pr-context-engine 0.1.2__tar.gz → 0.1.4__tar.gz

pr_context_engine-0.1.4/.claude/commands/publish-pypi.md

@@ -0,0 +1,58 @@
+---
+description: Publish a new release to PyPI — bumps version, updates CHANGELOG, commits, tags, and merges to main. Usage: /publish-pypi [patch|minor|major] (default: patch)
+---
+
+Publish a new version of pr-context-engine to PyPI using the project's GitHub Actions release flow.
+
+**Bump type**: $ARGUMENTS (default to `patch` if empty)
+
+Follow these steps exactly, in order:
+
+## 1. Read current version
+Read `pyproject.toml` and extract the current `version` field.
+
+## 2. Compute new version
+Apply the bump type to the current version (semver):
+- `patch` — increment the third number (0.1.2 → 0.1.3)
+- `minor` — increment the second number, reset patch (0.1.2 → 0.2.0)
+- `major` — increment the first number, reset minor and patch (0.1.2 → 1.0.0)
+
+## 3. Update pyproject.toml
+Edit the `version` field in `pyproject.toml` to the new version.
+
+## 4. Update CHANGELOG.md
+Read `CHANGELOG.md`. Under `## Unreleased`, look at what's there.
+- If `## Unreleased` has content, move it into a new dated section `## X.Y.Z — YYYY-MM-DD` (use today's date) inserted below `## Unreleased`.
+- If `## Unreleased` is empty, create the new section anyway and populate it by summarising the commits since the last tag: run `git log $(git describe --tags --abbrev=0)..HEAD --oneline` to get them, then write a short changelog entry under `### Fixed`, `### Added`, or `### Changed` as appropriate.
+- Leave `## Unreleased` as an empty section above the new version section.
+
+## 5. Commit the version bump
+Stage only `pyproject.toml` and `CHANGELOG.md`, then commit with message:
+`chore: bump version to X.Y.Z`
+
+Do NOT commit anything else.
+
+## 6. Push the current branch
+Run `git push origin <current-branch>`.
+
+## 7. Tag and push the tag
+```
+git tag vX.Y.Z
+git push origin vX.Y.Z
+```
+This triggers the `release.yml` GitHub Actions workflow, which builds and publishes to PyPI via OIDC trusted publishing — no credentials needed.
+
+## 8. Merge to main
+```
+git checkout main
+git merge <previous-branch> --ff-only
+git push origin main
+git checkout <previous-branch>
+```
+
+## 9. Confirm
+Report:
+- New version published: `X.Y.Z`
+- Tag pushed: `vX.Y.Z`
+- GitHub Actions release workflow URL: `https://github.com/paramahastha/pr-context-engine/actions`
+- PyPI package URL: `https://pypi.org/project/pr-context-engine/X.Y.Z/`

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/.github/workflows/pr-review.yml

@@ -21,6 +21,8 @@ jobs:
 
   brief:
     needs: lint
+    # Fork PRs get a read-only GITHUB_TOKEN regardless of `permissions:` — skip rather than 401.
+    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
@@ -56,9 +58,9 @@ jobs:
       - name: Generate briefing
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          LLM_PROVIDER: groq
+          LLM_PROVIDER: gemini
+          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
-          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} # fallback (Milestone 7)
         run: >
           uv run pr-context-engine review
           --pr ${{ github.event.pull_request.number }}

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/CHANGELOG.md

@@ -6,6 +6,26 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Thi
 
 ## Unreleased
 
+## 0.1.4 — 2026-05-23
+
+### Fixed
+
+- **Risk scorer false positives** — Comment lines (including `#no-space` Python comments) and bare type/struct/class declarations are now skipped before the auth-keyword check, eliminating spurious `modifies_auth` flags on struct definitions and comment blocks.
+- **Auth flag noise** — `modifies_auth` is now deduplicated to one hit per file; large new store files no longer flood the briefing with dozens of identical flags.
+
+### Added
+
+- **`large_new_file` flag** — New files with 300+ added lines are flagged for explicit review.
+- **Briefing prompt improvements** — LLM is instructed to cover all change threads (not just the largest file), name changed type signatures explicitly, and avoid asking questions whose answers are already visible in the diff.
+
+## 0.1.3 — 2026-05-23
+
+### Fixed
+
+- **GitHub Action 401 error** — `action.yml` now falls back to `github.token` when the `github-token` input is not explicitly passed, preventing Bad credentials errors in consumer workflows.
+- **Error messages** — `post_pr_comment` now catches `GithubException` 401/403 and raises a `RuntimeError` with an actionable message (missing `permissions: pull-requests: write` vs. invalid token) instead of a raw PyGithub traceback.
+- **Fork PR 401** — `pr-review.yml` skips the `brief` job for fork PRs; GitHub's security model forces a read-only token on `pull_request` events from forks regardless of the `permissions:` block.
+
 ## 0.1.2 — 2026-05-23
 
 ### Fixed

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pr-context-engine
-Version: 0.1.2
+Version: 0.1.4
 Summary: An AI tool that reads every PR and posts a senior-engineer-style briefing.
 Project-URL: Homepage, https://github.com/paramahastha/pr-context-engine
 Project-URL: Repository, https://github.com/paramahastha/pr-context-engine
@@ -61,8 +61,8 @@ pr-context-engine quickstart         # checks keys, scopes, prints what's missin
 
 ### Option A — GitHub Action (recommended)
 
-1. Get a free [Groq API key](https://console.groq.com/keys) — no credit card.
-2. Add it as a secret: **Settings → Secrets → Actions → New secret** → `GROQ_API_KEY`.
+1. Pick a provider and get an API key (see table below).
+2. Add it as a secret: **Settings → Secrets → Actions → New secret**.
 3. Enable write permissions: **Settings → Actions → General → Workflow permissions → Read and write**.
 4. Add this to `.github/workflows/pr-briefing.yml`:
 
@@ -80,11 +80,13 @@ jobs:
     steps:
       - uses: paramahastha/pr-context-engine@main
         with:
-          groq-api-key: ${{ secrets.GROQ_API_KEY }}
+          groq-api-key: ${{ secrets.GROQ_API_KEY }}   # default provider
 ```
 
 That's it. Every new PR gets a briefing comment automatically.
 
+> **Using a different provider?** Set `llm-provider` to match your key — see [Switching LLM providers](#switching-llm-providers) below.
+
 ### Option B — CLI (any CI or local)
 
 ```bash
@@ -161,16 +163,44 @@ See [docs/architecture.md](docs/architecture.md) for the full Mermaid diagram an
 
 ## Switching LLM providers
 
-Set `LLM_PROVIDER` to any of `groq` (default), `gemini`, `ollama`, or `anthropic`. Nothing downstream changes.
+| Provider | Secret name | `llm-provider` value | Notes |
+|---|---|---|---|
+| `groq` *(default)* | `GROQ_API_KEY` | `groq` | Free, ~1 000 req/day, fast |
+| `gemini` | `GEMINI_API_KEY` | `gemini` | Free-tier, ~1 500 req/day |
+| `anthropic` | `ANTHROPIC_API_KEY` | `anthropic` | BYO key, no free tier |
+| `ollama` | — | `ollama` | Local, offline, no rate limits |
+
+**You must set both `llm-provider` and the matching API key input.** Providing only the key without `llm-provider` will fail because the default provider is `groq`.
+
+**GitHub Action examples:**
 
-| Provider | Key env var | Notes |
-|---|---|---|
-| `groq` *(default)* | `GROQ_API_KEY` | Free, ~1 000 req/day, fast |
-| `gemini` | `GEMINI_API_KEY` | Free-tier fallback; auto-engaged on Groq 429 |
-| `ollama` | — | Local, offline, no rate limits |
-| `anthropic` | `ANTHROPIC_API_KEY` | BYO key, no free tier |
+```yaml
+# Gemini
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: gemini
+    gemini-api-key: ${{ secrets.GEMINI_API_KEY }}
+
+# Anthropic
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: anthropic
+    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+# Ollama (self-hosted)
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: ollama
+    ollama-base-url: http://my-ollama-host:11434
+```
+
+**CLI / env var:**
+
+```bash
+LLM_PROVIDER=gemini GEMINI_API_KEY=<key> pr-context-engine review --pr 42 --repo owner/name
+```
 
-**Automatic failover:** if `GEMINI_API_KEY` is set, the tool fails over to Gemini on any Groq 429 or error and logs which provider was used in the PR comment footer. See [ADR-7](docs/design-decisions.md#adr-7-provider-failover-order-and-motivation).
+**Automatic failover:** if `GEMINI_API_KEY` is set alongside any other provider, Gemini is used as a fallback on rate-limit errors. The PR comment footer shows which provider was actually used. See [ADR-7](docs/design-decisions.md#adr-7-provider-failover-order-and-motivation).
 
 ## Fix suggestions (opt-in)
 

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/README.md

@@ -31,8 +31,8 @@ pr-context-engine quickstart         # checks keys, scopes, prints what's missin
 
 ### Option A — GitHub Action (recommended)
 
-1. Get a free [Groq API key](https://console.groq.com/keys) — no credit card.
-2. Add it as a secret: **Settings → Secrets → Actions → New secret** → `GROQ_API_KEY`.
+1. Pick a provider and get an API key (see table below).
+2. Add it as a secret: **Settings → Secrets → Actions → New secret**.
 3. Enable write permissions: **Settings → Actions → General → Workflow permissions → Read and write**.
 4. Add this to `.github/workflows/pr-briefing.yml`:
 
@@ -50,11 +50,13 @@ jobs:
     steps:
       - uses: paramahastha/pr-context-engine@main
         with:
-          groq-api-key: ${{ secrets.GROQ_API_KEY }}
+          groq-api-key: ${{ secrets.GROQ_API_KEY }}   # default provider
 ```
 
 That's it. Every new PR gets a briefing comment automatically.
 
+> **Using a different provider?** Set `llm-provider` to match your key — see [Switching LLM providers](#switching-llm-providers) below.
+
 ### Option B — CLI (any CI or local)
 
 ```bash
@@ -131,16 +133,44 @@ See [docs/architecture.md](docs/architecture.md) for the full Mermaid diagram an
 
 ## Switching LLM providers
 
-Set `LLM_PROVIDER` to any of `groq` (default), `gemini`, `ollama`, or `anthropic`. Nothing downstream changes.
+| Provider | Secret name | `llm-provider` value | Notes |
+|---|---|---|---|
+| `groq` *(default)* | `GROQ_API_KEY` | `groq` | Free, ~1 000 req/day, fast |
+| `gemini` | `GEMINI_API_KEY` | `gemini` | Free-tier, ~1 500 req/day |
+| `anthropic` | `ANTHROPIC_API_KEY` | `anthropic` | BYO key, no free tier |
+| `ollama` | — | `ollama` | Local, offline, no rate limits |
+
+**You must set both `llm-provider` and the matching API key input.** Providing only the key without `llm-provider` will fail because the default provider is `groq`.
+
+**GitHub Action examples:**
 
-| Provider | Key env var | Notes |
-|---|---|---|
-| `groq` *(default)* | `GROQ_API_KEY` | Free, ~1 000 req/day, fast |
-| `gemini` | `GEMINI_API_KEY` | Free-tier fallback; auto-engaged on Groq 429 |
-| `ollama` | — | Local, offline, no rate limits |
-| `anthropic` | `ANTHROPIC_API_KEY` | BYO key, no free tier |
+```yaml
+# Gemini
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: gemini
+    gemini-api-key: ${{ secrets.GEMINI_API_KEY }}
+
+# Anthropic
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: anthropic
+    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+# Ollama (self-hosted)
+- uses: paramahastha/pr-context-engine@main
+  with:
+    llm-provider: ollama
+    ollama-base-url: http://my-ollama-host:11434
+```
+
+**CLI / env var:**
+
+```bash
+LLM_PROVIDER=gemini GEMINI_API_KEY=<key> pr-context-engine review --pr 42 --repo owner/name
+```
 
-**Automatic failover:** if `GEMINI_API_KEY` is set, the tool fails over to Gemini on any Groq 429 or error and logs which provider was used in the PR comment footer. See [ADR-7](docs/design-decisions.md#adr-7-provider-failover-order-and-motivation).
+**Automatic failover:** if `GEMINI_API_KEY` is set alongside any other provider, Gemini is used as a fallback on rate-limit errors. The PR comment footer shows which provider was actually used. See [ADR-7](docs/design-decisions.md#adr-7-provider-failover-order-and-motivation).
 
 ## Fix suggestions (opt-in)
 

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/action.yml

@@ -4,13 +4,27 @@ author: paramahastha
 
 inputs:
   groq-api-key:
-    description: Groq API key (free at https://console.groq.com/keys). Required unless gemini-api-key is set.
+    description: Groq API key (free at https://console.groq.com/keys).
     required: false
   gemini-api-key:
-    description: Google Gemini API key. Used as failover when Groq is rate-limited.
+    description: Google Gemini API key (https://aistudio.google.com/apikey).
     required: false
+  anthropic-api-key:
+    description: Anthropic API key. Required when llm-provider=anthropic.
+    required: false
+  ollama-base-url:
+    description: Ollama server URL. Used when llm-provider=ollama.
+    required: false
+    default: "http://localhost:11434"
+  ollama-model:
+    description: Ollama model name. Used when llm-provider=ollama.
+    required: false
+    default: "qwen2.5-coder:7b"
   github-token:
-    description: GitHub token with pull-requests:write. Defaults to the built-in GITHUB_TOKEN.
+    description: >
+      GitHub token with pull-requests:write permission. Defaults to the built-in GITHUB_TOKEN.
+      Your calling workflow MUST include `permissions: pull-requests: write` or the comment
+      post will fail with a 401/403 error.
     required: false
     default: ${{ github.token }}
   enable-fixes:
@@ -18,7 +32,10 @@ inputs:
     required: false
     default: "false"
   llm-provider:
-    description: Primary LLM provider — groq | gemini | ollama | anthropic (default groq).
+    description: >
+      Primary LLM provider — groq | gemini | anthropic | ollama (default: groq).
+      Must match the API key you provide: set gemini + gemini-api-key,
+      anthropic + anthropic-api-key, etc.
     required: false
     default: "groq"
 
@@ -53,9 +70,15 @@ runs:
     - name: Generate briefing
       shell: bash
       env:
-        GITHUB_TOKEN: ${{ inputs.github-token }}
+        # Prefer the explicit input; fall back to the calling workflow's built-in token.
+        # The calling workflow MUST grant `permissions: pull-requests: write` for
+        # the token to have enough scope to post a comment.
+        GITHUB_TOKEN: ${{ inputs.github-token || github.token }}
         GROQ_API_KEY: ${{ inputs.groq-api-key }}
         GEMINI_API_KEY: ${{ inputs.gemini-api-key }}
+        ANTHROPIC_API_KEY: ${{ inputs.anthropic-api-key }}
+        OLLAMA_BASE_URL: ${{ inputs.ollama-base-url }}
+        OLLAMA_MODEL: ${{ inputs.ollama-model }}
         LLM_PROVIDER: ${{ inputs.llm-provider }}
         ENABLE_FIXES: ${{ inputs.enable-fixes }}
       run: >

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "pr-context-engine"
-version = "0.1.2"
+version = "0.1.4"
 description = "An AI tool that reads every PR and posts a senior-engineer-style briefing."
 readme = "README.md"
 requires-python = ">=3.12"

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/src/analyzers/risk_scorer.py

@@ -27,6 +27,18 @@ _FUNC_DEF_RE = re.compile(
 
 _MIGRATION_MARKERS = ("migrations/", "alembic/", "alembic_migrations/")
 
+# Lines that look auth-related by keyword but carry no real risk:
+# - comment lines (//  #  /*  *  <!--)
+# - bare type/struct/class/interface declarations
+_COMMENT_LINE_RE = re.compile(r"^\s*(?://|/\*|\*+/?\s|#|<!--)")
+_TYPE_DECL_RE = re.compile(
+    r"^\s*type\s+\w+\s+(?:struct|interface)\b"  # Go struct/interface
+    r"|^\s*type\s+\w+\s*(?:=|\b(?:int|string|float|bool)\b)"  # Go type alias/definition
+    r"|^\s*(?:class|interface)\s+\w+"  # Python / JS / TS
+)
+
+_LARGE_NEW_FILE_THRESHOLD = 300  # added lines; new files above this warrant explicit review
+
 
 @dataclass
 class RiskFlag:
@@ -64,6 +76,26 @@ def _is_config(path: str) -> bool:
     return False
 
 
+def _dedup_flags(flags: list[RiskFlag]) -> list[RiskFlag]:
+    """Deduplicate flags where one occurrence per file is enough.
+
+    modifies_auth fires once per matching line and can produce dozens of hits
+    in a large file (e.g. a new store implementation).  Keeping only the first
+    match per file preserves the signal while eliminating fix-suggestion spam.
+    Other flag types are kept as-is because each occurrence is independently
+    meaningful (e.g. multiple deletes_public_api deletions).
+    """
+    seen_auth_files: set[str] = set()
+    result: list[RiskFlag] = []
+    for flag in flags:
+        if flag.flag == "modifies_auth":
+            if flag.file in seen_auth_files:
+                continue
+            seen_auth_files.add(flag.file)
+        result.append(flag)
+    return result
+
+
 def score(changes: list[FileChange]) -> list[RiskFlag]:
     """Return all risk flags detected across the list of file changes."""
     flags: list[RiskFlag] = []
@@ -79,6 +111,16 @@ def score(changes: list[FileChange]) -> list[RiskFlag]:
                 RiskFlag(flag="changes_config", file=change.path, line=None, snippet=change.path)
             )
 
+        if change.is_new_file and len(change.added_lines) >= _LARGE_NEW_FILE_THRESHOLD:
+            flags.append(
+                RiskFlag(
+                    flag="large_new_file",
+                    file=change.path,
+                    line=None,
+                    snippet=f"{len(change.added_lines)} lines added — review for correctness and completeness",
+                )
+            )
+
         for hunk in change.hunks:
             new_lineno = hunk.new_start
             old_lineno = hunk.old_start
@@ -86,6 +128,10 @@ def score(changes: list[FileChange]) -> list[RiskFlag]:
             for raw in hunk.lines:
                 if raw.startswith("+") and not raw.startswith("+++"):
                     content = raw[1:]
+                    stripped = content.strip()
+                    if _COMMENT_LINE_RE.match(stripped) or _TYPE_DECL_RE.match(stripped):
+                        new_lineno += 1
+                        continue
                     if _AUTH_RE.search(content):
                         flags.append(
                             RiskFlag(
@@ -118,4 +164,4 @@ def score(changes: list[FileChange]) -> list[RiskFlag]:
                     new_lineno += 1
                     old_lineno += 1
 
-    return flags
+    return _dedup_flags(flags)

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/src/briefing/prompt_templates.py

@@ -18,9 +18,13 @@ Produce a briefing with exactly four sections:
 
 1. WHAT CHANGED — 2-3 sentences. Describe the *intent* of the change, not the
    lines. Do not list files. If you can't tell the intent, say so.
+   If the PR has multiple distinct threads (e.g. both new infrastructure and
+   model/API changes), cover all threads — do not describe only the largest file.
 
 2. BLAST RADIUS — Which callers, services, contracts, or data could break?
    Be specific. If the change is internal and self-contained, write "Self-contained."
+   If any public-facing struct field or type signature changed, name it explicitly
+   (e.g. "Snapshot.Configs changed from map[string]Config to map[string]ConfigEntry").
 
 3. RISK FLAGS — Bullet list. Only include flags that are actually present.
    If none, write "None."
@@ -29,6 +33,8 @@ Produce a briefing with exactly four sections:
    approving. Questions must be answerable and specific. Bad question:
    "Did you test this?" Good question: "The new retry loop in fetch_user
    has no backoff — is that intentional given this is called per-request?"
+   Do NOT ask questions whose answer is already visible in the diff (e.g. do
+   not ask about WAL mode if the schema already sets PRAGMA journal_mode=WAL).
 
 Rules:
 - Be terse. Aim for under 200 words total.

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/src/github_api/comment_poster.py

@@ -11,6 +11,7 @@ from typing import TYPE_CHECKING
 
 import requests
 from github import Auth, Github
+from github import GithubException
 
 from src.github_api import GITHUB_API_URL
 
@@ -53,8 +54,23 @@ def post_pr_comment(repo: str, pr_number: int, body: str, github_token: str) ->
     """
     logger.info("Posting comment to %s PR #%d", repo, pr_number)
     gh = Github(auth=Auth.Token(github_token))
-    pull_request = gh.get_repo(repo).get_pull(pr_number)
-    pull_request.create_issue_comment(body)
+    try:
+        pull_request = gh.get_repo(repo).get_pull(pr_number)
+        pull_request.create_issue_comment(body)
+    except GithubException as exc:
+        if exc.status == 401:
+            raise RuntimeError(
+                "GitHub returned 401 Bad credentials. "
+                "Ensure your workflow grants `permissions: pull-requests: write` "
+                "and that GITHUB_TOKEN (or github-token input) is a valid token."
+            ) from exc
+        if exc.status == 403:
+            raise RuntimeError(
+                "GitHub returned 403 Forbidden. "
+                "The token lacks `pull-requests: write` permission. "
+                "Add `permissions: pull-requests: write` to the calling workflow job."
+            ) from exc
+        raise
 
 
 def format_fix_section(suggestions: list[FixSuggestion], extra_count: int = 0) -> str:

{pr_context_engine-0.1.2 → pr_context_engine-0.1.4}/tests/unit/test_risk_scorer.py

@@ -4,6 +4,20 @@ from src.analyzers.diff_parser import FileChange, Hunk
 from src.analyzers.risk_scorer import score
 
 
+def _new_file_change(path: str, num_lines: int) -> FileChange:
+    lines = [f"+    x_{i} = {i}" for i in range(num_lines)]
+    h = Hunk(old_start=0, old_count=0, new_start=1, new_count=num_lines, lines=lines)
+    added = [ln[1:] for ln in lines]
+    return FileChange(
+        path=path,
+        language="python",
+        added_lines=added,
+        removed_lines=[],
+        hunks=[h],
+        is_new_file=True,
+    )
+
+
 def _hunk(old_start: int, new_start: int, lines: list[str]) -> Hunk:
     added = sum(1 for ln in lines if ln.startswith("+") and not ln.startswith("+++"))
     removed = sum(1 for ln in lines if ln.startswith("-") and not ln.startswith("---"))
@@ -176,3 +190,92 @@ def test_no_flags_for_plain_change():
     c = _change("src/constants.py", [h])
     flags = score([c])
     assert flags == []
+
+
+# ── comment and type-decl false-positive suppression ─────────────────────────
+
+def test_python_comment_without_space_not_flagged():
+    # Previously `#\s` required a space, so `#token` slipped through.
+    h = _hunk(1, 1, ['+#auth_token = request.headers.get("X-Token")'])
+    c = _change("src/auth.py", [h])
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+def test_python_comment_with_space_not_flagged():
+    h = _hunk(1, 1, ['+# store the auth token here'])
+    c = _change("src/auth.py", [h])
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+def test_go_line_comment_not_flagged():
+    h = _hunk(1, 1, ['+// token is validated upstream'])
+    c = _change("pkg/handler.go", [h], language="go")
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+def test_go_struct_decl_not_flagged():
+    h = _hunk(1, 1, ['+type AuthStore struct {'])
+    c = _change("pkg/store.go", [h], language="go")
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+def test_python_class_decl_not_flagged():
+    h = _hunk(1, 1, ['+class AuthManager:'])
+    c = _change("src/auth.py", [h])
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+def test_python_class_with_base_not_flagged():
+    h = _hunk(1, 1, ['+class AuthManager(BaseManager):'])
+    c = _change("src/auth.py", [h])
+    assert not any(f.flag == "modifies_auth" for f in score([c]))
+
+
+# ── modifies_auth deduplication ───────────────────────────────────────────────
+
+def test_auth_deduped_within_file():
+    lines = ['+    token_a = get_token()', '+    token_b = get_token()', '+    password = "secret"']
+    h = _hunk(1, 1, lines)
+    c = _change("src/auth.py", [h])
+    auth_flags = [f for f in score([c]) if f.flag == "modifies_auth"]
+    assert len(auth_flags) == 1
+
+
+def test_auth_not_deduped_across_files():
+    h = _hunk(1, 1, ['+    token = get_token()'])
+    c1 = _change("src/auth.py", [h])
+    c2 = _change("src/user.py", [h])
+    auth_flags = [f for f in score([c1, c2]) if f.flag == "modifies_auth"]
+    assert len(auth_flags) == 2
+
+
+def test_auth_dedup_preserves_first_match_line():
+    lines = ['+    password_a = "x"', '+    password_b = "y"']
+    h = _hunk(10, 10, lines)
+    c = _change("src/auth.py", [h])
+    auth_flags = [f for f in score([c]) if f.flag == "modifies_auth"]
+    assert auth_flags[0].line == 10
+
+
+# ── large_new_file ────────────────────────────────────────────────────────────
+
+def test_large_new_file_flagged():
+    c = _new_file_change("src/new_store.py", 300)
+    assert any(f.flag == "large_new_file" for f in score([c]))
+
+
+def test_boundary_new_file_flagged():
+    c = _new_file_change("src/new_store.py", 301)
+    assert any(f.flag == "large_new_file" for f in score([c]))
+
+
+def test_small_new_file_not_flagged():
+    c = _new_file_change("src/tiny.py", 50)
+    assert not any(f.flag == "large_new_file" for f in score([c]))
+
+
+def test_large_existing_file_not_flagged():
+    lines = [f"+    x_{i} = {i}" for i in range(300)]
+    h = _hunk(1, 1, lines)
+    c = _change("src/existing.py", [h])
+    assert not any(f.flag == "large_new_file" for f in score([c]))