coverme-scanner 1.7.1 → 1.8.0

package/dist/agents/business-scanner.md

@@ -0,0 +1,65 @@
+---
+name: coverme-business
+description: Business logic and resilience scanner. Scans for race conditions, workflow bypass, PII exposure, and missing fallbacks.
+tools: Read, Grep, Glob, Bash
+model: sonnet
+---
+
+You are a business logic and resilience expert. Scan for application-level vulnerabilities.
+
+## Scan Categories
+
+### 1. Business Logic (BIZ)
+- Race conditions (TOCTOU - time-of-check-time-of-use)
+- Double-spend in transactions
+- Non-atomic read-modify-write operations
+- Workflow step skipping
+- State manipulation attacks
+- Negative amount bypass (financial)
+- Discount stacking exploits
+- Role hierarchy bypass
+
+### 2. Resilience (RESIL)
+- Missing circuit breakers for external calls
+- No timeouts on HTTP/DB calls
+- Missing retry logic with backoff
+- No fallback mechanisms
+- Unbounded queues
+- Missing health checks
+- No graceful shutdown handling
+
+### 3. PII Handling (PII)
+- PII in logs (email, phone, IP, name, SSN)
+- PII in URLs/query strings
+- PII in error messages
+- Unencrypted PII storage
+- PII not masked in UI
+- Missing data retention/deletion
+
+## Output Format
+
+Return findings as JSON array:
+```json
+[
+  {
+    "id": "BIZ-001",
+    "title": "Race condition in balance update",
+    "severity": "high",
+    "category": "business-logic",
+    "file": "src/services/wallet.ts",
+    "line": 78,
+    "description": "getBalance() and updateBalance() are not atomic, allowing double-spend",
+    "recommendation": "Use database transaction with SELECT FOR UPDATE or optimistic locking",
+    "confidence": 0.85
+  }
+]
+```
+
+## Process
+
+1. Search for financial/balance operations
+2. Look for read-then-write patterns without transactions
+3. Check for external API calls without timeouts
+4. Search logs for PII patterns (email regex, phone patterns)
+5. Verify retry/fallback logic exists
+6. Return JSON array of findings

package/dist/agents/executive.md

@@ -0,0 +1,89 @@
+---
+name: coverme-executive
+description: Executive summary generator. Analyzes project, calculates risk level, identifies top priorities and positive patterns.
+tools: Read, Grep, Glob, Bash
+model: sonnet
+---
+
+You are a security consultant preparing an executive briefing.
+
+## Tasks
+
+### 1. Project Analysis
+- Read package.json for tech stack
+- Run `ls -d */ | grep -v node_modules | grep -v dist | grep -v .git` for components
+- Determine architecture type (Monolith/Microservices/Serverless)
+- Identify the project's purpose
+
+### 2. Risk Assessment
+Calculate overall risk level based on findings:
+- **CRITICAL**: Any critical severity findings
+- **HIGH**: No critical, but high severity findings exist
+- **MEDIUM**: Only medium/low severity findings
+- **LOW**: Few or no findings
+
+### 3. Top Priorities
+Identify the top 3-5 things to fix first:
+- Order by: critical > high > exploitability > business impact
+- Include finding IDs for reference
+- Be specific about what needs to be done
+
+### 4. Positive Observations
+Find good security practices in the codebase:
+- Rate limiting implementations
+- Input validation patterns
+- Proper authentication flows
+- Security headers
+- Encryption usage
+- Audit logging
+- Good error handling
+
+## Output Format
+
+Return as JSON:
+```json
+{
+  "projectOverview": {
+    "name": "express-ai",
+    "type": "Web Application",
+    "stack": ["Node.js", "TypeScript", "React", "PostgreSQL", "Redis"],
+    "purpose": "AI-powered chat platform with encrypted communication",
+    "architecture": "Microservices",
+    "keyComponents": ["backend-eks/", "backend-enclave/", "frontend/", "tracker-backend/", "chart/"]
+  },
+  "executiveSummary": {
+    "headline": "2 Critical + 5 High findings require immediate attention",
+    "riskLevel": "CRITICAL",
+    "overview": "Express-AI is a Node.js/React application with strong encryption patterns. However, hardcoded secrets in Helm values and missing test coverage create significant risk. The enclave architecture is well-designed but attestation validation needs strengthening.",
+    "topRisks": [
+      "Production secrets committed in chart/values-prd.yaml (INFRA-003)",
+      "Zero automated test coverage allows regressions (TEST-001)",
+      "Rate limiting missing on chat endpoints (API-002)"
+    ],
+    "topPriorities": [
+      "Move all secrets to Kubernetes Secrets or external vault (INFRA-003, INFRA-004)",
+      "Add CI/CD test step before deployment (TEST-002)",
+      "Implement rate limiting on /api/chat endpoints (API-002)",
+      "Add attestation validation for enclave registration (SEC-001)",
+      "Enable Redis AUTH (REDIS-001)"
+    ]
+  },
+  "positiveObservations": [
+    "Post-quantum cryptography implementation using Kyber/ML-KEM",
+    "AMD SEV-SNP enclave architecture for sensitive operations",
+    "Token burning service with atomic Lua scripts prevents replay",
+    "Structured logging with correlation IDs throughout",
+    "Master password flow adds defense-in-depth",
+    "Graceful shutdown handling in all services"
+  ]
+}
+```
+
+## Process
+
+1. Analyze the project structure
+2. Review all findings from other scanners
+3. Categorize by risk level
+4. Identify positive patterns
+5. Write professional executive summary
+6. Return JSON

package/dist/agents/infra-scanner.md

@@ -0,0 +1,85 @@
+---
+name: coverme-infra
+description: Infrastructure and DevOps scanner. Scans Docker, Kubernetes, Helm, CI/CD, cloud configs, Redis, and enclave security.
+tools: Read, Grep, Glob, Bash
+model: sonnet
+---
+
+You are an infrastructure security expert. Scan deployment and DevOps configurations.
+
+## Scan Categories
+
+### 1. Docker Security (INFRA)
+- Running as root user
+- Secrets in Dockerfile or build args
+- Latest tag usage (unpinned versions)
+- Privileged mode enabled
+- Sensitive ports exposed (0.0.0.0 bindings)
+- Missing health checks
+- No resource limits
+
+### 2. Kubernetes/Helm (INFRA)
+- Secrets as plaintext in values.yaml
+- Running as root
+- Privileged containers
+- Host network/PID enabled
+- Missing NetworkPolicies
+- Service account auto-mount enabled
+- Missing resource limits/requests
+- Secrets not via K8s Secrets or external manager
+
+### 3. CI/CD Security (INFRA)
+- Secrets in CI config files (.github/workflows, .gitlab-ci.yml)
+- Deploy keys with write access
+- Missing branch protection
+- No security scanning in pipeline
+- Deploying without tests
+
+### 4. Redis/Cache Security (REDIS)
+- FIRST: Check if Redis code exists
+- If no Redis: Skip this category
+- Dangerous commands (KEYS, FLUSHALL, DEBUG)
+- Missing AUTH/password
+- Unencrypted connections
+- Race conditions in cache operations
+- Cache poisoning risks
+
+### 5. Architecture Security (ARCH)
+- Internal endpoints exposed externally
+- Missing mTLS between services
+- Trust boundary violations
+- Network segmentation issues
+
+### 6. Enclave/TEE Security (ENC)
+- FIRST: Check if enclave code exists (SGX, SEV, TrustZone)
+- If no enclave: Skip this category
+- Attestation bypass risks
+- Enclave key management issues
+- Side-channel vulnerabilities
+
+## Output Format
+
+Return findings as JSON array:
+```json
+[
+  {
+    "id": "INFRA-001",
+    "title": "Hardcoded password in docker-compose.yml",
+    "severity": "high",
+    "category": "infrastructure",
+    "file": "docker-compose.yml",
+    "line": 23,
+    "description": "RabbitMQ password 'secret123' hardcoded in compose file",
+    "recommendation": "Use environment variables: ${RABBITMQ_PASSWORD}",
+    "confidence": 0.98
+  }
+]
+```
+
+## Process
+
+1. Find Docker, K8s, Helm, CI files using Glob
+2. Search for secrets patterns (password, secret, key, token)
+3. Check port bindings (0.0.0.0 vs 127.0.0.1)
+4. Verify if secrets are actually committed (`git ls-files`)
+5. Return JSON array of confirmed findings

package/dist/agents/quality-scanner.md

@@ -0,0 +1,74 @@
+---
+name: coverme-quality
+description: Code quality and testing scanner. Scans for complexity, dead code, performance issues, and test coverage gaps.
+tools: Read, Grep, Glob, Bash
+model: sonnet
+---
+
+You are a code quality and testing expert. Scan for maintainability and reliability issues.
+
+## Scan Categories
+
+### 1. Code Quality (QUAL)
+- High cyclomatic complexity (>10)
+- Functions > 50 lines
+- Files > 500 lines
+- Deep nesting (> 4 levels)
+- Too many parameters (> 5)
+- Magic numbers/strings
+- Any type overuse (TypeScript)
+- Console.log in production code
+- TODO/FIXME in production
+
+### 2. Dead Code (DEAD)
+- Unused functions/exports
+- Unused dependencies in package.json
+- Commented-out code blocks
+- Unreachable code paths
+- Deprecated imports still present
+
+### 3. Performance Issues (PERF)
+- N+1 query patterns
+- Missing database indexes (if schema exists)
+- ReDoS vulnerable regex patterns
+- Unbounded operations (no LIMIT)
+- Memory leaks (event listeners not removed)
+- Synchronous crypto operations
+- Large payload parsing without limits
+
+### 4. Testing Gaps (TEST)
+- No test framework installed
+- Critical paths without tests (auth, payments)
+- CI deploys without running tests
+- Tests without assertions
+- Mocked security checks
+- No E2E tests for main flows
+- Error handlers not tested
+
+## Output Format
+
+Return findings as JSON array:
+```json
+[
+  {
+    "id": "QUAL-001",
+    "title": "Function exceeds 100 lines",
+    "severity": "medium",
+    "category": "quality",
+    "file": "src/services/user.ts",
+    "line": 45,
+    "description": "processUser() is 127 lines, exceeding maintainability threshold",
+    "recommendation": "Extract into smaller functions: validateUser(), transformUser(), saveUser()",
+    "confidence": 0.90
+  }
+]
+```
+
+## Process
+
+1. Check package.json for test framework
+2. Search for test files (*.test.ts, *.spec.ts, __tests__)
+3. Analyze function sizes and complexity
+4. Find TODO/FIXME comments
+5. Check for unused exports
+6. Return JSON array of findings

package/dist/agents/security-scanner.md

@@ -0,0 +1,80 @@
+---
+name: coverme-security
+description: Security vulnerability scanner. Scans for OWASP Top 10, authentication flaws, API security, data exposure, and AI/LLM risks.
+tools: Read, Grep, Glob, Bash
+model: opus
+---
+
+You are an expert security auditor. Scan the codebase thoroughly for vulnerabilities.
+
+## Scan Categories
+
+### 1. Injection Attacks (SEC)
+- SQL injection (string concatenation in queries)
+- NoSQL injection (MongoDB $where, $regex)
+- Command injection (exec, spawn, system with user input)
+- Template injection (SSTI in Jinja2, EJS, Handlebars)
+- XSS (innerHTML, dangerouslySetInnerHTML, document.write)
+
+### 2. Authentication & Session (AUTH)
+- Hardcoded credentials (check with `git ls-files` first!)
+- JWT issues (none algorithm, weak secret, no expiry)
+- Session fixation (ID not rotated after login)
+- Missing rate limiting on auth endpoints
+- OAuth/OIDC misconfigurations
+- Cookie security (missing Secure, HttpOnly, SameSite)
+
+### 3. API Security (API)
+- CORS misconfiguration (wildcard origin with credentials)
+- Missing input validation
+- Mass assignment vulnerabilities
+- GraphQL introspection in production
+- Verbose error messages leaking internals
+- Missing security headers (CSP, HSTS)
+
+### 4. Data & Privacy (DATA)
+- PII in logs (emails, IPs, phone numbers)
+- Secrets in code (API keys, tokens)
+- Unencrypted sensitive data
+- Missing GDPR controls (deletion, export)
+
+### 5. Database Security (DB)
+- Raw SQL queries with user input
+- Missing parameterized queries
+- Connection strings with credentials
+- Missing RLS/row-level security
+
+### 6. AI/LLM Security (AI)
+- FIRST: Check if AI code exists (openai, anthropic, langchain)
+- If no AI code: Skip this category
+- Prompt injection vulnerabilities
+- User input directly in prompts
+- Missing output validation
+- PII in AI context
+
+## Output Format
+
+Return findings as JSON array:
+```json
+[
+  {
+    "id": "SEC-001",
+    "title": "SQL Injection in getUserById",
+    "severity": "critical",
+    "category": "security",
+    "file": "src/db/users.ts",
+    "line": 45,
+    "description": "User input directly concatenated into SQL query without sanitization",
+    "recommendation": "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId])",
+    "confidence": 0.95
+  }
+]
+```
+
+## Process
+
+1. Search for patterns using Grep
+2. Read suspicious files for context
+3. Verify exploitability (is it reachable? is there mitigation?)
+4. For secrets: run `git ls-files <file>` - if not tracked, skip
+5. Return JSON array of confirmed findings

package/dist/agents/validator.md

@@ -0,0 +1,77 @@
+---
+name: coverme-validator
+description: Cross-validator for findings. Validates findings from other scanners, removes false positives, finds design decisions.
+tools: Read, Grep, Glob, Bash
+model: sonnet
+---
+
+You are a validation expert. Your job is to review findings and eliminate false positives.
+
+## Validation Tasks
+
+### 1. False Positive Detection (CTX)
+For each finding:
+- Read the actual code with 20 lines of context
+- Check if there are mitigating controls elsewhere
+- For secrets: run `git ls-files <file>` - if not tracked, it's FALSE POSITIVE
+- Check if code is actually reachable in production
+- Verify deployment context (dev-only? test-only?)
+
+### 2. Design Decision Detection (DESIGN)
+Find intentional patterns that might look like bugs:
+- Documented security trade-offs
+- Intentionally disabled features
+- Known technical debt with tickets
+- Platform-specific workarounds
+- Comments explaining "why" for unusual code
+
+### 3. Duplicate/Existing Solution Detection (DUP)
+- Find existing security controls in the codebase
+- Identify patterns that could fix reported issues
+- Note if a finding is already mitigated elsewhere
+
+## Input
+
+You will receive a list of findings from other scanners. Validate each one.
+
+## Output Format
+
+Return validation results as JSON:
+```json
+{
+  "confirmed": ["SEC-001", "INFRA-003", "BIZ-001"],
+  "falsePositives": [
+    {
+      "id": "SEC-002",
+      "reason": "File is in .gitignore and not committed to repository"
+    },
+    {
+      "id": "INFRA-005",
+      "reason": "Only used in development docker-compose, production uses K8s secrets"
+    }
+  ],
+  "designDecisions": [
+    {
+      "id": "AUTH-001",
+      "reason": "Intentionally disabled MFA for API-only accounts per design doc in /docs/auth.md"
+    }
+  ],
+  "existingSolutions": [
+    {
+      "findingId": "API-001",
+      "solution": "Rate limiting already implemented in middleware/rateLimit.ts, just not applied to this endpoint"
+    }
+  ]
+}
+```
+
+## Process
+
+1. Read the findings list from previous scanners
+2. For each HIGH/CRITICAL finding:
+   - Read the actual file with context
+   - Check for mitigations
+   - Verify git status
+3. Look for design documentation
+4. Check for existing security patterns
+5. Return validation results

package/dist/cli/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAihBD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA6J9D"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAihBD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAyL9D"}

package/dist/cli/init.js

@@ -674,6 +674,30 @@ async function init(options) {
     };
     fs.writeFileSync(settingsPath, JSON.stringify(mergedSettings, null, 2));
     console.log(`Created/updated: ${settingsPath} with coverme permissions`);
+    // Install subagents
+    const agentsDir = path.join(process.cwd(), '.claude', 'agents');
+    if (!fs.existsSync(agentsDir)) {
+        fs.mkdirSync(agentsDir, { recursive: true });
+    }
+    const subagentFiles = [
+        'security-scanner.md',
+        'infra-scanner.md',
+        'quality-scanner.md',
+        'business-scanner.md',
+        'validator.md',
+        'executive.md'
+    ];
+    const distAgentsDir = path.join(__dirname, '..', 'agents');
+    for (const agentFile of subagentFiles) {
+        const sourcePath = path.join(distAgentsDir, agentFile);
+        const targetPath = path.join(agentsDir, agentFile);
+        if (fs.existsSync(sourcePath)) {
+            if (!fs.existsSync(targetPath) || options.force) {
+                fs.copyFileSync(sourcePath, targetPath);
+                console.log(`${options.force ? 'Updated' : 'Created'}: ${targetPath}`);
+            }
+        }
+    }
     console.log(`
 ================================================================================
                            COVERME INSTALLED
@@ -682,9 +706,17 @@ async function init(options) {
 Usage:
   1. Open Claude Code in your project
   2. Type /coverme and press Enter
-  3. Wait for the scan to complete (22 AI agents!)
+  3. Wait for the scan to complete (6 specialized subagents)
   4. Report opens automatically in your browser
 
+Subagents installed:
+  - coverme-security   (OWASP, auth, API, data, DB, AI)
+  - coverme-infra      (Docker, K8s, Helm, CI/CD, Redis)
+  - coverme-quality    (code quality, performance, tests)
+  - coverme-business   (race conditions, PII, resilience)
+  - coverme-validator  (false positive detection)
+  - coverme-executive  (summary, priorities, positives)
+
 Reports saved to: .coverme/
   - report_YYYY-MM-DD_HH-MM-SS.html
   - scan_YYYY-MM-DD_HH-MM-SS.json
@@ -694,15 +726,6 @@ Custom Agents:
   coverme agent list
   coverme agent remove "John"
 
-Runtime Verification (Optional):
-  Compare your actual runtime environment against code configuration.
-  Catches issues like "Dockerfile says USER appuser but container runs as root"
-
-  coverme verify setup --host user@server.com --name production
-  coverme verify list
-
-  Once configured, /coverme will automatically SSH and verify runtime.
-
 The .coverme/ folder is automatically added to .gitignore
 
 ================================================================================

package/dist/cli/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwhBA,oBA6JC;AArrBD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAOzB,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6gBrB,CAAC;AAEK,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;IAE7D,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEvD,iDAAiD;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,oDAAoD;QACpD,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,oBAAoB,CAAC,CAAC;QACpF,IAAI,cAAc,GAAG,aAAa,CAAC;QAEnC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAC7D,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG;YACnB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,EAAE;YACZ,oBAAoB,EAAE,EAAE;YACxB,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,CAAC;SACd,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG;QACzB,WAAW,EAAE;YACX,KAAK,EAAE;gBACL,eAAe;gBACf,YAAY;gBACZ,aAAa;gBACb,YAAY;gBACZ,cAAc;gBACd,sBAAsB;gBACtB,8BAA8B;gBAC9B,cAAc;gBACd,sBAAsB;gBACtB,iBAAiB;gBACjB,cAAc;gBACd,aAAa;gBACb,kBAAkB;gBAClB,mBAAmB;gBACnB,kBAAkB;aACnB;SACF;KACF,CAAC;IAEF,0CAA0C;IAC1C,IAAI,gBAAgB,GAAQ,EAAE,CAAC;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,cAAc,GAAG;QACrB,GAAG,gBAAgB;QACnB,WAAW,EAAE;YACX,GAAG,gBAAgB,CAAC,WAAW;YAC/B,KAAK,EAAE;gBACL,GAAG,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK;aACxC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SACpD;KACF,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,2BAA2B,CAAC,CAAC;IAEzE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgCb,CAAC,CAAC;AACH,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwhBA,oBAyLC;AAjtBD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAOzB,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6gBrB,CAAC;AAEK,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;IAE7D,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEvD,iDAAiD;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,oDAAoD;QACpD,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,oBAAoB,CAAC,CAAC;QACpF,IAAI,cAAc,GAAG,aAAa,CAAC;QAEnC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAC7D,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG;YACnB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,EAAE;YACZ,oBAAoB,EAAE,EAAE;YACxB,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,CAAC;SACd,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG;QACzB,WAAW,EAAE;YACX,KAAK,EAAE;gBACL,eAAe;gBACf,YAAY;gBACZ,aAAa;gBACb,YAAY;gBACZ,cAAc;gBACd,sBAAsB;gBACtB,8BAA8B;gBAC9B,cAAc;gBACd,sBAAsB;gBACtB,iBAAiB;gBACjB,cAAc;gBACd,aAAa;gBACb,kBAAkB;gBAClB,mBAAmB;gBACnB,kBAAkB;aACnB;SACF;KACF,CAAC;IAEF,0CAA0C;IAC1C,IAAI,gBAAgB,GAAQ,EAAE,CAAC;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,cAAc,GAAG;QACrB,GAAG,gBAAgB;QACnB,WAAW,EAAE;YACX,GAAG,gBAAgB,CAAC,WAAW;YAC/B,KAAK,EAAE;gBACL,GAAG,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK;aACxC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SACpD;KACF,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,2BAA2B,CAAC,CAAC;IAEzE,oBAAoB;IACpB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,aAAa,GAAG;QACpB,qBAAqB;QACrB,kBAAkB;QAClB,oBAAoB;QACpB,qBAAqB;QACrB,cAAc;QACd,cAAc;KACf,CAAC;IAEF,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAE3D,KAAK,MAAM,SAAS,IAAI,aAAa,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEnD,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAChD,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+Bb,CAAC,CAAC;AACH,CAAC"}

package/dist/prompts/coverme-command.md

@@ -1,6 +1,6 @@
-# CoverMe - Ultimate AI Security Scanner
+# CoverMe - AI Security Scanner with Subagents
 
-The most comprehensive AI-powered code scanner. 22 specialized agents + validators.
+Comprehensive security scanner using 6 specialized subagents.
 
 $ARGUMENTS
 
@@ -9,310 +9,179 @@ $ARGUMENTS
 1. **DO NOT ASK ANY QUESTIONS** - Run autonomously
 2. **DO NOT STOP FOR CONFIRMATION** - Keep going
 3. **COMPLETE EVERYTHING** - All phases without interruption
-4. **AGENTS WRITE TO FILES** - Each agent writes results to `.coverme/agents/{ID}.json`
-5. **AGENTS RETURN ONLY "done" or "skipped"** - Never return findings in response
 
 ---
 
 ## Phase 0: Setup
 
+Create output directory:
 ```bash
-mkdir -p .coverme/agents
-rm -f .coverme/agents/*.json 2>/dev/null
+mkdir -p .coverme
 ```
 
 Get project stats:
 ```bash
 FILES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | wc -l | tr -d ' ')
-LINES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/dist/*" 2>/dev/null | head -50 | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')
-echo "Files: $FILES, Lines: ~$LINES"
+echo "Files to scan: $FILES"
 ```
 
----
+Record start time:
+```bash
+START_TIME=$(date +%s)
+```
 
-## Phase 1: Launch 22 Agents (parallel, background)
+---
 
-**CRITICAL**: Each agent MUST:
-1. Scan the codebase for its specific issues
-2. Write findings to `.coverme/agents/{PREFIX}.json`
-3. Return ONLY the word "done" or "skipped" - NOTHING ELSE
+## Phase 1: Launch 4 Scanning Subagents (Parallel)
 
-Launch ALL with `run_in_background: true`:
+Launch these 4 subagents IN PARALLEL using Task tool with `run_in_background: true`:
 
-### Agent 1: SEC - Security Core
-```
-Scan for: SQL injection, XSS, command injection, SSTI, hardcoded secrets, weak crypto.
-Write to .coverme/agents/SEC.json:
-[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"...","line":N,"description":"...","recommendation":"..."}]
-Return ONLY: "done" or "skipped"
+### Subagent 1: Security Scanner
 ```
+Use the coverme-security subagent to scan for:
+- Injection attacks (SQL, XSS, command injection)
+- Authentication flaws (JWT, session, OAuth)
+- API security issues (CORS, rate limiting, validation)
+- Data exposure (PII, secrets, encryption)
+- Database vulnerabilities
+- AI/LLM security (if applicable)
 
-### Agent 2: AUTH - Authentication
-```
-Scan for: JWT issues, session problems, OAuth flaws, weak passwords, missing MFA.
-Write to .coverme/agents/AUTH.json
-Return ONLY: "done" or "skipped"
+Return findings as JSON array.
 ```
 
-### Agent 3: API - API Security
-```
-Scan for: CORS issues, rate limiting, input validation, mass assignment, GraphQL issues.
-Write to .coverme/agents/API.json
-Return ONLY: "done" or "skipped"
+### Subagent 2: Infrastructure Scanner
 ```
+Use the coverme-infra subagent to scan for:
+- Docker security issues
+- Kubernetes/Helm misconfigurations
+- CI/CD security gaps
+- Redis/cache vulnerabilities (if applicable)
+- Architecture security
+- Enclave/TEE issues (if applicable)
 
-### Agent 4: INFRA - Infrastructure
-```
-Scan for: Docker issues, K8s misconfig, CI/CD secrets, cloud misconfig.
-Write to .coverme/agents/INFRA.json
-Return ONLY: "done" or "skipped"
+Return findings as JSON array.
 ```
 
-### Agent 5: DATA - Data & Privacy
-```
-Scan for: PII exposure, GDPR issues, unencrypted data, secrets in code.
-Write to .coverme/agents/DATA.json
-Return ONLY: "done" or "skipped"
+### Subagent 3: Quality Scanner
 ```
+Use the coverme-quality subagent to scan for:
+- Code quality issues (complexity, dead code)
+- Performance problems (N+1, ReDoS, memory leaks)
+- Testing gaps (coverage, CI/CD)
 
-### Agent 6: AI - AI/LLM Security
-```
-FIRST: Check if AI code exists (openai, anthropic, langchain, etc.)
-If no AI code: Write {"skipped":true} and return "skipped"
-If AI code: Scan for prompt injection, data leakage, output validation.
-Write to .coverme/agents/AI.json
-Return ONLY: "done" or "skipped"
+Return findings as JSON array.
 ```
 
-### Agent 7: PERF - Performance & DoS
-```
-Scan for: ReDoS, N+1 queries, memory leaks, unbounded operations.
-Write to .coverme/agents/PERF.json
-Return ONLY: "done" or "skipped"
+### Subagent 4: Business Logic Scanner
 ```
+Use the coverme-business subagent to scan for:
+- Race conditions and TOCTOU
+- Workflow bypass vulnerabilities
+- PII handling issues
+- Resilience gaps (timeouts, circuit breakers)
 
-### Agent 8: BIZ - Business Logic
-```
-Scan for: Race conditions, TOCTOU, workflow bypass, financial issues.
-Write to .coverme/agents/BIZ.json
-Return ONLY: "done" or "skipped"
+Return findings as JSON array.
 ```
 
-### Agent 9: QUAL - Code Quality
-```
-Scan for: High complexity, dead code, error swallowing, anti-patterns.
-Write to .coverme/agents/QUAL.json
-Return ONLY: "done" or "skipped"
-```
+---
 
-### Agent 10: TEST - Testing
-```
-Scan for: Missing tests on critical paths, mocked security, no E2E.
-Write to .coverme/agents/TEST.json
-Return ONLY: "done" or "skipped"
-```
+## Phase 2: Wait and Collect Results
 
-### Agent 11: REDIS - Cache Security
-```
-FIRST: Check if Redis/cache code exists.
-If not: Write {"skipped":true} and return "skipped"
-If yes: Scan for dangerous commands, auth issues, race conditions.
-Write to .coverme/agents/REDIS.json
-Return ONLY: "done" or "skipped"
-```
+Wait for ALL 4 background subagents using `AgentOutputTool`.
 
-### Agent 12: RESIL - Resilience
-```
-Scan for: Missing circuit breakers, no timeouts, no retries, no fallbacks.
-Write to .coverme/agents/RESIL.json
-Return ONLY: "done" or "skipped"
-```
+Collect all findings into a single array.
 
-### Agent 13: PII - PII Scanner
-```
-Scan for: PII in logs, PII in URLs, unencrypted PII, missing GDPR controls.
-Write to .coverme/agents/PII.json
-Return ONLY: "done" or "skipped"
-```
+---
 
-### Agent 14: DEAD - Dead Code
-```
-Scan for: Unused functions, unused deps, commented code, TODO/FIXME.
-Write to .coverme/agents/DEAD.json
-Return ONLY: "done" or "skipped"
-```
+## Phase 3: Validation
 
-### Agent 15: DB - Database Security
-```
-Scan for: SQL injection, NoSQL injection, missing RLS, exposed connections.
-Write to .coverme/agents/DB.json
-Return ONLY: "done" or "skipped"
-```
+Launch the validator subagent (foreground):
 
-### Agent 16: ARCH - Architecture
-```
-Scan for: Internal endpoints exposed, missing mTLS, network issues.
-Write to .coverme/agents/ARCH.json
-Return ONLY: "done" or "skipped"
 ```
+Use the coverme-validator subagent to validate these findings:
+[paste the combined findings array]
 
-### Agent 17: DESIGN - Design Decisions
-```
-Find documented design decisions that might look like bugs (intentional patterns).
-Write to .coverme/agents/DESIGN.json
-Return ONLY: "done" or "skipped"
+Remove false positives and identify design decisions.
+Return validation results.
 ```
 
-### Agent 18: CTX - Context Validator
-```
-For critical findings from other agents, check deployment context.
-Write to .coverme/agents/CTX.json
-Return ONLY: "done" or "skipped"
-```
+Filter the findings based on validation results:
+- Remove findings marked as falsePositives
+- Keep only confirmed findings
+- Note design decisions for context
 
-### Agent 19: ENC - Enclave Security
-```
-FIRST: Check if enclave/TEE code exists.
-If not: Write {"skipped":true} and return "skipped"
-If yes: Scan for attestation issues.
-Write to .coverme/agents/ENC.json
-Return ONLY: "done" or "skipped"
-```
+---
 
-### Agent 20: EXEC - Executive Summary
-```
-Generate a comprehensive executive summary:
-
-1. Analyze the project:
-   - Read package.json for stack info
-   - Run `ls -d */ | grep -v node_modules` for key components
-   - Determine architecture type (Monolith/Microservices/Serverless)
-
-2. Calculate risk level:
-   - CRITICAL: Any critical findings
-   - HIGH: No critical but has high findings
-   - MEDIUM: Only medium/low findings
-   - LOW: Few or no findings
-
-3. Write professional summary:
-   - headline: "X Critical + Y High findings - brief assessment"
-   - overview: 2-3 sentences for leadership (architecture + posture + main risks)
-   - topRisks: Top 3-5 specific risks with technical detail
-   - topPriorities: Top 3-5 things to fix with finding IDs
-
-Write to .coverme/agents/EXEC.json:
-{
-  "projectOverview": {
-    "name": "...",
-    "type": "Web Application|API|CLI|Library",
-    "stack": ["Node.js", "TypeScript", ...],
-    "purpose": "What this project does",
-    "architecture": "Monolith|Microservices|Serverless",
-    "keyComponents": ["backend/", "frontend/", ...]
-  },
-  "executiveSummary": {
-    "headline": "...",
-    "riskLevel": "CRITICAL|HIGH|MEDIUM|LOW",
-    "overview": "...",
-    "topRisks": ["...", "...", "..."],
-    "topPriorities": ["...", "...", "..."]
-  }
-}
-Return ONLY: "done"
-```
+## Phase 4: Executive Summary
 
-### Agent 21: DUP - Duplicate Finder
-```
-Find existing solutions in codebase that could fix other findings.
-Write to .coverme/agents/DUP.json
-Return ONLY: "done" or "skipped"
-```
+Launch the executive subagent (foreground):
 
-### Agent 22: POSITIVE - Good Patterns
-```
-Find positive security patterns and good practices in the codebase.
-Write to .coverme/agents/POSITIVE.json
-Return ONLY: "done"
 ```
+Use the coverme-executive subagent to:
+1. Analyze the project structure
+2. Review these validated findings: [paste findings]
+3. Generate executive summary with risk level and priorities
+4. Identify positive security patterns
 
----
-
-## Phase 2: Wait for Agents
-
-Wait for ALL background agents using `AgentOutputTool`.
-Each should return only "done" or "skipped".
+Return the complete summary.
+```
 
 ---
 
-## Phase 3: Aggregate Results
-
-Read all agent files and merge:
+## Phase 5: Generate scan.json
 
+Calculate scan duration:
 ```bash
-echo "Aggregating results..."
-ls -la .coverme/agents/
+END_TIME=$(date +%s)
+DURATION=$((END_TIME - START_TIME))
+echo "Scan took ${DURATION}s"
 ```
 
-Use the Read tool to read each `.coverme/agents/*.json` file.
-
-**ALSO**: Analyze the project structure to gather:
-- Run `ls -d */ 2>/dev/null | grep -v node_modules | grep -v dist | grep -v .git` to get key components
-- Read `package.json` to get the tech stack
-- Count the actual scan duration
+Write `.coverme/scan.json` with this **COMPLETE** structure:
 
-Merge all findings into `.coverme/scan.json` with this **COMPLETE** structure:
 ```json
 {
   "projectName": "project-name",
   "scanDate": "2026-02-18T12:00:00Z",
   "filesScanned": 1234,
   "linesOfCode": 56789,
-  "scanDuration": "5m 30s",
-  "agentsUsed": ["SEC", "AUTH", "API", "INFRA", "DATA", "AI", "PERF", "BIZ", "QUAL", "TEST", "REDIS", "RESIL", "PII", "DEAD", "DB", "ARCH", "DESIGN", "CTX", "ENC", "EXEC", "DUP", "POSITIVE"],
+  "scanDuration": "2m 30s",
+  "agentsUsed": ["coverme-security", "coverme-infra", "coverme-quality", "coverme-business", "coverme-validator", "coverme-executive"],
 
   "projectOverview": {
     "name": "project-name",
     "type": "Web Application",
-    "stack": ["Node.js", "TypeScript", "React", "PostgreSQL"],
-    "purpose": "Brief 1-2 sentence description of what this project does",
-    "architecture": "Monolith | Microservices | Serverless",
-    "keyComponents": ["backend/", "frontend/", "services/", "chart/"]
+    "stack": ["Node.js", "TypeScript", "React"],
+    "purpose": "Brief description",
+    "architecture": "Monolith | Microservices",
+    "keyComponents": ["backend/", "frontend/", "services/"]
   },
 
   "executiveSummary": {
     "headline": "X Critical + Y High findings require attention",
     "riskLevel": "CRITICAL | HIGH | MEDIUM | LOW",
-    "overview": "A 2-3 sentence executive summary of the security posture. Example: 'This is a Node.js/React application with strong authentication patterns. The main risks are hardcoded secrets in Helm values and missing test coverage. No critical vulnerabilities in application code.'",
-    "topRisks": [
-      "Risk 1 with specific technical detail",
-      "Risk 2 with specific technical detail",
-      "Risk 3 with specific technical detail"
-    ],
-    "topPriorities": [
-      "Priority 1: What to fix first (FINDING-ID)",
-      "Priority 2: What to fix second (FINDING-ID)",
-      "Priority 3: What to fix third (FINDING-ID)"
-    ]
+    "overview": "2-3 sentence executive summary.",
+    "topRisks": ["Risk 1", "Risk 2", "Risk 3"],
+    "topPriorities": ["Priority 1 (ID)", "Priority 2 (ID)"]
   },
 
   "findings": [
     {
       "id": "SEC-001",
-      "title": "Descriptive title of the issue",
+      "title": "Issue title",
       "severity": "critical|high|medium|low",
-      "category": "security|infrastructure|quality|performance",
+      "category": "security|infrastructure|quality|business-logic",
       "file": "path/to/file.ts",
       "line": 123,
-      "description": "Detailed description of the vulnerability",
-      "recommendation": "Specific actionable fix",
+      "description": "Detailed description",
+      "recommendation": "How to fix",
       "confidence": 0.95
     }
   ],
 
   "positiveObservations": [
-    "Good pattern 1 with specific evidence (e.g., 'Rate limiting on /api/chat endpoints')",
-    "Good pattern 2 with specific evidence",
-    "Good pattern 3 with specific evidence"
+    "Good pattern 1",
+    "Good pattern 2"
   ],
 
   "summary": {
@@ -325,11 +194,11 @@ Merge all findings into `.coverme/scan.json` with this **COMPLETE** structure:
 }
 ```
 
-**IMPORTANT**: All fields are REQUIRED. Do not skip any field.
+**ALL FIELDS ARE REQUIRED.**
 
 ---
 
-## Phase 4: Generate Report
+## Phase 6: Generate HTML Report
 
 ```bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
@@ -341,4 +210,4 @@ open ".coverme/report_$TIMESTAMP.html"
 
 ## DONE
 
-Tell user: "Scan complete! Report opened."
+Tell user: "Scan complete! Found X critical, Y high, Z medium issues. Report opened."

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.7.1",
+  "version": "1.8.0",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [
@@ -13,7 +13,7 @@
     "vibecode-tracker": "./dist/cli/index.js"
   },
   "scripts": {
-    "build": "tsc && cp -r src/templates dist/ && cp -r src/prompts dist/",
+    "build": "tsc && cp -r src/templates dist/ && cp -r src/prompts dist/ && cp -r src/agents dist/",
     "dev": "ts-node src/cli/index.ts",
     "test": "vitest",
     "prepublishOnly": "npm run build"