falsegreen-js 0.3.0 → 0.5.0

package/dist/cli.js

@@ -1,22 +1,40 @@
 #!/usr/bin/env node
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { pathToFileURL } from "node:url";
-import { JUDGMENTS, CASES, groupOf, FIX_HINTS } from "./cases.js";
+import { pathToFileURL, fileURLToPath } from "node:url";
+import { JUDGMENTS, CASES, groupOf, riskGroupOf, FIX_HINTS } from "./cases.js";
+import { ORACLE_REGISTRY_VERSION } from "./oracles.js";
 import { scanPaths, scanFile, stagedFiles, loadConfig, } from "./scan.js";
 import { auditConfig } from "./audit.js";
-const VERSION = "0.2.0";
+import { OUTPUT_EXT, renderSarif, renderJunit, loadBaseline, writeBaseline, applyBaseline, } from "./report.js";
+const DEFAULT_BASELINE = ".falsegreen-baseline.json";
+/** Single source of truth for the version: package.json, resolved at runtime so
+ * `--version` and the JSON report never drift from the published package. */
+function readVersion() {
+    try {
+        const pkg = path.join(path.dirname(fileURLToPath(import.meta.url)), "..", "package.json");
+        return JSON.parse(fs.readFileSync(pkg, "utf-8")).version ?? "0.0.0";
+    }
+    catch {
+        return "0.0.0";
+    }
+}
+const VERSION = readVersion();
 const TOOL_URI = "https://github.com/vinicq/falsegreen-js";
 const HELP = `falsegreen-js ${VERSION} - find false-positive JS/TS tests (static AST scan)
 
 Usage:
   falsegreen-js [paths...]        files/dirs; no args = scan cwd
   falsegreen-js --staged          only test files staged in git
-  falsegreen-js --json            JSON output
+  falsegreen-js --format FMT      text | json | sarif | junit (default text)
+  falsegreen-js --json            alias for --format json
   falsegreen-js --output PATH     write to a file, or report.<ext> into a directory
+  falsegreen-js --baseline [PATH] suppress findings in PATH (default ${DEFAULT_BASELINE})
+  falsegreen-js --write-baseline [PATH]  record current findings as a baseline, exit 0
   falsegreen-js --config-audit    audit Jest/Vitest config (project-layer PL codes)
   falsegreen-js --diagnostics     also report the opt-in maintainability group (D*/M*)
   falsegreen-js --disable C7,JS3  turn off specific codes
+  falsegreen-js --enable D8,M2    re-activate off/opt-in codes at catalog severity (--disable wins)
   falsegreen-js --version
   falsegreen-js --help
 
@@ -25,12 +43,20 @@ and a one-line fix hint; the summary breaks findings down by level.
 Exit codes: 0 clean, 10 low-confidence only, 20 high-confidence present.
 Suppress inline:  expect(x).toBe(x); // falsegreen: ignore[C7]
 Covers: .js .jsx .ts .tsx .mjs .cjs .mts .cts`;
+const FORMATS = new Set(["text", "json", "sarif", "junit"]);
 function parseArgs(argv) {
     const paths = [];
     let json = false, staged = false, help = false, version = false, diagnostics = false;
     let configAudit = false;
+    let format;
     let output;
+    let baseline;
+    let writeBaselinePath;
     const disable = new Set();
+    const enable = new Set();
+    // An optional-value flag (--baseline / --write-baseline) consumes the next
+    // token only when it is a value, not another flag.
+    const optionalValue = (next) => (next !== undefined && !next.startsWith("-")) ? next : undefined;
     for (let i = 0; i < argv.length; i++) {
         const a = argv[i];
         if (a === "--json")
@@ -45,10 +71,44 @@ function parseArgs(argv) {
             help = true;
         else if (a === "--version" || a === "-V")
             version = true;
+        else if (a === "--format") {
+            const v = argv[++i] ?? "";
+            if (!FORMATS.has(v)) {
+                process.stderr.write(`falsegreen-js: invalid --format ${v} (text|json|sarif|junit)\n`);
+                process.exit(2);
+            }
+            format = v;
+        }
+        else if (a.startsWith("--format=")) {
+            const v = a.slice("--format=".length);
+            if (!FORMATS.has(v)) {
+                process.stderr.write(`falsegreen-js: invalid --format ${v} (text|json|sarif|junit)\n`);
+                process.exit(2);
+            }
+            format = v;
+        }
         else if (a === "--output")
             output = argv[++i] ?? "";
         else if (a.startsWith("--output="))
             output = a.slice("--output=".length);
+        else if (a === "--baseline") {
+            const v = optionalValue(argv[i + 1]);
+            if (v !== undefined)
+                i++;
+            baseline = v ?? DEFAULT_BASELINE;
+        }
+        else if (a.startsWith("--baseline=")) {
+            baseline = a.slice("--baseline=".length) || DEFAULT_BASELINE;
+        }
+        else if (a === "--write-baseline") {
+            const v = optionalValue(argv[i + 1]);
+            if (v !== undefined)
+                i++;
+            writeBaselinePath = v ?? DEFAULT_BASELINE;
+        }
+        else if (a.startsWith("--write-baseline=")) {
+            writeBaselinePath = a.slice("--write-baseline=".length) || DEFAULT_BASELINE;
+        }
         else if (a === "--disable") {
             const v = argv[++i] ?? "";
             v.split(",").map((s) => s.trim()).filter(Boolean).forEach((c) => disable.add(c));
@@ -57,6 +117,14 @@ function parseArgs(argv) {
             a.slice("--disable=".length).split(",").map((s) => s.trim())
                 .filter(Boolean).forEach((c) => disable.add(c));
         }
+        else if (a === "--enable") {
+            const v = argv[++i] ?? "";
+            v.split(",").map((s) => s.trim()).filter(Boolean).forEach((c) => enable.add(c));
+        }
+        else if (a.startsWith("--enable=")) {
+            a.slice("--enable=".length).split(",").map((s) => s.trim())
+                .filter(Boolean).forEach((c) => enable.add(c));
+        }
         else if (a.startsWith("-")) {
             process.stderr.write(`falsegreen-js: unknown option ${a}\n`);
             process.exit(2);
@@ -64,14 +132,18 @@ function parseArgs(argv) {
         else
             paths.push(a);
     }
-    return { paths, json, staged, help, version, diagnostics, configAudit, disable, output };
+    const fmt = format ?? (json ? "json" : "text");
+    return {
+        paths, fmt, staged, help, version, diagnostics, configAudit, disable, enable,
+        output, baseline, writeBaselinePath,
+    };
 }
 /** Turn --output into a concrete file path. A directory (existing dir, a
  * trailing separator, or an extension-less name like ".falsegreen") receives
  * "report.<ext>" for the chosen format; anything else is treated as a file.
  * Missing parent directories are created either way. */
 export function resolveOutputPath(p, fmt) {
-    const ext = fmt === "json" ? "json" : "txt";
+    const ext = OUTPUT_EXT[fmt];
     const trimmed = p.replace(/[/\\]+$/, "");
     const base = path.basename(trimmed);
     let isDir = /[/\\]$/.test(p) || path.extname(base) === "";
@@ -96,6 +168,35 @@ function exitCode(findings) {
         return 10;
     return 0;
 }
+/** The JSON report object. Each finding carries both the primary `riskGroup`
+ * (closed taxonomy) and the legacy `group` (transition-compat), plus its fix
+ * hint. The tool block records the oracle-registry version that classified it. */
+export function buildReport(findings) {
+    return {
+        tool: "falsegreen-js",
+        version: VERSION,
+        oracleRegistryVersion: ORACLE_REGISTRY_VERSION,
+        judgments: JUDGMENTS,
+        findings: findings.map((f) => ({
+            ...f,
+            riskGroup: riskGroupOf(f.code),
+            group: groupOf(f.code),
+            fix: FIX_HINTS[f.code] ?? "",
+        })),
+    };
+}
+/** Render findings in the chosen format. JSON keeps the full report object
+ * (riskGroup/group/fix/oracleRegistryVersion/judgments); SARIF/JUnit follow the
+ * Python sibling's contract. */
+export function render(findings, fmt) {
+    if (fmt === "json")
+        return JSON.stringify(buildReport(findings), null, 2);
+    if (fmt === "sarif")
+        return renderSarif(findings, TOOL_URI, VERSION);
+    if (fmt === "junit")
+        return renderJunit(findings);
+    return renderText(findings);
+}
 export function renderText(findings) {
     if (findings.length === 0)
         return "falsegreen-js: no false-positive patterns found.";
@@ -141,6 +242,21 @@ export function renderText(findings) {
     }
     return lines.join("\n");
 }
+function scan(opt) {
+    const config = loadConfig();
+    const scanOpts = {
+        config, cliDisable: opt.disable, cliEnable: opt.enable, diagnostics: opt.diagnostics,
+    };
+    if (opt.staged)
+        return stagedFiles().flatMap((f) => scanFile(f, scanOpts));
+    return scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);
+}
+function emit(rendered, opt) {
+    if (opt.output)
+        fs.writeFileSync(resolveOutputPath(opt.output, opt.fmt), rendered + "\n");
+    else
+        process.stdout.write(rendered + "\n");
+}
 function main() {
     const opt = parseArgs(process.argv.slice(2));
     if (opt.help) {
@@ -151,6 +267,13 @@ function main() {
         process.stdout.write(VERSION + "\n");
         process.exit(0);
     }
+    // --write-baseline records the current scan and exits clean, ahead of every
+    // other mode (mirrors the Python sibling: it ratchets the file scan only).
+    if (opt.writeBaselinePath !== undefined) {
+        const n = writeBaseline(opt.writeBaselinePath, scan(opt));
+        process.stderr.write(`falsegreen-js: wrote ${n} fingerprint(s) to ${opt.writeBaselinePath}\n`);
+        process.exit(0);
+    }
     if (opt.configAudit) {
         const base = opt.paths.find((p) => { try {
             return fs.statSync(p).isDirectory();
@@ -159,44 +282,16 @@ function main() {
             return false;
         } }) ?? ".";
         const findings = auditConfig(base);
-        const rendered = opt.json
-            ? JSON.stringify({
-                tool: "falsegreen-js", version: VERSION, judgments: JUDGMENTS,
-                findings: findings.map((f) => ({ ...f, group: groupOf(f.code), fix: FIX_HINTS[f.code] ?? "" })),
-            }, null, 2)
-            : renderText(findings);
-        if (opt.output)
-            fs.writeFileSync(resolveOutputPath(opt.output, opt.json ? "json" : "text"), rendered + "\n");
-        else
-            process.stdout.write(rendered + "\n");
+        emit(render(findings, opt.fmt), opt);
         process.exit(findings.length ? 10 : 0);
     }
-    const config = loadConfig();
-    const scanOpts = { config, cliDisable: opt.disable, diagnostics: opt.diagnostics };
-    let findings;
-    if (opt.staged) {
-        findings = stagedFiles().flatMap((f) => scanFile(f, scanOpts));
-    }
-    else {
-        findings = scanPaths(opt.paths.length ? opt.paths : ["."], scanOpts);
-    }
-    const rendered = opt.json
-        ? JSON.stringify({
-            tool: "falsegreen-js",
-            version: VERSION,
-            judgments: JUDGMENTS,
-            findings: findings.map((f) => ({
-                ...f, group: groupOf(f.code), fix: FIX_HINTS[f.code] ?? "",
-            })),
-        }, null, 2)
-        : renderText(findings);
-    if (opt.output) {
-        const dest = resolveOutputPath(opt.output, opt.json ? "json" : "text");
-        fs.writeFileSync(dest, rendered + "\n");
-    }
-    else {
-        process.stdout.write(rendered + "\n");
+    let findings = scan(opt);
+    // The baseline filter runs before the exit code, so CI fails only on findings
+    // that are not already recorded.
+    if (opt.baseline !== undefined) {
+        findings = applyBaseline(findings, loadBaseline(opt.baseline));
     }
+    emit(render(findings, opt.fmt), opt);
     process.exit(exitCode(findings));
 }
 /** True when this module is the process entry point. Package managers expose the

package/dist/oracles.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Oracle registry — the assertion-API vocabulary falsegreen-js understands, kept
+ * as a single versioned table instead of scattered Sets across the rules.
+ *
+ * Each family is classified by how its failure reaches the runner. That kind is
+ * what tells the async analysis whether a call settles synchronously, returns a
+ * promise that must be awaited, or only produces a value:
+ *
+ *   sync-fail          throws synchronously on mismatch — a bare statement is
+ *                      enough to fail the test (jest/vitest expect().matcher(),
+ *                      node:assert, chai assert, sinon.assert).
+ *   promise            returns a promise; the failure only surfaces if it is
+ *                      awaited or returned (expect().resolves/.rejects, supertest
+ *                      .expect() in its awaited form).
+ *   runner-registered  registered with the runner; the framework collects the
+ *                      result even from a fluent chain (AVA/node:test t.is,
+ *                      Cypress cy.should, chai .should).
+ *   value-only         produces a value but does not assert on its own; it must
+ *                      feed an assertion (Testing Library getBy* and findBy*).
+ *
+ * Bump ORACLE_REGISTRY_VERSION when the classification changes, so a JSON report
+ * records which vocabulary produced it.
+ */
+export declare const ORACLE_REGISTRY_VERSION = 2;
+export type OracleKind = "sync-fail" | "promise" | "runner-registered" | "value-only";
+/**
+ * Roots whose `<root>.<method>()` call counts as an assertion across runners:
+ * AVA / node:test / tap (t), Cypress (cy), chai assert, sinon.assert, QUnit.
+ * These are runner-registered: the framework records the outcome.
+ */
+export declare const ASSERT_ROOTS: Set<string>;
+/** Assertion method names used by AVA / tap / node:test / chai assert / QUnit. */
+export declare const ASSERT_METHODS: Set<string>;
+/** Matchers whose baseline is generated from the output itself (snapshot family). */
+export declare const SNAPSHOT_MATCHERS: Set<string>;
+/** Equality matchers (Jest/Vitest). */
+export declare const EQUALITY_MATCHERS: Set<string>;
+/**
+ * Testing Library async leaves that return a promise and must be awaited before
+ * the assertion can settle (value-only / promise: findBy* resolve to an element,
+ * waitFor* resolve when their callback stops throwing).
+ */
+export declare const ASYNC_AWAIT_LEAVES: Set<string>;
+/** Vue/Svelte async test helpers that return a promise and must be awaited. */
+export declare const VUE_SVELTE_ASYNC: Set<string>;
+/**
+ * Classify a call name (`root.leaf` or a bare identifier) by oracle kind. Returns
+ * null when the name is not a known oracle. Conservative: only the vocabulary
+ * above is classified; project-specific helpers are handled by naming convention
+ * in the rules, not here.
+ */
+export declare function oracleKind(name: string): OracleKind | null;

package/dist/oracles.js

@@ -0,0 +1,87 @@
+/**
+ * Oracle registry — the assertion-API vocabulary falsegreen-js understands, kept
+ * as a single versioned table instead of scattered Sets across the rules.
+ *
+ * Each family is classified by how its failure reaches the runner. That kind is
+ * what tells the async analysis whether a call settles synchronously, returns a
+ * promise that must be awaited, or only produces a value:
+ *
+ *   sync-fail          throws synchronously on mismatch — a bare statement is
+ *                      enough to fail the test (jest/vitest expect().matcher(),
+ *                      node:assert, chai assert, sinon.assert).
+ *   promise            returns a promise; the failure only surfaces if it is
+ *                      awaited or returned (expect().resolves/.rejects, supertest
+ *                      .expect() in its awaited form).
+ *   runner-registered  registered with the runner; the framework collects the
+ *                      result even from a fluent chain (AVA/node:test t.is,
+ *                      Cypress cy.should, chai .should).
+ *   value-only         produces a value but does not assert on its own; it must
+ *                      feed an assertion (Testing Library getBy* and findBy*).
+ *
+ * Bump ORACLE_REGISTRY_VERSION when the classification changes, so a JSON report
+ * records which vocabulary produced it.
+ */
+export const ORACLE_REGISTRY_VERSION = 2;
+/**
+ * Roots whose `<root>.<method>()` call counts as an assertion across runners:
+ * AVA / node:test / tap (t), Cypress (cy), chai assert, sinon.assert, QUnit.
+ * These are runner-registered: the framework records the outcome.
+ */
+export const ASSERT_ROOTS = new Set(["assert", "t", "cy", "tap", "qunit", "sinon", "chai", "should"]);
+/** Assertion method names used by AVA / tap / node:test / chai assert / QUnit. */
+export const ASSERT_METHODS = new Set([
+    "is", "not", "ok", "notOk", "true", "false", "truthy", "falsy",
+    "equal", "notEqual", "deepEqual", "notDeepEqual", "strictEqual",
+    "same", "notSame", "throws", "notThrows", "throwsAsync", "regex", "notRegex",
+    "pass", "fail", "assert", "expect", "include", "match",
+]);
+/** Matchers whose baseline is generated from the output itself (snapshot family). */
+export const SNAPSHOT_MATCHERS = new Set([
+    "toMatchSnapshot", "toMatchInlineSnapshot",
+    "toThrowErrorMatchingSnapshot", "toThrowErrorMatchingInlineSnapshot",
+    // visual snapshots (Playwright): the baseline is generated from the output too
+    "toHaveScreenshot", "toMatchScreenshot",
+]);
+/** Equality matchers (Jest/Vitest). */
+export const EQUALITY_MATCHERS = new Set(["toBe", "toEqual", "toStrictEqual"]);
+/**
+ * Testing Library async leaves that return a promise and must be awaited before
+ * the assertion can settle (value-only / promise: findBy* resolve to an element,
+ * waitFor* resolve when their callback stops throwing).
+ */
+export const ASYNC_AWAIT_LEAVES = new Set(["waitFor", "waitForElementToBeRemoved"]);
+/** Vue/Svelte async test helpers that return a promise and must be awaited. */
+export const VUE_SVELTE_ASYNC = new Set(["flushPromises", "nextTick", "$nextTick", "tick"]);
+/**
+ * Classify a call name (`root.leaf` or a bare identifier) by oracle kind. Returns
+ * null when the name is not a known oracle. Conservative: only the vocabulary
+ * above is classified; project-specific helpers are handled by naming convention
+ * in the rules, not here.
+ */
+export function oracleKind(name) {
+    const parts = name.split(".");
+    const root = parts[0];
+    const leaf = parts[parts.length - 1];
+    // expect(x).resolves/.rejects.matcher() — promise; plain expect().matcher() is sync-fail.
+    if (root === "expect")
+        return name.includes(".resolves") || name.includes(".rejects") ? "promise" : "sync-fail";
+    if (root === "assert")
+        return "sync-fail";
+    if (root === "sinon" && name.includes("assert"))
+        return "sync-fail";
+    if (ASSERT_ROOTS.has(root) && ASSERT_METHODS.has(leaf))
+        return "runner-registered";
+    if (leaf === "should")
+        return "runner-registered";
+    if (leaf.startsWith("findBy") || leaf.startsWith("findAllBy"))
+        return "value-only";
+    // @testing-library/user-event v14+: every action (click/type/keyboard/…) returns
+    // a promise that must be awaited before the resulting state can be asserted.
+    if (root === "userEvent")
+        return "promise";
+    if (ASYNC_AWAIT_LEAVES.has(leaf))
+        return "promise";
+    if (VUE_SVELTE_ASYNC.has(leaf))
+        return "promise";
+    return null;
+}

package/dist/report.d.ts

@@ -0,0 +1,31 @@
+import { Finding } from "./types.js";
+export type OutputFormat = "text" | "json" | "sarif" | "junit";
+export declare const OUTPUT_EXT: Record<OutputFormat, string>;
+/** A forward-slash relative URI (load-bearing for GitHub code scanning). */
+export declare function relUri(file: string): string;
+/**
+ * SARIF 2.1.0 document. One rule per code present, one result per finding.
+ * Levels come from the finding's effective confidence; result tags carry the
+ * judgment, the risk group, and the level so GitHub code scanning can facet on
+ * any of them.
+ */
+export declare function renderSarif(findings: Finding[], toolUri: string, version: string): string;
+/**
+ * JUnit XML. One testcase per finding, ordered by (file, line). A high-severity
+ * finding is a <failure>; everything else is <skipped>. The suite attributes
+ * count tests, failures (high), skipped (non-high), and errors (always 0).
+ */
+export declare function renderJunit(findings: Finding[]): string;
+/**
+ * Stable id: sha1(relpath + "\0" + code + "\0" + detail)[:16]. No line number,
+ * so the fingerprint survives unrelated line shifts in the file. The js
+ * fingerprint omits the source snippet the Python tool folds in, since the js
+ * Finding does not carry one.
+ */
+export declare function fingerprint(f: Finding): string;
+/** Read a baseline file into a set of fingerprints (empty set if unreadable). */
+export declare function loadBaseline(file: string): Set<string>;
+/** Write all current findings as a baseline. Returns how many were recorded. */
+export declare function writeBaseline(file: string, findings: Finding[]): number;
+/** Drop findings whose content fingerprint is already in the baseline. */
+export declare function applyBaseline(findings: Finding[], baseline: Set<string>): Finding[];

package/dist/report.js

@@ -0,0 +1,177 @@
+/**
+ * Output renderers and the baseline ratchet. Mirrors the Python sibling's
+ * contract (SARIF 2.1.0, JUnit XML, content fingerprint) so the two scanners
+ * produce interchangeable reports and a CI pipeline can swap one for the other.
+ *
+ * Divergence from falsegreen (Python): the js Finding carries no source snippet,
+ * so the content fingerprint hashes relpath + code + detail only (Python also
+ * folds in a normalized snippet). The fingerprint stays stable across unrelated
+ * line shifts in both tools; the js id is just coarser when two findings share
+ * the same code and detail in one file.
+ */
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { createHash } from "node:crypto";
+import { CASES, riskGroupOf } from "./cases.js";
+export const OUTPUT_EXT = {
+    text: "txt", json: "json", sarif: "sarif", junit: "xml",
+};
+/** A forward-slash relative URI (load-bearing for GitHub code scanning). */
+export function relUri(file) {
+    let rel = file;
+    try {
+        rel = path.relative(process.cwd(), file);
+    }
+    catch { /* different drive on Windows */ }
+    return rel.replace(/\\/g, "/");
+}
+/** SARIF level map: high -> error, low -> warning, off -> note. */
+function sarifLevel(conf) {
+    if (conf === "high")
+        return "error";
+    if (conf === "low")
+        return "warning";
+    return "note";
+}
+function messageText(f) {
+    return CASES[f.code].title + (f.detail ? ` (${f.detail})` : "");
+}
+/**
+ * SARIF 2.1.0 document. One rule per code present, one result per finding.
+ * Levels come from the finding's effective confidence; result tags carry the
+ * judgment, the risk group, and the level so GitHub code scanning can facet on
+ * any of them.
+ */
+export function renderSarif(findings, toolUri, version) {
+    const codes = [];
+    for (const f of findings)
+        if (!codes.includes(f.code))
+            codes.push(f.code);
+    const rules = codes.map((code) => {
+        const c = CASES[code];
+        return {
+            id: code,
+            name: code,
+            shortDescription: { text: c.title },
+            defaultConfiguration: { level: sarifLevel(c.defaultOn ? c.severity : "off") },
+            helpUri: toolUri,
+            properties: { tags: [c.judgment] },
+        };
+    });
+    const results = findings.map((f) => ({
+        ruleId: f.code,
+        level: sarifLevel(f.confidence),
+        message: { text: messageText(f) },
+        properties: {
+            tags: [CASES[f.code].judgment, `risk:${riskGroupOf(f.code)}`, `level:${f.confidence}`],
+        },
+        locations: [{
+                physicalLocation: {
+                    artifactLocation: { uri: relUri(f.file) },
+                    region: { startLine: f.line },
+                },
+            }],
+    }));
+    const doc = {
+        $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+        version: "2.1.0",
+        runs: [{
+                tool: { driver: { name: "falsegreen-js", informationUri: toolUri, version, rules } },
+                results,
+            }],
+    };
+    return JSON.stringify(doc, null, 2);
+}
+/** XML attribute / text escaping for the JUnit renderer. */
+function xmlEscape(s) {
+    return s
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;");
+}
+/**
+ * JUnit XML. One testcase per finding, ordered by (file, line). A high-severity
+ * finding is a <failure>; everything else is <skipped>. The suite attributes
+ * count tests, failures (high), skipped (non-high), and errors (always 0).
+ */
+export function renderJunit(findings) {
+    const n = findings.length;
+    const nHigh = findings.filter((f) => f.confidence === "high").length;
+    const nNonHigh = n - nHigh;
+    const suiteAttrs = `name="falsegreen-js" tests="${n}" failures="${nHigh}" skipped="${nNonHigh}" errors="0"`;
+    const ordered = [...findings].sort((a, b) => (a.file < b.file ? -1 : a.file > b.file ? 1 : a.line - b.line));
+    const cases = [];
+    for (const f of ordered) {
+        const title = messageText(f);
+        const loc = `${relUri(f.file)}:${f.line}`;
+        const caseAttrs = `classname="falsegreen-js.${xmlEscape(f.code)}" name="${xmlEscape(`${f.code} ${loc}`)}"`;
+        if (f.confidence === "high") {
+            cases.push(`    <testcase ${caseAttrs}>\n` +
+                `      <failure message="${xmlEscape(title)}">${xmlEscape(loc)}</failure>\n` +
+                `    </testcase>`);
+        }
+        else {
+            cases.push(`    <testcase ${caseAttrs}>\n` +
+                `      <skipped message="${xmlEscape(`${title}  ${loc}`)}"></skipped>\n` +
+                `    </testcase>`);
+        }
+    }
+    const body = cases.length ? `\n${cases.join("\n")}\n  ` : "";
+    return `<?xml version="1.0" encoding="utf-8"?>\n` +
+        `<testsuites ${suiteAttrs}>\n` +
+        `  <testsuite ${suiteAttrs}>${body}</testsuite>\n` +
+        `</testsuites>`;
+}
+// ---------------------------------------------------------------------------
+// Baseline (ratchet): fingerprint by content, not line number
+// ---------------------------------------------------------------------------
+/**
+ * Stable id: sha1(relpath + "\0" + code + "\0" + detail)[:16]. No line number,
+ * so the fingerprint survives unrelated line shifts in the file. The js
+ * fingerprint omits the source snippet the Python tool folds in, since the js
+ * Finding does not carry one.
+ */
+export function fingerprint(f) {
+    const key = [relUri(f.file), f.code, f.detail || ""].join("\0");
+    return createHash("sha1").update(key, "utf-8").digest("hex").slice(0, 16);
+}
+/** Read a baseline file into a set of fingerprints (empty set if unreadable). */
+export function loadBaseline(file) {
+    let data;
+    try {
+        data = JSON.parse(fs.readFileSync(file, "utf-8"));
+    }
+    catch {
+        return new Set();
+    }
+    const out = new Set();
+    const items = data.findings;
+    if (Array.isArray(items)) {
+        for (const item of items) {
+            const fp = item.fingerprint;
+            if (typeof fp === "string" && fp)
+                out.add(fp);
+        }
+    }
+    return out;
+}
+/** Write all current findings as a baseline. Returns how many were recorded. */
+export function writeBaseline(file, findings) {
+    const ordered = [...findings].sort((a, b) => (a.file < b.file ? -1 : a.file > b.file ? 1 : a.line - b.line));
+    const items = ordered.map((f) => ({
+        fingerprint: fingerprint(f),
+        code: f.code,
+        file: relUri(f.file),
+        detail: f.detail,
+    }));
+    const parent = path.dirname(file);
+    if (parent)
+        fs.mkdirSync(parent, { recursive: true });
+    fs.writeFileSync(file, JSON.stringify({ version: 1, tool: "falsegreen-js", findings: items }, null, 2) + "\n");
+    return items.length;
+}
+/** Drop findings whose content fingerprint is already in the baseline. */
+export function applyBaseline(findings, baseline) {
+    return findings.filter((f) => !baseline.has(fingerprint(f)));
+}