@clear-capabilities/agentic-security-scanner 0.75.0 → 0.76.1

package/CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 0.76.0 — Command consolidation: 80 → 38 slash commands
+
+Simplified the command surface from 80 individual slash commands down to
+38 by merging related commands into consolidated routers with flags.
+No functionality removed — all logic preserved behind flags on fewer,
+more discoverable parent commands.
+
+### New consolidated commands
+
+| New command | Absorbed | Routing |
+|---|---|---|
+| `/audit` | db-audit, auth-audit, rate-limit-check, webhook-audit, env-check, csp-cors, deploy-check, launch-check, llm-cost-ceiling, prompt-firewall | `--target <area>` or `--all` |
+| `/threat` | threat-model, personas, playbook, bounty, adversary, attack-surface, trust-boundary, spof | `--view <name>` |
+| `/llm` | llm-redteam, jailbreak-detector, llm-eval | `--mode redteam\|jailbreak\|eval` |
+| `/ci` | ci-gate, predeploy-gate, install-hooks | default / `--predeploy` / `--hooks` |
+| `/generate` | privacy-docs, disaster-playbook, social-media, security-tests | `--type privacy\|disaster\|social\|tests` |
+| `/scanner` | self-test, diff-scan, scan-baseline, concurrency-bugs, spec-drift | `--self-test` / `--diff` / `--baseline` / `--concurrency` / `--spec-drift` |
+
+### Commands absorbed into existing commands
+
+- `/why-fired` → `/explain --provenance --finding <id>`
+- `/why-not` → `/explain --gap <CWE>`
+- `/install-script-audit` → `/supply-chain-check --show install-scripts`
+- `/vendor-audit` → `/supply-chain-check --show vendored`
+
+### Deleted deprecated aliases (11)
+
+ci-gate-multi, rotate-key-auto, trim-dead-code, trim-dependencies,
+story-explain, security-badge, security-onepager, trust-page,
+dep-pinning, dep-freshness, dep-alternatives.
+
+## 0.75.1 — /agent-harness-assessment + interactive compliance routing + README badge relocation
+
+Three follow-ups to the 0.75.0 surface:
+
+**Renamed `/executive-summary` → `/agent-harness-assessment`.** The
+previous name framed this as a finance-style report. The actual artifact
+is an assessment of the AI-agent harness: a CISO/buyer reading it wants
+to know whether to trust an AI agent working in this project, not just
+see a posture grade. The new name reflects the audience.
+
+**Interactive compliance step.** After printing the six-control
+assessment, the command now asks (via AskUserQuestion) which compliance
+frameworks the reader wants generated NOW — NIST AI 600-1, OWASP ASVS,
+OWASP LLM Top 10 (2025), or none. For each selection, the model invokes
+`/compliance-report <fw>` with the matching positional argument
+(`nist`, `asvs`, `llm`) so an auditor-ready file lands on disk. The
+Compliance section in the assessment now says what evidence COULD be
+produced; the interactive step closes the loop to evidence that EXISTS.
+
+**README "Status badge" section relocated** from the top-of-README hero
+region into the Security Pros section, between the 5-minute pro setup
+and the full pro catalog. Adopting the badge is a pro-shaped step
+(it requires CI wiring + a baseline scan). Three example badges now
+render on three distinct lines via trailing `<br>` so the severity
+ladder is legible at a glance.
+
 ## 0.75.0 — /executive-summary: CISO-facing six-control posture report
 
 New top-level command for buyer-questionnaire / diligence / CISO use.

package/bin/.agentic-security/findings.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "8f54c078-a0c8-41d7-8100-62ec5a527f14",
-  "startedAt": "2026-05-21T15:57:04.526Z",
-  "durationMs": 282,
+  "scanId": "d01219ed-b5bf-4fde-bf3c-4f31c0ceaa41",
+  "startedAt": "2026-05-21T16:13:40.849Z",
+  "durationMs": 281,
   "scanned": {
     "files": 7,
     "lines": 0

package/bin/.agentic-security/last-scan.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "8f54c078-a0c8-41d7-8100-62ec5a527f14",
-  "startedAt": "2026-05-21T15:57:04.526Z",
-  "durationMs": 282,
+  "scanId": "d01219ed-b5bf-4fde-bf3c-4f31c0ceaa41",
+  "startedAt": "2026-05-21T16:13:40.849Z",
+  "durationMs": 281,
   "scanned": {
     "files": 7,
     "lines": 0

package/bin/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-db7c9e1d0d4480b37a981b7b3c87f70306042f6e8838cb6ea2bfafdd12ab20d2
+ec16cd87a90fed8ff54e93a2bc69d4e8053d22cd80ffc701a4668d3c3e929f7d

package/bin/.agentic-security/scan-history.json

@@ -1,15 +1,4 @@
 [
-  {
-    "timestamp": "2026-05-19T16:01:41.762Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
   {
     "timestamp": "2026-05-19T18:33:22.830Z",
     "label": "scan",
@@ -466,5 +455,21 @@
       "toctou-fs:agentic-security-consistency.js:66",
       "toctou-fs:agentic-security.js:1105"
     ]
+  },
+  {
+    "timestamp": "2026-05-21T16:13:41.128Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1105"
+    ]
   }
 ]

package/bin/.agentic-security/streak.json

@@ -1,7 +1,7 @@
 {
   "firstScanDate": "2026-05-15T12:24:29.316Z",
-  "lastScanDate": "2026-05-21T15:57:04.828Z",
-  "totalScans": 122,
+  "lastScanDate": "2026-05-21T16:13:41.148Z",
+  "totalScans": 123,
   "daysCleanCritical": 4,
   "lastCleanDate": "2026-05-21",
   "lastCriticalDate": null,

package/bin/agentic-security.js

@@ -137,7 +137,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.75.0';
+  const v = '0.75.1';
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -1665,7 +1665,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.75.0  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/838.index.js

@@ -0,0 +1,152 @@
+export const id = 838;
+export const ids = [838];
+export const modules = {
+
+/***/ 7838:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   runProjectLinter: () => (/* binding */ runProjectLinter),
+/* harmony export */   verifyFix: () => (/* binding */ verifyFix),
+/* harmony export */   verifyPatch: () => (/* binding */ verifyPatch)
+/* harmony export */ });
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+// Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
+//
+// Given a candidate patch (the new file content + the finding stableId being
+// fixed), verify it:
+//
+//   1. The original finding's stableId no longer fires on the patched file.
+//   2. No new findings at severity ≥ medium were introduced by the patch.
+//   3. The project's existing linter (when present) passes on the patched file.
+//
+// If any of those fail, the caller is expected to NOT apply the patch and
+// instead surface a "fix plan" — a numbered list of steps the engineer can
+// follow — rather than dump a broken patch on the user.
+
+
+
+
+
+
+const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+// Run a focused re-scan over just the patched file(s) using the in-memory
+// engine. No filesystem write needed — we hand the new content in via the
+// fileContents map.
+async function verifyPatch({
+  scanRoot,
+  originalFindingStableId,
+  files,   // { [relPath]: newContent }
+  depFileContents = {},
+} = {}) {
+  if (!files || typeof files !== 'object') return { ok: false, reason: 'no-files-provided' };
+  const fileContents = { ...files };
+  let scan;
+  try {
+    scan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents, depFileContents, scanRoot }, () => {});
+  } catch (e) {
+    return { ok: false, reason: 'rescan-failed', error: e.message };
+  }
+  const findings = (scan && scan.findings) || [];
+  const stillHasOriginal = !!originalFindingStableId &&
+    findings.some(f => f.stableId === originalFindingStableId);
+  if (stillHasOriginal) {
+    return { ok: false, reason: 'original-finding-still-present', stableId: originalFindingStableId };
+  }
+  const introducedHighOrAbove = findings.filter(f =>
+    (SEVERITY_RANK[f.severity] ?? 9) <= SEVERITY_RANK.medium);
+  // Don't count findings on lines outside the patched files — but our
+  // fileContents map IS the patched files, so every finding is in-scope.
+  return {
+    ok: introducedHighOrAbove.length === 0,
+    reason: introducedHighOrAbove.length === 0 ? 'verified' : 'introduced-new-findings',
+    introduced: introducedHighOrAbove.map(f => ({
+      vuln: f.vuln, file: f.file, line: f.line, severity: f.severity,
+      stableId: f.stableId,
+    })),
+  };
+}
+
+// Detect which linter the project uses and run it on the patched files.
+// Returns { ok, runner, output } or { ok: true, runner: 'none' } when no
+// linter is configured (silent pass).
+function runProjectLinter(scanRoot, filePaths) {
+  if (!scanRoot || !Array.isArray(filePaths) || filePaths.length === 0) {
+    return { ok: true, runner: 'none' };
+  }
+  const has = (p) => { try { return node_fs__WEBPACK_IMPORTED_MODULE_1__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, p)); } catch { return false; } };
+  // Pick the linter by config file present in the repo root.
+  const jsFiles = filePaths.filter(f => /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(f));
+  const pyFiles = filePaths.filter(f => /\.py$/i.test(f));
+  const goFiles = filePaths.filter(f => /\.go$/i.test(f));
+  const javaFiles = filePaths.filter(f => /\.java$/i.test(f));
+
+  if (jsFiles.length && (has('.eslintrc') || has('.eslintrc.json') || has('.eslintrc.js') || has('eslint.config.js') || has('eslint.config.mjs'))) {
+    return runLinter(scanRoot, 'eslint', ['--no-error-on-unmatched-pattern', ...jsFiles]);
+  }
+  if (pyFiles.length && (has('pyproject.toml') || has('ruff.toml') || has('.ruff.toml'))) {
+    return runLinter(scanRoot, 'ruff', ['check', ...pyFiles]);
+  }
+  if (pyFiles.length && has('.flake8')) {
+    return runLinter(scanRoot, 'flake8', pyFiles);
+  }
+  if (goFiles.length && (has('.golangci.yml') || has('.golangci.yaml'))) {
+    return runLinter(scanRoot, 'golangci-lint', ['run', ...goFiles]);
+  }
+  if (javaFiles.length && has('checkstyle.xml')) {
+    return runLinter(scanRoot, 'checkstyle', ['-c', 'checkstyle.xml', ...javaFiles]);
+  }
+  return { ok: true, runner: 'none' };
+}
+
+function runLinter(cwd, cmd, args) {
+  let r;
+  try {
+    r = (0,node_child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync)(cmd, args, { cwd, encoding: 'utf8', timeout: 60_000 });
+  } catch (e) {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing', error: e.message };
+  }
+  if (r.error && r.error.code === 'ENOENT') {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing' };
+  }
+  if (r.status === null) {
+    return { ok: false, runner: cmd, reason: 'timed-out', output: (r.stderr || r.stdout || '').slice(-2000) };
+  }
+  return {
+    ok: r.status === 0,
+    runner: cmd,
+    exitCode: r.status,
+    output: ((r.stderr || '') + (r.stdout || '')).slice(-2000),
+  };
+}
+
+// Top-level verify: re-scan + lint. Returns the combined verdict + a
+// human-readable summary string suitable for surfacing to the user.
+async function verifyFix({
+  scanRoot,
+  originalFindingStableId,
+  files,
+  depFileContents,
+} = {}) {
+  const rescan = await verifyPatch({ scanRoot, originalFindingStableId, files, depFileContents });
+  const lint = runProjectLinter(scanRoot, Object.keys(files || {}));
+  const ok = rescan.ok && (lint.ok || lint.skipped);
+  const summary = [
+    `re-scan: ${rescan.ok ? 'PASS' : 'FAIL — ' + rescan.reason}`,
+    `linter:  ${lint.runner === 'none' ? 'skipped (no linter config)'
+              : lint.skipped ? `${lint.runner} not installed`
+              : lint.ok ? `${lint.runner} PASS`
+              : `${lint.runner} FAIL (exit ${lint.exitCode})`}`,
+  ].join('\n');
+  return { ok, rescan, lint, summary };
+}
+
+
+/***/ })
+
+};