getdoorman 1.0.0

package/src/hooks.js

@@ -0,0 +1,115 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Check if this is the first scan for the given project.
+ */
+export function isFirstScan(targetPath) {
+  const metricsPath = join(targetPath, '.doorman', 'metrics.json');
+  if (!existsSync(metricsPath)) return true;
+  try {
+    const data = JSON.parse(readFileSync(metricsPath, 'utf-8'));
+    return !data.scans || data.scans.length <= 1;
+  } catch {
+    return true;
+  }
+}
+
+/**
+ * Check if Claude Code hooks are already set up for Doorman.
+ */
+export function hasClaudeHook(targetPath) {
+  const settingsPath = join(targetPath, '.claude', 'settings.json');
+  if (!existsSync(settingsPath)) return false;
+  try {
+    const settings = JSON.parse(readFileSync(settingsPath, 'utf-8'));
+    return JSON.stringify(settings).includes('doorman');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Install Claude Code hook that runs Doorman after file edits.
+ */
+export function installClaudeHook(targetPath) {
+  const claudeDir = join(targetPath, '.claude');
+  const settingsPath = join(claudeDir, 'settings.json');
+
+  if (!existsSync(claudeDir)) mkdirSync(claudeDir, { recursive: true });
+
+  let settings = {};
+  if (existsSync(settingsPath)) {
+    try {
+      settings = JSON.parse(readFileSync(settingsPath, 'utf-8'));
+    } catch {
+      settings = {};
+    }
+  }
+
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks.PostToolUse) settings.hooks.PostToolUse = [];
+
+  // Don't add duplicate
+  const already = settings.hooks.PostToolUse.some(h =>
+    h.command && h.command.includes('doorman')
+  );
+  if (already) return false;
+
+  settings.hooks.PostToolUse.push({
+    matcher: 'Write|Edit',
+    command: 'npx getdoorman check --quiet'
+  });
+
+  writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+  return true;
+}
+
+/**
+ * Install pre-commit git hook.
+ */
+export function installGitHook(targetPath) {
+  const hookPath = join(targetPath, '.git', 'hooks', 'pre-commit');
+  if (!existsSync(join(targetPath, '.git'))) return false;
+
+  const hooksDir = join(targetPath, '.git', 'hooks');
+  if (!existsSync(hooksDir)) mkdirSync(hooksDir, { recursive: true });
+
+  if (existsSync(hookPath)) return false;
+
+  const hookScript = `#!/bin/sh
+# Doorman pre-commit hook — blocks commits with critical issues
+npx getdoorman check --quiet --ci
+`;
+  writeFileSync(hookPath, hookScript, { mode: 0o755 });
+  return true;
+}
+
+/**
+ * Add Doorman instructions to CLAUDE.md so Claude knows to use it.
+ */
+export function installClaudeMd(targetPath) {
+  const claudeMdPath = join(targetPath, 'CLAUDE.md');
+  const doormanBlock = `
+## Doorman — Code Safety
+
+Before shipping or when asked to check code safety, run:
+\`\`\`bash
+npx getdoorman check
+\`\`\`
+
+To fix issues automatically:
+\`\`\`bash
+npx getdoorman fix
+\`\`\`
+`;
+
+  if (existsSync(claudeMdPath)) {
+    const content = readFileSync(claudeMdPath, 'utf-8');
+    if (content.includes('doorman')) return false; // Already there
+    writeFileSync(claudeMdPath, content + '\n' + doormanBlock);
+  } else {
+    writeFileSync(claudeMdPath, doormanBlock.trimStart());
+  }
+  return true;
+}

package/src/ignore.js

@@ -0,0 +1,176 @@
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { minimatch } from 'minimatch';
+
+/**
+ * Default directories and patterns to always ignore.
+ */
+const DEFAULT_IGNORES = [
+  // Package managers & build output
+  'node_modules/**',
+  '.git/**',
+  'dist/**',
+  'build/**',
+  'vendor/**',
+  '__pycache__/**',
+  '.next/**',
+  '.vercel/**',
+  'out/**',
+  '.nuxt/**',
+  '.svelte-kit/**',
+  '.astro/**',
+  'coverage/**',
+  '.cache/**',
+  '.turbo/**',
+  '.parcel-cache/**',
+  '.expo/**',
+  // Tests & non-production code
+  'test/**',
+  'tests/**',
+  '__tests__/**',
+  '__mocks__/**',
+  'fixtures/**',
+  'examples/**',
+  'example/**',
+  'sample/**',
+  'samples/**',
+  'demo/**',
+  'demos/**',
+  'docs/**',
+  'doc/**',
+  'benchmarks/**',
+  'benchmark/**',
+  'storybook/**',
+  '.storybook/**',
+  'stories/**',
+  'cypress/**',
+  'playwright/**',
+  'e2e/**',
+  '**/*.test.js',
+  '**/*.test.ts',
+  '**/*.spec.js',
+  '**/*.spec.ts',
+  '**/*.test.jsx',
+  '**/*.test.tsx',
+  '**/*.spec.jsx',
+  '**/*.spec.tsx',
+  // Generated & binary files
+  '*.min.js',
+  '*.min.css',
+  '*.map',
+  '*.d.ts',
+  'package-lock.json',
+  'yarn.lock',
+  'pnpm-lock.yaml',
+  'bun.lockb',
+  // Media & assets
+  '*.ico',
+  '*.png',
+  '*.jpg',
+  '*.jpeg',
+  '*.gif',
+  '*.svg',
+  '*.woff',
+  '*.woff2',
+  '*.ttf',
+  '*.eot',
+  '*.mp4',
+  '*.webm',
+  '*.mp3',
+  '*.pdf',
+  // IDE & config
+  '.vscode/**',
+  '.idea/**',
+  '.doorman/**',
+];
+
+/**
+ * Parse a .doormanignore file.
+ * Supports:
+ *   - Glob patterns (same as .gitignore)
+ *   - Comments starting with #
+ *   - Negation patterns starting with !
+ *   - Blank lines are ignored
+ *
+ * Returns { patterns: string[], negations: string[] }
+ */
+export function parseIgnoreFile(content) {
+  const patterns = [];
+  const negations = [];
+
+  const lines = content.split('\n');
+  for (const raw of lines) {
+    const line = raw.trim();
+
+    // Skip blank lines and comments
+    if (!line || line.startsWith('#')) continue;
+
+    if (line.startsWith('!')) {
+      // Negation — strip the ! prefix
+      negations.push(line.slice(1));
+    } else {
+      patterns.push(line);
+    }
+  }
+
+  return { patterns, negations };
+}
+
+/**
+ * Load ignore patterns from .doormanignore in the given directory.
+ * Merges with the built-in default ignores.
+ *
+ * Returns the full list of ignore glob strings (for use with glob's `ignore`),
+ * plus a `shouldIgnore(filePath)` predicate that respects negation patterns.
+ */
+export function loadIgnorePatterns(targetPath) {
+  const ignoreFilePath = join(targetPath, '.doormanignore');
+
+  let userPatterns = [];
+  let negations = [];
+
+  if (existsSync(ignoreFilePath)) {
+    try {
+      const content = readFileSync(ignoreFilePath, 'utf-8');
+      const parsed = parseIgnoreFile(content);
+      userPatterns = parsed.patterns;
+      negations = parsed.negations;
+    } catch {
+      // If the file can't be read, just use defaults
+    }
+  }
+
+  // Merge default ignores with user patterns
+  const allPatterns = [...DEFAULT_IGNORES, ...userPatterns];
+
+  /**
+   * Check whether a relative file path should be ignored.
+   * First checks if it matches any ignore pattern, then checks
+   * if a negation pattern re-includes it.
+   */
+  function shouldIgnore(filePath) {
+    const matchOpts = { dot: true, matchBase: true };
+
+    // Check negations first — if a negation matches, the file is NOT ignored
+    for (const neg of negations) {
+      if (minimatch(filePath, neg, matchOpts)) {
+        return false;
+      }
+    }
+
+    // Check ignore patterns
+    for (const pattern of allPatterns) {
+      if (minimatch(filePath, pattern, matchOpts)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  return {
+    patterns: allPatterns,
+    negations,
+    shouldIgnore,
+  };
+}

package/src/index.js

@@ -0,0 +1,384 @@
+import { resolve, dirname } from 'path';
+import { existsSync, statSync } from 'fs';
+import ora from 'ora';
+import chalk from 'chalk';
+import { detectStack } from './detector.js';
+import { collectFiles, collectFilesIncremental, runRules, runRulesParallel } from './scanner.js';
+import { loadRules } from './rules/index.js';
+import { calculateScore, printReport, generateJSON, writeSARIF, writeHTML, printSummaryLine } from './reporter.js';
+import { traceAttackPaths } from './tracer.js';
+import { loadConfig, applyConfig, getFileIgnorePatterns } from './config.js';
+import { recordScan } from './metrics.js';
+import { sendTelemetry } from './telemetry.js';
+import { isASTAvailable } from './ast-scanner.js';
+import { loadBaseline, diffFindings, saveBaseline } from './baseline.js';
+import { loadCustomRules } from './custom-rules.js';
+import { detectWorkspaces } from './monorepo.js';
+import { saveScanCache, mergeWithCache } from './scan-cache.js';
+
+/**
+ * Rules that don't apply to libraries (npm packages, frameworks).
+ * These expect an application context (deployed service, user-facing app).
+ */
+const LIBRARY_SKIP_PATTERNS = [
+  // App-level security headers/middleware — the app's responsibility, not the library's
+  /https.*enforcement|hsts|csp.*header|content.security.policy|x-frame|x-content-type|referrer.policy|permissions.policy|csrf|helmet/i,
+  // App deployment/monitoring
+  /no.*uptime.*monitoring|no.*health.*check|no.*graceful.*shutdown|no.*request.*timeout|no.*rate.*limit|no.*ci.*pipeline|no.*sast|no.*test.*file|no.*lint/i,
+  // App-level process handling
+  /uncaughtException|unhandledRejection|no.*error.*tracking|no.*lockfile/i,
+  // App infrastructure
+  /no.*privacy.*policy|no.*cookie.*consent|no.*data.*retention|no.*backup|no.*incident.*response|no.*breach.*notification/i,
+  // App-level compression/monitoring
+  /without.*compression|no.*monitoring|no.*logging.*service/i,
+];
+
+/**
+ * Rule IDs that are app-level concerns, not library concerns.
+ */
+const LIBRARY_SKIP_RULES = new Set([
+  'SCOPE-AUTH-001',   // "Route handler without auth" — auth is the app's job
+  'SCOPE-AUTH-002',   // "Route handler without rate limiting"
+]);
+
+/**
+ * Rules that should be downgraded to 'info' severity for libraries
+ * (still shown with --verbose, but don't tank the score).
+ */
+const LIBRARY_DOWNGRADE_PATTERNS = [
+  /\bvar\b.*declaration/i,           // var→const/let is a style choice for older Node support
+  /recursive.*without.*depth/i,      // Library internals manage their own call depth
+  /without.*(?:timeout|shutdown|compression|rate.limit)/i,  // App-level concerns
+  /unbounded.*concurrent/i,          // App-level concern
+  /server\.listen|hardcoded.*port/i, // Example patterns, not library code
+];
+
+/**
+ * Categories that are largely irrelevant for libraries.
+ * Compliance, deployment, and cost rules assume a deployed app context.
+ */
+const LIBRARY_SKIP_CATEGORIES = new Set(['compliance', 'deployment', 'cost']);
+
+/**
+ * Filter out findings that don't apply to library/framework codebases.
+ * Libraries provide building blocks — app-level rules (CSRF, HSTS, etc.) are the consumer's job.
+ */
+function filterLibraryFindings(findings) {
+  return findings.filter(f => {
+    const title = f.title || '';
+    const desc = f.description || '';
+    const text = title + ' ' + desc;
+
+    // Skip entire categories that don't apply to libraries
+    if (LIBRARY_SKIP_CATEGORIES.has(f.category)) return false;
+
+    // Skip specific rule IDs
+    if (f.ruleId && LIBRARY_SKIP_RULES.has(f.ruleId)) return false;
+
+    // Skip project-level (no file) findings that match app patterns
+    if (!f.file) {
+      return !LIBRARY_SKIP_PATTERNS.some(p => p.test(text));
+    }
+
+    // Downgrade noisy rules to 'suggestion' confidence for libraries
+    // (still shown with --verbose, doesn't affect score)
+    if (LIBRARY_DOWNGRADE_PATTERNS.some(p => p.test(title))) {
+      f.confidence = 'suggestion';
+      f.severity = 'info';
+    }
+
+    return true;
+  });
+}
+
+/**
+ * Determine whether to use incremental scanning.
+ * Defaults to incremental when inside a git repo, unless --full is set.
+ */
+function shouldUseIncremental(resolvedPath, options) {
+  if (options.full) return false;
+  if (options.incremental) return true;
+  // Default: incremental when a .git directory exists
+  return existsSync(resolve(resolvedPath, '.git'));
+}
+
+/**
+ * Main check function — orchestrates the entire scan.
+ */
+export async function check(targetPath = '.', options = {}) {
+  let resolvedPath = resolve(targetPath);
+  // If target is a file, use its parent directory for scanning
+  if (existsSync(resolvedPath) && statSync(resolvedPath).isFile()) {
+    resolvedPath = dirname(resolvedPath);
+  }
+  const silent = options.silent || options.json || options.sarif || options.html || options.ci || options.quiet || false;
+  const timeoutMs = (options.timeout ? parseInt(options.timeout, 10) : 60) * 1000;
+  const startTime = performance.now();
+  let timedOut = false;
+
+  // Load user config (ignore rules, severity overrides, thresholds)
+  const config = await loadConfig(resolvedPath, options.config);
+
+  if (!silent && config._loadedFrom) {
+    console.log(chalk.gray(`  Using config: ${config._loadedFrom}`));
+  }
+
+  // Wrap the scan in a timeout race
+  const scanPromise = (async () => {
+    // Step 1: Detect stack
+    const spinner = silent ? null : ora('Detecting your tech stack...').start();
+    const stack = await detectStack(resolvedPath);
+    if (spinner) {
+      const stackLabel = [stack.framework || stack.language || 'Unknown', stack.orm, stack.database]
+        .filter(Boolean).join(' + ');
+      spinner.succeed(`Detected: ${chalk.bold(stackLabel)}`);
+    }
+
+    // Step 2: Collect files (incremental or full)
+    const incremental = shouldUseIncremental(resolvedPath, options);
+    if (spinner) spinner.start(incremental ? 'Collecting changed files (incremental)...' : 'Collecting files...');
+
+    const extraIgnores = getFileIgnorePatterns(config);
+    const collectOpts = { silent, noCache: options.noCache || false, extraIgnores };
+    const files = incremental
+      ? await collectFilesIncremental(resolvedPath, collectOpts)
+      : await collectFiles(resolvedPath, collectOpts);
+
+    if (spinner) {
+      const modeLabel = incremental ? ' (incremental)' : '';
+      spinner.succeed(`Found ${chalk.bold(files.size)} files to scan${modeLabel}`);
+    }
+
+    // Detect which languages are present to skip irrelevant rules
+    const _detectedLangs = new Set();
+    for (const fp of files.keys()) {
+      if (/\.(js|jsx|ts|tsx|mjs|cjs)$/.test(fp)) _detectedLangs.add('js');
+      else if (/\.py$/.test(fp)) _detectedLangs.add('py');
+      else if (/\.go$/.test(fp)) _detectedLangs.add('go');
+      else if (/\.rb$/.test(fp)) _detectedLangs.add('rb');
+      else if (/\.php$/.test(fp)) _detectedLangs.add('php');
+      else if (/\.java$/.test(fp)) _detectedLangs.add('java');
+      else if (/\.(cs|csx)$/.test(fp)) _detectedLangs.add('cs');
+      else if (/\.rs$/.test(fp)) _detectedLangs.add('rust');
+      else if (/\.swift$/.test(fp)) _detectedLangs.add('swift');
+      else if (/\.dart$/.test(fp)) _detectedLangs.add('dart');
+      else if (/\.(sh|bash)$/.test(fp)) _detectedLangs.add('shell');
+    }
+
+    // Step 3: Load rules — filtered by detected languages AND user plan
+    // Only load rules for categories the user's plan allows (huge speed win)
+    let planCategories = null;
+    if (!options.allCategories && !options.strict) {
+      try {
+        const { loadAuth, getUserPlan } = await import('./auth.js');
+        const auth = loadAuth();
+        const plan = auth?.email ? getUserPlan(auth.email) : { categories: ['security', 'bugs'] };
+        if (plan.categories !== 'all') {
+          planCategories = plan.categories;
+        }
+      } catch { /* no auth — default to free plan categories */ }
+    }
+    const categoryFilter = planCategories ? planCategories.join(',') : (options.category || null);
+    const rules = loadRules({ ...options, _detectedLangs, category: categoryFilter });
+    const customRules = await loadCustomRules(resolvedPath);
+    if (customRules.length > 0) rules.push(...customRules);
+
+    if (!silent) {
+      const astStatus = isASTAvailable()
+        ? chalk.green('AST engine active')
+        : chalk.gray('AST engine unavailable — install tree-sitter for deeper analysis');
+      const customLabel = customRules.length > 0 ? ` + ${customRules.length} custom` : '';
+      console.log(chalk.gray(`  Running ${rules.length} checks${customLabel} across ${new Set(rules.map(r => r.category)).size} categories (${astStatus}${chalk.gray(')')}...`));
+      console.log('');
+    }
+
+    // Detect monorepo
+    const mono = detectWorkspaces(resolvedPath);
+    if (!silent && mono.isMonorepo) {
+      console.log(chalk.gray(`  Monorepo detected: ${mono.workspaces.length} workspaces`));
+    }
+
+    // Step 4: Run rules — parallel on multi-core machines
+    const context = { files, stack, profile: options.profile || false, _detectedLangs, _categoryFilter: categoryFilter, silent };
+    const useParallel = !options.profile && files.size >= 10;
+    const findings = useParallel
+      ? await runRulesParallel(rules, context)
+      : await runRules(rules, context);
+
+    // Step 5: Filter findings for library context
+    // Libraries (npm packages) shouldn't get app-level rules like "no CSRF", "no HSTS", etc.
+    const contextFiltered = stack.isLibrary ? filterLibraryFindings(findings) : findings;
+
+    // Step 6: Trace attack paths
+    const enrichedFindings = traceAttackPaths(contextFiltered, files, stack);
+
+    // Step 7: Apply config (filter ignored findings, override severities)
+    let filteredFindings = applyConfig(enrichedFindings, config);
+
+    // Step 7a: Deduplicate findings
+    // Many rules fire on every file for the same issue. Cap each rule to
+    // max 3 occurrences — enough to show the pattern without inflating counts.
+    const MAX_PER_RULE = 3;
+    const ruleCount = {};
+    filteredFindings = filteredFindings.filter(f => {
+      const id = f.ruleId || f.title;
+      ruleCount[id] = (ruleCount[id] || 0) + 1;
+      return ruleCount[id] <= MAX_PER_RULE;
+    });
+
+    // Step 7b: Baseline diff — only show new findings
+    if (options.baseline) {
+      const baselinePath = typeof options.baseline === 'string' ? options.baseline : '.doorman-baseline.json';
+      const baseline = loadBaseline(baselinePath);
+      if (baseline) {
+        const before = filteredFindings.length;
+        filteredFindings = diffFindings(filteredFindings, baseline);
+        if (!silent) {
+          console.log(chalk.gray(`  Baseline: ${before - filteredFindings.length} known issues filtered, ${filteredFindings.length} new`));
+        }
+      }
+    }
+
+    // Step 7c: Save baseline if requested
+    if (options.saveBaseline) {
+      const baselinePath = typeof options.saveBaseline === 'string' ? options.saveBaseline : '.doorman-baseline.json';
+      saveBaseline(filteredFindings, baselinePath);
+      if (!silent) {
+        console.log(chalk.green(`  Baseline saved to ${baselinePath} (${filteredFindings.length} findings)`));
+      }
+    }
+
+    // Step 8: Merge with cache for incremental scans (complete picture)
+    const isIncremental = shouldUseIncremental(resolvedPath, options);
+    if (isIncremental) {
+      const scannedFiles = [...files.keys()];
+      filteredFindings = mergeWithCache(resolvedPath, filteredFindings, scannedFiles);
+
+      // Re-apply cap after merge (cached findings may exceed cap)
+      const mergedRuleCount = {};
+      filteredFindings = filteredFindings.filter(f => {
+        const id = f.ruleId || f.title;
+        mergedRuleCount[id] = (mergedRuleCount[id] || 0) + 1;
+        return mergedRuleCount[id] <= MAX_PER_RULE;
+      });
+    }
+
+    // Step 9: Calculate score
+    const score = calculateScore(filteredFindings);
+
+    // Save to cache for future incremental merges and instant fix
+    saveScanCache(resolvedPath, filteredFindings, stack, score);
+
+    // Attach profile data
+    const profileData = findings._profile || null;
+
+    return { findings: filteredFindings, score, stack, fileCount: files.size, profileData };
+  })();
+
+  let scanTimer;
+  const timeoutPromise = new Promise((_, reject) => {
+    scanTimer = setTimeout(() => {
+      timedOut = true;
+      reject(new Error('SCAN_TIMEOUT'));
+    }, timeoutMs);
+  });
+
+  let result;
+  try {
+    result = await Promise.race([scanPromise, timeoutPromise]);
+    clearTimeout(scanTimer);
+  } catch (err) {
+    clearTimeout(scanTimer);
+    if (err.message === 'SCAN_TIMEOUT') {
+      if (!silent) {
+        console.log('');
+        console.log(chalk.yellow(`⚠ Scan timed out after ${timeoutMs / 1000}s — returning partial results`));
+      }
+      result = { findings: [], score: 0, stack: {}, fileCount: 0, partial: true };
+    } else {
+      throw err;
+    }
+  }
+
+  // Timing summary
+  const elapsed = ((performance.now() - startTime) / 1000).toFixed(1);
+  if (!silent) {
+    console.log('');
+    console.log(chalk.gray(`Scanned ${result.fileCount} files in ${elapsed}s`));
+  }
+
+  // Print profiling data if requested
+  if (options.profile && result.profileData && !silent) {
+    console.log('');
+    console.log(chalk.bold('  Performance Profile (slowest rules):'));
+    const top = result.profileData.slice(0, 15);
+    for (const entry of top) {
+      const bar = '█'.repeat(Math.min(Math.ceil(entry.ms / 2), 40));
+      console.log(chalk.gray(`    ${entry.id.padEnd(25)} ${entry.ms.toFixed(1).padStart(7)}ms  ${entry.findings} findings  ${bar}`));
+    }
+    const totalMs = result.profileData.reduce((s, e) => s + e.ms, 0);
+    console.log(chalk.gray(`    ${'TOTAL'.padEnd(25)} ${totalMs.toFixed(1).padStart(7)}ms`));
+  }
+
+  // Record metrics
+  recordScan(resolvedPath, { score: result.score, findings: result.findings, stack: result.stack });
+  sendTelemetry(resolvedPath, result, result.stack).catch(() => {});
+
+  // Step 6: Output report
+  const reportMeta = {
+    filesScanned: result.fileCount,
+    scanDurationSeconds: parseFloat(elapsed),
+    mode: shouldUseIncremental(resolvedPath, options) ? 'incremental' : 'full',
+    ...(result.partial && { partial: true }),
+  };
+
+  if (options.json) {
+    const output = generateJSON(result.findings, result.stack, result.score, reportMeta);
+    console.log(JSON.stringify(output, null, 2));
+  } else if (options.sarif) {
+    const outPath = typeof options.sarif === 'string' ? options.sarif : 'doorman.sarif.json';
+    writeSARIF(outPath, result.findings, result.stack, result.score, reportMeta);
+    console.log(`SARIF report written to ${outPath}`);
+    console.log('Upload to GitHub Code Scanning: gh api repos/{owner}/{repo}/code-scanning/sarifs -f "sarif=@' + outPath + '"');
+  } else if (options.html) {
+    const outPath = typeof options.html === 'string' ? options.html : 'doorman-report.html';
+    writeHTML(outPath, result.findings, result.stack, result.score, reportMeta);
+    console.log(`HTML report written to ${outPath}`);
+  } else if (options.ci) {
+    // CI mode: only print the one-line summary
+    printSummaryLine(result.findings, result.score, { minScore: options.minScore });
+  } else if (options.quiet) {
+    // Quiet mode: only print the one-line summary
+    printSummaryLine(result.findings, result.score, { minScore: options.minScore });
+  } else if (!silent) {
+    printReport(result.findings, result.stack, result.score, options);
+  }
+
+  // Determine exit code
+  const minScore = options.minScore ? parseInt(options.minScore, 10) : null;
+  const counts = { critical: 0, high: 0 };
+  for (const f of result.findings) {
+    if (f.severity === 'critical') counts.critical++;
+    if (f.severity === 'high') counts.high++;
+  }
+
+  let exitCode = 0;
+  if (minScore != null) {
+    if (result.score < minScore || counts.critical > 0 || counts.high > 0) {
+      exitCode = 1;
+    }
+  } else if (options.ci) {
+    // CI without explicit min-score: fail on critical/high
+    if (counts.critical > 0 || counts.high > 0) {
+      exitCode = 1;
+    }
+  }
+
+  return {
+    findings: result.findings,
+    score: result.score,
+    stack: result.stack,
+    exitCode,
+    ...(result.partial && { partial: true }),
+  };
+}