@fourteensystems/prodcheck 0.3.0

package/dist/engine/config.test.js

@@ -0,0 +1,107 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync, writeFileSync, existsSync } from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { findConfigFile, loadConfigIfExists, writeDefaultConfig, DEFAULT_CONFIG } from "./config.js";
+describe("findConfigFile", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "prodcheck-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("returns undefined when no config exists", () => {
+        expect(findConfigFile(tmpDir)).toBeUndefined();
+    });
+    it("finds prodcheck.config.json", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), "{}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "prodcheck.config.json"));
+    });
+    it("finds prodcheck.config.ts", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.ts"), "export default {}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "prodcheck.config.ts"));
+    });
+    it("prefers ts over json", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.ts"), "export default {}");
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), "{}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "prodcheck.config.ts"));
+    });
+});
+describe("loadConfigIfExists", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "prodcheck-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("returns undefined when no config exists", () => {
+        expect(loadConfigIfExists(tmpDir)).toBeUndefined();
+    });
+    it("loads JSON config", () => {
+        const config = { framework: "next-app-router", include: ["app/**"] };
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), JSON.stringify(config));
+        const loaded = loadConfigIfExists(tmpDir);
+        expect(loaded).toBeDefined();
+        expect(loaded.framework).toBe("next-app-router");
+    });
+    it("throws on malformed JSON", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), "not json");
+        expect(() => loadConfigIfExists(tmpDir)).toThrow("Failed to parse");
+    });
+    it("returns undefined for TS config (not yet supported)", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.ts"), "export default {}");
+        expect(loadConfigIfExists(tmpDir)).toBeUndefined();
+    });
+});
+describe("writeDefaultConfig", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "prodcheck-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("writes config file", () => {
+        writeDefaultConfig(tmpDir, {});
+        expect(existsSync(path.join(tmpDir, "prodcheck.config.json"))).toBe(true);
+    });
+    it("does not overwrite existing without force", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), '{"custom": true}');
+        writeDefaultConfig(tmpDir, {});
+        const content = JSON.parse(require("node:fs").readFileSync(path.join(tmpDir, "prodcheck.config.json"), "utf8"));
+        expect(content.custom).toBe(true);
+    });
+    it("overwrites existing with force", () => {
+        writeFileSync(path.join(tmpDir, "prodcheck.config.json"), '{"custom": true}');
+        writeDefaultConfig(tmpDir, { force: true });
+        const content = JSON.parse(require("node:fs").readFileSync(path.join(tmpDir, "prodcheck.config.json"), "utf8"));
+        expect(content.custom).toBeUndefined();
+        expect(content.framework).toBe("next-app-router");
+    });
+});
+describe("DEFAULT_CONFIG", () => {
+    it("has expected structure", () => {
+        expect(DEFAULT_CONFIG.framework).toBe("next-app-router");
+        expect(DEFAULT_CONFIG.scoring.start).toBe(100);
+        expect(DEFAULT_CONFIG.scoring.penalties.critical).toBe(15);
+        expect(DEFAULT_CONFIG.rules["AUTH-BOUNDARY-MISSING"]).toBeDefined();
+        expect(DEFAULT_CONFIG.rules["RATE-LIMIT-MISSING"]).toBeDefined();
+        expect(DEFAULT_CONFIG.rules["TENANCY-SCOPE-MISSING"]).toBeDefined();
+    });
+    it("has auth hint functions", () => {
+        expect(DEFAULT_CONFIG.hints.auth.functions.length).toBeGreaterThan(0);
+        expect(DEFAULT_CONFIG.hints.auth.functions).toContain("auth");
+        expect(DEFAULT_CONFIG.hints.auth.functions).toContain("getServerSession");
+    });
+    it("has rate limit wrappers", () => {
+        expect(DEFAULT_CONFIG.hints.rateLimit.wrappers.length).toBeGreaterThan(0);
+        expect(DEFAULT_CONFIG.hints.rateLimit.wrappers).toContain("rateLimit");
+    });
+    it("has tenancy field names", () => {
+        expect(DEFAULT_CONFIG.hints.tenancy.orgFieldNames).toContain("orgId");
+        expect(DEFAULT_CONFIG.hints.tenancy.orgFieldNames).toContain("tenantId");
+    });
+});
+//# sourceMappingURL=config.test.js.map

package/dist/engine/config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.js","sourceRoot":"","sources":["../../src/engine/config.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACzE,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAErG,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrE,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAClF,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,UAAU,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAC9E,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAChH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAC9E,kBAAkB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAChH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACvC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACzD,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACpE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/engine/extensions/load.d.ts

@@ -0,0 +1,11 @@
+import type { ShipguardConfig } from "../types.js";
+/**
+ * Attempts to load the governance module if a license key is present.
+ * Soft-fails: OSS core runs fine without governance installed.
+ *
+ * NOTE: Not wired into run.ts yet. Will be integrated when governance
+ * module is built. The extension types and registry are reserved now
+ * so the boundary is defined.
+ */
+export declare function loadGovernanceIfPresent(config: ShipguardConfig): Promise<void>;
+//# sourceMappingURL=load.d.ts.map

package/dist/engine/extensions/load.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/load.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAcpF"}

package/dist/engine/extensions/load.js

@@ -0,0 +1,26 @@
+import { registerExtension } from "./registry.js";
+/**
+ * Attempts to load the governance module if a license key is present.
+ * Soft-fails: OSS core runs fine without governance installed.
+ *
+ * NOTE: Not wired into run.ts yet. Will be integrated when governance
+ * module is built. The extension types and registry are reserved now
+ * so the boundary is defined.
+ */
+export async function loadGovernanceIfPresent(config) {
+    if (!config.license?.key)
+        return;
+    try {
+        // @ts-expect-error — governance module is optional; not installed in OSS
+        const mod = await import("@shipguard/governance");
+        if (typeof mod.registerGovernance === "function") {
+            mod.registerGovernance({
+                registerExtension,
+            });
+        }
+    }
+    catch {
+        // Governance not installed — this is fine for OSS usage.
+    }
+}
+//# sourceMappingURL=load.js.map

package/dist/engine/extensions/load.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.js","sourceRoot":"","sources":["../../../src/engine/extensions/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,MAAuB;IACnE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO;IAEjC,IAAI,CAAC;QACH,yEAAyE;QACzE,MAAM,GAAG,GAA4B,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAC3E,IAAI,OAAO,GAAG,CAAC,kBAAkB,KAAK,UAAU,EAAE,CAAC;YAChD,GAAG,CAAC,kBAAqF,CAAC;gBACzF,iBAAiB;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;AACH,CAAC"}

package/dist/engine/extensions/registry.d.ts

@@ -0,0 +1,5 @@
+import type { ShipguardExtension } from "./types.js";
+export declare function registerExtension(ext: ShipguardExtension): void;
+export declare function getExtensions(): readonly ShipguardExtension[];
+export declare function clearExtensions(): void;
+//# sourceMappingURL=registry.d.ts.map

package/dist/engine/extensions/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAIrD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,kBAAkB,GAAG,IAAI,CAE/D;AAED,wBAAgB,aAAa,IAAI,SAAS,kBAAkB,EAAE,CAE7D;AAED,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}

package/dist/engine/extensions/registry.js

@@ -0,0 +1,11 @@
+const extensions = [];
+export function registerExtension(ext) {
+    extensions.push(ext);
+}
+export function getExtensions() {
+    return extensions;
+}
+export function clearExtensions() {
+    extensions.length = 0;
+}
+//# sourceMappingURL=registry.js.map

package/dist/engine/extensions/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../../src/engine/extensions/registry.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAyB,EAAE,CAAC;AAE5C,MAAM,UAAU,iBAAiB,CAAC,GAAuB;IACvD,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;AACxB,CAAC"}

package/dist/engine/extensions/types.d.ts

@@ -0,0 +1,51 @@
+import type { Finding, ScanResult, ShipguardConfig } from "../types.js";
+export type ExtensionId = string;
+export type GateResult = {
+    ok: true;
+} | {
+    ok: false;
+    exitCode: number;
+    message: string;
+    details?: unknown;
+};
+export interface RunContext {
+    rootDir: string;
+    mode: "scan" | "ci" | "init";
+}
+export interface ExtensionHooks {
+    /** Called after config is loaded. Can validate config or gate. */
+    onConfigLoaded?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+    }) => GateResult | void;
+    /** Called after analysis, before scoring. Can mutate findings or gate. */
+    onFindings?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        findings: Finding[];
+    }) => GateResult | void;
+    /** Called after scoring. Useful for policy gates. */
+    onScored?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        score: number;
+        findings: Finding[];
+    }) => GateResult | void;
+    /** Called before writing outputs. Can attach extra report sections. */
+    onReport?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        result: ScanResult;
+    }) => GateResult | void;
+    /** Called during `shipguard init`. Can add setup messages. */
+    onInit?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        messages: string[];
+    }) => void;
+}
+export interface ShipguardExtension {
+    id: ExtensionId;
+    hooks: ExtensionHooks;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/engine/extensions/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAExE,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC;AAEjC,MAAM,MAAM,UAAU,GAClB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC;AAExE,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,kEAAkE;IAClE,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;KACjB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE;QAClB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,qDAAqD;IACrD,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,MAAM,EAAE,UAAU,CAAC;KACpB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE;QACd,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,KAAK,IAAI,CAAC;CACZ;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,WAAW,CAAC;IAChB,KAAK,EAAE,cAAc,CAAC;CACvB"}

package/dist/engine/extensions/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/engine/extensions/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/engine/extensions/types.ts"],"names":[],"mappings":""}

package/dist/engine/license.d.ts

@@ -0,0 +1,40 @@
+export interface LicensePayload {
+    /** Customer identifier (email or user ID) */
+    sub: string;
+    /** Optional org/team scope */
+    org?: string;
+    /** License tier */
+    tier: "pro";
+    /** Issuer */
+    iss: "fourteensystems.com";
+    /** Issued at (unix seconds) */
+    iat: number;
+    /** Expiry (unix seconds) */
+    exp: number;
+}
+export interface LicenseResult {
+    valid: true;
+    payload: LicensePayload;
+}
+export interface LicenseError {
+    valid: false;
+    reason: string;
+}
+export type LicenseCheck = LicenseResult | LicenseError;
+/**
+ * Resolve a license key from (in priority order):
+ * 1. PRODCHECK_PRO_KEY env var
+ * 2. config.license.key
+ */
+export declare function resolveLicenseKey(configKey?: string): string | undefined;
+/**
+ * Validate and decode a Prodcheck Pro license key.
+ * Fully offline — uses Ed25519 signature verification.
+ */
+export declare function validateLicense(key: string): LicenseCheck;
+/**
+ * Require a valid Pro license or exit with a helpful message.
+ * Used at the top of Pro-gated commands.
+ */
+export declare function requireProLicense(configKey?: string): LicensePayload;
+//# sourceMappingURL=license.d.ts.map

package/dist/engine/license.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.d.ts","sourceRoot":"","sources":["../../src/engine/license.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,cAAc;IAC7B,6CAA6C;IAC7C,GAAG,EAAE,MAAM,CAAC;IACZ,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,IAAI,EAAE,KAAK,CAAC;IACZ,aAAa;IACb,GAAG,EAAE,qBAAqB,CAAC;IAC3B,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,IAAI,CAAC;IACZ,OAAO,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,KAAK,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,MAAM,YAAY,GAAG,aAAa,GAAG,YAAY,CAAC;AAIxD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAExE;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,CAgDzD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,cAAc,CAepE"}

package/dist/engine/license.js

@@ -0,0 +1,104 @@
+import { verify, createPublicKey } from "node:crypto";
+/**
+ * Prodcheck Pro license verification.
+ *
+ * Key format: pc_pro_<base64url(payload)>.<base64url(signature)>
+ * Payload:   JSON { sub, org?, tier, iss, iat, exp }
+ * Signature: Ed25519 over the raw payload bytes
+ *
+ * Verification is fully offline — no network calls.
+ */
+// Ed25519 public key for verifying license signatures.
+// The corresponding private key is held offline for key generation.
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAfISU4mB83G7joDkEkwQ8MrgflJAhdLbg8yzxZhcDwbU=
+-----END PUBLIC KEY-----`;
+const PREFIX = "pc_pro_";
+/**
+ * Resolve a license key from (in priority order):
+ * 1. PRODCHECK_PRO_KEY env var
+ * 2. config.license.key
+ */
+export function resolveLicenseKey(configKey) {
+    return process.env.PRODCHECK_PRO_KEY || configKey || undefined;
+}
+/**
+ * Validate and decode a Prodcheck Pro license key.
+ * Fully offline — uses Ed25519 signature verification.
+ */
+export function validateLicense(key) {
+    if (!key.startsWith(PREFIX)) {
+        return { valid: false, reason: "Invalid key format" };
+    }
+    const rest = key.slice(PREFIX.length);
+    const dotIndex = rest.indexOf(".");
+    if (dotIndex === -1) {
+        return { valid: false, reason: "Invalid key format" };
+    }
+    const payloadB64 = rest.slice(0, dotIndex);
+    const signatureB64 = rest.slice(dotIndex + 1);
+    // Decode payload
+    let payloadBytes;
+    let payload;
+    try {
+        payloadBytes = Buffer.from(payloadB64, "base64url");
+        payload = JSON.parse(payloadBytes.toString("utf8"));
+    }
+    catch {
+        return { valid: false, reason: "Invalid key format" };
+    }
+    // Verify Ed25519 signature
+    try {
+        const sigBytes = Buffer.from(signatureB64, "base64url");
+        const pubKey = createPublicKey(PUBLIC_KEY_PEM);
+        const valid = verify(null, payloadBytes, pubKey, sigBytes);
+        if (!valid) {
+            return { valid: false, reason: "Invalid license signature" };
+        }
+    }
+    catch {
+        return { valid: false, reason: "Signature verification failed" };
+    }
+    // Check required fields
+    if (payload.tier !== "pro" || payload.iss !== "fourteensystems.com") {
+        return { valid: false, reason: "Invalid license payload" };
+    }
+    // Check expiry
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (payload.exp && nowSec > payload.exp) {
+        return { valid: false, reason: "License expired" };
+    }
+    return { valid: true, payload };
+}
+/**
+ * Require a valid Pro license or exit with a helpful message.
+ * Used at the top of Pro-gated commands.
+ */
+export function requireProLicense(configKey) {
+    const key = resolveLicenseKey(configKey);
+    if (!key) {
+        printUpgradeMessage("No Prodcheck Pro license key found.");
+        process.exit(1);
+    }
+    const result = validateLicense(key);
+    if (!result.valid) {
+        printUpgradeMessage(result.reason);
+        process.exit(1);
+    }
+    return result.payload;
+}
+function printUpgradeMessage(reason) {
+    console.error("");
+    console.error(`  ${reason}`);
+    console.error("");
+    console.error("  This command requires Prodcheck Pro.");
+    console.error("");
+    console.error("  Set your key via:");
+    console.error("    export PRODCHECK_PRO_KEY=pc_pro_...");
+    console.error("  or in prodcheck.config.json:");
+    console.error('    { "license": { "key": "pc_pro_..." } }');
+    console.error("");
+    console.error("  Get Pro → https://fourteensystems.com/prodcheck#pricing");
+    console.error("");
+}
+//# sourceMappingURL=license.js.map

package/dist/engine/license.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.js","sourceRoot":"","sources":["../../src/engine/license.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEtD;;;;;;;;GAQG;AAEH,uDAAuD;AACvD,oEAAoE;AACpE,MAAM,cAAc,GAAG;;yBAEE,CAAC;AA6B1B,MAAM,MAAM,GAAG,SAAS,CAAC;AAEzB;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAkB;IAClD,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,SAAS,IAAI,SAAS,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE9C,iBAAiB;IACjB,IAAI,YAAoB,CAAC;IACzB,IAAI,OAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACpD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAmB,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACxD,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IAED,wBAAwB;IACxB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,IAAI,OAAO,CAAC,GAAG,KAAK,qBAAqB,EAAE,CAAC;QACpE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC7D,CAAC;IAED,eAAe;IACf,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,GAAG,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAkB;IAClD,MAAM,GAAG,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAEzC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,mBAAmB,CAAC,qCAAqC,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAc;IACzC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;IAC7B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IACxD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACrC,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;IACzD,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAChD,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC5D,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC3E,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACpB,CAAC"}

package/dist/engine/report.d.ts

@@ -0,0 +1,5 @@
+import type { ScanResult } from "./types.js";
+import type { BaselineDiff } from "./baseline.js";
+export declare function formatPretty(result: ScanResult, diff?: BaselineDiff): string;
+export declare function formatJson(result: ScanResult): string;
+//# sourceMappingURL=report.d.ts.map

package/dist/engine/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../src/engine/report.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAW,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,wBAAgB,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,MAAM,CAsG5E;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/engine/report.js

@@ -0,0 +1,115 @@
+import pc from "picocolors";
+import { scoreStatus, buildDetectedList } from "./score.js";
+export function formatPretty(result, diff) {
+    const lines = [];
+    const { score, findings, waivedFindings, summary } = result;
+    // Header with detected stack
+    const detected = buildDetectedList(result);
+    const status = scoreStatus(score);
+    const scoreColor = status === "PASS" ? pc.green : status === "WARN" ? pc.yellow : pc.red;
+    lines.push("");
+    lines.push(`  ${pc.bold("Prodcheck")} ${pc.dim(result.prodcheckVersion)}`);
+    lines.push(`  ${pc.dim("Detected:")} ${detected.join(" · ")}`);
+    // Score line with inline severity counts
+    if (findings.length === 0) {
+        lines.push(`  ${pc.dim("Score:")} ${scoreColor(String(score))} ${scoreColor(status)}`);
+    }
+    else {
+        const parts = [];
+        if (summary.critical > 0)
+            parts.push(pc.red(`${summary.critical} critical`));
+        if (summary.high > 0)
+            parts.push(pc.yellow(`${summary.high} high`));
+        if (summary.med > 0)
+            parts.push(`${summary.med} med`);
+        if (summary.low > 0)
+            parts.push(pc.dim(`${summary.low} low`));
+        lines.push(`  ${pc.dim("Score:")} ${scoreColor(String(score))} ${scoreColor(status)}  ${pc.dim("·")}  ${parts.join(pc.dim(" · "))}`);
+    }
+    // Banner: no auth provider detected
+    const d = result.detected.deps;
+    const hasAnyAuth = d.hasNextAuth || d.hasClerk || d.hasSupabase || d.hasKinde ||
+        d.hasWorkOS || d.hasBetterAuth || d.hasLucia || d.hasAuth0 || d.hasIronSession ||
+        d.hasFirebaseAuth;
+    if (!hasAnyAuth && !result.detected.middleware) {
+        lines.push("");
+        lines.push(`  ${pc.yellow("⚠")} ${pc.yellow("No auth provider detected.")} Public mutation endpoints will be treated as high risk.`);
+    }
+    if (diff) {
+        const deltaStr = diff.scoreDelta >= 0 ? `+${diff.scoreDelta}` : `${diff.scoreDelta}`;
+        lines.push(`  Delta from baseline: ${diff.scoreDelta >= 0 ? pc.green(deltaStr) : pc.red(deltaStr)}`);
+        if (diff.newFindings.length > 0) {
+            lines.push(`  New findings: ${pc.red(String(diff.newFindings.length))}`);
+        }
+        if (diff.resolvedKeys.length > 0) {
+            lines.push(`  Resolved: ${pc.green(String(diff.resolvedKeys.length))}`);
+        }
+    }
+    lines.push("");
+    // Group by severity
+    const grouped = groupBySeverity(findings);
+    for (const [severity, items] of Object.entries(grouped)) {
+        if (items.length === 0)
+            continue;
+        const color = severity === "critical" ? pc.red : severity === "high" ? pc.yellow : pc.dim;
+        lines.push(`  ${color(severity.toUpperCase())} (${items.length})`);
+        for (const f of items) {
+            const loc = f.line ? `:${f.line}` : "";
+            const conf = pc.dim(`(${f.confidence} confidence)`);
+            lines.push(`    ${f.ruleId} ${conf}`);
+            lines.push(`      ${pc.dim(f.file + loc)}`);
+            if (f.evidence.length > 0) {
+                for (const e of f.evidence) {
+                    lines.push(`      - ${e}`);
+                }
+            }
+            lines.push(`      ${pc.dim(`Why ${f.confidence}: ${f.confidenceRationale}`)}`);
+            if (f.remediation.length > 0) {
+                lines.push(`      ${pc.cyan("Fix:")} ${f.remediation[0]}`);
+            }
+        }
+        lines.push("");
+    }
+    // Remediation
+    const remediations = new Map();
+    for (const f of findings) {
+        if (!remediations.has(f.ruleId)) {
+            remediations.set(f.ruleId, f.remediation);
+        }
+    }
+    if (remediations.size > 0) {
+        lines.push("  Suggested fixes:");
+        for (const [ruleId, fixes] of remediations) {
+            for (const fix of fixes) {
+                lines.push(`    - ${fix}`);
+            }
+        }
+        lines.push("");
+    }
+    // Waivers
+    if (waivedFindings.length > 0) {
+        lines.push(`  ${pc.dim(`Waived: ${waivedFindings.length} finding(s)`)}`);
+        lines.push("");
+    }
+    // Tip
+    lines.push(pc.dim("  Tip: Use `prodcheck waive <RULE> --file <path> --reason \"...\"` to waive known exceptions."));
+    lines.push(pc.dim("  Tip: Configure hints in prodcheck.config.json to reduce false positives."));
+    lines.push("");
+    return lines.join("\n");
+}
+export function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+function groupBySeverity(findings) {
+    const groups = {
+        critical: [],
+        high: [],
+        med: [],
+        low: [],
+    };
+    for (const f of findings) {
+        groups[f.severity]?.push(f);
+    }
+    return groups;
+}
+//# sourceMappingURL=report.js.map

package/dist/engine/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../src/engine/report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAG5B,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE5D,MAAM,UAAU,YAAY,CAAC,MAAkB,EAAE,IAAmB;IAClE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE5D,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;IAC3E,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/D,yCAAyC;IACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,QAAQ,WAAW,CAAC,CAAC,CAAC;QAC7E,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC;QACpE,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;QACtD,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC;QAC9D,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;IACvI,CAAC;IAED,oCAAoC;IACpC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC/B,MAAM,UAAU,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,QAAQ;QAC3E,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,cAAc;QAC9E,CAAC,CAAC,eAAe,CAAC;IACpB,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,4BAA4B,CAAC,0DAA0D,CAAC,CAAC;IACvI,CAAC;IAED,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACrF,KAAK,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrG,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,oBAAoB;IACpB,MAAM,OAAO,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAE1C,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACjC,MAAM,KAAK,GAAG,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QAC1F,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QAEnE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,cAAc,CAAC,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YAC5C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;oBAC3B,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,mBAAmB,EAAE,CAAC,EAAE,CAAC,CAAC;YAC/E,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,cAAc;IACd,MAAM,YAAY,GAAG,IAAI,GAAG,EAAoB,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YAC3C,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;gBACxB,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,UAAU;IACV,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,WAAW,cAAc,CAAC,MAAM,aAAa,CAAC,EAAE,CAAC,CAAC;QACzE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,MAAM;IACN,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAC,CAAC;IACpH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC,CAAC;IACjG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB;IAC1C,MAAM,MAAM,GAA8B;QACxC,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,GAAG,EAAE,EAAE;QACP,GAAG,EAAE,EAAE;KACR,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/engine/run.d.ts

@@ -0,0 +1,11 @@
+import type { ProdcheckConfig, ScanResult } from "./types.js";
+export interface RunOptions {
+    rootDir: string;
+    configOverrides?: Partial<ProdcheckConfig>;
+    /** Additional exclude globs appended to config excludes (not replacing) */
+    additionalExclude?: string[];
+    /** Called with a short status string at each scan phase */
+    onProgress?: (step: string) => void;
+}
+export declare function runScan(opts: RunOptions): Promise<ScanResult>;
+//# sourceMappingURL=run.d.ts.map

package/dist/engine/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/engine/run.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAW,MAAM,YAAY,CAAC;AAQvE,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IAC3C,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,2DAA2D;IAC3D,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAyFnE"}