@bouncesecurity/aghast 0.5.0 → 0.6.1

package/dist/scan-history.js

@@ -0,0 +1,127 @@
+/**
+ * Scan history: persisted record of completed scans for cost dashboards
+ * and budget controls.
+ *
+ * Storage: `~/.aghast/history.json` by default (one file per user). When the
+ * home directory cannot be resolved, falls back to project-local
+ * `.aghast-history.json`. The path can be overridden in tests via the
+ * `AGHAST_HISTORY_FILE` env var or by passing `historyFile` to the helpers.
+ *
+ * Format: a single JSON document `{ "records": [...] }`. We keep this simple
+ * (no SQLite) so the file is human-readable and can be edited / pruned by
+ * hand. Corrupt files are logged and rebuilt to avoid blocking scans on a
+ * malformed history file.
+ */
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { resolve, dirname } from 'node:path';
+import { logProgress } from './logging.js';
+const TAG = 'scan-history';
+const DEFAULT_FILENAME = 'history.json';
+const FALLBACK_FILENAME = '.aghast-history.json';
+const SCHEMA_VERSION = 1;
+/**
+ * Resolve the history file path.
+ *
+ * Precedence:
+ *   1. explicit `historyFile` argument
+ *   2. AGHAST_HISTORY_FILE env var
+ *   3. ~/.aghast/history.json when homedir is available
+ *   4. project-local `.aghast-history.json`
+ */
+export function resolveHistoryFilePath(historyFile) {
+    if (historyFile)
+        return resolve(historyFile);
+    const envOverride = process.env.AGHAST_HISTORY_FILE;
+    if (envOverride && envOverride.length > 0)
+        return resolve(envOverride);
+    let home;
+    try {
+        home = homedir();
+    }
+    catch {
+        home = undefined;
+    }
+    if (home && home.length > 0) {
+        return resolve(home, '.aghast', DEFAULT_FILENAME);
+    }
+    return resolve(process.cwd(), FALLBACK_FILENAME);
+}
+async function readHistoryFile(path) {
+    let content;
+    try {
+        content = await readFile(path, 'utf-8');
+    }
+    catch (err) {
+        if (err.code === 'ENOENT') {
+            return { version: SCHEMA_VERSION, records: [] };
+        }
+        throw err;
+    }
+    try {
+        const parsed = JSON.parse(content);
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            throw new Error('not an object');
+        }
+        const obj = parsed;
+        const records = Array.isArray(obj.records) ? obj.records : [];
+        const version = typeof obj.version === 'number' ? obj.version : SCHEMA_VERSION;
+        return { version, records };
+    }
+    catch (err) {
+        // Corrupt history: log and rebuild, never block a scan.
+        logProgress(TAG, `History file at ${path} is corrupt (${err instanceof Error ? err.message : String(err)}); rebuilding.`);
+        return { version: SCHEMA_VERSION, records: [] };
+    }
+}
+async function writeHistoryFile(path, file) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, JSON.stringify(file, null, 2) + '\n', 'utf-8');
+}
+/**
+ * Append a record to the scan history, deduplicating by scanId.
+ * If a record with the same scanId already exists, it is replaced.
+ */
+export async function saveScanRecord(record, options = {}) {
+    const path = resolveHistoryFilePath(options.historyFile);
+    const file = await readHistoryFile(path);
+    const existingIdx = file.records.findIndex((r) => r.scanId === record.scanId);
+    if (existingIdx >= 0) {
+        file.records[existingIdx] = record;
+    }
+    else {
+        file.records.push(record);
+    }
+    await writeHistoryFile(path, file);
+}
+/**
+ * Load all scan records, applying optional filters.
+ * Records are returned newest-first (descending startedAt).
+ */
+export async function queryScanHistory(filters = {}, options = {}) {
+    const path = resolveHistoryFilePath(options.historyFile);
+    const file = await readHistoryFile(path);
+    let out = file.records.slice();
+    if (filters.repository) {
+        const needle = filters.repository;
+        out = out.filter((r) => r.repository === needle ||
+            r.repositoryUrl === needle ||
+            r.repository.includes(needle) ||
+            (r.repositoryUrl ?? '').includes(needle));
+    }
+    if (filters.model) {
+        const needle = filters.model;
+        out = out.filter((r) => r.models.some((m) => m.includes(needle)));
+    }
+    if (filters.since) {
+        const since = filters.since;
+        out = out.filter((r) => r.startedAt >= since);
+    }
+    if (filters.until) {
+        const until = filters.until;
+        out = out.filter((r) => r.startedAt <= until);
+    }
+    out.sort((a, b) => (a.startedAt < b.startedAt ? 1 : a.startedAt > b.startedAt ? -1 : 0));
+    return out;
+}
+//# sourceMappingURL=scan-history.js.map

package/dist/scan-history.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-history.js","sourceRoot":"","sources":["../src/scan-history.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAG3C,MAAM,GAAG,GAAG,cAAc,CAAC;AAC3B,MAAM,gBAAgB,GAAG,cAAc,CAAC;AACxC,MAAM,iBAAiB,GAAG,sBAAsB,CAAC;AACjD,MAAM,cAAc,GAAG,CAAC,CAAC;AAmDzB;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CAAC,WAAoB;IACzD,IAAI,WAAW;QAAE,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACpD,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,IAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,IAAI,GAAG,OAAO,EAAE,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,OAAO,CAAC,IAAI,EAAE,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,iBAAiB,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAClD,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;QAC9C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QACD,MAAM,GAAG,GAAG,MAAiC,CAAC;QAC9C,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,OAAwB,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC;QAC/E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,wDAAwD;QACxD,WAAW,CAAC,GAAG,EAAE,mBAAmB,IAAI,gBAAgB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC1H,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAClD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,IAAY,EAAE,IAAiB;IAC7D,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AACvE,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAkB,EAAE,UAAoC,EAAE;IAC7F,MAAM,IAAI,GAAG,sBAAsB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC;IAC9E,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,MAAM,CAAC;IACrC,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAA0B,EAAE,EAC5B,UAAoC,EAAE;IAEtC,MAAM,IAAI,GAAG,sBAAsB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IAE/B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;QAClC,GAAG,GAAG,GAAG,CAAC,MAAM,CACd,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,UAAU,KAAK,MAAM;YACvB,CAAC,CAAC,aAAa,KAAK,MAAM;YAC1B,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC7B,CAAC,CAAC,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAC7B,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC5B,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC5B,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/scan-runner.d.ts

@@ -3,7 +3,19 @@
  * Runs security checks against a repository and produces ScanResults.
  * Implements the core workflow from spec Section 2.2.
  */
-import { type AgentProvider, type RepositoryInfo, type CheckDetails, type SecurityCheck, type ScanResults } from './types.js';
+import { type AgentProvider, type RepositoryInfo, type CheckDetails, type SecurityCheck, type ScanResults, type TokenUsage } from './types.js';
+import { type PricingConfig, type CostBreakdown } from './cost-calculator.js';
+import { type BudgetLimits } from './budget.js';
+import type { ScanRecord } from './scan-history.js';
+/**
+ * Sum multiple TokenUsage values into one aggregate.
+ * Returns undefined if no inputs have token usage.
+ *
+ * reportedCost is aggregated only when every contributing call has it — a
+ * single missing cost means we cannot produce an accurate total, so we fall
+ * back to undefined (which triggers rate-based estimation later).
+ */
+export declare function sumTokenUsage(usages: (TokenUsage | undefined)[]): TokenUsage | undefined;
 export interface MultiScanOptions {
     repositoryPath: string;
     checks: Array<{
@@ -17,13 +29,64 @@ export interface MultiScanOptions {
     repositoryInfo?: RepositoryInfo;
     configDir?: string;
     genericPrompt?: string;
+    /** Pricing config for cost calculations. */
+    pricing?: PricingConfig;
+    /** Optional budget limits enforced before each AI call. */
+    budgetLimits?: BudgetLimits;
+    /** Pre-loaded scan history (for period budget checks). */
+    scanHistory?: ScanRecord[];
+    /** true when AGHAST_LOCAL_CLAUDE=true — triggers budget warning if limits are also set */
+    isLocalClaude?: boolean;
+}
+/**
+ * Tracks accumulated tokens/cost across a scan so the budget can be evaluated
+ * before each AI call. Mutated in place by AI invocations.
+ */
+export interface ScanCostTracker {
+    pricing?: PricingConfig;
+    budgetLimits?: BudgetLimits;
+    scanHistory?: ScanRecord[];
+    totalTokens: number;
+    totalCostUsd: number;
+    /** Cost source from the last recorded AI call. Used for banner labelling. */
+    lastCostSource?: CostBreakdown['source'];
+    lastCostReportedBy?: CostBreakdown['reportedBy'];
+    lastCostCoveredBySubscription?: boolean;
+    /** Set true after the first warn so we don't log it repeatedly. */
+    warned: boolean;
+    /** Most recent budget action returned to the runner. */
+    lastAction: 'continue' | 'warn' | 'abort';
+    /** Reason from the most recent non-continue check. */
+    lastReason?: string;
 }
 /**
  * Generate a scanId in the format: scan-<timestamp>-<hash>
  */
 export declare function generateScanId(): string;
+/** Aggregated ScanResults plus computed cost summary. */
+export interface MultiScanOutcome {
+    results: ScanResults;
+    totalCostUsd: number;
+    currency: string;
+    models: string[];
+    /** How the cost was determined (for banner/stats labelling). */
+    costSource?: CostBreakdown['source'];
+    /** Which provider reported the cost when costSource === 'reported'. */
+    costReportedBy?: CostBreakdown['reportedBy'];
+    /** true when AGHAST_LOCAL_CLAUDE=true — amount is API-equivalent, not billed */
+    costCoveredBySubscription?: boolean;
+    /** True when the scan was halted by a budget abort. */
+    budgetAborted?: boolean;
+    /** Reason from the budget abort, when budgetAborted is true. */
+    budgetAbortReason?: string;
+}
 /**
  * Run multiple security checks and return aggregated ScanResults.
  */
 export declare function runMultiScan(options: MultiScanOptions): Promise<ScanResults>;
+/**
+ * Same as runMultiScan but also returns the computed cost summary.
+ * Used by the CLI to record scan history.
+ */
+export declare function runMultiScanWithCost(options: MultiScanOptions): Promise<MultiScanOutcome>;
 //# sourceMappingURL=scan-runner.d.ts.map

package/dist/scan-runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scan-runner.d.ts","sourceRoot":"","sources":["../src/scan-runner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,OAAO,EAGL,KAAK,aAAa,EAClB,KAAK,cAAc,EAInB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,WAAW,EAGjB,MAAM,YAAY,CAAC;AAwFpB,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,aAAa,CAAC;QAAC,OAAO,EAAE,YAAY,CAAA;KAAE,CAAC,CAAC;IAC/D,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAKvC;AAylBD;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,WAAW,CAAC,CA6HlF"}
+{"version":3,"file":"scan-runner.d.ts","sourceRoot":"","sources":["../src/scan-runner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,OAAO,EAGL,KAAK,aAAa,EAClB,KAAK,cAAc,EAInB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,WAAW,EAEhB,KAAK,UAAU,EAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAiB,KAAK,aAAa,EAAE,KAAK,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC7F,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAcpD;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,CAAC,UAAU,GAAG,SAAS,CAAC,EAAE,GAAG,UAAU,GAAG,SAAS,CA0BxF;AAiED,MAAM,WAAW,gBAAgB;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,aAAa,CAAC;QAAC,OAAO,EAAE,YAAY,CAAA;KAAE,CAAC,CAAC;IAC/D,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4CAA4C;IAC5C,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,2DAA2D;IAC3D,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,0DAA0D;IAC1D,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,0FAA0F;IAC1F,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,kBAAkB,CAAC,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACjD,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,mEAAmE;IACnE,MAAM,EAAE,OAAO,CAAC;IAChB,wDAAwD;IACxD,UAAU,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC;IAC1C,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AA0DD;;GAEG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAKvC;AAwnBD,yDAAyD;AACzD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,WAAW,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACrC,uEAAuE;IACvE,cAAc,CAAC,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IAC7C,gFAAgF;IAChF,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,uDAAuD;IACvD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,WAAW,CAAC,CAGlF;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsL/F"}

package/dist/scan-runner.js

@@ -11,7 +11,7 @@ import { buildPrompt } from './prompt-template.js';
 import { parseAgentResponse } from './response-parser.js';
 import { extractSnippet } from './snippet-extractor.js';
 import { analyzeRepository } from './repository-analyzer.js';
-import { logProgress, logDebug, createTimer } from './logging.js';
+import { logProgress, logDebug, logWarn, createTimer } from './logging.js';
 import { CHECK_TYPE } from './check-types.js';
 import { getDiscovery, registerDiscovery } from './discovery.js';
 import { DEFAULT_PROVIDER_NAME } from './provider-registry.js';
@@ -19,9 +19,14 @@ import { semgrepDiscovery } from './discoveries/semgrep-discovery.js';
 import { openantDiscovery } from './discoveries/openant-discovery.js';
 import { sarifDiscovery } from './discoveries/sarif-discovery.js';
 import { DEFAULT_MODEL, FatalProviderError, } from './types.js';
+import { calculateCost } from './cost-calculator.js';
+import { checkBudget, BudgetExceededError } from './budget.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const TAG = 'scan';
 const DEFAULT_CONCURRENCY = 5;
+// Per-target AI call timeout. Without this, a single hung provider request stalls
+// the worker indefinitely; with concurrency=N hangs, the entire check freezes.
+const DEFAULT_TARGET_TIMEOUT_MS = 5 * 60 * 1000;
 // --- Register built-in discovery implementations ---
 registerDiscovery(semgrepDiscovery);
 registerDiscovery(openantDiscovery);
@@ -29,15 +34,34 @@ registerDiscovery(sarifDiscovery);
 /**
  * Sum multiple TokenUsage values into one aggregate.
  * Returns undefined if no inputs have token usage.
+ *
+ * reportedCost is aggregated only when every contributing call has it — a
+ * single missing cost means we cannot produce an accurate total, so we fall
+ * back to undefined (which triggers rate-based estimation later).
  */
-function sumTokenUsage(usages) {
+export function sumTokenUsage(usages) {
     const defined = usages.filter((u) => u !== undefined);
     if (defined.length === 0)
         return undefined;
+    // Optional fields: sum when at least one is present; preserve undefined when all absent.
+    const sumOptional = (getter) => {
+        const values = defined.map(getter).filter((v) => v !== undefined);
+        return values.length > 0 ? values.reduce((a, b) => a + b, 0) : undefined;
+    };
+    // reportedCost: only aggregate when every item has it (uniform provider, single source).
+    let reportedCost;
+    if (defined.every((u) => u.reportedCost !== undefined)) {
+        const total = defined.reduce((sum, u) => sum + u.reportedCost.amountUsd, 0);
+        reportedCost = { amountUsd: total, source: defined[0].reportedCost.source };
+    }
     return {
         inputTokens: defined.reduce((sum, u) => sum + u.inputTokens, 0),
         outputTokens: defined.reduce((sum, u) => sum + u.outputTokens, 0),
+        cacheCreationInputTokens: sumOptional((u) => u.cacheCreationInputTokens),
+        cacheReadInputTokens: sumOptional((u) => u.cacheReadInputTokens),
+        reasoningTokens: sumOptional((u) => u.reasoningTokens),
         totalTokens: defined.reduce((sum, u) => sum + u.totalTokens, 0),
+        ...(reportedCost !== undefined ? { reportedCost } : {}),
     };
 }
 /**
@@ -88,6 +112,54 @@ async function mapWithConcurrency(items, concurrency, fn, abortHandle) {
     }
     return results;
 }
+function createCostTracker(options) {
+    return {
+        pricing: options.pricing,
+        budgetLimits: options.budgetLimits,
+        scanHistory: options.scanHistory,
+        totalTokens: 0,
+        totalCostUsd: 0,
+        warned: false,
+        lastAction: 'continue',
+    };
+}
+/**
+ * Record an AI call's token usage against the tracker. Called after each
+ * successful executeCheck().
+ */
+function recordUsage(tracker, usage, model) {
+    if (!usage || !tracker.pricing)
+        return;
+    const cost = calculateCost(usage, model, tracker.pricing);
+    tracker.totalTokens += usage.totalTokens;
+    tracker.totalCostUsd += cost.totalCost;
+    tracker.lastCostSource = cost.source;
+    tracker.lastCostReportedBy = cost.reportedBy;
+    tracker.lastCostCoveredBySubscription = cost.coveredBySubscription;
+}
+/**
+ * Check the budget before an AI call. Logs a warning the first time the warn
+ * threshold is crossed; throws BudgetExceededError when the abort threshold is
+ * crossed.
+ */
+function preflightBudget(tracker) {
+    if (!tracker.budgetLimits)
+        return;
+    const status = checkBudget({
+        currentScanCostUsd: tracker.totalCostUsd,
+        currentScanTokens: tracker.totalTokens,
+        history: tracker.scanHistory,
+    }, tracker.budgetLimits);
+    tracker.lastAction = status.action;
+    tracker.lastReason = status.reason;
+    if (status.action === 'abort') {
+        throw new BudgetExceededError(status.reason ?? 'Budget limit exceeded');
+    }
+    if (status.action === 'warn' && !tracker.warned) {
+        tracker.warned = true;
+        logProgress(TAG, `Budget warning: ${status.reason ?? 'approaching limit'}`);
+    }
+}
 /**
  * Generate a scanId in the format: scan-<timestamp>-<hash>
  */
@@ -223,14 +295,14 @@ async function mapTargetToIssue(target, checkId, checkName, repositoryPath, chec
  * Execute a single check against a repository.
  * Routes to the appropriate execution path based on check type.
  */
-async function executeSingleCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, checkMetadata, concurrency, configDir, genericPrompt) {
+async function executeSingleCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, costTracker, checkMetadata, concurrency, configDir, genericPrompt) {
     const checkId = check.id;
     // Route to targeted execution (discovery + AI analysis)
     if (check.checkTarget?.type === CHECK_TYPE.TARGETED) {
         if (!agentProvider) {
             throw new Error(`Check "${checkId}" requires an agent provider but none was configured`);
         }
-        return executeTargetedCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, checkMetadata, concurrency, configDir, genericPrompt);
+        return executeTargetedCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, costTracker, checkMetadata, concurrency, configDir, genericPrompt);
     }
     // Route to static execution (discovery + direct mapping, no AI)
     if (check.checkTarget?.type === CHECK_TYPE.STATIC) {
@@ -247,7 +319,10 @@ async function executeSingleCheck(check, checkName, checkInstructions, repositor
     let summary;
     const checkTimer = createTimer();
     try {
+        preflightBudget(costTracker);
         const agentResponse = await agentProvider.executeCheck(prompt, repositoryPath);
+        const model = agentProvider.getModelName?.() ?? DEFAULT_MODEL;
+        recordUsage(costTracker, agentResponse.tokenUsage, model);
         const executionTime = checkTimer.elapsed();
         logDebug(TAG, `Agent response: ${agentResponse.raw.length} chars`);
         const parsed = agentResponse.parsed ?? parseAgentResponse(agentResponse.raw);
@@ -300,8 +375,8 @@ async function executeSingleCheck(check, checkName, checkInstructions, repositor
         }
     }
     catch (err) {
-        // Fatal errors must propagate up to abort the entire scan
-        if (err instanceof FatalProviderError) {
+        // Fatal errors and budget aborts must propagate up to stop the scan
+        if (err instanceof FatalProviderError || err instanceof BudgetExceededError) {
             throw err;
         }
         const executionTime = checkTimer.elapsed();
@@ -323,7 +398,7 @@ async function executeSingleCheck(check, checkName, checkInstructions, repositor
  * The execution pipeline is generic — all discovery-specific behavior is
  * encapsulated in the DiscoveredTarget data from the discovery implementation.
  */
-async function executeTargetedCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, checkMetadata, optionsConcurrency, configDir, genericPromptOverride) {
+async function executeTargetedCheck(check, checkName, checkInstructions, repositoryPath, agentProvider, costTracker, checkMetadata, optionsConcurrency, configDir, genericPromptOverride) {
     const checkId = check.id;
     const checkTarget = check.checkTarget;
     const discoveryName = checkTarget.discovery;
@@ -387,9 +462,31 @@ async function executeTargetedCheck(check, checkName, checkInstructions, reposit
             targetResults = await mapWithConcurrency(targets, effectiveConcurrency, async (target, _idx) => {
                 inProgressCount++;
                 try {
+                    try {
+                        preflightBudget(costTracker);
+                    }
+                    catch (budgetErr) {
+                        if (budgetErr instanceof BudgetExceededError) {
+                            abortHandle.aborted = true;
+                            abortHandle.reason = budgetErr;
+                            throw budgetErr;
+                        }
+                        throw budgetErr;
+                    }
                     const prompt = basePrompt + (target.promptEnrichment ?? '');
                     logDebug(TAG, `${target.label} Analyzing: ${target.file}:${target.startLine}-${target.endLine}`);
-                    const agentResponse = await agentProvider.executeCheck(prompt, repositoryPath, target.label, target.agentOptions);
+                    let timeoutHandle;
+                    const agentResponse = await Promise.race([
+                        agentProvider.executeCheck(prompt, repositoryPath, target.label, target.agentOptions),
+                        new Promise((_, reject) => {
+                            timeoutHandle = setTimeout(() => reject(new Error(`Agent provider timed out after ${DEFAULT_TARGET_TIMEOUT_MS / 1000}s on target ${target.label}`)), DEFAULT_TARGET_TIMEOUT_MS);
+                        }),
+                    ]).finally(() => {
+                        if (timeoutHandle)
+                            clearTimeout(timeoutHandle);
+                    });
+                    const model = agentProvider.getModelName?.() ?? DEFAULT_MODEL;
+                    recordUsage(costTracker, agentResponse.tokenUsage, model);
                     const parsed = agentResponse.parsed ?? parseAgentResponse(agentResponse.raw);
                     if (!parsed) {
                         logDebug(TAG, `${target.label} Returned malformed response`);
@@ -409,8 +506,8 @@ async function executeTargetedCheck(check, checkName, checkInstructions, reposit
                     return { issues, error: false, flagged: parsed.flagged === true, tokenUsage: agentResponse.tokenUsage };
                 }
                 catch (err) {
-                    // Fatal errors: signal abort and re-throw to stop other workers
-                    if (err instanceof FatalProviderError) {
+                    // Fatal errors and budget aborts: signal abort and re-throw to stop other workers
+                    if (err instanceof FatalProviderError || err instanceof BudgetExceededError) {
                         abortHandle.aborted = true;
                         abortHandle.reason = err;
                         throw err;
@@ -472,8 +569,8 @@ async function executeTargetedCheck(check, checkName, checkInstructions, reposit
         };
     }
     catch (err) {
-        // Fatal errors must propagate up to abort the entire scan
-        if (err instanceof FatalProviderError) {
+        // Fatal errors and budget aborts must propagate up to stop the scan
+        if (err instanceof FatalProviderError || err instanceof BudgetExceededError) {
             throw err;
         }
         const executionTime = checkTimer.elapsed();
@@ -564,6 +661,14 @@ async function executeStaticCheck(check, checkName, repositoryPath, checkMetadat
  * Run multiple security checks and return aggregated ScanResults.
  */
 export async function runMultiScan(options) {
+    const outcome = await runMultiScanWithCost(options);
+    return outcome.results;
+}
+/**
+ * Same as runMultiScan but also returns the computed cost summary.
+ * Used by the CLI to record scan history.
+ */
+export async function runMultiScanWithCost(options) {
     const { repositoryPath, checks, agentProvider, modelName, agentProviderName, concurrency, configDir, genericPrompt } = options;
     const scanTimer = createTimer();
     const scanId = generateScanId();
@@ -571,6 +676,9 @@ export async function runMultiScan(options) {
     const version = await getVersion();
     logProgress(TAG, `Starting scan ${scanId} (${checks.length} ${checks.length === 1 ? 'check' : 'checks'})`);
     logDebug(TAG, `Repository: ${repositoryPath}`);
+    if (options.isLocalClaude && options.budgetLimits) {
+        logWarn(TAG, 'Budget limits in local-Claude mode apply to equivalent API cost, not subscription usage.');
+    }
     // Use pre-analyzed repository info if provided, otherwise analyze here
     let repositoryInfo;
     if (options.repositoryInfo) {
@@ -582,6 +690,10 @@ export async function runMultiScan(options) {
     }
     const allCheckSummaries = [];
     const allIssues = [];
+    let budgetAborted = false;
+    let budgetAbortReason;
+    // Cost / budget tracking spans all checks in the scan.
+    const costTracker = createCostTracker(options);
     // Track all models used during the scan
     const modelsUsed = new Set();
     if (modelName)
@@ -598,11 +710,38 @@ export async function runMultiScan(options) {
         if (check.model)
             modelsUsed.add(check.model);
         try {
-            const { summary: checkSummary, issues } = await executeSingleCheck(check, details.name, details.content, repositoryPath, agentProvider, checkMetadata, concurrency, configDir, genericPrompt);
+            const { summary: checkSummary, issues } = await executeSingleCheck(check, details.name, details.content, repositoryPath, agentProvider, costTracker, checkMetadata, concurrency, configDir, genericPrompt);
             allCheckSummaries.push(checkSummary);
             allIssues.push(...issues);
         }
         catch (err) {
+            if (err instanceof BudgetExceededError) {
+                budgetAborted = true;
+                budgetAbortReason = err.message;
+                logProgress(TAG, `Budget exceeded during check "${check.id}": ${err.message}`);
+                allCheckSummaries.push({
+                    checkId: check.id,
+                    checkName: details.name,
+                    status: 'ERROR',
+                    issuesFound: 0,
+                    executionTime: 0,
+                    error: `Budget exceeded: ${err.message}`,
+                });
+                for (let ri = ci + 1; ri < checks.length; ri++) {
+                    const remaining = checks[ri];
+                    logProgress(TAG, `Skipping check "${remaining.check.id}" due to budget abort`);
+                    allCheckSummaries.push({
+                        checkId: remaining.check.id,
+                        checkName: remaining.details.name,
+                        status: 'ERROR',
+                        issuesFound: 0,
+                        executionTime: 0,
+                        error: `Scan aborted: budget limit exceeded`,
+                    });
+                }
+                restoreModel(agentProvider, previousModel);
+                break;
+            }
             if (err instanceof FatalProviderError) {
                 // Record the failing check as ERROR
                 logProgress(TAG, `Fatal error during check "${check.id}": ${err.message}`);
@@ -668,6 +807,26 @@ export async function runMultiScan(options) {
             : { name: 'none', models: [] },
         tokenUsage: aggregateTokenUsage,
     };
-    return results;
+    // Attach cost metadata when pricing was provided.
+    if (options.pricing) {
+        results.metadata = {
+            ...(results.metadata ?? {}),
+            cost: {
+                totalCostUsd: costTracker.totalCostUsd,
+                currency: options.pricing.currency ?? 'USD',
+            },
+        };
+    }
+    return {
+        results,
+        totalCostUsd: costTracker.totalCostUsd,
+        currency: options.pricing?.currency ?? 'USD',
+        models: [...modelsUsed],
+        costSource: costTracker.lastCostSource,
+        costReportedBy: costTracker.lastCostReportedBy,
+        costCoveredBySubscription: costTracker.lastCostCoveredBySubscription,
+        budgetAborted,
+        budgetAbortReason,
+    };
 }
 //# sourceMappingURL=scan-runner.js.map