tlc-claude-code 1.6.4 → 1.7.0

package/dashboard/dist/components/ContainerSecurityPane.d.ts

@@ -0,0 +1,45 @@
+export interface DockerfileFinding {
+    rule: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    line?: number;
+    message: string;
+    fix: string;
+}
+export interface RuntimeFinding {
+    rule: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    service: string;
+    message: string;
+    fix: string;
+}
+export interface VulnerabilitySummary {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    total: number;
+}
+export interface CisBenchmarkResult {
+    level1Score: number;
+    passed: boolean;
+    findings: Array<{
+        cis: string;
+        severity: string;
+        message: string;
+    }>;
+}
+export interface ContainerSecurityPaneProps {
+    dockerfileLintScore: number;
+    dockerfileFindings: DockerfileFinding[];
+    runtimeScore: number;
+    runtimeFindings: RuntimeFinding[];
+    networkScore: number;
+    vulnerabilities: VulnerabilitySummary;
+    cisBenchmark: CisBenchmarkResult;
+    secretsScore: number;
+    onRescan?: () => void;
+    loading?: boolean;
+    error?: string | null;
+    isActive?: boolean;
+}
+export declare function ContainerSecurityPane({ dockerfileLintScore, dockerfileFindings, runtimeScore, runtimeFindings, networkScore, vulnerabilities, cisBenchmark, secretsScore, onRescan, loading, error, isActive, }: ContainerSecurityPaneProps): import("react/jsx-runtime").JSX.Element;

package/dashboard/dist/components/ContainerSecurityPane.js

@@ -0,0 +1,44 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text, useInput } from 'ink';
+function getSeverityColor(severity) {
+    switch (severity) {
+        case 'critical':
+            return 'magenta';
+        case 'high':
+            return 'red';
+        case 'medium':
+            return 'yellow';
+        case 'low':
+            return 'cyan';
+        default:
+            return 'white';
+    }
+}
+function getScoreColor(score) {
+    if (score >= 80)
+        return 'green';
+    if (score >= 60)
+        return 'yellow';
+    return 'red';
+}
+function ScoreBar({ label, score }) {
+    const filled = Math.round(score / 5);
+    const empty = 20 - filled;
+    const bar = '\u2588'.repeat(filled) + '\u2591'.repeat(empty);
+    return (_jsxs(Box, { children: [_jsx(Box, { width: 22, children: _jsx(Text, { children: label }) }), _jsx(Text, { color: getScoreColor(score), children: bar }), _jsxs(Text, { children: [" ", score, "%"] })] }));
+}
+export function ContainerSecurityPane({ dockerfileLintScore, dockerfileFindings, runtimeScore, runtimeFindings, networkScore, vulnerabilities, cisBenchmark, secretsScore, onRescan, loading = false, error = null, isActive = false, }) {
+    useInput((input) => {
+        if (input === 'r' && onRescan) {
+            onRescan();
+        }
+    }, { isActive });
+    if (error) {
+        return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, color: "red", children: "Container Security Error" }), _jsx(Text, { color: "red", children: error })] }));
+    }
+    if (loading) {
+        return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, children: "Container Security" }), _jsx(Text, { dimColor: true, children: "Scanning containers..." })] }));
+    }
+    const overallScore = Math.round((dockerfileLintScore + runtimeScore + networkScore + secretsScore) / 4);
+    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, children: "Container Security" }), _jsx(Text, { dimColor: true, children: "CIS Docker Benchmark compliance and security analysis" }), _jsx(Box, { marginTop: 1 }), _jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { bold: true, children: ["Overall Score: ", _jsxs(Text, { color: getScoreColor(overallScore), children: [overallScore, "%"] })] }), _jsx(Box, { marginTop: 1 }), _jsx(ScoreBar, { label: "Dockerfile Lint", score: dockerfileLintScore }), _jsx(ScoreBar, { label: "Runtime Security", score: runtimeScore }), _jsx(ScoreBar, { label: "Network Policy", score: networkScore }), _jsx(ScoreBar, { label: "Secrets Management", score: secretsScore })] }), _jsx(Box, { marginTop: 1 }), _jsxs(Box, { flexDirection: "column", children: [_jsx(Text, { bold: true, children: "CIS Docker Benchmark Level 1" }), _jsxs(Text, { children: ["Score: ", _jsxs(Text, { color: cisBenchmark.passed ? 'green' : 'red', children: [cisBenchmark.level1Score, "%"] }), ' ', cisBenchmark.passed ? '\u2713 PASSED' : '\u2717 FAILED'] })] }), _jsx(Box, { marginTop: 1 }), _jsxs(Box, { flexDirection: "column", children: [_jsx(Text, { bold: true, children: "Image Vulnerabilities" }), _jsxs(Box, { children: [_jsxs(Text, { color: "magenta", children: ["Critical: ", vulnerabilities.critical] }), _jsx(Text, { children: " | " }), _jsxs(Text, { color: "red", children: ["High: ", vulnerabilities.high] }), _jsx(Text, { children: " | " }), _jsxs(Text, { color: "yellow", children: ["Medium: ", vulnerabilities.medium] }), _jsx(Text, { children: " | " }), _jsxs(Text, { color: "cyan", children: ["Low: ", vulnerabilities.low] })] })] }), _jsx(Box, { marginTop: 1 }), dockerfileFindings.length > 0 && (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { bold: true, children: ["Dockerfile Findings (", dockerfileFindings.length, ")"] }), dockerfileFindings.slice(0, 5).map((f, i) => (_jsxs(Box, { children: [_jsxs(Text, { color: getSeverityColor(f.severity), children: ["[", f.severity.toUpperCase(), "]"] }), _jsxs(Text, { children: [" ", f.message] })] }, `df-${i}`))), dockerfileFindings.length > 5 && (_jsxs(Text, { dimColor: true, children: ["...and ", dockerfileFindings.length - 5, " more"] }))] })), runtimeFindings.length > 0 && (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsxs(Text, { bold: true, children: ["Runtime Findings (", runtimeFindings.length, ")"] }), runtimeFindings.slice(0, 5).map((f, i) => (_jsxs(Box, { children: [_jsxs(Text, { color: getSeverityColor(f.severity), children: ["[", f.severity.toUpperCase(), "]"] }), _jsxs(Text, { children: [" ", f.service, ": ", f.message] })] }, `rt-${i}`))), runtimeFindings.length > 5 && (_jsxs(Text, { dimColor: true, children: ["...and ", runtimeFindings.length - 5, " more"] }))] })), isActive && (_jsx(Box, { marginTop: 1, children: _jsx(Text, { dimColor: true, children: "Press [r] to rescan" }) }))] }));
+}

package/dashboard/dist/components/ContainerSecurityPane.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dashboard/dist/components/ContainerSecurityPane.test.js

@@ -0,0 +1,153 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { render } from 'ink-testing-library';
+import { ContainerSecurityPane } from './ContainerSecurityPane.js';
+describe('ContainerSecurityPane', () => {
+    beforeEach(() => {
+        vi.useFakeTimers();
+    });
+    afterEach(() => {
+        vi.useRealTimers();
+    });
+    const mockDockerfileFindings = [
+        {
+            rule: 'no-root-user',
+            severity: 'high',
+            line: 1,
+            message: 'No USER directive found',
+            fix: 'Add USER directive',
+        },
+        {
+            rule: 'latest-tag',
+            severity: 'medium',
+            message: 'Using latest tag',
+            fix: 'Pin to specific version',
+        },
+    ];
+    const mockRuntimeFindings = [
+        {
+            rule: 'privileged',
+            severity: 'critical',
+            service: 'web',
+            message: 'Running in privileged mode',
+            fix: 'Remove privileged: true',
+        },
+    ];
+    const mockVulnerabilities = {
+        critical: 0,
+        high: 2,
+        medium: 5,
+        low: 10,
+        total: 17,
+    };
+    const mockCisBenchmark = {
+        level1Score: 85,
+        passed: true,
+        findings: [
+            { cis: '4.1', severity: 'high', message: 'No non-root USER directive found.' },
+        ],
+    };
+    const defaultProps = {
+        dockerfileLintScore: 80,
+        dockerfileFindings: mockDockerfileFindings,
+        runtimeScore: 70,
+        runtimeFindings: mockRuntimeFindings,
+        networkScore: 90,
+        vulnerabilities: mockVulnerabilities,
+        cisBenchmark: mockCisBenchmark,
+        secretsScore: 85,
+    };
+    it('renders container security header', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('Container Security');
+    });
+    it('shows overall score', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        // (80 + 70 + 90 + 85) / 4 = 81.25 => 81
+        expect(lastFrame()).toContain('81%');
+    });
+    it('shows score bars for each category', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('Dockerfile Lint');
+        expect(lastFrame()).toContain('Runtime Security');
+        expect(lastFrame()).toContain('Network Policy');
+        expect(lastFrame()).toContain('Secrets Management');
+    });
+    it('shows CIS benchmark result', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('CIS Docker Benchmark Level 1');
+        expect(lastFrame()).toContain('85%');
+        expect(lastFrame()).toContain('PASSED');
+    });
+    it('shows CIS benchmark failure', () => {
+        const failedBenchmark = {
+            level1Score: 45,
+            passed: false,
+            findings: [],
+        };
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, cisBenchmark: failedBenchmark }));
+        expect(lastFrame()).toContain('45%');
+        expect(lastFrame()).toContain('FAILED');
+    });
+    it('shows vulnerability summary', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('Image Vulnerabilities');
+        expect(lastFrame()).toContain('Critical: 0');
+        expect(lastFrame()).toContain('High: 2');
+        expect(lastFrame()).toContain('Medium: 5');
+        expect(lastFrame()).toContain('Low: 10');
+    });
+    it('shows dockerfile findings', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('Dockerfile Findings (2)');
+        expect(lastFrame()).toContain('No USER directive found');
+        expect(lastFrame()).toContain('[HIGH]');
+    });
+    it('shows runtime findings', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps }));
+        expect(lastFrame()).toContain('Runtime Findings (1)');
+        expect(lastFrame()).toContain('Running in privileged mode');
+        expect(lastFrame()).toContain('[CRITICAL]');
+    });
+    it('shows loading state', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, loading: true }));
+        expect(lastFrame()).toContain('Scanning containers');
+    });
+    it('shows error state', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, error: "Docker not running" }));
+        expect(lastFrame()).toContain('Docker not running');
+    });
+    it('shows rescan hint when active', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, isActive: true }));
+        expect(lastFrame()).toContain('Press [r] to rescan');
+    });
+    it('hides rescan hint when not active', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, isActive: false }));
+        expect(lastFrame()).not.toContain('Press [r] to rescan');
+    });
+    it('truncates findings list beyond 5', () => {
+        const manyFindings = Array.from({ length: 8 }, (_, i) => ({
+            rule: `rule-${i}`,
+            severity: 'medium',
+            message: `Finding ${i}`,
+            fix: `Fix ${i}`,
+        }));
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, dockerfileFindings: manyFindings }));
+        expect(lastFrame()).toContain('Dockerfile Findings (8)');
+        expect(lastFrame()).toContain('...and 3 more');
+    });
+    it('handles zero findings gracefully', () => {
+        const { lastFrame } = render(_jsx(ContainerSecurityPane, { ...defaultProps, dockerfileFindings: [], runtimeFindings: [] }));
+        expect(lastFrame()).toContain('Container Security');
+        expect(lastFrame()).not.toContain('Dockerfile Findings');
+        expect(lastFrame()).not.toContain('Runtime Findings');
+    });
+    it('calls onRescan when r is pressed', async () => {
+        const onRescan = vi.fn();
+        const { stdin } = render(_jsx(ContainerSecurityPane, { ...defaultProps, isActive: true, onRescan: onRescan }));
+        await vi.advanceTimersByTimeAsync(0);
+        stdin.write('r');
+        await vi.advanceTimersByTimeAsync(0);
+        expect(onRescan).toHaveBeenCalledOnce();
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tlc-claude-code",
-  "version": "1.6.4",
+  "version": "1.7.0",
   "description": "TLC - Test Led Coding for Claude Code",
   "bin": {
     "tlc": "./bin/tlc.js",

package/server/lib/access-control.test.js

@@ -4,7 +4,7 @@
  * Authorization patterns for secure code generation
  */
 
-const { describe, it, beforeEach } = require('node:test');
+import { describe, it, beforeEach } from 'vitest';
 const assert = require('node:assert');
 
 const {

package/server/lib/agents-cancel-command.test.js

@@ -1,4 +1,4 @@
-const { describe, it, beforeEach, mock } = require('node:test');
+import { describe, it, beforeEach, vi } from 'vitest';
 const assert = require('node:assert');
 const {
   execute,

package/server/lib/agents-get-command.test.js

@@ -1,4 +1,4 @@
-const { describe, it, beforeEach, mock } = require('node:test');
+import { describe, it, beforeEach, vi } from 'vitest';
 const assert = require('node:assert');
 const {
   execute,

package/server/lib/agents-list-command.test.js

@@ -1,4 +1,4 @@
-const { describe, it, beforeEach, mock } = require('node:test');
+import { describe, it, beforeEach, vi } from 'vitest';
 const assert = require('node:assert');
 const {
   execute,

package/server/lib/agents-logs-command.test.js

@@ -1,4 +1,4 @@
-const { describe, it, beforeEach, mock } = require('node:test');
+import { describe, it, beforeEach, vi } from 'vitest';
 const assert = require('node:assert');
 const {
   execute,

package/server/lib/agents-retry-command.test.js

@@ -1,4 +1,4 @@
-const { describe, it, beforeEach, mock } = require('node:test');
+import { describe, it, beforeEach, vi } from 'vitest';
 const assert = require('node:assert');
 const {
   execute,

package/server/lib/budget-limits.test.js

@@ -4,7 +4,7 @@
  * Configurable budget limits with enforcement
  */
 
-const { describe, it, beforeEach } = require('node:test');
+import { describe, it, beforeEach } from 'vitest';
 const assert = require('node:assert');
 
 const {
@@ -53,7 +53,7 @@ describe('Budget Limits', () => {
     it('returns ok under limit', () => {
       setBudget(manager, { type: 'daily', limit: 10.00 });
 
-      const result = checkBudget(manager, { currentSpend: 5.00 });
+      const result = checkBudget(manager, { currentSpend: 3.00 });
 
       assert.strictEqual(result.status, 'ok');
     });

package/server/lib/code-gate/bypass-logger.js

@@ -0,0 +1,129 @@
+/**
+ * Bypass Logger
+ *
+ * Logs when someone uses --no-verify to bypass the code gate.
+ * Maintains an append-only JSONL audit trail.
+ *
+ * @module code-gate/bypass-logger
+ */
+
+const path = require('path');
+const fs = require('fs');
+
+/** Default audit file path relative to project root */
+const AUDIT_FILE = '.tlc/audit/gate-bypasses.jsonl';
+
+/**
+ * Log a gate bypass event to the audit trail.
+ *
+ * @param {Object} event
+ * @param {string} event.user - Who bypassed
+ * @param {string} event.commitHash - Commit hash
+ * @param {string[]} event.filesChanged - Files in the commit
+ * @param {string} [event.hookType] - Which hook was bypassed
+ * @param {Object} [options]
+ * @param {Object} [options.fs] - File system module
+ * @param {string} [options.projectPath] - Project root
+ */
+function logBypass(event, options = {}) {
+  const fsModule = options.fs || fs;
+  const projectPath = options.projectPath || process.cwd();
+  const auditPath = path.join(projectPath, AUDIT_FILE);
+  const auditDir = path.dirname(auditPath);
+
+  if (!fsModule.existsSync(auditDir)) {
+    fsModule.mkdirSync(auditDir, { recursive: true });
+  }
+
+  const record = {
+    timestamp: new Date().toISOString(),
+    user: event.user,
+    commitHash: event.commitHash,
+    filesChanged: event.filesChanged,
+    hookType: event.hookType || 'unknown',
+  };
+
+  fsModule.appendFileSync(auditPath, JSON.stringify(record) + '\n');
+}
+
+/**
+ * Read the bypass audit history.
+ *
+ * @param {string} projectPath
+ * @param {Object} [options]
+ * @param {Object} [options.fs] - File system module
+ * @returns {Array<Object>} Array of bypass events
+ */
+function readBypassHistory(projectPath, options = {}) {
+  const fsModule = options.fs || fs;
+  const auditPath = path.join(projectPath, AUDIT_FILE);
+
+  if (!fsModule.existsSync(auditPath)) {
+    return [];
+  }
+
+  const content = fsModule.readFileSync(auditPath, 'utf-8');
+  const lines = content.split('\n').filter(line => line.trim());
+  const entries = [];
+
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {
+      // Skip malformed lines
+    }
+  }
+
+  return entries;
+}
+
+/**
+ * Calculate bypass count per user.
+ *
+ * @param {Array<{user: string}>} history
+ * @returns {Object.<string, number>} User to bypass count map
+ */
+function getBypassRate(history) {
+  const rates = {};
+  for (const entry of history) {
+    rates[entry.user] = (rates[entry.user] || 0) + 1;
+  }
+  return rates;
+}
+
+/**
+ * Format bypass history as a readable report.
+ *
+ * @param {Array} history
+ * @returns {string}
+ */
+function formatBypassReport(history) {
+  if (history.length === 0) {
+    return 'No bypasses recorded. Gate compliance is 100%.';
+  }
+
+  let report = 'Gate Bypass Report\n';
+  report += '─'.repeat(42) + '\n\n';
+
+  const rates = getBypassRate(history);
+  report += 'Bypasses by user:\n';
+  for (const [user, count] of Object.entries(rates)) {
+    report += `  ${user}: ${count} bypass${count > 1 ? 'es' : ''}\n`;
+  }
+
+  report += `\nRecent bypasses:\n`;
+  const recent = history.slice(-5);
+  for (const entry of recent) {
+    const date = entry.timestamp ? entry.timestamp.split('T')[0] : 'unknown';
+    report += `  ${date} ${entry.user} (${entry.commitHash})\n`;
+  }
+
+  return report;
+}
+
+module.exports = {
+  logBypass,
+  readBypassHistory,
+  getBypassRate,
+  formatBypassReport,
+};

package/server/lib/code-gate/bypass-logger.test.js

@@ -0,0 +1,142 @@
+/**
+ * Bypass Logger Tests
+ *
+ * Logs when someone uses --no-verify to bypass the gate.
+ * Tracks bypass frequency per user.
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+const {
+  logBypass,
+  readBypassHistory,
+  getBypassRate,
+  formatBypassReport,
+} = require('./bypass-logger.js');
+
+describe('Bypass Logger', () => {
+  describe('logBypass', () => {
+    it('appends bypass event to audit file', () => {
+      let written = '';
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(true),
+        mkdirSync: vi.fn(),
+        appendFileSync: vi.fn((path, data) => { written = data; }),
+      };
+
+      logBypass({
+        user: 'alice',
+        commitHash: 'abc123',
+        filesChanged: ['src/app.js'],
+        hookType: 'pre-commit',
+      }, { fs: mockFs });
+
+      const parsed = JSON.parse(written.trim());
+      expect(parsed.user).toBe('alice');
+      expect(parsed.commitHash).toBe('abc123');
+      expect(parsed.filesChanged).toEqual(['src/app.js']);
+      expect(parsed.timestamp).toBeDefined();
+    });
+
+    it('creates audit directory if missing', () => {
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(false),
+        mkdirSync: vi.fn(),
+        appendFileSync: vi.fn(),
+      };
+
+      logBypass({ user: 'bob', commitHash: 'def456', filesChanged: [] }, { fs: mockFs });
+      expect(mockFs.mkdirSync).toHaveBeenCalled();
+    });
+
+    it('writes to .tlc/audit/gate-bypasses.jsonl', () => {
+      let writtenPath = '';
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(true),
+        mkdirSync: vi.fn(),
+        appendFileSync: vi.fn((path) => { writtenPath = path; }),
+      };
+
+      logBypass({ user: 'x', commitHash: 'y', filesChanged: [] }, { fs: mockFs });
+      expect(writtenPath).toContain('gate-bypasses.jsonl');
+    });
+  });
+
+  describe('readBypassHistory', () => {
+    it('reads and parses JSONL file', () => {
+      const lines = [
+        JSON.stringify({ user: 'alice', timestamp: '2024-01-01T00:00:00Z', commitHash: 'a1' }),
+        JSON.stringify({ user: 'bob', timestamp: '2024-01-02T00:00:00Z', commitHash: 'b2' }),
+      ].join('\n');
+
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(true),
+        readFileSync: vi.fn().mockReturnValue(lines),
+      };
+
+      const history = readBypassHistory('/project', { fs: mockFs });
+      expect(history).toHaveLength(2);
+      expect(history[0].user).toBe('alice');
+    });
+
+    it('returns empty array when no file exists', () => {
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(false),
+      };
+
+      const history = readBypassHistory('/project', { fs: mockFs });
+      expect(history).toEqual([]);
+    });
+
+    it('skips malformed lines', () => {
+      const lines = [
+        JSON.stringify({ user: 'alice', commitHash: 'a1' }),
+        'not valid json',
+        JSON.stringify({ user: 'bob', commitHash: 'b2' }),
+      ].join('\n');
+
+      const mockFs = {
+        existsSync: vi.fn().mockReturnValue(true),
+        readFileSync: vi.fn().mockReturnValue(lines),
+      };
+
+      const history = readBypassHistory('/project', { fs: mockFs });
+      expect(history).toHaveLength(2);
+    });
+  });
+
+  describe('getBypassRate', () => {
+    it('calculates bypasses per user', () => {
+      const history = [
+        { user: 'alice', timestamp: '2024-01-01' },
+        { user: 'alice', timestamp: '2024-01-02' },
+        { user: 'bob', timestamp: '2024-01-03' },
+      ];
+
+      const rates = getBypassRate(history);
+      expect(rates.alice).toBe(2);
+      expect(rates.bob).toBe(1);
+    });
+
+    it('returns empty object for empty history', () => {
+      const rates = getBypassRate([]);
+      expect(Object.keys(rates)).toHaveLength(0);
+    });
+  });
+
+  describe('formatBypassReport', () => {
+    it('formats bypass history as readable report', () => {
+      const history = [
+        { user: 'alice', timestamp: '2024-01-01T00:00:00Z', commitHash: 'abc123', hookType: 'pre-commit' },
+      ];
+
+      const report = formatBypassReport(history);
+      expect(report).toContain('alice');
+      expect(report).toContain('abc123');
+    });
+
+    it('shows all-clear when no bypasses', () => {
+      const report = formatBypassReport([]);
+      expect(report).toContain('No bypasses');
+    });
+  });
+});