@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/report.js

@@ -1,21 +1,29 @@
 export function generateHTML(scans) {
-  const rows = scans.map(s => {
+  const rows = scans.map((s) => {
     const findings = s.findings || [];
     const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
     const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
     const worstLabel = ['', 'info', 'low', 'medium', 'high', 'critical'][worst] || 'clean';
-    const color = { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[worstLabel] || '#28a745';
-    const findingRows = findings.map(f =>
-      `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
-    ).join('');
+    const color =
+      { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[
+        worstLabel
+      ] || '#28a745';
+    const findingRows = findings
+      .map(
+        (f) =>
+          `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
+      )
+      .join('');
     return { name: s.package_name, worstLabel, color, count: findings.length, findingRows };
   });
 
-  const criticalCount = scans.filter(s => s.findings?.some(f => f.severity === 'critical')).length;
-  const highCount = scans.filter(s => s.findings?.some(f => f.severity === 'high')).length;
-  const mediumCount = scans.filter(s => s.findings?.some(f => f.severity === 'medium')).length;
-  const lowCount = scans.filter(s => s.findings?.some(f => f.severity === 'low')).length;
-  const cleanCount = scans.filter(s => !s.findings?.length).length;
+  const criticalCount = scans.filter((s) =>
+    s.findings?.some((f) => f.severity === 'critical')
+  ).length;
+  const highCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'high')).length;
+  const mediumCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'medium')).length;
+  const lowCount = scans.filter((s) => s.findings?.some((f) => f.severity === 'low')).length;
+  const cleanCount = scans.filter((s) => !s.findings?.length).length;
 
   const nistMap = generateNistTable(scans);
 
@@ -59,7 +67,7 @@ th { background: #161b22; font-weight: 600; }
 <h2>Findings</h2>
 <table>
 <thead><tr><th>ATK</th><th>Severity</th><th>Title</th><th>Evidence</th></tr></thead>
-<tbody>${rows.map(r => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
+<tbody>${rows.map((r) => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
 </table>
 
 <h2>NIST SP 800-161 Compliance Summary</h2>
@@ -73,9 +81,11 @@ ${nistMap}
 function getAtkFindings(scans) {
   const map = {};
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const key = f.atk_id || f.id;
-      if (!map[key]) map[key] = [];
+      if (!map[key]) {
+        map[key] = [];
+      }
       map[key].push(f);
     }
   }
@@ -117,7 +127,9 @@ export function generateText(scans) {
     const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
     const worstLabel = sevLabel[worst] || 'clean';
 
-    lines.push(`${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`);
+    lines.push(
+      `${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`
+    );
 
     for (const f of findings) {
       const desc = (f.description || f.title || '').slice(0, 80);
@@ -159,41 +171,46 @@ function generateNistTable(scans) {
 
 export function generateSARIF(scan, format = 'json') {
   const findings = scan.findings || [];
-  const runs = [{
-    tool: {
-      driver: {
-        name: 'npm-scan',
-        version: '0.9.7',
-        informationUri: 'https://github.com/lateos-ai/npm-scan',
-        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
-          id,
-          name: `ATK-${id.replace('ATK-', '')}`,
-          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
-          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
-          defaultConfiguration: { enabled: true }
-        }))
-      }
+  const runs = [
+    {
+      tool: {
+        driver: {
+          name: 'npm-scan',
+          version: '0.9.7',
+          informationUri: 'https://github.com/lateos-ai/npm-scan',
+          rules: Array.from(new Set(findings.map((f) => f.id))).map((id) => ({
+            id,
+            name: `ATK-${id.replace('ATK-', '')}`,
+            shortDescription: { text: findings.find((f) => f.id === id)?.title || id },
+            fullDescription: { text: findings.find((f) => f.id === id)?.description || '' },
+            defaultConfiguration: { enabled: true },
+          })),
+        },
+      },
+      results: findings.map((f) => {
+        const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+        return {
+          ruleId: f.id,
+          level: severityMap[f.severity] || 'note',
+          message: { text: f.description || f.title },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: f.evidence || 'unknown' },
+                region: { startLine: 1, startColumn: 1 },
+              },
+            },
+          ],
+        };
+      }),
     },
-    results: findings.map(f => {
-      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
-      return {
-        ruleId: f.id,
-        level: severityMap[f.severity] || 'note',
-        message: { text: f.description || f.title },
-        locations: [{
-          physicalLocation: {
-            artifactLocation: { uri: f.evidence || 'unknown' },
-            region: { startLine: 1, startColumn: 1 }
-          }
-        }]
-      };
-    })
-  }];
+  ];
 
   const sarif = {
     version: '2.1.0',
-    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-    runs
+    schema:
+      'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs,
   };
 
   return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
@@ -201,17 +218,21 @@ export function generateSARIF(scan, format = 'json') {
 
 export function generateCSV(scans) {
   const headers = 'id,severity,title,description,evidence,package_name,version\n';
-  const rows = (scans || []).flatMap(s => 
-    (s.findings || []).map(f => [
-      f.id,
-      f.severity || '',
-      (f.title || '').replace(/,/g, ';'),
-      (f.description || '').replace(/,/g, ';'),
-      (f.evidence || '').replace(/,/g, ';'),
-      s.package_name || '',
-      s.version || ''
-    ].join(','))
-  ).join('\n');
+  const rows = (scans || [])
+    .flatMap((s) =>
+      (s.findings || []).map((f) =>
+        [
+          f.id,
+          f.severity || '',
+          (f.title || '').replace(/,/g, ';'),
+          (f.description || '').replace(/,/g, ';'),
+          (f.evidence || '').replace(/,/g, ';'),
+          s.package_name || '',
+          s.version || '',
+        ].join(',')
+      )
+    )
+    .join('\n');
   return headers + rows;
 }
 
@@ -222,25 +243,70 @@ export function calculateRiskScore(findings, totalPackages = 1) {
 }
 
 const STIG_MAP = {
-  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
-  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
-  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
-  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
-  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
-  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
-  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
-  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
-  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
-  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
-  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
+  'SRG-APP-000141': {
+    title: 'Application Malware Detection',
+    atk: 'ATK-001',
+    desc: 'Lifecycle script detection',
+  },
+  'SRG-APP-000142': {
+    title: 'Application Code Obfuscation',
+    atk: 'ATK-002',
+    desc: 'Obfuscated payload detection',
+  },
+  'SRG-APP-000143': {
+    title: 'Credential Harvesting',
+    atk: 'ATK-003',
+    desc: 'Credential exfiltration detection',
+  },
+  'SRG-APP-000144': {
+    title: 'Persistence Mechanisms',
+    atk: 'ATK-004',
+    desc: 'Malicious persistence detection',
+  },
+  'SRG-APP-000145': {
+    title: 'Data Exfiltration',
+    atk: 'ATK-005',
+    desc: 'Network exfiltration detection',
+  },
+  'SRG-APP-000146': {
+    title: 'Dependency Confusion',
+    atk: 'ATK-006',
+    desc: 'Internal package detection',
+  },
+  'SRG-APP-000147': {
+    title: 'Typosquatting',
+    atk: 'ATK-007',
+    desc: 'Malicious package name detection',
+  },
+  'SRG-APP-000148': {
+    title: 'Tarball Tampering',
+    atk: 'ATK-008',
+    desc: 'Modified package detection',
+  },
+  'SRG-APP-000149': {
+    title: 'Dormant Triggers',
+    atk: 'ATK-009',
+    desc: 'Conditional execution detection',
+  },
+  'SRG-APP-000150': {
+    title: 'Sandbox Evasion',
+    atk: 'ATK-010',
+    desc: 'Environment detection evasion',
+  },
+  'SRG-APP-000151': {
+    title: 'Transitive Propagation',
+    atk: 'ATK-011',
+    desc: 'Dependency chain attacks',
+  },
 };
 
 export function generateSTIG(scans) {
   const rows = [];
   for (const [stigId, info] of Object.entries(STIG_MAP)) {
-    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
+    const findings = scans.flatMap((s) => (s.findings || []).filter((f) => f.id === info.atk));
     const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
-    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
+    const findingsList =
+      findings.map((f) => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
     rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
   }
   return `# STIG Compliance Report
@@ -252,4 +318,4 @@ ${rows.join('\n')}
 
 ---
 *This report maps application security controls to DISA STIG requirements.*`;
-}
+}

package/backend/sbom.js

@@ -1,5 +1,7 @@
 export function generateSBOM(pkgJson, findings, format = 'json') {
-  if (format === 'spdx') return generateSPDX(pkgJson, findings);
+  if (format === 'spdx') {
+    return generateSPDX(pkgJson, findings);
+  }
   return generateCycloneDX(pkgJson, findings);
 }
 
@@ -13,20 +15,20 @@ function generateCycloneDX(pkgJson, findings) {
         type: 'library',
         name: pkgJson.name || 'unknown',
         version: pkgJson.version || 'unknown',
-        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`
+        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`,
       },
-      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }]
+      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }],
     },
-    vulnerabilities: findings.map(f => {
+    vulnerabilities: findings.map((f) => {
       const atkId = f.atk_id || f.id;
       return {
-      id: atkId,
-      source: { name: 'npm-scan' },
-      ratings: [{ severity: f.severity }],
-      description: f.description || f.title || '',
-      recommendation: f.mitigation || 'Review evidence'
+        id: atkId,
+        source: { name: 'npm-scan' },
+        ratings: [{ severity: f.severity }],
+        description: f.description || f.title || '',
+        recommendation: f.mitigation || 'Review evidence',
       };
-    })
+    }),
   };
   return JSON.stringify(bom, null, 2);
 }
@@ -42,26 +44,30 @@ function generateSPDX(pkgJson, findings) {
     documentNamespace: `https://npm-scan.io/spdx/${pkgName}-${pkgVer}`,
     creationInfo: {
       creators: ['Tool: npm-scan'],
-      created: new Date().toISOString()
+      created: new Date().toISOString(),
     },
-    packages: [{
-      SPDXID: 'SPDXRef-Package',
-      name: pkgName,
-      versionInfo: pkgVer,
-      packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
-      primaryPackagePurpose: 'LIBRARY',
-      externalRefs: [{
-        referenceCategory: 'PACKAGE-MANAGER',
-        referenceType: 'purl',
-        referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`
-      }]
-    }],
-    annotations: findings.map(f => ({
+    packages: [
+      {
+        SPDXID: 'SPDXRef-Package',
+        name: pkgName,
+        versionInfo: pkgVer,
+        packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
+        primaryPackagePurpose: 'LIBRARY',
+        externalRefs: [
+          {
+            referenceCategory: 'PACKAGE-MANAGER',
+            referenceType: 'purl',
+            referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`,
+          },
+        ],
+      },
+    ],
+    annotations: findings.map((f) => ({
       annotationDate: new Date().toISOString(),
       annotationType: 'OTHER',
       annotator: 'Tool: npm-scan',
-      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`
-    }))
+      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`,
+    })),
   };
   return JSON.stringify(spdx, null, 2);
-}
+}

package/backend/scripts/analyze-false-positives.js

@@ -0,0 +1,152 @@
+#!/usr/bin/env node
+import { readFileSync, existsSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+function analyzeFalsePositives(fpFile) {
+  const analysis = {
+    total_fps: 0,
+    scanned_packages: 0,
+    fp_rate: '0%',
+    detectors: {},
+    high_fp_detectors: [],
+    recommendations: [],
+    per_package: {},
+  };
+
+  const absPath = resolve(fpFile);
+  if (!existsSync(absPath)) {
+    console.error(`[ERROR] False positives file not found: ${absPath}`);
+    process.exit(1);
+  }
+
+  const text = readFileSync(absPath, 'utf-8');
+  const lines = text.split('\n').filter((l) => l.trim());
+
+  for (const line of lines) {
+    const fp = JSON.parse(line);
+    analysis.total_fps += 1;
+
+    const detector = fp.detector;
+    if (!analysis.detectors[detector]) {
+      analysis.detectors[detector] = {
+        fp_count: 0,
+        avg_confidence: 0,
+        confidences: [],
+        severities: [],
+        examples: [],
+        unique_packages: new Set(),
+      };
+    }
+
+    analysis.detectors[detector].fp_count += 1;
+    analysis.detectors[detector].confidences.push(fp.confidence);
+    analysis.detectors[detector].severities.push(fp.severity);
+    analysis.detectors[detector].unique_packages.add(fp.package);
+
+    if (analysis.detectors[detector].examples.length < 5) {
+      analysis.detectors[detector].examples.push({
+        package: fp.package,
+        version: fp.version,
+        confidence: fp.confidence,
+        subtype: fp.subtype,
+      });
+    }
+
+    if (!analysis.per_package[fp.package]) {
+      analysis.per_package[fp.package] = [];
+    }
+    analysis.per_package[fp.package].push({
+      detector: fp.detector,
+      confidence: fp.confidence,
+      version: fp.version,
+    });
+  }
+
+  for (const [detectorName, stats] of Object.entries(analysis.detectors)) {
+    stats.avg_confidence =
+      stats.confidences.length > 0
+        ? (stats.confidences.reduce((a, b) => a + b, 0) / stats.confidences.length).toFixed(1)
+        : '0.0';
+    stats.unique_package_count = stats.unique_packages.size;
+    delete stats.unique_packages;
+
+    const fpShare = ((stats.fp_count / analysis.total_fps) * 100).toFixed(1);
+
+    if (stats.fp_count >= 5) {
+      analysis.high_fp_detectors.push(detectorName);
+      analysis.recommendations.push({
+        detector: detectorName,
+        fp_count: stats.fp_count,
+        unique_packages: stats.unique_package_count,
+        share_of_total_fps: fpShare + '%',
+        avg_confidence: stats.avg_confidence,
+        severity_distribution: stats.severities.reduce((acc, s) => {
+          acc[s] = (acc[s] || 0) + 1;
+          return acc;
+        }, {}),
+        suggested_action: `Increase confidence threshold from current to ${Math.min(100, Math.ceil(parseFloat(stats.avg_confidence)) + 5)}`,
+        examples: stats.examples,
+      });
+    }
+  }
+
+  return analysis;
+}
+
+const fpFile = process.argv[2] || 'false-positives.jsonl';
+
+console.log(`[INFO] Analyzing ${fpFile}...`);
+const analysis = analyzeFalsePositives(fpFile);
+
+console.log('\n=== FALSE POSITIVE ANALYSIS ===');
+console.log(`Total FPs: ${analysis.total_fps}`);
+console.log(`Detectors with FPs: ${Object.keys(analysis.detectors).length}`);
+
+if (analysis.high_fp_detectors.length > 0) {
+  console.log(`\nHigh-FP detectors (>= 5 FPs): ${analysis.high_fp_detectors.join(', ')}`);
+} else {
+  console.log('\nNo high-FP detectors found (all < 5 FPs) — thresholds are well-calibrated');
+}
+
+console.log('\n=== PER-DETECTOR BREAKDOWN ===');
+console.log('Detector                          FPs  UniquePkgs  AvgConf  Top Examples');
+console.log('─'.repeat(90));
+for (const [name, stats] of Object.entries(analysis.detectors).sort(
+  (a, b) => b[1].fp_count - a[1].fp_count
+)) {
+  const dName = name.padEnd(32).slice(0, 32);
+  const examples = stats.examples
+    .slice(0, 2)
+    .map((e) => e.package)
+    .join(', ');
+  console.log(
+    `${dName} ${String(stats.fp_count).padStart(4)} ${String(stats.unique_package_count).padStart(11)} ` +
+      `${stats.avg_confidence.padStart(7)}  ${examples}`
+  );
+}
+
+if (analysis.recommendations.length > 0) {
+  console.log('\n=== RECOMMENDATIONS ===');
+  for (const rec of analysis.recommendations) {
+    console.log(`\n${rec.detector}:`);
+    console.log(
+      `  FPs: ${rec.fp_count} (${rec.share_of_total_fps} of total) across ${rec.unique_packages} unique packages`
+    );
+    console.log(`  Avg confidence: ${rec.avg_confidence}`);
+    console.log(`  Severity breakdown: ${JSON.stringify(rec.severity_distribution)}`);
+    console.log(`  Suggestion: ${rec.suggested_action}`);
+    console.log(`  Examples:`);
+    for (const ex of rec.examples.slice(0, 3)) {
+      console.log(`    ${ex.package}@${ex.version} (${ex.confidence}%) [${ex.subtype}]`);
+    }
+  }
+} else {
+  console.log('\n=== RECOMMENDATIONS ===');
+  console.log('No threshold adjustments needed — FP rates are within acceptable bounds.');
+}
+
+const outPath = resolve('fp-analysis.json');
+writeFileSync(outPath, JSON.stringify(analysis, null, 2), 'utf-8');
+console.log(`\n[INFO] Full analysis written to ${outPath}`);
+
+process.exit(0);

package/backend/scripts/analyze-validation.js

@@ -0,0 +1,157 @@
+#!/usr/bin/env node
+import { readFileSync, existsSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+async function analyzeValidation(resultsFile) {
+  const stats = {
+    total_packages: 0,
+    total_detections: 0,
+    total_expected: 0,
+    total_matched: 0,
+    campaigns: {},
+    detectors: {},
+    detection_matrix: {},
+  };
+
+  const absPath = resolve(resultsFile);
+  if (!existsSync(absPath)) {
+    console.error(`[ERROR] Results file not found: ${absPath}`);
+    process.exit(1);
+  }
+
+  const text = readFileSync(absPath, 'utf-8');
+  const lines = text.split('\n').filter((l) => l.trim());
+
+  for (const line of lines) {
+    const result = JSON.parse(line);
+    if (result.error) {
+      continue;
+    }
+
+    stats.total_packages += 1;
+    stats.total_detections += result.detection_count;
+
+    const campaignId = result.campaign_id;
+    if (!stats.campaigns[campaignId]) {
+      stats.campaigns[campaignId] = {
+        name: result.campaign_name,
+        total: 0,
+        detected: 0,
+        detection_rate: 0,
+        total_expected: 0,
+        total_matched: 0,
+        avg_confidence: 0,
+        confidences: [],
+      };
+    }
+
+    const campaign = stats.campaigns[campaignId];
+    campaign.total += 1;
+    campaign.total_expected += result.expected_detectors.length;
+
+    const matched = result.expected_detectors.filter((id) =>
+      result.detected_detectors.includes(id)
+    );
+    campaign.total_matched += matched.length;
+    stats.total_expected += result.expected_detectors.length;
+    stats.total_matched += matched.length;
+
+    if (matched.length > 0) {
+      campaign.detected += 1;
+    }
+
+    for (const detection of result.detections) {
+      const detectorName = detection.id || detection.detector;
+      if (!stats.detectors[detectorName]) {
+        stats.detectors[detectorName] = {
+          total_hits: 0,
+          expected_count: 0,
+          avg_confidence: 0,
+          confidences: [],
+          severities: [],
+        };
+      }
+
+      stats.detectors[detectorName].total_hits += 1;
+      stats.detectors[detectorName].confidences.push(detection.confidenceScore);
+      stats.detectors[detectorName].severities.push(detection.severity);
+
+      if (result.expected_detectors.includes(detectorName)) {
+        stats.detectors[detectorName].expected_count += 1;
+      }
+
+      if (!stats.detection_matrix[campaignId]) {
+        stats.detection_matrix[campaignId] = {};
+      }
+      if (!stats.detection_matrix[campaignId][detectorName]) {
+        stats.detection_matrix[campaignId][detectorName] = 0;
+      }
+      stats.detection_matrix[campaignId][detectorName] += 1;
+    }
+  }
+
+  for (const campaignId of Object.keys(stats.campaigns)) {
+    const campaign = stats.campaigns[campaignId];
+    campaign.detection_rate =
+      campaign.total > 0 ? ((campaign.detected / campaign.total) * 100).toFixed(1) + '%' : '0%';
+    campaign.expected_match_rate =
+      campaign.total_expected > 0
+        ? ((campaign.total_matched / campaign.total_expected) * 100).toFixed(1) + '%'
+        : '0%';
+  }
+
+  for (const detectorName of Object.keys(stats.detectors)) {
+    const detector = stats.detectors[detectorName];
+    detector.avg_confidence =
+      detector.confidences.length > 0
+        ? (detector.confidences.reduce((a, b) => a + b, 0) / detector.confidences.length).toFixed(1)
+        : '0.0';
+    detector.precision =
+      detector.total_hits > 0
+        ? ((detector.expected_count / detector.total_hits) * 100).toFixed(1) + '%'
+        : '0%';
+  }
+
+  return stats;
+}
+
+const resultsFile = process.argv[2] || 'validation-results.jsonl';
+
+console.log(`[INFO] Analyzing ${resultsFile}...`);
+const stats = await analyzeValidation(resultsFile);
+
+console.log('\n=== CAMPAIGN DETECTION RATES ===');
+console.log(
+  'Campaign                         Packages  Detected  Rate     Expected  Matched  Match%'
+);
+console.log('─'.repeat(95));
+for (const [_id, campaign] of Object.entries(stats.campaigns)) {
+  const name = campaign.name.padEnd(33).slice(0, 33);
+  console.log(
+    `${name} ${String(campaign.total).padStart(8)} ${String(campaign.detected).padStart(9)} ` +
+      `${campaign.detection_rate.padStart(7)} ${String(campaign.total_expected).padStart(9)} ` +
+      `${String(campaign.total_matched).padStart(8)} ${campaign.expected_match_rate.padStart(7)}`
+  );
+}
+console.log(`\nTotal: ${stats.total_packages} packages, ${stats.total_detections} detections`);
+
+console.log('\n=== DETECTOR PERFORMANCE ===');
+console.log('Detector                          Hits  Expected  Precision  Avg Confidence');
+console.log('─'.repeat(80));
+for (const [name, detector] of Object.entries(stats.detectors).sort(
+  (a, b) => b[1].total_hits - a[1].total_hits
+)) {
+  const dName = name.padEnd(32).slice(0, 32);
+  console.log(
+    `${dName} ${String(detector.total_hits).padStart(5)} ${String(detector.expected_count).padStart(9)} ` +
+      `${detector.precision.padStart(10)} ${detector.avg_confidence.padStart(14)}`
+  );
+}
+
+console.log('\n=== DETECTION MATRIX (Hits per Campaign × Detector) ===');
+console.log(JSON.stringify(stats.detection_matrix, null, 2));
+
+writeFileSync('detection-rates.json', JSON.stringify(stats, null, 2), 'utf-8');
+console.log('\n[INFO] Full results written to detection-rates.json');
+
+process.exit(0);