@vibecheckai/cli 3.1.0 → 3.1.1

package/bin/runners/lib/report-engine.js

@@ -1,447 +1,447 @@
-/**
- * Report Engine - World-Class Report Generation
- * 
- * Enterprise-grade reporting with:
- * - Multiple output formats (HTML, PDF, MD, JSON, SARIF, CSV)
- * - Beautiful interactive HTML with Chart.js
- * - Executive, Technical, Compliance, and Trend reports
- * - Historical analysis and fix time estimates
- * - Print-optimized layouts
- */
-
-const fs = require("fs");
-const path = require("path");
-
-// ============================================================================
-// REPORT DATA MODEL
-// ============================================================================
-
-/**
- * Build comprehensive report data from ship results
- */
-function buildReportData(shipResults, options = {}) {
-  const findings = shipResults?.findings || [];
-  const truthpack = shipResults?.truthpack || {};
-  
-  // Severity counts
-  const severityCounts = {
-    critical: findings.filter(f => f.severity === "BLOCK" || f.severity === "critical").length,
-    high: findings.filter(f => f.severity === "high").length,
-    medium: findings.filter(f => f.severity === "WARN" || f.severity === "medium").length,
-    low: findings.filter(f => f.severity === "low" || f.severity === "INFO").length,
-  };
-  
-  // Category scores (invert finding counts to scores)
-  const categoryFindings = groupFindingsByCategory(findings);
-  const categoryScores = calculateCategoryScores(categoryFindings);
-  
-  // Overall score
-  const score = calculateOverallScore(severityCounts, categoryScores);
-  
-  // Verdict
-  const verdict = severityCounts.critical > 0 ? "BLOCK" :
-                  severityCounts.high > 0 || severityCounts.medium > 5 ? "WARN" : "SHIP";
-  
-  // Fix time estimates
-  const fixEstimates = estimateFixTimes(findings);
-  
-  // Coverage stats
-  const coverage = extractCoverageStats(truthpack);
-  
-  return {
-    meta: {
-      projectName: options.projectName || truthpack?.project?.name || path.basename(process.cwd()),
-      generatedAt: new Date().toISOString(),
-      version: "2.0.0",
-      reportId: generateReportId(),
-    },
-    summary: {
-      score,
-      verdict,
-      totalFindings: findings.length,
-      severityCounts,
-      categoryScores,
-    },
-    findings: enrichFindings(findings),
-    coverage,
-    fixEstimates,
-    truthpack: {
-      routes: truthpack?.routes?.server?.length || 0,
-      envVars: truthpack?.env?.vars?.length || 0,
-      hasAuth: !!(truthpack?.auth?.nextMiddleware?.length || truthpack?.auth?.fastify?.hooks?.length),
-      hasBilling: !!truthpack?.billing?.webhooks?.length,
-    },
-    trends: options.includeTrends ? loadHistoricalTrends(options.repoRoot) : null,
-  };
-}
-
-function groupFindingsByCategory(findings) {
-  const groups = {
-    security: [],
-    auth: [],
-    billing: [],
-    routes: [],
-    env: [],
-    quality: [],
-    other: [],
-  };
-  
-  for (const f of findings) {
-    const cat = categorizeFindings(f);
-    if (groups[cat]) {
-      groups[cat].push(f);
-    } else {
-      groups.other.push(f);
-    }
-  }
-  
-  return groups;
-}
-
-function categorizeFindings(finding) {
-  const type = (finding.type || finding.id || "").toLowerCase();
-  const msg = (finding.message || finding.title || "").toLowerCase();
-  
-  if (type.includes("auth") || msg.includes("auth") || msg.includes("session")) return "auth";
-  if (type.includes("billing") || type.includes("stripe") || msg.includes("payment")) return "billing";
-  if (type.includes("route") || type.includes("endpoint") || msg.includes("route")) return "routes";
-  if (type.includes("env") || msg.includes("environment")) return "env";
-  if (type.includes("secret") || type.includes("security") || msg.includes("secret")) return "security";
-  if (type.includes("mock") || type.includes("fake") || msg.includes("console")) return "quality";
-  return "other";
-}
-
-function calculateCategoryScores(categoryFindings) {
-  const scores = {};
-  const weights = {
-    security: { max: 100, perFinding: 20 },
-    auth: { max: 100, perFinding: 15 },
-    billing: { max: 100, perFinding: 15 },
-    routes: { max: 100, perFinding: 10 },
-    env: { max: 100, perFinding: 5 },
-    quality: { max: 100, perFinding: 5 },
-  };
-  
-  for (const [cat, findings] of Object.entries(categoryFindings)) {
-    if (cat === "other") continue;
-    const w = weights[cat] || { max: 100, perFinding: 10 };
-    scores[cat] = Math.max(0, w.max - (findings.length * w.perFinding));
-  }
-  
-  return scores;
-}
-
-function calculateOverallScore(severityCounts, categoryScores) {
-  // Weighted average of category scores with severity penalties
-  const categoryAvg = Object.values(categoryScores).reduce((a, b) => a + b, 0) / 
-                      Math.max(1, Object.keys(categoryScores).length);
-  
-  // Severity penalties
-  const penalties = 
-    (severityCounts.critical * 25) +
-    (severityCounts.high * 10) +
-    (severityCounts.medium * 3) +
-    (severityCounts.low * 1);
-  
-  return Math.max(0, Math.min(100, Math.round(categoryAvg - penalties)));
-}
-
-function enrichFindings(findings) {
-  return findings.map((f, idx) => ({
-    id: f.id || `F${String(idx + 1).padStart(3, "0")}`,
-    severity: normalizeSeverity(f.severity),
-    category: categorizeFindings(f),
-    title: f.title || f.message || "Finding",
-    description: f.description || f.message || "",
-    file: f.file || f.evidence?.file || null,
-    line: f.line || f.evidence?.line || null,
-    fix: f.fix || f.recommendation || null,
-    fixTime: estimateSingleFixTime(f),
-    evidence: f.evidence || null,
-  }));
-}
-
-function normalizeSeverity(sev) {
-  const s = String(sev || "medium").toLowerCase();
-  if (s === "block" || s === "critical") return "critical";
-  if (s === "high") return "high";
-  if (s === "warn" || s === "warning" || s === "medium") return "medium";
-  return "low";
-}
-
-function estimateFixTimes(findings) {
-  const times = {
-    critical: { count: 0, totalMinutes: 0 },
-    high: { count: 0, totalMinutes: 0 },
-    medium: { count: 0, totalMinutes: 0 },
-    low: { count: 0, totalMinutes: 0 },
-  };
-  
-  for (const f of findings) {
-    const sev = normalizeSeverity(f.severity);
-    const mins = estimateSingleFixTime(f);
-    if (times[sev]) {
-      times[sev].count++;
-      times[sev].totalMinutes += mins;
-    }
-  }
-  
-  const totalMinutes = Object.values(times).reduce((a, t) => a + t.totalMinutes, 0);
-  
-  return {
-    bySeverity: times,
-    totalMinutes,
-    totalHours: Math.round(totalMinutes / 60 * 10) / 10,
-    humanReadable: formatDuration(totalMinutes),
-  };
-}
-
-function estimateSingleFixTime(finding) {
-  const sev = normalizeSeverity(finding.severity);
-  const type = (finding.type || finding.id || "").toLowerCase();
-  
-  // Base times by severity
-  const baseTimes = { critical: 60, high: 30, medium: 15, low: 5 };
-  let mins = baseTimes[sev] || 15;
-  
-  // Adjustments by type
-  if (type.includes("auth") || type.includes("security")) mins *= 1.5;
-  if (type.includes("mock") || type.includes("console")) mins *= 0.5;
-  
-  return Math.round(mins);
-}
-
-function formatDuration(minutes) {
-  if (minutes < 60) return `${minutes} min`;
-  const hours = Math.floor(minutes / 60);
-  const mins = minutes % 60;
-  if (mins === 0) return `${hours}h`;
-  return `${hours}h ${mins}m`;
-}
-
-function extractCoverageStats(truthpack) {
-  return {
-    routes: {
-      total: truthpack?.routes?.server?.length || 0,
-      protected: truthpack?.routes?.server?.filter(r => r.protected)?.length || 0,
-      tested: truthpack?.routes?.coverage?.hit || 0,
-    },
-    env: {
-      total: truthpack?.env?.vars?.length || 0,
-      declared: truthpack?.env?.declared?.length || 0,
-    },
-    auth: {
-      middlewareCount: truthpack?.auth?.nextMiddleware?.length || 0,
-      patterns: truthpack?.auth?.nextMatcherPatterns?.length || 0,
-    },
-  };
-}
-
-function generateReportId() {
-  const date = new Date().toISOString().split("T")[0].replace(/-/g, "");
-  const rand = Math.random().toString(36).substring(2, 8).toUpperCase();
-  return `VC-${date}-${rand}`;
-}
-
-function loadHistoricalTrends(repoRoot) {
-  // Try to load previous reports for trend analysis
-  const historyPath = path.join(repoRoot || process.cwd(), ".vibecheck", "history");
-  if (!fs.existsSync(historyPath)) return null;
-  
-  try {
-    const files = fs.readdirSync(historyPath)
-      .filter(f => f.endsWith(".json"))
-      .sort()
-      .slice(-10);
-    
-    return files.map(f => {
-      const data = JSON.parse(fs.readFileSync(path.join(historyPath, f), "utf8"));
-      return {
-        date: data.meta?.generatedAt || f.replace(".json", ""),
-        score: data.summary?.score || 0,
-        findings: data.summary?.totalFindings || 0,
-      };
-    });
-  } catch {
-    return null;
-  }
-}
-
-// ============================================================================
-// EXPORT FORMATS
-// ============================================================================
-
-/**
- * Export to SARIF format (Static Analysis Results Interchange Format)
- */
-function exportToSARIF(reportData) {
-  return {
-    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-    version: "2.1.0",
-    runs: [{
-      tool: {
-        driver: {
-          name: "vibecheck",
-          version: reportData.meta.version,
-          informationUri: "https://vibecheck.dev",
-          rules: generateSARIFRules(reportData.findings),
-        },
-      },
-      results: reportData.findings.map(f => ({
-        ruleId: f.id,
-        level: sarifLevel(f.severity),
-        message: { text: f.title },
-        locations: f.file ? [{
-          physicalLocation: {
-            artifactLocation: { uri: f.file },
-            region: f.line ? { startLine: f.line } : undefined,
-          },
-        }] : [],
-      })),
-    }],
-  };
-}
-
-function generateSARIFRules(findings) {
-  const seen = new Set();
-  return findings
-    .filter(f => {
-      if (seen.has(f.id)) return false;
-      seen.add(f.id);
-      return true;
-    })
-    .map(f => ({
-      id: f.id,
-      shortDescription: { text: f.title },
-      fullDescription: { text: f.description || f.title },
-      defaultConfiguration: { level: sarifLevel(f.severity) },
-    }));
-}
-
-function sarifLevel(severity) {
-  const levels = { critical: "error", high: "error", medium: "warning", low: "note" };
-  return levels[severity] || "warning";
-}
-
-/**
- * Export to CSV format
- */
-function exportToCSV(reportData) {
-  const headers = ["ID", "Severity", "Category", "Title", "File", "Line", "Fix Time (min)"];
-  const rows = reportData.findings.map(f => [
-    f.id,
-    f.severity,
-    f.category,
-    `"${(f.title || "").replace(/"/g, '""')}"`,
-    f.file || "",
-    f.line || "",
-    f.fixTime || "",
-  ]);
-  
-  return [headers.join(","), ...rows.map(r => r.join(","))].join("\n");
-}
-
-/**
- * Export to Markdown format
- */
-function exportToMarkdown(reportData, options = {}) {
-  const { meta, summary, findings, fixEstimates, coverage } = reportData;
-  const verdictEmoji = summary.verdict === "SHIP" ? "✅" : summary.verdict === "WARN" ? "⚠️" : "🚫";
-  
-  let md = `# ${options.title || "Vibecheck Report"}
-
-**Project:** ${meta.projectName}  
-**Generated:** ${new Date(meta.generatedAt).toLocaleString()}  
-**Report ID:** ${meta.reportId}
-
----
-
-## Summary
-
-| Metric | Value |
-|--------|-------|
-| **Score** | ${summary.score}/100 |
-| **Verdict** | ${verdictEmoji} ${summary.verdict} |
-| **Total Findings** | ${summary.totalFindings} |
-| **Est. Fix Time** | ${fixEstimates.humanReadable} |
-
-### Severity Breakdown
-
-| Severity | Count |
-|----------|-------|
-| 🔴 Critical | ${summary.severityCounts.critical} |
-| 🟠 High | ${summary.severityCounts.high} |
-| 🟡 Medium | ${summary.severityCounts.medium} |
-| ⚪ Low | ${summary.severityCounts.low} |
-
-### Category Scores
-
-| Category | Score |
-|----------|-------|
-${Object.entries(summary.categoryScores).map(([k, v]) => `| ${formatCategoryName(k)} | ${v}% |`).join("\n")}
-
----
-
-## Findings
-
-`;
-
-  // Group by severity
-  const bySeverity = { critical: [], high: [], medium: [], low: [] };
-  for (const f of findings) {
-    if (bySeverity[f.severity]) bySeverity[f.severity].push(f);
-  }
-  
-  for (const [sev, items] of Object.entries(bySeverity)) {
-    if (items.length === 0) continue;
-    md += `### ${sev.charAt(0).toUpperCase() + sev.slice(1)} (${items.length})\n\n`;
-    for (const f of items.slice(0, options.maxFindings || 20)) {
-      md += `#### ${f.id}: ${f.title}\n`;
-      if (f.file) md += `- **File:** \`${f.file}${f.line ? `:${f.line}` : ""}\`\n`;
-      if (f.fix) md += `- **Fix:** ${f.fix}\n`;
-      md += `\n`;
-    }
-  }
-  
-  md += `---
-
-*Generated by [Vibecheck](https://vibecheck.dev) · ${meta.reportId}*
-`;
-  
-  return md;
-}
-
-/**
- * Export to JSON format
- */
-function exportToJSON(reportData) {
-  return JSON.stringify(reportData, null, 2);
-}
-
-function formatCategoryName(name) {
-  const names = {
-    security: "Security",
-    auth: "Authentication",
-    billing: "Billing/Payments",
-    routes: "Route Integrity",
-    env: "Environment",
-    quality: "Code Quality",
-  };
-  return names[name] || name.charAt(0).toUpperCase() + name.slice(1);
-}
-
-// ============================================================================
-// EXPORTS
-// ============================================================================
-
-module.exports = {
-  buildReportData,
-  exportToSARIF,
-  exportToCSV,
-  exportToMarkdown,
-  exportToJSON,
-  formatCategoryName,
-  normalizeSeverity,
-  estimateFixTimes,
-  generateReportId,
-};
+/**
+ * Report Engine - World-Class Report Generation
+ * 
+ * Enterprise-grade reporting with:
+ * - Multiple output formats (HTML, PDF, MD, JSON, SARIF, CSV)
+ * - Beautiful interactive HTML with Chart.js
+ * - Executive, Technical, Compliance, and Trend reports
+ * - Historical analysis and fix time estimates
+ * - Print-optimized layouts
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+// ============================================================================
+// REPORT DATA MODEL
+// ============================================================================
+
+/**
+ * Build comprehensive report data from ship results
+ */
+function buildReportData(shipResults, options = {}) {
+  const findings = shipResults?.findings || [];
+  const truthpack = shipResults?.truthpack || {};
+  
+  // Severity counts
+  const severityCounts = {
+    critical: findings.filter(f => f.severity === "BLOCK" || f.severity === "critical").length,
+    high: findings.filter(f => f.severity === "high").length,
+    medium: findings.filter(f => f.severity === "WARN" || f.severity === "medium").length,
+    low: findings.filter(f => f.severity === "low" || f.severity === "INFO").length,
+  };
+  
+  // Category scores (invert finding counts to scores)
+  const categoryFindings = groupFindingsByCategory(findings);
+  const categoryScores = calculateCategoryScores(categoryFindings);
+  
+  // Overall score
+  const score = calculateOverallScore(severityCounts, categoryScores);
+  
+  // Verdict
+  const verdict = severityCounts.critical > 0 ? "BLOCK" :
+                  severityCounts.high > 0 || severityCounts.medium > 5 ? "WARN" : "SHIP";
+  
+  // Fix time estimates
+  const fixEstimates = estimateFixTimes(findings);
+  
+  // Coverage stats
+  const coverage = extractCoverageStats(truthpack);
+  
+  return {
+    meta: {
+      projectName: options.projectName || truthpack?.project?.name || path.basename(process.cwd()),
+      generatedAt: new Date().toISOString(),
+      version: "2.0.0",
+      reportId: generateReportId(),
+    },
+    summary: {
+      score,
+      verdict,
+      totalFindings: findings.length,
+      severityCounts,
+      categoryScores,
+    },
+    findings: enrichFindings(findings),
+    coverage,
+    fixEstimates,
+    truthpack: {
+      routes: truthpack?.routes?.server?.length || 0,
+      envVars: truthpack?.env?.vars?.length || 0,
+      hasAuth: !!(truthpack?.auth?.nextMiddleware?.length || truthpack?.auth?.fastify?.hooks?.length),
+      hasBilling: !!truthpack?.billing?.webhooks?.length,
+    },
+    trends: options.includeTrends ? loadHistoricalTrends(options.repoRoot) : null,
+  };
+}
+
+function groupFindingsByCategory(findings) {
+  const groups = {
+    security: [],
+    auth: [],
+    billing: [],
+    routes: [],
+    env: [],
+    quality: [],
+    other: [],
+  };
+  
+  for (const f of findings) {
+    const cat = categorizeFindings(f);
+    if (groups[cat]) {
+      groups[cat].push(f);
+    } else {
+      groups.other.push(f);
+    }
+  }
+  
+  return groups;
+}
+
+function categorizeFindings(finding) {
+  const type = (finding.type || finding.id || "").toLowerCase();
+  const msg = (finding.message || finding.title || "").toLowerCase();
+  
+  if (type.includes("auth") || msg.includes("auth") || msg.includes("session")) return "auth";
+  if (type.includes("billing") || type.includes("stripe") || msg.includes("payment")) return "billing";
+  if (type.includes("route") || type.includes("endpoint") || msg.includes("route")) return "routes";
+  if (type.includes("env") || msg.includes("environment")) return "env";
+  if (type.includes("secret") || type.includes("security") || msg.includes("secret")) return "security";
+  if (type.includes("mock") || type.includes("fake") || msg.includes("console")) return "quality";
+  return "other";
+}
+
+function calculateCategoryScores(categoryFindings) {
+  const scores = {};
+  const weights = {
+    security: { max: 100, perFinding: 20 },
+    auth: { max: 100, perFinding: 15 },
+    billing: { max: 100, perFinding: 15 },
+    routes: { max: 100, perFinding: 10 },
+    env: { max: 100, perFinding: 5 },
+    quality: { max: 100, perFinding: 5 },
+  };
+  
+  for (const [cat, findings] of Object.entries(categoryFindings)) {
+    if (cat === "other") continue;
+    const w = weights[cat] || { max: 100, perFinding: 10 };
+    scores[cat] = Math.max(0, w.max - (findings.length * w.perFinding));
+  }
+  
+  return scores;
+}
+
+function calculateOverallScore(severityCounts, categoryScores) {
+  // Weighted average of category scores with severity penalties
+  const categoryAvg = Object.values(categoryScores).reduce((a, b) => a + b, 0) / 
+                      Math.max(1, Object.keys(categoryScores).length);
+  
+  // Severity penalties
+  const penalties = 
+    (severityCounts.critical * 25) +
+    (severityCounts.high * 10) +
+    (severityCounts.medium * 3) +
+    (severityCounts.low * 1);
+  
+  return Math.max(0, Math.min(100, Math.round(categoryAvg - penalties)));
+}
+
+function enrichFindings(findings) {
+  return findings.map((f, idx) => ({
+    id: f.id || `F${String(idx + 1).padStart(3, "0")}`,
+    severity: normalizeSeverity(f.severity),
+    category: categorizeFindings(f),
+    title: f.title || f.message || "Finding",
+    description: f.description || f.message || "",
+    file: f.file || f.evidence?.file || null,
+    line: f.line || f.evidence?.line || null,
+    fix: f.fix || f.recommendation || null,
+    fixTime: estimateSingleFixTime(f),
+    evidence: f.evidence || null,
+  }));
+}
+
+function normalizeSeverity(sev) {
+  const s = String(sev || "medium").toLowerCase();
+  if (s === "block" || s === "critical") return "critical";
+  if (s === "high") return "high";
+  if (s === "warn" || s === "warning" || s === "medium") return "medium";
+  return "low";
+}
+
+function estimateFixTimes(findings) {
+  const times = {
+    critical: { count: 0, totalMinutes: 0 },
+    high: { count: 0, totalMinutes: 0 },
+    medium: { count: 0, totalMinutes: 0 },
+    low: { count: 0, totalMinutes: 0 },
+  };
+  
+  for (const f of findings) {
+    const sev = normalizeSeverity(f.severity);
+    const mins = estimateSingleFixTime(f);
+    if (times[sev]) {
+      times[sev].count++;
+      times[sev].totalMinutes += mins;
+    }
+  }
+  
+  const totalMinutes = Object.values(times).reduce((a, t) => a + t.totalMinutes, 0);
+  
+  return {
+    bySeverity: times,
+    totalMinutes,
+    totalHours: Math.round(totalMinutes / 60 * 10) / 10,
+    humanReadable: formatDuration(totalMinutes),
+  };
+}
+
+function estimateSingleFixTime(finding) {
+  const sev = normalizeSeverity(finding.severity);
+  const type = (finding.type || finding.id || "").toLowerCase();
+  
+  // Base times by severity
+  const baseTimes = { critical: 60, high: 30, medium: 15, low: 5 };
+  let mins = baseTimes[sev] || 15;
+  
+  // Adjustments by type
+  if (type.includes("auth") || type.includes("security")) mins *= 1.5;
+  if (type.includes("mock") || type.includes("console")) mins *= 0.5;
+  
+  return Math.round(mins);
+}
+
+function formatDuration(minutes) {
+  if (minutes < 60) return `${minutes} min`;
+  const hours = Math.floor(minutes / 60);
+  const mins = minutes % 60;
+  if (mins === 0) return `${hours}h`;
+  return `${hours}h ${mins}m`;
+}
+
+function extractCoverageStats(truthpack) {
+  return {
+    routes: {
+      total: truthpack?.routes?.server?.length || 0,
+      protected: truthpack?.routes?.server?.filter(r => r.protected)?.length || 0,
+      tested: truthpack?.routes?.coverage?.hit || 0,
+    },
+    env: {
+      total: truthpack?.env?.vars?.length || 0,
+      declared: truthpack?.env?.declared?.length || 0,
+    },
+    auth: {
+      middlewareCount: truthpack?.auth?.nextMiddleware?.length || 0,
+      patterns: truthpack?.auth?.nextMatcherPatterns?.length || 0,
+    },
+  };
+}
+
+function generateReportId() {
+  const date = new Date().toISOString().split("T")[0].replace(/-/g, "");
+  const rand = Math.random().toString(36).substring(2, 8).toUpperCase();
+  return `VC-${date}-${rand}`;
+}
+
+function loadHistoricalTrends(repoRoot) {
+  // Try to load previous reports for trend analysis
+  const historyPath = path.join(repoRoot || process.cwd(), ".vibecheck", "history");
+  if (!fs.existsSync(historyPath)) return null;
+  
+  try {
+    const files = fs.readdirSync(historyPath)
+      .filter(f => f.endsWith(".json"))
+      .sort()
+      .slice(-10);
+    
+    return files.map(f => {
+      const data = JSON.parse(fs.readFileSync(path.join(historyPath, f), "utf8"));
+      return {
+        date: data.meta?.generatedAt || f.replace(".json", ""),
+        score: data.summary?.score || 0,
+        findings: data.summary?.totalFindings || 0,
+      };
+    });
+  } catch {
+    return null;
+  }
+}
+
+// ============================================================================
+// EXPORT FORMATS
+// ============================================================================
+
+/**
+ * Export to SARIF format (Static Analysis Results Interchange Format)
+ */
+function exportToSARIF(reportData) {
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [{
+      tool: {
+        driver: {
+          name: "vibecheck",
+          version: reportData.meta.version,
+          informationUri: "https://vibecheck.dev",
+          rules: generateSARIFRules(reportData.findings),
+        },
+      },
+      results: reportData.findings.map(f => ({
+        ruleId: f.id,
+        level: sarifLevel(f.severity),
+        message: { text: f.title },
+        locations: f.file ? [{
+          physicalLocation: {
+            artifactLocation: { uri: f.file },
+            region: f.line ? { startLine: f.line } : undefined,
+          },
+        }] : [],
+      })),
+    }],
+  };
+}
+
+function generateSARIFRules(findings) {
+  const seen = new Set();
+  return findings
+    .filter(f => {
+      if (seen.has(f.id)) return false;
+      seen.add(f.id);
+      return true;
+    })
+    .map(f => ({
+      id: f.id,
+      shortDescription: { text: f.title },
+      fullDescription: { text: f.description || f.title },
+      defaultConfiguration: { level: sarifLevel(f.severity) },
+    }));
+}
+
+function sarifLevel(severity) {
+  const levels = { critical: "error", high: "error", medium: "warning", low: "note" };
+  return levels[severity] || "warning";
+}
+
+/**
+ * Export to CSV format
+ */
+function exportToCSV(reportData) {
+  const headers = ["ID", "Severity", "Category", "Title", "File", "Line", "Fix Time (min)"];
+  const rows = reportData.findings.map(f => [
+    f.id,
+    f.severity,
+    f.category,
+    `"${(f.title || "").replace(/"/g, '""')}"`,
+    f.file || "",
+    f.line || "",
+    f.fixTime || "",
+  ]);
+  
+  return [headers.join(","), ...rows.map(r => r.join(","))].join("\n");
+}
+
+/**
+ * Export to Markdown format
+ */
+function exportToMarkdown(reportData, options = {}) {
+  const { meta, summary, findings, fixEstimates, coverage } = reportData;
+  const verdictEmoji = summary.verdict === "SHIP" ? "✅" : summary.verdict === "WARN" ? "⚠️" : "🚫";
+  
+  let md = `# ${options.title || "Vibecheck Report"}
+
+**Project:** ${meta.projectName}  
+**Generated:** ${new Date(meta.generatedAt).toLocaleString()}  
+**Report ID:** ${meta.reportId}
+
+---
+
+## Summary
+
+| Metric | Value |
+|--------|-------|
+| **Score** | ${summary.score}/100 |
+| **Verdict** | ${verdictEmoji} ${summary.verdict} |
+| **Total Findings** | ${summary.totalFindings} |
+| **Est. Fix Time** | ${fixEstimates.humanReadable} |
+
+### Severity Breakdown
+
+| Severity | Count |
+|----------|-------|
+| 🔴 Critical | ${summary.severityCounts.critical} |
+| 🟠 High | ${summary.severityCounts.high} |
+| 🟡 Medium | ${summary.severityCounts.medium} |
+| ⚪ Low | ${summary.severityCounts.low} |
+
+### Category Scores
+
+| Category | Score |
+|----------|-------|
+${Object.entries(summary.categoryScores).map(([k, v]) => `| ${formatCategoryName(k)} | ${v}% |`).join("\n")}
+
+---
+
+## Findings
+
+`;
+
+  // Group by severity
+  const bySeverity = { critical: [], high: [], medium: [], low: [] };
+  for (const f of findings) {
+    if (bySeverity[f.severity]) bySeverity[f.severity].push(f);
+  }
+  
+  for (const [sev, items] of Object.entries(bySeverity)) {
+    if (items.length === 0) continue;
+    md += `### ${sev.charAt(0).toUpperCase() + sev.slice(1)} (${items.length})\n\n`;
+    for (const f of items.slice(0, options.maxFindings || 20)) {
+      md += `#### ${f.id}: ${f.title}\n`;
+      if (f.file) md += `- **File:** \`${f.file}${f.line ? `:${f.line}` : ""}\`\n`;
+      if (f.fix) md += `- **Fix:** ${f.fix}\n`;
+      md += `\n`;
+    }
+  }
+  
+  md += `---
+
+*Generated by [Vibecheck](https://vibecheck.dev) · ${meta.reportId}*
+`;
+  
+  return md;
+}
+
+/**
+ * Export to JSON format
+ */
+function exportToJSON(reportData) {
+  return JSON.stringify(reportData, null, 2);
+}
+
+function formatCategoryName(name) {
+  const names = {
+    security: "Security",
+    auth: "Authentication",
+    billing: "Billing/Payments",
+    routes: "Route Integrity",
+    env: "Environment",
+    quality: "Code Quality",
+  };
+  return names[name] || name.charAt(0).toUpperCase() + name.slice(1);
+}
+
+// ============================================================================
+// EXPORTS
+// ============================================================================
+
+module.exports = {
+  buildReportData,
+  exportToSARIF,
+  exportToCSV,
+  exportToMarkdown,
+  exportToJSON,
+  formatCategoryName,
+  normalizeSeverity,
+  estimateFixTimes,
+  generateReportId,
+};