@scantrix/cli 1.0.0

package/dist/auditConfig.js

@@ -0,0 +1,81 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadAuditConfig = loadAuditConfig;
+exports.isRuleDisabled = isRuleDisabled;
+exports.getEffectiveSeverity = getEffectiveSeverity;
+exports.generateDefaultConfig = generateDefaultConfig;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const DEFAULT_CONFIG = {
+    rules: { disabled: [], severityOverrides: {} },
+    exclude: [],
+    thresholds: { gradeA: 80, gradeB: 60, gradeC: 40 },
+};
+async function loadAuditConfig(repoPath, explicitPath) {
+    const configPath = explicitPath
+        ? path_1.default.resolve(explicitPath)
+        : path_1.default.join(repoPath, ".auditrc.json");
+    try {
+        const raw = await promises_1.default.readFile(configPath, "utf8");
+        const parsed = JSON.parse(raw);
+        return mergeConfig(DEFAULT_CONFIG, parsed);
+    }
+    catch {
+        return { ...DEFAULT_CONFIG };
+    }
+}
+function mergeConfig(defaults, overrides) {
+    return {
+        rules: {
+            disabled: overrides.rules?.disabled ?? defaults.rules?.disabled ?? [],
+            severityOverrides: {
+                ...(defaults.rules?.severityOverrides ?? {}),
+                ...(overrides.rules?.severityOverrides ?? {}),
+            },
+        },
+        exclude: overrides.exclude ?? defaults.exclude ?? [],
+        thresholds: {
+            gradeA: overrides.thresholds?.gradeA ?? defaults.thresholds?.gradeA ?? 80,
+            gradeB: overrides.thresholds?.gradeB ?? defaults.thresholds?.gradeB ?? 60,
+            gradeC: overrides.thresholds?.gradeC ?? defaults.thresholds?.gradeC ?? 40,
+        },
+    };
+}
+function isRuleDisabled(config, ruleId) {
+    return config.rules?.disabled?.includes(ruleId) ?? false;
+}
+function getEffectiveSeverity(config, ruleId, defaultSeverity) {
+    return config.rules?.severityOverrides?.[ruleId] ?? defaultSeverity;
+}
+/**
+ * Generate a well-documented starter .auditrc.json with all options commented.
+ */
+function generateDefaultConfig() {
+    const config = {
+        "$schema": "https://scantrix.com/schemas/auditrc.json",
+        "rules": {
+            "disabled": [],
+            "severityOverrides": {},
+        },
+        "exclude": [
+            "node_modules/**",
+            "dist/**",
+            "coverage/**",
+        ],
+        "thresholds": {
+            "gradeA": 80,
+            "gradeB": 60,
+            "gradeC": 40,
+        },
+        "_comments": {
+            "disabled": "Add finding IDs to suppress entirely, e.g. [\"PW-LOC-001\", \"ARCH-006\"]",
+            "severityOverrides": "Override severity for specific findings, e.g. { \"PW-FLAKE-001\": \"medium\" }",
+            "exclude": "Glob patterns to exclude from file scanning",
+            "thresholds": "Health score thresholds for letter grades (0-100, higher=better). gradeA=min score for A, gradeB=min for B, gradeC=min for C, below C = D/F",
+        },
+    };
+    return JSON.stringify(config, null, 2) + "\n";
+}

package/dist/ciExtractor.js

@@ -0,0 +1,327 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractCiSummary = extractCiSummary;
+const fast_glob_1 = __importDefault(require("fast-glob"));
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+function normalize(p) {
+    return p.replace(/\\/g, "/");
+}
+function classifyCiFile(file) {
+    const n = normalize(file).toLowerCase();
+    if (n.includes("/.github/workflows/") &&
+        (n.endsWith(".yml") || n.endsWith(".yaml"))) {
+        return "github_actions";
+    }
+    // Typical Azure Pipelines
+    if (n.endsWith("/azure-pipelines.yml") || n.endsWith("/azure-pipelines.yaml")) {
+        return "azure_pipelines";
+    }
+    // Repo conventions: /pipelines/ folder or names containing azure/ado/pipeline
+    const base = path_1.default.basename(n);
+    if (n.includes("/pipelines/"))
+        return "azure_pipelines";
+    if (base.includes("pipeline") || base.includes("azure") || base.includes("ado"))
+        return "azure_pipelines";
+    return "unknown";
+}
+function contentHasAny(content, patterns) {
+    return patterns.some((p) => p.test(content));
+}
+function looksLikeCiByPath(file) {
+    const n = normalize(file).toLowerCase();
+    const base = path_1.default.basename(n);
+    return (n.includes("/pipelines/") ||
+        n.includes("/.github/workflows/") ||
+        base.includes("pipeline") ||
+        base.includes("azure") ||
+        base.includes("ado") ||
+        base === "azure-pipelines.yml" ||
+        base === "azure-pipelines.yaml");
+}
+function looksLikePipelineYamlContent(c) {
+    // super lightweight heuristic to avoid false positives (e.g., docker-compose, k8s manifests)
+    return contentHasAny(c, [
+        /^\s*trigger\s*:/mi,
+        /^\s*schedules\s*:/mi,
+        /^\s*stages\s*:/mi,
+        /^\s*jobs\s*:/mi,
+        /^\s*steps\s*:/mi,
+        /^\s*pool\s*:/mi,
+        /^\s*-+\s*task\s*:/mi,
+        /PublishPipelineArtifact/i,
+        /PublishTestResults/i,
+        /actions\/upload-artifact/i,
+    ]);
+}
+async function extractCiSummary(repoPath) {
+    // Bulletproof discovery: find all YAML files, then filter down.
+    const allYaml = (await (0, fast_glob_1.default)(["**/*.yml", "**/*.yaml"], {
+        cwd: repoPath,
+        absolute: true,
+        dot: true, // include .github/workflows
+        onlyFiles: true,
+        followSymbolicLinks: false,
+        ignore: ["**/node_modules/**", "**/dist/**", "**/build/**", "**/.git/**"],
+    }));
+    // First-pass filter by path/name conventions
+    const likelyByPath = allYaml.filter(looksLikeCiByPath);
+    // Second-pass: if we found nothing, fall back to scanning content for CI-ish keys.
+    let candidates = likelyByPath;
+    if (!candidates.length && allYaml.length) {
+        const contentCandidates = [];
+        // Cap to keep it fast on huge repos
+        for (const f of allYaml.slice(0, 300)) {
+            try {
+                const c = await promises_1.default.readFile(f, "utf8");
+                if (looksLikePipelineYamlContent(c))
+                    contentCandidates.push(f);
+            }
+            catch {
+                // ignore unreadable
+            }
+        }
+        candidates = contentCandidates;
+    }
+    const files = candidates
+        .map((f) => ({ file: normalize(f), kind: classifyCiFile(f) }))
+        .filter((f) => !f.file.toLowerCase().includes("/node_modules/"));
+    const summary = {
+        files,
+        detectedAzurePipelines: files.some((f) => f.kind === "azure_pipelines"),
+        detectedGitHubActions: files.some((f) => f.kind === "github_actions"),
+        publishesPlaywrightReport: false,
+        publishesJUnit: false,
+        publishesTracesOrTestResultsDir: false,
+        publishesArtifactsOnFailure: false,
+        usesCache: false,
+        usesSharding: false,
+        shardingFiles: [],
+        setsWorkersEnv: false,
+        workersEnvName: undefined,
+        workersEnvFiles: [],
+        setsHeadlessEnv: false,
+        headlessEnvName: undefined,
+        mentionsNodeSetup: false,
+        mentionsNpmInstall: false,
+        mentionsPlaywrightInstall: false,
+        playwrightInstallMethod: undefined,
+        usesSelfHostedPool: false,
+        usesMicrosoftHostedPool: false,
+        mentionsBrowsersPreinstalled: false,
+        hasFailureHandling: false,
+        failureHandlingMethods: [],
+        setsCiEnvTrue: false,
+        ciEnvTrueFiles: [],
+        hasPipelineTimeout: false,
+        pipelineTimeoutMinutes: undefined,
+        hasReporterInPlaywrightCommand: false,
+        notes: [],
+    };
+    if (!files.length) {
+        summary.notes.push(`No CI pipeline YAML detected under repoPath: ${normalize(repoPath)}`);
+        summary.notes.push(`YAML files scanned: ${allYaml.length}`);
+        return summary;
+    }
+    for (const f of files) {
+        let content = "";
+        try {
+            content = await promises_1.default.readFile(f.file, "utf8");
+        }
+        catch {
+            continue;
+        }
+        const c = content;
+        // Pool type signals
+        if (contentHasAny(c, [
+            /\bpool\s*:\s*\n\s*name\s*:/i,
+            /\bpool\s*:\s*{[^}]*\bname\s*:/i,
+        ])) {
+            summary.usesSelfHostedPool = true;
+        }
+        if (contentHasAny(c, [/\bvmImage\s*:/i])) {
+            summary.usesMicrosoftHostedPool = true;
+        }
+        if (contentHasAny(c, [
+            /already\s+has\s+browsers?/i,
+            /browsers?.*already\s+installed/i,
+            /playwright.*already\s+has\s+browsers/i,
+        ])) {
+            summary.mentionsBrowsersPreinstalled = true;
+        }
+        // Report publishing
+        if (contentHasAny(c, [/playwright-report/i, /\bhtml-report\b/i])) {
+            if (contentHasAny(c, [
+                /\bPublishPipelineArtifact\b/i,
+                /\bPublishBuildArtifacts\b/i,
+                /\bactions\/upload-artifact\b/i,
+                /\bupload-artifact\b/i,
+                /\bpublish:\s*/i,
+            ])) {
+                summary.publishesPlaywrightReport = true;
+            }
+        }
+        // JUnit publishing
+        if (contentHasAny(c, [/PublishTestResults@/i, /\bPublishTestResults\b/i])) {
+            summary.publishesJUnit = true;
+        }
+        else if (contentHasAny(c, [/test-results\.xml/i, /junit/i])) {
+            if (contentHasAny(c, [
+                /\bPublishPipelineArtifact\b/i,
+                /\bPublishBuildArtifacts\b/i,
+                /\bactions\/upload-artifact\b/i,
+                /\bupload-artifact\b/i,
+            ])) {
+                summary.publishesJUnit = true;
+            }
+        }
+        // Traces/test-results publishing
+        if (contentHasAny(c, [/test-results/i, /trace\.zip/i, /traces?/i])) {
+            if (contentHasAny(c, [
+                /\bPublishPipelineArtifact\b/i,
+                /\bPublishBuildArtifacts\b/i,
+                /\bactions\/upload-artifact\b/i,
+                /\bupload-artifact\b/i,
+            ])) {
+                summary.publishesTracesOrTestResultsDir = true;
+            }
+        }
+        // Detect if artifact publishing is configured to run even on failure
+        // Azure DevOps: condition: always() or condition: failed() or condition: succeededOrFailed()
+        // GitHub Actions: if: always() or if: failure() or if: ${{ always() }}
+        if (contentHasAny(c, [
+            // Azure DevOps conditions
+            /condition\s*:\s*always\s*\(\)/i,
+            /condition\s*:\s*failed\s*\(\)/i,
+            /condition\s*:\s*succeededOrFailed\s*\(\)/i,
+            // GitHub Actions conditions
+            /if\s*:\s*always\s*\(\)/i,
+            /if\s*:\s*failure\s*\(\)/i,
+            /if\s*:\s*\$\{\{\s*always\s*\(\)/i,
+            /if\s*:\s*\$\{\{\s*failure\s*\(\)/i,
+            // Combined with artifact keywords nearby (within ~200 chars context)
+        ])) {
+            // Check if it's associated with artifact/test-results publishing
+            if (contentHasAny(c, [
+                /test-results/i,
+                /playwright-report/i,
+                /trace/i,
+                /upload-artifact/i,
+                /PublishPipelineArtifact/i,
+                /PublishBuildArtifacts/i,
+            ])) {
+                summary.publishesArtifactsOnFailure = true;
+            }
+        }
+        // Cache usage — tightened to avoid false negatives from unrelated YAML keys
+        // Only match explicit CI cache tasks/actions, not arbitrary `cache:` keys
+        if (contentHasAny(c, [
+            /\bCache@2\b/i,
+            /\bactions\/cache\b/i,
+            /\bactions\/setup-node[\s\S]{0,200}cache\s*:/i,
+            /\bnpm\s+ci\s+--cache/i,
+        ])) {
+            summary.usesCache = true;
+        }
+        // Env wiring
+        if (contentHasAny(c, [/\bWORKERS\b/i])) {
+            summary.setsWorkersEnv = true;
+            summary.workersEnvName = "WORKERS";
+            summary.workersEnvFiles.push(normalize(f.file));
+        }
+        if (contentHasAny(c, [/\bHEADLESS_MODE\b/i])) {
+            summary.setsHeadlessEnv = true;
+            summary.headlessEnvName = "HEADLESS_MODE";
+        }
+        // Tooling steps
+        if (contentHasAny(c, [
+            /\bNodeTool@0\b/i,
+            /actions\/setup-node/i,
+            /\bsetup-node\b/i,
+        ])) {
+            summary.mentionsNodeSetup = true;
+        }
+        if (contentHasAny(c, [
+            /\bnpm ci\b/i,
+            /\bnpm install\b/i,
+            /\byarn install\b/i,
+            /\bpnpm install\b/i,
+        ])) {
+            summary.mentionsNpmInstall = true;
+        }
+        if (contentHasAny(c, [/\bnpx playwright install\b/i, /playwright install\b/i])) {
+            summary.mentionsPlaywrightInstall = true;
+            // Detect install method
+            if (contentHasAny(c, [/npx playwright install --with-deps/i])) {
+                summary.playwrightInstallMethod = "npx playwright install --with-deps";
+            }
+            else if (contentHasAny(c, [/npx playwright install(?!\s+--with-deps)/i])) {
+                summary.playwrightInstallMethod = "npx playwright install";
+            }
+            else {
+                summary.playwrightInstallMethod = "unknown";
+            }
+        }
+        // Sharding detection
+        if (contentHasAny(c, [/--shard=/i, /\bshard\b.*\d+\/\d+/i])) {
+            summary.usesSharding = true;
+            summary.shardingFiles.push(normalize(f.file));
+        }
+        // Failure handling detection
+        if (contentHasAny(c, [/continueOnError\s*:\s*true/i])) {
+            summary.hasFailureHandling = true;
+            if (!summary.failureHandlingMethods.includes("continueOnError")) {
+                summary.failureHandlingMethods.push("continueOnError");
+            }
+        }
+        if (contentHasAny(c, [/condition\s*:.*failed\(\)/i, /if\s*:.*failure\(\)/i])) {
+            summary.hasFailureHandling = true;
+            if (!summary.failureHandlingMethods.includes("conditional steps on failure")) {
+                summary.failureHandlingMethods.push("conditional steps on failure");
+            }
+        }
+        // CI-012: Does the pipeline explicitly set CI=true?
+        // GitHub Actions sets CI=true automatically, Azure DevOps does not.
+        if (contentHasAny(c, [
+            /\bCI\s*:\s*['"]?true['"]?/i, // map-style:  CI: true / CI: 'true'
+            /\bCI=true\b/i, // script:     CI=true
+            /\benv\s*:\s*\n[^]*?\bCI\s*:\s/i, // env block with CI key
+            /- name:\s*['"]?CI['"]?\s*\n\s*value:\s*['"]?true['"]?/i, // Azure list-style variables
+        ])) {
+            summary.setsCiEnvTrue = true;
+            summary.ciEnvTrueFiles.push(normalize(f.file));
+        }
+        // GitHub Actions implicitly sets CI=true
+        if (f.kind === "github_actions") {
+            summary.setsCiEnvTrue = true;
+            summary.ciEnvTrueFiles.push(normalize(f.file));
+        }
+        // CI-013: Pipeline timeout detection
+        // Azure DevOps: timeoutInMinutes at job/step level
+        // GitHub Actions: timeout-minutes at job/step level
+        const adoTimeoutMatch = c.match(/\btimeoutInMinutes\s*:\s*(\d+)/i);
+        const ghaTimeoutMatch = c.match(/\btimeout-minutes\s*:\s*(\d+)/i);
+        const timeoutMatch = adoTimeoutMatch || ghaTimeoutMatch;
+        if (timeoutMatch) {
+            summary.hasPipelineTimeout = true;
+            const mins = Number(timeoutMatch[1]);
+            if (Number.isFinite(mins)) {
+                summary.pipelineTimeoutMinutes = summary.pipelineTimeoutMinutes
+                    ? Math.max(summary.pipelineTimeoutMinutes, mins)
+                    : mins;
+            }
+        }
+        // CI-014: Does `npx playwright test` command include --reporter?
+        if (contentHasAny(c, [/playwright\s+test\b[^\n]*--reporter/i])) {
+            summary.hasReporterInPlaywrightCommand = true;
+        }
+    }
+    // Dedupes (safe + makes CI-006 deterministic)
+    summary.workersEnvFiles = [...new Set(summary.workersEnvFiles)];
+    summary.shardingFiles = [...new Set(summary.shardingFiles)];
+    summary.ciEnvTrueFiles = [...new Set(summary.ciEnvTrueFiles)];
+    return summary;
+}

package/dist/cli.js

@@ -0,0 +1,156 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const minimist_1 = __importDefault(require("minimist"));
+const path_1 = __importDefault(require("path"));
+const fs_1 = require("fs");
+const scanner_1 = require("./scanner");
+const report_1 = require("./report");
+const auditConfig_1 = require("./auditConfig");
+const diffTracker_1 = require("./diffTracker");
+const scanResult_1 = require("./scanResult");
+const sinks_1 = require("./sinks");
+const scoring_1 = require("./scoring");
+const promises_1 = __importDefault(require("fs/promises"));
+async function main() {
+    const args = (0, minimist_1.default)(process.argv.slice(2));
+    const subcommand = args._[0];
+    // ── Subcommand: init ─────────────────────────────────────────────
+    if (subcommand === "init") {
+        const targetDir = args._[1] || ".";
+        const configPath = path_1.default.join(path_1.default.resolve(targetDir), ".auditrc.json");
+        try {
+            await promises_1.default.access(configPath);
+            console.error(`[init] .auditrc.json already exists at ${configPath}`);
+            process.exit(1);
+        }
+        catch {
+            // File doesn't exist — good
+        }
+        await promises_1.default.writeFile(configPath, (0, auditConfig_1.generateDefaultConfig)(), "utf8");
+        console.log(`[init] Created .auditrc.json at ${configPath}`);
+        return;
+    }
+    // ── Standard scan ────────────────────────────────────────────────
+    const repoPath = args.repo || args._[0];
+    const outDir = args.out || "./audit-out";
+    const checkUpdates = Boolean(args.updates || args.update || args.checkUpdates);
+    const configPath = args.config; // --config .auditrc.json
+    const diffPath = args.diff; // --diff path/to/baseline/findings.json
+    const formatArg = args.format; // --format md,html,json,sarif,email
+    const noTrend = Boolean(args["no-trend"]); // --no-trend to disable auto-snapshot
+    const jsonPath = args["json-path"]; // --json-path path/to/results.json
+    const repoName = args["repo-name"]; // --repo-name display name override
+    const branchOverride = args["branch"]; // --branch override detected branch
+    if (!repoPath) {
+        console.error("Usage:\n" +
+            "  scantrix <repoPath> [--out <dir>] [--updates] [--config <path>]\n" +
+            "           [--diff <baseline.json>] [--format md,html,json,sarif,email]\n" +
+            "           [--no-trend] [--json-path <path>]\n" +
+            "           [--repo-name <name>] [--branch <branch>]\n" +
+            "\n" +
+            "  scantrix init [dir]           Create a starter .auditrc.json\n" +
+            "\n" +
+            "Environment variables:\n" +
+            "  SCANTRIX_JSON_PATH     Write canonical results JSON to this path\n");
+        process.exit(1);
+    }
+    const absRepo = path_1.default.resolve(repoPath);
+    const absOut = path_1.default.resolve(outDir);
+    // Read tool version from package.json (dist/cli.js → ../package.json)
+    const pkg = JSON.parse((0, fs_1.readFileSync)(path_1.default.resolve(__dirname, "..", "package.json"), "utf8"));
+    const toolVersion = pkg.version ?? "0.0.0";
+    // ── Load optional .auditrc.json ────────────────────────────────────
+    const auditConfig = await (0, auditConfig_1.loadAuditConfig)(configPath ?? repoPath);
+    // ── Parse --format flag ────────────────────────────────────────────
+    const validFormats = ["md", "html", "json", "sarif", "email"];
+    let formats;
+    if (formatArg) {
+        formats = formatArg.split(",").map(s => s.trim().toLowerCase()).filter((s) => validFormats.includes(s));
+        if (formats.length === 0)
+            formats = undefined; // fall back to all
+    }
+    // ── Resolve baseline for diff tracking ───────────────────────────────
+    let resolvedBaseline = diffPath;
+    let baselineMeta;
+    if (!resolvedBaseline && !noTrend) {
+        resolvedBaseline = await (0, diffTracker_1.findLatestBaseline)(outDir) ?? undefined;
+        // Load the baseline snapshot's meta.json for inventory comparison
+        if (resolvedBaseline) {
+            try {
+                const metaPath = path_1.default.join(path_1.default.dirname(resolvedBaseline), "meta.json");
+                const metaRaw = await promises_1.default.readFile(metaPath, "utf8");
+                baselineMeta = JSON.parse(metaRaw);
+            }
+            catch { /* no meta available — first scan or corrupt snapshot */ }
+        }
+    }
+    const startedAt = new Date().toISOString();
+    try {
+        const results = await (0, scanner_1.scanRepo)(repoPath, {
+            checkOutdatedDependencies: checkUpdates,
+            auditConfig,
+            repoName,
+            branch: branchOverride,
+        });
+        // ── Prevalence-based severity escalation ──────────────────────────
+        const effectiveTestFiles = results.inventory.testFiles +
+            (results.inventory.cypressTestFiles ?? 0) +
+            (results.inventory.seleniumTestFiles ?? 0);
+        results.findings = (0, scoring_1.applyEscalation)(results.findings, effectiveTestFiles);
+        await (0, report_1.writeReportArtifacts)(outDir, results, {
+            baselinePath: resolvedBaseline,
+            baselineMeta,
+            formats,
+        });
+        console.log(`[audit] wrote report to: ${outDir}`);
+        // ── Auto-snapshot ─────────────────────────────────────────────────
+        if (!noTrend) {
+            await (0, diffTracker_1.saveSnapshot)(outDir, results.findings, {
+                inventory: results.inventory,
+                repoPath: absRepo,
+            });
+            console.log(`[snapshot] Saved to ${outDir}/snapshots/`);
+        }
+        // ── Console diff summary ───────────────────────────────────────────
+        if (resolvedBaseline) {
+            const baseline = await (0, diffTracker_1.loadBaseline)(resolvedBaseline);
+            if (baseline.length > 0) {
+                const diff = (0, diffTracker_1.computeDiff)(baseline, results.findings, {
+                    baselineInventory: baselineMeta,
+                    currentInventory: results.inventory,
+                });
+                console.log((0, diffTracker_1.formatDiffConsoleSummary)(diff));
+            }
+        }
+        else if (!noTrend) {
+            console.log("[diff] First scan — no baseline to compare.");
+        }
+        // ── Write canonical ScanResult JSON ────────────────────────────────
+        const effectiveJsonPath = jsonPath ?? process.env.SCANTRIX_JSON_PATH;
+        if (effectiveJsonPath) {
+            const scanResult = (0, scanResult_1.buildScanResult)(results, {
+                version: toolVersion,
+                startedAt,
+                repoPath: absRepo,
+            });
+            const sink = new sinks_1.JsonSink(effectiveJsonPath);
+            await sink.write(scanResult);
+            console.log(`[sink:json] Results written to ${effectiveJsonPath}`);
+        }
+    }
+    catch (err) {
+        console.error("[audit] FAILED:", err);
+        // Write a minimal crash report so audit_summary.md is never empty again
+        await promises_1.default.mkdir(outDir, { recursive: true });
+        await promises_1.default.writeFile(path_1.default.join(outDir, "audit_summary.md"), `# Playwright Reliability Audit (Crash)\n\nRepo: \`${repoPath}\`\n\nError:\n\n\`\`\`\n${String(err)}\n\`\`\`\n`, "utf8");
+        throw err;
+    }
+}
+main().catch((e) => {
+    console.error(" Audit failed:", e);
+    process.exit(1);
+});