vskill 0.5.2 → 0.5.4

package/dist/audit/audit-llm.test.js

@@ -0,0 +1,110 @@
+import { describe, it, expect } from "vitest";
+import { buildLlmPrompt, parseLlmResponse, runLlmAnalysis } from "./audit-llm.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+describe("audit-llm", () => {
+    describe("buildLlmPrompt", () => {
+        it("TC-040: builds correct prompt with file content and Tier 1 findings", () => {
+            const file = {
+                path: "src/handler.ts",
+                content: 'const msg = req.body.message;\nexec(`echo ${msg}`);',
+                sizeBytes: 50,
+            };
+            const findings = [
+                {
+                    id: "AF-001", ruleId: "CI-001", severity: "critical", confidence: "high",
+                    category: "command-injection", message: "exec() call detected",
+                    filePath: "src/handler.ts", line: 2, snippet: "exec(`echo ${msg}`);",
+                    source: "tier1",
+                },
+            ];
+            const prompt = buildLlmPrompt(file, findings);
+            expect(prompt).toContain("src/handler.ts");
+            expect(prompt).toContain("exec(`echo ${msg}`)");
+            expect(prompt).toContain("CI-001");
+            expect(prompt).toContain("command-injection");
+        });
+    });
+    describe("parseLlmResponse", () => {
+        it("TC-041: parses valid LLM JSON response", () => {
+            const response = JSON.stringify({
+                findings: [
+                    {
+                        ruleId: "LLM-CI-001",
+                        severity: "critical",
+                        confidence: "high",
+                        category: "command-injection",
+                        message: "Command injection via webhook payload",
+                        line: 2,
+                        dataFlow: {
+                            steps: [
+                                { file: "src/handler.ts", line: 1, description: "User input", code: "const msg = req.body.message;" },
+                                { file: "src/handler.ts", line: 2, description: "Shell exec", code: "exec(`echo ${msg}`);" },
+                            ],
+                        },
+                        suggestedFix: "Use execFile with array args instead of exec with template",
+                    },
+                ],
+            });
+            const parsed = parseLlmResponse(response, "src/handler.ts");
+            expect(parsed).toHaveLength(1);
+            expect(parsed[0].ruleId).toBe("LLM-CI-001");
+            expect(parsed[0].source).toBe("llm");
+            expect(parsed[0].filePath).toBe("src/handler.ts");
+        });
+        it("TC-042: returns empty array on invalid JSON", () => {
+            const parsed = parseLlmResponse("not json at all", "src/file.ts");
+            expect(parsed).toHaveLength(0);
+        });
+        it("TC-045: data flow trace is parsed from LLM response", () => {
+            const response = JSON.stringify({
+                findings: [{
+                        ruleId: "LLM-SSRF-001",
+                        severity: "high",
+                        confidence: "high",
+                        category: "ssrf",
+                        message: "SSRF via user URL",
+                        line: 10,
+                        dataFlow: {
+                            steps: [
+                                { file: "src/api.ts", line: 5, description: "Input received", code: "const url = req.query.url;" },
+                                { file: "src/api.ts", line: 10, description: "Fetch called", code: "fetch(url);" },
+                            ],
+                        },
+                    }],
+            });
+            const parsed = parseLlmResponse(response, "src/api.ts");
+            expect(parsed[0].dataFlow).toBeDefined();
+            expect(parsed[0].dataFlow.steps).toHaveLength(2);
+            expect(parsed[0].dataFlow.steps[0].file).toBe("src/api.ts");
+            expect(parsed[0].dataFlow.steps[1].line).toBe(10);
+        });
+        it("TC-046: missing data flow is handled gracefully", () => {
+            const response = JSON.stringify({
+                findings: [{
+                        ruleId: "LLM-XSS-001",
+                        severity: "high",
+                        confidence: "medium",
+                        category: "xss",
+                        message: "Potential XSS",
+                        line: 5,
+                    }],
+            });
+            const parsed = parseLlmResponse(response, "src/page.ts");
+            expect(parsed[0].dataFlow).toBeUndefined();
+        });
+    });
+    describe("runLlmAnalysis", () => {
+        it("TC-043: skips LLM when tier1Only is true", async () => {
+            const config = createDefaultAuditConfig();
+            config.tier1Only = true;
+            const result = await runLlmAnalysis([], [], config);
+            expect(result).toHaveLength(0);
+        });
+        it("TC-044: returns empty when no flagged files", async () => {
+            const config = createDefaultAuditConfig();
+            const result = await runLlmAnalysis([], [], config);
+            expect(result).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=audit-llm.test.js.map

package/dist/audit/audit-llm.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-llm.test.js","sourceRoot":"","sources":["../../src/audit/audit-llm.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAkB,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAClF,OAAO,EAAE,wBAAwB,EAAqC,MAAM,kBAAkB,CAAC;AAE/F,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;YAC7E,MAAM,IAAI,GAAc;gBACtB,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,qDAAqD;gBAC9D,SAAS,EAAE,EAAE;aACd,CAAC;YACF,MAAM,QAAQ,GAAmB;gBAC/B;oBACE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM;oBACxE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,sBAAsB;oBAC9D,QAAQ,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,sBAAsB;oBACpE,MAAM,EAAE,OAAO;iBAChB;aACF,CAAC;YAEF,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAE9C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE;oBACR;wBACE,MAAM,EAAE,YAAY;wBACpB,QAAQ,EAAE,UAAU;wBACpB,UAAU,EAAE,MAAM;wBAClB,QAAQ,EAAE,mBAAmB;wBAC7B,OAAO,EAAE,uCAAuC;wBAChD,IAAI,EAAE,CAAC;wBACP,QAAQ,EAAE;4BACR,KAAK,EAAE;gCACL,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,+BAA+B,EAAE;gCACrG,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE;6BAC7F;yBACF;wBACD,YAAY,EAAE,4DAA4D;qBAC3E;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;YAE5D,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC5C,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,MAAM,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAClE,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE,CAAC;wBACT,MAAM,EAAE,cAAc;wBACtB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,MAAM;wBAClB,QAAQ,EAAE,MAAM;wBAChB,OAAO,EAAE,mBAAmB;wBAC5B,IAAI,EAAE,EAAE;wBACR,QAAQ,EAAE;4BACR,KAAK,EAAE;gCACL,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,WAAW,EAAE,gBAAgB,EAAE,IAAI,EAAE,4BAA4B,EAAE;gCAClG,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE;6BACnF;yBACF;qBACF,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YAExD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC9B,QAAQ,EAAE,CAAC;wBACT,MAAM,EAAE,aAAa;wBACrB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,QAAQ;wBACpB,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,eAAe;wBACxB,IAAI,EAAE,CAAC;qBACR,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,gBAAgB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAC1C,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;YAExB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YAEpD,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-patterns.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-patterns.test.js

@@ -0,0 +1,91 @@
+import { describe, it, expect } from "vitest";
+import { AUDIT_PATTERNS, PROJECT_PATTERNS } from "./audit-patterns.js";
+import { SCAN_PATTERNS } from "../scanner/patterns.js";
+describe("audit-patterns", () => {
+    it("TC-009: AUDIT_PATTERNS includes all 37 original SCAN_PATTERNS", () => {
+        const auditIds = new Set(AUDIT_PATTERNS.map((p) => p.id));
+        for (const original of SCAN_PATTERNS) {
+            expect(auditIds.has(original.id)).toBe(true);
+        }
+    });
+    it("TC-010: AUDIT_PATTERNS adds at least 15 new project-specific patterns", () => {
+        const originalIds = new Set(SCAN_PATTERNS.map((p) => p.id));
+        const newPatterns = AUDIT_PATTERNS.filter((p) => !originalIds.has(p.id));
+        expect(newPatterns.length).toBeGreaterThanOrEqual(15);
+    });
+    it("TC-011: SQL injection pattern detects string concatenation in queries", () => {
+        const sqliPatterns = PROJECT_PATTERNS.filter((p) => p.category === "sql-injection");
+        expect(sqliPatterns.length).toBeGreaterThan(0);
+        const testLine = `"SELECT * FROM users WHERE id = '" + userId + "'"`;
+        const matched = sqliPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-012: SSRF pattern detects URL construction from variables", () => {
+        const ssrfPatterns = PROJECT_PATTERNS.filter((p) => p.category === "ssrf");
+        expect(ssrfPatterns.length).toBeGreaterThan(0);
+        const testLine = `fetch(userProvidedUrl)`;
+        const matched = ssrfPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-013: Hardcoded secret pattern detects API key assignments", () => {
+        const secretPatterns = PROJECT_PATTERNS.filter((p) => p.category === "hardcoded-secrets");
+        expect(secretPatterns.length).toBeGreaterThan(0);
+        const testLine = `const API_KEY = "sk-1234567890abcdef"`;
+        const matched = secretPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-014: XSS pattern detects innerHTML assignment", () => {
+        const xssPatterns = PROJECT_PATTERNS.filter((p) => p.category === "xss");
+        expect(xssPatterns.length).toBeGreaterThan(0);
+        const testLine = `element.innerHTML = userInput`;
+        const matched = xssPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("TC-015: safe contexts suppress false positives", () => {
+        const patternsWithSafe = PROJECT_PATTERNS.filter((p) => p.safeContexts && p.safeContexts.length > 0);
+        expect(patternsWithSafe.length).toBeGreaterThan(0);
+        // For each pattern with safeContexts, at least one safe context regex exists
+        for (const pattern of patternsWithSafe) {
+            expect(pattern.safeContexts.length).toBeGreaterThan(0);
+            expect(pattern.safeContexts[0]).toBeInstanceOf(RegExp);
+        }
+    });
+    it("TC-016: all pattern IDs are unique across combined set", () => {
+        const ids = AUDIT_PATTERNS.map((p) => p.id);
+        const uniqueIds = new Set(ids);
+        expect(uniqueIds.size).toBe(ids.length);
+    });
+    it("detects open redirect pattern", () => {
+        const redirectPatterns = PROJECT_PATTERNS.filter((p) => p.category === "open-redirect");
+        expect(redirectPatterns.length).toBeGreaterThan(0);
+        const testLine = `res.redirect(req.query.url)`;
+        const matched = redirectPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+    it("detects insecure deserialization", () => {
+        const deserPatterns = PROJECT_PATTERNS.filter((p) => p.category === "insecure-deserialization");
+        expect(deserPatterns.length).toBeGreaterThan(0);
+        const testLine = `yaml.load(userInput)`;
+        const matched = deserPatterns.some((p) => {
+            const regex = new RegExp(p.pattern.source, p.pattern.flags);
+            return regex.test(testLine);
+        });
+        expect(matched).toBe(true);
+    });
+});
+//# sourceMappingURL=audit-patterns.test.js.map

package/dist/audit/audit-patterns.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-patterns.test.js","sourceRoot":"","sources":["../../src/audit/audit-patterns.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1D,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACrC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,eAAe,CACtC,CAAC;QACF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,mDAAmD,CAAC;QACrE,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAC7B,CAAC;QACF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,wBAAwB,CAAC;QAC1C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,cAAc,GAAG,gBAAgB,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,mBAAmB,CAC1C,CAAC;QACF,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEjD,MAAM,QAAQ,GAAG,uCAAuC,CAAC;QACzD,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CACzC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAC5B,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE9C,MAAM,QAAQ,GAAG,+BAA+B,CAAC;QACjD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CACnD,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEnD,6EAA6E;QAC7E,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,MAAM,CAAC,OAAO,CAAC,YAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,OAAO,CAAC,YAAa,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,eAAe,CACtC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,6BAA6B,CAAC;QAC/C,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,0BAA0B,CACjD,CAAC;QACF,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,sBAAsB,CAAC;QACxC,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACvC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-scanner.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-scanner.test.js

@@ -0,0 +1,112 @@
+import { describe, it, expect } from "vitest";
+import { runAuditScan } from "./audit-scanner.js";
+import { createDefaultAuditConfig } from "./audit-types.js";
+function makeFile(path, content) {
+    return { path, content, sizeBytes: Buffer.byteLength(content) };
+}
+describe("audit-scanner", () => {
+    it("TC-017: returns empty findings for clean files", () => {
+        const files = [
+            makeFile("src/clean.ts", "const x = 1;\nconst y = 2;\nexport { x, y };"),
+            makeFile("src/utils.ts", "export function add(a: number, b: number) { return a + b; }"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.findings).toHaveLength(0);
+        expect(result.summary.verdict).toBe("PASS");
+        expect(result.summary.total).toBe(0);
+        expect(result.summary.score).toBe(100);
+    });
+    it("TC-018: detects findings across multiple files", () => {
+        const files = [
+            makeFile("src/cmd.ts", 'exec("rm -rf /");'),
+            makeFile("src/xss.ts", 'element.innerHTML = userInput;'),
+            makeFile("src/sql.ts", '`SELECT * FROM users WHERE id = ${userId}`'),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.findings.length).toBeGreaterThanOrEqual(3);
+        const filePaths = new Set(result.findings.map((f) => f.filePath));
+        expect(filePaths.has("src/cmd.ts")).toBe(true);
+        expect(filePaths.has("src/xss.ts")).toBe(true);
+        expect(filePaths.has("src/sql.ts")).toBe(true);
+    });
+    it("TC-019: findings are sorted by severity then file path", () => {
+        const files = [
+            makeFile("z-file.ts", "element.innerHTML = x;"), // high
+            makeFile("a-file.ts", 'eval("code");'), // critical
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        // Critical should come before high
+        const severities = result.findings.map((f) => f.severity);
+        const criticalIndex = severities.indexOf("critical");
+        const highIndex = severities.indexOf("high");
+        if (criticalIndex !== -1 && highIndex !== -1) {
+            expect(criticalIndex).toBeLessThan(highIndex);
+        }
+    });
+    it("TC-020: summary statistics are accurate", () => {
+        const files = [
+            makeFile("src/a.ts", 'eval("x");'), // critical (CE-001)
+            makeFile("src/b.ts", "element.innerHTML = y;"), // high (XSS-001)
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.summary.total).toBe(result.findings.length);
+        expect(result.summary.critical + result.summary.high + result.summary.medium +
+            result.summary.low + result.summary.info).toBe(result.summary.total);
+    });
+    it("TC-021: score and verdict are calculated correctly", () => {
+        // Clean project -> score 100, PASS
+        const cleanFiles = [
+            makeFile("src/clean.ts", "const x = 1;"),
+        ];
+        const config = createDefaultAuditConfig();
+        const cleanResult = runAuditScan(cleanFiles, config);
+        expect(cleanResult.summary.score).toBe(100);
+        expect(cleanResult.summary.verdict).toBe("PASS");
+        // Many critical findings -> score < 50, FAIL
+        const badFiles = [
+            makeFile("src/bad.ts", [
+                'eval("a");',
+                'eval("b");',
+                'eval("c");',
+                'eval("d");',
+                'eval("e");',
+            ].join("\n")),
+        ];
+        const badResult = runAuditScan(badFiles, config);
+        expect(badResult.summary.score).toBeLessThan(50);
+        expect(badResult.summary.verdict).toBe("FAIL");
+    });
+    it("TC-022: duration is tracked", () => {
+        const files = [makeFile("src/a.ts", "const x = 1;")];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.durationMs).toBeGreaterThanOrEqual(0);
+        expect(typeof result.durationMs).toBe("number");
+    });
+    it("populates filesScanned and filesWithFindings", () => {
+        const files = [
+            makeFile("src/clean.ts", "const x = 1;"),
+            makeFile("src/bad.ts", 'eval("x");'),
+            makeFile("src/also-clean.ts", "const y = 2;"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        expect(result.filesScanned).toBe(3);
+        expect(result.filesWithFindings).toBe(1);
+    });
+    it("applies safeContexts to suppress false positives", () => {
+        // innerHTML in a line with DOMPurify should be suppressed
+        const files = [
+            makeFile("src/safe.ts", "element.innerHTML = DOMPurify.sanitize(input);"),
+        ];
+        const config = createDefaultAuditConfig();
+        const result = runAuditScan(files, config);
+        const xssFindings = result.findings.filter((f) => f.ruleId === "XSS-001");
+        expect(xssFindings).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=audit-scanner.test.js.map

package/dist/audit/audit-scanner.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-scanner.test.js","sourceRoot":"","sources":["../../src/audit/audit-scanner.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAkB,MAAM,kBAAkB,CAAC;AAE5E,SAAS,QAAQ,CAAC,IAAY,EAAE,OAAe;IAC7C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,cAAc,EAAE,8CAA8C,CAAC;YACxE,QAAQ,CAAC,cAAc,EAAE,6DAA6D,CAAC;SACxF,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;YAC3C,QAAQ,CAAC,YAAY,EAAE,gCAAgC,CAAC;YACxD,QAAQ,CAAC,YAAY,EAAE,4CAA4C,CAAC;SACrE,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACzD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,WAAW,EAAE,wBAAwB,CAAC,EAAE,OAAO;YACxD,QAAQ,CAAC,WAAW,EAAE,eAAe,CAAC,EAAE,WAAW;SACpD,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,mCAAmC;QACnC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC1D,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,aAAa,KAAK,CAAC,CAAC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,CAAC,aAAa,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAC,EAAE,oBAAoB;YACxD,QAAQ,CAAC,UAAU,EAAE,wBAAwB,CAAC,EAAE,iBAAiB;SAClE,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM;YAC1E,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,mCAAmC;QACnC,MAAM,UAAU,GAAgB;YAC9B,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;SACzC,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,WAAW,GAAG,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEjD,6CAA6C;QAC7C,MAAM,QAAQ,GAAgB;YAC5B,QAAQ,CAAC,YAAY,EAAE;gBACrB,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,YAAY;gBACZ,YAAY;aACb,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACd,CAAC;QACF,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAgB,CAAC,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,OAAO,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;YACxC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;YACpC,QAAQ,CAAC,mBAAmB,EAAE,cAAc,CAAC;SAC9C,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,0DAA0D;QAC1D,MAAM,KAAK,GAAgB;YACzB,QAAQ,CAAC,aAAa,EAAE,gDAAgD,CAAC;SAC1E,CAAC;QACF,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;QAC1E,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/audit-types.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/audit-types.test.js

@@ -0,0 +1,140 @@
+import { describe, it, expect } from "vitest";
+import { createDefaultAuditConfig, } from "./audit-types.js";
+describe("audit-types", () => {
+    describe("AuditFinding", () => {
+        it("TC-001: is correctly importable and all fields are typed", () => {
+            const finding = {
+                id: "AF-001",
+                ruleId: "CI-001",
+                severity: "critical",
+                confidence: "high",
+                category: "command-injection",
+                message: "exec() call detected",
+                filePath: "src/index.ts",
+                line: 42,
+                snippet: "  exec(command);",
+                source: "tier1",
+            };
+            expect(finding.id).toBe("AF-001");
+            expect(finding.ruleId).toBe("CI-001");
+            expect(finding.severity).toBe("critical");
+            expect(finding.confidence).toBe("high");
+            expect(finding.category).toBe("command-injection");
+            expect(finding.message).toBe("exec() call detected");
+            expect(finding.filePath).toBe("src/index.ts");
+            expect(finding.line).toBe(42);
+            expect(finding.snippet).toBe("  exec(command);");
+            expect(finding.source).toBe("tier1");
+        });
+        it("supports optional fields: column, endLine, dataFlow, suggestedFix", () => {
+            const finding = {
+                id: "AF-002",
+                ruleId: "SSRF-001",
+                severity: "high",
+                confidence: "medium",
+                category: "ssrf",
+                message: "SSRF via user-controlled URL",
+                filePath: "src/api.ts",
+                line: 10,
+                column: 5,
+                endLine: 12,
+                snippet: "  fetch(url);",
+                source: "llm",
+                dataFlow: {
+                    steps: [
+                        {
+                            file: "src/api.ts",
+                            line: 5,
+                            description: "User input received",
+                            code: "const url = req.query.url;",
+                        },
+                    ],
+                },
+                suggestedFix: "Validate URL against an allowlist",
+            };
+            expect(finding.column).toBe(5);
+            expect(finding.endLine).toBe(12);
+            expect(finding.dataFlow?.steps).toHaveLength(1);
+            expect(finding.suggestedFix).toBe("Validate URL against an allowlist");
+        });
+    });
+    describe("AuditConfig", () => {
+        it("TC-002: default values are correct", () => {
+            const config = createDefaultAuditConfig();
+            expect(config.excludePaths).toEqual([]);
+            expect(config.severityThreshold).toBe("low");
+            expect(config.maxFiles).toBe(500);
+            expect(config.maxFileSize).toBe(100 * 1024);
+            expect(config.tier1Only).toBe(false);
+            expect(config.llmProvider).toBeNull();
+            expect(config.llmTimeout).toBe(30_000);
+            expect(config.llmConcurrency).toBe(5);
+            expect(config.customPatterns).toEqual([]);
+            expect(config.fix).toBe(false);
+        });
+    });
+    describe("AuditResult", () => {
+        it("contains all required fields for a complete result", () => {
+            const result = {
+                rootPath: "/project",
+                startedAt: "2026-02-20T18:00:00Z",
+                completedAt: "2026-02-20T18:00:05Z",
+                durationMs: 5000,
+                filesScanned: 100,
+                filesWithFindings: 3,
+                findings: [],
+                summary: {
+                    critical: 0,
+                    high: 0,
+                    medium: 0,
+                    low: 0,
+                    info: 0,
+                    total: 0,
+                    score: 100,
+                    verdict: "PASS",
+                },
+                config: createDefaultAuditConfig(),
+            };
+            expect(result.rootPath).toBe("/project");
+            expect(result.filesScanned).toBe(100);
+            expect(result.summary.verdict).toBe("PASS");
+            expect(result.summary.score).toBe(100);
+        });
+    });
+    describe("DataFlowTrace", () => {
+        it("has steps with file, line, description, code", () => {
+            const trace = {
+                steps: [
+                    {
+                        file: "src/handler.ts",
+                        line: 10,
+                        description: "User input received from webhook",
+                        code: 'const msg = req.body.message;',
+                    },
+                    {
+                        file: "src/handler.ts",
+                        line: 15,
+                        description: "Passed to shell execution",
+                        code: 'exec(`echo ${msg}`);',
+                    },
+                ],
+            };
+            expect(trace.steps).toHaveLength(2);
+            expect(trace.steps[0].file).toBe("src/handler.ts");
+            expect(trace.steps[1].line).toBe(15);
+        });
+    });
+    describe("AuditFile", () => {
+        it("represents a discovered file with path, content, sizeBytes", () => {
+            const file = {
+                path: "src/index.ts",
+                content: "console.log('hello');",
+                sizeBytes: 21,
+            };
+            expect(file.path).toBe("src/index.ts");
+            expect(file.content).toBe("console.log('hello');");
+            expect(file.sizeBytes).toBe(21);
+        });
+    });
+});
+//# sourceMappingURL=audit-types.test.js.map

package/dist/audit/audit-types.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-types.test.js","sourceRoot":"","sources":["../../src/audit/audit-types.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,wBAAwB,GAQzB,MAAM,kBAAkB,CAAC;AAE1B,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,OAAO,GAAiB;gBAC5B,EAAE,EAAE,QAAQ;gBACZ,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,MAAM;gBAClB,QAAQ,EAAE,mBAAmB;gBAC7B,OAAO,EAAE,sBAAsB;gBAC/B,QAAQ,EAAE,cAAc;gBACxB,IAAI,EAAE,EAAE;gBACR,OAAO,EAAE,kBAAkB;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACnD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACrD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC9C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9B,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACjD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;YAC3E,MAAM,OAAO,GAAiB;gBAC5B,EAAE,EAAE,QAAQ;gBACZ,MAAM,EAAE,UAAU;gBAClB,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,QAAQ;gBACpB,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,8BAA8B;gBACvC,QAAQ,EAAE,YAAY;gBACtB,IAAI,EAAE,EAAE;gBACR,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,eAAe;gBACxB,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE;oBACR,KAAK,EAAE;wBACL;4BACE,IAAI,EAAE,YAAY;4BAClB,IAAI,EAAE,CAAC;4BACP,WAAW,EAAE,qBAAqB;4BAClC,IAAI,EAAE,4BAA4B;yBACnC;qBACF;iBACF;gBACD,YAAY,EAAE,mCAAmC;aAClD,CAAC;YAEF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACjC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAChD,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,wBAAwB,EAAE,CAAC;YAE1C,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YAC5C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,MAAM,GAAgB;gBAC1B,QAAQ,EAAE,UAAU;gBACpB,SAAS,EAAE,sBAAsB;gBACjC,WAAW,EAAE,sBAAsB;gBACnC,UAAU,EAAE,IAAI;gBAChB,YAAY,EAAE,GAAG;gBACjB,iBAAiB,EAAE,CAAC;gBACpB,QAAQ,EAAE,EAAE;gBACZ,OAAO,EAAE;oBACP,QAAQ,EAAE,CAAC;oBACX,IAAI,EAAE,CAAC;oBACP,MAAM,EAAE,CAAC;oBACT,GAAG,EAAE,CAAC;oBACN,IAAI,EAAE,CAAC;oBACP,KAAK,EAAE,CAAC;oBACR,KAAK,EAAE,GAAG;oBACV,OAAO,EAAE,MAAM;iBAChB;gBACD,MAAM,EAAE,wBAAwB,EAAE;aACnC,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,KAAK,GAAkB;gBAC3B,KAAK,EAAE;oBACL;wBACE,IAAI,EAAE,gBAAgB;wBACtB,IAAI,EAAE,EAAE;wBACR,WAAW,EAAE,kCAAkC;wBAC/C,IAAI,EAAE,+BAA+B;qBACtC;oBACD;wBACE,IAAI,EAAE,gBAAgB;wBACtB,IAAI,EAAE,EAAE;wBACR,WAAW,EAAE,2BAA2B;wBACxC,IAAI,EAAE,sBAAsB;qBAC7B;iBACF;aACF,CAAC;YAEF,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;QACzB,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,MAAM,IAAI,GAAc;gBACtB,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,uBAAuB;gBAChC,SAAS,EAAE,EAAE;aACd,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/config.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/config.test.js

@@ -0,0 +1,44 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, writeFile, rm } from "node:fs/promises";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { loadAuditConfig } from "./config.js";
+describe("config", () => {
+    let tmpDir;
+    beforeEach(async () => {
+        tmpDir = await mkdtemp(join(tmpdir(), "vskill-config-"));
+    });
+    afterEach(async () => {
+        await rm(tmpDir, { recursive: true, force: true });
+    });
+    it("TC-050: returns defaults when no config file exists", async () => {
+        const config = await loadAuditConfig(tmpDir, {});
+        expect(config.excludePaths).toEqual([]);
+        expect(config.maxFiles).toBe(500);
+        expect(config.severityThreshold).toBe("low");
+        expect(config.tier1Only).toBe(false);
+        expect(config.fix).toBe(false);
+    });
+    it("TC-051: loads and merges .vskill-audit.json", async () => {
+        await writeFile(join(tmpDir, ".vskill-audit.json"), JSON.stringify({ excludePaths: ["vendor/"], maxFiles: 200 }));
+        const config = await loadAuditConfig(tmpDir, {});
+        expect(config.excludePaths).toEqual(["vendor/"]);
+        expect(config.maxFiles).toBe(200);
+        // Other fields remain defaults
+        expect(config.severityThreshold).toBe("low");
+    });
+    it("TC-052: CLI flags override config file values", async () => {
+        await writeFile(join(tmpDir, ".vskill-audit.json"), JSON.stringify({ maxFiles: 100 }));
+        const config = await loadAuditConfig(tmpDir, { maxFiles: "50" });
+        expect(config.maxFiles).toBe(50);
+    });
+    it("TC-053: invalid severity value throws error", async () => {
+        await expect(loadAuditConfig(tmpDir, { severity: "invalid" })).rejects.toThrow();
+    });
+    it("loads .vskillrc as fallback", async () => {
+        await writeFile(join(tmpDir, ".vskillrc"), JSON.stringify({ tier1Only: true }));
+        const config = await loadAuditConfig(tmpDir, {});
+        expect(config.tier1Only).toBe(true);
+    });
+});
+//# sourceMappingURL=config.test.js.map

package/dist/audit/config.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.test.js","sourceRoot":"","sources":["../../src/audit/config.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE;IACtB,IAAI,MAAc,CAAC;IAEnB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,SAAS,CACb,IAAI,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAClC,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAC7D,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,+BAA+B;QAC/B,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,SAAS,CACb,IAAI,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAClC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAClC,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QAEjE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,MAAM,CACV,eAAe,CAAC,MAAM,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CACjD,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,SAAS,CACb,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EACzB,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CACpC,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/audit/file-discovery.test.d.ts

@@ -0,0 +1 @@
+export {};