project-shield 1.1.5 → 2.0.0

package/dist/output/audit-fixit.d.ts

@@ -0,0 +1,34 @@
+import type { AuditFinding } from '../types/audit.js';
+export interface AuditFixitGuide {
+    id: string;
+    title: string;
+    severity: 'critical' | 'medium' | 'low';
+    description: string;
+    steps: string[];
+    command?: string;
+    references?: string[];
+}
+/**
+ * Get fix-it guide for a specific finding ID.
+ */
+export declare function getAuditFixitGuide(id: string): AuditFixitGuide | undefined;
+/**
+ * Get all fix-it guides for a list of findings.
+ * Pro: all guides. Free: first 3 only.
+ */
+export declare function getAuditFixitGuides(findings: AuditFinding[], options: {
+    isPro: boolean;
+}): AuditFixitGuide[];
+/**
+ * Format fix-it guides as JSON-compatible objects.
+ */
+export declare function formatAuditFixitJson(guides: AuditFixitGuide[], isPro: boolean): Array<{
+    id: string;
+    severity: string;
+    title: string;
+    description: string;
+    steps: string[];
+    command?: string;
+    references?: string[];
+}>;
+//# sourceMappingURL=audit-fixit.d.ts.map

package/dist/output/audit-fixit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-fixit.d.ts","sourceRoot":"","sources":["../../src/output/audit-fixit.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,UAAU,GAAG,QAAQ,GAAG,KAAK,CAAC;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAqOD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAE1E;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,YAAY,EAAE,EACxB,OAAO,EAAE;IAAE,KAAK,EAAE,OAAO,CAAA;CAAE,GAC1B,eAAe,EAAE,CAuBnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,eAAe,EAAE,EACzB,KAAK,EAAE,OAAO,GACb,KAAK,CAAC;IACP,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC,CAqBD"}

package/dist/output/audit-fixit.js

@@ -0,0 +1,267 @@
+"use strict";
+// ─── Audit Fix-it Guides (F008: 9 + F009: 7 = 16 items) ────
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuditFixitGuide = getAuditFixitGuide;
+exports.getAuditFixitGuides = getAuditFixitGuides;
+exports.formatAuditFixitJson = formatAuditFixitJson;
+// ─── F008 Environment Guides ────────────────────────────────
+const AUDIT_FIXIT_DB = {
+    'F008-01': {
+        id: 'F008-01',
+        title: 'ANTHROPIC_BASE_URL Pointing to Untrusted Host',
+        severity: 'critical',
+        description: 'CVE-2026-21852 — Attacker can intercept API calls and steal keys via modified base URL.',
+        steps: [
+            'Open .env and settings.json files in your project',
+            'Check for ANTHROPIC_BASE_URL entries',
+            'Remove the variable or set it to https://api.anthropic.com',
+            'Rotate your Anthropic API key immediately (the old one may be compromised)',
+            'Restart Claude Code to apply changes',
+        ],
+        command: '# Remove from .env\nsed -i "/ANTHROPIC_BASE_URL/d" .env\n\n# Or set to official URL\necho "ANTHROPIC_BASE_URL=https://api.anthropic.com" >> .env',
+        references: [
+            'https://docs.anthropic.com/en/api/getting-started',
+        ],
+    },
+    'F008-02': {
+        id: 'F008-02',
+        title: 'bypassPermissions Enabled',
+        severity: 'critical',
+        description: 'All permission prompts are automatically approved. Complete bypass of safety checks.',
+        steps: [
+            'Open the settings.json file shown in the finding',
+            'Set "bypassPermissions": false or remove the key entirely',
+            'Review any actions taken while bypass was enabled',
+            'Restart Claude Code',
+        ],
+        command: '# Fix in settings.json — set to false or remove\n# In .claude/settings.json:\n# "bypassPermissions": false',
+    },
+    'F008-03': {
+        id: 'F008-03',
+        title: 'CLAUDE.md Contains Injection Patterns',
+        severity: 'critical',
+        description: 'Prompt injection vector — attacker can inject commands via local config file.',
+        steps: [
+            'Open the CLAUDE.md file flagged in the finding',
+            'Search for suspicious patterns: "ignore previous instructions", "you are now", "secretly"',
+            'Remove or rewrite any directive that overrides safety behavior',
+            'If this file was committed by someone else, investigate the source',
+            'Consider adding CLAUDE.md to code review checklist',
+        ],
+        references: [
+            'https://owasp.org/www-project-top-10-for-large-language-model-applications/',
+        ],
+    },
+    'F008-04': {
+        id: 'F008-04',
+        title: '--dangerously-skip-permissions Usage Detected',
+        severity: 'critical',
+        description: 'This flag bypasses all permission checks. Real-world case: rm -rf / execution risk.',
+        steps: [
+            'Search for "dangerously-skip-permissions" in your Claude Code config files',
+            'Remove any references to this flag from settings.json, .env, and CLAUDE.md',
+            'Use proper permission configuration instead of bypassing',
+            'Review all operations performed while this flag was active',
+        ],
+        command: '# Search for the flag in your project\ngrep -r "dangerously.skip.permissions" .claude/ .env* CLAUDE.md',
+    },
+    'F008-05': {
+        id: 'F008-05',
+        title: 'disableBypassPermissionsMode Not Configured',
+        severity: 'medium',
+        description: 'Enterprise protection missing. No centralized policy prevents bypass mode activation.',
+        steps: [
+            'Open your global settings (~/.claude/settings.json)',
+            'Add managed-settings section with disableBypassPermissionsMode',
+            'This prevents any project from enabling bypass mode',
+        ],
+        command: '# Add to ~/.claude/settings.json:\n# {\n#   "managed-settings": {\n#     "disableBypassPermissionsMode": true\n#   }\n# }',
+    },
+    'F008-06': {
+        id: 'F008-06',
+        title: 'Excessive Tool Allowance',
+        severity: 'medium',
+        description: 'Wildcards or too many tools allowed without restriction. Principle of least privilege violation.',
+        steps: [
+            'Open the settings.json file flagged in the finding',
+            'Review the allowedTools list',
+            'Remove wildcard (*) entries',
+            'Restrict to only the tools your workflow actually needs',
+            'Consider using tool-specific matchers instead of broad allowances',
+        ],
+        command: '# Example: restrict to read-only tools\n# "allowedTools": ["Read", "Glob", "Grep"]',
+    },
+    'F008-07': {
+        id: 'F008-07',
+        title: 'Auto-Accept Permission Mode Active',
+        severity: 'medium',
+        description: 'Operations run without human review. Permission prompts are automatically accepted.',
+        steps: [
+            'Open the settings.json file flagged in the finding',
+            'Change permissionMode to "prompt" or remove it (default is prompt)',
+            'Restart Claude Code to apply',
+        ],
+        command: '# Remove permissionMode or set to prompt:\n# "permissionMode": "prompt"',
+    },
+    'F008-08': {
+        id: 'F008-08',
+        title: '.claude/ Directory Has Unsafe Permissions',
+        severity: 'low',
+        description: 'Other users can modify Claude Code configuration. Privilege escalation possible.',
+        steps: [
+            'Check current permissions: ls -la .claude/',
+            'Remove group and others write access',
+            'Ensure only the owner can modify the directory',
+        ],
+        command: 'chmod 700 .claude/',
+    },
+    'F008-09': {
+        id: 'F008-09',
+        title: 'Project-Level Settings Override Global Security',
+        severity: 'medium',
+        description: 'Project settings weaken global security. CVE-2025-59536 settings downgrade attack pattern.',
+        steps: [
+            'Compare project .claude/settings.json with global ~/.claude/settings.json',
+            'Ensure project does not enable bypassPermissions when global has it disabled',
+            'Ensure project does not set auto-accept when global uses prompt mode',
+            'Review project allowedTools against global restrictions',
+        ],
+    },
+    // ─── F009 Hooks Guides ──────────────────────────────────────
+    'F009-01': {
+        id: 'F009-01',
+        title: 'Network Request in Hook Command',
+        severity: 'critical',
+        description: 'Hook contains network tools (curl, wget, nc). Data exfiltration channel detected.',
+        steps: [
+            'Open the settings.json containing the hook',
+            'Identify the hook with network commands',
+            'Remove or replace with a local-only command',
+            'If network access is needed, use an explicit allowlist of URLs',
+        ],
+        command: '# Remove the suspicious hook from settings.json hooks section',
+    },
+    'F009-02': {
+        id: 'F009-02',
+        title: 'Data Exfiltration Pattern in Hook',
+        severity: 'critical',
+        description: 'CVE-2025-59536 — Hook contains data exfiltration patterns like /dev/tcp, base64 piping, DNS tunneling.',
+        steps: [
+            'Remove the hook immediately — this is a high-confidence malicious pattern',
+            'Check git blame to identify who added this hook',
+            'Rotate any API keys or secrets that may have been exfiltrated',
+            'Report the incident to your security team',
+        ],
+    },
+    'F009-03': {
+        id: 'F009-03',
+        title: 'Reverse Shell Pattern in Hook',
+        severity: 'critical',
+        description: 'Hook contains reverse shell pattern. Remote access backdoor detected.',
+        steps: [
+            'Remove the hook immediately — this is a confirmed backdoor pattern',
+            'Disconnect from the network if possible',
+            'Check for other compromised files in the project',
+            'Report to your security team and rotate all credentials',
+        ],
+    },
+    'F009-04': {
+        id: 'F009-04',
+        title: 'Destructive File Operation in Hook',
+        severity: 'medium',
+        description: 'Hook contains file deletion commands (rm -rf, shred). Data destruction risk.',
+        steps: [
+            'Review the hook — is the deletion intentional cleanup or malicious?',
+            'If cleanup: restrict the path to a specific temp directory',
+            'If suspicious: remove the hook entirely',
+            'Consider using safer alternatives (e.g., move to trash instead of delete)',
+        ],
+    },
+    'F009-05': {
+        id: 'F009-05',
+        title: 'Environment Variable Access in Hook',
+        severity: 'medium',
+        description: 'Hook reads environment variables. Credential collection risk (API keys, secrets).',
+        steps: [
+            'Review the hook — is the env var access needed?',
+            'Remove references to sensitive variables ($ANTHROPIC_API_KEY, $AWS_SECRET_ACCESS_KEY)',
+            'If env access is needed, restrict to specific non-sensitive variables',
+        ],
+    },
+    'F009-06': {
+        id: 'F009-06',
+        title: 'Hooks in Project-Level Settings',
+        severity: 'medium',
+        description: 'Hooks in project settings auto-execute on all collaborator machines. Lateral movement risk.',
+        steps: [
+            'Move hooks from project .claude/settings.json to user-level ~/.claude/settings.json',
+            'If project hooks are needed, document them in CLAUDE.md and get team approval',
+            'Add hook review to your code review checklist',
+        ],
+    },
+    'F009-07': {
+        id: 'F009-07',
+        title: 'Obfuscated Command in Hook',
+        severity: 'critical',
+        description: 'Hook contains obfuscated command (base64+eval). Detection evasion attempt.',
+        steps: [
+            'Remove the hook immediately — obfuscation in hooks is almost always malicious',
+            'Decode the obfuscated content to understand what it does',
+            'Report to your security team',
+            'Replace with plain-text equivalent if the functionality is legitimate',
+        ],
+        command: '# Decode base64 content to inspect:\necho "<base64-content>" | base64 -d',
+    },
+};
+/**
+ * Get fix-it guide for a specific finding ID.
+ */
+function getAuditFixitGuide(id) {
+    return AUDIT_FIXIT_DB[id];
+}
+/**
+ * Get all fix-it guides for a list of findings.
+ * Pro: all guides. Free: first 3 only.
+ */
+function getAuditFixitGuides(findings, options) {
+    const guides = [];
+    const seen = new Set();
+    // Sort: critical first, then medium, then low
+    const sorted = [...findings].sort((a, b) => {
+        const order = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        return order[a.severity] - order[b.severity];
+    });
+    for (const finding of sorted) {
+        if (seen.has(finding.id))
+            continue;
+        const guide = AUDIT_FIXIT_DB[finding.id];
+        if (guide) {
+            guides.push(guide);
+            seen.add(finding.id);
+        }
+    }
+    if (!options.isPro) {
+        return guides.slice(0, 3);
+    }
+    return guides;
+}
+/**
+ * Format fix-it guides as JSON-compatible objects.
+ */
+function formatAuditFixitJson(guides, isPro) {
+    return guides.map((g) => {
+        const base = {
+            id: g.id,
+            severity: g.severity,
+            title: g.title,
+            description: g.description,
+            steps: isPro ? g.steps : [g.steps[0]],
+        };
+        if (isPro && g.command)
+            base.command = g.command;
+        if (isPro && g.references)
+            base.references = g.references;
+        return base;
+    });
+}
+//# sourceMappingURL=audit-fixit.js.map

package/dist/output/audit-fixit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-fixit.js","sourceRoot":"","sources":["../../src/output/audit-fixit.ts"],"names":[],"mappings":";AAAA,8DAA8D;;AAoP9D,gDAEC;AAMD,kDA0BC;AAKD,oDAgCC;AA7SD,+DAA+D;AAE/D,MAAM,cAAc,GAAoC;IACtD,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yFAAyF;QACtG,KAAK,EAAE;YACL,mDAAmD;YACnD,sCAAsC;YACtC,4DAA4D;YAC5D,4EAA4E;YAC5E,sCAAsC;SACvC;QACD,OAAO,EAAE,kJAAkJ;QAC3J,UAAU,EAAE;YACV,mDAAmD;SACpD;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sFAAsF;QACnG,KAAK,EAAE;YACL,kDAAkD;YAClD,2DAA2D;YAC3D,mDAAmD;YACnD,qBAAqB;SACtB;QACD,OAAO,EAAE,4GAA4G;KACtH;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,uCAAuC;QAC9C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+EAA+E;QAC5F,KAAK,EAAE;YACL,gDAAgD;YAChD,2FAA2F;YAC3F,gEAAgE;YAChE,oEAAoE;YACpE,oDAAoD;SACrD;QACD,UAAU,EAAE;YACV,6EAA6E;SAC9E;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qFAAqF;QAClG,KAAK,EAAE;YACL,4EAA4E;YAC5E,4EAA4E;YAC5E,0DAA0D;YAC1D,4DAA4D;SAC7D;QACD,OAAO,EAAE,wGAAwG;KAClH;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,6CAA6C;QACpD,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,uFAAuF;QACpG,KAAK,EAAE;YACL,qDAAqD;YACrD,gEAAgE;YAChE,qDAAqD;SACtD;QACD,OAAO,EAAE,2HAA2H;KACrI;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,0BAA0B;QACjC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,kGAAkG;QAC/G,KAAK,EAAE;YACL,oDAAoD;YACpD,8BAA8B;YAC9B,6BAA6B;YAC7B,yDAAyD;YACzD,mEAAmE;SACpE;QACD,OAAO,EAAE,oFAAoF;KAC9F;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,oCAAoC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,qFAAqF;QAClG,KAAK,EAAE;YACL,oDAAoD;YACpD,oEAAoE;YACpE,8BAA8B;SAC/B;QACD,OAAO,EAAE,yEAAyE;KACnF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,2CAA2C;QAClD,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,kFAAkF;QAC/F,KAAK,EAAE;YACL,4CAA4C;YAC5C,sCAAsC;YACtC,gDAAgD;SACjD;QACD,OAAO,EAAE,oBAAoB;KAC9B;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,iDAAiD;QACxD,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4FAA4F;QACzG,KAAK,EAAE;YACL,2EAA2E;YAC3E,8EAA8E;YAC9E,sEAAsE;YACtE,yDAAyD;SAC1D;KACF;IAED,+DAA+D;IAE/D,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mFAAmF;QAChG,KAAK,EAAE;YACL,4CAA4C;YAC5C,yCAAyC;YACzC,6CAA6C;YAC7C,gEAAgE;SACjE;QACD,OAAO,EAAE,+DAA+D;KACzE;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wGAAwG;QACrH,KAAK,EAAE;YACL,2EAA2E;YAC3E,iDAAiD;YACjD,+DAA+D;YAC/D,2CAA2C;SAC5C;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uEAAuE;QACpF,KAAK,EAAE;YACL,oEAAoE;YACpE,yCAAyC;YACzC,kDAAkD;YAClD,yDAAyD;SAC1D;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,oCAAoC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8EAA8E;QAC3F,KAAK,EAAE;YACL,qEAAqE;YACrE,4DAA4D;YAC5D,yCAAyC;YACzC,2EAA2E;SAC5E;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mFAAmF;QAChG,KAAK,EAAE;YACL,iDAAiD;YACjD,uFAAuF;YACvF,uEAAuE;SACxE;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,6FAA6F;QAC1G,KAAK,EAAE;YACL,qFAAqF;YACrF,+EAA+E;YAC/E,+CAA+C;SAChD;KACF;IAED,SAAS,EAAE;QACT,EAAE,EAAE,SAAS;QACb,KAAK,EAAE,4BAA4B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4EAA4E;QACzF,KAAK,EAAE;YACL,+EAA+E;YAC/E,0DAA0D;YAC1D,8BAA8B;YAC9B,uEAAuE;SACxE;QACD,OAAO,EAAE,0EAA0E;KACpF;CACF,CAAC;AAEF;;GAEG;AACH,SAAgB,kBAAkB,CAAC,EAAU;IAC3C,OAAO,cAAc,CAAC,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CACjC,QAAwB,EACxB,OAA2B;IAE3B,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,8CAA8C;IAC9C,MAAM,MAAM,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACzC,MAAM,KAAK,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAAE,SAAS;QACnC,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACzC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnB,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAClC,MAAyB,EACzB,KAAc;IAUd,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACtB,MAAM,IAAI,GAQN;YACF,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACtC,CAAC;QACF,IAAI,KAAK,IAAI,CAAC,CAAC,OAAO;YAAE,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;QACjD,IAAI,KAAK,IAAI,CAAC,CAAC,UAAU;YAAE,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/output/audit-terminal.d.ts

@@ -0,0 +1,15 @@
+import type { AuditResult } from '../types/audit.js';
+import type { FeatureGate } from '../license/types.js';
+/**
+ * Format audit result as PRD box-style terminal output.
+ */
+export declare function formatAuditTerminal(result: AuditResult, gate: FeatureGate, options: {
+    fix: boolean;
+}): string;
+/**
+ * Format audit result as JSON output.
+ */
+export declare function formatAuditJson(result: AuditResult, gate: FeatureGate, options: {
+    fix: boolean;
+}): string;
+//# sourceMappingURL=audit-terminal.d.ts.map

package/dist/output/audit-terminal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-terminal.d.ts","sourceRoot":"","sources":["../../src/output/audit-terminal.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAgB,MAAM,mBAAmB,CAAC;AACnE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAkEvD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,WAAW,EACjB,OAAO,EAAE;IAAE,GAAG,EAAE,OAAO,CAAA;CAAE,GACxB,MAAM,CAmIR;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,WAAW,EACjB,OAAO,EAAE;IAAE,GAAG,EAAE,OAAO,CAAA;CAAE,GACxB,MAAM,CAUR"}

package/dist/output/audit-terminal.js

@@ -0,0 +1,200 @@
+"use strict";
+// ─── Audit Terminal Output (PRD box format) ─────────────────
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatAuditTerminal = formatAuditTerminal;
+exports.formatAuditJson = formatAuditJson;
+const audit_fixit_js_1 = require("./audit-fixit.js");
+const c = {
+    red: (s) => `\x1b[31m${s}\x1b[0m`,
+    yellow: (s) => `\x1b[33m${s}\x1b[0m`,
+    green: (s) => `\x1b[32m${s}\x1b[0m`,
+    cyan: (s) => `\x1b[36m${s}\x1b[0m`,
+    bold: (s) => `\x1b[1m${s}\x1b[0m`,
+    dim: (s) => `\x1b[2m${s}\x1b[0m`,
+};
+const W = 53; // inner width of box
+function pad(text, width) {
+    // strip ANSI for length calc
+    const stripped = text.replace(/\x1b\[[0-9;]*m/g, '');
+    const diff = width - stripped.length;
+    return diff > 0 ? text + ' '.repeat(diff) : text;
+}
+function boxTop() {
+    return '\u2554' + '\u2550'.repeat(W) + '\u2557';
+}
+function boxMid() {
+    return '\u2560' + '\u2550'.repeat(W) + '\u2563';
+}
+function boxBot() {
+    return '\u255A' + '\u2550'.repeat(W) + '\u255D';
+}
+function boxLine(text) {
+    return '\u2551  ' + pad(text, W - 4) + '  \u2551';
+}
+function severityIcon(severity) {
+    switch (severity) {
+        case 'critical': return c.red('\u{1F534}');
+        case 'high': return c.red('\u{1F534}');
+        case 'medium': return c.yellow('\u{1F7E1}');
+        case 'low': return c.cyan('\u{1F535}');
+        case 'info': return c.dim('\u2139\uFE0F');
+        default: return '';
+    }
+}
+function severityLabel(severity) {
+    switch (severity) {
+        case 'critical': return c.red('CRITICAL');
+        case 'high': return c.red('HIGH');
+        case 'medium': return c.yellow('WARNING');
+        case 'low': return c.cyan('INFO');
+        case 'info': return c.dim('INFO');
+        default: return severity.toUpperCase();
+    }
+}
+function gradeColor(grade) {
+    if (grade === 'A' || grade === 'B')
+        return c.green;
+    if (grade === 'C')
+        return c.yellow;
+    return c.red;
+}
+function formatFindingLine(finding) {
+    return `${severityIcon(finding.severity)} ${severityLabel(finding.severity)}: ${finding.title}`;
+}
+/**
+ * Format audit result as PRD box-style terminal output.
+ */
+function formatAuditTerminal(result, gate, options) {
+    const lines = [];
+    const isPro = gate.isPro;
+    // Header
+    const headerLabel = isPro
+        ? `Claude Code Environment Audit              ${c.green('[Pro]')}`
+        : 'Claude Code Environment Audit';
+    lines.push(boxTop());
+    lines.push(boxLine(c.bold(headerLabel)));
+    lines.push(boxMid());
+    // Environment findings (F008)
+    const envFindings = result.environment;
+    const hookFindings = result.hooks;
+    if (envFindings.length === 0 && hookFindings.length === 0 && result.summary.total === 0) {
+        lines.push(boxLine(c.green('\u2705 No security issues detected')));
+    }
+    else {
+        // Environment findings
+        for (const f of envFindings) {
+            lines.push(boxLine(formatFindingLine(f)));
+        }
+        // Pass indicators for free checks with no findings
+        if (!isPro) {
+            const freeIds = ['F008-01', 'F008-02', 'F008-03'];
+            const foundFreeIds = new Set(envFindings.map((f) => f.id));
+            for (const id of freeIds) {
+                if (!foundFreeIds.has(id)) {
+                    const passLabel = id === 'F008-01' ? 'No ANTHROPIC_BASE_URL issues'
+                        : id === 'F008-02' ? 'bypassPermissions not enabled'
+                            : 'No CLAUDE.md injection patterns';
+                    lines.push(boxLine(`${c.green('\u2705')} PASS:     ${passLabel}`));
+                }
+            }
+        }
+        // Hooks section (Pro only)
+        if (isPro && hookFindings.length > 0) {
+            lines.push(boxLine(c.dim('\u2500\u2500 Hooks Analysis ' + '\u2500'.repeat(30))));
+            for (const f of hookFindings) {
+                lines.push(boxLine(formatFindingLine(f)));
+            }
+        }
+        else if (isPro && hookFindings.length === 0) {
+            lines.push(boxLine(c.dim('\u2500\u2500 Hooks Analysis ' + '\u2500'.repeat(30))));
+            lines.push(boxLine(`${c.green('\u2705')} PASS:     No malicious hook patterns detected`));
+        }
+    }
+    // Score section
+    lines.push(boxMid());
+    const gc = gradeColor(result.score.grade);
+    lines.push(boxLine(`Environment Score: ${gc(result.score.grade)} (${result.score.total}/100)`));
+    // Action line
+    if (result.summary.critical > 0 || result.summary.medium > 0) {
+        const parts = [];
+        if (result.summary.critical > 0)
+            parts.push(`${result.summary.critical} critical`);
+        const warnings = result.summary.medium + result.summary.low;
+        if (warnings > 0)
+            parts.push(`${warnings} warning`);
+        lines.push(boxLine(c.yellow(`\u26A0\uFE0F  Fix ${parts.join(' + ')} issues`)));
+    }
+    // Free tier upsell
+    if (!isPro && result.summary.proOnly > 0) {
+        lines.push(boxLine(c.yellow(`\u26A0\uFE0F  ${result.summary.proOnly} additional issues found \u2014 upgrade to Pro`)));
+    }
+    lines.push(boxBot());
+    // Fix-it guides below the box
+    if (options.fix) {
+        const allFindings = [...result.environment, ...result.hooks];
+        const guides = (0, audit_fixit_js_1.getAuditFixitGuides)(allFindings, { isPro });
+        if (guides.length > 0) {
+            lines.push('');
+            lines.push(c.bold('\u2501\u2501\u2501 Fix-it Guide \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501'));
+            lines.push('');
+            for (const guide of guides) {
+                const icon = guide.severity === 'critical' ? c.red('CRITICAL') : c.yellow('WARNING');
+                lines.push(`  ${icon}  ${c.bold(guide.title)}`);
+                lines.push(`   ${c.dim(guide.description)}`);
+                if (isPro) {
+                    for (let i = 0; i < guide.steps.length; i++) {
+                        lines.push(`   ${i + 1}. ${guide.steps[i]}`);
+                    }
+                    if (guide.command) {
+                        lines.push('');
+                        lines.push(c.dim('   Command:'));
+                        for (const cmdLine of guide.command.split('\n')) {
+                            lines.push(`   ${c.cyan(cmdLine)}`);
+                        }
+                    }
+                    if (guide.references && guide.references.length > 0) {
+                        lines.push(c.dim('   References:'));
+                        for (const ref of guide.references) {
+                            lines.push(`   - ${ref}`);
+                        }
+                    }
+                }
+                else {
+                    lines.push(`   1. ${guide.steps[0]}`);
+                    if (guide.steps.length > 1) {
+                        lines.push(c.dim(`   ... ${guide.steps.length - 1} more steps (Pro)`));
+                    }
+                }
+                lines.push('');
+            }
+            if (!isPro) {
+                const total = (0, audit_fixit_js_1.getAuditFixitGuides)(allFindings, { isPro: true }).length;
+                if (total > guides.length) {
+                    lines.push(c.dim(`  Showing ${guides.length} of ${total} guides. Upgrade to Pro for all guides.`));
+                    lines.push('');
+                }
+            }
+        }
+    }
+    // Upgrade prompt
+    if (!isPro && !options.fix && result.summary.proOnly > 0) {
+        lines.push('');
+        lines.push(c.yellow('  Upgrade to Pro for full audit + hooks analysis + fix-it guides'));
+        lines.push(c.yellow('  https://shield.codemeant.dev/#pricing'));
+        lines.push('');
+    }
+    return lines.join('\n');
+}
+/**
+ * Format audit result as JSON output.
+ */
+function formatAuditJson(result, gate, options) {
+    const output = { ...result };
+    if (options.fix) {
+        const allFindings = [...result.environment, ...result.hooks];
+        const guides = (0, audit_fixit_js_1.getAuditFixitGuides)(allFindings, { isPro: gate.isPro });
+        output.fixit = (0, audit_fixit_js_1.formatAuditFixitJson)(guides, gate.isPro);
+    }
+    return JSON.stringify(output, null, 2);
+}
+//# sourceMappingURL=audit-terminal.js.map

package/dist/output/audit-terminal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-terminal.js","sourceRoot":"","sources":["../../src/output/audit-terminal.ts"],"names":[],"mappings":";AAAA,+DAA+D;;AAwE/D,kDAuIC;AAKD,0CAcC;AA9ND,qDAA6E;AAE7E,MAAM,CAAC,GAAG;IACR,GAAG,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IACzC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC5C,KAAK,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC3C,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC1C,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS;IACzC,GAAG,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS;CACzC,CAAC;AAEF,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,qBAAqB;AAEnC,SAAS,GAAG,CAAC,IAAY,EAAE,KAAa;IACtC,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC;IACrC,OAAO,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACnD,CAAC;AAED,SAAS,MAAM;IACb,OAAO,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;AAClD,CAAC;AACD,SAAS,MAAM;IACb,OAAO,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;AAClD,CAAC;AACD,SAAS,MAAM;IACb,OAAO,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;AAClD,CAAC;AACD,SAAS,OAAO,CAAC,IAAY;IAC3B,OAAO,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,UAAU,CAAC;AACpD,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3C,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvC,KAAK,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC5C,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvC,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC1C,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC;IACrB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1C,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1C,KAAK,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClC,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC;IACzC,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,CAAC,CAAC,KAAK,CAAC;IACnD,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC;IACnC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAqB;IAC9C,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;AAClG,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CACjC,MAAmB,EACnB,IAAiB,EACjB,OAAyB;IAEzB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAEzB,SAAS;IACT,MAAM,WAAW,GAAG,KAAK;QACvB,CAAC,CAAC,8CAA8C,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE;QAClE,CAAC,CAAC,+BAA+B,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACrB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAErB,8BAA8B;IAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACvC,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;IAElC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,KAAK,CAAC,EAAE,CAAC;QACxF,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,uBAAuB;QACvB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC;QAED,mDAAmD;QACnD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;YAClD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC3D,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;gBACzB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC1B,MAAM,SAAS,GAAG,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,8BAA8B;wBACjE,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,+BAA+B;4BACpD,CAAC,CAAC,iCAAiC,CAAC;oBACtC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC,CAAC;gBACrE,CAAC;YACH,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,KAAK,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,8BAA8B,GAAG,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;gBAC7B,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,8BAA8B,GAAG,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,gDAAgD,CAAC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACrB,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC;IAEhG,cAAc;IACd,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,WAAW,CAAC,CAAC;QACnF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;QAC5D,IAAI,QAAQ,GAAG,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,UAAU,CAAC,CAAC;QACpD,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,qBAAqB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACjF,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,MAAM,CAAC,OAAO,CAAC,OAAO,gDAAgD,CAAC,CAAC,CAAC,CAAC;IACzH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAErB,8BAA8B;IAC9B,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,oCAAmB,EAAC,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAE3D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,8LAA8L,CAAC,CAAC,CAAC;YACnN,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAEf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACrF,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;gBAChD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBAE7C,IAAI,KAAK,EAAE,CAAC;oBACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBAC5C,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC/C,CAAC;oBACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;wBAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;wBACjC,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;4BAChD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;wBACtC,CAAC;oBACH,CAAC;oBACD,IAAI,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACpD,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;wBACpC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;4BACnC,KAAK,CAAC,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACtC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC3B,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC;oBACzE,CAAC;gBACH,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjB,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,KAAK,GAAG,IAAA,oCAAmB,EAAC,WAAW,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACvE,IAAI,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;oBAC1B,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,OAAO,KAAK,yCAAyC,CAAC,CAAC,CAAC;oBACnG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;QACzD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,kEAAkE,CAAC,CAAC,CAAC;QACzF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,yCAAyC,CAAC,CAAC,CAAC;QAChE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAC7B,MAAmB,EACnB,IAAiB,EACjB,OAAyB;IAEzB,MAAM,MAAM,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;IAEtD,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,oCAAmB,EAAC,WAAW,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACvE,MAAM,CAAC,KAAK,GAAG,IAAA,qCAAoB,EAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/retention/expiry.d.ts

@@ -0,0 +1,13 @@
+export interface ExpiryCheck {
+    hasAudit: boolean;
+    isExpired: boolean;
+    daysSinceAudit: number;
+    lastAuditAt: string;
+    message?: string;
+}
+/**
+ * Check if the last audit for a project is stale (>7 days).
+ * Used by scan command to show retention warning.
+ */
+export declare function checkAuditExpiry(projectDir: string): ExpiryCheck;
+//# sourceMappingURL=expiry.d.ts.map

package/dist/retention/expiry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expiry.d.ts","sourceRoot":"","sources":["../../src/retention/expiry.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,OAAO,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,CA2BhE"}

package/dist/retention/expiry.js

@@ -0,0 +1,37 @@
+"use strict";
+// ─── Audit Expiry Detection ─────────────────────────────────
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkAuditExpiry = checkAuditExpiry;
+const storage_js_1 = require("./storage.js");
+const EXPIRY_DAYS = 7;
+const MS_PER_DAY = 24 * 60 * 60 * 1000;
+/**
+ * Check if the last audit for a project is stale (>7 days).
+ * Used by scan command to show retention warning.
+ */
+function checkAuditExpiry(projectDir) {
+    const state = (0, storage_js_1.readAuditState)(projectDir);
+    if (!state) {
+        return {
+            hasAudit: false,
+            isExpired: false,
+            daysSinceAudit: -1,
+            lastAuditAt: '',
+            message: 'No previous audit found. Run `project-shield audit` to check your Claude Code environment.',
+        };
+    }
+    const lastAudit = new Date(state.lastAuditAt).getTime();
+    const now = Date.now();
+    const daysSince = Math.floor((now - lastAudit) / MS_PER_DAY);
+    const isExpired = daysSince >= EXPIRY_DAYS;
+    return {
+        hasAudit: true,
+        isExpired,
+        daysSinceAudit: daysSince,
+        lastAuditAt: state.lastAuditAt,
+        message: isExpired
+            ? `Last audit: ${daysSince} days ago. Run \`project-shield audit\` for latest results.`
+            : undefined,
+    };
+}
+//# sourceMappingURL=expiry.js.map

package/dist/retention/expiry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expiry.js","sourceRoot":"","sources":["../../src/retention/expiry.ts"],"names":[],"mappings":";AAAA,+DAA+D;;AAmB/D,4CA2BC;AA5CD,6CAA8C;AAE9C,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAUvC;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,UAAkB;IACjD,MAAM,KAAK,GAAG,IAAA,2BAAc,EAAC,UAAU,CAAC,CAAC;IAEzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,KAAK;YAChB,cAAc,EAAE,CAAC,CAAC;YAClB,WAAW,EAAE,EAAE;YACf,OAAO,EAAE,4FAA4F;SACtG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,SAAS,CAAC,GAAG,UAAU,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,SAAS,IAAI,WAAW,CAAC;IAE3C,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,SAAS;QACT,cAAc,EAAE,SAAS;QACzB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,OAAO,EAAE,SAAS;YAChB,CAAC,CAAC,eAAe,SAAS,6DAA6D;YACvF,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC"}

package/dist/retention/hash-detect.d.ts

@@ -0,0 +1,12 @@
+export interface HashChangeResult {
+    hasChanged: boolean;
+    previousHash: string;
+    currentHash: string;
+    message?: string;
+}
+/**
+ * Compare stored settings hash with current hash.
+ * Returns change detection result.
+ */
+export declare function detectHashChange(projectDir: string, currentHash: string): HashChangeResult;
+//# sourceMappingURL=hash-detect.d.ts.map

package/dist/retention/hash-detect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-detect.d.ts","sourceRoot":"","sources":["../../src/retention/hash-detect.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,gBAAgB,CAqBlB"}