dependencyiq 2.0.0 → 2.2.0

package/src/fleetDashboardGenerator.js

@@ -1,199 +1,199 @@
-/**
- * Fleet Dashboard: the cross-project view GitHub's org-wide "Security
- * Overview" is the closest public precedent for — every project in a
- * GitLab group, in one page, sorted by real risk.
- *
- * Still a static page (GitLab Pages, no backend) — the data is a
- * build-time snapshot (fleetAggregator.js), not a live query. What's
- * genuinely new compared to the per-project dashboard is real client-side
- * interactivity over that snapshot: sortable columns and a search box,
- * implemented as a small inline <script> with no external library, so
- * the "nothing to fetch, nothing that can 404" property is preserved —
- * the interactivity works entirely on data already embedded in the page.
- *
- * The NOT ONBOARDED section is deliberate, not an afterthought: a
- * project with no dependencyiq-report.json artifact has never run this
- * tool, which is a meaningfully different fact from "ran it and found
- * zero issues." Collapsing the two would make fleet-wide adoption
- * progress invisible.
- */
-
-const { SHARED_STYLES, escapeHtml, priorityColor } = require('./dashboardGenerator');
-
-function fmtDate(iso) {
-  if (!iso) return 'unknown';
-  return new Date(iso).toISOString().slice(0, 16).replace('T', ' ') + ' UTC';
-}
-
-function renderOnboardedRow(entry) {
-  const { project, snapshot } = entry;
-  const top = snapshot.topFindings?.[0];
-  const topLabel = top ? `${escapeHtml(top.package)} (${top.priority})` : 'none';
-  return `<tr data-name="${escapeHtml(project.pathWithNamespace.toLowerCase())}"
-      data-score="${snapshot.topRiskScore || 0}"
-      data-findings="${snapshot.totalFindings || 0}"
-      data-urgent="${snapshot.urgentCount || 0}">
-    <td><a href="https://gitlab.com/${escapeHtml(project.pathWithNamespace)}" target="_blank" rel="noopener">${escapeHtml(project.pathWithNamespace)}</a></td>
-    <td>${snapshot.totalFindings || 0}</td>
-    <td>${snapshot.urgentCount || 0}</td>
-    <td>${snapshot.highCount || 0}</td>
-    <td>${snapshot.unusedCount || 0}</td>
-    <td><span style="color:${priorityColor(top?.priority)}; font-weight:700;">${snapshot.topRiskScore || 0}</span></td>
-    <td>${topLabel}</td>
-    <td>${fmtDate(snapshot.generatedAt)}</td>
-  </tr>`;
-}
-
-function renderNotOnboardedRow(entry) {
-  return `<tr>
-    <td><a href="https://gitlab.com/${escapeHtml(entry.project.pathWithNamespace)}" target="_blank" rel="noopener">${escapeHtml(entry.project.pathWithNamespace)}</a></td>
-    <td colspan="6" style="color: var(--text-muted);">${escapeHtml(entry.reason)}</td>
-  </tr>`;
-}
-
-/**
- * @param {Object} report - { available, rollup } from fleetAggregator.buildFleetReport,
- *   or { available: false, reason } when the report itself couldn't be built
- * @param {Object} meta - { groupId, groupName }
- * @returns {string} a complete, self-contained HTML document
- */
-function generateFleetDashboardHtml(report, meta = {}) {
-  if (!report.available) {
-    return `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
-<title>DependencyIQ Fleet Dashboard — Unavailable</title>
-<style>${SHARED_STYLES}</style></head>
-<body><div style="max-width:640px;margin:4rem auto;padding:0 1.5rem;">
-<h1>Fleet Dashboard unavailable</h1>
-<p style="color: var(--text-muted);">${escapeHtml(report.reason)}</p>
-</div></body></html>`;
-  }
-
-  const { rollup } = report;
-  const onboardedRows = rollup.onboarded.map(renderOnboardedRow).join('\n');
-  const notOnboardedRows = rollup.notOnboarded.map(renderNotOnboardedRow).join('\n');
-  const adoptionPercent = rollup.totalProjects > 0 ? Math.round((rollup.onboardedCount / rollup.totalProjects) * 100) : 0;
-
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>DependencyIQ Fleet Dashboard${meta.groupName ? ` — ${escapeHtml(meta.groupName)}` : ''}</title>
-<style>
-${SHARED_STYLES}
-  .page { max-width: 1180px; margin: 0 auto; padding: 0 1.5rem 3rem; }
-  header.page-header { padding: 1.75rem 0 1.25rem; border-bottom: 1px solid var(--border); margin-bottom: 1.75rem; }
-  .brand-title { font-size: 1.25rem; font-weight: 700; }
-  .brand-subtitle { color: var(--text-muted); font-size: 0.85rem; margin-top: 0.15rem; }
-  .stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 0.85rem; margin-bottom: 1.75rem; }
-  .stat { background: var(--surface); border: 1px solid var(--border); border-left: 3px solid var(--accent); border-radius: var(--radius); padding: 1rem 1.1rem; }
-  .stat .num { font-size: 1.7rem; font-weight: 700; line-height: 1.1; }
-  .stat .label { color: var(--text-muted); font-size: 0.72rem; text-transform: uppercase; letter-spacing: 0.04em; margin-top: 0.3rem; }
-  .toolbar { display: flex; gap: 0.75rem; margin-bottom: 1rem; flex-wrap: wrap; align-items: center; }
-  #search { flex: 1 1 240px; background: var(--surface); border: 1px solid var(--border); color: var(--text); padding: 0.55rem 0.85rem; border-radius: var(--radius-sm); font-size: 0.9rem; }
-  table { width: 100%; border-collapse: collapse; background: var(--surface); border: 1px solid var(--border); border-radius: var(--radius); overflow: hidden; }
-  th, td { padding: 0.65rem 0.85rem; text-align: left; border-bottom: 1px solid var(--border-soft); font-size: 0.88rem; }
-  th { cursor: pointer; user-select: none; color: var(--text-muted); font-size: 0.74rem; text-transform: uppercase; letter-spacing: 0.03em; }
-  th:hover { color: var(--text); }
-  th.sorted-asc::after { content: ' \\2191'; }
-  th.sorted-desc::after { content: ' \\2193'; }
-  tr:last-child td { border-bottom: none; }
-  .section-title { font-size: 0.95rem; font-weight: 600; margin: 2rem 0 0.75rem; }
-  .empty-note { color: var(--text-muted); font-size: 0.85rem; padding: 1rem; }
-</style>
-</head>
-<body>
-<div class="page">
-  <header class="page-header">
-    <div class="brand-title">DependencyIQ Fleet Dashboard${meta.groupName ? ` — ${escapeHtml(meta.groupName)}` : ''}</div>
-    <div class="brand-subtitle">Generated ${fmtDate(rollup.generatedAt)} · build-time snapshot from each project's own analyze_vulnerabilities CI artifact, not a live cross-project query</div>
-  </header>
-
-  <div class="stats">
-    <div class="stat"><div class="num">${rollup.onboardedCount}/${rollup.totalProjects}</div><div class="label">Projects onboarded (${adoptionPercent}%)</div></div>
-    <div class="stat"><div class="num">${rollup.totalFindings}</div><div class="label">Total findings, fleet-wide</div></div>
-    <div class="stat"><div class="num">${rollup.urgentCount}</div><div class="label">Urgent findings</div></div>
-    <div class="stat"><div class="num">${rollup.highCount}</div><div class="label">High findings</div></div>
-    <div class="stat"><div class="num">${rollup.unusedCount}</div><div class="label">Removable (unused) deps</div></div>
-  </div>
-
-  <div class="toolbar">
-    <input id="search" type="text" placeholder="Filter by project path...">
-  </div>
-
-  <table id="fleet-table">
-    <thead>
-      <tr>
-        <th data-key="name">Project</th>
-        <th data-key="findings">Findings</th>
-        <th data-key="urgent">Urgent</th>
-        <th>High</th>
-        <th>Unused</th>
-        <th data-key="score">Top risk score</th>
-        <th>Top finding</th>
-        <th>Last scanned</th>
-      </tr>
-    </thead>
-    <tbody>
-${onboardedRows || '<tr><td colspan="8" class="empty-note">No onboarded projects yet — see "Not yet onboarded" below.</td></tr>'}
-    </tbody>
-  </table>
-
-  <div class="section-title">Not yet onboarded (${rollup.notOnboardedCount})</div>
-  <table>
-    <tbody>
-${notOnboardedRows || '<tr><td class="empty-note">Every project in this group has onboarded DependencyIQ.</td></tr>'}
-    </tbody>
-  </table>
-</div>
-
-<script>
-  (function () {
-    var table = document.getElementById('fleet-table');
-    var tbody = table.querySelector('tbody');
-    var searchBox = document.getElementById('search');
-    var sortState = { key: null, dir: 1 };
-
-    function applySearch() {
-      var q = searchBox.value.trim().toLowerCase();
-      Array.prototype.forEach.call(tbody.querySelectorAll('tr'), function (row) {
-        var name = row.dataset.name || '';
-        row.style.display = (!q || name.indexOf(q) !== -1) ? '' : 'none';
-      });
-    }
-
-    function applySort(key) {
-      var rows = Array.prototype.slice.call(tbody.querySelectorAll('tr')).filter(function (r) { return r.dataset.name !== undefined; });
-      var dir = (sortState.key === key) ? -sortState.dir : 1;
-      sortState = { key: key, dir: dir };
-
-      rows.sort(function (a, b) {
-        var av = key === 'name' ? a.dataset.name : Number(a.dataset[key] || 0);
-        var bv = key === 'name' ? b.dataset.name : Number(b.dataset[key] || 0);
-        if (av < bv) return -1 * dir;
-        if (av > bv) return 1 * dir;
-        return 0;
-      });
-
-      rows.forEach(function (r) { tbody.appendChild(r); });
-
-      Array.prototype.forEach.call(table.querySelectorAll('th'), function (th) {
-        th.classList.remove('sorted-asc', 'sorted-desc');
-      });
-      var activeTh = table.querySelector('th[data-key="' + key + '"]');
-      if (activeTh) activeTh.classList.add(dir === 1 ? 'sorted-asc' : 'sorted-desc');
-    }
-
-    searchBox.addEventListener('input', applySearch);
-    Array.prototype.forEach.call(table.querySelectorAll('th[data-key]'), function (th) {
-      th.addEventListener('click', function () { applySort(th.dataset.key); });
-    });
-
-    applySort('score');
-  })();
-</script>
-</body>
-</html>`;
-}
-
-module.exports = { generateFleetDashboardHtml };
+/**
+ * Fleet Dashboard: the cross-project view GitHub's org-wide "Security
+ * Overview" is the closest public precedent for — every project in a
+ * GitLab group, in one page, sorted by real risk.
+ *
+ * Still a static page (GitLab Pages, no backend) — the data is a
+ * build-time snapshot (fleetAggregator.js), not a live query. What's
+ * genuinely new compared to the per-project dashboard is real client-side
+ * interactivity over that snapshot: sortable columns and a search box,
+ * implemented as a small inline <script> with no external library, so
+ * the "nothing to fetch, nothing that can 404" property is preserved —
+ * the interactivity works entirely on data already embedded in the page.
+ *
+ * The NOT ONBOARDED section is deliberate, not an afterthought: a
+ * project with no dependencyiq-report.json artifact has never run this
+ * tool, which is a meaningfully different fact from "ran it and found
+ * zero issues." Collapsing the two would make fleet-wide adoption
+ * progress invisible.
+ */
+
+const { SHARED_STYLES, escapeHtml, priorityColor } = require('./dashboardGenerator');
+
+function fmtDate(iso) {
+  if (!iso) return 'unknown';
+  return new Date(iso).toISOString().slice(0, 16).replace('T', ' ') + ' UTC';
+}
+
+function renderOnboardedRow(entry) {
+  const { project, snapshot } = entry;
+  const top = snapshot.topFindings?.[0];
+  const topLabel = top ? `${escapeHtml(top.package)} (${top.priority})` : 'none';
+  return `<tr data-name="${escapeHtml(project.pathWithNamespace.toLowerCase())}"
+      data-score="${snapshot.topRiskScore || 0}"
+      data-findings="${snapshot.totalFindings || 0}"
+      data-urgent="${snapshot.urgentCount || 0}">
+    <td><a href="https://gitlab.com/${escapeHtml(project.pathWithNamespace)}" target="_blank" rel="noopener">${escapeHtml(project.pathWithNamespace)}</a></td>
+    <td>${snapshot.totalFindings || 0}</td>
+    <td>${snapshot.urgentCount || 0}</td>
+    <td>${snapshot.highCount || 0}</td>
+    <td>${snapshot.unusedCount || 0}</td>
+    <td><span style="color:${priorityColor(top?.priority)}; font-weight:700;">${snapshot.topRiskScore || 0}</span></td>
+    <td>${topLabel}</td>
+    <td>${fmtDate(snapshot.generatedAt)}</td>
+  </tr>`;
+}
+
+function renderNotOnboardedRow(entry) {
+  return `<tr>
+    <td><a href="https://gitlab.com/${escapeHtml(entry.project.pathWithNamespace)}" target="_blank" rel="noopener">${escapeHtml(entry.project.pathWithNamespace)}</a></td>
+    <td colspan="6" style="color: var(--text-muted);">${escapeHtml(entry.reason)}</td>
+  </tr>`;
+}
+
+/**
+ * @param {Object} report - { available, rollup } from fleetAggregator.buildFleetReport,
+ *   or { available: false, reason } when the report itself couldn't be built
+ * @param {Object} meta - { groupId, groupName }
+ * @returns {string} a complete, self-contained HTML document
+ */
+function generateFleetDashboardHtml(report, meta = {}) {
+  if (!report.available) {
+    return `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
+<title>DependencyIQ Fleet Dashboard — Unavailable</title>
+<style>${SHARED_STYLES}</style></head>
+<body><div style="max-width:640px;margin:4rem auto;padding:0 1.5rem;">
+<h1>Fleet Dashboard unavailable</h1>
+<p style="color: var(--text-muted);">${escapeHtml(report.reason)}</p>
+</div></body></html>`;
+  }
+
+  const { rollup } = report;
+  const onboardedRows = rollup.onboarded.map(renderOnboardedRow).join('\n');
+  const notOnboardedRows = rollup.notOnboarded.map(renderNotOnboardedRow).join('\n');
+  const adoptionPercent = rollup.totalProjects > 0 ? Math.round((rollup.onboardedCount / rollup.totalProjects) * 100) : 0;
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>DependencyIQ Fleet Dashboard${meta.groupName ? ` — ${escapeHtml(meta.groupName)}` : ''}</title>
+<style>
+${SHARED_STYLES}
+  .page { max-width: 1180px; margin: 0 auto; padding: 0 1.5rem 3rem; }
+  header.page-header { padding: 1.75rem 0 1.25rem; border-bottom: 1px solid var(--border); margin-bottom: 1.75rem; }
+  .brand-title { font-size: 1.25rem; font-weight: 700; }
+  .brand-subtitle { color: var(--text-muted); font-size: 0.85rem; margin-top: 0.15rem; }
+  .stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 0.85rem; margin-bottom: 1.75rem; }
+  .stat { background: var(--surface); border: 1px solid var(--border); border-left: 3px solid var(--accent); border-radius: var(--radius); padding: 1rem 1.1rem; }
+  .stat .num { font-size: 1.7rem; font-weight: 700; line-height: 1.1; }
+  .stat .label { color: var(--text-muted); font-size: 0.72rem; text-transform: uppercase; letter-spacing: 0.04em; margin-top: 0.3rem; }
+  .toolbar { display: flex; gap: 0.75rem; margin-bottom: 1rem; flex-wrap: wrap; align-items: center; }
+  #search { flex: 1 1 240px; background: var(--surface); border: 1px solid var(--border); color: var(--text); padding: 0.55rem 0.85rem; border-radius: var(--radius-sm); font-size: 0.9rem; }
+  table { width: 100%; border-collapse: collapse; background: var(--surface); border: 1px solid var(--border); border-radius: var(--radius); overflow: hidden; }
+  th, td { padding: 0.65rem 0.85rem; text-align: left; border-bottom: 1px solid var(--border-soft); font-size: 0.88rem; }
+  th { cursor: pointer; user-select: none; color: var(--text-muted); font-size: 0.74rem; text-transform: uppercase; letter-spacing: 0.03em; }
+  th:hover { color: var(--text); }
+  th.sorted-asc::after { content: ' \\2191'; }
+  th.sorted-desc::after { content: ' \\2193'; }
+  tr:last-child td { border-bottom: none; }
+  .section-title { font-size: 0.95rem; font-weight: 600; margin: 2rem 0 0.75rem; }
+  .empty-note { color: var(--text-muted); font-size: 0.85rem; padding: 1rem; }
+</style>
+</head>
+<body>
+<div class="page">
+  <header class="page-header">
+    <div class="brand-title">DependencyIQ Fleet Dashboard${meta.groupName ? ` — ${escapeHtml(meta.groupName)}` : ''}</div>
+    <div class="brand-subtitle">Generated ${fmtDate(rollup.generatedAt)} · build-time snapshot from each project's own analyze_vulnerabilities CI artifact, not a live cross-project query</div>
+  </header>
+
+  <div class="stats">
+    <div class="stat"><div class="num">${rollup.onboardedCount}/${rollup.totalProjects}</div><div class="label">Projects onboarded (${adoptionPercent}%)</div></div>
+    <div class="stat"><div class="num">${rollup.totalFindings}</div><div class="label">Total findings, fleet-wide</div></div>
+    <div class="stat"><div class="num">${rollup.urgentCount}</div><div class="label">Urgent findings</div></div>
+    <div class="stat"><div class="num">${rollup.highCount}</div><div class="label">High findings</div></div>
+    <div class="stat"><div class="num">${rollup.unusedCount}</div><div class="label">Removable (unused) deps</div></div>
+  </div>
+
+  <div class="toolbar">
+    <input id="search" type="text" placeholder="Filter by project path...">
+  </div>
+
+  <table id="fleet-table">
+    <thead>
+      <tr>
+        <th data-key="name">Project</th>
+        <th data-key="findings">Findings</th>
+        <th data-key="urgent">Urgent</th>
+        <th>High</th>
+        <th>Unused</th>
+        <th data-key="score">Top risk score</th>
+        <th>Top finding</th>
+        <th>Last scanned</th>
+      </tr>
+    </thead>
+    <tbody>
+${onboardedRows || '<tr><td colspan="8" class="empty-note">No onboarded projects yet — see "Not yet onboarded" below.</td></tr>'}
+    </tbody>
+  </table>
+
+  <div class="section-title">Not yet onboarded (${rollup.notOnboardedCount})</div>
+  <table>
+    <tbody>
+${notOnboardedRows || '<tr><td class="empty-note">Every project in this group has onboarded DependencyIQ.</td></tr>'}
+    </tbody>
+  </table>
+</div>
+
+<script>
+  (function () {
+    var table = document.getElementById('fleet-table');
+    var tbody = table.querySelector('tbody');
+    var searchBox = document.getElementById('search');
+    var sortState = { key: null, dir: 1 };
+
+    function applySearch() {
+      var q = searchBox.value.trim().toLowerCase();
+      Array.prototype.forEach.call(tbody.querySelectorAll('tr'), function (row) {
+        var name = row.dataset.name || '';
+        row.style.display = (!q || name.indexOf(q) !== -1) ? '' : 'none';
+      });
+    }
+
+    function applySort(key) {
+      var rows = Array.prototype.slice.call(tbody.querySelectorAll('tr')).filter(function (r) { return r.dataset.name !== undefined; });
+      var dir = (sortState.key === key) ? -sortState.dir : 1;
+      sortState = { key: key, dir: dir };
+
+      rows.sort(function (a, b) {
+        var av = key === 'name' ? a.dataset.name : Number(a.dataset[key] || 0);
+        var bv = key === 'name' ? b.dataset.name : Number(b.dataset[key] || 0);
+        if (av < bv) return -1 * dir;
+        if (av > bv) return 1 * dir;
+        return 0;
+      });
+
+      rows.forEach(function (r) { tbody.appendChild(r); });
+
+      Array.prototype.forEach.call(table.querySelectorAll('th'), function (th) {
+        th.classList.remove('sorted-asc', 'sorted-desc');
+      });
+      var activeTh = table.querySelector('th[data-key="' + key + '"]');
+      if (activeTh) activeTh.classList.add(dir === 1 ? 'sorted-asc' : 'sorted-desc');
+    }
+
+    searchBox.addEventListener('input', applySearch);
+    Array.prototype.forEach.call(table.querySelectorAll('th[data-key]'), function (th) {
+      th.addEventListener('click', function () { applySort(th.dataset.key); });
+    });
+
+    applySort('score');
+  })();
+</script>
+</body>
+</html>`;
+}
+
+module.exports = { generateFleetDashboardHtml };

package/src/fleetSnapshot.js

@@ -1,103 +1,103 @@
-/**
- * Fleet snapshot: the per-project artifact a Fleet Dashboard aggregates
- * across a whole GitLab group.
- *
- * A static page can only ever show a build-time snapshot, never a live
- * query across projects it doesn't own — so each project's own CI run
- * writes one small, honest JSON file (`dependencyiq-report.json`) as a
- * normal job artifact, and the Fleet Dashboard (fleetAggregator.js) later
- * fetches the latest one from every project in a group via GitLab's Job
- * Artifacts API. A project that has never produced this file has never
- * "onboarded" DependencyIQ — that is a real, meaningful distinction from
- * "onboarded and found zero issues," and the aggregator never collapses
- * the two.
- *
- * Deliberately small: full per-file evidence/affectedFiles arrays stay
- * in the per-project dashboard (dashboardGenerator.js); this snapshot
- * only carries what a cross-project rollup table actually needs, so
- * fetching it from N projects stays cheap.
- */
-
-const fs = require('fs');
-
-const SCHEMA_VERSION = 1;
-const TOP_FINDINGS_LIMIT = 5;
-
-/**
- * @param {Object} analyzeResult - the result of agent.js's analyzeRepository()
- * @param {Object} meta - { projectId, projectPath, ecosystems }
- * @returns {Object} a compact, fleet-aggregatable snapshot
- */
-function buildFleetSnapshot(analyzeResult, meta = {}) {
-  const vulnerabilities = analyzeResult?.vulnerabilities || [];
-  const execSummary = buildSummaryFields(vulnerabilities);
-
-  const topFindings = [...vulnerabilities]
-    .sort((a, b) => (b.riskScore?.score || 0) - (a.riskScore?.score || 0))
-    .slice(0, TOP_FINDINGS_LIMIT)
-    .map(v => ({
-      package: v.package,
-      ecosystem: v.ecosystem,
-      severity: v.severity,
-      cvss: v.cvss,
-      score: v.riskScore?.score ?? null,
-      priority: v.riskScore?.priority || 'UNSCORED',
-      recommendation: v.recommendation || null,
-      exposureDataSource: v.riskScore?.exposureDataSource || 'unavailable',
-      isDirect: v.dependencyChain?.available ? v.dependencyChain.isDirect : null,
-    }));
-
-  return {
-    schemaVersion: SCHEMA_VERSION,
-    generatedAt: new Date().toISOString(),
-    projectId: meta.projectId || null,
-    projectPath: meta.projectPath || null,
-    ecosystems: meta.ecosystems || [],
-    ...execSummary,
-    topFindings,
-  };
-}
-
-function buildSummaryFields(vulnerabilities) {
-  const priorityOf = v => v.riskScore?.priority || 'UNSCORED';
-  return {
-    totalFindings: vulnerabilities.length,
-    urgentCount: vulnerabilities.filter(v => priorityOf(v) === 'URGENT').length,
-    highCount: vulnerabilities.filter(v => priorityOf(v) === 'HIGH').length,
-    unusedCount: vulnerabilities.filter(v => priorityOf(v) === 'UNUSED').length,
-    topRiskScore: vulnerabilities.reduce((max, v) => Math.max(max, v.riskScore?.score || 0), 0),
-  };
-}
-
-/**
- * @param {Object} snapshot - from buildFleetSnapshot()
- * @param {string} outPath - file path to write, e.g. "dependencyiq-report.json"
- */
-function writeFleetSnapshot(snapshot, outPath) {
-  fs.writeFileSync(outPath, JSON.stringify(snapshot, null, 2) + '\n');
-}
-
-/**
- * Validate that a fetched JSON blob is actually a snapshot this version
- * of the aggregator understands, rather than trusting it blindly — a
- * stale artifact from a future/incompatible schema should report
- * unavailable, not be silently misread.
- * @returns {Object|null} the snapshot if valid, otherwise null
- */
-function parseFleetSnapshot(rawJson) {
-  let parsed;
-  try {
-    parsed = JSON.parse(rawJson);
-  } catch {
-    return null;
-  }
-  if (!parsed || parsed.schemaVersion !== SCHEMA_VERSION) return null;
-  return parsed;
-}
-
-module.exports = {
-  SCHEMA_VERSION,
-  buildFleetSnapshot,
-  writeFleetSnapshot,
-  parseFleetSnapshot,
-};
+/**
+ * Fleet snapshot: the per-project artifact a Fleet Dashboard aggregates
+ * across a whole GitLab group.
+ *
+ * A static page can only ever show a build-time snapshot, never a live
+ * query across projects it doesn't own — so each project's own CI run
+ * writes one small, honest JSON file (`dependencyiq-report.json`) as a
+ * normal job artifact, and the Fleet Dashboard (fleetAggregator.js) later
+ * fetches the latest one from every project in a group via GitLab's Job
+ * Artifacts API. A project that has never produced this file has never
+ * "onboarded" DependencyIQ — that is a real, meaningful distinction from
+ * "onboarded and found zero issues," and the aggregator never collapses
+ * the two.
+ *
+ * Deliberately small: full per-file evidence/affectedFiles arrays stay
+ * in the per-project dashboard (dashboardGenerator.js); this snapshot
+ * only carries what a cross-project rollup table actually needs, so
+ * fetching it from N projects stays cheap.
+ */
+
+const fs = require('fs');
+
+const SCHEMA_VERSION = 1;
+const TOP_FINDINGS_LIMIT = 5;
+
+/**
+ * @param {Object} analyzeResult - the result of agent.js's analyzeRepository()
+ * @param {Object} meta - { projectId, projectPath, ecosystems }
+ * @returns {Object} a compact, fleet-aggregatable snapshot
+ */
+function buildFleetSnapshot(analyzeResult, meta = {}) {
+  const vulnerabilities = analyzeResult?.vulnerabilities || [];
+  const execSummary = buildSummaryFields(vulnerabilities);
+
+  const topFindings = [...vulnerabilities]
+    .sort((a, b) => (b.riskScore?.score || 0) - (a.riskScore?.score || 0))
+    .slice(0, TOP_FINDINGS_LIMIT)
+    .map(v => ({
+      package: v.package,
+      ecosystem: v.ecosystem,
+      severity: v.severity,
+      cvss: v.cvss,
+      score: v.riskScore?.score ?? null,
+      priority: v.riskScore?.priority || 'UNSCORED',
+      recommendation: v.recommendation || null,
+      exposureDataSource: v.riskScore?.exposureDataSource || 'unavailable',
+      isDirect: v.dependencyChain?.available ? v.dependencyChain.isDirect : null,
+    }));
+
+  return {
+    schemaVersion: SCHEMA_VERSION,
+    generatedAt: new Date().toISOString(),
+    projectId: meta.projectId || null,
+    projectPath: meta.projectPath || null,
+    ecosystems: meta.ecosystems || [],
+    ...execSummary,
+    topFindings,
+  };
+}
+
+function buildSummaryFields(vulnerabilities) {
+  const priorityOf = v => v.riskScore?.priority || 'UNSCORED';
+  return {
+    totalFindings: vulnerabilities.length,
+    urgentCount: vulnerabilities.filter(v => priorityOf(v) === 'URGENT').length,
+    highCount: vulnerabilities.filter(v => priorityOf(v) === 'HIGH').length,
+    unusedCount: vulnerabilities.filter(v => priorityOf(v) === 'UNUSED').length,
+    topRiskScore: vulnerabilities.reduce((max, v) => Math.max(max, v.riskScore?.score || 0), 0),
+  };
+}
+
+/**
+ * @param {Object} snapshot - from buildFleetSnapshot()
+ * @param {string} outPath - file path to write, e.g. "dependencyiq-report.json"
+ */
+function writeFleetSnapshot(snapshot, outPath) {
+  fs.writeFileSync(outPath, JSON.stringify(snapshot, null, 2) + '\n');
+}
+
+/**
+ * Validate that a fetched JSON blob is actually a snapshot this version
+ * of the aggregator understands, rather than trusting it blindly — a
+ * stale artifact from a future/incompatible schema should report
+ * unavailable, not be silently misread.
+ * @returns {Object|null} the snapshot if valid, otherwise null
+ */
+function parseFleetSnapshot(rawJson) {
+  let parsed;
+  try {
+    parsed = JSON.parse(rawJson);
+  } catch {
+    return null;
+  }
+  if (!parsed || parsed.schemaVersion !== SCHEMA_VERSION) return null;
+  return parsed;
+}
+
+module.exports = {
+  SCHEMA_VERSION,
+  buildFleetSnapshot,
+  writeFleetSnapshot,
+  parseFleetSnapshot,
+};