guardrail-cli 1.0.5 → 2.0.0

package/dist/runtime/creds.js

@@ -0,0 +1,245 @@
+"use strict";
+/**
+ * Enterprise Credential Store
+ * - OS keychain first (Keychain/Windows Credential Manager/libsecret)
+ * - Secure fallback with 0600 perms + atomic writes
+ * - Token-first model (short-lived tokens preferred over static API keys)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadAuthState = loadAuthState;
+exports.saveAuthState = saveAuthState;
+exports.clearAuthState = clearAuthState;
+exports.isCacheValid = isCacheValid;
+exports.shouldUseCachedEntitlements = shouldUseCachedEntitlements;
+exports.getConfigPath = getConfigPath;
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const promises_1 = __importDefault(require("fs/promises"));
+const fs_1 = require("fs");
+const crypto_1 = __importDefault(require("crypto"));
+const SERVICE = 'guardrail-cli';
+const ACCOUNT = 'default';
+function getConfigDir() {
+    if (process.platform === 'win32') {
+        return path_1.default.join(process.env.APPDATA || path_1.default.join(os_1.default.homedir(), 'AppData', 'Roaming'), 'guardrail');
+    }
+    if (process.platform === 'darwin') {
+        return path_1.default.join(os_1.default.homedir(), 'Library', 'Application Support', 'guardrail');
+    }
+    return path_1.default.join(process.env.XDG_CONFIG_HOME || path_1.default.join(os_1.default.homedir(), '.config'), 'guardrail');
+}
+const CONFIG_DIR = getConfigDir();
+const CONFIG_FILE = path_1.default.join(CONFIG_DIR, 'state.json');
+/**
+ * Try to load keytar for OS keychain access
+ * Returns null if keytar is not available
+ */
+async function tryKeytar() {
+    try {
+        return require('keytar');
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Atomic write with restrictive permissions
+ * Prevents partial writes and race conditions
+ * Security: 0600 on Unix, NTFS ACL restriction on Windows (best effort)
+ */
+async function atomicWrite(filePath, data) {
+    await promises_1.default.mkdir(path_1.default.dirname(filePath), { recursive: true, mode: 0o700 });
+    const tmp = `${filePath}.${crypto_1.default.randomBytes(6).toString('hex')}.tmp`;
+    // Write with restrictive mode on Unix
+    await promises_1.default.writeFile(tmp, data, { encoding: 'utf8', mode: 0o600 });
+    // Lock down permissions
+    if (process.platform !== 'win32') {
+        // Unix: 0600 = owner read/write only
+        await promises_1.default.chmod(tmp, 0o600);
+    }
+    else {
+        // Windows: Best effort - use icacls to restrict access
+        // This is a no-op if it fails, as Windows file permissions are complex
+        try {
+            const { exec } = await Promise.resolve().then(() => __importStar(require('child_process')));
+            const username = process.env.USERNAME || process.env.USER;
+            if (username) {
+                await new Promise((resolve) => {
+                    exec(`icacls "${tmp}" /inheritance:r /grant:r "${username}:F"`, { windowsHide: true }, () => resolve() // Ignore errors
+                    );
+                });
+            }
+        }
+        catch {
+            // Windows permission setting failed - continue anyway
+        }
+    }
+    await promises_1.default.rename(tmp, filePath);
+    // Also secure the directory on Unix
+    if (process.platform !== 'win32') {
+        await promises_1.default.chmod(path_1.default.dirname(filePath), 0o700).catch(() => { });
+    }
+}
+/**
+ * Load authentication state
+ * Prefers keychain for sensitive tokens, falls back to disk
+ */
+async function loadAuthState() {
+    try {
+        if (!(0, fs_1.existsSync)(CONFIG_FILE))
+            return {};
+        const raw = await promises_1.default.readFile(CONFIG_FILE, 'utf8');
+        const state = JSON.parse(raw);
+        // If keychain is available, prefer tokens from there
+        const keytar = await tryKeytar();
+        if (keytar) {
+            try {
+                const secret = await keytar.getPassword(SERVICE, ACCOUNT);
+                if (secret) {
+                    const fromKeychain = JSON.parse(secret);
+                    return { ...state, ...fromKeychain };
+                }
+            }
+            catch {
+                // Keychain access failed, use disk state
+            }
+        }
+        return state;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Save authentication state
+ * Stores sensitive tokens in keychain when available, non-sensitive data on disk
+ */
+async function saveAuthState(next) {
+    // Separate sensitive from non-sensitive data
+    const { accessToken, refreshToken, apiKey, ...diskSafe } = next;
+    const keytar = await tryKeytar();
+    if (keytar) {
+        try {
+            const secretPayload = { accessToken, refreshToken, apiKey };
+            await keytar.setPassword(SERVICE, ACCOUNT, JSON.stringify(secretPayload));
+        }
+        catch {
+            // Keychain save failed, store everything on disk
+            diskSafe.apiKey = apiKey;
+            diskSafe.accessToken = accessToken;
+            diskSafe.refreshToken = refreshToken;
+        }
+    }
+    else {
+        // No keychain available: fall back to disk with tight perms
+        diskSafe.apiKey = apiKey;
+        diskSafe.accessToken = accessToken;
+        diskSafe.refreshToken = refreshToken;
+    }
+    await atomicWrite(CONFIG_FILE, JSON.stringify(diskSafe, null, 2));
+}
+/**
+ * Clear all authentication state (logout)
+ */
+async function clearAuthState() {
+    const keytar = await tryKeytar();
+    if (keytar) {
+        try {
+            await keytar.deletePassword(SERVICE, ACCOUNT);
+        }
+        catch {
+            // Keychain delete failed, continue anyway
+        }
+    }
+    await atomicWrite(CONFIG_FILE, JSON.stringify({}, null, 2));
+}
+/**
+ * Check if cached entitlements are still valid
+ * Uses the shorter of cacheUntil (local) or expiresAt (server)
+ */
+function isCacheValid(state) {
+    if (!state.tier)
+        return false;
+    const now = new Date();
+    // Check local cache expiry
+    if (state.cacheUntil) {
+        const cacheExpiry = new Date(state.cacheUntil);
+        if (cacheExpiry <= now)
+            return false;
+    }
+    // Check server-issued expiry
+    if (state.expiresAt) {
+        const serverExpiry = new Date(state.expiresAt);
+        if (serverExpiry <= now)
+            return false;
+    }
+    // At least one expiry must be set
+    return Boolean(state.cacheUntil || state.expiresAt);
+}
+/**
+ * Check if entitlements should be reused from cache
+ * Returns true only if cache is valid AND has > 5 minutes remaining
+ */
+function shouldUseCachedEntitlements(state) {
+    if (!state.tier)
+        return false;
+    const now = new Date();
+    const fiveMinutesFromNow = new Date(now.getTime() + 5 * 60 * 1000);
+    // Check if local cache has > 5 min remaining
+    if (state.cacheUntil) {
+        const cacheExpiry = new Date(state.cacheUntil);
+        if (cacheExpiry <= fiveMinutesFromNow)
+            return false;
+    }
+    // Check if server expiry has > 5 min remaining
+    if (state.expiresAt) {
+        const serverExpiry = new Date(state.expiresAt);
+        if (serverExpiry <= fiveMinutesFromNow)
+            return false;
+    }
+    // At least one expiry must be set and valid
+    return Boolean(state.cacheUntil || state.expiresAt);
+}
+/**
+ * Get config directory path (for display purposes)
+ */
+function getConfigPath() {
+    return CONFIG_FILE;
+}
+//# sourceMappingURL=creds.js.map

package/dist/runtime/creds.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"creds.js","sourceRoot":"","sources":["../../src/runtime/creds.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyGH,sCAwBC;AAMD,sCAuBC;AAKD,wCAUC;AAMD,oCAmBC;AAMD,kEAoBC;AAKD,sCAEC;AArOD,4CAAoB;AACpB,gDAAwB;AACxB,2DAA6B;AAC7B,2BAAgC;AAChC,oDAA4B;AAiB5B,MAAM,OAAO,GAAG,eAAe,CAAC;AAChC,MAAM,OAAO,GAAG,SAAS,CAAC;AAE1B,SAAS,YAAY;IACnB,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,OAAO,cAAI,CAAC,IAAI,CACd,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,EACpE,WAAW,CACZ,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,qBAAqB,EAAE,WAAW,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,cAAI,CAAC,IAAI,CACd,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,EACjE,WAAW,CACZ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC;AAClC,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AAExD;;;GAGG;AACH,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAgB,EAAE,IAAY;IACvD,MAAM,kBAAE,CAAC,KAAK,CAAC,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,gBAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;IAEvE,sCAAsC;IACtC,MAAM,kBAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjE,wBAAwB;IACxB,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,qCAAqC;QACrC,MAAM,kBAAE,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,uDAAuD;QACvD,uEAAuE;QACvE,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,wDAAa,eAAe,GAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAC1D,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;oBAClC,IAAI,CACF,WAAW,GAAG,8BAA8B,QAAQ,KAAK,EACzD,EAAE,WAAW,EAAE,IAAI,EAAE,EACrB,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,gBAAgB;qBACjC,CAAC;gBACJ,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;IACH,CAAC;IAED,MAAM,kBAAE,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAE/B,oCAAoC;IACpC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,kBAAE,CAAC,KAAK,CAAC,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,aAAa;IACjC,IAAI,CAAC;QACH,IAAI,CAAC,IAAA,eAAU,EAAC,WAAW,CAAC;YAAE,OAAO,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAc,CAAC;QAE3C,qDAAqD;QACrD,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;QACjC,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC1D,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAuB,CAAC;oBAC9D,OAAO,EAAE,GAAG,KAAK,EAAE,GAAG,YAAY,EAAE,CAAC;gBACvC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,aAAa,CAAC,IAAe;IACjD,6CAA6C;IAC7C,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC;IAEhE,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,aAAa,GAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;YAChF,MAAM,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;YAChD,QAAsB,CAAC,MAAM,GAAG,MAAM,CAAC;YACvC,QAAsB,CAAC,WAAW,GAAG,WAAW,CAAC;YACjD,QAAsB,CAAC,YAAY,GAAG,YAAY,CAAC;QACtD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC3D,QAAsB,CAAC,MAAM,GAAG,MAAM,CAAC;QACvC,QAAsB,CAAC,WAAW,GAAG,WAAW,CAAC;QACjD,QAAsB,CAAC,YAAY,GAAG,YAAY,CAAC;IACtD,CAAC;IAED,MAAM,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,cAAc;IAClC,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;IACH,CAAC;IACD,MAAM,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,KAAgB;IAC3C,IAAI,CAAC,KAAK,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,2BAA2B;IAC3B,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,WAAW,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACvC,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,YAAY,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACxC,CAAC;IAED,kCAAkC;IAClC,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,SAAgB,2BAA2B,CAAC,KAAgB;IAC1D,IAAI,CAAC,KAAK,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,kBAAkB,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEnE,6CAA6C;IAC7C,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,WAAW,IAAI,kBAAkB;YAAE,OAAO,KAAK,CAAC;IACtD,CAAC;IAED,+CAA+C;IAC/C,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,YAAY,IAAI,kBAAkB;YAAE,OAAO,KAAK,CAAC;IACvD,CAAC;IAED,4CAA4C;IAC5C,OAAO,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa;IAC3B,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/runtime/exit-codes.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Enterprise Exit Codes
+ * Consistent, meaningful exit codes for CI/CD integration
+ *
+ * Usage:
+ *   process.exit(ExitCode.POLICY_FAIL)
+ *   exitWith(ExitCode.AUTH_FAILURE, 'Invalid API key')
+ */
+export declare enum ExitCode {
+    /** Scan passed, no policy violations */
+    SUCCESS = 0,
+    /** Findings above threshold (policy fail) - actionable by user */
+    POLICY_FAIL = 1,
+    /** User error: invalid args, bad config, missing required options */
+    USER_ERROR = 2,
+    /** System error: crash, filesystem issues, unexpected exceptions */
+    SYSTEM_ERROR = 3,
+    /** Auth/entitlement failure: invalid key, expired token, insufficient tier */
+    AUTH_FAILURE = 4,
+    /** Network/backend failure: API unreachable, timeout */
+    NETWORK_FAILURE = 5
+}
+export declare const EXIT_CODE_DESCRIPTIONS: Record<ExitCode, string>;
+/**
+ * Exit with code and optional message
+ * Logs the exit reason for debugging
+ */
+export declare function exitWith(code: ExitCode, message?: string): never;
+/**
+ * Map error types to exit codes
+ */
+export declare function getExitCodeForError(err: Error): ExitCode;
+/**
+ * Determine exit code based on scan results and policy
+ */
+export declare function getExitCodeForFindings(findings: {
+    critical?: number;
+    high?: number;
+    medium?: number;
+    low?: number;
+}, policy: {
+    failOnCritical?: boolean;
+    failOnHigh?: boolean;
+    failOnMedium?: boolean;
+    failOnAny?: boolean;
+}): ExitCode;
+//# sourceMappingURL=exit-codes.d.ts.map

package/dist/runtime/exit-codes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.d.ts","sourceRoot":"","sources":["../../src/runtime/exit-codes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,oBAAY,QAAQ;IAClB,wCAAwC;IACxC,OAAO,IAAI;IAEX,kEAAkE;IAClE,WAAW,IAAI;IAEf,qEAAqE;IACrE,UAAU,IAAI;IAEd,oEAAoE;IACpE,YAAY,IAAI;IAEhB,8EAA8E;IAC9E,YAAY,IAAI;IAEhB,wDAAwD;IACxD,eAAe,IAAI;CACpB;AAED,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAO3D,CAAC;AAEF;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,KAAK,CAShE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,GAAG,QAAQ,CAiBxD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,EAAE,MAAM,EAAE;IACT,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB,GAAG,QAAQ,CAiBX"}

package/dist/runtime/exit-codes.js

@@ -0,0 +1,91 @@
+"use strict";
+/**
+ * Enterprise Exit Codes
+ * Consistent, meaningful exit codes for CI/CD integration
+ *
+ * Usage:
+ *   process.exit(ExitCode.POLICY_FAIL)
+ *   exitWith(ExitCode.AUTH_FAILURE, 'Invalid API key')
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EXIT_CODE_DESCRIPTIONS = exports.ExitCode = void 0;
+exports.exitWith = exitWith;
+exports.getExitCodeForError = getExitCodeForError;
+exports.getExitCodeForFindings = getExitCodeForFindings;
+var ExitCode;
+(function (ExitCode) {
+    /** Scan passed, no policy violations */
+    ExitCode[ExitCode["SUCCESS"] = 0] = "SUCCESS";
+    /** Findings above threshold (policy fail) - actionable by user */
+    ExitCode[ExitCode["POLICY_FAIL"] = 1] = "POLICY_FAIL";
+    /** User error: invalid args, bad config, missing required options */
+    ExitCode[ExitCode["USER_ERROR"] = 2] = "USER_ERROR";
+    /** System error: crash, filesystem issues, unexpected exceptions */
+    ExitCode[ExitCode["SYSTEM_ERROR"] = 3] = "SYSTEM_ERROR";
+    /** Auth/entitlement failure: invalid key, expired token, insufficient tier */
+    ExitCode[ExitCode["AUTH_FAILURE"] = 4] = "AUTH_FAILURE";
+    /** Network/backend failure: API unreachable, timeout */
+    ExitCode[ExitCode["NETWORK_FAILURE"] = 5] = "NETWORK_FAILURE";
+})(ExitCode || (exports.ExitCode = ExitCode = {}));
+exports.EXIT_CODE_DESCRIPTIONS = {
+    [ExitCode.SUCCESS]: 'Scan completed successfully with no policy violations',
+    [ExitCode.POLICY_FAIL]: 'Findings exceed configured thresholds',
+    [ExitCode.USER_ERROR]: 'Invalid arguments or configuration',
+    [ExitCode.SYSTEM_ERROR]: 'Internal error or filesystem issue',
+    [ExitCode.AUTH_FAILURE]: 'Authentication or authorization failed',
+    [ExitCode.NETWORK_FAILURE]: 'Network or API communication failed',
+};
+/**
+ * Exit with code and optional message
+ * Logs the exit reason for debugging
+ */
+function exitWith(code, message) {
+    if (message) {
+        if (code === ExitCode.SUCCESS) {
+            console.log(message);
+        }
+        else {
+            console.error(`[exit:${code}] ${message}`);
+        }
+    }
+    process.exit(code);
+}
+/**
+ * Map error types to exit codes
+ */
+function getExitCodeForError(err) {
+    const msg = err.message.toLowerCase();
+    if (msg.includes('enoent') || msg.includes('permission denied') || msg.includes('eacces')) {
+        return ExitCode.SYSTEM_ERROR;
+    }
+    if (msg.includes('network') || msg.includes('timeout') || msg.includes('fetch')) {
+        return ExitCode.NETWORK_FAILURE;
+    }
+    if (msg.includes('auth') || msg.includes('unauthorized') || msg.includes('forbidden')) {
+        return ExitCode.AUTH_FAILURE;
+    }
+    if (msg.includes('invalid') || msg.includes('missing') || msg.includes('required')) {
+        return ExitCode.USER_ERROR;
+    }
+    return ExitCode.SYSTEM_ERROR;
+}
+/**
+ * Determine exit code based on scan results and policy
+ */
+function getExitCodeForFindings(findings, policy) {
+    const { critical = 0, high = 0, medium = 0, low = 0 } = findings;
+    if (policy.failOnAny && (critical + high + medium + low) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnCritical && critical > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnHigh && (critical + high) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    if (policy.failOnMedium && (critical + high + medium) > 0) {
+        return ExitCode.POLICY_FAIL;
+    }
+    return ExitCode.SUCCESS;
+}
+//# sourceMappingURL=exit-codes.js.map

package/dist/runtime/exit-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.js","sourceRoot":"","sources":["../../src/runtime/exit-codes.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAmCH,4BASC;AAKD,kDAiBC;AAKD,wDA2BC;AAhGD,IAAY,QAkBX;AAlBD,WAAY,QAAQ;IAClB,wCAAwC;IACxC,6CAAW,CAAA;IAEX,kEAAkE;IAClE,qDAAe,CAAA;IAEf,qEAAqE;IACrE,mDAAc,CAAA;IAEd,oEAAoE;IACpE,uDAAgB,CAAA;IAEhB,8EAA8E;IAC9E,uDAAgB,CAAA;IAEhB,wDAAwD;IACxD,6DAAmB,CAAA;AACrB,CAAC,EAlBW,QAAQ,wBAAR,QAAQ,QAkBnB;AAEY,QAAA,sBAAsB,GAA6B;IAC9D,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,uDAAuD;IAC3E,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,uCAAuC;IAC/D,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,oCAAoC;IAC3D,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,oCAAoC;IAC7D,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,wCAAwC;IACjE,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,qCAAqC;CAClE,CAAC;AAEF;;;GAGG;AACH,SAAgB,QAAQ,CAAC,IAAc,EAAE,OAAgB;IACvD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,IAAI,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,GAAU;IAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IAEtC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1F,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAChF,OAAO,QAAQ,CAAC,eAAe,CAAC;IAClC,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACtF,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACnF,OAAO,QAAQ,CAAC,UAAU,CAAC;IAC7B,CAAC;IAED,OAAO,QAAQ,CAAC,YAAY,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,QAKtC,EAAE,MAKF;IACC,MAAM,EAAE,QAAQ,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,EAAE,GAAG,QAAQ,CAAC;IAEjE,IAAI,MAAM,CAAC,SAAS,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,QAAQ,CAAC,WAAW,CAAC;IAC9B,CAAC;IAED,OAAO,QAAQ,CAAC,OAAO,CAAC;AAC1B,CAAC"}

package/dist/runtime/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Enterprise Runtime Modules
+ * Re-exports all runtime utilities for clean imports
+ */
+export * from './creds';
+export * from './client';
+export * from './exit-codes';
+export * from './semver';
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAC7B,cAAc,UAAU,CAAC"}

package/dist/runtime/index.js

@@ -0,0 +1,25 @@
+"use strict";
+/**
+ * Enterprise Runtime Modules
+ * Re-exports all runtime utilities for clean imports
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./creds"), exports);
+__exportStar(require("./client"), exports);
+__exportStar(require("./exit-codes"), exports);
+__exportStar(require("./semver"), exports);
+//# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,2CAAyB;AACzB,+CAA6B;AAC7B,2CAAyB"}

package/dist/runtime/semver.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Lightweight Semver Utilities
+ * Proper version comparison for vulnerability checking
+ * (Avoids incorrect lexicographic comparison like "10.0.0" < "2.0.0")
+ */
+export interface SemverParts {
+    major: number;
+    minor: number;
+    patch: number;
+    prerelease?: string;
+}
+/**
+ * Parse a semver string into components
+ * Handles formats: 1.2.3, 1.2.3-beta.1, ^1.2.3, ~1.2.3
+ */
+export declare function parseSemver(version: string): SemverParts | null;
+/**
+ * Compare two semver versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+export declare function compareSemver(a: string, b: string): number;
+/**
+ * Check if version is less than target
+ * Enterprise-grade: "10.0.0" is NOT less than "2.0.0"
+ */
+export declare function isVersionLessThan(version: string, target: string): boolean;
+/**
+ * Check if version satisfies a range expression
+ * Supports: <1.2.3, <=1.2.3, >1.2.3, >=1.2.3, 1.2.3 (exact)
+ */
+export declare function satisfiesRange(version: string, range: string): boolean;
+/**
+ * Check if version is affected by vulnerability
+ * affectedVersions format: "<4.17.21" or ">=1.0.0 <2.0.0"
+ */
+export declare function isAffected(version: string, affectedVersions: string): boolean;
+//# sourceMappingURL=semver.d.ts.map

package/dist/runtime/semver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.d.ts","sourceRoot":"","sources":["../../src/runtime/semver.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAyB/D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CA4B1D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAkBtE;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAM7E"}

package/dist/runtime/semver.js

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * Lightweight Semver Utilities
+ * Proper version comparison for vulnerability checking
+ * (Avoids incorrect lexicographic comparison like "10.0.0" < "2.0.0")
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSemver = parseSemver;
+exports.compareSemver = compareSemver;
+exports.isVersionLessThan = isVersionLessThan;
+exports.satisfiesRange = satisfiesRange;
+exports.isAffected = isAffected;
+/**
+ * Parse a semver string into components
+ * Handles formats: 1.2.3, 1.2.3-beta.1, ^1.2.3, ~1.2.3
+ */
+function parseSemver(version) {
+    // Strip range prefixes
+    const cleaned = version.replace(/^[\^~>=<]+/, '').trim();
+    // Match semver pattern
+    const match = cleaned.match(/^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/);
+    if (!match) {
+        // Try partial versions (1.2, 1)
+        const partial = cleaned.match(/^(\d+)(?:\.(\d+))?$/);
+        if (partial) {
+            return {
+                major: parseInt(partial[1], 10),
+                minor: partial[2] ? parseInt(partial[2], 10) : 0,
+                patch: 0,
+            };
+        }
+        return null;
+    }
+    return {
+        major: parseInt(match[1], 10),
+        minor: parseInt(match[2], 10),
+        patch: parseInt(match[3], 10),
+        prerelease: match[4],
+    };
+}
+/**
+ * Compare two semver versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+function compareSemver(a, b) {
+    const parsedA = parseSemver(a);
+    const parsedB = parseSemver(b);
+    if (!parsedA || !parsedB) {
+        // Fallback to string comparison if parsing fails
+        return a.localeCompare(b, undefined, { numeric: true, sensitivity: 'base' });
+    }
+    // Compare major.minor.patch
+    if (parsedA.major !== parsedB.major) {
+        return parsedA.major < parsedB.major ? -1 : 1;
+    }
+    if (parsedA.minor !== parsedB.minor) {
+        return parsedA.minor < parsedB.minor ? -1 : 1;
+    }
+    if (parsedA.patch !== parsedB.patch) {
+        return parsedA.patch < parsedB.patch ? -1 : 1;
+    }
+    // Handle prerelease (1.0.0-alpha < 1.0.0)
+    if (parsedA.prerelease && !parsedB.prerelease)
+        return -1;
+    if (!parsedA.prerelease && parsedB.prerelease)
+        return 1;
+    if (parsedA.prerelease && parsedB.prerelease) {
+        return parsedA.prerelease.localeCompare(parsedB.prerelease);
+    }
+    return 0;
+}
+/**
+ * Check if version is less than target
+ * Enterprise-grade: "10.0.0" is NOT less than "2.0.0"
+ */
+function isVersionLessThan(version, target) {
+    return compareSemver(version, target) < 0;
+}
+/**
+ * Check if version satisfies a range expression
+ * Supports: <1.2.3, <=1.2.3, >1.2.3, >=1.2.3, 1.2.3 (exact)
+ */
+function satisfiesRange(version, range) {
+    const trimmed = range.trim();
+    if (trimmed.startsWith('<=')) {
+        return compareSemver(version, trimmed.slice(2)) <= 0;
+    }
+    if (trimmed.startsWith('<')) {
+        return compareSemver(version, trimmed.slice(1)) < 0;
+    }
+    if (trimmed.startsWith('>=')) {
+        return compareSemver(version, trimmed.slice(2)) >= 0;
+    }
+    if (trimmed.startsWith('>')) {
+        return compareSemver(version, trimmed.slice(1)) > 0;
+    }
+    // Exact match
+    return compareSemver(version, trimmed) === 0;
+}
+/**
+ * Check if version is affected by vulnerability
+ * affectedVersions format: "<4.17.21" or ">=1.0.0 <2.0.0"
+ */
+function isAffected(version, affectedVersions) {
+    // Split on spaces for compound ranges
+    const parts = affectedVersions.split(/\s+/).filter(Boolean);
+    // All conditions must be satisfied
+    return parts.every(part => satisfiesRange(version, part));
+}
+//# sourceMappingURL=semver.js.map

package/dist/runtime/semver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semver.js","sourceRoot":"","sources":["../../src/runtime/semver.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAaH,kCAyBC;AAMD,sCA4BC;AAMD,8CAEC;AAMD,wCAkBC;AAMD,gCAMC;AA3GD;;;GAGG;AACH,SAAgB,WAAW,CAAC,OAAe;IACzC,uBAAuB;IACvB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAEzD,uBAAuB;IACvB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,gCAAgC;QAChC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACrD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;gBAC/B,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChD,KAAK,EAAE,CAAC;aACT,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC7B,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC7B,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;KACrB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,CAAS,EAAE,CAAS;IAChD,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAE/B,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;QACzB,iDAAiD;QACjD,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;QACpC,OAAO,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,0CAA0C;IAC1C,IAAI,OAAO,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QAC7C,OAAO,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,OAAe,EAAE,MAAc;IAC/D,OAAO,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,OAAe,EAAE,KAAa;IAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC;IAED,cAAc;IACd,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAgB,UAAU,CAAC,OAAe,EAAE,gBAAwB;IAClE,sCAAsC;IACtC,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE5D,mCAAmC;IACnC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/scanner/baseline.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Baseline support for suppressing known findings
+ */
+export interface BaselineFinding {
+    fingerprint: string;
+    category: string;
+    title: string;
+    file: string;
+    line: number;
+    suppressedAt: string;
+}
+export interface Baseline {
+    version: string;
+    createdAt: string;
+    findings: BaselineFinding[];
+}
+export interface Finding {
+    type?: string;
+    category?: string;
+    title: string;
+    file: string;
+    line: number;
+    match?: string;
+    snippet?: string;
+}
+export declare class BaselineManager {
+    /**
+     * Generate stable fingerprint for a finding
+     * fingerprint = sha256(category + title + file + line + snippetNormalized)
+     */
+    static generateFingerprint(finding: Finding): string;
+    /**
+     * Load baseline from file
+     */
+    static loadBaseline(path: string): Baseline | null;
+    /**
+     * Save baseline to file
+     */
+    static saveBaseline(path: string, findings: Finding[]): void;
+    /**
+     * Check if a finding is suppressed by baseline
+     */
+    static isSuppressed(finding: Finding, baseline: Baseline | null): boolean;
+    /**
+     * Filter findings by baseline
+     */
+    static filterFindings<T extends Finding>(findings: T[], baselinePath?: string): {
+        filtered: T[];
+        suppressed: number;
+    };
+}
+//# sourceMappingURL=baseline.d.ts.map

package/dist/scanner/baseline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"baseline.d.ts","sourceRoot":"","sources":["../../src/scanner/baseline.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,eAAe,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,eAAe;IAC1B;;;OAGG;IACH,MAAM,CAAC,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM;IAcpD;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI;IAalD;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI;IAiB5D;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,GAAG,IAAI,GAAG,OAAO;IASzE;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,CAAC,SAAS,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE;CAetH"}