@clear-capabilities/agentic-security-scanner 0.74.1 → 0.76.1

package/CHANGELOG.md

@@ -1,5 +1,93 @@
 # Changelog
 
+## 0.76.0 — Command consolidation: 80 → 38 slash commands
+
+Simplified the command surface from 80 individual slash commands down to
+38 by merging related commands into consolidated routers with flags.
+No functionality removed — all logic preserved behind flags on fewer,
+more discoverable parent commands.
+
+### New consolidated commands
+
+| New command | Absorbed | Routing |
+|---|---|---|
+| `/audit` | db-audit, auth-audit, rate-limit-check, webhook-audit, env-check, csp-cors, deploy-check, launch-check, llm-cost-ceiling, prompt-firewall | `--target <area>` or `--all` |
+| `/threat` | threat-model, personas, playbook, bounty, adversary, attack-surface, trust-boundary, spof | `--view <name>` |
+| `/llm` | llm-redteam, jailbreak-detector, llm-eval | `--mode redteam\|jailbreak\|eval` |
+| `/ci` | ci-gate, predeploy-gate, install-hooks | default / `--predeploy` / `--hooks` |
+| `/generate` | privacy-docs, disaster-playbook, social-media, security-tests | `--type privacy\|disaster\|social\|tests` |
+| `/scanner` | self-test, diff-scan, scan-baseline, concurrency-bugs, spec-drift | `--self-test` / `--diff` / `--baseline` / `--concurrency` / `--spec-drift` |
+
+### Commands absorbed into existing commands
+
+- `/why-fired` → `/explain --provenance --finding <id>`
+- `/why-not` → `/explain --gap <CWE>`
+- `/install-script-audit` → `/supply-chain-check --show install-scripts`
+- `/vendor-audit` → `/supply-chain-check --show vendored`
+
+### Deleted deprecated aliases (11)
+
+ci-gate-multi, rotate-key-auto, trim-dead-code, trim-dependencies,
+story-explain, security-badge, security-onepager, trust-page,
+dep-pinning, dep-freshness, dep-alternatives.
+
+## 0.75.1 — /agent-harness-assessment + interactive compliance routing + README badge relocation
+
+Three follow-ups to the 0.75.0 surface:
+
+**Renamed `/executive-summary` → `/agent-harness-assessment`.** The
+previous name framed this as a finance-style report. The actual artifact
+is an assessment of the AI-agent harness: a CISO/buyer reading it wants
+to know whether to trust an AI agent working in this project, not just
+see a posture grade. The new name reflects the audience.
+
+**Interactive compliance step.** After printing the six-control
+assessment, the command now asks (via AskUserQuestion) which compliance
+frameworks the reader wants generated NOW — NIST AI 600-1, OWASP ASVS,
+OWASP LLM Top 10 (2025), or none. For each selection, the model invokes
+`/compliance-report <fw>` with the matching positional argument
+(`nist`, `asvs`, `llm`) so an auditor-ready file lands on disk. The
+Compliance section in the assessment now says what evidence COULD be
+produced; the interactive step closes the loop to evidence that EXISTS.
+
+**README "Status badge" section relocated** from the top-of-README hero
+region into the Security Pros section, between the 5-minute pro setup
+and the full pro catalog. Adopting the badge is a pro-shaped step
+(it requires CI wiring + a baseline scan). Three example badges now
+render on three distinct lines via trailing `<br>` so the severity
+ladder is legible at a glance.
+
+## 0.75.0 — /executive-summary: CISO-facing six-control posture report
+
+New top-level command for buyer-questionnaire / diligence / CISO use.
+`/executive-summary` prints a plain-English briefing of the six harness
+controls (Tool access, Guardrails, Feedback loops, Audit evidence,
+Failure mode, Compliance) with live status indicators drawn from the
+current project state — hook activation, scan-signature presence,
+audit-log entry count, remote-witness configuration, compliance artifacts.
+
+Each control renders four named subsections modeled on `/explain`:
+**What it does** (2-3 paragraphs of plain English), **Specifically**
+(the concrete enumerated list of allows/blocks/intercepts), **What would
+have to go wrong for this to fail** (threat model in one paragraph), and
+**Live status (this project)** (verifiable indicators). The "Specifically"
+block names actual reserved paths, every shell command intercepted, every
+code-edit pattern blocked, every audit-log property, every refusal point,
+and every compliance artifact format — so a reviewer can verify the claim
+without opening any source file.
+
+Flags: `--format md` for markdown output; `--output PATH` writes to disk
+(typically `EXECUTIVE_SUMMARY.md` for buyer questionnaires).
+
+## 0.74.2 — npm package + version alignment
+
+First release published to npm under the org that owns the scope:
+`@clear-capabilities/agentic-security-scanner`. Adds a bin alias
+`agentic-security-scanner` (→ same dist bundle) so the documented
+`npx @clear-capabilities/agentic-security-scanner secure .` resolves
+an executable. Aligns the source-tree version with the npm registry
+after the 0.74.1 metadata-only publish.
+
 ## 0.74.0 — viral surface: PoC video gen + security-tutor skill + personality voices + compare runner
 
 Four shareability lifts.

package/bin/.agentic-security/findings.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "e6825f8d-bb61-42eb-9f3c-3847b2e493fd",
-  "startedAt": "2026-05-20T21:28:34.505Z",
-  "durationMs": 297,
+  "scanId": "d01219ed-b5bf-4fde-bf3c-4f31c0ceaa41",
+  "startedAt": "2026-05-21T16:13:40.849Z",
+  "durationMs": 281,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -86,7 +86,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "toctou-fs:agentic-security-audit.js:55",
@@ -195,6 +197,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -418,6 +421,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -639,6 +643,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -860,6 +865,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1053,7 +1059,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
@@ -1134,7 +1142,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "e2445e40b5e43c01",
@@ -1215,7 +1225,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
@@ -1296,7 +1308,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
@@ -1377,7 +1391,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "49e1e00962a1950c",
@@ -1458,7 +1474,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -1573,5 +1591,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/bin/.agentic-security/last-scan.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "e6825f8d-bb61-42eb-9f3c-3847b2e493fd",
-  "startedAt": "2026-05-20T21:28:34.505Z",
-  "durationMs": 297,
+  "scanId": "d01219ed-b5bf-4fde-bf3c-4f31c0ceaa41",
+  "startedAt": "2026-05-21T16:13:40.849Z",
+  "durationMs": 281,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -86,7 +86,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "toctou-fs:agentic-security-audit.js:55",
@@ -195,6 +197,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -418,6 +421,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -639,6 +643,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -860,6 +865,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1053,7 +1059,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
@@ -1134,7 +1142,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "e2445e40b5e43c01",
@@ -1215,7 +1225,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
@@ -1296,7 +1308,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
@@ -1377,7 +1391,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "49e1e00962a1950c",
@@ -1458,7 +1474,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -1573,5 +1591,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/bin/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-dddfa3a4abc90266b882b4945a7aba57b8e97cc726aa60f4578cfaefcd23b95b
+ec16cd87a90fed8ff54e93a2bc69d4e8053d22cd80ffc701a4668d3c3e929f7d

package/bin/.agentic-security/scan-history.json

@@ -1,26 +1,4 @@
 [
-  {
-    "timestamp": "2026-05-19T15:44:43.087Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T16:01:41.762Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
   {
     "timestamp": "2026-05-19T18:33:22.830Z",
     "label": "scan",
@@ -461,5 +439,37 @@
       "toctou-fs:agentic-security-consistency.js:66",
       "toctou-fs:agentic-security.js:1105"
     ]
+  },
+  {
+    "timestamp": "2026-05-21T15:57:04.808Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1105"
+    ]
+  },
+  {
+    "timestamp": "2026-05-21T16:13:41.128Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1105"
+    ]
   }
 ]

package/bin/.agentic-security/streak.json

@@ -1,12 +1,12 @@
 {
   "firstScanDate": "2026-05-15T12:24:29.316Z",
-  "lastScanDate": "2026-05-20T21:28:34.823Z",
-  "totalScans": 121,
-  "daysCleanCritical": 3,
-  "lastCleanDate": "2026-05-20",
+  "lastScanDate": "2026-05-21T16:13:41.148Z",
+  "totalScans": 123,
+  "daysCleanCritical": 4,
+  "lastCleanDate": "2026-05-21",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 3,
+  "bestDaysCleanCritical": 4,
   "totalFindingsAtFirstScan": 0,
   "totalFindingsAtLastScan": 11,
   "totalFixesInferred": 1,

package/bin/agentic-security.js

@@ -137,7 +137,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.74.0';
+  const v = '0.75.1';
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -1665,7 +1665,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.74.0  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/838.index.js

@@ -0,0 +1,152 @@
+export const id = 838;
+export const ids = [838];
+export const modules = {
+
+/***/ 7838:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   runProjectLinter: () => (/* binding */ runProjectLinter),
+/* harmony export */   verifyFix: () => (/* binding */ verifyFix),
+/* harmony export */   verifyPatch: () => (/* binding */ verifyPatch)
+/* harmony export */ });
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+// Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
+//
+// Given a candidate patch (the new file content + the finding stableId being
+// fixed), verify it:
+//
+//   1. The original finding's stableId no longer fires on the patched file.
+//   2. No new findings at severity ≥ medium were introduced by the patch.
+//   3. The project's existing linter (when present) passes on the patched file.
+//
+// If any of those fail, the caller is expected to NOT apply the patch and
+// instead surface a "fix plan" — a numbered list of steps the engineer can
+// follow — rather than dump a broken patch on the user.
+
+
+
+
+
+
+const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+// Run a focused re-scan over just the patched file(s) using the in-memory
+// engine. No filesystem write needed — we hand the new content in via the
+// fileContents map.
+async function verifyPatch({
+  scanRoot,
+  originalFindingStableId,
+  files,   // { [relPath]: newContent }
+  depFileContents = {},
+} = {}) {
+  if (!files || typeof files !== 'object') return { ok: false, reason: 'no-files-provided' };
+  const fileContents = { ...files };
+  let scan;
+  try {
+    scan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents, depFileContents, scanRoot }, () => {});
+  } catch (e) {
+    return { ok: false, reason: 'rescan-failed', error: e.message };
+  }
+  const findings = (scan && scan.findings) || [];
+  const stillHasOriginal = !!originalFindingStableId &&
+    findings.some(f => f.stableId === originalFindingStableId);
+  if (stillHasOriginal) {
+    return { ok: false, reason: 'original-finding-still-present', stableId: originalFindingStableId };
+  }
+  const introducedHighOrAbove = findings.filter(f =>
+    (SEVERITY_RANK[f.severity] ?? 9) <= SEVERITY_RANK.medium);
+  // Don't count findings on lines outside the patched files — but our
+  // fileContents map IS the patched files, so every finding is in-scope.
+  return {
+    ok: introducedHighOrAbove.length === 0,
+    reason: introducedHighOrAbove.length === 0 ? 'verified' : 'introduced-new-findings',
+    introduced: introducedHighOrAbove.map(f => ({
+      vuln: f.vuln, file: f.file, line: f.line, severity: f.severity,
+      stableId: f.stableId,
+    })),
+  };
+}
+
+// Detect which linter the project uses and run it on the patched files.
+// Returns { ok, runner, output } or { ok: true, runner: 'none' } when no
+// linter is configured (silent pass).
+function runProjectLinter(scanRoot, filePaths) {
+  if (!scanRoot || !Array.isArray(filePaths) || filePaths.length === 0) {
+    return { ok: true, runner: 'none' };
+  }
+  const has = (p) => { try { return node_fs__WEBPACK_IMPORTED_MODULE_1__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, p)); } catch { return false; } };
+  // Pick the linter by config file present in the repo root.
+  const jsFiles = filePaths.filter(f => /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(f));
+  const pyFiles = filePaths.filter(f => /\.py$/i.test(f));
+  const goFiles = filePaths.filter(f => /\.go$/i.test(f));
+  const javaFiles = filePaths.filter(f => /\.java$/i.test(f));
+
+  if (jsFiles.length && (has('.eslintrc') || has('.eslintrc.json') || has('.eslintrc.js') || has('eslint.config.js') || has('eslint.config.mjs'))) {
+    return runLinter(scanRoot, 'eslint', ['--no-error-on-unmatched-pattern', ...jsFiles]);
+  }
+  if (pyFiles.length && (has('pyproject.toml') || has('ruff.toml') || has('.ruff.toml'))) {
+    return runLinter(scanRoot, 'ruff', ['check', ...pyFiles]);
+  }
+  if (pyFiles.length && has('.flake8')) {
+    return runLinter(scanRoot, 'flake8', pyFiles);
+  }
+  if (goFiles.length && (has('.golangci.yml') || has('.golangci.yaml'))) {
+    return runLinter(scanRoot, 'golangci-lint', ['run', ...goFiles]);
+  }
+  if (javaFiles.length && has('checkstyle.xml')) {
+    return runLinter(scanRoot, 'checkstyle', ['-c', 'checkstyle.xml', ...javaFiles]);
+  }
+  return { ok: true, runner: 'none' };
+}
+
+function runLinter(cwd, cmd, args) {
+  let r;
+  try {
+    r = (0,node_child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync)(cmd, args, { cwd, encoding: 'utf8', timeout: 60_000 });
+  } catch (e) {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing', error: e.message };
+  }
+  if (r.error && r.error.code === 'ENOENT') {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing' };
+  }
+  if (r.status === null) {
+    return { ok: false, runner: cmd, reason: 'timed-out', output: (r.stderr || r.stdout || '').slice(-2000) };
+  }
+  return {
+    ok: r.status === 0,
+    runner: cmd,
+    exitCode: r.status,
+    output: ((r.stderr || '') + (r.stdout || '')).slice(-2000),
+  };
+}
+
+// Top-level verify: re-scan + lint. Returns the combined verdict + a
+// human-readable summary string suitable for surfacing to the user.
+async function verifyFix({
+  scanRoot,
+  originalFindingStableId,
+  files,
+  depFileContents,
+} = {}) {
+  const rescan = await verifyPatch({ scanRoot, originalFindingStableId, files, depFileContents });
+  const lint = runProjectLinter(scanRoot, Object.keys(files || {}));
+  const ok = rescan.ok && (lint.ok || lint.skipped);
+  const summary = [
+    `re-scan: ${rescan.ok ? 'PASS' : 'FAIL — ' + rescan.reason}`,
+    `linter:  ${lint.runner === 'none' ? 'skipped (no linter config)'
+              : lint.skipped ? `${lint.runner} not installed`
+              : lint.ok ? `${lint.runner} PASS`
+              : `${lint.runner} FAIL (exit ${lint.exitCode})`}`,
+  ].join('\n');
+  return { ok, rescan, lint, summary };
+}
+
+
+/***/ })
+
+};