coverme-scanner 1.0.25 → 1.1.0

package/.claude/commands/coverme.md

@@ -1,6 +1,6 @@
 # CoverMe - Ultimate AI Security Scanner
 
-The most comprehensive AI-powered code scanner. 10 specialized agents + 3 validators + deep analysis.
+The most comprehensive AI-powered code scanner. 15 specialized agents + 3 validators + deep analysis.
 
 $ARGUMENTS
 
@@ -10,7 +10,7 @@ $ARGUMENTS
 2. **DO NOT STOP FOR CONFIRMATION** - Just keep going through all phases
 3. **DO NOT ASK ABOUT FILE CHANGES** - Automatically update/overwrite scan.json
 4. **DO NOT ASK TO OPEN REPORT** - Just open it automatically at the end
-5. **COMPLETE EVERYTHING IN ONE GO** - All 5 phases without interruption
+5. **COMPLETE EVERYTHING IN ONE GO** - All 6 phases without interruption
 6. **RUN AGENTS IN BACKGROUND** - Use `run_in_background: true` for all Task tool calls
 7. **RUN BASH IN BACKGROUND** - Use `run_in_background: true` for long Bash commands
 
@@ -18,9 +18,27 @@ Execute ALL phases automatically. Do NOT stop until the HTML report is open.
 
 ---
 
-## Phase 0: Load Custom Agents (if exists)
+## Phase 0: Project Discovery & Load Custom Agents
 
-**FIRST**, check if `.coverme/agents.json` exists:
+### Step 1: Understand the Project
+Before scanning, understand what you're scanning. Run these commands:
+```bash
+# Get project info
+cat package.json 2>/dev/null | head -20
+cat README.md 2>/dev/null | head -50
+ls -la
+```
+
+Create a mental model of:
+- **Project type**: Backend API, Frontend SPA, Full-stack, CLI tool, Library, etc.
+- **Tech stack**: Node.js, Python, React, Next.js, etc.
+- **Main purpose**: What does this project do? (1-2 sentences)
+- **Architecture**: Monolith, microservices, serverless, etc.
+
+This context will be included in the final report.
+
+### Step 2: Load Custom Agents (if exists)
+Check if `.coverme/agents.json` exists:
 ```bash
 cat .coverme/agents.json 2>/dev/null || echo "NO_CUSTOM_AGENTS"
 ```

package/dist/prompts/orchestration.md

@@ -2,7 +2,39 @@
 
 **Ultrathink** - Analyze deeply, consider edge cases, trace data flows completely.
 
-Execute this 10-agent security scan with cross-validation.
+Execute this 15-agent security scan with cross-validation.
+
+---
+
+## PHASE 0: PROJECT DISCOVERY
+
+Before scanning, understand what you're scanning:
+
+```bash
+cat package.json 2>/dev/null | head -30
+cat README.md 2>/dev/null | head -100
+ls -la
+ls src/ 2>/dev/null || ls app/ 2>/dev/null || ls lib/ 2>/dev/null
+```
+
+Create a **Project Overview** to include in the report:
+
+```json
+{
+  "projectOverview": {
+    "name": "project-name",
+    "type": "Backend API | Frontend SPA | Full-stack | CLI | Library | Microservice",
+    "stack": ["Node.js", "TypeScript", "React", "PostgreSQL", "Redis"],
+    "purpose": "1-2 sentence description of what this project does",
+    "architecture": "Monolith | Microservices | Serverless | Hybrid",
+    "keyComponents": ["auth service", "payment processing", "AI chat", "etc"]
+  }
+}
+```
+
+This context helps readers understand the security findings in context.
+
+---
 
 ## CRITICAL OUTPUT FORMAT
 
@@ -23,7 +55,9 @@ Every finding MUST include ALL these fields for the report to work:
   "recommendation": "Exact steps to fix this issue with code example if applicable",
   "cwe": "CWE-XXX (if applicable)",
   "confidence": 85,
-  "dpiead": {
+  "fixOwner": "developer|devops|architect",
+  "fixType": "code|config|infrastructure|design",
+  "dread": {
     "damage": 8,
     "reproducibility": 9,
     "exploitability": 7,
@@ -34,6 +68,19 @@ Every finding MUST include ALL these fields for the report to work:
 }
 ```
 
+### fixOwner & fixType Guidelines
+
+**fixOwner** - Who should fix this:
+- `developer` - Code change required (validation, sanitization, logic fix)
+- `devops` - Infrastructure/config change (NetworkPolicy, firewall, K8s config, CI/CD)
+- `architect` - Design decision needed (authentication strategy, data flow, service boundaries)
+
+**fixType** - What kind of fix:
+- `code` - Change application code
+- `config` - Change configuration files (env, yaml, json)
+- `infrastructure` - Change deployment/infra (K8s, Docker, cloud)
+- `design` - Requires architectural redesign
+
 ## DREAD SCORING (for HIGH and CRITICAL findings)
 
 Calculate DREAD score (1-10 for each, average for final score):
@@ -444,9 +491,226 @@ For EACH finding, output the FULL JSON format.
 
 ---
 
+### AGENT 11: Network & Architecture Scanner (ID prefix: ARCH)
+
+Scan {{PROJECT_PATH}} for network architecture and service boundary issues.
+
+**CRITICAL DISTINCTION - Code vs Infrastructure fixes:**
+
+For EACH finding, determine:
+- Is this fixable by changing CODE? → fixOwner: "developer"
+- Is this fixable by NetworkPolicy/firewall/K8s config? → fixOwner: "devops"
+- Does this need architecture redesign? → fixOwner: "architect"
+
+CHECK FOR:
+
+**SERVICE BOUNDARIES:**
+- Internal endpoints exposed externally (should be internal-only)
+- Missing network segmentation between services
+- Service-to-service communication without mTLS
+- Internal IPs hardcoded instead of service discovery
+- Admin/debug ports accessible from outside
+
+**TRUST BOUNDARIES:**
+- Which endpoints are meant to be internal-only?
+- Are internal endpoints protected by network policy OR code auth?
+- Document the INTENDED architecture, not just what's missing
+
+**KUBERNETES/INFRASTRUCTURE:**
+- Missing NetworkPolicies for namespace isolation
+- Services using ClusterIP that should be internal
+- LoadBalancer exposing internal services
+- Missing Ingress rules for path-based routing
+- Pod-to-pod communication without restrictions
+
+**FOR EACH FINDING, specify:**
+```json
+{
+  "fixOwner": "devops",
+  "fixType": "infrastructure",
+  "recommendation": "Add NetworkPolicy to restrict /api/v1/internal/* to enclave namespace only",
+  "notCodeFix": true
+}
+```
+
+If you find an endpoint that lacks authentication but is INTENDED to be protected by network policy:
+- Mark as fixOwner: "devops", NOT "developer"
+- Recommendation should be NetworkPolicy, NOT code auth
+- Add note: "Protected by network segmentation - verify NetworkPolicy exists"
+
+For EACH finding, output the FULL JSON format.
+
+---
+
+### AGENT 12: Design Decision Detector (ID prefix: DESIGN)
+
+Scan {{PROJECT_PATH}} for intentional design decisions that might look like bugs.
+
+**GOAL: Prevent false positives by identifying documented/intentional patterns**
+
+CHECK FOR:
+
+**DOCUMENTED DECISIONS:**
+- Comments explaining WHY something is done a certain way
+- README/docs explaining architecture choices
+- ADR (Architecture Decision Records) files
+- SECURITY.md or similar documentation
+
+**INTENTIONAL PATTERNS:**
+- Content filtering disabled with comment "for transparency"
+- Auth bypassed for specific endpoints with documentation
+- Longer session timeouts with business justification
+- Relaxed validation with explicit reason
+
+**CODE PATTERNS THAT ARE NOT BUGS:**
+- `// Intentional: ....` or `// Design decision: ...`
+- `// SECURITY: This is safe because...`
+- `// TODO: This is acceptable for now because...`
+- Feature flags controlling security features with documentation
+
+**FOR EACH PATTERN FOUND, output:**
+```json
+{
+  "id": "DESIGN-001",
+  "type": "documented_decision",
+  "title": "Content filtering disabled",
+  "file": "src/ai/chat.ts",
+  "line": 45,
+  "reason": "Documented in code comment: 'Disabled for transparency, users see raw AI output'",
+  "relatedFindings": ["AI-001"],
+  "recommendation": "Not a bug - document in security overview as accepted risk"
+}
+```
+
+These findings will be EXCLUDED from the main report and moved to "Design Decisions" section.
+
+---
+
+### AGENT 13: Context-Aware Validator (ID prefix: CTX)
+
+Scan {{PROJECT_PATH}} to understand the CONTEXT of each potential finding.
+
+**GOAL: Reduce false positives by understanding deployment context**
+
+FOR EACH FINDING FROM OTHER AGENTS, determine:
+
+**DEPLOYMENT CONTEXT:**
+- Is this code running in a container with network isolation?
+- Is this behind an API gateway that handles auth?
+- Is this internal-only service behind VPN?
+- Is there a WAF/CDN in front that mitigates this?
+
+**RUNTIME CONTEXT:**
+- Is this code path actually reachable in production?
+- Is this only used in development/testing?
+- Is this dead code or deprecated?
+- Is this protected by feature flag that's disabled?
+
+**DATA FLOW CONTEXT:**
+- Is the input already validated upstream?
+- Is the output sanitized downstream?
+- Is there middleware that applies to this route?
+
+**OUTPUT:**
+```json
+{
+  "findingId": "SEC-001",
+  "contextAnalysis": {
+    "deploymentContext": "Runs in K8s with NetworkPolicy restricting access",
+    "runtimeContext": "Only reachable from internal services",
+    "dataFlowContext": "Input validated by Zod at API gateway level",
+    "verdict": "false_positive|confirmed|needs_review",
+    "reason": "Protected by network policy - not externally accessible"
+  }
+}
+```
+
+---
+
+### AGENT 14: Enclave & Trusted Compute Scanner (ID prefix: ENC)
+
+Scan {{PROJECT_PATH}} for enclave/TEE/trusted compute specific patterns.
+
+**APPLIES TO:** Projects using enclaves, TEE, SGX, Nitro Enclaves, confidential computing.
+
+CHECK FOR:
+
+**ENCLAVE REGISTRATION:**
+- Enclave-to-backend registration without attestation
+- IP-based trust without cryptographic verification
+- Missing remote attestation flow
+- Enclave secrets transmitted without encryption
+
+**TRUST MODEL:**
+- What is the trust boundary between enclave and host?
+- Is the communication channel authenticated?
+- Are enclave outputs verified?
+
+**SPECIFIC PATTERNS:**
+- /register endpoints for enclave → backend (common pattern)
+- Heartbeat/health endpoints from enclave
+- Configuration push to enclave
+
+**FOR ENCLAVE ENDPOINTS, determine:**
+- Is this MEANT to be protected by network only? → Note in finding
+- Is attestation planned but not implemented? → Check TODOs/roadmap
+- Is this MVP/temporary solution? → Check for documentation
+
+Output findings with proper fixOwner:
+- Network protection needed → fixOwner: "devops"
+- Attestation needed → fixOwner: "architect" (design change)
+- Code validation needed → fixOwner: "developer"
+
+---
+
+### AGENT 15: Executive Summary Generator (ID prefix: EXEC)
+
+After all other agents complete, generate an executive summary.
+
+**OUTPUT FORMAT:**
+```json
+{
+  "executiveSummary": {
+    "headline": "3 Critical + 5 High findings require immediate attention",
+    "riskLevel": "HIGH",
+    "topRisks": [
+      "SQL injection in user search allows database access",
+      "Missing rate limiting enables brute force attacks",
+      "Admin API exposed without IP restriction"
+    ],
+    "positives": [
+      "Authentication flow is well-implemented",
+      "Input validation using Zod on most endpoints",
+      "Good use of parameterized queries in core modules"
+    ],
+    "recommendedActions": [
+      {
+        "priority": 1,
+        "action": "Fix SQL injection in src/search.ts",
+        "owner": "developer",
+        "effort": "1-2 hours"
+      },
+      {
+        "priority": 2,
+        "action": "Add NetworkPolicy for admin endpoints",
+        "owner": "devops",
+        "effort": "30 minutes"
+      }
+    ],
+    "byOwner": {
+      "developer": 5,
+      "devops": 3,
+      "architect": 1
+    }
+  }
+}
+```
+
+---
+
 ## PHASE 2: DUPLICATE & EXISTING SOLUTIONS CHECK
 
-### AGENT 11: Duplicate & Existing Solutions Scanner (ID prefix: DUP)
+### AGENT 16: Duplicate & Existing Solutions Scanner (ID prefix: DUP)
 
 CRITICAL: Before recommending ANY fix, check if a solution ALREADY EXISTS in the codebase.
 
@@ -665,6 +929,42 @@ The final report should ONLY contain findings that are:
 {
   "projectName": "project-name",
   "scanDate": "{{SCAN_DATE}}",
+
+  "projectOverview": {
+    "name": "project-name",
+    "type": "Backend API | Full-stack | etc",
+    "stack": ["Node.js", "TypeScript", "React", "PostgreSQL"],
+    "purpose": "Brief description of what this project does",
+    "architecture": "Monolith | Microservices | Serverless",
+    "keyComponents": ["auth service", "payment processing", "AI chat"]
+  },
+
+  "executiveSummary": {
+    "headline": "3 Critical + 5 High findings require immediate attention",
+    "riskLevel": "CRITICAL | HIGH | MEDIUM | LOW",
+    "topRisks": [
+      "SQL injection in user search allows database access",
+      "Missing rate limiting enables brute force attacks"
+    ],
+    "positives": [
+      "Authentication flow is well-implemented",
+      "Good use of parameterized queries"
+    ],
+    "recommendedActions": [
+      {
+        "priority": 1,
+        "action": "Fix SQL injection in src/search.ts",
+        "owner": "developer",
+        "effort": "1-2 hours"
+      }
+    ],
+    "byOwner": {
+      "developer": 5,
+      "devops": 3,
+      "architect": 1
+    }
+  },
+
   "summary": {
     "total": 10,
     "critical": 1,
@@ -675,9 +975,28 @@ The final report should ONLY contain findings that are:
     "mitigatedCount": 5,
     "falsePositiveCount": 3
   },
+
   "findings": [
-    "ONLY confirmed and partial findings - NOT mitigated or false positives!"
+    {
+      "id": "SEC-001",
+      "title": "Example finding",
+      "severity": "high",
+      "fixOwner": "developer",
+      "fixType": "code",
+      "...": "other fields"
+    }
+  ],
+
+  "designDecisions": [
+    {
+      "id": "DESIGN-001",
+      "title": "Content filtering disabled for transparency",
+      "file": "src/ai/chat.ts",
+      "reason": "Documented decision - users see raw AI output",
+      "acceptedRisk": "Users may see inappropriate content"
+    }
   ],
+
   "mitigatedFindings": [
     {
       "id": "SEC-005",
@@ -687,24 +1006,21 @@ The final report should ONLY contain findings that are:
       "mitigationType": "input_validation"
     }
   ],
+
   "falsePositives": [
     {
       "id": "BIZ-004",
       "title": "TOCTOU Race Condition",
       "reason": "Redis Lua script provides atomic operation - no race condition possible",
       "evidence": ["Lua script at src/services/rate-limit.js:95-113"]
-    },
-    {
-      "id": "AUTH-003",
-      "title": "PKCE Code Reuse",
-      "reason": "Intentional design decision documented in code comment",
-      "evidence": ["Comment: 'Allow reuse to prevent double-click race condition'"]
     }
   ],
+
   "positiveObservations": [
     "Good pattern 1",
     "Good pattern 2"
   ],
+
   "validationSummary": {
     "totalInitialFindings": 18,
     "mitigated": 5,
@@ -713,7 +1029,8 @@ The final report should ONLY contain findings that are:
     "partial": 2,
     "accuracy": "Only 56% of initial findings were actual issues"
   },
-  "agentsUsed": ["Security Core", "Auth & Session", "Mitigation Validator"],
+
+  "agentsUsed": ["Security Core", "Auth & Session", "Mitigation Validator", "Network & Architecture", "Design Decision Detector"],
   "scanDuration": 0
 }
 ```

package/dist/report/generator.d.ts

@@ -29,6 +29,33 @@ interface TypeGroup {
     lowCount: number;
     findings: ConsensusFinding[];
 }
+interface ProjectOverview {
+    name: string;
+    type: string;
+    stack: string[];
+    purpose: string;
+    architecture: string;
+    keyComponents: string[];
+    stackText?: string;
+    componentsText?: string;
+}
+interface ExecutiveSummaryData {
+    headline: string;
+    riskLevel: string;
+    topRisks: string[];
+    positives: string[];
+    recommendedActions?: Array<{
+        priority: number;
+        action: string;
+        owner: string;
+        effort?: string;
+    }>;
+    byOwner?: {
+        developer?: number;
+        devops?: number;
+        architect?: number;
+    };
+}
 interface ReportData {
     projectName: string;
     scanDate: string;
@@ -40,6 +67,8 @@ interface ReportData {
     lowCount: number;
     infoCount: number;
     executiveSummary: string;
+    projectOverview?: ProjectOverview;
+    executiveSummaryData?: ExecutiveSummaryData;
     criticalFindings: ConsensusFinding[];
     highFindings: ConsensusFinding[];
     mediumFindings: ConsensusFinding[];

package/dist/report/generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAY,MAAM,aAAa,CAAC;AAE1E,UAAU,SAAS;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,eAAe;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,GAAG,QAAQ,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;IACrC,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,cAAc,EAAE,gBAAgB,EAAE,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7F,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,CAAC,MAAM,GAAG;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,CAAC;IAC5E,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IAEnB,wBAAwB,EAAE,MAAM,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CACzB;AA2BD,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CA0BnF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAkBnE;AAsZD,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,MAAM,CAuB7E;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA+Ef;AAED,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA4Df"}
+{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAY,MAAM,aAAa,CAAC;AAE1E,UAAU,SAAS;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,eAAe;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,GAAG,QAAQ,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,gBAAgB,EAAE,CAAC;CAC9B;AAED,UAAU,eAAe;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,UAAU,oBAAoB;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,kBAAkB,CAAC,EAAE,KAAK,CAAC;QACzB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAED,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;IACrC,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,cAAc,EAAE,gBAAgB,EAAE,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,UAAU,EAAE,SAAS,EAAE,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7F,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,CAAC,MAAM,GAAG;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,CAAC;IAC5E,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IAEnB,wBAAwB,EAAE,MAAM,CAAC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CACzB;AA2BD,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CA0BnF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAkBnE;AA6bD,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,MAAM,CAuB7E;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CAiFf;AAED,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA8Df"}

package/dist/report/generator.js

@@ -119,6 +119,44 @@ function escapeHtml(text) {
         .replace(/"/g, '"')
         .replace(/'/g, ''');
 }
+function processProjectOverview(result) {
+    const overview = result.projectOverview;
+    if (!overview)
+        return undefined;
+    return {
+        ...overview,
+        stackText: Array.isArray(overview.stack) ? overview.stack.join(', ') : overview.stack || '',
+        componentsText: Array.isArray(overview.keyComponents) ? overview.keyComponents.join(', ') : overview.keyComponents || '',
+    };
+}
+function processExecutiveSummary(result) {
+    const execSummary = result.executiveSummary;
+    if (!execSummary || typeof execSummary === 'string')
+        return undefined;
+    // Count findings by fixOwner
+    const byOwner = {
+        developer: 0,
+        devops: 0,
+        architect: 0,
+    };
+    for (const finding of result.findings || []) {
+        const owner = finding.fixOwner || 'developer';
+        if (owner === 'developer')
+            byOwner.developer++;
+        else if (owner === 'devops')
+            byOwner.devops++;
+        else if (owner === 'architect')
+            byOwner.architect++;
+    }
+    return {
+        headline: execSummary.headline || `${result.summary?.critical || 0} Critical + ${result.summary?.high || 0} High findings`,
+        riskLevel: execSummary.riskLevel || (result.summary?.critical > 0 ? 'CRITICAL' : result.summary?.high > 0 ? 'HIGH' : 'MEDIUM'),
+        topRisks: execSummary.topRisks || [],
+        positives: execSummary.positives || [],
+        recommendedActions: execSummary.recommendedActions,
+        byOwner: execSummary.byOwner || byOwner,
+    };
+}
 function generateArchitectureOverviewHtml(result) {
     if (!result.architectureOverview)
         return '';
@@ -520,6 +558,8 @@ async function generatePdfReport(result, outputPath, falsePositives = []) {
         lowCount: counts.low,
         infoCount: counts.info,
         executiveSummary: generateExecutiveSummary(result),
+        projectOverview: processProjectOverview(result),
+        executiveSummaryData: processExecutiveSummary(result),
         criticalFindings,
         highFindings,
         mediumFindings,
@@ -589,6 +629,8 @@ async function generateHtmlReport(result, outputPath, falsePositives = []) {
         lowCount: counts.low,
         infoCount: counts.info,
         executiveSummary: generateExecutiveSummary(result),
+        projectOverview: processProjectOverview(result),
+        executiveSummaryData: processExecutiveSummary(result),
         criticalFindings,
         highFindings,
         mediumFindings,