@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/src/posture/.agentic-security/streak.json

@@ -0,0 +1,20 @@
+{
+  "firstScanDate": "2026-05-27T11:16:44.741Z",
+  "lastScanDate": "2026-05-27T11:19:53.871Z",
+  "totalScans": 3,
+  "daysCleanCritical": 0,
+  "lastCleanDate": null,
+  "lastCriticalDate": "2026-05-27",
+  "hasEverHadCritical": true,
+  "bestDaysCleanCritical": 0,
+  "totalFindingsAtFirstScan": 257,
+  "totalFindingsAtLastScan": 257,
+  "totalFixesInferred": 0,
+  "lastGrade": "C",
+  "bestGrade": "C",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan"
+  ],
+  "previousGrade": "C"
+}

package/src/posture/calibration.js

@@ -120,6 +120,20 @@ export function loadCalibrationHistory(scanRoot) {
   };
   if (seed) merge(seed);
   if (customer) merge(customer);
+  // Merge triage-derived TP/FP counts (auto-feedback loop)
+  try {
+    const triage = _readJsonMaybe(path.join(scanRoot || process.cwd(), '.agentic-security', 'triage.json'));
+    if (triage && triage.findings) {
+      const triageFams = {};
+      for (const f of Object.values(triage.findings)) {
+        const fam = f.family || 'unknown';
+        if (!triageFams[fam]) triageFams[fam] = { tp: 0, fp: 0 };
+        if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') triageFams[fam].tp++;
+        else if (f.state === 'false-positive') triageFams[fam].fp++;
+      }
+      merge({ families: triageFams });
+    }
+  } catch { /* triage file optional */ }
   return { families };
 }
 

package/src/posture/triage.js

@@ -144,3 +144,16 @@ export function trend(scanRoot, sinceDays = 30) {
     totalOpen: findings.filter(f => f.state === 'open' || f.state === 'in-progress').length,
   };
 }
+
+export function exportTriageMetrics(scanRoot) {
+  const triage = loadTriage(scanRoot);
+  const findings = Object.values(triage.findings || {});
+  const families = {};
+  for (const f of findings) {
+    const fam = f.family || 'unknown';
+    if (!families[fam]) families[fam] = { tp: 0, fp: 0 };
+    if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') families[fam].tp++;
+    else if (f.state === 'false-positive') families[fam].fp++;
+  }
+  return { families };
+}

package/src/report/.agentic-security/findings.json

@@ -0,0 +1,80 @@
+{
+  "scanId": "db8e3115-87e6-4e90-8041-31f9921c7b54",
+  "startedAt": "2026-05-27T11:09:28.873Z",
+  "durationMs": 183,
+  "scanned": {
+    "files": 2,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 0,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  },
+  "_v3": {
+    "counterfactual": {
+      "spofControls": [],
+      "controlsDetected": 174
+    },
+    "threatModel": {
+      "summary": {
+        "assetCount": 0,
+        "boundaryCount": 0,
+        "strideCounts": {
+          "spoofing": 0,
+          "tampering": 0,
+          "repudiation": 0,
+          "informationDisclosure": 0,
+          "denialOfService": 0,
+          "elevationOfPrivilege": 0
+        }
+      },
+      "assets": [],
+      "trustBoundaries": [],
+      "stride": {
+        "spoofing": [],
+        "tampering": [],
+        "repudiation": [],
+        "informationDisclosure": [],
+        "denialOfService": [],
+        "elevationOfPrivilege": []
+      }
+    },
+    "trustBoundaryDiagram": {
+      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
+      "nodes": [
+        {
+          "id": "INTERNET",
+          "kind": "external",
+          "label": "Internet"
+        },
+        {
+          "id": "APP",
+          "kind": "app",
+          "label": "Application"
+        }
+      ],
+      "edges": [],
+      "decorations": []
+    },
+    "calibrationDrift": {
+      "alarms": [],
+      "note": "no-feedback-data"
+    }
+  },
+  "annotatorErrors": []
+}

package/src/report/.agentic-security/last-scan.json

@@ -0,0 +1,80 @@
+{
+  "scanId": "db8e3115-87e6-4e90-8041-31f9921c7b54",
+  "startedAt": "2026-05-27T11:09:28.873Z",
+  "durationMs": 183,
+  "scanned": {
+    "files": 2,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 0,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  },
+  "_v3": {
+    "counterfactual": {
+      "spofControls": [],
+      "controlsDetected": 174
+    },
+    "threatModel": {
+      "summary": {
+        "assetCount": 0,
+        "boundaryCount": 0,
+        "strideCounts": {
+          "spoofing": 0,
+          "tampering": 0,
+          "repudiation": 0,
+          "informationDisclosure": 0,
+          "denialOfService": 0,
+          "elevationOfPrivilege": 0
+        }
+      },
+      "assets": [],
+      "trustBoundaries": [],
+      "stride": {
+        "spoofing": [],
+        "tampering": [],
+        "repudiation": [],
+        "informationDisclosure": [],
+        "denialOfService": [],
+        "elevationOfPrivilege": []
+      }
+    },
+    "trustBoundaryDiagram": {
+      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
+      "nodes": [
+        {
+          "id": "INTERNET",
+          "kind": "external",
+          "label": "Internet"
+        },
+        {
+          "id": "APP",
+          "kind": "app",
+          "label": "Application"
+        }
+      ],
+      "edges": [],
+      "decorations": []
+    },
+    "calibrationDrift": {
+      "alarms": [],
+      "note": "no-feedback-data"
+    }
+  },
+  "annotatorErrors": []
+}

package/src/report/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+e3726a5fd5c2a4b763554484c083d9136dbb026f1f913a0c9b35e3455711b303

package/src/report/.agentic-security/scan-history.json

@@ -0,0 +1,35 @@
+[
+  {
+    "timestamp": "2026-05-27T11:06:13.261Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-27T11:07:38.301Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-27T11:09:29.055Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  }
+]

package/src/report/.agentic-security/streak.json

@@ -0,0 +1,22 @@
+{
+  "firstScanDate": "2026-05-27T11:06:13.266Z",
+  "lastScanDate": "2026-05-27T11:09:29.061Z",
+  "totalScans": 3,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-27",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 1,
+  "totalFindingsAtFirstScan": 0,
+  "totalFindingsAtLastScan": 0,
+  "totalFixesInferred": 0,
+  "lastGrade": "A+",
+  "bestGrade": "A+",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a",
+    "grade-a-plus"
+  ],
+  "previousGrade": "A+"
+}

package/src/report/index.js

@@ -322,6 +322,7 @@ export function toJSON(scan, meta={}, opts={}){
     // threw and were skipped. The findings still ship; downstream consumers
     // see the gap.
     annotatorErrors: Array.isArray(scan.annotatorErrors) ? scan.annotatorErrors : [],
+    _scanMeta: scan._scanMeta || null,
   };
   if (opts.includeSuppressed) out.suppressed = scan.suppressions||[];
   return out;
@@ -560,11 +561,31 @@ export function toSARIF(scan, meta={}){
           ...(scan && scan._rulesetVersionMismatch ? { rulesetVersionMismatch: scan._rulesetVersionMismatch } : {}),
         },
       }],
-      results: findings.map(f => ({
+      results: findings.map(f => {
+        const chain = Array.isArray(f.chain) ? f.chain : [];
+        const codeFlows = chain.length >= 2 ? [{
+          threadFlows: [{
+            locations: chain.map((hop, idx) => ({
+              location: {
+                physicalLocation: {
+                  artifactLocation: { uri: hop.file || f.file },
+                  region: { startLine: Math.max(1, hop.line || 1) },
+                },
+                message: { text: hop.label || (idx === 0 ? 'source' : idx === chain.length - 1 ? 'sink' : 'propagation') },
+              },
+            })),
+          }],
+        }] : undefined;
+        const fixes = f.remediation ? [{
+          description: { text: f.remediation.slice(0, 500) },
+        }] : undefined;
+        return {
         ruleId: f.vuln ? f.vuln.replace(/[^a-zA-Z0-9]/g, '_') : 'unknown',
         level: SEV_TO_SARIF[f.severity] || 'warning',
         message: { text: f.fix?.description || f.vuln || 'Security finding' },
         locations: [{ physicalLocation: { artifactLocation: { uri: f.file }, region: { startLine: Math.max(1, f.line||1) } } }],
+        ...(codeFlows ? { codeFlows } : {}),
+        ...(fixes ? { fixes } : {}),
         // Phase-1 (Sentinel-parity) fingerprint: stableId persists across
         // refactors. Keep partialFingerprints intact for tools that key on
         // the line-hash; add a 'stableId' fingerprint for tools that respect
@@ -595,7 +616,7 @@ export function toSARIF(scan, meta={}){
           ...(f._unsigned ? { unsigned: true } : {}),
           ...(f._passThroughSigning ? { passThroughSigning: true } : {}),
         },
-      })),
+      };}),
     }],
   };
 }