itworksbut 0.4.0 → 0.6.0

package/src/checks/tauri/remote-url-permissions-risk.js

@@ -0,0 +1,115 @@
+import { lineFromOffset, parseJsonWithComments } from "../helpers.js";
+
+const CONFIG_FILES = ["src-tauri/tauri.conf.json", "src-tauri/tauri.conf.json5", "src-tauri/Tauri.toml"];
+const WEAK_CSP_RE =
+  /"csp"\s*:\s*(?:null|false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")|csp\s*=\s*(?:false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")/gi;
+const DANGEROUS_ASSET_CSP_RE = /"dangerousDisableAssetCspModification"\s*:\s*true|dangerousDisableAssetCspModification\s*=\s*true/gi;
+const BROAD_ALLOWLIST_RE = /"allowlist"\s*:\s*{[\s\S]{0,400}?"all"\s*:\s*true|"all"\s*:\s*true[\s\S]{0,120}?"(?:shell|fs|http)"/gi;
+const BROAD_PERMISSION_RE =
+  /"permissions"\s*:\s*\[[\s\S]{0,240}?["'`]\*["'`]|["'`](?:shell|fs|http):(?:\*|allow-\*|allow-all|allow-execute|allow-fetch)["'`]|["'`]fs:allow-[^"'`]*["'`][\s\S]{0,160}(?:\*\*|["'`]\*["'`]|\/)|["'`]http:allow-fetch["'`][\s\S]{0,220}(?:["'`]\*["'`]|https?:\/\/\*)/gi;
+const REMOTE_URL_RE = /"(?:devUrl|frontendDist|url)"\s*:\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"|(?:devUrl|frontendDist|url)\s*=\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"/gi;
+
+export default {
+  id: "tauri.remote-url-permissions-risk",
+  title: "Tauri remote URLs and permissions should be least privilege",
+  category: "tauri",
+  severity: "high",
+  tags: ["tauri", "desktop", "permissions", "heuristic"],
+  run: async (context) => {
+    if (!isTauriProject(context)) return [];
+    const findings = [];
+
+    for (const file of collectTauriFiles(context)) {
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      if (file.endsWith(".json") || file.endsWith(".json5")) {
+        inspectParsedJson(content, file, findings);
+      }
+
+      inspectRegexPattern(content, file, findings, WEAK_CSP_RE, "weak-csp");
+      inspectRegexPattern(content, file, findings, DANGEROUS_ASSET_CSP_RE, "dangerous-asset-csp");
+      inspectRegexPattern(content, file, findings, BROAD_ALLOWLIST_RE, "broad-allowlist");
+      inspectRegexPattern(content, file, findings, BROAD_PERMISSION_RE, "broad-permission");
+      inspectRegexPattern(content, file, findings, REMOTE_URL_RE, "remote-url");
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function isTauriProject(context) {
+  return (
+    context.allFiles.some((file) => file.startsWith("src-tauri/")) ||
+    context.hasDependency("@tauri-apps/api") ||
+    context.hasDevDependency("@tauri-apps/cli") ||
+    context.hasDependency("@tauri-apps/cli")
+  );
+}
+
+function collectTauriFiles(context) {
+  return context.textFiles.filter((file) => {
+    return (
+      CONFIG_FILES.includes(file) ||
+      /^src-tauri\/capabilities\/[^/]+\.json$/i.test(file) ||
+      /^src-tauri\/permissions\/[^/]+\.json$/i.test(file)
+    );
+  });
+}
+
+function inspectParsedJson(content, file, findings) {
+  let parsed;
+  try {
+    parsed = parseJsonWithComments(content);
+  } catch {
+    return;
+  }
+
+  const security = parsed?.app?.security || parsed?.tauri?.security || {};
+  if (security.csp === null || security.csp === false || security.csp === "") {
+    findings.push(finding(file, lineOfKey(content, "csp"), "weak-csp"));
+  }
+  if (security.dangerousDisableAssetCspModification === true) {
+    findings.push(finding(file, lineOfKey(content, "dangerousDisableAssetCspModification"), "dangerous-asset-csp"));
+  }
+
+  const permissions = JSON.stringify(parsed?.permissions || parsed?.app?.permissions || parsed?.tauri?.allowlist || []);
+  if (/"\*"|"all":true|shell:allow-execute|fs:allow-|http:allow-fetch/.test(permissions)) {
+    findings.push(finding(file, undefined, "broad-permission"));
+  }
+}
+
+function inspectRegexPattern(content, file, findings, regex, pattern) {
+  regex.lastIndex = 0;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    findings.push(finding(file, lineFromOffset(content, match.index), pattern));
+  }
+}
+
+function finding(file, line, pattern) {
+  return {
+    message: "Tauri configuration appears to allow broad permissions, remote URLs or weak CSP settings.",
+    file,
+    line,
+    recommendation:
+      "Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.",
+    heuristic: true,
+    metadata: { pattern }
+  };
+}
+
+function lineOfKey(content, key) {
+  const index = content.indexOf(`"${key}"`);
+  return index >= 0 ? lineFromOffset(content, index) : undefined;
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((item) => {
+    const key = `${item.file}:${item.line || 0}:${item.metadata?.pattern || ""}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/cli/output.js

@@ -1,11 +1,10 @@
 import gradient from 'gradient-string';
 
 export function printUsage() {
-  process.stdout.write(`ItWorksBut
+    process.stdout.write(`ItWorksBut
 
 Usage:
   itworksbut scan [options]
-  node ./bin/itworksbut.js scan [options]
 
 Options:
   --path <path>       Project path to scan. Defaults to current directory.
@@ -15,6 +14,7 @@ Options:
   --json              Print machine-readable JSON.
   --sarif             Print SARIF for GitHub Code Scanning.
   --todo              Write an AI-ready todo.md to the scanned project.
+  --report            Write a Markdown scan report.md to the current directory.
   --no-color          Disable color styling.
   --no-banner         Disable the intro banner.
   --quiet             Print only the summary.
@@ -25,14 +25,14 @@ Options:
 }
 
 export function printVersion(version) {
-  try {
-    process.stdout.write(`${gradient.rainbow(version)}\n`);
-  } catch {
-    process.stdout.write(`${version}\n`);
-  }
+    try {
+        process.stdout.write(`${gradient.rainbow(version)}\n`);
+    } catch {
+        process.stdout.write(`${version}\n`);
+    }
 }
 
 export function printRuntimeError(error) {
-  const message = error instanceof Error ? error.message : String(error);
-  process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
 }

package/src/cli/parseArgs.js

@@ -1,5 +1,5 @@
 const FLAG_WITH_VALUE = new Set(["--fail-on", "--config", "--path"]);
-const BOOLEAN_FLAGS = new Set(["--json", "--sarif", "--todo", "--verbose", "--help", "-h", "--version", "-v", "--no-color", "--no-banner", "--quiet"]);
+const BOOLEAN_FLAGS = new Set(["--json", "--sarif", "--todo", "--report", "--verbose", "--help", "-h", "--version", "-v", "--no-color", "--no-banner", "--quiet"]);
 
 export function parseArgs(argv) {
   const args = {
@@ -10,6 +10,7 @@ export function parseArgs(argv) {
     json: false,
     sarif: false,
     todo: false,
+    report: false,
     verbose: false,
     noColor: false,
     noBanner: false,
@@ -48,6 +49,7 @@ export function parseArgs(argv) {
       if (token === "--json") args.json = true;
       if (token === "--sarif") args.sarif = true;
       if (token === "--todo") args.todo = true;
+      if (token === "--report") args.report = true;
       if (token === "--verbose") args.verbose = true;
       if (token === "--no-color") args.noColor = true;
       if (token === "--no-banner") args.noBanner = true;

package/src/core/checkResults.js

@@ -0,0 +1,53 @@
+export const CHECK_STATUSES = ["pass", "warn", "fail", "skip"];
+
+export function normalizeCheckResult(check, value = {}, findings = []) {
+  const status = normalizeStatus(value.status || deriveStatusFromFindings(findings));
+  const details = Array.isArray(value.details) ? value.details : detailsFromFindings(findings);
+
+  return {
+    id: value.id || check.id,
+    title: value.title || check.title,
+    category: value.category || check.category,
+    status,
+    summary: value.summary || defaultSummary(status, findings),
+    details,
+    metadata: value.metadata || undefined
+  };
+}
+
+export function deriveStatusFromFindings(findings = []) {
+  if (!findings.length) return "pass";
+  if (findings.some((finding) => finding.severity === "critical" || finding.severity === "high")) return "fail";
+  return "warn";
+}
+
+export function countByStatus(checks = []) {
+  return Object.fromEntries(
+    CHECK_STATUSES.map((status) => [status, checks.filter((check) => check.status === status).length])
+  );
+}
+
+function normalizeStatus(value) {
+  const normalized = String(value || "pass").toLowerCase();
+  return CHECK_STATUSES.includes(normalized) ? normalized : "fail";
+}
+
+function defaultSummary(status, findings) {
+  if (status === "pass") return "No issues found.";
+  if (status === "skip") return "Skipped.";
+  if (!findings.length) return status === "fail" ? "Check failed." : "Check needs review.";
+
+  const count = findings.length;
+  const noun = count === 1 ? "finding" : "findings";
+  return `${count} ${noun} reported.`;
+}
+
+function detailsFromFindings(findings) {
+  return findings.map((finding) => ({
+    message: finding.message,
+    file: finding.file,
+    line: finding.line,
+    severity: finding.severity,
+    recommendation: finding.recommendation
+  }));
+}

package/src/core/scanner.js

@@ -1,5 +1,6 @@
 import checks from "../checks/index.js";
 import { createContext } from "./context.js";
+import { normalizeCheckResult } from "./checkResults.js";
 import { normalizeFinding, severityRank } from "./findings.js";
 import { packageInfo } from "./packageInfo.js";
 
@@ -7,28 +8,54 @@ export async function scanProject(options = {}) {
   const startedAt = new Date();
   const context = await createContext(options);
   const findings = [];
+  const checkResults = [];
   const warnings = [];
 
   for (const check of checks) {
-    if (context.config.checks[check.id] === false) continue;
+    if (context.config.checks[check.id] === false) {
+      checkResults.push(normalizeCheckResult(check, {
+        status: "skip",
+        summary: "Disabled by configuration."
+      }));
+      continue;
+    }
 
     try {
-      const checkFindings = await check.run(context);
+      const rawResult = await check.run(context);
+      const checkFindings = Array.isArray(rawResult) ? rawResult : rawResult?.findings;
+      const explicitCheckResult = Array.isArray(rawResult) ? null : rawResult?.result || rawResult?.checkResult;
+
       if (!Array.isArray(checkFindings)) {
         warnings.push({
           checkId: check.id,
           message: "Check returned a non-array result and was ignored."
         });
+        checkResults.push(normalizeCheckResult(check, {
+          status: "fail",
+          summary: "Check returned an invalid result.",
+          details: [{ message: "Check returned a non-array result and was ignored." }]
+        }));
         continue;
       }
+
+      const normalizedFindings = [];
       for (const finding of checkFindings) {
-        findings.push(normalizeFinding(check, finding));
+        const normalizedFinding = normalizeFinding(check, finding);
+        normalizedFindings.push(normalizedFinding);
+        findings.push(normalizedFinding);
       }
+      checkResults.push(normalizeCheckResult(check, explicitCheckResult || {}, normalizedFindings));
     } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
       warnings.push({
         checkId: check.id,
-        message: error instanceof Error ? error.message : String(error)
+        message
       });
+      checkResults.push(normalizeCheckResult(check, {
+        status: "fail",
+        summary: message,
+        details: [{ message }]
+      }));
     }
   }
 
@@ -40,12 +67,14 @@ export async function scanProject(options = {}) {
 
   return {
     findings,
+    checks: checkResults,
     warnings,
     config: context.config,
     meta: {
       tool: "ItWorksBut",
       version: packageInfo.version,
       rootPath: context.rootPath,
+      packageName: context.packageJson?.name,
       packageManager: context.packageManager,
       gitAvailable: context.gitAvailable,
       filesScanned: context.allFiles.length,

package/src/reporters/consoleReporter.js

@@ -12,15 +12,17 @@ import {
 
 export function reportConsole(result, options = {}) {
     const { findings, warnings, config, meta } = result;
+    const checks = result.checks || [];
     const counts = countBySeverity(findings);
     const colors = getChalk(options);
     const rich = isFancyOutputEnabled(options);
+    const hasReviewCheck = checks.some(check => check.status === 'warn' || check.status === 'fail');
 
     if (!options.quiet && !rich) {
         process.stdout.write(`${colors.bold('ItWorksBut receipts')}\n\n`);
     }
 
-    if (!options.quiet && findings.length === 0) {
+    if (!options.quiet && findings.length === 0 && !hasReviewCheck) {
         process.stdout.write(
             `${colors.green ? colors.green('Suspiciously clean. No findings.') : 'Suspiciously clean. No findings.'}\n\n`,
         );
@@ -36,6 +38,10 @@ export function reportConsole(result, options = {}) {
         }
     }
 
+    if (!options.quiet) {
+        writeOutdatedPackagesCheck(checks, options);
+    }
+
     if (options.verbose && warnings.length > 0) {
         process.stdout.write('WARNINGS\n');
         for (const warning of warnings) {
@@ -55,6 +61,41 @@ export function reportConsole(result, options = {}) {
     }
 }
 
+function writeOutdatedPackagesCheck(checks, options) {
+    const check = checks.find(candidate => candidate.id === 'dependencies.outdated-packages');
+    if (!check) return;
+
+    const colors = getChalk(options);
+    const title = colors.bold('Outdated packages');
+
+    if (check.status === 'pass') {
+        process.stdout.write(`${colors.green('✓')} ${title}: ${check.summary}\n\n`);
+        return;
+    }
+
+    if (check.status === 'skip') {
+        process.stdout.write(`- ${title}: ${check.summary}\n\n`);
+        return;
+    }
+
+    if (check.status === 'fail') {
+        process.stdout.write(`${colors.red('✖')} ${title}: ${check.summary}\n\n`);
+        return;
+    }
+
+    process.stdout.write(`${colors.yellow('⚠')} ${title}: ${check.summary}\n`);
+    const packages = check.details.filter(detail => detail?.name).slice(0, 10);
+    for (const detail of packages) {
+        process.stdout.write(
+            `  - ${detail.name}: ${detail.current} → ${detail.wanted} wanted, ${detail.latest} latest\n`,
+        );
+    }
+    if (check.details.length > packages.length) {
+        process.stdout.write(`  - and ${check.details.length - packages.length} more\n`);
+    }
+    process.stdout.write('\n');
+}
+
 function writeFinding(finding, options) {
     const colors = getChalk(options);
     const severity = formatSeverity(finding.severity, options);

package/src/reporters/consoleStyle.js

@@ -26,6 +26,10 @@ const EDGY_TITLES = {
     'api.idor-risk': 'It works, but this ID lookup may belong to someone else.',
     'auth.jwt-secret-weak-or-fallback': 'It works, but your JWT secret has a fallback key.',
     'auth.password-hashing-missing': 'It works, but your passwords may be stored too honestly.',
+    'auth.missing-csrf-protection': 'It works, but your browser may be submitting forms behind your back.',
+    'api.missing-method-guard': 'It works, but your API does not care how it gets called.',
+    'api.mass-assignment-risk': 'It works, but your users may be editing fields they should never touch.',
+    'api.no-schema-validation': 'It works, but your API believes whatever the request says.',
     'database.raw-sql-interpolation': 'It works, but your SQL query is one template string away from pain.',
     'database.no-migrations': 'It works, but your database schema has no paper trail.',
     'cookies.insecure-session-cookie': 'It works, but your session cookie is dressed for localhost.',
@@ -33,10 +37,16 @@ const EDGY_TITLES = {
     'webhooks.missing-raw-body': 'It works, but your webhook signature check may be checking the wrong body.',
     'llm.prompt-injection-risk': 'It works, but your AI output has admin energy.',
     'frontend.sourcemaps-production': 'It works, but your source code may be shipping with the app.',
+    'frontend.localstorage-token': 'It works, but your auth token lives where XSS can read it.',
+    'files.path-traversal-risk': 'It works, but your file path may be taking requests too literally.',
+    'ssrf.user-controlled-fetch': 'It works, but your server is fetching whatever strangers ask for.',
+    'next.public-server-code-risk': 'It works, but your client component is carrying server baggage.',
     'config.debug-production': 'It works, but production still thinks it is a dev server.',
     'electron.node-integration-enabled': 'It works, but Electron is holding the Node.js door open.',
     'electron.context-isolation-disabled': 'It works, but your renderer and backend are sharing a room.',
+    'electron.remote-content-with-node': 'It works, but Electron is letting the internet sit next to Node.js.',
     'tauri.dangerous-allowlist-or-capabilities': 'It works, but your Tauri permissions look too generous.',
+    'tauri.remote-url-permissions-risk': 'It works, but your Tauri app is trusting too much surface area.',
 };
 
 const SEVERITY_META = {
@@ -100,6 +110,14 @@ const FIX_PROMPT_ACTIONS = {
         'Require a strong JWT secret from the environment in production and fail startup if it is missing.',
     'auth.password-hashing-missing':
         'Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.',
+    'auth.missing-csrf-protection':
+        'Use SameSite cookies, CSRF tokens or another explicit CSRF mitigation for state-changing routes.',
+    'api.missing-method-guard':
+        'Restrict API routes to the intended HTTP methods and return 405 Method Not Allowed for unsupported methods.',
+    'api.mass-assignment-risk':
+        'Whitelist allowed fields explicitly. Never pass req.body directly into database create/update calls.',
+    'api.no-schema-validation':
+        'Validate request body, query and params with a schema library such as Zod, Joi, Valibot, AJV or equivalent.',
     'database.raw-sql-interpolation':
         'Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder.',
     'database.no-migrations': 'Add versioned database migrations that match the detected ORM or database stack.',
@@ -113,14 +131,26 @@ const FIX_PROMPT_ACTIONS = {
         'Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.',
     'frontend.sourcemaps-production':
         'Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.',
+    'frontend.localstorage-token':
+        'Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.',
+    'files.path-traversal-risk':
+        'Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.',
+    'ssrf.user-controlled-fetch':
+        'Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.',
+    'next.public-server-code-risk':
+        'Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.',
     'config.debug-production':
         'Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.',
     'electron.node-integration-enabled':
         'Set nodeIntegration to false and expose only narrowly scoped APIs through preload.',
     'electron.context-isolation-disabled':
         'Enable contextIsolation and review preload boundaries for renderer-to-main communication.',
+    'electron.remote-content-with-node':
+        'Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.',
     'tauri.dangerous-allowlist-or-capabilities':
         'Tighten Tauri allowlists, capabilities, scopes, shell access, filesystem access, remote URLs, and CSP.',
+    'tauri.remote-url-permissions-risk':
+        'Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.',
 };
 
 export function getConsoleFindingTitle(finding) {

package/src/reporters/jsonReporter.js

@@ -1,4 +1,5 @@
 import { countBySeverity, getExitCode } from "../core/findings.js";
+import { countByStatus } from "../core/checkResults.js";
 
 export function reportJson(result) {
   return {
@@ -8,9 +9,11 @@ export function reportJson(result) {
     summary: {
       total: result.findings.length,
       bySeverity: countBySeverity(result.findings),
+      byStatus: countByStatus(result.checks || []),
       failOn: result.config.failOn,
       exitCode: getExitCode(result.findings, result.config.failOn)
     },
+    checks: result.checks || [],
     findings: result.findings,
     warnings: result.warnings
   };

package/src/reporters/markdownReport.js

@@ -0,0 +1,203 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { countByStatus } from "../core/checkResults.js";
+
+const ANSI_PATTERN = /\u001B\[[0-?]*[ -/]*[@-~]/g;
+
+export async function writeMarkdownReport(result, options = {}) {
+  const filePath = options.filePath || path.join(options.directoryPath || process.cwd(), "report.md");
+  let overwritten = false;
+
+  try {
+    await fs.access(filePath);
+    overwritten = true;
+  } catch {
+    overwritten = false;
+  }
+
+  await fs.writeFile(filePath, reportMarkdown(result), "utf8");
+  return { filePath, overwritten };
+}
+
+export function reportMarkdown(result) {
+  const checks = result.checks || checksFromFindings(result.findings || []);
+  const counts = countByStatus(checks);
+  const projectName = result.meta?.packageName || path.basename(result.meta?.rootPath || "") || "unknown";
+  const generatedAt = formatTimestamp(result.meta?.completedAt || new Date());
+
+  return stripAnsi(`${[
+    "# ItWorksBut Scan Report",
+    "",
+    `Generated: ${generatedAt}`,
+    "",
+    `Project: ${projectName}`,
+    `Path: ${result.meta?.rootPath || "unknown"}`,
+    "",
+    "## Summary",
+    "",
+    "| Status | Count |",
+    "|---|---:|",
+    `| Pass | ${counts.pass} |`,
+    `| Warn | ${counts.warn} |`,
+    `| Fail | ${counts.fail} |`,
+    `| Skip | ${counts.skip} |`,
+    "",
+    "## Checks",
+    "",
+    renderChecks(checks),
+    renderScannerWarnings(result.warnings || []),
+    renderRecommendations(checks, result.findings || []),
+  ].filter((line) => line !== null && line !== undefined).join("\n")}\n`);
+}
+
+function renderChecks(checks) {
+  if (!checks.length) return "No checks were recorded.\n";
+
+  return checks.map(renderCheck).join("\n");
+}
+
+function renderCheck(check) {
+  return [
+    `### ${check.title || check.id}`,
+    "",
+    `Status: ${check.status || "unknown"}`,
+    "",
+    "Summary:",
+    check.summary || "No summary available.",
+    "",
+    "Details:",
+    renderDetails(check),
+    ""
+  ].join("\n");
+}
+
+function renderDetails(check) {
+  const details = Array.isArray(check.details) ? check.details : [];
+  if (!details.length) return "None.";
+
+  if (isOutdatedPackageCheck(check)) {
+    return renderOutdatedPackageTable(details);
+  }
+
+  return details.map(renderDetailBullet).join("\n");
+}
+
+function renderOutdatedPackageTable(details) {
+  const packageDetails = details.filter((detail) => detail?.name);
+  if (!packageDetails.length) return details.map(renderDetailBullet).join("\n");
+
+  return [
+    "| Package | Current | Wanted | Latest | Type |",
+    "|---|---:|---:|---:|---|",
+    ...packageDetails.map((detail) => (
+      `| ${escapeTable(detail.name)} | ${escapeTable(detail.current)} | ${escapeTable(detail.wanted)} | ${escapeTable(detail.latest)} | ${escapeTable(detail.type)} |`
+    ))
+  ].join("\n");
+}
+
+function renderDetailBullet(detail) {
+  if (typeof detail === "string") return `- ${detail}`;
+  if (!detail || typeof detail !== "object") return `- ${String(detail)}`;
+
+  if (detail.message) return `- ${detail.message}`;
+  return `- ${Object.entries(detail).map(([key, value]) => `${key}: ${String(value)}`).join(", ")}`;
+}
+
+function renderScannerWarnings(warnings) {
+  if (!warnings.length) return "";
+
+  return [
+    "## Scanner Warnings",
+    "",
+    ...warnings.map((warning) => `- ${warning.checkId}: ${warning.message}`),
+    ""
+  ].join("\n");
+}
+
+function renderRecommendations(checks, findings) {
+  const needsReview = checks.some((check) => check.status === "warn" || check.status === "fail");
+  if (!needsReview && findings.length === 0) return "";
+
+  const recommendations = [];
+  if (checks.some((check) => isOutdatedPackageCheck(check) && (check.status === "warn" || check.status === "fail"))) {
+    recommendations.push("Update outdated packages carefully.");
+    recommendations.push("Review major-version upgrades manually.");
+    recommendations.push("Run tests after dependency updates.");
+  }
+
+  for (const finding of findings) {
+    if (finding.recommendation) recommendations.push(finding.recommendation);
+  }
+
+  if (checks.some((check) => check.status === "fail")) {
+    recommendations.push("Review failed checks and scanner warnings before shipping.");
+  }
+  if (recommendations.length === 0) {
+    recommendations.push("Review warning and failure details before shipping.");
+  }
+
+  return [
+    "## Recommendations",
+    "",
+    ...unique(recommendations).map((recommendation) => `- ${recommendation}`),
+    ""
+  ].join("\n");
+}
+
+function checksFromFindings(findings) {
+  const byCheck = new Map();
+  for (const finding of findings) {
+    const existing = byCheck.get(finding.checkId) || {
+      id: finding.checkId,
+      title: finding.title,
+      category: finding.category,
+      status: finding.severity === "critical" || finding.severity === "high" ? "fail" : "warn",
+      summary: "Finding reported.",
+      details: []
+    };
+    existing.details.push({
+      message: finding.message,
+      file: finding.file,
+      line: finding.line,
+      severity: finding.severity
+    });
+    byCheck.set(finding.checkId, existing);
+  }
+  return [...byCheck.values()];
+}
+
+function isOutdatedPackageCheck(check) {
+  return check.id === "dependencies.outdated-packages" || check.title === "Outdated packages";
+}
+
+function formatTimestamp(value) {
+  const date = value instanceof Date ? value : new Date(value);
+  if (Number.isNaN(date.getTime())) return String(value);
+
+  const pad = (number) => String(number).padStart(2, "0");
+  return [
+    date.getFullYear(),
+    "-",
+    pad(date.getMonth() + 1),
+    "-",
+    pad(date.getDate()),
+    " ",
+    pad(date.getHours()),
+    ":",
+    pad(date.getMinutes()),
+    ":",
+    pad(date.getSeconds())
+  ].join("");
+}
+
+function escapeTable(value) {
+  return stripAnsi(String(value ?? "unknown")).replace(/\|/g, "\\|");
+}
+
+function stripAnsi(value) {
+  return String(value).replace(ANSI_PATTERN, "");
+}
+
+function unique(values) {
+  return [...new Set(values.filter(Boolean))];
+}