@toolbaux/guardian 0.1.0

package/dist/commands/security-boundary-auditor.js

@@ -0,0 +1,359 @@
+/**
+ * FEATURE 6: SECURITY BOUNDARY AUDITOR
+ *
+ * Identify potential security violations:
+ * - Unauthorized access patterns
+ * - Missing authentication checks
+ * - Data leakage across service boundaries
+ * - Credential exposure
+ *
+ * Benchmarking: High complexity
+ * Problem Domain: Security, Access Control, Compliance
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+/**
+ * Main function: Audit security boundaries
+ */
+export async function auditSecurityBoundaries(options) {
+    const { srcRoot, output, checkCredentials = true, checkSqlInjection = true, checkAuthentication = true, } = options;
+    const sourceFiles = await scanSourceFiles(srcRoot);
+    const issues = [];
+    // Run all security checks
+    if (checkCredentials) {
+        issues.push(...checkExposedCredentials(sourceFiles));
+    }
+    if (checkAuthentication) {
+        issues.push(...checkMissingAuthentication(sourceFiles));
+    }
+    if (checkSqlInjection) {
+        issues.push(...checkSqlInjectionRisks(sourceFiles));
+    }
+    issues.push(...checkDataLeakage(sourceFiles));
+    issues.push(...checkUnauthorizedAccess(sourceFiles));
+    // Identify security boundaries
+    const boundaries = identifySecurityBoundaries(sourceFiles, issues);
+    // Calculate metrics
+    const criticalCount = issues.filter((i) => i.severity === "critical").length;
+    const highCount = issues.filter((i) => i.severity === "high").length;
+    const riskScore = calculateSecurityRiskScore(issues);
+    const complianceStatus = determineComplianceStatus(riskScore);
+    const report = {
+        timestamp: new Date().toISOString(),
+        totalIssues: issues.length,
+        criticalIssues: criticalCount,
+        highIssues: highCount,
+        issues,
+        boundaries,
+        riskScore,
+        complianceStatus,
+        recommendations: generateSecurityRecommendations(issues),
+    };
+    if (output) {
+        await writeAuditReport(report, output);
+    }
+    return report;
+}
+/**
+ * Helper: Scan source files
+ */
+async function scanSourceFiles(srcRoot) {
+    const files = new Map();
+    async function walkDir(dir) {
+        try {
+            const entries = await fs.readdir(dir, { withFileTypes: true });
+            for (const entry of entries) {
+                const fullPath = path.join(dir, entry.name);
+                if (entry.isDirectory() &&
+                    [".git", "node_modules", "dist", "build", "coverage"].includes(entry.name)) {
+                    continue;
+                }
+                if (entry.isDirectory()) {
+                    await walkDir(fullPath);
+                }
+                else if (entry.isFile() &&
+                    [".ts", ".tsx", ".js", ".jsx"].some((ext) => entry.name.endsWith(ext))) {
+                    const content = await fs.readFile(fullPath, "utf8");
+                    const relPath = path.relative(srcRoot, fullPath);
+                    files.set(relPath, content);
+                }
+            }
+        }
+        catch {
+            // Skip inaccessible directories
+        }
+    }
+    await walkDir(srcRoot);
+    return files;
+}
+/**
+ * Helper: Check for exposed credentials
+ */
+function checkExposedCredentials(sourceFiles) {
+    const issues = [];
+    const patterns = [
+        { regex: /password\s*[:=]\s*['"`]([^'"`]+)/gi, type: "password" },
+        { regex: /api[_-]?key\s*[:=]\s*['"`]([^'"`]+)/gi, type: "API key" },
+        { regex: /secret\s*[:=]\s*['"`]([^'"`]+)/gi, type: "secret" },
+        { regex: /token\s*[:=]\s*['"`](eyJ[^'"`]+)/gi, type: "JWT token" },
+    ];
+    for (const [file, content] of sourceFiles.entries()) {
+        const lines = content.split("\n");
+        for (const { regex, type } of patterns) {
+            lines.forEach((line, idx) => {
+                if (regex.test(line)) {
+                    issues.push({
+                        type: "exposed_credentials",
+                        severity: "critical",
+                        file,
+                        line: idx + 1,
+                        code: line.trim(),
+                        description: `Hardcoded ${type} detected in source code`,
+                        remediationSteps: [
+                            "Move to environment variables",
+                            "Use secrets management system",
+                            "Rotate compromised credentials",
+                        ],
+                        cwes: ["CWE-798", "CWE-321"],
+                    });
+                }
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Helper: Check for missing authentication
+ */
+function checkMissingAuthentication(sourceFiles) {
+    const issues = [];
+    for (const [file, content] of sourceFiles.entries()) {
+        const lines = content.split("\n");
+        // Look for endpoints without auth checks
+        const endpointPattern = /(?:app|router)\.(?:get|post|put|delete|patch)\s*\(\s*['"`]([^'"`]+)/gi;
+        let match;
+        while ((match = endpointPattern.exec(content)) !== null) {
+            const lineIdx = content.substring(0, match.index).split("\n").length - 1;
+            const line = lines[lineIdx];
+            // Check if there's an auth middleware or check nearby
+            const hasAuth = line.includes("auth") ||
+                line.includes("unauthorized") ||
+                line.includes("private") ||
+                (lines[lineIdx - 1] && lines[lineIdx - 1].includes("auth"));
+            if (!hasAuth && !match[1].includes("public")) {
+                issues.push({
+                    type: "missing_auth",
+                    severity: "high",
+                    file,
+                    line: lineIdx + 1,
+                    code: line.trim(),
+                    description: `Endpoint may lack authentication check: ${match[1]}`,
+                    remediationSteps: [
+                        "Add authentication middleware",
+                        "Verify authorization rules",
+                        "Document access requirements",
+                    ],
+                    cwes: ["CWE-284", "CWE-287"],
+                });
+            }
+        }
+    }
+    return issues;
+}
+/**
+ * Helper: Check for SQL injection risks
+ */
+function checkSqlInjectionRisks(sourceFiles) {
+    const issues = [];
+    const sqlPattern = /query\s*\(\s*\$\{|query\s*\(\s*[`'].*\$\{|execute\s*\(\s*\$\{/gi;
+    for (const [file, content] of sourceFiles.entries()) {
+        const lines = content.split("\n");
+        lines.forEach((line, idx) => {
+            if (sqlPattern.test(line)) {
+                issues.push({
+                    type: "sql_injection_risk",
+                    severity: "critical",
+                    file,
+                    line: idx + 1,
+                    code: line.trim(),
+                    description: "Potential SQL injection: string interpolation in query",
+                    remediationSteps: [
+                        "Use parameterized queries",
+                        "Use prepared statements",
+                        "Use ORM with proper escaping",
+                    ],
+                    cwes: ["CWE-89"],
+                });
+            }
+        });
+    }
+    return issues;
+}
+/**
+ * Helper: Check for data leakage
+ */
+function checkDataLeakage(sourceFiles) {
+    const issues = [];
+    const leakagePatterns = [
+        /console\s*\.\s*log\s*\(\s*(?:password|token|secret|auth)/gi,
+        /error\s*\(\s*.*(?:password|token|secret)/gi,
+    ];
+    for (const [file, content] of sourceFiles.entries()) {
+        const lines = content.split("\n");
+        lines.forEach((line, idx) => {
+            for (const pattern of leakagePatterns) {
+                if (pattern.test(line)) {
+                    issues.push({
+                        type: "data_leakage",
+                        severity: "high",
+                        file,
+                        line: idx + 1,
+                        code: line.trim(),
+                        description: "Sensitive data logged or exposed in error messages",
+                        remediationSteps: [
+                            "Remove sensitive data from logs",
+                            "Use data filtering/masking",
+                            "Implement proper logging practices",
+                        ],
+                        cwes: ["CWE-532"],
+                    });
+                }
+            }
+        });
+    }
+    return issues;
+}
+/**
+ * Helper: Check for unauthorized access patterns
+ */
+function checkUnauthorizedAccess(sourceFiles) {
+    const issues = [];
+    for (const [file, content] of sourceFiles.entries()) {
+        const lines = content.split("\n");
+        lines.forEach((line, idx) => {
+            // Check for hardcoded admin/superuser patterns
+            if (line.includes("isAdmin") &&
+                !line.includes("check") &&
+                !line.includes("verify")) {
+                issues.push({
+                    type: "unauthorized_access",
+                    severity: "medium",
+                    file,
+                    line: idx + 1,
+                    code: line.trim(),
+                    description: "Authorization check may be incomplete",
+                    remediationSteps: [
+                        "Verify authorization logic",
+                        "Add role-based access control",
+                        "Audit permission matrix",
+                    ],
+                    cwes: ["CWE-639"],
+                });
+            }
+        });
+    }
+    return issues;
+}
+/**
+ * Helper: Identify security boundaries
+ */
+function identifySecurityBoundaries(sourceFiles, issues) {
+    const boundaries = [];
+    // Group files by directory as boundaries
+    const dirs = new Set();
+    for (const file of sourceFiles.keys()) {
+        dirs.add(path.dirname(file));
+    }
+    for (const dir of dirs) {
+        const files = Array.from(sourceFiles.keys()).filter((f) => f.startsWith(dir));
+        // Determine access control level based on issues and naming
+        const accessControl = dir.includes("public") ? "public" : "protected";
+        const authenticatedOnly = dir.includes("admin") || dir.includes("private");
+        const hasExposed = issues.some((i) => i.type === "exposed_credentials" && i.file.includes(dir));
+        boundaries.push({
+            name: dir,
+            files,
+            accessControl,
+            authenticatedOnly,
+            encryptionStatus: hasExposed ? "none" : "partial",
+        });
+    }
+    return boundaries;
+}
+/**
+ * Helper: Calculate security risk score
+ */
+function calculateSecurityRiskScore(issues) {
+    const criticalWeight = 40;
+    const highWeight = 20;
+    const mediumWeight = 10;
+    const lowWeight = 5;
+    const score = issues.filter((i) => i.severity === "critical").length * criticalWeight +
+        issues.filter((i) => i.severity === "high").length * highWeight +
+        issues.filter((i) => i.severity === "medium").length * mediumWeight +
+        issues.filter((i) => i.severity === "low").length * lowWeight;
+    return Math.min(100, score);
+}
+/**
+ * Helper: Determine compliance status
+ */
+function determineComplianceStatus(riskScore) {
+    if (riskScore >= 80)
+        return "CRITICAL - Immediate action required";
+    if (riskScore >= 60)
+        return "HIGH - Significant vulnerabilities";
+    if (riskScore >= 40)
+        return "MEDIUM - Notable issues to address";
+    if (riskScore >= 20)
+        return "LOW - Minor concerns";
+    return "ACCEPTABLE - Security posture is good";
+}
+/**
+ * Helper: Generate security recommendations
+ */
+function generateSecurityRecommendations(issues) {
+    const recommendations = [];
+    const criticalCount = issues.filter((i) => i.severity === "critical").length;
+    if (criticalCount > 0) {
+        recommendations.push(`🚨 CRITICAL: ${criticalCount} critical vulnerabilities must be fixed immediately`);
+    }
+    const credentialCount = issues.filter((i) => i.type === "exposed_credentials").length;
+    if (credentialCount > 0) {
+        recommendations.push(`🔐 Move ${credentialCount} hardcoded credentials to env vars`);
+    }
+    const authCount = issues.filter((i) => i.type === "missing_auth").length;
+    if (authCount > 0) {
+        recommendations.push(`🔒 Add/verify authentication on ${authCount} endpoints`);
+    }
+    if (issues.length === 0) {
+        recommendations.push(`✅ No security issues detected`);
+    }
+    return recommendations;
+}
+/**
+ * Helper: Write audit report
+ */
+async function writeAuditReport(report, outputPath) {
+    let md = `# Security Boundary Audit Report\n\n`;
+    md += `Generated: ${report.timestamp}\n\n`;
+    md += `## Summary\n`;
+    md += `- **Risk Score:** ${report.riskScore}/100\n`;
+    md += `- **Compliance:** ${report.complianceStatus}\n`;
+    md += `- **Total Issues:** ${report.totalIssues}\n`;
+    md += `- **Critical:** ${report.criticalIssues} | High: ${report.highIssues}\n\n`;
+    md += `## Issues by Type\n`;
+    const byType = new Map();
+    for (const issue of report.issues) {
+        byType.set(issue.type, (byType.get(issue.type) || 0) + 1);
+    }
+    for (const [type, count] of byType.entries()) {
+        md += `- ${type}: ${count}\n`;
+    }
+    md += `\n## Recommendations\n`;
+    for (const rec of report.recommendations) {
+        md += `- ${rec}\n`;
+    }
+    await fs.mkdir(path.dirname(outputPath), { recursive: true });
+    await fs.writeFile(outputPath, md, "utf8");
+}
+export default auditSecurityBoundaries;

package/dist/commands/simulate.js

@@ -0,0 +1,294 @@
+import fs from "node:fs/promises";
+import * as fsSync from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import yaml from "js-yaml";
+import { buildSnapshots } from "../extract/index.js";
+import { buildArchitectureSummary, loadArchitectureSummary } from "../extract/compress.js";
+import { createIgnoreMatcher } from "../extract/ignore.js";
+import { logResolvedProjectPaths, resolveProjectPaths } from "../project-discovery.js";
+export async function runSimulate(options) {
+    const resolved = await resolveProjectPaths({
+        projectRoot: options.projectRoot,
+        backendRoot: options.backendRoot,
+        frontendRoot: options.frontendRoot,
+        configPath: options.configPath
+    });
+    const resolvedBackendRoot = resolved.backendRoot;
+    const resolvedFrontendRoot = resolved.frontendRoot;
+    const originalRoot = resolved.workspaceRoot;
+    const config = resolved.config;
+    logResolvedProjectPaths(resolved);
+    let simulationRoot = originalRoot;
+    let simBackendRoot = resolvedBackendRoot;
+    let simFrontendRoot = resolvedFrontendRoot;
+    let cleanupTemp = false;
+    try {
+        if (options.patch) {
+            const tempRoot = await createTempCopy(originalRoot, config);
+            await applyPatch(tempRoot, options.patch);
+            simulationRoot = tempRoot;
+            simBackendRoot = remapPath(resolvedBackendRoot, originalRoot, tempRoot);
+            simFrontendRoot = remapPath(resolvedFrontendRoot, originalRoot, tempRoot);
+            cleanupTemp = true;
+        }
+        const { architecture, ux } = await buildSnapshots({
+            projectRoot: simulationRoot,
+            backendRoot: simBackendRoot,
+            frontendRoot: simFrontendRoot,
+            output: options.output,
+            includeFileGraph: true,
+            configPath: options.configPath
+        });
+        const candidate = architecture.drift;
+        const candidateSummary = buildArchitectureSummary(architecture, ux);
+        const baselinePath = await resolveBaselinePath({
+            projectRoot: originalRoot,
+            config,
+            override: options.baseline
+        });
+        const baseline = baselinePath ? await loadDriftFromFile(baselinePath) : null;
+        const baselineSummaryPath = await resolveBaselineSummaryPath({
+            projectRoot: originalRoot,
+            override: options.baselineSummary
+        });
+        const baselineSummary = baselineSummaryPath
+            ? await loadSummaryFromPath(baselineSummaryPath)
+            : null;
+        const evaluation = evaluateCandidate({
+            candidate,
+            baseline,
+            config,
+            baselineSummary,
+            candidateSummary,
+            mode: options.mode ?? config.guard?.mode ?? "soft"
+        });
+        const outputPath = path.resolve(options.output ?? "specs-out/drift.simulation.json");
+        await fs.mkdir(path.dirname(outputPath), { recursive: true });
+        await fs.writeFile(outputPath, JSON.stringify(evaluation, null, 2));
+        console.log(`Simulation decision: ${evaluation.decision}`);
+        if (evaluation.reasons.length > 0) {
+            console.log(`Reasons: ${evaluation.reasons.join(", ")}`);
+        }
+        console.log(`Wrote ${outputPath}`);
+    }
+    finally {
+        if (cleanupTemp) {
+            await fs.rm(simulationRoot, { recursive: true, force: true });
+        }
+    }
+}
+async function resolveBaselinePath(params) {
+    const { projectRoot, config, override } = params;
+    const candidates = [];
+    if (override) {
+        candidates.push(override);
+    }
+    if (config.drift?.baselinePath) {
+        candidates.push(config.drift.baselinePath);
+    }
+    candidates.push("specs-out/machine/baseline.json");
+    candidates.push("specs-out/machine/drift.report.json");
+    candidates.push("specs-out/machine/architecture.snapshot.yaml");
+    for (const candidate of candidates) {
+        const resolved = path.isAbsolute(candidate)
+            ? candidate
+            : path.resolve(projectRoot, candidate);
+        if (await fileExists(resolved)) {
+            return resolved;
+        }
+    }
+    return null;
+}
+async function resolveBaselineSummaryPath(params) {
+    const candidates = [];
+    if (params.override) {
+        candidates.push(params.override);
+    }
+    candidates.push(path.join(params.projectRoot, "specs-out", "machine", "architecture.summary.json"));
+    for (const candidate of candidates) {
+        const resolved = path.isAbsolute(candidate)
+            ? candidate
+            : path.resolve(params.projectRoot, candidate);
+        if (await fileExists(resolved)) {
+            return resolved;
+        }
+    }
+    return null;
+}
+async function loadSummaryFromPath(filePath) {
+    const dir = path.dirname(filePath);
+    if (path.basename(filePath) === "architecture.summary.json") {
+        return loadArchitectureSummary(dir);
+    }
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function loadDriftFromFile(filePath) {
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        const ext = path.extname(filePath).toLowerCase();
+        const parsed = ext === ".yaml" || ext === ".yml"
+            ? yaml.load(raw)
+            : JSON.parse(raw);
+        if (!parsed) {
+            return null;
+        }
+        const drift = parsed["drift"];
+        if (drift && typeof drift.delta === "number") {
+            return drift;
+        }
+        if (typeof parsed.delta === "number") {
+            return parsed;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function evaluateCandidate(params) {
+    const { candidate, baseline, config, baselineSummary, candidateSummary, mode } = params;
+    const reasons = [];
+    if (!baseline) {
+        reasons.push("baseline_missing");
+    }
+    else {
+        if (candidate.delta < baseline.delta) {
+            reasons.push("delta_regressed");
+        }
+        const baselineEdges = baseline.details?.edges ?? 0;
+        const candidateEdges = candidate.details?.edges ?? 0;
+        if (baselineEdges > 0) {
+            const ratio = (candidateEdges - baselineEdges) / baselineEdges;
+            const maxRatio = config.drift?.growth?.maxEdgeGrowthRatio ?? 0;
+            if (maxRatio > 0 && ratio > maxRatio) {
+                reasons.push("edge_growth_ratio_exceeded");
+            }
+        }
+    }
+    if (candidate.status === "drift") {
+        reasons.push("candidate_in_drift");
+    }
+    if (candidate.capacity.status === "critical") {
+        reasons.push("capacity_critical");
+    }
+    if (candidate.growth.status === "critical") {
+        reasons.push("growth_critical");
+    }
+    let shapeEquivalent;
+    if (baselineSummary) {
+        shapeEquivalent = baselineSummary.shape_fingerprint === candidateSummary.shape_fingerprint;
+        if (!shapeEquivalent) {
+            reasons.push("shape_changed");
+        }
+    }
+    let decision = "accept";
+    if (reasons.length > 0) {
+        decision = mode === "hard" ? "reject" : "warn";
+    }
+    return {
+        decision,
+        reasons,
+        feedback: {
+            previous_delta: baseline?.delta,
+            candidate_delta: candidate.delta,
+            reasons,
+            suggestions: buildSuggestions(reasons)
+        },
+        mode,
+        baseline_delta: baseline?.delta,
+        candidate_delta: candidate.delta,
+        edge_growth_ratio: baseline && (baseline.details?.edges ?? 0) > 0
+            ? ((candidate.details?.edges ?? 0) - (baseline.details?.edges ?? 0)) /
+                (baseline.details?.edges ?? 1)
+            : undefined,
+        shape_equivalent: shapeEquivalent
+    };
+}
+async function fileExists(target) {
+    try {
+        const stat = await fs.stat(target);
+        return stat.isFile();
+    }
+    catch {
+        return false;
+    }
+}
+function buildSuggestions(reasons) {
+    const suggestions = new Set();
+    const mapping = {
+        delta_regressed: "Reduce cross-layer coupling and refactor to lower drift.",
+        edge_growth_ratio_exceeded: "Limit new dependencies; split the change into smaller steps.",
+        candidate_in_drift: "Refactor to remove cycles or reduce coupling before applying.",
+        capacity_critical: "Reduce edges in saturated layers or consolidate modules.",
+        growth_critical: "Avoid adding new dependencies in this patch.",
+        shape_changed: "Preserve the existing architecture shape; avoid new structural coupling.",
+        baseline_missing: "Capture a baseline before enforcing drift gates."
+    };
+    for (const reason of reasons) {
+        const suggestion = mapping[reason];
+        if (suggestion) {
+            suggestions.add(suggestion);
+        }
+    }
+    return Array.from(suggestions);
+}
+async function createTempCopy(sourceRoot, config) {
+    const tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "specguard-sim-"));
+    const ignore = createIgnoreMatcher(config, sourceRoot);
+    await fs.cp(sourceRoot, tempRoot, {
+        recursive: true,
+        filter: (src) => filterCopy(src, sourceRoot, ignore)
+    });
+    return tempRoot;
+}
+function filterCopy(src, baseRoot, ignore) {
+    if (src === baseRoot) {
+        return true;
+    }
+    const relative = path.relative(baseRoot, src);
+    if (!relative) {
+        return true;
+    }
+    const name = path.basename(src);
+    let stat;
+    try {
+        stat = fsSync.statSync(src);
+    }
+    catch {
+        return false;
+    }
+    if (stat.isDirectory()) {
+        return !ignore.isIgnoredDir(name, src);
+    }
+    return !ignore.isIgnoredPath(relative);
+}
+async function applyPatch(workspaceRoot, patchPath) {
+    const resolvedPatch = path.resolve(patchPath);
+    const result = await runCommand("git", ["apply", "--whitespace=nowarn", resolvedPatch], workspaceRoot);
+    if (result.code !== 0) {
+        throw new Error(`Failed to apply patch: ${result.stderr || result.stdout}`);
+    }
+}
+function runCommand(command, args, cwd) {
+    return new Promise((resolve) => {
+        const child = spawn(command, args, { cwd, shell: true });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (data) => (stdout += data.toString()));
+        child.stderr.on("data", (data) => (stderr += data.toString()));
+        child.on("close", (code) => resolve({ code: code ?? 1, stdout, stderr }));
+        child.on("error", () => resolve({ code: 1, stdout, stderr }));
+    });
+}
+function remapPath(original, sourceRoot, targetRoot) {
+    const relative = path.relative(sourceRoot, original);
+    return path.join(targetRoot, relative);
+}

package/dist/commands/summary.js

@@ -0,0 +1,27 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import yaml from "js-yaml";
+import { renderExecutiveSummary } from "../extract/docs.js";
+import { loadArchitectureSummary, loadArchitectureDiff, loadHeatmap } from "../extract/compress.js";
+import { resolveMachineInputDir } from "../output-layout.js";
+export async function runSummary(options) {
+    const inputDir = await resolveMachineInputDir(options.input || "specs-out");
+    const architecturePath = path.join(inputDir, "architecture.snapshot.yaml");
+    const uxPath = path.join(inputDir, "ux.snapshot.yaml");
+    const [architectureRaw, uxRaw] = await Promise.all([
+        fs.readFile(architecturePath, "utf8"),
+        fs.readFile(uxPath, "utf8")
+    ]);
+    const architecture = yaml.load(architectureRaw);
+    const ux = yaml.load(uxRaw);
+    const summary = await loadArchitectureSummary(inputDir);
+    const diff = await loadArchitectureDiff(inputDir);
+    const heatmap = await loadHeatmap(inputDir);
+    const content = renderExecutiveSummary(architecture, ux, { summary, diff, heatmap });
+    const outputPath = options.output
+        ? path.resolve(options.output)
+        : path.join(inputDir, "docs", "summary.md");
+    await fs.mkdir(path.dirname(outputPath), { recursive: true });
+    await fs.writeFile(outputPath, content);
+    console.log(`Wrote ${outputPath}`);
+}