coverme-security-scanner 3.4.0 → 3.7.0

package/bin/merge-reports.js

@@ -0,0 +1,231 @@
+#!/usr/bin/env node
+
+/**
+ * Merge multiple partial security reports into a single comprehensive report
+ * Usage: coverme-merge .coverme/partial-*.json -o scan.json
+ */
+
+import { readFileSync, writeFileSync, readdirSync } from 'fs';
+import { join, dirname } from 'path';
+
+function mergeReports(inputDir, outputFile) {
+  const files = readdirSync(inputDir).filter(f => f.startsWith('partial-') && f.endsWith('.json'));
+
+  if (files.length === 0) {
+    console.error('No partial-*.json files found in', inputDir);
+    process.exit(1);
+  }
+
+  console.log(`Merging ${files.length} partial reports...`);
+
+  // Initialize merged report
+  const merged = {
+    project: '',
+    date: new Date().toISOString().split('T')[0],
+    branch: '',
+    scope: '',
+    methodology: '7 parallel security agents with attack chain analysis',
+    summary: { critical: 0, high: 0, medium: 0, low: 0, total: 0 },
+    overallRiskLevel: 'low',
+    executiveSummary: '',
+    topPriorities: [],
+    attackChains: [],
+    riskMatrix: [],
+    architecture: { overview: '', components: [], trustBoundaries: [] },
+    network: { diagram: '', ports: [], externalDeps: [] },
+    findings: [],
+    threatModel: [],
+    positiveObservations: [],
+    complianceMapping: [],
+    remediation: { p0: [], p1: [], p2: [], p3: [] },
+    qualityReview: { deadCode: [], dryViolations: [], deprecated: [] },
+    resolvedIssues: [],
+    privacyAnalysis: []
+  };
+
+  // Process each partial file
+  for (const file of files) {
+    const filePath = join(inputDir, file);
+    console.log(`  Processing: ${file}`);
+
+    try {
+      const partial = JSON.parse(readFileSync(filePath, 'utf-8'));
+
+      // Merge simple fields (take first non-empty value)
+      if (partial.project && !merged.project) merged.project = partial.project;
+      if (partial.date) merged.date = partial.date;
+      if (partial.branch && !merged.branch) merged.branch = partial.branch;
+      if (partial.scope && !merged.scope) merged.scope = partial.scope;
+      if (partial.executiveSummary && !merged.executiveSummary) {
+        merged.executiveSummary = partial.executiveSummary;
+      }
+
+      // Merge arrays (deduplicate by id where applicable)
+      if (partial.findings) {
+        for (const f of partial.findings) {
+          if (!merged.findings.find(x => x.id === f.id)) {
+            merged.findings.push(f);
+          }
+        }
+      }
+
+      if (partial.attackChains) {
+        for (const ac of partial.attackChains) {
+          if (!merged.attackChains.find(x => x.id === ac.id)) {
+            merged.attackChains.push(ac);
+          }
+        }
+      }
+
+      if (partial.topPriorities) {
+        merged.topPriorities.push(...partial.topPriorities);
+      }
+
+      if (partial.riskMatrix) {
+        for (const rm of partial.riskMatrix) {
+          if (!merged.riskMatrix.find(x => x.category === rm.category)) {
+            merged.riskMatrix.push(rm);
+          }
+        }
+      }
+
+      if (partial.architecture) {
+        if (partial.architecture.overview && !merged.architecture.overview) {
+          merged.architecture.overview = partial.architecture.overview;
+        }
+        if (partial.architecture.components) {
+          merged.architecture.components.push(...partial.architecture.components);
+        }
+        if (partial.architecture.trustBoundaries) {
+          merged.architecture.trustBoundaries.push(...partial.architecture.trustBoundaries);
+        }
+      }
+
+      if (partial.network) {
+        if (partial.network.diagram && !merged.network.diagram) {
+          merged.network.diagram = partial.network.diagram;
+        }
+        if (partial.network.ports) {
+          for (const p of partial.network.ports) {
+            if (!merged.network.ports.find(x => x.port === p.port)) {
+              merged.network.ports.push(p);
+            }
+          }
+        }
+        if (partial.network.externalDeps) {
+          merged.network.externalDeps.push(...partial.network.externalDeps);
+        }
+      }
+
+      if (partial.threatModel) {
+        for (const tm of partial.threatModel) {
+          if (!merged.threatModel.find(x => x.id === tm.id)) {
+            merged.threatModel.push(tm);
+          }
+        }
+      }
+
+      if (partial.positiveObservations) {
+        merged.positiveObservations.push(...partial.positiveObservations);
+      }
+
+      if (partial.complianceMapping) {
+        for (const cm of partial.complianceMapping) {
+          const existing = merged.complianceMapping.find(x => x.framework === cm.framework);
+          if (existing) {
+            existing.controls.push(...cm.controls);
+          } else {
+            merged.complianceMapping.push(cm);
+          }
+        }
+      }
+
+      if (partial.remediation) {
+        if (partial.remediation.p0) merged.remediation.p0.push(...partial.remediation.p0);
+        if (partial.remediation.p1) merged.remediation.p1.push(...partial.remediation.p1);
+        if (partial.remediation.p2) merged.remediation.p2.push(...partial.remediation.p2);
+        if (partial.remediation.p3) merged.remediation.p3.push(...partial.remediation.p3);
+      }
+
+      if (partial.qualityReview) {
+        if (partial.qualityReview.deadCode) {
+          merged.qualityReview.deadCode.push(...partial.qualityReview.deadCode);
+        }
+        if (partial.qualityReview.dryViolations) {
+          merged.qualityReview.dryViolations.push(...partial.qualityReview.dryViolations);
+        }
+        if (partial.qualityReview.deprecated) {
+          merged.qualityReview.deprecated.push(...partial.qualityReview.deprecated);
+        }
+      }
+
+      if (partial.resolvedIssues) {
+        merged.resolvedIssues.push(...partial.resolvedIssues);
+      }
+
+      if (partial.privacyAnalysis) {
+        merged.privacyAnalysis.push(...partial.privacyAnalysis);
+      }
+
+    } catch (e) {
+      console.error(`  Error parsing ${file}:`, e.message);
+    }
+  }
+
+  // Calculate summary counts
+  merged.summary.critical = merged.findings.filter(f => f.severity === 'critical').length;
+  merged.summary.high = merged.findings.filter(f => f.severity === 'high').length;
+  merged.summary.medium = merged.findings.filter(f => f.severity === 'medium').length;
+  merged.summary.low = merged.findings.filter(f => f.severity === 'low').length;
+  merged.summary.total = merged.findings.length;
+
+  // Determine overall risk level
+  if (merged.summary.critical > 0) {
+    merged.overallRiskLevel = 'critical';
+  } else if (merged.summary.high > 2) {
+    merged.overallRiskLevel = 'high';
+  } else if (merged.summary.high > 0 || merged.summary.medium > 3) {
+    merged.overallRiskLevel = 'medium';
+  } else {
+    merged.overallRiskLevel = 'low';
+  }
+
+  // Deduplicate top priorities (keep first 5)
+  const seenPriorities = new Set();
+  merged.topPriorities = merged.topPriorities.filter(p => {
+    if (seenPriorities.has(p.finding)) return false;
+    seenPriorities.add(p.finding);
+    return true;
+  }).slice(0, 5);
+
+  // Remove empty arrays
+  if (merged.qualityReview.deadCode.length === 0 &&
+      merged.qualityReview.dryViolations.length === 0 &&
+      merged.qualityReview.deprecated.length === 0) {
+    delete merged.qualityReview;
+  }
+  if (merged.resolvedIssues.length === 0) delete merged.resolvedIssues;
+  if (merged.privacyAnalysis.length === 0) delete merged.privacyAnalysis;
+
+  // Write merged report
+  writeFileSync(outputFile, JSON.stringify(merged, null, 2));
+  console.log(`\nMerged report written to: ${outputFile}`);
+  console.log(`  Total findings: ${merged.summary.total}`);
+  console.log(`  Critical: ${merged.summary.critical}, High: ${merged.summary.high}, Medium: ${merged.summary.medium}, Low: ${merged.summary.low}`);
+  console.log(`  Attack chains: ${merged.attackChains.length}`);
+  console.log(`  Overall risk: ${merged.overallRiskLevel.toUpperCase()}`);
+}
+
+// CLI
+const args = process.argv.slice(2);
+if (args.length < 1) {
+  console.log('Usage: coverme-merge <input-dir> [output-file]');
+  console.log('  input-dir: Directory containing partial-*.json files');
+  console.log('  output-file: Output file (default: scan.json)');
+  process.exit(1);
+}
+
+const inputDir = args[0];
+const outputFile = args[1] || 'scan.json';
+
+mergeReports(inputDir, outputFile);

package/commands/coverme.md

@@ -1,4 +1,4 @@
-# Security Assessment Generator v2
+# Security Assessment Generator v3
 
 Run a comprehensive security assessment on this codebase and generate a professional PDF report with deep analysis.
 
@@ -6,23 +6,31 @@ Run a comprehensive security assessment on this codebase and generate a professi
 
 You are a senior security architect and penetration tester performing a pre-production security audit. Run 7 parallel security agents to analyze this codebase comprehensively.
 
+### Step 0: Setup (Run First!)
+
+Before starting the scan, create the output directory:
+
+```bash
+mkdir -p .coverme
+```
+
 ### Step 1: Launch Parallel Agents
 
-Launch these 7 agents simultaneously using the Task tool:
+Launch these 7 agents simultaneously using the Task tool. **IMPORTANT: Each agent must write its own partial JSON file immediately when done.**
 
 1. **Executive Summary Agent** (subagent_type: Explore)
    - Understand what the system does
    - Identify the tech stack and architecture
    - Map trust boundaries and critical assets
    - Determine overall risk level
-   - Identify the crown jewels (most valuable assets)
+   - **When done: Write findings to `.coverme/partial-01-executive.json`**
 
 2. **Attack Surface Agent** (subagent_type: Explore)
    - Map all entry points (APIs, webhooks, file uploads, CLI args)
    - Identify unauthenticated endpoints
    - Find admin/debug interfaces
-   - Check for exposed internal services
    - Document external dependencies and their trust level
+   - **When done: Write findings to `.coverme/partial-02-attack-surface.json`**
 
 3. **Vulnerability Hunter Agent** (subagent_type: Explore)
    - OWASP Top 10 deep dive with CODE EVIDENCE
@@ -30,121 +38,37 @@ Launch these 7 agents simultaneously using the Task tool:
    - Authentication/authorization bypass paths
    - Injection vulnerabilities (SQL, command, XSS, SSTI)
    - Secrets in code, hardcoded credentials (show exact lines)
-   - Insecure deserialization, SSRF, XXE
-   - Rate limiting gaps, brute force opportunities
+   - **When done: Write findings to `.coverme/partial-03-vulnerabilities.json`**
 
 4. **Attack Chain Analyst Agent** (subagent_type: Explore)
    - Identify how vulnerabilities COMBINE for greater impact
    - Map realistic attack scenarios (entry -> pivot -> objective)
    - Calculate blast radius for each chain
-   - Example: "Unauthenticated API + hardcoded secret = full DB access"
-   - Prioritize chains by likelihood and impact
+   - **When done: Write findings to `.coverme/partial-04-attack-chains.json`**
 
 5. **Business Logic Agent** (subagent_type: Explore)
    - Race conditions in critical flows (payments, credits, locks)
    - Workflow bypass opportunities (skip steps, replay)
    - Credit/billing manipulation vectors
-   - Data validation gaps at business boundaries
-   - PII handling and data residency violations
    - Privilege escalation paths
+   - **When done: Write findings to `.coverme/partial-05-business-logic.json`**
 
 6. **Infrastructure Agent** (subagent_type: Explore)
    - Docker/Kubernetes security (securityContext, network policies)
    - CI/CD pipeline security gates (or lack thereof)
    - Secrets management (env vars, mounted secrets, hardcoded)
-   - Cloud configuration (IAM, S3 buckets, security groups)
-   - Database security (encryption, access controls)
    - Dependency vulnerabilities (npm audit, CVEs)
+   - **When done: Write findings to `.coverme/partial-06-infrastructure.json`**
 
 7. **Compliance & Impact Agent** (subagent_type: Explore)
-   - Map findings to compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA)
+   - Map findings to compliance frameworks (SOC2, PCI-DSS, GDPR)
    - Calculate business impact for each critical finding
    - Estimate financial exposure ranges
-   - Identify SLA/availability risks
-   - Determine data breach notification requirements
-
-### Step 2: Deep Dive on Findings
-
-For EVERY critical and high finding, ensure you have:
-
-1. **Code Evidence** - The EXACT vulnerable code snippet:
-   ```
-   "codeEvidence": [{
-     "file": "src/auth/login.js",
-     "startLine": 45,
-     "endLine": 52,
-     "code": "const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);",
-     "annotation": "User input directly interpolated into SQL query"
-   }]
-   ```
-
-2. **Exploitability Assessment**:
-   ```
-   "exploitability": {
-     "skillLevel": "novice",           // novice/intermediate/expert
-     "accessRequired": "network",       // network/adjacent/local/physical
-     "authRequired": "none",            // none/low/high
-     "userInteraction": "none",         // none/required
-     "hasPublicExploit": true,          // Known PoC exists?
-     "exploitMaturity": "weaponized",   // theoretical/poc/weaponized
-     "automatable": true                // Can be mass-exploited?
-   }
-   ```
-
-3. **Blast Radius**:
-   ```
-   "blastRadius": {
-     "affectedUsers": "all",            // none/single/subset/all
-     "affectedData": ["PII", "credentials", "financial"],
-     "affectedServices": ["auth", "payments"],
-     "cascadeRisk": true,               // Leads to further compromise?
-     "containment": "system"            // isolated/component/system/infrastructure
-   }
-   ```
-
-4. **Business Impact**:
-   ```
-   "businessImpact": {
-     "confidentiality": "high",
-     "integrity": "high",
-     "availability": "low",
-     "financialExposure": "$100k-$1M potential fraud",
-     "complianceViolations": ["PCI-DSS 6.5.1", "SOC2 CC6.1"],
-     "reputationalRisk": "high",
-     "slaImpact": "99.9% SLA at risk"
-   }
-   ```
-
-5. **Proof of Concept** (safe, non-destructive):
-   ```
-   "proofOfConcept": "curl -X POST /api/admin/users -H 'X-Admin: true' -d '{\"role\":\"admin\"}'"
-   ```
-
-### Step 3: Build Attack Chains
-
-Identify 2-5 realistic attack chains that combine multiple vulnerabilities:
-
-```json
-"attackChains": [
-  {
-    "id": "AC-01",
-    "name": "Credential Theft to Full Infrastructure Compromise",
-    "description": "Attacker chains unauthenticated endpoint access with hardcoded secrets to gain full system control",
-    "likelihood": "high",
-    "impact": "critical",
-    "steps": [
-      { "order": 1, "findingId": "HIGH-02", "action": "Access unauthenticated /enclave/register endpoint", "outcome": "Register malicious enclave with attacker-controlled keys" },
-      { "order": 2, "findingId": "HIGH-01", "action": "Use leaked tracker API key from Helm values", "outcome": "Gain access to usage analytics and user activity" },
-      { "order": 3, "findingId": "CRIT-01", "action": "Pivot using AWS credentials from .env", "outcome": "Full AWS account access, S3 data exfiltration" }
-    ],
-    "mitigationStrategy": "Breaking any link stops the chain. Priority: rotate AWS credentials immediately."
-  }
-]
-```
+   - **When done: Write findings to `.coverme/partial-07-compliance.json`**
 
-### Step 4: Compile Results
+### Agent Output Format
 
-After all agents complete, compile their findings into a JSON file with this enhanced schema:
+Each agent should write a partial JSON with this structure (include only relevant fields):
 
 ```json
 {
@@ -152,40 +76,10 @@ After all agents complete, compile their findings into a JSON file with this enh
   "date": "YYYY-MM-DD",
   "branch": "branch-name",
   "scope": "X files, ~Y lines",
-  "methodology": "7 parallel security agents with attack chain analysis",
-
-  "summary": {
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "total": 0
-  },
-
-  "overallRiskLevel": "critical|high|medium|low",
-  "executiveSummary": "2-3 paragraphs: what the system does, key findings, recommended actions...",
+  "executiveSummary": "Summary paragraph...",
 
   "topPriorities": [
-    { "finding": "Description", "severity": "critical", "action": "Immediate action required" }
-  ],
-
-  "attackChains": [
-    {
-      "id": "AC-01",
-      "name": "Chain name",
-      "description": "How vulnerabilities combine",
-      "likelihood": "high",
-      "impact": "critical",
-      "steps": [
-        { "order": 1, "findingId": "CRIT-01", "action": "What attacker does", "outcome": "What they achieve" }
-      ],
-      "mitigationStrategy": "How to break the chain"
-    }
-  ],
-
-  "riskMatrix": [
-    { "category": "Authentication", "currentRisk": "high", "residualRisk": "low", "trend": "stable" },
-    { "category": "Data Protection", "currentRisk": "medium", "residualRisk": "low", "trend": "improving" }
+    { "finding": "Description", "severity": "critical", "action": "Action needed" }
   ],
 
   "architecture": {
@@ -194,7 +88,7 @@ After all agents complete, compile their findings into a JSON file with this enh
       { "name": "Component", "technology": "Tech", "description": "Purpose" }
     ],
     "trustBoundaries": [
-      { "id": "TB-01", "boundary": "Internet/DMZ", "trustLevel": "untrusted", "description": "Public API surface" }
+      { "id": "TB-01", "boundary": "Name", "trustLevel": "untrusted", "description": "..." }
     ]
   },
 
@@ -202,9 +96,6 @@ After all agents complete, compile their findings into a JSON file with this enh
     "diagram": "ASCII diagram...",
     "ports": [
       { "port": 443, "protocol": "HTTPS", "component": "API", "binding": "0.0.0.0", "purpose": "Public API" }
-    ],
-    "externalDeps": [
-      { "service": "Stripe", "endpoint": "api.stripe.com", "auth": "API key", "risk": "PCI scope" }
     ]
   },
 
@@ -221,58 +112,40 @@ After all agents complete, compile their findings into a JSON file with this enh
       "status": "open",
       "dreadScore": 8.5,
       "cwe": "CWE-89",
-      "cvssScore": 9.1,
-      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
-      "codeEvidence": [
-        {
-          "file": "src/db/query.js",
-          "startLine": 45,
-          "endLine": 48,
-          "code": "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
-          "annotation": "Unsanitized user input in SQL query"
-        }
-      ],
-      "exploitability": {
-        "skillLevel": "novice",
-        "accessRequired": "network",
-        "authRequired": "none",
-        "userInteraction": "none",
-        "hasPublicExploit": true,
-        "exploitMaturity": "weaponized",
-        "automatable": true
-      },
-      "blastRadius": {
-        "affectedUsers": "all",
-        "affectedData": ["PII", "credentials"],
-        "affectedServices": ["database", "auth"],
-        "cascadeRisk": true,
-        "containment": "system"
-      },
-      "businessImpact": {
-        "confidentiality": "high",
-        "integrity": "high",
-        "availability": "none",
-        "financialExposure": "$500k-$5M breach costs",
-        "complianceViolations": ["GDPR Art 32", "SOC2 CC6.1"],
-        "reputationalRisk": "high"
-      },
-      "proofOfConcept": "curl '/api/users/1 OR 1=1--'",
-      "relatedFindings": ["HIGH-02", "HIGH-03"],
-      "attackChainPosition": "entry",
-      "references": ["https://owasp.org/Top10/A03_2021-Injection/"]
+      "codeEvidence": [{
+        "file": "src/file.js",
+        "startLine": 45,
+        "endLine": 50,
+        "code": "vulnerable code here",
+        "annotation": "Explanation"
+      }],
+      "proofOfConcept": "curl command or steps",
+      "relatedFindings": ["HIGH-02"]
     }
   ],
 
-  "threatModel": [
+  "attackChains": [
     {
-      "id": "T-01",
-      "severity": "high",
-      "dread": 6.5,
-      "status": "open",
-      "finding": "STRIDE threat description"
+      "id": "AC-01",
+      "name": "Chain name",
+      "description": "How vulnerabilities combine",
+      "likelihood": "high",
+      "impact": "critical",
+      "steps": [
+        { "order": 1, "findingId": "CRIT-01", "action": "What attacker does", "outcome": "Result" }
+      ],
+      "mitigationStrategy": "How to break the chain"
     }
   ],
 
+  "riskMatrix": [
+    { "category": "Authentication", "currentRisk": "high", "residualRisk": "low", "trend": "stable" }
+  ],
+
+  "threatModel": [
+    { "id": "T-01", "severity": "high", "dread": 6.5, "status": "open", "finding": "Description" }
+  ],
+
   "positiveObservations": [
     { "title": "Good Practice", "description": "What they did right..." }
   ],
@@ -288,43 +161,63 @@ After all agents complete, compile their findings into a JSON file with this enh
 
   "remediation": {
     "p0": [{ "action": "Do this NOW", "finding": "CRIT-01", "owner": "Security" }],
-    "p1": [{ "action": "Do this week", "finding": "HIGH-01", "owner": "Backend" }],
-    "p2": [],
-    "p3": []
-  }
+    "p1": [{ "action": "Do this week", "finding": "HIGH-01", "owner": "Backend" }]
+  },
+
+  "qualityReview": {
+    "deadCode": [{ "type": "dead-code", "action": "DELETE", "file": "path", "description": "..." }],
+    "dryViolations": [{ "type": "dry-violation", "action": "MERGE", "file": "path", "description": "..." }]
+  },
+
+  "privacyAnalysis": [
+    { "category": "Linkability", "risk": "medium", "description": "...", "mitigation": "..." }
+  ]
 }
 ```
 
-### Step 5: Generate PDF
+### Step 2: Wait for All Agents and Verify
+
+After launching all agents, wait for them to complete. Then verify all partial files exist:
+
+```bash
+ls -la .coverme/partial-*.json
+```
+
+You should see 7 files (partial-01 through partial-07).
+
+### Step 3: Merge and Generate PDF
 
-Save the JSON to `.coverme/scan.json` in the project root, then generate the PDF:
+Once all 7 partial files are written, merge them and generate the PDF:
 
 ```bash
-coverme .coverme/scan.json security-assessment-$(date +%Y-%m-%d).pdf && open security-assessment-$(date +%Y-%m-%d).pdf
+coverme-merge .coverme && coverme .coverme/scan.json security-assessment-$(date +%Y-%m-%d).pdf && open security-assessment-$(date +%Y-%m-%d).pdf
 ```
 
-**IMPORTANT:** You MUST run this command to generate and open the PDF. Do not skip this step.
+This command:
+1. Merges all partial-*.json files into scan.json
+2. Generates the PDF report
+3. Opens it automatically
 
 ### Quality Checklist
 
 Before generating the PDF, verify:
+- [ ] All 7 partial JSON files exist in .coverme/
 - [ ] Every CRITICAL/HIGH finding has codeEvidence with actual code
-- [ ] Every CRITICAL/HIGH finding has exploitability assessment
-- [ ] Every CRITICAL/HIGH finding has blastRadius defined
 - [ ] At least 2 attack chains are documented
-- [ ] Top priorities match the most impactful attack chains
-- [ ] Proof of concepts are safe and non-destructive
 - [ ] CWE IDs are accurate for vulnerability types
-- [ ] Compliance violations are specific (e.g., "PCI-DSS 6.5.1" not just "PCI-DSS")
 
 ### Output
 
-The final deliverable is:
-1. `.coverme/scan.json` - Enhanced findings data with attack chains
-2. `security-assessment-YYYY-MM-DD.pdf` - Professional PDF report (auto-opened)
+The final deliverables are:
+1. `.coverme/partial-*.json` - Individual agent reports
+2. `.coverme/scan.json` - Merged comprehensive report
+3. `security-assessment-YYYY-MM-DD.pdf` - Professional PDF report
 
 ---
 
-Now begin the security assessment. Launch all 7 agents in parallel.
+Now begin the security assessment:
 
-**CRITICAL REMINDER:** After completing the scan and saving scan.json, you MUST run the PDF generation command in Step 5. The assessment is NOT complete until the PDF is generated and opened.
+1. Run `mkdir -p .coverme`
+2. Launch all 7 agents in parallel
+3. Each agent writes its own partial JSON when done
+4. After all complete, run the merge and PDF generation command

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "coverme-security-scanner",
-  "version": "3.4.0",
+  "version": "3.7.0",
   "description": "AI-powered security assessment reports with beautiful PDF output",
   "type": "module",
   "bin": {
     "coverme": "./bin/coverme.js",
+    "coverme-merge": "./bin/merge-reports.js",
     "coverme-install": "./bin/install-command.js"
   },
   "main": "./dist/index.js",