sapper-ai 0.5.0 → 0.6.1

package/dist/scan.d.ts

@@ -1,5 +1,6 @@
 export interface ScanOptions {
     targets?: string[];
+    policyPath?: string;
     fix?: boolean;
     deep?: boolean;
     system?: boolean;
@@ -7,6 +8,8 @@ export interface ScanOptions {
     ai?: boolean;
     noSave?: boolean;
     noOpen?: boolean;
+    noPrompt?: boolean;
+    noColor?: boolean;
 }
 export interface ScanResult {
     version: '1.0';
@@ -14,10 +17,16 @@ export interface ScanResult {
     scope: string;
     target: string;
     ai: boolean;
+    filters: {
+        configLikeOnly: boolean;
+    };
     summary: {
         totalFiles: number;
+        eligibleFiles: number;
         scannedFiles: number;
         skippedFiles: number;
+        skippedNotEligible: number;
+        skippedEmptyOrUnreadable: number;
         threats: number;
     };
     findings: Array<{
@@ -30,6 +39,12 @@ export interface ScanResult {
         snippet: string;
         detectors: string[];
         aiAnalysis: string | null;
+        ruleMatches: Array<{
+            label: string;
+            severity: 'high' | 'medium';
+            matchText: string;
+            context: string;
+        }>;
     }>;
 }
 export declare function runScan(options?: ScanOptions): Promise<number>;

package/dist/scan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,GAAG,CAAC,EAAE,OAAO,CAAA;IACb,IAAI,CAAC,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,EAAE,CAAC,EAAE,OAAO,CAAA;IACZ,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAeD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,OAAO,CAAA;IACX,OAAO,EAAE;QACP,UAAU,EAAE,MAAM,CAAA;QAClB,YAAY,EAAE,MAAM,CAAA;QACpB,YAAY,EAAE,MAAM,CAAA;QACpB,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,QAAQ,EAAE,KAAK,CAAC;QACd,QAAQ,EAAE,MAAM,CAAA;QAChB,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,MAAM,CAAA;QAClB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE,MAAM,EAAE,CAAA;QAClB,OAAO,EAAE,MAAM,EAAE,CAAA;QACjB,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,EAAE,CAAA;QACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;KAC1B,CAAC,CAAA;CACH;AAqYD,wBAAsB,OAAO,CAAC,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAyPxE"}
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAuBA,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,GAAG,CAAC,EAAE,OAAO,CAAA;IACb,IAAI,CAAC,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,EAAE,CAAC,EAAE,OAAO,CAAA;IACZ,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAiBD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,OAAO,CAAA;IACX,OAAO,EAAE;QACP,cAAc,EAAE,OAAO,CAAA;KACxB,CAAA;IACD,OAAO,EAAE;QACP,UAAU,EAAE,MAAM,CAAA;QAClB,aAAa,EAAE,MAAM,CAAA;QACrB,YAAY,EAAE,MAAM,CAAA;QACpB,YAAY,EAAE,MAAM,CAAA;QACpB,kBAAkB,EAAE,MAAM,CAAA;QAC1B,wBAAwB,EAAE,MAAM,CAAA;QAChC,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,QAAQ,EAAE,KAAK,CAAC;QACd,QAAQ,EAAE,MAAM,CAAA;QAChB,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,MAAM,CAAA;QAClB,MAAM,EAAE,MAAM,CAAA;QACd,QAAQ,EAAE,MAAM,EAAE,CAAA;QAClB,OAAO,EAAE,MAAM,EAAE,CAAA;QACjB,OAAO,EAAE,MAAM,CAAA;QACf,SAAS,EAAE,MAAM,EAAE,CAAA;QACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;QACzB,WAAW,EAAE,KAAK,CAAC;YACjB,KAAK,EAAE,MAAM,CAAA;YACb,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAA;YAC3B,SAAS,EAAE,MAAM,CAAA;YACjB,OAAO,EAAE,MAAM,CAAA;SAChB,CAAC,CAAA;KACH,CAAC,CAAA;CACH;AA8XD,wBAAsB,OAAO,CAAC,OAAO,GAAE,WAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAiQxE"}

package/dist/scan.js

@@ -34,17 +34,14 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runScan = runScan;
-const node_fs_1 = require("node:fs");
 const promises_1 = require("node:fs/promises");
 const node_os_1 = require("node:os");
 const node_path_1 = require("node:path");
 const core_1 = require("@sapper-ai/core");
+const auth_1 = require("./auth");
 const presets_1 = require("./presets");
-const CONFIG_FILE_NAMES = ['sapperai.config.yaml', 'sapperai.config.yml'];
-const GREEN = '\x1b[32m';
-const YELLOW = '\x1b[33m';
-const RED = '\x1b[31m';
-const RESET = '\x1b[0m';
+const format_1 = require("./utils/format");
+const repoRoot_1 = require("./utils/repoRoot");
 const SYSTEM_SCAN_PATHS = (() => {
     const home = (0, node_os_1.homedir)();
     return [
@@ -55,21 +52,18 @@ const SYSTEM_SCAN_PATHS = (() => {
         (0, node_path_1.join)(home, 'Library', 'Application Support', 'Claude'),
     ];
 })();
-function findConfigFile(cwd) {
-    for (const name of CONFIG_FILE_NAMES) {
-        const fullPath = (0, node_path_1.resolve)(cwd, name);
-        if ((0, node_fs_1.existsSync)(fullPath)) {
-            return fullPath;
-        }
+function resolvePolicy(cwd, options) {
+    const manager = new core_1.PolicyManager();
+    const explicitPath = options.policyPath ?? process.env.SAPPERAI_POLICY_PATH;
+    if (explicitPath) {
+        return manager.loadFromFile(explicitPath);
     }
-    return null;
-}
-function resolvePolicy(cwd) {
-    const configPath = findConfigFile(cwd);
-    if (!configPath) {
+    const repoRoot = (0, repoRoot_1.findRepoRoot)(cwd);
+    const resolved = (0, core_1.resolvePolicyPath)({ repoRoot, homeDir: (0, node_os_1.homedir)() });
+    if (!resolved) {
         return { ...presets_1.presets.standard.policy };
     }
-    return new core_1.PolicyManager().loadFromFile(configPath);
+    return manager.loadFromFile(resolved.path);
 }
 function getThresholds(policy) {
     const extended = policy;
@@ -138,84 +132,37 @@ async function collectFiles(targetPath, deep) {
     }
     return results;
 }
-function riskColor(risk) {
-    if (risk >= 0.8)
-        return RED;
-    if (risk >= 0.5)
-        return YELLOW;
-    return GREEN;
-}
-function stripAnsi(text) {
-    return text.replace(/\x1b\[[0-9;]*m/g, '');
-}
-function truncateToWidth(text, maxWidth) {
-    if (maxWidth <= 0) {
-        return '';
-    }
-    if (text.length <= maxWidth) {
-        return text;
-    }
-    if (maxWidth <= 3) {
-        return '.'.repeat(maxWidth);
-    }
-    return `...${text.slice(text.length - (maxWidth - 3))}`;
-}
-function renderProgressBar(current, total, width) {
-    const safeTotal = Math.max(1, total);
-    const pct = Math.floor((current / safeTotal) * 100);
-    const filled = Math.floor((current / safeTotal) * width);
-    const bar = '█'.repeat(filled) + '░'.repeat(Math.max(0, width - filled));
-    return `  ${bar}  ${pct}% │ ${current}/${total} files`;
-}
 function extractPatternLabel(decision) {
     const reason = decision.reasons[0];
     if (!reason)
         return 'threat';
     return reason.startsWith('Detected pattern: ') ? reason.slice('Detected pattern: '.length) : reason;
 }
-function padRight(text, width) {
-    if (text.length >= width)
-        return text;
-    return text + ' '.repeat(width - text.length);
-}
-function padRightVisual(text, width) {
-    const visLen = stripAnsi(text).length;
-    if (visLen >= width)
-        return text;
-    return text + ' '.repeat(width - visLen);
-}
-function padLeft(text, width) {
-    if (text.length >= width)
-        return text;
-    return ' '.repeat(width - text.length) + text;
-}
 function renderFindingsTable(findings, opts) {
-    const rows = findings.map((f, i) => {
-        const file = f.filePath.startsWith(opts.cwd + '/') ? f.filePath.slice(opts.cwd.length + 1) : f.filePath;
-        const pattern = extractPatternLabel(f.decision);
-        const riskValue = f.decision.risk.toFixed(2);
-        const riskPlain = padLeft(riskValue, 4);
-        const risk = opts.color ? `${riskColor(f.decision.risk)}${riskPlain}${RESET}` : riskPlain;
-        return { idx: String(i + 1), file, risk, pattern };
-    });
-    const idxWidth = Math.max(1, ...rows.map((r) => r.idx.length));
     const riskWidth = 4;
-    const patternWidth = Math.min(20, Math.max('Pattern'.length, ...rows.map((r) => r.pattern.length)));
-    const baseWidth = 2 + idxWidth + 2 + 2 + riskWidth + 2 + 2 + patternWidth + 2;
+    const patternWidth = Math.min(20, Math.max('Pattern'.length, ...findings.map((f) => extractPatternLabel(f.decision).length)));
+    const sourceWidth = opts.includeSource ? Math.max('Source'.length, 5) : 0;
     const maxTableWidth = Math.max(60, Math.min(opts.columns || 80, 120));
+    const sepWidth = 2;
+    const baseWidth = 'File'.length + sepWidth + riskWidth + sepWidth + patternWidth + (opts.includeSource ? sepWidth + sourceWidth : 0);
     const fileWidth = Math.max(20, Math.min(50, maxTableWidth - baseWidth));
-    const top = `  ┌${'─'.repeat(idxWidth + 2)}┬${'─'.repeat(fileWidth + 2)}┬${'─'.repeat(riskWidth + 2)}┬${'─'.repeat(patternWidth + 2)}┐`;
-    const header = `  │ ${padRight('#', idxWidth)} │ ${padRight('File', fileWidth)} │ ${padRight('Risk', riskWidth)} │ ${padRight('Pattern', patternWidth)} │`;
-    const sep = `  ├${'─'.repeat(idxWidth + 2)}┼${'─'.repeat(fileWidth + 2)}┼${'─'.repeat(riskWidth + 2)}┼${'─'.repeat(patternWidth + 2)}┤`;
-    const lines = [top, header, sep];
-    for (const r of rows) {
-        const file = truncateToWidth(r.file, fileWidth);
-        const pattern = truncateToWidth(r.pattern, patternWidth);
-        lines.push(`  │ ${padRight(r.idx, idxWidth)} │ ${padRight(file, fileWidth)} │ ${padRightVisual(r.risk, riskWidth)} │ ${padRight(pattern, patternWidth)} │`);
-    }
-    const bottom = `  └${'─'.repeat(idxWidth + 2)}┴${'─'.repeat(fileWidth + 2)}┴${'─'.repeat(riskWidth + 2)}┴${'─'.repeat(patternWidth + 2)}┘`;
-    lines.push(bottom);
-    return lines;
+    const headers = opts.includeSource ? ['File', 'Risk', 'Pattern', 'Source'] : ['File', 'Risk', 'Pattern'];
+    const rows = findings.map((f) => {
+        const relative = f.filePath.startsWith(opts.cwd + '/') ? f.filePath.slice(opts.cwd.length + 1) : f.filePath;
+        const file = (0, format_1.truncateToWidth)(relative, fileWidth);
+        const label = extractPatternLabel(f.decision);
+        const patternPlain = (0, format_1.truncateToWidth)(label, patternWidth);
+        const pattern = `${opts.colors.dim}${patternPlain}${opts.colors.reset}`;
+        const riskValue = f.decision.risk.toFixed(2);
+        const riskPlain = (0, format_1.padLeft)(riskValue, riskWidth);
+        const risk = `${(0, format_1.riskColor)(f.decision.risk, opts.colors)}${riskPlain}${opts.colors.reset}`;
+        if (!opts.includeSource) {
+            return [file, risk, pattern];
+        }
+        const src = f.source === 'ai' ? `${opts.colors.olive}ai${opts.colors.reset}` : `${opts.colors.dim}rules${opts.colors.reset}`;
+        return [file, risk, pattern, src];
+    });
+    return (0, format_1.table)(headers, rows, opts.colors);
 }
 function isThreat(decision, policy) {
     const { riskThreshold, blockMinConfidence } = getThresholds(policy);
@@ -231,11 +178,11 @@ async function readFileIfPresent(filePath) {
 }
 async function scanFile(filePath, policy, scanner, detectors, fix, quarantineManager) {
     if (!(0, core_1.isConfigLikeFile)(filePath)) {
-        return { scanned: false };
+        return { scanned: false, skipReason: 'not_eligible' };
     }
     const raw = await readFileIfPresent(filePath);
     if (raw === null || raw.trim().length === 0) {
-        return { scanned: false };
+        return { scanned: false, skipReason: 'empty_or_unreadable' };
     }
     const fileSurface = (0, core_1.normalizeSurfaceText)(raw);
     const targetType = (0, core_1.classifyTargetType)(filePath);
@@ -243,6 +190,11 @@ async function scanFile(filePath, policy, scanner, detectors, fix, quarantineMan
         {
             id: `${targetType}:${(0, core_1.buildEntryName)(filePath)}`,
             surface: fileSurface,
+            meta: {
+                scanSource: 'file_surface',
+                sourcePath: filePath,
+                sourceType: targetType,
+            },
         },
     ];
     if (filePath.endsWith('.json')) {
@@ -250,7 +202,15 @@ async function scanFile(filePath, policy, scanner, detectors, fix, quarantineMan
             const parsed = JSON.parse(raw);
             const mcpTargets = (0, core_1.collectMcpTargetsFromJson)(filePath, parsed);
             for (const t of mcpTargets) {
-                targets.push({ id: `${t.type}:${t.name}`, surface: t.surface });
+                targets.push({
+                    id: `${t.type}:${t.name}`,
+                    surface: t.surface,
+                    meta: {
+                        scanSource: 'file_surface',
+                        sourcePath: t.source,
+                        sourceType: t.type,
+                    },
+                });
             }
         }
         catch {
@@ -259,7 +219,7 @@ async function scanFile(filePath, policy, scanner, detectors, fix, quarantineMan
     let bestDecision = null;
     let bestThreat = null;
     for (const target of targets) {
-        const decision = await scanner.scanTool(target.id, target.surface, policy, detectors);
+        const decision = await scanner.scanTool(target.id, target.surface, policy, detectors, target.meta);
         if (!bestDecision || decision.risk > bestDecision.risk) {
             bestDecision = decision;
         }
@@ -299,6 +259,37 @@ function extractPatternsFromReasons(reasons) {
 function toDetectorsList(decision) {
     return uniq(decision.evidence.map((e) => e.detectorId));
 }
+function extractRuleMatches(decision) {
+    const evidence = Array.isArray(decision.evidence) ? decision.evidence : [];
+    const output = evidence.find((e) => e && e.detectorId === 'rules');
+    if (!output || !output.evidence || typeof output.evidence !== 'object') {
+        return [];
+    }
+    const maybeMatches = output.evidence.matches;
+    if (!Array.isArray(maybeMatches)) {
+        return [];
+    }
+    const results = [];
+    for (const m of maybeMatches) {
+        if (!m || typeof m !== 'object')
+            continue;
+        const match = m;
+        const label = typeof match.label === 'string' ? match.label : '';
+        const severity = match.severity === 'high' ? 'high' : 'medium';
+        const matchText = typeof match.matchText === 'string' ? match.matchText : '';
+        const context = typeof match.context === 'string'
+            ? match.context
+            : typeof match.sample === 'string'
+                ? match.sample
+                : '';
+        if (!label || !matchText)
+            continue;
+        results.push({ label, severity, matchText, context });
+        if (results.length >= 24)
+            break;
+    }
+    return results;
+}
 function truncateSnippet(text, maxChars) {
     if (text.length <= maxChars) {
         return text;
@@ -313,6 +304,7 @@ async function buildScanResult(params) {
         const reasons = f.decision.reasons;
         const patterns = extractPatternsFromReasons(reasons);
         const detectors = toDetectorsList(f.decision);
+        const ruleMatches = extractRuleMatches(f.decision);
         return {
             filePath: f.filePath,
             risk: f.decision.risk,
@@ -323,6 +315,7 @@ async function buildScanResult(params) {
             snippet,
             detectors,
             aiAnalysis: f.aiAnalysis ?? null,
+            ruleMatches,
         };
     }));
     return {
@@ -331,10 +324,16 @@ async function buildScanResult(params) {
         scope: params.scope,
         target: params.target,
         ai: params.ai,
+        filters: {
+            configLikeOnly: true,
+        },
         summary: {
             totalFiles: params.totalFiles,
+            eligibleFiles: params.eligibleFiles,
             scannedFiles: params.scannedFiles,
             skippedFiles: params.skippedFiles,
+            skippedNotEligible: params.skippedNotEligible,
+            skippedEmptyOrUnreadable: params.skippedEmptyOrUnreadable,
             threats: params.threats,
         },
         findings,
@@ -342,15 +341,34 @@ async function buildScanResult(params) {
 }
 async function runScan(options = {}) {
     const cwd = process.cwd();
-    const policy = resolvePolicy(cwd);
+    const colors = (0, format_1.createColors)({ noColor: options.noColor });
+    const policy = resolvePolicy(cwd, { policyPath: options.policyPath });
     const fix = options.fix === true;
+    console.log(`\n${(0, format_1.header)('scan', colors)}\n`);
     const aiEnabled = options.ai === true;
     let llmConfig = null;
     if (aiEnabled) {
-        const apiKey = process.env.OPENAI_API_KEY;
+        let apiKey = await (0, auth_1.loadOpenAiApiKey)();
         if (!apiKey) {
-            console.log('\n  Error: OPENAI_API_KEY environment variable is required for --ai mode.\n');
-            return 1;
+            const canPrompt = options.noPrompt !== true && process.stdout.isTTY === true && process.stdin.isTTY === true;
+            if (!canPrompt) {
+                console.log('  Error: OPENAI_API_KEY environment variable is required for --ai mode.\n');
+                return 1;
+            }
+            console.log('  No OpenAI API key found.\n');
+            console.log(`  ${colors.olive}Get one at https://platform.openai.com/api-keys${colors.reset}`);
+            console.log();
+            apiKey = await (0, auth_1.promptAndSaveOpenAiApiKey)();
+            if (!apiKey) {
+                console.log('\n  Error: API key is required for --ai mode.\n');
+                return 1;
+            }
+            const authPath = (0, auth_1.getAuthPath)();
+            const home = (0, node_os_1.homedir)();
+            const displayAuthPath = authPath === home ? '~' : authPath.startsWith(home + '/') ? `~/${authPath.slice(home.length + 1)}` : authPath;
+            console.log();
+            console.log(`${colors.dim}  Key saved to ${displayAuthPath}${colors.reset}`);
+            console.log();
         }
         llmConfig = { provider: 'openai', apiKey, model: 'gpt-4.1-mini' };
     }
@@ -364,17 +382,6 @@ async function runScan(options = {}) {
     const detectors = (0, core_1.createDetectors)({ policy, preferredDetectors: ['rules'] });
     const quarantineDir = process.env.SAPPERAI_QUARANTINE_DIR;
     const quarantineManager = quarantineDir ? new core_1.QuarantineManager({ quarantineDir }) : new core_1.QuarantineManager();
-    const isTTY = process.stdout.isTTY === true;
-    const color = isTTY;
-    const scopeLabel = options.scopeLabel ??
-        (options.system
-            ? 'AI system scan'
-            : deep
-                ? 'Current + subdirectories'
-                : 'Current directory only');
-    console.log('\n  SapperAI Security Scanner\n');
-    console.log(`  Scope: ${scopeLabel}`);
-    console.log();
     const fileSet = new Set();
     for (const target of targets) {
         const files = await collectFiles(target, deep);
@@ -383,70 +390,44 @@ async function runScan(options = {}) {
         }
     }
     const files = Array.from(fileSet).sort();
-    console.log(`  Collecting files...  ${files.length} files found`);
+    const eligibleFiles = files.filter((f) => (0, core_1.isConfigLikeFile)(f));
+    const eligibleByName = eligibleFiles.length;
+    const skippedNotEligible = Math.max(0, files.length - eligibleByName);
+    console.log(`${colors.dim}  Scanning ${eligibleByName} files...${colors.reset}`);
     console.log();
-    if (aiEnabled) {
-        console.log('  Phase 1/2: Rules scan');
-        console.log();
-    }
     const scannedFindings = [];
     let scannedFiles = 0;
-    const total = files.length;
-    const progressWidth = Math.max(10, Math.min(30, (process.stdout.columns ?? 80) - 30));
-    for (let i = 0; i < files.length; i += 1) {
-        const filePath = files[i];
-        if (isTTY && total > 0) {
-            const bar = renderProgressBar(i + 1, total, progressWidth);
-            const label = '  Scanning: ';
-            const maxPath = Math.max(10, (process.stdout.columns ?? 80) - stripAnsi(bar).length - label.length);
-            const scanning = `${label}${truncateToWidth(filePath, maxPath)}`;
-            if (i === 0) {
-                process.stdout.write(`${bar}\n${scanning}\n`);
-            }
-            else {
-                process.stdout.write(`\x1b[2A\x1b[2K\r${bar}\n\x1b[2K\r${scanning}\n`);
-            }
-        }
+    let skippedEmptyOrUnreadable = 0;
+    for (const filePath of eligibleFiles) {
         const result = await scanFile(filePath, policy, scanner, detectors, fix, quarantineManager);
+        if (result.skipReason === 'empty_or_unreadable') {
+            skippedEmptyOrUnreadable += 1;
+            continue;
+        }
         if (result.scanned && result.decision) {
             scannedFiles += 1;
-            scannedFindings.push({ filePath, decision: result.decision, quarantinedId: result.quarantinedId });
+            scannedFindings.push({
+                filePath,
+                decision: result.decision,
+                quarantinedId: result.quarantinedId,
+                source: aiEnabled ? 'rules' : undefined,
+            });
         }
     }
-    if (isTTY && total > 0) {
-        process.stdout.write('\x1b[2A\x1b[2K\r\x1b[1B\x1b[2K\r');
-    }
+    let aiTargetsCount = 0;
     if (aiEnabled && llmConfig) {
         const suspiciousFindings = scannedFindings.filter((f) => f.decision.risk >= 0.5);
         const maxAiFiles = 50;
         if (suspiciousFindings.length > 0) {
             const aiTargets = suspiciousFindings.slice(0, maxAiFiles);
-            if (suspiciousFindings.length > maxAiFiles) {
-                console.log(`  Note: AI scan limited to ${maxAiFiles} files (${suspiciousFindings.length} suspicious)`);
-            }
-            console.log();
-            console.log(`  Phase 2/2: AI deep scan (${aiTargets.length} files)`);
-            console.log();
+            aiTargetsCount = aiTargets.length;
             const detectorsList = (policy.detectors ?? ['rules']).slice();
             if (!detectorsList.includes('llm')) {
                 detectorsList.push('llm');
             }
             const aiPolicy = { ...policy, llm: llmConfig, detectors: detectorsList };
             const aiDetectors = (0, core_1.createDetectors)({ policy: aiPolicy, preferredDetectors: ['rules', 'llm'] });
-            for (let i = 0; i < aiTargets.length; i += 1) {
-                const finding = aiTargets[i];
-                if (isTTY) {
-                    const bar = renderProgressBar(i + 1, aiTargets.length, progressWidth);
-                    const label = '  Analyzing: ';
-                    const maxPath = Math.max(10, (process.stdout.columns ?? 80) - stripAnsi(bar).length - label.length);
-                    const scanning = `${label}${truncateToWidth(finding.filePath, maxPath)}`;
-                    if (i === 0) {
-                        process.stdout.write(`${bar}\n${scanning}\n`);
-                    }
-                    else {
-                        process.stdout.write(`\x1b[2A\x1b[2K\r${bar}\n\x1b[2K\r${scanning}\n`);
-                    }
-                }
+            for (const finding of aiTargets) {
                 try {
                     const raw = await readFileIfPresent(finding.filePath);
                     if (!raw)
@@ -454,8 +435,15 @@ async function runScan(options = {}) {
                     const surface = (0, core_1.normalizeSurfaceText)(raw);
                     const targetType = (0, core_1.classifyTargetType)(finding.filePath);
                     const id = `${targetType}:${(0, core_1.buildEntryName)(finding.filePath)}`;
-                    const aiDecision = await scanner.scanTool(id, surface, aiPolicy, aiDetectors);
-                    const mergedReasons = uniq([...finding.decision.reasons, ...aiDecision.reasons]);
+                    const aiDecision = await scanner.scanTool(id, surface, aiPolicy, aiDetectors, {
+                        scanSource: 'file_surface',
+                        sourcePath: finding.filePath,
+                        sourceType: targetType,
+                    });
+                    const aiDominates = aiDecision.risk > finding.decision.risk;
+                    const mergedReasons = aiDominates
+                        ? uniq([...aiDecision.reasons, ...finding.decision.reasons])
+                        : uniq([...finding.decision.reasons, ...aiDecision.reasons]);
                     const existingEvidence = finding.decision.evidence;
                     const mergedEvidence = [...existingEvidence];
                     for (const ev of aiDecision.evidence) {
@@ -468,7 +456,8 @@ async function runScan(options = {}) {
                         reasons: mergedReasons,
                         evidence: mergedEvidence,
                     };
-                    if (aiDecision.risk > finding.decision.risk) {
+                    if (aiDominates) {
+                        finding.source = 'ai';
                         finding.decision = {
                             ...nextDecision,
                             action: aiDecision.action,
@@ -477,6 +466,7 @@ async function runScan(options = {}) {
                         };
                     }
                     else {
+                        finding.source = finding.source ?? 'rules';
                         finding.decision = nextDecision;
                     }
                     finding.aiAnalysis =
@@ -485,20 +475,26 @@ async function runScan(options = {}) {
                 catch {
                 }
             }
-            if (isTTY && aiTargets.length > 0) {
-                process.stdout.write('\x1b[2A\x1b[2K\r\x1b[1B\x1b[2K\r');
-            }
         }
     }
-    const skippedFiles = total - scannedFiles;
+    const scopeLabel = options.scopeLabel ??
+        (options.system
+            ? 'AI system scan'
+            : deep
+                ? 'Current + subdirectories'
+                : 'Current directory only');
+    const skippedFiles = skippedNotEligible + skippedEmptyOrUnreadable;
     const threats = scannedFindings.filter((f) => isThreat(f.decision, policy));
     const scanResult = await buildScanResult({
         scope: scopeLabel,
         target: targets.join(', '),
         ai: aiEnabled,
-        totalFiles: total,
+        totalFiles: files.length,
+        eligibleFiles: eligibleByName,
         scannedFiles,
         skippedFiles,
+        skippedNotEligible,
+        skippedEmptyOrUnreadable,
         threats: threats.length,
         findings: scannedFindings,
     });
@@ -512,8 +508,8 @@ async function runScan(options = {}) {
         const html = generateHtmlReport(scanResult);
         const htmlPath = (0, node_path_1.join)(scanDir, `${ts}.html`);
         await (0, promises_1.writeFile)(htmlPath, html, 'utf8');
-        console.log(`  Saved to ${jsonPath}`);
-        console.log(`  Report: ${htmlPath}`);
+        console.log(`${colors.dim}  Saved to ${jsonPath}${colors.reset}`);
+        console.log(`${colors.dim}  Report: ${htmlPath}${colors.reset}`);
         console.log();
         if (options.noOpen !== true) {
             try {
@@ -530,28 +526,33 @@ async function runScan(options = {}) {
             }
         }
     }
+    if (aiEnabled) {
+        const countWidth = Math.max(String(eligibleByName).length, String(aiTargetsCount).length);
+        const rulesName = `${colors.dim}rules${colors.reset}`;
+        const aiName = `${colors.olive}ai${colors.reset}`;
+        console.log(`  Phase 1  ${(0, format_1.padRightVisual)(rulesName, 5)}  ${(0, format_1.padLeft)(String(eligibleByName), countWidth)} files`);
+        console.log(`  Phase 2  ${(0, format_1.padRightVisual)(aiName, 5)}  ${(0, format_1.padLeft)(String(aiTargetsCount), countWidth)} files`);
+        console.log();
+    }
     if (threats.length === 0) {
-        const msg = `  ✓ All clear — ${scannedFiles} files scanned, 0 threats detected`;
-        console.log(color ? `${GREEN}${msg}${RESET}` : msg);
+        console.log(`  ${colors.olive}All clear — 0 threats in ${eligibleByName} files${colors.reset}`);
         console.log();
+        return 0;
+    }
+    console.log(renderFindingsTable(threats, {
+        cwd,
+        columns: process.stdout.columns ?? 80,
+        colors,
+        includeSource: aiEnabled,
+    }));
+    console.log();
+    console.log(`  ${threats.length} threats found in ${eligibleByName} files (${files.length} total)`);
+    console.log();
+    if (!fix) {
+        console.log('  Run npx sapper-ai scan --fix to quarantine.\n');
     }
     else {
-        const warn = `  ⚠ ${scannedFiles} files scanned, ${threats.length} threats detected`;
-        console.log(color ? `${RED}${warn}${RESET}` : warn);
-        console.log();
-        const tableLines = renderFindingsTable(threats, {
-            cwd,
-            columns: process.stdout.columns ?? 80,
-            color,
-        });
-        for (const line of tableLines) {
-            console.log(line);
-        }
         console.log();
-        if (!fix) {
-            console.log("  Run 'npx sapper-ai scan --fix' to quarantine blocked files.");
-            console.log();
-        }
     }
-    return threats.length > 0 ? 1 : 0;
+    return 1;
 }

package/dist/utils/env.d.ts

@@ -0,0 +1,3 @@
+export declare function parseBoolean(value: string | undefined, fallback: boolean): boolean;
+export declare function isCiEnv(env?: NodeJS.ProcessEnv): boolean;
+//# sourceMappingURL=env.d.ts.map

package/dist/utils/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/utils/env.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAQlF;AAED,wBAAgB,OAAO,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,OAAO,CAYrE"}

package/dist/utils/env.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseBoolean = parseBoolean;
+exports.isCiEnv = isCiEnv;
+function parseBoolean(value, fallback) {
+    if (value === undefined)
+        return fallback;
+    const normalized = value.trim().toLowerCase();
+    if (normalized === 'true' || normalized === '1' || normalized === 'yes')
+        return true;
+    if (normalized === 'false' || normalized === '0' || normalized === 'no')
+        return false;
+    return fallback;
+}
+function isCiEnv(env = process.env) {
+    // CI providers generally set CI=true; also treat GitHub Actions as CI even if CI is unset.
+    const ci = env.CI;
+    if (ci && ci.trim().length > 0 && ci !== '0' && ci.toLowerCase() !== 'false') {
+        return true;
+    }
+    if (env.GITHUB_ACTIONS && env.GITHUB_ACTIONS !== 'false') {
+        return true;
+    }
+    return false;
+}

package/dist/utils/format.d.ts

@@ -0,0 +1,22 @@
+export interface Colors {
+    olive: string;
+    dim: string;
+    bold: string;
+    red: string;
+    yellow: string;
+    reset: string;
+}
+export declare function createColors(options?: {
+    noColor?: boolean;
+    env?: NodeJS.ProcessEnv;
+    stdoutIsTTY?: boolean;
+}): Colors;
+export declare function header(command: string, colors: Colors): string;
+export declare function riskColor(risk: number, colors: Colors): string;
+export declare function stripAnsi(text: string): string;
+export declare function truncateToWidth(text: string, maxWidth: number): string;
+export declare function padRight(text: string, width: number): string;
+export declare function padRightVisual(text: string, width: number): string;
+export declare function padLeft(text: string, width: number): string;
+export declare function table(headers: string[], rows: string[][], colors: Colors): string;
+//# sourceMappingURL=format.d.ts.map