@fourteensystems/shipguard 0.1.0 → 0.2.1

package/README.md

@@ -2,19 +2,21 @@
 
 CI guardrail that blocks unprotected mutation routes in Next.js SaaS.
 
-Shipguard statically analyzes your Next.js App Router codebase and flags mutation endpoints missing auth boundaries, rate limiting, or tenant scoping. It understands your stack — Auth.js, Clerk, Supabase, tRPC, Prisma — and stays quiet when protections are in place.
+Shipguard statically analyzes your Next.js App Router codebase and flags mutation endpoints missing auth boundaries, rate limiting, or tenant scoping. It understands your stack — Auth.js, Clerk, Supabase, tRPC, Prisma — resolves your wrapper implementations, and stays quiet when protections are in place.
+
+Zero config for most projects. Shipguard auto-detects your auth library, rate limiter, ORM, middleware, tsconfig path aliases, and HOF wrappers. No manual hints needed unless you're doing something exotic.
 
 ## Quick Start
 
 ```bash
-npx shipguard init
+npx @fourteensystems/shipguard init
 ```
 
 Detects your framework and dependencies, generates a config, and runs your first scan.
 
 ```
   Shipguard 0.1.0
-  Detected: next-app-router · clerk · prisma · trpc · middleware
+  Detected: next-app-router · next-auth · prisma · upstash-ratelimit · middleware.ts
   Score: 85 PASS
 ```
 
@@ -57,8 +59,29 @@ shipguard explain AUTH-BOUNDARY-MISSING
 | Rule | Severity | What it catches |
 |------|----------|----------------|
 | AUTH-BOUNDARY-MISSING | critical | Mutation endpoints without auth checks |
-| RATE-LIMIT-MISSING | critical | Public API routes without rate limiting |
+| RATE-LIMIT-MISSING | critical | API routes without rate limiting (auth-aware severity) |
 | TENANCY-SCOPE-MISSING | critical | Prisma queries without tenant scoping |
+| WRAPPER-UNRECOGNIZED | high | HOF wrappers that couldn't be verified for auth/rate-limit enforcement |
+
+### Wrapper Introspection
+
+The dominant pattern in real-world Next.js codebases is HOF wrappers:
+
+```ts
+export const POST = withWorkspace(async (req) => {
+  await prisma.user.create({ data: { name: "test" } });
+  return Response.json({});
+});
+```
+
+Shipguard doesn't just detect the wrapper name — it **follows the import, reads the implementation, and verifies enforcement**:
+
+1. **Resolve**: follows `import { withWorkspace } from "@/lib/auth"` through tsconfig path aliases (`@/lib/*` → `lib/*`), barrel re-exports (`index.ts` → `export * from "./workspace"`), up to 5 hops with cycle detection
+2. **Analyze**: parses the wrapper body with TypeScript AST to find auth/rate-limit calls
+3. **Verify enforcement**: checks that the call result is used in a conditional (`if (!session) throw`) — calling `getSession()` without checking the result is NOT an auth boundary
+4. **Apply**: routes using a verified wrapper are automatically cleared, no hints needed
+
+When a wrapper can't be resolved (npm package) or enforcement can't be proven, Shipguard emits a single grouped `WRAPPER-UNRECOGNIZED` finding instead of N identical per-route alerts.
 
 ### Stack Support
 
@@ -85,129 +108,40 @@ Shipguard auto-detects your stack and adjusts detection accordingly:
 
 ### What It Skips
 
-- Webhook routes (`/api/webhooks/*`) — exempt from rate-limit
+- Webhook routes (any path containing `webhook`) — exempt from rate-limit
 - Cron routes (`/api/cron/*`) — exempt from rate-limit
+- Framework-managed routes (NextAuth catch-all, OAuth/SAML endpoints, callbacks, OG images) — exempt from rate-limit
 - `GET`-only route handlers — not mutation surfaces
 - Routes covered by `middleware.ts` auth — no double-flagging
-- HOF-wrapped handlers (`withAuth(handler)`) — detected as auth boundary
-
-See [PATTERNS.md](PATTERNS.md) for full detection logic.
-
-## GitHub Action
-
-```yaml
-name: Shipguard
-on: [pull_request]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  shipguard:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm ci
-      - uses: shipguard/action@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          min-score: 70
-          fail-on: critical
-          min-confidence: high
-```
+- Routes wrapped by verified HOF wrappers (`withWorkspace(handler)` where auth+RL enforcement is proven)
+- Authenticated routes get lower rate-limit severity (abuse requires stolen credentials)
 
-The action:
-- Comments on PRs with findings, score, and detected stack
-- Adds inline annotations on flagged files
-- Shows score delta when a baseline is provided
-- Updates the same comment on re-runs (no spam)
-
-### Action Inputs
-
-| Input | Default | Description |
-|-------|---------|-------------|
-| `fail-on` | `critical` | Minimum severity to fail the check |
-| `min-confidence` | `high` | Minimum confidence to include |
-| `min-score` | `70` | Minimum passing score |
-| `baseline` | — | Path to baseline file for regression detection |
-| `max-new-critical` | `0` | Max new critical findings allowed |
-| `max-new-high` | — | Max new high findings allowed |
-| `comment` | `true` | Post a PR comment with findings |
-| `annotations` | `true` | Add inline file annotations |
-
-### Action Outputs
-
-| Output | Description |
-|--------|-------------|
-| `score` | Shipguard score (0-100) |
-| `findings` | Total number of findings |
-| `result` | `PASS`, `WARN`, or `FAIL` |
+See [PATTERNS.md](../../PATTERNS.md) for full detection logic.
 
-## Configuration
+## Monorepos
 
-Most teams do not need to configure Shipguard. Run `shipguard init` and commit the generated config.
+Shipguard must be run from the Next.js app directory (the one with `package.json` and `app/`). In a monorepo like Turborepo or pnpm workspaces:
 
-For advanced use cases, create `shipguard.config.json`:
-
-```json
-{
-  "framework": "next-app-router",
-  "include": ["app/**", "src/**"],
-  "exclude": ["**/*.test.*", "**/*.spec.*"],
-  "ci": {
-    "failOn": "critical",
-    "minConfidence": "high",
-    "minScore": 70,
-    "maxNewCritical": 0
-  },
-  "hints": {
-    "auth": {
-      "functions": ["auth", "getServerSession", "currentUser"],
-      "middlewareFiles": ["middleware.ts"],
-      "allowlistPaths": ["app/api/public/**"]
-    },
-    "rateLimit": {
-      "wrappers": ["rateLimit", "withRateLimit"],
-      "allowlistPaths": ["app/api/webhooks/**"]
-    },
-    "tenancy": {
-      "orgFieldNames": ["orgId", "tenantId", "workspaceId"]
-    }
-  }
-}
+```bash
+cd apps/web && npx @fourteensystems/shipguard scan
 ```
 
-### Hints
-
-Hints tell Shipguard about your codebase-specific patterns. If you use a custom auth wrapper like `requireAuth()` or a rate limiting function like `withRateLimit()`, add it to hints so Shipguard recognizes it and doesn't flag protected routes.
-
-Most built-in patterns (Auth.js, Clerk, Supabase, Kinde, WorkOS, Lucia, Auth0, Firebase, tRPC, Upstash, Arcjet, Unkey) are detected automatically — hints are for your custom wrappers.
-
-## Confidence Levels
-
-Every finding has a confidence level:
+Shipguard automatically reads dependencies from both the app's `package.json` and the workspace root, and checks for `middleware.ts` at both levels. tsconfig `extends` chains (e.g., `"extends": "tsconfig/nextjs.json"`) and monorepo path aliases are resolved automatically.
 
-- **high** — strong evidence (e.g., `publicProcedure.mutation()` with `prisma.create`)
-- **med** — likely but uncertain (e.g., unrecognized procedure type)
-- **low** — possible issue, may be false positive
+## Configuration
 
-Use `--min-confidence` in CI to control noise:
+Most teams do not need to configure Shipguard. Run `shipguard init` and commit the generated config.
 
-```bash
-shipguard ci --min-confidence high
-```
+With wrapper introspection, Shipguard resolves and analyzes your custom wrappers automatically. Hints are only needed for edge cases where the wrapper can't be resolved (e.g., auth handled by an API gateway, rate limiting at the CDN edge).
 
-## Compatibility
+### Hints
 
-Shipguard has no runtime dependency on Next.js, but it tracks evolving ecosystem patterns. Updates primarily add new detectors and improve confidence — not compatibility fixes.
+Hints are the "hard allow" escape hatch. Add function names when Shipguard can't verify protection automatically:
 
-Requires Next.js App Router (13.4+). Pages Router is not supported.
+- **Wrapper introspection handles most cases** — if your wrapper calls `getSession()` and throws on failure, Shipguard detects this without hints
+- **Unresolvable wrappers** (npm packages, API gateway auth) need hints: add to `hints.auth.functions` or `hints.rateLimit.wrappers`
+- **CDN/edge rate limiting** (Cloudflare, Vercel) is invisible to static analysis — use waivers or allowlist paths
 
 ## License
 
-MIT — see [LICENSE](LICENSE)
+MIT

package/dist/cli/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AASA,UAAU,WAAW;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA8E9D"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AASA,UAAU,WAAW;IACnB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAiH9D"}

package/dist/cli/commands/init.js

@@ -76,6 +76,42 @@ export async function cmdInit(opts) {
                 console.log(pc.dim(`  ... and ${result.findings.length - 5} more`));
             }
         }
+        // Wrapper suggestions
+        const wrapperFindings = result.findings.filter((f) => f.ruleId === "WRAPPER-UNRECOGNIZED");
+        if (wrapperFindings.length > 0) {
+            console.log(pc.yellow("\n  Wrapper hints needed:"));
+            for (const f of wrapperFindings) {
+                const nameMatch = f.message.match(/Wrapper "(\w+)"/);
+                if (!nameMatch)
+                    continue;
+                const name = nameMatch[1];
+                // Determine suggestion based on evidence
+                const hasAuth = f.evidence.some((e) => e.startsWith("Auth call detected:"));
+                const hasRL = f.evidence.some((e) => e.startsWith("Rate-limit call detected:"));
+                const isUnresolved = f.message.includes("could not be resolved");
+                const isUnverified = f.message.includes("enforcement not proven");
+                if (isUnresolved) {
+                    console.log(pc.dim(`    ${name} — wraps routes but could not be resolved`));
+                    console.log(pc.dim(`      If auth:       add "${name}" to hints.auth.functions`));
+                    console.log(pc.dim(`      If rate limit:  add "${name}" to hints.rateLimit.wrappers`));
+                }
+                else if (isUnverified) {
+                    if (hasAuth && !hasRL) {
+                        console.log(pc.dim(`    ${name} — calls auth but enforcement not proven`));
+                        console.log(pc.dim(`      Verify wrapper or add "${name}" to hints.auth.functions`));
+                    }
+                    else if (hasRL && !hasAuth) {
+                        console.log(pc.dim(`    ${name} — calls rate limiter but enforcement not proven`));
+                        console.log(pc.dim(`      Verify wrapper or add "${name}" to hints.rateLimit.wrappers`));
+                    }
+                    else {
+                        console.log(pc.dim(`    ${name} — missing protections`));
+                        console.log(pc.dim(`      If auth:       add "${name}" to hints.auth.functions`));
+                        console.log(pc.dim(`      If rate limit:  add "${name}" to hints.rateLimit.wrappers`));
+                    }
+                }
+            }
+        }
         // Next steps
         console.log(pc.dim("\n  Next:"));
         console.log(pc.dim("    shipguard baseline --write     Save current state as baseline"));

package/dist/cli/commands/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAwB,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAiB;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE9B,sBAAsB;IACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC,CAAC;QACxG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAEvD,iDAAiD;IACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAa,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,IAAI,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,mBAAmB;QAAE,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAChE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;WACnD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACzD,IAAI,aAAa;QAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAElD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7D,+BAA+B;IAC/B,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1G,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,kBAAkB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,cAAc;IACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9F,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,sBAAsB;YACtB,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,aAAa;QACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5E,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAwB,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAiB;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE9B,sBAAsB;IACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC,CAAC;QACxG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAEvD,iDAAiD;IACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAa,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,IAAI,CAAC,QAAQ;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,WAAW;QAAE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,IAAI,CAAC,SAAS;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,UAAU;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,mBAAmB;QAAE,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAChE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;WAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;WACnD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACzD,IAAI,aAAa;QAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAElD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,eAAe,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7D,+BAA+B;IAC/B,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1G,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,kBAAkB,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,cAAc;IACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAE9F,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,sBAAsB;YACtB,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxC,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,sBAAsB,CAAC,CAAC;QAC3F,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACpD,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;gBACrD,IAAI,CAAC,SAAS;oBAAE,SAAS;gBACzB,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBAE1B,yCAAyC;gBACzC,MAAM,OAAO,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAC5E,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC,CAAC;gBAChF,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAAC;gBACjE,MAAM,YAAY,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC;gBAElE,IAAI,YAAY,EAAE,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,2CAA2C,CAAC,CAAC,CAAC;oBAC5E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,6BAA6B,IAAI,2BAA2B,CAAC,CAAC,CAAC;oBAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,8BAA8B,IAAI,+BAA+B,CAAC,CAAC,CAAC;gBACzF,CAAC;qBAAM,IAAI,YAAY,EAAE,CAAC;oBACxB,IAAI,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,0CAA0C,CAAC,CAAC,CAAC;wBAC3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gCAAgC,IAAI,2BAA2B,CAAC,CAAC,CAAC;oBACvF,CAAC;yBAAM,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;wBAC7B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,kDAAkD,CAAC,CAAC,CAAC;wBACnF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,gCAAgC,IAAI,+BAA+B,CAAC,CAAC,CAAC;oBAC3F,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,wBAAwB,CAAC,CAAC,CAAC;wBACzD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,6BAA6B,IAAI,2BAA2B,CAAC,CAAC,CAAC;wBAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,8BAA8B,IAAI,+BAA+B,CAAC,CAAC,CAAC;oBACzF,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa;QACb,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/engine/baseline.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=baseline.test.d.ts.map

package/dist/engine/baseline.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.test.d.ts","sourceRoot":"","sources":["../../src/engine/baseline.test.ts"],"names":[],"mappings":""}

package/dist/engine/baseline.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync } from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { findingKey, writeBaseline, loadBaseline, diffBaseline } from "./baseline.js";
+function makeFinding(overrides = {}) {
+    return {
+        ruleId: "TEST-RULE",
+        severity: "high",
+        confidence: "high",
+        message: "test",
+        file: "test.ts",
+        evidence: [],
+        confidenceRationale: "",
+        remediation: [],
+        tags: [],
+        ...overrides,
+    };
+}
+function makeScanResult(findings, score = 100) {
+    return {
+        version: 1,
+        shipguardVersion: "0.1.0",
+        configHash: "abc",
+        indexVersion: 1,
+        timestamp: new Date().toISOString(),
+        framework: "next-app-router",
+        detected: {
+            deps: {},
+            trpc: false,
+            middleware: false,
+        },
+        score,
+        findings,
+        waivedFindings: [],
+        summary: { total: findings.length, critical: 0, high: 0, med: 0, low: 0, waived: 0 },
+    };
+}
+describe("findingKey", () => {
+    it("generates key from ruleId, file, and line", () => {
+        const f = makeFinding({ ruleId: "AUTH-BOUNDARY-MISSING", file: "app/api/route.ts", line: 13 });
+        expect(findingKey(f)).toBe("AUTH-BOUNDARY-MISSING::app/api/route.ts::13");
+    });
+    it("uses 0 when line is undefined", () => {
+        const f = makeFinding({ ruleId: "RATE-LIMIT-MISSING", file: "app/api/route.ts" });
+        expect(findingKey(f)).toBe("RATE-LIMIT-MISSING::app/api/route.ts::0");
+    });
+});
+describe("writeBaseline / loadBaseline", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "shipguard-test-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("writes and loads baseline roundtrip", () => {
+        const findings = [makeFinding({ ruleId: "R1", file: "a.ts", line: 1 })];
+        const result = makeScanResult(findings, 90);
+        const dest = writeBaseline(tmpDir, result);
+        const loaded = loadBaseline(dest);
+        expect(loaded).toBeDefined();
+        expect(loaded.score).toBe(90);
+        expect(loaded.findingKeys).toEqual(["R1::a.ts::1"]);
+        expect(loaded.version).toBe(1);
+    });
+    it("writes to custom path", () => {
+        const customPath = path.join(tmpDir, "custom-baseline.json");
+        const result = makeScanResult([]);
+        writeBaseline(tmpDir, result, customPath);
+        expect(loadBaseline(customPath)).toBeDefined();
+    });
+    it("returns undefined for missing file", () => {
+        expect(loadBaseline("/nonexistent/path.json")).toBeUndefined();
+    });
+    it("throws on malformed JSON", () => {
+        const badFile = path.join(tmpDir, "bad.json");
+        require("node:fs").writeFileSync(badFile, "not json");
+        expect(() => loadBaseline(badFile)).toThrow("Failed to parse baseline");
+    });
+});
+describe("diffBaseline", () => {
+    it("identifies new findings", () => {
+        const baseline = {
+            version: 1,
+            shipguardVersion: "0.1.0",
+            configHash: "abc",
+            indexVersion: 1,
+            createdAt: new Date().toISOString(),
+            score: 90,
+            findingKeys: ["R1::a.ts::1"],
+        };
+        const newFinding = makeFinding({ ruleId: "R2", file: "b.ts", line: 5 });
+        const existing = makeFinding({ ruleId: "R1", file: "a.ts", line: 1 });
+        const current = makeScanResult([existing, newFinding], 80);
+        const diff = diffBaseline(baseline, current);
+        expect(diff.newFindings).toHaveLength(1);
+        expect(diff.newFindings[0].ruleId).toBe("R2");
+        expect(diff.resolvedKeys).toHaveLength(0);
+        expect(diff.scoreDelta).toBe(-10);
+    });
+    it("identifies resolved findings", () => {
+        const baseline = {
+            version: 1,
+            shipguardVersion: "0.1.0",
+            configHash: "abc",
+            indexVersion: 1,
+            createdAt: new Date().toISOString(),
+            score: 80,
+            findingKeys: ["R1::a.ts::1", "R2::b.ts::5"],
+        };
+        const current = makeScanResult([makeFinding({ ruleId: "R1", file: "a.ts", line: 1 })], 90);
+        const diff = diffBaseline(baseline, current);
+        expect(diff.newFindings).toHaveLength(0);
+        expect(diff.resolvedKeys).toEqual(["R2::b.ts::5"]);
+        expect(diff.scoreDelta).toBe(10);
+    });
+    it("handles empty baseline and empty current", () => {
+        const baseline = {
+            version: 1,
+            shipguardVersion: "0.1.0",
+            configHash: "abc",
+            indexVersion: 1,
+            createdAt: new Date().toISOString(),
+            score: 100,
+            findingKeys: [],
+        };
+        const current = makeScanResult([], 100);
+        const diff = diffBaseline(baseline, current);
+        expect(diff.newFindings).toHaveLength(0);
+        expect(diff.resolvedKeys).toHaveLength(0);
+        expect(diff.scoreDelta).toBe(0);
+    });
+});
+//# sourceMappingURL=baseline.test.js.map

package/dist/engine/baseline.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.test.js","sourceRoot":"","sources":["../../src/engine/baseline.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAgB,MAAM,SAAS,CAAC;AAC5D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGtF,SAAS,WAAW,CAAC,YAA8B,EAAE;IACnD,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,MAAM;QAClB,OAAO,EAAE,MAAM;QACf,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,EAAE;QACZ,mBAAmB,EAAE,EAAE;QACvB,WAAW,EAAE,EAAE;QACf,IAAI,EAAE,EAAE;QACR,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,QAAmB,EAAE,KAAK,GAAG,GAAG;IACtD,OAAO;QACL,OAAO,EAAE,CAAC;QACV,gBAAgB,EAAE,OAAO;QACzB,UAAU,EAAE,KAAK;QACjB,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,iBAAiB;QAC5B,QAAQ,EAAE;YACR,IAAI,EAAE,EAAS;YACf,IAAI,EAAE,KAAK;YACX,UAAU,EAAE,KAAK;SAClB;QACD,KAAK;QACL,QAAQ;QACR,cAAc,EAAE,EAAE;QAClB,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE;KACrF,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,WAAW,CAAC,EAAE,MAAM,EAAE,uBAAuB,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAC/F,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,WAAW,CAAC,EAAE,MAAM,EAAE,oBAAoB,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAClF,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,QAAQ,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QACxE,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,MAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,MAAO,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;QACrD,MAAM,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,cAAc,CAAC,EAAE,CAAC,CAAC;QAClC,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAE1C,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,YAAY,CAAC,wBAAwB,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC9C,OAAO,CAAC,SAAS,CAAC,CAAC,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,QAAQ,GAAa;YACzB,OAAO,EAAE,CAAC;YACV,gBAAgB,EAAE,OAAO;YACzB,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,EAAE;YACT,WAAW,EAAE,CAAC,aAAa,CAAC;SAC7B,CAAC;QAEF,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;QACxE,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAC;QAE3D,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,QAAQ,GAAa;YACzB,OAAO,EAAE,CAAC;YACV,gBAAgB,EAAE,OAAO;YACzB,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,EAAE;YACT,WAAW,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;SAC5C,CAAC;QAEF,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAE3F,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,QAAQ,GAAa;YACzB,OAAO,EAAE,CAAC;YACV,gBAAgB,EAAE,OAAO;YACzB,UAAU,EAAE,KAAK;YACjB,YAAY,EAAE,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,GAAG;YACV,WAAW,EAAE,EAAE;SAChB,CAAC;QAEF,MAAM,OAAO,GAAG,cAAc,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/engine/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAQlD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMlE;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAc/E;AAED,eAAO,MAAM,cAAc,EAAE,eA+C5B,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAoDnF"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAQlD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMlE;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAc/E;AAED,eAAO,MAAM,cAAc,EAAE,eAgD5B,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAqDnF"}

package/dist/engine/config.js

@@ -73,6 +73,7 @@ export const DEFAULT_CONFIG = {
         "AUTH-BOUNDARY-MISSING": { severity: "critical" },
         "RATE-LIMIT-MISSING": { severity: "critical" },
         "TENANCY-SCOPE-MISSING": { severity: "critical" },
+        "WRAPPER-UNRECOGNIZED": { severity: "high" },
     },
     waiversFile: "shipguard.waivers.json",
 };
@@ -118,6 +119,7 @@ export function writeDefaultConfig(rootDir, opts) {
             "AUTH-BOUNDARY-MISSING": { severity: "critical" },
             "RATE-LIMIT-MISSING": { severity: "critical" },
             "TENANCY-SCOPE-MISSING": { severity: "critical" },
+            "WRAPPER-UNRECOGNIZED": { severity: "high" },
         },
         scoring: {
             start: 100,

package/dist/engine/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGlE,MAAM,YAAY,GAAG;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,uBAAuB;CACxB,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC;IAClC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;QACnE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,SAAS,EAAE,iBAAiB;IAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,oBAAoB,CAAC;IAC7D,EAAE,EAAE;QACF,MAAM,EAAE,UAAU;QAClB,aAAa,EAAE,MAAM;QACrB,QAAQ,EAAE,EAAE;QACZ,cAAc,EAAE,CAAC;KAClB;IACD,OAAO,EAAE;QACP,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;KACtD;IACD,KAAK,EAAE;QACL,IAAI,EAAE;YACJ,SAAS,EAAE;gBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;gBACvD,aAAa,EAAE,aAAa;gBAC5B,UAAU,EAAkB,uBAAuB;gBACnD,uBAAuB,EAAK,QAAQ;gBACpC,iBAAiB,EAAW,QAAQ;gBACpC,gBAAgB,EAAY,eAAe;gBAC3C,qBAAqB,EAAO,QAAQ;gBACpC,eAAe,EAAa,iBAAiB;gBAC7C,WAAW,EAAgB,0BAA0B;aACtD;YACD,eAAe,EAAE,CAAC,eAAe,CAAC;YAClC,cAAc,EAAE,EAAE;SACnB;QACD,SAAS,EAAE;YACT,QAAQ,EAAE;gBACR,WAAW,EAAE,eAAe,EAAE,WAAW,EAAE,OAAO;gBAClD,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;aACtE;YACD,cAAc,EAAE,EAAE;SACnB;QACD,OAAO,EAAE;YACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;SAC7F;KACF;IACD,KAAK,EAAE;QACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;KAClD;IACD,WAAW,EAAE,wBAAwB;CACtC,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,IAAyB;IAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;IACzD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG;QACb,OAAO,EAAE,mCAAmC;QAC5C,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;QACvC,EAAE,EAAE;YACF,MAAM,EAAE,UAAU;YAClB,aAAa,EAAE,MAAM;YACrB,QAAQ,EAAE,EAAE;YACZ,cAAc,EAAE,CAAC;SAClB;QACD,KAAK,EAAE;YACL,IAAI,EAAE;gBACJ,SAAS,EAAE;oBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;oBACvD,aAAa,EAAE,aAAa;oBAC5B,UAAU,EAAE,uBAAuB,EAAE,iBAAiB;oBACtD,gBAAgB,EAAE,qBAAqB,EAAE,eAAe,EAAE,WAAW;iBACtE;gBACD,eAAe,EAAE,CAAC,eAAe,CAAC;gBAClC,cAAc,EAAE,EAAE;aACnB;YACD,SAAS,EAAE;gBACT,QAAQ,EAAE;oBACR,WAAW,EAAE,eAAe,EAAE,OAAO;oBACrC,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;iBACtE;gBACD,cAAc,EAAE,EAAE;aACnB;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;aAC7F;SACF;QACD,KAAK,EAAE;YACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;SAClD;QACD,OAAO,EAAE;YACP,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;SACtD;QACD,WAAW,EAAE,wBAAwB;KACtC,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9D,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGlE,MAAM,YAAY,GAAG;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,uBAAuB;CACxB,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC;IAClC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;QACnE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,SAAS,EAAE,iBAAiB;IAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,oBAAoB,CAAC;IAC7D,EAAE,EAAE;QACF,MAAM,EAAE,UAAU;QAClB,aAAa,EAAE,MAAM;QACrB,QAAQ,EAAE,EAAE;QACZ,cAAc,EAAE,CAAC;KAClB;IACD,OAAO,EAAE;QACP,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;KACtD;IACD,KAAK,EAAE;QACL,IAAI,EAAE;YACJ,SAAS,EAAE;gBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;gBACvD,aAAa,EAAE,aAAa;gBAC5B,UAAU,EAAkB,uBAAuB;gBACnD,uBAAuB,EAAK,QAAQ;gBACpC,iBAAiB,EAAW,QAAQ;gBACpC,gBAAgB,EAAY,eAAe;gBAC3C,qBAAqB,EAAO,QAAQ;gBACpC,eAAe,EAAa,iBAAiB;gBAC7C,WAAW,EAAgB,0BAA0B;aACtD;YACD,eAAe,EAAE,CAAC,eAAe,CAAC;YAClC,cAAc,EAAE,EAAE;SACnB;QACD,SAAS,EAAE;YACT,QAAQ,EAAE;gBACR,WAAW,EAAE,eAAe,EAAE,WAAW,EAAE,OAAO;gBAClD,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;aACtE;YACD,cAAc,EAAE,EAAE;SACnB;QACD,OAAO,EAAE;YACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;SAC7F;KACF;IACD,KAAK,EAAE;QACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QACjD,sBAAsB,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC7C;IACD,WAAW,EAAE,wBAAwB;CACtC,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,IAAyB;IAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;IACzD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG;QACb,OAAO,EAAE,mCAAmC;QAC5C,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;QACvC,EAAE,EAAE;YACF,MAAM,EAAE,UAAU;YAClB,aAAa,EAAE,MAAM;YACrB,QAAQ,EAAE,EAAE;YACZ,cAAc,EAAE,CAAC;SAClB;QACD,KAAK,EAAE;YACL,IAAI,EAAE;gBACJ,SAAS,EAAE;oBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;oBACvD,aAAa,EAAE,aAAa;oBAC5B,UAAU,EAAE,uBAAuB,EAAE,iBAAiB;oBACtD,gBAAgB,EAAE,qBAAqB,EAAE,eAAe,EAAE,WAAW;iBACtE;gBACD,eAAe,EAAE,CAAC,eAAe,CAAC;gBAClC,cAAc,EAAE,EAAE;aACnB;YACD,SAAS,EAAE;gBACT,QAAQ,EAAE;oBACR,WAAW,EAAE,eAAe,EAAE,OAAO;oBACrC,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;iBACtE;gBACD,cAAc,EAAE,EAAE;aACnB;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;aAC7F;SACF;QACD,KAAK,EAAE;YACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjD,sBAAsB,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;SAC7C;QACD,OAAO,EAAE;YACP,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;SACtD;QACD,WAAW,EAAE,wBAAwB;KACtC,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9D,CAAC"}

package/dist/engine/config.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config.test.d.ts.map

package/dist/engine/config.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.d.ts","sourceRoot":"","sources":["../../src/engine/config.test.ts"],"names":[],"mappings":""}

package/dist/engine/config.test.js

@@ -0,0 +1,107 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync, writeFileSync, existsSync } from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { findConfigFile, loadConfigIfExists, writeDefaultConfig, DEFAULT_CONFIG } from "./config.js";
+describe("findConfigFile", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "shipguard-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("returns undefined when no config exists", () => {
+        expect(findConfigFile(tmpDir)).toBeUndefined();
+    });
+    it("finds shipguard.config.json", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), "{}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "shipguard.config.json"));
+    });
+    it("finds shipguard.config.ts", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.ts"), "export default {}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "shipguard.config.ts"));
+    });
+    it("prefers ts over json", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.ts"), "export default {}");
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), "{}");
+        expect(findConfigFile(tmpDir)).toBe(path.join(tmpDir, "shipguard.config.ts"));
+    });
+});
+describe("loadConfigIfExists", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "shipguard-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("returns undefined when no config exists", () => {
+        expect(loadConfigIfExists(tmpDir)).toBeUndefined();
+    });
+    it("loads JSON config", () => {
+        const config = { framework: "next-app-router", include: ["app/**"] };
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), JSON.stringify(config));
+        const loaded = loadConfigIfExists(tmpDir);
+        expect(loaded).toBeDefined();
+        expect(loaded.framework).toBe("next-app-router");
+    });
+    it("throws on malformed JSON", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), "not json");
+        expect(() => loadConfigIfExists(tmpDir)).toThrow("Failed to parse");
+    });
+    it("returns undefined for TS config (not yet supported)", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.ts"), "export default {}");
+        expect(loadConfigIfExists(tmpDir)).toBeUndefined();
+    });
+});
+describe("writeDefaultConfig", () => {
+    let tmpDir;
+    beforeEach(() => {
+        tmpDir = mkdtempSync(path.join(os.tmpdir(), "shipguard-config-"));
+    });
+    afterEach(() => {
+        rmSync(tmpDir, { recursive: true, force: true });
+    });
+    it("writes config file", () => {
+        writeDefaultConfig(tmpDir, {});
+        expect(existsSync(path.join(tmpDir, "shipguard.config.json"))).toBe(true);
+    });
+    it("does not overwrite existing without force", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), '{"custom": true}');
+        writeDefaultConfig(tmpDir, {});
+        const content = JSON.parse(require("node:fs").readFileSync(path.join(tmpDir, "shipguard.config.json"), "utf8"));
+        expect(content.custom).toBe(true);
+    });
+    it("overwrites existing with force", () => {
+        writeFileSync(path.join(tmpDir, "shipguard.config.json"), '{"custom": true}');
+        writeDefaultConfig(tmpDir, { force: true });
+        const content = JSON.parse(require("node:fs").readFileSync(path.join(tmpDir, "shipguard.config.json"), "utf8"));
+        expect(content.custom).toBeUndefined();
+        expect(content.framework).toBe("next-app-router");
+    });
+});
+describe("DEFAULT_CONFIG", () => {
+    it("has expected structure", () => {
+        expect(DEFAULT_CONFIG.framework).toBe("next-app-router");
+        expect(DEFAULT_CONFIG.scoring.start).toBe(100);
+        expect(DEFAULT_CONFIG.scoring.penalties.critical).toBe(25);
+        expect(DEFAULT_CONFIG.rules["AUTH-BOUNDARY-MISSING"]).toBeDefined();
+        expect(DEFAULT_CONFIG.rules["RATE-LIMIT-MISSING"]).toBeDefined();
+        expect(DEFAULT_CONFIG.rules["TENANCY-SCOPE-MISSING"]).toBeDefined();
+    });
+    it("has auth hint functions", () => {
+        expect(DEFAULT_CONFIG.hints.auth.functions.length).toBeGreaterThan(0);
+        expect(DEFAULT_CONFIG.hints.auth.functions).toContain("auth");
+        expect(DEFAULT_CONFIG.hints.auth.functions).toContain("getServerSession");
+    });
+    it("has rate limit wrappers", () => {
+        expect(DEFAULT_CONFIG.hints.rateLimit.wrappers.length).toBeGreaterThan(0);
+        expect(DEFAULT_CONFIG.hints.rateLimit.wrappers).toContain("rateLimit");
+    });
+    it("has tenancy field names", () => {
+        expect(DEFAULT_CONFIG.hints.tenancy.orgFieldNames).toContain("orgId");
+        expect(DEFAULT_CONFIG.hints.tenancy.orgFieldNames).toContain("tenantId");
+    });
+});
+//# sourceMappingURL=config.test.js.map

package/dist/engine/config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.js","sourceRoot":"","sources":["../../src/engine/config.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACzE,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAErG,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,CAAC;QAChE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,MAAM,GAAG,EAAE,SAAS,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrE,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAClF,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,MAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,UAAU,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,EAAE,mBAAmB,CAAC,CAAC;QAC7E,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAC9E,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAChH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAC9E,kBAAkB,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAChH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACvC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACzD,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/C,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACpE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC1E,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACtE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/engine/sarif.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sarif.test.d.ts.map

package/dist/engine/sarif.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.test.d.ts","sourceRoot":"","sources":["../../src/engine/sarif.test.ts"],"names":[],"mappings":""}