vskill 0.1.2 → 0.1.3

package/dist/audit/formatters/sarif-formatter.js

@@ -0,0 +1,87 @@
+/**
+ * SARIF v2.1.0 formatter — generates SARIF-compliant JSON for CI tools.
+ *
+ * Enables integration with GitHub Code Scanning, VS Code SARIF Viewer,
+ * and other standard static analysis result consumers.
+ */
+/** Map severity to SARIF result level */
+function toSarifLevel(severity) {
+    switch (severity) {
+        case "critical":
+        case "high":
+            return "error";
+        case "medium":
+            return "warning";
+        case "low":
+        case "info":
+            return "note";
+    }
+}
+/**
+ * Format an AuditResult as SARIF v2.1.0 JSON string.
+ */
+export function formatSarif(result) {
+    // Collect unique rules from findings
+    const rulesMap = new Map();
+    for (const f of result.findings) {
+        if (!rulesMap.has(f.ruleId)) {
+            rulesMap.set(f.ruleId, {
+                id: f.ruleId,
+                shortDescription: f.message,
+                category: f.category,
+            });
+        }
+    }
+    const rules = Array.from(rulesMap.values()).map((r) => ({
+        id: r.id,
+        name: r.id,
+        shortDescription: { text: r.shortDescription },
+        properties: { category: r.category },
+    }));
+    const results = result.findings.map((f) => ({
+        ruleId: f.ruleId,
+        level: toSarifLevel(f.severity),
+        message: { text: f.message },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: { uri: f.filePath },
+                    region: {
+                        startLine: f.line,
+                        ...(f.column ? { startColumn: f.column } : {}),
+                        ...(f.endLine ? { endLine: f.endLine } : {}),
+                    },
+                },
+            },
+        ],
+        properties: {
+            confidence: f.confidence,
+            source: f.source,
+        },
+    }));
+    const sarif = {
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "vskill-audit",
+                        informationUri: "https://verified-skill.com",
+                        rules,
+                    },
+                },
+                results,
+                invocations: [
+                    {
+                        executionSuccessful: true,
+                        startTimeUtc: result.startedAt,
+                        endTimeUtc: result.completedAt,
+                    },
+                ],
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+//# sourceMappingURL=sarif-formatter.js.map

package/dist/audit/formatters/sarif-formatter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif-formatter.js","sourceRoot":"","sources":["../../../src/audit/formatters/sarif-formatter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,yCAAyC;AACzC,SAAS,YAAY,CAAC,QAAkB;IACtC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,SAAS,CAAC;QACnB,KAAK,KAAK,CAAC;QACX,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,MAAmB;IAC7C,qCAAqC;IACrC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAsE,CAAC;IAC/F,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE;gBACrB,EAAE,EAAE,CAAC,CAAC,MAAM;gBACZ,gBAAgB,EAAE,CAAC,CAAC,OAAO;gBAC3B,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtD,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,EAAE;QACV,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,gBAAgB,EAAE;QAC9C,UAAU,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE;KACrC,CAAC,CAAC,CAAC;IAEJ,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,QAAoB,CAAC;QAC3C,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE;QAC5B,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;oBACrC,MAAM,EAAE;wBACN,SAAS,EAAE,CAAC,CAAC,IAAI;wBACjB,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC9C,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAC7C;iBACF;aACF;SACF;QACD,UAAU,EAAE;YACV,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB;KACF,CAAC,CAAC,CAAC;IAEJ,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,cAAc;wBACpB,cAAc,EAAE,4BAA4B;wBAC5C,KAAK;qBACN;iBACF;gBACD,OAAO;gBACP,WAAW,EAAE;oBACX;wBACE,mBAAmB,EAAE,IAAI;wBACzB,YAAY,EAAE,MAAM,CAAC,SAAS;wBAC9B,UAAU,EAAE,MAAM,CAAC,WAAW;qBAC/B;iBACF;aACF;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC"}

package/dist/audit/formatters/sarif-formatter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/formatters/sarif-formatter.test.js

@@ -0,0 +1,71 @@
+import { describe, it, expect } from "vitest";
+import { formatSarif } from "./sarif-formatter.js";
+import { createDefaultAuditConfig } from "../audit-types.js";
+function makeResult(overrides = {}) {
+    return {
+        rootPath: "/project",
+        startedAt: "2026-02-20T18:00:00Z",
+        completedAt: "2026-02-20T18:00:01Z",
+        durationMs: 1000,
+        filesScanned: 10,
+        filesWithFindings: 0,
+        findings: [],
+        summary: {
+            critical: 0, high: 0, medium: 0, low: 0, info: 0,
+            total: 0, score: 100, verdict: "PASS",
+        },
+        config: createDefaultAuditConfig(),
+        ...overrides,
+    };
+}
+describe("sarif-formatter", () => {
+    it("TC-033: output matches SARIF v2.1.0 structure", () => {
+        const output = formatSarif(makeResult());
+        const parsed = JSON.parse(output);
+        expect(parsed.$schema).toContain("sarif");
+        expect(parsed.version).toBe("2.1.0");
+        expect(parsed.runs).toBeInstanceOf(Array);
+        expect(parsed.runs).toHaveLength(1);
+    });
+    it("TC-034: tool information is correct", () => {
+        const output = formatSarif(makeResult());
+        const parsed = JSON.parse(output);
+        const driver = parsed.runs[0].tool.driver;
+        expect(driver.name).toBe("vskill-audit");
+        expect(driver.informationUri).toContain("verified-skill.com");
+    });
+    it("TC-035: findings map to SARIF results with correct locations", () => {
+        const result = makeResult({
+            findings: [
+                { id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high", category: "cmd", message: "exec call", filePath: "src/a.ts", line: 42, snippet: "code", source: "tier1" },
+                { id: "AF-002", ruleId: "XSS-001", severity: "high", confidence: "high", category: "xss", message: "innerHTML", filePath: "src/b.ts", line: 10, snippet: "code", source: "tier1" },
+            ],
+            summary: { critical: 1, high: 1, medium: 0, low: 0, info: 0, total: 2, score: 60, verdict: "CONCERNS" },
+        });
+        const parsed = JSON.parse(formatSarif(result));
+        const results = parsed.runs[0].results;
+        expect(results).toHaveLength(2);
+        expect(results[0].locations[0].physicalLocation.artifactLocation.uri).toBe("src/a.ts");
+        expect(results[0].locations[0].physicalLocation.region.startLine).toBe(42);
+    });
+    it("TC-036: severity maps to correct SARIF levels", () => {
+        const result = makeResult({
+            findings: [
+                { id: "AF-001", ruleId: "R1", severity: "critical", confidence: "high", category: "c", message: "m", filePath: "f.ts", line: 1, snippet: "", source: "tier1" },
+                { id: "AF-002", ruleId: "R2", severity: "high", confidence: "high", category: "c", message: "m", filePath: "f.ts", line: 2, snippet: "", source: "tier1" },
+                { id: "AF-003", ruleId: "R3", severity: "medium", confidence: "high", category: "c", message: "m", filePath: "f.ts", line: 3, snippet: "", source: "tier1" },
+                { id: "AF-004", ruleId: "R4", severity: "low", confidence: "high", category: "c", message: "m", filePath: "f.ts", line: 4, snippet: "", source: "tier1" },
+                { id: "AF-005", ruleId: "R5", severity: "info", confidence: "high", category: "c", message: "m", filePath: "f.ts", line: 5, snippet: "", source: "tier1" },
+            ],
+            summary: { critical: 1, high: 1, medium: 1, low: 1, info: 1, total: 5, score: 49, verdict: "FAIL" },
+        });
+        const parsed = JSON.parse(formatSarif(result));
+        const results = parsed.runs[0].results;
+        expect(results[0].level).toBe("error"); // critical
+        expect(results[1].level).toBe("error"); // high
+        expect(results[2].level).toBe("warning"); // medium
+        expect(results[3].level).toBe("note"); // low
+        expect(results[4].level).toBe("note"); // info
+    });
+});
+//# sourceMappingURL=sarif-formatter.test.js.map

package/dist/audit/formatters/sarif-formatter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif-formatter.test.js","sourceRoot":"","sources":["../../../src/audit/formatters/sarif-formatter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,wBAAwB,EAAoB,MAAM,mBAAmB,CAAC;AAE/E,SAAS,UAAU,CAAC,YAAkC,EAAE;IACtD,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,sBAAsB;QACjC,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,CAAC;QACpB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE;YACP,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;YAChD,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM;SACtC;QACD,MAAM,EAAE,wBAAwB,EAAE;QAClC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAElC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;QAE1C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,MAAM,GAAG,UAAU,CAAC;YACxB,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;gBACrL,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;aACnL;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;SACxG,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAEvC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvF,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,MAAM,GAAG,UAAU,CAAC;YACxB,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;gBAC9J,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;gBAC1J,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;gBAC5J,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;gBACzJ,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;aAC3J;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE;SACpG,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAEvC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAG,WAAW;QACrD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAG,OAAO;QACjD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACnD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAI,MAAM;QAChD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAI,OAAO;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/formatters/terminal-formatter.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Terminal formatter — renders AuditResult as colored terminal output.
+ */
+import type { AuditResult } from "../audit-types.js";
+/**
+ * Format an AuditResult as a human-readable terminal string.
+ * Uses plain text (colors applied by the CLI command layer).
+ */
+export declare function formatTerminal(result: AuditResult): string;

package/dist/audit/formatters/terminal-formatter.js

@@ -0,0 +1,61 @@
+/**
+ * Terminal formatter — renders AuditResult as colored terminal output.
+ */
+/**
+ * Format an AuditResult as a human-readable terminal string.
+ * Uses plain text (colors applied by the CLI command layer).
+ */
+export function formatTerminal(result) {
+    const lines = [];
+    // Header
+    lines.push("vskill audit");
+    lines.push("");
+    lines.push(`Score: ${result.summary.score}/100  ` +
+        `Verdict: ${result.summary.verdict}  ` +
+        `Files: ${result.filesScanned}  ` +
+        `Time: ${result.durationMs}ms`);
+    lines.push("");
+    if (result.findings.length === 0) {
+        lines.push("No security issues found.");
+        lines.push("");
+        return lines.join("\n");
+    }
+    // Summary counts
+    const parts = [];
+    if (result.summary.critical > 0)
+        parts.push(`${result.summary.critical} critical`);
+    if (result.summary.high > 0)
+        parts.push(`${result.summary.high} high`);
+    if (result.summary.medium > 0)
+        parts.push(`${result.summary.medium} medium`);
+    if (result.summary.low > 0)
+        parts.push(`${result.summary.low} low`);
+    if (result.summary.info > 0)
+        parts.push(`${result.summary.info} info`);
+    lines.push(`Findings: ${parts.join("  ")}`);
+    lines.push("");
+    // Group findings by file
+    const byFile = new Map();
+    for (const f of result.findings) {
+        const group = byFile.get(f.filePath) || [];
+        group.push(f);
+        byFile.set(f.filePath, group);
+    }
+    for (const [filePath, findings] of byFile) {
+        lines.push(`── ${filePath} (${findings.length} finding${findings.length > 1 ? "s" : ""})`);
+        lines.push("");
+        for (const f of findings) {
+            lines.push(`  ${f.severity.toUpperCase()} [${f.ruleId}] ${f.message}`);
+            lines.push(`  Line ${f.line}`);
+            if (f.snippet) {
+                lines.push("");
+                for (const snippetLine of f.snippet.split("\n")) {
+                    lines.push(`    ${snippetLine}`);
+                }
+                lines.push("");
+            }
+        }
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=terminal-formatter.js.map

package/dist/audit/formatters/terminal-formatter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal-formatter.js","sourceRoot":"","sources":["../../../src/audit/formatters/terminal-formatter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAmB;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,SAAS;IACT,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,UAAU,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;QACtC,YAAY,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI;QACtC,UAAU,MAAM,CAAC,YAAY,IAAI;QACjC,SAAS,MAAM,CAAC,UAAU,IAAI,CAC/B,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,iBAAiB;IACjB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,WAAW,CAAC,CAAC;IACnF,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC;IACvE,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,SAAS,CAAC,CAAC;IAC7E,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;IACpE,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,CAAC;IACvE,KAAK,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,yBAAyB;IACzB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA0B,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,MAAM,QAAQ,KAAK,QAAQ,CAAC,MAAM,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3F,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/B,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACf,KAAK,MAAM,WAAW,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,KAAK,CAAC,IAAI,CAAC,OAAO,WAAW,EAAE,CAAC,CAAC;gBACnC,CAAC;gBACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/audit/formatters/terminal-formatter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/formatters/terminal-formatter.test.js

@@ -0,0 +1,51 @@
+import { describe, it, expect } from "vitest";
+import { formatTerminal } from "./terminal-formatter.js";
+import { createDefaultAuditConfig } from "../audit-types.js";
+function makeResult(overrides = {}) {
+    return {
+        rootPath: "/project",
+        startedAt: "2026-02-20T18:00:00Z",
+        completedAt: "2026-02-20T18:00:01Z",
+        durationMs: 1000,
+        filesScanned: 10,
+        filesWithFindings: 0,
+        findings: [],
+        summary: {
+            critical: 0, high: 0, medium: 0, low: 0, info: 0,
+            total: 0, score: 100, verdict: "PASS",
+        },
+        config: createDefaultAuditConfig(),
+        ...overrides,
+    };
+}
+describe("terminal-formatter", () => {
+    it("TC-027: formats empty results correctly", () => {
+        const output = formatTerminal(makeResult());
+        expect(output).toContain("No security issues found");
+    });
+    it("TC-028: groups findings by file", () => {
+        const output = formatTerminal(makeResult({
+            filesWithFindings: 3,
+            findings: [
+                { id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high", category: "cmd", message: "exec", filePath: "src/a.ts", line: 1, snippet: "code", source: "tier1" },
+                { id: "AF-002", ruleId: "XSS-001", severity: "high", confidence: "high", category: "xss", message: "xss", filePath: "src/b.ts", line: 2, snippet: "code", source: "tier1" },
+                { id: "AF-003", ruleId: "SQLI-001", severity: "critical", confidence: "high", category: "sql", message: "sql", filePath: "src/c.ts", line: 3, snippet: "code", source: "tier1" },
+            ],
+            summary: { critical: 2, high: 1, medium: 0, low: 0, info: 0, total: 3, score: 35, verdict: "FAIL" },
+        }));
+        expect(output).toContain("src/a.ts");
+        expect(output).toContain("src/b.ts");
+        expect(output).toContain("src/c.ts");
+    });
+    it("TC-029: includes code snippets", () => {
+        const output = formatTerminal(makeResult({
+            filesWithFindings: 1,
+            findings: [
+                { id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high", category: "cmd", message: "exec call", filePath: "src/a.ts", line: 1, snippet: "> 1 | exec(command);", source: "tier1" },
+            ],
+            summary: { critical: 1, high: 0, medium: 0, low: 0, info: 0, total: 1, score: 75, verdict: "CONCERNS" },
+        }));
+        expect(output).toContain("exec(command)");
+    });
+});
+//# sourceMappingURL=terminal-formatter.test.js.map

package/dist/audit/formatters/terminal-formatter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"terminal-formatter.test.js","sourceRoot":"","sources":["../../../src/audit/formatters/terminal-formatter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,wBAAwB,EAAoB,MAAM,mBAAmB,CAAC;AAE/E,SAAS,UAAU,CAAC,YAAkC,EAAE;IACtD,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,sBAAsB;QACjC,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,CAAC;QACpB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE;YACP,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;YAChD,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM;SACtC;QACD,MAAM,EAAE,wBAAwB,EAAE;QAClC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,cAAc,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC;YACvC,iBAAiB,EAAE,CAAC;YACpB,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;gBAC/K,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;gBAC3K,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;aACjL;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE;SACpG,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC;YACvC,iBAAiB,EAAE,CAAC;YACpB,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,OAAO,EAAE;aACrM;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;SACxG,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,2 @@
+export { createDefaultAuditConfig, } from "./audit-types.js";
+export type { AuditConfig, AuditFile, AuditFinding, AuditResult, AuditSummary, Confidence, DataFlowStep, DataFlowTrace, FindingSource, } from "./audit-types.js";

package/dist/audit/index.js

@@ -0,0 +1,2 @@
+export { createDefaultAuditConfig, } from "./audit-types.js";
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wBAAwB,GACzB,MAAM,kBAAkB,CAAC"}

package/dist/blocklist/blocklist-e2e.test.d.ts

@@ -0,0 +1 @@
+export {};