guardlink 1.3.0 → 1.4.1

package/dist/tui/commands.js

@@ -21,7 +21,7 @@
  * @handles secrets on #tui -- "Processes and stores API keys via /model"
  */
 import { resolve, basename } from 'node:path';
-import { existsSync, writeFileSync, mkdirSync } from 'node:fs';
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'node:fs';
 import { parseProject, findDanglingRefs, findUnmitigatedExposures, findAcceptedWithoutAudit, findAcceptedExposures, clearAnnotations } from '../parser/index.js';
 import { initProject, detectProject, promptAgentSelection, syncAgentFiles } from '../init/index.js';
 import { generateReport } from '../report/index.js';
@@ -35,6 +35,7 @@ import { resolveLLMConfig, saveTuiConfig, loadTuiConfig } from './config.js';
 import { AGENTS, parseAgentFlag, launchAgent, launchAgentInline, copyToClipboard, buildAnnotatePrompt } from '../agents/index.js';
 import { describeConfigSource } from '../agents/config.js';
 import { getReviewableExposures, applyReviewAction, summarizeReview } from '../review/index.js';
+import { loadWorkspaceConfig, linkProject, addToWorkspace, removeFromWorkspace, mergeReports, formatMergeSummary, diffMergedReports } from '../workspace/index.js';
 // ─── Shared context ──────────────────────────────────────────────────
 /** Prompt user to pick an agent interactively (TUI only) */
 async function pickAgent(ctx) {
@@ -86,6 +87,7 @@ export function cmdHelp() {
         ['/assets', 'Asset tree with threat/control counts'],
         ['/files', 'Annotated file tree with exposure counts'],
         ['/view <file>', 'Show all annotations in a file with code context'],
+        ['/unannotated', 'List source files with no annotations'],
         ['', ''],
         ['/threat-report <fw>', 'AI threat report (stride|dread|pasta|attacker|rapid|general|custom)'],
         ['/threat-reports', 'List saved AI threat reports'],
@@ -101,6 +103,10 @@ export function cmdHelp() {
         ['/diff [ref]', 'Compare model against a git ref (default: HEAD~1)'],
         ['/sarif [-o file]', 'Export SARIF 2.1.0 for GitHub / VS Code'],
         ['', ''],
+        ['/workspace', 'Show workspace config and linked repos'],
+        ['/link <repos...>', 'Link repos into a workspace (--add / --remove)'],
+        ['/merge <files...>', 'Merge report JSONs into unified dashboard'],
+        ['', ''],
         ['/gal', 'GAL annotation language guide'],
         ['/help', 'This help'],
         ['/quit', 'Exit'],
@@ -131,112 +137,130 @@ export function cmdGal() {
     console.log(D('  Annotations live in source code comments. GuardLink parses'));
     console.log(D('  them to build a live threat model from your codebase.'));
     console.log('');
-    console.log(D('  Syntax:  @verb  subject  [preposition  object]  [: description]'));
+    console.log(D('  Syntax:  @verb  subject  [preposition  object]  [-- "description"]'));
     console.log('');
     // ── DEFINITIONS ──────────────────────────────────────────────────
     console.log(H('  ── Definitions ─────────────────────────────────────────────'));
     console.log('');
-    console.log(`  ${V('@asset')}  ${K('<path>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@asset')}  ${K('<path>')}  ${D('[-- "description"]')}`);
     console.log(D('    Declare a named asset (component, service, data store).'));
     console.log(D('    Path uses dot notation for hierarchy.'));
-    console.log(EX('    // @asset  api.auth.token_store  : Stores JWT refresh tokens'));
+    console.log(EX('    // @asset  api.auth.token_store  -- "Stores JWT refresh tokens"'));
     console.log(EX('    // @asset  db.users'));
     console.log('');
-    console.log(`  ${V('@threat')}  ${K('<name>')}  ${D('[severity: critical|high|medium|low]  [: description]')}`);
-    console.log(D('    Declare a named threat. Severity aliases: P0=critical P1=high P2=medium P3=low.'));
-    console.log(EX('    // @threat  SQL Injection  severity:high  : Unsanitized input reaches DB'));
-    console.log(EX('    // @threat  Token Theft  severity:P0'));
+    console.log(`  ${V('@threat')}  ${K('<name>')}  ${D('(#id)')}  ${D('[critical|high|medium|low]')}  ${D('[ext-refs]')}  ${D('[-- "description"]')}`);
+    console.log(D('    Declare a named threat. Severity in brackets: [P0]=[critical] [P1]=[high] [P2]=[medium] [P3]=[low].'));
+    console.log(EX('    // @threat  SQL Injection  (#sql-inj)  [high]  cwe:CWE-89  -- "Unsanitized input reaches DB"'));
+    console.log(EX('    // @threat  Token Theft  [P0]'));
     console.log('');
-    console.log(`  ${V('@control')}  ${K('<name>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@control')}  ${K('<name>')}  ${D('(#id)')}  ${D('[-- "description"]')}`);
     console.log(D('    Declare a security control (mitigation mechanism).'));
-    console.log(EX('    // @control  Input Validation  : Sanitize all user-supplied strings'));
+    console.log(EX('    // @control  Input Validation  (#input-val)  -- "Sanitize all user-supplied strings"'));
     console.log(EX('    // @control  Rate Limiting'));
     console.log('');
     // ── RELATIONSHIPS ─────────────────────────────────────────────────
     console.log(H('  ── Relationships ───────────────────────────────────────────'));
     console.log('');
-    console.log(`  ${V('@exposes')}  ${K('<asset>')}  ${D('to')}  ${K('<threat>')}  ${D('[severity: ...]  [: description]')}`);
+    console.log(`  ${V('@exposes')}  ${K('<asset>')}  ${D('to')}  ${K('<threat>')}  ${D('[severity]')}  ${D('[ext-refs]')}  ${D('[-- "description"]')}`);
     console.log(D('    Mark an asset as exposed to a threat at this code location.'));
     console.log(D('    This is the primary annotation — every exposure creates a finding.'));
-    console.log(EX('    // @exposes  api.auth  to  SQL Injection  severity:high'));
-    console.log(EX('    // @exposes  db.users  to  Token Theft  severity:critical  : No token rotation'));
+    console.log(EX('    // @exposes  api.auth  to  SQL Injection  [high]  cwe:CWE-89'));
+    console.log(EX('    // @exposes  db.users  to  Token Theft  [critical]  -- "No token rotation"'));
     console.log('');
-    console.log(`  ${V('@mitigates')}  ${K('<asset>')}  ${D('against')}  ${K('<threat>')}  ${D('[with')}  ${K('<control>')}${D(']  [: description]')}`);
+    console.log(`  ${V('@mitigates')}  ${K('<asset>')}  ${D('against')}  ${K('<threat>')}  ${D('[using')}  ${K('<control>')}${D(']')}  ${D('[-- "description"]')}`);
     console.log(D('    Mark that a control mitigates a threat on an asset.'));
     console.log(D('    Closes the exposure — removes it from open findings.'));
-    console.log(EX('    // @mitigates  api.auth  against  SQL Injection  with  Input Validation'));
-    console.log(EX('    // @mitigates  db.users  against  Token Theft  : Rotation implemented in v2'));
+    console.log(D('    "using" is the primary keyword; "with" also accepted.'));
+    console.log(EX('    // @mitigates  api.auth  against  SQL Injection  using  Input Validation'));
+    console.log(EX('    // @mitigates  db.users  against  Token Theft  -- "Rotation implemented in v2"'));
     console.log('');
-    console.log(`  ${V('@accepts')}  ${K('<threat>')}  ${D('on')}  ${K('<asset>')}  ${D('[: reason]')}`);
+    console.log(`  ${V('@accepts')}  ${K('<threat>')}  ${D('on')}  ${K('<asset>')}  ${D('[-- "reason"]')}`);
     console.log(D('    Explicitly accept a risk. Removes it from open findings.'));
     console.log(D('    Use when the risk is known and intentionally not mitigated.'));
-    console.log(EX('    // @accepts  Timing Attack  on  api.auth  : Acceptable for current threat model'));
+    console.log(EX('    // @accepts  Timing Attack  on  api.auth  -- "Acceptable for current threat model"'));
     console.log('');
-    console.log(`  ${V('@transfers')}  ${K('<threat>')}  ${D('from')}  ${K('<source>')}  ${D('to')}  ${K('<target>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@transfers')}  ${K('<threat>')}  ${D('from')}  ${K('<source>')}  ${D('to')}  ${K('<target>')}  ${D('[-- "description"]')}`);
     console.log(D('    Transfer responsibility for a threat to another asset/team.'));
-    console.log(EX('    // @transfers  DDoS  from  api.gateway  to  cdn.cloudflare  : Handled by CDN layer'));
+    console.log(EX('    // @transfers  DDoS  from  api.gateway  to  cdn.cloudflare  -- "Handled by CDN layer"'));
     console.log('');
     // ── DATA FLOWS ────────────────────────────────────────────────────
     console.log(H('  ── Data Flows & Boundaries ─────────────────────────────────'));
     console.log('');
-    console.log(`  ${V('@flows')}  ${K('<source>')}  ${D('to')}  ${K('<target>')}  ${D('[via')}  ${K('<mechanism>')}${D(']  [: description]')}`);
+    console.log(`  ${V('@flows')}  ${K('<source>')}  ${D('->')}  ${K('<target>')}  ${D('[via')}  ${K('<mechanism>')}${D(']')}  ${D('[-- "description"]')}`);
     console.log(D('    Document data movement between components.'));
     console.log(D('    Appears in the Data Flow Diagram.'));
-    console.log(EX('    // @flows  api.auth  to  db.users  via  TLS 1.3'));
-    console.log(EX('    // @flows  mobile.app  to  api.gateway  via  HTTPS  : User credentials'));
+    console.log(EX('    // @flows  api.auth  ->  db.users  via  TLS 1.3'));
+    console.log(EX('    // @flows  mobile.app  ->  api.gateway  via  HTTPS  -- "User credentials"'));
     console.log('');
-    console.log(`  ${V('@boundary')}  ${K('<asset_a>')}  ${D('and')}  ${K('<asset_b>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@boundary')}  ${K('<asset_a>')}  ${D('and')}  ${K('<asset_b>')}  ${D('(#id)')}  ${D('[-- "description"]')}`);
     console.log(D('    Declare a trust boundary between two assets.'));
     console.log(D('    Groups assets in the Data Flow Diagram.'));
-    console.log(EX('    // @boundary  internet  and  api.gateway  : Public-facing edge'));
-    console.log(EX('    // @boundary  api.gateway  and  db.users  : Internal network boundary'));
+    console.log(D('    Alternate: @boundary between A and B  or  @boundary A | B'));
+    console.log(EX('    // @boundary  internet  and  api.gateway  (#edge)  -- "Public-facing edge"'));
+    console.log(EX('    // @boundary  api.gateway | db.users  -- "Internal network boundary"'));
     console.log('');
     // ── LIFECYCLE ─────────────────────────────────────────────────────
     console.log(H('  ── Lifecycle & Governance ──────────────────────────────────'));
     console.log('');
-    console.log(`  ${V('@handles')}  ${K('<classification>')}  ${D('on')}  ${K('<asset>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@handles')}  ${K('<classification>')}  ${D('on')}  ${K('<asset>')}  ${D('[-- "description"]')}`);
     console.log(D('    Declare data classification handled by an asset.'));
     console.log(D('    Classifications: pii  phi  financial  secrets  internal  public'));
-    console.log(EX('    // @handles  pii  on  db.users  : Stores name, email, phone'));
+    console.log(EX('    // @handles  pii  on  db.users  -- "Stores name, email, phone"'));
     console.log(EX('    // @handles  secrets  on  api.auth.token_store'));
     console.log('');
-    console.log(`  ${V('@owns')}  ${K('<owner>')}  ${K('<asset>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@owns')}  ${K('<owner>')}  ${D('for')}  ${K('<asset>')}  ${D('[-- "description"]')}`);
     console.log(D('    Assign ownership of an asset to a team or person.'));
-    console.log(EX('    // @owns  platform-team  api.auth'));
+    console.log(EX('    // @owns  platform-team  for  api.auth'));
     console.log('');
-    console.log(`  ${V('@validates')}  ${K('<control>')}  ${D('on')}  ${K('<asset>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@validates')}  ${K('<control>')}  ${D('for')}  ${K('<asset>')}  ${D('[-- "description"]')}`);
     console.log(D('    Assert that a control has been validated/tested on an asset.'));
-    console.log(EX('    // @validates  Input Validation  on  api.auth  : Pen-tested 2024-Q3'));
+    console.log(EX('    // @validates  Input Validation  for  api.auth  -- "Pen-tested 2024-Q3"'));
     console.log('');
-    console.log(`  ${V('@audit')}  ${K('<asset>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@audit')}  ${K('<asset>')}  ${D('[-- "description"]')}`);
     console.log(D('    Mark that this code path is an audit trail point.'));
-    console.log(EX('    // @audit  db.users  : All writes logged to audit_log table'));
+    console.log(EX('    // @audit  db.users  -- "All writes logged to audit_log table"'));
     console.log('');
-    console.log(`  ${V('@assumes')}  ${K('<asset>')}  ${D('[: description]')}`);
+    console.log(`  ${V('@assumes')}  ${K('<asset>')}  ${D('[-- "description"]')}`);
     console.log(D('    Document a security assumption about an asset.'));
-    console.log(EX('    // @assumes  api.gateway  : Upstream WAF filters malformed requests'));
+    console.log(EX('    // @assumes  api.gateway  -- "Upstream WAF filters malformed requests"'));
     console.log('');
-    console.log(`  ${V('@comment')}  ${D('[: description]')}`);
+    console.log(`  ${V('@comment')}  ${D('[-- "description"]')}`);
     console.log(D('    Free-form developer security note (no structural effect).'));
-    console.log(EX('    // @comment  : TODO — add rate limiting before v2 launch'));
+    console.log(EX('    // @comment  -- "TODO — add rate limiting before v2 launch"'));
     console.log('');
     // ── SHIELD BLOCKS ─────────────────────────────────────────────────
     console.log(H('  ── Shield Blocks ───────────────────────────────────────────'));
     console.log('');
+    console.log(`  ${V('@shield')}  ${D('[-- "reason"]')}`);
+    console.log(D('    Single-line marker for a security-sensitive code point.'));
+    console.log(EX('    // @shield  -- "Crypto key derivation — do not refactor without review"'));
+    console.log('');
     console.log(`  ${V('@shield:begin')}  ${D('/')}  ${V('@shield:end')}`);
     console.log(D('    Wrap a code block to mark it as security-sensitive.'));
     console.log(D('    GuardLink will flag unannotated symbols inside the block.'));
-    console.log(EX('    // @shield:begin'));
+    console.log(EX('    // @shield:begin  -- "Auth verification block"'));
     console.log(EX('    function verifyToken(token: string) { ... }'));
     console.log(EX('    // @shield:end'));
     console.log('');
+    // ── EXTERNAL REFERENCES ─────────────────────────────────────────
+    console.log(H('  ── External References ─────────────────────────────────────'));
+    console.log('');
+    console.log(D('  Append space-separated refs after severity on @threat and @exposes:'));
+    console.log(EX('    cwe:CWE-89  owasp:A03:2021  capec:CAPEC-66  attack:T1190'));
+    console.log('');
+    console.log(D('  Example:'));
+    console.log(EX('    // @exposes  api.auth  to  SQL Injection  [high]  cwe:CWE-89  owasp:A03:2021'));
+    console.log('');
     // ── TIPS ──────────────────────────────────────────────────────────
     console.log(H('  ── Tips ────────────────────────────────────────────────────'));
     console.log('');
+    console.log(D('  • Descriptions use -- "quoted text" format (not : colon)'));
+    console.log(D('  • Severity uses brackets: [critical] [high] [medium] [low] or [P0]-[P3]'));
     console.log(D('  • Annotations work in any comment style: // /* # -- <!-- -->'));
     console.log(D('  • Place annotations on the line ABOVE the code they describe'));
     console.log(D('  • Asset names are case-insensitive and normalized (spaces→underscores)'));
     console.log(D('  • Threat/control names can reference IDs with #id syntax'));
+    console.log(D('  • @flows uses -> arrow syntax (not "to")'));
     console.log(D('  • Run /parse after adding annotations to update the threat model'));
     console.log(D('  • Run /validate to check for syntax errors and dangling references'));
     console.log(D('  • Run /annotate to have an AI agent add annotations automatically'));
@@ -1595,4 +1619,238 @@ export async function cmdDashboard(ctx) {
     }
     console.log('');
 }
+// ─── /workspace ──────────────────────────────────────────────────────
+export function cmdWorkspace(ctx) {
+    const config = loadWorkspaceConfig(ctx.root);
+    if (!config) {
+        console.log('');
+        console.log(C.warn('  This repo is not part of a workspace.'));
+        console.log(C.dim('  Use /link to create one, or guardlink link-project in the CLI.'));
+        console.log('');
+        return;
+    }
+    console.log('');
+    console.log(`  ${C.bold('Workspace:')} ${config.workspace}`);
+    console.log(`  ${C.bold('This repo:')} ${config.this_repo}`);
+    console.log('');
+    console.log(`  ${C.bold('Linked repos')} (${config.repos.length}):`);
+    for (const r of config.repos) {
+        const isSelf = r.name === config.this_repo ? C.dim(' (this)') : '';
+        const reg = r.registry ? C.dim(` → ${r.registry}`) : '';
+        console.log(`    ${r.name === config.this_repo ? C.green('●') : C.cyan('○')} ${r.name}${isSelf}${reg}`);
+    }
+    console.log('');
+    console.log(C.dim('  /merge to combine reports · /link --add to add a repo · /link --remove to remove'));
+    console.log('');
+}
+// ─── /link ───────────────────────────────────────────────────────────
+export async function cmdLink(args, ctx) {
+    const parts = args.trim().split(/\s+/).filter(Boolean);
+    // Parse flags
+    let addPath;
+    let removeName;
+    let workspace = 'workspace';
+    let registry;
+    const repoPaths = [];
+    for (let i = 0; i < parts.length; i++) {
+        const p = parts[i];
+        if (p === '--add' && parts[i + 1]) {
+            addPath = parts[++i];
+        }
+        else if (p === '--remove' && parts[i + 1]) {
+            removeName = parts[++i];
+        }
+        else if ((p === '-w' || p === '--workspace') && parts[i + 1]) {
+            workspace = parts[++i];
+        }
+        else if ((p === '-r' || p === '--registry') && parts[i + 1]) {
+            registry = parts[++i];
+        }
+        else {
+            repoPaths.push(p);
+        }
+    }
+    if (removeName) {
+        // ── Remove mode ──
+        console.log(C.dim(`  Removing "${removeName}" from workspace...`));
+        const result = removeFromWorkspace({
+            repoName: removeName,
+            existingRepoPath: ctx.root,
+        });
+        for (const name of result.updated)
+            console.log(`  ${C.green('↻')} ${name} — updated`);
+        for (const f of result.agentFilesUpdated) {
+            if (f.includes('(cleaned)'))
+                console.log(`  ${C.dim('🧹')} ${f}`);
+        }
+        for (const s of result.skipped)
+            console.log(`  ${C.warn('✗')} ${s.name} — ${s.reason}`);
+        if (result.updated.length > 0) {
+            console.log('');
+            console.log(C.success(`  ✓ Removed "${removeName}", updated ${result.updated.length} repo(s)`));
+        }
+    }
+    else if (addPath) {
+        // ── Add mode (--from is implicit: ctx.root) ──
+        console.log(C.dim(`  Adding ${addPath} to workspace...`));
+        const result = addToWorkspace({
+            newRepoPath: resolve(addPath),
+            existingRepoPath: ctx.root,
+            registry,
+        });
+        for (const name of result.initialized)
+            console.log(`  ${C.cyan('⚡')} ${name} — auto-initialized`);
+        for (const name of result.linked)
+            console.log(`  ${C.green('✓')} ${name} — linked`);
+        for (const name of result.updated)
+            console.log(`  ${C.green('↻')} ${name} — updated`);
+        for (const s of result.skipped)
+            console.log(`  ${C.warn('✗')} ${s.name} — ${s.reason}`);
+        if (result.linked.length > 0 || result.updated.length > 0) {
+            console.log('');
+            console.log(C.success(`  ✓ ${result.linked.length} added, ${result.updated.length} updated`));
+        }
+    }
+    else if (repoPaths.length >= 2) {
+        // ── Fresh link mode ──
+        console.log(C.dim(`  Linking ${repoPaths.length} repos into "${workspace}"...`));
+        const result = linkProject({
+            workspace,
+            repoPaths: repoPaths.map(p => resolve(p)),
+            registry,
+        });
+        for (const name of result.initialized)
+            console.log(`  ${C.cyan('⚡')} ${name} — auto-initialized`);
+        for (const name of result.linked)
+            console.log(`  ${C.green('✓')} ${name} — linked`);
+        for (const s of result.skipped)
+            console.log(`  ${C.warn('✗')} ${s.name} — ${s.reason}`);
+        if (result.linked.length > 0) {
+            console.log('');
+            console.log(C.success(`  ✓ Linked ${result.linked.length} repo(s) into "${workspace}"`));
+        }
+    }
+    else {
+        console.log('');
+        console.log(`  ${C.bold('Usage:')}`);
+        console.log(`    /link <repo1> <repo2> ...           ${C.dim('Fresh workspace setup')}`);
+        console.log(`    /link --add <repo-path>             ${C.dim('Add a repo (uses current repo as reference)')}`);
+        console.log(`    /link --remove <repo-name>          ${C.dim('Remove a repo by name')}`);
+        console.log(`    /link -w <name> -r <registry> ...   ${C.dim('Set workspace name and registry')}`);
+    }
+    console.log('');
+}
+// ─── /merge ──────────────────────────────────────────────────────────
+export async function cmdMerge(args, ctx) {
+    const parts = args.trim().split(/\s+/).filter(Boolean);
+    // Parse flags
+    let outputFile;
+    let jsonFile;
+    let diffAgainst;
+    let workspaceName;
+    const files = [];
+    for (let i = 0; i < parts.length; i++) {
+        const p = parts[i];
+        if ((p === '-o' || p === '--output') && parts[i + 1]) {
+            outputFile = parts[++i];
+        }
+        else if (p === '--json' && parts[i + 1]) {
+            jsonFile = parts[++i];
+        }
+        else if (p === '--diff-against' && parts[i + 1]) {
+            diffAgainst = parts[++i];
+        }
+        else if ((p === '-w' || p === '--workspace') && parts[i + 1]) {
+            workspaceName = parts[++i];
+        }
+        else {
+            files.push(resolve(p));
+        }
+    }
+    if (files.length === 0) {
+        console.log('');
+        console.log(`  ${C.bold('Usage:')}`);
+        console.log(`    /merge <report1.json> <report2.json> ...`);
+        console.log(`    /merge *.json -o dashboard.html --json merged.json`);
+        console.log(`    /merge *.json --diff-against last-week.json`);
+        console.log('');
+        return;
+    }
+    console.log(C.dim(`  Merging ${files.length} report(s)...`));
+    // Load and merge
+    const reportJsons = [];
+    for (const f of files) {
+        if (!existsSync(f)) {
+            console.log(C.warn(`  ✗ File not found: ${f}`));
+            continue;
+        }
+        try {
+            reportJsons.push(JSON.parse(readFileSync(f, 'utf-8')));
+        }
+        catch (err) {
+            console.log(C.warn(`  ✗ Invalid JSON: ${f}`));
+        }
+    }
+    if (reportJsons.length === 0) {
+        console.log(C.error('  No valid reports to merge.'));
+        console.log('');
+        return;
+    }
+    const merged = await mergeReports(reportJsons, { workspace: workspaceName });
+    // Summary
+    const t = merged.totals;
+    console.log('');
+    console.log(`  ${C.bold(merged.workspace)} — ${merged.repo_statuses.filter(r => r.loaded).length}/${merged.repo_statuses.length} repos loaded`);
+    console.log(`  ${t.annotations} annotations | ${t.assets} assets | ${t.threats} threats | ${t.controls} controls`);
+    console.log(`  ${t.mitigations} mitigations | ${t.exposures} exposures | ${t.unmitigated_exposures} unmitigated`);
+    console.log(`  ${t.flows} flows | ${t.external_refs_resolved} refs resolved | ${t.external_refs_unresolved} unresolved`);
+    // Warnings
+    for (const w of merged.warnings) {
+        console.log(`  ${C.warn('⚠')} ${w.message}`);
+    }
+    // Write JSON
+    if (jsonFile) {
+        writeFileSync(resolve(jsonFile), JSON.stringify(merged, null, 2));
+        console.log(`  ${C.green('✓')} Wrote merged JSON to ${jsonFile}`);
+    }
+    // Diff
+    if (diffAgainst && existsSync(resolve(diffAgainst))) {
+        try {
+            const previous = JSON.parse(readFileSync(resolve(diffAgainst), 'utf-8'));
+            const diff = diffMergedReports(merged, previous);
+            if (diff.risk_delta === 'decreased') {
+                console.log(`  ${C.green('🟢')} Risk decreased since last merge`);
+            }
+            else if (diff.risk_delta === 'increased') {
+                console.log(`  ${C.red('🔴')} Risk increased since last merge`);
+            }
+            else {
+                console.log(`  ${C.dim('⚪')} Risk unchanged`);
+            }
+            if (diff.resolved_unmitigated > 0) {
+                console.log(`  ${C.green('🟢')} ${diff.resolved_unmitigated} exposure(s) now mitigated`);
+            }
+            if (diff.new_unmitigated > 0) {
+                console.log(`  ${C.red('🔴')} ${diff.new_unmitigated} new unmitigated exposure(s)`);
+            }
+        }
+        catch {
+            console.log(C.warn(`  ✗ Could not parse diff file: ${diffAgainst}`));
+        }
+    }
+    // Dashboard
+    if (outputFile || !jsonFile) {
+        const dashPath = resolve(outputFile || 'workspace-dashboard.html');
+        const html = generateDashboardHTML(merged.model);
+        writeFileSync(dashPath, html);
+        console.log(`  ${C.green('✓')} Dashboard: ${outputFile || 'workspace-dashboard.html'}`);
+    }
+    // Print summary
+    const summary = formatMergeSummary(merged);
+    console.log('');
+    for (const line of summary.split('\n').slice(0, 15)) {
+        console.log(`  ${line}`);
+    }
+    console.log('');
+}
 //# sourceMappingURL=commands.js.map