@clear-capabilities/agentic-security-scanner 0.74.0 → 0.75.0

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## 0.75.0 — /executive-summary: CISO-facing six-control posture report
+
+New top-level command for buyer-questionnaire / diligence / CISO use.
+`/executive-summary` prints a plain-English briefing of the six harness
+controls (Tool access, Guardrails, Feedback loops, Audit evidence,
+Failure mode, Compliance) with live status indicators drawn from the
+current project state — hook activation, scan-signature presence,
+audit-log entry count, remote-witness configuration, compliance artifacts.
+
+Each control renders four named subsections modeled on `/explain`:
+**What it does** (2-3 paragraphs of plain English), **Specifically**
+(the concrete enumerated list of allows/blocks/intercepts), **What would
+have to go wrong for this to fail** (threat model in one paragraph), and
+**Live status (this project)** (verifiable indicators). The "Specifically"
+block names actual reserved paths, every shell command intercepted, every
+code-edit pattern blocked, every audit-log property, every refusal point,
+and every compliance artifact format — so a reviewer can verify the claim
+without opening any source file.
+
+Flags: `--format md` for markdown output; `--output PATH` writes to disk
+(typically `EXECUTIVE_SUMMARY.md` for buyer questionnaires).
+
+## 0.74.2 — npm package + version alignment
+
+First release published to npm under the org that owns the scope:
+`@clear-capabilities/agentic-security-scanner`. Adds a bin alias
+`agentic-security-scanner` (→ same dist bundle) so the documented
+`npx @clear-capabilities/agentic-security-scanner secure .` resolves
+an executable. Aligns the source-tree version with the npm registry
+after the 0.74.1 metadata-only publish.
+
 ## 0.74.0 — viral surface: PoC video gen + security-tutor skill + personality voices + compare runner
 
 Four shareability lifts.

package/bin/.agentic-security/findings.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "e6825f8d-bb61-42eb-9f3c-3847b2e493fd",
-  "startedAt": "2026-05-20T21:28:34.505Z",
-  "durationMs": 297,
+  "scanId": "8f54c078-a0c8-41d7-8100-62ec5a527f14",
+  "startedAt": "2026-05-21T15:57:04.526Z",
+  "durationMs": 282,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -86,7 +86,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "toctou-fs:agentic-security-audit.js:55",
@@ -195,6 +197,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -418,6 +421,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -639,6 +643,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -860,6 +865,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1053,7 +1059,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
@@ -1134,7 +1142,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "e2445e40b5e43c01",
@@ -1215,7 +1225,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
@@ -1296,7 +1308,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
@@ -1377,7 +1391,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "49e1e00962a1950c",
@@ -1458,7 +1474,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -1573,5 +1591,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/bin/.agentic-security/last-scan.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "e6825f8d-bb61-42eb-9f3c-3847b2e493fd",
-  "startedAt": "2026-05-20T21:28:34.505Z",
-  "durationMs": 297,
+  "scanId": "8f54c078-a0c8-41d7-8100-62ec5a527f14",
+  "startedAt": "2026-05-21T15:57:04.526Z",
+  "durationMs": 282,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -86,7 +86,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "toctou-fs:agentic-security-audit.js:55",
@@ -195,6 +197,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -418,6 +421,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -639,6 +643,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -860,6 +865,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1053,7 +1059,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
@@ -1134,7 +1142,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "e2445e40b5e43c01",
@@ -1215,7 +1225,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
@@ -1296,7 +1308,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
@@ -1377,7 +1391,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "49e1e00962a1950c",
@@ -1458,7 +1474,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -1573,5 +1591,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/bin/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-dddfa3a4abc90266b882b4945a7aba57b8e97cc726aa60f4578cfaefcd23b95b
+db7c9e1d0d4480b37a981b7b3c87f70306042f6e8838cb6ea2bfafdd12ab20d2

package/bin/.agentic-security/scan-history.json

@@ -1,15 +1,4 @@
 [
-  {
-    "timestamp": "2026-05-19T15:44:43.087Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
   {
     "timestamp": "2026-05-19T16:01:41.762Z",
     "label": "scan",
@@ -461,5 +450,21 @@
       "toctou-fs:agentic-security-consistency.js:66",
       "toctou-fs:agentic-security.js:1105"
     ]
+  },
+  {
+    "timestamp": "2026-05-21T15:57:04.808Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1105"
+    ]
   }
 ]

package/bin/.agentic-security/streak.json

@@ -1,12 +1,12 @@
 {
   "firstScanDate": "2026-05-15T12:24:29.316Z",
-  "lastScanDate": "2026-05-20T21:28:34.823Z",
-  "totalScans": 121,
-  "daysCleanCritical": 3,
-  "lastCleanDate": "2026-05-20",
+  "lastScanDate": "2026-05-21T15:57:04.828Z",
+  "totalScans": 122,
+  "daysCleanCritical": 4,
+  "lastCleanDate": "2026-05-21",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 3,
+  "bestDaysCleanCritical": 4,
   "totalFindingsAtFirstScan": 0,
   "totalFindingsAtLastScan": 11,
   "totalFixesInferred": 1,

package/bin/agentic-security.js

@@ -137,7 +137,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.74.0';
+  const v = '0.75.0';
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -1665,7 +1665,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.74.0  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log('agentic-security 0.75.0  ·  created by ClearCapabilities.Com'); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));