@dotsetlabs/bellwether 1.0.2 → 2.0.0

package/dist/cache/response-cache.js

@@ -3,6 +3,8 @@
  * Enables reuse of tool call results and LLM analysis across personas.
  */
 import { createHash } from 'crypto';
+import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from 'fs';
+import { join } from 'path';
 import { getLogger } from '../logging/logger.js';
 import { TIME_CONSTANTS, CACHE } from '../constants.js';
 const logger = getLogger('response-cache');
@@ -18,33 +20,27 @@ export class ResponseCache {
         evictions: 0,
     };
     totalSizeBytes = 0;
+    cacheDir;
     constructor(config = {}) {
         this.config = {
             defaultTTLMs: config.defaultTTLMs ?? TIME_CONSTANTS.DEFAULT_CACHE_TTL,
             maxEntries: config.maxEntries ?? CACHE.MAX_ENTRIES,
             maxSizeBytes: config.maxSizeBytes ?? 50 * 1024 * 1024, // 50MB
             enabled: config.enabled ?? true,
+            dir: config.dir ?? '',
         };
+        this.cacheDir = this.config.enabled ? this.config.dir || undefined : undefined;
+        if (this.cacheDir) {
+            this.ensureCacheDir(this.cacheDir);
+        }
     }
     /**
      * Generate a cache key from input data.
      */
     generateKey(...parts) {
-        const serialized = parts.map((p) => {
-            if (typeof p === 'string')
-                return p;
-            if (typeof p === 'undefined')
-                return 'undefined';
-            if (p === null)
-                return 'null';
-            try {
-                return JSON.stringify(p, Object.keys(p).sort());
-            }
-            catch {
-                return String(p);
-            }
-        }).join('|');
-        return createHash('sha256').update(serialized).digest('hex').slice(0, 16);
+        const serialized = parts.map((p) => stableStringify(p)).join('|');
+        // Use 128-bit hash (32 hex chars) to reduce collision risk.
+        return createHash('sha256').update(serialized).digest('hex').slice(0, 32);
     }
     /**
      * Get an entry from cache.
@@ -55,6 +51,13 @@ export class ResponseCache {
         }
         const entry = this.cache.get(key);
         if (!entry) {
+            const diskEntry = this.loadFromDisk(key);
+            if (diskEntry) {
+                this.cache.set(key, diskEntry);
+                this.totalSizeBytes += this.estimateSize(diskEntry.value);
+                this.stats.hits++;
+                return diskEntry.value;
+            }
             this.stats.misses++;
             return undefined;
         }
@@ -66,6 +69,7 @@ export class ResponseCache {
             return undefined;
         }
         entry.hitCount++;
+        entry.lastAccessedAt = new Date();
         this.stats.hits++;
         logger.debug({ key, hitCount: entry.hitCount }, 'Cache hit');
         return entry.value;
@@ -86,6 +90,7 @@ export class ResponseCache {
         const entry = {
             value,
             createdAt: now,
+            lastAccessedAt: now,
             expiresAt: new Date(now.getTime() + ttl),
             key,
             description: options?.description,
@@ -99,6 +104,7 @@ export class ResponseCache {
         this.totalSizeBytes += entrySize;
         this.cache.set(key, entry);
         logger.debug({ key, ttlMs: ttl, description: options?.description }, 'Cache entry set');
+        this.saveToDisk(entry);
     }
     /**
      * Check if key exists and is not expired.
@@ -125,8 +131,10 @@ export class ResponseCache {
         if (entry) {
             this.totalSizeBytes -= this.estimateSize(entry.value);
             this.cache.delete(key);
+            this.deleteFromDisk(key);
             return true;
         }
+        this.deleteFromDisk(key);
         return false;
     }
     /**
@@ -135,6 +143,16 @@ export class ResponseCache {
     clear() {
         this.cache.clear();
         this.totalSizeBytes = 0;
+        if (this.cacheDir && existsSync(this.cacheDir)) {
+            try {
+                for (const file of listCacheFiles(this.cacheDir)) {
+                    unlinkSync(file);
+                }
+            }
+            catch {
+                // Ignore disk cleanup errors
+            }
+        }
         logger.debug('Cache cleared');
     }
     /**
@@ -168,31 +186,30 @@ export class ResponseCache {
     evictIfNeeded(newEntrySize) {
         // Check entry count
         while (this.cache.size >= this.config.maxEntries) {
-            this.evictOldest();
+            this.evictLeastRecentlyUsed();
         }
         // Check size
-        while (this.totalSizeBytes + newEntrySize > this.config.maxSizeBytes &&
-            this.cache.size > 0) {
-            this.evictOldest();
+        while (this.totalSizeBytes + newEntrySize > this.config.maxSizeBytes && this.cache.size > 0) {
+            this.evictLeastRecentlyUsed();
         }
     }
     /**
-     * Evict the oldest entry (LRU based on creation time).
+     * Evict the least recently used entry (LRU based on last access time).
      */
-    evictOldest() {
-        let oldestKey;
-        let oldestTime = Infinity;
+    evictLeastRecentlyUsed() {
+        let lruKey;
+        let oldestAccessTime = Infinity;
         for (const [key, entry] of this.cache) {
-            const time = entry.createdAt.getTime();
-            if (time < oldestTime) {
-                oldestTime = time;
-                oldestKey = key;
+            const time = entry.lastAccessedAt.getTime();
+            if (time < oldestAccessTime) {
+                oldestAccessTime = time;
+                lruKey = key;
             }
         }
-        if (oldestKey) {
-            this.delete(oldestKey);
+        if (lruKey) {
+            this.delete(lruKey);
             this.stats.evictions++;
-            logger.debug({ key: oldestKey }, 'Evicted cache entry');
+            logger.debug({ key: lruKey }, 'Evicted cache entry');
         }
     }
     /**
@@ -206,6 +223,137 @@ export class ResponseCache {
             return 1000; // Default estimate for non-serializable values
         }
     }
+    ensureCacheDir(dir) {
+        try {
+            if (!existsSync(dir)) {
+                mkdirSync(dir, { recursive: true });
+            }
+        }
+        catch (error) {
+            logger.warn({ dir, error: String(error) }, 'Failed to create cache directory');
+            this.cacheDir = undefined;
+        }
+    }
+    getCachePath(key) {
+        if (!this.cacheDir)
+            return null;
+        return join(this.cacheDir, `${key}.json`);
+    }
+    saveToDisk(entry) {
+        const path = this.getCachePath(entry.key);
+        if (!path)
+            return;
+        try {
+            const serialized = JSON.stringify({
+                ...entry,
+                createdAt: entry.createdAt.toISOString(),
+                lastAccessedAt: entry.lastAccessedAt.toISOString(),
+                expiresAt: entry.expiresAt.toISOString(),
+            });
+            writeFileSync(path, serialized, 'utf-8');
+        }
+        catch (error) {
+            logger.debug({ key: entry.key, error: String(error) }, 'Failed to persist cache entry');
+        }
+    }
+    loadFromDisk(key) {
+        const path = this.getCachePath(key);
+        if (!path || !existsSync(path))
+            return null;
+        try {
+            const raw = readFileSync(path, 'utf-8');
+            const parsed = JSON.parse(raw);
+            const entry = {
+                ...parsed,
+                createdAt: new Date(parsed.createdAt),
+                lastAccessedAt: new Date(parsed.lastAccessedAt),
+                expiresAt: new Date(parsed.expiresAt),
+            };
+            if (new Date() > entry.expiresAt) {
+                this.deleteFromDisk(key);
+                return null;
+            }
+            entry.hitCount = (entry.hitCount ?? 0) + 1;
+            entry.lastAccessedAt = new Date();
+            this.saveToDisk(entry);
+            return entry;
+        }
+        catch (error) {
+            logger.debug({ key, error: String(error) }, 'Failed to load cache entry');
+            return null;
+        }
+    }
+    deleteFromDisk(key) {
+        const path = this.getCachePath(key);
+        if (!path || !existsSync(path))
+            return;
+        try {
+            unlinkSync(path);
+        }
+        catch {
+            // Ignore delete errors
+        }
+    }
+}
+function listCacheFiles(dir) {
+    try {
+        const entries = readdirSync(dir, { withFileTypes: true });
+        return entries
+            .filter((entry) => entry.isFile())
+            .map((entry) => join(dir, entry.name));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Stable, deterministic JSON stringify with deep key sorting.
+ * Falls back to string conversion for unsupported types.
+ */
+function stableStringify(value) {
+    const seen = new WeakSet();
+    const normalize = (input) => {
+        if (input === null || input === undefined)
+            return input;
+        const type = typeof input;
+        if (type === 'string' || type === 'number' || type === 'boolean') {
+            return input;
+        }
+        if (type === 'bigint') {
+            return input.toString();
+        }
+        if (type === 'symbol' || type === 'function') {
+            return String(input);
+        }
+        if (input instanceof Date) {
+            return input.toISOString();
+        }
+        if (Array.isArray(input)) {
+            return input.map((item) => normalize(item));
+        }
+        if (typeof input === 'object') {
+            const obj = input;
+            if (seen.has(obj)) {
+                return '[Circular]';
+            }
+            seen.add(obj);
+            const keys = Object.keys(obj).sort();
+            const normalized = {};
+            for (const key of keys) {
+                normalized[key] = normalize(obj[key]);
+            }
+            return normalized;
+        }
+        try {
+            return JSON.parse(JSON.stringify(input));
+        }
+        catch {
+            return String(input);
+        }
+    };
+    const normalized = normalize(value);
+    const json = JSON.stringify(normalized);
+    return json === undefined ? 'undefined' : json;
 }
 /**
  * Specialized cache for tool responses.

package/dist/cli/commands/check.js

@@ -13,7 +13,7 @@ import { MCPClient } from '../../transport/mcp-client.js';
 import { discover } from '../../discovery/discovery.js';
 import { Interviewer } from '../../interview/interviewer.js';
 import { generateContractMd, generateJsonReport } from '../../docs/generator.js';
-import { loadConfig, ConfigNotFoundError, parseCommandString } from '../../config/loader.js';
+import { loadConfig, ConfigNotFoundError, parseCommandString, } from '../../config/loader.js';
 import { validateConfigForCheck, getConfigWarnings } from '../../config/validator.js';
 import { createBaseline, loadBaseline, saveBaseline, getToolFingerprints, toToolCapability, compareBaselines, acceptDrift, formatDiffText, formatDiffJson, formatDiffCompact, formatDiffGitHubActions, formatDiffMarkdown, formatDiffJUnit, formatDiffSarif, applySeverityConfig, shouldFailOnDiff, analyzeForIncremental, formatIncrementalSummary, runSecurityTests, parseSecurityCategories, getAllSecurityCategories, } from '../../baseline/index.js';
 import { convertAssertions } from '../../baseline/converter.js';
@@ -21,11 +21,12 @@ import { getMetricsCollector, resetMetricsCollector } from '../../metrics/collec
 import { getGlobalCache, resetGlobalCache } from '../../cache/response-cache.js';
 import { InterviewProgressBar, formatCheckBanner } from '../utils/progress.js';
 import { buildCheckSummary, colorizeConfidence, formatConfidenceLevel, formatToolResultLine, } from '../output/terminal-reporter.js';
-import { loadScenariosFromFile, tryLoadDefaultScenarios, DEFAULT_SCENARIOS_FILE } from '../../scenarios/index.js';
+import { loadScenariosFromFile, tryLoadDefaultScenarios, DEFAULT_SCENARIOS_FILE, } from '../../scenarios/index.js';
 import { loadWorkflowsFromFile, tryLoadDefaultWorkflows, DEFAULT_WORKFLOWS_FILE, WorkflowExecutor, generateWorkflowsFromTools, generateWorkflowYamlContent, } from '../../workflow/index.js';
 import * as output from '../output.js';
 import { extractServerContextFromArgs } from '../utils/server-context.js';
 import { configureLogger } from '../../logging/logger.js';
+import { buildInterviewInsights } from '../../interview/insights.js';
 import { EXIT_CODES, SEVERITY_TO_EXIT_CODE, PATHS, SECURITY_TESTING, CHECK_SAMPLING, WORKFLOW, REPORT_SCHEMAS, PERCENTAGE_CONVERSION, } from '../../constants.js';
 export const checkCommand = new Command('check')
     .description('Check MCP server schema and detect drift (free, fast, deterministic)')
@@ -73,14 +74,6 @@ export const checkCommand = new Command('check')
         output.error(error instanceof Error ? error.message : String(error));
         process.exit(EXIT_CODES.ERROR);
     }
-    const warnings = getConfigWarnings(config);
-    if (warnings.length > 0) {
-        output.warn('Configuration warnings:');
-        for (const warning of warnings) {
-            output.warn(`  - ${warning}`);
-        }
-        output.newline();
-    }
     // Extract settings from config
     const timeout = config.server.timeout;
     const outputDir = config.output.dir;
@@ -105,7 +98,8 @@ export const checkCommand = new Command('check')
         minimumSeverity: options.minSeverity ?? config.baseline.severity.minimumSeverity,
         failOnSeverity: options.failOnSeverity ?? config.baseline.severity.failOnSeverity,
         suppressWarnings: config.baseline.severity.suppressWarnings,
-        aspectOverrides: config.baseline.severity.aspectOverrides,
+        aspectOverrides: config.baseline.severity
+            .aspectOverrides,
     };
     // Resolve check options from config (no CLI overrides for these)
     const incrementalEnabled = config.check.incremental;
@@ -114,9 +108,26 @@ export const checkCommand = new Command('check')
     const parallelWorkers = config.check.parallelWorkers;
     const performanceThreshold = config.check.performanceThreshold / PERCENTAGE_CONVERSION.DIVISOR;
     const diffFormat = options.format ?? config.check.diffFormat;
+    const machineReadableFormats = new Set(['json', 'junit', 'sarif']);
+    const machineReadable = machineReadableFormats.has(String(diffFormat).toLowerCase());
+    if (machineReadable) {
+        // Suppress standard CLI output to keep stdout clean for machine-readable formats.
+        output.configureOutput({ quiet: true });
+    }
+    const warnings = getConfigWarnings(config);
+    if (warnings.length > 0) {
+        output.warn('Configuration warnings:');
+        for (const warning of warnings) {
+            output.warn(`  - ${warning}`);
+        }
+        if (!machineReadable) {
+            output.newline();
+        }
+    }
     // Resolve security options from config
     const securityEnabled = config.check.security.enabled;
-    let securityCategories = config.check.security.categories;
+    let securityCategories = config.check.security
+        .categories;
     // Validate security categories
     try {
         securityCategories = parseSecurityCategories(securityCategories.join(','));
@@ -141,20 +152,22 @@ export const checkCommand = new Command('check')
         ? `${serverCommand} ${args.join(' ')}`.trim()
         : (remoteUrl ?? 'unknown');
     // Display startup banner
-    const banner = formatCheckBanner({
-        serverCommand: serverIdentifier,
-    });
-    output.info(banner);
-    output.newline();
-    output.info('Check: Schema validation and drift detection (free, deterministic)');
-    output.newline();
+    if (!machineReadable) {
+        const banner = formatCheckBanner({
+            serverCommand: serverIdentifier,
+        });
+        output.info(banner);
+        output.newline();
+        output.info('Check: Schema validation and drift detection (free, deterministic)');
+        output.newline();
+    }
     // Initialize metrics collector
     resetMetricsCollector();
     const metricsCollector = getMetricsCollector();
     metricsCollector.startInterview();
     // Initialize cache
     resetGlobalCache();
-    const cache = getGlobalCache({ enabled: cacheEnabled });
+    const cache = getGlobalCache({ enabled: cacheEnabled, dir: config.cache.dir });
     if (cacheEnabled && verbose) {
         output.info('Response caching enabled');
     }
@@ -182,9 +195,12 @@ export const checkCommand = new Command('check')
         }
         // Discovery phase
         output.info('Discovering capabilities...');
-        const discovery = await discover(mcpClient, transport === 'stdio' ? serverCommand : remoteUrl ?? serverCommand, transport === 'stdio' ? args : []);
+        const discovery = await discover(mcpClient, transport === 'stdio' ? serverCommand : (remoteUrl ?? serverCommand), transport === 'stdio' ? args : []);
         const resourceCount = discovery.resources?.length ?? 0;
-        const discoveryParts = [`${discovery.tools.length} tools`, `${discovery.prompts.length} prompts`];
+        const discoveryParts = [
+            `${discovery.tools.length} tools`,
+            `${discovery.prompts.length} prompts`,
+        ];
         if (resourceCount > 0) {
             discoveryParts.push(`${resourceCount} resources`);
         }
@@ -228,7 +244,9 @@ export const checkCommand = new Command('check')
             }
             else {
                 incrementalBaseline = loadBaseline(baselinePath);
-                const result = analyzeForIncremental(discovery.tools, incrementalBaseline, { maxCacheAgeHours: incrementalCacheHours });
+                const result = analyzeForIncremental(discovery.tools, incrementalBaseline, {
+                    maxCacheAgeHours: incrementalCacheHours,
+                });
                 incrementalResult = result;
                 const summary = formatIncrementalSummary(result.changeSummary);
                 output.info(`Incremental analysis: ${summary}`);
@@ -240,7 +258,7 @@ export const checkCommand = new Command('check')
                 else {
                     output.info(`Testing ${result.toolsToTest.length} tools (${result.toolsToSkip.length} cached)\n`);
                     // Filter discovery to only include tools that need testing
-                    discovery.tools = discovery.tools.filter(t => result.toolsToTest.includes(t.name));
+                    discovery.tools = discovery.tools.filter((t) => result.toolsToTest.includes(t.name));
                 }
             }
         }
@@ -323,7 +341,7 @@ export const checkCommand = new Command('check')
             interviewer.setServerContext(serverContext);
         }
         // Set up progress display
-        const progressBar = new InterviewProgressBar({ enabled: !verbose });
+        const progressBar = new InterviewProgressBar({ enabled: !verbose && !machineReadable });
         const reportedTools = new Set();
         const progressCallback = (progress) => {
             if (verbose) {
@@ -365,6 +383,8 @@ export const checkCommand = new Command('check')
         };
         output.info('Checking schemas...\n');
         const result = await interviewer.interview(mcpClient, discovery, progressCallback);
+        const insights = buildInterviewInsights(result);
+        const enrichedResult = { ...result, ...insights };
         progressBar.stop();
         if (!verbose) {
             output.newline();
@@ -431,7 +451,7 @@ export const checkCommand = new Command('check')
                 output.info(`Rate-limited tools: ${rateLimit.tools.slice(0, 5).join(', ')}${rateLimit.tools.length > 5 ? ' ...' : ''}`);
             }
         }
-        const checkSummary = buildCheckSummary(result);
+        const checkSummary = buildCheckSummary(enrichedResult);
         output.newline();
         output.lines(...checkSummary.lines);
         if (checkSummary.nextSteps.length > 0) {
@@ -462,7 +482,7 @@ export const checkCommand = new Command('check')
                         try {
                             const response = await mcpClient.callTool(tool.name, args);
                             const content = response.content
-                                .map((c) => c.type === 'text' ? c.text : '')
+                                .map((c) => (c.type === 'text' ? c.text : ''))
                                 .join('\n');
                             return {
                                 isError: response.isError ?? false,
@@ -580,7 +600,7 @@ export const checkCommand = new Command('check')
                     const workflowResult = await workflowExecutor.execute(workflow);
                     workflowResults.push(workflowResult);
                     const statusIcon = workflowResult.success ? '\u2713' : '\u2717';
-                    const stepsInfo = `${workflowResult.steps.filter(s => s.success).length}/${workflow.steps.length} steps`;
+                    const stepsInfo = `${workflowResult.steps.filter((s) => s.success).length}/${workflow.steps.length} steps`;
                     if (workflowResult.success) {
                         output.success(`  ${statusIcon} ${workflow.name} (${stepsInfo}) - ${workflowResult.durationMs}ms`);
                     }
@@ -599,7 +619,7 @@ export const checkCommand = new Command('check')
                 }
             }
             // Workflow summary
-            const passed = workflowResults.filter(r => r.success).length;
+            const passed = workflowResults.filter((r) => r.success).length;
             const failed = workflowResults.length - passed;
             output.newline();
             if (failed === 0) {
@@ -612,12 +632,25 @@ export const checkCommand = new Command('check')
         }
         // Generate documentation (after security testing so findings can be included)
         output.info('Generating documentation...');
-        const writeDocs = outputFormat === 'both' || outputFormat === 'agents.md';
+        const writeDocs = outputFormat === 'both' || outputFormat === 'docs';
         const writeJson = outputFormat === 'both' || outputFormat === 'json';
         if (writeDocs) {
-            const contractMd = generateContractMd(result, {
+            const semanticMap = insights.semanticInferences
+                ? new Map(Object.entries(insights.semanticInferences))
+                : undefined;
+            const schemaEvolutionMap = insights.schemaEvolution
+                ? new Map(Object.entries(insights.schemaEvolution))
+                : undefined;
+            const errorAnalysisMap = insights.errorAnalysisSummaries
+                ? new Map(Object.entries(insights.errorAnalysisSummaries))
+                : undefined;
+            const contractMd = generateContractMd(enrichedResult, {
                 securityFingerprints: securityEnabled ? securityFingerprints : undefined,
                 workflowResults: workflowResults.length > 0 ? workflowResults : undefined,
+                semanticInferences: semanticMap,
+                schemaEvolution: schemaEvolutionMap,
+                errorAnalysisSummaries: errorAnalysisMap,
+                documentationScore: insights.documentationScore,
                 exampleLength,
                 fullExamples,
                 maxExamplesPerTool,
@@ -631,13 +664,12 @@ export const checkCommand = new Command('check')
         }
         if (writeJson) {
             // Add workflow results to the result object for the JSON report
-            const resultWithWorkflows = workflowResults.length > 0
-                ? { ...result, workflowResults }
-                : result;
+            const resultWithWorkflows = workflowResults.length > 0 ? { ...enrichedResult, workflowResults } : enrichedResult;
             let jsonReport;
             try {
                 jsonReport = generateJsonReport(resultWithWorkflows, {
                     schemaUrl: REPORT_SCHEMAS.CHECK_REPORT_SCHEMA_URL,
+                    schemaPath: REPORT_SCHEMAS.CHECK_REPORT_SCHEMA_FILE,
                     validate: true,
                 });
             }
@@ -650,7 +682,7 @@ export const checkCommand = new Command('check')
             output.info(`Written: ${jsonPath}`);
         }
         // Create baseline from results
-        let currentBaseline = createBaseline(result, fullServerCommand);
+        let currentBaseline = createBaseline(enrichedResult, fullServerCommand);
         // Attach security fingerprints to tool fingerprints if security testing was run
         if (securityEnabled && securityFingerprints.size > 0) {
             currentBaseline = {
@@ -671,10 +703,7 @@ export const checkCommand = new Command('check')
         if (incrementalResult && incrementalResult.cachedFingerprints.length > 0) {
             // Merge new fingerprints with cached ones
             const cachedTools = incrementalResult.cachedFingerprints.map(toToolCapability);
-            const mergedTools = [
-                ...currentBaseline.capabilities.tools,
-                ...cachedTools,
-            ].sort((a, b) => a.name.localeCompare(b.name));
+            const mergedTools = [...currentBaseline.capabilities.tools, ...cachedTools].sort((a, b) => a.name.localeCompare(b.name));
             currentBaseline = {
                 ...currentBaseline,
                 capabilities: {
@@ -773,7 +802,9 @@ export const checkCommand = new Command('check')
         if (!baselinePath) {
             const formattedCheckResults = formatCheckResults(currentBaseline, diffFormat);
             if (formattedCheckResults) {
-                output.info('\n--- Check Results ---');
+                if (!machineReadable) {
+                    output.info('\n--- Check Results ---');
+                }
                 // Output directly to stdout for machine-readable formats
                 console.log(formattedCheckResults);
             }
@@ -790,10 +821,17 @@ export const checkCommand = new Command('check')
             });
             // Apply severity configuration (filtering, overrides)
             const diff = applySeverityConfig(rawDiff, severityConfig);
-            output.info('\n--- Drift Report ---');
+            if (!machineReadable) {
+                output.info('\n--- Drift Report ---');
+            }
             // Select formatter based on --format option
             const formattedDiff = formatDiff(diff, diffFormat, baselinePath);
-            output.info(formattedDiff);
+            if (machineReadable) {
+                console.log(formattedDiff);
+            }
+            else {
+                output.info(formattedDiff);
+            }
             // Report performance regressions if detected
             if (diff.performanceReport?.hasRegressions) {
                 output.warn('\n--- Performance Regressions ---');
@@ -936,7 +974,7 @@ function formatDiff(diff, format, baselinePath) {
 function formatCheckResultsJUnit(baseline) {
     const tools = getToolFingerprints(baseline);
     const lines = [];
-    const securityFailures = tools.filter(t => t.securityFingerprint?.findings?.some(f => f.riskLevel === 'critical' || f.riskLevel === 'high')).length;
+    const securityFailures = tools.filter((t) => t.securityFingerprint?.findings?.some((f) => f.riskLevel === 'critical' || f.riskLevel === 'high')).length;
     lines.push('<?xml version="1.0" encoding="UTF-8"?>');
     lines.push('<testsuites>');
     lines.push(`  <testsuite name="bellwether-check" tests="${tools.length}" failures="${securityFailures}" errors="0">`);
@@ -951,16 +989,16 @@ function formatCheckResultsJUnit(baseline) {
         lines.push('    </testcase>');
     }
     // Add security findings as test cases if present
-    const securityTools = tools.filter(t => t.securityFingerprint?.findings?.length);
+    const securityTools = tools.filter((t) => t.securityFingerprint?.findings?.length);
     if (securityTools.length > 0) {
         lines.push(`    <!-- Security findings -->`);
         for (const tool of securityTools) {
             const findings = tool.securityFingerprint?.findings ?? [];
-            const criticalHigh = findings.filter(f => f.riskLevel === 'critical' || f.riskLevel === 'high').length;
+            const criticalHigh = findings.filter((f) => f.riskLevel === 'critical' || f.riskLevel === 'high').length;
             if (criticalHigh > 0) {
                 lines.push(`    <testcase name="${tool.name}-security" classname="security">`);
                 lines.push(`      <failure message="${criticalHigh} critical/high security findings">`);
-                for (const finding of findings.filter(f => f.riskLevel === 'critical' || f.riskLevel === 'high')) {
+                for (const finding of findings.filter((f) => f.riskLevel === 'critical' || f.riskLevel === 'high')) {
                     lines.push(`        ${finding.riskLevel.toUpperCase()}: ${finding.title} (${finding.cweId})`);
                 }
                 lines.push(`      </failure>`);
@@ -981,7 +1019,7 @@ function formatCheckResultsSarif(baseline) {
     const serverUri = baseline.metadata?.serverCommand || baseline.server.name || 'mcp-server';
     const results = [];
     // Add results for tools with security findings
-    const securityTools = tools.filter(t => t.securityFingerprint?.findings?.length);
+    const securityTools = tools.filter((t) => t.securityFingerprint?.findings?.length);
     for (const tool of securityTools) {
         const findings = tool.securityFingerprint?.findings ?? [];
         for (const finding of findings) {
@@ -994,12 +1032,14 @@ function formatCheckResultsSarif(baseline) {
                 ruleId: finding.cweId || 'BWH-SEC',
                 level,
                 message: { text: `[${tool.name}] ${finding.title}: ${finding.description}` },
-                locations: [{
+                locations: [
+                    {
                         physicalLocation: {
                             artifactLocation: { uri: serverUri },
                             region: { startLine: 1 },
                         },
-                    }],
+                    },
+                ],
             });
         }
     }
@@ -1010,20 +1050,25 @@ function formatCheckResultsSarif(baseline) {
             results.push({
                 ruleId: 'BWH-REL',
                 level: 'warning',
-                message: { text: `Tool "${tool.name}" has ${(successRate * 100).toFixed(0)}% success rate` },
-                locations: [{
+                message: {
+                    text: `Tool "${tool.name}" has ${(successRate * 100).toFixed(0)}% success rate`,
+                },
+                locations: [
+                    {
                         physicalLocation: {
                             artifactLocation: { uri: serverUri },
                             region: { startLine: 1 },
                         },
-                    }],
+                    },
+                ],
             });
         }
     }
     const sarif = {
         $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
         version: '2.1.0',
-        runs: [{
+        runs: [
+            {
                 tool: {
                     driver: {
                         name: 'bellwether',
@@ -1046,7 +1091,8 @@ function formatCheckResultsSarif(baseline) {
                     },
                 },
                 results,
-            }],
+            },
+        ],
     };
     return JSON.stringify(sarif, null, 2);
 }