coverme-security-scanner 3.0.0

package/.claude/commands/coverme.md

@@ -0,0 +1,349 @@
+# CoverMe Security Assessment v3
+
+You are a **senior security consultant** writing a Combined Assessment Report.
+
+**Ultrathink** - Read actual code, trace data flows, think like an attacker.
+
+---
+
+## OUTPUT QUALITY STANDARD
+
+Every finding MUST match this quality level. Study these examples carefully.
+
+### GOOD Finding Examples (from real enterprise reports):
+
+```json
+{
+  "id": "T-FE-1",
+  "title": "Attestation Fallback Accepts Unverified Enclave Keys",
+  "severity": "high",
+  "file": "frontend/lib/e2e-encryption.ts",
+  "line": "51-91",
+  "description": "When the attestation bundle endpoint is unavailable, fetchEnclaveInfo() falls back to the legacy /api/v1/enclave endpoint and stores keys with keysVerified: false. The browser silently proceeds to encrypt messages with public keys that have not been cryptographically bound to hardware attestation - enabling a man-in-the-middle attack by a compromised gateway. DREAD-D: 6.3.",
+  "recommendation": "Block the request or display a prominent security warning when attestation fails. Do not silently proceed with unverified keys."
+}
+```
+
+```json
+{
+  "id": "CR-03",
+  "title": "Unauthenticated Enclave Registration and Status Endpoints",
+  "severity": "high",
+  "file": "backend-eks/src/routes/v1/enclave.js",
+  "line": "379-558",
+  "description": "POST /api/v1/enclave/status and POST /api/v1/enclave/register have no application-level authentication. Any party that can reach these endpoints can register fake enclaves with poisoned public keys, send fake heartbeats to influence load balancing, or retrieve VM configuration. Network-level protection exists via ingress CIDR whitelisting in Helm values, but defense in depth requires application-level auth.",
+  "recommendation": "Add a shared secret or mTLS verification. Enclave VMs already have access to secrets via RABBITMQ_CREDENTIALS - use a similar pattern."
+}
+```
+
+```json
+{
+  "id": "CR-01",
+  "title": "Massive Metrics Code Duplication in Chat Handler",
+  "severity": "high",
+  "file": "backend-eks/src/routes/v1/chat.js",
+  "line": "604-691,793-868",
+  "description": "160 lines of Redis metrics tracking code is duplicated verbatim between the streaming path and the non-streaming path. Both blocks perform identical operations: per-hour/minute/second counters, HyperLogLog unique user tracking at multiple granularities, and monthly counts. Any change to the metrics schema requires updating both locations.",
+  "recommendation": "Extract to trackRedisMetrics(redis, models, userIdentifier) and call from both paths."
+}
+```
+
+### BAD Findings (DO NOT write like this):
+
+```json
+// BAD - Title too generic
+{ "title": "Missing input validation" }
+
+// BAD - Description has no specifics
+{ "description": "Input is not validated properly" }
+
+// BAD - Recommendation not actionable
+{ "recommendation": "Add validation" }
+
+// BAD - No DREAD score for HIGH severity
+{ "severity": "high", "description": "..." }  // Missing DREAD-D: X.X
+```
+
+### Quality Checklist (verify before saving):
+
+- [ ] Every HIGH/CRITICAL finding has DREAD-D score inline in description
+- [ ] Every title is specific to the code flow (not generic categories)
+- [ ] Description traces: function -> input -> vulnerability -> consequence
+- [ ] Recommendation names specific functions/patterns to implement
+- [ ] Line numbers are exact (use ranges like "51-91" when applicable)
+- [ ] Code snippets show the actual vulnerable code
+
+---
+
+## SCAN PROCESS
+
+### Phase 1: Discovery
+
+```bash
+mkdir -p .coverme
+
+# Project structure
+ls -la
+find . -maxdepth 2 -type d -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | head -40
+
+# Count files and lines
+find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.jsx" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | wc -l
+
+# Tech stack
+cat package.json 2>/dev/null | head -50
+```
+
+### Phase 2: Map Critical Assets
+
+```bash
+# Authentication & Authorization
+find . -type f \( -name "*auth*" -o -name "*session*" -o -name "*jwt*" -o -name "*login*" \) -not -path "*/node_modules/*" 2>/dev/null | head -15
+
+# API Routes
+find . -type f \( -name "*route*" -o -name "*controller*" -o -name "*api*" \) -not -path "*/node_modules/*" 2>/dev/null | head -15
+
+# Database
+find . -type f \( -name "*model*" -o -name "*repository*" -o -name "*db*" \) -not -path "*/node_modules/*" 2>/dev/null | head -15
+
+# Config & Secrets
+find . -type f \( -name "*.env*" -o -name "*secret*" -o -name "*config*" \) -not -path "*/node_modules/*" 2>/dev/null | head -15
+
+# Infrastructure
+find . -type f \( -name "Dockerfile*" -o -name "*.yaml" -o -name "*.yml" \) -not -path "*/node_modules/*" 2>/dev/null | head -15
+```
+
+### Phase 3: Deep Analysis
+
+**READ the critical files you found.** For each, check:
+
+**Security Issues:**
+- SQL/NoSQL Injection (string concatenation in queries)
+- Command Injection (user input in exec/spawn)
+- XSS (unescaped output, dangerouslySetInnerHTML)
+- SSRF (user-controlled URLs)
+- Path Traversal (../ in file operations)
+- Hardcoded Secrets (API keys, passwords in code)
+- Auth Bypass (missing checks, fail-open patterns)
+- Race Conditions (TOCTOU, non-atomic operations)
+
+**Quality Issues:**
+- Dead Code (unused functions, unreachable code)
+- Code Duplication (copy-pasted blocks)
+- High Complexity (functions > 100 lines)
+- Missing Error Handling
+
+### Phase 4: Check Previous Scan
+
+```bash
+cat .coverme/scan.json 2>/dev/null | head -50 || echo "NO_PREVIOUS_SCAN"
+```
+
+If previous scan exists, compare findings and note what was resolved.
+
+---
+
+## REQUIRED OUTPUT FORMAT
+
+Save this JSON to `.coverme/scan.json`:
+
+```json
+{
+  "projectName": "project-name",
+  "scanDate": "2026-02-18T12:00:00.000Z",
+  "branch": "main",
+  "filesScanned": 45,
+  "linesOfCode": 4850,
+  "projectTree": "project/\n├── src/\n│   ├── api/\n│   └── services/\n└── package.json",
+
+  "projectOverview": {
+    "name": "project-name",
+    "type": "Backend API",
+    "stack": ["Node.js", "TypeScript", "PostgreSQL"],
+    "purpose": "Brief description of what this project does",
+    "architecture": "Monolith",
+    "keyComponents": ["auth service", "api routes", "database"]
+  },
+
+  "executiveSummary": {
+    "headline": "0 Critical + 3 High findings - key gaps remain",
+    "riskLevel": "HIGH",
+    "overview": "Project-name is a [describe architecture]. No critical vulnerabilities found. The most significant remaining issues are: [specific issue 1], [specific issue 2], and [specific issue 3].",
+    "topRisks": [
+      "Specific risk with file reference and technical detail",
+      "Another specific risk with impact quantification"
+    ],
+    "positives": [
+      "Specific strength citing libraries/patterns/algorithms used"
+    ]
+  },
+
+  "findings": [
+    {
+      "id": "SEC-001",
+      "title": "Specific Descriptive Title for This Exact Vulnerability",
+      "severity": "high",
+      "category": "security",
+      "file": "src/routes/users.ts",
+      "line": "45-52",
+      "code": "const query = `SELECT * FROM users WHERE id = ${userId}`;",
+      "description": "The getUserById function at line 45 concatenates userId directly into SQL without parameterization. An attacker sending id=1 OR 1=1 can extract all user records. DREAD-D: 7.5.",
+      "recommendation": "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId])",
+      "cwe": "CWE-89",
+      "dread": {
+        "damage": 9,
+        "reproducibility": 9,
+        "exploitability": 8,
+        "affectedUsers": 8,
+        "discoverability": 6,
+        "total": 8.0
+      },
+      "confidence": 95,
+      "fixOwner": "developer"
+    }
+  ],
+
+  "threatModel": [
+    {
+      "id": "T-001",
+      "threat": "SQL Injection via user input",
+      "category": "STRIDE",
+      "strideType": "T",
+      "status": "open",
+      "relatedFindings": ["SEC-001"],
+      "mitigation": "Use parameterized queries",
+      "dreadScore": 8.0
+    }
+  ],
+
+  "qualityReview": {
+    "deleteItems": [
+      {
+        "type": "delete",
+        "file": "src/legacy/old-auth.ts",
+        "lines": 250,
+        "title": "Dead legacy auth module",
+        "description": "Entire file unused since migration to Clerk",
+        "reason": "No imports found in codebase",
+        "roi": "~250 lines"
+      }
+    ],
+    "mergeItems": [
+      {
+        "type": "merge",
+        "file": "src/utils/validate.ts + src/helpers/validation.ts",
+        "title": "Duplicate validation modules",
+        "description": "Two files with overlapping validation functions",
+        "reason": "DRY violation - consolidate",
+        "roi": "~120 lines"
+      }
+    ],
+    "simplifyItems": [],
+    "totalLinesRemovable": 370,
+    "percentageOfCodebase": 3.5
+  },
+
+  "positiveObservations": [
+    {
+      "title": "Strong Authentication Implementation",
+      "description": "Clerk integration with proper session management. All tokens kept server-side. httpOnly + secure cookies with SameSite=strict."
+    },
+    {
+      "title": "Comprehensive Input Validation",
+      "description": "Zod schemas used consistently across all API endpoints with proper error handling."
+    }
+  ],
+
+  "previouslyResolved": [],
+
+  "summary": {
+    "total": 5,
+    "critical": 0,
+    "high": 3,
+    "medium": 2,
+    "low": 0,
+    "info": 0
+  }
+}
+```
+
+---
+
+## DREAD SCORING (for HIGH and CRITICAL)
+
+Calculate and include in description as "DREAD-D: X.X":
+
+| Score | Meaning |
+|-------|---------|
+| **Damage** | 10 = full system compromise, 1 = minimal |
+| **Reproducibility** | 10 = always works, 1 = rare conditions |
+| **Exploitability** | 10 = script kiddie, 1 = expert required |
+| **Affected Users** | 10 = all users, 1 = single admin |
+| **Discoverability** | 10 = obvious, 1 = requires source code |
+
+Average = DREAD-D score. Include in description for HIGH/CRITICAL findings.
+
+---
+
+## ID PREFIXES
+
+Use component-based prefixes:
+- `SEC-` Security issues
+- `AUTH-` Authentication/authorization
+- `API-` API security
+- `DB-` Database issues
+- `INFRA-` Infrastructure
+- `QUAL-` Code quality
+- `PERF-` Performance
+
+For threat model: `T-` prefix with component (e.g., `T-FE-1`, `T-EKS-2`)
+
+---
+
+## AFTER SCAN
+
+1. Save JSON to `.coverme/scan.json`
+2. Generate PDF report:
+
+```bash
+npx coverme report .coverme/scan.json --format pdf
+```
+
+Or if coverme is installed globally:
+
+```bash
+coverme report .coverme/scan.json --format pdf
+```
+
+The PDF will be saved to `.coverme/assessment-report.pdf`
+
+---
+
+## EXECUTIVE SUMMARY WRITING GUIDE
+
+The overview field must read like a professional security consultant's opening paragraph:
+
+**Structure:**
+1. One sentence describing what the project IS (architecture, purpose)
+2. State overall security posture clearly
+3. List the most significant remaining issues
+
+**Example:**
+> "Express-AI Officely is a confidential AI platform built on a three-tier encrypted architecture: a Next.js frontend with BFF pattern, an Express.js API gateway on EKS, and backend enclaves running inside AMD SEV-SNP encrypted VMs. No critical vulnerabilities remain. The most significant remaining issues are: unauthenticated enclave registration endpoints (mitigated by network whitelisting), hardcoded secrets in Helm values, and zero test coverage across all components."
+
+---
+
+## POSITIVE OBSERVATIONS GUIDE
+
+Each observation must cite specific technical evidence:
+
+**BAD:** "Good authentication implementation"
+
+**GOOD:** "Zero-Knowledge Architecture - EKS gateway genuinely never sees plaintext. Encrypted payloads flow through without decryption. Well-enforced across all components."
+
+**GOOD:** "Atomic Credit Operations - Lua scripts for token burning and balance deduction prevent cross-pod race conditions. Check-and-deduct is atomic."
+
+---
+
+## START SCANNING
+
+Begin with Phase 1: Discovery. Read critical files. Find real issues with real specifics.

package/README.md

@@ -0,0 +1,97 @@
+# CoverMe Scanner v3
+
+AI-powered security assessment tool for Claude Code.
+
+## Overview
+
+CoverMe is a slash command for Claude Code that performs comprehensive security assessments and generates professional PDF reports. It uses Claude's intelligence to analyze code like a senior security consultant.
+
+## Installation
+
+```bash
+cd coverme-v3
+npm install
+npm run build
+npm link  # Makes 'coverme' command available globally
+```
+
+## Usage
+
+### 1. Run Security Scan (in Claude Code)
+
+Navigate to your project and run:
+```
+/coverme
+```
+
+Claude will:
+1. Discover and read relevant source files
+2. Analyze security patterns and vulnerabilities
+3. Generate a threat model (STRIDE + DREAD)
+4. Create quality recommendations
+5. Save results to `coverme-report.json`
+
+### 2. Generate PDF Report
+
+```bash
+coverme report coverme-report.json
+coverme report coverme-report.json --output my-report.pdf
+coverme report coverme-report.json --open  # Opens PDF after generation
+```
+
+### 3. Validate JSON
+
+```bash
+coverme validate coverme-report.json
+```
+
+## Output Format
+
+The scan produces a JSON file with:
+
+- **projectName**: Project identifier
+- **scanDate**: ISO timestamp
+- **executiveSummary**: Architecture overview and security posture
+- **findings**: Array of security findings with DREAD scores
+- **threatModel**: STRIDE-based threat analysis
+- **qualityReview**: Delete/Merge/Simplify recommendations
+- **positiveObservations**: Good security practices found
+- **previouslyResolved**: Fixed issues from prior scans
+
+## Finding Quality Standard
+
+Each finding includes:
+- **Severity**: critical / high / medium / low / info
+- **DPI Priority**: "Today" / "This Sprint" / "Next Sprint" / "Backlog"
+- **DREAD Score**: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
+- **Specific Location**: File path and line numbers
+- **Evidence**: Actual code snippets
+- **Remediation**: Concrete fix with code example
+
+## Project Structure
+
+```
+coverme-v3/
+├── .claude/
+│   └── commands/
+│       └── coverme.md          # The main prompt (~350 lines)
+├── src/
+│   ├── index.ts                # CLI entry (~120 lines)
+│   ├── types.ts                # Type definitions (~200 lines)
+│   └── pdf-generator.ts        # PDF generation (~700 lines)
+├── package.json
+├── tsconfig.json
+└── README.md
+```
+
+Total: ~1,350 lines (vs previous ~5,000 lines)
+
+## Requirements
+
+- Node.js 20+
+- Claude Code CLI
+- PDFKit (installed via npm)
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+/**
+ * CoverMe Scanner v3 - CLI Entry Point
+ * Simple CLI: coverme report <json-file>
+ */
+import { Command } from 'commander';
+import { readFileSync, existsSync } from 'fs';
+import { resolve, dirname, basename, extname } from 'path';
+import { PDFGenerator } from './pdf-generator.js';
+const program = new Command();
+program
+    .name('coverme')
+    .description('CoverMe Security Scanner v3 - Generate PDF reports from scan results')
+    .version('3.0.0');
+program
+    .command('report <json-file>')
+    .description('Generate a PDF report from a JSON scan result')
+    .option('-o, --output <path>', 'Output PDF path')
+    .option('--open', 'Open PDF after generation')
+    .action(async (jsonFile, options) => {
+    try {
+        const inputPath = resolve(jsonFile);
+        if (!existsSync(inputPath)) {
+            console.error(`Error: File not found: ${inputPath}`);
+            process.exit(1);
+        }
+        const rawData = readFileSync(inputPath, 'utf-8');
+        let data;
+        try {
+            data = JSON.parse(rawData);
+        }
+        catch {
+            console.error('Error: Invalid JSON file');
+            process.exit(1);
+        }
+        // Validate required fields
+        if (!data.projectName || !data.findings) {
+            console.error('Error: JSON must contain projectName and findings array');
+            process.exit(1);
+        }
+        // Determine output path
+        const outputPath = options.output
+            ? resolve(options.output)
+            : resolve(dirname(inputPath), `${basename(inputPath, extname(inputPath))}.pdf`);
+        console.log(`Generating PDF report for: ${data.projectName}`);
+        console.log(`Findings: ${data.findings.length}`);
+        const generator = new PDFGenerator();
+        await generator.generate(data, outputPath);
+        console.log(`Report saved to: ${outputPath}`);
+        // Open PDF if requested
+        if (options.open) {
+            const { exec } = await import('child_process');
+            const openCmd = process.platform === 'darwin' ? 'open' :
+                process.platform === 'win32' ? 'start' : 'xdg-open';
+            exec(`${openCmd} "${outputPath}"`);
+        }
+    }
+    catch (error) {
+        console.error('Error generating report:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+program
+    .command('validate <json-file>')
+    .description('Validate a JSON scan result without generating PDF')
+    .action((jsonFile) => {
+    try {
+        const inputPath = resolve(jsonFile);
+        if (!existsSync(inputPath)) {
+            console.error(`Error: File not found: ${inputPath}`);
+            process.exit(1);
+        }
+        const rawData = readFileSync(inputPath, 'utf-8');
+        const data = JSON.parse(rawData);
+        // Validation checks
+        const errors = [];
+        const warnings = [];
+        if (!data.projectName)
+            errors.push('Missing projectName');
+        if (!data.findings || !Array.isArray(data.findings))
+            errors.push('Missing or invalid findings array');
+        if (!data.executiveSummary)
+            warnings.push('Missing executiveSummary');
+        if (!data.threatModel)
+            warnings.push('Missing threatModel');
+        // Validate findings
+        if (data.findings) {
+            data.findings.forEach((f, i) => {
+                if (!f.title)
+                    errors.push(`Finding ${i + 1}: missing title`);
+                if (!f.severity)
+                    errors.push(`Finding ${i + 1}: missing severity`);
+                if (!f.description)
+                    warnings.push(`Finding ${i + 1}: missing description`);
+                if (!f.dpiPriority)
+                    warnings.push(`Finding ${i + 1}: missing dpiPriority`);
+            });
+        }
+        if (errors.length > 0) {
+            console.error('Validation FAILED:');
+            errors.forEach(e => console.error(`  - ${e}`));
+            if (warnings.length > 0) {
+                console.warn('Warnings:');
+                warnings.forEach(w => console.warn(`  - ${w}`));
+            }
+            process.exit(1);
+        }
+        console.log('Validation PASSED');
+        console.log(`  Project: ${data.projectName}`);
+        console.log(`  Findings: ${data.findings.length}`);
+        console.log(`  Threat Model: ${data.threatModel ? 'Yes' : 'No'}`);
+        console.log(`  Quality Review: ${data.qualityReview ? 'Yes' : 'No'}`);
+        if (warnings.length > 0) {
+            console.warn('Warnings:');
+            warnings.forEach(w => console.warn(`  - ${w}`));
+        }
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG;AACH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGlD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,sEAAsE,CAAC;KACnF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,oBAAoB,CAAC;KAC7B,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,qBAAqB,EAAE,iBAAiB,CAAC;KAChD,MAAM,CAAC,QAAQ,EAAE,2BAA2B,CAAC;KAC7C,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAA4C,EAAE,EAAE;IAC/E,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAEpC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CAAC,0BAA0B,SAAS,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,IAAgB,CAAC;QAErB,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,wBAAwB;QACxB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM;YAC/B,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;YACzB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC;QAElF,OAAO,CAAC,GAAG,CAAC,8BAA8B,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAEjD,MAAM,SAAS,GAAG,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAE3C,OAAO,CAAC,GAAG,CAAC,oBAAoB,UAAU,EAAE,CAAC,CAAC;QAE9C,wBAAwB;QACxB,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;YAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;gBACxC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;YACpE,IAAI,CAAC,GAAG,OAAO,KAAK,UAAU,GAAG,CAAC,CAAC;QACrC,CAAC;IAEH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC1F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,sBAAsB,CAAC;KAC/B,WAAW,CAAC,oDAAoD,CAAC;KACjE,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;IAC3B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAEpC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CAAC,0BAA0B,SAAS,EAAE,CAAC,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;QAE/C,oBAAoB;QACpB,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACtG,IAAI,CAAC,IAAI,CAAC,gBAAgB;YAAE,QAAQ,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAE5D,oBAAoB;QACpB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;gBAC7B,IAAI,CAAC,CAAC,CAAC,KAAK;oBAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAC7D,IAAI,CAAC,CAAC,CAAC,QAAQ;oBAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;gBACnE,IAAI,CAAC,CAAC,CAAC,WAAW;oBAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBAC3E,IAAI,CAAC,CAAC,CAAC,WAAW;oBAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YAC7E,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YACpC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;YAC/C,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC1B,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAEtE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC1B,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;IAEH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/pdf-generator.d.ts

@@ -0,0 +1,32 @@
+/**
+ * CoverMe Scanner v3 - PDF Generator
+ * Generates professional security assessment reports
+ */
+import type { ScanResult } from './types.js';
+export declare class PDFGenerator {
+    private doc;
+    private yPosition;
+    private pageHeight;
+    private pageWidth;
+    private margin;
+    constructor();
+    generate(result: ScanResult, outputPath: string): Promise<void>;
+    private renderCoverPage;
+    private renderCoverTable;
+    private renderSeverityBoxes;
+    private renderTableOfContents;
+    private renderExecutiveSummary;
+    private renderArchitectureOverview;
+    private renderFindingsSection;
+    private renderFinding;
+    private renderLowSeveritySection;
+    private renderThreatModel;
+    private renderQualityReview;
+    private renderQualityItem;
+    private renderPreviouslyResolved;
+    private renderPositiveObservations;
+    private renderSummaryPage;
+    private renderSectionHeader;
+    private addPage;
+}
+//# sourceMappingURL=pdf-generator.d.ts.map

package/dist/pdf-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pdf-generator.d.ts","sourceRoot":"","sources":["../src/pdf-generator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAyC,MAAM,YAAY,CAAC;AAEpF,qBAAa,YAAY;IACvB,OAAO,CAAC,GAAG,CAAqB;IAChC,OAAO,CAAC,SAAS,CAAK;IACtB,OAAO,CAAC,UAAU,CAAO;IACzB,OAAO,CAAC,SAAS,CAAU;IAC3B,OAAO,CAAC,MAAM,CAAM;;IASd,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoFrE,OAAO,CAAC,eAAe;IAmEvB,OAAO,CAAC,gBAAgB;IAuBxB,OAAO,CAAC,mBAAmB;IAqC3B,OAAO,CAAC,qBAAqB;IAyB7B,OAAO,CAAC,sBAAsB;IAoD9B,OAAO,CAAC,0BAA0B;IAwClC,OAAO,CAAC,qBAAqB;IAgB7B,OAAO,CAAC,aAAa;IAiErB,OAAO,CAAC,wBAAwB;IAiBhC,OAAO,CAAC,iBAAiB;IA8EzB,OAAO,CAAC,mBAAmB;IAuC3B,OAAO,CAAC,iBAAiB;IAqBzB,OAAO,CAAC,wBAAwB;IA2BhC,OAAO,CAAC,0BAA0B;IA4BlC,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,mBAAmB;IAK3B,OAAO,CAAC,OAAO;CAIhB"}