' to check both.`,
-        severity: "info",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: `Replace with '${leftCheck.variable} != null' which checks both null and undefined`
-      });
+      findings.push(makeFinding("over-defensive-coding", ctx, expr, `Redundant null+undefined check on '${leftCheck.variable}'. Use '${leftCheck.variable} != null' to check both.`, "info", `Replace with '${leftCheck.variable} != null' which checks both null and undefined`));
       continue;
     }
     if (leftCheck.isLoose && rightCheck.isLoose && (leftCheck.checksNull && rightCheck.checksUndefined || leftCheck.checksUndefined && rightCheck.checksNull)) {
-      const range = expr.range();
-      findings.push({
-        detectorId: "over-defensive-coding",
-        message: `Redundant check: '${leftCheck.variable} != null' already checks both null and undefined`,
-        severity: "info",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: `Use just '${leftCheck.variable} != null' — it checks both null and undefined`
-      });
+      findings.push(makeFinding("over-defensive-coding", ctx, expr, `Redundant check: '${leftCheck.variable} != null' already checks both null and undefined`, "info", `Use just '${leftCheck.variable} != null' — it checks both null and undefined`));
     }
   }
   return findings;
@@ -14519,18 +14544,7 @@ function detectJsonParseLiteralTryCatch(ctx) {
         const arg = argNodes[0];
         if (arg.kind() !== "string")
           continue;
-        const range = tryNode.range();
-        findings.push({
-          detectorId: "over-defensive-coding",
-          message: "Unnecessary try/catch around JSON.parse() with a string literal argument that cannot fail",
-          severity: "info",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Remove the try/catch — JSON.parse with a valid string literal will never throw"
-        });
+        findings.push(makeFinding("over-defensive-coding", ctx, tryNode, "Unnecessary try/catch around JSON.parse() with a string literal argument that cannot fail", "info", "Remove the try/catch — JSON.parse with a valid string literal will never throw"));
       }
     }
   }
@@ -14627,15 +14641,7 @@ var excessiveCommentRatio = {
     if (ratio > threshold) {
       const pct = Math.round(ratio * 100);
       return [
-        {
-          detectorId: "excessive-comment-ratio",
-          message: `File has ${pct}% comment lines (${counts.commentLines} comments, ${counts.codeLines} code lines). Threshold: ${Math.round(threshold * 100)}%`,
-          severity: "info",
-          file: ctx.file.path,
-          line: 1,
-          column: 1,
-          suggestion: "Reduce excessive comments. Good code should be self-documenting with comments reserved for explaining 'why', not 'what'."
-        }
+        makeLineFinding("excessive-comment-ratio", ctx, 1, 1, `File has ${pct}% comment lines (${counts.commentLines} comments, ${counts.codeLines} code lines). Threshold: ${Math.round(threshold * 100)}%`, "info", "Reduce excessive comments. Good code should be self-documenting with comments reserved for explaining 'why', not 'what'.")
       ];
     }
     return [];
@@ -14706,15 +14712,7 @@ function detectJsMocking(ctx) {
   const ratio = ctx.config.ratio ?? DEFAULT_RATIO;
   if (mockCount > 0 && mockCount > assertionCount * ratio) {
     return [
-      {
-        detectorId: "over-mocking",
-        message: `Test file has more mocks (${mockCount}) than assertions (${assertionCount}). Tests that over-mock may not verify real behavior.`,
-        severity: "warning",
-        file: ctx.file.path,
-        line: 1,
-        column: 1,
-        suggestion: "Reduce mocking and add more assertions. Consider integration tests for heavily-mocked code."
-      }
+      makeLineFinding("over-mocking", ctx, 1, 1, `Test file has more mocks (${mockCount}) than assertions (${assertionCount}). Tests that over-mock may not verify real behavior.`, "warning", "Reduce mocking and add more assertions. Consider integration tests for heavily-mocked code.")
     ];
   }
   return [];
@@ -14725,15 +14723,7 @@ function detectPythonMocking(ctx) {
   const ratio = ctx.config.ratio ?? DEFAULT_RATIO;
   if (mockCount > 0 && mockCount > assertionCount * ratio) {
     return [
-      {
-        detectorId: "over-mocking",
-        message: `Test file has more mocks (${mockCount}) than assertions (${assertionCount}). Tests that over-mock may not verify real behavior.`,
-        severity: "warning",
-        file: ctx.file.path,
-        line: 1,
-        column: 1,
-        suggestion: "Reduce mocking and add more assertions. Consider integration tests for heavily-mocked code."
-      }
+      makeLineFinding("over-mocking", ctx, 1, 1, `Test file has more mocks (${mockCount}) than assertions (${assertionCount}). Tests that over-mock may not verify real behavior.`, "warning", "Reduce mocking and add more assertions. Consider integration tests for heavily-mocked code.")
     ];
   }
   return [];
@@ -14866,18 +14856,7 @@ function detectJavaScript(ctx) {
     }
     if (!isDbCall)
       continue;
-    const range = awaitExpr.range();
-    findings.push({
-      detectorId: "n-plus-one-query",
-      message: "Database or API call inside a loop — potential N+1 query",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Batch the operation outside the loop (e.g., use WHERE IN, Promise.all, or bulk API endpoint)"
-    });
+    findings.push(makeFinding("n-plus-one-query", ctx, awaitExpr, "Database or API call inside a loop — potential N+1 query", "warning", "Batch the operation outside the loop (e.g., use WHERE IN, Promise.all, or bulk API endpoint)"));
   }
   const arrowFns = root.findAll({ rule: { kind: "arrow_function" } });
   for (const arrow of arrowFns) {
@@ -14917,18 +14896,7 @@ function detectJavaScript(ctx) {
       }
       if (!isDbCall)
         continue;
-      const range = innerAwait.range();
-      findings.push({
-        detectorId: "n-plus-one-query",
-        message: "Database or API call inside .map(async ...) — potential N+1 query",
-        severity: "warning",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Batch the operation (e.g., use WHERE IN or a single bulk query) instead of per-item async calls"
-      });
+      findings.push(makeFinding("n-plus-one-query", ctx, innerAwait, "Database or API call inside .map(async ...) — potential N+1 query", "warning", "Batch the operation (e.g., use WHERE IN or a single bulk query) instead of per-item async calls"));
     }
   }
   const callExprs = root.findAll({ rule: { kind: "call_expression" } });
@@ -14963,18 +14931,7 @@ function detectJavaScript(ctx) {
     }
     if (!isDbCall)
       continue;
-    const range = call.range();
-    findings.push({
-      detectorId: "n-plus-one-query",
-      message: "Database or API call inside a loop — potential N+1 query",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Batch the operation outside the loop (e.g., use WHERE IN, Promise.all, or bulk API endpoint)"
-    });
+    findings.push(makeFinding("n-plus-one-query", ctx, call, "Database or API call inside a loop — potential N+1 query", "warning", "Batch the operation outside the loop (e.g., use WHERE IN, Promise.all, or bulk API endpoint)"));
   }
   return findings;
 }
@@ -14999,17 +14956,7 @@ function detectPython(ctx) {
       continue;
     const range = awaitExpr.range();
     reported.add(range.start.line);
-    findings.push({
-      detectorId: "n-plus-one-query",
-      message: "Database call inside a loop — potential N+1 query",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Batch the operation outside the loop (e.g., use WHERE IN or bulk query)"
-    });
+    findings.push(makeFinding("n-plus-one-query", ctx, awaitExpr, "Database call inside a loop — potential N+1 query", "warning", "Batch the operation outside the loop (e.g., use WHERE IN or bulk query)"));
   }
   const callExprs = root.findAll({ rule: { kind: "call" } });
   for (const call of callExprs) {
@@ -15022,17 +14969,7 @@ function detectPython(ctx) {
     const callText = call.text();
     if (!isDbCallPython(callText))
       continue;
-    findings.push({
-      detectorId: "n-plus-one-query",
-      message: "Database call inside a loop — potential N+1 query",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Batch the operation outside the loop (e.g., use WHERE IN or bulk query)"
-    });
+    findings.push(makeFinding("n-plus-one-query", ctx, call, "Database call inside a loop — potential N+1 query", "warning", "Batch the operation outside the loop (e.g., use WHERE IN or bulk query)"));
   }
   return findings;
 }
@@ -15130,18 +15067,7 @@ function detectJavaScript2(ctx) {
       continue;
     if (!looksLikeDbCall(callText))
       continue;
-    const range = stmt.range();
-    findings.push({
-      detectorId: "unchecked-db-result",
-      message: "Database mutation result is not checked — errors will be silently ignored",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Store the result and check for errors: const result = await db.insert(...)"
-    });
+    findings.push(makeFinding("unchecked-db-result", ctx, stmt, "Database mutation result is not checked — errors will be silently ignored", "warning", "Store the result and check for errors: const result = await db.insert(...)"));
   }
   return findings;
 }
@@ -15189,18 +15115,7 @@ function detectPython2(ctx) {
     }
     if (!isMutation)
       continue;
-    const range = stmt.range();
-    findings.push({
-      detectorId: "unchecked-db-result",
-      message: "Database mutation result is not checked — errors may be silently ignored",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Store the result and verify the operation succeeded"
-    });
+    findings.push(makeFinding("unchecked-db-result", ctx, stmt, "Database mutation result is not checked — errors may be silently ignored", "warning", "Store the result and verify the operation succeeded"));
   }
   return findings;
 }
@@ -15236,18 +15151,7 @@ function detectJavaScript3(ctx) {
     const ifText = consequent.text().replace(/\s+/g, " ").trim();
     const elseText = elseBody.text().replace(/\s+/g, " ").trim();
     if (ifText === elseText && ifText.length > 4) {
-      const range = ifStmt.range();
-      findings.push({
-        detectorId: "dead-code-path",
-        message: "if and else branches are identical — condition has no effect",
-        severity: "warning",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Remove the conditional and keep only the body, or fix the branch logic"
-      });
+      findings.push(makeFinding("dead-code-path", ctx, ifStmt, "if and else branches are identical — condition has no effect", "warning", "Remove the conditional and keep only the body, or fix the branch logic"));
     }
   }
   const blocks = root.findAll({ rule: { kind: "statement_block" } });
@@ -15256,18 +15160,7 @@ function detectJavaScript3(ctx) {
     let foundTerminator = false;
     for (const stmt of stmts) {
       if (foundTerminator) {
-        const range = stmt.range();
-        findings.push({
-          detectorId: "dead-code-path",
-          message: "Unreachable code after return/throw statement",
-          severity: "warning",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Remove unreachable code or fix the control flow"
-        });
+        findings.push(makeFinding("dead-code-path", ctx, stmt, "Unreachable code after return/throw statement", "warning", "Remove unreachable code or fix the control flow"));
         break;
       }
       if (stmt.kind() === "return_statement" || stmt.kind() === "throw_statement") {
@@ -15291,18 +15184,7 @@ function detectPython3(ctx) {
         const ifText = blocks[0].text().replace(/\s+/g, " ").trim();
         const elseText = elseBlock.text().replace(/\s+/g, " ").trim();
         if (ifText === elseText && ifText.length > 4) {
-          const range = ifStmt.range();
-          findings.push({
-            detectorId: "dead-code-path",
-            message: "if and else branches are identical — condition has no effect",
-            severity: "warning",
-            file: ctx.file.path,
-            line: range.start.line + 1,
-            column: range.start.column + 1,
-            endLine: range.end.line + 1,
-            endColumn: range.end.column + 1,
-            suggestion: "Remove the conditional and keep only the body, or fix the branch logic"
-          });
+          findings.push(makeFinding("dead-code-path", ctx, ifStmt, "if and else branches are identical — condition has no effect", "warning", "Remove the conditional and keep only the body, or fix the branch logic"));
         }
       }
     }
@@ -15344,15 +15226,7 @@ function detect(ctx) {
     const match = line.match(doubleAssertRe) || line.match(doubleAssertRe2);
     if (!match)
       continue;
-    findings.push({
-      detectorId: "double-type-assertion",
-      message: "Double type assertion (as unknown as X) bypasses TypeScript's type safety",
-      severity: "warning",
-      file: ctx.file.path,
-      line: i + 1,
-      column: (match.index ?? 0) + 1,
-      suggestion: "Fix the underlying type mismatch instead of using double assertion. Add a proper type guard or fix the type definition."
-    });
+    findings.push(makeLineFinding("double-type-assertion", ctx, i + 1, (match.index ?? 0) + 1, "Double type assertion (as unknown as X) bypasses TypeScript's type safety", "warning", "Fix the underlying type mismatch instead of using double assertion. Add a proper type guard or fix the type definition."));
   }
   return findings;
 }
@@ -15417,17 +15291,7 @@ function detect2(ctx) {
   if (anyLocations.length <= threshold)
     return findings;
   for (const loc of anyLocations) {
-    findings.push({
-      detectorId: "excessive-any",
-      message: `Excessive use of 'any' type (${anyLocations.length} in this file) — weakens type safety`,
-      severity: "warning",
-      file: ctx.file.path,
-      line: loc.line,
-      column: loc.column,
-      endLine: loc.endLine,
-      endColumn: loc.endColumn,
-      suggestion: "Replace with a specific type, unknown, or a generic type parameter"
-    });
+    findings.push(makeLineFinding("excessive-any", ctx, loc.line, loc.column, `Excessive use of 'any' type (${anyLocations.length} in this file) — weakens type safety`, "warning", "Replace with a specific type, unknown, or a generic type parameter", loc.endLine, loc.endColumn));
   }
   return findings;
 }
@@ -15466,18 +15330,7 @@ function detectJavaScript4(ctx) {
     const method = property.text();
     if (!DEBUG_METHODS.has(method))
       continue;
-    const range = call.range();
-    findings.push({
-      detectorId: "debug-console-in-prod",
-      message: `console.${method}() left in production code`,
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Remove debug logging or replace with a structured logger"
-    });
+    findings.push(makeFinding("debug-console-in-prod", ctx, call, `console.${method}() left in production code`, "warning", "Remove debug logging or replace with a structured logger"));
   }
   return findings;
 }
@@ -15491,18 +15344,7 @@ function detectPython4(ctx) {
     const callText = call.text();
     if (!callText.startsWith("print("))
       continue;
-    const range = call.range();
-    findings.push({
-      detectorId: "debug-console-in-prod",
-      message: "print() left in production code",
-      severity: "info",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Remove debug print or replace with logging module"
-    });
+    findings.push(makeFinding("debug-console-in-prod", ctx, call, "print() left in production code", "info", "Remove debug print or replace with logging module"));
   }
   return findings;
 }
@@ -15541,15 +15383,7 @@ function detect3(ctx) {
     if (!isComment)
       continue;
     const hasSecurityImplication = SECURITY_KEYWORDS.test(line);
-    findings.push({
-      detectorId: "todo-in-production",
-      message: `${match[1]} comment in production code${hasSecurityImplication ? " (security-related)" : ""}`,
-      severity: hasSecurityImplication ? "warning" : "info",
-      file: ctx.file.path,
-      line: i + 1,
-      column: (match.index ?? 0) + 1,
-      suggestion: "Address the TODO or create a tracked issue and reference it in the comment"
-    });
+    findings.push(makeLineFinding("todo-in-production", ctx, i + 1, (match.index ?? 0) + 1, `${match[1]} comment in production code${hasSecurityImplication ? " (security-related)" : ""}`, hasSecurityImplication ? "warning" : "info", "Address the TODO or create a tracked issue and reference it in the comment"));
   }
   return findings;
 }
@@ -15599,15 +15433,7 @@ function detect4(ctx) {
       const hasContext = CONFIG_CONTEXTS.test(line);
       if (!hasContext && description === "placeholder value")
         continue;
-      findings.push({
-        detectorId: "placeholder-in-production",
-        message: `Placeholder ${description} found: ${match[0].slice(0, 40)}`,
-        severity: "error",
-        file: ctx.file.path,
-        line: i + 1,
-        column: (match.index ?? 0) + 1,
-        suggestion: "Replace with actual configuration value or use environment variable"
-      });
+      findings.push(makeLineFinding("placeholder-in-production", ctx, i + 1, (match.index ?? 0) + 1, `Placeholder ${description} found: ${match[0].slice(0, 40)}`, "error", "Replace with actual configuration value or use environment variable"));
       break;
     }
   }
@@ -15658,18 +15484,7 @@ function detect5(ctx) {
     if (!SENSITIVE_KEYS.test(keyArg.text()))
       continue;
     const storage = object.text();
-    const range = call.range();
-    findings.push({
-      detectorId: "token-in-localstorage",
-      message: `Auth token stored in ${storage} — vulnerable to XSS attacks`,
-      severity: "error",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Use httpOnly cookies for auth tokens instead of browser storage"
-    });
+    findings.push(makeFinding("token-in-localstorage", ctx, call, `Auth token stored in ${storage} — vulnerable to XSS attacks`, "error", "Use httpOnly cookies for auth tokens instead of browser storage"));
   }
   return findings;
 }
@@ -15740,15 +15555,7 @@ function detect6(ctx) {
   if (violations.length < 2)
     return [];
   return [
-    {
-      detectorId: "god-component",
-      message: `Component file has too many hooks (${violations.join(", ")})`,
-      severity: "warning",
-      file: ctx.file.path,
-      line: 1,
-      column: 1,
-      suggestion: "Split this component into smaller, focused components. Extract custom hooks for related state and effects."
-    }
+    makeLineFinding("god-component", ctx, 1, 1, `Component file has too many hooks (${violations.join(", ")})`, "warning", "Split this component into smaller, focused components. Extract custom hooks for related state and effects.")
   ];
 }
 var godComponent = {
@@ -15855,6 +15662,9 @@ function getJsFunctionName(node) {
   }
   return "<anonymous>";
 }
+function buildFinding(ctx, m, severity) {
+  return makeLineFinding("god-function", ctx, m.startLine, m.startColumn, `Function '${m.name}' is too complex (${m.lines} lines, cyclomatic complexity ${m.complexity}, ${m.params} params)`, severity, "Break this function into smaller, focused functions. Extract helper methods, use early returns, and reduce branching.", m.endLine, m.endColumn);
+}
 function detectJavaScript5(ctx) {
   const findings = [];
   const root = ctx.root.root();
@@ -15946,19 +15756,6 @@ function detectPython5(ctx) {
   }
   return findings;
 }
-function buildFinding(ctx, m, severity) {
-  return {
-    detectorId: "god-function",
-    message: `Function '${m.name}' is too complex (${m.lines} lines, cyclomatic complexity ${m.complexity}, ${m.params} params)`,
-    severity,
-    file: ctx.file.path,
-    line: m.startLine,
-    column: m.startColumn,
-    endLine: m.endLine,
-    endColumn: m.endColumn,
-    suggestion: "Break this function into smaller, focused functions. Extract helper methods, use early returns, and reduce branching."
-  };
-}
 var godFunction = {
   id: "god-function",
   meta: {
@@ -16024,35 +15821,13 @@ function detectJavaScript6(ctx) {
     if (firstArg.kind() === "template_string") {
       const hasSubstitution = firstArg.children().some((ch) => ch.kind() === "template_substitution");
       if (hasSubstitution) {
-        const range = call.range();
-        findings.push({
-          detectorId: "sql-injection",
-          message: "SQL query uses template literal with interpolation — potential SQL injection",
-          severity: "error",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Use parameterized queries instead: db.query('SELECT * FROM users WHERE id = $1', [userId])"
-        });
+        findings.push(makeFinding("sql-injection", ctx, call, "SQL query uses template literal with interpolation — potential SQL injection", "error", "Use parameterized queries instead: db.query('SELECT * FROM users WHERE id = $1', [userId])"));
       }
     }
     if (firstArg.kind() === "binary_expression") {
       const text = firstArg.text();
       if (/\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|DROP|ALTER|CREATE)\b/i.test(text)) {
-        const range = call.range();
-        findings.push({
-          detectorId: "sql-injection",
-          message: "SQL query built with string concatenation — potential SQL injection",
-          severity: "error",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Use parameterized queries instead of string concatenation"
-        });
+        findings.push(makeFinding("sql-injection", ctx, call, "SQL query built with string concatenation — potential SQL injection", "error", "Use parameterized queries instead of string concatenation"));
       }
     }
   }
@@ -16077,51 +15852,18 @@ function detectPython6(ctx) {
       continue;
     const firstArg = args[0];
     if (firstArg.kind() === "string" && firstArg.text().startsWith("f")) {
-      const range = call.range();
-      findings.push({
-        detectorId: "sql-injection",
-        message: "SQL query uses f-string — potential SQL injection",
-        severity: "error",
-        file: ctx.file.path,
-        line: range.start.line + 1,
-        column: range.start.column + 1,
-        endLine: range.end.line + 1,
-        endColumn: range.end.column + 1,
-        suggestion: "Use parameterized queries: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))"
-      });
+      findings.push(makeFinding("sql-injection", ctx, call, "SQL query uses f-string — potential SQL injection", "error", "Use parameterized queries: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))"));
     }
     if (firstArg.kind() === "call" && firstArg.text().includes(".format(")) {
       const text = firstArg.text();
       if (/\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b/i.test(text)) {
-        const range = call.range();
-        findings.push({
-          detectorId: "sql-injection",
-          message: "SQL query uses .format() — potential SQL injection",
-          severity: "error",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Use parameterized queries instead of .format()"
-        });
+        findings.push(makeFinding("sql-injection", ctx, call, "SQL query uses .format() — potential SQL injection", "error", "Use parameterized queries instead of .format()"));
       }
     }
     if (firstArg.kind() === "binary_expression" || firstArg.kind() === "string" && args.length >= 2) {
       const stmtText = call.text();
       if (stmtText.includes(" % ") && /\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b/i.test(stmtText)) {
-        const range = call.range();
-        findings.push({
-          detectorId: "sql-injection",
-          message: "SQL query uses % formatting — potential SQL injection",
-          severity: "error",
-          file: ctx.file.path,
-          line: range.start.line + 1,
-          column: range.start.column + 1,
-          endLine: range.end.line + 1,
-          endColumn: range.end.column + 1,
-          suggestion: "Use parameterized queries: cursor.execute('SELECT ... WHERE id = %s', (value,))"
-        });
+        findings.push(makeFinding("sql-injection", ctx, call, "SQL query uses % formatting — potential SQL injection", "error", "Use parameterized queries: cursor.execute('SELECT ... WHERE id = %s', (value,))"));
       }
     }
   }
@@ -16159,18 +15901,7 @@ function detect7(ctx) {
       continue;
     if (name.text() !== "dangerouslySetInnerHTML")
       continue;
-    const range = attr.range();
-    findings.push({
-      detectorId: "dangerous-inner-html",
-      message: "dangerouslySetInnerHTML can lead to XSS attacks if the content is not sanitized",
-      severity: "warning",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Use a sanitization library like DOMPurify: dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(content)}}"
-    });
+    findings.push(makeFinding("dangerous-inner-html", ctx, attr, "dangerouslySetInnerHTML can lead to XSS attacks if the content is not sanitized", "warning", "Use a sanitization library like DOMPurify: dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(content)}}"));
   }
   return findings;
 }
@@ -16287,18 +16018,7 @@ function detectJavaScript7(ctx) {
     }
     if (chainHasLimit)
       continue;
-    const range = call.range();
-    findings.push({
-      detectorId: "unbounded-query",
-      message: "Query fetches multiple records without a limit — may return excessive data",
-      severity: "info",
-      file: ctx.file.path,
-      line: range.start.line + 1,
-      column: range.start.column + 1,
-      endLine: range.end.line + 1,
-      endColumn: range.end.column + 1,
-      suggestion: "Add a limit: findMany({ take: 100 }) or .limit(100)"
-    });
+    findings.push(makeFinding("unbounded-query", ctx, call, "Query fetches multiple records without a limit — may return excessive data", "info", "Add a limit: findMany({ take: 100 }) or .limit(100)"));
   }
   return findings;
 }
@@ -16391,26 +16111,10 @@ function detect8(ctx) {
     }
   }
   if (hasUIImport && hasDBImport) {
-    findings.push({
-      detectorId: "mixed-concerns",
-      message: `File imports both UI framework (${uiImportName}) and database (${dbImportName}) — mixed concerns`,
-      severity: "warning",
-      file: ctx.file.path,
-      line: 1,
-      column: 1,
-      suggestion: "Separate UI rendering from data access. Move database logic to a service/API layer."
-    });
+    findings.push(makeLineFinding("mixed-concerns", ctx, 1, 1, `File imports both UI framework (${uiImportName}) and database (${dbImportName}) — mixed concerns`, "warning", "Separate UI rendering from data access. Move database logic to a service/API layer."));
   }
   if (hasUIImport && hasServerImport) {
-    findings.push({
-      detectorId: "mixed-concerns",
-      message: `File imports both UI framework (${uiImportName}) and server framework — mixed concerns`,
-      severity: "warning",
-      file: ctx.file.path,
-      line: 1,
-      column: 1,
-      suggestion: "Separate UI components from server-side logic."
-    });
+    findings.push(makeLineFinding("mixed-concerns", ctx, 1, 1, `File imports both UI framework (${uiImportName}) and server framework — mixed concerns`, "warning", "Separate UI components from server-side logic."));
   }
   return findings;
 }
@@ -16425,36 +16129,770 @@ var mixedConcerns = {
   },
   detect: detect8
 };
-// src/detectors/index.ts
-var builtinDetectors = [
-  emptyErrorHandler,
-  trivialAssertion,
-  insecureDefaults,
-  undeclaredImport,
-  overDefensiveCoding,
-  excessiveCommentRatio,
-  overMocking,
-  nPlusOneQuery,
-  uncheckedDbResult,
-  deadCodePath,
-  doubleTypeAssertion,
-  excessiveAny,
-  debugConsoleInProd,
-  todoInProduction,
-  placeholderInProduction,
+// src/detectors/unsafe-shell-exec.ts
+var EXEC_FUNCTIONS = new Set(["exec", "execSync"]);
+var SUBPROCESS_METHODS = new Set(["run", "call", "Popen", "check_output", "check_call"]);
+function detectJavaScript8(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const callExprs = root.findAll({ rule: { kind: "call_expression" } });
+  for (const call of callExprs) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee)
+      continue;
+    let isExecCall = false;
+    if (callee.kind() === "identifier" && EXEC_FUNCTIONS.has(callee.text())) {
+      isExecCall = true;
+    } else if (callee.kind() === "member_expression") {
+      const text = callee.text();
+      for (const fn of EXEC_FUNCTIONS) {
+        if (text.endsWith(`.${fn}`)) {
+          isExecCall = true;
+          break;
+        }
+      }
+    }
+    if (!isExecCall)
+      continue;
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args)
+      continue;
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0)
+      continue;
+    const firstArg = argNodes[0];
+    const argKind = firstArg.kind();
+    if (argKind === "string" || argKind === "string_fragment")
+      continue;
+    findings.push(makeFinding("unsafe-shell-exec", ctx, call, `${callee.text()}() called with dynamic argument — risk of shell injection`, "error", "Use execFile() or spawn() with an argument array instead of exec() with string interpolation"));
+  }
+  return findings;
+}
+function detectPython7(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const calls = root.findAll({ rule: { kind: "call" } });
+  for (const call of calls) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee)
+      continue;
+    const calleeText = callee.text();
+    let isSubprocessCall = false;
+    for (const method of SUBPROCESS_METHODS) {
+      if (calleeText === `subprocess.${method}` || calleeText.endsWith(`.${method}`)) {
+        isSubprocessCall = true;
+        break;
+      }
+    }
+    if (!isSubprocessCall)
+      continue;
+    const argList = children.find((ch) => ch.kind() === "argument_list");
+    if (!argList)
+      continue;
+    const kwargs = argList.children().filter((ch) => ch.kind() === "keyword_argument");
+    let hasShellTrue = false;
+    for (const kwarg of kwargs) {
+      const kwChildren = kwarg.children();
+      const key = kwChildren.find((ch) => ch.kind() === "identifier");
+      const value = kwChildren.find((ch) => ch.kind() === "true");
+      if (key && value && key.text() === "shell") {
+        hasShellTrue = true;
+        break;
+      }
+    }
+    if (!hasShellTrue)
+      continue;
+    const positionalArgs = argList.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== "," && ch.kind() !== "keyword_argument");
+    if (positionalArgs.length === 0)
+      continue;
+    const firstArg = positionalArgs[0];
+    const argKind = firstArg.kind();
+    if (argKind === "string") {
+      const text = firstArg.text();
+      if (!text.startsWith('f"') && !text.startsWith("f'")) {
+        continue;
+      }
+    } else if (argKind === "concatenated_string") {} else if (argKind !== "identifier" && argKind !== "binary_operator") {
+      continue;
+    }
+    findings.push(makeFinding("unsafe-shell-exec", ctx, call, `${calleeText}() called with shell=True and dynamic argument — risk of shell injection`, "error", "Pass arguments as a list and remove shell=True: subprocess.run(['cmd', arg])"));
+  }
+  return findings;
+}
+var unsafeShellExec = {
+  id: "unsafe-shell-exec",
+  meta: {
+    name: "Unsafe Shell Execution",
+    description: "Detects shell command execution with dynamic arguments that may be vulnerable to injection",
+    severity: "error",
+    category: "security",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (ctx.file.language === "python")
+      return detectPython7(ctx);
+    return detectJavaScript8(ctx);
+  }
+};
+// src/detectors/llm-call-no-timeout.ts
+var LLM_CONSTRUCTORS = new Set(["OpenAI", "Anthropic"]);
+function hasProperty(objectNode, propName) {
+  const pairs = objectNode.findAll({ rule: { kind: "pair" } });
+  for (const pair of pairs) {
+    const children = pair.children();
+    const key = children.find((ch) => ch.kind() === "property_identifier" || ch.kind() === "string" || ch.kind() === "shorthand_property_identifier");
+    if (key && key.text().replace(/["']/g, "") === propName) {
+      return true;
+    }
+  }
+  const shorthandProps = objectNode.findAll({ rule: { kind: "shorthand_property_identifier" } });
+  for (const sp of shorthandProps) {
+    if (sp.text() === propName)
+      return true;
+  }
+  return false;
+}
+function detectJavaScript9(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const newExprs = root.findAll({ rule: { kind: "new_expression" } });
+  for (const newExpr of newExprs) {
+    const children = newExpr.children();
+    const constructorNode = children.find((ch) => ch.kind() === "identifier");
+    if (!constructorNode || !LLM_CONSTRUCTORS.has(constructorNode.text()))
+      continue;
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args) {
+      findings.push(makeFinding("llm-call-no-timeout", ctx, newExpr, `new ${constructorNode.text()}() called without timeout option`, "warning", `Pass a timeout option: new ${constructorNode.text()}({ timeout: 30000 })`));
+      continue;
+    }
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0) {
+      findings.push(makeFinding("llm-call-no-timeout", ctx, newExpr, `new ${constructorNode.text()}() called without timeout option`, "warning", `Pass a timeout option: new ${constructorNode.text()}({ timeout: 30000 })`));
+      continue;
+    }
+    const firstArg = argNodes[0];
+    if (firstArg.kind() === "object") {
+      if (!hasProperty(firstArg, "timeout")) {
+        findings.push(makeFinding("llm-call-no-timeout", ctx, newExpr, `new ${constructorNode.text()}() called without timeout option`, "warning", `Add timeout to options: new ${constructorNode.text()}({ timeout: 30000, ... })`));
+      }
+    }
+  }
+  const callExprs = root.findAll({ rule: { kind: "call_expression" } });
+  for (const call of callExprs) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee || callee.kind() !== "member_expression")
+      continue;
+    const calleeText = callee.text();
+    if (!calleeText.endsWith(".create"))
+      continue;
+    if (!calleeText.includes("completions") && !calleeText.includes("messages") && !calleeText.includes("chat")) {
+      continue;
+    }
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args)
+      continue;
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0)
+      continue;
+    const firstArg = argNodes[0];
+    if (firstArg.kind() === "object") {
+      if (!hasProperty(firstArg, "max_tokens")) {
+        findings.push(makeFinding("llm-call-no-timeout", ctx, call, ".create() called without max_tokens — response size is unbounded", "warning", "Add max_tokens to limit response size: .create({ max_tokens: 1000, ... })"));
+      }
+    }
+  }
+  return findings;
+}
+function detectPython8(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const calls = root.findAll({ rule: { kind: "call" } });
+  for (const call of calls) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee)
+      continue;
+    const calleeText = callee.text();
+    if (!calleeText.endsWith(".create"))
+      continue;
+    if (!calleeText.includes("completions") && !calleeText.includes("Completion") && !calleeText.includes("messages") && !calleeText.includes("chat")) {
+      continue;
+    }
+    const argList = children.find((ch) => ch.kind() === "argument_list");
+    if (!argList)
+      continue;
+    const kwargs = argList.children().filter((ch) => ch.kind() === "keyword_argument");
+    let hasTimeout = false;
+    for (const kwarg of kwargs) {
+      const kwChildren = kwarg.children();
+      const key = kwChildren.find((ch) => ch.kind() === "identifier");
+      if (key && key.text() === "timeout") {
+        hasTimeout = true;
+        break;
+      }
+    }
+    if (!hasTimeout) {
+      findings.push(makeFinding("llm-call-no-timeout", ctx, call, `${calleeText}() called without timeout — request may hang indefinitely`, "warning", "Add a timeout parameter: .create(timeout=30, ...)"));
+    }
+  }
+  return findings;
+}
+var llmCallNoTimeout = {
+  id: "llm-call-no-timeout",
+  meta: {
+    name: "LLM Call No Timeout",
+    description: "Detects LLM API calls (OpenAI, Anthropic) without timeout or max_tokens configuration",
+    severity: "warning",
+    category: "quality",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (ctx.file.language === "python")
+      return detectPython8(ctx);
+    return detectJavaScript9(ctx);
+  }
+};
+// src/detectors/dynamic-code-exec.ts
+function detectJavaScript10(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const callExprs = root.findAll({ rule: { kind: "call_expression" } });
+  for (const call of callExprs) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee || callee.kind() !== "identifier" || callee.text() !== "eval")
+      continue;
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args)
+      continue;
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0)
+      continue;
+    const firstArg = argNodes[0];
+    if (firstArg.kind() === "string" || firstArg.kind() === "string_fragment")
+      continue;
+    findings.push(makeFinding("dynamic-code-exec", ctx, call, "eval() called with dynamic argument — arbitrary code execution risk", "error", "Avoid eval() with dynamic input. Use JSON.parse() for data or refactor to avoid dynamic code"));
+  }
+  const newExprs = root.findAll({ rule: { kind: "new_expression" } });
+  for (const newExpr of newExprs) {
+    const children = newExpr.children();
+    const constructorNode = children.find((ch) => ch.kind() === "identifier");
+    if (!constructorNode || constructorNode.text() !== "Function")
+      continue;
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args)
+      continue;
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0)
+      continue;
+    const lastArg = argNodes[argNodes.length - 1];
+    if (lastArg.kind() === "string" || lastArg.kind() === "string_fragment")
+      continue;
+    findings.push(makeFinding("dynamic-code-exec", ctx, newExpr, "new Function() called with dynamic argument — arbitrary code execution risk", "error", "Avoid new Function() with dynamic input. Use static function definitions instead"));
+  }
+  return findings;
+}
+function detectPython9(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const calls = root.findAll({ rule: { kind: "call" } });
+  for (const call of calls) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee || callee.kind() !== "identifier")
+      continue;
+    const funcName = callee.text();
+    if (funcName !== "eval" && funcName !== "exec")
+      continue;
+    const argList = children.find((ch) => ch.kind() === "argument_list");
+    if (!argList)
+      continue;
+    const argNodes = argList.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== "," && ch.kind() !== "keyword_argument");
+    if (argNodes.length === 0)
+      continue;
+    const firstArg = argNodes[0];
+    if (firstArg.kind() === "string") {
+      const text = firstArg.text();
+      if (!text.startsWith('f"') && !text.startsWith("f'")) {
+        continue;
+      }
+    } else if (firstArg.kind() === "identifier" || firstArg.kind() === "binary_operator" || firstArg.kind() === "concatenated_string") {} else {
+      continue;
+    }
+    findings.push(makeFinding("dynamic-code-exec", ctx, call, `${funcName}() called with dynamic argument — arbitrary code execution risk`, "error", `Avoid ${funcName}() with dynamic input. Use ast.literal_eval() for safe expression evaluation`));
+  }
+  return findings;
+}
+var dynamicCodeExec = {
+  id: "dynamic-code-exec",
+  meta: {
+    name: "Dynamic Code Execution",
+    description: "Detects eval() and new Function() / exec() with dynamic (non-literal) arguments",
+    severity: "error",
+    category: "security",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (ctx.file.language === "python")
+      return detectPython9(ctx);
+    return detectJavaScript10(ctx);
+  }
+};
+// src/detectors/llm-unpinned-model.ts
+var DATE_SUFFIX_RE = /[-_]\d{8}$/;
+var DATE_DASH_SUFFIX_RE = /[-_]\d{4}-\d{2}-\d{2}$/;
+var UNPINNED_MODEL_PATTERNS = [
+  /^gpt-4o$/,
+  /^gpt-4$/,
+  /^gpt-4o-mini$/,
+  /^gpt-4-turbo$/,
+  /^gpt-3\.5-turbo$/,
+  /^o1$/,
+  /^o1-mini$/,
+  /^o1-preview$/,
+  /^o3$/,
+  /^o3-mini$/,
+  /^o4-mini$/,
+  /^claude-.*-latest$/,
+  /^claude-3-opus$/,
+  /^claude-3-haiku$/,
+  /^claude-3-5-sonnet$/,
+  /^claude-3-5-haiku$/,
+  /^claude-sonnet-4$/,
+  /^claude-opus-4$/,
+  /^gemini-pro$/,
+  /^gemini-1\.5-pro$/,
+  /^gemini-1\.5-flash$/,
+  /^gemini-2\.0-flash$/
+];
+function isPinned(model) {
+  return DATE_SUFFIX_RE.test(model) || DATE_DASH_SUFFIX_RE.test(model);
+}
+function isUnpinnedModel(value) {
+  if (isPinned(value))
+    return false;
+  return UNPINNED_MODEL_PATTERNS.some((re) => re.test(value));
+}
+function detect9(ctx) {
+  const findings = [];
+  const lines = ctx.source.split(`
+`);
+  const stringLiteralRe = /(['"])([^'"]*)\1/g;
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    let match;
+    stringLiteralRe.lastIndex = 0;
+    while ((match = stringLiteralRe.exec(line)) !== null) {
+      const value = match[2];
+      if (isUnpinnedModel(value)) {
+        findings.push(makeLineFinding("llm-unpinned-model", ctx, i + 1, match.index + 1, `Unpinned model alias "${value}" — model behavior may change without notice`, "warning", `Pin to a specific version with a date suffix, e.g. "${value}-YYYYMMDD"`));
+      }
+    }
+  }
+  return findings;
+}
+var llmUnpinnedModel = {
+  id: "llm-unpinned-model",
+  meta: {
+    name: "LLM Unpinned Model",
+    description: "Detects unpinned LLM model aliases that may change behavior without notice",
+    severity: "warning",
+    category: "quality",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect: detect9
+};
+// src/detectors/llm-no-system-message.ts
+var SYSTEM_ROLE_RE = /["']system["']/;
+function detectJavaScript11(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const pairs = root.findAll({ rule: { kind: "pair" } });
+  for (const pair of pairs) {
+    const children = pair.children();
+    const key = children.find((ch) => ch.kind() === "property_identifier" || ch.kind() === "string" || ch.kind() === "shorthand_property_identifier");
+    if (!key)
+      continue;
+    const keyName = key.text().replace(/["']/g, "");
+    if (keyName !== "messages")
+      continue;
+    const value = children.find((ch) => ch.kind() === "array");
+    if (!value)
+      continue;
+    const arrayText = value.text();
+    if (!SYSTEM_ROLE_RE.test(arrayText)) {
+      findings.push(makeFinding("llm-no-system-message", ctx, pair, "messages array has no system message — LLM behavior may be unpredictable", "info", 'Add a system message: { role: "system", content: "You are a helpful assistant." }'));
+    }
+  }
+  return findings;
+}
+function detectPython10(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const kwargs = root.findAll({ rule: { kind: "keyword_argument" } });
+  for (const kwarg of kwargs) {
+    const children = kwarg.children();
+    const key = children.find((ch) => ch.kind() === "identifier");
+    if (!key || key.text() !== "messages")
+      continue;
+    const value = children.find((ch) => ch.kind() === "list");
+    if (!value)
+      continue;
+    const listText = value.text();
+    if (!SYSTEM_ROLE_RE.test(listText)) {
+      findings.push(makeFinding("llm-no-system-message", ctx, kwarg, "messages list has no system message — LLM behavior may be unpredictable", "info", 'Add a system message: {"role": "system", "content": "You are a helpful assistant."}'));
+    }
+  }
+  const assignments = root.findAll({ rule: { kind: "assignment" } });
+  for (const assign of assignments) {
+    const children = assign.children();
+    const nameNode = children.find((ch) => ch.kind() === "identifier");
+    if (!nameNode || nameNode.text() !== "messages")
+      continue;
+    const value = children.find((ch) => ch.kind() === "list");
+    if (!value)
+      continue;
+    const listText = value.text();
+    if (!SYSTEM_ROLE_RE.test(listText)) {
+      findings.push(makeFinding("llm-no-system-message", ctx, assign, "messages list has no system message — LLM behavior may be unpredictable", "info", 'Add a system message: {"role": "system", "content": "You are a helpful assistant."}'));
+    }
+  }
+  return findings;
+}
+var llmNoSystemMessage = {
+  id: "llm-no-system-message",
+  meta: {
+    name: "LLM No System Message",
+    description: "Detects LLM chat API calls where messages array lacks a system role message",
+    severity: "info",
+    category: "quality",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (ctx.file.language === "python")
+      return detectPython10(ctx);
+    return detectJavaScript11(ctx);
+  }
+};
+// src/detectors/llm-temperature-not-set.ts
+function detectJavaScript12(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const callExprs = root.findAll({ rule: { kind: "call_expression" } });
+  for (const call of callExprs) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee || callee.kind() !== "member_expression")
+      continue;
+    const calleeText = callee.text();
+    if (!calleeText.endsWith(".create"))
+      continue;
+    if (!calleeText.includes("completions") && !calleeText.includes("messages") && !calleeText.includes("chat")) {
+      continue;
+    }
+    const args = children.find((ch) => ch.kind() === "arguments");
+    if (!args)
+      continue;
+    const argNodes = args.children().filter((ch) => ch.kind() !== "(" && ch.kind() !== ")" && ch.kind() !== ",");
+    if (argNodes.length === 0)
+      continue;
+    const firstArg = argNodes[0];
+    if (firstArg.kind() !== "object")
+      continue;
+    const pairs = firstArg.findAll({ rule: { kind: "pair" } });
+    let hasTemperature = false;
+    for (const pair of pairs) {
+      const pairChildren = pair.children();
+      const key = pairChildren.find((ch) => ch.kind() === "property_identifier" || ch.kind() === "string" || ch.kind() === "shorthand_property_identifier");
+      if (key && key.text().replace(/["']/g, "") === "temperature") {
+        hasTemperature = true;
+        break;
+      }
+    }
+    if (!hasTemperature) {
+      const shorthandProps = firstArg.findAll({ rule: { kind: "shorthand_property_identifier" } });
+      for (const sp of shorthandProps) {
+        if (sp.text() === "temperature") {
+          hasTemperature = true;
+          break;
+        }
+      }
+    }
+    if (!hasTemperature) {
+      findings.push(makeFinding("llm-temperature-not-set", ctx, call, ".create() called without temperature — model output randomness is not controlled", "info", "Set temperature explicitly: .create({ temperature: 0.7, ... })"));
+    }
+  }
+  return findings;
+}
+function detectPython11(ctx) {
+  const findings = [];
+  const root = ctx.root.root();
+  const calls = root.findAll({ rule: { kind: "call" } });
+  for (const call of calls) {
+    const children = call.children();
+    const callee = children[0];
+    if (!callee)
+      continue;
+    const calleeText = callee.text();
+    if (!calleeText.endsWith(".create"))
+      continue;
+    if (!calleeText.includes("completions") && !calleeText.includes("Completion") && !calleeText.includes("messages") && !calleeText.includes("chat")) {
+      continue;
+    }
+    const argList = children.find((ch) => ch.kind() === "argument_list");
+    if (!argList)
+      continue;
+    const kwargs = argList.children().filter((ch) => ch.kind() === "keyword_argument");
+    let hasTemperature = false;
+    for (const kwarg of kwargs) {
+      const kwChildren = kwarg.children();
+      const key = kwChildren.find((ch) => ch.kind() === "identifier");
+      if (key && key.text() === "temperature") {
+        hasTemperature = true;
+        break;
+      }
+    }
+    if (!hasTemperature) {
+      findings.push(makeFinding("llm-temperature-not-set", ctx, call, `${calleeText}() called without temperature — model output randomness is not controlled`, "info", "Set temperature explicitly: .create(temperature=0.7, ...)"));
+    }
+  }
+  return findings;
+}
+var llmTemperatureNotSet = {
+  id: "llm-temperature-not-set",
+  meta: {
+    name: "LLM Temperature Not Set",
+    description: "Detects LLM API .create() calls without explicit temperature parameter",
+    severity: "info",
+    category: "quality",
+    languages: ["javascript", "typescript", "tsx", "python"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (ctx.file.language === "python")
+      return detectPython11(ctx);
+    return detectJavaScript12(ctx);
+  }
+};
+// src/detectors/hallucinated-package.ts
+import { readFileSync as readFileSync3 } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname as dirname2, join as join2, basename as basename2 } from "node:path";
+var __dirname2 = dirname2(fileURLToPath(import.meta.url));
+var knownPackages = JSON.parse(readFileSync3(join2(__dirname2, "../data/known-packages.json"), "utf-8"));
+var KNOWN_SET = new Set(knownPackages);
+var KNOWN_SCOPES = new Set([
+  "@types",
+  "@babel",
+  "@rollup",
+  "@eslint",
+  "@typescript-eslint",
+  "@angular",
+  "@vue",
+  "@nuxt",
+  "@svelte",
+  "@sveltejs",
+  "@react-native",
+  "@react-native-community",
+  "@aws-sdk",
+  "@aws-cdk",
+  "@google-cloud",
+  "@azure",
+  "@firebase",
+  "@vercel",
+  "@netlify",
+  "@cloudflare",
+  "@testing-library",
+  "@storybook",
+  "@prisma",
+  "@trpc",
+  "@tanstack",
+  "@emotion",
+  "@mui",
+  "@chakra-ui",
+  "@radix-ui",
+  "@headlessui",
+  "@sentry",
+  "@datadog",
+  "@opentelemetry",
+  "@octokit",
+  "@actions",
+  "@nestjs",
+  "@fastify",
+  "@hapi",
+  "@grpc",
+  "@apollo",
+  "@graphql-codegen",
+  "@graphql-tools",
+  "@remix-run",
+  "@shopify",
+  "@stripe",
+  "@auth0",
+  "@clerk",
+  "@supabase",
+  "@upstash",
+  "@expo",
+  "@react-navigation",
+  "@mantine",
+  "@floating-ui",
+  "@dnd-kit",
+  "@tailwindcss",
+  "@heroicons",
+  "@iconify",
+  "@astrojs",
+  "@sanity",
+  "@contentful",
+  "@mdx-js",
+  "@codemirror",
+  "@tiptap",
+  "@monaco-editor",
+  "@react-aria",
+  "@react-stately",
+  "@react-spring",
+  "@react-three",
+  "@fontsource",
+  "@mapbox",
+  "@nrwl",
+  "@nx",
+  "@swc",
+  "@vitejs",
+  "@esbuild",
+  "@changesets",
+  "@commitlint",
+  "@semantic-release",
+  "@rushstack",
+  "@microsoft",
+  "@sindresorhus",
+  "@antfu",
+  "@jridgewell",
+  "@csstools",
+  "@webassemblyjs",
+  "@npmcli",
+  "@isaacs",
+  "@pkgr",
+  "@nodelib",
+  "@tsconfig",
+  "@jest",
+  "@vitest",
+  "@sinonjs",
+  "@hono",
+  "@elysiajs",
+  "@effect",
+  "@langchain",
+  "@ai-sdk",
+  "@aws-lambda-powertools",
+  "@middy",
+  "@pulumi",
+  "@builder.io",
+  "@solidjs",
+  "@biomejs"
+]);
+function getScope(packageName) {
+  if (!packageName.startsWith("@"))
+    return null;
+  const slashIdx = packageName.indexOf("/");
+  if (slashIdx === -1)
+    return null;
+  return packageName.slice(0, slashIdx);
+}
+var hallucinatedPackage = {
+  id: "hallucinated-package",
+  meta: {
+    name: "Hallucinated Package",
+    description: "Detects potentially hallucinated (non-existent) packages in package.json",
+    severity: "info",
+    category: "correctness",
+    languages: ["javascript", "typescript"],
+    priority: 10
+  },
+  detect(ctx) {
+    if (basename2(ctx.file.path) !== "package.json") {
+      return [];
+    }
+    let pkg;
+    try {
+      pkg = JSON.parse(ctx.source);
+    } catch {
+      return [];
+    }
+    const findings = [];
+    const lines = ctx.source.split(`
+`);
+    const deps = pkg.dependencies;
+    const devDeps = pkg.devDependencies;
+    const allDeps = [];
+    if (deps && typeof deps === "object") {
+      allDeps.push(...Object.keys(deps));
+    }
+    if (devDeps && typeof devDeps === "object") {
+      allDeps.push(...Object.keys(devDeps));
+    }
+    for (const dep of allDeps) {
+      if (KNOWN_SET.has(dep))
+        continue;
+      const scope = getScope(dep);
+      if (scope && KNOWN_SCOPES.has(scope))
+        continue;
+      const searchStr = `"${dep}"`;
+      let lineNum = 1;
+      for (let i = 0;i < lines.length; i++) {
+        if (lines[i].includes(searchStr)) {
+          lineNum = i + 1;
+          break;
+        }
+      }
+      const col = (lines[lineNum - 1]?.indexOf(searchStr) ?? 0) + 1;
+      findings.push(makeLineFinding("hallucinated-package", ctx, lineNum, col, `Package '${dep}' is not in the known-packages allowlist — verify it exists on npm`, "info", `Run: npm view ${dep} to check if this package exists`));
+    }
+    return findings;
+  }
+};
+// src/detectors/index.ts
+var builtinDetectors = [
+  emptyErrorHandler,
+  trivialAssertion,
+  insecureDefaults,
+  undeclaredImport,
+  overDefensiveCoding,
+  excessiveCommentRatio,
+  overMocking,
+  nPlusOneQuery,
+  uncheckedDbResult,
+  deadCodePath,
+  doubleTypeAssertion,
+  excessiveAny,
+  debugConsoleInProd,
+  todoInProduction,
+  placeholderInProduction,
   tokenInLocalstorage,
   godComponent,
   godFunction,
   sqlInjection,
   dangerousInnerHtml,
   unboundedQuery,
-  mixedConcerns
+  mixedConcerns,
+  unsafeShellExec,
+  llmCallNoTimeout,
+  dynamicCodeExec,
+  llmUnpinnedModel,
+  llmNoSystemMessage,
+  llmTemperatureNotSet,
+  hallucinatedPackage
 ];
 
 // src/engine.ts
-import { existsSync as existsSync2, readdirSync as readdirSync2, readFileSync as readFileSync3, statSync } from "node:fs";
+import { existsSync as existsSync2, readdirSync as readdirSync2, readFileSync as readFileSync4, statSync } from "node:fs";
 import { createRequire as createRequire2 } from "node:module";
-import { extname, join as join2, relative, resolve as resolve2 } from "node:path";
+import { extname, join as join3, relative, resolve as resolve2 } from "node:path";
 import { parse, Lang as SgLang, registerDynamicLanguage } from "@ast-grep/napi";
 var EXTENSION_MAP = {
   ".js": "javascript",
@@ -16554,7 +16992,7 @@ function runDetectors(files, detectors, project, config, options = {}) {
     filesProcessed++;
     let source;
     try {
-      source = readFileSync3(file.absolutePath, "utf-8");
+      source = readFileSync4(file.absolutePath, "utf-8");
     } catch (err) {
       errors2.push({
         file: file.path,
@@ -16636,13 +17074,44 @@ function runDetectors(files, detectors, project, config, options = {}) {
   }
   const totalMs = performance.now() - startTime;
   const timing = options.verbose ? { totalMs, perDetector } : undefined;
+  const dedupedFindings = dedupFindings(findings, detectors);
   return {
-    findings,
+    findings: dedupedFindings,
     filesScanned: filesProcessed,
     errors: errors2,
     timing
   };
 }
+function dedupFindings(findings, detectors) {
+  const priorityMap = new Map;
+  for (const d of detectors) {
+    priorityMap.set(d.id, d.meta.priority ?? 0);
+  }
+  const groups = new Map;
+  for (const f of findings) {
+    const key = `${f.file}:${f.line}`;
+    const group = groups.get(key);
+    if (group) {
+      group.push(f);
+    } else {
+      groups.set(key, [f]);
+    }
+  }
+  const deduped = [];
+  for (const group of groups.values()) {
+    if (group.length === 1) {
+      deduped.push(group[0]);
+    } else {
+      group.sort((a, b) => {
+        const pa = priorityMap.get(a.detectorId) ?? 0;
+        const pb = priorityMap.get(b.detectorId) ?? 0;
+        return pb - pa;
+      });
+      deduped.push(group[0]);
+    }
+  }
+  return deduped;
+}
 function runWithTimeout(fn, timeoutMs, detectorId, filePath) {
   const start = performance.now();
   try {
@@ -16678,7 +17147,7 @@ function walkDirectory(dir, scanRoot, compiledIgnorePatterns, files) {
     throw err;
   }
   for (const entry of entries) {
-    const fullPath = join2(dir, entry.name);
+    const fullPath = join3(dir, entry.name);
     const relativePath = relative(scanRoot, fullPath);
     if (matchesIgnorePattern(relativePath, entry.name, compiledIgnorePatterns)) {
       continue;
@@ -16725,9 +17194,9 @@ function matchesIgnorePattern(relativePath, baseName, compiledPatterns) {
   return false;
 }
 function loadGitignore(root) {
-  const gitignorePath = join2(root, ".gitignore");
+  const gitignorePath = join3(root, ".gitignore");
   try {
-    const content = readFileSync3(gitignorePath, "utf-8");
+    const content = readFileSync4(gitignorePath, "utf-8");
     return content.split(`
 `).map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((line) => {
       if (line.startsWith("/")) {
@@ -16750,7 +17219,7 @@ function getExtension(filename) {
 }
 function isBinaryFile(filePath) {
   try {
-    const fd = readFileSync3(filePath, { encoding: null, flag: "r" });
+    const fd = readFileSync4(filePath, { encoding: null, flag: "r" });
     const sample = fd.subarray(0, 512);
     for (const byte of sample) {
       if (byte === 0)
@@ -16792,6 +17261,19 @@ function isNodeError2(err) {
   return err instanceof Error && "code" in err;
 }
 
+// src/formatters/agent.ts
+function formatAgent(result) {
+  if (result.findings.length === 0) {
+    return "";
+  }
+  return result.findings.map((f) => {
+    const location = `${f.file}:${f.line}:${f.column}`;
+    const suffix = f.suggestion ? `. ${f.suggestion}` : "";
+    return `${location} ${f.severity} ${f.detectorId}: ${f.message}${suffix}`;
+  }).join(`
+`);
+}
+
 // src/formatters/github.ts
 import { appendFileSync } from "node:fs";
 function ghLevel(severity) {
@@ -17272,14 +17754,16 @@ function getFormatter(format, options) {
       return formatSarif;
     case "html":
       return formatHtml;
+    case "agent":
+      return formatAgent;
     default:
-      throw new Error(`Unknown format '${format}'. Available formats: text, json, github, sarif, html`);
+      throw new Error(`Unknown format '${format}'. Available formats: text, json, github, sarif, html, agent`);
   }
 }
 
 // src/project.ts
-import { existsSync as existsSync3, readFileSync as readFileSync4 } from "node:fs";
-import { dirname as dirname2, join as join3, resolve as resolve3 } from "node:path";
+import { existsSync as existsSync3, readFileSync as readFileSync5 } from "node:fs";
+import { dirname as dirname3, join as join4, resolve as resolve3 } from "node:path";
 function loadProjectInfo(scanRoot) {
   const info = {
     dependencies: new Set,
@@ -17306,11 +17790,11 @@ function findProjectRoot(startDir) {
       "pyproject.toml"
     ];
     for (const m of manifests) {
-      if (existsSync3(join3(dir, m))) {
+      if (existsSync3(join4(dir, m))) {
         return dir;
       }
     }
-    const parentDir = dirname2(dir);
+    const parentDir = dirname3(dir);
     if (parentDir === dir)
       break;
     dir = parentDir;
@@ -17318,12 +17802,12 @@ function findProjectRoot(startDir) {
   return null;
 }
 function parsePackageJson(root, info) {
-  const pkgPath = join3(root, "package.json");
+  const pkgPath = join4(root, "package.json");
   if (!existsSync3(pkgPath))
     return;
   info.manifests.push(pkgPath);
   try {
-    const raw = readFileSync4(pkgPath, "utf-8");
+    const raw = readFileSync5(pkgPath, "utf-8");
     const pkg = JSON.parse(raw);
     if (isRecord(pkg.dependencies)) {
       for (const name of Object.keys(pkg.dependencies)) {
@@ -17342,11 +17826,11 @@ function parsePackageJson(root, info) {
   } catch {}
 }
 function parseLockFiles(root, info) {
-  const npmLockPath = join3(root, "package-lock.json");
+  const npmLockPath = join4(root, "package-lock.json");
   if (existsSync3(npmLockPath)) {
     info.manifests.push(npmLockPath);
     try {
-      const raw = readFileSync4(npmLockPath, "utf-8");
+      const raw = readFileSync5(npmLockPath, "utf-8");
       const lock = JSON.parse(raw);
       if (isRecord(lock.packages)) {
         for (const key of Object.keys(lock.packages)) {
@@ -17366,11 +17850,11 @@ function parseLockFiles(root, info) {
       }
     } catch {}
   }
-  const yarnLockPath = join3(root, "yarn.lock");
+  const yarnLockPath = join4(root, "yarn.lock");
   if (existsSync3(yarnLockPath)) {
     info.manifests.push(yarnLockPath);
     try {
-      const raw = readFileSync4(yarnLockPath, "utf-8");
+      const raw = readFileSync5(yarnLockPath, "utf-8");
       for (const line of raw.split(`
 `)) {
         const match = line.match(/^"?(@?[^@\s"]+)@/);
@@ -17383,11 +17867,11 @@ function parseLockFiles(root, info) {
       }
     } catch {}
   }
-  const pnpmLockPath = join3(root, "pnpm-lock.yaml");
+  const pnpmLockPath = join4(root, "pnpm-lock.yaml");
   if (existsSync3(pnpmLockPath)) {
     info.manifests.push(pnpmLockPath);
     try {
-      const raw = readFileSync4(pnpmLockPath, "utf-8");
+      const raw = readFileSync5(pnpmLockPath, "utf-8");
       for (const line of raw.split(`
 `)) {
         const match = line.match(/^\s+'?\/?(@?[^@\s':]+)@/);
@@ -17402,12 +17886,12 @@ function parseLockFiles(root, info) {
   }
 }
 function parseRequirementsTxt(root, info) {
-  const reqPath = join3(root, "requirements.txt");
+  const reqPath = join4(root, "requirements.txt");
   if (!existsSync3(reqPath))
     return;
   info.manifests.push(reqPath);
   try {
-    const raw = readFileSync4(reqPath, "utf-8");
+    const raw = readFileSync5(reqPath, "utf-8");
     for (const line of raw.split(`
 `)) {
       const trimmed = line.trim();
@@ -17423,12 +17907,12 @@ function parseRequirementsTxt(root, info) {
   } catch {}
 }
 function parsePyprojectToml(root, info) {
-  const tomlPath = join3(root, "pyproject.toml");
+  const tomlPath = join4(root, "pyproject.toml");
   if (!existsSync3(tomlPath))
     return;
   info.manifests.push(tomlPath);
   try {
-    const raw = readFileSync4(tomlPath, "utf-8");
+    const raw = readFileSync5(tomlPath, "utf-8");
     const lines = raw.split(`
 `);
     let inProjectSection = false;
@@ -17496,7 +17980,7 @@ function isRecord(value) {
 function getVersion() {
   try {
     const pkgPath = new URL("../package.json", import.meta.url);
-    const pkg = JSON.parse(readFileSync5(pkgPath, "utf-8"));
+    const pkg = JSON.parse(readFileSync7(pkgPath, "utf-8"));
     return pkg.version;
   } catch {
     return "0.0.0";
@@ -17529,7 +18013,7 @@ async function readStdinFiles() {
 }
 function getGitDiffFiles(ref, scanRoot) {
   try {
-    const output = execSync(`git diff --name-only ${ref}`, {
+    const output = execSync2(`git diff --name-only ${ref}`, {
       cwd: scanRoot,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -17590,7 +18074,7 @@ async function scanAction(scanPath, options) {
 }
 function checkAction(filePath, options) {
   const absolutePath = resolve4(filePath);
-  if (!existsSync4(absolutePath)) {
+  if (!existsSync5(absolutePath)) {
     process.stderr.write(`Error: File not found: ${filePath}
 `);
     process.exit(2);
@@ -17632,8 +18116,12 @@ function main() {
   setupEpipeHandler();
   const program2 = new Command;
   program2.name("vibecop").description("AI code quality linter built on ast-grep").version(getVersion());
-  program2.command("scan").description("Scan a directory for code quality issues").argument("[path]", "Directory to scan", ".").option("-f, --format <format>", "Output format (text, json, github, sarif, html)", "text").option("-c, --config <path>", "Path to config file").option("--no-config", "Disable config file loading").option("--max-findings <number>", "Maximum number of findings to report", "50").option("--verbose", "Show timing information", false).option("--diff <ref>", "Scan only files changed vs git ref").option("--stdin-files", "Read file list from stdin", false).option("--group-by <mode>", "Group findings by 'file' or 'rule'", "file").action(scanAction);
-  program2.command("check").description("Check a single file for code quality issues").argument("<file>", "File to check").option("-f, --format <format>", "Output format (text, json, github, sarif, html)", "text").option("--max-findings <number>", "Maximum number of findings to report", "50").option("--verbose", "Show timing information", false).option("--group-by <mode>", "Group findings by 'file' or 'rule'", "file").action(checkAction);
+  program2.command("scan").description("Scan a directory for code quality issues").argument("[path]", "Directory to scan", ".").option("-f, --format <format>", "Output format (text, json, github, sarif, html, agent)", "text").option("-c, --config <path>", "Path to config file").option("--no-config", "Disable config file loading").option("--max-findings <number>", "Maximum number of findings to report", "50").option("--verbose", "Show timing information", false).option("--diff <ref>", "Scan only files changed vs git ref").option("--stdin-files", "Read file list from stdin", false).option("--group-by <mode>", "Group findings by 'file' or 'rule'", "file").action(scanAction);
+  program2.command("check").description("Check a single file for code quality issues").argument("<file>", "File to check").option("-f, --format <format>", "Output format (text, json, github, sarif, html, agent)", "text").option("--max-findings <number>", "Maximum number of findings to report", "50").option("--verbose", "Show timing information", false).option("--group-by <mode>", "Group findings by 'file' or 'rule'", "file").action(checkAction);
+  program2.command("init").description("Set up vibecop integration with AI coding tools").action(async () => {
+    const { runInit: runInit2 } = await Promise.resolve().then(() => (init_init(), exports_init));
+    await runInit2();
+  });
   program2.parse();
 }
 main();