circle-ir-ai 1.3.1 → 1.4.1

package/LICENSE

@@ -1,15 +1,120 @@
-ISC License
+PolyForm Noncommercial License 1.0.0
 
-Copyright (c) 2025 Cognium Labs
+<https://polyformproject.org/licenses/noncommercial/1.0.0>
 
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
+Required Notice: Copyright (c) 2025 Cognium Labs
 
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
+Acceptance
+
+To obtain any license under these terms, you must agree to them as both
+strict obligations and conditions to all your licenses.
+
+Copyright License
+
+The licensor grants you a copyright license for the software to do
+everything you might do with the software that would otherwise infringe
+the licensor's copyright in it for any permitted purpose. However, you
+may only distribute the software according to Distribution License and
+make changes or new works based on the software according to Changes and
+New Works License.
+
+Distribution License
+
+The licensor grants you an additional copyright license to distribute
+copies of the software. Your license to distribute covers distributing
+the software with changes and new works permitted by Changes and New
+Works License.
+
+Notices
+
+You must ensure that anyone who gets a copy of any part of the software
+from you also gets a copy of these terms or the URL for them above, as
+well as copies of any plain-text lines beginning with Required Notice:
+that the licensor provided with the software. For example:
+
+  Required Notice: Copyright (c) 2025 Cognium Labs
+
+Changes and New Works License
+
+The licensor grants you an additional copyright license to make changes
+and new works based on the software for any permitted purpose.
+
+Patent License
+
+The licensor grants you a patent license for the software that covers
+patent claims the licensor can license, or becomes able to license, that
+you would infringe by using the software.
+
+Noncommercial Purposes
+
+Any noncommercial purpose is a permitted purpose.
+
+Personal Uses
+
+Personal use for research, experiment, and testing for the benefit of
+public knowledge, personal study, private entertainment, hobby projects,
+amateur pursuits, or religious observance, without any anticipated
+commercial application, is use for a permitted purpose.
+
+Noncommercial Organizations
+
+Use by any charitable organization, educational institution, public
+research organization, public safety or health organization,
+environmental protection organization, or government institution is use
+for a permitted purpose regardless of the source of funding or
+obligations resulting from the funding.
+
+Fair Use
+
+You may have "fair use" rights for the software under the law. These
+terms do not limit them.
+
+No Other Rights
+
+These terms do not allow you to sublicense or transfer any of your
+licenses to anyone else, or prevent the licensor from granting licenses
+to anyone else. These terms do not imply any other licenses.
+
+Patent Defense
+
+If you make any written claim that the software infringes or contributes
+to infringement of any patent, your patent license for the software
+granted under these terms ends immediately. If your company makes such a
+claim, your patent license ends immediately for work on behalf of your
+company.
+
+Violations
+
+The first time you are notified in writing that you have violated any of
+these terms, or done anything with the software not covered by your
+licenses, your licenses can nonetheless continue if you come into full
+compliance with these terms, and take practical steps to correct past
+violations, within 32 days of receiving notice. Otherwise, all your
+licenses end immediately.
+
+No Liability
+
+As far as the law allows, the software comes as is, without any warranty
+or condition, and the licensor will not be liable to you for any damages
+arising out of these terms or the use or nature of the software, under
+any kind of legal claim.
+
+Definitions
+
+The licensor is the individual or entity offering these terms, and the
+software is the software the licensor makes available under these terms.
+
+You refers to the individual or entity agreeing to these terms.
+
+Your company is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control
+over, are under the control of, or are under common control with that
+organization. Control means ownership of substantially all the assets of
+an entity, or the power to direct its management and policies by vote,
+contract, or otherwise. Control can be direct or indirect.
+
+Your licenses are all the licenses granted to you for the software under
+these terms.
+
+Use means anything you do with the software requiring one of your
+licenses.

package/README.md

@@ -1,19 +1,17 @@
 # circle-ir-ai
 
-LLM-enhanced static analysis built on [circle-ir](https://github.com/cognitim/circle-ir). Provides CLI tools, AI-powered vulnerability verification, and comprehensive security analysis.
+LLM-enhanced static analysis built on [circle-ir](https://github.com/cogniumhq/circle-ir). Provides CLI tools, AI-powered vulnerability verification, and comprehensive security analysis.
 
 ## Features
 
 - **Multi-Language Support**: Java, JavaScript/TypeScript, Python, Rust
-- **LLM Verification**: Verify exploitability of detected vulnerabilities
-- **Pattern Discovery**: Discover sources/sinks beyond YAML patterns
+- **LLM Discovery**: Discover vulnerabilities beyond static patterns via LLM
 - **Cross-File Analysis**: Track taint across file boundaries
-- **AI Skills Analysis**: Security analysis for AI agent skills (OpenClaw, MCP servers)
+- **AI Skills Analysis**: Security analysis for AI agent skills (MCP servers)
 - **Security Scanning**: OWASP Top 10 mapping with trend tracking
 - **Dead Code Detection**: Find unreachable code via call graph analysis
 - **Secret Scanning**: Detect secrets in code and Git history
 - **Health Scoring**: Calculate overall codebase health
-- **Benchmark Suite**: OWASP, Juliet, SecuriBench, CWE-Bench test runners
 
 ## Installation
 
@@ -21,316 +19,196 @@ LLM-enhanced static analysis built on [circle-ir](https://github.com/cognitim/ci
 npm install circle-ir-ai circle-ir
 ```
 
-## Quick Start
-
-### CLI
+## CLI
 
 ```bash
-# Analyze a single file
-circle-ir-ai src/App.java
-
-# Analyze with LLM verification
-circle-ir-ai src/App.java --llm
-
-# Analyze a directory (auto-parallelized)
-circle-ir-ai ./src --threads 20
-
-# Security scan with OWASP Top 10 mapping
-circle-ir-ai scan ./src
-
-# Detect dead/unreachable code
-circle-ir-ai dead-code ./src
-
-# Scan for secrets
-circle-ir-ai secrets ./src
-
-# Calculate codebase health score
-circle-ir-ai health ./src
-
-# Run OWASP Benchmark
-circle-ir-ai benchmark ./testcode --expected ./expected.csv
-
-# Analyze AI Skills (OpenClaw, MCP servers)
-circle-ir-ai analyze-skill ./my-skill
-circle-ir-ai analyze-skill ./my-skill --format json -o report.json
+circle-ir-ai src/App.java                # Analyze a single file
+circle-ir-ai src/App.java --llm          # With LLM verification
+circle-ir-ai ./src --threads 20          # Analyze directory (parallelized)
+circle-ir-ai scan ./src                  # Security scan (OWASP Top 10)
+circle-ir-ai dead-code ./src             # Dead code detection
+circle-ir-ai secrets ./src               # Secret scanning
+circle-ir-ai health ./src                # Codebase health score
+circle-ir-ai analyze-skill ./my-skill    # AI skill security analysis
 ```
 
-### AI Skills Analysis
-
-Analyze AI agent skills for security issues and capability mismatches. Supports OpenClaw skills and MCP servers.
+Options: `--format json|summary|sarif`, `-o <file>`, `--threads <n>`, `--llm`, `-q`
 
-**CLI Usage:**
+### LLM CLI Flags
 
 ```bash
-# Analyze a skill directory
-circle-ir-ai analyze-skill ./my-skill
-
-# With JSON output
-circle-ir-ai analyze-skill ./my-skill --format json -o report.json
-
-# With markdown report
-circle-ir-ai analyze-skill ./my-skill --format markdown -o SECURITY.md
-
-# Filter by severity and confidence
-circle-ir-ai analyze-skill ./my-skill --min-severity high --min-confidence 0.8
-```
-
-**What it analyzes:**
-
-- `SKILL.md` - Natural language instructions (extracts declared capabilities)
-- Code files (`.ts`, `.js`, `.py`, `.java`, `.rs`) - Actual implementation
-- `mcp-server.json` - MCP server configuration (if present)
-- Cross-artifact analysis - Detects capability mismatches between documentation and code
-
-**Output:**
-
-```
-================================================================================
-SKILL ANALYSIS REPORT: github-reader
-================================================================================
-
-Skill ID:       github-reader-001
-Version:        1.0.0
-Trust Score:    22.0% 🚨
-Findings:       13
-Analysis Time:  21.84s
-
-CRITICAL FINDINGS (1)
-────────────────────────────────────────────────────────────────────────────────
-
-1. Server-Side Request Forgery (CWE-918) not declared
-   Type:       capability_mismatch
-   Artifact:   src/index.ts
-   Confidence: 90%
-   Description: The code performs outbound HTTP requests via `https.request()`
-                but SKILL.md does not list any such sink.
-
-RECOMMENDATIONS
-────────────────────────────────────────────────────────────────────────────────
-
-1. Update SKILL.md to accurately describe all capabilities
-2. Add input validation and sanitization
-```
-
-**Trust Score Interpretation:**
-
-- `90-100%` ✅ - High trust, minimal issues
-- `70-89%` ⚠️ - Medium trust, some concerns
-- `50-69%` ❌ - Low trust, significant issues
-- `<50%` 🚨 - Critical issues, do not deploy
-
-**Programmatic API:**
-
-```typescript
-import { analyzeSkillBundle } from 'circle-ir-ai/skills';
-
-const result = await analyzeSkillBundle('./my-skill', {
-  enableCrossArtifact: true,    // Detect capability mismatches
-  enableVerification: true,      // LLM verification
-  minConfidence: 0.7,
-  minSeverity: 'medium',
-  onProgress: (status) => console.log(status.message),
-});
-
-console.log(`Trust Score: ${result.score}`);
-console.log(`Findings: ${result.findings.length}`);
-console.log(`Recommendations: ${result.recommendations.join('\n')}`);
+circle-ir-ai ./src --llm                           # Enable LLM enrichment + verification
+circle-ir-ai ./src --llm-enrich                    # LLM enrichment only
+circle-ir-ai ./src --llm-verify                    # LLM verification only
+circle-ir-ai ./src --llm --llm-model gpt-4o        # Override model
+circle-ir-ai ./src --llm --llm-base-url <url>      # Override API base URL
+circle-ir-ai ./src --llm --llm-api-key <key>       # Override API key
 ```
 
-**Key Features:**
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--llm` | Enable both enrichment and verification | off |
+| `--llm-enrich` | Enable LLM source/sink discovery | off |
+| `--llm-verify` | Enable LLM exploitability verification | off |
+| `--llm-base-url <url>` | LLM API base URL (OpenAI-compatible) | `http://localhost:4000/v1` |
+| `--llm-api-key <key>` | LLM API key | `LLM_API_KEY` env var |
+| `--llm-model <model>` | LLM model name | `cognium/gpt-oss-120b` |
 
-- **Multi-Artifact Analysis**: Analyzes SKILL.md + code + MCP config together
-- **Capability Mismatch Detection**: LLM-based semantic comparison between declared and actual behavior
-- **Vulnerability Detection**: Standard taint analysis on code files
-- **Trust Score**: 0.0-1.0 score based on severity-weighted findings
-- **Actionable Recommendations**: Specific guidance for remediation
+CLI flags override environment variables. Any OpenAI-compatible API works (OpenAI, Azure, Ollama, Together, GitHub Models, etc.).
 
-**Production Quality:**
-
-- ✅ **74% false positive reduction** through test file exclusion, validation utility recognition, and timeout fixes
-- ✅ **Real-world validated** on official MCP servers (fetch: 84% trust, filesystem: accurate findings)
-- ✅ **Fast analysis** (~25s for typical skills)
-- ⚠️ Large SKILL.md files (>10KB) may take longer to extract
-
-**Known Limitations:**
-
-- Capability mismatch detection quality depends on LLM model used
-- Trust score may be conservative for complex codebases with many filesystem operations
-
-### Programmatic API
+## Programmatic API
 
 ```typescript
-import { analyze, initAnalyzer } from 'circle-ir';
-import { runHybridAnalysis, applyLLMAnalysis } from 'circle-ir-ai';
+import { initAnalyzer } from 'circle-ir';
+import { analyzeFile } from 'circle-ir-ai';
 
-// Initialize
 await initAnalyzer();
 
-// Run hybrid analysis with LLM
-const result = await runHybridAnalysis(
-  'MyClass.java',
-  code,
-  sources,
-  sinks,
-  types,
-  imports,
-  {
-    enableEnrichment: true,
-    enableVerification: true,
-  }
-);
-
-console.log('Verified vulnerabilities:', result.vulnerabilities);
+const result = await analyzeFile('MyClass.java', code, {
+  language: 'java',
+  enableEnrichment: true,
+  enableVerification: true,
+});
+
+console.log('Findings:', result.findings);
 ```
 
-### Project-Level Analysis
+### Multi-file analysis
 
 ```typescript
 import { analyzeProjectTwoPhase } from 'circle-ir-ai';
 
-const files = [
-  { path: 'src/Controller.java', content: controllerCode },
-  { path: 'src/Service.java', content: serviceCode },
-];
-
 const result = await analyzeProjectTwoPhase(files, 'java', {
   enableEnrichment: true,
   parallelPhase1: true,
   maxConcurrency: 10,
-  enablePhase2: true,
 });
 
 console.log('Cross-file taint flows:', result.crossFileFlows);
 ```
 
-### Security Scanning
+### Security scanning, dead code, secrets, health
 
 ```typescript
-import { scanDirectory, formatScanReport } from 'circle-ir-ai';
+import { scanDirectory, detectDeadCode, scanForSecrets, calculateHealthScore } from 'circle-ir-ai';
 
-const result = await scanDirectory('/path/to/project');
-console.log(formatScanReport(result));
-// Shows vulnerabilities mapped to OWASP Top 10 categories
+const scan = await scanDirectory('/path/to/project');
+const deadCode = await detectDeadCode({ target: '/path/to/project' });
+const secrets = await scanForSecrets('/path/to/project', { scanHistory: true });
+const health = await calculateHealthScore('/path/to/project');
 ```
 
-### Dead Code Detection
+### AI skill analysis
 
 ```typescript
-import { detectDeadCode, formatDeadCodeReport } from 'circle-ir-ai';
+import { analyzeSkillBundle } from 'circle-ir-ai';
 
-const result = await detectDeadCode({
-  target: '/path/to/project',
-  languages: ['javascript', 'typescript'],
+const result = await analyzeSkillBundle('./my-skill', {
+  enableCrossArtifact: true,
+  enableVerification: true,
 });
 
-console.log(formatDeadCodeReport(result));
-// Shows: dead methods, entry points, and LOC with reachability info
+console.log(`Trust Score: ${result.score}`);
+console.log(`Findings: ${result.findings.length}`);
 ```
 
-### Secret Scanning
+## LLM Configuration
 
-```typescript
-import { scanForSecrets, formatSecretReport } from 'circle-ir-ai';
+Configure via environment variables or CLI flags (flags take precedence):
 
-const result = await scanForSecrets('/path/to/project', {
-  scanHistory: true,      // Scan Git history
-  maxCommits: 100,
-  minSeverity: 'medium',
-});
+```bash
+# Environment variables
+export LLM_API_KEY=your-api-key
+export LLM_BASE_URL=http://localhost:4000/v1
+export LLM_ENRICHMENT_MODEL=cognium/gpt-oss-120b   # default (FREE)
 
-console.log(formatSecretReport(result));
+# Or use CLI flags directly
+circle-ir-ai ./src --llm \
+  --llm-base-url https://api.openai.com/v1 \
+  --llm-api-key sk-... \
+  --llm-model gpt-4o
 ```
 
-### Health Scoring
+### Provider Examples
 
-```typescript
-import { calculateHealthScore, formatHealthReport } from 'circle-ir-ai';
+| Provider | `--llm-base-url` | `--llm-model` |
+|----------|-------------------|---------------|
+| Cognium (free) | `http://localhost:4000/v1` | `cognium/gpt-oss-120b` |
+| OpenAI | `https://api.openai.com/v1` | `gpt-4o` |
+| GitHub Models (free) | `https://models.github.ai/inference` | `openai/gpt-5` |
+| Azure OpenAI | `https://YOUR.openai.azure.com/...` | `gpt-4o` |
+| Ollama (local) | `http://localhost:11434/v1` | `llama3` |
+| Together AI | `https://api.together.xyz/v1` | `meta-llama/Llama-3-70b` |
 
-const result = await calculateHealthScore('/path/to/project', {
-  includeSecurity: true,
-  includeSecrets: true,
-  includeDeadCode: true,
-});
+## CI/CD with GitHub Actions
 
-console.log(formatHealthReport(result));
-// Scores: Security 35%, Maintainability 25%, Quality 25%, Performance 15%
-```
+Run LLM-enhanced SAST in CI using [GitHub Models](https://github.com/marketplace?type=models) free tier -- no API keys needed:
 
-## LLM Configuration
+```yaml
+name: SAST Scan
+on: [pull_request]
 
-Set environment variables or pass options:
+permissions:
+  contents: read
+  models: read
 
-```bash
-export LLM_API_KEY=your-api-key
-export LLM_BASE_URL=http://localhost:4000/v1
-```
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
 
-Or in code:
+      - run: npm ci && npm run build
+        working-directory: circle-ir-ai
 
-```typescript
-import { createLLMConfig } from 'circle-ir-ai';
+      # Required: symlink WASM files for tree-sitter
+      - run: ln -s node_modules/circle-ir/dist/wasm wasm
+        working-directory: circle-ir-ai
 
-const config = createLLMConfig({
-  baseUrl: 'http://localhost:4000/v1',
-  apiKey: 'your-api-key',
-});
+      - name: LLM-enhanced SAST scan
+        working-directory: circle-ir-ai
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          node dist/cli/index.js ./src --llm \
+            --llm-base-url https://models.github.ai/inference \
+            --llm-api-key "$GITHUB_TOKEN" \
+            --llm-model openai/gpt-5 \
+            --format json -o sast-results.json
 ```
 
-## CLI Options
-
-```
-circle-ir-ai <file|dir> [options]
-
-Commands:
-  <file|dir>           Analyze file or directory
-  scan <dir>           Security scan with OWASP mapping
-  dead-code <dir>      Detect unreachable code
-  secrets <dir>        Scan for secrets
-  health <dir>         Calculate health score
-  benchmark <dir>      Run benchmark suite
-
-Options:
-  -f, --format <fmt>       Output format: json, summary, sarif
-  -o, --output <file>      Write output to file
-  --llm                    Enable LLM enrichment and verification
-  --llm-enrich             Enable LLM enrichment only
-  --llm-verify             Enable LLM verification only
-  --llm-base-url <url>     LLM proxy URL
-  --llm-api-key <key>      LLM API key
-  --threads <n>            Parallel analysis threads (default: 10)
-  -d, --discover-patterns  Enable dynamic pattern discovery
-  -q, --quiet              Suppress progress messages
-  -h, --help               Show help
-```
+**GitHub Models free tier limits**: `openai/gpt-5` = 50 req/day, `openai/gpt-4o-mini` = 150 req/day. Auth uses the built-in `GITHUB_TOKEN` with `models: read` permission.
 
 ## Benchmark Results
 
-| Benchmark | Score | Details |
-|-----------|-------|---------|
-| **OWASP Benchmark** (Java) | +100% | 1415/1415 perfect |
-| **OWASP BenchmarkPython** | 25.2% | 1230 test cases |
-| **Juliet Test Suite** | +100% | 156/156 perfect |
-| **SecuriBench Micro** | 97.7% TPR | 105/108 vulns, 6.7% FPR |
-| **CWE-Bench-Java** | 81.7% (with LLM) | 98/120 projects (vs CodeQL 22.5%, IRIS+GPT-4 45.8%) |
-| **NodeJS Synthetic** | 100% TPR | 25 test cases, 94.1% Precision |
-| **OWASP NodeGoat** | +100% | 14 tests, 5 vulns detected |
-| **CWE-Bench-Rust** | +100% | 30 test cases (6 CWEs) |
+| Benchmark | Score |
+|-----------|-------|
+| OWASP Benchmark (Java, 1415 tests) | +100% |
+| Juliet Test Suite (156 tests) | +100% |
+| SecuriBench Micro | 97.7% TPR, 6.7% FPR |
+| CWE-Bench-Java (120 CVEs) | 42.5% static, 81.7% +LLM Discovery |
+| NodeJS Synthetic (25 tests) | 100% TPR |
+| CWE-Bench-Rust (30 tests) | 77.8% TPR, 0% FPR |
+
+CWE-Bench-Java reference: CodeQL 22.5%, IRIS+GPT-4 45.8%.
 
 ## Supported Languages
 
-| Language | Extensions | Frameworks |
-|----------|-----------|------------|
-| **Java** | .java | Spring, JAX-RS, Servlet API |
-| **JavaScript** | .js, .jsx, .mjs, .cjs | Express, Fastify, Node.js |
-| **TypeScript** | .ts, .tsx, .mts, .cts | Express, Fastify, Node.js |
-| **Python** | .py | Flask, Django, FastAPI |
-| **Rust** | .rs | Actix-web, Rocket, Axum |
+| Language | Frameworks |
+|----------|------------|
+| Java | Spring, JAX-RS, Servlet API |
+| JavaScript/TypeScript | Express, Fastify, Node.js |
+| Python | Flask, Django, FastAPI |
+| Rust | Actix-web, Rocket, Axum |
 
 ## Related Packages
 
-- **[circle-ir](https://github.com/cognitim/circle-ir)**: Core SAST library
-- **[circle-pack](https://github.com/cognitim/circle-pack)**: Cloudflare Workers API deployment
+- **[circle-ir](https://github.com/cogniumhq/circle-ir)**: Core SAST library (open source, MIT)
 
 ## License
 
-ISC
+PolyForm Noncommercial License 1.0.0 -- free for noncommercial use.
+Commercial use requires a separate license. See [LICENSE](./LICENSE) for details.

package/dist/agents/mastra/agents.d.ts

@@ -90,14 +90,14 @@ export declare const verificationAgent: Agent<"verification-agent", {
 export declare const crossFileAgent: Agent<"cross-file-agent", {
     crossFileTaint: import("@mastra/core/tools").Tool<{
         sourceCode: string;
-        sourceFile: string;
-        targetFile: string;
-        targetCode: string;
         exportedTaint: {
             symbol: string;
             type: string;
             line: number;
         }[];
+        targetFile: string;
+        sourceFile: string;
+        targetCode: string;
         importedSymbols: string[];
     }, {
         taintFlows: Array<{
@@ -178,14 +178,14 @@ export declare const orchestratorAgent: Agent<"orchestrator-agent", {
     }, unknown, unknown, import("@mastra/core/tools").ToolExecutionContext<unknown, unknown, unknown>, "verify-vulnerability", unknown>;
     crossFileTaint: import("@mastra/core/tools").Tool<{
         sourceCode: string;
-        sourceFile: string;
-        targetFile: string;
-        targetCode: string;
         exportedTaint: {
             symbol: string;
             type: string;
             line: number;
         }[];
+        targetFile: string;
+        sourceFile: string;
+        targetCode: string;
         importedSymbols: string[];
     }, {
         taintFlows: Array<{
@@ -266,14 +266,14 @@ export declare const agents: {
     crossFile: Agent<"cross-file-agent", {
         crossFileTaint: import("@mastra/core/tools").Tool<{
             sourceCode: string;
-            sourceFile: string;
-            targetFile: string;
-            targetCode: string;
             exportedTaint: {
                 symbol: string;
                 type: string;
                 line: number;
             }[];
+            targetFile: string;
+            sourceFile: string;
+            targetCode: string;
             importedSymbols: string[];
         }, {
             taintFlows: Array<{
@@ -349,14 +349,14 @@ export declare const agents: {
         }, unknown, unknown, import("@mastra/core/tools").ToolExecutionContext<unknown, unknown, unknown>, "verify-vulnerability", unknown>;
         crossFileTaint: import("@mastra/core/tools").Tool<{
             sourceCode: string;
-            sourceFile: string;
-            targetFile: string;
-            targetCode: string;
             exportedTaint: {
                 symbol: string;
                 type: string;
                 line: number;
             }[];
+            targetFile: string;
+            sourceFile: string;
+            targetCode: string;
             importedSymbols: string[];
         }, {
             taintFlows: Array<{