@activemind/scd 1.4.0

package/lib/store-verify.js

@@ -0,0 +1,395 @@
+/**
+ * store-verify.js
+ *
+ * Verifies that repos in the global store still exist on disk and are
+ * valid git repositories. Reports status for each, and optionally runs
+ * an interactive cleanup flow.
+ *
+ * Statuses:
+ *   OK      – localPath exists, is a git repo, remote matches (if remote-type)
+ *   STALE   – localPath exists but .git/ is gone (remote-type repos only)
+ *   MISSING – localPath does not exist on disk
+ *   ORPHAN  – meta.json has no localPath recorded
+ */
+
+'use strict';
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, CYAN, OK } = require('./output-constants');
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+const { execSync } = require('child_process');
+const readline = require('readline');
+
+const REPOS_DIR = path.join(
+  process.env.HOME || process.env.USERPROFILE || '~',
+  '.scd', 'repos'
+);
+
+// ── Status constants ───────────────────────────────────────────────────────
+
+const STATUS = {
+  OK:      'OK',
+  STALE:   'STALE',
+  MISSING: 'MISSING',
+  ORPHAN:  'ORPHAN',
+};
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+function daysSince(isoString) {
+  if (!isoString) return null;
+  const diff = Date.now() - new Date(isoString).getTime();
+  return Math.floor(diff / (1000 * 60 * 60 * 24));
+}
+
+function repoStorePath(repoId) {
+  return path.join(REPOS_DIR, repoId);
+}
+
+function readMeta(repoId) {
+  try {
+    return JSON.parse(
+      fs.readFileSync(path.join(repoStorePath(repoId), 'meta.json'), 'utf8')
+    );
+  } catch {
+    return { repoId, name: repoId, localPath: null, remote: null, type: null };
+  }
+}
+
+function getStoreStats(repoId) {
+  const dir = repoStorePath(repoId);
+  let scanCount = 0;
+  let reportCount = 0;
+  let totalBytes = 0;
+
+  // Count scans in audit.log
+  const auditFile = path.join(dir, 'audit.log');
+  if (fs.existsSync(auditFile)) {
+    try {
+      const lines = fs.readFileSync(auditFile, 'utf8').split('\n').filter(Boolean);
+      scanCount = lines.filter(l => {
+        try { return JSON.parse(l).event === 'scan_complete'; } catch { return false; }
+      }).length;
+    } catch {}
+  }
+
+  // Count reports
+  const reportsDir = path.join(dir, 'reports');
+  if (fs.existsSync(reportsDir)) {
+    try {
+      reportCount = fs.readdirSync(reportsDir).filter(f => /\.(html|md|json)$/.test(f)).length;
+    } catch {}
+  }
+
+  // Total store size
+  try {
+    const walk = (d) => {
+      for (const f of fs.readdirSync(d)) {
+        const full = path.join(d, f);
+        try {
+          const st = fs.statSync(full);
+          if (st.isDirectory()) walk(full);
+          else totalBytes += st.size;
+        } catch {}
+      }
+    };
+    walk(dir);
+  } catch {}
+
+  return { scanCount, reportCount, totalBytes };
+}
+
+function formatBytes(bytes) {
+  if (bytes < 1024) return bytes + ' B';
+  if (bytes < 1024 * 1024) return (bytes / 1024).toFixed(1) + ' KB';
+  return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
+}
+
+function currentRemote(localPath) {
+  try {
+    return execSync('git remote get-url origin', {
+      cwd: localPath, stdio: ['pipe', 'pipe', 'pipe']
+    }).toString().trim();
+  } catch {
+    return null;
+  }
+}
+
+// ── Core verify logic ──────────────────────────────────────────────────────
+
+function verifyRepo(repoId) {
+  const meta = readMeta(repoId);
+  const result = {
+    repoId,
+    name:        meta.name      || repoId,
+    localPath:   meta.localPath || null,
+    remote:      meta.remote    || null,
+    type:        meta.type      || 'unknown',
+    lastSeen:    meta.lastSeen  || null,
+    lastScan:    meta.lastScan  || null,
+    daysSinceLastSeen: daysSince(meta.lastSeen),
+    status:      null,
+    detail:      null,
+    stats:       getStoreStats(repoId),
+  };
+
+  if (!meta.localPath) {
+    result.status = STATUS.ORPHAN;
+    result.detail = 'No localPath recorded in meta.json';
+    return result;
+  }
+
+  if (!fs.existsSync(meta.localPath)) {
+    result.status = STATUS.MISSING;
+    result.detail = 'Directory no longer exists on disk';
+    return result;
+  }
+
+  const gitDir = path.join(meta.localPath, '.git');
+  const hasGit = fs.existsSync(gitDir);
+
+  if (meta.type === 'path-based') {
+    // path-based repos are plain directory scans — .git/ is irrelevant
+    // Optionally note if .git has appeared (repo was initialised after first scan)
+    result.status = STATUS.OK;
+    if (hasGit) {
+      result.detail = 'Directory scan — .git/ present (repo was initialised after first scan)';
+    }
+    return result;
+  }
+
+  // For remote-type repos: .git/ must exist
+  if (!hasGit) {
+    result.status = STATUS.STALE;
+    result.detail = '.git/ directory removed — no longer a git repository';
+    return result;
+  }
+
+  // Check remote match
+  if (meta.remote) {
+    const actualRemote = currentRemote(meta.localPath);
+    if (actualRemote && actualRemote !== meta.remote) {
+      result.status = STATUS.STALE;
+      result.detail = `Remote mismatch — stored: ${meta.remote}, actual: ${actualRemote}`;
+      return result;
+    }
+  }
+
+  result.status = STATUS.OK;
+  return result;
+}
+
+function verifyAll() {
+  if (!fs.existsSync(REPOS_DIR)) return [];
+  const ids = fs.readdirSync(REPOS_DIR).filter(id => {
+    try { return fs.statSync(path.join(REPOS_DIR, id)).isDirectory(); }
+    catch { return false; }
+  });
+  return ids.map(verifyRepo);
+}
+
+// ── Archive a repo store entry ─────────────────────────────────────────────
+
+function copyDirRecursive(src, dest) {
+  fs.mkdirSync(dest, { recursive: true });
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath  = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      copyDirRecursive(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+function archiveRepo(repoId) {
+  const dir  = repoStorePath(repoId);
+  const meta = readMeta(repoId);
+  const ts   = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+  const name = (meta.name || repoId).replace(/[^a-z0-9_-]/gi, '_');
+
+  if (process.platform !== 'win32') {
+    // Unix: use tar for a proper compressed archive
+    const { execSync } = require('child_process');
+    const archive = path.join(os.homedir(), '.scd', 'archive', `${name}_${ts}.tar.gz`);
+    fs.mkdirSync(path.dirname(archive), { recursive: true, mode: 0o700 });
+    execSync(`tar -czf "${archive}" -C "${path.dirname(dir)}" "${repoId}"`, {
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    fs.rmSync(dir, { recursive: true, force: true });
+    return archive;
+  } else {
+    // Windows: copy to a named folder (no tar dependency)
+    const archiveDir = path.join(os.homedir(), '.scd', 'archive', `${name}_${ts}`);
+    fs.mkdirSync(archiveDir, { recursive: true });
+    copyDirRecursive(dir, archiveDir);
+    fs.rmSync(dir, { recursive: true, force: true });
+    return archiveDir;
+  }
+}
+
+// ── Delete a repo store entry ──────────────────────────────────────────────
+
+function deleteRepo(repoId) {
+  const dir = repoStorePath(repoId);
+  fs.rmSync(dir, { recursive: true, force: true });
+}
+
+// ── Interactive cleanup prompt ─────────────────────────────────────────────
+
+async function promptClean(results) {
+  const issues = results.filter(r => r.status !== STATUS.OK);
+  if (issues.length === 0) return;
+
+  const rl = readline.createInterface({
+    input:  process.stdin,
+    output: process.stdout,
+  });
+
+  const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+
+
+  console.log('');
+
+  for (const repo of issues) {
+    const age = repo.daysSinceLastSeen !== null ? `last seen ${repo.daysSinceLastSeen} days ago` : 'never seen';
+    const statsStr = `${repo.stats.scanCount} scan${repo.stats.scanCount !== 1 ? 's' : ''}, `
+                   + `${repo.stats.reportCount} report${repo.stats.reportCount !== 1 ? 's' : ''}, `
+                   + `${formatBytes(repo.stats.totalBytes)} stored`;
+
+    console.log(BOLD + '──────────────────────────────────────────────────' + RESET);
+    console.log(BOLD + repo.name + RESET + '  ' + DIM + `(${repo.repoId.slice(0, 12)}…)` + RESET);
+    console.log(`  Status:  ${statusBadge(repo.status)}  ${DIM}${repo.detail}${RESET}`);
+    console.log(`  Path:    ${DIM}${repo.localPath || 'unknown'}${RESET}`);
+    console.log(`  History: ${DIM}${statsStr}  ·  ${age}${RESET}`);
+    if (repo.remote) {
+      console.log(`  Remote:  ${DIM}${repo.remote}${RESET}`);
+    }
+    console.log('');
+
+    let choice = '';
+    while (!['k', 'a', 'd', 's'].includes(choice)) {
+      const raw = await ask(
+        `  ${CYAN}[k]${RESET} Keep   `
+        + `${YELLOW}[a]${RESET} Archive   `
+        + `${RED}[d]${RESET} Delete   `
+        + `${DIM}[s]${RESET} Skip\n  → `
+      );
+      choice = raw.trim().toLowerCase();
+    }
+
+    console.log('');
+
+    if (choice === 'k') {
+      console.log(`  ${DIM}Kept — no changes made.${RESET}\n`);
+
+    } else if (choice === 'a') {
+      try {
+        const archivePath = archiveRepo(repo.repoId);
+        console.log(`  ✓ Archived to: ${archivePath}\n`);
+      } catch (err) {
+        console.log(`  ✗ Archive failed: ${err.message}\n`);
+      }
+
+    } else if (choice === 'd') {
+      // Extra confirmation if there is scan history
+      let confirmed = true;
+      if (repo.stats.scanCount > 0) {
+        const confirm = await ask(
+          `  ${RED}Warning:${RESET} This repo has ${repo.stats.scanCount} scan(s) in history.\n`
+          + `  Type the repo name to confirm deletion: `
+        );
+        confirmed = confirm.trim() === repo.name;
+        if (!confirmed) {
+          console.log(`  ${DIM}Name did not match — skipping deletion.${RESET}\n`);
+        }
+      }
+      if (confirmed) {
+        deleteRepo(repo.repoId);
+        console.log(`  ✓ Deleted store entry for ${repo.name}\n`);
+      }
+
+    } else {
+      console.log(`  ${DIM}Skipped.${RESET}\n`);
+    }
+  }
+
+  rl.close();
+}
+
+// ── Rendering ──────────────────────────────────────────────────────────────
+
+const STATUS_ICON = {
+  OK:      GREEN + '✓' + RESET,
+  MISSING: YELLOW + '⚠' + RESET,
+  STALE:   RED + '✗' + RESET,
+  ORPHAN:  RED + '✗' + RESET,
+};
+
+function statusBadge(status) {
+  const colors = {
+    OK:      GREEN,
+    MISSING: YELLOW,
+    STALE:   RED,
+    ORPHAN:  RED,
+  };
+  return (colors[status] || '') + status + RESET;
+}
+
+function renderResults(results, { verbose } = {}) {
+
+  const issues  = results.filter(r => r.status !== STATUS.OK);
+  const ok      = results.filter(r => r.status === STATUS.OK);
+
+  console.log('');
+
+  for (const repo of results) {
+    const icon = STATUS_ICON[repo.status] || '?';
+    const age  = repo.daysSinceLastSeen !== null
+      ? DIM + `  (last seen ${repo.daysSinceLastSeen}d ago)` + RESET
+      : '';
+
+    const pathStr = repo.localPath
+      ? DIM + '  ' + repo.localPath + RESET
+      : DIM + '  (no path)' + RESET;
+
+    console.log(
+      `  ${icon}  ${BOLD}${repo.name.padEnd(24)}${RESET}`
+      + statusBadge(repo.status).padEnd(18)
+      + pathStr
+      + age
+    );
+
+    if (verbose && repo.status !== STATUS.OK) {
+      console.log(`     ${DIM}↳ ${repo.detail}${RESET}`);
+    }
+  }
+
+  console.log('');
+  console.log(
+    `  ${DIM}${ok.length}/${results.length} repos OK`
+    + (issues.length > 0 ? `  ·  ${issues.length} issue${issues.length !== 1 ? 's' : ''} found` : '')
+    + RESET
+  );
+  console.log('');
+
+  if (issues.length > 0) {
+    console.log(
+      `  ${DIM}Run ${RESET}sc store --verify --clean${DIM} to review cleanup options.${RESET}`
+    );
+    console.log('');
+  }
+}
+
+module.exports = {
+  verifyAll,
+  verifyRepo,
+  promptClean,
+  renderResults,
+  deleteRepo,
+  archiveRepo,
+  formatBytes,
+  STATUS,
+};

package/lib/store.js

@@ -0,0 +1,310 @@
+/**
+ * store.js
+ * Central path management for the Secure Code by Design global store.
+ *
+ * All per-repo data lives in ~/.scd/repos/{repoId}/
+ * Nothing is ever written inside the user's git repository.
+ *
+ * repoId = first 16 chars of SHA-256( git remote origin URL )
+ *          Falls back to SHA-256( absolute repo root path ) if no remote.
+ *          This makes the ID stable across re-clones of the same repo.
+ *
+ * Directory layout:
+ *   ~/.scd/
+ *   ├── config                  ← global settings (API key etc.)
+ *   └── repos/
+ *       └── {repoId}/
+ *           ├── meta.json       ← human-readable: remote URL, last seen path, name
+ *           ├── config.yml      ← per-repo security config (exceptions, rules)
+ *           ├── audit.log       ← full findings history (JSONL)
+ *           ├── audit-summary.log ← anonymised statistics (JSONL)
+ *           ├── last-scan.json  ← symlink to latest scan (backwards compat)
+ *           ├── scans/             ← one JSON per scan, never overwritten
+ *           └── reports/           ← generated reports (html, md, json)
+ *
+ * If no git remote exists, repoId is based on absolute path.
+ * meta.json records type: "remote" | "path-based" so scd list can flag instability.
+ */
+
+'use strict';
+
+const fs     = require('fs');
+const path   = require('path');
+const os     = require('os');
+const crypto = require('crypto');
+
+const GLOBAL_DIR  = path.join(os.homedir(), '.scd');
+const REPOS_DIR   = path.join(GLOBAL_DIR, 'repos');
+
+// ── Repo identification ────────────────────────────────────────────────────
+
+/**
+ * Derive a stable repo ID from git remote origin URL.
+ * Falls back to absolute path if no remote is configured.
+ */
+function getRepoIdentity(repoRoot) {
+  try {
+    const { execSync } = require('child_process');
+    // Check it's a git repo first
+    execSync('git rev-parse --git-dir', {
+      cwd: repoRoot, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    const remote = execSync('git remote get-url origin', {
+      cwd: repoRoot, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    return { identifier: remote, type: 'remote' };
+  } catch {
+    // Not a git repo, or no remote – fall back to absolute path
+    return { identifier: path.resolve(repoRoot), type: 'path-based' };
+  }
+}
+
+function getRepoId(repoRoot) {
+  const { identifier } = getRepoIdentity(repoRoot);
+  return crypto.createHash('sha256').update(identifier).digest('hex').slice(0, 16);
+}
+
+// ── Directory helpers ──────────────────────────────────────────────────────
+
+function getRepoStoreDir(repoRoot) {
+  const id  = getRepoId(repoRoot);
+  const dir = path.join(REPOS_DIR, id);
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  return dir;
+}
+
+function getFilePath(repoRoot, filename) {
+  return path.join(getRepoStoreDir(repoRoot), filename);
+}
+
+/**
+ * Returns true if this repo has been registered in the store (has a meta.json).
+ * Unlike getRepoStoreDir(), this never creates any directories.
+ */
+function isRepoKnown(repoRoot) {
+  const { identifier } = getRepoIdentity(repoRoot);
+  const id      = crypto.createHash('sha256').update(identifier).digest('hex').slice(0, 16);
+  const metaPath = path.join(REPOS_DIR, id, 'meta.json');
+  return fs.existsSync(metaPath);
+}
+
+// ── Meta (human-readable index of what repo each ID belongs to) ───────────
+
+function updateMeta(repoRoot, scanData = null) {
+  const dir      = getRepoStoreDir(repoRoot);
+  const metaPath = path.join(dir, 'meta.json');
+  const identity = getRepoIdentity(repoRoot);
+
+  // Preserve existing meta fields (e.g. lastScan) if file exists
+  let existing = {};
+  try { existing = JSON.parse(fs.readFileSync(metaPath, 'utf8')); } catch {}
+
+  const meta = {
+    ...existing,
+    repoId:    path.basename(dir),
+    type:      identity.type,                    // 'remote' | 'path-based'
+    remote:    identity.type === 'remote' ? identity.identifier : null,
+    localPath: path.resolve(repoRoot),
+    name:      path.basename(path.resolve(repoRoot)),
+    lastSeen:  new Date().toISOString(),
+    // Preserve removed flag if set — cleared on re-init
+    removed:   existing.removed || false,
+    removedAt: existing.removedAt || null,
+  };
+
+  // Re-init clears the removed flag
+  if (!scanData) {
+    meta.removed   = false;
+    meta.removedAt = null;
+  }
+
+  if (scanData) {
+    meta.lastScan         = new Date().toISOString();
+    meta.lastScanFindings = scanData.findingCount  ?? null;
+    meta.lastScanCritical = scanData.criticalCount ?? null;
+  }
+
+  fs.writeFileSync(metaPath, JSON.stringify(meta, null, 2), 'utf8');
+  return meta;
+}
+
+// ── Public path accessors ──────────────────────────────────────────────────
+
+const FILES = {
+  CONFIG:        'config.yml',
+  SCOPE:         'scope.yml',
+  SCOPE_SERVER:  'scope-server.yml',
+  AUDIT:         'audit.log',
+  AUDIT_SUMMARY: 'audit-summary.log',
+  SCAN_CACHE:    'last-scan.json',
+};
+
+function configPath(repoRoot)       { return getFilePath(repoRoot, FILES.CONFIG);        }
+function auditPath(repoRoot)        { return getFilePath(repoRoot, FILES.AUDIT);         }
+function auditSummaryPath(repoRoot) { return getFilePath(repoRoot, FILES.AUDIT_SUMMARY); }
+function scanCachePath(repoRoot)    { return getFilePath(repoRoot, FILES.SCAN_CACHE);    }
+function scopePath(repoRoot)        { return getFilePath(repoRoot, FILES.SCOPE);          }
+function serverScopePath(repoRoot)  { return getFilePath(repoRoot, FILES.SCOPE_SERVER);   }
+function globalScopePath()          { return path.join(GLOBAL_DIR, FILES.SCOPE);          }
+function storeDir(repoRoot)         { return getRepoStoreDir(repoRoot);                  }
+
+function reportsDir(repoRoot) {
+  const dir = path.join(getRepoStoreDir(repoRoot), 'reports');
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  return dir;
+}
+
+function reportPath(repoRoot, filename) {
+  return path.join(reportsDir(repoRoot), filename);
+}
+
+function scansDir(repoRoot) {
+  const dir = path.join(getRepoStoreDir(repoRoot), 'scans');
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  return dir;
+}
+
+function scanPath(repoRoot, scanId) {
+  return path.join(scansDir(repoRoot), scanId + '.json');
+}
+
+function exportsDir(repoRoot) {
+  const dir = path.join(getRepoStoreDir(repoRoot), 'exports');
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  return dir;
+}
+
+function exportPath(repoRoot, filename) {
+  return path.join(exportsDir(repoRoot), filename);
+}
+
+/**
+ * List all saved scans for a repo, newest first.
+ */
+function listScans(repoRoot) {
+  const dir = scansDir(repoRoot);
+  if (!fs.existsSync(dir)) return [];
+  return fs.readdirSync(dir)
+    .filter(f => f.endsWith('.json'))
+    .map(f => {
+      const full = path.join(dir, f);
+      const stat = fs.statSync(full);
+      const scanId = f.replace('.json', '');
+      let meta = { scanId, scanDate: null, totalFiles: 0, hasDeep: false, findingCount: 0 };
+      try {
+        const d = JSON.parse(fs.readFileSync(full, 'utf8'));
+        meta = {
+          scanId,
+          scanDate:    d.scanDate    || null,
+          totalFiles:  d.totalFiles  || 0,
+          findingCount: (d.findings  || []).length,
+          hasDeep:     !!(d.deepResults && d.deepResults.length > 0),
+          size:        stat.size,
+        };
+      } catch {}
+      return meta;
+    })
+    .sort((a, b) => (b.scanDate || '').localeCompare(a.scanDate || ''));
+}
+
+function listReports(repoRoot) {
+  const dir = path.join(getRepoStoreDir(repoRoot), 'reports');
+  if (!fs.existsSync(dir)) return [];
+  return fs.readdirSync(dir)
+    .filter(f => /\.(html|md|json)$/.test(f))
+    .map(f => {
+      const full = path.join(dir, f);
+      const stat = fs.statSync(full);
+      return { filename: f, path: full, size: stat.size, mtime: stat.mtime.toISOString() };
+    })
+    .sort((a, b) => b.mtime.localeCompare(a.mtime));
+}
+
+/**
+ * List all known repos in the global store.
+ * Used by scd doctor and future scd export.
+ */
+function listRepos() {
+  if (!fs.existsSync(REPOS_DIR)) return [];
+  return fs.readdirSync(REPOS_DIR)
+    .filter(id => {
+      // Only process directories – ignore .DS_Store and other stray files
+      try { return fs.statSync(path.join(REPOS_DIR, id)).isDirectory(); }
+      catch { return false; }
+    })
+    .map(id => {
+      const metaFile = path.join(REPOS_DIR, id, 'meta.json');
+      try {
+        return JSON.parse(fs.readFileSync(metaFile, 'utf8'));
+      } catch {
+        return { repoId: id, remote: null, localPath: null, name: id };
+      }
+    });
+}
+
+function updateLastSynced(repoRoot, handledIds = []) {
+  const metaPath = path.join(getRepoStoreDir(repoRoot), 'meta.json');
+  let existing = {};
+  try { existing = JSON.parse(fs.readFileSync(metaPath, 'utf8')); } catch {}
+  existing.lastSynced = new Date().toISOString();
+  // Accumulate handled IDs so getSyncNotice can exclude them
+  const prev = Array.isArray(existing.handledExceptionIds) ? existing.handledExceptionIds : [];
+  existing.handledExceptionIds = [...new Set([...prev, ...handledIds])];
+  fs.writeFileSync(metaPath, JSON.stringify(existing, null, 2), 'utf8');
+}
+
+function readMeta(repoRoot) {
+  const metaPath = path.join(getRepoStoreDir(repoRoot), 'meta.json');
+  try { return JSON.parse(fs.readFileSync(metaPath, 'utf8')); } catch { return {}; }
+}
+
+
+// ── Machine fingerprint ────────────────────────────────────────────────────
+// Stable installation identity derived from hardware characteristics.
+// Mirrors the logic in scd-server/lib/auth.js getMachineFingerprint()
+// so the server can correlate CLI events with its own fingerprint records.
+// Also used as added_by identifier in scope.yml exclusion entries.
+
+function getMachineFingerprint() {
+  try {
+    const hostname = os.hostname();
+    const platform = os.platform();
+    const cpus     = os.cpus();
+    const cpuModel = cpus.length > 0 ? cpus[0].model : 'unknown';
+    const cpuCount = String(cpus.length);
+    const raw = `${hostname}|${platform}|${cpuModel}|${cpuCount}`;
+    return 'fp-' + crypto.createHash('sha256').update(raw).digest('hex').slice(0, 32);
+  } catch {
+    return 'fp-unknown';
+  }
+}
+
+module.exports = {
+  getRepoId,
+  getRepoIdentity,
+  isRepoKnown,
+  getMachineFingerprint,
+  updateMeta,
+  updateLastSynced,
+  readMeta,
+  configPath,
+  auditPath,
+  auditSummaryPath,
+  scanCachePath,
+  scopePath,
+  serverScopePath,
+  globalScopePath,
+  storeDir,
+  scansDir,
+  scanPath,
+  listScans,
+  reportsDir,
+  reportPath,
+  listReports,
+  exportsDir,
+  exportPath,
+  listRepos,
+  GLOBAL_DIR,
+  REPOS_DIR,
+  FILES,
+};