argus-ci 1.0.0

package/dist/cli/index.js

@@ -0,0 +1,133 @@
+/**
+ * argus-ci CLI
+ *
+ * Commands:
+ *   argus-ci               — start MCP server (default, for Cursor/Claude)
+ *   argus-ci chat          — start conversational agent REPL
+ *   argus-ci scan [files]  — scan files / staged / branch from terminal
+ *   argus-ci pr <url>      — scan a PR directly
+ *   argus-ci setup         — install pre-commit hook in current repo
+ */
+import { scanFiles, scanStaged, scanBranch } from "../core/scanner.js";
+import { detectRulesets } from "../core/detector.js";
+import { toMarkdown } from "../core/reporter.js";
+import { runAgent, startRepl } from "../agent/index.js";
+import { setupHook } from "../hooks/setup.js";
+const args = process.argv.slice(2);
+const command = args[0];
+async function main() {
+    switch (command) {
+        // ── chat — conversational agent REPL ─────────────────────────────────────
+        case "chat": {
+            const prompt = args.slice(1).join(" ");
+            if (prompt) {
+                await runAgent(prompt);
+            }
+            else {
+                await startRepl();
+            }
+            break;
+        }
+        // ── scan — scan files, staged, or a branch ────────────────────────────────
+        case "scan": {
+            const cwd = process.cwd();
+            const detected = detectRulesets(cwd);
+            const config = { rulesets: detected.rulesets };
+            let result;
+            const subArg = args[1];
+            if (!subArg || subArg === "--staged") {
+                // scan staged files
+                result = await scanStaged(cwd, config);
+            }
+            else if (subArg === "--branch" || subArg === "-b") {
+                const branch = args[2];
+                const base = args[3] ?? "main";
+                if (!branch) {
+                    console.error("Usage: argus-ci scan --branch <branch> [base]");
+                    process.exit(1);
+                }
+                result = await scanBranch(cwd, branch, base, config);
+            }
+            else {
+                // treat remaining args as file paths
+                const files = args.slice(1).filter((a) => !a.startsWith("--"));
+                result = await scanFiles(files, cwd, config);
+            }
+            const markdown = toMarkdown(result);
+            console.log(markdown);
+            const hasErrors = result.issues.some((i) => i.severity === "error");
+            process.exit(hasErrors ? 1 : 0);
+            break;
+        }
+        // ── pr — scan a GitHub PR ─────────────────────────────────────────────────
+        case "pr": {
+            const prUrl = args[1];
+            if (!prUrl) {
+                console.error("Usage: argus-ci pr <github-pr-url>");
+                process.exit(1);
+            }
+            await runAgent(`Review PR ${prUrl} and give me a full security and quality report`);
+            break;
+        }
+        // ── setup — install pre-commit hook ───────────────────────────────────────
+        case "setup": {
+            const cwd = process.cwd();
+            await setupHook(cwd);
+            break;
+        }
+        // ── version ───────────────────────────────────────────────────────────────
+        case "--version":
+        case "-v": {
+            const { createRequire } = await import("module");
+            const require = createRequire(import.meta.url);
+            const pkg = require("../../package.json");
+            console.log(`argus-ci v${pkg.version}`);
+            break;
+        }
+        // ── help ──────────────────────────────────────────────────────────────────
+        case "--help":
+        case "-h":
+        case "help":
+        case undefined: {
+            // No command = start MCP server (main use case when added to Cursor/Claude)
+            await import("../mcp/server.js");
+            break;
+        }
+        default:
+            console.error(`Unknown command: ${command}`);
+            printHelp();
+            process.exit(1);
+    }
+}
+function printHelp() {
+    console.log(`
+argus-ci — Semgrep quality agent with MCP server and conversational interface
+
+USAGE
+  argus-ci                        Start MCP server (add to Cursor / Claude Code)
+  argus-ci chat                   Start conversational agent REPL
+  argus-ci chat "review PR <url>" Run a one-shot agent request
+  argus-ci scan                   Scan staged files
+  argus-ci scan --staged          Scan staged files (explicit)
+  argus-ci scan --branch <name>   Scan a branch vs main
+  argus-ci scan file1 file2       Scan specific files
+  argus-ci pr <github-url>        Scan a GitHub PR
+  argus-ci setup                  Install pre-commit hook in current repo
+  argus-ci --version              Show version
+
+ENVIRONMENT VARIABLES
+  ANTHROPIC_API_KEY   Required for the chat / agent interface
+  GITHUB_TOKEN        Required for private repo PR scanning
+
+ADD TO CURSOR (Settings → MCP):
+  { "argus-ci": { "command": "npx", "args": ["argus-ci"] } }
+
+ADD TO CLAUDE CODE (~/.claude/settings.json):
+  { "mcpServers": { "semgrep": { "command": "npx", "args": ["argus-ci"] } } }
+`);
+}
+main().catch((err) => {
+    console.error("Fatal:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AACvE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAa,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAG9C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAExB,KAAK,UAAU,IAAI;IACjB,QAAQ,OAAO,EAAE,CAAC;QAEhB,4EAA4E;QAC5E,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACvC,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,QAAQ,CAAC,MAAM,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,MAAM,SAAS,EAAE,CAAC;YACpB,CAAC;YACD,MAAM;QACR,CAAC;QAED,6EAA6E;QAC7E,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,MAAM,GAAG,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAE/C,IAAI,MAAkB,CAAC;YAEvB,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;gBACrC,oBAAoB;gBACpB,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACzC,CAAC;iBAAM,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpD,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACvB,MAAM,IAAI,GAAK,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;gBACjC,IAAI,CAAC,MAAM,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAC,CAAC;gBACjG,MAAM,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,qCAAqC;gBACrC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC/D,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAEtB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;YACpE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM;QACR,CAAC;QAED,6EAA6E;QAC7E,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,QAAQ,CAAC,aAAa,KAAK,iDAAiD,CAAC,CAAC;YACpF,MAAM;QACR,CAAC;QAED,6EAA6E;QAC7E,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1B,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACrB,MAAM;QACR,CAAC;QAED,6EAA6E;QAC7E,KAAK,WAAW,CAAC;QACjB,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAwB,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACxC,MAAM;QACR,CAAC;QAED,6EAA6E;QAC7E,KAAK,QAAQ,CAAC;QACd,KAAK,IAAI,CAAC;QACV,KAAK,MAAM,CAAC;QACZ,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,4EAA4E;YAC5E,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;YACjC,MAAM;QACR,CAAC;QAED;YACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;YAC7C,SAAS,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;CAwBb,CAAC,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/core/detector.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Auto-detects the tech stack from package.json / file extensions
+ * and returns the appropriate Semgrep rulesets.
+ */
+interface StackInfo {
+    rulesets: string[];
+    description: string;
+}
+export declare function detectRulesets(cwd: string): StackInfo;
+export {};
+//# sourceMappingURL=detector.d.ts.map

package/dist/core/detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.d.ts","sourceRoot":"","sources":["../../src/core/detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,UAAU,SAAS;IACjB,QAAQ,EAAK,MAAM,EAAE,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAyErD"}

package/dist/core/detector.js

@@ -0,0 +1,69 @@
+/**
+ * Auto-detects the tech stack from package.json / file extensions
+ * and returns the appropriate Semgrep rulesets.
+ */
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+export function detectRulesets(cwd) {
+    const rulesets = new Set();
+    // Always-on: secrets and OWASP top 10
+    rulesets.add("p/secrets");
+    rulesets.add("p/owasp-top-ten");
+    const pkgPath = join(cwd, "package.json");
+    if (existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+            const allDeps = {
+                ...(pkg.dependencies ?? {}),
+                ...(pkg.devDependencies ?? {}),
+            };
+            // JavaScript / TypeScript — always for any JS project
+            rulesets.add("p/javascript");
+            // TypeScript
+            if (allDeps["typescript"] || existsSync(join(cwd, "tsconfig.json"))) {
+                rulesets.add("p/typescript");
+            }
+            // React
+            if (allDeps["react"] || allDeps["react-dom"]) {
+                rulesets.add("p/react");
+            }
+            // Vue
+            if (allDeps["vue"] || allDeps["@vue/core"]) {
+                rulesets.add("p/javascript"); // no official p/vue but js covers it
+            }
+            // Node.js server-side (Express, Fastify, Koa, NestJS etc.)
+            const serverFrameworks = ["express", "fastify", "koa", "@nestjs/core", "hapi", "restify"];
+            if (serverFrameworks.some((f) => f in allDeps)) {
+                rulesets.add("p/nodejs");
+                rulesets.add("p/sql-injection");
+            }
+            // Next.js
+            if (allDeps["next"]) {
+                rulesets.add("p/nextjs");
+            }
+            // Generic CI / config security
+            rulesets.add("p/ci");
+        }
+        catch { /* ignore malformed package.json */ }
+    }
+    // Python project
+    const pyFiles = ["requirements.txt", "setup.py", "pyproject.toml", "Pipfile"];
+    if (pyFiles.some((f) => existsSync(join(cwd, f)))) {
+        rulesets.add("p/python");
+        rulesets.add("p/bandit"); // Python security
+    }
+    // Go
+    if (existsSync(join(cwd, "go.mod"))) {
+        rulesets.add("p/golang");
+    }
+    // Java / Kotlin
+    if (existsSync(join(cwd, "pom.xml")) || existsSync(join(cwd, "build.gradle"))) {
+        rulesets.add("p/java");
+    }
+    const list = [...rulesets];
+    return {
+        rulesets: list,
+        description: list.join(", "),
+    };
+}
+//# sourceMappingURL=detector.js.map

package/dist/core/detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.js","sourceRoot":"","sources":["../../src/core/detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAO5B,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,sCAAsC;IACtC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC1B,QAAQ,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAEhC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAC1C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAA4B,CAAC;YACjF,MAAM,OAAO,GAAG;gBACd,GAAG,CAAE,GAAG,CAAC,YAAyC,IAAI,EAAE,CAAC;gBACzD,GAAG,CAAE,GAAG,CAAC,eAA0C,IAAI,EAAE,CAAC;aAC3D,CAAC;YAEF,sDAAsD;YACtD,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAE7B,aAAa;YACb,IAAI,OAAO,CAAC,YAAY,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,EAAE,CAAC;gBACpE,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC/B,CAAC;YAED,QAAQ;YACR,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7C,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;YAED,MAAM;YACN,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC3C,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,qCAAqC;YACrE,CAAC;YAED,2DAA2D;YAC3D,MAAM,gBAAgB,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;YAC1F,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,EAAE,CAAC;gBAC/C,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACzB,QAAQ,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAClC,CAAC;YAED,UAAU;YACV,IAAI,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACpB,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC3B,CAAC;YAED,+BAA+B;YAC/B,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC,CAAC,mCAAmC,CAAC,CAAC;IACjD,CAAC;IAED,iBAAiB;IACjB,MAAM,OAAO,GAAG,CAAC,kBAAkB,EAAE,UAAU,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC9E,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzB,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,kBAAkB;IAC9C,CAAC;IAED,KAAK;IACL,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;QACpC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3B,CAAC;IAED,gBAAgB;IAChB,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;QAC9E,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC;IAC3B,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;KAC7B,CAAC;AACJ,CAAC"}

package/dist/core/github.d.ts

@@ -0,0 +1,41 @@
+/**
+ * GitHub API helpers.
+ * Fetches changed files from a PR or branch comparison.
+ *
+ * Requires GITHUB_TOKEN env var for private repos (public repos work without it).
+ */
+interface PRMeta {
+    title: string;
+    number: number;
+    base: string;
+    head: string;
+    state: string;
+    author: string;
+    url: string;
+}
+export interface PRInfo {
+    meta: PRMeta;
+    files: string[];
+    owner: string;
+    repo: string;
+}
+/**
+ * Parses a GitHub PR URL into owner/repo/number.
+ * Accepts: https://github.com/owner/repo/pull/123
+ *          github.com/owner/repo/pull/123
+ */
+export declare function parsePRUrl(url: string): {
+    owner: string;
+    repo: string;
+    number: number;
+} | null;
+/**
+ * Fetches PR metadata and list of changed files.
+ */
+export declare function fetchPRFiles(prUrl: string, token?: string): Promise<PRInfo | null>;
+/**
+ * Posts a review comment to a PR with the scan results.
+ */
+export declare function postPRComment(owner: string, repo: string, prNumber: number, body: string, token?: string): Promise<boolean>;
+export {};
+//# sourceMappingURL=github.d.ts.map

package/dist/core/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/core/github.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,UAAU,MAAM;IACd,KAAK,EAAI,MAAM,CAAC;IAChB,MAAM,EAAG,MAAM,CAAC;IAChB,IAAI,EAAK,MAAM,CAAC;IAChB,IAAI,EAAK,MAAM,CAAC;IAChB,KAAK,EAAI,MAAM,CAAC;IAChB,MAAM,EAAG,MAAM,CAAC;IAChB,GAAG,EAAM,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAG,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAG,MAAM,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAI9F;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqExF;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAI,MAAM,EACf,IAAI,EAAK,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAK,MAAM,EACf,KAAK,CAAC,EAAG,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAmBlB"}

package/dist/core/github.js

@@ -0,0 +1,97 @@
+/**
+ * GitHub API helpers.
+ * Fetches changed files from a PR or branch comparison.
+ *
+ * Requires GITHUB_TOKEN env var for private repos (public repos work without it).
+ */
+/**
+ * Parses a GitHub PR URL into owner/repo/number.
+ * Accepts: https://github.com/owner/repo/pull/123
+ *          github.com/owner/repo/pull/123
+ */
+export function parsePRUrl(url) {
+    const match = url.match(/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/);
+    if (!match)
+        return null;
+    return { owner: match[1], repo: match[2], number: parseInt(match[3], 10) };
+}
+/**
+ * Fetches PR metadata and list of changed files.
+ */
+export async function fetchPRFiles(prUrl, token) {
+    const parsed = parsePRUrl(prUrl);
+    if (!parsed)
+        return null;
+    const { owner, repo, number } = parsed;
+    const headers = {
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+    };
+    const githubToken = token ?? process.env.GITHUB_TOKEN;
+    if (githubToken)
+        headers["Authorization"] = `Bearer ${githubToken}`;
+    // Fetch PR metadata
+    const prRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/pulls/${number}`, { headers });
+    if (!prRes.ok) {
+        if (prRes.status === 401 || prRes.status === 403) {
+            throw new Error(`GitHub API auth failed — set GITHUB_TOKEN for private repos`);
+        }
+        if (prRes.status === 404) {
+            throw new Error(`PR not found: ${prUrl}`);
+        }
+        throw new Error(`GitHub API error ${prRes.status}`);
+    }
+    const pr = await prRes.json();
+    // Fetch changed files (paginated — GitHub caps at 300 files per PR)
+    const allFiles = [];
+    let page = 1;
+    while (true) {
+        const filesRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/pulls/${number}/files?per_page=100&page=${page}`, { headers });
+        if (!filesRes.ok)
+            break;
+        const batch = await filesRes.json();
+        if (batch.length === 0)
+            break;
+        allFiles.push(...batch);
+        if (batch.length < 100)
+            break;
+        page++;
+    }
+    // Only keep files that exist (not deleted)
+    const files = allFiles
+        .filter((f) => f.status !== "removed")
+        .map((f) => f.filename);
+    return {
+        owner, repo,
+        meta: {
+            title: pr.title,
+            number: pr.number,
+            base: pr.base.ref,
+            head: pr.head.ref,
+            state: pr.state,
+            author: pr.user.login,
+            url: pr.html_url,
+        },
+        files,
+    };
+}
+/**
+ * Posts a review comment to a PR with the scan results.
+ */
+export async function postPRComment(owner, repo, prNumber, body, token) {
+    const githubToken = token ?? process.env.GITHUB_TOKEN;
+    if (!githubToken)
+        return false;
+    const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/issues/${prNumber}/comments`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${githubToken}`,
+            Accept: "application/vnd.github+json",
+            "Content-Type": "application/json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+        body: JSON.stringify({ body }),
+    });
+    return res.ok;
+}
+//# sourceMappingURL=github.js.map

package/dist/core/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/core/github.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAyBH;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IACtE,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,KAAc;IAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IACvC,MAAM,OAAO,GAA2B;QACtC,MAAM,EAAM,6BAA6B;QACzC,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,WAAW,GAAG,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACtD,IAAI,WAAW;QAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,WAAW,EAAE,CAAC;IAEpE,oBAAoB;IACpB,MAAM,KAAK,GAAG,MAAM,KAAK,CACvB,gCAAgC,KAAK,IAAI,IAAI,UAAU,MAAM,EAAE,EAC/D,EAAE,OAAO,EAAE,CACZ,CAAC;IAEF,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACd,IAAI,KAAK,CAAC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,IAAI,EAI1B,CAAC;IAEF,oEAAoE;IACpE,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,gCAAgC,KAAK,IAAI,IAAI,UAAU,MAAM,4BAA4B,IAAI,EAAE,EAC/F,EAAE,OAAO,EAAE,CACZ,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM;QACxB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAc,CAAC;QAChD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM;QAC9B,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QACxB,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG;YAAE,MAAM;QAC9B,IAAI,EAAE,CAAC;IACT,CAAC;IAED,2CAA2C;IAC3C,MAAM,KAAK,GAAG,QAAQ;SACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;SACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAE1B,OAAO;QACL,KAAK,EAAE,IAAI;QACX,IAAI,EAAE;YACJ,KAAK,EAAG,EAAE,CAAC,KAAK;YAChB,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,IAAI,EAAI,EAAE,CAAC,IAAI,CAAC,GAAG;YACnB,IAAI,EAAI,EAAE,CAAC,IAAI,CAAC,GAAG;YACnB,KAAK,EAAG,EAAE,CAAC,KAAK;YAChB,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK;YACrB,GAAG,EAAK,EAAE,CAAC,QAAQ;SACpB;QACD,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAe,EACf,IAAe,EACf,QAAgB,EAChB,IAAe,EACf,KAAe;IAEf,MAAM,WAAW,GAAG,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAE/B,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,gCAAgC,KAAK,IAAI,IAAI,WAAW,QAAQ,WAAW,EAC3E;QACE,MAAM,EAAG,MAAM;QACf,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,MAAM,EAAS,6BAA6B;YAC5C,cAAc,EAAE,kBAAkB;YAClC,sBAAsB,EAAE,YAAY;SACrC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;KAC/B,CACF,CAAC;IAEF,OAAO,GAAG,CAAC,EAAE,CAAC;AAChB,CAAC"}

package/dist/core/reporter.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Formats ScanResult into human-readable markdown or compact JSON.
+ */
+import type { ScanResult } from "../types.js";
+export declare function toMarkdown(result: ScanResult, context?: string): string;
+export declare function toCompact(result: ScanResult): string;
+export declare function toPRComment(result: ScanResult, prTitle: string, prUrl: string): string;
+//# sourceMappingURL=reporter.d.ts.map

package/dist/core/reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.d.ts","sourceRoot":"","sources":["../../src/core/reporter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAS,UAAU,EAAY,MAAM,aAAa,CAAC;AAc/D,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAsDvE;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAOpD;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAsBtF"}

package/dist/core/reporter.js

@@ -0,0 +1,98 @@
+/**
+ * Formats ScanResult into human-readable markdown or compact JSON.
+ */
+const SEVERITY_EMOJI = {
+    error: "🔴",
+    warning: "🟡",
+    info: "🔵",
+};
+const SEVERITY_LABEL = {
+    error: "ERROR",
+    warning: "WARNING",
+    info: "INFO",
+};
+export function toMarkdown(result, context) {
+    if (result.skipped) {
+        return `> ⚠️ Scan skipped: ${result.skipReason}`;
+    }
+    const { issues, filesScanned, durationMs, rulesets } = result;
+    const errors = issues.filter((i) => i.severity === "error");
+    const warnings = issues.filter((i) => i.severity === "warning");
+    const infos = issues.filter((i) => i.severity === "info");
+    const lines = [];
+    // Header
+    if (context)
+        lines.push(`## Semgrep scan — ${context}\n`);
+    else
+        lines.push(`## Semgrep scan results\n`);
+    // Summary bar
+    if (issues.length === 0) {
+        lines.push(`✅ **No issues found** — ${filesScanned} file${filesScanned !== 1 ? "s" : ""} scanned in ${durationMs}ms`);
+        lines.push(`\n_Rulesets: ${rulesets.join(", ")}_`);
+        return lines.join("\n");
+    }
+    lines.push(`| Severity | Count |`, `|----------|-------|`, `| 🔴 Error   | ${errors.length}   |`, `| 🟡 Warning | ${warnings.length} |`, `| 🔵 Info    | ${infos.length}    |`, ``, `_${filesScanned} file${filesScanned !== 1 ? "s" : ""} scanned · ${durationMs}ms · rulesets: ${rulesets.join(", ")}_`, ``);
+    // Group by file
+    const byFile = groupByFile(issues);
+    for (const [file, fileIssues] of Object.entries(byFile)) {
+        lines.push(`### \`${file}\``);
+        for (const issue of fileIssues) {
+            const emoji = SEVERITY_EMOJI[issue.severity];
+            const label = SEVERITY_LABEL[issue.severity];
+            lines.push(`\n**${emoji} ${label}** — Line ${issue.line}`);
+            lines.push(`> ${issue.message}`);
+            if (issue.sourceLine) {
+                lines.push(`\`\`\`\n${issue.sourceLine}\n\`\`\``);
+            }
+            lines.push(`_Rule: \`${issue.ruleId}\`_`);
+            if (issue.cwe?.length)
+                lines.push(`_CWE: ${issue.cwe.join(", ")}_`);
+            if (issue.owasp?.length)
+                lines.push(`_OWASP: ${issue.owasp.join(", ")}_`);
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+export function toCompact(result) {
+    if (result.skipped)
+        return `SKIPPED: ${result.skipReason}`;
+    if (result.issues.length === 0)
+        return `CLEAN — ${result.filesScanned} files scanned`;
+    const errors = result.issues.filter((i) => i.severity === "error").length;
+    const warns = result.issues.filter((i) => i.severity === "warning").length;
+    return `FOUND ${result.issues.length} issues (${errors} errors, ${warns} warnings) in ${result.filesScanned} files`;
+}
+export function toPRComment(result, prTitle, prUrl) {
+    const lines = [
+        `## 🔍 Semgrep Quality Scan`,
+        `> **PR:** [${prTitle}](${prUrl})`,
+        ``,
+    ];
+    if (result.skipped) {
+        lines.push(`> ⚠️ Scan skipped: ${result.skipReason}`);
+        return lines.join("\n");
+    }
+    if (result.issues.length === 0) {
+        lines.push(`✅ **No issues found** — ${result.filesScanned} files scanned in ${result.durationMs}ms`);
+        lines.push(`\n_Rulesets: ${result.rulesets.join(", ")}_`);
+        return lines.join("\n");
+    }
+    // Append full markdown report
+    lines.push(toMarkdown(result).replace(/^## Semgrep scan results\n/, ""));
+    lines.push(`\n---\n_Generated by [argus-ci](https://github.com) · ${new Date().toISOString()}_`);
+    return lines.join("\n");
+}
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function groupByFile(issues) {
+    const result = {};
+    for (const issue of issues) {
+        (result[issue.path] ??= []).push(issue);
+    }
+    // Sort each file's issues by line number
+    for (const issues of Object.values(result)) {
+        issues.sort((a, b) => a.line - b.line);
+    }
+    return result;
+}
+//# sourceMappingURL=reporter.js.map

package/dist/core/reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.js","sourceRoot":"","sources":["../../src/core/reporter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,cAAc,GAA6B;IAC/C,KAAK,EAAI,IAAI;IACb,OAAO,EAAE,IAAI;IACb,IAAI,EAAK,IAAI;CACd,CAAC;AAEF,MAAM,cAAc,GAA6B;IAC/C,KAAK,EAAI,OAAO;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAK,MAAM;CAChB,CAAC;AAEF,MAAM,UAAU,UAAU,CAAC,MAAkB,EAAE,OAAgB;IAC7D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO,sBAAsB,MAAM,CAAC,UAAU,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IAC9D,MAAM,MAAM,GAAK,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAChE,MAAM,KAAK,GAAM,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IAE7D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS;IACT,IAAI,OAAO;QAAE,KAAK,CAAC,IAAI,CAAC,qBAAqB,OAAO,IAAI,CAAC,CAAC;;QAC7C,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAErD,cAAc;IACd,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,2BAA2B,YAAY,QAAQ,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,eAAe,UAAU,IAAI,CAAC,CAAC;QACtH,KAAK,CAAC,IAAI,CAAC,gBAAgB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,IAAI,CACR,sBAAsB,EACtB,sBAAsB,EACtB,kBAAkB,MAAM,CAAC,MAAM,MAAM,EACrC,kBAAkB,QAAQ,CAAC,MAAM,IAAI,EACrC,kBAAkB,KAAK,CAAC,MAAM,OAAO,EACrC,EAAE,EACF,IAAI,YAAY,QAAQ,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,cAAc,UAAU,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EACrH,EAAE,CACH,CAAC;IAEF,gBAAgB;IAChB,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACnC,KAAK,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC;QAC9B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7C,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,IAAI,KAAK,aAAa,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3D,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,UAAU,UAAU,CAAC,CAAC;YACpD,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,YAAY,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC;YAC1C,IAAI,KAAK,CAAC,GAAG,EAAE,MAAM;gBAAI,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,IAAI,KAAK,CAAC,KAAK,EAAE,MAAM;gBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,MAAkB;IAC1C,IAAI,MAAM,CAAC,OAAO;QAAE,OAAO,YAAY,MAAM,CAAC,UAAU,EAAE,CAAC;IAC3D,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,WAAW,MAAM,CAAC,YAAY,gBAAgB,CAAC;IAEtF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,KAAK,GAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IAC5E,OAAO,SAAS,MAAM,CAAC,MAAM,CAAC,MAAM,YAAY,MAAM,YAAY,KAAK,iBAAiB,MAAM,CAAC,YAAY,QAAQ,CAAC;AACtH,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAkB,EAAE,OAAe,EAAE,KAAa;IAC5E,MAAM,KAAK,GAAa;QACtB,4BAA4B;QAC5B,cAAc,OAAO,KAAK,KAAK,GAAG;QAClC,EAAE;KACH,CAAC;IAEF,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QACtD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,2BAA2B,MAAM,CAAC,YAAY,qBAAqB,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;QACrG,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,8BAA8B;IAC9B,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC,CAAC,CAAC;IACzE,KAAK,CAAC,IAAI,CAAC,yDAAyD,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACjG,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,gFAAgF;AAEhF,SAAS,WAAW,CAAC,MAAe;IAClC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IACD,yCAAyC;IACzC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/core/scanner.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Semgrep CLI wrapper.
+ * Runs `semgrep --json` on a set of files and returns normalised Issue[].
+ *
+ * Semgrep must be installed: pip install semgrep  OR  brew install semgrep
+ * We check for it on first run and give a clear install message if missing.
+ */
+import type { ScanConfig, ScanResult } from "../types.js";
+export declare function scanFiles(files: string[], cwd: string, config?: ScanConfig): Promise<ScanResult>;
+/**
+ * Scans only the git-staged files in cwd.
+ * Used by the pre-commit hook.
+ */
+export declare function scanStaged(cwd: string, config?: ScanConfig): Promise<ScanResult>;
+/**
+ * Scans files changed on a branch vs a base branch.
+ */
+export declare function scanBranch(cwd: string, branch: string, base?: string, config?: ScanConfig): Promise<ScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/core/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/core/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAS,UAAU,EAAE,UAAU,EAA8C,MAAM,aAAa,CAAC;AAO7G,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EAAE,EACf,GAAG,EAAI,MAAM,EACb,MAAM,GAAE,UAAe,GACtB,OAAO,CAAC,UAAU,CAAC,CAgFrB;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,GAAE,UAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CAc1F;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,GAAG,EAAK,MAAM,EACd,MAAM,EAAE,MAAM,EACd,IAAI,GAAI,MAAe,EACvB,MAAM,GAAE,UAAe,GACtB,OAAO,CAAC,UAAU,CAAC,CA6BrB"}