opena2a-cli 0.1.0

package/dist/commands/protect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/commands/protect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA0CH,MAAM,WAAW,cAAc;IAC7B,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,uCAAuC;IACvC,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,oBAAoB;IACpB,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,gCAAgC;IAChC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAeD;;GAEG;AACH,wBAAsB,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAsKtE"}

package/dist/commands/protect.js

@@ -0,0 +1,642 @@
+"use strict";
+/**
+ * opena2a protect — Detect credentials and migrate to Secretless vault.
+ *
+ * Flow:
+ * 1. Run HMA CRED + DRIFT checks on the target directory
+ * 2. For each detected credential with a raw value:
+ *    a. Store in Secretless SecretStore
+ *    b. Replace in source file with environment variable reference
+ *    c. Register broker policy (default: deny-all, must be explicitly allowed)
+ *    d. Add to .env.example
+ * 3. Re-run scan to verify clean
+ * 4. Output migration report
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protect = protect;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const colors_js_1 = require("../util/colors.js");
+const spinner_js_1 = require("../util/spinner.js");
+const format_js_1 = require("../util/format.js");
+// --- Credential patterns (shared module) ---
+const credential_patterns_js_1 = require("../util/credential-patterns.js");
+// --- Core logic ---
+/**
+ * Main protect command. Scans for credentials, migrates to vault, verifies clean.
+ */
+async function protect(options) {
+    const startTime = Date.now();
+    const targetDir = path.resolve(options.targetDir);
+    if (!fs.existsSync(targetDir)) {
+        process.stderr.write((0, colors_js_1.red)(`Target directory not found: ${targetDir}\n`));
+        return 1;
+    }
+    if (options.dryRun) {
+        process.stdout.write((0, colors_js_1.yellow)('[DRY RUN] No files will be modified.\n\n'));
+    }
+    // Phase 1: Scan for credentials
+    const spinner = new spinner_js_1.Spinner('Scanning for credentials...');
+    spinner.start();
+    const matches = scanForCredentials(targetDir);
+    spinner.stop();
+    const isJson = options.format === 'json';
+    if (matches.length === 0) {
+        if (isJson) {
+            const report = {
+                targetDir,
+                totalFound: 0,
+                migrated: 0,
+                failed: 0,
+                skipped: 0,
+                results: [],
+                verificationPassed: true,
+                durationMs: Date.now() - startTime,
+            };
+            process.stdout.write(JSON.stringify(report, null, 2) + '\n');
+        }
+        else {
+            process.stdout.write((0, colors_js_1.green)('No hardcoded credentials detected.\n'));
+        }
+        return 0;
+    }
+    if (!isJson) {
+        process.stdout.write((0, colors_js_1.bold)(`Found ${matches.length} credential(s) in ${targetDir}\n\n`));
+        // Show findings table
+        const findingsRows = matches.map(m => [
+            (0, format_js_1.severityLabel)(m.severity),
+            m.findingId,
+            m.title,
+            path.relative(targetDir, m.filePath) + ':' + m.line,
+            m.envVar,
+        ]);
+        process.stdout.write((0, format_js_1.table)(findingsRows, ['Severity', 'ID', 'Type', 'Location', 'Env Var']) + '\n\n');
+        // Show detailed explanations (non-CI only)
+        if (!options.ci) {
+            for (const m of matches) {
+                process.stdout.write((0, colors_js_1.bold)(`${m.findingId}: ${m.title}`) + '\n');
+                if (m.explanation) {
+                    process.stdout.write((0, colors_js_1.dim)('  Why: ') + m.explanation + '\n');
+                }
+                if (m.businessImpact) {
+                    process.stdout.write((0, colors_js_1.dim)('  Impact: ') + (0, colors_js_1.yellow)(m.businessImpact) + '\n');
+                }
+                process.stdout.write('\n');
+            }
+        }
+    }
+    if (options.dryRun) {
+        if (!isJson) {
+            process.stdout.write((0, colors_js_1.yellow)('[DRY RUN] Would migrate the above credentials.\n'));
+            process.stdout.write((0, colors_js_1.dim)('Run without --dry-run to apply changes.\n'));
+        }
+        // Generate HTML report even in dry-run mode
+        if (options.report) {
+            await writeHtmlReport(options.report, targetDir, matches, isJson);
+        }
+        return 0;
+    }
+    // Phase 2: Migrate credentials
+    if (!isJson) {
+        spinner.update('Migrating credentials to Secretless vault...');
+        spinner.start();
+    }
+    const results = await migrateCredentials(matches, targetDir, options);
+    if (!isJson)
+        spinner.stop();
+    const migrated = results.filter(r => r.stored && r.replaced).length;
+    const failed = results.filter(r => r.error).length;
+    const skipped = results.filter(r => !r.stored && !r.replaced && !r.error).length;
+    // Phase 3: Update .env.example
+    updateEnvExample(targetDir, results.filter(r => r.stored), isJson);
+    // Phase 4: Verification re-scan
+    let verificationPassed = true;
+    if (!options.skipVerify && migrated > 0) {
+        if (!isJson) {
+            spinner.update('Verifying migration...');
+            spinner.start();
+        }
+        const remainingMatches = scanForCredentials(targetDir)
+            .filter(m => {
+            // Exclude .env files from verification — credentials are supposed to be there
+            const basename = path.basename(m.filePath);
+            return !basename.startsWith('.env');
+        });
+        verificationPassed = remainingMatches.length === 0;
+        if (!isJson) {
+            spinner.stop();
+            if (verificationPassed) {
+                process.stdout.write((0, colors_js_1.green)('Verification passed: no credentials remain in source.\n\n'));
+            }
+            else {
+                process.stdout.write((0, colors_js_1.yellow)(`Verification: ${remainingMatches.length} credential(s) still detected.\n` +
+                    'Some credentials may require manual migration.\n\n'));
+            }
+        }
+    }
+    // Phase 5: Report
+    const durationMs = Date.now() - startTime;
+    const report = {
+        targetDir,
+        totalFound: matches.length,
+        migrated,
+        failed,
+        skipped,
+        results,
+        verificationPassed,
+        durationMs,
+    };
+    if (options.format === 'json') {
+        process.stdout.write(JSON.stringify(report, null, 2) + '\n');
+    }
+    else {
+        printReport(report);
+        // Offer 1Password migration after successful credential migration
+        if (report.migrated > 0 && !options.ci) {
+            try {
+                const { offer1PasswordMigration } = await import('./onepassword-migration.js');
+                await offer1PasswordMigration({
+                    credentialCount: report.migrated,
+                    ci: options.ci,
+                });
+            }
+            catch {
+                // 1Password migration module not critical -- skip silently
+            }
+        }
+    }
+    // Generate interactive HTML report if --report path provided
+    if (options.report) {
+        await writeHtmlReport(options.report, targetDir, matches, isJson);
+    }
+    return failed > 0 ? 1 : 0;
+}
+// --- Scanning ---
+function scanForCredentials(targetDir) {
+    const matches = [];
+    const seen = new Set(); // dedup by value+file
+    (0, credential_patterns_js_1.walkFiles)(targetDir, (filePath) => {
+        let content;
+        try {
+            content = fs.readFileSync(filePath, 'utf-8');
+        }
+        catch {
+            return; // skip unreadable files
+        }
+        const lines = content.split('\n');
+        for (const pattern of credential_patterns_js_1.CREDENTIAL_PATTERNS) {
+            // Reset regex lastIndex for global patterns
+            pattern.pattern.lastIndex = 0;
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                let match;
+                // Clone regex to avoid shared state issues
+                const re = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+                while ((match = re.exec(line)) !== null) {
+                    // For capture group patterns, use group 1; otherwise full match
+                    const value = match[1] ?? match[0];
+                    const dedupKey = `${value}:${filePath}`;
+                    if (seen.has(dedupKey))
+                        continue;
+                    seen.add(dedupKey);
+                    // Skip if it looks like an env var reference already
+                    if (isEnvVarReference(line, match.index))
+                        continue;
+                    const envVar = deriveEnvVarName(pattern, filePath, matches);
+                    matches.push({
+                        value,
+                        filePath,
+                        line: i + 1,
+                        findingId: pattern.id,
+                        envVar,
+                        severity: pattern.severity,
+                        title: pattern.title,
+                        explanation: pattern.explanation,
+                        businessImpact: pattern.businessImpact,
+                    });
+                }
+            }
+        }
+    });
+    return matches;
+}
+function isEnvVarReference(line, matchIndex) {
+    // Check if the match is inside process.env.X, ${X}, $X, os.environ, etc.
+    const before = line.slice(0, matchIndex);
+    return /process\.env\.\w*$/.test(before) ||
+        /\$\{?\w*$/.test(before) ||
+        /os\.environ\[['"]?\w*$/.test(before) ||
+        /getenv\(['"]?\w*$/.test(before);
+}
+function deriveEnvVarName(pattern, _filePath, existingMatches) {
+    const base = pattern.envVarPrefix;
+    const existing = existingMatches.filter(m => m.envVar.startsWith(base));
+    if (existing.length === 0)
+        return base;
+    // If the same prefix already exists, append a number
+    return `${base}_${existing.length + 1}`;
+}
+// --- Migration ---
+async function migrateCredentials(matches, targetDir, options) {
+    const results = [];
+    for (const credential of matches) {
+        try {
+            // Step 1: Store in Secretless vault
+            const stored = await storeInVault(credential);
+            // Step 2: Replace in source file
+            const replaced = replaceInSource(credential);
+            // Step 3: Create broker policy
+            const policyCreated = createBrokerPolicy(credential, targetDir);
+            results.push({
+                credential,
+                stored,
+                replaced,
+                policyCreated,
+            });
+            if (options.verbose) {
+                const status = stored && replaced ? (0, colors_js_1.green)('[OK]') : (0, colors_js_1.yellow)('[PARTIAL]');
+                process.stdout.write(`${status} ${credential.envVar} <- ${path.relative(targetDir, credential.filePath)}:${credential.line}\n`);
+            }
+        }
+        catch (err) {
+            results.push({
+                credential,
+                stored: false,
+                replaced: false,
+                policyCreated: false,
+                error: err instanceof Error ? err.message : String(err),
+            });
+            if (options.verbose) {
+                process.stderr.write((0, colors_js_1.red)(`[FAIL] ${credential.envVar}: ${err instanceof Error ? err.message : String(err)}\n`));
+            }
+        }
+    }
+    return results;
+}
+/**
+ * Store a credential value in the Secretless SecretStore.
+ * Uses dynamic import to avoid hard dependency on secretless-ai.
+ */
+async function storeInVault(credential) {
+    try {
+        // Dynamic import -- secretless-ai may not be installed
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        const secretless = await Function('return import("secretless-ai")')();
+        const mod = 'default' in secretless ? secretless.default : secretless;
+        const { SecretStore } = mod;
+        const store = new SecretStore();
+        await store.setSecret(credential.envVar, credential.value);
+        return true;
+    }
+    catch {
+        // Secretless not available -- write to .env file as fallback
+        return storeInDotEnv(credential);
+    }
+}
+/**
+ * Fallback: append credential to .env file in the project root.
+ */
+function storeInDotEnv(credential) {
+    const projectRoot = findProjectRoot(credential.filePath);
+    if (!projectRoot)
+        return false;
+    const envPath = path.join(projectRoot, '.env');
+    let content = '';
+    if (fs.existsSync(envPath)) {
+        content = fs.readFileSync(envPath, 'utf-8');
+        // Don't add if already present
+        if (content.includes(`${credential.envVar}=`))
+            return true;
+        if (!content.endsWith('\n'))
+            content += '\n';
+    }
+    content += `${credential.envVar}=${credential.value}\n`;
+    // Write with restricted permissions (0o600)
+    const fd = fs.openSync(envPath, 'w', 0o600);
+    fs.writeSync(fd, content);
+    fs.closeSync(fd);
+    return true;
+}
+/**
+ * Replace the hardcoded credential in the source file with an environment variable reference.
+ *
+ * For programming languages (JS, Python, Go, etc.), the credential is typically
+ * inside quotes: `apiKey: "sk-ant-..."`. We must strip those quotes so the result
+ * is `apiKey: process.env.ANTHROPIC_API_KEY` (code expression) rather than
+ * `apiKey: "process.env.ANTHROPIC_API_KEY"` (string literal, broken at runtime).
+ */
+function replaceInSource(credential) {
+    const content = fs.readFileSync(credential.filePath, 'utf-8');
+    const ext = path.extname(credential.filePath).toLowerCase();
+    // Build the replacement string based on file type
+    const replacement = getEnvVarReplacement(credential.envVar, ext, content, credential.value);
+    if (!replacement)
+        return false;
+    let newContent;
+    if (shouldStripQuotes(ext)) {
+        // For programming languages, replace the entire quoted expression
+        // (including surrounding quotes) with the bare env var reference
+        const quotedDouble = `"${credential.value}"`;
+        const quotedSingle = `'${credential.value}'`;
+        if (content.includes(quotedDouble)) {
+            newContent = content.replace(quotedDouble, replacement);
+        }
+        else if (content.includes(quotedSingle)) {
+            newContent = content.replace(quotedSingle, replacement);
+        }
+        else {
+            // No quotes found (e.g., template literal or unquoted), replace value directly
+            newContent = content.replace(credential.value, replacement);
+        }
+    }
+    else {
+        // For config files (YAML, JSON, .env, etc.), replace value inside quotes
+        newContent = content.replace(credential.value, replacement);
+    }
+    if (newContent === content)
+        return false; // nothing changed
+    fs.writeFileSync(credential.filePath, newContent, 'utf-8');
+    return true;
+}
+/**
+ * Programming languages where env var references must NOT be inside string quotes.
+ */
+function shouldStripQuotes(ext) {
+    return ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.py', '.go', '.rb', '.java', '.kt', '.rs'].includes(ext);
+}
+/**
+ * Generate the appropriate env var reference for the file type.
+ */
+function getEnvVarReplacement(envVar, ext, content, _original) {
+    // Detect language/framework from file extension and content
+    switch (ext) {
+        case '.ts':
+        case '.tsx':
+        case '.js':
+        case '.jsx':
+        case '.mjs':
+        case '.cjs':
+            return `process.env.${envVar}`;
+        case '.py':
+            return `os.environ.get('${envVar}')`;
+        case '.go':
+            return `os.Getenv("${envVar}")`;
+        case '.rb':
+            return `ENV['${envVar}']`;
+        case '.java':
+        case '.kt':
+            return `System.getenv("${envVar}")`;
+        case '.rs':
+            return `std::env::var("${envVar}").unwrap_or_default()`;
+        case '.yaml':
+        case '.yml':
+            return `\${${envVar}}`;
+        case '.toml':
+        case '.ini':
+        case '.cfg':
+        case '.conf':
+            return `\${${envVar}}`;
+        case '.env':
+        case '.sh':
+        case '.bash':
+        case '.zsh':
+            return `$${envVar}`;
+        case '.json':
+            // JSON doesn't support env var references natively.
+            // Replace with a placeholder that frameworks commonly understand.
+            return `\${${envVar}}`;
+        case '.dockerfile':
+            return `$${envVar}`;
+        default:
+            // For Dockerfiles without extension
+            if (content.includes('FROM ') || content.includes('RUN ')) {
+                return `$${envVar}`;
+            }
+            // Default to shell-style
+            return `\${${envVar}}`;
+    }
+}
+/**
+ * Create a deny-all broker policy for this credential.
+ * The user must explicitly add allow rules.
+ */
+function createBrokerPolicy(credential, targetDir) {
+    const policyDir = path.join(process.env.HOME ?? process.env.USERPROFILE ?? '.', '.secretless-ai');
+    try {
+        if (!fs.existsSync(policyDir)) {
+            fs.mkdirSync(policyDir, { recursive: true, mode: 0o700 });
+        }
+        const policyFile = path.join(policyDir, 'broker-policies.json');
+        let policies = [];
+        if (fs.existsSync(policyFile)) {
+            try {
+                const raw = fs.readFileSync(policyFile, 'utf-8');
+                const parsed = JSON.parse(raw);
+                policies = Array.isArray(parsed) ? parsed : parsed.rules ?? [];
+            }
+            catch {
+                // Corrupted file, start fresh
+                policies = [];
+            }
+        }
+        // Check if policy for this credential already exists
+        const existingPolicy = policies.find((p) => p.credentialSelector === credential.envVar);
+        if (existingPolicy)
+            return true;
+        // Add deny-all policy for this credential
+        const projectName = path.basename(targetDir);
+        policies.push({
+            id: `protect-${credential.envVar.toLowerCase()}-${Date.now()}`,
+            agentSelector: '*',
+            credentialSelector: credential.envVar,
+            constraints: {},
+            effect: 'deny',
+            comment: `Auto-generated by opena2a protect from ${projectName}. Add allow rules for authorized agents.`,
+        });
+        fs.writeFileSync(policyFile, JSON.stringify(policies, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Update .env.example with the migrated variable names.
+ */
+function updateEnvExample(targetDir, migratedResults, quiet = false) {
+    if (migratedResults.length === 0)
+        return;
+    const envExamplePath = path.join(targetDir, '.env.example');
+    let content = '';
+    if (fs.existsSync(envExamplePath)) {
+        content = fs.readFileSync(envExamplePath, 'utf-8');
+        if (!content.endsWith('\n'))
+            content += '\n';
+    }
+    let added = 0;
+    for (const result of migratedResults) {
+        const envVar = result.credential.envVar;
+        if (!content.includes(`${envVar}=`)) {
+            content += `${envVar}=\n`;
+            added++;
+        }
+    }
+    if (added > 0) {
+        fs.writeFileSync(envExamplePath, content, 'utf-8');
+        if (!quiet) {
+            process.stdout.write((0, colors_js_1.dim)(`Updated .env.example with ${added} variable(s).\n`));
+        }
+    }
+}
+// --- Reporting ---
+function printReport(report) {
+    process.stdout.write('\n' + (0, colors_js_1.bold)('Migration Report') + '\n');
+    process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+    const rows = [];
+    for (const result of report.results) {
+        const status = result.error
+            ? (0, colors_js_1.red)('FAILED')
+            : result.stored && result.replaced
+                ? (0, colors_js_1.green)('MIGRATED')
+                : (0, colors_js_1.yellow)('PARTIAL');
+        rows.push([
+            status,
+            result.credential.findingId,
+            result.credential.envVar,
+            path.relative(report.targetDir, result.credential.filePath) + ':' + result.credential.line,
+        ]);
+        if (result.error) {
+            process.stdout.write((0, colors_js_1.dim)(`  Error: ${result.error}\n`));
+        }
+    }
+    process.stdout.write((0, format_js_1.table)(rows, ['Status', 'Finding', 'Env Var', 'Location']) + '\n\n');
+    // Summary
+    process.stdout.write((0, colors_js_1.bold)('Summary: '));
+    const parts = [];
+    if (report.migrated > 0)
+        parts.push((0, colors_js_1.green)(`${report.migrated} migrated`));
+    if (report.skipped > 0)
+        parts.push((0, colors_js_1.yellow)(`${report.skipped} skipped`));
+    if (report.failed > 0)
+        parts.push((0, colors_js_1.red)(`${report.failed} failed`));
+    process.stdout.write(parts.join(', ') + '\n');
+    process.stdout.write((0, colors_js_1.dim)(`Completed in ${(0, format_js_1.formatDuration)(report.durationMs)}\n`));
+    if (report.migrated > 0) {
+        process.stdout.write('\n' + (0, colors_js_1.cyan)('Next steps:') + '\n');
+        process.stdout.write('  1. Review changes: ' + (0, colors_js_1.dim)('git diff') + '\n');
+        process.stdout.write('  2. Add .env to .gitignore if not already present\n');
+        process.stdout.write('  3. Configure broker allow rules: ' + (0, colors_js_1.dim)('~/.secretless-ai/broker-policies.json') + '\n');
+        process.stdout.write('  4. Re-scan to confirm: ' + (0, colors_js_1.dim)('opena2a scan .') + '\n');
+        process.stdout.write('\n' + (0, colors_js_1.dim)('Continue hardening:') + '\n');
+        process.stdout.write((0, colors_js_1.dim)('  opena2a guard sign        Sign config files for tamper detection') + '\n');
+        process.stdout.write((0, colors_js_1.dim)('  opena2a runtime start     Enable runtime monitoring') + '\n');
+        process.stdout.write((0, colors_js_1.dim)('  opena2a init              Re-assess trust score after migration') + '\n');
+    }
+}
+// --- Utilities ---
+async function writeHtmlReport(reportPath, targetDir, matches, quiet) {
+    try {
+        const { generateInteractiveHtml } = await import('../report/interactive-html.js');
+        const reportData = {
+            metadata: {
+                generatedAt: new Date().toISOString(),
+                toolVersion: '0.1.0',
+                targetName: path.basename(targetDir),
+                scanType: 'protect',
+            },
+            summary: {
+                totalFindings: matches.length,
+                bySeverity: countBySeverity(matches),
+                score: calculateScore(matches),
+            },
+            findings: matches.map(m => ({
+                id: m.findingId,
+                severity: m.severity,
+                title: m.title,
+                description: `Hardcoded ${m.title} found in source code.`,
+                explanation: m.explanation,
+                businessImpact: m.businessImpact,
+                category: m.findingId.startsWith('DRIFT') ? 'Scope Drift' : 'Credential Exposure',
+                file: path.relative(targetDir, m.filePath),
+                line: m.line,
+                fix: `Replace with environment variable: ${m.envVar}`,
+                passed: false,
+            })),
+        };
+        const html = generateInteractiveHtml(reportData);
+        fs.writeFileSync(reportPath, html, 'utf-8');
+        if (!quiet) {
+            process.stdout.write((0, colors_js_1.green)(`\nHTML report written to ${reportPath}\n`));
+        }
+    }
+    catch (err) {
+        process.stderr.write((0, colors_js_1.red)(`Failed to generate HTML report: ${err instanceof Error ? err.message : String(err)}\n`));
+    }
+}
+function countBySeverity(matches) {
+    const counts = {};
+    for (const m of matches) {
+        counts[m.severity] = (counts[m.severity] || 0) + 1;
+    }
+    return counts;
+}
+function calculateScore(matches) {
+    if (matches.length === 0)
+        return 100;
+    const weights = { critical: 25, high: 15, medium: 8, low: 3, info: 1 };
+    let penalty = 0;
+    for (const m of matches) {
+        penalty += weights[m.severity] || 5;
+    }
+    return Math.max(0, 100 - penalty);
+}
+function findProjectRoot(startPath) {
+    let dir = path.dirname(startPath);
+    const root = path.parse(dir).root;
+    while (dir !== root) {
+        if (fs.existsSync(path.join(dir, 'package.json')) ||
+            fs.existsSync(path.join(dir, 'go.mod')) ||
+            fs.existsSync(path.join(dir, 'Cargo.toml')) ||
+            fs.existsSync(path.join(dir, 'pyproject.toml')) ||
+            fs.existsSync(path.join(dir, 'setup.py')) ||
+            fs.existsSync(path.join(dir, '.git'))) {
+            return dir;
+        }
+        dir = path.dirname(dir);
+    }
+    return null;
+}
+//# sourceMappingURL=protect.js.map