sapper-ai 0.3.0 → 0.4.0

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAWA,wBAAsB,MAAM,CAAC,IAAI,GAAE,MAAM,EAA0B,GAAG,OAAO,CAAC,MAAM,CAAC,CAiCpF"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAaA,wBAAsB,MAAM,CAAC,IAAI,GAAE,MAAM,EAA0B,GAAG,OAAO,CAAC,MAAM,CAAC,CAiCpF"}

package/dist/cli.js

@@ -33,6 +33,9 @@ var __importStar = (this && this.__importStar) || (function () {
         return result;
     };
 })();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runCli = runCli;
 const node_fs_1 = require("node:fs");
@@ -40,6 +43,7 @@ const node_child_process_1 = require("node:child_process");
 const node_os_1 = require("node:os");
 const node_path_1 = require("node:path");
 const readline = __importStar(require("node:readline"));
+const select_1 = __importDefault(require("@inquirer/select"));
 const presets_1 = require("./presets");
 const scan_1 = require("./scan");
 async function runCli(argv = process.argv.slice(2)) {
@@ -81,6 +85,9 @@ Usage:
   sapper-ai scan --system     AI system paths (~/.claude, ~/.cursor, ...)
   sapper-ai scan ./path       Scan a specific file/directory
   sapper-ai scan --fix        Quarantine blocked files
+  sapper-ai scan --ai         Deep scan with AI analysis (requires OPENAI_API_KEY)
+  sapper-ai scan --report     Generate HTML report and open in browser
+  sapper-ai scan --no-save    Skip saving scan results to ~/.sapperai/scans/
   sapper-ai init          Interactive setup wizard
   sapper-ai dashboard     Launch web dashboard
   sapper-ai --help        Show this help
@@ -93,6 +100,9 @@ function parseScanArgs(argv) {
     let fix = false;
     let deep = false;
     let system = false;
+    let ai = false;
+    let report = false;
+    let noSave = false;
     for (const arg of argv) {
         if (arg === '--fix') {
             fix = true;
@@ -106,12 +116,24 @@ function parseScanArgs(argv) {
             system = true;
             continue;
         }
+        if (arg === '--ai') {
+            ai = true;
+            continue;
+        }
+        if (arg === '--report') {
+            report = true;
+            continue;
+        }
+        if (arg === '--no-save') {
+            noSave = true;
+            continue;
+        }
         if (arg.startsWith('-')) {
             return null;
         }
         targets.push(arg);
     }
-    return { targets, fix, deep, system };
+    return { targets, fix, deep, system, ai, report, noSave };
 }
 function displayPath(path) {
     const home = (0, node_os_1.homedir)();
@@ -120,60 +142,80 @@ function displayPath(path) {
     return path.startsWith(home + '/') ? `~/${path.slice(home.length + 1)}` : path;
 }
 async function promptScanScope(cwd) {
-    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    const ask = (q) => new Promise((res) => rl.question(q, res));
-    try {
-        console.log('\n  SapperAI Security Scanner\n');
-        console.log('  ? Scan scope:');
-        console.log(`  ❯ 1) Current directory only     ${displayPath(cwd)}`);
-        console.log(`    2) Current + subdirectories   ${displayPath((0, node_path_1.join)(cwd, '**'))}`);
-        console.log('    3) AI system scan              ~/.claude, ~/.cursor, ~/.vscode ...');
-        console.log();
-        const answer = await ask('  Choose [1-3] (default: 2): ');
-        const picked = Number.parseInt(answer.trim(), 10);
-        if (picked === 1)
-            return 'shallow';
-        if (picked === 3)
-            return 'system';
-        return 'deep';
-    }
-    finally {
-        rl.close();
-    }
+    const answer = await (0, select_1.default)({
+        message: 'Scan scope:',
+        choices: [
+            { name: `Current directory only     ${displayPath(cwd)}`, value: 'shallow' },
+            { name: `Current + subdirectories   ${displayPath((0, node_path_1.join)(cwd, '**'))}`, value: 'deep' },
+            {
+                name: 'AI system scan              ~/.claude, ~/.cursor, ~/.vscode ...',
+                value: 'system',
+            },
+        ],
+        default: 'deep',
+    });
+    return answer;
+}
+async function promptScanDepth() {
+    const answer = await (0, select_1.default)({
+        message: 'Scan depth:',
+        choices: [
+            { name: 'Quick scan (rules only)      Fast regex pattern matching', value: false },
+            {
+                name: 'Deep scan (rules + AI)       AI-powered analysis (requires OPENAI_API_KEY)',
+                value: true,
+            },
+        ],
+        default: false,
+    });
+    return answer;
 }
 async function resolveScanOptions(args) {
     const cwd = process.cwd();
+    const common = {
+        fix: args.fix,
+        report: args.report,
+        noSave: args.noSave,
+    };
     if (args.system) {
         if (args.targets.length > 0) {
             return null;
         }
-        return { system: true, fix: args.fix, scopeLabel: 'AI system scan' };
+        return { ...common, system: true, ai: args.ai, scopeLabel: 'AI system scan' };
     }
     if (args.targets.length > 0) {
         if (args.targets.length === 1 && args.targets[0] === '.' && !args.deep) {
-            return { targets: [cwd], deep: false, fix: args.fix, scopeLabel: 'Current directory only' };
+            return {
+                ...common,
+                targets: [cwd],
+                deep: false,
+                ai: args.ai,
+                scopeLabel: 'Current directory only',
+            };
         }
         return {
+            ...common,
             targets: args.targets,
             deep: true,
-            fix: args.fix,
+            ai: args.ai,
             scopeLabel: args.targets.length === 1 && args.targets[0] === '.' ? 'Current + subdirectories' : 'Custom path',
         };
     }
     if (args.deep) {
-        return { targets: [cwd], deep: true, fix: args.fix, scopeLabel: 'Current + subdirectories' };
+        return { ...common, targets: [cwd], deep: true, ai: args.ai, scopeLabel: 'Current + subdirectories' };
     }
     if (process.stdout.isTTY !== true) {
-        return { targets: [cwd], deep: true, fix: args.fix, scopeLabel: 'Current + subdirectories' };
+        return { ...common, targets: [cwd], deep: true, ai: false, scopeLabel: 'Current + subdirectories' };
     }
     const scope = await promptScanScope(cwd);
+    const ai = args.ai ? true : await promptScanDepth();
     if (scope === 'system') {
-        return { system: true, fix: args.fix, scopeLabel: 'AI system scan' };
+        return { ...common, system: true, ai, scopeLabel: 'AI system scan' };
     }
     if (scope === 'shallow') {
-        return { targets: [cwd], deep: false, fix: args.fix, scopeLabel: 'Current directory only' };
+        return { ...common, targets: [cwd], deep: false, ai, scopeLabel: 'Current directory only' };
     }
-    return { targets: [cwd], deep: true, fix: args.fix, scopeLabel: 'Current + subdirectories' };
+    return { ...common, targets: [cwd], deep: true, ai, scopeLabel: 'Current + subdirectories' };
 }
 async function runDashboard() {
     const configuredPort = process.env.PORT;

package/dist/report.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from './scan';
+export declare function generateHtmlReport(result: ScanResult): string;
+//# sourceMappingURL=report.d.ts.map

package/dist/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../src/report.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AA2nBxC,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAoB7D"}

package/dist/report.js

@@ -0,0 +1,651 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateHtmlReport = generateHtmlReport;
+function escapeHtml(text) {
+    return text
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+function generateCss() {
+    return `
+:root, [data-theme="dark"] {
+  --bg-primary: #0a0a0a;
+  --bg-secondary: #1a1a1a;
+  --bg-tertiary: #2a2a2a;
+  --border: #333333;
+  --text-primary: #f5f5f5;
+  --text-secondary: #a0a0a0;
+  --text-muted: #666666;
+  --accent: #00d9ff;
+  --accent-glow: rgba(0, 217, 255, 0.15);
+  --risk-critical: #ef4444;
+  --risk-high: #f59e0b;
+  --risk-low: #22c55e;
+}
+
+[data-theme="light"] {
+  --bg-primary: #ffffff;
+  --bg-secondary: #f9fafb;
+  --bg-tertiary: #f3f4f6;
+  --border: #e5e7eb;
+  --text-primary: #0a0a0a;
+  --text-secondary: #4b5563;
+  --text-muted: #9ca3af;
+  --accent: #0284c7;
+  --accent-glow: rgba(2, 132, 199, 0.1);
+}
+
+* { box-sizing: border-box; }
+html, body { height: 100%; }
+body {
+  margin: 0;
+  font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+  background: var(--bg-primary);
+  color: var(--text-primary);
+}
+
+header {
+  position: sticky;
+  top: 0;
+  z-index: 10;
+  height: 72px;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0 20px;
+  background: var(--bg-secondary);
+  border-bottom: 1px solid var(--border);
+}
+
+.logo {
+  font-weight: 700;
+  letter-spacing: 0.2px;
+}
+
+.meta {
+  font-size: 12px;
+  color: var(--text-secondary);
+  text-align: right;
+}
+
+#theme-toggle {
+  border: 1px solid var(--border);
+  background: transparent;
+  color: var(--text-primary);
+  padding: 8px 12px;
+  border-radius: 10px;
+  cursor: pointer;
+}
+
+.container {
+  padding: 18px 20px 28px;
+  max-width: 1200px;
+  margin: 0 auto;
+}
+
+.summary {
+  display: grid;
+  grid-template-columns: repeat(4, minmax(0, 1fr));
+  gap: 12px;
+}
+
+.metric-card {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: 14px;
+  padding: 12px;
+}
+
+.metric-card .label {
+  display: block;
+  font-size: 12px;
+  color: var(--text-secondary);
+}
+
+.metric-card .value {
+  display: block;
+  margin-top: 6px;
+  font-size: 20px;
+  font-variant-numeric: tabular-nums;
+}
+
+.metric-card .value.danger { color: var(--risk-critical); }
+
+.chart {
+  margin-top: 12px;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: 14px;
+  padding: 12px;
+}
+
+.chart-bars { display: flex; gap: 10px; align-items: flex-end; height: 48px; }
+.bar {
+  flex: 1;
+  border-radius: 10px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border);
+  cursor: pointer;
+  position: relative;
+  overflow: hidden;
+}
+.bar > span { position: absolute; inset: 0; display: block; }
+.bar .critical { background: var(--risk-critical); }
+.bar .high { background: var(--risk-high); }
+.bar .clean { background: var(--risk-low); }
+.chart-legend { display: flex; gap: 14px; margin-top: 10px; color: var(--text-secondary); font-size: 12px; }
+
+.main {
+  margin-top: 14px;
+  display: grid;
+  grid-template-columns: 30% 70%;
+  gap: 12px;
+  min-height: 520px;
+}
+
+.panel {
+  background: var(--bg-secondary);
+  border: 1px solid var(--border);
+  border-radius: 14px;
+  overflow: hidden;
+}
+
+.file-tree {
+  display: flex;
+  flex-direction: column;
+}
+
+.file-tree .controls {
+  padding: 12px;
+  border-bottom: 1px solid var(--border);
+}
+
+#tree-search {
+  width: 100%;
+  padding: 10px 12px;
+  border-radius: 10px;
+  border: 1px solid var(--border);
+  background: var(--bg-tertiary);
+  color: var(--text-primary);
+}
+
+.toggle {
+  margin-top: 10px;
+  font-size: 12px;
+  color: var(--text-secondary);
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+#tree {
+  padding: 10px;
+  overflow: auto;
+  flex: 1;
+}
+
+details {
+  border-radius: 10px;
+}
+summary {
+  cursor: pointer;
+  padding: 8px 10px;
+  border-radius: 10px;
+  color: var(--text-primary);
+}
+summary:hover { background: var(--bg-tertiary); }
+
+.file-btn {
+  width: 100%;
+  text-align: left;
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 8px 10px;
+  border: 1px solid transparent;
+  background: transparent;
+  color: var(--text-primary);
+  border-radius: 10px;
+  cursor: pointer;
+}
+
+.file-btn:hover { background: var(--bg-tertiary); }
+.file-btn.active {
+  background: var(--accent-glow);
+  border-color: var(--accent);
+  border-left: 3px solid var(--accent);
+}
+
+.dot { width: 10px; height: 10px; border-radius: 50%; display: inline-block; }
+.dot.critical { background: var(--risk-critical); }
+.dot.high { background: var(--risk-high); }
+.dot.clean { background: var(--risk-low); }
+
+.detail-panel { display: flex; flex-direction: column; }
+.detail-inner {
+  padding: 14px;
+  overflow: auto;
+  flex: 1;
+}
+
+.file-header { padding-bottom: 12px; border-bottom: 1px solid var(--border); }
+.file-path { font-size: 12px; color: var(--text-secondary); word-break: break-all; }
+.file-name { margin-top: 6px; font-size: 18px; font-weight: 700; }
+.metrics { margin-top: 10px; display: flex; gap: 12px; flex-wrap: wrap; font-size: 12px; color: var(--text-secondary); }
+.badge { padding: 2px 8px; border-radius: 999px; border: 1px solid var(--border); }
+.badge.block { border-color: var(--risk-critical); color: var(--risk-critical); }
+.badge.allow { border-color: var(--risk-low); color: var(--risk-low); }
+
+.section { margin-top: 14px; }
+.section h3 { margin: 0 0 8px; font-size: 13px; color: var(--text-secondary); }
+.patterns ul { margin: 0; padding-left: 18px; }
+
+pre {
+  margin: 0;
+  padding: 12px;
+  border-radius: 12px;
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border);
+  overflow: auto;
+}
+code {
+  font-family: 'JetBrains Mono', 'Fira Code', Consolas, monospace;
+  font-size: 12px;
+  color: var(--text-primary);
+  white-space: pre;
+}
+
+@media (max-width: 1024px) {
+  .main { grid-template-columns: 40% 60%; }
+}
+
+@media (max-width: 768px) {
+  header { height: auto; padding: 12px 14px; gap: 10px; flex-wrap: wrap; }
+  .container { padding: 14px; }
+  .summary { grid-template-columns: repeat(2, minmax(0, 1fr)); }
+  .main { grid-template-columns: 1fr; }
+  #tree { max-height: 260px; }
+}
+
+@media print {
+  * { print-color-adjust: exact; -webkit-print-color-adjust: exact; }
+  header { position: static; }
+  .main { grid-template-columns: 1fr; }
+}
+`.trim();
+}
+function generateJs() {
+    return `
+const el = (sel) => document.querySelector(sel);
+
+function escapeHtml(text) {
+  return String(text)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/\"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+function riskLevel(risk) {
+  if (risk >= 0.8) return 'critical';
+  if (risk >= 0.5) return 'high';
+  return 'clean';
+}
+
+function debounce(fn, ms) {
+  let t;
+  return (...args) => {
+    clearTimeout(t);
+    t = setTimeout(() => fn(...args), ms);
+  };
+}
+
+function buildFileTree(findings) {
+  const root = { files: [], dirs: new Map() };
+  for (const f of findings) {
+    const parts = String(f.filePath).split('/').filter(Boolean);
+    let node = root;
+    for (let i = 0; i < parts.length; i++) {
+      const part = parts[i];
+      const isFile = i === parts.length - 1;
+      if (isFile) {
+        node.files.push(f);
+      } else {
+        if (!node.dirs.has(part)) {
+          node.dirs.set(part, { name: part, files: [], dirs: new Map() });
+        }
+        node = node.dirs.get(part);
+      }
+    }
+  }
+  return root;
+}
+
+function renderTreeNode(node, opts) {
+  const container = document.createElement('div');
+
+  const dirEntries = Array.from(node.dirs.values()).sort((a, b) => a.name.localeCompare(b.name));
+  for (const dir of dirEntries) {
+    const details = document.createElement('details');
+    details.open = true;
+    const summary = document.createElement('summary');
+    summary.textContent = dir.name;
+    details.appendChild(summary);
+    details.appendChild(renderTreeNode(dir, opts));
+    container.appendChild(details);
+  }
+
+  const files = node.files.slice().sort((a, b) => String(a.filePath).localeCompare(String(b.filePath)));
+  for (const f of files) {
+    const threat = Number(f.risk) >= 0.5;
+    if (opts.threatsOnly && !threat) continue;
+    if (opts.query) {
+      const name = String(f.filePath).split('/').pop() || '';
+      if (!name.toLowerCase().includes(opts.query.toLowerCase())) continue;
+    }
+
+    const btn = document.createElement('button');
+    btn.className = 'file-btn';
+    btn.type = 'button';
+    btn.setAttribute('data-file', String(f.filePath));
+    btn.setAttribute('role', 'treeitem');
+    btn.tabIndex = -1;
+
+    const dot = document.createElement('span');
+    dot.className = 'dot ' + riskLevel(Number(f.risk));
+    btn.appendChild(dot);
+
+    const label = document.createElement('span');
+    label.textContent = String(f.filePath).split('/').pop() || String(f.filePath);
+    btn.appendChild(label);
+
+    btn.addEventListener('click', () => handleFileClick(String(f.filePath)));
+    container.appendChild(btn);
+  }
+
+  return container;
+}
+
+function handleFileClick(filePath) {
+  const finding = (SCAN_DATA.findings || []).find((f) => f.filePath === filePath);
+  if (!finding) return;
+
+  document.querySelectorAll('.file-btn').forEach((b) => b.classList.remove('active'));
+  const active = document.querySelector('.file-btn[data-file="' + CSS.escape(filePath) + '"]');
+  if (active) active.classList.add('active');
+
+  const detail = el('#detail');
+  const name = String(filePath).split('/').pop() || filePath;
+  const patterns = Array.isArray(finding.patterns) ? finding.patterns : [];
+  const detectors = Array.isArray(finding.detectors) ? finding.detectors : [];
+  const badgeClass = finding.action === 'block' ? 'block' : 'allow';
+  const badgeText = String(finding.action || '').toUpperCase();
+
+  const patternsHtml = patterns.length
+    ? patterns.map((p) => '<li>' + escapeHtml(p) + '</li>').join('')
+    : '<li>None</li>';
+  const detectorsHtml = detectors.length
+    ? detectors.map((d) => '<span class="badge">' + escapeHtml(d) + '</span>').join('')
+    : '<span class="badge">none</span>';
+
+  detail.innerHTML =
+    '<div class="detail-inner">' +
+      '<div class="file-header">' +
+        '<div class="file-path">' + escapeHtml(filePath) + '</div>' +
+        '<div class="file-name">' + escapeHtml(name) + '</div>' +
+        '<div class="metrics">' +
+          '<span>Risk: <span class="badge">' + Number(finding.risk).toFixed(2) + '</span></span>' +
+          '<span>Confidence: <span class="badge">' + Math.round(Number(finding.confidence) * 100) + '%</span></span>' +
+          '<span class="badge ' + badgeClass + '">' + escapeHtml(badgeText) + '</span>' +
+        '</div>' +
+      '</div>' +
+      '<div class="section patterns">' +
+        '<h3>Detected Patterns</h3>' +
+        '<ul>' + patternsHtml + '</ul>' +
+      '</div>' +
+      '<div class="section snippet">' +
+        '<h3>Code Snippet</h3>' +
+        '<pre><code>' + escapeHtml(finding.snippet || '') + '</code></pre>' +
+      '</div>' +
+      '<div class="section detectors">' +
+        '<h3>Detectors</h3>' +
+        detectorsHtml +
+      '</div>' +
+      '<div class="section ai-analysis">' +
+        '<h3>AI Analysis</h3>' +
+        '<p>' + escapeHtml(finding.aiAnalysis || '') + '</p>' +
+      '</div>' +
+    '</div>';
+}
+
+function handleSearch(query) {
+  renderTree({ query });
+}
+
+function handleThreatsOnlyToggle() {
+  renderTree({});
+}
+
+function handleThemeToggle() {
+  const root = document.documentElement;
+  const current = root.getAttribute('data-theme') || 'dark';
+  const next = current === 'dark' ? 'light' : 'dark';
+  root.setAttribute('data-theme', next);
+  try { localStorage.setItem('sapper-theme', next); } catch {}
+}
+
+function handleChartBarClick(level) {
+  const state = window.__TREE_STATE || {};
+  state.riskFilter = level;
+  window.__TREE_STATE = state;
+  renderTree({});
+}
+
+function renderChart() {
+  const findings = Array.isArray(SCAN_DATA.findings) ? SCAN_DATA.findings : [];
+  const critical = findings.filter((f) => Number(f.risk) >= 0.8).length;
+  const high = findings.filter((f) => Number(f.risk) >= 0.5 && Number(f.risk) < 0.8).length;
+  const clean = findings.filter((f) => Number(f.risk) < 0.5).length;
+  const total = Math.max(1, findings.length);
+
+  const bars = el('#chart-bars');
+  if (!bars) return;
+  bars.innerHTML = '';
+
+  function mk(cls, count, level) {
+    const wrap = document.createElement('div');
+    wrap.className = 'bar';
+    wrap.title = level + ': ' + count;
+    wrap.addEventListener('click', () => handleChartBarClick(level));
+    const span = document.createElement('span');
+    span.className = cls;
+    span.style.height = Math.round((count / total) * 100) + '%';
+    span.style.position = 'absolute';
+    span.style.bottom = '0';
+    wrap.appendChild(span);
+    return wrap;
+  }
+
+  bars.appendChild(mk('critical', critical, 'critical'));
+  bars.appendChild(mk('high', high, 'high'));
+  bars.appendChild(mk('clean', clean, 'clean'));
+
+  const legend = el('#chart-legend');
+  if (legend) {
+    legend.innerHTML =
+      '<span>Critical (>=0.8): ' + critical + '</span>' +
+      '<span>High (>=0.5): ' + high + '</span>' +
+      '<span>Clean (<0.5): ' + clean + '</span>';
+  }
+}
+
+function renderTree(partial) {
+  const state = window.__TREE_STATE || { query: '', riskFilter: null };
+  window.__TREE_STATE = Object.assign({}, state, partial);
+
+  const findings = Array.isArray(SCAN_DATA.findings) ? SCAN_DATA.findings : [];
+  const threatsOnlyEl = el('#threats-only');
+  const threatsOnly = threatsOnlyEl ? !!threatsOnlyEl.checked : true;
+
+  let visible = findings;
+  if (window.__TREE_STATE.riskFilter) {
+    const level = window.__TREE_STATE.riskFilter;
+    visible = visible.filter((f) => {
+      const r = Number(f.risk);
+      if (level === 'critical') return r >= 0.8;
+      if (level === 'high') return r >= 0.5 && r < 0.8;
+      if (level === 'clean') return r < 0.5;
+      return true;
+    });
+  }
+
+  const treeRoot = buildFileTree(visible);
+  const tree = el('#tree');
+  if (!tree) return;
+  tree.innerHTML = '';
+  const query = window.__TREE_STATE.query || '';
+  const node = renderTreeNode(treeRoot, { query, threatsOnly });
+  tree.appendChild(node);
+
+  const first = tree.querySelector('.file-btn');
+  if (first) first.tabIndex = 0;
+}
+
+function installKeyboardNav() {
+  document.addEventListener('keydown', (e) => {
+    const items = Array.from(document.querySelectorAll('.file-btn'));
+    if (items.length === 0) return;
+    const active = document.activeElement;
+    const idx = items.indexOf(active);
+
+    if (e.key === 'ArrowDown') {
+      e.preventDefault();
+      const next = items[Math.min(items.length - 1, Math.max(0, idx + 1))] || items[0];
+      next.focus();
+      return;
+    }
+    if (e.key === 'ArrowUp') {
+      e.preventDefault();
+      const next = items[Math.max(0, idx - 1)] || items[0];
+      next.focus();
+      return;
+    }
+    if (e.key === 'Enter') {
+      if (active && active.classList && active.classList.contains('file-btn')) {
+        active.click();
+      }
+    }
+  });
+}
+
+function bootstrap() {
+  try {
+    const saved = localStorage.getItem('sapper-theme');
+    if (saved === 'light' || saved === 'dark') {
+      document.documentElement.setAttribute('data-theme', saved);
+    }
+  } catch {}
+
+  const toggle = el('#theme-toggle');
+  if (toggle) toggle.addEventListener('click', handleThemeToggle);
+
+  const search = el('#tree-search');
+  if (search) {
+    search.addEventListener('input', debounce((e) => handleSearch(e.target.value || ''), 300));
+  }
+
+  const threatsOnly = el('#threats-only');
+  if (threatsOnly) threatsOnly.addEventListener('change', handleThreatsOnlyToggle);
+
+  renderChart();
+  renderTree({ query: '' });
+  installKeyboardNav();
+
+  const detail = el('#detail');
+  if (detail) {
+    detail.innerHTML = '<div class="detail-inner"><div class="file-path">Select a file to view details</div></div>';
+  }
+}
+
+bootstrap();
+`.trim();
+}
+function renderHeader(result) {
+    return `
+<header>
+  <div class="logo">SapperAI Scan Report</div>
+  <div class="meta">Scanned: ${escapeHtml(result.timestamp)} | Scope: ${escapeHtml(result.scope)}</div>
+  <button id="theme-toggle" type="button">Dark/Light</button>
+</header>
+`.trim();
+}
+function renderSummary(result) {
+    const total = result.summary.totalFiles;
+    const threats = result.summary.threats;
+    const maxRisk = result.findings.reduce((m, f) => Math.max(m, f.risk), 0);
+    return `
+<section class="summary">
+  <div class="metric-card">
+    <span class="label">Total Files</span>
+    <span class="value">${total.toLocaleString()}</span>
+  </div>
+  <div class="metric-card">
+    <span class="label">Threats</span>
+    <span class="value danger">${threats.toLocaleString()}</span>
+  </div>
+  <div class="metric-card">
+    <span class="label">Max Risk</span>
+    <span class="value">${maxRisk.toFixed(2)}</span>
+  </div>
+  <div class="metric-card">
+    <span class="label">AI Scan</span>
+    <span class="value">${result.ai ? 'Enabled' : 'Disabled'}</span>
+  </div>
+</section>
+
+<section class="chart">
+  <div class="chart-bars" id="chart-bars"></div>
+  <div class="chart-legend" id="chart-legend"></div>
+</section>
+`.trim();
+}
+function renderMainContent(result) {
+    const threatsCount = result.findings.filter((f) => f.risk >= 0.5).length;
+    return `
+<section class="main">
+  <aside class="panel file-tree">
+    <div class="controls">
+      <input type="text" placeholder="Search files..." id="tree-search" />
+      <label class="toggle"><input type="checkbox" id="threats-only" checked /> Threats only (${threatsCount})</label>
+    </div>
+    <div id="tree" role="tree"></div>
+  </aside>
+  <main class="panel detail-panel" id="detail"></main>
+</section>
+`.trim();
+}
+function generateHtmlReport(result) {
+    const safeJson = JSON.stringify(result).replace(/<\//g, '<\\/');
+    return `<!DOCTYPE html>
+<html lang="ko" data-theme="dark">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>SapperAI Scan Report - ${escapeHtml(result.timestamp)}</title>
+  <style>${generateCss()}</style>
+</head>
+<body>
+  ${renderHeader(result)}
+  <div class="container">
+    ${renderSummary(result)}
+    ${renderMainContent(result)}
+  </div>
+  <script>const SCAN_DATA = ${safeJson};</script>
+  <script>${generateJs()}</script>
+</body>
+</html>`;
+}

package/dist/scan.d.ts

@@ -4,6 +4,33 @@ export interface ScanOptions {
     deep?: boolean;
     system?: boolean;
     scopeLabel?: string;
+    ai?: boolean;
+    report?: boolean;
+    noSave?: boolean;
+}
+export interface ScanResult {
+    version: '1.0';
+    timestamp: string;
+    scope: string;
+    target: string;
+    ai: boolean;
+    summary: {
+        totalFiles: number;
+        scannedFiles: number;
+        skippedFiles: number;
+        threats: number;
+    };
+    findings: Array<{
+        filePath: string;
+        risk: number;
+        confidence: number;
+        action: string;
+        patterns: string[];
+        reasons: string[];
+        snippet: string;
+        detectors: string[];
+        aiAnalysis: string | null;
+    }>;
 }
 export declare function runScan(options?: ScanOptions): Promise<number>;
 //# sourceMappingURL=scan.d.ts.map

package/dist/scan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,GAAG,CAAC,EAAE,OAAO,CAAA;IACb,IAAI,CAAC,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AA6TD,wBAAsB,OAAO,CAAC,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAsGxE"}
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,GAAG,CAAC,EAAE,OAAO,CAAA;IACb,IAAI,CAAC,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,EAAE,CAAC,EAAE,OAAO,CAAA;IACZ,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAeD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,OAAO,CAAA;IACX,OAAO,EAAE;QACP,UAAU,EAAE,MAAM,CAAA;QAClB,YAAY,EAAE,MAAM,CAAA;QACpB,YAAY,EAAE,MAAM,CAAA;QACpB,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,QAAQ,EAAE,KAAK,CAAC;QACd,QAAQ,EAAE,MAAM,CAAA;QAChB,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,MAAM,CAAA;QAClB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE,MAAM,EAAE,CAAA;QAClB,OAAO,EAAE,MAAM,EAAE,CAAA;QACjB,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,EAAE,CAAA;QACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;KAC1B,CAAC,CAAA;CACH;AAqYD,wBAAsB,OAAO,CAAC,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAyPxE"}

package/dist/scan.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runScan = runScan;
 const node_fs_1 = require("node:fs");
@@ -223,9 +256,13 @@ async function scanFile(filePath, policy, scanner, detectors, fix, quarantineMan
         catch {
         }
     }
+    let bestDecision = null;
     let bestThreat = null;
     for (const target of targets) {
         const decision = await scanner.scanTool(target.id, target.surface, policy, detectors);
+        if (!bestDecision || decision.risk > bestDecision.risk) {
+            bestDecision = decision;
+        }
         if (!isThreat(decision, policy)) {
             continue;
         }
@@ -235,21 +272,88 @@ async function scanFile(filePath, policy, scanner, detectors, fix, quarantineMan
         if (fix && decision.action === 'block') {
             try {
                 const record = await quarantineManager.quarantine(filePath, decision);
-                return { scanned: true, finding: { filePath, decision, quarantinedId: record.id } };
+                return { scanned: true, decision: bestDecision ?? decision, quarantinedId: record.id };
             }
             catch {
             }
         }
     }
-    if (!bestThreat) {
-        return { scanned: true };
+    if (!bestDecision) {
+        return { scanned: false };
+    }
+    return { scanned: true, decision: bestThreat ?? bestDecision };
+}
+function uniq(values) {
+    return Array.from(new Set(values));
+}
+function extractPatternsFromReasons(reasons) {
+    const prefix = 'Detected pattern: ';
+    const patterns = [];
+    for (const r of reasons) {
+        if (r.startsWith(prefix)) {
+            patterns.push(r.slice(prefix.length));
+        }
+    }
+    return patterns;
+}
+function toDetectorsList(decision) {
+    return uniq(decision.evidence.map((e) => e.detectorId));
+}
+function truncateSnippet(text, maxChars) {
+    if (text.length <= maxChars) {
+        return text;
     }
-    return { scanned: true, finding: { filePath, decision: bestThreat } };
+    return text.slice(0, maxChars);
+}
+async function buildScanResult(params) {
+    const timestamp = new Date().toISOString();
+    const findings = await Promise.all(params.findings.map(async (f) => {
+        const raw = await readFileIfPresent(f.filePath);
+        const snippet = raw ? truncateSnippet(raw, 400) : '';
+        const reasons = f.decision.reasons;
+        const patterns = extractPatternsFromReasons(reasons);
+        const detectors = toDetectorsList(f.decision);
+        return {
+            filePath: f.filePath,
+            risk: f.decision.risk,
+            confidence: f.decision.confidence,
+            action: f.decision.action,
+            patterns,
+            reasons,
+            snippet,
+            detectors,
+            aiAnalysis: f.aiAnalysis ?? null,
+        };
+    }));
+    return {
+        version: '1.0',
+        timestamp,
+        scope: params.scope,
+        target: params.target,
+        ai: params.ai,
+        summary: {
+            totalFiles: params.totalFiles,
+            scannedFiles: params.scannedFiles,
+            skippedFiles: params.skippedFiles,
+            threats: params.threats,
+        },
+        findings,
+    };
 }
 async function runScan(options = {}) {
     const cwd = process.cwd();
     const policy = resolvePolicy(cwd);
     const fix = options.fix === true;
+    const aiEnabled = options.ai === true;
+    let llmConfig = null;
+    if (aiEnabled) {
+        const apiKey = process.env.OPENAI_API_KEY;
+        if (!apiKey) {
+            console.log('\n  Error: OPENAI_API_KEY environment variable is required for --ai mode.\n');
+            return 1;
+        }
+        llmConfig = { provider: 'openai', apiKey, model: 'gpt-4.1-mini' };
+    }
     const deep = options.system ? true : options.deep !== false;
     const targets = options.system === true
         ? SYSTEM_SCAN_PATHS
@@ -257,7 +361,7 @@ async function runScan(options = {}) {
             ? options.targets
             : [cwd];
     const scanner = new core_1.Scanner();
-    const detectors = (0, core_1.createDetectors)({ policy });
+    const detectors = (0, core_1.createDetectors)({ policy, preferredDetectors: ['rules'] });
     const quarantineDir = process.env.SAPPERAI_QUARANTINE_DIR;
     const quarantineManager = quarantineDir ? new core_1.QuarantineManager({ quarantineDir }) : new core_1.QuarantineManager();
     const isTTY = process.stdout.isTTY === true;
@@ -281,7 +385,12 @@ async function runScan(options = {}) {
     const files = Array.from(fileSet).sort();
     console.log(`  Collecting files...  ${files.length} files found`);
     console.log();
-    const findings = [];
+    if (aiEnabled) {
+        console.log('  Phase 1/2: Rules scan');
+        console.log();
+    }
+    const scannedFindings = [];
+    let scannedFiles = 0;
     const total = files.length;
     const progressWidth = Math.max(10, Math.min(30, (process.stdout.columns ?? 80) - 30));
     for (let i = 0; i < files.length; i += 1) {
@@ -299,34 +408,151 @@ async function runScan(options = {}) {
             }
         }
         const result = await scanFile(filePath, policy, scanner, detectors, fix, quarantineManager);
-        if (result.finding) {
-            findings.push(result.finding);
+        if (result.scanned && result.decision) {
+            scannedFiles += 1;
+            scannedFindings.push({ filePath, decision: result.decision, quarantinedId: result.quarantinedId });
         }
     }
     if (isTTY && total > 0) {
         process.stdout.write('\x1b[2A\x1b[2K\r\x1b[1B\x1b[2K\r');
     }
-    if (findings.length === 0) {
-        const msg = `  ✓ All clear — ${total} files scanned, 0 threats detected`;
+    if (aiEnabled && llmConfig) {
+        const suspiciousFindings = scannedFindings.filter((f) => f.decision.risk >= 0.5);
+        const maxAiFiles = 50;
+        if (suspiciousFindings.length > 0) {
+            const aiTargets = suspiciousFindings.slice(0, maxAiFiles);
+            if (suspiciousFindings.length > maxAiFiles) {
+                console.log(`  Note: AI scan limited to ${maxAiFiles} files (${suspiciousFindings.length} suspicious)`);
+            }
+            console.log();
+            console.log(`  Phase 2/2: AI deep scan (${aiTargets.length} files)`);
+            console.log();
+            const detectorsList = (policy.detectors ?? ['rules']).slice();
+            if (!detectorsList.includes('llm')) {
+                detectorsList.push('llm');
+            }
+            const aiPolicy = { ...policy, llm: llmConfig, detectors: detectorsList };
+            const aiDetectors = (0, core_1.createDetectors)({ policy: aiPolicy, preferredDetectors: ['rules', 'llm'] });
+            for (let i = 0; i < aiTargets.length; i += 1) {
+                const finding = aiTargets[i];
+                if (isTTY) {
+                    const bar = renderProgressBar(i + 1, aiTargets.length, progressWidth);
+                    const label = '  Analyzing: ';
+                    const maxPath = Math.max(10, (process.stdout.columns ?? 80) - stripAnsi(bar).length - label.length);
+                    const scanning = `${label}${truncateToWidth(finding.filePath, maxPath)}`;
+                    if (i === 0) {
+                        process.stdout.write(`${bar}\n${scanning}\n`);
+                    }
+                    else {
+                        process.stdout.write(`\x1b[2A\x1b[2K\r${bar}\n\x1b[2K\r${scanning}\n`);
+                    }
+                }
+                try {
+                    const raw = await readFileIfPresent(finding.filePath);
+                    if (!raw)
+                        continue;
+                    const surface = (0, core_1.normalizeSurfaceText)(raw);
+                    const targetType = (0, core_1.classifyTargetType)(finding.filePath);
+                    const id = `${targetType}:${(0, core_1.buildEntryName)(finding.filePath)}`;
+                    const aiDecision = await scanner.scanTool(id, surface, aiPolicy, aiDetectors);
+                    const mergedReasons = uniq([...finding.decision.reasons, ...aiDecision.reasons]);
+                    const existingEvidence = finding.decision.evidence;
+                    const mergedEvidence = [...existingEvidence];
+                    for (const ev of aiDecision.evidence) {
+                        if (!mergedEvidence.some((e) => e.detectorId === ev.detectorId)) {
+                            mergedEvidence.push(ev);
+                        }
+                    }
+                    const nextDecision = {
+                        ...finding.decision,
+                        reasons: mergedReasons,
+                        evidence: mergedEvidence,
+                    };
+                    if (aiDecision.risk > finding.decision.risk) {
+                        finding.decision = {
+                            ...nextDecision,
+                            action: aiDecision.action,
+                            risk: aiDecision.risk,
+                            confidence: aiDecision.confidence,
+                        };
+                    }
+                    else {
+                        finding.decision = nextDecision;
+                    }
+                    finding.aiAnalysis =
+                        aiDecision.reasons.find((r) => !r.startsWith('Detected pattern:')) ?? null;
+                }
+                catch {
+                }
+            }
+            if (isTTY && aiTargets.length > 0) {
+                process.stdout.write('\x1b[2A\x1b[2K\r\x1b[1B\x1b[2K\r');
+            }
+        }
+    }
+    const skippedFiles = total - scannedFiles;
+    const threats = scannedFindings.filter((f) => isThreat(f.decision, policy));
+    const scanResult = await buildScanResult({
+        scope: scopeLabel,
+        target: targets.join(', '),
+        ai: aiEnabled,
+        totalFiles: total,
+        scannedFiles,
+        skippedFiles,
+        threats: threats.length,
+        findings: scannedFindings,
+    });
+    if (options.noSave !== true) {
+        const scanDir = (0, node_path_1.join)((0, node_os_1.homedir)(), '.sapperai', 'scans');
+        await (0, promises_1.mkdir)(scanDir, { recursive: true });
+        const filename = `${new Date().toISOString().replace(/[:.]/g, '-')}.json`;
+        const savedPath = (0, node_path_1.join)(scanDir, filename);
+        await (0, promises_1.writeFile)(savedPath, JSON.stringify(scanResult, null, 2), 'utf8');
+        console.log(`  Saved to ${savedPath}`);
+        console.log();
+    }
+    if (threats.length === 0) {
+        const msg = `  ✓ All clear — ${scannedFiles} files scanned, 0 threats detected`;
         console.log(color ? `${GREEN}${msg}${RESET}` : msg);
         console.log();
-        return 0;
     }
-    const warn = `  ⚠ ${total} files scanned, ${findings.length} threats detected`;
-    console.log(color ? `${RED}${warn}${RESET}` : warn);
-    console.log();
-    const tableLines = renderFindingsTable(findings, {
-        cwd,
-        columns: process.stdout.columns ?? 80,
-        color,
-    });
-    for (const line of tableLines) {
-        console.log(line);
+    else {
+        const warn = `  ⚠ ${scannedFiles} files scanned, ${threats.length} threats detected`;
+        console.log(color ? `${RED}${warn}${RESET}` : warn);
+        console.log();
+        const tableLines = renderFindingsTable(threats, {
+            cwd,
+            columns: process.stdout.columns ?? 80,
+            color,
+        });
+        for (const line of tableLines) {
+            console.log(line);
+        }
+        console.log();
+        if (!fix) {
+            console.log("  Run 'npx sapper-ai scan --fix' to quarantine blocked files.");
+            console.log();
+        }
     }
-    console.log();
-    if (!fix) {
-        console.log("  Run 'npx sapper-ai scan --fix' to quarantine blocked files.");
+    if (options.report) {
+        const { generateHtmlReport } = await Promise.resolve().then(() => __importStar(require('./report')));
+        const html = generateHtmlReport(scanResult);
+        const reportPath = (0, node_path_1.join)(process.cwd(), 'sapper-report.html');
+        await (0, promises_1.writeFile)(reportPath, html, 'utf8');
+        console.log(`  Report saved to ${reportPath}`);
+        try {
+            const { execFile } = await Promise.resolve().then(() => __importStar(require('node:child_process')));
+            if (process.platform === 'win32') {
+                execFile('cmd', ['/c', 'start', '', reportPath]);
+            }
+            else {
+                const openCmd = process.platform === 'darwin' ? 'open' : 'xdg-open';
+                execFile(openCmd, [reportPath]);
+            }
+        }
+        catch {
+        }
         console.log();
     }
-    return 1;
+    return threats.length > 0 ? 1 : 0;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sapper-ai",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "AI security guardrails - single install, sensible defaults",
   "keywords": [
     "security",
@@ -39,6 +39,7 @@
     "access": "public"
   },
   "dependencies": {
+    "@inquirer/select": "^4.0.0",
     "@sapper-ai/core": "0.2.1",
     "@sapper-ai/types": "0.2.1"
   },