falsegreen-js 0.2.0 → 0.4.0

package/dist/cli.js

@@ -1,38 +1,112 @@
 #!/usr/bin/env node
-import { JUDGMENTS, groupOf } from "./cases.js";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { pathToFileURL, fileURLToPath } from "node:url";
+import { JUDGMENTS, CASES, groupOf, riskGroupOf, FIX_HINTS } from "./cases.js";
+import { ORACLE_REGISTRY_VERSION } from "./oracles.js";
 import { scanPaths, scanFile, stagedFiles, loadConfig, } from "./scan.js";
-const VERSION = "0.2.0";
+import { auditConfig } from "./audit.js";
+import { OUTPUT_EXT, renderSarif, renderJunit, loadBaseline, writeBaseline, applyBaseline, } from "./report.js";
+const DEFAULT_BASELINE = ".falsegreen-baseline.json";
+/** Single source of truth for the version: package.json, resolved at runtime so
+ * `--version` and the JSON report never drift from the published package. */
+function readVersion() {
+    try {
+        const pkg = path.join(path.dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+        return JSON.parse(fs.readFileSync(pkg, "utf-8")).version ?? "0.0.0";
+    }
+    catch {
+        return "0.0.0";
+    }
+}
+const VERSION = readVersion();
 const TOOL_URI = "https://github.com/vinicq/falsegreen-js";
 const HELP = `falsegreen-js ${VERSION} - find false-positive JS/TS tests (static AST scan)
 
 Usage:
   falsegreen-js [paths...]        files/dirs; no args = scan cwd
   falsegreen-js --staged          only test files staged in git
-  falsegreen-js --json            JSON output
+  falsegreen-js --format FMT      text | json | sarif | junit (default text)
+  falsegreen-js --json            alias for --format json
+  falsegreen-js --output PATH     write to a file, or report.<ext> into a directory
+  falsegreen-js --baseline [PATH] suppress findings in PATH (default ${DEFAULT_BASELINE})
+  falsegreen-js --write-baseline [PATH]  record current findings as a baseline, exit 0
+  falsegreen-js --config-audit    audit Jest/Vitest config (project-layer PL codes)
   falsegreen-js --diagnostics     also report the opt-in maintainability group (D*/M*)
   falsegreen-js --disable C7,JS3  turn off specific codes
   falsegreen-js --version
   falsegreen-js --help
 
+Each finding carries its pyramid level (unit/integration/e2e, read from imports)
+and a one-line fix hint; the summary breaks findings down by level.
 Exit codes: 0 clean, 10 low-confidence only, 20 high-confidence present.
 Suppress inline:  expect(x).toBe(x); // falsegreen: ignore[C7]
 Covers: .js .jsx .ts .tsx .mjs .cjs .mts .cts`;
+const FORMATS = new Set(["text", "json", "sarif", "junit"]);
 function parseArgs(argv) {
     const paths = [];
     let json = false, staged = false, help = false, version = false, diagnostics = false;
+    let configAudit = false;
+    let format;
+    let output;
+    let baseline;
+    let writeBaselinePath;
     const disable = new Set();
+    // An optional-value flag (--baseline / --write-baseline) consumes the next
+    // token only when it is a value, not another flag.
+    const optionalValue = (next) => (next !== undefined && !next.startsWith("-")) ? next : undefined;
     for (let i = 0; i < argv.length; i++) {
         const a = argv[i];
         if (a === "--json")
             json = true;
         else if (a === "--staged")
             staged = true;
+        else if (a === "--config-audit")
+            configAudit = true;
         else if (a === "--diagnostics")
             diagnostics = true;
         else if (a === "--help" || a === "-h")
             help = true;
         else if (a === "--version" || a === "-V")
             version = true;
+        else if (a === "--format") {
+            const v = argv[++i] ?? "";
+            if (!FORMATS.has(v)) {
+                process.stderr.write(`falsegreen-js: invalid --format ${v} (text|json|sarif|junit)\n`);
+                process.exit(2);
+            }
+            format = v;
+        }
+        else if (a.startsWith("--format=")) {
+            const v = a.slice("--format=".length);
+            if (!FORMATS.has(v)) {
+                process.stderr.write(`falsegreen-js: invalid --format ${v} (text|json|sarif|junit)\n`);
+                process.exit(2);
+            }
+            format = v;
+        }
+        else if (a === "--output")
+            output = argv[++i] ?? "";
+        else if (a.startsWith("--output="))
+            output = a.slice("--output=".length);
+        else if (a === "--baseline") {
+            const v = optionalValue(argv[i + 1]);
+            if (v !== undefined)
+                i++;
+            baseline = v ?? DEFAULT_BASELINE;
+        }
+        else if (a.startsWith("--baseline=")) {
+            baseline = a.slice("--baseline=".length) || DEFAULT_BASELINE;
+        }
+        else if (a === "--write-baseline") {
+            const v = optionalValue(argv[i + 1]);
+            if (v !== undefined)
+                i++;
+            writeBaselinePath = v ?? DEFAULT_BASELINE;
+        }
+        else if (a.startsWith("--write-baseline=")) {
+            writeBaselinePath = a.slice("--write-baseline=".length) || DEFAULT_BASELINE;
+        }
         else if (a === "--disable") {
             const v = argv[++i] ?? "";
             v.split(",").map((s) => s.trim()).filter(Boolean).forEach((c) => disable.add(c));
@@ -48,7 +122,34 @@ function parseArgs(argv) {
         else
             paths.push(a);
     }
-    return { paths, json, staged, help, version, diagnostics, disable };
+    const fmt = format ?? (json ? "json" : "text");
+    return {
+        paths, fmt, staged, help, version, diagnostics, configAudit, disable,
+        output, baseline, writeBaselinePath,
+    };
+}
+/** Turn --output into a concrete file path. A directory (existing dir, a
+ * trailing separator, or an extension-less name like ".falsegreen") receives
+ * "report.<ext>" for the chosen format; anything else is treated as a file.
+ * Missing parent directories are created either way. */
+export function resolveOutputPath(p, fmt) {
+    const ext = OUTPUT_EXT[fmt];
+    const trimmed = p.replace(/[/\\]+$/, "");
+    const base = path.basename(trimmed);
+    let isDir = /[/\\]$/.test(p) || path.extname(base) === "";
+    try {
+        if (fs.statSync(p).isDirectory())
+            isDir = true;
+    }
+    catch { /* missing path */ }
+    if (isDir) {
+        fs.mkdirSync(p, { recursive: true });
+        return path.join(p, `report.${ext}`);
+    }
+    const parent = path.dirname(p);
+    if (parent)
+        fs.mkdirSync(parent, { recursive: true });
+    return p;
 }
 function exitCode(findings) {
     if (findings.some((f) => f.confidence === "high"))
@@ -57,7 +158,36 @@ function exitCode(findings) {
         return 10;
     return 0;
 }
-function renderText(findings) {
+/** The JSON report object. Each finding carries both the primary `riskGroup`
+ * (closed taxonomy) and the legacy `group` (transition-compat), plus its fix
+ * hint. The tool block records the oracle-registry version that classified it. */
+export function buildReport(findings) {
+    return {
+        tool: "falsegreen-js",
+        version: VERSION,
+        oracleRegistryVersion: ORACLE_REGISTRY_VERSION,
+        judgments: JUDGMENTS,
+        findings: findings.map((f) => ({
+            ...f,
+            riskGroup: riskGroupOf(f.code),
+            group: groupOf(f.code),
+            fix: FIX_HINTS[f.code] ?? "",
+        })),
+    };
+}
+/** Render findings in the chosen format. JSON keeps the full report object
+ * (riskGroup/group/fix/oracleRegistryVersion/judgments); SARIF/JUnit follow the
+ * Python sibling's contract. */
+export function render(findings, fmt) {
+    if (fmt === "json")
+        return JSON.stringify(buildReport(findings), null, 2);
+    if (fmt === "sarif")
+        return renderSarif(findings, TOOL_URI, VERSION);
+    if (fmt === "junit")
+        return renderJunit(findings);
+    return renderText(findings);
+}
+export function renderText(findings) {
     if (findings.length === 0)
         return "falsegreen-js: no false-positive patterns found.";
     const byFile = new Map();
@@ -76,11 +206,45 @@ function renderText(findings) {
                 low++;
             lines.push(`  ${tag} ${f.code.padEnd(4)} L${f.line}  ${f.title}` +
                 (f.detail ? `\n         ${f.detail}` : ""));
+            const hint = FIX_HINTS[f.code];
+            lines.push(`         level: ${f.level}` + (hint ? `   fix: ${hint}` : ""));
         }
     }
     lines.push(`\n${high} high, ${low} low. ${TOOL_URI}`);
+    // Test-pyramid breakdown + the most common fixes, over every finding shown.
+    const byLevel = new Map();
+    const byCode = new Map();
+    for (const f of findings) {
+        byLevel.set(f.level, (byLevel.get(f.level) ?? 0) + 1);
+        byCode.set(f.code, (byCode.get(f.code) ?? 0) + 1);
+    }
+    const order = ["unit", "integration", "e2e"];
+    const levels = [
+        ...order.filter((l) => byLevel.has(l)),
+        ...[...byLevel.keys()].filter((l) => !order.includes(l)).sort(),
+    ];
+    lines.push("By level: " + levels.map((l) => `${l}:${byLevel.get(l)}`).join(", "));
+    const top = [...byCode.entries()]
+        .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])).slice(0, 3);
+    lines.push("Top fixes:");
+    for (const [code, n] of top) {
+        lines.push(`  ${code} (${n}): ${FIX_HINTS[code] ?? CASES[code].title}`);
+    }
     return lines.join("\n");
 }
+function scan(opt) {
+    const config = loadConfig();
+    const scanOpts = { config, cliDisable: opt.disable, diagnostics: opt.diagnostics };
+    if (opt.staged)
+        return stagedFiles().flatMap((f) => scanFile(f, scanOpts));
+    return scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);
+}
+function emit(rendered, opt) {
+    if (opt.output)
+        fs.writeFileSync(resolveOutputPath(opt.output, opt.fmt), rendered + "\n");
+    else
+        process.stdout.write(rendered + "\n");
+}
 function main() {
     const opt = parseArgs(process.argv.slice(2));
     if (opt.help) {
@@ -91,26 +255,49 @@ function main() {
         process.stdout.write(VERSION + "\n");
         process.exit(0);
     }
-    const config = loadConfig();
-    const scanOpts = { config, cliDisable: opt.disable, diagnostics: opt.diagnostics };
-    let findings;
-    if (opt.staged) {
-        findings = stagedFiles().flatMap((f) => scanFile(f, scanOpts));
-    }
-    else {
-        findings = scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);
+    // --write-baseline records the current scan and exits clean, ahead of every
+    // other mode (mirrors the Python sibling: it ratchets the file scan only).
+    if (opt.writeBaselinePath !== undefined) {
+        const n = writeBaseline(opt.writeBaselinePath, scan(opt));
+        process.stderr.write(`falsegreen-js: wrote ${n} fingerprint(s) to ${opt.writeBaselinePath}\n`);
+        process.exit(0);
     }
-    if (opt.json) {
-        process.stdout.write(JSON.stringify({
-            tool: "falsegreen-js",
-            version: VERSION,
-            judgments: JUDGMENTS,
-            findings: findings.map((f) => ({ ...f, group: groupOf(f.code) })),
-        }, null, 2) + "\n");
+    if (opt.configAudit) {
+        const base = opt.paths.find((p) => { try {
+            return fs.statSync(p).isDirectory();
+        }
+        catch {
+            return false;
+        } }) ?? ".";
+        const findings = auditConfig(base);
+        emit(render(findings, opt.fmt), opt);
+        process.exit(findings.length ? 10 : 0);
     }
-    else {
-        process.stdout.write(renderText(findings) + "\n");
+    let findings = scan(opt);
+    // The baseline filter runs before the exit code, so CI fails only on findings
+    // that are not already recorded.
+    if (opt.baseline !== undefined) {
+        findings = applyBaseline(findings, loadBaseline(opt.baseline));
     }
+    emit(render(findings, opt.fmt), opt);
     process.exit(exitCode(findings));
 }
-main();
+/** True when this module is the process entry point. Package managers expose the
+ * `bin` through a symlink (node_modules/.bin/falsegreen-js), so process.argv[1]
+ * is the symlink while import.meta.url is the real dist/cli.js path; resolve the
+ * realpath before comparing, or `npx falsegreen-js` would exit without scanning. */
+export function isDirectRun(invokedPath, moduleUrl) {
+    if (!invokedPath)
+        return false;
+    let resolved = invokedPath;
+    try {
+        resolved = fs.realpathSync(invokedPath);
+    }
+    catch { /* keep raw path */ }
+    return moduleUrl === pathToFileURL(resolved).href;
+}
+// Run only when invoked as the CLI, so the module can be imported in tests
+// without triggering a scan and process.exit.
+if (isDirectRun(process.argv[1], import.meta.url)) {
+    main();
+}

package/dist/level.d.ts

@@ -0,0 +1,10 @@
+import ts from "typescript";
+import { PyramidLevel } from "./cases.js";
+/**
+ * Map a test file to a pyramid level from its import roots: "e2e" (browser
+ * driver / e2e framework), "integration" (HTTP client or database driver:
+ * API and DB tests), or "unit" (neither). Broadest wins. A real API/DB import
+ * in a test the author treats as a unit test is itself the smell, surfaced by
+ * the level mismatch.
+ */
+export declare function detectPyramidLevel(sf: ts.SourceFile): PyramidLevel;

package/dist/level.js

@@ -0,0 +1,75 @@
+import ts from "typescript";
+// Browser drivers and end-to-end frameworks. A test file importing one of these
+// drives a real browser or a full stack: it is an E2E test.
+const E2E_ROOTS = new Set([
+    "cypress", "@playwright/test", "playwright", "playwright-core",
+    "selenium-webdriver", "webdriverio", "@wdio/globals", "puppeteer",
+    "puppeteer-core", "protractor", "nightwatch", "testcafe",
+]);
+// HTTP clients / API mocks and real datastore drivers or ORMs. A test importing
+// one of these crosses an I/O boundary (API or database): it is an integration
+// test, where the response or the row is the oracle.
+const INTEGRATION_ROOTS = new Set([
+    // API / HTTP
+    "supertest", "axios", "node-fetch", "cross-fetch", "got", "undici",
+    "superagent", "request", "nock", "msw", "pactum",
+    // database drivers / ORMs
+    "@prisma/client", "prisma", "typeorm", "sequelize", "mongoose", "mongodb",
+    "pg", "mysql", "mysql2", "redis", "ioredis", "knex", "better-sqlite3",
+    "sqlite3", "drizzle-orm", "testcontainers",
+]);
+/** The package root of a module specifier, or null for a relative import.
+ * Scoped packages keep two segments (`@playwright/test`); others keep one. */
+function packageRoot(spec) {
+    if (!spec || spec.startsWith(".") || spec.startsWith("/"))
+        return null;
+    const parts = spec.split("/");
+    return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
+}
+/** Every module specifier imported or required in the file. */
+function importRoots(sf) {
+    const roots = new Set();
+    const add = (spec) => {
+        const root = spec ? packageRoot(spec) : null;
+        if (root)
+            roots.add(root);
+    };
+    const visit = (node) => {
+        if (ts.isImportDeclaration(node) && ts.isStringLiteral(node.moduleSpecifier)) {
+            add(node.moduleSpecifier.text);
+        }
+        else if (ts.isImportEqualsDeclaration(node) &&
+            ts.isExternalModuleReference(node.moduleReference) &&
+            ts.isStringLiteral(node.moduleReference.expression)) {
+            add(node.moduleReference.expression.text);
+        }
+        else if (ts.isCallExpression(node)) {
+            const fn = node.expression;
+            const isRequire = ts.isIdentifier(fn) && fn.text === "require";
+            const isDynImport = fn.kind === ts.SyntaxKind.ImportKeyword;
+            const arg = node.arguments[0];
+            if ((isRequire || isDynImport) && arg && ts.isStringLiteral(arg))
+                add(arg.text);
+        }
+        ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return roots;
+}
+/**
+ * Map a test file to a pyramid level from its import roots: "e2e" (browser
+ * driver / e2e framework), "integration" (HTTP client or database driver:
+ * API and DB tests), or "unit" (neither). Broadest wins. A real API/DB import
+ * in a test the author treats as a unit test is itself the smell, surfaced by
+ * the level mismatch.
+ */
+export function detectPyramidLevel(sf) {
+    const roots = importRoots(sf);
+    for (const r of roots)
+        if (E2E_ROOTS.has(r))
+            return "e2e";
+    for (const r of roots)
+        if (INTEGRATION_ROOTS.has(r))
+            return "integration";
+    return "unit";
+}

package/dist/oracles.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Oracle registry — the assertion-API vocabulary falsegreen-js understands, kept
+ * as a single versioned table instead of scattered Sets across the rules.
+ *
+ * Each family is classified by how its failure reaches the runner. That kind is
+ * what tells the async analysis whether a call settles synchronously, returns a
+ * promise that must be awaited, or only produces a value:
+ *
+ *   sync-fail          throws synchronously on mismatch — a bare statement is
+ *                      enough to fail the test (jest/vitest expect().matcher(),
+ *                      node:assert, chai assert, sinon.assert).
+ *   promise            returns a promise; the failure only surfaces if it is
+ *                      awaited or returned (expect().resolves/.rejects, supertest
+ *                      .expect() in its awaited form).
+ *   runner-registered  registered with the runner; the framework collects the
+ *                      result even from a fluent chain (AVA/node:test t.is,
+ *                      Cypress cy.should, chai .should).
+ *   value-only         produces a value but does not assert on its own; it must
+ *                      feed an assertion (Testing Library getBy* and findBy*).
+ *
+ * Bump ORACLE_REGISTRY_VERSION when the classification changes, so a JSON report
+ * records which vocabulary produced it.
+ */
+export declare const ORACLE_REGISTRY_VERSION = 2;
+export type OracleKind = "sync-fail" | "promise" | "runner-registered" | "value-only";
+/**
+ * Roots whose `<root>.<method>()` call counts as an assertion across runners:
+ * AVA / node:test / tap (t), Cypress (cy), chai assert, sinon.assert, QUnit.
+ * These are runner-registered: the framework records the outcome.
+ */
+export declare const ASSERT_ROOTS: Set<string>;
+/** Assertion method names used by AVA / tap / node:test / chai assert / QUnit. */
+export declare const ASSERT_METHODS: Set<string>;
+/** Matchers whose baseline is generated from the output itself (snapshot family). */
+export declare const SNAPSHOT_MATCHERS: Set<string>;
+/** Equality matchers (Jest/Vitest). */
+export declare const EQUALITY_MATCHERS: Set<string>;
+/**
+ * Testing Library async leaves that return a promise and must be awaited before
+ * the assertion can settle (value-only / promise: findBy* resolve to an element,
+ * waitFor* resolve when their callback stops throwing).
+ */
+export declare const ASYNC_AWAIT_LEAVES: Set<string>;
+/** Vue/Svelte async test helpers that return a promise and must be awaited. */
+export declare const VUE_SVELTE_ASYNC: Set<string>;
+/**
+ * Classify a call name (`root.leaf` or a bare identifier) by oracle kind. Returns
+ * null when the name is not a known oracle. Conservative: only the vocabulary
+ * above is classified; project-specific helpers are handled by naming convention
+ * in the rules, not here.
+ */
+export declare function oracleKind(name: string): OracleKind | null;

package/dist/oracles.js

@@ -0,0 +1,87 @@
+/**
+ * Oracle registry — the assertion-API vocabulary falsegreen-js understands, kept
+ * as a single versioned table instead of scattered Sets across the rules.
+ *
+ * Each family is classified by how its failure reaches the runner. That kind is
+ * what tells the async analysis whether a call settles synchronously, returns a
+ * promise that must be awaited, or only produces a value:
+ *
+ *   sync-fail          throws synchronously on mismatch — a bare statement is
+ *                      enough to fail the test (jest/vitest expect().matcher(),
+ *                      node:assert, chai assert, sinon.assert).
+ *   promise            returns a promise; the failure only surfaces if it is
+ *                      awaited or returned (expect().resolves/.rejects, supertest
+ *                      .expect() in its awaited form).
+ *   runner-registered  registered with the runner; the framework collects the
+ *                      result even from a fluent chain (AVA/node:test t.is,
+ *                      Cypress cy.should, chai .should).
+ *   value-only         produces a value but does not assert on its own; it must
+ *                      feed an assertion (Testing Library getBy* and findBy*).
+ *
+ * Bump ORACLE_REGISTRY_VERSION when the classification changes, so a JSON report
+ * records which vocabulary produced it.
+ */
+export const ORACLE_REGISTRY_VERSION = 2;
+/**
+ * Roots whose `<root>.<method>()` call counts as an assertion across runners:
+ * AVA / node:test / tap (t), Cypress (cy), chai assert, sinon.assert, QUnit.
+ * These are runner-registered: the framework records the outcome.
+ */
+export const ASSERT_ROOTS = new Set(["assert", "t", "cy", "tap", "qunit", "sinon", "chai", "should"]);
+/** Assertion method names used by AVA / tap / node:test / chai assert / QUnit. */
+export const ASSERT_METHODS = new Set([
+    "is", "not", "ok", "notOk", "true", "false", "truthy", "falsy",
+    "equal", "notEqual", "deepEqual", "notDeepEqual", "strictEqual",
+    "same", "notSame", "throws", "notThrows", "throwsAsync", "regex", "notRegex",
+    "pass", "fail", "assert", "expect", "include", "match",
+]);
+/** Matchers whose baseline is generated from the output itself (snapshot family). */
+export const SNAPSHOT_MATCHERS = new Set([
+    "toMatchSnapshot", "toMatchInlineSnapshot",
+    "toThrowErrorMatchingSnapshot", "toThrowErrorMatchingInlineSnapshot",
+    // visual snapshots (Playwright): the baseline is generated from the output too
+    "toHaveScreenshot", "toMatchScreenshot",
+]);
+/** Equality matchers (Jest/Vitest). */
+export const EQUALITY_MATCHERS = new Set(["toBe", "toEqual", "toStrictEqual"]);
+/**
+ * Testing Library async leaves that return a promise and must be awaited before
+ * the assertion can settle (value-only / promise: findBy* resolve to an element,
+ * waitFor* resolve when their callback stops throwing).
+ */
+export const ASYNC_AWAIT_LEAVES = new Set(["waitFor", "waitForElementToBeRemoved"]);
+/** Vue/Svelte async test helpers that return a promise and must be awaited. */
+export const VUE_SVELTE_ASYNC = new Set(["flushPromises", "nextTick", "$nextTick", "tick"]);
+/**
+ * Classify a call name (`root.leaf` or a bare identifier) by oracle kind. Returns
+ * null when the name is not a known oracle. Conservative: only the vocabulary
+ * above is classified; project-specific helpers are handled by naming convention
+ * in the rules, not here.
+ */
+export function oracleKind(name) {
+    const parts = name.split(".");
+    const root = parts[0];
+    const leaf = parts[parts.length - 1];
+    // expect(x).resolves/.rejects.matcher() — promise; plain expect().matcher() is sync-fail.
+    if (root === "expect")
+        return name.includes(".resolves") || name.includes(".rejects") ? "promise" : "sync-fail";
+    if (root === "assert")
+        return "sync-fail";
+    if (root === "sinon" && name.includes("assert"))
+        return "sync-fail";
+    if (ASSERT_ROOTS.has(root) && ASSERT_METHODS.has(leaf))
+        return "runner-registered";
+    if (leaf === "should")
+        return "runner-registered";
+    if (leaf.startsWith("findBy") || leaf.startsWith("findAllBy"))
+        return "value-only";
+    // @testing-library/user-event v14+: every action (click/type/keyboard/…) returns
+    // a promise that must be awaited before the resulting state can be asserted.
+    if (root === "userEvent")
+        return "promise";
+    if (ASYNC_AWAIT_LEAVES.has(leaf))
+        return "promise";
+    if (VUE_SVELTE_ASYNC.has(leaf))
+        return "promise";
+    return null;
+}

package/dist/report.d.ts

@@ -0,0 +1,31 @@
+import { Finding } from "./types.js";
+export type OutputFormat = "text" | "json" | "sarif" | "junit";
+export declare const OUTPUT_EXT: Record<OutputFormat, string>;
+/** A forward-slash relative URI (load-bearing for GitHub code scanning). */
+export declare function relUri(file: string): string;
+/**
+ * SARIF 2.1.0 document. One rule per code present, one result per finding.
+ * Levels come from the finding's effective confidence; result tags carry the
+ * judgment, the risk group, and the level so GitHub code scanning can facet on
+ * any of them.
+ */
+export declare function renderSarif(findings: Finding[], toolUri: string, version: string): string;
+/**
+ * JUnit XML. One testcase per finding, ordered by (file, line). A high-severity
+ * finding is a <failure>; everything else is <skipped>. The suite attributes
+ * count tests, failures (high), skipped (non-high), and errors (always 0).
+ */
+export declare function renderJunit(findings: Finding[]): string;
+/**
+ * Stable id: sha1(relpath + "\0" + code + "\0" + detail)[:16]. No line number,
+ * so the fingerprint survives unrelated line shifts in the file. The js
+ * fingerprint omits the source snippet the Python tool folds in, since the js
+ * Finding does not carry one.
+ */
+export declare function fingerprint(f: Finding): string;
+/** Read a baseline file into a set of fingerprints (empty set if unreadable). */
+export declare function loadBaseline(file: string): Set<string>;
+/** Write all current findings as a baseline. Returns how many were recorded. */
+export declare function writeBaseline(file: string, findings: Finding[]): number;
+/** Drop findings whose content fingerprint is already in the baseline. */
+export declare function applyBaseline(findings: Finding[], baseline: Set<string>): Finding[];