@prodcycle/prodcycle 0.2.2 → 0.4.0

package/dist/cli.js

@@ -38,12 +38,71 @@ const commander_1 = require("commander");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const index_1 = require("./index");
+const table_1 = require("./formatters/table");
+const sarif_1 = require("./formatters/sarif");
+const prompt_1 = require("./formatters/prompt");
+const KNOWN_COMMANDS = new Set([
+    'scan',
+    'gate',
+    'hook',
+    'init',
+    'help',
+    '--help',
+    '-h',
+    '--version',
+    '-V',
+]);
+/**
+ * Back-compat shim: `prodcycle .` used to scan the current directory with no
+ * subcommand. Preserve that behavior by injecting `scan` when the first arg
+ * isn't a known subcommand or a global flag.
+ */
+function injectScanDefault(argv) {
+    const args = argv.slice(2);
+    if (args.length === 0)
+        return [...argv.slice(0, 2), 'scan'];
+    if (KNOWN_COMMANDS.has(args[0]))
+        return argv;
+    return [...argv.slice(0, 2), 'scan', ...args];
+}
+function renderReport(response, format) {
+    switch (format) {
+        case 'json':
+            return JSON.stringify(response, null, 2);
+        case 'sarif':
+            return JSON.stringify((0, sarif_1.formatSarif)(response), null, 2);
+        case 'prompt':
+            return (0, prompt_1.formatPrompt)(response);
+        case 'table':
+        default:
+            return (0, table_1.formatTable)(response);
+    }
+}
+function writeOutput(text, outFile) {
+    if (outFile) {
+        fs.writeFileSync(outFile, text);
+    }
+    else {
+        process.stdout.write(text.endsWith('\n') ? text : text + '\n');
+    }
+}
+function parseList(val) {
+    if (!val)
+        return undefined;
+    return val
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean);
+}
 const program = new commander_1.Command();
 program
     .name('prodcycle')
     .description('Multi-framework policy-as-code compliance scanner for infrastructure and application code.')
-    .version('0.1.0')
-    .argument('[repo_path]', 'Path to the repository to scan', '.')
+    .version('0.4.0');
+// ── scan ────────────────────────────────────────────────────────────────────
+program
+    .command('scan [repo_path]')
+    .description('Scan a repository for compliance violations')
     .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2')
     .option('--format <format>', 'Output format: json, sarif, table, prompt', 'table')
     .option('--severity-threshold <severity>', 'Minimum severity to include in report', 'low')
@@ -53,53 +112,72 @@ program
     .option('--output <file>', 'Write report to file')
     .option('--api-url <url>', 'Compliance API base URL (or PC_API_URL env)')
     .option('--api-key <key>', 'API key for compliance API (or PC_API_KEY env)')
-    .option('--hook', 'Run as coding agent post-edit hook (reads stdin)')
-    .option('--hook-file <path>', 'File path for hook mode (alternative to stdin)')
-    .option('--hook-api', 'Run as API-based hook (calls hosted compliance API)')
-    .option('--init', 'Set up compliance hooks for coding agents')
-    .option('--agent <agents>', 'Comma-separated agents to configure')
     .action(async (repoPath, opts) => {
     try {
-        if (opts.hook || opts.hookApi) {
-            // Implement hook logic here
-            console.log('Hook mode executed.');
-            process.exit(0);
-        }
-        if (opts.init) {
-            // Implement init logic here
-            console.log('Init mode executed.');
-            process.exit(0);
-        }
-        const frameworks = opts.framework.split(',').map((s) => s.trim());
-        const failOn = opts.failOn.split(',').map((s) => s.trim());
-        const include = opts.include ? opts.include.split(',') : undefined;
-        const exclude = opts.exclude ? opts.exclude.split(',') : undefined;
-        console.log(`Scanning ${path.resolve(repoPath)} for ${frameworks.join(', ')}...`);
+        const target = repoPath ?? '.';
+        const frameworks = parseList(opts.framework) ?? ['soc2'];
+        const failOn = parseList(opts.failOn) ?? ['critical', 'high'];
+        const format = (opts.format ?? 'table');
+        console.error(`Scanning ${path.resolve(target)} for ${frameworks.join(', ')}...`);
         const response = await (0, index_1.scan)({
-            repoPath,
+            repoPath: target,
             frameworks,
             options: {
                 severityThreshold: opts.severityThreshold,
-                failOn,
-                include,
-                exclude,
+                failOn: failOn,
+                include: parseList(opts.include),
+                exclude: parseList(opts.exclude),
                 apiUrl: opts.apiUrl,
                 apiKey: opts.apiKey,
-            }
+            },
         });
-        if (opts.format === 'json') {
-            const output = JSON.stringify(response, null, 2);
-            if (opts.output) {
-                fs.writeFileSync(opts.output, output);
-            }
-            else {
-                console.log(output);
-            }
+        writeOutput(renderReport(response, format), opts.output);
+        process.exit(response.exitCode);
+    }
+    catch (error) {
+        console.error(`\u2717 Error: ${error.message}`);
+        process.exit(2);
+    }
+});
+// ── gate ────────────────────────────────────────────────────────────────────
+program
+    .command('gate')
+    .description('Evaluate a JSON payload of files from stdin (low-latency hook endpoint)')
+    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2')
+    .option('--format <format>', 'Output format: json, sarif, table, prompt', 'prompt')
+    .option('--output <file>', 'Write report to file')
+    .option('--api-url <url>', 'Compliance API base URL (or PC_API_URL env)')
+    .option('--api-key <key>', 'API key for compliance API (or PC_API_KEY env)')
+    .action(async (opts) => {
+    try {
+        const frameworks = parseList(opts.framework) ?? ['soc2'];
+        const format = (opts.format ?? 'prompt');
+        const stdin = await readStdin();
+        if (!stdin.trim()) {
+            console.error('gate: no input on stdin. Expected JSON payload: {"files": {...}}');
+            process.exit(2);
+        }
+        let payload;
+        try {
+            payload = JSON.parse(stdin);
         }
-        else {
-            console.log(`Passed: ${response.passed}`);
-            console.log(`Findings: ${response.findings.length}`);
+        catch (e) {
+            console.error(`gate: invalid JSON on stdin: ${e.message}`);
+            process.exit(2);
+            return;
         }
+        if (!payload.files || typeof payload.files !== 'object') {
+            console.error('gate: payload must include a "files" object of {path: content}');
+            process.exit(2);
+            return;
+        }
+        const response = await (0, index_1.gate)({
+            files: payload.files,
+            frameworks,
+            apiUrl: opts.apiUrl,
+            apiKey: opts.apiKey,
+        });
+        writeOutput(renderReport(response, format), opts.output);
         process.exit(response.exitCode);
     }
     catch (error) {
@@ -107,4 +185,367 @@ program
         process.exit(2);
     }
 });
-program.parse();
+// ── hook ────────────────────────────────────────────────────────────────────
+program
+    .command('hook')
+    .description('Run as coding-agent post-edit hook (reads stdin or --file)')
+    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2')
+    .option('--format <format>', 'Output format: json, sarif, table, prompt', 'prompt')
+    .option('--file <path>', 'Scan this file from disk (alternative to reading content from stdin)')
+    .option('--fail-on <levels>', 'Severities that cause non-zero exit', 'critical,high')
+    .option('--output <file>', 'Write report to file')
+    .option('--api-url <url>', 'Compliance API base URL (or PC_API_URL env)')
+    .option('--api-key <key>', 'API key for compliance API (or PC_API_KEY env)')
+    .action(async (opts) => {
+    try {
+        const frameworks = parseList(opts.framework) ?? ['soc2'];
+        const format = (opts.format ?? 'prompt');
+        const files = await collectHookFiles(opts.file);
+        if (!files || Object.keys(files).length === 0) {
+            // No files to check — exit clean so the agent proceeds.
+            process.exit(0);
+            return;
+        }
+        const response = await (0, index_1.gate)({
+            files,
+            frameworks,
+            apiUrl: opts.apiUrl,
+            apiKey: opts.apiKey,
+        });
+        writeOutput(renderReport(response, format), opts.output);
+        process.exit(response.exitCode);
+    }
+    catch (error) {
+        console.error(`\u2717 Error: ${error.message}`);
+        process.exit(2);
+    }
+});
+/**
+ * Resolve the files to scan for a `hook` invocation. Supports:
+ *   - `--file <path>` — read that file from disk
+ *   - stdin: `{"files": {path: content}}` (same as gate)
+ *   - stdin: `{"file_path": "...", "content": "..."}` (single file)
+ *   - stdin: Claude Code PostToolUse shape —
+ *       `{"tool_input": {"file_path": "...", "content"|"new_string": "..."}}`
+ *     When only `file_path` is given and we can read the file, we do.
+ */
+async function collectHookFiles(filePath) {
+    if (filePath) {
+        const absolute = path.resolve(filePath);
+        if (!fs.existsSync(absolute)) {
+            console.error(`hook: --file path does not exist: ${absolute}`);
+            process.exit(2);
+        }
+        const content = fs.readFileSync(absolute, 'utf8');
+        return { [filePath]: content };
+    }
+    const stdin = await readStdin();
+    if (!stdin.trim()) {
+        console.error('hook: no input. Provide --file <path> or JSON on stdin (see `prodcycle hook --help`).');
+        process.exit(2);
+    }
+    let payload;
+    try {
+        payload = JSON.parse(stdin);
+    }
+    catch (e) {
+        console.error(`hook: invalid JSON on stdin: ${e.message}`);
+        process.exit(2);
+    }
+    // Shape 1: {"files": {path: content}} — gate-compatible
+    if (payload && typeof payload.files === 'object' && payload.files !== null) {
+        return payload.files;
+    }
+    // Shape 2: top-level single file. Shape 3: Claude Code tool_input nesting.
+    const candidate = payload?.tool_input ?? payload;
+    const hookFilePath = candidate?.file_path ?? candidate?.path;
+    const hookContent = candidate?.content ?? candidate?.new_string;
+    if (hookFilePath && typeof hookContent === 'string') {
+        return { [hookFilePath]: hookContent };
+    }
+    if (hookFilePath && fs.existsSync(hookFilePath)) {
+        // Only a path was given — read from disk so post-edit hooks still work
+        // when the agent doesn't ship the content inline.
+        const content = fs.readFileSync(hookFilePath, 'utf8');
+        return { [hookFilePath]: content };
+    }
+    console.error('hook: stdin payload not recognized. Expected one of:\n' +
+        '  {"files": {"path": "content"}}\n' +
+        '  {"file_path": "...", "content": "..."}\n' +
+        '  {"tool_input": {"file_path": "...", "content": "..."}}');
+    process.exit(2);
+    return null; // unreachable
+}
+// ── init ────────────────────────────────────────────────────────────────────
+program
+    .command('init')
+    .description('Configure compliance hooks for coding agents')
+    .option('--agent <agents>', 'Comma-separated agents to configure (claude, cursor, codex, opencode, github-copilot, gemini-cli). Use "all" to configure every agent. Default: auto-detect.')
+    .option('--force', 'Overwrite existing compliance hook entries')
+    .option('--dir <path>', 'Project directory to configure', '.')
+    .action((opts) => {
+    try {
+        const dir = path.resolve(opts.dir ?? '.');
+        const agents = resolveAgents(opts.agent, dir);
+        if (agents.length === 0) {
+            console.error('init: no agents selected and none auto-detected. ' +
+                'Use --agent <name> to configure explicitly (claude, cursor, codex, ' +
+                'opencode, github-copilot, gemini-cli, or "all").');
+            process.exit(2);
+        }
+        let anyFailed = false;
+        const writtenPaths = new Set();
+        for (const agent of agents) {
+            const result = configureAgent(agent, dir, !!opts.force, writtenPaths);
+            process.stdout.write(result.message + '\n');
+            if (result.status === 'failed')
+                anyFailed = true;
+        }
+        process.exit(anyFailed ? 1 : 0);
+    }
+    catch (error) {
+        console.error(`\u2717 Error: ${error.message}`);
+        process.exit(2);
+    }
+});
+const ALL_AGENTS = [
+    'claude',
+    'cursor',
+    'codex',
+    'opencode',
+    'github-copilot',
+    'gemini-cli',
+];
+function isAgentName(name) {
+    return ALL_AGENTS.includes(name);
+}
+function resolveAgents(userChoice, dir) {
+    if (userChoice) {
+        const list = parseList(userChoice) ?? [];
+        if (list.length === 1 && list[0] === 'all')
+            return ALL_AGENTS.slice();
+        const valid = [];
+        for (const name of list) {
+            if (isAgentName(name))
+                valid.push(name);
+            else
+                console.error(`init: unknown agent "${name}" — ignoring`);
+        }
+        return valid;
+    }
+    // Auto-detect: look for config dirs/files that indicate the agent is already in use.
+    const detected = [];
+    if (fs.existsSync(path.join(dir, '.claude')))
+        detected.push('claude');
+    if (fs.existsSync(path.join(dir, '.cursor')))
+        detected.push('cursor');
+    if (fs.existsSync(path.join(dir, '.codex')))
+        detected.push('codex');
+    if (fs.existsSync(path.join(dir, '.opencode')))
+        detected.push('opencode');
+    if (fs.existsSync(path.join(dir, '.github', 'copilot-instructions.md'))) {
+        detected.push('github-copilot');
+    }
+    if (fs.existsSync(path.join(dir, 'GEMINI.md')) ||
+        fs.existsSync(path.join(dir, '.gemini'))) {
+        detected.push('gemini-cli');
+    }
+    return detected;
+}
+function configureAgent(agent, dir, force, writtenPaths) {
+    switch (agent) {
+        case 'claude':
+            return configureClaudeCode(dir, force);
+        case 'cursor':
+            return configureCursor(dir, force);
+        case 'codex':
+            return configureInstructionFile(agent, dir, 'AGENTS.md', force, writtenPaths);
+        case 'opencode':
+            return configureInstructionFile(agent, dir, 'AGENTS.md', force, writtenPaths);
+        case 'github-copilot':
+            return configureInstructionFile(agent, dir, path.join('.github', 'copilot-instructions.md'), force, writtenPaths);
+        case 'gemini-cli':
+            return configureInstructionFile(agent, dir, 'GEMINI.md', force, writtenPaths);
+    }
+}
+const CLAUDE_MATCHER = 'Write|Edit|MultiEdit';
+const CLAUDE_COMMAND = 'prodcycle hook';
+function configureClaudeCode(dir, force) {
+    const claudeDir = path.join(dir, '.claude');
+    const settingsPath = path.join(claudeDir, 'settings.json');
+    let settings = {};
+    if (fs.existsSync(settingsPath)) {
+        try {
+            settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+            if (typeof settings !== 'object' || settings === null || Array.isArray(settings)) {
+                return {
+                    status: 'failed',
+                    message: `[claude] ${settingsPath} is not a JSON object — refusing to overwrite. Fix the file manually.`,
+                };
+            }
+        }
+        catch (e) {
+            return {
+                status: 'failed',
+                message: `[claude] could not parse ${settingsPath}: ${e.message}. Fix the file manually.`,
+            };
+        }
+    }
+    const hooks = (settings.hooks ??= {});
+    const postToolUse = (hooks.PostToolUse ??= []);
+    // Look for an existing prodcycle entry
+    const existing = postToolUse.find((b) => b.hooks?.some((h) => h.type === 'command' && h.command.trim().startsWith('prodcycle hook')));
+    if (existing && !force) {
+        return {
+            status: 'already',
+            message: `[claude] PostToolUse hook for prodcycle already present in ${settingsPath}. Use --force to rewrite.`,
+        };
+    }
+    if (existing && force) {
+        // Replace in place — preserve the matcher, rewrite the command to the canonical form
+        existing.matcher = CLAUDE_MATCHER;
+        existing.hooks = [{ type: 'command', command: CLAUDE_COMMAND }];
+    }
+    else {
+        postToolUse.push({
+            matcher: CLAUDE_MATCHER,
+            hooks: [{ type: 'command', command: CLAUDE_COMMAND }],
+        });
+    }
+    if (!fs.existsSync(claudeDir))
+        fs.mkdirSync(claudeDir, { recursive: true });
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+    return {
+        status: 'installed',
+        message: `[claude] wrote PostToolUse hook to ${settingsPath}. Requires PC_API_KEY in the environment when Claude Code runs.`,
+    };
+}
+const CURSOR_COMMAND = 'prodcycle hook';
+function configureCursor(dir, force) {
+    const cursorDir = path.join(dir, '.cursor');
+    const hooksPath = path.join(cursorDir, 'hooks.json');
+    let config = { version: 1 };
+    if (fs.existsSync(hooksPath)) {
+        try {
+            const parsed = JSON.parse(fs.readFileSync(hooksPath, 'utf8'));
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                return {
+                    status: 'failed',
+                    message: `[cursor] ${hooksPath} is not a JSON object — refusing to overwrite. Fix the file manually.`,
+                };
+            }
+            config = parsed;
+        }
+        catch (e) {
+            return {
+                status: 'failed',
+                message: `[cursor] could not parse ${hooksPath}: ${e.message}. Fix the file manually.`,
+            };
+        }
+    }
+    if (typeof config.version !== 'number')
+        config.version = 1;
+    const hooks = (config.hooks ??= {});
+    const afterFileEdit = (hooks.afterFileEdit ??= []);
+    const existing = afterFileEdit.find((h) => typeof h.command === 'string' && h.command.trim().startsWith('prodcycle hook'));
+    if (existing && !force) {
+        return {
+            status: 'already',
+            message: `[cursor] afterFileEdit hook for prodcycle already present in ${hooksPath}. Use --force to rewrite.`,
+        };
+    }
+    if (existing && force) {
+        existing.command = CURSOR_COMMAND;
+    }
+    else {
+        afterFileEdit.push({ command: CURSOR_COMMAND });
+    }
+    if (!fs.existsSync(cursorDir))
+        fs.mkdirSync(cursorDir, { recursive: true });
+    fs.writeFileSync(hooksPath, JSON.stringify(config, null, 2) + '\n');
+    return {
+        status: 'installed',
+        message: `[cursor] wrote afterFileEdit hook to ${hooksPath}. Requires PC_API_KEY in the environment when Cursor runs.`,
+    };
+}
+// ── Instruction-file agents (codex, opencode, github-copilot, gemini-cli) ───
+const INSTRUCTION_BEGIN = '<!-- prodcycle:begin -->';
+const INSTRUCTION_END = '<!-- prodcycle:end -->';
+function buildInstructionBlock() {
+    return [
+        INSTRUCTION_BEGIN,
+        '## ProdCycle Compliance',
+        '',
+        'This project enforces SOC 2, HIPAA, and NIST CSF policies on infrastructure',
+        'and application code. After creating or modifying any file, run the compliance',
+        'scanner and fix every violation before continuing:',
+        '',
+        '```bash',
+        'npx prodcycle scan . --format prompt',
+        '```',
+        '',
+        'Each finding includes a severity, rule ID, message, and remediation guidance.',
+        'Apply the fixes, then re-run the scan until every check passes.',
+        INSTRUCTION_END,
+        '',
+    ].join('\n');
+}
+function configureInstructionFile(agent, dir, relPath, force, writtenPaths) {
+    const fullPath = path.join(dir, relPath);
+    // Multiple agents may share the same target file (codex + opencode → AGENTS.md).
+    // Skip the second agent silently if we already wrote to the same file in this run.
+    if (writtenPaths.has(fullPath)) {
+        return {
+            status: 'already',
+            message: `[${agent}] ${relPath} already written in this run (shared with another agent).`,
+        };
+    }
+    let existing = '';
+    if (fs.existsSync(fullPath)) {
+        existing = fs.readFileSync(fullPath, 'utf8');
+    }
+    const block = buildInstructionBlock();
+    const hasBlock = existing.includes(INSTRUCTION_BEGIN) && existing.includes(INSTRUCTION_END);
+    if (hasBlock && !force) {
+        return {
+            status: 'already',
+            message: `[${agent}] prodcycle instruction block already present in ${fullPath}. Use --force to rewrite.`,
+        };
+    }
+    let next;
+    if (hasBlock) {
+        const pattern = new RegExp(`${escapeRegExp(INSTRUCTION_BEGIN)}[\\s\\S]*?${escapeRegExp(INSTRUCTION_END)}\\n?`);
+        next = existing.replace(pattern, block);
+    }
+    else if (existing.trim().length === 0) {
+        next = block;
+    }
+    else {
+        next = existing.replace(/\n*$/, '\n\n') + block;
+    }
+    const parent = path.dirname(fullPath);
+    if (!fs.existsSync(parent))
+        fs.mkdirSync(parent, { recursive: true });
+    fs.writeFileSync(fullPath, next);
+    writtenPaths.add(fullPath);
+    return {
+        status: 'installed',
+        message: `[${agent}] wrote compliance instructions to ${fullPath}.`,
+    };
+}
+function escapeRegExp(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function readStdin() {
+    return new Promise((resolve, reject) => {
+        if (process.stdin.isTTY) {
+            resolve('');
+            return;
+        }
+        const chunks = [];
+        process.stdin.on('data', (c) => chunks.push(c));
+        process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+        process.stdin.on('error', reject);
+    });
+}
+program.parse(injectScanDefault(process.argv));

package/dist/formatters/prompt.d.ts

@@ -1 +1,5 @@
-export declare function formatPrompt(report: any): string;
+/**
+ * Render a coding-agent-oriented prompt describing findings. If the server
+ * returned a pre-built `prompt` field (hook endpoint), prefer that.
+ */
+export declare function formatPrompt(report: unknown): string;

package/dist/formatters/prompt.js

@@ -1,8 +1,37 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.formatPrompt = formatPrompt;
+/**
+ * Render a coding-agent-oriented prompt describing findings. If the server
+ * returned a pre-built `prompt` field (hook endpoint), prefer that.
+ */
 function formatPrompt(report) {
-    if (!report)
+    const r = (report ?? {});
+    if (typeof r.prompt === 'string' && r.prompt.trim())
+        return r.prompt;
+    const findings = r.findings ?? [];
+    if (findings.length === 0)
+        return 'No compliance violations detected.';
+    const lines = [];
+    lines.push(`Compliance scan found ${findings.length} violation(s) that need to be addressed:`);
+    lines.push('');
+    for (const f of findings) {
+        const sev = (f.severity ?? 'unknown').toUpperCase();
+        const rule = f.rule_id ?? f.ruleId ?? 'unknown';
+        const loc = locOf(f);
+        const title = f.title ?? f.message ?? '';
+        lines.push(`- [${sev}] ${rule}${loc ? ` (${loc})` : ''}: ${title}`);
+        if (f.description && f.description !== title) {
+            lines.push(`    ${f.description}`);
+        }
+    }
+    lines.push('');
+    lines.push('Please update the code to resolve these issues before continuing.');
+    return lines.join('\n');
+}
+function locOf(f) {
+    const file = f.file ?? f.path;
+    if (!file)
         return '';
-    return 'Please fix the compliance issues found in this repository.';
+    return f.line ? `${file}:${f.line}` : file;
 }

package/dist/formatters/sarif.d.ts

@@ -1 +1 @@
-export declare function formatSarif(report: any): any;
+export declare function formatSarif(report: unknown): object;

package/dist/formatters/sarif.js

@@ -1,9 +1,74 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.formatSarif = formatSarif;
+/**
+ * SARIF 2.1.0 level mapping for compliance severities.
+ * Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
+ */
+function sarifLevel(sev) {
+    const s = (sev ?? '').toLowerCase();
+    if (s === 'critical' || s === 'high')
+        return 'error';
+    if (s === 'medium')
+        return 'warning';
+    return 'note';
+}
 function formatSarif(report) {
+    const r = (report ?? {});
+    const findings = r.findings ?? [];
+    const rulesById = new Map();
+    const results = findings.map((f) => {
+        const ruleId = f.rule_id ?? f.ruleId ?? 'unknown';
+        if (!rulesById.has(ruleId)) {
+            rulesById.set(ruleId, {
+                id: ruleId,
+                name: ruleId,
+                shortDescription: { text: f.title ?? ruleId },
+                ...(f.description ? { fullDescription: { text: f.description } } : {}),
+            });
+        }
+        const file = f.file ?? f.path ?? '';
+        const startLine = f.line;
+        const endLine = f.end_line ?? f.endLine;
+        return {
+            ruleId,
+            level: sarifLevel(f.severity),
+            message: { text: f.message ?? f.title ?? ruleId },
+            ...(file
+                ? {
+                    locations: [
+                        {
+                            physicalLocation: {
+                                artifactLocation: { uri: file },
+                                ...(startLine
+                                    ? {
+                                        region: {
+                                            startLine,
+                                            ...(endLine ? { endLine } : {}),
+                                        },
+                                    }
+                                    : {}),
+                            },
+                        },
+                    ],
+                }
+                : {}),
+        };
+    });
     return {
         version: '2.1.0',
-        runs: [{ tool: { driver: { name: 'ProdCycle Compliance Scanner' } }, results: [] }]
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: 'ProdCycle Compliance Scanner',
+                        informationUri: 'https://docs.prodcycle.com',
+                        rules: [...rulesById.values()],
+                    },
+                },
+                results,
+            },
+        ],
     };
 }

package/dist/formatters/table.d.ts

@@ -1 +1 @@
-export declare function formatTable(report: any): string;
+export declare function formatTable(report: unknown): string;

package/dist/formatters/table.js

@@ -1,9 +1,43 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.formatTable = formatTable;
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];
+function sevRank(s) {
+    const i = SEVERITY_ORDER.indexOf((s ?? '').toLowerCase());
+    return i === -1 ? SEVERITY_ORDER.length : i;
+}
 function formatTable(report) {
-    // Simplistic table formatter
-    if (!report)
-        return 'No report data';
-    return `Scan Results: ${report.summary?.passed || 0} passed, ${report.summary?.failed || 0} failed.`;
+    const r = (report ?? {});
+    const findings = r.findings ?? [];
+    if (findings.length === 0) {
+        return r.passed === false ? 'Scan failed but no findings returned.' : '\u2713 No compliance violations found.';
+    }
+    const sorted = [...findings].sort((a, b) => sevRank(a.severity) - sevRank(b.severity));
+    const counts = new Map();
+    for (const f of findings) {
+        const sev = (f.severity ?? 'unknown').toLowerCase();
+        counts.set(sev, (counts.get(sev) ?? 0) + 1);
+    }
+    const lines = [];
+    lines.push(`Findings: ${findings.length}`);
+    const summaryParts = SEVERITY_ORDER.filter((s) => counts.has(s)).map((s) => `${counts.get(s)} ${s}`);
+    if (summaryParts.length > 0)
+        lines.push(`  ${summaryParts.join(', ')}`);
+    lines.push('');
+    for (const f of sorted) {
+        const sev = (f.severity ?? 'unknown').toUpperCase().padEnd(8);
+        const rule = f.rule_id ?? f.ruleId ?? '';
+        const loc = locOf(f);
+        const title = f.title ?? f.message ?? f.description ?? '';
+        lines.push(`  [${sev}] ${rule}  ${title}`);
+        if (loc)
+            lines.push(`            ${loc}`);
+    }
+    return lines.join('\n');
+}
+function locOf(f) {
+    const file = f.file ?? f.path;
+    if (!file)
+        return '';
+    return f.line ? `${file}:${f.line}` : file;
 }

package/dist/index.d.ts

@@ -33,18 +33,3 @@ export declare function gate(options: GateOptions): Promise<{
     prompt: any;
     summary: any;
 }>;
-/**
- * Run local hook
- */
-export declare function runHook(params: {
-    frameworks?: string[];
-    filePath?: string;
-}): Promise<number>;
-/**
- * Run API hook
- */
-export declare function runHookApi(params: {
-    apiUrl?: string;
-    apiKey?: string;
-    frameworks?: string[];
-}): Promise<number>;

package/dist/index.js

@@ -16,8 +16,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.scan = scan;
 exports.gate = gate;
-exports.runHook = runHook;
-exports.runHookApi = runHookApi;
 const api_client_1 = require("./api-client");
 const fs_1 = require("./utils/fs");
 __exportStar(require("./api-client"), exports);
@@ -64,19 +62,3 @@ async function gate(options) {
         summary: response.summary
     };
 }
-/**
- * Run local hook
- */
-async function runHook(params) {
-    // Logic to read stdin or specific file and call gate
-    const { frameworks = ['soc2'], filePath } = params;
-    // Implementation details...
-    return 0;
-}
-/**
- * Run API hook
- */
-async function runHookApi(params) {
-    // Implementation details...
-    return 0;
-}

package/dist/utils/fs.js

@@ -36,66 +36,116 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.collectFiles = collectFiles;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-const glob_1 = require("glob");
+const minimatch_1 = require("minimatch");
 const MAX_FILE_SIZE = 256 * 1024; // 256 KB
 const MAX_TOTAL_FILES = 10_000;
-async function collectFiles(baseDir, includePatterns, excludePatterns) {
-    // Simple implementation using glob
-    const patterns = includePatterns && includePatterns.length > 0 ? includePatterns : ['**/*'];
-    const ignore = [
-        'node_modules/**',
-        '.git/**',
-        '.terraform/**',
-        'dist/**',
-        'build/**',
-        '**/__pycache__/**',
-        '.next/**',
-        '.nuxt/**',
-        'vendor/**',
-        'coverage/**',
-        '.venv/**',
-        'venv/**',
-        '.tox/**',
-        'target/**',
-        '*.lock',
-        'package-lock.json',
-        '*.min.js',
-        '*.min.css',
-        '*.map',
-        '*.bundle.js',
-        '*.tfstate',
-        '*.tfstate.backup',
-    ];
-    if (excludePatterns && excludePatterns.length > 0) {
-        ignore.push(...excludePatterns);
+/**
+ * Directories skipped unconditionally. Kept in parity with
+ * `packages/compliance-code-scanner/src/ignore-utils.ts`.
+ */
+const SKIP_DIRS = new Set([
+    'node_modules',
+    'vendor',
+    '__pycache__',
+    '.terraform',
+    '.git',
+    'dist',
+    '.venv',
+    'venv',
+    'build',
+    'out',
+    '.next',
+    '.nuxt',
+    '.output',
+    '.cache',
+    '.parcel-cache',
+    'coverage',
+    '.nyc_output',
+    '.turbo',
+    'target',
+    '.gradle',
+    '.mvn',
+    '.idea',
+    '.vscode',
+    '.eggs',
+    '.tox',
+    '.mypy_cache',
+    '.ruff_cache',
+    '.pytest_cache',
+    'bower_components',
+    '.svn',
+    '.hg',
+    '__snapshots__',
+]);
+const SKIP_DIR_SUFFIXES = ['.egg-info'];
+const SKIP_FILE_EXTENSIONS = ['.lock', '.min.js', '.min.css', '.map', '.bundle.js', '.tfstate', '.tfstate.backup'];
+const SKIP_FILE_NAMES = new Set(['package-lock.json']);
+/**
+ * Load .gitignore patterns from the repo root.
+ *
+ * Negation patterns (`!foo`) are dropped — minimatch does not interpret them
+ * as gitignore would, and passing them through causes directory-wide blindness
+ * (see server-side fix in ignore-utils.ts).
+ */
+function loadGitignore(repoPath) {
+    try {
+        const gitignorePath = path.join(repoPath, '.gitignore');
+        if (!fs.existsSync(gitignorePath))
+            return [];
+        const content = fs.readFileSync(gitignorePath, 'utf-8');
+        return content
+            .split('\n')
+            .map((line) => line.trim())
+            .filter((line) => line && !line.startsWith('#') && !line.startsWith('!'))
+            .map((line) => (line.endsWith('/') ? line.slice(0, -1) : line));
     }
-    const matches = await (0, glob_1.glob)(patterns, {
-        cwd: baseDir,
-        ignore,
-        nodir: true,
-    });
-    const files = {};
-    let count = 0;
-    for (const match of matches) {
-        if (count >= MAX_TOTAL_FILES) {
-            console.warn(`Reached max file limit (${MAX_TOTAL_FILES}). Some files were skipped.`);
-            break;
-        }
-        const fullPath = path.join(baseDir, match);
-        const stats = fs.statSync(fullPath);
-        // Skip large files
-        if (stats.size > MAX_FILE_SIZE) {
-            continue;
+    catch {
+        return [];
+    }
+}
+function matchesAny(filePath, patterns) {
+    return patterns.some((p) => (0, minimatch_1.minimatch)(filePath, p));
+}
+/**
+ * Decide whether a directory or file entry should be excluded from collection.
+ * Mirrors server `shouldIgnore` so scanner results stay consistent between
+ * client-collected (CLI) and server-collected paths.
+ */
+function shouldIgnore(name, relPath, ignores, userExcludes) {
+    if (SKIP_DIRS.has(name) ||
+        SKIP_DIR_SUFFIXES.some((s) => name.endsWith(s)) ||
+        (name.startsWith('.') &&
+            !name.startsWith('.env') &&
+            !name.startsWith('.github') &&
+            !name.startsWith('.gitlab'))) {
+        return true;
+    }
+    if (userExcludes && userExcludes.length > 0) {
+        for (const pattern of userExcludes) {
+            if (name === pattern ||
+                name + '/' === pattern ||
+                relPath === pattern ||
+                relPath + '/' === pattern) {
+                return true;
+            }
         }
-        // Basic heuristic to skip binary files
-        const buffer = fs.readFileSync(fullPath);
-        if (isBinary(buffer)) {
-            continue;
+        if (matchesAny(relPath, userExcludes))
+            return true;
+    }
+    // .env* files are always scanned, even if listed in .gitignore (common case)
+    if (name.startsWith('.env') || name.endsWith('.env'))
+        return false;
+    for (const pattern of ignores) {
+        if (name === pattern ||
+            name + '/' === pattern ||
+            relPath === pattern ||
+            relPath + '/' === pattern) {
+            return true;
         }
-        files[match] = buffer.toString('utf8');
-        count++;
     }
-    return files;
+    if (matchesAny(relPath, ignores))
+        return true;
+    return false;
 }
 function isBinary(buffer) {
     for (let i = 0; i < Math.min(buffer.length, 1024); i++) {
@@ -104,3 +154,74 @@ function isBinary(buffer) {
     }
     return false;
 }
+function shouldSkipFileByName(name) {
+    if (SKIP_FILE_NAMES.has(name))
+        return true;
+    return SKIP_FILE_EXTENSIONS.some((ext) => name.endsWith(ext));
+}
+async function collectFiles(baseDir, includePatterns, excludePatterns) {
+    const repoRoot = path.resolve(baseDir);
+    const ignores = loadGitignore(repoRoot);
+    const files = {};
+    const state = { count: 0, limitReached: false };
+    walk(repoRoot, repoRoot, ignores, includePatterns, excludePatterns, files, state);
+    return files;
+}
+function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, state) {
+    if (state.limitReached)
+        return;
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const entry of entries) {
+        if (state.limitReached)
+            return;
+        const name = entry.name;
+        const fullPath = path.join(dir, name);
+        const relPath = path.relative(repoRoot, fullPath);
+        if (entry.isDirectory()) {
+            if (shouldIgnore(name, relPath, ignores, userExcludes))
+                continue;
+            walk(fullPath, repoRoot, ignores, includePatterns, userExcludes, files, state);
+            continue;
+        }
+        if (!entry.isFile())
+            continue;
+        if (shouldIgnore(name, relPath, ignores, userExcludes))
+            continue;
+        if (shouldSkipFileByName(name))
+            continue;
+        if (includePatterns && includePatterns.length > 0 && !matchesAny(relPath, includePatterns)) {
+            continue;
+        }
+        if (state.count >= MAX_TOTAL_FILES) {
+            console.warn(`Reached max file limit (${MAX_TOTAL_FILES}). Some files were skipped.`);
+            state.limitReached = true;
+            return;
+        }
+        let stats;
+        try {
+            stats = fs.statSync(fullPath);
+        }
+        catch {
+            continue;
+        }
+        if (stats.size > MAX_FILE_SIZE)
+            continue;
+        let buffer;
+        try {
+            buffer = fs.readFileSync(fullPath);
+        }
+        catch {
+            continue;
+        }
+        if (isBinary(buffer))
+            continue;
+        files[relPath] = buffer.toString('utf8');
+        state.count++;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.2.2",
+  "version": "0.4.0",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {
@@ -34,8 +34,7 @@
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
     "commander": "^12.0.0",
-    "glob": "^10.3.10",
-    "ignore": "^5.3.1"
+    "minimatch": "^9.0.3"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",