9router-manager 0.0.1

package/src/combo.js

@@ -0,0 +1,165 @@
+// src/combo.js
+// SQLite combo management for 9Router Manager.
+// Uses better-sqlite3 (synchronous API). All exported functions are async
+// to keep the event loop free during retry/sleep back-off.
+import Database from 'better-sqlite3';
+import { _resolveDbPath, _getDefaultDbPath } from './env.js';
+import { getModelPriority, getModelReleaseSortKey } from './metadata.js';
+
+// Re-evaluate per call so tests can swap NINEROUTER_DB_PATH env var.
+export function _getDbPath() {
+  return process.env.NINEROUTER_DB_PATH
+    ? _resolveDbPath(process.env.NINEROUTER_DB_PATH)
+    : _getDefaultDbPath();
+}
+
+export async function getDbConnection(maxRetries = 3, delay = 1.0) {
+  const dbPath = _getDbPath();
+  let lastError = null;
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      return new Database(dbPath, { timeout: 10000 });
+    } catch (e) {
+      lastError = e;
+      console.error(`[combo] SQLite lock attempt ${attempt + 1}/${maxRetries}: ${e.message}`);
+      if (attempt < maxRetries - 1) {
+        await new Promise((resolve) => setTimeout(resolve, delay * 1000));
+      }
+    }
+  }
+  throw new Error(`Gagal koneksi SQLite setelah ${maxRetries}x retry: ${lastError?.message ?? 'unknown'}`);
+}
+
+export async function getAvailableProviders() {
+  let conn;
+  try {
+    conn = await getDbConnection();
+  } catch (e) {
+    console.error(`[combo] Cannot get providers: ${e.message}`);
+    return new Set();
+  }
+  try {
+    const rows = conn.prepare('SELECT provider, isActive, data FROM providerConnections').all();
+    const active = new Set();
+    for (const { provider, isActive, data: dataStr } of rows) {
+      const data = dataStr ? JSON.parse(dataStr) : {};
+      if (isActive && data.testStatus === 'active') active.add(provider);
+    }
+    conn.close();
+    return active;
+  } catch (e) {
+    console.error(`[combo] Error querying providers: ${e.message}`);
+    if (conn) {
+      try { conn.close(); } catch {}
+    }
+    return new Set();
+  }
+}
+
+export async function getComboNames() {
+  let conn;
+  try {
+    conn = await getDbConnection();
+  } catch (e) {
+    throw new Error(`Cannot get combos: ${e.message}`);
+  }
+  try {
+    const rows = conn.prepare('SELECT name FROM combos').all();
+    conn.close();
+    return rows.map((r) => r.name).filter(Boolean);
+  } catch (e) {
+    try { conn.close(); } catch {}
+    throw new Error(`Cannot query combos: ${e.message}`);
+  }
+}
+
+export async function getComboDetails() {
+  let conn;
+  try {
+    conn = await getDbConnection();
+  } catch (e) {
+    throw new Error(`Cannot get combos: ${e.message}`);
+  }
+  try {
+    const rows = conn.prepare('SELECT name, models, updatedAt FROM combos').all();
+    conn.close();
+    return rows
+      .filter((r) => r.name)
+      .map((r) => ({
+        name: r.name,
+        models: JSON.parse(r.models || '[]'),
+        updatedAt: r.updatedAt,
+      }));
+  } catch (e) {
+    if (conn) {
+      try { conn.close(); } catch {}
+    }
+    throw new Error(`Cannot query combos: ${e.message}`);
+  }
+}
+
+export async function detectTargetCombo(models) {
+  const combos = await getComboNames();
+  const modelSet = new Set(models);
+  const detected = combos.filter((name) => modelSet.has(name));
+  if (detected.length === 1) return detected[0];
+  if (detected.length === 0) {
+    throw new Error(
+      `Tidak ada combo yang terdeteksi dari /v1/models. Combo di DB: ${combos.join(', ') || '(none)'}`
+    );
+  }
+  throw new Error(
+    `Lebih dari satu combo terdeteksi dari /v1/models; target ambigu: ${detected.join(', ')}`
+  );
+}
+
+export async function updateCombo(results, comboName) {
+  const okResults = results.filter((r) => r.ok);
+  for (const r of okResults) {
+    r.priority = getModelPriority(r.model);
+    r.release_sort_key = getModelReleaseSortKey(r.model);
+  }
+  const sortedResults = [...okResults].sort((a, b) => {
+    const pa = a.priority ?? 99;
+    const pb = b.priority ?? 99;
+    if (pa !== pb) return pa - pb;
+    const ra = a.release_sort_key ?? [9999, 99, 99];
+    const rb = b.release_sort_key ?? [9999, 99, 99];
+    for (let i = 0; i < 3; i++) {
+      if (ra[i] !== rb[i]) return ra[i] - rb[i];
+    }
+    return (a.elapsed_ms ?? Infinity) - (b.elapsed_ms ?? Infinity);
+  });
+  const okModels = sortedResults.map((r) => r.model);
+
+  const conn = await getDbConnection();
+  try {
+    const row = conn.prepare('SELECT id, models FROM combos WHERE name = ?').get(comboName);
+    if (!row) {
+      conn.close();
+      throw new Error(`Combo '${comboName}' not found`);
+    }
+    const { id: comboId, models: oldModelsStr } = row;
+    const oldModels = JSON.parse(oldModelsStr);
+
+    const filtered = okModels.filter((m) => m && m !== comboName);
+    const seen = new Set();
+    const uniqueModels = [];
+    for (const m of filtered) {
+      if (!seen.has(m)) {
+        seen.add(m);
+        uniqueModels.push(m);
+      }
+    }
+
+    const now = new Date().toISOString();
+    conn.prepare('UPDATE combos SET models = ?, updatedAt = ? WHERE id = ?')
+      .run(JSON.stringify(uniqueModels), now, comboId);
+    conn.close();
+
+    return { oldModels, newModels: uniqueModels };
+  } catch (e) {
+    try { conn.close(); } catch {}
+    throw new Error(`Update combo '${comboName}' failed: ${e.message}`);
+  }
+}

package/src/env.js

@@ -0,0 +1,126 @@
+// src/env.js
+// Shared .env loader + path/token helpers. Single source of truth across all
+// entry points (src/cli.js, bin/9router-manager.js, etc.).
+//
+// Lookup order for .env (first match wins):
+//   1. $NINEROUTER_ENV_FILE (if set)
+//   2. ./.env  (cwd)
+//   3. <this_dir>/../.env  (project root, since this file is in src/)
+//   4. <this_dir>/.env
+//
+// Does NOT override existing process.env values (env vars take precedence).
+//
+// Path/token helpers:
+//   - _resolveDbPath:        expand ~ and $VAR, absolutize
+//   - _getDefaultDbPath:     per-OS candidate list, first existing wins
+//   - _getDefaultAuditPath:  per-OS audit log path
+//   - _generateVerifyToken:  random [A-Z0-9] token
+import dotenv from 'dotenv';
+import path from 'node:path';
+import os from 'node:os';
+import fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+export function getUserConfigPath() {
+  return path.join(os.homedir(), '.9router', '.env');
+}
+
+function _iterCandidatePaths() {
+  const override = process.env.NINEROUTER_ENV_FILE;
+  if (override) {
+    return [path.resolve(override)];
+  }
+
+  return [
+    path.join(process.cwd(), '.env'),
+    getUserConfigPath(),
+    path.join(__dirname, '..', '.env'),
+    path.join(__dirname, '.env'),
+  ];
+}
+
+export function loadEnv(opts = { strict: false }) {
+  const { strict = false } = opts;
+
+  for (const envPath of _iterCandidatePaths()) {
+    const result = dotenv.config({ path: envPath });
+    if (result.error) {
+      if (result.error.code === 'ENOENT') continue;
+      console.error(`[env] failed reading ${envPath}: ${result.error.message}`);
+      continue;
+    }
+    console.error(`[env] loaded ${envPath}`);
+    return envPath;
+  }
+
+  if (strict) {
+    console.error('[env] no .env file found in any of the search paths');
+  }
+  return null;
+}
+
+// ============================================================
+// PATH / TOKEN HELPERS
+// ============================================================
+
+function _expandPath(p) {
+  if (p.startsWith('~')) {
+    p = os.homedir() + p.slice(1);
+  }
+  p = p.replace(/\$([A-Z_][A-Z0-9_]*)/g, (_, name) => process.env[name] ?? '');
+  return p;
+}
+
+export function _resolveDbPath(rawPath) {
+  return path.resolve(_expandPath(rawPath));
+}
+
+export function _getDefaultDbPath() {
+  const system = os.platform(); // 'linux' | 'darwin' | 'win32' | ...
+
+  if (system === 'win32') {
+    return path.join(os.homedir(), 'AppData', 'Roaming', '9router', 'db', 'data.sqlite');
+  }
+
+  const home = os.homedir();
+  if (system === 'linux' || system === 'darwin') {
+    const candidates = [
+      path.join(home, '.9router', 'db', 'data.sqlite'),
+      path.join(home, '.config', '9router', 'data.sqlite'),
+      path.join(home, '.local', 'share', '9router', 'data.sqlite'),
+      path.join(home, '.snap', '9router', 'current', '.config', '9router', 'data.sqlite'),
+    ];
+    for (const c of candidates) {
+      if (fs.existsSync(c)) return c;
+    }
+    return candidates[0];
+  }
+
+  return path.join(home, '.9router', 'db', 'data.sqlite');
+}
+
+export function _getDefaultAuditPath() {
+  const system = os.platform();
+
+  if (system === 'win32') {
+    return path.join(os.homedir(), 'AppData', 'Local', 'hermes', 'scripts', '9router_daily_combo_model_scan_last.json');
+  }
+  if (system === 'darwin') {
+    return path.join(os.homedir(), 'Library', 'Logs', '9router-scan.log');
+  }
+  // linux (and other unix-likes)
+  return path.join(os.homedir(), '.local', 'share', '9router', 'audit', '9router_daily_combo_model_scan_last.json');
+}
+
+const _TOKEN_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+
+export function _generateVerifyToken(length = 8) {
+  let out = '';
+  for (let i = 0; i < length; i++) {
+    out += _TOKEN_CHARS[Math.floor(Math.random() * _TOKEN_CHARS.length)];
+  }
+  return out;
+}

package/src/metadata.js

@@ -0,0 +1,137 @@
+// src/metadata.js
+// Pattern matching + sort-key logic, backed by metadata.json.
+// - Loads metadata.json once at startup (priority/release-date lookups).
+// - normalizeModelKey(id): strip provider prefix, lowercase.
+// - getModelPriority(id): 1..5 (frontier models get 1, unknown=5).
+// - extractModelReleaseDate(id): [y, m, d] | null from MODEL_RELEASE_PATTERNS.
+// - extractModelRecency(id): 0..4 heuristic tier (newest=0, unknown=4).
+// - getModelReleaseSortKey(id): [-y, -m, -d] for known date | [1000+r, 0, 0].
+// - getProviderForModel(id): PREFIX_TO_PROVIDER lookup (insertion-ordered).
+
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import fs from 'node:fs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const METADATA_PATH = path.join(__dirname, '..', 'metadata.json');
+
+let _cache = null;
+
+function _load() {
+  if (_cache) return _cache;
+  try {
+    const raw = fs.readFileSync(METADATA_PATH, 'utf-8');
+    const data = JSON.parse(raw);
+    _cache = {
+      PREFIX_TO_PROVIDER: data.PREFIX_TO_PROVIDER || {},
+      SKIP_MODEL_PREFIXES: data.SKIP_MODEL_PREFIXES || [],
+      FRONTIER_PATTERNS: data.FRONTIER_PATTERNS || [],
+      MODEL_RELEASE_PATTERNS: (data.MODEL_RELEASE_PATTERNS || []).map(
+        ([p, [y, m, d]]) => [p, [y, m, d]]
+      ),
+    };
+  } catch (e) {
+    console.error('[metadata] failed to load metadata.json:', e.message);
+    _cache = {
+      PREFIX_TO_PROVIDER: {},
+      SKIP_MODEL_PREFIXES: [],
+      FRONTIER_PATTERNS: [],
+      MODEL_RELEASE_PATTERNS: [],
+    };
+  }
+  return _cache;
+}
+
+export function loadMetadata() {
+  return _load();
+}
+
+export function normalizeModelKey(id) {
+  const lower = String(id).toLowerCase();
+  const idx = lower.indexOf('/');
+  return idx === -1 ? lower : lower.slice(idx + 1);
+}
+
+export function extractModelReleaseDate(id) {
+  const { MODEL_RELEASE_PATTERNS } = _load();
+  const normalized = normalizeModelKey(id);
+  for (const [pattern, [y, m, d]] of MODEL_RELEASE_PATTERNS) {
+    if (normalized.includes(pattern)) return [y, m, d];
+  }
+  return null;
+}
+
+export function extractModelRecency(id) {
+  const normalized = normalizeModelKey(id);
+  if (
+    [
+      'gpt-4o',
+      'gpt-4.1',
+      'gpt-4.5',
+      'claude-3.5',
+      'claude-3.7',
+      'gemini-2.5',
+      'gemini-3',
+      'llama-4',
+      'grok-4',
+      'minimax-m2',
+    ].some((p) => normalized.includes(p))
+  )
+    return 0;
+  if (
+    [
+      'gpt-4-turbo',
+      'gpt-4-32k',
+      'claude-3-sonnet',
+      'claude-3-opus',
+      'mistral-large-3',
+      'mixtral-8x22b',
+    ].some((p) => normalized.includes(p))
+  )
+    return 1;
+  if (
+    [
+      'gpt-4',
+      'gpt-3.5-turbo-16k',
+      'claude-3-haiku',
+      'mistral-medium',
+      'mistral-small',
+      'mixtral-8x7b',
+    ].some((p) => normalized.includes(p))
+  )
+    return 2;
+  if (
+    ['gpt-3.5-turbo', 'text-davinci', 'ada-002'].some((p) =>
+      normalized.includes(p)
+    )
+  )
+    return 3;
+  return 4;
+}
+
+export function getModelPriority(id) {
+  const { FRONTIER_PATTERNS } = _load();
+  for (const [pattern, priority] of FRONTIER_PATTERNS) {
+    if (pattern.endsWith('/')) {
+      if (id.startsWith(pattern)) return priority;
+    } else {
+      if (id.includes(pattern)) return priority;
+    }
+  }
+  return 5;
+}
+
+export function getModelReleaseSortKey(id) {
+  const d = extractModelReleaseDate(id);
+  if (d) return [-d[0], -d[1], -d[2]];
+  const r = extractModelRecency(id);
+  return [1000 + r, 0, 0];
+}
+
+export function getProviderForModel(id) {
+  const { PREFIX_TO_PROVIDER } = _load();
+  for (const [prefix, provider] of Object.entries(PREFIX_TO_PROVIDER)) {
+    if (id.startsWith(prefix)) return provider;
+  }
+  return null;
+}

package/src/password.js

@@ -0,0 +1,142 @@
+// src/password.js
+// Centralized resolver for NINEROUTER_PASSWORD.
+//
+// Resolution order (first non-empty, non-placeholder wins):
+//   1. CLI flag `--password <value>`
+//   2. process.env.NINEROUTER_PASSWORD (set via shell or .env via dotenv)
+//   3. Interactive masked TTY prompt (only when stdin & stdout are TTYs)
+//   4. Otherwise: return null (caller handles the error message)
+//
+// Why a single module: the previous code had three different places read
+// process.env directly (cli.js runScan, cli.js runTest, scan.js _requirePassword).
+// Centralizing lets us:
+//   - Add a CLI flag or TTY prompt in one place
+//   - Expose a friendly "here's what to do" error message
+//   - Unit-test the pure resolution logic without a real TTY
+import process from 'node:process';
+
+export const PASSWORD_ENV = 'NINEROUTER_PASSWORD';
+export const PASSWORD_PLACEHOLDER = '***ISI_PASSWORD_DISINI***';
+
+function _isUsable(p) {
+  return typeof p === 'string' && p.length > 0 && p !== PASSWORD_PLACEHOLDER;
+}
+
+/**
+ * Pure, synchronous resolution from non-interactive sources only.
+ * @param {{ cliPassword?: string }} opts
+ * @returns {string|null}
+ */
+export function resolvePasswordFromSources({ cliPassword } = {}) {
+  // 1) CLI flag wins (explicit user intent)
+  if (_isUsable(cliPassword)) return cliPassword;
+  // 2) Env var (shell or .env via dotenv)
+  const envPwd = process.env[PASSWORD_ENV];
+  if (_isUsable(envPwd)) return envPwd;
+  return null;
+}
+
+/**
+ * Masked password prompt. Reads from stdin in raw mode and echoes `*`
+ * for each character so the password never appears in terminal scrollback.
+ *
+ * Returns the entered string (without the trailing newline).
+ * Throws on Ctrl-C; resolves to '' on Enter without input.
+ */
+export function promptMasked(question, io = process) {
+  return new Promise((resolve, reject) => {
+    const stdin = io.stdin;
+    const stdout = io.stdout;
+    if (!stdin.isTTY || !stdout.isTTY) {
+      reject(new Error('promptMasked requires a TTY'));
+      return;
+    }
+    stdout.write(question);
+    const wasRaw = stdin.isRaw;
+    if (!wasRaw && typeof stdin.setRawMode === 'function') {
+      stdin.setRawMode(true);
+    }
+    stdin.resume();
+    stdin.setEncoding('utf8');
+
+    let buf = '';
+    const onData = (chunk) => {
+      for (const c of chunk) {
+        const code = c.charCodeAt(0);
+        if (c === '\r' || c === '\n' || code === 0x04) {
+          // Enter or Ctrl-D — finish
+          if (!wasRaw && typeof stdin.setRawMode === 'function') {
+            stdin.setRawMode(false);
+          }
+          stdin.removeListener('data', onData);
+          stdin.pause();
+          stdout.write('\n');
+          resolve(buf);
+          return;
+        }
+        if (code === 0x03) {
+          // Ctrl-C
+          stdout.write('\n');
+          reject(new Error('SIGINT'));
+          if (typeof process !== 'undefined' && process.exit) process.exit(130);
+          return;
+        }
+        if (c === '\b' || c === '\x7f') {
+          // Backspace
+          if (buf.length > 0) {
+            buf = buf.slice(0, -1);
+            stdout.write('\b \b');
+          }
+          continue;
+        }
+        // Ignore non-printable control characters
+        if (code < 0x20) continue;
+        buf += c;
+        stdout.write('*');
+      }
+    };
+    stdin.on('data', onData);
+  });
+}
+
+/**
+ * Full resolution: non-interactive sources first, then masked TTY prompt.
+ * @param {{
+ *   cliPassword?: string,
+ *   io?: { stdin: NodeJS.ReadableStream, stdout: NodeJS.WriteStream },
+ *   prompt?: (q: string) => Promise<string>,
+ * }} opts
+ * @returns {Promise<string|null>}
+ */
+export async function resolvePassword({ cliPassword, io, prompt } = {}) {
+  const fromSources = resolvePasswordFromSources({ cliPassword });
+  if (fromSources) return fromSources;
+
+  // If neither TTY is present, we can't prompt.
+  const stdin = io?.stdin ?? process.stdin;
+  const stdout = io?.stdout ?? process.stdout;
+  if (!stdin.isTTY || !stdout.isTTY) return null;
+
+  const ask = prompt ?? ((q) => promptMasked(q, io ?? process));
+  const answer = await ask(`Enter NINEROUTER_PASSWORD: `);
+  if (!_isUsable(answer)) return null;
+  return answer;
+}
+
+/**
+ * The friendly "password is not set, here's what to do" message.
+ * Exported so tests can pin the wording.
+ */
+export function passwordNotSetMessage() {
+  return [
+    'ERROR: NINEROUTER_PASSWORD is not set.',
+    '  Run the configuration wizard to set it up:',
+    '    9router-manager config',
+    '',
+    '  Alternatively, provide it via:',
+    '    1. Shell env var:    NINEROUTER_PASSWORD=xxx 9router-manager scan',
+    '    2. .env file:        Create/edit .env in your project',
+    '    3. CLI flag:        9router-manager scan --password xxx  (visible in process list)',
+    '  In a non-interactive shell (CI/cron), only options 1 and 2 work.',
+  ].join('\n');
+}

package/src/results.js

@@ -0,0 +1,134 @@
+// src/results.js
+// Read audit JSON (written by src/scan.js after a scan run), summarize, and print.
+import fs from 'node:fs';
+import { _resolveDbPath, _getDefaultAuditPath, loadEnv } from './env.js';
+
+function _resolveAuditPath() {
+  return process.env.NINEROUTER_AUDIT_PATH
+    ? _resolveDbPath(process.env.NINEROUTER_AUDIT_PATH)
+    : _getDefaultAuditPath();
+}
+
+function _safeInt(val, def = 0) {
+  const n = parseInt(val, 10);
+  return Number.isFinite(n) ? n : def;
+}
+
+export function readAudit(auditPath) {
+  const text = fs.readFileSync(auditPath, 'utf-8');
+  return JSON.parse(text);
+}
+
+export function summarizeAudit(d) {
+  const discovered = _safeInt(d.discovered_count);
+  const candidates = _safeInt(d.candidate_count);
+  const skipped = _safeInt(d.skipped_count);
+  const ok = _safeInt(d.ok_count);
+  const failed = _safeInt(d.failed_count);
+  const oldCombo = _safeInt(d.old_combo_count);
+  const newCombo = _safeInt(d.new_combo_count);
+  const added = d.added || [];
+  const removed = d.removed || [];
+  const results = d.results || [];
+
+  // Per-provider breakdown
+  const byProvider = {};
+  for (const r of results) {
+    if (r.ok) {
+      const prefix = String(r.model).split('/')[0];
+      byProvider[prefix] = (byProvider[prefix] || 0) + 1;
+    }
+  }
+  const failedModels = results.filter((r) => !r.ok && !(r.detail || '').startsWith('skipped:'));
+
+  return {
+    header: {
+      started_at: d.started_at || '-',
+      finished_at: d.finished_at || '-',
+      duration_seconds: d.duration_seconds,
+    },
+    metrics: { discovered, candidates, skipped, ok, failed },
+    combo: { old_count: oldCombo, new_count: newCombo, added_count: added.length, removed_count: removed.length },
+    added,
+    removed,
+    by_provider: byProvider,
+    failed: failedModels,
+  };
+}
+
+export function printSummary(summary) {
+  const W = 56;
+  const hr = () => console.log('-'.repeat(W));
+  hr();
+  console.log('  9Router - Hasil Scan Terakhir');
+  hr();
+  console.log(`  Start : ${summary.header.started_at}`);
+  console.log(`  Finish: ${summary.header.finished_at}`);
+  if (summary.header.duration_seconds) {
+    console.log(`  Duration: ${summary.header.duration_seconds}s`);
+  }
+  hr();
+  console.log(`  ${'Metric'.padEnd(20)} ${'Value'.padStart(10)}`);
+  for (const [k, v] of Object.entries(summary.metrics)) {
+    console.log(`  ${k.padEnd(20)} ${String(v).padStart(10)}`);
+  }
+  hr();
+  console.log(`  ${'Old combo count'.padEnd(20)} ${String(summary.combo.old_count).padStart(10)}`);
+  console.log(`  ${'New combo count'.padEnd(20)} ${String(summary.combo.new_count).padStart(10)}`);
+  console.log(`  ${'Added'.padEnd(20)} ${String(summary.combo.added_count).padStart(10)}`);
+  console.log(`  ${'Removed'.padEnd(20)} ${String(summary.combo.removed_count).padStart(10)}`);
+  hr();
+  if (summary.added.length) {
+    console.log(`  + Added to combo (${summary.added.length}):`);
+    for (const m of summary.added) console.log(`      - ${m}`);
+  } else {
+    console.log('  + Added to combo: (none)');
+  }
+  if (summary.removed.length) {
+    console.log(`  - Removed from combo (${summary.removed.length}):`);
+    for (const m of summary.removed) console.log(`      - ${m}`);
+  } else {
+    console.log('  - Removed from combo: (none)');
+  }
+  hr();
+  console.log('  Per-provider breakdown (new combo):');
+  for (const [provider, cnt] of Object.entries(summary.by_provider).sort()) {
+    console.log(`    ${provider.padEnd(22)} ${String(cnt).padStart(3)} models`);
+  }
+  if (summary.failed.length) {
+    hr();
+    console.log(`  Failed models (${summary.failed.length}):`);
+    for (const r of summary.failed.slice(0, 10)) {
+      const detail = (r.detail || 'unknown').slice(0, 60);
+      console.log(`    - ${r.model}: ${detail}`);
+    }
+    if (summary.failed.length > 10) {
+      console.log(`    ... and ${summary.failed.length - 10} more`);
+    }
+  }
+  hr();
+}
+
+export function main() {
+  loadEnv();
+  const auditPath = _resolveAuditPath();
+  if (!fs.existsSync(auditPath)) {
+    console.log('ERROR: Audit log tidak ditemukan:');
+    console.log(`  ${auditPath}`);
+    console.log('\nJalankan scan terlebih dahulu:');
+    console.log('  npm run scan  (or)  node src/cli.js scan');
+    process.exit(1);
+  }
+  try {
+    const d = readAudit(auditPath);
+    const summary = summarizeAudit(d);
+    printSummary(summary);
+  } catch (e) {
+    if (e instanceof SyntaxError) {
+      console.log(`ERROR: Invalid JSON di audit log: ${e.message}`);
+    } else {
+      console.log(`ERROR: Gagal baca audit log: ${e.message}`);
+    }
+    process.exit(1);
+  }
+}