@activemind/scd 1.4.0

package/lib/report-index.js

@@ -0,0 +1,157 @@
+/**
+ * report-index.js
+ * Generates the HTML index page for scd report --serve.
+ * Matches the visual theme of report-html.js.
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+function buildIndexPage(reports, reportDir, currentFile) {
+  const meta = (() => {
+    try {
+      return JSON.parse(fs.readFileSync(path.join(reportDir, '..', 'meta.json'), 'utf8'));
+    } catch { return {}; }
+  })();
+
+  const rows = reports.map(r => {
+    const date    = (r.filename.match(/(\d{4}-\d{2}-\d{2})/) || [])[1] || '—';
+    const sizeStr = r.size > 1024 * 1024
+      ? (r.size / 1024 / 1024).toFixed(1) + ' MB'
+      : Math.round(r.size / 1024) + ' KB';
+    const age     = Math.floor((Date.now() - new Date(r.mtime)) / 86400000);
+    const ageStr  = age === 0 ? 'today' : age === 1 ? 'yesterday' : age + ' days ago';
+    const isCurrent = r.filename === currentFile;
+    const badge   = isCurrent ? '<span class="badge-latest">latest</span>' : '';
+
+    return [
+      '<tr class="' + (isCurrent ? 'current' : '') + '">',
+      '  <td class="td-date"><span class="mono">' + date + '</span></td>',
+      '  <td class="td-name"><span class="mono">' + esc(r.filename) + '</span>' + badge + '</td>',
+      '  <td class="td-size muted">' + sizeStr + '</td>',
+      '  <td class="td-age muted">' + ageStr + '</td>',
+      '  <td class="td-actions">',
+      '    <a class="btn btn-open" href="/' + encodeURIComponent(r.filename) + '" target="_blank">Open</a>',
+      '    <a class="btn btn-dl" href="/download/' + encodeURIComponent(r.filename) + '" download="' + esc(r.filename) + '">↓</a>',
+      '  </td>',
+      '</tr>',
+    ].join('\n');
+  }).join('\n');
+
+  const dlAll = reports.length > 1
+    ? '<a class="btn btn-dl-all" href="/download-all">↓ Download all</a>'
+    : '';
+
+  const tableOrEmpty = reports.length === 0
+    ? '<div class="empty">No reports found. Run <code>scd report</code> to generate one.</div>'
+    : [
+        '<table>',
+        '  <thead><tr>',
+        '    <th>Date</th><th>File</th><th>Size</th><th>Age</th><th></th>',
+        '  </tr></thead>',
+        '  <tbody>' + rows + '</tbody>',
+        '</table>',
+      ].join('\n');
+
+  return [
+    '<!DOCTYPE html>',
+    '<html lang="en">',
+    '<head>',
+    '  <meta charset="UTF-8">',
+    '  <meta name="viewport" content="width=device-width, initial-scale=1.0">',
+    '  <title>Secure Code by Design \u2013 Reports</title>',
+    '  <link rel="preconnect" href="https://fonts.googleapis.com">',
+    '  <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;700&family=Syne:wght@400;600;700;800&display=swap" rel="stylesheet">',
+    '  <style>' + buildCSS() + '  </style>',
+    '</head>',
+    '<body>',
+    '  <div class="page">',
+    '    <div class="report-header">',
+    '      <div>',
+    '        <div class="brand">',
+    '          <div class="brand-icon">\uD83D\uDEE1</div>',
+    '          <div class="brand-name">Secure Code by Design</div>',
+    '        </div>',
+    '        <div class="repo-name">' + esc(meta.name || 'Reports') + '</div>',
+    meta.localPath ? '        <div class="repo-path">' + esc(meta.localPath) + '</div>' : '',
+    '      </div>',
+    '    </div>',
+    '    <div class="section-title">',
+    '      <span>' + reports.length + ' saved report' + (reports.length !== 1 ? 's' : '') + '</span>',
+    '      ' + dlAll,
+    '    </div>',
+    '    ' + tableOrEmpty,
+    '  </div>',
+    '</body>',
+    '</html>',
+  ].join('\n');
+}
+
+function buildCSS() {
+  return [
+    '    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }',
+    '    :root {',
+    '      --bg:       #0a0f1a;',
+    '      --surface:  #0f172a;',
+    '      --surface2: #1e293b;',
+    '      --border:   #1e293b;',
+    '      --text:     #e2e8f0;',
+    '      --muted:    #64748b;',
+    '      --accent:   #38bdf8;',
+    '    }',
+    '    html { font-size: 15px; }',
+    '    body { background: var(--bg); color: var(--text); font-family: \'Syne\', sans-serif;',
+    '           line-height: 1.6; min-height: 100vh; }',
+    '    .page { max-width: 900px; margin: 0 auto; padding: 0 2rem 4rem; }',
+    '    .report-header { border-bottom: 1px solid var(--border); padding: 3rem 0 2rem;',
+    '                     margin-bottom: 2.5rem; display: flex; align-items: center; gap: 2rem; }',
+    '    .brand { display: flex; align-items: center; gap: 1rem; }',
+    '    .brand-icon { width: 38px; height: 38px; background: var(--accent); border-radius: 8px;',
+    '                  display: flex; align-items: center; justify-content: center; font-size: 1.2rem; }',
+    '    .brand-name { font-size: 0.85rem; font-weight: 700; letter-spacing: 0.1em;',
+    '                  text-transform: uppercase; color: var(--muted); }',
+    '    .repo-name { font-size: 1.5rem; font-weight: 800; color: var(--text); margin-top: 0.4rem; }',
+    '    .repo-path { font-family: \'JetBrains Mono\', monospace; color: var(--muted);',
+    '                 font-size: 0.78rem; margin-top: 0.3rem; }',
+    '    .section-title { font-size: 0.72rem; font-weight: 700; letter-spacing: 0.12em;',
+    '                     text-transform: uppercase; color: var(--muted); margin-bottom: 1rem;',
+    '                     display: flex; align-items: center; justify-content: space-between; }',
+    '    table { width: 100%; border-collapse: collapse; }',
+    '    th { font-size: 0.7rem; font-weight: 600; letter-spacing: 0.08em; text-transform: uppercase;',
+    '         color: var(--muted); padding: 0 1rem 0.75rem; text-align: left;',
+    '         border-bottom: 1px solid var(--border); }',
+    '    td { padding: 0.85rem 1rem; border-bottom: 1px solid rgba(30,41,59,0.6); vertical-align: middle; }',
+    '    tr:hover td { background: var(--surface); }',
+    '    tr.current td { background: rgba(56,189,248,0.04); }',
+    '    tr:last-child td { border-bottom: none; }',
+    '    .mono { font-family: \'JetBrains Mono\', monospace; font-size: 0.82rem; }',
+    '    .muted { color: var(--muted); font-size: 0.85rem; }',
+    '    .td-actions { text-align: right; white-space: nowrap; }',
+    '    .badge-latest { font-size: 0.63rem; font-weight: 700; letter-spacing: 0.06em;',
+    '                    text-transform: uppercase; background: rgba(56,189,248,0.15);',
+    '                    color: var(--accent); border: 1px solid rgba(56,189,248,0.3);',
+    '                    border-radius: 4px; padding: 0.1rem 0.4rem; margin-left: 0.5rem;',
+    '                    vertical-align: middle; }',
+    '    .btn { display: inline-block; font-size: 0.78rem; font-weight: 600; border-radius: 6px;',
+    '           padding: 0.3rem 0.8rem; text-decoration: none; cursor: pointer; transition: opacity 0.15s; }',
+    '    .btn:hover { opacity: 0.8; }',
+    '    .btn-open { background: var(--accent); color: #0a0f1a; margin-right: 0.4rem; }',
+    '    .btn-dl   { background: var(--surface2); color: var(--text); border: 1px solid var(--border); }',
+    '    .btn-dl-all { background: var(--surface2); color: var(--text); border: 1px solid var(--border);',
+    '                  font-size: 0.78rem; font-weight: 600; border-radius: 6px;',
+    '                  padding: 0.3rem 0.9rem; text-decoration: none; }',
+    '    .empty { color: var(--muted); padding: 3rem 0; text-align: center; font-size: 0.9rem; }',
+  ].join('\n');
+}
+
+function esc(str) {
+  return String(str || '')
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+}
+
+module.exports = { buildIndexPage };

package/lib/report-json.js

@@ -0,0 +1,136 @@
+/**
+ * report-json.js
+ * Generates a structured JSON security report from scan findings.
+ *
+ * Designed for:
+ *   - CI/CD pipeline integration (fail build on CRITICAL count threshold)
+ *   - Import into dashboards, ticketing systems, or SIEMs
+ *   - Diffing findings between scans
+ *
+ * Structure:
+ *   {
+ *     meta:      { scanDate, target, totalFiles, generatedBy, version }
+ *     summary:   { riskScore, riskLabel, totalFindings, bySeverity, byCategory }
+ *     findings:  [ { ruleId, severity, name, category, filePath, line, match, why, fix } ]
+ *     checklist: [ { ruleId, severity, name, occurrences } ]
+ *   }
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// ── Risk scoring ───────────────────────────────────────────────────────────
+
+const SEV_WEIGHT = { CRITICAL: 10, HIGH: 5, MEDIUM: 2, EXPOSURE: 1, INFO: 0 };
+const SEV_ORDER  = ['CRITICAL', 'HIGH', 'MEDIUM', 'EXPOSURE', 'INFO'];
+
+function computeRiskScore(findings) {
+  if (!findings.length) return 0;
+  const raw = findings.reduce((sum, f) => sum + (SEV_WEIGHT[f.severity] || 0), 0);
+  return Math.min(100, Math.round(raw / Math.max(findings.length, 1) * 5));
+}
+
+function riskLabel(score) {
+  if (score >= 80) return 'CRITICAL';
+  if (score >= 55) return 'HIGH';
+  if (score >= 30) return 'MEDIUM';
+  if (score >= 10) return 'LOW';
+  return 'MINIMAL';
+}
+
+function countBySeverity(findings) {
+  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, EXPOSURE: 0, INFO: 0 };
+  findings.forEach(f => { if (counts[f.severity] !== undefined) counts[f.severity]++; });
+  return counts;
+}
+
+function countByCategory(findings) {
+  const counts = {};
+  findings.forEach(f => {
+    const cat = f.category || 'Unknown';
+    counts[cat] = (counts[cat] || 0) + 1;
+  });
+  // Sort by count descending
+  return Object.fromEntries(
+    Object.entries(counts).sort(([, a], [, b]) => b - a)
+  );
+}
+
+function buildChecklist(findings) {
+  const seen  = new Set();
+  const items = [];
+  for (const sev of SEV_ORDER) {
+    for (const f of findings.filter(x => x.severity === sev)) {
+      if (seen.has(f.ruleId)) continue;
+      seen.add(f.ruleId);
+      items.push({
+        ruleId:      f.ruleId,
+        severity:    f.severity,
+        name:        f.name,
+        category:    f.category || null,
+        occurrences: findings.filter(x => x.ruleId === f.ruleId).length,
+        resolved:    false,   // placeholder for tooling integration
+      });
+    }
+  }
+  return items;
+}
+
+// ── Main generator ─────────────────────────────────────────────────────────
+
+function generateJson(findings, opts = {}) {
+  const {
+    target     = '.',
+    scanDate   = new Date(),
+    totalFiles = 0,
+    skipped    = [],
+    repoRoot   = process.cwd(),
+  } = opts;
+
+  const score  = computeRiskScore(findings);
+
+  const report = {
+    meta: {
+      generatedBy:  'Secure Code by Design',
+      version:      require('../package.json').version,
+      scanDate:     new Date(scanDate).toISOString(),
+      target,
+      totalFiles,
+      skippedFiles: skipped.length,
+    },
+    summary: {
+      riskScore:     score,
+      riskLabel:     riskLabel(score),
+      totalFindings: findings.length,
+      bySeverity:    countBySeverity(findings),
+      byCategory:    countByCategory(findings),
+    },
+    findings: findings.map(f => ({
+      findingId: f.findingId  || null,
+      ruleId:    f.ruleId,
+      severity:  f.severity,
+      name:      f.name       || null,
+      category:  f.category   || null,
+      filePath:  f.filePath,
+      line:      f.line,
+      match:     f.match      || null,
+      why:       f.why        || null,
+      scenario:  f.scenario   || null,
+      fix:       f.fix        || null,
+      excepted:  f.excepted   || false,
+      codeHash:  f.codeHash   || null,
+    })),
+    checklist: buildChecklist(findings),
+  };
+
+  return JSON.stringify(report, null, 2);
+}
+
+function writeJson(json, outPath) {
+  fs.mkdirSync(path.dirname(outPath), { recursive: true });
+  fs.writeFileSync(outPath, json, { encoding: 'utf8', mode: 0o644 });
+}
+
+module.exports = { generateJson, writeJson };

package/lib/report-markdown.js

@@ -0,0 +1,250 @@
+/**
+ * report-markdown.js
+ * Generates a Markdown security report from scan findings.
+ *
+ * Designed for two use cases:
+ *   1. Pasting into GitHub Issues, Confluence, Notion, Jira, etc.
+ *   2. Committing as SECURITY.md or including in PR descriptions.
+ *
+ * Sections:
+ *   - Executive summary (risk score, severity counts)
+ *   - Findings by severity (CRITICAL → EXPOSURE)
+ *   - Per-finding detail: file, line, why, fix
+ *   - Remediation checklist
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// ── Risk scoring (same weights as report-html) ─────────────────────────────
+
+const SEV_WEIGHT = { CRITICAL: 10, HIGH: 5, MEDIUM: 2, EXPOSURE: 1, INFO: 0 };
+const SEV_EMOJI  = { CRITICAL: '🔴', HIGH: '🟠', MEDIUM: '🟡', EXPOSURE: '🔵', INFO: '⚪' };
+const SEV_ORDER  = ['CRITICAL', 'HIGH', 'MEDIUM', 'EXPOSURE', 'INFO'];
+
+function computeRiskScore(findings) {
+  if (!findings.length) return 0;
+  const raw = findings.reduce((sum, f) => sum + (SEV_WEIGHT[f.severity] || 0), 0);
+  return Math.min(100, Math.round(raw / Math.max(findings.length, 1) * 5));
+}
+
+function riskLabel(score) {
+  if (score >= 80) return '🔴 CRITICAL RISK';
+  if (score >= 55) return '🟠 HIGH RISK';
+  if (score >= 30) return '🟡 MEDIUM RISK';
+  if (score >= 10) return '🟢 LOW RISK';
+  return '⚪ MINIMAL RISK';
+}
+
+function countBySeverity(findings) {
+  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, EXPOSURE: 0, INFO: 0 };
+  findings.forEach(f => { if (counts[f.severity] !== undefined) counts[f.severity]++; });
+  return counts;
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+function escMd(str) {
+  // Escape markdown special chars in inline text
+  return String(str || '').replace(/([`*_\[\]<>|\\])/g, '\\$1');
+}
+
+function shortPath(filePath, repoRoot) {
+  if (repoRoot && filePath.startsWith(repoRoot)) {
+    return filePath.slice(repoRoot.length).replace(/^[\\/]/, '');
+  }
+  return filePath;
+}
+
+function severityBar(counts) {
+  const parts = SEV_ORDER
+    .filter(s => counts[s] > 0)
+    .map(s => `${SEV_EMOJI[s]} **${counts[s]} ${s}**`);
+  return parts.join('  ·  ');
+}
+
+function groupBy(arr, key) {
+  return arr.reduce((acc, item) => {
+    const k = item[key] || 'Unknown';
+    (acc[k] = acc[k] || []).push(item);
+    return acc;
+  }, {});
+}
+
+// ── Remediation checklist ──────────────────────────────────────────────────
+
+function buildChecklist(findings) {
+  // Deduplicate by ruleId – one checklist item per unique rule
+  const seen   = new Set();
+  const items  = [];
+  for (const sev of SEV_ORDER) {
+    const bySev = findings.filter(f => f.severity === sev);
+    for (const f of bySev) {
+      if (seen.has(f.ruleId)) continue;
+      seen.add(f.ruleId);
+      const count = findings.filter(x => x.ruleId === f.ruleId).length;
+      items.push({ sev, ruleId: f.ruleId, name: f.name, count });
+    }
+  }
+  return items;
+}
+
+// ── Main generator ─────────────────────────────────────────────────────────
+
+function generateMarkdown(findings, opts = {}) {
+  const {
+    target    = '.',
+    scanDate  = new Date(),
+    totalFiles = 0,
+    skipped   = [],
+    repoRoot  = process.cwd(),
+  } = opts;
+
+  const counts   = countBySeverity(findings);
+  const score    = computeRiskScore(findings);
+  const risk     = riskLabel(score);
+  const dateStr  = new Date(scanDate).toLocaleDateString('sv-SE', {
+    year: 'numeric', month: 'long', day: 'numeric',
+    hour: '2-digit', minute: '2-digit',
+  });
+
+  const lines = [];
+
+  // ── Header ────────────────────────────────────────────────────────────────
+  lines.push(`# 🛡️ Secure Code by Design – Security Report`);
+  lines.push('');
+  lines.push(`> Genererad: **${dateStr}**  ·  Target: \`${escMd(target)}\`  ·  Filer: **${totalFiles}**`);
+  lines.push('');
+
+  // ── Executive summary ─────────────────────────────────────────────────────
+  lines.push('## Summary');
+  lines.push('');
+  lines.push(`| Property | Value |`);
+  lines.push(`|---|---|`);
+  lines.push(`| Risk assessment | ${risk} (${score}/100) |`);
+  lines.push(`| Total findings | **${findings.length}** |`);
+  lines.push(`| Files scanned | ${totalFiles} |`);
+  if (skipped.length > 0) {
+    lines.push(`| Skipped files | ${skipped.length} (too large) |`);
+  }
+  lines.push('');
+
+  // Severity breakdown
+  lines.push('### Findings by severity');
+  lines.push('');
+  lines.push('| Severity | Count | Description |');
+  lines.push('|---|---|---|');
+  const sevDesc = {
+    CRITICAL: 'Directly exploitable – fix immediately',
+    HIGH:     'High risk – fix within sprint',
+    MEDIUM:   'Medium risk – schedule remediation',
+    EXPOSURE: 'Configuration risk – may leak information',
+    INFO:     'Informational',
+  };
+  for (const sev of SEV_ORDER) {
+    if (counts[sev] === 0) continue;
+    lines.push(`| ${SEV_EMOJI[sev]} ${sev} | **${counts[sev]}** | ${sevDesc[sev]} |`);
+  }
+  lines.push('');
+
+  // ── Findings per severity ─────────────────────────────────────────────────
+  lines.push('---');
+  lines.push('');
+  lines.push('## Findings');
+  lines.push('');
+
+  for (const sev of SEV_ORDER) {
+    const sevFindings = findings.filter(f => f.severity === sev);
+    if (sevFindings.length === 0) continue;
+
+    lines.push(`### ${SEV_EMOJI[sev]} ${sev} (${sevFindings.length})`);
+    lines.push('');
+
+    // Group by rule for compact output
+    const byRule = groupBy(sevFindings, 'ruleId');
+
+    for (const [ruleId, ruleFindings] of Object.entries(byRule)) {
+      const first = ruleFindings[0];
+      lines.push(`#### ${escMd(ruleId)} – ${escMd(first.name)}`);
+      lines.push('');
+
+      if (first.category) {
+        lines.push(`**Kategori:** ${escMd(first.category)}`);
+        lines.push('');
+      }
+
+      // Affected locations
+      lines.push('**Occurrences:**');
+      lines.push('');
+      for (const f of ruleFindings) {
+        const fp = shortPath(f.filePath, repoRoot);
+        const matchSnippet = f.match ? `  \`${escMd(f.match.slice(0, 80).trim())}\`` : '';
+        lines.push(`- \`${escMd(fp)}\` rad **${f.line}**${matchSnippet}`);
+      }
+      lines.push('');
+
+      // Why
+      if (first.why) {
+        lines.push('<details>');
+        lines.push('<summary>Why is this a problem?</summary>');
+        lines.push('');
+        lines.push(first.why);
+        lines.push('');
+        lines.push('</details>');
+        lines.push('');
+      }
+
+      // Scenario
+      if (first.scenario) {
+        lines.push('<details>');
+        lines.push('<summary>Attackscenario</summary>');
+        lines.push('');
+        lines.push(`> ${first.scenario}`);
+        lines.push('');
+        lines.push('</details>');
+        lines.push('');
+      }
+
+      // Fix
+      if (first.fix) {
+        lines.push('**Fix:**');
+        lines.push('');
+        lines.push(`> ${first.fix}`);
+        lines.push('');
+      }
+
+      lines.push('---');
+      lines.push('');
+    }
+  }
+
+  // ── Remediation checklist ─────────────────────────────────────────────────
+  lines.push('## Remediation checklist');
+  lines.push('');
+  lines.push('Check off each finding when resolved:');
+  lines.push('');
+
+  const checklist = buildChecklist(findings);
+  for (const item of checklist) {
+    const plural = item.count > 1 ? ` _(${item.count} occurrences)_` : '';
+    lines.push(`- [ ] ${SEV_EMOJI[item.sev]} **${item.ruleId}** – ${escMd(item.name)}${plural}`);
+  }
+  lines.push('');
+
+  // ── Footer ────────────────────────────────────────────────────────────────
+  lines.push('---');
+  lines.push('');
+  lines.push(`_Report generated by **Secure Code by Design** · ${dateStr}_`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+function writeMarkdown(md, outPath) {
+  fs.mkdirSync(path.dirname(outPath), { recursive: true });
+  fs.writeFileSync(outPath, md, { encoding: 'utf8', mode: 0o644 });
+}
+
+module.exports = { generateMarkdown, writeMarkdown };

package/lib/resolve-manager.js

@@ -0,0 +1,148 @@
+const { RESET, BOLD, DIM, GREEN, YELLOW, CYAN } = require('./output-constants');
+/**
+ * resolve-manager.js
+ * Interactive CLI for resolving EXPOSURE-class findings.
+ *
+ * Unlike exceptions (approve), a resolve means:
+ * "We have taken action outside the code to make this safe."
+ *
+ * Usage: scd resolve --rule FRONT-001 --file src/maps/config.js --line 3
+ *
+ * Creates a resolution record in ~/.scd/repos/{repoId}/config.yml under `resolutions:`
+ * and logs the event to the audit trail.
+ */
+
+const fs       = require('fs');
+const path     = require('path');
+const readline = require('readline');
+const { CONFIG_FILENAME, hashLine, EXPOSURE_RULES } = require('./config');
+const { logEvent } = require('./audit');
+
+// Import EXPOSURE_RULES for checklist display
+let EXPOSURE_RULE_MAP = {};
+try {
+  const { EXPOSURE_RULES } = require('./scanner-full');
+  for (const r of EXPOSURE_RULES) EXPOSURE_RULE_MAP[r.id] = r;
+} catch { /* scanner-full may not be loaded yet */ }
+
+
+async function resolveExposure(repoRoot, opts) {
+  const { rule, file, line } = opts;
+
+  if (!rule || !file || !line) {
+    console.log(`\nREDUsage: scd resolve --rule <id> --file <path> --line <n>${RESET}`);
+    console.log(`${DIM}Example: scd resolve --rule FRONT-001 --file src/maps/config.js --line 3${RESET}\n`);
+    process.exit(1);
+  }
+
+  const lineNum  = parseInt(line);
+  const filePath = path.resolve(repoRoot, file);
+
+  // Show which rule this is
+  const ruleInfo = EXPOSURE_RULE_MAP[rule];
+
+  console.log(`\n${CYAN}${BOLD}Secure Code by Design – Resolve EXPOSURE finding${RESET}`);
+  console.log(`${'─'.repeat(50)}`);
+  console.log(`Regel:  ${rule}${ruleInfo ? ' – ' + ruleInfo.name : ''}`);
+  console.log(`Fil:    ${file}:${lineNum}`);
+
+  // Show the actual line
+  if (fs.existsSync(filePath)) {
+    const lines = fs.readFileSync(filePath, 'utf8').split('\n');
+    const lineContent = lines[lineNum - 1];
+    if (lineContent) {
+      console.log(`Kod:    ${DIM}${lineContent.trim()}${RESET}`);
+    }
+  }
+
+  // Show checklist if available
+  if (ruleInfo?.checklist) {
+    console.log(`\n${BOLD}Confirm the following is in place:${RESET}`);
+    ruleInfo.checklist.forEach((item, i) => {
+      console.log(`  ${YELLOW}☐${RESET} ${item}`);
+    });
+  }
+
+  console.log('');
+
+  // Prompt
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+
+  const action_taken = await ask('Action taken (describe what was done):       ');
+  const resolved_by  = await ask('Hanterat av (e-post):                        ');
+  const reviewDays   = await ask('Review in (days, Enter = 180):               ');
+  rl.close();
+
+  const days        = parseInt(reviewDays) || 180;
+  const review_date = new Date(Date.now() + days * 86400000).toISOString().slice(0, 10);
+  const resId       = `res-${Date.now().toString(36)}`;
+
+  // Read line hash
+  let lineHash = null;
+  if (fs.existsSync(filePath)) {
+    const lines = fs.readFileSync(filePath, 'utf8').split('\n');
+    const lineContent = lines[lineNum - 1];
+    if (lineContent) lineHash = hashLine(lineContent);
+  }
+
+  const resolution = {
+    id:            resId,
+    rule,
+    file:          file.replace(/\\/g, '/'),
+    line:          lineNum,
+    line_hash:     lineHash,
+    action_taken:  action_taken.trim(),
+    resolved_by:   resolved_by.trim(),
+    resolved_date: new Date().toISOString().slice(0, 10),
+    review_date,
+  };
+
+  writeResolution(repoRoot, resolution);
+
+  logEvent(repoRoot, 'exposure_resolved', {
+    resolution_id: resId,
+    rule,
+    file,
+    line:         lineNum,
+    action_taken: action_taken.trim(),
+    resolved_by:  resolved_by.trim(),
+    review_date,
+  });
+
+  console.log(`\n${GREEN}${BOLD}✅ Resolution recorded (${resId})${RESET}`);
+  console.log(`${DIM}   Review due: ${review_date} (in ${days} days)${RESET}`);
+  console.log(`${DIM}   Finding will show as "Resolved" in reports until review is due.${RESET}\n`);
+}
+
+function writeResolution(repoRoot, resolution) {
+  const configPath = require('./store').configPath(repoRoot);
+
+  let content = '';
+  if (fs.existsSync(configPath)) {
+    content = fs.readFileSync(configPath, 'utf8');
+  } else {
+    content = '# Secure Code by Design configuration\ntrust_level: balanced\n\n';
+  }
+
+  const block = `
+  - id: "${resolution.id}"
+    rule: "${resolution.rule}"
+    file: "${resolution.file}"
+    line: ${resolution.line}
+    line_hash: "${resolution.line_hash || ''}"
+    action_taken: "${resolution.action_taken}"
+    resolved_by: "${resolution.resolved_by}"
+    resolved_date: "${resolution.resolved_date}"
+    review_date: "${resolution.review_date}"`;
+
+  if (content.includes('\nresolutions:')) {
+    content = content.replace(/\nresolutions:\n/, `\nresolutions:\n${block}\n`);
+  } else {
+    content += `\nresolutions:${block}\n`;
+  }
+
+  fs.writeFileSync(configPath, content);
+}
+
+module.exports = { resolveExposure };