verification-layer 0.24.5 → 0.25.1

package/dist/reporters/finding-presentation.d.ts

@@ -0,0 +1,84 @@
+import type { Finding, Severity } from '../types.js';
+/**
+ * A finding is "proposed" when its HIPAA reference cites the NPRM (the proposed
+ * 2026 Security Rule), not a current obligation. Such findings are still shown,
+ * but they must not inflate a group's headline severity.
+ */
+export declare function isProposedFinding(f: Finding): boolean;
+/**
+ * Split findings into CURRENT obligations and PROPOSED (NPRM) ones. Proposed
+ * findings are rendered in their own "Upcoming Requirements" subsection and are
+ * excluded from the current-severity Scan Summary, so a proposed rule is never
+ * shown as a current red/critical violation.
+ */
+export declare function partitionFindingsByStatus(findings: Finding[]): {
+    current: Finding[];
+    proposed: Finding[];
+};
+/** Stable ordering for the proposed-requirements list: by file, line, title. */
+export declare function sortProposedFindings(findings: Finding[]): Finding[];
+/** One screen entry: findings that share a (file, line, rule category). */
+export interface LocationGroup {
+    key: string;
+    file: string;
+    line: number | undefined;
+    /** Rule category shared by all members (the "family"). */
+    category: string;
+    /** Headline severity — highest among CURRENT (non-proposed) members. */
+    severity: Severity;
+    /** Members, sorted highest-severity first then by title. */
+    members: Finding[];
+}
+/**
+ * Group findings by (file + line + rule category). Several rules that flag the
+ * same line for the SAME reason (e.g. all PHI-in-logs on route.ts:36) collapse
+ * into one entry; unrelated rules on the same line (e.g. MFA + backup) stay as
+ * separate rows. A single-member group renders as a normal row.
+ *
+ * The headline severity reflects only CURRENT requirements — proposed (NPRM)
+ * findings never raise it (they stay listed inside with their own badge). When
+ * every member is proposed, the highest proposed severity is used.
+ *
+ * Groups are ordered by group severity (critical first), then file, line, and
+ * category. The total member count always equals the input length — nothing is
+ * dropped.
+ */
+export declare function groupFindingsByLocation(findings: Finding[]): LocationGroup[];
+/** Count location-groups by their group severity (for summary/filter labels). */
+export declare function countGroupsBySeverity(groups: LocationGroup[]): Record<Severity, number>;
+/**
+ * Count findings by their OWN severity — one tally per finding. Unlike
+ * countGroupsBySeverity (which counts location groups, so collapsing inflates
+ * nothing but deflates the visible numbers), this matches the raw per-severity
+ * numbers the Executive Summary uses, so the report shows the SAME counts in the
+ * summary cards, the recommendations, and the filter chips.
+ *
+ * Proposed (NPRM) findings must be excluded by the caller — pass only the
+ * current findings so a proposed rule never lands in a current-severity bucket.
+ */
+export declare function countFindingsBySeverity(findings: Finding[]): Record<Severity, number>;
+/**
+ * Render a file path for display relative to the scan target root. A white-label
+ * report an agency hands to its client must never leak the developer's absolute
+ * machine path or username, so an absolute path is always reduced to a path
+ * relative to the scan root (e.g. "src/app/api/patients/route.ts"). Already-
+ * relative paths are returned unchanged; an absolute path that escapes the root
+ * falls back to its basename rather than leaking the full path.
+ */
+export declare function toRelativeDisplayPath(file: string, root: string): string;
+/**
+ * Normalize any hipaaReference string to one canonical style:
+ * "45 CFR §164.312(c) — Integrity Controls".
+ *
+ * Handles the three styles currently emitted by the scanners:
+ *   - already-full  "45 CFR §164.312(c) - Integrity Controls"
+ *   - bare section  "§164.502, §164.514"
+ *   - NPRM-prefixed "NPRM §164.312(d) - Person or Entity Authentication"
+ *     → kept distinct as a proposed rule:
+ *       "45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule)"
+ *
+ * Multi-section refs (comma-separated) are expanded into each canonical ref,
+ * joined with "; ". The original string is never mutated on the finding object.
+ */
+export declare function formatHipaaRef(raw: string | undefined | null): string;
+//# sourceMappingURL=finding-presentation.d.ts.map

package/dist/reporters/finding-presentation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding-presentation.d.ts","sourceRoot":"","sources":["../../src/reporters/finding-presentation.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAUrD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG;IAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAAC,QAAQ,EAAE,OAAO,EAAE,CAAA;CAAE,CAO1G;AAED,gFAAgF;AAChF,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAInE;AAED,2EAA2E;AAC3E,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,QAAQ,EAAE,QAAQ,CAAC;IACnB,4DAA4D;IAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;CACpB;AAWD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,aAAa,EAAE,CAoC5E;AAED,iFAAiF;AACjF,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAIvF;AAED;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAIrF;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMxE;AAyDD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,MAAM,CAOrE"}

package/dist/reporters/finding-presentation.js

@@ -0,0 +1,217 @@
+/**
+ * Presentation-layer helpers for the HTML/PDF reports.
+ *
+ * IMPORTANT: this module is purely cosmetic. It never mutates findings, never
+ * changes detection, and is NOT used to build the JSON output. It only decides
+ * how rows are *grouped and labelled* in the rendered reports. The underlying
+ * findings (and the JSON downstream tools depend on) are unchanged — every
+ * finding still exists, it is just shown once per file:line when several rules
+ * fire on the same location.
+ */
+import { relative, isAbsolute, basename } from 'path';
+const SEVERITY_RANK = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+};
+/**
+ * A finding is "proposed" when its HIPAA reference cites the NPRM (the proposed
+ * 2026 Security Rule), not a current obligation. Such findings are still shown,
+ * but they must not inflate a group's headline severity.
+ */
+export function isProposedFinding(f) {
+    return /\bNPRM\b/i.test(f.hipaaReference ?? '');
+}
+/**
+ * Split findings into CURRENT obligations and PROPOSED (NPRM) ones. Proposed
+ * findings are rendered in their own "Upcoming Requirements" subsection and are
+ * excluded from the current-severity Scan Summary, so a proposed rule is never
+ * shown as a current red/critical violation.
+ */
+export function partitionFindingsByStatus(findings) {
+    const current = [];
+    const proposed = [];
+    for (const f of findings) {
+        (isProposedFinding(f) ? proposed : current).push(f);
+    }
+    return { current, proposed };
+}
+/** Stable ordering for the proposed-requirements list: by file, line, title. */
+export function sortProposedFindings(findings) {
+    return [...findings].sort((a, b) => a.file.localeCompare(b.file) || (a.line ?? 0) - (b.line ?? 0) || a.title.localeCompare(b.title));
+}
+/** Highest severity among the given findings; null if the list is empty. */
+function highestSeverity(findings) {
+    let best = null;
+    for (const f of findings) {
+        if (best === null || SEVERITY_RANK[f.severity] < SEVERITY_RANK[best])
+            best = f.severity;
+    }
+    return best;
+}
+/**
+ * Group findings by (file + line + rule category). Several rules that flag the
+ * same line for the SAME reason (e.g. all PHI-in-logs on route.ts:36) collapse
+ * into one entry; unrelated rules on the same line (e.g. MFA + backup) stay as
+ * separate rows. A single-member group renders as a normal row.
+ *
+ * The headline severity reflects only CURRENT requirements — proposed (NPRM)
+ * findings never raise it (they stay listed inside with their own badge). When
+ * every member is proposed, the highest proposed severity is used.
+ *
+ * Groups are ordered by group severity (critical first), then file, line, and
+ * category. The total member count always equals the input length — nothing is
+ * dropped.
+ */
+export function groupFindingsByLocation(findings) {
+    const byKey = new Map();
+    for (const f of findings) {
+        const key = `${f.file}::${f.line ?? ''}::${f.category}`;
+        const existing = byKey.get(key);
+        if (existing)
+            existing.push(f);
+        else
+            byKey.set(key, [f]);
+    }
+    const groups = [];
+    for (const [key, members] of byKey) {
+        const sorted = [...members].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.title.localeCompare(b.title));
+        const current = sorted.filter(f => !isProposedFinding(f));
+        // Headline severity: highest among current findings; if the group is
+        // entirely proposed, fall back to the highest proposed severity.
+        const severity = highestSeverity(current.length > 0 ? current : sorted);
+        groups.push({
+            key,
+            file: sorted[0].file,
+            line: sorted[0].line,
+            category: sorted[0].category,
+            severity,
+            members: sorted,
+        });
+    }
+    groups.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] ||
+        a.file.localeCompare(b.file) ||
+        (a.line ?? 0) - (b.line ?? 0) ||
+        a.category.localeCompare(b.category));
+    return groups;
+}
+/** Count location-groups by their group severity (for summary/filter labels). */
+export function countGroupsBySeverity(groups) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const g of groups)
+        counts[g.severity]++;
+    return counts;
+}
+/**
+ * Count findings by their OWN severity — one tally per finding. Unlike
+ * countGroupsBySeverity (which counts location groups, so collapsing inflates
+ * nothing but deflates the visible numbers), this matches the raw per-severity
+ * numbers the Executive Summary uses, so the report shows the SAME counts in the
+ * summary cards, the recommendations, and the filter chips.
+ *
+ * Proposed (NPRM) findings must be excluded by the caller — pass only the
+ * current findings so a proposed rule never lands in a current-severity bucket.
+ */
+export function countFindingsBySeverity(findings) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const f of findings)
+        counts[f.severity]++;
+    return counts;
+}
+/**
+ * Render a file path for display relative to the scan target root. A white-label
+ * report an agency hands to its client must never leak the developer's absolute
+ * machine path or username, so an absolute path is always reduced to a path
+ * relative to the scan root (e.g. "src/app/api/patients/route.ts"). Already-
+ * relative paths are returned unchanged; an absolute path that escapes the root
+ * falls back to its basename rather than leaking the full path.
+ */
+export function toRelativeDisplayPath(file, root) {
+    if (!file)
+        return '';
+    if (!isAbsolute(file))
+        return file;
+    const rel = relative(root, file);
+    if (!rel || rel.startsWith('..'))
+        return basename(file);
+    return rel;
+}
+/**
+ * Official 45 CFR Part 164 control names, keyed by section. Used only to fill in
+ * the control name for findings whose hipaaReference is a bare citation
+ * (e.g. "§164.502"). Findings that already carry a name keep their own wording.
+ */
+const SECTION_NAMES = {
+    '164.308(a)(1)(ii)(A)': 'Risk Analysis',
+    '164.308(a)(7)(ii)(A)': 'Data Backup Plan',
+    '164.308(a)(8)': 'Evaluation',
+    '164.312(a)(1)': 'Access Control',
+    '164.312(a)(2)(i)': 'Unique User Identification',
+    '164.312(a)(2)(iii)': 'Automatic Logoff',
+    '164.312(a)(2)(iv)': 'Encryption and Decryption',
+    '164.312(b)': 'Audit Controls',
+    '164.312(c)': 'Integrity',
+    '164.312(d)': 'Person or Entity Authentication',
+    '164.312(e)(1)': 'Transmission Security',
+    '164.502': 'Uses and Disclosures of PHI: General Rules',
+    '164.502(b)': 'Minimum Necessary',
+    '164.514': 'De-identification and Minimum Necessary',
+    '164.530(j)': 'Documentation',
+};
+/** Progressively strip trailing "(...)" groups to find a fallback name. */
+function nameForSection(section) {
+    let candidate = section;
+    while (candidate) {
+        if (SECTION_NAMES[candidate])
+            return SECTION_NAMES[candidate];
+        const stripped = candidate.replace(/\([^)]*\)$/, '');
+        if (stripped === candidate)
+            break;
+        candidate = stripped;
+    }
+    return undefined;
+}
+function normalizeOneRef(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed === '-' || trimmed === '—')
+        return null;
+    const sectionMatch = trimmed.match(/(\d{3}\.\d+(?:\s*\([^)]*\))*)/);
+    if (!sectionMatch)
+        return trimmed; // unrecognised shape — leave untouched
+    const section = sectionMatch[1].replace(/\s+/g, '');
+    // NPRM refs cite a PROPOSED rule, not a current obligation — keep that
+    // distinction explicit so the report never presents a proposed requirement
+    // as enforceable.
+    const isNprm = /\bNPRM\b/i.test(trimmed);
+    // Inline control name = text after a dash delimiter, if present.
+    const dashMatch = trimmed.match(/[-–—]\s*(.+)$/);
+    const name = (dashMatch ? dashMatch[1].trim() : undefined) ?? nameForSection(section);
+    const base = name ? `45 CFR §${section} — ${name}` : `45 CFR §${section}`;
+    return isNprm ? `${base} (NPRM — proposed rule)` : base;
+}
+/**
+ * Normalize any hipaaReference string to one canonical style:
+ * "45 CFR §164.312(c) — Integrity Controls".
+ *
+ * Handles the three styles currently emitted by the scanners:
+ *   - already-full  "45 CFR §164.312(c) - Integrity Controls"
+ *   - bare section  "§164.502, §164.514"
+ *   - NPRM-prefixed "NPRM §164.312(d) - Person or Entity Authentication"
+ *     → kept distinct as a proposed rule:
+ *       "45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule)"
+ *
+ * Multi-section refs (comma-separated) are expanded into each canonical ref,
+ * joined with "; ". The original string is never mutated on the finding object.
+ */
+export function formatHipaaRef(raw) {
+    if (!raw)
+        return '—';
+    // Split only at commas that begin a new citation, so control names that
+    // happen to contain a comma are not broken apart.
+    const parts = raw.split(/,\s*(?=(?:45 CFR|NPRM|§|\d{3}\.))/);
+    const normalized = parts.map(normalizeOneRef).filter((p) => Boolean(p));
+    return normalized.length > 0 ? normalized.join('; ') : '—';
+}
+//# sourceMappingURL=finding-presentation.js.map

package/dist/reporters/finding-presentation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding-presentation.js","sourceRoot":"","sources":["../../src/reporters/finding-presentation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AAGtD,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAU;IAC1C,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAmB;IAC3D,MAAM,OAAO,GAAc,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,oBAAoB,CAAC,QAAmB;IACtD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CACvB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAC1G,CAAC;AACJ,CAAC;AAeD,4EAA4E;AAC5E,SAAS,eAAe,CAAC,QAAmB;IAC1C,IAAI,IAAI,GAAoB,IAAI,CAAC;IACjC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,IAAI,KAAK,IAAI,IAAI,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC1F,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAmB;IACzD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,QAAQ;YAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;;YAC1B,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAC9B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAClG,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,qEAAqE;QACrE,iEAAiE;QACjE,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;QACzE,MAAM,CAAC,IAAI,CAAC;YACV,GAAG;YACH,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI;YACpB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI;YACpB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ;YAC5B,QAAQ;YACR,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,IAAI,CACT,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC;QACrD,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC;QAC5B,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QAC7B,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CACvC,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,qBAAqB,CAAC,MAAuB;IAC3D,MAAM,MAAM,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC9F,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAmB;IACzD,MAAM,MAAM,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC9F,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC/C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY,EAAE,IAAY;IAC9D,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,aAAa,GAA2B;IAC5C,sBAAsB,EAAE,eAAe;IACvC,sBAAsB,EAAE,kBAAkB;IAC1C,eAAe,EAAE,YAAY;IAC7B,eAAe,EAAE,gBAAgB;IACjC,kBAAkB,EAAE,4BAA4B;IAChD,oBAAoB,EAAE,kBAAkB;IACxC,mBAAmB,EAAE,2BAA2B;IAChD,YAAY,EAAE,gBAAgB;IAC9B,YAAY,EAAE,WAAW;IACzB,YAAY,EAAE,iCAAiC;IAC/C,eAAe,EAAE,uBAAuB;IACxC,SAAS,EAAE,4CAA4C;IACvD,YAAY,EAAE,mBAAmB;IACjC,SAAS,EAAE,yCAAyC;IACpD,YAAY,EAAE,eAAe;CAC9B,CAAC;AAEF,2EAA2E;AAC3E,SAAS,cAAc,CAAC,OAAe;IACrC,IAAI,SAAS,GAAG,OAAO,CAAC;IACxB,OAAO,SAAS,EAAE,CAAC;QACjB,IAAI,aAAa,CAAC,SAAS,CAAC;YAAE,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI,QAAQ,KAAK,SAAS;YAAE,MAAM;QAClC,SAAS,GAAG,QAAQ,CAAC;IACvB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEhE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACpE,IAAI,CAAC,YAAY;QAAE,OAAO,OAAO,CAAC,CAAC,uCAAuC;IAE1E,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,uEAAuE;IACvE,2EAA2E;IAC3E,kBAAkB;IAClB,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzC,iEAAiE;IACjE,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;IAEtF,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,WAAW,OAAO,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,WAAW,OAAO,EAAE,CAAC;IAC1E,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1D,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,wEAAwE;IACxE,kDAAkD;IAClD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACrF,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC7D,CAAC"}

package/dist/reporters/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reporters/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,aAAa,EAA4E,MAAM,aAAa,CAAC;AAsrG/I,wBAAsB,cAAc,CAClC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CA6Bf"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/reporters/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAU,aAAa,EAA4E,MAAM,aAAa,CAAC;AAitG/I,wBAAsB,cAAc,CAClC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,IAAI,CAAC,CAsCf"}

package/dist/reporters/index.js

@@ -3,6 +3,8 @@ import * as path from 'path';
 import chalk from 'chalk';
 import { getRemediationGuide } from './remediation-guides.js';
 import { getStackSpecificGuides } from '../stack-detector/stack-guides.js';
+import { brandFooterText, brandPreparedBy, logoDataUri } from './branding.js';
+import { generateScanPdf } from './scan-pdf-report.js';
 const PACKAGE_CATEGORIES = {
     // Frameworks
     'next': { category: 'framework', provider: 'Next.js Framework' },
@@ -884,6 +886,11 @@ async function generateHtml(report, targetPath, options) {
     const complianceScoreHtml = await renderComplianceScoreHtml(report, targetPath);
     const assetInventoryHtml = await renderAssetInventoryHtml(targetPath);
     const dataFlowMapHtml = await renderDataFlowMapHtml(targetPath, report.findings);
+    // White-label branding (no-op when no brand is supplied → output unchanged).
+    const brandLogo = logoDataUri(options.branding);
+    const hasBrand = Boolean(options.branding?.name || brandLogo);
+    const brandPreparedByLabel = brandPreparedBy(options.branding);
+    const brandFooterLine = brandFooterText(options.branding);
     const severityColors = {
         critical: '#dc2626',
         high: '#ea580c',
@@ -914,6 +921,17 @@ async function generateHtml(report, targetPath, options) {
     body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #1f2937; background: #f9fafb; padding: 2rem; }
     .container { max-width: 1400px; margin: 0 auto; }
 
+    /* White-label branding */
+    .brand-header { display: flex; align-items: center; gap: 1rem; margin-bottom: 1.5rem; padding-bottom: 1.5rem; border-bottom: 1px solid #e5e7eb; }
+    .brand-header img.brand-logo { max-height: 64px; max-width: 220px; object-fit: contain; }
+    .brand-header .brand-prepared-by { color: #6b7280; font-size: 0.95rem; }
+    .brand-header .brand-prepared-by strong { color: #111827; }
+    .brand-page-footer { display: none; }
+    @media print {
+      .brand-page-footer { display: block; position: fixed; bottom: 0; left: 0; right: 0; text-align: center; font-size: 0.7rem; color: #6b7280; padding: 0.4rem 0; }
+      @page { margin-bottom: 2.2cm; }
+    }
+
     /* Executive Summary Styles */
     .executive-summary-section { margin: 0 0 3rem 0; padding: 2.5rem; background: white; border-radius: 16px; box-shadow: 0 4px 6px rgba(0,0,0,0.07); }
     .exec-header h1 { color: #111827; font-size: 2.5rem; margin: 0 0 0.5rem 0; }
@@ -1299,6 +1317,12 @@ async function generateHtml(report, targetPath, options) {
 </head>
 <body>
   <div class="container">
+    ${hasBrand ? `
+    <div class="brand-header">
+      ${brandLogo ? `<img src="${brandLogo}" alt="${escapeHtml(brandPreparedByLabel)} logo" class="brand-logo">` : ''}
+      <div class="brand-prepared-by">Prepared by <strong>${escapeHtml(brandPreparedByLabel)}</strong></div>
+    </div>` : ''}
+
     ${renderExecutiveSummaryHtml(report)}
 
     <h1>HIPAA Compliance Report</h1>
@@ -1377,10 +1401,12 @@ async function generateHtml(report, targetPath, options) {
     </div>
 
     <footer style="margin-top: 3rem; padding-top: 1rem; border-top: 1px solid #e5e7eb; color: #6b7280; font-size: 0.875rem;">
+      ${hasBrand ? `<p><strong>${escapeHtml(brandFooterLine)}</strong></p>` : ''}
       <p>Generated by <strong>vlayer</strong> v0.2.0 - HIPAA Compliance Scanner for Healthcare Applications</p>
       <p>Run with <code>--fix</code> flag to automatically fix issues marked as "Auto-fixable"</p>
     </footer>
   </div>
+  ${hasBrand ? `<div class="brand-page-footer">${escapeHtml(brandFooterLine)}</div>` : ''}
 </body>
 </html>`;
 }
@@ -3026,6 +3052,14 @@ function severityBadge(severity) {
 }
 export async function generateReport(result, targetPath, options) {
     const report = buildReport(result, targetPath, options.vulnerabilities);
+    // PDF is binary: generate the buffer and write it directly.
+    if (options.format === 'pdf') {
+        const { buffer } = await generateScanPdf(result, targetPath, { branding: options.branding });
+        const pdfPath = options.outputPath || 'vlayer-report.pdf';
+        await writeFile(pdfPath, buffer);
+        console.log(chalk.green(`\nReport saved to: ${pdfPath}`));
+        return;
+    }
     let content;
     let extension;
     switch (options.format) {