aegis-audit 2.1.0

package/src/commands/benchmark.js

@@ -0,0 +1,123 @@
+import chalk from 'chalk';
+import fs from 'fs';
+import path from 'path';
+import { execSync } from 'child_process';
+import { runBenchmark, FIXTURES_DIR } from '../../benchmark/runner.js';
+import { sectionHeader, dim } from '../ui/banner.js';
+
+chalk.level = 3;
+
+const SMARTBUGS_REPO = 'https://github.com/smartbugs/smartbugs-curated.git';
+
+export async function benchmarkCommand(options) {
+  chalk.level = 3;
+
+  let datasetDir = FIXTURES_DIR;
+  let datasetName = 'built-in fixtures (7 contracts)';
+
+  // Use a custom dataset dir if provided
+  if (options.dataset) {
+    datasetDir = options.dataset;
+    datasetName = options.dataset;
+    if (!fs.existsSync(datasetDir)) {
+      console.log('\n' + chalk.hex('#ff4560')(`X Dataset directory not found: ${datasetDir}`) + '\n');
+      process.exit(2);
+    }
+  }
+
+  // Optionally fetch the full SmartBugs Curated dataset (143 contracts)
+  if (options.fetchSmartbugs) {
+    const target = path.join(process.cwd(), '.solguard-smartbugs');
+    if (!fs.existsSync(target)) {
+      console.log(dim('  Cloning SmartBugs Curated (143 labeled contracts)...'));
+      try {
+        execSync(`git clone --depth 1 ${SMARTBUGS_REPO} "${target}"`, { stdio: 'ignore' });
+      } catch {
+        console.log('\n' + chalk.hex('#ff4560')('X Failed to clone SmartBugs. Check git + network, then retry.') + '\n');
+        process.exit(2);
+      }
+    }
+    datasetDir = path.join(target, 'dataset');
+    datasetName = 'SmartBugs Curated (143 labeled contracts, DASP taxonomy)';
+  }
+
+  console.log(dim(`\n  Dataset: ${datasetName}`));
+  console.log(dim('  Scoring: static detector layer only (deterministic). Contract-level, per DASP category.\n'));
+
+  const report = runBenchmark(datasetDir);
+
+  // ── Per-category table ──────────────────────────────────────────────────
+  sectionHeader('PER-CATEGORY RESULTS');
+  console.log(
+    '  ' +
+    chalk.hex('#7a90a8')('Category'.padEnd(26)) +
+    chalk.hex('#7a90a8')('Supp'.padStart(5)) +
+    chalk.hex('#7a90a8')('TP'.padStart(4)) +
+    chalk.hex('#7a90a8')('FN'.padStart(4)) +
+    chalk.hex('#7a90a8')('FP'.padStart(4)) +
+    chalk.hex('#7a90a8')('Recall'.padStart(9)) +
+    chalk.hex('#7a90a8')('Prec'.padStart(8)) +
+    chalk.hex('#7a90a8')('F1'.padStart(8))
+  );
+  console.log('  ' + chalk.hex('#162030')('-'.repeat(66)));
+
+  for (const [cat, m] of Object.entries(report.categories)) {
+    if (m.support === 0) continue;
+    const recall = pct(m.recall);
+    const recColor = m.recall >= 0.8 ? '#00e6b4' : m.recall >= 0.5 ? '#ffb740' : '#ff4560';
+    console.log(
+      '  ' +
+      chalk.hex('#c8d8e8')(m.label.slice(0, 25).padEnd(26)) +
+      chalk.hex('#c8d8e8')(String(m.support).padStart(5)) +
+      chalk.hex('#00e6b4')(String(m.tp).padStart(4)) +
+      chalk.hex('#ff4560')(String(m.fn).padStart(4)) +
+      chalk.hex('#ffb740')(String(m.fp).padStart(4)) +
+      chalk.hex(recColor)(recall.padStart(9)) +
+      chalk.hex('#c8d8e8')(pct(m.precision).padStart(8)) +
+      chalk.hex('#c8d8e8')(pct(m.f1).padStart(8))
+    );
+  }
+
+  // ── Overall ─────────────────────────────────────────────────────────────
+  sectionHeader('OVERALL (micro-averaged)');
+  const o = report.overall;
+  const recColor = o.microRecall >= 0.8 ? '#00e6b4' : o.microRecall >= 0.5 ? '#ffb740' : '#ff4560';
+  console.log(`  ${chalk.white.bold('Contracts tested:')}      ${o.contractsTested}`);
+  console.log(`  ${chalk.white.bold('Vuln instances:')}        ${o.totalVulnInstances}`);
+  console.log(`  ${chalk.white.bold('True positives:')}        ${chalk.hex('#00e6b4')(o.truePositives)}`);
+  console.log(`  ${chalk.white.bold('False negatives:')}       ${chalk.hex('#ff4560')(o.falseNegatives)}  ${dim('(missed vulnerabilities)')}`);
+  console.log(`  ${chalk.white.bold('False positives:')}       ${chalk.hex('#ffb740')(o.falsePositives)}`);
+  console.log('');
+  console.log(`  ${chalk.white.bold('Recall:')}               ${chalk.hex(recColor).bold(pct(o.microRecall))}  ${dim('(detection rate)')}`);
+  console.log(`  ${chalk.white.bold('Precision:')}            ${chalk.hex('#c8d8e8').bold(pct(o.microPrecision))}`);
+  console.log(`  ${chalk.white.bold('F1 score:')}             ${chalk.hex('#c8d8e8').bold(pct(o.microF1))}`);
+  console.log(`  ${chalk.white.bold('False-negative rate:')}  ${chalk.hex('#ff4560').bold(pct(o.falseNegativeRate))}`);
+
+  // ── Clean-contract false positives ──────────────────────────────────────
+  if (report.clean.cleanContracts > 0) {
+    sectionHeader('FALSE-POSITIVE CHECK (clean contracts)');
+    const fpColor = report.clean.falsePositiveRate <= 0.2 ? '#00e6b4' : '#ffb740';
+    console.log(`  ${chalk.white.bold('Clean contracts:')}      ${report.clean.cleanContracts}`);
+    console.log(`  ${chalk.white.bold('Flagged anyway:')}       ${chalk.hex(fpColor)(report.clean.cleanFalsePositives)}`);
+    console.log(`  ${chalk.white.bold('False-positive rate:')}  ${chalk.hex(fpColor).bold(pct(report.clean.falsePositiveRate))}`);
+  }
+
+  // ── Honesty footer ──────────────────────────────────────────────────────
+  console.log('\n' + chalk.hex('#162030')('-'.repeat(72)));
+  console.log(dim('  These numbers reflect the deterministic static layer only. The Claude AI'));
+  console.log(dim('  layer adds semantic findings not measured here, so production recall is'));
+  console.log(dim('  higher — but a non-zero false-negative rate means this tool MUST NOT be'));
+  console.log(dim('  the only gate before deploying high-value contracts.'));
+  console.log(chalk.hex('#162030')('-'.repeat(72)) + '\n');
+
+  // ── Machine-readable output ─────────────────────────────────────────────
+  if (options.output) {
+    fs.writeFileSync(options.output, JSON.stringify(report, null, 2));
+    console.log(chalk.hex('#00e6b4')('OK ') + `Full benchmark report written to ${chalk.hex('#4da6ff')(options.output)}\n`);
+  }
+}
+
+function pct(x) {
+  if (x === null || x === undefined) return 'n/a';
+  return (x * 100).toFixed(1) + '%';
+}

package/src/commands/config.js

@@ -0,0 +1,27 @@
+import { input } from '@inquirer/prompts';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import { loadConfig, saveConfig, verifyAuditLog } from '../utils/secure-config.js';
+
+export async function configCommand() {
+  chalk.level = 3;
+  console.log(boxen(
+    chalk.hex('#00e6b4').bold('SolGuard Configuration') + '\n' +
+    chalk.hex('#7a90a8')('API key is encrypted at rest (AES-256-GCM) in ~/.solguard/config.enc\n') +
+    chalk.hex('#7a90a8')('Enterprise: prefer setting ANTHROPIC_API_KEY via your secrets manager,\nor use --offline to never transmit source code.'),
+    { padding: 1, borderColor: '#162030', borderStyle: 'round' }
+  ));
+
+  const current = loadConfig();
+  const apiKey = await input({
+    message: chalk.white('Anthropic API key') + chalk.hex('#4a5a6a')(' (console.anthropic.com):'),
+    default: current.apiKey ? '***' + current.apiKey.slice(-6) : undefined,
+  });
+  const finalKey = apiKey.startsWith('***') ? current.apiKey : apiKey.trim();
+  saveConfig({ ...current, apiKey: finalKey });
+
+  console.log('\n' + chalk.hex('#00e6b4')('OK ') + chalk.white('Config encrypted and saved.'));
+
+  const audit = verifyAuditLog();
+  console.log(chalk.hex('#7a90a8')(`  Audit log: ${audit.entries} entries, integrity ${audit.valid ? chalk.hex('#00e6b4')('VALID') : chalk.hex('#ff4560')('BROKEN at #' + audit.brokenAt)}`) + '\n');
+}

package/src/knowledge/frameworks.js

@@ -0,0 +1,97 @@
+// ─────────────────────────────────────────────────────────────────────────────
+// SolGuard knowledge base
+// Maps every detector to authoritative framework identifiers so findings are
+// traceable to OWASP SC Top 10 (2026), MITRE ATT&CK, and CWE.
+//
+// Sources:
+//  - OWASP Smart Contract Top 10 : 2026 (owasp.org/www-project-smart-contract-top-10)
+//  - MITRE ATT&CK v18
+//  - MITRE CWE
+// ─────────────────────────────────────────────────────────────────────────────
+
+// OWASP Smart Contract Top 10 — 2026 (forward-looking, built on 2025 incident data)
+export const OWASP_SC_2026 = {
+  SC01: { id: 'SC01:2026', title: 'Access Control Vulnerabilities',
+    desc: 'Unauthorized users or roles invoke privileged functions or modify critical state, often leading to full protocol compromise when admin, governance, or upgrade paths are exposed.',
+    loss2024: '$953.2M' },
+  SC02: { id: 'SC02:2026', title: 'Business Logic Vulnerabilities',
+    desc: 'Design-level flaws in lending, AMM, reward, or governance logic that break intended economic rules, letting attackers extract value even when low-level checks pass.',
+    loss2024: '$63.8M' },
+  SC03: { id: 'SC03:2026', title: 'Price Oracle Manipulation',
+    desc: 'Weak oracles and unsafe price integrations let attackers skew reference prices, enabling under-collateralized borrowing, unfair liquidations, and mispriced swaps.',
+    loss2024: '$8.8M' },
+  SC04: { id: 'SC04:2026', title: 'Flash Loan-Facilitated Attacks',
+    desc: 'Large uncollateralized flash loans magnify small bugs into large drains via complex multi-step sequences in a single transaction.',
+    loss2024: '$33.8M' },
+  SC05: { id: 'SC05:2026', title: 'Lack of Input Validation',
+    desc: 'Missing or weak validation of user, admin, or cross-chain inputs allows unsafe parameters to reach core logic, corrupting state or enabling direct fund loss.',
+    loss2024: '$14.6M' },
+  SC06: { id: 'SC06:2026', title: 'Unchecked External Calls',
+    desc: 'Unsafe interactions with external contracts where failures, reverts, or callbacks are not handled, often enabling reentrancy or inconsistent state.',
+    loss2024: '$550.7K' },
+  SC07: { id: 'SC07:2026', title: 'Arithmetic Errors',
+    desc: 'Subtle bugs in integer math, scaling, and rounding — especially in share, interest, and AMM calculations — exploitable for precision loss or value siphoning.',
+    loss2024: 'n/a' },
+  SC08: { id: 'SC08:2026', title: 'Reentrancy Attacks',
+    desc: 'External calls re-enter vulnerable functions before state is updated, allowing repeated withdrawals from an outdated view of state.',
+    loss2024: '$35.7M' },
+  SC09: { id: 'SC09:2026', title: 'Integer Overflow and Underflow',
+    desc: 'Arithmetic on code paths without overflow checks leads to wrapped values, broken invariants, and potential drains.',
+    loss2024: 'n/a' },
+  SC10: { id: 'SC10:2026', title: 'Proxy & Upgradeability Vulnerabilities',
+    desc: 'Misconfigured proxy, initialization, and upgrade mechanisms let attackers seize implementations or reinitialize critical state.',
+    loss2024: 'n/a' },
+};
+
+// MITRE ATT&CK techniques relevant to smart-contract / Web3 threat modeling.
+// On-chain exploitation maps imperfectly to ATT&CK (built for traditional IT),
+// so we use the closest applicable techniques plus supply-chain ones that APTs
+// (e.g. Lazarus/BlueNoroff G0032) actually use against Web3 teams.
+export const MITRE = {
+  T1195:    { id: 'T1195',    name: 'Supply Chain Compromise' },
+  T1195_001:{ id: 'T1195.001',name: 'Compromise Software Dependencies and Development Tools' },
+  T1190:    { id: 'T1190',    name: 'Exploit Public-Facing Application' },
+  T1059:    { id: 'T1059',    name: 'Command and Scripting Interpreter' },
+  T1499:    { id: 'T1499',    name: 'Endpoint Denial of Service' },
+  T1078:    { id: 'T1078',    name: 'Valid Accounts (privileged key abuse)' },
+  T1556:    { id: 'T1556',    name: 'Modify Authentication Process' },
+  T1565:    { id: 'T1565',    name: 'Data Manipulation (on-chain state/price)' },
+  T1583:    { id: 'T1583',    name: 'Acquire Infrastructure (attacker contracts)' },
+};
+
+// CWE identifiers for deterministic, tool-agnostic classification.
+export const CWE = {
+  CWE_284:  { id: 'CWE-284',  name: 'Improper Access Control' },
+  CWE_285:  { id: 'CWE-285',  name: 'Improper Authorization' },
+  CWE_841:  { id: 'CWE-841',  name: 'Improper Enforcement of Behavioral Workflow' },
+  CWE_682:  { id: 'CWE-682',  name: 'Incorrect Calculation' },
+  CWE_190:  { id: 'CWE-190',  name: 'Integer Overflow or Wraparound' },
+  CWE_191:  { id: 'CWE-191',  name: 'Integer Underflow' },
+  CWE_252:  { id: 'CWE-252',  name: 'Unchecked Return Value' },
+  CWE_20:   { id: 'CWE-20',   name: 'Improper Input Validation' },
+  CWE_362:  { id: 'CWE-362',  name: 'Race Condition' },
+  CWE_841b: { id: 'CWE-841',  name: 'Reentrancy' },
+  CWE_330:  { id: 'CWE-330',  name: 'Use of Insufficiently Random Values' },
+  CWE_400:  { id: 'CWE-400',  name: 'Uncontrolled Resource Consumption' },
+  CWE_829:  { id: 'CWE-829',  name: 'Inclusion of Functionality from Untrusted Control Sphere' },
+  CWE_665:  { id: 'CWE-665',  name: 'Improper Initialization' },
+  CWE_345:  { id: 'CWE-345',  name: 'Insufficient Verification of Data Authenticity' },
+};
+
+// NIST SSDF (SP 800-218) practices this tool helps satisfy, for the
+// compliance appendix in enterprise reports.
+export const NIST_SSDF = {
+  'PW.7': 'Review and/or analyze human-readable code to identify vulnerabilities (this scan).',
+  'PW.8': 'Test executable code to identify vulnerabilities and verify compliance.',
+  'PS.3': 'Archive and protect each software release (SBOM generation).',
+  'PS.2': 'Provide a mechanism for verifying software release integrity (signed reports).',
+  'RV.1': 'Identify and confirm vulnerabilities on an ongoing basis.',
+  'RV.2': 'Assess, prioritize, and remediate vulnerabilities.',
+  'RV.3': 'Analyze vulnerabilities to identify their root causes.',
+};
+
+export const DISCLAIMER = `SolGuard is an AI-assisted automated scanner. It is NOT a substitute for a
+professional manual audit, formal verification, or economic/game-theoretic review.
+Automated analysis produces both false positives and false negatives. For
+high-value or production deployments, commission an independent human audit and,
+where applicable, formal verification of critical invariants.`;

package/src/output/formats.js

@@ -0,0 +1,125 @@
+// ─────────────────────────────────────────────────────────────────────────────
+// Enterprise output formats
+//  - SBOM (CycloneDX 1.5) — NIST SSDF PS.3, EO 14028 software supply chain
+//  - SARIF 2.1.0 — standard for GitHub Code Scanning / CI ingestion
+// ─────────────────────────────────────────────────────────────────────────────
+
+import crypto from 'crypto';
+
+// Generate a CycloneDX SBOM from detected imports / dependencies in the source.
+export function generateSBOM(contractInfo) {
+  const source = contractInfo.source;
+
+  // Extract Solidity imports (the contract's "dependencies")
+  const importRe = /import\s+(?:\{[^}]*\}\s+from\s+)?["']([^"']+)["']/g;
+  const deps = new Set();
+  let m;
+  while ((m = importRe.exec(source)) !== null) deps.add(m[1]);
+
+  // Detect well-known library families
+  const libraries = [];
+  if (/@openzeppelin/.test(source)) libraries.push({ name: '@openzeppelin/contracts', purl: 'pkg:npm/@openzeppelin/contracts' });
+  if (/@chainlink/.test(source))    libraries.push({ name: '@chainlink/contracts', purl: 'pkg:npm/@chainlink/contracts' });
+  if (/@uniswap/.test(source))      libraries.push({ name: '@uniswap/v3-core', purl: 'pkg:npm/@uniswap/v3-core' });
+  if (/solmate/.test(source))       libraries.push({ name: 'solmate', purl: 'pkg:github/transmissions11/solmate' });
+
+  const components = [
+    ...[...deps].map(d => ({
+      type: 'library',
+      name: d,
+      scope: 'required',
+      hashes: [{ alg: 'SHA-256', content: sha256(d) }],
+    })),
+    ...libraries.map(l => ({
+      type: 'library',
+      name: l.name,
+      purl: l.purl,
+      scope: 'required',
+    })),
+  ];
+
+  return {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.5',
+    serialNumber: `urn:uuid:${crypto.randomUUID()}`,
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      tools: [{ vendor: 'SolGuard', name: 'solguard', version: '2.0.0' }],
+      component: {
+        type: 'application',
+        name: contractInfo.name,
+        ...(contractInfo.address && { 'bom-ref': contractInfo.address }),
+        hashes: [{ alg: 'SHA-256', content: sha256(source) }],
+      },
+    },
+    components,
+  };
+}
+
+// Convert findings to SARIF 2.1.0 for CI ingestion (GitHub Code Scanning, etc.)
+export function generateSARIF(contractInfo, findings) {
+  const rules = [];
+  const seenRules = new Set();
+  const results = [];
+
+  const sarifLevel = { CRITICAL: 'error', HIGH: 'error', MEDIUM: 'warning', LOW: 'note' };
+
+  for (const f of findings) {
+    const ruleId = f.detectorId || f.owasp || f.title.slice(0, 24).replace(/\s+/g, '-');
+    if (!seenRules.has(ruleId)) {
+      seenRules.add(ruleId);
+      rules.push({
+        id: ruleId,
+        name: f.title,
+        shortDescription: { text: f.title },
+        fullDescription: { text: f.description },
+        helpUri: f.owasp ? `https://owasp.org/www-project-smart-contract-top-10/` : undefined,
+        properties: {
+          tags: [f.owasp, f.cwe, f.mitre].filter(Boolean),
+          'security-severity': severityScore(f.severity),
+        },
+        defaultConfiguration: { level: sarifLevel[f.severity] || 'warning' },
+      });
+    }
+
+    const lineMatch = /Line (\d+)/.exec(f.location || '');
+    results.push({
+      ruleId,
+      level: sarifLevel[f.severity] || 'warning',
+      message: { text: `${f.description}\n\nFix: ${f.fix}` },
+      locations: [{
+        physicalLocation: {
+          artifactLocation: { uri: contractInfo.files?.[0]?.name || contractInfo.name },
+          region: lineMatch ? { startLine: parseInt(lineMatch[1], 10) } : { startLine: 1 },
+        },
+      }],
+      properties: {
+        owasp: f.owasp, cwe: f.cwe, mitre: f.mitre,
+        exploitLikelihood: f.exploitLikelihood, attackerCost: f.attackerCost,
+      },
+    });
+  }
+
+  return {
+    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: { driver: {
+        name: 'SolGuard',
+        version: '2.0.0',
+        informationUri: 'https://github.com/rsh1k/solguard',
+        rules,
+      }},
+      results,
+    }],
+  };
+}
+
+function severityScore(sev) {
+  return ({ CRITICAL: '9.5', HIGH: '7.5', MEDIUM: '5.0', LOW: '2.5' })[sev] || '5.0';
+}
+
+export function sha256(s) {
+  return crypto.createHash('sha256').update(s).digest('hex');
+}

package/src/ui/banner.js

@@ -0,0 +1,77 @@
+import chalk from 'chalk';
+import boxen from 'boxen';
+
+export async function banner() {
+  // Force color on
+  chalk.level = 3;
+
+  const title = [
+    ' ███████╗ ██████╗ ██╗      ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗ ',
+    ' ██╔════╝██╔═══██╗██║     ██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗',
+    ' ███████╗██║   ██║██║     ██║  ███╗██║   ██║███████║██████╔╝██║  ██║',
+    ' ╚════██║██║   ██║██║     ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║',
+    ' ███████║╚██████╔╝███████╗╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝',
+    ' ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ ',
+  ].map(l => chalk.hex('#00e6b4')(l)).join('\n');
+
+  const subtitle = chalk.hex('#4a5a6a')('  Aegis · AI-powered smart contract security auditor');
+  const version  = chalk.hex('#4a5a6a')('  v2.1.0 · OWASP SC Top 10 2026 · MITRE · NIST SSDF');
+
+  console.log('\n' + title);
+  console.log(subtitle);
+  console.log(version + '\n');
+}
+
+export function sectionHeader(title) {
+  chalk.level = 3;
+  const line = chalk.hex('#162030')('─'.repeat(60));
+  const label = chalk.hex('#00e6b4').bold(` ${title} `);
+  console.log('\n' + chalk.hex('#00e6b4')('┌') + line);
+  console.log(chalk.hex('#00e6b4')('│') + label);
+  console.log(chalk.hex('#00e6b4')('└') + line);
+}
+
+export function severityBadge(sev) {
+  chalk.level = 3;
+  const map = {
+    CRITICAL: chalk.bgHex('#ff4560').white.bold(' CRITICAL '),
+    HIGH:     chalk.bgHex('#ffb740').black.bold('   HIGH   '),
+    MEDIUM:   chalk.bgHex('#4da6ff').black.bold('  MEDIUM  '),
+    LOW:      chalk.bgHex('#4a5a6a').white.bold('   LOW    '),
+  };
+  return map[sev] || chalk.gray(` ${sev} `);
+}
+
+export function scoreBar(score, width = 30) {
+  chalk.level = 3;
+  const filled = Math.round((score / 100) * width);
+  const empty  = width - filled;
+  const color  = score >= 75 ? '#00e6b4' : score >= 50 ? '#ffb740' : '#ff4560';
+  const bar    = chalk.hex(color)('█'.repeat(filled)) + chalk.hex('#162030')('░'.repeat(empty));
+  return `[${bar}] ${chalk.hex(color).bold(score + '/100')}`;
+}
+
+export function dim(text) {
+  chalk.level = 3;
+  return chalk.hex('#4a5a6a')(text);
+}
+
+export function success(text) {
+  chalk.level = 3;
+  return chalk.hex('#00e6b4')('✔ ') + text;
+}
+
+export function warn(text) {
+  chalk.level = 3;
+  return chalk.hex('#ffb740')('⚠ ') + text;
+}
+
+export function error(text) {
+  chalk.level = 3;
+  return chalk.hex('#ff4560')('✖ ') + text;
+}
+
+export function info(text) {
+  chalk.level = 3;
+  return chalk.hex('#4da6ff')('ℹ ') + text;
+}

package/src/ui/report.js

@@ -0,0 +1,178 @@
+import chalk from 'chalk';
+import fs from 'fs';
+import { severityBadge, scoreBar, sectionHeader, dim, success, warn } from './banner.js';
+import { DISCLAIMER, NIST_SSDF } from '../knowledge/frameworks.js';
+
+chalk.level = 3;
+const SEV_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+
+function wrap(text, indent = '  ', width = 76) {
+  const words = (text || '').split(' ');
+  let line = indent; const out = [];
+  for (const w of words) {
+    if ((line + w).length > width) { out.push(line); line = indent + w + ' '; }
+    else line += w + ' ';
+  }
+  if (line.trim()) out.push(line);
+  return out.join('\n');
+}
+
+export function renderReport(contractInfo, findings, meta, options) {
+  chalk.level = 3;
+
+  if (options.json) {
+    console.log(JSON.stringify({ contractInfo: { name: contractInfo.name, address: contractInfo.address }, score: meta.score, verdict: meta.verdict, findings, attackPaths: meta.attackPaths }, null, 2));
+    return;
+  }
+
+  const verdictColor = meta.score >= 80 ? '#00e6b4' : meta.score >= 60 ? '#ffb740' : '#ff4560';
+
+  sectionHeader('CONTRACT');
+  console.log(`  ${chalk.white.bold('Name:')}     ${chalk.hex('#c8d8e8')(contractInfo.name)}`);
+  if (contractInfo.address) console.log(`  ${chalk.white.bold('Address:')}  ${chalk.hex('#4da6ff')(contractInfo.address)} (${contractInfo.network})`);
+  console.log(`  ${chalk.white.bold('Solidity:')} ${chalk.hex('#c8d8e8')(meta.metrics.solidityVersion)}`);
+  console.log(`  ${chalk.white.bold('Files:')}    ${chalk.hex('#c8d8e8')(contractInfo.files?.length ?? 1)}`);
+
+  sectionHeader('RISK SCORE');
+  console.log(`\n  ${scoreBar(meta.score)}`);
+  console.log(`\n  ${chalk.hex(verdictColor).bold('> ' + meta.verdict)}`);
+  if (meta.aiSummary) console.log(`\n${wrap(meta.aiSummary, '  ')}`);
+
+  console.log('');
+  for (const [label, val] of Object.entries(meta.breakdown)) {
+    const col = val >= 75 ? '#00e6b4' : val >= 50 ? '#ffb740' : '#ff4560';
+    const filled = Math.round((val / 100) * 18);
+    const bar = chalk.hex(col)('#'.repeat(filled)) + chalk.hex('#162030')('-'.repeat(18 - filled));
+    console.log(`  ${chalk.hex('#4a5a6a')(label.padEnd(18))} [${bar}] ${chalk.hex(col).bold(String(val).padStart(3))}`);
+  }
+
+  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+  for (const f of findings) counts[f.severity]++;
+  sectionHeader('FINDINGS SUMMARY');
+  console.log(
+    `  ${chalk.hex('#ff4560').bold(counts.CRITICAL + ' Critical')}   ` +
+    `${chalk.hex('#ffb740').bold(counts.HIGH + ' High')}   ` +
+    `${chalk.hex('#4da6ff').bold(counts.MEDIUM + ' Medium')}   ` +
+    `${chalk.hex('#4a5a6a').bold(counts.LOW + ' Low')}`
+  );
+
+  // Attack paths — the red-team lens
+  if (meta.attackPaths && meta.attackPaths.length) {
+    sectionHeader('ATTACK PATHS (red-team analysis)');
+    for (const p of meta.attackPaths) {
+      console.log(`\n  ${severityBadge(p.severity)}  ${chalk.white.bold(p.name)}`);
+      console.log(`  ${dim('OWASP:')} ${chalk.hex('#4da6ff')(p.owasp.join(', '))}  ${dim('MITRE:')} ${chalk.hex('#4da6ff')(p.mitre.join(', '))}`);
+      p.steps.forEach((s, i) => console.log(chalk.hex('#7a90a8')(`    ${i + 1}. ${s}`)));
+    }
+  }
+
+  if (findings.length) {
+    sectionHeader(`FINDINGS  (${findings.length})`);
+    const sorted = [...findings].sort((a, b) => (SEV_ORDER[a.severity] ?? 9) - (SEV_ORDER[b.severity] ?? 9));
+    for (let i = 0; i < sorted.length; i++) {
+      const f = sorted[i];
+      console.log(`\n  ${severityBadge(f.severity)}  ${chalk.white.bold(f.title)}`);
+      const tags = [f.owasp, f.cwe, f.mitre].filter(Boolean).join('  ');
+      if (tags) console.log(`  ${chalk.hex('#4da6ff')(tags)}`);
+      console.log(`  ${dim('Location:')} ${f.location || 'n/a'}  ${dim('Detector:')} ${f.source === 'static' ? 'static' : 'Claude AI'}` +
+        (f.exploitLikelihood ? `  ${dim('Exploitability:')} ${f.exploitLikelihood}/5  ${dim('Attacker cost:')} ${f.attackerCost}` : ''));
+      console.log('\n' + wrap(f.description, '  '));
+      if (f.fix) console.log(`\n  ${chalk.hex('#00e6b4').bold('Fix:')} ${wrap(f.fix, '').trim()}`);
+      if (i < sorted.length - 1) console.log('\n  ' + chalk.hex('#162030')('-'.repeat(60)));
+    }
+  } else {
+    console.log('\n  ' + success('No findings from automated detectors.'));
+  }
+
+  // NIST SSDF compliance appendix
+  sectionHeader('NIST SSDF (SP 800-218) COVERAGE');
+  for (const [k, v] of Object.entries(NIST_SSDF)) {
+    console.log(`  ${chalk.hex('#00e6b4')(k.padEnd(6))} ${chalk.hex('#7a90a8')(v)}`);
+  }
+
+  console.log('\n' + chalk.hex('#162030')('-'.repeat(78)));
+  console.log(wrap(DISCLAIMER, '  '));
+  console.log(chalk.hex('#162030')('-'.repeat(78)) + '\n');
+
+  if (options.output) {
+    saveMarkdown(options.output, contractInfo, findings, meta);
+    console.log(success(`Markdown report saved to ${chalk.hex('#4da6ff')(options.output)}\n`));
+  }
+}
+
+function saveMarkdown(outputPath, contractInfo, findings, meta) {
+  const sorted = [...findings].sort((a, b) => (SEV_ORDER[a.severity] ?? 9) - (SEV_ORDER[b.severity] ?? 9));
+  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+  for (const f of findings) counts[f.severity]++;
+
+  const md = `# SolGuard Security Report
+
+**Contract:** ${contractInfo.name}
+${contractInfo.address ? `**Address:** \`${contractInfo.address}\` (${contractInfo.network})` : ''}
+**Solidity:** ${meta.metrics.solidityVersion}
+**Date:** ${new Date().toISOString().slice(0, 19)}Z
+**Scanner:** SolGuard v2.0.0 ${meta.offline ? '(offline mode)' : '(static + Claude AI)'}
+
+---
+
+## Risk Score: ${meta.score}/100 - ${meta.verdict}
+
+${meta.aiSummary || ''}
+
+### Category Breakdown
+| Category | Score |
+|---|---|
+${Object.entries(meta.breakdown).map(([k, v]) => `| ${k} | ${v}/100 |`).join('\n')}
+
+### Findings Summary
+| Severity | Count |
+|---|---|
+| Critical | ${counts.CRITICAL} |
+| High | ${counts.HIGH} |
+| Medium | ${counts.MEDIUM} |
+| Low | ${counts.LOW} |
+
+---
+
+## Attack Paths (Red-Team Analysis)
+
+${(meta.attackPaths || []).map(p => `### ${p.name} (${p.severity})
+**OWASP:** ${p.owasp.join(', ')} | **MITRE ATT&CK:** ${p.mitre.join(', ')}
+
+${p.steps.map((s, i) => `${i + 1}. ${s}`).join('\n')}`).join('\n\n') || '_No multi-step attack chains identified._'}
+
+---
+
+## Findings
+
+${sorted.map((f, i) => `### ${i + 1}. [${f.severity}] ${f.title}
+
+| Field | Value |
+|---|---|
+| OWASP | ${f.owasp || 'n/a'} ${f.owaspTitle ? '- ' + f.owaspTitle : ''} |
+| CWE | ${f.cwe || 'n/a'} ${f.cweName ? '- ' + f.cweName : ''} |
+| MITRE ATT&CK | ${f.mitre || 'n/a'} ${f.mitreName ? '- ' + f.mitreName : ''} |
+| Location | ${f.location || 'n/a'} |
+| Exploitability | ${f.exploitLikelihood ? f.exploitLikelihood + '/5' : 'n/a'} |
+| Attacker cost | ${f.attackerCost || 'n/a'} |
+| Detector | ${f.source === 'static' ? 'Static analysis' : 'Claude AI'} |
+
+${f.description}
+
+**Recommended fix:** ${f.fix}
+`).join('\n---\n\n')}
+
+---
+
+## NIST SSDF (SP 800-218) Coverage
+
+${Object.entries(NIST_SSDF).map(([k, v]) => `- **${k}**: ${v}`).join('\n')}
+
+---
+
+## Disclaimer
+
+${DISCLAIMER}
+`;
+  fs.writeFileSync(outputPath, md, 'utf8');
+}