@ktpartners/dgs-platform 2.9.0 → 3.3.0

package/deliver-great-systems/bin/lib/fast-routing.cjs

@@ -0,0 +1,199 @@
+// deliver-great-systems/bin/lib/fast-routing.cjs
+//
+// REL-05/06: Fast-mode commit routing helpers for /dgs:fast.
+//
+// Exports:
+//   surveyDirty(planningRoot) -> { planningRoot: { dirty, paths }, subRepos: [{ name, path, dirty, paths }], submodules: [{ path, dirty }] }
+//   decideRouting(survey) -> { action: 'route-to-planning-root'|'route-to-sub-repo'|'fail', repoCwd?, exitCode?, warnings?: [string], message?: string }
+//   enumerateSubmodules(repoPath) -> [{ path, dirty }]
+//
+// REL-05: decideRouting routes commits to the correct repo on multi-repo products.
+// REL-06: surveyDirty + a thin pre-edit caller (in dgs-tools dispatcher) implements pre-edit dirt check.
+//
+// Both helpers honour the fail-loudly contract: surveyDirty returns structured data;
+// decideRouting names the exit-code label (`multi-repo-dirt`) and includes a 1-3 line
+// remediation message suitable for direct display.
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { execGit } = require('./core.cjs');
+
+// Inline REPOS.md parser — does NOT use repos.cjs's parseReposMd because that
+// helper goes through getPlanningRoot() which has a per-process cache that
+// breaks tests using multiple temp planning roots in the same process.
+function parseReposMdLocal(planningRoot) {
+  const filePath = path.join(planningRoot, 'REPOS.md');
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch {
+    return { repos: [] };
+  }
+  if (!content || !content.startsWith('# Repos')) return { repos: [] };
+  const lines = content.split('\n');
+  let tableStart = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i].startsWith('|') && lines[i].includes('Name')) { tableStart = i; break; }
+  }
+  if (tableStart === -1) return { repos: [] };
+  const repos = [];
+  for (let i = tableStart + 2; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line.startsWith('|')) break;
+    const cells = line.split('|').map(c => c.trim()).filter((_, idx, arr) => idx > 0 && idx < arr.length - 1);
+    if (cells.length < 2) continue;
+    const [name, p] = cells;
+    if (!name || !p) continue;
+    repos.push({ name, path: p });
+  }
+  return { repos };
+}
+
+function readConfigLocalJson(planningRoot) {
+  const cfgPath = path.join(planningRoot, 'config.local.json');
+  if (!fs.existsSync(cfgPath)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
+  } catch {
+    return {};
+  }
+}
+
+function enumerateRegisteredRepos(planningRoot) {
+  const seen = new Map(); // absolute path -> { name, path }
+
+  // Source 1: REPOS.md (inline parser, bypassing repos.cjs cache)
+  const reposMd = parseReposMdLocal(planningRoot);
+  for (const r of (reposMd.repos || [])) {
+    const abs = path.resolve(planningRoot, r.path);
+    if (!seen.has(abs)) seen.set(abs, { name: r.name, path: abs });
+  }
+
+  // Source 2: config.local.json projects.*.worktrees.*.repos (map of name -> absolute path)
+  const cfg = readConfigLocalJson(planningRoot);
+  const projects = (cfg.projects || {});
+  for (const proj of Object.values(projects)) {
+    const wts = (proj.worktrees || {});
+    for (const wt of Object.values(wts)) {
+      const repos = (wt.repos || {});
+      for (const [name, abs] of Object.entries(repos)) {
+        if (typeof abs !== 'string') continue;
+        const resolved = path.resolve(abs);
+        if (!seen.has(resolved)) seen.set(resolved, { name, path: resolved });
+      }
+    }
+  }
+
+  return Array.from(seen.values());
+}
+
+function isGitRepo(p) {
+  try {
+    const res = execGit(p, ['rev-parse', '--is-inside-work-tree']);
+    if (!res || res.exitCode !== 0) return false;
+    return typeof res.stdout === 'string' && res.stdout.trim() === 'true';
+  } catch {
+    return false;
+  }
+}
+
+function porcelainPaths(repoPath) {
+  if (!isGitRepo(repoPath)) return null;
+  let out = '';
+  try {
+    const res = execGit(repoPath, ['status', '--porcelain']);
+    out = (res && res.stdout) || '';
+  } catch {
+    out = '';
+  }
+  // git status --porcelain format: "XY <path>" where XY is a 2-char status code
+  // Strip the 2-char status + 1 space; trim and filter empties.
+  return out
+    .split('\n')
+    .map(l => l.replace(/^.{2,3}/, '').trim())
+    .filter(Boolean);
+}
+
+function enumerateSubmodules(repoPath) {
+  if (!isGitRepo(repoPath)) return [];
+  let out = '';
+  try {
+    const res = execGit(repoPath, ['submodule', 'status']);
+    out = (res && res.stdout) || '';
+  } catch {
+    out = '';
+  }
+  return out
+    .split('\n')
+    .filter(Boolean)
+    .map(line => {
+      // Format: ` <sha> <path> (<ref>)` — leading char `+` (mismatch),
+      // `-` (uninitialised), ` ` (clean), `U` (conflict)
+      const lead = line[0];
+      const match = line.trim().match(/^[+\- U]?\w+\s+(\S+)/);
+      return {
+        path: match ? match[1] : line.trim(),
+        dirty: Boolean(lead && lead !== ' '),
+      };
+    });
+}
+
+function surveyDirty(planningRoot) {
+  const planningPaths = porcelainPaths(planningRoot) || [];
+  const planningRootEntry = { dirty: planningPaths.length > 0, paths: planningPaths };
+
+  const subRepos = [];
+  for (const repo of enumerateRegisteredRepos(planningRoot)) {
+    if (path.resolve(repo.path) === path.resolve(planningRoot)) continue; // skip if same dir
+    const paths = porcelainPaths(repo.path) || [];
+    subRepos.push({ name: repo.name, path: repo.path, dirty: paths.length > 0, paths });
+  }
+
+  const submodules = enumerateSubmodules(planningRoot);
+
+  return { planningRoot: planningRootEntry, subRepos, submodules };
+}
+
+function decideRouting(survey) {
+  const warnings = [];
+  const dirtySubmodules = (survey.submodules || []).filter(s => s.dirty);
+  for (const sm of dirtySubmodules) {
+    warnings.push(
+      `submodule changes detected at ${sm.path}; auto-routing not supported for submodules — commit manually or use /dgs:quick`
+    );
+  }
+
+  const planningRoot = survey.planningRoot || { dirty: false };
+  const subRepos = survey.subRepos || [];
+  const dirtySubRepos = subRepos.filter(r => r.dirty);
+
+  // Case (c): multiple sub-repos dirty OR planning + at least one sub-repo dirty
+  if (dirtySubRepos.length > 1 || (dirtySubRepos.length >= 1 && planningRoot.dirty)) {
+    return {
+      action: 'fail',
+      exitCode: 'multi-repo-dirt',
+      message:
+        'Multiple repos have dirty changes — fast-mode cannot auto-route. Review state with `git status` in each repo, run `/dgs:fast --repo <name>` per repo, or use `/dgs:quick` for multi-repo work.',
+      warnings,
+    };
+  }
+
+  // Case (a): exactly one sub-repo dirty + planning clean
+  if (dirtySubRepos.length === 1 && !planningRoot.dirty) {
+    return {
+      action: 'route-to-sub-repo',
+      repoCwd: dirtySubRepos[0].path,
+      warnings,
+    };
+  }
+
+  // Case (b): only planning root dirty (or nothing dirty — same code path)
+  return { action: 'route-to-planning-root', warnings };
+}
+
+module.exports = {
+  surveyDirty,
+  decideRouting,
+  enumerateSubmodules,
+  enumerateRegisteredRepos,
+};

package/deliver-great-systems/bin/lib/fast-routing.test.cjs

@@ -0,0 +1,108 @@
+// deliver-great-systems/bin/lib/fast-routing.test.cjs
+// REL-05/06 regression test scaffold — initially RED. Turns GREEN after plan 03
+// implements bin/lib/fast-routing.cjs with surveyDirty + decideRouting helpers.
+
+const test = require('node:test');
+const assert = require('node:assert');
+const fs = require('node:fs');
+const path = require('node:path');
+const os = require('node:os');
+const { execSync } = require('node:child_process');
+
+function getModule() {
+  try {
+    return require('./fast-routing.cjs');
+  } catch (err) {
+    assert.fail('REL-05/06 module not yet implemented: bin/lib/fast-routing.cjs (plan 03 task)');
+  }
+}
+
+function setupMultiRepoFixture() {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'fast-routing-'));
+  execSync('git init -q', { cwd: root });
+  execSync('git config user.email test@test', { cwd: root });
+  execSync('git config user.name test', { cwd: root });
+  const subRepo = path.join(root, '..', `fast-routing-sub-${path.basename(root)}`);
+  fs.mkdirSync(subRepo);
+  execSync('git init -q', { cwd: subRepo });
+  execSync('git config user.email test@test', { cwd: subRepo });
+  execSync('git config user.name test', { cwd: subRepo });
+  fs.writeFileSync(
+    path.join(root, 'REPOS.md'),
+    `# Repos\n\n| Name | Path | GitHub URL | Description |\n|------|------|------------|-------------|\n| sub | ${subRepo} | git@x:y.git | test sub-repo |\n`
+  );
+  // Commit something so the planning-root tree isn't entirely empty
+  execSync('git add REPOS.md', { cwd: root });
+  execSync('git commit -q -m init', { cwd: root });
+  return { root, subRepo };
+}
+
+test('REL-06: surveyDirty detects pre-existing dirt in planning root (pre-existing-dirt)', () => {
+  const m = getModule();
+  const { root } = setupMultiRepoFixture();
+  fs.writeFileSync(path.join(root, 'dirty.txt'), 'pre-existing');
+  const survey = m.surveyDirty(root);
+  assert.ok(survey.planningRoot.dirty, 'planning root should be flagged dirty');
+  assert.ok((survey.planningRoot.paths || []).some(p => /dirty\.txt/.test(p)), 'dirty.txt must appear in paths');
+});
+
+test('REL-06: surveyDirty detects pre-existing dirt in registered sub-repo', () => {
+  const m = getModule();
+  const { root, subRepo } = setupMultiRepoFixture();
+  fs.writeFileSync(path.join(subRepo, 'dirty.txt'), 'pre-existing');
+  const survey = m.surveyDirty(root);
+  const subEntry = (survey.subRepos || []).find(r => r.name === 'sub');
+  assert.ok(subEntry && subEntry.dirty, 'sub-repo should be flagged dirty');
+});
+
+test('REL-05: decideRouting returns route-to-sub-repo for single-sub-repo dirty case', () => {
+  const m = getModule();
+  const survey = {
+    planningRoot: { dirty: false, paths: [] },
+    subRepos: [{ name: 'sub', path: '/tmp/sub', dirty: true, paths: ['file.txt'] }],
+    submodules: [],
+  };
+  const decision = m.decideRouting(survey);
+  assert.strictEqual(decision.action, 'route-to-sub-repo');
+  assert.strictEqual(decision.repoCwd, '/tmp/sub');
+});
+
+test('REL-05: decideRouting returns route-to-planning-root for planning-only dirty case', () => {
+  const m = getModule();
+  const survey = {
+    planningRoot: { dirty: true, paths: ['a.md'] },
+    subRepos: [{ name: 'sub', path: '/tmp/sub', dirty: false, paths: [] }],
+    submodules: [],
+  };
+  const decision = m.decideRouting(survey);
+  assert.strictEqual(decision.action, 'route-to-planning-root');
+});
+
+test('REL-05: decideRouting fails with multi-repo-dirt for multiple-dirty case', () => {
+  const m = getModule();
+  const survey = {
+    planningRoot: { dirty: true, paths: ['a.md'] },
+    subRepos: [{ name: 'sub', path: '/tmp/sub', dirty: true, paths: ['b.txt'] }],
+    submodules: [],
+  };
+  const decision = m.decideRouting(survey);
+  assert.strictEqual(decision.action, 'fail');
+  assert.strictEqual(decision.exitCode, 'multi-repo-dirt');
+});
+
+test('REL-05: decideRouting warns on submodules but does not auto-route them', () => {
+  const m = getModule();
+  const survey = {
+    planningRoot: { dirty: false, paths: [] },
+    subRepos: [{ name: 'sub', path: '/tmp/sub', dirty: true, paths: ['file.txt'] }],
+    submodules: [{ path: 'vendor/lib', dirty: true }],
+  };
+  const decision = m.decideRouting(survey);
+  assert.strictEqual(decision.action, 'route-to-sub-repo');
+  assert.ok(
+    Array.isArray(decision.warnings) && decision.warnings.some(w => /submodule/i.test(w)),
+    'submodule warning must be present in decision.warnings'
+  );
+});
+
+// REL-05/06 sentinel — flag this file as a Wave-0 RED scaffold for plan 03.

package/deliver-great-systems/bin/lib/final-commit-precondition.test.cjs

@@ -0,0 +1,87 @@
+// deliver-great-systems/bin/lib/final-commit-precondition.test.cjs
+// REL-08 regression test scaffold — initially RED. Turns GREEN after plan 02
+// adds the pre-commit precondition gate to executor's <final_commit> step.
+
+const test = require('node:test');
+const assert = require('node:assert');
+const fs = require('node:fs');
+const path = require('node:path');
+const os = require('node:os');
+const { execSync } = require('node:child_process');
+
+// Resolve dgs-tools.cjs CLI: __dirname = .../deliver-great-systems/bin/lib
+// CLI lives at .../deliver-great-systems/bin/dgs-tools.cjs
+const CLI = path.resolve(__dirname, '..', 'dgs-tools.cjs');
+
+function setupFixture({ planRequirements, summaryRequirementsCompleted }) {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'rel08-'));
+  execSync('git init -q', { cwd: tmpDir });
+  execSync('git config user.email test@test', { cwd: tmpDir });
+  execSync('git config user.name test', { cwd: tmpDir });
+  fs.writeFileSync(
+    path.join(tmpDir, 'PLAN.md'),
+    `---\nphase: test\nplan: 01\nrequirements:\n${planRequirements.map(r => `  - ${r}`).join('\n')}\n---\n`
+  );
+  fs.writeFileSync(
+    path.join(tmpDir, 'SUMMARY.md'),
+    `---\nphase: test\nplan: 01\nrequirements_completed: [${summaryRequirementsCompleted.join(', ')}]\n---\n`
+  );
+  return tmpDir;
+}
+
+test('REL-08: precondition aborts with summary-frontmatter-mismatch when PLAN non-empty AND SUMMARY empty', () => {
+  const fixture = setupFixture({ planRequirements: ['TEST-01'], summaryRequirementsCompleted: [] });
+
+  let exitCode = 0;
+  let combined = '';
+  try {
+    execSync(`node ${CLI} final-commit-precondition --plan ${fixture}/PLAN.md --summary ${fixture}/SUMMARY.md`, { stdio: 'pipe' });
+  } catch (err) {
+    exitCode = err.status;
+    combined = (err.stderr ? err.stderr.toString() : '') + (err.stdout ? err.stdout.toString() : '');
+  }
+
+  // RED: the CLI subcommand doesn't exist yet, so execSync throws with a different error
+  // (CLI says "Unknown command: final-commit-precondition" or similar — does NOT include the literal label).
+  assert.notStrictEqual(exitCode, 0, 'should exit non-zero on mismatch');
+  assert.match(combined, /summary-frontmatter-mismatch/, 'stderr must include the exit-code label');
+});
+
+test('REL-08: precondition leaves working tree unchanged on abort (REL-08 fail-loudly contract)', () => {
+  const fixture = setupFixture({ planRequirements: ['TEST-01'], summaryRequirementsCompleted: [] });
+  // Snapshot working-tree state BEFORE precondition runs
+  const before = execSync('git status --porcelain', { cwd: fixture }).toString();
+
+  try {
+    execSync(`node ${CLI} final-commit-precondition --plan ${fixture}/PLAN.md --summary ${fixture}/SUMMARY.md`, { stdio: 'pipe' });
+  } catch (_) { /* expected non-zero */ }
+
+  const after = execSync('git status --porcelain', { cwd: fixture }).toString();
+  assert.strictEqual(after, before, 'working tree must be unchanged after precondition abort');
+});
+
+test('REL-08: precondition is a no-op (exit 0) when PLAN requirements is empty', () => {
+  const fixture = setupFixture({ planRequirements: [], summaryRequirementsCompleted: [] });
+
+  let exitCode = 0;
+  try {
+    execSync(`node ${CLI} final-commit-precondition --plan ${fixture}/PLAN.md --summary ${fixture}/SUMMARY.md`, { stdio: 'pipe' });
+  } catch (err) {
+    exitCode = err.status;
+  }
+  assert.strictEqual(exitCode, 0, 'precondition is no-op when PLAN requirements is empty');
+});
+
+test('REL-08: precondition succeeds (exit 0) when SUMMARY requirements_completed matches PLAN', () => {
+  const fixture = setupFixture({ planRequirements: ['TEST-01'], summaryRequirementsCompleted: ['TEST-01'] });
+
+  let exitCode = 0;
+  try {
+    execSync(`node ${CLI} final-commit-precondition --plan ${fixture}/PLAN.md --summary ${fixture}/SUMMARY.md`, { stdio: 'pipe' });
+  } catch (err) {
+    exitCode = err.status;
+  }
+  assert.strictEqual(exitCode, 0, 'precondition exits 0 when SUMMARY matches PLAN');
+});
+
+// REL-08 sentinel — flag this file as a Wave-0 RED scaffold for plan 02.

package/deliver-great-systems/bin/lib/fixtures/package-scan/bundler-audit-gemfile.json

@@ -0,0 +1,21 @@
+{
+  "results": [
+    {
+      "type": "unpatched_gem",
+      "advisory": {
+        "id": "CVE-2020-8164",
+        "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY",
+        "title": "Possible Strong Parameters Bypass in ActionPack",
+        "description": "There is a strong parameters bypass vector in ActionPack versions 5.2.4.3 and below.",
+        "cvss_v3": 7.5,
+        "cvss_v2": 5.0,
+        "criticality": "high",
+        "solution": "Upgrade to activerecord >= 5.2.4.3"
+      },
+      "gem": {
+        "name": "activerecord",
+        "version": "5.2.3"
+      }
+    }
+  ]
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-expected.md

@@ -0,0 +1,186 @@
+---
+type: "package-scan"
+date: "2026-04-18"
+tool: "mixed"
+snyk_org: null
+repos_scanned: 3
+critical: 1
+high: 1
+medium: 2
+low: 0
+duration: 5
+findings:
+  - id: "pkg-001"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "high"
+    resource_id: "lodash@4.17.15"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Command Injection in lodash"
+    description: "Versions of lodash prior to 4.17.21 are vulnerable to Command Injection."
+    remediation: "upgrade to lodash@4.17.21"
+    reference: "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
+    cve: "CVE-2021-23337"
+    cvss: 7.2
+    dependency_chain:
+      - "api@1.0.0"
+      - "lodash@4.17.15"
+    chain_available: true
+    direct_or_transitive: "direct"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-002"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "medium"
+    resource_id: "gpl-licensed-dep@2.0.0"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Prototype Pollution in gpl-licensed-dep"
+    description: |-
+      Multi-line
+      description with
+      embedded newlines.
+    remediation: null
+    reference: "https://example.com/advisory"
+    cve: null
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "transitive"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-002-lic"
+    test_source: "package-scan"
+    gap_type: "dependency-licence"
+    severity: "high"
+    resource_id: "gpl-licensed-dep@2.0.0"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Restrictive licence: GPL-3.0"
+    description: "Package gpl-licensed-dep@2.0.0 is licensed under GPL-3.0. Using this dependency may impose copyleft obligations on your project."
+    remediation: "Review licence compatibility or replace with a permissive-licensed alternative."
+    reference: null
+    cve: null
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "transitive"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-003"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "medium"
+    resource_id: "requests@2.25.0"
+    repo: "worker"
+    manifest_path: null
+    title: "Unintended leak of Proxy-Authorization header"
+    description: "Requests is a HTTP library."
+    remediation: "pip install requests==2.31.0"
+    reference: null
+    cve: "CVE-2023-32681"
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: null
+    tool: "pip-audit"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-004"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "critical"
+    resource_id: "express"
+    repo: "_product_root"
+    manifest_path: null
+    title: "express Critical vulnerability"
+    description: null
+    remediation: null
+    reference: "https://github.com/advisories/GHSA-xxxx"
+    cve: null
+    cvss: 9.8
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "direct"
+    tool: "npm-audit"
+    introduced_in_commit: null
+    introduced_in_plan: null
+---
+
+# Package Scan Report
+
+## Summary
+
+| Repo | Ecosystem | Tool | .snyk policy | Critical | High | Medium | Low | Status |
+|------|-----------|------|--------------|----------|------|--------|-----|--------|
+| api | node | snyk | — | 0 | 1 | 1 | 0 | ok |
+| worker | python | pip-audit | — | 0 | 0 | 1 | 0 | ok |
+| _product_root | node | npm-audit | — | 1 | 0 | 0 | 0 | ok |
+
+## Licence Compliance
+
+> Licence scan incomplete -- use Snyk for full coverage.
+
+## Critical
+
+### _product_root: express — express Critical vulnerability
+- **CVE:** unavailable
+- **CVSS:** 9.8
+- **Tool:** npm-audit
+- **Manifest:** repo root
+- **Direct/Transitive:** direct
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** no upgrade path available — manual review required
+- **Reference:** https://github.com/advisories/GHSA-xxxx
+- **Introduced in:** unknown
+
+## High
+
+### api: lodash@4.17.15 — Command Injection in lodash
+- **CVE:** CVE-2021-23337
+- **CVSS:** 7.2
+- **Tool:** snyk
+- **Manifest:** `packages/api/package.json`
+- **Direct/Transitive:** direct
+- **Dependency chain:** api@1.0.0 → lodash@4.17.15
+- **Fix:** upgrade to lodash@4.17.21
+- **Reference:** https://snyk.io/vuln/SNYK-JS-LODASH-1040724
+- **Introduced in:** unknown
+
+> Versions of lodash prior to 4.17.21 are vulnerable to Command Injection.
+
+## Medium
+
+### api: gpl-licensed-dep@2.0.0 — Prototype Pollution in gpl-licensed-dep
+- **CVE:** unavailable
+- **CVSS:** unavailable
+- **Tool:** snyk
+- **Manifest:** `packages/api/package.json`
+- **Direct/Transitive:** transitive
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** no upgrade path available — manual review required
+- **Reference:** https://example.com/advisory
+- **Introduced in:** unknown
+
+> Multi-line
+> description with
+> embedded newlines.
+
+### worker: requests@2.25.0 — Unintended leak of Proxy-Authorization header
+- **CVE:** CVE-2023-32681
+- **CVSS:** unavailable
+- **Tool:** pip-audit
+- **Manifest:** repo root
+- **Direct/Transitive:** unknown
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** pip install requests==2.31.0
+- **Reference:** unavailable
+- **Introduced in:** unknown
+
+> Requests is a HTTP library.
+