x-fidelity 3.18.0 → 3.19.1

package/.xfi-config.json

@@ -29,8 +29,19 @@
                     }
                 }
             }
+        },
+        {
+            "name": "sensitiveLogging-iterative",
+            "path": "src/demoConfig/rules/sensitiveLogging-iterative-rule.json"
+        },
+        {
+            "name": "functionComplexity-iterative",
+            "path": "src/plugins/xfiPluginAst/sampleRules/functionComplexity-iterative-rule.json"
+        },
+        {
+            "name": "remote-rule",
+            "url": "https://example.com/rules/custom-rule.json"
         }
-        
     ],
     "additionalFacts": ["customFact"],
     "additionalOperators": ["customOperator"],

package/CHANGELOG.md

@@ -1,3 +1,47 @@
+## [3.19.1](https://github.com/zotoio/x-fidelity/compare/v3.19.0...v3.19.1) (2025-03-25)
+
+
+### Bug Fixes
+
+* add missing mock implementation for loadRepoXFIConfig in tests ([f77ef79](https://github.com/zotoio/x-fidelity/commit/f77ef79651fcbca54e4a8825dad1f0dd7f2e6a81))
+
+# [3.19.0](https://github.com/zotoio/x-fidelity/compare/v3.18.0...v3.19.0) (2025-03-25)
+
+
+### Bug Fixes
+
+* add non-null assertion for additionalRules array access ([9e7ee91](https://github.com/zotoio/x-fidelity/commit/9e7ee9117bd336c016bdeb5c1c429d6c59388fa1))
+* correct try-catch block structure in config loader ([dc6fd2c](https://github.com/zotoio/x-fidelity/commit/dc6fd2c7683c2694381020e9ac9ffd6032dbb2da))
+* correct try/catch block structure in repoXFIConfigLoader ([82ddb04](https://github.com/zotoio/x-fidelity/commit/82ddb04f4f9efa915386a213fad61dd55c923553))
+* correct TypeScript type errors in repoXFIConfigLoader tests ([4100e06](https://github.com/zotoio/x-fidelity/commit/4100e067e71b4154b14da299c4760950e7ebaa8b))
+* ensure inline rules are properly processed and assigned ([7ea7661](https://github.com/zotoio/x-fidelity/commit/7ea7661a962af83423f20270c1f27bb859573ef4))
+* handle undefined sensitiveFileFalsePositives in config loader ([4f940cf](https://github.com/zotoio/x-fidelity/commit/4f940cf7677a29b5e1c611531b0294f1970a15d3))
+* improve error message for missing rule files ([c271700](https://github.com/zotoio/x-fidelity/commit/c271700fa35bd9c43a68f996a7c1f29790bbab53))
+* improve file path handling in repoXFIConfigLoader tests ([93a0289](https://github.com/zotoio/x-fidelity/commit/93a02891528852192d0d7c1b86f9b441f1c66c75))
+* improve file system mocking in config loader test ([f0cfc25](https://github.com/zotoio/x-fidelity/commit/f0cfc25d1a3cfc9207b65078c2bc26b8c95cf0a0))
+* improve inline rule validation and logging in config loader ([625a4aa](https://github.com/zotoio/x-fidelity/commit/625a4aae86220f6ed856f8ea3679b17e48f75cfc))
+* improve test mocks for fs.promises and jsonSchemas validation ([8b1def8](https://github.com/zotoio/x-fidelity/commit/8b1def8bf577a7ad1d4314fe4787b8e7b6570264))
+* prevent duplicate rule registration in engine setup ([a9e2956](https://github.com/zotoio/x-fidelity/commit/a9e295666dc41079f31074164a6c60babae4cc96))
+* remove duplicate code blocks and fix return statements in config loader ([414e500](https://github.com/zotoio/x-fidelity/commit/414e5001b2a0329ce88f519a2d5563f815772154))
+* Replace continue with return in rule registration loop ([44ef9fd](https://github.com/zotoio/x-fidelity/commit/44ef9fd92be577043d1cf04585841e3ded5bf42f))
+* restructure rule loading logic and improve error handling ([ff8b6e6](https://github.com/zotoio/x-fidelity/commit/ff8b6e698d89b7adb99b294eec048c340d4976ac))
+* restructure try/catch blocks and improve error handling in config loader ([a0f76bb](https://github.com/zotoio/x-fidelity/commit/a0f76bbabfc29c172fecf7d1d0691358ff44226b))
+* simplify pino file transport configuration ([c99bf26](https://github.com/zotoio/x-fidelity/commit/c99bf2671abd96bf5b77d09ce3941852609dfaac))
+* **tests:** update docs and tests for .xfi-config.json ([cc6e11e](https://github.com/zotoio/x-fidelity/commit/cc6e11e24fbb94c8cca34147026c2072db918ba3))
+* update fs mock to include promises property in test ([1a50355](https://github.com/zotoio/x-fidelity/commit/1a50355aec723fa4cfd0ee4403b07fccd218303b))
+* update glob import to use dynamic import pattern ([2677260](https://github.com/zotoio/x-fidelity/commit/2677260d854728195559798d66ccd1a94ca8a476))
+* update glob import to use named import syntax ([c290016](https://github.com/zotoio/x-fidelity/commit/c2900168c270edd38bea766baa440baab8a16959))
+* update test mocks to handle file paths correctly ([4407c1e](https://github.com/zotoio/x-fidelity/commit/4407c1e39a433f8c9e7bc1b7cab1d3781447acc3))
+
+
+### Features
+
+* Add CLI options import to repo config loader ([26b97bc](https://github.com/zotoio/x-fidelity/commit/26b97bcbe80438debd1a07f3b22076ff9398f933))
+* add deduplication for rules and failure results ([169c035](https://github.com/zotoio/x-fidelity/commit/169c0351de2390bb9f22823c6a64110306caf32e))
+* add reference to sensitiveLogging-iterative rule ([fea3d28](https://github.com/zotoio/x-fidelity/commit/fea3d2817018c0b7e328cec539a1ac00a1cd48b6))
+* add support for loading additional rules from repo config ([7abac68](https://github.com/zotoio/x-fidelity/commit/7abac6891076f2eb0d47b3e2a08470241ac0b3fe))
+* add wildcard support and flexible rule loading patterns ([a2d19c2](https://github.com/zotoio/x-fidelity/commit/a2d19c2bb5ba38026ba3dce6ba0be17039b9387f))
+
 # [3.18.0](https://github.com/zotoio/x-fidelity/compare/v3.17.1...v3.18.0) (2025-03-25)
 
 

package/dist/core/engine/engineRunner.js

@@ -15,7 +15,7 @@ const configManager_1 = require("../configManager");
 const errorActionExecutor_1 = require("./errorActionExecutor");
 function runEngineOnFiles(params) {
     return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j;
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
         const { engine, fileData, installedDependencyVersions, minimumDependencyVersions, standardStructure } = params;
         const msg = `\n==========================\nRUNNING FILE CHECKS..\n==========================`;
         logger_1.logger.info(msg);
@@ -42,20 +42,29 @@ function runEngineOnFiles(params) {
             const fileFailures = [];
             try {
                 const { results } = yield engine.run(facts);
+                const seenFailures = new Set();
                 for (const result of results) {
                     logger_1.logger.trace(JSON.stringify(result));
                     if (result.result) {
-                        fileFailures.push({
-                            ruleFailure: result.name,
-                            level: (_a = result.event) === null || _a === void 0 ? void 0 : _a.type,
-                            details: Object.assign({ message: ((_c = (_b = result.event) === null || _b === void 0 ? void 0 : _b.params) === null || _c === void 0 ? void 0 : _c.message) || 'Rule failure detected' }, (_d = result.event) === null || _d === void 0 ? void 0 : _d.params)
-                        });
+                        // Create unique key for deduplication
+                        const failureKey = `${result.name}:${(_a = result.event) === null || _a === void 0 ? void 0 : _a.type}:${(_c = (_b = result.event) === null || _b === void 0 ? void 0 : _b.params) === null || _c === void 0 ? void 0 : _c.message}`;
+                        if (!seenFailures.has(failureKey)) {
+                            fileFailures.push({
+                                ruleFailure: result.name,
+                                level: (_d = result.event) === null || _d === void 0 ? void 0 : _d.type,
+                                details: Object.assign({ message: ((_f = (_e = result.event) === null || _e === void 0 ? void 0 : _e.params) === null || _f === void 0 ? void 0 : _f.message) || 'Rule failure detected' }, (_g = result.event) === null || _g === void 0 ? void 0 : _g.params)
+                            });
+                            seenFailures.add(failureKey);
+                        }
+                        else {
+                            logger_1.logger.debug(`Skipping duplicate failure: ${failureKey}`);
+                        }
                     }
                 }
             }
             catch (e) {
                 const error = e;
-                const failedRuleName = (_e = error === null || error === void 0 ? void 0 : error.rule) === null || _e === void 0 ? void 0 : _e.name;
+                const failedRuleName = (_h = error === null || error === void 0 ? void 0 : error.rule) === null || _h === void 0 ? void 0 : _h.name;
                 const rule = failedRuleName ? engine.rules.find((r) => r.name === failedRuleName) : null;
                 // Determine error source and level
                 let errorSource = 'unknown';
@@ -80,7 +89,7 @@ function runEngineOnFiles(params) {
                 }
                 else if (failedRuleName) {
                     errorSource = 'rule';
-                    errorLevel = (rule === null || rule === void 0 ? void 0 : rule.errorBehavior) === 'fatal' || ((_f = rule === null || rule === void 0 ? void 0 : rule.event) === null || _f === void 0 ? void 0 : _f.type) === 'fatality' ? 'fatality' : 'error';
+                    errorLevel = (rule === null || rule === void 0 ? void 0 : rule.errorBehavior) === 'fatal' || ((_j = rule === null || rule === void 0 ? void 0 : rule.event) === null || _j === void 0 ? void 0 : _j.type) === 'fatality' ? 'fatality' : 'error';
                 }
                 logger_1.logger.error({
                     index: i,
@@ -90,10 +99,10 @@ function runEngineOnFiles(params) {
                     source: errorSource,
                     type: errorLevel,
                     stack: (handledError || error).stack,
-                    details: ((_g = error === null || error === void 0 ? void 0 : error.pluginError) === null || _g === void 0 ? void 0 : _g.details) || error.message
+                    details: ((_k = error === null || error === void 0 ? void 0 : error.pluginError) === null || _k === void 0 ? void 0 : _k.details) || error.message
                 }, `Execution error occurred at file ${file.filePath} (${i + 1} of ${fileCount})`);
                 // Execute error action if specified
-                if ((_h = rule === null || rule === void 0 ? void 0 : rule.onError) === null || _h === void 0 ? void 0 : _h.action) {
+                if ((_l = rule === null || rule === void 0 ? void 0 : rule.onError) === null || _l === void 0 ? void 0 : _l.action) {
                     try {
                         const actionResult = yield (0, errorActionExecutor_1.executeErrorAction)(rule.onError.action, {
                             error: error,
@@ -124,7 +133,7 @@ function runEngineOnFiles(params) {
                         message: `${errorSource} execution failed: ${(handledError || error).message}`,
                         source: errorSource,
                         stack: (handledError || error).stack,
-                        details: (_j = error === null || error === void 0 ? void 0 : error.pluginError) === null || _j === void 0 ? void 0 : _j.details
+                        details: (_m = error === null || error === void 0 ? void 0 : error.pluginError) === null || _m === void 0 ? void 0 : _m.details
                     }
                 });
             }

package/dist/core/engine/engineSetup.js

@@ -17,9 +17,11 @@ const facts_1 = require("../../facts");
 const telemetry_1 = require("../../utils/telemetry");
 const exemptionUtils_1 = require("../../utils/exemptionUtils");
 const configManager_1 = require("../configManager");
+const repoXFIConfigLoader_1 = require("../../utils/repoXFIConfigLoader");
 function setupEngine(params) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { archetypeConfig, archetype, executionLogPrefix, repoUrl } = params;
+        var _a;
+        const { archetypeConfig, archetype, executionLogPrefix, repoUrl, localConfigPath } = params;
         const engine = new json_rules_engine_1.Engine([], { replaceFactsInEventParams: true, allowUndefinedFacts: true });
         // Add operators to engine
         logger_1.logger.info(`=== loading custom operators..`);
@@ -34,12 +36,21 @@ function setupEngine(params) {
         // Add rules to engine
         logger_1.logger.info(`=== loading json rules..`);
         const config = yield configManager_1.ConfigManager.getConfig({ archetype, logPrefix: executionLogPrefix });
+        // Load repo config to get additional rules
+        const repoConfig = yield (0, repoXFIConfigLoader_1.loadRepoXFIConfig)(localConfigPath);
         logger_1.logger.debug(`rules loaded: ${config.rules}`);
         const addedRules = new Set();
+        // First add archetype rules
         config.rules.forEach((rule) => {
             try {
                 if (rule && rule.name) {
-                    logger_1.logger.info(`adding rule: ${rule.name}`);
+                    // Check if rule is already registered
+                    if (addedRules.has(rule.name)) {
+                        logger_1.logger.warn(`Skipping duplicate rule: ${rule.name}`);
+                        return;
+                    }
+                    logger_1.logger.info(`adding archetype rule: ${rule.name}`);
+                    // Check for exemption
                     if ((0, exemptionUtils_1.isExempt)({ exemptions: config.exemptions, repoUrl, ruleName: rule.name, logPrefix: executionLogPrefix })) {
                         // clone the rule to avoid modifying the original rule
                         const exemptRule = JSON.parse(JSON.stringify(rule));
@@ -50,6 +61,7 @@ function setupEngine(params) {
                     else {
                         engine.addRule(rule);
                     }
+                    // Track added rule
                     addedRules.add(rule.name);
                 }
                 else {
@@ -57,10 +69,31 @@ function setupEngine(params) {
                 }
             }
             catch (e) {
-                logger_1.logger.error(`Error loading rule: ${(rule === null || rule === void 0 ? void 0 : rule.name) || 'unknown'}`);
+                logger_1.logger.error(`Error loading archetype rule: ${(rule === null || rule === void 0 ? void 0 : rule.name) || 'unknown'}`);
                 logger_1.logger.error(e.message);
             }
         });
+        // Then add additional rules from repo config
+        if ((_a = repoConfig.additionalRules) === null || _a === void 0 ? void 0 : _a.length) {
+            repoConfig.additionalRules.forEach((rule) => {
+                try {
+                    if (rule && rule.name) {
+                        // Check if rule is already registered
+                        if (addedRules.has(rule.name)) {
+                            logger_1.logger.warn(`Skipping duplicate additional rule: ${rule.name}`);
+                            return;
+                        }
+                        logger_1.logger.info(`adding additional rule: ${rule.name}`);
+                        engine.addRule(rule);
+                        addedRules.add(rule.name);
+                    }
+                }
+                catch (e) {
+                    logger_1.logger.error(`Error loading additional rule: ${(rule === null || rule === void 0 ? void 0 : rule.name) || 'unknown'}`);
+                    logger_1.logger.error(e.message);
+                }
+            });
+        }
         engine.on('success', (_a) => __awaiter(this, [_a], void 0, function* ({ type, params }) {
             if (type === 'warning') {
                 logger_1.logger.warn(`warning detected: ${JSON.stringify(params)}`);

package/dist/core/engine/engineSetup.test.js

@@ -16,12 +16,14 @@ const facts_1 = require("../../facts");
 const telemetry_1 = require("../../utils/telemetry");
 const configManager_1 = require("../configManager");
 const logger_1 = require("../../utils/logger");
+const repoXFIConfigLoader_1 = require("../../utils/repoXFIConfigLoader");
 jest.mock('json-rules-engine');
 jest.mock('../../operators');
 jest.mock('../../facts');
 jest.mock('../../utils/telemetry');
 jest.mock('../configManager');
 jest.mock('../../utils/logger');
+jest.mock('../../utils/repoXFIConfigLoader');
 describe('setupEngine', () => {
     let engine;
     afterEach(() => {
@@ -61,6 +63,13 @@ describe('setupEngine', () => {
             ],
             cliOptions: {}
         });
+        repoXFIConfigLoader_1.loadRepoXFIConfig.mockResolvedValue({
+            additionalRules: [],
+            additionalFacts: [],
+            additionalOperators: [],
+            additionalPlugins: [],
+            sensitiveFileFalsePositives: []
+        });
         operators_1.loadOperators.mockResolvedValue([
             { name: 'operator1', fn: jest.fn() },
             { name: 'operator2', fn: jest.fn() }
@@ -159,4 +168,49 @@ describe('setupEngine', () => {
         expect(mockAddFact).toHaveBeenCalledWith('fact1', expect.any(Function), { priority: 1 });
         expect(mockAddFact).toHaveBeenCalledWith('openaiAnalysis', expect.any(Function), { priority: 1 });
     }));
+    describe('rule loading order', () => {
+        it('should load archetype rules before additional rules', () => __awaiter(void 0, void 0, void 0, function* () {
+            const mockArchetypeRule = { name: 'rule1', conditions: {}, event: {} };
+            const mockAdditionalRule = { name: 'rule2', conditions: {}, event: {} };
+            configManager_1.ConfigManager.getConfig.mockResolvedValue({
+                rules: [mockArchetypeRule],
+                exemptions: []
+            });
+            repoXFIConfigLoader_1.loadRepoXFIConfig.mockResolvedValue({
+                additionalRules: [mockAdditionalRule]
+            });
+            const mockAddRule = jest.fn();
+            json_rules_engine_1.Engine.mockImplementation(() => ({
+                addOperator: jest.fn(),
+                addRule: mockAddRule,
+                addFact: jest.fn(),
+                on: jest.fn()
+            }));
+            yield (0, engineSetup_1.setupEngine)(mockParams);
+            expect(mockAddRule).toHaveBeenNthCalledWith(1, mockArchetypeRule);
+            expect(mockAddRule).toHaveBeenNthCalledWith(2, mockAdditionalRule);
+        }));
+        it('should skip duplicate rules and keep first occurrence', () => __awaiter(void 0, void 0, void 0, function* () {
+            const duplicateRule = { name: 'duplicate', conditions: {}, event: {} };
+            const uniqueRule = { name: 'unique', conditions: {}, event: {} };
+            configManager_1.ConfigManager.getConfig.mockResolvedValue({
+                rules: [duplicateRule],
+                exemptions: []
+            });
+            repoXFIConfigLoader_1.loadRepoXFIConfig.mockResolvedValue({
+                additionalRules: [duplicateRule, uniqueRule]
+            });
+            const mockAddRule = jest.fn();
+            json_rules_engine_1.Engine.mockImplementation(() => ({
+                addOperator: jest.fn(),
+                addRule: mockAddRule,
+                addFact: jest.fn(),
+                on: jest.fn()
+            }));
+            yield (0, engineSetup_1.setupEngine)(mockParams);
+            expect(mockAddRule).toHaveBeenCalledTimes(2);
+            expect(mockAddRule).toHaveBeenNthCalledWith(1, duplicateRule);
+            expect(mockAddRule).toHaveBeenNthCalledWith(2, uniqueRule);
+        }));
+    });
 });

package/dist/utils/logger.js

@@ -41,11 +41,7 @@ function getLogger(force) {
     // Determine if color should be enabled based on environment variable only
     const useColor = process.env.XFI_LOG_COLOR !== 'false';
     if (!loggerInstance || force) {
-        const fileTransport = pino_1.default.destination({
-            dest: 'x-fidelity.log',
-            sync: false,
-            mkdir: true
-        });
+        const fileTransport = pino_1.default.destination('x-fidelity.log');
         const prettyTransport = pino_1.default.transport({
             target: 'pino-pretty',
             options: {

package/dist/utils/repoXFIConfigLoader.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -19,6 +52,7 @@ const path_1 = __importDefault(require("path"));
 const pathUtils_1 = require("./pathUtils");
 const logger_1 = require("./logger");
 const jsonSchemas_1 = require("./jsonSchemas");
+const cli_1 = require("../core/cli");
 exports.defaultRepoXFIConfig = {
     sensitiveFileFalsePositives: [],
     additionalRules: [],
@@ -28,103 +62,182 @@ exports.defaultRepoXFIConfig = {
 };
 function loadRepoXFIConfig(repoPath) {
     return __awaiter(this, void 0, void 0, function* () {
+        var _a;
         try {
             const baseRepo = path_1.default.resolve(repoPath);
             const configPath = path_1.default.resolve(baseRepo, '.xfi-config.json');
+            // Early return if no config file
             if (!fs_1.default.existsSync(configPath)) {
-                throw new Error('No .xfi-config.json file found');
+                logger_1.logger.warn(`No .xfi-config.json file found, returning default config`);
+                return exports.defaultRepoXFIConfig;
             }
             if (!(0, pathUtils_1.isPathInside)(configPath, baseRepo)) {
                 throw new Error('Resolved config path is outside allowed directory');
             }
+            // Load and parse config
+            const parsedConfig = yield loadAndValidateConfig(configPath);
+            if (!parsedConfig)
+                return exports.defaultRepoXFIConfig;
+            // Process paths if they exist
+            if (parsedConfig.sensitiveFileFalsePositives) {
+                parsedConfig.sensitiveFileFalsePositives = processFilePaths(parsedConfig.sensitiveFileFalsePositives, repoPath);
+            }
+            else {
+                parsedConfig.sensitiveFileFalsePositives = [];
+            }
+            // Initialize arrays
+            initializeArrays(parsedConfig);
+            // Process additional rules
+            if ((_a = parsedConfig.additionalRules) === null || _a === void 0 ? void 0 : _a.length) {
+                parsedConfig.additionalRules = yield processAdditionalRules(parsedConfig.additionalRules, baseRepo);
+            }
+            return parsedConfig;
+        }
+        catch (error) {
+            logger_1.logger.error(`Error loading repo config: ${error}`);
+            return exports.defaultRepoXFIConfig;
+        }
+    });
+}
+function loadAndValidateConfig(configPath) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
             const configContent = yield fs_1.default.promises.readFile(configPath, 'utf8');
             const parsedConfig = JSON.parse(configContent);
-            if ((0, jsonSchemas_1.validateXFIConfig)(parsedConfig)) {
-                logger_1.logger.info('Loaded .xfi-config.json file from repo..');
-                // Add the repoPath prefix to the relative paths
-                if (parsedConfig.sensitiveFileFalsePositives) {
-                    parsedConfig.sensitiveFileFalsePositives = parsedConfig.sensitiveFileFalsePositives.map((filePath) => {
-                        filePath = path_1.default.join(repoPath, filePath);
-                        return filePath;
-                    });
+            if (!(0, jsonSchemas_1.validateXFIConfig)(parsedConfig)) {
+                logger_1.logger.warn('Invalid .xfi-config.json schema');
+                return null;
+            }
+            return parsedConfig;
+        }
+        catch (error) {
+            logger_1.logger.error(`Error reading/parsing config: ${error}`);
+            return null;
+        }
+    });
+}
+function processFilePaths(paths = [], repoPath) {
+    return paths.map(filePath => path_1.default.join(repoPath, filePath));
+}
+function initializeArrays(config) {
+    config.additionalRules = config.additionalRules || [];
+    config.additionalFacts = config.additionalFacts || [];
+    config.additionalOperators = config.additionalOperators || [];
+    config.additionalPlugins = config.additionalPlugins || [];
+}
+function processAdditionalRules(rules, baseRepo) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const validatedRules = [];
+        for (const rule of rules) {
+            try {
+                // Handle inline rules first
+                if (!('path' in rule) && !('url' in rule)) {
+                    const ruleName = (rule === null || rule === void 0 ? void 0 : rule.name) || 'unnamed';
+                    logger_1.logger.debug(`Validating inline rule ${ruleName}`);
+                    if ((0, jsonSchemas_1.validateRule)(rule)) {
+                        logger_1.logger.info(`Adding valid inline rule ${ruleName}`);
+                        validatedRules.push(rule);
+                        continue;
+                    }
+                    logger_1.logger.warn(`Invalid inline rule ${ruleName} in .xfi-config.json, skipping`);
+                    continue;
+                }
+                // Handle remote URL
+                if ('url' in rule && rule.url) {
+                    yield processRemoteRule(rule, validatedRules);
+                    continue;
+                }
+                // Handle local path with potential wildcards
+                if ('path' in rule && rule.path) {
+                    yield processLocalRule(rule, baseRepo, validatedRules);
                 }
-                // Validate and load additional rules if present
-                if (parsedConfig.additionalRules && Array.isArray(parsedConfig.additionalRules)) {
-                    const validatedRules = [];
-                    for (const ruleConfig of parsedConfig.additionalRules) {
-                        if ('path' in ruleConfig || 'url' in ruleConfig) {
-                            // Handle rule reference
-                            try {
-                                let ruleContent;
-                                if ('url' in ruleConfig && ruleConfig.url) {
-                                    // Handle remote URL
-                                    const response = yield fetch(ruleConfig.url);
-                                    if (!response.ok) {
-                                        throw new Error(`HTTP error! status: ${response.status}`);
-                                    }
-                                    ruleContent = yield response.text();
-                                }
-                                else if ('path' in ruleConfig && ruleConfig.path) {
-                                    // Handle local path - try different base directories
-                                    let rulePath = null;
-                                    // Try relative to config dir first
-                                    const localConfigPath = process.env.LOCAL_CONFIG_PATH;
-                                    if (localConfigPath) {
-                                        const configDirPath = path_1.default.resolve(localConfigPath, ruleConfig.path);
-                                        if (fs_1.default.existsSync(configDirPath)) {
-                                            rulePath = configDirPath;
-                                        }
-                                    }
-                                    // Then try relative to repo dir
-                                    if (!rulePath) {
-                                        const repoDirPath = path_1.default.resolve(baseRepo, ruleConfig.path);
-                                        if ((0, pathUtils_1.isPathInside)(repoDirPath, baseRepo) && fs_1.default.existsSync(repoDirPath)) {
-                                            rulePath = repoDirPath;
-                                        }
-                                    }
-                                    if (!rulePath) {
-                                        throw new Error(`Could not resolve rule path: ${ruleConfig.path}`);
-                                    }
-                                    ruleContent = yield fs_1.default.promises.readFile(rulePath, 'utf8');
-                                }
-                                else {
-                                    throw new Error('Rule reference must have either url or path');
-                                }
-                                const rule = JSON.parse(ruleContent);
-                                if ((0, jsonSchemas_1.validateRule)(rule)) {
-                                    validatedRules.push(rule);
-                                }
-                                else {
-                                    logger_1.logger.warn(`Invalid rule in referenced file ${ruleConfig.path || ruleConfig.url}, skipping`);
-                                }
-                            }
-                            catch (error) {
-                                logger_1.logger.warn(`Error loading rule from ${ruleConfig.path || ruleConfig.url}: ${error}`);
-                            }
+            }
+            catch (error) {
+                logger_1.logger.error(`Error processing rule: ${error}`);
+            }
+        }
+        return validatedRules;
+    });
+}
+function processRemoteRule(rule, validatedRules) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const response = yield fetch(rule.url);
+            if (!response.ok) {
+                throw new Error(`HTTP error! status: ${response.status}`);
+            }
+            const ruleContent = yield response.text();
+            const remoteRule = JSON.parse(ruleContent);
+            if ((0, jsonSchemas_1.validateRule)(remoteRule)) {
+                validatedRules.push(remoteRule);
+                logger_1.logger.info(`Loaded rule from URL ${rule.url}`);
+            }
+            else {
+                logger_1.logger.warn(`Invalid rule from URL ${rule.url}, skipping`);
+            }
+        }
+        catch (error) {
+            logger_1.logger.warn(`Error loading rule from URL ${rule.url}: ${error}`);
+        }
+    });
+}
+function processLocalRule(rule, baseRepo, validatedRules) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const pathPattern = rule.path;
+        let foundValidRule = false;
+        // Try multiple base directories in order of precedence
+        const searchPaths = [
+            cli_1.options.localConfigPath, // Local config dir first
+            process.cwd(), // Current working dir second
+            baseRepo // Repository root last
+        ].filter(Boolean); // Remove undefined/null paths
+        for (const basePath of searchPaths) {
+            if (foundValidRule)
+                break;
+            const fullPattern = path_1.default.resolve(basePath, pathPattern);
+            const baseDir = path_1.default.dirname(fullPattern);
+            // Check if path is inside allowed directories
+            if (!searchPaths.some(allowedPath => (0, pathUtils_1.isPathInside)(baseDir, allowedPath))) {
+                logger_1.logger.warn(`Rule path ${pathPattern} resolves outside allowed directories, skipping`);
+                continue;
+            }
+            try {
+                let rulePaths = [];
+                if (pathPattern.includes('*')) {
+                    // Handle wildcards using glob pattern
+                    const { glob } = yield Promise.resolve().then(() => __importStar(require('glob')));
+                    rulePaths = yield glob(fullPattern);
+                }
+                else if (fs_1.default.existsSync(fullPattern)) {
+                    // Single file path
+                    rulePaths = [fullPattern];
+                }
+                // Load and validate each rule file
+                for (const rulePath of rulePaths) {
+                    try {
+                        const content = yield fs_1.default.promises.readFile(rulePath, 'utf8');
+                        const rule = JSON.parse(content);
+                        if ((0, jsonSchemas_1.validateRule)(rule)) {
+                            validatedRules.push(rule);
+                            logger_1.logger.info(`Loaded rule from ${rulePath}`);
+                            foundValidRule = true;
+                            break; // Take first valid rule found
                         }
                         else {
-                            // Handle inline rule
-                            if ((0, jsonSchemas_1.validateRule)(ruleConfig)) {
-                                validatedRules.push(ruleConfig);
-                            }
-                            else {
-                                const ruleName = (ruleConfig === null || ruleConfig === void 0 ? void 0 : ruleConfig.name) || 'unnamed';
-                                logger_1.logger.warn(`Invalid inline rule ${ruleName} in .xfi-config.json, skipping`);
-                            }
+                            logger_1.logger.warn(`Invalid rule in ${rulePath}, skipping`);
                         }
                     }
-                    parsedConfig.additionalRules = validatedRules;
+                    catch (error) {
+                        logger_1.logger.warn(`Error loading rule from ${rulePath}: ${error}`);
+                    }
                 }
-                return parsedConfig;
             }
-            else {
-                logger_1.logger.warn(`Ignoring invalid .xfi-config.json file, returing default config: ${JSON.stringify(exports.defaultRepoXFIConfig)}`);
-                return exports.defaultRepoXFIConfig;
+            catch (error) {
+                logger_1.logger.debug(`Error resolving pattern ${pathPattern} in ${basePath}: ${error}`);
             }
         }
-        catch (error) {
-            logger_1.logger.warn(`No .xfi-config.json file found, returing default config: ${JSON.stringify(exports.defaultRepoXFIConfig)}`);
-            return exports.defaultRepoXFIConfig;
+        if (!foundValidRule) {
+            logger_1.logger.warn(`No valid rules found for pattern: ${pathPattern}`);
         }
     });
 }