npm - @vigolium/piolium - Versions diffs - 0.0.1 - Mend

@vigolium/piolium 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/LICENSE +21 -0
package/README.md +117 -0
package/agents/access-auditor.md +300 -0
package/agents/assumption-breaker.md +154 -0
package/agents/attack-designer.md +116 -0
package/agents/code-scanner.md +139 -0
package/agents/concurrency-auditor.md +238 -0
package/agents/confirm-writer.md +257 -0
package/agents/context-reviewer.md +274 -0
package/agents/cross-verifier.md +165 -0
package/agents/cve-scout.md +381 -0
package/agents/env-builder.md +282 -0
package/agents/env-profiler.md +205 -0
package/agents/evidence-collector.md +140 -0
package/agents/finding-grader.md +142 -0
package/agents/finding-writer.md +148 -0
package/agents/flow-tracer.md +106 -0
package/agents/goal-backtracer.md +146 -0
package/agents/history-miner.md +467 -0
package/agents/independent-verifier.md +118 -0
package/agents/intent-mapper.md +183 -0
package/agents/longshot-collector.md +128 -0
package/agents/longshot-prober.md +126 -0
package/agents/patch-auditor.md +73 -0
package/agents/poc-author.md +124 -0
package/agents/poc-runner.md +194 -0
package/agents/probe-lead.md +269 -0
package/agents/red-challenger.md +101 -0
package/agents/report-composer.md +208 -0
package/agents/review-adjudicator.md +216 -0
package/agents/spec-auditor.md +155 -0
package/agents/taint-tracer.md +265 -0
package/agents/test-locator.md +209 -0
package/agents/threat-modeler.md +132 -0
package/agents/variant-scanner.md +108 -0
package/agents/variant-spotter.md +110 -0
package/bin/piolium.mjs +376 -0
package/extensions/piolium/_vendor/yaml.bundle.d.mts +6 -0
package/extensions/piolium/_vendor/yaml.bundle.mjs +139 -0
package/extensions/piolium/agent-runner.ts +322 -0
package/extensions/piolium/agents.ts +266 -0
package/extensions/piolium/audit-state.ts +522 -0
package/extensions/piolium/bundled-resources.ts +97 -0
package/extensions/piolium/candidate-scan.ts +966 -0
package/extensions/piolium/command-target.ts +177 -0
package/extensions/piolium/console-stream.ts +57 -0
package/extensions/piolium/export-results.ts +380 -0
package/extensions/piolium/findings.ts +448 -0
package/extensions/piolium/heartbeat.ts +182 -0
package/extensions/piolium/help.ts +234 -0
package/extensions/piolium/index.ts +1865 -0
package/extensions/piolium/longshot.ts +530 -0
package/extensions/piolium/matcher-suggestions.ts +196 -0
package/extensions/piolium/matcher-utils.ts +83 -0
package/extensions/piolium/modes/balanced.ts +750 -0
package/extensions/piolium/modes/confirm-bootstrap.ts +186 -0
package/extensions/piolium/modes/confirm.ts +697 -0
package/extensions/piolium/modes/deep.ts +917 -0
package/extensions/piolium/modes/diff.ts +177 -0
package/extensions/piolium/modes/lite.ts +540 -0
package/extensions/piolium/modes/longshot.ts +595 -0
package/extensions/piolium/modes/merge.ts +204 -0
package/extensions/piolium/modes/phase-runner.ts +267 -0
package/extensions/piolium/modes/reinvest.ts +546 -0
package/extensions/piolium/modes/revisit.ts +279 -0
package/extensions/piolium/modes.ts +48 -0
package/extensions/piolium/phase-labels.ts +123 -0
package/extensions/piolium/phase-status-strip.ts +92 -0
package/extensions/piolium/prompt-prefix-editor.ts +39 -0
package/extensions/piolium/providers/anthropic-vertex.ts +836 -0
package/extensions/piolium/recon.ts +409 -0
package/extensions/piolium/result-stats.ts +105 -0
package/extensions/piolium/retry.ts +120 -0
package/extensions/piolium/scheduler.ts +212 -0
package/extensions/piolium/secrets.ts +368 -0
package/extensions/piolium/tools/web-tools.ts +148 -0
package/package.json +77 -0
package/skills/agentic-actions-auditor/SKILL.md +327 -0
package/skills/agentic-actions-auditor/references/action-profiles.md +186 -0
package/skills/agentic-actions-auditor/references/cross-file-resolution.md +209 -0
package/skills/agentic-actions-auditor/references/foundations.md +94 -0
package/skills/agentic-actions-auditor/references/vector-a-env-var-intermediary.md +77 -0
package/skills/agentic-actions-auditor/references/vector-b-direct-expression-injection.md +83 -0
package/skills/agentic-actions-auditor/references/vector-c-cli-data-fetch.md +83 -0
package/skills/agentic-actions-auditor/references/vector-d-pr-target-checkout.md +88 -0
package/skills/agentic-actions-auditor/references/vector-e-error-log-injection.md +88 -0
package/skills/agentic-actions-auditor/references/vector-f-subshell-expansion.md +82 -0
package/skills/agentic-actions-auditor/references/vector-g-eval-of-ai-output.md +91 -0
package/skills/agentic-actions-auditor/references/vector-h-dangerous-sandbox-configs.md +102 -0
package/skills/agentic-actions-auditor/references/vector-i-wildcard-allowlists.md +88 -0
package/skills/audit/SKILL.md +562 -0
package/skills/audit/assets/icon.svg +7 -0
package/skills/audit/hooks/scripts/validate_phase_output.py +550 -0
package/skills/audit/references/adversarial-review.md +148 -0
package/skills/audit/references/architecture-aware-sast.md +306 -0
package/skills/audit/references/audit-workflow.md +737 -0
package/skills/audit/references/chamber-protocol.md +384 -0
package/skills/audit/references/creative-attack-modes.md +221 -0
package/skills/audit/references/deep-analysis.md +273 -0
package/skills/audit/references/domain-attack-playbooks.md +1129 -0
package/skills/audit/references/knowledge-base-template.md +513 -0
package/skills/audit/references/real-env-validation.md +191 -0
package/skills/audit/references/report-templates.md +417 -0
package/skills/audit/references/triage-and-prereqs.md +134 -0
package/skills/audit/scripts/consolidate_drafts.py +554 -0
package/skills/audit/scripts/partition_findings.py +152 -0
package/skills/audit/scripts/rg-hotspots.sh +121 -0
package/skills/audit/scripts/stamp_file_state.py +349 -0
package/skills/code-reviewer/SKILL.md +65 -0
package/skills/codeql/SKILL.md +281 -0
package/skills/codeql/references/build-fixes.md +90 -0
package/skills/codeql/references/diagnostic-query-templates.md +339 -0
package/skills/codeql/references/extension-yaml-format.md +209 -0
package/skills/codeql/references/important-only-suite.md +153 -0
package/skills/codeql/references/language-details.md +207 -0
package/skills/codeql/references/macos-arm64e-workaround.md +179 -0
package/skills/codeql/references/performance-tuning.md +111 -0
package/skills/codeql/references/quality-assessment.md +172 -0
package/skills/codeql/references/ruleset-catalog.md +63 -0
package/skills/codeql/references/run-all-suite.md +92 -0
package/skills/codeql/references/sarif-processing.md +79 -0
package/skills/codeql/references/threat-models.md +51 -0
package/skills/codeql/workflows/build-database.md +280 -0
package/skills/codeql/workflows/create-data-extensions.md +261 -0
package/skills/codeql/workflows/run-analysis.md +301 -0
package/skills/differential-review/SKILL.md +220 -0
package/skills/differential-review/adversarial.md +203 -0
package/skills/differential-review/methodology.md +234 -0
package/skills/differential-review/patterns.md +300 -0
package/skills/differential-review/reporting.md +369 -0
package/skills/fp-check/SKILL.md +125 -0
package/skills/fp-check/references/bug-class-verification.md +114 -0
package/skills/fp-check/references/deep-verification.md +143 -0
package/skills/fp-check/references/evidence-templates.md +91 -0
package/skills/fp-check/references/false-positive-patterns.md +115 -0
package/skills/fp-check/references/gate-reviews.md +27 -0
package/skills/fp-check/references/standard-verification.md +78 -0
package/skills/insecure-defaults/SKILL.md +117 -0
package/skills/insecure-defaults/references/examples.md +409 -0
package/skills/last30days/SKILL.md +444 -0
package/skills/sarif-parsing/SKILL.md +483 -0
package/skills/sarif-parsing/resources/jq-queries.md +162 -0
package/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
package/skills/security-threat-model/LICENSE.txt +201 -0
package/skills/security-threat-model/SKILL.md +81 -0
package/skills/security-threat-model/agents/openai.yaml +4 -0
package/skills/security-threat-model/references/prompt-template.md +255 -0
package/skills/security-threat-model/references/security-controls-and-assets.md +32 -0
package/skills/semgrep/SKILL.md +212 -0
package/skills/semgrep/references/rulesets.md +162 -0
package/skills/semgrep/references/scan-modes.md +110 -0
package/skills/semgrep/references/scanner-task-prompt.md +140 -0
package/skills/semgrep/scripts/merge_sarif.py +203 -0
package/skills/semgrep/workflows/scan-workflow.md +311 -0
package/skills/semgrep-rule-creator/SKILL.md +168 -0
package/skills/semgrep-rule-creator/references/quick-reference.md +202 -0
package/skills/semgrep-rule-creator/references/workflow.md +240 -0
package/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
package/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
package/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
package/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
package/skills/sharp-edges/SKILL.md +292 -0
package/skills/sharp-edges/references/auth-patterns.md +252 -0
package/skills/sharp-edges/references/case-studies.md +274 -0
package/skills/sharp-edges/references/config-patterns.md +333 -0
package/skills/sharp-edges/references/crypto-apis.md +190 -0
package/skills/sharp-edges/references/lang-c.md +205 -0
package/skills/sharp-edges/references/lang-csharp.md +285 -0
package/skills/sharp-edges/references/lang-go.md +270 -0
package/skills/sharp-edges/references/lang-java.md +263 -0
package/skills/sharp-edges/references/lang-javascript.md +269 -0
package/skills/sharp-edges/references/lang-kotlin.md +265 -0
package/skills/sharp-edges/references/lang-php.md +245 -0
package/skills/sharp-edges/references/lang-python.md +274 -0
package/skills/sharp-edges/references/lang-ruby.md +273 -0
package/skills/sharp-edges/references/lang-rust.md +272 -0
package/skills/sharp-edges/references/lang-swift.md +287 -0
package/skills/sharp-edges/references/language-specific.md +588 -0
package/skills/spec-to-code-compliance/SKILL.md +357 -0
package/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
package/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
package/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
package/skills/supply-chain-risk-auditor/SKILL.md +67 -0
package/skills/supply-chain-risk-auditor/resources/results-template.md +41 -0
package/skills/variant-analysis/METHODOLOGY.md +327 -0
package/skills/variant-analysis/SKILL.md +142 -0
package/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
package/skills/variant-analysis/resources/codeql/go.ql +69 -0
package/skills/variant-analysis/resources/codeql/java.ql +71 -0
package/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
package/skills/variant-analysis/resources/codeql/python.ql +80 -0
package/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
package/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
package/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
package/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
package/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
package/skills/variant-analysis/resources/variant-report-template.md +75 -0
package/skills/vuln-report/SKILL.md +137 -0
package/skills/vuln-report/agents/openai.yaml +4 -0
package/skills/vuln-report/references/report-template.md +135 -0
package/skills/wooyun-legacy/SKILL.md +367 -0
package/skills/wooyun-legacy/references/bank-penetration.md +222 -0
package/skills/wooyun-legacy/references/checklists/command-execution-checklist.md +119 -0
package/skills/wooyun-legacy/references/checklists/csrf-checklist.md +74 -0
package/skills/wooyun-legacy/references/checklists/file-upload-checklist.md +108 -0
package/skills/wooyun-legacy/references/checklists/info-disclosure-checklist.md +114 -0
package/skills/wooyun-legacy/references/checklists/logic-flaws-checklist.md +95 -0
package/skills/wooyun-legacy/references/checklists/misconfig-checklist.md +124 -0
package/skills/wooyun-legacy/references/checklists/path-traversal-checklist.md +87 -0
package/skills/wooyun-legacy/references/checklists/rce-checklist.md +93 -0
package/skills/wooyun-legacy/references/checklists/sql-injection-checklist.md +97 -0
package/skills/wooyun-legacy/references/checklists/ssrf-checklist.md +99 -0
package/skills/wooyun-legacy/references/checklists/unauthorized-access-checklist.md +89 -0
package/skills/wooyun-legacy/references/checklists/weak-password-checklist.md +115 -0
package/skills/wooyun-legacy/references/checklists/xss-checklist.md +103 -0
package/skills/wooyun-legacy/references/checklists/xxe-checklist.md +130 -0
package/skills/wooyun-legacy/references/info-disclosure.md +975 -0
package/skills/wooyun-legacy/references/logic-flaws.md +721 -0
package/skills/wooyun-legacy/references/path-traversal.md +1191 -0
package/skills/wooyun-legacy/references/telecom-penetration.md +156 -0
package/skills/wooyun-legacy/references/unauthorized-access.md +980 -0
package/skills/wooyun-legacy/references/xss.md +746 -0
package/skills/zeroize-audit/SKILL.md +371 -0
package/skills/zeroize-audit/configs/c.yaml +21 -0
package/skills/zeroize-audit/configs/default.yaml +128 -0
package/skills/zeroize-audit/configs/rust.yaml +83 -0
package/skills/zeroize-audit/prompts/report_template.md +238 -0
package/skills/zeroize-audit/prompts/system.md +163 -0
package/skills/zeroize-audit/prompts/task.md +97 -0
package/skills/zeroize-audit/references/compile-commands.md +231 -0
package/skills/zeroize-audit/references/detection-strategy.md +191 -0
package/skills/zeroize-audit/references/ir-analysis.md +252 -0
package/skills/zeroize-audit/references/mcp-analysis.md +221 -0
package/skills/zeroize-audit/references/poc-generation.md +470 -0
package/skills/zeroize-audit/references/rust-zeroization-patterns.md +867 -0
package/skills/zeroize-audit/schemas/input.json +83 -0
package/skills/zeroize-audit/schemas/output.json +140 -0
package/skills/zeroize-audit/tools/analyze_asm.sh +202 -0
package/skills/zeroize-audit/tools/analyze_cfg.py +381 -0
package/skills/zeroize-audit/tools/analyze_heap.sh +211 -0
package/skills/zeroize-audit/tools/analyze_ir_semantic.py +429 -0
package/skills/zeroize-audit/tools/diff_ir.sh +135 -0
package/skills/zeroize-audit/tools/diff_rust_mir.sh +189 -0
package/skills/zeroize-audit/tools/emit_asm.sh +67 -0
package/skills/zeroize-audit/tools/emit_ir.sh +77 -0
package/skills/zeroize-audit/tools/emit_rust_asm.sh +178 -0
package/skills/zeroize-audit/tools/emit_rust_ir.sh +150 -0
package/skills/zeroize-audit/tools/emit_rust_mir.sh +158 -0
package/skills/zeroize-audit/tools/extract_compile_flags.py +284 -0
package/skills/zeroize-audit/tools/generate_poc.py +1329 -0
package/skills/zeroize-audit/tools/mcp/apply_confidence_gates.py +113 -0
package/skills/zeroize-audit/tools/mcp/check_mcp.sh +68 -0
package/skills/zeroize-audit/tools/mcp/normalize_mcp_evidence.py +125 -0
package/skills/zeroize-audit/tools/scripts/check_llvm_patterns.py +481 -0
package/skills/zeroize-audit/tools/scripts/check_mir_patterns.py +554 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm.py +424 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm_aarch64.py +300 -0
package/skills/zeroize-audit/tools/scripts/check_rust_asm_x86.py +283 -0
package/skills/zeroize-audit/tools/scripts/find_dangerous_apis.py +375 -0
package/skills/zeroize-audit/tools/scripts/semantic_audit.py +923 -0
package/skills/zeroize-audit/tools/track_dataflow.sh +196 -0
package/skills/zeroize-audit/tools/validate_rust_toolchain.sh +298 -0
package/skills/zeroize-audit/workflows/phase-0-preflight.md +150 -0
package/skills/zeroize-audit/workflows/phase-1-source-analysis.md +144 -0
package/skills/zeroize-audit/workflows/phase-2-compiler-analysis.md +139 -0
package/skills/zeroize-audit/workflows/phase-3-interim-report.md +46 -0
package/skills/zeroize-audit/workflows/phase-4-poc-generation.md +46 -0
package/skills/zeroize-audit/workflows/phase-5-poc-validation.md +136 -0
package/skills/zeroize-audit/workflows/phase-6-final-report.md +44 -0
package/skills/zeroize-audit/workflows/phase-7-test-generation.md +42 -0
package/themes/piolium-srcery.json +94 -0

package/extensions/piolium/modes/diff.ts ADDED Viewed

@@ -0,0 +1,177 @@
+/**
+ * Diff mode (`/piolium-diff`).
+ *
+ * Re-audit only what's changed since the last audited commit. Conservative
+ * MVP: if the prior audit isn't found / completed, ask the user to run
+ * balanced first. If the change set is too broad, recommend rerunning
+ * balanced or deep.
+ *
+ * Otherwise, run a focused balanced-style pipeline limited to changed
+ * files. Implementation is a single agent run with the code-scanner
+ * agent and a tightly scoped task prompt.
+ */
+import { execFileSync } from "node:child_process";
+import { existsSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+import type { AgentRuntimeModel } from "../agent-runner.ts";
+import { loadAgents } from "../agents.ts";
+import {
+	type AuditRunState,
+	initAudit,
+	latestAudit,
+	markAuditStatus,
+	readAuditState,
+} from "../audit-state.ts";
+import { runCandidateScanAsync } from "../candidate-scan.ts";
+import { runReconAsync } from "../recon.ts";
+import { type PhaseUiHooks, runAgentPhase } from "./phase-runner.ts";
+export interface RunDiffOptions {
+	cwd: string;
+	signal?: AbortSignal;
+	ui?: PhaseUiHooks;
+	agentRuntime?: AgentRuntimeModel;
+	/** Compare against this commit instead of the prior audited commit. */
+	since?: string;
+	/** Hard limit on changed files; abort with guidance if exceeded. Default 200. */
+	maxChangedFiles?: number;
+}
+export interface RunDiffResult {
+	auditId?: string;
+	status: "complete" | "failed" | "skipped";
+	changedFiles: string[];
+	priorCommit?: string;
+}
+export const DIFF_ATTACK_SURFACE_DIR = "piolium/attack-surface";
+export const DIFF_SUMMARY = `${DIFF_ATTACK_SURFACE_DIR}/diff-summary.md`;
+function safeExec(file: string, args: string[], cwd: string): string | undefined {
+	try {
+		return execFileSync(file, args, {
+			cwd,
+			encoding: "utf8",
+			stdio: ["ignore", "pipe", "ignore"],
+			maxBuffer: 32 * 1024 * 1024,
+		}).trim();
+	} catch {
+		return undefined;
+	}
+}
+function findPriorCommit(state: AuditRunState | undefined, override?: string): string | undefined {
+	if (override) return override;
+	if (!state) return undefined;
+	if (state.status !== "complete") return undefined;
+	if (!state.commit) return undefined;
+	return state.commit;
+}
+export async function runDiffAudit(opts: RunDiffOptions): Promise<RunDiffResult> {
+	const { cwd, signal, ui } = opts;
+	ui?.setStatus?.("piolium-diff", "● preparing recon");
+	const recon = await runReconAsync(cwd, { signal });
+	mkdirSync(join(cwd, DIFF_ATTACK_SURFACE_DIR), { recursive: true });
+	ui?.setStatus?.("piolium-diff", "● scanning candidate files");
+	const candidateScan = await runCandidateScanAsync(cwd, { signal });
+	ui?.notify?.(
+		`Candidate scan: ${candidateScan.candidateCount} match(es) across ${candidateScan.candidateFiles} file(s).`,
+		"info",
+	);
+	if (!recon.historyAvailable) {
+		ui?.notify?.(
+			"Diff mode requires git history. Run /piolium-balanced or /piolium-deep instead.",
+			"warning",
+		);
+		return { status: "skipped", changedFiles: [] };
+	}
+	const stateFile = readAuditState(cwd).state;
+	const prior = findPriorCommit(stateFile ? latestAudit(stateFile) : undefined, opts.since);
+	if (!prior) {
+		ui?.notify?.(
+			"No completed prior audit found. Run /piolium-balanced or /piolium-deep first, then come back.",
+			"warning",
+		);
+		return { status: "skipped", changedFiles: [] };
+	}
+	const diff = safeExec("git", ["diff", "--name-only", `${prior}...HEAD`], cwd);
+	if (diff === undefined) {
+		ui?.notify?.(`git diff against ${prior} failed.`, "error");
+		return { status: "failed", changedFiles: [], priorCommit: prior };
+	}
+	const changedFiles = diff.split("\n").filter(Boolean);
+	const cap = opts.maxChangedFiles ?? 200;
+	if (changedFiles.length > cap) {
+		ui?.notify?.(
+			`${changedFiles.length} files changed since ${prior.slice(0, 10)} — too broad for diff mode. Run /piolium-balanced.`,
+			"warning",
+		);
+		return { status: "skipped", changedFiles, priorCommit: prior };
+	}
+	if (changedFiles.length === 0) {
+		ui?.notify?.(`No code changes since ${prior.slice(0, 10)}. Diff mode has nothing to do.`, "info");
+		return { status: "skipped", changedFiles, priorCommit: prior };
+	}
+	const audit = await initAudit(cwd, {
+		mode: "diff",
+		commit: recon.commit ?? null,
+		...(recon.branch ? { branch: recon.branch } : {}),
+		...(recon.repository ? { repository: recon.repository } : {}),
+		history_available: recon.historyAvailable,
+		agent_sdk: "pi",
+		phases: ["1"],
+	});
+	const { agents } = loadAgents({ cwd });
+	const codeScanner = agents.get("code-scanner");
+	let failed = false;
+	try {
+		await runAgentPhase({
+			cwd,
+			audit,
+			phaseName: "1",
+			statusKey: "piolium-diff",
+			statusLabel: "● diff scan",
+			agent: codeScanner,
+			missingAgentMessage: "code-scanner missing",
+			task: [
+				"You are running /piolium-diff against a previously-audited repository.",
+				`Prior commit: ${prior}`,
+				`Current commit: ${recon.commit ?? "(unknown)"}`,
+				"",
+				"Changed files:",
+				...changedFiles.map((f) => `  - ${f}`),
+				"",
+				"Read prior durable context from `piolium/attack-surface/` when present, especially `candidates-summary.md`, `candidates.jsonl`, `knowledge-base-report.md`, `architecture-entrypoints.md`, `source-sink-flows-all-severities.md`, and `manual-attack-surface-inventory.md`.",
+				"",
+				"Steps:",
+				"  1. Read the diff (`git diff PRIOR...HEAD -- <file>`) for each changed file.",
+				"  2. Apply the same patterns as lite L3 / deep D5 (command injection, SSRF, authn/z, race conditions, etc.) but ONLY against the changed regions and their immediate callers.",
+				"  3. Surface drafts to `piolium/findings-draft/diff-NNN-<slug>.md`.",
+				`  4. Write a durable changed-attack-surface summary to \`${DIFF_SUMMARY}\` listing changed files, scope decisions, touched routes/sources/sinks, and finding pointers.`,
+			].join("\n"),
+			gate: () => existsSync(join(cwd, DIFF_SUMMARY)),
+			mode: "diff",
+			ui,
+			agentRuntime: opts.agentRuntime,
+			...(signal ? { signal } : {}),
+		});
+	} catch {
+		failed = true;
+	}
+	await markAuditStatus(cwd, audit.audit_id, failed ? "failed" : "complete");
+	ui?.notify?.(failed ? "Diff mode failed." : "Diff mode complete.", failed ? "error" : "info");
+	return {
+		auditId: audit.audit_id,
+		status: failed ? "failed" : "complete",
+		changedFiles,
+		priorCommit: prior,
+	};
+}