codeprobe-scanner 1.0.4 → 1.0.5

package/ORCHESTRATOR_SYNTHESIS.json

@@ -1,80 +0,0 @@
-{
-  "tldr": "CodeProbe MVP concept is sound (exploit verification differentiates from Snyk), but plan contains critical contradictions (Log4Shell cannot work in Node.js), unrealistic timeline (5h vs. 12-24h needed), and zero test infrastructure—recommend human-in-loop revision before build.",
-  "overall_confidence": 75,
-  "min_confidence": 75,
-  "confidence_details": {
-    "eng": 85,
-    "design": 82,
-    "qa": 75,
-    "security": 85
-  },
-  "overall_risk": "high",
-  "has_high_risk": true,
-  "risk_details": {
-    "eng": "high",
-    "design": "high",
-    "qa": "high",
-    "security": "high"
-  },
-  "consensus": "conflict",
-  "consensus_details": {
-    "eng": "revise",
-    "design": "revise",
-    "qa": "revise",
-    "security": "revise"
-  },
-  "any_block": false,
-  "decision": "human_in_loop",
-  "decision_reason": "min_confidence (75) is below auto-approve threshold (8/10). ALL four agents flagged HIGH risk. No agent recommended 'block,' but unanimous 'revise' indicates plan requires material changes before implementation. Specific blockers: (1) Log4Shell CVE incompatible with Node.js demo repo; (2) Sandbox isolation requirement contradicts Log4Shell PoC mechanism (requires LDAP/RMI callback); (3) Timeline is 5h, realistic delivery is 12-24h; (4) Zero test coverage with critical live paths (exploit execution, fallbacks) untested; (5) Security claims about 'user code never third-party' violated by Claude API fallback.",
-  "unanimous_high_confidence": false,
-  "summary_by_agent": {
-    "eng": "Sound concept, but Log4Shell cannot be exploited in Node.js; sandbox isolation vs. exploit mechanism are mutually exclusive; timeline severely underestimated.",
-    "design": "Strong wow moment, but interaction states dangerously incomplete (error, partial, empty, loading duration undefined); dashboard scope (2 full React views) unrealistic for 1 hour; accessibility gaps (color-only, no ARIA); auth/sharing model undefined.",
-    "qa": "MVP has zero test infrastructure; five untested fallback mechanisms (Bright Data, Daytona, Nosana, patch, OAuth) are single-points-of-failure; demo-day relies entirely on pre-recorded video backup and manual rehearsal.",
-    "security": "High-risk findings: (1) Dashboard public without authentication; (2) LLM patch output lacks validation gate; (3) OAuth token encryption key derivation undefined; (4) Sandbox escape risk; (5) Bright Data scraper integrity unchecked. All recommend revise + external security review."
-  },
-  "key_findings": [
-    "CRITICAL: Log4Shell (CVE-2021-44228) is Java/log4j, not Node.js npm-compatible. Demo repo is Node.js-only. Cannot genuinely exploit Log4Shell despite being locked as primary demo CVE. Breaks 50% of 'live exploit verification' wow moment.",
-    "CRITICAL: Sandbox network isolation requirement contradicts Log4Shell PoC mechanism. Log4Shell requires outbound LDAP/RMI callback. Fully isolated sandbox cannot execute. HTTP/2 Rapid Reset (CVE-2023-44487) is only viable demo CVE.",
-    "CRITICAL: Security claim 'user code never sent to third-party APIs (Nosana runs locally)' violated by Claude API fallback. On Nosana unavailability, user code uploads to Anthropic. Dashboard shows 'Powered by Nosana' during fallback, misleading judges.",
-    "CRITICAL: Timeline 5h vs. realistic 12-24h. GitHub App OAuth (2-3h) + Daytona orchestration (2-3h) + dashboard (1-2h) exceeds 5h allocation. Cuts to scope inevitable.",
-    "HIGH: Zero automated tests. Live exploit execution (the core 'wow moment') untested. All five fallback mechanisms (Bright Data, Daytona, Nosana, patch, OAuth) untested. Demo-day failure risk is high if external APIs fail.",
-    "HIGH: Dashboard auth model undefined. Scan results accessible via URL without authentication. Any person with scan URL can view complete CVE details, patches, PoC evidence. Security vulnerability (IDOR/AuthN failures).",
-    "HIGH: Interaction states dangerously incomplete. Error state undefined (Bright Data fails?), partial-result state undefined (sandbox crashes?), empty state undefined (no vulns found?). In security tools, silence is dangerous.",
-    "HIGH: Dashboard scope unrealistic. Two full React views (Technical + Executive) with responsive design, accessibility, error handling in 1 hour. Realistic: 3-5 days for production-ready dashboard.",
-    "HIGH: Patch generation validation missing. Plan targets 80% success rate (PRD §9) with zero harness. No automated check that generated patches compile or actually fix CVE. Nosana prompt uses CodeBERT (encoder, not generative—wrong model named).",
-    "MEDIUM: GitHub bot auto-creates PRs without user approval gate. Plan says 'read access' (Req 5.11) but auto-fix requires write + branch creation. Contradiction in scope.",
-    "MEDIUM: LLM eval suite missing. Nosana/Claude patch generation requires (1) compilation check, (2) vulnerability fix verification (re-run PoC against patched code). Zero test harness.",
-    "MEDIUM: PREFLIGHT_PLAN.md says 'Skip MCP,' but codeprobe-prd.md schedules 'GitHub Bot + MCP' in 15:00-16:00 block. Binding docs contradict.",
-    "MEDIUM: Accessibility gaps. Risk gauge uses color-only encoding (red=high). CVE table has no semantic ARIA. No mobile responsive strategy. Red-green colorblindness breaks usability."
-  ],
-  "auto_approve_eligible": false,
-  "auto_approve_reason_if_eligible": null,
-  "human_in_loop_reason_if_applicable": "Min confidence 75 < 80. Has high risk: YES (all four agents flagged HIGH). Consensus: unanimous 'revise' (no unanimous_approve). Specific blockers require material revision: (1) Fix CVE/repo mismatch, (2) Revise timeline estimate or cut scope, (3) Define critical interaction states (error, partial, empty, loading %), (4) Implement dashboard auth model, (5) Add patch generation validation harness, (6) Prioritize HTTP/2 Rapid Reset over Log4Shell, (7) Resolve security claims about third-party code sending. Recommend human review of revised plan before proceeding to implementation.",
-  "agent_outputs": [
-    {
-      "agent": "Eng Reviewer",
-      "confidence": 85,
-      "risk": "high",
-      "recommendation": "revise"
-    },
-    {
-      "agent": "Design Reviewer",
-      "confidence": 82,
-      "risk": "high",
-      "recommendation": "revise"
-    },
-    {
-      "agent": "QA Reviewer",
-      "confidence": 75,
-      "risk": "high",
-      "recommendation": "revise"
-    },
-    {
-      "agent": "Security Reviewer",
-      "confidence": 85,
-      "risk": "high",
-      "recommendation": "revise"
-    }
-  ]
-}

package/PENDING_WORK.md

@@ -1,308 +0,0 @@
-# CodeProbe: Pending Work Inventory
-
-## Quick Status Summary
-
-```
-FULLY WORKING (Green):  CLI scan, Dashboard views, API server, Parser
-PARTIALLY WORKING (Yellow): Patch application, Bot framework, Scraper (ejs only)
-NOT WORKING (Red):      Real Daytona, Real Nosana, Real Bright Data, Bot scanning
-MOCKED/SIMULATED:       Sandbox exploits (realistic demo), Patch generation
-```
-
-**Overall: 65% Complete** — Ready for demo, needs work for production
-
----
-
-## WHAT'S WORKING ✅
-
-### Frontend (100% Functional)
-- ✅ Dashboard loads at http://localhost:3000
-- ✅ GitHub OAuth login flow
-- ✅ Scans list page (paginated, filtered, sorted)
-- ✅ Scan detail page (risk gauge, CVE list, patch diffs)
-- ✅ Business impact card ($4.9M)
-- ✅ All components render correctly
-- ✅ API calls working (GET /api/scans, /api/scans/{id})
-
-### CLI (95% Functional)
-- ✅ `scan` command — End-to-end working
-- ✅ `report` command — Works
-- ✅ `config` command — Works
-- ✅ JSON output — Works
-- ✅ Verbose logging — Works
-- ❌ `--fix` flag — Creates branch but doesn't apply patches to files
-
-### Backend/API (90% Functional)
-- ✅ API server serves dashboard HTML
-- ✅ API endpoints working (/api/scans, /api/auth)
-- ✅ File-based scan storage working
-- ✅ OAuth integration working
-- ✅ Error handling working
-
-### Engine (Core Pipeline) (80% Functional)
-- ✅ Parser — Reads package.json correctly
-- ✅ Matcher — Matches CVEs to dependencies
-- ✅ Risk scoring — Calculates 0-10 scale
-- ⚠️ Scraper — Works for ejs, empty for others
-- ⚠️ Sandbox — Simulates ejs RCE, realistic output
-- ⚠️ Patcher — Returns pre-baked patches only
-
-### Tests (100% Passing)
-- ✅ 25/25 tests pass
-- ✅ Engine tests pass
-- ✅ CLI tests pass
-- ✅ Dashboard tests pass
-
----
-
-## WHAT'S PENDING (INCOMPLETE) 🔴
-
-### High Priority (Blocks Demo)
-
-| Feature | Issue | Impact | Fix Time |
-|---------|-------|--------|----------|
-| **Patch Application** | --fix creates branch but doesn't modify files | Users can't apply patches | 30 min |
-| **GitHub Bot Scanning** | Bot receives webhooks but doesn't scan repos | Can't scan PRs automatically | 2 hours |
-| **API Authentication** | Dev mode accepts any token; no production auth | Can't deploy to prod securely | 1 hour |
-
-### Medium Priority (Nice to Have for Demo)
-
-| Feature | Issue | Impact | Fix Time |
-|---------|-------|--------|----------|
-| **Real Daytona Integration** | Sandbox exploits are simulated | Can't verify real vulnerabilities | 4 hours |
-| **Real Nosana Integration** | Patches are pre-baked only | No LLM-generated fixes | 4 hours |
-| **Multi-Language Support** | Only Node.js (npm) works | Can't scan Python/Rust/Go/Java repos | 2+ days |
-| **WebSocket Updates** | Dashboard doesn't auto-refresh | No real-time progress | 2 hours |
-
-### Low Priority (Post-Hackathon)
-
-| Feature | Issue | Impact | Fix Time |
-|---------|-------|--------|----------|
-| **Database** | File-based storage only | No persistent history, no scaling | 1 day |
-| **MCP Full Integration** | Framework exists, no repo ops | Can't use from Claude Desktop | 2 hours |
-| **Production Deployment** | Hardcoded localhost everywhere | Can't run on servers | 2 hours |
-| **Audit Logs** | No logging of actions | Can't track who did what | 3 hours |
-
----
-
-## WHAT'S MOCKED (INTENTIONAL) 🎭
-
-### For MVP Demo (Acceptable)
-
-1. **Daytona Sandbox** → Simulates ejs RCE exploit
-   - Returns realistic output
-   - Works for demo, not production
-   - **To use real Daytona**: Requires Docker/K8s, ~4 hours
-
-2. **Nosana Patch Generation** → Returns pre-baked patches
-   - Demonstrates what patches would look like
-   - Only ejs@3.1.6 → 3.1.7 defined
-   - **To use real Nosana**: Requires GPU account, ~4 hours
-
-3. **Bright Data Scraping** → Falls back to NVD API
-   - Demonstrates what Bright Data would do
-   - Only ejs CVE-2022-29078 tested
-   - **To use real Bright Data**: Requires account, ~2 hours
-
----
-
-## SPECIFIC PENDING ITEMS BY COMPONENT
-
-### Frontend (src/dashboard/) — 95% DONE
-
-**Working:**
-```
-✅ frontend.tsx — Multi-page SPA
-✅ LoginPage.tsx — GitHub OAuth
-✅ ScansListPage.tsx — Lists scans
-✅ ScanDetailPage.tsx — Shows details
-✅ RiskGauge.tsx — Draws gauge
-✅ CVETable.tsx — Lists CVEs
-✅ BusinessImpactCard.tsx — Shows $4.9M
-✅ PatchDiffViewer.tsx — Shows diffs
-✅ useAuth.ts — Token management
-✅ useScan.ts — API calls
-```
-
-**Pending:**
-```
-❌ Executive/Technical view toggle
-❌ Real-time WebSocket updates
-❌ PDF export
-❌ Trend analysis (historical)
-⚠️ Hardcoded GitHub client ID (should be env var)
-⚠️ Hardcoded CORS origin
-```
-
-### Backend (src/api/) — 90% DONE
-
-**Working:**
-```
-✅ server.ts — Serves HTML + API
-✅ /api/scans — Lists scans
-✅ /api/scans/{id} — Gets scan
-✅ /api/auth/github — OAuth callback
-✅ CORS headers
-```
-
-**Pending:**
-```
-❌ Production authentication (JWT)
-❌ Webhook signature verification
-❌ Database integration
-⚠️ Hardcoded dev auth bypass
-```
-
-### Engine (src/engine/) — 80% DONE
-
-**Working:**
-```
-✅ parser.ts — Reads package.json
-✅ matcher.ts — Matches CVEs
-✅ report.ts — Saves scans
-```
-
-**Partially Working:**
-```
-⚠️ scraper.ts — Only ejs works, others empty
-⚠️ sandbox.ts — Simulates ejs, not real Daytona
-⚠️ patcher.ts — Pre-baked only, no LLM
-```
-
-**Pending:**
-```
-❌ Multi-language support (Python, Rust, etc.)
-❌ Real Daytona integration
-❌ Real Nosana integration
-❌ Real Bright Data integration
-```
-
-### CLI (src/cli/) — 95% DONE
-
-**Working:**
-```
-✅ index.ts — Command dispatch
-✅ commands/scan.ts — Scan execution
-✅ commands/report.ts — Display results
-✅ config.ts — Token management
-✅ progress.ts — Progress logging
-```
-
-**Partially Working:**
-```
-⚠️ commands/scan-with-fix.ts — Creates branch but doesn't apply patches
-```
-
-**Pending:**
-```
-❌ Actual file modification for --fix
-❌ Git push integration
-```
-
-### Bot (src/bot/) — 30% DONE
-
-**Working:**
-```
-✅ server.ts — Webhook listener
-✅ Posts initial comment
-```
-
-**Pending:**
-```
-❌ Clone repository
-❌ Run engine.scan()
-❌ Update PR comment with results
-❌ Create auto-fix PR
-❌ Webhook signature verification
-```
-
-### MCP (src/mcp/) — 30% DONE
-
-**Working:**
-```
-✅ server.ts — JSON-RPC listener
-✅ Tool definitions (scan_repository, get_scan_results, etc.)
-```
-
-**Pending:**
-```
-❌ Actual repo cloning
-❌ Scan execution
-❌ Patch application
-❌ Full integration with Claude Desktop
-```
-
-### CI/CD (.github/workflows/) — 100% DONE
-
-```
-✅ Workflow runs on every PR
-✅ Executes scan
-✅ Uploads SARIF
-✅ Posts results in PR comment
-```
-
----
-
-## QUESTIONS BEFORE I PROCEED ❓
-
-Before I start fixing everything, I need to clarify your priorities:
-
-### 1. **Demo Scope**
-   - **Option A**: Fix only what's needed for hackathon judging (60% effort)
-   - **Option B**: Make everything production-ready (200% effort)
-   - **Option C**: Fix critical path + real integrations (120% effort)
-
-### 2. **Sponsor APIs**
-   - **Option A**: Keep mocks, just add branding ✅ (DONE)
-   - **Option B**: Actually integrate real Daytona/Nosana/Bright Data APIs (8+ hours)
-   - **Option C**: Keep mocks but make them more realistic (2 hours)
-
-### 3. **Backend Features**
-   - **Priority 1**: Fix patch application (--fix flag actually modifies files)? (Yes/No)
-   - **Priority 2**: Implement bot scanning? (Yes/No)
-   - **Priority 3**: Add database instead of files? (Yes/No)
-   - **Priority 4**: Multi-language support? (Yes/No)
-
-### 4. **Frontend Enhancements**
-   - **Priority 1**: Fix hardcoded values (Client ID, CORS)? (Yes/No)
-   - **Priority 2**: Add Executive/Technical view toggle? (Yes/No)
-   - **Priority 3**: Add WebSocket updates? (Yes/No)
-
-### 5. **Tests**
-   - **Option A**: Keep unit tests only
-   - **Option B**: Add E2E tests (Playwright) for dashboard
-   - **Option C**: Add integration tests for full pipeline
-
----
-
-## WHAT I RECOMMEND 💡
-
-**For Hackathon (Next 2 hours):**
-1. ✅ Fix patch application (--fix flag)
-2. ✅ Remove hardcoded values (env vars)
-3. ✅ Fix bot framework to actually scan
-4. ✅ Add simple E2E test showing full flow
-5. ✅ Clean up demo data
-
-**For Production (After hackathon):**
-1. Real Daytona/Nosana/Bright Data integration
-2. Database instead of files
-3. JWT authentication
-4. Multi-language support
-5. Monitoring/alerting
-
----
-
-## Please Answer These 5 Questions:
-
-1. **What's your priority: Demo perfect OR All features working?**
-2. **Do you want real sponsor APIs or keep the mocks?**
-3. **How much time do you have? (1 hour? 4 hours? Full day?)**
-4. **Should I focus on backend or frontend first?**
-5. **Should I add tests or just fix the code?**
-
-Once you answer, I'll:
-- Create a detailed fix plan
-- Implement fixes in order of priority
-- Test everything end-to-end
-- Commit and push to main

package/PREFLIGHT_PLAN.md

@@ -1,182 +0,0 @@
-# CodeProbe MVP — Preflight Plan
-
-**Status:** Foundation Discovery Complete  
-**Build Window:** 5 hours (hackathon)  
-**Target Event:** AgentForge SG Super AI Edition, June 2026  
-
----
-
-## Scope
-
-### In Scope (Must Ship)
-- Working CLI (`codeprobe scan`) with live exploit verification
-- Bright Data CVE scraping (real integration)
-- Daytona sandbox spawning + PoC execution
-- Detailed terminal + JSON report output
-- GitHub bot (real OAuth, PR comments + auto-fix PR creation)
-- React dashboard (Technical + Executive views)
-- Business impact messaging ($4.9M breach cost)
-
-### Out of Scope (Nice to Have / Post-Hackathon)
-- MCP server (too risky time-wise; skip for MVP)
-- CI/CD GitHub Action (cut if time < 1 hour remaining)
-- Multi-language support (Node.js only for MVP)
-- Custom PoC upload
-- Historical scan tracking / audit logs
-
-### Demo Day Visible
-- Live CLI scan of demo repo with real Bright Data + Daytona exploit execution
-- 2 confirmed exploitable CVEs demonstrated
-- GitHub bot commenting on a test PR
-- Dashboard showing business impact
-
----
-
-## Grill-Me Decisions (Locked)
-
-| Decision | Choice | Rationale |
-|----------|--------|-----------|
-| **Demo CVEs** | HTTP/2 Rapid Reset (CVE-2023-44487) ONLY (Log4Shell removed — Java/log4j incompatible with Node.js demo repo) | Log4Shell can't work in Node.js repo + requires outbound callbacks incompatible with isolated sandbox. HTTP/2 is DoS, works in isolation, Node.js compatible, public PoCs exist. |
-| **Time Crunch Fallback** | **Revised priority**: CLI + exploit verification first (non-negotiable). Dashboard minimal second. Bot + GitHub OAuth as stretch. MCP + CI cut. | Exploit verification is the only "wow moment" that matters. Everything else is bonus. |
-| **Wow Moment** | Live sandbox exploit execution (real-time PoC success/failure proof) — HTTP/2 DoS verified in isolated container | Differentiates from theoretical scanning; judges see actual vulnerability confirmation with pre-baked patches as fallback. |
-| **GitHub Bot** | Cut from MVP unless time allows (2-3h for OAuth + webhook setup) | Exploit verification alone is sufficient for hackathon. Bot is nice-to-have, not must-have. |
-| **Patch Generation** | Pre-bake patches for demo CVEs into codebase + validate harness for LLM fallback | Zero failure risk on patches. LLM (Nosana/Claude) generation is stretch goal with validation test. |
-| **Dashboard Auth** | GitHub OAuth required (scan results are sensitive security data) | Without auth, anyone with scan URL can view CVE details, PoCs, patches — IDOR vulnerability. Implement simple login. |
-
----
-
-## Foundations (Nine Technical Locks)
-
-| # | Area | Decision | Notes |
-|----|------|----------|-------|
-| 1 | **Schema** | Simple JSON: `{ scan_id, timestamp, repo_url, cves: [{id, severity, exploitable, patch_diff}], risk_score }` | No database (MVP); filesystem storage `~/.codeprobe/scans/` + S3 for dashboard |
-| 2 | **TypeScript** | TypeScript strict mode + shared types across CLI, engine, bot, dashboard | `src/shared/types.ts` for all data contracts |
-| 3 | **Validation** | Zod for runtime schema validation (repo URLs, CVE data, patch diffs) | Zero runtime overhead post-validation; lightweight for Bun |
-| 4 | **Routing** | REST API: POST `/api/scan` (start), GET `/api/scan/:id` (status), GET `/api/results/:id` (full report) | Stateless, simple webhooks for bot |
-| 5 | **Auth** | GitHub OAuth for bot + CLI (store encrypted in `~/.codeprobe/auth.json`). Sponsor API keys as env vars. | No user accounts (MVP). OAuth flow pre-tested. |
-| 6 | **CSS** | TailwindCSS for dashboard React app | Fast, responsive utilities, no build friction |
-| 7 | **UI Framework** | React 18 + Vite for dashboard. Terminal UI (chalk + table-like output) for CLI. | No heavy Terminal UI framework; keep CLI simple |
-| 8 | **Client-Server** | **Streaming** (Server-Sent Events). CLI spawns local scan engine, polls/streams progress via event emitter. | Event-driven; CLI sees real-time: "Scraping...", "Spinning up...", "Exploit running...", "Done." |
-| 9 | **Folders** | Monorepo: `src/cli`, `src/engine`, `src/dashboard`, `src/bot`, `src/shared`. Each is independently testable. | Clear boundaries; minimal cross-module coupling. |
-
----
-
-## Architecture Overview
-
-```
-CLI (Bun CLI executable)
-  ↓
-Local Engine (dependency parser, CVE matcher, sandbox orchestrator)
-  ↓
-Bright Data (async CVE scraping)
-  ↓
-Daytona (sandbox pool, exploit runner)
-  ↓
-Nosana LLM or Claude API (patch generation)
-  ↓
-Report Builder (JSON + formatted output)
-  ↓
-Dashboard (React, pulls latest scan from S3/local cache)
-  ↓
-GitHub Bot (webhook handler, PR comments, auto-fix)
-```
-
----
-
-## Data Flow
-
-1. **CLI Input**: `codeprobe scan <repo-url-or-local-path>`
-2. **Dependency Parsing**: Extract versions from `package.json`, `package-lock.json`
-3. **CVE Scraping**: Bright Data scrapes NVD, Exploit-DB, Snyk (parallel, 30s target)
-4. **CVE Matching**: Semver matching of dependencies to known CVEs
-5. **Sandbox Spawning**: Daytona creates isolated containers for CRITICAL CVEs (3 at a time)
-6. **Exploit Execution**: PoC script runs in sandbox, captures output/filesystem/network
-7. **Verification**: Exploit succeeded = "Confirmed Exploitable"; failed = "Theoretical Risk"
-8. **Patch Generation**: Nosana LLM generates code diffs (or pre-baked fallback)
-9. **Report Output**: JSON saved locally, uploaded to S3, displayed in dashboard + CLI
-10. **GitHub Bot**: Webhook fetches latest scan, posts PR comment, offers auto-fix PR
-
----
-
-## MVP Deliverables
-
-### Hour 0 (Prep, before build): Critical Setup
-- [ ] Bun project with TypeScript strict mode + shared types
-- [ ] Provision Bright Data, Daytona, Nosana API keys
-- [ ] Create demo repo with HTTP/2 vulnerable server
-- [ ] Pre-generate + validate patches for demo CVE
-- [ ] Test Daytona sandbox spawn + exploit execution (offline)
-- [ ] Set up GitHub OAuth test app (if dashboard included)
-
-### Hour 1 (0:00–1:00): Core Engine + CLI Bootstrap
-- [ ] Bun project initialized with TypeScript
-- [ ] Dependency parser (Node.js package.json parsing)
-- [ ] Bright Data scraper (test with NVD — fallback to cached JSON if fails)
-- [ ] Daytona sandbox integration (spawn, install, run PoC)
-- [ ] Report builder (JSON schema: scan_id, CVEs, risk_score, patches)
-- [ ] CLI `codeprobe scan` command skeleton
-
-### Hour 2 (1:00–2:00): Orchestration + Exploit Verification
-- [ ] Sandbox orchestrator (single CVE execution, capture output)
-- [ ] Exploit runner (inject PoC script, timeout + retry logic)
-- [ ] Verification logic (exploit succeeded/failed detection)
-- [ ] CLI end-to-end test on demo repo (live Bright Data + Daytona)
-- [ ] Terminal output (colors, progress, results table)
-
-### Hour 3 (2:00–3:00): Validation + Fallbacks
-- [ ] LLM patch generation (pre-baked patches + Nosana/Claude fallback with validation)
-- [ ] Error handling (Bright Data fails → cached CVE data, Daytona crashes → retry)
-- [ ] Config file (`~/.codeprobe/config`, GitHub auth token storage)
-- [ ] `codeprobe scan --fix` branch creation + commit
-- [ ] Full integration test (CLI start-to-finish on demo repo)
-
-### Hour 4+ (3:00–5:00): Dashboard (if time) + Polish
-- **If 4+ hours available**: React dashboard (Technical view only) + GitHub OAuth login
-  - [ ] Scan history list + detail view
-  - [ ] Risk score display + CVE table
-  - [ ] Patch diff viewer
-  - [ ] GitHub OAuth integration
-- **Always by 5:00**: Demo rehearsal (3–5 times), record fallback video, final bug fixes
-
-### Stretch Goals (if time > 5h, include ONLY if time safe):
-- [ ] Executive view (business impact messaging)
-- [ ] GitHub bot webhook (PR comments, auto-fix PR)
-- [ ] SARIF output for CI/CD
-
----
-
-## Risk Assessment (Pre-Preflight)
-
-| Risk | Likelihood | Mitigation |
-|------|------------|-----------|
-| Bright Data rate-limited during demo | Medium | Pre-cache CVE data; have offline mode |
-| Daytona sandbox timeout | Low | Retry logic (max 2 retries); mark as "Verification Failed" |
-| Nosana cold start > 60s | Medium | Pre-test; have Claude API fallback ready |
-| GitHub OAuth fails demo day | Low | Test pre-hackathon; have manual token fallback |
-| Patch generation broken | Medium | Pre-generate 2–3 patches for demo CVEs; bake into dashboard |
-| Scope creep / time overrun | High | **Strict cut order: skip MCP → skip CI → skip dashboard polish → keep CLI + bot + exploit** |
-
----
-
-## Success Criteria
-
-**MVP Demo Must Show:**
-1. Live Bright Data scraping
-2. Daytona sandbox spawning
-3. PoC exploit running in sandbox
-4. Output: 2 CVEs marked "Confirmed Exploitable"
-5. Patch generated (or shown as example)
-6. GitHub bot commenting on a PR
-7. Business impact messaging (judge understands $4.9M value)
-
-**Non-negotiable:**
-- Working CLI
-- Real Daytona exploit verification
-- Real GitHub bot (not mock)
-- Business impact clear
-
----
-
-## Known Unknowns
-
-None. All decisions locked. Sponsor API keys provisioned. Ready to preflight agent review.