infernoflow 0.37.0 → 0.37.3

package/dist/lib/commands/ask.mjs

@@ -1,299 +1,4 @@
-/**
- * infernoflow ask
- *
- * Query session memory by keyword, topic, or type.
- * The killer use case: before an AI agent tries something, it asks
- * "what have we already tried for this?" — avoiding repeated mistakes.
- *
- * Ranking:
- *   1. gotcha   (highest — these are landmines, must surface first)
- *   2. decision (architectural choices)
- *   3. attempt  (things tried, especially failed ones)
- *   4. preference
- *   5. theme
- *   6. note / error / handoff
- *
- * Usage:
- *   infernoflow ask "auth"                  Search all entries containing "auth"
- *   infernoflow ask "upload flow"           Multi-word fuzzy search
- *   infernoflow ask --type gotcha           All gotchas, no filter
- *   infernoflow ask "s3" --type attempt     Attempts mentioning S3
- *   infernoflow ask --recent                Last 10 entries regardless of type
- *   infernoflow ask "stripe" --json         Machine-readable results
- *
- * MCP use (agent-facing):
- *   infernoflow_ask({ query: "what did we try for payments?" })
- *   → Returns relevant entries so the agent avoids repeating failed work
- */
-
-import * as fs   from "node:fs";
-import * as path from "node:path";
-import { bold, cyan, gray, green, yellow, red } from "../ui/output.mjs";
-
-const INFERNO_DIR   = "inferno";
-const SESSIONS_FILE = path.join(INFERNO_DIR, "sessions.jsonl");
-
-// ── Type priority (lower = shown first) ──────────────────────────────────────
-
-const TYPE_PRIORITY = {
-  gotcha:     0,
-  decision:   1,
-  attempt:    2,
-  preference: 3,
-  theme:      4,
-  note:       5,
-  error:      5,
-  handoff:    6,
-};
-
-const TYPE_ICONS = {
-  gotcha:     "⚠",
-  decision:   "✓",
-  attempt:    "↺",
-  preference: "♦",
-  theme:      "🎨",
-  note:       "·",
-  error:      "✗",
-  handoff:    "→",
-};
-
-const TYPE_COLORS = {
-  gotcha:     yellow,
-  decision:   green,
-  attempt:    cyan,
-  preference: cyan,
-  theme:      cyan,
-  note:       gray,
-  error:      red,
-  handoff:    gray,
-};
-
-// ── Tokeniser for fuzzy matching ──────────────────────────────────────────────
-
-function tokenise(str) {
-  return str.toLowerCase()
-    .replace(/[^a-z0-9\s]/g, " ")
-    .split(/\s+/)
-    .filter(t => t.length > 1);
-}
-
-/**
- * Score an entry against a query.
- * Returns 0 if no match, >0 otherwise.
- * Higher score = more relevant.
- */
-function scoreEntry(entry, queryTokens) {
-  const text = [entry.summary || "", entry.type || ""].join(" ").toLowerCase();
-  const entryTokens = tokenise(text);
-
-  let score = 0;
-  for (const qt of queryTokens) {
-    // Exact substring match in summary (strongest signal)
-    if ((entry.summary || "").toLowerCase().includes(qt)) {
-      score += 3;
-    }
-    // Token in entry text
-    if (entryTokens.includes(qt)) {
-      score += 1;
-    }
-    // Partial prefix match (e.g. "auth" matches "authentication")
-    if (entryTokens.some(et => et.startsWith(qt) || qt.startsWith(et))) {
-      score += 0.5;
-    }
-  }
-
-  return score;
-}
-
-// ── formatters ────────────────────────────────────────────────────────────────
-
-function fmtRelDate(iso) {
-  if (!iso) return "";
-  const d = new Date(iso);
-  const diff = Date.now() - d.getTime();
-  const days = Math.floor(diff / 86400000);
-  if (days === 0) return "today";
-  if (days === 1) return "yesterday";
-  if (days < 7)  return `${days}d ago`;
-  if (days < 30) return `${Math.floor(days / 7)}w ago`;
-  return d.toLocaleDateString("en-GB", { day: "2-digit", month: "short" });
-}
-
-function printEntry(entry, highlight) {
-  const type     = entry.type || "note";
-  const icon     = TYPE_ICONS[type]  || "·";
-  const colorFn  = TYPE_COLORS[type] || gray;
-  const result   = entry.result ? gray(` [${entry.result}]`) : "";
-  const agent    = entry.agent ? gray(` — ${entry.agent}`) : "";
-  const date     = gray(` (${fmtRelDate(entry.ts)})`);
-
-  let summary = entry.summary || "";
-
-  // Bold the matched keyword in the summary
-  if (highlight) {
-    for (const word of highlight) {
-      const re = new RegExp(`(${word})`, "gi");
-      summary = summary.replace(re, (m) => bold(m));
-    }
-  }
-
-  console.log(`  ${colorFn(icon + " " + type.padEnd(11))}${result}${agent}${date}`);
-  console.log(`    ${summary}`);
-}
-
-// ── load + search ─────────────────────────────────────────────────────────────
-
-function loadSessions(cwd) {
-  const p = path.join(cwd, SESSIONS_FILE);
-  if (!fs.existsSync(p)) return [];
-  return fs.readFileSync(p, "utf8")
-    .split("\n").filter(Boolean)
-    .map(l => { try { return JSON.parse(l); } catch { return null; } })
-    .filter(Boolean);
-}
-
-function search(entries, queryTokens, typeFilter, limit) {
-  let candidates = entries;
-
-  // Filter by type if specified
-  if (typeFilter) {
-    candidates = candidates.filter(e => (e.type || "note") === typeFilter);
-  }
-
-  // Score and filter
-  let scored;
-  if (queryTokens.length > 0) {
-    scored = candidates
-      .map(e => ({ entry: e, score: scoreEntry(e, queryTokens) }))
-      .filter(({ score }) => score > 0)
-      .sort((a, b) => {
-        // Primary: score descending
-        if (b.score !== a.score) return b.score - a.score;
-        // Secondary: type priority
-        const pa = TYPE_PRIORITY[a.entry.type] ?? 9;
-        const pb = TYPE_PRIORITY[b.entry.type] ?? 9;
-        if (pa !== pb) return pa - pb;
-        // Tertiary: newest first
-        return new Date(b.entry.ts || 0) - new Date(a.entry.ts || 0);
-      });
-  } else {
-    // No query — sort by type priority then newest
-    scored = candidates
-      .map(e => ({ entry: e, score: 1 }))
-      .sort((a, b) => {
-        const pa = TYPE_PRIORITY[a.entry.type] ?? 9;
-        const pb = TYPE_PRIORITY[b.entry.type] ?? 9;
-        if (pa !== pb) return pa - pb;
-        return new Date(b.entry.ts || 0) - new Date(a.entry.ts || 0);
-      });
-  }
-
-  return scored.slice(0, limit || 20);
-}
-
-// ── entry point ───────────────────────────────────────────────────────────────
-
-export async function askCommand(rawArgs = []) {
-  const args = rawArgs;
-
-  // Parse flags
-  const typeIdx   = args.indexOf("--type");
-  const typeFilter = typeIdx !== -1 ? args[typeIdx + 1] : null;
-  const limitIdx  = args.indexOf("--limit") !== -1 ? args.indexOf("--limit") : args.indexOf("-n");
-  const limit     = limitIdx !== -1 ? parseInt(args[limitIdx + 1] || "20", 10) : 15;
-  const jsonMode  = args.includes("--json");
-  const recentMode = args.includes("--recent") || args.includes("-r");
-
-  // Query = all non-flag args joined
-  const queryWords = args.filter((a, i) => {
-    if (a.startsWith("--")) return false;
-    if (i > 0 && args[i - 1].startsWith("--")) return false; // flag value
-    return true;
-  });
-  const queryStr    = queryWords.join(" ").trim();
-  const queryTokens = recentMode ? [] : tokenise(queryStr);
-
-  const cwd      = process.cwd();
-  const sessions = loadSessions(cwd);
-
-  if (sessions.length === 0) {
-    if (jsonMode) { console.log(JSON.stringify({ results: [], total: 0 })); return; }
-    console.log(gray("\n  No session memory yet."));
-    console.log(gray("  Run: infernoflow log \"<what happened>\" --type gotcha\n"));
-    return;
-  }
-
-  // For --recent: just return last N entries without scoring
-  const results = recentMode
-    ? sessions.slice(-limit).reverse().map(e => ({ entry: e, score: 1 }))
-    : search(sessions, queryTokens, typeFilter, limit);
-
-  if (jsonMode) {
-    console.log(JSON.stringify({
-      query:   queryStr,
-      type:    typeFilter,
-      total:   sessions.length,
-      matched: results.length,
-      results: results.map(({ entry, score }) => ({ ...entry, relevanceScore: score })),
-    }, null, 2));
-    return;
-  }
-
-  // ── Header ──────────────────────────────────────────────────────────────
-  console.log();
-  if (queryStr) {
-    console.log(`  ${bold("🔥 infernoflow ask")} ${cyan(`"${queryStr}"`)}${typeFilter ? gray(` [${typeFilter}]`) : ""}`);
-  } else if (recentMode) {
-    console.log(`  ${bold("🔥 infernoflow ask")} ${gray("— recent entries")}`);
-  } else {
-    console.log(`  ${bold("🔥 infernoflow ask")} ${gray("— all entries")}${typeFilter ? gray(` [${typeFilter}]`) : ""}`);
-  }
-  console.log(gray(`  ${"─".repeat(52)}`));
-
-  if (results.length === 0) {
-    console.log();
-    if (queryStr) {
-      console.log(gray(`  No entries found for "${queryStr}"`));
-      if (typeFilter) console.log(gray(`  Try removing --type ${typeFilter} to widen the search`));
-    } else {
-      console.log(gray("  No entries found."));
-    }
-    console.log();
-    return;
-  }
-
-  // ── Group by type for display ────────────────────────────────────────────
-  const byType = new Map();
-  for (const { entry, score } of results) {
-    const t = entry.type || "note";
-    if (!byType.has(t)) byType.set(t, []);
-    byType.get(t).push({ entry, score });
-  }
-
-  // Print in priority order
-  const typeOrder = Object.keys(TYPE_PRIORITY).sort((a, b) => TYPE_PRIORITY[a] - TYPE_PRIORITY[b]);
-
-  let printed = 0;
-  for (const type of typeOrder) {
-    const group = byType.get(type);
-    if (!group?.length) continue;
-
-    console.log();
-    const colorFn = TYPE_COLORS[type] || gray;
-    console.log(colorFn(`  ${TYPE_ICONS[type]} ${type.toUpperCase()}S (${group.length})`));
-    console.log(gray("  " + "─".repeat(50)));
-
-    for (const { entry } of group) {
-      console.log();
-      printEntry(entry, queryTokens);
-      printed++;
-    }
-  }
-
-  console.log();
-  console.log(gray(`  ${printed} result${printed !== 1 ? "s" : ""} from ${sessions.length} total entries`));
-  if (results.length === limit && sessions.length > limit) {
-    console.log(gray(`  Use --limit N to see more`));
-  }
-  console.log();
-}
+import*as x from"node:fs";import*as E from"node:path";import{bold as w,cyan as S,gray as s,green as k,yellow as C,red as L}from"../ui/output.mjs";const W="inferno",q=E.join(W,"sessions.jsonl"),p={gotcha:0,decision:1,attempt:2,preference:3,theme:4,note:5,error:5,handoff:6},I={gotcha:"\u26A0",decision:"\u2713",attempt:"\u21BA",preference:"\u2666",theme:"\u{1F3A8}",note:"\xB7",error:"\u2717",handoff:"\u2192"},D={gotcha:C,decision:k,attempt:S,preference:S,theme:S,note:s,error:L,handoff:s};function j(o){return o.toLowerCase().replace(/[^a-z0-9\s]/g," ").split(/\s+/).filter(e=>e.length>1)}function F(o,e){const r=[o.summary||"",o.type||""].join(" ").toLowerCase(),n=j(r);let i=0;for(const c of e)(o.summary||"").toLowerCase().includes(c)&&(i+=3),n.includes(c)&&(i+=1),n.some(t=>t.startsWith(c)||c.startsWith(t))&&(i+=.5);return i}function M(o){if(!o)return"";const e=new Date(o),r=Date.now()-e.getTime(),n=Math.floor(r/864e5);return n===0?"today":n===1?"yesterday":n<7?`${n}d ago`:n<30?`${Math.floor(n/7)}w ago`:e.toLocaleDateString("en-GB",{day:"2-digit",month:"short"})}function _(o,e){const r=o.type||"note",n=I[r]||"\xB7",i=D[r]||s,c=o.result?s(` [${o.result}]`):"",t=o.agent?s(` \u2014 ${o.agent}`):"",a=s(` (${M(o.ts)})`);let g=o.summary||"";if(e)for(const f of e){const h=new RegExp(`(${f})`,"gi");g=g.replace(h,O=>w(O))}console.log(`  ${i(n+" "+r.padEnd(11))}${c}${t}${a}`),console.log(`    ${g}`)}function P(o){const e=E.join(o,q);return x.existsSync(e)?x.readFileSync(e,"utf8").split(`
+`).filter(Boolean).map(r=>{try{return JSON.parse(r)}catch{return null}}).filter(Boolean):[]}function Y(o,e,r,n){let i=o;r&&(i=i.filter(t=>(t.type||"note")===r));let c;return e.length>0?c=i.map(t=>({entry:t,score:F(t,e)})).filter(({score:t})=>t>0).sort((t,a)=>{if(a.score!==t.score)return a.score-t.score;const g=p[t.entry.type]??9,f=p[a.entry.type]??9;return g!==f?g-f:new Date(a.entry.ts||0)-new Date(t.entry.ts||0)}):c=i.map(t=>({entry:t,score:1})).sort((t,a)=>{const g=p[t.entry.type]??9,f=p[a.entry.type]??9;return g!==f?g-f:new Date(a.entry.ts||0)-new Date(t.entry.ts||0)}),c.slice(0,n||20)}async function B(o=[]){const e=o,r=e.indexOf("--type"),n=r!==-1?e[r+1]:null,i=e.indexOf("--limit")!==-1?e.indexOf("--limit"):e.indexOf("-n"),c=i!==-1?parseInt(e[i+1]||"20",10):15,t=e.includes("--json"),a=e.includes("--recent")||e.includes("-r"),f=e.filter((l,u)=>!(l.startsWith("--")||u>0&&e[u-1].startsWith("--"))).join(" ").trim(),h=a?[]:j(f),O=process.cwd(),y=P(O);if(y.length===0){if(t){console.log(JSON.stringify({results:[],total:0}));return}console.log(s(`
+  No session memory yet.`)),console.log(s(`  Run: infernoflow log "<what happened>" --type gotcha
+`));return}const d=a?y.slice(-c).reverse().map(l=>({entry:l,score:1})):Y(y,h,n,c);if(t){console.log(JSON.stringify({query:f,type:n,total:y.length,matched:d.length,results:d.map(({entry:l,score:u})=>({...l,relevanceScore:u}))},null,2));return}if(console.log(),console.log(f?`  ${w("\u{1F525} infernoflow ask")} ${S(`"${f}"`)}${n?s(` [${n}]`):""}`:a?`  ${w("\u{1F525} infernoflow ask")} ${s("\u2014 recent entries")}`:`  ${w("\u{1F525} infernoflow ask")} ${s("\u2014 all entries")}${n?s(` [${n}]`):""}`),console.log(s(`  ${"\u2500".repeat(52)}`)),d.length===0){console.log(),f?(console.log(s(`  No entries found for "${f}"`)),n&&console.log(s(`  Try removing --type ${n} to widen the search`))):console.log(s("  No entries found.")),console.log();return}const $=new Map;for(const{entry:l,score:u}of d){const m=l.type||"note";$.has(m)||$.set(m,[]),$.get(m).push({entry:l,score:u})}const R=Object.keys(p).sort((l,u)=>p[l]-p[u]);let N=0;for(const l of R){const u=$.get(l);if(!u?.length)continue;console.log();const m=D[l]||s;console.log(m(`  ${I[l]} ${l.toUpperCase()}S (${u.length})`)),console.log(s("  "+"\u2500".repeat(50)));for(const{entry:T}of u)console.log(),_(T,h),N++}console.log(),console.log(s(`  ${N} result${N!==1?"s":""} from ${y.length} total entries`)),d.length===c&&y.length>c&&console.log(s("  Use --limit N to see more")),console.log()}export{B as askCommand};

package/dist/lib/commands/audit.mjs

@@ -1,204 +1,6 @@
-/**
- * infernoflow audit
- *
- * Classify capabilities by security sensitivity and generate a surface map.
- * Tags each capability with one or more sensitivity labels:
- *   auth      — authentication / authorization / sessions / tokens
- *   payment   — billing, subscriptions, pricing, invoices
- *   pii       — personal data, email, address, phone, GDPR scope
- *   admin     — privileged operations, configuration, user management
- *   public    — read-only, no auth required
- *
- * Stores results in inferno/audit.json (git-trackable).
- *
- * Usage:
- *   infernoflow audit                   Run audit, print summary
- *   infernoflow audit --format json     Machine-readable JSON to stdout
- *   infernoflow audit --format html     Write HTML report
- *   infernoflow audit --out audit.html  Custom output path
- *   infernoflow audit --fail-on high    Exit 1 if any HIGH caps are unreviewed
- *   infernoflow audit --json            Alias for --format json
- */
-
-import * as fs   from "node:fs";
-import * as path from "node:path";
-import { done, warn, info, bold, cyan, gray, green, yellow, red } from "../ui/output.mjs";
-
-const AUDIT_FILE = "audit.json";
-
-// ── Sensitivity keyword maps ──────────────────────────────────────────────────
-
-const SENSITIVITY_RULES = [
-  {
-    tag:      "auth",
-    severity: "high",
-    label:    "Authentication / Authorization",
-    keywords: [
-      "auth", "login", "logout", "signin", "signout", "signup",
-      "password", "credential", "token", "session", "oauth",
-      "jwt", "permission", "role", "access", "privilege", "2fa",
-      "mfa", "sso", "saml", "openid", "verify", "authenticate",
-    ],
-  },
-  {
-    tag:      "payment",
-    severity: "high",
-    label:    "Payment / Billing",
-    keywords: [
-      "payment", "billing", "invoice", "charge", "subscription",
-      "checkout", "stripe", "card", "credit", "debit", "price",
-      "plan", "tier", "coupon", "refund", "transaction", "purchase",
-      "order", "cart", "paypal", "wallet",
-    ],
-  },
-  {
-    tag:      "pii",
-    severity: "high",
-    label:    "Personal / PII Data",
-    keywords: [
-      "pii", "personal", "profile", "email", "phone", "address",
-      "name", "user", "account", "gdpr", "privacy", "data",
-      "export", "download", "delete account", "identity", "dob",
-      "birthday", "ssn", "passport", "tax",
-    ],
-  },
-  {
-    tag:      "admin",
-    severity: "medium",
-    label:    "Admin / Privileged",
-    keywords: [
-      "admin", "manage", "config", "setting", "system", "deploy",
-      "migration", "seed", "reset", "purge", "archive", "batch",
-      "bulk", "impersonate", "override", "feature flag",
-    ],
-  },
-  {
-    tag:      "public",
-    severity: "low",
-    label:    "Public / Read-only",
-    keywords: [
-      "list", "search", "view", "read", "fetch", "get", "show",
-      "display", "browse", "filter", "sort", "paginate",
-    ],
-  },
-];
-
-const SEVERITY_ORDER = { high: 3, medium: 2, low: 1, unknown: 0 };
-
-// ── Classification ────────────────────────────────────────────────────────────
-
-function classifyCapability(cap) {
-  const text = [
-    typeof cap === "string" ? cap : "",
-    cap?.id     || "",
-    cap?.name   || "",
-    cap?.description || "",
-    (cap?.tags  || []).join(" "),
-  ].join(" ").toLowerCase();
-
-  const matched = [];
-  for (const rule of SENSITIVITY_RULES) {
-    if (rule.keywords.some(kw => text.includes(kw))) {
-      matched.push(rule);
-    }
-  }
-
-  // Remove "public" if any higher-severity tag also matched
-  const hasHigher = matched.some(r => r.tag !== "public" && r.severity !== "low");
-  const filtered  = hasHigher ? matched.filter(r => r.tag !== "public") : matched;
-
-  if (!filtered.length) {
-    return { tags: ["unknown"], severity: "unknown", labels: ["Unclassified"] };
-  }
-
-  const severity = filtered.reduce((best, r) => {
-    return SEVERITY_ORDER[r.severity] > SEVERITY_ORDER[best] ? r.severity : best;
-  }, "low");
-
-  return {
-    tags:     filtered.map(r => r.tag),
-    severity,
-    labels:   filtered.map(r => r.label),
-  };
-}
-
-// ── Storage ───────────────────────────────────────────────────────────────────
-
-function readAudit(infernoDir) {
-  const p = path.join(infernoDir, AUDIT_FILE);
-  if (!fs.existsSync(p)) return {};
-  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return {}; }
-}
-
-function writeAudit(infernoDir, data) {
-  fs.writeFileSync(path.join(infernoDir, AUDIT_FILE), JSON.stringify(data, null, 2) + "\n");
-}
-
-function readContract(infernoDir) {
-  for (const f of ["contract.json", "capabilities.json"]) {
-    const p = path.join(infernoDir, f);
-    if (fs.existsSync(p)) {
-      try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch {}
-    }
-  }
-  return null;
-}
-
-// ── Formatters ────────────────────────────────────────────────────────────────
-
-function severityColor(sev) {
-  if (sev === "high")    return red;
-  if (sev === "medium")  return yellow;
-  if (sev === "low")     return green;
-  return gray;
-}
-
-function severityIcon(sev) {
-  if (sev === "high")   return "🔴";
-  if (sev === "medium") return "🟡";
-  if (sev === "low")    return "🟢";
-  return "⚪";
-}
-
-function printTextReport(results, stats) {
-  const bySeverity = { high: [], medium: [], low: [], unknown: [] };
-  for (const r of results) (bySeverity[r.severity] || bySeverity.unknown).push(r);
-
-  console.log();
-  console.log(`  ${bold("🔥 infernoflow audit — Security Surface Map")}`);
-  console.log();
-  console.log(`  ${bold(String(results.length))} capabilities scanned`);
-  console.log(`  ${red(String(stats.high))} high · ${yellow(String(stats.medium))} medium · ${green(String(stats.low))} low · ${gray(String(stats.unknown))} unclassified`);
-  console.log();
-
-  for (const [sev, items] of Object.entries(bySeverity)) {
-    if (!items.length) continue;
-    const col = severityColor(sev);
-    console.log(`  ${col(bold(`${sev.toUpperCase()} (${items.length})`))}`);
-    for (const item of items) {
-      const tagStr = item.tags.join(", ");
-      console.log(`  ${col("▸")} ${bold(item.id.padEnd(30))} ${gray(tagStr)}`);
-      if (item.description) console.log(`    ${gray(item.description.slice(0, 72))}`);
-    }
-    console.log();
-  }
-
-  if (stats.unknown > 0) {
-    console.log(`  ${gray("Tip: Add descriptions to unclassified capabilities for better detection.")}`);
-    console.log();
-  }
-}
-
-function buildHtmlReport(results, stats, runAt) {
-  const rows = results.map(r => {
-    const sev  = r.severity;
-    const cls  = sev === "high" ? "high" : sev === "medium" ? "med" : sev === "low" ? "low" : "unk";
-    const tags = r.tags.join(", ");
-    const icon = severityIcon(sev);
-    return `<tr class="${cls}"><td>${icon} ${sev}</td><td><strong>${escHtml(r.id)}</strong></td><td>${escHtml(tags)}</td><td>${escHtml(r.description || "")}</td></tr>`;
-  }).join("\n");
-
-  return `<!DOCTYPE html>
+import*as d from"node:fs";import*as u from"node:path";import{done as I,warn as N,bold as g,gray as m,green as T,yellow as C,red as b}from"../ui/output.mjs";const x="audit.json",A=[{tag:"auth",severity:"high",label:"Authentication / Authorization",keywords:["auth","login","logout","signin","signout","signup","password","credential","token","session","oauth","jwt","permission","role","access","privilege","2fa","mfa","sso","saml","openid","verify","authenticate"]},{tag:"payment",severity:"high",label:"Payment / Billing",keywords:["payment","billing","invoice","charge","subscription","checkout","stripe","card","credit","debit","price","plan","tier","coupon","refund","transaction","purchase","order","cart","paypal","wallet"]},{tag:"pii",severity:"high",label:"Personal / PII Data",keywords:["pii","personal","profile","email","phone","address","name","user","account","gdpr","privacy","data","export","download","delete account","identity","dob","birthday","ssn","passport","tax"]},{tag:"admin",severity:"medium",label:"Admin / Privileged",keywords:["admin","manage","config","setting","system","deploy","migration","seed","reset","purge","archive","batch","bulk","impersonate","override","feature flag"]},{tag:"public",severity:"low",label:"Public / Read-only",keywords:["list","search","view","read","fetch","get","show","display","browse","filter","sort","paginate"]}],p={high:3,medium:2,low:1,unknown:0};function R(o){const t=[typeof o=="string"?o:"",o?.id||"",o?.name||"",o?.description||"",(o?.tags||[]).join(" ")].join(" ").toLowerCase(),n=[];for(const e of A)e.keywords.some(l=>t.includes(l))&&n.push(e);const s=n.some(e=>e.tag!=="public"&&e.severity!=="low")?n.filter(e=>e.tag!=="public"):n;if(!s.length)return{tags:["unknown"],severity:"unknown",labels:["Unclassified"]};const r=s.reduce((e,l)=>p[l.severity]>p[e]?l.severity:e,"low");return{tags:s.map(e=>e.tag),severity:r,labels:s.map(e=>e.label)}}function _(o){const t=u.join(o,x);if(!d.existsSync(t))return{};try{return JSON.parse(d.readFileSync(t,"utf8"))}catch{return{}}}function H(o,t){d.writeFileSync(u.join(o,x),JSON.stringify(t,null,2)+`
+`)}function P(o){for(const t of["contract.json","capabilities.json"]){const n=u.join(o,t);if(d.existsSync(n))try{return JSON.parse(d.readFileSync(n,"utf8"))}catch{}}return null}function U(o){return o==="high"?b:o==="medium"?C:o==="low"?T:m}function F(o){return o==="high"?"\u{1F534}":o==="medium"?"\u{1F7E1}":o==="low"?"\u{1F7E2}":"\u26AA"}function J(o,t){const n={high:[],medium:[],low:[],unknown:[]};for(const c of o)(n[c.severity]||n.unknown).push(c);console.log(),console.log(`  ${g("\u{1F525} infernoflow audit \u2014 Security Surface Map")}`),console.log(),console.log(`  ${g(String(o.length))} capabilities scanned`),console.log(`  ${b(String(t.high))} high \xB7 ${C(String(t.medium))} medium \xB7 ${T(String(t.low))} low \xB7 ${m(String(t.unknown))} unclassified`),console.log();for(const[c,s]of Object.entries(n)){if(!s.length)continue;const r=U(c);console.log(`  ${r(g(`${c.toUpperCase()} (${s.length})`))}`);for(const e of s){const l=e.tags.join(", ");console.log(`  ${r("\u25B8")} ${g(e.id.padEnd(30))} ${m(l)}`),e.description&&console.log(`    ${m(e.description.slice(0,72))}`)}console.log()}t.unknown>0&&(console.log(`  ${m("Tip: Add descriptions to unclassified capabilities for better detection.")}`),console.log())}function z(o,t,n){const c=o.map(s=>{const r=s.severity,e=r==="high"?"high":r==="medium"?"med":r==="low"?"low":"unk",l=s.tags.join(", "),y=F(r);return`<tr class="${e}"><td>${y} ${r}</td><td><strong>${k(s.id)}</strong></td><td>${k(l)}</td><td>${k(s.description||"")}</td></tr>`}).join(`
+`);return`<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
@@ -226,110 +28,21 @@ function buildHtmlReport(results, stats, runAt) {
 </style>
 </head>
 <body>
-<h1>🔥 infernoflow audit</h1>
-<p class="meta">Generated ${runAt}</p>
+<h1>\u{1F525} infernoflow audit</h1>
+<p class="meta">Generated ${n}</p>
 <div class="stats">
-  <div class="stat high"><div class="n">${stats.high}</div><div class="l">HIGH</div></div>
-  <div class="stat med"><div class="n">${stats.medium}</div><div class="l">MEDIUM</div></div>
-  <div class="stat low"><div class="n">${stats.low}</div><div class="l">LOW</div></div>
-  <div class="stat unk"><div class="n">${stats.unknown}</div><div class="l">UNKNOWN</div></div>
+  <div class="stat high"><div class="n">${t.high}</div><div class="l">HIGH</div></div>
+  <div class="stat med"><div class="n">${t.medium}</div><div class="l">MEDIUM</div></div>
+  <div class="stat low"><div class="n">${t.low}</div><div class="l">LOW</div></div>
+  <div class="stat unk"><div class="n">${t.unknown}</div><div class="l">UNKNOWN</div></div>
 </div>
 <table>
 <thead><tr><th>Severity</th><th>Capability</th><th>Tags</th><th>Description</th></tr></thead>
 <tbody>
-${rows}
+${c}
 </tbody>
 </table>
 </body>
-</html>`;
-}
-
-function escHtml(str) {
-  return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-
-// ── Entry ─────────────────────────────────────────────────────────────────────
-
-export async function auditCommand(rawArgs) {
-  const args      = rawArgs.slice(1);
-  const jsonMode  = args.includes("--json") || args.includes("--format") && args[args.indexOf("--format") + 1] === "json";
-  const cwd       = process.cwd();
-  const infernoDir = path.join(cwd, "inferno");
-
-  if (!fs.existsSync(infernoDir)) {
-    const msg = "inferno/ not found. Run: infernoflow init";
-    if (jsonMode) { console.log(JSON.stringify({ ok: false, error: msg })); }
-    else { warn(msg); }
-    process.exit(1);
-  }
-
-  // Parse flags
-  const fmtIdx    = args.indexOf("--format");
-  const format    = fmtIdx !== -1 ? args[fmtIdx + 1] : (jsonMode ? "json" : "text");
-  const outIdx    = args.indexOf("--out");
-  const outPath   = outIdx !== -1 ? args[outIdx + 1] : null;
-  const failOnIdx = args.indexOf("--fail-on");
-  const failOn    = failOnIdx !== -1 ? args[failOnIdx + 1] : null;
-
-  const contract = readContract(infernoDir);
-  if (!contract) {
-    const msg = "No contract.json or capabilities.json found.";
-    if (jsonMode) { console.log(JSON.stringify({ ok: false, error: msg })); }
-    else { warn(msg); }
-    process.exit(1);
-  }
-
-  const rawCaps = contract.capabilities || [];
-  const runAt   = new Date().toISOString();
-
-  // Classify every capability
-  const results = rawCaps.map(cap => {
-    const id          = typeof cap === "string" ? cap : (cap.id || cap.name || "unknown");
-    const description = typeof cap === "string" ? "" : (cap.description || "");
-    const cls         = classifyCapability(cap);
-    return { id, description, ...cls };
-  });
-
-  // Sort by severity descending
-  results.sort((a, b) => (SEVERITY_ORDER[b.severity] || 0) - (SEVERITY_ORDER[a.severity] || 0));
-
-  // Stats
-  const stats = { high: 0, medium: 0, low: 0, unknown: 0 };
-  for (const r of results) {
-    const key = r.severity in stats ? r.severity : "unknown";
-    stats[key]++;
-  }
-
-  // Persist to audit.json
-  const auditData = {
-    runAt,
-    stats,
-    capabilities: results,
-  };
-  writeAudit(infernoDir, auditData);
-
-  // Output
-  if (format === "json" || jsonMode) {
-    console.log(JSON.stringify({ ok: true, ...auditData }));
-  } else if (format === "html") {
-    const html = buildHtmlReport(results, stats, runAt);
-    const dest = outPath || path.join(infernoDir, "audit.html");
-    fs.writeFileSync(dest, html);
-    if (!jsonMode) done(`HTML audit report written to ${bold(dest)}`);
-  } else {
-    printTextReport(results, stats);
-    if (!jsonMode) done(`Saved to ${bold(path.join(infernoDir, AUDIT_FILE))}`);
-  }
-
-  // Exit code enforcement
-  if (failOn) {
-    const threshold = SEVERITY_ORDER[failOn] || 0;
-    const violations = results.filter(r => (SEVERITY_ORDER[r.severity] || 0) >= threshold);
-    if (violations.length > 0) {
-      if (!jsonMode) {
-        console.error(red(`\n  ✗  ${violations.length} capability/capabilities at or above "${failOn}" severity — review required.\n`));
-      }
-      process.exit(1);
-    }
-  }
-}
+</html>`}function k(o){return String(o).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;")}async function G(o){const t=o.slice(1),n=t.includes("--json")||t.includes("--format")&&t[t.indexOf("--format")+1]==="json",c=process.cwd(),s=u.join(c,"inferno");if(!d.existsSync(s)){const i="inferno/ not found. Run: infernoflow init";n?console.log(JSON.stringify({ok:!1,error:i})):N(i),process.exit(1)}const r=t.indexOf("--format"),e=r!==-1?t[r+1]:n?"json":"text",l=t.indexOf("--out"),y=l!==-1?t[l+1]:null,S=t.indexOf("--fail-on"),v=S!==-1?t[S+1]:null,$=P(s);if(!$){const i="No contract.json or capabilities.json found.";n?console.log(JSON.stringify({ok:!1,error:i})):N(i),process.exit(1)}const D=$.capabilities||[],j=new Date().toISOString(),f=D.map(i=>{const a=typeof i=="string"?i:i.id||i.name||"unknown",w=typeof i=="string"?"":i.description||"",E=R(i);return{id:a,description:w,...E}});f.sort((i,a)=>(p[a.severity]||0)-(p[i.severity]||0));const h={high:0,medium:0,low:0,unknown:0};for(const i of f){const a=i.severity in h?i.severity:"unknown";h[a]++}const O={runAt:j,stats:h,capabilities:f};if(H(s,O),e==="json"||n)console.log(JSON.stringify({ok:!0,...O}));else if(e==="html"){const i=z(f,h,j),a=y||u.join(s,"audit.html");d.writeFileSync(a,i),n||I(`HTML audit report written to ${g(a)}`)}else J(f,h),n||I(`Saved to ${g(u.join(s,x))}`);if(v){const i=p[v]||0,a=f.filter(w=>(p[w.severity]||0)>=i);a.length>0&&(n||console.error(b(`
+  \u2717  ${a.length} capability/capabilities at or above "${v}" severity \u2014 review required.
+`)),process.exit(1))}}export{G as auditCommand};