@clear-capabilities/agentic-security-scanner 0.75.0 → 0.76.1

package/src/mcp/.agentic-security/findings.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "fd9545b1-258a-4aee-a6a9-512c9f1c1397",
-  "startedAt": "2026-05-19T23:06:34.927Z",
-  "durationMs": 206,
+  "scanId": "b7dc55f1-c531-4200-b6b4-c55b94d2af74",
+  "startedAt": "2026-05-24T15:10:46.292Z",
+  "durationMs": 200,
   "scanned": {
     "files": 6,
     "lines": 0
@@ -86,7 +86,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `audit.js:87` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "3fe487064529945e",
@@ -167,7 +169,9 @@
         "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
         "confidence": "low",
         "narrative": "Sensitive Directory Path Construction on `audit.js:107` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
@@ -278,6 +282,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -506,6 +511,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -734,6 +740,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -962,6 +969,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1190,6 +1198,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1418,6 +1427,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1646,6 +1656,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1874,6 +1885,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -1994,7 +2006,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:146:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -2002,7 +2014,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 146,
+      "line": 159,
       "snippet": "if (!fs.existsSync(base)) return 0;",
       "fix": null,
       "reachable": false,
@@ -2085,7 +2097,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:146` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:159` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "1e9acea1c604735d",
       "confidenceTier": "very-low",
@@ -2102,6 +2114,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2222,7 +2235,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:150:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -2230,7 +2243,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 150,
+      "line": 163,
       "snippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
       "fix": null,
       "reachable": false,
@@ -2313,7 +2326,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:150` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:163` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "2fa201373bb88289",
       "confidenceTier": "very-low",
@@ -2330,6 +2343,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2450,7 +2464,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -2458,7 +2472,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 154,
+      "line": 167,
       "snippet": "if (e.isFile()) { total += fs.statSync(fp).size; }",
       "fix": null,
       "reachable": false,
@@ -2541,7 +2555,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:154` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:167` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "547b2fb09d6b2ee6",
       "confidenceTier": "very-low",
@@ -2558,6 +2572,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2678,7 +2693,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:183:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -2686,7 +2701,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 183,
+      "line": 196,
       "snippet": "if (fs.existsSync(abs)) {",
       "fix": null,
       "reachable": false,
@@ -2769,7 +2784,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:183` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:196` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "85516745fc5cd07d",
       "confidenceTier": "very-low",
@@ -2786,6 +2801,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -2906,7 +2922,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:198:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -2914,7 +2930,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 198,
+      "line": 211,
       "snippet": "while (parent !== path.dirname(parent) && !fs.existsSync(parent)) {",
       "fix": null,
       "reachable": false,
@@ -2997,7 +3013,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:198` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:211` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "7a9376b6ae56e112",
       "confidenceTier": "very-low",
@@ -3014,6 +3030,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -3134,7 +3151,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:213:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -3142,7 +3159,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 213,
+      "line": 226,
       "snippet": "if (!fs.existsSync(scanFile)) return { scan: null, status: 'missing' };",
       "fix": null,
       "reachable": false,
@@ -3225,7 +3242,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:213` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:226` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "b825ad3b2f959d4e",
       "confidenceTier": "very-low",
@@ -3242,6 +3259,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -3362,7 +3380,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:214:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -3370,7 +3388,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 214,
+      "line": 227,
       "snippet": "const body = fs.readFileSync(scanFile, 'utf8');",
       "fix": null,
       "reachable": false,
@@ -3453,7 +3471,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:214` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:227` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "eeec8daac4285882",
       "confidenceTier": "very-low",
@@ -3470,6 +3488,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -3590,7 +3609,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:266:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:279:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -3598,7 +3617,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 266,
+      "line": 279,
       "snippet": "fs.writeFileSync(abs, json);",
       "fix": null,
       "reachable": false,
@@ -3681,7 +3700,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:266` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:279` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "ed24011ab73ede75",
       "confidenceTier": "very-low",
@@ -3698,6 +3717,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -3818,7 +3838,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:305:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:318:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -3826,7 +3846,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 305,
+      "line": 318,
       "snippet": "try { stat = fs.statSync(a); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -3909,7 +3929,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:305` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:318` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "dbe6f0f46abb1dd2",
       "confidenceTier": "very-low",
@@ -3926,6 +3946,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -4046,7 +4067,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:313:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:326:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -4054,7 +4075,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 313,
+      "line": 326,
       "snippet": "try { content = fs.readFileSync(a, 'utf8'); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -4137,7 +4158,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:313` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:326` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "d42403835d68b343",
       "confidenceTier": "very-low",
@@ -4154,6 +4175,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -4274,7 +4296,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:506:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:520:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -4282,7 +4304,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 506,
+      "line": 520,
       "snippet": "if (!fs.existsSync(absFile)) {",
       "fix": null,
       "reachable": false,
@@ -4365,7 +4387,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:506` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:520` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "a515ef632995d759",
       "confidenceTier": "very-low",
@@ -4382,6 +4404,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -4502,7 +4525,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:641:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:656:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -4510,7 +4533,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 641,
+      "line": 656,
       "snippet": "orig = fs.readFileSync(abs, 'utf8');",
       "fix": null,
       "reachable": false,
@@ -4593,7 +4616,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:641` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:656` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "57f4b1b832698131",
       "confidenceTier": "very-low",
@@ -4610,6 +4633,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -4730,7 +4754,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:716:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:731:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -4738,7 +4762,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 716,
+      "line": 731,
       "snippet": "if (!fs.existsSync(root)) continue;",
       "fix": null,
       "reachable": false,
@@ -4821,7 +4845,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:716` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:731` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "c9859099f48df29b",
       "confidenceTier": "very-low",
@@ -4838,6 +4862,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -4958,7 +4983,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:718:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:733:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -4966,7 +4991,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 718,
+      "line": 733,
       "snippet": "try { entries = fs.readdirSync(root); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -5049,7 +5074,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:718` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:733` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "89f91d08de0eb710",
       "confidenceTier": "very-low",
@@ -5066,6 +5091,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -5186,7 +5212,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:723:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:738:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -5194,7 +5220,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 723,
+      "line": 738,
       "snippet": "try { stat = fs.statSync(abs); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -5277,7 +5303,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:723` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:738` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "2d09043bbc86acb2",
       "confidenceTier": "very-low",
@@ -5294,6 +5320,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -5414,7 +5441,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:726:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:741:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -5422,7 +5449,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 726,
+      "line": 741,
       "snippet": "try { body = fs.readFileSync(abs, 'utf8'); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -5505,7 +5532,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:726` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:741` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "d35ae1ba160a099f",
       "confidenceTier": "very-low",
@@ -5522,6 +5549,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -5642,7 +5670,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:805:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:820:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -5650,7 +5678,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 805,
+      "line": 820,
       "snippet": "try { if (fs.existsSync(abs)) existing = fs.statSync(abs).size; } catch {}",
       "fix": null,
       "reachable": false,
@@ -5733,7 +5761,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:805` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:820` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "0f41b32c2a7726e9",
       "confidenceTier": "very-low",
@@ -5750,6 +5778,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -5870,7 +5899,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:814:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:829:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -5878,7 +5907,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 814,
+      "line": 829,
       "snippet": "fs.appendFileSync(abs, content);",
       "fix": null,
       "reachable": false,
@@ -5961,7 +5990,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:814` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:829` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "43b3be77acefb914",
       "confidenceTier": "very-low",
@@ -5978,6 +6007,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -6098,7 +6128,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:843:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:858:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -6106,7 +6136,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 843,
+      "line": 858,
       "snippet": "if (!fs.existsSync(abs)) return { _meta: META, ok: false, reason: 'not-found' };",
       "fix": null,
       "reachable": false,
@@ -6189,7 +6219,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:843` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:858` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "2c0b773208455585",
       "confidenceTier": "very-low",
@@ -6206,6 +6236,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -6326,7 +6357,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "struct:tools.js:845:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "id": "struct:tools.js:860:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
       "severity": "medium",
       "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
@@ -6334,7 +6365,7 @@
       "owaspLlm": null,
       "stride": "Denial of Service",
       "file": "tools.js",
-      "line": 845,
+      "line": 860,
       "snippet": "try { stat = fs.statSync(abs); } catch (e) { return { _meta: META, ok: false, reason: `stat-failed: ${e.message}` }; }",
       "fix": null,
       "reachable": false,
@@ -6417,7 +6448,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
         "confidence": "low",
-        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:845` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `tools.js:860` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
       },
       "stableId": "fcad03311769791b",
       "confidenceTier": "very-low",
@@ -6434,6 +6465,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -6660,6 +6692,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -6881,6 +6914,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -6996,7 +7030,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:tools.js:183",
+      "id": "toctou-fs:tools.js:196",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -7004,7 +7038,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "tools.js",
-      "line": 183,
+      "line": 196,
       "snippet": "if (fs.existsSync(abs)) {",
       "fix": null,
       "reachable": false,
@@ -7085,7 +7119,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:183` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:196` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "6001d4045ab6d2ac",
       "confidenceTier": "medium",
@@ -7102,6 +7136,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -7217,7 +7252,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:tools.js:305",
+      "id": "toctou-fs:tools.js:318",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -7225,7 +7260,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "tools.js",
-      "line": 305,
+      "line": 318,
       "snippet": "try { stat = fs.statSync(a); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -7306,7 +7341,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:305` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:318` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "d2d919466a97f830",
       "confidenceTier": "medium",
@@ -7323,6 +7358,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -7438,7 +7474,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:tools.js:723",
+      "id": "toctou-fs:tools.js:738",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -7446,7 +7482,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "tools.js",
-      "line": 723,
+      "line": 738,
       "snippet": "try { stat = fs.statSync(abs); } catch { continue; }",
       "fix": null,
       "reachable": false,
@@ -7527,7 +7563,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:723` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:738` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "4908178e2835d3e9",
       "confidenceTier": "medium",
@@ -7544,6 +7580,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -7659,7 +7696,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:tools.js:805",
+      "id": "toctou-fs:tools.js:820",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -7667,7 +7704,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "tools.js",
-      "line": 805,
+      "line": 820,
       "snippet": "try { if (fs.existsSync(abs)) existing = fs.statSync(abs).size; } catch {}",
       "fix": null,
       "reachable": false,
@@ -7748,7 +7785,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:805` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `tools.js:820` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "f1876a31fc5c2f66",
       "confidenceTier": "medium",
@@ -7765,6 +7802,7 @@
       "unvalidated": true,
       "cross_language": false,
       "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
       "_unsigned": false,
       "_passThroughSigning": false,
       "signatureStatus": "verified",
@@ -7958,7 +7996,9 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `audit.js:52` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
       "id": "logic:audit.js:122:TOCTOU:_existsSync_followed_by_file_op",
@@ -8039,17 +8079,19 @@
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
         "narrative": "TOCTOU: existsSync followed by file op on `audit.js:122` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+      },
+      "parser": "LOGIC",
+      "family": null
     },
     {
-      "id": "logic:tools.js:213:TOCTOU:_existsSync_followed_by_file_op",
+      "id": "logic:tools.js:226:TOCTOU:_existsSync_followed_by_file_op",
       "kind": "logic",
       "severity": "medium",
       "vuln": "TOCTOU: existsSync followed by file op",
       "cwe": "CWE-367",
       "stride": "Tampering",
       "file": "tools.js",
-      "line": 213,
+      "line": 226,
       "snippet": "if (!fs.existsSync(scanFile)) return { scan: null, status: 'missing' };",
       "fix": {
         "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
@@ -8119,8 +8161,10 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: existsSync followed by file op on `tools.js:213` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
-      }
+        "narrative": "TOCTOU: existsSync followed by file op on `tools.js:226` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
@@ -8179,25 +8223,25 @@
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "tools.js",
-            "line": 183,
+            "line": 196,
             "severity": "medium"
           },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "tools.js",
-            "line": 305,
+            "line": 318,
             "severity": "medium"
           },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "tools.js",
-            "line": 723,
+            "line": 738,
             "severity": "medium"
           },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "tools.js",
-            "line": 805,
+            "line": 820,
             "severity": "medium"
           }
         ],
@@ -8354,5 +8398,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }