@bouncesecurity/aghast 0.0.13 → 0.2.0

package/dist/logging.js

@@ -1,34 +1,269 @@
-const LOG_PRIORITY = {
-    silent: 0,
-    info: 1,
-    debug: 2,
+/**
+ * Pluggable logging system with standard log levels and handler-based architecture.
+ *
+ * Log levels (standard, syslog-inspired):
+ *   error (0) > warn (1) > info (2) > debug (3) > trace (4)
+ *
+ * Handlers receive structured LogEntry objects and decide how to output them.
+ * A ConsoleHandler is registered by default. Additional handlers (e.g. FileHandler)
+ * can be added at runtime via addHandler().
+ */
+import { createWriteStream, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+const LOG_LEVEL_PRIORITY = {
+    error: 0,
+    warn: 1,
+    info: 2,
+    debug: 3,
+    trace: 4,
 };
-let cachedLogLevel;
-export function getLogLevel() {
-    if (cachedLogLevel)
-        return cachedLogLevel;
-    cachedLogLevel = 'info';
-    return cachedLogLevel;
+const VALID_LOG_LEVELS = new Set(Object.keys(LOG_LEVEL_PRIORITY));
+/**
+ * Check whether a string is a valid LogLevel.
+ */
+export function isValidLogLevel(s) {
+    return VALID_LOG_LEVELS.has(s);
+}
+/**
+ * A "silent" sentinel: priority -1 means no messages pass the threshold check.
+ * Used internally when setLogLevel('silent') is called.
+ */
+const SILENT_PRIORITY = -1;
+// --- Console Handler ---
+export class ConsoleHandler {
+    name = 'console';
+    level;
+    priority;
+    constructor(level = 'info') {
+        this.level = level;
+        this.priority = level === 'silent' ? SILENT_PRIORITY : LOG_LEVEL_PRIORITY[level];
+    }
+    setLevel(level) {
+        this.level = level;
+        this.priority = level === 'silent' ? SILENT_PRIORITY : LOG_LEVEL_PRIORITY[level];
+    }
+    handle(entry) {
+        const entryPriority = LOG_LEVEL_PRIORITY[entry.level];
+        if (entryPriority > this.priority)
+            return;
+        const levelTag = entry.level === 'info' ? '' : `[${entry.level}]`;
+        if (entry.data === undefined) {
+            console.log(`${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}`);
+        }
+        else {
+            const formatted = typeof entry.data === 'string' ? entry.data : JSON.stringify(entry.data);
+            // Truncate at debug level for console readability (matching legacy behavior)
+            if (entry.level === 'debug') {
+                const truncated = formatted.length > 200 ? formatted.slice(0, 200) + '...' : formatted;
+                console.log(`${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}: ${truncated}`);
+            }
+            else if (entry.level === 'trace') {
+                // Trace: full data, newline-separated (matching legacy logDebugFull)
+                console.log(`${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}:\n${formatted}`);
+            }
+            else {
+                console.log(`${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}: ${formatted}`);
+            }
+        }
+    }
 }
+// --- File Handler ---
+export class FileHandler {
+    name;
+    level;
+    priority;
+    stream = null;
+    constructor(filePath, level = 'trace', name = 'file') {
+        this.name = name;
+        this.level = level;
+        this.priority = level === 'silent' ? SILENT_PRIORITY : LOG_LEVEL_PRIORITY[level];
+        try {
+            mkdirSync(dirname(filePath), { recursive: true });
+            this.stream = createWriteStream(filePath, { flags: 'w', encoding: 'utf-8', mode: 0o600 });
+            this.stream.on('error', (err) => {
+                console.warn(`[logging] File handler write error: ${err.message}`);
+                this.stream = null;
+            });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.warn(`[logging] Failed to open log file "${filePath}": ${msg}`);
+            this.stream = null;
+        }
+    }
+    handle(entry) {
+        if (!this.stream)
+            return;
+        const entryPriority = LOG_LEVEL_PRIORITY[entry.level];
+        if (entryPriority > this.priority)
+            return;
+        const levelTag = `[${entry.level}]`;
+        let line;
+        if (entry.data === undefined) {
+            line = `${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}`;
+        }
+        else {
+            const formatted = typeof entry.data === 'string' ? entry.data : JSON.stringify(entry.data);
+            line = `${entry.timestamp} [${entry.tag}]${levelTag} ${entry.message}: ${formatted}`;
+        }
+        this.stream.write(line + '\n');
+    }
+    close() {
+        if (!this.stream)
+            return Promise.resolve();
+        const stream = this.stream;
+        this.stream = null;
+        if (stream.destroyed || stream.closed)
+            return Promise.resolve();
+        return new Promise((resolve) => {
+            stream.end(() => {
+                stream.destroy();
+                resolve();
+            });
+        });
+    }
+}
+// --- Log Type Registry ---
+const LOG_TYPE_REGISTRY = {
+    file: (path, level) => new FileHandler(path, level),
+};
 /**
- * Programmatically set the log level (avoids env var race conditions with --debug flag).
+ * Create a log handler by type name.
+ * @throws Error if the type is not registered
+ */
+export function createHandlerByType(type, path, level = 'trace') {
+    const factory = LOG_TYPE_REGISTRY[type];
+    if (!factory) {
+        const available = Object.keys(LOG_TYPE_REGISTRY).join(', ');
+        throw new Error(`Unknown log type "${type}". Available types: ${available}`);
+    }
+    return factory(path, level);
+}
+/**
+ * Get the list of available log type names.
+ */
+export function getAvailableLogTypes() {
+    return Object.keys(LOG_TYPE_REGISTRY);
+}
+// --- Handler Registry ---
+const handlers = [];
+let consoleHandler;
+function ensureConsoleHandler() {
+    if (!consoleHandler) {
+        consoleHandler = new ConsoleHandler('info');
+        handlers.push(consoleHandler);
+    }
+    return consoleHandler;
+}
+// Initialize the default console handler
+ensureConsoleHandler();
+/**
+ * Add a log handler to the registry.
+ */
+export function addHandler(handler) {
+    handlers.push(handler);
+}
+/**
+ * Remove a log handler by name.
+ */
+export function removeHandler(name) {
+    const idx = handlers.findIndex((h) => h.name === name);
+    if (idx !== -1)
+        handlers.splice(idx, 1);
+}
+/**
+ * Close all handlers (flush file streams, etc.) and clear the registry.
+ * Re-initializes the console handler afterward.
+ */
+export async function closeAllHandlers() {
+    const closePromises = handlers
+        .map((h) => h.close?.())
+        .filter(Boolean)
+        .map((p) => p.catch((err) => console.warn(`[logging] Handler close failed: ${err.message}`)));
+    await Promise.all(closePromises);
+    handlers.length = 0;
+    consoleHandler = new ConsoleHandler('info');
+    handlers.push(consoleHandler);
+}
+/**
+ * Convenience: create a file handler via the type registry and add it.
+ */
+export function initFileHandler(filePath, type = 'file', level = 'trace') {
+    const handler = createHandlerByType(type, filePath, level);
+    addHandler(handler);
+}
+// --- Log Level Management (backward compatible) ---
+const LEGACY_LEVEL_MAP = {
+    silent: 'silent',
+    info: 'info',
+    debug: 'debug',
+};
+/**
+ * Set the console handler's log level.
+ * Accepts both new standard levels and legacy 3-level names ('silent', 'info', 'debug').
  */
 export function setLogLevel(level) {
-    cachedLogLevel = level;
+    const mapped = LEGACY_LEVEL_MAP[level] ?? level;
+    if (mapped !== 'silent' && !VALID_LOG_LEVELS.has(mapped)) {
+        throw new Error(`Invalid log level: "${level}". Valid levels: ${[...VALID_LOG_LEVELS].join(', ')}, silent`);
+    }
+    ensureConsoleHandler().setLevel(mapped);
 }
-function formatTimestamp() {
-    return new Date().toISOString().replace('T', ' ').replace('Z', '');
+/**
+ * Get the console handler's current log level.
+ */
+export function getLogLevel() {
+    return ensureConsoleHandler().level;
 }
+// --- Timestamp ---
+export function formatTimestamp() {
+    return new Date().toISOString().replace('T', ' ').replace('Z', ' UTC');
+}
+// --- Central Log Dispatcher ---
+function log(level, tag, message, data) {
+    const entry = {
+        timestamp: formatTimestamp(),
+        level,
+        tag,
+        message,
+        data,
+    };
+    for (const handler of handlers) {
+        handler.handle(entry);
+    }
+}
+// --- Convenience Wrappers (signatures unchanged for backward compat) ---
 /**
  * Log a progress/activity message at info level.
  */
 export function logProgress(tag, message, details) {
-    if (LOG_PRIORITY['info'] <= LOG_PRIORITY[getLogLevel()]) {
-        const timestamp = formatTimestamp();
-        const detailStr = details ? ` ${JSON.stringify(details)}` : '';
-        console.log(`${timestamp} [${tag}] ${message}${detailStr}`);
-    }
+    log('info', tag, message, details);
+}
+/**
+ * Log debug information (single line, compact — console truncates at 200 chars).
+ */
+export function logDebug(tag, message, data) {
+    log('debug', tag, message, data);
+}
+/**
+ * Log debug information without truncation (for full prompts and responses).
+ */
+export function logDebugFull(tag, message, data) {
+    log('trace', tag, message, data);
 }
+/**
+ * Log a warning message.
+ */
+export function logWarn(tag, message, data) {
+    log('warn', tag, message, data);
+}
+/**
+ * Log an error message.
+ */
+export function logError(tag, message, data) {
+    log('error', tag, message, data);
+}
+// --- Timer ---
 /**
  * Create a timer for measuring elapsed time.
  */
@@ -46,34 +281,25 @@ export function createTimer() {
         },
     };
 }
+// --- Test Helpers ---
 /**
- * Log debug information (single line, compact).
+ * Reset the handler registry to a clean state (for testing only).
+ * Removes all handlers and re-adds a fresh ConsoleHandler.
  */
-export function logDebug(tag, message, data) {
-    if (getLogLevel() !== 'debug')
-        return;
-    const timestamp = formatTimestamp();
-    if (data === undefined) {
-        console.log(`${timestamp} [${tag}][debug] ${message}`);
-    }
-    else {
-        const formatted = typeof data === 'string' ? data : JSON.stringify(data);
-        const truncated = formatted.length > 200 ? formatted.slice(0, 200) + '...' : formatted;
-        console.log(`${timestamp} [${tag}][debug] ${message}: ${truncated}`);
-    }
+export async function _resetHandlers(level = 'info') {
+    const closePromises = handlers
+        .map((h) => h.close?.())
+        .filter(Boolean)
+        .map((p) => p.catch(() => { }));
+    await Promise.all(closePromises);
+    handlers.length = 0;
+    consoleHandler = new ConsoleHandler(level);
+    handlers.push(consoleHandler);
 }
 /**
- * Log debug information without truncation (for full prompts and responses).
+ * Get a snapshot of currently registered handler names (for testing only).
  */
-export function logDebugFull(tag, message, data) {
-    if (getLogLevel() !== 'debug')
-        return;
-    const timestamp = formatTimestamp();
-    if (data === undefined) {
-        console.log(`${timestamp} [${tag}][debug] ${message}`);
-    }
-    else {
-        console.log(`${timestamp} [${tag}][debug] ${message}:\n${data}`);
-    }
+export function _getHandlerNames() {
+    return handlers.map((h) => h.name);
 }
 //# sourceMappingURL=logging.js.map

package/dist/logging.js.map

@@ -1 +1 @@
-{"version":3,"file":"logging.js","sourceRoot":"","sources":["../src/logging.ts"],"names":[],"mappings":"AAEA,MAAM,YAAY,GAA6B;IAC7C,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,IAAI,cAAoC,CAAC;AAEzC,MAAM,UAAU,WAAW;IACzB,IAAI,cAAc;QAAE,OAAO,cAAc,CAAC;IAC1C,cAAc,GAAG,MAAM,CAAC;IACxB,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAe;IACzC,cAAc,GAAG,KAAK,CAAC;AACzB,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,OAAe,EAAE,OAAiC;IACzF,IAAI,YAAY,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACxD,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,KAAK,OAAO,GAAG,SAAS,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QACjC,UAAU,EAAE,GAAG,EAAE;YACf,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;YAC9B,IAAI,EAAE,GAAG,IAAI;gBAAE,OAAO,GAAG,EAAE,IAAI,CAAC;YAChC,IAAI,EAAE,GAAG,KAAK;gBAAE,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;YACpD,OAAO,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW,EAAE,OAAe,EAAE,IAAc;IACnE,IAAI,WAAW,EAAE,KAAK,OAAO;QAAE,OAAO;IAEtC,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,EAAE,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,MAAM,SAAS,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzE,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACvF,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,KAAK,SAAS,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,IAAa;IACtE,IAAI,WAAW,EAAE,KAAK,OAAO;QAAE,OAAO;IAEtC,MAAM,SAAS,GAAG,eAAe,EAAE,CAAC;IACpC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,EAAE,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,KAAK,GAAG,YAAY,OAAO,MAAM,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;AACH,CAAC"}
+{"version":3,"file":"logging.js","sourceRoot":"","sources":["../src/logging.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAoB,MAAM,SAAS,CAAC;AACzE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC,MAAM,kBAAkB,GAA6B;IACnD,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;AAE1E;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,CAAS;IACvC,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,CAAC,CAAC;AA0B3B,0BAA0B;AAE1B,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,SAAS,CAAC;IAC1B,KAAK,CAAsB;IACnB,QAAQ,CAAS;IAEzB,YAAY,QAA6B,MAAM;QAC7C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnF,CAAC;IAED,QAAQ,CAAC,KAA0B;QACjC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,CAAC,KAAe;QACpB,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,aAAa,GAAG,IAAI,CAAC,QAAQ;YAAE,OAAO;QAE1C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC;QAClE,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC3F,6EAA6E;YAC7E,IAAI,KAAK,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBAC5B,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;gBACvF,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC,CAAC;YAC7F,CAAC;iBAAM,IAAI,KAAK,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBACnC,qEAAqE;gBACrE,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,MAAM,SAAS,EAAE,CAAC,CAAC;YAC9F,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC,CAAC;YAC7F,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,uBAAuB;AAEvB,MAAM,OAAO,WAAW;IACb,IAAI,CAAS;IACtB,KAAK,CAAsB;IACnB,QAAQ,CAAS;IACjB,MAAM,GAAuB,IAAI,CAAC;IAE1C,YAAY,QAAgB,EAAE,QAA6B,OAAO,EAAE,IAAI,GAAG,MAAM;QAC/E,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,QAAQ,GAAG,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAEjF,IAAI,CAAC;YACH,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAC1F,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC9B,OAAO,CAAC,IAAI,CAAC,uCAAuC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACnE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACrB,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,IAAI,CAAC,sCAAsC,QAAQ,MAAM,GAAG,EAAE,CAAC,CAAC;YACxE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAe;QACpB,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO;QACzB,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACtD,IAAI,aAAa,GAAG,IAAI,CAAC,QAAQ;YAAE,OAAO;QAE1C,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC;QACpC,IAAI,IAAY,CAAC;QACjB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC3F,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACvF,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACjC,CAAC;IAED,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;QAChE,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YACnC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;gBACd,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,4BAA4B;AAE5B,MAAM,iBAAiB,GAAkE;IACvF,IAAI,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC;CACpD,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY,EAAE,IAAY,EAAE,QAAkB,OAAO;IACvF,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,uBAAuB,SAAS,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;AACxC,CAAC;AAED,2BAA2B;AAE3B,MAAM,QAAQ,GAAiB,EAAE,CAAC;AAClC,IAAI,cAA8B,CAAC;AAEnC,SAAS,oBAAoB;IAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;QAC5C,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,yCAAyC;AACzC,oBAAoB,EAAE,CAAC;AAEvB;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,OAAmB;IAC5C,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACvD,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,aAAa,GAAG,QAAQ;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;SACvB,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAmB,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,mCAAmC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1H,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACjC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACpB,cAAc,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;IAC5C,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,IAAI,GAAG,MAAM,EAAE,QAAkB,OAAO;IACxF,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,UAAU,CAAC,OAAO,CAAC,CAAC;AACtB,CAAC;AAED,qDAAqD;AAErD,MAAM,gBAAgB,GAAgD;IACpE,MAAM,EAAE,QAAQ;IAChB,IAAI,EAAE,MAAM;IACZ,KAAK,EAAE,OAAO;CACf,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAA2C;IACrE,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAuB,CAAC,IAAI,KAAK,CAAC;IAClE,IAAI,MAAM,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,oBAAoB,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9G,CAAC;IACD,oBAAoB,EAAE,CAAC,QAAQ,CAAC,MAA6B,CAAC,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,oBAAoB,EAAE,CAAC,KAAK,CAAC;AACtC,CAAC;AAED,oBAAoB;AAEpB,MAAM,UAAU,eAAe;IAC7B,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;AACzE,CAAC;AAED,iCAAiC;AAEjC,SAAS,GAAG,CAAC,KAAe,EAAE,GAAW,EAAE,OAAe,EAAE,IAAc;IACxE,MAAM,KAAK,GAAa;QACtB,SAAS,EAAE,eAAe,EAAE;QAC5B,KAAK;QACL,GAAG;QACH,OAAO;QACP,IAAI;KACL,CAAC;IACF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,0EAA0E;AAE1E;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,OAAe,EAAE,OAAiC;IACzF,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW,EAAE,OAAe,EAAE,IAAc;IACnE,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,IAAa;IACtE,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW,EAAE,OAAe,EAAE,IAAc;IAClE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW,EAAE,OAAe,EAAE,IAAc;IACnE,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,gBAAgB;AAEhB;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,OAAO;QACL,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QACjC,UAAU,EAAE,GAAG,EAAE;YACf,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;YAC9B,IAAI,EAAE,GAAG,IAAI;gBAAE,OAAO,GAAG,EAAE,IAAI,CAAC;YAChC,IAAI,EAAE,GAAG,KAAK;gBAAE,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;YACpD,OAAO,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,uBAAuB;AAEvB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAA6B,MAAM;IACtE,MAAM,aAAa,GAAG,QAAQ;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;SACvB,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAmB,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACjC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACpB,cAAc,GAAG,IAAI,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AACrC,CAAC"}

package/dist/mock-ai-provider.d.ts

@@ -11,8 +11,11 @@ export declare class MockAIProvider implements AIProvider {
         rawResponse: string;
     });
     initialize(_config: ProviderConfig): Promise<void>;
-    executeCheck(_instructions: string, _repositoryPath: string, _logPrefix?: string): Promise<AIResponse>;
+    executeCheck(_instructions: string, _repositoryPath: string, _logPrefix?: string, _options?: {
+        maxTurns?: number;
+    }): Promise<AIResponse>;
     validateConfig(): Promise<boolean>;
+    setModel(_model: string): void;
     enableDebug(): void;
 }
 //# sourceMappingURL=mock-ai-provider.d.ts.map

package/dist/mock-ai-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mock-ai-provider.d.ts","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEzE,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,WAAW,CAAS;gBAEhB,OAAO,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE;IAItC,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlD,YAAY,CAChB,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC;IAOhB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAIxC,WAAW,IAAI,IAAI;CAGpB"}
+{"version":3,"file":"mock-ai-provider.d.ts","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEzE,qBAAa,cAAe,YAAW,UAAU;IAC/C,OAAO,CAAC,WAAW,CAAS;gBAEhB,OAAO,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE;IAItC,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlD,YAAY,CAChB,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,EACvB,UAAU,CAAC,EAAE,MAAM,EACnB,QAAQ,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/B,OAAO,CAAC,UAAU,CAAC;IAOhB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAIxC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI9B,WAAW,IAAI,IAAI;CAGpB"}

package/dist/mock-ai-provider.js

@@ -12,7 +12,7 @@ export class MockAIProvider {
     async initialize(_config) {
         // No-op
     }
-    async executeCheck(_instructions, _repositoryPath, _logPrefix) {
+    async executeCheck(_instructions, _repositoryPath, _logPrefix, _options) {
         return {
             raw: this.rawResponse,
             parsed: undefined,
@@ -21,6 +21,9 @@ export class MockAIProvider {
     async validateConfig() {
         return true;
     }
+    setModel(_model) {
+        // No-op for mock provider
+    }
     enableDebug() {
         // No-op
     }

package/dist/mock-ai-provider.js.map

@@ -1 +1 @@
-{"version":3,"file":"mock-ai-provider.js","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IAE5B,YAAY,OAAgC;QAC1C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAuB;QACtC,QAAQ;IACV,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,aAAqB,EACrB,eAAuB,EACvB,UAAmB;QAEnB,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW;QACT,QAAQ;IACV,CAAC;CACF"}
+{"version":3,"file":"mock-ai-provider.js","sourceRoot":"","sources":["../src/mock-ai-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IAE5B,YAAY,OAAgC;QAC1C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAuB;QACtC,QAAQ;IACV,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,aAAqB,EACrB,eAAuB,EACvB,UAAmB,EACnB,QAAgC;QAEhC,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ,CAAC,MAAc;QACrB,0BAA0B;IAC5B,CAAC;IAED,WAAW;QACT,QAAQ;IACV,CAAC;CACF"}

package/dist/new-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"new-check.d.ts","sourceRoot":"","sources":["../src/new-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AA2YH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAyF/D"}
+{"version":3,"file":"new-check.d.ts","sourceRoot":"","sources":["../src/new-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgcH,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA0F/D"}

package/dist/new-check.js

@@ -15,6 +15,7 @@ import { createInterface } from 'node:readline/promises';
 import { stdin, stdout } from 'node:process';
 import { createRequire } from 'node:module';
 import { ERROR_CODES, formatError, formatFatalError } from './error-codes.js';
+import { getCheckType, getValidCheckTypes } from './check-types.js';
 const ID_PREFIX = 'aghast-';
 const SUPPORTED_LANGUAGES = {
     python: { semgrepId: 'python', extension: '.py', commentPrefix: '#' },
@@ -31,6 +32,7 @@ const CLI_FLAG_MAP = {
     '--name': 'name',
     '--severity': 'severity',
     '--confidence': 'confidence',
+    '--model': 'model',
     '--repositories': 'repositories',
     '--check-overview': 'checkOverview',
     '--check-items': 'checkItems',
@@ -38,7 +40,9 @@ const CLI_FLAG_MAP = {
     '--fail-condition': 'failCondition',
     '--flag-condition': 'flagCondition',
     '--check-type': 'checkType',
+    '--discovery': 'discovery',
     '--semgrep-rules': 'semgrepRules',
+    '--sarif-file': 'sarifFile',
     '--max-targets': 'maxTargets',
     '--language': 'language',
     '--config-dir': 'configDir',
@@ -109,28 +113,40 @@ async function promptForMissing(flags) {
         name: await ask('Check name (e.g. XSS Prevention)', flags.name),
         severity: await askOptional('Severity (critical/high/medium/low/informational)', flags.severity),
         confidence: await askOptional('Confidence (high/medium/low)', flags.confidence),
+        model: flags.model !== undefined ? flags.model : await askOptional('AI model override (e.g. claude-sonnet-4-6)', undefined),
         repositories: flags.repositories !== undefined ? flags.repositories : await askOptional('Repositories (comma-separated URLs, or empty for all)', undefined),
         checkOverview: await ask('Check overview / description', flags.checkOverview),
         checkItems: await ask('Check items (comma-separated)', flags.checkItems),
         passCondition: await ask('PASS condition', flags.passCondition),
         failCondition: await ask('FAIL condition', flags.failCondition),
         flagCondition: await askOptional('FLAG condition (requires human investigation)', flags.flagCondition),
-        checkType: await askWithDefault('Check type (repository/semgrep/semgrep-only)', 'repository', flags.checkType),
+        checkType: await askWithDefault(`Check type (${getValidCheckTypes().join('/')})`, 'repository', flags.checkType),
+        discovery: '',
         semgrepRules: '',
+        sarifFile: '',
         maxTargets: '',
         language: '',
     };
-    if (result.checkType === 'semgrep' || result.checkType === 'semgrep-only') {
-        result.semgrepRules = flags.semgrepRules !== undefined
-            ? flags.semgrepRules
-            : await askOptional('Semgrep rule file paths (comma-separated, or press Enter to generate template)', undefined);
+    if (result.checkType === 'targeted' || result.checkType === 'static') {
+        const discoveryChoices = result.checkType === 'targeted' ? 'semgrep/openant/sarif' : 'semgrep';
+        result.discovery = await askWithDefault(`Discovery (${discoveryChoices})`, 'semgrep', flags.discovery);
         result.maxTargets = await askOptional('Max targets', flags.maxTargets);
-        if (!result.semgrepRules) {
-            // Language is required when generating a rule template + test file
-            result.language = await ask(`Language (${LANGUAGE_CHOICES.join('/')})`, flags.language);
+        if (result.discovery === 'semgrep') {
+            result.semgrepRules = flags.semgrepRules !== undefined
+                ? flags.semgrepRules
+                : await askOptional('Semgrep rule file paths (comma-separated, or press Enter to generate template)', undefined);
+            if (!result.semgrepRules) {
+                // Language is required when generating a rule template + test file
+                result.language = await ask(`Language (${LANGUAGE_CHOICES.join('/')})`, flags.language);
+            }
+            else {
+                result.language = flags.language ?? '';
+            }
         }
-        else {
-            result.language = flags.language ?? '';
+        else if (result.discovery === 'sarif') {
+            result.sarifFile = flags.sarifFile !== undefined
+                ? flags.sarifFile
+                : await ask('SARIF file path (relative to target repo, e.g. ./sast-results.sarif)', flags.sarifFile);
         }
     }
     if (rl)
@@ -163,9 +179,9 @@ function validateInputs(inputs, registry) {
     if (inputs.confidence && !validConfidences.includes(inputs.confidence)) {
         errors.push(`Invalid confidence "${inputs.confidence}". Must be one of: ${validConfidences.join(', ')}`);
     }
-    const validCheckTypes = ['repository', 'semgrep', 'semgrep-only', ''];
-    if (!validCheckTypes.includes(inputs.checkType)) {
-        errors.push(`Invalid check type "${inputs.checkType}". Must be one of: repository, semgrep, semgrep-only`);
+    const validCheckTypes = getValidCheckTypes();
+    if (inputs.checkType && !validCheckTypes.includes(inputs.checkType)) {
+        errors.push(`Invalid check type "${inputs.checkType}". Must be one of: ${validCheckTypes.join(', ')}`);
     }
     if (inputs.maxTargets) {
         const parsed = parseInt(inputs.maxTargets, 10);
@@ -173,7 +189,16 @@ function validateInputs(inputs, registry) {
             errors.push(`Invalid maxTargets "${inputs.maxTargets}". Must be a positive integer`);
         }
     }
-    if ((inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') && inputs.language && !SUPPORTED_LANGUAGES[inputs.language]) {
+    if ((inputs.checkType === 'targeted' || inputs.checkType === 'static') && inputs.checkType) {
+        const validDiscoveries = inputs.checkType === 'targeted' ? ['semgrep', 'openant', 'sarif'] : ['semgrep'];
+        if (!inputs.discovery || !validDiscoveries.includes(inputs.discovery)) {
+            errors.push(`Invalid discovery "${inputs.discovery}" for check type "${inputs.checkType}". Must be one of: ${validDiscoveries.join(', ')}`);
+        }
+        if (inputs.discovery === 'sarif' && !inputs.sarifFile) {
+            errors.push('sarifFile is required for sarif discovery');
+        }
+    }
+    if (inputs.discovery === 'semgrep' && inputs.language && !SUPPORTED_LANGUAGES[inputs.language]) {
         errors.push(`Invalid language "${inputs.language}". Must be one of: ${Object.keys(SUPPORTED_LANGUAGES).join(', ')}`);
     }
     return errors;
@@ -240,8 +265,10 @@ function generateCheckDefinition(inputs) {
         id: inputs.id,
         name: inputs.name,
     };
-    // semgrep-only checks don't have an instructionsFile
-    if (inputs.checkType !== 'semgrep-only') {
+    // Only check types that need instructions get an instructionsFile.
+    // Discovery types with self-contained prompts (openant, sarif) don't need instructions.
+    const selfContained = inputs.discovery === 'openant' || inputs.discovery === 'sarif';
+    if (getCheckType(inputs.checkType).needsInstructions && !selfContained) {
         def.instructionsFile = `${inputs.id}.md`;
     }
     if (inputs.severity) {
@@ -250,14 +277,25 @@ function generateCheckDefinition(inputs) {
     if (inputs.confidence) {
         def.confidence = inputs.confidence;
     }
-    if (inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') {
-        const checkTarget = { type: inputs.checkType };
-        if (inputs.semgrepRules) {
-            const rules = inputs.semgrepRules.split(',').map((r) => r.trim()).filter(Boolean);
-            checkTarget.rules = rules.length === 1 ? rules[0] : rules;
+    if (inputs.model) {
+        def.model = inputs.model;
+    }
+    if (inputs.checkType === 'targeted' || inputs.checkType === 'static') {
+        const checkTarget = {
+            type: inputs.checkType,
+            discovery: inputs.discovery,
+        };
+        if (inputs.discovery === 'semgrep') {
+            if (inputs.semgrepRules) {
+                const rules = inputs.semgrepRules.split(',').map((r) => r.trim()).filter(Boolean);
+                checkTarget.rules = rules.length === 1 ? rules[0] : rules;
+            }
+            else {
+                checkTarget.rules = `${inputs.id}.yaml`;
+            }
         }
-        else {
-            checkTarget.rules = `${inputs.id}.yaml`;
+        else if (inputs.discovery === 'sarif') {
+            checkTarget.sarifFile = inputs.sarifFile;
         }
         if (inputs.maxTargets) {
             checkTarget.maxTargets = parseInt(inputs.maxTargets, 10);
@@ -290,15 +328,18 @@ Options:
   --name <name>              Human-readable check name (e.g. "XSS Prevention")
   --severity <level>         Severity: critical, high, medium, low, informational
   --confidence <level>       Confidence: high, medium, low
+  --model <model>            AI model override for this check (e.g. claude-sonnet-4-6)
   --repositories <urls>      Comma-separated repository URLs (empty = all repos)
   --check-overview <text>    Description of what this check does
   --check-items <items>      Comma-separated list of things to check
   --pass-condition <text>    Condition for a PASS result
   --fail-condition <text>    Condition for a FAIL result
   --flag-condition <text>    Condition for a FLAG result (optional)
-  --check-type <type>        Check type: repository (default), semgrep, semgrep-only
-  --semgrep-rules <paths>    Comma-separated Semgrep rule file paths
-  --max-targets <n>          Maximum number of Semgrep targets to analyze
+  --check-type <type>        Check type (default: repository). See 'Check types' below
+  --discovery <name>         Discovery mechanism for targeted/static checks. See below
+  --semgrep-rules <paths>    Comma-separated Semgrep rule file paths (for semgrep discovery)
+  --sarif-file <path>        SARIF file path in check definition, relative to repo (for sarif discovery)
+  --max-targets <n>          Maximum number of targets to analyze
   --language <lang>          Language for Semgrep template: python, javascript, typescript
   -h, --help                 Show this help message
 
@@ -306,14 +347,20 @@ Environment variables:
   AGHAST_CONFIG_DIR           Default config directory (CLI --config-dir takes precedence)
 
 Check types:
-  repository     AI analyzes the whole repository (no Semgrep)
-  semgrep        Semgrep finds targets, AI analyzes each one
-  semgrep-only   Semgrep findings mapped directly to issues (no AI)
+  repository  AI analyzes the whole repository
+  targeted    Discovery finds specific targets, AI analyzes each one
+  static      Discovery finds targets, mapped directly to issues (no AI)
+
+Discovery mechanisms:
+  semgrep     Semgrep rules find targets (targeted or static)
+  openant     OpenAnt code analysis finds units (targeted only)
+  sarif       External SARIF file provides findings (targeted only)
 
 Examples:
   aghast new-check --config-dir ./my-checks
   aghast new-check --config-dir ./my-checks --id xss --name "XSS Prevention"
-  aghast new-check --config-dir ./my-checks --check-type semgrep --language typescript`;
+  aghast new-check --config-dir ./my-checks --check-type targeted --discovery semgrep --language typescript
+  aghast new-check --config-dir ./my-checks --check-type targeted --discovery sarif --sarif-file ./sast-results.sarif`;
 export async function runNewCheck(args) {
     if (args.includes('--help') || args.includes('-h')) {
         console.log(NEW_CHECK_HELP);
@@ -362,14 +409,15 @@ export async function runNewCheck(args) {
     const checkDef = generateCheckDefinition(inputs);
     await writeFile(resolve(checkFolder, `${inputs.id}.json`), JSON.stringify(checkDef, null, 2) + '\n', 'utf-8');
     console.log(`Created: ${checkFolder}/${inputs.id}.json`);
-    // Generate and write instructions.md (skipped for semgrep-only)
-    if (inputs.checkType !== 'semgrep-only') {
+    // Generate and write instructions.md (only when instructions are needed)
+    const selfContainedDiscovery = inputs.discovery === 'openant' || inputs.discovery === 'sarif';
+    if (getCheckType(inputs.checkType).needsInstructions && !selfContainedDiscovery) {
         const markdown = generateMarkdown(inputs);
         await writeFile(resolve(checkFolder, `${inputs.id}.md`), markdown, 'utf-8');
         console.log(`Created: ${checkFolder}/${inputs.id}.md`);
     }
     // Generate Semgrep rule template and test file if needed
-    if ((inputs.checkType === 'semgrep' || inputs.checkType === 'semgrep-only') && !inputs.semgrepRules) {
+    if (inputs.discovery === 'semgrep' && !inputs.semgrepRules) {
         const rulePath = resolve(checkFolder, `${inputs.id}.yaml`);
         await writeFile(rulePath, generateSemgrepRule(inputs.id, inputs.language), 'utf-8');
         console.log(`Created: ${checkFolder}/${inputs.id}.yaml (template — edit before running)`);