@vertaaux/cli 0.4.0 → 0.5.1

package/dist/auth/token-store.js

@@ -4,8 +4,8 @@
  * Tokens are stored in ~/.vertaaux/credentials.json with restrictive permissions.
  * This is separate from project config - tokens are user-scoped, not project-scoped.
  */
-import { readFile, writeFile, mkdir, unlink } from "fs/promises";
-import { existsSync } from "fs";
+import { readFile, writeFile, mkdir, unlink, chmod } from "fs/promises";
+import { existsSync, lstatSync } from "fs";
 import { homedir } from "os";
 import { join, dirname } from "path";
 /**
@@ -26,6 +26,10 @@ export function getCredentialsPath() {
 export async function saveToken(token) {
     const credPath = getCredentialsPath();
     const dir = dirname(credPath);
+    // SECVAL-1: Refuse to write if credentials path is a symlink
+    if (existsSync(credPath) && lstatSync(credPath).isSymbolicLink()) {
+        throw new Error(`Security error: ${credPath} is a symlink. Refusing to write credentials.`);
+    }
     // Create directory if needed
     if (!existsSync(dir)) {
         await mkdir(dir, { recursive: true, mode: 0o700 });
@@ -33,6 +37,8 @@ export async function saveToken(token) {
     // Write token with restrictive permissions
     const content = JSON.stringify(token, null, 2);
     await writeFile(credPath, content + "\n", { encoding: "utf-8", mode: 0o600 });
+    // SECVAL-2: Ensure restrictive permissions after write
+    await chmod(credPath, 0o600);
 }
 /**
  * Load token data from credentials file.
@@ -44,6 +50,10 @@ export async function loadToken() {
     if (!existsSync(credPath)) {
         return null;
     }
+    // SECVAL-1: Refuse to read if credentials path is a symlink
+    if (lstatSync(credPath).isSymbolicLink()) {
+        return null;
+    }
     try {
         const content = await readFile(credPath, "utf-8");
         return JSON.parse(content);

package/dist/baseline/diff.d.ts

@@ -38,8 +38,8 @@ export declare function computeDiff(currentIssues: Issue[], baseline: BaselineFi
  * Format diff result for human-readable output.
  *
  * Uses colors:
- * - New issues: red
- * - Fixed issues: green
+ * - New issues: red (tokens.error)
+ * - Fixed issues: green (tokens.success)
  * - Still present: dim
  *
  * @param diff - Diff result to format

package/dist/baseline/diff.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/baseline/diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAuB,KAAK,KAAK,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,iCAAiC;IACjC,GAAG,EAAE,KAAK,EAAE,CAAC;IACb,8CAA8C;IAC9C,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,qCAAqC;IACrC,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,qBAAqB;IACrB,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,aAAa,EAAE,KAAK,EAAE,EACtB,QAAQ,EAAE,YAAY,GACrB,UAAU,CA2CZ;AA2CD;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,UAAQ,GAAG,MAAM,CAsCzE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAEvD"}
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/baseline/diff.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAuB,KAAK,KAAK,EAAE,MAAM,WAAW,CAAC;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,iCAAiC;IACjC,GAAG,EAAE,KAAK,EAAE,CAAC;IACb,8CAA8C;IAC9C,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,qCAAqC;IACrC,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,qBAAqB;IACrB,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,aAAa,EAAE,KAAK,EAAE,EACtB,QAAQ,EAAE,YAAY,GACrB,UAAU,CA2CZ;AAuBD;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,UAAQ,GAAG,MAAM,CAsCzE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,CAEvD"}

package/dist/baseline/diff.js

@@ -7,7 +7,7 @@
  * - Fixed: Issues in baseline but not in current
  * - Present: Issues in both current and baseline
  */
-import chalk from "chalk";
+import { boldColor, dim, tokens, text } from "@vertaaux/tui";
 import { generateFingerprint } from "./hash.js";
 /**
  * Compute diff between current issues and baseline.
@@ -60,25 +60,6 @@ export function computeDiff(currentIssues, baseline) {
 function getRuleId(issue) {
     return issue.ruleId || issue.rule_id || issue.id || "unknown";
 }
-/**
- * Format severity badge for display.
- */
-function formatSeverityBadge(severity) {
-    const upper = (severity || "info").toUpperCase();
-    switch (upper) {
-        case "ERROR":
-        case "CRITICAL":
-            return chalk.red(`[${upper}]`);
-        case "WARNING":
-        case "SERIOUS":
-            return chalk.yellow(`[${upper}]`);
-        case "INFO":
-        case "MINOR":
-            return chalk.blue(`[${upper}]`);
-        default:
-            return chalk.gray(`[${upper}]`);
-    }
-}
 /**
  * Format issue line for display.
  */
@@ -88,14 +69,14 @@ function formatIssueLine(issue) {
         ? issue.description
         : issue.description || issue.title || "";
     const severity = issue.severity || "info";
-    return `${formatSeverityBadge(severity)} ${ruleId}: ${description}`;
+    return `[${text.severityBadge(severity)}] ${ruleId}: ${description}`;
 }
 /**
  * Format diff result for human-readable output.
  *
  * Uses colors:
- * - New issues: red
- * - Fixed issues: green
+ * - New issues: red (tokens.error)
+ * - Fixed issues: green (tokens.success)
  * - Still present: dim
  *
  * @param diff - Diff result to format
@@ -104,10 +85,10 @@ function formatIssueLine(issue) {
  */
 export function formatDiffHuman(diff, verbose = false) {
     const lines = [];
-    // New issues section (red)
-    lines.push(chalk.red.bold(`NEW ISSUES (${diff.summary.newCount})`));
+    // New issues section (red bold)
+    lines.push(boldColor(`NEW ISSUES (${diff.summary.newCount})`, tokens.error));
     if (diff.new.length === 0) {
-        lines.push(chalk.dim("  No new issues"));
+        lines.push(dim("  No new issues"));
     }
     else {
         for (const issue of diff.new) {
@@ -115,10 +96,10 @@ export function formatDiffHuman(diff, verbose = false) {
         }
     }
     lines.push("");
-    // Fixed issues section (green)
-    lines.push(chalk.green.bold(`FIXED (${diff.summary.fixedCount})`));
+    // Fixed issues section (green bold)
+    lines.push(boldColor(`FIXED (${diff.summary.fixedCount})`, tokens.success));
     if (diff.fixed.length === 0) {
-        lines.push(chalk.dim("  No issues fixed"));
+        lines.push(dim("  No issues fixed"));
     }
     else {
         for (const issue of diff.fixed) {
@@ -126,18 +107,18 @@ export function formatDiffHuman(diff, verbose = false) {
         }
     }
     lines.push("");
-    // Still present section (dim)
-    lines.push(chalk.dim.bold(`STILL PRESENT (${diff.summary.presentCount})`));
+    // Still present section (dim only — no bold+dim combo per locked decisions)
+    lines.push(dim(`STILL PRESENT (${diff.summary.presentCount})`));
     if (diff.present.length === 0) {
-        lines.push(chalk.dim("  No baselined issues remain"));
+        lines.push(dim("  No baselined issues remain"));
     }
     else if (verbose) {
         for (const issue of diff.present) {
-            lines.push(chalk.dim(`  ${formatIssueLine(issue)}`));
+            lines.push(dim(`  ${formatIssueLine(issue)}`));
         }
     }
     else {
-        lines.push(chalk.dim("  (use --verbose to show all)"));
+        lines.push(dim("  (use --verbose to show all)"));
     }
     return lines.join("\n");
 }

package/dist/commands/a11y.d.ts

@@ -0,0 +1,11 @@
+/**
+ * A11y command handler.
+ * Runs a dedicated multi-engine accessibility audit via POST /v1/a11y/audit.
+ * Uses axe-core (101 WCAG rules) + @accesslint/core (structured fixes) + custom analyzers.
+ */
+import type { Command } from "commander";
+import type { Flags } from "../types.js";
+export declare function runA11yAudit(base: string, url: string, flags: Flags): Promise<void>;
+export declare function handleA11y(rawUrl: string, cmdOptions: Flags): Promise<void>;
+export declare function registerA11yCommand(program: Command): void;
+//# sourceMappingURL=a11y.d.ts.map

package/dist/commands/a11y.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a11y.d.ts","sourceRoot":"","sources":["../../src/commands/a11y.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYzC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAqEzC,wBAAsB,YAAY,CAChC,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,KAAK,GACX,OAAO,CAAC,IAAI,CAAC,CAkDf;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAgDjF;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA0B1D"}

package/dist/commands/a11y.js

@@ -0,0 +1,149 @@
+/**
+ * A11y command handler.
+ * Runs a dedicated multi-engine accessibility audit via POST /v1/a11y/audit.
+ * Uses axe-core (101 WCAG rules) + @accesslint/core (structured fixes) + custom analyzers.
+ */
+import { renderError, runSteps, createRenderer } from "@vertaaux/tui";
+import { ExitCode } from "../utils/exit-codes.js";
+import { parseMode, parseTimeout, parseInterval, parseScore } from "../utils/validators.js";
+import { resolveApiBase, getString, getNumber, resolveFormat, } from "../utils/api-client.js";
+import { apiRequest, getApiKey } from "../utils/client.js";
+import { printOutput } from "../utils/formatters.js";
+function formatA11yMarkdown(result) {
+    const lines = [
+        `## Accessibility Audit: ${result.url}`,
+        "",
+        `**Total findings:** ${result.total_findings}`,
+        `**Severity:** ${result.severity_counts.critical || 0} critical, ${result.severity_counts.serious || 0} serious, ${result.severity_counts.moderate || 0} moderate, ${result.severity_counts.minor || 0} minor`,
+    ];
+    if (result.tier_shaping) {
+        lines.push("", `> ${result.tier_shaping.gated_findings} additional findings available on a paid plan.`, `> Upgrade: ${result.tier_shaping.upgrade_url}`);
+    }
+    if (result.findings.length > 0) {
+        lines.push("", "### Findings", "");
+        for (const f of result.findings.slice(0, 20)) {
+            const wcag = f.wcagCriteria?.length ? ` [WCAG ${f.wcagCriteria.join(", ")}]` : "";
+            lines.push(`- **[${f.impact.toUpperCase()}]** \`${f.engineId}/${f.ruleId}\`${wcag}`);
+            lines.push(`  ${f.message}`);
+            lines.push(`  Element: \`${f.selector}\``);
+            if (f.fix?.suggestion) {
+                lines.push(`  Fix: ${f.fix.suggestion}`);
+            }
+            else if (f.fix?.attribute) {
+                lines.push(`  Fix: ${f.fix.type} ${f.fix.attribute}="${f.fix.value || ""}"`);
+            }
+            if (f.fixability) {
+                lines.push(`  Fixability: ${f.fixability}`);
+            }
+            lines.push("");
+        }
+        if (result.findings.length > 20) {
+            lines.push(`... and ${result.findings.length - 20} more findings.`);
+        }
+    }
+    return lines.join("\n");
+}
+export async function runA11yAudit(base, url, flags) {
+    const minImpact = getString(flags, "min-impact");
+    const mode = getString(flags, "mode");
+    const format = resolveFormat(flags);
+    const apiKey = getApiKey();
+    const body = { url, source: "cli" };
+    if (minImpact)
+        body.min_impact = minImpact;
+    if (mode)
+        body.mode = mode;
+    const result = await apiRequest(base, "/a11y/audit", { method: "POST", body }, apiKey);
+    // Compute an accessibility score from findings for --fail-on-score
+    // Starts at 100, subtracts 15 per critical, 10 per serious, 5 per moderate, 2 per minor
+    const counts = result.severity_counts;
+    const a11yScore = Math.max(0, 100 -
+        (counts.critical || 0) * 15 -
+        (counts.serious || 0) * 10 -
+        (counts.moderate || 0) * 5 -
+        (counts.minor || 0) * 2);
+    printOutput(format, { ...result, accessibility_score: a11yScore }, formatA11yMarkdown(result));
+    // Exit non-zero if --fail-on-score and computed score is below threshold
+    const failOnScore = getNumber(flags, "fail-on-score");
+    if (failOnScore !== undefined && a11yScore < failOnScore) {
+        process.exitCode = 1;
+    }
+    // Exit non-zero if --fail-on-findings and critical/serious findings exceed threshold
+    const failOnFindings = getNumber(flags, "fail-on-findings");
+    if (failOnFindings !== undefined) {
+        const criticalAndSerious = (counts.critical || 0) + (counts.serious || 0);
+        if (criticalAndSerious > failOnFindings) {
+            process.exitCode = 1;
+        }
+    }
+}
+export async function handleA11y(rawUrl, cmdOptions) {
+    const url = /^https?:\/\//i.test(rawUrl) ? rawUrl : `https://${rawUrl}`;
+    const renderer = createRenderer("auto");
+    const baseState = {
+        phase: "a11y",
+        phaseIndex: 1,
+        phaseTotal: 1,
+        url,
+        mode: "a11y",
+        progress: {},
+        totals: {},
+        issueCount: 0,
+        scorePreview: null,
+        verbose: false,
+        elapsed: 0,
+    };
+    const startTime = Date.now();
+    const steps = [
+        {
+            id: "a11y",
+            actionText: "Running multi-engine accessibility audit...",
+            summaryText: "Accessibility audit complete",
+            run: async () => {
+                const base = resolveApiBase(cmdOptions);
+                await runA11yAudit(base, url, cmdOptions);
+            },
+        },
+    ];
+    const { success, states } = await runSteps(steps, {
+        failFast: true,
+        onStateChange: (stepStates) => {
+            renderer.update({ ...baseState, stepStates, elapsed: Date.now() - startTime });
+        },
+    });
+    renderer.finish({ url, mode: "a11y", overallScore: 0, scores: {}, issueCount: 0, passed: success, elapsed: Date.now() - startTime });
+    if (!success) {
+        const failed = states.find(s => s.status === "failed");
+        process.stderr.write(renderError({
+            message: failed?.failReason || "Command failed",
+            suggestion: "vertaa doctor",
+        }) + "\n");
+        process.exitCode = ExitCode.ERROR;
+    }
+}
+export function registerA11yCommand(program) {
+    program
+        .command("a11y <url>")
+        .description("Run multi-engine accessibility audit (axe-core + accesslint + custom analyzers)")
+        .option("--mode <mode>", "Audit depth: basic|standard|deep", parseMode, "basic")
+        .option("--min-impact <level>", "Minimum impact level: minor|moderate|serious|critical")
+        .option("--fail-on-score <n>", "Exit non-zero if accessibility score below n (0-100)", parseScore)
+        .option("--fail-on-findings <n>", "Exit non-zero if critical+serious findings exceed n")
+        .option("--wait", "Wait for audit completion (default: true)")
+        .option("--timeout <ms>", "Wait timeout in milliseconds (1-300000)", parseTimeout, 60000)
+        .option("--interval <ms>", "Poll interval in milliseconds (1-300000)", parseInterval, 5000)
+        .option("--format <fmt>", "Output format: json|md", "json")
+        .action(async (url, cmdOptions) => {
+        try {
+            await handleA11y(url, cmdOptions);
+        }
+        catch (error) {
+            process.stderr.write(renderError({
+                message: error instanceof Error ? error.message : String(error),
+                suggestion: "vertaa audit <url>",
+                exitCode: ExitCode.ERROR,
+            }) + "\n");
+            process.exit(ExitCode.ERROR);
+        }
+    });
+}

package/dist/commands/audit/artifacts.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Artifact saving for the audit command.
+ *
+ * Handles repro artifacts (trace, HAR, screenshots, DOM snapshots)
+ * and CI artifact bundling.
+ */
+import type { AuditResponse } from "../../utils/client.js";
+import type { IssueLike, AuditCommandOptions, ArtifactManifest } from "./types.js";
+/**
+ * Count issues by severity level.
+ */
+export declare function countIssuesBySeverity(issues: IssueLike[]): ArtifactManifest["issue_count"];
+/**
+ * Save repro artifacts from API response.
+ */
+export declare function saveReproArtifacts(jobId: string, response: AuditResponse, options: AuditCommandOptions, quiet: boolean): void;
+/**
+ * Save CI artifact bundle for GitHub Actions upload.
+ *
+ * Creates a complete evidence bundle:
+ * - results.json: Full audit results
+ * - results.sarif: SARIF for Code Scanning
+ * - report.html: HTML report for viewing
+ * - manifest.json: Metadata about the bundle
+ */
+export declare function saveArtifactBundle(jobId: string, result: AuditResponse, issues: IssueLike[], exitCode: number, quiet: boolean): string;
+//# sourceMappingURL=artifacts.d.ts.map

package/dist/commands/audit/artifacts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifacts.d.ts","sourceRoot":"","sources":["../../../src/commands/audit/artifacts.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAI3D,OAAO,KAAK,EAAE,SAAS,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGnF;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAe1F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,aAAa,EACvB,OAAO,EAAE,mBAAmB,EAC5B,KAAK,EAAE,OAAO,GACb,IAAI,CAmFN;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,SAAS,EAAE,EACnB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,OAAO,GACb,MAAM,CAkDR"}

package/dist/commands/audit/artifacts.js

@@ -0,0 +1,158 @@
+/**
+ * Artifact saving for the audit command.
+ *
+ * Handles repro artifacts (trace, HAR, screenshots, DOM snapshots)
+ * and CI artifact bundling.
+ */
+import fs from "fs";
+import path from "path";
+import { writeOutput } from "../../output/envelope.js";
+import { formatSarif, formatAuditHtml } from "../../output/factory.js";
+import { assertPathContainment } from "../../utils/sanitize.js";
+import { ARTIFACTS_DIR } from "./types.js";
+/**
+ * Count issues by severity level.
+ */
+export function countIssuesBySeverity(issues) {
+    const counts = { error: 0, warning: 0, info: 0 };
+    for (const issue of issues) {
+        const sev = (issue.severity || "info").toLowerCase();
+        if (sev === "error" || sev === "critical") {
+            counts.error++;
+        }
+        else if (sev === "warning" || sev === "serious") {
+            counts.warning++;
+        }
+        else {
+            counts.info++;
+        }
+    }
+    return counts;
+}
+/**
+ * Save repro artifacts from API response.
+ */
+export function saveReproArtifacts(jobId, response, options, quiet) {
+    const hasArtifactOptions = options.saveTrace || options.saveHar || options.screenshots || options.domSnapshots;
+    if (!hasArtifactOptions)
+        return;
+    // Create artifacts directory
+    const artifactsPath = path.resolve(process.cwd(), ARTIFACTS_DIR, jobId);
+    // Check if API response includes artifact data
+    const responseAny = response;
+    const artifacts = responseAny.artifacts;
+    if (!artifacts) {
+        if (!quiet) {
+            writeOutput("Note: Repro artifacts were requested but not available in API response.\n");
+            writeOutput("Artifact capture may require a 'deep' mode audit or premium plan.\n");
+        }
+        return;
+    }
+    // Ensure directory exists
+    if (!fs.existsSync(artifactsPath)) {
+        fs.mkdirSync(artifactsPath, { recursive: true });
+    }
+    const saved = [];
+    // Save trace file if available and requested
+    if (options.saveTrace && artifacts.trace) {
+        const tracePath = path.join(artifactsPath, "trace.zip");
+        fs.writeFileSync(tracePath, Buffer.from(artifacts.trace, "base64"));
+        saved.push("trace.zip");
+    }
+    // Save HAR file if available and requested
+    if (options.saveHar && artifacts.har) {
+        const harPath = path.join(artifactsPath, "network.har");
+        fs.writeFileSync(harPath, typeof artifacts.har === "string" ? artifacts.har : JSON.stringify(artifacts.har, null, 2));
+        saved.push("network.har");
+    }
+    // Save screenshots if available and requested
+    if (options.screenshots && artifacts.screenshots) {
+        const screenshots = artifacts.screenshots;
+        for (const screenshot of screenshots) {
+            const screenshotName = screenshot.name || "screenshot.png";
+            let screenshotPath;
+            try {
+                screenshotPath = assertPathContainment(screenshotName, artifactsPath);
+            }
+            catch {
+                writeOutput(`Security: Rejected screenshot "${screenshotName}" -- path traversal outside artifacts directory.\n`);
+                continue;
+            }
+            fs.writeFileSync(screenshotPath, Buffer.from(screenshot.data, "base64"));
+            saved.push(screenshotName);
+        }
+    }
+    // Save DOM snapshots if available and requested
+    if (options.domSnapshots && artifacts.domSnapshots) {
+        const snapshots = artifacts.domSnapshots;
+        for (const snapshot of snapshots) {
+            const snapshotName = snapshot.name || "snapshot.html";
+            let snapshotPath;
+            try {
+                snapshotPath = assertPathContainment(snapshotName, artifactsPath);
+            }
+            catch {
+                writeOutput(`Security: Rejected snapshot "${snapshotName}" -- path traversal outside artifacts directory.\n`);
+                continue;
+            }
+            fs.writeFileSync(snapshotPath, snapshot.html);
+            saved.push(snapshotName);
+        }
+    }
+    if (saved.length > 0 && !quiet) {
+        writeOutput(`Artifacts saved to: ${artifactsPath}\n`);
+        writeOutput(`  - ${saved.join("\n  - ")}\n`);
+    }
+}
+/**
+ * Save CI artifact bundle for GitHub Actions upload.
+ *
+ * Creates a complete evidence bundle:
+ * - results.json: Full audit results
+ * - results.sarif: SARIF for Code Scanning
+ * - report.html: HTML report for viewing
+ * - manifest.json: Metadata about the bundle
+ */
+export function saveArtifactBundle(jobId, result, issues, exitCode, quiet) {
+    const artifactsPath = path.resolve(process.cwd(), ARTIFACTS_DIR, jobId);
+    // Ensure directory exists
+    if (!fs.existsSync(artifactsPath)) {
+        fs.mkdirSync(artifactsPath, { recursive: true });
+    }
+    const files = [];
+    // 1. Save JSON results
+    const jsonPath = path.join(artifactsPath, "results.json");
+    fs.writeFileSync(jsonPath, JSON.stringify(result, null, 2), "utf-8");
+    files.push("results.json");
+    // 2. Save SARIF for Code Scanning
+    const sarifContent = formatSarif(result, {
+        workingDirectory: process.cwd(),
+    });
+    const sarifPath = path.join(artifactsPath, "results.sarif");
+    fs.writeFileSync(sarifPath, sarifContent, "utf-8");
+    files.push("results.sarif");
+    // 3. Save HTML report
+    const htmlContent = formatAuditHtml(result, {
+        interactive: true,
+    });
+    const htmlPath = path.join(artifactsPath, "report.html");
+    fs.writeFileSync(htmlPath, htmlContent, "utf-8");
+    files.push("report.html");
+    // 4. Save manifest
+    const manifest = {
+        job_id: jobId,
+        timestamp: new Date().toISOString(),
+        files,
+        audit_url: result.url,
+        issue_count: countIssuesBySeverity(issues),
+        exit_code: exitCode,
+    };
+    const manifestPath = path.join(artifactsPath, "manifest.json");
+    fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2), "utf-8");
+    files.push("manifest.json");
+    if (!quiet) {
+        writeOutput(`Artifacts saved to: ${artifactsPath}\n`);
+        writeOutput(`  - ${files.join("\n  - ")}\n`);
+    }
+    return artifactsPath;
+}

package/dist/commands/audit/ci-detection.d.ts

@@ -0,0 +1,18 @@
+/**
+ * CI environment detection for the audit command.
+ *
+ * Detects current branch and PR labels from various CI providers.
+ */
+/**
+ * Detect current branch from CI environment or git.
+ */
+export declare function detectCurrentBranch(): string;
+/**
+ * Detect PR labels from CI environment variables.
+ *
+ * Supports:
+ * - GitHub Actions: GITHUB_EVENT_PATH contains event JSON with labels
+ * - GitLab CI: CI_MERGE_REQUEST_LABELS is comma-separated
+ */
+export declare function detectPRLabels(): string[];
+//# sourceMappingURL=ci-detection.d.ts.map

package/dist/commands/audit/ci-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ci-detection.d.ts","sourceRoot":"","sources":["../../../src/commands/audit/ci-detection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAqC5C;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,IAAI,MAAM,EAAE,CA0BzC"}

package/dist/commands/audit/ci-detection.js

@@ -0,0 +1,71 @@
+/**
+ * CI environment detection for the audit command.
+ *
+ * Detects current branch and PR labels from various CI providers.
+ */
+import fs from "fs";
+/**
+ * Detect current branch from CI environment or git.
+ */
+export function detectCurrentBranch() {
+    // GitHub Actions
+    if (process.env.GITHUB_HEAD_REF) {
+        return process.env.GITHUB_HEAD_REF;
+    }
+    if (process.env.GITHUB_REF_NAME) {
+        return process.env.GITHUB_REF_NAME;
+    }
+    // GitLab CI
+    if (process.env.CI_COMMIT_REF_NAME) {
+        return process.env.CI_COMMIT_REF_NAME;
+    }
+    // Azure DevOps
+    if (process.env.BUILD_SOURCEBRANCHNAME) {
+        return process.env.BUILD_SOURCEBRANCHNAME;
+    }
+    // CircleCI
+    if (process.env.CIRCLE_BRANCH) {
+        return process.env.CIRCLE_BRANCH;
+    }
+    // Jenkins
+    if (process.env.GIT_BRANCH) {
+        // Jenkins often includes origin/, remove it
+        return process.env.GIT_BRANCH.replace(/^origin\//, "");
+    }
+    // Generic CI
+    if (process.env.BRANCH_NAME) {
+        return process.env.BRANCH_NAME;
+    }
+    // Default
+    return "";
+}
+/**
+ * Detect PR labels from CI environment variables.
+ *
+ * Supports:
+ * - GitHub Actions: GITHUB_EVENT_PATH contains event JSON with labels
+ * - GitLab CI: CI_MERGE_REQUEST_LABELS is comma-separated
+ */
+export function detectPRLabels() {
+    // GitHub Actions: GITHUB_EVENT_PATH contains event JSON with labels
+    if (process.env.GITHUB_EVENT_PATH) {
+        try {
+            const eventContent = fs.readFileSync(process.env.GITHUB_EVENT_PATH, "utf-8");
+            const event = JSON.parse(eventContent);
+            const labels = event.pull_request?.labels;
+            if (Array.isArray(labels)) {
+                return labels.map((l) => l.name || "").filter(Boolean);
+            }
+        }
+        catch {
+            // Ignore errors reading event file
+        }
+    }
+    // GitLab CI: CI_MERGE_REQUEST_LABELS is comma-separated
+    if (process.env.CI_MERGE_REQUEST_LABELS) {
+        return process.env.CI_MERGE_REQUEST_LABELS.split(",")
+            .map((l) => l.trim())
+            .filter(Boolean);
+    }
+    return [];
+}

package/dist/commands/audit/explain.d.ts

@@ -0,0 +1,11 @@
+/**
+ * AI inline explanation for the audit command.
+ */
+import type { VertaauxConfig } from "../../config/schema.js";
+import { type AuditResponse } from "../../utils/client.js";
+import type { IssueLike, AuditCommandOptions } from "./types.js";
+/**
+ * Run the inline AI explanation for audit issues.
+ */
+export declare function runInlineExplanation(issues: IssueLike[], result: AuditResponse, targetUrl: string, options: AuditCommandOptions, config: VertaauxConfig): Promise<void>;
+//# sourceMappingURL=explain.d.ts.map

package/dist/commands/audit/explain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../../src/commands/audit/explain.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE7D,OAAO,EAIL,KAAK,aAAa,EACnB,MAAM,uBAAuB,CAAC;AAK/B,OAAO,KAAK,EAAE,SAAS,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGjE;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,SAAS,EAAE,EACnB,MAAM,EAAE,aAAa,EACrB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,mBAAmB,EAC5B,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,IAAI,CAAC,CAyCf"}