@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83)
  1. package/bin/.agentic-security/findings.json +1907 -0
  2. package/bin/.agentic-security/last-scan.json +1907 -0
  3. package/bin/.agentic-security/last-scan.json.sig +1 -0
  4. package/bin/.agentic-security/scan-history.json +115 -0
  5. package/bin/.agentic-security/streak.json +20 -0
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +3 -3
  16. package/src/.agentic-security/findings.json +82642 -0
  17. package/src/.agentic-security/last-scan.json +82642 -0
  18. package/src/.agentic-security/last-scan.json.sig +1 -0
  19. package/src/.agentic-security/scan-history.json +10054 -0
  20. package/src/.agentic-security/streak.json +21 -0
  21. package/src/dataflow/.agentic-security/findings.json +3515 -0
  22. package/src/dataflow/.agentic-security/last-scan.json +3515 -0
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  24. package/src/dataflow/.agentic-security/scan-history.json +702 -0
  25. package/src/dataflow/.agentic-security/streak.json +22 -0
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +3777 -0
  37. package/src/ir/.agentic-security/last-scan.json +3777 -0
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  39. package/src/ir/.agentic-security/scan-history.json +771 -0
  40. package/src/ir/.agentic-security/streak.json +21 -0
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +51562 -0
  48. package/src/posture/.agentic-security/last-scan.json +51562 -0
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  50. package/src/posture/.agentic-security/scan-history.json +650 -0
  51. package/src/posture/.agentic-security/streak.json +20 -0
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +80 -0
  55. package/src/report/.agentic-security/last-scan.json +80 -0
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -0
  57. package/src/report/.agentic-security/scan-history.json +35 -0
  58. package/src/report/.agentic-security/streak.json +22 -0
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +5190 -0
  61. package/src/sast/.agentic-security/last-scan.json +5190 -0
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  63. package/src/sast/.agentic-security/scan-history.json +408 -0
  64. package/src/sast/.agentic-security/streak.json +20 -0
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +1587 -0
  78. package/src/sca/.agentic-security/last-scan.json +1587 -0
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -0
  80. package/src/sca/.agentic-security/scan-history.json +36 -0
  81. package/src/sca/.agentic-security/streak.json +21 -0
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
@@ -0,0 +1,1907 @@
1
+ {
2
+ "scanId": "0c2c7713-e7de-4bc9-ab48-f6473ad81d9f",
3
+ "startedAt": "2026-05-27T11:23:10.965Z",
4
+ "durationMs": 278,
5
+ "scanned": {
6
+ "files": 7,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "8ec5768f893c53c3",
12
+ "kind": "logic",
13
+ "severity": "high",
14
+ "vuln": "Sensitive Directory Path Construction",
15
+ "cwe": "CWE-22",
16
+ "stride": "Information Disclosure",
17
+ "file": "agentic-security-audit.js",
18
+ "line": 51,
19
+ "snippet": "function _logPath(root) { return path.join(root, '.agentic-security', 'mcp-audit.log'); }",
20
+ "fix": {
21
+ "description": "Restrict file paths to a specific allowed directory; reject '..' and absolute paths.",
22
+ "code": "const safe = path.resolve('./uploads', file);\nif (!safe.startsWith(path.resolve('./uploads'))) throw 403;"
23
+ },
24
+ "blastRadius": {
25
+ "scope": "all-users",
26
+ "dataAtRisk": [
27
+ "config"
28
+ ],
29
+ "userCount": 50,
30
+ "industry": "generic",
31
+ "jurisdictions": [],
32
+ "controlsApplied": [],
33
+ "dollarBest": 23250,
34
+ "dollarLikely": 136250,
35
+ "dollarWorst": 775000,
36
+ "dollarLow": 23250,
37
+ "dollarHigh": 775000,
38
+ "components": {
39
+ "incidentResponse": {
40
+ "low": 8000,
41
+ "likely": 50000,
42
+ "high": 250000
43
+ },
44
+ "legal": {
45
+ "low": 10000,
46
+ "likely": 75000,
47
+ "high": 500000
48
+ },
49
+ "crisisPR": {
50
+ "low": 0,
51
+ "likely": 0,
52
+ "high": 0
53
+ },
54
+ "notification": {
55
+ "low": 5000,
56
+ "likely": 10000,
57
+ "high": 15000
58
+ },
59
+ "creditMonitoring": {
60
+ "low": 0,
61
+ "likely": 0,
62
+ "high": 0
63
+ },
64
+ "regulatoryFines": {
65
+ "low": 0,
66
+ "likely": 0,
67
+ "high": 0
68
+ },
69
+ "directDamage": {
70
+ "low": 250,
71
+ "likely": 1250,
72
+ "high": 10000
73
+ },
74
+ "classAction": {
75
+ "low": 0,
76
+ "likely": 0,
77
+ "high": 0
78
+ },
79
+ "lostBusiness": {
80
+ "low": 0,
81
+ "likely": 0,
82
+ "high": 0
83
+ }
84
+ },
85
+ "dominantDriver": "legal counsel",
86
+ "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
87
+ "confidence": "low",
88
+ "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
89
+ },
90
+ "parser": "LOGIC",
91
+ "family": null
92
+ },
93
+ {
94
+ "id": "toctou-fs:agentic-security-audit.js:55",
95
+ "kind": "sast",
96
+ "severity": "medium",
97
+ "vuln": "TOCTOU: file existence/permission check before open",
98
+ "cwe": "CWE-367",
99
+ "owaspLlm": null,
100
+ "stride": "Tampering",
101
+ "file": "agentic-security-audit.js",
102
+ "line": 55,
103
+ "snippet": "if (!fs.existsSync(fp)) return [];",
104
+ "fix": null,
105
+ "reachable": false,
106
+ "triage": 22,
107
+ "dataClasses": [],
108
+ "chain": null,
109
+ "confidence": 0.7,
110
+ "toxicity": 8,
111
+ "toxicityFactors": [],
112
+ "toxicityLabel": "Low",
113
+ "sources": null,
114
+ "epssScore": null,
115
+ "epssPercentile": null,
116
+ "epssCve": null,
117
+ "exploitedNow": false,
118
+ "tags": null,
119
+ "blastRadius": {
120
+ "scope": "all-users",
121
+ "dataAtRisk": [
122
+ "config"
123
+ ],
124
+ "userCount": 50,
125
+ "industry": "generic",
126
+ "jurisdictions": [],
127
+ "controlsApplied": [],
128
+ "dollarBest": 23250,
129
+ "dollarLikely": 136250,
130
+ "dollarWorst": 775000,
131
+ "dollarLow": 23250,
132
+ "dollarHigh": 775000,
133
+ "components": {
134
+ "incidentResponse": {
135
+ "low": 8000,
136
+ "likely": 50000,
137
+ "high": 250000
138
+ },
139
+ "legal": {
140
+ "low": 10000,
141
+ "likely": 75000,
142
+ "high": 500000
143
+ },
144
+ "crisisPR": {
145
+ "low": 0,
146
+ "likely": 0,
147
+ "high": 0
148
+ },
149
+ "notification": {
150
+ "low": 5000,
151
+ "likely": 10000,
152
+ "high": 15000
153
+ },
154
+ "creditMonitoring": {
155
+ "low": 0,
156
+ "likely": 0,
157
+ "high": 0
158
+ },
159
+ "regulatoryFines": {
160
+ "low": 0,
161
+ "likely": 0,
162
+ "high": 0
163
+ },
164
+ "directDamage": {
165
+ "low": 250,
166
+ "likely": 1250,
167
+ "high": 10000
168
+ },
169
+ "classAction": {
170
+ "low": 0,
171
+ "likely": 0,
172
+ "high": 0
173
+ },
174
+ "lostBusiness": {
175
+ "low": 0,
176
+ "likely": 0,
177
+ "high": 0
178
+ }
179
+ },
180
+ "dominantDriver": "legal counsel",
181
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
182
+ "confidence": "low",
183
+ "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
184
+ },
185
+ "stableId": "1e3825344bf7fde1",
186
+ "confidenceTier": "medium",
187
+ "exploitability": 0.2,
188
+ "exploitabilityTier": "low",
189
+ "exploitabilityFactors": [
190
+ "sev:medium",
191
+ "unreachable"
192
+ ],
193
+ "clusterSize": null,
194
+ "unreachable": false,
195
+ "validator_verdict": "unvalidated",
196
+ "llm_confidence": null,
197
+ "unvalidated": true,
198
+ "cross_language": false,
199
+ "family": "toctou-file-existence-permission-check-b",
200
+ "parser": "TOCTOU",
201
+ "_unsigned": false,
202
+ "_passThroughSigning": false,
203
+ "signatureStatus": "verified",
204
+ "regression_test": null,
205
+ "poc": null,
206
+ "calibrated_confidence": null,
207
+ "calibrated_confidence_ci": null,
208
+ "calibrated_n": 0,
209
+ "calibration_reason": "no-history",
210
+ "verifier_verdict": "cannot-verify",
211
+ "verifier_reason": "no-poc-no-sanitizer-rule",
212
+ "verifier_runner": null,
213
+ "narration": null,
214
+ "mitigationVerdict": "unreachable-in-prod",
215
+ "mitigationsApplied": [],
216
+ "mitigatedByWaf": false,
217
+ "wafRuleId": null,
218
+ "mitigatedByAuth": false,
219
+ "authMechanism": null,
220
+ "mitigatedByNetwork": false,
221
+ "networkExposure": null,
222
+ "featureFlag": null,
223
+ "featureFlagState": null,
224
+ "featureFlagRollout": null,
225
+ "exposedInProd": false,
226
+ "unreachableInProd": true,
227
+ "coldPath": false,
228
+ "hotPath": false,
229
+ "prodRequestCount": null,
230
+ "crownJewelScore": 0.15,
231
+ "crownJewelTier": "low-value",
232
+ "crownJewelFactors": [
233
+ "shell-execution"
234
+ ],
235
+ "cloneClusterId": "9c2182a3d2005edb",
236
+ "cloneClusterSize": 1,
237
+ "provenance": "human-likely",
238
+ "provenanceScore": 0,
239
+ "typeNarrowed": null,
240
+ "strideCategory": "tampering",
241
+ "personaScores": {
242
+ "script-kiddie": {
243
+ "score": 0.4,
244
+ "tier": "medium",
245
+ "factors": [
246
+ "sev:medium"
247
+ ]
248
+ },
249
+ "opportunistic-criminal": {
250
+ "score": 0.4,
251
+ "tier": "medium",
252
+ "factors": [
253
+ "sev:medium"
254
+ ]
255
+ },
256
+ "apt-nation-state": {
257
+ "score": 0.4,
258
+ "tier": "medium",
259
+ "factors": [
260
+ "sev:medium"
261
+ ]
262
+ },
263
+ "supply-chain-attacker": {
264
+ "score": 0.4,
265
+ "tier": "medium",
266
+ "factors": [
267
+ "sev:medium"
268
+ ]
269
+ },
270
+ "malicious-insider": {
271
+ "score": 0.4,
272
+ "tier": "medium",
273
+ "factors": [
274
+ "sev:medium"
275
+ ]
276
+ }
277
+ },
278
+ "personaTopTwo": [
279
+ "script-kiddie",
280
+ "opportunistic-criminal"
281
+ ],
282
+ "personaMaxName": "script-kiddie",
283
+ "personaMaxScore": 0.4,
284
+ "reverseExposure": null,
285
+ "specMined": null,
286
+ "whyFired": {
287
+ "detector": "sast/toctou-file-existence-permission-check-b",
288
+ "ruleId": "CWE-367",
289
+ "parser": "TOCTOU",
290
+ "evidence": {
291
+ "sinkSnippet": "if (!fs.existsSync(fp)) return [];",
292
+ "sourceSnippet": null,
293
+ "pathSteps": [],
294
+ "sanitizers": [],
295
+ "guards": []
296
+ },
297
+ "considered": {
298
+ "suppressionsApplied": [],
299
+ "suppressionsSkipped": [],
300
+ "reachabilityFilter": "unaffected",
301
+ "clusterCollapsed": false,
302
+ "typeNarrowed": false,
303
+ "crownJewelTier": "low-value",
304
+ "mitigationVerdict": "unreachable-in-prod"
305
+ },
306
+ "scanner": {
307
+ "rulesetVersion": null,
308
+ "packHash": null,
309
+ "modelId": null
310
+ }
311
+ },
312
+ "adversaryTranscript": null,
313
+ "predictedBountyUsd": null,
314
+ "bountyConfidence": null,
315
+ "attackPlaybook": null
316
+ },
317
+ {
318
+ "id": "toctou-fs:agentic-security-consistency.js:44",
319
+ "kind": "sast",
320
+ "severity": "medium",
321
+ "vuln": "TOCTOU: file existence/permission check before open",
322
+ "cwe": "CWE-367",
323
+ "owaspLlm": null,
324
+ "stride": "Tampering",
325
+ "file": "agentic-security-consistency.js",
326
+ "line": 44,
327
+ "snippet": "if (!fs.existsSync(scanFile)) {",
328
+ "fix": null,
329
+ "reachable": false,
330
+ "triage": 22,
331
+ "dataClasses": [],
332
+ "chain": null,
333
+ "confidence": 0.7,
334
+ "toxicity": 8,
335
+ "toxicityFactors": [],
336
+ "toxicityLabel": "Low",
337
+ "sources": null,
338
+ "epssScore": null,
339
+ "epssPercentile": null,
340
+ "epssCve": null,
341
+ "exploitedNow": false,
342
+ "tags": null,
343
+ "blastRadius": {
344
+ "scope": "all-users",
345
+ "dataAtRisk": [
346
+ "config"
347
+ ],
348
+ "userCount": 50,
349
+ "industry": "generic",
350
+ "jurisdictions": [],
351
+ "controlsApplied": [],
352
+ "dollarBest": 23250,
353
+ "dollarLikely": 136250,
354
+ "dollarWorst": 775000,
355
+ "dollarLow": 23250,
356
+ "dollarHigh": 775000,
357
+ "components": {
358
+ "incidentResponse": {
359
+ "low": 8000,
360
+ "likely": 50000,
361
+ "high": 250000
362
+ },
363
+ "legal": {
364
+ "low": 10000,
365
+ "likely": 75000,
366
+ "high": 500000
367
+ },
368
+ "crisisPR": {
369
+ "low": 0,
370
+ "likely": 0,
371
+ "high": 0
372
+ },
373
+ "notification": {
374
+ "low": 5000,
375
+ "likely": 10000,
376
+ "high": 15000
377
+ },
378
+ "creditMonitoring": {
379
+ "low": 0,
380
+ "likely": 0,
381
+ "high": 0
382
+ },
383
+ "regulatoryFines": {
384
+ "low": 0,
385
+ "likely": 0,
386
+ "high": 0
387
+ },
388
+ "directDamage": {
389
+ "low": 250,
390
+ "likely": 1250,
391
+ "high": 10000
392
+ },
393
+ "classAction": {
394
+ "low": 0,
395
+ "likely": 0,
396
+ "high": 0
397
+ },
398
+ "lostBusiness": {
399
+ "low": 0,
400
+ "likely": 0,
401
+ "high": 0
402
+ }
403
+ },
404
+ "dominantDriver": "legal counsel",
405
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
406
+ "confidence": "low",
407
+ "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
408
+ },
409
+ "stableId": "7244448882e8be9f",
410
+ "confidenceTier": "medium",
411
+ "exploitability": 0.2,
412
+ "exploitabilityTier": "low",
413
+ "exploitabilityFactors": [
414
+ "sev:medium",
415
+ "unreachable"
416
+ ],
417
+ "clusterSize": null,
418
+ "unreachable": false,
419
+ "validator_verdict": "unvalidated",
420
+ "llm_confidence": null,
421
+ "unvalidated": true,
422
+ "cross_language": false,
423
+ "family": "toctou-file-existence-permission-check-b",
424
+ "parser": "TOCTOU",
425
+ "_unsigned": false,
426
+ "_passThroughSigning": false,
427
+ "signatureStatus": "verified",
428
+ "regression_test": null,
429
+ "poc": null,
430
+ "calibrated_confidence": null,
431
+ "calibrated_confidence_ci": null,
432
+ "calibrated_n": 0,
433
+ "calibration_reason": "no-history",
434
+ "verifier_verdict": "cannot-verify",
435
+ "verifier_reason": "no-poc-no-sanitizer-rule",
436
+ "verifier_runner": null,
437
+ "narration": null,
438
+ "mitigationVerdict": "unreachable-in-prod",
439
+ "mitigationsApplied": [],
440
+ "mitigatedByWaf": false,
441
+ "wafRuleId": null,
442
+ "mitigatedByAuth": false,
443
+ "authMechanism": null,
444
+ "mitigatedByNetwork": false,
445
+ "networkExposure": null,
446
+ "featureFlag": null,
447
+ "featureFlagState": null,
448
+ "featureFlagRollout": null,
449
+ "exposedInProd": false,
450
+ "unreachableInProd": true,
451
+ "coldPath": false,
452
+ "hotPath": false,
453
+ "prodRequestCount": null,
454
+ "crownJewelScore": 0,
455
+ "crownJewelTier": "unknown",
456
+ "crownJewelFactors": [],
457
+ "cloneClusterId": "7451b9ab4bcfdaf0",
458
+ "cloneClusterSize": 1,
459
+ "provenance": "human-likely",
460
+ "provenanceScore": 0.22,
461
+ "typeNarrowed": null,
462
+ "strideCategory": "tampering",
463
+ "personaScores": {
464
+ "script-kiddie": {
465
+ "score": 0.4,
466
+ "tier": "medium",
467
+ "factors": [
468
+ "sev:medium"
469
+ ]
470
+ },
471
+ "opportunistic-criminal": {
472
+ "score": 0.4,
473
+ "tier": "medium",
474
+ "factors": [
475
+ "sev:medium"
476
+ ]
477
+ },
478
+ "apt-nation-state": {
479
+ "score": 0.4,
480
+ "tier": "medium",
481
+ "factors": [
482
+ "sev:medium"
483
+ ]
484
+ },
485
+ "supply-chain-attacker": {
486
+ "score": 0.4,
487
+ "tier": "medium",
488
+ "factors": [
489
+ "sev:medium"
490
+ ]
491
+ },
492
+ "malicious-insider": {
493
+ "score": 0.4,
494
+ "tier": "medium",
495
+ "factors": [
496
+ "sev:medium"
497
+ ]
498
+ }
499
+ },
500
+ "personaTopTwo": [
501
+ "script-kiddie",
502
+ "opportunistic-criminal"
503
+ ],
504
+ "personaMaxName": "script-kiddie",
505
+ "personaMaxScore": 0.4,
506
+ "reverseExposure": null,
507
+ "specMined": null,
508
+ "whyFired": {
509
+ "detector": "sast/toctou-file-existence-permission-check-b",
510
+ "ruleId": "CWE-367",
511
+ "parser": "TOCTOU",
512
+ "evidence": {
513
+ "sinkSnippet": "if (!fs.existsSync(scanFile)) {",
514
+ "sourceSnippet": null,
515
+ "pathSteps": [],
516
+ "sanitizers": [],
517
+ "guards": []
518
+ },
519
+ "considered": {
520
+ "suppressionsApplied": [],
521
+ "suppressionsSkipped": [],
522
+ "reachabilityFilter": "unaffected",
523
+ "clusterCollapsed": false,
524
+ "typeNarrowed": false,
525
+ "crownJewelTier": "unknown",
526
+ "mitigationVerdict": "unreachable-in-prod"
527
+ },
528
+ "scanner": {
529
+ "rulesetVersion": null,
530
+ "packHash": null,
531
+ "modelId": null
532
+ }
533
+ },
534
+ "adversaryTranscript": null,
535
+ "predictedBountyUsd": null,
536
+ "bountyConfidence": null,
537
+ "attackPlaybook": null
538
+ },
539
+ {
540
+ "id": "toctou-fs:agentic-security-consistency.js:66",
541
+ "kind": "sast",
542
+ "severity": "medium",
543
+ "vuln": "TOCTOU: file existence/permission check before open",
544
+ "cwe": "CWE-367",
545
+ "owaspLlm": null,
546
+ "stride": "Tampering",
547
+ "file": "agentic-security-consistency.js",
548
+ "line": 66,
549
+ "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
550
+ "fix": null,
551
+ "reachable": false,
552
+ "triage": 22,
553
+ "dataClasses": [],
554
+ "chain": null,
555
+ "confidence": 0.7,
556
+ "toxicity": 8,
557
+ "toxicityFactors": [],
558
+ "toxicityLabel": "Low",
559
+ "sources": null,
560
+ "epssScore": null,
561
+ "epssPercentile": null,
562
+ "epssCve": null,
563
+ "exploitedNow": false,
564
+ "tags": null,
565
+ "blastRadius": {
566
+ "scope": "all-users",
567
+ "dataAtRisk": [
568
+ "config"
569
+ ],
570
+ "userCount": 50,
571
+ "industry": "generic",
572
+ "jurisdictions": [],
573
+ "controlsApplied": [],
574
+ "dollarBest": 23250,
575
+ "dollarLikely": 136250,
576
+ "dollarWorst": 775000,
577
+ "dollarLow": 23250,
578
+ "dollarHigh": 775000,
579
+ "components": {
580
+ "incidentResponse": {
581
+ "low": 8000,
582
+ "likely": 50000,
583
+ "high": 250000
584
+ },
585
+ "legal": {
586
+ "low": 10000,
587
+ "likely": 75000,
588
+ "high": 500000
589
+ },
590
+ "crisisPR": {
591
+ "low": 0,
592
+ "likely": 0,
593
+ "high": 0
594
+ },
595
+ "notification": {
596
+ "low": 5000,
597
+ "likely": 10000,
598
+ "high": 15000
599
+ },
600
+ "creditMonitoring": {
601
+ "low": 0,
602
+ "likely": 0,
603
+ "high": 0
604
+ },
605
+ "regulatoryFines": {
606
+ "low": 0,
607
+ "likely": 0,
608
+ "high": 0
609
+ },
610
+ "directDamage": {
611
+ "low": 250,
612
+ "likely": 1250,
613
+ "high": 10000
614
+ },
615
+ "classAction": {
616
+ "low": 0,
617
+ "likely": 0,
618
+ "high": 0
619
+ },
620
+ "lostBusiness": {
621
+ "low": 0,
622
+ "likely": 0,
623
+ "high": 0
624
+ }
625
+ },
626
+ "dominantDriver": "legal counsel",
627
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
628
+ "confidence": "low",
629
+ "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
630
+ },
631
+ "stableId": "17c7a9503b897ade",
632
+ "confidenceTier": "medium",
633
+ "exploitability": 0.2,
634
+ "exploitabilityTier": "low",
635
+ "exploitabilityFactors": [
636
+ "sev:medium",
637
+ "unreachable"
638
+ ],
639
+ "clusterSize": null,
640
+ "unreachable": false,
641
+ "validator_verdict": "unvalidated",
642
+ "llm_confidence": null,
643
+ "unvalidated": true,
644
+ "cross_language": false,
645
+ "family": "toctou-file-existence-permission-check-b",
646
+ "parser": "TOCTOU",
647
+ "_unsigned": false,
648
+ "_passThroughSigning": false,
649
+ "signatureStatus": "verified",
650
+ "regression_test": null,
651
+ "poc": null,
652
+ "calibrated_confidence": null,
653
+ "calibrated_confidence_ci": null,
654
+ "calibrated_n": 0,
655
+ "calibration_reason": "no-history",
656
+ "verifier_verdict": "cannot-verify",
657
+ "verifier_reason": "no-poc-no-sanitizer-rule",
658
+ "verifier_runner": null,
659
+ "narration": null,
660
+ "mitigationVerdict": "unreachable-in-prod",
661
+ "mitigationsApplied": [],
662
+ "mitigatedByWaf": false,
663
+ "wafRuleId": null,
664
+ "mitigatedByAuth": false,
665
+ "authMechanism": null,
666
+ "mitigatedByNetwork": false,
667
+ "networkExposure": null,
668
+ "featureFlag": null,
669
+ "featureFlagState": null,
670
+ "featureFlagRollout": null,
671
+ "exposedInProd": false,
672
+ "unreachableInProd": true,
673
+ "coldPath": false,
674
+ "hotPath": false,
675
+ "prodRequestCount": null,
676
+ "crownJewelScore": 0,
677
+ "crownJewelTier": "unknown",
678
+ "crownJewelFactors": [],
679
+ "cloneClusterId": "71b3a66f0700d3d0",
680
+ "cloneClusterSize": 1,
681
+ "provenance": "human-likely",
682
+ "provenanceScore": 0.22,
683
+ "typeNarrowed": null,
684
+ "strideCategory": "tampering",
685
+ "personaScores": {
686
+ "script-kiddie": {
687
+ "score": 0.4,
688
+ "tier": "medium",
689
+ "factors": [
690
+ "sev:medium"
691
+ ]
692
+ },
693
+ "opportunistic-criminal": {
694
+ "score": 0.4,
695
+ "tier": "medium",
696
+ "factors": [
697
+ "sev:medium"
698
+ ]
699
+ },
700
+ "apt-nation-state": {
701
+ "score": 0.4,
702
+ "tier": "medium",
703
+ "factors": [
704
+ "sev:medium"
705
+ ]
706
+ },
707
+ "supply-chain-attacker": {
708
+ "score": 0.4,
709
+ "tier": "medium",
710
+ "factors": [
711
+ "sev:medium"
712
+ ]
713
+ },
714
+ "malicious-insider": {
715
+ "score": 0.4,
716
+ "tier": "medium",
717
+ "factors": [
718
+ "sev:medium"
719
+ ]
720
+ }
721
+ },
722
+ "personaTopTwo": [
723
+ "script-kiddie",
724
+ "opportunistic-criminal"
725
+ ],
726
+ "personaMaxName": "script-kiddie",
727
+ "personaMaxScore": 0.4,
728
+ "reverseExposure": null,
729
+ "specMined": null,
730
+ "whyFired": {
731
+ "detector": "sast/toctou-file-existence-permission-check-b",
732
+ "ruleId": "CWE-367",
733
+ "parser": "TOCTOU",
734
+ "evidence": {
735
+ "sinkSnippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
736
+ "sourceSnippet": null,
737
+ "pathSteps": [],
738
+ "sanitizers": [],
739
+ "guards": []
740
+ },
741
+ "considered": {
742
+ "suppressionsApplied": [],
743
+ "suppressionsSkipped": [],
744
+ "reachabilityFilter": "unaffected",
745
+ "clusterCollapsed": false,
746
+ "typeNarrowed": false,
747
+ "crownJewelTier": "unknown",
748
+ "mitigationVerdict": "unreachable-in-prod"
749
+ },
750
+ "scanner": {
751
+ "rulesetVersion": null,
752
+ "packHash": null,
753
+ "modelId": null
754
+ }
755
+ },
756
+ "adversaryTranscript": null,
757
+ "predictedBountyUsd": null,
758
+ "bountyConfidence": null,
759
+ "attackPlaybook": null
760
+ },
761
+ {
762
+ "id": "toctou-fs:agentic-security.js:362",
763
+ "kind": "sast",
764
+ "severity": "medium",
765
+ "vuln": "TOCTOU: file existence/permission check before open",
766
+ "cwe": "CWE-367",
767
+ "owaspLlm": null,
768
+ "stride": "Tampering",
769
+ "file": "agentic-security.js",
770
+ "line": 362,
771
+ "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
772
+ "fix": null,
773
+ "reachable": false,
774
+ "triage": 22,
775
+ "dataClasses": [],
776
+ "chain": null,
777
+ "confidence": 0.7,
778
+ "toxicity": 8,
779
+ "toxicityFactors": [],
780
+ "toxicityLabel": "Low",
781
+ "sources": null,
782
+ "epssScore": null,
783
+ "epssPercentile": null,
784
+ "epssCve": null,
785
+ "exploitedNow": false,
786
+ "tags": null,
787
+ "blastRadius": {
788
+ "scope": "all-users",
789
+ "dataAtRisk": [
790
+ "config"
791
+ ],
792
+ "userCount": 50,
793
+ "industry": "generic",
794
+ "jurisdictions": [],
795
+ "controlsApplied": [],
796
+ "dollarBest": 23250,
797
+ "dollarLikely": 136250,
798
+ "dollarWorst": 775000,
799
+ "dollarLow": 23250,
800
+ "dollarHigh": 775000,
801
+ "components": {
802
+ "incidentResponse": {
803
+ "low": 8000,
804
+ "likely": 50000,
805
+ "high": 250000
806
+ },
807
+ "legal": {
808
+ "low": 10000,
809
+ "likely": 75000,
810
+ "high": 500000
811
+ },
812
+ "crisisPR": {
813
+ "low": 0,
814
+ "likely": 0,
815
+ "high": 0
816
+ },
817
+ "notification": {
818
+ "low": 5000,
819
+ "likely": 10000,
820
+ "high": 15000
821
+ },
822
+ "creditMonitoring": {
823
+ "low": 0,
824
+ "likely": 0,
825
+ "high": 0
826
+ },
827
+ "regulatoryFines": {
828
+ "low": 0,
829
+ "likely": 0,
830
+ "high": 0
831
+ },
832
+ "directDamage": {
833
+ "low": 250,
834
+ "likely": 1250,
835
+ "high": 10000
836
+ },
837
+ "classAction": {
838
+ "low": 0,
839
+ "likely": 0,
840
+ "high": 0
841
+ },
842
+ "lostBusiness": {
843
+ "low": 0,
844
+ "likely": 0,
845
+ "high": 0
846
+ }
847
+ },
848
+ "dominantDriver": "legal counsel",
849
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
850
+ "confidence": "low",
851
+ "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
852
+ },
853
+ "stableId": "ba3080b44d262d10",
854
+ "confidenceTier": "medium",
855
+ "exploitability": 0.2,
856
+ "exploitabilityTier": "low",
857
+ "exploitabilityFactors": [
858
+ "sev:medium",
859
+ "unreachable"
860
+ ],
861
+ "clusterSize": null,
862
+ "unreachable": false,
863
+ "validator_verdict": "unvalidated",
864
+ "llm_confidence": null,
865
+ "unvalidated": true,
866
+ "cross_language": false,
867
+ "family": "toctou-file-existence-permission-check-b",
868
+ "parser": "TOCTOU",
869
+ "_unsigned": false,
870
+ "_passThroughSigning": false,
871
+ "signatureStatus": "verified",
872
+ "regression_test": null,
873
+ "poc": null,
874
+ "calibrated_confidence": null,
875
+ "calibrated_confidence_ci": null,
876
+ "calibrated_n": 0,
877
+ "calibration_reason": "no-history",
878
+ "verifier_verdict": "cannot-verify",
879
+ "verifier_reason": "no-poc-no-sanitizer-rule",
880
+ "verifier_runner": null,
881
+ "narration": null,
882
+ "mitigationVerdict": "unreachable-in-prod",
883
+ "mitigationsApplied": [],
884
+ "mitigatedByWaf": false,
885
+ "wafRuleId": null,
886
+ "mitigatedByAuth": false,
887
+ "authMechanism": null,
888
+ "mitigatedByNetwork": false,
889
+ "networkExposure": null,
890
+ "featureFlag": null,
891
+ "featureFlagState": null,
892
+ "featureFlagRollout": null,
893
+ "exposedInProd": false,
894
+ "unreachableInProd": true,
895
+ "coldPath": false,
896
+ "hotPath": false,
897
+ "prodRequestCount": null,
898
+ "crownJewelScore": 0,
899
+ "crownJewelTier": "unknown",
900
+ "crownJewelFactors": [],
901
+ "cloneClusterId": "12b0776a772e2188",
902
+ "cloneClusterSize": 1,
903
+ "provenance": "human-likely",
904
+ "provenanceScore": 0.04,
905
+ "typeNarrowed": null,
906
+ "strideCategory": "tampering",
907
+ "personaScores": {
908
+ "script-kiddie": {
909
+ "score": 0.4,
910
+ "tier": "medium",
911
+ "factors": [
912
+ "sev:medium"
913
+ ]
914
+ },
915
+ "opportunistic-criminal": {
916
+ "score": 0.4,
917
+ "tier": "medium",
918
+ "factors": [
919
+ "sev:medium"
920
+ ]
921
+ },
922
+ "apt-nation-state": {
923
+ "score": 0.4,
924
+ "tier": "medium",
925
+ "factors": [
926
+ "sev:medium"
927
+ ]
928
+ },
929
+ "supply-chain-attacker": {
930
+ "score": 0.4,
931
+ "tier": "medium",
932
+ "factors": [
933
+ "sev:medium"
934
+ ]
935
+ },
936
+ "malicious-insider": {
937
+ "score": 0.4,
938
+ "tier": "medium",
939
+ "factors": [
940
+ "sev:medium"
941
+ ]
942
+ }
943
+ },
944
+ "personaTopTwo": [
945
+ "script-kiddie",
946
+ "opportunistic-criminal"
947
+ ],
948
+ "personaMaxName": "script-kiddie",
949
+ "personaMaxScore": 0.4,
950
+ "reverseExposure": null,
951
+ "specMined": null,
952
+ "whyFired": {
953
+ "detector": "sast/toctou-file-existence-permission-check-b",
954
+ "ruleId": "CWE-367",
955
+ "parser": "TOCTOU",
956
+ "evidence": {
957
+ "sinkSnippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
958
+ "sourceSnippet": null,
959
+ "pathSteps": [],
960
+ "sanitizers": [],
961
+ "guards": []
962
+ },
963
+ "considered": {
964
+ "suppressionsApplied": [],
965
+ "suppressionsSkipped": [],
966
+ "reachabilityFilter": "unaffected",
967
+ "clusterCollapsed": false,
968
+ "typeNarrowed": false,
969
+ "crownJewelTier": "unknown",
970
+ "mitigationVerdict": "unreachable-in-prod"
971
+ },
972
+ "scanner": {
973
+ "rulesetVersion": null,
974
+ "packHash": null,
975
+ "modelId": null
976
+ }
977
+ },
978
+ "adversaryTranscript": null,
979
+ "predictedBountyUsd": null,
980
+ "bountyConfidence": null,
981
+ "attackPlaybook": null
982
+ },
983
+ {
984
+ "id": "toctou-fs:agentic-security.js:1136",
985
+ "kind": "sast",
986
+ "severity": "medium",
987
+ "vuln": "TOCTOU: file existence/permission check before open",
988
+ "cwe": "CWE-367",
989
+ "owaspLlm": null,
990
+ "stride": "Tampering",
991
+ "file": "agentic-security.js",
992
+ "line": 1136,
993
+ "snippet": "const st = fs.statSync(abs);",
994
+ "fix": null,
995
+ "reachable": false,
996
+ "triage": 22,
997
+ "dataClasses": [],
998
+ "chain": null,
999
+ "confidence": 0.7,
1000
+ "toxicity": 8,
1001
+ "toxicityFactors": [],
1002
+ "toxicityLabel": "Low",
1003
+ "sources": null,
1004
+ "epssScore": null,
1005
+ "epssPercentile": null,
1006
+ "epssCve": null,
1007
+ "exploitedNow": false,
1008
+ "tags": null,
1009
+ "blastRadius": {
1010
+ "scope": "all-users",
1011
+ "dataAtRisk": [
1012
+ "config"
1013
+ ],
1014
+ "userCount": 50,
1015
+ "industry": "generic",
1016
+ "jurisdictions": [],
1017
+ "controlsApplied": [],
1018
+ "dollarBest": 23250,
1019
+ "dollarLikely": 136250,
1020
+ "dollarWorst": 775000,
1021
+ "dollarLow": 23250,
1022
+ "dollarHigh": 775000,
1023
+ "components": {
1024
+ "incidentResponse": {
1025
+ "low": 8000,
1026
+ "likely": 50000,
1027
+ "high": 250000
1028
+ },
1029
+ "legal": {
1030
+ "low": 10000,
1031
+ "likely": 75000,
1032
+ "high": 500000
1033
+ },
1034
+ "crisisPR": {
1035
+ "low": 0,
1036
+ "likely": 0,
1037
+ "high": 0
1038
+ },
1039
+ "notification": {
1040
+ "low": 5000,
1041
+ "likely": 10000,
1042
+ "high": 15000
1043
+ },
1044
+ "creditMonitoring": {
1045
+ "low": 0,
1046
+ "likely": 0,
1047
+ "high": 0
1048
+ },
1049
+ "regulatoryFines": {
1050
+ "low": 0,
1051
+ "likely": 0,
1052
+ "high": 0
1053
+ },
1054
+ "directDamage": {
1055
+ "low": 250,
1056
+ "likely": 1250,
1057
+ "high": 10000
1058
+ },
1059
+ "classAction": {
1060
+ "low": 0,
1061
+ "likely": 0,
1062
+ "high": 0
1063
+ },
1064
+ "lostBusiness": {
1065
+ "low": 0,
1066
+ "likely": 0,
1067
+ "high": 0
1068
+ }
1069
+ },
1070
+ "dominantDriver": "legal counsel",
1071
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1072
+ "confidence": "low",
1073
+ "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1136` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1074
+ },
1075
+ "stableId": "17f63a600e3a68b4",
1076
+ "confidenceTier": "medium",
1077
+ "exploitability": 0.2,
1078
+ "exploitabilityTier": "low",
1079
+ "exploitabilityFactors": [
1080
+ "sev:medium",
1081
+ "unreachable"
1082
+ ],
1083
+ "clusterSize": null,
1084
+ "unreachable": false,
1085
+ "validator_verdict": "unvalidated",
1086
+ "llm_confidence": null,
1087
+ "unvalidated": true,
1088
+ "cross_language": false,
1089
+ "family": "toctou-file-existence-permission-check-b",
1090
+ "parser": "TOCTOU",
1091
+ "_unsigned": false,
1092
+ "_passThroughSigning": false,
1093
+ "signatureStatus": "verified",
1094
+ "regression_test": null,
1095
+ "poc": null,
1096
+ "calibrated_confidence": null,
1097
+ "calibrated_confidence_ci": null,
1098
+ "calibrated_n": 0,
1099
+ "calibration_reason": "no-history",
1100
+ "verifier_verdict": "cannot-verify",
1101
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1102
+ "verifier_runner": null,
1103
+ "narration": null,
1104
+ "mitigationVerdict": "unreachable-in-prod",
1105
+ "mitigationsApplied": [],
1106
+ "mitigatedByWaf": false,
1107
+ "wafRuleId": null,
1108
+ "mitigatedByAuth": false,
1109
+ "authMechanism": null,
1110
+ "mitigatedByNetwork": false,
1111
+ "networkExposure": null,
1112
+ "featureFlag": null,
1113
+ "featureFlagState": null,
1114
+ "featureFlagRollout": null,
1115
+ "exposedInProd": false,
1116
+ "unreachableInProd": true,
1117
+ "coldPath": false,
1118
+ "hotPath": false,
1119
+ "prodRequestCount": null,
1120
+ "crownJewelScore": 0,
1121
+ "crownJewelTier": "unknown",
1122
+ "crownJewelFactors": [],
1123
+ "cloneClusterId": "69ff35f4d54a4549",
1124
+ "cloneClusterSize": 1,
1125
+ "provenance": "human-likely",
1126
+ "provenanceScore": 0.04,
1127
+ "typeNarrowed": null,
1128
+ "strideCategory": "tampering",
1129
+ "personaScores": {
1130
+ "script-kiddie": {
1131
+ "score": 0.4,
1132
+ "tier": "medium",
1133
+ "factors": [
1134
+ "sev:medium"
1135
+ ]
1136
+ },
1137
+ "opportunistic-criminal": {
1138
+ "score": 0.4,
1139
+ "tier": "medium",
1140
+ "factors": [
1141
+ "sev:medium"
1142
+ ]
1143
+ },
1144
+ "apt-nation-state": {
1145
+ "score": 0.4,
1146
+ "tier": "medium",
1147
+ "factors": [
1148
+ "sev:medium"
1149
+ ]
1150
+ },
1151
+ "supply-chain-attacker": {
1152
+ "score": 0.4,
1153
+ "tier": "medium",
1154
+ "factors": [
1155
+ "sev:medium"
1156
+ ]
1157
+ },
1158
+ "malicious-insider": {
1159
+ "score": 0.4,
1160
+ "tier": "medium",
1161
+ "factors": [
1162
+ "sev:medium"
1163
+ ]
1164
+ }
1165
+ },
1166
+ "personaTopTwo": [
1167
+ "script-kiddie",
1168
+ "opportunistic-criminal"
1169
+ ],
1170
+ "personaMaxName": "script-kiddie",
1171
+ "personaMaxScore": 0.4,
1172
+ "reverseExposure": null,
1173
+ "specMined": null,
1174
+ "whyFired": {
1175
+ "detector": "sast/toctou-file-existence-permission-check-b",
1176
+ "ruleId": "CWE-367",
1177
+ "parser": "TOCTOU",
1178
+ "evidence": {
1179
+ "sinkSnippet": "const st = fs.statSync(abs);",
1180
+ "sourceSnippet": null,
1181
+ "pathSteps": [],
1182
+ "sanitizers": [],
1183
+ "guards": []
1184
+ },
1185
+ "considered": {
1186
+ "suppressionsApplied": [],
1187
+ "suppressionsSkipped": [],
1188
+ "reachabilityFilter": "unaffected",
1189
+ "clusterCollapsed": false,
1190
+ "typeNarrowed": false,
1191
+ "crownJewelTier": "unknown",
1192
+ "mitigationVerdict": "unreachable-in-prod"
1193
+ },
1194
+ "scanner": {
1195
+ "rulesetVersion": null,
1196
+ "packHash": null,
1197
+ "modelId": null
1198
+ }
1199
+ },
1200
+ "adversaryTranscript": null,
1201
+ "predictedBountyUsd": null,
1202
+ "bountyConfidence": null,
1203
+ "attackPlaybook": null
1204
+ },
1205
+ {
1206
+ "id": "40a1d57f1e523620",
1207
+ "kind": "logic",
1208
+ "severity": "medium",
1209
+ "vuln": "Missing Unsigned Numeric Validation",
1210
+ "cwe": "CWE-20",
1211
+ "stride": "Tampering",
1212
+ "file": "agentic-security-audit.js",
1213
+ "line": 131,
1214
+ "snippet": "const rejRate = c.total > 0 ? (c.rejected || 0) / c.total : 0;",
1215
+ "fix": {
1216
+ "description": "Validate that numeric inputs are positive integers server-side before processing.",
1217
+ "code": "// BEFORE\nawait BasketItem.update({ quantity: req.body.quantity });\n\n// AFTER\nif (!Number.isInteger(req.body.quantity) || req.body.quantity < 1)\n return res.status(400).json({ error: 'Invalid quantity' });"
1218
+ },
1219
+ "blastRadius": {
1220
+ "scope": "all-users",
1221
+ "dataAtRisk": [
1222
+ "config"
1223
+ ],
1224
+ "userCount": 50,
1225
+ "industry": "generic",
1226
+ "jurisdictions": [],
1227
+ "controlsApplied": [],
1228
+ "dollarBest": 23250,
1229
+ "dollarLikely": 136250,
1230
+ "dollarWorst": 775000,
1231
+ "dollarLow": 23250,
1232
+ "dollarHigh": 775000,
1233
+ "components": {
1234
+ "incidentResponse": {
1235
+ "low": 8000,
1236
+ "likely": 50000,
1237
+ "high": 250000
1238
+ },
1239
+ "legal": {
1240
+ "low": 10000,
1241
+ "likely": 75000,
1242
+ "high": 500000
1243
+ },
1244
+ "crisisPR": {
1245
+ "low": 0,
1246
+ "likely": 0,
1247
+ "high": 0
1248
+ },
1249
+ "notification": {
1250
+ "low": 5000,
1251
+ "likely": 10000,
1252
+ "high": 15000
1253
+ },
1254
+ "creditMonitoring": {
1255
+ "low": 0,
1256
+ "likely": 0,
1257
+ "high": 0
1258
+ },
1259
+ "regulatoryFines": {
1260
+ "low": 0,
1261
+ "likely": 0,
1262
+ "high": 0
1263
+ },
1264
+ "directDamage": {
1265
+ "low": 250,
1266
+ "likely": 1250,
1267
+ "high": 10000
1268
+ },
1269
+ "classAction": {
1270
+ "low": 0,
1271
+ "likely": 0,
1272
+ "high": 0
1273
+ },
1274
+ "lostBusiness": {
1275
+ "low": 0,
1276
+ "likely": 0,
1277
+ "high": 0
1278
+ }
1279
+ },
1280
+ "dominantDriver": "legal counsel",
1281
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1282
+ "confidence": "low",
1283
+ "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1284
+ },
1285
+ "parser": "LOGIC",
1286
+ "family": null
1287
+ },
1288
+ {
1289
+ "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
1290
+ "kind": "logic",
1291
+ "severity": "medium",
1292
+ "vuln": "TOCTOU: existsSync followed by file op",
1293
+ "cwe": "CWE-367",
1294
+ "stride": "Tampering",
1295
+ "file": "agentic-security-audit.js",
1296
+ "line": 55,
1297
+ "snippet": "if (!fs.existsSync(fp)) return [];",
1298
+ "fix": {
1299
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1300
+ "code": ""
1301
+ },
1302
+ "blastRadius": {
1303
+ "scope": "all-users",
1304
+ "dataAtRisk": [
1305
+ "config"
1306
+ ],
1307
+ "userCount": 50,
1308
+ "industry": "generic",
1309
+ "jurisdictions": [],
1310
+ "controlsApplied": [],
1311
+ "dollarBest": 23250,
1312
+ "dollarLikely": 136250,
1313
+ "dollarWorst": 775000,
1314
+ "dollarLow": 23250,
1315
+ "dollarHigh": 775000,
1316
+ "components": {
1317
+ "incidentResponse": {
1318
+ "low": 8000,
1319
+ "likely": 50000,
1320
+ "high": 250000
1321
+ },
1322
+ "legal": {
1323
+ "low": 10000,
1324
+ "likely": 75000,
1325
+ "high": 500000
1326
+ },
1327
+ "crisisPR": {
1328
+ "low": 0,
1329
+ "likely": 0,
1330
+ "high": 0
1331
+ },
1332
+ "notification": {
1333
+ "low": 5000,
1334
+ "likely": 10000,
1335
+ "high": 15000
1336
+ },
1337
+ "creditMonitoring": {
1338
+ "low": 0,
1339
+ "likely": 0,
1340
+ "high": 0
1341
+ },
1342
+ "regulatoryFines": {
1343
+ "low": 0,
1344
+ "likely": 0,
1345
+ "high": 0
1346
+ },
1347
+ "directDamage": {
1348
+ "low": 250,
1349
+ "likely": 1250,
1350
+ "high": 10000
1351
+ },
1352
+ "classAction": {
1353
+ "low": 0,
1354
+ "likely": 0,
1355
+ "high": 0
1356
+ },
1357
+ "lostBusiness": {
1358
+ "low": 0,
1359
+ "likely": 0,
1360
+ "high": 0
1361
+ }
1362
+ },
1363
+ "dominantDriver": "legal counsel",
1364
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1365
+ "confidence": "low",
1366
+ "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1367
+ },
1368
+ "parser": "LOGIC",
1369
+ "family": null
1370
+ },
1371
+ {
1372
+ "id": "e2445e40b5e43c01",
1373
+ "kind": "logic",
1374
+ "severity": "medium",
1375
+ "vuln": "Race Condition (TOCTOU)",
1376
+ "cwe": "CWE-367",
1377
+ "stride": "Tampering",
1378
+ "file": "agentic-security-consistency.js",
1379
+ "line": 66,
1380
+ "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
1381
+ "fix": {
1382
+ "description": "Use atomic operations instead of check-then-act patterns.",
1383
+ "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
1384
+ },
1385
+ "blastRadius": {
1386
+ "scope": "all-users",
1387
+ "dataAtRisk": [
1388
+ "config"
1389
+ ],
1390
+ "userCount": 50,
1391
+ "industry": "generic",
1392
+ "jurisdictions": [],
1393
+ "controlsApplied": [],
1394
+ "dollarBest": 23250,
1395
+ "dollarLikely": 136250,
1396
+ "dollarWorst": 775000,
1397
+ "dollarLow": 23250,
1398
+ "dollarHigh": 775000,
1399
+ "components": {
1400
+ "incidentResponse": {
1401
+ "low": 8000,
1402
+ "likely": 50000,
1403
+ "high": 250000
1404
+ },
1405
+ "legal": {
1406
+ "low": 10000,
1407
+ "likely": 75000,
1408
+ "high": 500000
1409
+ },
1410
+ "crisisPR": {
1411
+ "low": 0,
1412
+ "likely": 0,
1413
+ "high": 0
1414
+ },
1415
+ "notification": {
1416
+ "low": 5000,
1417
+ "likely": 10000,
1418
+ "high": 15000
1419
+ },
1420
+ "creditMonitoring": {
1421
+ "low": 0,
1422
+ "likely": 0,
1423
+ "high": 0
1424
+ },
1425
+ "regulatoryFines": {
1426
+ "low": 0,
1427
+ "likely": 0,
1428
+ "high": 0
1429
+ },
1430
+ "directDamage": {
1431
+ "low": 250,
1432
+ "likely": 1250,
1433
+ "high": 10000
1434
+ },
1435
+ "classAction": {
1436
+ "low": 0,
1437
+ "likely": 0,
1438
+ "high": 0
1439
+ },
1440
+ "lostBusiness": {
1441
+ "low": 0,
1442
+ "likely": 0,
1443
+ "high": 0
1444
+ }
1445
+ },
1446
+ "dominantDriver": "legal counsel",
1447
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1448
+ "confidence": "low",
1449
+ "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1450
+ },
1451
+ "parser": "LOGIC",
1452
+ "family": null
1453
+ },
1454
+ {
1455
+ "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
1456
+ "kind": "logic",
1457
+ "severity": "medium",
1458
+ "vuln": "TOCTOU: existsSync followed by file op",
1459
+ "cwe": "CWE-367",
1460
+ "stride": "Tampering",
1461
+ "file": "agentic-security-consistency.js",
1462
+ "line": 44,
1463
+ "snippet": "if (!fs.existsSync(scanFile)) {",
1464
+ "fix": {
1465
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1466
+ "code": ""
1467
+ },
1468
+ "blastRadius": {
1469
+ "scope": "all-users",
1470
+ "dataAtRisk": [
1471
+ "config"
1472
+ ],
1473
+ "userCount": 50,
1474
+ "industry": "generic",
1475
+ "jurisdictions": [],
1476
+ "controlsApplied": [],
1477
+ "dollarBest": 23250,
1478
+ "dollarLikely": 136250,
1479
+ "dollarWorst": 775000,
1480
+ "dollarLow": 23250,
1481
+ "dollarHigh": 775000,
1482
+ "components": {
1483
+ "incidentResponse": {
1484
+ "low": 8000,
1485
+ "likely": 50000,
1486
+ "high": 250000
1487
+ },
1488
+ "legal": {
1489
+ "low": 10000,
1490
+ "likely": 75000,
1491
+ "high": 500000
1492
+ },
1493
+ "crisisPR": {
1494
+ "low": 0,
1495
+ "likely": 0,
1496
+ "high": 0
1497
+ },
1498
+ "notification": {
1499
+ "low": 5000,
1500
+ "likely": 10000,
1501
+ "high": 15000
1502
+ },
1503
+ "creditMonitoring": {
1504
+ "low": 0,
1505
+ "likely": 0,
1506
+ "high": 0
1507
+ },
1508
+ "regulatoryFines": {
1509
+ "low": 0,
1510
+ "likely": 0,
1511
+ "high": 0
1512
+ },
1513
+ "directDamage": {
1514
+ "low": 250,
1515
+ "likely": 1250,
1516
+ "high": 10000
1517
+ },
1518
+ "classAction": {
1519
+ "low": 0,
1520
+ "likely": 0,
1521
+ "high": 0
1522
+ },
1523
+ "lostBusiness": {
1524
+ "low": 0,
1525
+ "likely": 0,
1526
+ "high": 0
1527
+ }
1528
+ },
1529
+ "dominantDriver": "legal counsel",
1530
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1531
+ "confidence": "low",
1532
+ "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1533
+ },
1534
+ "parser": "LOGIC",
1535
+ "family": null
1536
+ },
1537
+ {
1538
+ "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
1539
+ "kind": "logic",
1540
+ "severity": "medium",
1541
+ "vuln": "TOCTOU: existsSync followed by file op",
1542
+ "cwe": "CWE-367",
1543
+ "stride": "Tampering",
1544
+ "file": "agentic-security-consistency.js",
1545
+ "line": 66,
1546
+ "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
1547
+ "fix": {
1548
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1549
+ "code": ""
1550
+ },
1551
+ "blastRadius": {
1552
+ "scope": "all-users",
1553
+ "dataAtRisk": [
1554
+ "config"
1555
+ ],
1556
+ "userCount": 50,
1557
+ "industry": "generic",
1558
+ "jurisdictions": [],
1559
+ "controlsApplied": [],
1560
+ "dollarBest": 23250,
1561
+ "dollarLikely": 136250,
1562
+ "dollarWorst": 775000,
1563
+ "dollarLow": 23250,
1564
+ "dollarHigh": 775000,
1565
+ "components": {
1566
+ "incidentResponse": {
1567
+ "low": 8000,
1568
+ "likely": 50000,
1569
+ "high": 250000
1570
+ },
1571
+ "legal": {
1572
+ "low": 10000,
1573
+ "likely": 75000,
1574
+ "high": 500000
1575
+ },
1576
+ "crisisPR": {
1577
+ "low": 0,
1578
+ "likely": 0,
1579
+ "high": 0
1580
+ },
1581
+ "notification": {
1582
+ "low": 5000,
1583
+ "likely": 10000,
1584
+ "high": 15000
1585
+ },
1586
+ "creditMonitoring": {
1587
+ "low": 0,
1588
+ "likely": 0,
1589
+ "high": 0
1590
+ },
1591
+ "regulatoryFines": {
1592
+ "low": 0,
1593
+ "likely": 0,
1594
+ "high": 0
1595
+ },
1596
+ "directDamage": {
1597
+ "low": 250,
1598
+ "likely": 1250,
1599
+ "high": 10000
1600
+ },
1601
+ "classAction": {
1602
+ "low": 0,
1603
+ "likely": 0,
1604
+ "high": 0
1605
+ },
1606
+ "lostBusiness": {
1607
+ "low": 0,
1608
+ "likely": 0,
1609
+ "high": 0
1610
+ }
1611
+ },
1612
+ "dominantDriver": "legal counsel",
1613
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1614
+ "confidence": "low",
1615
+ "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1616
+ },
1617
+ "parser": "LOGIC",
1618
+ "family": null
1619
+ },
1620
+ {
1621
+ "id": "49e1e00962a1950c",
1622
+ "kind": "logic",
1623
+ "severity": "medium",
1624
+ "vuln": "Weak Randomness",
1625
+ "cwe": "CWE-330",
1626
+ "stride": "Spoofing",
1627
+ "file": "agentic-security-rule.js",
1628
+ "line": 98,
1629
+ "snippet": "id: `key-${new Date().toISOString().slice(0, 10)}-${Math.random().toString(36).slice(2, 6)}`,",
1630
+ "fix": {
1631
+ "description": "Use crypto.randomBytes or crypto.randomUUID for security-sensitive values.",
1632
+ "code": "// BEFORE\nconst token = Math.random().toString(36);\n\n// AFTER\nconst token = crypto.randomBytes(32).toString('hex');"
1633
+ },
1634
+ "blastRadius": {
1635
+ "scope": "all-users",
1636
+ "dataAtRisk": [
1637
+ "config"
1638
+ ],
1639
+ "userCount": 50,
1640
+ "industry": "generic",
1641
+ "jurisdictions": [],
1642
+ "controlsApplied": [],
1643
+ "dollarBest": 23250,
1644
+ "dollarLikely": 136250,
1645
+ "dollarWorst": 775000,
1646
+ "dollarLow": 23250,
1647
+ "dollarHigh": 775000,
1648
+ "components": {
1649
+ "incidentResponse": {
1650
+ "low": 8000,
1651
+ "likely": 50000,
1652
+ "high": 250000
1653
+ },
1654
+ "legal": {
1655
+ "low": 10000,
1656
+ "likely": 75000,
1657
+ "high": 500000
1658
+ },
1659
+ "crisisPR": {
1660
+ "low": 0,
1661
+ "likely": 0,
1662
+ "high": 0
1663
+ },
1664
+ "notification": {
1665
+ "low": 5000,
1666
+ "likely": 10000,
1667
+ "high": 15000
1668
+ },
1669
+ "creditMonitoring": {
1670
+ "low": 0,
1671
+ "likely": 0,
1672
+ "high": 0
1673
+ },
1674
+ "regulatoryFines": {
1675
+ "low": 0,
1676
+ "likely": 0,
1677
+ "high": 0
1678
+ },
1679
+ "directDamage": {
1680
+ "low": 250,
1681
+ "likely": 1250,
1682
+ "high": 10000
1683
+ },
1684
+ "classAction": {
1685
+ "low": 0,
1686
+ "likely": 0,
1687
+ "high": 0
1688
+ },
1689
+ "lostBusiness": {
1690
+ "low": 0,
1691
+ "likely": 0,
1692
+ "high": 0
1693
+ }
1694
+ },
1695
+ "dominantDriver": "legal counsel",
1696
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1697
+ "confidence": "low",
1698
+ "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1699
+ },
1700
+ "parser": "LOGIC",
1701
+ "family": null
1702
+ },
1703
+ {
1704
+ "id": "logic:agentic-security.js:362:TOCTOU:_existsSync_followed_by_file_op",
1705
+ "kind": "logic",
1706
+ "severity": "medium",
1707
+ "vuln": "TOCTOU: existsSync followed by file op",
1708
+ "cwe": "CWE-367",
1709
+ "stride": "Tampering",
1710
+ "file": "agentic-security.js",
1711
+ "line": 362,
1712
+ "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
1713
+ "fix": {
1714
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1715
+ "code": ""
1716
+ },
1717
+ "blastRadius": {
1718
+ "scope": "all-users",
1719
+ "dataAtRisk": [
1720
+ "config"
1721
+ ],
1722
+ "userCount": 50,
1723
+ "industry": "generic",
1724
+ "jurisdictions": [],
1725
+ "controlsApplied": [],
1726
+ "dollarBest": 23250,
1727
+ "dollarLikely": 136250,
1728
+ "dollarWorst": 775000,
1729
+ "dollarLow": 23250,
1730
+ "dollarHigh": 775000,
1731
+ "components": {
1732
+ "incidentResponse": {
1733
+ "low": 8000,
1734
+ "likely": 50000,
1735
+ "high": 250000
1736
+ },
1737
+ "legal": {
1738
+ "low": 10000,
1739
+ "likely": 75000,
1740
+ "high": 500000
1741
+ },
1742
+ "crisisPR": {
1743
+ "low": 0,
1744
+ "likely": 0,
1745
+ "high": 0
1746
+ },
1747
+ "notification": {
1748
+ "low": 5000,
1749
+ "likely": 10000,
1750
+ "high": 15000
1751
+ },
1752
+ "creditMonitoring": {
1753
+ "low": 0,
1754
+ "likely": 0,
1755
+ "high": 0
1756
+ },
1757
+ "regulatoryFines": {
1758
+ "low": 0,
1759
+ "likely": 0,
1760
+ "high": 0
1761
+ },
1762
+ "directDamage": {
1763
+ "low": 250,
1764
+ "likely": 1250,
1765
+ "high": 10000
1766
+ },
1767
+ "classAction": {
1768
+ "low": 0,
1769
+ "likely": 0,
1770
+ "high": 0
1771
+ },
1772
+ "lostBusiness": {
1773
+ "low": 0,
1774
+ "likely": 0,
1775
+ "high": 0
1776
+ }
1777
+ },
1778
+ "dominantDriver": "legal counsel",
1779
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1780
+ "confidence": "low",
1781
+ "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1782
+ },
1783
+ "parser": "LOGIC",
1784
+ "family": null
1785
+ }
1786
+ ],
1787
+ "bundles": [],
1788
+ "routes": [],
1789
+ "components": [],
1790
+ "suppressedCount": 39,
1791
+ "blastRadiusSignals": {
1792
+ "industry": "generic",
1793
+ "industryConfidence": "low",
1794
+ "jurisdictions": [],
1795
+ "controls": [],
1796
+ "estimatedUsers": 50,
1797
+ "revenueIndicator": "pre-revenue",
1798
+ "hasStripe": false,
1799
+ "hasAuth": false,
1800
+ "hasUserTable": false,
1801
+ "hasPII": false,
1802
+ "hasPHI": false,
1803
+ "hasS3": false
1804
+ },
1805
+ "_v3": {
1806
+ "counterfactual": {
1807
+ "spofControls": [],
1808
+ "controlsDetected": 118
1809
+ },
1810
+ "threatModel": {
1811
+ "summary": {
1812
+ "assetCount": 1,
1813
+ "boundaryCount": 0,
1814
+ "strideCounts": {
1815
+ "spoofing": 0,
1816
+ "tampering": 5,
1817
+ "repudiation": 0,
1818
+ "informationDisclosure": 0,
1819
+ "denialOfService": 0,
1820
+ "elevationOfPrivilege": 0
1821
+ }
1822
+ },
1823
+ "assets": [
1824
+ {
1825
+ "name": "AGENTIC_SECURITY_PRIVATE_KEY",
1826
+ "file": "agentic-security-rule.js",
1827
+ "line": 121,
1828
+ "category": "secret",
1829
+ "exposure": "internal"
1830
+ }
1831
+ ],
1832
+ "trustBoundaries": [],
1833
+ "stride": {
1834
+ "spoofing": [],
1835
+ "tampering": [
1836
+ {
1837
+ "vuln": "TOCTOU: file existence/permission check before open",
1838
+ "file": "agentic-security-audit.js",
1839
+ "line": 55,
1840
+ "severity": "medium"
1841
+ },
1842
+ {
1843
+ "vuln": "TOCTOU: file existence/permission check before open",
1844
+ "file": "agentic-security-consistency.js",
1845
+ "line": 44,
1846
+ "severity": "medium"
1847
+ },
1848
+ {
1849
+ "vuln": "TOCTOU: file existence/permission check before open",
1850
+ "file": "agentic-security-consistency.js",
1851
+ "line": 66,
1852
+ "severity": "medium"
1853
+ },
1854
+ {
1855
+ "vuln": "TOCTOU: file existence/permission check before open",
1856
+ "file": "agentic-security.js",
1857
+ "line": 362,
1858
+ "severity": "medium"
1859
+ },
1860
+ {
1861
+ "vuln": "TOCTOU: file existence/permission check before open",
1862
+ "file": "agentic-security.js",
1863
+ "line": 1136,
1864
+ "severity": "medium"
1865
+ }
1866
+ ],
1867
+ "repudiation": [],
1868
+ "informationDisclosure": [],
1869
+ "denialOfService": [],
1870
+ "elevationOfPrivilege": []
1871
+ }
1872
+ },
1873
+ "trustBoundaryDiagram": {
1874
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_PRIVATE_KEY[/\"secret: AGENTIC_SECURITY_PRIVATE_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_PRIVATE_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1875
+ "nodes": [
1876
+ {
1877
+ "id": "INTERNET",
1878
+ "kind": "external",
1879
+ "label": "Internet"
1880
+ },
1881
+ {
1882
+ "id": "APP",
1883
+ "kind": "app",
1884
+ "label": "Application"
1885
+ },
1886
+ {
1887
+ "id": "asset_secret_AGENTIC_SECURITY_PRIVATE_KEY",
1888
+ "kind": "asset",
1889
+ "label": "secret: AGENTIC_SECURITY_PRIVATE_KEY"
1890
+ }
1891
+ ],
1892
+ "edges": [
1893
+ {
1894
+ "from": "APP",
1895
+ "to": "asset_secret_AGENTIC_SECURITY_PRIVATE_KEY",
1896
+ "kind": "asset"
1897
+ }
1898
+ ],
1899
+ "decorations": []
1900
+ },
1901
+ "calibrationDrift": {
1902
+ "alarms": [],
1903
+ "note": "no-feedback-data"
1904
+ }
1905
+ },
1906
+ "annotatorErrors": []
1907
+ }