cognium-ai 2.5.8 → 2.5.9

package/README.md

@@ -12,7 +12,7 @@ npm install -g cognium-ai
 
 ```bash
 cognium-ai scan <path>          # Scan for security vulnerabilities (LLM-enhanced)
-cognium-ai trust <path>         # Trust score across 30+ passes (supply chain, security, AI safety, compliance)
+cognium-ai trust <path>         # Trust score across 36 passes (supply chain, security, AI safety, compliance)
 cognium-ai quality <path>       # Quality score (complexity, tests, docs, maintainability, performance)
 cognium-ai spec-diff <path>     # Spec-gap analysis (code vs Specifica spec alignment)
 cognium-ai generate-spec <path> # Generate Specifica spec from code
@@ -34,15 +34,18 @@ are hidden from the headline `--help` until they soak.
 cognium-ai scan src/                              # LLM-enhanced scan (default)
 cognium-ai scan src/ --no-llm                     # Static-only (no LLM)
 cognium-ai scan src/ -f json -o results.json      # JSON output to file
+cognium-ai scan src/ -f sarif -o results.sarif    # SARIF 2.1.0 (GitHub code-scanning)
 cognium-ai scan src/ --severity high              # High+ severity only
 cognium-ai scan src/ --exclude-tests              # Skip test files
 cognium-ai scan src/ --threads 20                 # Custom parallelism
 cognium-ai scan src/ -x '**/vendor/**'            # Exclude paths
+cognium-ai scan src/ --llm-timeout 180            # Raise per-call LLM timeout (slow local models)
 cognium-ai scan src/ --exit-code                  # Exit 1 on findings (CI)
 ```
 
-For SARIF output, use `cognium-ai trust` (`-f sarif -o trust.sarif`),
-which produces SARIF 2.1.0 against all trust passes.
+`cognium-ai trust src/ -f sarif -o trust.sarif` produces SARIF 2.1.0
+across all 36 trust passes (richer than `scan -f sarif`, which is
+scoped to OWASP Top 10 findings only).
 
 ## LLM Configuration
 
@@ -65,9 +68,9 @@ export LLM_ENRICHMENT_MODEL=cognium/gpt-oss-120b
 |------|-------------|---------|
 | `--llm-base-url <url>` | LLM API base URL (OpenAI-compatible) | `http://localhost:4000/v1` |
 | `--llm-api-key <key>` | LLM API key | `LLM_API_KEY` env var |
-| `--llm-model <model>` | LLM model name | `cognium/gpt-oss-120b` |
+| `--llm-model <model>` | LLM model name (universal — applies to all phases) | `cognium/gpt-oss-120b` |
+| `--llm-timeout <seconds>` | Per-call LLM timeout. Raise for slow local models (e.g. `--llm-timeout 180`); lower for fail-fast iteration. | `60` |
 | `--no-llm` | Disable LLM, use static analysis only | LLM enabled by default |
-| `--no-llm-discovery` | Disable LLM discovery mode | discovery enabled by default |
 
 ### Provider Examples
 
@@ -141,15 +144,16 @@ jobs:
 
 | Benchmark | Score |
 |-----------|-------|
-| OWASP Benchmark (Java, 1415 tests) | +100% |
-| Juliet Test Suite (156 tests) | +100% |
+| OWASP Benchmark (Java) | 100% (1415/1415) |
+| Juliet Test Suite (14 CWEs) | 100% (243/243) |
 | SecuriBench Micro | 97.7% TPR, 6.7% FPR |
-| CWE-Bench-Java (120 CVEs) | 42.5% static, 81.7% +LLM Discovery |
-| NodeJS Synthetic (25 tests) | 100% TPR |
-| CWE-Bench-Rust (30 tests) | 77.8% TPR, 0% FPR |
-| Bash Synthetic (31 tests) | 68.2% TPR, 0% FPR |
+| CWE-Bench-Java (120 CVEs) | 50.8% static (61/120), **86.7% +LLM Discovery** (104/120, Claude Opus) |
+| OWASP NodeGoat / Juice Shop / DVJA | 100% |
+| NodeJS Synthetic (25 tests) | 92.9% Score (96.2% TPR, 11.1% FPR) |
+| CWE-Bench-Rust (30 tests) | 94.4% TPR, 0% FPR |
+| Bash Synthetic (31 tests) | 100% TPR, 0% FPR |
 
-CWE-Bench-Java reference: CodeQL 22.5%, IRIS+GPT-4 45.8%.
+CWE-Bench-Java reference: **CodeQL 22.5%**, IRIS+GPT-4 45.8% — cognium-ai with Claude Opus is **2.85× CodeQL**.
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cognium-ai",
-  "version": "2.5.8",
+  "version": "2.5.9",
   "description": "AI-powered static analysis CLI with LLM-enhanced vulnerability detection",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",