@build-astron-co/nimbus 0.2.0 → 0.4.0

package/dist/src/audit/compliance-checker.js

@@ -0,0 +1,419 @@
+/**
+ * Compliance Checker - Check infrastructure compliance against standard frameworks.
+ *
+ * Scans Terraform files (and other configuration) for compliance with SOC2,
+ * HIPAA, PCI-DSS, GDPR, and CIS benchmark controls. Each control is evaluated
+ * as pass, fail, warn, or skip based on the presence or absence of required
+ * Terraform configurations.
+ *
+ * Reports include per-framework pass/fail counts and an overall compliance
+ * score expressed as a percentage.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+const CONTROL_DEFINITIONS = [
+    // -------------------------------------------------------------------------
+    // SOC2 Controls
+    // -------------------------------------------------------------------------
+    {
+        id: 'SOC2-001',
+        framework: 'SOC2',
+        name: 'Logging enabled',
+        description: 'CloudTrail, CloudWatch, or equivalent logging must be configured.',
+        passPattern: /(?:aws_cloudtrail|aws_cloudwatch_log_group|google_logging_project_sink|azurerm_monitor_diagnostic_setting)/,
+    },
+    {
+        id: 'SOC2-002',
+        framework: 'SOC2',
+        name: 'Access controls defined',
+        description: 'IAM policies, roles, or access control resources must be present.',
+        passPattern: /(?:aws_iam_policy|aws_iam_role|google_project_iam|azurerm_role_assignment)/,
+    },
+    {
+        id: 'SOC2-003',
+        framework: 'SOC2',
+        name: 'Encryption at rest',
+        description: 'Storage resources must have encryption at rest enabled.',
+        passPattern: /(?:server_side_encryption_configuration|storage_encrypted\s*=\s*true|encryption_configuration|kms_key_id|customer_managed_key)/,
+    },
+    {
+        id: 'SOC2-004',
+        framework: 'SOC2',
+        name: 'Backup configuration',
+        description: 'Automated backup or snapshot policies must be configured.',
+        passPattern: /(?:backup_retention_period|aws_backup_plan|google_sql_database_instance.*backup_configuration|azurerm_backup_policy)/s,
+    },
+    {
+        id: 'SOC2-005',
+        framework: 'SOC2',
+        name: 'Network security groups',
+        description: 'Network-level access controls (security groups, NACLs, firewall rules) must be present.',
+        passPattern: /(?:aws_security_group|google_compute_firewall|azurerm_network_security_group)/,
+    },
+    // -------------------------------------------------------------------------
+    // HIPAA Controls
+    // -------------------------------------------------------------------------
+    {
+        id: 'HIPAA-001',
+        framework: 'HIPAA',
+        name: 'Encryption required',
+        description: 'All data stores must use encryption at rest and in transit.',
+        passPattern: /(?:server_side_encryption_configuration|storage_encrypted\s*=\s*true|ssl_enforcement_enabled|require_ssl)/,
+    },
+    {
+        id: 'HIPAA-002',
+        framework: 'HIPAA',
+        name: 'Audit logging',
+        description: 'Comprehensive audit logging must be enabled for all access to PHI.',
+        passPattern: /(?:aws_cloudtrail|aws_cloudwatch_log_group|google_logging|azurerm_monitor_diagnostic_setting)/,
+    },
+    {
+        id: 'HIPAA-003',
+        framework: 'HIPAA',
+        name: 'Access controls',
+        description: 'Role-based access controls must restrict access to PHI.',
+        passPattern: /(?:aws_iam_policy|aws_iam_role|google_project_iam|azurerm_role_assignment)/,
+    },
+    {
+        id: 'HIPAA-004',
+        framework: 'HIPAA',
+        name: 'PHI data handling',
+        description: 'Data classification tags or labels must identify PHI resources.',
+        passPattern: /(?:tags\s*=\s*\{[^}]*(?:phi|hipaa|sensitive|classification)[^}]*\}|labels\s*=\s*\{[^}]*(?:phi|hipaa|sensitive)[^}]*\})/is,
+    },
+    {
+        id: 'HIPAA-005',
+        framework: 'HIPAA',
+        name: 'Data backup and recovery',
+        description: 'PHI data must have backup and disaster recovery plans.',
+        passPattern: /(?:backup_retention_period|aws_backup_plan|point_in_time_recovery)/,
+    },
+    // -------------------------------------------------------------------------
+    // PCI-DSS Controls
+    // -------------------------------------------------------------------------
+    {
+        id: 'PCI-001',
+        framework: 'PCI',
+        name: 'Network segmentation',
+        description: 'Cardholder data environments must be segmented from other networks.',
+        passPattern: /(?:aws_vpc|aws_subnet|google_compute_network|google_compute_subnetwork|azurerm_virtual_network|azurerm_subnet)/,
+    },
+    {
+        id: 'PCI-002',
+        framework: 'PCI',
+        name: 'Encryption in transit',
+        description: 'All cardholder data must be encrypted during transmission.',
+        passPattern: /(?:ssl_policy|ssl_certificate|tls_policy|https_only|redirect_all_requests_to.*https|listener.*protocol\s*=\s*["']HTTPS)/s,
+    },
+    {
+        id: 'PCI-003',
+        framework: 'PCI',
+        name: 'Access logging',
+        description: 'All access to cardholder data must be logged.',
+        passPattern: /(?:access_log|logging\s*\{|enable_logging\s*=\s*true|log_analytics)/,
+    },
+    {
+        id: 'PCI-004',
+        framework: 'PCI',
+        name: 'No wildcard IAM permissions',
+        description: 'IAM policies must not use wildcard actions on cardholder data resources.',
+        failPattern: /["']Action["']\s*:\s*["']\*["']/,
+        invertFail: true,
+    },
+    {
+        id: 'PCI-005',
+        framework: 'PCI',
+        name: 'WAF or firewall configured',
+        description: 'Web application firewall or equivalent must protect public-facing applications.',
+        passPattern: /(?:aws_wafv2|aws_waf|google_compute_security_policy|azurerm_web_application_firewall_policy)/,
+    },
+    // -------------------------------------------------------------------------
+    // GDPR Controls
+    // -------------------------------------------------------------------------
+    {
+        id: 'GDPR-001',
+        framework: 'GDPR',
+        name: 'Data retention policies',
+        description: 'Resources must define data retention or lifecycle policies.',
+        passPattern: /(?:lifecycle_rule|retention_in_days|expiration|ttl|data_retention|lifecycle_policy)/,
+    },
+    {
+        id: 'GDPR-002',
+        framework: 'GDPR',
+        name: 'Consent mechanisms',
+        description: 'Infrastructure must support consent management workflows.',
+        passPattern: /(?:consent|gdpr|privacy|data_subject|right_to_erasure)/i,
+    },
+    {
+        id: 'GDPR-003',
+        framework: 'GDPR',
+        name: 'Data deletion capability',
+        description: 'Resources must support deletion of personal data (right to be forgotten).',
+        passPattern: /(?:lifecycle_rule|versioning|object_lock|deletion_protection|prevent_destroy)/,
+    },
+    {
+        id: 'GDPR-004',
+        framework: 'GDPR',
+        name: 'Data processing location',
+        description: 'Resources must specify their deployment region to ensure data residency.',
+        passPattern: /(?:region\s*=|location\s*=|availability_zone)/,
+    },
+    {
+        id: 'GDPR-005',
+        framework: 'GDPR',
+        name: 'Encryption of personal data',
+        description: 'Personal data must be encrypted at rest and in transit.',
+        passPattern: /(?:server_side_encryption|storage_encrypted|kms_key|encryption_configuration)/,
+    },
+    // -------------------------------------------------------------------------
+    // CIS Benchmark Controls
+    // -------------------------------------------------------------------------
+    {
+        id: 'CIS-001',
+        framework: 'CIS',
+        name: 'No public access',
+        description: 'Storage and database resources must not be publicly accessible.',
+        failPattern: /(?:publicly_accessible\s*=\s*true|acl\s*=\s*["']public-read)/,
+        invertFail: true,
+    },
+    {
+        id: 'CIS-002',
+        framework: 'CIS',
+        name: 'Minimal IAM permissions',
+        description: 'IAM policies should follow least privilege; no wildcard actions.',
+        failPattern: /["']Action["']\s*:\s*["']\*["']/,
+        invertFail: true,
+    },
+    {
+        id: 'CIS-003',
+        framework: 'CIS',
+        name: 'Encryption enabled',
+        description: 'All storage and database services must use encryption.',
+        passPattern: /(?:server_side_encryption_configuration|storage_encrypted\s*=\s*true|encryption_configuration|kms_key_id)/,
+    },
+    {
+        id: 'CIS-004',
+        framework: 'CIS',
+        name: 'VPC flow logs enabled',
+        description: 'VPC flow logs must be enabled for network traffic monitoring.',
+        passPattern: /(?:aws_flow_log|google_compute_subnetwork.*log_config|azurerm_network_watcher_flow_log)/s,
+    },
+    {
+        id: 'CIS-005',
+        framework: 'CIS',
+        name: 'Multi-factor authentication',
+        description: 'MFA should be required for IAM users with console access.',
+        passPattern: /(?:mfa_delete|mfa_device|condition.*mfa|multi_factor)/i,
+    },
+];
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const DEFAULT_EXCLUDES = new Set(['node_modules', '.git', 'dist', 'coverage', '.next', 'build']);
+/**
+ * Recursively collect Terraform file contents from a directory.
+ *
+ * @returns Concatenated content of all .tf and .tf.json files, plus a count
+ */
+function collectTerraformContent(dir) {
+    const chunks = [];
+    let fileCount = 0;
+    function walk(currentDir) {
+        let entries;
+        try {
+            entries = fs.readdirSync(currentDir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (entry.isDirectory()) {
+                if (DEFAULT_EXCLUDES.has(entry.name)) {
+                    continue;
+                }
+                walk(path.join(currentDir, entry.name));
+            }
+            else if (entry.isFile()) {
+                const ext = path.extname(entry.name).toLowerCase();
+                if (ext === '.tf' || entry.name.endsWith('.tf.json') || ext === '.tfvars') {
+                    try {
+                        const content = fs.readFileSync(path.join(currentDir, entry.name), 'utf-8');
+                        chunks.push(content);
+                        fileCount++;
+                    }
+                    catch {
+                        // skip unreadable files
+                    }
+                }
+            }
+        }
+    }
+    walk(dir);
+    return { content: chunks.join('\n'), fileCount };
+}
+/**
+ * Evaluate a single control definition against the combined Terraform content.
+ */
+function evaluateControl(def, terraformContent, hasTerraformFiles) {
+    // If no Terraform files exist, skip the control
+    if (!hasTerraformFiles) {
+        return {
+            id: def.id,
+            framework: def.framework,
+            name: def.name,
+            description: def.description,
+            status: 'skip',
+            evidence: 'No Terraform files found in the scanned directory.',
+        };
+    }
+    // Controls that use invertFail: pass when failPattern is NOT found
+    if (def.invertFail && def.failPattern) {
+        const match = def.failPattern.exec(terraformContent);
+        if (match) {
+            return {
+                id: def.id,
+                framework: def.framework,
+                name: def.name,
+                description: def.description,
+                status: 'fail',
+                evidence: `Found violation: "${match[0].slice(0, 80)}"`,
+            };
+        }
+        return {
+            id: def.id,
+            framework: def.framework,
+            name: def.name,
+            description: def.description,
+            status: 'pass',
+            evidence: 'No violations detected.',
+        };
+    }
+    // Standard passPattern check
+    if (def.passPattern) {
+        const match = def.passPattern.exec(terraformContent);
+        if (match) {
+            return {
+                id: def.id,
+                framework: def.framework,
+                name: def.name,
+                description: def.description,
+                status: 'pass',
+                evidence: `Found matching configuration: "${match[0].slice(0, 80)}"`,
+            };
+        }
+        return {
+            id: def.id,
+            framework: def.framework,
+            name: def.name,
+            description: def.description,
+            status: 'fail',
+            evidence: 'Required configuration not found in Terraform files.',
+        };
+    }
+    // No pattern defined -- warn
+    return {
+        id: def.id,
+        framework: def.framework,
+        name: def.name,
+        description: def.description,
+        status: 'warn',
+        evidence: 'Manual verification required -- no automated check available.',
+    };
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Check compliance of infrastructure configurations against one or more frameworks.
+ *
+ * Scans Terraform files in the specified directory and evaluates each control
+ * from the selected frameworks. Returns a compliance report per framework.
+ *
+ * @param options - Directory and framework selection
+ * @returns Array of compliance reports, one per framework
+ */
+export async function checkCompliance(options) {
+    const frameworks = options.frameworks ?? ['SOC2', 'HIPAA', 'PCI', 'GDPR', 'CIS'];
+    const { content: terraformContent, fileCount } = collectTerraformContent(options.dir);
+    const hasTerraformFiles = fileCount > 0;
+    const reports = [];
+    for (const framework of frameworks) {
+        const definitions = CONTROL_DEFINITIONS.filter(d => d.framework === framework);
+        const controls = definitions.map(def => evaluateControl(def, terraformContent, hasTerraformFiles));
+        const passCount = controls.filter(c => c.status === 'pass').length;
+        const failCount = controls.filter(c => c.status === 'fail').length;
+        const warnCount = controls.filter(c => c.status === 'warn').length;
+        const skipCount = controls.filter(c => c.status === 'skip').length;
+        // Score = pass / (pass + fail + warn) * 100, skipped controls excluded
+        const evaluatedCount = passCount + failCount + warnCount;
+        const score = evaluatedCount > 0 ? Math.round((passCount / evaluatedCount) * 100) : 0;
+        reports.push({
+            framework,
+            controls,
+            passCount,
+            failCount,
+            warnCount,
+            skipCount,
+            score,
+            timestamp: new Date(),
+        });
+    }
+    return reports;
+}
+/**
+ * Generate a visual scorecard from one or more compliance reports.
+ *
+ * Produces a formatted text table showing framework scores, pass/fail counts,
+ * and individual control statuses.
+ *
+ * @param reports - Compliance reports to include in the scorecard
+ * @returns Multi-line formatted scorecard string
+ */
+export function generateScorecard(reports) {
+    if (reports.length === 0) {
+        return 'No compliance reports to display.';
+    }
+    const statusIcon = {
+        pass: '[PASS]',
+        fail: '[FAIL]',
+        warn: '[WARN]',
+        skip: '[SKIP]',
+    };
+    const lines = ['Compliance Scorecard', '='.repeat(60), ''];
+    // Overview table
+    lines.push('  Framework   Score   Pass  Fail  Warn  Skip');
+    lines.push(`  ${'-'.repeat(50)}`);
+    for (const report of reports) {
+        const fw = report.framework.padEnd(10);
+        const score = `${report.score}%`.padStart(5);
+        const pass = String(report.passCount).padStart(4);
+        const fail = String(report.failCount).padStart(4);
+        const warn = String(report.warnCount).padStart(4);
+        const skip = String(report.skipCount).padStart(4);
+        lines.push(`  ${fw} ${score}   ${pass}  ${fail}  ${warn}  ${skip}`);
+    }
+    lines.push('');
+    // Detailed control results
+    for (const report of reports) {
+        lines.push(`--- ${report.framework} (${report.score}%) ---`);
+        lines.push('');
+        for (const control of report.controls) {
+            lines.push(`  ${statusIcon[control.status]} ${control.id}: ${control.name}`);
+            lines.push(`         ${control.description}`);
+            if (control.evidence) {
+                lines.push(`         Evidence: ${control.evidence}`);
+            }
+            lines.push('');
+        }
+    }
+    // Overall summary
+    const totalPass = reports.reduce((s, r) => s + r.passCount, 0);
+    const totalFail = reports.reduce((s, r) => s + r.failCount, 0);
+    const totalWarn = reports.reduce((s, r) => s + r.warnCount, 0);
+    const totalSkip = reports.reduce((s, r) => s + r.skipCount, 0);
+    const totalEval = totalPass + totalFail + totalWarn;
+    const overallScore = totalEval > 0 ? Math.round((totalPass / totalEval) * 100) : 0;
+    lines.push('='.repeat(60));
+    lines.push(`Overall: ${overallScore}% compliant (${totalPass} pass, ${totalFail} fail, ${totalWarn} warn, ${totalSkip} skip)`);
+    return lines.join('\n');
+}

package/dist/src/audit/cost-tracker.js

@@ -0,0 +1,231 @@
+/**
+ * Cost Tracker - Track LLM and infrastructure costs across sessions.
+ *
+ * Records cost entries for LLM API calls (with token counts and model info)
+ * and infrastructure changes (from terraform plan). Computes daily cost
+ * aggregates, monthly projections, and per-session breakdowns.
+ */
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Format a Date as a YYYY-MM-DD string for daily aggregation.
+ */
+function toDateKey(date) {
+    const y = date.getFullYear();
+    const m = String(date.getMonth() + 1).padStart(2, '0');
+    const d = String(date.getDate()).padStart(2, '0');
+    return `${y}-${m}-${d}`;
+}
+/**
+ * Format a USD amount with appropriate precision.
+ */
+function formatUSD(amount) {
+    if (amount < 0.01 && amount > 0) {
+        return `$${amount.toFixed(6)}`;
+    }
+    return `$${amount.toFixed(4)}`;
+}
+// ---------------------------------------------------------------------------
+// CostTracker
+// ---------------------------------------------------------------------------
+/**
+ * Tracks LLM and infrastructure costs across Nimbus sessions.
+ *
+ * Maintains an in-memory ledger of cost entries and provides methods to
+ * compute summaries, daily breakdowns, and monthly projections.
+ *
+ * @example
+ * ```typescript
+ * const tracker = new CostTracker();
+ *
+ * tracker.recordLLMCost({
+ *   sessionId: 'abc-123',
+ *   model: 'claude-sonnet-4-20250514',
+ *   inputTokens: 1500,
+ *   outputTokens: 800,
+ *   costUSD: 0.0165,
+ * });
+ *
+ * const summary = tracker.getSummary();
+ * console.log(tracker.formatSummary(summary));
+ * ```
+ */
+export class CostTracker {
+    entries = [];
+    /**
+     * Record a cost entry for an LLM API call.
+     *
+     * @param params - LLM call details including model, token counts, and cost
+     * @returns The created cost entry
+     */
+    recordLLMCost(params) {
+        const entry = {
+            id: crypto.randomUUID(),
+            sessionId: params.sessionId,
+            timestamp: new Date(),
+            category: 'llm',
+            description: `LLM call to ${params.model} (${params.inputTokens} in / ${params.outputTokens} out tokens)`,
+            amount: params.costUSD,
+            inputTokens: params.inputTokens,
+            outputTokens: params.outputTokens,
+            model: params.model,
+        };
+        this.entries.push(entry);
+        return entry;
+    }
+    /**
+     * Record an infrastructure cost change, typically derived from a terraform plan.
+     *
+     * @param params - Infrastructure cost details
+     * @returns The created cost entry
+     */
+    recordInfraCost(params) {
+        const entry = {
+            id: crypto.randomUUID(),
+            sessionId: params.sessionId,
+            timestamp: new Date(),
+            category: 'infra',
+            description: params.description,
+            amount: params.monthlyCost,
+        };
+        this.entries.push(entry);
+        return entry;
+    }
+    /**
+     * Compute a cost summary over all entries or a subset filtered by time/session.
+     *
+     * The monthly projection is calculated by taking the average daily cost
+     * and multiplying by 30. If only a single day of data exists, that day's
+     * total is used as the daily average.
+     *
+     * @param options - Optional time range or session filter
+     * @returns Aggregated cost summary
+     */
+    getSummary(options) {
+        let filtered = this.entries;
+        if (options?.since) {
+            const since = options.since.getTime();
+            filtered = filtered.filter(e => e.timestamp.getTime() >= since);
+        }
+        if (options?.sessionId) {
+            filtered = filtered.filter(e => e.sessionId === options.sessionId);
+        }
+        // Totals
+        let totalCost = 0;
+        let llmCost = 0;
+        let infraCost = 0;
+        // Group by session
+        const entriesBySession = new Map();
+        // Group by date
+        const dailyMap = new Map();
+        for (const entry of filtered) {
+            totalCost += entry.amount;
+            if (entry.category === 'llm') {
+                llmCost += entry.amount;
+            }
+            else {
+                infraCost += entry.amount;
+            }
+            // Session grouping
+            const sessionEntries = entriesBySession.get(entry.sessionId);
+            if (sessionEntries) {
+                sessionEntries.push(entry);
+            }
+            else {
+                entriesBySession.set(entry.sessionId, [entry]);
+            }
+            // Daily grouping
+            const dateKey = toDateKey(entry.timestamp);
+            dailyMap.set(dateKey, (dailyMap.get(dateKey) ?? 0) + entry.amount);
+        }
+        // Sort daily costs chronologically
+        const dailyCosts = Array.from(dailyMap.entries())
+            .sort(([a], [b]) => a.localeCompare(b))
+            .map(([date, amount]) => ({ date, amount }));
+        // Monthly projection: average daily cost * 30
+        let monthlyProjection = 0;
+        if (dailyCosts.length > 0) {
+            const totalDailyCost = dailyCosts.reduce((sum, d) => sum + d.amount, 0);
+            const avgDaily = totalDailyCost / dailyCosts.length;
+            monthlyProjection = avgDaily * 30;
+        }
+        return {
+            totalCost,
+            llmCost,
+            infraCost,
+            entriesBySession,
+            dailyCosts,
+            monthlyProjection,
+        };
+    }
+    /**
+     * Retrieve raw cost entries, optionally filtered by session.
+     *
+     * @param sessionId - If provided, only return entries for this session
+     * @returns Array of cost entries sorted by timestamp (newest first)
+     */
+    getEntries(sessionId) {
+        let result = [...this.entries];
+        if (sessionId) {
+            result = result.filter(e => e.sessionId === sessionId);
+        }
+        return result.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
+    }
+    /**
+     * Format a cost summary as a human-readable text report.
+     *
+     * Includes totals, per-session breakdowns, daily costs, and the
+     * projected monthly spend.
+     *
+     * @param summary - The summary to format
+     * @returns Multi-line formatted report
+     */
+    formatSummary(summary) {
+        const lines = [
+            'Cost Summary',
+            '='.repeat(50),
+            '',
+            `  Total Cost:       ${formatUSD(summary.totalCost)}`,
+            `  LLM Cost:         ${formatUSD(summary.llmCost)}`,
+            `  Infra Cost:       ${formatUSD(summary.infraCost)}`,
+            `  Monthly Estimate: ${formatUSD(summary.monthlyProjection)}`,
+            '',
+        ];
+        // Per-session breakdown
+        if (summary.entriesBySession.size > 0) {
+            lines.push('Per-Session Breakdown:');
+            lines.push('-'.repeat(50));
+            for (const [sessionId, entries] of summary.entriesBySession) {
+                const sessionTotal = entries.reduce((s, e) => s + e.amount, 0);
+                const llm = entries.filter(e => e.category === 'llm');
+                const infra = entries.filter(e => e.category === 'infra');
+                const totalInputTokens = llm.reduce((s, e) => s + (e.inputTokens ?? 0), 0);
+                const totalOutputTokens = llm.reduce((s, e) => s + (e.outputTokens ?? 0), 0);
+                lines.push(`  Session: ${sessionId}`);
+                lines.push(`    Total: ${formatUSD(sessionTotal)} (${entries.length} entries)`);
+                if (llm.length > 0) {
+                    const llmTotal = llm.reduce((s, e) => s + e.amount, 0);
+                    lines.push(`    LLM:   ${formatUSD(llmTotal)} (${llm.length} calls, ${totalInputTokens} in / ${totalOutputTokens} out tokens)`);
+                }
+                if (infra.length > 0) {
+                    const infraTotal = infra.reduce((s, e) => s + e.amount, 0);
+                    lines.push(`    Infra: ${formatUSD(infraTotal)} (${infra.length} changes)`);
+                }
+                lines.push('');
+            }
+        }
+        // Daily costs
+        if (summary.dailyCosts.length > 0) {
+            lines.push('Daily Costs:');
+            lines.push('-'.repeat(50));
+            for (const day of summary.dailyCosts) {
+                lines.push(`  ${day.date}: ${formatUSD(day.amount)}`);
+            }
+            lines.push('');
+        }
+        lines.push('='.repeat(50));
+        lines.push(`Projected monthly cost: ${formatUSD(summary.monthlyProjection)}`);
+        return lines.join('\n');
+    }
+}

package/dist/src/audit/index.js

@@ -0,0 +1,10 @@
+/**
+ * Audit Notebook - barrel exports.
+ *
+ * Re-exports the security scanner, compliance checker, cost tracker, and
+ * activity log modules for convenient single-import access.
+ */
+export { scanSecurity, formatFindings } from './security-scanner';
+export { checkCompliance, generateScorecard } from './compliance-checker';
+export { CostTracker } from './cost-tracker';
+export { ActivityLog } from './activity-log';