devrail 0.1.0

package/dist/cli/index.js

@@ -0,0 +1,1346 @@
+#!/usr/bin/env node
+import {
+  calculateScore,
+  createBaseline,
+  detectStack,
+  filterNewIssues,
+  filterResultsByFiles,
+  getBaselineStats,
+  getChangedFiles,
+  getDefaultConfig,
+  getPreset,
+  gitleaksRunner,
+  groupRulesByTool,
+  loadBaseline,
+  loadConfig,
+  osvScannerRunner,
+  resolveRules,
+  runBuiltinChecks,
+  saveBaseline,
+  semgrepRunner,
+  shouldFail,
+  updateBaseline
+} from "../chunk-ZDEEHXE7.js";
+import {
+  getRuleById
+} from "../chunk-J22FFU7Z.js";
+
+// src/cli/index.ts
+import { Command } from "commander";
+import chalk9 from "chalk";
+
+// src/cli/commands/init.ts
+import { writeFile, mkdir } from "fs/promises";
+import { join } from "path";
+import chalk from "chalk";
+import ora from "ora";
+async function initCommand(options) {
+  const cwd = process.cwd();
+  console.log(chalk.bold.cyan("\n\u{1F6E4}\uFE0F  Devrail - Security & Quality Guardrails\n"));
+  const spinner = ora("Detecting your stack...").start();
+  try {
+    const detected = await detectStack(cwd);
+    const preset = options.preset ?? detected.preset;
+    const level = options.level;
+    spinner.succeed(chalk.green("Stack detected!"));
+    console.log("\n" + chalk.bold("\u{1F4E6} Project Analysis:"));
+    console.log(`  Language:    ${chalk.cyan(detected.language)}`);
+    if (detected.framework) {
+      console.log(`  Framework:   ${chalk.cyan(detected.framework)}`);
+    }
+    console.log(`  Preset:      ${chalk.cyan(preset)} ${detected.confidence < 80 ? chalk.dim("(suggested)") : ""}`);
+    console.log(`  TypeScript:  ${detected.hasTypeScript ? chalk.green("\u2713") : chalk.dim("\u2717")}`);
+    console.log(`  Tests:       ${detected.hasTests ? chalk.green("\u2713") : chalk.yellow("\u2717 missing")}`);
+    console.log(`  CI/CD:       ${detected.hasCi ? chalk.green("\u2713") : chalk.yellow("\u2717 missing")}`);
+    spinner.start("Running quick security scan...");
+    const quickResults = await runBuiltinChecks(cwd, [
+      "secrets.gitignore-required",
+      "secrets.no-env-commit",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "tests.unit.required",
+      "code.strict-mode",
+      "config.node-version"
+    ]);
+    spinner.stop();
+    const errors = quickResults.filter((r) => r.severity === "error");
+    const warnings = quickResults.filter((r) => r.severity === "warn");
+    if (quickResults.length > 0 || detected.issues.length > 0) {
+      console.log("\n" + chalk.bold.yellow("\u26A0\uFE0F  Issues Found:"));
+      for (const issue of detected.issues) {
+        console.log(`  ${chalk.red("\u25CF")} ${issue}`);
+      }
+      for (const result of errors) {
+        console.log(`  ${chalk.red("\u25CF")} ${result.message}`);
+      }
+      for (const result of warnings.slice(0, 5)) {
+        console.log(`  ${chalk.yellow("\u25CF")} ${result.message}`);
+      }
+      if (warnings.length > 5) {
+        console.log(chalk.dim(`    ... and ${warnings.length - 5} more warnings`));
+      }
+    }
+    spinner.start("Creating configuration...");
+    await createConfigFile(cwd, preset, level);
+    if (options.hooks) {
+      spinner.text = "Setting up git hooks...";
+      await setupGitHooks(cwd);
+    }
+    if (options.ci && !detected.hasCi) {
+      spinner.text = "Creating CI templates...";
+      await createCITemplates(cwd, preset, level);
+    }
+    await updateGitignore(cwd);
+    spinner.succeed(chalk.green("Devrail initialized!"));
+    const presetConfig = getPreset(preset);
+    console.log("\n" + chalk.bold("\u{1F680} Next Actions:"));
+    if (errors.length > 0 || warnings.length > 0) {
+      console.log(`  1. ${chalk.cyan("npx devrail fix")}     Fix ${errors.length + Math.min(warnings.length, 5)} auto-fixable issues`);
+      console.log(`  2. ${chalk.cyan("npx devrail baseline")} Accept existing issues, block new ones`);
+      console.log(`  3. ${chalk.cyan("npx devrail ci")}      Run full CI check`);
+    } else {
+      console.log(`  1. ${chalk.cyan("npx devrail check")}  Run security scan`);
+      console.log(`  2. ${chalk.cyan("npx devrail ci")}     Run full CI check`);
+    }
+    console.log("\n" + chalk.dim(`Config: devrail.config.yaml | ${presetConfig.rules[level]?.length ?? 0} rules active
+`));
+  } catch (error) {
+    spinner.fail(chalk.red("Initialization failed"));
+    console.error(error);
+    process.exit(1);
+  }
+}
+async function createConfigFile(cwd, preset, level) {
+  const config = `# Devrail Configuration
+# Docs: https://devrail.dev/docs/config
+
+devrail:
+  preset: "${preset}"
+  level: "${level}"
+
+  # Baseline: accept existing issues, block new ones
+  baseline: ".devrail/baseline.json"
+
+  # Override specific rules (optional)
+  # rules:
+  #   secrets.no-plaintext:
+  #     enabled: true
+  #     severity: error
+  #   deps.no-unpinned:
+  #     enabled: false
+
+  # CI configuration
+  ci:
+    failOn: error
+    # Only fail on NEW issues (not baselined)
+    newOnly: true
+    reportFormat: console
+
+  # Tool toggles
+  tools:
+    eslint: true
+    semgrep: true
+    gitleaks: true
+    osvScanner: true
+`;
+  await writeFile(join(cwd, "devrail.config.yaml"), config, "utf-8");
+}
+async function setupGitHooks(cwd) {
+  const hooksDir = join(cwd, ".husky");
+  try {
+    await mkdir(hooksDir, { recursive: true });
+    const preCommitHook = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx devrail check --changed
+`;
+    await writeFile(join(hooksDir, "pre-commit"), preCommitHook, { mode: 493 });
+    const prePushHook = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx devrail ci
+`;
+    await writeFile(join(hooksDir, "pre-push"), prePushHook, { mode: 493 });
+  } catch {
+    const gitHooksDir = join(cwd, ".git", "hooks");
+    try {
+      const preCommitHook = `#!/usr/bin/env sh
+npx devrail check --changed
+`;
+      await writeFile(join(gitHooksDir, "pre-commit"), preCommitHook, { mode: 493 });
+    } catch {
+    }
+  }
+}
+async function createCITemplates(cwd, preset, level) {
+  const githubDir = join(cwd, ".github", "workflows");
+  await mkdir(githubDir, { recursive: true });
+  const workflow = `name: VibeGuard Security & Quality
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  vibeguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install security tools
+        run: |
+          # Install gitleaks
+          curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz | tar -xz
+          sudo mv gitleaks /usr/local/bin/
+
+          # Install osv-scanner
+          curl -sSfL https://github.com/google/osv-scanner/releases/download/v1.7.0/osv-scanner_linux_amd64 -o osv-scanner
+          chmod +x osv-scanner
+          sudo mv osv-scanner /usr/local/bin/
+
+          # Install semgrep
+          pip install semgrep
+
+      - name: Run VibeGuard CI
+        run: npx vg ci --format sarif > vibeguard-results.sarif
+        continue-on-error: true
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: vibeguard-results.sarif
+        if: always()
+
+      - name: Run VibeGuard CI (blocking)
+        run: npx vg ci --fail-on error
+`;
+  await writeFile(join(githubDir, "vibeguard.yml"), workflow, "utf-8");
+}
+async function updateGitignore(cwd) {
+  const gitignorePath = join(cwd, ".gitignore");
+  const entries = `
+# VibeGuard
+.vibeguard-cache/
+vibeguard-report.json
+vibeguard-report.sarif
+`;
+  try {
+    const { readFile: readFile3 } = await import("fs/promises");
+    const existing = await readFile3(gitignorePath, "utf-8");
+    if (!existing.includes(".vibeguard-cache")) {
+      await writeFile(gitignorePath, existing + entries, "utf-8");
+    }
+  } catch {
+    await writeFile(gitignorePath, entries.trim() + "\n", "utf-8");
+  }
+}
+
+// src/cli/commands/check.ts
+import chalk2 from "chalk";
+import ora2 from "ora";
+async function checkCommand(options) {
+  const cwd = process.cwd();
+  const startTime = Date.now();
+  const spinner = options.json ? null : ora2("Loading configuration...").start();
+  try {
+    const loaded = await loadConfig(cwd);
+    const config = loaded?.config ?? getDefaultConfig();
+    if (spinner) spinner.text = "Resolving rules...";
+    const resolvedRules = resolveRules(config);
+    const rulesByTool = groupRulesByTool(resolvedRules);
+    const allResults = [];
+    const toolStats = [];
+    if (spinner) spinner.text = "Running builtin checks...";
+    const builtinRules = rulesByTool.get("builtin") ?? [];
+    if (builtinRules.length > 0) {
+      const builtinStart = Date.now();
+      const builtinResults = await runBuiltinChecks(
+        cwd,
+        builtinRules.map((r) => r.definition.id)
+      );
+      allResults.push(...builtinResults);
+      toolStats.push({
+        name: "builtin",
+        duration: Date.now() - builtinStart,
+        results: builtinResults.length
+      });
+    }
+    if (config.tools?.gitleaks !== false) {
+      if (spinner) spinner.text = "Running gitleaks (secret scanning)...";
+      const isInstalled = await gitleaksRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await gitleaksRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "gitleaks",
+          version: await gitleaksRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      } else if (spinner) {
+        spinner.warn(chalk2.yellow("gitleaks not installed, skipping secret scanning"));
+        spinner.start();
+      }
+    }
+    if (config.tools?.osvScanner !== false) {
+      if (spinner) spinner.text = "Running osv-scanner (dependency vulnerabilities)...";
+      const isInstalled = await osvScannerRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await osvScannerRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "osv-scanner",
+          version: await osvScannerRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      } else if (spinner) {
+        spinner.warn(chalk2.yellow("osv-scanner not installed, skipping dependency scanning"));
+        spinner.start();
+      }
+    }
+    if (config.tools?.semgrep !== false) {
+      if (spinner) spinner.text = "Running semgrep (SAST)...";
+      const isInstalled = await semgrepRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await semgrepRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "semgrep",
+          version: await semgrepRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      } else if (spinner) {
+        spinner.warn(chalk2.yellow("semgrep not installed, skipping SAST"));
+        spinner.start();
+      }
+    }
+    const duration = Date.now() - startTime;
+    const score = calculateScore(allResults);
+    const report = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      duration,
+      preset: config.preset,
+      level: config.level ?? "standard",
+      summary: {
+        total: allResults.length,
+        errors: allResults.filter((r) => r.severity === "error").length,
+        warnings: allResults.filter((r) => r.severity === "warn").length,
+        infos: allResults.filter((r) => r.severity === "info").length,
+        fixed: 0
+      },
+      score,
+      results: allResults,
+      tools: toolStats
+    };
+    if (options.json) {
+      console.log(JSON.stringify(report, null, 2));
+      return;
+    }
+    if (spinner) spinner.stop();
+    printReport(report);
+    if (report.summary.errors > 0) {
+      process.exit(1);
+    }
+  } catch (error) {
+    if (spinner) spinner.fail(chalk2.red("Check failed"));
+    console.error(error);
+    process.exit(1);
+  }
+}
+function printReport(report) {
+  console.log("\n" + chalk2.bold("Devrail Check Results"));
+  console.log(chalk2.dim("\u2500".repeat(50)));
+  const scoreColor = report.score >= 80 ? chalk2.green : report.score >= 50 ? chalk2.yellow : chalk2.red;
+  console.log(`
+Score: ${scoreColor.bold(report.score + "/100")}`);
+  console.log(`
+Summary:`);
+  console.log(`  ${chalk2.red("\u25CF")} Errors: ${report.summary.errors}`);
+  console.log(`  ${chalk2.yellow("\u25CF")} Warnings: ${report.summary.warnings}`);
+  console.log(`  ${chalk2.blue("\u25CF")} Info: ${report.summary.infos}`);
+  if (report.results.length > 0) {
+    console.log("\n" + chalk2.bold("Issues:"));
+    const grouped = /* @__PURE__ */ new Map();
+    for (const result of report.results) {
+      const key = result.file ?? "General";
+      const existing = grouped.get(key) ?? [];
+      existing.push(result);
+      grouped.set(key, existing);
+    }
+    for (const [file, results] of grouped) {
+      console.log(`
+  ${chalk2.cyan(file)}`);
+      for (const result of results) {
+        const severityIcon = result.severity === "error" ? chalk2.red("\u2716") : result.severity === "warn" ? chalk2.yellow("\u26A0") : chalk2.blue("\u2139");
+        const location = result.line ? `:${result.line}` : "";
+        console.log(`    ${severityIcon} ${result.message}`);
+        console.log(`      ${chalk2.dim(result.ruleId)}${chalk2.dim(location)}`);
+      }
+    }
+  } else {
+    console.log("\n" + chalk2.green("\u2713 All clear! No issues found."));
+  }
+  console.log("\n" + chalk2.dim(`Duration: ${report.duration}ms`));
+  console.log(chalk2.dim(`Tools: ${report.tools.map((t) => t.name).join(", ")}`));
+  console.log();
+}
+
+// src/cli/commands/explain.ts
+import chalk3 from "chalk";
+async function explainCommand(ruleId) {
+  const rule = getRuleById(ruleId);
+  if (!rule) {
+    console.error(chalk3.red(`Rule not found: ${ruleId}`));
+    console.log(chalk3.dim("\nRun `vg rules` to see all available rules."));
+    process.exit(1);
+  }
+  console.log("\n" + chalk3.bold.cyan(`Rule: ${rule.id}`));
+  console.log(chalk3.dim("\u2500".repeat(50)));
+  console.log(`
+${chalk3.bold("Name:")} ${rule.name}`);
+  console.log(`${chalk3.bold("Category:")} ${rule.category}`);
+  const severityColor = rule.severity === "error" ? chalk3.red : rule.severity === "warn" ? chalk3.yellow : chalk3.blue;
+  console.log(`${chalk3.bold("Severity:")} ${severityColor(rule.severity)}`);
+  console.log(`${chalk3.bold("Blocking:")} ${rule.blocking ? chalk3.red("Yes") : chalk3.green("No")}`);
+  console.log(`${chalk3.bold("Autofix:")} ${rule.autofix ? chalk3.green("Yes") : chalk3.dim("No")}`);
+  console.log(`${chalk3.bold("Tool:")} ${rule.tool}`);
+  console.log(`
+${chalk3.bold("Description:")}`);
+  console.log(`  ${rule.description}`);
+  console.log(`
+${chalk3.bold("Why this matters:")}`);
+  console.log(`  ${rule.rationale}`);
+  console.log(`
+${chalk3.bold("How to fix:")}`);
+  console.log(`  ${rule.fix}`);
+  if (rule.examples) {
+    console.log(`
+${chalk3.bold("Examples:")}`);
+    if (rule.examples.bad) {
+      console.log(`
+  ${chalk3.red("\u2716 Bad:")}`);
+      console.log(chalk3.dim("  ```"));
+      console.log(`  ${rule.examples.bad.split("\n").join("\n  ")}`);
+      console.log(chalk3.dim("  ```"));
+    }
+    if (rule.examples.good) {
+      console.log(`
+  ${chalk3.green("\u2713 Good:")}`);
+      console.log(chalk3.dim("  ```"));
+      console.log(`  ${rule.examples.good.split("\n").join("\n  ")}`);
+      console.log(chalk3.dim("  ```"));
+    }
+  }
+  console.log(`
+${chalk3.bold("Active in levels:")}`);
+  const levels = [];
+  if (rule.levels.basic) levels.push(chalk3.green("basic"));
+  if (rule.levels.standard) levels.push(chalk3.yellow("standard"));
+  if (rule.levels.strict) levels.push(chalk3.red("strict"));
+  console.log(`  ${levels.join(", ")}`);
+  console.log(`
+${chalk3.dim(`Docs: ${rule.docs}`)}
+`);
+}
+
+// src/cli/commands/ci.ts
+import chalk4 from "chalk";
+async function ciCommand(options) {
+  const cwd = process.cwd();
+  const startTime = Date.now();
+  const failOn = options.failOn ?? "error";
+  const format = options.format ?? "console";
+  const useBaseline = options.newOnly ?? true;
+  const useDiffOnly = options.diffOnly ?? false;
+  try {
+    const loaded = await loadConfig(cwd);
+    const config = loaded?.config ?? getDefaultConfig();
+    const baseline = useBaseline ? await loadBaseline(cwd) : null;
+    const changedFiles = useDiffOnly ? await getChangedFiles(cwd) : [];
+    const resolvedRules = resolveRules(config);
+    const rulesByTool = groupRulesByTool(resolvedRules);
+    const allResults = [];
+    const toolStats = [];
+    const builtinRules = rulesByTool.get("builtin") ?? [];
+    if (builtinRules.length > 0) {
+      const builtinStart = Date.now();
+      const builtinResults = await runBuiltinChecks(
+        cwd,
+        builtinRules.map((r) => r.definition.id)
+      );
+      allResults.push(...builtinResults);
+      toolStats.push({
+        name: "builtin",
+        duration: Date.now() - builtinStart,
+        results: builtinResults.length
+      });
+    }
+    if (config.tools?.gitleaks !== false) {
+      const isInstalled = await gitleaksRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await gitleaksRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "gitleaks",
+          version: await gitleaksRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      }
+    }
+    if (config.tools?.osvScanner !== false) {
+      const isInstalled = await osvScannerRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await osvScannerRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "osv-scanner",
+          version: await osvScannerRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      }
+    }
+    if (config.tools?.semgrep !== false) {
+      const isInstalled = await semgrepRunner.isInstalled();
+      if (isInstalled) {
+        const toolStart = Date.now();
+        const results = await semgrepRunner.run(cwd);
+        allResults.push(...results);
+        toolStats.push({
+          name: "semgrep",
+          version: await semgrepRunner.getVersion() ?? void 0,
+          duration: Date.now() - toolStart,
+          results: results.length
+        });
+      }
+    }
+    const filteredResults = useDiffOnly && changedFiles.length > 0 ? filterResultsByFiles(allResults, changedFiles) : allResults;
+    const newIssues = filterNewIssues(filteredResults, baseline);
+    const baselineStats = getBaselineStats(allResults, baseline);
+    const duration = Date.now() - startTime;
+    const score = calculateScore(allResults);
+    const report = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      duration,
+      preset: config.preset,
+      level: config.level ?? "standard",
+      summary: {
+        total: allResults.length,
+        errors: allResults.filter((r) => r.severity === "error").length,
+        warnings: allResults.filter((r) => r.severity === "warn").length,
+        infos: allResults.filter((r) => r.severity === "info").length,
+        fixed: 0
+      },
+      score,
+      results: allResults,
+      tools: toolStats,
+      // PR Gate stats
+      baseline: baseline ? {
+        total: baselineStats.total,
+        new: baselineStats.new,
+        baselined: baselineStats.baselined,
+        fixed: baselineStats.fixed
+      } : void 0,
+      newIssues,
+      diffOnly: useDiffOnly,
+      changedFiles: changedFiles.length
+    };
+    if (format === "json") {
+      console.log(JSON.stringify(report, null, 2));
+    } else if (format === "sarif") {
+      console.log(JSON.stringify(toSarif(report), null, 2));
+    } else {
+      printCIReport(report, useBaseline);
+    }
+    const issuesToCheck = useBaseline ? newIssues : allResults;
+    if (shouldFail(issuesToCheck, failOn)) {
+      if (useBaseline && newIssues.length > 0) {
+        console.log(chalk4.red(`
+\u274C CI failed: ${newIssues.length} NEW issue(s) detected
+`));
+      }
+      process.exit(1);
+    }
+    if (useBaseline && baseline) {
+      console.log(chalk4.green(`
+\u2713 CI passed (${baselineStats.baselined} baselined issues ignored)
+`));
+    }
+  } catch (error) {
+    console.error(chalk4.red("CI check failed:"), error);
+    process.exit(1);
+  }
+}
+function printCIReport(report, useBaseline) {
+  console.log(chalk4.bold("\n\u{1F6E4}\uFE0F  Devrail CI Report\n"));
+  const scoreColor = report.score >= 80 ? chalk4.green : report.score >= 50 ? chalk4.yellow : chalk4.red;
+  console.log(`Score: ${scoreColor.bold(report.score + "/100")}`);
+  if (useBaseline && report.baseline) {
+    console.log(chalk4.bold("\n\u{1F4CA} PR Gate Status:"));
+    console.log(`  Total issues:     ${report.baseline.total}`);
+    console.log(`  ${chalk4.green("Fixed:")}           ${report.baseline.fixed}`);
+    console.log(`  ${chalk4.dim("Baselined:")}       ${report.baseline.baselined}`);
+    console.log(`  ${chalk4.red("NEW:")}             ${report.baseline.new}`);
+  }
+  console.log(`
+All Findings:`);
+  console.log(`  ${chalk4.red("Errors:")} ${report.summary.errors}`);
+  console.log(`  ${chalk4.yellow("Warnings:")} ${report.summary.warnings}`);
+  console.log(`  ${chalk4.blue("Info:")} ${report.summary.infos}`);
+  if (report.newIssues.length > 0) {
+    console.log("\n" + chalk4.bold.red("\u{1F6A8} NEW Issues (will fail CI):"));
+    for (const result of report.newIssues) {
+      const icon = result.severity === "error" ? chalk4.red("\u2716") : result.severity === "warn" ? chalk4.yellow("\u26A0") : chalk4.blue("\u2139");
+      const location = result.file ? `${result.file}${result.line ? `:${result.line}` : ""}` : "";
+      console.log(`  ${icon} [${result.ruleId}] ${result.message}`);
+      if (location) console.log(`    ${chalk4.dim(location)}`);
+    }
+  } else if (useBaseline && report.baseline && report.baseline.baselined > 0) {
+    console.log("\n" + chalk4.green("\u2713 No NEW issues! Baselined issues are ignored."));
+  }
+  if (report.diffOnly) {
+    console.log(chalk4.dim(`
+Mode: diff-only (${report.changedFiles} files changed)`));
+  }
+  console.log(`
+${chalk4.dim(`Duration: ${report.duration}ms | Tools: ${report.tools.map((t) => t.name).join(", ")}`)}`);
+}
+function toSarif(report) {
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "VibeGuard",
+            version: "0.1.0",
+            informationUri: "https://vibeguard.dev",
+            rules: report.results.map((r) => ({
+              id: r.ruleId,
+              shortDescription: { text: r.message }
+            }))
+          }
+        },
+        results: report.results.map((r) => ({
+          ruleId: r.ruleId,
+          level: r.severity === "error" ? "error" : r.severity === "warn" ? "warning" : "note",
+          message: { text: r.message },
+          locations: r.file ? [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: r.file },
+                region: r.line ? {
+                  startLine: r.line,
+                  startColumn: r.column ?? 1,
+                  endLine: r.endLine ?? r.line,
+                  endColumn: r.endColumn ?? r.column ?? 1
+                } : void 0
+              }
+            }
+          ] : []
+        }))
+      }
+    ]
+  };
+}
+
+// src/cli/commands/baseline.ts
+import chalk5 from "chalk";
+import ora3 from "ora";
+async function baselineCommand(options) {
+  const cwd = process.cwd();
+  const spinner = ora3("Loading configuration...").start();
+  try {
+    const loaded = await loadConfig(cwd);
+    const config = loaded?.config ?? getDefaultConfig();
+    const existingBaseline = await loadBaseline(cwd);
+    if (options.show) {
+      spinner.stop();
+      await showBaselineStatus(cwd, existingBaseline);
+      return;
+    }
+    spinner.text = "Running full scan...";
+    const allResults = await runFullScan(cwd, config);
+    if (existingBaseline && !options.update) {
+      spinner.stop();
+      const stats = getBaselineStats(allResults, existingBaseline);
+      console.log(chalk5.bold("\n\u{1F4CA} Baseline Status:\n"));
+      console.log(`  Total issues:     ${chalk5.cyan(stats.total)}`);
+      console.log(`  ${chalk5.green("Fixed since baseline:")} ${stats.fixed}`);
+      console.log(`  ${chalk5.yellow("Baselined (ignored):")} ${stats.baselined}`);
+      console.log(`  ${chalk5.red("New issues:")}          ${stats.new}`);
+      if (stats.new > 0) {
+        console.log(chalk5.red(`
+\u26A0\uFE0F  ${stats.new} new issue(s) detected!`));
+        console.log(chalk5.dim("Run `devrail baseline --update` to add them to baseline."));
+      } else if (stats.fixed > 0) {
+        console.log(chalk5.green(`
+\u2713 ${stats.fixed} issue(s) fixed since baseline!`));
+        console.log(chalk5.dim("Run `devrail baseline --update` to update the baseline."));
+      } else {
+        console.log(chalk5.green("\n\u2713 No changes since baseline."));
+      }
+      console.log(chalk5.dim(`
+Baseline: .devrail/baseline.json (${existingBaseline.entries.length} entries)
+`));
+      return;
+    }
+    let baseline;
+    if (existingBaseline && options.update) {
+      spinner.text = "Updating baseline...";
+      baseline = updateBaseline(existingBaseline, allResults);
+    } else {
+      spinner.text = "Creating baseline...";
+      baseline = createBaseline(allResults);
+    }
+    await saveBaseline(cwd, baseline);
+    spinner.succeed(chalk5.green("Baseline saved!"));
+    console.log(chalk5.bold("\n\u{1F4CB} Baseline Summary:\n"));
+    console.log(`  Total issues baselined: ${chalk5.cyan(baseline.entries.length)}`);
+    console.log(`  Created: ${chalk5.dim(baseline.createdAt)}`);
+    const byCategory = /* @__PURE__ */ new Map();
+    for (const entry of baseline.entries) {
+      const category = entry.ruleId.split(".")[0] ?? "other";
+      byCategory.set(category, (byCategory.get(category) ?? 0) + 1);
+    }
+    console.log("\n  By category:");
+    for (const [category, count] of byCategory) {
+      console.log(`    ${category}: ${count}`);
+    }
+    console.log(chalk5.bold("\n\u{1F680} What this means:\n"));
+    console.log(`  \u2022 These issues are now "accepted" and won't fail CI`);
+    console.log("  \u2022 New issues in the same categories WILL fail CI");
+    console.log("  \u2022 Fix baselined issues over time to improve your score");
+    console.log(chalk5.dim("\nRun `devrail ci` to verify only new issues are blocked.\n"));
+  } catch (error) {
+    spinner.fail(chalk5.red("Baseline failed"));
+    console.error(error);
+    process.exit(1);
+  }
+}
+async function showBaselineStatus(cwd, baseline) {
+  if (!baseline) {
+    console.log(chalk5.yellow("\n\u26A0\uFE0F  No baseline found."));
+    console.log(chalk5.dim("Run `devrail baseline` to create one.\n"));
+    return;
+  }
+  console.log(chalk5.bold("\n\u{1F4CB} Current Baseline:\n"));
+  console.log(`  Entries:  ${chalk5.cyan(baseline.entries.length)}`);
+  console.log(`  Created:  ${chalk5.dim(baseline.createdAt)}`);
+  console.log(`  Updated:  ${chalk5.dim(baseline.updatedAt)}`);
+  const byRule = /* @__PURE__ */ new Map();
+  for (const entry of baseline.entries) {
+    byRule.set(entry.ruleId, (byRule.get(entry.ruleId) ?? 0) + 1);
+  }
+  console.log("\n  Top issues:");
+  const sorted = [...byRule.entries()].sort((a, b) => b[1] - a[1]).slice(0, 10);
+  for (const [rule, count] of sorted) {
+    console.log(`    ${chalk5.dim(rule)}: ${count}`);
+  }
+  console.log();
+}
+async function runFullScan(cwd, config) {
+  const allResults = [];
+  const builtinResults = await runBuiltinChecks(cwd, [
+    "secrets.gitignore-required",
+    "secrets.no-env-commit",
+    "deps.lockfile.required",
+    "deps.no-unpinned",
+    "deps.no-git-deps",
+    "tests.unit.required",
+    "code.strict-mode",
+    "config.node-version",
+    "config.editor-config"
+  ]);
+  allResults.push(...builtinResults);
+  if (config.tools?.gitleaks !== false && await gitleaksRunner.isInstalled()) {
+    const results = await gitleaksRunner.run(cwd);
+    allResults.push(...results);
+  }
+  if (config.tools?.osvScanner !== false && await osvScannerRunner.isInstalled()) {
+    const results = await osvScannerRunner.run(cwd);
+    allResults.push(...results);
+  }
+  if (config.tools?.semgrep !== false && await semgrepRunner.isInstalled()) {
+    const results = await semgrepRunner.run(cwd);
+    allResults.push(...results);
+  }
+  return allResults;
+}
+
+// src/cli/commands/fix.ts
+import { writeFile as writeFile2, readFile } from "fs/promises";
+import { join as join2 } from "path";
+import chalk6 from "chalk";
+import ora4 from "ora";
+async function fixCommand(options) {
+  const cwd = process.cwd();
+  const spinner = ora4("Analyzing project for fixes...").start();
+  try {
+    const fixes = [];
+    spinner.text = "Checking .gitignore...";
+    fixes.push(...await getGitignoreFixes(cwd));
+    spinner.text = "Checking .editorconfig...";
+    fixes.push(...await getEditorConfigFixes(cwd));
+    spinner.text = "Checking tsconfig.json...";
+    fixes.push(...await getTsConfigFixes(cwd));
+    spinner.text = "Checking Node version...";
+    fixes.push(...await getNodeVersionFixes(cwd));
+    spinner.text = "Checking security headers...";
+    fixes.push(...await getSecurityFixes(cwd));
+    spinner.stop();
+    const applicableFixes = options.all ? fixes : fixes.filter((f) => f.safe);
+    if (applicableFixes.length === 0) {
+      console.log(chalk6.green("\n\u2713 No auto-fixable issues found!\n"));
+      return;
+    }
+    console.log(chalk6.bold(`
+\u{1F527} Found ${applicableFixes.length} fix(es):
+`));
+    for (const fix of applicableFixes) {
+      const safeLabel = fix.safe ? chalk6.green("[safe]") : chalk6.yellow("[review]");
+      console.log(`  ${safeLabel} ${chalk6.cyan(fix.file)}`);
+      console.log(`    ${chalk6.dim(fix.ruleId)}: ${fix.description}`);
+    }
+    if (options.dryRun) {
+      console.log(chalk6.yellow("\n[Dry run] No changes applied."));
+      console.log(chalk6.dim("Run without --dry-run to apply fixes.\n"));
+      return;
+    }
+    console.log();
+    const applySpinner = ora4("Applying fixes...").start();
+    let applied = 0;
+    for (const fix of applicableFixes) {
+      applySpinner.text = `Fixing ${fix.file}...`;
+      try {
+        await fix.action();
+        applied++;
+      } catch (error) {
+        console.error(chalk6.red(`Failed to fix ${fix.file}: ${error}`));
+      }
+    }
+    applySpinner.succeed(chalk6.green(`Applied ${applied}/${applicableFixes.length} fix(es)`));
+    console.log(chalk6.bold("\n\u{1F680} Next steps:\n"));
+    console.log(`  1. ${chalk6.cyan("git diff")}        Review the changes`);
+    console.log(`  2. ${chalk6.cyan("devrail check")}   Verify fixes worked`);
+    console.log(`  3. ${chalk6.cyan("git commit")}      Commit the fixes
+`);
+  } catch (error) {
+    spinner.fail(chalk6.red("Fix failed"));
+    console.error(error);
+    process.exit(1);
+  }
+}
+async function getGitignoreFixes(cwd) {
+  const fixes = [];
+  const gitignorePath = join2(cwd, ".gitignore");
+  const requiredPatterns = [
+    "# Environment",
+    ".env",
+    ".env.local",
+    ".env*.local",
+    "",
+    "# Dependencies",
+    "node_modules/",
+    "",
+    "# Build",
+    "dist/",
+    "build/",
+    ".next/",
+    "",
+    "# Devrail",
+    ".devrail/"
+  ];
+  try {
+    const content = await readFile(gitignorePath, "utf-8");
+    const missingPatterns = requiredPatterns.filter(
+      (p) => p && !content.includes(p.replace("/", ""))
+    );
+    if (missingPatterns.length > 3) {
+      fixes.push({
+        file: ".gitignore",
+        ruleId: "secrets.gitignore-required",
+        description: "Add missing patterns for env files and build artifacts",
+        safe: true,
+        action: async () => {
+          const newContent = content.trimEnd() + "\n\n" + missingPatterns.join("\n") + "\n";
+          await writeFile2(gitignorePath, newContent, "utf-8");
+        }
+      });
+    }
+  } catch {
+    fixes.push({
+      file: ".gitignore",
+      ruleId: "secrets.gitignore-required",
+      description: "Create .gitignore with security patterns",
+      safe: true,
+      action: async () => {
+        await writeFile2(gitignorePath, requiredPatterns.join("\n") + "\n", "utf-8");
+      }
+    });
+  }
+  return fixes;
+}
+async function getEditorConfigFixes(cwd) {
+  const fixes = [];
+  const editorConfigPath = join2(cwd, ".editorconfig");
+  const defaultConfig = `# EditorConfig - https://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+`;
+  try {
+    await readFile(editorConfigPath, "utf-8");
+  } catch {
+    fixes.push({
+      file: ".editorconfig",
+      ruleId: "config.editor-config",
+      description: "Create .editorconfig for consistent formatting",
+      safe: true,
+      action: async () => {
+        await writeFile2(editorConfigPath, defaultConfig, "utf-8");
+      }
+    });
+  }
+  return fixes;
+}
+async function getTsConfigFixes(cwd) {
+  const fixes = [];
+  const tsconfigPath = join2(cwd, "tsconfig.json");
+  try {
+    const content = await readFile(tsconfigPath, "utf-8");
+    const tsconfig = JSON.parse(content);
+    if (!tsconfig.compilerOptions?.strict) {
+      fixes.push({
+        file: "tsconfig.json",
+        ruleId: "code.strict-mode",
+        description: "Enable TypeScript strict mode",
+        safe: false,
+        // May break existing code
+        action: async () => {
+          tsconfig.compilerOptions = tsconfig.compilerOptions || {};
+          tsconfig.compilerOptions.strict = true;
+          await writeFile2(tsconfigPath, JSON.stringify(tsconfig, null, 2) + "\n", "utf-8");
+        }
+      });
+    }
+  } catch {
+  }
+  return fixes;
+}
+async function getNodeVersionFixes(cwd) {
+  const fixes = [];
+  const nvmrcPath = join2(cwd, ".nvmrc");
+  try {
+    await readFile(nvmrcPath, "utf-8");
+  } catch {
+    try {
+      const pkgPath = join2(cwd, "package.json");
+      const pkgContent = await readFile(pkgPath, "utf-8");
+      const pkg = JSON.parse(pkgContent);
+      if (!pkg.engines?.node) {
+        fixes.push({
+          file: ".nvmrc",
+          ruleId: "config.node-version",
+          description: "Create .nvmrc with Node.js LTS version",
+          safe: true,
+          action: async () => {
+            await writeFile2(nvmrcPath, "20\n", "utf-8");
+          }
+        });
+      }
+    } catch {
+    }
+  }
+  return fixes;
+}
+async function getSecurityFixes(cwd) {
+  const fixes = [];
+  const nextConfigPath = join2(cwd, "next.config.js");
+  const nextConfigMjsPath = join2(cwd, "next.config.mjs");
+  try {
+    let configPath = nextConfigPath;
+    let content;
+    try {
+      content = await readFile(nextConfigPath, "utf-8");
+    } catch {
+      content = await readFile(nextConfigMjsPath, "utf-8");
+      configPath = nextConfigMjsPath;
+    }
+    if (!content.includes("headers")) {
+      fixes.push({
+        file: configPath.split("/").pop() ?? "next.config.js",
+        ruleId: "security.headers.required",
+        description: "Add security headers configuration (manual review needed)",
+        safe: false,
+        action: async () => {
+          const headerComment = `
+// TODO: Add security headers
+// See: https://nextjs.org/docs/app/api-reference/next-config-js/headers
+// async headers() {
+//   return [
+//     {
+//       source: '/:path*',
+//       headers: [
+//         { key: 'X-Frame-Options', value: 'DENY' },
+//         { key: 'X-Content-Type-Options', value: 'nosniff' },
+//         { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+//       ],
+//     },
+//   ];
+// },
+`;
+          const newContent = content.replace(
+            "module.exports",
+            headerComment + "\nmodule.exports"
+          );
+          await writeFile2(configPath, newContent, "utf-8");
+        }
+      });
+    }
+  } catch {
+  }
+  return fixes;
+}
+
+// src/cli/commands/watch.ts
+import { watch } from "fs";
+import chalk7 from "chalk";
+async function watchCommand(options) {
+  const cwd = process.cwd();
+  const debounceMs = options.debounce ?? 500;
+  console.log(chalk7.bold.cyan("\n\u{1F6E4}\uFE0F  Devrail Guard Mode\n"));
+  console.log(chalk7.dim("Watching for changes... Press Ctrl+C to stop.\n"));
+  let lastRun = 0;
+  let timeout = null;
+  const runCheck = async () => {
+    const now = Date.now();
+    if (now - lastRun < debounceMs) return;
+    lastRun = now;
+    console.clear();
+    console.log(chalk7.bold.cyan("\u{1F6E4}\uFE0F  Devrail Guard Mode"));
+    console.log(chalk7.dim(`Last check: ${(/* @__PURE__ */ new Date()).toLocaleTimeString()}
+`));
+    try {
+      const results = await runBuiltinChecks(cwd, [
+        "secrets.gitignore-required",
+        "secrets.no-env-commit",
+        "deps.lockfile.required",
+        "tests.unit.required",
+        "code.strict-mode"
+      ]);
+      const errors = results.filter((r) => r.severity === "error");
+      const warnings = results.filter((r) => r.severity === "warn");
+      if (results.length === 0) {
+        console.log(chalk7.green.bold("\u2713 All clear!\n"));
+      } else {
+        console.log(chalk7.bold("Issues:"));
+        for (const result of errors) {
+          console.log(`  ${chalk7.red("\u2716")} ${result.message}`);
+          console.log(`    ${chalk7.dim(result.ruleId)}`);
+        }
+        for (const result of warnings.slice(0, 5)) {
+          console.log(`  ${chalk7.yellow("\u26A0")} ${result.message}`);
+          console.log(`    ${chalk7.dim(result.ruleId)}`);
+        }
+        if (warnings.length > 5) {
+          console.log(chalk7.dim(`
+  ... and ${warnings.length - 5} more warnings`));
+        }
+        console.log(`
+${chalk7.red("Errors:")} ${errors.length} | ${chalk7.yellow("Warnings:")} ${warnings.length}`);
+      }
+      const score = Math.max(0, 100 - errors.length * 10 - warnings.length * 3);
+      const scoreColor = score >= 80 ? chalk7.green : score >= 50 ? chalk7.yellow : chalk7.red;
+      console.log(`
+Score: ${scoreColor.bold(score + "/100")}`);
+      console.log(chalk7.dim("\nWatching for changes..."));
+    } catch (error) {
+      console.error(chalk7.red("Check failed:"), error);
+    }
+  };
+  await runCheck();
+  const watcher = watch(cwd, { recursive: true }, (eventType, filename) => {
+    if (!filename) return;
+    if (filename.includes("node_modules") || filename.includes("dist") || filename.includes(".git") || filename.includes(".devrail")) {
+      return;
+    }
+    if (timeout) clearTimeout(timeout);
+    timeout = setTimeout(runCheck, debounceMs);
+  });
+  process.on("SIGINT", () => {
+    watcher.close();
+    console.log(chalk7.dim("\n\nStopped watching.\n"));
+    process.exit(0);
+  });
+}
+
+// src/cli/commands/report.ts
+import { writeFile as writeFile3 } from "fs/promises";
+import chalk8 from "chalk";
+import ora5 from "ora";
+async function reportCommand(options) {
+  const cwd = process.cwd();
+  const format = options.format ?? "console";
+  const spinner = ora5("Generating security posture report...").start();
+  try {
+    const loaded = await loadConfig(cwd);
+    const config = loaded?.config ?? getDefaultConfig();
+    const allResults = [];
+    spinner.text = "Running builtin checks...";
+    const builtinResults = await runBuiltinChecks(cwd, [
+      "secrets.gitignore-required",
+      "secrets.no-env-commit",
+      "deps.lockfile.required",
+      "deps.no-unpinned",
+      "deps.no-git-deps",
+      "tests.unit.required",
+      "code.strict-mode",
+      "config.node-version",
+      "config.editor-config"
+    ]);
+    allResults.push(...builtinResults);
+    if (await gitleaksRunner.isInstalled()) {
+      spinner.text = "Running secret scan...";
+      const results = await gitleaksRunner.run(cwd);
+      allResults.push(...results);
+    }
+    if (await osvScannerRunner.isInstalled()) {
+      spinner.text = "Running dependency scan...";
+      const results = await osvScannerRunner.run(cwd);
+      allResults.push(...results);
+    }
+    const baseline = await loadBaseline(cwd);
+    const baselineStats = getBaselineStats(allResults, baseline);
+    const posture = calculatePosture(allResults, baseline);
+    spinner.stop();
+    if (format === "json") {
+      const report = {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        posture,
+        issues: allResults,
+        baseline: baseline ? baselineStats : void 0
+      };
+      if (options.output) {
+        await writeFile3(options.output, JSON.stringify(report, null, 2));
+        console.log(chalk8.green(`Report saved to ${options.output}`));
+      } else {
+        console.log(JSON.stringify(report, null, 2));
+      }
+    } else if (format === "markdown") {
+      const md = generateMarkdownReport(posture, allResults, baselineStats);
+      if (options.output) {
+        await writeFile3(options.output, md);
+        console.log(chalk8.green(`Report saved to ${options.output}`));
+      } else {
+        console.log(md);
+      }
+    } else {
+      printConsoleReport(posture, allResults, baselineStats);
+    }
+  } catch (error) {
+    spinner.fail(chalk8.red("Report generation failed"));
+    console.error(error);
+    process.exit(1);
+  }
+}
+function calculatePosture(results, baseline) {
+  const categories = {
+    secrets: { score: 100, issues: 0 },
+    deps: { score: 100, issues: 0 },
+    security: { score: 100, issues: 0 },
+    tests: { score: 100, issues: 0 },
+    config: { score: 100, issues: 0 }
+  };
+  for (const result of results) {
+    const category = result.ruleId.split(".")[0];
+    if (categories[category]) {
+      categories[category].issues++;
+      const penalty = result.severity === "error" ? 15 : result.severity === "warn" ? 5 : 2;
+      categories[category].score = Math.max(0, categories[category].score - penalty);
+    }
+  }
+  const overall = Math.round(
+    categories.secrets.score * 0.3 + categories.deps.score * 0.25 + categories.security.score * 0.2 + categories.tests.score * 0.15 + categories.config.score * 0.1
+  );
+  let trend;
+  let previousScore;
+  if (baseline) {
+    previousScore = baseline.entries.length > 0 ? Math.max(0, 100 - baseline.entries.length * 3) : 100;
+    if (overall > previousScore + 5) trend = "improving";
+    else if (overall < previousScore - 5) trend = "declining";
+    else trend = "stable";
+  }
+  return { overall, categories, trend, previousScore };
+}
+function printConsoleReport(posture, results, baselineStats) {
+  console.log(chalk8.bold.cyan("\n\u{1F4CA} Devrail Security Posture Report\n"));
+  console.log(chalk8.dim("\u2500".repeat(50)));
+  const scoreColor = posture.overall >= 80 ? chalk8.green : posture.overall >= 50 ? chalk8.yellow : chalk8.red;
+  const filledBars = Math.round(posture.overall / 5);
+  const emptyBars = 20 - filledBars;
+  const bar = scoreColor("\u2588".repeat(filledBars)) + chalk8.dim("\u2591".repeat(emptyBars));
+  console.log(`
+${chalk8.bold("Overall Score:")} ${scoreColor.bold(posture.overall + "/100")}`);
+  console.log(`  ${bar}`);
+  if (posture.trend) {
+    const trendIcon = posture.trend === "improving" ? chalk8.green("\u2191") : posture.trend === "declining" ? chalk8.red("\u2193") : chalk8.dim("\u2192");
+    console.log(`  ${trendIcon} ${posture.trend} (was ${posture.previousScore})`);
+  }
+  console.log(chalk8.bold("\n\u{1F4C8} Category Breakdown:\n"));
+  const cats = [
+    { name: "Secrets Hygiene", key: "secrets", weight: "30%" },
+    { name: "Dependencies", key: "deps", weight: "25%" },
+    { name: "Security Patterns", key: "security", weight: "20%" },
+    { name: "Test Coverage", key: "tests", weight: "15%" },
+    { name: "Configuration", key: "config", weight: "10%" }
+  ];
+  for (const cat of cats) {
+    const data = posture.categories[cat.key];
+    const color = data.score >= 80 ? chalk8.green : data.score >= 50 ? chalk8.yellow : chalk8.red;
+    const miniBar = color("\u2588".repeat(Math.round(data.score / 10))) + chalk8.dim("\u2591".repeat(10 - Math.round(data.score / 10)));
+    console.log(`  ${miniBar} ${color(data.score.toString().padStart(3))} ${cat.name} (${cat.weight})`);
+    if (data.issues > 0) {
+      console.log(`             ${chalk8.dim(`${data.issues} issue(s)`)}`);
+    }
+  }
+  if (baselineStats && baselineStats.baselined > 0) {
+    console.log(chalk8.bold("\n\u{1F4CB} Technical Debt:\n"));
+    console.log(`  Baselined issues: ${chalk8.yellow(baselineStats.baselined)}`);
+    console.log(`  Fixed since baseline: ${chalk8.green(baselineStats.fixed)}`);
+    console.log(`  New issues: ${chalk8.red(baselineStats.new)}`);
+  }
+  console.log(chalk8.bold("\n\u{1F3AF} Top Actions:\n"));
+  const actions = [];
+  if (posture.categories.secrets.issues > 0) {
+    actions.push("Fix secret/credential issues");
+  }
+  if (posture.categories.deps.issues > 0) {
+    actions.push("Update vulnerable dependencies");
+  }
+  if (posture.categories.tests.issues > 0) {
+    actions.push("Add unit tests");
+  }
+  if (posture.categories.security.issues > 0) {
+    actions.push("Address security patterns");
+  }
+  if (posture.categories.config.issues > 0) {
+    actions.push("Improve project configuration");
+  }
+  for (let i = 0; i < Math.min(3, actions.length); i++) {
+    console.log(`  ${i + 1}. ${actions[i]}`);
+  }
+  if (actions.length === 0) {
+    console.log(chalk8.green("  \u2713 No critical actions needed!"));
+  }
+  console.log();
+}
+function generateMarkdownReport(posture, results, baselineStats) {
+  const lines = [];
+  lines.push("# \u{1F4CA} Devrail Security Posture Report");
+  lines.push("");
+  lines.push(`**Date:** ${(/* @__PURE__ */ new Date()).toLocaleDateString()}`);
+  lines.push(`**Overall Score:** ${posture.overall}/100`);
+  if (posture.trend) {
+    const emoji = posture.trend === "improving" ? "\u{1F4C8}" : posture.trend === "declining" ? "\u{1F4C9}" : "\u27A1\uFE0F";
+    lines.push(`**Trend:** ${emoji} ${posture.trend}`);
+  }
+  lines.push("");
+  lines.push("## Category Breakdown");
+  lines.push("");
+  lines.push("| Category | Score | Issues |");
+  lines.push("|----------|-------|--------|");
+  const cats = [
+    { name: "Secrets Hygiene", key: "secrets" },
+    { name: "Dependencies", key: "deps" },
+    { name: "Security Patterns", key: "security" },
+    { name: "Test Coverage", key: "tests" },
+    { name: "Configuration", key: "config" }
+  ];
+  for (const cat of cats) {
+    const data = posture.categories[cat.key];
+    const emoji = data.score >= 80 ? "\u2705" : data.score >= 50 ? "\u26A0\uFE0F" : "\u274C";
+    lines.push(`| ${cat.name} | ${emoji} ${data.score}/100 | ${data.issues} |`);
+  }
+  if (baselineStats && baselineStats.baselined > 0) {
+    lines.push("");
+    lines.push("## Technical Debt");
+    lines.push("");
+    lines.push(`- **Baselined:** ${baselineStats.baselined} issues`);
+    lines.push(`- **Fixed:** ${baselineStats.fixed} issues`);
+    lines.push(`- **New:** ${baselineStats.new} issues`);
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push("*Generated by [Devrail](https://devrail.dev)*");
+  return lines.join("\n");
+}
+
+// src/cli/index.ts
+var program = new Command();
+program.name("dr").description("Devrail - Security & Quality Guardrails").version("0.1.0");
+program.command("init").description("Initialize Devrail in your project").option("-p, --preset <preset>", "Preset to use (auto-detected if not specified)").option("-l, --level <level>", "Level (basic, standard, strict)", "standard").option("--no-hooks", "Skip git hooks setup").option("--no-ci", "Skip CI template generation").action(initCommand);
+program.command("check").description("Run local checks (fast)").option("-f, --fix", "Apply safe autofixes").option("--changed", "Only check changed files").option("--json", "Output as JSON").action(checkCommand);
+program.command("ci").description("Run full CI checks (blocking)").option("--fail-on <severity>", "Fail on severity level (info, warn, error)", "error").option("--format <format>", "Output format (console, json, sarif)", "console").option("--new-only", "Only fail on NEW issues (not baselined)", true).option("--no-new-only", "Fail on ALL issues (ignore baseline)").option("--diff-only", "Only check changed files").action(ciCommand);
+program.command("explain <ruleId>").description("Explain a rule and how to fix it").action(explainCommand);
+program.command("fix").description("Apply safe auto-fixes").option("--dry-run", "Show what would be fixed without applying").option("--all", "Include fixes that need review").action(fixCommand);
+program.command("baseline").description("Accept existing issues, block only new ones").option("--update", "Update existing baseline with current issues").option("--show", "Show current baseline status").action(baselineCommand);
+program.command("guard").alias("watch").description("Watch mode - continuous feedback while coding").option("--debounce <ms>", "Debounce interval in milliseconds", "500").action(watchCommand);
+program.command("report").description("Generate security posture report").option("--format <format>", "Output format (console, json, markdown)", "console").option("-o, --output <file>", "Output file path").action(reportCommand);
+program.command("rules").description("List all available rules").option("-c, --category <category>", "Filter by category").option("-l, --level <level>", "Filter by level").action(async (options) => {
+  const { rules } = await import("../rules-XIWD4KI4.js");
+  let filtered = rules;
+  if (options.category) {
+    filtered = filtered.filter((r) => r.category === options.category);
+  }
+  if (options.level) {
+    filtered = filtered.filter((r) => r.levels[options.level]);
+  }
+  console.log(chalk9.bold("\nDevrail Rules\n"));
+  const categories = [...new Set(filtered.map((r) => r.category))];
+  for (const category of categories) {
+    console.log(chalk9.cyan.bold(`
+${category.toUpperCase()}`));
+    const categoryRules = filtered.filter((r) => r.category === category);
+    for (const rule of categoryRules) {
+      const severityColor = rule.severity === "error" ? chalk9.red : rule.severity === "warn" ? chalk9.yellow : chalk9.blue;
+      const autofix = rule.autofix ? chalk9.green(" [autofix]") : "";
+      console.log(`  ${severityColor("\u25CF")} ${chalk9.bold(rule.id)}${autofix}`);
+      console.log(`    ${chalk9.dim(rule.description)}`);
+    }
+  }
+  console.log(`
+${chalk9.dim(`Total: ${filtered.length} rules`)}
+`);
+});
+program.parse();
+//# sourceMappingURL=index.js.map