@oculum/scanner 1.0.14 → 1.0.15

package/dist/report/formatters/cli-terminal.js

@@ -3,6 +3,39 @@
  * CLI Terminal Formatter
  * Formats scan results with ANSI colors for terminal output
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.formatTerminalOutput = formatTerminalOutput;
 exports.formatCompactSummary = formatCompactSummary;
@@ -11,39 +44,45 @@ exports.formatFindingDetail = formatFindingDetail;
 exports.formatSimpleList = formatSimpleList;
 exports.formatJSON = formatJSON;
 exports.formatSARIF = formatSARIF;
+const path = __importStar(require("path"));
 const grouping_1 = require("./grouping");
 const hash_1 = require("../../postprocess/suppression/hash");
+const sanitize_1 = require("../sanitize");
 /**
  * ANSI color codes
  */
 const colors = {
-    reset: '\x1b[0m',
-    bold: '\x1b[1m',
-    dim: '\x1b[2m',
-    underline: '\x1b[4m',
+    reset: "\x1b[0m",
+    bold: "\x1b[1m",
+    dim: "\x1b[2m",
+    underline: "\x1b[4m",
     // Foreground colors
-    red: '\x1b[31m',
-    green: '\x1b[32m',
-    yellow: '\x1b[33m',
-    blue: '\x1b[34m',
-    magenta: '\x1b[35m',
-    cyan: '\x1b[36m',
-    white: '\x1b[37m',
-    gray: '\x1b[90m',
+    red: "\x1b[31m",
+    green: "\x1b[32m",
+    yellow: "\x1b[33m",
+    blue: "\x1b[34m",
+    magenta: "\x1b[35m",
+    cyan: "\x1b[36m",
+    white: "\x1b[37m",
+    gray: "\x1b[90m",
     // Background colors
-    bgRed: '\x1b[41m',
-    bgYellow: '\x1b[43m',
-    bgBlue: '\x1b[44m',
+    bgRed: "\x1b[41m",
+    bgYellow: "\x1b[43m",
+    bgBlue: "\x1b[44m",
 };
 /**
  * Severity colors and symbols
  */
 const SEVERITY_STYLE = {
-    critical: { color: colors.bgRed + colors.white, symbol: '●', label: 'CRITICAL' },
-    high: { color: colors.red, symbol: '●', label: 'HIGH' },
-    medium: { color: colors.yellow, symbol: '●', label: 'MEDIUM' },
-    low: { color: colors.blue, symbol: '○', label: 'LOW' },
-    info: { color: colors.gray, symbol: '○', label: 'INFO' },
+    critical: {
+        color: colors.bgRed + colors.white,
+        symbol: "●",
+        label: "CRITICAL",
+    },
+    high: { color: colors.red, symbol: "●", label: "HIGH" },
+    medium: { color: colors.yellow, symbol: "●", label: "MEDIUM" },
+    low: { color: colors.blue, symbol: "○", label: "LOW" },
+    info: { color: colors.gray, symbol: "○", label: "INFO" },
 };
 /**
  * Format colored text
@@ -65,7 +104,7 @@ function severityBadge(severity) {
  * Verbose: All of the above plus references and validation notes
  */
 function formatFinding(finding, options = {}) {
-    const { indent = '  ', compact = false, verbose = false } = options;
+    const { indent = "  ", compact = false, verbose = false } = options;
     const badge = severityBadge(finding.severity);
     const location = c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
     const hash = (0, hash_1.computeFindingHash)(finding);
@@ -76,29 +115,48 @@ function formatFinding(finding, options = {}) {
     // Default actionable output
     let output = `${indent}${badge} ${c(colors.bold, finding.title)}\n`;
     output += `${indent}   ${location}\n`;
-    output += '\n';
+    output += "\n";
     // Impact (why this matters) - shown by default
     if (finding.impact) {
-        output += `${indent}   ${c(colors.yellow + colors.bold, 'Impact:')} ${finding.impact}\n`;
-        output += '\n';
+        output += `${indent}   ${c(colors.yellow + colors.bold, "Impact:")} ${finding.impact}\n`;
+        output += "\n";
+    }
+    // Taint flow path — shown for taint-based findings
+    if (finding.taintPath && finding.taintPath.steps.length > 0) {
+        output += `${indent}   ${c(colors.yellow + colors.bold, "Flow:")}\n`;
+        for (const step of finding.taintPath.steps) {
+            const icon = step.stepType === "source"
+                ? "▶"
+                : step.stepType === "sink"
+                    ? "◀"
+                    : step.stepType === "sanitizer"
+                        ? "✕"
+                        : "→";
+            const lineRef = step.filePath
+                ? `${step.filePath}:${step.line}`
+                : `L${step.line}`;
+            const varPart = step.variable ? ` ${c(colors.cyan, step.variable)}` : "";
+            output += `${indent}     ${c(colors.dim, icon)} ${c(colors.dim, lineRef)}${varPart} ${c(colors.dim, "—")} ${step.description}\n`;
+        }
+        output += "\n";
     }
     // Code snippet
     if (finding.lineContent && finding.lineContent.trim()) {
-        output += `${indent}   ${c(colors.dim, 'Code:')} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? '...' : ''}\n`;
-        output += '\n';
+        output += `${indent}   ${c(colors.dim, "Code:")} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? "..." : ""}\n`;
+        output += "\n";
     }
     // Fix steps - shown by default (numbered list)
     if (finding.fixSteps && finding.fixSteps.length > 0) {
-        output += `${indent}   ${c(colors.green + colors.bold, 'Fix:')}\n`;
+        output += `${indent}   ${c(colors.green + colors.bold, "Fix:")}\n`;
         finding.fixSteps.forEach((step, i) => {
             output += `${indent}   ${c(colors.green, `${i + 1}. ${step}`)}\n`;
         });
-        output += '\n';
+        output += "\n";
     }
     else if (finding.suggestedFix) {
         // Fallback to legacy suggestedFix field
         output += `${indent}   ${c(colors.green, finding.suggestedFix)}\n`;
-        output += '\n';
+        output += "\n";
     }
     // Verbose mode: show additional details
     if (verbose) {
@@ -106,8 +164,8 @@ function formatFinding(finding, options = {}) {
         output += `${indent}   ${c(colors.dim, finding.description)}\n`;
         // References (OWASP/CWE links)
         if (finding.references && finding.references.length > 0) {
-            output += `${indent}   ${c(colors.blue, 'References:')}\n`;
-            finding.references.forEach(ref => {
+            output += `${indent}   ${c(colors.blue, "References:")}\n`;
+            finding.references.forEach((ref) => {
                 output += `${indent}   ${c(colors.blue, `  • ${ref}`)}\n`;
             });
         }
@@ -117,7 +175,7 @@ function formatFinding(finding, options = {}) {
         }
         // AI enhanced indicator
         if (finding.aiEnhanced) {
-            output += `${indent}   ${c(colors.magenta, '[AI] Enhanced fix suggestion')}\n`;
+            output += `${indent}   ${c(colors.magenta, "[AI] Enhanced fix suggestion")}\n`;
         }
     }
     // Suppress command - always shown
@@ -143,12 +201,12 @@ function formatGroup(group, options = {}) {
         counts.push(c(colors.blue, `${severityCounts.low} low`));
     if (severityCounts.info > 0)
         counts.push(c(colors.gray, `${severityCounts.info} info`));
-    let output = `\n${c(colors.bold, `${config.icon} ${themeName}`)} (${counts.join(', ')})\n`;
-    output += c(colors.dim, '─'.repeat(60)) + '\n';
+    let output = `\n${c(colors.bold, `${config.icon} ${themeName}`)} (${counts.join(", ")})\n`;
+    output += c(colors.dim, "─".repeat(60)) + "\n";
     // Show findings
     const shown = findings.slice(0, maxFindings);
     for (const finding of shown) {
-        output += formatFinding(finding, { compact, verbose }) + '\n';
+        output += formatFinding(finding, { compact, verbose }) + "\n";
     }
     // Truncation notice
     if (findings.length > maxFindings) {
@@ -160,35 +218,71 @@ function formatGroup(group, options = {}) {
  * Format baseline diff summary
  */
 function formatDiffSummary(baselineDiff) {
-    let output = '';
-    output += c(colors.bold, 'Baseline Comparison') + '\n';
-    output += c(colors.dim, '─'.repeat(40)) + '\n';
+    let output = "";
+    output += c(colors.bold, "Baseline Comparison") + "\n";
+    output += c(colors.dim, "─".repeat(40)) + "\n";
     output += `  + ${c(colors.yellow, `${baselineDiff.newCount} new`)} findings\n`;
     output += `  - ${c(colors.green, `${baselineDiff.fixedCount} fixed`)} since baseline\n`;
     output += `  = ${c(colors.dim, `${baselineDiff.existingCount} existing`)} (in baseline)\n`;
-    output += '\n';
+    output += "\n";
     // Format baseline date
     const baselineDate = new Date(baselineDiff.baselineCreatedAt);
-    const dateStr = baselineDate.toLocaleDateString('en-US', {
-        year: 'numeric',
-        month: 'short',
-        day: 'numeric',
+    const dateStr = baselineDate.toLocaleDateString("en-US", {
+        year: "numeric",
+        month: "short",
+        day: "numeric",
     });
-    const commitStr = baselineDiff.baselineCommit ? ` (${baselineDiff.baselineCommit})` : '';
-    output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + '\n\n';
+    const commitStr = baselineDiff.baselineCommit
+        ? ` (${baselineDiff.baselineCommit})`
+        : "";
+    output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + "\n\n";
     return output;
 }
+/**
+ * Collapse findings that share the same title|severity|category signature
+ * across 3+ distinct files into a single representative entry.
+ * Applied at display time only — does not mutate the underlying scan result.
+ */
+function collapseAcrossFiles(findings) {
+    const bySignature = new Map();
+    for (const f of findings) {
+        const sig = `${f.title}|${f.severity}|${f.category}`;
+        const group = bySignature.get(sig) ?? [];
+        group.push(f);
+        bySignature.set(sig, group);
+    }
+    const result = [];
+    for (const [, group] of bySignature) {
+        const files = [...new Set(group.map((f) => f.filePath))];
+        if (files.length >= 3) {
+            const first = group[0];
+            const fileList = files
+                .slice(0, 3)
+                .map((f) => path.basename(f))
+                .join(", ");
+            result.push({
+                ...first,
+                title: `${first.title} (${files.length} routes)`,
+                description: `${first.description}\n\nAffects ${files.length} files: ${fileList}${files.length > 3 ? `, ... and ${files.length - 3} more` : ""}`,
+            });
+        }
+        else {
+            result.push(...group);
+        }
+    }
+    return result;
+}
 /**
  * Format full scan result for terminal
  */
 function formatTerminalOutput(result, options = {}) {
     const { maxFindingsPerGroup = 10, showAllFindings = false, compact = false, verbose = false, } = options;
-    const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration, baselineDiff } = result;
-    let output = '\n';
+    const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration, baselineDiff, } = result;
+    let output = "\n";
     // Header
-    output += c(colors.bold, '═'.repeat(60)) + '\n';
-    output += c(colors.bold, '  OCULUM SECURITY SCAN RESULTS') + '\n';
-    output += c(colors.bold, '═'.repeat(60)) + '\n\n';
+    output += c(colors.bold, "═".repeat(60)) + "\n";
+    output += c(colors.bold, "  OCULUM SECURITY SCAN RESULTS") + "\n";
+    output += c(colors.bold, "═".repeat(60)) + "\n\n";
     // Baseline diff summary (if present)
     if (baselineDiff) {
         output += formatDiffSummary(baselineDiff);
@@ -196,81 +290,120 @@ function formatTerminalOutput(result, options = {}) {
     // Status
     if (hasBlockingIssues) {
         const blocking = severityCounts.critical + severityCounts.high;
-        output += c(colors.bgRed + colors.white + colors.bold, ` ! ${blocking} BLOCKING ISSUES FOUND `) + '\n\n';
+        output +=
+            c(colors.bgRed + colors.white + colors.bold, ` ! ${blocking} BLOCKING ISSUES FOUND `) + "\n\n";
     }
     else if (vulnerabilities.length > 0) {
-        output += c(colors.yellow, `${vulnerabilities.length} issues found (no blocking issues)`) + '\n\n';
+        output +=
+            c(colors.yellow, `${vulnerabilities.length} issues found (no blocking issues)`) + "\n\n";
     }
     else {
-        output += c(colors.green, 'No security issues found!') + '\n\n';
-        output += c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + '\n';
+        output += c(colors.green, "No security issues found!") + "\n\n";
+        output +=
+            c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + "\n";
         return output;
     }
     // Summary counts
-    output += c(colors.bold, 'Summary:') + '\n';
+    output += c(colors.bold, "Summary:") + "\n";
     if (severityCounts.critical > 0)
-        output += `  ${severityBadge('critical')}  ${severityCounts.critical}\n`;
+        output += `  ${severityBadge("critical")}  ${severityCounts.critical}\n`;
     if (severityCounts.high > 0)
-        output += `  ${severityBadge('high')}      ${severityCounts.high}\n`;
+        output += `  ${severityBadge("high")}      ${severityCounts.high}\n`;
     if (severityCounts.medium > 0)
-        output += `  ${severityBadge('medium')}    ${severityCounts.medium}\n`;
+        output += `  ${severityBadge("medium")}    ${severityCounts.medium}\n`;
     if (severityCounts.low > 0)
-        output += `  ${severityBadge('low')}       ${severityCounts.low}\n`;
+        output += `  ${severityBadge("low")}       ${severityCounts.low}\n`;
     if (severityCounts.info > 0)
-        output += `  ${severityBadge('info')}      ${severityCounts.info}\n`;
-    output += '\n';
+        output += `  ${severityBadge("info")}      ${severityCounts.info}\n`;
+    output += "\n";
     // Blocking issues first
     const blockingIssues = (0, grouping_1.getBlockingIssues)(vulnerabilities);
+    const blockingIds = new Set(blockingIssues.map((f) => f.id));
     if (blockingIssues.length > 0) {
-        output += c(colors.bgRed + colors.white + colors.bold, ' BLOCKING ISSUES ') + '\n';
-        output += c(colors.red, 'These must be fixed before merging:') + '\n\n';
+        output +=
+            c(colors.bgRed + colors.white + colors.bold, " BLOCKING ISSUES ") + "\n";
+        output += c(colors.red, "These must be fixed before merging:") + "\n\n";
         for (const finding of blockingIssues.slice(0, 10)) {
             output += formatFinding(finding, { compact, verbose });
-            output += '\n';
+            output += "\n";
         }
         if (blockingIssues.length > 10) {
             output += c(colors.dim, `  ... and ${blockingIssues.length - 10} more blocking issues\n`);
         }
-        output += '\n';
+        output += "\n";
     }
     // Grouped findings
     const grouped = (0, grouping_1.groupByTheme)(vulnerabilities);
-    output += c(colors.bold, '─'.repeat(60)) + '\n';
-    output += c(colors.bold, 'ALL FINDINGS BY CATEGORY') + '\n';
-    for (const group of grouped) {
-        // Skip if only showing non-blocking and all are blocking
-        if (!showAllFindings) {
-            const nonBlocking = group.findings.filter(f => f.severity !== 'critical' && f.severity !== 'high');
-            if (nonBlocking.length === 0 && blockingIssues.length > 0)
+    // Check if any groups have non-blocking findings to display
+    const hasNonBlockingGroups = showAllFindings ||
+        grouped.some((group) => {
+            const displayFindings = group.findings.filter((f) => !blockingIds.has(f.id));
+            return displayFindings.length > 0;
+        });
+    if (hasNonBlockingGroups) {
+        output += c(colors.bold, "─".repeat(60)) + "\n";
+        output += c(colors.bold, "ALL FINDINGS BY CATEGORY") + "\n";
+        for (const group of grouped) {
+            const displayFindings = showAllFindings
+                ? group.findings
+                : group.findings.filter((f) => !blockingIds.has(f.id));
+            if (displayFindings.length === 0)
                 continue;
+            const collapsed = collapseAcrossFiles(displayFindings);
+            // Recompute severity counts from the filtered/collapsed findings
+            const filteredCounts = {
+                critical: 0,
+                high: 0,
+                medium: 0,
+                low: 0,
+                info: 0,
+            };
+            for (const f of collapsed)
+                filteredCounts[f.severity] = (filteredCounts[f.severity] ?? 0) + 1;
+            output += formatGroup({
+                ...group,
+                findings: collapsed,
+                severityCounts: filteredCounts,
+            }, {
+                maxFindings: maxFindingsPerGroup,
+                compact,
+                verbose,
+            });
         }
-        output += formatGroup(group, { maxFindings: maxFindingsPerGroup, compact, verbose });
     }
     // Suppressed findings section (if any)
-    if (result.suppressedVulnerabilities && result.suppressedVulnerabilities.length > 0) {
-        output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n';
-        output += c(colors.dim + colors.bold, 'SUPPRESSED FINDINGS') + '\n';
-        output += c(colors.dim, `${result.suppressedVulnerabilities.length} findings suppressed`) + '\n\n';
+    if (result.suppressedVulnerabilities &&
+        result.suppressedVulnerabilities.length > 0) {
+        output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+        output += c(colors.dim + colors.bold, "SUPPRESSED FINDINGS") + "\n";
+        output +=
+            c(colors.dim, `${result.suppressedVulnerabilities.length} findings suppressed`) + "\n\n";
         for (const suppressed of result.suppressedVulnerabilities.slice(0, 5)) {
-            const typeLabel = suppressed.suppressionType === 'inline' ? 'inline'
-                : suppressed.suppressionType === 'config-finding' ? 'config'
-                    : 'rule';
-            output += c(colors.dim, `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`) + '\n';
-            output += c(colors.dim, `    ${suppressed.title}`) + '\n';
-            output += c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) + '\n';
+            const typeLabel = suppressed.suppressionType === "inline"
+                ? "inline"
+                : suppressed.suppressionType === "config-finding"
+                    ? "config"
+                    : "rule";
+            output +=
+                c(colors.dim, `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`) + "\n";
+            output += c(colors.dim, `    ${suppressed.title}`) + "\n";
+            output +=
+                c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) +
+                    "\n";
             if (suppressed.expires) {
-                output += c(colors.dim, `    Expires: ${suppressed.expires}`) + '\n';
+                output += c(colors.dim, `    Expires: ${suppressed.expires}`) + "\n";
             }
-            output += '\n';
+            output += "\n";
         }
         if (result.suppressedVulnerabilities.length > 5) {
             output += c(colors.dim, `  ... and ${result.suppressedVulnerabilities.length - 5} more suppressed\n`);
         }
     }
     // Suppression stats (if any)
-    if (result.suppressionStats && (result.suppressionStats.inlineSuppressed > 0 ||
-        result.suppressionStats.configFindingSuppressed > 0 ||
-        result.suppressionStats.configRuleSuppressed > 0)) {
+    if (result.suppressionStats &&
+        (result.suppressionStats.inlineSuppressed > 0 ||
+            result.suppressionStats.configFindingSuppressed > 0 ||
+            result.suppressionStats.configRuleSuppressed > 0)) {
         const stats = result.suppressionStats;
         const parts = [];
         if (stats.inlineSuppressed > 0)
@@ -282,12 +415,50 @@ function formatTerminalOutput(result, options = {}) {
         if (stats.expired > 0)
             parts.push(`${stats.expired} expired`);
         if (!result.suppressedVulnerabilities) {
-            output += '\n' + c(colors.dim, `Suppressed: ${parts.join(', ')}`) + '\n';
+            output += "\n" + c(colors.dim, `Suppressed: ${parts.join(", ")}`) + "\n";
         }
     }
+    // For Review section (confidence-suppressed findings eligible for review)
+    const MAX_FOR_REVIEW = 5;
+    if (result.forReviewFindings && result.forReviewFindings.length > 0) {
+        output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+        output += c(colors.yellow + colors.bold, "FOR REVIEW") + " ";
+        output +=
+            c(colors.dim, `(${result.forReviewFindings.length} lower-confidence findings)`) + "\n";
+        output +=
+            c(colors.dim, "Run with -d verified to AI-validate these findings.") +
+                "\n\n";
+        for (const finding of result.forReviewFindings.slice(0, MAX_FOR_REVIEW)) {
+            const score = Math.round(finding.confidenceScore * 100);
+            output += `  ${severityBadge(finding.severity)} ${finding.title}\n`;
+            output +=
+                c(colors.dim, `     ${finding.filePath}:${finding.lineNumber}`) + " ";
+            output += c(colors.dim, `[${score}%]`) + "\n";
+        }
+        if (result.forReviewFindings.length > MAX_FOR_REVIEW) {
+            output +=
+                c(colors.dim, `\n  ... and ${result.forReviewFindings.length - MAX_FOR_REVIEW} more`) + "\n";
+        }
+    }
+    // Unvalidated findings notice
+    const unvalidatedCount = vulnerabilities.filter((v) => v.validationStatus === "not_validated").length;
+    if (unvalidatedCount > 0) {
+        output +=
+            "\n" +
+                c(colors.yellow, `  ⚠ ${unvalidatedCount} finding(s) need AI review (run with --depth verified)`) +
+                "\n";
+    }
     // Footer
-    output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n';
-    output += c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + '\n';
+    output += "\n" + c(colors.dim, "─".repeat(60)) + "\n";
+    // Language breakdown
+    if (result.languageStats && Object.keys(result.languageStats).length > 0) {
+        const langParts = Object.entries(result.languageStats)
+            .sort(([, a], [, b]) => b - a)
+            .map(([lang, count]) => `${count} ${lang}`);
+        output += c(colors.dim, `Scanned: ${langParts.join(", ")}`) + "\n";
+    }
+    output +=
+        c(colors.dim, `Scanned ${filesScanned} files in ${(scanDuration / 1000).toFixed(1)}s`) + "\n";
     return output;
 }
 /**
@@ -301,8 +472,8 @@ function formatCompactSummary(vulnerabilities, options = {}) {
     const { showNumbers = true, maxPerSeverity = 5, showHint = true, noColor = false, } = options;
     if (vulnerabilities.length === 0) {
         return noColor
-            ? 'No security issues found.'
-            : c(colors.green, 'No security issues found.');
+            ? "No security issues found."
+            : c(colors.green, "No security issues found.");
     }
     // Group by severity
     const bySeverity = {
@@ -316,9 +487,15 @@ function formatCompactSummary(vulnerabilities, options = {}) {
         bySeverity[v.severity].push(v);
     }
     // Build output
-    let output = '';
+    let output = "";
     let globalIndex = 1;
-    const severityOrder = ['critical', 'high', 'medium', 'low', 'info'];
+    const severityOrder = [
+        "critical",
+        "high",
+        "medium",
+        "low",
+        "info",
+    ];
     const severityColors = {
         critical: colors.bgRed + colors.white,
         high: colors.red,
@@ -339,13 +516,13 @@ function formatCompactSummary(vulnerabilities, options = {}) {
         // Show findings
         const shown = findings.slice(0, maxPerSeverity);
         for (const finding of shown) {
-            const num = showNumbers ? `${globalIndex}. ` : '';
+            const num = showNumbers ? `${globalIndex}. ` : "";
             const location = noColor
                 ? `${finding.filePath}:${finding.lineNumber}`
                 : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
             output += noColor
                 ? `     ${num}${finding.title} in ${location}\n`
-                : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, 'in')} ${location}\n`;
+                : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, "in")} ${location}\n`;
             globalIndex++;
         }
         // Show truncation notice
@@ -360,7 +537,7 @@ function formatCompactSummary(vulnerabilities, options = {}) {
     }
     // Hint at bottom
     if (showHint && vulnerabilities.length > 0) {
-        output += '\n';
+        output += "\n";
         output += noColor
             ? "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n"
             : c(colors.dim, "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n");
@@ -382,7 +559,7 @@ function getNumberedFindings(vulnerabilities) {
  */
 function formatFindingDetail(finding, number, options = {}) {
     const { verbose = false, noColor = false } = options;
-    let output = '';
+    let output = "";
     // Header
     const badge = noColor
         ? `[${finding.severity.toUpperCase()}]`
@@ -391,67 +568,75 @@ function formatFindingDetail(finding, number, options = {}) {
     output += `\n#${number} ${badge} ${title}\n`;
     // Location
     const location = noColor
-        ? finding.filePath + ':' + finding.lineNumber
+        ? finding.filePath + ":" + finding.lineNumber
         : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`);
     output += `   ${location}\n`;
-    output += '\n';
+    output += "\n";
     // Impact
     if (finding.impact) {
-        const impactLabel = noColor ? 'Impact:' : c(colors.yellow + colors.bold, 'Impact:');
+        const impactLabel = noColor
+            ? "Impact:"
+            : c(colors.yellow + colors.bold, "Impact:");
         output += `   ${impactLabel} ${finding.impact}\n`;
-        output += '\n';
+        output += "\n";
     }
     // Code snippet
     if (finding.lineContent && finding.lineContent.trim()) {
-        const codeLabel = noColor ? 'Code:' : c(colors.dim, 'Code:');
+        const codeLabel = noColor ? "Code:" : c(colors.dim, "Code:");
         const code = finding.lineContent.trim().substring(0, 100);
         const codeText = noColor ? code : c(colors.white, code);
-        output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? '...' : ''}\n`;
-        output += '\n';
+        output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? "..." : ""}\n`;
+        output += "\n";
     }
     // Description
     output += noColor
         ? `   ${finding.description}\n`
         : `   ${c(colors.dim, finding.description)}\n`;
-    output += '\n';
+    output += "\n";
     // Fix steps
     if (finding.fixSteps && finding.fixSteps.length > 0) {
-        const fixLabel = noColor ? 'How to fix:' : c(colors.green + colors.bold, 'How to fix:');
+        const fixLabel = noColor
+            ? "How to fix:"
+            : c(colors.green + colors.bold, "How to fix:");
         output += `   ${fixLabel}\n`;
         finding.fixSteps.forEach((step, i) => {
-            const stepText = noColor ? `${i + 1}. ${step}` : c(colors.green, `${i + 1}. ${step}`);
+            const stepText = noColor
+                ? `${i + 1}. ${step}`
+                : c(colors.green, `${i + 1}. ${step}`);
             output += `   ${stepText}\n`;
         });
-        output += '\n';
+        output += "\n";
     }
     else if (finding.suggestedFix) {
-        const fixLabel = noColor ? 'Suggested fix:' : c(colors.green + colors.bold, 'Suggested fix:');
+        const fixLabel = noColor
+            ? "Suggested fix:"
+            : c(colors.green + colors.bold, "Suggested fix:");
         output += `   ${fixLabel} ${finding.suggestedFix}\n`;
-        output += '\n';
+        output += "\n";
     }
     // Verbose mode: additional details
     if (verbose) {
         // References
         if (finding.references && finding.references.length > 0) {
-            const refLabel = noColor ? 'References:' : c(colors.blue, 'References:');
+            const refLabel = noColor ? "References:" : c(colors.blue, "References:");
             output += `   ${refLabel}\n`;
-            finding.references.forEach(ref => {
+            finding.references.forEach((ref) => {
                 output += noColor
                     ? `   - ${ref}\n`
                     : `   ${c(colors.blue, `- ${ref}`)}\n`;
             });
-            output += '\n';
+            output += "\n";
         }
         // Validation notes
         if (finding.validationNotes) {
-            const notesLabel = noColor ? '[AI]' : c(colors.magenta, '[AI]');
+            const notesLabel = noColor ? "[AI]" : c(colors.magenta, "[AI]");
             output += `   ${notesLabel} ${finding.validationNotes}\n`;
-            output += '\n';
+            output += "\n";
         }
         // Category and confidence
         output += noColor
-            ? `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`
-            : c(colors.dim, `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`);
+            ? `   Category: ${finding.category} · Confidence: ${finding.confidence || "medium"} · Layer: ${finding.layer}\n`
+            : c(colors.dim, `   Category: ${finding.category} · Confidence: ${finding.confidence || "medium"} · Layer: ${finding.layer}\n`);
     }
     return output;
 }
@@ -459,7 +644,7 @@ function formatFindingDetail(finding, number, options = {}) {
  * Format as simple list (no grouping, no colors)
  */
 function formatSimpleList(vulnerabilities) {
-    let output = '';
+    let output = "";
     for (const finding of vulnerabilities) {
         const severity = finding.severity.toUpperCase().padEnd(8);
         output += `[${severity}] ${finding.filePath}:${finding.lineNumber} - ${finding.title}\n`;
@@ -470,104 +655,104 @@ function formatSimpleList(vulnerabilities) {
  * Format as JSON (for piping to other tools)
  */
 function formatJSON(result, pretty = false) {
-    if (pretty) {
-        return JSON.stringify(result, null, 2);
-    }
-    return JSON.stringify(result);
+    const sanitized = (0, sanitize_1.sanitizeScanResult)(result);
+    return pretty
+        ? JSON.stringify(sanitized, null, 2)
+        : JSON.stringify(sanitized);
 }
 /**
  * Rule metadata for SARIF output
  */
 const RULE_METADATA = {
     hardcoded_secret: {
-        name: 'Hardcoded Secret',
-        description: 'Sensitive credentials or API keys hardcoded in source code. These can be extracted from version control history or compiled binaries.',
-        helpUri: 'https://oculum.dev/docs/rules/hardcoded-secrets',
-        tags: ['security', 'secrets', 'credentials'],
+        name: "Hardcoded Secret",
+        description: "Sensitive credentials or API keys hardcoded in source code. These can be extracted from version control history or compiled binaries.",
+        helpUri: "https://oculum.dev/docs/rules/hardcoded-secrets",
+        tags: ["security", "secrets", "credentials"],
     },
     high_entropy_string: {
-        name: 'High Entropy String',
-        description: 'A high-entropy string that may be a secret or API key. Review to ensure it is not sensitive data.',
-        helpUri: 'https://oculum.dev/docs/rules/high-entropy',
-        tags: ['security', 'secrets'],
+        name: "High Entropy String",
+        description: "A high-entropy string that may be a secret or API key. Review to ensure it is not sensitive data.",
+        helpUri: "https://oculum.dev/docs/rules/high-entropy",
+        tags: ["security", "secrets"],
     },
     ai_prompt_injection: {
-        name: 'AI Prompt Injection',
-        description: 'User input is included in AI prompts without proper sanitization, potentially allowing prompt injection attacks.',
-        helpUri: 'https://oculum.dev/docs/rules/prompt-injection',
-        tags: ['security', 'ai', 'injection'],
+        name: "AI Prompt Injection",
+        description: "User input is included in AI prompts without proper sanitization, potentially allowing prompt injection attacks.",
+        helpUri: "https://oculum.dev/docs/rules/prompt-injection",
+        tags: ["security", "ai", "injection"],
     },
     ai_unsafe_execution: {
-        name: 'AI Unsafe Execution',
-        description: 'AI-generated content is used in code execution, SQL queries, or other dangerous sinks without validation.',
-        helpUri: 'https://oculum.dev/docs/rules/unsafe-execution',
-        tags: ['security', 'ai', 'injection'],
+        name: "AI Unsafe Execution",
+        description: "AI-generated content is used in code execution, SQL queries, or other dangerous sinks without validation.",
+        helpUri: "https://oculum.dev/docs/rules/unsafe-execution",
+        tags: ["security", "ai", "injection"],
     },
     ai_overpermissive_tool: {
-        name: 'AI Overpermissive Tool',
-        description: 'AI agent tool has excessive permissions without proper restrictions or sandboxing.',
-        helpUri: 'https://oculum.dev/docs/rules/overpermissive-tools',
-        tags: ['security', 'ai', 'authorization'],
+        name: "AI Overpermissive Tool",
+        description: "AI agent tool has excessive permissions without proper restrictions or sandboxing.",
+        helpUri: "https://oculum.dev/docs/rules/overpermissive-tools",
+        tags: ["security", "ai", "authorization"],
     },
     ai_rag_exfiltration: {
-        name: 'AI RAG Data Exfiltration',
-        description: 'RAG (Retrieval Augmented Generation) queries may expose data across tenant boundaries or leak sensitive context.',
-        helpUri: 'https://oculum.dev/docs/rules/rag-exfiltration',
-        tags: ['security', 'ai', 'data-exposure'],
+        name: "AI RAG Data Exfiltration",
+        description: "RAG (Retrieval Augmented Generation) queries may expose data across tenant boundaries or leak sensitive context.",
+        helpUri: "https://oculum.dev/docs/rules/rag-exfiltration",
+        tags: ["security", "ai", "data-exposure"],
     },
     ai_endpoint_unprotected: {
-        name: 'AI Endpoint Unprotected',
-        description: 'AI endpoint lacks authentication or rate limiting, potentially allowing abuse or cost attacks.',
-        helpUri: 'https://oculum.dev/docs/rules/unprotected-endpoints',
-        tags: ['security', 'ai', 'authentication'],
+        name: "AI Endpoint Unprotected",
+        description: "AI endpoint lacks authentication or rate limiting, potentially allowing abuse or cost attacks.",
+        helpUri: "https://oculum.dev/docs/rules/unprotected-endpoints",
+        tags: ["security", "ai", "authentication"],
     },
     ai_schema_mismatch: {
-        name: 'AI Schema Validation Missing',
-        description: 'AI-generated output is used without schema validation, potentially allowing malformed or malicious data.',
-        helpUri: 'https://oculum.dev/docs/rules/schema-validation',
-        tags: ['security', 'ai', 'validation'],
+        name: "AI Schema Validation Missing",
+        description: "AI-generated output is used without schema validation, potentially allowing malformed or malicious data.",
+        helpUri: "https://oculum.dev/docs/rules/schema-validation",
+        tags: ["security", "ai", "validation"],
     },
     sql_injection: {
-        name: 'SQL Injection',
-        description: 'User input is concatenated into SQL queries without parameterization, allowing SQL injection attacks.',
-        helpUri: 'https://oculum.dev/docs/rules/sql-injection',
-        tags: ['security', 'injection', 'database'],
+        name: "SQL Injection",
+        description: "User input is concatenated into SQL queries without parameterization, allowing SQL injection attacks.",
+        helpUri: "https://oculum.dev/docs/rules/sql-injection",
+        tags: ["security", "injection", "database"],
     },
     xss: {
-        name: 'Cross-Site Scripting (XSS)',
-        description: 'User input is rendered in HTML without proper escaping, allowing script injection.',
-        helpUri: 'https://oculum.dev/docs/rules/xss',
-        tags: ['security', 'injection', 'web'],
+        name: "Cross-Site Scripting (XSS)",
+        description: "User input is rendered in HTML without proper escaping, allowing script injection.",
+        helpUri: "https://oculum.dev/docs/rules/xss",
+        tags: ["security", "injection", "web"],
     },
     command_injection: {
-        name: 'Command Injection',
-        description: 'User input is passed to shell commands without sanitization, allowing arbitrary command execution.',
-        helpUri: 'https://oculum.dev/docs/rules/command-injection',
-        tags: ['security', 'injection', 'shell'],
+        name: "Command Injection",
+        description: "User input is passed to shell commands without sanitization, allowing arbitrary command execution.",
+        helpUri: "https://oculum.dev/docs/rules/command-injection",
+        tags: ["security", "injection", "shell"],
     },
     missing_auth: {
-        name: 'Missing Authentication',
-        description: 'Sensitive endpoint or route lacks authentication checks.',
-        helpUri: 'https://oculum.dev/docs/rules/missing-auth',
-        tags: ['security', 'authentication'],
+        name: "Missing Authentication",
+        description: "Sensitive endpoint or route lacks authentication checks.",
+        helpUri: "https://oculum.dev/docs/rules/missing-auth",
+        tags: ["security", "authentication"],
     },
     data_exposure: {
-        name: 'Data Exposure',
-        description: 'Sensitive data may be exposed through logging, error messages, or API responses.',
-        helpUri: 'https://oculum.dev/docs/rules/data-exposure',
-        tags: ['security', 'data-exposure'],
+        name: "Data Exposure",
+        description: "Sensitive data may be exposed through logging, error messages, or API responses.",
+        helpUri: "https://oculum.dev/docs/rules/data-exposure",
+        tags: ["security", "data-exposure"],
     },
     insecure_config: {
-        name: 'Insecure Configuration',
-        description: 'Security-relevant configuration is set to an insecure value.',
-        helpUri: 'https://oculum.dev/docs/rules/insecure-config',
-        tags: ['security', 'configuration'],
+        name: "Insecure Configuration",
+        description: "Security-relevant configuration is set to an insecure value.",
+        helpUri: "https://oculum.dev/docs/rules/insecure-config",
+        tags: ["security", "configuration"],
     },
     dangerous_function: {
-        name: 'Dangerous Function',
-        description: 'Use of a function known to be dangerous or deprecated for security reasons.',
-        helpUri: 'https://oculum.dev/docs/rules/dangerous-functions',
-        tags: ['security', 'code-quality'],
+        name: "Dangerous Function",
+        description: "Use of a function known to be dangerous or deprecated for security reasons.",
+        helpUri: "https://oculum.dev/docs/rules/dangerous-functions",
+        tags: ["security", "code-quality"],
     },
 };
 /**
@@ -583,11 +768,12 @@ function formatSARIF(result) {
         message: {
             text: v.description,
         },
-        locations: [{
+        locations: [
+            {
                 physicalLocation: {
                     artifactLocation: {
                         uri: v.filePath,
-                        uriBaseId: '%SRCROOT%',
+                        uriBaseId: "%SRCROOT%",
                     },
                     region: {
                         startLine: v.lineNumber,
@@ -595,15 +781,20 @@ function formatSARIF(result) {
                         snippet: v.lineContent ? { text: v.lineContent } : undefined,
                     },
                 },
-            }],
+            },
+        ],
         fingerprints: {
-            'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
+            "oculum/v1": `${v.category}:${v.filePath}:${v.lineNumber}`,
         },
-        fixes: v.suggestedFix ? [{
-                description: {
-                    text: v.suggestedFix,
+        fixes: v.suggestedFix
+            ? [
+                {
+                    description: {
+                        text: v.suggestedFix,
+                    },
                 },
-            }] : undefined,
+            ]
+            : undefined,
         properties: {
             confidence: v.confidence,
             layer: v.layer,
@@ -617,59 +808,65 @@ function formatSARIF(result) {
         message: {
             text: s.title,
         },
-        locations: [{
+        locations: [
+            {
                 physicalLocation: {
                     artifactLocation: {
                         uri: s.filePath,
-                        uriBaseId: '%SRCROOT%',
+                        uriBaseId: "%SRCROOT%",
                     },
                     region: {
                         startLine: s.lineNumber,
                         startColumn: 1,
                     },
                 },
-            }],
+            },
+        ],
         fingerprints: {
-            'oculum/v1': `${s.category}:${s.filePath}:${s.lineNumber}`,
-            'oculum/hash': s.hash,
+            "oculum/v1": `${s.category}:${s.filePath}:${s.lineNumber}`,
+            "oculum/hash": s.hash,
         },
-        suppressions: [{
-                kind: s.suppressionType === 'inline' ? 'inSource' : 'external',
+        suppressions: [
+            {
+                kind: s.suppressionType === "inline" ? "inSource" : "external",
                 justification: s.suppressionReason,
-                state: 'accepted',
-            }],
+                state: "accepted",
+            },
+        ],
         properties: {
             suppressionType: s.suppressionType,
             expires: s.expires,
         },
     }));
     return {
-        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-        version: '2.1.0',
-        runs: [{
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
                 tool: {
                     driver: {
-                        name: 'Oculum',
-                        version: '1.0.0',
-                        informationUri: 'https://oculum.dev',
-                        organization: 'Oculum Security',
+                        name: "Oculum",
+                        version: "1.0.0",
+                        informationUri: "https://oculum.dev",
+                        organization: "Oculum Security",
                         rules: getUniqueRules(result.vulnerabilities),
                     },
                 },
                 results: [...activeResults, ...suppressedResults],
-                columnKind: 'utf16CodeUnits',
-            }],
+                columnKind: "utf16CodeUnits",
+            },
+        ],
     };
 }
 function mapSeverityToSARIF(severity) {
     switch (severity) {
-        case 'critical':
-        case 'high':
-            return 'error';
-        case 'medium':
-            return 'warning';
+        case "critical":
+        case "high":
+            return "error";
+        case "medium":
+            return "warning";
         default:
-            return 'note';
+            return "note";
     }
 }
 function getRuleIndex(vulnerabilities, category) {
@@ -693,7 +890,8 @@ function getUniqueRules(vulnerabilities) {
             continue;
         seen.add(v.category);
         const metadata = RULE_METADATA[v.category];
-        const ruleName = metadata?.name || v.category.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+        const ruleName = metadata?.name ||
+            v.category.replace(/_/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
         rules.push({
             id: v.category,
             name: ruleName,
@@ -701,18 +899,23 @@ function getUniqueRules(vulnerabilities) {
             fullDescription: {
                 text: metadata?.description || v.description,
             },
-            helpUri: metadata?.helpUri || `https://oculum.dev/docs/rules/${v.category.replace(/_/g, '-')}`,
+            helpUri: metadata?.helpUri ||
+                `https://oculum.dev/docs/rules/${v.category.replace(/_/g, "-")}`,
             help: {
                 text: metadata?.description || v.description,
-                markdown: `# ${ruleName}\n\n${metadata?.description || v.description}\n\n[Learn more](${metadata?.helpUri || 'https://oculum.dev/docs'})`,
+                markdown: `# ${ruleName}\n\n${metadata?.description || v.description}\n\n[Learn more](${metadata?.helpUri || "https://oculum.dev/docs"})`,
             },
             defaultConfiguration: {
                 level: mapSeverityToSARIF(v.severity),
             },
             properties: {
-                tags: metadata?.tags || ['security'],
-                precision: v.confidence === 'high' ? 'high' : v.confidence === 'medium' ? 'medium' : 'low',
-                'security-severity': mapSeverityToScore(v.severity),
+                tags: metadata?.tags || ["security"],
+                precision: v.confidence === "high"
+                    ? "high"
+                    : v.confidence === "medium"
+                        ? "medium"
+                        : "low",
+                "security-severity": mapSeverityToScore(v.severity),
             },
         });
     }
@@ -720,16 +923,16 @@ function getUniqueRules(vulnerabilities) {
 }
 function mapSeverityToScore(severity) {
     switch (severity) {
-        case 'critical':
-            return '9.0';
-        case 'high':
-            return '7.0';
-        case 'medium':
-            return '5.0';
-        case 'low':
-            return '3.0';
+        case "critical":
+            return "9.0";
+        case "high":
+            return "7.0";
+        case "medium":
+            return "5.0";
+        case "low":
+            return "3.0";
         default:
-            return '1.0';
+            return "1.0";
     }
 }
 //# sourceMappingURL=cli-terminal.js.map