verification-layer 0.4.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Simon Franco
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,345 @@
+# vlayer - HIPAA Compliance Scanner
+
+**Automated security scanning for healthcare applications.** Detect PHI exposure, fix vulnerabilities, and generate audit-ready compliance reports.
+
+[![CI](https://github.com/Francosimon53/verification-layer/actions/workflows/ci.yml/badge.svg)](https://github.com/Francosimon53/verification-layer/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/verification-layer)](https://www.npmjs.com/package/verification-layer)
+[![License](https://img.shields.io/badge/license-MIT-blue)](LICENSE)
+[![Node](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen)](package.json)
+
+---
+
+## What is vlayer?
+
+vlayer is a CLI tool that scans your codebase for HIPAA compliance issues. It's designed for healthcare startups and developers building applications that handle Protected Health Information (PHI).
+
+**Key capabilities:**
+- Scan for 50+ security vulnerabilities and PHI exposure patterns
+- Auto-fix common issues with one command
+- Generate professional audit reports (HTML, PDF, JSON)
+- Detect your tech stack and provide tailored recommendations
+- Create cryptographic audit trails for compliance documentation
+
+---
+
+## Quick Start
+
+```bash
+# Install
+npm install
+npm run build
+
+# Scan a project
+node dist/cli.js scan /path/to/your/project
+
+# Generate HTML report
+node dist/cli.js scan /path/to/project -f html -o report.html
+
+# Auto-fix issues
+node dist/cli.js scan /path/to/project --fix
+
+# Generate audit PDF
+node dist/cli.js audit /path/to/project --generate-report
+```
+
+---
+
+## Features
+
+### 1. Vulnerability Detection
+
+Scans for **50+ security patterns** across 5 HIPAA compliance categories:
+
+| Category | What it detects |
+|----------|-----------------|
+| **PHI Exposure** | SSN/MRN in code, PHI in logs, localStorage, URLs |
+| **Encryption** | Weak crypto (MD5, DES), disabled SSL/TLS, HTTP URLs |
+| **Access Control** | SQL injection, XSS, CORS wildcards, hardcoded credentials |
+| **Audit Logging** | Missing logging framework, unlogged PHI operations |
+| **Data Retention** | Bulk deletes without audit, missing retention policies |
+
+<details>
+<summary><strong>View all detection patterns</strong></summary>
+
+**PHI Exposure (18 patterns)**
+- Social Security Numbers (XXX-XX-XXXX)
+- Medical Record Numbers (MRN patterns)
+- Date of Birth handling
+- Diagnosis codes (ICD-10)
+- PHI in console.log statements
+- PHI in localStorage/sessionStorage
+- Patient data in URLs
+- Unencrypted patient contact info
+
+**Security Vulnerabilities (20+ patterns)**
+- Hardcoded passwords and secrets
+- API keys (generic, Stripe, AWS)
+- Database URIs with credentials
+- SQL injection (template literals & concatenation)
+- innerHTML without sanitization
+- eval() and Function constructor
+- dangerouslySetInnerHTML in React
+
+**Infrastructure Issues**
+- HTTP URLs for PHI transmission
+- Disabled SSL/TLS verification
+- CORS wildcard origins
+- Sessions without expiration
+- Missing authentication checks
+
+</details>
+
+---
+
+### 2. Auto-Fix (`--fix`)
+
+Automatically remediate common vulnerabilities:
+
+```bash
+node dist/cli.js scan ./my-app --fix
+```
+
+| Issue | Auto-Fix Applied |
+|-------|------------------|
+| SQL injection | Convert to parameterized query `query('SELECT * FROM users WHERE id = ?', [id])` |
+| Hardcoded password | Replace with `process.env.PASSWORD` |
+| Hardcoded API key | Replace with `process.env.API_KEY` |
+| HTTP URL | Upgrade to HTTPS |
+| innerHTML | Replace with `textContent` |
+| PHI in console.log | Comment out with review marker |
+
+**Example output:**
+```
+✔ Scan complete. Found 29 issues.
+✔ Applied 8 automatic fixes.
+
+Changes by file:
+  src/api/users.ts
+    Line 45: SQL injection → parameterized query
+    Line 89: Hardcoded password → process.env.DB_PASSWORD
+  src/utils/logger.ts
+    Line 12: PHI in console.log → commented out
+```
+
+---
+
+### 3. Stack Detection
+
+vlayer automatically detects your tech stack and provides **personalized code examples**:
+
+```
+Stack detected:
+  Framework: Next.js
+  Database: Supabase
+  Auth: Supabase Auth
+```
+
+**Supported technologies:**
+
+| Type | Detected |
+|------|----------|
+| Frameworks | Next.js, React, Vue, Nuxt, Angular, Express, Fastify, NestJS |
+| Databases | Supabase, Firebase, PostgreSQL, MySQL, MongoDB, Prisma, Drizzle |
+| Auth | NextAuth, Supabase Auth, Firebase Auth, Auth0, Clerk, Passport |
+
+**Stack-specific recommendations include:**
+
+- **Next.js + Supabase**: Server Components for PHI, Row Level Security (RLS), middleware protection
+- **Express + PostgreSQL**: express-session with Redis, parameterized queries
+- **React + Firebase**: Firestore Security Rules, Admin SDK for PHI
+
+---
+
+### 4. Remediation Guides
+
+Each finding includes a detailed remediation guide with:
+
+- **HIPAA Impact**: Why this matters for compliance
+- **Multiple fix options**: Different approaches with trade-offs
+- **Code examples**: Copy-paste ready solutions
+- **Documentation links**: Official resources
+
+The guides are **personalized to your stack** - if you're using Supabase, you'll see Supabase-specific code examples, not generic SQL.
+
+---
+
+### 5. Audit Trail & PDF Reports
+
+Generate compliance documentation with cryptographic verification:
+
+```bash
+# Run scan with fixes (creates audit trail)
+node dist/cli.js scan ./my-app --fix
+
+# Generate PDF report
+node dist/cli.js audit ./my-app --generate-report --org "Healthcare Inc" --auditor "Jane Smith"
+```
+
+**Audit trail includes:**
+
+| For Auto-Fixed Issues | For Manual Review Items |
+|-----------------------|-------------------------|
+| Code before & after | Status: "Pending human review" |
+| SHA256 file hashes | Assigned responsible party |
+| Timestamp of change | Suggested deadline by severity |
+| HIPAA reference resolved | Full finding details |
+
+**PDF Report sections:**
+1. Cover Page - Project info, scan statistics
+2. Executive Summary - Remediation rate, risk breakdown
+3. Fix Evidence - Cryptographic proof of each change
+4. Manual Reviews - Pending items with deadlines
+5. Verification Page - Report hash, signature fields
+
+---
+
+## Report Examples
+
+### HTML Report
+
+The HTML report includes:
+- Summary cards with severity counts
+- Stack detection section with tailored recommendations
+- Each finding with code context and line highlighting
+- Expandable remediation guides with code examples
+- Auto-fixable badge on issues that can be fixed automatically
+
+### JSON Report
+
+Machine-readable format for CI/CD integration:
+
+```json
+{
+  "summary": {
+    "total": 29,
+    "critical": 8,
+    "high": 12,
+    "medium": 6,
+    "low": 3
+  },
+  "stack": {
+    "framework": "nextjs",
+    "database": "supabase",
+    "auth": "supabase-auth"
+  },
+  "findings": [...]
+}
+```
+
+---
+
+## Configuration
+
+Create `.vlayerrc.json` in your project root:
+
+```json
+{
+  "exclude": ["**/*.test.ts", "**/__mocks__/**"],
+  "ignorePaths": ["sample-data", "fixtures"],
+  "safeHttpDomains": ["my-internal-cdn.com"],
+  "contextLines": 3,
+  "categories": ["phi-exposure", "encryption", "access-control"]
+}
+```
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `exclude` | Glob patterns to skip | `[]` |
+| `ignorePaths` | Path substrings to ignore | `[]` |
+| `safeHttpDomains` | HTTP domains to allow (CDNs) | Built-in list |
+| `contextLines` | Lines of context in reports | `2` |
+| `categories` | Categories to scan | All |
+
+---
+
+## CLI Reference
+
+```bash
+# Basic scan
+vlayer scan <path>
+
+# Scan options
+vlayer scan <path> -f html -o report.html    # HTML report
+vlayer scan <path> -f markdown -o report.md  # Markdown report
+vlayer scan <path> -c phi-exposure encryption # Specific categories
+vlayer scan <path> --fix                      # Auto-fix issues
+
+# Audit commands
+vlayer audit <path> --summary                 # View audit summary
+vlayer audit <path> --generate-report         # Generate PDF
+vlayer audit <path> --generate-report --text  # Generate text instead
+vlayer audit <path> --generate-report --org "Company" --auditor "Name"
+```
+
+**Exit codes:**
+- `0` - No critical issues
+- `1` - Critical issues found (useful for CI/CD)
+
+---
+
+## HIPAA References
+
+Each finding maps to specific HIPAA regulations:
+
+| Reference | Requirement |
+|-----------|-------------|
+| §164.502, §164.514 | PHI disclosure and de-identification |
+| §164.312(a)(1) | Access control mechanisms |
+| §164.312(a)(2)(iv) | Encryption and decryption |
+| §164.312(b) | Audit controls |
+| §164.312(d) | Person or entity authentication |
+| §164.312(e)(1) | Transmission security |
+| §164.530(j) | Documentation retention (6 years) |
+
+---
+
+## Roadmap
+
+### Coming Soon
+- [x] GitHub Action for CI/CD integration
+- [ ] VS Code extension with inline warnings
+- [ ] Slack/Teams notifications for new findings
+- [ ] Custom rule definitions (YAML)
+
+### Planned
+- [ ] HITRUST CSF mapping
+- [ ] SOC 2 compliance checks
+- [ ] AWS/GCP/Azure infrastructure scanning
+- [ ] Team dashboard with trend tracking
+- [ ] Jira/Linear integration for issue tracking
+
+### Future
+- [ ] AI-powered fix suggestions
+- [ ] Dependency vulnerability scanning
+- [ ] Runtime PHI detection agent
+- [ ] Compliance certification workflows
+
+---
+
+## Contributing
+
+Contributions are welcome! Please read our contributing guidelines before submitting PRs.
+
+```bash
+# Development
+npm install
+npm run dev      # Watch mode
+npm run test     # Run tests
+npm run lint     # Lint code
+```
+
+---
+
+## License
+
+MIT License - see [LICENSE](LICENSE) for details.
+
+---
+
+<p align="center">
+  Built for healthcare developers who take compliance seriously.
+  <br>
+  <a href="https://github.com/Francosimon53/verification-layer/issues">Report Bug</a>
+  ·
+  <a href="https://github.com/Francosimon53/verification-layer/issues">Request Feature</a>
+</p>

package/dist/audit/evidence.d.ts

@@ -0,0 +1,25 @@
+import type { AuditEvidence, CodeSnapshot, Finding, FixType } from '../types.js';
+/**
+ * Generate SHA256 hash of file content
+ */
+export declare function hashContent(content: string): string;
+/**
+ * Extract code snapshot with context lines
+ */
+export declare function extractCodeSnapshot(lines: string[], lineNumber: number, contextSize?: number): CodeSnapshot;
+/**
+ * Create audit evidence for a fix
+ */
+export declare function createEvidence(finding: Finding, filePath: string, contentBefore: string, contentAfter: string, lineNumber: number, fixType: FixType): Promise<AuditEvidence>;
+/**
+ * Generate a hash for the entire audit trail (for verification)
+ */
+export declare function generateAuditTrailHash(evidence: AuditEvidence[]): string;
+/**
+ * Read file and compute hash
+ */
+export declare function getFileWithHash(filePath: string): Promise<{
+    content: string;
+    hash: string;
+}>;
+//# sourceMappingURL=evidence.d.ts.map

package/dist/audit/evidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.d.ts","sourceRoot":"","sources":["../../src/audit/evidence.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAe,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE9F;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,EAAE,MAAM,EAClB,WAAW,GAAE,MAAU,GACtB,YAAY,CAkBd;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,aAAa,CAAC,CAoBxB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,aAAa,EAAE,GAAG,MAAM,CAKxE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAMlG"}

package/dist/audit/evidence.js

@@ -0,0 +1,70 @@
+import { createHash, randomUUID } from 'crypto';
+import { readFile } from 'fs/promises';
+/**
+ * Generate SHA256 hash of file content
+ */
+export function hashContent(content) {
+    return createHash('sha256').update(content, 'utf8').digest('hex');
+}
+/**
+ * Extract code snapshot with context lines
+ */
+export function extractCodeSnapshot(lines, lineNumber, contextSize = 3) {
+    const context = [];
+    const start = Math.max(0, lineNumber - contextSize);
+    const end = Math.min(lines.length - 1, lineNumber + contextSize);
+    for (let i = start; i <= end; i++) {
+        context.push({
+            lineNumber: i + 1,
+            content: lines[i] || '',
+            isMatch: i === lineNumber,
+        });
+    }
+    return {
+        content: lines[lineNumber] || '',
+        context,
+        lineNumber: lineNumber + 1,
+    };
+}
+/**
+ * Create audit evidence for a fix
+ */
+export async function createEvidence(finding, filePath, contentBefore, contentAfter, lineNumber, fixType) {
+    const linesBefore = contentBefore.split('\n');
+    const linesAfter = contentAfter.split('\n');
+    const before = extractCodeSnapshot(linesBefore, lineNumber);
+    const after = extractCodeSnapshot(linesAfter, lineNumber);
+    return {
+        id: randomUUID(),
+        findingId: finding.id,
+        timestamp: new Date().toISOString(),
+        filePath,
+        before,
+        after,
+        fileHashBefore: hashContent(contentBefore),
+        fileHashAfter: hashContent(contentAfter),
+        hipaaReference: finding.hipaaReference || 'General HIPAA Security Rule',
+        fixType,
+        description: `Auto-fixed: ${finding.title}`,
+    };
+}
+/**
+ * Generate a hash for the entire audit trail (for verification)
+ */
+export function generateAuditTrailHash(evidence) {
+    const evidenceStr = evidence
+        .map(e => `${e.id}|${e.fileHashBefore}|${e.fileHashAfter}|${e.timestamp}`)
+        .join('\n');
+    return hashContent(evidenceStr);
+}
+/**
+ * Read file and compute hash
+ */
+export async function getFileWithHash(filePath) {
+    const content = await readFile(filePath, 'utf-8');
+    return {
+        content,
+        hash: hashContent(content),
+    };
+}
+//# sourceMappingURL=evidence.js.map

package/dist/audit/evidence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.js","sourceRoot":"","sources":["../../src/audit/evidence.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAe,EACf,UAAkB,EAClB,cAAsB,CAAC;IAEvB,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC,CAAC;IAEjE,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,OAAO,CAAC,IAAI,CAAC;YACX,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;YACvB,OAAO,EAAE,CAAC,KAAK,UAAU;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE;QAChC,OAAO;QACP,UAAU,EAAE,UAAU,GAAG,CAAC;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAgB,EAChB,QAAgB,EAChB,aAAqB,EACrB,YAAoB,EACpB,UAAkB,EAClB,OAAgB;IAEhB,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,mBAAmB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAE1D,OAAO;QACL,EAAE,EAAE,UAAU,EAAE;QAChB,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,MAAM;QACN,KAAK;QACL,cAAc,EAAE,WAAW,CAAC,aAAa,CAAC;QAC1C,aAAa,EAAE,WAAW,CAAC,YAAY,CAAC;QACxC,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,6BAA6B;QACvE,OAAO;QACP,WAAW,EAAE,eAAe,OAAO,CAAC,KAAK,EAAE;KAC5C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAyB;IAC9D,MAAM,WAAW,GAAG,QAAQ;SACzB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;SACzE,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO,WAAW,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,QAAgB;IACpD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO;QACL,OAAO;QACP,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC;KAC3B,CAAC;AACJ,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,54 @@
+import type { AuditTrail, AuditEvidence, ManualReviewItem, Finding, ManualReviewStatus } from '../types.js';
+/**
+ * Create a new audit trail
+ */
+export declare function createAuditTrail(projectPath: string): AuditTrail;
+/**
+ * Add evidence to audit trail
+ */
+export declare function addEvidence(trail: AuditTrail, evidence: AuditEvidence): void;
+/**
+ * Create a manual review item for findings that cannot be auto-fixed
+ */
+export declare function createManualReview(finding: Finding): ManualReviewItem;
+/**
+ * Add manual review items for non-fixable findings
+ */
+export declare function addManualReviews(trail: AuditTrail, findings: Finding[]): void;
+/**
+ * Update scan statistics
+ */
+export declare function updateScanStats(trail: AuditTrail, totalFindings: number, scannedFiles: number, scanDuration: number): void;
+/**
+ * Finalize audit trail with hash
+ */
+export declare function finalizeAuditTrail(trail: AuditTrail): void;
+/**
+ * Save audit trail to file
+ */
+export declare function saveAuditTrail(trail: AuditTrail, projectPath: string): Promise<string>;
+/**
+ * Load existing audit trail
+ */
+export declare function loadAuditTrail(projectPath: string): Promise<AuditTrail | null>;
+/**
+ * Get audit trail file path
+ */
+export declare function getAuditTrailPath(projectPath: string): string;
+/**
+ * Update manual review status
+ */
+export declare function updateManualReviewStatus(trail: AuditTrail, reviewId: string, status: ManualReviewStatus, assignedTo?: string, notes?: string): boolean;
+/**
+ * Get summary statistics from audit trail
+ */
+export declare function getAuditSummary(trail: AuditTrail): {
+    totalFindings: number;
+    autoFixed: number;
+    pendingManualReview: number;
+    reviewsByStatus: Record<string, number>;
+    reviewsBySeverity: Record<string, number>;
+    overdueCount: number;
+    reportHash: string | undefined;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,OAAO,EACP,kBAAkB,EACnB,MAAM,aAAa,CAAC;AAMrB;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,UAAU,CAchE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,GAAG,IAAI,CAG5E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,gBAAgB,CA4BrE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI,CAO7E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,UAAU,EACjB,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,MAAM,EACpB,YAAY,EAAE,MAAM,GACnB,IAAI,CAIN;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAE1D;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAY5F;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CASpF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,UAAU,EACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,kBAAkB,EAC1B,UAAU,CAAC,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAUT;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU;;;;;;;;EAwBhD"}

package/dist/audit/index.js

@@ -0,0 +1,159 @@
+import { randomUUID } from 'crypto';
+import { readFile, writeFile, mkdir } from 'fs/promises';
+import { basename, join } from 'path';
+import { generateAuditTrailHash } from './evidence.js';
+const AUDIT_DIR = '.vlayer';
+const AUDIT_FILE = 'audit-trail.json';
+/**
+ * Create a new audit trail
+ */
+export function createAuditTrail(projectPath) {
+    return {
+        id: randomUUID(),
+        createdAt: new Date().toISOString(),
+        projectPath,
+        projectName: basename(projectPath),
+        scanDuration: 0,
+        scannedFiles: 0,
+        totalFindings: 0,
+        autoFixedCount: 0,
+        manualReviewCount: 0,
+        evidence: [],
+        manualReviews: [],
+    };
+}
+/**
+ * Add evidence to audit trail
+ */
+export function addEvidence(trail, evidence) {
+    trail.evidence.push(evidence);
+    trail.autoFixedCount = trail.evidence.length;
+}
+/**
+ * Create a manual review item for findings that cannot be auto-fixed
+ */
+export function createManualReview(finding) {
+    const now = new Date();
+    const suggestedDeadline = new Date(now);
+    // Set deadline based on severity
+    switch (finding.severity) {
+        case 'critical':
+            suggestedDeadline.setDate(now.getDate() + 7); // 1 week
+            break;
+        case 'high':
+            suggestedDeadline.setDate(now.getDate() + 14); // 2 weeks
+            break;
+        case 'medium':
+            suggestedDeadline.setDate(now.getDate() + 30); // 1 month
+            break;
+        default:
+            suggestedDeadline.setDate(now.getDate() + 60); // 2 months
+    }
+    return {
+        id: randomUUID(),
+        findingId: finding.id,
+        finding,
+        status: 'pending_review',
+        suggestedDeadline: suggestedDeadline.toISOString(),
+        createdAt: now.toISOString(),
+        updatedAt: now.toISOString(),
+    };
+}
+/**
+ * Add manual review items for non-fixable findings
+ */
+export function addManualReviews(trail, findings) {
+    const nonFixableFindings = findings.filter(f => !f.fixType);
+    for (const finding of nonFixableFindings) {
+        const review = createManualReview(finding);
+        trail.manualReviews.push(review);
+    }
+    trail.manualReviewCount = trail.manualReviews.length;
+}
+/**
+ * Update scan statistics
+ */
+export function updateScanStats(trail, totalFindings, scannedFiles, scanDuration) {
+    trail.totalFindings = totalFindings;
+    trail.scannedFiles = scannedFiles;
+    trail.scanDuration = scanDuration;
+}
+/**
+ * Finalize audit trail with hash
+ */
+export function finalizeAuditTrail(trail) {
+    trail.reportHash = generateAuditTrailHash(trail.evidence);
+}
+/**
+ * Save audit trail to file
+ */
+export async function saveAuditTrail(trail, projectPath) {
+    const auditDir = join(projectPath, AUDIT_DIR);
+    const auditPath = join(auditDir, AUDIT_FILE);
+    try {
+        await mkdir(auditDir, { recursive: true });
+    }
+    catch {
+        // Directory may already exist
+    }
+    await writeFile(auditPath, JSON.stringify(trail, null, 2), 'utf-8');
+    return auditPath;
+}
+/**
+ * Load existing audit trail
+ */
+export async function loadAuditTrail(projectPath) {
+    const auditPath = join(projectPath, AUDIT_DIR, AUDIT_FILE);
+    try {
+        const content = await readFile(auditPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get audit trail file path
+ */
+export function getAuditTrailPath(projectPath) {
+    return join(projectPath, AUDIT_DIR, AUDIT_FILE);
+}
+/**
+ * Update manual review status
+ */
+export function updateManualReviewStatus(trail, reviewId, status, assignedTo, notes) {
+    const review = trail.manualReviews.find(r => r.id === reviewId);
+    if (!review)
+        return false;
+    review.status = status;
+    review.updatedAt = new Date().toISOString();
+    if (assignedTo)
+        review.assignedTo = assignedTo;
+    if (notes)
+        review.notes = notes;
+    return true;
+}
+/**
+ * Get summary statistics from audit trail
+ */
+export function getAuditSummary(trail) {
+    const reviewsByStatus = trail.manualReviews.reduce((acc, review) => {
+        acc[review.status] = (acc[review.status] || 0) + 1;
+        return acc;
+    }, {});
+    const reviewsBySeverity = trail.manualReviews.reduce((acc, review) => {
+        acc[review.finding.severity] = (acc[review.finding.severity] || 0) + 1;
+        return acc;
+    }, {});
+    const overdueReviews = trail.manualReviews.filter(r => new Date(r.suggestedDeadline) < new Date() && r.status === 'pending_review');
+    return {
+        totalFindings: trail.totalFindings,
+        autoFixed: trail.autoFixedCount,
+        pendingManualReview: trail.manualReviewCount,
+        reviewsByStatus,
+        reviewsBySeverity,
+        overdueCount: overdueReviews.length,
+        reportHash: trail.reportHash,
+    };
+}
+//# sourceMappingURL=index.js.map