getdoorman 1.0.0

package/src/config.js

@@ -0,0 +1,466 @@
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { resolve, relative } from 'path';
+import { minimatch } from 'minimatch';
+import { getPreset } from './presets.js';
+
+// ---------------------------------------------------------------------------
+// Severity ordering (lower index = more severe)
+// ---------------------------------------------------------------------------
+
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];
+
+// ---------------------------------------------------------------------------
+// Defaults
+// ---------------------------------------------------------------------------
+
+const DEFAULT_CONFIG = {
+  rules: {},
+  categories: [],
+  severity: 'low',
+  ignore: [],
+  extends: 'recommended',
+  // Legacy fields kept for backward compat with old .doormanrc.json files
+  _legacyIgnore: [],         // old-style ignore entries [{ruleId, file}]
+  _legacySeverity: {},       // old-style severity overrides {ruleId: level}
+  thresholds: {
+    minScore: 70,
+    failOn: 'critical',
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Deep-merge source into target (one level for arrays, shallow for objects).
+ */
+function merge(target, source) {
+  const out = { ...target };
+  for (const key of Object.keys(source)) {
+    if (Array.isArray(source[key])) {
+      out[key] = [...(target[key] || []), ...source[key]];
+    } else if (source[key] && typeof source[key] === 'object' && !Array.isArray(source[key])) {
+      out[key] = { ...(target[key] || {}), ...source[key] };
+    } else {
+      out[key] = source[key];
+    }
+  }
+  return out;
+}
+
+const VALID_SEVERITIES = new Set(['critical', 'high', 'medium', 'low', 'info']);
+const VALID_RULE_LEVELS = new Set(['off', 'warn', 'error']);
+
+/**
+ * Basic structural validation — throws on bad shapes.
+ */
+function validate(raw) {
+  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
+    throw new Error('.doormanrc: config must be a JSON object');
+  }
+
+  // New-style "rules" object
+  if (raw.rules !== undefined) {
+    if (typeof raw.rules !== 'object' || Array.isArray(raw.rules)) {
+      throw new Error('.doormanrc: "rules" must be an object');
+    }
+    for (const [ruleId, level] of Object.entries(raw.rules)) {
+      if (!VALID_RULE_LEVELS.has(level)) {
+        throw new Error(`.doormanrc: invalid rule level "${level}" for "${ruleId}" — use "off", "warn", or "error"`);
+      }
+    }
+  }
+
+  // Categories
+  if (raw.categories !== undefined) {
+    if (!Array.isArray(raw.categories)) {
+      throw new Error('.doormanrc: "categories" must be an array');
+    }
+  }
+
+  // Severity threshold (string)
+  if (raw.severity !== undefined && typeof raw.severity === 'string') {
+    if (!VALID_SEVERITIES.has(raw.severity)) {
+      throw new Error(`.doormanrc: invalid severity threshold "${raw.severity}"`);
+    }
+  }
+
+  // Ignore (array of glob strings)
+  if (raw.ignore !== undefined) {
+    if (!Array.isArray(raw.ignore)) {
+      throw new Error('.doormanrc: "ignore" must be an array');
+    }
+    // Support both new-style (strings) and legacy (objects with ruleId)
+  }
+
+  // Extends
+  if (raw.extends !== undefined) {
+    if (typeof raw.extends !== 'string') {
+      throw new Error('.doormanrc: "extends" must be a string');
+    }
+    if (!getPreset(raw.extends)) {
+      throw new Error(`.doormanrc: unknown preset "${raw.extends}" — use "recommended", "strict", or "minimal"`);
+    }
+  }
+
+  // Legacy severity overrides (object form)
+  if (raw.severity !== undefined && typeof raw.severity === 'object') {
+    if (Array.isArray(raw.severity)) {
+      throw new Error('.doormanrc: "severity" must be a string or object');
+    }
+    for (const [ruleId, level] of Object.entries(raw.severity)) {
+      if (!VALID_SEVERITIES.has(level)) {
+        throw new Error(`.doormanrc: invalid severity "${level}" for rule "${ruleId}"`);
+      }
+    }
+  }
+
+  if (raw.thresholds !== undefined) {
+    if (typeof raw.thresholds !== 'object' || Array.isArray(raw.thresholds)) {
+      throw new Error('.doormanrc: "thresholds" must be an object');
+    }
+  }
+}
+
+/**
+ * Normalize raw config into the canonical shape, handling legacy formats.
+ */
+function normalize(raw) {
+  const out = {};
+
+  // "extends" — apply preset as base, then overlay user settings
+  if (raw.extends) out.extends = raw.extends;
+
+  // "rules" — per-rule level overrides
+  if (raw.rules) out.rules = { ...raw.rules };
+
+  // "categories"
+  if (raw.categories) out.categories = [...raw.categories];
+
+  // "severity" — can be a string (threshold) or object (legacy per-rule overrides)
+  if (typeof raw.severity === 'string') {
+    out.severity = raw.severity;
+  } else if (typeof raw.severity === 'object' && raw.severity !== null) {
+    // Legacy format: severity overrides per rule
+    out._legacySeverity = { ...raw.severity };
+  }
+
+  // "ignore" — can be array of strings (new) or array of objects (legacy)
+  if (Array.isArray(raw.ignore)) {
+    const stringIgnores = [];
+    const legacyIgnores = [];
+    for (const entry of raw.ignore) {
+      if (typeof entry === 'string') {
+        stringIgnores.push(entry);
+      } else if (entry && typeof entry === 'object' && entry.ruleId) {
+        legacyIgnores.push(entry);
+      }
+    }
+    if (stringIgnores.length > 0) out.ignore = stringIgnores;
+    if (legacyIgnores.length > 0) out._legacyIgnore = legacyIgnores;
+  }
+
+  // "thresholds"
+  if (raw.thresholds) out.thresholds = { ...raw.thresholds };
+
+  return out;
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Load configuration.
+ *
+ * Searches (in order) unless `configPath` is specified:
+ *   1. .doormanrc          (JSON)
+ *   2. .doormanrc.json     (JSON)
+ *   3. doorman.config.js   (ESM default export)
+ *   4. package.json           ("doorman" key)
+ *
+ * Returns the merged config (preset + user overrides) and the path it was loaded from.
+ */
+export async function loadConfig(targetPath, configPath) {
+  const dir = resolve(targetPath);
+
+  let raw = null;
+  let loadedFrom = null;
+
+  if (configPath) {
+    // Explicit --config flag
+    const absPath = resolve(configPath);
+    if (!existsSync(absPath)) {
+      throw new Error(`Config file not found: ${absPath}`);
+    }
+    if (absPath.endsWith('.js')) {
+      const mod = await import(`file://${absPath}`);
+      raw = mod.default ?? mod;
+    } else {
+      const text = readFileSync(absPath, 'utf-8');
+      try {
+        raw = JSON.parse(text);
+      } catch {
+        throw new Error(`Failed to parse ${absPath} as JSON`);
+      }
+    }
+    loadedFrom = absPath;
+  } else {
+    const candidates = [
+      { path: resolve(dir, '.doormanrc'), type: 'json' },
+      { path: resolve(dir, '.doormanrc.json'), type: 'json' },
+      { path: resolve(dir, 'doorman.config.js'), type: 'esm' },
+      { path: resolve(dir, 'package.json'), type: 'pkg' },
+    ];
+
+    for (const candidate of candidates) {
+      if (!existsSync(candidate.path)) continue;
+
+      if (candidate.type === 'json') {
+        const text = readFileSync(candidate.path, 'utf-8');
+        try {
+          raw = JSON.parse(text);
+        } catch {
+          throw new Error(`Failed to parse ${candidate.path} as JSON`);
+        }
+        loadedFrom = candidate.path;
+        break;
+      } else if (candidate.type === 'esm') {
+        const mod = await import(`file://${candidate.path}`);
+        raw = mod.default ?? mod;
+        loadedFrom = candidate.path;
+        break;
+      } else if (candidate.type === 'pkg') {
+        const text = readFileSync(candidate.path, 'utf-8');
+        try {
+          const pkg = JSON.parse(text);
+          if (pkg.doorman && typeof pkg.doorman === 'object') {
+            raw = pkg.doorman;
+            loadedFrom = candidate.path;
+          }
+        } catch {
+          // Ignore unparseable package.json
+        }
+        if (raw) break;
+      }
+    }
+  }
+
+  // No config found — return defaults with recommended preset applied
+  if (!raw) {
+    const preset = getPreset('recommended');
+    const config = merge({ ...DEFAULT_CONFIG }, preset);
+    config._loadedFrom = null;
+    return config;
+  }
+
+  validate(raw);
+
+  // Normalize into canonical shape
+  const normalized = normalize(raw);
+
+  // Resolve preset base
+  const presetName = normalized.extends || 'recommended';
+  const preset = getPreset(presetName) || {};
+
+  // Merge: defaults ← preset ← user config
+  const config = merge(merge({ ...DEFAULT_CONFIG }, preset), normalized);
+  config._loadedFrom = loadedFrom;
+
+  return config;
+}
+
+/**
+ * Check whether a ruleId matches a pattern (supports trailing wildcards).
+ * E.g. "PERF-*" matches "PERF-001", "PERF-MEM-002", etc.
+ */
+export function ruleMatchesPattern(ruleId, pattern) {
+  if (pattern === ruleId) return true;
+  if (pattern.endsWith('*')) {
+    const prefix = pattern.slice(0, -1);
+    return ruleId.startsWith(prefix);
+  }
+  return false;
+}
+
+/**
+ * Get the effective rule level for a given ruleId based on the rules config.
+ * Returns "off", "warn", or "error".
+ */
+export function getRuleLevel(ruleId, rulesConfig) {
+  if (!rulesConfig || Object.keys(rulesConfig).length === 0) return 'error';
+
+  // Exact match takes priority
+  if (rulesConfig[ruleId] !== undefined) return rulesConfig[ruleId];
+
+  // Wildcard patterns
+  for (const [pattern, level] of Object.entries(rulesConfig)) {
+    if (pattern.includes('*') && ruleMatchesPattern(ruleId, pattern)) {
+      return level;
+    }
+  }
+
+  return 'error';
+}
+
+/**
+ * Check whether a finding passes the severity threshold.
+ */
+export function passesSeverityThreshold(findingSeverity, threshold) {
+  if (!threshold || threshold === 'info') return true;
+  const findingIdx = SEVERITY_ORDER.indexOf(findingSeverity);
+  const thresholdIdx = SEVERITY_ORDER.indexOf(threshold);
+  if (findingIdx === -1 || thresholdIdx === -1) return true;
+  return findingIdx <= thresholdIdx;
+}
+
+/**
+ * Check whether a finding's category is in the allowed categories list.
+ */
+export function passesCategory(findingCategory, categories) {
+  if (!categories || categories.length === 0) return true;
+  return categories.includes(findingCategory);
+}
+
+/**
+ * Check whether a single finding should be ignored based on the config's
+ * legacy ignore list. Supports optional glob patterns in the `file` field
+ * of an ignore rule.
+ */
+export function shouldIgnore(finding, config) {
+  const ignoreList = config._legacyIgnore || [];
+  if (ignoreList.length === 0) return false;
+
+  for (const rule of ignoreList) {
+    if (rule.ruleId !== finding.ruleId) continue;
+
+    // If the ignore rule is scoped to a file pattern, check it
+    if (rule.file) {
+      const findingFile = finding.file || '';
+      if (
+        minimatch(findingFile, rule.file, { dot: true }) ||
+        findingFile === rule.file
+      ) {
+        return true;
+      }
+      continue;
+    }
+
+    // No file scope — blanket ignore for this ruleId
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Apply the full config to a findings array:
+ *   1. Filter out ignored findings (legacy ignore list)
+ *   2. Filter by rule levels (off/warn)
+ *   3. Filter by category
+ *   4. Filter by severity threshold
+ *   5. Override severities where configured (legacy)
+ *   6. Downgrade findings where rule level is "warn"
+ *
+ * Returns a new array (does not mutate the input).
+ */
+export function applyConfig(findings, config) {
+  let filtered = findings;
+
+  // 1. Legacy ignore entries
+  filtered = filtered.filter((f) => !shouldIgnore(f, config));
+
+  // 2. Rule level: "off" = drop entirely, "warn" = downgrade later
+  if (config.rules && Object.keys(config.rules).length > 0) {
+    filtered = filtered.filter((f) => {
+      const level = getRuleLevel(f.ruleId, config.rules);
+      return level !== 'off';
+    });
+  }
+
+  // 3. Category filter
+  if (config.categories && config.categories.length > 0) {
+    filtered = filtered.filter((f) => passesCategory(f.category, config.categories));
+  }
+
+  // 4. Severity threshold
+  if (config.severity && config.severity !== 'info') {
+    filtered = filtered.filter((f) => passesSeverityThreshold(f.severity, config.severity));
+  }
+
+  // 5. Legacy severity overrides
+  const legacySev = config._legacySeverity || {};
+  if (Object.keys(legacySev).length > 0) {
+    filtered = filtered.map((f) => {
+      const override = legacySev[f.ruleId];
+      if (override) {
+        return { ...f, severity: override };
+      }
+      return f;
+    });
+  }
+
+  // 6. Rule-level "warn" → downgrade severity to "info"
+  if (config.rules && Object.keys(config.rules).length > 0) {
+    filtered = filtered.map((f) => {
+      const level = getRuleLevel(f.ruleId, config.rules);
+      if (level === 'warn') {
+        return { ...f, severity: 'info', _downgraded: true };
+      }
+      return f;
+    });
+  }
+
+  return filtered;
+}
+
+/**
+ * Get the additional file ignore patterns from the RC config.
+ * These are glob patterns to be appended to the scanner's ignore list.
+ */
+export function getFileIgnorePatterns(config) {
+  return config.ignore || [];
+}
+
+/**
+ * Add (or append) an ignore entry and persist to `.doormanrc.json`.
+ *
+ * Creates the file if it does not exist.
+ */
+export function addIgnore(targetPath, ruleId, file, reason) {
+  const dir = resolve(targetPath);
+  const configPath = resolve(dir, '.doormanrc.json');
+
+  let config = { ignore: [] };
+  if (existsSync(configPath)) {
+    const text = readFileSync(configPath, 'utf-8');
+    try {
+      config = JSON.parse(text);
+    } catch {
+      throw new Error(`Failed to parse ${configPath} as JSON`);
+    }
+  }
+
+  if (!Array.isArray(config.ignore)) {
+    config.ignore = [];
+  }
+
+  const entry = { ruleId };
+  if (file) entry.file = file;
+  if (reason) entry.reason = reason;
+
+  // Avoid exact duplicates
+  const isDuplicate = config.ignore.some(
+    (e) => e.ruleId === ruleId && (e.file || null) === (file || null),
+  );
+
+  if (!isDuplicate) {
+    config.ignore.push(entry);
+    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+  }
+
+  return config;
+}
+
+export { SEVERITY_ORDER };

package/src/custom-rules.js

@@ -0,0 +1,32 @@
+// Custom rule loader: loads .doorman/rules/*.js files
+import { existsSync, readdirSync, readFileSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Load custom rules from .doorman/rules/ directory.
+ * Each file should export default an array of rule objects.
+ */
+export async function loadCustomRules(targetPath) {
+  const rulesDir = join(targetPath, '.doorman', 'rules');
+  if (!existsSync(rulesDir)) return [];
+
+  const files = readdirSync(rulesDir).filter(f => f.endsWith('.js'));
+  const rules = [];
+
+  for (const file of files) {
+    try {
+      const mod = await import(join(rulesDir, file));
+      const loaded = mod.default || mod.rules || [];
+      const arr = Array.isArray(loaded) ? loaded : [loaded];
+      for (const rule of arr) {
+        if (rule.id && typeof rule.check === 'function') {
+          rule._custom = true;
+          rules.push(rule);
+        }
+      }
+    } catch (err) {
+      console.warn(`[custom-rules] Failed to load ${file}: ${err.message}`);
+    }
+  }
+  return rules;
+}

package/src/dashboard.js

@@ -0,0 +1,202 @@
+import { writeFileSync, existsSync } from 'fs';
+import { join, resolve, basename } from 'path';
+import { execSync } from 'child_process';
+import { loadMetrics } from './metrics.js';
+import { getScanUsage } from './auth.js';
+
+/**
+ * Generate a standalone HTML dashboard from local .doorman/metrics.json
+ * and open it in the browser.
+ */
+export function openDashboard(targetPath) {
+  const resolvedPath = resolve(targetPath);
+  const projectName = basename(resolvedPath);
+  const metrics = loadMetrics(resolvedPath);
+
+  if (!metrics.scans || metrics.scans.length === 0) {
+    return { error: 'No scans yet. Run `npx getdoorman check` first.' };
+  }
+
+  const html = generateDashboardHTML(projectName, metrics);
+  const outPath = join(resolvedPath, '.doorman', 'dashboard.html');
+  writeFileSync(outPath, html);
+
+  // Try to open in browser
+  try {
+    const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+    execSync(`${cmd} ${outPath}`, { stdio: 'ignore' });
+  } catch { /* ignore */ }
+
+  return { path: outPath };
+}
+
+function generateDashboardHTML(projectName, metrics) {
+  const scans = metrics.scans;
+  const scores = metrics.scores || [];
+  const fixes = metrics.fixes || [];
+  const latest = scans[scans.length - 1];
+  const previous = scans.length > 1 ? scans[scans.length - 2] : null;
+  const scoreDelta = previous ? latest.score - previous.score : 0;
+
+  const totalFixes = fixes.reduce((sum, f) => sum + f.applied, 0);
+
+  // Plan info
+  const usage = getScanUsage();
+  const planLabel = usage.plan || 'Free';
+  const scansUsed = usage.scansUsed || 0;
+  const maxScans = usage.maxScans === Infinity ? '∞' : usage.maxScans;
+
+  const scoreColor = latest.score >= 70 ? '#10b981' : latest.score >= 40 ? '#f59e0b' : '#ef4444';
+  const statusText = latest.score >= 70 ? 'Safe to Launch' : latest.score >= 40 ? 'Needs Work' : 'Not Safe';
+
+  const scoresJSON = JSON.stringify(scores.map(s => ({ t: s.timestamp, s: s.score })));
+  const sevData = latest.bySeverity || { critical: 0, high: 0, medium: 0, low: 0 };
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>${esc(projectName)} — Doorman Dashboard</title>
+<style>
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+:root{--bg:#0b0e14;--surface:#12161f;--surface2:#1a1f2e;--border:#252b3b;--text:#e2e8f0;--text-dim:#8892a8;--text-faint:#5a6478;--green:#10b981;--red:#ef4444;--yellow:#f59e0b;--critical:#ff2d55;--high:#ff6b35;--medium:#ffb800;--low:#3b82f6;--radius:12px;--font:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif}
+body{font-family:var(--font);background:var(--bg);color:var(--text);min-height:100vh;line-height:1.5}
+.container{max-width:1000px;margin:0 auto;padding:32px 24px}
+header{text-align:center;margin-bottom:40px}
+.logo{font-size:14px;font-weight:700;color:var(--text-dim);letter-spacing:2px;text-transform:uppercase}
+.logo span{color:var(--green)}
+.project{font-size:24px;font-weight:800;margin-top:8px}
+.grid{display:grid;gap:20px;margin-bottom:20px}
+.grid-3{grid-template-columns:1fr 1fr 1fr}
+.grid-2{grid-template-columns:1fr 1fr}
+.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);padding:28px}
+.card h2{font-size:12px;text-transform:uppercase;letter-spacing:1.5px;color:var(--text-dim);margin-bottom:16px;font-weight:600}
+.score-card{text-align:center}
+.score-num{font-size:72px;font-weight:800;color:${scoreColor};line-height:1;letter-spacing:-3px}
+.score-num span{font-size:24px;color:var(--text-faint);font-weight:400}
+.score-status{font-size:14px;font-weight:700;color:${scoreColor};margin-top:6px;text-transform:uppercase;letter-spacing:1px}
+.score-delta{display:inline-block;padding:4px 12px;border-radius:16px;font-size:13px;font-weight:600;margin-top:12px}
+.delta-up{background:rgba(16,185,129,0.15);color:var(--green)}
+.delta-down{background:rgba(239,68,68,0.15);color:var(--red)}
+.delta-flat{background:var(--surface2);color:var(--text-dim)}
+.stat{text-align:center}
+.stat-val{font-size:32px;font-weight:800;color:var(--text)}
+.stat-label{font-size:11px;text-transform:uppercase;letter-spacing:1px;color:var(--text-dim);margin-top:4px}
+.sev-row{display:flex;align-items:center;gap:12px;margin-bottom:12px}
+.sev-label{width:65px;font-size:11px;font-weight:700;text-transform:uppercase;letter-spacing:0.5px}
+.sev-bar-bg{flex:1;background:var(--surface2);border-radius:6px;height:24px;overflow:hidden}
+.sev-bar{height:100%;border-radius:6px;transition:width 0.6s ease}
+.sev-count{font-size:13px;font-weight:600;width:30px;text-align:right}
+.chart-area{width:100%;height:200px}
+.chart-area svg{width:100%;height:100%}
+.scan-row{display:flex;justify-content:space-between;padding:10px 0;border-bottom:1px solid var(--border);font-size:13px}
+.scan-score{font-weight:700}
+footer{text-align:center;padding:40px 0 20px;color:var(--text-faint);font-size:12px}
+@media(max-width:768px){.grid-3,.grid-2{grid-template-columns:1fr}}
+</style>
+</head>
+<body>
+<div class="container">
+  <header>
+    <div class="logo">Door<span>man</span> Dashboard</div>
+    <div class="project">${esc(projectName)}</div>
+    <div style="margin-top:8px;font-size:13px;color:#5a6478">${esc(planLabel)} plan &mdash; ${scansUsed}/${maxScans} scans this month</div>
+  </header>
+
+  <div class="grid grid-3">
+    <div class="card score-card">
+      <h2>Safety Score</h2>
+      <div class="score-num">${latest.score}<span>/100</span></div>
+      <div class="score-status">${statusText}</div>
+      ${scoreDelta !== 0 ? `<div class="score-delta ${scoreDelta > 0 ? 'delta-up' : 'delta-down'}">${scoreDelta > 0 ? '▲' : '▼'} ${Math.abs(scoreDelta)} points since last scan</div>` : '<div class="score-delta delta-flat">— First scan or no change</div>'}
+    </div>
+    <div class="card stat">
+      <h2>Scans</h2>
+      <div class="stat-val">${scans.length}</div>
+      <div class="stat-label">Total scans</div>
+      <div style="margin-top:16px">
+        <div class="stat-val">${totalFixes}</div>
+        <div class="stat-label">Issues fixed</div>
+      </div>
+    </div>
+    <div class="card stat">
+      <h2>Latest Scan</h2>
+      <div class="stat-val">${latest.totalFindings}</div>
+      <div class="stat-label">Issues found</div>
+      <div style="margin-top:16px">
+        <div class="stat-val">${latest.fixable}</div>
+        <div class="stat-label">Auto-fixable</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="grid grid-2">
+    <div class="card">
+      <h2>Score History</h2>
+      <div class="chart-area" id="chart"></div>
+    </div>
+    <div class="card">
+      <h2>Issues by Severity</h2>
+      ${sevBar('critical', sevData.critical, '#ff2d55')}
+      ${sevBar('high', sevData.high, '#ff6b35')}
+      ${sevBar('medium', sevData.medium, '#ffb800')}
+      ${sevBar('low', sevData.low, '#3b82f6')}
+    </div>
+  </div>
+
+  <div class="card">
+    <h2>Recent Scans</h2>
+    ${scans.slice(-10).reverse().map(s => `
+      <div class="scan-row">
+        <span style="color:var(--text-dim)">${new Date(s.timestamp).toLocaleDateString('en-US', { month: 'short', day: 'numeric', hour: '2-digit', minute: '2-digit' })}</span>
+        <span>${s.stack}</span>
+        <span>${s.totalFindings} issues</span>
+        <span class="scan-score" style="color:${s.score >= 70 ? '#10b981' : s.score >= 40 ? '#f59e0b' : '#ef4444'}">${s.score}/100</span>
+      </div>
+    `).join('')}
+  </div>
+
+  <footer>Doorman — Ship with confidence</footer>
+</div>
+
+<script>
+var scores = ${scoresJSON};
+if (scores.length > 1) {
+  var el = document.getElementById('chart');
+  var W=600,H=180,P=40,PR=16,PT=10,PB=30;
+  var cW=W-P-PR, cH=H-PT-PB;
+  var vals=scores.map(function(s){return s.s});
+  var mn=Math.max(0,Math.min.apply(null,vals)-10);
+  var mx=Math.min(100,Math.max.apply(null,vals)+10);
+  var rng=mx-mn||1;
+  function x(i){return P+(i/(scores.length-1))*cW}
+  function y(v){return PT+cH-((v-mn)/rng)*cH}
+  var pts=scores.map(function(s,i){return x(i).toFixed(1)+','+y(s.s).toFixed(1)});
+  var line='M'+pts.join('L');
+  var area=line+'L'+x(scores.length-1).toFixed(1)+','+(PT+cH)+'L'+x(0).toFixed(1)+','+(PT+cH)+'Z';
+  var last=vals[vals.length-1];
+  var col=last>=70?'var(--green)':last>=40?'var(--yellow)':'var(--red)';
+  var dots=scores.map(function(s,i){return '<circle cx="'+x(i).toFixed(1)+'" cy="'+y(s.s).toFixed(1)+'" r="4" fill="'+col+'" stroke="var(--surface)" stroke-width="2"/>'}).join('');
+  el.innerHTML='<svg viewBox="0 0 '+W+' '+H+'"><defs><linearGradient id="g" x1="0" y1="0" x2="0" y2="1"><stop offset="0%" stop-color="'+col+'" stop-opacity="0.2"/><stop offset="100%" stop-color="'+col+'" stop-opacity="0.02"/></linearGradient></defs><path d="'+area+'" fill="url(#g)"/><path d="'+line+'" fill="none" stroke="'+col+'" stroke-width="2.5" stroke-linecap="round"/>'+ dots+'</svg>';
+} else {
+  document.getElementById('chart').innerHTML='<div style="display:flex;align-items:center;justify-content:center;height:100%;color:var(--text-faint)">Run more scans to see the chart</div>';
+}
+</script>
+</body>
+</html>`;
+}
+
+function sevBar(label, count, color) {
+  const max = 50;
+  const pct = Math.max(count > 0 ? 4 : 0, Math.min(100, (count / max) * 100));
+  return `<div class="sev-row">
+    <div class="sev-label" style="color:${color}">${label}</div>
+    <div class="sev-bar-bg"><div class="sev-bar" style="width:${pct}%;background:${color}"></div></div>
+    <div class="sev-count">${count}</div>
+  </div>`;
+}
+
+function esc(s) {
+  return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
+}