@fourteensystems/shipguard 0.1.0

package/README.md

@@ -0,0 +1,213 @@
+# Shipguard
+
+CI guardrail that blocks unprotected mutation routes in Next.js SaaS.
+
+Shipguard statically analyzes your Next.js App Router codebase and flags mutation endpoints missing auth boundaries, rate limiting, or tenant scoping. It understands your stack — Auth.js, Clerk, Supabase, tRPC, Prisma — and stays quiet when protections are in place.
+
+## Quick Start
+
+```bash
+npx shipguard init
+```
+
+Detects your framework and dependencies, generates a config, and runs your first scan.
+
+```
+  Shipguard 0.1.0
+  Detected: next-app-router · clerk · prisma · trpc · middleware
+  Score: 85 PASS
+```
+
+## Usage
+
+```bash
+# Scan and print report
+shipguard
+
+# Only run specific rules
+shipguard scan --only AUTH-BOUNDARY-MISSING,RATE-LIMIT-MISSING
+
+# Exclude paths
+shipguard scan --exclude "app/api/internal/**"
+
+# JSON or SARIF output
+shipguard scan --format json
+shipguard scan --format sarif --output report.sarif
+
+# CI mode (fail on critical findings)
+shipguard ci --fail-on critical --min-confidence high
+
+# Save baseline for regression detection
+shipguard baseline --write
+
+# Waive a finding
+shipguard waive RATE-LIMIT-MISSING --file app/api/foo/route.ts --reason "Handled by Cloudflare WAF"
+
+# List rules
+shipguard rules
+
+# Explain a rule
+shipguard explain AUTH-BOUNDARY-MISSING
+```
+
+## What It Detects
+
+### Rules
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| AUTH-BOUNDARY-MISSING | critical | Mutation endpoints without auth checks |
+| RATE-LIMIT-MISSING | critical | Public API routes without rate limiting |
+| TENANCY-SCOPE-MISSING | critical | Prisma queries without tenant scoping |
+
+### Stack Support
+
+Shipguard auto-detects your stack and adjusts detection accordingly:
+
+| Stack | What Shipguard understands |
+|-------|---------------------------|
+| **Auth.js / NextAuth** | `auth()`, `getServerSession()`, `withAuth()`, middleware auth |
+| **Clerk** | `auth()`, `currentUser()`, `clerkMiddleware()` |
+| **Supabase** | `.auth.getUser()`, `.auth.getSession()` (call-based, not import-based) |
+| **Kinde** | `getKindeServerSession()` |
+| **WorkOS / AuthKit** | `withAuth()`, `getUser()`, `authkitMiddleware()` |
+| **Better Auth** | `auth()` |
+| **Lucia** | `validateRequest()`, `validateSession()` |
+| **Auth0** | `getSession()`, `withApiAuthRequired()` |
+| **iron-session** | `getIronSession()` |
+| **Firebase Auth** | `verifyIdToken()`, `getTokens()`, `verifySessionCookie()` |
+| **tRPC** | `protectedProcedure` vs `publicProcedure`, `.mutation()` surfaces |
+| **Prisma** | `.create()`, `.update()`, `.delete()` as mutation evidence, tenant scoping |
+| **Drizzle** | Detected but gracefully degraded (tenancy rule skips) |
+| **Upstash** | `Ratelimit`, `ratelimit.limit()` as rate-limit evidence |
+| **Arcjet** | `fixedWindow()`, `slidingWindow()`, `tokenBucket()` |
+| **Unkey** | `withUnkey()`, `verifyKey()` |
+
+### What It Skips
+
+- Webhook routes (`/api/webhooks/*`) — exempt from rate-limit
+- Cron routes (`/api/cron/*`) — exempt from rate-limit
+- `GET`-only route handlers — not mutation surfaces
+- Routes covered by `middleware.ts` auth — no double-flagging
+- HOF-wrapped handlers (`withAuth(handler)`) — detected as auth boundary
+
+See [PATTERNS.md](PATTERNS.md) for full detection logic.
+
+## GitHub Action
+
+```yaml
+name: Shipguard
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  shipguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm ci
+      - uses: shipguard/action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          min-score: 70
+          fail-on: critical
+          min-confidence: high
+```
+
+The action:
+- Comments on PRs with findings, score, and detected stack
+- Adds inline annotations on flagged files
+- Shows score delta when a baseline is provided
+- Updates the same comment on re-runs (no spam)
+
+### Action Inputs
+
+| Input | Default | Description |
+|-------|---------|-------------|
+| `fail-on` | `critical` | Minimum severity to fail the check |
+| `min-confidence` | `high` | Minimum confidence to include |
+| `min-score` | `70` | Minimum passing score |
+| `baseline` | — | Path to baseline file for regression detection |
+| `max-new-critical` | `0` | Max new critical findings allowed |
+| `max-new-high` | — | Max new high findings allowed |
+| `comment` | `true` | Post a PR comment with findings |
+| `annotations` | `true` | Add inline file annotations |
+
+### Action Outputs
+
+| Output | Description |
+|--------|-------------|
+| `score` | Shipguard score (0-100) |
+| `findings` | Total number of findings |
+| `result` | `PASS`, `WARN`, or `FAIL` |
+
+## Configuration
+
+Most teams do not need to configure Shipguard. Run `shipguard init` and commit the generated config.
+
+For advanced use cases, create `shipguard.config.json`:
+
+```json
+{
+  "framework": "next-app-router",
+  "include": ["app/**", "src/**"],
+  "exclude": ["**/*.test.*", "**/*.spec.*"],
+  "ci": {
+    "failOn": "critical",
+    "minConfidence": "high",
+    "minScore": 70,
+    "maxNewCritical": 0
+  },
+  "hints": {
+    "auth": {
+      "functions": ["auth", "getServerSession", "currentUser"],
+      "middlewareFiles": ["middleware.ts"],
+      "allowlistPaths": ["app/api/public/**"]
+    },
+    "rateLimit": {
+      "wrappers": ["rateLimit", "withRateLimit"],
+      "allowlistPaths": ["app/api/webhooks/**"]
+    },
+    "tenancy": {
+      "orgFieldNames": ["orgId", "tenantId", "workspaceId"]
+    }
+  }
+}
+```
+
+### Hints
+
+Hints tell Shipguard about your codebase-specific patterns. If you use a custom auth wrapper like `requireAuth()` or a rate limiting function like `withRateLimit()`, add it to hints so Shipguard recognizes it and doesn't flag protected routes.
+
+Most built-in patterns (Auth.js, Clerk, Supabase, Kinde, WorkOS, Lucia, Auth0, Firebase, tRPC, Upstash, Arcjet, Unkey) are detected automatically — hints are for your custom wrappers.
+
+## Confidence Levels
+
+Every finding has a confidence level:
+
+- **high** — strong evidence (e.g., `publicProcedure.mutation()` with `prisma.create`)
+- **med** — likely but uncertain (e.g., unrecognized procedure type)
+- **low** — possible issue, may be false positive
+
+Use `--min-confidence` in CI to control noise:
+
+```bash
+shipguard ci --min-confidence high
+```
+
+## Compatibility
+
+Shipguard has no runtime dependency on Next.js, but it tracks evolving ecosystem patterns. Updates primarily add new detectors and improve confidence — not compatibility fixes.
+
+Requires Next.js App Router (13.4+). Pages Router is not supported.
+
+## License
+
+MIT — see [LICENSE](LICENSE)

package/bin/shipguard.mjs

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import "../dist/cli/index.js";

package/dist/cli/commands/baseline.d.ts

@@ -0,0 +1,7 @@
+interface BaselineOptions {
+    write?: boolean;
+    output?: string;
+}
+export declare function cmdBaseline(opts: BaselineOptions): Promise<void>;
+export {};
+//# sourceMappingURL=baseline.d.ts.map

package/dist/cli/commands/baseline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/baseline.ts"],"names":[],"mappings":"AAIA,UAAU,eAAe;IACvB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBtE"}

package/dist/cli/commands/baseline.js

@@ -0,0 +1,22 @@
+import pc from "picocolors";
+import { runScan } from "../../engine/run.js";
+import { writeBaseline } from "../../engine/baseline.js";
+export async function cmdBaseline(opts) {
+    if (!opts.write) {
+        console.log(pc.dim("  Use --write to save a baseline snapshot."));
+        console.log(pc.dim("  Example: shipguard baseline --write"));
+        return;
+    }
+    try {
+        const rootDir = process.cwd();
+        const result = await runScan({ rootDir });
+        const dest = writeBaseline(rootDir, result, opts.output);
+        console.log(pc.green(`  Baseline written to ${dest}`));
+        console.log(pc.dim(`  Score: ${result.score} | Findings: ${result.findings.length}`));
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=baseline.js.map

package/dist/cli/commands/baseline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.js","sourceRoot":"","sources":["../../../src/cli/commands/baseline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAOzD,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAEzD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,KAAK,gBAAgB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACxF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/ci.d.ts

@@ -0,0 +1,13 @@
+interface CiOptions {
+    failOn: string;
+    minConfidence: string;
+    minScore: string;
+    baseline?: string;
+    maxNewCritical: string;
+    maxNewHigh?: string;
+    format: string;
+    output?: string;
+}
+export declare function cmdCi(opts: CiOptions): Promise<void>;
+export {};
+//# sourceMappingURL=ci.d.ts.map

package/dist/cli/commands/ci.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/ci.ts"],"names":[],"mappings":"AAQA,UAAU,SAAS;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,KAAK,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAiG1D"}

package/dist/cli/commands/ci.js

@@ -0,0 +1,91 @@
+import { writeFileSync } from "node:fs";
+import pc from "picocolors";
+import { runScan } from "../../engine/run.js";
+import { formatPretty, formatJson } from "../../engine/report.js";
+import { formatSarif } from "../../engine/sarif.js";
+import { loadBaseline, diffBaseline } from "../../engine/baseline.js";
+import { confidenceLevel, severityLevel, parseConfidence, parseSeverity, parseIntOrThrow } from "../../engine/score.js";
+export async function cmdCi(opts) {
+    try {
+        const rootDir = process.cwd();
+        const result = await runScan({ rootDir });
+        const minConf = parseConfidence(opts.minConfidence ?? "high");
+        const failOnSeverity = parseSeverity(opts.failOn ?? "critical");
+        const minScore = parseIntOrThrow(opts.minScore ?? "70", "min-score");
+        const maxNewCritical = parseIntOrThrow(opts.maxNewCritical ?? "0", "max-new-critical");
+        const maxNewHigh = opts.maxNewHigh !== undefined ? parseIntOrThrow(opts.maxNewHigh, "max-new-high") : undefined;
+        // Filter findings by confidence for failure evaluation
+        const gatedFindings = result.findings.filter((f) => confidenceLevel(f.confidence) >= confidenceLevel(minConf));
+        // Check baseline
+        let diff;
+        if (opts.baseline) {
+            const baseline = loadBaseline(opts.baseline);
+            if (baseline) {
+                diff = diffBaseline(baseline, result);
+            }
+        }
+        // Output report
+        let output;
+        switch (opts.format) {
+            case "json":
+                output = formatJson(result);
+                break;
+            case "sarif":
+                output = formatSarif(result);
+                break;
+            default:
+                output = formatPretty(result, diff);
+        }
+        if (opts.output) {
+            writeFileSync(opts.output, output);
+        }
+        console.log(output);
+        // Evaluate gates
+        const failures = [];
+        // Score gate
+        if (result.score < minScore) {
+            failures.push(`Score ${result.score} is below minimum ${minScore}`);
+        }
+        // Severity gate: any findings at or above fail-on severity with sufficient confidence
+        const failingSeverities = gatedFindings.filter((f) => severityLevel(f.severity) >= severityLevel(failOnSeverity));
+        if (failingSeverities.length > 0) {
+            failures.push(`${failingSeverities.length} finding(s) at ${failOnSeverity} or above (${minConf}+ confidence)`);
+        }
+        // New findings gate (baseline)
+        if (diff) {
+            const newCritical = diff.newFindings.filter((f) => f.severity === "critical").length;
+            const newHigh = diff.newFindings.filter((f) => f.severity === "high").length;
+            if (newCritical > maxNewCritical) {
+                failures.push(`${newCritical} new critical finding(s) exceeds max ${maxNewCritical}`);
+            }
+            if (maxNewHigh !== undefined && newHigh > maxNewHigh) {
+                failures.push(`${newHigh} new high finding(s) exceeds max ${maxNewHigh}`);
+            }
+        }
+        if (failures.length > 0) {
+            console.log(pc.red("\n  CI FAILED:"));
+            for (const f of failures) {
+                console.log(pc.red(`    - ${f}`));
+            }
+            // Show specific rule IDs + files that triggered the failure
+            if (failingSeverities.length > 0) {
+                console.log("");
+                console.log(pc.dim("  Failing findings:"));
+                for (const f of failingSeverities) {
+                    const loc = f.line ? `:${f.line}` : "";
+                    console.log(`    ${pc.red(f.ruleId)} ${pc.dim(`(${f.severity})`)} ${pc.dim(f.file + loc)}`);
+                }
+            }
+            console.log("");
+            process.exit(1);
+        }
+        else {
+            console.log(pc.green("\n  CI PASSED\n"));
+        }
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=ci.js.map

package/dist/cli/commands/ci.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci.js","sourceRoot":"","sources":["../../../src/cli/commands/ci.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAaxH,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,IAAe;IACzC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,aAAa,IAAI,MAAM,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC,CAAC;QAChE,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACvF,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEhH,uDAAuD;QACvD,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CACjE,CAAC;QAEF,iBAAiB;QACjB,IAAI,IAAI,CAAC;QACT,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7C,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,MAAc,CAAC;QACnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC5B,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC7B,MAAM;YACR;gBACE,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,iBAAiB;QACjB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,aAAa;QACb,IAAI,MAAM,CAAC,KAAK,GAAG,QAAQ,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,SAAS,MAAM,CAAC,KAAK,qBAAqB,QAAQ,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,sFAAsF;QACtF,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,cAAc,CAAC,CAClE,CAAC;QACF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,MAAM,kBAAkB,cAAc,cAAc,OAAO,eAAe,CAAC,CAAC;QACjH,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;YACrF,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;YAE7E,IAAI,WAAW,GAAG,cAAc,EAAE,CAAC;gBACjC,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,wCAAwC,cAAc,EAAE,CAAC,CAAC;YACxF,CAAC;YACD,IAAI,UAAU,KAAK,SAAS,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,OAAO,oCAAoC,UAAU,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACtC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;YACpC,CAAC;YAED,4DAA4D;YAC5D,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAC3C,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;oBAClC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC9F,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/explain.d.ts

@@ -0,0 +1,2 @@
+export declare function cmdExplain(ruleId: string): Promise<void>;
+//# sourceMappingURL=explain.d.ts.map

package/dist/cli/commands/explain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/explain.ts"],"names":[],"mappings":"AAGA,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoB9D"}

package/dist/cli/commands/explain.js

@@ -0,0 +1,20 @@
+import pc from "picocolors";
+import { RULE_REGISTRY } from "../../rules/index.js";
+export async function cmdExplain(ruleId) {
+    const rule = RULE_REGISTRY.find((r) => r.id === ruleId || r.id === ruleId.toUpperCase());
+    if (!rule) {
+        console.error(pc.red(`  Unknown rule: ${ruleId}`));
+        console.error(pc.dim(`  Run \`shipguard rules\` to see available rules.`));
+        process.exit(1);
+    }
+    console.log(`\n  ${pc.bold(rule.id)}`);
+    console.log(`  ${rule.name}`);
+    console.log(`  Default severity: ${rule.defaultSeverity}`);
+    console.log("");
+    console.log(`  ${rule.description}`);
+    console.log("");
+    console.log(`  ${pc.dim("How it works:")}`);
+    console.log(`  ${rule.docs}`);
+    console.log("");
+}
+//# sourceMappingURL=explain.js.map

package/dist/cli/commands/explain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../../src/cli/commands/explain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,IAAI,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,WAAW,EAAE,CACxD,CAAC;IAEF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/cli/commands/init.d.ts

@@ -0,0 +1,7 @@
+interface InitOptions {
+    force?: boolean;
+    dryRun?: boolean;
+}
+export declare function cmdInit(opts: InitOptions): Promise<void>;
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/cli/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AASA,UAAU,WAAW;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA8E9D"}

package/dist/cli/commands/init.js

@@ -0,0 +1,91 @@
+import pc from "picocolors";
+import { findConfigFile, writeDefaultConfig } from "../../engine/config.js";
+import { runScan } from "../../engine/run.js";
+import { scoreStatus } from "../../engine/score.js";
+import { readDeps } from "../../next/deps.js";
+import { detectNextAppRouter } from "../../next/detect.js";
+import { existsSync } from "node:fs";
+import path from "node:path";
+export async function cmdInit(opts) {
+    const rootDir = process.cwd();
+    // 1. Detect framework
+    const det = detectNextAppRouter(rootDir);
+    if (!det.ok) {
+        console.error(pc.red(`\n  Shipguard v1 requires a Next.js App Router project.`));
+        console.error(pc.dim(`  Reason: ${det.reason}`));
+        console.error(pc.dim(`  Make sure you're in the project root with package.json and app/ directory.\n`));
+        process.exit(1);
+    }
+    console.log(pc.green("  Detected Next.js App Router"));
+    // 2. Detect dependencies and print what we found
+    const deps = readDeps(rootDir);
+    const detected = ["next-app-router"];
+    if (deps.hasNextAuth)
+        detected.push("next-auth");
+    if (deps.hasClerk)
+        detected.push("clerk");
+    if (deps.hasSupabase)
+        detected.push("supabase");
+    if (deps.hasPrisma)
+        detected.push("prisma");
+    if (deps.hasDrizzle)
+        detected.push("drizzle");
+    if (deps.hasTrpc)
+        detected.push("trpc");
+    if (deps.hasUpstashRatelimit)
+        detected.push("upstash-ratelimit");
+    // Check for middleware
+    const hasMiddleware = existsSync(path.join(rootDir, "middleware.ts"))
+        || existsSync(path.join(rootDir, "middleware.js"))
+        || existsSync(path.join(rootDir, "src/middleware.ts"))
+        || existsSync(path.join(rootDir, "src/middleware.js"));
+    if (hasMiddleware)
+        detected.push("middleware.ts");
+    console.log(pc.green(`  Detected: ${detected.join(" · ")}`));
+    // 3. Write config (idempotent)
+    const existingConfig = findConfigFile(rootDir);
+    if (existingConfig && !opts.force) {
+        console.log(pc.dim(`  Found existing config → skipping generation (${path.basename(existingConfig)})`));
+    }
+    else if (opts.dryRun) {
+        console.log(pc.dim("  Would create shipguard.config.json (--dry-run)"));
+    }
+    else {
+        writeDefaultConfig(rootDir, { force: Boolean(opts.force) });
+        console.log(pc.green("  Created shipguard.config.json"));
+    }
+    // 4. Run scan
+    console.log(pc.dim("\n  Running scan..."));
+    try {
+        const result = await runScan({ rootDir });
+        const status = scoreStatus(result.score);
+        const scoreColor = status === "PASS" ? pc.green : status === "WARN" ? pc.yellow : pc.red;
+        console.log(`\n  Shipguard Score: ${scoreColor(String(result.score))} ${scoreColor(status)}`);
+        if (result.findings.length === 0) {
+            console.log(pc.green("  No findings — looking good!"));
+        }
+        else {
+            // Show top 5 findings
+            const top = result.findings.slice(0, 5);
+            for (const f of top) {
+                const loc = f.line ? `:${f.line}` : "";
+                const conf = pc.dim(`(${f.confidence})`);
+                console.log(`  ${pc.red(f.ruleId)} ${conf} ${pc.dim(f.file + loc)}`);
+            }
+            if (result.findings.length > 5) {
+                console.log(pc.dim(`  ... and ${result.findings.length - 5} more`));
+            }
+        }
+        // Next steps
+        console.log(pc.dim("\n  Next:"));
+        console.log(pc.dim("    shipguard baseline --write     Save current state as baseline"));
+        console.log(pc.dim("    shipguard explain <RULE>        Learn about a specific rule"));
+        console.log(pc.dim("    shipguard ci                    Run in CI mode"));
+        console.log("");
+    }
+    catch (err) {
+        console.error(pc.red(`  Scan failed: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAwB,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAiB;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE9B,sBAAsB;IACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC,CAAC;QACxG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAEvD,iDAAiD;IACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAa,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,IAAI,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,mBAAmB;QAAE,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAChE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;WACnD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACzD,IAAI,aAAa;QAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAElD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7D,+BAA+B;IAC/B,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1G,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,kBAAkB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,cAAc;IACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9F,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,sBAAsB;YACtB,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,aAAa;QACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/rules.d.ts

@@ -0,0 +1,2 @@
+export declare function cmdRules(): Promise<void>;
+//# sourceMappingURL=rules.d.ts.map

package/dist/cli/commands/rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/rules.ts"],"names":[],"mappings":"AAGA,wBAAsB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAW9C"}

package/dist/cli/commands/rules.js

@@ -0,0 +1,13 @@
+import pc from "picocolors";
+import { RULE_REGISTRY } from "../../rules/index.js";
+export async function cmdRules() {
+    console.log("\n  Shipguard Rules (v1)\n");
+    for (const rule of RULE_REGISTRY) {
+        const severityColor = rule.defaultSeverity === "critical" ? pc.red : pc.yellow;
+        console.log(`  ${pc.bold(rule.id)} ${severityColor(`[${rule.defaultSeverity}]`)}`);
+        console.log(`  ${pc.dim(rule.description)}`);
+        console.log("");
+    }
+    console.log(pc.dim("  Run `shipguard explain <RULE>` for full details.\n"));
+}
+//# sourceMappingURL=rules.js.map

package/dist/cli/commands/rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../../src/cli/commands/rules.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,QAAQ;IAC5B,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC;QAC/E,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,aAAa,CAAC,IAAI,IAAI,CAAC,eAAe,GAAG,CAAC,EAAE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC,CAAC;AAC9E,CAAC"}

package/dist/cli/commands/scan.d.ts

@@ -0,0 +1,10 @@
+interface ScanOptions {
+    format: string;
+    output?: string;
+    only?: string;
+    exclude?: string;
+    minConfidence?: string;
+}
+export declare function cmdScan(opts: ScanOptions): Promise<void>;
+export {};
+//# sourceMappingURL=scan.d.ts.map

package/dist/cli/commands/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AASA,UAAU,WAAW;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAsD9D"}

package/dist/cli/commands/scan.js

@@ -0,0 +1,55 @@
+import { writeFileSync } from "node:fs";
+import pc from "picocolors";
+import { runScan } from "../../engine/run.js";
+import { formatPretty, formatJson } from "../../engine/report.js";
+import { formatSarif } from "../../engine/sarif.js";
+import { computeScore, summarizeFindings, confidenceLevel, parseConfidence } from "../../engine/score.js";
+export async function cmdScan(opts) {
+    try {
+        const rootDir = process.cwd();
+        // Build config overrides from CLI flags
+        const configOverrides = {};
+        if (opts.only) {
+            const onlyRules = opts.only.split(",").map((r) => r.trim().toUpperCase());
+            const rules = {};
+            for (const ruleId of onlyRules) {
+                rules[ruleId] = { severity: "critical" };
+            }
+            configOverrides.rules = rules;
+        }
+        const additionalExclude = opts.exclude
+            ? opts.exclude.split(",").map((g) => g.trim())
+            : undefined;
+        const result = await runScan({ rootDir, configOverrides, additionalExclude });
+        // Filter by confidence if specified, recalculate score and summary
+        if (opts.minConfidence) {
+            const minConf = parseConfidence(opts.minConfidence);
+            result.findings = result.findings.filter((f) => confidenceLevel(f.confidence) >= confidenceLevel(minConf));
+            result.score = computeScore(result.findings);
+            const counts = summarizeFindings(result.findings);
+            result.summary = { total: result.findings.length, ...counts, waived: result.summary.waived };
+        }
+        let output;
+        switch (opts.format) {
+            case "json":
+                output = formatJson(result);
+                break;
+            case "sarif":
+                output = formatSarif(result);
+                break;
+            default:
+                output = formatPretty(result);
+        }
+        if (opts.output) {
+            writeFileSync(opts.output, output);
+        }
+        else {
+            console.log(output);
+        }
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=scan.js.map

package/dist/cli/commands/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAY1G,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAiB;IAC7C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAE9B,wCAAwC;QACxC,MAAM,eAAe,GAA6B,EAAE,CAAC;QAErD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YAC1E,MAAM,KAAK,GAA2C,EAAE,CAAC;YACzD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;gBAC/B,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;YAC3C,CAAC;YACD,eAAe,CAAC,KAAK,GAAG,KAAK,CAAC;QAChC,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO;YACpC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAE9E,mEAAmE;QACnE,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YACpD,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CACjE,CAAC;YACF,MAAM,CAAC,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,CAAC,OAAO,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QAC/F,CAAC;QAED,IAAI,MAAc,CAAC;QACnB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC5B,MAAM;YACR,KAAK,OAAO;gBACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC7B,MAAM;YACR;gBACE,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QAClC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/commands/waive.d.ts

@@ -0,0 +1,8 @@
+interface WaiveOptions {
+    file: string;
+    reason: string;
+    expiry?: string;
+}
+export declare function cmdWaive(ruleId: string, opts: WaiveOptions): Promise<void>;
+export {};
+//# sourceMappingURL=waive.d.ts.map

package/dist/cli/commands/waive.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"waive.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/waive.ts"],"names":[],"mappings":"AAIA,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BhF"}