configorama 0.11.0 → 1.0.0

package/src/resolvers/valueFromGit.js

@@ -114,6 +114,32 @@ const GIT_KEYS = {
 }
 
 function createResolver(cwd) {
+  let gitRepo
+  const gitResultCache = new Map()
+
+  function isCurrentGitRepo() {
+    if (typeof gitRepo === 'undefined') {
+      gitRepo = isGitRepo(cwd)
+    }
+    return gitRepo
+  }
+
+  function cachedSafeGit(key, cmdFn) {
+    if (!gitResultCache.has(key)) {
+      gitResultCache.set(key, _safeGit(cmdFn))
+    }
+    return gitResultCache.get(key)
+  }
+
+  function gitExec(args) {
+    const key = `git:${JSON.stringify(args)}`
+    return cachedSafeGit(key, () => _execFile('git', args))
+  }
+
+  function gitRemote(name = 'origin') {
+    return cachedSafeGit(`remote:${name}`, () => getGitRemote(name))
+  }
+
   async function _getValueFromGit(variableString) {
     const variable = variableString.split(`${GIT_PREFIX}:`)[1]
     let value = null
@@ -123,14 +149,14 @@ function createResolver(cwd) {
     // undefined. This lets fallbacks like `${git:branch, "main"}` work, and
     // when there's no fallback the outer resolver throws a clear "Unable to
     // resolve config variable" error pointing at the config path.
-    if (!isGitRepo(cwd)) {
+    if (!isCurrentGitRepo()) {
       return undefined
     }
 
     if (variable.match(/^remote/i)) {
       const hasParams = functionRegex.exec(variableString)
       const remoteName = (hasParams && hasParams[2]) ? formatFunctionArgs(hasParams[2]) : 'origin'
-      return _safeGit(() => getGitRemote(remoteName))
+      return gitRemote(remoteName)
     }
 
     const normalizedVar = (variable || '').toLowerCase()
@@ -152,7 +178,7 @@ function createResolver(cwd) {
       case 'repository':
       case 'reposlug':
       case 'repo-slug': {
-        const urla = await _safeGit(() => getGitRemote())
+        const urla = await gitRemote()
         if (!urla) return undefined
         const parseda = GitUrlParse(urla)
         value = parseda.full_name
@@ -162,7 +188,7 @@ function createResolver(cwd) {
       case GIT_KEYS.name:
       case 'reponame': // repoName
       case 'repo-name': {
-        const toplevel = await _safeGit(() => _execFile('git', ['rev-parse', '--show-toplevel']))
+        const toplevel = await gitExec(['rev-parse', '--show-toplevel'])
         if (!toplevel) return undefined
         value = path.basename(toplevel)
         break
@@ -173,7 +199,7 @@ function createResolver(cwd) {
       case 'organization':
       case 'repoowner': // repoOwner
       case 'repo-owner': {
-        const url = await _safeGit(() => getGitRemote())
+        const url = await gitRemote()
         if (!url) return undefined
         const parsed = GitUrlParse(url)
         value = parsed.organization || parsed.owner
@@ -185,12 +211,12 @@ function createResolver(cwd) {
       case 'dirpath': // dirPath
       case 'dir-path':
       case 'dir_path': {
-        const gitBasePath = await _safeGit(() => _execFile('git', ['rev-parse', '--show-toplevel']))
+        const gitBasePath = await gitExec(['rev-parse', '--show-toplevel'])
         if (!gitBasePath) return undefined
         if (cwd) {
           const subPath = cwd.replace(gitBasePath, '')
-          const branch = await _safeGit(() => _execFile('git', ['rev-parse', '--abbrev-ref', 'HEAD']))
-          const url = await _safeGit(() => getGitRemote())
+          const branch = await gitExec(['rev-parse', '--abbrev-ref', 'HEAD'])
+          const url = await gitRemote()
           if (!url) return undefined
           value = (subPath && branch) ? `${url}/tree/${branch}${subPath}` : url
         }
@@ -200,12 +226,12 @@ function createResolver(cwd) {
       case GIT_KEYS.url:
       case 'repourl': // repoUrl
       case 'repo-url':
-        value = await _safeGit(() => getGitRemote())
+        value = await gitRemote()
         break
       // Current commit sha
       case 'sha':
       case 'sha1':
-        value = await _safeGit(() => _execFile('git', ['rev-parse', '--short', 'HEAD']))
+        value = await gitExec(['rev-parse', '--short', 'HEAD'])
         break
       // Current commit full sha
       case GIT_KEYS.commit:
@@ -213,7 +239,7 @@ function createResolver(cwd) {
       case 'commit-sha':
       case 'commithash':
       case 'commit-hash':
-        value = await _safeGit(() => _execFile('git', ['rev-parse', 'HEAD']))
+        value = await gitExec(['rev-parse', 'HEAD'])
         break
       // Branches
       case GIT_KEYS.branch:
@@ -221,7 +247,7 @@ function createResolver(cwd) {
       case 'branch-name':
       case 'currentbranch': // currentBranch
       case 'current-branch':
-        value = await _safeGit(() => _execFile('git', ['rev-parse', '--abbrev-ref', 'HEAD']))
+        value = await gitExec(['rev-parse', '--abbrev-ref', 'HEAD'])
         break
       // Commit msg
       case GIT_KEYS.message:
@@ -230,26 +256,26 @@ function createResolver(cwd) {
       case 'commit-message':
       case 'commitmsg': // commitMsg
       case 'commit-msg':
-        value = await _safeGit(() => _execFile('git', ['log', '-1', '--pretty=%B']))
+        value = await gitExec(['log', '-1', '--pretty=%B'])
         break
       // Git tags
       case GIT_KEYS.tag:
       case 'describe':
-        value = await _safeGit(() => _execFile('git', ['describe', '--always']))
+        value = await gitExec(['describe', '--always'])
         break
       // Git tags
       case 'describeLight':
       case 'describelight':
       case 'describe-light':
-        value = await _safeGit(() => _execFile('git', ['describe', '--always', '--tags']))
+        value = await gitExec(['describe', '--always', '--tags'])
         break
       // Is branch dirty
       case 'isDirty':
       case 'isdirty':
       case 'is-dirty': {
-        const writeTree = await _safeGit(() => _execFile('git', ['write-tree']))
+        const writeTree = await gitExec(['write-tree'])
         if (!writeTree) return undefined
-        const changes = await _safeGit(() => _execFile('git', ['diff-index', writeTree.trim(), '--']))
+        const changes = await gitExec(['diff-index', writeTree.trim(), '--'])
         if (changes === undefined) return undefined
         value = `${changes.length > 0}`
         break

package/src/resolvers/valueFromOptions.js

@@ -1,6 +1,6 @@
 // Resolves values from CLI option flags
-// Matches ${opt:FLAG_NAME} syntax with optional fallback values
-const optRefSyntax = RegExp(/^opt:/g)
+// Matches ${opt:FLAG_NAME} and ${option:FLAG_NAME} syntax with optional fallback values
+const optRefSyntax = RegExp(/^(?:opt|option):/g)
 
 function getValueFromOptions(variableString, options) {
   const requestedOption = variableString.split(':')[1]
@@ -12,8 +12,9 @@ module.exports = {
   type: 'options',
   source: 'user',
   prefix: 'opt',
-  syntax: '${opt:flagName}',
-  description: 'Resolves CLI option flags. Examples: ${opt:stage}, ${opt:other, "fallbackValue"}',
+  prefixes: ['opt', 'option'],
+  syntax: '${option:flagName}',
+  description: 'Resolves CLI option flags. Examples: ${option:stage}, ${opt:stage}, ${option:other, "fallbackValue"}',
   match: optRefSyntax,
   resolver: getValueFromOptions
 }

package/src/utils/filters/filterArgs.js

@@ -0,0 +1,57 @@
+const MARKER = '__CONFIGORAMA_FILTER_ARG__'
+
+class ResolvedFilterArg {
+  constructor(value) {
+    this.value = value
+    this.__resolvedFilterArg = true
+  }
+
+  toString() {
+    return String(this.value)
+  }
+
+  valueOf() {
+    return this.value
+  }
+}
+
+function encodeBase64Url(value) {
+  return Buffer.from(value).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+}
+
+function decodeBase64Url(value) {
+  let base64 = value.replace(/-/g, '+').replace(/_/g, '/')
+  while (base64.length % 4) base64 += '='
+  return Buffer.from(base64, 'base64').toString('utf8')
+}
+
+function encodeFilterArg(value) {
+  return `${MARKER}:${encodeBase64Url(JSON.stringify(value))}`
+}
+
+function isEncodedFilterArg(value) {
+  return typeof value === 'string' && value.startsWith(`${MARKER}:`)
+}
+
+function decodeFilterArg(value) {
+  if (!isEncodedFilterArg(value)) return value
+  const encoded = value.slice(MARKER.length + 1)
+  return new ResolvedFilterArg(JSON.parse(decodeBase64Url(encoded)))
+}
+
+function isResolvedFilterArg(value) {
+  return Boolean(value && value.__resolvedFilterArg)
+}
+
+function unwrapFilterArg(value) {
+  return isResolvedFilterArg(value) ? value.value : value
+}
+
+module.exports = {
+  ResolvedFilterArg,
+  decodeFilterArg,
+  encodeFilterArg,
+  isEncodedFilterArg,
+  isResolvedFilterArg,
+  unwrapFilterArg,
+}

package/src/utils/filters/oneOf.js

@@ -0,0 +1,77 @@
+const { splitCsv } = require('../strings/splitCsv')
+const { trimSurroundingQuotes } = require('../strings/quoteUtils')
+const { isResolvedFilterArg, unwrapFilterArg } = require('./filterArgs')
+
+function isRuntimeContextArg(value) {
+  return typeof value === 'string' && value.startsWith('from ')
+}
+
+function stripRuntimeContext(args) {
+  if (!args.length) return args
+  const last = args[args.length - 1]
+  return isRuntimeContextArg(last) ? args.slice(0, -1) : args
+}
+
+function hasDynamicArgument(value) {
+  return typeof value === 'string' && value.includes('${')
+}
+
+function parseOneOfLiteral(rawValue) {
+  const trimmed = String(rawValue).trim()
+  const unquoted = trimSurroundingQuotes(trimmed, false)
+  if (unquoted !== trimmed) return unquoted
+  if (/^-?(?:\d+|\d*\.\d+)(?:e[+-]?\d+)?$/i.test(trimmed)) return Number(trimmed)
+  return trimmed
+}
+
+function parseOneOfFilter(filter) {
+  if (typeof filter !== 'string') return null
+  const match = filter.match(/^oneOf\(([\s\S]*)\)$/)
+  if (!match) return null
+
+  const args = splitCsv(match[1], ',', { protectVariables: true })
+    .filter(arg => arg !== '')
+
+  if (args.some(hasDynamicArgument)) {
+    return {
+      dynamic: true,
+      allowedValues: null,
+    }
+  }
+
+  return {
+    dynamic: false,
+    allowedValues: args.map(arg => String(parseOneOfLiteral(arg))),
+  }
+}
+
+function validateOneOf(value, ...rawArgs) {
+  const args = stripRuntimeContext(rawArgs)
+  if (!args.length) {
+    throw new Error('Configorama Error: oneOf() requires at least one allowed value')
+  }
+  if (args.some(hasDynamicArgument)) {
+    throw new Error('Configorama Error: oneOf(${...}) dynamic arguments are not supported yet')
+  }
+
+  const hasResolvedFilterArg = args.some(isResolvedFilterArg)
+  const unwrappedArgs = args.map(unwrapFilterArg)
+  if (hasResolvedFilterArg) {
+    if (unwrappedArgs.length !== 1 || !Array.isArray(unwrappedArgs[0])) {
+      throw new Error('Configorama Error: oneOf(${...}) must resolve to an array')
+    }
+  }
+
+  const allowed = hasResolvedFilterArg ? unwrappedArgs[0] : unwrappedArgs
+  const allowedValues = allowed.map(String)
+  if (!allowedValues.some(allowed => allowed === String(value))) {
+    throw new Error(`Configorama Error: Value "${value}" is not oneOf(${allowedValues.join(', ')})`)
+  }
+  return value
+}
+
+module.exports = {
+  parseOneOfFilter,
+  parseOneOfLiteral,
+  validateOneOf,
+}

package/src/utils/introspection/audit.js

@@ -0,0 +1,78 @@
+const { severityForRisk } = require('./model')
+
+function sortFindings(a, b) {
+  const severityOrder = { high: 0, medium: 1, low: 2, info: 3 }
+  const severityDiff = (severityOrder[a.severity] ?? 99) - (severityOrder[b.severity] ?? 99)
+  if (severityDiff !== 0) return severityDiff
+  return String(a.id).localeCompare(String(b.id))
+}
+
+function buildAuditReport(introspection, options = {}) {
+  const findings = []
+
+  for (const node of introspection.nodes || []) {
+    if (!node.risk || node.risk === 'none') continue
+    findings.push({
+      id: node.id,
+      severity: node.severity || severityForRisk(node.risk),
+      risk: node.risk,
+      kind: node.kind,
+      variable: node.variable,
+      path: node.path,
+      relativePath: node.relativePath,
+      configPaths: node.paths || [],
+      message: messageForNode(node),
+    })
+  }
+
+  if (options.dotenv === true) {
+    findings.push({
+      id: 'dotenv:useDotenv',
+      severity: 'high',
+      risk: 'environment_mutation',
+      kind: 'source',
+      message: 'Configuration requests dotenv loading, which mutates process.env.',
+    })
+  }
+
+  if (options.customResolvers && options.customResolvers.length) {
+    for (const resolver of options.customResolvers.slice().sort()) {
+      findings.push({
+        id: `customResolver:${resolver}`,
+        severity: 'high',
+        risk: 'custom_extension',
+        kind: 'source',
+        variableType: resolver,
+        message: `Custom resolver "${resolver}" can execute user-provided code.`,
+      })
+    }
+  }
+
+  findings.sort(sortFindings)
+
+  return {
+    schemaVersion: 1,
+    safeMode: options.safeMode === true,
+    findings,
+    diagnostics: introspection.diagnostics || [],
+    summary: {
+      high: findings.filter(finding => finding.severity === 'high').length,
+      medium: findings.filter(finding => finding.severity === 'medium').length,
+      low: findings.filter(finding => finding.severity === 'low').length,
+      info: findings.filter(finding => finding.severity === 'info').length,
+      total: findings.length,
+    }
+  }
+}
+
+function messageForNode(node) {
+  if (node.risk === 'executable_code') return 'Reference may execute JavaScript or TypeScript.'
+  if (node.risk === 'process_spawn') return 'Reference may spawn a git process.'
+  if (node.risk === 'local_file_read') return 'Reference reads a local file.'
+  if (node.risk === 'data_flow_expression') return 'Expression can read resolved config values but is not JavaScript execution.'
+  return `Risk surface: ${node.risk}`
+}
+
+module.exports = {
+  buildAuditReport,
+}

package/src/utils/introspection/graph.js

@@ -0,0 +1,43 @@
+function quote(value) {
+  return JSON.stringify(String(value))
+}
+
+function toMermaid(graph) {
+  const lines = ['graph TD']
+  for (const node of graph.nodes) {
+    lines.push(`  ${sanitizeId(node.id)}[${quote(node.label || node.variable || node.relativePath || node.id).slice(1, -1)}]`)
+  }
+  for (const edge of graph.edges) {
+    lines.push(`  ${sanitizeId(edge.from)} -->|${edge.kind}| ${sanitizeId(edge.to)}`)
+  }
+  return lines.join('\n') + '\n'
+}
+
+function sanitizeId(value) {
+  return String(value).replace(/[^A-Za-z0-9_]/g, '_')
+}
+
+function toDot(graph) {
+  const lines = ['digraph configorama {']
+  for (const node of graph.nodes) {
+    lines.push(`  ${quote(node.id)} [label=${quote(node.label || node.variable || node.relativePath || node.id)}];`)
+  }
+  for (const edge of graph.edges) {
+    lines.push(`  ${quote(edge.from)} -> ${quote(edge.to)} [label=${quote(edge.kind)}];`)
+  }
+  lines.push('}')
+  return lines.join('\n') + '\n'
+}
+
+function formatGraph(graph, format = 'json') {
+  const normalized = String(format || 'json').toLowerCase()
+  if (normalized === 'mermaid' || normalized === 'mmd') return toMermaid(graph)
+  if (normalized === 'dot' || normalized === 'graphviz') return toDot(graph)
+  return JSON.stringify(graph, null, 2)
+}
+
+module.exports = {
+  formatGraph,
+  toDot,
+  toMermaid,
+}

package/src/utils/introspection/model.js

@@ -0,0 +1,150 @@
+const path = require('path')
+const { EXECUTABLE_EXTENSIONS } = require('../security/safetyPolicy')
+const { redactRequirementValue } = require('../redaction/redact')
+
+const SCHEMA_VERSION = 1
+
+function sortBy(keys) {
+  return (a, b) => {
+    for (const key of keys) {
+      const av = a[key] === undefined || a[key] === null ? '' : String(a[key])
+      const bv = b[key] === undefined || b[key] === null ? '' : String(b[key])
+      if (av < bv) return -1
+      if (av > bv) return 1
+    }
+    return 0
+  }
+}
+
+function normalizeVariableType(type) {
+  if (type === 'options' || type === 'opt') return 'option'
+  if (type === 'dot.prop') return 'dotProp'
+  if (type === 'if') return 'eval'
+  return type || 'unknown'
+}
+
+function riskForVariable(variableType, variable) {
+  const type = normalizeVariableType(variableType)
+  if (type === 'eval') return 'data_flow_expression'
+  if (type === 'git') return 'process_spawn'
+  if (type === 'file' || type === 'text') {
+    const match = String(variable || '').match(/^(?:file|text)\((.+?)\)/)
+    const ext = match ? path.extname(match[1]).toLowerCase() : ''
+    return EXECUTABLE_EXTENSIONS.has(ext) ? 'executable_code' : 'local_file_read'
+  }
+  return 'none'
+}
+
+function severityForRisk(risk) {
+  if (risk === 'executable_code' || risk === 'custom_extension' || risk === 'environment_mutation') return 'high'
+  if (risk === 'process_spawn') return 'medium'
+  if (risk === 'local_file_read' || risk === 'data_flow_expression') return 'low'
+  return 'info'
+}
+
+function buildIntrospection(enrichedMetadata = {}, options = {}) {
+  const uniqueVariables = enrichedMetadata.uniqueVariables || {}
+  const requirements = options.requirements || []
+  const requirementsByVariable = new Map(requirements.map(req => [req.variable, req]))
+  const nodes = []
+  const edges = []
+  const diagnostics = []
+
+  for (const [key, entry] of Object.entries(uniqueVariables).sort(([a], [b]) => a.localeCompare(b))) {
+    const variable = entry.variable || key
+    const variableType = normalizeVariableType(entry.variableType)
+    const requirement = requirementsByVariable.get(variable)
+    const risk = riskForVariable(variableType, variable)
+    const node = {
+      id: `variable:${variable}`,
+      kind: variableType === 'file' || variableType === 'text'
+        ? 'file'
+        : (risk === 'executable_code' ? 'executable' : 'variable'),
+      variable,
+      variableType,
+      sourceClass: entry.variableSourceType || entry.sourceClass || requirement?.sourceClass || null,
+      risk,
+      severity: severityForRisk(risk),
+      paths: [...new Set((entry.occurrences || []).map(occ => occ.path).filter(Boolean))].sort(),
+      sensitive: requirement ? requirement.sensitive === true : false,
+    }
+    if (requirement) {
+      node.required = requirement.required
+      node.default = redactRequirementValue(requirement, requirement.default)
+      node.description = requirement.description
+    }
+    nodes.push(node)
+
+    for (const configPath of node.paths) {
+      edges.push({
+        from: `configPath:${configPath}`,
+        to: node.id,
+        kind: 'uses',
+      })
+    }
+
+    for (const inner of entry.innerVariables || []) {
+      edges.push({
+        from: node.id,
+        to: `variable:${inner.variable}`,
+        kind: 'depends_on',
+      })
+    }
+
+    if ((variableType === 'file' || variableType === 'text') && String(variable).includes('${')) {
+      diagnostics.push({
+        code: 'dynamic_file_target',
+        severity: 'info',
+        variable,
+        message: 'File target contains variables; static introspection records a partial edge.',
+      })
+    }
+  }
+
+  const fileDeps = enrichedMetadata.fileDependencies || {}
+  for (const dep of fileDeps.byConfigPath || []) {
+    const id = `file:${dep.relativePath || dep.filePath}`
+    if (!nodes.some(node => node.id === id)) {
+      nodes.push({
+        id,
+        kind: EXECUTABLE_EXTENSIONS.has(path.extname(dep.relativePath || dep.filePath || '').toLowerCase()) ? 'executable' : 'file',
+        path: dep.filePath,
+        relativePath: dep.relativePath,
+        exists: dep.exists,
+        risk: EXECUTABLE_EXTENSIONS.has(path.extname(dep.relativePath || dep.filePath || '').toLowerCase()) ? 'executable_code' : 'local_file_read',
+        severity: EXECUTABLE_EXTENSIONS.has(path.extname(dep.relativePath || dep.filePath || '').toLowerCase()) ? 'high' : 'low',
+      })
+    }
+    if (dep.location) {
+      edges.push({
+        from: `configPath:${dep.location}`,
+        to: id,
+        kind: 'reads',
+      })
+    }
+  }
+
+  nodes.sort(sortBy(['kind', 'id']))
+  edges.sort(sortBy(['from', 'kind', 'to']))
+  diagnostics.sort(sortBy(['code', 'variable']))
+
+  return {
+    schemaVersion: SCHEMA_VERSION,
+    nodes,
+    edges,
+    diagnostics,
+    summary: {
+      nodes: nodes.length,
+      edges: edges.length,
+      diagnostics: diagnostics.length,
+    }
+  }
+}
+
+module.exports = {
+  SCHEMA_VERSION,
+  buildIntrospection,
+  normalizeVariableType,
+  riskForVariable,
+  severityForRisk,
+}

package/src/utils/introspection/model.test.js

@@ -0,0 +1,93 @@
+const { test } = require('uvu')
+const assert = require('uvu/assert')
+const { buildIntrospection, riskForVariable } = require('./model')
+const { buildAuditReport } = require('./audit')
+const { formatGraph } = require('./graph')
+
+test('riskForVariable classifies eval as data-flow and js file refs as executable', () => {
+  assert.is(riskForVariable('eval', 'eval(1 + 1)'), 'data_flow_expression')
+  assert.is(riskForVariable('if', 'if(true)'), 'data_flow_expression')
+  assert.is(riskForVariable('file', 'file(./config.js)'), 'executable_code')
+  assert.is(riskForVariable('file', 'file(./config.yml)'), 'local_file_read')
+})
+
+test('buildIntrospection creates deterministic nodes edges and dynamic diagnostics', () => {
+  const graph = buildIntrospection({
+    uniqueVariables: {
+      'file(./${opt:stage}.yml)': {
+        variable: 'file(./${opt:stage}.yml)',
+        variableType: 'file',
+        variableSourceType: 'config',
+        occurrences: [{ path: 'database' }],
+        innerVariables: [{ variable: 'opt:stage', variableType: 'options' }]
+      },
+      'opt:stage': {
+        variable: 'opt:stage',
+        variableType: 'options',
+        variableSourceType: 'user',
+        occurrences: [{ path: 'stage' }]
+      }
+    },
+    fileDependencies: {
+      byConfigPath: []
+    }
+  }, {
+    requirements: [{ variable: 'opt:stage', sensitive: false, required: true, default: null }]
+  })
+
+  assert.is(graph.schemaVersion, 1)
+  assert.ok(graph.nodes.some(node => node.id === 'variable:file(./${opt:stage}.yml)'))
+  assert.ok(graph.edges.some(edge => edge.kind === 'depends_on'))
+  assert.is(graph.diagnostics[0].code, 'dynamic_file_target')
+})
+
+test('buildIntrospection redacts sensitive requirement defaults', () => {
+  const graph = buildIntrospection({
+    uniqueVariables: {
+      'env:API_KEY': {
+        variable: 'env:API_KEY',
+        variableType: 'env',
+        variableSourceType: 'user',
+        occurrences: [{ path: 'apiKey' }]
+      }
+    },
+    fileDependencies: { byConfigPath: [] }
+  }, {
+    requirements: [{
+      variable: 'env:API_KEY',
+      sensitive: true,
+      required: false,
+      default: 'secret-value',
+      description: 'API key'
+    }]
+  })
+
+  const node = graph.nodes.find(item => item.variable === 'env:API_KEY')
+  assert.is(node.sensitive, true)
+  assert.is(node.default, '********')
+})
+
+test('audit report sorts executable findings before lower severity surfaces', () => {
+  const report = buildAuditReport({
+    nodes: [
+      { id: 'variable:eval(1)', risk: 'data_flow_expression', severity: 'low', kind: 'variable' },
+      { id: 'variable:file(./x.js)', risk: 'executable_code', severity: 'high', kind: 'executable' }
+    ],
+    diagnostics: []
+  })
+
+  assert.is(report.summary.total, 2)
+  assert.is(report.findings[0].severity, 'high')
+})
+
+test('formatGraph emits mermaid and dot formats', () => {
+  const graph = {
+    nodes: [{ id: 'configPath:stage', label: 'stage' }, { id: 'variable:opt:stage', variable: 'opt:stage' }],
+    edges: [{ from: 'configPath:stage', to: 'variable:opt:stage', kind: 'uses' }]
+  }
+
+  assert.match(formatGraph(graph, 'mermaid'), /graph TD/)
+  assert.match(formatGraph(graph, 'dot'), /digraph configorama/)
+})
+
+test.run()