Auto-commit: Sync changes [2026-02-18]

Author: Jonathan D.A. Jewell

.cabal/config

@@ -0,0 +1,254 @@
+-- This is the configuration file for the 'cabal' command line tool.
+--
+-- The available configuration options are listed below.
+-- Some of them have default values listed.
+--
+-- Lines (like this one) beginning with '--' are comments.
+-- Be careful with spaces and indentation because they are
+-- used to indicate layout for nested sections.
+--
+-- This config file was generated using the following versions
+-- of Cabal and cabal-install:
+-- Cabal library version: 3.14.2.0
+-- cabal-install version: 3.14.2.0
+
+
+repository hackage.haskell.org
+  url: http://hackage.haskell.org/
+  -- secure: True
+  -- root-keys:
+  -- key-threshold: 3
+
+-- ignore-expiry: False
+-- http-transport:
+-- nix:
+-- store-dir:
+-- active-repositories:
+-- local-no-index-repo:
+remote-repo-cache: /var/mnt/eclipse/repos/sanctify-php/.cabal/packages
+-- logs-dir: /var/mnt/eclipse/repos/sanctify-php/.cabal/logs
+-- default-user-config:
+-- verbose: 1
+-- cabal-file:
+-- compiler: ghc
+-- with-compiler:
+-- with-hc-pkg:
+-- program-prefix: 
+-- program-suffix: 
+-- library-vanilla: True
+-- library-profiling:
+-- shared:
+-- static:
+-- executable-dynamic: False
+-- executable-static: False
+-- profiling:
+-- profiling-shared:
+-- executable-profiling:
+-- profiling-detail:
+-- library-profiling-detail:
+-- optimization: True
+-- debug-info: False
+-- build-info:
+-- library-for-ghci:
+-- split-sections: False
+-- split-objs: False
+-- executable-stripping:
+-- library-stripping:
+-- configure-option:
+-- user-install: True
+-- package-db:
+-- flags:
+-- extra-include-dirs:
+-- deterministic:
+-- cid:
+-- extra-lib-dirs:
+-- extra-lib-dirs-static:
+-- extra-framework-dirs:
+-- extra-prog-path:
+-- instantiate-with:
+-- tests: False
+-- coverage: False
+-- library-coverage:
+-- exact-configuration: False
+-- benchmarks: False
+-- relocatable: False
+-- response-files:
+-- allow-depending-on-private-libs:
+-- coverage-for:
+-- ignore-build-tools:
+-- cabal-lib-version:
+-- append:
+-- backup:
+-- constraint:
+-- preference:
+-- solver: modular
+-- allow-older: False
+-- allow-newer: False
+-- write-ghc-environment-files:
+-- documentation: False
+-- doc-index-file: $datadir/doc/$arch-$os-$compiler/index.html
+-- only-download: False
+-- target-package-db:
+-- max-backjumps: 4000
+-- reorder-goals: False
+-- count-conflicts: True
+-- fine-grained-conflicts: True
+-- minimize-conflict-set: False
+-- independent-goals: False
+-- prefer-oldest: False
+-- shadow-installed-packages: False
+-- strong-flags: False
+-- allow-boot-library-installs: False
+-- reject-unconstrained-dependencies: none
+-- reinstall: False
+-- avoid-reinstalls: False
+-- force-reinstalls: False
+-- upgrade-dependencies: False
+-- index-state:
+-- root-cmd:
+-- symlink-bindir:
+build-summary: /var/mnt/eclipse/repos/sanctify-php/.cabal/logs/build.log
+-- build-log:
+remote-build-reporting: none
+-- report-planning-failure: False
+-- per-component: True
+-- run-tests:
+-- semaphore: False
+jobs: $ncpus
+-- keep-going: False
+-- offline: False
+-- lib: False
+-- package-env:
+-- overwrite-policy:
+-- install-method:
+installdir: /var/mnt/eclipse/repos/sanctify-php/.cabal/bin
+-- token:
+-- username:
+-- password:
+-- password-command:
+-- multi-repl:
+-- builddir:
+
+haddock
+  -- cabal-file:
+  -- keep-temp-files: False
+  -- hoogle: False
+  -- html: False
+  -- html-location:
+  -- executables: False
+  -- tests: False
+  -- benchmarks: False
+  -- foreign-libraries: False
+  -- all:
+  -- internal: False
+  -- css:
+  -- hyperlink-source: False
+  -- quickjump: False
+  -- hscolour-css:
+  -- contents-location:
+  -- index-location:
+  -- base-url:
+  -- resources-dir:
+  -- output-dir:
+  -- use-unicode: False
+
+init
+  -- interactive: False
+  -- quiet: False
+  -- no-comments: False
+  -- minimal: False
+  -- cabal-version: 3.0
+  -- license:
+  -- extra-doc-file:
+  -- tests:
+  -- test-dir:
+  -- simple: False
+  -- language: Haskell2010
+  -- application-dir: app
+  -- source-dir: src
+
+install-dirs user
+  -- prefix: /var/mnt/eclipse/repos/sanctify-php/.cabal
+  -- bindir: $prefix/bin
+  -- libdir: $prefix/lib
+  -- libsubdir: $abi/$libname
+  -- dynlibdir: $libdir/$abi
+  -- libexecdir: $prefix/libexec
+  -- libexecsubdir: $abi/$pkgid
+  -- datadir: $prefix/share
+  -- datasubdir: $abi/$pkgid
+  -- docdir: $datadir/doc/$abi/$pkgid
+  -- htmldir: $docdir/html
+  -- haddockdir: $htmldir
+  -- sysconfdir: $prefix/etc
+
+install-dirs global
+  -- prefix: /usr/local
+  -- bindir: $prefix/bin
+  -- libdir: $prefix/lib
+  -- libsubdir: $abi/$libname
+  -- dynlibdir: $libdir/$abi
+  -- libexecdir: $prefix/libexec
+  -- libexecsubdir: $abi/$pkgid
+  -- datadir: $prefix/share
+  -- datasubdir: $abi/$pkgid
+  -- docdir: $datadir/doc/$abi/$pkgid
+  -- htmldir: $docdir/html
+  -- haddockdir: $htmldir
+  -- sysconfdir: $prefix/etc
+
+program-locations
+  -- alex-location:
+  -- ar-location:
+  -- c2hs-location:
+  -- cpphs-location:
+  -- doctest-location:
+  -- gcc-location:
+  -- ghc-location:
+  -- ghc-pkg-location:
+  -- ghcjs-location:
+  -- ghcjs-pkg-location:
+  -- greencard-location:
+  -- haddock-location:
+  -- happy-location:
+  -- haskell-suite-location:
+  -- haskell-suite-pkg-location:
+  -- hmake-location:
+  -- hpc-location:
+  -- hsc2hs-location:
+  -- hscolour-location:
+  -- jhc-location:
+  -- ld-location:
+  -- pkg-config-location:
+  -- runghc-location:
+  -- strip-location:
+  -- tar-location:
+  -- uhc-location:
+
+program-default-options
+  -- alex-options:
+  -- ar-options:
+  -- c2hs-options:
+  -- cpphs-options:
+  -- doctest-options:
+  -- gcc-options:
+  -- ghc-options:
+  -- ghc-pkg-options:
+  -- ghcjs-options:
+  -- ghcjs-pkg-options:
+  -- greencard-options:
+  -- haddock-options:
+  -- happy-options:
+  -- haskell-suite-options:
+  -- haskell-suite-pkg-options:
+  -- hmake-options:
+  -- hpc-options:
+  -- hsc2hs-options:
+  -- hscolour-options:
+  -- jhc-options:
+  -- ld-options:
+  -- pkg-config-options:
+  -- runghc-options:
+  -- strip-options:
+  -- tar-options:
+  -- uhc-options:

.gitignore

@@ -54,6 +54,7 @@ __pycache__/
 # Haskell
 /.stack-work/
 /dist-newstyle/
+/cabal/
 
 # Chapel
 *.chpl.tmp.*

app/Main.hs

@@ -8,9 +8,10 @@ import System.IO (hFlush, stdout, hPutStrLn, stderr)
 import Data.Text (Text)
 import qualified Data.Text as T
 import qualified Data.Text.IO as TIO
+import qualified Data.ByteString.Lazy.Char8 as BL8
 import System.Directory (doesFileExist, doesDirectoryExist, listDirectory, getModificationTime)
 import System.FilePath ((</>), takeExtension)
-import Control.Monad (forM, filterM, when, unless, forever)
+import Control.Monad (forM, forM_, filterM, when, unless, forever)
 import Control.Concurrent (threadDelay)
 import Data.Either (partitionEithers)
 import Data.List (isPrefixOf, isSuffixOf)
@@ -21,14 +22,14 @@ import qualified Data.Map.Strict as Map
 import Sanctify.Parser
 import Sanctify.AST
 import Sanctify.Analysis.Security
-import Sanctify.Analysis.Types
+import Sanctify.Analysis.Types (emptyTypeContext)
 import Sanctify.WordPress.Constraints
 import Sanctify.Transform.StrictTypes
 import Sanctify.Transform.Sanitize
 import Sanctify.Transform.TypeHints
-import Sanctify.Emit
+import Sanctify.Emit (emitPhp, emitPhpIniRecommendations, emitNginxRules, emitGuixOverrides)
 import Sanctify.Config
-import Sanctify.Report
+import qualified Sanctify.Report as SReport
 
 -- | CLI options
 data Options = Options
@@ -490,7 +491,7 @@ fixCommand path = fixOnce (Options (Fix path) False False FormatText [] [] False
 applyTransforms :: PhpFile -> PhpFile
 applyTransforms = addStrictTypes . addAbspathCheck . addTypeHintsFile
   where
-    addTypeHintsFile file = addAllTypeHints emptyContext file
+    addTypeHintsFile file = addAllTypeHints emptyTypeContext file
 
 -- | Enhanced report command with multiple output formats
 reportCommandNew :: Options -> FilePath -> IO ()
@@ -503,29 +504,29 @@ reportCommandNew opts path = do
     fileReports <- forM files $ \file -> do
         content <- TIO.readFile file
         case parsePhpString file content of
-            Left _ -> pure $ generateFileReport file [] [] 0 0 False
+            Left _ -> pure $ SReport.generateFileReport file [] [] 0 0 False
             Right ast -> do
                 let secIssues = filterIssues opts $ analyzeSecurityIssues ast
                 let wpIssues = if isWordPressCode ast
                                then checkWordPressConstraints ast
                                else []
                 let autoFixed = length $ filter (canAutoFix . issueType) secIssues
                 let manual = length secIssues - autoFixed
-                pure $ generateFileReport file secIssues wpIssues autoFixed manual False
+                pure $ SReport.generateFileReport file secIssues wpIssues autoFixed manual False
 
     case optFormat opts of
         FormatText -> do
-            report <- generateReport defaultConfig fileReports
-            TIO.putStrLn $ renderText report
+            report <- SReport.generateReport defaultConfig fileReports
+            TIO.putStrLn $ SReport.renderText report
         FormatJSON -> do
-            report <- generateReport defaultConfig fileReports
-            TIO.putStrLn $ renderJSON report
+            report <- SReport.generateReport defaultConfig fileReports
+            BL8.putStrLn $ SReport.renderJson report
         FormatSARIF -> do
-            report <- generateReport defaultConfig fileReports
-            TIO.putStrLn $ renderSARIF report
+            report <- SReport.generateReport defaultConfig fileReports
+            BL8.putStrLn $ SReport.renderSarif report
         FormatHTML -> do
-            report <- generateReport defaultConfig fileReports
-            TIO.putStrLn $ renderHTML report
+            report <- SReport.generateReport defaultConfig fileReports
+            TIO.putStrLn $ SReport.renderHtml report
   where
     canAutoFix :: IssueType -> Bool
     canAutoFix MissingStrictTypes = True

sanctify-php.cabal

@@ -12,7 +12,7 @@ description:
     * Multiple output formats (text, JSON, SARIF, HTML)
     * Interactive fix mode and watch mode for development
     * Infrastructure export (php.ini, nginx, Guix/Nix)
-license:            PMPL-1.0-or-later
+license:            LicenseRef-PMPL-1.0-or-later
 license-file:       LICENSE
 author:             Jonathan D.A. Jewell
 maintainer:         jonathan.jewell@gmail.com
@@ -50,7 +50,7 @@ library
         Sanctify.Parser.Lexer
         Sanctify.Parser.Token
     build-depends:
-        base ^>=4.17,
+        base >=4.17,
         text >=2.0,
         containers >=0.6,
         mtl >=2.3,
@@ -65,7 +65,8 @@ library
         vector >=0.13,
         unordered-containers >=0.2,
         prettyprinter >=1.7,
-        optparse-applicative >=0.18
+        optparse-applicative >=0.18,
+        time >=1.12
     hs-source-dirs:   src
     default-language: GHC2021
     default-extensions:
@@ -79,7 +80,7 @@ executable sanctify
     import:           warnings
     main-is:          Main.hs
     build-depends:
-        base ^>=4.17,
+        base >=4.17,
         sanctify-php,
         text,
         containers,
@@ -109,7 +110,7 @@ test-suite sanctify-php-test
         SecuritySpec
         TransformSpec
     build-depends:
-        base ^>=4.17,
+        base >=4.17,
         sanctify-php,
         hspec >=2.10,
         hspec-discover >=2.10,