@vaultcompass/vault-guard-core 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Vault & Compass LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/baseline.d.ts

@@ -0,0 +1,24 @@
+import type { FileScanResult } from './scan-output';
+/** Default baseline filename (same discovery walk as `.vault-guard.json`). */
+export declare const BASELINE_FILENAME = ".vault-guard.baseline.json";
+export interface BaselineFileV1 {
+    version: 1;
+    fingerprints: string[];
+}
+export interface LoadBaselineOutcome {
+    /** Absolute path of the baseline file that was read, if any. */
+    sourcePath?: string;
+    fingerprints: Set<string>;
+    /** Present when a baseline file existed but JSON was invalid or wrong shape. */
+    parseError?: string;
+}
+/**
+ * Walk the same directories as {@link loadConfig} and load the nearest
+ * `.vault-guard.baseline.json`.
+ */
+export declare function loadBaseline(startDir?: string): LoadBaselineOutcome;
+export declare function filterResultsByBaseline(cwd: string | null, results: FileScanResult[], baseline: Set<string>): {
+    results: FileScanResult[];
+    suppressed: number;
+};
+//# sourceMappingURL=baseline.d.ts.map

package/dist/baseline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.d.ts","sourceRoot":"","sources":["../src/baseline.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAIpD,8EAA8E;AAC9E,eAAO,MAAM,iBAAiB,+BAA+B,CAAC;AAE9D,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1B,gFAAgF;IAChF,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,GAAE,MAAsB,GAAG,mBAAmB,CA+ClF;AAED,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,GAAG,IAAI,EAClB,OAAO,EAAE,cAAc,EAAE,EACzB,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GACpB;IAAE,OAAO,EAAE,cAAc,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAiBnD"}

package/dist/baseline.js

@@ -0,0 +1,87 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BASELINE_FILENAME = void 0;
+exports.loadBaseline = loadBaseline;
+exports.filterResultsByBaseline = filterResultsByBaseline;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const config_1 = require("./config");
+const match_fingerprint_1 = require("./match-fingerprint");
+/** Default baseline filename (same discovery walk as `.vault-guard.json`). */
+exports.BASELINE_FILENAME = '.vault-guard.baseline.json';
+/**
+ * Walk the same directories as {@link loadConfig} and load the nearest
+ * `.vault-guard.baseline.json`.
+ */
+function loadBaseline(startDir = process.cwd()) {
+    const dirs = (0, config_1.listConfigSearchDirs)(startDir);
+    for (const dir of dirs) {
+        const filePath = path_1.default.join(dir, exports.BASELINE_FILENAME);
+        if (!fs_1.default.existsSync(filePath))
+            continue;
+        let raw;
+        try {
+            raw = fs_1.default.readFileSync(filePath, 'utf-8');
+        }
+        catch (e) {
+            const detail = e instanceof Error ? e.message : String(e);
+            return {
+                sourcePath: filePath,
+                fingerprints: new Set(),
+                parseError: `read failed: ${detail}`,
+            };
+        }
+        try {
+            const parsed = JSON.parse(raw);
+            if (!parsed || typeof parsed !== 'object') {
+                return { sourcePath: filePath, fingerprints: new Set(), parseError: 'not an object' };
+            }
+            const v = parsed.version;
+            const fps = parsed.fingerprints;
+            if (v !== 1) {
+                return {
+                    sourcePath: filePath,
+                    fingerprints: new Set(),
+                    parseError: `unsupported version (expected 1, got ${String(v)})`,
+                };
+            }
+            if (!Array.isArray(fps)) {
+                return { sourcePath: filePath, fingerprints: new Set(), parseError: 'fingerprints must be an array' };
+            }
+            const out = new Set();
+            for (const x of fps) {
+                if (typeof x === 'string' && x.length > 0)
+                    out.add(x);
+            }
+            return { sourcePath: filePath, fingerprints: out };
+        }
+        catch (e) {
+            const detail = e instanceof Error ? e.message : String(e);
+            return { sourcePath: filePath, fingerprints: new Set(), parseError: `JSON: ${detail}` };
+        }
+    }
+    return { fingerprints: new Set() };
+}
+function filterResultsByBaseline(cwd, results, baseline) {
+    if (baseline.size === 0)
+        return { results, suppressed: 0 };
+    let suppressed = 0;
+    const out = [];
+    for (const r of results) {
+        const kept = [];
+        for (const m of r.matches) {
+            const fp = (0, match_fingerprint_1.fingerprintForMatch)(cwd, r.file, m);
+            if (baseline.has(fp))
+                suppressed++;
+            else
+                kept.push(m);
+        }
+        if (kept.length > 0)
+            out.push({ file: r.file, matches: kept });
+    }
+    return { results: out, suppressed };
+}
+//# sourceMappingURL=baseline.js.map

package/dist/baseline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.js","sourceRoot":"","sources":["../src/baseline.ts"],"names":[],"mappings":";;;;;;AA2BA,oCA+CC;AAED,0DAqBC;AAjGD,4CAAoB;AACpB,gDAAwB;AAGxB,qCAAgD;AAChD,2DAA0D;AAE1D,8EAA8E;AACjE,QAAA,iBAAiB,GAAG,4BAA4B,CAAC;AAe9D;;;GAGG;AACH,SAAgB,YAAY,CAAC,WAAmB,OAAO,CAAC,GAAG,EAAE;IAC3D,MAAM,IAAI,GAAG,IAAA,6BAAoB,EAAC,QAAQ,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAiB,CAAC,CAAC;QACnD,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEvC,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,YAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,OAAO;gBACL,UAAU,EAAE,QAAQ;gBACpB,YAAY,EAAE,IAAI,GAAG,EAAE;gBACvB,UAAU,EAAE,gBAAgB,MAAM,EAAE;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;YAC1C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC1C,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAG,EAAE,EAAE,UAAU,EAAE,eAAe,EAAE,CAAC;YACxF,CAAC;YACD,MAAM,CAAC,GAAI,MAAgC,CAAC,OAAO,CAAC;YACpD,MAAM,GAAG,GAAI,MAAqC,CAAC,YAAY,CAAC;YAChE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACZ,OAAO;oBACL,UAAU,EAAE,QAAQ;oBACpB,YAAY,EAAE,IAAI,GAAG,EAAE;oBACvB,UAAU,EAAE,wCAAwC,MAAM,CAAC,CAAC,CAAC,GAAG;iBACjE,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAG,EAAE,EAAE,UAAU,EAAE,+BAA+B,EAAE,CAAC;YACxG,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;YAC9B,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;oBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QACrD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC1D,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,IAAI,GAAG,EAAE,EAAE,UAAU,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;QAC1F,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,IAAI,GAAG,EAAE,EAAE,CAAC;AACrC,CAAC;AAED,SAAgB,uBAAuB,CACrC,GAAkB,EAClB,OAAyB,EACzB,QAAqB;IAErB,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IAE3D,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,MAAM,GAAG,GAAqB,EAAE,CAAC;IAEjC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,GAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1B,MAAM,EAAE,GAAG,IAAA,uCAAmB,EAAC,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;YAC/C,IAAI,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAAE,UAAU,EAAE,CAAC;;gBAC9B,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC;AACtC,CAAC"}

package/dist/config-validate.d.ts

@@ -0,0 +1,13 @@
+import type { VaultGuardConfig } from './config';
+/**
+ * Structural validation for parsed `.vault-guard.json` (no file I/O).
+ * Used by `vault-guard config validate` and for tooling that cannot run the scanner.
+ */
+export declare function validateVaultGuardConfig(value: unknown): {
+    ok: true;
+    config: VaultGuardConfig;
+} | {
+    ok: false;
+    errors: string[];
+};
+//# sourceMappingURL=config-validate.d.ts.map

package/dist/config-validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validate.d.ts","sourceRoot":"","sources":["../src/config-validate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAIjD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,OAAO,GAAG;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,gBAAgB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAoGjI"}

package/dist/config-validate.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateVaultGuardConfig = validateVaultGuardConfig;
+const SEVERITIES = new Set(['critical', 'high', 'medium', 'low', 'off']);
+/**
+ * Structural validation for parsed `.vault-guard.json` (no file I/O).
+ * Used by `vault-guard config validate` and for tooling that cannot run the scanner.
+ */
+function validateVaultGuardConfig(value) {
+    const errors = [];
+    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
+        return { ok: false, errors: ['root must be a JSON object'] };
+    }
+    const o = value;
+    for (const key of Object.keys(o)) {
+        const allowed = new Set([
+            'ignore',
+            'severity_overrides',
+            'extra_patterns',
+            'extra_patterns_unsafe',
+            'entropy_threshold',
+        ]);
+        if (!allowed.has(key)) {
+            errors.push(`unknown top-level key: ${JSON.stringify(key)}`);
+        }
+    }
+    if (o.ignore !== undefined) {
+        if (o.ignore === null || typeof o.ignore !== 'object' || Array.isArray(o.ignore)) {
+            errors.push('ignore must be an object');
+        }
+        else {
+            const ig = o.ignore;
+            for (const k of Object.keys(ig)) {
+                if (k !== 'paths' && k !== 'patterns') {
+                    errors.push(`ignore: unknown key ${JSON.stringify(k)}`);
+                }
+            }
+            if (ig.paths !== undefined && !isStringArray(ig.paths)) {
+                errors.push('ignore.paths must be an array of strings');
+            }
+            if (ig.patterns !== undefined && !isStringArray(ig.patterns)) {
+                errors.push('ignore.patterns must be an array of strings');
+            }
+        }
+    }
+    if (o.severity_overrides !== undefined) {
+        if (o.severity_overrides === null || typeof o.severity_overrides !== 'object' || Array.isArray(o.severity_overrides)) {
+            errors.push('severity_overrides must be an object');
+        }
+        else {
+            for (const [id, sev] of Object.entries(o.severity_overrides)) {
+                if (typeof id !== 'string' || id.length === 0) {
+                    errors.push('severity_overrides keys must be non-empty strings');
+                    continue;
+                }
+                if (typeof sev !== 'string' || !SEVERITIES.has(sev)) {
+                    errors.push(`severity_overrides[${JSON.stringify(id)}] must be critical|high|medium|low|off`);
+                }
+            }
+        }
+    }
+    if (o.extra_patterns_unsafe !== undefined && typeof o.extra_patterns_unsafe !== 'boolean') {
+        errors.push('extra_patterns_unsafe must be a boolean');
+    }
+    if (o.entropy_threshold !== undefined) {
+        if (typeof o.entropy_threshold !== 'number' || !Number.isFinite(o.entropy_threshold)) {
+            errors.push('entropy_threshold must be a finite number');
+        }
+    }
+    if (o.extra_patterns !== undefined) {
+        if (!Array.isArray(o.extra_patterns)) {
+            errors.push('extra_patterns must be an array');
+        }
+        else {
+            o.extra_patterns.forEach((entry, i) => {
+                if (entry === null || typeof entry !== 'object' || Array.isArray(entry)) {
+                    errors.push(`extra_patterns[${i}] must be an object`);
+                    return;
+                }
+                const ep = entry;
+                if (typeof ep.id !== 'string' || ep.id.length === 0) {
+                    errors.push(`extra_patterns[${i}].id must be a non-empty string`);
+                }
+                if (typeof ep.regex !== 'string' || ep.regex.length === 0) {
+                    errors.push(`extra_patterns[${i}].regex must be a non-empty string`);
+                }
+                if (typeof ep.severity !== 'string' || !isSeverity(ep.severity)) {
+                    errors.push(`extra_patterns[${i}].severity must be critical|high|medium|low`);
+                }
+                if (ep.description !== undefined && typeof ep.description !== 'string') {
+                    errors.push(`extra_patterns[${i}].description must be a string`);
+                }
+                if (ep.min_entropy !== undefined) {
+                    if (typeof ep.min_entropy !== 'number' || !Number.isFinite(ep.min_entropy)) {
+                        errors.push(`extra_patterns[${i}].min_entropy must be a finite number`);
+                    }
+                }
+            });
+        }
+    }
+    if (errors.length > 0)
+        return { ok: false, errors };
+    return { ok: true, config: value };
+}
+function isStringArray(v) {
+    return Array.isArray(v) && v.every(x => typeof x === 'string');
+}
+function isSeverity(v) {
+    return v === 'critical' || v === 'high' || v === 'medium' || v === 'low';
+}
+//# sourceMappingURL=config-validate.js.map

package/dist/config-validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validate.js","sourceRoot":"","sources":["../src/config-validate.ts"],"names":[],"mappings":";;AASA,4DAoGC;AA1GD,MAAM,UAAU,GAAwB,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAE9F;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,KAAc;IACrD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,4BAA4B,CAAC,EAAE,CAAC;IAC/D,CAAC;IAED,MAAM,CAAC,GAAG,KAAgC,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC;YACtB,QAAQ;YACR,oBAAoB;YACpB,gBAAgB;YAChB,uBAAuB;YACvB,mBAAmB;SACpB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YACjF,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAG,CAAC,CAAC,MAAiC,CAAC;YAC/C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;oBACtC,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;YACD,IAAI,EAAE,CAAC,KAAK,KAAK,SAAS,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBACvD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAC1D,CAAC;YACD,IAAI,EAAE,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7D,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,kBAAkB,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,kBAAkB,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACrH,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACtD,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,kBAA6C,CAAC,EAAE,CAAC;gBACxF,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC9C,MAAM,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;oBACjE,SAAS;gBACX,CAAC;gBACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpD,MAAM,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,wCAAwC,CAAC,CAAC;gBAChG,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,qBAAqB,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;QAC1F,MAAM,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,CAAC,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,CAAC,iBAAiB,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrF,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;YACrC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;gBACpC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,qBAAqB,CAAC,CAAC;oBACtD,OAAO;gBACT,CAAC;gBACD,MAAM,EAAE,GAAG,KAAgC,CAAC;gBAC5C,IAAI,OAAO,EAAE,CAAC,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACpD,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,iCAAiC,CAAC,CAAC;gBACpE,CAAC;gBACD,IAAI,OAAO,EAAE,CAAC,KAAK,KAAK,QAAQ,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,oCAAoC,CAAC,CAAC;gBACvE,CAAC;gBACD,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,6CAA6C,CAAC,CAAC;gBAChF,CAAC;gBACD,IAAI,EAAE,CAAC,WAAW,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBACvE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,gCAAgC,CAAC,CAAC;gBACnE,CAAC;gBACD,IAAI,EAAE,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;oBACjC,IAAI,OAAO,EAAE,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC3E,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,uCAAuC,CAAC,CAAC;oBAC1E,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACpD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAyB,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK,CAAC;AAC3E,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,69 @@
+import { SecretMatch } from './types';
+/**
+ * Shape of .vault-guard.json in a repository root.
+ *
+ * YAML support (.vault-guard.yml) deferred to a follow-up to avoid adding a runtime
+ * dependency on the core package.
+ */
+export interface VaultGuardConfig {
+    /** Glob patterns or file paths to skip entirely during scanning. */
+    ignore?: {
+        paths?: string[];
+        patterns?: string[];
+    };
+    /**
+     * Override severity for built-in pattern keys, or set to "off" to disable a
+     * pattern entirely.  Keys match the pattern id strings in secret-scanner.ts.
+     */
+    severity_overrides?: Record<string, SecretMatch['severity'] | 'off'>;
+    /**
+     * Additional patterns to run alongside the built-in set.  Regex strings are
+     * compiled at scanner construction time and validated by
+     * `utils/regex-safety.ts` against catastrophic-backtracking shapes.
+     */
+    extra_patterns?: Array<{
+        id: string;
+        regex: string;
+        severity: SecretMatch['severity'];
+        description?: string;
+        /** Optional minimum Shannon entropy (bits/char) for the matched value. */
+        min_entropy?: number;
+    }>;
+    /**
+     * Bypass the ReDoS-safety heuristic for `extra_patterns`. Length cap still
+     * applies as a backstop. Set this only if you have audited every pattern
+     * and accept the catastrophic-backtracking risk.
+     */
+    extra_patterns_unsafe?: boolean;
+    /**
+     * Override the default Shannon entropy threshold (3.5 bits/char) used by
+     * generic catch-all patterns.  Lower = more matches but more false positives.
+     */
+    entropy_threshold?: number;
+}
+/**
+ * Directories searched for `.vault-guard.json` / baseline files, in order
+ * (nearest to `startDir` first). Same policy as {@link loadConfig}.
+ */
+export declare function listConfigSearchDirs(startDir?: string): string[];
+/**
+ * Load the nearest Vault Guard config file.
+ *
+ * Search policy (security-relevant):
+ *   - If `startDir` is inside a git repository: search from `startDir` up to
+ *     the repo root (inclusive). Never ascend past `.git` — a config in a
+ *     parent directory of the repo root could change what counts as a secret
+ *     for the user (severity overrides, extra patterns) without their consent.
+ *   - If `startDir` is NOT inside a git repository: search **only** `startDir`.
+ *     This prevents accidental loading of `~/.vault-guard.json` (or any other
+ *     ancestor) when the user runs the CLI in `/tmp` or similar.
+ *
+ * Throws `ConfigError` on JSON parse failure (do not fail silent — a typo in
+ * `.vault-guard.json` is indistinguishable from "no config" if we swallow it).
+ */
+/**
+ * First existing config path on the {@link listConfigSearchDirs} walk, or `null`.
+ */
+export declare function findVaultGuardConfigPath(startDir?: string): string | null;
+export declare function loadConfig(startDir?: string): VaultGuardConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGtC;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oEAAoE;IACpE,MAAM,CAAC,EAAE;QACP,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC,CAAC;IACrE;;;;OAIG;IACH,cAAc,CAAC,EAAE,KAAK,CAAC;QACrB,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,WAAW,CAAC,UAAU,CAAC,CAAC;QAClC,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,0EAA0E;QAC1E,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC,CAAC;IACH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAgCD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,GAAE,MAAsB,GAAG,MAAM,EAAE,CAG/E;AAED;;;;;;;;;;;;;;GAcG;AACH;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,GAAE,MAAsB,GAAG,MAAM,GAAG,IAAI,CASxF;AAED,wBAAgB,UAAU,CAAC,QAAQ,GAAE,MAAsB,GAAG,gBAAgB,CAgC7E"}

package/dist/config.js

@@ -0,0 +1,106 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listConfigSearchDirs = listConfigSearchDirs;
+exports.findVaultGuardConfigPath = findVaultGuardConfigPath;
+exports.loadConfig = loadConfig;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const errors_1 = require("./errors");
+const CONFIG_FILENAMES = ['.vault-guard.json', '.vault-guard.local.json'];
+/**
+ * Walk up from `startDir` looking for a `.git` entry (directory in regular
+ * checkouts, file in worktrees). Returns the first directory containing one,
+ * or `null` if no git repo is found before the filesystem root.
+ */
+function findRepoRoot(startDir) {
+    let dir = startDir;
+    while (true) {
+        if (fs_1.default.existsSync(path_1.default.join(dir, '.git')))
+            return dir;
+        const parent = path_1.default.dirname(dir);
+        if (parent === dir)
+            return null;
+        dir = parent;
+    }
+}
+/** Build `[startDir, ..., root]` (inclusive on both ends). */
+function ascendInclusive(startDir, root) {
+    const out = [];
+    let dir = startDir;
+    while (true) {
+        out.push(dir);
+        if (dir === root)
+            return out;
+        const parent = path_1.default.dirname(dir);
+        if (parent === dir)
+            return out;
+        dir = parent;
+    }
+}
+/**
+ * Directories searched for `.vault-guard.json` / baseline files, in order
+ * (nearest to `startDir` first). Same policy as {@link loadConfig}.
+ */
+function listConfigSearchDirs(startDir = process.cwd()) {
+    const repoRoot = findRepoRoot(startDir);
+    return repoRoot ? ascendInclusive(startDir, repoRoot) : [startDir];
+}
+/**
+ * Load the nearest Vault Guard config file.
+ *
+ * Search policy (security-relevant):
+ *   - If `startDir` is inside a git repository: search from `startDir` up to
+ *     the repo root (inclusive). Never ascend past `.git` — a config in a
+ *     parent directory of the repo root could change what counts as a secret
+ *     for the user (severity overrides, extra patterns) without their consent.
+ *   - If `startDir` is NOT inside a git repository: search **only** `startDir`.
+ *     This prevents accidental loading of `~/.vault-guard.json` (or any other
+ *     ancestor) when the user runs the CLI in `/tmp` or similar.
+ *
+ * Throws `ConfigError` on JSON parse failure (do not fail silent — a typo in
+ * `.vault-guard.json` is indistinguishable from "no config" if we swallow it).
+ */
+/**
+ * First existing config path on the {@link listConfigSearchDirs} walk, or `null`.
+ */
+function findVaultGuardConfigPath(startDir = process.cwd()) {
+    const dirs = listConfigSearchDirs(startDir);
+    for (const dir of dirs) {
+        for (const filename of CONFIG_FILENAMES) {
+            const filePath = path_1.default.join(dir, filename);
+            if (fs_1.default.existsSync(filePath))
+                return filePath;
+        }
+    }
+    return null;
+}
+function loadConfig(startDir = process.cwd()) {
+    const dirs = listConfigSearchDirs(startDir);
+    for (const dir of dirs) {
+        for (const filename of CONFIG_FILENAMES) {
+            const filePath = path_1.default.join(dir, filename);
+            if (!fs_1.default.existsSync(filePath))
+                continue;
+            let raw;
+            try {
+                raw = fs_1.default.readFileSync(filePath, 'utf-8');
+            }
+            catch (e) {
+                const detail = e instanceof Error ? e.message : String(e);
+                throw new errors_1.ConfigError(`Failed to read Vault Guard config at ${filePath}: ${detail}`, filePath);
+            }
+            try {
+                return JSON.parse(raw);
+            }
+            catch (e) {
+                const detail = e instanceof Error ? e.message : String(e);
+                throw new errors_1.ConfigError(`Failed to parse Vault Guard config at ${filePath}: ${detail}`, filePath);
+            }
+        }
+    }
+    return {};
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";;;;;AAkFA,oDAGC;AAoBD,4DASC;AAED,gCAgCC;AApJD,4CAAoB;AACpB,gDAAwB;AAExB,qCAAuC;AA6CvC,MAAM,gBAAgB,GAAG,CAAC,mBAAmB,EAAE,yBAAyB,CAAC,CAAC;AAE1E;;;;GAIG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,YAAE,CAAC,UAAU,CAAC,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAAE,OAAO,GAAG,CAAC;QACtD,MAAM,MAAM,GAAG,cAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAChC,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED,8DAA8D;AAC9D,SAAS,eAAe,CAAC,QAAgB,EAAE,IAAY;IACrD,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,OAAO,IAAI,EAAE,CAAC;QACZ,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACd,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,GAAG,CAAC;QAC7B,MAAM,MAAM,GAAG,cAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,GAAG,CAAC;QAC/B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,WAAmB,OAAO,CAAC,GAAG,EAAE;IACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACxC,OAAO,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH;;GAEG;AACH,SAAgB,wBAAwB,CAAC,WAAmB,OAAO,CAAC,GAAG,EAAE;IACvE,MAAM,IAAI,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAC1C,IAAI,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;QAC/C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,UAAU,CAAC,WAAmB,OAAO,CAAC,GAAG,EAAE;IACzD,MAAM,IAAI,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAE5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAC1C,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEvC,IAAI,GAAW,CAAC;YAChB,IAAI,CAAC;gBACH,GAAG,GAAG,YAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC3C,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC1D,MAAM,IAAI,oBAAW,CACnB,wCAAwC,QAAQ,KAAK,MAAM,EAAE,EAC7D,QAAQ,CACT,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;YAC7C,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC1D,MAAM,IAAI,oBAAW,CACnB,yCAAyC,QAAQ,KAAK,MAAM,EAAE,EAC9D,QAAQ,CACT,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/diagnostics.d.ts

@@ -0,0 +1,64 @@
+/**
+ * DiagnosticBus — lightweight structured error channel for vault-guard.
+ *
+ * Motivation (Audit §14): the codebase had pervasive `catch {}` silent swallows.
+ * For a security tool, every silent fallback is an undetected miss:
+ *   - A corrupt `.vault-guard.json` silently reverts to defaults
+ *   - `git diff --cached` failing produces a false ✅ on pre-commit
+ *   - A `>10 MB` file is skipped without any output
+ *   - A ReDoS-unsafe `extra_pattern` is dropped with no feedback
+ *
+ * Instead of adding a third-party logging dep, we funnel every "would have
+ * been silently swallowed" event through this typed channel, emit it in
+ * JSON/SARIF output, and print a one-line summary in text mode.
+ */
+export type DiagnosticSeverity = 'warning' | 'error';
+export type DiagnosticCode = 'config.parse_error' | 'config.read_error' | 'config.unsafe_extra_pattern' | 'pattern.invalid' | 'pattern.too_long' | 'pattern.redos_unsafe' | 'file.too_large' | 'file.line_too_long' | 'file.read_error' | 'fs.permission_denied' | 'git.staged_files_failed' | 'baseline.invalid';
+/**
+ * Structured non-fatal warning/error emitted during a scan.
+ */
+export interface Diagnostic {
+    /** Stable machine-readable diagnostic identifier. */
+    code: DiagnosticCode;
+    /** Severity level for UI/reporting surfaces. */
+    severity: DiagnosticSeverity;
+    /**
+     * Free-form context payload (file path, error message, pattern id, etc.).
+     *
+     * Keep values JSON-serializable because this object is emitted in JSON and SARIF.
+     */
+    ctx: Record<string, unknown>;
+}
+/**
+ * Collects diagnostics during a single scan run.
+ *
+ * Callers add diagnostics with `bus.add(...)`. At the end of a run the CLI
+ * calls `bus.drain()` to retrieve them all and include them in JSON/SARIF
+ * output and/or print a summary to stderr.
+ *
+ * Intentionally not a singleton — one bus per `scanCommand` / `proxyCommand`
+ * invocation so that concurrent processes don't share state.
+ *
+ * @example
+ * ```ts
+ * const bus = new DiagnosticBus();
+ * bus.add({
+ *   code: 'file.too_large',
+ *   severity: 'warning',
+ *   ctx: { file: 'assets/dump.bin', bytes: 73400320 },
+ * });
+ *
+ * const diagnostics = bus.drain();
+ * // Pass diagnostics to formatJson/formatSarif.
+ * ```
+ */
+export declare class DiagnosticBus {
+    private readonly items;
+    add(d: Diagnostic): void;
+    /** Returns all diagnostics and clears the bus. */
+    drain(): Diagnostic[];
+    /** Returns all diagnostics without clearing. */
+    peek(): readonly Diagnostic[];
+    get size(): number;
+}
+//# sourceMappingURL=diagnostics.d.ts.map

package/dist/diagnostics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.d.ts","sourceRoot":"","sources":["../src/diagnostics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,MAAM,kBAAkB,GAAG,SAAS,GAAG,OAAO,CAAC;AAErD,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,mBAAmB,GACnB,6BAA6B,GAC7B,iBAAiB,GACjB,kBAAkB,GAClB,sBAAsB,GACtB,gBAAgB,GAChB,oBAAoB,GACpB,iBAAiB,GACjB,sBAAsB,GACtB,yBAAyB,GACzB,kBAAkB,CAAC;AAEvB;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,qDAAqD;IACrD,IAAI,EAAE,cAAc,CAAC;IACrB,gDAAgD;IAChD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoB;IAE1C,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,IAAI;IAIxB,kDAAkD;IAClD,KAAK,IAAI,UAAU,EAAE;IAIrB,gDAAgD;IAChD,IAAI,IAAI,SAAS,UAAU,EAAE;IAI7B,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/diagnostics.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * DiagnosticBus — lightweight structured error channel for vault-guard.
+ *
+ * Motivation (Audit §14): the codebase had pervasive `catch {}` silent swallows.
+ * For a security tool, every silent fallback is an undetected miss:
+ *   - A corrupt `.vault-guard.json` silently reverts to defaults
+ *   - `git diff --cached` failing produces a false ✅ on pre-commit
+ *   - A `>10 MB` file is skipped without any output
+ *   - A ReDoS-unsafe `extra_pattern` is dropped with no feedback
+ *
+ * Instead of adding a third-party logging dep, we funnel every "would have
+ * been silently swallowed" event through this typed channel, emit it in
+ * JSON/SARIF output, and print a one-line summary in text mode.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DiagnosticBus = void 0;
+/**
+ * Collects diagnostics during a single scan run.
+ *
+ * Callers add diagnostics with `bus.add(...)`. At the end of a run the CLI
+ * calls `bus.drain()` to retrieve them all and include them in JSON/SARIF
+ * output and/or print a summary to stderr.
+ *
+ * Intentionally not a singleton — one bus per `scanCommand` / `proxyCommand`
+ * invocation so that concurrent processes don't share state.
+ *
+ * @example
+ * ```ts
+ * const bus = new DiagnosticBus();
+ * bus.add({
+ *   code: 'file.too_large',
+ *   severity: 'warning',
+ *   ctx: { file: 'assets/dump.bin', bytes: 73400320 },
+ * });
+ *
+ * const diagnostics = bus.drain();
+ * // Pass diagnostics to formatJson/formatSarif.
+ * ```
+ */
+class DiagnosticBus {
+    items = [];
+    add(d) {
+        this.items.push(d);
+    }
+    /** Returns all diagnostics and clears the bus. */
+    drain() {
+        return this.items.splice(0);
+    }
+    /** Returns all diagnostics without clearing. */
+    peek() {
+        return this.items;
+    }
+    get size() {
+        return this.items.length;
+    }
+}
+exports.DiagnosticBus = DiagnosticBus;
+//# sourceMappingURL=diagnostics.js.map

package/dist/diagnostics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.js","sourceRoot":"","sources":["../src/diagnostics.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAkCH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAa,aAAa;IACP,KAAK,GAAiB,EAAE,CAAC;IAE1C,GAAG,CAAC,CAAa;QACf,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACrB,CAAC;IAED,kDAAkD;IAClD,KAAK;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,gDAAgD;IAChD,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;IAC3B,CAAC;CACF;AApBD,sCAoBC"}