har-o-scope 0.1.0

package/dist/cli/formatters.js

@@ -0,0 +1,249 @@
+import { bold, dim, red, green, yellow, cyan, severityColor, severityIcon, healthScoreColor, scoreBar, } from './colors.js';
+// ── Shared helpers ──────────────────────────────────────────────
+function ms(n) {
+    if (n >= 10_000)
+        return `${(n / 1000).toFixed(1)}s`;
+    return `${Math.round(n)}ms`;
+}
+function rootCauseLabel(rootCause) {
+    const entries = Object.entries(rootCause);
+    entries.sort((a, b) => b[1] - a[1]);
+    const top = entries[0];
+    if (top[1] === 0)
+        return 'none (no findings)';
+    const pct = Math.round(top[1] * 100);
+    return `${top[0]} (confidence: ${pct}%)`;
+}
+function findingsByServerity(findings) {
+    const critical = findings.filter(f => f.severity === 'critical');
+    const warning = findings.filter(f => f.severity === 'warning');
+    const info = findings.filter(f => f.severity === 'info');
+    return { critical, warning, info };
+}
+// ── Text formatter ──────────────────────────────────────────────
+export function formatText(result, score, verbose) {
+    const lines = [];
+    // Health score
+    const scoreStr = `${score.score}/100`;
+    const bar = scoreBar(score.score);
+    const colorFn = healthScoreColor(score.score);
+    lines.push('');
+    lines.push(`  ${bold('Health Score:')} ${colorFn(scoreStr)}  ${colorFn(bar)}`);
+    // Root cause + stats
+    lines.push(`  ${bold('Root Cause:')}   ${rootCauseLabel(result.rootCause)}`);
+    lines.push(`  ${dim(`Requests: ${result.metadata.totalRequests} | Time: ${ms(result.metadata.totalTimeMs)} | Analysis: ${ms(result.metadata.analysisTimeMs)}`)}`);
+    lines.push('');
+    // Findings
+    const { findings } = result;
+    if (findings.length === 0) {
+        lines.push(`  ${green('No issues found.')}`);
+    }
+    else {
+        const { critical, warning, info } = findingsByServerity(findings);
+        const counts = [];
+        if (critical.length)
+            counts.push(red(`${critical.length} critical`));
+        if (warning.length)
+            counts.push(yellow(`${warning.length} warning`));
+        if (info.length)
+            counts.push(dim(`${info.length} info`));
+        lines.push(`  ${bold('Findings')} (${counts.join(', ')})`);
+        lines.push('');
+        const sorted = [...critical, ...warning, ...info];
+        for (const finding of sorted) {
+            const icon = severityIcon(finding.severity);
+            const color = severityColor(finding.severity);
+            lines.push(`  ${color(icon)} ${color(`[${finding.severity}]`)} ${finding.title}`);
+            lines.push(`    ${dim(finding.description)}`);
+            lines.push(`    ${cyan('\u2192')} ${finding.recommendation}`);
+            lines.push(`    ${dim(`Affected: ${finding.affectedEntries.length} entries`)}`);
+            lines.push('');
+        }
+    }
+    // Warnings
+    if (result.warnings.length > 0) {
+        lines.push(`  ${bold('Warnings')}`);
+        lines.push('');
+        for (const w of result.warnings) {
+            lines.push(`  ${yellow('\u26A0')} ${dim(`[${w.code}]`)} ${w.message}`);
+            lines.push(`    ${dim(`Help: ${w.help}`)}`);
+        }
+        lines.push('');
+    }
+    // Verbose: per-entry timing
+    if (verbose) {
+        lines.push(`  ${bold('Per-Entry Timing')}`);
+        lines.push('');
+        lines.push(`  ${'URL'.padEnd(60)} ${'Wait'.padStart(8)} ${'Total'.padStart(8)} ${'Status'.padStart(6)}`);
+        lines.push(`  ${'\u2500'.repeat(60)} ${'\u2500'.repeat(8)} ${'\u2500'.repeat(8)} ${'\u2500'.repeat(6)}`);
+        const sorted = [...result.entries]
+            .filter(e => !e.isWebSocket)
+            .sort((a, b) => b.timings.wait - a.timings.wait);
+        for (const entry of sorted) {
+            const url = entry.entry.request?.url ?? 'unknown';
+            const truncUrl = url.length > 58 ? url.slice(0, 55) + '...' : url;
+            const status = entry.entry.response?.status ?? 0;
+            const statusStr = status >= 400 ? red(String(status)) : String(status);
+            lines.push(`  ${truncUrl.padEnd(60)} ${ms(entry.timings.wait).padStart(8)} ${ms(entry.totalDuration).padStart(8)} ${statusStr.padStart(6)}`);
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}
+// ── JSON formatter ──────────────────────────────────────────────
+export function formatJson(result, score) {
+    const output = {
+        healthScore: score.score,
+        scoreBreakdown: score.breakdown,
+        rootCause: result.rootCause,
+        findings: result.findings.map(f => ({
+            ruleId: f.ruleId,
+            severity: f.severity,
+            category: f.category,
+            title: f.title,
+            description: f.description,
+            recommendation: f.recommendation,
+            affectedEntries: f.affectedEntries.length,
+            impact: f.impact,
+        })),
+        metadata: result.metadata,
+        warnings: result.warnings,
+    };
+    return JSON.stringify(output, null, 2);
+}
+// ── Markdown formatter ──────────────────────────────────────────
+export function formatMarkdown(result, score) {
+    const lines = [];
+    lines.push(`# HAR Analysis Report`);
+    lines.push('');
+    lines.push(`**Health Score:** ${score.score}/100`);
+    lines.push(`**Root Cause:** ${rootCauseLabel(result.rootCause)}`);
+    lines.push(`**Requests:** ${result.metadata.totalRequests} | **Total Time:** ${ms(result.metadata.totalTimeMs)}`);
+    lines.push('');
+    if (result.findings.length === 0) {
+        lines.push('No issues found.');
+    }
+    else {
+        lines.push('## Findings');
+        lines.push('');
+        lines.push('| Severity | Rule | Title | Affected |');
+        lines.push('|----------|------|-------|----------|');
+        for (const f of result.findings) {
+            const sev = f.severity === 'critical' ? '\u274C' : f.severity === 'warning' ? '\u26A0\uFE0F' : '\u2139\uFE0F';
+            lines.push(`| ${sev} ${f.severity} | ${f.ruleId} | ${f.title} | ${f.affectedEntries.length} |`);
+        }
+        lines.push('');
+        for (const f of result.findings) {
+            lines.push(`### ${f.title}`);
+            lines.push('');
+            lines.push(f.description);
+            lines.push('');
+            lines.push(`**Recommendation:** ${f.recommendation}`);
+            lines.push('');
+        }
+    }
+    if (result.warnings.length > 0) {
+        lines.push('## Warnings');
+        lines.push('');
+        for (const w of result.warnings) {
+            lines.push(`- **${w.code}:** ${w.message}`);
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}
+// ── CI annotations ──────────────────────────────────────────────
+export function formatCi(result, score, threshold) {
+    const lines = [];
+    for (const finding of result.findings) {
+        // CI annotations: critical → error, warning → warning, info → skip
+        if (finding.severity === 'info')
+            continue;
+        const level = finding.severity === 'critical' ? 'error' : 'warning';
+        const msg = `[${finding.ruleId}] ${finding.title}`.replace(/\n/g, '%0A');
+        lines.push(`::${level}::${msg}`);
+    }
+    if (score.score < threshold) {
+        lines.push(`::error::Health score ${score.score} is below threshold ${threshold}`);
+    }
+    return lines.join('\n');
+}
+// ── Diff formatters ─────────────────────────────────────────────
+export function formatDiffText(diff) {
+    const lines = [];
+    lines.push('');
+    const deltaColor = diff.scoreDelta >= 0 ? green : red;
+    const deltaSign = diff.scoreDelta >= 0 ? '+' : '';
+    lines.push(`  ${bold('Score Delta:')} ${deltaColor(`${deltaSign}${diff.scoreDelta}`)}`);
+    lines.push(`  ${bold('Request Delta:')} ${diff.requestCountDelta >= 0 ? '+' : ''}${diff.requestCountDelta}`);
+    lines.push(`  ${bold('Time Delta:')} ${diff.totalTimeDelta >= 0 ? '+' : ''}${ms(diff.totalTimeDelta)}`);
+    lines.push('');
+    if (diff.newFindings.length > 0) {
+        lines.push(`  ${red(bold('New Issues'))} (${diff.newFindings.length})`);
+        for (const f of diff.newFindings) {
+            lines.push(`    ${red('+')} [${f.severity}] ${f.title}`);
+        }
+        lines.push('');
+    }
+    if (diff.resolvedFindings.length > 0) {
+        lines.push(`  ${green(bold('Resolved'))} (${diff.resolvedFindings.length})`);
+        for (const f of diff.resolvedFindings) {
+            lines.push(`    ${green('-')} [${f.severity}] ${f.title}`);
+        }
+        lines.push('');
+    }
+    if (diff.persistedFindings.length > 0) {
+        lines.push(`  ${yellow(bold('Persisted'))} (${diff.persistedFindings.length})`);
+        for (const f of diff.persistedFindings) {
+            const delta = f.afterCount - f.beforeCount;
+            const deltaStr = delta === 0 ? '=' : delta > 0 ? `+${delta}` : `${delta}`;
+            lines.push(`    ${dim('\u2022')} ${f.ruleId}: ${f.beforeSeverity} \u2192 ${f.afterSeverity} (${deltaStr} entries)`);
+        }
+        lines.push('');
+    }
+    if (diff.timingDeltas.length > 0) {
+        lines.push(`  ${bold('Top Timing Changes')}`);
+        const top = diff.timingDeltas.slice(0, 10);
+        for (const td of top) {
+            const color = td.deltaMs > 0 ? red : green;
+            const sign = td.deltaMs > 0 ? '+' : '';
+            lines.push(`    ${td.urlPattern.slice(0, 50).padEnd(50)} ${color(`${sign}${ms(td.deltaMs)}`)} (${sign}${td.deltaPercent}%)`);
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}
+export function formatDiffJson(diff) {
+    return JSON.stringify(diff, null, 2);
+}
+export function formatDiffMarkdown(diff) {
+    const lines = [];
+    lines.push('# HAR Diff Report');
+    lines.push('');
+    lines.push(`**Score Delta:** ${diff.scoreDelta >= 0 ? '+' : ''}${diff.scoreDelta}`);
+    lines.push(`**Request Delta:** ${diff.requestCountDelta >= 0 ? '+' : ''}${diff.requestCountDelta}`);
+    lines.push(`**Time Delta:** ${diff.totalTimeDelta >= 0 ? '+' : ''}${ms(diff.totalTimeDelta)}`);
+    lines.push('');
+    if (diff.newFindings.length > 0) {
+        lines.push('## New Issues');
+        for (const f of diff.newFindings)
+            lines.push(`- \u274C **[${f.severity}]** ${f.title}`);
+        lines.push('');
+    }
+    if (diff.resolvedFindings.length > 0) {
+        lines.push('## Resolved');
+        for (const f of diff.resolvedFindings)
+            lines.push(`- \u2705 **[${f.severity}]** ${f.title}`);
+        lines.push('');
+    }
+    if (diff.timingDeltas.length > 0) {
+        lines.push('## Timing Changes');
+        lines.push('| URL Pattern | Before | After | Delta |');
+        lines.push('|-------------|--------|-------|-------|');
+        for (const td of diff.timingDeltas.slice(0, 15)) {
+            lines.push(`| ${td.urlPattern} | ${ms(td.beforeAvgMs)} | ${ms(td.afterAvgMs)} | ${td.deltaMs >= 0 ? '+' : ''}${ms(td.deltaMs)} |`);
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,260 @@
+#!/usr/bin/env node
+/**
+ * har-o-scope CLI entry point.
+ *
+ * Subcommands: analyze, diff, sanitize, validate
+ * Exit codes: 0 = clean, 1 = warnings, 2 = critical or below threshold
+ */
+import { readFile, writeFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { Command } from 'commander';
+import { analyze } from '../lib/analyze.js';
+import { diff } from '../lib/diff.js';
+import { sanitize } from '../lib/sanitizer.js';
+import { validate } from '../lib/validator.js';
+import { computeHealthScore } from '../lib/health-score.js';
+import { parseHar } from '../lib/normalizer.js';
+import { HarError } from '../lib/errors.js';
+import { setColorEnabled } from './colors.js';
+import { loadBuiltinRules, loadCustomRules } from './rules.js';
+import { demoHar } from './demo.js';
+import { formatText, formatJson, formatMarkdown, formatCi, formatDiffText, formatDiffJson, formatDiffMarkdown } from './formatters.js';
+import { formatSarif } from './sarif.js';
+import { generateHtmlReport } from '../lib/html-report.js';
+const VERSION = '0.1.0';
+// ── Exit code logic ─────────────────────────────────────────────
+function computeExitCode(result, score, threshold) {
+    const hasCritical = result.findings.some(f => f.severity === 'critical');
+    if (hasCritical || score.score < threshold)
+        return 2;
+    const hasWarning = result.findings.some(f => f.severity === 'warning');
+    if (hasWarning)
+        return 1;
+    return 0;
+}
+// ── Helpers ─────────────────────────────────────────────────────
+async function readHarFile(path) {
+    const resolved = resolve(path);
+    try {
+        return await readFile(resolved, 'utf-8');
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === 'ENOENT') {
+            process.stderr.write(`Error: File not found: ${resolved}\n`);
+            process.exit(2);
+        }
+        throw err;
+    }
+}
+function output(text) {
+    process.stdout.write(text + '\n');
+}
+// ── Commands ────────────────────────────────────────────────────
+async function runAnalyze(file, opts) {
+    if (!opts.color)
+        setColorEnabled(false);
+    await loadBuiltinRules();
+    // Determine input
+    let harData;
+    if (opts.demo) {
+        harData = JSON.stringify(demoHar);
+    }
+    else if (file) {
+        harData = await readHarFile(file);
+    }
+    else {
+        process.stderr.write('Error: Provide a HAR file or use --demo\n');
+        process.exit(2);
+        return; // unreachable, but satisfies TS definite assignment
+    }
+    // Load custom rules if specified
+    const customRulesData = opts.rules ? await loadCustomRules(opts.rules) : undefined;
+    const result = analyze(harData, { customRulesData });
+    const score = computeHealthScore(result);
+    const threshold = parseInt(opts.threshold, 10) || 50;
+    // Baseline comparison mode
+    if (opts.baseline) {
+        const baselineData = await readHarFile(opts.baseline);
+        const baselineResult = analyze(baselineData, { customRulesData });
+        const diffResult = diff(baselineResult, result);
+        if (opts.format === 'json') {
+            output(formatDiffJson(diffResult));
+        }
+        else if (opts.format === 'markdown') {
+            output(formatDiffMarkdown(diffResult));
+        }
+        else {
+            output(formatDiffText(diffResult));
+        }
+        // Exit 2 if score dropped below threshold
+        const exitCode = computeExitCode(result, score, threshold);
+        process.exit(exitCode);
+        return;
+    }
+    // Output format selection
+    if (opts.sarif) {
+        output(formatSarif(result, score, VERSION));
+    }
+    else if (opts.ci) {
+        const ciOutput = formatCi(result, score, threshold);
+        if (ciOutput)
+            output(ciOutput);
+    }
+    else {
+        switch (opts.format) {
+            case 'json':
+                output(formatJson(result, score));
+                break;
+            case 'markdown':
+                output(formatMarkdown(result, score));
+                break;
+            case 'html':
+                output(generateHtmlReport(result, score));
+                break;
+            default:
+                output(formatText(result, score, opts.verbose));
+        }
+    }
+    process.exit(computeExitCode(result, score, threshold));
+}
+async function runDiff(before, after, opts) {
+    if (!opts.color)
+        setColorEnabled(false);
+    await loadBuiltinRules();
+    const [beforeData, afterData] = await Promise.all([
+        readHarFile(before),
+        readHarFile(after),
+    ]);
+    const beforeResult = analyze(beforeData);
+    const afterResult = analyze(afterData);
+    const diffResult = diff(beforeResult, afterResult);
+    switch (opts.format) {
+        case 'json':
+            output(formatDiffJson(diffResult));
+            break;
+        case 'markdown':
+            output(formatDiffMarkdown(diffResult));
+            break;
+        default:
+            output(formatDiffText(diffResult));
+    }
+    // Exit 1 if new findings, 2 if new critical findings
+    const hasCriticalNew = diffResult.newFindings.some(f => f.severity === 'critical');
+    if (hasCriticalNew)
+        process.exit(2);
+    if (diffResult.newFindings.length > 0)
+        process.exit(1);
+}
+async function runSanitize(file, opts) {
+    const data = await readHarFile(file);
+    const har = parseHar(data);
+    const sanitized = sanitize(har, { mode: opts.mode });
+    const json = JSON.stringify(sanitized, null, 2);
+    if (opts.output) {
+        await writeFile(resolve(opts.output), json, 'utf-8');
+        process.stderr.write(`Sanitized HAR written to ${opts.output}\n`);
+    }
+    else {
+        output(json);
+    }
+}
+async function runValidate(file, opts) {
+    const data = await readHarFile(file);
+    // Validate as HAR
+    try {
+        parseHar(data);
+        process.stderr.write('HAR structure: valid\n');
+    }
+    catch (err) {
+        if (err instanceof HarError) {
+            process.stderr.write(`HAR structure: invalid\n`);
+            process.stderr.write(`  ${err.code}: ${err.message}\n`);
+            process.stderr.write(`  Help: ${err.help}\n`);
+            process.exit(2);
+        }
+        throw err;
+    }
+    // Validate custom rules if specified
+    if (opts.rules) {
+        const rulesContent = await readFile(resolve(opts.rules), 'utf-8');
+        const result = validate(rulesContent);
+        if (result.errors.length > 0) {
+            process.stderr.write(`Rules validation: ${result.errors.length} error(s)\n`);
+            for (const e of result.errors) {
+                process.stderr.write(`  ${e.code}: ${e.message}\n`);
+                if (e.suggestion)
+                    process.stderr.write(`    Suggestion: ${e.suggestion}\n`);
+            }
+        }
+        if (result.warnings.length > 0) {
+            process.stderr.write(`Rules validation: ${result.warnings.length} warning(s)\n`);
+            for (const w of result.warnings) {
+                process.stderr.write(`  ${w.code}: ${w.message}\n`);
+            }
+        }
+        if (result.valid) {
+            process.stderr.write('Rules validation: valid\n');
+        }
+        else {
+            process.exit(2);
+        }
+    }
+}
+// ── Program ─────────────────────────────────────────────────────
+const program = new Command()
+    .name('har-o-scope')
+    .description('Zero-trust intelligent HAR file analyzer')
+    .version(VERSION);
+program
+    .command('analyze')
+    .argument('[file]', 'HAR file to analyze')
+    .description('Analyze a HAR file for performance and security issues')
+    .option('-f, --format <format>', 'Output format: text, json, markdown, html', 'text')
+    .option('--sarif', 'Output SARIF 2.1.0 JSON')
+    .option('--ci', 'Output GitHub-compatible annotations')
+    .option('--baseline <file>', 'Compare against a baseline HAR file')
+    .option('--threshold <score>', 'Minimum health score (default: 50)', '50')
+    .option('--verbose', 'Show per-entry timing details', false)
+    .option('--rules <path>', 'Path to custom YAML rules file or directory')
+    .option('--demo', 'Analyze a built-in demo HAR file', false)
+    .option('--no-color', 'Disable colored output')
+    .action(runAnalyze);
+program
+    .command('diff')
+    .arguments('<before> <after>')
+    .description('Compare two HAR files for regressions and improvements')
+    .option('-f, --format <format>', 'Output format: text, json, markdown, html', 'text')
+    .option('--no-color', 'Disable colored output')
+    .action(runDiff);
+program
+    .command('sanitize')
+    .argument('<file>', 'HAR file to sanitize')
+    .description('Strip secrets and sensitive data from a HAR file')
+    .option('-o, --output <file>', 'Output file (default: stdout)')
+    .option('-m, --mode <mode>', 'Sanitization mode: aggressive, selective', 'aggressive')
+    .action(runSanitize);
+program
+    .command('validate')
+    .argument('<file>', 'HAR file to validate')
+    .description('Validate HAR file structure and optionally custom rules')
+    .option('--rules <path>', 'Also validate a YAML rules file')
+    .action(runValidate);
+// Handle errors globally
+program.exitOverride();
+try {
+    await program.parseAsync();
+}
+catch (err) {
+    if (err instanceof HarError) {
+        process.stderr.write(`\nError [${err.code}]: ${err.message}\n`);
+        process.stderr.write(`Help: ${err.help}\n`);
+        process.stderr.write(`Docs: ${err.docsUrl}\n`);
+        process.exit(2);
+    }
+    // Commander exits with code 0 for --help and --version
+    if (err && typeof err === 'object' && 'exitCode' in err) {
+        process.exit(err.exitCode);
+    }
+    throw err;
+}

package/dist/cli/rules.d.ts

@@ -0,0 +1,3 @@
+export declare function loadBuiltinRules(): Promise<void>;
+export declare function loadCustomRules(path: string): Promise<unknown[]>;
+//# sourceMappingURL=rules.d.ts.map

package/dist/cli/rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.d.ts","sourceRoot":"","sources":["../../src/cli/rules.ts"],"names":[],"mappings":"AAaA,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAatD;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CActE"}

package/dist/cli/rules.js

@@ -0,0 +1,36 @@
+/**
+ * YAML rule loading for CLI.
+ * Reads rules from the package's rules/ directory at runtime.
+ */
+import { readFile, readdir, stat } from 'node:fs/promises';
+import { resolve, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import yaml from 'js-yaml';
+import { setBuiltinRules } from '../lib/analyze.js';
+const __dirname = resolve(fileURLToPath(import.meta.url), '..');
+export async function loadBuiltinRules() {
+    const packageRoot = resolve(__dirname, '..', '..');
+    const rulesDir = join(packageRoot, 'rules', 'generic');
+    const rulesYaml = await readFile(join(rulesDir, 'issue-rules.yaml'), 'utf-8');
+    const conditionsYaml = await readFile(join(rulesDir, 'shared', 'base-conditions.yaml'), 'utf-8');
+    const filtersYaml = await readFile(join(rulesDir, 'shared', 'filters.yaml'), 'utf-8');
+    const rules = yaml.load(rulesYaml);
+    const conditions = yaml.load(conditionsYaml);
+    const filters = yaml.load(filtersYaml);
+    setBuiltinRules(rules, conditions, filters);
+}
+export async function loadCustomRules(path) {
+    const info = await stat(path);
+    if (info.isDirectory()) {
+        const files = await readdir(path);
+        const yamlFiles = files.filter(f => f.endsWith('.yaml') || f.endsWith('.yml'));
+        const results = [];
+        for (const file of yamlFiles) {
+            const content = await readFile(join(path, file), 'utf-8');
+            results.push(yaml.load(content));
+        }
+        return results;
+    }
+    const content = await readFile(path, 'utf-8');
+    return [yaml.load(content)];
+}

package/dist/cli/sarif.d.ts

@@ -0,0 +1,9 @@
+/**
+ * SARIF 2.1.0 output formatter.
+ *
+ * Uses logicalLocation (URL patterns, not source files) since
+ * HAR findings reference network requests, not code.
+ */
+import type { AnalysisResult, HealthScore } from '../lib/types.js';
+export declare function formatSarif(result: AnalysisResult, score: HealthScore, version: string): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/cli/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/cli/sarif.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAW,MAAM,iBAAiB,CAAA;AAoD3E,wBAAgB,WAAW,CACzB,MAAM,EAAE,cAAc,EACtB,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GACd,MAAM,CA+DR"}

package/dist/cli/sarif.js

@@ -0,0 +1,104 @@
+// ── SARIF severity mapping ─────────────────────────────────────
+// har-o-scope: info | warning | critical
+// SARIF:       note | warning | error
+function sarifLevel(severity) {
+    switch (severity) {
+        case 'critical': return 'error';
+        case 'warning': return 'warning';
+        case 'info': return 'note';
+        default: return 'none';
+    }
+}
+// ── Extract URL patterns from affected entries ──────────────────
+function extractLogicalLocations(finding, entries) {
+    const patterns = new Map();
+    for (const idx of finding.affectedEntries) {
+        const entry = entries[idx];
+        if (!entry)
+            continue;
+        const url = entry.entry.request?.url ?? '';
+        try {
+            const parsed = new URL(url);
+            // Normalize: strip query params, replace numeric/UUID segments
+            const path = parsed.pathname
+                .split('/')
+                .map(seg => /^\d+$/.test(seg) ? '*' : seg)
+                .join('/');
+            const pattern = `${parsed.hostname}${path}`;
+            if (!patterns.has(pattern)) {
+                patterns.set(pattern, path);
+            }
+        }
+        catch {
+            // Malformed URL, skip
+        }
+    }
+    return [...patterns.entries()].map(([fqn, name]) => ({
+        name,
+        kind: 'url-pattern',
+        fullyQualifiedName: fqn,
+    }));
+}
+// ── Main SARIF formatter ────────────────────────────────────────
+export function formatSarif(result, score, version) {
+    // Build rule definitions
+    const ruleMap = new Map();
+    for (const finding of result.findings) {
+        if (!ruleMap.has(finding.ruleId)) {
+            ruleMap.set(finding.ruleId, {
+                id: finding.ruleId,
+                shortDescription: finding.title,
+            });
+        }
+    }
+    const sarif = {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: 'har-o-scope',
+                        version,
+                        informationUri: 'https://github.com/vegaPDX/har-o-scope',
+                        rules: [...ruleMap.values()].map(r => ({
+                            id: r.id,
+                            shortDescription: { text: r.shortDescription },
+                            helpUri: `https://github.com/vegaPDX/har-o-scope/blob/main/docs/rules/${r.id}.md`,
+                        })),
+                        properties: {
+                            healthScore: score.score,
+                            scoreBreakdown: score.breakdown,
+                        },
+                    },
+                },
+                results: result.findings.map(finding => ({
+                    ruleId: finding.ruleId,
+                    ruleIndex: [...ruleMap.keys()].indexOf(finding.ruleId),
+                    level: sarifLevel(finding.severity),
+                    message: {
+                        text: `${finding.title}\n\n${finding.description}\n\nRecommendation: ${finding.recommendation}`,
+                    },
+                    logicalLocations: extractLogicalLocations(finding, result.entries),
+                    properties: {
+                        severity: finding.severity,
+                        category: finding.category,
+                        affectedEntries: finding.affectedEntries.length,
+                        impact: finding.impact,
+                    },
+                })),
+                invocations: [
+                    {
+                        executionSuccessful: true,
+                        properties: {
+                            healthScore: score.score,
+                            totalRequests: result.metadata.totalRequests,
+                            analysisTimeMs: result.metadata.analysisTimeMs,
+                        },
+                    },
+                ],
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}