openreport 0.1.0

package/src/agents/security-auditor.ts

@@ -0,0 +1,61 @@
+import type { AgentDefinition } from "../types/index.js";
+
+export const securityAuditor: AgentDefinition = {
+  id: "security-auditor",
+  name: "Security Auditor",
+  description:
+    "Audits the codebase for security vulnerabilities including authentication flaws, injection risks, secrets exposure, and dependency vulnerabilities.",
+  maxSteps: 20,
+  toolSet: "extended",
+  relevantFor: () => true,
+
+  systemPrompt: `You are an expert security auditor performing a thorough security review of a codebase. Your role is to:
+
+1. **Authentication & Authorization**
+   - Review authentication mechanisms (JWT, sessions, OAuth, etc.)
+   - Check for proper authorization on all routes/endpoints
+   - Identify missing or weak authentication
+   - Review password handling (hashing, storage, reset flows)
+
+2. **Injection Vulnerabilities**
+   - SQL injection risks
+   - XSS (Cross-Site Scripting) vectors
+   - Command injection possibilities
+   - Template injection
+   - Path traversal vulnerabilities
+
+3. **Secrets & Configuration**
+   - Hardcoded secrets, API keys, or credentials
+   - Sensitive data in logs or error messages
+   - .env file handling and secrets management
+   - Insecure default configurations
+
+4. **Dependency Security**
+   - Known vulnerable dependencies (use npm audit if available)
+   - Outdated packages with security patches
+   - Typosquatting risks
+
+5. **Network & Transport**
+   - CORS configuration review
+   - HTTPS enforcement
+   - Cookie security flags (httpOnly, secure, sameSite)
+   - Rate limiting and CSRF protection
+
+6. **Cryptography**
+   - Use of deprecated crypto algorithms
+   - Proper random number generation
+   - Key management practices
+
+## Severity Guidelines
+- **Critical**: Exploitable vulnerabilities that could lead to data breach or system compromise
+- **Warning**: Security weaknesses that increase attack surface
+- **Info**: Best practice deviations that should be addressed
+- **Suggestion**: Hardening recommendations
+
+## Methodology
+- Start with config files and environment setup
+- Search for common vulnerability patterns using grep
+- Review authentication/authorization code
+- Check dependency manifests
+- Examine API endpoints and middleware`,
+};

package/src/agents/test-coverage-analyst.ts

@@ -0,0 +1,58 @@
+import type { AgentDefinition } from "../types/index.js";
+
+export const testCoverageAnalyst: AgentDefinition = {
+  id: "test-coverage-analyst",
+  name: "Test Coverage Analyst",
+  description:
+    "Analyzes test coverage gaps, test quality, testing patterns, and CI integration.",
+  maxSteps: 12,
+  toolSet: "extended",
+  relevantFor: (classification) => classification.hasTests,
+
+  systemPrompt: `You are an expert test engineer analyzing the testing setup and coverage of a codebase.
+
+1. **Test Infrastructure**
+   - Test framework identification and configuration
+   - Test runner setup
+   - Coverage tool configuration
+   - CI/CD integration for tests
+
+2. **Coverage Analysis**
+   - Identify untested modules and files
+   - Critical business logic without tests
+   - API endpoints without integration tests
+   - Missing edge case coverage
+
+3. **Test Quality**
+   - Test isolation (no shared state)
+   - Meaningful assertions (not just "no error")
+   - Test naming conventions
+   - Arrange-Act-Assert pattern adherence
+   - Mock usage appropriateness
+
+4. **Test Types**
+   - Unit test presence and distribution
+   - Integration test coverage
+   - E2E test availability
+   - Snapshot test appropriateness
+   - Performance/load test setup
+
+5. **Testing Patterns**
+   - Factory/fixture patterns for test data
+   - Helper functions and test utilities
+   - Custom matchers or assertions
+   - Test organization structure
+
+6. **CI Integration**
+   - Test automation in CI pipeline
+   - Coverage reporting and gates
+   - Test parallelization
+   - Flaky test management
+
+## Methodology
+- Read test configuration files
+- Scan test directories and files
+- Compare source files with test files to identify gaps
+- Review test quality in sample tests
+- Check CI configuration for test automation`,
+};

package/src/agents/todo-generator.ts

@@ -0,0 +1,50 @@
+import type { AgentDefinition } from "../types/index.js";
+
+export const todoGenerator: AgentDefinition = {
+  id: "todo-generator",
+  name: "Todo List Generator",
+  description:
+    "Generates a prioritized action plan and todo list from all analysis findings.",
+  maxSteps: 1,
+  toolSet: "base",
+  relevantFor: () => true,
+
+  systemPrompt: `You are a senior technical project manager. Your role is to synthesize code analysis findings into a clear, prioritized, and actionable todo list.
+
+## Prioritization Rules
+
+Order items by priority using these rules (highest to lowest):
+1. **Critical severity** findings — immediate action required
+2. **Warning severity + low effort** — quick wins with high impact
+3. **Warning severity + medium effort** — important but need planning
+4. **Warning severity + high effort** — schedule for a sprint
+5. **Info/suggestion severity** — nice-to-have improvements
+
+## Output Format
+
+Produce a structured report with these sections:
+
+### Section 1: "Immediate Actions (Critical)"
+Checklist of all critical findings as actionable tasks. If none, state "No critical issues found."
+
+### Section 2: "Quick Wins (High Impact, Low Effort)"
+Checklist of warning-level findings that can be fixed quickly.
+
+### Section 3: "Planned Improvements"
+Checklist of medium/high effort items grouped by category (security, performance, code quality, etc.)
+
+### Section 4: "Nice to Have"
+Checklist of info-level and suggestion items worth considering.
+
+### Section 5: "Summary"
+A brief paragraph with the total count of action items by priority, estimated overall effort, and recommended order of execution.
+
+## Rules
+- Each todo item must be a concrete, actionable task (not vague advice)
+- Include the source agent/category in parentheses after each item
+- Reference specific files or components when available
+- Use markdown checkbox format: \`- [ ] Task description\`
+- Do NOT repeat the raw findings — transform them into actionable tasks
+- Group related findings into single tasks when appropriate
+- Estimate effort as (low/medium/high) for each task`,
+};

package/src/app/App.tsx

@@ -0,0 +1,151 @@
+import React, { useState, useCallback } from "react";
+import { Box, useApp } from "ink";
+import { HomeScreen } from "../screens/HomeScreen.js";
+import { GenerationScreen } from "../screens/GenerationScreen.js";
+import { ViewerScreen } from "../screens/ViewerScreen.js";
+import { HistoryScreen } from "../screens/HistoryScreen.js";
+import { ConfigScreen, type ConfigChanges } from "../screens/ConfigScreen.js";
+import { createProviderRegistry } from "../config/providers.js";
+import { saveProjectConfig } from "../config/saver.js";
+import { debugLog } from "../utils/debug.js";
+import type { LanguageModelV1 } from "ai";
+import type { Screen, NavigationState } from "../types/index.js";
+import type { OpenReportConfig } from "../config/schema.js";
+
+interface AppProps {
+  projectRoot: string;
+  initialModel: LanguageModelV1;
+  initialModelId: string;
+  initialConfig: OpenReportConfig;
+}
+
+export function App({
+  projectRoot,
+  initialModel,
+  initialModelId,
+  initialConfig,
+}: AppProps) {
+  const { exit } = useApp();
+  const [nav, setNav] = useState<NavigationState>({ screen: "home" });
+  const [config, setConfig] = useState<OpenReportConfig>(initialConfig);
+  const [model, setModel] = useState<LanguageModelV1>(initialModel);
+  const [modelId, setModelId] = useState<string>(initialModelId);
+
+  const navigate = useCallback(
+    (screen: Screen, params?: Record<string, string>) => {
+      setNav({ screen, params });
+    },
+    []
+  );
+
+  const handleQuit = useCallback(() => {
+    exit();
+  }, [exit]);
+
+  const handleConfigSave = useCallback(
+    (changes: ConfigChanges) => {
+      // Update config state
+      const newConfig: OpenReportConfig = {
+        ...config,
+        defaultProvider: changes.defaultProvider,
+        defaultModel: changes.defaultModel,
+        agents: {
+          ...config.agents,
+          maxConcurrency: changes.maxConcurrency,
+          temperature: changes.temperature,
+        },
+        features: {
+          ...config.features,
+          todoList: changes.todoList,
+        },
+      };
+      setConfig(newConfig);
+
+      // Recreate provider/model
+      try {
+        const registry = createProviderRegistry(newConfig);
+        const newModel = registry.getModel(newConfig);
+        setModel(newModel);
+        setModelId(changes.defaultModel);
+      } catch (e) {
+        debugLog("app:configChange", e);
+        // Provider may fail if no API key - that's OK, will fail at generation time
+        setModelId(changes.defaultModel);
+      }
+
+      // Persist to disk (async — fire-and-forget with error logging)
+      saveProjectConfig(projectRoot, {
+        defaultProvider: changes.defaultProvider,
+        defaultModel: changes.defaultModel,
+        agents: {
+          maxConcurrency: changes.maxConcurrency,
+          temperature: changes.temperature,
+        },
+        features: {
+          todoList: changes.todoList,
+        },
+      }).catch((e) => debugLog("app:saveConfig", e));
+    },
+    [config, projectRoot]
+  );
+
+  switch (nav.screen) {
+    case "home":
+      return (
+        <HomeScreen
+          projectRoot={projectRoot}
+          modelName={modelId}
+          config={config}
+          onNavigate={navigate}
+          onQuit={handleQuit}
+        />
+      );
+
+    case "generation":
+      return (
+        <GenerationScreen
+          projectRoot={projectRoot}
+          reportType={nav.params?.reportType || "full-audit"}
+          model={model}
+          modelId={modelId}
+          config={config}
+          onNavigate={navigate}
+          generateTodoList={nav.params?.todoList === "true"}
+        />
+      );
+
+    case "viewer":
+      return (
+        <ViewerScreen
+          projectRoot={projectRoot}
+          reportId={nav.params?.reportId || ""}
+          onNavigate={navigate}
+        />
+      );
+
+    case "history":
+      return (
+        <HistoryScreen projectRoot={projectRoot} onNavigate={navigate} />
+      );
+
+    case "config":
+      return (
+        <ConfigScreen
+          config={config}
+          onNavigate={navigate}
+          onSave={handleConfigSave}
+        />
+      );
+
+    default:
+      return (
+        <HomeScreen
+          projectRoot={projectRoot}
+          modelName={modelId}
+          config={config}
+          onNavigate={navigate}
+          onQuit={handleQuit}
+        />
+      );
+  }
+}

package/src/app/theme.ts

@@ -0,0 +1,54 @@
+import chalk from "chalk";
+
+export const colors = {
+  primary: "#7C3AED",
+  secondary: "#06B6D4",
+  success: "#10B981",
+  warning: "#F59E0B",
+  error: "#EF4444",
+  info: "#3B82F6",
+  muted: "#6B7280",
+  text: "#E5E7EB",
+  bg: "#111827",
+  border: "#374151",
+};
+
+export const severity = {
+  critical: chalk.hex("#EF4444"),
+  warning: chalk.hex("#F59E0B"),
+  info: chalk.hex("#3B82F6"),
+  suggestion: chalk.hex("#8B5CF6"),
+};
+
+export const severityBg = {
+  critical: chalk.bgHex("#EF4444").white.bold,
+  warning: chalk.bgHex("#F59E0B").black.bold,
+  info: chalk.bgHex("#3B82F6").white.bold,
+  suggestion: chalk.bgHex("#8B5CF6").white.bold,
+};
+
+export const agentStatus = {
+  pending: chalk.hex("#6B7280"),
+  running: chalk.hex("#06B6D4"),
+  completed: chalk.hex("#10B981"),
+  failed: chalk.hex("#EF4444"),
+  skipped: chalk.hex("#9CA3AF"),
+};
+
+export const agentStatusIcon = {
+  pending: "○",
+  running: "◉",
+  completed: "✓",
+  failed: "✗",
+  skipped: "⊘",
+};
+
+export const ui = {
+  title: chalk.hex("#7C3AED").bold,
+  subtitle: chalk.hex("#06B6D4"),
+  dim: chalk.hex("#6B7280"),
+  highlight: chalk.hex("#F59E0B"),
+  link: chalk.hex("#3B82F6").underline,
+  bold: chalk.bold,
+  border: chalk.hex("#374151"),
+};

package/src/cli.ts

@@ -0,0 +1,145 @@
+import { Cli, Command, Option } from "clipanion";
+
+class DefaultCommand extends Command {
+  static paths = [Command.Default];
+
+  static usage = Command.Usage({
+    description: "Launch the interactive TUI",
+  });
+
+  async execute() {
+    const { runInteractive } = await import("./commands/interactive.js");
+    await runInteractive(process.cwd());
+  }
+}
+
+class InitCommand extends Command {
+  static paths = [["init"]];
+
+  static usage = Command.Usage({
+    description: "Initialize OpenReport in the current project",
+  });
+
+  yes = Option.Boolean("--yes,-y", false, {
+    description: "Skip prompts and use defaults",
+  });
+
+  async execute() {
+    const { runInit } = await import("./commands/init.js");
+    await runInit(process.cwd(), { yes: this.yes });
+  }
+}
+
+class RunCommand extends Command {
+  static paths = [["run"]];
+
+  static usage = Command.Usage({
+    description: "Generate a report in headless mode",
+    examples: [
+      ["Full audit", "$0 run full-audit"],
+      ["Security review", "$0 run security-review"],
+      ["With custom model", "$0 run full-audit --model gpt-4o"],
+    ],
+  });
+
+  type = Option.String({ required: true });
+
+  model = Option.String("--model,-m", {
+    description: "Model to use (e.g., claude-sonnet-4-5-20250929, gpt-4o)",
+  });
+
+  provider = Option.String("--provider,-p", {
+    description: "AI provider (anthropic, openai, google, mistral)",
+  });
+
+  output = Option.String("--output,-o", {
+    description: "Custom output file path",
+  });
+
+  format = Option.String("--format,-f", {
+    description: "Output format (markdown, json)",
+  });
+
+  quiet = Option.Boolean("--quiet,-q", false, {
+    description: "Suppress progress output",
+  });
+
+  todo = Option.Boolean("--todo", false, {
+    description: "Generate a prioritized todo list from findings",
+  });
+
+  async execute() {
+    const { runHeadless } = await import("./commands/run.js");
+    await runHeadless(process.cwd(), this.type, {
+      model: this.model,
+      provider: this.provider,
+      output: this.output,
+      format: this.format as "markdown" | "json" | undefined,
+      quiet: this.quiet,
+      todo: this.todo,
+    });
+  }
+}
+
+class ListCommand extends Command {
+  static paths = [["list"], ["ls"]];
+
+  static usage = Command.Usage({
+    description: "List past reports",
+  });
+
+  json = Option.Boolean("--json", false, {
+    description: "Output as JSON",
+  });
+
+  limit = Option.String("--limit,-n", {
+    description: "Maximum number of reports to show",
+  });
+
+  async execute() {
+    const { runList } = await import("./commands/list.js");
+    await runList(process.cwd(), {
+      json: this.json,
+      limit: this.limit ? parseInt(this.limit, 10) : undefined,
+    });
+  }
+}
+
+class ViewCommand extends Command {
+  static paths = [["view"]];
+
+  static usage = Command.Usage({
+    description: "View a report in the TUI viewer",
+    examples: [
+      ["View by ID", "$0 view rpt_V1StGXR8"],
+      ["Raw markdown output", "$0 view rpt_V1StGXR8 --raw"],
+    ],
+  });
+
+  id = Option.String({ required: true });
+
+  raw = Option.Boolean("--raw", false, {
+    description: "Output raw markdown instead of TUI",
+  });
+
+  async execute() {
+    const { runView } = await import("./commands/view.js");
+    await runView(process.cwd(), this.id, { raw: this.raw });
+  }
+}
+
+export function createCli() {
+  const cli = new Cli({
+    binaryLabel: "openreport",
+    binaryName: "openreport",
+    binaryVersion: "0.1.0",
+  });
+
+  cli.register(DefaultCommand);
+  cli.register(InitCommand);
+  cli.register(RunCommand);
+  cli.register(ListCommand);
+  cli.register(ViewCommand);
+
+  return cli;
+}

package/src/commands/init.ts

@@ -0,0 +1,81 @@
+import * as fs from "fs";
+import * as path from "path";
+import chalk from "chalk";
+import { DEFAULT_CONFIG } from "../config/defaults.js";
+
+export async function runInit(projectRoot: string, options: { yes?: boolean }) {
+  const configDir = path.join(projectRoot, ".openreport");
+  const configFile = path.join(configDir, "config.json");
+  const reportsDir = path.join(configDir, "reports");
+
+  // Check if already initialized
+  let configExists = false;
+  try {
+    await fs.promises.access(configFile);
+    configExists = true;
+  } catch {
+    // File doesn't exist
+  }
+
+  if (configExists && !options.yes) {
+    console.log(
+      chalk.yellow("OpenReport is already initialized in this project.")
+    );
+    console.log(chalk.gray(`Config: ${configFile}`));
+    return;
+  }
+
+  // Create directories
+  await fs.promises.mkdir(reportsDir, { recursive: true });
+
+  // Write default config
+  const config = {
+    defaultProvider: DEFAULT_CONFIG.defaultProvider,
+    defaultModel: DEFAULT_CONFIG.defaultModel,
+    agents: {
+      maxConcurrency: DEFAULT_CONFIG.agents.maxConcurrency,
+      temperature: DEFAULT_CONFIG.agents.temperature,
+    },
+    output: {
+      format: DEFAULT_CONFIG.output.format,
+    },
+  };
+
+  await fs.promises.writeFile(configFile, JSON.stringify(config, null, 2), "utf-8");
+
+  // Add to .gitignore if it exists
+  const gitignorePath = path.join(projectRoot, ".gitignore");
+  let gitignoreExists = false;
+  try {
+    await fs.promises.access(gitignorePath);
+    gitignoreExists = true;
+  } catch {
+    // No .gitignore
+  }
+
+  if (gitignoreExists) {
+    const gitignore = await fs.promises.readFile(gitignorePath, "utf-8");
+    if (!gitignore.includes(".openreport/")) {
+      await fs.promises.appendFile(
+        gitignorePath,
+        "\n# OpenReport\n.openreport/\n",
+        "utf-8"
+      );
+      console.log(chalk.gray("Added .openreport/ to .gitignore"));
+    }
+  }
+
+  console.log(chalk.green("OpenReport initialized successfully!"));
+  console.log(chalk.gray(`Config: ${configFile}`));
+  console.log(chalk.gray(`Reports: ${reportsDir}`));
+  console.log();
+  console.log(
+    chalk.cyan("Set your API key as an environment variable:")
+  );
+  console.log(
+    chalk.white("  export ANTHROPIC_API_KEY=your-key-here")
+  );
+  console.log();
+  console.log(chalk.cyan("Then run:"));
+  console.log(chalk.white("  openreport"));
+}

package/src/commands/interactive.tsx

@@ -0,0 +1,29 @@
+import React from "react";
+import { render } from "ink";
+import { App } from "../app/App.js";
+import { loadConfig } from "../config/loader.js";
+import { createProviderRegistry } from "../config/providers.js";
+import { resolveProvider } from "../config/resolve-provider.js";
+
+export async function runInteractive(projectRoot: string) {
+  const config = await loadConfig({ projectRoot });
+  const registry = createProviderRegistry(config);
+  const { model, effectiveProvider, effectiveModel } = await resolveProvider(config, registry);
+
+  const effectiveConfig = {
+    ...config,
+    defaultProvider: effectiveProvider,
+    defaultModel: effectiveModel,
+  };
+
+  const { waitUntilExit } = render(
+    <App
+      projectRoot={projectRoot}
+      initialModel={model}
+      initialModelId={effectiveModel}
+      initialConfig={effectiveConfig}
+    />
+  );
+
+  await waitUntilExit();
+}

package/src/commands/list.ts

@@ -0,0 +1,53 @@
+import chalk from "chalk";
+import { listReports } from "../storage/report-store.js";
+import { formatDate, formatDuration, formatTokens } from "../utils/format.js";
+import { getGradeTerminalColor } from "../utils/grade-colors.js";
+
+const CHALK_COLORS: Record<string, (s: string) => string> = {
+  green: chalk.green,
+  cyan: chalk.cyan,
+  yellow: chalk.yellow,
+  red: chalk.red,
+  redBright: chalk.redBright,
+  white: chalk.white,
+};
+
+export interface ListOptions {
+  json?: boolean;
+  limit?: number;
+}
+
+export async function runList(projectRoot: string, options: ListOptions = {}) {
+  const limited = await listReports(projectRoot, options.limit || 50);
+
+  if (options.json) {
+    console.log(JSON.stringify(limited, null, 2));
+    return;
+  }
+
+  if (limited.length === 0) {
+    console.log(chalk.gray("No reports found."));
+    console.log(
+      chalk.gray('Run "openreport" to generate your first report.')
+    );
+    return;
+  }
+
+  console.log(chalk.bold(`Reports (${limited.length}):`));
+  console.log();
+
+  for (const report of limited) {
+    const colorName = getGradeTerminalColor(report.grade || "");
+    const gradeColor = CHALK_COLORS[colorName] || chalk.white;
+
+    const totalTokens = report.tokens.input + report.tokens.output;
+
+    console.log(
+      `  ${chalk.bold(report.id)} ${gradeColor(`[${report.grade || "?"}]`)} ${chalk.white(report.type)}`
+    );
+    console.log(
+      `    ${chalk.gray(formatDate(report.createdAt))} | ${chalk.gray(formatDuration(report.duration))} | ${chalk.gray(report.model)} | ${chalk.gray(formatTokens(totalTokens) + " tokens")}`
+    );
+    console.log();
+  }
+}