npm - @clear-capabilities/agentic-security-scanner - Versions diffs - 0.80.0 → 0.86.0 - Mend

@clear-capabilities/agentic-security-scanner 0.80.0 → 0.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/dist/178.index.js +1 -1
package/dist/384.index.js +1 -1
package/dist/637.index.js +1 -1
package/dist/838.index.js +1 -1
package/dist/839.index.js +170 -0
package/dist/985.index.js +51 -1
package/dist/agentic-security.mjs +83 -83
package/dist/agentic-security.mjs.sha256 +1 -1
package/package.json +3 -3
package/src/.agentic-security/findings.json +21283 -8189
package/src/.agentic-security/last-scan.json +21283 -8189
package/src/.agentic-security/last-scan.json.sig +1 -1
package/src/.agentic-security/scan-history.json +512 -128
package/src/.agentic-security/streak.json +3 -3
package/src/engine.js +41 -0
package/src/mcp/.agentic-security/findings.json +4 -4
package/src/mcp/.agentic-security/last-scan.json +4 -4
package/src/mcp/.agentic-security/last-scan.json.sig +1 -1
package/src/mcp/.agentic-security/scan-history.json +188 -0
package/src/mcp/.agentic-security/streak.json +5 -5
package/src/mcp/tools.js +51 -1
package/src/posture/.agentic-security/dpia.md +26 -0
package/src/posture/.agentic-security/findings.json +17234 -4057
package/src/posture/.agentic-security/last-scan.json +17234 -4057
package/src/posture/.agentic-security/last-scan.json.sig +1 -1
package/src/posture/.agentic-security/pqc-migration-plan.json +65 -0
package/src/posture/.agentic-security/pqc-migration-plan.md +30 -0
package/src/posture/.agentic-security/sbom-history/7d45b5e03804aac084b4a2b4dc8c6f10107d2005.json +6 -0
package/src/posture/.agentic-security/scan-history.json +1942 -200
package/src/posture/.agentic-security/streak.json +3 -3
package/src/posture/.agentic-security/threat-model.json +2038 -0
package/src/posture/.agentic-security/threat-model.md +73 -0
package/src/posture/auditor-walkthrough.js +252 -0
package/src/posture/claude-authorship.js +197 -0
package/src/posture/compliance-frameworks/.agentic-security/findings.json +80 -0
package/src/posture/compliance-frameworks/.agentic-security/last-scan.json +80 -0
package/src/posture/compliance-frameworks/.agentic-security/last-scan.json.sig +1 -0
package/src/posture/compliance-frameworks/.agentic-security/scan-history.json +90 -0
package/src/posture/compliance-frameworks/.agentic-security/streak.json +22 -0
package/src/posture/compliance-frameworks/ccpa.json +32 -0
package/src/posture/compliance-frameworks/eu-ai-act.json +51 -0
package/src/posture/compliance-frameworks/gdpr.json +45 -0
package/src/posture/compliance-frameworks/hipaa-security-rule.json +56 -0
package/src/posture/compliance-frameworks/nist-ai-600-1.json +51 -0
package/src/posture/compliance-frameworks/nist-csf-2.json +73 -0
package/src/posture/compliance-frameworks/owasp-asvs-5.json +79 -0
package/src/posture/compliance-frameworks/owasp-llm-top-10.json +69 -0
package/src/posture/cross-repo-memory.js +180 -0
package/src/posture/dep-add-guard.js +197 -0
package/src/posture/findings-memory.js +152 -0
package/src/posture/fix-style-mirror.js +118 -0
package/src/posture/git-history.js +141 -0
package/src/posture/intent-context.js +175 -0
package/src/posture/model-rescan.js +76 -0
package/src/posture/pattern-propagation.js +39 -0
package/src/posture/pr-augment.js +234 -0
package/src/posture/risk-dollars.js +158 -0
package/src/posture/router.js +4 -4
package/src/posture/threat-model-grounding.js +169 -0
package/src/posture/time-to-fix.js +129 -0
package/src/posture/triage-memory.js +151 -0
package/src/posture/triage.js +15 -1
package/src/posture/watch-mode.js +171 -0
package/src/posture/workflow-installer.js +231 -0
package/src/report/.agentic-security/sbom-history/7d45b5e03804aac084b4a2b4dc8c6f10107d2005.json +6 -0
package/src/report/.agentic-security/threat-model.json +7 -0
package/src/report/.agentic-security/threat-model.md +22 -0
package/src/report/index.js +1 -1

package/src/.agentic-security/streak.json CHANGED Viewed

@@ -1,14 +1,14 @@
 {
   "firstScanDate": "2026-05-28T17:41:23.688Z",
-  "lastScanDate": "2026-05-29T16:40:09.988Z",
-  "totalScans": 48,
+  "lastScanDate": "2026-05-29T22:33:27.822Z",
+  "totalScans": 58,
   "daysCleanCritical": 0,
   "lastCleanDate": null,
   "lastCriticalDate": "2026-05-29",
   "hasEverHadCritical": true,
   "bestDaysCleanCritical": 0,
   "totalFindingsAtFirstScan": 432,
-  "totalFindingsAtLastScan": 524,
+  "totalFindingsAtLastScan": 584,
   "totalFixesInferred": 0,
   "lastGrade": "C",
   "bestGrade": "C",

package/src/engine.js CHANGED Viewed

@@ -159,6 +159,13 @@ import { buildMigrationPlan as buildPqcPlan, persistMigrationPlan as persistPqcP
 import { analyzeLicenseGraph, loadLicenseGraphPolicy } from './posture/license-graph.js';
 import { generateAttributions, persistAttributions } from './posture/license-attributions.js';
 import { annotateAttackTaxonomy, summarizeTaxonomy } from './posture/attack-taxonomy.js';
+import { suppressByPastDecisions } from './posture/triage-memory.js';
+import { suppressByIntent } from './posture/intent-context.js';
+import { annotateGitHistory } from './posture/git-history.js';
+import { applyThreatModel } from './posture/threat-model-grounding.js';
+import { annotateCrossRepoSignals } from './posture/pattern-propagation.js';
+import { annotateRiskDollars } from './posture/risk-dollars.js';
+import { annotateTimeToFix }   from './posture/time-to-fix.js';
 import { annotateTypeNarrowing } from './posture/type-narrowing.js';
 import { annotateWhyFired } from './posture/why-fired.js';
 import { scanSpecificationDrift } from './posture/specification-mining.js';
@@ -7736,6 +7743,40 @@ async function runFullScan({fileContents={}, depFileContents={}, scanRoot=null},
     if (process.env.AGENTIC_SECURITY_NO_ATTACK_TAX !== '1') {
       _runAnnotator("annotateAttackTaxonomy", () => { annotateAttackTaxonomy(finalFindings); });
     }
+    // Triage memory — demote findings whose (family, dir) bucket was
+    // previously marked wont-fix or false-positive in this project.
+    if (process.env.AGENTIC_SECURITY_NO_TRIAGE_MEMORY !== '1') {
+      _runAnnotator("suppressByPastDecisions", () => { suppressByPastDecisions(scanRoot, finalFindings); });
+    }
+    // Intent-aware FP suppression — demote findings on files marked as
+    // intentionally vulnerable (sandbox/CTF/tutorial/example/etc.).
+    if (process.env.AGENTIC_SECURITY_NO_INTENT_CTX !== '1') {
+      _runAnnotator("suppressByIntent", () => { suppressByIntent(scanRoot, finalFindings); });
+    }
+    // Git history — stamp each finding with introducedBy / introducedIn /
+    // originatingPrompt by running `git blame` on the finding's line.
+    if (process.env.AGENTIC_SECURITY_NO_GIT_HISTORY !== '1') {
+      _runAnnotator("annotateGitHistory", () => { annotateGitHistory(scanRoot, finalFindings); });
+    }
+    // Threat-model grounding — bump severity on crown-jewels, demote
+    // out-of-scope, tag compliance regimes, stamp attacker profile.
+    if (process.env.AGENTIC_SECURITY_NO_THREAT_MODEL_GROUNDING !== '1') {
+      _runAnnotator("applyThreatModel", () => { applyThreatModel(scanRoot, finalFindings); });
+    }
+    // Cross-repo pattern propagation — surface sibling-repo fixes and
+    // triage decisions for the same family from this developer's history.
+    if (process.env.AGENTIC_SECURITY_NO_CROSS_REPO !== '1') {
+      _runAnnotator("annotateCrossRepoSignals", () => { annotateCrossRepoSignals(scanRoot, finalFindings); });
+    }
+    // Risk-in-dollars — combine EPSS + crown-jewel + reachability into an
+    // expected-value-of-exploitation USD figure per finding.
+    if (process.env.AGENTIC_SECURITY_NO_RISK_DOLLARS !== '1') {
+      _runAnnotator("annotateRiskDollars", () => { annotateRiskDollars(scanRoot, finalFindings); });
+    }
+    // Time-to-fix — estimate engineering hours per finding.
+    if (process.env.AGENTIC_SECURITY_NO_TIME_TO_FIX !== '1') {
+      _runAnnotator("annotateTimeToFix", () => { annotateTimeToFix(scanRoot, finalFindings); });
+    }
   }
   // v3 next-gen: crown-jewel mapping (FR-PROD-5) — score each file/finding by
   // business impact. Must run before persona prioritization (which uses it).

package/src/mcp/.agentic-security/findings.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
-  "scanId": "8b572c4d-add7-4731-b9bb-f9e1f46ae535",
-  "startedAt": "2026-05-28T18:13:59.832Z",
-  "durationMs": 216,
+  "scanId": "47925823-e41f-4a38-acec-1c5dfb77f44d",
+  "startedAt": "2026-05-29T20:35:23.218Z",
+  "durationMs": 217,
   "scanned": {
     "files": 6,
     "lines": 0
@@ -8417,7 +8417,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 73
+      "controlsDetected": 75
     },
     "threatModel": {
       "summary": {

package/src/mcp/.agentic-security/last-scan.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
-  "scanId": "8b572c4d-add7-4731-b9bb-f9e1f46ae535",
-  "startedAt": "2026-05-28T18:13:59.832Z",
-  "durationMs": 216,
+  "scanId": "47925823-e41f-4a38-acec-1c5dfb77f44d",
+  "startedAt": "2026-05-29T20:35:23.218Z",
+  "durationMs": 217,
   "scanned": {
     "files": 6,
     "lines": 0
@@ -8417,7 +8417,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 73
+      "controlsDetected": 75
     },
     "threatModel": {
       "summary": {

package/src/mcp/.agentic-security/last-scan.json.sig CHANGED Viewed

	@@ -1 +1 @@
1	- ~~45066aa2e5bc1eff0060249590f9b659f87ee1b5bf259c508d585c75d5be346a~~
1	+ 7bb61d3bece7b47b3d112df139e09a5a95a0c51828999fa1734804ee3f7b6efc

package/src/mcp/.agentic-security/scan-history.json CHANGED Viewed

@@ -139,5 +139,193 @@
       "toctou-fs:tools.js:753",
       "toctou-fs:tools.js:835"
     ]
+  },
+  {
+    "timestamp": "2026-05-29T20:12:38.328Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:320:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:328:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:535:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:671:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:748:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:753:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:756:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:835:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:844:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:875:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:320",
+      "toctou-fs:tools.js:753",
+      "toctou-fs:tools.js:835"
+    ]
+  },
+  {
+    "timestamp": "2026-05-29T20:12:45.655Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:320:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:328:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:535:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:671:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:748:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:753:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:756:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:835:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:844:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:875:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:320",
+      "toctou-fs:tools.js:753",
+      "toctou-fs:tools.js:835"
+    ]
+  },
+  {
+    "timestamp": "2026-05-29T20:35:14.131Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:320:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:328:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:535:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:671:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:748:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:753:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:756:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:835:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:844:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:875:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:320",
+      "toctou-fs:tools.js:753",
+      "toctou-fs:tools.js:835"
+    ]
+  },
+  {
+    "timestamp": "2026-05-29T20:35:23.436Z",
+    "label": "scan",
+    "total": 35,
+    "critical": 0,
+    "high": 0,
+    "medium": 35,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:audit.js:102:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:113:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:127:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:128:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:52:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:audit.js:88:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:server.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:159:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:163:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:167:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:196:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:211:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:226:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:281:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:320:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:328:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:535:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:671:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:746:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:748:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:753:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:756:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:835:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:844:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:873:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:tools.js:875:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:audit.js:127",
+      "toctou-fs:audit.js:52",
+      "toctou-fs:tools.js:196",
+      "toctou-fs:tools.js:320",
+      "toctou-fs:tools.js:753",
+      "toctou-fs:tools.js:835"
+    ]
   }
 ]

package/src/mcp/.agentic-security/streak.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "firstScanDate": "2026-05-28T17:48:43.176Z",
-  "lastScanDate": "2026-05-28T18:14:00.070Z",
-  "totalScans": 3,
-  "daysCleanCritical": 1,
-  "lastCleanDate": "2026-05-28",
+  "lastScanDate": "2026-05-29T20:35:23.458Z",
+  "totalScans": 7,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-29",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 1,
+  "bestDaysCleanCritical": 2,
   "totalFindingsAtFirstScan": 40,
   "totalFindingsAtLastScan": 40,
   "totalFixesInferred": 0,

package/src/mcp/tools.js CHANGED Viewed

@@ -946,6 +946,56 @@ export const read_agents_memory = {
   },
 };
+// ─── query_triage_memory ───────────────────────────────────────────────────
+// Natural-language Q&A over past triage decisions (wont-fix / false-positive
+// markings + reasons). Backed by .agentic-security/triage-memory.jsonl, which
+// is auto-populated by triage.transition(). Returns at most 10 most-relevant
+// past decisions.
+export const query_triage_memory = {
+  name: 'query_triage_memory',
+  description: 'Search past triage decisions (wont-fix / false-positive) by natural-language query. Returns up to 10 most-relevant past decisions with their reasons. Use when you see a new finding and want to know "did we already decide on something like this?" — answers in seconds without re-reading the full AGENTS.md narrative.',
+  inputSchema: {
+    type: 'object',
+    additionalProperties: false,
+    properties: {
+      query: { type: 'string', description: 'Free-text terms to match against past reasons / vuln text / file paths / family names.' },
+    },
+  },
+  async handler({ query }, ctx) {
+    const { queryMemory } = await import('../posture/triage-memory.js');
+    const results = queryMemory(ctx.sessionRoot, query || '');
+    return {
+      _meta: META,
+      count: results.length,
+      results,
+    };
+  },
+};
+// ─── query_findings_memory ─────────────────────────────────────────────────
+// Natural-language Q&A across the scanner's accumulated institutional
+// memory: current findings + past triage decisions + scan history +
+// AGENTS.md narrative. Use to answer "have we seen something like this
+// before?" without reading multiple files.
+export const query_findings_memory = {
+  name: 'query_findings_memory',
+  description: 'Search the scanner accumulated memory (current scan findings + past wont-fix/false-positive decisions + scan history + AGENTS.md narrative) by natural-language terms. Returns top-10 results scored by term-match count and ranked finding > triage > history > AGENTS.md.',
+  inputSchema: {
+    type: 'object',
+    additionalProperties: false,
+    properties: {
+      query: { type: 'string', description: 'Natural-language search terms (2+ chars each).' },
+    },
+    required: ['query'],
+  },
+  async handler({ query }, ctx) {
+    const { queryFindingsMemory } = await import('../posture/findings-memory.js');
+    return { _meta: META, ...queryFindingsMemory(ctx.sessionRoot, query || '') };
+  },
+};
 // ─── lookup_cve ────────────────────────────────────────────────────────────
 // LangChain harness-anatomy #8: bridge the knowledge-cutoff gap by exposing
 // the local OSV / KEV / EPSS cache as a structured tool. Read-only — never
@@ -1041,4 +1091,4 @@ export const apply_sca_upgrade = {
   },
 };
-export const ALL_TOOLS = [scan_diff, query_taint, explain_finding, apply_fix, verify_fix, synthesize_fix, find_rule_module, append_scratchpad, read_scratchpad, append_agents_memory, read_agents_memory, lookup_cve, synthesize_sca_upgrade, apply_sca_upgrade];
+export const ALL_TOOLS = [scan_diff, query_taint, explain_finding, apply_fix, verify_fix, synthesize_fix, find_rule_module, append_scratchpad, read_scratchpad, append_agents_memory, read_agents_memory, lookup_cve, synthesize_sca_upgrade, apply_sca_upgrade, query_triage_memory, query_findings_memory];

package/src/posture/.agentic-security/dpia.md ADDED Viewed

@@ -0,0 +1,26 @@
+# Data Protection Impact Assessment (DPIA)
+Generated by agentic-security scanner on 2026-05-30.
+This is an automated DPIA scaffold derived from static analysis.
+It must be reviewed and completed by a privacy officer before use.
+## Data classes identified
+## Privacy-related findings
+| Severity | File:Line | Class → Sink | Description |
+|---|---|---|---|
+## Regulatory framework mapping
+- **GDPR Art. 35** — DPIA required when processing is likely to result in high risk to data subjects.
+- **CCPA §1798.130** — Notice + access rights for collected personal information.
+## Reviewer checklist
+- [ ] Confirm each PII field's collection has a documented lawful basis
+- [ ] Confirm retention period for each class is documented
+- [ ] Confirm DSAR (data subject access request) workflow exists
+- [ ] Confirm encryption at rest + in transit for each class
+- [ ] Confirm logging of PII access for audit (where applicable)