guardrail-core 1.0.0

package/dist/env.d.ts

@@ -0,0 +1,113 @@
+import { z } from 'zod';
+declare const envSchema: z.ZodObject<{
+    NODE_ENV: z.ZodDefault<z.ZodEnum<["development", "production", "test", "staging"]>>;
+    PORT: z.ZodDefault<z.ZodEffects<z.ZodString, number, string>>;
+    HOST: z.ZodDefault<z.ZodString>;
+    DATABASE_URL: z.ZodString;
+    JWT_SECRET: z.ZodString;
+    JWT_REFRESH_SECRET: z.ZodOptional<z.ZodString>;
+    JWT_EXPIRES_IN: z.ZodDefault<z.ZodString>;
+    JWT_REFRESH_EXPIRES_IN: z.ZodDefault<z.ZodString>;
+    GITHUB_CLIENT_ID: z.ZodOptional<z.ZodString>;
+    GITHUB_CLIENT_SECRET: z.ZodOptional<z.ZodString>;
+    GITHUB_CALLBACK_URL: z.ZodOptional<z.ZodString>;
+    GITHUB_WEBHOOK_SECRET: z.ZodOptional<z.ZodString>;
+    STRIPE_SECRET_KEY: z.ZodOptional<z.ZodString>;
+    STRIPE_PUBLISHABLE_KEY: z.ZodOptional<z.ZodString>;
+    STRIPE_WEBHOOK_SECRET: z.ZodOptional<z.ZodString>;
+    STRIPE_PRICE_ID_STARTER: z.ZodOptional<z.ZodString>;
+    STRIPE_PRICE_ID_PRO: z.ZodOptional<z.ZodString>;
+    STRIPE_PRICE_ID_ENTERPRISE: z.ZodOptional<z.ZodString>;
+    API_BASE_URL: z.ZodOptional<z.ZodString>;
+    NEXT_PUBLIC_API_URL: z.ZodOptional<z.ZodString>;
+    NEXT_PUBLIC_APP_URL: z.ZodOptional<z.ZodString>;
+    OPENAI_API_KEY: z.ZodOptional<z.ZodString>;
+    REDIS_URL: z.ZodOptional<z.ZodString>;
+    CORS_ORIGIN: z.ZodDefault<z.ZodString>;
+    RATE_LIMIT_WINDOW_MS: z.ZodDefault<z.ZodEffects<z.ZodString, number, string>>;
+    RATE_LIMIT_MAX_REQUESTS: z.ZodDefault<z.ZodEffects<z.ZodString, number, string>>;
+    SENTRY_DSN: z.ZodOptional<z.ZodString>;
+    SENTRY_ORG: z.ZodOptional<z.ZodString>;
+    SENTRY_PROJECT: z.ZodOptional<z.ZodString>;
+    ENABLE_METRICS: z.ZodDefault<z.ZodEffects<z.ZodString, boolean, string>>;
+    ENABLE_AI_FEATURES: z.ZodDefault<z.ZodEffects<z.ZodString, boolean, string>>;
+    Guardrail_DEMO_MODE: z.ZodDefault<z.ZodEffects<z.ZodString, boolean, string>>;
+    Guardrail_POLICY_STRICT: z.ZodDefault<z.ZodEffects<z.ZodString, boolean, string>>;
+}, "strip", z.ZodTypeAny, {
+    NODE_ENV: "development" | "production" | "test" | "staging";
+    PORT: number;
+    HOST: string;
+    DATABASE_URL: string;
+    JWT_SECRET: string;
+    JWT_EXPIRES_IN: string;
+    JWT_REFRESH_EXPIRES_IN: string;
+    CORS_ORIGIN: string;
+    RATE_LIMIT_WINDOW_MS: number;
+    RATE_LIMIT_MAX_REQUESTS: number;
+    ENABLE_METRICS: boolean;
+    ENABLE_AI_FEATURES: boolean;
+    Guardrail_DEMO_MODE: boolean;
+    Guardrail_POLICY_STRICT: boolean;
+    JWT_REFRESH_SECRET?: string | undefined;
+    GITHUB_CLIENT_ID?: string | undefined;
+    GITHUB_CLIENT_SECRET?: string | undefined;
+    GITHUB_CALLBACK_URL?: string | undefined;
+    GITHUB_WEBHOOK_SECRET?: string | undefined;
+    STRIPE_SECRET_KEY?: string | undefined;
+    STRIPE_PUBLISHABLE_KEY?: string | undefined;
+    STRIPE_WEBHOOK_SECRET?: string | undefined;
+    STRIPE_PRICE_ID_STARTER?: string | undefined;
+    STRIPE_PRICE_ID_PRO?: string | undefined;
+    STRIPE_PRICE_ID_ENTERPRISE?: string | undefined;
+    API_BASE_URL?: string | undefined;
+    NEXT_PUBLIC_API_URL?: string | undefined;
+    NEXT_PUBLIC_APP_URL?: string | undefined;
+    OPENAI_API_KEY?: string | undefined;
+    REDIS_URL?: string | undefined;
+    SENTRY_DSN?: string | undefined;
+    SENTRY_ORG?: string | undefined;
+    SENTRY_PROJECT?: string | undefined;
+}, {
+    DATABASE_URL: string;
+    JWT_SECRET: string;
+    NODE_ENV?: "development" | "production" | "test" | "staging" | undefined;
+    PORT?: string | undefined;
+    HOST?: string | undefined;
+    JWT_REFRESH_SECRET?: string | undefined;
+    JWT_EXPIRES_IN?: string | undefined;
+    JWT_REFRESH_EXPIRES_IN?: string | undefined;
+    GITHUB_CLIENT_ID?: string | undefined;
+    GITHUB_CLIENT_SECRET?: string | undefined;
+    GITHUB_CALLBACK_URL?: string | undefined;
+    GITHUB_WEBHOOK_SECRET?: string | undefined;
+    STRIPE_SECRET_KEY?: string | undefined;
+    STRIPE_PUBLISHABLE_KEY?: string | undefined;
+    STRIPE_WEBHOOK_SECRET?: string | undefined;
+    STRIPE_PRICE_ID_STARTER?: string | undefined;
+    STRIPE_PRICE_ID_PRO?: string | undefined;
+    STRIPE_PRICE_ID_ENTERPRISE?: string | undefined;
+    API_BASE_URL?: string | undefined;
+    NEXT_PUBLIC_API_URL?: string | undefined;
+    NEXT_PUBLIC_APP_URL?: string | undefined;
+    OPENAI_API_KEY?: string | undefined;
+    REDIS_URL?: string | undefined;
+    CORS_ORIGIN?: string | undefined;
+    RATE_LIMIT_WINDOW_MS?: string | undefined;
+    RATE_LIMIT_MAX_REQUESTS?: string | undefined;
+    SENTRY_DSN?: string | undefined;
+    SENTRY_ORG?: string | undefined;
+    SENTRY_PROJECT?: string | undefined;
+    ENABLE_METRICS?: string | undefined;
+    ENABLE_AI_FEATURES?: string | undefined;
+    Guardrail_DEMO_MODE?: string | undefined;
+    Guardrail_POLICY_STRICT?: string | undefined;
+}>;
+export type Env = z.infer<typeof envSchema>;
+export declare function validateEnv(): Env;
+export declare function getEnv(): Env;
+export declare function checkRequiredEnv(): void;
+export declare function isDevelopment(): boolean;
+export declare function isProduction(): boolean;
+export declare function isTest(): boolean;
+export {};
+//# sourceMappingURL=env.d.ts.map

package/dist/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../src/env.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA8BxB,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2Db,CAAC;AAGH,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAG5C,wBAAgB,WAAW,IAAI,GAAG,CA0GjC;AAID,wBAAgB,MAAM,IAAI,GAAG,CAK5B;AAGD,wBAAgB,gBAAgB,IAAI,IAAI,CAoBvC;AAGD,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED,wBAAgB,YAAY,IAAI,OAAO,CAEtC;AAED,wBAAgB,MAAM,IAAI,OAAO,CAEhC"}

package/dist/env.js

@@ -0,0 +1,204 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateEnv = validateEnv;
+exports.getEnv = getEnv;
+exports.checkRequiredEnv = checkRequiredEnv;
+exports.isDevelopment = isDevelopment;
+exports.isProduction = isProduction;
+exports.isTest = isTest;
+const zod_1 = require("zod");
+// Build DATABASE_URL from individual PG* variables if DATABASE_URL is invalid
+function getDatabaseUrl() {
+    const dbUrl = process.env['DATABASE_URL'];
+    // Check if DATABASE_URL is valid (starts with postgresql:// or postgres://)
+    if (dbUrl && (dbUrl.startsWith('postgresql://') || dbUrl.startsWith('postgres://'))) {
+        return dbUrl;
+    }
+    // Fallback: Build from individual PG* variables (Replit provides these)
+    const pgHost = process.env['PGHOST'];
+    const pgPort = process.env['PGPORT'] || '5432';
+    const pgUser = process.env['PGUSER'] || 'postgres';
+    const pgPassword = process.env['PGPASSWORD'] || 'password';
+    const pgDatabase = process.env['PGDATABASE'];
+    if (pgHost && pgDatabase) {
+        const constructedUrl = `postgresql://${pgUser}:${pgPassword}@${pgHost}:${pgPort}/${pgDatabase}`;
+        // Update process.env so other parts of the app can use it
+        process.env['DATABASE_URL'] = constructedUrl;
+        return constructedUrl;
+    }
+    // Return original (will fail validation but with helpful error)
+    return dbUrl || '';
+}
+// Environment variable schema
+const envSchema = zod_1.z.object({
+    // Node environment
+    NODE_ENV: zod_1.z.enum(['development', 'production', 'test', 'staging']).default('development'),
+    // Server configuration
+    PORT: zod_1.z.string().transform(Number).default('3000'),
+    HOST: zod_1.z.string().default('localhost'),
+    // Database - use custom getter that falls back to PG* variables
+    DATABASE_URL: zod_1.z.string().url('Invalid database URL format'),
+    // Authentication
+    JWT_SECRET: zod_1.z.string().min(32, 'JWT secret must be at least 32 characters'),
+    JWT_REFRESH_SECRET: zod_1.z.string().optional(),
+    JWT_EXPIRES_IN: zod_1.z.string().default('15m'),
+    JWT_REFRESH_EXPIRES_IN: zod_1.z.string().default('7d'),
+    // GitHub OAuth (required in production)
+    GITHUB_CLIENT_ID: zod_1.z.string().optional(),
+    GITHUB_CLIENT_SECRET: zod_1.z.string().optional(),
+    GITHUB_CALLBACK_URL: zod_1.z.string().url().optional(),
+    GITHUB_WEBHOOK_SECRET: zod_1.z.string().optional(),
+    // Stripe (required for billing)
+    STRIPE_SECRET_KEY: zod_1.z.string().optional(),
+    STRIPE_PUBLISHABLE_KEY: zod_1.z.string().optional(),
+    STRIPE_WEBHOOK_SECRET: zod_1.z.string().optional(),
+    STRIPE_PRICE_ID_STARTER: zod_1.z.string().optional(),
+    STRIPE_PRICE_ID_PRO: zod_1.z.string().optional(),
+    STRIPE_PRICE_ID_ENTERPRISE: zod_1.z.string().optional(),
+    // API URLs
+    API_BASE_URL: zod_1.z.string().url().optional(),
+    NEXT_PUBLIC_API_URL: zod_1.z.string().url().optional(),
+    NEXT_PUBLIC_APP_URL: zod_1.z.string().url().optional(),
+    // OpenAI (optional for development)
+    OPENAI_API_KEY: zod_1.z.string().optional(),
+    // Redis (optional)
+    REDIS_URL: zod_1.z.string().optional(),
+    // CORS
+    CORS_ORIGIN: zod_1.z.string().default('http://localhost:3000'),
+    // API Rate Limiting
+    RATE_LIMIT_WINDOW_MS: zod_1.z.string().transform(Number).default('900000'),
+    RATE_LIMIT_MAX_REQUESTS: zod_1.z.string().transform(Number).default('100'),
+    // Monitoring
+    SENTRY_DSN: zod_1.z.string().optional(),
+    SENTRY_ORG: zod_1.z.string().optional(),
+    SENTRY_PROJECT: zod_1.z.string().optional(),
+    // Feature flags
+    ENABLE_METRICS: zod_1.z.string().transform(val => val === 'true').default('false'),
+    ENABLE_AI_FEATURES: zod_1.z.string().transform(val => val === 'true').default('true'),
+    Guardrail_DEMO_MODE: zod_1.z.string().transform(val => val === 'true').default('false'),
+    Guardrail_POLICY_STRICT: zod_1.z.string().transform(val => val === 'true').default('false'),
+});
+// Validate and parse environment variables
+function validateEnv() {
+    try {
+        // Fix DATABASE_URL before validation if needed
+        getDatabaseUrl();
+        const env = envSchema.parse(process.env);
+        // Additional production/staging checks
+        const isProdLike = env.NODE_ENV === 'production' || env.NODE_ENV === 'staging';
+        if (isProdLike) {
+            const productionErrors = [];
+            const productionWarnings = [];
+            // =======================================================================
+            // CRITICAL: Required for production
+            // =======================================================================
+            // GitHub OAuth is optional for now
+            // if (!process.env['GITHUB_CLIENT_ID']) {
+            //   productionErrors.push('GITHUB_CLIENT_ID is required in production');
+            // }
+            // if (!process.env['GITHUB_CLIENT_SECRET']) {
+            //   productionErrors.push('GITHUB_CLIENT_SECRET is required in production');
+            // }
+            // API URL must be configured
+            if (!process.env['API_BASE_URL'] && !process.env['NEXT_PUBLIC_API_URL']) {
+                productionErrors.push('API_BASE_URL or NEXT_PUBLIC_API_URL is required in production');
+            }
+            // =======================================================================
+            // SECURITY: No localhost in production
+            // =======================================================================
+            if (env.CORS_ORIGIN.includes('localhost')) {
+                productionErrors.push('CORS_ORIGIN should not include localhost in production');
+            }
+            if (env.DATABASE_URL.includes('localhost')) {
+                productionErrors.push('DATABASE_URL should not use localhost in production');
+            }
+            if (env.HOST === 'localhost') {
+                productionErrors.push('HOST should not be localhost in production (use 0.0.0.0)');
+            }
+            // Check callback URLs don't use localhost
+            if (process.env['GITHUB_CALLBACK_URL']?.includes('localhost')) {
+                productionErrors.push('GITHUB_CALLBACK_URL should not use localhost in production');
+            }
+            // =======================================================================
+            // WARNINGS: Recommended but not blocking
+            // =======================================================================
+            // Stripe is needed for billing
+            if (!process.env['STRIPE_SECRET_KEY']) {
+                productionWarnings.push('STRIPE_SECRET_KEY not set - billing features will be disabled');
+            }
+            if (!process.env['STRIPE_WEBHOOK_SECRET']) {
+                productionWarnings.push('STRIPE_WEBHOOK_SECRET not set - webhook verification disabled');
+            }
+            // Monitoring - disabled silently
+            // if (!process.env['SENTRY_DSN']) {
+            //   productionWarnings.push('SENTRY_DSN not set - error monitoring disabled');
+            // }
+            // Redis for caching/sessions - disabled silently  
+            // if (!process.env['REDIS_URL']) {
+            //   productionWarnings.push('REDIS_URL not set - using in-memory caching');
+            // }
+            // Output warnings
+            if (productionWarnings.length > 0) {
+                console.warn('\n⚠️  Production warnings:');
+                productionWarnings.forEach(warning => console.warn(`  - ${warning}`));
+                console.warn('');
+            }
+            // Exit on errors
+            if (productionErrors.length > 0) {
+                console.error('\n❌ Production environment validation failed:');
+                productionErrors.forEach(error => console.error(`  - ${error}`));
+                console.error('\n🚨 Application will exit due to invalid production configuration.\n');
+                process.exit(1);
+            }
+        }
+        return env;
+    }
+    catch (error) {
+        if (error instanceof zod_1.z.ZodError) {
+            console.error('❌ Invalid environment variables:');
+            error.errors.forEach(err => {
+                console.error(`  - ${err.path.join('.')}: ${err.message}`);
+            });
+            // Always exit on validation errors
+            console.error('\n🚨 Application will exit due to invalid configuration.\n');
+            process.exit(1);
+        }
+        throw error;
+    }
+}
+// Get validated environment (cached)
+let cachedEnv = null;
+function getEnv() {
+    if (!cachedEnv) {
+        cachedEnv = validateEnv();
+    }
+    return cachedEnv;
+}
+// Check if required environment variables are set
+function checkRequiredEnv() {
+    const isProd = process.env['NODE_ENV'] === 'production';
+    const required = ['DATABASE_URL', 'JWT_SECRET'];
+    // Additional requirements in production
+    if (isProd) {
+        required.push('GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET');
+    }
+    const missing = required.filter(key => !process.env[key]);
+    if (missing.length > 0) {
+        console.error('❌ Missing required environment variables:');
+        missing.forEach(key => console.error(`  - ${key}`));
+        if (isProd) {
+            console.error('\n🚨 Production deployment requires all environment variables to be set.\n');
+            process.exit(1);
+        }
+    }
+}
+// Development environment check
+function isDevelopment() {
+    return getEnv().NODE_ENV === 'development';
+}
+function isProduction() {
+    return getEnv().NODE_ENV === 'production';
+}
+function isTest() {
+    return getEnv().NODE_ENV === 'test';
+}

package/dist/fix-packs/__tests__/generate-fix-packs.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Fix Packs Generator Tests
+ *
+ * Tests for deterministic grouping and fix pack generation.
+ */
+export {};
+//# sourceMappingURL=generate-fix-packs.test.d.ts.map

package/dist/fix-packs/__tests__/generate-fix-packs.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-fix-packs.test.d.ts","sourceRoot":"","sources":["../../../src/fix-packs/__tests__/generate-fix-packs.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/fix-packs/__tests__/generate-fix-packs.test.js

@@ -0,0 +1,250 @@
+"use strict";
+/**
+ * Fix Packs Generator Tests
+ *
+ * Tests for deterministic grouping and fix pack generation.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const generate_fix_packs_1 = require("../generate-fix-packs");
+const types_1 = require("../types");
+describe('generateFixPacks', () => {
+    const mockRepoFingerprint = {
+        id: 'repo-abc123',
+        name: 'test-repo',
+        hasTypeScript: true,
+        hasTests: true,
+        packageManager: 'pnpm',
+        hash: 'abc123def456',
+    };
+    const createFinding = (id, category, severity, file) => ({
+        id,
+        category,
+        severity,
+        title: `Test finding ${id}`,
+        description: `Description for ${id}`,
+        file,
+        line: 10,
+    });
+    describe('deterministic grouping', () => {
+        it('should produce identical output for identical input', () => {
+            const findings = [
+                createFinding('f1', 'secrets', 'critical', 'src/config.ts'),
+                createFinding('f2', 'secrets', 'high', 'src/auth.ts'),
+                createFinding('f3', 'routes', 'medium', 'src/routes/api.ts'),
+            ];
+            const result1 = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            const result2 = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            expect(result1.packs.length).toBe(result2.packs.length);
+            expect(result1.packs.map(p => p.id)).toEqual(result2.packs.map(p => p.id));
+        });
+        it('should produce stable pack IDs across runs', () => {
+            const findings = [
+                createFinding('f1', 'mocks', 'medium', 'src/test/mock.ts'),
+                createFinding('f2', 'mocks', 'medium', 'src/test/fixture.ts'),
+            ];
+            const result1 = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            const result2 = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            expect(result1.packs[0].id).toBe(result2.packs[0].id);
+        });
+        it('should maintain order independence for same findings', () => {
+            const findings1 = [
+                createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+                createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+            ];
+            const findings2 = [
+                createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+                createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+            ];
+            const result1 = (0, generate_fix_packs_1.generateFixPacks)({ findings: findings1, repoFingerprint: mockRepoFingerprint });
+            const result2 = (0, generate_fix_packs_1.generateFixPacks)({ findings: findings2, repoFingerprint: mockRepoFingerprint });
+            expect(result1.packs.length).toBe(result2.packs.length);
+            expect(result1.packs[0].findings.length).toBe(result2.packs[0].findings.length);
+        });
+    });
+    describe('category grouping', () => {
+        it('should group findings by category', () => {
+            const findings = [
+                createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+                createFinding('f2', 'routes', 'medium', 'src/b.ts'),
+                createFinding('f3', 'secrets', 'high', 'src/c.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({
+                findings,
+                repoFingerprint: mockRepoFingerprint,
+                groupByCategory: true,
+            });
+            const secretsPack = result.packs.find(p => p.category === 'secrets');
+            const routesPack = result.packs.find(p => p.category === 'routes');
+            expect(secretsPack).toBeDefined();
+            expect(routesPack).toBeDefined();
+            expect(secretsPack.findings.length).toBe(2);
+            expect(routesPack.findings.length).toBe(1);
+        });
+        it('should prioritize categories correctly', () => {
+            const findings = [
+                createFinding('f1', 'placeholders', 'medium', 'src/a.ts'),
+                createFinding('f2', 'secrets', 'critical', 'src/b.ts'),
+                createFinding('f3', 'auth', 'high', 'src/c.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            expect(result.packs[0].category).toBe('secrets');
+            expect(result.packs[1].category).toBe('auth');
+            expect(result.packs[2].category).toBe('placeholders');
+        });
+    });
+    describe('severity sorting', () => {
+        it('should sort packs by severity (highest first)', () => {
+            const findings = [
+                createFinding('f1', 'routes', 'low', 'src/a.ts'),
+                createFinding('f2', 'mocks', 'critical', 'src/b.ts'),
+                createFinding('f3', 'deps', 'medium', 'src/c.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            expect(result.packs[0].severity).toBe('critical');
+        });
+        it('should assign pack severity based on highest finding severity', () => {
+            const findings = [
+                createFinding('f1', 'secrets', 'low', 'src/a.ts'),
+                createFinding('f2', 'secrets', 'critical', 'src/b.ts'),
+                createFinding('f3', 'secrets', 'medium', 'src/c.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            const secretsPack = result.packs.find(p => p.category === 'secrets');
+            expect(secretsPack.severity).toBe('critical');
+        });
+    });
+    describe('pack size limits', () => {
+        it('should respect maxPackSize', () => {
+            const findings = Array.from({ length: 25 }, (_, i) => createFinding(`f${i}`, 'secrets', 'medium', `src/file${i}.ts`));
+            const result = (0, generate_fix_packs_1.generateFixPacks)({
+                findings,
+                repoFingerprint: mockRepoFingerprint,
+                maxPackSize: 10,
+            });
+            result.packs.forEach(pack => {
+                expect(pack.findings.length).toBeLessThanOrEqual(10);
+            });
+        });
+        it('should respect minPackSize', () => {
+            const findings = [
+                createFinding('f1', 'secrets', 'medium', 'src/a.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({
+                findings,
+                repoFingerprint: mockRepoFingerprint,
+                minPackSize: 2,
+            });
+            expect(result.ungrouped.length).toBe(1);
+            expect(result.packs.length).toBe(0);
+        });
+    });
+    describe('empty input', () => {
+        it('should handle empty findings array', () => {
+            const result = (0, generate_fix_packs_1.generateFixPacks)({
+                findings: [],
+                repoFingerprint: mockRepoFingerprint,
+            });
+            expect(result.packs).toEqual([]);
+            expect(result.ungrouped).toEqual([]);
+            expect(result.stats.totalFindings).toBe(0);
+            expect(result.stats.totalPacks).toBe(0);
+        });
+    });
+    describe('stats calculation', () => {
+        it('should calculate correct stats', () => {
+            const findings = [
+                createFinding('f1', 'secrets', 'critical', 'src/a.ts'),
+                createFinding('f2', 'secrets', 'high', 'src/b.ts'),
+                createFinding('f3', 'routes', 'medium', 'src/c.ts'),
+                createFinding('f4', 'mocks', 'low', 'src/d.ts'),
+            ];
+            const result = (0, generate_fix_packs_1.generateFixPacks)({ findings, repoFingerprint: mockRepoFingerprint });
+            expect(result.stats.totalFindings).toBe(4);
+            expect(result.stats.byCategory.secrets).toBe(2);
+            expect(result.stats.byCategory.routes).toBe(1);
+            expect(result.stats.byCategory.mocks).toBe(1);
+            expect(result.stats.bySeverity.critical).toBe(1);
+            expect(result.stats.bySeverity.high).toBe(1);
+            expect(result.stats.bySeverity.medium).toBe(1);
+            expect(result.stats.bySeverity.low).toBe(1);
+        });
+    });
+});
+describe('helper functions', () => {
+    describe('compareSeverity', () => {
+        it('should order critical < high < medium < low < info', () => {
+            expect((0, types_1.compareSeverity)('critical', 'high')).toBeLessThan(0);
+            expect((0, types_1.compareSeverity)('high', 'medium')).toBeLessThan(0);
+            expect((0, types_1.compareSeverity)('medium', 'low')).toBeLessThan(0);
+            expect((0, types_1.compareSeverity)('low', 'info')).toBeLessThan(0);
+        });
+        it('should return 0 for equal severities', () => {
+            expect((0, types_1.compareSeverity)('critical', 'critical')).toBe(0);
+            expect((0, types_1.compareSeverity)('medium', 'medium')).toBe(0);
+        });
+    });
+    describe('generatePackId', () => {
+        it('should generate stable IDs', () => {
+            const id1 = (0, types_1.generatePackId)('secrets', 1, 'abc123');
+            const id2 = (0, types_1.generatePackId)('secrets', 1, 'abc123');
+            expect(id1).toBe(id2);
+        });
+        it('should include category prefix', () => {
+            const id = (0, types_1.generatePackId)('secrets', 0, 'abc123');
+            expect(id).toMatch(/^FP-SEC-/);
+        });
+        it('should include index', () => {
+            const id1 = (0, types_1.generatePackId)('routes', 0, 'abc123');
+            const id2 = (0, types_1.generatePackId)('routes', 1, 'abc123');
+            expect(id1).toContain('-000-');
+            expect(id2).toContain('-001-');
+        });
+    });
+    describe('sortPacksBySeverity', () => {
+        it('should sort packs by severity', () => {
+            const packs = [
+                { severity: 'low' },
+                { severity: 'critical' },
+                { severity: 'medium' },
+            ];
+            const sorted = (0, types_1.sortPacksBySeverity)(packs);
+            expect(sorted[0].severity).toBe('critical');
+            expect(sorted[1].severity).toBe('medium');
+            expect(sorted[2].severity).toBe('low');
+        });
+    });
+});
+describe('parseFindingsFromScanOutput', () => {
+    it('should parse JSON array format', () => {
+        const input = JSON.stringify([
+            { id: 'f1', category: 'secrets', severity: 'high', title: 'Test', file: 'a.ts' },
+        ]);
+        const findings = (0, generate_fix_packs_1.parseFindingsFromScanOutput)(input);
+        expect(findings.length).toBe(1);
+        expect(findings[0].category).toBe('secrets');
+    });
+    it('should parse findings object format', () => {
+        const input = JSON.stringify({
+            findings: [
+                { id: 'f1', category: 'mocks', severity: 'medium', message: 'Mock detected', filePath: 'b.ts' },
+            ],
+        });
+        const findings = (0, generate_fix_packs_1.parseFindingsFromScanOutput)(input);
+        expect(findings.length).toBe(1);
+        expect(findings[0].category).toBe('mocks');
+    });
+    it('should normalize category names', () => {
+        const input = JSON.stringify([
+            { id: 'f1', type: 'credential', severity: 'high', title: 'API key', file: 'c.ts' },
+        ]);
+        const findings = (0, generate_fix_packs_1.parseFindingsFromScanOutput)(input);
+        expect(findings[0].category).toBe('secrets');
+    });
+    it('should normalize severity levels', () => {
+        const input = JSON.stringify([
+            { id: 'f1', category: 'security', level: 'error', title: 'XSS', file: 'd.ts' },
+        ]);
+        const findings = (0, generate_fix_packs_1.parseFindingsFromScanOutput)(input);
+        expect(findings[0].severity).toBe('high');
+    });
+});

package/dist/fix-packs/generate-fix-packs.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Fix Packs Generator
+ *
+ * Generates deterministic Fix Packs from findings and repo fingerprint.
+ * Groups findings by category, file proximity, and risk level.
+ */
+import { Finding, RepoFingerprint, GenerateFixPacksOptions, GenerateFixPacksResult } from './types';
+export declare function generateFixPacks(options: GenerateFixPacksOptions): GenerateFixPacksResult;
+export declare function generateRepoFingerprint(projectPath: string, options?: {
+    name?: string;
+    framework?: string;
+    language?: string;
+}): RepoFingerprint;
+export declare function parseFindingsFromScanOutput(scanOutput: string): Finding[];
+//# sourceMappingURL=generate-fix-packs.d.ts.map

package/dist/fix-packs/generate-fix-packs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-fix-packs.d.ts","sourceRoot":"","sources":["../../src/fix-packs/generate-fix-packs.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,OAAO,EAIP,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EAOvB,MAAM,SAAS,CAAC;AAqDjB,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,sBAAsB,CAmEzF;AA0OD,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,eAAe,CAoDjB;AAMD,wBAAgB,2BAA2B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,EAAE,CAmBzE"}