@clear-capabilities/agentic-security-scanner 0.74.0

package/src/posture/verifier-ephemeral.js

@@ -0,0 +1,118 @@
+// FR-VER-10 — Ephemeral verification target (Docker driver).
+//
+// Docker-based ephemeral sandbox for running generated PoCs against a fresh
+// copy of the customer's app. The customer supplies the image (or a
+// docker-compose.yml); we spin it up, run the PoC, tear down. Network is
+// disabled by default; mount is read-only.
+//
+// Public API:
+//   isAvailable() → boolean — `docker --version` succeeds
+//   startTarget({ image, env, port, scanRoot }) → { containerId, url, stop() }
+//   runPoCAgainst(transcript, target, pocCode) → { exitCode, stdout, stderr }
+//
+// Falls back gracefully to `infra-unavailable` when Docker is missing. This
+// module does NOT make cloud API calls; it only wraps the local Docker CLI.
+
+import { spawnSync, spawn } from 'node:child_process';
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+
+const STARTUP_TIMEOUT_MS = 30_000;
+const POC_TIMEOUT_MS = 15_000;
+
+export function isAvailable() {
+  try {
+    const r = spawnSync('docker', ['--version'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+    return r.status === 0;
+  } catch { return false; }
+}
+
+export function startTarget(opts = {}) {
+  if (!isAvailable()) {
+    return { available: false, reason: 'docker-not-installed' };
+  }
+  const image = opts.image || '';
+  if (!image) return { available: false, reason: 'no-image-supplied' };
+  const containerName = `as-target-${crypto.randomBytes(4).toString('hex')}`;
+  const port = opts.port || 3000;
+  const args = [
+    'run', '--rm', '--detach',
+    '--name', containerName,
+    '--network', opts.network === 'host' ? 'host' : 'bridge',
+    '--cap-drop=ALL',
+    '--memory=512m',
+    '--cpus=0.5',
+    '--read-only',
+    '--tmpfs', '/tmp:size=64m',
+    '--publish', `127.0.0.1:0:${port}`,
+  ];
+  for (const [k, v] of Object.entries(opts.env || {})) args.push('--env', `${k}=${v}`);
+  args.push(image);
+  if (opts.cmd) args.push(...(Array.isArray(opts.cmd) ? opts.cmd : [opts.cmd]));
+
+  const r = spawnSync('docker', args, { encoding: 'utf8', timeout: STARTUP_TIMEOUT_MS });
+  if (r.status !== 0) {
+    return { available: false, reason: `docker-run-failed:${(r.stderr || '').slice(0, 200)}` };
+  }
+  const containerId = (r.stdout || '').trim();
+
+  // Resolve the actually-assigned host port.
+  let url = null;
+  try {
+    const inspect = spawnSync('docker', [
+      'port', containerId, String(port),
+    ], { encoding: 'utf8' });
+    const hostPortLine = (inspect.stdout || '').split('\n').find(l => l.startsWith('127.0.0.1:'));
+    if (hostPortLine) url = 'http://' + hostPortLine.trim();
+  } catch {}
+
+  return {
+    available: true,
+    containerId,
+    url,
+    stop() {
+      try { spawnSync('docker', ['kill', containerId], { timeout: 10_000 }); } catch {}
+    },
+  };
+}
+
+// Run a PoC string in a one-shot Node container; return its exit code +
+// captured stdout/stderr. Network is host-bridged so the PoC can reach the
+// target URL the caller provides via TARGET_URL env.
+export function runPoCAgainst(target, pocCode, opts = {}) {
+  if (!isAvailable()) {
+    return { available: false, reason: 'docker-not-installed' };
+  }
+  if (!target || !target.url) return { available: false, reason: 'no-target' };
+  const tmp = path.join(os.tmpdir(), `as-poc-${crypto.randomBytes(4).toString('hex')}.mjs`);
+  try { fs.writeFileSync(tmp, pocCode, 'utf8'); }
+  catch (e) { return { available: false, reason: `tmp-write-failed:${e.message}` }; }
+  try {
+    const args = [
+      'run', '--rm',
+      '--network', 'bridge',
+      '--cap-drop=ALL',
+      '--memory=128m',
+      '--cpus=0.25',
+      '--read-only',
+      '--tmpfs', '/tmp:size=16m',
+      '--volume', `${tmp}:/poc.mjs:ro`,
+      '--env', `TARGET_URL=${target.url}`,
+      '--workdir', '/tmp',
+      opts.runtimeImage || 'node:20-alpine',
+      'node', '/poc.mjs',
+    ];
+    const r = spawnSync('docker', args, { encoding: 'utf8', timeout: POC_TIMEOUT_MS });
+    return {
+      available: true,
+      exitCode: r.status,
+      stdout: r.stdout || '',
+      stderr: r.stderr || '',
+      timedOut: r.signal === 'SIGTERM' || r.error?.code === 'ETIMEDOUT',
+    };
+  } finally {
+    try { fs.unlinkSync(tmp); } catch {}
+  }
+}

package/src/posture/verifier-target.js

@@ -0,0 +1,147 @@
+// Verifier target harness (FR-LIVE-HARNESS).
+//
+// Customer projects describe how to bring up the app they want the verifier
+// to execute PoCs against. The manifest lives at
+// `.agentic-security/verifier-target.yaml` and the verifier reads it before
+// running `--live` mode. v1 supports two manifest shapes:
+//
+//   shape: docker-compose
+//   compose: docker-compose.yml
+//   service: web
+//   port: 3000
+//   wait-for: http://localhost:3000/healthz
+//
+//   ─── or ───
+//
+//   shape: command
+//   start: npm run dev
+//   port: 3000
+//   wait-for: http://localhost:3000/healthz
+//   stop: pkill -f "npm run dev"
+//
+// We DO NOT execute the manifest in this module — that's the verifier
+// sandbox's job (and the customer's explicit opt-in via --live). This
+// module parses, validates, and surfaces a structured object the verifier
+// can act on (or refuse to act on).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const MANIFEST_PATH = path.join('.agentic-security', 'verifier-target.yaml');
+
+// Minimal YAML subset parser — keep parity with the polyglot bench parser,
+// scoped to the small set of keys this manifest uses. Standalone here to
+// avoid a runtime dep.
+function _parse(text) {
+  const out = {};
+  for (const raw of String(text || '').split(/\r?\n/)) {
+    const line = raw.replace(/#.*$/, '').trim();
+    if (!line) continue;
+    const m = line.match(/^([\w-]+)\s*:\s*(.*)$/);
+    if (!m) continue;
+    const [, key, val] = m;
+    out[key] = _coerce(val);
+  }
+  return out;
+}
+
+function _coerce(v) {
+  if (v === undefined || v === null) return null;
+  v = String(v).trim();
+  if (/^".*"$/.test(v)) return v.slice(1, -1);
+  if (/^'.*'$/.test(v)) return v.slice(1, -1);
+  if (/^-?\d+$/.test(v)) return parseInt(v, 10);
+  return v;
+}
+
+/**
+ * Read the verifier-target manifest from scanRoot. Returns:
+ *   { ok: true, target } — successfully parsed and validated
+ *   { ok: false, reason } — manifest missing or invalid
+ *
+ * Never throws.
+ */
+export function loadTargetManifest(scanRoot) {
+  const fp = path.join(scanRoot || process.cwd(), MANIFEST_PATH);
+  if (!fs.existsSync(fp)) return { ok: false, reason: 'no-manifest' };
+  let raw;
+  try { raw = fs.readFileSync(fp, 'utf8'); }
+  catch (e) { return { ok: false, reason: `read-error:${e.message}` }; }
+  const parsed = _parse(raw);
+  const shape = parsed.shape;
+  if (shape !== 'docker-compose' && shape !== 'command') {
+    return { ok: false, reason: `unknown-shape:${shape || 'missing'}` };
+  }
+  if (shape === 'docker-compose') {
+    if (!parsed.compose || !parsed.service) {
+      return { ok: false, reason: 'docker-compose-shape-needs-compose-and-service' };
+    }
+  }
+  if (shape === 'command') {
+    if (!parsed.start) {
+      return { ok: false, reason: 'command-shape-needs-start' };
+    }
+  }
+  const target = {
+    shape,
+    compose: parsed.compose || null,
+    service: parsed.service || null,
+    start:   parsed.start   || null,
+    stop:    parsed.stop    || null,
+    port:    parsed.port    || null,
+    waitFor: parsed['wait-for'] || parsed.waitFor || null,
+    url:     parsed.url || (parsed.port ? `http://localhost:${parsed.port}` : null),
+  };
+  return { ok: true, target };
+}
+
+/**
+ * Render a quick summary for human consumption (CLI output, logs).
+ */
+export function describeTarget(target) {
+  if (!target) return '(none)';
+  if (target.shape === 'docker-compose') {
+    return `docker-compose service ${target.service} from ${target.compose} on ${target.url || `:${target.port}`}`;
+  }
+  if (target.shape === 'command') {
+    return `command "${target.start}" on ${target.url || `:${target.port}`}`;
+  }
+  return `unknown-shape ${target.shape}`;
+}
+
+/**
+ * Pre-flight safety check: refuse to bring up a target whose start command
+ * looks dangerous. Curated allowlist of common shapes; everything else
+ * requires AGENTIC_SECURITY_VERIFY_TARGET_OK=1 to opt in explicitly.
+ */
+export function validateTarget(target) {
+  if (!target) return { ok: false, reason: 'no-target' };
+  if (target.shape === 'docker-compose') {
+    // docker-compose is safe-ish by design.
+    return { ok: true };
+  }
+  if (target.shape === 'command') {
+    const SAFE_HINTS = [
+      /^npm\s+(?:run\s+)?(?:dev|start|serve)/,
+      /^yarn\s+(?:dev|start|serve)/,
+      /^pnpm\s+(?:run\s+)?(?:dev|start|serve)/,
+      /^node\s+/,
+      /^python(?:\d?)\s+-m\s+/,
+      /^python(?:\d?)\s+\S+\.py/,
+      /^uvicorn\s+/,
+      /^gunicorn\s+/,
+      /^flask\s+run/,
+      /^go\s+run\s+/,
+      /^java\s+-jar\s+/,
+      /^cargo\s+run/,
+    ];
+    if (process.env.AGENTIC_SECURITY_VERIFY_TARGET_OK === '1') return { ok: true, escaped: true };
+    if (!SAFE_HINTS.some(re => re.test(target.start))) {
+      return { ok: false, reason: `start-command-not-in-safe-allowlist (set AGENTIC_SECURITY_VERIFY_TARGET_OK=1 to override)` };
+    }
+    return { ok: true };
+  }
+  return { ok: false, reason: `unknown-shape:${target.shape}` };
+}
+
+export const _internals = { MANIFEST_PATH };

package/src/posture/verifier.js

@@ -0,0 +1,257 @@
+// Verifier sandbox loop (FR-VER-3, FR-VER-6, FR-VER-7 — Phase-1 P1.2).
+//
+// Consumes the PoC artifacts produced by P1.1 (`f.poc`) and assigns a
+// per-finding `verifier_verdict` in:
+//
+//   verified-exploit       — PoC ran against a live target and exited 0
+//   verified-by-llm        — Layer-3 LLM accepted the finding (no PoC ran)
+//   verified-sanitizer-absence — pattern-based proof that no sanitizer is on the flow
+//   unverified-by-design   — CWE family for which v1 explicitly doesn't ship a PoC
+//   cannot-verify          — PoC failed to run / LLM returned escalate / sandbox error
+//
+// Honest scope for v1:
+//   * Default mode is "validate-only": parse the PoC, refuse to ship one that
+//     contains a destructive payload, but do NOT execute it. Findings get
+//     `verifier_verdict` set from the static signals.
+//   * Live execution mode (AGENTIC_SECURITY_VERIFY_LIVE=1) runs each PoC
+//     against a caller-provided target URL (AGENTIC_SECURITY_VERIFY_TARGET).
+//     Without a target, live mode falls back to validate-only with a
+//     `cannot-verify` verdict + reason 'no-target'.
+//   * Sandbox: Docker by default with restrictive flags; subprocess fallback
+//     with ulimit. The sandbox runner is exported so the CLI subcommand can
+//     reuse it.
+//
+// Fail-closed semantics (FR-VER-7): any error — Docker missing, target down,
+// PoC throws — produces `cannot-verify`, never `rejected`. An attacker who
+// can break the verifier can only make findings UNVERIFIED, never SILENCED.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { spawnSync } from 'node:child_process';
+import { isExplicitlyNoPoc } from './poc-cwe-map.js';
+
+// ─── PoC static validation ──────────────────────────────────────────────────
+//
+// Refuse to ship a PoC that:
+//   - is too long (template runaway)
+//   - mentions a banned pattern (destructive shell, fork bomb)
+//   - hardcodes a real cloud-metadata IP
+//   - doesn't end with a `process.exit(...)` so verdict assignment is reliable
+
+const MAX_POC_BYTES = 16_384;
+
+const BANNED_PATTERNS = [
+  /rm\s+-rf\s+\//,        // recursive destructive
+  /mkfs/,
+  /dd\s+if=\/dev\/(?:zero|random|urandom)/,
+  /:\(\)\s*\{\s*:\s*\|\s*:/,  // fork bomb
+  /shutdown\b/,
+  /reboot\b/,
+  /chmod\s+777\s+\//,
+];
+
+const BANNED_HOSTS = [
+  '169.254.169.254',
+  'metadata.google.internal',
+  'fd00:ec2::254',
+];
+
+export function validatePoc(poc) {
+  if (!poc || typeof poc !== 'object') return { ok: false, reason: 'no-poc' };
+  if (typeof poc.code !== 'string' || poc.code.length === 0) return { ok: false, reason: 'empty-code' };
+  if (poc.code.length > MAX_POC_BYTES) return { ok: false, reason: 'code-too-long' };
+  for (const re of BANNED_PATTERNS) {
+    if (re.test(poc.code)) return { ok: false, reason: `banned-pattern:${re.source.slice(0, 30)}` };
+  }
+  for (const h of BANNED_HOSTS) {
+    if (poc.code.includes(h)) return { ok: false, reason: `banned-host:${h}` };
+  }
+  if (!/process\.exit\s*\(/.test(poc.code) && poc.lang === 'node') {
+    return { ok: false, reason: 'no-deterministic-exit' };
+  }
+  return { ok: true };
+}
+
+// ─── Sanitizer-absence proof ────────────────────────────────────────────────
+//
+// For a flow-based finding with a clear source → sink path, we can prove a
+// SANITIZER IS ABSENT by checking that none of the family's known sanitizers
+// appears in the surrounding code window.
+
+const SANITIZER_TABLE = {
+  'sql-injection':           /\bprepare(?:Statement)?\s*\(|parameterized|\$\d+\b(?![=A-Za-z])|sequelize\.literal\b|\bescape\s*\(|(?:\bquery|\bexecute|\b\$queryRaw|\b\$executeRaw)\s*\([^)]*,\s*\[/i,
+  'command-injection':       /execFile\s*\(|spawn\s*\(\s*['"][^'"]+['"]\s*,\s*\[|shlex\.quote/i,
+  'xss':                     /escapeHtml|sanitize-html|DOMPurify|encodeURIComponent\(|textContent\s*=|res\.json\(/i,
+  'path-traversal':          /path\.resolve\s*\(|path\.basename\s*\(|\.startsWith\s*\(\s*\w+\s*\)/i,
+  'ssrf':                    /isPrivateIP|new\s+URL\s*\(|allowlist|allowedHosts|trustedHosts/i,
+  'code-injection':          /(?!eval).*?\beval\s*\(.*JSON/i,    // very weak; intentionally narrow
+  'open-redirect':           /allowed(?:Redirects|Urls|Hosts)|\.includes\s*\(\s*\w+\s*\)\s*\?/i,
+  'xxe':                     /\bnoent\s*[:=]\s*false|resolve_entities\s*=\s*False|XMLInputFactory.*IS_SUPPORTING_EXTERNAL_ENTITIES.*false/i,
+  'insecure-deserialization':/JSON\.parse|yaml\.safe_load|safe_load_all/i,
+};
+
+function _windowAroundLine(file, line, fileContents) {
+  if (!file || !line || !fileContents || !fileContents[file]) return '';
+  const lines = fileContents[file].split('\n');
+  const start = Math.max(0, line - 11);
+  const end = Math.min(lines.length, line + 10);
+  return lines.slice(start, end).join('\n');
+}
+
+export function proveSanitizerAbsence(finding, fileContents) {
+  const fam = finding.family;
+  if (!fam) return { ok: false, reason: 'no-family' };
+  const rx = SANITIZER_TABLE[fam];
+  if (!rx) return { ok: false, reason: 'no-rule' };
+  const file = finding.file || finding.sink?.file;
+  const line = finding.line || finding.sink?.line || 0;
+  const window = _windowAroundLine(file, line, fileContents);
+  if (!window) return { ok: false, reason: 'no-source-window' };
+  if (rx.test(window)) return { ok: false, reason: 'sanitizer-present' };
+  return { ok: true, reason: `no-sanitizer-in-window`, window: window.length };
+}
+
+// ─── Sandbox execution ──────────────────────────────────────────────────────
+//
+// Runs the PoC and returns { ok, exitCode, stderr, runner }.
+// Caller decides what to do with the result. Internal — surfaced via
+// `_internals.runSandboxed` for tests; the public contract is
+// `annotateVerifierVerdicts`.
+
+function runSandboxed(poc, opts = {}) {
+  const target = opts.target;
+  if (!target) return { ok: false, reason: 'no-target' };
+  // Materialise the PoC to a temp file.
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'as-poc-'));
+  const file = path.join(dir, poc.lang === 'python' ? 'poc.py' : 'poc.mjs');
+  try {
+    fs.writeFileSync(file, _patchTarget(poc.code, target));
+  } catch (e) {
+    return { ok: false, reason: `write-failed:${e.message}` };
+  }
+  const docker = _haveDocker() ? _runDocker(file, dir, poc.lang, opts) : null;
+  const result = docker || _runSubprocess(file, poc.lang, opts);
+  try { fs.rmSync(dir, { recursive: true, force: true }); } catch {}
+  return result;
+}
+
+function _patchTarget(code, target) {
+  // Replace the localhost:3000 placeholder with the caller-provided target.
+  return code.replace(/http:\/\/localhost:3000/g, target);
+}
+
+function _haveDocker() {
+  try {
+    const r = spawnSync('docker', ['version'], { stdio: 'ignore', timeout: 3000 });
+    return r.status === 0;
+  } catch { return false; }
+}
+
+function _runDocker(file, dir, lang, opts) {
+  const image = lang === 'python' ? 'python:3.12-slim' : 'node:22-slim';
+  const cmd = lang === 'python' ? ['python3', '/work/poc.py'] : ['node', '/work/poc.mjs'];
+  const args = [
+    'run', '--rm',
+    '--network=host',          // PoC must reach the target; host is the smallest blast radius
+    '--cap-drop=ALL',
+    '--memory=256m',
+    '--cpu-quota=20000',
+    '--pids-limit=64',
+    '--read-only',
+    '--tmpfs=/tmp',
+    '--user', 'nobody',
+    '-v', `${dir}:/work:ro`,
+    image,
+    ...cmd,
+  ];
+  const r = spawnSync('docker', args, {
+    timeout: opts.timeoutMs || 15000,
+    encoding: 'utf8',
+  });
+  if (r.error) return { ok: false, reason: `docker-error:${r.error.code || r.error.message}`, runner: 'docker' };
+  return { ok: true, exitCode: r.status, stderr: r.stderr || '', stdout: r.stdout || '', runner: 'docker' };
+}
+
+function _runSubprocess(file, lang, opts) {
+  const bin = lang === 'python' ? 'python3' : 'node';
+  const r = spawnSync(bin, [file], {
+    timeout: opts.timeoutMs || 15000,
+    encoding: 'utf8',
+    // Best-effort containment without Docker. Operators are warned in stderr
+    // that the subprocess fallback offers materially weaker isolation.
+    env: { PATH: process.env.PATH || '', NODE_OPTIONS: '' },
+  });
+  if (r.error) return { ok: false, reason: `subprocess-error:${r.error.code || r.error.message}`, runner: 'subprocess' };
+  return { ok: true, exitCode: r.status, stderr: r.stderr || '', stdout: r.stdout || '', runner: 'subprocess' };
+}
+
+// ─── Per-finding verdict assignment ─────────────────────────────────────────
+
+export function verdictForFinding(finding, ctx = {}) {
+  // 1. Families we explicitly do not ship a PoC for.
+  if (isExplicitlyNoPoc(finding.family)) {
+    return { verdict: 'unverified-by-design', reason: `family-no-poc:${finding.family}` };
+  }
+  // 2. Validator already passed it via the LLM.
+  if (finding.validator_verdict === 'accept') {
+    return { verdict: 'verified-by-llm', reason: 'llm-accept' };
+  }
+  // 3. PoC present and live mode is on — run it.
+  const liveMode = process.env.AGENTIC_SECURITY_VERIFY_LIVE === '1';
+  const target = ctx.target || process.env.AGENTIC_SECURITY_VERIFY_TARGET || null;
+  if (finding.poc && liveMode && target) {
+    const v = validatePoc(finding.poc);
+    if (!v.ok) return { verdict: 'cannot-verify', reason: `poc-rejected:${v.reason}` };
+    const r = runSandboxed(finding.poc, { target, timeoutMs: ctx.timeoutMs });
+    if (!r.ok) return { verdict: 'cannot-verify', reason: r.reason || 'sandbox-error', runner: r.runner };
+    if (r.exitCode === 0) return { verdict: 'verified-exploit', reason: 'poc-exit-0', runner: r.runner };
+    return { verdict: 'cannot-verify', reason: `poc-exit:${r.exitCode}`, runner: r.runner, stderr: (r.stderr || '').slice(0, 240) };
+  }
+  // 4. PoC present but we're not running it — static validate only.
+  if (finding.poc) {
+    const v = validatePoc(finding.poc);
+    if (!v.ok) return { verdict: 'cannot-verify', reason: `poc-validation-failed:${v.reason}` };
+    // Static validation says the PoC is shippable; absent live execution we
+    // can't claim verified-exploit. Try the sanitizer-absence proof next.
+  }
+  // 5. Sanitizer-absence proof.
+  if (ctx.fileContents) {
+    const sa = proveSanitizerAbsence(finding, ctx.fileContents);
+    if (sa.ok) return { verdict: 'verified-sanitizer-absence', reason: sa.reason };
+  }
+  return { verdict: 'cannot-verify', reason: 'no-poc-no-sanitizer-rule' };
+}
+
+// ─── Batch annotation ───────────────────────────────────────────────────────
+
+export function annotateVerifierVerdicts(findings, opts = {}) {
+  if (!Array.isArray(findings)) return;
+  for (const f of findings) {
+    if (!f || typeof f !== 'object') continue;
+    try {
+      const v = verdictForFinding(f, opts);
+      f.verifier_verdict = v.verdict;
+      f.verifier_reason = v.reason || null;
+      if (v.runner) f.verifier_runner = v.runner;
+    } catch (e) {
+      // Defense in depth: any exception → cannot-verify, never throws upward.
+      f.verifier_verdict = 'cannot-verify';
+      f.verifier_reason = `verifier-exception:${e.message?.slice(0, 80)}`;
+    }
+  }
+}
+
+// ─── Summary helpers ────────────────────────────────────────────────────────
+
+export function verifierCoverageSummary(findings) {
+  const out = { 'verified-exploit': 0, 'verified-by-llm': 0, 'verified-sanitizer-absence': 0, 'unverified-by-design': 0, 'cannot-verify': 0 };
+  for (const f of findings || []) {
+    const v = f?.verifier_verdict;
+    if (v && v in out) out[v]++;
+  }
+  return out;
+}
+
+// For tests and the no-dead-modules check.
+export const _internals = { MAX_POC_BYTES, BANNED_HOSTS, SANITIZER_TABLE, runSandboxed };

package/src/posture/version.js

@@ -0,0 +1,75 @@
+// Shared version source — read from scanner/package.json at module load.
+//
+// Premortems 3R1.3 / 3R2.1: previously CURRENT_RULESET_VERSION and
+// SARIF tool.driver.version were independently hardcoded constants that
+// diverged from the actual scanner version on every release. This module
+// reads the truth from package.json so the version is single-sourced.
+//
+// The bundled scanner is built via ncc into dist/agentic-security.mjs; ncc
+// inlines the package.json import at build time, so this module returns the
+// frozen version that was bundled with the build.
+
+import { createRequire } from 'node:module';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// Premortem 4R-7: silently falling back to 'unknown' meant downstream
+// consumers (CI gate, telemetry, ruleset-version stamp) couldn't tell whether
+// they were looking at a real version or a packaging failure. We now read
+// the version eagerly and surface a clear stderr error when package.json
+// isn't readable, instead of poisoning every report with 'unknown'. Tests can
+// opt out of the eager assertion with AGENTIC_SECURITY_VERSION_UNCHECKED=1.
+//
+// Bundled mode (P1.3 follow-up): under ncc, `import.meta.url` resolves to
+// `dist/agentic-security.mjs`, so `../../package.json` (relative to src/posture/)
+// no longer maps to scanner/package.json. We probe a small set of likely
+// paths so the bundle and the source tree both work.
+function _readVersion() {
+  const candidates = [];
+  // 1. require('../../package.json') works in the source tree.
+  candidates.push(() => {
+    const require = createRequire(import.meta.url);
+    return require('../../package.json');
+  });
+  // 2. Walk upward from the current file looking for any package.json that
+  //    carries `@clear-capabilities/agentic-security-scanner`. Survives ncc.
+  candidates.push(() => {
+    let dir;
+    try { dir = path.dirname(fileURLToPath(import.meta.url)); }
+    catch { return null; }
+    for (let i = 0; i < 6; i++) {
+      const fp = path.join(dir, 'package.json');
+      if (fs.existsSync(fp)) {
+        const pkg = JSON.parse(fs.readFileSync(fp, 'utf8'));
+        if (pkg && pkg.name && pkg.name.endsWith('agentic-security-scanner')) return pkg;
+      }
+      const parent = path.dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+    return null;
+  });
+  for (const fn of candidates) {
+    try {
+      const pkg = fn();
+      if (pkg && typeof pkg.version === 'string' && pkg.version) return pkg.version;
+    } catch { /* try next */ }
+  }
+  throw new Error('scanner/package.json not found in any expected location');
+}
+
+let _version;
+try {
+  _version = _readVersion();
+} catch (e) {
+  _version = 'unknown';
+  if (process.env.AGENTIC_SECURITY_VERSION_UNCHECKED !== '1') {
+    process.stderr.write(
+      `agentic-security: WARNING — could not resolve scanner version (${e.message}). ` +
+      `Reports will carry version='unknown'. Set AGENTIC_SECURITY_VERSION_UNCHECKED=1 to silence.\n`
+    );
+  }
+}
+
+export const SCANNER_VERSION = _version;