@clear-capabilities/agentic-security-scanner 0.77.0 → 0.79.0

package/src/ir/parser-rb.js

@@ -0,0 +1,309 @@
+// Ruby IR frontend.
+//
+// Regex-based, follows the parser-cs.js / parser-go.js pattern. Focused on
+// Rails params, ActiveRecord, Kernel methods surface area.
+//
+// What we model:
+//   - def / def self. method declarations
+//   - var = expr assignments
+//   - method calls: obj.method(args) and method(args)
+//   - return
+//   - each/map/select blocks as loop-header
+//
+// What we do NOT model:
+//   - blocks / procs / lambdas as first-class values
+//   - metaprogramming (define_method, method_missing)
+//   - module_function / protected / private method visibility scoping
+//   - control flow (if/unless/while/until/case) — body is straight-line
+//
+// Ruby body extraction: count def/class/module/do/if/unless/while/until/
+// for/case/begin as openers and `end` as closers. Return null on balance
+// failure (heredocs, multi-line strings can confuse the regex parser).
+
+import * as crypto from 'node:crypto';
+
+const DEF_RE = /(?:^|\n)\s*def\s+(?:self\.)?(\w+[?!=]?)\s*(?:\(([^)]*)\))?/g;
+
+function _extractRubyBody(src, defEnd) {
+  let depth = 1;
+  let i = defEnd;
+  let inStr = null;
+  let escape = false;
+  const openers = /\b(?:def|class|module|do|if|unless|while|until|for|case|begin)\b/;
+  while (i < src.length && depth > 0) {
+    const c = src[i];
+    if (escape) { escape = false; i++; continue; }
+    if (inStr) {
+      if (c === '\\') { escape = true; i++; continue; }
+      if (c === inStr) inStr = null;
+      i++; continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; i++; continue; }
+    if (c === '#') {
+      while (i < src.length && src[i] !== '\n') i++;
+      continue;
+    }
+    // Check for keyword boundaries
+    if (/[a-z]/i.test(c)) {
+      let word = '';
+      const start = i;
+      while (i < src.length && /\w/.test(src[i])) { word += src[i]; i++; }
+      if (word === 'end' && (start === 0 || /[^.\w]/.test(src[start - 1] || ' '))) {
+        depth--;
+      } else if (openers.test(word) && (start === 0 || /[^.\w]/.test(src[start - 1] || ' '))) {
+        // Only count as opener if not preceded by . (e.g., x.if would be wrong but rare)
+        depth++;
+      }
+      continue;
+    }
+    i++;
+  }
+  if (depth !== 0) return null;
+  // `end` keyword ends at position `i`; body is between defEnd and the start of `end`
+  return { body: src.slice(defEnd, i - 3).trimEnd(), end: i };
+}
+
+const _RB_OPENERS = /^(?:if|unless|while|until|for|case|begin|do)\b/;
+const _RB_BLOCK_KW = /\b(?:def|class|module|if|unless|while|until|for|case|begin|do)\b/;
+
+function _splitStatements(body) {
+  const lines = body.split('\n');
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  for (const rawLine of lines) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+    if (depth === 0 && _RB_OPENERS.test(line)) {
+      if (buf.trim()) out.push(buf.trim());
+      buf = line + '\n';
+      for (const m of line.matchAll(/\b(?:if|unless|while|until|for|case|begin|do|def|class|module)\b/g)) depth++;
+      if (/\bend\b/.test(line)) depth--;
+      if (depth <= 0) { depth = 0; out.push(buf.trim()); buf = ''; }
+      continue;
+    }
+    if (depth > 0) {
+      buf += line + '\n';
+      for (const m of line.matchAll(/\b(?:if|unless|while|until|for|case|begin|do|def|class|module)\b/g)) depth++;
+      const endMatches = line.match(/\bend\b/g);
+      if (endMatches) depth -= endMatches.length;
+      if (depth <= 0) { depth = 0; out.push(buf.trim()); buf = ''; }
+      continue;
+    }
+    out.push(line);
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _lowerExpr(text) {
+  const s = String(text || '').trim();
+  if (!s) return { kind: 'unknown' };
+  // String interpolation before plain literal check
+  if (/^".*#\{/.test(s)) {
+    const parts = [];
+    for (const m of s.matchAll(/#\{([^}]+)\}/g)) parts.push(_lowerExpr(m[1]));
+    if (parts.length) return { kind: 'tpl', parts };
+  }
+  if (/^['"]/.test(s)) return { kind: 'literal', value: s };
+  if (/^\d/.test(s)) return { kind: 'literal', value: s };
+  if (/^(true|false|nil)\b/.test(s)) return { kind: 'literal', value: s };
+  // Symbol
+  if (/^:\w+/.test(s)) return { kind: 'literal', value: s };
+  // Call: obj.method(args) or method(args)
+  const callMatch = s.match(/^([\w.]+)\s*\((.*)\)\s*$/s);
+  if (callMatch) {
+    return { kind: 'call', callee: callMatch[1], args: _splitTopLevelCommas(callMatch[2]).map(_lowerExpr) };
+  }
+  // Method call without parens is very common in Ruby but hard to detect
+  // reliably with regex. We handle the explicit-paren form above.
+  // Dotted member: obj.prop
+  if (/^[A-Za-z_]\w*(?:\.\w+)+$/.test(s)) {
+    const parts = s.split('.');
+    let cur = { kind: 'ident', name: parts[0] };
+    for (let i = 1; i < parts.length; i++) cur = { kind: 'member', object: cur, prop: parts[i] };
+    return cur;
+  }
+  // Hash access: params[:key]
+  if (/^[A-Za-z_]\w*\[/.test(s)) {
+    const lb = s.indexOf('[');
+    const base = s.slice(0, lb);
+    return { kind: 'member', object: { kind: 'ident', name: base }, prop: '[]' };
+  }
+  // Simple ident
+  if (/^[A-Za-z_@]\w*$/.test(s)) return { kind: 'ident', name: s };
+  // Concat with +
+  if (s.includes('+')) {
+    const parts = s.split('+').map(p => _lowerExpr(p.trim()));
+    return { kind: 'tpl', parts };
+  }
+  return { kind: 'unknown' };
+}
+
+function _splitTopLevelCommas(s) {
+  const out = [];
+  let buf = '';
+  let depth = 0;
+  let inStr = null;
+  for (let i = 0; i < s.length; i++) {
+    const c = s[i];
+    if (inStr) {
+      buf += c;
+      if (c === '\\') { i++; buf += s[i] || ''; continue; }
+      if (c === inStr) inStr = null;
+      continue;
+    }
+    if (c === '"' || c === '\'') { inStr = c; buf += c; continue; }
+    if (c === '(' || c === '{' || c === '[') depth++;
+    if (c === ')' || c === '}' || c === ']') depth--;
+    if (c === ',' && depth === 0) { out.push(buf.trim()); buf = ''; continue; }
+    buf += c;
+  }
+  if (buf.trim()) out.push(buf.trim());
+  return out;
+}
+
+function _lowerStmt(stmt, line) {
+  const s = stmt.trim();
+  if (!s || s.startsWith('#')) return null;
+  if (/^return\b/.test(s)) {
+    const rest = s.replace(/^return\s*/, '').trim();
+    return { kind: 'return', line, value: rest ? _lowerExpr(rest) : null };
+  }
+  if (/^raise\b/.test(s)) {
+    return { kind: 'throw', line, value: _lowerExpr(s.replace(/^raise\s*/, '')) };
+  }
+  // Assignment: var = expr
+  const assign = s.match(/^(@?\w+)\s*=\s*(.+)$/s);
+  if (assign && !/^={2}/.test(assign[2])) {
+    return { kind: 'assign', line, target: assign[1], source: _lowerExpr(assign[2]) };
+  }
+  // Statement-form call with parens
+  const call = s.match(/^([\w.]+)\s*\((.*)\)\s*$/s);
+  if (call) {
+    return { kind: 'call', line, callee: call[1], args: _splitTopLevelCommas(call[2]).map(_lowerExpr) };
+  }
+  // Statement-form call without parens (common Ruby idiom): redirect_to expr
+  const bareCall = s.match(/^([a-z_]\w*)\s+(.+)$/s);
+  if (bareCall && /^[a-z_]/.test(bareCall[1]) && !/^(?:if|unless|while|until|for|case|when|elsif|else|end|return|raise|require|include|extend|attr_\w+)$/.test(bareCall[1])) {
+    return { kind: 'call', line, callee: bareCall[1], args: [_lowerExpr(bareCall[2])] };
+  }
+  return null;
+}
+
+function _lineAt(src, idx) {
+  let line = 1;
+  for (let i = 0; i < idx && i < src.length; i++) if (src[i] === '\n') line++;
+  return line;
+}
+
+function _qid(file, name, line, body) {
+  const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);
+  return `${file}::${name}@${line}#${sha}`;
+}
+
+let _nid = 0;
+function _nextId() { return `rn${++_nid}`; }
+
+function _addNode(nodes, node) {
+  const id = _nextId();
+  node.succ = node.succ || [];
+  node.pred = node.pred || [];
+  nodes[id] = node;
+  return id;
+}
+
+function _linkNodes(nodes, src, dst) {
+  if (!nodes[src] || !nodes[dst]) return;
+  if (!nodes[src].succ.includes(dst)) nodes[src].succ.push(dst);
+  if (!nodes[dst].pred.includes(src)) nodes[dst].pred.push(src);
+}
+
+function _extractRubyBlockBody(compound) {
+  const lines = compound.split('\n');
+  if (lines.length < 2) return '';
+  return lines.slice(1, -1).join('\n');
+}
+
+function _buildCfg(bodyText, nodes, prevId, startLine) {
+  const stmts = _splitStatements(bodyText);
+  let prev = prevId;
+  let line = startLine;
+  for (const stmt of stmts) {
+    const s = stmt.trim();
+    if (!s || s.startsWith('#')) { line++; continue; }
+
+    const ifMatch = s.match(/^(if|unless)\s+(.+)$/m);
+    if (ifMatch && /\bend\b\s*$/.test(s)) {
+      const condText = ifMatch[2].trim();
+      const innerBody = _extractRubyBlockBody(s);
+      const ifNode = _addNode(nodes, { kind: 'if', cond: _lowerExpr(condText), line });
+      _linkNodes(nodes, prev, ifNode);
+      const join = _addNode(nodes, { kind: 'noop', line });
+      const thenTail = _buildCfg(innerBody, nodes, ifNode, line + 1);
+      _linkNodes(nodes, thenTail, join);
+      _linkNodes(nodes, ifNode, join);
+      prev = join;
+      line += (s.match(/\n/g) || []).length + 1;
+      continue;
+    }
+
+    const whileMatch = s.match(/^(while|until)\s+(.+)$/m);
+    if (whileMatch && /\bend\b\s*$/.test(s)) {
+      const innerBody = _extractRubyBlockBody(s);
+      const header = _addNode(nodes, { kind: 'loop-header', line });
+      _linkNodes(nodes, prev, header);
+      const bodyTail = _buildCfg(innerBody, nodes, header, line + 1);
+      _linkNodes(nodes, bodyTail, header);
+      const join = _addNode(nodes, { kind: 'noop', line });
+      _linkNodes(nodes, header, join);
+      prev = join;
+      line += (s.match(/\n/g) || []).length + 1;
+      continue;
+    }
+
+    const node = _lowerStmt(s, line);
+    if (!node) { line += (s.match(/\n/g) || []).length + 1; continue; }
+    const id = _addNode(nodes, node);
+    _linkNodes(nodes, prev, id);
+    prev = id;
+    line += (s.match(/\n/g) || []).length + 1;
+  }
+  return prev;
+}
+
+export function parseRubyFile(file, code) {
+  if (!file || typeof code !== 'string') return null;
+  if (!/\.rb$/i.test(file)) return null;
+  if (code.length > 1_000_000) return null;
+
+  const functions = [];
+  DEF_RE.lastIndex = 0;
+  _nid = 0;
+  let m;
+  while ((m = DEF_RE.exec(code)) !== null) {
+    const name = m[1];
+    const paramsText = m[2] || '';
+    const params = paramsText.split(',').map(p => {
+      const t = p.trim().replace(/\s*=\s*.*$/, '').replace(/^[*&]+/, '');
+      return t && /^\w+$/.test(t) ? t : null;
+    }).filter(Boolean);
+    const defLineEnd = code.indexOf('\n', m.index + m[0].length);
+    if (defLineEnd < 0) continue;
+    const extracted = _extractRubyBody(code, defLineEnd + 1);
+    if (!extracted) continue;
+    const startLine = _lineAt(code, m.index);
+    const nodes = {};
+    const entry = _addNode(nodes, { kind: 'entry', line: startLine });
+    const exit = _addNode(nodes, { kind: 'exit', line: startLine });
+    const tail = _buildCfg(extracted.body, nodes, entry, startLine + 1);
+    _linkNodes(nodes, tail, exit);
+    functions.push({
+      qid: _qid(file, name, startLine, extracted.body),
+      name, line: startLine, params, file,
+      cfg: { entry, exit, nodes },
+    });
+    DEF_RE.lastIndex = extracted.end;
+  }
+  return functions.length ? { file, functions, topLevel: null } : null;
+}

package/src/llm-validator/index.js

@@ -44,6 +44,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
+import { statePath, ensureStateDir, safeWriteState } from '../posture/state-dir.js';
 
 // Bump on every prompt change so the cache invalidates. Exported as a
 // stable public symbol (premortem 4R-15) so the validator-cache GC subcommand
@@ -98,7 +99,9 @@ function endpointConfig() {
 }
 
 function ensureCacheDir(scanRoot) {
-  const dir = path.join(scanRoot || process.cwd(), CACHE_DIR);
+  const base = ensureStateDir(scanRoot);
+  if (!base) return null;
+  const dir = path.join(base, 'llm-cache');
   try { fs.mkdirSync(dir, { recursive: true }); } catch {}
   return dir;
 }
@@ -112,15 +115,14 @@ function cacheKey(finding, fileHash, modelId) {
 }
 
 function readCache(scanRoot, key) {
-  const fp = path.join(scanRoot || process.cwd(), CACHE_DIR, key + '.json');
+  const fp = statePath(scanRoot, 'llm-cache', key + '.json');
   if (!fs.existsSync(fp)) return null;
   try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
 }
 
 function writeCache(scanRoot, key, value) {
-  ensureCacheDir(scanRoot);
-  const fp = path.join(scanRoot || process.cwd(), CACHE_DIR, key + '.json');
-  try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}
+  const fp = statePath(scanRoot, 'llm-cache', key + '.json');
+  safeWriteState(fp, JSON.stringify(value, null, 2));
 }
 
 function fileHashOf(fileContents, file) {

package/src/mcp/audit.js

@@ -82,6 +82,11 @@ async function _postRemote(url, entry) {
 export function auditCall({ sessionRoot, tool, args, outcome, reason }) {
   if (!sessionRoot) return;
   try {
+    // Safety: only write audit log if sessionRoot looks like a project root
+    const MARKERS = ['.git', 'package.json', 'pyproject.toml', 'go.mod', 'Cargo.toml', 'pom.xml', 'composer.json', 'Gemfile'];
+    let hasMarker = false;
+    for (const m of MARKERS) { try { if (fs.existsSync(path.join(sessionRoot, m))) { hasMarker = true; break; } } catch {} }
+    if (!hasMarker) return;
     const dir = path.join(sessionRoot, '.agentic-security');
     fs.mkdirSync(dir, { recursive: true });
     const logFile = path.join(dir, 'mcp-audit.log');

package/src/posture/calibration-drift.js

@@ -28,13 +28,14 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath } from './state-dir.js';
 
 const DEFAULT_THRESHOLD = 0.15;
 const MIN_SAMPLE_SIZE = 10;
 const WINDOW_DAYS = 30;
 
 function loadTriageFeedback(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), '.agentic-security', 'triage-feedback.json');
+  const fp = statePath(scanRoot, 'triage-feedback.json');
   try {
     if (!fs.existsSync(fp)) return [];
     const data = JSON.parse(fs.readFileSync(fp, 'utf8'));

package/src/posture/calibration.js

@@ -27,6 +27,7 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath } from './state-dir.js';
 
 const MIN_SAMPLES_FOR_CALIBRATION = 30;
 
@@ -102,7 +103,7 @@ function _readJsonMaybe(fp) {
 // seed file. The bundled seed ships with this release; the customer file
 // overrides per-family when N is higher there.
 export function loadCalibrationHistory(scanRoot) {
-  const customer = _readJsonMaybe(path.join(scanRoot || process.cwd(), '.agentic-security', 'validator-metrics.json')) || {};
+  const customer = _readJsonMaybe(statePath(scanRoot, 'validator-metrics.json')) || {};
   const seedPath = new URL('./calibration-seed.json', import.meta.url);
   let seed = null;
   try { seed = JSON.parse(fs.readFileSync(seedPath, 'utf8')); } catch { seed = null; }
@@ -120,6 +121,20 @@ export function loadCalibrationHistory(scanRoot) {
   };
   if (seed) merge(seed);
   if (customer) merge(customer);
+  // Merge triage-derived TP/FP counts (auto-feedback loop)
+  try {
+    const triage = _readJsonMaybe(statePath(scanRoot, 'triage.json'));
+    if (triage && triage.findings) {
+      const triageFams = {};
+      for (const f of Object.values(triage.findings)) {
+        const fam = f.family || 'unknown';
+        if (!triageFams[fam]) triageFams[fam] = { tp: 0, fp: 0 };
+        if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') triageFams[fam].tp++;
+        else if (f.state === 'false-positive') triageFams[fam].fp++;
+      }
+      merge({ families: triageFams });
+    }
+  } catch { /* triage file optional */ }
   return { families };
 }
 

package/src/posture/fix-history.js

@@ -12,13 +12,19 @@ import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
+import { isSafeStateDir, statePath } from './state-dir.js';
 
 function historyDir(scanRoot) {
-  return path.join(scanRoot, '.agentic-security', 'fix-history');
+  return statePath(scanRoot, 'fix-history');
 }
 function logPath(scanRoot) { return path.join(historyDir(scanRoot), 'log.json'); }
 
-function ensure(scanRoot) { fs.mkdirSync(historyDir(scanRoot), { recursive: true }); }
+function ensure(scanRoot) {
+  const dir = historyDir(scanRoot);
+  if (!isSafeStateDir(path.dirname(dir))) return false;
+  fs.mkdirSync(dir, { recursive: true });
+  return true;
+}
 
 export function readLog(scanRoot) {
   const fp = logPath(scanRoot);

package/src/posture/profile.js

@@ -6,6 +6,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
+import { statePath, safeWriteState, resolveProjectRoot } from './state-dir.js';
 
 export const PROFILES = ['vibecoder', 'pro'];
 
@@ -35,7 +36,7 @@ export const DEFAULTS = {
 };
 
 function _profilePath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), '.agentic-security', 'profile.yml');
+  return statePath(scanRoot, 'profile.yml');
 }
 
 export function loadProfile(scanRoot) {
@@ -52,10 +53,8 @@ export function loadProfile(scanRoot) {
 
 export function saveProfile(scanRoot, updates) {
   const fp = _profilePath(scanRoot);
-  fs.mkdirSync(path.dirname(fp), { recursive: true });
   const current = loadProfile(scanRoot);
   const next = { ...current, ...updates };
-  // Strip values equal to defaults so the file stays minimal.
   const defaults = DEFAULTS[next.profile];
   const out = {};
   for (const k of Object.keys(next)) {
@@ -63,7 +62,7 @@ export function saveProfile(scanRoot, updates) {
     out[k] = next[k];
   }
   if (!('profile' in out)) out.profile = next.profile;
-  fs.writeFileSync(fp, yaml.dump(out));
+  safeWriteState(fp, yaml.dump(out));
   return next;
 }
 
@@ -71,7 +70,7 @@ export function saveProfile(scanRoot, updates) {
 // Returns 'pro' if the repo has signals indicating professional security work,
 // otherwise 'vibecoder'. Run only on first scan.
 export function detectProfile(scanRoot) {
-  const root = scanRoot || process.cwd();
+  const root = resolveProjectRoot(scanRoot);
   const signals = ['SECURITY.md', '.github/workflows/security.yml', '.semgrep.yml',
                    '.snyk', 'codeql-config.yml', 'compliance/', 'docs/threat-model.md'];
   for (const s of signals) {

package/src/posture/rule-overrides.js

@@ -11,11 +11,10 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
 import { verifyLastScan } from './integrity.js';
-
-const OVERRIDES_PATH = '.agentic-security/rules.yml';
+import { statePath } from './state-dir.js';
 
 function _path(scanRoot) {
-  return path.join(scanRoot || process.cwd(), OVERRIDES_PATH);
+  return statePath(scanRoot, 'rules.yml');
 }
 
 export function loadOverrides(scanRoot) {

package/src/posture/rule-pack-signing.js

@@ -30,8 +30,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-
-const TRUSTED_KEYS_FILE = '.agentic-security/trusted-keys.json';
+import { statePath } from './state-dir.js';
 
 // Built-in trust root. These are the keys the maintainers of agentic-security
 // use to sign official rule packs. Production deployment requires the
@@ -49,7 +48,7 @@ export const BUNDLED_OFFICIAL_KEYS = [
 ];
 
 function _trustedKeysPath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), TRUSTED_KEYS_FILE);
+  return statePath(scanRoot, 'trusted-keys.json');
 }
 
 // Load the EFFECTIVE trusted-key set. Composition:

package/src/posture/rule-synthesis.js

@@ -13,14 +13,12 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-
-const TRIAGE_PATH = path.join('.agentic-security', 'triage-feedback.json');
-const PROPOSED_DIR = path.join('.agentic-security', 'rules-proposed');
+import { statePath, isSafeStateDir } from './state-dir.js';
 
 const DEFAULT_FP_THRESHOLD = 5;
 
 function _readTriage(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), TRIAGE_PATH);
+  const fp = statePath(scanRoot, 'triage-feedback.json');
   if (!fs.existsSync(fp)) return null;
   try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
 }
@@ -87,7 +85,8 @@ export function synthesizeRules(scanRoot, opts = {}) {
     groups.get(k).push(e);
   }
   const proposals = [];
-  const dir = path.join(scanRoot || process.cwd(), PROPOSED_DIR);
+  const dir = statePath(scanRoot, 'rules-proposed');
+  if (!opts.dryRun && !isSafeStateDir(path.dirname(dir))) return [];
   for (const [, group] of groups) {
     if (group.length < threshold) continue;
     const summary = _summarizeGroup(group);
@@ -105,4 +104,4 @@ export function synthesizeRules(scanRoot, opts = {}) {
   return proposals;
 }
 
-export const _internals = { DEFAULT_FP_THRESHOLD, TRIAGE_PATH, PROPOSED_DIR };
+export const _internals = { DEFAULT_FP_THRESHOLD };

package/src/posture/security-trend.js

@@ -6,12 +6,12 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath, safeWriteState } from './state-dir.js';
 
-const HISTORY_FILE = '.agentic-security/scan-history.json';
 const MAX_HISTORY = 30; // rolling window
 
 function _readHistory(scanRoot) {
-  const histPath = scanRoot ? path.join(scanRoot, HISTORY_FILE) : HISTORY_FILE;
+  const histPath = statePath(scanRoot, 'scan-history.json');
   try {
     return JSON.parse(fs.readFileSync(histPath, 'utf8'));
   } catch {
@@ -20,11 +20,8 @@ function _readHistory(scanRoot) {
 }
 
 function _writeHistory(scanRoot, history) {
-  const histPath = scanRoot ? path.join(scanRoot, HISTORY_FILE) : HISTORY_FILE;
-  try {
-    fs.mkdirSync(path.dirname(histPath), { recursive: true });
-    fs.writeFileSync(histPath, JSON.stringify(history.slice(-MAX_HISTORY), null, 2));
-  } catch {}
+  const histPath = statePath(scanRoot, 'scan-history.json');
+  safeWriteState(histPath, JSON.stringify(history.slice(-MAX_HISTORY), null, 2));
 }
 
 function _snapshotFromScan(scan, label) {