audit-trace 0.1.0

package/dist/integrations/reachability/madge-check.js

@@ -0,0 +1,41 @@
+import madge from "madge";
+import { resolve } from "node:path";
+/**
+ * Best-effort: if madge dependency graph includes the package name under node_modules, treat as reachable.
+ */
+export async function checkRuntimeReachable(entryFile, packageName, cwd) {
+    const abs = resolve(cwd, entryFile);
+    try {
+        const tree = await madge(abs, {
+            baseDir: cwd,
+            includeNpm: true,
+            fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+        });
+        const obj = tree.obj();
+        const needle = `node_modules/${packageName}/`;
+        const needleScoped = packageName.startsWith("@")
+            ? `node_modules/${packageName.replace("/", "/")}/`
+            : needle;
+        for (const [k, deps] of Object.entries(obj)) {
+            if (k.includes(needle) || k.includes(needleScoped)) {
+                return { status: "reachable", evidence: `Graph includes ${k}` };
+            }
+            for (const d of deps) {
+                if (d.includes(needle) || d.includes(needleScoped)) {
+                    return { status: "reachable", evidence: `Import path via ${d}` };
+                }
+            }
+        }
+        return {
+            status: "not_reachable",
+            evidence: "No module path in madge graph referenced this package (heuristic; may be dynamic require).",
+        };
+    }
+    catch (e) {
+        return {
+            status: "unknown",
+            evidence: e instanceof Error ? e.message : String(e),
+        };
+    }
+}
+//# sourceMappingURL=madge-check.js.map

package/dist/integrations/reachability/madge-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"madge-check.js","sourceRoot":"","sources":["../../../src/integrations/reachability/madge-check.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMpC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,WAAmB,EACnB,GAAW;IAEX,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC5B,OAAO,EAAE,GAAG;YACZ,UAAU,EAAE,IAAI;YAChB,cAAc,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;SACzD,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAA8B,CAAC;QACnD,MAAM,MAAM,GAAG,gBAAgB,WAAW,GAAG,CAAC;QAC9C,MAAM,YAAY,GAAG,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;YAC9C,CAAC,CAAC,gBAAgB,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG;YAClD,CAAC,CAAC,MAAM,CAAC;QACX,KAAK,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBACnD,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,kBAAkB,CAAC,EAAE,EAAE,CAAC;YAClE,CAAC;YACD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;oBACnD,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,mBAAmB,CAAC,EAAE,EAAE,CAAC;gBACnE,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO;YACL,MAAM,EAAE,eAAe;YACvB,QAAQ,EAAE,4FAA4F;SACvG,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;SACrD,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/lib/analyze.d.ts

@@ -0,0 +1,22 @@
+import type { AuditReport } from "../core/models.js";
+import { type OwnershipPath } from "../core/ownership/tracer.js";
+import { detectWorkspaces } from "../core/workspace-engine/detect.js";
+import { type CiPolicy } from "../integrations/ci-mode/policy.js";
+export interface AnalyzeOptions {
+    cwd: string;
+    useAuditFile?: string;
+    pm?: "npm" | "pnpm" | "yarn";
+    prodOnly?: boolean;
+    ci?: boolean;
+    ciVerbose?: boolean;
+    failOn?: CiPolicy["failOn"];
+    runtimeEntry?: string;
+    assumeReachable?: boolean;
+}
+export declare function analyze(opts: AnalyzeOptions): Promise<{
+    report: AuditReport;
+    ownership: OwnershipPath[];
+    exitCode: number;
+    workspace: Awaited<ReturnType<typeof detectWorkspaces>>;
+}>;
+//# sourceMappingURL=analyze.d.ts.map

package/dist/lib/analyze.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../../src/lib/analyze.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAwB,MAAM,mBAAmB,CAAC;AAQ3E,OAAO,EAAkB,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAgB,KAAK,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAIhF,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,EAAE,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,MAAM,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAgBD,wBAAsB,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC;IAC3D,MAAM,EAAE,WAAW,CAAC;IACpB,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC,CAAC;CACzD,CAAC,CAuFD"}

package/dist/lib/analyze.js

@@ -0,0 +1,107 @@
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { loadLockfileGraph } from "../core/graph-engine/load-lockfile.js";
+import { parseNpmAuditJson, parsePnpmAuditJson, parseYarnAuditJsonLines, } from "../core/audit-parser/normalize.js";
+import { runNpmAudit, runPnpmAudit, runYarnAudit } from "../core/audit-parser/run-audit.js";
+import { traceOwnership } from "../core/ownership/tracer.js";
+import { suggestRemediation } from "../core/remediation-engine/engine.js";
+import { detectWorkspaces } from "../core/workspace-engine/detect.js";
+import { evaluateExit } from "../integrations/ci-mode/policy.js";
+import { getPlugins } from "../plugins/registry.js";
+import { checkRuntimeReachable } from "../integrations/reachability/madge-check.js";
+function parseAuditText(text, defaultPm) {
+    const t = text.trim();
+    if (t.includes('"type":"auditAdvisory"') || t.includes('"type": "auditAdvisory"')) {
+        return parseYarnAuditJsonLines(text);
+    }
+    try {
+        const j = JSON.parse(text);
+        if (defaultPm === "pnpm")
+            return parsePnpmAuditJson(j);
+        return parseNpmAuditJson(j);
+    }
+    catch {
+        return parseYarnAuditJsonLines(text);
+    }
+}
+export async function analyze(opts) {
+    const cwd = resolve(opts.cwd);
+    const workspace = await detectWorkspaces(cwd);
+    const { graph, lock } = await loadLockfileGraph(cwd);
+    for (const p of getPlugins())
+        p.afterGraphBuilt?.(graph);
+    let auditText = "";
+    let auditFallback = false;
+    const defaultPm = opts.pm ?? (lock.kind === "pnpm" ? "pnpm" : lock.kind === "yarn" ? "yarn" : "npm");
+    if (opts.useAuditFile) {
+        auditText = await readFile(resolve(cwd, opts.useAuditFile), "utf8");
+    }
+    else {
+        try {
+            if (defaultPm === "pnpm")
+                auditText = await runPnpmAudit(cwd);
+            else if (defaultPm === "yarn")
+                auditText = await runYarnAudit(cwd);
+            else
+                auditText = await runNpmAudit(cwd);
+        }
+        catch {
+            auditText = "{}";
+            auditFallback = true;
+        }
+    }
+    let findings = parseAuditText(auditText, defaultPm);
+    for (const p of getPlugins())
+        p.afterAuditNormalized?.(findings);
+    let ownership = graph.nodes.size ? traceOwnership(graph, findings) : [];
+    let filteredCount = 0;
+    if (opts.prodOnly) {
+        const before = findings.length;
+        const devPkgs = new Set(ownership.filter((o) => o.isDevDependency).map((o) => o.packageName));
+        findings = findings.filter((f) => !devPkgs.has(f.packageName));
+        ownership = ownership.filter((o) => !o.isDevDependency);
+        filteredCount = before - findings.length;
+    }
+    if (opts.runtimeEntry && graph.nodes.size) {
+        for (const f of findings) {
+            const rr = await checkRuntimeReachable(opts.runtimeEntry, f.packageName, cwd);
+            f.title = `${f.title ?? ""} [reachability:${rr.status}]`.trim();
+        }
+    }
+    const remediation = suggestRemediation(findings);
+    const policy = {
+        failOn: opts.failOn ?? "high",
+        prodOnly: Boolean(opts.prodOnly),
+        runtimeReachableOnly: Boolean(opts.runtimeEntry && !opts.assumeReachable),
+    };
+    const ciResult = evaluateExit(findings, policy, {
+        noLockfile: lock.kind === "none",
+        auditFallback,
+        filteredCount,
+    });
+    let diagnostics = ciResult.diagnostics;
+    const exitCode = opts.ci ? ciResult.exitCode : 0;
+    for (const p of getPlugins()) {
+        const d = p.onCiDiagnostics?.(diagnostics);
+        if (d)
+            diagnostics = d;
+    }
+    const report = {
+        findings,
+        graph,
+        diagnostics,
+        remediation,
+    };
+    for (const p of getPlugins()) {
+        const r = p.formatReport?.(report, ownership);
+        if (r)
+            Object.assign(report, r);
+    }
+    return {
+        report,
+        ownership,
+        exitCode,
+        workspace,
+    };
+}
+//# sourceMappingURL=analyze.js.map

package/dist/lib/analyze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.js","sourceRoot":"","sources":["../../src/lib/analyze.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AAC5F,OAAO,EAAE,cAAc,EAAsB,MAAM,6BAA6B,CAAC;AACjF,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAiB,MAAM,mCAAmC,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,6CAA6C,CAAC;AAcpF,SAAS,cAAc,CAAC,IAAY,EAAE,SAAkC;IACtE,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IACtB,IAAI,CAAC,CAAC,QAAQ,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC,EAAE,CAAC;QAClF,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;QACtD,IAAI,SAAS,KAAK,MAAM;YAAE,OAAO,kBAAkB,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO,iBAAiB,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAoB;IAMhD,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAErD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE;QAAE,CAAC,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC,CAAC;IAEzD,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,MAAM,SAAS,GACb,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAErF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,SAAS,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,CAAC;IACtE,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,IAAI,SAAS,KAAK,MAAM;gBAAE,SAAS,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;iBACzD,IAAI,SAAS,KAAK,MAAM;gBAAE,SAAS,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;;gBAC9D,SAAS,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,GAAG,IAAI,CAAC;YACjB,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,GAAG,cAAc,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACpD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE;QAAE,CAAC,CAAC,oBAAoB,EAAE,CAAC,QAAQ,CAAC,CAAC;IAEjE,IAAI,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAExE,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CACrE,CAAC;QACF,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;QAC/D,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC;QACxD,aAAa,GAAG,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC3C,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,EAAE,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;YAC9E,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,kBAAkB,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAa;QACvB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,MAAM;QAC7B,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAChC,oBAAoB,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC;KAC1E,CAAC;IAEF,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE;QAC9C,UAAU,EAAE,IAAI,CAAC,IAAI,KAAK,MAAM;QAChC,aAAa;QACb,aAAa;KACd,CAAC,CAAC;IACH,IAAI,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjD,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,CAAC,eAAe,EAAE,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,CAAC;YAAE,WAAW,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,MAAM,GAAgB;QAC1B,QAAQ;QACR,KAAK;QACL,WAAW;QACX,WAAW;KACZ,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC;YAAE,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,OAAO;QACL,MAAM;QACN,SAAS;QACT,QAAQ;QACR,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/output/html-reporter.d.ts

@@ -0,0 +1,4 @@
+import type { AuditReport } from "../core/models.js";
+import type { OwnershipPath } from "../core/ownership/tracer.js";
+export declare function toHtmlReport(report: AuditReport, ownership: OwnershipPath[]): string;
+//# sourceMappingURL=html-reporter.d.ts.map

package/dist/output/html-reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-reporter.d.ts","sourceRoot":"","sources":["../../src/output/html-reporter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,MAAM,CAuBpF"}

package/dist/output/html-reporter.js

@@ -0,0 +1,18 @@
+export function toHtmlReport(report, ownership) {
+    const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    const rows = report.findings
+        .map((f) => `<tr><td>${esc(f.severity)}</td><td>${esc(f.packageName)}</td><td>${esc(f.title ?? f.id)}</td></tr>`)
+        .join("\n");
+    const own = ownership
+        .slice(0, 100)
+        .map((o) => `<li>${esc(o.packageName)} (${esc(o.severity)}) — via ${esc(o.topLevelNames.join(", "))} — dev: ${o.isDevDependency}</li>`)
+        .join("\n");
+    return `<!DOCTYPE html><html><head><meta charset="utf-8"/><title>audit-trace</title></head><body>
+<h1>audit-trace report</h1>
+<h2>Findings</h2>
+<table border="1" cellpadding="4"><thead><tr><th>Severity</th><th>Package</th><th>Title</th></tr></thead><tbody>${rows}</tbody></table>
+<h2>Ownership</h2><ul>${own}</ul>
+<h2>Diagnostics</h2><pre>${esc(JSON.stringify(report.diagnostics, null, 2))}</pre>
+</body></html>`;
+}
+//# sourceMappingURL=html-reporter.js.map

package/dist/output/html-reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-reporter.js","sourceRoot":"","sources":["../../src/output/html-reporter.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,YAAY,CAAC,MAAmB,EAAE,SAA0B;IAC1E,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,EAAE,CACxB,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvE,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ;SACzB,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,WAAW,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,CAAC,YAAY,CACvG;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,MAAM,GAAG,GAAG,SAAS;SAClB,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;SACb,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,eAAe,OAAO,CAC7H;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO;;;kHAGyG,IAAI;wBAC9F,GAAG;2BACA,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;eAC5D,CAAC;AAChB,CAAC"}

package/dist/output/json-reporter.d.ts

@@ -0,0 +1,5 @@
+import type { AuditReport } from "../core/models.js";
+export declare function toJsonReport(report: AuditReport & {
+    summary?: Record<string, unknown>;
+}): string;
+//# sourceMappingURL=json-reporter.d.ts.map

package/dist/output/json-reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-reporter.d.ts","sourceRoot":"","sources":["../../src/output/json-reporter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,GAAG,MAAM,CAgBhG"}

package/dist/output/json-reporter.js

@@ -0,0 +1,18 @@
+export function toJsonReport(report) {
+    const serializable = {
+        ...report,
+        graph: report.graph
+            ? {
+                lockfileKind: report.graph.lockfileKind,
+                nodeCount: report.graph.nodes.size,
+                edgeCount: report.graph.edges.length,
+            }
+            : null,
+        diagnostics: report.diagnostics,
+        findings: report.findings,
+        remediation: report.remediation,
+        summary: report.summary,
+    };
+    return JSON.stringify(serializable, null, 2);
+}
+//# sourceMappingURL=json-reporter.js.map

package/dist/output/json-reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-reporter.js","sourceRoot":"","sources":["../../src/output/json-reporter.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,YAAY,CAAC,MAA2D;IACtF,MAAM,YAAY,GAAG;QACnB,GAAG,MAAM;QACT,KAAK,EAAE,MAAM,CAAC,KAAK;YACjB,CAAC,CAAC;gBACE,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,YAAY;gBACvC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI;gBAClC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM;aACrC;YACH,CAAC,CAAC,IAAI;QACR,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/output/markdown-reporter.d.ts

@@ -0,0 +1,4 @@
+import type { AuditReport } from "../core/models.js";
+import type { OwnershipPath } from "../core/ownership/tracer.js";
+export declare function toMarkdownReport(report: AuditReport, ownership: OwnershipPath[]): string;
+//# sourceMappingURL=markdown-reporter.d.ts.map

package/dist/output/markdown-reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdown-reporter.d.ts","sourceRoot":"","sources":["../../src/output/markdown-reporter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,MAAM,CA+BxF"}

package/dist/output/markdown-reporter.js

@@ -0,0 +1,28 @@
+export function toMarkdownReport(report, ownership) {
+    const lines = ["# audit-trace report", ""];
+    lines.push(`## Findings (${report.findings.length})`);
+    for (const f of report.findings) {
+        lines.push(`- **${f.severity.toUpperCase()}** \`${f.packageName}\` — ${f.title ?? f.id}`);
+    }
+    lines.push("");
+    lines.push("## Ownership paths");
+    for (const o of ownership.slice(0, 50)) {
+        lines.push(`- \`${o.packageName}\` (${o.severity}) — top-level via **${o.topLevelNames.join(", ") || "?"}** — dev: ${o.isDevDependency}`);
+    }
+    if (ownership.length > 50)
+        lines.push(`… and ${ownership.length - 50} more`);
+    lines.push("");
+    lines.push("## Remediation");
+    for (const r of report.remediation) {
+        lines.push(`- **${r.kind}** ${r.targetPackage}: ${r.reason}`);
+        if (r.manifestPatch)
+            lines.push("```json\n" + JSON.stringify(r.manifestPatch, null, 2) + "\n```");
+    }
+    lines.push("");
+    lines.push("## CI diagnostics");
+    for (const d of report.diagnostics ?? []) {
+        lines.push(`- **${d.code}** (${d.severity}): ${d.message}`);
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=markdown-reporter.js.map

package/dist/output/markdown-reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdown-reporter.js","sourceRoot":"","sources":["../../src/output/markdown-reporter.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,gBAAgB,CAAC,MAAmB,EAAE,SAA0B;IAC9E,MAAM,KAAK,GAAa,CAAC,sBAAsB,EAAE,EAAE,CAAC,CAAC;IAErD,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,WAAW,QAAQ,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,IAAI,CACR,OAAO,CAAC,CAAC,WAAW,OAAO,CAAC,CAAC,QAAQ,uBAAuB,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC,CAAC,eAAe,EAAE,CAC9H,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,SAAS,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;IAE7E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACnC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,aAAa,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9D,IAAI,CAAC,CAAC,aAAa;YACjB,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC;IACjF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/output/terminal-renderer.d.ts

@@ -0,0 +1,8 @@
+import type { DependencyGraphSnapshot, VulnerabilityFinding } from "../core/models.js";
+import type { OwnershipPath } from "../core/ownership/tracer.js";
+export declare function renderPretty(findings: VulnerabilityFinding[], ownership: OwnershipPath[], graph: DependencyGraphSnapshot | null, opts: {
+    ci?: boolean;
+    verbose?: boolean;
+}): string;
+export declare function printCiSummary(diagnostics: import("../core/models.js").CiDiagnostic[], verbose: boolean): string;
+//# sourceMappingURL=terminal-renderer.d.ts.map

package/dist/output/terminal-renderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal-renderer.d.ts","sourceRoot":"","sources":["../../src/output/terminal-renderer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACvF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAIjE,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,oBAAoB,EAAE,EAChC,SAAS,EAAE,aAAa,EAAE,EAC1B,KAAK,EAAE,uBAAuB,GAAG,IAAI,EACrC,IAAI,EAAE;IAAE,EAAE,CAAC,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,GACxC,MAAM,CA+BR;AAED,wBAAgB,cAAc,CAC5B,WAAW,EAAE,OAAO,mBAAmB,EAAE,YAAY,EAAE,EACvD,OAAO,EAAE,OAAO,GACf,MAAM,CAWR"}

package/dist/output/terminal-renderer.js

@@ -0,0 +1,51 @@
+import chalk from "chalk";
+import { formatPathNames, buildIndexes, shortestPathFromRoots } from "../core/graph-engine/traverse.js";
+import { formatChain } from "./tree-format.js";
+export function renderPretty(findings, ownership, graph, opts) {
+    const lines = [];
+    lines.push(chalk.bold("audit-trace"));
+    lines.push("");
+    for (const f of findings) {
+        const label = chalk.hex(f.severity === "critical" ? "#ff0000" : "#ffa500");
+        lines.push(label(`[${f.severity.toUpperCase()}] ${f.packageName}`));
+        if (f.title)
+            lines.push(`  ${f.title}`);
+    }
+    lines.push("");
+    lines.push(chalk.bold("Ownership paths"));
+    for (const o of ownership.slice(0, 40)) {
+        if (!graph) {
+            lines.push(`- ${o.packageName}`);
+            continue;
+        }
+        const idx = buildIndexes(graph);
+        const path = shortestPathFromRoots(graph, idx, o.nodeId);
+        if (path) {
+            const names = path.map((id) => graph.nodes.get(id)?.name ?? id);
+            lines.push(formatChain(names));
+            lines.push("");
+        }
+        else {
+            lines.push(`- ${formatPathNames(o.pathNodeIds, graph.nodes)}`);
+        }
+    }
+    if (opts.ci && !opts.verbose) {
+        lines.push("");
+        lines.push(chalk.dim("Run with --ci-verbose for filter and graph context."));
+    }
+    return lines.join("\n");
+}
+export function printCiSummary(diagnostics, verbose) {
+    const lines = [];
+    lines.push(chalk.bold("CI summary"));
+    for (const d of diagnostics) {
+        const col = d.severity === "error" ? chalk.red : d.severity === "warn" ? chalk.yellow : chalk.blue;
+        lines.push(col(`[${d.code}] ${d.message}`));
+        if (verbose && d.detail)
+            lines.push(chalk.dim(d.detail));
+        if (verbose && d.remediationHint)
+            lines.push(chalk.green(`Hint: ${d.remediationHint}`));
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=terminal-renderer.js.map

package/dist/output/terminal-renderer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal-renderer.js","sourceRoot":"","sources":["../../src/output/terminal-renderer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAG1B,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AACxG,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE/C,MAAM,UAAU,YAAY,CAC1B,QAAgC,EAChC,SAA0B,EAC1B,KAAqC,EACrC,IAAyC;IAEzC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC3E,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QACpE,IAAI,CAAC,CAAC,KAAK;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YACjC,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YAChE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,WAAuD,EACvD,OAAgB;IAEhB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACrC,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,GAAG,GACP,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;QACzF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC5C,IAAI,OAAO,IAAI,CAAC,CAAC,MAAM;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QACzD,IAAI,OAAO,IAAI,CAAC,CAAC,eAAe;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/output/tree-format.d.ts

@@ -0,0 +1,3 @@
+/** Pretty-print a dependency chain like npm ls / user example. */
+export declare function formatChain(names: string[]): string;
+//# sourceMappingURL=tree-format.d.ts.map

package/dist/output/tree-format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tree-format.d.ts","sourceRoot":"","sources":["../../src/output/tree-format.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,CAQnD"}

package/dist/output/tree-format.js

@@ -0,0 +1,12 @@
+/** Pretty-print a dependency chain like npm ls / user example. */
+export function formatChain(names) {
+    if (names.length === 0)
+        return "";
+    let s = names[0];
+    for (let i = 1; i < names.length; i++) {
+        const pad = "    ".repeat(i - 1);
+        s += `\n${pad}└── ${names[i]}`;
+    }
+    return s;
+}
+//# sourceMappingURL=tree-format.js.map

package/dist/output/tree-format.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tree-format.js","sourceRoot":"","sources":["../../src/output/tree-format.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,MAAM,UAAU,WAAW,CAAC,KAAe;IACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,CAAC,IAAI,KAAK,GAAG,OAAO,KAAK,CAAC,CAAC,CAAE,EAAE,CAAC;IAClC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/plugins/registry.d.ts

@@ -0,0 +1,4 @@
+import type { AuditPlugin } from "./types.js";
+export declare function registerPlugin(p: AuditPlugin): void;
+export declare function getPlugins(): AuditPlugin[];
+//# sourceMappingURL=registry.d.ts.map

package/dist/plugins/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/plugins/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAI9C,wBAAgB,cAAc,CAAC,CAAC,EAAE,WAAW,GAAG,IAAI,CAEnD;AAED,wBAAgB,UAAU,IAAI,WAAW,EAAE,CAE1C"}

package/dist/plugins/registry.js

@@ -0,0 +1,8 @@
+const plugins = [];
+export function registerPlugin(p) {
+    plugins.push(p);
+}
+export function getPlugins() {
+    return [...plugins];
+}
+//# sourceMappingURL=registry.js.map

package/dist/plugins/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/plugins/registry.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,GAAkB,EAAE,CAAC;AAElC,MAAM,UAAU,cAAc,CAAC,CAAc;IAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;AACtB,CAAC"}

package/dist/plugins/types.d.ts

@@ -0,0 +1,10 @@
+import type { AuditReport, CiDiagnostic, DependencyGraphSnapshot, VulnerabilityFinding } from "../core/models.js";
+import type { OwnershipPath } from "../core/ownership/tracer.js";
+export interface AuditPlugin {
+    name: string;
+    afterGraphBuilt?(graph: DependencyGraphSnapshot): void;
+    afterAuditNormalized?(findings: VulnerabilityFinding[]): void;
+    onCiDiagnostics?(diagnostics: CiDiagnostic[]): CiDiagnostic[] | void;
+    formatReport?(report: AuditReport, ownership: OwnershipPath[]): AuditReport | void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/plugins/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/plugins/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,uBAAuB,EACvB,oBAAoB,EACrB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,CAAC,CAAC,KAAK,EAAE,uBAAuB,GAAG,IAAI,CAAC;IACvD,oBAAoB,CAAC,CAAC,QAAQ,EAAE,oBAAoB,EAAE,GAAG,IAAI,CAAC;IAC9D,eAAe,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,GAAG,YAAY,EAAE,GAAG,IAAI,CAAC;IACrE,YAAY,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,WAAW,GAAG,IAAI,CAAC;CACpF"}

package/dist/plugins/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/plugins/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/plugins/types.ts"],"names":[],"mappings":""}

package/examples/github-actions/ci.yml

@@ -0,0 +1,34 @@
+# Example: run audit-trace in GitHub Actions
+#
+# Install the CLI in your workflow (pick one):
+# - npm install -g audit-trace  (after publishing to npm)
+# - npm ci && npm install ../path-to/audit-trace && use node_modules/.bin/audit-trace
+# - checkout this repo, npm ci && npm run build && node dist/cli.js ...
+
+name: audit-trace-example
+
+on:
+  workflow_dispatch: {}
+
+jobs:
+  deps:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - run: npm ci
+      - name: audit-trace report
+        run: |
+          if command -v audit-trace >/dev/null 2>&1; then
+            audit-trace report --ci --json --fail-on high | tee audit-trace-report.json
+          else
+            echo "Install audit-trace first; see examples/github-actions/ci.yml header."
+            exit 0
+          fi
+      - name: Job summary from diagnostics
+        if: always() && hashFiles('audit-trace-report.json') != ''
+        run: |
+          echo "## audit-trace" >> "$GITHUB_STEP_SUMMARY"
+          node -e "const r=require('./audit-trace-report.json');(r.diagnostics||[]).forEach(d=>console.log('- **'+d.code+'**: '+d.message));" >> "$GITHUB_STEP_SUMMARY" || true

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "audit-trace",
+  "version": "0.1.0",
+  "description": "Dependency vulnerability analysis with ownership tracing and actionable remediation",
+  "type": "module",
+  "main": "./dist/index.js",
+  "bin": {
+    "audit-trace": "./dist/cli.js"
+  },
+  "files": [
+    "dist",
+    "examples"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/cli.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepack": "npm run build"
+  },
+  "keywords": [
+    "audit",
+    "security",
+    "npm",
+    "pnpm",
+    "yarn",
+    "dependencies",
+    "cli"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "@yarnpkg/lockfile": "^1.1.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "debug": "^4.4.0",
+    "graphlib": "^2.1.8",
+    "ink": "^5.0.1",
+    "madge": "^8.0.0",
+    "ora": "^8.1.1",
+    "react": "^18.3.1",
+    "semver": "^7.6.3",
+    "treeify": "^1.1.0",
+    "yaml": "^2.6.1"
+  },
+  "devDependencies": {
+    "@types/graphlib": "^2.1.12",
+    "@types/node": "^22.10.2",
+    "@types/react": "^18.3.12",
+    "@types/semver": "^7.5.8",
+    "typescript": "^5.7.2",
+    "vitest": "^2.1.8"
+  }
+}