heron-ai 0.2.2 → 0.4.0

package/dist/bin/heron.js

@@ -8,7 +8,7 @@ const program = new Command();
 program
     .name('heron')
     .description('Open-source agent checkpoint — vet AI agents before granting production access')
-    .version('0.2.2');
+    .version('0.4.0');
 // ─── scan: active mode (Heron → Agent) ───────────────────────────────────
 program
     .command('scan')
@@ -81,6 +81,35 @@ program
         process.exit(1);
     }
 });
+// ─── diff: compare two audit reports ────────────────────────────────────
+program
+    .command('diff')
+    .description('Compare two Heron audit reports and produce a markdown delta')
+    .argument('<old>', 'Path to the older report markdown')
+    .argument('<new>', 'Path to the newer report markdown')
+    .option('--llm-provider <provider>', 'LLM provider: anthropic, openai, or gemini (auto-detected from key)')
+    .option('--llm-model <model>', 'LLM model (auto-selected per provider)')
+    .option('--llm-key <key>', 'LLM API key (or set HERON_LLM_API_KEY)')
+    .option('-o, --output <path>', 'Save diff to this path (overrides default)')
+    .option('--report-dir <dir>', 'Directory to save diff when -o not used', './reports')
+    .action(async (oldPath, newPath, opts) => {
+    try {
+        const { runDiffCommand } = await import('../src/commands/diff.js');
+        await runDiffCommand({
+            oldPath,
+            newPath,
+            outputPath: opts.output,
+            reportDir: opts.reportDir,
+            llmProvider: opts.llmProvider,
+            llmModel: opts.llmModel,
+            llmKey: opts.llmKey,
+        });
+    }
+    catch (err) {
+        logger.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+});
 // ─── install-skill: install Claude Code skill ───────────────────────────────
 program
     .command('install-skill')
@@ -193,7 +222,7 @@ async function interactiveStart() {
     }
 }
 const args = process.argv.slice(2);
-const hasSubcommand = args.length > 0 && ['scan', 'serve', 'install-skill', 'help', '--help', '-h', '--version', '-V'].includes(args[0]);
+const hasSubcommand = args.length > 0 && ['scan', 'serve', 'install-skill', 'diff', 'help', '--help', '-h', '--version', '-V'].includes(args[0]);
 if (!hasSubcommand && args.length > 0) {
     // Legacy: flags without subcommand → scan
     process.argv.splice(2, 0, 'scan');

package/dist/bin/heron.js.map

@@ -1 +1 @@
-{"version":3,"file":"heron.js","sourceRoot":"","sources":["../../bin/heron.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,MAAM,MAAM,uBAAuB,CAAC;AAEhD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,gFAAgF,CAAC;KAC7F,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,oBAAoB,EAAE,+CAA+C,CAAC;KAC7E,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,EAAE,MAAM,CAAC;KAC9E,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,uCAAuC,CAAC;KACtE,MAAM,CAAC,uBAAuB,EAAE,iCAAiC,EAAE,UAAU,CAAC;KAC9E,MAAM,CAAC,qBAAqB,EAAE,gCAAgC,CAAC;KAC/D,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,eAAe,EAAE,kCAAkC,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,UAAU,KAAK,aAAa,EAAE,CAAC;YACtE,OAAO,CAAC,KAAK,CAAC,kFAAkF,CAAC,CAAC;YAClG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACjC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,MAAM,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,KAAK;YAC9B,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,SAAS,CAAC;KACzD,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,WAAW,CAAC;YAChB,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE;gBACH,QAAQ,EAAE,IAAI,CAAC,WAAgD;gBAC/D,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,KAAK,EAAE,IAAI,CAAC,QAAQ;aACrB;YACD,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,+EAA+E;AAE/E,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;QAC1E,MAAM,YAAY,EAAE,CAAC;IACvB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,+EAA+E;AAE/E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAQhD,qDAAqD;AACrD,SAAS,YAAY,CAAC,KAAa,EAAE,OAAuB;IAC1D,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;QAE3B,SAAS,MAAM;YACb,gDAAgD;YAChD,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACzC,MAAM,SAAS,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5D,MAAM,KAAK,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC;gBAC3F,MAAM,IAAI,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,WAAW,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,SAAS,KAAK;YACZ,8BAA8B;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,aAAa,CAAC,CAAC;QAC5C,MAAM,EAAE,CAAC;QAET,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACzB,+BAA+B;YAC/B,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAEnC,SAAS,MAAM,CAAC,GAAW;YACzB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBACpC,gBAAgB;gBAChB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC5D,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBAC3C,kBAAkB;gBAClB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC3C,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBACxC,QAAQ;gBACR,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,oCAAoC;gBACpC,KAAK,EAAE,CAAC;gBACR,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;oBACzC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;wBACnB,GAAG,CAAC,KAAK,CAAC,6BAA6B,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;gBACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChB,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;gBAC1B,SAAS;gBACT,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,EAAE,CAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC,MAAM,EAAE,EAAE;YACnC,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,0BAA0B,EAAE;QAC1D,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,uBAAuB,EAAE,KAAK,EAAE,OAAO,EAAE;QAC/E,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,yBAAyB,EAAE,KAAK,EAAE,MAAM,EAAE;KAClF,CAAC,CAAC;IAEH,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QACnC,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAEzI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IACtC,0CAA0C;IAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC;KAAM,IAAI,CAAC,aAAa,EAAE,CAAC;IAC1B,oCAAoC;IACpC,gBAAgB,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;QAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}
+{"version":3,"file":"heron.js","sourceRoot":"","sources":["../../bin/heron.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,MAAM,MAAM,uBAAuB,CAAC;AAEhD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,gFAAgF,CAAC;KAC7F,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,oBAAoB,EAAE,+CAA+C,CAAC;KAC7E,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,EAAE,MAAM,CAAC;KAC9E,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,uCAAuC,CAAC;KACtE,MAAM,CAAC,uBAAuB,EAAE,iCAAiC,EAAE,UAAU,CAAC;KAC9E,MAAM,CAAC,qBAAqB,EAAE,gCAAgC,CAAC;KAC/D,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,eAAe,EAAE,kCAAkC,CAAC;KAC3D,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,UAAU,KAAK,aAAa,EAAE,CAAC;YACtE,OAAO,CAAC,KAAK,CAAC,kFAAkF,CAAC,CAAC;YAClG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACjC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;QAEH,MAAM,GAAG,CAAC,MAAM,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,KAAK;YAC9B,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,4EAA4E;AAE5E,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,SAAS,CAAC;KACzD,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC1E,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,EAAE,WAAW,CAAC;KACtE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,WAAW,CAAC;YAChB,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE;gBACH,QAAQ,EAAE,IAAI,CAAC,WAAgD;gBAC/D,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,KAAK,EAAE,IAAI,CAAC,QAAQ;aACrB;YACD,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,IAAI,GAAG,EAAE,EAAE,CAAC;YACpD,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,2EAA2E;AAE3E,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,8DAA8D,CAAC;KAC3E,QAAQ,CAAC,OAAO,EAAE,mCAAmC,CAAC;KACtD,QAAQ,CAAC,OAAO,EAAE,mCAAmC,CAAC;KACtD,MAAM,CAAC,2BAA2B,EAAE,qEAAqE,CAAC;KAC1G,MAAM,CAAC,qBAAqB,EAAE,wCAAwC,CAAC;KACvE,MAAM,CAAC,iBAAiB,EAAE,wCAAwC,CAAC;KACnE,MAAM,CAAC,qBAAqB,EAAE,4CAA4C,CAAC;KAC3E,MAAM,CAAC,oBAAoB,EAAE,yCAAyC,EAAE,WAAW,CAAC;KACpF,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,OAAe,EAAE,IAAI,EAAE,EAAE;IACvD,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QACnE,MAAM,cAAc,CAAC;YACnB,OAAO;YACP,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,MAAM;YACvB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,+EAA+E;AAE/E,OAAO;KACJ,OAAO,CAAC,eAAe,CAAC;KACxB,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;QAC1E,MAAM,YAAY,EAAE,CAAC;IACvB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,+EAA+E;AAE/E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAQhD,qDAAqD;AACrD,SAAS,YAAY,CAAC,KAAa,EAAE,OAAuB;IAC1D,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;QAE3B,SAAS,MAAM;YACb,gDAAgD;YAChD,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACzC,MAAM,SAAS,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5D,MAAM,KAAK,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,KAAK,SAAS,CAAC;gBAC3F,MAAM,IAAI,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,WAAW,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxE,GAAG,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QAED,SAAS,KAAK;YACZ,8BAA8B;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,GAAG,CAAC,KAAK,CAAC,cAAc,KAAK,aAAa,CAAC,CAAC;QAC5C,MAAM,EAAE,CAAC;QAET,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACzB,+BAA+B;YAC/B,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAEnC,SAAS,MAAM,CAAC,GAAW;YACzB,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBACpC,gBAAgB;gBAChB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC5D,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBAC3C,kBAAkB;gBAClB,QAAQ,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;gBAC3C,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBACxC,QAAQ;gBACR,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,oCAAoC;gBACpC,KAAK,EAAE,CAAC;gBACR,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;oBACzC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;wBACnB,GAAG,CAAC,KAAK,CAAC,6BAA6B,GAAG,CAAC,KAAK,WAAW,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;gBACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChB,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;gBAC1B,SAAS;gBACT,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,EAAE,CAAC,QAAQ,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC,MAAM,EAAE,EAAE;YACnC,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,0BAA0B,EAAE;QAC1D,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,uBAAuB,EAAE,KAAK,EAAE,OAAO,EAAE;QAC/E,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,yBAAyB,EAAE,KAAK,EAAE,MAAM,EAAE;KAClF,CAAC,CAAC;IAEH,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QACnC,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAEjJ,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IACtC,0CAA0C;IAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC;KAAM,IAAI,CAAC,aAAa,EAAE,CAAC;IAC1B,oCAAoC;IACpC,gBAAgB,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;QAC7B,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC"}

package/dist/src/analysis/analyzer.d.ts

@@ -10,5 +10,5 @@ export interface FullAnalysisResult extends AnalysisResult {
  * Validates output with Zod schema. Retries once on parse failure.
  * Falls back to partial report on double failure.
  */
-export declare function analyzeTranscript(llmClient: LLMClient, transcript: QAPair[]): Promise<FullAnalysisResult>;
+export declare function analyzeTranscript(llmClient: LLMClient, transcript: QAPair[], sessionId?: string): Promise<FullAnalysisResult>;
 //# sourceMappingURL=analyzer.d.ts.map

package/dist/src/analysis/analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAA0B,MAAM,oBAAoB,CAAC;AACrG,OAAO,EAAwB,KAAK,cAAc,EAAuB,MAAM,oBAAoB,CAAC;AAKpG,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,MAAM,EAAE,GACnB,OAAO,CAAC,kBAAkB,CAAC,CAwB7B"}
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAElD,OAAO,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAA0B,MAAM,oBAAoB,CAAC;AACrG,OAAO,EAAwB,KAAK,cAAc,EAAuB,MAAM,oBAAoB,CAAC;AAOpG,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,gBAAgB,EAAE,gBAAgB,CAAC;CACpC;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,MAAM,EAAE,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,kBAAkB,CAAC,CAyB7B"}

package/dist/src/analysis/analyzer.js

@@ -1,20 +1,24 @@
+import { seedFromSessionId } from '../llm/client.js';
 import { analysisResultSchema } from '../report/types.js';
 import { ANALYSIS_SYSTEM_PROMPT, buildAnalysisPrompt } from '../llm/prompts.js';
 import * as logger from '../util/logger.js';
+import { scrubUnprovided, isNegativeScope } from '../util/provided.js';
+import { isBusinessSystem } from '../util/systems.js';
 /**
  * Uses LLM to analyze the interview transcript and produce a structured audit.
  * Validates output with Zod schema. Retries once on parse failure.
  * Falls back to partial report on double failure.
  */
-export async function analyzeTranscript(llmClient, transcript) {
+export async function analyzeTranscript(llmClient, transcript, sessionId) {
     // Note: caller shows "⏳ Analyzing transcript..." already
     const prompt = buildAnalysisPrompt(transcript);
+    const seed = sessionId ? seedFromSessionId(sessionId) : undefined;
     // Attempt 1
-    let parsed = await tryParse(llmClient, prompt);
+    let parsed = await tryParse(llmClient, prompt, seed);
     // Attempt 2 (retry) if first attempt failed
     if (!parsed) {
         logger.warn('First analysis attempt failed, retrying...');
-        parsed = await tryParse(llmClient, prompt);
+        parsed = await tryParse(llmClient, prompt, seed);
     }
     // Double failure — partial report fallback
     if (!parsed) {
@@ -25,9 +29,88 @@ export async function analyzeTranscript(llmClient, transcript) {
     // Derive legacy flat fields from per-system data
     return enrichWithLegacyFields(parsed);
 }
-async function tryParse(llmClient, prompt) {
+const ORCHESTRATION_ONLY_PATTERN = /\b(local\s*(filesystem|file.?system|disk|storage|log|sqlite|database|db|cache|store)|\.env\b|env(ironment)?\s*(var|variable|file)|idempotency|secrets?\s*manager)\b/i;
+const SCOPE_CREEP_RISK_PATTERN = /\b(scope|permission|oauth|excessive|over.?priv|least.?privilege|access.?control)/i;
+/**
+ * Return true when a risk is scoped only to orchestration components
+ * (e.g. "Local filesystem log has excessive scope") and mentions no real
+ * business system. Used to drop "template pollution" risks.
+ */
+function isRiskAboutOrchestrationOnly(risk, businessSystemIds) {
+    const text = `${risk.title} ${risk.description}`.toLowerCase();
+    const mentionsOrchestration = ORCHESTRATION_ONLY_PATTERN.test(text);
+    if (!mentionsOrchestration)
+        return false;
+    const mentionsBusinessSystem = Array.from(businessSystemIds).some((id) => id.length > 3 && text.includes(id));
+    if (mentionsBusinessSystem)
+        return false;
+    // Only drop scope-creep/access risks; keep e.g. secrets-handling recommendations
+    return SCOPE_CREEP_RISK_PATTERN.test(text);
+}
+/**
+ * Recursively walk a parsed JSON object and normalize any "NOT PROVIDED"-style
+ * string values to `undefined`. Leaves other types untouched. Mutates in place.
+ *
+ * For arrays of strings (e.g. `systems[].scopesRequested`) the scrubbed
+ * elements are *removed* (compacted), not left as `undefined` in place — Zod
+ * rejects `[undefined]` against `z.array(z.string())` even when the array
+ * itself has a `.default([])`. Compacting `["NOT PROVIDED"]` → `[]` lets the
+ * default fire correctly.
+ *
+ * AAP-43 post-merge fix (2026-04-25): the original implementation set
+ * `value[i] = undefined`, which produced the regression observed on copy-
+ * prod — Zod parse failed with `invalid_type expected string received
+ * undefined` and the analyzer fell back to "Automated analysis failed".
+ */
+function scrubNotProvidedInPlace(value) {
+    if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+            const item = value[i];
+            if (typeof item === 'string') {
+                if (scrubUnprovided(item) === undefined)
+                    value[i] = undefined;
+            }
+            else if (item && typeof item === 'object') {
+                scrubNotProvidedInPlace(item);
+            }
+        }
+        // Compact: drop `undefined` entries we just produced from scrubbed
+        // strings. Walk back-to-front so splicing doesn't shift unvisited
+        // indices. We never produce `undefined` from object recursion, only
+        // from string scrub, so this only affects string arrays.
+        for (let i = value.length - 1; i >= 0; i--) {
+            if (value[i] === undefined)
+                value.splice(i, 1);
+        }
+        return;
+    }
+    if (value && typeof value === 'object') {
+        const obj = value;
+        for (const key of Object.keys(obj)) {
+            const v = obj[key];
+            if (typeof v === 'string') {
+                if (scrubUnprovided(v) === undefined)
+                    obj[key] = undefined;
+            }
+            else if (v && typeof v === 'object') {
+                scrubNotProvidedInPlace(v);
+            }
+        }
+    }
+}
+async function tryParse(llmClient, prompt, deterministicSeed) {
+    let response;
     try {
-        const response = await llmClient.chat(ANALYSIS_SYSTEM_PROMPT, prompt);
+        // AAP-43 regression fix (2026-04-24): request JSON-mode so OpenAI and
+        // Gemini return a syntactically-valid JSON payload instead of a free-form
+        // string that sometimes truncates or emits prose before the `{`. This
+        // combined with the provider-side `max_tokens` bump in client.ts resolves
+        // the "Automated analysis failed" fallback observed on 18-question
+        // transcripts in the copy-prod deploy.
+        response = await llmClient.chat(ANALYSIS_SYSTEM_PROMPT, prompt, {
+            deterministicSeed,
+            jsonMode: true,
+        });
         // Strip markdown fences if present
         let jsonStr = response.trim();
         if (jsonStr.startsWith('```')) {
@@ -41,12 +124,43 @@ async function tryParse(llmClient, prompt) {
             }
         }
         const raw = JSON.parse(jsonStr);
+        // AAP-43 P0 #2: scrub "NOT PROVIDED" sentinel from LLM output before Zod
+        // default substitution. This distinguishes "LLM explicitly wrote NOT
+        // PROVIDED" from "field was absent" — both are normalized to undefined so
+        // Zod's .default() applies uniformly and the renderer can surface an
+        // explicit "Unknown — ask deployer" marker instead of leaking the string.
+        scrubNotProvidedInPlace(raw);
         // Zod validation — parse with defaults and coercion
         const result = analysisResultSchema.parse(raw);
+        // AAP-43 P2 #8: drop scope-creep / excessive-access risks that reference
+        // only internal/orchestration components (local filesystem, SQLite, env
+        // vars, etc.). The prompt tells the LLM not to do this, but some models
+        // still emit them — this is the belt-and-braces guarantee.
+        const businessSystemIds = new Set(result.systems.filter(isBusinessSystem).map((s) => s.systemId.toLowerCase()));
+        result.risks = result.risks.filter((r) => !isRiskAboutOrchestrationOnly(r, businessSystemIds));
+        // Reviewer-feedback fix (2026-04-25): drop "negative" content from
+        // scopesDelta (and scopesNeeded) where the LLM put a constraint
+        // ("read-only access", "scoped to profile scraping", "no write access")
+        // instead of an actual revokable permission. Without this filter the
+        // Permissions Delta block in the report ends up listing those constraints
+        // under "Excessive (can be revoked):" — auditor-hostile inversion.
+        for (const sys of result.systems) {
+            sys.scopesDelta = sys.scopesDelta.filter((s) => !isNegativeScope(s));
+            sys.scopesNeeded = sys.scopesNeeded.filter((s) => !isNegativeScope(s));
+        }
         return result;
     }
     catch (e) {
-        logger.warn(`Parse attempt failed: ${e instanceof Error ? e.message : String(e)}`);
+        // AAP-43 regression fix (2026-04-24): log a bounded preview of the raw
+        // LLM response so the next operator can tell truncation apart from
+        // schema mismatch. Previously the warn line only carried the exception
+        // message, which leaves the "Automated analysis failed" report without
+        // a diagnostic trail.
+        const errMsg = e instanceof Error ? e.message : String(e);
+        const preview = response === undefined
+            ? '(no response — LLM call threw)'
+            : `${response.slice(0, 400)}${response.length > 400 ? `…[+${response.length - 400} chars]` : ''}`;
+        logger.warn(`Parse attempt failed: ${errMsg} | response preview: ${preview}`);
         return null;
     }
 }

package/dist/src/analysis/analyzer.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/analysis/analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAA4C,MAAM,oBAAoB,CAAC;AACpG,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAChF,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAC;AAQ5C;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAoB,EACpB,UAAoB;IAEpB,yDAAyD;IAEzD,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAE/C,YAAY;IACZ,IAAI,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAE/C,4CAA4C;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC1D,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QACnE,OAAO,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,gEAAgE;IAEhE,iDAAiD;IACjD,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,SAAoB,EACpB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;QAEtE,mCAAmC;QACnC,IAAI,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAC/C,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEhC,oDAAoD;QACpD,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,MAAsB;IACpD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAuE,EAAE,CAAC;IACvF,MAAM,cAAc,GAAmB,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAmB,EAAE,CAAC;IACrC,MAAM,OAAO,GAAmB,EAAE,CAAC;IAEnC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,iCAAiC;QACjC,SAAS,CAAC,IAAI,CAAC;YACb,QAAQ,EAAE,GAAG,CAAC,eAAe;YAC7B,MAAM,EAAE,GAAG,CAAC,QAAQ;YACpB,aAAa,EAAE,GAAG,CAAC,kBAAkB;SACtC,CAAC,CAAC;QAEH,iBAAiB;QACjB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,oBAAoB;aACpC,CAAC,CAAC;QACL,CAAC;QAED,kBAAkB;QAClB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrC,cAAc,CAAC,IAAI,CAAC;gBAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,iCAAiC;aACjD,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACpC,SAAS,CAAC,IAAI,CAAC;gBACb,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,6BAA6B;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG,MAAM;QACT,SAAS;QACT,gBAAgB,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,EAAE;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAoB;IACjD,+CAA+C;IAC/C,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC1F,MAAM,cAAc,GAAG,WAAW;SAC/B,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,KAAK,SAAS,CAAC;SACvC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC;SACpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE9D,oDAAoD;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC;QACpC,CAAC,CAAC,iDAAiD,WAAW,CAAC,MAAM,+BAA+B,UAAU,CAAC,MAAM,sDAAsD;QAC3K,CAAC,CAAC,sGAAsG,CAAC;IAE3G,OAAO;QACL,OAAO;QACP,YAAY,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,sCAAsC;QACpF,OAAO,EAAE,EAAE,EAAE,0BAA0B;QACvC,KAAK,EAAE,EAAE;QACT,eAAe,EAAE,CAAC,iGAAiG,CAAC;QACpH,cAAc,EAAE,yBAAyB;QACzC,gBAAgB,EAAE,QAAQ;QAC1B,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE;YAChB,OAAO,EAAE,EAAE;YACX,cAAc,EAAE,EAAE;YAClB,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;SACZ;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/analysis/analyzer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,EAAE,oBAAoB,EAA4C,MAAM,oBAAoB,CAAC;AACpG,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAChF,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAQtD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,SAAoB,EACpB,UAAoB,EACpB,SAAkB;IAElB,yDAAyD;IAEzD,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAElE,YAAY;IACZ,IAAI,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IAErD,4CAA4C;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC1D,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;QACnE,OAAO,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,gEAAgE;IAEhE,iDAAiD;IACjD,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,0BAA0B,GAC9B,sKAAsK,CAAC;AAEzK,MAAM,wBAAwB,GAAG,mFAAmF,CAAC;AAErH;;;;GAIG;AACH,SAAS,4BAA4B,CACnC,IAA4C,EAC5C,iBAA8B;IAE9B,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/D,MAAM,qBAAqB,GAAG,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,CAAC,qBAAqB;QAAE,OAAO,KAAK,CAAC;IACzC,MAAM,sBAAsB,GAAG,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CACvE,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CACnC,CAAC;IACF,IAAI,sBAAsB;QAAE,OAAO,KAAK,CAAC;IACzC,iFAAiF;IACjF,OAAO,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,uBAAuB,CAAC,KAAc;IAC7C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,SAAS;oBAAE,KAAK,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC;YAChE,CAAC;iBAAM,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5C,uBAAuB,CAAC,IAAI,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QACD,mEAAmE;QACnE,kEAAkE;QAClE,oEAAoE;QACpE,yDAAyD;QACzD,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;gBAAE,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACjD,CAAC;QACD,OAAO;IACT,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;YACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,IAAI,eAAe,CAAC,CAAC,CAAC,KAAK,SAAS;oBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;YAC7D,CAAC;iBAAM,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACtC,uBAAuB,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,SAAoB,EACpB,MAAc,EACd,iBAA0B;IAE1B,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACH,sEAAsE;QACtE,0EAA0E;QAC1E,sEAAsE;QACtE,0EAA0E;QAC1E,mEAAmE;QACnE,uCAAuC;QACvC,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,sBAAsB,EAAE,MAAM,EAAE;YAC9D,iBAAiB;YACjB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,mCAAmC;QACnC,IAAI,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAC/C,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEhC,yEAAyE;QACzE,qEAAqE;QACrE,0EAA0E;QAC1E,qEAAqE;QACrE,0EAA0E;QAC1E,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAE7B,oDAAoD;QACpD,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/C,yEAAyE;QACzE,wEAAwE;QACxE,wEAAwE;QACxE,2DAA2D;QAC3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAC/B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAC7E,CAAC;QACF,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,4BAA4B,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAE/F,mEAAmE;QACnE,gEAAgE;QAChE,wEAAwE;QACxE,qEAAqE;QACrE,0EAA0E;QAC1E,mEAAmE;QACnE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACjC,GAAG,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;YACrE,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,uEAAuE;QACvE,mEAAmE;QACnE,uEAAuE;QACvE,uEAAuE;QACvE,sBAAsB;QACtB,MAAM,MAAM,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,OAAO,GAAG,QAAQ,KAAK,SAAS;YACpC,CAAC,CAAC,gCAAgC;YAClC,CAAC,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,wBAAwB,OAAO,EAAE,CAAC,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,MAAsB;IACpD,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,MAAM,OAAO,GAAuE,EAAE,CAAC;IACvF,MAAM,cAAc,GAAmB,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAmB,EAAE,CAAC;IACrC,MAAM,OAAO,GAAmB,EAAE,CAAC;IAEnC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,iCAAiC;QACjC,SAAS,CAAC,IAAI,CAAC;YACb,QAAQ,EAAE,GAAG,CAAC,eAAe;YAC7B,MAAM,EAAE,GAAG,CAAC,QAAQ;YACpB,aAAa,EAAE,GAAG,CAAC,kBAAkB;SACtC,CAAC,CAAC;QAEH,iBAAiB;QACjB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,oBAAoB;aACpC,CAAC,CAAC;QACL,CAAC;QAED,kBAAkB;QAClB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACrC,cAAc,CAAC,IAAI,CAAC;gBAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,iCAAiC;aACjD,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACpC,SAAS,CAAC,IAAI,CAAC;gBACb,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,WAAW,EAAE,KAAK;gBAClB,aAAa,EAAE,6BAA6B;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG,MAAM;QACT,SAAS;QACT,gBAAgB,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,EAAE;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAoB;IACjD,+CAA+C;IAC/C,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC1F,MAAM,cAAc,GAAG,WAAW;SAC/B,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,KAAK,SAAS,CAAC;SACvC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC;SACpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE9D,oDAAoD;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC;QACpC,CAAC,CAAC,iDAAiD,WAAW,CAAC,MAAM,+BAA+B,UAAU,CAAC,MAAM,sDAAsD;QAC3K,CAAC,CAAC,sGAAsG,CAAC;IAE3G,OAAO;QACL,OAAO;QACP,YAAY,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,sCAAsC;QACpF,OAAO,EAAE,EAAE,EAAE,0BAA0B;QACvC,KAAK,EAAE,EAAE;QACT,eAAe,EAAE,CAAC,iGAAiG,CAAC;QACpH,cAAc,EAAE,yBAAyB;QACzC,gBAAgB,EAAE,QAAQ;QAC1B,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE;YAChB,OAAO,EAAE,EAAE;YACX,cAAc,EAAE,EAAE;YAClB,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,EAAE;SACZ;KACF,CAAC;AACJ,CAAC"}

package/dist/src/analysis/risk-scorer.d.ts

@@ -17,4 +17,36 @@ export interface RiskScore {
  * Each component scores 0-100, then weighted sum → overall 0-100 → severity level.
  */
 export declare function computeRiskScore(systems: SystemAssessment[], risks: Risk[]): RiskScore;
+export interface SeveritySignals {
+    hasSensitivePII: boolean;
+    hasIrreversibleWrites: boolean;
+    hasExcessivePerms: boolean;
+    hasOrgWideWrites: boolean;
+    hasDecisionsAboutPeople: boolean;
+    /**
+     * AAP-43 post-merge fix (2026-04-24): public PII processed at scale
+     * (>=500 records per run OR org-wide blast radius). This is the LinkedIn
+     * ICP profile: names/emails/LinkedIn URLs aren't SSN-grade, but writing
+     * 500 of them into a Google Sheet still activates GDPR data-minimisation
+     * and least-privilege floors. Used by the access/data severity floor to
+     * raise HIGH when the LLM misses it.
+     */
+    hasPublicPIIAtScale: boolean;
+}
+/**
+ * Aggregate deterministic signals from structured per-system data.
+ * Used to compute severity floors so per-risk labels are stable across LLM runs.
+ */
+export declare function computeSeveritySignals(systems: SystemAssessment[], makesDecisionsAboutPeople?: boolean): SeveritySignals;
+/**
+ * Apply deterministic rule-based overrides to LLM-assigned risk severities.
+ *
+ * Rationale (AAP-43 P0 #1): LLMs at temperature=0 still flip severity labels
+ * run-to-run because of MoE routing / float arithmetic / load-balancer hops.
+ * For compliance-audit use this is unacceptable (reviewers: "determinism isn't
+ * optional in audit"). We therefore compute a rule-based severity floor from
+ * structured signals and take MAX(LLM, floor). LLM senior-auditor intuition
+ * is preserved when it exceeds the floor; otherwise the floor holds.
+ */
+export declare function applySeverityOverrides(risks: Risk[], systems: SystemAssessment[], makesDecisionsAboutPeople?: boolean): Risk[];
 //# sourceMappingURL=risk-scorer.d.ts.map

package/dist/src/analysis/risk-scorer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"risk-scorer.d.ts","sourceRoot":"","sources":["../../../src/analysis/risk-scorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAe,MAAM,oBAAoB,CAAC;AAExF,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,QAAQ,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE;QACT,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AA6BD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,gBAAgB,EAAE,EAC3B,KAAK,EAAE,IAAI,EAAE,GACZ,SAAS,CAyBX"}
+{"version":3,"file":"risk-scorer.d.ts","sourceRoot":"","sources":["../../../src/analysis/risk-scorer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAe,MAAM,oBAAoB,CAAC;AAExF,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,QAAQ,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE;QACT,eAAe,EAAE,MAAM,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAqDD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,gBAAgB,EAAE,EAC3B,KAAK,EAAE,IAAI,EAAE,GACZ,SAAS,CAyBX;AAoHD,MAAM,WAAW,eAAe;IAC9B,eAAe,EAAE,OAAO,CAAC;IACzB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,uBAAuB,EAAE,OAAO,CAAC;IACjC;;;;;;;OAOG;IACH,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,gBAAgB,EAAE,EAC3B,yBAAyB,CAAC,EAAE,OAAO,GAClC,eAAe,CAyCjB;AAkDD;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,IAAI,EAAE,EACb,OAAO,EAAE,gBAAgB,EAAE,EAC3B,yBAAyB,CAAC,EAAE,OAAO,GAClC,IAAI,EAAE,CAOR"}

package/dist/src/analysis/risk-scorer.js

@@ -19,6 +19,29 @@ const SENSITIVE_KEYWORDS = [
     'password', 'secret', 'token', 'ssn', 'credit card', 'health',
     'medical', 'salary', 'compensation',
 ];
+// ─── Public-PII-at-scale keywords (AAP-43 post-merge fix 2026-04-24) ────────
+//
+// LinkedIn-style agents handle *public* PII (names, emails, profile URLs,
+// titles) which never contains SSN/bank-level sensitivity keywords above, so
+// `hasSensitivePII` is always false. The AAP-43 severity-anchor in
+// src/llm/prompts.ts nevertheless tells the LLM that "OAuth scope
+// `spreadsheets` with 500 PII rows → HIGH", but the rule-based floor could
+// not enforce the same thing because it only recognised sensitive PII.
+//
+// The fix: recognise public PII explicitly. When it is stored at scale (org-
+// wide blast radius, >=500 rows per run, or scraping) floor-severity for
+// access / data risks is raised to HIGH so the LinkedIn ICP case matches
+// the stated anchor even without LLM escalation.
+const PUBLIC_PII_KEYWORDS = [
+    'linkedin', 'profile url', 'full name', 'first name', 'last name',
+    'email', 'phone', 'address', 'scrape', 'scraped', 'scraping',
+    'job title', 'employer', 'company', 'career', 'resume',
+];
+const LARGE_VOLUME_KEYWORDS = [
+    ' 500', '500 rows', '500 profiles', '500 leads', '500 connections',
+    '1000', '10k', '10 000', '10,000', 'at scale', 'scrape', 'scraping',
+    'batch of 5', 'bulk', 'batched',
+];
 /**
  * Rubric-driven risk scorer.
  * Computes risk from structured per-system data, not keyword-grepping risk descriptions.
@@ -140,4 +163,115 @@ function scoreToLevel(score) {
         return 'high';
     return 'critical';
 }
+// ─── Rule-based severity override (AAP-43 P0 determinism) ──────────────────
+const SEVERITY_ORDER = {
+    low: 0,
+    medium: 1,
+    high: 2,
+    critical: 3,
+};
+function maxSeverity(a, b) {
+    return SEVERITY_ORDER[a] >= SEVERITY_ORDER[b] ? a : b;
+}
+/**
+ * Aggregate deterministic signals from structured per-system data.
+ * Used to compute severity floors so per-risk labels are stable across LLM runs.
+ */
+export function computeSeveritySignals(systems, makesDecisionsAboutPeople) {
+    const hasSensitivePII = systems.some(s => {
+        const text = s.dataSensitivity.toLowerCase();
+        return SENSITIVE_KEYWORDS.some(k => text.includes(k));
+    });
+    const hasIrreversibleWrites = systems.some(s => s.writeOperations.some(w => !w.reversible));
+    const hasExcessivePerms = systems.some(s => s.scopesDelta.length > 0);
+    const hasOrgWideWrites = systems.some(s => {
+        const broad = s.blastRadius === 'org-wide' || s.blastRadius === 'cross-tenant';
+        return broad && s.writeOperations.length > 0;
+    });
+    // Public PII at scale: public personal data (LinkedIn profiles, scraped
+    // contacts, etc.) combined with either an explicit large-volume marker or
+    // an org-wide/cross-tenant blast radius. Either indicator alone is weak;
+    // the combination is the shape reviewers called HIGH on the LinkedIn ICP
+    // reference case.
+    const hasPublicPIIAtScale = systems.some(s => {
+        const haystack = `${s.dataSensitivity} ${s.frequencyAndVolume} ${s.systemId}`.toLowerCase();
+        const mentionsPublicPII = PUBLIC_PII_KEYWORDS.some(k => haystack.includes(k));
+        if (!mentionsPublicPII)
+            return false;
+        const mentionsScale = LARGE_VOLUME_KEYWORDS.some(k => haystack.includes(k));
+        const broadBlast = s.blastRadius === 'org-wide' || s.blastRadius === 'cross-tenant';
+        return mentionsScale || broadBlast;
+    });
+    return {
+        hasSensitivePII,
+        hasIrreversibleWrites,
+        hasExcessivePerms,
+        hasOrgWideWrites,
+        hasDecisionsAboutPeople: Boolean(makesDecisionsAboutPeople),
+        hasPublicPIIAtScale,
+    };
+}
+function inferRiskKind(risk) {
+    const text = `${risk.title} ${risk.description}`.toLowerCase();
+    if (/decision|hiring|recruit|scoring|profil|rank|select.*people|access.control/.test(text))
+        return 'decisions';
+    if (/pii|personal|data.minim|retention|confidential|sensitive|health|financial/.test(text))
+        return 'data';
+    if (/write|send|create|delete|update|modify|post|irrevers/.test(text))
+        return 'write';
+    if (/scope|permission|access|oauth|excessive|over.?priv/.test(text))
+        return 'access';
+    return 'unknown';
+}
+/**
+ * Compute severity floor for a given risk kind, given aggregate signals.
+ * Returns the minimum acceptable severity — the final severity is
+ * MAX(LLM-assigned, floor) so senior-auditor insight isn't lost.
+ */
+function severityFloor(kind, signals) {
+    const { hasSensitivePII, hasIrreversibleWrites, hasExcessivePerms, hasOrgWideWrites, hasDecisionsAboutPeople, hasPublicPIIAtScale, } = signals;
+    if (kind === 'decisions' && hasDecisionsAboutPeople)
+        return 'high';
+    // Excessive permissions paired with PII of any kind at scale is HIGH.
+    // Covers the LinkedIn ICP reference case where public PII + Google
+    // Sheets `spreadsheets` scope must not be MEDIUM per the prompt-anchor.
+    if (kind === 'access' && hasExcessivePerms && (hasSensitivePII || hasPublicPIIAtScale))
+        return 'high';
+    if (kind === 'access' && hasExcessivePerms)
+        return 'medium';
+    if (kind === 'write' && (hasOrgWideWrites || (hasIrreversibleWrites && hasSensitivePII)))
+        return 'high';
+    if (kind === 'write' && hasIrreversibleWrites)
+        return 'medium';
+    if (kind === 'data' && hasSensitivePII && (hasIrreversibleWrites || hasExcessivePerms))
+        return 'high';
+    if (kind === 'data' && hasSensitivePII)
+        return 'medium';
+    // Public PII at scale also raises the data-risk floor — retention,
+    // minimisation, and breach-readiness are active obligations regardless
+    // of sensitivity tier once volume crosses the threshold.
+    if (kind === 'data' && hasPublicPIIAtScale && hasExcessivePerms)
+        return 'high';
+    if (kind === 'data' && hasPublicPIIAtScale)
+        return 'medium';
+    return 'low';
+}
+/**
+ * Apply deterministic rule-based overrides to LLM-assigned risk severities.
+ *
+ * Rationale (AAP-43 P0 #1): LLMs at temperature=0 still flip severity labels
+ * run-to-run because of MoE routing / float arithmetic / load-balancer hops.
+ * For compliance-audit use this is unacceptable (reviewers: "determinism isn't
+ * optional in audit"). We therefore compute a rule-based severity floor from
+ * structured signals and take MAX(LLM, floor). LLM senior-auditor intuition
+ * is preserved when it exceeds the floor; otherwise the floor holds.
+ */
+export function applySeverityOverrides(risks, systems, makesDecisionsAboutPeople) {
+    const signals = computeSeveritySignals(systems, makesDecisionsAboutPeople);
+    return risks.map(risk => {
+        const kind = inferRiskKind(risk);
+        const floor = severityFloor(kind, signals);
+        return { ...risk, severity: maxSeverity(risk.severity, floor) };
+    });
+}
 //# sourceMappingURL=risk-scorer.js.map

package/dist/src/analysis/risk-scorer.js.map

@@ -1 +1 @@
-{"version":3,"file":"risk-scorer.js","sourceRoot":"","sources":["../../../src/analysis/risk-scorer.ts"],"names":[],"mappings":"AAaA,+EAA+E;AAE/E,MAAM,OAAO,GAAG;IACd,eAAe,EAAE,IAAI;IACrB,SAAS,EAAE,IAAI;IACf,aAAa,EAAE,IAAI;IACnB,UAAU,EAAE,IAAI;CACR,CAAC;AAEX,gFAAgF;AAEhF,MAAM,uBAAuB,GAAgC;IAC3D,eAAe,EAAE,GAAG;IACpB,aAAa,EAAE,GAAG;IAClB,YAAY,EAAE,GAAG;IACjB,UAAU,EAAE,IAAI;IAChB,cAAc,EAAE,GAAG;CACpB,CAAC;AAEF,gFAAgF;AAEhF,MAAM,kBAAkB,GAAG;IACzB,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW;IAC5D,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ;IAC7D,SAAS,EAAE,QAAQ,EAAE,cAAc;CACpC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAA2B,EAC3B,KAAa;IAEb,MAAM,SAAS,GAAG;QAChB,eAAe,EAAE,oBAAoB,CAAC,OAAO,CAAC;QAC9C,SAAS,EAAE,cAAc,CAAC,OAAO,CAAC;QAClC,aAAa,EAAE,kBAAkB,CAAC,OAAO,CAAC;QAC1C,UAAU,EAAE,eAAe,CAAC,OAAO,CAAC;KACrC,CAAC;IAEF,MAAM,QAAQ,GACZ,SAAS,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe;QACnD,SAAS,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS;QACvC,SAAS,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa;QAC/C,SAAS,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAE5C,yEAAyE;IACzE,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IAClG,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC;IAE/D,OAAO;QACL,OAAO,EAAE,YAAY,CAAC,KAAK,CAAC;QAC5B,KAAK;QACL,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,OAA2B;IACvD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,GAAG,CAAC,eAAe,CAAC,MAAM,IAAI,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC;QACzC,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QACnE,aAAa,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,GAAG,UAAU,GAAG,GAAG,CAAC;QAC5D,cAAc,EAAE,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,OAA2B;IACjD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QAEnE,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACxC,IAAI,UAAU,GAAG,EAAE,CAAC,CAAC,qBAAqB;YAE1C,IAAI,CAAC,KAAK,CAAC,UAAU;gBAAE,UAAU,IAAI,EAAE,CAAC,CAAS,oBAAoB;YACrE,IAAI,CAAC,KAAK,CAAC,gBAAgB;gBAAE,UAAU,IAAI,EAAE,CAAC,CAAI,mBAAmB;YACrE,UAAU,IAAI,UAAU,CAAC,CAA0B,wBAAwB;YAE3E,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,OAA2B;IACrD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAE5E,IAAI,QAAQ,KAAK,CAAC;YAAE,SAAS;QAE7B,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QACnE,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,GAAG,EAAE,CAAC,GAAG,UAAU,CAAC;QACnE,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAA2B;IAClD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,cAAc,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,CAAC;QAC7C,WAAW,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC;IACzC,CAAC;IAED,IAAI,WAAW,KAAK,CAAC;QAAE,OAAO,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1D,MAAM,KAAK,GAAG,cAAc,GAAG,WAAW,CAAC;IAC3C,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACzB,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC"}
+{"version":3,"file":"risk-scorer.js","sourceRoot":"","sources":["../../../src/analysis/risk-scorer.ts"],"names":[],"mappings":"AAaA,+EAA+E;AAE/E,MAAM,OAAO,GAAG;IACd,eAAe,EAAE,IAAI;IACrB,SAAS,EAAE,IAAI;IACf,aAAa,EAAE,IAAI;IACnB,UAAU,EAAE,IAAI;CACR,CAAC;AAEX,gFAAgF;AAEhF,MAAM,uBAAuB,GAAgC;IAC3D,eAAe,EAAE,GAAG;IACpB,aAAa,EAAE,GAAG;IAClB,YAAY,EAAE,GAAG;IACjB,UAAU,EAAE,IAAI;IAChB,cAAc,EAAE,GAAG;CACpB,CAAC;AAEF,gFAAgF;AAEhF,MAAM,kBAAkB,GAAG;IACzB,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW;IAC5D,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ;IAC7D,SAAS,EAAE,QAAQ,EAAE,cAAc;CACpC,CAAC;AAEF,+EAA+E;AAC/E,EAAE;AACF,0EAA0E;AAC1E,6EAA6E;AAC7E,mEAAmE;AACnE,kEAAkE;AAClE,2EAA2E;AAC3E,uEAAuE;AACvE,EAAE;AACF,6EAA6E;AAC7E,yEAAyE;AACzE,yEAAyE;AACzE,iDAAiD;AACjD,MAAM,mBAAmB,GAAG;IAC1B,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW;IACjE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU;IAC5D,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ;CACvD,CAAC;AACF,MAAM,qBAAqB,GAAG;IAC5B,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB;IAClE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU;IACnE,YAAY,EAAE,MAAM,EAAE,SAAS;CAChC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAA2B,EAC3B,KAAa;IAEb,MAAM,SAAS,GAAG;QAChB,eAAe,EAAE,oBAAoB,CAAC,OAAO,CAAC;QAC9C,SAAS,EAAE,cAAc,CAAC,OAAO,CAAC;QAClC,aAAa,EAAE,kBAAkB,CAAC,OAAO,CAAC;QAC1C,UAAU,EAAE,eAAe,CAAC,OAAO,CAAC;KACrC,CAAC;IAEF,MAAM,QAAQ,GACZ,SAAS,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe;QACnD,SAAS,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS;QACvC,SAAS,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa;QAC/C,SAAS,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAE5C,yEAAyE;IACzE,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IAClG,MAAM,UAAU,GAAG,mBAAmB,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC;IAE/D,OAAO;QACL,OAAO,EAAE,YAAY,CAAC,KAAK,CAAC;QAC5B,KAAK;QACL,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,OAA2B;IACvD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,GAAG,CAAC,eAAe,CAAC,MAAM,IAAI,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC;QACzC,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QACnE,aAAa,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC,GAAG,UAAU,GAAG,GAAG,CAAC;QAC5D,cAAc,EAAE,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,cAAc,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,OAA2B;IACjD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QAEnE,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YACxC,IAAI,UAAU,GAAG,EAAE,CAAC,CAAC,qBAAqB;YAE1C,IAAI,CAAC,KAAK,CAAC,UAAU;gBAAE,UAAU,IAAI,EAAE,CAAC,CAAS,oBAAoB;YACrE,IAAI,CAAC,KAAK,CAAC,gBAAgB;gBAAE,UAAU,IAAI,EAAE,CAAC,CAAI,mBAAmB;YACrE,UAAU,IAAI,UAAU,CAAC,CAA0B,wBAAwB;YAE3E,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CAAC,OAA2B;IACrD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAE5E,IAAI,QAAQ,KAAK,CAAC;YAAE,SAAS;QAE7B,MAAM,UAAU,GAAG,uBAAuB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC;QACnE,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,GAAG,EAAE,CAAC,GAAG,UAAU,CAAC;QACnE,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAA2B;IAClD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,cAAc,IAAI,GAAG,CAAC,eAAe,CAAC,MAAM,CAAC;QAC7C,WAAW,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC;IACzC,CAAC;IAED,IAAI,WAAW,KAAK,CAAC;QAAE,OAAO,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1D,MAAM,KAAK,GAAG,cAAc,GAAG,WAAW,CAAC;IAC3C,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACzB,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAE9E,MAAM,cAAc,GAA6B;IAC/C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,SAAS,WAAW,CAAC,CAAW,EAAE,CAAW;IAC3C,OAAO,cAAc,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACxD,CAAC;AAmBD;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAA2B,EAC3B,yBAAmC;IAEnC,MAAM,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QACvC,MAAM,IAAI,GAAG,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC7C,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC7C,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAC3C,CAAC;IAEF,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAEtE,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QACxC,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,KAAK,UAAU,IAAI,CAAC,CAAC,WAAW,KAAK,cAAc,CAAC;QAC/E,OAAO,KAAK,IAAI,CAAC,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,wEAAwE;IACxE,0EAA0E;IAC1E,yEAAyE;IACzE,yEAAyE;IACzE,kBAAkB;IAClB,MAAM,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QAC3C,MAAM,QAAQ,GACZ,GAAG,CAAC,CAAC,eAAe,IAAI,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,WAAW,EAAE,CAAC;QAC7E,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9E,IAAI,CAAC,iBAAiB;YAAE,OAAO,KAAK,CAAC;QACrC,MAAM,aAAa,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5E,MAAM,UAAU,GACd,CAAC,CAAC,WAAW,KAAK,UAAU,IAAI,CAAC,CAAC,WAAW,KAAK,cAAc,CAAC;QACnE,OAAO,aAAa,IAAI,UAAU,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,eAAe;QACf,qBAAqB;QACrB,iBAAiB;QACjB,gBAAgB;QAChB,uBAAuB,EAAE,OAAO,CAAC,yBAAyB,CAAC;QAC3D,mBAAmB;KACpB,CAAC;AACJ,CAAC;AAID,SAAS,aAAa,CAAC,IAAU;IAC/B,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/D,IAAI,2EAA2E,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,WAAW,CAAC;IAC/G,IAAI,2EAA2E,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1G,IAAI,sDAAsD,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC;IACtF,IAAI,oDAAoD,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IACrF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAc,EAAE,OAAwB;IAC7D,MAAM,EACJ,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,mBAAmB,GACpB,GAAG,OAAO,CAAC;IAEZ,IAAI,IAAI,KAAK,WAAW,IAAI,uBAAuB;QAAE,OAAO,MAAM,CAAC;IAEnE,sEAAsE;IACtE,mEAAmE;IACnE,wEAAwE;IACxE,IAAI,IAAI,KAAK,QAAQ,IAAI,iBAAiB,IAAI,CAAC,eAAe,IAAI,mBAAmB,CAAC;QAAE,OAAO,MAAM,CAAC;IACtG,IAAI,IAAI,KAAK,QAAQ,IAAI,iBAAiB;QAAE,OAAO,QAAQ,CAAC;IAE5D,IAAI,IAAI,KAAK,OAAO,IAAI,CAAC,gBAAgB,IAAI,CAAC,qBAAqB,IAAI,eAAe,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IACxG,IAAI,IAAI,KAAK,OAAO,IAAI,qBAAqB;QAAE,OAAO,QAAQ,CAAC;IAE/D,IAAI,IAAI,KAAK,MAAM,IAAI,eAAe,IAAI,CAAC,qBAAqB,IAAI,iBAAiB,CAAC;QAAE,OAAO,MAAM,CAAC;IACtG,IAAI,IAAI,KAAK,MAAM,IAAI,eAAe;QAAE,OAAO,QAAQ,CAAC;IACxD,mEAAmE;IACnE,uEAAuE;IACvE,yDAAyD;IACzD,IAAI,IAAI,KAAK,MAAM,IAAI,mBAAmB,IAAI,iBAAiB;QAAE,OAAO,MAAM,CAAC;IAC/E,IAAI,IAAI,KAAK,MAAM,IAAI,mBAAmB;QAAE,OAAO,QAAQ,CAAC;IAE5D,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,OAA2B,EAC3B,yBAAmC;IAEnC,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IAC3E,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QACtB,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/commands/diff.d.ts

@@ -0,0 +1,17 @@
+export interface DiffCommandOptions {
+    oldPath: string;
+    newPath: string;
+    /** -o flag. If set, diff is written here. */
+    outputPath?: string;
+    /** --report-dir flag. Defaults to ./reports. Ignored if outputPath is set. */
+    reportDir?: string;
+    llmProvider?: string;
+    llmModel?: string;
+    llmKey?: string;
+}
+/**
+ * CLI handler for `heron diff <old> <new>`. Reads both reports, generates a
+ * markdown diff via the LLM, writes it to disk, and prints a short summary.
+ */
+export declare function runDiffCommand(opts: DiffCommandOptions): Promise<void>;
+//# sourceMappingURL=diff.d.ts.map

package/dist/src/commands/diff.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../../src/commands/diff.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+C5E"}

package/dist/src/commands/diff.js

@@ -0,0 +1,63 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { basename, dirname } from 'node:path';
+import { createLLMClient } from '../llm/client.js';
+import { diffReports } from '../diff/differ.js';
+import * as logger from '../util/logger.js';
+/**
+ * CLI handler for `heron diff <old> <new>`. Reads both reports, generates a
+ * markdown diff via the LLM, writes it to disk, and prints a short summary.
+ */
+export async function runDiffCommand(opts) {
+    // 1. Check both input files exist.
+    if (!existsSync(opts.oldPath)) {
+        throw new Error(`file not found: ${opts.oldPath}`);
+    }
+    if (!existsSync(opts.newPath)) {
+        throw new Error(`file not found: ${opts.newPath}`);
+    }
+    // 2. Read both reports.
+    const oldReport = readFileSync(opts.oldPath, 'utf-8');
+    const newReport = readFileSync(opts.newPath, 'utf-8');
+    // 3. Extract metadata from report headers for stdout summary.
+    const oldMeta = extractReportMeta(oldReport);
+    const newMeta = extractReportMeta(newReport);
+    // 4. Decide save path.
+    const reportDir = opts.reportDir ?? './reports';
+    const defaultName = `diff-${stripMdExt(basename(opts.oldPath))}-${stripMdExt(basename(opts.newPath))}.md`;
+    const savePath = opts.outputPath ?? `${reportDir}/${defaultName}`;
+    // 5. Create LLM client (same flow as `scan`).
+    const llmConfig = {
+        provider: opts.llmProvider ?? 'anthropic',
+        model: opts.llmModel,
+        apiKey: opts.llmKey,
+    };
+    const llmClient = await createLLMClient(llmConfig);
+    // 6. Run the diff.
+    logger.raw('');
+    logger.raw(`  \x1b[1mHeron Report Diff\x1b[0m`);
+    logger.raw('');
+    logger.raw(`  \x1b[33m⏳ Comparing reports...\x1b[0m`);
+    const diff = await diffReports(oldReport, newReport, llmClient);
+    // 7. Write to disk (mkdirp the directory).
+    mkdirSync(dirname(savePath), { recursive: true });
+    writeFileSync(savePath, diff, 'utf-8');
+    // 8. Print the summary.
+    logger.raw('');
+    logger.raw(`  Old:   ${opts.oldPath}  (${oldMeta.date}, ${oldMeta.risk})`);
+    logger.raw(`  New:   ${opts.newPath}  (${newMeta.date}, ${newMeta.risk})`);
+    logger.raw(`  Diff:  ${savePath}`);
+    logger.raw('');
+}
+/** Extract `**Generated**: <date>` and `**Risk Level**: <level>` from a Heron report header. */
+function extractReportMeta(report) {
+    const dateMatch = report.match(/\*\*Generated\*\*:\s*([^\s|]+)/);
+    const riskMatch = report.match(/\*\*Risk Level\*\*:\s*(\w+)/i);
+    return {
+        date: dateMatch?.[1] ?? 'unknown',
+        risk: riskMatch?.[1]?.toUpperCase() ?? 'unknown',
+    };
+}
+function stripMdExt(name) {
+    return name.replace(/\.md$/i, '');
+}
+//# sourceMappingURL=diff.js.map

package/dist/src/commands/diff.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../../src/commands/diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,KAAK,MAAM,MAAM,mBAAmB,CAAC;AAc5C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAwB;IAC3D,mCAAmC;IACnC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,wBAAwB;IACxB,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEtD,8DAA8D;IAC9D,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAE7C,uBAAuB;IACvB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,WAAW,CAAC;IAChD,MAAM,WAAW,GAAG,QAAQ,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC;IAC1G,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,IAAI,GAAG,SAAS,IAAI,WAAW,EAAE,CAAC;IAElE,8CAA8C;IAC9C,MAAM,SAAS,GAAc;QAC3B,QAAQ,EAAG,IAAI,CAAC,WAAiD,IAAI,WAAW;QAChF,KAAK,EAAE,IAAI,CAAC,QAAQ;QACpB,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;IAEnD,mBAAmB;IACnB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IAChD,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAEhE,2CAA2C;IAC3C,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAEvC,wBAAwB;IACxB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,CAAC,GAAG,CAAC,YAAY,IAAI,CAAC,OAAO,MAAM,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;IAC3E,MAAM,CAAC,GAAG,CAAC,YAAY,IAAI,CAAC,OAAO,MAAM,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;IAC3E,MAAM,CAAC,GAAG,CAAC,YAAY,QAAQ,EAAE,CAAC,CAAC;IACnC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AACjB,CAAC;AAOD,gGAAgG;AAChG,SAAS,iBAAiB,CAAC,MAAc;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC/D,OAAO;QACL,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS;QACjC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,SAAS;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;AACpC,CAAC"}