@securitychecks/cli 0.2.2 → 0.3.0

package/dist/lib.d.ts

@@ -1,4 +1,4 @@
-import { AuditResult, Finding, CollectorArtifact, Severity, CheckResult, Artifact } from '@securitychecks/collector';
+import { AuditResult, Finding, CollectorArtifact, Severity, CheckResult, Artifact, InvariantDefinition } from '@securitychecks/collector';
 
 /**
  * Audit API - Programmatic interface for running the staff check
@@ -904,6 +904,16 @@ type InvariantLike = {
  */
 declare function getStaffQuestion(invariantId: string): string | null;
 declare function generateTestSkeleton(invariant: InvariantLike | null | undefined, framework: TestFramework, context?: string): string;
+/**
+ * Generates a structured AI fix prompt from a finding.
+ * Designed to be copy-pasted into any AI coding assistant.
+ */
+declare function generateFixPrompt(invariant: InvariantLike | null | undefined, options?: {
+    file?: string;
+    line?: number;
+    message?: string;
+    framework?: TestFramework;
+}): string;
 
 type Grade = 'A' | 'B' | 'C' | 'F';
 interface ReadinessScore {
@@ -927,4 +937,93 @@ declare function computeReadinessScore(summary: {
 }): ReadinessScore;
 declare function formatScoreForCli(rs: ReadinessScore): string;
 
-export { type AggregateCalibrationConfig, type AggregateCalibrationData, type AggregateCalibrationResult, type AttackPath, type AttackStep, type AuditOptions, BASELINE_SCHEMA_VERSION, type BaselineEntry, type BaselineFile, CLIError, type CategorizationResult, type CategorizedFinding, type CloudEvaluateOptions, type CloudEvaluateResult, type CompoundingEffect, type CorrelatedFinding, type CorrelationResult, type CorrelationStats, type CorrelationTelemetryConfig, type ErrorCode, ErrorCodes, ErrorMessages, ErrorRemediation, type EvaluationProgressCallback, type FrameworkBaseline, type Grade, type InvariantLike, type InvariantStats, type PatternStats, type ReadinessScore, SUPPORTED_SCHEMA_RANGE, type ScanTelemetry, type SchemaValidationResult, type SharedContext, type TelemetryConfig, type TestFramework, WAIVER_SCHEMA_VERSION, type WaiverEntry, type WaiverFile, addToBaseline, addWaiver, attachFindingId, attachFindingIds, audit, buildTelemetry, calculateRelativeSeverity, categorizeFindings, checkCloudHealth, clearAggregateCache, computeReadinessScore, correlateFindings, evaluateCloud, extractIdentityPayload, fetchAggregateCalibration, formatAggregateCalibrationSummary, formatCorrelatedFinding, formatCorrelationStats, formatScoreForCli, generateFindingId, generateTestSkeleton, getCIExitCode, getCISummary, getCloudInvariants, getCurrentSchemaVersion, getExpiringWaivers, getFrameworkBaseline, getScoreGrade, getSkippedPatterns, getStaffQuestion, getValidWaiver, getVerifiedCorrelations, hasCollisions, isAggregateCalibrationDisabled, isCLIError, isCloudEvalAvailable, isInBaseline, isTelemetryDisabled, loadBaseline, loadWaivers, pruneBaseline, pruneExpiredWaivers, reportCorrelationFeedback, reportCorrelations, reportTelemetry, resolveCollisions, saveBaseline, saveWaivers, shouldSkipPattern, validateSchemaVersion, wrapError };
+/**
+ * Posture Report — invariant-by-invariant security posture view.
+ *
+ * Transforms an AuditResult into a posture view showing every invariant
+ * checked, whether it passed, and exportable proof for auditors/CI.
+ */
+
+interface PostureReportEntry {
+    invariantId: string;
+    name: string;
+    category: string;
+    severity: Severity;
+    status: 'passed' | 'failed' | 'skipped';
+    findingCount: number;
+    violations?: Array<{
+        file: string;
+        line: number;
+        message: string;
+    }>;
+}
+interface PostureSummary {
+    invariantsChecked: number;
+    passed: number;
+    failed: number;
+    skipped: number;
+    coveragePercent: number;
+    byCategory: Record<string, {
+        total: number;
+        passed: number;
+        failed: number;
+    }>;
+    bySeverity: Record<string, {
+        total: number;
+        passed: number;
+        failed: number;
+    }>;
+}
+interface PostureProofArtifact {
+    version: '1.0';
+    metadata: {
+        generatedAt: string;
+        generatedBy: string;
+        cliVersion: string;
+        targetPath: string;
+        scanDurationMs: number;
+        filesAnalyzed: number;
+        scope: {
+            totalInvariantsAvailable: number;
+            invariantsChecked: number;
+            onlyFilter?: string[];
+            skipFilter?: string[];
+        };
+    };
+    score: {
+        value: number;
+        grade: string;
+        hasP0: boolean;
+    };
+    summary: PostureSummary;
+    invariants: PostureReportEntry[];
+}
+interface PostureOptions {
+    only?: string[];
+    skip?: string[];
+}
+/**
+ * Build posture entries from an AuditResult + full invariant catalog.
+ *
+ * - Invariants with CheckResults → passed/failed based on findings.
+ * - Invariants not in results → "skipped" (honest about scope).
+ * - Respects --only / --skip filters.
+ */
+declare function buildPostureEntries(result: AuditResult, allInvariants: InvariantDefinition[], options?: PostureOptions): PostureReportEntry[];
+/**
+ * Aggregate posture entries into a summary.
+ */
+declare function computePostureSummary(entries: PostureReportEntry[]): PostureSummary;
+/**
+ * Build the exportable proof artifact (JSON).
+ */
+declare function buildPostureProofArtifact(result: AuditResult, readiness: ReadinessScore, entries: PostureReportEntry[], summary: PostureSummary, allInvariantsCount: number, options?: PostureOptions): PostureProofArtifact;
+/**
+ * Render the posture report to the terminal.
+ *
+ * Grouped by category, severity badges color-coded, PASS/FAIL with count.
+ * No individual violation details — that's what the default view is for.
+ */
+declare function displayPosture(entries: PostureReportEntry[], summary: PostureSummary, readiness: ReadinessScore): void;
+
+export { type AggregateCalibrationConfig, type AggregateCalibrationData, type AggregateCalibrationResult, type AttackPath, type AttackStep, type AuditOptions, BASELINE_SCHEMA_VERSION, type BaselineEntry, type BaselineFile, CLIError, type CategorizationResult, type CategorizedFinding, type CloudEvaluateOptions, type CloudEvaluateResult, type CompoundingEffect, type CorrelatedFinding, type CorrelationResult, type CorrelationStats, type CorrelationTelemetryConfig, type ErrorCode, ErrorCodes, ErrorMessages, ErrorRemediation, type EvaluationProgressCallback, type FrameworkBaseline, type Grade, type InvariantLike, type InvariantStats, type PatternStats, type PostureProofArtifact, type PostureReportEntry, type PostureSummary, type ReadinessScore, SUPPORTED_SCHEMA_RANGE, type ScanTelemetry, type SchemaValidationResult, type SharedContext, type TelemetryConfig, type TestFramework, WAIVER_SCHEMA_VERSION, type WaiverEntry, type WaiverFile, addToBaseline, addWaiver, attachFindingId, attachFindingIds, audit, buildPostureEntries, buildPostureProofArtifact, buildTelemetry, calculateRelativeSeverity, categorizeFindings, checkCloudHealth, clearAggregateCache, computePostureSummary, computeReadinessScore, correlateFindings, displayPosture, evaluateCloud, extractIdentityPayload, fetchAggregateCalibration, formatAggregateCalibrationSummary, formatCorrelatedFinding, formatCorrelationStats, formatScoreForCli, generateFindingId, generateFixPrompt, generateTestSkeleton, getCIExitCode, getCISummary, getCloudInvariants, getCurrentSchemaVersion, getExpiringWaivers, getFrameworkBaseline, getScoreGrade, getSkippedPatterns, getStaffQuestion, getValidWaiver, getVerifiedCorrelations, hasCollisions, isAggregateCalibrationDisabled, isCLIError, isCloudEvalAvailable, isInBaseline, isTelemetryDisabled, loadBaseline, loadWaivers, pruneBaseline, pruneExpiredWaivers, reportCorrelationFeedback, reportCorrelations, reportTelemetry, resolveCollisions, saveBaseline, saveWaivers, shouldSkipPattern, validateSchemaVersion, wrapError };

package/dist/lib.js

@@ -5,7 +5,7 @@ import { homedir } from 'os';
 import { join, dirname } from 'path';
 import { gzipSync } from 'zlib';
 import { randomUUID, createHash } from 'crypto';
-import pc from 'picocolors';
+import pc2 from 'picocolors';
 
 // src/audit.ts
 var CONFIG_DIR = join(homedir(), ".securitychecks");
@@ -1070,7 +1070,7 @@ function createEmptyWaiverFile(version = "0.0.0") {
     entries: {}
   };
 }
-var CLI_VERSION = "0.2.2";
+var CLI_VERSION = "0.3.0";
 var SCHECK_DIR = ".scheck";
 var BASELINE_FILE = "baseline.json";
 var WAIVER_FILE = "waivers.json";
@@ -1448,6 +1448,132 @@ var COMPOUNDING_RULES = [
       impact: "high",
       timeWindow: "Until cache expires"
     }
+  },
+  // SQL Injection + Tenant Isolation = Cross-tenant data access
+  {
+    invariants: ["DATAFLOW.UNTRUSTED.SQL_QUERY", "AUTHZ.TENANT.ISOLATION"],
+    effect: {
+      description: "SQL injection bypasses tenant isolation allowing cross-tenant data exfiltration",
+      riskMultiplier: 3,
+      signals: ["sqli", "tenant_bypass", "cross_tenant_data"]
+    },
+    attackPathTemplate: {
+      title: "Cross-Tenant Data Exfiltration via SQL Injection",
+      exploitability: "medium",
+      impact: "critical"
+    }
+  },
+  // XSS + No HttpOnly Cookie = Session Hijacking
+  {
+    invariants: ["XSS.DOM.SINK", "SESSION.COOKIE.NO_HTTPONLY"],
+    effect: {
+      description: "XSS can steal session cookies when HttpOnly flag is missing, enabling session hijacking",
+      riskMultiplier: 2.3,
+      signals: ["xss", "cookie_theft", "session_hijack"]
+    },
+    attackPathTemplate: {
+      title: "Session Hijacking via XSS Cookie Theft",
+      exploitability: "easy",
+      impact: "critical"
+    }
+  },
+  // IDOR + Missing Service Auth = Enumeration attack
+  {
+    invariants: ["IDOR.SEQUENTIAL_ID", "AUTHZ.SERVICE_LAYER.ENFORCED"],
+    effect: {
+      description: "Sequential IDs make resource enumeration trivial when service-layer auth is missing",
+      riskMultiplier: 2.2,
+      signals: ["idor", "enumeration", "auth_bypass"]
+    },
+    attackPathTemplate: {
+      title: "Resource Enumeration via Sequential IDs",
+      exploitability: "easy",
+      impact: "high"
+    }
+  },
+  // Payment No Idempotency + Race Condition = Double Charges
+  {
+    invariants: ["PAYMENT.NO_IDEMPOTENCY", "RACE.BALANCE_CHECK"],
+    effect: {
+      description: "Non-idempotent payment endpoint + race condition on balance allows double charges and overdraft",
+      riskMultiplier: 2.5,
+      signals: ["double_charge", "race_condition", "overdraft"]
+    },
+    attackPathTemplate: {
+      title: "Double Charge via Payment Race Condition",
+      exploitability: "medium",
+      impact: "critical"
+    }
+  },
+  // MFA Bypass + Password Reset No Expire = Account Takeover
+  {
+    invariants: ["AUTH.MFA_BYPASS", "AUTH.PASSWORD_RESET_NO_EXPIRE"],
+    effect: {
+      description: "MFA bypass combined with non-expiring password reset tokens enables full account takeover",
+      riskMultiplier: 2.8,
+      signals: ["mfa_bypass", "token_reuse", "account_takeover"]
+    },
+    attackPathTemplate: {
+      title: "Account Takeover via MFA Bypass",
+      exploitability: "medium",
+      impact: "critical"
+    }
+  },
+  // Middleware Bypass + Missing Service Auth = Unprotected Access
+  {
+    invariants: ["NEXTJS.MIDDLEWARE_BYPASS", "AUTHZ.SERVICE_LAYER.ENFORCED"],
+    effect: {
+      description: "Middleware bypass combined with missing service-layer auth leaves routes completely unprotected",
+      riskMultiplier: 2.4,
+      signals: ["middleware_bypass", "auth_gap", "unprotected_route"]
+    },
+    attackPathTemplate: {
+      title: "Complete Auth Bypass via Middleware Gap",
+      exploitability: "easy",
+      impact: "critical"
+    }
+  },
+  // Billing + Client Feature Flag = Free Premium Access
+  {
+    invariants: ["BILLING.SERVER_ENFORCED", "FEATURE.FLAG_CLIENT_CONTROLLED"],
+    effect: {
+      description: "Client-controlled feature flags combined with missing server billing enforcement allows free premium access",
+      riskMultiplier: 2.3,
+      signals: ["billing_bypass", "client_flag", "premium_theft"]
+    },
+    attackPathTemplate: {
+      title: "Free Premium Access via Client Feature Flag",
+      exploitability: "easy",
+      impact: "high"
+    }
+  },
+  // XXE + SSRF = Internal Network Compromise
+  {
+    invariants: ["XXE.EXTERNAL_ENTITY", "SSRF.URL"],
+    effect: {
+      description: "XXE enables fetching internal URLs via SSRF, accessing cloud metadata and internal services",
+      riskMultiplier: 3,
+      signals: ["xxe", "ssrf", "internal_access", "metadata_leak"]
+    },
+    attackPathTemplate: {
+      title: "Internal Network Access via XXE-SSRF Chain",
+      exploitability: "medium",
+      impact: "critical"
+    }
+  },
+  // Soft Delete Bypass + IDOR = Accessing Deleted Data
+  {
+    invariants: ["DATA.SOFT_DELETE_BYPASS", "IDOR.SEQUENTIAL_ID"],
+    effect: {
+      description: "Soft-deleted records remain accessible via sequential ID enumeration",
+      riskMultiplier: 2.1,
+      signals: ["soft_delete", "idor", "deleted_data_leak"]
+    },
+    attackPathTemplate: {
+      title: "Deleted Data Access via IDOR Enumeration",
+      exploitability: "easy",
+      impact: "high"
+    }
   }
 ];
 function correlateFindings(results, artifact) {
@@ -1463,9 +1589,10 @@ function correlateFindings(results, artifact) {
       }
     };
   }
-  const groups = groupFindingsByLocation(allFindings);
   const correlations = [];
   let severityEscalations = 0;
+  const usedFindingIds = /* @__PURE__ */ new Set();
+  const groups = groupFindingsByLocation(allFindings);
   for (const group of groups.values()) {
     if (group.length < 2) continue;
     const correlation = findCorrelation(group);
@@ -1474,20 +1601,63 @@ function correlateFindings(results, artifact) {
       if (severityToNumber(correlation.adjustedSeverity) > severityToNumber(correlation.primary.severity)) {
         severityEscalations++;
       }
+      usedFindingIds.add(findingId(correlation.primary));
+      for (const r of correlation.related) {
+        usedFindingIds.add(findingId(r));
+      }
     }
   }
-  const correlatedFindingIds = /* @__PURE__ */ new Set();
-  for (const c of correlations) {
-    correlatedFindingIds.add(findingId(c.primary));
-    for (const r of c.related) {
-      correlatedFindingIds.add(findingId(r));
+  const allInvariantIds = new Set(allFindings.map((f) => f.invariantId));
+  for (const rule of COMPOUNDING_RULES) {
+    const matchedInvariants = rule.invariants.filter((inv) => allInvariantIds.has(inv));
+    if (matchedInvariants.length < 2) continue;
+    const representatives = [];
+    for (const inv of matchedInvariants) {
+      const finding = allFindings.find(
+        (f) => f.invariantId === inv && !usedFindingIds.has(findingId(f))
+      );
+      if (finding) representatives.push(finding);
+    }
+    if (representatives.length < 2) continue;
+    representatives.sort(
+      (a, b) => severityToNumber(b.severity) - severityToNumber(a.severity)
+    );
+    const primary = representatives[0];
+    const related = representatives.slice(1);
+    const evidence = primary.evidence[0];
+    const adjustedSeverity = calculateAdjustedSeverity(
+      primary.severity,
+      rule.effect.riskMultiplier
+    );
+    let attackPath;
+    if (rule.attackPathTemplate) {
+      attackPath = buildAttackPath(rule.attackPathTemplate, representatives);
+    }
+    correlations.push({
+      primary,
+      related,
+      sharedContext: {
+        file: evidence?.file,
+        functionName: evidence?.symbol,
+        findingCount: representatives.length
+      },
+      compoundingEffect: rule.effect,
+      adjustedSeverity,
+      attackPath
+    });
+    if (severityToNumber(adjustedSeverity) > severityToNumber(primary.severity)) {
+      severityEscalations++;
+    }
+    usedFindingIds.add(findingId(primary));
+    for (const r of related) {
+      usedFindingIds.add(findingId(r));
     }
   }
   return {
     correlations,
     stats: {
       totalFindings: allFindings.length,
-      correlatedFindings: correlatedFindingIds.size,
+      correlatedFindings: usedFindingIds.size,
       correlationGroups: correlations.length,
       severityEscalations
     }
@@ -1683,7 +1853,7 @@ function formatCorrelationStats(result) {
   return `
 Correlation Analysis:
   Total findings: ${stats.totalFindings}
-  Correlated: ${stats.correlatedFindings} (${Math.round(stats.correlatedFindings / stats.totalFindings * 100)}%)
+  Correlated: ${stats.correlatedFindings} (${stats.totalFindings > 0 ? Math.round(stats.correlatedFindings / stats.totalFindings * 100) : 0}%)
   Correlation groups: ${stats.correlationGroups}
   Severity escalations: ${stats.severityEscalations}
 `.trim();
@@ -1719,7 +1889,7 @@ function toObservation(correlation, framework) {
       signals: correlation.compoundingEffect.signals
     },
     meta: {
-      clientVersion: "0.2.2",
+      clientVersion: "0.3.0",
       requestId: randomUUID(),
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     }
@@ -1737,7 +1907,7 @@ async function reportCorrelations(result, config, framework) {
       correlations: observations,
       summary: result.stats,
       meta: {
-        clientVersion: "0.2.2",
+        clientVersion: "0.3.0",
         framework
       }
     };
@@ -1749,7 +1919,7 @@ async function reportCorrelations(result, config, framework) {
         headers: {
           "Content-Type": "application/json",
           ...config.apiKey && { Authorization: `Bearer ${config.apiKey}` },
-          "X-Client-Version": "0.2.2"
+          "X-Client-Version": "0.3.0"
         },
         body: JSON.stringify(payload),
         signal: controller.signal
@@ -1825,7 +1995,7 @@ function buildTelemetry(result, options) {
     } : void 0,
     meta: {
       duration: result.duration,
-      clientVersion: "0.2.2",
+      clientVersion: "0.3.0",
       mode: options.mode ?? (ciProvider ? "ci" : "manual"),
       ciProvider
     },
@@ -2056,7 +2226,11 @@ function getStaffQuestion(invariantId) {
     "DATAFLOW.UNTRUSTED.FILE_ACCESS": "Can user input control file paths or write locations here?",
     "DATAFLOW.UNTRUSTED.RESPONSE": "Can user input drive redirects or HTML output without sanitization?",
     "SECRETS.HARDCODED": "If this repo were accidentally made public, what credentials would be exposed?",
-    "CRYPTO.ALGORITHM.STRONG": "Is this encryption strong enough for the data it protects?"
+    "CRYPTO.ALGORITHM.STRONG": "Is this encryption strong enough for the data it protects?",
+    "CONFIG.ENV_HARDCODED": "What happens when this runs in staging vs production?",
+    "CONFIG.HEALTH_CHECK_MISSING": "How does the load balancer know this instance is healthy?",
+    "CONFIG.ERROR_STACK_LEAK": "If this endpoint throws, what does the user see?",
+    "CONFIG.GRACEFUL_SHUTDOWN_MISSING": "What happens to in-flight requests when this pod is terminated?"
   };
   return questions[invariantId] ?? null;
 }
@@ -2159,6 +2333,61 @@ ${testFn}('sends side effects only after successful commit', async () => {
   // Assert: email was sent
   expect(emailSpy).toHaveBeenCalledOnce();
 });
+`);
+    case "CONFIG.ENV_HARDCODED":
+      return wrap(`
+${testFn}('does not contain hardcoded environment values', () => {
+  // Grep source files for hardcoded URLs and connection strings
+  const sourceFiles = getSourceFiles('src/');
+  const hardcodedPatterns = [
+    /localhost:\\d+/,
+    /127\\.0\\.0\\.1:\\d+/,
+    /mongodb:\\/\\//,
+    /postgres:\\/\\//,
+    /redis:\\/\\//,
+  ];
+
+  for (const file of sourceFiles) {
+    for (const pattern of hardcodedPatterns) {
+      expect(file.content).not.toMatch(pattern);
+    }
+  }
+});
+`);
+    case "CONFIG.HEALTH_CHECK_MISSING":
+      return wrap(`
+${testFn}('exposes a health check endpoint', async () => {
+  const response = await request(app).get('/health');
+  expect(response.status).toBe(200);
+});
+`);
+    case "CONFIG.ERROR_STACK_LEAK":
+      return wrap(`
+${testFn}('does not leak stack traces in production errors', async () => {
+  // Arrange: force an internal error
+  const response = await request(app)
+    .get('/api/will-throw')
+    .set('Accept', 'application/json');
+
+  // Assert: response body does not contain stack trace
+  expect(response.body.stack).toBeUndefined();
+  expect(JSON.stringify(response.body)).not.toMatch(/at \\w+\\s*\\(/);
+});
+`);
+    case "CONFIG.GRACEFUL_SHUTDOWN_MISSING":
+      return wrap(`
+${testFn}('handles SIGTERM gracefully', async () => {
+  // Arrange: start server and make in-flight request
+  const server = startServer();
+  const inflightRequest = fetch(server.url + '/slow-endpoint');
+
+  // Act: send SIGTERM
+  process.kill(server.pid, 'SIGTERM');
+
+  // Assert: in-flight request completes successfully
+  const response = await inflightRequest;
+  expect(response.ok).toBe(true);
+});
 `);
     default: {
       const proof = invariant.requiredProof ? invariant.requiredProof : "(see invariant docs)";
@@ -2175,6 +2404,43 @@ ${testFn}('enforces ${invariant.id}', async () => {
     }
   }
 }
+function generateFixPrompt(invariant, options) {
+  if (!invariant) return "Unknown invariant";
+  const framework = options?.framework || "vitest";
+  const severity = invariant.severity || "P1";
+  const staffQuestion = getStaffQuestion(invariant.id);
+  const testSkeleton = generateTestSkeleton(invariant, framework);
+  const lines = [
+    `## Security Issue: ${invariant.name} [${severity}]`,
+    ""
+  ];
+  lines.push("### What was found");
+  if (options?.file) {
+    lines.push(`File: ${options.file}${options.line ? `:${options.line}` : ""}`);
+  }
+  if (options?.message) {
+    lines.push(options.message);
+  }
+  if (!options?.file && !options?.message) {
+    lines.push(`Invariant \`${invariant.id}\` is violated.`);
+  }
+  lines.push("");
+  lines.push("### What's required");
+  lines.push(invariant.requiredProof || `Satisfy the ${invariant.id} invariant.`);
+  lines.push("");
+  if (staffQuestion) {
+    lines.push("### Staff engineer asks");
+    lines.push(`"${staffQuestion}"`);
+    lines.push("");
+  }
+  lines.push("### Test to prove the fix");
+  lines.push("```typescript");
+  lines.push(testSkeleton);
+  lines.push("```");
+  lines.push("");
+  lines.push("Fix the code to satisfy this invariant, then run the test to verify.");
+  return lines.join("\n");
+}
 function indent(text, spaces) {
   const prefix = " ".repeat(spaces);
   return text.split("\n").map((line) => line ? `${prefix}${line}` : line).join("\n");
@@ -2208,10 +2474,159 @@ function computeReadinessScore(summary) {
   };
 }
 function formatScoreForCli(rs) {
-  const gradeColor = rs.grade === "A" ? pc.green : rs.grade === "B" ? pc.yellow : rs.grade === "C" ? pc.red : pc.red;
+  const gradeColor = rs.grade === "A" ? pc2.green : rs.grade === "B" ? pc2.yellow : rs.grade === "C" ? pc2.red : pc2.red;
   return gradeColor(`Score: ${rs.score}/100 (${rs.grade})`);
 }
+function buildPostureEntries(result, allInvariants, options) {
+  let invariantsInScope = allInvariants;
+  if (options?.only && options.only.length > 0) {
+    const onlySet = new Set(options.only);
+    invariantsInScope = invariantsInScope.filter((inv) => onlySet.has(inv.id));
+  }
+  if (options?.skip && options.skip.length > 0) {
+    const skipSet = new Set(options.skip);
+    invariantsInScope = invariantsInScope.filter((inv) => !skipSet.has(inv.id));
+  }
+  const resultMap = /* @__PURE__ */ new Map();
+  for (const r of result.results) {
+    resultMap.set(r.invariantId, r);
+  }
+  return invariantsInScope.map((inv) => {
+    const checkResult = resultMap.get(inv.id);
+    if (!checkResult) {
+      return {
+        invariantId: inv.id,
+        name: inv.name,
+        category: inv.category,
+        severity: inv.severity,
+        status: "skipped",
+        findingCount: 0
+      };
+    }
+    const failed = checkResult.findings.length > 0;
+    const violations = failed ? checkResult.findings.flatMap(
+      (f) => f.evidence.map((e) => ({
+        file: e.file,
+        line: e.line,
+        message: f.message
+      }))
+    ) : void 0;
+    return {
+      invariantId: inv.id,
+      name: inv.name,
+      category: inv.category,
+      severity: inv.severity,
+      status: failed ? "failed" : "passed",
+      findingCount: checkResult.findings.length,
+      violations
+    };
+  });
+}
+function computePostureSummary(entries) {
+  const passed = entries.filter((e) => e.status === "passed").length;
+  const failed = entries.filter((e) => e.status === "failed").length;
+  const skipped = entries.filter((e) => e.status === "skipped").length;
+  const checked = passed + failed;
+  const byCategory = {};
+  const bySeverity = {};
+  for (const entry of entries) {
+    if (!byCategory[entry.category]) {
+      byCategory[entry.category] = { total: 0, passed: 0, failed: 0 };
+    }
+    const cat = byCategory[entry.category];
+    cat.total++;
+    if (entry.status === "passed") cat.passed++;
+    if (entry.status === "failed") cat.failed++;
+    if (!bySeverity[entry.severity]) {
+      bySeverity[entry.severity] = { total: 0, passed: 0, failed: 0 };
+    }
+    const sev = bySeverity[entry.severity];
+    sev.total++;
+    if (entry.status === "passed") sev.passed++;
+    if (entry.status === "failed") sev.failed++;
+  }
+  return {
+    invariantsChecked: checked,
+    passed,
+    failed,
+    skipped,
+    coveragePercent: entries.length > 0 ? Math.round(100 * checked / entries.length) : 0,
+    byCategory,
+    bySeverity
+  };
+}
+function buildPostureProofArtifact(result, readiness, entries, summary, allInvariantsCount, options) {
+  const cliVersion = "0.3.0";
+  const filesAnalyzed = result.artifact?.services?.length ?? 0;
+  return {
+    version: "1.0",
+    metadata: {
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      generatedBy: "securitychecks-cli",
+      cliVersion,
+      targetPath: result.targetPath,
+      scanDurationMs: result.duration,
+      filesAnalyzed,
+      scope: {
+        totalInvariantsAvailable: allInvariantsCount,
+        invariantsChecked: summary.invariantsChecked,
+        ...options?.only && options.only.length > 0 ? { onlyFilter: options.only } : {},
+        ...options?.skip && options.skip.length > 0 ? { skipFilter: options.skip } : {}
+      }
+    },
+    score: {
+      value: readiness.score,
+      grade: readiness.grade,
+      hasP0: readiness.hasP0
+    },
+    summary,
+    invariants: entries
+  };
+}
+function displayPosture(entries, summary, readiness) {
+  console.log(pc2.bold("\nPosture Report\n"));
+  const byCategory = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    if (!byCategory.has(entry.category)) {
+      byCategory.set(entry.category, []);
+    }
+    byCategory.get(entry.category).push(entry);
+  }
+  for (const [category, catEntries] of byCategory) {
+    const checked2 = catEntries.filter((e) => e.status !== "skipped").length;
+    const label = category.charAt(0).toUpperCase() + category.slice(1);
+    console.log(`  ${pc2.bold(label)} (${checked2} checked)`);
+    const severityOrder = { P0: 0, P1: 1, P2: 2 };
+    const sorted = [...catEntries].sort(
+      (a, b) => (severityOrder[a.severity] ?? 3) - (severityOrder[b.severity] ?? 3)
+    );
+    for (const entry of sorted) {
+      const sevColor = entry.severity === "P0" ? pc2.red : entry.severity === "P1" ? pc2.yellow : pc2.dim;
+      const sevBadge = sevColor(`[${entry.severity}]`);
+      const id = entry.invariantId.padEnd(44);
+      if (entry.status === "skipped") {
+        console.log(`    ${sevBadge} ${pc2.dim(id)}${pc2.dim("SKIP")}`);
+      } else if (entry.status === "passed") {
+        console.log(`    ${sevBadge} ${id}${pc2.green("PASS")}`);
+      } else {
+        const count = entry.findingCount;
+        const violationLabel = count === 1 ? "1 violation" : `${count} violations`;
+        console.log(`    ${sevBadge} ${id}${pc2.red("FAIL")}  ${pc2.red(violationLabel)}`);
+      }
+    }
+    console.log("");
+  }
+  const total = entries.length;
+  const checked = summary.invariantsChecked;
+  const coverage = summary.coveragePercent;
+  console.log(`  Checked: ${checked}/${total} invariants (${coverage}%)`);
+  console.log(`  Passed:  ${summary.passed}/${checked}   Failed: ${summary.failed}/${checked}`);
+  console.log("");
+  const gradeColor = readiness.grade === "A" ? pc2.green : readiness.grade === "B" ? pc2.yellow : pc2.red;
+  console.log(`  ${gradeColor(`Score: ${readiness.score}/100 (${readiness.grade})`)}`);
+  console.log("");
+}
 
-export { BASELINE_SCHEMA_VERSION, CLIError, ErrorCodes, ErrorMessages, ErrorRemediation, SUPPORTED_SCHEMA_RANGE, WAIVER_SCHEMA_VERSION, addToBaseline, addWaiver, attachFindingId, attachFindingIds, audit, buildTelemetry, calculateRelativeSeverity, categorizeFindings, checkCloudHealth, clearAggregateCache, computeReadinessScore, correlateFindings, evaluateCloud, extractIdentityPayload, fetchAggregateCalibration, formatAggregateCalibrationSummary, formatCorrelatedFinding, formatCorrelationStats, formatScoreForCli, generateFindingId, generateTestSkeleton, getCIExitCode, getCISummary, getCloudInvariants, getCurrentSchemaVersion, getExpiringWaivers, getFrameworkBaseline, getScoreGrade, getSkippedPatterns, getStaffQuestion, getValidWaiver, getVerifiedCorrelations, hasCollisions, isAggregateCalibrationDisabled, isCLIError, isCloudEvalAvailable, isInBaseline, isTelemetryDisabled, loadBaseline, loadWaivers, pruneBaseline, pruneExpiredWaivers, reportCorrelationFeedback, reportCorrelations, reportTelemetry, resolveCollisions, saveBaseline, saveWaivers, shouldSkipPattern, validateSchemaVersion, wrapError };
+export { BASELINE_SCHEMA_VERSION, CLIError, ErrorCodes, ErrorMessages, ErrorRemediation, SUPPORTED_SCHEMA_RANGE, WAIVER_SCHEMA_VERSION, addToBaseline, addWaiver, attachFindingId, attachFindingIds, audit, buildPostureEntries, buildPostureProofArtifact, buildTelemetry, calculateRelativeSeverity, categorizeFindings, checkCloudHealth, clearAggregateCache, computePostureSummary, computeReadinessScore, correlateFindings, displayPosture, evaluateCloud, extractIdentityPayload, fetchAggregateCalibration, formatAggregateCalibrationSummary, formatCorrelatedFinding, formatCorrelationStats, formatScoreForCli, generateFindingId, generateFixPrompt, generateTestSkeleton, getCIExitCode, getCISummary, getCloudInvariants, getCurrentSchemaVersion, getExpiringWaivers, getFrameworkBaseline, getScoreGrade, getSkippedPatterns, getStaffQuestion, getValidWaiver, getVerifiedCorrelations, hasCollisions, isAggregateCalibrationDisabled, isCLIError, isCloudEvalAvailable, isInBaseline, isTelemetryDisabled, loadBaseline, loadWaivers, pruneBaseline, pruneExpiredWaivers, reportCorrelationFeedback, reportCorrelations, reportTelemetry, resolveCollisions, saveBaseline, saveWaivers, shouldSkipPattern, validateSchemaVersion, wrapError };
 //# sourceMappingURL=lib.js.map
 //# sourceMappingURL=lib.js.map