npm - coverme-scanner - Versions diffs - 1.5.2 → 1.6.0 - Mend

coverme-scanner 1.5.2 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/prompts/coverme-command.md +134 -918
package/package.json +1 -1

package/dist/prompts/coverme-command.md CHANGED Viewed

@@ -1,1034 +1,250 @@
 # CoverMe - Ultimate AI Security Scanner
-The most comprehensive AI-powered code scanner. 22 specialized agents + validators + deep analysis.
+The most comprehensive AI-powered code scanner. 22 specialized agents + validators.
 $ARGUMENTS
-## CRITICAL INSTRUCTIONS - READ FIRST!
+## CRITICAL INSTRUCTIONS
-1. **DO NOT ASK ANY QUESTIONS** - Run the entire scan autonomously from start to finish
-2. **DO NOT STOP FOR CONFIRMATION** - Just keep going through all phases
-3. **DO NOT ASK ABOUT FILE CHANGES** - Automatically update/overwrite scan.json
-4. **DO NOT ASK TO OPEN REPORT** - Just open it automatically at the end
-5. **COMPLETE EVERYTHING IN ONE GO** - All phases without interruption
-6. **RUN AGENTS IN BACKGROUND** - Use `run_in_background: true` for all Task tool calls
-7. **RUN BASH IN BACKGROUND** - Use `run_in_background: true` for long Bash commands
-Execute ALL phases automatically. Do NOT stop until the HTML report is open.
+1. **DO NOT ASK ANY QUESTIONS** - Run autonomously
+2. **DO NOT STOP FOR CONFIRMATION** - Keep going
+3. **COMPLETE EVERYTHING** - All phases without interruption
+4. **AGENTS WRITE TO FILES** - Each agent writes results to `.coverme/agents/{ID}.json`
+5. **AGENTS RETURN ONLY "done" or "skipped"** - Never return findings in response
 ---
-## Phase 0: Project Discovery & Statistics
-### Step 1: Gather Project Statistics
+## Phase 0: Setup
 ```bash
-# Count files and lines of code
-find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.jsx" -o -name "*.py" -o -name "*.go" -o -name "*.java" -o -name "*.rb" -o -name "*.php" -o -name "*.cs" -o -name "*.swift" -o -name "*.kt" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" -not -path "*/build/*" -not -path "*/__pycache__/*" | wc -l
-# Count lines of code (approximate)
-find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.jsx" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | head -100 | xargs wc -l 2>/dev/null | tail -1
-# Generate project tree (max 3 levels deep, exclude node_modules etc)
-find . -maxdepth 3 -type d -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" -not -path "*/__pycache__/*" | head -30 | sort
+mkdir -p .coverme/agents
+rm -f .coverme/agents/*.json 2>/dev/null
 ```
-### Step 2: Read Project Info
-```bash
-cat package.json 2>/dev/null | head -30
-cat README.md 2>/dev/null | head -100
-ls -la
-ls src/ 2>/dev/null || ls app/ 2>/dev/null || ls lib/ 2>/dev/null
-```
-### Step 3: Load Custom Agents (if exists)
-```bash
-cat .coverme/agents.json 2>/dev/null || echo "NO_CUSTOM_AGENTS"
-```
-### Step 4: Check for Runtime Verification (SSH)
+Get project stats:
 ```bash
-cat .coverme/runtime.json 2>/dev/null || echo "NO_RUNTIME_CONFIG"
+FILES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | wc -l | tr -d ' ')
+LINES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/dist/*" 2>/dev/null | head -50 | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')
+echo "Files: $FILES, Lines: ~$LINES"
 ```
 ---
-## Phase 1: Discovery (22 parallel agents)
+## Phase 1: Launch 22 Agents (parallel, background)
-Launch ALL agents IN PARALLEL using the Task tool with `run_in_background: true`.
+**CRITICAL**: Each agent MUST:
+1. Scan the codebase for its specific issues
+2. Write findings to `.coverme/agents/{PREFIX}.json`
+3. Return ONLY the word "done" or "skipped" - NOTHING ELSE
-**CRITICAL FOR CONTEXT MANAGEMENT**: Each agent MUST return ONLY a compact JSON array of findings.
-- NO explanatory text before or after the JSON
-- NO tool output summaries
-- ONLY the final JSON array
-- Keep descriptions short (max 100 chars)
-- If no findings, return: `[]`
+Launch ALL with `run_in_background: true`:
-Example agent output format:
-```json
-[{"id":"SEC-001","title":"SQL Injection","severity":"critical","file":"src/db.ts","line":45,"description":"User input concatenated into query","recommendation":"Use parameterized queries"}]
+### Agent 1: SEC - Security Core
 ```
-### Agent 1: Security Core Scanner (SEC)
+Scan for: SQL injection, XSS, command injection, SSTI, hardcoded secrets, weak crypto.
+Write to .coverme/agents/SEC.json:
+[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"...","line":N,"description":"...","recommendation":"..."}]
+Return ONLY: "done" or "skipped"
 ```
-Scan for OWASP Top 10 and common vulnerabilities:
-INJECTION:
-- SQL injection (string concatenation in queries, raw queries)
-- NoSQL injection (MongoDB $where, $regex with user input)
-- Command injection (exec, spawn, system with user input)
-- LDAP injection, XPath injection
-- Template injection (SSTI in Jinja2, EJS, Handlebars)
-- Header injection (CRLF in headers)
-- Log injection (unescaped user input in logs)
-XSS:
-- Reflected XSS (user input in response without encoding)
-- Stored XSS (database content rendered without escaping)
-- DOM XSS (innerHTML, document.write, eval with user data)
-- dangerouslySetInnerHTML in React without sanitization
-AUTHENTICATION:
-- Hardcoded credentials (check git ls-files first!)
-- Weak password policies (no complexity, short length)
-- Missing rate limiting on login/register
-- Session fixation (session ID not rotated after login)
-- JWT issues (none algorithm, weak secret, no expiry)
-- Missing MFA on sensitive operations
-AUTHORIZATION:
-- IDOR (direct object references without ownership check)
-- Missing authorization checks on endpoints
-- Privilege escalation paths
-- Horizontal access (user A accessing user B's data)
-- Vertical access (user accessing admin functions)
-CRYPTOGRAPHY:
-- MD5/SHA1 for passwords (use bcrypt/argon2)
-- Math.random() for security (use crypto.randomBytes)
-- Hardcoded encryption keys/IVs
-- ECB mode usage
-- Missing HTTPS enforcement
-DATABASE-SPECIFIC DANGEROUS FUNCTIONS:
-- DuckDB: read_text(), read_blob(), read_csv_auto(), read_parquet(), glob(), getenv(), httpfs
-- SQLite: load_extension(), readfile(), writefile()
-- PostgreSQL: pg_read_file(), pg_ls_dir(), COPY TO/FROM
-- MySQL: LOAD_FILE(), INTO OUTFILE, INTO DUMPFILE
-- MongoDB: $where with user input, mapReduce with user functions
-- Redis: EVAL/EVALSHA with user input, CONFIG, DEBUG commands
-RETURN ONLY THIS JSON (no other text):
-[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"path","line":N,"description":"max 100 chars","recommendation":"max 100 chars"}]
+### Agent 2: AUTH - Authentication
 ```
-### Agent 2: Auth & Session Scanner (AUTH)
+Scan for: JWT issues, session problems, OAuth flaws, weak passwords, missing MFA.
+Write to .coverme/agents/AUTH.json
+Return ONLY: "done" or "skipped"
 ```
-Deep dive into authentication and session management:
-FIRST: Detect which auth method(s) this project uses:
-| Auth Type | Detection Pattern |
-|-----------|-------------------|
-| OAuth/OIDC | oauth, oidc, authorization_code, client_id, redirect_uri |
-| JWT | jsonwebtoken, jwt, Bearer, accessToken, refreshToken |
-| Session-based | express-session, cookie-session, session.save, req.session |
-| API Keys | x-api-key, apiKey, api_key, API_SECRET |
-| Clerk | @clerk, useAuth, clerkMiddleware |
-| Auth0 | @auth0, auth0-js, auth0-react |
-| Firebase Auth | firebase/auth, signInWith, onAuthStateChanged |
-| Passport.js | passport, passport-local, passport-jwt |
-| Supabase Auth | @supabase/auth, supabase.auth |
-| NextAuth | next-auth, NextAuth, getServerSession |
-FOR EACH AUTH TYPE DETECTED, check specific vulnerabilities:
-OAuth/OIDC:
-- Open redirect in return_url/redirect_uri (CRITICAL!)
-- State parameter missing or predictable
-- PKCE not implemented for public clients
-- Token stored in localStorage (XSS vulnerable)
-JWT:
-- alg: none accepted (signature bypass)
-- Weak secret (< 256 bits)
-- No expiry (exp claim missing)
-- Token not invalidated on logout
-Session-based:
-- Session ID in URL (referer leak)
-- Session not invalidated on logout
-- Session fixation
-- Missing secure, httpOnly, sameSite on cookies
-TIMING ATTACKS:
-- Non-constant-time string comparison for tokens/secrets
-- Early return on auth failure leaking valid usernames
-RETURN ONLY JSON: [{"id":"AUTH-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
+### Agent 3: API - API Security
 ```
-### Agent 3: API Security Scanner (API)
+Scan for: CORS issues, rate limiting, input validation, mass assignment, GraphQL issues.
+Write to .coverme/agents/API.json
+Return ONLY: "done" or "skipped"
 ```
-Scan API endpoints for security issues:
-INPUT VALIDATION:
-- Missing input validation on request body
-- Type coercion attacks (string vs number)
-- Array/object pollution
-- Prototype pollution
-- Mass assignment vulnerabilities
-- GraphQL introspection enabled in production
-- GraphQL depth/complexity limits missing
-RATE LIMITING:
-- No rate limiting on expensive operations
-- Rate limit bypass via headers (X-Forwarded-For)
-- Non-atomic INCR+EXPIRE in Redis
-CORS MISCONFIGURATION:
-- res.header('Access-Control-Allow-Origin', req.headers.origin)
-- res.header('Access-Control-Allow-Origin', '*')
-- app.use(cors({ origin: true }))
-FAIL-OPEN vs FAIL-CLOSED PATTERNS (CRITICAL):
-- IP whitelist empty/missing = allow all
-- Auth middleware errors = request passes through
-- Rate limiter Redis down = no limiting
-- Config missing = insecure defaults
-WEBHOOKS:
-- Webhook signature not verified
-- SSRF via webhook URLs
-- No webhook replay protection
-RETURN ONLY JSON: [{"id":"API-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
+### Agent 4: INFRA - Infrastructure
 ```
-### Agent 4: Infrastructure Scanner (INFRA)
+Scan for: Docker issues, K8s misconfig, CI/CD secrets, cloud misconfig.
+Write to .coverme/agents/INFRA.json
+Return ONLY: "done" or "skipped"
 ```
-Scan infrastructure and deployment configs:
-DOCKER:
-- Running as root user
-- Secrets in Dockerfile or build args
-- Latest tag usage (unpinned versions)
-- Sensitive ports exposed
-- Missing health checks
-- No resource limits
-- Privileged mode enabled
-KUBERNETES/HELM:
-- No resource limits/requests
-- Running as root
-- Privileged containers
-- Host network/PID enabled
-- Missing network policies
-- Secrets not encrypted at rest
-- Service account auto-mount enabled
-CI/CD:
-- Secrets in CI config files
-- Missing SAST/DAST in pipeline
-- No branch protection
-SECRETS IN GIT HISTORY (CRITICAL CHECK!):
-Run: git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
-If secrets appear in history, they are EXPOSED even if now gitignored!
-DEPENDENCY SECURITY (HIGH if missing):
-- npm audit or yarn audit in CI pipeline
-- Dependabot/Renovate configuration
-- SBOM generation
-RETURN ONLY JSON: [{"id":"INFRA-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
+### Agent 5: DATA - Data & Privacy
 ```
-### Agent 5: Data & Privacy Scanner (DATA)
+Scan for: PII exposure, GDPR issues, unencrypted data, secrets in code.
+Write to .coverme/agents/DATA.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for data protection and privacy issues:
-PII HANDLING:
-- PII logged (emails, IPs, names, phone numbers)
-- PII in URLs/query strings
-- PII in error messages
-- PII not encrypted at rest
-- PII not masked in UI/logs
-GDPR/PRIVACY:
-- Missing data retention policy implementation
-- No data deletion mechanism (right to erasure)
-- No data export mechanism (data portability)
-- Consent not tracked properly
-- Third-party data sharing without consent
-DATABASE:
-- Sensitive data not encrypted (column-level)
-- No audit logging for sensitive operations
-- Connection strings with credentials in code
-SECRETS:
-- API keys in code (check git ls-files!)
-- Secrets in environment files committed
-- .env files not in .gitignore
-RETURN ONLY JSON: [{"id":"DATA-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
+### Agent 6: AI - AI/LLM Security
 ```
-### Agent 6: AI/LLM Security Scanner (AI)
+FIRST: Check if AI code exists (openai, anthropic, langchain, etc.)
+If no AI code: Write {"skipped":true} and return "skipped"
+If AI code: Scan for prompt injection, data leakage, output validation.
+Write to .coverme/agents/AI.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses AI/LLM:
-grep -r -l "openai\|anthropic\|langchain\|ollama\|huggingface\|llama\|gpt-\|claude\|gemini\|bedrock\|vertex" --include="*.ts" --include="*.js" --include="*.py" --include="*.json" .
-IF NO AI CODE FOUND: Output: {"skipped": true, "reason": "No AI/LLM code detected", "findings": []}
-IF AI CODE FOUND:
-PROMPT INJECTION:
-- User input directly in prompts without sanitization
-- System prompts exposed to users
-- No input length limits on prompts
-- Missing output validation from LLM
-- Jailbreak vulnerabilities
-LLM OUTPUT → CODE EXECUTION CHAINS:
-- LLM generates SQL that gets executed
-- LLM generates code that gets eval'd
-- LLM generates shell commands that get executed
-- LLM output used in template rendering (SSTI)
-SUPPLY CHAIN:
-- CDN imports without Subresource Integrity (SRI)
-- Unpinned AI model versions
-RETURN ONLY JSON (no other text): []
-```
-### Agent 7: Performance & DoS Scanner (PERF)
-```
-Scan for performance and denial-of-service issues:
-DATABASE:
-- N+1 query patterns
-- Missing indexes on filtered/sorted columns
-- Full table scans
-- Unbounded queries (no LIMIT)
-MEMORY:
-- Memory leaks (event listeners not removed)
-- Unbounded caches
-- Stream not properly closed
-- SSE/WebSocket buffer accumulation
-CPU:
-- ReDoS (Regular Expression DoS)
-- Algorithmic complexity attacks
-- Synchronous crypto operations
-- JSON parsing of large payloads
-DANGEROUS DATABASE OPERATIONS IN HOT PATHS:
-- Redis KEYS command (blocks entire server, O(n) scan)
-- MongoDB find() without limit
-- SQL SELECT without LIMIT
-RETURN ONLY JSON (no other text): []
+### Agent 7: PERF - Performance & DoS
 ```
-### Agent 8: Business Logic Scanner (BIZ)
+Scan for: ReDoS, N+1 queries, memory leaks, unbounded operations.
+Write to .coverme/agents/PERF.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for business logic vulnerabilities:
-RACE CONDITIONS:
-- TOCTOU (time-of-check-time-of-use)
-- Double-spend in transactions
-- Inventory overselling
-- Non-atomic read-modify-write
-WORKFLOW:
-- Step skipping in multi-step processes
-- State manipulation attacks
-- Workflow replay attacks
-FINANCIAL:
-- Rounding errors in calculations
-- Currency handling issues
-- Negative amount bypass
-- Discount stacking exploits
-RETURN ONLY JSON (no other text): []
+### Agent 8: BIZ - Business Logic
 ```
-### Agent 9: Code Quality Scanner (QUAL)
+Scan for: Race conditions, TOCTOU, workflow bypass, financial issues.
+Write to .coverme/agents/BIZ.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for code quality issues that affect security/reliability:
-COMPLEXITY:
-- Cyclomatic complexity > 10
-- Functions > 50 lines
-- Files > 500 lines
-- Deep nesting (> 4 levels)
-ANTI-PATTERNS:
-- God objects/classes
-- Callback hell
-- Magic numbers/strings
-- Dead code
-- Console.log in production
-- TODO/FIXME comments about security issues
-ERROR HANDLING:
-- Empty catch blocks
-- Generic error swallowing
-- Missing error boundaries (React)
-- Unhandled promise rejections
-DEAD CODE WITH SECURITY IMPLICATIONS:
-- Old/commented code that has BETTER security than current code
-- Deprecated functions with security controls not ported
-RETURN ONLY JSON (no other text): []
+### Agent 9: QUAL - Code Quality
 ```
-### Agent 10: Testing & Reliability Scanner (TEST)
+Scan for: High complexity, dead code, error swallowing, anti-patterns.
+Write to .coverme/agents/QUAL.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for testing gaps and reliability issues:
-TEST COVERAGE:
-- Critical paths without tests (auth, payments, data access)
-- Error handlers not tested
-- No integration tests
-- No E2E tests for main flows
-TEST QUALITY:
-- Tests without assertions
-- Mocked security checks (dangerous!)
-- Flaky tests (time-dependent)
-RELIABILITY:
-- Missing health checks
-- No graceful shutdown
-- Missing readiness/liveness probes
-- No circuit breakers for external calls
-- Missing retry logic with backoff
-RETURN ONLY JSON (no other text): []
+### Agent 10: TEST - Testing
 ```
-### Agent 11: Redis & Cache Security Scanner (REDIS)
+Scan for: Missing tests on critical paths, mocked security, no E2E.
+Write to .coverme/agents/TEST.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses Redis/Cache:
-grep -r -l "redis\|ioredis\|memcached\|node-cache\|lru-cache\|cache-manager" --include="*.ts" --include="*.js" --include="*.json" --include="*.yaml" .
-IF NO CACHE CODE FOUND: Output: {"skipped": true, "reason": "No Redis/Cache code detected", "findings": []}
-IF CACHE CODE FOUND:
-DANGEROUS COMMANDS:
-- KEYS * in production code (blocks entire server, use SCAN instead)
-- FLUSHALL, FLUSHDB accessible without protection
-- DEBUG, CONFIG commands enabled in production
-- EVAL/EVALSHA with user-controlled scripts (Lua injection)
-AUTHENTICATION & ACCESS:
-- Redis without AUTH (requirepass not set)
-- Redis exposed on 0.0.0.0 instead of 127.0.0.1
-- Missing TLS for Redis connections
-- Connection strings with passwords in code/logs
-DATA SECURITY:
-- Sensitive data stored without encryption
-- PII in Redis without TTL
-- Cache keys predictable/enumerable
-- No key prefix separation between tenants (multi-tenant leak)
-RACE CONDITIONS:
-- Non-atomic read-modify-write patterns
-- Missing WATCH/MULTI/EXEC for transactions
-- INCR + EXPIRE not atomic
-RETURN ONLY JSON (no other text): []
+### Agent 11: REDIS - Cache Security
 ```
-### Agent 12: Resilience & Fallback Scanner (RESIL)
+FIRST: Check if Redis/cache code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for dangerous commands, auth issues, race conditions.
+Write to .coverme/agents/REDIS.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for resilience patterns and fallback mechanisms:
-CIRCUIT BREAKERS:
-- External service calls without circuit breaker
-- Circuit breaker without proper thresholds
-- No fallback when circuit is open
-RETRY PATTERNS:
-- Retries without exponential backoff
-- Retries without jitter (thundering herd)
-- Retries without max attempts limit
-- Retrying non-idempotent operations
-TIMEOUTS:
-- HTTP calls without timeout
-- Database queries without timeout
-- External API calls without timeout
-FALLBACKS:
-- No fallback for critical external dependencies
-- Missing cached fallback data
-- No degraded mode implementation
-HEALTH CHECKS:
-- Health check that calls external dependencies
-- No distinction between liveness and readiness
-RETURN ONLY JSON (no other text): []
+### Agent 12: RESIL - Resilience
 ```
-### Agent 13: PII & Sensitive Data Scanner (PII)
+Scan for: Missing circuit breakers, no timeouts, no retries, no fallbacks.
+Write to .coverme/agents/RESIL.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for PII exposure and sensitive data handling issues:
-PII IN LOGS:
-- Email addresses logged
-- Phone numbers logged
-- IP addresses logged without justification
-- Names/addresses in logs
-- Request/response bodies logged without redaction
-PII IN URLS:
-- PII in URL path (e.g., /user/john@email.com)
-- PII in query parameters
-- Session tokens in URLs (referer leak)
-PII IN STORAGE:
-- PII stored without encryption at rest
-- PII in local storage/session storage (browser)
-- PII in cookies without encryption
-GDPR/CCPA COMPLIANCE:
-- No data export functionality
-- No data deletion on request
-- Missing consent tracking
-SENSITIVE DATA TYPES TO FIND:
-- SSN, passport numbers, national IDs
-- Credit card numbers (even partial)
-- Bank account numbers
-- Health/medical information
-- Authentication credentials
-RETURN ONLY JSON (no other text): []
+### Agent 13: PII - PII Scanner
 ```
-### Agent 14: Dead Code & Unused Scanner (DEAD)
+Scan for: PII in logs, PII in URLs, unencrypted PII, missing GDPR controls.
+Write to .coverme/agents/PII.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for dead code, unused dependencies, and technical debt:
-UNUSED CODE:
-- Functions never called
-- Classes never instantiated
-- Variables assigned but never read
-- API endpoints not used by any client
-COMMENTED CODE:
-- Large blocks of commented-out code
-- TODO/FIXME comments older than 6 months
-- Console.log/print statements
-UNUSED DEPENDENCIES:
-- npm/pip packages installed but never imported
-- Devdependencies in production bundle
-- Duplicate dependencies (different versions)
-SECURITY IMPLICATIONS:
-- Commented security checks (why removed?)
-- Unused auth middleware (was security removed?)
-- Dead validation code (security regression?)
-RETURN ONLY JSON (no other text): []
+### Agent 14: DEAD - Dead Code
 ```
-### Agent 15: Database Security Scanner (DB)
+Scan for: Unused functions, unused deps, commented code, TODO/FIXME.
+Write to .coverme/agents/DEAD.json
+Return ONLY: "done" or "skipped"
 ```
-AUTO-DETECT DATABASE TYPE(S):
-| Database | Detection Pattern |
-|----------|-------------------|
-| PostgreSQL | pg, postgres, @prisma, typeorm, knex |
-| MySQL | mysql, mysql2, mariadb |
-| SQLite | sqlite, better-sqlite3, sql.js |
-| MongoDB | mongoose, mongodb |
-| DuckDB | duckdb, @duckdb |
-| Supabase | @supabase/supabase-js |
-IF NO DATABASE FOUND: Output: {"skipped": true, "reason": "No database code detected", "findings": []}
-SQL INJECTION:
-- String concatenation in queries
-- Template literals with user input in SQL
-- Raw queries without parameterization
-- Dynamic table/column names from user input
-NOSQL INJECTION:
-- MongoDB: $where with user input
-- MongoDB: operator injection ({$gt: ""})
-ACCESS CONTROL:
-- Database user with excessive privileges (GRANT ALL)
-- Application using root/admin database user
-- No row-level security (RLS) for multi-tenant
-CONNECTION SECURITY:
-- Database connection without TLS/SSL
-- Connection strings with credentials in code
-- Database exposed on public IP
-ORM SPECIFIC:
-- Prisma.$queryRawUnsafe() - VULNERABLE
-- Sequelize.query() with user input - VULNERABLE
-- TypeORM repository.query() with string concat - VULNERABLE
-- Mongoose User.find({ username: req.body.username }) - operator injection
-RETURN ONLY JSON (no other text): []
+### Agent 15: DB - Database Security
 ```
-### Agent 16: Network & Architecture Scanner (ARCH)
+Scan for: SQL injection, NoSQL injection, missing RLS, exposed connections.
+Write to .coverme/agents/DB.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for network architecture and service boundary issues:
-SERVICE BOUNDARIES:
-- Internal endpoints exposed externally
-- Missing network segmentation between services
-- Service-to-service communication without mTLS
-- Admin/debug ports accessible from outside
-For EACH FINDING, determine fixOwner:
-- Fixable by code? → fixOwner: "developer"
-- Fixable by NetworkPolicy/firewall/K8s config? → fixOwner: "devops"
-- Needs architecture redesign? → fixOwner: "architect"
-KUBERNETES/INFRASTRUCTURE:
-- Missing NetworkPolicies for namespace isolation
-- Services using ClusterIP that should be internal
-- LoadBalancer exposing internal services
-- Pod-to-pod communication without restrictions
-RETURN ONLY JSON (no other text): []
+### Agent 16: ARCH - Architecture
 ```
-### Agent 17: Design Decision Detector (DESIGN)
+Scan for: Internal endpoints exposed, missing mTLS, network issues.
+Write to .coverme/agents/ARCH.json
+Return ONLY: "done" or "skipped"
 ```
-Scan for intentional design decisions that might look like bugs.
-GOAL: Prevent false positives by identifying documented/intentional patterns
-DOCUMENTED DECISIONS:
-- Comments explaining WHY something is done a certain way
-- README/docs explaining architecture choices
-- ADR (Architecture Decision Records) files
-CODE PATTERNS THAT ARE NOT BUGS:
-- // Intentional: .... or // Design decision: ...
-- // SECURITY: This is safe because...
-- Feature flags controlling security features with documentation
-FOR EACH PATTERN FOUND, output:
-{
-  "id": "DESIGN-001",
-  "type": "documented_decision",
-  "title": "Content filtering disabled",
-  "file": "src/ai/chat.ts",
-  "line": 45,
-  "reason": "Documented in code comment",
-  "relatedFindings": ["AI-001"],
-  "recommendation": "Not a bug - document as accepted risk"
-}
-These findings will be EXCLUDED from main report and moved to "Design Decisions" section.
+### Agent 17: DESIGN - Design Decisions
 ```
-### Agent 18: Context-Aware Validator (CTX)
+Find documented design decisions that might look like bugs (intentional patterns).
+Write to .coverme/agents/DESIGN.json
+Return ONLY: "done" or "skipped"
 ```
-Scan to understand the CONTEXT of each potential finding.
-GOAL: Reduce false positives by understanding deployment context
-FOR EACH FINDING FROM OTHER AGENTS, determine:
-DEPLOYMENT CONTEXT:
-- Is this code running in a container with network isolation?
-- Is this behind an API gateway that handles auth?
-- Is this internal-only service behind VPN?
-RUNTIME CONTEXT:
-- Is this code path actually reachable in production?
-- Is this only used in development/testing?
-- Is this protected by feature flag that's disabled?
-DATA FLOW CONTEXT:
-- Is the input already validated upstream?
-- Is there middleware that applies to this route?
-OUTPUT:
-{
-  "findingId": "SEC-001",
-  "contextAnalysis": {
-    "deploymentContext": "Runs in K8s with NetworkPolicy",
-    "runtimeContext": "Only reachable from internal services",
-    "verdict": "false_positive|confirmed|needs_review",
-    "reason": "Protected by network policy"
-  }
-}
+### Agent 18: CTX - Context Validator
 ```
-### Agent 19: Enclave & Trusted Compute Scanner (ENC)
+For critical findings from other agents, check deployment context.
+Write to .coverme/agents/CTX.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: First detect if this project uses enclaves/TEE:
-grep -r -l "enclave\|nitro\|sgx\|tee\|attestation\|trusted.compute\|confidential.computing\|vsock" --include="*.ts" --include="*.js" --include="*.py" --include="*.yaml" --include="*.yml" .
-IF NO ENCLAVE CODE FOUND: Output: {"skipped": true, "reason": "No enclave/TEE code detected", "findings": []}
-ENCLAVE REGISTRATION:
-- Enclave-to-backend registration without attestation
-- IP-based trust without cryptographic verification
-- Enclave secrets transmitted without encryption
-RETURN ONLY JSON (no other text): []
+### Agent 19: ENC - Enclave Security
 ```
-### Agent 20: Executive Summary Generator (EXEC)
+FIRST: Check if enclave/TEE code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for attestation issues.
+Write to .coverme/agents/ENC.json
+Return ONLY: "done" or "skipped"
 ```
-After all other agents complete, generate an executive summary.
-OUTPUT FORMAT:
-{
-  "executiveSummary": {
-    "headline": "3 Critical + 5 High findings require immediate attention",
-    "riskLevel": "HIGH",
-    "topRisks": [
-      "SQL injection in user search allows database access",
-      "Missing rate limiting enables brute force attacks"
-    ],
-    "positives": [
-      "Authentication flow is well-implemented",
-      "Good use of parameterized queries in core modules"
-    ],
-    "recommendedActions": [
-      {
-        "priority": 1,
-        "action": "Fix SQL injection in src/search.ts",
-        "owner": "developer",
-        "effort": "1-2 hours"
-      }
-    ],
-    "byOwner": {
-      "developer": 5,
-      "devops": 3,
-      "architect": 1
-    }
-  }
-}
+### Agent 20: EXEC - Executive Summary
 ```
-### Agent 21: Duplicate & Existing Solutions Scanner (DUP)
+After scanning, generate executive summary with top risks and positives.
+Write to .coverme/agents/EXEC.json
+Return ONLY: "done"
 ```
-CRITICAL: Before recommending ANY fix, check if a solution ALREADY EXISTS.
-For EVERY finding from Phase 1, search the codebase for:
-1. Existing utilities/helpers:
-   - Search for similar function names (sanitize, validate, escape)
-   - Check utils/, helpers/, lib/, common/ folders
-2. Existing patterns:
-   - How do OTHER files handle the same issue?
-   - Is there a project-wide convention?
-3. Duplicate findings:
-   - Is this the same issue reported multiple times?
-   - Are multiple findings actually ONE root cause?
-For EACH finding, add:
-- "EXISTING: Found sanitizeHtml() in src/utils/security.ts - use this"
-- "PATTERN: Other files use zod.string().email() - follow same pattern"
-- "DUPLICATE: Same root cause as SEC-003, fix once in middleware"
-Output:
-{
-  "findingId": "SEC-001",
-  "existingSolution": "Found: src/utils/sanitize.ts exports sanitizeUserInput()",
-  "duplicateOf": null,
-  "suggestedApproach": "Import and use existing function"
-}
+### Agent 21: DUP - Duplicate Finder
 ```
-### Agent 22: Runtime Verification Scanner (RUNTIME)
+Find existing solutions in codebase that could fix other findings.
+Write to .coverme/agents/DUP.json
+Return ONLY: "done" or "skipped"
 ```
-CONDITIONAL: Only runs if SSH is configured in Phase 0 runtime.json.
-IF NO runtime.json → Skip this agent entirely
-PURPOSE: Find dangerous mismatches between code configuration and actual runtime.
-STEP 1: Gather Code Expectations
-grep -E "^USER|^EXPOSE|^ENV" Dockerfile 2>/dev/null
-grep -E "runAsUser|runAsNonRoot|readOnlyRootFilesystem" k8s/*.yaml 2>/dev/null
-STEP 2: SSH and Check Actual Runtime
-ssh user@server "docker ps -q | head -1 | xargs -I {} docker exec {} id"
-ssh user@server "kubectl get pods -o name | head -1 | xargs -I {} kubectl exec {} -- id"
-STEP 3: Compare and Generate Findings
-| Mismatch | Severity |
-|----------|----------|
-| Code says non-root, runs as root | CRITICAL |
-| Dockerfile USER ignored | CRITICAL |
-| ReadOnlyRootFilesystem not enforced | HIGH |
-| Unexpected ports exposed | MEDIUM |
-RETURN ONLY JSON (no other text): []
+### Agent 22: POSITIVE - Good Patterns
 ```
----
-## Phase 2: Mitigation Validation (CRITICAL)
-Wait for all Phase 1 background agents to complete using `AgentOutputTool`.
-### Validator M: Mitigation Hunter
-For EVERY finding, search the codebase for mitigations:
-1. **Input Validation** - Is input sanitized before reaching the vulnerable sink?
-2. **Middleware Protection** - Is there middleware that protects this route?
-3. **Framework Auto-Protection** - Does the framework handle this automatically?
-4. **Route Protection** - Is the endpoint protected by auth/authorization?
-Output Per Finding:
-```json
-{
-  "findingId": "SEC-001",
-  "verdict": "mitigated|partial|confirmed|false_positive",
-  "mitigationType": "input_validation|middleware|framework|config|none",
-  "evidence": ["Found Zod validation at src/routes/user.ts:23"],
-  "adjustedSeverity": "low"
-}
+Find positive security patterns and good practices in the codebase.
+Write to .coverme/agents/POSITIVE.json
+Return ONLY: "done"
 ```
 ---
-## Phase 3: Cross-Validation (3 parallel validators)
-Launch 3 validators IN PARALLEL with `run_in_background: true`:
-### Validator A: False Positive Hunter
-Review ALL findings. For each finding:
-1. Read the actual code file
-2. Check if there are mitigating controls elsewhere
-3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
-4. Check if code is actually reachable in production
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
-### Validator B: Evidence Challenger
-Challenge every HIGH and CRITICAL finding:
-1. Read the actual code with 20 lines of context
-2. Trace data flow from source to sink
-3. Check for sanitization/validation in between
-4. Verify the exploit scenario is realistic
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
-### Validator C: Missing Issues Hunter
-Look for issues that Phase 1 agents MISSED:
-- Race conditions in critical operations
-- Business logic flaws specific to this application
-- Combination attacks (multiple low issues = high)
-Output: { missedIssues: [{full finding object},...] }
----
-## Phase 4: Build Consensus
-Wait for all Phase 3 background validators to complete using `AgentOutputTool`.
+## Phase 2: Wait for Agents
-Combine all results:
-1. Calculate confidence: (confirmations / validators) * 100
-2. Remove findings with confidence < 50%
-3. Add missed issues from Validator C
-4. Remove mitigated and false positive findings
-5. Identify positive observations (good patterns found)
+Wait for ALL background agents using `AgentOutputTool`.
+Each should return only "done" or "skipped".
 ---
-## Phase 5: Generate Report
-**DO NOT ASK - JUST OVERWRITE THE FILE!**
-Update `.coverme/scan.json` with the full scan results including:
-### Required Fields:
-- **projectName**: from package.json or folder name
-- **scanDate**: today's date
-- **filesScanned**: count of source files analyzed
-- **linesOfCode**: total lines in source files
-- **projectTree**: ASCII tree of main directories
-### projectOverview:
-```json
-{
-  "name": "project-name",
-  "type": "Backend API | Frontend SPA | Full-stack | CLI | Library",
-  "stack": ["Node.js", "TypeScript", "React", "PostgreSQL"],
-  "purpose": "Brief description of what this project does",
-  "architecture": "Monolith | Microservices | Serverless",
-  "keyComponents": ["auth service", "payment processing", "AI chat"]
-}
-```
-### architectureOverview:
-```json
-{
-  "components": [
-    {"name": "API Server", "type": "service", "description": "Express.js REST API", "trustLevel": "semi-trusted"},
-    {"name": "PostgreSQL", "type": "database", "description": "Primary data store", "trustLevel": "trusted"}
-  ],
-  "trustBoundaries": [
-    {"name": "Client to API", "from": "Browser", "to": "API Server", "protocol": "HTTPS"}
-  ],
-  "criticalAssets": [
-    {"name": "User Credentials", "type": "credential", "location": "PostgreSQL", "protection": "bcrypt hashed"}
-  ],
-  "dataFlows": ["User Authentication Flow", "Payment Processing Flow"]
-}
-```
-### executiveSummary:
-```json
-{
-  "headline": "3 Critical + 5 High findings require immediate attention",
-  "riskLevel": "CRITICAL | HIGH | MEDIUM | LOW",
-  "topRisks": ["SQL injection in user search", "Missing rate limiting"],
-  "positives": ["Good authentication flow", "Proper input validation"],
-  "recommendedActions": [
-    {"priority": 1, "action": "Fix SQL injection", "owner": "developer", "effort": "1-2 hours"}
-  ],
-  "byOwner": {"developer": 5, "devops": 3, "architect": 1}
-}
-```
+## Phase 3: Aggregate Results
-### threatModel:
-```json
-[
-  {
-    "id": "T-001",
-    "threat": "SQL Injection via user input",
-    "category": "STRIDE",
-    "strideType": "T",
-    "status": "open | partial | mitigated",
-    "relatedFindings": ["SEC-001", "DB-002"],
-    "mitigation": "Use parameterized queries",
-    "dreadScore": 8.5
-  }
-]
-```
+Read all agent files and merge:
-### qualityReview:
-```json
-{
-  "deleteItems": [
-    {"type": "delete", "file": "src/utils/oldHelpers.ts", "lines": 250, "description": "Dead code", "reason": "No imports found"}
-  ],
-  "mergeItems": [
-    {"type": "merge", "file": "src/utils/validate.ts, src/helpers/validation.ts", "description": "Overlapping functions", "reason": "DRY violation"}
-  ],
-  "simplifyItems": [
-    {"type": "simplify", "file": "src/services/payment.ts", "lines": 450, "description": "Overly complex", "reason": "Can be reduced"}
-  ],
-  "totalLinesRemovable": 680,
-  "percentageOfCodebase": 4.2
-}
+```bash
+echo "Aggregating results..."
+ls -la .coverme/agents/
 ```
-### actionItems:
-```json
-[
-  {
-    "id": "A-001",
-    "title": "Fix SQL injection in user search",
-    "priority": "immediate | high | medium | long-term",
-    "relatedFindings": ["SEC-001"],
-    "effort": "low | medium | high",
-    "description": "Replace string concatenation with parameterized query"
-  }
-]
-```
+Use the Read tool to read each `.coverme/agents/*.json` file.
-### findings:
-Each finding MUST include ALL these fields:
+Merge all findings into `.coverme/scan.json`:
 ```json
 {
-  "id": "SEC-001",
-  "title": "SQL Injection in User Search",
-  "severity": "critical | high | medium | low | info",
-  "category": "security | auth | api | infra | data | ai | performance | business-logic | quality | testing",
-  "file": "src/routes/users.ts",
-  "line": 45,
-  "code": "db.query(`SELECT * FROM users WHERE name LIKE '%${searchTerm}%'`)",
-  "description": "User search parameter directly concatenated into SQL query",
-  "impact": "Attacker can extract entire database contents",
-  "attackChain": [
-    {"step": 1, "action": "Send malicious search term", "result": "Query returns all users"},
-    {"step": 2, "action": "Use UNION SELECT", "result": "Database schema exposed"}
-  ],
-  "recommendation": "Use parameterized queries",
-  "cwe": "CWE-89",
-  "owasp": "A03:2021",
-  "dread": {
-    "damage": 10,
-    "reproducibility": 10,
-    "exploitability": 9,
-    "affectedUsers": 10,
-    "discoverability": 8,
-    "total": 9.4
-  },
-  "status": "open",
-  "confidence": 95,
-  "fixOwner": "developer | devops | architect",
-  "fixType": "code | config | infrastructure | design"
+  "projectName": "...",
+  "scanDate": "...",
+  "filesScanned": N,
+  "linesOfCode": N,
+  "findings": [...all from agent files...],
+  "positiveObservations": [...from POSITIVE.json...],
+  "summary": {"critical":N,"high":N,"medium":N,"low":N}
 }
 ```
-### Other sections:
-- **designDecisions**: Intentional patterns that look like bugs
-- **mitigatedFindings**: Findings with existing protection
-- **falsePositives**: Findings that are not actually vulnerabilities
-- **positiveObservations**: Good practices found
-- **validationSummary**: Stats on mitigation validation
-- **summary**: Total counts by severity
-- **agentsUsed**: List of agents that ran
-- **scanDuration**: Time taken in ms
-Use the Write tool to overwrite `.coverme/scan.json` with the results.
 ---
-## Phase 6: Generate HTML Report
+## Phase 4: Generate Report
-**DO NOT ASK - JUST RUN THE COMMANDS!**
-Generate the HTML report and open it automatically:
 ```bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
 npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
-cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
 open ".coverme/report_$TIMESTAMP.html"
 ```
-Run these commands without asking for permission.
 ---
 ## DONE
-Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser."
-**REMINDER: You should have completed all 6 phases without asking ANY questions or stopping for confirmation.**
+Tell user: "Scan complete! Report opened."

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.5.2",
+  "version": "1.6.0",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [