@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/streak.js

@@ -0,0 +1,249 @@
+// Streaks + achievements state module.
+//
+// Persists `.agentic-security/streak.json` so the user can see progress
+// across sessions: days clean of critical findings, total scans, total
+// fixes applied, achievements earned. Pure transform — recordScan reads
+// the latest scan + previous streak file and writes the updated state.
+//
+// Achievement design: every achievement is derived from the streak state
+// itself, so we never have to detect "a fix happened" — we just compare
+// counters between scans.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+function _streakPath(stateDir) {
+  return path.join(stateDir, 'streak.json');
+}
+
+const _DEFAULT_STREAK = {
+  firstScanDate: null,
+  lastScanDate: null,
+  totalScans: 0,
+  daysCleanCritical: 0,
+  lastCleanDate: null,
+  lastCriticalDate: null,
+  hasEverHadCritical: false,
+  bestDaysCleanCritical: 0,
+  totalFindingsAtFirstScan: null,
+  totalFindingsAtLastScan: null,
+  totalFixesInferred: 0,
+  lastGrade: null,
+  bestGrade: null,
+  launchCheckPassedAt: null,
+  achievements: [],
+};
+
+export function loadStreak(stateDir) {
+  try {
+    const raw = fs.readFileSync(_streakPath(stateDir), 'utf8');
+    return { ..._DEFAULT_STREAK, ...JSON.parse(raw) };
+  } catch {
+    return { ..._DEFAULT_STREAK };
+  }
+}
+
+function _todayUTC() {
+  return new Date().toISOString().slice(0, 10);
+}
+
+function _daysBetween(aIso, bIso) {
+  if (!aIso || !bIso) return 0;
+  const a = new Date(aIso + 'T00:00:00Z').getTime();
+  const b = new Date(bIso + 'T00:00:00Z').getTime();
+  return Math.round((b - a) / 86_400_000);
+}
+
+// Compute a letter grade from severity counts. Mirrors /security-grade so
+// we can track grade-delta in the streak.
+function _computeGrade(scan) {
+  const findings = scan?.findings || [];
+  const supplyChain = scan?.supplyChain || [];
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+  for (const s of supplyChain.filter(s => s.type === 'vulnerable_dep')) {
+    counts[s.severity || 'high'] = (counts[s.severity || 'high'] || 0) + 1;
+  }
+  const kev = [...findings, ...supplyChain].filter(f => f.kev === true).length;
+  const c = counts.critical, h = counts.high;
+  if (c > 10 || (c > 5 && kev > 0)) return 'F';
+  if (c >= 6) return 'D';
+  if (kev > 0) return 'D';
+  if (c >= 3) return 'C-';
+  if (c >= 1) return 'C';
+  if (h > 10) return 'B-';
+  if (h >= 3) return 'B';
+  if (h > 0) return 'A-';
+  if (counts.medium > 0) return 'A';
+  return 'A+';
+}
+
+const _GRADE_RANK = { 'F': 0, 'D': 1, 'C-': 2, 'C': 3, 'B-': 4, 'B': 5, 'A-': 6, 'A': 7, 'A+': 8 };
+
+function _gradeRank(g) { return _GRADE_RANK[g] ?? -1; }
+
+function _computeAchievements(streak, scan) {
+  const earned = new Set(streak.achievements || []);
+  const findings = scan?.findings || [];
+  const counts = { critical: 0, high: 0, medium: 0 };
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+
+  // Lifetime achievements (unlock once, never expire). Tiers escalate
+  // Bronze → Silver → Gold → Platinum → Diamond. Old IDs preserved for
+  // backward compatibility with persisted streak.json files.
+  if (streak.totalScans >= 1) earned.add('first-scan');
+  if (streak.hasEverHadCritical && counts.critical === 0) earned.add('clean-sweep');
+  if (streak.totalFixesInferred >= 1) earned.add('first-fix');
+  // Triage tiers (was: triage-master at 10)
+  if (streak.totalFixesInferred >= 10) earned.add('triage-master');
+  if (streak.totalFixesInferred >= 50) earned.add('triage-silver');
+  if (streak.totalFixesInferred >= 200) earned.add('triage-gold');
+  // Streak tiers (Bronze/Silver/Gold/Platinum/Diamond)
+  if (streak.daysCleanCritical >= 7) earned.add('streak-7');         // Bronze
+  if (streak.daysCleanCritical >= 30) earned.add('streak-30');       // Silver
+  if (streak.daysCleanCritical >= 90) earned.add('streak-90');       // Gold
+  if (streak.daysCleanCritical >= 180) earned.add('streak-180');     // Platinum
+  if (streak.daysCleanCritical >= 365) earned.add('streak-365');     // Diamond
+  if (_gradeRank(streak.lastGrade) >= _gradeRank('A')) earned.add('grade-a');
+  if (streak.lastGrade === 'A+') earned.add('grade-a-plus');
+  if (streak.launchCheckPassedAt) earned.add('launch-ready');
+  if (streak.totalScans >= 25) earned.add('scan-veteran-25');
+  if (streak.totalScans >= 100) earned.add('scan-veteran-100');
+
+  return [...earned].sort();
+}
+
+// Public — invoked by the CLI after every full scan.
+export function recordScan(stateDir, scan) {
+  try { fs.mkdirSync(stateDir, { recursive: true }); } catch {}
+  const prev = loadStreak(stateDir);
+  const today = _todayUTC();
+
+  const findings = scan?.findings || [];
+  const supplyChain = scan?.supplyChain || [];
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+  for (const s of supplyChain.filter(s => s.type === 'vulnerable_dep')) {
+    counts[s.severity || 'high'] = (counts[s.severity || 'high'] || 0) + 1;
+  }
+
+  const totalNow = findings.length + supplyChain.filter(s => s.type === 'vulnerable_dep').length;
+  const grade = _computeGrade(scan);
+
+  // Streak math: increment days-clean only when we're clean today AND today is a new date
+  let daysCleanCritical = prev.daysCleanCritical || 0;
+  let lastCleanDate = prev.lastCleanDate;
+  let lastCriticalDate = prev.lastCriticalDate;
+  let hasEverHadCritical = prev.hasEverHadCritical;
+
+  if (counts.critical === 0) {
+    if (lastCleanDate !== today) {
+      // If yesterday was the last clean, +1; otherwise reset to 1 (new clean run)
+      const gap = _daysBetween(lastCleanDate, today);
+      daysCleanCritical = gap === 1 ? daysCleanCritical + 1 : 1;
+      lastCleanDate = today;
+    }
+  } else {
+    daysCleanCritical = 0;
+    lastCriticalDate = today;
+    hasEverHadCritical = true;
+  }
+
+  const bestDaysCleanCritical = Math.max(prev.bestDaysCleanCritical || 0, daysCleanCritical);
+
+  // Infer "fixes applied" from finding count drops between consecutive scans
+  let totalFixesInferred = prev.totalFixesInferred || 0;
+  if (prev.totalFindingsAtLastScan != null && totalNow < prev.totalFindingsAtLastScan) {
+    totalFixesInferred += (prev.totalFindingsAtLastScan - totalNow);
+  }
+
+  const next = {
+    ...prev,
+    firstScanDate: prev.firstScanDate || new Date().toISOString(),
+    lastScanDate: new Date().toISOString(),
+    totalScans: (prev.totalScans || 0) + 1,
+    daysCleanCritical,
+    lastCleanDate,
+    lastCriticalDate,
+    hasEverHadCritical,
+    bestDaysCleanCritical,
+    totalFindingsAtFirstScan: prev.totalFindingsAtFirstScan ?? totalNow,
+    totalFindingsAtLastScan: totalNow,
+    totalFixesInferred,
+    previousGrade: prev.lastGrade,
+    lastGrade: grade,
+    bestGrade: prev.bestGrade && _gradeRank(prev.bestGrade) >= _gradeRank(grade) ? prev.bestGrade : grade,
+  };
+  next.achievements = _computeAchievements(next, scan);
+
+  try { fs.writeFileSync(_streakPath(stateDir), JSON.stringify(next, null, 2)); } catch {}
+  return next;
+}
+
+// Mark "launch check passed 10/10" — called from /security-launch-check
+export function markLaunchCheckPassed(stateDir) {
+  const prev = loadStreak(stateDir);
+  const next = { ...prev, launchCheckPassedAt: new Date().toISOString() };
+  next.achievements = _computeAchievements(next, { findings: [] });
+  try { fs.mkdirSync(stateDir, { recursive: true }); fs.writeFileSync(_streakPath(stateDir), JSON.stringify(next, null, 2)); } catch {}
+  return next;
+}
+
+export function formatStreakLine(streak) {
+  if (!streak || !streak.totalScans) return null;
+  const parts = [];
+  if (streak.daysCleanCritical >= 1) {
+    const flame = streak.daysCleanCritical >= 7 ? '🔥 ' : '';
+    parts.push(`${flame}${streak.daysCleanCritical} day${streak.daysCleanCritical === 1 ? '' : 's'} clean of critical findings`);
+  }
+  if (streak.lastGrade) {
+    parts.push(`grade ${streak.lastGrade}`);
+  }
+  if (streak.totalFixesInferred > 0) {
+    parts.push(`${streak.totalFixesInferred} fix${streak.totalFixesInferred === 1 ? '' : 'es'} applied`);
+  }
+  return parts.length ? parts.join(' · ') : null;
+}
+
+export function formatGradeDelta(streak) {
+  if (!streak || !streak.previousGrade || !streak.lastGrade) return null;
+  if (streak.previousGrade === streak.lastGrade) return null;
+  const prev = _gradeRank(streak.previousGrade);
+  const now = _gradeRank(streak.lastGrade);
+  if (now > prev) return `📈 Grade up: ${streak.previousGrade} → ${streak.lastGrade}`;
+  if (now < prev) return `📉 Grade down: ${streak.previousGrade} → ${streak.lastGrade}`;
+  return null;
+}
+
+const ACHIEVEMENT_LABELS = {
+  'first-scan':      { icon: '🛡️', label: 'First Scan', desc: 'Ran your first security scan' },
+  'first-fix':       { icon: '🔧', label: 'First Fix', desc: 'Applied at least one fix' },
+  'clean-sweep':     { icon: '🧹', label: 'Clean Sweep', desc: 'Took your project from criticals to zero' },
+  // Triage tiers
+  'triage-master':   { icon: '🎯', label: 'Bronze Fixer', desc: '10+ findings remediated' },
+  'triage-silver':   { icon: '🥈', label: 'Silver Fixer', desc: '50+ findings remediated' },
+  'triage-gold':     { icon: '🥇', label: 'Gold Fixer', desc: '200+ findings remediated' },
+  // Streak tiers (Bronze → Diamond)
+  'streak-7':        { icon: '🥉', label: 'Bronze Streak', desc: '7 days clean of critical findings' },
+  'streak-30':       { icon: '🥈', label: 'Silver Streak', desc: '30 days clean of critical findings' },
+  'streak-90':       { icon: '🥇', label: 'Gold Streak', desc: '90 days clean of critical findings' },
+  'streak-180':      { icon: '💎', label: 'Platinum Streak', desc: '180 days clean of critical findings' },
+  'streak-365':      { icon: '💠', label: 'Diamond Streak', desc: '365 days clean of critical findings' },
+  // Grade
+  'grade-a':         { icon: '🏆', label: 'Grade A', desc: 'Reached an A-tier security grade' },
+  'grade-a-plus':    { icon: '🌟', label: 'Grade A+', desc: 'Reached the perfect grade — zero findings' },
+  'launch-ready':    { icon: '🚀', label: 'Launch Ready', desc: 'Passed all 10 launch-check items' },
+  // Scan veteran
+  'scan-veteran-25': { icon: '⭐', label: 'Scan Veteran (25)', desc: '25 scans completed' },
+  'scan-veteran-100':{ icon: '🎖️', label: 'Scan Centurion (100)', desc: '100 scans completed' },
+};
+
+export function formatAchievements(streak) {
+  if (!streak?.achievements?.length) return [];
+  return streak.achievements.map(id => ({
+    id,
+    ...ACHIEVEMENT_LABELS[id] || { icon: '🏅', label: id, desc: '' },
+  }));
+}
+
+export const _internal = { _computeGrade, _GRADE_RANK, _DEFAULT_STREAK, ACHIEVEMENT_LABELS };

package/src/posture/suppressions.js

@@ -0,0 +1,135 @@
+// Dual suppression schemas (R4).
+//   - vibecoder:  .agentic-security/accepted.json  (soft, 30-day, auto-reminder)
+//   - pro:        .agentic-security/suppressions.yml (audit-grade: reason +
+//                  reviewer + expiry + rule-version pin)
+// One function `applySuppressions(findings, scanRoot, profile)` filters in
+// place. Loaders accept malformed input gracefully (skip bad entries, log).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+
+const VIBECODER_PATH = '.agentic-security/accepted.json';
+const PRO_PATH = '.agentic-security/suppressions.yml';
+
+const MS_PER_DAY = 86400000;
+const SOFT_TTL_DAYS = 30;
+
+function _now() { return Date.now(); }
+function _dateOnly(iso) {
+  // Accept full ISO or YYYY-MM-DD.
+  try { return new Date(iso).getTime(); } catch (_) { return NaN; }
+}
+
+export function loadSoftAccepted(scanRoot) {
+  const fp = path.join(scanRoot || process.cwd(), VIBECODER_PATH);
+  if (!fs.existsSync(fp)) return [];
+  try {
+    const raw = JSON.parse(fs.readFileSync(fp, 'utf8'));
+    return Array.isArray(raw.accepted) ? raw.accepted : [];
+  } catch (_) { return []; }
+}
+
+export function saveSoftAccepted(scanRoot, items) {
+  const fp = path.join(scanRoot || process.cwd(), VIBECODER_PATH);
+  fs.mkdirSync(path.dirname(fp), { recursive: true });
+  fs.writeFileSync(fp, JSON.stringify({ accepted: items }, null, 2));
+}
+
+export function addSoftAcceptance(scanRoot, finding, reason) {
+  const items = loadSoftAccepted(scanRoot);
+  const expires = new Date(_now() + SOFT_TTL_DAYS * MS_PER_DAY).toISOString().slice(0, 10);
+  items.push({
+    id: finding.id || `${finding.file}:${finding.line}:${finding.vuln}`,
+    file: finding.file,
+    line: finding.line,
+    vuln: finding.vuln,
+    reason: reason || 'vibecoded for now',
+    accepted_at: new Date().toISOString().slice(0, 10),
+    expires_at: expires,
+  });
+  saveSoftAccepted(scanRoot, items);
+  return expires;
+}
+
+export function loadProSuppressions(scanRoot) {
+  const fp = path.join(scanRoot || process.cwd(), PRO_PATH);
+  if (!fs.existsSync(fp)) return [];
+  try {
+    const parsed = yaml.load(fs.readFileSync(fp, 'utf8'));
+    return Array.isArray(parsed) ? parsed : (parsed?.suppressions || []);
+  } catch (_) { return []; }
+}
+
+// Validate one entry. Returns { ok, errors }.
+export function validateProSuppression(entry) {
+  const errors = [];
+  for (const k of ['finding_id', 'file', 'reason', 'justification_signed_by', 'reviewer', 'expires_at']) {
+    if (!entry[k] || (typeof entry[k] === 'string' && !entry[k].trim())) errors.push(`missing: ${k}`);
+  }
+  if (entry.justification_signed_by && entry.reviewer && entry.justification_signed_by === entry.reviewer) {
+    errors.push('justification_signed_by must differ from reviewer (two-person rule)');
+  }
+  if (entry.expires_at) {
+    const t = _dateOnly(entry.expires_at);
+    if (!Number.isFinite(t)) errors.push('expires_at must be ISO date');
+    else if (t < _now()) errors.push('expires_at is in the past');
+  }
+  if (entry.severity === 'critical' && !entry._accept_critical) {
+    errors.push('cannot suppress critical without --accept-critical flag at suppress time');
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+export function applySuppressions(findings, scanRoot, profile) {
+  const isVib = (profile?.profile || 'vibecoder') === 'vibecoder';
+  const isPro = (profile?.profile) === 'pro';
+  const items = isPro ? loadProSuppressions(scanRoot) : loadSoftAccepted(scanRoot);
+  if (!items.length) return findings;
+
+  const now = _now();
+  const kept = [];
+  const suppressed = [];
+
+  for (const f of findings) {
+    const fid = f.id || `${f.file}:${f.line}:${f.vuln}`;
+    let matched = null;
+    for (const s of items) {
+      const matchId = s.id || s.finding_id;
+      if (matchId && matchId === fid) { matched = s; break; }
+      // Also match by (file, line, vuln) tuple.
+      if (s.file === f.file && s.line === f.line && s.vuln === f.vuln) { matched = s; break; }
+    }
+    if (matched) {
+      // Has it expired?
+      const exp = _dateOnly(matched.expires_at || matched.expires || '');
+      if (Number.isFinite(exp) && exp < now) {
+        kept.push({ ...f, _suppressionExpired: true });
+        continue;
+      }
+      // Pro: validate the entry still passes
+      if (isPro) {
+        const v = validateProSuppression({ ...matched, severity: f.severity });
+        if (!v.ok) { kept.push({ ...f, _suppressionInvalid: v.errors }); continue; }
+      }
+      suppressed.push({ ...f, _suppressed: matched });
+      continue;
+    }
+    kept.push(f);
+  }
+
+  if (process.env.DEBUG_SUPPRESSIONS) {
+    console.error(`[suppressions] ${suppressed.length} suppressed, ${kept.length} kept`);
+  }
+  return kept;
+}
+
+// Return suppressions that have expired so callers can remind the user.
+export function expiredSoftAcceptances(scanRoot) {
+  const items = loadSoftAccepted(scanRoot);
+  const now = _now();
+  return items.filter(s => {
+    const exp = _dateOnly(s.expires_at);
+    return Number.isFinite(exp) && exp < now;
+  });
+}

package/src/posture/telemetry-ingest.js

@@ -0,0 +1,112 @@
+// FR-PROD-2 — Production telemetry ingest.
+//
+// Build a route → request-count map from a customer-supplied telemetry
+// digest. The customer-side shim is responsible for producing the digest
+// (no PII; counts and rates only). Expected format at
+// `.agentic-security/telemetry.json`:
+//
+//   {
+//     "windowDays": 30,
+//     "routes": {
+//       "GET /api/health":      { "count": 42000, "lastSeen": "2026-05-17T..." },
+//       "POST /admin/users":    { "count": 0,     "lastSeen": null },
+//       "POST /api/webhooks":   { "count": 8800,  "lastSeen": "2026-05-18T..." }
+//     }
+//   }
+//
+// Findings whose location matches a route with 0 requests over the window
+// get `coldPath: true` and a confidence dampener — likely the code path is
+// behind a flag or dead. Findings on hot paths (>1k req/30d) get
+// `hotPath: true` and a small priority bump.
+//
+// We deliberately do NOT call Sentry/Datadog APIs from this module. The
+// customer-side shim is in PRD as a separate workstream because cross-vendor
+// API access in the scanner has too many privacy and auth-token concerns.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const CANDIDATE_PATHS = [
+  '.agentic-security/telemetry.json',
+  '.agentic-security/prod-telemetry.json',
+];
+
+const HOT_THRESHOLD = 1000;     // requests / window — promotes to hot
+const COLD_THRESHOLD = 0;       // exactly zero requests → cold
+
+export function loadTelemetry(scanRoot) {
+  const root = scanRoot || process.cwd();
+  for (const rel of CANDIDATE_PATHS) {
+    const fp = path.join(root, rel);
+    if (!fs.existsSync(fp)) continue;
+    try {
+      const data = JSON.parse(fs.readFileSync(fp, 'utf8'));
+      if (data && typeof data === 'object' && data.routes) return data;
+    } catch {}
+  }
+  return null;
+}
+
+// Heuristic: extract a route-shape signal from a finding's file path or
+// content. Returns null when no route is inferable.
+function routeShapeFor(f) {
+  const fp = String(f.file || '');
+  const inferred = [];
+  // Next.js / SvelteKit / Remix style.
+  let m;
+  if ((m = /\/(?:app|pages|routes)\/(.+?)(?:\/route\.[a-z]+|\.[a-z]+)$/i.exec(fp))) {
+    let r = '/' + m[1].replace(/\/(?:index|page|route)$/i, '');
+    r = r.replace(/\[([^\]]+)\]/g, ':$1');
+    inferred.push('* ' + r);
+  }
+  // Express / FastAPI / Flask: search the file snippet for app.METHOD('/path', ...)
+  if (f.snippet && typeof f.snippet === 'string') {
+    const sm = /app\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/i.exec(f.snippet);
+    if (sm) inferred.push(`${sm[1].toUpperCase()} ${sm[2]}`);
+  }
+  return inferred.length ? inferred : null;
+}
+
+// Match a finding's inferred routes against the telemetry route map.
+// Telemetry routes are like "GET /api/health"; finding routes may have
+// `:param` placeholders. Use a permissive parameter-equivalence match.
+function findRouteEntry(routes, candidates) {
+  if (!routes || !candidates) return null;
+  const norm = (s) => s.replace(/:\w+|\{\w+\}/g, '_PARAM_').trim();
+  for (const c of candidates) {
+    const cn = norm(c);
+    for (const [route, info] of Object.entries(routes)) {
+      if (norm(route) === cn) return info;
+      // method-agnostic match for cases where the finding only knows the path
+      const cmStar = cn.startsWith('* ');
+      if (cmStar) {
+        const cpath = cn.slice(2);
+        if (norm(route).endsWith(' ' + cpath)) return info;
+      }
+    }
+  }
+  return null;
+}
+
+export function annotateTelemetry(findings, scanRoot) {
+  if (!Array.isArray(findings)) return findings;
+  const telem = loadTelemetry(scanRoot);
+  if (!telem) return findings;
+  for (const f of findings) {
+    if (!f || typeof f !== 'object') continue;
+    const candidates = routeShapeFor(f);
+    if (!candidates) continue;
+    const entry = findRouteEntry(telem.routes, candidates);
+    if (!entry) continue;
+    f.prodRequestCount = entry.count || 0;
+    f.prodLastSeen = entry.lastSeen || null;
+    if ((entry.count || 0) <= COLD_THRESHOLD) {
+      f.coldPath = true;
+      if (typeof f.confidence === 'number') f.confidence = Math.max(0, f.confidence - 0.08);
+    } else if ((entry.count || 0) >= HOT_THRESHOLD) {
+      f.hotPath = true;
+      if (typeof f.confidence === 'number') f.confidence = Math.min(1, f.confidence + 0.05);
+    }
+  }
+  return findings;
+}

package/src/posture/threat-model.js

@@ -0,0 +1,145 @@
+// FR-LOGIC-10 — Threat-model auto-derivation (STRIDE).
+//
+// Build a lightweight STRIDE-aligned threat model for the project from
+// observed signals — data flows, trust boundaries, asset inventory. The
+// output feeds two consumers:
+//
+//   1. The PR-comment bot, which uses the threat model to write a "what
+//      the attacker would do here" paragraph next to high+ findings.
+//   2. persona-prioritization.js (FR-ADV-2), which uses the asset list
+//      to weight crown-jewel-adjacent findings higher for the personas
+//      that care.
+//
+// We do NOT attempt a full STRIDE walkthrough — that would require running
+// an LLM over the whole codebase. We DO emit a structured summary that an
+// LLM can hydrate into a full narrative on demand.
+//
+// Output shape:
+//   {
+//     assets:        [{ name, file, line, category, exposure }],
+//     trustBoundaries: [{ type, location, traffic }],
+//     stride: {
+//       spoofing:    [...]   // findings that bear on this STRIDE category
+//       tampering:   [...]
+//       repudiation: [...]
+//       informationDisclosure: [...]
+//       denialOfService: [...]
+//       elevationOfPrivilege: [...]
+//     },
+//   }
+
+const ASSET_PATTERNS = [
+  // [regex, category, exposure]
+  [/(?:stripe|paddle|braintree)\.\w+\.create/g, 'payment-method', 'public-api'],
+  [/(?:User|users?)\.create\(|prisma\.user\.create/g, 'identity', 'public-api'],
+  [/(?:session|token|jwt)\s*=\s*/g, 'session', 'internal'],
+  [/process\.env\.([A-Z_]+(?:KEY|SECRET|TOKEN))/g, 'secret', 'internal'],
+  [/(?:aws-sdk|@aws-sdk).*\.upload|s3\.put/g, 'object-storage', 'public-api'],
+  [/(?:openai|anthropic|together|groq)\.(?:chat|messages|completions)/g, 'llm-egress', 'external-api'],
+];
+
+const TRUST_BOUNDARY_PATTERNS = [
+  [/app\.(?:get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/g, 'http-route'],
+  [/router\.(?:get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/g, 'http-route'],
+  [/@(?:Get|Post|Put|Patch|Delete)Mapping\s*\(/g, 'http-route-java'],
+  [/@(?:app|router)\.(?:get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/g, 'http-route-py'],
+  [/(?:kafka|pubsub|sqs|sns)\.consume|\.subscribe|\.receiveMessage/gi, 'queue-consumer'],
+  [/(?:kafka|pubsub|sqs|sns)\.produce|\.publish|\.sendMessage/gi, 'queue-producer'],
+  [/grpc\.Server|new\s+Server\s*\(\s*\)/g, 'grpc-server'],
+  [/(?:db|pool|client)\.(?:query|execute|raw)\s*\(/g, 'db-edge'],
+];
+
+export function buildAssetInventory(fileContents) {
+  const assets = [];
+  if (!fileContents) return assets;
+  for (const [fp, text] of Object.entries(fileContents)) {
+    if (!text || typeof text !== 'string') continue;
+    for (const [re, category, exposure] of ASSET_PATTERNS) {
+      re.lastIndex = 0;
+      let m;
+      while ((m = re.exec(text))) {
+        const line = text.slice(0, m.index).split('\n').length;
+        const name = m[1] || category;
+        assets.push({ name, file: fp, line, category, exposure });
+        if (assets.length >= 200) return assets;
+      }
+    }
+  }
+  return assets;
+}
+
+export function buildTrustBoundaries(fileContents) {
+  const boundaries = [];
+  if (!fileContents) return boundaries;
+  for (const [fp, text] of Object.entries(fileContents)) {
+    if (!text || typeof text !== 'string') continue;
+    for (const [re, type] of TRUST_BOUNDARY_PATTERNS) {
+      re.lastIndex = 0;
+      let m;
+      while ((m = re.exec(text))) {
+        const line = text.slice(0, m.index).split('\n').length;
+        boundaries.push({ type, file: fp, line, label: m[1] || null });
+        if (boundaries.length >= 500) return boundaries;
+      }
+    }
+  }
+  return boundaries;
+}
+
+function strideCategoryFor(f) {
+  const v = (f.vuln || '').toLowerCase();
+  if (/auth|jwt|session|csrf|spoof/.test(v)) return 'spoofing';
+  if (/injection|deserial|tampered|prototype.pollution|toctou|race/.test(v)) return 'tampering';
+  if (/log.injection|missing.audit|no.audit/.test(v)) return 'repudiation';
+  if (/leak|disclos|info.expos|stack.trace|verbose.err/.test(v)) return 'informationDisclosure';
+  if (/dos|denial|unbounded|max_tokens|rate.limit|redos/.test(v)) return 'denialOfService';
+  if (/idor|missing.authz|broken.access|priv.esc|admin/.test(v)) return 'elevationOfPrivilege';
+  if (/sql.injection|command.injection|ssrf|xxe|rce|code.injection/.test(v)) return 'tampering';
+  if (/xss/.test(v)) return 'tampering';
+  return null;
+}
+
+export function classifyFindingsByStride(findings) {
+  const out = {
+    spoofing: [], tampering: [], repudiation: [],
+    informationDisclosure: [], denialOfService: [], elevationOfPrivilege: [],
+  };
+  if (!Array.isArray(findings)) return out;
+  for (const f of findings) {
+    if (!f || typeof f !== 'object') continue;
+    const cat = strideCategoryFor(f);
+    if (!cat) continue;
+    out[cat].push({ vuln: f.vuln, file: f.file, line: f.line, severity: f.severity });
+  }
+  return out;
+}
+
+export function buildThreatModel(findings, fileContents) {
+  const assets = buildAssetInventory(fileContents);
+  const trustBoundaries = buildTrustBoundaries(fileContents);
+  const stride = classifyFindingsByStride(findings || []);
+  // Cap each STRIDE bucket so the model object stays compact in SARIF.
+  for (const k of Object.keys(stride)) stride[k] = stride[k].slice(0, 25);
+  return {
+    summary: {
+      assetCount: assets.length,
+      boundaryCount: trustBoundaries.length,
+      strideCounts: Object.fromEntries(Object.entries(stride).map(([k, v]) => [k, v.length])),
+    },
+    assets: assets.slice(0, 50),
+    trustBoundaries: trustBoundaries.slice(0, 50),
+    stride,
+  };
+}
+
+// Compose: annotate each finding with its STRIDE category so consumers can
+// pivot by attacker objective rather than by CWE.
+export function annotateStrideCategory(findings) {
+  if (!Array.isArray(findings)) return findings;
+  for (const f of findings) {
+    if (!f || typeof f !== 'object') continue;
+    const cat = strideCategoryFor(f);
+    if (cat) f.strideCategory = cat;
+  }
+  return findings;
+}