npm - logcop - Versions diffs - 1.0.0 - Mend

logcop 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,286 @@
+# 🚓 logcop
+<p align="center">
+  <img src="./logcop.png" alt="logcop" width="600" />
+</p>
+### Detect. Remove. Protect.
+---
+You're three hours deep into a bug.
+You've added `console.log` everywhere function arguments, API responses, auth tokens, the whole request object. You finally find the bug, fix it, close the laptop.
+You forgot to remove the logs.
+They ship. They hit production. Your JWT is now sitting in Datadog. Your `user.password` is in CloudWatch. Your entire `process.env` just got logged in a platform that your whole team and maybe your infrastructure vendor has access to.
+You didn't mean to do it. Nobody does. That's exactly the problem.
+**logcop is the last check before code leaves your machine.**
+```bash
+npx logcop scan
+```
+---
+## The problem is bigger than you think
+Every developer debugs with `console.log`. It's fast, it's easy, it works. The issue isn't the logs themselves it's what they contain, and that they never get cleaned up.
+Here's what a typical debugging session looks like:
+```js
+console.log("user object:", user); // contains email, role, password hash
+console.log("auth response:", response.data); // contains JWT token
+console.log("env check:", process.env); // contains every secret in your app
+console.log("request body:", req.body); // contains raw user input
+console.log("here"); // the classic
+```
+Five logs. Four of them are a security incident waiting to happen.
+The code works so you ship it. The logs go with it. Now those values are streaming into your log aggregator on every request silently, permanently, until someone notices or something goes wrong.
+This is not a hypothetical. It happens constantly. It happens to senior engineers. It happens at companies with security teams. It happens because cleanup is the last thing on your mind when you've finally fixed the bug.
+logcop makes cleanup automatic.
+---
+## What it does
+Scans your entire codebase for every `console.log`, `console.error`, `console.warn`, and `console.debug` and tells you not just that they exist, but **what they're logging and how dangerous it is.**
+```
+✔ Scan completed
+  ⚠ CRITICAL RISK  potential secret leaks:
+    CRITICAL  src/auth.js:14
+      → console.log(password)
+    CRITICAL  src/api.js:8
+      → console.log(process.env)
+  src/auth.js
+    → console.log(password) :14        CRITICAL
+    → console.log(token) :22           CRITICAL
+    → console.log(user) :31            HIGH
+    → console.log("starting app") :45
+┌──────────────────────────────────────────────────┐
+│                                                  │
+│   Found 4 console statements across 1 file       │
+│   🔴 2 critical                                  │
+│   🟡 1 high risk                                 │
+│   Run logcop fix to remove them                  │
+│                                                  │
+└──────────────────────────────────────────────────┘
+```
+This is the difference between logcop and ESLint's `no-console`:
+ESLint sees `console.log(x)` and flags it.
+logcop looks **inside** and tells you `x` is your JWT token.
+---
+## Install
+```bash
+npm install -g logcop
+```
+Or run without installing:
+```bash
+npx logcop scan
+```
+---
+## Commands
+### Scan
+```bash
+logcop scan
+```
+Scans every `.js`, `.ts`, `.jsx`, `.tsx` file in your project. Prints results grouped by file with risk levels inline. Critical findings are pulled to the top impossible to miss.
+### Fix
+```bash
+logcop fix
+```
+Removes all console statements automatically. Handles trailing semicolons, blank lines, and indentation leaves your code clean, not full of ghost whitespace.
+```bash
+logcop fix --dry-run
+```
+Preview exactly what would be removed before touching anything. Always a good idea before running on a real codebase.
+### Comment
+```bash
+logcop comment
+```
+Not ready to delete? Comments them out instead of removing them:
+```js
+// console.log(user) // logcop: disabled
+```
+Non-destructive, reversible, and still silences the output. Useful when you want to keep the log for reference but not have it run.
+```bash
+logcop comment --dry-run
+```
+### Git Hook
+```bash
+logcop install-hook
+```
+Installs a git pre-commit hook that runs `logcop scan --ci` before every commit. If console statements are found, the commit is blocked. One command. No configuration. Works forever.
+### CI Mode
+```bash
+logcop scan --ci
+```
+Exits with code `1` if any console statements are found, `0` if the project is clean. Drop this into any pipeline and no console statement ever merges to main again.
+### JSON Output
+```bash
+logcop scan --json
+```
+Machine-readable output for pipelines, scripts, dashboards, and custom tooling:
+```json
+{
+  "total": 4,
+  "files": 1,
+  "critical": 2,
+  "high": 1,
+  "results": [
+    {
+      "file": "src/auth.js",
+      "line": 14,
+      "type": "log",
+      "risk": "critical",
+      "argsSource": "password"
+    }
+  ]
+}
+```
+---
+## Risk Levels
+logcop doesn't just find console statements it reads their arguments and scores them by how dangerous they are. String contents are ignored. Only actual variable names and object properties are checked, so `console.log("request failed")` won't be flagged but `console.log(request)` will.
+| Level       | What it catches                                                                                                             |
+| ----------- | --------------------------------------------------------------------------------------------------------------------------- |
+| 🔴 Critical | `password`, `secret`, `token`, `apiKey`, `jwt`, `privateKey`, `Authorization`, `process.env`, `accessToken`, `clientSecret` |
+| 🟡 High     | `user`, `userData`, `req.body`, `headers`, `config`, `db`, `connectionString`, `response.data`                              |
+| 🟢 Medium   | `email`, `phone`, `payload`, `data`, `body`                                                                                 |
+Critical findings are always shown first, separated from the rest of the output. If your scan has red you should not ship.
+---
+## GitHub Actions
+Add this to your repo and logcop runs on every pull request:
+```yaml
+# .github/workflows/logcop.yml
+name: logcop
+on: [pull_request]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - run: npx logcop scan --ci
+```
+PRs with console statements fail the check. They cannot merge until the logs are removed or the risk is reviewed. This is the zero-effort way to make console hygiene a team standard without adding it to your code review checklist.
+---
+## Config
+Create `logcop.config.js` in your project root to customize behavior for your team:
+```js
+module.exports = {
+  // folders to skip
+  ignore: ["node_modules/**", "dist/**", "build/**"],
+  // console methods to never touch
+  // useful if your team uses console.error for intentional error logging
+  keep: ["error", "warn"],
+  // customize risk patterns to match your codebase
+  risk: {
+    critical: ["password", "secret", "token", "process.env", "apiKey", "jwt"],
+    high: ["user", "userData", "req.body", "headers", "config", "db"],
+    medium: ["email", "phone", "payload"],
+  },
+};
+```
+Commit this file to your repo and the whole team runs with the same rules. No per-developer configuration needed.
+---
+## Why not just use ESLint?
+You probably already have ESLint. You might already have `no-console` enabled. Here's why that's not enough:
+ESLint tells you a log exists. It has no idea what's inside it. `console.log(password)` and `console.log("hello")` look identical to ESLint both get flagged the same way, both get fixed the same way.
+logcop treats them differently because they are different. One is noise. One is a credentials leak.
+Beyond that logcop gives you choices. You can fix, comment, preview, or just scan. You can keep `error` and `warn` while removing `log` and `debug`. You can run it in CI, wire it to a git hook, or pipe its output as JSON into your own tooling.
+It's not a replacement for ESLint. It's the thing ESLint can't do.
+---
+## Roadmap
+- [x] Console statement detection
+- [x] Security risk scanner
+- [x] Auto-fix with clean removal
+- [x] Comment mode
+- [x] Dry run mode
+- [x] Git hook integration
+- [x] CI/CD pipeline mode
+- [x] JSON output
+- [x] Team config file
+---
+## License
+MIT © Prakhar Mishra

package/bin/logcop.js ADDED Viewed

@@ -0,0 +1,108 @@
+#!/usr/bin/env node
+const fs = require("fs");
+const path = require("path");
+const { Command } = require("commander");
+const chalk = require("chalk");
+const ora = require("ora").default;
+const boxen = require("boxen").default;
+const figlet = require("figlet");
+const gradient = require("gradient-string");
+const { scanProject } = require("../src/core/scanner");
+const { fixProject, commentProject } = require("../src/core/fixer");
+const program = new Command();
+program
+  .name("logcop")
+  .description("🚓 Detect and remove console.log statements")
+  .version("1.0.0");
+//  SCAN
+/*program
+  .command("scan")
+  .description("Scan project for console logs")
+  .option("--ci", "Exit with code 1 if any console statements found")
+  .action(async (options) => {
+    await scanProject({ ci: options.ci });
+  });
+*/
+program
+  .command("scan")
+  .description("Scan project for console logs")
+  .option("--ci", "Exit with code 1 if any console statements found")
+  .option("--json", "Output results as JSON")
+  .action(async (options) => {
+    await scanProject({ ci: options.ci, json: options.json });
+  });
+/*
+program
+  .command("fix")
+  .description("Remove console logs automatically")
+  .action(async () => {
+    await fixProject();
+  });
+*
+// INSTALL
+/*program
+  .command("install-hook")
+  .description("Install git pre-commit hook")
+  .action(async () => {
+    const spinner = ora("Installing git hook...").start();
+    await new Promise((r) => setTimeout(r, 1000));
+    spinner.succeed(chalk.green("Git hook installed"));
+  });
+*/
+//  FIX
+program
+  .command("fix")
+  .description("Remove console logs automatically")
+  .option("--dry-run", "Preview what would be removed without changing files")
+  .action(async (options) => {
+    await fixProject({ dryRun: options.dryRun });
+  });
+//comment rather than fully removing the logs;
+// COMMENT
+program
+  .command("comment")
+  .description("Comment out console statements instead of removing them")
+  .option("--dry-run", "Preview what would be commented without changing files")
+  .action(async (options) => {
+    await commentProject({ dryRun: options.dryRun });
+  });
+program
+  .command("install-hook")
+  .description("Install git pre-commit hook")
+  .action(async () => {
+    const spinner = ora("Installing git hook...").start();
+    const hookDir = path.join(process.cwd(), ".git", "hooks");
+    const hookPath = path.join(hookDir, "pre-commit");
+    //check for .git's existence
+    if (!fs.existsSync(hookDir)) {
+      spinner.fail(
+        chalk.red("No .git directory found. Are you in a git repo?"),
+      );
+      process.exit(1);
+    }
+    const hookScript = `#!/bin/sh
+npx logcop scan --ci
+if [ $? -ne 0 ]; then
+  echo ""
+  echo " logcop: console statements detected. Run 'logcop fix' to remove them."
+  exit 1
+fi
+`;
+    fs.writeFileSync(hookPath, hookScript, { mode: 0o755 });
+    spinner.succeed(chalk.green("Git hook installed"));
+    console.log(chalk.gray(`  → ${hookPath}`));
+    console.log(chalk.gray("  logcop will now run before every commit."));
+  });
+program.parse(process.argv);

package/package.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "name": "logcop",
+  "version": "1.0.0",
+  "description": "CLI tool to detect and remove console.log statements before committing code",
+  "main": "index.js",
+  "bin": {
+    "logcop": "bin/logcop.js"
+  },
+  "scripts": {
+    "test": "echo \"No tests yet\""
+  },
+  "keywords": [
+    "console-log",
+    "cleanup",
+    "cli",
+    "git-hook",
+    "developer-tool",
+    "vibe-coding",
+    "security",
+    "linter",
+    "javascript",
+    "typescript"
+  ],
+  "author": "Prakhar Mishra",
+  "license": "MIT",
+  "type": "commonjs",
+  "dependencies": {
+    "acorn": "^8.16.0",
+    "acorn-walk": "^8.3.5",
+    "boxen": "^8.0.1",
+    "chalk": "^4.1.2",
+    "commander": "^14.0.3",
+    "figlet": "^1.10.0",
+    "glob": "^13.0.6",
+    "gradient-string": "^3.0.0",
+    "ora": "^9.3.0"
+  }
+}

package/src/core/config.js ADDED Viewed

@@ -0,0 +1,81 @@
+const fs = require("fs");
+const path = require("path");
+const defaults = {
+  ignore: ["node_modules/**", "dist/**", "build/**", "coverage/**", ".next/**"],
+  keep: [],
+  risk: {
+    critical: [
+      "process.env",
+      "password",
+      "secret",
+      "token",
+      "apiKey",
+      "api_key",
+      "privateKey",
+      "private_key",
+      "jwt",
+      "Authorization",
+      "accessToken",
+      "access_token",
+      "clientSecret",
+      "client_secret",
+    ],
+    high: [
+      "user",
+      "userData",
+      "currentUser",
+      "req.body",
+      "request.body",
+      "response.data",
+      "result",
+      "headers",
+      "req.headers",
+      "config",
+      "settings",
+      "db",
+      "connection",
+      "connectionString",
+    ],
+    medium: [
+      "email",
+      "phone",
+      "ssn",
+      "payload",
+      "data",
+      "body",
+      "res",
+      "ctx",
+      "context",
+    ],
+  },
+};
+function loadConfig() {
+  const configPath = path.join(process.cwd(), "logcop.config.js");
+  // no config file found, use defaults
+  if (!fs.existsSync(configPath)) {
+    return defaults;
+  }
+  try {
+    const userConfig = require(configPath);
+    // deep merge
+    return {
+      ignore: userConfig.ignore || defaults.ignore,
+      keep: userConfig.keep || defaults.keep,
+      risk: {
+        critical: userConfig.risk?.critical || defaults.risk.critical,
+        high: userConfig.risk?.high || defaults.risk.high,
+        medium: userConfig.risk?.medium || defaults.risk.medium,
+      },
+    };
+  } catch (e) {
+    console.warn("⚠ Could not load logcop.config.js, using defaults.");
+    return defaults;
+  }
+}
+module.exports = { loadConfig };

package/src/core/fixer.js ADDED Viewed

@@ -0,0 +1,179 @@
+const fs = require("fs");
+const glob = require("glob");
+const ora = require("ora").default;
+const chalk = require("chalk");
+const boxen = require("boxen").default;
+const { parseFile } = require("./scanner");
+const { loadConfig } = require("./config");
+//detect logs
+function fixFile(file) {
+  const code = fs.readFileSync(file, "utf-8");
+  if (!code.includes("console")) return 0;
+  const logs = parseFile(file); //reusing the old parsefile function instead of reinventing the wheel;
+  if (!logs.length) return 0;
+  let updated = code;
+  // removing from bottom → top to avoid index shift
+  logs
+    .sort((a, b) => b.start - a.start)
+    .forEach((log) => {
+      let start = log.start;
+      let end = log.end;
+      //consumptioon of trailing semicolon ;edge case
+      if (updated[end] === ";") end += 1;
+      //consumption of the entire line if nothinng else is on it
+      const lineStart = updated.lastIndexOf("\n", start - 1) + 1;
+      const beforeLog = updated.slice(lineStart, start).trim();
+      if (beforeLog === "") {
+        // line is only whitespace + the console statement, remove whole line
+        start = lineStart;
+        if (updated[end] === "\n") end += 1;
+      }
+      updated = updated.slice(0, start) + updated.slice(end);
+    });
+  // collapse multiple blank lines into one
+  updated = updated.replace(/\n{3,}/g, "\n\n");
+  fs.writeFileSync(file, updated, "utf-8");
+  return logs.length;
+}
+function commentFile(file) {
+  const code = fs.readFileSync(file, "utf-8");
+  if (!code.includes("console")) return 0;
+  const logs = parseFile(file);
+  if (!logs.length) return 0;
+  const lines = code.split("\n");
+  let commented = 0;
+  logs.forEach((log) => {
+    const lineIndex = log.line - 1;
+    const line = lines[lineIndex];
+    // skip if already commented out
+    if (line.trimStart().startsWith("//")) return;
+    // get the indentation
+    const indent = line.match(/^(\s*)/)[1];
+    // comment it out with a logcop tag
+    lines[lineIndex] = `${indent}// ${line.trim()} // logcop: disabled`;
+    commented++;
+  });
+  fs.writeFileSync(file, lines.join("\n"), "utf-8");
+  return commented;
+}
+async function commentProject({ dryRun = false } = {}) {
+  const spinner = ora(
+    dryRun ? "Previewing comments..." : "Commenting out console statements...",
+  ).start();
+  const config = loadConfig();
+  const files = glob.sync("**/*.{js,ts,jsx,tsx}", {
+    ignore: config.ignore,
+  });
+  let commented = 0;
+  files.forEach((file) => {
+    if (dryRun) {
+      const logs = parseFile(file);
+      const uncommented = logs.filter((log) => {
+        const lines = fs.readFileSync(file, "utf-8").split("\n");
+        return !lines[log.line - 1].trimStart().startsWith("//");
+      });
+      if (uncommented.length > 0) {
+        console.log("");
+        console.log(chalk.cyan.bold(`  ${file}`));
+        uncommented.forEach((log) => {
+          console.log(
+            `    ${chalk.gray("→")} would comment console.${chalk.yellow(log.type)}${chalk.gray(`(${log.argsSource})`)} ${chalk.gray(`:${log.line}`)}`,
+          );
+        });
+        commented += uncommented.length;
+      }
+    } else {
+      commented += commentFile(file);
+    }
+  });
+  spinner.succeed(
+    chalk.green(dryRun ? "Dry run completed" : "Comment completed"),
+  );
+  console.log(
+    boxen(
+      dryRun
+        ? chalk.cyan(
+            ` Would comment ${commented} console statement${commented === 1 ? "" : "s"}\n`,
+          ) +
+            chalk.gray(" (no files were changed)\n") +
+            chalk.gray(" Run logcop comment to apply")
+        : chalk.cyan(
+            ` Commented out ${commented} console statement${commented === 1 ? "" : "s"}`,
+          ),
+      { padding: 1, borderColor: "cyan" },
+    ),
+  );
+}
+async function fixProject({ dryRun = false } = {}) {
+  const spinner = ora(
+    dryRun ? "Previewing changes..." : "Removing console statements...",
+  ).start();
+  const config = loadConfig();
+  const files = glob.sync("**/*.{js,ts,jsx,tsx}", {
+    ignore: config.ignore,
+  });
+  let removed = 0;
+  files.forEach((file) => {
+    if (dryRun) {
+      const logs = parseFile(file);
+      if (logs.length > 0) {
+        console.log("");
+        console.log(chalk.cyan.bold(`  ${file}`));
+        logs.forEach((log) => {
+          console.log(
+            `    ${chalk.gray("→")} would remove console.${chalk.yellow(log.type)}${chalk.gray(`(${log.argsSource})`)} ${chalk.gray(`:${log.line}`)}`,
+          );
+        });
+        removed += logs.length;
+      }
+    } else {
+      removed += fixFile(file);
+    }
+  });
+  spinner.succeed(chalk.green(dryRun ? "Dry run completed" : "Fix completed"));
+  console.log(
+    boxen(
+      dryRun
+        ? chalk.cyan(
+            ` Would remove ${removed} console statement${removed === 1 ? "" : "s"}\n`,
+          ) +
+            chalk.gray(" (no files were changed)\n") +
+            chalk.gray(" Run logcop fix to apply")
+        : chalk.cyan(
+            ` Removed ${removed} console statement${removed === 1 ? "" : "s"}`,
+          ),
+      { padding: 1, borderColor: "cyan" },
+    ),
+  );
+}
+module.exports = { fixProject, commentProject };

package/src/core/scanner.js ADDED Viewed

@@ -0,0 +1,213 @@
+const fs = require("fs");
+const ora = require("ora").default;
+const chalk = require("chalk");
+const boxen = require("boxen").default;
+const glob = require("glob");
+const acorn = require("acorn");
+const walk = require("acorn-walk");
+const { loadConfig } = require("./config");
+function detectRisk(argsSource, config) {
+  // strip string literals before checking — we only care about variable names
+  // e.g. console.log("request failed") should NOT match "request"
+  const withoutStrings = argsSource
+    .replace(/"[^"]*"/g, '""') // remove double quoted strings
+    .replace(/'[^']*'/g, "''") // remove single quoted strings
+    .replace(/`[^`]*`/g, "``"); // remove template literals
+  const text = withoutStrings.toLowerCase();
+  for (const pattern of config.risk.critical) {
+    if (text.includes(pattern.toLowerCase())) return "critical";
+  }
+  for (const pattern of config.risk.high) {
+    if (text.includes(pattern.toLowerCase())) return "high";
+  }
+  for (const pattern of config.risk.medium) {
+    if (text.includes(pattern.toLowerCase())) return "medium";
+  }
+  return null;
+}
+// parse a single file
+function parseFile(file) {
+  const code = fs.readFileSync(file, "utf-8");
+  const logs = [];
+  // fast skip if file doesn't contain console
+  if (!code.includes("console")) {
+    return logs;
+  }
+  const config = loadConfig();
+  const allowedMethods = ["log", "error", "warn", "debug"].filter(
+    (x) => !config.keep.includes(x),
+  );
+  try {
+    const ast = acorn.parse(code, {
+      ecmaVersion: "latest",
+      sourceType: "module",
+      locations: true,
+    });
+    walk.simple(ast, {
+      CallExpression(node) {
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.name === "console" &&
+          allowedMethods.includes(node.callee.property.name)
+        ) {
+          const argsSource = code.slice(
+            node.arguments[0]?.start ?? node.start,
+            node.arguments[node.arguments.length - 1]?.end ?? node.end,
+          );
+          const risk =
+            node.arguments.length > 0 ? detectRisk(argsSource, config) : null;
+          logs.push({
+            file,
+            line: node.loc.start.line,
+            type: node.callee.property.name,
+            risk,
+            argsSource,
+            start: node.start,
+            end: node.end,
+          }); //added start and end of the console statements just to reuse it in fixer.js;
+        }
+      },
+    });
+  } catch (error) {
+    // ignore parse errors
+  }
+  return logs;
+}
+async function scanProject({ ci = false, json = false } = {}) {
+  const spinner = ora("Scanning project...").start();
+  //real engine for the file scan/
+  const config = loadConfig();
+  const files = glob.sync("**/*.{js,ts,jsx,tsx}", {
+    ignore: config.ignore,
+  });
+  let results = [];
+  files.forEach((file) => {
+    const logs = parseFile(file);
+    results.push(...logs);
+  });
+  const grouped = {};
+  results.forEach((r) => {
+    if (!grouped[r.file]) {
+      grouped[r.file] = [];
+    }
+    grouped[r.file].push(r);
+  });
+  if (!json) spinner.succeed(chalk.green("Scan completed"));
+  else spinner.stop();
+  if (results.length === 0) {
+    if (json) {
+      console.log(
+        JSON.stringify(
+          { total: 0, files: 0, critical: 0, high: 0, results: [] },
+          null,
+          2,
+        ),
+      );
+    } else {
+      console.log(
+        boxen(chalk.green(" ✔ No console statements found"), {
+          padding: 1,
+          borderColor: "green",
+        }),
+      );
+    }
+    return;
+  }
+  // json output mode
+  if (json) {
+    const output = {
+      total: results.length,
+      files: Object.keys(grouped).length,
+      critical: results.filter((r) => r.risk === "critical").length,
+      high: results.filter((r) => r.risk === "high").length,
+      results: results.map((r) => ({
+        file: r.file,
+        line: r.line,
+        type: r.type,
+        risk: r.risk || null,
+        argsSource: r.argsSource || null,
+      })),
+    };
+    console.log(JSON.stringify(output, null, 2));
+    if (ci && results.length > 0) process.exit(1);
+    return;
+  }
+  // risk badge helper
+  const riskBadge = (risk) => {
+    if (risk === "critical") return chalk.bgRed.white(" CRITICAL ");
+    if (risk === "high") return chalk.bgYellow.black(" HIGH ");
+    if (risk === "medium") return chalk.bgCyan.black(" MEDIUM ");
+    return "";
+  };
+  // pull out critical ones first  can't miss them
+  const criticals = results.filter((r) => r.risk === "critical");
+  if (criticals.length > 0) {
+    console.log(
+      chalk.red.bold("\n   CRITICAL RISK  potential secret leaks:\n"),
+    );
+    criticals.forEach((log) => {
+      console.log(
+        `    ${riskBadge("critical")} ${chalk.gray(log.file)}${chalk.gray(`:${log.line}`)}`,
+      );
+      console.log(
+        `      ${chalk.gray("→")} console.${chalk.yellow(log.type)}(${chalk.red(log.argsSource)})\n`,
+      );
+    });
+  }
+  // then print all files grouped
+  console.log("");
+  Object.keys(grouped).forEach((file) => {
+    console.log(chalk.cyan.bold(`  ${file}`));
+    grouped[file].forEach((log) => {
+      const badge = riskBadge(log.risk);
+      const args = log.argsSource ? chalk.gray(`(${log.argsSource})`) : "";
+      console.log(
+        `    ${chalk.gray("→")} console.${chalk.yellow(log.type)}${args} ${chalk.gray(`:${log.line}`)} ${badge}`,
+      );
+    });
+    console.log("");
+  });
+  // summary box
+  const criticalCount = results.filter((r) => r.risk === "critical").length;
+  const highCount = results.filter((r) => r.risk === "high").length;
+  console.log(
+    boxen(
+      chalk.yellow(
+        ` Found ${results.length} console statement${results.length === 1 ? "" : "s"} across ${Object.keys(grouped).length} file${Object.keys(grouped).length === 1 ? "" : "s"}\n`,
+      ) +
+        (criticalCount > 0
+          ? chalk.red(` 🔴 ${criticalCount} critical\n`)
+          : "") +
+        (highCount > 0 ? chalk.yellow(` 🟡 ${highCount} high risk\n`) : "") +
+        chalk.gray(" Run logcop fix to remove them"),
+      { padding: 1, borderColor: criticalCount > 0 ? "red" : "yellow" },
+    ),
+    // ci mode  exit 1 so pipelines fail
+  );
+  if (ci && results.length > 0) {
+    process.exit(1);
+  }
+}
+module.exports = { scanProject, parseFile };