@securitychecks/cli 0.1.1-rc.1

package/dist/lib.js

@@ -0,0 +1,2187 @@
+import { resolveTargetPath, collect, ARTIFACT_SCHEMA_VERSION } from '@securitychecks/collector';
+import { readFile, mkdir, writeFile } from 'fs/promises';
+import { existsSync, readFileSync } from 'fs';
+import { homedir } from 'os';
+import { join, dirname } from 'path';
+import { gzipSync } from 'zlib';
+import { randomUUID, createHash } from 'crypto';
+
+// src/audit.ts
+var CONFIG_DIR = join(homedir(), ".securitychecks");
+join(CONFIG_DIR, "config.json");
+function normalizeApiBaseUrl(input) {
+  const value = input.trim();
+  if (!value) {
+    throw new Error("API URL is empty");
+  }
+  let url;
+  try {
+    url = new URL(value);
+  } catch {
+    throw new Error(`Invalid API URL: ${input}`);
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw new Error("API URL must start with http:// or https://");
+  }
+  if (url.username || url.password) {
+    throw new Error("API URL must not include credentials");
+  }
+  url.hash = "";
+  url.search = "";
+  const pathname = url.pathname.replace(/\/+$/, "");
+  const stripped = pathname.replace(/\/api\/v1$/i, "").replace(/\/v1$/i, "");
+  url.pathname = stripped.length === 0 ? "/" : `${stripped}/`;
+  return url.toString().replace(/\/$/, "");
+}
+
+// src/lib/license.ts
+var CLOUD_API_KEY_ENV_VARS = [
+  "SECURITYCHECKS_API_KEY",
+  "SECURITYCHECKS_LICENSE_KEY"
+];
+var DEFAULT_CLOUD_BASE_URL = "https://api.securitychecks.ai";
+function getCloudApiKey() {
+  for (const envVar of CLOUD_API_KEY_ENV_VARS) {
+    const value = process.env[envVar];
+    if (value) {
+      return value;
+    }
+  }
+  return void 0;
+}
+function getCloudApiBaseUrl() {
+  const raw = process.env["SECURITYCHECKS_API_URL"] ?? DEFAULT_CLOUD_BASE_URL;
+  return normalizeApiBaseUrl(raw);
+}
+
+// src/lib/errors.ts
+var ErrorCodes = {
+  // CONFIG errors (001-099)
+  CONFIG_NOT_FOUND: "SC_CONFIG_001",
+  CONFIG_INVALID: "SC_CONFIG_002",
+  CONFIG_SCHEMA_ERROR: "SC_CONFIG_003",
+  // PARSE errors (100-199)
+  PARSE_TYPESCRIPT_ERROR: "SC_PARSE_101",
+  PARSE_FILE_NOT_FOUND: "SC_PARSE_102",
+  PARSE_UNSUPPORTED_SYNTAX: "SC_PARSE_103",
+  // CHECK errors (200-299)
+  CHECK_EXECUTION_ERROR: "SC_CHECK_201",
+  CHECK_TIMEOUT: "SC_CHECK_202",
+  CHECK_INVARIANT_NOT_FOUND: "SC_CHECK_203",
+  // IO errors (300-399)
+  IO_READ_ERROR: "SC_IO_301",
+  IO_WRITE_ERROR: "SC_IO_302",
+  IO_PERMISSION_DENIED: "SC_IO_303",
+  IO_PATH_NOT_FOUND: "SC_IO_304",
+  // CLI errors (400-499)
+  CLI_INVALID_ARGUMENT: "SC_CLI_401",
+  CLI_MISSING_ARGUMENT: "SC_CLI_402",
+  CLI_UNKNOWN_COMMAND: "SC_CLI_403",
+  // ARTIFACT errors (500-599)
+  ARTIFACT_NOT_FOUND: "SC_ARTIFACT_501",
+  ARTIFACT_INVALID: "SC_ARTIFACT_502",
+  ARTIFACT_VERSION_MISMATCH: "SC_ARTIFACT_503",
+  // CLOUD errors (600-699)
+  CLOUD_AUTH_FAILED: "SC_CLOUD_601",
+  CLOUD_PERMISSION_DENIED: "SC_CLOUD_602",
+  CLOUD_NOT_FOUND: "SC_CLOUD_603",
+  CLOUD_RATE_LIMITED: "SC_CLOUD_604",
+  CLOUD_API_ERROR: "SC_CLOUD_605",
+  CLOUD_NETWORK_ERROR: "SC_CLOUD_606",
+  CLOUD_INVALID_API_KEY: "SC_CLOUD_607",
+  AUTH_REQUIRED: "SC_CLOUD_608",
+  OFFLINE_NOT_SUPPORTED: "SC_CLOUD_609"
+};
+var ErrorMessages = {
+  [ErrorCodes.CONFIG_NOT_FOUND]: "Configuration file not found",
+  [ErrorCodes.CONFIG_INVALID]: "Configuration file is invalid",
+  [ErrorCodes.CONFIG_SCHEMA_ERROR]: "Configuration does not match expected schema",
+  [ErrorCodes.PARSE_TYPESCRIPT_ERROR]: "Failed to parse TypeScript file",
+  [ErrorCodes.PARSE_FILE_NOT_FOUND]: "Source file not found",
+  [ErrorCodes.PARSE_UNSUPPORTED_SYNTAX]: "Unsupported syntax encountered",
+  [ErrorCodes.CHECK_EXECUTION_ERROR]: "Error executing invariant check",
+  [ErrorCodes.CHECK_TIMEOUT]: "Invariant check timed out",
+  [ErrorCodes.CHECK_INVARIANT_NOT_FOUND]: "Invariant not found",
+  [ErrorCodes.IO_READ_ERROR]: "Failed to read file",
+  [ErrorCodes.IO_WRITE_ERROR]: "Failed to write file",
+  [ErrorCodes.IO_PERMISSION_DENIED]: "Permission denied",
+  [ErrorCodes.IO_PATH_NOT_FOUND]: "Path not found",
+  [ErrorCodes.CLI_INVALID_ARGUMENT]: "Invalid argument provided",
+  [ErrorCodes.CLI_MISSING_ARGUMENT]: "Required argument missing",
+  [ErrorCodes.CLI_UNKNOWN_COMMAND]: "Unknown command",
+  [ErrorCodes.ARTIFACT_NOT_FOUND]: "Artifact file not found",
+  [ErrorCodes.ARTIFACT_INVALID]: "Invalid artifact format",
+  [ErrorCodes.ARTIFACT_VERSION_MISMATCH]: "Artifact version not supported",
+  [ErrorCodes.CLOUD_AUTH_FAILED]: "Authentication failed",
+  [ErrorCodes.CLOUD_PERMISSION_DENIED]: "Permission denied",
+  [ErrorCodes.CLOUD_NOT_FOUND]: "Resource not found",
+  [ErrorCodes.CLOUD_RATE_LIMITED]: "Rate limit exceeded",
+  [ErrorCodes.CLOUD_API_ERROR]: "Cloud API error",
+  [ErrorCodes.CLOUD_NETWORK_ERROR]: "Network error",
+  [ErrorCodes.CLOUD_INVALID_API_KEY]: "Invalid API key format",
+  [ErrorCodes.AUTH_REQUIRED]: "API key required for evaluation",
+  [ErrorCodes.OFFLINE_NOT_SUPPORTED]: "Offline mode is not supported"
+};
+var ErrorRemediation = {
+  // CONFIG errors
+  [ErrorCodes.CONFIG_NOT_FOUND]: `
+Create a configuration file in your project root:
+
+  scheck init
+
+Or create securitychecks.config.ts manually:
+
+  export default {
+    include: ['src/**/*.ts'],
+    exclude: ['node_modules/**'],
+  };
+`.trim(),
+  [ErrorCodes.CONFIG_INVALID]: `
+Check your securitychecks.config.ts for syntax errors.
+
+Common issues:
+- Missing export default
+- Invalid JSON in securitychecks.json
+- Typo in configuration keys
+
+Run with --verbose for more details.
+`.trim(),
+  [ErrorCodes.CONFIG_SCHEMA_ERROR]: `
+Your configuration has invalid options. Check these common issues:
+
+- 'include' and 'exclude' must be arrays of glob patterns
+- 'testPatterns' must be an array of test file patterns
+- 'servicePatterns' must be an array of service file patterns
+
+See: https://securitychecks.ai/docs/configuration
+`.trim(),
+  // PARSE errors
+  [ErrorCodes.PARSE_TYPESCRIPT_ERROR]: `
+A TypeScript file failed to parse. This usually means:
+
+1. The file has syntax errors - run tsc to check
+2. The file uses unsupported TypeScript features
+3. There are missing dependencies
+
+Try:
+  npx tsc --noEmit
+
+If the error persists, exclude the problematic file:
+  exclude: ['path/to/problematic-file.ts']
+`.trim(),
+  [ErrorCodes.PARSE_FILE_NOT_FOUND]: `
+The specified source file doesn't exist. Check:
+
+1. The file path is correct
+2. The file hasn't been moved or deleted
+3. Your include/exclude patterns are correct
+
+Run: ls <path> to verify the file exists.
+`.trim(),
+  [ErrorCodes.PARSE_UNSUPPORTED_SYNTAX]: `
+The file contains syntax that can't be parsed. This may happen with:
+
+- Very new TypeScript/JavaScript features
+- Non-standard syntax extensions
+- Malformed source code
+
+Try excluding the file or updating the parser.
+`.trim(),
+  // CHECK errors
+  [ErrorCodes.CHECK_EXECUTION_ERROR]: `
+An invariant check failed to run. This is usually a bug in scheck.
+
+Please report this issue with:
+1. The full error message (--verbose)
+2. A minimal reproduction
+3. Your Node.js and @securitychecks/cli versions
+
+Report at: https://github.com/securitychecks/securitychecks.ai/issues
+`.trim(),
+  [ErrorCodes.CHECK_TIMEOUT]: `
+An invariant check took too long. This can happen with:
+
+1. Very large codebases
+2. Complex file structures
+3. Slow file system access
+
+Try:
+- Narrowing include patterns to scan fewer files
+- Excluding large generated files
+- Running with --only to check specific invariants
+`.trim(),
+  [ErrorCodes.CHECK_INVARIANT_NOT_FOUND]: `
+The specified invariant ID doesn't exist.
+
+List available invariants:
+  scheck explain --list
+
+Common invariant IDs:
+- AUTHZ.SERVICE_LAYER.ENFORCED
+- WEBHOOK.IDEMPOTENT
+- TRANSACTION.POST_COMMIT.SIDE_EFFECTS
+`.trim(),
+  // IO errors
+  [ErrorCodes.IO_READ_ERROR]: `
+Failed to read a file. Check:
+
+1. The file exists and is readable
+2. You have permission to read the file
+3. The file is not locked by another process
+
+Try: cat <file> to verify readability.
+`.trim(),
+  [ErrorCodes.IO_WRITE_ERROR]: `
+Failed to write a file. Check:
+
+1. The directory exists
+2. You have write permission
+3. There's enough disk space
+4. The file is not locked
+
+Try: touch <file> to verify writability.
+`.trim(),
+  [ErrorCodes.IO_PERMISSION_DENIED]: `
+Permission denied accessing a file or directory.
+
+On Unix/Mac:
+  chmod +r <file>  # Make readable
+  chmod +w <file>  # Make writable
+
+On Windows: Check file properties > Security tab.
+`.trim(),
+  [ErrorCodes.IO_PATH_NOT_FOUND]: `
+The specified path doesn't exist.
+
+Check:
+1. You're in the correct directory
+2. The path is spelled correctly
+3. The directory structure is correct
+
+Run: pwd && ls to verify your location.
+`.trim(),
+  // CLI errors
+  [ErrorCodes.CLI_INVALID_ARGUMENT]: `
+Invalid command-line argument.
+
+Run: scheck --help
+
+Common commands:
+  scheck run              # Run all checks
+  scheck run --ci         # CI mode (fails on P0/P1)
+  scheck explain <id>     # Explain an invariant
+  scheck init             # Initialize configuration
+`.trim(),
+  [ErrorCodes.CLI_MISSING_ARGUMENT]: `
+A required argument is missing.
+
+Check the command syntax:
+  scheck --help
+  scheck <command> --help
+`.trim(),
+  [ErrorCodes.CLI_UNKNOWN_COMMAND]: `
+Unknown command. Available commands:
+
+  run       Run invariant checks
+  init      Initialize configuration
+  explain   Explain an invariant
+  baseline  Manage baseline
+  waive     Waive a finding
+
+Run: scheck --help
+`.trim(),
+  // ARTIFACT errors
+  [ErrorCodes.ARTIFACT_NOT_FOUND]: `
+Artifact file not found.
+
+The artifact file stores collected code facts. Options:
+
+1. Let scheck collect automatically (default):
+   scheck run
+
+2. Collect manually first:
+   npx scc collect -o .securitychecks/artifacts.json
+   scheck run --artifact .securitychecks/artifacts.json
+
+3. Check if file was deleted:
+   ls .securitychecks/
+`.trim(),
+  [ErrorCodes.ARTIFACT_INVALID]: `
+The artifact file is malformed or corrupt.
+
+Common issues:
+- Incomplete JSON (process was killed during write)
+- Modified manually with syntax errors
+- Wrong file format
+
+Fix:
+1. Delete the corrupt artifact:
+   rm .securitychecks/artifacts.json
+
+2. Re-collect:
+   scheck run
+   (or: npx scc collect -o .securitychecks/artifacts.json)
+`.trim(),
+  [ErrorCodes.ARTIFACT_VERSION_MISMATCH]: `
+The artifact was created by an incompatible version.
+
+This happens when:
+- Artifact was created by an older/newer scheck version
+- Artifact schema has changed
+
+Fix:
+1. Delete the old artifact:
+   rm .securitychecks/artifacts.json
+
+2. Re-collect with current version:
+   scheck run
+
+Your current version: scheck --version
+`.trim(),
+  // CLOUD errors
+  [ErrorCodes.CLOUD_AUTH_FAILED]: `
+Authentication failed. Your API key may be invalid or expired.
+
+Fix:
+1. Generate a new API key at https://securitychecks.ai/dashboard/settings/api-keys
+2. Log in again:
+   scheck login
+
+Environment variable:
+  export SECURITYCHECKS_API_KEY=sc_live_...
+`.trim(),
+  [ErrorCodes.CLOUD_PERMISSION_DENIED]: `
+You don't have permission for this action.
+
+Check:
+1. You have access to the project/organization
+2. Your API key has the required scopes
+3. Your subscription is active
+
+Manage at: https://securitychecks.ai/dashboard
+`.trim(),
+  [ErrorCodes.CLOUD_NOT_FOUND]: `
+The requested resource was not found.
+
+Check:
+1. The project slug is correct
+2. The project exists and you have access
+3. The resource ID is valid
+
+List your projects:
+  scheck config --show
+`.trim(),
+  [ErrorCodes.CLOUD_RATE_LIMITED]: `
+You've hit the rate limit. Please try again later.
+
+Options:
+1. Wait a few minutes and retry
+2. Upgrade your plan for higher limits
+
+Plan limits: https://securitychecks.ai/pricing
+`.trim(),
+  [ErrorCodes.CLOUD_API_ERROR]: `
+The SecurityChecks API returned an error.
+
+This could be:
+1. A temporary service issue - try again shortly
+2. An invalid request - check your parameters
+
+Status: https://status.securitychecks.ai
+Help: https://securitychecks.ai/docs/troubleshooting
+`.trim(),
+  [ErrorCodes.CLOUD_NETWORK_ERROR]: `
+Could not connect to SecurityChecks API.
+
+Check:
+1. Your internet connection
+2. Firewall/proxy settings
+3. API endpoint accessibility
+
+Default API: https://api.securitychecks.ai
+`.trim(),
+  [ErrorCodes.CLOUD_INVALID_API_KEY]: `
+The API key format is invalid.
+
+API keys should start with:
+- sc_live_ for production
+- sc_test_ for testing
+
+Get a key at: https://securitychecks.ai/dashboard/settings/api-keys
+`.trim(),
+  [ErrorCodes.AUTH_REQUIRED]: `
+An API key is required to run security checks.
+
+SecurityChecks uses cloud evaluation to protect proprietary patterns.
+Your source code never leaves your machine - only structural facts are sent.
+
+Setup:
+1. Get your API key at https://securitychecks.ai/dashboard/settings/api-keys
+2. Set environment variable:
+   export SECURITYCHECKS_API_KEY=sc_live_...
+
+Or add to securitychecks.config.yaml:
+  calibration:
+    apiKey: sc_live_...
+`.trim(),
+  [ErrorCodes.OFFLINE_NOT_SUPPORTED]: `
+Offline mode is not supported.
+
+SecurityChecks requires cloud evaluation to protect proprietary patterns.
+Your source code never leaves your machine - only structural facts are sent.
+
+Options:
+1. Remove --offline flag and ensure network connectivity
+2. For air-gapped environments, contact sales for an enterprise on-premise license:
+   https://securitychecks.ai/enterprise
+`.trim()
+};
+var CLIError = class _CLIError extends Error {
+  code;
+  details;
+  cause;
+  constructor(code, message, options) {
+    const baseMessage = message ?? ErrorMessages[code];
+    super(baseMessage, { cause: options?.cause });
+    this.name = "CLIError";
+    this.code = code;
+    this.details = options?.details;
+    this.cause = options?.cause;
+    Error.captureStackTrace?.(this, _CLIError);
+  }
+  /**
+   * Get remediation guidance for this error
+   */
+  getRemediation() {
+    return ErrorRemediation[this.code];
+  }
+  /**
+   * Format error for user display
+   */
+  toUserString(verbose = false) {
+    const parts = [`[${this.code}] ${this.message}`];
+    if (verbose && this.details) {
+      parts.push(`
+Details: ${JSON.stringify(this.details, null, 2)}`);
+    }
+    if (verbose && this.cause) {
+      parts.push(`
+Caused by: ${this.cause.message}`);
+      if (this.cause.stack) {
+        parts.push(`
+${this.cause.stack}`);
+      }
+    }
+    return parts.join("");
+  }
+  /**
+   * Format error with remediation for user display
+   */
+  toUserStringWithRemediation() {
+    const parts = [this.toUserString()];
+    const remediation = this.getRemediation();
+    if (remediation) {
+      parts.push("\n\nHow to fix:\n");
+      const indented = remediation.split("\n").map((line) => `  ${line}`).join("\n");
+      parts.push(indented);
+    }
+    return parts.join("");
+  }
+  /**
+   * Format error for JSON output
+   */
+  toJSON() {
+    return {
+      code: this.code,
+      message: this.message,
+      remediation: this.getRemediation(),
+      details: this.details,
+      cause: this.cause ? {
+        message: this.cause.message,
+        stack: this.cause.stack
+      } : void 0
+    };
+  }
+};
+function isCLIError(error) {
+  return error instanceof CLIError;
+}
+function wrapError(error, code, message) {
+  if (error instanceof CLIError) {
+    return error;
+  }
+  const cause = error instanceof Error ? error : new Error(String(error));
+  return new CLIError(code, message, { cause });
+}
+function detectCIContext() {
+  if (process.env["GITHUB_ACTIONS"] === "true") {
+    return detectGitHubActions();
+  }
+  if (process.env["GITLAB_CI"] === "true") {
+    return detectGitLabCI();
+  }
+  if (process.env["CIRCLECI"] === "true") {
+    return detectCircleCI();
+  }
+  if (process.env["JENKINS_URL"]) {
+    return detectJenkins();
+  }
+  return null;
+}
+function detectGitHubActions() {
+  const eventName = process.env["GITHUB_EVENT_NAME"];
+  const isPullRequest = eventName === "pull_request" || eventName === "pull_request_target";
+  const eventPayload = readGitHubEventPayload();
+  let branch;
+  if (isPullRequest) {
+    branch = eventPayload?.pull_request?.head?.ref || process.env["GITHUB_HEAD_REF"];
+  } else {
+    const ref = process.env["GITHUB_REF"] || "";
+    branch = ref.replace(/^refs\/heads\//, "");
+  }
+  const commitSha = isPullRequest ? eventPayload?.pull_request?.head?.sha || process.env["GITHUB_SHA"] : process.env["GITHUB_SHA"];
+  let prNumber;
+  if (isPullRequest) {
+    prNumber = eventPayload?.number;
+    if (!prNumber) {
+      const prRef = process.env["GITHUB_REF"] || "";
+      const match = prRef.match(/refs\/pull\/(\d+)/);
+      if (match && match[1]) {
+        prNumber = parseInt(match[1], 10);
+      }
+    }
+  }
+  return {
+    provider: "github-actions",
+    branch,
+    commitSha,
+    prNumber,
+    repository: process.env["GITHUB_REPOSITORY"],
+    isPullRequest
+  };
+}
+function readGitHubEventPayload() {
+  const eventPath = process.env["GITHUB_EVENT_PATH"];
+  if (!eventPath) {
+    return null;
+  }
+  try {
+    const raw = readFileSync(eventPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function detectGitLabCI() {
+  const mrIid = process.env["CI_MERGE_REQUEST_IID"];
+  const isPullRequest = !!mrIid;
+  let prNumber;
+  if (mrIid) {
+    prNumber = parseInt(mrIid, 10);
+  }
+  return {
+    provider: "gitlab-ci",
+    branch: process.env["CI_COMMIT_REF_NAME"],
+    commitSha: process.env["CI_COMMIT_SHA"],
+    prNumber,
+    repository: process.env["CI_PROJECT_PATH"],
+    isPullRequest
+  };
+}
+function detectCircleCI() {
+  let prNumber;
+  const prUrl = process.env["CIRCLE_PULL_REQUEST"];
+  if (prUrl) {
+    const match = prUrl.match(/\/pull\/(\d+)/);
+    if (match && match[1]) {
+      prNumber = parseInt(match[1], 10);
+    }
+  }
+  return {
+    provider: "circleci",
+    branch: process.env["CIRCLE_BRANCH"],
+    commitSha: process.env["CIRCLE_SHA1"],
+    prNumber,
+    repository: `${process.env["CIRCLE_PROJECT_USERNAME"]}/${process.env["CIRCLE_PROJECT_REPONAME"]}`,
+    isPullRequest: !!prUrl
+  };
+}
+function detectJenkins() {
+  const changeId = process.env["CHANGE_ID"];
+  const isPullRequest = !!changeId;
+  let prNumber;
+  if (changeId) {
+    prNumber = parseInt(changeId, 10);
+  }
+  return {
+    provider: "jenkins",
+    branch: process.env["BRANCH_NAME"] || process.env["GIT_BRANCH"],
+    commitSha: process.env["GIT_COMMIT"],
+    prNumber,
+    isPullRequest
+  };
+}
+function buildHeaders(extra = {}) {
+  const headers = { ...extra };
+  const bypassSecret = process.env["VERCEL_AUTOMATION_BYPASS_SECRET"];
+  if (bypassSecret) {
+    headers["x-vercel-protection-bypass"] = bypassSecret;
+  }
+  return headers;
+}
+function isTruthy(value) {
+  if (!value) return false;
+  return value === "1" || value.toLowerCase() === "true" || value.toLowerCase() === "yes";
+}
+function isCloudEvalAvailable(apiKey) {
+  return !!apiKey;
+}
+function buildEvaluatePayload(artifact, options) {
+  const ciContext = options.ciContext !== void 0 ? options.ciContext : detectCIContext();
+  return {
+    artifact: {
+      version: artifact.version,
+      schemaVersion: artifact.schemaVersion,
+      profile: artifact.profile,
+      extractedAt: artifact.extractedAt,
+      targetPath: artifact.codebase?.root,
+      codebase: {
+        file_count: artifact.codebase?.filesScanned ?? 0,
+        languages: artifact.codebase?.languages ?? []
+      },
+      services: artifact.services,
+      authzCalls: artifact.authzCalls ?? [],
+      cacheOperations: artifact.cacheOperations ?? [],
+      transactionScopes: artifact.transactionScopes ?? [],
+      webhookHandlers: artifact.webhookHandlers ?? [],
+      jobHandlers: artifact.jobHandlers ?? [],
+      membershipMutations: artifact.membershipMutations ?? [],
+      tests: artifact.tests ?? [],
+      routes: artifact.routes ?? [],
+      callGraph: artifact.callGraph,
+      dataFlow: artifact.dataFlows?.flows ?? [],
+      rlsPolicies: artifact.rlsArtifact?.rlsPolicies ?? []
+    },
+    options: {
+      invariants: options.invariants,
+      skip: options.skip,
+      severity: options.severity,
+      projectSlug: options.projectSlug,
+      // CI context for scan association (enables PR comments)
+      branch: ciContext?.branch,
+      commitSha: ciContext?.commitSha,
+      prNumber: ciContext?.prNumber,
+      // Opt-in guard for GitHub PR CI mode to enforce webhook + evaluate env alignment.
+      // This is intentionally gated to avoid breaking standalone CLI workflows that do not use GitHub App webhooks.
+      requireExistingCiScan: ciContext?.provider === "github-actions" && ciContext?.isPullRequest && isTruthy(process.env["SECURITYCHECKS_REQUIRE_EXISTING_CI_SCAN"]) ? true : void 0
+    }
+  };
+}
+async function submitForEvaluation(artifact, options) {
+  const endpoint = `${options.baseUrl}/api/v1/evaluate`;
+  const payload = buildEvaluatePayload(artifact, options);
+  const json = JSON.stringify(payload);
+  const gz = gzipSync(Buffer.from(json, "utf8"));
+  const response = await fetch(endpoint, {
+    method: "POST",
+    headers: buildHeaders({
+      "Content-Type": "application/json",
+      "Content-Encoding": "gzip",
+      Authorization: `Bearer ${options.apiKey}`
+    }),
+    body: gz
+  });
+  if (!response.ok) {
+    const errorBody = await response.json().catch(() => ({}));
+    const serverMessage = errorBody?.message;
+    const errorText = serverMessage ? `${errorBody.error || "Cloud API error"}: ${serverMessage}` : errorBody.error;
+    if (response.status === 401) {
+      throw new CLIError(ErrorCodes.CLOUD_AUTH_FAILED, "Invalid API key. Check your SECURITYCHECKS_API_KEY.");
+    }
+    if (response.status === 413) {
+      throw new CLIError(
+        ErrorCodes.CLOUD_API_ERROR,
+        `Artifact too large. ${errorBody.details || "Contact support if this persists."}`,
+        { details: errorBody.details }
+      );
+    }
+    if (response.status === 429) {
+      const remaining = errorBody.usage?.scansRemaining ?? 0;
+      throw new CLIError(
+        ErrorCodes.CLOUD_RATE_LIMITED,
+        `Monthly scan limit reached (${remaining} remaining). Upgrade at https://securitychecks.ai/pricing`,
+        { details: { scansRemaining: remaining } }
+      );
+    }
+    if (response.status === 503) {
+      throw new CLIError(ErrorCodes.CLOUD_API_ERROR, "Cloud evaluation temporarily unavailable. Try again later.");
+    }
+    throw new CLIError(
+      ErrorCodes.CLOUD_API_ERROR,
+      errorText || `Cloud API error: ${response.status}`,
+      { details: errorBody }
+    );
+  }
+  return await response.json();
+}
+async function pollForResults(scanId, options) {
+  const timeout = options.timeout ?? 3e5;
+  const pollInterval = options.pollInterval ?? 2e3;
+  const startTime = Date.now();
+  while (Date.now() - startTime < timeout) {
+    const response = await fetch(`${options.baseUrl}/api/v1/scans/${scanId}`, {
+      method: "GET",
+      headers: buildHeaders({
+        Authorization: `Bearer ${options.apiKey}`
+      })
+    });
+    if (!response.ok) {
+      if (response.status === 404) {
+        throw new CLIError(ErrorCodes.CLOUD_NOT_FOUND, `Scan ${scanId} not found`);
+      }
+      throw new CLIError(ErrorCodes.CLOUD_API_ERROR, `Failed to get scan status: ${response.status}`);
+    }
+    const scan = await response.json();
+    options.onProgress?.({
+      status: scan.status,
+      message: scan.status === "RUNNING" ? "Evaluating..." : void 0
+    });
+    if (scan.status === "COMPLETED") {
+      return {
+        findings: scan.findings ?? [],
+        stats: scan.stats ?? {
+          invariantsRun: 0,
+          patternsRun: 0,
+          findingsCount: scan.findings?.length ?? 0,
+          executionMs: Date.now() - startTime
+        },
+        usage: scan.usage ?? { scansUsed: 0, scansRemaining: 0 }
+      };
+    }
+    if (scan.status === "FAILED") {
+      throw new CLIError(
+        ErrorCodes.CLOUD_API_ERROR,
+        `Scan failed: ${scan.errorMessage ?? "Unknown error"}`,
+        { details: { scanId, errorMessage: scan.errorMessage } }
+      );
+    }
+    if (scan.status === "CANCELLED") {
+      throw new CLIError(ErrorCodes.CLOUD_API_ERROR, "Scan was cancelled", { details: { scanId } });
+    }
+    await new Promise((resolve) => setTimeout(resolve, pollInterval));
+  }
+  throw new CLIError(
+    ErrorCodes.CHECK_TIMEOUT,
+    `Scan timed out after ${timeout / 1e3}s. Check dashboard for results.`,
+    { details: { timeoutMs: timeout, scanId } }
+  );
+}
+async function evaluateCloud(artifact, options) {
+  const { scanId } = await submitForEvaluation(artifact, options);
+  options.onProgress?.({
+    status: "PENDING",
+    message: "Submitted for evaluation..."
+  });
+  return pollForResults(scanId, options);
+}
+async function checkCloudHealth(baseUrl) {
+  try {
+    const response = await fetch(`${baseUrl}/api/health`, {
+      method: "GET",
+      headers: buildHeaders(),
+      signal: AbortSignal.timeout(5e3)
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+async function getCloudInvariants(baseUrl, apiKey) {
+  const response = await fetch(`${baseUrl}/api/v1/evaluate`, {
+    method: "GET",
+    headers: buildHeaders({
+      Authorization: `Bearer ${apiKey}`
+    })
+  });
+  if (!response.ok) {
+    throw new CLIError(ErrorCodes.CLOUD_API_ERROR, `Failed to fetch invariants: ${response.status}`);
+  }
+  const data = await response.json();
+  return data.invariants;
+}
+
+// src/lib/project-slug.ts
+function getProjectSlug(env = process.env) {
+  const raw = env["SECURITYCHECKS_PROJECT"];
+  const trimmed = raw?.trim();
+  return trimmed ? trimmed : void 0;
+}
+
+// src/audit.ts
+function toArtifact(collectorArtifact) {
+  return {
+    version: "1.0",
+    extractedAt: collectorArtifact.extractedAt,
+    targetPath: collectorArtifact.codebase.root,
+    services: collectorArtifact.services,
+    authzCalls: collectorArtifact.authzCalls ?? [],
+    cacheOperations: collectorArtifact.cacheOperations ?? [],
+    transactionScopes: collectorArtifact.transactionScopes ?? [],
+    webhookHandlers: collectorArtifact.webhookHandlers ?? [],
+    jobHandlers: collectorArtifact.jobHandlers ?? [],
+    membershipMutations: collectorArtifact.membershipMutations ?? [],
+    tests: collectorArtifact.tests ?? [],
+    routes: collectorArtifact.routes ?? [],
+    dataFlows: collectorArtifact.dataFlows,
+    callGraph: collectorArtifact.callGraph
+  };
+}
+async function audit(options = {}) {
+  const startTime = Date.now();
+  const apiKey = getCloudApiKey();
+  if (!apiKey) {
+    throw new CLIError(
+      ErrorCodes.AUTH_REQUIRED,
+      "API key required for scanning",
+      {
+        details: {
+          remediation: `Set SECURITYCHECKS_API_KEY environment variable.
+Get your API key at https://securitychecks.ai/dashboard/settings/api-keys
+
+For air-gapped environments, contact sales@securitychecks.ai for enterprise options.`
+        }
+      }
+    );
+  }
+  const targetPath = resolveTargetPath(options.targetPath);
+  const collectorArtifact = await collect({
+    targetPath,
+    profile: "securitychecks"
+  });
+  const cloudResult = await evaluateCloud(collectorArtifact, {
+    apiKey,
+    baseUrl: getCloudApiBaseUrl(),
+    invariants: options.only,
+    skip: options.skip,
+    projectSlug: getProjectSlug()
+  });
+  const artifact = toArtifact(collectorArtifact);
+  const findings = cloudResult.findings;
+  const byPriority = {
+    P0: findings.filter((f) => f.severity === "P0").length,
+    P1: findings.filter((f) => f.severity === "P1").length,
+    P2: findings.filter((f) => f.severity === "P2").length
+  };
+  const invariantIds = [...new Set(findings.map((f) => f.invariantId))];
+  const results = invariantIds.map((id) => ({
+    invariantId: id,
+    passed: !findings.some((f) => f.invariantId === id),
+    findings: findings.filter((f) => f.invariantId === id),
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    duration: 0
+  }));
+  const passed = results.filter((r) => r.passed).length;
+  const failed = results.filter((r) => !r.passed).length;
+  const waived = findings.filter((f) => f.waived).length;
+  return {
+    version: "1.0",
+    targetPath,
+    runAt: (/* @__PURE__ */ new Date()).toISOString(),
+    duration: Date.now() - startTime,
+    summary: {
+      total: cloudResult.stats.invariantsRun,
+      passed,
+      failed,
+      waived,
+      byPriority
+    },
+    results,
+    artifact
+  };
+}
+var SUPPORTED_SCHEMA_RANGE = {
+  // Minimum version we can consume
+  minMajor: 1,
+  minMinor: 0,
+  // Maximum major version we understand (breaking changes)
+  maxMajor: 1
+};
+function parseSemver(version) {
+  const match = version.match(/^(\d+)\.(\d+)\.(\d+)/);
+  if (!match || !match[1] || !match[2] || !match[3]) return null;
+  return {
+    major: parseInt(match[1], 10),
+    minor: parseInt(match[2], 10),
+    patch: parseInt(match[3], 10)
+  };
+}
+function validateSchemaVersion(artifactSchemaVersion) {
+  const currentVersion = ARTIFACT_SCHEMA_VERSION;
+  const effectiveVersion = artifactSchemaVersion ?? "1.0.0";
+  const parsed = parseSemver(effectiveVersion);
+  if (!parsed) {
+    return {
+      valid: false,
+      artifactVersion: effectiveVersion,
+      currentVersion,
+      error: `Invalid schema version format: "${effectiveVersion}" (expected semver like "1.0.0")`,
+      remediation: "Re-collect artifacts with: npx scc collect -o .securitychecks/artifacts.json"
+    };
+  }
+  const { major, minor } = parsed;
+  if (major > SUPPORTED_SCHEMA_RANGE.maxMajor) {
+    return {
+      valid: false,
+      artifactVersion: effectiveVersion,
+      currentVersion,
+      error: `Artifact schema version ${effectiveVersion} is too new (CLI supports up to ${SUPPORTED_SCHEMA_RANGE.maxMajor}.x.x)`,
+      remediation: `Upgrade scheck: npm install -g @securitychecks/cli@latest`
+    };
+  }
+  if (major < SUPPORTED_SCHEMA_RANGE.minMajor) {
+    return {
+      valid: false,
+      artifactVersion: effectiveVersion,
+      currentVersion,
+      error: `Artifact schema version ${effectiveVersion} is too old (CLI requires ${SUPPORTED_SCHEMA_RANGE.minMajor}.x.x+)`,
+      remediation: "Re-collect artifacts: npx scc collect -o .securitychecks/artifacts.json"
+    };
+  }
+  if (minor < SUPPORTED_SCHEMA_RANGE.minMinor) {
+    return {
+      valid: false,
+      artifactVersion: effectiveVersion,
+      currentVersion,
+      error: `Artifact schema version ${effectiveVersion} is missing required fields (CLI requires ${SUPPORTED_SCHEMA_RANGE.minMajor}.${SUPPORTED_SCHEMA_RANGE.minMinor}.x+)`,
+      remediation: "Re-collect artifacts: npx scc collect -o .securitychecks/artifacts.json"
+    };
+  }
+  return {
+    valid: true,
+    artifactVersion: effectiveVersion,
+    currentVersion
+  };
+}
+function getCurrentSchemaVersion() {
+  return ARTIFACT_SCHEMA_VERSION;
+}
+var ANCHOR_EXTRACTORS = {
+  // Webhook: include provider from context if available
+  "WEBHOOK.IDEMPOTENT": (finding) => {
+    const context = finding.evidence[0]?.context ?? "";
+    const providerMatch = context.match(/^(stripe|github|slack|svix|generic):/i);
+    return {
+      provider: providerMatch?.[1]?.toLowerCase() ?? ""
+    };
+  },
+  // Transaction: include side effect type from message
+  "TRANSACTION.POST_COMMIT.SIDE_EFFECTS": (finding) => {
+    const typeMatch = finding.message.match(/contains (\w+) side effect/i);
+    return {
+      sideEffectType: typeMatch?.[1]?.toLowerCase() ?? ""
+    };
+  },
+  // Membership revocation: include mutation type
+  "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE": (finding) => {
+    const context = finding.evidence[0]?.context ?? "";
+    const mutationMatch = context.match(/mutationType[:\s]+(\w+)/i);
+    return {
+      mutationType: mutationMatch?.[1]?.toLowerCase() ?? ""
+    };
+  },
+  // Keys revocation: include entity type
+  "AUTHZ.KEYS.REVOCATION.IMMEDIATE": (finding) => {
+    const context = finding.evidence[0]?.context ?? "";
+    const entityMatch = context.match(/entity[:\s]+(\w+)/i);
+    return {
+      entity: entityMatch?.[1]?.toLowerCase() ?? ""
+    };
+  }
+};
+function extractIdentityPayload(finding) {
+  const primary = finding.evidence[0];
+  const base = {
+    invariantId: finding.invariantId.toLowerCase(),
+    file: normalizePath(primary?.file ?? ""),
+    symbol: (primary?.symbol ?? "").toLowerCase()
+  };
+  const extractor = ANCHOR_EXTRACTORS[finding.invariantId];
+  if (extractor) {
+    const anchors = extractor(finding);
+    Object.assign(base, anchors);
+  }
+  return base;
+}
+function normalizePath(path) {
+  return path.trim().replace(/\\/g, "/").replace(/^\.\//, "").replace(/^\//, "").toLowerCase();
+}
+function hashPayload(payload) {
+  const keys = Object.keys(payload).sort();
+  const canonical = keys.map((k) => `${k}:${payload[k]}`).join("|");
+  const hash = createHash("sha256").update(canonical).digest("hex");
+  return hash.slice(0, 12);
+}
+function generateFindingId(finding) {
+  const payload = extractIdentityPayload(finding);
+  const hash = hashPayload(payload);
+  return `${finding.invariantId}:${hash}`;
+}
+function attachFindingId(finding) {
+  const findingId2 = generateFindingId(finding);
+  return Object.assign(finding, { findingId: findingId2 });
+}
+function attachFindingIds(findings) {
+  return findings.map(attachFindingId);
+}
+
+// src/baseline/schema.ts
+var BASELINE_SCHEMA_VERSION = "1.0.0";
+var WAIVER_SCHEMA_VERSION = "1.1.0";
+var WAIVER_REASON_KEYS = [
+  "false_positive",
+  "acceptable_risk",
+  "will_fix_later",
+  "not_applicable",
+  "other"
+];
+function isValidWaiverReasonKey(value) {
+  return WAIVER_REASON_KEYS.includes(value);
+}
+var CLI_PACKAGE_NAME = "@securitychecks/cli";
+function getGeneratedBy(version) {
+  return `${CLI_PACKAGE_NAME}@${version}`;
+}
+function createEmptyBaseline(version = "0.0.0") {
+  return {
+    schemaVersion: BASELINE_SCHEMA_VERSION,
+    toolVersion: version,
+    generatedBy: getGeneratedBy(version),
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    entries: {}
+  };
+}
+function createEmptyWaiverFile(version = "0.0.0") {
+  return {
+    schemaVersion: WAIVER_SCHEMA_VERSION,
+    toolVersion: version,
+    generatedBy: getGeneratedBy(version),
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    entries: {}
+  };
+}
+var CLI_VERSION = "0.1.1-rc.1";
+var SCHECK_DIR = ".scheck";
+var BASELINE_FILE = "baseline.json";
+var WAIVER_FILE = "waivers.json";
+function getBaselinePath(rootPath) {
+  return join(rootPath, SCHECK_DIR, BASELINE_FILE);
+}
+function getWaiverPath(rootPath) {
+  return join(rootPath, SCHECK_DIR, WAIVER_FILE);
+}
+async function loadBaseline(rootPath) {
+  const path = getBaselinePath(rootPath);
+  if (!existsSync(path)) {
+    return createEmptyBaseline(CLI_VERSION);
+  }
+  try {
+    const content = await readFile(path, "utf-8");
+    const data = JSON.parse(content);
+    if (!data.schemaVersion) {
+      data.schemaVersion = BASELINE_SCHEMA_VERSION;
+    }
+    if (!data.toolVersion) {
+      data.toolVersion = CLI_VERSION;
+    }
+    if (!data.generatedBy) {
+      data.generatedBy = getGeneratedBy(CLI_VERSION);
+    }
+    return data;
+  } catch {
+    console.warn(`Warning: Could not parse baseline file at ${path}, using empty baseline`);
+    return createEmptyBaseline(CLI_VERSION);
+  }
+}
+async function saveBaseline(rootPath, baseline, collectorSchemaVersion) {
+  const path = getBaselinePath(rootPath);
+  await mkdir(dirname(path), { recursive: true });
+  baseline.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  baseline.toolVersion = CLI_VERSION;
+  baseline.generatedBy = getGeneratedBy(CLI_VERSION);
+  if (collectorSchemaVersion) {
+    baseline.collectorSchemaVersion = collectorSchemaVersion;
+  }
+  const orderedBaseline = {
+    schemaVersion: baseline.schemaVersion,
+    toolVersion: baseline.toolVersion,
+    ...baseline.collectorSchemaVersion ? { collectorSchemaVersion: baseline.collectorSchemaVersion } : {},
+    generatedBy: baseline.generatedBy,
+    updatedAt: baseline.updatedAt,
+    entries: sortEntriesByFindingId(baseline.entries)
+  };
+  await writeFile(path, JSON.stringify(orderedBaseline, null, 2) + "\n", "utf-8");
+}
+function sortEntriesByFindingId(entries) {
+  const sorted = {};
+  const keys = Object.keys(entries).sort();
+  for (const key of keys) {
+    sorted[key] = entries[key];
+  }
+  return sorted;
+}
+function addToBaseline(baseline, findings, notes) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let added = 0;
+  for (const finding of findings) {
+    const findingId2 = generateFindingId(finding);
+    if (!baseline.entries[findingId2]) {
+      baseline.entries[findingId2] = {
+        findingId: findingId2,
+        invariantId: finding.invariantId,
+        file: finding.evidence[0]?.file ?? "",
+        symbol: finding.evidence[0]?.symbol,
+        createdAt: now,
+        lastSeenAt: now,
+        notes
+      };
+      added++;
+    } else {
+      baseline.entries[findingId2].lastSeenAt = now;
+    }
+  }
+  return added;
+}
+function isInBaseline(baseline, finding) {
+  const findingId2 = generateFindingId(finding);
+  return findingId2 in baseline.entries;
+}
+function pruneBaseline(baseline, staleDays = 90) {
+  const cutoff = /* @__PURE__ */ new Date();
+  cutoff.setDate(cutoff.getDate() - staleDays);
+  const cutoffIso = cutoff.toISOString();
+  let removed = 0;
+  for (const [id, entry] of Object.entries(baseline.entries)) {
+    if (entry.lastSeenAt < cutoffIso) {
+      delete baseline.entries[id];
+      removed++;
+    }
+  }
+  return removed;
+}
+async function loadWaivers(rootPath) {
+  const path = getWaiverPath(rootPath);
+  if (!existsSync(path)) {
+    return createEmptyWaiverFile(CLI_VERSION);
+  }
+  try {
+    const content = await readFile(path, "utf-8");
+    const data = JSON.parse(content);
+    if (!data.schemaVersion) {
+      data.schemaVersion = WAIVER_SCHEMA_VERSION;
+    }
+    if (!data.toolVersion) {
+      data.toolVersion = CLI_VERSION;
+    }
+    if (!data.generatedBy) {
+      data.generatedBy = getGeneratedBy(CLI_VERSION);
+    }
+    return data;
+  } catch {
+    console.warn(`Warning: Could not parse waiver file at ${path}, using empty waivers`);
+    return createEmptyWaiverFile(CLI_VERSION);
+  }
+}
+async function saveWaivers(rootPath, waivers) {
+  const path = getWaiverPath(rootPath);
+  await mkdir(dirname(path), { recursive: true });
+  waivers.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  waivers.toolVersion = CLI_VERSION;
+  waivers.generatedBy = getGeneratedBy(CLI_VERSION);
+  const orderedWaivers = {
+    schemaVersion: waivers.schemaVersion,
+    toolVersion: waivers.toolVersion,
+    generatedBy: waivers.generatedBy,
+    updatedAt: waivers.updatedAt,
+    entries: sortEntriesByFindingId(waivers.entries)
+  };
+  await writeFile(path, JSON.stringify(orderedWaivers, null, 2) + "\n", "utf-8");
+}
+function addWaiver(waivers, finding, options) {
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now);
+  expiresAt.setDate(expiresAt.getDate() + options.expiresInDays);
+  const findingId2 = generateFindingId(finding);
+  const entry = {
+    findingId: findingId2,
+    invariantId: finding.invariantId,
+    file: finding.evidence[0]?.file ?? "",
+    symbol: finding.evidence[0]?.symbol,
+    reasonKey: options.reasonKey,
+    reason: options.reason,
+    owner: options.owner,
+    expiresAt: expiresAt.toISOString(),
+    createdAt: now.toISOString()
+  };
+  waivers.entries[findingId2] = entry;
+  return entry;
+}
+function getValidWaiver(waivers, finding) {
+  const findingId2 = generateFindingId(finding);
+  const waiver = waivers.entries[findingId2];
+  if (!waiver) {
+    return void 0;
+  }
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(waiver.expiresAt);
+  if (expiresAt < now) {
+    return void 0;
+  }
+  return waiver;
+}
+function pruneExpiredWaivers(waivers) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let removed = 0;
+  for (const [id, entry] of Object.entries(waivers.entries)) {
+    if (entry.expiresAt < now) {
+      delete waivers.entries[id];
+      removed++;
+    }
+  }
+  return removed;
+}
+function getExpiringWaivers(waivers, withinDays = 7) {
+  const now = /* @__PURE__ */ new Date();
+  const threshold = new Date(now);
+  threshold.setDate(threshold.getDate() + withinDays);
+  const thresholdIso = threshold.toISOString();
+  return Object.values(waivers.entries).filter(
+    (entry) => entry.expiresAt > now.toISOString() && entry.expiresAt <= thresholdIso
+  );
+}
+
+// src/baseline/matcher.ts
+function categorizeFindings(findings, baseline, waivers, failSeverities = ["P0", "P1"]) {
+  const categorized = [];
+  const newFindings = [];
+  const baselinedFindings = [];
+  const waivedFindings = [];
+  for (const finding of findings) {
+    const findingId2 = generateFindingId(finding);
+    const isBaselined = isInBaseline(baseline, finding);
+    const waiver = getValidWaiver(waivers, finding);
+    const isFailSeverity = failSeverities.includes(finding.severity);
+    const shouldFail = isFailSeverity && !isBaselined && !waiver;
+    const categorizedFinding = {
+      ...finding,
+      findingId: findingId2,
+      isBaselined,
+      waiver,
+      shouldFail
+    };
+    categorized.push(categorizedFinding);
+    if (waiver) {
+      waivedFindings.push(categorizedFinding);
+    } else if (isBaselined) {
+      baselinedFindings.push(categorizedFinding);
+    } else {
+      newFindings.push(categorizedFinding);
+    }
+  }
+  return {
+    all: categorized,
+    new: newFindings,
+    baselined: baselinedFindings,
+    waived: waivedFindings,
+    counts: {
+      total: categorized.length,
+      new: newFindings.length,
+      baselined: baselinedFindings.length,
+      waived: waivedFindings.length,
+      willFail: categorized.filter((f) => f.shouldFail).length
+    }
+  };
+}
+function getCIExitCode(result) {
+  return result.counts.willFail > 0 ? 1 : 0;
+}
+function getCISummary(result) {
+  const { counts } = result;
+  if (counts.total === 0) {
+    return "No findings detected.";
+  }
+  const parts = [];
+  if (counts.willFail > 0) {
+    parts.push(`${counts.willFail} new finding(s) require attention`);
+  }
+  if (counts.baselined > 0) {
+    parts.push(`${counts.baselined} baselined`);
+  }
+  if (counts.waived > 0) {
+    parts.push(`${counts.waived} waived`);
+  }
+  if (counts.willFail === 0) {
+    parts.unshift("All findings are baselined or waived");
+  }
+  return parts.join(", ") + ".";
+}
+function resolveCollisions(findings) {
+  const seen = /* @__PURE__ */ new Map();
+  const result = [];
+  for (const finding of findings) {
+    let findingId2 = generateFindingId(finding);
+    const count = seen.get(findingId2) ?? 0;
+    if (count > 0) {
+      const suffix = String.fromCharCode(96 + count);
+      findingId2 = `${findingId2}:${suffix}`;
+    }
+    seen.set(generateFindingId(finding), count + 1);
+    result.push({
+      ...finding,
+      findingId: findingId2
+    });
+  }
+  return result;
+}
+function hasCollisions(findings) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const finding of findings) {
+    const id = generateFindingId(finding);
+    if (ids.has(id)) {
+      return true;
+    }
+    ids.add(id);
+  }
+  return false;
+}
+
+// src/lib/correlation.ts
+var COMPOUNDING_RULES = [
+  // Webhook + Transaction = Replay causes inconsistent state
+  {
+    invariants: ["WEBHOOK.IDEMPOTENT", "TRANSACTION.POST_COMMIT.SIDE_EFFECTS"],
+    effect: {
+      description: "Webhook replay can cause duplicate side effects AND inconsistent database state",
+      riskMultiplier: 2,
+      signals: ["webhook_replay", "transaction_side_effect", "data_inconsistency"]
+    },
+    attackPathTemplate: {
+      title: "Webhook Replay Attack with Data Inconsistency",
+      exploitability: "easy",
+      impact: "high",
+      timeWindow: "Immediate - no time limit on replay"
+    }
+  },
+  // No auth + No service auth = Complete bypass
+  {
+    invariants: ["AUTHZ.SERVICE_LAYER.ENFORCED", "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE"],
+    effect: {
+      description: "Missing service-layer auth combined with delayed revocation allows extended unauthorized access",
+      riskMultiplier: 2.5,
+      signals: ["auth_bypass", "delayed_revocation", "privilege_persistence"]
+    },
+    attackPathTemplate: {
+      title: "Extended Privilege Persistence",
+      exploitability: "medium",
+      impact: "critical",
+      timeWindow: "Until cache expires or session timeout"
+    }
+  },
+  // Cache + Membership revocation = Stale permissions
+  {
+    invariants: ["CACHE.INVALIDATION.ON_AUTH_CHANGE", "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE"],
+    effect: {
+      description: "Membership change without cache invalidation allows continued access via stale cache",
+      riskMultiplier: 2,
+      signals: ["stale_cache", "permission_leak", "revocation_bypass"]
+    },
+    attackPathTemplate: {
+      title: "Stale Permission Cache Exploit",
+      exploitability: "medium",
+      impact: "high",
+      timeWindow: "Cache TTL (often 5-15 minutes)"
+    }
+  },
+  // Transaction + Cache = Inconsistent read after rollback
+  {
+    invariants: ["TRANSACTION.POST_COMMIT.SIDE_EFFECTS", "CACHE.INVALIDATION.ON_AUTH_CHANGE"],
+    effect: {
+      description: "Side effect in transaction + missing cache invalidation can leave cache inconsistent after rollback",
+      riskMultiplier: 1.5,
+      signals: ["rollback_inconsistency", "cache_stale", "side_effect_mismatch"]
+    }
+  },
+  // Billing + Auth = Free tier bypass
+  {
+    invariants: ["BILLING.SERVER_ENFORCED", "AUTHZ.SERVICE_LAYER.ENFORCED"],
+    effect: {
+      description: "Missing billing enforcement + auth gap allows access to paid features without payment",
+      riskMultiplier: 2,
+      signals: ["billing_bypass", "feature_theft", "revenue_loss"]
+    },
+    attackPathTemplate: {
+      title: "Billing Bypass via Auth Gap",
+      exploitability: "medium",
+      impact: "high"
+    }
+  },
+  // Jobs + Transaction = Retry causes duplicate side effects
+  {
+    invariants: ["JOBS.RETRY_SAFE", "TRANSACTION.POST_COMMIT.SIDE_EFFECTS"],
+    effect: {
+      description: "Non-idempotent job with side effects in transaction can cause duplicates on retry",
+      riskMultiplier: 1.8,
+      signals: ["job_retry", "duplicate_side_effect", "data_duplication"]
+    }
+  },
+  // API Key + Cache = Revoked key still works
+  {
+    invariants: ["AUTHZ.KEYS.REVOCATION.IMMEDIATE", "CACHE.INVALIDATION.ON_AUTH_CHANGE"],
+    effect: {
+      description: "API key revocation without cache invalidation allows continued API access",
+      riskMultiplier: 2,
+      signals: ["key_still_valid", "cache_bypass", "api_access_leak"]
+    },
+    attackPathTemplate: {
+      title: "API Key Revocation Bypass",
+      exploitability: "easy",
+      impact: "high",
+      timeWindow: "Until cache expires"
+    }
+  }
+];
+function correlateFindings(results, artifact) {
+  const allFindings = results.flatMap((r) => r.findings);
+  if (allFindings.length === 0) {
+    return {
+      correlations: [],
+      stats: {
+        totalFindings: 0,
+        correlatedFindings: 0,
+        correlationGroups: 0,
+        severityEscalations: 0
+      }
+    };
+  }
+  const groups = groupFindingsByLocation(allFindings);
+  const correlations = [];
+  let severityEscalations = 0;
+  for (const group of groups.values()) {
+    if (group.length < 2) continue;
+    const correlation = findCorrelation(group);
+    if (correlation) {
+      correlations.push(correlation);
+      if (severityToNumber(correlation.adjustedSeverity) > severityToNumber(correlation.primary.severity)) {
+        severityEscalations++;
+      }
+    }
+  }
+  const correlatedFindingIds = /* @__PURE__ */ new Set();
+  for (const c of correlations) {
+    correlatedFindingIds.add(findingId(c.primary));
+    for (const r of c.related) {
+      correlatedFindingIds.add(findingId(r));
+    }
+  }
+  return {
+    correlations,
+    stats: {
+      totalFindings: allFindings.length,
+      correlatedFindings: correlatedFindingIds.size,
+      correlationGroups: correlations.length,
+      severityEscalations
+    }
+  };
+}
+function groupFindingsByLocation(findings) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const evidence = finding.evidence[0];
+    if (!evidence) continue;
+    const key = `${evidence.file}:${evidence.symbol ?? "unknown"}`;
+    if (!groups.has(key)) {
+      groups.set(key, []);
+    }
+    groups.get(key).push(finding);
+  }
+  return groups;
+}
+function findCorrelation(findings, _artifact) {
+  const invariantIds = new Set(findings.map((f) => f.invariantId));
+  let bestMatch = null;
+  let matchCount = 0;
+  for (const rule of COMPOUNDING_RULES) {
+    const matches = rule.invariants.filter((inv) => invariantIds.has(inv));
+    if (matches.length >= 2 && matches.length > matchCount) {
+      bestMatch = rule;
+      matchCount = matches.length;
+    }
+  }
+  if (!bestMatch) {
+    if (findings.length >= 2) {
+      return createGenericCorrelation(findings);
+    }
+    return null;
+  }
+  const matchingFindings = findings.filter(
+    (f) => bestMatch.invariants.includes(f.invariantId)
+  );
+  matchingFindings.sort(
+    (a, b) => severityToNumber(b.severity) - severityToNumber(a.severity)
+  );
+  const primary = matchingFindings[0];
+  const related = matchingFindings.slice(1);
+  const evidence = primary.evidence[0];
+  const sharedContext = {
+    file: evidence?.file,
+    functionName: evidence?.symbol,
+    findingCount: matchingFindings.length
+  };
+  const adjustedSeverity = calculateAdjustedSeverity(
+    primary.severity,
+    bestMatch.effect.riskMultiplier
+  );
+  let attackPath;
+  if (bestMatch.attackPathTemplate) {
+    attackPath = buildAttackPath(
+      bestMatch.attackPathTemplate,
+      matchingFindings
+    );
+  }
+  return {
+    primary,
+    related,
+    sharedContext,
+    compoundingEffect: bestMatch.effect,
+    adjustedSeverity,
+    attackPath
+  };
+}
+function createGenericCorrelation(findings) {
+  findings.sort(
+    (a, b) => severityToNumber(b.severity) - severityToNumber(a.severity)
+  );
+  const primary = findings[0];
+  const related = findings.slice(1);
+  const evidence = primary.evidence[0];
+  return {
+    primary,
+    related,
+    sharedContext: {
+      file: evidence?.file,
+      functionName: evidence?.symbol,
+      findingCount: findings.length
+    },
+    compoundingEffect: {
+      description: `Multiple security issues in the same location (${findings.length} findings)`,
+      riskMultiplier: 1 + (findings.length - 1) * 0.2,
+      signals: findings.map((f) => f.invariantId)
+    },
+    adjustedSeverity: primary.severity
+  };
+}
+function buildAttackPath(template, findings) {
+  const steps = [];
+  for (let i = 0; i < findings.length; i++) {
+    const finding = findings[i];
+    const evidence = finding.evidence[0];
+    steps.push({
+      step: i + 1,
+      description: getAttackStepDescription(finding),
+      invariantId: finding.invariantId,
+      location: evidence ? { file: evidence.file, line: evidence.line } : void 0
+    });
+  }
+  return {
+    ...template,
+    steps
+  };
+}
+function getAttackStepDescription(finding) {
+  const invariant = finding.invariantId;
+  switch (invariant) {
+    case "WEBHOOK.IDEMPOTENT":
+      return "Attacker replays webhook request (no idempotency protection)";
+    case "TRANSACTION.POST_COMMIT.SIDE_EFFECTS":
+      return "Side effect fires inside transaction (may be duplicated or inconsistent)";
+    case "AUTHZ.SERVICE_LAYER.ENFORCED":
+      return "Service function called without authorization check";
+    case "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE":
+      return "Membership/role change does not immediately revoke access";
+    case "AUTHZ.KEYS.REVOCATION.IMMEDIATE":
+      return "API key revocation does not immediately invalidate the key";
+    case "CACHE.INVALIDATION.ON_AUTH_CHANGE":
+      return "Auth change does not invalidate cached permissions";
+    case "BILLING.SERVER_ENFORCED":
+      return "Billing/entitlement check bypassed or missing";
+    case "JOBS.RETRY_SAFE":
+      return "Background job is not idempotent (retry causes duplicates)";
+    default:
+      return finding.message;
+  }
+}
+function severityToNumber(severity) {
+  switch (severity) {
+    case "P0":
+      return 3;
+    case "P1":
+      return 2;
+    case "P2":
+      return 1;
+    default:
+      return 0;
+  }
+}
+function numberToSeverity(num) {
+  if (num >= 3) return "P0";
+  if (num >= 2) return "P1";
+  return "P2";
+}
+function calculateAdjustedSeverity(baseSeverity, multiplier) {
+  const base = severityToNumber(baseSeverity);
+  const adjusted = Math.min(3, Math.ceil(base * multiplier));
+  return numberToSeverity(adjusted);
+}
+function findingId(finding) {
+  const evidence = finding.evidence[0];
+  return `${finding.invariantId}:${evidence?.file ?? "unknown"}:${evidence?.line ?? 0}`;
+}
+function formatCorrelatedFinding(correlation) {
+  const lines = [];
+  const location = correlation.sharedContext.file ? `${correlation.sharedContext.file}:${correlation.sharedContext.functionName ?? "unknown"}` : "Unknown location";
+  lines.push(`
+\u250C\u2500 CORRELATED FINDINGS \u2500 ${location}`);
+  lines.push(`\u2502`);
+  lines.push(`\u2502 [${correlation.adjustedSeverity}] ${correlation.primary.message}`);
+  lines.push(`\u2502     \u2514\u2500 ${correlation.primary.invariantId}`);
+  for (const related of correlation.related) {
+    lines.push(`\u2502 [${related.severity}] ${related.message}`);
+    lines.push(`\u2502     \u2514\u2500 ${related.invariantId}`);
+  }
+  lines.push(`\u2502`);
+  lines.push(`\u2502 \u26A0 Compounding Effect:`);
+  lines.push(`\u2502   ${correlation.compoundingEffect.description}`);
+  lines.push(`\u2502   Risk multiplier: ${correlation.compoundingEffect.riskMultiplier}x`);
+  if (correlation.attackPath) {
+    lines.push(`\u2502`);
+    lines.push(`\u2502 \u{1F3AF} Attack Path: ${correlation.attackPath.title}`);
+    lines.push(`\u2502   Exploitability: ${correlation.attackPath.exploitability}`);
+    lines.push(`\u2502   Impact: ${correlation.attackPath.impact}`);
+    if (correlation.attackPath.timeWindow) {
+      lines.push(`\u2502   Time window: ${correlation.attackPath.timeWindow}`);
+    }
+    lines.push(`\u2502`);
+    for (const step of correlation.attackPath.steps) {
+      lines.push(`\u2502   ${step.step}. ${step.description}`);
+    }
+  }
+  lines.push(`\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+  return lines.join("\n");
+}
+function formatCorrelationStats(result) {
+  const { stats } = result;
+  return `
+Correlation Analysis:
+  Total findings: ${stats.totalFindings}
+  Correlated: ${stats.correlatedFindings} (${Math.round(stats.correlatedFindings / stats.totalFindings * 100)}%)
+  Correlation groups: ${stats.correlationGroups}
+  Severity escalations: ${stats.severityEscalations}
+`.trim();
+}
+var DEFAULT_ENDPOINT = "https://api.securitychecks.ai/v1/correlations";
+function toObservation(correlation, framework) {
+  const allFindings = [correlation.primary, ...correlation.related];
+  const invariants = [...new Set(allFindings.map((f) => f.invariantId))];
+  return {
+    invariants,
+    context: {
+      framework,
+      file: correlation.sharedContext.file,
+      functionName: correlation.sharedContext.functionName,
+      route: correlation.sharedContext.route
+    },
+    stats: {
+      findingCount: correlation.sharedContext.findingCount,
+      severityBefore: correlation.primary.severity,
+      severityAfter: correlation.adjustedSeverity,
+      wasEscalated: correlation.adjustedSeverity !== correlation.primary.severity,
+      riskMultiplier: correlation.compoundingEffect.riskMultiplier
+    },
+    attackPath: correlation.attackPath ? {
+      title: correlation.attackPath.title,
+      exploitability: correlation.attackPath.exploitability,
+      impact: correlation.attackPath.impact,
+      timeWindow: correlation.attackPath.timeWindow,
+      steps: correlation.attackPath.steps
+    } : void 0,
+    compoundingEffect: {
+      description: correlation.compoundingEffect.description,
+      signals: correlation.compoundingEffect.signals
+    },
+    meta: {
+      clientVersion: "0.1.1-rc.1",
+      requestId: randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+async function reportCorrelations(result, config, framework) {
+  if (!config.enabled || result.correlations.length === 0) {
+    return { success: true, stored: 0 };
+  }
+  const endpoint = config.endpoint ?? DEFAULT_ENDPOINT;
+  const timeout = config.timeout ?? 5e3;
+  try {
+    const observations = result.correlations.map((c) => toObservation(c, framework));
+    const payload = {
+      correlations: observations,
+      summary: result.stats,
+      meta: {
+        clientVersion: "0.1.1-rc.1",
+        framework
+      }
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...config.apiKey && { Authorization: `Bearer ${config.apiKey}` },
+          "X-Client-Version": "0.1.1-rc.1"
+        },
+        body: JSON.stringify(payload),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        return { success: false };
+      }
+      const data = await response.json();
+      return {
+        success: true,
+        stored: data.stored ?? observations.length,
+        errors: data.errors ?? 0
+      };
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  } catch (_error) {
+    return { success: false };
+  }
+}
+async function reportCorrelationFeedback(requestId, wasAccurate, reason, config) {
+  const endpoint = config?.endpoint ?? DEFAULT_ENDPOINT;
+  try {
+    const response = await fetch(endpoint, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        ...config?.apiKey && { Authorization: `Bearer ${config.apiKey}` }
+      },
+      body: JSON.stringify({
+        requestId,
+        wasAccurate,
+        feedbackReason: reason
+      })
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+var DEFAULT_ENDPOINT2 = "https://api.securitychecks.ai/v1/telemetry";
+function buildTelemetry(result, options) {
+  const byInvariant = {};
+  for (const checkResult of result.results) {
+    byInvariant[checkResult.invariantId] = checkResult.findings.length;
+  }
+  const ciProvider = detectCIProvider();
+  return {
+    scanId: randomUUID(),
+    codebase: {
+      filesScanned: options.filesScanned,
+      servicesCount: result.artifact.services.length
+    },
+    frameworks: options.frameworks,
+    findings: {
+      byInvariant,
+      byPriority: result.summary.byPriority,
+      total: result.summary.byPriority.P0 + result.summary.byPriority.P1 + result.summary.byPriority.P2
+    },
+    correlation: options.correlation ? {
+      groups: options.correlation.stats.correlationGroups,
+      escalations: options.correlation.stats.severityEscalations,
+      correlatedFindings: options.correlation.stats.correlatedFindings
+    } : void 0,
+    calibration: options.calibratedCount !== void 0 ? {
+      calibrated: options.calibratedCount,
+      suppressed: options.suppressedCount ?? 0
+    } : void 0,
+    patterns: options.patternsApplied !== void 0 ? {
+      applied: options.patternsApplied,
+      findings: options.patternFindings ?? 0
+    } : void 0,
+    meta: {
+      duration: result.duration,
+      clientVersion: "0.1.1-rc.1",
+      mode: options.mode ?? (ciProvider ? "ci" : "manual"),
+      ciProvider
+    },
+    baseline: options.categorization ? {
+      size: options.baselineSize ?? 0,
+      waivers: options.waiversCount ?? 0,
+      newFindings: options.categorization.counts.new
+    } : void 0,
+    feedback: options.categorization ? {
+      waivedCount: options.categorization.counts.waived,
+      waiverReasons: buildWaiverReasonCounts(options.categorization),
+      baselinedCount: options.categorization.counts.baselined
+    } : void 0
+  };
+}
+async function reportTelemetry(telemetry, config) {
+  if (!config.enabled) {
+    return true;
+  }
+  const endpoint = config.endpoint ?? DEFAULT_ENDPOINT2;
+  const timeout = config.timeout ?? 5e3;
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...config.apiKey && { Authorization: `Bearer ${config.apiKey}` },
+          "X-Client-Version": telemetry.meta.clientVersion
+        },
+        body: JSON.stringify(telemetry),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      return response.ok;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  } catch {
+    return false;
+  }
+}
+function buildWaiverReasonCounts(categorization) {
+  const counts = {};
+  for (const finding of categorization.waived) {
+    const waiver = finding.waiver;
+    if (!waiver) continue;
+    const candidate = waiver.reasonKey ?? waiver.reason;
+    const key = candidate && isValidWaiverReasonKey(candidate) ? candidate : "other";
+    counts[key] = (counts[key] ?? 0) + 1;
+  }
+  return counts;
+}
+function detectCIProvider() {
+  if (process.env["GITHUB_ACTIONS"]) return "github";
+  if (process.env["GITLAB_CI"]) return "gitlab";
+  if (process.env["JENKINS_URL"]) return "jenkins";
+  if (process.env["CIRCLECI"]) return "circleci";
+  if (process.env["TRAVIS"]) return "travis";
+  if (process.env["BITBUCKET_BUILD_NUMBER"]) return "bitbucket";
+  if (process.env["AZURE_PIPELINES"]) return "azure";
+  if (process.env["CI"]) return "unknown";
+  return void 0;
+}
+function isTelemetryDisabled() {
+  return process.env["SECURITYCHECKS_TELEMETRY"] === "false" || process.env["DO_NOT_TRACK"] === "1";
+}
+
+// src/lib/calibration.ts
+var AGGREGATE_CALIBRATION_ENDPOINT = "https://api.securitychecks.ai/v1/calibration";
+var AGGREGATE_CACHE_TTL_MS = 60 * 60 * 1e3;
+var aggregateCache = null;
+var aggregateCacheTimestamp = 0;
+async function fetchAggregateCalibration(frameworks, config) {
+  if (!config.enabled) {
+    return { data: null, fromCache: false, error: "Aggregate calibration disabled" };
+  }
+  if (config.cacheEnabled !== false && aggregateCache && Date.now() - aggregateCacheTimestamp < AGGREGATE_CACHE_TTL_MS) {
+    return { data: aggregateCache, fromCache: true };
+  }
+  const endpoint = config.endpoint ?? AGGREGATE_CALIBRATION_ENDPOINT;
+  const timeout = config.timeout ?? 5e3;
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const url = new URL(endpoint);
+      url.searchParams.set("frameworks", frameworks.join(","));
+      const response = await fetch(url.toString(), {
+        method: "GET",
+        headers: {
+          "Accept": "application/json",
+          ...config.apiKey && { Authorization: `Bearer ${config.apiKey}` }
+        },
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        return {
+          data: null,
+          fromCache: false,
+          error: `HTTP ${response.status}: ${response.statusText}`
+        };
+      }
+      const data = await response.json();
+      if (config.cacheEnabled !== false) {
+        aggregateCache = data;
+        aggregateCacheTimestamp = Date.now();
+      }
+      return { data, fromCache: false };
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  } catch (err) {
+    return {
+      data: null,
+      fromCache: false,
+      error: err instanceof Error ? err.message : "Unknown error"
+    };
+  }
+}
+function clearAggregateCache() {
+  aggregateCache = null;
+  aggregateCacheTimestamp = 0;
+}
+function getFrameworkBaseline(calibration, framework) {
+  return calibration.frameworks.find((f) => f.framework === framework);
+}
+function shouldSkipPattern(calibration, patternId, framework, accuracyThreshold = 0.3) {
+  const pattern = calibration.patterns.find(
+    (p) => p.patternId === patternId && (p.framework === framework || p.framework === null)
+  );
+  if (!pattern || pattern.accuracy === null) {
+    return false;
+  }
+  if (pattern.confidence !== "high") {
+    return false;
+  }
+  return pattern.accuracy < accuracyThreshold;
+}
+function getSkippedPatterns(calibration, framework, accuracyThreshold = 0.3) {
+  return calibration.patterns.filter((p) => {
+    if (p.accuracy === null || p.confidence !== "high") {
+      return false;
+    }
+    if (framework && p.framework && p.framework !== framework) {
+      return false;
+    }
+    return p.accuracy < accuracyThreshold;
+  }).map((p) => p.patternId);
+}
+function getVerifiedCorrelations(calibration) {
+  return calibration.correlations.filter((c) => c.isVerified);
+}
+function calculateRelativeSeverity(findingCount, baseline, type = "total") {
+  let avg;
+  switch (type) {
+    case "P0":
+      avg = baseline.avgP0;
+      break;
+    case "P1":
+      avg = baseline.avgP1;
+      break;
+    case "P2":
+      avg = baseline.avgP2;
+      break;
+    default:
+      avg = baseline.avgFindings;
+  }
+  if (avg === 0) {
+    return findingCount > 0 ? "above_average" : "average";
+  }
+  const ratio = findingCount / avg;
+  if (ratio < 0.5) return "below_average";
+  if (ratio < 1.5) return "average";
+  if (ratio < 3) return "above_average";
+  return "critical";
+}
+function formatAggregateCalibrationSummary(calibration, frameworks, findings) {
+  const lines = [];
+  for (const fw of frameworks) {
+    const baseline = getFrameworkBaseline(calibration, fw);
+    if (baseline && baseline.confidence !== "low") {
+      const severity = calculateRelativeSeverity(findings.total, baseline);
+      const avgStr = baseline.avgFindings.toFixed(1);
+      if (severity === "below_average") {
+        lines.push(`${fw}: ${findings.total} findings (${avgStr} avg) - Below average`);
+      } else if (severity === "above_average") {
+        lines.push(`${fw}: ${findings.total} findings (${avgStr} avg) - Above average`);
+      } else if (severity === "critical") {
+        lines.push(`${fw}: ${findings.total} findings (${avgStr} avg) - Significantly above average`);
+      } else {
+        lines.push(`${fw}: ${findings.total} findings (${avgStr} avg) - Typical`);
+      }
+    }
+  }
+  const skipped = getSkippedPatterns(calibration, frameworks[0]);
+  if (skipped.length > 0) {
+    lines.push(`Skipped ${skipped.length} low-accuracy patterns`);
+  }
+  if (calibration.meta.totalScansAnalyzed < 100) {
+    lines.push(`Calibration based on ${calibration.meta.totalScansAnalyzed} scans (limited data)`);
+  }
+  return lines.join("\n");
+}
+function isAggregateCalibrationDisabled() {
+  return process.env["SECURITYCHECKS_CALIBRATION"] === "false";
+}
+
+// src/lib/staff.ts
+function getStaffQuestion(invariantId) {
+  const questions = {
+    "AUTHZ.SERVICE_LAYER.ENFORCED": "What happens when a background job calls this function directly, bypassing the route?",
+    "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE": "If I remove someone from a team right now, can they still access team resources?",
+    "AUTHZ.KEYS.REVOCATION.IMMEDIATE": "If I revoke this API key, does it stop working immediately or is it cached?",
+    "WEBHOOK.IDEMPOTENT": "What happens when Stripe retries this webhook? Will we double-charge the customer?",
+    "WEBHOOK.SIGNATURE.VERIFIED": "Are we verifying webhook signatures before processing any side effects?",
+    "TRANSACTION.POST_COMMIT.SIDE_EFFECTS": "If this transaction rolls back, did we already send an email the user will never receive?",
+    "TESTS.NO_FALSE_CONFIDENCE": "Is this test actually verifying behavior, or just making CI green?",
+    "CACHE.INVALIDATION.ON_AUTH_CHANGE": "When someone loses access, how long until the cache catches up?",
+    "JOBS.RETRY_SAFE": "If this job runs twice, will we have duplicate data or double-bill someone?",
+    "BILLING.SERVER_ENFORCED": "Can someone bypass the paywall by calling the API directly?",
+    "ANALYTICS.SCHEMA.STABLE": "If someone adds a field here, will it break our dashboards?",
+    "DATAFLOW.UNTRUSTED.SQL_QUERY": "Can untrusted input reach a raw SQL/NoSQL query without strict validation?",
+    "DATAFLOW.UNTRUSTED.COMMAND_EXEC": "Can user input make it into exec/spawn/eval and change what runs?",
+    "DATAFLOW.UNTRUSTED.FILE_ACCESS": "Can user input control file paths or write locations here?",
+    "DATAFLOW.UNTRUSTED.RESPONSE": "Can user input drive redirects or HTML output without sanitization?",
+    "SECRETS.HARDCODED": "If this repo were accidentally made public, what credentials would be exposed?",
+    "CRYPTO.ALGORITHM.STRONG": "Is this encryption strong enough for the data it protects?"
+  };
+  return questions[invariantId] ?? null;
+}
+function generateTestSkeleton(invariant, framework, context) {
+  if (!invariant) return "Unknown invariant";
+  const testFn = framework === "jest" ? "test" : framework === "playwright" ? "test" : "it";
+  const describe = framework === "playwright" ? "" : "describe";
+  const wrap = (body) => {
+    if (framework === "playwright") {
+      return body.trim();
+    }
+    return `
+${describe}('${escapeString(invariant.name)}', () => {
+${indent(body.trim(), 2)}
+});
+`.trim();
+  };
+  switch (invariant.id) {
+    case "AUTHZ.SERVICE_LAYER.ENFORCED":
+      return wrap(`
+${testFn}('denies access without valid authorization', async () => {
+  // Arrange: create context without auth
+  const unauthorizedContext = { userId: null, tenantId: null };
+
+  // Act + Assert: service call should throw (or return a forbidden result)
+  await expect(
+    yourService.sensitiveOperation({ context: unauthorizedContext })
+  ).rejects.toThrow(/unauthorized|forbidden/i);
+});
+
+${testFn}('denies access to wrong-tenant resources', async () => {
+  // Arrange: user from tenant-1 trying to access tenant-2 resource
+  const context = { userId: 'user-1', tenantId: 'tenant-1' };
+  const resourceFromOtherTenant = { id: 'resource-1', tenantId: 'tenant-2' };
+
+  // Act + Assert
+  await expect(
+    yourService.getResource({ context, resourceId: resourceFromOtherTenant.id })
+  ).rejects.toThrow(/forbidden|access denied/i);
+});
+`);
+    case "AUTHZ.MEMBERSHIP.REVOCATION.IMMEDIATE":
+      return wrap(`
+${testFn}('denies access immediately after membership removal', async () => {
+  // Arrange: user with team membership
+  const userId = 'user-1';
+  const teamId = 'team-1';
+  await addMemberToTeam(userId, teamId);
+
+  // Act: remove membership
+  await removeMemberFromTeam(userId, teamId);
+
+  // Assert: immediate access denial (no TTL grace period)
+  await expect(accessTeamResource({ userId, teamId })).rejects.toThrow(/forbidden|not a member/i);
+});
+`);
+    case "WEBHOOK.IDEMPOTENT":
+      return wrap(`
+${testFn}('handles duplicate webhook events idempotently', async () => {
+  // Arrange: create a webhook event
+  const event = { id: 'evt_test_123', type: 'payment.succeeded', data: { amount: 1000 } };
+
+  // Act: process the same event twice
+  await processWebhook(event);
+  await processWebhook(event); // duplicate
+
+  // Assert: side effect only happened once
+  const payments = await getPaymentRecords();
+  expect(payments.filter((p: any) => p.eventId === event.id)).toHaveLength(1);
+});
+
+${testFn}('stores event IDs to prevent duplicates', async () => {
+  const event = { id: 'evt_test_456', type: 'payment.succeeded' };
+
+  await processWebhook(event);
+
+  // Verify idempotency key was stored
+  const stored = await getProcessedEventIds();
+  expect(stored).toContain(event.id);
+});
+`);
+    case "TRANSACTION.POST_COMMIT.SIDE_EFFECTS":
+      return wrap(`
+${testFn}('does not send side effects if transaction rolls back', async () => {
+  const emailSpy = vi.spyOn(emailService, 'send');
+
+  // Act: trigger action that should fail and rollback
+  await expect(createOrderWithInvalidData({ /* invalid data causing rollback */ })).rejects.toThrow();
+
+  // Assert: no email was sent
+  expect(emailSpy).not.toHaveBeenCalled();
+});
+
+${testFn}('sends side effects only after successful commit', async () => {
+  const emailSpy = vi.spyOn(emailService, 'send');
+
+  // Act: successful order creation
+  await createOrder({ productId: 'prod-1', quantity: 1 });
+
+  // Assert: email was sent
+  expect(emailSpy).toHaveBeenCalledOnce();
+});
+`);
+    default: {
+      const proof = invariant.requiredProof ? invariant.requiredProof : "(see invariant docs)";
+      const contextLine = context ? `// Context: ${context}` : "";
+      return wrap(`
+${testFn}('enforces ${invariant.id}', async () => {
+  // TODO: implement test for ${invariant.id}
+  // Required proof: ${proof}
+  ${contextLine}
+
+  throw new Error('Test not implemented');
+});
+`);
+    }
+  }
+}
+function indent(text, spaces) {
+  const prefix = " ".repeat(spaces);
+  return text.split("\n").map((line) => line ? `${prefix}${line}` : line).join("\n");
+}
+function escapeString(text) {
+  return text.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
+}
+
+export { BASELINE_SCHEMA_VERSION, CLIError, ErrorCodes, ErrorMessages, ErrorRemediation, SUPPORTED_SCHEMA_RANGE, WAIVER_SCHEMA_VERSION, addToBaseline, addWaiver, attachFindingId, attachFindingIds, audit, buildTelemetry, calculateRelativeSeverity, categorizeFindings, checkCloudHealth, clearAggregateCache, correlateFindings, evaluateCloud, extractIdentityPayload, fetchAggregateCalibration, formatAggregateCalibrationSummary, formatCorrelatedFinding, formatCorrelationStats, generateFindingId, generateTestSkeleton, getCIExitCode, getCISummary, getCloudInvariants, getCurrentSchemaVersion, getExpiringWaivers, getFrameworkBaseline, getSkippedPatterns, getStaffQuestion, getValidWaiver, getVerifiedCorrelations, hasCollisions, isAggregateCalibrationDisabled, isCLIError, isCloudEvalAvailable, isInBaseline, isTelemetryDisabled, loadBaseline, loadWaivers, pruneBaseline, pruneExpiredWaivers, reportCorrelationFeedback, reportCorrelations, reportTelemetry, resolveCollisions, saveBaseline, saveWaivers, shouldSkipPattern, validateSchemaVersion, wrapError };
+//# sourceMappingURL=lib.js.map
+//# sourceMappingURL=lib.js.map