@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/bin/.agentic-security/findings.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "0c2c7713-e7de-4bc9-ab48-f6473ad81d9f",
-  "startedAt": "2026-05-27T11:23:10.965Z",
-  "durationMs": 278,
+  "scanId": "bb8f9491-46eb-4ec6-a21b-df7b0a436001",
+  "startedAt": "2026-05-28T14:16:52.841Z",
+  "durationMs": 320,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -759,7 +759,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:agentic-security.js:362",
+      "id": "toctou-fs:agentic-security.js:367",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -767,7 +767,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 362,
+      "line": 367,
       "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
       "fix": null,
       "reachable": false,
@@ -848,7 +848,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:367` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "ba3080b44d262d10",
       "confidenceTier": "medium",
@@ -981,7 +981,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:agentic-security.js:1136",
+      "id": "toctou-fs:agentic-security.js:1151",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -989,7 +989,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 1136,
+      "line": 1151,
       "snippet": "const st = fs.statSync(abs);",
       "fix": null,
       "reachable": false,
@@ -1070,7 +1070,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1136` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1151` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "17f63a600e3a68b4",
       "confidenceTier": "medium",
@@ -1701,14 +1701,14 @@
       "family": null
     },
     {
-      "id": "logic:agentic-security.js:362:TOCTOU:_existsSync_followed_by_file_op",
+      "id": "logic:agentic-security.js:367:TOCTOU:_existsSync_followed_by_file_op",
       "kind": "logic",
       "severity": "medium",
       "vuln": "TOCTOU: existsSync followed by file op",
       "cwe": "CWE-367",
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 362,
+      "line": 367,
       "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
       "fix": {
         "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
@@ -1778,7 +1778,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:367` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "parser": "LOGIC",
       "family": null
@@ -1787,7 +1787,7 @@
   "bundles": [],
   "routes": [],
   "components": [],
-  "suppressedCount": 39,
+  "suppressedCount": 42,
   "blastRadiusSignals": {
     "industry": "generic",
     "industryConfidence": "low",
@@ -1805,7 +1805,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 118
+      "controlsDetected": 119
     },
     "threatModel": {
       "summary": {
@@ -1854,13 +1854,13 @@
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "agentic-security.js",
-            "line": 362,
+            "line": 367,
             "severity": "medium"
           },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "agentic-security.js",
-            "line": 1136,
+            "line": 1151,
             "severity": "medium"
           }
         ],

package/bin/.agentic-security/last-scan.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "0c2c7713-e7de-4bc9-ab48-f6473ad81d9f",
-  "startedAt": "2026-05-27T11:23:10.965Z",
-  "durationMs": 278,
+  "scanId": "bb8f9491-46eb-4ec6-a21b-df7b0a436001",
+  "startedAt": "2026-05-28T14:16:52.841Z",
+  "durationMs": 320,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -759,7 +759,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:agentic-security.js:362",
+      "id": "toctou-fs:agentic-security.js:367",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -767,7 +767,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 362,
+      "line": 367,
       "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
       "fix": null,
       "reachable": false,
@@ -848,7 +848,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:367` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "ba3080b44d262d10",
       "confidenceTier": "medium",
@@ -981,7 +981,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:agentic-security.js:1136",
+      "id": "toctou-fs:agentic-security.js:1151",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -989,7 +989,7 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 1136,
+      "line": 1151,
       "snippet": "const st = fs.statSync(abs);",
       "fix": null,
       "reachable": false,
@@ -1070,7 +1070,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1136` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1151` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "17f63a600e3a68b4",
       "confidenceTier": "medium",
@@ -1701,14 +1701,14 @@
       "family": null
     },
     {
-      "id": "logic:agentic-security.js:362:TOCTOU:_existsSync_followed_by_file_op",
+      "id": "logic:agentic-security.js:367:TOCTOU:_existsSync_followed_by_file_op",
       "kind": "logic",
       "severity": "medium",
       "vuln": "TOCTOU: existsSync followed by file op",
       "cwe": "CWE-367",
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 362,
+      "line": 367,
       "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
       "fix": {
         "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
@@ -1778,7 +1778,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:367` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "parser": "LOGIC",
       "family": null
@@ -1787,7 +1787,7 @@
   "bundles": [],
   "routes": [],
   "components": [],
-  "suppressedCount": 39,
+  "suppressedCount": 42,
   "blastRadiusSignals": {
     "industry": "generic",
     "industryConfidence": "low",
@@ -1805,7 +1805,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 118
+      "controlsDetected": 119
     },
     "threatModel": {
       "summary": {
@@ -1854,13 +1854,13 @@
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "agentic-security.js",
-            "line": 362,
+            "line": 367,
             "severity": "medium"
           },
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "agentic-security.js",
-            "line": 1136,
+            "line": 1151,
             "severity": "medium"
           }
         ],

package/bin/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-1a7a7e91a1b09ea956d4e722c3d9df15e8c662dba64e487bdc6f8ba875fd48b9
+5bb921912d508574fede241a7e16cd7ac261f415b200e9eff04093fa70426dd1

package/bin/.agentic-security/scan-history.json

@@ -111,5 +111,56 @@
       "toctou-fs:agentic-security.js:1136",
       "toctou-fs:agentic-security.js:362"
     ]
+  },
+  {
+    "timestamp": "2026-05-28T14:13:54.951Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1141",
+      "toctou-fs:agentic-security.js:362"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T14:16:39.437Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1146",
+      "toctou-fs:agentic-security.js:367"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T14:16:53.162Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1151",
+      "toctou-fs:agentic-security.js:367"
+    ]
   }
 ]

package/bin/.agentic-security/streak.json

@@ -1,12 +1,12 @@
 {
   "firstScanDate": "2026-05-26T04:00:10.482Z",
-  "lastScanDate": "2026-05-27T11:23:11.268Z",
-  "totalScans": 7,
-  "daysCleanCritical": 2,
-  "lastCleanDate": "2026-05-27",
+  "lastScanDate": "2026-05-28T14:16:53.192Z",
+  "totalScans": 10,
+  "daysCleanCritical": 3,
+  "lastCleanDate": "2026-05-28",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 2,
+  "bestDaysCleanCritical": 3,
   "totalFindingsAtFirstScan": 11,
   "totalFindingsAtLastScan": 13,
   "totalFixesInferred": 0,

package/bin/agentic-security.js

@@ -269,6 +269,11 @@ function renderV3Blocks(scan, flags) {
 // Always-on machine output (R2). Vibecoder gets JSON only; pro gets JSON+SARIF+CSV.
 async function writeMachineOutput(targetAbs, scan, meta, profile) {
   const stateDir = path.join(targetAbs, '.agentic-security');
+  const { isSafeStateDir: _isSafe } = await import('../src/posture/state-dir.js');
+  if (!_isSafe(stateDir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write machine output at ${stateDir} — no project marker\n`);
+    return;
+  }
   await fsp.mkdir(stateDir, { recursive: true });
   // Always JSON (used by /security-fix and /security-report).
   await fsp.writeFile(path.join(stateDir, 'findings.json'),
@@ -495,14 +500,19 @@ async function cmdScan(args) {
   else process.stdout.write(body + '\n');
 
   // Persist last scan for /security-fix and /security-report
+  const { isSafeStateDir: _isSafeStateDir } = await import('../src/posture/state-dir.js');
   const stateDir = path.join(path.resolve(target), '.agentic-security');
-  await fsp.mkdir(stateDir, { recursive: true });
-  const persistedScan = toJSON(scan, meta);
-  const lastScanBody = JSON.stringify(persistedScan, null, 2);
-  await fsp.writeFile(path.join(stateDir, 'last-scan.json'), lastScanBody);
-  try {
-    await fsp.writeFile(path.join(stateDir, 'last-scan.json.sig'), _signLastScan(lastScanBody));
-  } catch { /* non-fatal — sig file is best-effort */ }
+  if (_isSafeStateDir(stateDir)) {
+    await fsp.mkdir(stateDir, { recursive: true });
+    const persistedScan = toJSON(scan, meta);
+    const lastScanBody = JSON.stringify(persistedScan, null, 2);
+    await fsp.writeFile(path.join(stateDir, 'last-scan.json'), lastScanBody);
+    try {
+      await fsp.writeFile(path.join(stateDir, 'last-scan.json.sig'), _signLastScan(lastScanBody));
+    } catch { /* non-fatal — sig file is best-effort */ }
+  } else {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write state at ${stateDir} — no project marker in ${path.resolve(target)}\n`);
+  }
 
   // 0.14.0 — update streak / achievements after every full scan. Suppress
   // streak side effects when the user only wants raw JSON output (CI piping).
@@ -587,6 +597,11 @@ async function cmdCi(args) {
 
   // Persist the three CI artifacts.
   const stateDir = path.join(targetAbs, '.agentic-security');
+  const { isSafeStateDir: _isSafeCi } = await import('../src/posture/state-dir.js');
+  if (!_isSafeCi(stateDir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') process.stderr.write(`[agentic-security] refusing to write CI artifacts at ${stateDir} — no project marker\n`);
+    return;
+  }
   await fsp.mkdir(stateDir, { recursive: true });
   await fsp.writeFile(path.join(stateDir, 'findings.json'),
     JSON.stringify(toJSON(scan, meta), null, 2));

package/dist/178.index.js

@@ -13,7 +13,7 @@ export const modules = {
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(8636);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(9072);
 // Time-travel + counterfactual scanning (v0.68).
 //
 // Two new modes that exploit the pure-input shape of runFullScan: