appsec-agent 2.7.0 → 3.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +57 -18
- package/conf/appsec_agent.yaml +13 -0
- package/dist/bin/agent-run.js +16 -18
- package/dist/bin/agent-run.js.map +1 -1
- package/dist/conf/appsec_agent.yaml +13 -0
- package/dist/src/__tests__/mocks/codex_sdk.d.ts +53 -0
- package/dist/src/__tests__/mocks/codex_sdk.d.ts.map +1 -0
- package/dist/src/__tests__/mocks/codex_sdk.js +8 -0
- package/dist/src/__tests__/mocks/codex_sdk.js.map +1 -0
- package/dist/src/agent_actions.d.ts +22 -2
- package/dist/src/agent_actions.d.ts.map +1 -1
- package/dist/src/agent_actions.js +144 -26
- package/dist/src/agent_actions.js.map +1 -1
- package/dist/src/agent_options.d.ts +43 -83
- package/dist/src/agent_options.d.ts.map +1 -1
- package/dist/src/agent_options.js +237 -280
- package/dist/src/agent_options.js.map +1 -1
- package/dist/src/index.d.ts +1 -0
- package/dist/src/index.d.ts.map +1 -1
- package/dist/src/index.js +7 -1
- package/dist/src/index.js.map +1 -1
- package/dist/src/llm_query.d.ts +4 -43
- package/dist/src/llm_query.d.ts.map +1 -1
- package/dist/src/llm_query.js +4 -145
- package/dist/src/llm_query.js.map +1 -1
- package/dist/src/main.d.ts.map +1 -1
- package/dist/src/main.js +75 -7
- package/dist/src/main.js.map +1 -1
- package/dist/src/mcp_internal.d.ts +13 -0
- package/dist/src/mcp_internal.d.ts.map +1 -0
- package/dist/src/mcp_internal.js +34 -0
- package/dist/src/mcp_internal.js.map +1 -0
- package/dist/src/providers/claude_provider.d.ts +18 -0
- package/dist/src/providers/claude_provider.d.ts.map +1 -0
- package/dist/src/providers/claude_provider.js +27 -0
- package/dist/src/providers/claude_provider.js.map +1 -0
- package/dist/src/providers/claude_role_spec.d.ts +10 -0
- package/dist/src/providers/claude_role_spec.d.ts.map +1 -0
- package/dist/src/providers/claude_role_spec.js +85 -0
- package/dist/src/providers/claude_role_spec.js.map +1 -0
- package/dist/src/providers/codex_model.d.ts +12 -0
- package/dist/src/providers/codex_model.d.ts.map +1 -0
- package/dist/src/providers/codex_model.js +45 -0
- package/dist/src/providers/codex_model.js.map +1 -0
- package/dist/src/providers/codex_provider.d.ts +30 -0
- package/dist/src/providers/codex_provider.d.ts.map +1 -0
- package/dist/src/providers/codex_provider.js +170 -0
- package/dist/src/providers/codex_provider.js.map +1 -0
- package/dist/src/providers/codex_role_spec.d.ts +16 -0
- package/dist/src/providers/codex_role_spec.d.ts.map +1 -0
- package/dist/src/providers/codex_role_spec.js +63 -0
- package/dist/src/providers/codex_role_spec.js.map +1 -0
- package/dist/src/providers/query_message.d.ts +45 -0
- package/dist/src/providers/query_message.d.ts.map +1 -0
- package/dist/src/providers/query_message.js +8 -0
- package/dist/src/providers/query_message.js.map +1 -0
- package/dist/src/providers/resolve_provider.d.ts +10 -0
- package/dist/src/providers/resolve_provider.d.ts.map +1 -0
- package/dist/src/providers/resolve_provider.js +29 -0
- package/dist/src/providers/resolve_provider.js.map +1 -0
- package/dist/src/providers/role_spec.d.ts +39 -0
- package/dist/src/providers/role_spec.d.ts.map +1 -0
- package/dist/src/providers/role_spec.js +8 -0
- package/dist/src/providers/role_spec.js.map +1 -0
- package/dist/src/providers/structured_output.d.ts +21 -0
- package/dist/src/providers/structured_output.d.ts.map +1 -0
- package/dist/src/providers/structured_output.js +61 -0
- package/dist/src/providers/structured_output.js.map +1 -0
- package/dist/src/providers/types.d.ts +18 -0
- package/dist/src/providers/types.d.ts.map +1 -0
- package/dist/src/providers/types.js +15 -0
- package/dist/src/providers/types.js.map +1 -0
- package/dist/src/schemas/fp_adversary_pass.d.ts +188 -0
- package/dist/src/schemas/fp_adversary_pass.d.ts.map +1 -0
- package/dist/src/schemas/fp_adversary_pass.js +258 -0
- package/dist/src/schemas/fp_adversary_pass.js.map +1 -0
- package/dist/src/utils.js +1 -1
- package/dist/src/utils.js.map +1 -1
- package/package.json +4 -4
- package/dist/src/openai_tools.d.ts +0 -26
- package/dist/src/openai_tools.d.ts.map +0 -1
- package/dist/src/openai_tools.js +0 -194
- package/dist/src/openai_tools.js.map +0 -1
package/README.md
CHANGED
|
@@ -98,24 +98,6 @@ The agents can be configured through environment variables and configuration fil
|
|
|
98
98
|
|
|
99
99
|
Configuration file: `conf/appsec_agent.yaml`
|
|
100
100
|
|
|
101
|
-
### Optional: LLM failover (Anthropic → OpenAI)
|
|
102
|
-
|
|
103
|
-
**Failover is off by default.** The agent uses Anthropic only unless you enable failover. When enabled, if the Anthropic call fails (e.g. API outage or rate limit), the agent will retry using the OpenAI API so the parent app gets a single response path.
|
|
104
|
-
|
|
105
|
-
To enable failover, set:
|
|
106
|
-
|
|
107
|
-
- `FAILOVER_ENABLED`: set to `true` to enable (default is disabled).
|
|
108
|
-
- `OPENAI_API_KEY`: your OpenAI API key (required when failover is enabled).
|
|
109
|
-
- `OPENAI_BASE_URL`: (optional) custom OpenAI endpoint.
|
|
110
|
-
- `OPENAI_FALLBACK_MODEL`: (optional) model to use for fallback (e.g. `gpt-4o`); default is `gpt-4o`.
|
|
111
|
-
|
|
112
|
-
**CLI overrides env overrides config.** You can use:
|
|
113
|
-
|
|
114
|
-
- `--failover`: enable failover for this run.
|
|
115
|
-
- `--openai-api-key <key>`: OpenAI API key for this run (overrides `OPENAI_API_KEY`).
|
|
116
|
-
|
|
117
|
-
When failover runs, all agents (simple query, code reviewer, threat modeler, diff reviewer) use the same prompt and system message; tooled agents do not run tools on the fallback path. The response shape is unchanged so the parent app is unaffected.
|
|
118
|
-
|
|
119
101
|
## 🤖 Available Agents
|
|
120
102
|
|
|
121
103
|
### Simple Query Agent (`simple_query_agent`)
|
|
@@ -291,6 +273,63 @@ $ npx agent-run -r pr_adversary --adversarial-context candidates.json --diff-con
|
|
|
291
273
|
|
|
292
274
|
- **`--experiment-enabled`:** adds stricter false-positive instructions for this pass; for `pr_reviewer`, also tightens the initial diff review when your integrator passes this flag.
|
|
293
275
|
|
|
276
|
+
#### Full-repo adversarial false-positive filter (`fp_adversary`, v2.8.0)
|
|
277
|
+
|
|
278
|
+
The Lane-2 counterpart to `pr_adversary`: where `pr_adversary` re-filters PR-scoped findings, `fp_adversary` operates over a whole repository's first-pass `code_reviewer` findings and emits a per-finding **verdict** (`confirm` or `dismiss`) with a numeric 0–1 confidence and a concrete rationale. The output shape is a dedicated `fp_adversary_report` (distinct from `security_review_report`) so the parent app can route low-confidence dismissals to a "pre-dismissed" UI state and auto-dismiss only above an operator-configured confidence threshold.
|
|
279
|
+
|
|
280
|
+
```bash
|
|
281
|
+
# Full-repo false-positive filter — same --adversarial-context flag, distinct input/output schema.
|
|
282
|
+
$ npx agent-run -r fp_adversary --adversarial-context fp_in.json -s ./repo -f json \
|
|
283
|
+
-o fp_adversary_report.json
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
**Input shape** (`findings[].fingerprint` is the round-trip key; the four posture fields and `similar_dismissed` precedent array are all optional but recommended):
|
|
287
|
+
|
|
288
|
+
```json
|
|
289
|
+
{
|
|
290
|
+
"findings": [
|
|
291
|
+
{
|
|
292
|
+
"fingerprint": "fp-sha256-of-cwe-file-snippet-line",
|
|
293
|
+
"id": "SEC-001",
|
|
294
|
+
"title": "SQL injection",
|
|
295
|
+
"file": "src/db.ts",
|
|
296
|
+
"description": "…",
|
|
297
|
+
"severity": "HIGH",
|
|
298
|
+
"confidence": "MEDIUM",
|
|
299
|
+
"cwe_id": "CWE-89"
|
|
300
|
+
}
|
|
301
|
+
],
|
|
302
|
+
"project_summary": "A Next.js SaaS app",
|
|
303
|
+
"security_context": "Prisma ORM with parameterized queries",
|
|
304
|
+
"deployment_context": "Vercel, multi-tenant",
|
|
305
|
+
"developer_context": "PHI handling rules apply to user_data",
|
|
306
|
+
"similar_dismissed": [
|
|
307
|
+
{ "fingerprint": "fp-old", "file": "src/db.ts", "cwe": "CWE-89", "dismissal_reason": "Prisma parameterized query" }
|
|
308
|
+
],
|
|
309
|
+
"metadata": { "project_name": "parent-app" }
|
|
310
|
+
}
|
|
311
|
+
```
|
|
312
|
+
|
|
313
|
+
**Output shape:**
|
|
314
|
+
|
|
315
|
+
```json
|
|
316
|
+
{
|
|
317
|
+
"fp_adversary_report": {
|
|
318
|
+
"verdicts": [
|
|
319
|
+
{
|
|
320
|
+
"fingerprint": "fp-sha256-of-cwe-file-snippet-line",
|
|
321
|
+
"verdict": "dismiss",
|
|
322
|
+
"confidence": 0.92,
|
|
323
|
+
"rationale": "Prisma parameterized query mitigates; no concrete bypass path observed.",
|
|
324
|
+
"cost_usd_estimate": 0.001
|
|
325
|
+
}
|
|
326
|
+
]
|
|
327
|
+
}
|
|
328
|
+
}
|
|
329
|
+
```
|
|
330
|
+
|
|
331
|
+
`fp_adversary` is MCP-aware: passing `--mcp-server-url` exposes `queryFindingsHistory`, `queryImportGraph`, `queryCodebaseGraph`, and `queryRuntimeEnrichment` at runtime so the agent can verify reachability before confirming.
|
|
332
|
+
|
|
294
333
|
**Input file shape** (minimum per finding: `id`, `title`, `file`, `description`):
|
|
295
334
|
|
|
296
335
|
```json
|
package/conf/appsec_agent.yaml
CHANGED
|
@@ -55,6 +55,19 @@ default: &default
|
|
|
55
55
|
output_format: "json"
|
|
56
56
|
max_turns: 15
|
|
57
57
|
verbose: True
|
|
58
|
+
fp_adversary:
|
|
59
|
+
options:
|
|
60
|
+
# v2.8.0 / parent app full-repo Phase 2.5: full-tree adversarial false-positive
|
|
61
|
+
# filter that emits per-finding (fingerprint, verdict, confidence, rationale)
|
|
62
|
+
# verdicts so the parent app can route low-confidence dismissals to a
|
|
63
|
+
# pre_dismissed UI state and auto-dismiss only above the operator-configured
|
|
64
|
+
# threshold. Structured posture inputs (project_summary, security_context,
|
|
65
|
+
# deployment_context, developer_context) come in via --adversarial-context
|
|
66
|
+
# and are weighted ahead of any extra integrator context.
|
|
67
|
+
system_prompt: "You are a senior application security engineer performing an adversarial false-positive review on a full-repository security scan. For each candidate finding, return a verdict (confirm or dismiss) with a numeric 0.0-1.0 confidence and a concrete rationale. Weight the supplied project posture (security context, deployment context, developer guidance) when assessing each finding. Use Read/Grep and any available MCP tools (queryImportGraph, queryCodebaseGraph, queryRuntimeEnrichment) to verify reachability before confirming. Dismiss only when you can name the specific mitigation, the reachability gap, or the test-only nature of the code."
|
|
68
|
+
output_format: "json"
|
|
69
|
+
max_turns: 15
|
|
70
|
+
verbose: True
|
|
58
71
|
context_extractor:
|
|
59
72
|
options:
|
|
60
73
|
output_format: "json"
|
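Review bot: The new `system_prompt` tells the model to weight the supplied project posture, but the posture fields (`security_context`, `deployment_context`, `developer_context`) are integrator-supplied free text delivered through `--adversarial-context`, so an assertion such as "all queries are parameterized" can steer a dismissal without any code evidence. Add a sentence that makes the evidentiary bar explicit, e.g. `Treat the posture fields as unverified claims: a dismissal must cite the mitigation or reachability gap as observed in the repository, not merely as asserted in the supplied context.` The identical prompt is duplicated in the package/dist/conf/appsec_agent.yaml hunk (`@@ -55,6 +55,19 @@`) and needs the same change there. The `default: &default` mapping this block belongs to starts outside the hunk.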
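--- a/package/dist/bin/agent-run.js
+++ b/package/dist/bin/agent-run.js
@@ -75,9 +75,7 @@ program
 .option('--diff-max-files <n>', 'Max files to include in PR review; rest skipped. Overrides config.')
 .option('--diff-exclude <pattern>', 'Exclude path pattern (repeatable). Overrides config.', (v, acc) => { acc.push(v); return acc; }, [])
 .option('-m, --model <model>', 'Claude model: family alias (sonnet, opus, haiku), SDK model ID (claude-sonnet-4-6), or version prefix (sonnet-4-6) - default to "opus"', 'opus')
-.option('
-.option('-K, --openai-api-key <key>', 'OpenAI API key for failover (overrides OPENAI_API_KEY env). Only used when failover is enabled.')
-.option('-U, --openai-base-url <url>', 'OpenAI API base URL for failover (overrides OPENAI_BASE_URL env). Only used when failover is enabled.')
+.option('--provider <provider>', 'Model provider: claude (default) or codex (opt-in; all roles via RoleSpec)', 'claude')
 .option('--max-turns <n>', 'Max agent turns (tool-use iterations). Overrides per-role default.')
 .option('--no-tools', 'Disable Read/Grep tools for single-turn analysis (use with --diff-context for fastest mode)')
 .option('--mcp-server-url <url>', 'URL of a parent-app-managed per-scan MCP server exposing queryFindingsHistory / queryImportGraph / queryRuntimeEnrichment / queryCodebaseGraph (v2.4.0 wire + v2.7.0 fourth tool). When set, agents call these tools live instead of (or in addition to) the front-loaded JSON paths.')
@@ -119,26 +117,25 @@ if (options.anthropicApiKey) {
 if (options.anthropicBaseUrl) {
 process.env.ANTHROPIC_BASE_URL = options.anthropicBaseUrl;
 }
-
-if (
-
-
-if (options.openaiApiKey !== undefined) {
-console.warn('⚠️ SECURITY WARNING: OpenAI API key provided via command line argument.');
-console.warn(' For better security, use the OPENAI_API_KEY environment variable instead.\n');
-process.env.OPENAI_API_KEY = options.openaiApiKey;
-}
-if (options.openaiBaseUrl !== undefined) {
-process.env.OPENAI_BASE_URL = options.openaiBaseUrl;
+const providerId = (options.provider ?? 'claude').toLowerCase().trim();
+if (providerId !== 'claude' && providerId !== 'codex') {
+console.error(`Error: Invalid provider "${options.provider}". Valid values: claude, codex`);
+process.exit(1);
 }
-
+process.env.AGENT_PROVIDER = providerId;
+// Validate model option: provider-aware (Claude aliases/IDs vs Codex/OpenAI ids)
 const FAMILY_ALIASES = ['sonnet', 'opus', 'haiku'];
 const model = options.model.toLowerCase().trim();
-const
+const isClaudeModel = FAMILY_ALIASES.includes(model)
 || model.startsWith('claude-')
 || FAMILY_ALIASES.some(f => model.startsWith(`${f}-`));
+const isCodexModel = model.startsWith('gpt-') || model.startsWith('o');
+const isValidModel = providerId === 'codex' ? (isCodexModel || isClaudeModel) : isClaudeModel;
 if (!isValidModel) {
-
+const hint = providerId === 'codex'
+? 'Codex/OpenAI id (gpt-*, o*) or Claude alias (sonnet, opus, haiku)'
+: 'family alias (sonnet, opus, haiku), SDK model ID (claude-sonnet-4-6), or version prefix (sonnet-4-6)';
+console.error(`Error: Invalid model "${options.model}". Valid formats for ${providerId}: ${hint}`);
 process.exit(1);
 }
 // Prepare args (chunking: CLI overrides config; main will merge with conf)
@@ -246,11 +243,12 @@ if (args.mcp_server_url) {
 'pr_reviewer',
 'code_reviewer',
 'pr_adversary',
+'fp_adversary',
 'finding_validator',
 'code_fixer',
 ]);
 if (!mcpAwareRoles.has(args.role)) {
-console.warn('⚠️ Warning: --mcp-server-url is only consumed by pr_reviewer / code_reviewer / pr_adversary / finding_validator / code_fixer.');
+console.warn('⚠️ Warning: --mcp-server-url is only consumed by pr_reviewer / code_reviewer / pr_adversary / fp_adversary / finding_validator / code_fixer.');
 console.warn(` Current role: ${args.role}. The MCP server config will be ignored.\n`);
 }
 }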
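Review bot: `isCodexModel` in the second hunk accepts any model name that merely begins with the letter `o` (`model.startsWith('o')`), so with `--provider codex` a misspelled alias or an arbitrary `o…` string passes validation and is forwarded to the provider instead of failing fast here; the OpenAI reasoning family is `o` followed by a digit (o1, o3, o4-mini). Tightening it to `const isCodexModel = model.startsWith('gpt-') || /^o\d/.test(model);` keeps those while rejecting the rest, and the `hint` text two lines below (`o*`) should then read `o<digit>*` so the error message matches the check. The `program` option chain and the rest of the script continue outside these hunks.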
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"agent-run.js","sourceRoot":"","sources":["../../bin/agent-run.ts"],"names":[],"mappings":";;AACA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,2CAA6B;AAC7B,yCAAoC;AAEpC,yCAAyC;AACzC,0FAA0F;AAC1F,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC;AAChH,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;AAC9D,MAAM,EAAE,wBAAwB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAEnG,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,uCAAuC,CAAC;KACpD,MAAM,CAAC,mBAAmB,EAAE,gFAAgF,CAAC;KAC7G,MAAM,CAAC,yBAAyB,EAAE,wDAAwD,EAAE,aAAa,CAAC;KAC1G,MAAM,CAAC,mBAAmB,EAAE,0GAA0G,EAAE,oBAAoB,CAAC;KAC7J,MAAM,CAAC,qBAAqB,EAAE,wEAAwE,CAAC;KACvG,MAAM,CAAC,0BAA0B,EAAE,gFAAgF,CAAC;KACpH,MAAM,CAAC,8BAA8B,EAAE,uEAAuE,EAAE,UAAU,CAAC;KAC3H,MAAM,CAAC,+BAA+B,EAAE,sEAAsE,CAAC;KAC/G,MAAM,CAAC,gCAAgC,EAAE,4EAA4E,CAAC;KACtH,MAAM,CAAC,yBAAyB,EAAE,8GAA8G,CAAC;KACjJ,MAAM,CAAC,uBAAuB,EAAE,gFAAgF,CAAC;KACjH,MAAM,CAAC,sBAAsB,EAAE,yEAAyE,CAAC;KACzG,MAAM,CAAC,qBAAqB,EAAE,8EAA8E,CAAC;KAC7G,MAAM,CAAC,yBAAyB,EAAE,mFAAmF,CAAC;KACtH,MAAM,CACL,8BAA8B,EAC9B,mGAAmG,CACpG;KACA,MAAM,CACL,+BAA+B,EAC/B,gHAAgH,CACjH;KACA,MAAM,CACL,qCAAqC,EACrC,kIAAkI,CACnI;KACA,MAAM,CACL,iCAAiC,EACjC,4LAA4L,CAC7L;KACA,MAAM,CACL,iBAAiB,EACjB,4JAA4J,CAC7J;KACA,MAAM,CACL,sBAAsB,EACtB,sGAAsG,CACvG;KACA,MAAM,CAAC,0BAA0B,EAAE,sFAAsF,CAAC;KAC1H,MAAM,CAAC,uBAAuB,EAAE,wEAAwE,CAAC;KACzG,MAAM,CAAC,wBAAwB,EAAE,oDAAoD,CAAC;KACtF,MAAM,CAAC,sBAAsB,EAAE,oEAAoE,CAAC;KACpG,MAAM,CAAC,0BAA0B,EAAE,sDAAsD,EAAE,CAAC,CAAS,EAAE,GAAa,EAAE,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;KAC1J,MAAM,CAAC,qBAAqB,EAAE,wIAAwI,EAAE,MAAM,CAAC;KAC/K,MAAM,
|
|
1
|
+
{"version":3,"file":"agent-run.js","sourceRoot":"","sources":["../../bin/agent-run.ts"],"names":[],"mappings":";;AACA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,2CAA6B;AAC7B,yCAAoC;AAEpC,yCAAyC;AACzC,0FAA0F;AAC1F,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC;AAChH,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;AAC9D,MAAM,EAAE,wBAAwB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAEnG,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CAAC,uCAAuC,CAAC;KACpD,MAAM,CAAC,mBAAmB,EAAE,gFAAgF,CAAC;KAC7G,MAAM,CAAC,yBAAyB,EAAE,wDAAwD,EAAE,aAAa,CAAC;KAC1G,MAAM,CAAC,mBAAmB,EAAE,0GAA0G,EAAE,oBAAoB,CAAC;KAC7J,MAAM,CAAC,qBAAqB,EAAE,wEAAwE,CAAC;KACvG,MAAM,CAAC,0BAA0B,EAAE,gFAAgF,CAAC;KACpH,MAAM,CAAC,8BAA8B,EAAE,uEAAuE,EAAE,UAAU,CAAC;KAC3H,MAAM,CAAC,+BAA+B,EAAE,sEAAsE,CAAC;KAC/G,MAAM,CAAC,gCAAgC,EAAE,4EAA4E,CAAC;KACtH,MAAM,CAAC,yBAAyB,EAAE,8GAA8G,CAAC;KACjJ,MAAM,CAAC,uBAAuB,EAAE,gFAAgF,CAAC;KACjH,MAAM,CAAC,sBAAsB,EAAE,yEAAyE,CAAC;KACzG,MAAM,CAAC,qBAAqB,EAAE,8EAA8E,CAAC;KAC7G,MAAM,CAAC,yBAAyB,EAAE,mFAAmF,CAAC;KACtH,MAAM,CACL,8BAA8B,EAC9B,mGAAmG,CACpG;KACA,MAAM,CACL,+BAA+B,EAC/B,gHAAgH,CACjH;KACA,MAAM,CACL,qCAAqC,EACrC,kIAAkI,CACnI;KACA,MAAM,CACL,iCAAiC,EACjC,4LAA4L,CAC7L;KACA,MAAM,CACL,iBAAiB,EACjB,4JAA4J,CAC7J;KACA,MAAM,CACL,sBAAsB,EACtB,sGAAsG,CACvG;KACA,MAAM,CAAC,0BAA0B,EAAE,sFAAsF,CAAC;KAC1H,MAAM,CAAC,uBAAuB,EAAE,wEAAwE,CAAC;KACzG,MAAM,CAAC,wBAAwB,EAAE,oDAAoD,CAAC;KACtF,MAAM,CAAC,sBAAsB,EAAE,oEAAoE,CAAC;KACpG,MAAM,CAAC,0BAA0B,EAAE,sDAAsD,EAAE,CAAC,CAAS,EAAE,GAAa,EAAE,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;KAC1J,MAAM,CAAC,qBAAqB,EAAE,wIAAwI,EAAE,MAAM,CAAC;KAC/K,MAAM,CACL,uBAAuB,EACvB,4EAA4E,EAC5E,QAAQ,CACT;KACA,MAAM,CAAC,iBAAiB,EAAE,oEAAoE,CAAC;KAC/F,MAAM,CAAC,YAAY,EAAE,6FAA6F,CAAC;KACnH,MAAM,CACL,wBAAwB,EACxB,uRAAuR,CACxR;KACA,MAAM,CACL,0BAA0B,EAC1B,uUAAuU,CACxU
;KACA,MAAM,CAAC,kBAAkB,EAAE,0BAA0B,CAAC;KACtD,MAAM,CAAC,eAAe,EAAE,iBAAiB,CAAC;KAC1C,MAAM,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;AAE3C,OAAO,CAAC,KAAK,EAAE,CAAC;AAEhB,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;AAE/B,sBAAsB;AACtB,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACpB,gBAAgB,EAAE,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,sCAAsC;AACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,mBAAmB,CAAC,CAAC;AAE1F,OAAO,CAAC,GAAG,CAAC,6CAA6C,EAAE,QAAQ,CAAC,CAAC;AACrE,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;AAErD,IAAI,CAAC,QAAQ,EAAE,CAAC;IACd,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;AAEpE,yBAAyB;AACzB,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IACvB,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAC3D,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,uEAAuE;AACvE,yFAAyF;AACzF,0EAA0E;AAC1E,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAC5B,OAAO,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAClF,OAAO,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;IAC7F,OAAO,CAAC,IAAI,CAAC,mFAAmF,CAAC,CAAC;IAClG,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;AAC1D,CAAC;AACD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAC7B,OAAO,CAAC,GAAG,CAAC,kBAAkB,GAAG,OAAO,CAAC,gBAAgB,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;AACvE,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;IACtD,OAAO,CAAC,KAAK,CAAC,4BAA4B,OAAO,CAAC,QAAQ,gCAAgC,CAAC,CAAC;IAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AACD,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,UAAU,CAAC;AAExC,iFAAiF;AACjF,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AACnD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;AACjD,MAAM,aAAa,GACjB,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC;OAC3B,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;OAC3B,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AACzD,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,U
AAU,CAAC,GAAG,CAAC,CAAC;AACvE,MAAM,YAAY,GAAG,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,YAAY,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;AAC9F,IAAI,CAAC,YAAY,EAAE,CAAC;IAClB,MAAM,IAAI,GAAG,UAAU,KAAK,OAAO;QACjC,CAAC,CAAC,mEAAmE;QACrE,CAAC,CAAC,sGAAsG,CAAC;IAC3G,OAAO,CAAC,KAAK,CAAC,yBAAyB,OAAO,CAAC,KAAK,wBAAwB,UAAU,KAAK,IAAI,EAAE,CAAC,CAAC;IACnG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,2EAA2E;AAC3E,MAAM,SAAS,GAAG,wBAAwB,CAAC;IACzC,YAAY,EAAE,OAAO,CAAC,YAAY;IAClC,aAAa,EAAE,OAAO,CAAC,aAAa;CACrC,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG;IACX,IAAI,EAAE,OAAO,CAAC,IAAI;IAClB,WAAW,EAAE,OAAO,CAAC,WAAW;IAChC,OAAO,EAAE,OAAO,CAAC,OAAO;IACxB,WAAW,EAAE,OAAO,CAAC,WAAW;IAChC,aAAa,EAAE,OAAO,CAAC,aAAa;IACpC,OAAO,EAAE,OAAO,CAAC,OAAO;IACxB,OAAO,EAAE,OAAO,CAAC,OAAO;IACxB,YAAY,EAAE,OAAO,CAAC,WAAW;IACjC,WAAW,EAAE,OAAO,CAAC,UAAU;IAC/B,UAAU,EAAE,OAAO,CAAC,SAAS;IAC7B,cAAc,EAAE,OAAO,CAAC,aAAa;IACrC,eAAe,EAAE,OAAO,CAAC,cAAc;IACvC,mBAAmB,EAAE,OAAO,CAAC,kBAAkB;IAC/C,oBAAoB,EAAE,OAAO,CAAC,kBAAkB;IAChD,0BAA0B,EAAE,OAAO,CAAC,wBAAwB;IAC5D,sBAAsB,EAAE,OAAO,CAAC,oBAAoB;IACpD,MAAM,EAAE,OAAO,CAAC,MAAM;IACtB,kBAAkB,EAAE,OAAO,CAAC,iBAAiB,KAAK,IAAI;IACtD,KAAK,EAAE,KAAK;IACZ,yBAAyB,EAAE,OAAO,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;IAChH,gBAAgB,EAAE,OAAO,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;IACzG,cAAc,EAAE,OAAO,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;IACnG,YAAY,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;IACpH,SAAS,EAAE,OAAO,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;IACtF,QAAQ,EAAE,OAAO,CAAC,OAAO,KAAK,IAAI;IAClC,GAAG,SAAS;CACb,CAAC;AAEF,0BAA0B;AAC1B,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAA
C,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACzG,CAAC;AAED,+DAA+D;AAC/D,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,sFAAsF,CAAC,CAAC;QACrG,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,qCAAqC,CAAC,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,oFAAoF,CAAC,CAAC;IACrG,CAAC;AACH,CAAC;AAED,2EAA2E;AAC3E,0EAA0E;AAC1E,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;IAC9B,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC3E,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,2FAA2F,CAAC,CAAC;QAC1G,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,+BAA+B,6CAA6C,CAAC,CAAC;QACpJ,OAAO,CAAC,IAAI,CAAC,qFAAqF,CAAC,CAAC;IACtG,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,kEAAkE;AAClE,qEAAqE;AACrE,IAAI,IAAI,CAAC,0BAA0B,EAAE,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACvF,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;QAChH,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,+BAA+B,mDAAmD,CAAC,CAAC;QAC1J,OAAO,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IAC7F,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,kEAAkE;AAClE,sEAAsE;AACtE,gCAAgC;AAChC,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;IAChC,OAAO,CAAC,GAAG,CAAC,oCAAoC,EAAE,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/E,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;QAC5G,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,+BAA+B,+CAA+C,CAAC,CAAC;QACtJ,OAAO,CAAC,IAAI,CAAC,+FAA+F,CAAC,CAAC;IAChH,CAAC;AACH,CAAC;AAED,kEAAkE;AAClE,oEAAoE;AACpE,eAAe;AACf,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,IAAI,CAAC,IAAI,KAAK,8BAA8B,EAAE,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,yEAAyE,
CAAC,CAAC;QACxF,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,oCAAoC,CAAC,CAAC;QAChF,OAAO,CAAC,IAAI,CAAC,yEAAyE,CAAC,CAAC;IAC1F,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,iEAAiE;AACjE,wEAAwE;AACxE,qEAAqE;AACrE,uEAAuE;AACvE,mDAAmD;AACnD,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1D,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IACvE,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;QAC5B,aAAa;QACb,eAAe;QACf,cAAc;QACd,cAAc;QACd,mBAAmB;QACnB,YAAY;KACb,CAAC,CAAC;IACH,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,CAAC,IAAI,CAAC,+IAA+I,CAAC,CAAC;QAC9J,OAAO,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,4CAA4C,CAAC,CAAC;IAC1F,CAAC;AACH,CAAC;KAAM,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;IAChC,uEAAuE;IACvE,oEAAoE;IACpE,8BAA8B;IAC9B,OAAO,CAAC,IAAI,CACV,yHAAyH,CAC1H,CAAC;AACJ,CAAC;AAED,oBAAoB;AACpB,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,KAAY,EAAE,EAAE;IAC1C,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;IAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
|
@@ -55,6 +55,19 @@ default: &default
|
|
|
55
55
|
output_format: "json"
|
|
56
56
|
max_turns: 15
|
|
57
57
|
verbose: True
|
|
58
|
+
fp_adversary:
|
|
59
|
+
options:
|
|
60
|
+
# v2.8.0 / parent app full-repo Phase 2.5: full-tree adversarial false-positive
|
|
61
|
+
# filter that emits per-finding (fingerprint, verdict, confidence, rationale)
|
|
62
|
+
# verdicts so the parent app can route low-confidence dismissals to a
|
|
63
|
+
# pre_dismissed UI state and auto-dismiss only above the operator-configured
|
|
64
|
+
# threshold. Structured posture inputs (project_summary, security_context,
|
|
65
|
+
# deployment_context, developer_context) come in via --adversarial-context
|
|
66
|
+
# and are weighted ahead of any extra integrator context.
|
|
67
|
+
system_prompt: "You are a senior application security engineer performing an adversarial false-positive review on a full-repository security scan. For each candidate finding, return a verdict (confirm or dismiss) with a numeric 0.0-1.0 confidence and a concrete rationale. Weight the supplied project posture (security context, deployment context, developer guidance) when assessing each finding. Use Read/Grep and any available MCP tools (queryImportGraph, queryCodebaseGraph, queryRuntimeEnrichment) to verify reachability before confirming. Dismiss only when you can name the specific mitigation, the reachability gap, or the test-only nature of the code."
|
|
68
|
+
output_format: "json"
|
|
69
|
+
max_turns: 15
|
|
70
|
+
verbose: True
|
|
58
71
|
context_extractor:
|
|
59
72
|
options:
|
|
60
73
|
output_format: "json"
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Jest stub for @openai/codex-sdk (ESM-only; CI stays mock-only).
|
|
3
|
+
*/
|
|
4
|
+
export declare const Codex: jest.Mock<any, any, any>;
|
|
5
|
+
export type CodexOptions = {
|
|
6
|
+
codexPathOverride?: string;
|
|
7
|
+
baseUrl?: string;
|
|
8
|
+
apiKey?: string;
|
|
9
|
+
config?: Record<string, unknown>;
|
|
10
|
+
env?: Record<string, string>;
|
|
11
|
+
};
|
|
12
|
+
export type Input = string | Array<{
|
|
13
|
+
type: string;
|
|
14
|
+
text?: string;
|
|
15
|
+
path?: string;
|
|
16
|
+
}>;
|
|
17
|
+
export type ThreadOptions = Record<string, unknown>;
|
|
18
|
+
export type TurnOptions = {
|
|
19
|
+
outputSchema?: unknown;
|
|
20
|
+
signal?: AbortSignal;
|
|
21
|
+
};
|
|
22
|
+
export type ThreadEvent = {
|
|
23
|
+
type: 'item.updated';
|
|
24
|
+
item: {
|
|
25
|
+
id: string;
|
|
26
|
+
type: string;
|
|
27
|
+
text?: string;
|
|
28
|
+
};
|
|
29
|
+
} | {
|
|
30
|
+
type: 'item.completed';
|
|
31
|
+
item: {
|
|
32
|
+
id: string;
|
|
33
|
+
type: string;
|
|
34
|
+
text?: string;
|
|
35
|
+
};
|
|
36
|
+
} | {
|
|
37
|
+
type: 'turn.completed';
|
|
38
|
+
usage: {
|
|
39
|
+
input_tokens: number;
|
|
40
|
+
output_tokens: number;
|
|
41
|
+
cached_input_tokens: number;
|
|
42
|
+
reasoning_output_tokens: number;
|
|
43
|
+
};
|
|
44
|
+
} | {
|
|
45
|
+
type: 'turn.failed';
|
|
46
|
+
error: {
|
|
47
|
+
message: string;
|
|
48
|
+
};
|
|
49
|
+
} | {
|
|
50
|
+
type: 'error';
|
|
51
|
+
message: string;
|
|
52
|
+
};
|
|
53
|
+
//# sourceMappingURL=codex_sdk.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"codex_sdk.d.ts","sourceRoot":"","sources":["../../../../src/__tests__/mocks/codex_sdk.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,eAAO,MAAM,KAAK,0BAAY,CAAC;AAE/B,MAAM,MAAM,YAAY,GAAG;IACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAEnF,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACpD,MAAM,MAAM,WAAW,GAAG;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,WAAW,CAAA;CAAE,CAAC;AAE3E,MAAM,MAAM,WAAW,GACnB;IAAE,IAAI,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAC3E;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAC7E;IACE,IAAI,EAAE,gBAAgB,CAAC;IACvB,KAAK,EAAE;QACL,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,uBAAuB,EAAE,MAAM,CAAC;KACjC,CAAC;CACH,GACD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,KAAK,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GACnD;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"codex_sdk.js","sourceRoot":"","sources":["../../../../src/__tests__/mocks/codex_sdk.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEU,QAAA,KAAK,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC"}
|
|
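--- a/package/dist/src/agent_actions.d.ts
+++ b/package/dist/src/agent_actions.d.ts
@@ -82,13 +82,20 @@ export declare class AgentActions {
 */
 simpleQueryClaudeWithOptions(yourPrompt: string, srcDir?: string | null): Promise<string>;
 /**
-* Secure code reviewer with options
+* Secure code reviewer with options.
+*
+* v2.8.0 (B5a fix): MCP params are now threaded through to
+* `getCodeReviewerOptions` so the SDK gets the per-scan MCP server config
+* for full-repo `code_reviewer` runs. Previously the spawn accepted
+* `--mcp-server-name` argv but the agent options never wired the URL,
+* leaving the agent without `queryCodebaseGraph` / `queryImportGraph` /
+* `queryRuntimeEnrichment` / `queryFindingsHistory` access.
 */
 codeReviewerWithOptions(userPrompt: string): Promise<string>;
 /**
 * Threat modeler agent with options
 */
-threatModelerAgentWithOptions(userPrompt: string): Promise<string>;
+threatModelerAgentWithOptions(userPrompt: string, srcDir?: string | null): Promise<string>;
 /**
 * Code fixer agent with structured JSON output.
 * Returns the structured fix JSON and prints cost to stdout.
@@ -118,6 +125,19 @@ export declare class AgentActions {
 * `learned_guidance_synthesis_runs.cost_usd` column.
 */
 learnedGuidanceSynthesizerWithOptions(userPrompt: string): Promise<string>;
+/**
+* fp_adversary (v2.8.0 / parent app full-repo Phase 2.5): batch false-positive
+* filter over first-pass code_reviewer findings. Emits structured JSON
+* matching `FP_ADVERSARY_REPORT_SCHEMA` with per-finding
+* `(fingerprint, verdict, confidence, rationale, cost_usd_estimate?)`.
+*
+* The Claude Agent SDK's `total_cost_usd` is threaded onto every emitted
+* verdict as `cost_usd_estimate` so the parent app can run a
+* deterministic cost-cap accumulator without re-counting tokens. When
+* the SDK omits cost (e.g. error path), the field is absent and the
+* parent app falls back to a conservative per-finding estimate.
+*/
+fpAdversaryWithOptions(userPrompt: string, srcDir?: string | null): Promise<string>;
 /**
 * pr_adversary: batch adversarial pass over candidate findings (structured security report out).
 */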
@@ -1 +1 @@
1
-
{"version":3,"file":"agent_actions.d.ts","sourceRoot":"","sources":["../../src/agent_actions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yGAAyG;IACzG,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6FAA6F;IAC7F,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,yGAAyG;IACzG,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,gJAAgJ;IAChJ,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,+GAA+G;IAC/G,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iFAAiF;IACjF,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;;;;;;;;OAaG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;;;;;;;;OAYG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAOD,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAa;IAC7B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,IAAI,CAAY;IACxB,OAAO,CAAC,mBAAmB,CAA2B;gBAC1C,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS;IAMtE;;OAEG;IACG,4BAA4B,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAiJ/F
1
+
{"version":3,"file":"agent_actions.d.ts","sourceRoot":"","sources":["../../src/agent_actions.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,yGAAyG;IACzG,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,6FAA6F;IAC7F,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,yGAAyG;IACzG,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,gJAAgJ;IAChJ,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,+GAA+G;IAC/G,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iFAAiF;IACjF,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;;;;;;;;OAaG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;;;;;;;;OAYG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAOD,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAa;IAC7B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,IAAI,CAAY;IACxB,OAAO,CAAC,mBAAmB,CAA2B;gBAC1C,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS;IAMtE;;OAEG;IACG,4BAA4B,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAiJ/F;;;;;;;;;OASG;IACG,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuHlE;;OAEG;IACG,6BAA6B,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IA4EhG;;;OAGG;IACG,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IA2DvF;;;OAGG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAqDxF;;;OAGG;IACG,2BAA2B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqDtE;;;OAGG;IACG,2BAA2B,CAAC,UAAU
,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IA2D9F;;;;;;;OAOG;IACG,qCAAqC,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAsEhF;;;;;;;;;;;OAWG;IACG,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAyFzF;;OAEG;IACG,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IA6DzF;;;;OAIG;IACG,uBAAuB,CAC3B,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,EACtB,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE;QAAE,cAAc,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,EACxD,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC;CAsInB"}