npm - @veraxhq/verax - Versions diffs - 0.2.1 → 0.3.0 - Mend

@veraxhq/verax 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (152) hide show

package/README.md +14 -18
package/bin/verax.js +7 -0
package/package.json +3 -3
package/src/cli/commands/baseline.js +104 -0
package/src/cli/commands/default.js +79 -25
package/src/cli/commands/ga.js +243 -0
package/src/cli/commands/gates.js +95 -0
package/src/cli/commands/inspect.js +131 -2
package/src/cli/commands/release-check.js +213 -0
package/src/cli/commands/run.js +246 -35
package/src/cli/commands/security-check.js +211 -0
package/src/cli/commands/truth.js +114 -0
package/src/cli/entry.js +304 -67
package/src/cli/util/angular-component-extractor.js +179 -0
package/src/cli/util/angular-navigation-detector.js +141 -0
package/src/cli/util/angular-network-detector.js +161 -0
package/src/cli/util/angular-state-detector.js +162 -0
package/src/cli/util/ast-interactive-detector.js +546 -0
package/src/cli/util/ast-network-detector.js +603 -0
package/src/cli/util/ast-usestate-detector.js +602 -0
package/src/cli/util/bootstrap-guard.js +86 -0
package/src/cli/util/determinism-runner.js +123 -0
package/src/cli/util/determinism-writer.js +129 -0
package/src/cli/util/env-url.js +4 -0
package/src/cli/util/expectation-extractor.js +369 -73
package/src/cli/util/findings-writer.js +126 -16
package/src/cli/util/learn-writer.js +3 -1
package/src/cli/util/observe-writer.js +3 -1
package/src/cli/util/paths.js +3 -12
package/src/cli/util/project-discovery.js +3 -0
package/src/cli/util/project-writer.js +3 -1
package/src/cli/util/run-resolver.js +64 -0
package/src/cli/util/source-requirement.js +55 -0
package/src/cli/util/summary-writer.js +1 -0
package/src/cli/util/svelte-navigation-detector.js +163 -0
package/src/cli/util/svelte-network-detector.js +80 -0
package/src/cli/util/svelte-sfc-extractor.js +147 -0
package/src/cli/util/svelte-state-detector.js +243 -0
package/src/cli/util/vue-navigation-detector.js +177 -0
package/src/cli/util/vue-sfc-extractor.js +162 -0
package/src/cli/util/vue-state-detector.js +215 -0
package/src/verax/cli/finding-explainer.js +56 -3
package/src/verax/core/artifacts/registry.js +154 -0
package/src/verax/core/artifacts/verifier.js +980 -0
package/src/verax/core/baseline/baseline.enforcer.js +137 -0
package/src/verax/core/baseline/baseline.snapshot.js +231 -0
package/src/verax/core/capabilities/gates.js +499 -0
package/src/verax/core/capabilities/registry.js +475 -0
package/src/verax/core/confidence/confidence-compute.js +137 -0
package/src/verax/core/confidence/confidence-invariants.js +234 -0
package/src/verax/core/confidence/confidence-report-writer.js +112 -0
package/src/verax/core/confidence/confidence-weights.js +44 -0
package/src/verax/core/confidence/confidence.defaults.js +65 -0
package/src/verax/core/confidence/confidence.loader.js +79 -0
package/src/verax/core/confidence/confidence.schema.js +94 -0
package/src/verax/core/confidence-engine-refactor.js +484 -0
package/src/verax/core/confidence-engine.js +486 -0
package/src/verax/core/confidence-engine.js.backup +471 -0
package/src/verax/core/contracts/index.js +29 -0
package/src/verax/core/contracts/types.js +185 -0
package/src/verax/core/contracts/validators.js +381 -0
package/src/verax/core/decision-snapshot.js +30 -3
package/src/verax/core/decisions/decision.trace.js +276 -0
package/src/verax/core/determinism/contract-writer.js +89 -0
package/src/verax/core/determinism/contract.js +139 -0
package/src/verax/core/determinism/diff.js +364 -0
package/src/verax/core/determinism/engine.js +221 -0
package/src/verax/core/determinism/finding-identity.js +148 -0
package/src/verax/core/determinism/normalize.js +438 -0
package/src/verax/core/determinism/report-writer.js +92 -0
package/src/verax/core/determinism/run-fingerprint.js +118 -0
package/src/verax/core/dynamic-route-intelligence.js +528 -0
package/src/verax/core/evidence/evidence-capture-service.js +307 -0
package/src/verax/core/evidence/evidence-intent-ledger.js +165 -0
package/src/verax/core/evidence-builder.js +487 -0
package/src/verax/core/execution-mode-context.js +77 -0
package/src/verax/core/execution-mode-detector.js +190 -0
package/src/verax/core/failures/exit-codes.js +86 -0
package/src/verax/core/failures/failure-summary.js +76 -0
package/src/verax/core/failures/failure.factory.js +225 -0
package/src/verax/core/failures/failure.ledger.js +132 -0
package/src/verax/core/failures/failure.types.js +196 -0
package/src/verax/core/failures/index.js +10 -0
package/src/verax/core/ga/ga-report-writer.js +43 -0
package/src/verax/core/ga/ga.artifact.js +49 -0
package/src/verax/core/ga/ga.contract.js +434 -0
package/src/verax/core/ga/ga.enforcer.js +86 -0
package/src/verax/core/guardrails/guardrails-report-writer.js +109 -0
package/src/verax/core/guardrails/policy.defaults.js +210 -0
package/src/verax/core/guardrails/policy.loader.js +83 -0
package/src/verax/core/guardrails/policy.schema.js +110 -0
package/src/verax/core/guardrails/truth-reconciliation.js +136 -0
package/src/verax/core/guardrails-engine.js +505 -0
package/src/verax/core/observe/run-timeline.js +316 -0
package/src/verax/core/perf/perf.contract.js +186 -0
package/src/verax/core/perf/perf.display.js +65 -0
package/src/verax/core/perf/perf.enforcer.js +91 -0
package/src/verax/core/perf/perf.monitor.js +209 -0
package/src/verax/core/perf/perf.report.js +198 -0
package/src/verax/core/pipeline-tracker.js +238 -0
package/src/verax/core/product-definition.js +127 -0
package/src/verax/core/release/provenance.builder.js +271 -0
package/src/verax/core/release/release-report-writer.js +40 -0
package/src/verax/core/release/release.enforcer.js +159 -0
package/src/verax/core/release/reproducibility.check.js +221 -0
package/src/verax/core/release/sbom.builder.js +283 -0
package/src/verax/core/report/cross-index.js +192 -0
package/src/verax/core/report/human-summary.js +222 -0
package/src/verax/core/route-intelligence.js +419 -0
package/src/verax/core/security/secrets.scan.js +326 -0
package/src/verax/core/security/security-report.js +50 -0
package/src/verax/core/security/security.enforcer.js +124 -0
package/src/verax/core/security/supplychain.defaults.json +38 -0
package/src/verax/core/security/supplychain.policy.js +326 -0
package/src/verax/core/security/vuln.scan.js +265 -0
package/src/verax/core/truth/truth.certificate.js +250 -0
package/src/verax/core/ui-feedback-intelligence.js +515 -0
package/src/verax/detect/confidence-engine.js +628 -40
package/src/verax/detect/confidence-helper.js +33 -0
package/src/verax/detect/detection-engine.js +18 -1
package/src/verax/detect/dynamic-route-findings.js +335 -0
package/src/verax/detect/expectation-chain-detector.js +417 -0
package/src/verax/detect/expectation-model.js +3 -1
package/src/verax/detect/findings-writer.js +141 -5
package/src/verax/detect/index.js +229 -5
package/src/verax/detect/journey-stall-detector.js +558 -0
package/src/verax/detect/route-findings.js +218 -0
package/src/verax/detect/ui-feedback-findings.js +207 -0
package/src/verax/detect/verdict-engine.js +57 -3
package/src/verax/detect/view-switch-correlator.js +242 -0
package/src/verax/index.js +413 -45
package/src/verax/learn/action-contract-extractor.js +682 -64
package/src/verax/learn/route-validator.js +4 -1
package/src/verax/observe/index.js +88 -843
package/src/verax/observe/interaction-runner.js +25 -8
package/src/verax/observe/observe-context.js +205 -0
package/src/verax/observe/observe-helpers.js +191 -0
package/src/verax/observe/observe-runner.js +226 -0
package/src/verax/observe/observers/budget-observer.js +185 -0
package/src/verax/observe/observers/console-observer.js +102 -0
package/src/verax/observe/observers/coverage-observer.js +107 -0
package/src/verax/observe/observers/interaction-observer.js +471 -0
package/src/verax/observe/observers/navigation-observer.js +132 -0
package/src/verax/observe/observers/network-observer.js +87 -0
package/src/verax/observe/observers/safety-observer.js +82 -0
package/src/verax/observe/observers/ui-feedback-observer.js +99 -0
package/src/verax/observe/ui-feedback-detector.js +742 -0
package/src/verax/observe/ui-signal-sensor.js +148 -2
package/src/verax/scan-summary-writer.js +42 -8
package/src/verax/shared/artifact-manager.js +8 -5
package/src/verax/shared/css-spinner-rules.js +204 -0
package/src/verax/shared/view-switch-rules.js +208 -0

package/src/verax/core/security/supplychain.policy.js ADDED Viewed

@@ -0,0 +1,326 @@
+/**
+ * PHASE 21.8 — Supply-Chain Policy
+ *
+ * Enforces supply-chain security policies:
+ * - License allowlist/denylist
+ * - Integrity hash requirements
+ * - Postinstall script restrictions
+ */
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import DEFAULT_POLICY from './supplychain.defaults.json' with { type: 'json' };
+/**
+ * Load supply-chain policy
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Policy object
+ */
+export function loadSupplyChainPolicy(projectDir) {
+  const customPath = resolve(projectDir, 'supplychain.policy.json');
+  if (existsSync(customPath)) {
+    try {
+      const custom = JSON.parse(readFileSync(customPath, 'utf-8'));
+      // Merge with defaults (custom overrides)
+      return {
+        ...DEFAULT_POLICY,
+        ...custom,
+        licensePolicy: {
+          ...DEFAULT_POLICY.licensePolicy,
+          ...(custom.licensePolicy || {})
+        },
+        integrityPolicy: {
+          ...DEFAULT_POLICY.integrityPolicy,
+          ...(custom.integrityPolicy || {})
+        },
+        scriptPolicy: {
+          ...DEFAULT_POLICY.scriptPolicy,
+          ...(custom.scriptPolicy || {})
+        },
+        sourcePolicy: {
+          ...DEFAULT_POLICY.sourcePolicy,
+          ...(custom.sourcePolicy || {})
+        }
+      };
+    } catch {
+      // Invalid custom policy, use defaults
+    }
+  }
+  return DEFAULT_POLICY;
+}
+/**
+ * Get package.json dependencies
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Dependencies
+ */
+function getDependencies(projectDir) {
+  try {
+    const pkgPath = resolve(projectDir, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return { dependencies: {}, devDependencies: {} };
+    }
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return {
+      dependencies: pkg.dependencies || {},
+      devDependencies: pkg.devDependencies || {}
+    };
+  } catch {
+    return { dependencies: {}, devDependencies: {} };
+  }
+}
+/**
+ * Get package license from node_modules
+ *
+ * @param {string} projectDir - Project directory
+ * @param {string} packageName - Package name
+ * @returns {string|null} License or null
+ */
+function getPackageLicense(projectDir, packageName) {
+  try {
+    const pkgPath = resolve(projectDir, 'node_modules', packageName, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return null;
+    }
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    if (typeof pkg.license === 'string') {
+      return pkg.license;
+    } else if (pkg.license && pkg.license.type) {
+      return pkg.license.type;
+    } else if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
+      return pkg.licenses[0].type || pkg.licenses[0];
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Check package-lock.json for integrity hashes
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Integrity check results
+ */
+function checkIntegrityHashes(projectDir) {
+  const lockPath = resolve(projectDir, 'package-lock.json');
+  const missing = [];
+  if (!existsSync(lockPath)) {
+    return { missing: [], total: 0 };
+  }
+  try {
+    const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
+    const packages = lock.packages || {};
+    let total = 0;
+    for (const [path, pkg] of Object.entries(packages)) {
+      if (path && pkg && pkg.version) {
+        total++;
+        if (!pkg.integrity && !pkg.resolved?.includes('file:')) {
+          missing.push({
+            package: pkg.name || path,
+            path: path,
+            version: pkg.version
+          });
+        }
+      }
+    }
+    return { missing, total };
+  } catch {
+    return { missing: [], total: 0 };
+  }
+}
+/**
+ * Check for postinstall scripts
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Array} Packages with postinstall scripts
+ */
+function checkPostinstallScripts(projectDir) {
+  const packages = [];
+  const nodeModulesPath = resolve(projectDir, 'node_modules');
+  if (!existsSync(nodeModulesPath)) {
+    return packages;
+  }
+  try {
+    const { readdirSync } = require('fs');
+    const entries = readdirSync(nodeModulesPath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.isDirectory() && !entry.name.startsWith('.')) {
+        const pkgPath = resolve(nodeModulesPath, entry.name, 'package.json');
+        if (existsSync(pkgPath)) {
+          try {
+            const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+            if (pkg.scripts) {
+              if (pkg.scripts.postinstall || pkg.scripts.preinstall || pkg.scripts.install) {
+                packages.push({
+                  name: pkg.name || entry.name,
+                  version: pkg.version || 'unknown',
+                  scripts: Object.keys(pkg.scripts).filter(s =>
+                    ['postinstall', 'preinstall', 'install'].includes(s)
+                  )
+                });
+              }
+            }
+          } catch {
+            // Skip invalid packages
+          }
+        }
+      }
+    }
+  } catch {
+    // If scanning fails, return empty
+  }
+  return packages;
+}
+/**
+ * Evaluate supply-chain policy
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Evaluation results
+ */
+export async function evaluateSupplyChainPolicy(projectDir) {
+  const policy = loadSupplyChainPolicy(projectDir);
+  const deps = getDependencies(projectDir);
+  const violations = [];
+  const warnings = [];
+  // Check licenses
+  const allDeps = { ...deps.dependencies, ...deps.devDependencies };
+  for (const [packageName] of Object.entries(allDeps)) {
+    const license = getPackageLicense(projectDir, packageName);
+    if (license) {
+      // Check denylist
+      if (policy.licensePolicy.denylist.includes(license)) {
+        violations.push({
+          type: 'FORBIDDEN_LICENSE',
+          package: packageName,
+          license: license,
+          severity: 'BLOCKING',
+          message: `Package ${packageName} uses forbidden license: ${license}`
+        });
+      }
+      // Check allowlist (if strict mode)
+      if (policy.licensePolicy.strictMode && !policy.licensePolicy.allowlist.includes(license)) {
+        violations.push({
+          type: 'UNALLOWED_LICENSE',
+          package: packageName,
+          license: license,
+          severity: 'BLOCKING',
+          message: `Package ${packageName} uses unallowed license: ${license}`
+        });
+      }
+    } else {
+      warnings.push({
+        type: 'MISSING_LICENSE',
+        package: packageName,
+        message: `Package ${packageName} has no license information`
+      });
+    }
+  }
+  // Check integrity hashes
+  if (policy.integrityPolicy.requireIntegrityHash) {
+    const integrityCheck = checkIntegrityHashes(projectDir);
+    for (const missing of integrityCheck.missing) {
+      if (!policy.integrityPolicy.allowedMissingIntegrity.includes(missing.package)) {
+        violations.push({
+          type: 'MISSING_INTEGRITY',
+          package: missing.package,
+          version: missing.version,
+          severity: 'BLOCKING',
+          message: `Package ${missing.package}@${missing.version} missing integrity hash`
+        });
+      }
+    }
+  }
+  // Check postinstall scripts
+  if (policy.scriptPolicy.forbidPostinstall ||
+      policy.scriptPolicy.forbidPreinstall ||
+      policy.scriptPolicy.forbidInstall) {
+    const scripts = checkPostinstallScripts(projectDir);
+    for (const pkg of scripts) {
+      const forbiddenScripts = pkg.scripts.filter(s => {
+        if (s === 'postinstall' && policy.scriptPolicy.forbidPostinstall) return true;
+        if (s === 'preinstall' && policy.scriptPolicy.forbidPreinstall) return true;
+        if (s === 'install' && policy.scriptPolicy.forbidInstall) return true;
+        return false;
+      });
+      if (forbiddenScripts.length > 0 && !policy.scriptPolicy.allowlist.includes(pkg.name)) {
+        violations.push({
+          type: 'FORBIDDEN_SCRIPT',
+          package: pkg.name,
+          version: pkg.version,
+          scripts: forbiddenScripts,
+          severity: 'BLOCKING',
+          message: `Package ${pkg.name} has forbidden scripts: ${forbiddenScripts.join(', ')}`
+        });
+      }
+    }
+  }
+  const ok = violations.length === 0;
+  return {
+    ok,
+    violations,
+    warnings,
+    summary: {
+      totalViolations: violations.length,
+      totalWarnings: warnings.length,
+      byType: violations.reduce((acc, v) => {
+        acc[v.type] = (acc[v.type] || 0) + 1;
+        return acc;
+      }, {}),
+      evaluatedAt: new Date().toISOString()
+    },
+    policy: {
+      version: policy.version,
+      licensePolicy: {
+        allowlist: policy.licensePolicy.allowlist,
+        denylist: policy.licensePolicy.denylist,
+        strictMode: policy.licensePolicy.strictMode
+      }
+    }
+  };
+}
+/**
+ * Write supply-chain report
+ *
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Evaluation results
+ * @returns {string} Path to written file
+ */
+export function writeSupplyChainReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  const outputPath = resolve(outputDir, 'security.supplychain.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  return outputPath;
+}

package/src/verax/core/security/vuln.scan.js ADDED Viewed

@@ -0,0 +1,265 @@
+/**
+ * PHASE 21.8 — Vulnerability Scanner
+ *
+ * Scans dependencies for vulnerabilities using npm audit.
+ * HIGH/CRITICAL = BLOCKING, MEDIUM = WARNING (configurable).
+ */
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { execSync } from 'child_process';
+/**
+ * Check if OSV scanner is available
+ *
+ * @returns {boolean} Whether osv-scanner is available
+ */
+function checkOSVAvailable() {
+  try {
+    execSync('osv-scanner --version', {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 5000
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+/**
+ * Run npm audit
+ *
+ * @param {string} projectDir - Project directory
+ * @returns {Object|null} Audit results or null
+ */
+function runNpmAudit(projectDir) {
+  try {
+    const result = execSync('npm audit --json', {
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'pipe']
+    });
+    return JSON.parse(result);
+  } catch (error) {
+    // npm audit exits with non-zero on vulnerabilities
+    try {
+      const stderr = error.stderr?.toString() || '';
+      const stdout = error.stdout?.toString() || '';
+      const output = stdout || stderr;
+      if (output) {
+        return JSON.parse(output);
+      }
+    } catch {
+      // Failed to parse
+    }
+    return null;
+  }
+}
+/**
+ * Parse vulnerabilities from audit results
+ *
+ * @param {Object} auditResults - npm audit JSON output
+ * @returns {Array} Array of vulnerabilities
+ */
+function parseVulnerabilities(auditResults) {
+  const vulnerabilities = [];
+  if (!auditResults || !auditResults.vulnerabilities) {
+    return vulnerabilities;
+  }
+  for (const [packageName, vulnData] of Object.entries(auditResults.vulnerabilities)) {
+    if (Array.isArray(vulnData)) {
+      for (const vuln of vulnData) {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+          title: vuln.title || vuln.name || 'Unknown vulnerability',
+          url: vuln.url || null,
+          dependencyOf: vuln.dependencyOf || null,
+          via: vuln.via || null
+        });
+      }
+    } else if (vulnData.vulnerabilities) {
+      for (const vuln of vulnData.vulnerabilities) {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+          title: vuln.title || vuln.name || 'Unknown vulnerability',
+          url: vuln.url || null,
+          dependencyOf: vulnData.dependencyOf || null,
+          via: vuln.via || null
+        });
+      }
+    }
+  }
+  return vulnerabilities;
+}
+/**
+ * Scan for vulnerabilities
+ *
+ * @param {string} projectDir - Project directory
+ * @param {Object} options - Options
+ * @param {boolean} options.blockMedium - Block MEDIUM severity (default: false)
+ * @param {boolean} options.requireOSV - Require OSV scanner (default: false)
+ * @returns {Promise<Object>} Scan results
+ */
+export async function scanVulnerabilities(projectDir, options = {}) {
+  const { blockMedium = false, requireOSV = false } = options;
+  // Check OSV availability
+  const osvAvailable = checkOSVAvailable();
+  let osvResults = null;
+  if (osvAvailable) {
+    try {
+      // Run OSV scanner
+      const osvOutput = execSync('osv-scanner --format=json .', {
+        cwd: projectDir,
+        encoding: 'utf-8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 60000
+      });
+      try {
+        osvResults = JSON.parse(osvOutput);
+      } catch {
+        // OSV scanner may output non-JSON on errors
+      }
+    } catch {
+      // OSV scanner failed, fall back to npm audit
+    }
+  }
+  // Always try npm audit as fallback
+  const auditResults = runNpmAudit(projectDir);
+  if (!auditResults && !osvResults) {
+    if (requireOSV && !osvAvailable) {
+      return {
+        ok: false,
+        error: 'OSV scanner not available',
+        availability: 'NOT_AVAILABLE',
+        tool: null,
+        vulnerabilities: [],
+        summary: {
+          total: 0,
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0,
+          scannedAt: new Date().toISOString()
+        }
+      };
+    }
+    return {
+      ok: false,
+      error: 'Failed to run npm audit',
+      availability: 'FAILED',
+      tool: 'NPM_AUDIT',
+      vulnerabilities: [],
+      summary: {
+        total: 0,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        scannedAt: new Date().toISOString()
+      }
+    };
+  }
+  // Parse vulnerabilities from npm audit (primary source)
+  let vulnerabilities = [];
+  if (auditResults) {
+    vulnerabilities = parseVulnerabilities(auditResults);
+  }
+  // Merge OSV results if available
+  if (osvResults && osvResults.results) {
+    for (const result of osvResults.results) {
+      if (result.packages && Array.isArray(result.packages)) {
+        for (const pkg of result.packages) {
+          if (result.vulnerabilities && Array.isArray(result.vulnerabilities)) {
+            for (const vuln of result.vulnerabilities) {
+              // Avoid duplicates (merge by package + ID)
+              const existing = vulnerabilities.find(v =>
+                v.package === pkg.package?.name &&
+                v.osvId === vuln.id
+              );
+              if (!existing) {
+                vulnerabilities.push({
+                  package: pkg.package?.name || 'unknown',
+                  severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+                  title: vuln.summary || vuln.id || 'Unknown vulnerability',
+                  url: vuln.database_specific?.url || vuln.id ? `https://osv.dev/vulnerability/${vuln.id}` : null,
+                  osvId: vuln.id,
+                  source: 'OSV'
+                });
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  const critical = vulnerabilities.filter(v => v.severity === 'CRITICAL');
+  const high = vulnerabilities.filter(v => v.severity === 'HIGH');
+  const medium = vulnerabilities.filter(v => v.severity === 'MEDIUM');
+  const low = vulnerabilities.filter(v => v.severity === 'LOW');
+  // BLOCKING: CRITICAL or HIGH
+  // WARNING: MEDIUM (blocking if blockMedium=true)
+  const blocking = critical.length > 0 || high.length > 0 || (blockMedium && medium.length > 0);
+  return {
+    ok: !blocking,
+    blocking,
+    availability: osvAvailable ? 'AVAILABLE' : 'NOT_AVAILABLE',
+    tool: osvAvailable ? 'OSV_SCANNER' : (auditResults ? 'NPM_AUDIT' : null),
+    osvAvailable,
+    vulnerabilities,
+    summary: {
+      total: vulnerabilities.length,
+      critical: critical.length,
+      high: high.length,
+      medium: medium.length,
+      low: low.length,
+      blocking,
+      warnings: blockMedium ? 0 : medium.length,
+      scannedAt: new Date().toISOString()
+    },
+    metadata: {
+      auditVersion: auditResults?.auditReportVersion || null,
+      npmVersion: auditResults?.npmVersion || null,
+      osvVersion: osvAvailable ? 'detected' : null
+    }
+  };
+}
+/**
+ * Write vulnerability report
+ *
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Scan results
+ * @returns {string} Path to written file
+ */
+export function writeVulnReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  const outputPath = resolve(outputDir, 'security.vuln.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  return outputPath;
+}