verification-layer 0.24.4 → 0.25.0

package/dist/reporters/auditor-report.d.ts

@@ -1,9 +1,10 @@
-import type { ScanResult } from '../types.js';
+import type { ScanResult, ResolvedBranding } from '../types.js';
 interface AuditorReportOptions {
     organizationName?: string;
     reportPeriod?: string;
     auditorName?: string;
     includeBaseline?: boolean;
+    branding?: ResolvedBranding;
 }
 /**
  * Generate auditor-ready HTML report with compliance score and SHA256 hash

package/dist/reporters/auditor-report.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auditor-report.d.ts","sourceRoot":"","sources":["../../src/reporters/auditor-report.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAG9C,UAAU,oBAAoB;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,oBAAyB,GACjC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CA6YhC"}
+{"version":3,"file":"auditor-report.d.ts","sourceRoot":"","sources":["../../src/reporters/auditor-report.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAWhE,UAAU,oBAAoB;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,EAAE,gBAAgB,CAAC;CAC7B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,oBAAyB,GACjC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAwkBhC"}

package/dist/reporters/auditor-report.js

@@ -1,14 +1,30 @@
 import { createHash } from 'crypto';
 import { generateComplianceScoreGauge, generateExecutiveSummary, generateEnhancedCSS } from './enhanced-html.js';
+import { brandFooterText, brandPreparedBy, logoDataUri } from './branding.js';
+import { groupFindingsByLocation, countGroupsBySeverity, formatHipaaRef, partitionFindingsByStatus, sortProposedFindings, } from './finding-presentation.js';
 /**
  * Generate auditor-ready HTML report with compliance score and SHA256 hash
  */
 export function generateAuditorReport(result, targetPath, options = {}) {
-    const { organizationName = 'Organization', reportPeriod = new Date().toLocaleDateString('en-US', { year: 'numeric', month: 'long' }), auditorName = 'VLayer Automated Scan', includeBaseline = false, } = options;
+    const { organizationName = 'Organization', reportPeriod = new Date().toLocaleDateString('en-US', { year: 'numeric', month: 'long' }), auditorName = 'VLayer Automated Scan', includeBaseline = false, branding, } = options;
+    // White-label branding. When a brand is supplied the cover shows the brand
+    // logo + "Prepared by {brand}", and a footer line repeats on every printed
+    // page. With no branding the report renders exactly as before (default VLayer).
+    const brandLogo = logoDataUri(branding);
+    const hasBrand = Boolean(branding?.name || brandLogo);
+    const preparedBy = brandPreparedBy(branding);
+    const footerLine = brandFooterText(branding);
     const timestamp = new Date().toISOString();
     const score = result.complianceScore;
     // Calculate findings
     const activeFindings = result.findings.filter(f => !f.isBaseline && !f.suppressed);
+    // Presentation-only: separate proposed (NPRM) findings from current ones, then
+    // collapse multiple rules on the same file:line into one grouped entry. The
+    // findings themselves are untouched (count is preserved).
+    const { current: currentFindings, proposed: proposedRaw } = partitionFindingsByStatus(activeFindings);
+    const proposedFindings = sortProposedFindings(proposedRaw);
+    const locationGroups = groupFindingsByLocation(currentFindings);
+    const groupCounts = countGroupsBySeverity(locationGroups);
     const acknowledgedFindings = result.findings.filter(f => f.acknowledged && !f.acknowledgment?.expired);
     const suppressedFindings = result.findings.filter(f => f.suppressed);
     const baselineFindings = result.findings.filter(f => f.isBaseline);
@@ -50,6 +66,20 @@ export function generateAuditorReport(result, targetPath, options = {}) {
       font-weight: bold;
     }
 
+    .brand-logo {
+      max-height: 80px;
+      max-width: 240px;
+      margin: 0 auto 1rem;
+      display: block;
+      object-fit: contain;
+    }
+
+    .report-header .prepared-by {
+      opacity: 0.95;
+      font-size: 0.95rem;
+      margin-top: 0.5rem;
+    }
+
     .report-header h1 {
       font-size: 2rem;
       margin-bottom: 0.5rem;
@@ -151,6 +181,83 @@ export function generateAuditorReport(result, targetPath, options = {}) {
     .severity-high { background: #ea580c; }
     .severity-medium { background: #ca8a04; }
     .severity-low { background: #2563eb; }
+    .severity-info { background: #6b7280; }
+    /* Proposed (NPRM) — deliberately neutral: not a current violation. */
+    .severity-proposed { background: #64748b; }
+
+    .upcoming-subtitle {
+      font-size: 0.85rem;
+      font-weight: 500;
+      color: #64748b;
+    }
+
+    .upcoming-note {
+      background: #f1f5f9;
+      border-left: 3px solid #64748b;
+      padding: 0.75rem 1rem;
+      margin: 0.5rem 0 1rem;
+      font-size: 0.9rem;
+      color: #475569;
+    }
+
+    .upcoming-inline {
+      color: #475569;
+      font-weight: 600;
+    }
+
+    /* Consolidated multi-rule location entries */
+    .findings-count-note {
+      color: #4b5563;
+      font-size: 0.95rem;
+      margin: 0.25rem 0 0.75rem;
+    }
+
+    .finding-group td { vertical-align: top; }
+
+    .group-location {
+      font-weight: 600;
+      color: #374151;
+      margin-bottom: 0.5rem;
+    }
+
+    .group-location-path {
+      font-family: 'SF Mono', Monaco, 'Courier New', monospace;
+      font-size: 0.9rem;
+    }
+
+    .group-controls {
+      list-style: none;
+      margin: 0;
+      padding: 0;
+    }
+
+    .group-control {
+      display: grid;
+      grid-template-columns: 90px 1fr auto;
+      gap: 0.75rem;
+      align-items: baseline;
+      padding: 0.35rem 0;
+      border-top: 1px solid #f3f4f6;
+    }
+
+    .group-control:first-child { border-top: none; }
+    .group-control-sev { justify-self: start; }
+    .group-control-title { color: #1f2937; }
+
+    .group-control-ref {
+      color: #6b7280;
+      font-size: 0.85rem;
+      text-align: right;
+      white-space: normal;
+    }
+
+    @media (max-width: 640px) {
+      .group-control {
+        grid-template-columns: 1fr;
+        gap: 0.15rem;
+      }
+      .group-control-ref { text-align: left; }
+    }
 
     .evidence-box {
       background: #f9fafb;
@@ -176,6 +283,23 @@ export function generateAuditorReport(result, targetPath, options = {}) {
       color: #6b7280;
     }
 
+    /* Per-page footer: only visible when printing / exporting to PDF. */
+    .brand-page-footer { display: none; }
+    @media print {
+      .brand-page-footer {
+        display: block;
+        position: fixed;
+        bottom: 0;
+        left: 0;
+        right: 0;
+        text-align: center;
+        font-size: 0.7rem;
+        color: #6b7280;
+        padding: 0.4rem 0;
+      }
+      @page { margin-bottom: 2.2cm; }
+    }
+
     .report-hash {
       font-family: 'SF Mono', Monaco, 'Courier New', monospace;
       font-size: 0.75rem;
@@ -223,9 +347,12 @@ export function generateAuditorReport(result, targetPath, options = {}) {
 <body>
   <div class="container">
     <div class="report-header">
-      <div class="logo-placeholder">VL</div>
+      ${brandLogo
+        ? `<img src="${brandLogo}" alt="${escapeHtml(preparedBy)} logo" class="brand-logo">`
+        : '<div class="logo-placeholder">VL</div>'}
       <h1>HIPAA Compliance Audit Report</h1>
-      <div class="subtitle">${organizationName} - ${reportPeriod}</div>
+      <div class="subtitle">${escapeHtml(organizationName)} - ${escapeHtml(reportPeriod)}</div>
+      ${hasBrand ? `<div class="prepared-by">Prepared by ${escapeHtml(preparedBy)}</div>` : ''}
     </div>
 
     <div class="report-meta">
@@ -255,13 +382,21 @@ export function generateAuditorReport(result, targetPath, options = {}) {
       ${generateComplianceScoreGauge(score)}
 
       <h2>📋 Findings Summary</h2>
+      <p class="findings-count-note">
+        <strong>${currentFindings.length} current findings</strong> across
+        <strong>${locationGroups.length} entries</strong>
+        — grouped by file, line &amp; control family. Filters count entries.
+        ${proposedFindings.length > 0
+        ? `<br><span class="upcoming-inline">+ ${proposedFindings.length} upcoming requirement${proposedFindings.length === 1 ? '' : 's'} (NPRM — proposed rule)</span> — listed separately below.`
+        : ''}
+      </p>
       <div class="filters">
         <div class="filter-buttons">
-          <button class="filter-btn active" onclick="filterFindings('all')">All (${activeFindings.length})</button>
-          <button class="filter-btn" onclick="filterFindings('critical')">Critical (${activeFindings.filter(f => f.severity === 'critical').length})</button>
-          <button class="filter-btn" onclick="filterFindings('high')">High (${activeFindings.filter(f => f.severity === 'high').length})</button>
-          <button class="filter-btn" onclick="filterFindings('medium')">Medium (${activeFindings.filter(f => f.severity === 'medium').length})</button>
-          <button class="filter-btn" onclick="filterFindings('low')">Low (${activeFindings.filter(f => f.severity === 'low').length})</button>
+          <button class="filter-btn active" onclick="filterFindings('all')">All (${locationGroups.length})</button>
+          <button class="filter-btn" onclick="filterFindings('critical')">Critical (${groupCounts.critical})</button>
+          <button class="filter-btn" onclick="filterFindings('high')">High (${groupCounts.high})</button>
+          <button class="filter-btn" onclick="filterFindings('medium')">Medium (${groupCounts.medium})</button>
+          <button class="filter-btn" onclick="filterFindings('low')">Low (${groupCounts.low})</button>
         </div>
       </div>
 
@@ -275,17 +410,66 @@ export function generateAuditorReport(result, targetPath, options = {}) {
           </tr>
         </thead>
         <tbody>
-          ${activeFindings.map(f => `
-            <tr class="finding-row" data-severity="${f.severity}">
-              <td><span class="severity-badge severity-${f.severity}">${f.severity}</span></td>
+          ${locationGroups.map(g => {
+        const fileLine = `${escapeHtml(g.file)}:${g.line ?? 'N/A'}`;
+        if (g.members.length === 1) {
+            const f = g.members[0];
+            return `
+            <tr class="finding-row" data-severity="${g.severity}">
+              <td><span class="severity-badge severity-${g.severity}">${g.severity}</span></td>
               <td>${escapeHtml(f.title)}</td>
-              <td style="font-family: monospace; font-size: 0.875rem;">${escapeHtml(f.file)}:${f.line || 'N/A'}</td>
-              <td>${f.hipaaReference || '-'}</td>
-            </tr>
-          `).join('')}
+              <td style="font-family: monospace; font-size: 0.875rem;">${fileLine}</td>
+              <td>${escapeHtml(formatHipaaRef(f.hipaaReference))}</td>
+            </tr>`;
+        }
+        const controls = g.members.map(f => `
+                <li class="group-control">
+                  <span class="severity-badge severity-${f.severity} group-control-sev">${f.severity}</span>
+                  <span class="group-control-title">${escapeHtml(f.title)}</span>
+                  <span class="group-control-ref">${escapeHtml(formatHipaaRef(f.hipaaReference))}</span>
+                </li>`).join('');
+        return `
+            <tr class="finding-row finding-group" data-severity="${g.severity}">
+              <td><span class="severity-badge severity-${g.severity}">${g.severity}</span></td>
+              <td colspan="3">
+                <div class="group-location"><span class="group-location-path">${fileLine}</span> · ${g.members.length} controls flagged at this location</div>
+                <ul class="group-controls">${controls}
+                </ul>
+              </td>
+            </tr>`;
+    }).join('')}
         </tbody>
       </table>
 
+      ${proposedFindings.length > 0 ? `
+        <h2>🕓 Upcoming Requirements <span class="upcoming-subtitle">(NPRM — proposed rule, not yet in effect)</span></h2>
+        <p class="upcoming-note">
+          These reference the proposed 2026 HIPAA Security Rule (NPRM). They are
+          <strong>not current obligations</strong> and are excluded from the severity counts above.
+          They will apply if and when the rule is finalized — treat them as forward-looking guidance.
+        </p>
+        <table class="findings-table">
+          <thead>
+            <tr>
+              <th>Status</th>
+              <th>Requirement</th>
+              <th>File</th>
+              <th>HIPAA Ref</th>
+            </tr>
+          </thead>
+          <tbody>
+            ${proposedFindings.map(f => `
+              <tr>
+                <td><span class="severity-badge severity-proposed">Proposed</span></td>
+                <td>${escapeHtml(f.title)}</td>
+                <td style="font-family: monospace; font-size: 0.875rem;">${escapeHtml(f.file)}:${f.line ?? 'N/A'}</td>
+                <td>${escapeHtml(formatHipaaRef(f.hipaaReference))}</td>
+              </tr>
+            `).join('')}
+          </tbody>
+        </table>
+      ` : ''}
+
       ${suppressedFindings.length > 0 ? `
         <h2>🔕 Suppression Audit Trail</h2>
         <p>The following findings have been suppressed with documented justifications:</p>
@@ -351,11 +535,14 @@ export function generateAuditorReport(result, targetPath, options = {}) {
     </div>
 
     <div class="report-footer">
-      <p><strong>VLayer HIPAA Compliance Scanner</strong></p>
+      ${hasBrand
+        ? `<p><strong>${escapeHtml(footerLine)}</strong></p>`
+        : '<p><strong>VLayer HIPAA Compliance Scanner</strong></p>'}
       <p>Automated compliance scanning for healthcare applications</p>
       <p style="margin-top: 1rem; font-size: 0.875rem;">Generated: ${new Date(timestamp).toLocaleString()}</p>
     </div>
   </div>
+  ${hasBrand ? `<div class="brand-page-footer">${escapeHtml(footerLine)}</div>` : ''}
 
   <script>
     function filterFindings(severity) {

package/dist/reporters/auditor-report.js.map

@@ -1 +1 @@
-{"version":3,"file":"auditor-report.js","sourceRoot":"","sources":["../../src/reporters/auditor-report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,OAAO,EAAE,4BAA4B,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AASjH;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAAkB,EAClB,UAAkB,EAClB,UAAgC,EAAE;IAElC,MAAM,EACJ,gBAAgB,GAAG,cAAc,EACjC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,kBAAkB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EACzF,WAAW,GAAG,uBAAuB,EACrC,eAAe,GAAG,KAAK,GACxB,GAAG,OAAO,CAAC;IAEZ,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,eAAgB,CAAC;IAEtC,qBAAqB;IACrB,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACnF,MAAM,oBAAoB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACvG,MAAM,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAEnE,MAAM,IAAI,GAAG;;;;;2CAK4B,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MA2FrD,mBAAmB,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BAqHG,gBAAgB,MAAM,YAAY;;;;;;;oCAO5B,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE;;;;oCAIpC,WAAW;;;;oCAIX,UAAU;;;;oCAIV,MAAM,CAAC,YAAY;;;;;;QAM/C,wBAAwB,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC;;QAEzE,4BAA4B,CAAC,KAAK,CAAC;;;;;mFAKwC,cAAc,CAAC,MAAM;sFAClB,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;8EACpE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;kFACpD,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;4EAChE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;;;;;;;;;;;;;;YAcvH,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;qDACiB,CAAC,CAAC,QAAQ;yDACN,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;oBAC9D,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;yEACkC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK;oBAC1F,CAAC,CAAC,cAAc,IAAI,GAAG;;WAEhC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;;QAIb,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;cAY1B,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;sBAEpB,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;sBACnB,CAAC,CAAC,WAAW,EAAE,MAAM,IAAI,oBAAoB;2EACQ,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK;;aAEnG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;OAGhB,CAAC,CAAC,CAAC,EAAE;;QAEJ,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;cAa5B,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;sBAEtB,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;sBACnB,CAAC,CAAC,cAAc,EAAE,MAAM,IAAI,oBAAoB;sBAChD,CAAC,CAAC,cAAc,EAAE,cAAc,IAAI,SAAS;sBAC7C,CAAC,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,KAAK;;aAElH,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;OAGhB,CAAC,CAAC,CAAC,EAAE;;QAEJ,eAAe,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;aAE5C,gBAAgB,CAAC,MAAM;OAC7B,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;qEAgByD,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAiCjG,CAAC;IAEP,wBAAwB;IACxB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAE7D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,GAAG,GAA8B;QACrC,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC;IACF,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/C,CAAC"}
+{"version":3,"file":"auditor-report.js","sourceRoot":"","sources":["../../src/reporters/auditor-report.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,OAAO,EAAE,4BAA4B,EAAE,wBAAwB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACjH,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC9E,OAAO,EACL,uBAAuB,EACvB,qBAAqB,EACrB,cAAc,EACd,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,2BAA2B,CAAC;AAUnC;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAAkB,EAClB,UAAkB,EAClB,UAAgC,EAAE;IAElC,MAAM,EACJ,gBAAgB,GAAG,cAAc,EACjC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,kBAAkB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,EACzF,WAAW,GAAG,uBAAuB,EACrC,eAAe,GAAG,KAAK,EACvB,QAAQ,GACT,GAAG,OAAO,CAAC;IAEZ,2EAA2E;IAC3E,2EAA2E;IAC3E,gFAAgF;IAChF,MAAM,SAAS,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,SAAS,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAE7C,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,MAAM,CAAC,eAAgB,CAAC;IAEtC,qBAAqB;IACrB,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACnF,+EAA+E;IAC/E,4EAA4E;IAC5E,0DAA0D;IAC1D,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,yBAAyB,CAAC,cAAc,CAAC,CAAC;IACtG,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,uBAAuB,CAAC,eAAe,CAAC,CAAC;IAChE,MAAM,WAAW,GAAG,qBAAqB,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,oBAAoB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACvG,MAAM,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACrE,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAEnE,MAAM,IAAI,GAAG;;;;;2CAK4B,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAyGrD,mBAAmB,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAiNnB,SAAS;QACT,CAAC,CAAC,aAAa,SAAS,UAAU,UAAU,CAAC,UAAU,CAAC,4BAA4B;QACpF,CAAC,CAAC,wCAAwC;;8BAEpB,UAAU,CAAC,gBAAgB,CAAC,MAAM,UAAU,CAAC,YAAY,CAAC;QAChF,QAAQ,CAAC,CAAC,CAAC,wCAAwC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;;;;;;;oCAO1D,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE;;;;oCAIpC,WAAW;;;;oCAIX,UAAU;;;;oCAIV,MAAM,CAAC,YAAY;;;;;;QAM/C,wBAAwB,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC;;QAEzE,4BAA4B,CAAC,KAAK,CAAC;;;;kBAIzB,eAAe,CAAC,MAAM;kBACtB,cAAc,CAAC,MAAM;;UAE7B,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,CAAC,uCAAuC,gBAAgB,CAAC,MAAM,wBAAwB,gBAAgB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,2DAA2D;QAC3L,CAAC,CAAC,EAAE;;;;mFAIqE,cAAc,CAAC,MAAM;sFAClB,WAAW,CAAC,QAAQ;8EAC5B,WAAW,CAAC,IAAI;kFACZ,WAAW,CAAC,MAAM;4EACxB,WAAW,CAAC,GAAG;;;;;;;;;;;;;;YAc/E,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACvB,MAAM,QAAQ,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,EAAE,CAAC;QAC5D,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACvB,OAAO;qDACgC,CAAC,CAAC,QAAQ;yDACN,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;oBAC9D,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;yEACkC,QAAQ;oBAC7D,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;kBAC9C,CAAC;QACP,CAAC;QACD,MAAM,QAAQ,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;yDAES,CAAC,CAAC,QAAQ,uBAAuB,CAAC,CAAC,QAAQ;sDAC9C,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;oDACrB,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;sBAC1E,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,OAAO;mEACgD,CAAC,CAAC,QAAQ;yDACpB,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;;gFAEF,QAAQ,aAAa,CAAC,CAAC,OAAO,CAAC,MAAM;6CACxE,QAAQ;;;kBAGnC,CAAC;IACT,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;;QAIb,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;cAiBxB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;;sBAGlB,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;2EACkC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK;sBAC1F,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;;aAErD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;OAGhB,CAAC,CAAC,CAAC,EAAE;;QAEJ,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;cAY1B,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;sBAEpB,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;sBACnB,CAAC,CAAC,WAAW,EAAE,MAAM,IAAI,oBAAoB;2EACQ,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK;;aAEnG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;OAGhB,CAAC,CAAC,CAAC,EAAE;;QAEJ,oBAAoB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;cAa5B,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;;sBAEtB,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC;sBACnB,CAAC,CAAC,cAAc,EAAE,MAAM,IAAI,oBAAoB;sBAChD,CAAC,CAAC,cAAc,EAAE,cAAc,IAAI,SAAS;sBAC7C,CAAC,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,KAAK;;aAElH,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;;;OAGhB,CAAC,CAAC,CAAC,EAAE;;QAEJ,eAAe,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;;aAE5C,gBAAgB,CAAC,MAAM;OAC7B,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;QAcJ,QAAQ;QACR,CAAC,CAAC,cAAc,UAAU,CAAC,UAAU,CAAC,eAAe;QACrD,CAAC,CAAC,yDAAyD;;qEAEE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE;;;IAGrG,QAAQ,CAAC,CAAC,CAAC,kCAAkC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA+B5E,CAAC;IAEP,wBAAwB;IACxB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAE7D,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,GAAG,GAA8B;QACrC,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC;IACF,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/C,CAAC"}

package/dist/reporters/branding.d.ts

@@ -0,0 +1,39 @@
+import type { Branding, ResolvedBranding } from '../types.js';
+/** Default author shown when no brand name is provided. */
+export declare const DEFAULT_BRAND_NAME = "VLayer Automated Scan";
+/**
+ * Resolve branding from CLI flags (which take precedence) and config, validating
+ * the logo. This never throws: an invalid or missing logo becomes a warning and
+ * is dropped so the scan/report always completes.
+ *
+ * @param cli      Branding from CLI flags (`--brand-name`, `--brand-logo`).
+ * @param config   Branding from the `branding` block in config.
+ * @param baseDir  Directory used to resolve a relative logo path (defaults to cwd).
+ */
+export declare function resolveBranding(cli: Branding | undefined, config: Branding | undefined, baseDir?: string): ResolvedBranding;
+/**
+ * Footer line shown on every page. With branding it reads
+ * "Prepared by {name} · Powered by VLayer"; without, just "Powered by VLayer".
+ */
+export declare function brandFooterText(branding?: ResolvedBranding): string;
+/** Author label for the cover ("Prepared by ..."), falling back to the default. */
+export declare function brandPreparedBy(branding?: ResolvedBranding): string;
+/**
+ * Read the logo and return a base64 data URI for embedding in HTML `<img src>`.
+ * Returns null if the logo can't be read (the report still renders).
+ */
+export declare function logoDataUri(branding?: ResolvedBranding): string | null;
+/**
+ * Whether the logo can be drawn into a PDF via pdfkit. pdfkit's `image()`
+ * supports PNG and JPEG but not SVG, so SVG logos are skipped in PDFs.
+ */
+export declare function pdfLogoPath(branding?: ResolvedBranding): string | null;
+/** Whether the brand logo is an SVG that PDF output cannot embed. */
+export declare function isSvgLogo(branding?: ResolvedBranding): boolean;
+/**
+ * Escape a string for safe interpolation into HTML text/attribute context.
+ * Mirrors the escaping used across the existing reporters so brand-supplied
+ * values (e.g. names with `<` or `"`) cannot inject markup.
+ */
+export declare function escapeHtml(text: string): string;
+//# sourceMappingURL=branding.d.ts.map

package/dist/reporters/branding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"branding.d.ts","sourceRoot":"","sources":["../../src/reporters/branding.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAU9D,2DAA2D;AAC3D,eAAO,MAAM,kBAAkB,0BAA0B,CAAC;AAE1D;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,QAAQ,GAAG,SAAS,EACzB,MAAM,EAAE,QAAQ,GAAG,SAAS,EAC5B,OAAO,GAAE,MAAsB,GAC9B,gBAAgB,CAsBlB;AA4BD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,MAAM,CAKnE;AAED,mFAAmF;AACnF,wBAAgB,eAAe,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,MAAM,CAEnE;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,MAAM,GAAG,IAAI,CAWtE;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,MAAM,GAAG,IAAI,CAItE;AAED,qEAAqE;AACrE,wBAAgB,SAAS,CAAC,QAAQ,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAE9D;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAS/C"}

package/dist/reporters/branding.js

@@ -0,0 +1,124 @@
+import { existsSync, readFileSync } from 'fs';
+import path from 'path';
+/** Logo extensions we support, mapped to their resolved format + MIME type. */
+const SUPPORTED_LOGO_FORMATS = {
+    '.png': { format: 'png', mime: 'image/png' },
+    '.jpg': { format: 'jpg', mime: 'image/jpeg' },
+    '.jpeg': { format: 'jpg', mime: 'image/jpeg' },
+    '.svg': { format: 'svg', mime: 'image/svg+xml' },
+};
+/** Default author shown when no brand name is provided. */
+export const DEFAULT_BRAND_NAME = 'VLayer Automated Scan';
+/**
+ * Resolve branding from CLI flags (which take precedence) and config, validating
+ * the logo. This never throws: an invalid or missing logo becomes a warning and
+ * is dropped so the scan/report always completes.
+ *
+ * @param cli      Branding from CLI flags (`--brand-name`, `--brand-logo`).
+ * @param config   Branding from the `branding` block in config.
+ * @param baseDir  Directory used to resolve a relative logo path (defaults to cwd).
+ */
+export function resolveBranding(cli, config, baseDir = process.cwd()) {
+    const warnings = [];
+    // CLI flag wins over config for each field independently.
+    const rawName = firstNonEmpty(cli?.name, config?.name);
+    const rawLogo = firstNonEmpty(cli?.logo, config?.logo);
+    const result = { warnings };
+    if (rawName) {
+        result.name = rawName.trim();
+    }
+    if (rawLogo) {
+        const logo = validateLogo(rawLogo, baseDir, warnings);
+        if (logo) {
+            result.logoPath = logo.absolutePath;
+            result.logoFormat = logo.format;
+        }
+    }
+    return result;
+}
+function validateLogo(logo, baseDir, warnings) {
+    const absolutePath = path.isAbsolute(logo) ? logo : path.resolve(baseDir, logo);
+    const ext = path.extname(absolutePath).toLowerCase();
+    const spec = SUPPORTED_LOGO_FORMATS[ext];
+    if (!spec) {
+        warnings.push(`Brand logo "${logo}" has an unsupported format (${ext || 'no extension'}). ` +
+            `Supported: .png, .jpg, .jpeg, .svg. Continuing without a logo.`);
+        return null;
+    }
+    if (!existsSync(absolutePath)) {
+        warnings.push(`Brand logo not found at "${absolutePath}". Continuing without a logo.`);
+        return null;
+    }
+    return { absolutePath, format: spec.format };
+}
+/**
+ * Footer line shown on every page. With branding it reads
+ * "Prepared by {name} · Powered by VLayer"; without, just "Powered by VLayer".
+ */
+export function brandFooterText(branding) {
+    if (branding?.name) {
+        return `Prepared by ${branding.name} · Powered by VLayer`;
+    }
+    return 'Powered by VLayer';
+}
+/** Author label for the cover ("Prepared by ..."), falling back to the default. */
+export function brandPreparedBy(branding) {
+    return branding?.name || DEFAULT_BRAND_NAME;
+}
+/**
+ * Read the logo and return a base64 data URI for embedding in HTML `<img src>`.
+ * Returns null if the logo can't be read (the report still renders).
+ */
+export function logoDataUri(branding) {
+    if (!branding?.logoPath || !branding.logoFormat)
+        return null;
+    const ext = path.extname(branding.logoPath).toLowerCase();
+    const mime = SUPPORTED_LOGO_FORMATS[ext]?.mime;
+    if (!mime)
+        return null;
+    try {
+        const data = readFileSync(branding.logoPath);
+        return `data:${mime};base64,${data.toString('base64')}`;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Whether the logo can be drawn into a PDF via pdfkit. pdfkit's `image()`
+ * supports PNG and JPEG but not SVG, so SVG logos are skipped in PDFs.
+ */
+export function pdfLogoPath(branding) {
+    if (!branding?.logoPath)
+        return null;
+    if (branding.logoFormat === 'svg')
+        return null;
+    return branding.logoPath;
+}
+/** Whether the brand logo is an SVG that PDF output cannot embed. */
+export function isSvgLogo(branding) {
+    return branding?.logoFormat === 'svg';
+}
+/**
+ * Escape a string for safe interpolation into HTML text/attribute context.
+ * Mirrors the escaping used across the existing reporters so brand-supplied
+ * values (e.g. names with `<` or `"`) cannot inject markup.
+ */
+export function escapeHtml(text) {
+    const map = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#039;',
+    };
+    return text.replace(/[&<>"']/g, m => map[m]);
+}
+function firstNonEmpty(...values) {
+    for (const v of values) {
+        if (typeof v === 'string' && v.trim().length > 0)
+            return v;
+    }
+    return undefined;
+}
+//# sourceMappingURL=branding.js.map

package/dist/reporters/branding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"branding.js","sourceRoot":"","sources":["../../src/reporters/branding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB,+EAA+E;AAC/E,MAAM,sBAAsB,GAAoE;IAC9F,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE;IAC5C,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;IAC7C,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE;IAC9C,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE;CACjD,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAE1D;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAyB,EACzB,MAA4B,EAC5B,UAAkB,OAAO,CAAC,GAAG,EAAE;IAE/B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,0DAA0D;IAC1D,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IAEvD,MAAM,MAAM,GAAqB,EAAE,QAAQ,EAAE,CAAC;IAE9C,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtD,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC;YACpC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC;QAClC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAOD,SAAS,YAAY,CAAC,IAAY,EAAE,OAAe,EAAE,QAAkB;IACrE,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAChF,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IACrD,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAEzC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,QAAQ,CAAC,IAAI,CACX,eAAe,IAAI,gCAAgC,GAAG,IAAI,cAAc,KAAK;YAC3E,gEAAgE,CACnE,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC,4BAA4B,YAAY,+BAA+B,CAAC,CAAC;QACvF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAA2B;IACzD,IAAI,QAAQ,EAAE,IAAI,EAAE,CAAC;QACnB,OAAO,eAAe,QAAQ,CAAC,IAAI,sBAAsB,CAAC;IAC5D,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,eAAe,CAAC,QAA2B;IACzD,OAAO,QAAQ,EAAE,IAAI,IAAI,kBAAkB,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,QAA2B;IACrD,IAAI,CAAC,QAAQ,EAAE,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,sBAAsB,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC7C,OAAO,QAAQ,IAAI,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,QAA2B;IACrD,IAAI,CAAC,QAAQ,EAAE,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,QAAQ,CAAC,UAAU,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,QAAQ,CAAC,QAAQ,CAAC;AAC3B,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,SAAS,CAAC,QAA2B;IACnD,OAAO,QAAQ,EAAE,UAAU,KAAK,KAAK,CAAC;AACxC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,GAAG,GAA2B;QAClC,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC;IACF,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,aAAa,CAAC,GAAG,MAAiC;IACzD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/reporters/finding-presentation.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Presentation-layer helpers for the HTML/PDF reports.
+ *
+ * IMPORTANT: this module is purely cosmetic. It never mutates findings, never
+ * changes detection, and is NOT used to build the JSON output. It only decides
+ * how rows are *grouped and labelled* in the rendered reports. The underlying
+ * findings (and the JSON downstream tools depend on) are unchanged — every
+ * finding still exists, it is just shown once per file:line when several rules
+ * fire on the same location.
+ */
+import type { Finding, Severity } from '../types.js';
+/**
+ * A finding is "proposed" when its HIPAA reference cites the NPRM (the proposed
+ * 2026 Security Rule), not a current obligation. Such findings are still shown,
+ * but they must not inflate a group's headline severity.
+ */
+export declare function isProposedFinding(f: Finding): boolean;
+/**
+ * Split findings into CURRENT obligations and PROPOSED (NPRM) ones. Proposed
+ * findings are rendered in their own "Upcoming Requirements" subsection and are
+ * excluded from the current-severity Scan Summary, so a proposed rule is never
+ * shown as a current red/critical violation.
+ */
+export declare function partitionFindingsByStatus(findings: Finding[]): {
+    current: Finding[];
+    proposed: Finding[];
+};
+/** Stable ordering for the proposed-requirements list: by file, line, title. */
+export declare function sortProposedFindings(findings: Finding[]): Finding[];
+/** One screen entry: findings that share a (file, line, rule category). */
+export interface LocationGroup {
+    key: string;
+    file: string;
+    line: number | undefined;
+    /** Rule category shared by all members (the "family"). */
+    category: string;
+    /** Headline severity — highest among CURRENT (non-proposed) members. */
+    severity: Severity;
+    /** Members, sorted highest-severity first then by title. */
+    members: Finding[];
+}
+/**
+ * Group findings by (file + line + rule category). Several rules that flag the
+ * same line for the SAME reason (e.g. all PHI-in-logs on route.ts:36) collapse
+ * into one entry; unrelated rules on the same line (e.g. MFA + backup) stay as
+ * separate rows. A single-member group renders as a normal row.
+ *
+ * The headline severity reflects only CURRENT requirements — proposed (NPRM)
+ * findings never raise it (they stay listed inside with their own badge). When
+ * every member is proposed, the highest proposed severity is used.
+ *
+ * Groups are ordered by group severity (critical first), then file, line, and
+ * category. The total member count always equals the input length — nothing is
+ * dropped.
+ */
+export declare function groupFindingsByLocation(findings: Finding[]): LocationGroup[];
+/** Count location-groups by their group severity (for summary/filter labels). */
+export declare function countGroupsBySeverity(groups: LocationGroup[]): Record<Severity, number>;
+/**
+ * Normalize any hipaaReference string to one canonical style:
+ * "45 CFR §164.312(c) — Integrity Controls".
+ *
+ * Handles the three styles currently emitted by the scanners:
+ *   - already-full  "45 CFR §164.312(c) - Integrity Controls"
+ *   - bare section  "§164.502, §164.514"
+ *   - NPRM-prefixed "NPRM §164.312(d) - Person or Entity Authentication"
+ *     → kept distinct as a proposed rule:
+ *       "45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule)"
+ *
+ * Multi-section refs (comma-separated) are expanded into each canonical ref,
+ * joined with "; ". The original string is never mutated on the finding object.
+ */
+export declare function formatHipaaRef(raw: string | undefined | null): string;
+//# sourceMappingURL=finding-presentation.d.ts.map

package/dist/reporters/finding-presentation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding-presentation.d.ts","sourceRoot":"","sources":["../../src/reporters/finding-presentation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAUrD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG;IAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAAC,QAAQ,EAAE,OAAO,EAAE,CAAA;CAAE,CAO1G;AAED,gFAAgF;AAChF,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAInE;AAED,2EAA2E;AAC3E,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,QAAQ,EAAE,QAAQ,CAAC;IACnB,4DAA4D;IAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;CACpB;AAWD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,aAAa,EAAE,CAoC5E;AAED,iFAAiF;AACjF,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAIvF;AAyDD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,CAOrE"}