anchor-audit 0.1.0

package/README.md

@@ -0,0 +1,28 @@
+# anchor-audit CLI
+
+AI-driven security audit CLI for Anchor programs on Solana. Sends your program source plus the [rule catalog](../rules) to the Claude API and renders a structured audit report.
+
+> **Status:** scaffolding only — implementation lands in Phase 4 (see [IMPLEMENTATION_PLAN.md](../IMPLEMENTATION_PLAN.md)).
+
+```bash
+anchor-audit <path-to-anchor-program> [options]
+
+Options:
+  --output <path>    output file (default: stdout)
+  --rules <ids>      comma-separated rule IDs (default: all)
+  --severity <min>   minimum severity to report (critical | high | medium | low)
+  --format <fmt>     markdown (default) | json
+  --verbose          print per-rule progress
+  --api-key <key>    override ANTHROPIC_API_KEY env var
+  --model <id>       override default model (claude-sonnet-4-6)
+```
+
+Requires Node 20+ and an `ANTHROPIC_API_KEY`. Exit code is `0` when no critical/high findings, `1` otherwise, `2` on execution error.
+
+## Module layout
+
+- `src/index.ts` — entry point and flag parsing
+- `src/scanner.ts` — file collection + filtering
+- `src/rules-loader.ts` — loads `/rules/*.md` at runtime
+- `src/auditor.ts` — Claude API orchestration (rules batched 4–6 per call)
+- `src/reporter.ts` — markdown/JSON report generation

package/dist/auditor.d.ts

@@ -0,0 +1,16 @@
+import type { CliOptions, Severity } from "./index.js";
+import type { Rule } from "./rules-loader.js";
+import type { SourceFile } from "./scanner.js";
+export interface Finding {
+    ruleId: string;
+    ruleName: string;
+    severity: Severity;
+    title: string;
+    file: string;
+    line: number | null;
+    description: string;
+    vulnerableCode: string;
+    recommendation: string;
+}
+export declare const SEVERITY_ORDER: Record<Severity, number>;
+export declare function runAudit(sources: SourceFile[], rules: Rule[], options: CliOptions): Promise<Finding[]>;

package/dist/auditor.js

@@ -0,0 +1,235 @@
+/**
+ * AI API orchestration — provider-agnostic.
+ *
+ * Anthropic is called natively via @anthropic-ai/sdk (best quality).
+ * Every other provider (cloud and local) uses the OpenAI-compatible chat
+ * completions API via the `openai` package with a custom baseURL.
+ *
+ * Cloud routing:
+ *   anthropic   → @anthropic-ai/sdk   → api.anthropic.com
+ *   openai      → openai SDK          → api.openai.com/v1
+ *   google      → openai SDK          → generativelanguage.googleapis.com/v1beta/openai/
+ *   groq        → openai SDK          → api.groq.com/openai/v1
+ *   openrouter  → openai SDK          → openrouter.ai/api/v1
+ *
+ * Local routing (no API key required):
+ *   ollama      → openai SDK          → http://localhost:11434/v1
+ *   lmstudio    → openai SDK          → http://localhost:1234/v1
+ *   vllm        → openai SDK          → http://localhost:8000/v1
+ *   custom      → openai SDK          → <--base-url>
+ */
+import Anthropic from "@anthropic-ai/sdk";
+import OpenAI from "openai";
+import chalk from "chalk";
+export const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+};
+/** Max tokens per provider call, controlled by --effort. */
+const EFFORT_MAX_TOKENS = {
+    low: 2048,
+    medium: 4096,
+    high: 8192,
+};
+const BATCH_SIZE = 5;
+// ---------------------------------------------------------------------------
+// Provider config
+// ---------------------------------------------------------------------------
+/** Base URLs for OpenAI-compatible providers (cloud and local). */
+const PROVIDER_BASE_URLS = {
+    // Cloud
+    openai: "https://api.openai.com/v1",
+    google: "https://generativelanguage.googleapis.com/v1beta/openai/",
+    groq: "https://api.groq.com/openai/v1",
+    openrouter: "https://openrouter.ai/api/v1",
+    // Local — override with --base-url if your server runs on a different port
+    ollama: "http://localhost:11434/v1",
+    lmstudio: "http://localhost:1234/v1",
+    vllm: "http://localhost:8000/v1",
+};
+/** Environment variable names per cloud provider. */
+const PROVIDER_ENV_VARS = {
+    anthropic: "ANTHROPIC_API_KEY",
+    openai: "OPENAI_API_KEY",
+    google: "GEMINI_API_KEY",
+    groq: "GROQ_API_KEY",
+    openrouter: "OPENROUTER_API_KEY",
+    custom: "OPENAI_API_KEY",
+};
+/** Local providers don't use real API keys; the OpenAI SDK still requires a non-empty string. */
+const LOCAL_PROVIDERS = new Set(["ollama", "lmstudio", "vllm"]);
+const LOCAL_KEY_PLACEHOLDER = "local";
+function resolveApiKey(options) {
+    if (options.apiKey)
+        return options.apiKey;
+    const envVar = PROVIDER_ENV_VARS[options.provider];
+    if (envVar) {
+        const key = process.env[envVar];
+        if (key)
+            return key;
+    }
+    // Local providers work without a real API key.
+    if (LOCAL_PROVIDERS.has(options.provider)) {
+        return LOCAL_KEY_PLACEHOLDER;
+    }
+    throw new Error(`No API key found for provider "${options.provider}".\n` +
+        `Set the ${PROVIDER_ENV_VARS[options.provider] ?? "OPENAI_API_KEY"} environment variable or pass --api-key.`);
+}
+// ---------------------------------------------------------------------------
+// Prompt builders
+// ---------------------------------------------------------------------------
+function buildSystem(rules) {
+    const blocks = rules
+        .map((r) => `### Rule ${r.id}: ${r.name} [${r.severity.toUpperCase()}]\n\n${r.content}`)
+        .join("\n\n---\n\n");
+    return `You are a Solana Anchor smart-contract security auditor.
+
+Analyze the provided Rust source files for violations of the security rules below.
+Return ONLY a valid JSON array of findings — no markdown fences, no commentary.
+If you find no violations, return exactly: []
+
+Each object in the array must match this schema:
+{
+  "ruleId":         "<NNN>",          // three-digit string, e.g. "017"
+  "severity":       "<level>",        // one of: critical | high | medium | low
+  "title":          "<string>",       // ≤ 100 chars; what was found
+  "file":           "<path>",         // as given in the <file path="..."> tag
+  "line":           <number | null>,  // best-effort integer line number
+  "description":    "<string>",       // what the code does wrong and why it matters
+  "vulnerableCode": "<string>",       // relevant snippet, ≤ 400 chars
+  "recommendation": "<string>"        // concrete, actionable fix
+}
+
+Security rules to check:
+
+${blocks}`;
+}
+function buildUser(sources) {
+    return sources
+        .map((s) => `<file path="${s.path}">\n${s.content}\n</file>`)
+        .join("\n\n");
+}
+// ---------------------------------------------------------------------------
+// Provider-specific API calls
+// ---------------------------------------------------------------------------
+async function callAnthropic(apiKey, model, maxTokens, system, user) {
+    const client = new Anthropic({ apiKey });
+    const msg = await client.messages.create({
+        model,
+        max_tokens: maxTokens,
+        system,
+        messages: [{ role: "user", content: user }],
+    });
+    return msg.content[0]?.type === "text" ? msg.content[0].text : "";
+}
+async function callOpenAICompatible(apiKey, model, baseURL, maxTokens, system, user) {
+    const client = new OpenAI({ apiKey, baseURL });
+    const response = await client.chat.completions.create({
+        model,
+        max_tokens: maxTokens,
+        messages: [
+            { role: "system", content: system },
+            { role: "user", content: user },
+        ],
+    });
+    return response.choices[0]?.message?.content ?? "";
+}
+async function callProvider(options, apiKey, system, user) {
+    const maxTokens = EFFORT_MAX_TOKENS[options.effort];
+    if (options.provider === "anthropic") {
+        return callAnthropic(apiKey, options.model, maxTokens, system, user);
+    }
+    const baseURL = options.baseUrl ??
+        PROVIDER_BASE_URLS[options.provider] ??
+        "https://api.openai.com/v1";
+    return callOpenAICompatible(apiKey, options.model, baseURL, maxTokens, system, user);
+}
+// ---------------------------------------------------------------------------
+// Response parsing
+// ---------------------------------------------------------------------------
+function parseFindings(raw, rules) {
+    const cleaned = raw
+        .replace(/^```(?:json)?\r?\n?/m, "")
+        .replace(/\r?\n?```$/m, "")
+        .trim();
+    let parsed;
+    try {
+        parsed = JSON.parse(cleaned);
+    }
+    catch {
+        return [];
+    }
+    if (!Array.isArray(parsed))
+        return [];
+    const ruleMap = new Map(rules.map((r) => [r.id, r]));
+    const findings = [];
+    for (const item of parsed) {
+        if (typeof item !== "object" || item === null)
+            continue;
+        const obj = item;
+        const id = String(obj["ruleId"] ?? "").padStart(3, "0");
+        const rule = ruleMap.get(id);
+        if (!rule)
+            continue;
+        const sev = String(obj["severity"] ?? "").toLowerCase();
+        if (!["critical", "high", "medium", "low"].includes(sev))
+            continue;
+        findings.push({
+            ruleId: id,
+            ruleName: rule.name,
+            severity: sev,
+            title: String(obj["title"] ?? "").slice(0, 200),
+            file: String(obj["file"] ?? ""),
+            line: typeof obj["line"] === "number"
+                ? Math.max(1, Math.floor(obj["line"]))
+                : null,
+            description: String(obj["description"] ?? ""),
+            vulnerableCode: String(obj["vulnerableCode"] ?? "").slice(0, 800),
+            recommendation: String(obj["recommendation"] ?? ""),
+        });
+    }
+    return findings;
+}
+// ---------------------------------------------------------------------------
+// Main entry
+// ---------------------------------------------------------------------------
+export async function runAudit(sources, rules, options) {
+    const apiKey = resolveApiKey(options);
+    const minOrder = options.severity ? SEVERITY_ORDER[options.severity] : 3;
+    const eligible = rules.filter((r) => SEVERITY_ORDER[r.severity] <= minOrder);
+    if (eligible.length === 0)
+        return [];
+    const batches = [];
+    for (let i = 0; i < eligible.length; i += BATCH_SIZE) {
+        batches.push(eligible.slice(i, i + BATCH_SIZE));
+    }
+    if (options.verbose) {
+        process.stderr.write(chalk.dim(`provider: ${options.provider}  model: ${options.model}  effort: ${options.effort}  batches: ${batches.length}\n`));
+    }
+    const userContent = buildUser(sources);
+    const allFindings = [];
+    for (let i = 0; i < batches.length; i++) {
+        const batch = batches[i];
+        if (options.verbose) {
+            process.stderr.write(chalk.dim(`  [${i + 1}/${batches.length}] rules ${batch.map((r) => r.id).join(", ")}\n`));
+        }
+        let responseText;
+        try {
+            responseText = await callProvider(options, apiKey, buildSystem(batch), userContent);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(`API error on batch ${i + 1} (${options.provider}): ${msg}`);
+        }
+        const batchFindings = parseFindings(responseText, batch);
+        if (options.verbose && batchFindings.length > 0) {
+            process.stderr.write(chalk.yellow(`    → ${batchFindings.length} finding(s)\n`));
+        }
+        allFindings.push(...batchFindings);
+    }
+    const filtered = allFindings.filter((f) => SEVERITY_ORDER[f.severity] <= minOrder);
+    return filtered.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+}
+//# sourceMappingURL=auditor.js.map

package/dist/auditor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditor.js","sourceRoot":"","sources":["../src/auditor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,SAAS,MAAM,mBAAmB,CAAC;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAiB1B,MAAM,CAAC,MAAM,cAAc,GAA6B;IACtD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF,4DAA4D;AAC5D,MAAM,iBAAiB,GAA2B;IAChD,GAAG,EAAE,IAAI;IACT,MAAM,EAAE,IAAI;IACZ,IAAI,EAAE,IAAI;CACX,CAAC;AAEF,MAAM,UAAU,GAAG,CAAC,CAAC;AAErB,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,mEAAmE;AACnE,MAAM,kBAAkB,GAAsC;IAC5D,QAAQ;IACR,MAAM,EAAE,2BAA2B;IACnC,MAAM,EAAE,0DAA0D;IAClE,IAAI,EAAE,gCAAgC;IACtC,UAAU,EAAE,8BAA8B;IAC1C,2EAA2E;IAC3E,MAAM,EAAE,2BAA2B;IACnC,QAAQ,EAAE,0BAA0B;IACpC,IAAI,EAAE,0BAA0B;CACjC,CAAC;AAEF,qDAAqD;AACrD,MAAM,iBAAiB,GAAsC;IAC3D,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,gBAAgB;IACxB,MAAM,EAAE,gBAAgB;IACxB,IAAI,EAAE,cAAc;IACpB,UAAU,EAAE,oBAAoB;IAChC,MAAM,EAAE,gBAAgB;CACzB,CAAC;AAEF,iGAAiG;AACjG,MAAM,eAAe,GAAG,IAAI,GAAG,CAAW,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;AAC1E,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAEtC,SAAS,aAAa,CAAC,OAAmB;IACxC,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,OAAO,CAAC,MAAM,CAAC;IAE1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;IACtB,CAAC;IAED,+CAA+C;IAC/C,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,kCAAkC,OAAO,CAAC,QAAQ,MAAM;QACtD,WAAW,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,gBAAgB,0CAA0C,CAC/G,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,MAAM,GAAG,KAAK;SACjB,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,YAAY,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,OAAO,EAAE,CAC9E;SACA,IAAI,CAAC,aAAa,CAAC,CAAC;IAEvB,OAAO;;;;;;;;;;;;;;;;;;;;EAoBP,MAAM,EAAE,CAAC;AACX,CAAC;AAED,SAAS,SAAS,CAAC,OAAqB;IACtC,OAAO,OAAO;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,OAAO,WAAW,CAAC;SAC5D,IAAI,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,KAAK,UAAU,aAAa,CAC1B,MAAc,EACd,KAAa,EACb,SAAiB,EACjB,MAAc,EACd,IAAY;IAEZ,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QACvC,KAAK;QACL,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;KAC5C,CAAC,CAAC;IACH,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AACpE,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,MAAc,EACd,KAAa,EACb,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,IAAY;IAEZ,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;QACpD,KAAK;QACL,UAAU,EAAE,SAAS;QACrB,QAAQ,EAAE;YACR,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE;YACnC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE;SAChC;KACF,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;AACrD,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAAmB,EACnB,MAAc,EACd,MAAc,EACd,IAAY;IAEZ,MAAM,SAAS,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAEpD,IAAI,OAAO,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACrC,OAAO,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;QACf,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC;QACpC,2BAA2B,CAAC;IAE9B,OAAO,oBAAoB,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;AACvF,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,aAAa,CAAC,GAAW,EAAE,KAAa;IAC/C,MAAM,OAAO,GAAG,GAAG;SAChB,OAAO,CAAC,sBAAsB,EAAE,EAAE,CAAC;SACnC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC;SAC1B,IAAI,EAAE,CAAC;IAEV,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;YAAE,SAAS;QACxD,MAAM,GAAG,GAAG,IAA+B,CAAC;QAE5C,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACxD,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS;QAEnE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,EAAE;YACV,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ,EAAE,GAAe;YACzB,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YAC/C,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,EACF,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,QAAQ;gBAC7B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;gBACtC,CAAC,CAAC,IAAI;YACV,WAAW,EAAE,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;YAC7C,cAAc,EAAE,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACjE,cAAc,EAAE,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;SACpD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAqB,EACrB,KAAa,EACb,OAAmB;IAEnB,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAEtC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,CAAC;IAC7E,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,GAAG,CACP,aAAa,OAAO,CAAC,QAAQ,YAAY,OAAO,CAAC,KAAK,aAAa,OAAO,CAAC,MAAM,cAAc,OAAO,CAAC,MAAM,IAAI,CAClH,CACF,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,WAAW,GAAc,EAAE,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QAE1B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,GAAG,CACP,MAAM,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,WAAW,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAC9E,CACF,CAAC;QACJ,CAAC;QAED,IAAI,YAAoB,CAAC;QACzB,IAAI,CAAC;YACH,YAAY,GAAG,MAAM,YAAY,CAC/B,OAAO,EACP,MAAM,EACN,WAAW,CAAC,KAAK,CAAC,EAClB,WAAW,CACZ,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,QAAQ,MAAM,GAAG,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,aAAa,GAAG,aAAa,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEzD,IAAI,OAAO,CAAC,OAAO,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,MAAM,CAAC,SAAS,aAAa,CAAC,MAAM,eAAe,CAAC,CAC3D,CAAC;QACJ,CAAC;QAED,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CACjC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAC9C,CAAC;IAEF,OAAO,QAAQ,CAAC,IAAI,CAClB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAClE,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+import "dotenv/config";
+export type Severity = "critical" | "high" | "medium" | "low";
+export type Effort = "low" | "medium" | "high";
+export type Provider = "anthropic" | "openai" | "google" | "groq" | "openrouter" | "ollama" | "lmstudio" | "vllm" | "custom";
+/** Default model ID for each provider. */
+export declare const DEFAULT_MODELS: Record<Provider, string>;
+export interface CliOptions {
+    output?: string;
+    rules?: string;
+    severity?: Severity;
+    format: "markdown" | "json";
+    verbose: boolean;
+    apiKey?: string;
+    model: string;
+    provider: Provider;
+    baseUrl?: string;
+    effort: Effort;
+}

package/dist/index.js

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+import "dotenv/config";
+import { Command } from "commander";
+import chalk from "chalk";
+import { basename } from "node:path";
+import { scanProgram } from "./scanner.js";
+import { loadRules } from "./rules-loader.js";
+import { runAudit } from "./auditor.js";
+import { renderReport } from "./reporter.js";
+import { buildMetadata } from "./metadata.js";
+/** Default model ID for each provider. */
+export const DEFAULT_MODELS = {
+    // Cloud
+    anthropic: "claude-sonnet-4-6",
+    openai: "gpt-4o",
+    google: "gemini-2.0-flash",
+    groq: "llama-3.3-70b-versatile",
+    openrouter: "anthropic/claude-sonnet-4-6",
+    // Local
+    ollama: "llama3.1:8b",
+    lmstudio: "local-model",
+    vllm: "local-model",
+    custom: "gpt-4o",
+};
+const VALID_PROVIDERS = Object.keys(DEFAULT_MODELS);
+const VALID_EFFORTS = ["low", "medium", "high"];
+const program = new Command();
+program
+    .name("anchor-audit")
+    .description("Security audit for Anchor programs on Solana.\n" +
+    "Cloud: anthropic, openai, google, groq, openrouter\n" +
+    "Local: ollama, lmstudio, vllm, custom")
+    .argument("<path>", "path to the Anchor program source directory")
+    .option("--output <path>", "also write report to this specific file")
+    .option("--rules <ids>", "comma-separated rule IDs to run (default: all 50)")
+    .option("--severity <min>", "minimum severity to report: critical | high | medium | low")
+    .option("--format <fmt>", "output format: markdown | json", "markdown")
+    .option("--verbose", "print per-rule batch progress", false)
+    .option("--api-key <key>", "API key (overrides env var; not required for local providers)")
+    .option("--provider <name>", `AI provider: ${VALID_PROVIDERS.join(" | ")}`, "anthropic")
+    .option("--model <id>", "model ID (default depends on --provider; see README)")
+    .option("--base-url <url>", "base URL for OpenAI-compatible endpoint (required for --provider custom; " +
+    "optional override for ollama/lmstudio/vllm defaults)")
+    .option("--effort <level>", "analysis depth — low (2 k tokens) | medium (4 k) | high (8 k)", "medium")
+    .version("0.1.0")
+    .action(async (targetPath, opts) => {
+    const startTime = new Date();
+    const provider = (opts.provider ?? "anthropic");
+    if (!VALID_PROVIDERS.includes(provider)) {
+        console.error(chalk.red(`error: unknown provider "${provider}". Valid: ${VALID_PROVIDERS.join(", ")}`));
+        process.exit(2);
+    }
+    if (provider === "custom" && !opts.baseUrl) {
+        console.error(chalk.red(`error: --provider custom requires --base-url <url>`));
+        process.exit(2);
+    }
+    const effort = (opts.effort ?? "medium");
+    if (!VALID_EFFORTS.includes(effort)) {
+        console.error(chalk.red(`error: --effort must be one of: ${VALID_EFFORTS.join(" | ")}`));
+        process.exit(2);
+    }
+    const options = {
+        output: opts.output,
+        rules: opts.rules,
+        severity: opts.severity,
+        format: (opts.format ?? "markdown"),
+        verbose: opts.verbose ?? false,
+        apiKey: opts.apiKey,
+        model: opts.model ?? DEFAULT_MODELS[provider],
+        provider,
+        baseUrl: opts.baseUrl,
+        effort,
+    };
+    try {
+        const sources = await scanProgram(targetPath);
+        const rules = await loadRules(options.rules);
+        const findings = await runAudit(sources, rules, options);
+        const meta = buildMetadata({
+            model: options.model,
+            provider: options.provider,
+            effort: options.effort,
+            project: basename(targetPath),
+            startTime,
+            totalFiles: sources.length,
+            totalFindings: findings.length,
+        });
+        await renderReport(findings, options, meta);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(chalk.red(`error: ${message}`));
+        process.exit(2);
+    }
+});
+program.parseAsync(process.argv);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,eAAe,CAAC;AACvB,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAkB9C,0CAA0C;AAC1C,MAAM,CAAC,MAAM,cAAc,GAA6B;IACtD,QAAQ;IACR,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,kBAAkB;IAC1B,IAAI,EAAE,yBAAyB;IAC/B,UAAU,EAAE,6BAA6B;IACzC,QAAQ;IACR,MAAM,EAAE,aAAa;IACrB,QAAQ,EAAE,aAAa;IACvB,IAAI,EAAE,aAAa;IACnB,MAAM,EAAE,QAAQ;CACjB,CAAC;AAeF,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAe,CAAC;AAClE,MAAM,aAAa,GAAa,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AAE1D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,cAAc,CAAC;KACpB,WAAW,CACV,iDAAiD;IAC/C,sDAAsD;IACtD,uCAAuC,CAC1C;KACA,QAAQ,CAAC,QAAQ,EAAE,6CAA6C,CAAC;KACjE,MAAM,CAAC,iBAAiB,EAAE,yCAAyC,CAAC;KACpE,MAAM,CAAC,eAAe,EAAE,mDAAmD,CAAC;KAC5E,MAAM,CACL,kBAAkB,EAClB,4DAA4D,CAC7D;KACA,MAAM,CAAC,gBAAgB,EAAE,gCAAgC,EAAE,UAAU,CAAC;KACtE,MAAM,CAAC,WAAW,EAAE,+BAA+B,EAAE,KAAK,CAAC;KAC3D,MAAM,CACL,iBAAiB,EACjB,+DAA+D,CAChE;KACA,MAAM,CACL,mBAAmB,EACnB,gBAAgB,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAC7C,WAAW,CACZ;KACA,MAAM,CAAC,cAAc,EAAE,sDAAsD,CAAC;KAC9E,MAAM,CACL,kBAAkB,EAClB,2EAA2E;IACzE,sDAAsD,CACzD;KACA,MAAM,CACL,kBAAkB,EAClB,+DAA+D,EAC/D,QAAQ,CACT;KACA,OAAO,CAAC,OAAO,CAAC;KAChB,MAAM,CAAC,KAAK,EAAE,UAAkB,EAAE,IAAyB,EAAE,EAAE;IAC9D,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,WAAW,CAAa,CAAC;IAE5D,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CACP,4BAA4B,QAAQ,aAAa,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC9E,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3C,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,oDAAoD,CAAC,CAChE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAW,CAAC;IACnD,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CACP,mCAAmC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAC/D,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAe;QAC1B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,CAAwB;QAC1D,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,KAAK;QAC9B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC;QAC7C,QAAQ;QACR,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM;KACP,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAEzD,MAAM,IAAI,GAAG,aAAa,CAAC;YACzB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC;YAC7B,SAAS;YACT,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,aAAa,EAAE,QAAQ,CAAC,MAAM;SAC/B,CAAC,CAAC;QAEH,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/metadata.d.ts

@@ -0,0 +1,25 @@
+export interface AuditMetadata {
+    date: string;
+    time: string;
+    timestamp: string;
+    model: string;
+    provider: string;
+    effort: string;
+    cliVersion: string;
+    project: string;
+    gitCommit?: string;
+    gitBranch?: string;
+    os: string;
+    durationMs: number;
+    totalFiles: number;
+    totalFindings: number;
+}
+export declare function buildMetadata(params: {
+    model: string;
+    provider: string;
+    effort: string;
+    project: string;
+    startTime: Date;
+    totalFiles: number;
+    totalFindings: number;
+}): AuditMetadata;

package/dist/metadata.js

@@ -0,0 +1,48 @@
+import { execSync } from "node:child_process";
+import os from "node:os";
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+function git(cmd) {
+    try {
+        return execSync(cmd, {
+            encoding: "utf8",
+            stdio: ["pipe", "pipe", "ignore"],
+            timeout: 2000,
+        }).trim() || undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function readVersion() {
+    try {
+        const pkgPath = join(dirname(fileURLToPath(import.meta.url)), "../package.json");
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+        return pkg.version ?? "0.1.0";
+    }
+    catch {
+        return "0.1.0";
+    }
+}
+export function buildMetadata(params) {
+    const now = new Date();
+    const iso = now.toISOString();
+    return {
+        date: iso.slice(0, 10),
+        time: iso.slice(11, 19) + " UTC",
+        timestamp: iso,
+        model: params.model,
+        provider: params.provider,
+        effort: params.effort,
+        cliVersion: readVersion(),
+        project: params.project,
+        gitCommit: git("git rev-parse --short HEAD"),
+        gitBranch: git("git rev-parse --abbrev-ref HEAD"),
+        os: `${os.type()} ${os.release()} (${os.arch()})`,
+        durationMs: now.getTime() - params.startTime.getTime(),
+        totalFiles: params.totalFiles,
+        totalFindings: params.totalFindings,
+    };
+}
+//# sourceMappingURL=metadata.js.map

package/dist/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAmB1C,SAAS,GAAG,CAAC,GAAW;IACtB,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,GAAG,EAAE;YACnB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC;YACjC,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;QACjF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAyB,CAAC;QAC9E,OAAO,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAQ7B;IACC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAE9B,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QACtB,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,MAAM;QAChC,SAAS,EAAE,GAAG;QACd,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,UAAU,EAAE,WAAW,EAAE;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,SAAS,EAAE,GAAG,CAAC,4BAA4B,CAAC;QAC5C,SAAS,EAAE,GAAG,CAAC,iCAAiC,CAAC;QACjD,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,GAAG;QACjD,UAAU,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE;QACtD,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC;AACJ,CAAC"}

package/dist/reporter.d.ts

@@ -0,0 +1,18 @@
+import { SEVERITY_ORDER, type Finding } from "./auditor.js";
+import type { CliOptions, Severity } from "./index.js";
+import type { AuditMetadata } from "./metadata.js";
+type Counts = Record<Severity, number>;
+export declare function countBySeverity(findings: Finding[]): Counts;
+export interface AuditReport {
+    version: string;
+    date: string;
+    metadata?: AuditMetadata;
+    summary: Counts & {
+        total: number;
+    };
+    findings: Finding[];
+}
+export declare function renderJson(findings: Finding[], meta?: AuditMetadata): string;
+export declare function renderMarkdown(findings: Finding[], meta?: AuditMetadata): string;
+export declare function renderReport(findings: Finding[], options: CliOptions, meta?: AuditMetadata): Promise<void>;
+export { SEVERITY_ORDER };