@snovon/solast 0.2.0

package/dist/cli.js

@@ -0,0 +1,755 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCiSeverityThreshold = parseCiSeverityThreshold;
+exports.getExitCode = getExitCode;
+exports.resolveScanFiles = resolveScanFiles;
+exports.runScanCommand = runScanCommand;
+exports.runScanCommandParallel = runScanCommandParallel;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const commander_1 = require("commander");
+let fpRatesData = {};
+try {
+    fpRatesData = require('./fp-rates.json');
+}
+catch (e) {
+    // Missing FP-rate entry for a rule defaults to native severity without crash
+}
+// Single source of truth for the version: read it from package.json at runtime
+// (dist/cli.js -> ../package.json) so `solast --version` can never drift from
+// the published package. The literal is only a fallback if resolution fails.
+let pkgVersion = '0.1.0';
+try {
+    pkgVersion = require('../package.json').version || pkgVersion;
+}
+catch (e) {
+    // keep the fallback literal above
+}
+const index_1 = require("./index");
+const parallel_scan_1 = require("./parallel-scan");
+const files_1 = require("./dedup/files");
+const registry_1 = require("./registry");
+const sarif_1 = require("./formatters/sarif");
+const text_1 = require("./formatters/text");
+const github_actions_1 = require("./formatters/github-actions");
+const config_1 = require("./config");
+const exit_codes_1 = require("./exit-codes");
+const glob_1 = require("./rules/glob");
+const severity_1 = require("./severity");
+const diff_baseline_1 = require("./identity/diff-baseline");
+function buildScanOptions(options) {
+    const rules = [...(options.rule || [])];
+    const enabledRules = [...(options.enable || [])];
+    const ignorePatterns = [...(options.ignorePattern || [])];
+    const scanOptions = {};
+    if (rules.length > 0)
+        scanOptions.rules = rules;
+    if (enabledRules.length > 0)
+        scanOptions.enabledRules = enabledRules;
+    if (ignorePatterns.length > 0)
+        scanOptions.ignorePatterns = ignorePatterns;
+    if (options.dedup)
+        scanOptions.dedup = true;
+    if (options.tier && options.tier !== 'all')
+        scanOptions.tier = options.tier;
+    // Only forward detectorOptions when non-empty — loadProjectConfig
+    // always returns a `{}` for it, and an empty object would leak into
+    // ScanOptions equality checks (dedup-unit).
+    if (options.detectorOptions && Object.keys(options.detectorOptions).length > 0) {
+        scanOptions.detectorOptions = options.detectorOptions;
+    }
+    return scanOptions;
+}
+function parseSeverityThreshold(value) {
+    if (value === undefined)
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    return severity_1.CANONICAL_SEVERITIES.includes(normalized)
+        ? normalized
+        : undefined;
+}
+function parseCiSeverityThreshold(value) {
+    if (value === undefined)
+        return undefined;
+    const canonical = parseSeverityThreshold(value);
+    if (canonical)
+        return canonical;
+    const normalized = value.trim().toLowerCase();
+    const legacyAliases = {
+        error: 'high',
+        warning: 'medium',
+        note: 'informational',
+        none: 'none',
+    };
+    return legacyAliases[normalized];
+}
+function stripTomlQuotes(value) {
+    const trimmed = value.trim();
+    if ((trimmed.startsWith('"') && trimmed.endsWith('"')) || (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function readCiSeverityThresholdConfig(cwd) {
+    for (const fileName of ['solast.toml', '.solast.toml']) {
+        const file = path.join(cwd, fileName);
+        if (!fs.existsSync(file))
+            continue;
+        const lines = fs.readFileSync(file, 'utf8').split(/\r?\n/);
+        let section = '';
+        for (const rawLine of lines) {
+            const line = rawLine.replace(/\s+#.*$/, '').trim();
+            if (!line)
+                continue;
+            const sectionMatch = line.match(/^\[([^\]]+)\]$/);
+            if (sectionMatch) {
+                section = sectionMatch[1].trim();
+                continue;
+            }
+            if (section !== 'ci')
+                continue;
+            const assignment = line.match(/^([A-Za-z0-9_-]+)\s*=\s*(.+)$/);
+            if (!assignment)
+                continue;
+            if (assignment[1] === 'severity_threshold') {
+                return stripTomlQuotes(assignment[2]);
+            }
+        }
+        return undefined;
+    }
+    return undefined;
+}
+function resolveSeverityThreshold(options, cwd, stderr) {
+    const cliThreshold = options.severityThreshold;
+    if (cliThreshold !== undefined) {
+        const parsed = parseSeverityThreshold(cliThreshold);
+        if (parsed)
+            return { threshold: parsed, filtersOutput: true };
+        stderr(`error: --severity-threshold must be one of: ${severity_1.CANONICAL_SEVERITIES.join(', ')}`);
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    if (!options.ci) {
+        return { threshold: undefined, filtersOutput: false };
+    }
+    const configuredThreshold = readCiSeverityThresholdConfig(cwd);
+    if (configuredThreshold !== undefined) {
+        const parsed = parseCiSeverityThreshold(configuredThreshold);
+        if (parsed === 'none')
+            return { threshold: undefined, filtersOutput: false, ciGateDisabled: true };
+        if (parsed)
+            return { threshold: parsed, filtersOutput: false };
+        stderr(`error: ci.severity_threshold must be one of: ${severity_1.CANONICAL_SEVERITIES.join(', ')}, error, warning, note, none`);
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    // If running in CI mode and no threshold is configured, default to 'high'
+    // (which corresponds to the old 'error' default).
+    if (options.ci) {
+        return { threshold: 'high', filtersOutput: false };
+    }
+    return { threshold: undefined, filtersOutput: false };
+}
+function isUserError(result) {
+    return result.ruleId === 'error' || result.ruleId === 'parse-error';
+}
+// 'scan-error' marks a detector crash (registry.runAll threw): an internal
+// tool failure per the exit-code contract, not a security finding and not a
+// user/input error.
+function isInternalError(result) {
+    return result.ruleId === 'scan-error';
+}
+function isReportableVulnerability(result) {
+    return !isUserError(result) && !isInternalError(result);
+}
+function getExitCode(results) {
+    if (results.some(isInternalError)) {
+        return exit_codes_1.EXIT_CODES.INTERNAL_FAILURE;
+    }
+    if (results.some(isUserError)) {
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    if (results.some(isReportableVulnerability)) {
+        return exit_codes_1.EXIT_CODES.VULNERABILITIES_FOUND;
+    }
+    return exit_codes_1.EXIT_CODES.OK;
+}
+function validateDiffBaselineOptions(options, stderr) {
+    if (options.diffBaseline && options.rule && options.rule.length > 0) {
+        stderr('error: --diff-baseline cannot be combined with --rule');
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    return undefined;
+}
+function validateIgnorePatternOptions(options, stderr) {
+    if (!options.ignorePattern || options.ignorePattern.length === 0)
+        return undefined;
+    const normalized = [];
+    try {
+        for (const pattern of options.ignorePattern) {
+            normalized.push((0, glob_1.validateGlobPattern)(pattern));
+        }
+    }
+    catch (e) {
+        if (e instanceof glob_1.GlobPatternError) {
+            stderr(`error: invalid --ignore-pattern: ${e.message}`);
+        }
+        else {
+            stderr(`error: invalid --ignore-pattern: ${e instanceof Error ? e.message : String(e)}`);
+        }
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    options.ignorePattern = normalized;
+    return undefined;
+}
+function loadScanConfig(cwd, targets, stderr) {
+    try {
+        return (0, config_1.loadProjectConfig)(cwd, targets);
+    }
+    catch (e) {
+        if (e instanceof config_1.ConfigUserError) {
+            stderr(`error: ${e.message}`);
+            return exit_codes_1.EXIT_CODES.USER_ERROR;
+        }
+        const message = e instanceof Error ? e.message : String(e);
+        stderr(`error: could not read SolAST config: ${message}`);
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+}
+function formatNdjson(results, dedupMeta) {
+    const lines = results.map(result => JSON.stringify(scanResultToNdjsonObject(result)));
+    if (dedupMeta && dedupMeta.rawCount !== dedupMeta.uniqueCount) {
+        lines.push(JSON.stringify({ type: 'dedup_summary', dedup_summary: { raw_count: dedupMeta.rawCount, unique_count: dedupMeta.uniqueCount } }));
+    }
+    return lines.join('\n');
+}
+function getIgnoreSuppressionMetadata(results) {
+    return results._ignoreSuppression;
+}
+function applyIgnorePatternFilter(results, options) {
+    if (!options.ignorePattern || options.ignorePattern.length === 0)
+        return results;
+    const meta = getIgnoreSuppressionMetadata(results) || {
+        patterns: options.ignorePattern.slice(),
+        suppressedDetectorIds: inferSuppressedDetectorIds(options),
+        suppressedFindingCount: 0,
+    };
+    results._ignoreSuppression = {
+        patterns: meta.patterns.length > 0 ? meta.patterns : options.ignorePattern.slice(),
+        suppressedDetectorIds: meta.suppressedDetectorIds.slice().sort((a, b) => a.localeCompare(b)),
+        suppressedFindingCount: meta.suppressedFindingCount,
+    };
+    return results;
+}
+function inferSuppressedDetectorIds(options) {
+    if (!options.ignorePattern || options.ignorePattern.length === 0)
+        return [];
+    return (0, registry_1.createDefaultDetectorRegistry)()
+        .ignoredDetectorIds(options.rule, options.enable, options.ignorePattern);
+}
+function emitVerboseIgnoreSuppression(results, options, stderr) {
+    if (!options.verbose)
+        return;
+    const meta = getIgnoreSuppressionMetadata(results);
+    if (!meta || meta.patterns.length === 0)
+        return;
+    const ids = meta.suppressedDetectorIds;
+    stderr(`SolAST: ${ids.length} detector(s) ignored by --ignore-pattern${ids.length > 0 ? `: ${ids.join(', ')}` : ''}`);
+}
+function emitSourceSuppressionDiagnostics(results, stderr) {
+    const diagnostics = results._sourceSuppressionDiagnostics;
+    if (!Array.isArray(diagnostics))
+        return;
+    for (const diagnostic of diagnostics) {
+        if (diagnostic && typeof diagnostic.message === 'string') {
+            stderr(diagnostic.message);
+        }
+    }
+}
+// Per-finding object shape used by formatNdjson for `--format json` NDJSON output.
+function scanResultToNdjsonObject(result) {
+    return {
+        finding_id: result.findingId,
+        file_path: result.file,
+        finding_type: result.ruleId,
+        severity: result.severity,
+        contract_name: result.contractName,
+        function_name: result.functionName,
+        source_location: {
+            line: result.line,
+            column: result.column ?? 0
+        },
+        external_call_node: result.externalCallNode,
+        state_mutation_node: result.stateMutationNode,
+        caller: result.caller,
+        delegate_target: result.delegateTarget,
+        initializer_path: result.initializerPath,
+        message: result.message,
+        contract_hash: result.contractHash,
+        source: result.provenance,
+        tier: result.tier
+    };
+}
+function applyDiffBaselineFilter(findings, options, cwdImpl, stderr) {
+    const cwd = cwdImpl();
+    try {
+        const baselineKeys = (0, diff_baseline_1.loadBaselineKeys)(options.diffBaseline, cwd);
+        return (0, diff_baseline_1.filterNewFindings)(findings, baselineKeys, cwd);
+    }
+    catch (e) {
+        if (e instanceof diff_baseline_1.DiffBaselineUserError) {
+            stderr(`error: ${e.message}`);
+        }
+        else {
+            stderr(`error: could not load diff baseline: ${e instanceof Error ? e.message : String(e)}`);
+        }
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+}
+function emitScanResults(results, options, deps, cwdImpl, stdout, stderr, writeFileImpl) {
+    const formatImpl = deps.formatFindings || text_1.formatFindings;
+    results = applyIgnorePatternFilter(results, options);
+    emitVerboseIgnoreSuppression(results, options, stderr);
+    emitSourceSuppressionDiagnostics(results, stderr);
+    const jsonShorthand = options.json === true;
+    const format = jsonShorthand ? 'json' : (options.format || 'text');
+    const ci = options.ci === true;
+    const quiet = options.quiet === true;
+    for (const r of results) {
+        if (isUserError(r) || isInternalError(r)) {
+            stderr(`error: ${r.file}: ${r.message}`);
+        }
+    }
+    const hasUserErrors = results.some(isUserError);
+    const hasInternalErrors = results.some(isInternalError);
+    if (hasInternalErrors && ci) {
+        return exit_codes_1.EXIT_CODES.INTERNAL_FAILURE;
+    }
+    if (hasUserErrors && ci) {
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    let threshold;
+    const resolved = resolveSeverityThreshold(options, cwdImpl(), stderr);
+    if (typeof resolved === 'number')
+        return resolved;
+    threshold = resolved.threshold;
+    const thresholdFiltersOutput = resolved.filtersOutput;
+    let findings = results.filter(isReportableVulnerability);
+    if (thresholdFiltersOutput) {
+        findings = findings.filter(f => (0, severity_1.atOrAboveThreshold)((0, severity_1.normalizeSeverity)(f.severity), threshold));
+    }
+    const dedupMeta = results._dedup;
+    const ignoreMeta = getIgnoreSuppressionMetadata(results);
+    if (options.diffBaseline) {
+        if (hasUserErrors) {
+            // Don't run diff when the scan itself surfaced a user-level error —
+            // the per-file error messages were already emitted above; treat
+            // the run as a normal user-error exit.
+            return exit_codes_1.EXIT_CODES.USER_ERROR;
+        }
+        const filtered = applyDiffBaselineFilter(findings, options, cwdImpl, stderr);
+        if (typeof filtered === 'number')
+            return filtered;
+        findings = filtered;
+    }
+    // Location-sort findings for deterministic output across all formats
+    // (SARIF also sorts internally); decouples output from registration order.
+    findings = findings.slice().sort((a, b) => a.file.localeCompare(b.file) || (a.line || 0) - (b.line || 0) || (a.column || 0) - (b.column || 0) || a.ruleId.localeCompare(b.ruleId));
+    // Note: per-file parse errors do NOT blank the report — findings from
+    // files that parsed are still emitted (the run still exits USER_ERROR).
+    // Suppressing the whole report because one vendored/exotic file failed
+    // to parse silently destroyed results for every other file.
+    const isCleanDiffBaseline = options.diffBaseline && findings.length === 0;
+    const output = isCleanDiffBaseline && format !== 'sarif'
+        ? ''
+        : format === 'json'
+            ? formatNdjson(findings, options.diffBaseline ? undefined : dedupMeta)
+            : format === 'sarif'
+                ? (0, sarif_1.formatSarif)(findings, {
+                    rootDir: cwdImpl(),
+                    fpThresholdPct: options.fpThreshold,
+                    fpRates: fpRatesData,
+                    severityOverrides: options.severityOverrides,
+                    sarifSeverityTuning: options.sarifSeverityTuning,
+                })
+                : formatImpl(findings, {
+                    cwd: cwdImpl(),
+                    color: options.color === false ? 'never' : 'auto',
+                    stdoutIsTTY: Boolean(process.stdout.isTTY),
+                    env: process.env,
+                    rawCount: dedupMeta?.rawCount,
+                    uniqueCount: dedupMeta?.uniqueCount,
+                    dedupActive: Boolean(dedupMeta),
+                    suppressedDetectorCount: ignoreMeta?.suppressedDetectorIds.length,
+                });
+    const emittedOutput = ci && format === 'text' ? '' : output;
+    if (options.output) {
+        try {
+            // --output always receives the full formatted report; CI mode only
+            // suppresses the stdout copy (annotations still go to stdout below).
+            writeFileImpl(options.output, output ? `${output}\n` : '');
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            stderr(`error: could not write output file '${options.output}': ${message}`);
+            return exit_codes_1.EXIT_CODES.USER_ERROR;
+        }
+    }
+    else if (quiet) {
+        // --quiet silences stdout for all formats (text/json/sarif).
+        // The exit code still gates the run; text mode keeps a one-line stderr
+        // breadcrumb so a non-CI caller knows why the run failed.
+        if (findings.length > 0 && format === 'text' && !ci) {
+            stderr(`SolAST: ${findings.length} finding(s) blocked the run — re-run without --quiet for details`);
+        }
+    }
+    else {
+        if (emittedOutput) {
+            stdout(emittedOutput);
+        }
+    }
+    if (ci && threshold) {
+        const shouldEmitGithubAnnotations = !quiet && format === 'text';
+        const gatedFindings = findings.filter(f => (0, severity_1.atOrAboveThreshold)((0, severity_1.normalizeSeverity)(f.severity), threshold));
+        for (const finding of gatedFindings) {
+            const level = (0, sarif_1.sarifLevelForFinding)(finding, {
+                fpThresholdPct: options.fpThreshold,
+                fpRates: fpRatesData,
+                severityOverrides: options.severityOverrides,
+                sarifSeverityTuning: options.sarifSeverityTuning,
+            });
+            if (shouldEmitGithubAnnotations && level === 'error') {
+                stdout((0, github_actions_1.formatGithubActionsAnnotation)(finding, level, cwdImpl()));
+            }
+        }
+        // We only stderr if ciCount > 0 or if we want to keep the breadcrumb.
+        // Let's just output the breadcrumb like it used to.
+        const ciCount = gatedFindings.length;
+        stderr(`${ciCount} findings ≥ ${threshold}`);
+        return ciCount > 0 ? exit_codes_1.EXIT_CODES.VULNERABILITIES_FOUND : exit_codes_1.EXIT_CODES.OK;
+    }
+    if (ci && resolved.ciGateDisabled) {
+        stderr('0 findings ≥ none');
+        return exit_codes_1.EXIT_CODES.OK;
+    }
+    if (hasInternalErrors) {
+        return exit_codes_1.EXIT_CODES.INTERNAL_FAILURE;
+    }
+    if (hasUserErrors) {
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    return findings.length > 0 ? exit_codes_1.EXIT_CODES.VULNERABILITIES_FOUND : exit_codes_1.EXIT_CODES.OK;
+}
+function collectSolidityFiles(dir) {
+    const files = [];
+    const entries = fs.readdirSync(dir).sort((a, b) => a.localeCompare(b));
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry);
+        let stat;
+        try {
+            stat = fs.statSync(fullPath);
+        }
+        catch {
+            // Broken symlink or unreadable entry (common under node_modules/.bin
+            // and pnpm layouts) — skip it instead of aborting the whole scan.
+            continue;
+        }
+        if (stat.isDirectory()) {
+            files.push(...collectSolidityFiles(fullPath));
+        }
+        else if (stat.isFile() && entry.endsWith('.sol')) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+function resolveScanFiles(inputPaths) {
+    const paths = Array.isArray(inputPaths) ? inputPaths : [inputPaths];
+    const discovered = new Map();
+    for (const inputPath of paths) {
+        let realPath;
+        let stat;
+        try {
+            realPath = fs.realpathSync(inputPath);
+            stat = fs.statSync(realPath);
+        }
+        catch (e) {
+            throw new Error(`Path not found: ${inputPath}`);
+        }
+        if (stat.isDirectory()) {
+            const files = collectSolidityFiles(realPath);
+            if (files.length === 0) {
+                throw new Error(`No Solidity files found in directory: ${inputPath}`);
+            }
+            for (const file of files) {
+                discovered.set(path.resolve(file), file);
+            }
+        }
+        else if (stat.isFile()) {
+            if (!realPath.endsWith('.sol')) {
+                throw new Error(`Not a Solidity file: ${inputPath}`);
+            }
+            discovered.set(path.resolve(realPath), realPath);
+        }
+        else {
+            throw new Error(`Path is not a file or directory: ${inputPath}`);
+        }
+    }
+    return [...discovered.values()].sort((a, b) => a.localeCompare(b));
+}
+function runScanCommand(targetPath, options = {}, deps = {}) {
+    const discoverImpl = deps.discoverFiles || index_1.discoverFiles;
+    const scanFilesImpl = deps.scanFiles || index_1.scanFiles;
+    const cwdImpl = deps.cwd || (() => process.cwd());
+    const stdout = deps.stdout || ((message) => process.stdout.write(`${message}\n`));
+    const stderr = deps.stderr || console.error;
+    const writeFileImpl = deps.writeFile || ((p, c) => fs.writeFileSync(p, c));
+    const paths = Array.isArray(targetPath) ? targetPath : [targetPath];
+    const jsonShorthand = options.json === true;
+    const format = jsonShorthand ? 'json' : (options.format || 'text');
+    const ci = options.ci === true;
+    const quiet = options.quiet === true;
+    // Machine-readable formats must not interleave human-friendly
+    // discovery messages on stderr: a non-empty stderr breaks shell
+    // scripts that assert empty error streams on a clean run.
+    const suppressDiscoveryMessage = ci || quiet || format === 'json' || format === 'sarif' || Boolean(options.diffBaseline);
+    if (paths.length === 0) {
+        stderr('error: missing required path argument');
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    const diffBaselineOptionError = validateDiffBaselineOptions(options, stderr);
+    if (diffBaselineOptionError !== undefined)
+        return diffBaselineOptionError;
+    const ignorePatternOptionError = validateIgnorePatternOptions(options, stderr);
+    if (ignorePatternOptionError !== undefined)
+        return ignorePatternOptionError;
+    const scanOptions = buildScanOptions(options);
+    const configResult = loadScanConfig(cwdImpl(), paths, stderr);
+    if (typeof configResult === 'number')
+        return configResult;
+    options = { ...options, severityOverrides: configResult.severityOverrides, detectorOptions: configResult.detectorOptions };
+    // `scanOptions` was built from `options` before the project config
+    // was loaded, so per-detector options from .solast.yml have to be
+    // folded in here — without this the detectorOptions never reach the
+    // registry and a configured detector silently runs with its defaults.
+    // Guard on non-empty: loadProjectConfig always returns a `{}`, which
+    // would otherwise leak into ScanOptions equality checks.
+    if (configResult.detectorOptions && Object.keys(configResult.detectorOptions).length > 0) {
+        scanOptions.detectorOptions = configResult.detectorOptions;
+    }
+    let results;
+    try {
+        if (deps.scan) {
+            if (deps.discoverFiles) {
+                const files = discoverImpl(paths);
+                if (!suppressDiscoveryMessage)
+                    stderr(`Discovered ${files.length} Solidity file(s).`);
+            }
+            results = deps.scan(paths, scanOptions);
+        }
+        else {
+            let files;
+            try {
+                files = deps.discoverFiles ? discoverImpl(paths) : resolveScanFiles(paths);
+            }
+            catch (e) {
+                const message = e instanceof Error ? e.message : String(e);
+                stderr(`error: ${message}`);
+                return exit_codes_1.EXIT_CODES.USER_ERROR;
+            }
+            if (!deps.scanFiles)
+                files = (0, files_1.deduplicateFilesByContent)(files);
+            if (!suppressDiscoveryMessage)
+                stderr(`Discovered ${files.length} Solidity file(s).`);
+            results = scanFilesImpl(files, scanOptions);
+        }
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        stderr(`SolAST internal error: ${message}`);
+        return exit_codes_1.EXIT_CODES.INTERNAL_FAILURE;
+    }
+    return emitScanResults(results, options, deps, cwdImpl, stdout, stderr, writeFileImpl);
+}
+/**
+ * Async sibling of `runScanCommand` that runs the scan across a worker
+ * thread pool when `options.workers > 1`. Falls through to the sync
+ * `runScanCommand` whenever the worker count is 0/1 or the file count
+ * is below the threshold inside `scanFilesParallel`. The CLI binding
+ * routes here when the user passes `--workers <n>`; everything else
+ * keeps the existing synchronous code path so this PR doesn't perturb
+ * behaviour for callers that don't opt in.
+ */
+async function runScanCommandParallel(targetPath, options = {}, deps = {}) {
+    const workerCount = (0, parallel_scan_1.resolveWorkerCount)(options.workers);
+    const discoverImpl = deps.discoverFiles || index_1.discoverFiles;
+    const cwdImpl = deps.cwd || (() => process.cwd());
+    const stdout = deps.stdout || ((message) => process.stdout.write(`${message}\n`));
+    const stderr = deps.stderr || console.error;
+    const writeFileImpl = deps.writeFile || ((p, c) => fs.writeFileSync(p, c));
+    const paths = Array.isArray(targetPath) ? targetPath : [targetPath];
+    const jsonShorthand = options.json === true;
+    const format = jsonShorthand ? 'json' : (options.format || 'text');
+    const ci = options.ci === true;
+    const quiet = options.quiet === true;
+    let scanOptions = buildScanOptions(options);
+    const suppressDiscoveryMessage = ci || quiet || format === 'json' || format === 'sarif' || Boolean(options.diffBaseline);
+    if (paths.length === 0) {
+        stderr('error: missing required path argument');
+        return exit_codes_1.EXIT_CODES.USER_ERROR;
+    }
+    const diffBaselineOptionError = validateDiffBaselineOptions(options, stderr);
+    if (diffBaselineOptionError !== undefined)
+        return diffBaselineOptionError;
+    const ignorePatternOptionError = validateIgnorePatternOptions(options, stderr);
+    if (ignorePatternOptionError !== undefined)
+        return ignorePatternOptionError;
+    const configResult = loadScanConfig(cwdImpl(), paths, stderr);
+    if (typeof configResult === 'number')
+        return configResult;
+    options = { ...options, severityOverrides: configResult.severityOverrides, detectorOptions: configResult.detectorOptions };
+    let results;
+    try {
+        scanOptions = buildScanOptions(options);
+        let files;
+        try {
+            files = deps.discoverFiles ? discoverImpl(paths) : resolveScanFiles(paths);
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            stderr(`error: ${message}`);
+            return exit_codes_1.EXIT_CODES.USER_ERROR;
+        }
+        files = (0, files_1.deduplicateFilesByContent)(files);
+        if (!suppressDiscoveryMessage)
+            stderr(`Discovered ${files.length} Solidity file(s).`);
+        // The dispatcher gates on `files.length >= workerCount * minFilesPerWorker`
+        // and falls through to the sync `scanFiles` when the file set is
+        // too small to amortise worker startup. That keeps the behaviour
+        // stable for tiny scans even if the user explicitly asked for
+        // workers.
+        if (workerCount <= 1) {
+            results = (0, index_1.scanFiles)(files, scanOptions);
+        }
+        else {
+            results = await (0, parallel_scan_1.scanFilesParallel)(files, { ...scanOptions, workerCount });
+        }
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        stderr(`SolAST internal error: ${message}`);
+        return exit_codes_1.EXIT_CODES.INTERNAL_FAILURE;
+    }
+    return emitScanResults(results, options, deps, cwdImpl, stdout, stderr, writeFileImpl);
+}
+const program = new commander_1.Command();
+program.enablePositionalOptions();
+program
+    .name('solast')
+    .description('Static analysis CLI for Solidity smart contracts')
+    .version(pkgVersion)
+    .showHelpAfterError()
+    .argument('[paths...]', 'path(s) to .sol files or directories of .sol files')
+    .action(async (paths, options) => {
+    process.exitCode = await runScanCommandParallel(paths, { ...options, format: 'text' });
+});
+program
+    .command('scan')
+    .description('Scan Solidity files for known issues')
+    .argument('[paths...]', 'path(s) to .sol files or directories of .sol files')
+    .addOption(new commander_1.Option('--format <format>', 'output format: text severity report, json NDJSON, or sarif 2.1.0; severities are critical, high, medium, low, informational').choices(['text', 'json', 'sarif']).default('text'))
+    .option('--ci', 'run in CI mode: keep the selected output format and gate the exit code by SARIF severity threshold')
+    .option('--severity-threshold <level>', 'filter findings below this severity (critical, high, medium, low, informational)')
+    .option('--output <file>', 'write findings to a file instead of stdout')
+    .option('--no-color', 'suppress ANSI severity colors in text output')
+    .option('--quiet', 'silence stdout and discovery messages; on findings, exit 1 with a one-line stderr summary (intended for editor and Foundry pre-test integration)')
+    .option('--json', 'shorthand for --format json with discovery messages suppressed; output is one NDJSON object per finding')
+    .option('--tier <tier>', 'restrict scan to a rule tier (core, extended, all)', value => {
+    if (!['core', 'extended', 'all'].includes(value)) {
+        process.stderr.write('error: --tier must be one of core, extended, all\n');
+        process.exit(exit_codes_1.EXIT_CODES.USER_ERROR);
+    }
+    return value;
+}, 'all')
+    .option('--rule <rule_id>', 'restrict scan to a rule id; repeat for multiple rules (e.g. --rule classic-reentrancy --rule check-effects-interactions)', (value, previous) => (previous || []).concat(value))
+    .option('--ignore-pattern <glob>', 'exclude detectors whose rule id matches this glob from execution; repeat for multiple ephemeral ignore patterns', (value, previous) => (previous || []).concat(value))
+    .option('--enable <rule_id>', 'enable an opt-in detector by rule id; repeat for multiple opt-in rules (e.g. --enable fhe-state-leakage)', (value, previous) => (previous || []).concat(value))
+    .option('--verbose', 'print additional scan diagnostics to stderr')
+    .option('--dedup', 'also deduplicate overlapping findings from bridge/cross-chain detectors using the shared rule-deduplication engine; content-identical Solidity files are always scanned once')
+    .option('--fp-threshold <pct>', 'dynamic severity downgrade threshold for noisy rules (default: 5). 0 disables downgrading.', value => {
+    const n = Number.parseFloat(value);
+    if (!Number.isFinite(n) || n < 0 || n > 100) {
+        process.stderr.write('error: --fp-threshold must be a number between 0 and 100\n');
+        process.exit(exit_codes_1.EXIT_CODES.USER_ERROR);
+    }
+    return n;
+})
+    .option('--sarif-severity-tuning <state>', 'enable or disable FP-rate based SARIF severity tuning (default: on)', value => {
+    if (value !== 'on' && value !== 'off') {
+        process.stderr.write('error: --sarif-severity-tuning must be one of: on, off\n');
+        process.exit(exit_codes_1.EXIT_CODES.USER_ERROR);
+    }
+    return value === 'on';
+}, true)
+    .option('--workers <n>', 'spread the scan across N worker_threads (clamped to CPU count, capped at 32). Threshold-gated: small file sets fall through to the synchronous path so worker startup never costs more than the parallelism saves.', value => {
+    if (!/^\d+$/.test(value.trim())) {
+        process.stderr.write('error: --workers must be a non-negative integer\n');
+        process.exit(exit_codes_1.EXIT_CODES.USER_ERROR);
+    }
+    return Number.parseInt(value, 10);
+})
+    .option('--diff-baseline <path>', 'CI regression detection: compare the current scan against a checked-in SolAST NDJSON baseline and emit only net-new findings. Exits 1 only if new findings are present; cannot be combined with --rule.')
+    .addHelpText('after', `
+
+Example:
+  $ solast scan --ci --severity-threshold high <path>
+  $ solast scan --workers 8 contracts/
+`)
+    .action(async (paths, options, command) => {
+    if (paths.length === 0) {
+        process.stderr.write('error: missing required path argument\n');
+        process.exitCode = exit_codes_1.EXIT_CODES.USER_ERROR;
+        return;
+    }
+    // Always go through the parallel adapter so a `--workers <n>` flag
+    // takes effect; the adapter is a thin wrapper that delegates to
+    // the synchronous `runScanCommand` whenever workers are 0/1 or
+    // the file set is too small to amortise worker startup.
+    process.exitCode = await runScanCommandParallel(paths, options);
+});
+if (require.main === module) {
+    program.parse();
+}
+//# sourceMappingURL=cli.js.map