# Report Schema

## Purpose

This document defines the expected report and receipt schemas for the local review harness.

## Finding Schema

```json
{
  "id": "",
  "title": "",
  "severity": "low|medium|high|critical",
  "status": "confirmed|suspected|rejected|blocked",
  "file": "",
  "line_hint": "",
  "evidence": "",
  "reason": "",
  "suggested_fix": "",
  "source": "static|llm|validator",
  "confidence": 0.0
}
```

## Severity Rules

### Critical

Use for:

- credential exposure
- destructive command risk
- unauthenticated mutation endpoint
- remote code execution risk
- data corruption risk

### High

Use for:

- SQL injection risk
- broad CORS on sensitive service
- fail-open security behavior
- unsafe filesystem access
- missing validation on critical inputs

### Medium

Use for:

- hardcoded paths
- excessive file size
- weak error handling
- missing tests around important code
- fragile environment assumptions

### Low

Use for:

- minor duplication
- naming confusion
- documentation drift
- small maintainability issues

## Scrum Test Report Sections

Every Scrum test report must include:

```text
Verdict
Evidence
Confirmed Risks
Suspected Risks
Blocked Checks
Sprint Backlog
Acceptance Gates
Next Commands
```

## Risk Register Schema

```json
{
  "risks": [
    {
      "id": "",
      "title": "",
      "severity": "",
      "affected_area": "",
      "evidence": "",
      "impact": "",
      "mitigation": "",
      "owner": "",
      "status": "open|mitigated|accepted|blocked"
    }
  ]
}
```

## Receipt Schema

```json
{
  "run_id": "",
  "repo_path": "",
  "started_at": "",
  "finished_at": "",
  "phases": [
    {
      "name": "",
      "status": "ok|degraded|failed|skipped",
      "input_hash": "",
      "output_hash": "",
      "output_files": [],
      "errors": []
    }
  ],
  "summary": {
    "confirmed_findings": 0,
    "suspected_findings": 0,
    "blocked_checks": 0,
    "critical": 0,
    "high": 0,
    "medium": 0,
    "low": 0
  }
}
```

## Claim Coverage Table

Use this Markdown table:

```text
| Claim | Code Location | Existing Test | Missing Test | Risk |
|---|---|---|---|---|
```

## No Fake Evidence Rule

Reports must not include:

- invented file paths
- invented command output
- invented tests
- unsupported claims
- false pass/fail statements

If evidence is missing, say missing evidence.
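The following is an added example, not part of the harness's own code, showing how the Finding Schema, the Receipt Schema's `summary` block and the No Fake Evidence Rule fit together: it validates a finding against the field names and enum values given above, rejects an empty `evidence` field (the rule says to write "missing evidence" rather than leave it blank), and derives the receipt summary counts from a list of findings. The sample findings are constructed for the example. Two points are assumptions rather than page rules: `confidence` is taken to lie in `[0.0, 1.0]`, and severity counts in the summary include only `confirmed` and `suspected` findings (a `rejected` finding is not a risk, and a `blocked` check produced no result).

```python
"""Validate review-harness findings and build the receipt summary.

Example code written for this document; the schema enum values come
from the Finding Schema and Receipt Schema sections above.
"""
from __future__ import annotations

SEVERITIES = ("low", "medium", "high", "critical")
STATUSES = ("confirmed", "suspected", "rejected", "blocked")
SOURCES = ("static", "llm", "validator")
REQUIRED_FIELDS = (
    "id", "title", "severity", "status", "file", "line_hint",
    "evidence", "reason", "suggested_fix", "source", "confidence",
)
# Literal the No Fake Evidence Rule asks for when evidence is absent.
MISSING_EVIDENCE = "missing evidence"


def validate_finding(finding: dict) -> list[str]:
    """Return a list of schema violations; an empty list means valid."""
    errors = [f"missing field: {name}" for name in REQUIRED_FIELDS
              if name not in finding]
    if errors:
        return errors  # no point checking values of absent fields

    if finding["severity"] not in SEVERITIES:
        errors.append(f"invalid severity: {finding['severity']!r}")
    if finding["status"] not in STATUSES:
        errors.append(f"invalid status: {finding['status']!r}")
    if finding["source"] not in SOURCES:
        errors.append(f"invalid source: {finding['source']!r}")

    # Assumption (not stated on the page): confidence is a probability-like
    # number in [0.0, 1.0]. bool is excluded because it subclasses int.
    conf = finding["confidence"]
    if (isinstance(conf, bool) or not isinstance(conf, (int, float))
            or not 0.0 <= conf <= 1.0):
        errors.append("confidence must be a number in [0.0, 1.0]")

    # No Fake Evidence Rule: a blank evidence field is not allowed; the report
    # has to state "missing evidence" explicitly.
    evidence = str(finding["evidence"]).strip()
    if not evidence:
        errors.append(f"evidence is blank; write {MISSING_EVIDENCE!r} instead")
    # Assumption: a finding cannot be 'confirmed' on missing evidence.
    elif finding["status"] == "confirmed" and evidence == MISSING_EVIDENCE:
        errors.append("confirmed finding cannot rest on missing evidence")
    return errors


def build_summary(findings: list[dict]) -> dict:
    """Compute the Receipt Schema 'summary' block from validated findings."""
    summary = {"confirmed_findings": 0, "suspected_findings": 0,
               "blocked_checks": 0,
               "critical": 0, "high": 0, "medium": 0, "low": 0}
    for finding in findings:
        status = finding["status"]
        if status == "confirmed":
            summary["confirmed_findings"] += 1
        elif status == "suspected":
            summary["suspected_findings"] += 1
        elif status == "blocked":
            summary["blocked_checks"] += 1
        # Assumption: only live risks (confirmed/suspected) count per severity.
        if status in ("confirmed", "suspected"):
            summary[finding["severity"]] += 1
    return summary


def _finding(**overrides) -> dict:
    """Build a constructed sample finding with every required field set."""
    base = {"id": "F-0", "title": "sample", "severity": "low",
            "status": "suspected", "file": "src/example.py", "line_hint": "1",
            "evidence": MISSING_EVIDENCE, "reason": "constructed sample",
            "suggested_fix": "n/a", "source": "static", "confidence": 0.5}
    base.update(overrides)
    return base


# Constructed sample data, not output from any real run.
SAMPLE_FINDINGS = [
    _finding(id="F-1", severity="high", status="confirmed",
             evidence="grep hit: cursor.execute(query % user_input)",
             confidence=0.9, source="validator"),
    _finding(id="F-2", severity="medium", status="suspected", source="llm"),
    _finding(id="F-3", severity="low", status="blocked",
             reason="linter did not run"),
]
BAD_FINDING = _finding(id="F-4", severity="urgent", evidence="", confidence=1.5)
```

Running `validate_finding` over every finding before calling `build_summary` keeps a malformed entry (an unknown severity, a blank evidence field) from silently skewing the receipt counts.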