@oscharko-dev/keiko-quality-intelligence 0.2.0

package/dist/export/adapters/plaintext.js

@@ -0,0 +1,65 @@
+// Plain-text export adapter (Epic #711).
+//
+// Produces a deterministic plain-text document with one section per candidate,
+// sorted by candidateId ascending. No timestamps, no random content. Pure
+// string output — byte-identical for identical input.
+//
+// Pure-domain leaf. NO IO. NO node:* imports. NO new runtime dependency.
+import { assertExportBundleInvariant } from "@oscharko-dev/keiko-contracts";
+import { inlineField, inlineFields } from "../textSafety.js";
+const byCandidateIdAsc = (a, b) => a.candidateId < b.candidateId ? -1 : a.candidateId > b.candidateId ? 1 : 0;
+const RULE = "=".repeat(60);
+const DIVIDER = "-".repeat(40);
+const listItems = (items, indent = "  ") => items.length === 0
+    ? `${indent}(none)\n`
+    : items.map((item) => `${indent}- ${item}`).join("\n") + "\n";
+const numberedList = (items, indent = "  ") => items.length === 0
+    ? `${indent}(none)\n`
+    : items.map((item, i) => `${indent}${String(i + 1)}. ${item}`).join("\n") + "\n";
+function renderCandidate(candidate, index) {
+    const lines = [];
+    lines.push(`${DIVIDER}\n`);
+    lines.push(`CANDIDATE ${String(index + 1)}: ${inlineField(candidate.title)}\n`);
+    lines.push(`  ID:         ${candidate.id}`);
+    lines.push(`  Priority:   ${candidate.priority}`);
+    lines.push(`  Risk class: ${candidate.riskClass}`);
+    lines.push(`  Status:     ${candidate.status}`);
+    lines.push(`  Tags:       ${candidate.tags.length > 0 ? inlineFields(candidate.tags).join(", ") : "(none)"}`);
+    lines.push("");
+    lines.push("  Preconditions:");
+    lines.push(listItems(inlineFields(candidate.preconditions), "    ").trimEnd());
+    lines.push("");
+    lines.push("  Steps:");
+    lines.push(numberedList(inlineFields(candidate.steps), "    ").trimEnd());
+    lines.push("");
+    lines.push("  Expected results:");
+    lines.push(listItems(inlineFields(candidate.expectedResults), "    ").trimEnd());
+    return lines.join("\n") + "\n";
+}
+export function adaptToPlainText(bundle, candidates) {
+    assertExportBundleInvariant(bundle);
+    const byId = new Map();
+    for (const candidate of candidates) {
+        byId.set(candidate.id, candidate);
+    }
+    const sortedEntries = [...bundle.contents].sort(byCandidateIdAsc);
+    const sections = [];
+    sections.push(`${RULE}\n`);
+    sections.push("QUALITY INTELLIGENCE EXPORT\n");
+    sections.push(`${RULE}\n`);
+    sections.push(`Bundle: ${bundle.id}`);
+    sections.push(`Run:    ${bundle.runId}`);
+    sections.push(`Format: ${bundle.targetAdapter}`);
+    sections.push("");
+    let index = 0;
+    for (const entry of sortedEntries) {
+        const candidate = byId.get(entry.candidateId);
+        if (candidate === undefined) {
+            continue;
+        }
+        sections.push(renderCandidate(candidate, index));
+        index += 1;
+    }
+    sections.push(`${RULE}\n`);
+    return sections.join("\n") + "\n";
+}

package/dist/export/adapters/polarion.d.ts

@@ -0,0 +1,4 @@
+import type { QualityIntelligenceExportBundle, QualityIntelligenceTestCaseCandidate } from "@oscharko-dev/keiko-contracts";
+export declare const POLARION_CSV_HEADERS: readonly string[];
+export declare function adaptToPolarion(bundle: QualityIntelligenceExportBundle, candidates: readonly QualityIntelligenceTestCaseCandidate[]): string;
+//# sourceMappingURL=polarion.d.ts.map

package/dist/export/adapters/polarion.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"polarion.d.ts","sourceRoot":"","sources":["../../../src/export/adapters/polarion.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EACV,+BAA+B,EAC/B,oCAAoC,EACrC,MAAM,+BAA+B,CAAC;AAIvC,eAAO,MAAM,oBAAoB,EAAE,SAAS,MAAM,EAOhD,CAAC;AA2BH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,+BAA+B,EACvC,UAAU,EAAE,SAAS,oCAAoC,EAAE,GAC1D,MAAM,CA0BR"}

package/dist/export/adapters/polarion.js

@@ -0,0 +1,67 @@
+// Polarion CSV export adapter (Epic #270, Issue #283).
+//
+// Polarion's bulk-import canonical shape: ID, Title, Type, Severity, Description,
+// TestSteps (semicolon-joined). One row per test case (Polarion stores steps as a
+// single repeating attribute via its Excel/CSV importer).
+//
+// TMS-bound: invariant asserted first. Pure-domain — NO HTTP, NO Polarion SDK.
+import { assertExportBundleInvariant } from "@oscharko-dev/keiko-contracts";
+import { encodeSpreadsheetSafeRow } from "./spreadsheetSafeCsv.js";
+export const POLARION_CSV_HEADERS = Object.freeze([
+    "ID",
+    "Title",
+    "Type",
+    "Severity",
+    "Description",
+    "TestSteps",
+]);
+const mapSeverity = (priority) => {
+    // Polarion default severities; closest mapping to QI's P0..P3.
+    switch (priority) {
+        case "P0":
+            return "blocker";
+        case "P1":
+            return "critical";
+        case "P2":
+            return "major";
+        case "P3":
+            return "minor";
+    }
+};
+const buildDescription = (candidate) => {
+    const parts = [];
+    if (candidate.preconditions.length > 0) {
+        parts.push(`Preconditions: ${candidate.preconditions.join(" ; ")}`);
+    }
+    if (candidate.expectedResults.length > 0) {
+        parts.push(`Expected: ${candidate.expectedResults.join(" ; ")}`);
+    }
+    return parts.join(" || ");
+};
+export function adaptToPolarion(bundle, candidates) {
+    assertExportBundleInvariant(bundle);
+    const byId = new Map();
+    for (const candidate of candidates) {
+        byId.set(candidate.id, candidate);
+    }
+    const sortedIds = bundle.contents
+        .map((entry) => entry.candidateId)
+        .slice()
+        .sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+    let body = encodeSpreadsheetSafeRow(POLARION_CSV_HEADERS);
+    for (const id of sortedIds) {
+        const candidate = byId.get(id);
+        if (candidate === undefined) {
+            continue;
+        }
+        body += encodeSpreadsheetSafeRow([
+            candidate.id,
+            candidate.title,
+            "testcase",
+            mapSeverity(candidate.priority),
+            buildDescription(candidate),
+            candidate.steps.join(" ; "),
+        ]);
+    }
+    return body;
+}

package/dist/export/adapters/qtest.d.ts

@@ -0,0 +1,4 @@
+import type { QualityIntelligenceExportBundle, QualityIntelligenceTestCaseCandidate } from "@oscharko-dev/keiko-contracts";
+export declare const QTEST_CSV_HEADERS: readonly string[];
+export declare function adaptToQtest(bundle: QualityIntelligenceExportBundle, candidates: readonly QualityIntelligenceTestCaseCandidate[]): string;
+//# sourceMappingURL=qtest.d.ts.map

package/dist/export/adapters/qtest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"qtest.d.ts","sourceRoot":"","sources":["../../../src/export/adapters/qtest.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EACV,+BAA+B,EAC/B,oCAAoC,EACrC,MAAM,+BAA+B,CAAC;AAIvC,eAAO,MAAM,iBAAiB,EAAE,SAAS,MAAM,EAS7C,CAAC;AA0CH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,+BAA+B,EACvC,UAAU,EAAE,SAAS,oCAAoC,EAAE,GAC1D,MAAM,CAkBR"}

package/dist/export/adapters/qtest.js

@@ -0,0 +1,78 @@
+// qTest CSV export adapter (Epic #270, Issue #283).
+//
+// qTest's canonical bulk-import shape carries ONE row per (test case, step) pair so
+// the test-case header columns (Name, Description, Type, Priority) repeat across
+// step rows of the same test case. A test case with N steps occupies N rows; a
+// test case with zero steps occupies one row (with empty Step Number / Action /
+// Expected). Ordering is deterministic: candidate id ASC, then 1-based step index.
+//
+// TMS-bound: `assertExportBundleInvariant` runs first. Pure-domain leaf — NO HTTP,
+// NO qTest SDK.
+import { assertExportBundleInvariant } from "@oscharko-dev/keiko-contracts";
+import { encodeSpreadsheetSafeRow } from "./spreadsheetSafeCsv.js";
+export const QTEST_CSV_HEADERS = Object.freeze([
+    "Name",
+    "Description",
+    "Type",
+    "Priority",
+    "Status",
+    "StepNumber",
+    "Action",
+    "Expected",
+]);
+const buildDescription = (candidate) => {
+    if (candidate.preconditions.length === 0) {
+        return "";
+    }
+    return `Preconditions: ${candidate.preconditions.join(" ; ")}`;
+};
+const mapPriority = (priority) => {
+    // qTest default priorities are P-prefixed; pass through verbatim.
+    return priority;
+};
+// Build the qTest rows for a single candidate. One row per (step, expected) pair — the row count is
+// the longer of `steps`/`expectedResults` so a trailing expected result is never dropped (Issue
+// #283); a candidate with neither yields one empty-step row.
+function qtestRowsFor(candidate) {
+    const head = [
+        candidate.title,
+        buildDescription(candidate),
+        "Manual",
+        mapPriority(candidate.priority),
+        candidate.status,
+    ];
+    const rowCount = Math.max(candidate.steps.length, candidate.expectedResults.length);
+    if (rowCount === 0) {
+        return encodeSpreadsheetSafeRow([...head, "", "", ""]);
+    }
+    let rows = "";
+    for (let i = 0; i < rowCount; i += 1) {
+        const stepNumber = i < candidate.steps.length ? String(i + 1) : "";
+        rows += encodeSpreadsheetSafeRow([
+            ...head,
+            stepNumber,
+            candidate.steps[i] ?? "",
+            candidate.expectedResults[i] ?? "",
+        ]);
+    }
+    return rows;
+}
+export function adaptToQtest(bundle, candidates) {
+    assertExportBundleInvariant(bundle);
+    const byId = new Map();
+    for (const candidate of candidates) {
+        byId.set(candidate.id, candidate);
+    }
+    const sortedIds = bundle.contents
+        .map((entry) => entry.candidateId)
+        .slice()
+        .sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+    let body = encodeSpreadsheetSafeRow(QTEST_CSV_HEADERS);
+    for (const id of sortedIds) {
+        const candidate = byId.get(id);
+        if (candidate !== undefined) {
+            body += qtestRowsFor(candidate);
+        }
+    }
+    return body;
+}

package/dist/export/adapters/qualityCenter.d.ts

@@ -0,0 +1,3 @@
+import type { QualityIntelligenceExportBundle, QualityIntelligenceTestCaseCandidate } from "@oscharko-dev/keiko-contracts";
+export declare function adaptToQualityCenter(bundle: QualityIntelligenceExportBundle, candidates: readonly QualityIntelligenceTestCaseCandidate[]): string;
+//# sourceMappingURL=qualityCenter.d.ts.map

package/dist/export/adapters/qualityCenter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"qualityCenter.d.ts","sourceRoot":"","sources":["../../../src/export/adapters/qualityCenter.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EACV,+BAA+B,EAC/B,oCAAoC,EACrC,MAAM,+BAA+B,CAAC;AA2BvC,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,+BAA+B,EACvC,UAAU,EAAE,SAAS,oCAAoC,EAAE,GAC1D,MAAM,CAyBR"}

package/dist/export/adapters/qualityCenter.js

@@ -0,0 +1,56 @@
+// Quality Center (ALM Octane) export adapter (Epic #711).
+//
+// TMS-bound adapter: produces a deterministic dry-run preview of the payload
+// that would be submitted to Quality Center / ALM Octane. NO outbound write
+// is ever performed here — this is a preview-only leaf. The route layer enforces
+// the 403 QI_EXTERNAL_EXPORT_DISABLED guard on non-dry-run requests.
+//
+// Output format: a simple key-value text report, one test case per block, sorted
+// by candidateId ascending. No timestamps. No random content. Byte-stable.
+//
+// Pure-domain leaf. NO IO. NO node:* imports. NO new runtime dependency.
+import { assertExportBundleInvariant } from "@oscharko-dev/keiko-contracts";
+import { inlineField, inlineFields } from "../textSafety.js";
+const byCandidateIdAsc = (a, b) => a.candidateId < b.candidateId ? -1 : a.candidateId > b.candidateId ? 1 : 0;
+const DIVIDER = "-".repeat(60);
+const joinPipe = (items) => items.length === 0 ? "(none)" : inlineFields(items).join(" | ");
+function renderEntry(candidate, index) {
+    const lines = [];
+    lines.push(DIVIDER);
+    lines.push(`QC-${String(index + 1).padStart(4, "0")} ${inlineField(candidate.title)}`);
+    lines.push(`  ID:           ${candidate.id}`);
+    lines.push(`  Priority:     ${candidate.priority}`);
+    lines.push(`  Risk class:   ${candidate.riskClass}`);
+    lines.push(`  Status:       ${candidate.status}`);
+    lines.push(`  Tags:         ${joinPipe(candidate.tags)}`);
+    lines.push(`  Precond:      ${joinPipe(candidate.preconditions)}`);
+    lines.push(`  Steps:        ${joinPipe(candidate.steps)}`);
+    lines.push(`  Expected:     ${joinPipe(candidate.expectedResults)}`);
+    return lines.join("\n");
+}
+export function adaptToQualityCenter(bundle, candidates) {
+    assertExportBundleInvariant(bundle);
+    const byId = new Map();
+    for (const candidate of candidates) {
+        byId.set(candidate.id, candidate);
+    }
+    const sortedEntries = [...bundle.contents].sort(byCandidateIdAsc);
+    const header = [
+        `Quality Center Export Preview`,
+        `Bundle: ${bundle.id}`,
+        `Run:    ${bundle.runId}`,
+        `NOTE: This is a dry-run preview. Live export requires a configured connector.`,
+        "",
+    ].join("\n");
+    const rows = [];
+    let index = 0;
+    for (const entry of sortedEntries) {
+        const candidate = byId.get(entry.candidateId);
+        if (candidate === undefined) {
+            continue;
+        }
+        rows.push(renderEntry(candidate, index));
+        index += 1;
+    }
+    return header + rows.join("\n") + "\n";
+}

package/dist/export/adapters/spreadsheetSafeCsv.d.ts

@@ -0,0 +1,36 @@
+import type { QualityIntelligenceExportBundle } from "@oscharko-dev/keiko-contracts";
+import type { QualityIntelligenceTestCaseCandidate } from "@oscharko-dev/keiko-contracts";
+/**
+ * Lead characters that a spreadsheet may interpret as a formula or DDE invocation.
+ * Frozen for reference-stability; consumers should not mutate.
+ */
+export declare const SPREADSHEET_FORMULA_LEAD_CHARS: ReadonlySet<string>;
+/**
+ * Returns `true` if `value` would be interpreted as a formula or DDE invocation
+ * by a typical spreadsheet because of its leading character — including the case where a leading
+ * whitespace run precedes a formula lead, which importers may trim before evaluating.
+ */
+export declare function startsWithFormulaLead(value: string): boolean;
+/**
+ * Encodes a single cell value as RFC-4180 CSV with formula-injection
+ * mitigation applied. Pure — input string yields the same output every time.
+ */
+export declare function encodeSpreadsheetSafeCell(value: string): string;
+/**
+ * Encodes a row by joining cell-encoded values with `,` and terminating with
+ * `\r\n` (RFC 4180 line ending).
+ */
+export declare function encodeSpreadsheetSafeRow(cells: readonly string[]): string;
+/**
+ * Schema headers for the generic spreadsheet-safe CSV format. Deliberately
+ * minimal — TMS-specific shape lives in the TMS-specific adapters.
+ */
+export declare const SPREADSHEET_SAFE_CSV_HEADERS: readonly string[];
+/**
+ * Builds the spreadsheet-safe-CSV body for a bundle. The TMS invariant from
+ * the contracts package is asserted up front so a non-attested TMS-targeted
+ * bundle cannot slip through. `candidates` is filtered to the entries
+ * referenced by the bundle, sorted deterministically by candidate id.
+ */
+export declare function adaptToSpreadsheetSafeCsv(bundle: QualityIntelligenceExportBundle, candidates: readonly QualityIntelligenceTestCaseCandidate[]): string;
+//# sourceMappingURL=spreadsheetSafeCsv.d.ts.map

package/dist/export/adapters/spreadsheetSafeCsv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spreadsheetSafeCsv.d.ts","sourceRoot":"","sources":["../../../src/export/adapters/spreadsheetSafeCsv.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,+BAA+B,CAAC;AAErF,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,+BAA+B,CAAC;AAE1F;;;GAGG;AACH,eAAO,MAAM,8BAA8B,EAAE,WAAW,CAAC,MAAM,CAQ7D,CAAC;AAuCH;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQ5D;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAa/D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,MAAM,CAMzE;AAED;;;GAGG;AACH,eAAO,MAAM,4BAA4B,EAAE,SAAS,MAAM,EAUxD,CAAC;AAIH;;;;;GAKG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,+BAA+B,EACvC,UAAU,EAAE,SAAS,oCAAoC,EAAE,GAC1D,MAAM,CA2BR"}

package/dist/export/adapters/spreadsheetSafeCsv.js

@@ -0,0 +1,157 @@
+// Spreadsheet-safe CSV cell encoding (Epic #270, Issue #283).
+//
+// Mitigates CSV formula-injection (OWASP CSV Injection / "DDE injection") by
+// prefixing any cell whose first character is one of `=`, `+`, `-`, `@`, `\t`,
+// `\r`, `\n` with a single quote so a spreadsheet (Excel, LibreOffice Calc,
+// Google Sheets) renders it as literal text rather than evaluating a formula
+// or invoking an external DDE link.
+//
+// The escape rules:
+//   - Cells starting with one of the dangerous lead characters get a `'`
+//     prefix (single straight quote).
+//   - Cells containing `"`, `,`, `\r`, or `\n` are wrapped in `"` quotes; any
+//     embedded `"` is doubled per RFC 4180.
+//
+// The two rules compose — a cell like `=cmd|"calc"` becomes `"'=cmd|""calc"""`.
+//
+// Pure-domain leaf. NO IO, NO new runtime dependency, NO regex.
+import { assertExportBundleInvariant } from "@oscharko-dev/keiko-contracts";
+/**
+ * Lead characters that a spreadsheet may interpret as a formula or DDE invocation.
+ * Frozen for reference-stability; consumers should not mutate.
+ */
+export const SPREADSHEET_FORMULA_LEAD_CHARS = new Set([
+    "=",
+    "+",
+    "-",
+    "@",
+    "\t",
+    "\r",
+    "\n",
+]);
+// Whitespace code points a spreadsheet import may strip BEFORE formula detection. Several importers
+// (Excel/LibreOffice/Sheets) trim a leading whitespace run, so a cell like " =1+1" or a NBSP/tab-
+// prefixed formula can still evaluate even though its literal first char is not a lead char.
+const LEADING_WHITESPACE_CODE_POINTS = new Set([
+    0x09, // tab
+    0x0a, // line feed
+    0x0b, // vertical tab
+    0x0c, // form feed
+    0x0d, // carriage return
+    0x20, // space
+    0xa0, // no-break space
+    0x2007, // figure space
+    0x2028, // line separator
+    0x2029, // paragraph separator
+    0x202f, // narrow no-break space
+    0xfeff, // zero-width no-break space / BOM
+]);
+// The formula/DDE lead characters that remain dangerous once a leading whitespace run is stripped.
+// The whitespace leads themselves (TAB/CR/LF) stay covered by the literal first-char check.
+const FORMULA_LEAD_AFTER_WHITESPACE = new Set(["=", "+", "-", "@"]);
+// Scan past a leading whitespace run; return true when the first non-whitespace character is a
+// formula lead. Pure, no regex — scans UTF-16 code units (every listed whitespace point is BMP).
+function firstNonWhitespaceIsFormulaLead(value) {
+    let index = 0;
+    while (index < value.length && LEADING_WHITESPACE_CODE_POINTS.has(value.charCodeAt(index))) {
+        index += 1;
+    }
+    // index === 0 → no leading whitespace (the literal first-char check already handled it);
+    // index >= length → the cell is all whitespace.
+    if (index === 0 || index >= value.length) {
+        return false;
+    }
+    return FORMULA_LEAD_AFTER_WHITESPACE.has(value.charAt(index));
+}
+/**
+ * Returns `true` if `value` would be interpreted as a formula or DDE invocation
+ * by a typical spreadsheet because of its leading character — including the case where a leading
+ * whitespace run precedes a formula lead, which importers may trim before evaluating.
+ */
+export function startsWithFormulaLead(value) {
+    if (value.length === 0) {
+        return false;
+    }
+    if (SPREADSHEET_FORMULA_LEAD_CHARS.has(value.charAt(0))) {
+        return true;
+    }
+    return firstNonWhitespaceIsFormulaLead(value);
+}
+/**
+ * Encodes a single cell value as RFC-4180 CSV with formula-injection
+ * mitigation applied. Pure — input string yields the same output every time.
+ */
+export function encodeSpreadsheetSafeCell(value) {
+    const prefixed = startsWithFormulaLead(value) ? `'${value}` : value;
+    const needsQuoting = prefixed.includes(",") ||
+        prefixed.includes('"') ||
+        prefixed.includes("\r") ||
+        prefixed.includes("\n");
+    if (!needsQuoting) {
+        return prefixed;
+    }
+    // Double every embedded quote per RFC 4180.
+    const doubled = prefixed.split('"').join('""');
+    return `"${doubled}"`;
+}
+/**
+ * Encodes a row by joining cell-encoded values with `,` and terminating with
+ * `\r\n` (RFC 4180 line ending).
+ */
+export function encodeSpreadsheetSafeRow(cells) {
+    const encoded = [];
+    for (const cell of cells) {
+        encoded.push(encodeSpreadsheetSafeCell(cell));
+    }
+    return `${encoded.join(",")}\r\n`;
+}
+/**
+ * Schema headers for the generic spreadsheet-safe CSV format. Deliberately
+ * minimal — TMS-specific shape lives in the TMS-specific adapters.
+ */
+export const SPREADSHEET_SAFE_CSV_HEADERS = Object.freeze([
+    "CandidateId",
+    "Title",
+    "Priority",
+    "RiskClass",
+    "Status",
+    "Tags",
+    "Preconditions",
+    "Steps",
+    "ExpectedResults",
+]);
+const joinSemicolon = (values) => values.join(" ; ");
+/**
+ * Builds the spreadsheet-safe-CSV body for a bundle. The TMS invariant from
+ * the contracts package is asserted up front so a non-attested TMS-targeted
+ * bundle cannot slip through. `candidates` is filtered to the entries
+ * referenced by the bundle, sorted deterministically by candidate id.
+ */
+export function adaptToSpreadsheetSafeCsv(bundle, candidates) {
+    assertExportBundleInvariant(bundle);
+    const byId = new Map();
+    for (const candidate of candidates) {
+        byId.set(candidate.id, candidate);
+    }
+    const entryIds = bundle.contents.map((entry) => entry.candidateId);
+    const sortedIds = [...entryIds].sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+    let body = encodeSpreadsheetSafeRow(SPREADSHEET_SAFE_CSV_HEADERS);
+    for (const id of sortedIds) {
+        const candidate = byId.get(id);
+        if (candidate === undefined) {
+            continue;
+        }
+        body += encodeSpreadsheetSafeRow([
+            candidate.id,
+            candidate.title,
+            candidate.priority,
+            candidate.riskClass,
+            candidate.status,
+            joinSemicolon(candidate.tags),
+            joinSemicolon(candidate.preconditions),
+            joinSemicolon(candidate.steps),
+            joinSemicolon(candidate.expectedResults),
+        ]);
+    }
+    return body;
+}

package/dist/export/adapters/traceability.d.ts

@@ -0,0 +1,34 @@
+import type { CoverageStatus } from "../../domain/coverageRelevance.js";
+/**
+ * One requirement row of the traceability matrix: refs + status, plus an optional short REDACTED
+ * requirement excerpt (#790) so an auditor can read WHICH requirement a row traces without
+ * cross-referencing atom ids. Absent on runs recorded before the excerpt existed.
+ */
+export interface QualityIntelligenceTraceabilityRow {
+    readonly atomId: string;
+    readonly status: CoverageStatus;
+    readonly confidence: number;
+    readonly coveringCandidateIds: readonly string[];
+    readonly requirementExcerptRedacted?: string;
+}
+/** Optional display enrichment: candidate id -> already-redacted candidate title (#790). */
+export interface QualityIntelligenceTraceabilityDisplayOptions {
+    readonly candidateTitleById?: ReadonlyMap<string, string>;
+}
+/** CSV header row for the requirement -> tests direction. */
+export declare const TRACEABILITY_HEADERS: readonly string[];
+/** CSV header row for the test -> requirements (reverse) direction. */
+export declare const TRACEABILITY_REVERSE_HEADERS: readonly string[];
+/**
+ * Render the coverage matrix as a spreadsheet-safe, BIDIRECTIONAL CSV traceability matrix: a
+ * requirement->tests section followed by a blank line and a tests->requirements section. Each cell
+ * is formula-injection-safe via the shared encoder.
+ */
+export declare function adaptToTraceabilityCsv(rows: readonly QualityIntelligenceTraceabilityRow[], display?: QualityIntelligenceTraceabilityDisplayOptions): string;
+/**
+ * Render the coverage matrix as a BIDIRECTIONAL Markdown traceability document: a Requirements ->
+ * Tests table followed by a Tests -> Requirements table. Deterministic, pipe-escaped and
+ * formula-lead-neutralised.
+ */
+export declare function adaptToTraceabilityMarkdown(rows: readonly QualityIntelligenceTraceabilityRow[], display?: QualityIntelligenceTraceabilityDisplayOptions): string;
+//# sourceMappingURL=traceability.d.ts.map

package/dist/export/adapters/traceability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"traceability.d.ts","sourceRoot":"","sources":["../../../src/export/adapters/traceability.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AAIxE;;;;GAIG;AACH,MAAM,WAAW,kCAAkC;IACjD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,oBAAoB,EAAE,SAAS,MAAM,EAAE,CAAC;IACjD,QAAQ,CAAC,0BAA0B,CAAC,EAAE,MAAM,CAAC;CAC9C;AAED,4FAA4F;AAC5F,MAAM,WAAW,6CAA6C;IAC5D,QAAQ,CAAC,kBAAkB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3D;AAED,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,EAAE,SAAS,MAAM,EAOhD,CAAC;AAEH,uEAAuE;AACvE,eAAO,MAAM,4BAA4B,EAAE,SAAS,MAAM,EAKxD,CAAC;AA2DH;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,SAAS,kCAAkC,EAAE,EACnD,OAAO,GAAE,6CAAkD,GAC1D,MAAM,CA0BR;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,SAAS,kCAAkC,EAAE,EACnD,OAAO,GAAE,6CAAkD,GAC1D,MAAM,CA0CR"}