@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/bin/.agentic-security/scan-history.json

@@ -1,255 +1,6 @@
 [
   {
-    "timestamp": "2026-05-19T18:33:22.830Z",
-    "label": "scan",
-    "total": 1,
-    "critical": 0,
-    "high": 0,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T18:33:28.315Z",
-    "label": "scan",
-    "total": 1,
-    "critical": 0,
-    "high": 0,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T22:20:41.048Z",
-    "label": "scan",
-    "total": 3,
-    "critical": 0,
-    "high": 0,
-    "medium": 3,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T22:27:05.052Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:53",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T22:59:58.518Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T23:00:22.780Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T23:44:16.929Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T23:44:23.410Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T03:55:11.940Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T03:55:17.682Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T04:58:44.060Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T04:58:56.341Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T05:13:43.297Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T05:34:26.018Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T05:34:33.300Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:41:04.981Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:41:11.169Z",
+    "timestamp": "2026-05-26T04:00:10.464Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -261,11 +12,11 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1108"
     ]
   },
   {
-    "timestamp": "2026-05-20T12:55:32.034Z",
+    "timestamp": "2026-05-26T04:00:56.905Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -277,11 +28,11 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1108"
     ]
   },
   {
-    "timestamp": "2026-05-20T15:38:53.724Z",
+    "timestamp": "2026-05-26T04:02:41.681Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -293,11 +44,11 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1108"
     ]
   },
   {
-    "timestamp": "2026-05-20T16:34:56.575Z",
+    "timestamp": "2026-05-27T01:03:34.318Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -309,11 +60,11 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1109"
     ]
   },
   {
-    "timestamp": "2026-05-20T17:09:07.083Z",
+    "timestamp": "2026-05-27T01:05:45.968Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -325,11 +76,11 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1114"
     ]
   },
   {
-    "timestamp": "2026-05-20T17:16:51.009Z",
+    "timestamp": "2026-05-27T11:21:25.101Z",
     "label": "scan",
     "total": 4,
     "critical": 0,
@@ -341,135 +92,24 @@
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1116"
     ]
   },
   {
-    "timestamp": "2026-05-20T17:30:57.470Z",
+    "timestamp": "2026-05-27T11:23:11.242Z",
     "label": "scan",
-    "total": 4,
+    "total": 5,
     "critical": 0,
     "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T19:30:22.196Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T19:32:44.938Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T20:02:44.607Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T21:21:28.677Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T21:28:34.802Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-21T15:57:04.808Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "toctou-fs:agentic-security-audit.js:55",
-      "toctou-fs:agentic-security-consistency.js:44",
-      "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
-    ]
-  },
-  {
-    "timestamp": "2026-05-21T16:13:41.128Z",
-    "label": "scan",
-    "total": 4,
-    "critical": 0,
-    "high": 0,
-    "medium": 4,
+    "medium": 5,
     "low": 0,
     "kev": 0,
     "ids": [
       "toctou-fs:agentic-security-audit.js:55",
       "toctou-fs:agentic-security-consistency.js:44",
       "toctou-fs:agentic-security-consistency.js:66",
-      "toctou-fs:agentic-security.js:1105"
+      "toctou-fs:agentic-security.js:1136",
+      "toctou-fs:agentic-security.js:362"
     ]
   }
 ]

package/bin/.agentic-security/streak.json

@@ -1,25 +1,20 @@
 {
-  "firstScanDate": "2026-05-15T12:24:29.316Z",
-  "lastScanDate": "2026-05-21T16:13:41.148Z",
-  "totalScans": 123,
-  "daysCleanCritical": 4,
-  "lastCleanDate": "2026-05-21",
+  "firstScanDate": "2026-05-26T04:00:10.482Z",
+  "lastScanDate": "2026-05-27T11:23:11.268Z",
+  "totalScans": 7,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-27",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 4,
-  "totalFindingsAtFirstScan": 0,
-  "totalFindingsAtLastScan": 11,
-  "totalFixesInferred": 1,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 11,
+  "totalFindingsAtLastScan": 13,
+  "totalFixesInferred": 0,
   "lastGrade": "A-",
-  "bestGrade": "A+",
+  "bestGrade": "A-",
   "launchCheckPassedAt": null,
   "achievements": [
-    "first-fix",
-    "first-scan",
-    "grade-a",
-    "grade-a-plus",
-    "scan-veteran-100",
-    "scan-veteran-25"
+    "first-scan"
   ],
   "previousGrade": "A-"
 }

package/bin/agentic-security.js

@@ -4,6 +4,9 @@
 import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
+import { createRequire } from 'node:module';
+const __require = createRequire(import.meta.url);
+const PKG_VERSION = __require('../package.json').version;
 import { signLastScan as _signLastScan, verifyLastScan as _verifyLastScanShared } from '../src/posture/integrity.js';
 import { runScan } from '../src/runScan.js';
 import { toJSON, toMarkdown, toSARIF, toSTIX, toCSV, toJUnit, toCLI, toCLIByProfile, toShipVerdict, toProTable, toHTML, toSummary, exitCodeFor, normalizeFindings } from '../src/report/index.js';
@@ -103,6 +106,9 @@ Options:
   --no-network                 Skip OSV/registry queries (offline mode)
   --pr [ref]                   Diff-aware: scan only files changed since ref (auto-detects PR base)
   --deterministic              Reproducible scan: stable sort, no-network, lockfile-checked
+  --incremental                Reuse taint summaries from prior scans (speeds up deep mode in CI)
+  --set-baseline               Save current findings as baseline (suppresses pre-existing issues)
+  --since-baseline             Only show findings NOT in the saved baseline
   --no-epss                    Skip EPSS exploit-prediction enrichment (default: enabled)
   --no-blast-radius            Skip blast-radius / cost framing (default: enabled)
   --verbose                    Include fix bodies + taxonomy in CLI output
@@ -137,7 +143,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.75.1';
+  const v = PKG_VERSION;
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -314,6 +320,11 @@ async function cmdScan(args) {
     }
   }
 
+  // --incremental : reuse taint summaries from prior scans for faster deep mode.
+  if (args.flags['incremental'] || process.env.AGENTIC_SECURITY_INCREMENTAL === '1') {
+    process.env.AGENTIC_SECURITY_INCREMENTAL = '1';
+  }
+
   // --pr [ref] : friendlier alias for --changed-since that auto-detects the PR
   // base ref (GitHub/GitLab/Buildkite/Bitbucket env vars) when no value is given.
   let changedSince = args.flags['changed-since'] || null;
@@ -338,6 +349,26 @@ async function cmdScan(args) {
     if (only === 'secrets') { scan.findings = []; scan.supplyChain = []; }
   }
 
+  // --set-baseline: save current findings as baseline for future --since-baseline filtering
+  const baselinePath = path.join(target || '.', '.agentic-security', 'baseline.json');
+  if (args.flags['set-baseline']) {
+    const { normalizeFindings } = await import('../src/report/index.js');
+    const baselineIds = new Set(normalizeFindings(scan).map(f => f.stableId || f.id));
+    fs.mkdirSync(path.dirname(baselinePath), { recursive: true });
+    fs.writeFileSync(baselinePath, JSON.stringify({ ids: [...baselineIds], createdAt: new Date().toISOString(), count: baselineIds.size }, null, 2));
+    process.stderr.write(`[baseline] saved ${baselineIds.size} findings as baseline\n`);
+  }
+  // --since-baseline: filter out findings that existed in the saved baseline
+  if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {
+    try {
+      const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf8'));
+      const baselineSet = new Set(baseline.ids || []);
+      const before = scan.findings.length;
+      scan.findings = (scan.findings || []).filter(f => !baselineSet.has(f.stableId || f.id));
+      process.stderr.write(`[baseline] filtered ${before - scan.findings.length} baseline findings, ${scan.findings.length} new\n`);
+    } catch { /* baseline file unreadable, skip */ }
+  }
+
   // 0.9.0 Feat-18: --scorecard flag enables OSSF Scorecard enrichment
   if (args.flags['scorecard']) process.env.AGENTIC_SECURITY_SCORECARD = '1';
 
@@ -1665,7 +1696,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log(`agentic-security ${PKG_VERSION}  ·  created by ClearCapabilities.Com`); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/178.index.js

@@ -13,7 +13,7 @@ export const modules = {
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(8636);
 // Time-travel + counterfactual scanning (v0.68).
 //
 // Two new modes that exploit the pure-input shape of runFullScan:

package/dist/384.index.js

@@ -8,7 +8,7 @@ export const modules = {
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
 /* harmony export */   scanCredentials: () => (/* reexport safe */ _engine_js__WEBPACK_IMPORTED_MODULE_0__.Sv)
 /* harmony export */ });
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(8636);
 // Secrets submodule view of the engine — credential + entropy + TODO scanning.
 
 

package/dist/637.index.js

@@ -10,7 +10,7 @@ export const modules = {
 /* harmony export */   renderPrDeltaText: () => (/* binding */ renderPrDeltaText)
 /* harmony export */ });
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(8636);
 // Shadowscan / security-DELTA on PR (v0.72).
 //
 // Most SAST PR-comment integrations show absolute counts — "12 findings