getdoorman 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 SafeLaunch Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,181 @@
+# Doorman
+
+**The broad-spectrum safety net for AI-assisted development.**
+
+2,508 rules across 10 categories. 510 auto-fixes. Runs locally in seconds. Zero account, zero config, zero data sent anywhere.
+
+```bash
+npx getdoorman check
+```
+
+---
+
+## Why Doorman?
+
+AI coding tools (Claude Code, Cursor, Copilot) let anyone build apps fast. But "it works" and "it's safe" are two different things. Doorman catches what code review misses:
+
+- The SQL injection your AI assistant introduced
+- The API key hardcoded in your frontend
+- The `curl | bash` in your CI pipeline
+- The `colors` package that trashed production (supply chain attack)
+- The endpoint that crashes at 100 concurrent users
+- The $3,000/month in unnecessary AI API calls
+- The GDPR violation in every form
+
+**You built it with AI. Doorman makes sure it's safe to ship.**
+
+---
+
+## Quick Start
+
+```bash
+# Run once
+npx getdoorman check
+
+# Install as pre-commit hook — findings block bad commits automatically
+npx getdoorman init
+
+# Auto-fix common issues
+npx getdoorman fix
+```
+
+---
+
+## What It Checks (2,508 rules, 510 auto-fixes)
+
+| Category | Rules | Examples |
+|----------|-------|---------|
+| **Security** | 300+ | SQL injection, XSS, hardcoded secrets, missing auth, CSRF, rate limiting, supply chain attacks |
+| **Performance** | 180+ | N+1 queries, no caching, no pagination, memory leaks, blocking event loop |
+| **Reliability** | 150+ | No error handling, missing health checks, no timeouts, no retries, no monitoring |
+| **Infrastructure** | 120+ | Docker misconfig, Terraform public S3, no resource limits, privileged mode |
+| **Code Quality** | 200+ | Console.log in prod, empty catch blocks, prototype pollution, for-in on arrays |
+| **Deployment** | 150+ | `write-all` CI permissions, unpinned Actions, secrets in CI logs, no rollback |
+| **Compliance** | 180+ | GDPR gaps, missing privacy policy, PII in logs, accessibility issues |
+| **Data Protection** | 150+ | Weak hashing, no validation, MD5 passwords, unencrypted PII |
+| **Cost** | 100+ | Uncached AI API calls, wasteful queries, unnecessary compute |
+| **Dependencies** | 120+ | Outdated packages with CVEs, license issues, lockfile missing, typosquatting |
+
+---
+
+## Supply Chain Protection
+
+Doorman includes dedicated supply chain attack detection — one of the fastest-growing attack vectors:
+
+```bash
+$ npx getdoorman check --category security
+
+  CRITICAL  Compromised package "colors" in dependencies
+            (Deliberate sabotage in 2022 — printed infinite garbage output)
+
+  CRITICAL  Third-party action "actions/checkout@v3" not pinned to commit SHA
+            (Tags are mutable — account takeover can inject malicious code)
+
+  CRITICAL  Remote script execution without integrity check — ci.yml:12
+            (curl https://... | bash allows MITM to execute arbitrary code)
+
+  HIGH      Hardcoded npm auth token in .npmrc
+            (Committed tokens grant publish access to your packages)
+```
+
+31 supply chain rules covering: package manager attacks, CI/CD pipeline injection, Trojan Source (Unicode bidirectional), build artifact signing, container image pinning, Git hook abuse, and registry security.
+
+---
+
+## Benchmark Results
+
+Tested against OWASP NodeGoat, DVNA, and OWASP Juice Shop plus a synthetic benchmark with 46 planted vulnerability classes:
+
+| Metric | Score |
+|--------|-------|
+| Detection rate | **98%** (45/46 vulnerability classes) |
+| Hard false positive rate | **13%** (within industry norm of 15–30%) |
+| Supply chain rules | **31 rules**, 6 attack categories |
+
+---
+
+## Privacy-First
+
+Your code never leaves your machine. Doorman runs 100% locally — no cloud, no account, no GitHub App, no data sent anywhere. This matters for:
+
+- Regulated industries (HIPAA, PCI-DSS, SOC 2)
+- Pre-IPO startups with unreleased code
+- Air-gapped or offline CI environments
+- Teams on GitLab, Bitbucket, or self-hosted git
+
+---
+
+## Pre-Commit Hook
+
+Stop bad code from ever being committed:
+
+```bash
+npx getdoorman init
+```
+
+This installs a git hook that runs `doorman check` on every commit and blocks if critical issues are found. Takes 5 seconds to set up.
+
+---
+
+## CI/CD Integration
+
+```yaml
+# .github/workflows/doorman.yml
+name: Doorman
+on: [pull_request]
+jobs:
+  safety:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npx getdoorman check --ci --min-score 70
+```
+
+---
+
+## CLI Reference
+
+```bash
+npx getdoorman check                    # Scan current directory
+npx getdoorman check ./my-app           # Scan specific path
+npx getdoorman check --full             # Scan all files (not just changed)
+npx getdoorman check --category security,performance
+npx getdoorman check --ci --min-score 70  # Fail below threshold
+npx getdoorman check --json             # Machine-readable output
+
+npx getdoorman fix                      # Auto-fix common issues
+npx getdoorman fix --dry-run            # Preview fixes
+
+npx getdoorman init                     # Install pre-commit hook
+npx getdoorman ignore SEC-XSS-009      # Suppress a rule
+```
+
+---
+
+## How It Works
+
+Doorman uses a 4-layer detection architecture: regex pattern matching (2,508 rules for fast broad coverage), taint tracking (source-to-sink data flow across variable assignments), scope analysis (context-aware detection for loops, routes, and test files), and optional AST analysis via tree-sitter (structural matching with near-zero false positives). Each layer refines the previous one — fast layers catch issues, precise layers eliminate noise. See [Detection Methodology](docs/detection-methodology.md) for details.
+
+---
+
+## vs Alternatives
+
+Doorman is designed for instant, zero-config scans — run `npx getdoorman check` and get results in under 5 seconds with no accounts, servers, or setup. It covers 10 categories beyond just security (performance, cost, compliance, infrastructure). For deep inter-procedural analysis, consider CodeQL; for enterprise dashboards, SonarQube; for custom AST rules, Semgrep. See [full comparison](docs/comparison.md).
+
+---
+
+## Supported Stacks
+
+- **JavaScript/TypeScript**: Next.js, Express, Fastify, Remix, SvelteKit, Astro, Hono
+- **Python**: Django, Flask, FastAPI
+- **Ruby**: Rails, Sinatra
+- **Go**: Standard library, Gin, Echo
+- **Databases**: PostgreSQL, MySQL, SQLite, MongoDB, Redis
+- **ORMs**: Prisma, Drizzle, TypeORM, Sequelize, Mongoose
+- **Infrastructure**: Docker, GitHub Actions, GitLab CI, Terraform
+
+---
+
+## License
+
+MIT

package/bin/doorman.js

@@ -0,0 +1,444 @@
+#!/usr/bin/env node
+
+import { Command } from 'commander';
+import { check } from '../src/index.js';
+import { generateReport } from '../src/compliance.js';
+
+const program = new Command();
+
+program
+  .name('doorman')
+  .description('Find security issues. Tell your AI to fix them.')
+  .version('1.0.0');
+
+program
+  .command('check')
+  .alias('scan')
+  .description('Scan your code for issues (always free)')
+  .argument('[path]', 'Path to scan', '.')
+  .option('--ci', 'CI mode — exit with code 1 if score below threshold')
+  .option('--min-score <number>', 'Minimum score to pass in CI mode', '70')
+  .option('--json', 'Output results as JSON')
+  .option('--sarif [path]', 'Output SARIF 2.1.0 report (for GitHub Code Scanning, VS Code)')
+  .option('--html [path]', 'Output standalone HTML report')
+  .option('--category <categories>', 'Only run specific categories (comma-separated)')
+  .option('--severity <level>', 'Minimum severity to report (critical,high,medium,low,info)', 'low')
+  .option('--full', 'Force full scan (skip incremental)')
+  .option('--no-cache', 'Disable file hash caching (force re-scan all files)')
+  .option('--timeout <seconds>', 'Custom scan timeout in seconds', '60')
+  .option('--verbose', 'Show all findings including suggestions')
+  .option('--detail', 'Show all findings individually (disables smart summary)')
+  .option('--strict', 'Show all severity levels including medium/low')
+  .option('-q, --quiet', 'Only show one-line summary (no findings detail)')
+  .option('--config <path>', 'Path to a custom config file')
+  .option('--baseline [path]', 'Only show NEW findings (diff against baseline file)')
+  .option('--save-baseline [path]', 'Save current findings as baseline for future diffs')
+  .option('--profile', 'Show performance profile of slowest rules')
+  .option('--share', 'Generate a shareable score card')
+  .action(async (path, options) => {
+    try {
+      const result = await check(path, options);
+
+      // Generate shareable score card
+      if (options.share && result) {
+        const { generateScoreCard } = await import('../src/share.js');
+        const cardPath = generateScoreCard(path, result);
+        const chalk = (await import('chalk')).default;
+        console.log('');
+        console.log(chalk.bold.green('  Score card saved!'));
+        console.log(chalk.gray(`  Open: ${cardPath}`));
+        console.log(chalk.gray('  Share it on Twitter, Discord, or Slack.'));
+        console.log('');
+      }
+
+      // After first scan, collect email + offer auto-run
+      if (!options.ci && !options.quiet && !options.json && !options.sarif && !options.html && !options.silent) {
+        const { isFirstScan } = await import('../src/hooks.js');
+        const { loadAuth, saveAuth } = await import('../src/auth.js');
+        const { resolve } = await import('path');
+        const resolvedPath = resolve(path);
+        const auth = loadAuth();
+
+        if (isFirstScan(resolvedPath) && !auth?.email) {
+          const chalk = (await import('chalk')).default;
+          const readline = await import('readline');
+          const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+
+          console.log('');
+          const email = await new Promise(r => {
+            rl.question(chalk.green('  Enter your email for updates (optional): '), a => { rl.close(); r(a.trim()); });
+          });
+
+          if (email && email.includes('@')) {
+            saveAuth(email);
+            // Send to API
+            try {
+              await fetch('https://api.doorman.sh/api/waitlist', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email, plan: 'cli-signup', source: 'cli' }),
+                signal: AbortSignal.timeout(3000),
+              });
+            } catch {}
+            console.log(chalk.green('  ✓ Saved! We\'ll notify you about updates.'));
+          }
+          console.log('');
+        }
+      }
+
+      process.exit(result.exitCode || 0);
+    } catch (err) {
+      console.error('Error:', err.message);
+      process.exit(2);
+    }
+  });
+
+program
+  .command('fix')
+  .description('Tell your AI to fix issues — works in Claude, Codex, Cursor')
+  .argument('[severity]', 'Filter: critical, high, medium, or all', 'critical')
+  .argument('[path]', 'Path to scan', '.')
+  .action(async (severity, path, options) => {
+    const chalk = (await import('chalk')).default;
+
+    // Load cached scan or run a quick scan
+    let findings = [];
+    try {
+      const { loadScanCache } = await import('../src/scan-cache.js');
+      const { resolve } = await import('path');
+      const cache = loadScanCache(resolve(path));
+      if (cache && cache.findings) findings = cache.findings;
+    } catch {}
+
+    if (findings.length === 0) {
+      console.log('Scanning...');
+      const result = await check(path, { silent: true, full: true });
+      findings = result.findings;
+    }
+
+    // Filter by severity
+    const sevFilter = severity.toLowerCase();
+    let filtered;
+    if (sevFilter === 'all') {
+      filtered = findings;
+    } else if (sevFilter === 'critical') {
+      filtered = findings.filter(f => f.severity === 'critical');
+    } else if (sevFilter === 'high') {
+      filtered = findings.filter(f => f.severity === 'critical' || f.severity === 'high');
+    } else if (sevFilter === 'medium') {
+      filtered = findings.filter(f => f.severity === 'critical' || f.severity === 'high' || f.severity === 'medium');
+    } else {
+      filtered = findings.filter(f => f.severity === sevFilter);
+    }
+
+    const top = filtered.slice(0, 20);
+
+    if (top.length === 0) {
+      console.log(`No ${sevFilter} issues found.`);
+      return;
+    }
+
+    // Build the prompt
+    const issueList = top.map(f => {
+      const loc = f.file ? ` in ${f.file}${f.line ? ':' + f.line : ''}` : '';
+      return `- ${f.severity.toUpperCase()}: ${f.title}${loc}`;
+    }).join('\n');
+
+    const prompt = `Fix these ${sevFilter === 'all' ? '' : sevFilter + ' '}issues in my code:\n\n${issueList}`;
+
+    // Detect environment: AI tool or manual terminal
+    const isAI = process.env.CLAUDE_CODE || process.env.CURSOR_SESSION || process.env.CODEX_SANDBOX || process.env.TERM_PROGRAM === 'claude';
+    const isCI = process.env.CI || process.env.GITHUB_ACTIONS;
+
+    if (isAI) {
+      // Inside an AI tool — just output the prompt directly, the AI will act on it
+      console.log(prompt);
+    } else if (isCI) {
+      // CI — just list issues
+      console.log(prompt);
+    } else {
+      // Manual terminal — show formatted + copy to clipboard
+      console.log('');
+      console.log(chalk.bold('  Paste this into Claude, Codex, or Cursor:'));
+      console.log('');
+      console.log(chalk.cyan('  ┌───────────────────────────────────────────────'));
+      for (const line of prompt.split('\n')) {
+        console.log(chalk.cyan('  │ ') + line);
+      }
+      console.log(chalk.cyan('  └───────────────────────────────────────────────'));
+      console.log('');
+
+      // Copy to clipboard
+      try {
+        const { execSync } = await import('child_process');
+        const cmd = process.platform === 'darwin' ? 'pbcopy' : process.platform === 'win32' ? 'clip' : 'xclip -selection clipboard';
+        execSync(cmd, { input: prompt, stdio: ['pipe', 'ignore', 'ignore'] });
+        console.log(chalk.green('  ✓ Copied to clipboard! Just paste it.'));
+      } catch {
+        console.log(chalk.dim('  Tip: copy the text above and paste into your AI tool'));
+      }
+      console.log('');
+    }
+  });
+
+program
+  .command('review')
+  .description('Review only changed files (for git hooks and PRs)')
+  .argument('[path]', 'Path to scan', '.')
+  .option('--json', 'Output as JSON')
+  .option('--min-score <number>', 'Minimum score', '70')
+  .action(async (path, options) => {
+    try {
+      const result = await check(path, { ...options, incremental: true });
+      process.exit(result.exitCode || 0);
+    } catch (err) {
+      console.error('Error:', err.message);
+      process.exit(2);
+    }
+  });
+
+program
+  .command('ignore')
+  .description('Ignore a rule (mark as false positive)')
+  .argument('<ruleId>', 'Rule ID to ignore (e.g., SEC-INJ-001)')
+  .option('--file <path>', 'Only ignore in this file')
+  .option('--reason <reason>', 'Reason for ignoring')
+  .action(async (ruleId, options) => {
+    const { addIgnore } = await import('../src/config.js');
+    addIgnore('.', ruleId, options.file || null, options.reason || 'User dismissed');
+    console.log(`Ignored ${ruleId}${options.file ? ' in ' + options.file : ''}`);
+  });
+
+program
+  .command('init')
+  .description('Initialize Doorman: create config, hooks, and auto-run')
+  .option('--no-hook', 'Skip pre-commit hook installation')
+  .option('--claude', 'Install Claude Code auto-run hook')
+  .action(async (options) => {
+    const { writeFileSync, existsSync, mkdirSync } = await import('fs');
+    const { installClaudeHook, installGitHook, installClaudeMd } = await import('../src/hooks.js');
+    const { resolve } = await import('path');
+
+    // 1. Config file — create .doormanrc with recommended preset
+    if (existsSync('.doormanrc') || existsSync('.doormanrc.json')) {
+      const which = existsSync('.doormanrc') ? '.doormanrc' : '.doormanrc.json';
+      console.log(`  ✓ Config already exists at ${which}`);
+    } else {
+      const config = {
+        extends: 'recommended',
+        rules: {},
+        categories: [],
+        severity: 'medium',
+        ignore: ['test/**', 'vendor/**', '*.min.js'],
+      };
+      writeFileSync('.doormanrc', JSON.stringify(config, null, 2) + '\n');
+      console.log('  ✓ Created .doormanrc (recommended preset)');
+    }
+
+    // 2. Pre-commit hook
+    if (options.hook !== false) {
+      const installed = installGitHook(resolve('.'));
+      if (installed) {
+        console.log('  ✓ Installed pre-commit hook — critical issues will block commits');
+      } else if (!existsSync('.git')) {
+        console.log('  ⚠ Not a git repository — skipping pre-commit hook');
+      } else {
+        console.log('  ✓ Pre-commit hook already installed');
+      }
+    }
+
+    // 3. Claude Code hook
+    if (options.claude) {
+      const installed = installClaudeHook(resolve('.'));
+      if (installed) {
+        console.log('  ✓ Claude Code hook installed — Doorman runs after every file edit');
+      } else {
+        console.log('  ✓ Claude Code hook already installed');
+      }
+    }
+
+    // 4. CLAUDE.md — teach Claude to use Doorman
+    const mdInstalled = installClaudeMd(resolve('.'));
+    if (mdInstalled) {
+      console.log('  ✓ Added Doorman to CLAUDE.md — Claude will suggest it automatically');
+    } else {
+      console.log('  ✓ CLAUDE.md already mentions Doorman');
+    }
+
+    console.log('');
+    console.log('Doorman is ready. Run `npx getdoorman check` to scan your codebase.');
+    if (!options.claude) {
+      console.log('Tip: Run `npx getdoorman init --claude` to auto-scan when Claude writes code.');
+    }
+  });
+
+program
+  .command('dashboard')
+  .description('Open your project dashboard in the browser')
+  .argument('[path]', 'Project path', '.')
+  .action(async (path) => {
+    const chalk = (await import('chalk')).default;
+    const { openDashboard } = await import('../src/dashboard.js');
+    const result = openDashboard(path);
+    if (result.error) {
+      console.log('');
+      console.log(chalk.yellow(`  ${result.error}`));
+      console.log('');
+    } else {
+      console.log('');
+      console.log(chalk.green(`  ✓ Dashboard opened: ${result.path}`));
+      console.log('');
+    }
+  });
+
+program
+  .command('benchmark')
+  .description('Run the real-world vulnerability detection benchmark')
+  .action(async () => {
+    console.log('Running Doorman benchmark...');
+    const { execSync } = await import('child_process');
+    try {
+      execSync('node --test test/benchmark-real-world.test.js', { stdio: 'inherit' });
+    } catch (e) {
+      // Test runner reports results
+    }
+  });
+
+program
+  .command('hook')
+  .description('Install Doorman as a pre-commit git hook')
+  .option('--remove', 'Remove the git hook')
+  .action(async (options) => {
+    const { writeFileSync, unlinkSync, existsSync, mkdirSync } = await import('fs');
+    const hookPath = '.git/hooks/pre-commit';
+
+    if (options.remove) {
+      if (existsSync(hookPath)) {
+        unlinkSync(hookPath);
+        console.log('Removed Doorman pre-commit hook');
+      }
+      return;
+    }
+
+    if (!existsSync('.git/hooks')) mkdirSync('.git/hooks', { recursive: true });
+
+    const hookScript = `#!/bin/sh
+# Doorman pre-commit hook
+npx getdoorman review --min-score 70
+`;
+    writeFileSync(hookPath, hookScript, { mode: 0o755 });
+    console.log('Installed Doorman pre-commit hook');
+    console.log('Every commit will be checked. Remove with: doorman hook --remove');
+  });
+
+program
+  .command('credits')
+  .description('Check your credit balance or buy more')
+  .option('--buy', 'Open the credit purchase page')
+  .action(async (options) => {
+    const chalk = (await import('chalk')).default;
+    const { loadAuth, checkCredits, getCreditPacks } = await import('../src/auth.js');
+
+    const auth = loadAuth();
+
+    if (!auth || !auth.email) {
+      console.log('');
+      console.log(chalk.dim('  No account yet. Run `npx getdoorman fix` to get 3 free credits.'));
+      console.log('');
+      return;
+    }
+
+    const credits = await checkCredits(auth.email);
+    const packs = getCreditPacks(auth.email);
+
+    console.log('');
+    console.log(chalk.bold('  Doorman Account'));
+    console.log(`    Email:   ${auth.email}`);
+    console.log(`    Credits: ${credits ? credits.credits : 'unknown (offline)'}`);
+    console.log('');
+
+    if (options.buy || (credits && credits.credits <= 0)) {
+      console.log(chalk.bold('  Buy credits:'));
+      console.log('');
+      for (const pack of packs) {
+        const bonus = pack.bonus ? chalk.green(` (${pack.bonus})`) : '';
+        console.log(`    ${String(pack.credits).padStart(3)} credits — ${pack.price}${bonus}   ${chalk.cyan(pack.buyUrl)}`);
+      }
+      console.log('');
+      // Try to open browser
+      try {
+        const { execSync } = await import('child_process');
+        const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+        execSync(`${cmd} ${packs[0].buyUrl}`, { stdio: 'ignore' });
+        console.log(chalk.dim('  Opened in your browser.'));
+      } catch { /* ignore */ }
+    }
+    console.log('');
+  });
+
+// ai-fix is now merged into `fix` — kept as hidden alias for backward compat
+program
+  .command('ai-fix')
+  .description(false)  // hidden
+  .argument('[path]', 'Path to scan', '.')
+  .action(async () => {
+    console.log('ai-fix has been merged into `fix`. Just run: npx getdoorman fix');
+  });
+
+program
+  .command('report')
+  .description('Generate a compliance report (SOC2, GDPR, HIPAA, PCI-DSS)')
+  .argument('[path]', 'Path to scan', '.')
+  .option('--framework <name>', 'Framework: SOC2, GDPR, HIPAA, PCI, or all', 'all')
+  .option('--output <path>', 'Output file path', 'doorman-report.html')
+  .option('--project <name>', 'Project name for the report')
+  .action(async (path, options) => {
+    const chalk = (await import('chalk')).default;
+    const { basename, resolve } = await import('path');
+
+    const framework = options.framework.toLowerCase();
+    const validFrameworks = ['soc2', 'gdpr', 'hipaa', 'pci', 'all'];
+    if (!validFrameworks.includes(framework)) {
+      console.error(`Error: Unknown framework "${options.framework}". Choose from: SOC2, GDPR, HIPAA, PCI, or all`);
+      process.exit(1);
+    }
+
+    const projectName = options.project || basename(resolve(path));
+
+    console.log('');
+    console.log(chalk.bold.cyan('  Doorman — Compliance Report Generator'));
+    console.log('');
+
+    // Step 1: Run a full scan
+    console.log(chalk.gray('  Running full scan...'));
+    let result;
+    try {
+      result = await check(path, { silent: true, full: true });
+    } catch (err) {
+      console.error(chalk.red(`  Scan failed: ${err.message}`));
+      process.exit(1);
+    }
+
+    console.log(chalk.gray(`  Found ${result.findings.length} finding(s), score: ${result.score}/100`));
+    console.log('');
+
+    // Step 2: Generate the compliance report
+    const { summary } = generateReport(
+      { findings: result.findings, score: result.score, stack: result.stack },
+      { framework, projectName, outputPath: options.output }
+    );
+
+    // Step 3: Print summary
+    const frameworkEntries = Object.entries(summary.frameworks);
+    for (const [, fw] of frameworkEntries) {
+      const statusColor = fw.status === 'compliant' ? chalk.green : fw.status === 'partial' ? chalk.yellow : chalk.red;
+      console.log(`  ${fw.name.padEnd(22)} ${statusColor(fw.status.toUpperCase().padEnd(15))} ${fw.score}%`);
+    }
+
+    console.log('');
+    console.log(chalk.bold.green(`  Report saved to ${options.output}`));
+    console.log(chalk.gray('  Open in a browser to view the full compliance report.'));
+    console.log('');
+  });
+
+program.parse();