@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/rule-overrides.js

@@ -0,0 +1,198 @@
+// Rule pack overrides (R9). Pro users edit .agentic-security/rules.yml to:
+//   - severityOverrides: per-rule severity remap
+//   - disable: list of rule vuln strings or rule IDs to skip entirely
+//   - custom: user-defined regex rules (with vuln/severity/cwe/fix metadata)
+//   - version: pin to a specific scanner version for reproducibility
+//
+// Engine integration: scanner consults this module after producing findings.
+// `applyOverrides(findings, scanRoot)` returns a filtered/remapped list.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+import { verifyLastScan } from './integrity.js';
+
+const OVERRIDES_PATH = '.agentic-security/rules.yml';
+
+function _path(scanRoot) {
+  return path.join(scanRoot || process.cwd(), OVERRIDES_PATH);
+}
+
+export function loadOverrides(scanRoot) {
+  const fp = _path(scanRoot);
+  if (!fs.existsSync(fp)) return {};
+  try {
+    const raw = yaml.load(fs.readFileSync(fp, 'utf8')) || {};
+    return {
+      version: raw.version || null,
+      severityOverrides: raw.severityOverrides || {},
+      disable: Array.isArray(raw.disable) ? raw.disable : [],
+      custom: Array.isArray(raw.custom) ? raw.custom : [],
+      ignorePaths: Array.isArray(raw.ignorePaths) ? raw.ignorePaths : [],
+    };
+  } catch (_) { return {}; }
+}
+
+// Validate the user's rules.yml. Returns { ok, errors[] }.
+export function validateOverrides(scanRoot) {
+  const errors = [];
+  const o = loadOverrides(scanRoot);
+  if (o.severityOverrides) {
+    for (const [vuln, sev] of Object.entries(o.severityOverrides)) {
+      if (!['critical', 'high', 'medium', 'low', 'info'].includes(sev)) {
+        errors.push(`severityOverrides["${vuln}"]: invalid severity "${sev}"`);
+      }
+    }
+  }
+  if (o.custom) {
+    for (let i = 0; i < o.custom.length; i++) {
+      const c = o.custom[i];
+      if (!c.id) errors.push(`custom[${i}]: missing id`);
+      if (!c.regex) errors.push(`custom[${i}]: missing regex`);
+      else { try { new RegExp(c.regex); } catch (e) { errors.push(`custom[${i}]: bad regex: ${e.message}`); } }
+      if (!c.vuln) errors.push(`custom[${i}]: missing vuln`);
+      if (!c.severity) errors.push(`custom[${i}]: missing severity`);
+    }
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+// Premortem #4 — gate disable: entries on a sibling signature or explicit
+// opt-out. `disable:` silently suppresses rules; without a guard, a PR that
+// adds `disable: [cmd-injection-nodejs]` ships and the scanner stops firing
+// on that family. By default we now REFUSE to honor `disable:` unless:
+//   1. .agentic-security/rules.yml.sig exists and verifies the file body
+//      with the same HMAC key the rest of the engine uses, OR
+//   2. AGENTIC_SECURITY_RULES_UNSIGNED=1 is set (developer escape hatch —
+//      this should NEVER be set in CI for an outside contribution).
+// `severityOverrides`, `custom`, and `ignorePaths` remain in effect either
+// way: they don't reduce coverage, they only add or remap.
+function _disableAllowed(scanRoot) {
+  if (process.env.AGENTIC_SECURITY_RULES_UNSIGNED === '1') return { ok: true, reason: 'unsigned-opt-in' };
+  const fp = _path(scanRoot);
+  if (!fs.existsSync(fp)) return { ok: true, reason: 'no-rules-file' };
+  let body;
+  try { body = fs.readFileSync(fp, 'utf8'); }
+  catch { return { ok: false, reason: 'rules-unreadable' }; }
+  const sigPath = fp + '.sig';
+  if (!fs.existsSync(sigPath)) return { ok: false, reason: 'no-signature' };
+  const ok = verifyLastScan(body, sigPath);
+  return { ok: ok === true, reason: ok === true ? 'signed' : 'bad-signature' };
+}
+
+// Apply severity overrides + disable filter to a finding list.
+// Harness-engineering note (post-derived): validate the overrides file BEFORE
+// honoring any of it. If the YAML has a malformed severity, a broken custom
+// regex, or any other syntax error, refuse the entire file and surface the
+// reason on stderr. The previous shape "load, ignore broken entries, apply
+// the rest" is exactly the silent-failure mode the post warns against.
+export function applyOverrides(findings, scanRoot) {
+  const o = loadOverrides(scanRoot);
+  if (!o || (!o.severityOverrides && !o.disable?.length)) return findings;
+  const v = validateOverrides(scanRoot);
+  if (!v.ok) {
+    if (!globalThis.__as_overrides_warned) {
+      globalThis.__as_overrides_warned = true;
+      try {
+        process.stderr.write(`agentic-security: ignoring .agentic-security/rules.yml — validation failed:\n`);
+        for (const e of v.errors) process.stderr.write(`  · ${e}\n`);
+        process.stderr.write(`  Fix the errors above, or remove rules.yml. Findings will be returned unfiltered.\n`);
+      } catch {}
+    }
+    return findings;
+  }
+  let disable;
+  if (o.disable?.length) {
+    const gate = _disableAllowed(scanRoot);
+    if (gate.ok) {
+      disable = new Set(o.disable);
+    } else {
+      // Refused. Surface the reason on stderr once per process so operators
+      // who *meant* to disable a rule see why it didn't take.
+      if (!globalThis.__as_disable_warned) {
+        globalThis.__as_disable_warned = true;
+        try {
+          process.stderr.write(`agentic-security: ignoring 'disable:' in rules.yml — ${gate.reason}. Sign rules.yml with \`agentic-security rules sign\` or set AGENTIC_SECURITY_RULES_UNSIGNED=1 to opt in.\n`);
+        } catch {}
+      }
+      disable = new Set();
+    }
+  } else {
+    disable = new Set();
+  }
+  const sevMap = o.severityOverrides || {};
+  return findings
+    .filter(f => !disable.has(f.vuln) && !disable.has(f.id))
+    .map(f => sevMap[f.vuln] ? { ...f, severity: sevMap[f.vuln] } : f);
+}
+
+// Cache: compiled custom rules per scanRoot. Validated at first call;
+// subsequent calls for the same scan reuse the compiled regexes.
+const _compiledCustomRules = new Map();   // scanRoot → { compiled[], errors[] }
+
+function _compileCustomRules(scanRoot) {
+  if (_compiledCustomRules.has(scanRoot)) return _compiledCustomRules.get(scanRoot);
+  const o = loadOverrides(scanRoot);
+  const result = { compiled: [], errors: [] };
+  if (!o.custom || !o.custom.length) {
+    _compiledCustomRules.set(scanRoot, result);
+    return result;
+  }
+  for (let i = 0; i < o.custom.length; i++) {
+    const rule = o.custom[i];
+    if (!rule.id) { result.errors.push(`custom[${i}]: missing id`); continue; }
+    if (!rule.regex) { result.errors.push(`custom[${i}] (${rule.id}): missing regex`); continue; }
+    if (!rule.vuln) { result.errors.push(`custom[${i}] (${rule.id}): missing vuln`); continue; }
+    if (!rule.severity) { result.errors.push(`custom[${i}] (${rule.id}): missing severity`); continue; }
+    try {
+      const re = new RegExp(rule.regex, rule.flags || 'g');
+      result.compiled.push({ rule, re });
+    } catch (e) {
+      result.errors.push(`custom[${i}] (${rule.id}): bad regex: ${e.message}`);
+    }
+  }
+  _compiledCustomRules.set(scanRoot, result);
+  return result;
+}
+
+// Run user-defined custom regex rules against a file. Returns custom findings.
+//
+// Harness-engineering note (post-derived): rules are compiled and validated
+// at first invocation per scan; if ANY rule fails to compile, that rule is
+// excluded AND surfaced via stderr — never silently skipped per-call.
+export function runCustomRules(filePath, fileContent, scanRoot) {
+  const { compiled, errors } = _compileCustomRules(scanRoot);
+  if (errors.length && !globalThis.__as_custom_rules_warned) {
+    globalThis.__as_custom_rules_warned = true;
+    try {
+      process.stderr.write(`agentic-security: ${errors.length} custom rule(s) in .agentic-security/rules.yml failed to compile and were skipped:\n`);
+      for (const e of errors) process.stderr.write(`  · ${e}\n`);
+    } catch {}
+  }
+  if (!compiled.length) return [];
+  const lines = fileContent.split('\n');
+  const out = [];
+  for (const { rule, re } of compiled) {
+    re.lastIndex = 0;   // each file starts fresh for global regexes
+    let m;
+    while ((m = re.exec(fileContent)) !== null) {
+      const lineNum = fileContent.substring(0, m.index).split('\n').length;
+      out.push({
+        id: `custom:${rule.id}:${filePath}:${lineNum}`,
+        vuln: rule.vuln,
+        severity: rule.severity,
+        cwe: rule.cwe || '',
+        stride: rule.stride || '',
+        file: filePath,
+        line: lineNum,
+        snippet: lines[lineNum - 1]?.trim() || m[0],
+        fix: rule.fix || '',
+        description: rule.description || '',
+        custom: true,
+        parser: 'CUSTOM_RULE',
+      });
+      if (!re.global) break;
+    }
+  }
+  return out;
+}

package/src/posture/rule-pack-signing.js

@@ -0,0 +1,209 @@
+// Signed rule-pack verification (Sentinel-parity PRD FR-DSL-2; hardened in
+// premortems R3.1, 2R3.1, 2R3.2).
+//
+// Threat model: a malicious PR drops a `.agentic-security/rules/foo.yml`
+// into the repo. The next scanner run loads it and:
+//   - The rule's regex contains a ReDoS payload → hangs CI.
+//   - The rule fires custom-rule findings with attacker-controlled fix
+//     replacement strings → potential supply-chain attack via /fix.
+//   - The rule's llm_validate prompt exfiltrates context to an attacker
+//     endpoint.
+//
+// Defense (multi-layer):
+//
+//   1. Every rule file must be Ed25519-signed; the signature lives at
+//      `<rulefile>.sig` (raw 64 bytes).
+//
+//   2. The TRUST ROOT is bundled with the scanner code (BUNDLED_OFFICIAL_KEYS
+//      below), NOT read from the project tree by default. An attacker who
+//      can drop a `.agentic-security/trusted-keys.json` cannot bootstrap
+//      their own key into trust. Project-local keys are honored ONLY when
+//      AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1 (audit-logged).
+//
+//   3. Keys carry an optional `revokedAt` timestamp. A signature is rejected
+//      when the rule-file's mtime postdates the revocation, OR the signature's
+//      SHA-256 hash appears in the project's `crl[]` array.
+//
+//   4. Unsigned packs refused unless AGENTIC_SECURITY_ALLOW_UNSIGNED_PACKS=1
+//      (audit-logged + findings tagged `_unsigned: true`).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+
+const TRUSTED_KEYS_FILE = '.agentic-security/trusted-keys.json';
+
+// Built-in trust root. These are the keys the maintainers of agentic-security
+// use to sign official rule packs. Production deployment requires the
+// maintainers to generate a real keypair, distribute the private key offline,
+// and ship the corresponding public key here on a release. Until then the
+// effective behavior is "no official keys, unsigned-only via the opt-in env."
+export const BUNDLED_OFFICIAL_KEYS = [
+  // {
+  //   id: 'agentic-security-official-2026-q1',
+  //   alg: 'ed25519',
+  //   publicKey: '<base64-32-bytes>',
+  //   issuedAt: '2026-01-01T00:00:00Z',
+  //   revokedAt: null,
+  // },
+];
+
+function _trustedKeysPath(scanRoot) {
+  return path.join(scanRoot || process.cwd(), TRUSTED_KEYS_FILE);
+}
+
+// Load the EFFECTIVE trusted-key set. Composition:
+//   1. Always: BUNDLED_OFFICIAL_KEYS (built into the scanner code).
+//   2. When AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1: union with
+//      .agentic-security/trusted-keys.json from the project tree (logged).
+//
+// CRL: trusted-keys.json may also carry a top-level `crl` array of revoked
+// signature hashes (sha256 of the signature bytes). These apply project-
+// locally regardless of opt-in.
+export function loadTrustedKeys(scanRoot) {
+  const keys = [...BUNDLED_OFFICIAL_KEYS];
+  let projectCrl = [];
+  const fp = _trustedKeysPath(scanRoot);
+  if (fs.existsSync(fp)) {
+    let data;
+    try { data = JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { data = null; }
+    if (data && Array.isArray(data.crl)) projectCrl = data.crl.filter(x => typeof x === 'string');
+    if (data && Array.isArray(data.keys)) {
+      if (process.env.AGENTIC_SECURITY_ALLOW_PROJECT_KEYS === '1') {
+        console.error('agentic-security: WARNING — project-local trusted-keys.json honored (AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1). An attacker who can write to .agentic-security/ can bypass signing — use only on trusted workstations.');
+        for (const k of data.keys) {
+          if (k && k.publicKey && k.alg === 'ed25519') keys.push(k);
+        }
+      } else if (data.keys.length > 0) {
+        console.error('agentic-security: ignoring project-local trusted-keys.json (set AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1 to honor; audit-logged).');
+      }
+    }
+  }
+  Object.defineProperty(keys, '_crl', { value: projectCrl, enumerable: false });
+  return keys;
+}
+
+// Pass-through warning issued at most once per process.
+let _passThroughWarned = false;
+
+// Verify a rule-pack file. Returns one of:
+//   { ok: true, keyId: '<id>' }                              // signature valid
+//   { ok: true, passThrough: true }                          // bundled trust root empty AND no project keys — pass-through (premortem 3R3.1)
+//   { ok: false, reason: 'unsigned', allowUnsigned: bool }   // no sig file
+//   { ok: false, reason: 'bad-signature' }                   // sig present but invalid
+//   { ok: false, reason: 'no-trusted-keys' }                  // no keys configured (no bundled, no project)
+//   { ok: false, reason: 'revoked-key', keyId }               // key revoked + rule mtime > revokedAt
+//   { ok: false, reason: 'revoked-signature' }                // signature SHA in project CRL
+//   { ok: false, reason: 'read-error' }
+//
+// PREMORTEM 3R3.1 — pass-through mode. When BUNDLED_OFFICIAL_KEYS is empty
+// (today's reality during product bring-up) AND the operator has not opted
+// into project-local keys, REFUSING every rule pack trains operators to set
+// AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1 permanently — which recreates the
+// exact threat model signing was supposed to defend. Instead we accept
+// rule packs in pass-through mode with a one-time warning + a _passThrough
+// flag on each accepted rule. Operators get visibility AND the gate doesn't
+// train them to bypass.
+export function verifyRulePack(rulePackPath, trustedKeys) {
+  const sigPath = rulePackPath + '.sig';
+  if (!fs.existsSync(sigPath)) {
+    return { ok: false, reason: 'unsigned', allowUnsigned: process.env.AGENTIC_SECURITY_ALLOW_UNSIGNED_PACKS === '1' };
+  }
+  if (!Array.isArray(trustedKeys) || trustedKeys.length === 0) {
+    // Pass-through mode: empty bundled trust root + no project keys.
+    // Issue ONE warning per process, then accept with passThrough flag.
+    //
+    // Premortem 4R-1: CI mode is fail-closed. CI environments are the place
+    // where supply-chain compromise gets weaponized, and the per-session stderr
+    // warning is invisible there. So when CI=true (or any common CI env-var is
+    // set), refuse pass-through entirely. Operators can opt-in by setting
+    // AGENTIC_SECURITY_ALLOW_PASSTHROUGH_IN_CI=1 — making the bypass an
+    // intentional, auditable decision rather than the silent default.
+    const inCi = !!(
+      process.env.CI ||
+      process.env.GITHUB_ACTIONS ||
+      process.env.GITLAB_CI ||
+      process.env.BUILDKITE ||
+      process.env.CIRCLECI ||
+      process.env.JENKINS_URL ||
+      process.env.TF_BUILD
+    );
+    const allowPassThroughInCi = process.env.AGENTIC_SECURITY_ALLOW_PASSTHROUGH_IN_CI === '1';
+    if (BUNDLED_OFFICIAL_KEYS.length === 0 && process.env.AGENTIC_SECURITY_STRICT_SIGNING !== '1') {
+      if (inCi && !allowPassThroughInCi) {
+        return {
+          ok: false,
+          reason: 'pass-through-disabled-in-ci',
+          remediation: 'CI run detected with no signing keys configured. Either (a) set AGENTIC_SECURITY_ALLOW_PASSTHROUGH_IN_CI=1 to accept unsigned rule packs in this CI run, or (b) configure project keys in .agentic-security/trusted-keys.json and set AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1.',
+        };
+      }
+      if (!_passThroughWarned) {
+        _passThroughWarned = true;
+        console.error('agentic-security: signed-rule-pack defense in PASS-THROUGH mode.');
+        console.error('  · No bundled official keys are baked into this release.');
+        console.error('  · Rule packs will be ACCEPTED, tagged _passThroughSigning:true.');
+        console.error('  · To switch to refuse-mode set AGENTIC_SECURITY_STRICT_SIGNING=1.');
+        console.error('  · To honor project-local trusted-keys.json, set AGENTIC_SECURITY_ALLOW_PROJECT_KEYS=1.');
+      }
+      return { ok: true, passThrough: true };
+    }
+    return { ok: false, reason: 'no-trusted-keys' };
+  }
+  let body, sig, ruleMtime;
+  try {
+    body = fs.readFileSync(rulePackPath);
+    sig  = fs.readFileSync(sigPath);
+    ruleMtime = fs.statSync(rulePackPath).mtime;
+  } catch { return { ok: false, reason: 'read-error' }; }
+  // CRL check first — independent of which key signed.
+  const sigHash = crypto.createHash('sha256').update(sig).digest('hex');
+  const crl = trustedKeys._crl || [];
+  if (crl.includes(sigHash)) return { ok: false, reason: 'revoked-signature' };
+  for (const k of trustedKeys) {
+    try {
+      const keyBytes = Buffer.from(k.publicKey, 'base64');
+      if (keyBytes.length !== 32) continue;
+      const keyObj = crypto.createPublicKey({
+        key: { kty: 'OKP', crv: 'Ed25519', x: keyBytes.toString('base64url') },
+        format: 'jwk',
+      });
+      const valid = crypto.verify(null, body, keyObj, sig);
+      if (!valid) continue;
+      // Signature is valid by this key. Check revocation.
+      if (k.revokedAt) {
+        const revokedAt = new Date(k.revokedAt);
+        if (Number.isFinite(revokedAt.getTime()) && ruleMtime > revokedAt) {
+          return { ok: false, reason: 'revoked-key', keyId: k.id || '(unnamed)' };
+        }
+      }
+      return { ok: true, keyId: k.id || '(unnamed)' };
+    } catch { /* try next key */ }
+  }
+  return { ok: false, reason: 'bad-signature' };
+}
+
+// CLI helper — generate an Ed25519 key pair. Returns { publicKey, privateKey }
+// as base64 strings.
+export function keygen() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+  const pubRaw  = publicKey.export({ format: 'jwk' }).x;     // base64url
+  const privRaw = privateKey.export({ format: 'jwk' }).d;    // base64url
+  return {
+    publicKey:  Buffer.from(pubRaw, 'base64url').toString('base64'),
+    privateKey: Buffer.from(privRaw, 'base64url').toString('base64'),
+  };
+}
+
+// Sign a rule-pack file. Writes <path>.sig as raw 64 bytes.
+export function signRulePack(rulePackPath, privateKeyB64) {
+  const body = fs.readFileSync(rulePackPath);
+  const privBytes = Buffer.from(privateKeyB64, 'base64');
+  if (privBytes.length !== 32) throw new Error('private key must be 32 bytes (raw ed25519)');
+  const keyObj = crypto.createPrivateKey({
+    key: { kty: 'OKP', crv: 'Ed25519', d: privBytes.toString('base64url') },
+    format: 'jwk',
+  });
+  const sig = crypto.sign(null, body, keyObj);
+  fs.writeFileSync(rulePackPath + '.sig', sig);
+  return sig;
+}

package/src/posture/rule-packs.js

@@ -0,0 +1,143 @@
+// Curated rule packs. Each pack is a focused view of the engine's findings
+// based on a CWE allowlist. Activated via `--pack <name>` on the CLI.
+//
+// Packs do not change *detection* — they filter the scan output to the rules
+// the user wants to focus on, and optionally bump severity for matching rules.
+
+export const PACKS = {
+  'owasp-top-10': {
+    description: 'OWASP Top 10 (2021) — A01 through A10',
+    cwes: [
+      // A01 Broken Access Control
+      'CWE-22', 'CWE-200', 'CWE-269', 'CWE-284', 'CWE-352', 'CWE-639', 'CWE-732', 'CWE-862', 'CWE-863',
+      // A02 Cryptographic Failures
+      'CWE-261', 'CWE-296', 'CWE-310', 'CWE-319', 'CWE-321', 'CWE-322', 'CWE-323', 'CWE-324',
+      'CWE-325', 'CWE-326', 'CWE-327', 'CWE-328', 'CWE-329', 'CWE-330', 'CWE-331', 'CWE-335',
+      'CWE-336', 'CWE-337', 'CWE-338', 'CWE-340', 'CWE-347', 'CWE-523', 'CWE-720', 'CWE-757',
+      'CWE-759', 'CWE-760', 'CWE-780', 'CWE-818', 'CWE-916',
+      // A03 Injection
+      'CWE-20', 'CWE-74', 'CWE-77', 'CWE-78', 'CWE-79', 'CWE-83', 'CWE-87', 'CWE-88', 'CWE-89',
+      'CWE-90', 'CWE-91', 'CWE-93', 'CWE-94', 'CWE-95', 'CWE-96', 'CWE-97', 'CWE-98', 'CWE-99',
+      'CWE-100', 'CWE-113', 'CWE-116', 'CWE-138', 'CWE-184', 'CWE-470', 'CWE-471', 'CWE-564',
+      'CWE-610', 'CWE-643', 'CWE-644', 'CWE-652', 'CWE-917', 'CWE-1336', 'CWE-1427',
+      // A04 Insecure Design
+      'CWE-209', 'CWE-256', 'CWE-501', 'CWE-522',
+      // A05 Security Misconfiguration
+      'CWE-2', 'CWE-11', 'CWE-13', 'CWE-15', 'CWE-16', 'CWE-260', 'CWE-315', 'CWE-520',
+      'CWE-526', 'CWE-537', 'CWE-541', 'CWE-547', 'CWE-611', 'CWE-614', 'CWE-756', 'CWE-776',
+      'CWE-942', 'CWE-1004', 'CWE-1032', 'CWE-1174',
+      // A06 Vulnerable and Outdated Components
+      'CWE-937', 'CWE-1035', 'CWE-1104',
+      // A07 Identification and Authentication Failures
+      'CWE-255', 'CWE-259', 'CWE-287', 'CWE-288', 'CWE-290', 'CWE-294', 'CWE-295', 'CWE-297',
+      'CWE-300', 'CWE-302', 'CWE-304', 'CWE-306', 'CWE-307', 'CWE-346', 'CWE-384', 'CWE-521',
+      'CWE-613', 'CWE-620', 'CWE-640', 'CWE-798',
+      // A08 Software and Data Integrity Failures
+      'CWE-345', 'CWE-353', 'CWE-426', 'CWE-494', 'CWE-502', 'CWE-565', 'CWE-784', 'CWE-829',
+      'CWE-830', 'CWE-915',
+      // A09 Security Logging and Monitoring Failures
+      'CWE-117', 'CWE-223', 'CWE-532', 'CWE-778',
+      // A10 Server-Side Request Forgery
+      'CWE-918',
+    ],
+  },
+
+  'cwe-top-25': {
+    description: 'CWE Top 25 Most Dangerous Software Weaknesses (2023)',
+    cwes: [
+      'CWE-787', 'CWE-79', 'CWE-89', 'CWE-416', 'CWE-78', 'CWE-20', 'CWE-125', 'CWE-22',
+      'CWE-352', 'CWE-434', 'CWE-862', 'CWE-476', 'CWE-287', 'CWE-190', 'CWE-502', 'CWE-77',
+      'CWE-119', 'CWE-798', 'CWE-918', 'CWE-306', 'CWE-362', 'CWE-269', 'CWE-94', 'CWE-863',
+      'CWE-276',
+    ],
+  },
+
+  'llm-security': {
+    description: 'LLM / agent / prompt-injection risks (OWASP LLM Top 10)',
+    cwes: [
+      'CWE-20',    // Improper Input Validation (prompts)
+      'CWE-74',    // Injection family
+      'CWE-77',    // Command Injection (via tools)
+      'CWE-78',    // OS Command Injection (via tools)
+      'CWE-79',    // XSS (LLM-generated output)
+      'CWE-94',    // Code Injection
+      'CWE-200',   // Information Disclosure (model leakage)
+      'CWE-285',   // Improper Authorization (over-privileged agents)
+      'CWE-285',
+      'CWE-352',   // CSRF (agent state)
+      'CWE-494',   // Download of Code Without Integrity Check (model weights)
+      'CWE-502',   // Insecure Deserialization (pickle / torch.load)
+      'CWE-732',   // Incorrect Permission Assignment (MCP tools)
+      'CWE-798',   // Hardcoded credentials (in prompts / tools)
+      'CWE-918',   // SSRF (LLM-controlled requests)
+      'CWE-1336',  // Improper Neutralization of Special Elements (template injection)
+      'CWE-1357',  // Reliance on Insufficiently Trustworthy Component
+      'CWE-1427',  // LLM prompt injection (CWE assigned 2025)
+    ],
+  },
+
+  'supply-chain': {
+    description: 'Dependency vulnerabilities, dep-confusion, pipeline & container risks',
+    cwes: [
+      'CWE-494',   // Download of Code Without Integrity Check
+      'CWE-502',   // Insecure Deserialization
+      'CWE-532',   // Insertion of Sensitive Information into Log File
+      'CWE-693',   // Protection Mechanism Failure
+      'CWE-829',   // Inclusion of Functionality from Untrusted Control Sphere
+      'CWE-830',   // Inclusion of Web Functionality from Untrusted Source
+      'CWE-915',   // Improperly Controlled Modification of Dynamically-Determined Object Attributes
+      'CWE-937',   // Using Components with Known Vulnerabilities
+      'CWE-1035',  // OWASP A06 — Vulnerable and Outdated Components
+      'CWE-1104',  // Use of Unmaintained Third-Party Components
+      'CWE-1188',  // Insecure Default Initialization of Resource
+      'CWE-1336',  // Template Injection
+      'CWE-1357',  // Reliance on Insufficiently Trustworthy Component
+      'CWE-272',   // Least Privilege Violation (CI permissions)
+      'CWE-78',    // OS Command Injection (CI script injection)
+    ],
+  },
+};
+
+export function listPacks() {
+  return Object.entries(PACKS).map(([name, p]) => ({
+    name,
+    description: p.description,
+    cweCount: p.cwes.length,
+  }));
+}
+
+export function loadPack(name) {
+  const p = PACKS[name];
+  if (!p) {
+    const known = Object.keys(PACKS).join(', ');
+    throw new Error(`Unknown pack "${name}". Known: ${known}`);
+  }
+  return { name, ...p };
+}
+
+// Return the set of CWE IDs covered by the given pack names.
+// Multiple packs union their CWE sets.
+export function packsCweSet(names) {
+  const set = new Set();
+  for (const n of names) {
+    const p = loadPack(n);
+    for (const c of p.cwes) set.add(c);
+  }
+  return set;
+}
+
+// Filter a scan object's findings/secrets/supplyChain arrays to those whose CWE
+// is present in the union of `packNames`' CWE sets. Returns a new scan object.
+// If `packNames` is empty/falsy, returns the scan unchanged.
+export function applyPacks(scan, packNames) {
+  if (!packNames || !packNames.length) return scan;
+  const cwes = packsCweSet(packNames);
+  const keep = (f) => f && f.cwe && cwes.has(f.cwe);
+  return {
+    ...scan,
+    findings: (scan.findings || []).filter(keep),
+    secrets: (scan.secrets || []).filter(keep),
+    logicVulns: (scan.logicVulns || []).filter(keep),
+    supplyChain: (scan.supplyChain || []).filter(keep),
+  };
+}

package/src/posture/rule-synthesis.js

@@ -0,0 +1,108 @@
+// Auto-rule synthesis from repeated FPs (FR-LEARN-6).
+//
+// Reads `.agentic-security/triage-feedback.json` (populated by the /triage
+// slash command). When 5+ findings sharing a similar shape get marked FP,
+// propose a YAML suppression rule and write it to
+// `.agentic-security/rules-proposed/auto-<timestamp>.yml`. The operator
+// reviews and either drops it into `rules/` (active) or deletes it.
+//
+// Honest scope:
+//   - We propose, we don't auto-activate. The customer decides.
+//   - Similar-shape = same (rule_id or vuln-family) AND same file glob root.
+//   - Threshold = 5 occurrences by default (env override).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const TRIAGE_PATH = path.join('.agentic-security', 'triage-feedback.json');
+const PROPOSED_DIR = path.join('.agentic-security', 'rules-proposed');
+
+const DEFAULT_FP_THRESHOLD = 5;
+
+function _readTriage(scanRoot) {
+  const fp = path.join(scanRoot || process.cwd(), TRIAGE_PATH);
+  if (!fs.existsSync(fp)) return null;
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
+}
+
+function _shapeKey(entry) {
+  // Group by rule/family + the dir prefix (first two path segments) so we
+  // suggest rules scoped to the same module — never project-wide.
+  const fam = entry.family || entry.cwe || entry.vuln || 'unknown';
+  const file = entry.file || '';
+  const dir = file.split('/').slice(0, 2).join('/') || '.';
+  return `${fam}::${dir}`;
+}
+
+function _summarizeGroup(entries) {
+  const e0 = entries[0];
+  return {
+    family: e0.family || null,
+    rule:   e0.cwe || e0.vuln || 'unknown',
+    dirGlob: (e0.file || '').split('/').slice(0, 2).join('/') + '/**',
+    count: entries.length,
+    examples: entries.slice(0, 3).map(e => `${e.file}:${e.line}`),
+  };
+}
+
+function _yamlProposal(group) {
+  const ruleId = `auto-suppress-${group.family || group.rule}-${Date.now().toString(36)}`;
+  return `# Auto-synthesised suppression proposal (FR-LEARN-6).
+# Generated from ${group.count} false-positive verdicts on ${group.family || group.rule}
+# in ${group.dirGlob}.
+#
+# Examples:
+${group.examples.map(e => '#   - ' + e).join('\n')}
+#
+# Review carefully BEFORE moving into rules/. This is a PROPOSAL.
+
+- id: ${ruleId}
+  title: "Auto-suppress: ${group.family || group.rule}"
+  description: "Repeated FP verdicts in ${group.dirGlob}"
+  shadow: true                  # never blocks CI; safe by default
+  match:
+    family: ${group.family || group.rule}
+    paths:
+      - "${group.dirGlob}"
+  action: suppress
+`;
+}
+
+/**
+ * Public entry: scan the triage history and emit a proposal YAML for any
+ * group with ≥ threshold FP verdicts. Returns the list of proposals written.
+ */
+export function synthesizeRules(scanRoot, opts = {}) {
+  const threshold = parseInt(opts.threshold || process.env.AGENTIC_SECURITY_RULE_SYNTHESIS_THRESHOLD || String(DEFAULT_FP_THRESHOLD), 10);
+  const triage = _readTriage(scanRoot);
+  if (!triage) return [];
+  // triage format (per v0.46): { verdicts: [{file, line, vuln, family, verdict, ...}] }
+  const verdicts = triage.verdicts || [];
+  const fps = verdicts.filter(v => v.verdict === 'fp' || v.verdict === 'false-positive');
+  if (!fps.length) return [];
+  const groups = new Map();
+  for (const e of fps) {
+    const k = _shapeKey(e);
+    if (!groups.has(k)) groups.set(k, []);
+    groups.get(k).push(e);
+  }
+  const proposals = [];
+  const dir = path.join(scanRoot || process.cwd(), PROPOSED_DIR);
+  for (const [, group] of groups) {
+    if (group.length < threshold) continue;
+    const summary = _summarizeGroup(group);
+    const yaml = _yamlProposal(summary);
+    const name = `auto-${(summary.family || summary.rule).replace(/[^a-zA-Z0-9_-]/g, '-')}-${Date.now().toString(36)}.yml`;
+    const fp = path.join(dir, name);
+    if (!opts.dryRun) {
+      try {
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(fp, yaml);
+      } catch { /* non-fatal */ }
+    }
+    proposals.push({ ...summary, file: fp, yaml });
+  }
+  return proposals;
+}
+
+export const _internals = { DEFAULT_FP_THRESHOLD, TRIAGE_PATH, PROPOSED_DIR };