@clear-capabilities/agentic-security-scanner 0.79.0 → 0.84.1

package/src/posture/triage-learning.js

@@ -0,0 +1,170 @@
+// Continuous learning from triage decisions — Recommendation #8 of the
+// world-class roadmap.
+//
+// Every triage transition (open → fixed | wont-fix | false-positive)
+// auto-tunes a per-(project, family, file-glob, sink-method) calibration
+// store. The store directly modifies finding confidence scores on
+// subsequent scans, so the scanner's precision on each individual
+// codebase improves monotonically the longer it runs.
+//
+// Calibration shape:
+//
+//   { "global": {  // per-(family, sink-method) prior across all projects
+//       "sql-injection|.executeQuery": { tp: 142, fp: 7, lastUpdated: "..." }
+//     },
+//     "perProject": {  // per-(file-glob, family) project-specific delta
+//       "src/admin/**|hardcoded-secret": { tp: 0, fp: 23, lastUpdated: "..." }
+//     }
+//   }
+//
+// Update rule on triage:
+//   transition → 'fixed' / 'wont-fix-because-not-exploitable' counts as TP+1
+//   transition → 'false-positive' counts as FP+1
+//
+// Application rule at scan time:
+//   confidence *= bayesianFactor(prior, project)
+// where bayesianFactor uses a beta-distribution update of the priors.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { statePath, safeWriteState } from './state-dir.js';
+
+const CALIBRATION_FILE = 'triage-calibration.json';
+
+// Minimum sample size before per-project calibration takes effect. With
+// fewer than this many triage decisions, we fall back to global priors.
+const MIN_PROJECT_SAMPLES = 5;
+
+// Bayesian prior — beta(α, β) over the precision rate. α=1, β=1 is a
+// uniform prior (no opinion); α=2, β=1 mildly favors precision.
+const PRIOR_ALPHA = 2;
+const PRIOR_BETA = 1;
+
+function _storePath(scanRoot) {
+  return statePath(scanRoot, CALIBRATION_FILE);
+}
+
+export function loadCalibration(scanRoot) {
+  const fp = _storePath(scanRoot);
+  if (!fs.existsSync(fp)) return { global: {}, perProject: {} };
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); }
+  catch { return { global: {}, perProject: {} }; }
+}
+
+function _save(scanRoot, data) {
+  const fp = _storePath(scanRoot);
+  safeWriteState(fp, JSON.stringify(data, null, 2));
+}
+
+function _bucketKey(family, sinkMethod) {
+  return `${family || 'unknown'}|${sinkMethod || ''}`;
+}
+
+function _projectKey(fileGlob, family) {
+  return `${fileGlob || '*'}|${family || 'unknown'}`;
+}
+
+/**
+ * Record a triage decision. Called by the triage transition path.
+ *   verdict ∈ { 'true-positive', 'false-positive' }
+ */
+export function recordTriageDecision(scanRoot, finding, verdict) {
+  if (!finding || !verdict) return null;
+  const data = loadCalibration(scanRoot);
+  const family = finding.family;
+  const sinkMethod = _extractSinkMethod(finding);
+  const fileGlob = _fileGlobFor(finding.file);
+  const now = new Date().toISOString();
+
+  const gk = _bucketKey(family, sinkMethod);
+  data.global[gk] ||= { tp: 0, fp: 0, lastUpdated: now };
+  if (verdict === 'true-positive') data.global[gk].tp++;
+  if (verdict === 'false-positive') data.global[gk].fp++;
+  data.global[gk].lastUpdated = now;
+
+  const pk = _projectKey(fileGlob, family);
+  data.perProject[pk] ||= { tp: 0, fp: 0, lastUpdated: now };
+  if (verdict === 'true-positive') data.perProject[pk].tp++;
+  if (verdict === 'false-positive') data.perProject[pk].fp++;
+  data.perProject[pk].lastUpdated = now;
+
+  _save(scanRoot, data);
+  return { gk, pk, data };
+}
+
+/**
+ * Apply learned calibration to a fresh batch of findings. Modifies
+ * confidence in place. Returns { adjusted: int, suppressed: int }
+ * — findings whose adjusted confidence drops below `suppressThreshold`
+ * are filtered out (added to the suppression log instead).
+ */
+export function applyLearnedCalibration(scanRoot, findings, opts = {}) {
+  if (!Array.isArray(findings)) return { adjusted: 0, suppressed: 0 };
+  const data = loadCalibration(scanRoot);
+  const suppressThreshold = opts.suppressThreshold ?? 0.2;
+  let adjusted = 0;
+  const suppressedList = [];
+  for (const f of findings) {
+    const factor = _learnedFactor(data, f);
+    if (factor === 1.0) continue;
+    const before = typeof f.confidence === 'number' ? f.confidence : 0.85;
+    const after = Math.max(0.01, Math.min(0.99, before * factor));
+    f.confidence = after;
+    f._learnedCalibration = { factor, before, samples: _sampleCount(data, f) };
+    adjusted++;
+    if (after < suppressThreshold) {
+      f._suppressed_by = 'triage-learning';
+      suppressedList.push(f);
+    }
+  }
+  return { adjusted, suppressed: suppressedList.length, suppressedList, data };
+}
+
+function _learnedFactor(data, finding) {
+  const family = finding.family;
+  const sinkMethod = _extractSinkMethod(finding);
+  const fileGlob = _fileGlobFor(finding.file);
+
+  // Per-project: beta-distribution precision estimate when N is large enough.
+  const pk = _projectKey(fileGlob, family);
+  const proj = data.perProject?.[pk];
+  if (proj && proj.tp + proj.fp >= MIN_PROJECT_SAMPLES) {
+    const p = (PRIOR_ALPHA + proj.tp) / (PRIOR_ALPHA + PRIOR_BETA + proj.tp + proj.fp);
+    return p / 0.5;  // 0.5 = neutral prior precision
+  }
+  // Global: same formula, less aggressive scaling.
+  const gk = _bucketKey(family, sinkMethod);
+  const glob = data.global?.[gk];
+  if (glob && glob.tp + glob.fp >= MIN_PROJECT_SAMPLES) {
+    const p = (PRIOR_ALPHA + glob.tp) / (PRIOR_ALPHA + PRIOR_BETA + glob.tp + glob.fp);
+    return (0.7 * (p / 0.5)) + 0.3; // weight: 70% global, 30% neutral
+  }
+  return 1.0;
+}
+
+function _sampleCount(data, finding) {
+  const family = finding.family;
+  const sinkMethod = _extractSinkMethod(finding);
+  const fileGlob = _fileGlobFor(finding.file);
+  const pk = _projectKey(fileGlob, family);
+  const gk = _bucketKey(family, sinkMethod);
+  const proj = data.perProject?.[pk] || { tp: 0, fp: 0 };
+  const glob = data.global?.[gk] || { tp: 0, fp: 0 };
+  return { perProject: proj.tp + proj.fp, global: glob.tp + glob.fp };
+}
+
+function _extractSinkMethod(finding) {
+  if (finding.sink?.method) return finding.sink.method;
+  // Try to parse from the vuln string ("SQL Injection — executeQuery").
+  const m = (finding.vuln || '').match(/\b([A-Za-z_]\w*)\s*\(/);
+  return m ? m[1] : '';
+}
+
+function _fileGlobFor(file) {
+  if (!file) return '*';
+  const parts = file.split('/');
+  if (parts.length <= 2) return file;
+  return parts.slice(0, 2).join('/') + '/**';
+}
+
+export const _internals = { _bucketKey, _projectKey, _extractSinkMethod, _fileGlobFor, MIN_PROJECT_SAMPLES };

package/src/posture/triage-memory.js

@@ -0,0 +1,151 @@
+// Triage memory — conversational triage memory layer.
+//
+// When a finding transitions to wont-fix or false-positive (via the
+// triage CLI / MCP tool / agent action), this module:
+//
+//   1. writes a structured entry to AGENTS.md so the lesson is captured
+//      for next session (continual-learning surface),
+//   2. records the decision shape (family + file-glob + reason) into
+//      .agentic-security/triage-memory.jsonl for fast pattern matching,
+//   3. provides suppressByPastDecisions() — an annotator that pre-demotes
+//      findings whose (family, file-glob) was previously marked wont-fix
+//      or false-positive in the same project.
+//
+// This is the dialogue-aware analogue to posture/triage-learning.js,
+// which adjusts confidence calibration from triage counts. triage-memory
+// works on the discrete narrative ("we decided this is fine, here's
+// why") rather than on calibration math.
+//
+// Opt-out: AGENTIC_SECURITY_NO_TRIAGE_MEMORY=1
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const STATE_DIR = '.agentic-security';
+const MEMORY_FILE = 'triage-memory.jsonl';
+const AGENTS_FILE = 'AGENTS.md';
+
+function _stateDir(scanRoot) { return path.join(scanRoot, STATE_DIR); }
+function _memPath(scanRoot)  { return path.join(_stateDir(scanRoot), MEMORY_FILE); }
+function _agentsPath(scanRoot) { return path.join(_stateDir(scanRoot), AGENTS_FILE); }
+
+function _bucketKey(finding) {
+  const file = finding.file || finding.file_path || '';
+  const dir = file.split('/').slice(0, -1).join('/') || '.';
+  return `${finding.family || finding.parser || 'unknown'}::${dir}`;
+}
+
+/**
+ * Record a triage decision into both AGENTS.md (narrative) and
+ * triage-memory.jsonl (structured). Idempotent — repeated calls add a
+ * single new line; existing entries are not deduped (history is a feature).
+ */
+export function recordDecision(scanRoot, finding, decision, reason) {
+  if (!scanRoot || !finding || !decision) return null;
+  if (!['wont-fix', 'false-positive'].includes(decision)) return null;
+  try { fs.mkdirSync(_stateDir(scanRoot), { recursive: true }); } catch {}
+
+  const entry = {
+    at: new Date().toISOString(),
+    decision,
+    reason: String(reason || '').slice(0, 280),
+    bucket: _bucketKey(finding),
+    family: finding.family || null,
+    severity: finding.severity || null,
+    cwe: finding.cwe || null,
+    vuln: (finding.vuln || finding.title || '').slice(0, 160),
+    file: finding.file || finding.file_path || '',
+    line: finding.line || 0,
+    id: finding.id || finding.stableId || null,
+  };
+  try { fs.appendFileSync(_memPath(scanRoot), JSON.stringify(entry) + '\n'); } catch {}
+
+  // Narrative entry in AGENTS.md — short, human-readable, surfaced at SessionStart.
+  const narrative = [
+    `## Triage decision — ${entry.at.slice(0, 10)}  (${decision})`,
+    `- Finding: ${entry.vuln || entry.family || 'unknown'} at ${entry.file}:${entry.line}`,
+    `- Bucket: \`${entry.bucket}\``,
+    reason ? `- Why: ${entry.reason}` : null,
+    `- Future scans should treat similar findings under this bucket as already-reviewed.`,
+    '',
+  ].filter(Boolean).join('\n');
+  try { fs.appendFileSync(_agentsPath(scanRoot), '\n' + narrative); } catch {}
+
+  return entry;
+}
+
+/**
+ * Load past decisions from triage-memory.jsonl.
+ */
+export function loadMemory(scanRoot) {
+  const fp = _memPath(scanRoot);
+  if (!fs.existsSync(fp)) return [];
+  try {
+    return fs.readFileSync(fp, 'utf8')
+      .split('\n').filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(Boolean);
+  } catch { return []; }
+}
+
+/**
+ * Annotator: for each finding, check if its (family, file-glob) bucket
+ * was previously marked wont-fix or false-positive in this project. If
+ * so, attach `pastDecision` metadata and lower confidence.
+ *
+ * Does NOT remove findings — only annotates. UI / report layer decides
+ * how to display.
+ */
+export function suppressByPastDecisions(scanRoot, findings) {
+  if (process.env.AGENTIC_SECURITY_NO_TRIAGE_MEMORY === '1') return { applied: 0 };
+  if (!Array.isArray(findings) || findings.length === 0) return { applied: 0 };
+  const memory = loadMemory(scanRoot);
+  if (!memory.length) return { applied: 0 };
+
+  // Build bucket → most-recent decision map.
+  const bucketDecision = new Map();
+  for (const e of memory) {
+    if (!bucketDecision.has(e.bucket) || bucketDecision.get(e.bucket).at < e.at) {
+      bucketDecision.set(e.bucket, e);
+    }
+  }
+
+  let applied = 0;
+  for (const f of findings) {
+    const key = _bucketKey(f);
+    const past = bucketDecision.get(key);
+    if (!past) continue;
+    f.pastDecision = {
+      decision: past.decision,
+      at: past.at,
+      reason: past.reason,
+      sameBucket: true,
+    };
+    // Soft demote: drop confidence and add a tag explaining why.
+    if (typeof f.confidence === 'number') f.confidence = Math.max(0.2, f.confidence * 0.5);
+    f.tags = Array.isArray(f.tags) ? f.tags : [];
+    if (!f.tags.includes('past-decision')) f.tags.push('past-decision');
+    applied++;
+  }
+  return { applied, total: findings.length };
+}
+
+/**
+ * Search past triage decisions by natural-language query terms. Naive
+ * keyword match for v1 — sufficient when memory is < 1000 entries.
+ * Future: vector search against an embedding store.
+ */
+export function queryMemory(scanRoot, query) {
+  const memory = loadMemory(scanRoot);
+  if (!query || !memory.length) return memory.slice(-10);
+  const terms = String(query).toLowerCase().split(/\s+/).filter(Boolean);
+  if (!terms.length) return memory.slice(-10);
+  const scored = memory.map(e => {
+    const haystack = [e.reason, e.vuln, e.family, e.file, e.bucket].join(' ').toLowerCase();
+    const score = terms.reduce((s, t) => s + (haystack.includes(t) ? 1 : 0), 0);
+    return { ...e, score };
+  });
+  return scored.filter(e => e.score > 0).sort((a, b) => b.score - a.score).slice(0, 10);
+}
+
+export const _internals = { _bucketKey, _memPath, _agentsPath };

package/src/posture/triage.js

@@ -5,6 +5,9 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { statePath, safeWriteState } from './state-dir.js';
+import { appendAcceptRiskFromTriage } from './sca-policy.js';
+import { recordDecision as recordTriageMemory } from './triage-memory.js';
+import { recordTriage as recordCrossRepoTriage } from './cross-repo-memory.js';
 
 export const STATES = ['open', 'in-progress', 'fixed', 'wont-fix', 'false-positive'];
 
@@ -44,6 +47,15 @@ export function syncWithScan(scanRoot, findings) {
         assignee: null,
         opened_at: now,
         comments: [],
+        // Phase 4 / Item 7: capture SCA-relevant fields so the
+        // triage → sca-policy bridge has enough data to materialize an
+        // accept-risk entry on wont-fix. No-ops for SAST findings.
+        type: f.type || null,
+        name: f.name || null,
+        version: f.version || null,
+        ecosystem: f.ecosystem || null,
+        osvId: f.osvId || null,
+        cveAliases: Array.isArray(f.cveAliases) ? f.cveAliases : [],
       };
       data.transitions.push({ id, from: null, to: 'open', at: now });
     }
@@ -80,7 +92,34 @@ export function transition(scanRoot, id, toState, comment) {
   if (toState === 'fixed') cur.fixed_at = new Date().toISOString();
   data.transitions.push({ id, from, to: toState, at: new Date().toISOString(), comment });
   _save(scanRoot, data);
-  return { ok: true };
+
+  // Phase 4 / Item 7 of the SCA improvement plan — bridge wont-fix
+  // transitions on SCA findings into sca-policy.yml accept-risk entries
+  // so the suppression is durable across rescans. The finding object on
+  // the triage store has a `type` field when it was synced from a scan
+  // via syncWithScan; we only bridge type === 'vulnerable_dep'.
+  let policyBridge = null;
+  if (toState === 'wont-fix' && cur.type === 'vulnerable_dep') {
+    try {
+      const reason = comment || `Marked wont-fix in triage on ${new Date().toISOString().slice(0,10)}`;
+      policyBridge = appendAcceptRiskFromTriage(scanRoot, cur, reason);
+    } catch (e) {
+      policyBridge = { ok: false, reason: String(e && e.message || e) };
+    }
+  }
+  // Triage-memory bridge — write a narrative entry to AGENTS.md and a
+  // structured entry to triage-memory.jsonl whenever a finding is marked
+  // wont-fix or false-positive. The next scan's suppressByPastDecisions
+  // annotator demotes similar findings by bucket (family + dir).
+  let memoryBridge = null;
+  if (['wont-fix', 'false-positive'].includes(toState)) {
+    try { memoryBridge = recordTriageMemory(scanRoot, cur, toState, comment); }
+    catch (e) { memoryBridge = { ok: false, reason: String(e && e.message || e) }; }
+    // Also mirror into the cross-repo store so sibling repos benefit.
+    try { recordCrossRepoTriage({ scanRoot, finding: cur, decision: toState, reason: comment }); }
+    catch {}
+  }
+  return { ok: true, policyBridge, memoryBridge };
 }
 
 export function comment(scanRoot, id, author, body) {

package/src/posture/watch-mode.js

@@ -0,0 +1,171 @@
+// Watch mode — continuous incremental scan as the developer edits.
+//
+// Spawns a long-running scan watcher that:
+//   1. Subscribes to file-system events under the project root
+//   2. When a file matching the scan glob changes, re-scans incrementally
+//      using dataflow/incremental-cache.js (per-file cache hits avoid the
+//      full IR build)
+//   3. Diffs against the prior scan to compute a "risk delta" string
+//      (added/removed/changed criticals + highs)
+//   4. Writes the delta to .agentic-security/watch-status.{md,json}
+//
+// The Claude Code statusline / a chat command can poll watch-status.md
+// (cheap file read) to surface the delta inline without re-running anything.
+//
+// Implementation is deliberately node-only — no chokidar dep, uses
+// fs.promises.watch (Node ≥ 20). Debounces to 350ms.
+//
+// Lifecycle: start() returns an AbortController-like handle. The caller
+// (a /watch slash command or a long-running daemon spawn) is responsible
+// for keeping the process alive; this module is the pure logic.
+
+import * as fs from 'node:fs/promises';
+import * as fsSync from 'node:fs';
+import * as path from 'node:path';
+
+const STATE = '.agentic-security';
+const STATUS_MD   = 'watch-status.md';
+const STATUS_JSON = 'watch-status.json';
+const DEBOUNCE_MS = 350;
+const MAX_BURST   = 50; // ignore beyond this # of rapid events
+
+const SCAN_EXT_RE = /\.(?:[jt]sx?|mjs|cjs|py|java|kt|go|rb|php|cs|c|cc|cpp|h|hpp|rs|sol|vy|swift|dart|toml|yml|yaml|json|tf|tfvars|bicep)$/i;
+const IGNORE_DIR_RE = /(?:^|\/)(?:\.git|node_modules|\.bench-cache|dist|build|\.next|coverage|\.agentic-security)(?:$|\/)/;
+
+function _isScanable(rel) {
+  if (!rel || IGNORE_DIR_RE.test(rel)) return false;
+  return SCAN_EXT_RE.test(rel);
+}
+
+function _readJsonSafe(fp) {
+  try { return JSON.parse(fsSync.readFileSync(fp, 'utf8')); } catch { return null; }
+}
+
+function _sevRank(s) { return ['info', 'low', 'medium', 'high', 'critical'].indexOf(s) + 1; }
+
+/**
+ * Pure delta computation between two finding arrays. Same logic
+ * baseline-compare uses, surfaced as a single ASCII status line.
+ */
+export function computeDelta(prevFindings, currFindings) {
+  const key = (f) => `${f.file || ''}::${f.line || 0}::${f.family || f.parser || ''}`;
+  const prev = new Map();
+  for (const f of prevFindings || []) prev.set(key(f), f);
+  const cur  = new Map();
+  for (const f of currFindings || []) cur.set(key(f), f);
+  const added = [], removed = [];
+  for (const [k, f] of cur) if (!prev.has(k)) added.push(f);
+  for (const [k, f] of prev) if (!cur.has(k)) removed.push(f);
+  const newCrit = added.filter(f => f.severity === 'critical').length;
+  const newHigh = added.filter(f => f.severity === 'high').length;
+  const fixedCrit = removed.filter(f => f.severity === 'critical').length;
+  const fixedHigh = removed.filter(f => f.severity === 'high').length;
+  return {
+    addedCount: added.length, removedCount: removed.length,
+    newCritical: newCrit, newHigh, fixedCritical: fixedCrit, fixedHigh,
+    added, removed,
+  };
+}
+
+/**
+ * Render a one-line status string for the Claude Code statusline.
+ */
+export function renderStatusLine(delta) {
+  const parts = [];
+  if (delta.newCritical) parts.push(`🛑 +${delta.newCritical} crit`);
+  if (delta.newHigh)     parts.push(`⚠️  +${delta.newHigh} high`);
+  if (delta.fixedCritical) parts.push(`✅ -${delta.fixedCritical} crit`);
+  if (delta.fixedHigh)     parts.push(`✅ -${delta.fixedHigh} high`);
+  if (!parts.length && (delta.addedCount + delta.removedCount) === 0) return 'agentic-security: clean';
+  if (!parts.length) return `agentic-security: +${delta.addedCount} / -${delta.removedCount}`;
+  return 'agentic-security: ' + parts.join(' · ');
+}
+
+/**
+ * Persist watch-status.{md,json}. Cheap atomic write (write tmp, rename).
+ */
+export function persistStatus(scanRoot, delta) {
+  const dir = path.join(scanRoot, STATE);
+  try { fsSync.mkdirSync(dir, { recursive: true }); } catch {}
+  const status = {
+    ts: new Date().toISOString(),
+    line: renderStatusLine(delta),
+    delta: {
+      addedCount: delta.addedCount, removedCount: delta.removedCount,
+      newCritical: delta.newCritical, newHigh: delta.newHigh,
+      fixedCritical: delta.fixedCritical, fixedHigh: delta.fixedHigh,
+    },
+    addedTop5: (delta.added || []).slice(0, 5).map(f => ({
+      file: f.file, line: f.line, family: f.family, severity: f.severity, vuln: f.vuln,
+    })),
+  };
+  const jsonPath = path.join(dir, STATUS_JSON);
+  const mdPath   = path.join(dir, STATUS_MD);
+  try { fsSync.writeFileSync(jsonPath, JSON.stringify(status, null, 2)); } catch {}
+  const md = [
+    `# Watch status — ${status.ts.slice(11, 19)} UTC`,
+    '',
+    status.line,
+    '',
+  ];
+  if (status.addedTop5.length) {
+    md.push('## New findings');
+    for (const f of status.addedTop5) {
+      md.push(`- **[${(f.severity || '?').toUpperCase()}]** ${f.vuln || f.family || 'finding'} — \`${f.file}:${f.line}\``);
+    }
+  }
+  try { fsSync.writeFileSync(mdPath, md.join('\n')); } catch {}
+  return status;
+}
+
+/**
+ * Read the latest watch-status (returns null if none).
+ */
+export function readStatus(scanRoot) {
+  return _readJsonSafe(path.join(scanRoot, STATE, STATUS_JSON));
+}
+
+/**
+ * Subscribe to FS events and call onChange(absPath, eventType) for each
+ * matching event. Debounces bursts. Returns a controller with stop().
+ *
+ * The actual incremental scan call lives in the caller — this module
+ * stays pure for testability.
+ */
+export async function watchProject(scanRoot, onChange, opts = {}) {
+  if (process.env.AGENTIC_SECURITY_NO_WATCH === '1') return { stop: async () => {}, _disabled: true };
+  const recursive = opts.recursive !== false;
+  const ac = new AbortController();
+  let timer = null;
+  const pending = new Set();
+  const flush = () => {
+    timer = null;
+    if (pending.size > MAX_BURST) { pending.clear(); return; }
+    const batch = Array.from(pending);
+    pending.clear();
+    try { onChange(batch); } catch {}
+  };
+  let stopped = false;
+  (async () => {
+    try {
+      for await (const evt of fs.watch(scanRoot, { recursive, signal: ac.signal })) {
+        if (stopped) break;
+        const rel = String(evt.filename || '').replace(/\\/g, '/');
+        if (!_isScanable(rel)) continue;
+        pending.add(path.join(scanRoot, rel));
+        if (timer) clearTimeout(timer);
+        timer = setTimeout(flush, DEBOUNCE_MS);
+      }
+    } catch (e) {
+      if (e && e.name !== 'AbortError') {
+        // Surface but don't crash — caller decides how to handle.
+        try { onChange([], e); } catch {}
+      }
+    }
+  })();
+  return {
+    stop: async () => { stopped = true; ac.abort(); if (timer) clearTimeout(timer); },
+  };
+}
+
+export const _internals = { _isScanable, SCAN_EXT_RE, IGNORE_DIR_RE };