@clear-capabilities/agentic-security-scanner 0.78.0 → 0.79.0

package/dist/agentic-security.mjs.sha256

@@ -1 +1 @@
-25827a67ed38d68ccda93ff583b328939807335db8d019da0516c1e62eda5a98  agentic-security.mjs
+3ec7e435269654d09e2168e1cd8a6586f88b9c2edce86f48c18a2dc5f321e358  agentic-security.mjs

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clear-capabilities/agentic-security-scanner",
-  "version": "0.78.0",
+  "version": "0.79.0",
   "description": "Scanner engine for the agentic-security Claude Code plugin \u2014 SAST, SCA (function-level reachability + CISA KEV), secrets, IaC, prompt-injection, MCP/agent-tool audit, auth/authZ deep analysis, attack chains, PoC generation, business logic, toxic-combinations scoring, SBOM, SARIF ingest, pipeline integrity, compliance attestation, and more.",
   "type": "module",
   "main": "src/index.js",
@@ -55,7 +55,7 @@
     "test": "npm run test:smoke && npm run test:sast && npm run test:posture && npm run test:dataflow && npm run test:mcp && npm run test:report && npm run test:bench-modules && npm run test:lifecycle && AGENTIC_SECURITY_CPP_DATAFLOW=1 node --test test/cpp-dataflow.test.js",
     "test:smoke": "node --test test/smoke.test.js",
     "test:sast": "node --test test/llm.test.js test/llm-owasp.test.js test/logic.test.js test/authz.test.js test/model-load.test.js test/prompt-template.test.js test/business-logic.test.js test/python-sinks.test.js test/phase1-detectors.test.js test/phase2-detectors.test.js test/phase3-v3.test.js test/phase7-extensions.test.js test/phase8-extensions.test.js test/new-cwe-detectors.test.js test/llmsecops-detectors.test.js test/db-taint.test.js test/dart-swift.test.js test/redos-nfa.test.js test/weak-randomness.test.js",
-    "test:posture": "node --test test/material-change.test.js test/drift.test.js test/scorecard.test.js test/mttr.test.js test/license-policy.test.js test/aibom.test.js test/sbom.test.js test/api-inventory.test.js test/iam-policy.test.js test/container.test.js test/container-runtime.test.js test/kev.test.js test/dep-confusion.test.js test/sca-deprecated.test.js test/packs.test.js test/flow-narration.test.js test/regression-test-gen.test.js test/rule-synthesis.test.js test/policy-gate.test.js test/agents-memory.test.js test/cve-lookup.test.js test/cve-alert-daemon.test.js test/fix-verify-loop.test.js test/exploitability-probability.test.js test/history-scan.test.js test/viral-features.test.js test/viral-v074.test.js",
+    "test:posture": "node --test test/material-change.test.js test/drift.test.js test/scorecard.test.js test/mttr.test.js test/license-policy.test.js test/aibom.test.js test/sbom.test.js test/api-inventory.test.js test/iam-policy.test.js test/container.test.js test/container-runtime.test.js test/kev.test.js test/dep-confusion.test.js test/sca-deprecated.test.js test/packs.test.js test/flow-narration.test.js test/regression-test-gen.test.js test/rule-synthesis.test.js test/policy-gate.test.js test/agents-memory.test.js test/cve-lookup.test.js test/cve-alert-daemon.test.js test/fix-verify-loop.test.js test/exploitability-probability.test.js test/history-scan.test.js test/viral-features.test.js test/viral-v074.test.js test/state-dir.test.js",
     "test:dataflow": "node --test test/fn-reach.test.js test/deep-taint.test.js test/calibration.test.js test/holdout-eval.test.js test/cross-lang-meta.test.js test/cross-lang-queues.test.js test/phase5-xlang.test.js test/phase5-coverage.test.js test/phase6-taint.test.js test/llm-validator-consistency.test.js test/llm-validator-default-on.test.js test/parser-py-cst.test.js test/parser-cs-kt.test.js test/parser-go.test.js test/parser-php-rb.test.js test/interproc-k2.test.js test/proven-clean.test.js test/backward-default.test.js test/incremental-cache.test.js test/string-regex-lattice.test.js test/closure-capture.test.js test/points-to.test.js test/type-stubs.test.js test/soft-taint.test.js test/ifds.test.js test/symbolic-exec-proof.test.js test/ifds-summary-edges.test.js test/stub-aware-filter.test.js test/cross-repo.test.js",
     "test:mcp": "node --test test/mcp.test.js test/mcp-audit.test.js test/audit-cli.test.js test/mcp-scratchpad.test.js test/mcp-offload.test.js",
     "test:report": "node --test test/sarif-ingest.test.js test/junit.test.js test/ci.test.js test/poc-generator.test.js test/verifier.test.js test/verifier-target.test.js test/annotator-errors.test.js test/grader-calibration.test.js",

package/src/dataflow/engine.js

@@ -62,13 +62,13 @@ function _addPathAliasAware(state, path, callContext) {
   return s;
 }
 
+let _activeConstantVars = null;
+
 function exprTaint(expr, state) {
-  // Returns true iff this expression evaluates to a tainted value under the
-  // given taint state. ALSO treats catalog-registered source patterns as
-  // tainted at-read — `req.body.host` used inline (no intermediate local)
-  // is tainted because the source resolves at the read site.
   if (expr && expr.kind === 'member' && exprIsSource(expr)) return true;
   if (!expr) return false;
+  // Constant propagation: variables assigned from literals are never tainted
+  if (expr.kind === 'ident' && _activeConstantVars && _activeConstantVars.has(expr.name)) return false;
   // P1.1 — field-sensitive access path: if the expression is a pure
   // ident/member chain ("x.y.z"), ask the access-path lattice whether any
   // shorter prefix in the state covers it. This is what makes
@@ -157,13 +157,35 @@ function exprIsSource(expr) {
     const hit = matchSource(expr);
     if (hit) return hit;
   }
-  // Recurse — `req.body.name` should still find `req.body` as source.
   if (expr.kind === 'member' && expr.object) {
     return exprIsSource(expr.object);
   }
   return null;
 }
 
+const _SQL_KEYWORDS = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|UNION|WHERE|FROM|JOIN|INTO|VALUES|SET|EXEC|EXECUTE)\b/i;
+const _HTML_META = /[<>'"&]|innerHTML|outerHTML|document\.write/;
+const _SHELL_META = /[;|`$(){}]|&&|\|\|/;
+
+function _literalPartsOfExpr(expr) {
+  if (!expr) return [];
+  if (expr.kind === 'literal') return [String(expr.value || '')];
+  if (expr.kind === 'tpl') return (expr.parts || []).filter(p => p.kind === 'literal').map(p => String(p.value || ''));
+  if (expr.kind === 'binary') return [..._literalPartsOfExpr(expr.left), ..._literalPartsOfExpr(expr.right)];
+  return [];
+}
+
+function literalSkeletonMatchesFamily(expr, cwe) {
+  const literals = _literalPartsOfExpr(expr);
+  if (!literals.length) return true;
+  const joined = literals.join(' ');
+  if (!joined.trim()) return true;
+  if (cwe === 'CWE-89' || cwe === 'CWE-943') return _SQL_KEYWORDS.test(joined);
+  if (cwe === 'CWE-79') return _HTML_META.test(joined);
+  if (cwe === 'CWE-78') return _SHELL_META.test(joined);
+  return true;
+}
+
 // Apply a CFG node to a taint-state. Returns the new state + any finding emitted.
 function step(node, stateIn, callContext) {
   const state = new Set(stateIn);
@@ -177,9 +199,13 @@ function step(node, stateIn, callContext) {
       return { state, findings };
 
     case 'assign': {
-      // Source detection on RHS.
       const src = exprIsSource(node.source);
       const target = typeof node.target === 'string' ? node.target : null;
+      // Constant propagation: track variables assigned from literals
+      if (target && _activeConstantVars) {
+        if (node.source && node.source.kind === 'literal') _activeConstantVars.set(target, node.source.value);
+        else _activeConstantVars.delete(target);
+      }
       let newState = state;
       // Premortem #7: interprocedural return-taint via SummaryCache. If the
       // RHS is a call to a known callee whose empty-entry-state summary says
@@ -340,6 +366,8 @@ function step(node, stateIn, callContext) {
             const taintedArgIdx = e.argIndex === 'all'
               ? argTaints.findIndex(Boolean) : e.argIndex;
             const taintedArgExpr = (node.args || [])[taintedArgIdx];
+            // String content analysis: skip if literal skeleton doesn't match injection family
+            if (e.vuln && taintedArgExpr && !literalSkeletonMatchesFamily(taintedArgExpr, e.vuln.cwe)) continue;
             // Premortem #10: attribute the source for THIS sink to the
             // source(s) that taint the actual argument expression — not the
             // first source the worklist happened to record. We walk the
@@ -438,12 +466,13 @@ function step(node, stateIn, callContext) {
 // every 100 iterations. A pathological CFG (large generated file with dense
 // control flow) can otherwise hold past the global timeout.
 function analyzeFunction(fn, entryState, callContext) {
-  const nodes = fn.cfg.nodes; // plain object
+  const nodes = fn.cfg.nodes;
   const work = [];
-  const inStates = new Map(); // nodeId → Set<varName>
+  const inStates = new Map();
   const outStates = new Map();
   inStates.set(fn.cfg.entry, new Set(entryState));
   work.push(fn.cfg.entry);
+  _activeConstantVars = new Map();
   // v0.70 #2 — points-to context for the step() transfer. Setting it here
   // (instead of plumbing through step's signature) keeps the worklist loop
   // unchanged and lets `step` consult `aliasesForVar` when callContext._pointsTo
@@ -712,6 +741,21 @@ export function runTaintEngine(perFileIR, callGraph, opts = {}) {
     }
   }
   // v0.69 — expose cache to caller (runDeepAnalysis) for incremental persistence.
+  // Dead code suppression: demote findings in functions with zero callers
+  // (except route handlers which are entry points)
+  const calledQids = new Set();
+  if (callGraph.edges) for (const e of callGraph.edges) calledQids.add(typeof e.to === 'string' ? e.to : e.to?.qid);
+  if (callGraph.callersOf) for (const [qid, callers] of callGraph.callersOf) { if (callers && callers.size) calledQids.add(qid); }
+  for (const f of all) {
+    if (!f._funcQid) continue;
+    const fn = callGraph.functions?.get(f._funcQid);
+    if (!fn) continue;
+    if (calledQids.has(f._funcQid)) continue;
+    if (/handler|route|controller|middleware|endpoint/i.test(fn.name || '')) continue;
+    f._inDeadCode = true;
+    const dg = { critical: 'high', high: 'medium', medium: 'low', low: 'info' };
+    if (dg[f.severity]) f.severity = dg[f.severity];
+  }
   Object.defineProperty(all, '_summaryCache', { value: summaryCache, enumerable: false });
   return all;
 }

package/src/engine.js

@@ -55,7 +55,7 @@ import { scanCpp } from './sast/cpp.js';
 import { scanJulietShape, applyJulietJavaSuppressions, applyJulietCsSuppressions } from './sast/juliet-shape.js';
 import { scanCppDataflow, _parseErrorCount as _cppDataflowParseErrors } from './sast/cpp-dataflow.js';
 import { scanSolidity } from './sast/solidity.js';
-import { scanRust } from './sast/rust.js';
+import { scanRust, extractRustImportMap } from './sast/rust.js';
 import { scanGoExtended } from './sast/go-extended.js';
 import { scanDatabaseRLS } from './sast/db-rls.js';
 import { scanRateLimit } from './sast/rate-limit.js';
@@ -4563,10 +4563,14 @@ function scanMiddlewareOrdering(fp, raw){
     if (isAuth && line < firstAuthAt) firstAuthAt = line;
     if (mountPath) mounts.push({ line, mountPath, handlerArgs, isAuth });
   }
+  let firstRateLimitAt = Infinity;
+  for (const mt of mounts) {
+    if (/rateLimit|rate.?limit|throttle|slowDown/i.test(mt.handlerArgs) && mt.line < firstRateLimitAt) firstRateLimitAt = mt.line;
+  }
   for (const mt of mounts) {
     if (mt.isAuth) continue;
     if (!_SENSITIVE_PATH_RE.test(mt.mountPath)) continue;
-    if (mt.line >= firstAuthAt) continue;     // mounted after auth — fine
+    if (mt.line >= firstAuthAt) continue;
     findings.push({
       vuln: `Sensitive Route Mounted Before Auth Middleware (${mt.mountPath})`,
       severity: 'high', cwe: 'CWE-285', stride: 'Elevation of Privilege',
@@ -4574,6 +4578,27 @@ function scanMiddlewareOrdering(fp, raw){
       fix: `Register your auth middleware before mounting ${mt.mountPath}. Either move app.use(authMiddleware) above this line, or pass authMiddleware directly: app.use('${mt.mountPath}', authMiddleware, router).`,
     });
   }
+  // Check rate-limiting before auth (auth endpoints should be rate-limited)
+  if (firstAuthAt < Infinity && firstRateLimitAt > firstAuthAt) {
+    findings.push({
+      vuln: 'Rate Limiting After Auth Middleware — brute-force attacks bypass rate limits',
+      severity: 'medium', cwe: 'CWE-307', stride: 'Denial of Service',
+      file: fp, line: firstAuthAt, snippet: lines[firstAuthAt - 1]?.trim() || '',
+      fix: 'Register rate-limiting middleware BEFORE auth middleware so brute-force login attempts are throttled: app.use(rateLimit({...})); app.use(authMiddleware);',
+    });
+  }
+  // Check for method-level auth on sensitive routes
+  const routeRe = /\b(?:app|router)\.(get|post|put|patch|delete)\s*\(\s*['"]([^'"]*(?:admin|user|account|settings|profile|payment|billing|dashboard)[^'"]*)['"]\s*,\s*(?!.*(?:auth|protect|verify|guard))/gi;
+  for (const rm of cleaned.matchAll(routeRe)) {
+    const routeLine = lineAt(cleaned, rm.index);
+    if (routeLine >= firstAuthAt) continue;
+    findings.push({
+      vuln: `Sensitive Route Without Auth — ${rm[1].toUpperCase()} ${rm[2]}`,
+      severity: 'high', cwe: 'CWE-306', stride: 'Elevation of Privilege',
+      file: fp, line: routeLine, snippet: lines[routeLine - 1]?.trim() || '',
+      fix: `Add auth middleware to this route: router.${rm[1]}('${rm[2]}', authMiddleware, handler). Or ensure app.use(authMiddleware) appears before this route definition.`,
+    });
+  }
   return findings;
 }
 
@@ -5507,17 +5532,50 @@ const VULN_FUNCTION_HINTS = {
   ...(typeof _VULN_FUNCTION_HINTS_GENERATED === 'object' && !Array.isArray(_VULN_FUNCTION_HINTS_GENERATED) ? Object.fromEntries(Object.entries(_VULN_FUNCTION_HINTS_GENERATED).filter(([k])=>!k.startsWith('_'))) : {}),
   ...(typeof _VULN_FUNCTION_HINTS_DATA === 'object' && !Array.isArray(_VULN_FUNCTION_HINTS_DATA) ? Object.fromEntries(Object.entries(_VULN_FUNCTION_HINTS_DATA).filter(([k])=>!k.startsWith('_'))) : {}),
 };
+function _semverSatisfies(ver,range){
+  if(!ver||!range)return false;
+  const parse=v=>{const m=(v||'').match(/^[=v]*(\d+)\.(\d+)\.(\d+)/);return m?[+m[1],+m[2],+m[3]]:null;};
+  const cmp=(a,b)=>{for(let i=0;i<3;i++){if(a[i]!==b[i])return a[i]-b[i];}return 0;};
+  const v=parse(ver);if(!v)return false;
+  for(const part of range.split(/\s*\|\|\s*/)){
+    let ok=true;
+    for(const cond of part.split(/\s+/).filter(Boolean)){
+      const m=cond.match(/^([<>=!]+)(.+)$/);if(!m)continue;
+      const t=parse(m[2]);if(!t){ok=false;break;}
+      const c=cmp(v,t);const op=m[1];
+      if(op==='>='&&c<0){ok=false;break;}
+      if(op==='>'&&c<=0){ok=false;break;}
+      if(op==='<='&&c>0){ok=false;break;}
+      if(op==='<'&&c>=0){ok=false;break;}
+      if(op==='='&&c!==0){ok=false;break;}
+      if(op==='!='&&c===0){ok=false;break;}
+    }
+    if(ok)return true;
+  }
+  return false;
+}
 function markUsedVulnFunctions(supplyChain,fc){
   const used={};
   const perFile={};
   for(const[fp,content] of Object.entries(fc)){
     const lines=content.split('\n');
+    // Rust import-aware matching: build import map for .rs files
+    let _rustImports=null;
+    if(/\.rs$/i.test(fp)){try{_rustImports=extractRustImportMap(content);}catch(_){}}
     for(const[pkg,fns] of Object.entries(VULN_FUNCTION_HINTS)){
       if(!perFile[pkg])perFile[pkg]=[];
       for(const fn of fns){
         const re=new RegExp(`\\b(?:${pkg.replace(/\W/g,'\\$&')}|_)\\.${fn}\\b`,'g');
+        // Rust: also match bare function calls if import map traces them to this package
+        const rustBareRe=_rustImports?new RegExp(`\\b${fn.replace(/\W/g,'\\$&')}\\s*[(<]`,'g'):null;
         for(let li=0;li<lines.length;li++){
-          if(re.test(lines[li])){
+          let matched=re.test(lines[li]);
+          re.lastIndex=0;
+          if(!matched&&rustBareRe){
+            if(rustBareRe.test(lines[li])&&(_rustImports.map.get(fn)===pkg||_rustImports.map.get(fn)===pkg.replace(/-/g,'_')||_rustImports.globs.has(pkg)||_rustImports.globs.has(pkg.replace(/-/g,'_')))){matched=true;}
+            rustBareRe.lastIndex=0;
+          }
+          if(matched){
             perFile[pkg].push({pkg,fn,file:fp,line:li+1});
             if(!used[pkg])used[pkg]=new Set();
             used[pkg].add(fn);
@@ -5529,10 +5587,20 @@ function markUsedVulnFunctions(supplyChain,fc){
   }
   for(const sc of supplyChain||[]){
     if(sc.type!=='vulnerable_dep')continue;
-    // Merge hints: hardcoded → OSV ecosystem_specific → skip if none
+    // Merge hints: versioned → hardcoded → OSV ecosystem_specific → skip if none
     const hardcoded=VULN_FUNCTION_HINTS[sc.name]||[];
+    // Version-scoped hints: check pkg@range keys
+    const versionedFns=[];
+    for(const[hk,hv] of Object.entries(VULN_FUNCTION_HINTS)){
+      if(!hk.includes('@'))continue;
+      const atIdx=hk.indexOf('@');
+      const hPkg=hk.slice(0,atIdx);
+      const hRange=hk.slice(atIdx+1);
+      if(hPkg!==sc.name)continue;
+      try{if(_semverSatisfies(sc.version,hRange))versionedFns.push(...hv);}catch(_){}
+    }
     const osvFns=Array.isArray(sc.osvVulnFunctions)?sc.osvVulnFunctions.map(f=>{const d=f.lastIndexOf('.');return d>0?f.slice(d+1):f;}):[];
-    const allFns=[...new Set([...hardcoded,...osvFns])];
+    const allFns=[...new Set([...versionedFns,...hardcoded,...osvFns])];
     if(!allFns.length){sc.functionReachable='unknown';sc.noKnownCallSite=true;sc._hintSource='none';continue;}
     sc._hintSource=osvFns.length?(hardcoded.length?'hardcoded+osv':'osv'):'hardcoded';
     // Search codebase for these functions (if not already searched via VULN_FUNCTION_HINTS)
@@ -6339,8 +6407,33 @@ function _parsePubspecLock(text,filePath){
   }return out;
 }
 
+const _APT_TO_LIB={'libssl-dev':'openssl','libssl3':'openssl','openssl':'openssl','zlib1g-dev':'zlib','zlib1g':'zlib','libcurl4-openssl-dev':'libcurl','libcurl4':'libcurl','libxml2-dev':'libxml2','libxml2':'libxml2','libpq-dev':'postgresql','libsqlite3-dev':'sqlite','libjpeg-dev':'libjpeg','libpng-dev':'libpng','libfreetype6-dev':'freetype','libexpat1-dev':'expat','libyaml-dev':'libyaml','libffi-dev':'libffi','libgmp-dev':'gmp','libncurses-dev':'ncurses','libreadline-dev':'readline'};
+function _parseCMakeLists(text,filePath){
+  const out=[];
+  for(const m of text.matchAll(/find_package\s*\(\s*(\w+)(?:\s+(\d+[\d.]*))?\s*(?:REQUIRED|COMPONENTS)?/gi)){
+    const name=m[1].toLowerCase();const ver=m[2]||'0.0.0';
+    out.push({name,version:ver,group:'',scope:'required',purl:`pkg:generic/${name}@${ver}`,ecosystem:'system',filePath,isUnpinned:!m[2]});
+  }
+  return out;
+}
+function _parseConanfile(text,filePath){
+  const out=[];
+  for(const m of text.matchAll(/(?:requires|build_requires)\s*[=(]\s*["']([^/]+)\/([^"'@]+)/g)){
+    out.push({name:m[1].toLowerCase(),version:m[2],group:'',scope:'required',purl:`pkg:generic/${m[1].toLowerCase()}@${m[2]}`,ecosystem:'system',filePath,isUnpinned:false});
+  }
+  return out;
+}
+function _parseVcpkgJson(text,filePath){
+  const out=[];try{const d=JSON.parse(text);
+    for(const dep of(d.dependencies||[])){
+      const name=typeof dep==='string'?dep:dep.name;
+      const ver=(typeof dep==='object'&&dep['version>='])?dep['version>=']:'0.0.0';
+      if(name)out.push({name:name.toLowerCase(),version:ver,group:'',scope:'required',purl:`pkg:generic/${name.toLowerCase()}@${ver}`,ecosystem:'system',filePath,isUnpinned:ver==='0.0.0'});
+    }
+  }catch(_){}return out;
+}
 function parseManifests(allFileContents){
-  const PARSERS={'package.json':_parsePackageJson,'package-lock.json':_parsePackageLockJson,'yarn.lock':_parseYarnLock,'pnpm-lock.yaml':_parsePnpmLock,'requirements.txt':_parseRequirementsTxt,'pyproject.toml':_parsePyprojectToml,'poetry.lock':_parsePoetryLock,'Pipfile.lock':_parsePipfileLock,'composer.json':_parseComposerJson,'composer.lock':_parseComposerLock,'Gemfile':_parseGemfile,'Gemfile.lock':_parseGemfileLock,'go.mod':_parseGoMod,'Cargo.toml':_parseCargoToml,'Cargo.lock':_parseCargoLock,'pom.xml':_parsePomXml,'build.gradle':_parseBuildGradle,'build.gradle.kts':_parseBuildGradle,'pubspec.yaml':_parsePubspecYaml,'pubspec.lock':_parsePubspecLock};
+  const PARSERS={'package.json':_parsePackageJson,'package-lock.json':_parsePackageLockJson,'yarn.lock':_parseYarnLock,'pnpm-lock.yaml':_parsePnpmLock,'requirements.txt':_parseRequirementsTxt,'pyproject.toml':_parsePyprojectToml,'poetry.lock':_parsePoetryLock,'Pipfile.lock':_parsePipfileLock,'composer.json':_parseComposerJson,'composer.lock':_parseComposerLock,'Gemfile':_parseGemfile,'Gemfile.lock':_parseGemfileLock,'go.mod':_parseGoMod,'Cargo.toml':_parseCargoToml,'Cargo.lock':_parseCargoLock,'pom.xml':_parsePomXml,'build.gradle':_parseBuildGradle,'build.gradle.kts':_parseBuildGradle,'pubspec.yaml':_parsePubspecYaml,'pubspec.lock':_parsePubspecLock,'CMakeLists.txt':_parseCMakeLists,'conanfile.txt':_parseConanfile,'vcpkg.json':_parseVcpkgJson};
   const out=[],seen=new Set();
   for(const[fp,content]of Object.entries(allFileContents)){
     const base=fp.split('/').pop();
@@ -6931,6 +7024,8 @@ async function runFullScan({fileContents={}, depFileContents={}, scanRoot=null},
   // 0.10.0: enrich SCA findings with CISA KEV (CISA KEV catalog)
   try{supplyChain=await _enrichWithKEV(supplyChain);}catch(_){}
   try{markUsedVulnFunctions(supplyChain,fc);}catch(_){}
+  // Python AST-based function validation (deep mode only)
+  if(process.env.AGENTIC_SECURITY_DEEP==='1'){try{const{validateOsvFunctionsExist}=await import('./sca/py-package-functions.js');for(const sc of supplyChain){if(sc.type!=='vulnerable_dep'||sc.ecosystem!=='pypi')continue;if(!sc.osvVulnFunctions||!sc.osvVulnFunctions.length)continue;const{validated,missing}=validateOsvFunctionsExist(sc.name,sc.osvVulnFunctions,scanRoot);if(validated.length)sc._pyAstValidated=validated;if(missing.length)sc._pyAstMissing=missing;}}catch(_){}}
   // LLM-assisted function extraction for CVEs without hints (opt-in: AGENTIC_SECURITY_LLM_SCA=1)
   if(process.env.AGENTIC_SECURITY_LLM_SCA==='1'){try{const{extractVulnFunctionsViaLLM}=await import('./sca/llm-function-extract.js');const enriched=await extractVulnFunctionsViaLLM(supplyChain);if(enriched.length){markUsedVulnFunctions(supplyChain,fc);}}catch(_){}}
   setProgress({current:i,total:files.length,file:"Registry metadata...",phase:"SCA"});
@@ -7457,6 +7552,12 @@ async function runFullScan({fileContents={}, depFileContents={}, scanRoot=null},
   // v3 next-gen: why-fired provenance is captured LAST so it reflects the
   // final state of each finding after every other annotator has run.
   _runAnnotator("annotateWhyFired", () => { annotateWhyFired(finalFindings, {}); });
+  // SCA-SAST correlation: link SAST findings to SCA vulnerable packages
+  try{for(const f of finalFindings){if(!f.chain||!f.chain.length)continue;const src=f.chain[0]?.label||'';for(const sc of supplyChain){if(sc.type!=='vulnerable_dep')continue;if(src.includes(sc.name)||f.vuln?.toLowerCase().includes(sc.name)){f.scaCorrelation={osvId:sc.osvId,package:sc.name,version:sc.version,confirmed:true};sc.sastConfirmed=true;break;}}}}catch(_){}
+  // Multi-sink chain detection: group findings by source variable
+  try{const srcGroups=new Map();for(const f of finalFindings){const src=f.chain?.[0]?.label;if(!src)continue;if(!srcGroups.has(src))srcGroups.set(src,[]);srcGroups.get(src).push(f);}for(const[src,group]of srcGroups){if(group.length<2)continue;const groupId=`multi-sink:${src}:${group.length}`;for(const f of group)f._multiSinkGroupId=groupId;finalFindings.push({id:groupId,file:group[0].file,line:group[0].line,vuln:`Multi-Sink Taint Chain — ${src} reaches ${group.length} sinks`,severity:group.some(f=>f.severity==='critical')?'critical':'high',cwe:'CWE-20',parser:'MULTI-SINK',confidence:0.85,sinks:group.map(f=>({file:f.file,line:f.line,vuln:f.vuln})),_aggregated:true});}}catch(_){}
+  // SCA transitive dedup: collapse duplicate CVEs across dep chains
+  try{const osvGroups=new Map();for(const sc of supplyChain){if(sc.type!=='vulnerable_dep'||!sc.osvId)continue;if(!osvGroups.has(sc.osvId))osvGroups.set(sc.osvId,[]);osvGroups.get(sc.osvId).push(sc);}for(const[osvId,group]of osvGroups){if(group.length<=1)continue;const primary=group.find(s=>s.isDirect)||group[0];primary.dependents=group.filter(s=>s!==primary).map(s=>({name:s.name,version:s.version,depChain:s.depChain,isDirect:s.isDirect}));primary._transitiveDeduped=group.length-1;for(const dup of group){if(dup!==primary)dup._deduplicatedInto=primary.osvId;}supplyChain.splice(0,supplyChain.length,...supplyChain.filter(s=>!s._deduplicatedInto));}}catch(_){}
   const _scanMeta={filesScanned:files.length,filesSkipped:_filesSkipped,filesTimedOut:_filesTimedOut,fileTimings:_fileTimings.sort((a,b)=>b.ms-a.ms).slice(0,20),findingsBySeverity:{critical:finalFindings.filter(f=>f.severity==='critical').length,high:finalFindings.filter(f=>f.severity==='high').length,medium:finalFindings.filter(f=>f.severity==='medium').length,low:finalFindings.filter(f=>f.severity==='low').length,info:finalFindings.filter(f=>f.severity==='info').length}};
   return{routes:dd(aR,r=>`${r.method}:${r.path}:${r.file}:${r.line}`),findings:finalFindings,sources:aSrc,sinks:aSink,sanitizers:aSan,filesScanned:files.length,crossFileCount:cf.length,logicVulns:aLogic,supplyChain,components:annotatedComponents,secrets:aSecrets,ciphers:{atRest:aCiphersRest,inTransit:aCiphersTransit},pfr,fc,suppressions:_getSuppressions(),_v3,_scanMeta,_engineErrors:{cppDataflowParseErrors:_cppDataflowParseErrors.value},annotatorErrors:_annotatorErrors};}
 

package/src/integrations/index.js

@@ -13,9 +13,10 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
+import { statePath } from '../posture/state-dir.js';
 
 function _configPath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), '.agentic-security', 'integrations.yml');
+  return statePath(scanRoot, 'integrations.yml');
 }
 
 export function loadIntegrationConfig(scanRoot) {

package/src/ir/callgraph.js

@@ -8,11 +8,25 @@
 //   4. Anything else → unresolved; the dataflow engine treats the callee as
 //      an opaque sink for taint.
 
-export function buildCallGraph(perFileIR) {
-  // perFileIR is { [file]: parseJsFile output }
-  const functions = new Map(); // qid → FunctionIR
-  const byNameInFile = new Map(); // file → Map<name, qid>
-  const classMethods = new Map(); // 'ClassName.method' → qid
+export function buildCallGraph(perFileIR, fileContents) {
+  const functions = new Map();
+  const byNameInFile = new Map();
+  const classMethods = new Map();
+  // Re-export resolution: track `export { x } from './y'` and `module.exports = require('./y')`
+  const reexportMap = new Map();
+  if (fileContents) {
+    for (const [file, code] of Object.entries(fileContents)) {
+      if (!code || typeof code !== 'string') continue;
+      for (const m of code.matchAll(/export\s*\{\s*([^}]+)\s*\}\s*from\s*['"]([^'"]+)['"]/g)) {
+        const names = m[1].split(',').map(n => n.trim().split(/\s+as\s+/));
+        for (const [orig, alias] of names) {
+          reexportMap.set(`${file}::${alias || orig}`, { sourceFile: m[2], sourceName: orig.trim() });
+        }
+      }
+      const cjsReexport = code.match(/module\.exports\s*=\s*require\s*\(\s*['"]([^'"]+)['"]\s*\)/);
+      if (cjsReexport) reexportMap.set(`${file}::*`, { sourceFile: cjsReexport[1], sourceName: '*' });
+    }
+  }
 
   for (const file of Object.keys(perFileIR || {})) {
     const ir = perFileIR[file];
@@ -21,7 +35,6 @@ export function buildCallGraph(perFileIR) {
     for (const fn of ir.functions) {
       functions.set(fn.qid, fn);
       byNameInFile.get(file).set(fn.name, fn.qid);
-      // Class methods: qid carries the class name as the scope.
       const m = fn.qid.match(/::([A-Z]\w*)::(\w+)@/);
       if (m) classMethods.set(`${m[1]}.${m[2]}`, fn.qid);
     }
@@ -56,7 +69,6 @@ export function buildCallGraph(perFileIR) {
   // ClassName.method falls back).
   function resolve(name) {
     if (!name || typeof name !== 'string') return null;
-    // Direct ident match — search every file's same-file map.
     for (const m of byNameInFile.values()) {
       if (m.has(name)) return m.get(name);
     }
@@ -67,6 +79,14 @@ export function buildCallGraph(perFileIR) {
         if (m.has(tail)) return m.get(tail);
       }
     }
+    // Follow re-exports: if name was re-exported from another file, resolve there
+    for (const [key, { sourceName }] of reexportMap) {
+      if (key.endsWith(`::${name}`) || (sourceName === name)) {
+        for (const m of byNameInFile.values()) {
+          if (m.has(sourceName)) return m.get(sourceName);
+        }
+      }
+    }
     return null;
   }
   return { functions, edges, callersOf, resolve };

package/src/llm-validator/index.js

@@ -44,6 +44,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
+import { statePath, ensureStateDir, safeWriteState } from '../posture/state-dir.js';
 
 // Bump on every prompt change so the cache invalidates. Exported as a
 // stable public symbol (premortem 4R-15) so the validator-cache GC subcommand
@@ -98,7 +99,9 @@ function endpointConfig() {
 }
 
 function ensureCacheDir(scanRoot) {
-  const dir = path.join(scanRoot || process.cwd(), CACHE_DIR);
+  const base = ensureStateDir(scanRoot);
+  if (!base) return null;
+  const dir = path.join(base, 'llm-cache');
   try { fs.mkdirSync(dir, { recursive: true }); } catch {}
   return dir;
 }
@@ -112,15 +115,14 @@ function cacheKey(finding, fileHash, modelId) {
 }
 
 function readCache(scanRoot, key) {
-  const fp = path.join(scanRoot || process.cwd(), CACHE_DIR, key + '.json');
+  const fp = statePath(scanRoot, 'llm-cache', key + '.json');
   if (!fs.existsSync(fp)) return null;
   try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
 }
 
 function writeCache(scanRoot, key, value) {
-  ensureCacheDir(scanRoot);
-  const fp = path.join(scanRoot || process.cwd(), CACHE_DIR, key + '.json');
-  try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}
+  const fp = statePath(scanRoot, 'llm-cache', key + '.json');
+  safeWriteState(fp, JSON.stringify(value, null, 2));
 }
 
 function fileHashOf(fileContents, file) {

package/src/mcp/audit.js

@@ -82,6 +82,11 @@ async function _postRemote(url, entry) {
 export function auditCall({ sessionRoot, tool, args, outcome, reason }) {
   if (!sessionRoot) return;
   try {
+    // Safety: only write audit log if sessionRoot looks like a project root
+    const MARKERS = ['.git', 'package.json', 'pyproject.toml', 'go.mod', 'Cargo.toml', 'pom.xml', 'composer.json', 'Gemfile'];
+    let hasMarker = false;
+    for (const m of MARKERS) { try { if (fs.existsSync(path.join(sessionRoot, m))) { hasMarker = true; break; } } catch {} }
+    if (!hasMarker) return;
     const dir = path.join(sessionRoot, '.agentic-security');
     fs.mkdirSync(dir, { recursive: true });
     const logFile = path.join(dir, 'mcp-audit.log');

package/src/posture/calibration-drift.js

@@ -28,13 +28,14 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath } from './state-dir.js';
 
 const DEFAULT_THRESHOLD = 0.15;
 const MIN_SAMPLE_SIZE = 10;
 const WINDOW_DAYS = 30;
 
 function loadTriageFeedback(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), '.agentic-security', 'triage-feedback.json');
+  const fp = statePath(scanRoot, 'triage-feedback.json');
   try {
     if (!fs.existsSync(fp)) return [];
     const data = JSON.parse(fs.readFileSync(fp, 'utf8'));

package/src/posture/calibration.js

@@ -27,6 +27,7 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath } from './state-dir.js';
 
 const MIN_SAMPLES_FOR_CALIBRATION = 30;
 
@@ -102,7 +103,7 @@ function _readJsonMaybe(fp) {
 // seed file. The bundled seed ships with this release; the customer file
 // overrides per-family when N is higher there.
 export function loadCalibrationHistory(scanRoot) {
-  const customer = _readJsonMaybe(path.join(scanRoot || process.cwd(), '.agentic-security', 'validator-metrics.json')) || {};
+  const customer = _readJsonMaybe(statePath(scanRoot, 'validator-metrics.json')) || {};
   const seedPath = new URL('./calibration-seed.json', import.meta.url);
   let seed = null;
   try { seed = JSON.parse(fs.readFileSync(seedPath, 'utf8')); } catch { seed = null; }
@@ -122,7 +123,7 @@ export function loadCalibrationHistory(scanRoot) {
   if (customer) merge(customer);
   // Merge triage-derived TP/FP counts (auto-feedback loop)
   try {
-    const triage = _readJsonMaybe(path.join(scanRoot || process.cwd(), '.agentic-security', 'triage.json'));
+    const triage = _readJsonMaybe(statePath(scanRoot, 'triage.json'));
     if (triage && triage.findings) {
       const triageFams = {};
       for (const f of Object.values(triage.findings)) {

package/src/posture/fix-history.js

@@ -12,13 +12,19 @@ import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
+import { isSafeStateDir, statePath } from './state-dir.js';
 
 function historyDir(scanRoot) {
-  return path.join(scanRoot, '.agentic-security', 'fix-history');
+  return statePath(scanRoot, 'fix-history');
 }
 function logPath(scanRoot) { return path.join(historyDir(scanRoot), 'log.json'); }
 
-function ensure(scanRoot) { fs.mkdirSync(historyDir(scanRoot), { recursive: true }); }
+function ensure(scanRoot) {
+  const dir = historyDir(scanRoot);
+  if (!isSafeStateDir(path.dirname(dir))) return false;
+  fs.mkdirSync(dir, { recursive: true });
+  return true;
+}
 
 export function readLog(scanRoot) {
   const fp = logPath(scanRoot);

package/src/posture/profile.js

@@ -6,6 +6,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
+import { statePath, safeWriteState, resolveProjectRoot } from './state-dir.js';
 
 export const PROFILES = ['vibecoder', 'pro'];
 
@@ -35,7 +36,7 @@ export const DEFAULTS = {
 };
 
 function _profilePath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), '.agentic-security', 'profile.yml');
+  return statePath(scanRoot, 'profile.yml');
 }
 
 export function loadProfile(scanRoot) {
@@ -52,10 +53,8 @@ export function loadProfile(scanRoot) {
 
 export function saveProfile(scanRoot, updates) {
   const fp = _profilePath(scanRoot);
-  fs.mkdirSync(path.dirname(fp), { recursive: true });
   const current = loadProfile(scanRoot);
   const next = { ...current, ...updates };
-  // Strip values equal to defaults so the file stays minimal.
   const defaults = DEFAULTS[next.profile];
   const out = {};
   for (const k of Object.keys(next)) {
@@ -63,7 +62,7 @@ export function saveProfile(scanRoot, updates) {
     out[k] = next[k];
   }
   if (!('profile' in out)) out.profile = next.profile;
-  fs.writeFileSync(fp, yaml.dump(out));
+  safeWriteState(fp, yaml.dump(out));
   return next;
 }
 
@@ -71,7 +70,7 @@ export function saveProfile(scanRoot, updates) {
 // Returns 'pro' if the repo has signals indicating professional security work,
 // otherwise 'vibecoder'. Run only on first scan.
 export function detectProfile(scanRoot) {
-  const root = scanRoot || process.cwd();
+  const root = resolveProjectRoot(scanRoot);
   const signals = ['SECURITY.md', '.github/workflows/security.yml', '.semgrep.yml',
                    '.snyk', 'codeql-config.yml', 'compliance/', 'docs/threat-model.md'];
   for (const s of signals) {

package/src/posture/rule-overrides.js

@@ -11,11 +11,10 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
 import { verifyLastScan } from './integrity.js';
-
-const OVERRIDES_PATH = '.agentic-security/rules.yml';
+import { statePath } from './state-dir.js';
 
 function _path(scanRoot) {
-  return path.join(scanRoot || process.cwd(), OVERRIDES_PATH);
+  return statePath(scanRoot, 'rules.yml');
 }
 
 export function loadOverrides(scanRoot) {

package/src/posture/rule-pack-signing.js

@@ -30,8 +30,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-
-const TRUSTED_KEYS_FILE = '.agentic-security/trusted-keys.json';
+import { statePath } from './state-dir.js';
 
 // Built-in trust root. These are the keys the maintainers of agentic-security
 // use to sign official rule packs. Production deployment requires the
@@ -49,7 +48,7 @@ export const BUNDLED_OFFICIAL_KEYS = [
 ];
 
 function _trustedKeysPath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), TRUSTED_KEYS_FILE);
+  return statePath(scanRoot, 'trusted-keys.json');
 }
 
 // Load the EFFECTIVE trusted-key set. Composition:

package/src/posture/rule-synthesis.js

@@ -13,14 +13,12 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-
-const TRIAGE_PATH = path.join('.agentic-security', 'triage-feedback.json');
-const PROPOSED_DIR = path.join('.agentic-security', 'rules-proposed');
+import { statePath, isSafeStateDir } from './state-dir.js';
 
 const DEFAULT_FP_THRESHOLD = 5;
 
 function _readTriage(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), TRIAGE_PATH);
+  const fp = statePath(scanRoot, 'triage-feedback.json');
   if (!fs.existsSync(fp)) return null;
   try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
 }
@@ -87,7 +85,8 @@ export function synthesizeRules(scanRoot, opts = {}) {
     groups.get(k).push(e);
   }
   const proposals = [];
-  const dir = path.join(scanRoot || process.cwd(), PROPOSED_DIR);
+  const dir = statePath(scanRoot, 'rules-proposed');
+  if (!opts.dryRun && !isSafeStateDir(path.dirname(dir))) return [];
   for (const [, group] of groups) {
     if (group.length < threshold) continue;
     const summary = _summarizeGroup(group);
@@ -105,4 +104,4 @@ export function synthesizeRules(scanRoot, opts = {}) {
   return proposals;
 }
 
-export const _internals = { DEFAULT_FP_THRESHOLD, TRIAGE_PATH, PROPOSED_DIR };
+export const _internals = { DEFAULT_FP_THRESHOLD };