@dotsetlabs/bellwether 1.0.0 → 1.0.2

package/.dockerignore

@@ -0,0 +1,25 @@
+node_modules
+npm-debug.log
+.git
+.gitignore
+README.md
+CHANGELOG.md
+.eslintrc.json
+.prettierrc
+.github
+.nyc_output
+coverage
+.vscode
+.idea
+test/
+src/
+*.test.ts
+*.spec.ts
+tsconfig.json
+typedoc.json
+vitest.config.ts
+.dccache
+*.md
+!LICENSE
+!README.md
+!CHANGELOG.md

package/CHANGELOG.md

@@ -2,6 +2,69 @@
 
 All notable changes to this project will be documented in this file.
 
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.0.2] - 2026-01-30
+
+### Added
+
+- Added SARIF and JUnit output format support for `bellwether check` without baseline comparison
+  - Use `--format sarif` for GitHub Code Scanning integration
+  - Use `--format junit` for CI/CD test reporting
+- Added registry validation indicators showing environment variable requirements
+  - Servers requiring setup now display ⚙ indicator
+  - Environment variables show ✓/✗ status based on whether they're set
+  - Automatic detection of common service patterns (postgres→DATABASE_URL, etc.)
+  - Setup hints displayed for unconfigured servers
+
+### Changed
+
+- Security and thorough presets now enable security testing by default (`check.security.enabled: true`)
+
+### Fixed
+
+- Fixed baseline path resolution in `baseline compare` to be consistent with `baseline show`
+  - Now checks both output directory and current working directory before failing
+- Fixed `bellwether auth status` requiring a config file
+  - Auth commands now work without bellwether.yaml present
+- Fixed ANSI escape codes appearing in non-TTY output (e.g., when piping to files)
+  - StreamingDisplay now checks for TTY before applying ANSI styling
+  - Automatically respects `NO_COLOR` and `FORCE_COLOR=0` environment variables
+
+## [1.0.1] - 2026-01-29
+
+### Added
+
+- Added `$VAR` syntax support for environment variable interpolation in config files
+- Added rate limiting to registry client (5 req/s default)
+- Added `AnthropicClient` and `OllamaClient` exports to public API
+- Added `repository.directory` and `funding` fields to package.json
+- Added required permissions documentation to GitHub Action
+- Added debug logging for all credential operations
+- Added warning when environment variables in config are not resolved
+
+### Changed
+
+- Optimized GitHub Action to run check once; SARIF and JUnit are now converted from JSON output
+- Removed test coverage exclusion for CLI entry point
+- Removed unnecessary type casts in check.ts and security-tester.ts
+- Replaced magic number 100 with PERCENTAGE_CONVERSION.DIVISOR constant
+- Removed dead code sections from constants
+- Refactored string concatenation to template literals in CLI output modules
+
+### Fixed
+
+- Fixed version fallback inconsistency (0.13.0 → 1.0.1)
+- Fixed missing pino-pretty dependency
+- Fixed non-null assertion for remoteUrl in check.ts (added proper null check)
+- Fixed non-null assertion for incrementalResult in check.ts
+- Added debug logging to catch blocks in keychain.ts (graceful degradation with visibility)
+- Fixed flaky test in workflow executor (timing assertion)
+- Fixed test failures in baseline-accept tests (process.exit mock)
+
 ## [1.0.0] - 2026-01-27
 
 ### Breaking Changes

package/Dockerfile

@@ -0,0 +1,43 @@
+# Bellwether MCP Testing Tool
+# https://github.com/dotsetlabs/bellwether
+
+FROM node:20-alpine
+
+LABEL maintainer="Dotset Labs <hello@dotsetlabs.com>"
+LABEL description="Bellwether - MCP Server Testing & Validation"
+LABEL org.opencontainers.image.source="https://github.com/dotsetlabs/bellwether"
+
+# Install git for npm dependencies that may need it
+RUN apk add --no-cache git
+
+# Create app directory
+WORKDIR /app
+
+# Copy package files
+COPY package*.json ./
+
+# Install production dependencies only
+RUN npm ci --omit=dev
+
+# Copy built application
+COPY dist/ ./dist/
+COPY schemas/ ./schemas/
+COPY LICENSE README.md CHANGELOG.md ./
+
+# Create non-root user
+RUN addgroup -g 1001 -S bellwether && \
+    adduser -S bellwether -u 1001
+
+# Set proper permissions
+RUN chown -R bellwether:bellwether /app
+
+# Switch to non-root user
+USER bellwether
+
+# Set environment
+ENV NODE_ENV=production
+ENV BELLWETHER_DOCKER=1
+
+# Entry point
+ENTRYPOINT ["node", "dist/cli/index.js"]
+CMD ["--help"]

package/dist/auth/keychain.js

@@ -12,6 +12,8 @@ import { homedir } from 'os';
 import { join } from 'path';
 import { createRequire } from 'module';
 import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+import { getLogger } from '../logging/logger.js';
+const logger = getLogger('keychain');
 // Create require function for loading CommonJS optional dependencies in ESM
 const require = createRequire(import.meta.url);
 // Service name for keychain entries
@@ -80,7 +82,8 @@ export function decryptEnvValue(value) {
         decipher.setAuthTag(tag);
         return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
     }
-    catch {
+    catch (error) {
+        logger.debug({ error }, 'Failed to decrypt env value');
         return undefined;
     }
 }
@@ -100,8 +103,8 @@ class KeytarBackend {
                 // Using require() for optional dependency
                 this.keytar = require('keytar');
             }
-            catch {
-                // keytar not available - will use fallback
+            catch (error) {
+                logger.debug({ error }, 'keytar not available, will use file fallback');
                 this.keytar = null;
             }
         })();
@@ -154,7 +157,8 @@ class FileBackend {
                 this.envLines = [];
             }
         }
-        catch {
+        catch (error) {
+            logger.debug({ error }, 'Failed to load credentials file');
             this.envLines = [];
         }
         return this.envLines;
@@ -264,7 +268,8 @@ export class KeychainService {
             require('keytar');
             return true;
         }
-        catch {
+        catch (error) {
+            logger.debug({ error }, 'Secure keychain (keytar) not available');
             return false;
         }
     }
@@ -295,7 +300,8 @@ export class KeychainService {
         try {
             return await this.backend.getPassword(SERVICE_NAME, account);
         }
-        catch {
+        catch (error) {
+            logger.debug({ error, provider }, 'Keychain get failed, trying file backend');
             // If keytar fails, try file backend
             if (!this.useFileBackend) {
                 this.enableFileBackend();
@@ -337,7 +343,8 @@ export class KeychainService {
         try {
             return await this.backend.deletePassword(SERVICE_NAME, account);
         }
-        catch {
+        catch (error) {
+            logger.debug({ error, provider }, 'Keychain delete failed, trying file backend');
             // If keytar fails, try file backend
             if (!this.useFileBackend) {
                 this.enableFileBackend();

package/dist/baseline/change-impact-analyzer.js

@@ -543,7 +543,7 @@ function generateImpactSummary(diff, toolImpacts, brokenWorkflows) {
     if (brokenWorkflows.length > 0) {
         parts.push(`${brokenWorkflows.length} workflow(s) may be affected`);
     }
-    return parts.length > 0 ? parts.join('. ') + '.' : 'No changes detected.';
+    return parts.length > 0 ? `${parts.join('. ')}.` : 'No changes detected.';
 }
 /**
  * Check if a behavior change is actually breaking based on semantic analysis.

package/dist/baseline/comparator.js

@@ -337,7 +337,7 @@ function formatSchemaChangeValue(value) {
     // For objects, show a compact representation
     try {
         const json = JSON.stringify(value);
-        return json.length > 50 ? json.slice(0, 47) + '...' : json;
+        return json.length > 50 ? `${json.slice(0, 47)}...` : json;
     }
     catch {
         return String(value);
@@ -425,7 +425,7 @@ function generateSummary(toolsAdded, toolsRemoved, toolsModified, changes, sever
     if (warningChanges > 0) {
         parts.push(`${warningChanges} warning(s)`);
     }
-    return parts.join('. ') + '.';
+    return `${parts.join('. ')}.`;
 }
 export function hasBreakingChanges(diff) {
     return diff.severity === 'breaking';

package/dist/baseline/deprecation-tracker.js

@@ -231,7 +231,7 @@ function generateDeprecationSummary(warnings, deprecatedCount, expiredCount, gra
     if (criticalTools.length > 0) {
         parts.push(`${criticalTools.length} tool(s) will be removed within ${DEPRECATION_THRESHOLDS.CRITICAL_REMOVAL_DAYS} days`);
     }
-    return parts.join(', ') + '.';
+    return `${parts.join(', ')}.`;
 }
 /**
  * Get all deprecated tools from a baseline.

package/dist/baseline/diff.js

@@ -59,10 +59,10 @@ export function formatDiffText(diff, useColors = true) {
                 const sevColor = getSeverityColor(change.severity, useColors);
                 lines.push(`    ${sevColor(`[${change.severity.toUpperCase()}]`)} ${change.aspect}`);
                 if (change.before) {
-                    lines.push(`      ${red('- ' + change.before)}`);
+                    lines.push(`      ${red(`- ${change.before}`)}`);
                 }
                 if (change.after) {
-                    lines.push(`      ${green('+ ' + change.after)}`);
+                    lines.push(`      ${green(`+ ${change.after}`)}`);
                 }
             }
             lines.push('');
@@ -144,10 +144,10 @@ export function formatDiffText(diff, useColors = true) {
                 lines.push(`  ${issueIcon} ${bold(issue.toolName)}`);
                 lines.push(`      ${issue.summary}`);
                 if (issue.fieldsRemoved.length > 0) {
-                    lines.push(`      ${red('- Removed: ' + issue.fieldsRemoved.join(', '))}`);
+                    lines.push(`      ${red(`- Removed: ${issue.fieldsRemoved.join(', ')}`)}`);
                 }
                 if (issue.fieldsAdded.length > 0) {
-                    lines.push(`      ${green('+ Added: ' + issue.fieldsAdded.join(', '))}`);
+                    lines.push(`      ${green(`+ Added: ${issue.fieldsAdded.join(', ')}`)}`);
                 }
             }
             lines.push('');

package/dist/baseline/golden-output.js

@@ -562,7 +562,7 @@ function isPathAllowed(path, allowedPaths) {
         // Normalize pattern by stripping leading $. if present
         const normalizedPattern = pattern.replace(/^\$\.?/, '');
         // Simple glob matching: * matches any segment
-        const regex = new RegExp('^' + normalizedPattern.replace(/\*/g, '[^.]+').replace(/\./g, '\\.') + '$');
+        const regex = new RegExp(`^${normalizedPattern.replace(/\*/g, '[^.]+').replace(/\./g, '\\.')}$`);
         return regex.test(normalizedPath);
     });
 }
@@ -583,7 +583,7 @@ function truncateForDisplay(value, maxLength = 50) {
     const str = typeof value === 'string' ? value : JSON.stringify(value);
     if (str.length <= maxLength)
         return str;
-    return str.slice(0, maxLength - 3) + '...';
+    return `${str.slice(0, maxLength - 3)}...`;
 }
 /**
  * Determine severity based on differences.

package/dist/baseline/migration-generator.js

@@ -472,12 +472,12 @@ export function formatMigrationGuideMarkdown(guide) {
                 lines.push(`**${example.title}**`);
                 lines.push('');
                 lines.push('Before:');
-                lines.push('```' + example.language);
+                lines.push(`\`\`\`${example.language}`);
                 lines.push(example.before);
                 lines.push('```');
                 lines.push('');
                 lines.push('After:');
-                lines.push('```' + example.language);
+                lines.push(`\`\`\`${example.language}`);
                 lines.push(example.after);
                 lines.push('```');
                 lines.push('');

package/dist/baseline/performance-tracker.js

@@ -494,7 +494,7 @@ function generateReportSummary(regressions, improvements, stable, total) {
     if (parts.length === 0) {
         return `No performance data for ${total} tool(s).`;
     }
-    return parts.join(', ') + '.';
+    return `${parts.join(', ')}.`;
 }
 /**
  * Format performance metrics for display.

package/dist/baseline/pr-comment-generator.js

@@ -199,12 +199,12 @@ function generateMigrationSection(guide, config) {
         if (step.codeExamples && step.codeExamples.length > 0) {
             const example = step.codeExamples[0];
             lines.push('');
-            lines.push('   ```' + (example.language || ''));
+            lines.push(`   \`\`\`${example.language || ''}`);
             lines.push('   // Before:');
-            lines.push('   ' + example.before.split('\n').join('\n   '));
+            lines.push(`   ${example.before.split('\n').join('\n   ')}`);
             lines.push('');
             lines.push('   // After:');
-            lines.push('   ' + example.after.split('\n').join('\n   '));
+            lines.push(`   ${example.after.split('\n').join('\n   ')}`);
             lines.push('   ```');
         }
         lines.push('');
@@ -283,7 +283,7 @@ function formatAspect(aspect) {
 function truncate(value, maxLength = PR_COMMENTS.VALUE_TRUNCATE_LENGTH) {
     if (value.length <= maxLength)
         return value;
-    return value.substring(0, maxLength - 3) + '...';
+    return `${value.substring(0, maxLength - 3)}...`;
 }
 /**
  * Render a collapsible section.

package/dist/baseline/risk-scorer.js

@@ -429,6 +429,6 @@ export function generateRiskScoreMarkdown(riskScore) {
 function generateScoreBar(score, width = 10) {
     const filled = Math.round((score / 100) * width);
     const empty = width - filled;
-    return '[' + '█'.repeat(filled) + '░'.repeat(empty) + ']';
+    return `[${'█'.repeat(filled)}${'░'.repeat(empty)}]`;
 }
 //# sourceMappingURL=risk-scorer.js.map

package/dist/baseline/schema-evolution.js

@@ -365,7 +365,7 @@ export function generateVisualTimeline(timeline, width = SCHEMA_EVOLUTION.DEFAUL
         const marker = v.hasBreakingChanges ? '◆' : '●';
         bar += marker + '─'.repeat(segmentWidth - 1);
     }
-    lines.push('  ' + bar);
+    lines.push(`  ${bar}`);
     // Version labels
     let labels = '  ';
     for (const v of displayVersions) {

package/dist/cli/commands/baseline.js

@@ -146,12 +146,31 @@ baselineCommand
         output.error('No baseline path provided. Set baseline.path or baseline.comparePath in config, or pass a path argument.');
         process.exit(EXIT_CODES.ERROR);
     }
-    const baselineBaseDir = baselinePath ? process.cwd() : outputDir;
-    const fullBaselinePath = resolvedBaselinePath.startsWith('/')
-        ? resolvedBaselinePath
-        : join(baselineBaseDir, resolvedBaselinePath);
+    // Resolve baseline path consistently with 'show' command:
+    // 1. If absolute path, use as-is
+    // 2. First try relative to outputDir (e.g., .bellwether/)
+    // 3. Fall back to relative to cwd
+    let fullBaselinePath;
+    if (resolvedBaselinePath.startsWith('/')) {
+        fullBaselinePath = resolvedBaselinePath;
+    }
+    else {
+        const outputDirPath = join(outputDir, resolvedBaselinePath);
+        const cwdPath = join(process.cwd(), resolvedBaselinePath);
+        if (existsSync(outputDirPath)) {
+            fullBaselinePath = outputDirPath;
+        }
+        else if (existsSync(cwdPath)) {
+            fullBaselinePath = cwdPath;
+        }
+        else {
+            // Default to outputDir path for error message consistency
+            fullBaselinePath = outputDirPath;
+        }
+    }
     if (!existsSync(fullBaselinePath)) {
         output.error(`Baseline not found: ${fullBaselinePath}`);
+        output.error('\nRun `bellwether baseline save` to create a baseline.');
         process.exit(EXIT_CODES.ERROR);
     }
     let previousBaseline;
@@ -203,13 +222,13 @@ baselineCommand
     // Format and output
     switch (format) {
         case 'json':
-            console.log(formatDiffJson(diff));
+            output.info(formatDiffJson(diff));
             break;
         case 'markdown':
-            console.log(formatDiffMarkdown(diff));
+            output.info(formatDiffMarkdown(diff));
             break;
         case 'compact':
-            console.log(formatDiffCompact(diff));
+            output.info(formatDiffCompact(diff));
             break;
         default:
             output.info('--- Drift Report ---');
@@ -271,7 +290,7 @@ baselineCommand
     }
     // Raw JSON output
     if (options.json) {
-        console.log(JSON.stringify(baseline, null, 2));
+        output.info(JSON.stringify(baseline, null, 2));
         return;
     }
     // Formatted output
@@ -411,13 +430,13 @@ baselineCommand
     // Format and output
     switch (format) {
         case 'json':
-            console.log(formatDiffJson(diff));
+            output.info(formatDiffJson(diff));
             break;
         case 'markdown':
-            console.log(formatDiffMarkdown(diff));
+            output.info(formatDiffMarkdown(diff));
             break;
         case 'compact':
-            console.log(formatDiffCompact(diff));
+            output.info(formatDiffCompact(diff));
             break;
         default:
             output.info(formatDiffText(diff));

package/dist/cli/commands/check.js

@@ -26,7 +26,7 @@ import { loadWorkflowsFromFile, tryLoadDefaultWorkflows, DEFAULT_WORKFLOWS_FILE,
 import * as output from '../output.js';
 import { extractServerContextFromArgs } from '../utils/server-context.js';
 import { configureLogger } from '../../logging/logger.js';
-import { EXIT_CODES, SEVERITY_TO_EXIT_CODE, PATHS, SECURITY_TESTING, CHECK_SAMPLING, WORKFLOW, REPORT_SCHEMAS, } from '../../constants.js';
+import { EXIT_CODES, SEVERITY_TO_EXIT_CODE, PATHS, SECURITY_TESTING, CHECK_SAMPLING, WORKFLOW, REPORT_SCHEMAS, PERCENTAGE_CONVERSION, } from '../../constants.js';
 export const checkCommand = new Command('check')
     .description('Check MCP server schema and detect drift (free, fast, deterministic)')
     .allowUnknownOption() // Allow server flags like -y for npx to pass through
@@ -112,7 +112,7 @@ export const checkCommand = new Command('check')
     const incrementalCacheHours = config.check.incrementalCacheHours;
     const parallelEnabled = config.check.parallel;
     const parallelWorkers = config.check.parallelWorkers;
-    const performanceThreshold = config.check.performanceThreshold / 100;
+    const performanceThreshold = config.check.performanceThreshold / PERCENTAGE_CONVERSION.DIVISOR;
     const diffFormat = options.format ?? config.check.diffFormat;
     // Resolve security options from config
     const securityEnabled = config.check.security.enabled;
@@ -171,6 +171,10 @@ export const checkCommand = new Command('check')
             await mcpClient.connect(serverCommand, args, config.server.env);
         }
         else {
+            if (!remoteUrl) {
+                output.error('No server URL specified for remote transport');
+                process.exit(EXIT_CODES.ERROR);
+            }
             await mcpClient.connectRemote(remoteUrl, {
                 transport,
                 sessionId: remoteSessionId || undefined,
@@ -224,18 +228,19 @@ export const checkCommand = new Command('check')
             }
             else {
                 incrementalBaseline = loadBaseline(baselinePath);
-                incrementalResult = analyzeForIncremental(discovery.tools, incrementalBaseline, { maxCacheAgeHours: incrementalCacheHours });
-                const summary = formatIncrementalSummary(incrementalResult.changeSummary);
+                const result = analyzeForIncremental(discovery.tools, incrementalBaseline, { maxCacheAgeHours: incrementalCacheHours });
+                incrementalResult = result;
+                const summary = formatIncrementalSummary(result.changeSummary);
                 output.info(`Incremental analysis: ${summary}`);
-                if (incrementalResult.toolsToTest.length === 0) {
+                if (result.toolsToTest.length === 0) {
                     output.info('All tools unchanged. Using cached results.');
                     // Still need to generate output with cached data
                     // Skip to comparison section
                 }
                 else {
-                    output.info(`Testing ${incrementalResult.toolsToTest.length} tools (${incrementalResult.toolsToSkip.length} cached)\n`);
+                    output.info(`Testing ${result.toolsToTest.length} tools (${result.toolsToSkip.length} cached)\n`);
                     // Filter discovery to only include tools that need testing
-                    discovery.tools = discovery.tools.filter(t => incrementalResult.toolsToTest.includes(t.name));
+                    discovery.tools = discovery.tools.filter(t => result.toolsToTest.includes(t.name));
                 }
             }
         }
@@ -452,7 +457,7 @@ export const checkCommand = new Command('check')
                 const fingerprint = await runSecurityTests({
                     toolName: tool.name,
                     toolDescription: tool.description || '',
-                    inputSchema: tool.inputSchema,
+                    inputSchema: tool.inputSchema ?? {},
                     callTool: async (args) => {
                         try {
                             const response = await mcpClient.callTool(tool.name, args);
@@ -763,6 +768,16 @@ export const checkCommand = new Command('check')
             saveBaseline(currentBaseline, saveBaselinePath);
             output.info(`\nBaseline saved: ${saveBaselinePath}`);
         }
+        // Output formatted results for sarif/junit when no baseline comparison
+        // This allows CI systems to consume check results even without drift detection
+        if (!baselinePath) {
+            const formattedCheckResults = formatCheckResults(currentBaseline, diffFormat);
+            if (formattedCheckResults) {
+                output.info('\n--- Check Results ---');
+                // Output directly to stdout for machine-readable formats
+                console.log(formattedCheckResults);
+            }
+        }
         // Handle baseline comparison
         if (baselinePath) {
             if (!existsSync(baselinePath)) {
@@ -914,4 +929,141 @@ function formatDiff(diff, format, baselinePath) {
             return formatDiffText(diff);
     }
 }
+/**
+ * Format check results as JUnit XML (for CI systems that expect test results).
+ * This is used when --format junit is specified but no baseline comparison occurs.
+ */
+function formatCheckResultsJUnit(baseline) {
+    const tools = getToolFingerprints(baseline);
+    const lines = [];
+    const securityFailures = tools.filter(t => t.securityFingerprint?.findings?.some(f => f.riskLevel === 'critical' || f.riskLevel === 'high')).length;
+    lines.push('<?xml version="1.0" encoding="UTF-8"?>');
+    lines.push('<testsuites>');
+    lines.push(`  <testsuite name="bellwether-check" tests="${tools.length}" failures="${securityFailures}" errors="0">`);
+    for (const tool of tools) {
+        const successRate = tool.baselineSuccessRate ?? 1;
+        const status = successRate >= 0.9 ? 'passed' : 'warning';
+        lines.push(`    <testcase name="${tool.name}" classname="mcp-tools" time="0">`);
+        lines.push(`      <system-out>Success rate: ${(successRate * 100).toFixed(0)}%</system-out>`);
+        if (status === 'warning') {
+            lines.push(`      <system-err>Tool has success rate below 90%</system-err>`);
+        }
+        lines.push('    </testcase>');
+    }
+    // Add security findings as test cases if present
+    const securityTools = tools.filter(t => t.securityFingerprint?.findings?.length);
+    if (securityTools.length > 0) {
+        lines.push(`    <!-- Security findings -->`);
+        for (const tool of securityTools) {
+            const findings = tool.securityFingerprint?.findings ?? [];
+            const criticalHigh = findings.filter(f => f.riskLevel === 'critical' || f.riskLevel === 'high').length;
+            if (criticalHigh > 0) {
+                lines.push(`    <testcase name="${tool.name}-security" classname="security">`);
+                lines.push(`      <failure message="${criticalHigh} critical/high security findings">`);
+                for (const finding of findings.filter(f => f.riskLevel === 'critical' || f.riskLevel === 'high')) {
+                    lines.push(`        ${finding.riskLevel.toUpperCase()}: ${finding.title} (${finding.cweId})`);
+                }
+                lines.push(`      </failure>`);
+                lines.push('    </testcase>');
+            }
+        }
+    }
+    lines.push('  </testsuite>');
+    lines.push('</testsuites>');
+    return lines.join('\n');
+}
+/**
+ * Format check results as SARIF (for GitHub Code Scanning and other tools).
+ * This is used when --format sarif is specified but no baseline comparison occurs.
+ */
+function formatCheckResultsSarif(baseline) {
+    const tools = getToolFingerprints(baseline);
+    const serverUri = baseline.metadata?.serverCommand || baseline.server.name || 'mcp-server';
+    const results = [];
+    // Add results for tools with security findings
+    const securityTools = tools.filter(t => t.securityFingerprint?.findings?.length);
+    for (const tool of securityTools) {
+        const findings = tool.securityFingerprint?.findings ?? [];
+        for (const finding of findings) {
+            const level = finding.riskLevel === 'critical' || finding.riskLevel === 'high'
+                ? 'error'
+                : finding.riskLevel === 'medium'
+                    ? 'warning'
+                    : 'note';
+            results.push({
+                ruleId: finding.cweId || 'BWH-SEC',
+                level,
+                message: { text: `[${tool.name}] ${finding.title}: ${finding.description}` },
+                locations: [{
+                        physicalLocation: {
+                            artifactLocation: { uri: serverUri },
+                            region: { startLine: 1 },
+                        },
+                    }],
+            });
+        }
+    }
+    // Add results for tools with low success rate
+    for (const tool of tools) {
+        const successRate = tool.baselineSuccessRate ?? 1;
+        if (successRate < 0.9) {
+            results.push({
+                ruleId: 'BWH-REL',
+                level: 'warning',
+                message: { text: `Tool "${tool.name}" has ${(successRate * 100).toFixed(0)}% success rate` },
+                locations: [{
+                        physicalLocation: {
+                            artifactLocation: { uri: serverUri },
+                            region: { startLine: 1 },
+                        },
+                    }],
+            });
+        }
+    }
+    const sarif = {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [{
+                tool: {
+                    driver: {
+                        name: 'bellwether',
+                        version: '1.0.0',
+                        informationUri: 'https://github.com/dotsetlabs/bellwether',
+                        rules: [
+                            {
+                                id: 'BWH-SEC',
+                                name: 'SecurityFinding',
+                                shortDescription: { text: 'Security vulnerability detected' },
+                                defaultConfiguration: { level: 'warning' },
+                            },
+                            {
+                                id: 'BWH-REL',
+                                name: 'LowReliability',
+                                shortDescription: { text: 'Tool reliability below threshold' },
+                                defaultConfiguration: { level: 'warning' },
+                            },
+                        ],
+                    },
+                },
+                results,
+            }],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+/**
+ * Format check results using the specified output format.
+ * Used when no baseline comparison occurs.
+ */
+function formatCheckResults(baseline, format) {
+    switch (format.toLowerCase()) {
+        case 'junit':
+        case 'junit-xml':
+        case 'xml':
+            return formatCheckResultsJUnit(baseline);
+        case 'sarif':
+            return formatCheckResultsSarif(baseline);
+        default:
+            return null; // No special formatting needed for other formats
+    }
+}
 //# sourceMappingURL=check.js.map