@cleartrip/frontguard 0.1.4 → 0.1.6

package/dist/cli.js

@@ -4,7 +4,7 @@ import g, { stdin, stdout, cwd } from 'process';
 import f from 'readline';
 import * as tty from 'tty';
 import { WriteStream } from 'tty';
-import path, { sep, normalize, delimiter, resolve, dirname } from 'path';
+import path4, { sep, normalize, delimiter, resolve, dirname } from 'path';
 import fs from 'fs/promises';
 import { createRequire } from 'module';
 import fs4 from 'fs';
@@ -2497,19 +2497,19 @@ async function ensureDir(dir) {
   await fs.mkdir(dir, { recursive: true });
 }
 async function initFrontGuard(cwd) {
-  const gh = path.join(cwd, ".github", "workflows");
+  const gh = path4.join(cwd, ".github", "workflows");
   await ensureDir(gh);
-  const wfPath = path.join(gh, "frontguard.yml");
+  const wfPath = path4.join(gh, "frontguard.yml");
   await fs.writeFile(wfPath, WORKFLOW, "utf8");
-  const cfgPath = path.join(cwd, "frontguard.config.js");
+  const cfgPath = path4.join(cwd, "frontguard.config.js");
   try {
     await fs.access(cfgPath);
   } catch {
     await fs.writeFile(cfgPath, CONFIG, "utf8");
   }
-  const tplRoot = path.join(cwd, ".github");
+  const tplRoot = path4.join(cwd, ".github");
   await ensureDir(tplRoot);
-  const tplPath = path.join(tplRoot, "pull_request_template.md");
+  const tplPath = path4.join(tplRoot, "pull_request_template.md");
   try {
     await fs.access(tplPath);
   } catch {
@@ -2614,10 +2614,10 @@ async function resolvePrNumber() {
   const raw = process.env.FRONTGUARD_PR_NUMBER ?? process.env.PR_NUMBER;
   const n3 = Number(raw);
   if (Number.isFinite(n3) && n3 > 0) return n3;
-  const path14 = process.env.GITHUB_EVENT_PATH;
-  if (!path14) return null;
+  const path15 = process.env.GITHUB_EVENT_PATH;
+  if (!path15) return null;
   try {
-    const payload = JSON.parse(await fs.readFile(path14, "utf8"));
+    const payload = JSON.parse(await fs.readFile(path15, "utf8"));
     const num = payload.pull_request?.number;
     return typeof num === "number" && num > 0 ? num : null;
   } catch {
@@ -2824,7 +2824,7 @@ function stripExtends(c4) {
 }
 async function loadExtendsLayer(cwd, spec) {
   if (!spec) return {};
-  const req = createRequire(path.join(cwd, "package.json"));
+  const req = createRequire(path4.join(cwd, "package.json"));
   const specs = Array.isArray(spec) ? spec : [spec];
   let merged = {};
   for (const s3 of specs) {
@@ -2843,7 +2843,7 @@ async function loadExtendsLayer(cwd, spec) {
 async function loadConfig(cwd) {
   let userFile = null;
   for (const name of CONFIG_NAMES) {
-    const full = path.join(cwd, name);
+    const full = path4.join(cwd, name);
     if (!fs4.existsSync(full)) continue;
     try {
       const mod = await importConfig(full);
@@ -2873,7 +2873,7 @@ function hasDep(deps, name) {
 async function detectStack(cwd) {
   let pkg = {};
   try {
-    const raw = await fs.readFile(path.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path4.join(cwd, "package.json"), "utf8");
     pkg = JSON.parse(raw);
   } catch {
     return {
@@ -2893,7 +2893,7 @@ async function detectStack(cwd) {
   const isMonorepo = Boolean(pkg.workspaces);
   let tsStrict = null;
   try {
-    const tsconfigPath = path.join(cwd, "tsconfig.json");
+    const tsconfigPath = path4.join(cwd, "tsconfig.json");
     const tsRaw = await fs.readFile(tsconfigPath, "utf8");
     const ts = JSON.parse(tsRaw);
     if (typeof ts.compilerOptions?.strict === "boolean") {
@@ -2903,15 +2903,15 @@ async function detectStack(cwd) {
   }
   let pm = "unknown";
   try {
-    await fs.access(path.join(cwd, "pnpm-lock.yaml"));
+    await fs.access(path4.join(cwd, "pnpm-lock.yaml"));
     pm = "pnpm";
   } catch {
     try {
-      await fs.access(path.join(cwd, "yarn.lock"));
+      await fs.access(path4.join(cwd, "yarn.lock"));
       pm = "yarn";
     } catch {
       try {
-        await fs.access(path.join(cwd, "package-lock.json"));
+        await fs.access(path4.join(cwd, "package-lock.json"));
         pm = "npm";
       } catch {
         pm = "npm";
@@ -2931,6 +2931,51 @@ async function detectStack(cwd) {
     tsStrict
   };
 }
+function stripFileUrl(p2) {
+  let s3 = p2.trim();
+  if (!/^file:/i.test(s3)) return s3;
+  s3 = s3.replace(/^file:\/\//i, "");
+  if (process.platform === "win32" && s3.startsWith("/")) {
+    const m3 = s3.match(/^\/([A-Za-z]:\/.*)$/);
+    if (m3) return m3[1];
+  }
+  return s3;
+}
+function isUnderDir(parent, child) {
+  const rel = path4.relative(parent, child);
+  return rel === "" || !rel.startsWith("..") && !path4.isAbsolute(rel);
+}
+function toRepoRelativePath(cwd, filePath) {
+  if (!filePath?.trim()) return void 0;
+  const raw = stripFileUrl(filePath);
+  const resolvedCwd = path4.resolve(cwd);
+  const absFile = path4.isAbsolute(raw) ? path4.resolve(raw) : path4.resolve(resolvedCwd, raw);
+  if (!isUnderDir(resolvedCwd, absFile)) {
+    return raw.split(/[/\\]/g).join("/");
+  }
+  let rel = path4.relative(resolvedCwd, absFile);
+  if (!rel || rel === ".") {
+    return path4.basename(absFile);
+  }
+  return rel.split(path4.sep).join("/");
+}
+function stripRepoAbsolutePaths(cwd, text) {
+  if (!text || !cwd.trim()) return text;
+  const resolvedCwd = path4.resolve(cwd);
+  const asPosix = (s3) => s3.replace(/\\/g, "/");
+  const cwdPosix = asPosix(resolvedCwd);
+  let out = asPosix(text);
+  const prefixes = [.../* @__PURE__ */ new Set([cwdPosix + "/", resolvedCwd + path4.sep])].filter(
+    (p2) => p2.length > 1
+  );
+  for (const prefix of prefixes) {
+    const norm = prefix.replace(/\\/g, "/");
+    if (out.includes(norm)) {
+      out = out.split(norm).join("");
+    }
+  }
+  return out;
+}
 var d2 = (e3, t3) => () => (t3 || e3((t3 = { exports: {} }).exports, t3), t3.exports);
 var f3 = /* @__PURE__ */ createRequire(import.meta.url);
 var p = /^path$/i;
@@ -3546,7 +3591,7 @@ async function pathExists(file) {
   }
 }
 async function resolveBin(cwd, name) {
-  const local = path.join(cwd, "node_modules", ".bin", name);
+  const local = path4.join(cwd, "node_modules", ".bin", name);
   if (await pathExists(local)) return local;
   const win = local + ".cmd";
   if (await pathExists(win)) return win;
@@ -3602,7 +3647,7 @@ async function runNpx(cwd, args) {
 // src/checks/eslint.ts
 async function hasEslintDependency(cwd) {
   try {
-    const raw = await fs.readFile(path.join(cwd, "package.json"), "utf8");
+    const raw = await fs.readFile(path4.join(cwd, "package.json"), "utf8");
     const p2 = JSON.parse(raw);
     return Boolean(p2.devDependencies?.eslint || p2.dependencies?.eslint);
   } catch {
@@ -3621,7 +3666,7 @@ async function hasEslintConfig(cwd) {
     ".eslintrc.yml"
   ];
   for (const c4 of candidates) {
-    if (await pathExists(path.join(cwd, c4))) return true;
+    if (await pathExists(path4.join(cwd, c4))) return true;
   }
   return false;
 }
@@ -3677,20 +3722,19 @@ async function runEslint(cwd, config, _stack) {
   }
   try {
     const rows = JSON.parse(stdout2);
-    let n3 = 0;
     for (const row of rows) {
+      const relFile = toRepoRelativePath(cwd, row.filePath);
       for (const m3 of row.messages) {
-        if (n3++ >= 40) break;
         findings.push({
           id: `eslint-${m3.ruleId ?? "unknown"}`,
           severity: "warn",
           message: m3.message,
-          file: row.filePath,
+          file: relFile,
           detail: m3.line ? `line ${m3.line}` : void 0
         });
       }
     }
-    if (n3 === 0) {
+    if (findings.length === 0) {
       findings.push({
         id: "eslint-failed",
         severity: "warn",
@@ -3778,7 +3822,7 @@ async function runTypeScript(cwd, config, stack) {
       skipped: "disabled in config"
     };
   }
-  const hasTs = stack.hasTypeScript || await pathExists(path.join(cwd, "tsconfig.json"));
+  const hasTs = stack.hasTypeScript || await pathExists(path4.join(cwd, "tsconfig.json"));
   if (!hasTs) {
     return {
       checkId: "typescript",
@@ -3891,7 +3935,7 @@ async function runSecrets(cwd, config, pr) {
       });
       break;
     }
-    const full = path.join(cwd, rel);
+    const full = path4.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -3917,7 +3961,7 @@ async function runSecrets(cwd, config, pr) {
   };
 }
 function isProbablyTextFile(rel) {
-  const ext = path.extname(rel).toLowerCase();
+  const ext = path4.extname(rel).toLowerCase();
   return TEXT_EXT.has(ext);
 }
 
@@ -4210,12 +4254,12 @@ async function runCycles(cwd, config, stack) {
   }
   let entry = cfg.entries[0] ?? "src";
   for (const e3 of cfg.entries) {
-    if (await pathExists(path.join(cwd, e3))) {
+    if (await pathExists(path4.join(cwd, e3))) {
       entry = e3;
       break;
     }
   }
-  if (!await pathExists(path.join(cwd, entry))) {
+  if (!await pathExists(path4.join(cwd, entry))) {
     return {
       checkId: "cycles",
       findings: [],
@@ -4339,7 +4383,7 @@ async function sumGlobBytes(cwd, patterns) {
     });
     for (const rel of files) {
       try {
-        const st = await fs.stat(path.join(cwd, rel));
+        const st = await fs.stat(path4.join(cwd, rel));
         total += st.size;
       } catch {
       }
@@ -4348,7 +4392,7 @@ async function sumGlobBytes(cwd, patterns) {
   return total;
 }
 async function readBaseline(cwd, relPath, baseRef) {
-  const disk = path.join(cwd, relPath);
+  const disk = path4.join(cwd, relPath);
   try {
     const raw = await fs.readFile(disk, "utf8");
     return JSON.parse(raw);
@@ -4523,7 +4567,7 @@ async function runCwv(cwd, config, stack, pr) {
   const findings = [];
   const sev2 = gateSeverity5(cfg.gate);
   for (const rel of toScan.slice(0, 400)) {
-    const full = path.join(cwd, rel);
+    const full = path4.join(cwd, rel);
     let text;
     try {
       text = await fs.readFile(full, "utf8");
@@ -4608,7 +4652,7 @@ async function runCustomRules(cwd, config, restrictToFiles) {
       });
       break;
     }
-    const full = path.join(cwd, rel);
+    const full = path4.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4739,7 +4783,7 @@ async function runAiAssistedStrict(cwd, config, pr) {
   const gate = cfg.gate;
   const findings = [];
   for (const rel of files) {
-    const full = path.join(cwd, rel);
+    const full = path4.join(cwd, rel);
     let content;
     try {
       content = await fs.readFile(full, "utf8");
@@ -4799,6 +4843,7 @@ function applyAiAssistedEscalation(results, pr, config) {
 var import_picocolors = __toESM(require_picocolors());
 function buildReport(stack, pr, results, options) {
   const mode = options?.mode ?? "warn";
+  const cwd = options?.cwd ?? process.cwd();
   const allFindings = results.flatMap(
     (r4) => r4.findings.map((f4) => ({ ...f4, checkId: r4.checkId }))
   );
@@ -4808,6 +4853,7 @@ function buildReport(stack, pr, results, options) {
   const lines = pr != null ? pr.additions + pr.deletions : null;
   const riskScore = scoreRisk(blocks, warns, lines, pr?.changedFiles ?? 0);
   const markdown = formatMarkdown({
+    cwd,
     riskScore,
     mode,
     stack,
@@ -4855,8 +4901,107 @@ function scoreRisk(blocks, warns, lines, files) {
   if (score >= 2) return "MEDIUM";
   return "LOW";
 }
+function shieldImageUrl(label, message, color) {
+  const q2 = new URLSearchParams({
+    label,
+    message,
+    color,
+    style: "for-the-badge"
+  });
+  return `https://img.shields.io/static/v1?${q2}`;
+}
+function mdShield(alt, label, message, color) {
+  return `![${alt}](${shieldImageUrl(label, message, color)})`;
+}
+function riskEmoji(risk) {
+  if (risk === "LOW") return "\u{1F7E2}";
+  if (risk === "MEDIUM") return "\u{1F7E0}";
+  return "\u{1F534}";
+}
+function riskShieldColor(risk) {
+  if (risk === "LOW") return "brightgreen";
+  if (risk === "MEDIUM") return "orange";
+  return "red";
+}
+function modeShieldColor(mode) {
+  return mode === "enforce" ? "critical" : "blue";
+}
+function countShieldColor(kind, n3) {
+  if (kind === "block") return n3 === 0 ? "brightgreen" : "critical";
+  if (kind === "info") return n3 === 0 ? "inactive" : "informational";
+  if (n3 === 0) return "brightgreen";
+  if (n3 <= 10) return "yellow";
+  return "orange";
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms} ms`;
+  const s3 = Math.round(ms / 1e3);
+  if (s3 < 60) return `${s3}s`;
+  const m3 = Math.floor(s3 / 60);
+  const r4 = s3 % 60;
+  return r4 ? `${m3}m ${r4}s` : `${m3}m`;
+}
+function healthEmojiForCheck(r4) {
+  if (r4.skipped) return "\u23ED\uFE0F";
+  if (r4.findings.length === 0) return "\u{1F7E2}";
+  const hasBlock = r4.findings.some((f4) => f4.severity === "block");
+  if (hasBlock) return "\u{1F534}";
+  return "\u{1F7E1}";
+}
+function escapeHtml(s3) {
+  return s3.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function normalizeFindingDisplay(cwd, f4) {
+  const file = toRepoRelativePath(cwd, f4.file);
+  const message = stripRepoAbsolutePaths(cwd, f4.message);
+  const detail = f4.detail ? stripRepoAbsolutePaths(cwd, f4.detail) : void 0;
+  return { file, message, detail };
+}
+function sanitizeFence(cwd, s3) {
+  return stripRepoAbsolutePaths(cwd, s3).replace(/\r\n/g, "\n").replace(/```/g, "`\u200B``");
+}
+function accordionSummaryHtml(file, message) {
+  const msg = message.length > 160 ? `${message.slice(0, 157).trimEnd()}\u2026` : message;
+  const filePart = file ? `<code>${escapeHtml(file)}</code> \xB7 ` : "";
+  return filePart + escapeHtml(msg);
+}
+function parseLineHint(detail) {
+  if (!detail) return 0;
+  const m3 = /^line\s+(\d+)/i.exec(detail.trim());
+  return m3 ? Number(m3[1]) : 0;
+}
+function appendDetailAfterTable(sb, cwd, detail) {
+  if (!detail?.trim()) return;
+  const d3 = detail.trim();
+  const oneLine = !d3.includes("\n");
+  const safeForTable = oneLine && d3.length <= 200 && !d3.includes("|") && !d3.includes("`");
+  if (safeForTable) {
+    sb.push(`| **Hint** | ${d3} |`);
+    return;
+  }
+  sb.push("");
+  sb.push("*Detail*");
+  sb.push("");
+  sb.push("```text");
+  sb.push(sanitizeFence(cwd, d3));
+  sb.push("```");
+}
+function appendDetailFree(sb, cwd, detail) {
+  if (!detail?.trim()) return;
+  const d3 = detail.trim();
+  if (!d3.includes("\n") && d3.length <= 300) {
+    sb.push("");
+    sb.push(`_${d3}_`);
+    return;
+  }
+  sb.push("");
+  sb.push("```text");
+  sb.push(sanitizeFence(cwd, d3));
+  sb.push("```");
+}
 function formatMarkdown(p2) {
   const {
+    cwd,
     riskScore,
     mode,
     stack,
@@ -4869,99 +5014,205 @@ function formatMarkdown(p2) {
     llmAppendix
   } = p2;
   const sb = [];
-  sb.push("## FrontGuard review brief");
+  const sortWithCwd = (items) => [...items].sort((a3, b3) => {
+    const af = toRepoRelativePath(cwd, a3.f.file) ?? "";
+    const bf = toRepoRelativePath(cwd, b3.f.file) ?? "";
+    if (af !== bf) return af.localeCompare(bf);
+    const lineA = parseLineHint(a3.f.detail);
+    const lineB = parseLineHint(b3.f.detail);
+    if (lineA !== lineB) return lineA - lineB;
+    return a3.f.message.localeCompare(b3.f.message);
+  });
+  sb.push("## \u2728 FrontGuard review brief");
+  sb.push("");
+  const modeLabel = mode === "enforce" ? "enforce" : "warn only";
+  const badgeLine = [
+    mdShield("Risk level", "risk", riskScore, riskShieldColor(riskScore)),
+    mdShield("CI mode", "mode", modeLabel, modeShieldColor(mode)),
+    mdShield("Blocking", "blocking", String(blocks), countShieldColor("block", blocks)),
+    mdShield("Warnings", "warnings", String(warns), countShieldColor("warn", warns)),
+    mdShield("Info", "info notes", String(infos), countShieldColor("info", infos))
+  ].join(" ");
+  sb.push(badgeLine);
+  sb.push("");
+  sb.push("---");
   sb.push("");
+  sb.push("### \u{1F4CC} Snapshot");
+  sb.push("");
+  sb.push("| | |");
+  sb.push("|:--|:--|");
+  sb.push(`| **Composite risk** | ${riskEmoji(riskScore)} **${riskScore}** \u2014 heuristic from blocks, warnings, and PR size. |`);
   sb.push(
-    `**Risk:** ${riskScore} \xB7 **Mode:** ${mode === "enforce" ? "enforce (CI may fail on `block`)" : "warn-only"}`
+    `| **Gate mode** | ${mode === "enforce" ? "\u{1F512} **Enforce** \u2014 CI fails when a `block` finding is present." : "\u{1F6C8} **Warn only** \u2014 findings are advisory unless you use `--enforce`."} |`
   );
-  if (pr?.aiAssisted) {
-    sb.push("");
+  sb.push(`| **Stack detected** | ${formatStackOneLiner(stack)} |`);
+  if (pr && lines != null) {
     sb.push(
-      "**AI-assisted PR:** Stricter static pass is active (security / footgun patterns on changed files; secrets & `any` deltas may be escalated). **Human review** still required for correctness and product rules."
+      `| **PR size** | \u{1F4CF} **${lines}** LOC ( +${pr.additions} / \u2212${pr.deletions} ) \xB7 **${pr.changedFiles}** files |`
     );
   }
   sb.push("");
-  sb.push(`**Stack:** ${formatStackOneLiner(stack)}`);
-  if (pr && lines != null) {
+  if (pr?.aiAssisted) {
     sb.push(
-      `**Size:** ${lines} lines (+${pr.additions} / -${pr.deletions}) across ${pr.changedFiles} files`
+      "> **\u{1F916} AI-assisted PR** \u2014 Stricter static checks run on changed files (security / footguns; secrets & `any` deltas may escalate). This does not replace human review for behavior or product rules."
     );
+    sb.push("");
   }
-  sb.push("");
+  sb.push("> **How to read this report**");
+  sb.push(">");
+  sb.push("> | Symbol | Meaning |");
+  sb.push("> |:--|:--|");
+  sb.push("> | \u{1F7E2} | Check passed or skipped cleanly |");
+  sb.push("> | \u{1F7E1} | Warnings only \u2014 review recommended |");
+  sb.push("> | \u{1F534} | Blocking (`block`) severity present |");
+  sb.push("> | \u23ED\uFE0F | Check skipped (see reason in table) |");
+  sb.push(">");
   sb.push(
-    blocks > 0 ? `**Blocking (\`block\`) findings:** ${blocks}` : "**Blocking (`block`) findings:** 0"
+    "> Paths in findings are **relative to the repo root**. Expand nested sections for rule id, file, and tool output."
   );
-  sb.push(`**Warnings:** ${warns} \xB7 **Info:** ${infos}`);
   sb.push("");
-  sb.push("### Check summary");
+  sb.push("---");
+  sb.push("");
+  sb.push("### \u{1F4CB} Check results");
+  sb.push("");
+  sb.push("| | Check | Status | Findings | Duration |");
+  sb.push("|:--:|:--|:--|:-:|--:|");
   for (const r4 of results) {
-    const status = r4.skipped ? `\u23ED\uFE0F skipped (${r4.skipped})` : r4.findings.length === 0 ? "\u2705 clean" : `\u26A0\uFE0F ${r4.findings.length} finding(s)`;
-    sb.push(`- **${r4.checkId}** \u2014 ${status} (${r4.durationMs}ms)`);
+    const he2 = healthEmojiForCheck(r4);
+    const status = r4.skipped ? "\u23ED\uFE0F **Skipped**" : r4.findings.length === 0 ? "\u2705 **Clean**" : "\u26A0\uFE0F **Issues**";
+    const nFind = r4.skipped ? "\u2014" : String(r4.findings.length);
+    const note = r4.skipped ? `<br><sub>\u{1F4AC} ${escapeHtml(r4.skipped)}</sub>` : "";
+    sb.push(
+      `| ${he2} | **${r4.checkId}** | ${status}${note} | **${nFind}** | ${formatDuration(r4.durationMs)} |`
+    );
   }
   sb.push("");
-  const blockFindings = results.flatMap(
-    (r4) => r4.findings.filter((f4) => f4.severity === "block").map((f4) => ({ r: r4, f: f4 }))
+  const blockFindings = sortWithCwd(
+    results.flatMap(
+      (r4) => r4.findings.filter((f4) => f4.severity === "block").map((f4) => ({ r: r4, f: f4 }))
+    )
   );
-  if (blockFindings.length) {
-    sb.push("### Blocking");
-    for (const { f: f4 } of blockFindings.slice(0, 40)) {
-      const loc = f4.file ? ` \`${f4.file}\`` : "";
-      sb.push(`- ${f4.message}${loc}`);
-      if (f4.detail) {
-        sb.push(
-          `  - <details><summary>detail</summary>
-
-\`\`\`text
-${f4.detail}
-\`\`\`
-
-</details>`
-        );
-      }
-    }
+  sb.push("<details open>");
+  sb.push(
+    `<summary><strong>\u{1F6D1} Blocking \u2014 ${blocks} issue${blocks === 1 ? "" : "s"}</strong></summary>`
+  );
+  sb.push("");
+  if (blockFindings.length === 0) {
+    sb.push("*\u2705 No blocking findings \u2014 nothing mapped to severity `block`.*");
+  } else {
     sb.push("");
+    for (const { r: r4, f: f4 } of blockFindings) {
+      const d3 = normalizeFindingDisplay(cwd, f4);
+      sb.push("<details>");
+      sb.push(
+        `<summary>${accordionSummaryHtml(d3.file, d3.message)}</summary>`
+      );
+      sb.push("");
+      sb.push(`| Field | Value |`);
+      sb.push(`|:--|:--|`);
+      sb.push(`| **Check** | \`${r4.checkId}\` |`);
+      sb.push(`| **Rule / id** | \`${f4.id}\` |`);
+      if (d3.file) sb.push(`| **File** | \`${d3.file}\` |`);
+      appendDetailAfterTable(sb, cwd, d3.detail);
+      sb.push("");
+      sb.push("</details>");
+      sb.push("");
+    }
   }
-  const warnFindings = results.flatMap(
-    (r4) => r4.findings.filter((f4) => f4.severity === "warn").map((f4) => ({ r: r4, f: f4 }))
+  sb.push("");
+  sb.push("</details>");
+  sb.push("");
+  const warnFindings = sortWithCwd(
+    results.flatMap(
+      (r4) => r4.findings.filter((f4) => f4.severity === "warn").map((f4) => ({ r: r4, f: f4 }))
+    )
   );
-  if (warnFindings.length) {
-    sb.push("### Warnings");
-    for (const { f: f4 } of warnFindings.slice(0, 30)) {
-      const loc = f4.file ? ` \`${f4.file}\`` : "";
-      sb.push(`- ${f4.message}${loc}`);
-      if (f4.detail) {
+  sb.push("<details open>");
+  sb.push(
+    `<summary><strong>\u26A0\uFE0F Warnings \u2014 ${warns} issue${warns === 1 ? "" : "s"}</strong> \xB7 grouped by check</summary>`
+  );
+  sb.push("");
+  if (warnFindings.length === 0) {
+    sb.push("*\u{1F389} No warnings \u2014 nice work.*");
+  } else {
+    const byCheck = /* @__PURE__ */ new Map();
+    for (const item of warnFindings) {
+      const list = byCheck.get(item.r.checkId) ?? [];
+      list.push(item);
+      byCheck.set(item.r.checkId, list);
+    }
+    const checkOrder = [...byCheck.keys()].sort((a3, b3) => a3.localeCompare(b3));
+    for (const checkId of checkOrder) {
+      const group = sortWithCwd(byCheck.get(checkId));
+      sb.push(`#### \u{1F4C2} \`${checkId}\` \xB7 ${group.length} finding${group.length === 1 ? "" : "s"}`);
+      sb.push("");
+      for (const { r: r4, f: f4 } of group) {
+        const d3 = normalizeFindingDisplay(cwd, f4);
+        sb.push("<details>");
         sb.push(
-          `  - <details><summary>detail</summary>
-
-\`\`\`text
-${f4.detail}
-\`\`\`
-
-</details>`
+          `<summary>${accordionSummaryHtml(d3.file, d3.message)}</summary>`
         );
+        sb.push("");
+        sb.push(`| Field | Value |`);
+        sb.push(`|:--|:--|`);
+        sb.push(`| **Check** | \`${r4.checkId}\` |`);
+        sb.push(`| **Rule / id** | \`${f4.id}\` |`);
+        if (d3.file) sb.push(`| **File** | \`${d3.file}\` |`);
+        appendDetailAfterTable(sb, cwd, d3.detail);
+        sb.push("");
+        sb.push("</details>");
+        sb.push("");
       }
     }
-    if (warnFindings.length > 30) {
-      sb.push(`- _\u2026and ${warnFindings.length - 30} more_`);
-    }
-    sb.push("");
   }
-  const infoFindings = results.flatMap(
-    (r4) => r4.findings.filter((f4) => f4.severity === "info").map((f4) => ({ r: r4, f: f4 }))
+  sb.push("</details>");
+  sb.push("");
+  const infoFindings = sortWithCwd(
+    results.flatMap(
+      (r4) => r4.findings.filter((f4) => f4.severity === "info").map((f4) => ({ r: r4, f: f4 }))
+    )
   );
-  if (infoFindings.length) {
-    sb.push("### Notes");
-    for (const { f: f4 } of infoFindings.slice(0, 20)) {
-      sb.push(`- ${f4.message}`);
+  sb.push("<details>");
+  sb.push(
+    `<summary><strong>\u2139\uFE0F Info & notes \u2014 ${infos} item${infos === 1 ? "" : "s"}</strong></summary>`
+  );
+  sb.push("");
+  if (infoFindings.length === 0) {
+    sb.push("*No info-level notes.*");
+  } else {
+    for (const { r: r4, f: f4 } of infoFindings) {
+      const d3 = normalizeFindingDisplay(cwd, f4);
+      sb.push("<details>");
+      sb.push(`<summary>${accordionSummaryHtml(d3.file, d3.message)}</summary>`);
+      sb.push("");
+      sb.push(`- **Check:** \`${r4.checkId}\` \xB7 **id:** \`${f4.id}\``);
+      appendDetailFree(sb, cwd, d3.detail);
+      sb.push("");
+      sb.push("</details>");
+      sb.push("");
     }
-    sb.push("");
   }
+  sb.push("");
+  sb.push("</details>");
+  sb.push("");
   if (llmAppendix?.trim()) {
+    sb.push("### \u{1F916} AI / manual appendix");
+    sb.push("");
     sb.push(llmAppendix.trim());
     sb.push("");
   }
   sb.push("---");
-  sb.push("_Generated by FrontGuard \u2014 configure with `frontguard.config.js`_");
+  sb.push("");
+  sb.push(
+    mdShield(
+      "Generated by",
+      "report",
+      "FrontGuard",
+      "blueviolet"
+    )
+  );
+  sb.push("");
+  sb.push("_Configure checks in `frontguard.config.js` \xB7 [Shields.io](https://shields.io) badges load at view time._");
   return sb.join("\n");
 }
 function formatConsole(p2) {
@@ -5127,7 +5378,7 @@ async function loadManualAppendix(opts) {
   const envFile = process.env.FRONTGUARD_MANUAL_APPENDIX_FILE?.trim();
   const resolvedPath = filePath?.trim() || envFile;
   if (resolvedPath) {
-    const abs = path.isAbsolute(resolvedPath) ? resolvedPath : path.join(cwd, resolvedPath);
+    const abs = path4.isAbsolute(resolvedPath) ? resolvedPath : path4.join(cwd, resolvedPath);
     try {
       let text = await fs.readFile(abs, "utf8");
       if (text.length > MAX_CHARS) {
@@ -5217,7 +5468,11 @@ async function runFrontGuard(opts) {
     results
   });
   const llmAppendix = [manualAppendix, automatedAppendix].filter(Boolean).join("\n\n") || null;
-  const report = buildReport(stack, pr, results, { mode, llmAppendix });
+  const report = buildReport(stack, pr, results, {
+    mode,
+    llmAppendix,
+    cwd: opts.cwd
+  });
   if (opts.markdown) {
     g.stdout.write(report.markdown + "\n");
   } else {