codeproof 1.0.0 → 1.0.2

package/bin/codeproof.js

@@ -3,13 +3,16 @@ import { runInit } from "../commands/init.js";
 import { runCli } from "../commands/run.js";
 import { runReportDashboard } from "../commands/reportDashboard.js";
 import { runMoveSecret } from "../commands/moveSecret.js";
+import { runWhoAmI } from "../commands/whoami.js";
+import { runIgnore } from "../commands/ignore.js";
+import { runApply } from "../commands/apply.js";
 import { logError, logInfo } from "../utils/logger.js";
 
 const [, , command, ...args] = process.argv;
 
 async function main() {
   if (!command || command === "-h" || command === "--help") {
-    logInfo("Usage: codeproof <command>\n\nCommands:\n  init               Initialize CodeProof in a Git repository\n  run                Run CodeProof checks (stub)\n  report@dashboard   Send latest report and show dashboard link\n  move-secret        Move high-confidence secrets to .env");
+    logInfo("Usage: codeproof <command>\n\nCommands:\n  init               Initialize CodeProof in a Git repository\n  run                Run CodeProof checks (stub)\n  report@dashboard   Send latest report and show dashboard link\n  move-secret        Move high-confidence secrets to .env\n  ignore             Temporarily disable commit enforcement\n  apply              Re-enable commit enforcement\n  whoami             Show the local CodeProof client ID");
     process.exit(0);
   }
 
@@ -33,6 +36,21 @@ async function main() {
     return;
   }
 
+  if (command === "ignore") {
+    await runIgnore({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "apply") {
+    await runApply({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "whoami") {
+    await runWhoAmI();
+    return;
+  }
+
   logError(`Unknown command: ${command}`);
   process.exit(1);
 }

package/commands/apply.js

@@ -0,0 +1,32 @@
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { getEnforcementState, setEnforcementState } from "../core/enforcement.js";
+
+export async function runApply({ cwd }) {
+  // Re-enable enforcement explicitly to restore pre-commit blocking.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+
+  let current = "enabled";
+  try {
+    current = getEnforcementState(gitRoot);
+  } catch (error) {
+    logError(error?.message || "Unable to read codeproof.config.json.");
+    process.exit(1);
+  }
+
+  if (current === "enabled") {
+    logWarn("CodeProof enforcement is already enabled.");
+    return;
+  }
+
+  try {
+    setEnforcementState(gitRoot, "enabled");
+  } catch (error) {
+    logError(error?.message || "Unable to update codeproof.config.json.");
+    process.exit(1);
+  }
+
+  logSuccess("CodeProof enforcement re-enabled.");
+  logInfo("Pre-commit protection active.");
+}

package/commands/ignore.js

@@ -0,0 +1,32 @@
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { getEnforcementState, setEnforcementState } from "../core/enforcement.js";
+
+export async function runIgnore({ cwd }) {
+  // Controlled bypass: disabling enforcement is explicit and project-scoped.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+
+  let current = "enabled";
+  try {
+    current = getEnforcementState(gitRoot);
+  } catch (error) {
+    logError(error?.message || "Unable to read codeproof.config.json.");
+    process.exit(1);
+  }
+
+  if (current === "disabled") {
+    logWarn("CodeProof enforcement is already disabled.");
+    return;
+  }
+
+  try {
+    setEnforcementState(gitRoot, "disabled");
+  } catch (error) {
+    logError(error?.message || "Unable to update codeproof.config.json.");
+    process.exit(1);
+  }
+
+  logSuccess("CodeProof enforcement disabled.");
+  logInfo("Commits will not be blocked until `codeproof apply` is run.");
+}

package/commands/init.js

@@ -5,11 +5,15 @@ import { logInfo, logSuccess, logWarn } from "../utils/logger.js";
 import { detectProjectType } from "../utils/projectType.js";
 import { installPreCommitHook } from "../hooks/preCommit.js";
 import { showWelcomeScreen } from "../ui/welcomeScreen.js";
+import { getClientId } from "../core/identity.js";
+import { randomUUID } from "crypto";
 
 
 
 export async function runInit({ cwd }) {
   logInfo("Initializing CodeProof...");
+
+  getClientId();
   
   ensureGitRepo(cwd);
   logSuccess("Git repository detected.");
@@ -23,11 +27,30 @@ export async function runInit({ cwd }) {
   const configPath = path.join(gitRoot, "codeproof.config.json");
   // Avoid overwriting user configuration to keep init idempotent.
   if (fs.existsSync(configPath)) {
-    logWarn("Config already exists. Skipping creation.");
+    let updated = false;
+    try {
+      const raw = fs.readFileSync(configPath, "utf8");
+      const existing = JSON.parse(raw);
+      if (!existing.projectId) {
+        existing.projectId = randomUUID();
+        updated = true;
+        fs.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n", "utf8");
+      }
+    } catch {
+      logWarn("Config already exists but could not be updated.");
+    }
+
+    if (updated) {
+      logSuccess("Added projectId to codeproof.config.json");
+    } else {
+      logWarn("Config already exists. Skipping creation.");
+    }
   } else {
     const config = {
+      projectId: randomUUID(),
       projectType,
       scanMode: "staged",
+      enforcement: "enabled",
       features: {
         reporting: true,
         integration: false,
@@ -48,6 +71,18 @@ export async function runInit({ cwd }) {
     logSuccess("Created codeproof.config.json");
   }
 
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    const existing = JSON.parse(raw);
+    if (!existing.enforcement) {
+      existing.enforcement = "enabled";
+      fs.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n", "utf8");
+      logSuccess("Added enforcement=enabled to codeproof.config.json");
+    }
+  } catch {
+    logWarn("Unable to update enforcement in codeproof.config.json.");
+  }
+
   installPreCommitHook(gitRoot);
   logSuccess("Pre-commit hook installed.");
 

package/commands/moveSecret.js

@@ -8,6 +8,7 @@ import { ensureEnvFile, readEnvKeys, appendEnvEntries } from "../utils/envManage
 import { backupFileOnce, extractSecretValueFromLine, replaceSecretInFile } from "../utils/fileRewriter.js";
 import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
 import { reportFeatureDisabled, warnExperimentalOnce } from "../core/safetyGuards.js";
+import { readLatestReport } from "../reporting/reportReader.js";
 
 const TEST_PATH_HINTS = [
   "test",
@@ -37,24 +38,6 @@ function isIgnoredPath(filePath, excludes) {
   return false;
 }
 
-function readLatestReport(reportPath) {
-  if (!fs.existsSync(reportPath)) {
-    return null;
-  }
-
-  const content = fs.readFileSync(reportPath, "utf8");
-  const lines = content.split(/\r?\n/).filter(Boolean);
-  if (lines.length === 0) {
-    return null;
-  }
-
-  try {
-    return JSON.parse(lines[lines.length - 1]);
-  } catch {
-    return null;
-  }
-}
-
 function confirmProceed(message) {
   return new Promise((resolve) => {
     const rl = readline.createInterface({
@@ -73,7 +56,6 @@ export async function runMoveSecret({ cwd }) {
   // Boundary: remediation reads reports only and must not depend on analysis state.
   ensureGitRepo(cwd);
   const gitRoot = getGitRoot(cwd);
-  const reportPath = path.join(gitRoot, "codeproof-report.log");
   const configPath = path.join(gitRoot, "codeproof.config.json");
   let config = {};
   try {
@@ -92,7 +74,7 @@ export async function runMoveSecret({ cwd }) {
   }
 
   warnExperimentalOnce("Experimental feature enabled: move-secret.", logWarn);
-  const latestReport = readLatestReport(reportPath);
+  const latestReport = readLatestReport(gitRoot)?.report || null;
 
   if (!latestReport || !Array.isArray(latestReport.findings)) {
     logWarn("No reports found. Run 'codeproof run' first.");

package/commands/reportDashboard.js

@@ -5,6 +5,7 @@ import { logError, logInfo, logWarn } from "../utils/logger.js";
 import { sendReportToServer } from "../utils/apiClient.js";
 import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
 import { reportFeatureDisabled, withFailOpenIntegration } from "../core/safetyGuards.js";
+import { readLatestReport } from "../reporting/reportReader.js";
 
 function readConfig(configPath) {
   if (!fs.existsSync(configPath)) {
@@ -21,24 +22,6 @@ function readConfig(configPath) {
   }
 }
 
-function readLatestReport(reportPath) {
-  if (!fs.existsSync(reportPath)) {
-    return null;
-  }
-
-  const content = fs.readFileSync(reportPath, "utf8");
-  const lines = content.split(/\r?\n/).filter(Boolean);
-  if (lines.length === 0) {
-    return null;
-  }
-
-  try {
-    return JSON.parse(lines[lines.length - 1]);
-  } catch {
-    return null;
-  }
-}
-
 export async function runReportDashboard({ cwd }) {
   // Boundary: CLI orchestration only. Avoid importing this module in lower layers.
   ensureGitRepo(cwd);
@@ -49,30 +32,26 @@ export async function runReportDashboard({ cwd }) {
   const verbose = isVerbose(config);
 
   if (features.reporting) {
-    const reportPath = path.join(gitRoot, "codeproof-report.log");
-    const latestReport = readLatestReport(reportPath);
+    const latestEntry = readLatestReport(gitRoot);
+    const latestReport = latestEntry?.report || null;
 
     if (!latestReport) {
-      logWarn("No reports found. Run 'codeproof run' first.");
+      logWarn("No reports found. Run `codeproof run` first.");
     } else {
       const integration = config?.integration || {};
-      const integrationEnabled = features.integration && Boolean(integration.enabled);
-      if (integrationEnabled) {
-        // Integrations are fail-open: skip silently when disabled, never throw on network errors.
-        withFailOpenIntegration(() => {
-          sendReportToServer(latestReport, {
-            enabled: true,
-            endpointUrl: integration.endpointUrl
-          });
+      // Integrations are fail-open: never throw on network errors.
+      withFailOpenIntegration(() => {
+        sendReportToServer(latestReport, {
+          enabled: true,
+          endpointUrl: integration.endpointUrl
         });
-      } else {
-        reportFeatureDisabled("Integration", verbose, logInfo);
+      });
+
+      if (latestReport?.projectId) {
+        logInfo(`View dashboard: https://dashboard.codeproof.dev/project/${latestReport.projectId}`);
       }
     }
   } else {
     reportFeatureDisabled("Reporting", verbose, logInfo);
   }
-
-  const projectId = encodeURIComponent(path.basename(gitRoot) || "project");
-  logInfo(`Dashboard: https://dashboard.codeproof.dev/project/${projectId}`);
 }

package/commands/run.js

@@ -2,15 +2,17 @@ import fs from "fs";
 import path from "path";
 import { ensureGitRepo, getGitRoot, getStagedFiles } from "../utils/git.js";
 import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
-import { getDefaultExcludes, isBinaryFile, listFilesRecursive } from "../utils/files.js";
+import { buildScanTargets } from "../utils/fileScanner.js";
 import { runRuleEngine } from "../engine/ruleEngine.js";
 import { analyze } from "../engine/aiAnalyzer.js";
 import { mergeDecisions } from "../engine/decisionMerger.js";
 import { buildAiInputs, buildProjectContext } from "../engine/contextBuilder.js";
 import { buildReport } from "../reporting/reportBuilder.js";
-import { appendReport } from "../reporting/reportWriter.js";
+import { writeReport } from "../reporting/reportWriter.js";
 import { sendReportToServer } from "../utils/apiClient.js";
 import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
+import { getClientId } from "../core/identity.js";
+import { getEnforcementState } from "../core/enforcement.js";
 import {
     reportFeatureDisabled,
     warnExperimentalOnce,
@@ -18,6 +20,7 @@ import {
     withFailOpenIntegration,
     withFailOpenReporting
 } from "../core/safetyGuards.js";
+import { randomUUID } from "crypto";
 
 function readConfig(configPath) {
     if (!fs.existsSync(configPath)) {
@@ -34,23 +37,7 @@ function readConfig(configPath) {
     }
 }
 
-function normalizeScopeFiles(files, gitRoot) {
-    return files
-        .map((filePath) => (path.isAbsolute(filePath) ? filePath : path.join(gitRoot, filePath)))
-        .filter((filePath) => {
-            try {
-                return fs.statSync(filePath).isFile();
-            } catch {
-                return false;
-            }
-        });
-}
-
-function filterBinaryFiles(files) {
-    return files.filter((filePath) => !isBinaryFile(filePath));
-}
-
-export async function runCli({ cwd }) {
+export async function runCli({ args = [], cwd }) {
     // Boundary: CLI orchestration only. Avoid importing this module in lower layers.
     logInfo("CodeProof run started.");
 
@@ -60,6 +47,20 @@ export async function runCli({ cwd }) {
     const config = readConfig(configPath);
     const features = resolveFeatureFlags(config);
     const verbose = isVerbose(config);
+    let enforcement = "enabled";
+    try {
+        enforcement = getEnforcementState(gitRoot);
+    } catch (error) {
+        logError(error?.message || "Unable to read enforcement state.");
+        process.exit(1);
+    }
+    const isPreCommit = args.includes("--precommit") || Boolean(process.env.CODEPROOF_PRECOMMIT);
+
+    if (isPreCommit && enforcement === "disabled") {
+        logWarn("CodeProof enforcement is temporarily disabled.");
+        logInfo("Commit allowed.");
+        process.exit(0);
+    }
 
     if (!config.scanMode) {
         logError("Config missing scanMode. Expected 'staged' or 'full'.");
@@ -71,27 +72,30 @@ export async function runCli({ cwd }) {
 
     if (scanMode === "staged") {
         logInfo("Scan mode: staged");
-        const staged = getStagedFiles(gitRoot);
-        targets = normalizeScopeFiles(staged, gitRoot);
+        targets = buildScanTargets({
+            gitRoot,
+            scanMode,
+            stagedFiles: getStagedFiles(gitRoot)
+        });
     } else if (scanMode === "full") {
         logInfo("Scan mode: full");
-        const excludes = getDefaultExcludes();
-        const allFiles = listFilesRecursive(gitRoot, excludes);
-        targets = normalizeScopeFiles(allFiles, gitRoot);
+        targets = buildScanTargets({
+            gitRoot,
+            scanMode,
+            stagedFiles: []
+        });
     } else {
         logError("Invalid scanMode. Expected 'staged' or 'full'.");
         process.exit(1);
     }
 
-    const filtered = filterBinaryFiles(targets);
-
-    if (filtered.length === 0) {
+    if (targets.length === 0) {
         logWarn("No relevant files found. Exiting.");
         // Exit code 0 allows the Git commit to continue.
         process.exit(0);
     }
 
-    const { findings, escalations } = runRuleEngine({ files: filtered });
+    const { findings, escalations } = runRuleEngine({ files: targets });
     const projectContext = buildProjectContext({ gitRoot, config });
     let aiInputs = [];
     if (features.aiEscalation) {
@@ -116,18 +120,22 @@ export async function runCli({ cwd }) {
     if (features.reporting) {
         withFailOpenReporting(() => {
             const timestamp = new Date().toISOString();
-            const runId = `${Date.now()}-${process.pid}`;
+            const reportId = randomUUID();
+            const projectId = config.projectId || "";
+            const clientId = getClientId();
             const report = buildReport({
                 projectRoot: gitRoot,
+                projectId,
+                clientId,
+                reportId,
                 scanMode,
-                filesScannedCount: filtered.length,
+                filesScannedCount: targets.length,
                 baselineFindings: [...findings, ...escalations],
                 aiReviewed,
-                runId,
                 timestamp
             });
             // Reporting is fail-open: never block commits if logging fails.
-            appendReport({ projectRoot: gitRoot, report });
+            writeReport({ projectRoot: gitRoot, report });
 
             const integration = config?.integration || {};
             const integrationEnabled = features.integration && Boolean(integration.enabled);

package/commands/whoami.js

@@ -0,0 +1,19 @@
+import { readClientId, getGlobalConfigPath } from "../core/identity.js";
+import { logError, logInfo } from "../utils/logger.js";
+
+export async function runWhoAmI() {
+  const clientId = readClientId();
+
+  if (!clientId) {
+    logError("CodeProof not initialized. Run codeproof init first.");
+    process.exit(1);
+  }
+
+  logInfo("CodeProof Client ID:");
+  logInfo(clientId);
+  logInfo("");
+  logInfo("Use this ID to log in at:");
+  logInfo("https://your-dashboard-url.com/login");
+  logInfo("");
+  logInfo(`Config: ${getGlobalConfigPath()}`);
+}

package/core/enforcement.js

@@ -0,0 +1,51 @@
+import fs from "fs";
+import path from "path";
+
+const ENFORCEMENT_ENABLED = "enabled";
+const ENFORCEMENT_DISABLED = "disabled";
+
+function getConfigPath(gitRoot) {
+  return path.join(gitRoot, "codeproof.config.json");
+}
+
+function readConfig(gitRoot) {
+  const configPath = getConfigPath(gitRoot);
+  if (!fs.existsSync(configPath)) {
+    const error = new Error("Missing codeproof.config.json. Run codeproof init first.");
+    error.code = "CODEPROOF_CONFIG_MISSING";
+    throw error;
+  }
+
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    const error = new Error("Invalid codeproof.config.json. Please fix the file.");
+    error.code = "CODEPROOF_CONFIG_INVALID";
+    throw error;
+  }
+}
+
+function writeConfig(gitRoot, config) {
+  const configPath = getConfigPath(gitRoot);
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf8");
+}
+
+export function getEnforcementState(gitRoot) {
+  const config = readConfig(gitRoot);
+  const enforcement = String(config.enforcement || ENFORCEMENT_ENABLED).toLowerCase();
+  return enforcement === ENFORCEMENT_DISABLED ? ENFORCEMENT_DISABLED : ENFORCEMENT_ENABLED;
+}
+
+export function setEnforcementState(gitRoot, nextState) {
+  const config = readConfig(gitRoot);
+  const normalized = String(nextState || "").toLowerCase();
+  const enforcement = normalized === ENFORCEMENT_DISABLED
+    ? ENFORCEMENT_DISABLED
+    : ENFORCEMENT_ENABLED;
+
+  // Security: explicit state keeps this a reversible bypass, not a silent disable.
+  const updated = { ...config, enforcement };
+  writeConfig(gitRoot, updated);
+  return enforcement;
+}

package/core/identity.js

@@ -0,0 +1,78 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { randomUUID } from "crypto";
+
+const CONFIG_DIR_NAME = ".codeproof";
+const CONFIG_FILE_NAME = "config.json";
+
+function getConfigDir() {
+  return path.join(os.homedir(), CONFIG_DIR_NAME);
+}
+
+function getConfigPath() {
+  return path.join(getConfigDir(), CONFIG_FILE_NAME);
+}
+
+function ensureConfigDir() {
+  const dir = getConfigDir();
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+  try {
+    fs.chmodSync(dir, 0o700);
+  } catch {
+    // Best-effort on platforms that ignore chmod.
+  }
+}
+
+function writeConfig(config) {
+  const filePath = getConfigPath();
+  const payload = JSON.stringify(config, null, 2) + "\n";
+  fs.writeFileSync(filePath, payload, { encoding: "utf8", mode: 0o600 });
+  try {
+    fs.chmodSync(filePath, 0o600);
+  } catch {
+    // Best-effort on platforms that ignore chmod.
+  }
+}
+
+function readConfig() {
+  const filePath = getConfigPath();
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+
+  try {
+    const raw = fs.readFileSync(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function ensureClientId() {
+  ensureConfigDir();
+
+  const existing = readConfig();
+  if (existing?.clientId) {
+    return existing.clientId;
+  }
+
+  const clientId = randomUUID();
+  writeConfig({ clientId });
+  return clientId;
+}
+
+export function getClientId() {
+  return ensureClientId();
+}
+
+export function readClientId() {
+  const existing = readConfig();
+  return existing?.clientId ?? null;
+}
+
+export function getGlobalConfigPath() {
+  return getConfigPath();
+}

package/hooks/preCommit.js

@@ -12,7 +12,20 @@ function getHookBlock() {
   return [
     "",
     HOOK_MARKER,
-    "codeproof run",
+    "GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)",
+    "if [ -n \"$GIT_ROOT\" ]; then",
+    "  cd \"$GIT_ROOT\" || exit 1",
+    "fi",
+    "CONFIG_PATH=\"$GIT_ROOT/codeproof.config.json\"",
+    "if [ -f \"$CONFIG_PATH\" ]; then",
+    "  ENFORCEMENT=$(node -e \"const fs=require('fs');try{const c=JSON.parse(fs.readFileSync('$CONFIG_PATH','utf8'));console.log((c.enforcement||'enabled').toLowerCase());}catch(e){console.log('enabled');}\")",
+    "  if [ \"$ENFORCEMENT\" = \"disabled\" ]; then",
+    "    echo \"CodeProof enforcement is temporarily disabled.\"",
+    "    echo \"Commit allowed.\"",
+    "    exit 0",
+    "  fi",
+    "fi",
+    "CODEPROOF_PRECOMMIT=1 codeproof run --precommit",
     "RESULT=$?",
     "if [ $RESULT -ne 0 ]; then",
     "  echo \"CodeProof checks failed. Commit blocked.\"",
@@ -36,7 +49,20 @@ export function installPreCommitHook(gitRoot) {
       "#!/bin/sh",
       "", 
       "# Auto-generated by CodeProof",
-      "codeproof run",
+      "GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)",
+      "if [ -n \"$GIT_ROOT\" ]; then",
+      "  cd \"$GIT_ROOT\" || exit 1",
+      "fi",
+      "CONFIG_PATH=\"$GIT_ROOT/codeproof.config.json\"",
+      "if [ -f \"$CONFIG_PATH\" ]; then",
+      "  ENFORCEMENT=$(node -e \"const fs=require('fs');try{const c=JSON.parse(fs.readFileSync('$CONFIG_PATH','utf8'));console.log((c.enforcement||'enabled').toLowerCase());}catch(e){console.log('enabled');}\")",
+      "  if [ \"$ENFORCEMENT\" = \"disabled\" ]; then",
+      "    echo \"CodeProof enforcement is temporarily disabled.\"",
+      "    echo \"Commit allowed.\"",
+      "    exit 0",
+      "  fi",
+      "fi",
+      "CODEPROOF_PRECOMMIT=1 codeproof run --precommit",
       "RESULT=$?",
       "if [ $RESULT -ne 0 ]; then",
       "  echo \"CodeProof checks failed. Commit blocked.\"",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeproof",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "CodeProof CLI",
   "type": "module",
   "bin": {
@@ -9,5 +9,8 @@
   "engines": {
     "node": ">=18"
   },
-  "license": "MIT"
+  "license": "MIT",
+  "dependencies": {
+    "uuid": "^13.0.0"
+  }
 }

package/reporting/reportBuilder.js

@@ -45,11 +45,13 @@ function normalizeSeverity(value) {
 
 export function buildReport({
   projectRoot,
+  projectId,
+  clientId,
+  reportId,
   scanMode,
   filesScannedCount,
   baselineFindings,
   aiReviewed,
-  runId,
   timestamp
 }) {
   const aiById = new Map(aiReviewed.map((entry) => [entry.finding.findingId, entry.decision]));
@@ -84,9 +86,10 @@ export function buildReport({
       : "allowed";
 
   return {
-    runId,
+    reportId,
     timestamp,
-    projectRoot,
+    projectId,
+    clientId,
     scanMode,
     summary: {
       totalFilesScanned: filesScannedCount,

package/reporting/reportReader.js

@@ -0,0 +1,49 @@
+import fs from "fs";
+import path from "path";
+
+const REPORT_DIR_NAME = "codeproof-reports";
+const REPORT_PATTERN = /^report-(\d+)\.json$/;
+
+function getReportDir(projectRoot) {
+  return path.join(projectRoot, REPORT_DIR_NAME);
+}
+
+function getReportNumbers(files) {
+  return files
+    .map((file) => {
+      const match = REPORT_PATTERN.exec(file);
+      return match ? Number.parseInt(match[1], 10) : null;
+    })
+    .filter((value) => Number.isInteger(value));
+}
+
+export function readLatestReport(projectRoot) {
+  const reportDir = getReportDir(projectRoot);
+  if (!fs.existsSync(reportDir)) {
+    return null;
+  }
+
+  let files = [];
+  try {
+    files = fs.readdirSync(reportDir);
+  } catch {
+    return null;
+  }
+
+  const numbers = getReportNumbers(files).sort((a, b) => b - a);
+  if (numbers.length === 0) {
+    return null;
+  }
+
+  for (const number of numbers) {
+    const reportPath = path.join(reportDir, `report-${number}.json`);
+    try {
+      const raw = fs.readFileSync(reportPath, "utf8");
+      return { report: JSON.parse(raw), reportPath };
+    } catch {
+      // Skip unreadable or invalid JSON reports instead of crashing.
+    }
+  }
+
+  return null;
+}

package/reporting/reportWriter.js

@@ -1,19 +1,62 @@
 import fs from "fs";
-import os from "os";
 import path from "path";
 
+const REPORT_DIR_NAME = "codeproof-reports";
+const REPORT_PREFIX = "report-";
+const REPORT_SUFFIX = ".json";
+const REPORT_PATTERN = /^report-(\d+)\.json$/;
+
 // Boundary: reporting storage only. Must not import rule logic, AI logic, or integrations.
 
-export function appendReport({ projectRoot, report }) {
-  const reportPath = path.join(projectRoot, "codeproof-report.log");
-  const line = JSON.stringify(report) + os.EOL;
+function getReportDir(projectRoot) {
+  return path.join(projectRoot, REPORT_DIR_NAME);
+}
+
+function ensureReportDir(reportDir) {
+  if (!fs.existsSync(reportDir)) {
+    fs.mkdirSync(reportDir, { recursive: true });
+  }
+}
 
-  // Append-only to preserve an immutable audit trail of every run.
-  const fileHandle = fs.openSync(reportPath, "a");
+function getNextReportNumber(reportDir) {
+  let files = [];
   try {
-    fs.writeSync(fileHandle, line, null, "utf8");
-    fs.fsyncSync(fileHandle);
-  } finally {
-    fs.closeSync(fileHandle);
+    files = fs.readdirSync(reportDir);
+  } catch {
+    return 1;
+  }
+
+  const numbers = files
+    .map((file) => {
+      const match = REPORT_PATTERN.exec(file);
+      return match ? Number.parseInt(match[1], 10) : null;
+    })
+    .filter((value) => Number.isInteger(value));
+
+  if (numbers.length === 0) {
+    return 1;
   }
+
+  return Math.max(...numbers) + 1;
+}
+
+export function writeReport({ projectRoot, report }) {
+  const reportDir = getReportDir(projectRoot);
+  ensureReportDir(reportDir);
+
+  // Per-run JSON keeps every audit entry immutable and easy to archive.
+  let reportNumber = getNextReportNumber(reportDir);
+  let reportPath = path.join(reportDir, `${REPORT_PREFIX}${reportNumber}${REPORT_SUFFIX}`);
+  while (fs.existsSync(reportPath)) {
+    reportNumber += 1;
+    reportPath = path.join(reportDir, `${REPORT_PREFIX}${reportNumber}${REPORT_SUFFIX}`);
+  }
+
+  // Use numeric sequencing over timestamps to avoid collisions in fast CI runs.
+  const tempPath = path.join(reportDir, `.tmp-${process.pid}-${Date.now()}.json`);
+  const payload = JSON.stringify(report, null, 2) + "\n";
+  fs.writeFileSync(tempPath, payload, "utf8");
+  fs.renameSync(tempPath, reportPath);
+
+  return reportPath;
 }

package/utils/fileScanner.js

@@ -0,0 +1,40 @@
+import fs from "fs";
+import path from "path";
+import { filterIgnoredFiles } from "./gitIgnore.js";
+import { getDefaultExcludes, isBinaryFile, listFilesRecursive } from "./files.js";
+
+function normalizeScopeFiles(files, gitRoot) {
+  return files
+    .map((filePath) => (path.isAbsolute(filePath) ? filePath : path.join(gitRoot, filePath)))
+    .filter((filePath) => {
+      try {
+        return fs.statSync(filePath).isFile();
+      } catch {
+        return false;
+      }
+    });
+}
+
+function isExcludedByDefault(filePath, gitRoot, excludes) {
+  const relative = path.relative(gitRoot, filePath);
+  const segments = relative.split(path.sep);
+  return segments.some((segment) => excludes.has(segment));
+}
+
+export function buildScanTargets({ gitRoot, scanMode, stagedFiles }) {
+  const excludes = getDefaultExcludes();
+
+  let scopeFiles = [];
+  if (scanMode === "staged") {
+    const normalized = normalizeScopeFiles(stagedFiles, gitRoot);
+    scopeFiles = normalized.filter((filePath) => !isExcludedByDefault(filePath, gitRoot, excludes));
+  } else {
+    scopeFiles = normalizeScopeFiles(listFilesRecursive(gitRoot, excludes), gitRoot);
+  }
+
+  // Respect .gitignore via `git check-ignore` so scans only touch tracked sources.
+  const notIgnored = filterIgnoredFiles({ gitRoot, filePaths: scopeFiles });
+
+  // Exclude binary files to avoid false positives and wasted I/O.
+  return notIgnored.filter((filePath) => !isBinaryFile(filePath));
+}

package/utils/gitIgnore.js

@@ -0,0 +1,55 @@
+import path from "path";
+import { spawnSync } from "child_process";
+
+function normalizePathForGit(filePath, gitRoot) {
+  const relative = path.isAbsolute(filePath)
+    ? path.relative(gitRoot, filePath)
+    : filePath;
+
+  if (!relative || relative.startsWith("..")) {
+    return null;
+  }
+
+  return relative.replace(/\\/g, "/");
+}
+
+export function filterIgnoredFiles({ gitRoot, filePaths }) {
+  if (!Array.isArray(filePaths) || filePaths.length === 0) {
+    return [];
+  }
+
+  const normalized = new Map();
+  for (const filePath of filePaths) {
+    const relative = normalizePathForGit(filePath, gitRoot);
+    if (relative) {
+      normalized.set(relative, filePath);
+    }
+  }
+
+  if (normalized.size === 0) {
+    return [];
+  }
+
+  // Use `git check-ignore` to respect .gitignore rules quickly and accurately.
+  const input = `${Array.from(normalized.keys()).join("\u0000")}\u0000`;
+  const result = spawnSync("git", ["check-ignore", "--stdin", "-z"], {
+    cwd: gitRoot,
+    input,
+    encoding: "utf8"
+  });
+
+  if (result.error || (result.status && result.status > 1)) {
+    return Array.from(normalized.values());
+  }
+
+  const ignored = new Set(
+    String(result.stdout)
+      .split("\u0000")
+      .map((entry) => entry.trim())
+      .filter(Boolean)
+  );
+
+  return Array.from(normalized.entries())
+    .filter(([relative]) => !ignored.has(relative))
+    .map(([, original]) => original);
+}