kramscan 0.3.0 → 0.4.0

package/dist/agent/skills/health-check.js

@@ -64,11 +64,11 @@ class HealthCheckSkill {
             },
         ],
     };
-    validateParameters(params) {
+    validateParameters(_params) {
         // No required parameters
         return { valid: true, errors: [] };
     }
-    async execute(params, context) {
+    async execute(params, _context) {
         const verbose = params.verbose ?? false;
         logger_1.logger.info("Running health check...");
         const checks = [];

package/dist/agent/skills/verify-finding.js

@@ -48,7 +48,7 @@ class VerifyFindingSkill {
             // Get type from finding metadata or title
             const vulnType = finding.metadata?.type || (finding.title.toLowerCase().includes("sql") ? "sqli" : "xss");
             // Generate non-destructive verification payloads
-            const payloads = await payloadGenerator.generatePayloads(vulnType, {
+            await payloadGenerator.generatePayloads(vulnType, {
                 parameterName: finding.metadata?.parameter || "verify",
                 url: finding.metadata?.url || context.currentTarget || "",
             });

package/dist/agent/skills/web-scan.d.ts

@@ -17,6 +17,6 @@ export declare class WebScanSkill implements AgentSkill {
         valid: boolean;
         errors: string[];
     };
-    execute(params: Record<string, unknown>, context: AgentContext): Promise<SkillResult>;
+    execute(params: Record<string, unknown>, _context: AgentContext): Promise<SkillResult>;
     run(): Promise<SkillResult>;
 }

package/dist/agent/skills/web-scan.js

@@ -126,7 +126,7 @@ class WebScanSkill {
             errors,
         };
     }
-    async execute(params, context) {
+    async execute(params, _context) {
         const targetUrl = params.targetUrl;
         const depth = params.depth ?? 2;
         const timeout = params.timeout ?? 30000;

package/dist/cli.js

@@ -53,6 +53,7 @@ const scans_1 = require("./commands/scans");
 const ai_1 = require("./commands/ai");
 const dev_1 = require("./commands/dev");
 const gate_1 = require("./commands/gate");
+const init_1 = require("./commands/init");
 const config_2 = require("./core/config");
 const theme_1 = require("./utils/theme");
 let verboseMode = false;
@@ -71,6 +72,7 @@ function debugLog(...args) {
 const menuChoices = [
     { label: "Agent", value: "agent", description: "AI-powered interactive security assistant", icon: "🤖", status: "active" },
     { label: "Onboard", value: "onboard", description: "First-time setup wizard", icon: "⚡", status: "active" },
+    { label: "Init", value: "init", description: "Generate .kramscanrc for this project", icon: "📁", status: "active" },
     { label: "Scan", value: "scan", description: "Scan a target URL for vulnerabilities", icon: "🔍", status: "active" },
     { label: "Dev", value: "dev", description: "Watch-mode scanning for localhost dev servers", icon: "🛠️", status: "active" },
     { label: "Gate", value: "gate", description: "CI/CD security quality gate", icon: "🚧", status: "active" },
@@ -107,7 +109,7 @@ async function showInteractiveMenu() {
         console.log(theme_1.theme.gray(`  Run ${theme_1.theme.cyan("kramscan --help")} for available commands.\n`));
         return;
     }
-    let args = [action];
+    const args = [action];
     // Specific handling for commands that need input
     if (action === "scan") {
         const { url } = await inquirer_1.default.prompt([
@@ -117,7 +119,8 @@ async function showInteractiveMenu() {
                 message: theme_1.theme.cyan("Enter the URL to scan:"),
                 validate: (input) => {
                     try {
-                        new URL(input);
+                        const urlToTest = /^https?:\/\//i.test(input) ? input : `http://${input}`;
+                        new URL(urlToTest);
                         return true;
                     }
                     catch {
@@ -178,6 +181,7 @@ async function showInteractiveMenu() {
         // Error handling is managed by the commands themselves or global handlers
     }
 }
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
 async function showDirectCommandInput() {
     (0, theme_1.printBanner)();
     (0, theme_1.printInfo)();
@@ -226,6 +230,7 @@ function createProgram() {
     (0, ai_1.registerAiCommand)(program);
     (0, dev_1.registerDevCommand)(program);
     (0, gate_1.registerGateCommand)(program);
+    (0, init_1.registerInitCommand)(program);
     // Version subcommand with detailed environment info
     program
         .command("version")

package/dist/commands/config.js

@@ -107,8 +107,8 @@ function registerConfigCommand(program) {
                 type: "list",
                 name: "reportFormat",
                 message: "Default report format:",
-                choices: ["word", "json", "txt"],
-                default: config.report.defaultFormat,
+                choices: ["markdown", "word", "json", "txt"],
+                default: config.report.defaultFormat || "markdown",
             },
             {
                 type: "number",

package/dist/commands/dev.js

@@ -25,7 +25,7 @@ function registerDevCommand(program) {
         .option("--no-watch", "Run a single scan without watching (useful for CI)")
         .action(async (url, options) => {
         // Resolve target URL
-        const targetUrl = url || (options.port ? `http://localhost:${options.port}` : null);
+        let targetUrl = url || (options.port ? `http://localhost:${options.port}` : null);
         if (!targetUrl) {
             console.log("");
             console.log(theme_1.theme.error("✗ No target URL specified."));
@@ -34,6 +34,9 @@ function registerDevCommand(program) {
             console.log("");
             process.exit(1);
         }
+        if (!/^https?:\/\//i.test(targetUrl)) {
+            targetUrl = `http://${targetUrl}`;
+        }
         const isLocal = (0, server_probe_1.isLocalhost)(targetUrl);
         console.log("");
         console.log(theme_1.theme.brand.bold("🛠️  KramScan Dev Mode"));

package/dist/commands/doctor.js

@@ -138,7 +138,7 @@ async function checkPuppeteer() {
 }
 async function checkConfig() {
     try {
-        const config = await (0, config_1.getConfig)();
+        await (0, config_1.getConfig)();
         return {
             name: "Configuration",
             status: "pass",

package/dist/commands/gate.js

@@ -15,6 +15,9 @@ function registerGateCommand(program) {
         .option("--timeout <ms>", "Maximum scan duration", "60000")
         .option("--json", "Output results as JSON")
         .action(async (url, options) => {
+        if (!/^https?:\/\//i.test(url)) {
+            url = `http://${url}`;
+        }
         const jsonMode = options.json === true;
         if (!jsonMode) {
             console.log("");

package/dist/commands/init.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Init Command
+ * Generates a .kramscanrc project configuration file in the current directory.
+ */
+import { Command } from "commander";
+export declare function registerInitCommand(program: Command): void;

package/dist/commands/init.js

@@ -0,0 +1,191 @@
+"use strict";
+/**
+ * Init Command
+ * Generates a .kramscanrc project configuration file in the current directory.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerInitCommand = registerInitCommand;
+const chalk_1 = __importDefault(require("chalk"));
+const inquirer_1 = __importDefault(require("inquirer"));
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const project_config_1 = require("../core/project-config");
+const logger_1 = require("../utils/logger");
+function registerInitCommand(program) {
+    program
+        .command("init")
+        .description("Generate a .kramscanrc project configuration file")
+        .option("-y, --yes", "Skip prompts and generate with defaults")
+        .option("--force", "Overwrite existing .kramscanrc file")
+        .action(async (options) => {
+        const targetPath = path_1.default.join(process.cwd(), project_config_1.PROJECT_CONFIG_FILENAME);
+        console.log("");
+        console.log(chalk_1.default.bold.cyan("KramScan Project Setup"));
+        console.log(chalk_1.default.gray("─".repeat(50)));
+        console.log("");
+        // Check if file already exists
+        try {
+            await promises_1.default.access(targetPath);
+            if (!options.force) {
+                console.log(chalk_1.default.yellow(`  A ${project_config_1.PROJECT_CONFIG_FILENAME} file already exists in this directory.`));
+                console.log(chalk_1.default.gray(`  Use ${chalk_1.default.white("--force")} to overwrite it.`));
+                console.log("");
+                return;
+            }
+        }
+        catch {
+            // File doesn't exist — good
+        }
+        let config;
+        if (options.yes) {
+            config = getDefaultProjectConfig();
+        }
+        else {
+            config = await runInteractiveSetup();
+        }
+        // Write the file
+        const content = JSON.stringify(config, null, 2) + "\n";
+        await promises_1.default.writeFile(targetPath, content, "utf-8");
+        console.log("");
+        logger_1.logger.success(`Created ${project_config_1.PROJECT_CONFIG_FILENAME} in ${process.cwd()}`);
+        console.log("");
+        console.log(chalk_1.default.gray("  This file configures KramScan for this project."));
+        console.log(chalk_1.default.gray("  Commit it to version control so your team shares the same settings."));
+        console.log(chalk_1.default.gray(`  API keys are never stored here — use ${chalk_1.default.white("kramscan onboard")} or env vars.`));
+        console.log("");
+    });
+}
+function getDefaultProjectConfig() {
+    return {
+        scan: {
+            defaultProfile: "balanced",
+            defaultTimeout: 30000,
+            strictScope: true,
+            exclude: [
+                "logout",
+                "signout",
+                "delete",
+            ],
+        },
+        report: {
+            defaultFormat: "markdown",
+            companyName: "Your Company",
+        },
+        gate: {
+            failOn: "high",
+            maxVulns: 0,
+        },
+        plugins: {
+            disabled: [],
+        },
+    };
+}
+async function runInteractiveSetup() {
+    const answers = await inquirer_1.default.prompt([
+        {
+            type: "list",
+            name: "profile",
+            message: "Default scan profile:",
+            choices: [
+                { name: "quick    — fast surface-level scan", value: "quick" },
+                { name: "balanced — good coverage, moderate speed", value: "balanced" },
+                { name: "deep     — thorough crawl, slower", value: "deep" },
+            ],
+            default: "balanced",
+        },
+        {
+            type: "input",
+            name: "timeout",
+            message: "Default request timeout (ms):",
+            default: "30000",
+            validate: (input) => {
+                const n = parseInt(input, 10);
+                if (isNaN(n) || n < 1000)
+                    return "Must be a number >= 1000";
+                return true;
+            },
+            filter: (input) => parseInt(input, 10),
+        },
+        {
+            type: "confirm",
+            name: "strictScope",
+            message: "Stay within the target domain? (strict scope)",
+            default: true,
+        },
+        {
+            type: "input",
+            name: "exclude",
+            message: "URL patterns to exclude (comma-separated, e.g. logout,signout):",
+            default: "logout,signout,delete",
+            filter: (input) => input
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean),
+        },
+        {
+            type: "list",
+            name: "reportFormat",
+            message: "Default report format:",
+            choices: [
+                { name: "markdown", value: "markdown" },
+                { name: "word (.docx)", value: "word" },
+                { name: "json", value: "json" },
+                { name: "txt", value: "txt" },
+            ],
+            default: "markdown",
+        },
+        {
+            type: "input",
+            name: "companyName",
+            message: "Company or project name (for report headers):",
+            default: path_1.default.basename(process.cwd()),
+        },
+        {
+            type: "list",
+            name: "gateFailOn",
+            message: "CI/CD gate — fail on severity at or above:",
+            choices: [
+                { name: "critical — only block on critical issues", value: "critical" },
+                { name: "high     — block on high and critical", value: "high" },
+                { name: "medium   — block on medium and above", value: "medium" },
+                { name: "low      — block on everything except info", value: "low" },
+            ],
+            default: "high",
+        },
+        {
+            type: "input",
+            name: "gateMaxVulns",
+            message: "CI/CD gate — max allowed vulnerabilities before failing:",
+            default: "0",
+            validate: (input) => {
+                const n = parseInt(input, 10);
+                if (isNaN(n) || n < 0)
+                    return "Must be a non-negative number";
+                return true;
+            },
+            filter: (input) => parseInt(input, 10),
+        },
+    ]);
+    return {
+        scan: {
+            defaultProfile: answers.profile,
+            defaultTimeout: answers.timeout,
+            strictScope: answers.strictScope,
+            exclude: answers.exclude,
+        },
+        report: {
+            defaultFormat: answers.reportFormat,
+            companyName: answers.companyName,
+        },
+        gate: {
+            failOn: answers.gateFailOn,
+            maxVulns: answers.gateMaxVulns,
+        },
+        plugins: {
+            disabled: [],
+        },
+    };
+}

package/dist/commands/onboard.js

@@ -140,8 +140,8 @@ function registerOnboardCommand(program) {
                 type: "list",
                 name: "reportFormat",
                 message: "Default report format",
-                choices: ["word", "txt", "json"],
-                default: config.report.defaultFormat,
+                choices: ["markdown", "word", "txt", "json"],
+                default: config.report.defaultFormat || "markdown",
             },
             {
                 type: "confirm",

package/dist/commands/report.js

@@ -8,6 +8,8 @@ const chalk_1 = __importDefault(require("chalk"));
 const docx_1 = require("docx");
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const inquirer_1 = __importDefault(require("inquirer"));
 const config_1 = require("../core/config");
 const scan_storage_1 = require("../core/scan-storage");
 const ai_client_1 = require("../core/ai-client");
@@ -16,7 +18,7 @@ function registerReportCommand(program) {
     program
         .command("report [scan-file]")
         .description("Generate a professional security report")
-        .option("-f, --format <type>", "Report format: word|json|txt")
+        .option("-f, --format <type>", "Report format: word|json|txt|markdown")
         .option("-o, --output <file>", "Output filename")
         .option("--ai-summary", "Generate an AI-powered executive summary")
         .action(async (scanFile, options) => {
@@ -34,7 +36,10 @@ function registerReportCommand(program) {
             const content = await promises_1.default.readFile(filepath, "utf-8");
             const scanResult = JSON.parse(content);
             const config = await (0, config_1.getConfig)();
-            const format = (options.format || config.report.defaultFormat);
+            let format = (options.format || config.report.defaultFormat);
+            if (!options.format && !config.report.defaultFormat) {
+                format = "markdown";
+            }
             let aiSummary;
             if (options.aiSummary) {
                 spinner = logger_1.logger.spinner("Generating AI executive summary...");
@@ -47,17 +52,42 @@ function registerReportCommand(program) {
                     spinner.warn(`AI summary failed: ${err.message}`);
                 }
             }
+            let outputDir = "";
+            if (!options.output) {
+                const { location } = await inquirer_1.default.prompt([
+                    {
+                        type: "list",
+                        name: "location",
+                        message: "Where should the report be saved?",
+                        choices: [
+                            { name: "Current Project Directory (./)", value: "cwd" },
+                            { name: "Desktop", value: "desktop" },
+                            { name: "Default Reports Directory (~/.kramscan/reports/)", value: "default" }
+                        ]
+                    }
+                ]);
+                if (location === "cwd") {
+                    outputDir = process.cwd();
+                }
+                else if (location === "desktop") {
+                    outputDir = path_1.default.join(os_1.default.homedir(), "Desktop");
+                }
+            }
             spinner = logger_1.logger.spinner(`Generating ${format.toUpperCase()} report...`);
             let outputPath;
             switch (format) {
                 case "word":
-                    outputPath = await generateWordReport(scanResult, options.output, aiSummary);
+                    outputPath = await generateWordReport(scanResult, options.output, aiSummary, outputDir);
                     break;
                 case "json":
-                    outputPath = await generateJsonReport(scanResult, options.output, aiSummary);
+                    outputPath = await generateJsonReport(scanResult, options.output, aiSummary, outputDir);
                     break;
                 case "txt":
-                    outputPath = await generateTxtReport(scanResult, options.output, aiSummary);
+                    outputPath = await generateTxtReport(scanResult, options.output, aiSummary, outputDir);
+                    break;
+                case "markdown":
+                case "md":
+                    outputPath = await generateMarkdownReport(scanResult, options.output, aiSummary, outputDir);
                     break;
                 default:
                     throw new Error(`Unsupported format: ${format}`);
@@ -76,7 +106,7 @@ function registerReportCommand(program) {
         }
     });
 }
-async function generateWordReport(scanResult, outputFile, aiSummary) {
+async function generateWordReport(scanResult, outputFile, aiSummary, outputDir) {
     const doc = new docx_1.Document({
         sections: [
             {
@@ -145,15 +175,15 @@ async function generateWordReport(scanResult, outputFile, aiSummary) {
         ],
     });
     const buffer = await docx_1.Packer.toBuffer(doc);
-    const reportsDir = await (0, scan_storage_1.ensureReportsDirectory)();
+    const reportsDir = outputDir || await (0, scan_storage_1.ensureReportsDirectory)();
     const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
     const filename = outputFile || `report-${timestamp}.docx`;
     const filepath = path_1.default.isAbsolute(filename) ? filename : path_1.default.join(reportsDir, filename);
     await promises_1.default.writeFile(filepath, buffer);
     return filepath;
 }
-async function generateJsonReport(scanResult, outputFile, aiSummary) {
-    const reportsDir = await (0, scan_storage_1.ensureReportsDirectory)();
+async function generateJsonReport(scanResult, outputFile, aiSummary, outputDir) {
+    const reportsDir = outputDir || await (0, scan_storage_1.ensureReportsDirectory)();
     const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
     const filename = outputFile || `report-${timestamp}.json`;
     const filepath = path_1.default.isAbsolute(filename) ? filename : path_1.default.join(reportsDir, filename);
@@ -161,7 +191,7 @@ async function generateJsonReport(scanResult, outputFile, aiSummary) {
     await promises_1.default.writeFile(filepath, JSON.stringify(finalResult, null, 2));
     return filepath;
 }
-async function generateTxtReport(scanResult, outputFile, aiSummary) {
+async function generateTxtReport(scanResult, outputFile, aiSummary, outputDir) {
     const lines = [];
     lines.push("=".repeat(60));
     lines.push("SECURITY ASSESSMENT REPORT");
@@ -208,10 +238,58 @@ async function generateTxtReport(scanResult, outputFile, aiSummary) {
     lines.push("=".repeat(60));
     lines.push("End of Report");
     lines.push("=".repeat(60));
-    const reportsDir = await (0, scan_storage_1.ensureReportsDirectory)();
+    const reportsDir = outputDir || await (0, scan_storage_1.ensureReportsDirectory)();
     const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
     const filename = outputFile || `report-${timestamp}.txt`;
     const filepath = path_1.default.isAbsolute(filename) ? filename : path_1.default.join(reportsDir, filename);
     await promises_1.default.writeFile(filepath, lines.join("\n"));
     return filepath;
 }
+async function generateMarkdownReport(scanResult, outputFile, aiSummary, outputDir) {
+    const lines = [];
+    lines.push("# Security Assessment Report");
+    lines.push("");
+    lines.push(`**Target:** \`${scanResult.target}\``);
+    lines.push(`**Date:** ${new Date(scanResult.timestamp).toLocaleString()}`);
+    lines.push(`**Duration:** ${(scanResult.duration / 1000).toFixed(2)}s`);
+    lines.push("");
+    lines.push("## Executive Summary");
+    if (aiSummary) {
+        lines.push(aiSummary);
+    }
+    else {
+        lines.push(`Total Vulnerabilities: **${scanResult.summary.total}** (${scanResult.summary.critical} Critical, ${scanResult.summary.high} High, ${scanResult.summary.medium} Medium, ${scanResult.summary.low} Low, ${scanResult.summary.info} Info)`);
+    }
+    lines.push("");
+    lines.push("## Scan Statistics");
+    lines.push(`- **URLs Crawled:** ${scanResult.metadata.crawledUrls}`);
+    lines.push(`- **Forms Tested:** ${scanResult.metadata.testedForms}`);
+    lines.push(`- **Requests Made:** ${scanResult.metadata.requestsMade}`);
+    lines.push("");
+    lines.push("## Detailed Findings");
+    lines.push("");
+    scanResult.vulnerabilities.forEach((vuln, index) => {
+        lines.push(`### ${index + 1}. ${vuln.title} [${vuln.severity.toUpperCase()}]`);
+        lines.push(`- **URL:** \`${vuln.url}\``);
+        lines.push(`- **Type:** ${vuln.type}`);
+        lines.push(`- **Description:** ${vuln.description}`);
+        if (vuln.evidence) {
+            lines.push(`- **Evidence:** \`${vuln.evidence}\``);
+        }
+        if (vuln.remediation) {
+            lines.push(`- **Remediation:** ${vuln.remediation}`);
+        }
+        if (vuln.cwe) {
+            lines.push(`- **CWE:** ${vuln.cwe}`);
+        }
+        lines.push("");
+    });
+    lines.push("---");
+    lines.push("*Generated by KramScan*");
+    const reportsDir = outputDir || await (0, scan_storage_1.ensureReportsDirectory)();
+    const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+    const filename = outputFile || `report-${timestamp}.md`;
+    const filepath = path_1.default.isAbsolute(filename) ? filename : path_1.default.join(reportsDir, filename);
+    await promises_1.default.writeFile(filepath, lines.join("\n"));
+    return filepath;
+}

package/dist/commands/scan.js

@@ -71,6 +71,9 @@ function registerScanCommand(program) {
             console.log(theme_1.theme.gray("─".repeat(50)));
             console.log("");
         }
+        if (!/^https?:\/\//i.test(url)) {
+            url = `http://${url}`;
+        }
         // Validate URL
         try {
             new URL(url);
@@ -116,23 +119,18 @@ function registerScanCommand(program) {
                 console.log("");
             }
             const scanner = new scanner_1.Scanner(options.plugins !== false);
-            // Set up event listeners for progress feedback
-            let currentStage = "initializing";
             let vulnerabilitiesFound = 0;
             scanner.on("scan:start", () => {
                 if (spinner)
                     spinner.text = `Starting scan of ${url}...`;
-                currentStage = "scanning";
             });
             scanner.on("crawl:page", (data) => {
                 if (spinner)
                     spinner.text = `Crawling: ${data.url} (${data.crawledCount}/${data.maxPages})`;
-                currentStage = "crawling";
             });
             scanner.on("form:test", (data) => {
                 if (spinner)
                     spinner.text = `Testing forms on ${data.url} (${data.formCount} forms)...`;
-                currentStage = "testing forms";
             });
             scanner.on("vuln:found", (data) => {
                 vulnerabilitiesFound++;
@@ -273,6 +271,7 @@ function registerScanCommand(program) {
                         choices: [
                             { name: "🧠  Analyze findings with AI", value: "analyze" },
                             { name: "📄  Generate a professional report", value: "report" },
+                            { name: "🤖  Generate AI-ready Markdown report for fixing issues", value: "markdown" },
                             { name: "👋  Exit to main menu", value: "exit" }
                         ]
                     }
@@ -289,6 +288,12 @@ function registerScanCommand(program) {
                     registerReportCommand(reportProgram);
                     await reportProgram.parseAsync(["node", "kramscan", "report", filepath]);
                 }
+                else if (nextAction === "markdown") {
+                    const { registerReportCommand } = await Promise.resolve().then(() => __importStar(require("./report")));
+                    const reportProgram = new commander_1.Command();
+                    registerReportCommand(reportProgram);
+                    await reportProgram.parseAsync(["node", "kramscan", "report", filepath, "-f", "markdown"]);
+                }
             }
         }
         catch (error) {

package/dist/core/config.js

@@ -49,6 +49,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
 const config_schema_1 = require("./config-schema");
+const project_config_1 = require("./project-config");
 const theme_1 = require("../utils/theme");
 var config_schema_2 = require("./config-schema");
 Object.defineProperty(exports, "scanProfiles", { enumerable: true, get: function () { return config_schema_2.defaultScanProfiles; } });
@@ -363,7 +364,13 @@ function getConfigStore() {
 }
 async function getConfig() {
     await ensureInitialized();
-    return store.store;
+    const globalConfig = store.store;
+    // Merge project-level .kramscanrc if present
+    const project = (0, project_config_1.findProjectConfig)();
+    if (project) {
+        return (0, project_config_1.deepMerge)(globalConfig, project.config);
+    }
+    return globalConfig;
 }
 async function getConfigValue(key) {
     await ensureInitialized();

package/dist/core/project-config.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Project-level configuration (.kramscanrc)
+ *
+ * Discovers and loads a .kramscanrc file from the current working directory
+ * (or any parent directory) and merges it with the global config. Project
+ * settings override global settings, but sensitive fields (ai.apiKey) are
+ * never read from the project file.
+ */
+export declare const PROJECT_CONFIG_FILENAME = ".kramscanrc";
+/**
+ * Represents the subset of config fields that can be set at the project level.
+ * Intentionally excludes ai.apiKey for security.
+ */
+export interface ProjectConfig {
+    scan?: {
+        defaultProfile?: string;
+        defaultTimeout?: number;
+        maxThreads?: number;
+        followRedirects?: boolean;
+        verifySSL?: boolean;
+        rateLimitPerSecond?: number;
+        strictScope?: boolean;
+        include?: string[];
+        exclude?: string[];
+        profiles?: Record<string, {
+            depth?: number;
+            timeout?: number;
+            maxPages?: number;
+            maxLinksPerPage?: number;
+        }>;
+    };
+    report?: {
+        defaultFormat?: string;
+        companyName?: string;
+        includeScreenshots?: boolean;
+        severityThreshold?: string;
+    };
+    gate?: {
+        failOn?: string;
+        maxVulns?: number;
+    };
+    plugins?: {
+        disabled?: string[];
+    };
+}
+/**
+ * Search for a .kramscanrc file starting from `startDir` and walking up
+ * to the filesystem root. Returns the parsed contents and file path,
+ * or null if no file is found.
+ */
+export declare function findProjectConfig(startDir?: string): {
+    config: ProjectConfig;
+    filepath: string;
+} | null;
+/**
+ * Deep merge `source` into `target`, returning a new object. Arrays are
+ * replaced, not concatenated. Undefined values in source are skipped.
+ */
+export declare function deepMerge<T extends Record<string, unknown>>(target: T, source: Record<string, unknown>): T;