@clear-capabilities/agentic-security-scanner 0.80.0 → 0.86.0

package/src/posture/compliance-frameworks/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+ccd53b45945cf534ddf095b46bb3a987246676e48f0308cf01946295f9d3e448

package/src/posture/compliance-frameworks/.agentic-security/scan-history.json

@@ -0,0 +1,90 @@
+[
+  {
+    "timestamp": "2026-05-29T21:01:01.146Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:01:20.024Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:01:41.003Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:01:56.122Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:02:10.982Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:02:27.759Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:02:44.397Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-29T21:02:56.203Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  }
+]

package/src/posture/compliance-frameworks/.agentic-security/streak.json

@@ -0,0 +1,22 @@
+{
+  "firstScanDate": "2026-05-29T21:01:01.152Z",
+  "lastScanDate": "2026-05-29T21:02:56.210Z",
+  "totalScans": 8,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-29",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 1,
+  "totalFindingsAtFirstScan": 0,
+  "totalFindingsAtLastScan": 0,
+  "totalFixesInferred": 0,
+  "lastGrade": "A+",
+  "bestGrade": "A+",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a",
+    "grade-a-plus"
+  ],
+  "previousGrade": "A+"
+}

package/src/posture/compliance-frameworks/ccpa.json

@@ -0,0 +1,32 @@
+{
+  "id": "ccpa",
+  "name": "California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.)",
+  "publisher": "California Legislature",
+  "license": "California statute (public)",
+  "url": "https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5",
+  "controls": [
+    {
+      "id": "§1798.100",
+      "summary": "Consumer right to know — businesses inform consumers about categories of personal info collected.",
+      "evidence": ["DPIA artifact lists every PII field with file:line provenance."],
+      "mapsTo": ["module:privacy-taint"]
+    },
+    {
+      "id": "§1798.105",
+      "summary": "Right to delete — businesses comply with verified deletion requests.",
+      "evidence": ["No data-exposure findings on PII storage paths."]
+    },
+    {
+      "id": "§1798.150",
+      "summary": "Civil action for security breach affecting personal information.",
+      "evidence": ["Crypto findings cleared on PII handling code.", "TLS pinning checks pass."],
+      "mapsTo": ["family:crypto-weak-cipher", "family:crypto-tls-version", "family:crypto-tls-no-verify"]
+    },
+    {
+      "id": "§1798.81.5",
+      "summary": "Reasonable security procedures and practices.",
+      "evidence": ["No critical findings on user-data endpoints.", "Auth-missing zero on PII paths."],
+      "mapsTo": ["family:auth-missing", "family:authz", "family:hardcoded-secret"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/eu-ai-act.json

@@ -0,0 +1,51 @@
+{
+  "id": "eu-ai-act",
+  "name": "EU Artificial Intelligence Act (Regulation 2024/1689)",
+  "publisher": "European Parliament & Council",
+  "license": "EU law (Official Journal)",
+  "url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
+  "controls": [
+    {
+      "id": "Art.9",
+      "summary": "Risk management system — continuous, iterative risk identification and mitigation.",
+      "evidence": ["Threat model artifact (.agentic-security/threat-model.{json,md}).", "Continuous scan history present."],
+      "mapsTo": ["module:threat-model-auto", "module:scan-history"]
+    },
+    {
+      "id": "Art.10",
+      "summary": "Data governance — training/validation data is relevant, representative, and bias-checked.",
+      "evidence": ["No training-data-pii findings.", "DPIA artifact for any PII handling."],
+      "mapsTo": ["family:training-data-pii", "family:pii-exposure"]
+    },
+    {
+      "id": "Art.11",
+      "summary": "Technical documentation — system architecture, components, training procedures documented.",
+      "evidence": ["AIBOM artifact at .agentic-security/aibom.json.", "Threat model + DPIA + compliance-evidence present."],
+      "mapsTo": ["module:aibom", "module:threat-model-auto", "module:compliance-policy"]
+    },
+    {
+      "id": "Art.12",
+      "summary": "Record-keeping — automatic logging of system events for traceability.",
+      "evidence": ["MCP audit log .agentic-security/mcp-audit.log present.", "Scan history retained."],
+      "mapsTo": ["module:mcp-audit", "module:scan-history"]
+    },
+    {
+      "id": "Art.13",
+      "summary": "Transparency — instructions for use enable users to interpret the system's output correctly.",
+      "evidence": ["why-fired annotation surfaces detection provenance on every finding."],
+      "mapsTo": ["module:why-fired"]
+    },
+    {
+      "id": "Art.14",
+      "summary": "Human oversight — system permits humans to override / interrupt.",
+      "evidence": ["Fix application requires confirm:true.", "Bodyguard hook can refuse risky edits."],
+      "mapsTo": ["module:pre-edit-bodyguard", "module:apply-fix"]
+    },
+    {
+      "id": "Art.15",
+      "summary": "Accuracy, robustness, cybersecurity — appropriate level of accuracy and resilience.",
+      "evidence": ["Calibration + held-out evaluation present (.agentic-security/calibration-seed.json).", "OWASP Benchmark regression gate."],
+      "mapsTo": ["module:calibration", "module:holdout-eval"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/gdpr.json

@@ -0,0 +1,45 @@
+{
+  "id": "gdpr",
+  "name": "General Data Protection Regulation (EU 2016/679)",
+  "publisher": "European Parliament & Council",
+  "license": "EU law (Official Journal)",
+  "url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+  "controls": [
+    {
+      "id": "Art.5",
+      "summary": "Principles relating to processing of personal data (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, accountability).",
+      "evidence": ["DPIA artifact at .agentic-security/dpia.md.", "PII fields enumerated by the privacy-taint module."],
+      "mapsTo": ["family:pii-exposure", "module:privacy-taint"]
+    },
+    {
+      "id": "Art.25",
+      "summary": "Data protection by design and by default.",
+      "evidence": ["Threat model produced before code.", "PII annotation runs at scan time, not as an afterthought."],
+      "mapsTo": ["module:threat-model-auto", "module:privacy-taint"]
+    },
+    {
+      "id": "Art.30",
+      "summary": "Records of processing activities — controller maintains a register.",
+      "evidence": ["DPIA + privacy-taint annotations cover each PII field with file:line provenance."],
+      "mapsTo": ["module:privacy-taint"]
+    },
+    {
+      "id": "Art.32",
+      "summary": "Security of processing — appropriate technical and organizational measures.",
+      "evidence": ["Zero open critical crypto findings.", "Auth-missing findings zero on user-data endpoints.", "TLS pinning checks pass."],
+      "mapsTo": ["family:crypto-weak-cipher", "family:crypto-tls-version", "family:crypto-tls-no-verify", "family:auth-missing"]
+    },
+    {
+      "id": "Art.33",
+      "summary": "Notification of personal data breach to the supervisory authority within 72 hours.",
+      "evidence": ["Fix history retained.", "Audit log preserves the breach-window evidence."],
+      "mapsTo": ["module:fix-history", "module:mcp-audit"]
+    },
+    {
+      "id": "Art.35",
+      "summary": "Data protection impact assessment (DPIA) for high-risk processing.",
+      "evidence": ["DPIA artifact present at .agentic-security/dpia.md."],
+      "mapsTo": ["module:privacy-taint:emitDpiaArtifact"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/hipaa-security-rule.json

@@ -0,0 +1,56 @@
+{
+  "id": "hipaa-security-rule",
+  "name": "HIPAA Security Rule (45 CFR Part 164, Subparts C & E)",
+  "publisher": "US Department of Health and Human Services",
+  "license": "US Federal regulation (public)",
+  "url": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164",
+  "controls": [
+    {
+      "id": "§164.308(a)(1)",
+      "summary": "Security management process — risk analysis and risk management.",
+      "evidence": ["Scan history under .agentic-security/scan-history/.", "Triage transitions logged."],
+      "mapsTo": ["module:scan-history", "module:triage"]
+    },
+    {
+      "id": "§164.308(a)(3)",
+      "summary": "Workforce security — authorization and supervision of access.",
+      "evidence": ["Zero auth-missing on PHI endpoints.", "IAM policy reviewed via cloud-iam scanner."],
+      "mapsTo": ["family:auth-missing", "family:iam-overpermissive"]
+    },
+    {
+      "id": "§164.308(a)(4)",
+      "summary": "Information access management — minimum necessary access.",
+      "evidence": ["Zero open findings in family idor / authz / k8s-rbac-cluster-admin."],
+      "mapsTo": ["family:idor", "family:authz", "family:k8s-rbac-cluster-admin"]
+    },
+    {
+      "id": "§164.308(a)(5)",
+      "summary": "Security awareness and training.",
+      "evidence": ["CLAUDE.md / AGENTS.md documents the project's security defaults."]
+    },
+    {
+      "id": "§164.312(a)(1)",
+      "summary": "Technical safeguards — access control (unique user identification, automatic logoff, encryption/decryption).",
+      "evidence": ["Zero hardcoded-secret findings.", "Crypto findings cleared on PHI handling code."],
+      "mapsTo": ["family:hardcoded-secret", "family:crypto-weak-cipher"]
+    },
+    {
+      "id": "§164.312(b)",
+      "summary": "Audit controls — record and examine activity in systems containing PHI.",
+      "evidence": ["MCP audit log + fix history present and hash-chained."],
+      "mapsTo": ["module:mcp-audit", "module:fix-history"]
+    },
+    {
+      "id": "§164.312(c)",
+      "summary": "Integrity — PHI not altered or destroyed in an unauthorized manner.",
+      "evidence": ["last-scan.json HMAC integrity check passing.", "Sigstore provenance verified for ML model files (if opt-in)."],
+      "mapsTo": ["module:integrity", "module:sigstore-verify"]
+    },
+    {
+      "id": "§164.312(e)",
+      "summary": "Transmission security — PHI in transit is protected.",
+      "evidence": ["Zero TLS-no-verify / TLS-version findings."],
+      "mapsTo": ["family:crypto-tls-no-verify", "family:crypto-tls-version"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/nist-ai-600-1.json

@@ -0,0 +1,51 @@
+{
+  "id": "nist-ai-600-1",
+  "name": "NIST AI 600-1 — Generative AI Profile",
+  "publisher": "NIST",
+  "license": "public-domain (US Federal publication)",
+  "url": "https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf",
+  "controls": [
+    {
+      "id": "GV-1.1-001",
+      "function": "GOVERN",
+      "summary": "Document and disseminate AI policies, processes, and procedures.",
+      "evidence": ["CLAUDE.md / SECURITY.md present.", ".agentic-security/compliance.policy.yml present."],
+      "mapsTo": ["module:compliance-policy"]
+    },
+    {
+      "id": "MP-2.3-002",
+      "function": "MAP",
+      "summary": "Identify and document GAI risks (CBRN, confabulation, harmful bias, prompt injection, IP, etc.).",
+      "evidence": ["Threat model artifact.", "Attack-taxonomy ATLAS mappings on findings."],
+      "mapsTo": ["module:threat-model-auto", "module:attack-taxonomy"]
+    },
+    {
+      "id": "MS-2.1-001",
+      "function": "MEASURE",
+      "summary": "Continuously monitor GAI system for risks identified during the MAP function.",
+      "evidence": ["Watch mode artifacts.", "Continuous scan history."],
+      "mapsTo": ["module:watch-mode", "module:scan-history"]
+    },
+    {
+      "id": "MG-3.2-005",
+      "function": "MANAGE",
+      "summary": "Manage GAI risks tied to prompt injection.",
+      "evidence": ["Zero open critical findings in family prompt-injection / llm-app-security."],
+      "mapsTo": ["family:prompt-injection", "family:llm-app-security"]
+    },
+    {
+      "id": "MG-4.1-001",
+      "function": "MANAGE",
+      "summary": "Establish processes for managing GAI supply chain risks.",
+      "evidence": ["No mlflow-untrusted-uri / hf-datasets-rce / streaming-dataset-url findings.", "AIBOM artifact present."],
+      "mapsTo": ["family:mlflow-untrusted-uri", "family:hf-datasets-rce", "family:streaming-dataset-url", "module:aibom"]
+    },
+    {
+      "id": "MG-2.4-001",
+      "function": "MANAGE",
+      "summary": "Establish content provenance / authenticity controls.",
+      "evidence": ["Sigstore provenance opt-in configured for model loads.", "ATTRIBUTIONS.md generated."],
+      "mapsTo": ["module:sigstore-verify", "module:license-attributions"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/nist-csf-2.json

@@ -0,0 +1,73 @@
+{
+  "id": "nist-csf-2",
+  "name": "NIST Cybersecurity Framework 2.0",
+  "publisher": "NIST",
+  "license": "public-domain (US Federal publication)",
+  "url": "https://www.nist.gov/cyberframework",
+  "controls": [
+    {
+      "id": "GV.PO",
+      "function": "GOVERN",
+      "category": "Policy",
+      "summary": "Organizational cybersecurity policy is established, communicated, and enforced.",
+      "evidence": ["Repo contains CLAUDE.md / SECURITY.md / .agentic-security/sca-policy.yml that documents the project's security policy.", "Triage decisions reference an organizational policy."],
+      "mapsTo": ["family:hardcoded-secret", "family:license-graph"]
+    },
+    {
+      "id": "ID.AM",
+      "function": "IDENTIFY",
+      "category": "Asset Management",
+      "summary": "Assets (hardware, software, data) are inventoried.",
+      "evidence": [".agentic-security/sbom-history/*.json snapshots present.", "ATTRIBUTIONS.md generated."],
+      "mapsTo": ["module:sbom-diff", "module:license-attributions"]
+    },
+    {
+      "id": "ID.RA",
+      "function": "IDENTIFY",
+      "category": "Risk Assessment",
+      "summary": "Vulnerabilities and threats are identified.",
+      "evidence": ["Regular scan history under .agentic-security/scan-history/.", "ATT&CK / ATLAS technique mapping on findings."],
+      "mapsTo": ["module:attack-taxonomy", "module:exploitability-probability"]
+    },
+    {
+      "id": "PR.AA",
+      "function": "PROTECT",
+      "category": "Identity Management & Access Control",
+      "summary": "Access to assets is limited to authorized users.",
+      "evidence": ["Zero open critical findings in family auth-missing / authz / iam-overpermissive on the current scan."],
+      "mapsTo": ["family:auth-missing", "family:authz", "family:iam-overpermissive", "family:k8s-rbac-cluster-admin"]
+    },
+    {
+      "id": "PR.DS",
+      "function": "PROTECT",
+      "category": "Data Security",
+      "summary": "Data is managed consistent with the organization's risk strategy.",
+      "evidence": ["No critical/high crypto findings.", "DPIA artifact present (.agentic-security/dpia.md) when handling PII."],
+      "mapsTo": ["family:crypto-tls-version", "family:crypto-tls-no-verify", "family:crypto-weak-cipher", "family:pii-exposure"]
+    },
+    {
+      "id": "DE.CM",
+      "function": "DETECT",
+      "category": "Continuous Monitoring",
+      "summary": "Anomalous activity, indicators of compromise are monitored.",
+      "evidence": ["Watch mode artifacts at .agentic-security/watch-status.{md,json}.", "CVE-alert daemon configured."],
+      "mapsTo": ["module:watch-mode", "module:cve-alert-daemon"]
+    },
+    {
+      "id": "RS.AN",
+      "function": "RESPOND",
+      "category": "Analysis",
+      "summary": "Notifications from detection systems are investigated.",
+      "evidence": ["Triage transitions logged in triage.json.", "Triage-memory entries with reasons."],
+      "mapsTo": ["module:triage", "module:triage-memory"]
+    },
+    {
+      "id": "RC.RP",
+      "function": "RECOVER",
+      "category": "Recovery Planning",
+      "summary": "Recovery plans are executed and improved after an incident.",
+      "evidence": ["Fix history under .agentic-security/fix-history/log.json.", "Verifier outcomes recorded."],
+      "mapsTo": ["module:fix-history", "module:verifier"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/owasp-asvs-5.json

@@ -0,0 +1,79 @@
+{
+  "id": "owasp-asvs-5",
+  "name": "OWASP Application Security Verification Standard 5.0",
+  "publisher": "OWASP Foundation",
+  "license": "Creative Commons Attribution-ShareAlike 4.0",
+  "url": "https://owasp.org/www-project-application-security-verification-standard/",
+  "controls": [
+    {
+      "id": "V2.1",
+      "category": "Authentication",
+      "summary": "Verify that authentication is performed for protected functions.",
+      "evidence": ["Zero open critical findings in family auth-missing on the current scan."],
+      "mapsTo": ["family:auth-missing"]
+    },
+    {
+      "id": "V2.7",
+      "category": "Authentication",
+      "summary": "Verify that MFA / secondary authentication is used for high-value operations.",
+      "evidence": ["aws-no-mfa-condition zero findings (if AWS in scope)."],
+      "mapsTo": ["family:aws-no-mfa"]
+    },
+    {
+      "id": "V4.1",
+      "category": "Access Control",
+      "summary": "Verify that authorization is enforced for every resource access.",
+      "evidence": ["Zero idor / authz findings."],
+      "mapsTo": ["family:idor", "family:authz"]
+    },
+    {
+      "id": "V5.1",
+      "category": "Input Validation",
+      "summary": "Verify input validation for type, length, and content.",
+      "evidence": ["Zero open critical findings in sqli/xss/command-injection/ldap-injection/xpath-injection."],
+      "mapsTo": ["family:sqli", "family:xss", "family:command-injection", "family:ldap-injection", "family:xpath-injection", "family:nosql-injection"]
+    },
+    {
+      "id": "V6.1",
+      "category": "Cryptography",
+      "summary": "Verify use of strong cryptography per a documented policy.",
+      "evidence": ["Zero open findings in crypto-weak-cipher / crypto-weak-hash / crypto-ecb / crypto-static-iv."],
+      "mapsTo": ["family:crypto-weak-cipher", "family:crypto-weak-hash", "family:crypto-ecb", "family:crypto-static-iv", "family:crypto-kdf-weak"]
+    },
+    {
+      "id": "V6.2",
+      "category": "Cryptography",
+      "summary": "Verify all transit data uses TLS ≥ 1.2.",
+      "evidence": ["Zero findings in crypto-tls-version / crypto-tls-no-verify."],
+      "mapsTo": ["family:crypto-tls-version", "family:crypto-tls-no-verify"]
+    },
+    {
+      "id": "V7.1",
+      "category": "Error Handling & Logging",
+      "summary": "Verify that error handling does not disclose sensitive information.",
+      "evidence": ["No findings in family data-exposure."],
+      "mapsTo": ["family:data-exposure"]
+    },
+    {
+      "id": "V8.1",
+      "category": "Data Protection",
+      "summary": "Verify that personal data is protected at rest and in transit.",
+      "evidence": ["DPIA artifact at .agentic-security/dpia.md.", "Zero pii-exposure findings."],
+      "mapsTo": ["family:pii-exposure", "family:training-data-pii"]
+    },
+    {
+      "id": "V10.1",
+      "category": "Malicious Code",
+      "summary": "Verify the application does not include known-malicious or compromised dependencies.",
+      "evidence": [".agentic-security/sbom-history snapshots clean.", "No dependency-confusion or dependency-drift findings."],
+      "mapsTo": ["family:vulnerable-dependency", "family:dependency-confusion", "family:dependency-drift"]
+    },
+    {
+      "id": "V14.1",
+      "category": "Configuration",
+      "summary": "Verify that build, deployment, and configuration are secure.",
+      "evidence": ["No findings in family iam-overpermissive / k8s-rbac-cluster-admin / k8s-pod-security-privileged."],
+      "mapsTo": ["family:iam-overpermissive", "family:k8s-rbac-cluster-admin", "family:k8s-pod-security-privileged"]
+    }
+  ]
+}

package/src/posture/compliance-frameworks/owasp-llm-top-10.json

@@ -0,0 +1,69 @@
+{
+  "id": "owasp-llm-top-10",
+  "name": "OWASP Top 10 for LLM Applications 2025",
+  "publisher": "OWASP Foundation",
+  "license": "Creative Commons Attribution-ShareAlike 4.0",
+  "url": "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
+  "controls": [
+    {
+      "id": "LLM01",
+      "summary": "Prompt Injection — controls preventing injected instructions from overriding the system prompt.",
+      "evidence": ["Zero open findings in family prompt-injection / llm-app-security.", "Prompt-template integrity check passing."],
+      "mapsTo": ["family:prompt-injection", "family:llm-app-security", "family:prompt-integrity"]
+    },
+    {
+      "id": "LLM02",
+      "summary": "Insecure Output Handling — LLM output is not directly piped to dangerous sinks (eval/shell/SQL/HTML).",
+      "evidence": ["Zero open findings in subfamily llm-output-untrusted-sink."],
+      "mapsTo": ["family:llm-app-security:llm-output-untrusted-sink"]
+    },
+    {
+      "id": "LLM03",
+      "summary": "Training Data Poisoning — provenance and integrity controls on training/fine-tuning data.",
+      "evidence": ["No streaming-dataset-url findings.", "datasets.load_dataset uses pinned revisions."],
+      "mapsTo": ["family:streaming-dataset-url", "family:hf-datasets-rce"]
+    },
+    {
+      "id": "LLM04",
+      "summary": "Model Denial of Service — rate-limit / token-cap controls.",
+      "evidence": ["LLM API calls in source carry an explicit max_tokens cap (bodyguard rule no-max-tokens)."],
+      "mapsTo": ["rule:no-max-tokens"]
+    },
+    {
+      "id": "LLM05",
+      "summary": "Supply Chain — model & dataset supply-chain integrity.",
+      "evidence": ["No mlflow-untrusted-uri / model-format / hf-endpoint-override findings.", "Sigstore provenance verification configured if opt-in."],
+      "mapsTo": ["family:mlflow-untrusted-uri", "family:model-format", "family:hf-endpoint-override"]
+    },
+    {
+      "id": "LLM06",
+      "summary": "Sensitive Information Disclosure — output filters prevent leakage.",
+      "evidence": ["Zero findings in subfamily llm-credential-in-prompt.", "Redact module covers prompt + response."],
+      "mapsTo": ["family:llm-app-security:llm-credential-in-prompt"]
+    },
+    {
+      "id": "LLM07",
+      "summary": "Insecure Plugin / Tool Design — tools the LLM can invoke are narrowly scoped.",
+      "evidence": ["Zero llm-app-security:llm-tool-exec findings.", "Agent tool definitions reviewed for excessive agency."],
+      "mapsTo": ["family:agent-tool-exec", "family:llm-app-security:llm-tool-exec"]
+    },
+    {
+      "id": "LLM08",
+      "summary": "Excessive Agency — agent autonomy is bounded by explicit guards.",
+      "evidence": ["MCP server config limits write-tools to confirm:true + reserved-write-path refusal.", "Apply-fix path requires HMAC-verified scan."],
+      "mapsTo": ["module:mcp-tools", "module:apply-fix"]
+    },
+    {
+      "id": "LLM09",
+      "summary": "Overreliance — human review checkpoints exist.",
+      "evidence": ["security-fixer agent has Stop-on-verify-fail loop.", "PreToolUse bodyguard exists."],
+      "mapsTo": ["module:security-fixer", "module:pre-edit-bodyguard"]
+    },
+    {
+      "id": "LLM10",
+      "summary": "Model Theft — model access controls.",
+      "evidence": ["No private-key-in-frontend or rpc-key-inline findings in client code."],
+      "mapsTo": ["family:private-key-in-frontend", "family:rpc-key-inline"]
+    }
+  ]
+}