@clear-capabilities/agentic-security-scanner 0.77.0 → 0.79.0

package/bin/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+5bb921912d508574fede241a7e16cd7ac261f415b200e9eff04093fa70426dd1

package/bin/.agentic-security/scan-history.json

@@ -0,0 +1,166 @@
+[
+  {
+    "timestamp": "2026-05-26T04:00:10.464Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-26T04:00:56.905Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-26T04:02:41.681Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T01:03:34.318Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1109"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T01:05:45.968Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1114"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:21:25.101Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1116"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:23:11.242Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1136",
+      "toctou-fs:agentic-security.js:362"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T14:13:54.951Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1141",
+      "toctou-fs:agentic-security.js:362"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T14:16:39.437Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1146",
+      "toctou-fs:agentic-security.js:367"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T14:16:53.162Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1151",
+      "toctou-fs:agentic-security.js:367"
+    ]
+  }
+]

package/bin/.agentic-security/streak.json

@@ -0,0 +1,20 @@
+{
+  "firstScanDate": "2026-05-26T04:00:10.482Z",
+  "lastScanDate": "2026-05-28T14:16:53.192Z",
+  "totalScans": 10,
+  "daysCleanCritical": 3,
+  "lastCleanDate": "2026-05-28",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 3,
+  "totalFindingsAtFirstScan": 11,
+  "totalFindingsAtLastScan": 13,
+  "totalFixesInferred": 0,
+  "lastGrade": "A-",
+  "bestGrade": "A-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan"
+  ],
+  "previousGrade": "A-"
+}

package/bin/agentic-security.js

@@ -4,6 +4,9 @@
 import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
+import { createRequire } from 'node:module';
+const __require = createRequire(import.meta.url);
+const PKG_VERSION = __require('../package.json').version;
 import { signLastScan as _signLastScan, verifyLastScan as _verifyLastScanShared } from '../src/posture/integrity.js';
 import { runScan } from '../src/runScan.js';
 import { toJSON, toMarkdown, toSARIF, toSTIX, toCSV, toJUnit, toCLI, toCLIByProfile, toShipVerdict, toProTable, toHTML, toSummary, exitCodeFor, normalizeFindings } from '../src/report/index.js';
@@ -103,6 +106,9 @@ Options:
   --no-network                 Skip OSV/registry queries (offline mode)
   --pr [ref]                   Diff-aware: scan only files changed since ref (auto-detects PR base)
   --deterministic              Reproducible scan: stable sort, no-network, lockfile-checked
+  --incremental                Reuse taint summaries from prior scans (speeds up deep mode in CI)
+  --set-baseline               Save current findings as baseline (suppresses pre-existing issues)
+  --since-baseline             Only show findings NOT in the saved baseline
   --no-epss                    Skip EPSS exploit-prediction enrichment (default: enabled)
   --no-blast-radius            Skip blast-radius / cost framing (default: enabled)
   --verbose                    Include fix bodies + taxonomy in CLI output
@@ -137,7 +143,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.75.1';
+  const v = PKG_VERSION;
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -263,6 +269,11 @@ function renderV3Blocks(scan, flags) {
 // Always-on machine output (R2). Vibecoder gets JSON only; pro gets JSON+SARIF+CSV.
 async function writeMachineOutput(targetAbs, scan, meta, profile) {
   const stateDir = path.join(targetAbs, '.agentic-security');
+  const { isSafeStateDir: _isSafe } = await import('../src/posture/state-dir.js');
+  if (!_isSafe(stateDir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write machine output at ${stateDir} — no project marker\n`);
+    return;
+  }
   await fsp.mkdir(stateDir, { recursive: true });
   // Always JSON (used by /security-fix and /security-report).
   await fsp.writeFile(path.join(stateDir, 'findings.json'),
@@ -314,6 +325,11 @@ async function cmdScan(args) {
     }
   }
 
+  // --incremental : reuse taint summaries from prior scans for faster deep mode.
+  if (args.flags['incremental'] || process.env.AGENTIC_SECURITY_INCREMENTAL === '1') {
+    process.env.AGENTIC_SECURITY_INCREMENTAL = '1';
+  }
+
   // --pr [ref] : friendlier alias for --changed-since that auto-detects the PR
   // base ref (GitHub/GitLab/Buildkite/Bitbucket env vars) when no value is given.
   let changedSince = args.flags['changed-since'] || null;
@@ -338,6 +354,26 @@ async function cmdScan(args) {
     if (only === 'secrets') { scan.findings = []; scan.supplyChain = []; }
   }
 
+  // --set-baseline: save current findings as baseline for future --since-baseline filtering
+  const baselinePath = path.join(target || '.', '.agentic-security', 'baseline.json');
+  if (args.flags['set-baseline']) {
+    const { normalizeFindings } = await import('../src/report/index.js');
+    const baselineIds = new Set(normalizeFindings(scan).map(f => f.stableId || f.id));
+    fs.mkdirSync(path.dirname(baselinePath), { recursive: true });
+    fs.writeFileSync(baselinePath, JSON.stringify({ ids: [...baselineIds], createdAt: new Date().toISOString(), count: baselineIds.size }, null, 2));
+    process.stderr.write(`[baseline] saved ${baselineIds.size} findings as baseline\n`);
+  }
+  // --since-baseline: filter out findings that existed in the saved baseline
+  if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {
+    try {
+      const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf8'));
+      const baselineSet = new Set(baseline.ids || []);
+      const before = scan.findings.length;
+      scan.findings = (scan.findings || []).filter(f => !baselineSet.has(f.stableId || f.id));
+      process.stderr.write(`[baseline] filtered ${before - scan.findings.length} baseline findings, ${scan.findings.length} new\n`);
+    } catch { /* baseline file unreadable, skip */ }
+  }
+
   // 0.9.0 Feat-18: --scorecard flag enables OSSF Scorecard enrichment
   if (args.flags['scorecard']) process.env.AGENTIC_SECURITY_SCORECARD = '1';
 
@@ -464,14 +500,19 @@ async function cmdScan(args) {
   else process.stdout.write(body + '\n');
 
   // Persist last scan for /security-fix and /security-report
+  const { isSafeStateDir: _isSafeStateDir } = await import('../src/posture/state-dir.js');
   const stateDir = path.join(path.resolve(target), '.agentic-security');
-  await fsp.mkdir(stateDir, { recursive: true });
-  const persistedScan = toJSON(scan, meta);
-  const lastScanBody = JSON.stringify(persistedScan, null, 2);
-  await fsp.writeFile(path.join(stateDir, 'last-scan.json'), lastScanBody);
-  try {
-    await fsp.writeFile(path.join(stateDir, 'last-scan.json.sig'), _signLastScan(lastScanBody));
-  } catch { /* non-fatal — sig file is best-effort */ }
+  if (_isSafeStateDir(stateDir)) {
+    await fsp.mkdir(stateDir, { recursive: true });
+    const persistedScan = toJSON(scan, meta);
+    const lastScanBody = JSON.stringify(persistedScan, null, 2);
+    await fsp.writeFile(path.join(stateDir, 'last-scan.json'), lastScanBody);
+    try {
+      await fsp.writeFile(path.join(stateDir, 'last-scan.json.sig'), _signLastScan(lastScanBody));
+    } catch { /* non-fatal — sig file is best-effort */ }
+  } else {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write state at ${stateDir} — no project marker in ${path.resolve(target)}\n`);
+  }
 
   // 0.14.0 — update streak / achievements after every full scan. Suppress
   // streak side effects when the user only wants raw JSON output (CI piping).
@@ -556,6 +597,11 @@ async function cmdCi(args) {
 
   // Persist the three CI artifacts.
   const stateDir = path.join(targetAbs, '.agentic-security');
+  const { isSafeStateDir: _isSafeCi } = await import('../src/posture/state-dir.js');
+  if (!_isSafeCi(stateDir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write CI artifacts at ${stateDir} — no project marker\n`);
+    return;
+  }
   await fsp.mkdir(stateDir, { recursive: true });
   await fsp.writeFile(path.join(stateDir, 'findings.json'),
     JSON.stringify(toJSON(scan, meta), null, 2));
@@ -1665,7 +1711,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log(`agentic-security ${PKG_VERSION}  ·  created by ClearCapabilities.Com`); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/178.index.js

@@ -13,7 +13,7 @@ export const modules = {
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(6048);
 // Time-travel + counterfactual scanning (v0.68).
 //
 // Two new modes that exploit the pure-input shape of runFullScan:

package/dist/384.index.js

@@ -8,7 +8,7 @@ export const modules = {
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
 /* harmony export */   scanCredentials: () => (/* reexport safe */ _engine_js__WEBPACK_IMPORTED_MODULE_0__.Sv)
 /* harmony export */ });
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(6048);
 // Secrets submodule view of the engine — credential + entropy + TODO scanning.
 
 

package/dist/476.index.js

@@ -11,6 +11,7 @@ export const modules = {
 /* unused harmony export _internals */
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6760);
+/* harmony import */ var _state_dir_js__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(1174);
 // Auto-rule synthesis from repeated FPs (FR-LEARN-6).
 //
 // Reads `.agentic-security/triage-feedback.json` (populated by the /triage
@@ -27,13 +28,11 @@ export const modules = {
 
 
 
-const TRIAGE_PATH = node_path__WEBPACK_IMPORTED_MODULE_1__.join('.agentic-security', 'triage-feedback.json');
-const PROPOSED_DIR = node_path__WEBPACK_IMPORTED_MODULE_1__.join('.agentic-security', 'rules-proposed');
 
 const DEFAULT_FP_THRESHOLD = 5;
 
 function _readTriage(scanRoot) {
-  const fp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || process.cwd(), TRIAGE_PATH);
+  const fp = (0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__/* .statePath */ .BQ)(scanRoot, 'triage-feedback.json');
   if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(fp)) return null;
   try { return JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(fp, 'utf8')); } catch { return null; }
 }
@@ -100,7 +99,8 @@ function synthesizeRules(scanRoot, opts = {}) {
     groups.get(k).push(e);
   }
   const proposals = [];
-  const dir = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || process.cwd(), PROPOSED_DIR);
+  const dir = (0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__/* .statePath */ .BQ)(scanRoot, 'rules-proposed');
+  if (!opts.dryRun && !(0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__.isSafeStateDir)(node_path__WEBPACK_IMPORTED_MODULE_1__.dirname(dir))) return [];
   for (const [, group] of groups) {
     if (group.length < threshold) continue;
     const summary = _summarizeGroup(group);
@@ -118,7 +118,7 @@ function synthesizeRules(scanRoot, opts = {}) {
   return proposals;
 }
 
-const _internals = { DEFAULT_FP_THRESHOLD, TRIAGE_PATH, PROPOSED_DIR };
+const _internals = { DEFAULT_FP_THRESHOLD };
 
 
 /***/ })

package/dist/637.index.js

@@ -10,7 +10,7 @@ export const modules = {
 /* harmony export */   renderPrDeltaText: () => (/* binding */ renderPrDeltaText)
 /* harmony export */ });
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6048);
 // Shadowscan / security-DELTA on PR (v0.72).
 //
 // Most SAST PR-comment integrations show absolute counts — "12 findings

package/dist/700.index.js

@@ -0,0 +1,138 @@
+export const id = 700;
+export const ids = [700];
+export const modules = {
+
+/***/ 1700:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   validateOsvFunctionsExist: () => (/* binding */ validateOsvFunctionsExist)
+/* harmony export */ });
+/* unused harmony export extractPythonPackageFunctions */
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6760);
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(1421);
+/* harmony import */ var _ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(682);
+// Python package function extraction via the CST parser.
+//
+// Locates an installed Python package in site-packages or .venv,
+// parses its source files via the Python CST parser, and returns
+// a map of exported function names. Used by markUsedVulnFunctions
+// to validate that OSV-named vulnerable functions actually exist
+// in the installed version.
+
+
+
+
+
+
+const VENV_DIRS = ['.venv', 'venv', '.env', 'env'];
+
+function _findSitePackages(scanRoot) {
+  for (const vdir of VENV_DIRS) {
+    const base = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || '.', vdir);
+    if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(base)) continue;
+    const lib = node_path__WEBPACK_IMPORTED_MODULE_1__.join(base, 'lib');
+    if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(lib)) continue;
+    const pydirs = node_fs__WEBPACK_IMPORTED_MODULE_0__.readdirSync(lib).filter(d => d.startsWith('python'));
+    for (const pydir of pydirs) {
+      const sp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(lib, pydir, 'site-packages');
+      if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(sp)) return sp;
+    }
+  }
+  // Fallback: ask python3 directly
+  try {
+    const out = (0,node_child_process__WEBPACK_IMPORTED_MODULE_2__.execFileSync)('python3', ['-c', 'import site; print(site.getsitepackages()[0])'], {
+      encoding: 'utf8', timeout: 5000,
+    }).trim();
+    if (out && node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(out)) return out;
+  } catch { /* no python3 or no site-packages */ }
+  return null;
+}
+
+function _findPackageDir(sitePackages, packageName) {
+  if (!sitePackages) return null;
+  const normalized = packageName.replace(/-/g, '_').toLowerCase();
+  const candidates = [
+    normalized,
+    packageName.toLowerCase(),
+    packageName,
+  ];
+  for (const name of candidates) {
+    const dir = node_path__WEBPACK_IMPORTED_MODULE_1__.join(sitePackages, name);
+    if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(dir) && node_fs__WEBPACK_IMPORTED_MODULE_0__.statSync(dir).isDirectory()) return dir;
+  }
+  return null;
+}
+
+function _readPyFilesFromDir(dir, maxFiles = 50) {
+  const entries = [];
+  try {
+    const files = node_fs__WEBPACK_IMPORTED_MODULE_0__.readdirSync(dir, { recursive: true })
+      .filter(f => f.endsWith('.py'))
+      .slice(0, maxFiles);
+    for (const f of files) {
+      const fp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(dir, f);
+      try {
+        const content = node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(fp, 'utf8');
+        if (content.length < 1_000_000) {
+          entries.push({ file: f, content });
+        }
+      } catch { /* skip unreadable files */ }
+    }
+  } catch { /* dir not readable */ }
+  return entries;
+}
+
+function extractPythonPackageFunctions(packageName, scanRoot) {
+  const cap = (0,_ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__/* .probePythonAvailable */ .w4)();
+  if (!cap.ok) return null;
+
+  const sitePackages = _findSitePackages(scanRoot);
+  const pkgDir = _findPackageDir(sitePackages, packageName);
+  if (!pkgDir) return null;
+
+  const pyFiles = _readPyFilesFromDir(pkgDir);
+  if (!pyFiles.length) return null;
+
+  const batch = (0,_ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__/* .parsePythonFilesBatch */ .H2)(pyFiles);
+  if (!batch || !Array.isArray(batch)) return null;
+
+  const functionMap = new Map();
+  for (const fileIR of batch) {
+    if (!fileIR || !fileIR.functions) continue;
+    for (const fn of fileIR.functions) {
+      if (fn.name && !fn.name.startsWith('_')) {
+        functionMap.set(fn.name, {
+          file: fileIR.file,
+          line: fn.line,
+          qid: fn.qid,
+          params: fn.params,
+        });
+      }
+    }
+  }
+  return functionMap;
+}
+
+function validateOsvFunctionsExist(packageName, osvFunctions, scanRoot) {
+  if (!osvFunctions || !osvFunctions.length) return { validated: [], missing: [] };
+  const fnMap = extractPythonPackageFunctions(packageName, scanRoot);
+  if (!fnMap) return { validated: osvFunctions, missing: [] };
+  const validated = [];
+  const missing = [];
+  for (const fn of osvFunctions) {
+    const shortFn = fn.includes('.') ? fn.split('.').pop() : fn;
+    if (fnMap.has(shortFn) || fnMap.has(fn)) {
+      validated.push(shortFn);
+    } else {
+      missing.push(fn);
+    }
+  }
+  return { validated, missing };
+}
+
+
+/***/ })
+
+};