guardrail-core 1.0.0

package/src/env.d.ts

@@ -0,0 +1,68 @@
+import { z } from "zod";
+declare const envSchema: z.ZodObject<
+  {
+    NODE_ENV: z.ZodDefault<z.ZodEnum<["development", "production", "test"]>>;
+    PORT: z.ZodDefault<z.ZodEffects<z.ZodString, number, string>>;
+    HOST: z.ZodDefault<z.ZodString>;
+    DATABASE_URL: z.ZodString;
+    JWT_SECRET: z.ZodString;
+    OPENAI_API_KEY: z.ZodOptional<z.ZodString>;
+    REDIS_URL: z.ZodOptional<z.ZodString>;
+    CORS_ORIGIN: z.ZodDefault<z.ZodString>;
+    RATE_LIMIT_WINDOW_MS: z.ZodDefault<
+      z.ZodEffects<z.ZodString, number, string>
+    >;
+    RATE_LIMIT_MAX_REQUESTS: z.ZodDefault<
+      z.ZodEffects<z.ZodString, number, string>
+    >;
+    GITHUB_WEBHOOK_SECRET: z.ZodOptional<z.ZodString>;
+    SENTRY_DSN: z.ZodOptional<z.ZodString>;
+    ENABLE_METRICS: z.ZodDefault<z.ZodEffects<z.ZodString, boolean, string>>;
+    ENABLE_AI_FEATURES: z.ZodDefault<
+      z.ZodEffects<z.ZodString, boolean, string>
+    >;
+  },
+  "strip",
+  z.ZodTypeAny,
+  {
+    NODE_ENV: "development" | "production" | "test";
+    PORT: number;
+    HOST: string;
+    DATABASE_URL: string;
+    JWT_SECRET: string;
+    CORS_ORIGIN: string;
+    RATE_LIMIT_WINDOW_MS: number;
+    RATE_LIMIT_MAX_REQUESTS: number;
+    ENABLE_METRICS: boolean;
+    ENABLE_AI_FEATURES: boolean;
+    OPENAI_API_KEY?: string | undefined;
+    REDIS_URL?: string | undefined;
+    GITHUB_WEBHOOK_SECRET?: string | undefined;
+    SENTRY_DSN?: string | undefined;
+  },
+  {
+    DATABASE_URL: string;
+    JWT_SECRET: string;
+    NODE_ENV?: "development" | "production" | "test" | undefined;
+    PORT?: string | undefined;
+    HOST?: string | undefined;
+    OPENAI_API_KEY?: string | undefined;
+    REDIS_URL?: string | undefined;
+    CORS_ORIGIN?: string | undefined;
+    RATE_LIMIT_WINDOW_MS?: string | undefined;
+    RATE_LIMIT_MAX_REQUESTS?: string | undefined;
+    GITHUB_WEBHOOK_SECRET?: string | undefined;
+    SENTRY_DSN?: string | undefined;
+    ENABLE_METRICS?: string | undefined;
+    ENABLE_AI_FEATURES?: string | undefined;
+  }
+>;
+export type Env = z.infer<typeof envSchema>;
+export declare function validateEnv(): Env;
+export declare function getEnv(): Env;
+export declare function checkRequiredEnv(): void;
+export declare function isDevelopment(): boolean;
+export declare function isProduction(): boolean;
+export declare function isTest(): boolean;
+export {};
+//# sourceMappingURL=env.d.ts.map

package/src/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["env.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoCb,CAAC;AAGH,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAG5C,wBAAgB,WAAW,IAAI,GAAG,CAajC;AAID,wBAAgB,MAAM,IAAI,GAAG,CAK5B;AAGD,wBAAgB,gBAAgB,IAAI,IAAI,CASvC;AAGD,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED,wBAAgB,YAAY,IAAI,OAAO,CAEtC;AAED,wBAAgB,MAAM,IAAI,OAAO,CAEhC"}

package/src/env.ts

@@ -0,0 +1,247 @@
+import { z } from 'zod';
+
+// Build DATABASE_URL from individual PG* variables if DATABASE_URL is invalid
+function getDatabaseUrl(): string {
+  const dbUrl = process.env['DATABASE_URL'];
+  
+  // Check if DATABASE_URL is valid (starts with postgresql:// or postgres://)
+  if (dbUrl && (dbUrl.startsWith('postgresql://') || dbUrl.startsWith('postgres://'))) {
+    return dbUrl;
+  }
+  
+  // Fallback: Build from individual PG* variables (Replit provides these)
+  const pgHost = process.env['PGHOST'];
+  const pgPort = process.env['PGPORT'] || '5432';
+  const pgUser = process.env['PGUSER'] || 'postgres';
+  const pgPassword = process.env['PGPASSWORD'] || 'password';
+  const pgDatabase = process.env['PGDATABASE'];
+  
+  if (pgHost && pgDatabase) {
+    const constructedUrl = `postgresql://${pgUser}:${pgPassword}@${pgHost}:${pgPort}/${pgDatabase}`;
+    // Update process.env so other parts of the app can use it
+    process.env['DATABASE_URL'] = constructedUrl;
+    return constructedUrl;
+  }
+  
+  // Return original (will fail validation but with helpful error)
+  return dbUrl || '';
+}
+
+// Environment variable schema
+const envSchema = z.object({
+  // Node environment
+  NODE_ENV: z.enum(['development', 'production', 'test', 'staging']).default('development'),
+  
+  // Server configuration
+  PORT: z.string().transform(Number).default('3000'),
+  HOST: z.string().default('localhost'),
+  
+  // Database - use custom getter that falls back to PG* variables
+  DATABASE_URL: z.string().url('Invalid database URL format'),
+  
+  // Authentication
+  JWT_SECRET: z.string().min(32, 'JWT secret must be at least 32 characters'),
+  JWT_REFRESH_SECRET: z.string().optional(),
+  JWT_EXPIRES_IN: z.string().default('15m'),
+  JWT_REFRESH_EXPIRES_IN: z.string().default('7d'),
+  
+  // GitHub OAuth (required in production)
+  GITHUB_CLIENT_ID: z.string().optional(),
+  GITHUB_CLIENT_SECRET: z.string().optional(),
+  GITHUB_CALLBACK_URL: z.string().url().optional(),
+  GITHUB_WEBHOOK_SECRET: z.string().optional(),
+  
+  // Stripe (required for billing)
+  STRIPE_SECRET_KEY: z.string().optional(),
+  STRIPE_PUBLISHABLE_KEY: z.string().optional(),
+  STRIPE_WEBHOOK_SECRET: z.string().optional(),
+  STRIPE_PRICE_ID_STARTER: z.string().optional(),
+  STRIPE_PRICE_ID_PRO: z.string().optional(),
+  STRIPE_PRICE_ID_ENTERPRISE: z.string().optional(),
+  
+  // API URLs
+  API_BASE_URL: z.string().url().optional(),
+  NEXT_PUBLIC_API_URL: z.string().url().optional(),
+  NEXT_PUBLIC_APP_URL: z.string().url().optional(),
+  
+  // OpenAI (optional for development)
+  OPENAI_API_KEY: z.string().optional(),
+  
+  // Redis (optional)
+  REDIS_URL: z.string().optional(),
+  
+  // CORS
+  CORS_ORIGIN: z.string().default('http://localhost:3000'),
+  
+  // API Rate Limiting
+  RATE_LIMIT_WINDOW_MS: z.string().transform(Number).default('900000'),
+  RATE_LIMIT_MAX_REQUESTS: z.string().transform(Number).default('100'),
+  
+  // Monitoring
+  SENTRY_DSN: z.string().optional(),
+  SENTRY_ORG: z.string().optional(),
+  SENTRY_PROJECT: z.string().optional(),
+  
+  // Feature flags
+  ENABLE_METRICS: z.string().transform(val => val === 'true').default('false'),
+  ENABLE_AI_FEATURES: z.string().transform(val => val === 'true').default('true'),
+  Guardrail_DEMO_MODE: z.string().transform(val => val === 'true').default('false'),
+  Guardrail_POLICY_STRICT: z.string().transform(val => val === 'true').default('false'),
+});
+
+// Type for validated environment
+export type Env = z.infer<typeof envSchema>;
+
+// Validate and parse environment variables
+export function validateEnv(): Env {
+  try {
+    // Fix DATABASE_URL before validation if needed
+    getDatabaseUrl();
+    
+    const env = envSchema.parse(process.env);
+    
+    // Additional production/staging checks
+    const isProdLike = env.NODE_ENV === 'production' || env.NODE_ENV === 'staging';
+    
+    if (isProdLike) {
+      const productionErrors: string[] = [];
+      const productionWarnings: string[] = [];
+      
+      // =======================================================================
+      // CRITICAL: Required for production
+      // =======================================================================
+      
+      // GitHub OAuth is optional for now
+      // if (!process.env['GITHUB_CLIENT_ID']) {
+      //   productionErrors.push('GITHUB_CLIENT_ID is required in production');
+      // }
+      
+      // if (!process.env['GITHUB_CLIENT_SECRET']) {
+      //   productionErrors.push('GITHUB_CLIENT_SECRET is required in production');
+      // }
+      
+      // API URL must be configured
+      if (!process.env['API_BASE_URL'] && !process.env['NEXT_PUBLIC_API_URL']) {
+        productionErrors.push('API_BASE_URL or NEXT_PUBLIC_API_URL is required in production');
+      }
+      
+      // =======================================================================
+      // SECURITY: No localhost in production
+      // =======================================================================
+      
+      if (env.CORS_ORIGIN.includes('localhost')) {
+        productionErrors.push('CORS_ORIGIN should not include localhost in production');
+      }
+      
+      if (env.DATABASE_URL.includes('localhost')) {
+        productionErrors.push('DATABASE_URL should not use localhost in production');
+      }
+      
+      if (env.HOST === 'localhost') {
+        productionErrors.push('HOST should not be localhost in production (use 0.0.0.0)');
+      }
+      
+      // Check callback URLs don't use localhost
+      if (process.env['GITHUB_CALLBACK_URL']?.includes('localhost')) {
+        productionErrors.push('GITHUB_CALLBACK_URL should not use localhost in production');
+      }
+      
+      // =======================================================================
+      // WARNINGS: Recommended but not blocking
+      // =======================================================================
+      
+      // Stripe is needed for billing
+      if (!process.env['STRIPE_SECRET_KEY']) {
+        productionWarnings.push('STRIPE_SECRET_KEY not set - billing features will be disabled');
+      }
+      
+      if (!process.env['STRIPE_WEBHOOK_SECRET']) {
+        productionWarnings.push('STRIPE_WEBHOOK_SECRET not set - webhook verification disabled');
+      }
+      
+      // Monitoring - disabled silently
+      // if (!process.env['SENTRY_DSN']) {
+      //   productionWarnings.push('SENTRY_DSN not set - error monitoring disabled');
+      // }
+      
+      // Redis for caching/sessions - disabled silently  
+      // if (!process.env['REDIS_URL']) {
+      //   productionWarnings.push('REDIS_URL not set - using in-memory caching');
+      // }
+      
+      // Output warnings
+      if (productionWarnings.length > 0) {
+        console.warn('\n⚠️  Production warnings:');
+        productionWarnings.forEach(warning => console.warn(`  - ${warning}`));
+        console.warn('');
+      }
+      
+      // Exit on errors
+      if (productionErrors.length > 0) {
+        console.error('\n❌ Production environment validation failed:');
+        productionErrors.forEach(error => console.error(`  - ${error}`));
+        console.error('\n🚨 Application will exit due to invalid production configuration.\n');
+        process.exit(1);
+      }
+    }
+    
+    return env;
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      console.error('❌ Invalid environment variables:');
+      error.errors.forEach(err => {
+        console.error(`  - ${err.path.join('.')}: ${err.message}`);
+      });
+      
+      // Always exit on validation errors
+      console.error('\n🚨 Application will exit due to invalid configuration.\n');
+      process.exit(1);
+    }
+    throw error;
+  }
+}
+
+// Get validated environment (cached)
+let cachedEnv: Env | null = null;
+export function getEnv(): Env {
+  if (!cachedEnv) {
+    cachedEnv = validateEnv();
+  }
+  return cachedEnv;
+}
+
+// Check if required environment variables are set
+export function checkRequiredEnv(): void {
+  const isProd = process.env['NODE_ENV'] === 'production';
+  const required = ['DATABASE_URL', 'JWT_SECRET'];
+  
+  // Additional requirements in production
+  if (isProd) {
+    required.push('GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET');
+  }
+  
+  const missing = required.filter(key => !process.env[key]);
+  
+  if (missing.length > 0) {
+    console.error('❌ Missing required environment variables:');
+    missing.forEach(key => console.error(`  - ${key}`));
+    
+    if (isProd) {
+      console.error('\n🚨 Production deployment requires all environment variables to be set.\n');
+      process.exit(1);
+    }
+  }
+}
+
+// Development environment check
+export function isDevelopment(): boolean {
+  return getEnv().NODE_ENV === 'development';
+}
+
+export function isProduction(): boolean {
+  return getEnv().NODE_ENV === 'production';
+}
+
+export function isTest(): boolean {
+  return getEnv().NODE_ENV === 'test';
+}

package/src/fix-packs/__tests__/generate-fix-packs.test.ts

@@ -0,0 +1,317 @@
+/**
+ * Fix Packs Generator Tests
+ * 
+ * Tests for deterministic grouping and fix pack generation.
+ */
+
+import {
+  generateFixPacks,
+  parseFindingsFromScanOutput,
+} from '../generate-fix-packs';
+import {
+  Finding,
+  FindingCategory,
+  SeverityLevel,
+  compareSeverity,
+  sortPacksBySeverity,
+  generatePackId,
+} from '../types';
+
+describe('generateFixPacks', () => {
+  const mockRepoFingerprint = {
+    id: 'repo-abc123',
+    name: 'test-repo',
+    hasTypeScript: true,
+    hasTests: true,
+    packageManager: 'pnpm' as const,
+    hash: 'abc123def456',
+  };
+
+  const createFinding = (
+    id: string,
+    category: FindingCategory,
+    severity: SeverityLevel,
+    file: string
+  ): Finding => ({
+    id,
+    category,
+    severity,
+    title: `Test finding ${id}`,
+    description: `Description for ${id}`,
+    file,
+    line: 10,
+  });
+
+  describe('deterministic grouping', () => {
+    it('should produce identical output for identical input', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'secrets', 'critical', 'src/config.ts'),
+        createFinding('f2', 'secrets', 'high', 'src/auth.ts'),
+        createFinding('f3', 'routes', 'medium', 'src/routes/api.ts'),
+      ];
+
+      const result1 = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+      const result2 = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+
+      expect(result1.packs.length).toBe(result2.packs.length);
+      expect(result1.packs.map(p => p.id)).toEqual(result2.packs.map(p => p.id));
+    });
+
+    it('should produce stable pack IDs across runs', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'mocks', 'medium', 'src/test/mock.ts'),
+        createFinding('f2', 'mocks', 'medium', 'src/test/fixture.ts'),
+      ];
+
+      const result1 = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+      const result2 = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+
+      expect(result1.packs[0]!.id).toBe(result2.packs[0]!.id);
+    });
+
+    it('should maintain order independence for same findings', () => {
+      const findings1: Finding[] = [
+        createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+        createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+      ];
+
+      const findings2: Finding[] = [
+        createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+        createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+      ];
+
+      const result1 = generateFixPacks({ findings: findings1, repoFingerprint: mockRepoFingerprint });
+      const result2 = generateFixPacks({ findings: findings2, repoFingerprint: mockRepoFingerprint });
+
+      expect(result1.packs.length).toBe(result2.packs.length);
+      expect(result1.packs[0]!.findings.length).toBe(result2.packs[0]!.findings.length);
+    });
+  });
+
+  describe('category grouping', () => {
+    it('should group findings by category', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+        createFinding('f2', 'routes', 'medium', 'src/b.ts'),
+        createFinding('f3', 'secrets', 'high', 'src/c.ts'),
+      ];
+
+      const result = generateFixPacks({
+        findings,
+        repoFingerprint: mockRepoFingerprint,
+        groupByCategory: true,
+      });
+
+      const secretsPack = result.packs.find(p => p.category === 'secrets');
+      const routesPack = result.packs.find(p => p.category === 'routes');
+
+      expect(secretsPack).toBeDefined();
+      expect(routesPack).toBeDefined();
+      expect(secretsPack!.findings.length).toBe(2);
+      expect(routesPack!.findings.length).toBe(1);
+    });
+
+    it('should prioritize categories correctly', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'placeholders', 'medium', 'src/a.ts'),
+        createFinding('f2', 'secrets', 'critical', 'src/b.ts'),
+        createFinding('f3', 'auth', 'high', 'src/c.ts'),
+      ];
+
+      const result = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+
+      expect(result.packs[0]!.category).toBe('secrets');
+      expect(result.packs[1]!.category).toBe('auth');
+      expect(result.packs[2]!.category).toBe('placeholders');
+    });
+  });
+
+  describe('severity sorting', () => {
+    it('should sort packs by severity (highest first)', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'routes', 'low', 'src/a.ts'),
+        createFinding('f2', 'mocks', 'critical', 'src/b.ts'),
+        createFinding('f3', 'deps', 'medium', 'src/c.ts'),
+      ];
+
+      const result = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+
+      expect(result.packs[0]!.severity).toBe('critical');
+    });
+
+    it('should assign pack severity based on highest finding severity', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'secrets', 'low', 'src/a.ts'),
+        createFinding('f2', 'secrets', 'critical', 'src/b.ts'),
+        createFinding('f3', 'secrets', 'medium', 'src/c.ts'),
+      ];
+
+      const result = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+      const secretsPack = result.packs.find(p => p.category === 'secrets');
+
+      expect(secretsPack!.severity).toBe('critical');
+    });
+  });
+
+  describe('pack size limits', () => {
+    it('should respect maxPackSize', () => {
+      const findings: Finding[] = Array.from({ length: 25 }, (_, i) =>
+        createFinding(`f${i}`, 'secrets', 'medium', `src/file${i}.ts`)
+      );
+
+      const result = generateFixPacks({
+        findings,
+        repoFingerprint: mockRepoFingerprint,
+        maxPackSize: 10,
+      });
+
+      result.packs.forEach(pack => {
+        expect(pack.findings.length).toBeLessThanOrEqual(10);
+      });
+    });
+
+    it('should respect minPackSize', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'secrets', 'medium', 'src/a.ts'),
+      ];
+
+      const result = generateFixPacks({
+        findings,
+        repoFingerprint: mockRepoFingerprint,
+        minPackSize: 2,
+      });
+
+      expect(result.ungrouped.length).toBe(1);
+      expect(result.packs.length).toBe(0);
+    });
+  });
+
+  describe('empty input', () => {
+    it('should handle empty findings array', () => {
+      const result = generateFixPacks({
+        findings: [],
+        repoFingerprint: mockRepoFingerprint,
+      });
+
+      expect(result.packs).toEqual([]);
+      expect(result.ungrouped).toEqual([]);
+      expect(result.stats.totalFindings).toBe(0);
+      expect(result.stats.totalPacks).toBe(0);
+    });
+  });
+
+  describe('stats calculation', () => {
+    it('should calculate correct stats', () => {
+      const findings: Finding[] = [
+        createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+        createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+        createFinding('f3', 'routes', 'medium', 'src/c.ts'),
+        createFinding('f4', 'mocks', 'low', 'src/d.ts'),
+      ];
+
+      const result = generateFixPacks({ findings, repoFingerprint: mockRepoFingerprint });
+
+      expect(result.stats.totalFindings).toBe(4);
+      expect(result.stats.byCategory.secrets).toBe(2);
+      expect(result.stats.byCategory.routes).toBe(1);
+      expect(result.stats.byCategory.mocks).toBe(1);
+      expect(result.stats.bySeverity.critical).toBe(1);
+      expect(result.stats.bySeverity.high).toBe(1);
+      expect(result.stats.bySeverity.medium).toBe(1);
+      expect(result.stats.bySeverity.low).toBe(1);
+    });
+  });
+});
+
+describe('helper functions', () => {
+  describe('compareSeverity', () => {
+    it('should order critical < high < medium < low < info', () => {
+      expect(compareSeverity('critical', 'high')).toBeLessThan(0);
+      expect(compareSeverity('high', 'medium')).toBeLessThan(0);
+      expect(compareSeverity('medium', 'low')).toBeLessThan(0);
+      expect(compareSeverity('low', 'info')).toBeLessThan(0);
+    });
+
+    it('should return 0 for equal severities', () => {
+      expect(compareSeverity('critical', 'critical')).toBe(0);
+      expect(compareSeverity('medium', 'medium')).toBe(0);
+    });
+  });
+
+  describe('generatePackId', () => {
+    it('should generate stable IDs', () => {
+      const id1 = generatePackId('secrets', 1, 'abc123');
+      const id2 = generatePackId('secrets', 1, 'abc123');
+      expect(id1).toBe(id2);
+    });
+
+    it('should include category prefix', () => {
+      const id = generatePackId('secrets', 0, 'abc123');
+      expect(id).toMatch(/^FP-SEC-/);
+    });
+
+    it('should include index', () => {
+      const id1 = generatePackId('routes', 0, 'abc123');
+      const id2 = generatePackId('routes', 1, 'abc123');
+      expect(id1).toContain('-000-');
+      expect(id2).toContain('-001-');
+    });
+  });
+
+  describe('sortPacksBySeverity', () => {
+    it('should sort packs by severity', () => {
+      const packs = [
+        { severity: 'low' as const },
+        { severity: 'critical' as const },
+        { severity: 'medium' as const },
+      ] as any[];
+
+      const sorted = sortPacksBySeverity(packs);
+      expect(sorted[0]!.severity).toBe('critical');
+      expect(sorted[1]!.severity).toBe('medium');
+      expect(sorted[2]!.severity).toBe('low');
+    });
+  });
+});
+
+describe('parseFindingsFromScanOutput', () => {
+  it('should parse JSON array format', () => {
+    const input = JSON.stringify([
+      { id: 'f1', category: 'secrets', severity: 'high', title: 'Test', file: 'a.ts' },
+    ]);
+
+    const findings = parseFindingsFromScanOutput(input);
+    expect(findings.length).toBe(1);
+    expect(findings[0]!.category).toBe('secrets');
+  });
+
+  it('should parse findings object format', () => {
+    const input = JSON.stringify({
+      findings: [
+        { id: 'f1', category: 'mocks', severity: 'medium', message: 'Mock detected', filePath: 'b.ts' },
+      ],
+    });
+
+    const findings = parseFindingsFromScanOutput(input);
+    expect(findings.length).toBe(1);
+    expect(findings[0]!.category).toBe('mocks');
+  });
+
+  it('should normalize category names', () => {
+    const input = JSON.stringify([
+      { id: 'f1', type: 'credential', severity: 'high', title: 'API key', file: 'c.ts' },
+    ]);
+
+    const findings = parseFindingsFromScanOutput(input);
+    expect(findings[0]!.category).toBe('secrets');
+  });
+
+  it('should normalize severity levels', () => {
+    const input = JSON.stringify([
+      { id: 'f1', category: 'security', level: 'error', title: 'XSS', file: 'd.ts' },
+    ]);
+
+    const findings = parseFindingsFromScanOutput(input);
+    expect(findings[0]!.severity).toBe('high');
+  });
+});