@vertaaux/cli 0.2.0

package/dist/output/sarif.js

@@ -0,0 +1,207 @@
+/**
+ * SARIF 2.1.0 output formatter for CLI.
+ *
+ * Generates SARIF (Static Analysis Results Interchange Format) output
+ * for integration with GitHub Code Scanning and other SARIF consumers.
+ *
+ * @see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ * @see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
+ */
+import { generateFingerprint } from "../baseline/hash.js";
+// Package version for tool.driver.version
+const CLI_VERSION = "0.1.0";
+// GitHub Code Scanning limits
+const MAX_RESULTS = 25000;
+/**
+ * Map CLI/API severity to SARIF level.
+ *
+ * - error/critical -> error
+ * - warning/serious -> warning
+ * - info/minor -> note
+ */
+function mapSeverityToLevel(severity) {
+    const sev = (severity || "info").toLowerCase();
+    switch (sev) {
+        case "error":
+        case "critical":
+            return "error";
+        case "warning":
+        case "serious":
+            return "warning";
+        case "info":
+        case "minor":
+        case "moderate":
+            return "note";
+        default:
+            return "note";
+    }
+}
+/**
+ * Get rule ID from issue, checking multiple field names.
+ */
+function getRuleId(issue) {
+    return issue.ruleId || issue.rule_id || issue.id || "unknown";
+}
+/**
+ * Normalize issues from various API response formats.
+ */
+function normalizeIssues(issues) {
+    if (Array.isArray(issues))
+        return issues;
+    if (issues && typeof issues === "object") {
+        const values = Object.values(issues);
+        return values.flatMap((value) => Array.isArray(value) ? value : []);
+    }
+    return [];
+}
+/**
+ * Build unique rules array from issues.
+ */
+function buildRules(issues) {
+    const ruleMap = new Map();
+    for (const issue of issues) {
+        const ruleId = getRuleId(issue);
+        if (ruleMap.has(ruleId))
+            continue;
+        const rule = {
+            id: ruleId,
+            shortDescription: {
+                text: issue.title || issue.description?.slice(0, 100) || ruleId,
+            },
+            defaultConfiguration: {
+                level: mapSeverityToLevel(issue.severity),
+            },
+        };
+        // Add full description if different from short
+        if (issue.description && issue.description.length > 100) {
+            rule.fullDescription = { text: issue.description };
+        }
+        // Add help URI from WCAG reference
+        if (issue.wcag_reference) {
+            // Extract WCAG criterion and build URL
+            const wcagMatch = issue.wcag_reference.match(/\d+\.\d+\.\d+/);
+            if (wcagMatch) {
+                rule.helpUri = `https://www.w3.org/WAI/WCAG21/Understanding/${wcagMatch[0].replace(/\./g, "-")}.html`;
+            }
+        }
+        // Add category as property
+        if (issue.category) {
+            rule.properties = {
+                category: issue.category,
+            };
+        }
+        ruleMap.set(ruleId, rule);
+    }
+    return Array.from(ruleMap.values());
+}
+/**
+ * Get artifact URI from issue and base URL.
+ *
+ * Returns relative path if possible, otherwise full URL.
+ */
+function getArtifactUri(issue, baseUrl) {
+    // If we have a selector, use a relative path based on URL
+    // Otherwise use the base URL or a placeholder
+    if (baseUrl) {
+        try {
+            const url = new URL(baseUrl);
+            // Return path portion as relative URI
+            return url.pathname || "/";
+        }
+        catch {
+            return baseUrl;
+        }
+    }
+    return "index.html";
+}
+/**
+ * Build SARIF result from issue.
+ */
+function buildResult(issue, baseUrl, options) {
+    const ruleId = getRuleId(issue);
+    const fingerprint = generateFingerprint(issue);
+    const result = {
+        ruleId,
+        message: {
+            text: issue.description || issue.title || "No description provided",
+        },
+        level: mapSeverityToLevel(issue.severity),
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: {
+                        uri: getArtifactUri(issue, baseUrl),
+                    },
+                },
+            },
+        ],
+        partialFingerprints: {
+            primaryLocationLineHash: fingerprint,
+        },
+    };
+    // Add suppression if issue is baselined
+    if (options?.includeBaseline && options.baselineFingerprints?.has(fingerprint)) {
+        result.suppressions = [
+            {
+                kind: "external",
+                justification: "Issue was baselined as existing technical debt",
+            },
+        ];
+    }
+    return result;
+}
+/**
+ * Format audit result as SARIF 2.1.0 JSON.
+ *
+ * @param result - Audit result from API
+ * @param options - Formatting options
+ * @returns SARIF 2.1.0 JSON string
+ *
+ * @example
+ * ```typescript
+ * const sarif = formatSarif(auditResult, {
+ *   workingDirectory: process.cwd(),
+ *   includeBaseline: true,
+ *   baselineFingerprints: new Set(['abc123...'])
+ * });
+ * ```
+ */
+export function formatSarif(result, options) {
+    const issues = normalizeIssues(result.issues);
+    const rules = buildRules(issues);
+    const results = issues.map((issue) => buildResult(issue, result.url, options));
+    // Warn if approaching GitHub limits
+    if (results.length > MAX_RESULTS * 0.9) {
+        console.error(`Warning: ${results.length} results approaching GitHub limit of ${MAX_RESULTS}`);
+    }
+    // Truncate if exceeding limit
+    const truncatedResults = results.slice(0, MAX_RESULTS);
+    if (results.length > MAX_RESULTS) {
+        console.error(`Warning: Truncated ${results.length - MAX_RESULTS} results to meet GitHub limit`);
+    }
+    const sarifLog = {
+        $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "VertaaUX",
+                        version: CLI_VERSION,
+                        informationUri: "https://vertaaux.ai",
+                        rules,
+                    },
+                },
+                results: truncatedResults,
+            },
+        ],
+    };
+    // Add invocation if working directory specified
+    if (options?.workingDirectory) {
+        sarifLog.runs[0].invocation = {
+            workingDirectory: { uri: `file://${options.workingDirectory}` },
+            executionSuccessful: !result.error,
+        };
+    }
+    return JSON.stringify(sarifLog, null, 2);
+}

package/dist/policy/evaluator.d.ts

@@ -0,0 +1,111 @@
+/**
+ * Policy evaluation against audit results.
+ *
+ * Evaluates audit results against policy assertions,
+ * applying rule overrides and path exclusions.
+ *
+ * Implements CICD-17: Policy-as-code support.
+ */
+import type { PolicyFile, RuleOverride } from "./schema.js";
+import type { Issue } from "../baseline/hash.js";
+/**
+ * Audit result subset needed for policy evaluation.
+ */
+export interface AuditResultForPolicy {
+    /** Issues found during audit */
+    issues?: Issue[] | Record<string, Issue[]>;
+    /** Score breakdown */
+    scores?: Record<string, number | unknown>;
+}
+/**
+ * Policy violation details.
+ */
+export interface PolicyViolation {
+    /** Type of violation */
+    type: "score_threshold" | "issue_limit" | "severity_breach";
+    /** Human-readable message */
+    message: string;
+    /** Actual value that caused violation */
+    actual: number;
+    /** Threshold that was breached */
+    threshold: number;
+    /** Additional context */
+    context?: {
+        category?: string;
+        severity?: string;
+    };
+}
+/**
+ * Result of policy evaluation.
+ */
+export interface PolicyEvaluationResult {
+    /** Whether policy passed */
+    passed: boolean;
+    /** List of policy violations */
+    violations: PolicyViolation[];
+    /** Issues with applied rule overrides */
+    adjustedIssues: Issue[];
+    /** Rules that were ignored by policy */
+    ignoredRules: string[];
+    /** Summary of evaluation */
+    summary: {
+        /** Issues by severity after adjustments */
+        issueCounts: {
+            error: number;
+            warning: number;
+            info: number;
+        };
+        /** Number of issues ignored by rule overrides */
+        ignoredCount: number;
+        /** Score breakdown */
+        scores: Record<string, number>;
+    };
+}
+/**
+ * Apply rule overrides to issues.
+ *
+ * Returns adjusted issues with modified severities,
+ * and list of issues that were ignored.
+ *
+ * @param issues - Original issues from audit
+ * @param rules - Rule override configuration
+ * @param currentPath - Current file path for path-specific overrides
+ * @returns Adjusted issues and list of ignored rule IDs
+ */
+export declare function applyRuleOverrides(issues: Issue[], rules: Record<string, RuleOverride>, currentPath?: string): {
+    adjusted: Issue[];
+    ignored: Issue[];
+    ignoredRules: string[];
+};
+/**
+ * Filter issues by excluded paths.
+ *
+ * @param issues - Issues to filter
+ * @param excludePaths - Path patterns to exclude
+ * @returns Filtered issues
+ */
+export declare function filterExcludedPaths(issues: Issue[], excludePaths: string[]): Issue[];
+/**
+ * Evaluate audit result against policy.
+ *
+ * Evaluation order:
+ * 1. Apply rule overrides (change severity, ignore rules)
+ * 2. Filter issues for excluded paths
+ * 3. Check threshold assertions
+ * 4. Check issue count limits
+ * 5. Check severity breach
+ *
+ * @param auditResult - Audit result with issues and scores
+ * @param newIssues - New issues only (from baseline diff)
+ * @param policy - Policy configuration
+ * @param options - Additional options
+ * @returns Evaluation result with pass/fail status and violations
+ */
+export declare function evaluatePolicy(auditResult: AuditResultForPolicy, newIssues: Issue[], policy: PolicyFile, options?: {
+    currentPath?: string;
+}): PolicyEvaluationResult;
+/**
+ * Format policy evaluation result for human-readable output.
+ */
+export declare function formatPolicyResult(result: PolicyEvaluationResult): string;
+//# sourceMappingURL=evaluator.d.ts.map

package/dist/policy/evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/policy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAoB,MAAM,aAAa,CAAC;AAC9E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAEjD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gCAAgC;IAChC,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3C,sBAAsB;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,wBAAwB;IACxB,IAAI,EAAE,iBAAiB,GAAG,aAAa,GAAG,iBAAiB,CAAC;IAC5D,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,OAAO,CAAC,EAAE;QACR,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,4BAA4B;IAC5B,MAAM,EAAE,OAAO,CAAC;IAEhB,gCAAgC;IAChC,UAAU,EAAE,eAAe,EAAE,CAAC;IAE9B,yCAAyC;IACzC,cAAc,EAAE,KAAK,EAAE,CAAC;IAExB,wCAAwC;IACxC,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB,4BAA4B;IAC5B,OAAO,EAAE;QACP,2CAA2C;QAC3C,WAAW,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;QAC9D,iDAAiD;QACjD,YAAY,EAAE,MAAM,CAAC;QACrB,sBAAsB;QACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC,CAAC;CACH;AAkGD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,KAAK,EAAE,EACf,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,EACnC,WAAW,CAAC,EAAE,MAAM,GACnB;IAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAAC,OAAO,EAAE,KAAK,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAA;CAAE,CAsCjE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,KAAK,EAAE,EACf,YAAY,EAAE,MAAM,EAAE,GACrB,KAAK,EAAE,CAcT;AA8ID;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,oBAAoB,EACjC,SAAS,EAAE,KAAK,EAAE,EAClB,MAAM,EAAE,UAAU,EAClB,OAAO,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GACjC,sBAAsB,CA2CxB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,sBAAsB,GAAG,MAAM,CAiDzE"}

package/dist/policy/evaluator.js

@@ -0,0 +1,362 @@
+/**
+ * Policy evaluation against audit results.
+ *
+ * Evaluates audit results against policy assertions,
+ * applying rule overrides and path exclusions.
+ *
+ * Implements CICD-17: Policy-as-code support.
+ */
+import { minimatch } from "minimatch";
+/** Severity ranking for comparison */
+const SEVERITY_RANK = {
+    error: 3,
+    critical: 3,
+    warning: 2,
+    serious: 2,
+    info: 1,
+    minor: 1,
+    moderate: 1,
+};
+/**
+ * Get severity rank for comparison.
+ */
+function severityRank(severity) {
+    return SEVERITY_RANK[severity.toLowerCase()] ?? 0;
+}
+/**
+ * Normalize severity to canonical values.
+ */
+function normalizeSeverity(severity) {
+    const lower = (severity || "info").toLowerCase();
+    switch (lower) {
+        case "error":
+        case "critical":
+            return "error";
+        case "warning":
+        case "serious":
+            return "warning";
+        default:
+            return "info";
+    }
+}
+/**
+ * Get the rule ID from an issue, checking multiple field names.
+ */
+function getRuleId(issue) {
+    return issue.ruleId || issue.rule_id || issue.id || "";
+}
+/**
+ * Normalize issues from various API response formats to array.
+ */
+function normalizeIssues(issues) {
+    if (Array.isArray(issues)) {
+        return issues;
+    }
+    if (issues && typeof issues === "object") {
+        const values = Object.values(issues);
+        return values.flatMap((value) => Array.isArray(value) ? value : []);
+    }
+    return [];
+}
+/**
+ * Extract numeric scores from audit result.
+ */
+function extractScores(scores) {
+    const result = {};
+    if (!scores)
+        return result;
+    for (const [key, value] of Object.entries(scores)) {
+        if (typeof value === "number" && Number.isFinite(value)) {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+/**
+ * Count issues by normalized severity.
+ */
+function countBySeverity(issues) {
+    const counts = { error: 0, warning: 0, info: 0 };
+    for (const issue of issues) {
+        const normalized = normalizeSeverity(issue.severity || "info");
+        counts[normalized]++;
+    }
+    return counts;
+}
+/**
+ * Check if a path matches any of the given patterns.
+ */
+function pathMatches(filePath, patterns) {
+    return patterns.some((pattern) => minimatch(filePath, pattern));
+}
+/**
+ * Apply rule overrides to issues.
+ *
+ * Returns adjusted issues with modified severities,
+ * and list of issues that were ignored.
+ *
+ * @param issues - Original issues from audit
+ * @param rules - Rule override configuration
+ * @param currentPath - Current file path for path-specific overrides
+ * @returns Adjusted issues and list of ignored rule IDs
+ */
+export function applyRuleOverrides(issues, rules, currentPath) {
+    const adjusted = [];
+    const ignored = [];
+    const ignoredRules = new Set();
+    for (const issue of issues) {
+        const ruleId = getRuleId(issue);
+        const override = rules[ruleId];
+        // No override for this rule
+        if (!override) {
+            adjusted.push(issue);
+            continue;
+        }
+        // Check path filter if specified
+        if (override.paths && currentPath) {
+            if (!pathMatches(currentPath, override.paths)) {
+                // Path doesn't match, skip override
+                adjusted.push(issue);
+                continue;
+            }
+        }
+        // Apply severity override
+        if (override.severity === "ignore") {
+            ignored.push(issue);
+            ignoredRules.add(ruleId);
+        }
+        else {
+            // Change severity
+            adjusted.push({
+                ...issue,
+                severity: override.severity,
+            });
+        }
+    }
+    return { adjusted, ignored, ignoredRules: Array.from(ignoredRules) };
+}
+/**
+ * Filter issues by excluded paths.
+ *
+ * @param issues - Issues to filter
+ * @param excludePaths - Path patterns to exclude
+ * @returns Filtered issues
+ */
+export function filterExcludedPaths(issues, excludePaths) {
+    if (!excludePaths || excludePaths.length === 0) {
+        return issues;
+    }
+    return issues.filter((issue) => {
+        // If issue has a path/file, check if it's excluded
+        const issuePath = issue.path;
+        if (issuePath && pathMatches(issuePath, excludePaths)) {
+            return false;
+        }
+        return true;
+    });
+}
+/**
+ * Check score threshold violations.
+ */
+function checkScoreThresholds(scores, assertions) {
+    const violations = [];
+    // Map assertion keys to score keys
+    const thresholdMap = [
+        {
+            assertionKey: "overall_score",
+            scoreKeys: ["overall", "total", "ux"],
+            label: "overall",
+        },
+        {
+            assertionKey: "accessibility_score",
+            scoreKeys: ["accessibility", "a11y"],
+            label: "accessibility",
+        },
+        { assertionKey: "ux_score", scoreKeys: ["ux", "usability"], label: "UX" },
+        {
+            assertionKey: "performance_score",
+            scoreKeys: ["performance", "perf"],
+            label: "performance",
+        },
+    ];
+    for (const { assertionKey, scoreKeys, label } of thresholdMap) {
+        const threshold = assertions[assertionKey];
+        if (threshold === undefined)
+            continue;
+        // Find the score value using multiple possible keys
+        let actual;
+        for (const key of scoreKeys) {
+            if (scores[key] !== undefined) {
+                actual = scores[key];
+                break;
+            }
+        }
+        if (actual !== undefined && actual < threshold) {
+            violations.push({
+                type: "score_threshold",
+                message: `${label} score ${actual} is below minimum ${threshold}`,
+                actual,
+                threshold,
+                context: { category: label },
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * Check issue count violations.
+ */
+function checkIssueLimits(counts, assertions) {
+    const violations = [];
+    // Check max_new_errors
+    if (assertions.max_new_errors !== undefined &&
+        counts.error > assertions.max_new_errors) {
+        violations.push({
+            type: "issue_limit",
+            message: `${counts.error} error-severity issues exceed maximum ${assertions.max_new_errors}`,
+            actual: counts.error,
+            threshold: assertions.max_new_errors,
+            context: { severity: "error" },
+        });
+    }
+    // Check max_new_warnings
+    if (assertions.max_new_warnings !== undefined &&
+        counts.warning > assertions.max_new_warnings) {
+        violations.push({
+            type: "issue_limit",
+            message: `${counts.warning} warning-severity issues exceed maximum ${assertions.max_new_warnings}`,
+            actual: counts.warning,
+            threshold: assertions.max_new_warnings,
+            context: { severity: "warning" },
+        });
+    }
+    // Check max_new_total
+    const total = counts.error + counts.warning + counts.info;
+    if (assertions.max_new_total !== undefined && total > assertions.max_new_total) {
+        violations.push({
+            type: "issue_limit",
+            message: `${total} total issues exceed maximum ${assertions.max_new_total}`,
+            actual: total,
+            threshold: assertions.max_new_total,
+        });
+    }
+    return violations;
+}
+/**
+ * Check severity-based violations.
+ */
+function checkSeverityBreach(issues, assertions) {
+    if (!assertions.fail_on)
+        return [];
+    const failOnRank = severityRank(assertions.fail_on);
+    const breachingIssues = issues.filter((issue) => severityRank(issue.severity || "info") >= failOnRank);
+    if (breachingIssues.length > 0) {
+        return [
+            {
+                type: "severity_breach",
+                message: `${breachingIssues.length} issues at or above ${assertions.fail_on} severity`,
+                actual: breachingIssues.length,
+                threshold: 0,
+                context: { severity: assertions.fail_on },
+            },
+        ];
+    }
+    return [];
+}
+/**
+ * Evaluate audit result against policy.
+ *
+ * Evaluation order:
+ * 1. Apply rule overrides (change severity, ignore rules)
+ * 2. Filter issues for excluded paths
+ * 3. Check threshold assertions
+ * 4. Check issue count limits
+ * 5. Check severity breach
+ *
+ * @param auditResult - Audit result with issues and scores
+ * @param newIssues - New issues only (from baseline diff)
+ * @param policy - Policy configuration
+ * @param options - Additional options
+ * @returns Evaluation result with pass/fail status and violations
+ */
+export function evaluatePolicy(auditResult, newIssues, policy, options) {
+    const { currentPath } = options || {};
+    // 1. Apply rule overrides
+    const { adjusted, ignored, ignoredRules } = policy.rules
+        ? applyRuleOverrides(newIssues, policy.rules, currentPath)
+        : { adjusted: newIssues, ignored: [], ignoredRules: [] };
+    // 2. Filter excluded paths
+    const filtered = policy.exclude_paths
+        ? filterExcludedPaths(adjusted, policy.exclude_paths)
+        : adjusted;
+    // 3. Extract scores
+    const scores = extractScores(auditResult.scores);
+    // 4. Count issues by severity
+    const issueCounts = countBySeverity(filtered);
+    // 5. Collect violations
+    const violations = [];
+    // Score thresholds
+    violations.push(...checkScoreThresholds(scores, policy.assertions));
+    // Issue limits (applied to new issues)
+    violations.push(...checkIssueLimits(issueCounts, policy.assertions));
+    // Severity breach
+    violations.push(...checkSeverityBreach(filtered, policy.assertions));
+    // 6. Determine result
+    return {
+        passed: violations.length === 0,
+        violations,
+        adjustedIssues: filtered,
+        ignoredRules,
+        summary: {
+            issueCounts,
+            ignoredCount: ignored.length,
+            scores,
+        },
+    };
+}
+/**
+ * Format policy evaluation result for human-readable output.
+ */
+export function formatPolicyResult(result) {
+    const lines = [];
+    // Header
+    if (result.passed) {
+        lines.push("Policy: PASSED");
+    }
+    else {
+        lines.push("Policy: FAILED");
+    }
+    // Summary
+    lines.push("");
+    lines.push("Issue Summary (after adjustments):");
+    lines.push(`  Errors: ${result.summary.issueCounts.error}, Warnings: ${result.summary.issueCounts.warning}, Info: ${result.summary.issueCounts.info}`);
+    if (result.summary.ignoredCount > 0) {
+        lines.push(`  Ignored by policy: ${result.summary.ignoredCount}`);
+    }
+    // Ignored rules
+    if (result.ignoredRules.length > 0) {
+        lines.push("");
+        lines.push(`Ignored rules: ${result.ignoredRules.join(", ")}`);
+    }
+    // Scores
+    const scoreEntries = Object.entries(result.summary.scores);
+    if (scoreEntries.length > 0) {
+        lines.push("");
+        lines.push("Scores:");
+        for (const [category, score] of scoreEntries) {
+            lines.push(`  ${category}: ${score}`);
+        }
+    }
+    // Violations
+    if (result.violations.length > 0) {
+        lines.push("");
+        lines.push(`Violations (${result.violations.length}):`);
+        for (const violation of result.violations) {
+            const context = violation.context
+                ? ` [${Object.values(violation.context).filter(Boolean).join(", ")}]`
+                : "";
+            lines.push(`  - ${violation.message}${context}`);
+        }
+    }
+    return lines.join("\n");
+}

package/dist/policy/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Policy module for VertaaUX CLI.
+ *
+ * Provides policy-as-code support for organizations to define
+ * quality standards committed to the repository.
+ *
+ * Implements CICD-17: Policy-as-code support.
+ */
+export type { PolicyFile, PolicyAssertions, RuleOverride, BranchPolicy, PolicyTemplate, } from "./schema.js";
+export { policyJsonSchema, DEFAULT_POLICY, POLICY_TEMPLATES, } from "./schema.js";
+export type { PolicyLoadResult, PolicyValidationResult } from "./loader.js";
+export { loadPolicy, loadPolicyFile, validatePolicy, resolveBranchPolicy, getEffectivePolicy, PolicyValidationError, PolicyLoadError, } from "./loader.js";
+export type { AuditResultForPolicy, PolicyViolation, PolicyEvaluationResult, } from "./evaluator.js";
+export { evaluatePolicy, applyRuleOverrides, filterExcludedPaths, formatPolicyResult, } from "./evaluator.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/policy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,YAAY,EACV,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,gBAAgB,GACjB,MAAM,aAAa,CAAC;AAGrB,YAAY,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EACL,UAAU,EACV,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,GAChB,MAAM,aAAa,CAAC;AAGrB,YAAY,EACV,oBAAoB,EACpB,eAAe,EACf,sBAAsB,GACvB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,gBAAgB,CAAC"}