@clear-capabilities/agentic-security-scanner 0.74.0

package/src/integrations/.agentic-security/scan-history.json

@@ -0,0 +1,40 @@
+[
+  {
+    "timestamp": "2026-05-15T12:30:28.201Z",
+    "label": "scan",
+    "total": 7,
+    "critical": 0,
+    "high": 0,
+    "medium": 7,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:index.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:index.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:146:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:147:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)"
+    ]
+  },
+  {
+    "timestamp": "2026-05-18T17:50:17.394Z",
+    "label": "scan",
+    "total": 7,
+    "critical": 0,
+    "high": 0,
+    "medium": 7,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:index.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:index.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:146:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:147:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tickets.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)"
+    ]
+  }
+]

package/src/integrations/.agentic-security/streak.json

@@ -0,0 +1,21 @@
+{
+  "firstScanDate": "2026-05-15T12:30:28.207Z",
+  "lastScanDate": "2026-05-18T17:50:17.413Z",
+  "totalScans": 2,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-18",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 1,
+  "totalFindingsAtFirstScan": 14,
+  "totalFindingsAtLastScan": 17,
+  "totalFixesInferred": 0,
+  "lastGrade": "A",
+  "bestGrade": "A",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a"
+  ],
+  "previousGrade": "A"
+}

package/src/integrations/index.js

@@ -0,0 +1,321 @@
+// Integration adapters (R7). Persona-split:
+//   - vibecoder: Slack/Discord daily digest, PR comment renderer
+//   - pro:       Jira sync, ServiceNow incident, GH Security tab (SARIF), SIEM
+//
+// Each adapter takes (findings, config) and returns either:
+//   - a payload (for webhook-based integrations)
+//   - a side-effect summary (for sync-based integrations like Jira)
+//
+// Adapters are lazy-loaded — vibecoders don't pay for Jira when they never
+// configure it. The config file lives at .agentic-security/integrations.yml
+// and is gitignored by default (it carries webhook URLs and API tokens).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+
+function _configPath(scanRoot) {
+  return path.join(scanRoot || process.cwd(), '.agentic-security', 'integrations.yml');
+}
+
+export function loadIntegrationConfig(scanRoot) {
+  const fp = _configPath(scanRoot);
+  if (!fs.existsSync(fp)) return {};
+  try { return yaml.load(fs.readFileSync(fp, 'utf8')) || {}; }
+  catch (_) { return {}; }
+}
+
+export function configHas(scanRoot, key) {
+  const c = loadIntegrationConfig(scanRoot);
+  return !!c[key];
+}
+
+// ─── Slack webhook (vibecoder) ───────────────────────────────────────────────
+export function buildSlackDigest(findings, summary, options = {}) {
+  const project = options.project || 'project';
+  const status = (summary.critical || 0) === 0 && (summary.high || 0) === 0
+    ? '✅ safe to deploy' : '❌ not safe to deploy';
+  const top = (findings || []).slice(0, 3);
+
+  const lines = [
+    `*🛡 agentic-security daily — ${new Date().toISOString().slice(0,10)}*`,
+    `Project: \`${project}\``,
+    `Status: ${status}`,
+    '',
+    `*Findings:* ${summary.critical || 0} critical · ${summary.high || 0} high · ${summary.medium || 0} medium`,
+  ];
+  if (top.length) {
+    lines.push('');
+    lines.push('*Top findings:*');
+    for (const f of top) {
+      lines.push(`• \`${f.file}:${f.line}\` — ${f.vuln}`);
+    }
+  }
+  if (summary.streak) lines.push(`\n_Streak: ${summary.streak} days clean 🔥_`);
+  lines.push(`\n_Powered by agentic-security · ClearCapabilities.Com_`);
+  return { text: lines.join('\n') };
+}
+
+// ─── Discord webhook (vibecoder) ─────────────────────────────────────────────
+export function buildDiscordDigest(findings, summary, options = {}) {
+  const project = options.project || 'project';
+  const safe = (summary.critical || 0) === 0 && (summary.high || 0) === 0;
+  const top = (findings || []).slice(0, 3);
+  return {
+    embeds: [{
+      title: `🛡 agentic-security — ${project}`,
+      color: safe ? 0x2ecc71 : 0xe74c3c,
+      description: safe ? '✅ safe to deploy' : '❌ not safe to deploy',
+      fields: [
+        { name: 'Critical', value: String(summary.critical || 0), inline: true },
+        { name: 'High',     value: String(summary.high || 0),     inline: true },
+        { name: 'Medium',   value: String(summary.medium || 0),   inline: true },
+        ...top.map(f => ({ name: f.file.split('/').pop() + ':' + f.line, value: f.vuln })),
+      ],
+      footer: { text: 'Powered by ClearCapabilities.Com' },
+    }],
+  };
+}
+
+export async function postWebhook(url, payload) {
+  if (!url || process.env.AGENTIC_SECURITY_OFFLINE === '1') return { ok: false, reason: 'offline-or-no-url' };
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+    return { ok: res.ok, status: res.status };
+  } catch (e) {
+    return { ok: false, reason: e.message };
+  }
+}
+
+// ─── Jira sync (pro) ─────────────────────────────────────────────────────────
+// Build the Jira issue body for one finding. Caller is responsible for actual
+// API calls — we keep network code in one place (postWebhook) and let callers
+// pipe the body through their own Jira client.
+export function buildJiraIssue(finding, project) {
+  const summary = `[${(finding.severity || 'medium').toUpperCase()}] ${finding.vuln} at ${finding.file}:${finding.line}`;
+  const description = [
+    `**Vulnerability:** ${finding.vuln}`,
+    `**File:** \`${finding.file}\``,
+    `**Line:** ${finding.line}`,
+    `**Severity:** ${finding.severity}`,
+    finding.cwe ? `**CWE:** ${finding.cwe}` : null,
+    finding.cvss ? `**CVSS:** ${finding.cvss}` : null,
+    '',
+    '**Code:**',
+    '```',
+    finding.snippet || '',
+    '```',
+    '',
+    finding.fix ? `**Recommended fix:**\n${finding.fix}` : null,
+    '',
+    '---',
+    `_Surfaced by agentic-security · ClearCapabilities.Com · Finding ID: ${finding.id}_`,
+  ].filter(Boolean).join('\n');
+  return {
+    fields: {
+      project: { key: project || 'SEC' },
+      summary,
+      description,
+      issuetype: { name: 'Bug' },
+      priority: { name: _sevToJiraPriority(finding.severity) },
+      labels: [
+        'agentic-security',
+        finding.cwe ? finding.cwe.toLowerCase().replace(/[^a-z0-9-]/g, '-') : null,
+      ].filter(Boolean),
+    },
+  };
+}
+
+function _sevToJiraPriority(sev) {
+  return { critical: 'Highest', high: 'High', medium: 'Medium', low: 'Low', info: 'Lowest' }[sev] || 'Medium';
+}
+
+// ─── ServiceNow incident (pro) ───────────────────────────────────────────────
+export function buildServiceNowIncident(finding) {
+  return {
+    short_description: `${finding.vuln} at ${finding.file}:${finding.line}`,
+    description: finding.fix
+      ? `${finding.vuln}\n\n${finding.snippet || ''}\n\nFix:\n${finding.fix}`
+      : `${finding.vuln}\n\n${finding.snippet || ''}`,
+    urgency: _sevToServiceNowUrgency(finding.severity),
+    impact: _sevToServiceNowImpact(finding.severity),
+    caller_id: 'agentic-security',
+    work_notes: 'Created by agentic-security · ClearCapabilities.Com',
+  };
+}
+
+function _sevToServiceNowUrgency(sev) {
+  return { critical: '1', high: '2', medium: '3', low: '3', info: '4' }[sev] || '3';
+}
+function _sevToServiceNowImpact(sev) {
+  return { critical: '1', high: '2', medium: '3', low: '3', info: '3' }[sev] || '3';
+}
+
+// ─── SIEM log line (pro) ─────────────────────────────────────────────────────
+// Structured event suitable for piping into Splunk/Datadog/Elastic.
+export function buildSiemEvent(finding, options = {}) {
+  return {
+    timestamp: new Date().toISOString(),
+    event: 'security.finding',
+    source: 'agentic-security',
+    source_attribution: 'ClearCapabilities.Com',
+    severity: finding.severity,
+    vuln: finding.vuln,
+    file: finding.file,
+    line: finding.line,
+    cwe: finding.cwe || null,
+    cvss: finding.cvss || null,
+    confidence: finding.confidence ?? null,
+    rule_version: options.ruleVersion || null,
+    project: options.project || null,
+  };
+}
+
+// ─── ServiceNow REST API poster ──────────────────────────────────────────────
+// Activated by AGENTIC_SECURITY_SERVICENOW_URL +
+// AGENTIC_SECURITY_SERVICENOW_USER + AGENTIC_SECURITY_SERVICENOW_PASS.
+// URL example: https://example.service-now.com/api/now/table/incident
+export async function postServiceNowIncident(finding) {
+  const url = process.env.AGENTIC_SECURITY_SERVICENOW_URL;
+  const user = process.env.AGENTIC_SECURITY_SERVICENOW_USER;
+  const pass = process.env.AGENTIC_SECURITY_SERVICENOW_PASS;
+  if (!url || !user || !pass) {
+    return { ok: false, reason: 'servicenow-not-configured' };
+  }
+  const body = buildServiceNowIncident(finding);
+  const auth = Buffer.from(`${user}:${pass}`).toString('base64');
+  try {
+    const r = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Basic ${auth}`,
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+      },
+      body: JSON.stringify(body),
+    });
+    return { ok: r.ok, status: r.status, body: await r.text().catch(() => '') };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  }
+}
+
+// ─── PagerDuty Events API v2 ────────────────────────────────────────────────
+// Activated by AGENTIC_SECURITY_PAGERDUTY_KEY (a routing key, NOT a user API
+// token). One event per critical finding; PagerDuty handles de-dup by
+// dedup_key so the same finding doesn't spam.
+export async function postPagerDutyEvent(finding) {
+  const routingKey = process.env.AGENTIC_SECURITY_PAGERDUTY_KEY;
+  if (!routingKey) return { ok: false, reason: 'pagerduty-not-configured' };
+  const dedupKey = finding.stableId || finding.id || `${finding.file}:${finding.line}:${finding.vuln}`;
+  const sevMap = { critical: 'critical', high: 'error', medium: 'warning', low: 'info', info: 'info' };
+  const payload = {
+    routing_key: routingKey,
+    event_action: 'trigger',
+    dedup_key: dedupKey,
+    payload: {
+      summary: `[${(finding.severity || '').toUpperCase()}] ${finding.vuln} — ${finding.file}:${finding.line}`,
+      source: 'agentic-security',
+      severity: sevMap[finding.severity] || 'warning',
+      class: finding.cwe || finding.family || 'security',
+      custom_details: {
+        file: finding.file,
+        line: finding.line,
+        cwe: finding.cwe || null,
+        confidence: finding.confidence ?? null,
+        exploitability: finding.exploitability ?? null,
+        snippet: finding.snippet,
+        remediation: typeof finding.remediation === 'string' ? finding.remediation.slice(0, 500) : null,
+      },
+    },
+  };
+  try {
+    const r = await fetch('https://events.pagerduty.com/v2/enqueue', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+    return { ok: r.ok, status: r.status, body: await r.text().catch(() => '') };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  }
+}
+
+// ─── Microsoft Teams (Adaptive Card via Incoming Webhook) ───────────────────
+// Activated by AGENTIC_SECURITY_TEAMS_WEBHOOK (a webhook URL from a Teams
+// channel's "Incoming Webhook" connector).
+export function buildTeamsCard(findings, summary) {
+  const sev = summary || {};
+  const total = (sev.critical || 0) + (sev.high || 0) + (sev.medium || 0) + (sev.low || 0);
+  const top = (findings || []).filter(f => /critical|high/.test(f.severity || '')).slice(0, 5);
+  const card = {
+    type: 'message',
+    attachments: [{
+      contentType: 'application/vnd.microsoft.card.adaptive',
+      content: {
+        $schema: 'http://adaptivecards.io/schemas/adaptive-card.json',
+        type: 'AdaptiveCard',
+        version: '1.4',
+        body: [
+          { type: 'TextBlock', size: 'Medium', weight: 'Bolder', text: '🛡 agentic-security scan' },
+          { type: 'FactSet', facts: [
+            { title: 'Critical', value: String(sev.critical || 0) },
+            { title: 'High',     value: String(sev.high || 0) },
+            { title: 'Medium',   value: String(sev.medium || 0) },
+            { title: 'Low',      value: String(sev.low || 0) },
+            { title: 'Total',    value: String(total) },
+          ]},
+          ...(top.length ? [
+            { type: 'TextBlock', wrap: true, weight: 'Bolder', text: 'Top critical/high' },
+            ...top.map(f => ({
+              type: 'TextBlock', wrap: true, isSubtle: false,
+              text: `**[${(f.severity || '').toUpperCase()}]** ${f.vuln} — \`${f.file}:${f.line}\``,
+            })),
+          ] : []),
+        ],
+      },
+    }],
+  };
+  return card;
+}
+
+export async function postTeamsCard(findings, summary) {
+  const url = process.env.AGENTIC_SECURITY_TEAMS_WEBHOOK;
+  if (!url) return { ok: false, reason: 'teams-not-configured' };
+  const card = buildTeamsCard(findings, summary);
+  try {
+    const r = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(card),
+    });
+    return { ok: r.ok, status: r.status, body: await r.text().catch(() => '') };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  }
+}
+
+// ─── GH PR comment (vibecoder) ───────────────────────────────────────────────
+export function buildPrComment(findings, summary, options = {}) {
+  const sev = summary;
+  const top = (findings || []).filter(f => /critical|high/.test(f.severity)).slice(0, 10);
+  const body = [
+    '## 🛡 agentic-security',
+    '',
+    '| Critical | High | Medium | Low | Info |',
+    '|---:|---:|---:|---:|---:|',
+    `| ${sev.critical||0} | ${sev.high||0} | ${sev.medium||0} | ${sev.low||0} | ${sev.info||0} |`,
+    '',
+    top.length ? '### Top critical/high findings' : '_No critical or high findings._',
+    '',
+    ...top.map(f => `- **[${(f.severity||'').toUpperCase()}]** \`${f.file}:${f.line}\` — ${f.vuln}${f.cwe ? ` (${f.cwe})` : ''}`),
+    '',
+    '---',
+    '_Powered by [agentic-security](https://clearcapabilities.com) · created by ClearCapabilities.Com_',
+  ].join('\n');
+  return { body };
+}

package/src/integrations/tickets.js

@@ -0,0 +1,200 @@
+// Two-way ticket sync — GitHub Issues / Linear / Jira.
+//
+// State file: .agentic-security/tickets.json
+//   { findingId → { provider, externalId, externalUrl, state, syncedAt } }
+//
+// Sync algorithm:
+//   - For every open critical/high finding without a ticket → create one.
+//   - For every existing ticket whose finding is no longer in last-scan → close it.
+//   - The state file is idempotent: re-running sync is a no-op once everything matches.
+//
+// Auth via environment variables:
+//   GitHub  — `gh` CLI (uses existing auth)
+//   Linear  — LINEAR_API_KEY
+//   Jira    — JIRA_BASE_URL, JIRA_EMAIL, JIRA_TOKEN, JIRA_PROJECT_KEY
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as cp from 'node:child_process';
+import { buildJiraIssue } from './index.js';
+
+function statePath(scanRoot) {
+  return path.join(scanRoot, '.agentic-security', 'tickets.json');
+}
+export function readState(scanRoot) {
+  const fp = statePath(scanRoot);
+  if (!fs.existsSync(fp)) return {};
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return {}; }
+}
+function writeState(scanRoot, state) {
+  fs.mkdirSync(path.dirname(statePath(scanRoot)), { recursive: true });
+  fs.writeFileSync(statePath(scanRoot), JSON.stringify(state, null, 2));
+}
+
+function findingTitle(f) {
+  return `[${(f.severity || 'medium').toUpperCase()}] ${f.vuln || f.title || 'security finding'} at ${f.file}:${f.line}`;
+}
+function findingBody(f) {
+  const br = f.blastRadius;
+  const exploited = f.exploitedNow ? `\n> ⚠️ **EPSS percentile ${(f.epssPercentile * 100).toFixed(1)}%** — actively exploited.\n` : '';
+  return [
+    `**File:** \`${f.file}:${f.line}\``,
+    `**Severity:** ${f.severity}`,
+    f.cwe ? `**CWE:** ${f.cwe}` : null,
+    f.epss != null ? `**EPSS:** ${f.epss.toFixed(4)} (percentile ${(f.epssPercentile * 100).toFixed(1)}%)` : null,
+    exploited,
+    f.description ? `\n${f.description}` : null,
+    br?.narrative ? `\n**Blast radius:** ${br.narrative}` : null,
+    f.snippet ? `\n\`\`\`\n${f.snippet}\n\`\`\`` : null,
+    f.remediation ? `\n**Remediation:** ${f.remediation}` : null,
+    `\n---\n_Surfaced by agentic-security · finding id: ${f.id}_`,
+  ].filter(Boolean).join('\n');
+}
+
+// ─── GitHub Issues (via gh CLI) ──────────────────────────────────────────────
+function ghCreate(repo, title, body, labels) {
+  const args = ['issue', 'create', '--title', title, '--body', body];
+  if (repo) args.unshift('--repo', repo);
+  for (const l of labels) args.push('--label', l);
+  try {
+    const out = cp.execFileSync('gh', args, { encoding: 'utf8' });
+    return { ok: true, url: out.trim() };
+  } catch (e) { return { ok: false, error: e.message }; }
+}
+function ghClose(repo, url, comment) {
+  const args = ['issue', 'close', url, '--comment', comment];
+  if (repo) args.unshift('--repo', repo);
+  try { cp.execFileSync('gh', args, { encoding: 'utf8' }); return { ok: true }; }
+  catch (e) { return { ok: false, error: e.message }; }
+}
+
+// ─── Linear (REST GraphQL) ───────────────────────────────────────────────────
+async function linearGraphQL(query, variables) {
+  const key = process.env.LINEAR_API_KEY;
+  if (!key) return { ok: false, error: 'LINEAR_API_KEY not set' };
+  try {
+    const res = await fetch('https://api.linear.app/graphql', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Authorization': key },
+      body: JSON.stringify({ query, variables }),
+    });
+    const body = await res.json();
+    if (body.errors) return { ok: false, error: JSON.stringify(body.errors) };
+    return { ok: true, data: body.data };
+  } catch (e) { return { ok: false, error: e.message }; }
+}
+async function linearCreate(teamId, title, description) {
+  const m = `mutation($input: IssueCreateInput!) { issueCreate(input: $input) { issue { id url } } }`;
+  const r = await linearGraphQL(m, { input: { teamId, title, description } });
+  if (!r.ok) return r;
+  const issue = r.data?.issueCreate?.issue;
+  return issue ? { ok: true, externalId: issue.id, url: issue.url } : { ok: false, error: 'no issue returned' };
+}
+async function linearClose(issueId, stateName) {
+  const sm = `query($id: String!) { issue(id: $id) { team { states { nodes { id name } } } } }`;
+  const sr = await linearGraphQL(sm, { id: issueId });
+  if (!sr.ok) return sr;
+  const states = sr.data?.issue?.team?.states?.nodes || [];
+  const target = states.find(s => s.name.toLowerCase() === (stateName || 'done').toLowerCase()) || states[states.length - 1];
+  if (!target) return { ok: false, error: 'no target state' };
+  const m = `mutation($id: String!, $stateId: String!) { issueUpdate(id: $id, input: {stateId: $stateId}) { success } }`;
+  return linearGraphQL(m, { id: issueId, stateId: target.id });
+}
+
+// ─── Jira (REST) ─────────────────────────────────────────────────────────────
+async function jiraRequest(method, urlPath, body) {
+  const base = process.env.JIRA_BASE_URL;
+  const email = process.env.JIRA_EMAIL;
+  const token = process.env.JIRA_TOKEN;
+  if (!base || !email || !token) return { ok: false, error: 'JIRA_BASE_URL, JIRA_EMAIL, JIRA_TOKEN required' };
+  const auth = Buffer.from(`${email}:${token}`).toString('base64');
+  try {
+    const res = await fetch(`${base.replace(/\/$/, '')}${urlPath}`, {
+      method,
+      headers: { 'Authorization': `Basic ${auth}`, 'Content-Type': 'application/json', 'Accept': 'application/json' },
+      body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    let data; try { data = JSON.parse(text); } catch { data = text; }
+    return res.ok ? { ok: true, data } : { ok: false, error: `HTTP ${res.status}: ${text.slice(0, 200)}` };
+  } catch (e) { return { ok: false, error: e.message }; }
+}
+async function jiraCreate(finding) {
+  const project = process.env.JIRA_PROJECT_KEY || 'SEC';
+  const issue = buildJiraIssue(finding, project);
+  const r = await jiraRequest('POST', '/rest/api/2/issue', issue);
+  if (!r.ok) return r;
+  const key = r.data?.key;
+  const base = process.env.JIRA_BASE_URL.replace(/\/$/, '');
+  return { ok: true, externalId: key, url: `${base}/browse/${key}` };
+}
+async function jiraClose(externalId) {
+  const t = await jiraRequest('GET', `/rest/api/2/issue/${externalId}/transitions`);
+  if (!t.ok) return t;
+  const transitions = t.data?.transitions || [];
+  const done = transitions.find(x => /done|closed|resolved/i.test(x.name)) || transitions[transitions.length - 1];
+  if (!done) return { ok: false, error: 'no transition available' };
+  return jiraRequest('POST', `/rest/api/2/issue/${externalId}/transitions`, { transition: { id: done.id } });
+}
+
+// ─── orchestrator ────────────────────────────────────────────────────────────
+const SEV_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+
+export async function syncTickets({ scanRoot, provider, severity = 'high', repo, teamId, dryRun = false }) {
+  const minRank = SEV_RANK[severity] ?? 3;
+  const lastScanPath = path.join(scanRoot, '.agentic-security', 'last-scan.json');
+  if (!fs.existsSync(lastScanPath)) return { ok: false, error: 'no last-scan.json — run a scan first' };
+  const last = JSON.parse(fs.readFileSync(lastScanPath, 'utf8'));
+  const allFindings = [...(last.findings || []), ...(last.secrets || []), ...(last.supplyChain || [])];
+  const eligible = allFindings.filter(f => (SEV_RANK[f.severity] ?? 0) >= minRank);
+  const stillOpen = new Set(eligible.map(f => f.id));
+  const state = readState(scanRoot);
+  const created = [], closed = [], failed = [];
+
+  // Create tickets for new findings.
+  for (const f of eligible) {
+    if (state[f.id] && !state[f.id].closedAt) continue; // already tracked + open
+    const title = findingTitle(f);
+    const body = findingBody(f);
+    if (dryRun) { created.push({ id: f.id, title, dryRun: true }); continue; }
+    let r;
+    if (provider === 'github') {
+      const labels = ['security', `severity:${f.severity}`];
+      if (f.cwe) labels.push(f.cwe.toLowerCase());
+      r = ghCreate(repo, title, body, labels);
+      if (r.ok) state[f.id] = { provider, externalUrl: r.url, externalId: r.url, state: 'open', syncedAt: new Date().toISOString() };
+    } else if (provider === 'linear') {
+      if (!teamId) { failed.push({ id: f.id, error: 'linear: --team-id required' }); continue; }
+      r = await linearCreate(teamId, title, body);
+      if (r.ok) state[f.id] = { provider, externalId: r.externalId, externalUrl: r.url, state: 'open', syncedAt: new Date().toISOString() };
+    } else if (provider === 'jira') {
+      r = await jiraCreate(f);
+      if (r.ok) state[f.id] = { provider, externalId: r.externalId, externalUrl: r.url, state: 'open', syncedAt: new Date().toISOString() };
+    } else {
+      return { ok: false, error: `unknown provider: ${provider}` };
+    }
+    if (r.ok) created.push({ id: f.id, externalId: r.externalId || r.url });
+    else failed.push({ id: f.id, error: r.error });
+  }
+
+  // Close tickets for findings no longer present.
+  for (const [findingId, entry] of Object.entries(state)) {
+    if (entry.closedAt || stillOpen.has(findingId)) continue;
+    if (entry.provider !== provider) continue;
+    if (dryRun) { closed.push({ id: findingId, dryRun: true }); continue; }
+    let r;
+    if (provider === 'github') r = ghClose(repo, entry.externalUrl, 'Auto-closed by agentic-security: finding no longer present.');
+    else if (provider === 'linear') r = await linearClose(entry.externalId);
+    else if (provider === 'jira') r = await jiraClose(entry.externalId);
+    if (r?.ok) {
+      entry.closedAt = new Date().toISOString();
+      entry.state = 'closed';
+      closed.push({ id: findingId, externalId: entry.externalId });
+    } else {
+      failed.push({ id: findingId, error: r?.error || 'close failed' });
+    }
+  }
+
+  if (!dryRun) writeState(scanRoot, state);
+  return { ok: true, created, closed, failed, totalTracked: Object.keys(state).length };
+}