@fourteensystems/shipguard 0.1.0

package/dist/cli/commands/waive.js

@@ -0,0 +1,34 @@
+import pc from "picocolors";
+import { addWaiver } from "../../engine/waivers.js";
+import { loadConfigIfExists, DEFAULT_CONFIG } from "../../engine/config.js";
+export async function cmdWaive(ruleId, opts) {
+    try {
+        // Validate expiry date if provided
+        if (opts.expiry) {
+            const d = new Date(opts.expiry);
+            if (isNaN(d.getTime())) {
+                console.error(pc.red(`  Invalid expiry date: "${opts.expiry}". Use ISO format (e.g., 2025-12-31)`));
+                process.exit(1);
+            }
+        }
+        const rootDir = process.cwd();
+        const config = loadConfigIfExists(rootDir) ?? DEFAULT_CONFIG;
+        const waiver = addWaiver(rootDir, config.waiversFile, {
+            ruleId,
+            file: opts.file,
+            reason: opts.reason,
+            expiry: opts.expiry,
+        });
+        console.log(pc.green(`  Waiver added for ${ruleId}`));
+        console.log(pc.dim(`  File: ${waiver.file}`));
+        console.log(pc.dim(`  Reason: ${waiver.reason}`));
+        if (waiver.expiry) {
+            console.log(pc.dim(`  Expires: ${waiver.expiry}`));
+        }
+    }
+    catch (err) {
+        console.error(pc.red(`  Error: ${err instanceof Error ? err.message : String(err)}`));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=waive.js.map

package/dist/cli/commands/waive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"waive.js","sourceRoot":"","sources":["../../../src/cli/commands/waive.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAQ5E,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAc,EAAE,IAAkB;IAC/D,IAAI,CAAC;QACH,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;gBACvB,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,2BAA2B,IAAI,CAAC,MAAM,sCAAsC,CAAC,CAAC,CAAC;gBACpG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,cAAc,CAAC;QAE7D,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE;YACpD,MAAM;YACN,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,YAAY,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,63 @@
+import { Command } from "commander";
+import { cmdScan } from "./commands/scan.js";
+import { cmdCi } from "./commands/ci.js";
+import { cmdInit } from "./commands/init.js";
+import { cmdBaseline } from "./commands/baseline.js";
+import { cmdWaive } from "./commands/waive.js";
+import { cmdRules } from "./commands/rules.js";
+import { cmdExplain } from "./commands/explain.js";
+const program = new Command();
+program
+    .name("shipguard")
+    .description("Code-level operational maturity analysis for Next.js projects")
+    .version("0.1.0");
+program
+    .command("init")
+    .description("Detect framework, generate config, and run first scan")
+    .option("--force", "Overwrite existing config")
+    .option("--dry-run", "Print what would happen without writing files")
+    .action(cmdInit);
+program
+    .command("scan", { isDefault: true })
+    .description("Scan the project and print readiness report")
+    .option("--format <format>", "Output format: pretty, json, sarif", "pretty")
+    .option("--output <path>", "Write report to file")
+    .option("--only <rules>", "Run only specified rules (comma-separated)")
+    .option("--exclude <globs>", "Additional exclude patterns (comma-separated)")
+    .option("--min-confidence <level>", "Minimum confidence to report: low, med, high")
+    .action(cmdScan);
+program
+    .command("ci")
+    .description("CI mode: enforce thresholds and fail on regressions")
+    .option("--fail-on <severity>", "Minimum severity to fail: low, med, high, critical", "critical")
+    .option("--min-confidence <level>", "Minimum confidence to fail: low, med, high", "high")
+    .option("--min-score <score>", "Minimum passing score", "70")
+    .option("--baseline <path>", "Baseline file for regression detection")
+    .option("--max-new-critical <n>", "Max new critical findings allowed", "0")
+    .option("--max-new-high <n>", "Max new high findings allowed")
+    .option("--format <format>", "Output format: pretty, json, sarif", "pretty")
+    .option("--output <path>", "Write report to file")
+    .action(cmdCi);
+program
+    .command("baseline")
+    .description("Write or update baseline snapshot")
+    .option("--write", "Write baseline file")
+    .option("--output <path>", "Baseline output path")
+    .action(cmdBaseline);
+program
+    .command("waive <rule>")
+    .description("Add a waiver for a specific finding")
+    .requiredOption("--file <path>", "File to waive")
+    .requiredOption("--reason <reason>", "Reason for waiver")
+    .option("--expiry <date>", "Waiver expiry date (ISO format)")
+    .action(cmdWaive);
+program
+    .command("rules")
+    .description("List all available rules")
+    .action(cmdRules);
+program
+    .command("explain <rule>")
+    .description("Show detailed explanation for a rule")
+    .action(cmdExplain);
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,+DAA+D,CAAC;KAC5E,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,uDAAuD,CAAC;KACpE,MAAM,CAAC,SAAS,EAAE,2BAA2B,CAAC;KAC9C,MAAM,CAAC,WAAW,EAAE,+CAA+C,CAAC;KACpE,MAAM,CAAC,OAAO,CAAC,CAAC;AAEnB,OAAO;KACJ,OAAO,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KACpC,WAAW,CAAC,6CAA6C,CAAC;KAC1D,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,EAAE,QAAQ,CAAC;KAC3E,MAAM,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;KACjD,MAAM,CAAC,gBAAgB,EAAE,4CAA4C,CAAC;KACtE,MAAM,CAAC,mBAAmB,EAAE,+CAA+C,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,8CAA8C,CAAC;KAClF,MAAM,CAAC,OAAO,CAAC,CAAC;AAEnB,OAAO;KACJ,OAAO,CAAC,IAAI,CAAC;KACb,WAAW,CAAC,qDAAqD,CAAC;KAClE,MAAM,CAAC,sBAAsB,EAAE,oDAAoD,EAAE,UAAU,CAAC;KAChG,MAAM,CAAC,0BAA0B,EAAE,4CAA4C,EAAE,MAAM,CAAC;KACxF,MAAM,CAAC,qBAAqB,EAAE,uBAAuB,EAAE,IAAI,CAAC;KAC5D,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,wBAAwB,EAAE,mCAAmC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,+BAA+B,CAAC;KAC7D,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,EAAE,QAAQ,CAAC;KAC3E,MAAM,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;KACjD,MAAM,CAAC,KAAK,CAAC,CAAC;AAEjB,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,mCAAmC,CAAC;KAChD,MAAM,CAAC,SAAS,EAAE,qBAAqB,CAAC;KACxC,MAAM,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;KACjD,MAAM,CAAC,WAAW,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,cAAc,CAAC;KACvB,WAAW,CAAC,qCAAqC,CAAC;KAClD,cAAc,CAAC,eAAe,EAAE,eAAe,CAAC;KAChD,cAAc,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;KACxD,MAAM,CAAC,iBAAiB,EAAE,iCAAiC,CAAC;KAC5D,MAAM,CAAC,QAAQ,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,0BAA0B,CAAC;KACvC,MAAM,CAAC,QAAQ,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,sCAAsC,CAAC;KACnD,MAAM,CAAC,UAAU,CAAC,CAAC;AAEtB,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/engine/baseline.d.ts

@@ -0,0 +1,11 @@
+import type { Baseline, Finding, ScanResult } from "./types.js";
+export declare function findingKey(f: Finding): string;
+export declare function writeBaseline(rootDir: string, result: ScanResult, filePath?: string): string;
+export declare function loadBaseline(filePath: string): Baseline | undefined;
+export interface BaselineDiff {
+    newFindings: Finding[];
+    resolvedKeys: string[];
+    scoreDelta: number;
+}
+export declare function diffBaseline(baseline: Baseline, current: ScanResult): BaselineDiff;
+//# sourceMappingURL=baseline.d.ts.map

package/dist/engine/baseline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.d.ts","sourceRoot":"","sources":["../../src/engine/baseline.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAGhE,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAE7C;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAa5F;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,CAOnE;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,OAAO,EAAE,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,UAAU,GAClB,YAAY,CASd"}

package/dist/engine/baseline.js

@@ -0,0 +1,39 @@
+import path from "node:path";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { SHIPGUARD_VERSION, INDEX_VERSION } from "./version.js";
+export function findingKey(f) {
+    return `${f.ruleId}::${f.file}::${f.line ?? 0}`;
+}
+export function writeBaseline(rootDir, result, filePath) {
+    const dest = filePath ?? path.join(rootDir, "shipguard.baseline.json");
+    const baseline = {
+        version: 1,
+        shipguardVersion: SHIPGUARD_VERSION,
+        configHash: result.configHash,
+        indexVersion: INDEX_VERSION,
+        createdAt: new Date().toISOString(),
+        score: result.score,
+        findingKeys: result.findings.map(findingKey),
+    };
+    writeFileSync(dest, JSON.stringify(baseline, null, 2) + "\n");
+    return dest;
+}
+export function loadBaseline(filePath) {
+    if (!existsSync(filePath))
+        return undefined;
+    try {
+        return JSON.parse(readFileSync(filePath, "utf8"));
+    }
+    catch (err) {
+        throw new Error(`Failed to parse baseline ${filePath}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+}
+export function diffBaseline(baseline, current) {
+    const currentKeys = new Set(current.findings.map(findingKey));
+    const baselineKeys = new Set(baseline.findingKeys);
+    const newFindings = current.findings.filter((f) => !baselineKeys.has(findingKey(f)));
+    const resolvedKeys = baseline.findingKeys.filter((k) => !currentKeys.has(k));
+    const scoreDelta = current.score - baseline.score;
+    return { newFindings, resolvedKeys, scoreDelta };
+}
+//# sourceMappingURL=baseline.js.map

package/dist/engine/baseline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.js","sourceRoot":"","sources":["../../src/engine/baseline.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAElE,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAEhE,MAAM,UAAU,UAAU,CAAC,CAAU;IACnC,OAAO,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,MAAkB,EAAE,QAAiB;IAClF,MAAM,IAAI,GAAG,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAa;QACzB,OAAO,EAAE,CAAC;QACV,gBAAgB,EAAE,iBAAiB;QACnC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,aAAa;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC;KAC7C,CAAC;IACF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5C,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAa,CAAC;IAChE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC/G,CAAC;AACH,CAAC;AAQD,MAAM,UAAU,YAAY,CAC1B,QAAkB,EAClB,OAAmB;IAEnB,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IAC9D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAEnD,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrF,MAAM,YAAY,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAElD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;AACnD,CAAC"}

package/dist/engine/config.d.ts

@@ -0,0 +1,8 @@
+import type { ShipguardConfig } from "./types.js";
+export declare function findConfigFile(rootDir: string): string | undefined;
+export declare function loadConfigIfExists(rootDir: string): ShipguardConfig | undefined;
+export declare const DEFAULT_CONFIG: ShipguardConfig;
+export declare function writeDefaultConfig(rootDir: string, opts: {
+    force?: boolean;
+}): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/engine/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAQlD,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMlE;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAc/E;AAED,eAAO,MAAM,cAAc,EAAE,eA+C5B,CAAC;AAEF,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAoDnF"}

package/dist/engine/config.js

@@ -0,0 +1,130 @@
+import path from "node:path";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+const CONFIG_FILES = [
+    "shipguard.config.ts",
+    "shipguard.config.js",
+    "shipguard.config.json",
+];
+export function findConfigFile(rootDir) {
+    for (const name of CONFIG_FILES) {
+        const abs = path.join(rootDir, name);
+        if (existsSync(abs))
+            return abs;
+    }
+    return undefined;
+}
+export function loadConfigIfExists(rootDir) {
+    const file = findConfigFile(rootDir);
+    if (!file)
+        return undefined;
+    if (file.endsWith(".json")) {
+        try {
+            return JSON.parse(readFileSync(file, "utf8"));
+        }
+        catch (err) {
+            throw new Error(`Failed to parse ${file}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    // TS/JS config requires a loader (tsx, jiti) — not yet supported.
+    return undefined;
+}
+export const DEFAULT_CONFIG = {
+    framework: "next-app-router",
+    include: ["app/**", "src/**"],
+    exclude: ["**/*.test.*", "**/*.spec.*", "**/node_modules/**"],
+    ci: {
+        failOn: "critical",
+        minConfidence: "high",
+        minScore: 70,
+        maxNewCritical: 0,
+    },
+    scoring: {
+        start: 100,
+        penalties: { critical: 25, high: 10, med: 3, low: 1 },
+    },
+    hints: {
+        auth: {
+            functions: [
+                "auth", "getServerSession", "getSession", "currentUser",
+                "requireUser", "requireAuth",
+                "withAuth", // NextAuth v4 / WorkOS
+                "getKindeServerSession", // Kinde
+                "validateRequest", // Lucia
+                "getIronSession", // iron-session
+                "withApiAuthRequired", // Auth0
+                "verifyIdToken", // Firebase Admin
+                "getTokens", // next-firebase-auth-edge
+            ],
+            middlewareFiles: ["middleware.ts"],
+            allowlistPaths: [],
+        },
+        rateLimit: {
+            wrappers: [
+                "rateLimit", "withRateLimit", "ratelimit", "limit",
+                "checkRateLimitAndThrowError", "ratelimitOrThrow", "rateLimitOrThrow",
+            ],
+            allowlistPaths: [],
+        },
+        tenancy: {
+            orgFieldNames: ["orgId", "tenantId", "workspaceId", "organizationId", "teamId", "accountId"],
+        },
+    },
+    rules: {
+        "AUTH-BOUNDARY-MISSING": { severity: "critical" },
+        "RATE-LIMIT-MISSING": { severity: "critical" },
+        "TENANCY-SCOPE-MISSING": { severity: "critical" },
+    },
+    waiversFile: "shipguard.waivers.json",
+};
+export function writeDefaultConfig(rootDir, opts) {
+    const dest = path.join(rootDir, "shipguard.config.json");
+    if (existsSync(dest) && !opts.force) {
+        return;
+    }
+    const config = {
+        $schema: "https://shipguard.dev/schema.json",
+        framework: "next-app-router",
+        include: ["app/**", "src/**"],
+        exclude: ["**/*.test.*", "**/*.spec.*"],
+        ci: {
+            failOn: "critical",
+            minConfidence: "high",
+            minScore: 70,
+            maxNewCritical: 0,
+        },
+        hints: {
+            auth: {
+                functions: [
+                    "auth", "getServerSession", "getSession", "currentUser",
+                    "requireUser", "requireAuth",
+                    "withAuth", "getKindeServerSession", "validateRequest",
+                    "getIronSession", "withApiAuthRequired", "verifyIdToken", "getTokens"
+                ],
+                middlewareFiles: ["middleware.ts"],
+                allowlistPaths: []
+            },
+            rateLimit: {
+                wrappers: [
+                    "rateLimit", "withRateLimit", "limit",
+                    "checkRateLimitAndThrowError", "ratelimitOrThrow", "rateLimitOrThrow"
+                ],
+                allowlistPaths: []
+            },
+            tenancy: {
+                orgFieldNames: ["orgId", "tenantId", "workspaceId", "organizationId", "teamId", "accountId"]
+            },
+        },
+        rules: {
+            "AUTH-BOUNDARY-MISSING": { severity: "critical" },
+            "RATE-LIMIT-MISSING": { severity: "critical" },
+            "TENANCY-SCOPE-MISSING": { severity: "critical" },
+        },
+        scoring: {
+            start: 100,
+            penalties: { critical: 25, high: 10, med: 3, low: 1 },
+        },
+        waiversFile: "shipguard.waivers.json",
+    };
+    writeFileSync(dest, JSON.stringify(config, null, 2) + "\n");
+}
+//# sourceMappingURL=config.js.map

package/dist/engine/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/engine/config.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGlE,MAAM,YAAY,GAAG;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,uBAAuB;CACxB,CAAC;AAEF,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,CAAC;IAClC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;QACnE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClG,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,SAAS,EAAE,iBAAiB;IAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,oBAAoB,CAAC;IAC7D,EAAE,EAAE;QACF,MAAM,EAAE,UAAU;QAClB,aAAa,EAAE,MAAM;QACrB,QAAQ,EAAE,EAAE;QACZ,cAAc,EAAE,CAAC;KAClB;IACD,OAAO,EAAE;QACP,KAAK,EAAE,GAAG;QACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;KACtD;IACD,KAAK,EAAE;QACL,IAAI,EAAE;YACJ,SAAS,EAAE;gBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;gBACvD,aAAa,EAAE,aAAa;gBAC5B,UAAU,EAAkB,uBAAuB;gBACnD,uBAAuB,EAAK,QAAQ;gBACpC,iBAAiB,EAAW,QAAQ;gBACpC,gBAAgB,EAAY,eAAe;gBAC3C,qBAAqB,EAAO,QAAQ;gBACpC,eAAe,EAAa,iBAAiB;gBAC7C,WAAW,EAAgB,0BAA0B;aACtD;YACD,eAAe,EAAE,CAAC,eAAe,CAAC;YAClC,cAAc,EAAE,EAAE;SACnB;QACD,SAAS,EAAE;YACT,QAAQ,EAAE;gBACR,WAAW,EAAE,eAAe,EAAE,WAAW,EAAE,OAAO;gBAClD,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;aACtE;YACD,cAAc,EAAE,EAAE;SACnB;QACD,OAAO,EAAE;YACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;SAC7F;KACF;IACD,KAAK,EAAE;QACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;QAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;KAClD;IACD,WAAW,EAAE,wBAAwB;CACtC,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,IAAyB;IAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;IACzD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG;QACb,OAAO,EAAE,mCAAmC;QAC5C,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;QAC7B,OAAO,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;QACvC,EAAE,EAAE;YACF,MAAM,EAAE,UAAU;YAClB,aAAa,EAAE,MAAM;YACrB,QAAQ,EAAE,EAAE;YACZ,cAAc,EAAE,CAAC;SAClB;QACD,KAAK,EAAE;YACL,IAAI,EAAE;gBACJ,SAAS,EAAE;oBACT,MAAM,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa;oBACvD,aAAa,EAAE,aAAa;oBAC5B,UAAU,EAAE,uBAAuB,EAAE,iBAAiB;oBACtD,gBAAgB,EAAE,qBAAqB,EAAE,eAAe,EAAE,WAAW;iBACtE;gBACD,eAAe,EAAE,CAAC,eAAe,CAAC;gBAClC,cAAc,EAAE,EAAE;aACnB;YACD,SAAS,EAAE;gBACT,QAAQ,EAAE;oBACR,WAAW,EAAE,eAAe,EAAE,OAAO;oBACrC,6BAA6B,EAAE,kBAAkB,EAAE,kBAAkB;iBACtE;gBACD,cAAc,EAAE,EAAE;aACnB;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;aAC7F;SACF;QACD,KAAK,EAAE;YACL,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjD,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YAC9C,uBAAuB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;SAClD;QACD,OAAO,EAAE;YACP,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;SACtD;QACD,WAAW,EAAE,wBAAwB;KACtC,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9D,CAAC"}

package/dist/engine/extensions/load.d.ts

@@ -0,0 +1,11 @@
+import type { ShipguardConfig } from "../types.js";
+/**
+ * Attempts to load the governance module if a license key is present.
+ * Soft-fails: OSS core runs fine without governance installed.
+ *
+ * NOTE: Not wired into run.ts yet. Will be integrated when governance
+ * module is built. The extension types and registry are reserved now
+ * so the boundary is defined.
+ */
+export declare function loadGovernanceIfPresent(config: ShipguardConfig): Promise<void>;
+//# sourceMappingURL=load.d.ts.map

package/dist/engine/extensions/load.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/load.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAcpF"}

package/dist/engine/extensions/load.js

@@ -0,0 +1,26 @@
+import { registerExtension } from "./registry.js";
+/**
+ * Attempts to load the governance module if a license key is present.
+ * Soft-fails: OSS core runs fine without governance installed.
+ *
+ * NOTE: Not wired into run.ts yet. Will be integrated when governance
+ * module is built. The extension types and registry are reserved now
+ * so the boundary is defined.
+ */
+export async function loadGovernanceIfPresent(config) {
+    if (!config.license?.key)
+        return;
+    try {
+        // @ts-expect-error — governance module is optional; not installed in OSS
+        const mod = await import("@shipguard/governance");
+        if (typeof mod.registerGovernance === "function") {
+            mod.registerGovernance({
+                registerExtension,
+            });
+        }
+    }
+    catch {
+        // Governance not installed — this is fine for OSS usage.
+    }
+}
+//# sourceMappingURL=load.js.map

package/dist/engine/extensions/load.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.js","sourceRoot":"","sources":["../../../src/engine/extensions/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,MAAuB;IACnE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG;QAAE,OAAO;IAEjC,IAAI,CAAC;QACH,yEAAyE;QACzE,MAAM,GAAG,GAA4B,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;QAC3E,IAAI,OAAO,GAAG,CAAC,kBAAkB,KAAK,UAAU,EAAE,CAAC;YAChD,GAAG,CAAC,kBAAqF,CAAC;gBACzF,iBAAiB;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;AACH,CAAC"}

package/dist/engine/extensions/registry.d.ts

@@ -0,0 +1,5 @@
+import type { ShipguardExtension } from "./types.js";
+export declare function registerExtension(ext: ShipguardExtension): void;
+export declare function getExtensions(): readonly ShipguardExtension[];
+export declare function clearExtensions(): void;
+//# sourceMappingURL=registry.d.ts.map

package/dist/engine/extensions/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAIrD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,kBAAkB,GAAG,IAAI,CAE/D;AAED,wBAAgB,aAAa,IAAI,SAAS,kBAAkB,EAAE,CAE7D;AAED,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}

package/dist/engine/extensions/registry.js

@@ -0,0 +1,11 @@
+const extensions = [];
+export function registerExtension(ext) {
+    extensions.push(ext);
+}
+export function getExtensions() {
+    return extensions;
+}
+export function clearExtensions() {
+    extensions.length = 0;
+}
+//# sourceMappingURL=registry.js.map

package/dist/engine/extensions/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../../src/engine/extensions/registry.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAyB,EAAE,CAAC;AAE5C,MAAM,UAAU,iBAAiB,CAAC,GAAuB;IACvD,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;AACxB,CAAC"}

package/dist/engine/extensions/types.d.ts

@@ -0,0 +1,51 @@
+import type { Finding, ScanResult, ShipguardConfig } from "../types.js";
+export type ExtensionId = string;
+export type GateResult = {
+    ok: true;
+} | {
+    ok: false;
+    exitCode: number;
+    message: string;
+    details?: unknown;
+};
+export interface RunContext {
+    rootDir: string;
+    mode: "scan" | "ci" | "init";
+}
+export interface ExtensionHooks {
+    /** Called after config is loaded. Can validate config or gate. */
+    onConfigLoaded?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+    }) => GateResult | void;
+    /** Called after analysis, before scoring. Can mutate findings or gate. */
+    onFindings?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        findings: Finding[];
+    }) => GateResult | void;
+    /** Called after scoring. Useful for policy gates. */
+    onScored?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        score: number;
+        findings: Finding[];
+    }) => GateResult | void;
+    /** Called before writing outputs. Can attach extra report sections. */
+    onReport?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        result: ScanResult;
+    }) => GateResult | void;
+    /** Called during `shipguard init`. Can add setup messages. */
+    onInit?: (args: {
+        config: ShipguardConfig;
+        ctx: RunContext;
+        messages: string[];
+    }) => void;
+}
+export interface ShipguardExtension {
+    id: ExtensionId;
+    hooks: ExtensionHooks;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/engine/extensions/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/engine/extensions/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAExE,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC;AAEjC,MAAM,MAAM,UAAU,GAClB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC;AAExE,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,kEAAkE;IAClE,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QACtB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;KACjB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE;QAClB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,qDAAqD;IACrD,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,MAAM,EAAE,UAAU,CAAC;KACpB,KAAK,UAAU,GAAG,IAAI,CAAC;IAExB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE;QACd,MAAM,EAAE,eAAe,CAAC;QACxB,GAAG,EAAE,UAAU,CAAC;QAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,KAAK,IAAI,CAAC;CACZ;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,WAAW,CAAC;IAChB,KAAK,EAAE,cAAc,CAAC;CACvB"}

package/dist/engine/extensions/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/engine/extensions/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/engine/extensions/types.ts"],"names":[],"mappings":""}

package/dist/engine/report.d.ts

@@ -0,0 +1,5 @@
+import type { ScanResult } from "./types.js";
+import type { BaselineDiff } from "./baseline.js";
+export declare function formatPretty(result: ScanResult, diff?: BaselineDiff): string;
+export declare function formatJson(result: ScanResult): string;
+//# sourceMappingURL=report.d.ts.map

package/dist/engine/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../src/engine/report.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAW,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,wBAAgB,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,MAAM,CAgF5E;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/engine/report.js

@@ -0,0 +1,88 @@
+import pc from "picocolors";
+import { scoreStatus, buildDetectedList } from "./score.js";
+export function formatPretty(result, diff) {
+    const lines = [];
+    const { score, findings, waivedFindings, summary } = result;
+    // Header with detected stack
+    const detected = buildDetectedList(result);
+    const status = scoreStatus(score);
+    const scoreColor = status === "PASS" ? pc.green : status === "WARN" ? pc.yellow : pc.red;
+    lines.push("");
+    lines.push(`  ${pc.bold("Shipguard")} ${pc.dim(result.shipguardVersion)}`);
+    lines.push(`  ${pc.dim("Detected:")} ${detected.join(" · ")}`);
+    lines.push(`  ${pc.dim("Score:")} ${scoreColor(String(score))} ${scoreColor(status)}`);
+    if (diff) {
+        const deltaStr = diff.scoreDelta >= 0 ? `+${diff.scoreDelta}` : `${diff.scoreDelta}`;
+        lines.push(`  Delta from baseline: ${diff.scoreDelta >= 0 ? pc.green(deltaStr) : pc.red(deltaStr)}`);
+        if (diff.newFindings.length > 0) {
+            lines.push(`  New findings: ${pc.red(String(diff.newFindings.length))}`);
+        }
+        if (diff.resolvedKeys.length > 0) {
+            lines.push(`  Resolved: ${pc.green(String(diff.resolvedKeys.length))}`);
+        }
+    }
+    lines.push("");
+    // Group by severity
+    const grouped = groupBySeverity(findings);
+    for (const [severity, items] of Object.entries(grouped)) {
+        if (items.length === 0)
+            continue;
+        const color = severity === "critical" ? pc.red : severity === "high" ? pc.yellow : pc.dim;
+        lines.push(`  ${color(severity.toUpperCase())} (${items.length})`);
+        for (const f of items) {
+            const loc = f.line ? `:${f.line}` : "";
+            const conf = pc.dim(`(${f.confidence} confidence)`);
+            lines.push(`    ${f.ruleId} ${conf}`);
+            lines.push(`      ${pc.dim(f.file + loc)}`);
+            if (f.evidence.length > 0) {
+                for (const e of f.evidence) {
+                    lines.push(`      - ${e}`);
+                }
+            }
+            lines.push(`      ${pc.dim(`Why ${f.confidence}: ${f.confidenceRationale}`)}`);
+        }
+        lines.push("");
+    }
+    // Remediation
+    const remediations = new Map();
+    for (const f of findings) {
+        if (!remediations.has(f.ruleId)) {
+            remediations.set(f.ruleId, f.remediation);
+        }
+    }
+    if (remediations.size > 0) {
+        lines.push("  Suggested fixes:");
+        for (const [ruleId, fixes] of remediations) {
+            for (const fix of fixes) {
+                lines.push(`    - ${fix}`);
+            }
+        }
+        lines.push("");
+    }
+    // Waivers
+    if (waivedFindings.length > 0) {
+        lines.push(`  ${pc.dim(`Waived: ${waivedFindings.length} finding(s)`)}`);
+        lines.push("");
+    }
+    // Tip
+    lines.push(pc.dim("  Tip: Use `shipguard waive <RULE> --file <path> --reason \"...\"` to waive known exceptions."));
+    lines.push(pc.dim("  Tip: Configure hints in shipguard.config.json to reduce false positives."));
+    lines.push("");
+    return lines.join("\n");
+}
+export function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+function groupBySeverity(findings) {
+    const groups = {
+        critical: [],
+        high: [],
+        med: [],
+        low: [],
+    };
+    for (const f of findings) {
+        groups[f.severity]?.push(f);
+    }
+    return groups;
+}
+//# sourceMappingURL=report.js.map

package/dist/engine/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../src/engine/report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,YAAY,CAAC;AAG5B,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE5D,MAAM,UAAU,YAAY,CAAC,MAAkB,EAAE,IAAmB;IAClE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAE5D,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;IAC3E,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAEvF,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACrF,KAAK,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrG,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,oBAAoB;IACpB,MAAM,OAAO,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAE1C,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACjC,MAAM,KAAK,GAAG,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC;QAC1F,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QAEnE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,cAAc,CAAC,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;YAC5C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;oBAC3B,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,UAAU,KAAK,CAAC,CAAC,mBAAmB,EAAE,CAAC,EAAE,CAAC,CAAC;QAEjF,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,cAAc;IACd,MAAM,YAAY,GAAG,IAAI,GAAG,EAAoB,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YAC3C,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;gBACxB,KAAK,CAAC,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,UAAU;IACV,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,WAAW,cAAc,CAAC,MAAM,aAAa,CAAC,EAAE,CAAC,CAAC;QACzE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,MAAM;IACN,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAC,CAAC;IACpH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC,CAAC;IACjG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB;IAC1C,MAAM,MAAM,GAA8B;QACxC,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,GAAG,EAAE,EAAE;QACP,GAAG,EAAE,EAAE;KACR,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/engine/run.d.ts

@@ -0,0 +1,9 @@
+import type { ShipguardConfig, ScanResult } from "./types.js";
+export interface RunOptions {
+    rootDir: string;
+    configOverrides?: Partial<ShipguardConfig>;
+    /** Additional exclude globs appended to config excludes (not replacing) */
+    additionalExclude?: string[];
+}
+export declare function runScan(opts: RunOptions): Promise<ScanResult>;
+//# sourceMappingURL=run.d.ts.map

package/dist/engine/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/engine/run.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAW,MAAM,YAAY,CAAC;AAQvE,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IAC3C,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAoFnE"}