@clear-capabilities/agentic-security-scanner 0.75.0 → 0.77.0

package/CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 0.76.0 — Command consolidation: 80 → 38 slash commands
+
+Simplified the command surface from 80 individual slash commands down to
+38 by merging related commands into consolidated routers with flags.
+No functionality removed — all logic preserved behind flags on fewer,
+more discoverable parent commands.
+
+### New consolidated commands
+
+| New command | Absorbed | Routing |
+|---|---|---|
+| `/audit` | db-audit, auth-audit, rate-limit-check, webhook-audit, env-check, csp-cors, deploy-check, launch-check, llm-cost-ceiling, prompt-firewall | `--target <area>` or `--all` |
+| `/threat` | threat-model, personas, playbook, bounty, adversary, attack-surface, trust-boundary, spof | `--view <name>` |
+| `/llm` | llm-redteam, jailbreak-detector, llm-eval | `--mode redteam\|jailbreak\|eval` |
+| `/ci` | ci-gate, predeploy-gate, install-hooks | default / `--predeploy` / `--hooks` |
+| `/generate` | privacy-docs, disaster-playbook, social-media, security-tests | `--type privacy\|disaster\|social\|tests` |
+| `/scanner` | self-test, diff-scan, scan-baseline, concurrency-bugs, spec-drift | `--self-test` / `--diff` / `--baseline` / `--concurrency` / `--spec-drift` |
+
+### Commands absorbed into existing commands
+
+- `/why-fired` → `/explain --provenance --finding <id>`
+- `/why-not` → `/explain --gap <CWE>`
+- `/install-script-audit` → `/supply-chain-check --show install-scripts`
+- `/vendor-audit` → `/supply-chain-check --show vendored`
+
+### Deleted deprecated aliases (11)
+
+ci-gate-multi, rotate-key-auto, trim-dead-code, trim-dependencies,
+story-explain, security-badge, security-onepager, trust-page,
+dep-pinning, dep-freshness, dep-alternatives.
+
+## 0.75.1 — /agent-harness-assessment + interactive compliance routing + README badge relocation
+
+Three follow-ups to the 0.75.0 surface:
+
+**Renamed `/executive-summary` → `/agent-harness-assessment`.** The
+previous name framed this as a finance-style report. The actual artifact
+is an assessment of the AI-agent harness: a CISO/buyer reading it wants
+to know whether to trust an AI agent working in this project, not just
+see a posture grade. The new name reflects the audience.
+
+**Interactive compliance step.** After printing the six-control
+assessment, the command now asks (via AskUserQuestion) which compliance
+frameworks the reader wants generated NOW — NIST AI 600-1, OWASP ASVS,
+OWASP LLM Top 10 (2025), or none. For each selection, the model invokes
+`/compliance-report <fw>` with the matching positional argument
+(`nist`, `asvs`, `llm`) so an auditor-ready file lands on disk. The
+Compliance section in the assessment now says what evidence COULD be
+produced; the interactive step closes the loop to evidence that EXISTS.
+
+**README "Status badge" section relocated** from the top-of-README hero
+region into the Security Pros section, between the 5-minute pro setup
+and the full pro catalog. Adopting the badge is a pro-shaped step
+(it requires CI wiring + a baseline scan). Three example badges now
+render on three distinct lines via trailing `<br>` so the severity
+ladder is legible at a glance.
+
 ## 0.75.0 — /executive-summary: CISO-facing six-control posture report
 
 New top-level command for buyer-questionnaire / diligence / CISO use.

package/bin/agentic-security.js

@@ -137,7 +137,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.75.0';
+  const v = '0.75.1';
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -1665,7 +1665,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.75.0  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/838.index.js

@@ -0,0 +1,152 @@
+export const id = 838;
+export const ids = [838];
+export const modules = {
+
+/***/ 7838:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   runProjectLinter: () => (/* binding */ runProjectLinter),
+/* harmony export */   verifyFix: () => (/* binding */ verifyFix),
+/* harmony export */   verifyPatch: () => (/* binding */ verifyPatch)
+/* harmony export */ });
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+// Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
+//
+// Given a candidate patch (the new file content + the finding stableId being
+// fixed), verify it:
+//
+//   1. The original finding's stableId no longer fires on the patched file.
+//   2. No new findings at severity ≥ medium were introduced by the patch.
+//   3. The project's existing linter (when present) passes on the patched file.
+//
+// If any of those fail, the caller is expected to NOT apply the patch and
+// instead surface a "fix plan" — a numbered list of steps the engineer can
+// follow — rather than dump a broken patch on the user.
+
+
+
+
+
+
+const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+// Run a focused re-scan over just the patched file(s) using the in-memory
+// engine. No filesystem write needed — we hand the new content in via the
+// fileContents map.
+async function verifyPatch({
+  scanRoot,
+  originalFindingStableId,
+  files,   // { [relPath]: newContent }
+  depFileContents = {},
+} = {}) {
+  if (!files || typeof files !== 'object') return { ok: false, reason: 'no-files-provided' };
+  const fileContents = { ...files };
+  let scan;
+  try {
+    scan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents, depFileContents, scanRoot }, () => {});
+  } catch (e) {
+    return { ok: false, reason: 'rescan-failed', error: e.message };
+  }
+  const findings = (scan && scan.findings) || [];
+  const stillHasOriginal = !!originalFindingStableId &&
+    findings.some(f => f.stableId === originalFindingStableId);
+  if (stillHasOriginal) {
+    return { ok: false, reason: 'original-finding-still-present', stableId: originalFindingStableId };
+  }
+  const introducedHighOrAbove = findings.filter(f =>
+    (SEVERITY_RANK[f.severity] ?? 9) <= SEVERITY_RANK.medium);
+  // Don't count findings on lines outside the patched files — but our
+  // fileContents map IS the patched files, so every finding is in-scope.
+  return {
+    ok: introducedHighOrAbove.length === 0,
+    reason: introducedHighOrAbove.length === 0 ? 'verified' : 'introduced-new-findings',
+    introduced: introducedHighOrAbove.map(f => ({
+      vuln: f.vuln, file: f.file, line: f.line, severity: f.severity,
+      stableId: f.stableId,
+    })),
+  };
+}
+
+// Detect which linter the project uses and run it on the patched files.
+// Returns { ok, runner, output } or { ok: true, runner: 'none' } when no
+// linter is configured (silent pass).
+function runProjectLinter(scanRoot, filePaths) {
+  if (!scanRoot || !Array.isArray(filePaths) || filePaths.length === 0) {
+    return { ok: true, runner: 'none' };
+  }
+  const has = (p) => { try { return node_fs__WEBPACK_IMPORTED_MODULE_1__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, p)); } catch { return false; } };
+  // Pick the linter by config file present in the repo root.
+  const jsFiles = filePaths.filter(f => /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(f));
+  const pyFiles = filePaths.filter(f => /\.py$/i.test(f));
+  const goFiles = filePaths.filter(f => /\.go$/i.test(f));
+  const javaFiles = filePaths.filter(f => /\.java$/i.test(f));
+
+  if (jsFiles.length && (has('.eslintrc') || has('.eslintrc.json') || has('.eslintrc.js') || has('eslint.config.js') || has('eslint.config.mjs'))) {
+    return runLinter(scanRoot, 'eslint', ['--no-error-on-unmatched-pattern', ...jsFiles]);
+  }
+  if (pyFiles.length && (has('pyproject.toml') || has('ruff.toml') || has('.ruff.toml'))) {
+    return runLinter(scanRoot, 'ruff', ['check', ...pyFiles]);
+  }
+  if (pyFiles.length && has('.flake8')) {
+    return runLinter(scanRoot, 'flake8', pyFiles);
+  }
+  if (goFiles.length && (has('.golangci.yml') || has('.golangci.yaml'))) {
+    return runLinter(scanRoot, 'golangci-lint', ['run', ...goFiles]);
+  }
+  if (javaFiles.length && has('checkstyle.xml')) {
+    return runLinter(scanRoot, 'checkstyle', ['-c', 'checkstyle.xml', ...javaFiles]);
+  }
+  return { ok: true, runner: 'none' };
+}
+
+function runLinter(cwd, cmd, args) {
+  let r;
+  try {
+    r = (0,node_child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync)(cmd, args, { cwd, encoding: 'utf8', timeout: 60_000 });
+  } catch (e) {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing', error: e.message };
+  }
+  if (r.error && r.error.code === 'ENOENT') {
+    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing' };
+  }
+  if (r.status === null) {
+    return { ok: false, runner: cmd, reason: 'timed-out', output: (r.stderr || r.stdout || '').slice(-2000) };
+  }
+  return {
+    ok: r.status === 0,
+    runner: cmd,
+    exitCode: r.status,
+    output: ((r.stderr || '') + (r.stdout || '')).slice(-2000),
+  };
+}
+
+// Top-level verify: re-scan + lint. Returns the combined verdict + a
+// human-readable summary string suitable for surfacing to the user.
+async function verifyFix({
+  scanRoot,
+  originalFindingStableId,
+  files,
+  depFileContents,
+} = {}) {
+  const rescan = await verifyPatch({ scanRoot, originalFindingStableId, files, depFileContents });
+  const lint = runProjectLinter(scanRoot, Object.keys(files || {}));
+  const ok = rescan.ok && (lint.ok || lint.skipped);
+  const summary = [
+    `re-scan: ${rescan.ok ? 'PASS' : 'FAIL — ' + rescan.reason}`,
+    `linter:  ${lint.runner === 'none' ? 'skipped (no linter config)'
+              : lint.skipped ? `${lint.runner} not installed`
+              : lint.ok ? `${lint.runner} PASS`
+              : `${lint.runner} FAIL (exit ${lint.exitCode})`}`,
+  ].join('\n');
+  return { ok, rescan, lint, summary };
+}
+
+
+/***/ })
+
+};

package/dist/{634.index.js → 985.index.js}

@@ -1,8 +1,8 @@
-export const id = 634;
-export const ids = [634];
+export const id = 985;
+export const ids = [985];
 export const modules = {
 
-/***/ 7634:
+/***/ 3985:
 /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
 
 
@@ -21,8 +21,6 @@ var external_node_path_ = __webpack_require__(6760);
 var external_node_url_ = __webpack_require__(3136);
 // EXTERNAL MODULE: external "node:fs/promises"
 var promises_ = __webpack_require__(1455);
-// EXTERNAL MODULE: ./src/runScan.js + 2 modules
-var runScan = __webpack_require__(9099);
 // EXTERNAL MODULE: ./src/posture/fix-history.js
 var fix_history = __webpack_require__(4407);
 // EXTERNAL MODULE: ./src/posture/integrity.js
@@ -104,142 +102,6 @@ function redactArgsBlob(s) {
   return redactString(s);
 }
 
-// EXTERNAL MODULE: external "node:child_process"
-var external_node_child_process_ = __webpack_require__(1421);
-// EXTERNAL MODULE: ./src/engine.js + 442 modules
-var engine = __webpack_require__(3291);
-;// CONCATENATED MODULE: ./src/posture/fix-verify.js
-// Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
-//
-// Given a candidate patch (the new file content + the finding stableId being
-// fixed), verify it:
-//
-//   1. The original finding's stableId no longer fires on the patched file.
-//   2. No new findings at severity ≥ medium were introduced by the patch.
-//   3. The project's existing linter (when present) passes on the patched file.
-//
-// If any of those fail, the caller is expected to NOT apply the patch and
-// instead surface a "fix plan" — a numbered list of steps the engineer can
-// follow — rather than dump a broken patch on the user.
-
-
-
-
-
-
-const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
-
-// Run a focused re-scan over just the patched file(s) using the in-memory
-// engine. No filesystem write needed — we hand the new content in via the
-// fileContents map.
-async function verifyPatch({
-  scanRoot,
-  originalFindingStableId,
-  files,   // { [relPath]: newContent }
-  depFileContents = {},
-} = {}) {
-  if (!files || typeof files !== 'object') return { ok: false, reason: 'no-files-provided' };
-  const fileContents = { ...files };
-  let scan;
-  try {
-    scan = await (0,engine/* runFullScan */.wW)({ fileContents, depFileContents, scanRoot }, () => {});
-  } catch (e) {
-    return { ok: false, reason: 'rescan-failed', error: e.message };
-  }
-  const findings = (scan && scan.findings) || [];
-  const stillHasOriginal = !!originalFindingStableId &&
-    findings.some(f => f.stableId === originalFindingStableId);
-  if (stillHasOriginal) {
-    return { ok: false, reason: 'original-finding-still-present', stableId: originalFindingStableId };
-  }
-  const introducedHighOrAbove = findings.filter(f =>
-    (SEVERITY_RANK[f.severity] ?? 9) <= SEVERITY_RANK.medium);
-  // Don't count findings on lines outside the patched files — but our
-  // fileContents map IS the patched files, so every finding is in-scope.
-  return {
-    ok: introducedHighOrAbove.length === 0,
-    reason: introducedHighOrAbove.length === 0 ? 'verified' : 'introduced-new-findings',
-    introduced: introducedHighOrAbove.map(f => ({
-      vuln: f.vuln, file: f.file, line: f.line, severity: f.severity,
-      stableId: f.stableId,
-    })),
-  };
-}
-
-// Detect which linter the project uses and run it on the patched files.
-// Returns { ok, runner, output } or { ok: true, runner: 'none' } when no
-// linter is configured (silent pass).
-function runProjectLinter(scanRoot, filePaths) {
-  if (!scanRoot || !Array.isArray(filePaths) || filePaths.length === 0) {
-    return { ok: true, runner: 'none' };
-  }
-  const has = (p) => { try { return external_node_fs_.existsSync(external_node_path_.join(scanRoot, p)); } catch { return false; } };
-  // Pick the linter by config file present in the repo root.
-  const jsFiles = filePaths.filter(f => /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(f));
-  const pyFiles = filePaths.filter(f => /\.py$/i.test(f));
-  const goFiles = filePaths.filter(f => /\.go$/i.test(f));
-  const javaFiles = filePaths.filter(f => /\.java$/i.test(f));
-
-  if (jsFiles.length && (has('.eslintrc') || has('.eslintrc.json') || has('.eslintrc.js') || has('eslint.config.js') || has('eslint.config.mjs'))) {
-    return runLinter(scanRoot, 'eslint', ['--no-error-on-unmatched-pattern', ...jsFiles]);
-  }
-  if (pyFiles.length && (has('pyproject.toml') || has('ruff.toml') || has('.ruff.toml'))) {
-    return runLinter(scanRoot, 'ruff', ['check', ...pyFiles]);
-  }
-  if (pyFiles.length && has('.flake8')) {
-    return runLinter(scanRoot, 'flake8', pyFiles);
-  }
-  if (goFiles.length && (has('.golangci.yml') || has('.golangci.yaml'))) {
-    return runLinter(scanRoot, 'golangci-lint', ['run', ...goFiles]);
-  }
-  if (javaFiles.length && has('checkstyle.xml')) {
-    return runLinter(scanRoot, 'checkstyle', ['-c', 'checkstyle.xml', ...javaFiles]);
-  }
-  return { ok: true, runner: 'none' };
-}
-
-function runLinter(cwd, cmd, args) {
-  let r;
-  try {
-    r = (0,external_node_child_process_.spawnSync)(cmd, args, { cwd, encoding: 'utf8', timeout: 60_000 });
-  } catch (e) {
-    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing', error: e.message };
-  }
-  if (r.error && r.error.code === 'ENOENT') {
-    return { ok: true, runner: cmd, skipped: true, reason: 'binary-missing' };
-  }
-  if (r.status === null) {
-    return { ok: false, runner: cmd, reason: 'timed-out', output: (r.stderr || r.stdout || '').slice(-2000) };
-  }
-  return {
-    ok: r.status === 0,
-    runner: cmd,
-    exitCode: r.status,
-    output: ((r.stderr || '') + (r.stdout || '')).slice(-2000),
-  };
-}
-
-// Top-level verify: re-scan + lint. Returns the combined verdict + a
-// human-readable summary string suitable for surfacing to the user.
-async function verifyFix({
-  scanRoot,
-  originalFindingStableId,
-  files,
-  depFileContents,
-} = {}) {
-  const rescan = await verifyPatch({ scanRoot, originalFindingStableId, files, depFileContents });
-  const lint = runProjectLinter(scanRoot, Object.keys(files || {}));
-  const ok = rescan.ok && (lint.ok || lint.skipped);
-  const summary = [
-    `re-scan: ${rescan.ok ? 'PASS' : 'FAIL — ' + rescan.reason}`,
-    `linter:  ${lint.runner === 'none' ? 'skipped (no linter config)'
-              : lint.skipped ? `${lint.runner} not installed`
-              : lint.ok ? `${lint.runner} PASS`
-              : `${lint.runner} FAIL (exit ${lint.exitCode})`}`,
-  ].join('\n');
-  return { ok, rescan, lint, summary };
-}
-
 ;// CONCATENATED MODULE: ./src/posture/agents-memory.js
 // AGENTS.md — writable continual-learning memory (harness-anatomy #2).
 //
@@ -533,7 +395,20 @@ const cve_lookup_internals = { CACHE_DIR, CVE_RE, _stalenessTier };
 
 
 
-
+// Lazy-loaded: these transitively pull in npm packages (fast-glob,
+// @babel/core) that aren't available in the plugin-cache install path
+// (no node_modules). Deferring keeps the MCP server bootable everywhere;
+// the import only runs when a tool that needs them is actually called.
+let _runScan;
+async function getRunScan() {
+  if (!_runScan) _runScan = (await Promise.resolve(/* import() */).then(__webpack_require__.bind(__webpack_require__, 9099))).runScan;
+  return _runScan;
+}
+let _verifyFixCore;
+async function getVerifyFixCore() {
+  if (!_verifyFixCore) _verifyFixCore = (await __webpack_require__.e(/* import() */ 838).then(__webpack_require__.bind(__webpack_require__, 7838))).verifyFix;
+  return _verifyFixCore;
+}
 
 const MAX_FILES_PER_SCAN = 1024;
 const MAX_FILE_BYTES = 500_000;
@@ -828,7 +703,8 @@ const scan_diff = {
       fileContents[rel] = content;
     }
 
-    const result = await (0,runScan.runScan)(sessionRoot, { network: false, fileContents });
+    const runScan = await getRunScan();
+    const result = await runScan(sessionRoot, { network: false, fileContents });
     const wantSet = new Set(Object.keys(fileContents));
     const sevRank = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
     const min = sevRank[severity] ?? 0;
@@ -1101,7 +977,8 @@ const verify_fix = {
       confined[relPath] = String(content);
     }
     try {
-      const r = await verifyFix({
+      const verifyFixCore = await getVerifyFixCore();
+      const r = await verifyFixCore({
         scanRoot: ctx.sessionRoot,
         originalFindingStableId: stable_id,
         files: confined,