@kevinrabun/judges 3.47.0 → 3.49.0

package/dist/commands/audit-trail.js

@@ -0,0 +1,155 @@
+/**
+ * Audit trail — chain-of-custody tracking for findings,
+ * recording who reviewed, voted, suppressed, or resolved each finding.
+ *
+ * All data stored locally in .judges-audit-trail/.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+const TRAIL_DIR = ".judges-audit-trail";
+const TRAIL_FILE = join(TRAIL_DIR, "trail.json");
+// ─── Core ───────────────────────────────────────────────────────────────────
+function ensureDir() {
+    if (!existsSync(TRAIL_DIR))
+        mkdirSync(TRAIL_DIR, { recursive: true });
+}
+function loadStore() {
+    if (!existsSync(TRAIL_FILE))
+        return { events: [], updatedAt: new Date().toISOString() };
+    try {
+        return JSON.parse(readFileSync(TRAIL_FILE, "utf-8"));
+    }
+    catch {
+        return { events: [], updatedAt: new Date().toISOString() };
+    }
+}
+function saveStore(store) {
+    ensureDir();
+    store.updatedAt = new Date().toISOString();
+    writeFileSync(TRAIL_FILE, JSON.stringify(store, null, 2));
+}
+function generateId() {
+    return `evt-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+export function recordEvent(findingId, action, actor, detail) {
+    const event = {
+        id: generateId(),
+        findingId,
+        action,
+        actor,
+        detail,
+        timestamp: new Date().toISOString(),
+    };
+    const store = loadStore();
+    store.events.push(event);
+    if (store.events.length > 2000)
+        store.events = store.events.slice(-2000);
+    saveStore(store);
+    return event;
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+export function runAuditTrail(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges audit-trail — Finding chain-of-custody tracking
+
+Usage:
+  judges audit-trail --record --finding SEC-001 --action reviewed --actor "alice@co.com" --detail "Confirmed valid"
+  judges audit-trail --finding SEC-001
+  judges audit-trail --actor "alice@co.com"
+  judges audit-trail --summary
+  judges audit-trail --export
+
+Options:
+  --record                Record a new audit event
+  --finding <id>          Filter by finding/rule ID
+  --action <type>         Event type: created, reviewed, suppressed, resolved, reopened, escalated, voted
+  --actor <name>          Who performed the action
+  --detail <text>         Additional context
+  --summary               Show audit trail summary
+  --export                Export full audit trail
+  --format json           JSON output
+  --help, -h              Show this help
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    // Record event
+    if (argv.includes("--record")) {
+        const finding = argv.find((_a, i) => argv[i - 1] === "--finding") || "unknown";
+        const action = (argv.find((_a, i) => argv[i - 1] === "--action") ||
+            "reviewed");
+        const actor = argv.find((_a, i) => argv[i - 1] === "--actor") || "anonymous";
+        const detail = argv.find((_a, i) => argv[i - 1] === "--detail") || "";
+        const event = recordEvent(finding, action, actor, detail);
+        if (format === "json") {
+            console.log(JSON.stringify(event, null, 2));
+        }
+        else {
+            console.log(`  ✅ Audit event recorded: ${event.id}`);
+            console.log(`     ${event.action} ${event.findingId} by ${event.actor}`);
+        }
+        return;
+    }
+    // Summary
+    if (argv.includes("--summary")) {
+        const store = loadStore();
+        const actionCounts = new Map();
+        const actorCounts = new Map();
+        for (const e of store.events) {
+            actionCounts.set(e.action, (actionCounts.get(e.action) || 0) + 1);
+            actorCounts.set(e.actor, (actorCounts.get(e.actor) || 0) + 1);
+        }
+        if (format === "json") {
+            console.log(JSON.stringify({
+                totalEvents: store.events.length,
+                actions: Object.fromEntries(actionCounts),
+                actors: Object.fromEntries(actorCounts),
+            }, null, 2));
+        }
+        else {
+            console.log(`\n  Audit Trail Summary\n  ──────────────────────────`);
+            console.log(`  Total events: ${store.events.length}`);
+            if (actionCounts.size > 0) {
+                console.log(`\n  By action:`);
+                for (const [action, count] of actionCounts) {
+                    console.log(`    ${action.padEnd(15)} ${count}`);
+                }
+            }
+            if (actorCounts.size > 0) {
+                console.log(`\n  By actor:`);
+                for (const [actor, count] of actorCounts) {
+                    console.log(`    ${actor.padEnd(25)} ${count} events`);
+                }
+            }
+            console.log("");
+        }
+        return;
+    }
+    // Export
+    if (argv.includes("--export")) {
+        const store = loadStore();
+        console.log(JSON.stringify(store, null, 2));
+        return;
+    }
+    // Filter by finding
+    const findingFilter = argv.find((_a, i) => argv[i - 1] === "--finding");
+    const actorFilter = argv.find((_a, i) => argv[i - 1] === "--actor");
+    const store = loadStore();
+    let events = store.events;
+    if (findingFilter)
+        events = events.filter((e) => e.findingId === findingFilter);
+    if (actorFilter)
+        events = events.filter((e) => e.actor === actorFilter);
+    if (format === "json") {
+        console.log(JSON.stringify(events, null, 2));
+    }
+    else {
+        console.log(`\n  Audit Trail (${events.length} events)\n  ──────────────────────────`);
+        for (const e of events.slice(-20)) {
+            console.log(`    ${e.timestamp.slice(0, 16)}  ${e.action.padEnd(12)} ${e.findingId.padEnd(12)} ${e.actor} ${e.detail ? `— ${e.detail}` : ""}`);
+        }
+        console.log("");
+    }
+}
+//# sourceMappingURL=audit-trail.js.map

package/dist/commands/audit-trail.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-trail.js","sourceRoot":"","sources":["../../src/commands/audit-trail.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAkB5B,MAAM,SAAS,GAAG,qBAAqB,CAAC;AACxC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;AAEjD,+EAA+E;AAE/E,SAAS,SAAS;IAChB,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,SAAS;IAChB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IACxF,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAsB;IACvC,SAAS,EAAE,CAAC;IACZ,KAAK,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,SAAiB,EACjB,MAA4B,EAC5B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAe;QACxB,EAAE,EAAE,UAAU,EAAE;QAChB,SAAS;QACT,MAAM;QACN,KAAK;QACL,MAAM;QACN,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI;QAAE,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC;IACzE,SAAS,CAAC,KAAK,CAAC,CAAC;IAEjB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,aAAa,CAAC,IAAc;IAC1C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;CAoBf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAE1F,eAAe;IACf,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,WAAW,CAAC,IAAI,SAAS,CAAC;QAC/F,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC;YAC9E,UAAU,CAAyB,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,SAAS,CAAC,IAAI,WAAW,CAAC;QAC7F,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,EAAE,CAAC;QAEtF,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,6BAA6B,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,SAAS,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO;IACT,CAAC;IAED,UAAU;IACV,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC/C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YAC7B,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAClE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM;gBAChC,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC;gBACzC,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC;aACxC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;YACrE,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACtD,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;gBAC9B,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;oBAC3C,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC;YACD,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBAC7B,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC;oBACzC,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,SAAS;IACT,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAED,oBAAoB;IACpB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAEpF,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,IAAI,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC1B,IAAI,aAAa;QAAE,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,aAAa,CAAC,CAAC;IAChF,IAAI,WAAW;QAAE,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,WAAW,CAAC,CAAC;IAExE,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,MAAM,wCAAwC,CAAC,CAAC;QACvF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAClI,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/commands/auto-fix.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Auto-fix — generates safe, automated fix suggestions for
+ * common finding patterns. All processing is local.
+ */
+interface FixSuggestion {
+    ruleId: string;
+    title: string;
+    file: string;
+    line: number;
+    before: string;
+    after: string;
+    confidence: number;
+    timestamp: string;
+}
+export declare function suggestFix(ruleId: string, file: string, line: number): FixSuggestion | null;
+export declare function runAutoFix(argv: string[]): void;
+export {};
+//# sourceMappingURL=auto-fix.d.ts.map

package/dist/commands/auto-fix.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-fix.d.ts","sourceRoot":"","sources":["../../src/commands/auto-fix.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAgBH,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAqHD,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAqB3F;AAID,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAoH/C"}

package/dist/commands/auto-fix.js

@@ -0,0 +1,241 @@
+/**
+ * Auto-fix — generates safe, automated fix suggestions for
+ * common finding patterns. All processing is local.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+const FIX_DIR = ".judges-auto-fix";
+const FIX_FILE = join(FIX_DIR, "fix-history.json");
+// ─── Fix template library ───────────────────────────────────────────────────
+const FIX_TEMPLATES = [
+    {
+        rulePattern: "SQL-",
+        title: "Use parameterized queries",
+        description: "Replace string concatenation in SQL with parameterized queries",
+        before: 'db.query("SELECT * FROM users WHERE id = " + userId)',
+        after: 'db.query("SELECT * FROM users WHERE id = $1", [userId])',
+        language: "typescript",
+    },
+    {
+        rulePattern: "XSS-",
+        title: "Use textContent instead of innerHTML",
+        description: "Replace innerHTML with textContent to prevent XSS",
+        before: "element.innerHTML = userInput",
+        after: "element.textContent = userInput",
+        language: "typescript",
+    },
+    {
+        rulePattern: "CMD-",
+        title: "Use execFile with argument array",
+        description: "Replace exec with execFile and separate arguments",
+        before: 'exec("git " + command)',
+        after: 'execFile("git", [command])',
+        language: "typescript",
+    },
+    {
+        rulePattern: "CRYPTO-",
+        title: "Replace MD5 with SHA-256",
+        description: "Use cryptographically secure hash function",
+        before: "crypto.createHash('md5').update(data).digest('hex')",
+        after: "crypto.createHash('sha256').update(data).digest('hex')",
+        language: "typescript",
+    },
+    {
+        rulePattern: "AUTH-",
+        title: "Add bcrypt password hashing",
+        description: "Hash passwords with bcrypt instead of plaintext storage",
+        before: "user.password = password",
+        after: "user.password = await bcrypt.hash(password, 12)",
+        language: "typescript",
+    },
+    {
+        rulePattern: "SEC-",
+        title: "Validate input before use",
+        description: "Add input validation before processing user data",
+        before: "const data = req.body",
+        after: "const data = validateInput(req.body, schema)",
+        language: "typescript",
+    },
+    {
+        rulePattern: "SSRF-",
+        title: "Validate URL against allowlist",
+        description: "Check URL against trusted domains before requesting",
+        before: "await fetch(userUrl)",
+        after: "if (isAllowedUrl(userUrl)) await fetch(userUrl)",
+        language: "typescript",
+    },
+    {
+        rulePattern: "PATH-",
+        title: "Sanitize file path",
+        description: "Resolve and validate file path within allowed directory",
+        before: 'readFileSync(userPath, "utf-8")',
+        after: 'readFileSync(path.resolve(SAFE_DIR, path.basename(userPath)), "utf-8")',
+        language: "typescript",
+    },
+    {
+        rulePattern: "ERR-",
+        title: "Use safe error response",
+        description: "Return generic error message instead of stack trace",
+        before: "res.status(500).json({ error: err.stack })",
+        after: 'res.status(500).json({ error: "Internal server error" })',
+        language: "typescript",
+    },
+    {
+        rulePattern: "CORS-",
+        title: "Restrict CORS origins",
+        description: "Replace wildcard CORS with specific trusted origins",
+        before: 'cors({ origin: "*" })',
+        after: 'cors({ origin: ["https://app.example.com"] })',
+        language: "typescript",
+    },
+];
+// ─── Core ───────────────────────────────────────────────────────────────────
+function ensureDir() {
+    if (!existsSync(FIX_DIR))
+        mkdirSync(FIX_DIR, { recursive: true });
+}
+function loadStore() {
+    if (!existsSync(FIX_FILE))
+        return { suggestions: [], applied: 0, updatedAt: new Date().toISOString() };
+    try {
+        return JSON.parse(readFileSync(FIX_FILE, "utf-8"));
+    }
+    catch {
+        return { suggestions: [], applied: 0, updatedAt: new Date().toISOString() };
+    }
+}
+function saveStore(store) {
+    ensureDir();
+    store.updatedAt = new Date().toISOString();
+    writeFileSync(FIX_FILE, JSON.stringify(store, null, 2));
+}
+export function suggestFix(ruleId, file, line) {
+    const template = FIX_TEMPLATES.find((t) => ruleId.startsWith(t.rulePattern));
+    if (!template)
+        return null;
+    const suggestion = {
+        ruleId,
+        title: template.title,
+        file,
+        line,
+        before: template.before,
+        after: template.after,
+        confidence: 75,
+        timestamp: new Date().toISOString(),
+    };
+    const store = loadStore();
+    store.suggestions.push(suggestion);
+    if (store.suggestions.length > 500)
+        store.suggestions = store.suggestions.slice(-500);
+    saveStore(store);
+    return suggestion;
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+export function runAutoFix(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges auto-fix — Automated fix suggestions for findings
+
+Usage:
+  judges auto-fix --rule SQL-001 --file src/db.ts --line 42
+  judges auto-fix --catalog
+  judges auto-fix --history
+  judges auto-fix --stats
+
+Options:
+  --rule <id>             Rule ID to generate fix for
+  --file <path>           File containing the finding
+  --line <n>              Line number of the finding
+  --catalog               Show all available fix templates
+  --history               Show past fix suggestions
+  --stats                 Show fix statistics
+  --format json           JSON output
+  --help, -h              Show this help
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    // Catalog
+    if (argv.includes("--catalog")) {
+        if (format === "json") {
+            console.log(JSON.stringify(FIX_TEMPLATES, null, 2));
+        }
+        else {
+            console.log(`\n  Fix Template Catalog (${FIX_TEMPLATES.length})\n  ──────────────────────────`);
+            for (const t of FIX_TEMPLATES) {
+                console.log(`    [${t.rulePattern.padEnd(8)}] ${t.title}`);
+                console.log(`            Before: ${t.before}`);
+                console.log(`            After:  ${t.after}`);
+                console.log("");
+            }
+        }
+        return;
+    }
+    // History
+    if (argv.includes("--history")) {
+        const store = loadStore();
+        if (format === "json") {
+            console.log(JSON.stringify(store.suggestions.slice(-20), null, 2));
+        }
+        else {
+            console.log(`\n  Fix History (${store.suggestions.length} suggestions)\n  ──────────────────────────`);
+            for (const s of store.suggestions.slice(-15)) {
+                console.log(`    ${s.timestamp.slice(0, 16)}  ${s.ruleId.padEnd(10)} ${s.title}  ${s.file}:${s.line}`);
+            }
+            console.log("");
+        }
+        return;
+    }
+    // Stats
+    if (argv.includes("--stats")) {
+        const store = loadStore();
+        const byRule = new Map();
+        for (const s of store.suggestions) {
+            const prefix = s.ruleId.split("-")[0] + "-";
+            byRule.set(prefix, (byRule.get(prefix) || 0) + 1);
+        }
+        if (format === "json") {
+            console.log(JSON.stringify({ total: store.suggestions.length, applied: store.applied, byRule: Object.fromEntries(byRule) }, null, 2));
+        }
+        else {
+            console.log(`\n  Fix Statistics\n  ──────────────────────────`);
+            console.log(`  Total suggestions: ${store.suggestions.length}`);
+            console.log(`  Applied:           ${store.applied}`);
+            if (byRule.size > 0) {
+                console.log(`\n  By category:`);
+                for (const [rule, count] of byRule) {
+                    console.log(`    ${rule.padEnd(10)} ${count} suggestions`);
+                }
+            }
+            console.log("");
+        }
+        return;
+    }
+    // Suggest fix
+    const ruleId = argv.find((_a, i) => argv[i - 1] === "--rule");
+    const file = argv.find((_a, i) => argv[i - 1] === "--file");
+    const line = parseInt(argv.find((_a, i) => argv[i - 1] === "--line") || "1", 10);
+    if (!ruleId) {
+        console.error("  Use --rule <id>, --catalog, --history, or --stats. --help for usage.");
+        return;
+    }
+    const suggestion = suggestFix(ruleId, file || "unknown", line);
+    if (!suggestion) {
+        console.log(`  No fix template for rule: ${ruleId}`);
+        console.log(`  Available patterns: ${FIX_TEMPLATES.map((t) => t.rulePattern).join(", ")}`);
+        return;
+    }
+    if (format === "json") {
+        console.log(JSON.stringify(suggestion, null, 2));
+    }
+    else {
+        console.log(`\n  Fix Suggestion — ${suggestion.ruleId}`);
+        console.log(`  ──────────────────────────`);
+        console.log(`  Title: ${suggestion.title}`);
+        console.log(`  File:  ${suggestion.file}:${suggestion.line}`);
+        console.log(`\n  Before: ${suggestion.before}`);
+        console.log(`  After:  ${suggestion.after}`);
+        console.log(`\n  Confidence: ${suggestion.confidence}%\n`);
+    }
+}
+//# sourceMappingURL=auto-fix.js.map

package/dist/commands/auto-fix.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-fix.js","sourceRoot":"","sources":["../../src/commands/auto-fix.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AA8B5B,MAAM,OAAO,GAAG,kBAAkB,CAAC;AACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;AAEnD,+EAA+E;AAE/E,MAAM,aAAa,GAAkB;IACnC;QACE,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,gEAAgE;QAC7E,MAAM,EAAE,sDAAsD;QAC9D,KAAK,EAAE,yDAAyD;QAChE,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,mDAAmD;QAChE,MAAM,EAAE,+BAA+B;QACvC,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,MAAM,EAAE,wBAAwB;QAChC,KAAK,EAAE,4BAA4B;QACnC,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,SAAS;QACtB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,4CAA4C;QACzD,MAAM,EAAE,qDAAqD;QAC7D,KAAK,EAAE,wDAAwD;QAC/D,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,yDAAyD;QACtE,MAAM,EAAE,0BAA0B;QAClC,KAAK,EAAE,iDAAiD;QACxD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,kDAAkD;QAC/D,MAAM,EAAE,uBAAuB;QAC/B,KAAK,EAAE,8CAA8C;QACrD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qDAAqD;QAClE,MAAM,EAAE,sBAAsB;QAC9B,KAAK,EAAE,iDAAiD;QACxD,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,yDAAyD;QACtE,MAAM,EAAE,iCAAiC;QACzC,KAAK,EAAE,wEAAwE;QAC/E,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,MAAM;QACnB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EAAE,qDAAqD;QAClE,MAAM,EAAE,4CAA4C;QACpD,KAAK,EAAE,0DAA0D;QACjE,QAAQ,EAAE,YAAY;KACvB;IACD;QACE,WAAW,EAAE,OAAO;QACpB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,qDAAqD;QAClE,MAAM,EAAE,uBAAuB;QAC/B,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,YAAY;KACvB;CACF,CAAC;AAEF,+EAA+E;AAE/E,SAAS,SAAS;IAChB,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,SAAS;IAChB,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IACvG,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IAC9E,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAChC,SAAS,EAAE,CAAC;IACZ,KAAK,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAc,EAAE,IAAY,EAAE,IAAY;IACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7E,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,UAAU,GAAkB;QAChC,MAAM;QACN,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,IAAI;QACJ,IAAI;QACJ,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;IAC1B,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM,GAAG,GAAG;QAAE,KAAK,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC;IACtF,SAAS,CAAC,KAAK,CAAC,CAAC;IAEjB,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,UAAU,CAAC,IAAc;IACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;CAkBf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAE1F,UAAU;IACV,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,6BAA6B,aAAa,CAAC,MAAM,iCAAiC,CAAC,CAAC;YAChG,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;gBAC3D,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC/C,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,UAAU;IACV,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;QAC1B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,CAAC,WAAW,CAAC,MAAM,6CAA6C,CAAC,CAAC;YACvG,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACzG,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,QAAQ;IACR,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,SAAS,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;YAC5C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAC/F,IAAI,EACJ,CAAC,CACF,CACF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,wBAAwB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBAChC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;oBACnC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,cAAc,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QACD,OAAO;IACT,CAAC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC;IAC5E,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAU,EAAE,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IAEjG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;QACxF,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,+BAA+B,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,yBAAyB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3F,OAAO;IACT,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,mBAAmB,UAAU,CAAC,UAAU,KAAK,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC"}

package/dist/commands/dep-correlate.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Dependency vulnerability correlation — cross-references
+ * Judges findings with dependency versions to identify which
+ * dependencies contribute the most security findings.
+ *
+ * All data from local files (package.json, lock files).
+ */
+export declare function runDepCorrelate(argv: string[]): void;
+//# sourceMappingURL=dep-correlate.d.ts.map

package/dist/commands/dep-correlate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-correlate.d.ts","sourceRoot":"","sources":["../../src/commands/dep-correlate.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAiKH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAsFpD"}

package/dist/commands/dep-correlate.js

@@ -0,0 +1,208 @@
+/**
+ * Dependency vulnerability correlation — cross-references
+ * Judges findings with dependency versions to identify which
+ * dependencies contribute the most security findings.
+ *
+ * All data from local files (package.json, lock files).
+ */
+import { existsSync, readFileSync, mkdirSync, writeFileSync } from "fs";
+import { join } from "path";
+// ─── Dep parsing ────────────────────────────────────────────────────────────
+function loadDeps() {
+    const deps = [];
+    // package.json (npm)
+    if (existsSync("package.json")) {
+        try {
+            const pkg = JSON.parse(readFileSync("package.json", "utf-8"));
+            for (const [name, ver] of Object.entries(pkg.dependencies || {})) {
+                deps.push({ name, version: String(ver), type: "dependency" });
+            }
+            for (const [name, ver] of Object.entries(pkg.devDependencies || {})) {
+                deps.push({ name, version: String(ver), type: "devDependency" });
+            }
+        }
+        catch {
+            /* skip */
+        }
+    }
+    // requirements.txt (Python)
+    if (existsSync("requirements.txt")) {
+        try {
+            const lines = readFileSync("requirements.txt", "utf-8").split("\n");
+            for (const line of lines) {
+                const match = /^([a-zA-Z0-9_-]+)==(.+)/.exec(line.trim());
+                if (match)
+                    deps.push({ name: match[1], version: match[2], type: "dependency" });
+            }
+        }
+        catch {
+            /* skip */
+        }
+    }
+    // go.mod (Go)
+    if (existsSync("go.mod")) {
+        try {
+            const content = readFileSync("go.mod", "utf-8");
+            const lines = content.split("\n");
+            for (const line of lines) {
+                const match = /^\s+([\w./-]+)\s+(v[\d.]+)/.exec(line);
+                if (match)
+                    deps.push({ name: match[1], version: match[2], type: "dependency" });
+            }
+        }
+        catch {
+            /* skip */
+        }
+    }
+    return deps;
+}
+function loadFindings() {
+    // Try common finding output locations
+    const paths = [".judges-findings.json", join(".judges-audit-trail", "trail.json"), "judges-report.json"];
+    for (const p of paths) {
+        if (!existsSync(p))
+            continue;
+        try {
+            const data = JSON.parse(readFileSync(p, "utf-8"));
+            if (Array.isArray(data))
+                return data;
+            if (data.findings && Array.isArray(data.findings))
+                return data.findings;
+            if (data.events && Array.isArray(data.events)) {
+                return data.events
+                    .filter((e) => e.type === "created")
+                    .map((e) => e.finding || { ruleId: e.findingId, severity: "medium", title: String(e.findingId), description: "" });
+            }
+        }
+        catch {
+            /* skip */
+        }
+    }
+    return [];
+}
+// ─── Correlation ────────────────────────────────────────────────────────────
+const KNOWN_VULN_PATTERNS = {
+    express: ["ssrf", "xss", "csrf", "header-injection"],
+    lodash: ["prototype-pollution", "command-injection"],
+    axios: ["ssrf", "redirect"],
+    jsonwebtoken: ["jwt", "auth", "token"],
+    helmet: ["header", "csp", "xss"],
+    sequelize: ["sql-injection", "nosql"],
+    mongoose: ["nosql-injection", "injection"],
+    mysql: ["sql-injection", "injection"],
+    pg: ["sql-injection", "injection"],
+    "crypto-js": ["crypto", "weak-cipher", "weak-hash"],
+    bcrypt: ["password", "hash"],
+    passport: ["auth", "authentication"],
+    cors: ["cors", "origin"],
+    multer: ["upload", "file", "path-traversal"],
+    child_process: ["command-injection", "exec"],
+};
+function correlate(deps, findings) {
+    const correlations = [];
+    for (const dep of deps) {
+        const patterns = KNOWN_VULN_PATTERNS[dep.name] || [];
+        const matched = findings.filter((f) => {
+            const text = `${f.ruleId} ${f.title} ${f.description || ""}`.toLowerCase();
+            return patterns.some((p) => text.includes(p));
+        });
+        if (matched.length > 0) {
+            const sevWeights = { critical: 10, high: 7, medium: 4, low: 1 };
+            const riskScore = matched.reduce((s, f) => s + (sevWeights[f.severity] || 2), 0);
+            correlations.push({
+                dependency: dep.name,
+                version: dep.version,
+                findingCount: matched.length,
+                findings: matched.map((f) => ({ ruleId: f.ruleId, severity: f.severity, title: f.title })),
+                riskScore,
+                upgradeRecommendation: riskScore > 20 ? "Urgent upgrade recommended" : riskScore > 10 ? "Upgrade recommended" : "Monitor",
+            });
+        }
+    }
+    return correlations.sort((a, b) => b.riskScore - a.riskScore);
+}
+// ─── CLI ────────────────────────────────────────────────────────────────────
+const STORE = ".judges-dep-correlate";
+export function runDepCorrelate(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges dep-correlate — Dependency vulnerability correlation
+
+Usage:
+  judges dep-correlate
+  judges dep-correlate --deps
+  judges dep-correlate --top 5
+
+Options:
+  --deps                List detected dependencies
+  --top <n>             Show top N riskiest dependencies
+  --save                Save report to ${STORE}/
+  --format json         JSON output
+  --help, -h            Show this help
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    const deps = loadDeps();
+    // List deps only
+    if (argv.includes("--deps")) {
+        if (format === "json") {
+            console.log(JSON.stringify(deps, null, 2));
+        }
+        else {
+            console.log(`\n  Dependencies (${deps.length})\n  ──────────────────────────`);
+            for (const d of deps) {
+                console.log(`    ${d.name.padEnd(30)} ${d.version.padEnd(15)} ${d.type}`);
+            }
+            console.log("");
+        }
+        return;
+    }
+    if (deps.length === 0) {
+        console.log("  No dependencies found. Supports: package.json, requirements.txt, go.mod");
+        return;
+    }
+    const findings = loadFindings();
+    const correlations = correlate(deps, findings);
+    const topN = argv.find((_a, i) => argv[i - 1] === "--top");
+    const limit = topN ? parseInt(topN, 10) : correlations.length;
+    const report = {
+        correlations: correlations.slice(0, limit),
+        totalDeps: deps.length,
+        depsWithFindings: correlations.length,
+        timestamp: new Date().toISOString(),
+    };
+    // Save
+    if (argv.includes("--save")) {
+        if (!existsSync(STORE))
+            mkdirSync(STORE, { recursive: true });
+        writeFileSync(join(STORE, "correlation-report.json"), JSON.stringify(report, null, 2));
+        console.log(`  Saved to ${STORE}/correlation-report.json`);
+    }
+    if (format === "json") {
+        console.log(JSON.stringify(report, null, 2));
+    }
+    else {
+        console.log(`\n  Dependency Vulnerability Correlation`);
+        console.log(`  Total dependencies: ${report.totalDeps}  With correlated findings: ${report.depsWithFindings}`);
+        console.log(`  ──────────────────────────`);
+        if (report.correlations.length === 0) {
+            console.log(`    ✅ No dependency-finding correlations detected`);
+            if (findings.length === 0)
+                console.log(`    (No findings data found — run a scan first)`);
+            console.log("");
+            return;
+        }
+        for (const c of report.correlations) {
+            console.log(`\n    ${c.dependency}@${c.version}  Risk: ${c.riskScore}  Findings: ${c.findingCount}`);
+            console.log(`    Recommendation: ${c.upgradeRecommendation}`);
+            for (const f of c.findings.slice(0, 3)) {
+                console.log(`      - [${f.severity.toUpperCase()}] ${f.ruleId}: ${f.title}`);
+            }
+            if (c.findings.length > 3)
+                console.log(`      ... and ${c.findings.length - 3} more`);
+        }
+        console.log("");
+    }
+}
+//# sourceMappingURL=dep-correlate.js.map