@activemind/scd 1.4.0

package/lib/audit-sync.js

@@ -0,0 +1,172 @@
+/**
+ * audit-sync.js
+ * Sync audit.log history to scd-server.
+ *
+ * Used by `scd sync --history` to send existing local findings to the server.
+ * Safe to re-run — server uses INSERT OR IGNORE (idempotent).
+ *
+ * What is synced:
+ *   - findings_batch events reconstructed from FINDING_* events in audit.log
+ *   - Grouped by session_id so each scan becomes one batch
+ *   - scan_completed events for any sessions not already on the server
+ *
+ * What is NOT synced:
+ *   - SCAN_STARTED, SCAN_PASSED, SCAN_BLOCKED (server already has these via push queue)
+ *   - Events without a session_id
+ */
+
+'use strict';
+const { RESET, YELLOW } = require('./output-constants');
+
+const fs    = require('fs');
+const store = require('./store');
+const { EVENTS } = require('./audit');
+
+const FINDING_EVENTS = new Set([
+  EVENTS.FINDING_BLOCKED,
+  EVENTS.FINDING_WARNED,
+  EVENTS.FINDING_EXCEPTED,
+  EVENTS.FINDING_EXCEPTION_EXPIRED,
+]);
+
+/**
+ * Read entire audit.log without limit.
+ */
+function readFullAuditLog(repoRoot) {
+  const p = store.auditPath(repoRoot);
+  if (!fs.existsSync(p)) return [];
+  return fs.readFileSync(p, 'utf8')
+    .split('\n').filter(Boolean)
+    .map(line => { try { return JSON.parse(line); } catch { return null; } })
+    .filter(Boolean);
+}
+
+/**
+ * Reconstruct findings_batch events from audit.log.
+ * Groups FINDING_* events by session_id.
+ * Returns array of findings_batch objects ready for push-queue.
+ */
+function buildFindingsBatches(events) {
+  const sessions = new Map(); // session_id → { hook, ts, findings[] }
+
+  for (const e of events) {
+    if (!e.session_id) continue;
+    if (!FINDING_EVENTS.has(e.event)) continue;
+
+    if (!sessions.has(e.session_id)) {
+      sessions.set(e.session_id, {
+        session_id: e.session_id,
+        hook:       e.hook || 'manual',
+        ts:         e.timestamp,
+        findings:   [],
+      });
+    }
+
+    sessions.get(e.session_id).findings.push({
+      rule_id:      e.rule_id,
+      rule_name:    e.rule_name     || null,
+      category:     e.category      || null,
+      severity:     e.severity,
+      file:         e.file,
+      line:         e.line          || null,
+      snippet:      e.snippet       || null,
+      taint_source: e.taint_source  || null,
+      excepted:     e.excepted      || false,
+      blocked:      e.event === EVENTS.FINDING_BLOCKED,
+      exception_id: e.exception_id  || null,
+    });
+  }
+
+  // Return as findings_batch events, skip sessions with no findings
+  return Array.from(sessions.values())
+    .filter(s => s.findings.length > 0)
+    .map(s => ({
+      type:       'findings_batch',
+      session_id: s.session_id,
+      hook:       s.hook,
+      ts:         s.ts,
+      findings:   s.findings,
+    }));
+}
+
+/**
+ * Sync full audit.log history to scd-server.
+ * Chunks into batches of 50 sessions to avoid huge payloads.
+ * Returns { sessions, findings, errors }.
+ */
+async function syncHistory(repoRoot) {
+  const { getCentralUrl, getCentralToken } = require('./global-config');
+  const centralUrl = getCentralUrl();
+  if (!centralUrl) {
+    return { error: 'No scd-server configured. Run: scd configure --central-url <url>' };
+  }
+
+  const token = getCentralToken();
+  if (!token) {
+    return { error: 'No API token configured. Run: scd configure --central-url <url>' };
+  }
+
+  const identity = store.getRepoIdentity(repoRoot);
+  const repoId   = store.getRepoId(repoRoot);
+  const meta     = store.readMeta(repoRoot) || {};
+
+  const events  = readFullAuditLog(repoRoot);
+  if (events.length === 0) {
+    return { sessions: 0, findings: 0, errors: 0, message: 'No audit log entries found.' };
+  }
+
+  const batches = buildFindingsBatches(events);
+  if (batches.length === 0) {
+    return { sessions: 0, findings: 0, errors: 0, message: 'No finding events in audit log.' };
+  }
+
+  // Chunk into groups of 10 sessions to keep payloads manageable
+  const CHUNK_SIZE = 10;
+  let totalFindings = 0;
+  let totalErrors   = 0;
+
+  for (let i = 0; i < batches.length; i += CHUNK_SIZE) {
+    const chunk = batches.slice(i, i + CHUNK_SIZE);
+    const chunkFindings = chunk.reduce((n, b) => n + b.findings.length, 0);
+
+    try {
+      const res = await fetch(centralUrl + '/api/v1/events/batch', {
+        method:  'POST',
+        headers: {
+          'Content-Type':  'application/json',
+          'Authorization': 'Bearer ' + token,
+        },
+        body: JSON.stringify({
+          events: chunk,
+          meta: {
+            repoId:         repoId,
+            repoName:       meta.name        || null,
+            repoRemote:     meta.remote      || null,
+            installationId: meta.installationId || null,
+            hostname:       require('os').hostname(),
+            platform:       process.platform,
+            scdVersion:     require('../package.json').version,
+          },
+        }),
+      });
+
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || `HTTP ${res.status}`);
+      }
+
+      totalFindings += chunkFindings;
+    } catch (err) {
+      totalErrors++;
+      console.error(`${YELLOW}  [sync] Chunk ${Math.floor(i/CHUNK_SIZE)+1} failed: ${err.message}${RESET}`);
+    }
+  }
+
+  return {
+    sessions: batches.length,
+    findings: totalFindings,
+    errors:   totalErrors,
+  };
+}
+
+module.exports = { syncHistory, buildFindingsBatches, readFullAuditLog };

package/lib/audit.js

@@ -0,0 +1,356 @@
+/**
+ * audit.js
+ * Append-only audit trail for all security events.
+ *
+ * All data lives in ~/.scd/repos/{repoId}/
+ * Nothing is written inside the user's git repository.
+ *
+ * Two files per repo:
+ *   audit.log         – Full detail log (rule IDs, file paths, git user, machine)
+ *   audit-summary.log – Anonymised statistics only (counts, dates, no paths)
+ *
+ * Future tiers (Team/Professional):
+ *   Events pushed to scd-server via push queue (push-queue.js).
+ *   The repo remains completely untouched.
+ */
+
+'use strict';
+const { RESET, DIM } = require('./output-constants');
+
+const fs     = require('fs');
+const os     = require('os');
+const crypto = require('crypto');
+const store  = require('./store');
+
+// ── Event types ────────────────────────────────────────────────────────────
+const EVENTS = {
+  SCAN_STARTED:              'scan_started',
+  FINDING_BLOCKED:           'finding_blocked',
+  FINDING_WARNED:            'finding_warned',
+  FINDING_EXCEPTED:          'finding_excepted',
+  FINDING_EXCEPTION_EXPIRED: 'finding_exception_expired',
+  SCAN_PASSED:               'scan_passed',
+  SCAN_BLOCKED:              'scan_blocked',
+  CONFIG_LOADED:             'config_loaded',
+  CONFIG_NOT_FOUND:          'config_not_found',
+  RISK_ACCEPTED:             'risk_accepted',
+  EXPOSURE_RESOLVED:         'exposure_resolved',
+  HOOKS_DISABLED:            'hooks_disabled',
+  HOOKS_ENABLED:             'hooks_enabled',
+};
+
+// ── Git user ───────────────────────────────────────────────────────────────
+function getGitUser() {
+  try {
+    const { execSync } = require('child_process');
+    const name  = execSync('git config user.name',  { encoding: 'utf8' }).trim();
+    const email = execSync('git config user.email', { encoding: 'utf8' }).trim();
+    return { name, email };
+  } catch {
+    return { name: 'unknown', email: 'unknown' };
+  }
+}
+
+// ── Build base event ───────────────────────────────────────────────────────
+function buildEvent(type, data = {}) {
+  const gitUser = getGitUser();
+  return {
+    timestamp: new Date().toISOString(),
+    event:     type,
+    git_user:  gitUser.email,
+    git_name:  gitUser.name,
+    machine:   os.hostname(),
+    platform:  process.platform,
+    ...data,
+  };
+}
+
+// ── Append event to full audit log ────────────────────────────────────────
+function logEvent(repoRoot, type, data = {}) {
+  try {
+    const event = buildEvent(type, data);
+    fs.appendFileSync(store.auditPath(repoRoot), JSON.stringify(event) + '\n');
+    return event;
+  } catch (err) {
+    console.error(`${DIM}[scd] Audit log warning: ${err.message}${RESET}`);
+  }
+}
+
+// ── Append anonymised entry to summary log ────────────────────────────────
+function logSummaryEntry(repoRoot, summary) {
+  try {
+    fs.appendFileSync(store.auditSummaryPath(repoRoot), JSON.stringify(summary) + '\n');
+  } catch (err) {
+    console.error(`${DIM}[scd] Summary log warning: ${err.message}${RESET}`);
+  }
+}
+
+
+// ── Build exclusions summary for audit log ────────────────────────────────
+
+/**
+ * Build the exclusions block logged to audit.log in SCAN_STARTED.
+ * Includes full metadata: pattern/rule, count, source, reason, added_by, added_at.
+ */
+function buildAuditExclusions(scopeExclusions, findings) {
+  const ruleExclusionCounts = findings?._ruleExclusionCounts || {};
+
+  return {
+    files: (scopeExclusions.file_excludes || []).map(e => ({
+      pattern:        e.pattern,
+      files_excluded: scopeExclusions.files_excluded || 0,
+      source:         e._source  || 'repo',
+      reason:         e.reason   || null,
+      added_by:       e.added_by || null,
+      added_at:       e.added_at || null,
+    })),
+    rules: (scopeExclusions.rule_excludes || []).map(e => ({
+      rule:              e.rule,
+      scoped_to:         e.files || null,
+      findings_excluded: ruleExclusionCounts[e.rule] || 0,
+      source:            e._source  || 'repo',
+      reason:            e.reason   || null,
+      added_by:          e.added_by || null,
+      added_at:          e.added_at || null,
+    })),
+  };
+}
+
+// ── Log a complete scan session ────────────────────────────────────────────
+function logScan(repoRoot, { hookType, files, findings, blocked, exceptions_applied, scanId, noSync, scanMode, repoContext, repoContextChanged, scopeExclusions = null }) {
+  // Use the scanId from scan-cache (s-XXXXXXXX format) for full CLI↔server traceability.
+  // Falls back to generating a random ID if called without one (e.g. from hooks).
+  
+  const sessionId = scanId || ('s-' + crypto.randomBytes(4).toString('hex'));
+
+  store.updateMeta(repoRoot, {
+    findingCount:  findings.length,
+    criticalCount: findings.filter(f => f.severity === 'CRITICAL').length,
+  });
+
+  logEvent(repoRoot, EVENTS.SCAN_STARTED, {
+    session_id:  sessionId,
+    hook:        hookType,
+    scan_mode:   scanMode || 'full',
+    files_count: files.length,
+    files:       files.map(f => f.filePath),
+    exclusions:  scopeExclusions ? buildAuditExclusions(scopeExclusions, findings) : null,
+  });
+
+  for (const f of findings) {
+    const eventType = f.excepted
+      ? (f.exception_expired ? EVENTS.FINDING_EXCEPTION_EXPIRED : EVENTS.FINDING_EXCEPTED)
+      : (f.blocks ? EVENTS.FINDING_BLOCKED : EVENTS.FINDING_WARNED);
+
+    logEvent(repoRoot, eventType, {
+      session_id:   sessionId,
+      hook:         hookType,
+      rule_id:      f.ruleId,
+      rule_name:    f.name,
+      category:     f.category || null,
+      severity:     f.severity,
+      file:         f.filePath,
+      line:         f.line,
+      snippet:      f.snippet  || null,
+      taint_source: f.taintSource || null,
+      action:       f.action,
+      excepted:     f.excepted || false,
+      exception_id: f.exception?.id || null,
+      exception_by: f.exception?.approved_by || null,
+    });
+  }
+
+  const outcomeType = blocked ? EVENTS.SCAN_BLOCKED : EVENTS.SCAN_PASSED;
+  logEvent(repoRoot, outcomeType, {
+    session_id:         sessionId,
+    hook:               hookType,
+    total_findings:     findings.length,
+    blocked_findings:   findings.filter(f => f.blocks && !f.excepted).length,
+    excepted_findings:  findings.filter(f => f.excepted).length,
+    expired_exceptions: findings.filter(f => f.exception_expired).length,
+  });
+
+  // Anonymised summary – counts only, no paths or identities
+  logSummaryEntry(repoRoot, {
+    date:               new Date().toISOString().slice(0, 10),
+    session_id:         sessionId,
+    hook:               hookType,
+    scan_mode:          scanMode || 'full',
+    files_scanned:      files.length,
+    findings_total:     findings.length,
+    findings_critical:  findings.filter(f => f.severity === 'CRITICAL').length,
+    findings_high:      findings.filter(f => f.severity === 'HIGH').length,
+    findings_exposure:  findings.filter(f => f.severity === 'EXPOSURE').length,
+    blocked,
+    exceptions_applied: findings.filter(f => f.excepted).length,
+  });
+
+  // ── Push queue integration ───────────────────────────────────────────────
+  // If a central URL is configured, add a compact scan summary to the queue.
+  // Push to scd-server (unless --no-sync or no central URL configured)
+  if (!noSync) {
+    try {
+      const { getCentralUrl } = require('./global-config');
+      const centralUrl = getCentralUrl();
+      if (centralUrl) {
+        const { enqueue } = require('./push-queue');
+
+      // Build category breakdown: { "Injection (OWASP A03)": { critical, high, medium, exposure } }
+      const categories = {};
+      for (const f of findings) {
+        if (!f.category) continue;
+        if (!categories[f.category]) {
+          categories[f.category] = { critical: 0, high: 0, medium: 0, exposure: 0 };
+        }
+        const sev = (f.severity || '').toLowerCase();
+        if (categories[f.category][sev] !== undefined) {
+          categories[f.category][sev]++;
+        }
+      }
+
+      // Build top rules: [{ id, name, severity, count }] sorted by count desc, max 20
+      const ruleCounts = {};
+      for (const f of findings) {
+        if (!f.ruleId) continue;
+        if (!ruleCounts[f.ruleId]) {
+          ruleCounts[f.ruleId] = { id: f.ruleId, name: f.name || f.ruleId, severity: f.severity, count: 0 };
+        }
+        ruleCounts[f.ruleId].count++;
+      }
+      const top_rules = Object.values(ruleCounts)
+        .sort((a, b) => b.count - a.count)
+        .slice(0, 20);
+
+        enqueue({
+          type:               'scan_completed',
+          session_id:         sessionId,
+          hook:               hookType,
+          scan_mode:          scanMode || 'full',
+          files_scanned:      files.length,
+          findings_total:     findings.length,
+          findings_critical:  findings.filter(f => f.severity === 'CRITICAL').length,
+          findings_high:      findings.filter(f => f.severity === 'HIGH').length,
+          findings_medium:    findings.filter(f => f.severity === 'MEDIUM').length,
+          findings_exposure:  findings.filter(f => f.severity === 'EXPOSURE').length,
+          blocked,
+          exceptions_applied: findings.filter(f => f.excepted).length,
+          categories,
+          top_rules,
+          ts:                 new Date().toISOString(),
+        });
+
+        // Enqueue full findings batch for drill-down on server
+        if (findings.length > 0) {
+          enqueue({
+            type:       'findings_batch',
+            session_id: sessionId,
+            hook:       hookType,
+            ts:         new Date().toISOString(),
+            findings:   findings.map(f => ({
+              rule_id:      f.ruleId,
+              rule_name:    f.name,
+              category:     f.category     || null,
+              severity:     f.severity,
+              file:         f.filePath,
+              line:         f.line,
+              snippet:      f.snippet      || null,
+              code_hash:    f.codeHash     || null,
+              finding_id:   f.findingId    || null,
+              taint_source: f.taintSource  || null,
+              excepted:     f.excepted     || false,
+              blocked:      f.blocks       || false,
+              exception_id: f.exception?.id || null,
+            })),
+          });
+        }
+
+        // Send repo context if manifests changed since last scan
+        if (repoContext && repoContextChanged) {
+          enqueue({
+            type:         'repo_context',
+            session_id:   sessionId,
+            ts:           new Date().toISOString(),
+            languages:    repoContext.languages    || [],
+            frameworks:   repoContext.frameworks   || [],
+            manifests:    repoContext.manifests     || [],
+            dependencies: repoContext.dependencies  || {},
+          });
+        }
+      }
+    } catch {
+      // Non-fatal — push queue is best-effort
+    }
+  }
+
+  return sessionId;
+}
+
+// ── Read audit log ─────────────────────────────────────────────────────────
+function readAuditLog(repoRoot, limit = 100) {
+  const p = store.auditPath(repoRoot);
+  if (!fs.existsSync(p)) return [];
+  return fs.readFileSync(p, 'utf8')
+    .split('\n').filter(Boolean).slice(-limit)
+    .map(line => { try { return JSON.parse(line); } catch { return null; } })
+    .filter(Boolean);
+}
+
+// ── Read summary log ───────────────────────────────────────────────────────
+function readSummaryLog(repoRoot, limit = 100) {
+  const p = store.auditSummaryPath(repoRoot);
+  if (!fs.existsSync(p)) return [];
+  return fs.readFileSync(p, 'utf8')
+    .split('\n').filter(Boolean).slice(-limit)
+    .map(line => { try { return JSON.parse(line); } catch { return null; } })
+    .filter(Boolean);
+}
+
+// ── Quick summary for terminal ─────────────────────────────────────────────
+function getRecentSummary(repoRoot) {
+  const events = readAuditLog(repoRoot, 200);
+  if (events.length === 0) return null;
+  const scans    = events.filter(e => e.event === EVENTS.SCAN_STARTED);
+  const blocked  = events.filter(e => e.event === EVENTS.FINDING_BLOCKED);
+  const excepted = events.filter(e => e.event === EVENTS.FINDING_EXCEPTED);
+  const expired  = events.filter(e => e.event === EVENTS.FINDING_EXCEPTION_EXPIRED);
+  return {
+    total_scans:        scans.length,
+    total_blocked:      blocked.length,
+    total_excepted:     excepted.length,
+    expired_exceptions: expired.length,
+    last_scan:          scans[scans.length - 1]?.timestamp,
+  };
+}
+
+/**
+ * Log a hook disable/enable operation to audit.log and push-queue.
+ * Always requires a reason — hook bypasses must be intentional and visible.
+ */
+function logHooks(repoRoot, { action, reason, noSync }) {
+  const eventType = action === 'disable' ? EVENTS.HOOKS_DISABLED : EVENTS.HOOKS_ENABLED;
+
+  logEvent(repoRoot, eventType, {
+    action,
+    reason,
+  });
+
+  // Push to scd-server if configured (premium — visible to team leads)
+  if (!noSync) {
+    try {
+      const { getCentralUrl } = require('./global-config');
+      if (getCentralUrl()) {
+        const { enqueue } = require('./push-queue');
+        enqueue({
+          type:   'hooks_' + action + 'd',
+          action,
+          reason,
+          ts:     new Date().toISOString(),
+        });
+      }
+    } catch { /* non-fatal */ }
+  }
+}
+
+module.exports = {
+  logEvent, logScan, logHooks, readAuditLog, readSummaryLog, getRecentSummary, EVENTS,
+};

package/lib/cli-helpers.js

@@ -0,0 +1,108 @@
+'use strict';
+const { RESET, DIM, YELLOW } = require('./output-constants');
+/**
+ * cli-helpers.js — Shared CLI utilities used across multiple commands.
+ *
+ * Extracted from bin/scd.js during Phase 3 refactoring.
+ * All functions were previously defined inline at the top of bin/scd.js.
+ */
+
+/**
+ * Print a version warning if the local CLI is below the server's minimum
+ * required version. Reads from cached value — no network call.
+ * Non-fatal: only shown when a central URL is configured.
+ * opts.toStderr — write to stderr instead of stdout (for hook mode)
+ */
+function warnIfOutdated(opts = {}) {
+  try {
+    // Only warn when a server is configured — not in standalone mode
+    const globalCfg = require('./global-config');
+    const url = globalCfg.getCentralUrl();
+    if (!url) return;
+
+    const { getVersionWarning } = require('./version-check');
+    const warn = getVersionWarning();
+    if (warn) {
+      const out = opts.toStderr ? process.stderr : process.stdout;
+      out.write('\n' + YELLOW + warn + RESET + '\n');
+    }
+  } catch { /* never break a command */ }
+}
+
+/**
+ * Handles platform differences correctly:
+ *   macOS  → open
+ *   Linux  → xdg-open
+ *   Windows → start with empty title arg to avoid new terminal window
+ */
+function openInBrowser(target) {
+  const { spawn } = require('child_process');
+  if (process.platform === 'darwin') {
+    spawn('open', [target], { detached: true, stdio: 'ignore' }).unref();
+  } else if (process.platform === 'win32') {
+    // 'start' requires shell:true and empty string as window title
+    // to avoid opening a new terminal window instead of the browser
+    spawn('cmd', ['/c', 'start', '', target], { detached: true, stdio: 'ignore', shell: false }).unref();
+  } else {
+    spawn('xdg-open', [target], { detached: true, stdio: 'ignore' }).unref();
+  }
+}
+
+/**
+ * Awaitable push-queue flush — called before process.exit() in scan commands.
+ * Non-blocking: resolves immediately if no central URL or empty queue.
+ * opts.noSync — skip flush entirely (--no-sync flag)
+ */
+async function tryFlush(opts = {}) {
+  if (opts.noSync) return;  // --no-sync: skip push to scd-server
+  try {
+    const { getCentralUrl, getCentralToken, getMinCliVersion, setServerVersionInfo } = require('./global-config');
+    const centralUrl = getCentralUrl();
+    if (!centralUrl) return;
+    const { flush, queueSize } = require('./push-queue');
+
+    if (queueSize() === 0) {
+      // Queue empty — no flush needed, but fetch version info if not yet cached.
+      // Fire-and-forget: never blocks or throws.
+      if (!getMinCliVersion()) {
+        const token   = getCentralToken();
+        const baseUrl = centralUrl.replace(/\/$/, '');
+        const http    = baseUrl.startsWith('https') ? require('https') : require('http');
+        new Promise((resolve) => {
+          const req = http.get(
+            baseUrl + '/api/v1/health',
+            { headers: token ? { 'Authorization': `Bearer ${token}` } : {}, timeout: 4000 },
+            (res) => {
+              let data = '';
+              res.on('data', chunk => { data += chunk; });
+              res.on('end', () => {
+                try {
+                  const body = JSON.parse(data);
+                  if (body.version || body.min_cli_version) {
+                    setServerVersionInfo(body.version || null, body.min_cli_version || null);
+                  }
+                } catch { /* ignore */ }
+                resolve();
+              });
+            }
+          );
+          req.on('timeout', () => { req.destroy(); resolve(); });
+          req.on('error', () => resolve());
+        }).catch(() => {});
+      }
+      return;
+    }
+
+    const repoRoot = (() => {
+      try { return require('./config').getRepoRoot(); } catch { return null; }
+    })();
+    const status = await flush(centralUrl, { repoRoot });
+    if (status === 'license_invalid') {
+      console.log(YELLOW + '  ⚠  Server license invalid — scan data queued locally.' + RESET);
+      console.log(DIM + '     Data will sync automatically when the license is restored.' + RESET);
+      console.log(DIM + '     Contact your scd-server administrator.' + RESET);
+    }
+  } catch { /* non-fatal */ }
+}
+
+module.exports = { warnIfOutdated, openInBrowser, tryFlush };

package/lib/commands/accept.js

@@ -0,0 +1,28 @@
+'use strict';
+const { RESET, DIM, RED } = require('../output-constants');
+// lib/commands/accept.js
+
+module.exports = { register };
+
+function register(program) {
+  program
+    .command('accept [findingId]')
+    .description('Accept a finding as an acceptable risk (requires team-lead approval via scd-server)')
+    .option('--reason <text>', 'Reason why this risk is accepted (required)')
+    .option('--tag <tag>',     'Optional tag for filtering (e.g. false_positive, out_of_scope, third_party)')
+    .action(async (findingId, opts) => {
+      const { addExceptionById } = require('../exception-manager');
+      const { getRepoRoot } = require('../config');
+      const repoRoot = getRepoRoot();
+      if (!findingId) {
+        console.error(RED + '❌ Finding ID required. Run scd findings to see IDs.' + RESET);
+        console.error(DIM + '   Usage: scd accept <finding-id> --reason "..."' + RESET);
+        process.exit(1);
+      }
+      if (!opts.reason) {
+        console.error(RED + '❌ --reason is required.' + RESET);
+        process.exit(1);
+      }
+      await addExceptionById(repoRoot, findingId, opts, 'exception');
+    });
+}

package/lib/commands/audit.js

@@ -0,0 +1,17 @@
+'use strict';
+// lib/commands/audit.js
+
+module.exports = { register };
+
+function register(program) {
+  program
+    .command('audit')
+    .description('Show recent audit log')
+    .option('--limit <n>', 'Number of events', '50')
+    .action(async (opts) => {
+      const { showAuditReport } = require('../audit-report');
+      const { getRepoRoot } = require('../config');
+      const repoRoot = getRepoRoot();
+      await showAuditReport(repoRoot, parseInt(opts.limit));
+    });
+}