@clear-capabilities/agentic-security-scanner 0.80.0 → 0.84.1

package/src/posture/.agentic-security/streak.json

@@ -1,14 +1,14 @@
 {
   "firstScanDate": "2026-05-28T17:47:06.515Z",
-  "lastScanDate": "2026-05-29T16:57:31.774Z",
-  "totalScans": 34,
+  "lastScanDate": "2026-05-29T22:40:15.935Z",
+  "totalScans": 63,
   "daysCleanCritical": 0,
   "lastCleanDate": null,
   "lastCriticalDate": "2026-05-29",
   "hasEverHadCritical": true,
   "bestDaysCleanCritical": 0,
   "totalFindingsAtFirstScan": 256,
-  "totalFindingsAtLastScan": 320,
+  "totalFindingsAtLastScan": 381,
   "totalFixesInferred": 0,
   "lastGrade": "C",
   "bestGrade": "C",

package/src/posture/auditor-walkthrough.js

@@ -0,0 +1,252 @@
+// Auditor-walkthrough generator.
+//
+// Produces a step-by-step narrative an engineering team can follow to
+// demonstrate evidence for a compliance framework's controls to an
+// external auditor.
+//
+// Built-in frameworks (all public-domain — no copyrighted text reproduced):
+//
+//   nist-csf-2          NIST Cybersecurity Framework 2.0
+//   nist-ai-600-1       NIST AI Risk Management Framework, GenAI profile
+//   owasp-asvs-5        OWASP Application Security Verification Standard 5.0
+//   owasp-llm-top-10    OWASP Top 10 for LLM Applications 2025
+//   eu-ai-act           EU AI Act (Regulation 2024/1689)
+//   gdpr                General Data Protection Regulation
+//   hipaa-security-rule HIPAA Security Rule (45 CFR Part 164)
+//   ccpa                California Consumer Privacy Act
+//
+// Proprietary frameworks (SOC2 Trust Services Criteria, ISO 27001/27002,
+// PCI-DSS, HITRUST CSF) are intentionally NOT bundled because their
+// control text is copyrighted by their respective publishers. For those,
+// the BYO mechanism is:
+//
+//   .agentic-security/compliance/<framework>/controls.json
+//
+// User supplies their own control mapping in the same shape as the
+// bundled ones. The auditor-walkthrough renders evidence against it.
+//
+// Disclaimer: this module organizes scanner evidence into a narrative.
+// It does not certify compliance. A licensed assessor (CPA / auditor /
+// DPO) is responsible for the final attestation.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const BUNDLED_DIR = path.join(path.dirname(new URL(import.meta.url).pathname), 'compliance-frameworks');
+const STATE = '.agentic-security';
+
+function _readJson(fp) {
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
+}
+
+/**
+ * List the available frameworks (bundled + project-byo).
+ */
+export function listFrameworks(scanRoot) {
+  const out = [];
+  try {
+    for (const fn of fs.readdirSync(BUNDLED_DIR)) {
+      if (!fn.endsWith('.json')) continue;
+      const fw = _readJson(path.join(BUNDLED_DIR, fn));
+      if (fw && fw.id) out.push({ id: fw.id, name: fw.name, source: 'bundled', license: fw.license });
+    }
+  } catch {}
+  if (scanRoot) {
+    const projDir = path.join(scanRoot, STATE, 'compliance');
+    if (fs.existsSync(projDir)) {
+      try {
+        for (const sub of fs.readdirSync(projDir)) {
+          const fp = path.join(projDir, sub, 'controls.json');
+          if (fs.existsSync(fp)) {
+            const fw = _readJson(fp);
+            if (fw && fw.id) out.push({ id: fw.id, name: fw.name, source: 'project', license: fw.license || 'user-provided' });
+          }
+        }
+      } catch {}
+    }
+  }
+  return out;
+}
+
+/**
+ * Load a framework definition by id. Project BYO overrides bundled.
+ */
+export function loadFramework(scanRoot, id) {
+  if (scanRoot) {
+    const projFp = path.join(scanRoot, STATE, 'compliance', id, 'controls.json');
+    if (fs.existsSync(projFp)) return _readJson(projFp);
+  }
+  for (const fn of fs.readdirSync(BUNDLED_DIR)) {
+    if (!fn.endsWith('.json')) continue;
+    const fw = _readJson(path.join(BUNDLED_DIR, fn));
+    if (fw && fw.id === id) return fw;
+  }
+  return null;
+}
+
+/**
+ * For each control, evaluate evidence against the current scan.
+ *
+ * Returns an array of:
+ *   { control, status, observations[] }
+ *
+ * Status:
+ *   'present'   — all mapsTo families have zero open critical findings AND
+ *                 module artifacts exist
+ *   'partial'   — some signal present but with open issues
+ *   'absent'    — no signal / open critical findings on every mapsTo family
+ *   'manual'    — control has no mapsTo (requires manual attestation)
+ */
+export function evaluateFramework(scanRoot, fw, scan) {
+  const findings = (scan && Array.isArray(scan.findings)) ? scan.findings : [];
+  const components = (scan && Array.isArray(scan.components)) ? scan.components : [];
+  const families = new Map();
+  for (const f of findings) {
+    const k = f.family || 'unknown';
+    if (!families.has(k)) families.set(k, []);
+    families.get(k).push(f);
+  }
+
+  const results = [];
+  for (const c of fw.controls || []) {
+    const obs = [];
+    let status = 'manual';
+    const maps = Array.isArray(c.mapsTo) ? c.mapsTo : [];
+
+    if (maps.length === 0) {
+      obs.push('No automated mapping — requires manual evidence collection.');
+      results.push({ control: c, status, observations: obs });
+      continue;
+    }
+
+    let allCleared = true;
+    let anySignal = false;
+    for (const m of maps) {
+      if (m.startsWith('family:')) {
+        const fam = m.slice('family:'.length).split(':')[0];
+        const open = (families.get(fam) || []).filter(f => !f.intentSuppressed && !f.pastDecision && (f.severity === 'critical' || f.severity === 'high'));
+        if (open.length) {
+          allCleared = false;
+          obs.push(`${open.length} open ${fam} finding(s) at high/critical.`);
+        } else {
+          obs.push(`✓ ${fam}: no open critical/high findings.`);
+        }
+        anySignal = true;
+      } else if (m.startsWith('module:')) {
+        const mod = m.slice('module:'.length);
+        const ARTIFACT = {
+          'sbom-diff':            'sbom-history/',
+          'license-attributions': 'ATTRIBUTIONS.md',
+          'threat-model-auto':    'threat-model.json',
+          'compliance-policy':    'compliance-evidence.json',
+          'mcp-audit':            'mcp-audit.log',
+          'fix-history':          'fix-history/log.json',
+          'privacy-taint':        'dpia.md',
+          'aibom':                'aibom.json',
+          'attack-taxonomy':      'last-scan.json',
+          'why-fired':            'last-scan.json',
+          'scan-history':         'scan-history/',
+          'integrity':            'last-scan.json.sig',
+          'watch-mode':           'watch-status.json',
+          'cve-alert-daemon':     'cve-alerts/',
+          'triage':               'triage.json',
+          'triage-memory':        'triage-memory.jsonl',
+          'verifier':             'verifier-runs/',
+          'calibration':          'calibration-seed.json',
+          'holdout-eval':         'holdout-eval.jsonl',
+          'sigstore-verify':      'sigstore-attestations/',
+          'pre-edit-bodyguard':   '.../hooks/pre-edit-bodyguard.js',
+          'apply-fix':            'fix-history/log.json',
+          'security-fixer':       '.../agents/security-fixer.md',
+          'mcp-tools':            '.../scanner/src/mcp/tools.js',
+        };
+        const target = ARTIFACT[mod];
+        if (target && fs.existsSync(path.join(scanRoot, STATE, target))) {
+          obs.push(`✓ ${mod}: ${target} present.`);
+          anySignal = true;
+        } else {
+          obs.push(`✗ ${mod}: expected ${target || '(unmapped)'} not present.`);
+          allCleared = false;
+        }
+      } else if (m.startsWith('rule:')) {
+        // Could check whether a custom rule fires zero — leave a hint for now.
+        obs.push(`(rule mapping) ${m} — verify manually that the bodyguard rule is enabled.`);
+        anySignal = true;
+      }
+    }
+
+    if (!anySignal) status = 'manual';
+    else if (allCleared) status = 'present';
+    else status = 'partial';
+
+    results.push({ control: c, status, observations: obs });
+  }
+  return results;
+}
+
+/**
+ * Render the walkthrough Markdown narrative.
+ */
+export function renderWalkthrough(fw, evaluation, opts = {}) {
+  const lines = [];
+  lines.push(`# Auditor walkthrough — ${fw.name}`);
+  lines.push('');
+  lines.push(`> Publisher: ${fw.publisher}`);
+  lines.push(`> License: ${fw.license}`);
+  if (fw.url) lines.push(`> Source: ${fw.url}`);
+  lines.push('');
+  lines.push('> **This walkthrough organizes scanner evidence into a narrative for an external auditor.** It does NOT certify compliance. A licensed assessor is responsible for the final attestation.');
+  lines.push('');
+
+  const present  = evaluation.filter(e => e.status === 'present').length;
+  const partial  = evaluation.filter(e => e.status === 'partial').length;
+  const absent   = evaluation.filter(e => e.status === 'absent').length;
+  const manual   = evaluation.filter(e => e.status === 'manual').length;
+  const total    = evaluation.length;
+  lines.push(`## Summary`);
+  lines.push('');
+  lines.push(`Controls evaluated: **${total}**`);
+  lines.push(`- ✅ Evidence present: **${present}**`);
+  lines.push(`- 🟡 Partial evidence: **${partial}**`);
+  lines.push(`- ⛔ No evidence: **${absent}**`);
+  lines.push(`- 📝 Manual attestation required: **${manual}**`);
+  lines.push('');
+
+  lines.push(`## Controls — step by step`);
+  lines.push('');
+  for (const ev of evaluation) {
+    const c = ev.control;
+    const glyph = { present: '✅', partial: '🟡', absent: '⛔', manual: '📝' }[ev.status] || '?';
+    lines.push(`### ${glyph} ${c.id}${c.function ? ` (${c.function})` : ''} — ${c.summary}`);
+    lines.push('');
+    if (c.evidence && c.evidence.length) {
+      lines.push('**Evidence the auditor expects:**');
+      for (const e of c.evidence) lines.push(`- ${e}`);
+      lines.push('');
+    }
+    if (ev.observations.length) {
+      lines.push('**Current state:**');
+      for (const o of ev.observations) lines.push(`- ${o}`);
+      lines.push('');
+    }
+    if (ev.status === 'absent' || ev.status === 'partial') {
+      lines.push(`**Remediation:** address the bullet(s) above, then re-run \`/auditor-walkthrough ${fw.id}\` to update this report.`);
+      lines.push('');
+    }
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Persist the walkthrough at .agentic-security/auditor-walkthroughs/<id>.md
+ */
+export function persistWalkthrough(scanRoot, fw, body) {
+  const dir = path.join(scanRoot, STATE, 'auditor-walkthroughs');
+  try { fs.mkdirSync(dir, { recursive: true }); } catch {}
+  const fp = path.join(dir, `${fw.id}.md`);
+  try { fs.writeFileSync(fp, body); } catch {}
+  return fp;
+}
+
+export const _internals = { _readJson };

package/src/posture/claude-authorship.js

@@ -0,0 +1,197 @@
+// Claude-authorship analysis — closes the prompt-engineering loop.
+//
+// Builds on posture/git-history.js (which already tags individual findings
+// with aiAuthored=true via the "Co-Authored-By: Claude" trailer detection).
+//
+// What this module adds:
+//
+//   1. analyzeAuthorshipPatterns(scanRoot, findings)
+//      Aggregates findings by (family, aiAuthored, file-pattern). Returns
+//      patterns like:
+//        "12 of 47 Claude-authored commits introduced auth-missing findings"
+//        "Claude-authored commits 3.2× more likely to ship SQLi than human-authored"
+//
+//   2. suggestClaudeMdEvolution(scanRoot, findings)
+//      For each clustered Claude pattern, drafts a one-paragraph addition
+//      to CLAUDE.md that would have prevented it. The user reviews + accepts.
+//
+//   3. extractOriginatingPromptCluster(findings)
+//      When findings carry `originatingPrompt` (set by git-history.js), clusters
+//      similar prompts to surface "the same kind of ask repeatedly produces
+//      vulnerable code."
+//
+// Pure analysis — no LLM calls in this module. The result is structured
+// data that a /claude-vuln-audit command formats for the user.
+
+const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+function _normalizePrompt(p) {
+  return String(p || '')
+    .toLowerCase()
+    .replace(/['"`]/g, '')
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+function _promptKeyTerms(p) {
+  // Heuristic clustering — extract content nouns / verbs typical of
+  // request shapes. v1 = stop-word removal + token bag.
+  const STOP = new Set(['a','an','the','and','or','but','to','for','of','in','on','at','by','from','with','as','is','are','be','was','were','this','that','it','i','you','we','please','can','could','would','should','add','make','create','write','build','give','need','want','have']);
+  return _normalizePrompt(p).split(/[^a-z0-9]+/).filter(t => t.length > 2 && !STOP.has(t));
+}
+
+function _jaccard(a, b) {
+  const sa = new Set(a), sb = new Set(b);
+  let inter = 0;
+  for (const x of sa) if (sb.has(x)) inter++;
+  const union = sa.size + sb.size - inter;
+  return union === 0 ? 0 : inter / union;
+}
+
+/**
+ * Aggregate findings into pattern statistics.
+ */
+export function analyzeAuthorshipPatterns(findings) {
+  if (!Array.isArray(findings)) return null;
+  const ai = findings.filter(f => f.aiAuthored);
+  const hu = findings.filter(f => f.introducedBy && !f.aiAuthored);
+  const total = ai.length + hu.length;
+  if (total === 0) return { total: 0, ai: 0, human: 0, patterns: [] };
+
+  // Per-family breakdown.
+  const byFamily = new Map();
+  for (const f of ai) {
+    const k = f.family || 'unknown';
+    if (!byFamily.has(k)) byFamily.set(k, { ai: 0, human: 0, severity: 0, files: new Set() });
+    const ent = byFamily.get(k);
+    ent.ai++;
+    ent.severity = Math.max(ent.severity, SEVERITY_RANK[f.severity] || 0);
+    if (f.file) ent.files.add(f.file);
+  }
+  for (const f of hu) {
+    const k = f.family || 'unknown';
+    if (!byFamily.has(k)) byFamily.set(k, { ai: 0, human: 0, severity: 0, files: new Set() });
+    byFamily.get(k).human++;
+  }
+
+  const patterns = [];
+  for (const [family, ent] of byFamily) {
+    if (ent.ai === 0) continue;
+    const familyTotal = ent.ai + ent.human;
+    const aiShare = familyTotal > 0 ? ent.ai / familyTotal : 0;
+    const expectedAiShare = ai.length / total;
+    const lift = expectedAiShare > 0 ? aiShare / expectedAiShare : 0;
+    patterns.push({
+      family,
+      aiCount: ent.ai,
+      humanCount: ent.human,
+      aiShare: Number(aiShare.toFixed(3)),
+      expectedShare: Number(expectedAiShare.toFixed(3)),
+      lift: Number(lift.toFixed(2)),
+      maxSeverity: Object.keys(SEVERITY_RANK).find(k => SEVERITY_RANK[k] === ent.severity) || 'unknown',
+      fileCount: ent.files.size,
+    });
+  }
+  patterns.sort((a, b) => b.lift - a.lift || b.aiCount - a.aiCount);
+  return {
+    total,
+    ai: ai.length,
+    human: hu.length,
+    aiShare: Number((ai.length / total).toFixed(3)),
+    patterns,
+  };
+}
+
+/**
+ * Cluster findings by similar originating prompts. Returns groups of
+ * findings whose prompts share at least JACCARD_FLOOR token overlap.
+ */
+export function extractOriginatingPromptCluster(findings, opts = {}) {
+  const floor = opts.jaccardFloor || 0.35;
+  const withPrompts = (findings || []).filter(f => f.originatingPrompt);
+  if (withPrompts.length === 0) return [];
+  const termCache = new Map();
+  const term = (f) => {
+    if (!termCache.has(f.id || f.stableId)) {
+      termCache.set(f.id || f.stableId, _promptKeyTerms(f.originatingPrompt));
+    }
+    return termCache.get(f.id || f.stableId);
+  };
+
+  const used = new Set();
+  const clusters = [];
+  for (let i = 0; i < withPrompts.length; i++) {
+    if (used.has(i)) continue;
+    const seed = withPrompts[i];
+    const seedTerms = term(seed);
+    const group = [seed];
+    used.add(i);
+    for (let j = i + 1; j < withPrompts.length; j++) {
+      if (used.has(j)) continue;
+      const sim = _jaccard(seedTerms, term(withPrompts[j]));
+      if (sim >= floor) {
+        group.push(withPrompts[j]);
+        used.add(j);
+      }
+    }
+    if (group.length >= 2) {
+      clusters.push({
+        size: group.length,
+        samplePrompt: seed.originatingPrompt,
+        families: Array.from(new Set(group.map(f => f.family).filter(Boolean))),
+        findings: group.map(f => ({ id: f.id, file: f.file, line: f.line, family: f.family, severity: f.severity })),
+      });
+    }
+  }
+  clusters.sort((a, b) => b.size - a.size);
+  return clusters;
+}
+
+/**
+ * Draft CLAUDE.md additions for the top patterns. Each suggestion is a
+ * short stanza the user can paste into CLAUDE.md or AGENTS.md to
+ * pre-empt the recurring AI-authored vuln pattern.
+ */
+export function suggestClaudeMdEvolution(analysis) {
+  if (!analysis || !Array.isArray(analysis.patterns)) return [];
+  const out = [];
+  for (const p of analysis.patterns.slice(0, 5)) {
+    if (p.lift < 1.2 || p.aiCount < 2) continue;  // not enough signal
+    out.push({
+      family: p.family,
+      aiCount: p.aiCount,
+      lift: p.lift,
+      maxSeverity: p.maxSeverity,
+      suggestion: _draftSuggestion(p),
+    });
+  }
+  return out;
+}
+
+function _draftSuggestion(p) {
+  const FAMILY_HINTS = {
+    'sqli':              'when asked to add a database query, always use parameterized queries via the existing helper rather than string interpolation. If no helper exists, use the driver\'s prepared-statement API directly (`db.prepare(sql).run(params)`).',
+    'sql-injection':     'when asked to add a database query, always use parameterized queries via the existing helper rather than string interpolation. If no helper exists, use the driver\'s prepared-statement API directly (`db.prepare(sql).run(params)`).',
+    'xss':               'when asked to render user-supplied content, default to text rendering and escape HTML explicitly. Avoid `dangerouslySetInnerHTML` / `v-html` / `eval` / template-literal HTML construction without sanitization.',
+    'command-injection': 'when asked to shell out, use `spawn(cmd, [args], { shell: false })` with explicit argv arrays. Never interpolate user input into a shell string.',
+    'auth-missing':      'when asked to add a route or endpoint, surface the route\'s authn/authz requirement explicitly. Default to auth-required unless the route is on the explicit public allowlist.',
+    'authz':             'when asked to look up a resource by id, also assert that the caller owns the resource (or has a relevant permission tier). Use the project\'s `assertResourceOwner` / equivalent helper.',
+    'csrf':              'when asked to add a state-changing endpoint, ensure CSRF protection is in place. Use the existing middleware or add it as part of the same change.',
+    'hardcoded-secret':  'when asked to use an API key or credential, read it from `process.env.X` (or the project\'s secret manager) — never embed the literal in source.',
+    'path-traversal':    'when asked to read/write a file based on user input, resolve to absolute path and assert it stays under a trusted root before any fs call.',
+    'crypto-weak-cipher':'when asked to encrypt, default to AES-256-GCM or ChaCha20-Poly1305 with crypto.randomBytes IVs. Never DES/3DES/RC4/Blowfish/ECB.',
+    'crypto-weak-hash':  'when asked to hash for security purposes (signing, password storage, integrity), use SHA-256+ for hashes and Argon2id/bcrypt/scrypt for passwords. MD5/SHA-1 only for non-security checksums, explicitly tagged.',
+  };
+  const advice = FAMILY_HINTS[p.family] || `when working in code that could introduce a ${p.family} finding, default to the project's safest established pattern.`;
+  return [
+    `## Security default — ${p.family}`,
+    '',
+    `Past Claude-authored work in this repo has introduced ${p.aiCount} ${p.family} finding(s) (${p.lift}× the rate of human-authored work). To pre-empt:`,
+    '',
+    `> ${advice}`,
+    '',
+    `Consider this a hard default unless the user explicitly asks for an exception.`,
+  ].join('\n');
+}
+
+export const _internals = { _normalizePrompt, _promptKeyTerms, _jaccard, _draftSuggestion };

package/src/posture/compliance-frameworks/.agentic-security/findings.json

@@ -0,0 +1,80 @@
+{
+  "scanId": "aeb3cf41-7bb6-49c6-b4ae-b126e5afd726",
+  "startedAt": "2026-05-29T21:02:56.188Z",
+  "durationMs": 15,
+  "scanned": {
+    "files": 0,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 0,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  },
+  "_v3": {
+    "counterfactual": {
+      "spofControls": [],
+      "note": "no-controls-detected"
+    },
+    "threatModel": {
+      "summary": {
+        "assetCount": 0,
+        "boundaryCount": 0,
+        "strideCounts": {
+          "spoofing": 0,
+          "tampering": 0,
+          "repudiation": 0,
+          "informationDisclosure": 0,
+          "denialOfService": 0,
+          "elevationOfPrivilege": 0
+        }
+      },
+      "assets": [],
+      "trustBoundaries": [],
+      "stride": {
+        "spoofing": [],
+        "tampering": [],
+        "repudiation": [],
+        "informationDisclosure": [],
+        "denialOfService": [],
+        "elevationOfPrivilege": []
+      }
+    },
+    "trustBoundaryDiagram": {
+      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
+      "nodes": [
+        {
+          "id": "INTERNET",
+          "kind": "external",
+          "label": "Internet"
+        },
+        {
+          "id": "APP",
+          "kind": "app",
+          "label": "Application"
+        }
+      ],
+      "edges": [],
+      "decorations": []
+    },
+    "calibrationDrift": {
+      "alarms": [],
+      "note": "no-feedback-data"
+    }
+  },
+  "annotatorErrors": []
+}

package/src/posture/compliance-frameworks/.agentic-security/last-scan.json

@@ -0,0 +1,80 @@
+{
+  "scanId": "aeb3cf41-7bb6-49c6-b4ae-b126e5afd726",
+  "startedAt": "2026-05-29T21:02:56.188Z",
+  "durationMs": 15,
+  "scanned": {
+    "files": 0,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 0,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  },
+  "_v3": {
+    "counterfactual": {
+      "spofControls": [],
+      "note": "no-controls-detected"
+    },
+    "threatModel": {
+      "summary": {
+        "assetCount": 0,
+        "boundaryCount": 0,
+        "strideCounts": {
+          "spoofing": 0,
+          "tampering": 0,
+          "repudiation": 0,
+          "informationDisclosure": 0,
+          "denialOfService": 0,
+          "elevationOfPrivilege": 0
+        }
+      },
+      "assets": [],
+      "trustBoundaries": [],
+      "stride": {
+        "spoofing": [],
+        "tampering": [],
+        "repudiation": [],
+        "informationDisclosure": [],
+        "denialOfService": [],
+        "elevationOfPrivilege": []
+      }
+    },
+    "trustBoundaryDiagram": {
+      "mermaid": "flowchart LR\n  INTERNET((Internet))\n  APP[\"Application\"]\n  classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n  classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n  classDef sev_medium fill:#fff3cd,stroke:#a80;\n  classDef sev_low fill:#e8eaf6,stroke:#557;",
+      "nodes": [
+        {
+          "id": "INTERNET",
+          "kind": "external",
+          "label": "Internet"
+        },
+        {
+          "id": "APP",
+          "kind": "app",
+          "label": "Application"
+        }
+      ],
+      "edges": [],
+      "decorations": []
+    },
+    "calibrationDrift": {
+      "alarms": [],
+      "note": "no-feedback-data"
+    }
+  },
+  "annotatorErrors": []
+}

package/src/posture/compliance-frameworks/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+ccd53b45945cf534ddf095b46bb3a987246676e48f0308cf01946295f9d3e448