vskill 0.1.2 → 0.1.4

package/dist/audit/file-discovery.test.js

@@ -0,0 +1,120 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, mkdir, writeFile, rm } from "node:fs/promises";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { discoverAuditFiles } from "./file-discovery.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+describe("file-discovery", () => {
+    let tmpDir;
+    beforeEach(async () => {
+        tmpDir = await mkdtemp(join(tmpdir(), "vskill-audit-test-"));
+    });
+    afterEach(async () => {
+        await rm(tmpDir, { recursive: true, force: true });
+    });
+    it("TC-003: discovers .ts, .js, .py files in a directory tree", async () => {
+        await mkdir(join(tmpDir, "src"), { recursive: true });
+        await writeFile(join(tmpDir, "src", "app.ts"), "const x = 1;");
+        await writeFile(join(tmpDir, "src", "utils.js"), "module.exports = {};");
+        await writeFile(join(tmpDir, "script.py"), "print('hello')");
+        // Non-scannable file
+        await writeFile(join(tmpDir, "image.png"), Buffer.from([0x89, 0x50, 0x4e, 0x47]));
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path).sort();
+        expect(paths).toContain("src/app.ts");
+        expect(paths).toContain("src/utils.js");
+        expect(paths).toContain("script.py");
+        expect(paths).not.toContain("image.png");
+    });
+    it("TC-004: skips node_modules and .git directories", async () => {
+        await mkdir(join(tmpDir, "src"), { recursive: true });
+        await mkdir(join(tmpDir, "node_modules", "pkg"), { recursive: true });
+        await mkdir(join(tmpDir, ".git", "objects"), { recursive: true });
+        await writeFile(join(tmpDir, "src", "app.ts"), "const x = 1;");
+        await writeFile(join(tmpDir, "node_modules", "pkg", "index.js"), "bad");
+        await writeFile(join(tmpDir, ".git", "objects", "data.js"), "bad");
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path);
+        expect(paths).toContain("src/app.ts");
+        expect(paths).not.toContain("node_modules/pkg/index.js");
+        expect(paths).not.toContain(".git/objects/data.js");
+    });
+    it("TC-005: scans a single file when path points to a file", async () => {
+        const filePath = join(tmpDir, "app.ts");
+        await writeFile(filePath, "const x = 1;");
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(filePath, config);
+        expect(files).toHaveLength(1);
+        expect(files[0].path).toBe("app.ts");
+        expect(files[0].content).toBe("const x = 1;");
+    });
+    it("TC-006: respects maxFiles limit", async () => {
+        await mkdir(join(tmpDir, "src"), { recursive: true });
+        for (let i = 0; i < 10; i++) {
+            await writeFile(join(tmpDir, "src", `file${i}.ts`), `const x = ${i};`);
+        }
+        const config = createDefaultAuditConfig();
+        config.maxFiles = 5;
+        const files = await discoverAuditFiles(tmpDir, config);
+        expect(files.length).toBeLessThanOrEqual(5);
+    });
+    it("TC-007: skips binary files", async () => {
+        await writeFile(join(tmpDir, "text.ts"), "const x = 1;");
+        // Create a file with null bytes (binary indicator)
+        const binaryContent = Buffer.alloc(100);
+        binaryContent[50] = 0; // null byte
+        binaryContent.write("const y = 2;", 0);
+        await writeFile(join(tmpDir, "binary.ts"), binaryContent);
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path);
+        expect(paths).toContain("text.ts");
+        expect(paths).not.toContain("binary.ts");
+    });
+    it("TC-008: respects exclude patterns", async () => {
+        await mkdir(join(tmpDir, "src"), { recursive: true });
+        await mkdir(join(tmpDir, "test"), { recursive: true });
+        await writeFile(join(tmpDir, "src", "app.ts"), "const x = 1;");
+        await writeFile(join(tmpDir, "test", "app.test.ts"), "test code");
+        const config = createDefaultAuditConfig();
+        config.excludePaths = ["**/test/**"];
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path);
+        expect(paths).toContain("src/app.ts");
+        expect(paths).not.toContain("test/app.test.ts");
+    });
+    it("skips dist, build, coverage, .next directories", async () => {
+        await mkdir(join(tmpDir, "src"), { recursive: true });
+        await mkdir(join(tmpDir, "dist"), { recursive: true });
+        await mkdir(join(tmpDir, "build"), { recursive: true });
+        await mkdir(join(tmpDir, "coverage"), { recursive: true });
+        await mkdir(join(tmpDir, ".next"), { recursive: true });
+        await writeFile(join(tmpDir, "src", "app.ts"), "const x = 1;");
+        await writeFile(join(tmpDir, "dist", "app.js"), "compiled");
+        await writeFile(join(tmpDir, "build", "app.js"), "compiled");
+        await writeFile(join(tmpDir, "coverage", "lcov.js"), "data");
+        await writeFile(join(tmpDir, ".next", "server.js"), "data");
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path);
+        expect(paths).toContain("src/app.ts");
+        expect(paths).not.toContain("dist/app.js");
+        expect(paths).not.toContain("build/app.js");
+        expect(paths).not.toContain("coverage/lcov.js");
+        expect(paths).not.toContain(".next/server.js");
+    });
+    it("respects maxFileSize limit", async () => {
+        await writeFile(join(tmpDir, "small.ts"), "x");
+        // Create a file larger than default maxFileSize
+        const largeContent = "x".repeat(200 * 1024);
+        await writeFile(join(tmpDir, "large.ts"), largeContent);
+        const config = createDefaultAuditConfig();
+        const files = await discoverAuditFiles(tmpDir, config);
+        const paths = files.map((f) => f.path);
+        expect(paths).toContain("small.ts");
+        expect(paths).not.toContain("large.ts");
+    });
+});
+//# sourceMappingURL=file-discovery.test.js.map

package/dist/audit/file-discovery.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-discovery.test.js","sourceRoot":"","sources":["../../src/audit/file-discovery.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAE5D,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,sBAAsB,CAAC,CAAC;QACzE,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAC7D,qBAAqB;QACrB,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QAElF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAElE,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACxE,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;QAEnE,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,2BAA2B,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACxC,MAAM,SAAS,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEzD,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC;QACpB,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,cAAc,CAAC,CAAC;QACzD,mDAAmD;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxC,aAAa,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY;QACnC,aAAa,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC;QACvC,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,aAAa,CAAC,CAAC;QAE1D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACnC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,WAAW,CAAC,CAAC;QAElE,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,CAAC,YAAY,GAAG,CAAC,YAAY,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAExD,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC;QAC/D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;QAC5D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,EAAE,MAAM,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC3C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAChD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,GAAG,CAAC,CAAC;QAC/C,gDAAgD;QAChD,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;QAC5C,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC;QAExD,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEvD,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/fix-suggestions.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Fix suggestions for audit findings.
+ *
+ * Maps pattern IDs to human-readable remediation advice.
+ */
+import type { AuditFinding } from "./audit-types.js";
+/** Fix suggestion lookup by pattern ID */
+export declare const FIX_SUGGESTIONS: Record<string, string>;
+/**
+ * Attach fix suggestions to findings based on their ruleId.
+ * Only attaches when fix=true.
+ */
+export declare function attachFixSuggestions(findings: AuditFinding[], fix: boolean): AuditFinding[];

package/dist/audit/fix-suggestions.js

@@ -0,0 +1,84 @@
+/**
+ * Fix suggestions for audit findings.
+ *
+ * Maps pattern IDs to human-readable remediation advice.
+ */
+/** Fix suggestion lookup by pattern ID */
+export const FIX_SUGGESTIONS = {
+    // --- Original SCAN_PATTERNS (37) ---
+    "CI-001": "Replace exec() with execFile() or spawn() with explicit argument arrays to prevent command injection",
+    "CI-002": "Ensure spawn() arguments are not user-controlled; use argument arrays instead of shell strings",
+    "CI-003": "Replace system() with safer subprocess APIs that don't invoke a shell",
+    "CI-004": "Avoid embedding shell paths in strings; use Node.js APIs or explicit command arrays",
+    "CI-005": "Use execFile/spawn instead of execSync/spawnSync when possible; never pass unsanitized input",
+    "CI-006": "Avoid shell pipe operators in exec calls; use separate process pipelines",
+    "CI-007": "Never interpolate user input into exec() template strings; use execFile with argument arrays",
+    "DE-001": "Validate and allowlist URLs before making fetch requests; avoid dynamic URL construction",
+    "DE-002": "Replace XMLHttpRequest with fetch() and apply URL allowlisting",
+    "DE-003": "Validate WebSocket connection URLs against an allowlist",
+    "DE-004": "Avoid encoding data into DNS lookups; review data flow for exfiltration",
+    "DE-005": "Review base64 encoding patterns for data exfiltration; ensure data isn't being sent externally",
+    "PE-001": "Remove sudo invocations; run the required commands with appropriate user permissions",
+    "PE-002": "Avoid chmod in application code; set permissions during deployment instead",
+    "PE-003": "Avoid chown in application code; configure ownership during deployment",
+    "PE-004": "Never use setuid/setgid in application code; run with least privilege",
+    "PE-005": "Remove process.setuid/setgid calls; use proper OS-level privilege management",
+    "CT-001": "Use environment variables or a secrets manager instead of reading .env files at runtime",
+    "CT-002": "Never access SSH keys from application code; use a key management service",
+    "CT-003": "Use IAM roles or a secrets manager instead of directly accessing AWS credential files",
+    "CT-004": "Never access the system keychain from application code; use a proper secrets API",
+    "CT-005": "Access environment variables by specific name, not dynamically; use a config loader",
+    "CT-006": "Never hardcode secrets; use environment variables or a secrets manager",
+    "PI-001": "Never allow user input to override system prompts; use input validation and sandboxing",
+    "PI-002": "Filter and validate all input before passing to AI models; implement prompt guardrails",
+    "PI-003": "Validate AI model inputs to prevent role impersonation attacks",
+    "PI-004": "Sanitize input to remove instruction boundary markers; use structured prompting",
+    "FS-001": "Avoid recursive delete operations; use targeted file removal with path validation",
+    "FS-002": "Never write to system paths from application code; use application-specific directories",
+    "FS-003": "Validate and normalize file paths; reject paths containing '..'",
+    "FS-004": "Validate symlink targets before creation; use realpath() to resolve paths",
+    "NA-001": "Validate and allowlist URLs for curl/wget; use application-level HTTP clients instead",
+    "NA-002": "Remove reverse shell patterns; this is a critical security vulnerability",
+    "NA-003": "Avoid constructing URLs from variables; use allowlisted base URLs with parameterized paths",
+    "CE-001": "Replace eval() with JSON.parse() for data or Function constructor for code; never eval user input",
+    "CE-002": "Avoid new Function(); use explicit function definitions instead",
+    "CE-003": "Avoid dynamic imports with user-controlled paths; use a module allowlist",
+    // --- Project-specific AUDIT_PATTERNS ---
+    "SQLI-001": "Use parameterized queries or prepared statements instead of string concatenation in SQL",
+    "SQLI-002": "Use parameterized queries; never use template literals for SQL with user input",
+    "SQLI-003": "Use query parameters (?) or named parameters (:name) instead of string interpolation",
+    "SSRF-001": "Validate URLs against an allowlist of trusted domains before making requests",
+    "SSRF-002": "Never pass request parameters directly to HTTP clients; validate and sanitize URLs",
+    "BAC-001": "Add authentication middleware to all non-public route handlers",
+    "BAC-002": "Verify resource ownership by comparing request user ID with resource owner ID",
+    "HS-001": "Move API keys to environment variables or a secrets manager; never hardcode in source",
+    "HS-002": "Remove private keys from source code; use a key management service or environment variables",
+    "HS-003": "Move passwords to environment variables or a secrets manager; use bcrypt/argon2 for hashing",
+    "HS-004": "Remove cloud credentials from source code; use IAM roles or environment-based configuration",
+    "XSS-001": "Use textContent instead of innerHTML; if HTML is needed, sanitize with DOMPurify",
+    "XSS-002": "Ensure content passed to dangerouslySetInnerHTML is sanitized with DOMPurify or similar",
+    "XSS-003": "Replace document.write() with DOM manipulation methods (createElement, appendChild)",
+    "OR-001": "Validate redirect URLs against an allowlist of trusted paths/domains",
+    "OR-002": "Only set Location header from a predefined list of valid redirect targets",
+    "ID-001": "Use yaml.safeLoad() or yaml.load() with SAFE_SCHEMA instead of yaml.load()",
+    "ID-002": "Replace pickle with JSON or another safe serialization format; never deserialize untrusted data",
+    "ID-003": "Validate parsed JSON against a schema (Zod, Joi, or ajv) before using it",
+    "WC-001": "Replace MD5 with SHA-256 or SHA-3 for cryptographic hashing",
+    "WC-002": "Replace SHA-1 with SHA-256 or SHA-3; SHA-1 is deprecated for security use",
+};
+/**
+ * Attach fix suggestions to findings based on their ruleId.
+ * Only attaches when fix=true.
+ */
+export function attachFixSuggestions(findings, fix) {
+    if (!fix)
+        return findings;
+    return findings.map((f) => {
+        const suggestion = FIX_SUGGESTIONS[f.ruleId];
+        if (suggestion) {
+            return { ...f, suggestedFix: suggestion };
+        }
+        return f;
+    });
+}
+//# sourceMappingURL=fix-suggestions.js.map

package/dist/audit/fix-suggestions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-suggestions.js","sourceRoot":"","sources":["../../src/audit/fix-suggestions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,0CAA0C;AAC1C,MAAM,CAAC,MAAM,eAAe,GAA2B;IACrD,sCAAsC;IACtC,QAAQ,EAAE,sGAAsG;IAChH,QAAQ,EAAE,gGAAgG;IAC1G,QAAQ,EAAE,uEAAuE;IACjF,QAAQ,EAAE,qFAAqF;IAC/F,QAAQ,EAAE,8FAA8F;IACxG,QAAQ,EAAE,0EAA0E;IACpF,QAAQ,EAAE,8FAA8F;IACxG,QAAQ,EAAE,0FAA0F;IACpG,QAAQ,EAAE,gEAAgE;IAC1E,QAAQ,EAAE,yDAAyD;IACnE,QAAQ,EAAE,yEAAyE;IACnF,QAAQ,EAAE,gGAAgG;IAC1G,QAAQ,EAAE,sFAAsF;IAChG,QAAQ,EAAE,4EAA4E;IACtF,QAAQ,EAAE,wEAAwE;IAClF,QAAQ,EAAE,uEAAuE;IACjF,QAAQ,EAAE,8EAA8E;IACxF,QAAQ,EAAE,yFAAyF;IACnG,QAAQ,EAAE,2EAA2E;IACrF,QAAQ,EAAE,uFAAuF;IACjG,QAAQ,EAAE,kFAAkF;IAC5F,QAAQ,EAAE,qFAAqF;IAC/F,QAAQ,EAAE,wEAAwE;IAClF,QAAQ,EAAE,wFAAwF;IAClG,QAAQ,EAAE,wFAAwF;IAClG,QAAQ,EAAE,gEAAgE;IAC1E,QAAQ,EAAE,iFAAiF;IAC3F,QAAQ,EAAE,mFAAmF;IAC7F,QAAQ,EAAE,yFAAyF;IACnG,QAAQ,EAAE,iEAAiE;IAC3E,QAAQ,EAAE,2EAA2E;IACrF,QAAQ,EAAE,uFAAuF;IACjG,QAAQ,EAAE,0EAA0E;IACpF,QAAQ,EAAE,4FAA4F;IACtG,QAAQ,EAAE,mGAAmG;IAC7G,QAAQ,EAAE,iEAAiE;IAC3E,QAAQ,EAAE,0EAA0E;IAEpF,0CAA0C;IAC1C,UAAU,EAAE,yFAAyF;IACrG,UAAU,EAAE,gFAAgF;IAC5F,UAAU,EAAE,sFAAsF;IAClG,UAAU,EAAE,8EAA8E;IAC1F,UAAU,EAAE,oFAAoF;IAChG,SAAS,EAAE,gEAAgE;IAC3E,SAAS,EAAE,+EAA+E;IAC1F,QAAQ,EAAE,uFAAuF;IACjG,QAAQ,EAAE,6FAA6F;IACvG,QAAQ,EAAE,6FAA6F;IACvG,QAAQ,EAAE,6FAA6F;IACvG,SAAS,EAAE,kFAAkF;IAC7F,SAAS,EAAE,yFAAyF;IACpG,SAAS,EAAE,qFAAqF;IAChG,QAAQ,EAAE,sEAAsE;IAChF,QAAQ,EAAE,2EAA2E;IACrF,QAAQ,EAAE,4EAA4E;IACtF,QAAQ,EAAE,iGAAiG;IAC3G,QAAQ,EAAE,0EAA0E;IACpF,QAAQ,EAAE,6DAA6D;IACvE,QAAQ,EAAE,2EAA2E;CACtF,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAwB,EACxB,GAAY;IAEZ,IAAI,CAAC,GAAG;QAAE,OAAO,QAAQ,CAAC;IAE1B,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACxB,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,EAAE,GAAG,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;QAC5C,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/audit/fix-suggestions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/fix-suggestions.test.js

@@ -0,0 +1,35 @@
+import { describe, it, expect } from "vitest";
+import { FIX_SUGGESTIONS, attachFixSuggestions } from "./fix-suggestions.js";
+import { AUDIT_PATTERNS } from "./audit-patterns.js";
+describe("fix-suggestions", () => {
+    it("TC-047: every audit pattern ID has a fix suggestion", () => {
+        for (const pattern of AUDIT_PATTERNS) {
+            expect(FIX_SUGGESTIONS[pattern.id], `Missing fix suggestion for pattern ${pattern.id}`).toBeDefined();
+            expect(FIX_SUGGESTIONS[pattern.id].length).toBeGreaterThan(0);
+        }
+    });
+    it("TC-048: fix suggestion is attached to finding when fix=true", () => {
+        const findings = [
+            {
+                id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high",
+                category: "command-injection", message: "exec() call",
+                filePath: "a.ts", line: 1, snippet: "code", source: "tier1",
+            },
+        ];
+        const result = attachFixSuggestions(findings, true);
+        expect(result[0].suggestedFix).toBeDefined();
+        expect(result[0].suggestedFix.length).toBeGreaterThan(0);
+    });
+    it("TC-049: fix suggestion is absent when fix=false", () => {
+        const findings = [
+            {
+                id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high",
+                category: "command-injection", message: "exec() call",
+                filePath: "a.ts", line: 1, snippet: "code", source: "tier1",
+            },
+        ];
+        const result = attachFixSuggestions(findings, false);
+        expect(result[0].suggestedFix).toBeUndefined();
+    });
+});
+//# sourceMappingURL=fix-suggestions.test.js.map

package/dist/audit/fix-suggestions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-suggestions.test.js","sourceRoot":"","sources":["../../src/audit/fix-suggestions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAGrD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,MAAM,CACJ,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,EAC3B,sCAAsC,OAAO,CAAC,EAAE,EAAE,CACnD,CAAC,WAAW,EAAE,CAAC;YAChB,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,QAAQ,GAAmB;YAC/B;gBACE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;gBACxE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,aAAa;gBACrD,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;aAC5D;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,oBAAoB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAEpD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,QAAQ,GAAmB;YAC/B;gBACE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;gBACxE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,aAAa;gBACrD,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;aAC5D;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAErD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,aAAa,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/formatters/json-formatter.d.ts

@@ -0,0 +1,8 @@
+/**
+ * JSON formatter — serializes AuditResult as structured JSON.
+ */
+import type { AuditResult } from "../audit-types.js";
+/**
+ * Format an AuditResult as a JSON string.
+ */
+export declare function formatJson(result: AuditResult): string;

package/dist/audit/formatters/json-formatter.js

@@ -0,0 +1,10 @@
+/**
+ * JSON formatter — serializes AuditResult as structured JSON.
+ */
+/**
+ * Format an AuditResult as a JSON string.
+ */
+export function formatJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+//# sourceMappingURL=json-formatter.js.map

package/dist/audit/formatters/json-formatter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-formatter.js","sourceRoot":"","sources":["../../../src/audit/formatters/json-formatter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,MAAmB;IAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/audit/formatters/json-formatter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/formatters/json-formatter.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect } from "vitest";
+import { formatJson } from "./json-formatter.js";
+import { createDefaultAuditConfig } from "../audit-types.js";
+function makeResult(overrides = {}) {
+    return {
+        rootPath: "/project",
+        startedAt: "2026-02-20T18:00:00Z",
+        completedAt: "2026-02-20T18:00:01Z",
+        durationMs: 1000,
+        filesScanned: 10,
+        filesWithFindings: 0,
+        findings: [],
+        summary: {
+            critical: 0, high: 0, medium: 0, low: 0, info: 0,
+            total: 0, score: 100, verdict: "PASS",
+        },
+        config: createDefaultAuditConfig(),
+        ...overrides,
+    };
+}
+describe("json-formatter", () => {
+    it("TC-030: output is valid JSON", () => {
+        const output = formatJson(makeResult());
+        expect(() => JSON.parse(output)).not.toThrow();
+    });
+    it("TC-031: all findings are present in output", () => {
+        const findings = Array.from({ length: 5 }, (_, i) => ({
+            id: `AF-${i}`, ruleId: `R-${i}`, severity: "high", confidence: "high",
+            category: "test", message: `msg ${i}`, filePath: `f${i}.ts`, line: i + 1,
+            snippet: "code", source: "tier1",
+        }));
+        const output = formatJson(makeResult({ findings, summary: { critical: 0, high: 5, medium: 0, low: 0, info: 0, total: 5, score: 25, verdict: "FAIL" } }));
+        const parsed = JSON.parse(output);
+        expect(parsed.findings).toHaveLength(5);
+    });
+    it("TC-032: summary statistics are included", () => {
+        const output = formatJson(makeResult({
+            summary: { critical: 1, high: 2, medium: 3, low: 4, info: 5, total: 15, score: 50, verdict: "CONCERNS" },
+        }));
+        const parsed = JSON.parse(output);
+        expect(parsed.summary.critical).toBe(1);
+        expect(parsed.summary.high).toBe(2);
+        expect(parsed.summary.medium).toBe(3);
+        expect(parsed.summary.low).toBe(4);
+        expect(parsed.summary.info).toBe(5);
+        expect(parsed.summary.total).toBe(15);
+    });
+});
+//# sourceMappingURL=json-formatter.test.js.map

package/dist/audit/formatters/json-formatter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json-formatter.test.js","sourceRoot":"","sources":["../../../src/audit/formatters/json-formatter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,wBAAwB,EAAoB,MAAM,mBAAmB,CAAC;AAE/E,SAAS,UAAU,CAAC,YAAkC,EAAE;IACtD,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,sBAAsB;QACjC,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,CAAC;QACpB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE;YACP,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;YAChD,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM;SACtC;QACD,MAAM,EAAE,wBAAwB,EAAE;QAClC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACpD,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAe,EAAE,UAAU,EAAE,MAAe;YACvF,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;YACxE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAgB;SAC1C,CAAC,CAAC,CAAC;QACJ,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;QACzJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC;YACnC,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;SACzG,CAAC,CAAC,CAAC;QACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/formatters/report-formatter.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Markdown report formatter — generates a structured security audit report.
+ */
+import type { AuditResult } from "../audit-types.js";
+/**
+ * Format an AuditResult as a markdown report.
+ */
+export declare function formatReport(result: AuditResult): string;

package/dist/audit/formatters/report-formatter.js

@@ -0,0 +1,97 @@
+/**
+ * Markdown report formatter — generates a structured security audit report.
+ */
+/**
+ * Format an AuditResult as a markdown report.
+ */
+export function formatReport(result) {
+    const lines = [];
+    lines.push("# Security Audit Report");
+    lines.push("");
+    lines.push(`**Generated**: ${result.completedAt}`);
+    lines.push(`**Root**: ${result.rootPath}`);
+    lines.push("");
+    // Executive Summary
+    lines.push("## Executive Summary");
+    lines.push("");
+    lines.push(`| Metric | Value |`);
+    lines.push(`|--------|-------|`);
+    lines.push(`| Score | ${result.summary.score}/100 |`);
+    lines.push(`| Verdict | ${result.summary.verdict} |`);
+    lines.push(`| Files Scanned | ${result.filesScanned} |`);
+    lines.push(`| Files with Issues | ${result.filesWithFindings} |`);
+    lines.push(`| Total Findings | ${result.summary.total} |`);
+    lines.push(`| Duration | ${result.durationMs}ms |`);
+    lines.push("");
+    // Severity breakdown
+    lines.push("### Severity Breakdown");
+    lines.push("");
+    lines.push("| Severity | Count |");
+    lines.push("|----------|-------|");
+    lines.push(`| Critical | ${result.summary.critical} |`);
+    lines.push(`| High | ${result.summary.high} |`);
+    lines.push(`| Medium | ${result.summary.medium} |`);
+    lines.push(`| Low | ${result.summary.low} |`);
+    lines.push(`| Info | ${result.summary.info} |`);
+    lines.push("");
+    if (result.findings.length === 0) {
+        lines.push("No security issues found.");
+        lines.push("");
+        return lines.join("\n");
+    }
+    // Findings
+    lines.push("## Findings");
+    lines.push("");
+    // Group by file
+    const byFile = new Map();
+    for (const f of result.findings) {
+        const group = byFile.get(f.filePath) || [];
+        group.push(f);
+        byFile.set(f.filePath, group);
+    }
+    for (const [filePath, findings] of byFile) {
+        lines.push(`### ${filePath}`);
+        lines.push("");
+        for (const f of findings) {
+            lines.push(`**${f.severity.toUpperCase()}** — ${f.message} (${f.ruleId})`);
+            lines.push(`- Line: ${f.line}`);
+            lines.push(`- Confidence: ${f.confidence}`);
+            if (f.snippet) {
+                lines.push("");
+                lines.push("```");
+                lines.push(f.snippet);
+                lines.push("```");
+                lines.push("");
+            }
+            if (f.suggestedFix) {
+                lines.push(`**Fix**: ${f.suggestedFix}`);
+                lines.push("");
+            }
+        }
+    }
+    // Recommendations
+    lines.push("## Recommendations");
+    lines.push("");
+    if (result.summary.critical > 0) {
+        lines.push("- Address all critical findings immediately before deployment");
+    }
+    if (result.summary.high > 0) {
+        lines.push("- Review high-severity findings and apply fixes in the current sprint");
+    }
+    if (result.summary.medium > 0) {
+        lines.push("- Plan remediation of medium-severity findings");
+    }
+    lines.push("- Run `vskill audit --fix` for suggested remediations");
+    lines.push("- Consider enabling LLM analysis for deeper data flow tracing");
+    lines.push("");
+    // Scan metadata
+    lines.push("## Scan Metadata");
+    lines.push("");
+    lines.push(`- **Tool**: vskill audit`);
+    lines.push(`- **Tier 1 Only**: ${result.config.tier1Only}`);
+    lines.push(`- **Max Files**: ${result.config.maxFiles}`);
+    lines.push(`- **Exclude Paths**: ${result.config.excludePaths.join(", ") || "none"}`);
+    lines.push("");
+    return lines.join("\n");
+}
+//# sourceMappingURL=report-formatter.js.map

package/dist/audit/formatters/report-formatter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report-formatter.js","sourceRoot":"","sources":["../../../src/audit/formatters/report-formatter.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,oBAAoB;IACpB,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,iBAAiB,IAAI,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,UAAU,MAAM,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,qBAAqB;IACrB,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACrC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;IACxD,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;IACpD,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9C,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACxC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,WAAW;IACX,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,gBAAgB;IAChB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA0B,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,OAAO,QAAQ,EAAE,CAAC,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;YAC3E,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;YAC5C,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBACd,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClB,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBACtB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjB,CAAC;YACD,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;gBACnB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAC/D,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC5E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,gBAAgB;IAChB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,CAAC,sBAAsB,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC5D,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;IACtF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/audit/formatters/report-formatter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/formatters/report-formatter.test.js

@@ -0,0 +1,51 @@
+import { describe, it, expect } from "vitest";
+import { formatReport } from "./report-formatter.js";
+import { createDefaultAuditConfig } from "../audit-types.js";
+function makeResult(overrides = {}) {
+    return {
+        rootPath: "/project",
+        startedAt: "2026-02-20T18:00:00Z",
+        completedAt: "2026-02-20T18:00:01Z",
+        durationMs: 1000,
+        filesScanned: 10,
+        filesWithFindings: 0,
+        findings: [],
+        summary: {
+            critical: 0, high: 0, medium: 0, low: 0, info: 0,
+            total: 0, score: 100, verdict: "PASS",
+        },
+        config: createDefaultAuditConfig(),
+        ...overrides,
+    };
+}
+describe("report-formatter", () => {
+    it("TC-037: report contains all sections", () => {
+        const output = formatReport(makeResult({
+            findings: [
+                { id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high", category: "cmd", message: "exec", filePath: "a.ts", line: 1, snippet: "code", source: "tier1" },
+            ],
+            summary: { critical: 1, high: 0, medium: 0, low: 0, info: 0, total: 1, score: 75, verdict: "CONCERNS" },
+        }));
+        expect(output).toContain("Executive Summary");
+        expect(output).toContain("Findings");
+        expect(output).toContain("Recommendations");
+    });
+    it("TC-038: code snippets are in fenced code blocks", () => {
+        const output = formatReport(makeResult({
+            findings: [
+                { id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high", category: "cmd", message: "exec", filePath: "a.ts", line: 1, snippet: "> 1 | exec(cmd);", source: "tier1" },
+            ],
+            summary: { critical: 1, high: 0, medium: 0, low: 0, info: 0, total: 1, score: 75, verdict: "CONCERNS" },
+        }));
+        expect(output).toContain("```");
+    });
+    it("TC-039: summary table has correct counts", () => {
+        const output = formatReport(makeResult({
+            summary: { critical: 2, high: 3, medium: 1, low: 0, info: 0, total: 6, score: 32, verdict: "FAIL" },
+        }));
+        expect(output).toContain("2");
+        expect(output).toContain("3");
+        expect(output).toContain("1");
+    });
+});
+//# sourceMappingURL=report-formatter.test.js.map

package/dist/audit/formatters/report-formatter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report-formatter.test.js","sourceRoot":"","sources":["../../../src/audit/formatters/report-formatter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,wBAAwB,EAAoB,MAAM,mBAAmB,CAAC;AAE/E,SAAS,UAAU,CAAC,YAAkC,EAAE;IACtD,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,sBAAsB;QACjC,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,CAAC;QACpB,QAAQ,EAAE,EAAE;QACZ,OAAO,EAAE;YACP,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;YAChD,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM;SACtC;QACD,MAAM,EAAE,wBAAwB,EAAE;QAClC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC;YACrC,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE;aAC5K;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;SACxG,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC;YACrC,QAAQ,EAAE;gBACR,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,OAAO,EAAE;aACxL;YACD,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE;SACxG,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC;YACrC,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE;SACpG,CAAC,CAAC,CAAC;QAEJ,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/formatters/sarif-formatter.d.ts

@@ -0,0 +1,11 @@
+/**
+ * SARIF v2.1.0 formatter — generates SARIF-compliant JSON for CI tools.
+ *
+ * Enables integration with GitHub Code Scanning, VS Code SARIF Viewer,
+ * and other standard static analysis result consumers.
+ */
+import type { AuditResult } from "../audit-types.js";
+/**
+ * Format an AuditResult as SARIF v2.1.0 JSON string.
+ */
+export declare function formatSarif(result: AuditResult): string;