npm - flaglint - Versions diffs - 0.4.0 → 0.5.0 - Mend

flaglint 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/bin/flaglint.js CHANGED Viewed

@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+import {
+  ApplyError,
+  applyMigration
+} from "../chunk-MJLXM6GZ.js";
 // src/cli.ts
 import { Command } from "commander";
@@ -53,6 +57,13 @@ var LD_FLAG_KEY_METHODS = /* @__PURE__ */ new Set([
   "jsonVariationDetail"
 ]);
 var LD_ALL_FLAGS_METHODS = /* @__PURE__ */ new Set(["allFlags", "allFlagsState"]);
+var LD_DETAIL_METHODS = /* @__PURE__ */ new Set([
+  "variationDetail",
+  "boolVariationDetail",
+  "stringVariationDetail",
+  "numberVariationDetail",
+  "jsonVariationDetail"
+]);
 var LD_HOOKS = /* @__PURE__ */ new Set(["useFlags", "useLDClient"]);
 var DEFAULT_EXCLUDE = ["**/node_modules/**", "**/dist/**", "**/build/**", "**/.next/**"];
 function extractFlagKey(arg) {
@@ -120,7 +131,7 @@ function buildMigrationInventoryItem(code, filePath, loc, call, methodName, args
   }
   const fallback = args[2];
   const valueType = inferValueType(methodName, fallback);
-  const manualReviewReason = isDynamic ? "dynamic-key" : valueType === "unknown" ? "unknown-fallback" : void 0;
+  const manualReviewReason = isDynamic ? "dynamic-key" : LD_DETAIL_METHODS.has(methodName) ? "detail-method" : valueType === "unknown" ? "unknown-fallback" : void 0;
   return {
     file: filePath,
     line: loc.line,
@@ -528,7 +539,7 @@ function formatMarkdown(result, options) {
   }
   if (staleFlags.length > 0) {
     lines.push("## \u26A0 Stale Flag Candidates");
-    lines.push("Flags that may be safe to remove:");
+    lines.push("Flags with review signals:");
     lines.push("| Flag Key | Reason | Location |");
     lines.push("|----------|--------|----------|");
     for (const [key, data] of staleFlags) {
@@ -665,6 +676,16 @@ function formatSARIF(result) {
     2
   );
 }
+function usagesByDirectory(usages) {
+  const map = /* @__PURE__ */ new Map();
+  for (const u of usages) {
+    const parts = u.file.replace(/\\/g, "/").split("/");
+    const dir = parts.length > 1 ? parts.slice(0, Math.min(2, parts.length - 1)).join("/") : ".";
+    if (!map.has(dir)) map.set(dir, []);
+    map.get(dir).push(u);
+  }
+  return new Map([...map.entries()].sort(([a], [b]) => a.localeCompare(b)));
+}
 function formatHTML(result, options) {
   const { scannedFiles, totalUsages, uniqueFlags, usages, scanDurationMs } = result;
   const staleCount = new Set(
@@ -672,6 +693,34 @@ function formatHTML(result, options) {
   ).size;
   const dynamicCount = usages.filter((u) => u.isDynamic).length;
   const date = new Date(result.scannedAt).toLocaleString();
+  const inv = result.migrationInventory ?? [];
+  const automatableCount = inv.filter((i) => i.safelyAutomatable).length;
+  const manualCount = inv.filter((i) => !i.safelyAutomatable).length;
+  const detailBulkCount = inv.filter(
+    (i) => i.manualReviewReason === "detail-method" || i.manualReviewReason === "bulk-inventory-call"
+  ).length;
+  const affectedFiles = new Set(usages.map((u) => u.file)).size;
+  const automatablePct = inv.length > 0 ? Math.round(automatableCount / inv.length * 100) : 0;
+  const manualPct = inv.length > 0 ? Math.round(manualCount / inv.length * 100) : 0;
+  const markdownSummary = [
+    "## FlagLint Audit Summary",
+    "",
+    `- **Total call-sites:** ${totalUsages}`,
+    `- **Unique flags:** ${uniqueFlags.length}`,
+    `- **Files affected:** ${affectedFiles}`,
+    ...inv.length > 0 ? [
+      `- **Safely automatable:** ${automatableCount} (${automatablePct}%)`,
+      `- **Manual review required:** ${manualCount} (${manualPct}%)`,
+      `- **Dynamic keys:** ${dynamicCount}`,
+      `- **Detail/bulk calls:** ${detailBulkCount}`
+    ] : [`- **Dynamic keys:** ${dynamicCount}`, `- **Stale candidates:** ${staleCount}`],
+    "",
+    "### Recommended next steps",
+    "1. Configure OpenFeature provider (one-time manual step)",
+    "2. Review migration plan: `flaglint migrate --dry-run`",
+    "3. Apply automatable transformations: `flaglint migrate --apply`",
+    "4. Add CI enforcement: `flaglint validate --no-direct-launchdarkly`"
+  ].join("\\n");
   const flagMap = buildFlagMap(usages);
   const sorted = sortedFlagEntries(flagMap);
   const rows = sorted.map(([key, data]) => {
@@ -680,8 +729,18 @@ function formatHTML(result, options) {
     const fileList = [...data.files].map((f) => esc(f)).join("<br>");
     return `<tr class="${cls}"><td><code>${esc(key)}</code></td><td>${data.usages.length}</td><td>${fileList}</td><td>${[...data.callTypes].map(esc).join(", ")}</td><td>${status}</td></tr>`;
   }).join("\n      ");
+  const byDir = usagesByDirectory(usages);
+  const dirRows = [...byDir.entries()].map(([dir, dirUsages]) => {
+    const flagKeys = new Set(dirUsages.map((u) => u.flagKey)).size;
+    const callTypes = new Set(dirUsages.map((u) => u.callType));
+    return `<tr><td><code>${esc(dir)}</code></td><td>${dirUsages.length}</td><td>${flagKeys}</td><td>${[...callTypes].map(esc).join(", ")}</td></tr>`;
+  }).join("\n      ");
+  const auditCards = inv.length > 0 ? `
+    <div class="card"><div class="card-num green">${automatableCount}</div><div class="card-label">Auto-Migratable (${automatablePct}%)</div></div>
+    <div class="card"><div class="card-num orange">${manualCount}</div><div class="card-label">Manual Review (${manualPct}%)</div></div>
+    <div class="card"><div class="card-num blue">${detailBulkCount}</div><div class="card-label">Detail/Bulk Calls</div></div>` : "";
   const title = options.title ? esc(options.title) : "FlagLint Scan Report";
-  const version = true ? "0.4.0" : "0.1.0";
+  const version = true ? "0.5.0" : "0.1.0";
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -695,12 +754,15 @@ function formatHTML(result, options) {
     body{background:var(--bg);color:var(--text);font-family:system-ui,-apple-system,sans-serif;padding:2rem;max-width:1200px;margin:0 auto;line-height:1.5}
     h1{font-size:1.75rem;margin-bottom:.25rem}
     h2{font-size:1.125rem;margin:2rem 0 .75rem;padding-bottom:.5rem;border-bottom:1px solid var(--border)}
+    h3{font-size:.9375rem;margin:1.5rem 0 .5rem;color:var(--muted)}
     .subtitle{color:var(--muted);margin-bottom:1.5rem;font-size:.875rem}
     .cards{display:flex;gap:1rem;flex-wrap:wrap;margin-bottom:2rem}
     .card{flex:1;min-width:140px;background:var(--surface);border:1px solid var(--border);border-radius:8px;padding:1rem;box-shadow:var(--card-shadow)}
     .card-num{font-size:1.875rem;font-weight:700;line-height:1}
     .card-num.yellow{color:#d97706}
     .card-num.blue{color:#3b82f6}
+    .card-num.green{color:#16a34a}
+    .card-num.orange{color:#ea580c}
     .card-label{color:var(--muted);font-size:.75rem;margin-top:.375rem;text-transform:uppercase;letter-spacing:.05em}
     .filter-wrap{margin-bottom:.75rem}
     #filter{width:100%;padding:.5rem .75rem;border:1px solid var(--border);border-radius:6px;background:var(--surface);color:var(--text);font-size:.875rem;outline:none}
@@ -711,19 +773,25 @@ function formatHTML(result, options) {
     tr.stale td{background:var(--stale-bg)}
     tr.dynamic td{background:var(--dyn-bg)}
     code{font-family:ui-monospace,monospace;font-size:.8em;background:var(--surface);padding:.1em .3em;border-radius:3px}
+    .steps{margin:.75rem 0 1rem 1.25rem;line-height:2}
+    .steps li{margin-bottom:.25rem}
+    .btn{display:inline-flex;align-items:center;gap:.4rem;background:#6366f1;color:#fff;border:none;border-radius:6px;padding:.5rem 1rem;font-size:.8125rem;cursor:pointer;margin-top:.75rem}
+    .btn:hover{background:#4f46e5}
+    .btn.copied{background:#16a34a}
     footer{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border);color:var(--muted);font-size:.75rem;text-align:center}
   </style>
 </head>
 <body>
   <h1>${title}</h1>
-  <p class="subtitle">Scanned ${scannedFiles} files in ${scanDurationMs}ms</p>
+  <p class="subtitle">Scanned ${scannedFiles} files in ${scanDurationMs}ms \xB7 ${esc(date)}</p>
+  <h2>Executive Summary</h2>
   <div class="cards">
-    <div class="card"><div class="card-num">${scannedFiles}</div><div class="card-label">Files Scanned</div></div>
+    <div class="card"><div class="card-num">${totalUsages}</div><div class="card-label">Total Call-Sites</div></div>
     <div class="card"><div class="card-num">${uniqueFlags.length}</div><div class="card-label">Unique Flags</div></div>
-    <div class="card"><div class="card-num">${totalUsages}</div><div class="card-label">Total Usages</div></div>
+    <div class="card"><div class="card-num">${affectedFiles}</div><div class="card-label">Files Affected</div></div>
     <div class="card"><div class="card-num yellow">${staleCount}</div><div class="card-label">Stale Candidates</div></div>
-    <div class="card"><div class="card-num blue">${dynamicCount}</div><div class="card-label">Dynamic Keys</div></div>
+    <div class="card"><div class="card-num blue">${dynamicCount}</div><div class="card-label">Dynamic Keys</div></div>${auditCards}
   </div>
   <h2>Flag Inventory</h2>
@@ -737,15 +805,41 @@ function formatHTML(result, options) {
     </tbody>
   </table>
-  <footer>Generated by FlagLint ${esc(version)} on ${esc(date)}</footer>
+  <h2>Findings by Directory</h2>
+  <table id="dir-table">
+    <thead><tr><th>Directory</th><th>Call-Sites</th><th>Unique Flags</th><th>Call Types</th></tr></thead>
+    <tbody>
+      ${dirRows}
+    </tbody>
+  </table>
+  <h2>Recommended Next Steps</h2>
+  <ol class="steps">
+    <li>Configure the OpenFeature provider once at application startup (manual \u2014 see <code>flaglint migrate --dry-run</code> for guidance)</li>
+    <li>Review the migration plan: <code>flaglint migrate --dry-run</code></li>
+    <li>Apply automatable transformations: <code>flaglint migrate --apply</code></li>
+    <li>Add CI policy enforcement: <code>flaglint validate --no-direct-launchdarkly</code></li>
+  </ol>
+  <button class="btn" id="copy-btn" onclick="copyMarkdown()">\u{1F4CB} Copy Markdown Summary</button>
+  <footer>Generated by FlagLint ${esc(version)}</footer>
   <script>
     const input = document.getElementById('filter');
-    const rows = document.querySelectorAll('#flags-table tbody tr');
+    const tableRows = document.querySelectorAll('#flags-table tbody tr');
     input.addEventListener('input', () => {
       const q = input.value.toLowerCase();
-      rows.forEach(r => { r.style.display = r.textContent.toLowerCase().includes(q) ? '' : 'none'; });
+      tableRows.forEach(r => { r.style.display = r.textContent.toLowerCase().includes(q) ? '' : 'none'; });
     });
+    function copyMarkdown() {
+      const md = ${JSON.stringify(markdownSummary)}.replace(/\\\\n/g, '\\n');
+      navigator.clipboard.writeText(md).then(() => {
+        const btn = document.getElementById('copy-btn');
+        btn.textContent = '\u2713 Copied!';
+        btn.className = 'btn copied';
+        setTimeout(() => { btn.textContent = '\u{1F4CB} Copy Markdown Summary'; btn.className = 'btn'; }, 2000);
+      });
+    }
   </script>
 </body>
 </html>`;
@@ -779,8 +873,11 @@ var FlagLintConfigSchema = z.object({
   ]),
   provider: z.enum(["launchdarkly", "unleash", "growthbook", "custom"]).default("launchdarkly"),
   // TODO v0.3: replace minFileCount with real date-based staleness via git log
-  minFileCount: z.number().int().min(0).default(1),
+  minFileCount: z.number().int().min(0).default(0),
   wrappers: z.array(z.string()).default([]),
+  openFeatureClientBindings: z.array(
+    z.object({ importName: z.string(), modulePatterns: z.array(z.string()).default([]) })
+  ).default([]),
   reportTitle: z.string().optional(),
   outputDir: z.string().default(".")
 });
@@ -955,7 +1052,7 @@ Examples:
       } else {
         process.stdout.write(report + "\n");
       }
-      process.exit(staleCount > 0 ? 1 : 0);
+      process.exitCode = staleCount > 0 ? 1 : 0;
     }
   );
 }
@@ -1011,6 +1108,8 @@ function reasonLabel(reason) {
       return "dynamic key";
     case "unknown-fallback":
       return "unsupported or unknown fallback";
+    case "detail-method":
+      return "detail method";
     case "bulk-inventory-call":
       return "bulk inventory call";
     default:
@@ -1094,7 +1193,7 @@ function formatMigrationReport(analysis) {
     unsupportedUnknownCount
   } = analysis;
   const date = (/* @__PURE__ */ new Date()).toLocaleDateString();
-  const version = true ? "0.4.0" : "0.1.0";
+  const version = true ? "0.5.0" : "0.1.0";
   const lines = [];
   lines.push("# OpenFeature Migration Inventory");
   lines.push(`Generated by FlagLint v${version} on ${date}`);
@@ -1179,10 +1278,13 @@ function methodForType(valueType) {
 function manualReason(item) {
   if (item.manualReviewReason === "dynamic-key") return "dynamic key requires manual review";
   if (item.manualReviewReason === "unknown-fallback") return "unknown fallback type requires manual review";
+  if (item.manualReviewReason === "detail-method") {
+    return "detail methods skipped: OpenFeature detail APIs exist, but LaunchDarkly/OpenFeature detail result parity requires manual review";
+  }
   if (item.manualReviewReason === "bulk-inventory-call") return "bulk inventory call has no single-flag codemod";
   return "manual review required";
 }
-function buildReplacement(item) {
+function buildReplacement(item, clientBindingName) {
   if (DETAIL_METHODS.has(item.launchDarklyMethod)) {
     return {
       item,
@@ -1200,11 +1302,13 @@ function buildReplacement(item) {
   }
   const method = methodForType(item.valueType);
   if (!method) return { item, reason: "unsupported or unknown value type" };
-  const call = `openFeatureClient.${method}(${item.flagKeyExpression}, ${item.fallbackExpression}, ${item.evaluationContextExpression})`;
+  const placeholder = "openFeatureClient";
+  const target = clientBindingName ?? placeholder;
+  const call = `${target}.${method}(${item.flagKeyExpression}, ${item.fallbackExpression}, ${item.evaluationContextExpression})`;
   return {
     item,
     replacement: call,
-    requiresProviderSetup: true
+    requiresProviderSetup: clientBindingName == null
   };
 }
 function applyReplacements(code, replacements) {
@@ -1268,7 +1372,7 @@ function formatProviderSetupSection() {
   lines.push('import { OpenFeature } from "@openfeature/server-sdk";');
   lines.push('import { LaunchDarklyProvider } from "@launchdarkly/openfeature-node-server";');
   lines.push("");
-  lines.push('const ldProvider = new LaunchDarklyProvider("<your-sdk-key>");');
+  lines.push("const ldProvider = new LaunchDarklyProvider(process.env.LD_SDK_KEY!);");
   lines.push("await OpenFeature.setProviderAndWait(ldProvider);");
   lines.push("");
   lines.push("// Share this client across your application.");
@@ -1278,26 +1382,39 @@ function formatProviderSetupSection() {
   lines.push("");
   lines.push("### 3. Evaluation context \u2014 targeting key");
   lines.push("");
-  lines.push("LaunchDarkly requires a `targetingKey` field in every evaluation context.");
-  lines.push("Replace the context arguments shown in the diffs with an object that includes it:");
+  lines.push("LaunchDarkly requires a targeting key in every evaluation context. The");
+  lines.push("provider accepts either OpenFeature `targetingKey` or an existing");
+  lines.push("LaunchDarkly `key`.");
+  lines.push("Keep your existing LaunchDarkly `key` contexts, or use `targetingKey`");
+  lines.push("for new OpenFeature-native contexts:");
   lines.push("");
   lines.push("```typescript");
-  lines.push("{ targetingKey: user.key, ...otherAttributes }");
+  lines.push("{ targetingKey: user.id } // or { key: user.id }");
   lines.push("```");
   lines.push("");
   return lines;
 }
-async function formatDryRunDiff(analysis, source) {
+async function formatDryRunDiff(analysis, source, allowedBindings = []) {
   const replacementsByFile = /* @__PURE__ */ new Map();
   const skipped = [];
+  const itemsByFile = /* @__PURE__ */ new Map();
   for (const item of analysis.inventoryItems) {
-    const result = buildReplacement(item);
-    if ("reason" in result) {
-      skipped.push(result);
-      continue;
+    if (!itemsByFile.has(item.file)) itemsByFile.set(item.file, []);
+    itemsByFile.get(item.file).push(item);
+  }
+  for (const [file, items] of [...itemsByFile.entries()].sort(([a], [b]) => a.localeCompare(b))) {
+    const before = await source.readFile(file);
+    const { getOpenFeatureClientBindingName } = await import("../apply-ZYLA2N7Y.js");
+    const clientBindingName = getOpenFeatureClientBindingName(before, allowedBindings);
+    for (const item of items) {
+      const result = buildReplacement(item, clientBindingName);
+      if ("reason" in result) {
+        skipped.push(result);
+        continue;
+      }
+      if (!replacementsByFile.has(item.file)) replacementsByFile.set(item.file, []);
+      replacementsByFile.get(item.file).push(result);
     }
-    if (!replacementsByFile.has(item.file)) replacementsByFile.set(item.file, []);
-    replacementsByFile.get(item.file).push(result);
   }
   const lines = [];
   lines.push("# FlagLint migrate --dry-run");
@@ -1335,205 +1452,6 @@ async function formatDryRunDiff(analysis, source) {
   return lines.join("\n");
 }
-// src/migrator/apply.ts
-import { execFile } from "child_process";
-import { promisify } from "util";
-import { parse as parse2 } from "@typescript-eslint/typescript-estree";
-var execFileAsync = promisify(execFile);
-var ApplyError = class extends Error {
-  constructor(kind, message) {
-    super(message);
-    this.kind = kind;
-    this.name = "ApplyError";
-  }
-  kind;
-};
-var OF_SERVER_SDK = "@openfeature/server-sdk";
-function tryParse(code) {
-  for (const jsx of [false, true]) {
-    try {
-      return parse2(code, { jsx, comment: false });
-    } catch {
-    }
-  }
-  return null;
-}
-function walkNodes(root, visit) {
-  const stack = [root];
-  while (stack.length > 0) {
-    const node = stack.pop();
-    visit(node);
-    for (const val of Object.values(node)) {
-      if (Array.isArray(val)) {
-        for (const item of val) {
-          if (item !== null && typeof item === "object" && "type" in item) {
-            stack.push(item);
-          }
-        }
-      } else if (val !== null && typeof val === "object" && "type" in val) {
-        stack.push(val);
-      }
-    }
-  }
-}
-function hasOpenFeatureClientBinding(code) {
-  const ast = tryParse(code);
-  if (!ast) return false;
-  const ofApiNames = /* @__PURE__ */ new Set();
-  for (const stmt of ast.body) {
-    if (stmt.type === "ImportDeclaration" && stmt.source.value === OF_SERVER_SDK) {
-      for (const spec of stmt.specifiers) {
-        if (spec.type === "ImportSpecifier") {
-          const importedName = spec.imported.type === "Identifier" ? spec.imported.name : spec.imported.value;
-          if (importedName === "OpenFeature") {
-            ofApiNames.add(spec.local.name);
-          }
-        }
-      }
-      continue;
-    }
-    if (stmt.type === "VariableDeclaration") {
-      for (const decl of stmt.declarations) {
-        const init = decl.init;
-        if (init?.type === "CallExpression" && init.callee.type === "Identifier" && init.callee.name === "require" && init.arguments.length === 1 && init.arguments[0]?.type === "Literal" && init.arguments[0].value === OF_SERVER_SDK && decl.id.type === "ObjectPattern") {
-          for (const prop of decl.id.properties) {
-            if (prop.type === "Property" && prop.key.type === "Identifier" && prop.key.name === "OpenFeature" && prop.value.type === "Identifier") {
-              ofApiNames.add(prop.value.name);
-            }
-          }
-        }
-      }
-    }
-  }
-  if (ofApiNames.size === 0) return false;
-  let proven = false;
-  walkNodes(ast, (node) => {
-    if (proven) return;
-    if (node.type !== "VariableDeclarator") return;
-    const decl = node;
-    if (decl.id.type !== "Identifier") return;
-    if (decl.id.name !== "openFeatureClient") return;
-    if (decl.init?.type !== "CallExpression") return;
-    const call = decl.init;
-    if (call.callee.type !== "MemberExpression") return;
-    const member = call.callee;
-    if (member.computed) return;
-    if (member.object.type !== "Identifier") return;
-    if (!ofApiNames.has(member.object.name)) return;
-    if (member.property.type !== "Identifier") return;
-    if (member.property.name !== "getClient") return;
-    proven = true;
-  });
-  return proven;
-}
-var DETAIL_METHODS2 = /* @__PURE__ */ new Set([
-  "variationDetail",
-  "boolVariationDetail",
-  "stringVariationDetail",
-  "numberVariationDetail",
-  "jsonVariationDetail"
-]);
-function methodForType2(valueType) {
-  switch (valueType) {
-    case "boolean":
-      return "getBooleanValue";
-    case "string":
-      return "getStringValue";
-    case "number":
-      return "getNumberValue";
-    case "object":
-      return "getObjectValue";
-    case "unknown":
-      return null;
-  }
-}
-function buildReplacement2(item, code) {
-  if (DETAIL_METHODS2.has(item.launchDarklyMethod)) {
-    return {
-      item,
-      reason: "detail methods skipped: OpenFeature detail APIs exist, but LaunchDarkly/OpenFeature detail result parity requires manual review"
-    };
-  }
-  if (!item.safelyAutomatable) {
-    const reason = item.manualReviewReason === "dynamic-key" ? "dynamic key requires manual review" : item.manualReviewReason === "unknown-fallback" ? "unknown fallback type requires manual review" : item.manualReviewReason === "bulk-inventory-call" ? "bulk inventory call has no single-flag codemod" : "manual review required";
-    return { item, reason };
-  }
-  if (item.rangeStart == null || item.rangeEnd == null || !item.callExpression) {
-    return { item, reason: "missing source range for apply" };
-  }
-  const currentText = code.slice(item.rangeStart, item.rangeEnd);
-  if (currentText !== item.callExpression) {
-    return {
-      item,
-      reason: "range content does not match original call \u2014 already transformed or stale analysis; skipping"
-    };
-  }
-  if (!item.flagKeyExpression || !item.fallbackExpression || !item.evaluationContextExpression) {
-    return { item, reason: "missing flag key, fallback, or evaluation context evidence" };
-  }
-  const method = methodForType2(item.valueType);
-  if (!method) return { item, reason: "unsupported or unknown value type" };
-  const call = `openFeatureClient.${method}(${item.flagKeyExpression}, ${item.fallbackExpression}, ${item.evaluationContextExpression})`;
-  return { item, replacement: call };
-}
-function applyReplacements2(code, replacements) {
-  let next = code;
-  for (const r of [...replacements].sort((a, b) => b.item.rangeStart - a.item.rangeStart)) {
-    next = next.slice(0, r.item.rangeStart) + r.replacement + next.slice(r.item.rangeEnd);
-  }
-  return next;
-}
-async function defaultIsWorkingTreeDirty() {
-  try {
-    const { stdout } = await execFileAsync("git", ["status", "--porcelain"]);
-    return stdout.trim().length > 0;
-  } catch {
-    return false;
-  }
-}
-async function applyMigration(analysis, source, options = {}) {
-  if (!options.allowDirty) {
-    const checkDirty = options.isWorkingTreeDirty ?? defaultIsWorkingTreeDirty;
-    if (await checkDirty()) {
-      throw new ApplyError(
-        "dirty-tree",
-        "Working tree has uncommitted changes.\nCommit or stash your changes first, or pass --allow-dirty to override.\nReview `flaglint migrate --dry-run` for provider setup guidance before applying."
-      );
-    }
-  }
-  const itemsByFile = /* @__PURE__ */ new Map();
-  for (const item of analysis.inventoryItems) {
-    if (!itemsByFile.has(item.file)) itemsByFile.set(item.file, []);
-    itemsByFile.get(item.file).push(item);
-  }
-  const transformedFiles = [];
-  const skippedFiles = [];
-  let transformed = 0;
-  for (const [file, items] of [...itemsByFile.entries()].sort(([a], [b]) => a.localeCompare(b))) {
-    const code = await source.readFile(file);
-    if (!hasOpenFeatureClientBinding(code)) {
-      skippedFiles.push({
-        file,
-        reason: "skipped \u2014 OpenFeature client setup required. Review `flaglint migrate --dry-run` provider guidance first."
-      });
-      continue;
-    }
-    const replacements = [];
-    for (const item of items) {
-      const result = buildReplacement2(item, code);
-      if ("reason" in result) continue;
-      replacements.push(result);
-    }
-    if (replacements.length === 0) continue;
-    const newCode = applyReplacements2(code, replacements);
-    if (newCode === code) continue;
-    await source.writeFile(file, newCode);
-    transformedFiles.push(file);
-    transformed += replacements.length;
-  }
-  return { transformed, skipped: skippedFiles.length, transformedFiles, skippedFiles };
-}
 // src/commands/migrate.ts
 function registerMigrateCommand(program2) {
   program2.command("migrate").description("Analyze migration readiness and generate an OpenFeature migration plan").argument("[dir]", "directory to analyze", process.cwd()).option("-o, --output <file>", "write migration plan to file", "MIGRATION.md").option("-c, --config <path>", "path to .flaglintrc config file").option("--dry-run", "print reviewable diffs to stdout without writing files").option("--apply", "apply safe transformations to source files in-place").option("--allow-dirty", "allow --apply on a dirty git working tree").option("--exclude-tests", "exclude test files (*.test.*, *.spec.*, __tests__/, tests/)").addHelpText(
@@ -1640,14 +1558,14 @@ Examples:
         )
       );
       if (options.dryRun) {
-        const report2 = await formatDryRunDiff(analysis, source);
+        const report2 = await formatDryRunDiff(analysis, source, config.openFeatureClientBindings);
         process.stdout.write(report2 + "\n");
         process.exit(0);
       }
       if (options.apply) {
         let result;
         try {
-          result = await applyMigration(analysis, source, { allowDirty: options.allowDirty });
+          result = await applyMigration(analysis, source, { allowDirty: options.allowDirty, allowedOpenFeatureClientBindings: config.openFeatureClientBindings });
         } catch (err) {
           if (err instanceof ApplyError && err.kind === "dirty-tree") {
             process.stderr.write(chalk2.red(`
@@ -1710,12 +1628,15 @@ Error: ${err.message}
 }
 // src/commands/validate.ts
+import { writeFile as writeFile4 } from "fs/promises";
 import { stat as stat3 } from "fs/promises";
-import { resolve as resolve6 } from "path";
+import { resolve as resolve7 } from "path";
 import chalk3 from "chalk";
 import ora3 from "ora";
 // src/validator/index.ts
+import { resolve as resolve6 } from "path";
+import { pathToFileURL as pathToFileURL2 } from "url";
 function matchesBootstrapPattern(file, patterns) {
   const clean = (s) => s.replace(/^\.\//, "");
   const cleanFile = clean(file);
@@ -1786,8 +1707,106 @@ function formatValidationReport(result, options = {}) {
   lines.push("Run `flaglint migrate --dry-run` to review the migration plan.");
   return lines.join("\n") + "\n";
 }
+var SARIF_RULE_NO_DIRECT_LD = {
+  id: "flaglint.direct-launchdarkly",
+  name: "DirectLaunchDarklySDKUsage",
+  shortDescription: {
+    text: "Direct LaunchDarkly SDK evaluation call detected"
+  },
+  fullDescription: {
+    text: "A direct LaunchDarkly Node.js server SDK evaluation call was found. Migrate this call to OpenFeature so the codebase is provider-independent."
+  },
+  helpUri: "https://github.com/flaglint/flaglint#flaglint-validate-dir",
+  properties: {
+    tags: ["openfeature", "migration", "launchdarkly"]
+  }
+};
+function sarifViolationUri(file) {
+  return file.split(/[\\/]/).join("/");
+}
+function sarifScanRootUri(scanRoot) {
+  const uri = pathToFileURL2(resolve6(scanRoot)).href;
+  return uri.endsWith("/") ? uri : `${uri}/`;
+}
+function violationSarifMessage(v) {
+  if (v.isDynamic) {
+    return `Direct LaunchDarkly SDK call ${v.callType}() with a dynamic flag key at ${v.file}:${v.line}. Migrate to OpenFeature using flaglint migrate --dry-run.`;
+  }
+  if (v.flagKey === "*") {
+    return `Direct LaunchDarkly bulk inventory call ${v.callType}() at ${v.file}:${v.line}. Migrate to OpenFeature using flaglint migrate --dry-run.`;
+  }
+  return `Direct LaunchDarkly SDK call ${v.callType}("${v.flagKey}") at ${v.file}:${v.line}. Migrate to OpenFeature using flaglint migrate --dry-run.`;
+}
+function formatValidationSarif(result, scanRoot, scannedAt) {
+  return JSON.stringify(
+    {
+      $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+      version: "2.1.0",
+      runs: [
+        {
+          tool: {
+            driver: {
+              name: "FlagLint",
+              informationUri: "https://github.com/flaglint/flaglint",
+              rules: [SARIF_RULE_NO_DIRECT_LD]
+            }
+          },
+          invocations: [
+            {
+              executionSuccessful: true,
+              startTimeUtc: scannedAt,
+              properties: {
+                scannedFiles: result.scannedFiles,
+                totalUsages: result.totalUsages,
+                violations: result.violations.length,
+                passed: result.passed
+              }
+            }
+          ],
+          originalUriBaseIds: {
+            "%SRCROOT%": {
+              uri: sarifScanRootUri(scanRoot)
+            }
+          },
+          results: result.violations.map((v) => ({
+            ruleId: SARIF_RULE_NO_DIRECT_LD.id,
+            level: "error",
+            message: {
+              text: violationSarifMessage(v)
+            },
+            locations: [
+              {
+                physicalLocation: {
+                  artifactLocation: {
+                    uri: sarifViolationUri(v.file),
+                    uriBaseId: "%SRCROOT%"
+                  },
+                  region: {
+                    startLine: Math.max(v.line, 1),
+                    startColumn: Math.max(v.column + 1, 1)
+                  }
+                }
+              }
+            ],
+            partialFingerprints: {
+              "flagKey/v1": v.flagKey
+            },
+            properties: {
+              flagKey: v.flagKey,
+              callType: v.callType,
+              isDynamic: v.isDynamic
+            }
+          }))
+        }
+      ]
+    },
+    null,
+    2
+  );
+}
 // src/commands/validate.ts
+var VALID_VALIDATE_FORMATS = ["text", "sarif"];
 function registerValidateCommand(program2) {
   program2.command("validate").description("Validate that your codebase complies with feature flag usage policies").argument("[dir]", "directory to validate", process.cwd()).option(
     "--no-direct-launchdarkly",
@@ -1797,7 +1816,11 @@ function registerValidateCommand(program2) {
     "glob pattern for files allowed to use LaunchDarkly SDK directly (repeatable)",
     (val, prev) => [...prev, val],
     []
-  ).option("-c, --config <path>", "path to .flaglintrc config file").addHelpText(
+  ).option(
+    "-f, --format <format>",
+    "output format: text | sarif",
+    "text"
+  ).option("-o, --output <file>", "write report to file instead of stdout").option("-c, --config <path>", "path to .flaglintrc config file").addHelpText(
     "after",
     `
 Examples:
@@ -1807,13 +1830,25 @@ Examples:
       --bootstrap-exclude src/provider/setup.ts             allow bootstrap file
   $ flaglint validate --no-direct-launchdarkly \\
       --bootstrap-exclude "src/provider/**"                 allow all provider files
+  $ flaglint validate --no-direct-launchdarkly \\
+      --format sarif --output flaglint.sarif                emit SARIF for GitHub Code Scanning
   $ flaglint validate --no-direct-launchdarkly \\
       --bootstrap-exclude "src/provider/*.ts" \\
       --bootstrap-exclude "src/bootstrap/**"                multiple exclusion patterns`
   ).action(
     async (dir, options) => {
+      if (!VALID_VALIDATE_FORMATS.includes(options.format)) {
+        process.stderr.write(
+          chalk3.red(
+            `Error: Invalid format '${options.format}'. Must be one of: ${VALID_VALIDATE_FORMATS.join(", ")}
+`
+          )
+        );
+        process.exit(2);
+      }
+      const format = options.format;
       try {
-        const s = await stat3(resolve6(dir));
+        const s = await stat3(resolve7(dir));
         if (!s.isDirectory()) {
           process.stderr.write(chalk3.red(`Error: Not a directory: ${dir}
 `));
@@ -1868,8 +1903,34 @@ Examples:
         bootstrapExclude
       };
       const validationResult = validateScanResult(scanResult, validateOptions);
-      const report = formatValidationReport(validationResult, validateOptions);
-      process.stdout.write(report);
+      let report;
+      if (format === "sarif") {
+        report = formatValidationSarif(
+          validationResult,
+          scanResult.scanRoot,
+          scanResult.scannedAt
+        );
+      } else {
+        report = formatValidationReport(validationResult, validateOptions);
+      }
+      if (options.output) {
+        const outPath = resolve7(options.output);
+        try {
+          await writeFile4(outPath, report, "utf8");
+          process.stderr.write(chalk3.dim(`   Report written to ${options.output}
+`));
+        } catch (err) {
+          process.stderr.write(
+            chalk3.red(
+              `Error: Failed to write report to ${options.output}: ${err instanceof Error ? err.message : String(err)}
+`
+            )
+          );
+          process.exit(1);
+        }
+      } else {
+        process.stdout.write(report);
+      }
       if (!validationResult.passed) {
         process.exit(1);
       }
@@ -1881,7 +1942,7 @@ Examples:
 // src/cli.ts
 function createCLI() {
   const program2 = new Command();
-  program2.name("flaglint").description("LaunchDarkly Node.js server SDK -> OpenFeature migration.").version("0.4.0", "-v, --version", "output the current version").addHelpText(
+  program2.name("flaglint").description("LaunchDarkly Node.js server SDK -> OpenFeature migration.").version("0.5.0", "-v, --version", "output the current version").addHelpText(
     "after",
     `
 Examples: