npm - @clear-capabilities/agentic-security-scanner - Versions diffs - 0.77.0 → 0.78.0 - Mend

@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/bin/.agentic-security/findings.json +1907 -0
package/bin/.agentic-security/last-scan.json +1907 -0
package/bin/.agentic-security/last-scan.json.sig +1 -0
package/bin/.agentic-security/scan-history.json +115 -0
package/bin/.agentic-security/streak.json +20 -0
package/bin/agentic-security.js +33 -2
package/dist/178.index.js +1 -1
package/dist/384.index.js +1 -1
package/dist/637.index.js +1 -1
package/dist/718.index.js +106 -0
package/dist/824.index.js +126 -0
package/dist/838.index.js +1 -1
package/dist/agentic-security.mjs +32 -32
package/dist/agentic-security.mjs.sha256 +1 -1
package/package.json +3 -3
package/src/.agentic-security/findings.json +82642 -0
package/src/.agentic-security/last-scan.json +82642 -0
package/src/.agentic-security/last-scan.json.sig +1 -0
package/src/.agentic-security/scan-history.json +10054 -0
package/src/.agentic-security/streak.json +21 -0
package/src/dataflow/.agentic-security/findings.json +3515 -0
package/src/dataflow/.agentic-security/last-scan.json +3515 -0
package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
package/src/dataflow/.agentic-security/scan-history.json +702 -0
package/src/dataflow/.agentic-security/streak.json +22 -0
package/src/dataflow/async-sequencing.js +16 -7
package/src/dataflow/builtin-summaries.js +131 -0
package/src/dataflow/catalog.js +107 -0
package/src/dataflow/cross-repo.js +75 -1
package/src/dataflow/engine.js +129 -0
package/src/dataflow/implicit-flow.js +24 -6
package/src/dataflow/stub-aware-filter.js +69 -11
package/src/dataflow/summaries.js +28 -3
package/src/engine-parallel.js +70 -0
package/src/engine.js +165 -15
package/src/ir/.agentic-security/findings.json +3777 -0
package/src/ir/.agentic-security/last-scan.json +3777 -0
package/src/ir/.agentic-security/last-scan.json.sig +1 -0
package/src/ir/.agentic-security/scan-history.json +771 -0
package/src/ir/.agentic-security/streak.json +21 -0
package/src/ir/index.js +22 -1
package/src/ir/parser-go.js +403 -0
package/src/ir/parser-js.js +2 -0
package/src/ir/parser-php.js +330 -0
package/src/ir/parser-py.helper.py +137 -11
package/src/ir/parser-rb.js +309 -0
package/src/posture/.agentic-security/findings.json +51562 -0
package/src/posture/.agentic-security/last-scan.json +51562 -0
package/src/posture/.agentic-security/last-scan.json.sig +1 -0
package/src/posture/.agentic-security/scan-history.json +650 -0
package/src/posture/.agentic-security/streak.json +20 -0
package/src/posture/calibration.js +14 -0
package/src/posture/triage.js +13 -0
package/src/report/.agentic-security/findings.json +80 -0
package/src/report/.agentic-security/last-scan.json +80 -0
package/src/report/.agentic-security/last-scan.json.sig +1 -0
package/src/report/.agentic-security/scan-history.json +35 -0
package/src/report/.agentic-security/streak.json +22 -0
package/src/report/index.js +23 -2
package/src/sast/.agentic-security/findings.json +5190 -0
package/src/sast/.agentic-security/last-scan.json +5190 -0
package/src/sast/.agentic-security/last-scan.json.sig +1 -0
package/src/sast/.agentic-security/scan-history.json +408 -0
package/src/sast/.agentic-security/streak.json +20 -0
package/src/sast/cache-poisoning.js +77 -0
package/src/sast/comparison-safety.js +73 -0
package/src/sast/db-taint.js +54 -0
package/src/sast/graphql.js +127 -0
package/src/sast/llm-stored-prompt.js +57 -0
package/src/sast/mutation-xss.js +43 -0
package/src/sast/nosql-injection.js +5 -0
package/src/sast/null-byte-injection.js +76 -0
package/src/sast/redos-nfa.js +338 -0
package/src/sast/sensitive-data-logging.js +73 -0
package/src/sast/weak-password-hash.js +77 -0
package/src/sast/weak-randomness.js +100 -0
package/src/sca/.agentic-security/findings.json +1587 -0
package/src/sca/.agentic-security/last-scan.json +1587 -0
package/src/sca/.agentic-security/last-scan.json.sig +1 -0
package/src/sca/.agentic-security/scan-history.json +36 -0
package/src/sca/.agentic-security/streak.json +21 -0
package/src/sca/llm-function-extract.js +107 -0
package/src/sca/vendor-detect.js +91 -0

package/src/posture/.agentic-security/scan-history.json ADDED Viewed

@@ -0,0 +1,650 @@
+[
+  {
+    "timestamp": "2026-05-27T11:16:44.690Z",
+    "label": "scan",
+    "total": 204,
+    "critical": 0,
+    "high": 0,
+    "medium": 11,
+    "low": 193,
+    "kev": 0,
+    "ids": [
+      "llm-redteam:noMaxTokens:aibom.js:31",
+      "llm-redteam:noMaxTokens:aibom.js:34",
+      "llm-redteam:userInputInSystem:adversary-agent.js:109",
+      "prompt-firewall:MISSING_MAX_TOKENS:aibom.js:31",
+      "prompt-tpl:llm-redteam-prompts.js:332:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "prototype-pollution-direct:adversarial-self-test.js:60",
+      "ssrf-meta-hardcoded:attack-playbooks.js:72",
+      "ssrf-meta-hardcoded:defender-agent.js:41",
+      "ssrf-meta-hardcoded:flow-narration.js:24",
+      "ssrf-meta-hardcoded:verifier.js:55",
+      "state-machine:business-logic.js:141:<not in set>",
+      "state-machine:fix-history.js:255:failed",
+      "state-machine:fix-history.js:261:applied",
+      "state-machine:fix-history.js:306:failed",
+      "state-machine:fix-history.js:316:applied-stale",
+      "state-machine:fix-history.js:319:applied",
+      "state-machine:fix-history.js:324:failed",
+      "state-machine:fix-history.js:329:failed",
+      "state-machine:triage.js:58:fixed",
+      "struct:agents-memory.js:103:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:107:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:70:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:72:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:201:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:202:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:291:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:293:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:332:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:334:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:369:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:370:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:387:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:323:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:345:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:60:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:218:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:228:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:271:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:273:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:290:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:38:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:142:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:145:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:348:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:42:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-plan.js:111:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify.js:65:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:69:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:integrity.js:77:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:83:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:learning.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:85:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:87:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:157:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:162:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:pre-incident-archaeology.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:46:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:73:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:75:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:109:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:155:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:156:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:199:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:207:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:100:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:37:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:14:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:179:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:188:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:28:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:59:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:41:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:18:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-ephemeral.js:90:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier.js:129:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:138:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:140:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:agents-memory.js:107",
+      "toctou-fs:agents-memory.js:44",
+      "toctou-fs:agents-memory.js:69",
+      "toctou-fs:agents-memory.js:72",
+      "toctou-fs:auth-posture-import.js:53",
+      "toctou-fs:calibration-drift.js:39",
+      "toctou-fs:cve-alert-daemon.js:271",
+      "toctou-fs:cve-alert-daemon.js:289",
+      "toctou-fs:cve-lookup.js:32",
+      "toctou-fs:deterministic.js:53",
+      "toctou-fs:epss.js:34",
+      "toctou-fs:exploitability-probability.js:142",
+      "toctou-fs:feature-flags.js:53",
+      "toctou-fs:fix-history.js:25",
+      "toctou-fs:fix-history.js:42",
+      "toctou-fs:fix-verify-loop.js:33",
+      "toctou-fs:grader-calibration.js:34",
+      "toctou-fs:harness-discovery.js:39",
+      "toctou-fs:holdout-eval.js:53",
+      "toctou-fs:integrity.js:43",
+      "toctou-fs:integrity.js:77",
+      "toctou-fs:learning.js:30",
+      "toctou-fs:license-policy.js:30",
+      "toctou-fs:network-policy-import.js:85",
+      "toctou-fs:policy-gate.js:154",
+      "toctou-fs:profile.js:45",
+      "toctou-fs:profile.js:78",
+      "toctou-fs:router.js:21",
+      "toctou-fs:rule-overrides.js:23",
+      "toctou-fs:rule-overrides.js:73",
+      "toctou-fs:rule-pack-signing.js:109",
+      "toctou-fs:rule-pack-signing.js:156",
+      "toctou-fs:rule-pack-signing.js:67",
+      "toctou-fs:rule-synthesis.js:24",
+      "toctou-fs:ruleset-version.js:36",
+      "toctou-fs:suppressions.js:26",
+      "toctou-fs:telemetry-ingest.js:41",
+      "toctou-fs:triage.js:18",
+      "toctou-fs:validator-metrics.js:35",
+      "toctou-fs:verifier-target.js:66",
+      "toctou-fs:version.js:43",
+      "toctou-fs:waf-ingest.js:138"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:18:32.723Z",
+    "label": "scan",
+    "total": 204,
+    "critical": 0,
+    "high": 0,
+    "medium": 11,
+    "low": 193,
+    "kev": 0,
+    "ids": [
+      "llm-redteam:noMaxTokens:aibom.js:31",
+      "llm-redteam:noMaxTokens:aibom.js:34",
+      "llm-redteam:userInputInSystem:adversary-agent.js:109",
+      "prompt-firewall:MISSING_MAX_TOKENS:aibom.js:31",
+      "prompt-tpl:llm-redteam-prompts.js:332:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "prototype-pollution-direct:adversarial-self-test.js:60",
+      "ssrf-meta-hardcoded:attack-playbooks.js:72",
+      "ssrf-meta-hardcoded:defender-agent.js:41",
+      "ssrf-meta-hardcoded:flow-narration.js:24",
+      "ssrf-meta-hardcoded:verifier.js:55",
+      "state-machine:business-logic.js:141:<not in set>",
+      "state-machine:fix-history.js:255:failed",
+      "state-machine:fix-history.js:261:applied",
+      "state-machine:fix-history.js:306:failed",
+      "state-machine:fix-history.js:316:applied-stale",
+      "state-machine:fix-history.js:319:applied",
+      "state-machine:fix-history.js:324:failed",
+      "state-machine:fix-history.js:329:failed",
+      "state-machine:triage.js:58:fixed",
+      "struct:agents-memory.js:103:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:107:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:70:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:72:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:201:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:202:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:291:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:293:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:332:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:334:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:369:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:370:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:387:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:323:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:345:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:60:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:218:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:228:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:271:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:273:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:290:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:38:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:142:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:145:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:348:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:42:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-plan.js:111:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify.js:65:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:69:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:integrity.js:77:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:83:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:learning.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:85:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:87:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:157:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:162:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:pre-incident-archaeology.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:46:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:73:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:75:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:109:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:155:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:156:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:199:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:207:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:100:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:37:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:14:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:179:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:188:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:28:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:59:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:41:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:18:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-ephemeral.js:90:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier.js:129:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:138:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:140:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:agents-memory.js:107",
+      "toctou-fs:agents-memory.js:44",
+      "toctou-fs:agents-memory.js:69",
+      "toctou-fs:agents-memory.js:72",
+      "toctou-fs:auth-posture-import.js:53",
+      "toctou-fs:calibration-drift.js:39",
+      "toctou-fs:cve-alert-daemon.js:271",
+      "toctou-fs:cve-alert-daemon.js:289",
+      "toctou-fs:cve-lookup.js:32",
+      "toctou-fs:deterministic.js:53",
+      "toctou-fs:epss.js:34",
+      "toctou-fs:exploitability-probability.js:142",
+      "toctou-fs:feature-flags.js:53",
+      "toctou-fs:fix-history.js:25",
+      "toctou-fs:fix-history.js:42",
+      "toctou-fs:fix-verify-loop.js:33",
+      "toctou-fs:grader-calibration.js:34",
+      "toctou-fs:harness-discovery.js:39",
+      "toctou-fs:holdout-eval.js:53",
+      "toctou-fs:integrity.js:43",
+      "toctou-fs:integrity.js:77",
+      "toctou-fs:learning.js:30",
+      "toctou-fs:license-policy.js:30",
+      "toctou-fs:network-policy-import.js:85",
+      "toctou-fs:policy-gate.js:154",
+      "toctou-fs:profile.js:45",
+      "toctou-fs:profile.js:78",
+      "toctou-fs:router.js:21",
+      "toctou-fs:rule-overrides.js:23",
+      "toctou-fs:rule-overrides.js:73",
+      "toctou-fs:rule-pack-signing.js:109",
+      "toctou-fs:rule-pack-signing.js:156",
+      "toctou-fs:rule-pack-signing.js:67",
+      "toctou-fs:rule-synthesis.js:24",
+      "toctou-fs:ruleset-version.js:36",
+      "toctou-fs:suppressions.js:26",
+      "toctou-fs:telemetry-ingest.js:41",
+      "toctou-fs:triage.js:18",
+      "toctou-fs:validator-metrics.js:35",
+      "toctou-fs:verifier-target.js:66",
+      "toctou-fs:version.js:43",
+      "toctou-fs:waf-ingest.js:138"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:19:53.822Z",
+    "label": "scan",
+    "total": 204,
+    "critical": 0,
+    "high": 0,
+    "medium": 11,
+    "low": 193,
+    "kev": 0,
+    "ids": [
+      "llm-redteam:noMaxTokens:aibom.js:31",
+      "llm-redteam:noMaxTokens:aibom.js:34",
+      "llm-redteam:userInputInSystem:adversary-agent.js:109",
+      "prompt-firewall:MISSING_MAX_TOKENS:aibom.js:31",
+      "prompt-tpl:llm-redteam-prompts.js:332:Prompt_Template__user_input_interpolated_into_prompt_string_",
+      "prototype-pollution-direct:adversarial-self-test.js:60",
+      "ssrf-meta-hardcoded:attack-playbooks.js:72",
+      "ssrf-meta-hardcoded:defender-agent.js:41",
+      "ssrf-meta-hardcoded:flow-narration.js:24",
+      "ssrf-meta-hardcoded:verifier.js:55",
+      "state-machine:business-logic.js:141:<not in set>",
+      "state-machine:fix-history.js:255:failed",
+      "state-machine:fix-history.js:261:applied",
+      "state-machine:fix-history.js:306:failed",
+      "state-machine:fix-history.js:316:applied-stale",
+      "state-machine:fix-history.js:319:applied",
+      "state-machine:fix-history.js:324:failed",
+      "state-machine:fix-history.js:329:failed",
+      "state-machine:triage.js:58:fixed",
+      "struct:agents-memory.js:103:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:107:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:70:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:72:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:agents-memory.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:auth-posture-import.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:201:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:202:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:291:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:293:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:332:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:334:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:369:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:370:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:blast-radius.js:387:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration-drift.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:108:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:calibration.js:98:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:323:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:345:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:60:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:custom-rules.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:218:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:228:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:271:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:273:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:289:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-alert-daemon.js:290:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:cve-lookup.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deploy-platform.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:deterministic.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:38:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:epss.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:142:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:exploitability-probability.js:145:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:feature-flags.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:348:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:42:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-history.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-plan.js:111:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify-loop.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:fix-verify.js:65:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:grader-calibration.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:holdout-eval.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:69:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:integrity.js:77:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:integrity.js:83:Mass_Assignment_(req.body_Direct_to_Model)",
+      "struct:learning.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:learning.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:license-policy.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:85:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:network-policy-import.js:87:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:157:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:policy-gate.js:162:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:pre-incident-archaeology.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:45:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:46:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:profile.js:82:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:router.js:27:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:23:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:73:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:75:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-overrides.js:78:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:109:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:155:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:156:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:199:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:207:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-pack-signing.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:100:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:rule-synthesis.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:ruleset-version.js:37:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:security-trend.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:stack-playbook.js:14:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:179:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:188:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:streak.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:28:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:suppressions.js:59:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:41:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:telemetry-ingest.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:18:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:triage.js:26:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:validator-metrics.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-ephemeral.js:90:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier-target.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:verifier.js:129:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:version.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:138:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:waf-ingest.js:140:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:agents-memory.js:107",
+      "toctou-fs:agents-memory.js:44",
+      "toctou-fs:agents-memory.js:69",
+      "toctou-fs:agents-memory.js:72",
+      "toctou-fs:auth-posture-import.js:53",
+      "toctou-fs:calibration-drift.js:39",
+      "toctou-fs:cve-alert-daemon.js:271",
+      "toctou-fs:cve-alert-daemon.js:289",
+      "toctou-fs:cve-lookup.js:32",
+      "toctou-fs:deterministic.js:53",
+      "toctou-fs:epss.js:34",
+      "toctou-fs:exploitability-probability.js:142",
+      "toctou-fs:feature-flags.js:53",
+      "toctou-fs:fix-history.js:25",
+      "toctou-fs:fix-history.js:42",
+      "toctou-fs:fix-verify-loop.js:33",
+      "toctou-fs:grader-calibration.js:34",
+      "toctou-fs:harness-discovery.js:39",
+      "toctou-fs:holdout-eval.js:53",
+      "toctou-fs:integrity.js:43",
+      "toctou-fs:integrity.js:77",
+      "toctou-fs:learning.js:30",
+      "toctou-fs:license-policy.js:30",
+      "toctou-fs:network-policy-import.js:85",
+      "toctou-fs:policy-gate.js:154",
+      "toctou-fs:profile.js:45",
+      "toctou-fs:profile.js:78",
+      "toctou-fs:router.js:21",
+      "toctou-fs:rule-overrides.js:23",
+      "toctou-fs:rule-overrides.js:73",
+      "toctou-fs:rule-pack-signing.js:109",
+      "toctou-fs:rule-pack-signing.js:156",
+      "toctou-fs:rule-pack-signing.js:67",
+      "toctou-fs:rule-synthesis.js:24",
+      "toctou-fs:ruleset-version.js:36",
+      "toctou-fs:suppressions.js:26",
+      "toctou-fs:telemetry-ingest.js:41",
+      "toctou-fs:triage.js:18",
+      "toctou-fs:validator-metrics.js:35",
+      "toctou-fs:verifier-target.js:66",
+      "toctou-fs:version.js:43",
+      "toctou-fs:waf-ingest.js:138"
+    ]
+  }
+]