postquant 0.1.2 → 0.2.0

package/README.md

@@ -1,13 +1,11 @@
 # PostQuant
 
-**Find quantum-vulnerable cryptography in your TLS endpoints.**
+**Find quantum-vulnerable cryptography in your TLS endpoints and source code.**
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![npm version](https://img.shields.io/npm/v/postquant)](https://www.npmjs.com/package/postquant)
 
-PostQuant scans TLS connections and reports which algorithms are vulnerable to quantum attacks. It grades endpoints A+ through F and tells you what to migrate to.
-
-> **Early development.** The TLS scanner works. Code scanning and CBOM generation are planned.
+PostQuant scans TLS connections and source code, reports which algorithms are vulnerable to quantum attacks, grades them A+ through F, and tells you what to migrate to. Supports Python, JavaScript/TypeScript, Go, and Java.
 
 ## Why
 
@@ -38,8 +36,18 @@ Output:
 
 Most sites today score C+ or C. That's expected — almost nobody has deployed post-quantum cryptography yet.
 
+### Scan Source Code
+
+```bash
+npx postquant analyze ./src
+```
+
+Scans Python, JavaScript/TypeScript, Go, and Java files for quantum-vulnerable cryptographic patterns (RSA, ECDSA, ECDH, DH, DSA, MD5, SHA-1, DES/3DES, AES-128) and reports findings with migration recommendations.
+
 ## Usage
 
+### TLS Scanning
+
 ```bash
 # Scan a single host
 postquant scan example.com
@@ -60,6 +68,37 @@ postquant scan --file hosts.txt
 postquant scan example.com --timeout 5000
 ```
 
+### Code Scanning
+
+```bash
+# Scan a directory
+postquant analyze ./src
+
+# Scan a single file
+postquant analyze ./src/auth.py
+
+# Filter by language
+postquant analyze ./src --language python
+
+# JSON output
+postquant analyze ./src --format json
+
+# SARIF output (for GitHub Code Scanning)
+postquant analyze ./src --format sarif > results.sarif
+
+# CycloneDX CBOM output
+postquant analyze ./src --format cbom > cbom.json
+
+# Exclude directories
+postquant analyze . --ignore "vendor/**" --ignore "test/**"
+
+# Set fail threshold for CI
+postquant analyze ./src --fail-grade D
+
+# Show all findings including safe ones
+postquant analyze ./src --verbose
+```
+
 ## Grading
 
 | Grade | Meaning |
@@ -75,13 +114,24 @@ postquant scan example.com --timeout 5000
 
 +/- modifiers reflect classical crypto hygiene within each grade band.
 
+### GitHub Actions
+
+```yaml
+- run: npx postquant analyze . --format sarif > results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+    category: postquant
+```
+
 ## Development
 
 ```bash
 npm install        # Install dependencies
 npm run build      # Compile TypeScript
 npm test           # Run tests
-npm run dev -- scan example.com   # Run from source
+npm run dev -- scan example.com      # TLS scan from source
+npm run dev -- analyze ./src         # Code scan from source
 ```
 
 ## Roadmap
@@ -89,9 +139,9 @@ npm run dev -- scan example.com   # Run from source
 | Phase | Target | Status |
 |-------|--------|--------|
 | TLS scanner CLI | March 2026 | v0.1.0 |
-| Code scanner (Python, JS, Go, Java) | April 2026 | Planned |
-| CBOM generation + risk scoring | May 2026 | Planned |
-| Web dashboard | June 2026 | Planned |
+| Code scanner (Python, JS, Go, Java) | March 2026 | v0.2.0 |
+| Migration playbook engine | April 2026 | Planned |
+| Web dashboard | May 2026 | Planned |
 
 See [docs/ROADMAP.md](docs/ROADMAP.md) for details.
 

package/dist/commands/analyze.d.ts

@@ -0,0 +1,9 @@
+import type { AnalyzeOptions, Grade } from '../types/index.js';
+interface AnalyzeResult {
+    exitCode: number;
+    output: string;
+    grade: Grade | null;
+}
+export declare function analyzeCommand(targetPath: string, options: AnalyzeOptions): Promise<AnalyzeResult>;
+export {};
+//# sourceMappingURL=analyze.d.ts.map

package/dist/commands/analyze.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../../src/commands/analyze.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,cAAc,EAAyB,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAmBtF,UAAU,aAAa;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAgGxB"}

package/dist/commands/analyze.js

@@ -0,0 +1,119 @@
+import { stat } from 'node:fs/promises';
+import { join, resolve, basename, extname } from 'node:path';
+import chalk from 'chalk';
+import { discoverFiles } from '../scanner/code/discovery.js';
+import { matchFile } from '../scanner/code/matcher.js';
+import { classifyCodeFindings } from '../scanner/code/classifier.js';
+import { gradeCodeScan, shouldFailForCodeGrade } from '../scanner/code/grader.js';
+import { formatCodeTerminal } from '../output/terminal-code.js';
+import { formatCodeJson } from '../output/json-code.js';
+import { formatSarif } from '../output/sarif.js';
+import { formatCbom } from '../output/cbom.js';
+/** Extension → Language mapping (duplicated from discovery for single-file mode). */
+const EXTENSION_MAP = {
+    '.py': 'python',
+    '.pyw': 'python',
+    '.pyi': 'python',
+    '.js': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.jsx': 'javascript',
+    '.ts': 'javascript',
+    '.mts': 'javascript',
+    '.cts': 'javascript',
+    '.tsx': 'javascript',
+    '.go': 'go',
+    '.java': 'java',
+};
+export async function analyzeCommand(targetPath, options) {
+    const absPath = resolve(targetPath);
+    let fileStat;
+    try {
+        fileStat = await stat(absPath);
+    }
+    catch {
+        return {
+            exitCode: 1,
+            output: chalk.red(`Error: path does not exist: ${targetPath}`),
+            grade: null,
+        };
+    }
+    const startTime = Date.now();
+    const allFindings = [];
+    let filesScanned = 0;
+    if (fileStat.isFile()) {
+        // Single file mode
+        const ext = extname(absPath);
+        const lang = EXTENSION_MAP[ext];
+        if (lang && (!options.language || options.language === lang)) {
+            const findings = await matchFile(absPath, lang);
+            // Normalize file paths to be relative-ish (just the basename for single files)
+            for (const f of findings) {
+                f.file = basename(absPath);
+            }
+            allFindings.push(...findings);
+            filesScanned = 1;
+        }
+        else {
+            filesScanned = 1;
+        }
+    }
+    else {
+        // Directory mode
+        const discovered = await discoverFiles(absPath, {
+            ignore: options.ignore,
+            ignoreFile: options.ignoreFile,
+            maxFiles: options.maxFiles,
+            language: options.language,
+        });
+        filesScanned = discovered.length;
+        for (const file of discovered) {
+            const fullPath = join(absPath, file.path);
+            try {
+                const findings = await matchFile(fullPath, file.language);
+                // Normalize to relative path from scan root
+                for (const f of findings) {
+                    f.file = file.path;
+                }
+                allFindings.push(...findings);
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+    }
+    const durationMs = Date.now() - startTime;
+    const scanRoot = fileStat.isFile() ? absPath : absPath;
+    // Pipeline: classify → grade → format
+    const classified = classifyCodeFindings(allFindings, scanRoot, filesScanned, durationMs);
+    const graded = gradeCodeScan(classified);
+    // Format output
+    let output;
+    switch (options.format) {
+        case 'json':
+            output = formatCodeJson(graded);
+            break;
+        case 'sarif':
+            output = formatSarif(graded);
+            break;
+        case 'cbom':
+            output = formatCbom(graded);
+            break;
+        case 'terminal':
+        default:
+            output = formatCodeTerminal(graded, {
+                verbose: options.verbose,
+                noMigration: options.noMigration,
+            });
+            break;
+    }
+    // Determine exit code
+    const shouldFail = shouldFailForCodeGrade(graded.baseGrade, options.failGrade);
+    const exitCode = shouldFail ? 1 : 0;
+    return {
+        exitCode,
+        output,
+        grade: graded.grade,
+    };
+}
+//# sourceMappingURL=analyze.js.map

package/dist/commands/analyze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.js","sourceRoot":"","sources":["../../src/commands/analyze.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7D,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAClF,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAG/C,qFAAqF;AACrF,MAAM,aAAa,GAA6B;IAC9C,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,IAAI;IACX,OAAO,EAAE,MAAM;CAChB,CAAC;AAQF,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,UAAkB,EAClB,OAAuB;IAEvB,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEpC,IAAI,QAAQ,CAAC;IACb,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,+BAA+B,UAAU,EAAE,CAAC;YAC9D,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,WAAW,GAAkB,EAAE,CAAC;IACtC,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QACtB,mBAAmB;QACnB,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,IAAI,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,EAAE,CAAC;YAC7D,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAChD,+EAA+E;YAC/E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,CAAC,CAAC,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC7B,CAAC;YACD,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAC9B,YAAY,GAAG,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iBAAiB;QACjB,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE;YAC9C,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;QAEH,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC;QAEjC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC1D,4CAA4C;gBAC5C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,CAAC,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;gBACrB,CAAC;gBACD,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAEvD,sCAAsC;IACtC,MAAM,UAAU,GAAG,oBAAoB,CAAC,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,CAAC,CAAC;IACzF,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAEzC,gBAAgB;IAChB,IAAI,MAAc,CAAC;IACnB,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM;YACT,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;YAChC,MAAM;QACR,KAAK,OAAO;YACV,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;YAC7B,MAAM;QACR,KAAK,MAAM;YACT,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YAC5B,MAAM;QACR,KAAK,UAAU,CAAC;QAChB;YACE,MAAM,GAAG,kBAAkB,CAAC,MAAM,EAAE;gBAClC,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC,CAAC,CAAC;YACH,MAAM;IACV,CAAC;IAED,sBAAsB;IACtB,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/E,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpC,OAAO;QACL,QAAQ;QACR,MAAM;QACN,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC;AACJ,CAAC"}

package/dist/index.js

@@ -1,12 +1,15 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
 import { scanCommand } from './commands/scan.js';
+import { analyzeCommand } from './commands/analyze.js';
 const VALID_GRADES = ['A+', 'A', 'B', 'C', 'D', 'F'];
+const VALID_ANALYZE_FORMATS = ['terminal', 'json', 'sarif', 'cbom'];
+const VALID_LANGUAGES = ['python', 'javascript', 'go', 'java'];
 const program = new Command();
 program
     .name('postquant')
-    .description('Scan TLS endpoints for quantum-vulnerable cryptography')
-    .version('0.1.1');
+    .description('Scan TLS endpoints and source code for quantum-vulnerable cryptography')
+    .version('0.2.0');
 program
     .command('scan')
     .description('Scan one or more TLS endpoints for quantum readiness')
@@ -36,5 +39,45 @@ program
     });
     process.exit(exitCode);
 });
+program
+    .command('analyze')
+    .description('Scan source code for quantum-vulnerable cryptography')
+    .argument('<path>', 'Directory or file to scan')
+    .option('-f, --format <format>', 'Output format (terminal, json, sarif, cbom)', 'terminal')
+    .option('-l, --language <language>', 'Filter by language (python, javascript, go, java)')
+    .option('--fail-grade <grade>', 'Exit non-zero at this grade or worse', 'C')
+    .option('--ignore <patterns...>', 'Glob patterns to exclude')
+    .option('--ignore-file <path>', 'File with ignore patterns', '.postquantignore')
+    .option('--max-files <count>', 'Maximum files to scan', '10000')
+    .option('--verbose', 'Show all findings including safe ones', false)
+    .option('--no-migration', 'Hide migration recommendations')
+    .action(async (targetPath, opts) => {
+    const format = opts.format;
+    if (!VALID_ANALYZE_FORMATS.includes(format)) {
+        console.error(`Invalid format: ${format}. Use one of: ${VALID_ANALYZE_FORMATS.join(', ')}`);
+        process.exit(1);
+    }
+    if (opts.language && !VALID_LANGUAGES.includes(opts.language)) {
+        console.error(`Invalid language: ${opts.language}. Use one of: ${VALID_LANGUAGES.join(', ')}`);
+        process.exit(1);
+    }
+    const failGrade = opts.failGrade;
+    if (!VALID_GRADES.includes(failGrade)) {
+        console.error(`Invalid fail-grade: ${failGrade}. Use one of: ${VALID_GRADES.join(', ')}`);
+        process.exit(1);
+    }
+    const { exitCode, output } = await analyzeCommand(targetPath, {
+        format,
+        language: opts.language,
+        failGrade,
+        ignore: opts.ignore ?? [],
+        ignoreFile: opts.ignoreFile,
+        maxFiles: parseInt(opts.maxFiles, 10),
+        verbose: opts.verbose,
+        noMigration: !opts.migration,
+    });
+    console.log(output);
+    process.exit(exitCode);
+});
 program.parse();
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAGjD,MAAM,YAAY,GAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAElE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,wDAAwD,CAAC;KACrE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,sDAAsD,CAAC;KACnE,QAAQ,CAAC,YAAY,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,uBAAuB,EAAE,gCAAgC,EAAE,UAAU,CAAC;KAC7E,MAAM,CAAC,eAAe,EAAE,qCAAqC,CAAC;KAC9D,MAAM,CAAC,gBAAgB,EAAE,oCAAoC,EAAE,OAAO,CAAC;KACvE,MAAM,CAAC,WAAW,EAAE,gCAAgC,EAAE,KAAK,CAAC;KAC5D,MAAM,CACL,sBAAsB,EACtB,sCAAsC,EACtC,GAAG,CACJ;KACA,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAI,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAsB,CAAC;IAC3C,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/C,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,6BAA6B,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAsB,CAAC;IAC9C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CACX,uBAAuB,SAAS,iBAAiB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3E,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS;QACT,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC,CAAC;IAEH,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAGvD,MAAM,YAAY,GAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAClE,MAAM,qBAAqB,GAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAC3F,MAAM,eAAe,GAAe,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;AAE3E,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,wEAAwE,CAAC;KACrF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,sDAAsD,CAAC;KACnE,QAAQ,CAAC,YAAY,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,uBAAuB,EAAE,gCAAgC,EAAE,UAAU,CAAC;KAC7E,MAAM,CAAC,eAAe,EAAE,qCAAqC,CAAC;KAC9D,MAAM,CAAC,gBAAgB,EAAE,oCAAoC,EAAE,OAAO,CAAC;KACvE,MAAM,CAAC,WAAW,EAAE,gCAAgC,EAAE,KAAK,CAAC;KAC5D,MAAM,CACL,sBAAsB,EACtB,sCAAsC,EACtC,GAAG,CACJ;KACA,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAI,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAsB,CAAC;IAC3C,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/C,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,6BAA6B,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAsB,CAAC;IAC9C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CACX,uBAAuB,SAAS,iBAAiB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3E,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS;QACT,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC,CAAC;IAEH,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sDAAsD,CAAC;KACnE,QAAQ,CAAC,QAAQ,EAAE,2BAA2B,CAAC;KAC/C,MAAM,CAAC,uBAAuB,EAAE,6CAA6C,EAAE,UAAU,CAAC;KAC1F,MAAM,CAAC,2BAA2B,EAAE,mDAAmD,CAAC;KACxF,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,EAAE,GAAG,CAAC;KAC3E,MAAM,CAAC,wBAAwB,EAAE,0BAA0B,CAAC;KAC5D,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,kBAAkB,CAAC;KAC/E,MAAM,CAAC,qBAAqB,EAAE,uBAAuB,EAAE,OAAO,CAAC;KAC/D,MAAM,CAAC,WAAW,EAAE,uCAAuC,EAAE,KAAK,CAAC;KACnE,MAAM,CAAC,gBAAgB,EAAE,gCAAgC,CAAC;KAC1D,MAAM,CAAC,KAAK,EAAE,UAAkB,EAAE,IAAI,EAAE,EAAE;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,MAA6B,CAAC;IAClD,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5C,OAAO,CAAC,KAAK,CACX,mBAAmB,MAAM,iBAAiB,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAoB,CAAC,EAAE,CAAC;QAC1E,OAAO,CAAC,KAAK,CACX,qBAAqB,IAAI,CAAC,QAAQ,iBAAiB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAsB,CAAC;IAC9C,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,KAAK,CACX,uBAAuB,SAAS,iBAAiB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3E,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,UAAU,EAAE;QAC5D,MAAM;QACN,QAAQ,EAAE,IAAI,CAAC,QAAgC;QAC/C,SAAS;QACT,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;QACzB,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,CAAC,IAAI,CAAC,SAAS;KAC7B,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpB,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/output/cbom.d.ts

@@ -0,0 +1,3 @@
+import type { CodeGradedResult } from '../types/index.js';
+export declare function formatCbom(result: CodeGradedResult): string;
+//# sourceMappingURL=cbom.d.ts.map

package/dist/output/cbom.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cbom.d.ts","sourceRoot":"","sources":["../../src/output/cbom.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAA+B,MAAM,mBAAmB,CAAC;AA0EvF,wBAAgB,UAAU,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAiF3D"}

package/dist/output/cbom.js

@@ -0,0 +1,235 @@
+import { randomUUID } from 'node:crypto';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+function getVersion() {
+    try {
+        const __dirname = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8'));
+        return pkg.version;
+    }
+    catch {
+        return '0.1.1';
+    }
+}
+// --- Category → CycloneDX primitive mapping (Section 7.3) ---
+function categoryToPrimitive(category) {
+    switch (category) {
+        case 'asymmetric-encryption':
+            return 'pke';
+        case 'digital-signature':
+            return 'signature';
+        case 'key-exchange':
+            return 'kex';
+        case 'weak-symmetric':
+        case 'safe-symmetric':
+        case 'broken-cipher':
+            return 'ae';
+        case 'weak-hash':
+        case 'safe-hash':
+            return 'hash';
+        case 'pqc-algorithm':
+            return 'kem'; // default for PQC; could vary by algorithm
+    }
+}
+// --- NIST Quantum Security Level mapping (Section 7.4) ---
+function nistQuantumSecurityLevel(finding) {
+    // Level 0: broken by quantum computer (all critical asymmetric, weak-hash, broken-cipher)
+    if (finding.risk === 'critical')
+        return 0;
+    // Level 5: AES-256, SHA-384, SHA-512, SHA-3, ChaCha20
+    const algoUpper = finding.algorithm.toUpperCase();
+    if (algoUpper.includes('AES-256') ||
+        algoUpper.includes('SHA-384') ||
+        algoUpper.includes('SHA-512') ||
+        algoUpper.includes('SHA3') ||
+        algoUpper.includes('SHA-3') ||
+        algoUpper.includes('CHACHA20')) {
+        return 5;
+    }
+    // Moderate (AES-128): effectively ~level 1 post-Grover
+    if (algoUpper.includes('AES-128'))
+        return 1;
+    // PQC algorithms
+    if (finding.category === 'pqc-algorithm') {
+        if (algoUpper.includes('512') || algoUpper.includes('-44'))
+            return 1;
+        if (algoUpper.includes('768') || algoUpper.includes('-65'))
+            return 3;
+        if (algoUpper.includes('1024') || algoUpper.includes('-87'))
+            return 5;
+        return 3; // default PQC
+    }
+    // Safe hash/symmetric defaults
+    if (finding.risk === 'safe')
+        return 5;
+    return 0;
+}
+// --- Public API ---
+export function formatCbom(result) {
+    // Group findings by algorithm name
+    const byAlgorithm = new Map();
+    for (const f of result.findings) {
+        const list = byAlgorithm.get(f.algorithm) ?? [];
+        list.push(f);
+        byAlgorithm.set(f.algorithm, list);
+    }
+    // Build components
+    const components = [];
+    const componentRefs = [];
+    for (const [algorithm, findings] of byAlgorithm) {
+        const ref = randomUUID();
+        componentRefs.push(ref);
+        const representative = findings[0];
+        const occurrences = findings.map((f) => ({
+            location: f.file,
+            line: f.line,
+            additionalContext: f.matchedLine,
+        }));
+        components.push({
+            type: 'cryptographic-asset',
+            name: algorithm,
+            'bom-ref': ref,
+            evidence: { occurrences },
+            cryptoProperties: {
+                assetType: 'algorithm',
+                algorithmProperties: {
+                    primitive: categoryToPrimitive(representative.category),
+                    parameterSetIdentifier: extractParameterSet(representative),
+                    cryptoFunctions: inferCryptoFunctions(representative),
+                    classicalSecurityLevel: classicalSecurityLevel(representative),
+                    nistQuantumSecurityLevel: nistQuantumSecurityLevel(representative),
+                },
+            },
+        });
+    }
+    const cbom = {
+        bomFormat: 'CycloneDX',
+        specVersion: '1.6',
+        version: 1,
+        serialNumber: `urn:uuid:${randomUUID()}`,
+        metadata: {
+            timestamp: new Date().toISOString(),
+            tools: {
+                components: [
+                    {
+                        type: 'application',
+                        name: 'postquant',
+                        version: getVersion(),
+                        description: 'Quantum readiness scanner',
+                        externalReferences: [
+                            {
+                                type: 'website',
+                                url: 'https://postquant.dev',
+                            },
+                        ],
+                    },
+                ],
+            },
+            component: {
+                type: 'application',
+                name: extractProjectName(result.scanRoot),
+                'bom-ref': 'scanned-project',
+            },
+        },
+        components,
+        dependencies: [
+            {
+                ref: 'scanned-project',
+                dependsOn: componentRefs,
+            },
+        ],
+    };
+    return JSON.stringify(cbom, null, 2);
+}
+// --- Helpers ---
+function extractProjectName(scanRoot) {
+    const parts = scanRoot.split('/').filter(Boolean);
+    return parts[parts.length - 1] || 'unknown-project';
+}
+function extractParameterSet(finding) {
+    if (finding.keySize)
+        return String(finding.keySize);
+    // Try to pull numbers from algorithm name (e.g., "RSA-2048" → "2048")
+    const match = finding.algorithm.match(/(\d+)/);
+    return match ? match[1] : '';
+}
+function inferCryptoFunctions(finding) {
+    const id = finding.patternId.toLowerCase();
+    if (id.includes('keygen') || id.includes('generate'))
+        return ['keygen'];
+    if (id.includes('sign'))
+        return ['sign', 'verify'];
+    if (id.includes('encrypt') || id.includes('cipher'))
+        return ['encrypt', 'decrypt'];
+    if (id.includes('exchange') || id.includes('dh') || id.includes('ecdh'))
+        return ['keyexchange'];
+    if (id.includes('hash') || id.includes('md5') || id.includes('sha'))
+        return ['digest'];
+    // Default based on category
+    switch (finding.category) {
+        case 'asymmetric-encryption':
+            return ['keygen', 'encrypt', 'decrypt'];
+        case 'digital-signature':
+            return ['sign', 'verify'];
+        case 'key-exchange':
+            return ['keyexchange'];
+        case 'weak-hash':
+        case 'safe-hash':
+            return ['digest'];
+        case 'weak-symmetric':
+        case 'safe-symmetric':
+        case 'broken-cipher':
+            return ['encrypt', 'decrypt'];
+        case 'pqc-algorithm':
+            return ['keygen'];
+        default:
+            return ['unknown'];
+    }
+}
+function classicalSecurityLevel(finding) {
+    const algoUpper = finding.algorithm.toUpperCase();
+    // RSA key sizes
+    if (algoUpper.includes('RSA')) {
+        if (algoUpper.includes('4096'))
+            return 140;
+        if (algoUpper.includes('3072'))
+            return 128;
+        if (algoUpper.includes('2048'))
+            return 112;
+        if (algoUpper.includes('1024'))
+            return 80;
+        return 112;
+    }
+    // ECC curves
+    if (algoUpper.includes('P-521') || algoUpper.includes('SECP521'))
+        return 256;
+    if (algoUpper.includes('P-384') || algoUpper.includes('SECP384'))
+        return 192;
+    if (algoUpper.includes('P-256') || algoUpper.includes('SECP256') || algoUpper.includes('ED25519') || algoUpper.includes('X25519'))
+        return 128;
+    // Symmetric
+    if (algoUpper.includes('AES-256') || algoUpper.includes('CHACHA20'))
+        return 256;
+    if (algoUpper.includes('AES-192'))
+        return 192;
+    if (algoUpper.includes('AES-128'))
+        return 128;
+    if (algoUpper.includes('3DES'))
+        return 112;
+    if (algoUpper.includes('DES'))
+        return 56;
+    // Hashes
+    if (algoUpper.includes('SHA-512') || algoUpper.includes('SHA3-512'))
+        return 256;
+    if (algoUpper.includes('SHA-384') || algoUpper.includes('SHA3-384'))
+        return 192;
+    if (algoUpper.includes('SHA-256') || algoUpper.includes('SHA3-256'))
+        return 128;
+    if (algoUpper.includes('SHA-1') || algoUpper === 'SHA1')
+        return 80;
+    if (algoUpper.includes('MD5'))
+        return 64;
+    return 0;
+}
+//# sourceMappingURL=cbom.js.map

package/dist/output/cbom.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cbom.js","sourceRoot":"","sources":["../../src/output/cbom.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CACnE,CAAC;QACF,OAAO,GAAG,CAAC,OAAO,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,+DAA+D;AAE/D,SAAS,mBAAmB,CAAC,QAAwB;IACnD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB;YAC1B,OAAO,KAAK,CAAC;QACf,KAAK,mBAAmB;YACtB,OAAO,WAAW,CAAC;QACrB,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC;QACf,KAAK,gBAAgB,CAAC;QACtB,KAAK,gBAAgB,CAAC;QACtB,KAAK,eAAe;YAClB,OAAO,IAAI,CAAC;QACd,KAAK,WAAW,CAAC;QACjB,KAAK,WAAW;YACd,OAAO,MAAM,CAAC;QAChB,KAAK,eAAe;YAClB,OAAO,KAAK,CAAC,CAAC,2CAA2C;IAC7D,CAAC;AACH,CAAC;AAED,4DAA4D;AAE5D,SAAS,wBAAwB,CAAC,OAAoB;IACpD,0FAA0F;IAC1F,IAAI,OAAO,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,CAAC,CAAC;IAE1C,sDAAsD;IACtD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IAClD,IACE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC7B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC1B,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC3B,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,EAC9B,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,uDAAuD;IACvD,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,CAAC,CAAC;IAE5C,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;QACzC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QACrE,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QACrE,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QACtE,OAAO,CAAC,CAAC,CAAC,cAAc;IAC1B,CAAC;IAED,+BAA+B;IAC/B,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC;IAEtC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,qBAAqB;AAErB,MAAM,UAAU,UAAU,CAAC,MAAwB;IACjD,mCAAmC;IACnC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,mBAAmB;IACnB,MAAM,UAAU,GAA8B,EAAE,CAAC;IACjD,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;QACzB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAExB,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACvC,QAAQ,EAAE,CAAC,CAAC,IAAI;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,iBAAiB,EAAE,CAAC,CAAC,WAAW;SACjC,CAAC,CAAC,CAAC;QAEJ,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,SAAS;YACf,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,EAAE,WAAW,EAAE;YACzB,gBAAgB,EAAE;gBAChB,SAAS,EAAE,WAAW;gBACtB,mBAAmB,EAAE;oBACnB,SAAS,EAAE,mBAAmB,CAAC,cAAc,CAAC,QAAQ,CAAC;oBACvD,sBAAsB,EAAE,mBAAmB,CAAC,cAAc,CAAC;oBAC3D,eAAe,EAAE,oBAAoB,CAAC,cAAc,CAAC;oBACrD,sBAAsB,EAAE,sBAAsB,CAAC,cAAc,CAAC;oBAC9D,wBAAwB,EAAE,wBAAwB,CAAC,cAAc,CAAC;iBACnE;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG;QACX,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,KAAK;QAClB,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,YAAY,UAAU,EAAE,EAAE;QACxC,QAAQ,EAAE;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE;gBACL,UAAU,EAAE;oBACV;wBACE,IAAI,EAAE,aAAa;wBACnB,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,UAAU,EAAE;wBACrB,WAAW,EAAE,2BAA2B;wBACxC,kBAAkB,EAAE;4BAClB;gCACE,IAAI,EAAE,SAAS;gCACf,GAAG,EAAE,uBAAuB;6BAC7B;yBACF;qBACF;iBACF;aACF;YACD,SAAS,EAAE;gBACT,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACzC,SAAS,EAAE,iBAAiB;aAC7B;SACF;QACD,UAAU;QACV,YAAY,EAAE;YACZ;gBACE,GAAG,EAAE,iBAAiB;gBACtB,SAAS,EAAE,aAAa;aACzB;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,kBAAkB;AAElB,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAClD,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,iBAAiB,CAAC;AACtD,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAoB;IAC/C,IAAI,OAAO,CAAC,OAAO;QAAE,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACpD,sEAAsE;IACtE,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAoB;IAChD,MAAM,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxE,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACnD,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACnF,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAChG,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvF,4BAA4B;IAC5B,QAAQ,OAAO,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,uBAAuB;YAC1B,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAC1C,KAAK,mBAAmB;YACtB,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC5B,KAAK,cAAc;YACjB,OAAO,CAAC,aAAa,CAAC,CAAC;QACzB,KAAK,WAAW,CAAC;QACjB,KAAK,WAAW;YACd,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpB,KAAK,gBAAgB,CAAC;QACtB,KAAK,gBAAgB,CAAC;QACtB,KAAK,eAAe;YAClB,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAChC,KAAK,eAAe;YAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpB;YACE,OAAO,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAoB;IAClD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IAClD,gBAAgB;IAChB,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,GAAG,CAAC;QAC3C,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,GAAG,CAAC;QAC3C,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,GAAG,CAAC;QAC3C,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,EAAE,CAAC;QAC1C,OAAO,GAAG,CAAC;IACb,CAAC;IACD,aAAa;IACb,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,CAAC;IAC7E,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,CAAC;IAC7E,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9I,YAAY;IACZ,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,GAAG,CAAC;IAChF,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9C,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9C,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,CAAC;IAC3C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACzC,SAAS;IACT,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,GAAG,CAAC;IAChF,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,GAAG,CAAC;IAChF,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,GAAG,CAAC;IAChF,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,KAAK,MAAM;QAAE,OAAO,EAAE,CAAC;IACnE,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACzC,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/output/json-code.d.ts

@@ -0,0 +1,3 @@
+import type { CodeGradedResult } from '../types/index.js';
+export declare function formatCodeJson(result: CodeGradedResult): string;
+//# sourceMappingURL=json-code.d.ts.map

package/dist/output/json-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-code.d.ts","sourceRoot":"","sources":["../../src/output/json-code.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAc1D,wBAAgB,cAAc,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAe/D"}

package/dist/output/json-code.js

@@ -0,0 +1,29 @@
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+function getVersion() {
+    try {
+        const __dirname = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8'));
+        return pkg.version;
+    }
+    catch {
+        return '0.1.1';
+    }
+}
+export function formatCodeJson(result) {
+    const output = {
+        version: getVersion(),
+        timestamp: new Date().toISOString(),
+        scanRoot: result.scanRoot,
+        grade: result.grade,
+        baseGrade: result.baseGrade,
+        modifier: result.modifier,
+        findings: result.findings,
+        summary: result.summary,
+        migrationNotes: result.migrationNotes,
+        fileBreakdown: result.fileBreakdown,
+    };
+    return JSON.stringify(output, null, 2);
+}
+//# sourceMappingURL=json-code.js.map

package/dist/output/json-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-code.js","sourceRoot":"","sources":["../../src/output/json-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CACnE,CAAC;QACF,OAAO,GAAG,CAAC,OAAO,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAwB;IACrD,MAAM,MAAM,GAAG;QACb,OAAO,EAAE,UAAU,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/output/sarif.d.ts

@@ -0,0 +1,3 @@
+import type { CodeGradedResult } from '../types/index.js';
+export declare function formatSarif(result: CodeGradedResult): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/output/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/output/sarif.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,gBAAgB,EAA0C,MAAM,mBAAmB,CAAC;AA+MlG,wBAAgB,WAAW,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CA0D5D"}