evadex 3.0.2__tar.gz → 3.2.0__tar.gz

{evadex-3.0.2/src/evadex.egg-info → evadex-3.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: evadex
-Version: 3.0.2
+Version: 3.2.0
 Summary: Comprehensive DLP evasion test suite — scanner-agnostic, file-aware
 License-Expression: MIT
 Project-URL: Homepage, https://github.com/tbustenk/evadex
@@ -724,6 +724,10 @@ evadex scan [OPTIONS]
 | `--audit-log` | *(off)* | Append a one-line JSON audit record for this run to a file. Parent directories are created if they do not exist. Can also be set via `audit_log` in `evadex.yaml`. |
 | `--feedback-report` | *(off)* | Save a structured JSON feedback report to PATH. Contains per-technique evasion counts with example variant values, actionable fix suggestions, and the generated regression test code as a string field. Always written when specified, even if there are no evasions. |
 | `--require-context` | off | Pass `--require-context` to dlpscan-rs: only flag matches when surrounding keywords are present. Reduces false positives but may reduce detection rate for obfuscated variants lacking keyword context. Requires `--cmd-style rust`. Can also be set via `require_context` in `evadex.yaml`. |
+| `--wrap-context` | **auto (rust)** | Embed every variant value in a realistic keyword sentence before submission. **Automatically enabled when `--cmd-style rust` is used** — dlpscan-rs requires surrounding context keywords to flag most matches; submitting a bare value produces artificially low detection rates. Pass `--no-wrap-context` to suppress. Can also be set via `wrap_context` in `evadex.yaml`. |
+| `--no-wrap-context` | off | Explicitly disable context wrapping even when `--cmd-style rust` is active. |
+
+> **Note for dlpscan-rs users:** dlpscan-rs requires surrounding context keywords (e.g. "credit card", "SSN", "IBAN") to be present near a matched value before it will flag it. Submitting a bare value like `4532015112830366` without context will produce a false *no-match* — the scanner can see the number but will not fire without contextual evidence. `evadex scan` auto-enables `--wrap-context` when `--cmd-style rust` is used so every variant is embedded in a realistic business sentence. Use `--no-wrap-context` only if you are deliberately testing bare-value behaviour or your dlpscan-rs build is configured with context matching disabled.
 
 ### `evadex generate`
 

{evadex-3.0.2 → evadex-3.2.0}/README.md

@@ -684,6 +684,10 @@ evadex scan [OPTIONS]
 | `--audit-log` | *(off)* | Append a one-line JSON audit record for this run to a file. Parent directories are created if they do not exist. Can also be set via `audit_log` in `evadex.yaml`. |
 | `--feedback-report` | *(off)* | Save a structured JSON feedback report to PATH. Contains per-technique evasion counts with example variant values, actionable fix suggestions, and the generated regression test code as a string field. Always written when specified, even if there are no evasions. |
 | `--require-context` | off | Pass `--require-context` to dlpscan-rs: only flag matches when surrounding keywords are present. Reduces false positives but may reduce detection rate for obfuscated variants lacking keyword context. Requires `--cmd-style rust`. Can also be set via `require_context` in `evadex.yaml`. |
+| `--wrap-context` | **auto (rust)** | Embed every variant value in a realistic keyword sentence before submission. **Automatically enabled when `--cmd-style rust` is used** — dlpscan-rs requires surrounding context keywords to flag most matches; submitting a bare value produces artificially low detection rates. Pass `--no-wrap-context` to suppress. Can also be set via `wrap_context` in `evadex.yaml`. |
+| `--no-wrap-context` | off | Explicitly disable context wrapping even when `--cmd-style rust` is active. |
+
+> **Note for dlpscan-rs users:** dlpscan-rs requires surrounding context keywords (e.g. "credit card", "SSN", "IBAN") to be present near a matched value before it will flag it. Submitting a bare value like `4532015112830366` without context will produce a false *no-match* — the scanner can see the number but will not fire without contextual evidence. `evadex scan` auto-enables `--wrap-context` when `--cmd-style rust` is used so every variant is embedded in a realistic business sentence. Use `--no-wrap-context` only if you are deliberately testing bare-value behaviour or your dlpscan-rs build is configured with context matching disabled.
 
 ### `evadex generate`
 

{evadex-3.0.2 → evadex-3.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "evadex"
-version = "3.0.2"
+version = "3.2.0"
 description = "Comprehensive DLP evasion test suite — scanner-agnostic, file-aware"
 readme = "README.md"
 requires-python = ">=3.10"

{evadex-3.0.2 → evadex-3.2.0}/src/evadex/adapters/dlpscan_cli/adapter.py

@@ -1,5 +1,6 @@
 import asyncio
 import json
+import random
 import subprocess
 import tempfile
 import os
@@ -7,6 +8,7 @@ from evadex.adapters.base import BaseAdapter
 from evadex.adapters.dlpscan.file_builder import FileBuilder
 from evadex.core.registry import register_adapter
 from evadex.core.result import Payload, Variant, ScanResult
+from evadex.generate.filler import get_keyword_sentence
 
 # cmd_style="python"  →  dlpscan -f json <file>         → bare list of matches
 # cmd_style="rust"    →  dlpscan --format json scan <file> → list of file objects with nested matches
@@ -20,6 +22,7 @@ class DlpscanCliAdapter(BaseAdapter):
         super().__init__(config)
         self._exe = self.config.extra.get("executable", "dlpscan")
         self._cmd_style = self.config.extra.get("cmd_style", "python")
+        self._wrap_context = self.config.extra.get("wrap_context", False)
 
     async def health_check(self) -> bool:
         try:
@@ -39,7 +42,13 @@ class DlpscanCliAdapter(BaseAdapter):
         loop = asyncio.get_running_loop()
 
         if strategy == "text":
-            matches = await loop.run_in_executor(None, self._scan_text, variant.value)
+            text = variant.value
+            if self._wrap_context:
+                # Embed the variant value in a realistic keyword sentence so that
+                # dlpscan-rs context requirements are satisfied.  The original
+                # variant.value is preserved in the result for reporting.
+                text = get_keyword_sentence(random.Random(), payload.category, text)
+            matches = await loop.run_in_executor(None, self._scan_text, text)
         else:
             data, _ = FileBuilder.build(variant.value, strategy)
             matches = await loop.run_in_executor(None, self._scan_bytes, data, strategy)

evadex-3.2.0/src/evadex/archive.py

@@ -0,0 +1,264 @@
+"""Results archive — auto-saves timestamped scan/falsepos runs and maintains
+results/audit.jsonl.  All public functions swallow exceptions so that a disk
+or permission failure never affects a scan run's exit code or output.
+"""
+from __future__ import annotations
+
+import json
+import shutil
+import subprocess
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Optional
+
+try:
+    from importlib.metadata import version as _pkg_version, PackageNotFoundError
+    try:
+        _VERSION = _pkg_version("evadex")
+    except PackageNotFoundError:
+        _VERSION = "unknown"
+except ImportError:
+    _VERSION = "unknown"
+
+# All archive files live under <cwd>/results/
+_RESULTS_DIR = Path("results")
+
+
+# ── Internal helpers ───────────────────────────────────────────────────────────
+
+def _ensure_dirs() -> Path:
+    """Create results directory structure if needed and return it."""
+    for sub in ("scans", "falsepos", "comparisons"):
+        (_RESULTS_DIR / sub).mkdir(parents=True, exist_ok=True)
+    return _RESULTS_DIR
+
+
+def _safe_label(s: str) -> str:
+    """Sanitise label string for use in a filename (max 40 chars)."""
+    cleaned = "".join(c if (c.isalnum() or c in "-_.") else "_" for c in (s or ""))
+    return cleaned[:40] or "unlabelled"
+
+
+# ── Public helpers ─────────────────────────────────────────────────────────────
+
+def get_commit_hash() -> Optional[str]:
+    """Return the short git commit hash of HEAD, or None if unavailable."""
+    try:
+        result = subprocess.run(
+            ["git", "rev-parse", "--short", "HEAD"],
+            capture_output=True, text=True, timeout=5,
+        )
+        if result.returncode == 0:
+            return result.stdout.strip() or None
+    except Exception:
+        pass
+    return None
+
+
+# ── Archive functions ──────────────────────────────────────────────────────────
+
+def archive_scan(
+    rendered_json: str,
+    scanner_label: str,
+    *,
+    ts: Optional[datetime] = None,
+) -> Path:
+    """Save *rendered_json* to results/scans/ with a timestamped name.
+
+    Never overwrites an existing file.  Returns the path written.
+    Silently returns a placeholder Path on any error.
+    """
+    try:
+        ts = ts or datetime.now(timezone.utc)
+        stamp = ts.strftime("%Y%m%dT%H%M%SZ")
+        name = f"scan_{stamp}_{_safe_label(scanner_label)}.json"
+        path = _ensure_dirs() / "scans" / name
+        if not path.exists():
+            path.write_text(rendered_json, encoding="utf-8")
+        return path
+    except Exception:
+        return _RESULTS_DIR / "scans" / "error.json"
+
+
+def archive_falsepos(
+    report: dict,
+    scanner_label: str = "",
+    *,
+    ts: Optional[datetime] = None,
+) -> Path:
+    """Save *report* to results/falsepos/ with a timestamped name.
+
+    Never overwrites an existing file.  Returns the path written.
+    Silently returns a placeholder Path on any error.
+    """
+    try:
+        ts = ts or datetime.now(timezone.utc)
+        stamp = ts.strftime("%Y%m%dT%H%M%SZ")
+        name = f"falsepos_{stamp}_{_safe_label(scanner_label)}.json"
+        path = _ensure_dirs() / "falsepos" / name
+        if not path.exists():
+            path.write_text(
+                json.dumps(report, indent=2, ensure_ascii=False), encoding="utf-8"
+            )
+        return path
+    except Exception:
+        return _RESULTS_DIR / "falsepos" / "error.json"
+
+
+def append_results_audit(entry: dict) -> None:
+    """Append one JSON line to results/audit.jsonl.  Silently ignores errors."""
+    try:
+        audit_path = _ensure_dirs() / "audit.jsonl"
+        line = json.dumps(entry, ensure_ascii=False) + "\n"
+        with open(audit_path, "a", encoding="utf-8") as f:
+            f.write(line)
+    except Exception:
+        pass
+
+
+# ── Audit entry builders ───────────────────────────────────────────────────────
+
+def build_scan_audit_entry(
+    *,
+    scanner_label: str,
+    tool: str,
+    categories: list[str],
+    strategies: list[str],
+    total: int,
+    passes: int,
+    fails: int,
+    pass_rate: float,
+    archive_file: str,
+    commit_hash: Optional[str] = None,
+    ts: Optional[datetime] = None,
+) -> dict:
+    return {
+        "timestamp":      (ts or datetime.now(timezone.utc)).isoformat(),
+        "type":           "scan",
+        "evadex_version": _VERSION,
+        "scanner_label":  scanner_label,
+        "tool":           tool,
+        "categories":     categories,
+        "strategies":     strategies,
+        "total":          total,
+        "pass":           passes,
+        "fail":           fails,
+        "pass_rate":      pass_rate,
+        "commit_hash":    commit_hash,
+        "archive_file":   archive_file,
+    }
+
+
+def build_falsepos_audit_entry(
+    *,
+    tool: str,
+    categories: list[str],
+    total_tested: int,
+    total_flagged: int,
+    fp_rate: float,
+    archive_file: str,
+    commit_hash: Optional[str] = None,
+    scanner_label: str = "",
+    ts: Optional[datetime] = None,
+) -> dict:
+    return {
+        "timestamp":      (ts or datetime.now(timezone.utc)).isoformat(),
+        "type":           "falsepos",
+        "evadex_version": _VERSION,
+        "scanner_label":  scanner_label,
+        "tool":           tool,
+        "categories":     categories,
+        "total_tested":   total_tested,
+        "total_flagged":  total_flagged,
+        "fp_rate":        fp_rate,
+        "commit_hash":    commit_hash,
+        "archive_file":   archive_file,
+    }
+
+
+# ── Backfill ───────────────────────────────────────────────────────────────────
+
+def backfill_from_directory(directory: str = ".") -> int:
+    """Scan *directory* for existing evadex result JSON files and add them
+    to results/audit.jsonl.  Skips files already inside results/.
+
+    Returns the number of entries added.
+    """
+    added = 0
+    for path in sorted(Path(directory).glob("*.json")):
+        if path.name.startswith("."):
+            continue
+        try:
+            data = json.loads(path.read_text(encoding="utf-8"))
+        except Exception:
+            continue
+
+        # ── Scan result: has 'meta' with 'pass_rate' and 'results' list ──────
+        if isinstance(data, dict) and "meta" in data and "results" in data:
+            meta = data.get("meta", {})
+            if not isinstance(meta, dict) or "pass_rate" not in meta:
+                continue
+            ts_str = meta.get("timestamp", "")
+            try:
+                ts = datetime.fromisoformat(ts_str)
+            except Exception:
+                ts = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
+
+            scanner_label = meta.get("scanner", "")
+            stamp = ts.strftime("%Y%m%dT%H%M%SZ")
+            dest_name = f"scan_{stamp}_{_safe_label(scanner_label)}.json"
+            dest = _ensure_dirs() / "scans" / dest_name
+            if not dest.exists():
+                shutil.copy2(path, dest)
+
+            entry = {
+                "timestamp":      ts.isoformat(),
+                "type":           "scan",
+                "evadex_version": meta.get("evadex_version", "unknown"),
+                "scanner_label":  scanner_label,
+                "tool":           "dlpscan-cli",
+                "categories":     list(meta.get("summary_by_category", {}).keys()),
+                "strategies":     [],
+                "total":          meta.get("total", 0),
+                "pass":           meta.get("pass", 0),
+                "fail":           meta.get("fail", 0),
+                "pass_rate":      meta.get("pass_rate", 0.0),
+                "commit_hash":    None,
+                "archive_file":   str(dest),
+                "_backfilled_from": str(path),
+            }
+            append_results_audit(entry)
+            added += 1
+            continue
+
+        # ── Falsepos result: has 'total_tested' and 'overall_false_positive_rate' ──
+        if (
+            isinstance(data, dict)
+            and "total_tested" in data
+            and "overall_false_positive_rate" in data
+        ):
+            ts = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
+            stamp = ts.strftime("%Y%m%dT%H%M%SZ")
+            dest_name = f"falsepos_{stamp}_{_safe_label(data.get('tool', ''))}.json"
+            dest = _ensure_dirs() / "falsepos" / dest_name
+            if not dest.exists():
+                shutil.copy2(path, dest)
+
+            entry = {
+                "timestamp":      ts.isoformat(),
+                "type":           "falsepos",
+                "evadex_version": "unknown",
+                "scanner_label":  "",
+                "tool":           data.get("tool", ""),
+                "categories":     list(data.get("by_category", {}).keys()),
+                "total_tested":   data.get("total_tested", 0),
+                "total_flagged":  data.get("total_flagged", 0),
+                "fp_rate":        data.get("overall_false_positive_rate", 0.0),
+                "commit_hash":    None,
+                "archive_file":   str(dest),
+                "_backfilled_from": str(path),
+            }
+            append_results_audit(entry)
+            added += 1
+
+    return added

{evadex-3.0.2 → evadex-3.2.0}/src/evadex/cli/app.py

@@ -8,6 +8,8 @@ from evadex.cli.commands.list_payloads import list_payloads
 from evadex.cli.commands.list_techniques import list_techniques
 from evadex.cli.commands.init import init_cmd
 from evadex.cli.commands.falsepos import falsepos
+from evadex.cli.commands.history import history
+from evadex.cli.commands.trend import trend
 
 # Ensure stdout/stderr use UTF-8 on Windows so that Rich tables with Unicode
 # box-drawing characters and special symbols render without codec errors.
@@ -31,3 +33,5 @@ main.add_command(list_payloads)
 main.add_command(list_techniques)
 main.add_command(init_cmd)
 main.add_command(falsepos)
+main.add_command(history)
+main.add_command(trend)

{evadex-3.0.2 → evadex-3.2.0}/src/evadex/cli/commands/falsepos.py

@@ -235,6 +235,26 @@ def falsepos(
         "by_category": by_category,
     }
 
+    # ── Archive: save timestamped copy and append to audit.jsonl ─────────────
+    from evadex.archive import (
+        archive_falsepos, append_results_audit,
+        build_falsepos_audit_entry, get_commit_hash,
+    )
+    _scanner_label = f"{tool}:{mode_label}" if mode_label != "baseline (no context)" else tool
+    _archive_path = archive_falsepos(report, scanner_label=_scanner_label)
+    _commit = get_commit_hash()
+    _audit_entry = build_falsepos_audit_entry(
+        tool=tool,
+        categories=active_cats,
+        total_tested=total_tested,
+        total_flagged=total_flagged,
+        fp_rate=overall_rate,
+        archive_file=str(_archive_path),
+        commit_hash=_commit,
+        scanner_label=_scanner_label,
+    )
+    append_results_audit(_audit_entry)
+
     # ── Output ────────────────────────────────────────────────────────────────
     if fmt == "json" or output:
         rendered = json.dumps(report, indent=2)

evadex-3.2.0/src/evadex/cli/commands/history.py

@@ -0,0 +1,134 @@
+"""evadex history — show past scan and falsepos run results."""
+from __future__ import annotations
+
+import json
+import sys
+from pathlib import Path
+from typing import Optional
+
+import click
+from rich.console import Console
+from rich.table import Table
+
+err_console = Console(stderr=True)
+
+
+def _load_audit(audit_path: Path) -> list[dict]:
+    if not audit_path.exists():
+        return []
+    entries = []
+    for line in audit_path.read_text(encoding="utf-8").splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            entries.append(json.loads(line))
+        except json.JSONDecodeError:
+            continue
+    return entries
+
+
+def _fmt_rate(entry: dict) -> str:
+    if entry.get("type") == "scan":
+        rate = entry.get("pass_rate")
+        if rate is None:
+            return "—"
+        return f"{rate:.1f}%"
+    elif entry.get("type") == "falsepos":
+        rate = entry.get("fp_rate")
+        if rate is None:
+            return "—"
+        return f"{rate:.1f}% FP"
+    return "—"
+
+
+def _fmt_total(entry: dict) -> str:
+    if entry.get("type") == "scan":
+        return str(entry.get("total", "—"))
+    elif entry.get("type") == "falsepos":
+        return str(entry.get("total_tested", "—"))
+    return "—"
+
+
+def _fmt_date(ts: str) -> str:
+    """Shorten ISO timestamp to a readable date+time."""
+    if not ts:
+        return "—"
+    # e.g. "2026-04-14T12:34:56.789+00:00" → "2026-04-14 12:34"
+    try:
+        date_part, time_part = ts[:19].split("T")
+        return f"{date_part} {time_part[:5]}"
+    except Exception:
+        return ts[:16]
+
+
+@click.command("history")
+@click.option("--last", default=20, show_default=True, type=int,
+              help="Number of most recent entries to show.")
+@click.option("--type", "entry_type", default=None,
+              type=click.Choice(["scan", "falsepos"]),
+              help="Filter by entry type.")
+@click.option("--results-dir", default="results", show_default=True,
+              help="Path to results directory (must contain audit.jsonl).")
+def history(last: int, entry_type: Optional[str], results_dir: str) -> None:
+    """Show history of past scan and false positive runs.
+
+    \b
+    Examples:
+      evadex history
+      evadex history --last 10
+      evadex history --type scan
+      evadex history --type falsepos
+    """
+    audit_path = Path(results_dir) / "audit.jsonl"
+    entries = _load_audit(audit_path)
+
+    if not entries:
+        err_console.print(
+            f"[yellow]No audit entries found in {audit_path}.[/yellow]\n"
+            "Run [bold]evadex scan[/bold] or [bold]evadex falsepos[/bold] to start "
+            "building history, or use [bold]evadex history --results-dir PATH[/bold] "
+            "to point to a different results directory."
+        )
+        sys.exit(0)
+
+    if entry_type:
+        entries = [e for e in entries if e.get("type") == entry_type]
+
+    # Most-recent first, then truncate
+    entries = list(reversed(entries))[:last]
+
+    table = Table(show_header=True, header_style="bold", box=None, pad_edge=False)
+    table.add_column("Date",          style="dim",    min_width=16)
+    table.add_column("Type",          style="cyan",   min_width=8)
+    table.add_column("Scanner Label", style="",       min_width=18, overflow="fold")
+    table.add_column("Total",         style="",       min_width=6,  justify="right")
+    table.add_column("Rate",          style="",       min_width=10, justify="right")
+    table.add_column("Commit",        style="dim",    min_width=8)
+
+    for e in entries:
+        rate_str = _fmt_rate(e)
+        entry_t = e.get("type", "?")
+
+        if entry_t == "scan":
+            rate = e.get("pass_rate", 0)
+            colour = "green" if rate >= 80 else ("yellow" if rate >= 60 else "red")
+        else:
+            rate = e.get("fp_rate", 0)
+            colour = "red" if rate >= 50 else ("yellow" if rate >= 20 else "green")
+
+        table.add_row(
+            _fmt_date(e.get("timestamp", "")),
+            entry_t,
+            e.get("scanner_label", "") or "—",
+            _fmt_total(e),
+            f"[{colour}]{rate_str}[/{colour}]",
+            e.get("commit_hash") or "—",
+        )
+
+    console = Console()
+    console.print(table)
+    console.print(
+        f"\n[dim]Showing {len(entries)} entr{'y' if len(entries) == 1 else 'ies'} "
+        f"from {audit_path}[/dim]"
+    )

{evadex-3.0.2 → evadex-3.2.0}/src/evadex/cli/commands/scan.py

@@ -273,13 +273,21 @@ def _print_summary(results, err_console):
               help="Pass --require-context to dlpscan-rs: only flag matches when surrounding "
                    "keywords are present. Reduces false positives but may also reduce detection "
                    "rate for variants lacking keyword context. Requires --cmd-style rust.")
+@click.option("--wrap-context", "wrap_context", is_flag=True, default=False,
+              help="Embed every variant value in a realistic keyword sentence before submission. "
+                   "dlpscan-rs requires surrounding context words to flag matches — submitting a "
+                   "bare value produces misleading (artificially low) detection rates. "
+                   "Automatically enabled when --cmd-style rust is used. "
+                   "Pass --no-wrap-context to disable.")
+@click.option("--no-wrap-context", "no_wrap_context", is_flag=True, default=False,
+              help="Explicitly disable context wrapping even when --cmd-style rust is active.")
 def scan(
     ctx,
     config_path, tool, input_value, fmt, output, url, api_key, timeout,
     strategies, concurrency, categories, variant_groups, include_heuristic,
     scanner_label, executable, cmd_style, min_detection_rate,
     save_baseline, compare_baseline, audit_log, feedback_report,
-    require_context,
+    require_context, wrap_context, no_wrap_context,
 ):
     """Run DLP evasion tests."""
     load_builtins()
@@ -340,6 +348,20 @@ def scan(
             audit_log = cfg.audit_log
         if _is_default("require_context") and cfg.require_context is not None:
             require_context = cfg.require_context
+        if not wrap_context and not no_wrap_context and cfg.wrap_context is not None:
+            wrap_context = cfg.wrap_context
+
+    # ── Auto-enable wrap_context for dlpscan-rs ───────────────────────────────
+    # dlpscan-rs requires surrounding context keywords to fire most rules.
+    # Submitting a bare value (no sentence context) produces artificially low
+    # detection rates that do not reflect real-world scanner behaviour.
+    # When --cmd-style rust is active and the user has not explicitly opted out
+    # with --no-wrap-context, enable context wrapping automatically.
+    effective_cmd_style = cmd_style or "python"
+    if not no_wrap_context and not wrap_context and effective_cmd_style == "rust":
+        wrap_context = True
+    if no_wrap_context:
+        wrap_context = False
 
     # ── Heuristic warning ─────────────────────────────────────────────────────
     if include_heuristic:
@@ -386,6 +408,8 @@ def scan(
         config["cmd_style"] = cmd_style
     if require_context:
         config["require_context"] = True
+    if wrap_context:
+        config["wrap_context"] = True
     try:
         adapter = get_adapter(tool, config)
     except KeyError as e:
@@ -460,6 +484,28 @@ def scan(
     reporter = HtmlReporter() if fmt == "html" else JsonReporter(scanner_label=scanner_label)
     rendered = reporter.render(results)
 
+    # ── Archive: save timestamped copy and append to audit.jsonl ─────────────
+    if fmt == "json":
+        from evadex.archive import (
+            archive_scan, append_results_audit,
+            build_scan_audit_entry, get_commit_hash,
+        )
+        _archive_path = archive_scan(rendered, scanner_label)
+        _commit = get_commit_hash()
+        _audit_entry = build_scan_audit_entry(
+            scanner_label=scanner_label,
+            tool=tool,
+            categories=list(categories) if categories else [],
+            strategies=active_strategies,
+            total=total,
+            passes=passes,
+            fails=fails,
+            pass_rate=pass_rate,
+            archive_file=str(_archive_path),
+            commit_hash=_commit,
+        )
+        append_results_audit(_audit_entry)
+
     if output:
         try:
             with open(output, "w", encoding="utf-8") as f: