agentic-qe 3.7.19 → 3.7.21

package/dist/coordination/protocols/security-audit.d.ts

@@ -169,14 +169,11 @@ export declare class SecurityAuditProtocol {
      */
     execute(trigger: SecurityAuditTrigger): Promise<Result<SecurityAuditResult>>;
     /**
-     * Scan for vulnerabilities using SAST
-     * Delegates to real SecurityScannerService with semgrep integration when available
+     * Scan for vulnerabilities using SAST.
+     * SASTScanner now integrates semgrep internally (runs alongside pattern scanning
+     * when semgrep is installed), so no separate fallback is needed here.
      */
     scanVulnerabilities(options: SecurityAuditOptions): Promise<Result<SASTResult>>;
-    /**
-     * Map semgrep OWASP category to VulnerabilityCategory
-     */
-    private mapSemgrepCategory;
     /**
      * Scan dependencies for vulnerabilities
      * Delegates to real SecurityScannerService which uses OSV API for real vulnerability data

package/dist/coordination/protocols/security-audit.js

@@ -10,6 +10,7 @@ import { v4 as uuidv4 } from 'uuid';
 import { ok, err, } from '../../shared/types/index.js';
 import { FilePath, RiskScore } from '../../shared/value-objects/index.js';
 import { createEvent, } from '../../shared/events/domain-events.js';
+// Semgrep is now integrated directly into SASTScanner (no coordination-layer fallback needed)
 import { toError } from '../../shared/error-utils.js';
 // CQ-005: Use DomainServiceRegistry instead of dynamic imports from domains/
 import { DomainServiceRegistry, ServiceKeys } from '../../shared/domain-service-registry.js';
@@ -22,18 +23,6 @@ function resolveSecurityScannerService(memory) {
     const factory = DomainServiceRegistry.resolve(ServiceKeys.SecurityScannerService);
     return factory(memory);
 }
-function resolveIsSemgrepAvailable() {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.isSemgrepAvailable);
-    return fn();
-}
-function resolveRunSemgrepWithRules(targetPath, ruleSetIds) {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.runSemgrepWithRules);
-    return fn(targetPath, ruleSetIds);
-}
-function resolveConvertSemgrepFindings(findings) {
-    const fn = DomainServiceRegistry.resolve(ServiceKeys.convertSemgrepFindings);
-    return fn(findings);
-}
 // ============================================================================
 // Protocol Events
 // ============================================================================
@@ -208,8 +197,9 @@ export class SecurityAuditProtocol {
     // Scanning Methods
     // ==========================================================================
     /**
-     * Scan for vulnerabilities using SAST
-     * Delegates to real SecurityScannerService with semgrep integration when available
+     * Scan for vulnerabilities using SAST.
+     * SASTScanner now integrates semgrep internally (runs alongside pattern scanning
+     * when semgrep is installed), so no separate fallback is needed here.
      */
     async scanVulnerabilities(options) {
         try {
@@ -219,96 +209,26 @@ export class SecurityAuditProtocol {
                 return err(agentId.error);
             }
             const files = this.config.scanPaths.map(path => FilePath.create(path));
-            // Try real SecurityScannerService first
             try {
                 const scanner = this.getSecurityScanner();
                 const ruleSetIds = options.ruleSetIds || ['owasp-top-10', 'cwe-sans-25'];
+                // SASTScanner.scanWithRules now runs pattern scanning + semgrep in parallel
                 const scanResult = await scanner.scanWithRules(files, ruleSetIds);
                 if (scanResult.success) {
                     return ok(scanResult.value);
                 }
-                // If scanner fails, continue to fallback
+                return err(scanResult.error);
             }
             catch (scannerError) {
-                // Scanner unavailable - log and continue to fallback
                 await this.memory.set('security-audit:scanner-error', { error: String(scannerError), timestamp: new Date().toISOString() }, { namespace: 'security-compliance', ttl: 3600 });
+                return err(new Error(`SAST scanning failed: ${String(scannerError)}. ` +
+                    'Ensure SecurityScannerService is properly configured.'));
             }
-            // Try semgrep if available as secondary option
-            const semgrepAvailable = await resolveIsSemgrepAvailable();
-            if (semgrepAvailable) {
-                try {
-                    const semgrepResult = await resolveRunSemgrepWithRules(this.config.scanPaths[0] || '.', options.ruleSetIds || ['owasp-top-10']);
-                    if (semgrepResult.success && semgrepResult.findings.length > 0) {
-                        const convertedFindings = resolveConvertSemgrepFindings(semgrepResult.findings);
-                        const vulnerabilities = convertedFindings.map(f => ({
-                            id: uuidv4(),
-                            cveId: undefined,
-                            title: f.title,
-                            description: f.description,
-                            severity: f.severity,
-                            category: this.mapSemgrepCategory(f.owaspCategory || 'injection'),
-                            location: {
-                                file: f.file,
-                                line: f.line,
-                                column: f.column,
-                                snippet: f.snippet,
-                            },
-                            remediation: {
-                                description: f.remediation,
-                                estimatedEffort: 'moderate',
-                                automatable: false,
-                            },
-                            references: f.references,
-                        }));
-                        const summary = this.calculateSummary(vulnerabilities);
-                        return ok({
-                            scanId: uuidv4(),
-                            vulnerabilities,
-                            summary,
-                            coverage: {
-                                filesScanned: files.length,
-                                linesScanned: vulnerabilities.length * 50,
-                                rulesApplied: 45,
-                            },
-                        });
-                    }
-                }
-                catch (semgrepError) {
-                    // Semgrep failed - log error
-                    await this.memory.set('security-audit:semgrep-error', { error: String(semgrepError), timestamp: new Date().toISOString() }, { namespace: 'security-compliance', ttl: 3600 });
-                }
-            }
-            // NO FALLBACK - Security scans must either succeed or fail explicitly
-            // An empty vulnerability list would falsely indicate "scan succeeded, nothing found"
-            // when in reality we couldn't scan at all
-            return err(new Error('SAST scanning unavailable: neither SecurityScannerService nor semgrep could execute. ' +
-                'Install semgrep (pip install semgrep) or ensure SecurityScannerService is properly configured.'));
         }
         catch (error) {
             return err(toError(error));
         }
     }
-    /**
-     * Map semgrep OWASP category to VulnerabilityCategory
-     */
-    mapSemgrepCategory(owaspCategory) {
-        const categoryMap = {
-            'A01': 'access-control',
-            'A02': 'sensitive-data',
-            'A03': 'injection',
-            'A04': 'insecure-deserialization',
-            'A05': 'security-misconfiguration',
-            'A06': 'vulnerable-components',
-            'A07': 'broken-auth',
-            'A08': 'insecure-deserialization',
-            'A09': 'insufficient-logging',
-            'A10': 'xxe',
-            'injection': 'injection',
-            'xss': 'xss',
-            'broken-auth': 'broken-auth',
-        };
-        return categoryMap[owaspCategory] || 'security-misconfiguration';
-    }
     /**
      * Scan dependencies for vulnerabilities
      * Delegates to real SecurityScannerService which uses OSV API for real vulnerability data

package/dist/coordination/queen-coordinator.d.ts

@@ -21,6 +21,7 @@ import { EventBus, AgentCoordinator, AgentInfo, DomainPlugin, DomainHealth, Memo
 import { CrossDomainRouter, ProtocolExecutor, WorkflowExecutor } from './interfaces';
 import { QueenMinCutBridge } from './mincut/queen-integration';
 import { QueenRouterAdapter } from '../routing/queen-integration.js';
+import { type DependencyGraphResult } from '../routing/agent-dependency-graph.js';
 import { AgentTeamsAdapter } from './agent-teams/index.js';
 import { DomainTeamManager } from './agent-teams/domain-team-manager.js';
 import { DomainBreakerRegistry } from './circuit-breaker/index.js';
@@ -73,6 +74,9 @@ export declare class QueenCoordinator implements IQueenCoordinator {
     private hypothesisManager;
     private federationMailbox;
     private dynamicScaler;
+    private coExecutionRepo;
+    private dependencyGraph;
+    private availableMcpServers;
     constructor(eventBus: EventBus, agentCoordinator: AgentCoordinator, memory: MemoryBackend, router: CrossDomainRouter, protocolExecutor?: ProtocolExecutor | undefined, workflowExecutor?: WorkflowExecutor | undefined, domainPlugins?: Map<DomainName, DomainPlugin> | undefined, config?: Partial<QueenConfig>);
     initialize(): Promise<void>;
     dispose(): Promise<void>;
@@ -84,6 +88,15 @@ export declare class QueenCoordinator implements IQueenCoordinator {
     getDomainLoad(domain: DomainName): number;
     getIdleDomains(): DomainName[];
     getBusyDomains(): DomainName[];
+    /**
+     * Get a phased spawn plan that respects hard agent dependencies.
+     * Use this when spawning multiple agents for a swarm task.
+     */
+    getSpawnPlan(agentNames: string[]): import("..").SpawnPlan;
+    /**
+     * Get the dependency graph for the agent fleet.
+     */
+    getDependencyGraph(): DependencyGraphResult | null;
     enableWorkStealing(): void;
     disableWorkStealing(): void;
     triggerWorkStealing(): Promise<number>;

package/dist/coordination/queen-coordinator.js

@@ -24,6 +24,10 @@ import { createQueenMinCutBridge, } from './mincut/queen-integration';
 import { getSharedMinCutGraph } from './mincut/shared-singleton';
 // V3 Integration: TinyDancer intelligent model routing (TD-004, TD-005, TD-006)
 import { QueenRouterAdapter, } from '../routing/queen-integration.js';
+// Issue #342: Dependency intelligence integration
+import { getCoExecutionRepository } from '../routing/co-execution-repository.js';
+import { getAvailableMcpServers } from '../validation/steps/agent-mcp-validator.js';
+import { buildDependencyGraph, createSpawnPlan } from '../routing/agent-dependency-graph.js';
 // V3 Integration: @claude-flow/guidance governance (ADR-058)
 import { queenGovernanceAdapter } from '../governance/index.js';
 // ADR-064 Integration: Agent Teams, Circuit Breakers, Fleet Tiers
@@ -102,6 +106,10 @@ export class QueenCoordinator {
     hypothesisManager = null;
     federationMailbox = null;
     dynamicScaler = null;
+    // Issue #342: Dependency intelligence
+    coExecutionRepo = null;
+    dependencyGraph = null;
+    availableMcpServers = [];
     constructor(eventBus, agentCoordinator, memory, router, protocolExecutor, workflowExecutor, domainPlugins, config = {}) {
         this.eventBus = eventBus;
         this.agentCoordinator = agentCoordinator;
@@ -177,6 +185,32 @@ export class QueenCoordinator {
         }
         // ADR-064: Initialize subsystems (non-fatal failures)
         this.initializeSubsystems();
+        // Issue #342: Initialize dependency intelligence (non-fatal)
+        try {
+            // Build dependency graph from agent definitions
+            const { join } = await import('path');
+            const agentsDir = join(process.cwd(), '.claude', 'agents', 'v3');
+            this.dependencyGraph = buildDependencyGraph(agentsDir);
+            this.availableMcpServers = getAvailableMcpServers(process.cwd());
+            // Initialize co-execution repository for behavioral learning
+            const { getUnifiedMemory } = await import('../kernel/unified-memory.js');
+            const unifiedMemory = getUnifiedMemory();
+            await unifiedMemory.initialize();
+            this.coExecutionRepo = getCoExecutionRepository();
+            this.coExecutionRepo.initialize(unifiedMemory.getDatabase());
+            if (this.dependencyGraph.warnings.length > 0) {
+                logger.warn(`Dependency graph: ${this.dependencyGraph.warnings.length} warning(s)`, {
+                    warnings: this.dependencyGraph.warnings.slice(0, 5),
+                });
+            }
+            logger.info('Dependency intelligence initialized', {
+                agents: this.dependencyGraph.nodes.size,
+                mcpServers: this.availableMcpServers.length,
+            });
+        }
+        catch (depError) {
+            logger.warn('Dependency intelligence initialization failed (continuing)', { error: depError });
+        }
         // Publish initialization event
         await this.publishEvent('QueenInitialized', {
             timestamp: new Date(),
@@ -365,6 +399,24 @@ export class QueenCoordinator {
         return ALL_DOMAINS.filter(domain => this.getDomainLoad(domain) > this.config.workStealing.loadThreshold);
     }
     // ============================================================================
+    // Issue #342 Item 2: Dependency-Aware Spawn Planning
+    // ============================================================================
+    /**
+     * Get a phased spawn plan that respects hard agent dependencies.
+     * Use this when spawning multiple agents for a swarm task.
+     */
+    getSpawnPlan(agentNames) {
+        if (!this.dependencyGraph)
+            return { phases: [agentNames], warnings: [], unsatisfiedHardDeps: [] };
+        return createSpawnPlan(agentNames, this.dependencyGraph);
+    }
+    /**
+     * Get the dependency graph for the agent fleet.
+     */
+    getDependencyGraph() {
+        return this.dependencyGraph;
+    }
+    // ============================================================================
     // Work Stealing
     // ============================================================================
     enableWorkStealing() {
@@ -394,6 +446,29 @@ export class QueenCoordinator {
         if (!this.agentCoordinator.canSpawn()) {
             return err(new Error('Maximum concurrent agents reached (15)'));
         }
+        // Issue #342 Item 1: Pre-spawn MCP validation (advisory only — never blocks).
+        // Check dependency graph nodes in this domain for declared MCP server requirements.
+        if (this.dependencyGraph && this.availableMcpServers.length > 0) {
+            try {
+                // Find agents in this domain that have MCP server declarations
+                for (const [, node] of this.dependencyGraph.nodes) {
+                    const mcpDeps = node.dependencies.mcpServers;
+                    if (!mcpDeps || mcpDeps.length === 0)
+                        continue;
+                    const missing = mcpDeps
+                        .filter(s => s.required && !this.availableMcpServers.includes(s.name));
+                    if (missing.length > 0) {
+                        logger.warn(`Pre-spawn MCP advisory: ${node.agentName} needs ${missing.map(m => m.name).join(', ')}`, {
+                            agent: node.agentName, domain, missing: missing.map(m => m.name),
+                        });
+                        break; // Log once per spawn, not per agent
+                    }
+                }
+            }
+            catch {
+                // Advisory validation must never block spawning
+            }
+        }
         const result = await this.agentCoordinator.spawn({
             name: `${domain}-${type}-${Date.now()}`, domain, type, capabilities,
         });
@@ -738,6 +813,7 @@ export class QueenCoordinator {
             get tierSelector() { return self.tierSelector; },
             get traceCollector() { return self.traceCollector; },
             taskTraceContexts: self.taskTraceContexts,
+            get coExecutionRepo() { return self.coExecutionRepo; },
             requestAgentSpawn: (d, t, c) => self.requestAgentSpawn(d, t, c),
             publishEvent: (t, p) => self.publishEvent(t, p),
             getDomainLoad: (d) => self.getDomainLoad(d),

package/dist/coordination/queen-task-management.d.ts

@@ -7,6 +7,7 @@ import type { DomainName, Priority, Result } from '../shared/types';
 import type { AgentCoordinator, DomainPlugin } from '../kernel/interfaces';
 import type { TaskAuditLogger } from './services';
 import type { QueenRouterAdapter } from '../routing/queen-integration.js';
+import type { CoExecutionRepository } from '../routing/co-execution-repository.js';
 import type { DomainBreakerRegistry } from './circuit-breaker/index.js';
 import type { DomainTeamManager } from './agent-teams/domain-team-manager.js';
 import type { TierSelector } from './fleet-tiers/index.js';
@@ -41,6 +42,7 @@ export interface QueenTaskContext {
     readonly tierSelector: TierSelector | null;
     readonly traceCollector: TraceCollector | null;
     readonly taskTraceContexts: Map<string, TraceContext>;
+    readonly coExecutionRepo: CoExecutionRepository | null;
     requestAgentSpawn(domain: DomainName, type: string, capabilities: string[]): Promise<Result<string, Error>>;
     publishEvent(type: string, payload: Record<string, unknown>): Promise<void>;
     getDomainLoad(domain: DomainName): number;

package/dist/coordination/queen-task-management.js

@@ -310,6 +310,16 @@ async function handleTaskCompletionCallback(ctx, result) {
     }
     // CC-002: Decrement running task counter
     ctx.runningTaskCounter = Math.max(0, ctx.runningTaskCounter - 1);
+    // Issue #342 Item 3: Record co-execution behavioral data for all agents in this task.
+    // This feeds the behavioral signal into the signal merger for future routing decisions.
+    if (ctx.coExecutionRepo && execution.assignedAgents.length >= 2) {
+        try {
+            ctx.coExecutionRepo.recordSwarmCoExecution(execution.assignedAgents, execution.assignedDomain || 'unknown', result.success, execution.task.type);
+        }
+        catch {
+            // Non-blocking: behavioral recording failure should not affect task completion
+        }
+    }
     // Stop assigned agents
     for (const agentId of execution.assignedAgents) {
         await ctx.agentCoordinator.stop(agentId);

package/dist/coordination/queen-types.d.ts

@@ -9,6 +9,7 @@ import type { DomainBreakerRegistry } from './circuit-breaker/index.js';
 import type { DomainTeamManager } from './agent-teams/domain-team-manager.js';
 import type { TierSelector } from './fleet-tiers/index.js';
 import type { TraceCollector } from './agent-teams/tracing.js';
+import type { DependencyGraphResult, SpawnPlan } from '../routing/agent-dependency-graph.js';
 import type { HypothesisManager } from './competing-hypotheses/index.js';
 import type { FederationMailbox } from './federation/index.js';
 import type { DynamicScaler } from './dynamic-scaling/index.js';
@@ -155,6 +156,8 @@ export interface IQueenCoordinator {
     getHypothesisManager(): HypothesisManager | null;
     getFederationMailbox(): FederationMailbox | null;
     getDynamicScaler(): DynamicScaler | null;
+    getSpawnPlan(agentNames: string[]): SpawnPlan;
+    getDependencyGraph(): DependencyGraphResult | null;
 }
 export interface TaskFilter {
     status?: TaskExecution['status'];

package/dist/coordination/task-executor.js

@@ -15,6 +15,7 @@
 import { v4 as uuidv4 } from 'uuid';
 import { toErrorMessage } from '../shared/error-utils.js';
 import { createResultSaver } from './result-saver';
+import { createLogger } from '../logging/logger-factory.js';
 // ADR-051: Agent Booster integration for Tier 0 tasks
 import { createAgentBoosterAdapter, } from '../integrations/agentic-flow/agent-booster';
 // ADR-051: Task Router for outcome recording
@@ -23,6 +24,7 @@ import { getTaskRouter } from '../mcp/services/task-router';
 import { DomainServiceRegistry, ServiceKeys } from '../shared/domain-service-registry';
 // Handler registration functions (extracted from the monolithic registerHandlers)
 import { registerTestExecutionHandlers, registerCoverageHandlers, registerSecurityHandlers, registerQualityHandlers, registerRequirementsHandlers, registerCodeIntelligenceHandlers, registerMiscHandlers, } from './handlers/index';
+const logger = createLogger('TaskExecutor');
 // ============================================================================
 // CQ-005: Domain Service Resolution via Registry (no coordination -> domains imports)
 // Domain modules register their factories in their index.ts files.
@@ -339,7 +341,7 @@ export class DomainTaskExecutor {
                 const boosterResult = await this.executeWithAgentBooster(task, startTime, domain);
                 if (boosterResult) {
                     // Agent Booster succeeded - record outcome and return
-                    this.recordOutcome(task, 0, true, Date.now() - startTime).catch(() => { });
+                    this.recordOutcome(task, 0, true, Date.now() - startTime).catch((e) => { logger.warn('recordOutcome failed', { error: e instanceof Error ? e.message : String(e), taskId: task.id }); });
                     await this.publishTaskCompleted(task.id, boosterResult.data, domain);
                     return boosterResult;
                 }
@@ -355,7 +357,7 @@ export class DomainTaskExecutor {
                     duration: Date.now() - startTime,
                     domain,
                 };
-                this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch(() => { });
+                this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch((e) => { logger.warn('recordOutcome failed', { error: e instanceof Error ? e.message : String(e), taskId: task.id }); });
                 return result;
             }
             // Execute with timeout
@@ -367,7 +369,7 @@ export class DomainTaskExecutor {
                 const errorMsg = 'error' in result ? result.error.message : 'Unknown error';
                 await this.publishTaskFailed(task.id, errorMsg, domain);
                 // ADR-051: Record failed outcome
-                this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch(() => { });
+                this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch((e) => { logger.warn('recordOutcome failed', { error: e instanceof Error ? e.message : String(e), taskId: task.id }); });
                 return {
                     taskId: task.id,
                     success: false,
@@ -378,7 +380,7 @@ export class DomainTaskExecutor {
             }
             await this.publishTaskCompleted(task.id, result.value, domain);
             // ADR-051: Record successful outcome
-            this.recordOutcome(task, routingTier, true, Date.now() - startTime).catch(() => { });
+            this.recordOutcome(task, routingTier, true, Date.now() - startTime).catch((e) => { logger.warn('recordOutcome failed', { error: e instanceof Error ? e.message : String(e), taskId: task.id }); });
             // Save results to files if enabled
             let savedFiles;
             if (this._config.saveResults) {
@@ -417,7 +419,7 @@ export class DomainTaskExecutor {
             const errorMessage = toErrorMessage(error);
             await this.publishTaskFailed(task.id, errorMessage, domain);
             // ADR-051: Record failed outcome
-            this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch(() => { });
+            this.recordOutcome(task, routingTier, false, Date.now() - startTime).catch((e) => { logger.warn('recordOutcome failed', { error: e instanceof Error ? e.message : String(e), taskId: task.id }); });
             return {
                 taskId: task.id,
                 success: false,

package/dist/domains/security-compliance/services/scanners/sast-scanner.d.ts

@@ -20,9 +20,33 @@ export declare class SASTScanner {
      */
     scanFiles(files: FilePath[]): Promise<Result<SASTResult>>;
     /**
-     * Scan with specific rule sets
+     * Scan with specific rule sets.
+     * Runs pattern-based scanning and semgrep (when available) in parallel,
+     * then merges and deduplicates results.
      */
     scanWithRules(files: FilePath[], ruleSetIds: string[]): Promise<Result<SASTResult>>;
+    /**
+     * Run pattern-based scanning on all files
+     */
+    private runPatternScanning;
+    /**
+     * Run semgrep scanning when enabled and available.
+     * Returns converted vulnerabilities or empty array on failure/unavailability.
+     */
+    private runSemgrepScanning;
+    /**
+     * Resolve the common parent directory from a set of file paths
+     */
+    private resolveTargetDirectory;
+    /**
+     * Map semgrep OWASP category string to VulnerabilityCategory
+     */
+    private mapSemgrepCategory;
+    /**
+     * Merge pattern-based and semgrep vulnerabilities, deduplicating
+     * findings that overlap on the same file and line.
+     */
+    private mergeVulnerabilities;
     /**
      * Get available rule sets
      */

package/dist/domains/security-compliance/services/scanners/sast-scanner.js

@@ -7,6 +7,7 @@ import { ok, err } from '@shared/types/index.js';
 import { ALL_SECURITY_PATTERNS, BUILT_IN_RULE_SETS } from './security-patterns.js';
 import { toError } from '@shared/error-utils.js';
 import { safeJsonParse } from '@shared/safe-json.js';
+import { isSemgrepAvailable, runSemgrepWithRules, convertSemgrepFindings, } from '../semgrep-integration.js';
 // ============================================================================
 // SAST Scanner Service
 // ============================================================================
@@ -35,7 +36,9 @@ export class SASTScanner {
         return this.scanWithRules(files, this.config.defaultRuleSets);
     }
     /**
-     * Scan with specific rule sets
+     * Scan with specific rule sets.
+     * Runs pattern-based scanning and semgrep (when available) in parallel,
+     * then merges and deduplicates results.
      */
     async scanWithRules(files, ruleSetIds) {
         const scanId = uuidv4();
@@ -50,22 +53,23 @@ export class SASTScanner {
             if (ruleSets.length === 0) {
                 return err(new Error(`No valid rule sets found: ${ruleSetIds.join(', ')}`));
             }
-            // Perform static analysis on each file
-            const vulnerabilities = [];
-            let linesScanned = 0;
-            for (const file of files) {
-                const fileVulns = await this.analyzeFile(file, ruleSets);
-                vulnerabilities.push(...fileVulns.vulnerabilities);
-                linesScanned += fileVulns.linesScanned;
-            }
+            // Run pattern-based scanning and semgrep in parallel
+            const [patternResult, semgrepVulns] = await Promise.all([
+                this.runPatternScanning(files, ruleSets),
+                this.runSemgrepScanning(files, ruleSetIds),
+            ]);
+            // Merge pattern-based and semgrep findings, deduplicating by file+line
+            const vulnerabilities = this.mergeVulnerabilities(patternResult.vulnerabilities, semgrepVulns);
+            const linesScanned = patternResult.linesScanned;
             const scanDurationMs = Date.now() - startTime;
             // Calculate summary
             const summary = this.calculateSummary(vulnerabilities, files.length, scanDurationMs);
-            // Calculate coverage
+            // Calculate coverage — include semgrep rules when they ran
+            const patternRules = ruleSets.reduce((acc, rs) => acc + rs.ruleCount, 0);
             const coverage = {
                 filesScanned: files.length,
                 linesScanned,
-                rulesApplied: ruleSets.reduce((acc, rs) => acc + rs.ruleCount, 0),
+                rulesApplied: patternRules + (semgrepVulns.length > 0 ? semgrepVulns.length : 0),
             };
             // Store scan results in memory
             await this.storeScanResults(scanId, 'sast', vulnerabilities, summary);
@@ -82,6 +86,131 @@ export class SASTScanner {
             return err(toError(error));
         }
     }
+    /**
+     * Run pattern-based scanning on all files
+     */
+    async runPatternScanning(files, ruleSets) {
+        const vulnerabilities = [];
+        let linesScanned = 0;
+        for (const file of files) {
+            const fileVulns = await this.analyzeFile(file, ruleSets);
+            vulnerabilities.push(...fileVulns.vulnerabilities);
+            linesScanned += fileVulns.linesScanned;
+        }
+        return { vulnerabilities, linesScanned };
+    }
+    /**
+     * Run semgrep scanning when enabled and available.
+     * Returns converted vulnerabilities or empty array on failure/unavailability.
+     */
+    async runSemgrepScanning(files, ruleSetIds) {
+        if (!this.config.enableSemgrep) {
+            return [];
+        }
+        try {
+            const available = await isSemgrepAvailable();
+            if (!available) {
+                return [];
+            }
+            // Determine target directory from files (use common parent)
+            const targetDir = this.resolveTargetDirectory(files);
+            const semgrepResult = await runSemgrepWithRules(targetDir, ruleSetIds);
+            if (!semgrepResult.success || semgrepResult.findings.length === 0) {
+                return [];
+            }
+            // Convert semgrep findings to our Vulnerability format
+            const converted = convertSemgrepFindings(semgrepResult.findings);
+            return converted.map(f => ({
+                id: uuidv4(),
+                cveId: undefined,
+                title: f.title,
+                description: `[semgrep] ${f.description}`,
+                severity: f.severity,
+                category: this.mapSemgrepCategory(f.owaspCategory),
+                location: {
+                    file: f.file,
+                    line: f.line,
+                    column: f.column,
+                    snippet: f.snippet,
+                },
+                remediation: {
+                    description: f.remediation,
+                    estimatedEffort: 'moderate',
+                    automatable: false,
+                },
+                references: f.references,
+            }));
+        }
+        catch {
+            // Semgrep failure is non-fatal — pattern scanning still covers us
+            return [];
+        }
+    }
+    /**
+     * Resolve the common parent directory from a set of file paths
+     */
+    resolveTargetDirectory(files) {
+        if (files.length === 0)
+            return '.';
+        if (files.length === 1)
+            return files[0].directory || '.';
+        // Find common prefix of all directories
+        const dirs = files.map(f => f.directory || '.');
+        const first = dirs[0];
+        let commonLen = first.length;
+        for (let i = 1; i < dirs.length; i++) {
+            const dir = dirs[i];
+            const maxLen = Math.min(commonLen, dir.length);
+            let j = 0;
+            while (j < maxLen && first[j] === dir[j])
+                j++;
+            commonLen = j;
+        }
+        const common = first.substring(0, commonLen);
+        // Trim to last path separator
+        const lastSep = common.lastIndexOf('/');
+        return lastSep > 0 ? common.substring(0, lastSep) : common || '.';
+    }
+    /**
+     * Map semgrep OWASP category string to VulnerabilityCategory
+     */
+    mapSemgrepCategory(owaspCategory) {
+        if (!owaspCategory)
+            return 'injection';
+        const categoryMap = {
+            'A01': 'access-control',
+            'A02': 'sensitive-data',
+            'A03': 'injection',
+            'A04': 'insecure-deserialization',
+            'A05': 'security-misconfiguration',
+            'A06': 'vulnerable-components',
+            'A07': 'broken-auth',
+            'A08': 'insecure-deserialization',
+            'A09': 'insufficient-logging',
+            'A10': 'xxe',
+        };
+        // Try exact match or prefix match (e.g. "A03:2021-Injection")
+        for (const [key, value] of Object.entries(categoryMap)) {
+            if (owaspCategory.startsWith(key))
+                return value;
+        }
+        return 'injection';
+    }
+    /**
+     * Merge pattern-based and semgrep vulnerabilities, deduplicating
+     * findings that overlap on the same file and line.
+     */
+    mergeVulnerabilities(patternVulns, semgrepVulns) {
+        if (semgrepVulns.length === 0)
+            return patternVulns;
+        if (patternVulns.length === 0)
+            return semgrepVulns;
+        // Build a set of file:line keys from pattern results
+        const patternKeys = new Set(patternVulns.map(v => `${v.location.file}:${v.location.line ?? 0}:${v.category}`));
+        // Only add semgrep findings that don't overlap with pattern findings
+        const uniqueSemgrep = semgrepVulns.filter(v => !patternKeys.has(`${v.location.file}:${v.location.line ?? 0}:${v.category}`));
+        return [...patternVulns, ...uniqueSemgrep];
+    }
     /**
      * Get available rule sets
      */

package/dist/domains/security-compliance/services/scanners/scanner-types.d.ts

@@ -19,6 +19,8 @@ export interface SecurityScannerConfig {
     enableLLMAnalysis: boolean;
     /** ADR-051: Model tier for LLM calls (1=Haiku, 2=Sonnet, 4=Opus) */
     llmModelTier: number;
+    /** Enable semgrep integration when semgrep is installed (default: true) */
+    enableSemgrep: boolean;
 }
 /**
  * Dependencies for SecurityScannerService

package/dist/domains/security-compliance/services/scanners/scanner-types.js

@@ -11,5 +11,6 @@ export const DEFAULT_CONFIG = {
     dastActiveScanning: false,
     enableLLMAnalysis: true, // On by default - opt-out (ADR-051)
     llmModelTier: 4, // Opus for security analysis (needs expert reasoning)
+    enableSemgrep: true, // Use semgrep when installed for real SAST
 };
 //# sourceMappingURL=scanner-types.js.map