npm - coverme-scanner - Versions diffs - 1.5.1 → 1.6.0 - Mend

coverme-scanner 1.5.1 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/prompts/coverme-command.md +140 -911
package/package.json +1 -1

package/dist/prompts/coverme-command.md CHANGED Viewed

@@ -1,1021 +1,250 @@
 # CoverMe - Ultimate AI Security Scanner
-The most comprehensive AI-powered code scanner. 22 specialized agents + validators + deep analysis.
+The most comprehensive AI-powered code scanner. 22 specialized agents + validators.
 $ARGUMENTS
-## CRITICAL INSTRUCTIONS - READ FIRST!
+## CRITICAL INSTRUCTIONS
-1. **DO NOT ASK ANY QUESTIONS** - Run the entire scan autonomously from start to finish
-2. **DO NOT STOP FOR CONFIRMATION** - Just keep going through all phases
-3. **DO NOT ASK ABOUT FILE CHANGES** - Automatically update/overwrite scan.json
-4. **DO NOT ASK TO OPEN REPORT** - Just open it automatically at the end
-5. **COMPLETE EVERYTHING IN ONE GO** - All phases without interruption
-6. **RUN AGENTS IN BACKGROUND** - Use `run_in_background: true` for all Task tool calls
-7. **RUN BASH IN BACKGROUND** - Use `run_in_background: true` for long Bash commands
-Execute ALL phases automatically. Do NOT stop until the HTML report is open.
+1. **DO NOT ASK ANY QUESTIONS** - Run autonomously
+2. **DO NOT STOP FOR CONFIRMATION** - Keep going
+3. **COMPLETE EVERYTHING** - All phases without interruption
+4. **AGENTS WRITE TO FILES** - Each agent writes results to `.coverme/agents/{ID}.json`
+5. **AGENTS RETURN ONLY "done" or "skipped"** - Never return findings in response
 ---
-## Phase 0: Project Discovery & Statistics
-### Step 1: Gather Project Statistics
+## Phase 0: Setup
 ```bash
-# Count files and lines of code
-find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.jsx" -o -name "*.py" -o -name "*.go" -o -name "*.java" -o -name "*.rb" -o -name "*.php" -o -name "*.cs" -o -name "*.swift" -o -name "*.kt" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" -not -path "*/build/*" -not -path "*/__pycache__/*" | wc -l
-# Count lines of code (approximate)
-find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.jsx" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | head -100 | xargs wc -l 2>/dev/null | tail -1
-# Generate project tree (max 3 levels deep, exclude node_modules etc)
-find . -maxdepth 3 -type d -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" -not -path "*/__pycache__/*" | head -30 | sort
+mkdir -p .coverme/agents
+rm -f .coverme/agents/*.json 2>/dev/null
 ```
-### Step 2: Read Project Info
+Get project stats:
 ```bash
-cat package.json 2>/dev/null | head -30
-cat README.md 2>/dev/null | head -100
-ls -la
-ls src/ 2>/dev/null || ls app/ 2>/dev/null || ls lib/ 2>/dev/null
-```
-### Step 3: Load Custom Agents (if exists)
-```bash
-cat .coverme/agents.json 2>/dev/null || echo "NO_CUSTOM_AGENTS"
-```
-### Step 4: Check for Runtime Verification (SSH)
-```bash
-cat .coverme/runtime.json 2>/dev/null || echo "NO_RUNTIME_CONFIG"
+FILES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | wc -l | tr -d ' ')
+LINES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/dist/*" 2>/dev/null | head -50 | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')
+echo "Files: $FILES, Lines: ~$LINES"
 ```
 ---
-## Phase 1: Discovery (22 parallel agents)
-Launch ALL agents IN PARALLEL using the Task tool with `run_in_background: true`.
-### Agent 1: Security Core Scanner (SEC)
-```
-Scan for OWASP Top 10 and common vulnerabilities:
-INJECTION:
-- SQL injection (string concatenation in queries, raw queries)
-- NoSQL injection (MongoDB $where, $regex with user input)
-- Command injection (exec, spawn, system with user input)
-- LDAP injection, XPath injection
-- Template injection (SSTI in Jinja2, EJS, Handlebars)
-- Header injection (CRLF in headers)
-- Log injection (unescaped user input in logs)
-XSS:
-- Reflected XSS (user input in response without encoding)
-- Stored XSS (database content rendered without escaping)
-- DOM XSS (innerHTML, document.write, eval with user data)
-- dangerouslySetInnerHTML in React without sanitization
-AUTHENTICATION:
-- Hardcoded credentials (check git ls-files first!)
-- Weak password policies (no complexity, short length)
-- Missing rate limiting on login/register
-- Session fixation (session ID not rotated after login)
-- JWT issues (none algorithm, weak secret, no expiry)
-- Missing MFA on sensitive operations
-AUTHORIZATION:
-- IDOR (direct object references without ownership check)
-- Missing authorization checks on endpoints
-- Privilege escalation paths
-- Horizontal access (user A accessing user B's data)
-- Vertical access (user accessing admin functions)
-CRYPTOGRAPHY:
-- MD5/SHA1 for passwords (use bcrypt/argon2)
-- Math.random() for security (use crypto.randomBytes)
-- Hardcoded encryption keys/IVs
-- ECB mode usage
-- Missing HTTPS enforcement
-DATABASE-SPECIFIC DANGEROUS FUNCTIONS:
-- DuckDB: read_text(), read_blob(), read_csv_auto(), read_parquet(), glob(), getenv(), httpfs
-- SQLite: load_extension(), readfile(), writefile()
-- PostgreSQL: pg_read_file(), pg_ls_dir(), COPY TO/FROM
-- MySQL: LOAD_FILE(), INTO OUTFILE, INTO DUMPFILE
-- MongoDB: $where with user input, mapReduce with user functions
-- Redis: EVAL/EVALSHA with user input, CONFIG, DEBUG commands
-Output JSON: [{id: "SEC-XXX", title, severity, category, file, line, code, description, impact, recommendation, cwe, confidence, fixOwner, fixType, dread: {damage, reproducibility, exploitability, affectedUsers, discoverability, score}}]
-```
-### Agent 2: Auth & Session Scanner (AUTH)
-```
-Deep dive into authentication and session management:
-FIRST: Detect which auth method(s) this project uses:
-| Auth Type | Detection Pattern |
-|-----------|-------------------|
-| OAuth/OIDC | oauth, oidc, authorization_code, client_id, redirect_uri |
-| JWT | jsonwebtoken, jwt, Bearer, accessToken, refreshToken |
-| Session-based | express-session, cookie-session, session.save, req.session |
-| API Keys | x-api-key, apiKey, api_key, API_SECRET |
-| Clerk | @clerk, useAuth, clerkMiddleware |
-| Auth0 | @auth0, auth0-js, auth0-react |
-| Firebase Auth | firebase/auth, signInWith, onAuthStateChanged |
-| Passport.js | passport, passport-local, passport-jwt |
-| Supabase Auth | @supabase/auth, supabase.auth |
-| NextAuth | next-auth, NextAuth, getServerSession |
-FOR EACH AUTH TYPE DETECTED, check specific vulnerabilities:
-OAuth/OIDC:
-- Open redirect in return_url/redirect_uri (CRITICAL!)
-- State parameter missing or predictable
-- PKCE not implemented for public clients
-- Token stored in localStorage (XSS vulnerable)
-JWT:
-- alg: none accepted (signature bypass)
-- Weak secret (< 256 bits)
-- No expiry (exp claim missing)
-- Token not invalidated on logout
-Session-based:
-- Session ID in URL (referer leak)
-- Session not invalidated on logout
-- Session fixation
-- Missing secure, httpOnly, sameSite on cookies
-TIMING ATTACKS:
-- Non-constant-time string comparison for tokens/secrets
-- Early return on auth failure leaking valid usernames
-Output JSON: [{id: "AUTH-XXX", ...full format with DREAD}]
-```
-### Agent 3: API Security Scanner (API)
-```
-Scan API endpoints for security issues:
-INPUT VALIDATION:
-- Missing input validation on request body
-- Type coercion attacks (string vs number)
-- Array/object pollution
-- Prototype pollution
-- Mass assignment vulnerabilities
-- GraphQL introspection enabled in production
-- GraphQL depth/complexity limits missing
-RATE LIMITING:
-- No rate limiting on expensive operations
-- Rate limit bypass via headers (X-Forwarded-For)
-- Non-atomic INCR+EXPIRE in Redis
-CORS MISCONFIGURATION:
-- res.header('Access-Control-Allow-Origin', req.headers.origin)
-- res.header('Access-Control-Allow-Origin', '*')
-- app.use(cors({ origin: true }))
-FAIL-OPEN vs FAIL-CLOSED PATTERNS (CRITICAL):
-- IP whitelist empty/missing = allow all
-- Auth middleware errors = request passes through
-- Rate limiter Redis down = no limiting
-- Config missing = insecure defaults
-WEBHOOKS:
-- Webhook signature not verified
-- SSRF via webhook URLs
-- No webhook replay protection
-Output JSON: [{id: "API-XXX", ...full format with DREAD}]
-```
-### Agent 4: Infrastructure Scanner (INFRA)
-```
-Scan infrastructure and deployment configs:
-DOCKER:
-- Running as root user
-- Secrets in Dockerfile or build args
-- Latest tag usage (unpinned versions)
-- Sensitive ports exposed
-- Missing health checks
-- No resource limits
-- Privileged mode enabled
+## Phase 1: Launch 22 Agents (parallel, background)
-KUBERNETES/HELM:
-- No resource limits/requests
-- Running as root
-- Privileged containers
-- Host network/PID enabled
-- Missing network policies
-- Secrets not encrypted at rest
-- Service account auto-mount enabled
-CI/CD:
-- Secrets in CI config files
-- Missing SAST/DAST in pipeline
-- No branch protection
-SECRETS IN GIT HISTORY (CRITICAL CHECK!):
-Run: git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
-If secrets appear in history, they are EXPOSED even if now gitignored!
+**CRITICAL**: Each agent MUST:
+1. Scan the codebase for its specific issues
+2. Write findings to `.coverme/agents/{PREFIX}.json`
+3. Return ONLY the word "done" or "skipped" - NOTHING ELSE
-DEPENDENCY SECURITY (HIGH if missing):
-- npm audit or yarn audit in CI pipeline
-- Dependabot/Renovate configuration
-- SBOM generation
+Launch ALL with `run_in_background: true`:
-Output JSON: [{id: "INFRA-XXX", ...full format with DREAD}]
+### Agent 1: SEC - Security Core
 ```
-### Agent 5: Data & Privacy Scanner (DATA)
+Scan for: SQL injection, XSS, command injection, SSTI, hardcoded secrets, weak crypto.
+Write to .coverme/agents/SEC.json:
+[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"...","line":N,"description":"...","recommendation":"..."}]
+Return ONLY: "done" or "skipped"
 ```
-Scan for data protection and privacy issues:
-PII HANDLING:
-- PII logged (emails, IPs, names, phone numbers)
-- PII in URLs/query strings
-- PII in error messages
-- PII not encrypted at rest
-- PII not masked in UI/logs
-GDPR/PRIVACY:
-- Missing data retention policy implementation
-- No data deletion mechanism (right to erasure)
-- No data export mechanism (data portability)
-- Consent not tracked properly
-- Third-party data sharing without consent
-DATABASE:
-- Sensitive data not encrypted (column-level)
-- No audit logging for sensitive operations
-- Connection strings with credentials in code
-SECRETS:
-- API keys in code (check git ls-files!)
-- Secrets in environment files committed
-- .env files not in .gitignore
-Output JSON: [{id: "DATA-XXX", ...full format with DREAD}]
+### Agent 2: AUTH - Authentication
 ```
-### Agent 6: AI/LLM Security Scanner (AI)
+Scan for: JWT issues, session problems, OAuth flaws, weak passwords, missing MFA.
+Write to .coverme/agents/AUTH.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses AI/LLM:
-grep -r -l "openai\|anthropic\|langchain\|ollama\|huggingface\|llama\|gpt-\|claude\|gemini\|bedrock\|vertex" --include="*.ts" --include="*.js" --include="*.py" --include="*.json" .
-IF NO AI CODE FOUND: Output: {"skipped": true, "reason": "No AI/LLM code detected", "findings": []}
-IF AI CODE FOUND:
-PROMPT INJECTION:
-- User input directly in prompts without sanitization
-- System prompts exposed to users
-- No input length limits on prompts
-- Missing output validation from LLM
-- Jailbreak vulnerabilities
-LLM OUTPUT → CODE EXECUTION CHAINS:
-- LLM generates SQL that gets executed
-- LLM generates code that gets eval'd
-- LLM generates shell commands that get executed
-- LLM output used in template rendering (SSTI)
-SUPPLY CHAIN:
-- CDN imports without Subresource Integrity (SRI)
-- Unpinned AI model versions
-Output JSON: [{id: "AI-XXX", ...full format with DREAD}]
+### Agent 3: API - API Security
 ```
-### Agent 7: Performance & DoS Scanner (PERF)
+Scan for: CORS issues, rate limiting, input validation, mass assignment, GraphQL issues.
+Write to .coverme/agents/API.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for performance and denial-of-service issues:
-DATABASE:
-- N+1 query patterns
-- Missing indexes on filtered/sorted columns
-- Full table scans
-- Unbounded queries (no LIMIT)
-MEMORY:
-- Memory leaks (event listeners not removed)
-- Unbounded caches
-- Stream not properly closed
-- SSE/WebSocket buffer accumulation
-CPU:
-- ReDoS (Regular Expression DoS)
-- Algorithmic complexity attacks
-- Synchronous crypto operations
-- JSON parsing of large payloads
-DANGEROUS DATABASE OPERATIONS IN HOT PATHS:
-- Redis KEYS command (blocks entire server, O(n) scan)
-- MongoDB find() without limit
-- SQL SELECT without LIMIT
-Output JSON: [{id: "PERF-XXX", ...full format with DREAD}]
+### Agent 4: INFRA - Infrastructure
 ```
-### Agent 8: Business Logic Scanner (BIZ)
+Scan for: Docker issues, K8s misconfig, CI/CD secrets, cloud misconfig.
+Write to .coverme/agents/INFRA.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for business logic vulnerabilities:
-RACE CONDITIONS:
-- TOCTOU (time-of-check-time-of-use)
-- Double-spend in transactions
-- Inventory overselling
-- Non-atomic read-modify-write
-WORKFLOW:
-- Step skipping in multi-step processes
-- State manipulation attacks
-- Workflow replay attacks
-FINANCIAL:
-- Rounding errors in calculations
-- Currency handling issues
-- Negative amount bypass
-- Discount stacking exploits
-Output JSON: [{id: "BIZ-XXX", ...full format with DREAD}]
+### Agent 5: DATA - Data & Privacy
 ```
-### Agent 9: Code Quality Scanner (QUAL)
+Scan for: PII exposure, GDPR issues, unencrypted data, secrets in code.
+Write to .coverme/agents/DATA.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for code quality issues that affect security/reliability:
-COMPLEXITY:
-- Cyclomatic complexity > 10
-- Functions > 50 lines
-- Files > 500 lines
-- Deep nesting (> 4 levels)
-ANTI-PATTERNS:
-- God objects/classes
-- Callback hell
-- Magic numbers/strings
-- Dead code
-- Console.log in production
-- TODO/FIXME comments about security issues
-ERROR HANDLING:
-- Empty catch blocks
-- Generic error swallowing
-- Missing error boundaries (React)
-- Unhandled promise rejections
-DEAD CODE WITH SECURITY IMPLICATIONS:
-- Old/commented code that has BETTER security than current code
-- Deprecated functions with security controls not ported
-Output JSON: [{id: "QUAL-XXX", ...full format with DREAD}]
+### Agent 6: AI - AI/LLM Security
 ```
-### Agent 10: Testing & Reliability Scanner (TEST)
+FIRST: Check if AI code exists (openai, anthropic, langchain, etc.)
+If no AI code: Write {"skipped":true} and return "skipped"
+If AI code: Scan for prompt injection, data leakage, output validation.
+Write to .coverme/agents/AI.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for testing gaps and reliability issues:
-TEST COVERAGE:
-- Critical paths without tests (auth, payments, data access)
-- Error handlers not tested
-- No integration tests
-- No E2E tests for main flows
-TEST QUALITY:
-- Tests without assertions
-- Mocked security checks (dangerous!)
-- Flaky tests (time-dependent)
-RELIABILITY:
-- Missing health checks
-- No graceful shutdown
-- Missing readiness/liveness probes
-- No circuit breakers for external calls
-- Missing retry logic with backoff
-Output JSON: [{id: "TEST-XXX", ...full format with DREAD}]
+### Agent 7: PERF - Performance & DoS
 ```
-### Agent 11: Redis & Cache Security Scanner (REDIS)
+Scan for: ReDoS, N+1 queries, memory leaks, unbounded operations.
+Write to .coverme/agents/PERF.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses Redis/Cache:
-grep -r -l "redis\|ioredis\|memcached\|node-cache\|lru-cache\|cache-manager" --include="*.ts" --include="*.js" --include="*.json" --include="*.yaml" .
-IF NO CACHE CODE FOUND: Output: {"skipped": true, "reason": "No Redis/Cache code detected", "findings": []}
-IF CACHE CODE FOUND:
-DANGEROUS COMMANDS:
-- KEYS * in production code (blocks entire server, use SCAN instead)
-- FLUSHALL, FLUSHDB accessible without protection
-- DEBUG, CONFIG commands enabled in production
-- EVAL/EVALSHA with user-controlled scripts (Lua injection)
-AUTHENTICATION & ACCESS:
-- Redis without AUTH (requirepass not set)
-- Redis exposed on 0.0.0.0 instead of 127.0.0.1
-- Missing TLS for Redis connections
-- Connection strings with passwords in code/logs
-DATA SECURITY:
-- Sensitive data stored without encryption
-- PII in Redis without TTL
-- Cache keys predictable/enumerable
-- No key prefix separation between tenants (multi-tenant leak)
-RACE CONDITIONS:
-- Non-atomic read-modify-write patterns
-- Missing WATCH/MULTI/EXEC for transactions
-- INCR + EXPIRE not atomic
-Output JSON: [{id: "REDIS-XXX", ...full format with DREAD}]
+### Agent 8: BIZ - Business Logic
 ```
-### Agent 12: Resilience & Fallback Scanner (RESIL)
+Scan for: Race conditions, TOCTOU, workflow bypass, financial issues.
+Write to .coverme/agents/BIZ.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for resilience patterns and fallback mechanisms:
-CIRCUIT BREAKERS:
-- External service calls without circuit breaker
-- Circuit breaker without proper thresholds
-- No fallback when circuit is open
-RETRY PATTERNS:
-- Retries without exponential backoff
-- Retries without jitter (thundering herd)
-- Retries without max attempts limit
-- Retrying non-idempotent operations
-TIMEOUTS:
-- HTTP calls without timeout
-- Database queries without timeout
-- External API calls without timeout
-FALLBACKS:
-- No fallback for critical external dependencies
-- Missing cached fallback data
-- No degraded mode implementation
-HEALTH CHECKS:
-- Health check that calls external dependencies
-- No distinction between liveness and readiness
-Output JSON: [{id: "RESIL-XXX", ...full format with DREAD}]
+### Agent 9: QUAL - Code Quality
 ```
-### Agent 13: PII & Sensitive Data Scanner (PII)
+Scan for: High complexity, dead code, error swallowing, anti-patterns.
+Write to .coverme/agents/QUAL.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for PII exposure and sensitive data handling issues:
-PII IN LOGS:
-- Email addresses logged
-- Phone numbers logged
-- IP addresses logged without justification
-- Names/addresses in logs
-- Request/response bodies logged without redaction
-PII IN URLS:
-- PII in URL path (e.g., /user/john@email.com)
-- PII in query parameters
-- Session tokens in URLs (referer leak)
-PII IN STORAGE:
-- PII stored without encryption at rest
-- PII in local storage/session storage (browser)
-- PII in cookies without encryption
-GDPR/CCPA COMPLIANCE:
-- No data export functionality
-- No data deletion on request
-- Missing consent tracking
-SENSITIVE DATA TYPES TO FIND:
-- SSN, passport numbers, national IDs
-- Credit card numbers (even partial)
-- Bank account numbers
-- Health/medical information
-- Authentication credentials
-Output JSON: [{id: "PII-XXX", ...full format with DREAD}]
+### Agent 10: TEST - Testing
 ```
-### Agent 14: Dead Code & Unused Scanner (DEAD)
+Scan for: Missing tests on critical paths, mocked security, no E2E.
+Write to .coverme/agents/TEST.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for dead code, unused dependencies, and technical debt:
-UNUSED CODE:
-- Functions never called
-- Classes never instantiated
-- Variables assigned but never read
-- API endpoints not used by any client
-COMMENTED CODE:
-- Large blocks of commented-out code
-- TODO/FIXME comments older than 6 months
-- Console.log/print statements
-UNUSED DEPENDENCIES:
-- npm/pip packages installed but never imported
-- Devdependencies in production bundle
-- Duplicate dependencies (different versions)
-SECURITY IMPLICATIONS:
-- Commented security checks (why removed?)
-- Unused auth middleware (was security removed?)
-- Dead validation code (security regression?)
-Output JSON: [{id: "DEAD-XXX", ...full format with DREAD}]
+### Agent 11: REDIS - Cache Security
 ```
-### Agent 15: Database Security Scanner (DB)
+FIRST: Check if Redis/cache code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for dangerous commands, auth issues, race conditions.
+Write to .coverme/agents/REDIS.json
+Return ONLY: "done" or "skipped"
 ```
-AUTO-DETECT DATABASE TYPE(S):
-| Database | Detection Pattern |
-|----------|-------------------|
-| PostgreSQL | pg, postgres, @prisma, typeorm, knex |
-| MySQL | mysql, mysql2, mariadb |
-| SQLite | sqlite, better-sqlite3, sql.js |
-| MongoDB | mongoose, mongodb |
-| DuckDB | duckdb, @duckdb |
-| Supabase | @supabase/supabase-js |
-IF NO DATABASE FOUND: Output: {"skipped": true, "reason": "No database code detected", "findings": []}
-SQL INJECTION:
-- String concatenation in queries
-- Template literals with user input in SQL
-- Raw queries without parameterization
-- Dynamic table/column names from user input
-NOSQL INJECTION:
-- MongoDB: $where with user input
-- MongoDB: operator injection ({$gt: ""})
-ACCESS CONTROL:
-- Database user with excessive privileges (GRANT ALL)
-- Application using root/admin database user
-- No row-level security (RLS) for multi-tenant
-CONNECTION SECURITY:
-- Database connection without TLS/SSL
-- Connection strings with credentials in code
-- Database exposed on public IP
-ORM SPECIFIC:
-- Prisma.$queryRawUnsafe() - VULNERABLE
-- Sequelize.query() with user input - VULNERABLE
-- TypeORM repository.query() with string concat - VULNERABLE
-- Mongoose User.find({ username: req.body.username }) - operator injection
-Output JSON: [{id: "DB-XXX", ...full format with DREAD}]
+### Agent 12: RESIL - Resilience
 ```
-### Agent 16: Network & Architecture Scanner (ARCH)
+Scan for: Missing circuit breakers, no timeouts, no retries, no fallbacks.
+Write to .coverme/agents/RESIL.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for network architecture and service boundary issues:
-SERVICE BOUNDARIES:
-- Internal endpoints exposed externally
-- Missing network segmentation between services
-- Service-to-service communication without mTLS
-- Admin/debug ports accessible from outside
-For EACH FINDING, determine fixOwner:
-- Fixable by code? → fixOwner: "developer"
-- Fixable by NetworkPolicy/firewall/K8s config? → fixOwner: "devops"
-- Needs architecture redesign? → fixOwner: "architect"
-KUBERNETES/INFRASTRUCTURE:
-- Missing NetworkPolicies for namespace isolation
-- Services using ClusterIP that should be internal
-- LoadBalancer exposing internal services
-- Pod-to-pod communication without restrictions
-Output JSON: [{id: "ARCH-XXX", ...full format with notCodeFix: true if devops/architect}]
+### Agent 13: PII - PII Scanner
 ```
-### Agent 17: Design Decision Detector (DESIGN)
+Scan for: PII in logs, PII in URLs, unencrypted PII, missing GDPR controls.
+Write to .coverme/agents/PII.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for intentional design decisions that might look like bugs.
-GOAL: Prevent false positives by identifying documented/intentional patterns
-DOCUMENTED DECISIONS:
-- Comments explaining WHY something is done a certain way
-- README/docs explaining architecture choices
-- ADR (Architecture Decision Records) files
-CODE PATTERNS THAT ARE NOT BUGS:
-- // Intentional: .... or // Design decision: ...
-- // SECURITY: This is safe because...
-- Feature flags controlling security features with documentation
-FOR EACH PATTERN FOUND, output:
-{
-  "id": "DESIGN-001",
-  "type": "documented_decision",
-  "title": "Content filtering disabled",
-  "file": "src/ai/chat.ts",
-  "line": 45,
-  "reason": "Documented in code comment",
-  "relatedFindings": ["AI-001"],
-  "recommendation": "Not a bug - document as accepted risk"
-}
-These findings will be EXCLUDED from main report and moved to "Design Decisions" section.
+### Agent 14: DEAD - Dead Code
 ```
-### Agent 18: Context-Aware Validator (CTX)
+Scan for: Unused functions, unused deps, commented code, TODO/FIXME.
+Write to .coverme/agents/DEAD.json
+Return ONLY: "done" or "skipped"
 ```
-Scan to understand the CONTEXT of each potential finding.
-GOAL: Reduce false positives by understanding deployment context
-FOR EACH FINDING FROM OTHER AGENTS, determine:
-DEPLOYMENT CONTEXT:
-- Is this code running in a container with network isolation?
-- Is this behind an API gateway that handles auth?
-- Is this internal-only service behind VPN?
-RUNTIME CONTEXT:
-- Is this code path actually reachable in production?
-- Is this only used in development/testing?
-- Is this protected by feature flag that's disabled?
-DATA FLOW CONTEXT:
-- Is the input already validated upstream?
-- Is there middleware that applies to this route?
-OUTPUT:
-{
-  "findingId": "SEC-001",
-  "contextAnalysis": {
-    "deploymentContext": "Runs in K8s with NetworkPolicy",
-    "runtimeContext": "Only reachable from internal services",
-    "verdict": "false_positive|confirmed|needs_review",
-    "reason": "Protected by network policy"
-  }
-}
+### Agent 15: DB - Database Security
 ```
-### Agent 19: Enclave & Trusted Compute Scanner (ENC)
+Scan for: SQL injection, NoSQL injection, missing RLS, exposed connections.
+Write to .coverme/agents/DB.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses enclaves/TEE:
-grep -r -l "enclave\|nitro\|sgx\|tee\|attestation\|trusted.compute\|confidential.computing\|vsock" --include="*.ts" --include="*.js" --include="*.py" --include="*.yaml" --include="*.yml" .
-IF NO ENCLAVE CODE FOUND: Output: {"skipped": true, "reason": "No enclave/TEE code detected", "findings": []}
-ENCLAVE REGISTRATION:
-- Enclave-to-backend registration without attestation
-- IP-based trust without cryptographic verification
-- Enclave secrets transmitted without encryption
-Output JSON: [{id: "ENC-XXX", ...full format with DREAD}]
+### Agent 16: ARCH - Architecture
 ```
-### Agent 20: Executive Summary Generator (EXEC)
+Scan for: Internal endpoints exposed, missing mTLS, network issues.
+Write to .coverme/agents/ARCH.json
+Return ONLY: "done" or "skipped"
 ```
-After all other agents complete, generate an executive summary.
-OUTPUT FORMAT:
-{
-  "executiveSummary": {
-    "headline": "3 Critical + 5 High findings require immediate attention",
-    "riskLevel": "HIGH",
-    "topRisks": [
-      "SQL injection in user search allows database access",
-      "Missing rate limiting enables brute force attacks"
-    ],
-    "positives": [
-      "Authentication flow is well-implemented",
-      "Good use of parameterized queries in core modules"
-    ],
-    "recommendedActions": [
-      {
-        "priority": 1,
-        "action": "Fix SQL injection in src/search.ts",
-        "owner": "developer",
-        "effort": "1-2 hours"
-      }
-    ],
-    "byOwner": {
-      "developer": 5,
-      "devops": 3,
-      "architect": 1
-    }
-  }
-}
+### Agent 17: DESIGN - Design Decisions
 ```
-### Agent 21: Duplicate & Existing Solutions Scanner (DUP)
+Find documented design decisions that might look like bugs (intentional patterns).
+Write to .coverme/agents/DESIGN.json
+Return ONLY: "done" or "skipped"
 ```
-CRITICAL: Before recommending ANY fix, check if a solution ALREADY EXISTS.
-For EVERY finding from Phase 1, search the codebase for:
-1. Existing utilities/helpers:
-   - Search for similar function names (sanitize, validate, escape)
-   - Check utils/, helpers/, lib/, common/ folders
-2. Existing patterns:
-   - How do OTHER files handle the same issue?
-   - Is there a project-wide convention?
-3. Duplicate findings:
-   - Is this the same issue reported multiple times?
-   - Are multiple findings actually ONE root cause?
-For EACH finding, add:
-- "EXISTING: Found sanitizeHtml() in src/utils/security.ts - use this"
-- "PATTERN: Other files use zod.string().email() - follow same pattern"
-- "DUPLICATE: Same root cause as SEC-003, fix once in middleware"
-Output:
-{
-  "findingId": "SEC-001",
-  "existingSolution": "Found: src/utils/sanitize.ts exports sanitizeUserInput()",
-  "duplicateOf": null,
-  "suggestedApproach": "Import and use existing function"
-}
+### Agent 18: CTX - Context Validator
 ```
-### Agent 22: Runtime Verification Scanner (RUNTIME)
+For critical findings from other agents, check deployment context.
+Write to .coverme/agents/CTX.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: Only runs if SSH is configured in Phase 0 runtime.json.
-IF NO runtime.json → Skip this agent entirely
-PURPOSE: Find dangerous mismatches between code configuration and actual runtime.
-STEP 1: Gather Code Expectations
-grep -E "^USER|^EXPOSE|^ENV" Dockerfile 2>/dev/null
-grep -E "runAsUser|runAsNonRoot|readOnlyRootFilesystem" k8s/*.yaml 2>/dev/null
-STEP 2: SSH and Check Actual Runtime
-ssh user@server "docker ps -q | head -1 | xargs -I {} docker exec {} id"
-ssh user@server "kubectl get pods -o name | head -1 | xargs -I {} kubectl exec {} -- id"
-STEP 3: Compare and Generate Findings
-| Mismatch | Severity |
-|----------|----------|
-| Code says non-root, runs as root | CRITICAL |
-| Dockerfile USER ignored | CRITICAL |
-| ReadOnlyRootFilesystem not enforced | HIGH |
-| Unexpected ports exposed | MEDIUM |
-Output JSON: [{id: "RUNTIME-XXX", expected: {...}, actual: {...}, ...full format}]
+### Agent 19: ENC - Enclave Security
 ```
----
-## Phase 2: Mitigation Validation (CRITICAL)
-Wait for all Phase 1 background agents to complete using `AgentOutputTool`.
-### Validator M: Mitigation Hunter
-For EVERY finding, search the codebase for mitigations:
-1. **Input Validation** - Is input sanitized before reaching the vulnerable sink?
-2. **Middleware Protection** - Is there middleware that protects this route?
-3. **Framework Auto-Protection** - Does the framework handle this automatically?
-4. **Route Protection** - Is the endpoint protected by auth/authorization?
-Output Per Finding:
-```json
-{
-  "findingId": "SEC-001",
-  "verdict": "mitigated|partial|confirmed|false_positive",
-  "mitigationType": "input_validation|middleware|framework|config|none",
-  "evidence": ["Found Zod validation at src/routes/user.ts:23"],
-  "adjustedSeverity": "low"
-}
+FIRST: Check if enclave/TEE code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for attestation issues.
+Write to .coverme/agents/ENC.json
+Return ONLY: "done" or "skipped"
 ```
----
-## Phase 3: Cross-Validation (3 parallel validators)
-Launch 3 validators IN PARALLEL with `run_in_background: true`:
-### Validator A: False Positive Hunter
-Review ALL findings. For each finding:
-1. Read the actual code file
-2. Check if there are mitigating controls elsewhere
-3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
-4. Check if code is actually reachable in production
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
-### Validator B: Evidence Challenger
-Challenge every HIGH and CRITICAL finding:
-1. Read the actual code with 20 lines of context
-2. Trace data flow from source to sink
-3. Check for sanitization/validation in between
-4. Verify the exploit scenario is realistic
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
+### Agent 20: EXEC - Executive Summary
+```
+After scanning, generate executive summary with top risks and positives.
+Write to .coverme/agents/EXEC.json
+Return ONLY: "done"
+```
-### Validator C: Missing Issues Hunter
-Look for issues that Phase 1 agents MISSED:
-- Race conditions in critical operations
-- Business logic flaws specific to this application
-- Combination attacks (multiple low issues = high)
+### Agent 21: DUP - Duplicate Finder
+```
+Find existing solutions in codebase that could fix other findings.
+Write to .coverme/agents/DUP.json
+Return ONLY: "done" or "skipped"
+```
-Output: { missedIssues: [{full finding object},...] }
+### Agent 22: POSITIVE - Good Patterns
+```
+Find positive security patterns and good practices in the codebase.
+Write to .coverme/agents/POSITIVE.json
+Return ONLY: "done"
+```
 ---
-## Phase 4: Build Consensus
-Wait for all Phase 3 background validators to complete using `AgentOutputTool`.
+## Phase 2: Wait for Agents
-Combine all results:
-1. Calculate confidence: (confirmations / validators) * 100
-2. Remove findings with confidence < 50%
-3. Add missed issues from Validator C
-4. Remove mitigated and false positive findings
-5. Identify positive observations (good patterns found)
+Wait for ALL background agents using `AgentOutputTool`.
+Each should return only "done" or "skipped".
 ---
-## Phase 5: Generate Report
-**DO NOT ASK - JUST OVERWRITE THE FILE!**
-Update `.coverme/scan.json` with the full scan results including:
+## Phase 3: Aggregate Results
-### Required Fields:
-- **projectName**: from package.json or folder name
-- **scanDate**: today's date
-- **filesScanned**: count of source files analyzed
-- **linesOfCode**: total lines in source files
-- **projectTree**: ASCII tree of main directories
-### projectOverview:
-```json
-{
-  "name": "project-name",
-  "type": "Backend API | Frontend SPA | Full-stack | CLI | Library",
-  "stack": ["Node.js", "TypeScript", "React", "PostgreSQL"],
-  "purpose": "Brief description of what this project does",
-  "architecture": "Monolith | Microservices | Serverless",
-  "keyComponents": ["auth service", "payment processing", "AI chat"]
-}
-```
+Read all agent files and merge:
-### architectureOverview:
-```json
-{
-  "components": [
-    {"name": "API Server", "type": "service", "description": "Express.js REST API", "trustLevel": "semi-trusted"},
-    {"name": "PostgreSQL", "type": "database", "description": "Primary data store", "trustLevel": "trusted"}
-  ],
-  "trustBoundaries": [
-    {"name": "Client to API", "from": "Browser", "to": "API Server", "protocol": "HTTPS"}
-  ],
-  "criticalAssets": [
-    {"name": "User Credentials", "type": "credential", "location": "PostgreSQL", "protection": "bcrypt hashed"}
-  ],
-  "dataFlows": ["User Authentication Flow", "Payment Processing Flow"]
-}
-```
-### executiveSummary:
-```json
-{
-  "headline": "3 Critical + 5 High findings require immediate attention",
-  "riskLevel": "CRITICAL | HIGH | MEDIUM | LOW",
-  "topRisks": ["SQL injection in user search", "Missing rate limiting"],
-  "positives": ["Good authentication flow", "Proper input validation"],
-  "recommendedActions": [
-    {"priority": 1, "action": "Fix SQL injection", "owner": "developer", "effort": "1-2 hours"}
-  ],
-  "byOwner": {"developer": 5, "devops": 3, "architect": 1}
-}
+```bash
+echo "Aggregating results..."
+ls -la .coverme/agents/
 ```
-### threatModel:
-```json
-[
-  {
-    "id": "T-001",
-    "threat": "SQL Injection via user input",
-    "category": "STRIDE",
-    "strideType": "T",
-    "status": "open | partial | mitigated",
-    "relatedFindings": ["SEC-001", "DB-002"],
-    "mitigation": "Use parameterized queries",
-    "dreadScore": 8.5
-  }
-]
-```
-### qualityReview:
-```json
-{
-  "deleteItems": [
-    {"type": "delete", "file": "src/utils/oldHelpers.ts", "lines": 250, "description": "Dead code", "reason": "No imports found"}
-  ],
-  "mergeItems": [
-    {"type": "merge", "file": "src/utils/validate.ts, src/helpers/validation.ts", "description": "Overlapping functions", "reason": "DRY violation"}
-  ],
-  "simplifyItems": [
-    {"type": "simplify", "file": "src/services/payment.ts", "lines": 450, "description": "Overly complex", "reason": "Can be reduced"}
-  ],
-  "totalLinesRemovable": 680,
-  "percentageOfCodebase": 4.2
-}
-```
+Use the Read tool to read each `.coverme/agents/*.json` file.
-### actionItems:
-```json
-[
-  {
-    "id": "A-001",
-    "title": "Fix SQL injection in user search",
-    "priority": "immediate | high | medium | long-term",
-    "relatedFindings": ["SEC-001"],
-    "effort": "low | medium | high",
-    "description": "Replace string concatenation with parameterized query"
-  }
-]
-```
-### findings:
-Each finding MUST include ALL these fields:
+Merge all findings into `.coverme/scan.json`:
 ```json
 {
-  "id": "SEC-001",
-  "title": "SQL Injection in User Search",
-  "severity": "critical | high | medium | low | info",
-  "category": "security | auth | api | infra | data | ai | performance | business-logic | quality | testing",
-  "file": "src/routes/users.ts",
-  "line": 45,
-  "code": "db.query(`SELECT * FROM users WHERE name LIKE '%${searchTerm}%'`)",
-  "description": "User search parameter directly concatenated into SQL query",
-  "impact": "Attacker can extract entire database contents",
-  "attackChain": [
-    {"step": 1, "action": "Send malicious search term", "result": "Query returns all users"},
-    {"step": 2, "action": "Use UNION SELECT", "result": "Database schema exposed"}
-  ],
-  "recommendation": "Use parameterized queries",
-  "cwe": "CWE-89",
-  "owasp": "A03:2021",
-  "dread": {
-    "damage": 10,
-    "reproducibility": 10,
-    "exploitability": 9,
-    "affectedUsers": 10,
-    "discoverability": 8,
-    "total": 9.4
-  },
-  "status": "open",
-  "confidence": 95,
-  "fixOwner": "developer | devops | architect",
-  "fixType": "code | config | infrastructure | design"
+  "projectName": "...",
+  "scanDate": "...",
+  "filesScanned": N,
+  "linesOfCode": N,
+  "findings": [...all from agent files...],
+  "positiveObservations": [...from POSITIVE.json...],
+  "summary": {"critical":N,"high":N,"medium":N,"low":N}
 }
 ```
-### Other sections:
-- **designDecisions**: Intentional patterns that look like bugs
-- **mitigatedFindings**: Findings with existing protection
-- **falsePositives**: Findings that are not actually vulnerabilities
-- **positiveObservations**: Good practices found
-- **validationSummary**: Stats on mitigation validation
-- **summary**: Total counts by severity
-- **agentsUsed**: List of agents that ran
-- **scanDuration**: Time taken in ms
-Use the Write tool to overwrite `.coverme/scan.json` with the results.
 ---
-## Phase 6: Generate HTML Report
-**DO NOT ASK - JUST RUN THE COMMANDS!**
+## Phase 4: Generate Report
-Generate the HTML report and open it automatically:
 ```bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
 npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
-cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
 open ".coverme/report_$TIMESTAMP.html"
 ```
-Run these commands without asking for permission.
 ---
 ## DONE
-Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser."
-**REMINDER: You should have completed all 6 phases without asking ANY questions or stopping for confirmation.**
+Tell user: "Scan complete! Report opened."

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.5.1",
+  "version": "1.6.0",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [