coverme-scanner 4.0.0 → 4.0.1

package/dist/prompts/coverme-command.md

@@ -1,1301 +1,612 @@
-# CoverMe Security Scanner v2
+# CoverMe - Ultimate AI Security Scanner v4.0
 
-You are a **senior security consultant** with 15+ years of experience performing comprehensive security assessments for Fortune 500 companies.
+The most comprehensive AI-powered code scanner. **33 specialized agents** including 9 AI-code-specific detectors + adversarial review.
 
-**Mission**: Find security vulnerabilities, quality issues, and architectural problems that others miss. Your reputation depends on finding what automated scanners cannot.
+$ARGUMENTS
 
-**Ultrathink** - Analyze deeply, read actual code, trace data flows, think like an attacker, profile performance hotspots.
+## CRITICAL INSTRUCTIONS
 
-## ROI: Human vs Claude Code
-
-For every finding, include estimated fix time comparison:
-
-```json
-"estimatedEffort": {
-  "human": "4-6 hours (research, implement, test, deploy)",
-  "claudeCode": "15-20 minutes (automated detection, code generation, test creation)",
-  "roi": "18x faster with Claude Code"
-}
-```
-
-**Why this matters**:
-- Shows tangible value to developers and managers
-- Highlights Claude Code's ability to accelerate fix implementation
-- Quantifies ROI on security investment
-
-**Time estimates guide**:
-- **Quick fixes**: Human 30min-2h, Claude Code 5-10min (5-12x faster)
-- **Moderate fixes**: Human 4-6h, Claude Code 15-30min (12-18x faster)
-- **Complex fixes**: Human 1-2 days, Claude Code 1-2h (8-16x faster)
+1. **DO NOT ASK ANY QUESTIONS** - Run autonomously
+2. **DO NOT STOP FOR CONFIRMATION** - Keep going
+3. **COMPLETE EVERYTHING** - All phases without interruption
+4. **AGENTS WRITE TO FILES** - Each agent writes results to `.coverme/agents/{ID}.json`
+5. **AGENTS RETURN ONLY "done" or "skipped"** - Never return findings in response
 
 ---
 
-## PHASE 1: DISCOVERY & CONTEXT
-
-### Step 1: Understand the Project
+## Phase 0: Setup
 
 ```bash
-mkdir -p .coverme
-
-# Project structure
-ls -la
-find . -maxdepth 2 -type d -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | head -40
-
-# Count files
-find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.tsx" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | wc -l
-
-# Tech stack
-cat package.json 2>/dev/null | head -50
-cat requirements.txt 2>/dev/null | head -30
-cat go.mod 2>/dev/null | head -30
+mkdir -p .coverme/agents
+rm -f .coverme/agents/*.json 2>/dev/null
 ```
 
-### Step 2: Map Critical Assets
-
+Get project stats:
 ```bash
-# Authentication & Authorization
-find . -type f \( -name "*auth*" -o -name "*session*" -o -name "*jwt*" -o -name "*login*" -o -name "*oauth*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -20
+FILES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" \) -not -path "*/node_modules/*" -not -path "*/.git/*" -not -path "*/dist/*" 2>/dev/null | wc -l | tr -d ' ')
+LINES=$(find . -type f \( -name "*.ts" -o -name "*.js" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/dist/*" 2>/dev/null | head -50 | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}')
+echo "Files: $FILES, Lines: ~$LINES"
+```
 
-# API Routes & Controllers
-find . -type f \( -name "*route*" -o -name "*controller*" -o -name "*api*" -o -name "*endpoint*" -o -name "*handler*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -20
+---
 
-# Database & Data Access
-find . -type f \( -name "*model*" -o -name "*repository*" -o -name "*db*" -o -name "*database*" -o -name "*query*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -20
+## Phase 1: Launch 33 Agents (parallel, background)
 
-# Security Middleware
-find . -type f \( -name "*middleware*" -o -name "*guard*" -o -name "*interceptor*" -o -name "*validator*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -15
+**CRITICAL**: Each agent MUST:
+1. Scan the codebase for its specific issues
+2. Write findings to `.coverme/agents/{PREFIX}.json`
+3. Return ONLY the word "done" or "skipped" - NOTHING ELSE
 
-# Config, Secrets, Environment
-find . -type f \( -name "*.env*" -o -name "*secret*" -o -name "*config*" -o -name "*credential*" -o -name "*key*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -20
+Launch ALL with `run_in_background: true`:
 
-# Infrastructure & Deployment
-find . -type f \( -name "Dockerfile*" -o -name "docker-compose*" -o -name "*.yaml" -o -name "*.yml" -o -name "*helm*" \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -25
+### Agent 1: SEC - Security Core
 ```
-
-### Step 3: Check for Previous Scan
-
-```bash
-cat .coverme/scan.json 2>/dev/null | head -100 || echo "NO_PREVIOUS_SCAN"
+Scan for: SQL injection, XSS, command injection, SSTI, hardcoded secrets, weak crypto.
+Write to .coverme/agents/SEC.json:
+[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"...","line":N,"description":"...","recommendation":"..."}]
+Return ONLY: "done" or "skipped"
 ```
 
----
-
-## PHASE 2: DEEP ANALYSIS
-
-**Read the critical files you found.** For each category, actively search for issues:
-
-### 1. SECURITY ISSUES
-
-#### 1.1 Injection Attacks
-- **SQL Injection**: String concatenation in queries, template literals with user input
-  ```bash
-  grep -r "query.*\`.*\$\{" --include="*.ts" --include="*.js" src/
-  grep -r "execute.*+.*req\." --include="*.ts" src/
-  ```
-- **NoSQL Injection**: Unvalidated MongoDB queries, Redis commands with user input
-- **Command Injection**: User input in exec(), spawn(), system calls
-  ```bash
-  grep -r "exec\(.*req\." --include="*.ts" --include="*.js" src/
-  grep -r "spawn.*\`.*\$\{" --include="*.ts" src/
-  ```
-  **CRITICAL**: Config files are NOT safe! Check if model names, paths, or commands from config files are validated
-- **Path Traversal**: User input in file paths, missing path normalization
-- **SSRF**: User-controlled URLs, unvalidated webhook endpoints
-- **Template Injection**: Server-side template rendering with user input
-- **XSS**: dangerouslySetInnerHTML, innerHTML, eval() with user data
-
-#### 1.2 Authentication & Session Management
-- **Hardcoded Credentials**: Check ENTIRE git history!
-  ```bash
-  # Check if secrets are tracked
-  git ls-files | grep -E "secret|credential|\.env$"
-
-  # Check git HISTORY (even if removed now!)
-  git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
-  git log --all -p -S "AWS_SECRET" --source --all | head -100
-  ```
-- **JWT Vulnerabilities**: 'none' algorithm accepted, weak secrets, missing validation
-  ```bash
-  grep -r "algorithm.*none" --include="*.ts" --include="*.js" src/
-  grep -r "jwt.verify.*algorithm" --include="*.ts" src/
-  ```
-- **Session Fixation**: Session ID not regenerated after login
-- **Weak Password Storage**: MD5, SHA1, plaintext passwords
-- **Missing Rate Limiting**: No protection on auth endpoints
-- **OAuth Misconfiguration**: Insecure redirect_uri, state parameter issues
-
-#### 1.3 Authorization Issues
-- **IDOR** (Insecure Direct Object References): User can access others' data
-  ```bash
-  # Look for direct ID usage without auth check
-  grep -r "findById.*req\.params" --include="*.ts" --include="*.js" src/
-  ```
-- **Missing Authorization Checks**: Endpoints accessible without proper roles
-- **Privilege Escalation**: Paths to gain higher privileges
-
-#### 1.4 Cryptography
-- **Weak Algorithms**: MD5, SHA1 for passwords, DES, RC4
-  ```bash
-  grep -r "createHash.*md5\|createHash.*sha1" --include="*.ts" --include="*.js" src/
-  ```
-- **Hardcoded Keys**: Encryption keys in code
-- **Weak Random**: Math.random() for security tokens
-- **ECB Mode**: Insecure block cipher mode
-
-#### 1.5 Sensitive Data Exposure
-- **API Keys in Code**: Check git history!
-- **Secrets in Logs**: Password, tokens logged
-  ```bash
-  grep -r "console.log.*password\|logger.*token" --include="*.ts" src/
-  ```
-- **Error Details Leaked**: Stack traces, internal paths in responses
-- **PII in URLs**: Personal data in query strings
-
-#### 1.6 Security Misconfiguration
-- **Debug Mode in Production**: Debug flags, verbose errors
-- **Default Credentials**: Unchanged defaults
-- **Missing Security Headers**: CSP, HSTS, X-Frame-Options
-  ```bash
-  grep -r "helmet\(\)" --include="*.ts" --include="*.js" src/
-  # If helmet() has no config, report as MEDIUM
-  ```
-- **CORS Misconfiguration**: origin: '*' or reflecting any origin
-  ```bash
-  grep -r "Access-Control-Allow-Origin.*\*\|Access-Control-Allow-Origin.*req\.headers\.origin" --include="*.ts" src/
-  ```
-
-#### 1.7 Race Conditions & Business Logic
-- **TOCTOU** (Time-of-check Time-of-use): Non-atomic check-then-act
-- **Double Spend**: Credits/tokens deducted after use instead of before
-- **Quota Bypass**: Race conditions in rate limiting
-- **Workflow Bypass**: Steps can be skipped
-
-### 2. QUALITY ISSUES (CRITICAL!)
-
-#### 2.1 Silent Failures - **YOUR TOP PRIORITY**
-
-Silent failures are **CRITICAL** because they hide production bugs. Search aggressively:
-
-**Pattern 1: Empty catch blocks**
-```bash
-grep -r "catch.*{[\s]*}" --include="*.ts" --include="*.js" src/
-grep -r "catch.*{\s*//.*\s*}" --include="*.ts" src/
+### Agent 2: AUTH - Authentication
 ```
-
-**Pattern 2: Catch with only console.log**
-```bash
-grep -r "catch.*{[\s]*console\." --include="*.ts" --include="*.js" src/
+Scan for: JWT issues, session problems, OAuth flaws, weak passwords, missing MFA.
+Write to .coverme/agents/AUTH.json
+Return ONLY: "done" or "skipped"
 ```
 
-**Pattern 3: Silent fallbacks**
-```bash
-grep -r "catch.*return \[\]" --include="*.ts" --include="*.js" src/
-grep -r "catch.*return \{\}" --include="*.ts" src/
-grep -r "catch.*return null" --include="*.ts" src/
-grep -r "catch.*return ''" --include="*.ts" src/
+### Agent 3: API - API Security
 ```
-
-**Pattern 4: .catch() with no action**
-```bash
-grep -r "\.catch\(\s*\(\)\s*=>" --include="*.ts" --include="*.js" src/
-grep -r "\.catch\(console\." --include="*.ts" src/
+Scan for: CORS issues, rate limiting, input validation, mass assignment, GraphQL issues.
+Write to .coverme/agents/API.json
+Return ONLY: "done" or "skipped"
 ```
 
-**Examples**:
-```javascript
-// CRITICAL - payment error hidden!
-try {
-  await chargeCard(amount);
-} catch (e) {
-  console.error(e); // Logs but continues to "success" response!
-}
-res.json({ success: true }); // Customer charged $0!
-
-// CRITICAL - authentication bypass
-try {
-  const user = await authenticate(token);
-} catch {
-  // Silent! Attacker can proceed unauthenticated
-}
-
-// CRITICAL - data corruption
-const data = parseData() || []; // Parse error becomes empty array!
+### Agent 4: INFRA - Infrastructure
 ```
-
-#### 2.2 Dead Code Detection
-
-**Strategy**: Build mental call graph, find orphans
-
-```bash
-# Find all exports
-grep -r "export " --include="*.ts" --include="*.js" src/ | cut -d: -f1 | sort -u
-
-# For suspicious files, verify they're imported
-grep -r "import.*from.*filename" --include="*.ts" --include="*.js" src/
+Scan for: Docker issues, K8s misconfig, CI/CD secrets, cloud misconfig.
+Write to .coverme/agents/INFRA.json
+Return ONLY: "done" or "skipped"
 ```
 
-**Check**:
-- Functions with 0 callers (trace usage)
-- Files never imported
-- React components not in any route
-- API endpoints with no frontend calls
-- Event handlers for events never emitted
-- Code behind `if (false)` or `if (0)`
-- Feature flags always false
+### Agent 5: DATA - Data & Privacy
+```
+Scan for: PII exposure, GDPR issues, unencrypted data.
+Write to .coverme/agents/DATA.json
+Return ONLY: "done" or "skipped"
+```
 
-#### 2.3 Code Duplication
+### Agent 5b: SECRETS - Smart Credentials Analysis
+```
+Scan for credentials/secrets WITH CONTEXT ANALYSIS:
+
+1. **Find all potential secrets**: API keys, tokens, passwords, connection strings
+
+2. **For EACH secret found, analyze context**:
+   - Is it in .env file? Check if .env is in .gitignore
+   - Is it a sandbox/test/playground key? (look for prefixes: sk_test_, sandbox_, demo_, etc.)
+   - Is the domain a test domain? (localhost, *.test, staging.*, sandbox.*)
+   - Is there a .env.example suggesting this is dev setup?
+   - Is the secret expired? (look for expiry dates, old timestamps)
+   - Is it in a test file?
+
+3. **Rate severity based on context**:
+   - CRITICAL: Production secret in code, not in .env, not gitignored
+   - HIGH: Real credentials but only in .env (still bad if committed)
+   - MEDIUM: Sandbox/test credentials (may still expire and break things)
+   - LOW: Demo/example credentials clearly marked as such
+   - INFO: Placeholder values like "your-api-key-here"
+
+4. **Smart recommendations**:
+   - If sandbox key: "Sandbox key detected. Consider rotating if published to repo. Current risk: LOW"
+   - If .env is gitignored: "Secret properly isolated in .env. Verify .env is not committed to git history"
+   - If expired: "Key may be expired (created > 1 year ago). Test and rotate"
+
+Write to .coverme/agents/SECRETS.json with:
+[{"id":"SECRETS-001","title":"AWS credentials in .env","severity":"medium","file":".env","line":5,"context":{"inGitignore":true,"isPlayground":true,"hasEnvExample":true},"recommendation":"Sandbox credentials properly isolated. Consider rotation schedule."}]
+
+Return ONLY: "done" or "skipped"
+```
 
-**Active search**:
-```bash
-# Similar function names
-grep -r "function validate" --include="*.ts" --include="*.js" src/
-grep -r "function format" --include="*.ts" src/
-grep -r "function handle" --include="*.ts" src/
+### Agent 6: AI - AI/LLM Security
+```
+FIRST: Check if AI code exists (openai, anthropic, langchain, etc.)
+If no AI code: Write {"skipped":true} and return "skipped"
+If AI code: Scan for prompt injection, data leakage, output validation.
+Write to .coverme/agents/AI.json
+Return ONLY: "done" or "skipped"
+```
 
-# Repeated patterns
-grep -r "new Date.*getMonth" --include="*.ts" src/
-grep -r "JSON.parse\|JSON.stringify" --include="*.ts" src/
+### Agent 7: PERF - Performance & DoS
+```
+Scan for: ReDoS, N+1 queries, memory leaks, unbounded operations.
+Write to .coverme/agents/PERF.json
+Return ONLY: "done" or "skipped"
 ```
 
-Report ALL locations, not just first two!
+### Agent 8: BIZ - Business Logic
+```
+Scan for: Race conditions, TOCTOU, workflow bypass, financial issues.
+Write to .coverme/agents/BIZ.json
+Return ONLY: "done" or "skipped"
+```
 
-### 3. ARCHITECTURE ISSUES
+### Agent 9: QUAL - Code Quality
+```
+Scan for: High complexity, dead code, anti-patterns.
+Write to .coverme/agents/QUAL.json
+Return ONLY: "done" or "skipped"
+```
 
-#### 3.1 Layer Violations
-- Controllers importing database directly (should go through services)
-- UI components making DB queries
-- Domain logic depending on infrastructure
+### Agent 9b: SILENT - Silent Failures (CRITICAL)
+```
+Scan SPECIFICALLY for silent error handling patterns:
+
+1. **Empty catch blocks**: catch(e) {} or catch { }
+2. **Swallowed errors**: catch(e) { console.log(e) } without rethrow
+3. **Silent fallbacks**: catch(e) { return null } or catch => defaultValue
+4. **Optional chaining abuse**: data?.field?.value without fallback handling
+5. **Nullish coalescing hiding errors**: value ?? {} or value || []
+6. **Promise swallowing**: .catch(() => {}) or .catch(() => null)
+7. **Try without meaningful catch**: try { ... } catch { /* ignore */ }
+8. **Default returns in catch**: catch(e) { return [] } hiding failures
+9. **Logging without action**: catch(e) { logger.error(e); return default }
+10. **Conditional silent fails**: if (!result) return; without error
+
+For EACH finding, rate severity:
+- CRITICAL: Payment/auth/security code with silent failure
+- HIGH: Data operations that silently return empty/default
+- MEDIUM: API calls that swallow errors
+- LOW: Non-critical utility functions
+
+Write to .coverme/agents/SILENT.json with format:
+[{"id":"SILENT-001","title":"Silent failure in payment processing","severity":"critical","file":"src/payments/charge.ts","line":45,"code":"catch(e) { return { success: false } }","impact":"Payment failures go undetected","recommendation":"Throw PaymentError and alert on-call"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-```bash
-# Bad: Controller -> DB (should be Controller -> Service -> Repo -> DB)
-grep -r "import.*database\|import.*db" src/controllers/ src/routes/
-```
-
-#### 3.2 Dependency Issues
-- Circular dependencies
-  ```bash
-  # Find potential circular deps
-  find src/ -name "*.ts" -exec sh -c 'echo "=== {} ===" && grep -o "from ['\''\"]\.[^'\''\"]*" {}' \;
-  ```
-- Missing dependency injection
-- God modules (doing everything)
-
-#### 3.3 Scalability Concerns
-- State stored in memory (not horizontally scalable)
-- Missing queue for long-running tasks
-- No caching strategy
-- Synchronous operations that should be async
-
-### 4. PERFORMANCE ISSUES
-
-#### 4.1 Database Performance
-- **N+1 Queries** - THE MOST COMMON ISSUE!
-  ```javascript
-  // BAD: N+1
-  const users = await User.findAll();
-  for (const user of users) {
-    user.posts = await Post.find({ userId: user.id }); // N queries!
-  }
-
-  // GOOD: Single query
-  const users = await User.findAll({ include: [Post] });
-  ```
-- Unbounded queries (no LIMIT)
-- Missing pagination
-- SELECT * instead of specific columns
-- Missing indexes
-
-#### 4.2 Memory Issues
-- Loading entire files into memory
-- Unbounded array growth
-- Missing streaming for large data
-- Memory leaks (unclosed connections, event listeners)
-
-#### 4.3 Blocking Operations
-- fs.readFileSync in production
-- Synchronous crypto operations
-- CPU-intensive work on main thread
-- Large JSON.parse
-
-#### 4.4 Network Inefficiencies
-- Sequential API calls that could be parallel
-  ```javascript
-  // BAD: Sequential
-  const user = await fetchUser();
-  const posts = await fetchPosts(); // Could be parallel!
-
-  // GOOD: Parallel
-  const [user, posts] = await Promise.all([fetchUser(), fetchPosts()]);
-  ```
-- Missing compression
-- No connection reuse
+### Agent 10: TEST - Testing
+```
+Scan for: Missing tests on critical paths, mocked security, no E2E.
+Write to .coverme/agents/TEST.json
+Return ONLY: "done" or "skipped"
+```
 
----
+### Agent 11: REDIS - Cache Security
+```
+FIRST: Check if Redis/cache code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for dangerous commands, auth issues, race conditions.
+Write to .coverme/agents/REDIS.json
+Return ONLY: "done" or "skipped"
+```
 
-## PHASE 3: GENERATE COMPREHENSIVE REPORT
+### Agent 12: RESIL - Resilience
+```
+Scan for: Missing circuit breakers, no timeouts, no retries.
+NOTE: For silent fallbacks, see Agent 9b (SILENT) which handles those specifically.
+Write to .coverme/agents/RESIL.json
+Return ONLY: "done" or "skipped"
+```
 
-Create `.coverme/scan.json` with this structure:
+### Agent 13: PII - PII Scanner
+```
+Scan for: PII in logs, PII in URLs, unencrypted PII, missing GDPR controls.
+Write to .coverme/agents/PII.json
+Return ONLY: "done" or "skipped"
+```
 
-### CRITICAL REQUIREMENT
+### Agent 14: DEAD - Dead Code
+```
+Scan for: Unused functions, unused deps, commented code, TODO/FIXME.
+Write to .coverme/agents/DEAD.json
+Return ONLY: "done" or "skipped"
+```
 
-**YOU MUST CREATE DETAILED FINDINGS!**
+### Agent 15: DB - Database Security
+```
+Scan for: SQL injection, NoSQL injection, missing RLS, exposed connections.
+Write to .coverme/agents/DB.json
+Return ONLY: "done" or "skipped"
+```
 
-The `findings` array is **MANDATORY** and must contain:
-- Full finding objects with ALL fields (not just executiveSummary.topRisks)
-- businessImpact with financial/reputation/legal/operational breakdown
-- proofOfConcept with actual exploit code
-- attackChain with step-by-step exploitation
-- quickFix vs properFix with code examples
-- testing instructions (manual + automated)
-- detection methods (commands + indicators)
-- estimatedEffort (human vs claudeCode with ROI)
+### Agent 16: ARCH - Architecture
+```
+Scan for: Internal endpoints exposed, missing mTLS, network issues.
+Write to .coverme/agents/ARCH.json
+Return ONLY: "done" or "skipped"
+```
 
-**DO NOT** create only `executiveSummary.topRisks` - you **MUST** also create full finding objects in the `findings` array!
+### Agent 17: DESIGN - Design Decisions
+```
+Find documented design decisions that might look like bugs (intentional patterns).
+Write to .coverme/agents/DESIGN.json
+Return ONLY: "done" or "skipped"
+```
 
-### Required Fields
-- `agentCount`: Always `1` (unified agent)
-- `scanDuration`: e.g., "8m 30s" or "512s"
-- `filesScanned`: Total files analyzed
-- `linesOfCode`: Total LOC
+### Agent 18: CTX - Context Validator
+```
+For critical findings from other agents, check deployment context.
+Write to .coverme/agents/CTX.json
+Return ONLY: "done" or "skipped"
+```
 
-### Report Structure
+### Agent 19: ENC - Enclave Security
+```
+FIRST: Check if enclave/TEE code exists.
+If not: Write {"skipped":true} and return "skipped"
+If yes: Scan for attestation issues.
+Write to .coverme/agents/ENC.json
+Return ONLY: "done" or "skipped"
+```
 
-```json
-{
-  "projectName": "project-name",
-  "scanDate": "2026-02-18T15:00:00Z",
-  "filesScanned": 234,
-  "linesOfCode": 62501,
-  "agentCount": 1,
-  "scanDuration": "8m 30s",
-
-  "projectTree": "project/\n├── src/\n│   ├── routes/\n│   ├── services/\n│   └── middleware/\n├── tests/\n└── package.json",
-
-  "projectOverview": {
-    "name": "Project Name",
-    "type": "Backend API | Full Stack App | Microservices",
-    "stack": ["Node.js 18", "TypeScript", "PostgreSQL", "Redis"],
-    "purpose": "What this project does in 1-2 sentences",
-    "architecture": "Monolith | Microservices | Serverless | Layered",
-    "keyComponents": ["src/routes/", "src/services/", "src/middleware/"]
-  },
-
-  "executiveSummary": {
-    "headline": "X Critical + Y High security findings, Z quality issues",
-    "riskLevel": "CRITICAL | HIGH | MEDIUM | LOW",
-    "overview": "Professional 2-3 sentence summary. Describe architecture → security posture → main concerns.",
-    "topRisks": [
-      "SQL injection in user search (src/routes/users.ts:45) - full database access",
-      "Hardcoded AWS keys in git history (commit abc123) - account compromise",
-      "Silent payment errors (src/services/payment.ts:89) - financial loss"
-    ],
-    "positives": [
-      "Post-quantum cryptography implemented (ML-KEM-768)",
-      "Proper password hashing with bcrypt cost 12",
-      "Comprehensive input validation on all API endpoints"
-    ],
-    "recommendedActions": [
-      {
-        "priority": 1,
-        "action": "Rotate AWS keys exposed in git history, move to Secrets Manager",
-        "owner": "devops",
-        "effort": "1-2 hours"
-      },
-      {
-        "priority": 2,
-        "action": "Fix SQL injection by using parameterized queries",
-        "owner": "developer",
-        "effort": "2-3 hours"
-      }
-    ]
-  },
-
-  "architectureOverview": {
-    "components": [
-      {
-        "name": "Frontend (Next.js)",
-        "type": "client",
-        "description": "React application with client-side encryption",
-        "files": ["frontend/app/", "frontend/components/"],
-        "trustLevel": "untrusted"
-      },
-      {
-        "name": "API Gateway (Express)",
-        "type": "service",
-        "description": "Authentication, rate limiting, payload routing",
-        "files": ["backend/src/routes/", "backend/src/middleware/"],
-        "trustLevel": "semi-trusted"
-      },
-      {
-        "name": "Database (PostgreSQL)",
-        "type": "database",
-        "description": "User data, sessions, application state",
-        "files": ["backend/src/models/"],
-        "trustLevel": "trusted"
-      }
-    ],
-    "trustBoundaries": [
-      {
-        "name": "TB1: Internet → Frontend",
-        "from": "Internet (Attackers)",
-        "to": "Browser Application",
-        "protocol": "HTTPS",
-        "description": "Untrusted user input enters system",
-        "type": "external"
-      },
-      {
-        "name": "TB2: Frontend → API Gateway",
-        "from": "Browser",
-        "to": "Backend API",
-        "protocol": "HTTPS + JWT",
-        "description": "Authentication boundary - JWT validation required",
-        "type": "external"
-      },
-      {
-        "name": "TB3: API Gateway → Services",
-        "from": "API Gateway",
-        "to": "Business Logic",
-        "description": "Trusted internal boundary - service layer",
-        "type": "internal"
-      }
-    ],
-    "criticalAssets": [
-      {
-        "name": "User Passwords",
-        "type": "credential",
-        "storage": "Database (bcrypt hashed)",
-        "description": "User authentication credentials - never stored plaintext",
-        "protection": "bcrypt cost 12"
-      },
-      {
-        "name": "JWT Signing Secret",
-        "type": "key",
-        "storage": "Environment variable JWT_SECRET",
-        "description": "Used to sign authentication tokens",
-        "protection": "Environment variable, rotated monthly"
-      },
-      {
-        "name": "Database Connection String",
-        "type": "credential",
-        "storage": "Environment variable DATABASE_URL",
-        "description": "PostgreSQL connection with admin privileges",
-        "protection": "Environment variable, encrypted at rest"
-      },
-      {
-        "name": "API Keys (Stripe, AWS)",
-        "type": "credential",
-        "storage": "Secrets Manager / .env",
-        "description": "Third-party service authentication",
-        "protection": "AWS Secrets Manager or gitignored .env"
-      }
-    ],
-    "entryPoints": [
-      {
-        "path": "POST /api/auth/login",
-        "authentication": "none",
-        "description": "User authentication endpoint - rate limited",
-        "riskLevel": "high"
-      },
-      {
-        "path": "GET /api/users/:id",
-        "authentication": "JWT required",
-        "description": "User profile data - authorization check required",
-        "riskLevel": "medium"
-      },
-      {
-        "path": "POST /api/payments",
-        "authentication": "JWT required",
-        "description": "Payment processing - high value target",
-        "riskLevel": "critical"
-      }
-    ],
-    "dataFlows": [
-      "Browser → HTTPS → API Gateway → JWT Validation → Service Layer → Repository → Database",
-      "Browser → File Upload → API Gateway → Virus Scan → S3 Bucket",
-      "API Gateway → External API (Stripe) → Payment Processing"
-    ]
-  },
-
-  "findings": [
-    {
-      "id": "SEC-001",
-      "title": "SQL Injection in User Search Endpoint",
-      "severity": "critical",
-      "category": "security",
-      "file": "src/routes/users.ts",
-      "line": 45,
-      "endLine": 52,
-      "code": "const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;",
-      "description": "User input from req.query.name is directly concatenated into SQL query without sanitization. An attacker can inject arbitrary SQL commands.",
-
-      "impact": "Complete database compromise. Attacker can:\n1. Extract all user data including passwords\n2. Modify or delete records\n3. Execute administrative operations\n4. Potential remote code execution via database extensions",
-
-      "businessImpact": {
-        "financial": "GDPR fine: €20M or 4% of revenue. Average data breach cost: $4.35M (IBM 2023)",
-        "reputation": "Customer trust loss: 6-12 months recovery. 65% customers leave after breach (PwC)",
-        "legal": "Class action lawsuit risk. SEC investigation if publicly traded",
-        "operational": "2-4 weeks incident response, forensics, customer notifications"
-      },
-
-      "realWorldExamples": [
-        "Equifax (2017): SQL injection → 147M records stolen → $700M settlement",
-        "TalkTalk (2015): SQL injection → 157K customers exposed → £400K fine",
-        "Your industry: 23% of companies experienced SQL injection in 2023 (Verizon DBIR)"
-      ],
-
-      "attackChain": [
-        {"step": 1, "action": "Send: GET /api/users?name=' OR '1'='1' --", "result": "Returns all users (authentication bypass)"},
-        {"step": 2, "action": "Send: name=' UNION SELECT password,email FROM admins--", "result": "Extract admin credentials"},
-        {"step": 3, "action": "Send: name='; DROP TABLE users; --", "result": "Data destruction (if permissions allow)"},
-        {"step": 4, "action": "Send: name=' INTO OUTFILE '/var/www/shell.php'--", "result": "Remote code execution"}
-      ],
-
-      "proofOfConcept": "# Test this vulnerability:\ncurl 'https://api.example.com/users?name=%27%20OR%20%271%27%3D%271' \\\n  -H 'Authorization: Bearer $TOKEN'\n\n# Expected (vulnerable): Returns all users\n# Expected (fixed): Returns 400 Bad Request",
-
-      "recommendation": "Use parameterized queries:\n\n```typescript\n// ✅ SECURE - Parameterized query\nconst query = 'SELECT * FROM users WHERE name = $1';\nconst result = await db.query(query, [req.query.name]);\n```",
-
-      "quickFix": {
-        "description": "Add input validation (1 hour)",
-        "code": "// Quick temporary fix\nconst safeName = req.query.name.replace(/[^a-zA-Z0-9 ]/g, '');\nconst query = `SELECT * FROM users WHERE name = '${safeName}'`;",
-        "limitations": "Not foolproof - still vulnerable to advanced attacks"
-      },
-
-      "properFix": {
-        "description": "Switch to parameterized queries + add WAF (1 day)",
-        "code": "// Proper fix\nconst query = 'SELECT * FROM users WHERE name = $1';\nconst result = await db.query(query, [req.query.name]);",
-        "additionalSteps": [
-          "Add input validation middleware (Joi/Zod schema)",
-          "Enable SQL injection protection in WAF (Cloudflare/AWS WAF)",
-          "Add query logging for security monitoring",
-          "Run database user with minimal privileges (not root)"
-        ]
-      },
-
-      "testing": {
-        "description": "How to verify the fix works",
-        "manual": [
-          "Test: curl 'https://api.example.com/users?name=%27%20OR%20%271%27%3D%271'",
-          "Expected: 400 Bad Request with error message",
-          "Test: curl 'https://api.example.com/users?name=John'",
-          "Expected: Returns user 'John' only"
-        ],
-        "automated": "# Add security test\ntest('should reject SQL injection attempts', async () => {\n  const response = await request(app)\n    .get('/api/users?name=\\' OR \\'1\\'=\\'1')\n    .expect(400);\n  expect(response.body.error).toContain('Invalid input');\n});"
-      },
-
-      "detection": {
-        "description": "How to check if already exploited",
-        "commands": [
-          "# Check access logs for SQL injection patterns",
-          "grep -E \"(UNION|SELECT|INSERT|DROP|--|;)\" /var/log/nginx/access.log",
-          "# Check database audit logs",
-          "SELECT * FROM pg_stat_statements WHERE query LIKE '%UNION%' OR query LIKE '%--';"
-        ],
-        "indicators": [
-          "Unusual SQL errors in application logs",
-          "Multiple failed queries from same IP",
-          "Database queries with suspicious patterns (UNION, --, ;)",
-          "Unexpected spike in database CPU usage"
-        ]
-      },
-
-      "dread": {
-        "damage": 10,
-        "reproducibility": 10,
-        "exploitability": 9,
-        "affectedUsers": 10,
-        "discoverability": 8,
-        "score": 9.4
-      },
-
-      "cwe": "CWE-89",
-      "owasp": "A03:2021-Injection",
-      "cvss": "9.8 (Critical)",
-
-      "references": [
-        "https://owasp.org/www-community/attacks/SQL_Injection",
-        "https://cwe.mitre.org/data/definitions/89.html",
-        "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
-      ],
-
-      "evidence": [
-        "Input source: req.query.name (line 44) - no validation",
-        "Sink: db.query() (line 45) - string concatenation",
-        "No sanitization between source and sink",
-        "Endpoint is publicly accessible",
-        "Database user has full privileges (checked schema)"
-      ],
-
-      "fixOwner": "developer",
-      "estimatedEffort": {
-        "human": "4-6 hours (research parameterized queries, update all SQL calls, write tests, deploy)",
-        "claudeCode": "15-20 minutes (finds all SQL concatenations, generates parameterized versions, writes tests)",
-        "roi": "18x faster with Claude Code"
-      },
-      "priority": 1
-    },
-    {
-      "id": "QUAL-001",
-      "title": "Silent Payment Error Handling - Financial Loss Risk",
-      "severity": "critical",
-      "category": "quality",
-      "file": "src/services/paymentService.ts",
-      "line": 89,
-      "endLine": 95,
-      "code": "try {\n  await stripe.charges.create(charge);\n} catch (err) {\n  console.error('Payment error:', err);\n}\nreturn { success: true };",
-
-      "description": "Payment errors are caught and logged but execution continues. The function returns success:true even when payment fails. Customer receives product without paying. This is a SILENT FAILURE - the most dangerous type of bug.",
-
-      "impact": "Direct financial loss. Orders are fulfilled without payment. Customer sees 'success' and receives product/service for $0.",
-
-      "businessImpact": {
-        "financial": "Stripe reports 3% payment failure rate. At 1000 orders/month × $50 avg = $1,500/month revenue loss = $18K/year",
-        "reputation": "Accounting discovers revenue discrepancy → loss of investor confidence",
-        "legal": "Incorrect financial reporting → potential audit/compliance issues",
-        "operational": "Manual reconciliation required to find unpaid orders"
-      },
-
-      "realWorldExamples": [
-        "Knight Capital (2012): Silent error handling → $440M loss in 45 minutes",
-        "Your scenario: Payment fails, user gets premium subscription free. Stripe dispute shows no payment.",
-        "Common pattern: 30% of payment bugs are silent failures (Sentry data 2023)"
-      ],
-
-      "attackChain": [
-        {"step": 1, "action": "User submits order for $100 product", "result": "Order processing begins"},
-        {"step": 2, "action": "Stripe payment fails (network error, card declined, etc)", "result": "Exception thrown, caught silently"},
-        {"step": 3, "action": "Code continues, returns {success: true}", "result": "User sees success message"},
-        {"step": 4, "action": "Fulfillment system processes 'successful' order", "result": "Product shipped/service activated for $0"}
-      ],
-
-      "proofOfConcept": "// Reproduce the bug:\n// 1. Set STRIPE_TEST_MODE=true\n// 2. Use test card 4000000000000341 (card declined)\n// 3. Submit order\n// 4. Observe: Payment fails but order succeeds\n\nawait fetch('/api/orders', {\n  method: 'POST',\n  body: JSON.stringify({\n    cardNumber: '4000000000000341', // Test card that declines\n    amount: 100\n  })\n});\n// Result: {success: true} even though payment failed",
-
-      "recommendation": "Rethrow error or return failure:\n\n```typescript\n// ✅ PROPER ERROR HANDLING\ntry {\n  const charge = await stripe.charges.create(chargeData);\n  await db.orders.update(orderId, { status: 'paid', chargeId: charge.id });\n  return { success: true, chargeId: charge.id };\n} catch (err) {\n  // Log with context\n  logger.error('Payment failed', { \n    orderId, \n    amount, \n    error: err.message,\n    userId \n  });\n  \n  // Update order status\n  await db.orders.update(orderId, { status: 'payment_failed' });\n  \n  // Return failure to caller\n  throw new PaymentError('Payment processing failed', { cause: err });\n}\n```",
-
-      "quickFix": {
-        "description": "Add return statement in catch (30 minutes)",
-        "code": "try {\n  await stripe.charges.create(charge);\n} catch (err) {\n  console.error('Payment error:', err);\n  return { success: false, error: 'Payment failed' }; // FIX: Return failure\n}\nreturn { success: true };",
-        "limitations": "Still loses error details, no proper logging, no order status update"
-      },
-
-      "properFix": {
-        "description": "Comprehensive error handling with transaction rollback (4 hours)",
-        "code": "async function processPayment(orderId, chargeData) {\n  const transaction = await db.transaction();\n  \n  try {\n    // 1. Charge the card\n    const charge = await stripe.charges.create(chargeData);\n    \n    // 2. Update order in transaction\n    await transaction.orders.update(orderId, { \n      status: 'paid',\n      chargeId: charge.id,\n      paidAt: new Date()\n    });\n    \n    await transaction.commit();\n    \n    return { success: true, chargeId: charge.id };\n    \n  } catch (err) {\n    // Rollback database changes\n    await transaction.rollback();\n    \n    // Structured logging\n    logger.error('Payment failed', {\n      orderId,\n      userId: chargeData.customer,\n      amount: chargeData.amount,\n      currency: chargeData.currency,\n      errorType: err.type,\n      errorMessage: err.message,\n      stripeRequestId: err.requestId\n    });\n    \n    // Update order status\n    await db.orders.update(orderId, { \n      status: 'payment_failed',\n      failureReason: err.message \n    });\n    \n    // Throw typed error\n    throw new PaymentError('Payment processing failed', { \n      cause: err,\n      orderId,\n      retryable: err.type === 'card_error'\n    });\n  }\n}",
-        "additionalSteps": [
-          "Add payment monitoring/alerting (e.g., Sentry, DataDog)",
-          "Implement dead letter queue for failed payments",
-          "Add manual reconciliation job (daily check: orders vs Stripe charges)",
-          "Create customer notification for payment failures"
-        ]
-      },
-
-      "testing": {
-        "description": "Test all error scenarios",
-        "manual": [
-          "Test 1: Use Stripe test card 4000000000000341 (card declined) → should return error",
-          "Test 2: Disable internet → should handle network error",
-          "Test 3: Invalid API key → should catch auth error",
-          "Test 4: Check database: failed orders should have status='payment_failed'"
-        ],
-        "automated": "describe('Payment error handling', () => {\n  it('should fail order when payment declines', async () => {\n    // Mock Stripe to throw error\n    stripe.charges.create.mockRejectedValue(\n      new Error('card_declined')\n    );\n    \n    await expect(\n      processPayment(orderId, chargeData)\n    ).rejects.toThrow(PaymentError);\n    \n    // Verify order status updated\n    const order = await db.orders.find(orderId);\n    expect(order.status).toBe('payment_failed');\n  });\n  \n  it('should not fulfill order on payment failure', async () => {\n    stripe.charges.create.mockRejectedValue(new Error());\n    \n    try {\n      await processPayment(orderId, chargeData);\n    } catch (err) {\n      // Expected\n    }\n    \n    const order = await db.orders.find(orderId);\n    expect(order.fulfilledAt).toBeNull();\n  });\n});"
-      },
-
-      "detection": {
-        "description": "Find orders that were fulfilled without payment",
-        "commands": [
-          "# Find orders with status='success' but no Stripe charge",
-          "SELECT * FROM orders WHERE status = 'completed' AND charge_id IS NULL;",
-          "",
-          "# Check logs for silent payment errors",
-          "grep 'Payment error' /var/log/app.log | grep -v 'PaymentError thrown'",
-          "",
-          "# Reconciliation: Compare orders vs Stripe charges",
-          "node scripts/reconcile-payments.js --date 2026-02-01"
-        ],
-        "indicators": [
-          "Orders table: status='completed' but charge_id is NULL",
-          "Stripe dashboard: Fewer charges than completed orders",
-          "Revenue mismatch: Reported revenue < Stripe deposits",
-          "Customer support: Users report being charged $0"
-        ]
-      },
-
-      "references": [
-        "https://stripe.com/docs/error-handling",
-        "https://martinfowler.com/articles/replaceThrowWithNotification.html"
-      ],
-
-      "evidence": [
-        "catch block at line 91 only logs - no rethrow, no return false",
-        "No return/throw in catch block",
-        "Success returned at line 95 regardless of payment result",
-        "No database rollback on payment failure",
-        "Checked Stripe webhook logs: confirms payment failures happen but are ignored"
-      ],
-
-      "fixOwner": "developer",
-      "estimatedEffort": {
-        "human": "4-6 hours (identify all error paths, add transaction handling, write error tests, manual reconciliation check)",
-        "claudeCode": "25-30 minutes (finds all try-catch blocks, adds proper error handling, generates test cases)",
-        "roi": "12x faster with Claude Code"
-      },
-      "priority": 1
-    }
-  ],
-
-  "qualityReview": {
-    "deleteItems": [
-      {
-        "file": "src/legacy/oldAuth.ts",
-        "lines": 450,
-        "description": "Entire file unused - no imports found in codebase"
-      }
-    ],
-    "mergeItems": [
-      {
-        "file": "src/utils/dateFormat.ts + src/helpers/formatDate.ts",
-        "description": "Identical date formatting logic in 2 files (180 lines total)"
-      }
-    ],
-    "simplifyItems": [
-      {
-        "file": "src/services/userService.ts",
-        "description": "1000+ line function should be split into smaller functions"
-      }
-    ],
-    "totalLinesRemovable": 630,
-    "percentageOfCodebase": 1.0
-  },
-
-  "positiveObservations": [
-    {
-      "title": "Proper Password Hashing",
-      "description": "Uses bcrypt with cost factor 12 in src/auth/password.ts:23. Passwords are never stored in plaintext."
-    },
-    {
-      "title": "Rate Limiting Implemented",
-      "description": "Express-rate-limit configured on all auth endpoints (src/middleware/rateLimit.ts:15) - prevents brute force."
-    },
-    {
-      "title": "Comprehensive Input Validation",
-      "description": "Joi schemas defined for all API inputs (src/validators/) - prevents injection attacks."
-    }
-  ],
-
-  "summary": {
-    "critical": 2,
-    "high": 5,
-    "medium": 8,
-    "low": 3,
-    "total": 18
-  }
-}
+### Agent 20: EXEC - Executive Summary
+```
+After scanning, generate executive summary with top risks and positives.
+Write to .coverme/agents/EXEC.json
+Return ONLY: "done"
 ```
 
-### DREAD Scoring (REQUIRED for critical/high)
+### Agent 21: DUP - Duplicate Finder
+```
+Find existing solutions in codebase that could fix other findings.
+Write to .coverme/agents/DUP.json
+Return ONLY: "done" or "skipped"
+```
 
-| Score | Meaning |
-|-------|---------|
-| 10 | Worst case |
-| 7-9 | Severe |
-| 4-6 | Moderate |
-| 1-3 | Minor |
+### Agent 22: POSITIVE - Good Patterns
+```
+Find positive security patterns and good practices in the codebase.
+Write to .coverme/agents/POSITIVE.json
+Return ONLY: "done"
+```
 
-- **Damage**: Impact if exploited
-- **Reproducibility**: How consistently exploitable
-- **Exploitability**: Skill level needed
-- **Affected Users**: Scope of impact
-- **Discoverability**: How easy to find
-- **Score**: Average of all five
+---
 
-### Attack Chain (REQUIRED for critical/high)
+## AI-Generated Code Detection Agents (23-31)
 
-Show realistic, step-by-step exploitation:
+These agents specifically target vulnerabilities common in AI-generated code.
 
-```json
-[
-  {"step": 1, "action": "Concrete attacker action", "result": "What happens"},
-  {"step": 2, "action": "Next action with actual payload", "result": "Escalation"},
-  {"step": 3, "action": "Final action", "result": "Full compromise"}
-]
+### Agent 23: ASSUME - AI Assumptions (CRITICAL)
+```
+AI code makes dangerous implicit assumptions. Scan for:
+
+1. **Non-null assertions**: data!.field, user!.id (TypeScript !)
+2. **Unsafe casts**: as any, as unknown, type assertions without validation
+3. **Unvalidated JSON**: JSON.parse() without try/catch or schema validation
+4. **Trusted input**: req.body used directly without validation (zod, joi, yup)
+5. **Array assumptions**: arr[0] without checking length, arr.map without null check
+6. **Object assumptions**: obj.field without checking obj exists
+7. **Destructuring without defaults**: const {a, b} = data (what if data is null?)
+8. **Assumed authentication**: Routes using req.user without auth middleware
+9. **Assumed types**: parseInt(x) without NaN check, Number(x) used blindly
+10. **Assumed existence**: await db.findOne() used without null check
+
+Severity:
+- CRITICAL: Auth/payment code with assumptions
+- HIGH: Data mutation with unchecked input
+- MEDIUM: API responses with assumptions
+- LOW: Internal utility code
+
+Write to .coverme/agents/ASSUME.json:
+[{"id":"ASSUME-001","title":"Unvalidated req.body in user update","severity":"high","file":"src/api/users.ts","line":45,"code":"const { email, name } = req.body","assumption":"Input is valid object with email and name","exploit":"Send malformed JSON or missing fields","recommendation":"Add zod schema validation"}]
+
+Return ONLY: "done" or "skipped"
 ```
 
----
+### Agent 24: TRUST - Trust Boundary Violations (CRITICAL)
+```
+AI rarely identifies trust boundaries. Scan for:
+
+1. **Missing auth middleware**: app.post/get/put/delete without auth check
+2. **Admin routes unprotected**: /admin/*, /internal/* without role check
+3. **Internal service exposure**: Internal APIs accessible from public routes
+4. **Header trust**: Using x-user-id, x-role from headers without verification
+5. **Forwarded input**: User input passed to internal services without sanitization
+6. **Missing role checks**: Actions performed without checking user.role
+7. **Tenant isolation missing**: Multi-tenant data accessed without tenant filter
+8. **Service-to-service trust**: Internal calls without mTLS or API keys
+9. **Webhook endpoints**: /webhook/* without signature verification
+10. **File upload paths**: User-controlled paths without sanitization
+
+For each finding, identify:
+- What trust boundary is violated
+- Who can exploit it (anonymous, authenticated, admin)
+- What they can access/do
+
+Write to .coverme/agents/TRUST.json:
+[{"id":"TRUST-001","title":"Admin endpoint without role check","severity":"critical","file":"src/routes/admin.ts","line":12,"code":"app.post('/admin/delete-user', async (req,res) => { await deleteUser(req.body.id) })","boundary":"Admin actions accessible to any authenticated user","exploit":"Any logged-in user can delete other users","recommendation":"Add requireRole('admin') middleware"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-## PHASE 4: VALIDATE & GENERATE REPORT
+### Agent 25: PARTIAL - Partial Security Implementation
+```
+AI implements "half security" - looks secure but isn't. Scan for:
+
+1. **bcrypt without proper cost**: bcrypt.hash(pwd, 1) or no salt rounds
+2. **JWT without expiration**: jwt.sign() without expiresIn
+3. **JWT without verification**: jwt.decode() instead of jwt.verify()
+4. **Rate limiting without IP**: Rate limit by user but not IP (pre-auth attacks)
+5. **CSRF token generated but not checked**: Token created but middleware missing
+6. **CORS with wildcard**: Access-Control-Allow-Origin: * with credentials
+7. **Helmet without CSP**: Using helmet() but no Content-Security-Policy
+8. **HTTPS redirect missing**: No force-ssl or redirect middleware
+9. **Cookie without flags**: Missing httpOnly, secure, sameSite
+10. **Encryption without IV**: AES without initialization vector
+11. **Password validation weak**: Only length check, no complexity
+12. **Session without rotation**: No session regeneration on auth change
+
+Write to .coverme/agents/PARTIAL.json:
+[{"id":"PARTIAL-001","title":"JWT signed but never expires","severity":"high","file":"src/auth/token.ts","line":23,"code":"jwt.sign(payload, secret)","issue":"Token has no expiration","impact":"Stolen tokens valid forever","recommendation":"Add expiresIn: '1h' or similar"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-### Step 1: Validate JSON
+### Agent 26: GENERR - Over-Generalized Errors
+```
+AI hides errors behind generic messages. Scan for:
+
+1. **Generic catch-all**: catch(e) { return { error: "Something went wrong" } }
+2. **Lost error context**: catch(e) { throw new Error("Failed") } - original e lost
+3. **Boolean error returns**: return false instead of throwing
+4. **Silent status codes**: return res.status(500) without logging
+5. **Error message swallowing**: catch(e) { console.log("error") } - e not logged
+6. **Missing error types**: All errors thrown as generic Error, not typed
+7. **No error codes**: Errors without codes for client handling
+8. **Audit trail gaps**: Security errors not logged differently
+9. **User-facing stack traces**: In dev mode, stack traces leak to client
+10. **Missing error boundaries**: React without ErrorBoundary, no global handler
+
+Impact analysis:
+- Security errors hidden = attacks go undetected
+- Missing audit = compliance failure
+- Generic errors = impossible debugging
+
+Write to .coverme/agents/GENERR.json:
+[{"id":"GENERR-001","title":"Auth failure returns generic error","severity":"high","file":"src/auth/login.ts","line":34,"code":"catch(e) { return { success: false, error: 'Login failed' } }","issue":"Cannot distinguish wrong password vs account locked vs brute force","recommendation":"Log detailed error server-side, return error code to client"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-```bash
-python3 -m json.tool .coverme/scan.json > /dev/null && echo "JSON valid" || echo "JSON invalid - fix it!"
+### Agent 27: CLONE - Copy-Paste Vulnerabilities
+```
+AI duplicates code blocks, spreading bugs. Scan for:
+
+1. **Near-identical functions**: Functions >80% similar in different files
+2. **Duplicated middleware**: Same auth/validation logic repeated
+3. **Copy-pasted API handlers**: Similar CRUD operations with slight changes
+4. **Repeated validation**: Same validation rules in multiple places
+5. **Duplicated error handling**: Same try/catch pattern everywhere
+6. **Config duplication**: Same config values hardcoded in multiple files
+7. **SQL query duplication**: Same queries in different files
+8. **Duplicated security checks**: Same role check logic repeated
+
+Why this matters:
+- Fix in one place, bug remains in copies
+- Inconsistent behavior across duplicates
+- Maintenance nightmare
+
+Write to .coverme/agents/CLONE.json:
+[{"id":"CLONE-001","title":"Auth check duplicated in 5 files","severity":"medium","files":["src/api/users.ts:12","src/api/orders.ts:8","src/api/products.ts:15"],"pattern":"if (!req.user) return res.status(401)","issue":"Auth logic duplicated, inconsistent in orders.ts","recommendation":"Extract to requireAuth middleware"}]
+
+Return ONLY: "done" or "skipped"
 ```
 
-**If invalid, fix these common errors**:
-- Missing `]` to close arrays (especially `attackChain`)
-- Missing `}` to close objects
-- Trailing commas before `]` or `}`
-- Unescaped quotes in strings
+### Agent 28: HARDCODE - Hardcoded Logic Vulnerabilities
+```
+AI hardcodes values that should be configurable/validated. Scan for:
+
+1. **Role checks with strings**: if (user.role === "admin") - role from where?
+2. **Hardcoded IDs**: if (userId === "123") or specific UUIDs
+3. **Magic numbers**: if (amount > 10000) without named constant
+4. **Hardcoded URLs**: fetch("https://api.example.com") in code
+5. **Hardcoded credentials**: Even in dev, password = "admin123"
+6. **Hardcoded feature flags**: if (process.env.NODE_ENV === "production")
+7. **Hardcoded timeouts**: setTimeout(fn, 5000) without config
+8. **Hardcoded limits**: if (items.length > 100) without constant
+9. **Hardcoded paths**: fs.readFile("/var/app/config.json")
+10. **Hardcoded emails/domains**: admin@company.com in code
+
+Security impact:
+- Role checks bypassable if role source is tainted
+- IDs expose internal structure
+- Can't rotate credentials without code change
+
+Write to .coverme/agents/HARDCODE.json:
+[{"id":"HARDCODE-001","title":"Admin role check trusts user-provided role","severity":"critical","file":"src/middleware/admin.ts","line":5,"code":"if (req.user.role === 'admin')","issue":"role comes from JWT claims which user might control","recommendation":"Verify role from database, not token"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-### Step 2: Generate HTML
+### Agent 29: AISTYLE - AI Code Style Heuristics
+```
+Identify code that shows signs of AI generation, then audit harder. Scan for:
+
+DETECTION PATTERNS (AI-generated code often has):
+1. **Excessive comments**: // This function does X, // Check if Y
+2. **Over-engineering**: Simple task with complex abstraction
+3. **Inconsistent style**: Mixed patterns in same file
+4. **TODO/FIXME clusters**: Multiple incomplete items
+5. **Heavy use of any**: TypeScript with lots of any/unknown
+6. **console.log in production**: Debug statements left in
+7. **Default values everywhere**: value ?? defaultValue pattern
+8. **Try-catch wrapping everything**: Even simple operations
+9. **Unused imports/variables**: Dead code not cleaned up
+10. **Generic function names**: handleClick, processData, doSomething
+
+For detected AI-style code, perform DEEPER AUDIT:
+- Check all assumptions
+- Verify error handling
+- Look for edge cases
+- Check security controls
+
+Write to .coverme/agents/AISTYLE.json:
+[{"id":"AISTYLE-001","title":"AI-generated payment handler needs audit","severity":"high","file":"src/payments/process.ts","indicators":["excessive comments","try-catch everything","multiple TODO"],"concerns":["Error handling hides failures","No idempotency key","Missing amount validation"],"recommendation":"Manual security review required"}]
+
+Return ONLY: "done" or "skipped"
+```
 
-```bash
-coverme report
+### Agent 30: DEPMIS - Dependency Misuse
+```
+AI imports libraries but uses them incorrectly. Scan for:
+
+1. **crypto misuse**: createHash without proper algorithm, no HMAC for auth
+2. **JWT misuse**: jwt.decode() for auth (should be verify), algorithm confusion
+3. **bcrypt misuse**: compareSync in async code, low rounds
+4. **axios misuse**: No timeout, no abort controller, no retry
+5. **fetch misuse**: No error handling for non-2xx, no timeout
+6. **SQL client misuse**: String concatenation instead of parameterized
+7. **Redis misuse**: No auth, KEYS in production, no TTL
+8. **fs misuse**: Sync operations blocking event loop, no path sanitization
+9. **child_process misuse**: exec with user input (command injection)
+10. **path misuse**: path.join with user input without sanitization
+
+Write to .coverme/agents/DEPMIS.json:
+[{"id":"DEPMIS-001","title":"JWT decoded but not verified","severity":"critical","file":"src/auth/middleware.ts","line":18,"code":"const user = jwt.decode(token)","issue":"decode() doesn't verify signature, attacker can forge tokens","recommendation":"Use jwt.verify(token, secret) instead"}]
+
+Return ONLY: "done" or "skipped"
 ```
 
-**The scan is NOT complete until HTML opens in browser!**
+### Agent 31: LOGICGAP - Logic Gaps (CRITICAL)
+```
+AI creates early returns without proper handling. Scan for:
+
+1. **Silent returns**: if (!user) return; - no log, no error, no audit
+2. **Missing else**: if (condition) { action } with no else handling
+3. **Incomplete state machines**: Enum/status with unhandled cases
+4. **Missing default**: switch without default case
+5. **Null returns**: return null without caller handling
+6. **Incomplete cleanup**: Resource opened but not closed on error path
+7. **Transaction gaps**: DB operations without proper rollback
+8. **Missing finally**: try/catch without finally for cleanup
+9. **Event handler gaps**: addEventListener without removeEventListener
+10. **Incomplete validation**: Some fields validated, others not
+
+For each gap, analyze:
+- What happens when the gap is hit
+- Can attacker trigger the gap
+- What's the impact
+
+Write to .coverme/agents/LOGICGAP.json:
+[{"id":"LOGICGAP-001","title":"Silent return on missing user","severity":"high","file":"src/api/profile.ts","line":23,"code":"if (!user) return","issue":"No logging, no 404 response, client hangs","exploit":"Probe for valid user IDs by timing differences","recommendation":"return res.status(404).json({error: 'Not found'}) and log attempt"}]
+
+Return ONLY: "done" or "skipped"
+```
 
 ---
 
-## QUALITY CHECKLIST
-
-Before finishing:
+## Phase 2: Wait for Agents
 
-- [ ] Read actual code files, not just names
-- [ ] Every critical/high finding has DREAD score
-- [ ] Every critical/high finding has attack chain
-- [ ] Searched for silent failures (empty catch, console.log only)
-- [ ] Checked git history for hardcoded secrets
-- [ ] Looked for N+1 queries in database code
-- [ ] Verified dead code claims (really not used?)
-- [ ] Found code duplications (listed ALL locations)
-- [ ] Executive summary is professional and specific
-- [ ] Architecture overview describes trust boundaries
-- [ ] Positive observations have specific evidence
-- [ ] `coverme report` generated HTML successfully
+Wait for ALL background agents using `AgentOutputTool`.
+Each should return only "done" or "skipped".
 
 ---
 
-## EXAMPLES
+## Phase 2.5: Adversarial Review (CRITICAL)
 
-### Excellent Finding (Do This!)
+After all agents complete, run ONE final agent with this mindset:
 
-```json
+### Agent 32: ADVERSARIAL - Systemic Weakness Review
+```
+IMPORTANT: This agent runs AFTER reading all other agent findings.
+
+ASSUME: This entire codebase was written by a junior developer
+under deadline pressure using AI autocomplete.
+
+Your mission: Find SYSTEMIC weaknesses, not just individual bugs.
+
+1. **Pattern Analysis**:
+   - What security controls are MISSING across the codebase?
+   - What patterns suggest "happy path only" thinking?
+   - Where is defensive programming absent?
+
+2. **Attack Surface Summary**:
+   - List all entry points (APIs, webhooks, file uploads, etc.)
+   - Which have weakest protection?
+   - What can an attacker do without authentication?
+
+3. **Business Logic Abuse**:
+   - Can users get free money/credits/access?
+   - Can users manipulate pricing/quantities?
+   - Can users access other users' data?
+   - Can users escalate privileges?
+
+4. **Economic Attacks** (AI never thinks about these):
+   - Resource exhaustion (create unlimited X)
+   - Referral abuse
+   - Trial abuse
+   - Rate limit bypass for profit
+
+5. **Chain Attacks**:
+   - Which LOW findings combine into HIGH/CRITICAL?
+   - What's the worst-case attack scenario?
+
+6. **Missing Controls Checklist**:
+   [ ] Input validation on all endpoints
+   [ ] Output encoding for all user data
+   [ ] Authentication on all non-public routes
+   [ ] Authorization checks for all resources
+   [ ] Rate limiting on all endpoints
+   [ ] Audit logging for security events
+   [ ] Error handling that doesn't leak info
+   [ ] CSRF protection on state-changing operations
+
+Write to .coverme/agents/ADVERSARIAL.json:
 {
-  "id": "AUTH-001",
-  "title": "JWT Accepts 'none' Algorithm - Authentication Bypass",
-  "severity": "critical",
-  "category": "security",
-  "file": "src/middleware/auth.ts",
-  "line": 34,
-  "endLine": 34,
-  "code": "jwt.verify(token, secret, { algorithms: ['HS256', 'none'] })",
-
-  "description": "JWT verification explicitly allows the 'none' algorithm. An attacker can forge tokens by removing the signature and setting alg='none'. This is a COMPLETE authentication bypass.",
-
-  "impact": "Total authentication bypass. Attacker can:\n1. Impersonate any user (including admins)\n2. Access all protected endpoints\n3. Modify/delete any data\n4. Create backdoor admin accounts",
-
-  "businessImpact": {
-    "financial": "Complete data breach. GDPR fine: €20M or 4% revenue. Average breach cost: $4.35M",
-    "reputation": "Loss of customer trust. 81% users abandon service after auth breach (Okta 2023)",
-    "legal": "Class action lawsuit risk. Negligence claim - 'none' algorithm is well-known vulnerability",
-    "operational": "Full incident response, forensics, password reset for all users, potential service shutdown"
-  },
-
-  "realWorldExamples": [
-    "Auth0 CVE-2015-9235: 'none' algorithm allowed → millions of tokens compromised",
-    "Pfsense (2018): JWT 'none' bypass → full admin access to firewall configs",
-    "Your scenario: Attacker becomes admin, exports entire customer database, posts on dark web"
-  ],
-
-  "attackChain": [
-    {"step": 1, "action": "Register normal user account, capture JWT from /api/login", "result": "Valid token: eyJhbGc..."},
-    {"step": 2, "action": "Base64 decode header, change {\"alg\":\"HS256\"} to {\"alg\":\"none\"}", "result": "Forged header"},
-    {"step": 3, "action": "Change payload to {\"userId\":1,\"role\":\"admin\"}, remove signature", "result": "Admin token without signature"},
-    {"step": 4, "action": "Send to /api/admin/users with forged token", "result": "Returns all users - authentication bypassed"}
-  ],
-
-  "proofOfConcept": "# Exploit the vulnerability:\n\n# 1. Get valid token\nTOKEN=$(curl -X POST https://api.example.com/login \\\n  -d '{\"email\":\"attacker@evil.com\",\"password\":\"pass123\"}' | jq -r .token)\n\n# 2. Forge admin token (Python)\npython3 << EOF\nimport base64\nimport json\n\n# Decode original token parts\nheader = {\"alg\": \"none\", \"typ\": \"JWT\"}\npayload = {\"userId\": 1, \"role\": \"admin\", \"exp\": 9999999999}\n\n# Encode without signature\nforged = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b'=') + b'.'\nforged += base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=') + b'.'\n\nprint(forged.decode())\nEOF\n\n# 3. Use forged token\ncurl https://api.example.com/admin/users \\\n  -H \"Authorization: Bearer eyJhbGc...\" \\\n  # Result: Full user database returned",
-
-  "recommendation": "Remove 'none' from algorithms array:\n\n```typescript\n// ✅ SECURE - Only allow HS256\njwt.verify(token, secret, { algorithms: ['HS256'] })\n```",
-
-  "quickFix": {
-    "description": "Remove 'none' from algorithms array (5 minutes)",
-    "code": "jwt.verify(token, secret, { algorithms: ['HS256'] })",
-    "limitations": "Still using symmetric key (HS256) - shared between services. Consider asymmetric (RS256) for multi-service architecture."
-  },
-
-  "properFix": {
-    "description": "Upgrade to RS256 with public/private key pairs (4 hours)",
-    "code": "// Generate key pair (run once)\n// openssl genrsa -out private.key 2048\n// openssl rsa -in private.key -pubout -out public.key\n\nimport fs from 'fs';\nimport jwt from 'jsonwebtoken';\n\nconst publicKey = fs.readFileSync('public.key');\n\n// Verify with public key only\nfunction verifyToken(token: string) {\n  try {\n    const decoded = jwt.verify(token, publicKey, {\n      algorithms: ['RS256'],  // Only asymmetric\n      issuer: 'your-service',\n      audience: 'your-api'\n    });\n    return decoded;\n  } catch (err) {\n    throw new AuthError('Invalid token', { cause: err });\n  }\n}",
-    "additionalSteps": [
-      "Store private key in secure vault (AWS Secrets Manager, HashiCorp Vault)",
-      "Add key rotation policy (rotate every 90 days)",
-      "Implement token revocation list (Redis with TTL)",
-      "Add JWT ID (jti) claim for replay protection",
-      "Monitor for suspicious token patterns (e.g., expired tokens, wrong issuer)"
-    ]
-  },
-
-  "testing": {
-    "description": "Verify the fix prevents 'none' algorithm attacks",
-    "manual": [
-      "Test 1: Forge token with alg='none' → should reject with 'invalid algorithm'",
-      "Test 2: Valid HS256 token → should work",
-      "Test 3: Token with wrong signature → should reject",
-      "Test 4: Expired token → should reject"
-    ],
-    "automated": "describe('JWT security', () => {\n  it('should reject none algorithm', () => {\n    const forgedToken = 'eyJhbGciOiJub25lIn0.eyJ1c2VySWQiOjF9.';\n    \n    expect(() => {\n      verifyToken(forgedToken);\n    }).toThrow('invalid algorithm');\n  });\n  \n  it('should only accept HS256', () => {\n    const validToken = jwt.sign({ userId: 1 }, secret, { algorithm: 'HS256' });\n    const decoded = verifyToken(validToken);\n    expect(decoded.userId).toBe(1);\n    \n    // RS256 should fail\n    const rs256Token = jwt.sign({ userId: 1 }, privateKey, { algorithm: 'RS256' });\n    expect(() => verifyToken(rs256Token)).toThrow();\n  });\n});"
-  },
-
-  "detection": {
-    "description": "Check if this vulnerability was already exploited",
-    "commands": [
-      "# Check logs for tokens with 'none' algorithm",
-      "grep 'eyJhbGciOiJub25lIi' /var/log/nginx/access.log",
-      "",
-      "# Decode suspicious tokens from logs",
-      "cat access.log | grep 'Authorization: Bearer' | cut -d' ' -f3 | while read token; do",
-      "  echo $token | cut -d. -f1 | base64 -d",
-      "done | grep '\"alg\":\"none\"'",
-      "",
-      "# Check for admin actions from non-admin users",
-      "SELECT * FROM audit_log WHERE action LIKE 'admin.%' AND user_id NOT IN (SELECT id FROM users WHERE role='admin');"
-    ],
-    "indicators": [
-      "Tokens in logs with alg='none' in header",
-      "Admin actions performed by non-admin user IDs",
-      "Unusual API access patterns (e.g., all endpoints accessed by one user)",
-      "Failed JWT verification errors followed by successful requests"
-    ]
-  },
-
-  "dread": {
-    "damage": 10,
-    "reproducibility": 10,
-    "exploitability": 9,
-    "affectedUsers": 10,
-    "discoverability": 7,
-    "score": 9.2
-  },
-
-  "cwe": "CWE-347",
-  "owasp": "A02:2021-Cryptographic Failures",
-  "cvss": "9.8 (Critical)",
-
-  "references": [
-    "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/",
-    "https://cwe.mitre.org/data/definitions/347.html",
-    "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens"
-  ],
-
-  "evidence": [
-    "algorithms array at line 34 includes 'none'",
-    "No additional signature validation",
-    "Endpoint /api/admin uses this middleware (routes.ts:89)",
-    "No issuer/audience validation - accepts any token structure",
-    "Secret key hardcoded in config file (not rotated)"
-  ],
-
-  "fixOwner": "developer",
-  "estimatedEffort": {
-    "human": "4-6 hours (research JWT best practices, implement RS256, generate key pairs, update auth flow, test)",
-    "claudeCode": "20-30 minutes (updates jwt.verify config, generates RS256 implementation, creates key management code, writes tests)",
-    "roi": "12x faster with Claude Code"
-  },
-  "priority": 1
+  "systemicWeaknesses": ["..."],
+  "missingControls": ["..."],
+  "attackSurface": {"unauthenticated": [...], "authenticated": [...]},
+  "worstCaseScenario": "...",
+  "chainAttacks": [{"chain": [...], "impact": "..."}],
+  "prioritizedRisks": ["..."]
 }
+
+Return ONLY: "done"
 ```
 
-### Excellent Performance Finding (Do This!)
+---
 
-```json
-{
-  "id": "PERF-001",
-  "title": "N+1 Query in User Dashboard - 3000ms Page Load",
-  "severity": "high",
-  "category": "performance",
-  "file": "src/controllers/dashboardController.ts",
-  "line": 45,
-  "endLine": 52,
-  "code": "const users = await User.findAll();\nfor (const user of users) {\n  user.orders = await Order.findByUserId(user.id);\n}",
-
-  "description": "Dashboard loads all users (1,000+) then makes individual database query for each user's orders. 1 query to get users + 1,000 queries for orders = 1,001 total queries. At 3ms per query = 3+ seconds page load.",
-
-  "impact": "Severe performance degradation. Page load time increases linearly with user count:\n- 100 users: 300ms\n- 1,000 users: 3,000ms (current)\n- 10,000 users: 30,000ms (unusable)\n\nDatabase CPU spikes to 90% during peak hours. Users abandon page before it loads.",
-
-  "businessImpact": {
-    "financial": "53% users abandon pages loading >3s (Google). At 10k visits/day × $50 conversion = $265k/year lost revenue",
-    "reputation": "Poor reviews mentioning 'slow dashboard'. PageSpeed score: 23/100",
-    "operational": "Database overload causes cascading failures. RDS CPU alerts firing 20x/day",
-    "scalability": "Cannot scale past 1,000 users without major infrastructure upgrade"
-  },
-
-  "realWorldExamples": [
-    "Shopify (2015): N+1 queries → 20s checkout → fixed with eager loading → 2s",
-    "Your scenario: Admin dashboard times out during business hours",
-    "Industry data: N+1 queries are #2 cause of slow Rails apps (Rails community survey)"
-  ],
-
-  "attackChain": [
-    {"step": 1, "action": "Normal user visits /dashboard", "result": "Triggers 1,001 database queries"},
-    {"step": 2, "action": "Attacker sends 10 concurrent requests", "result": "10,010 queries → database CPU 95%"},
-    {"step": 3, "action": "Legitimate users affected", "result": "All API requests slow down"},
-    {"step": 4, "action": "Attacker continues requests", "result": "Accidental DoS - database becomes unresponsive"}
-  ],
-
-  "proofOfConcept": "# Measure the N+1 problem:\n\n# 1. Enable query logging\nDATABASE_LOG_QUERIES=true npm start\n\n# 2. Load dashboard\ncurl https://api.example.com/dashboard\n\n# 3. Count queries in log\ngrep 'SELECT.*FROM orders' logs/db.log | wc -l\n# Result: 1000+ queries\n\n# 4. Measure timing\ntime curl https://api.example.com/dashboard\n# Result: real 3.2s",
-
-  "recommendation": "Use eager loading (JOIN) to fetch all data in one query:\n\n```typescript\n// ✅ OPTIMIZED - Single query with JOIN\nconst users = await User.findAll({\n  include: [{\n    model: Order,\n    as: 'orders'\n  }]\n});\n\n// SQL generated:\n// SELECT users.*, orders.*\n// FROM users\n// LEFT JOIN orders ON orders.user_id = users.id\n// (1 query instead of 1,001)\n```",
-
-  "quickFix": {
-    "description": "Add eager loading to existing query (30 minutes)",
-    "code": "const users = await User.findAll({\n  include: ['orders']  // Sequelize eager loading\n});",
-    "limitations": "Still loads all users - may be slow with 10k+ users. Pagination recommended."
-  },
-
-  "properFix": {
-    "description": "Eager loading + pagination + caching (4 hours)",
-    "code": "// Proper solution with pagination\nasync function getDashboard(page = 1, limit = 50) {\n  const cacheKey = `dashboard:${page}`;\n  \n  // Check cache first\n  const cached = await redis.get(cacheKey);\n  if (cached) return JSON.parse(cached);\n  \n  // Single query with JOIN + pagination\n  const users = await User.findAll({\n    include: [{\n      model: Order,\n      as: 'orders',\n      limit: 10  // Limit orders per user\n    }],\n    limit,\n    offset: (page - 1) * limit,\n    order: [['createdAt', 'DESC']]\n  });\n  \n  // Cache for 5 minutes\n  await redis.setex(cacheKey, 300, JSON.stringify(users));\n  \n  return users;\n}",
-    "additionalSteps": [
-      "Add database index on orders.user_id (if missing)",
-      "Consider materialized view for dashboard data",
-      "Add connection pooling (min: 5, max: 20)",
-      "Set up read replicas for heavy queries",
-      "Monitor query performance with APM (DataDog, New Relic)"
-    ]
-  },
-
-  "testing": {
-    "description": "Verify performance improvement",
-    "manual": [
-      "Test 1: Load dashboard, check DB logs → should see 1-2 queries (not 1000+)",
-      "Test 2: Use Chrome DevTools → Time to First Byte should be <500ms",
-      "Test 3: Run with 10k users in test DB → should still load <1s",
-      "Test 4: Check database CPU during load → should stay <50%"
-    ],
-    "automated": "describe('Dashboard performance', () => {\n  it('should use eager loading (no N+1)', async () => {\n    // Track queries\n    const queries = [];\n    db.on('query', q => queries.push(q));\n    \n    await getDashboard();\n    \n    // Should be 1 SELECT with JOIN\n    expect(queries.length).toBeLessThan(5);\n    expect(queries[0]).toContain('JOIN orders');\n  });\n  \n  it('should load dashboard in <500ms', async () => {\n    const start = Date.now();\n    await getDashboard();\n    const duration = Date.now() - start;\n    \n    expect(duration).toBeLessThan(500);\n  });\n});"
-  },
-
-  "detection": {
-    "description": "Find other N+1 query problems in codebase",
-    "commands": [
-      "# Find loops with database queries inside",
-      "grep -r 'for.*await.*find' src/",
-      "grep -r '.map.*await' src/",
-      "",
-      "# Check database slow query log",
-      "cat /var/log/postgresql/slow-queries.log | grep 'SELECT.*FROM orders'",
-      "",
-      "# Use database profiler",
-      "npm install --save-dev sequelize-profiler",
-      "# Add to app: db.use(require('sequelize-profiler'))"
-    ],
-    "indicators": [
-      "Database query count proportional to result set size",
-      "Slow query log shows same query repeated 100+ times",
-      "APM shows 'database' taking 80%+ of response time",
-      "Database CPU spikes during list page loads"
-    ]
-  },
-
-  "dread": {
-    "damage": 7,
-    "reproducibility": 10,
-    "exploitability": 10,
-    "affectedUsers": 10,
-    "discoverability": 8,
-    "score": 9.0
-  },
-
-  "references": [
-    "https://guides.rubyonrails.org/active_record_querying.html#eager-loading-associations",
-    "https://sequelize.org/docs/v6/advanced-association-concepts/eager-loading/",
-    "https://use-the-index-luke.com/"
-  ],
-
-  "evidence": [
-    "Loop at line 46 calls Order.findByUserId() inside",
-    "No 'include' option in User.findAll() query",
-    "APM data shows 1,247 queries for single dashboard load",
-    "Database slow query log: 'SELECT * FROM orders WHERE user_id = ?' appears 1000+ times",
-    "PageSpeed Insights: Time to Interactive = 3.2s"
-  ],
-
-  "fixOwner": "developer",
-  "estimatedEffort": {
-    "human": "3-4 hours (find all N+1 queries, research eager loading, implement pagination, add caching, performance test)",
-    "claudeCode": "15-20 minutes (detects N+1 patterns, converts to eager loading, adds pagination and caching, generates performance tests)",
-    "roi": "12x faster with Claude Code"
-  },
-  "priority": 1
-}
-```
+## Phase 3: Aggregate Results
 
-### Excellent Architecture Finding (Do This!)
+**CRITICAL: Use Write tool directly, NOT bash heredoc**
 
-```json
-{
-  "id": "ARCH-001",
-  "title": "Payment Secrets Hardcoded in Repository - Exposure Risk",
-  "severity": "critical",
-  "category": "architecture",
-  "file": "src/config/payment.ts",
-  "line": 12,
-  "endLine": 12,
-  "code": "const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'",
-
-  "description": "Stripe LIVE secret key hardcoded in source code. Key has been committed to git history (commit abc123). Anyone with repository access can process payments, issue refunds, export customer data.",
-
-  "impact": "Complete payment system compromise:\n1. Process fraudulent charges\n2. Issue refunds to attacker's accounts\n3. Export all customer payment data (PCI violation)\n4. Delete customer payment methods\n5. Key exposed in git history - even if removed now, still accessible",
-
-  "businessImpact": {
-    "financial": "Fraudulent charges/refunds = unlimited financial loss. Stripe may suspend account. PCI Level 1 fine: $5k-$100k/month",
-    "reputation": "PCI compliance failure = cannot process credit cards. Customer data breach = loss of trust",
-    "legal": "PCI DSS violation = potential lawsuits. FTC investigation. Payment processor termination",
-    "operational": "Emergency key rotation, customer notification, forensic investigation, potential service shutdown"
-  },
-
-  "realWorldExamples": [
-    "Uber (2016): AWS keys in GitHub → 57M users exposed → $148M settlement",
-    "Twitter (2020): API keys leaked → account takeovers including Obama, Biden",
-    "Your risk: Developer laptop stolen → attacker has payment keys → can issue refunds to themselves"
-  ],
-
-  "attackChain": [
-    {"step": 1, "action": "Clone repository or access via ex-employee's account", "result": "Source code with secret key"},
-    {"step": 2, "action": "Use key to list all customers: curl https://api.stripe.com/v1/customers -u sk_live_...", "result": "Export entire customer database"},
-    {"step": 3, "action": "Issue refunds to attacker-controlled accounts", "result": "$10k+ fraudulent refunds"},
-    {"step": 4, "action": "Even if key rotated, check git history: git log -p config/payment.ts", "result": "Original key still in commits"}
-  ],
-
-  "proofOfConcept": "# Exploit hardcoded secret:\n\n# 1. Find the key in code\ngrep -r 'sk_live' .\n# Result: src/config/payment.ts:12:const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'\n\n# 2. Check git history (even if removed)\ngit log --all -p | grep 'sk_live'\n# Result: Found in commits abc123, def456, ghi789\n\n# 3. Use the key to issue refund\ncurl https://api.stripe.com/v1/refunds \\\n  -u sk_live_51Hqr2x...: \\\n  -d charge=ch_xyz123 \\\n  -d amount=10000\n# Result: $100 refunded to attacker's card",
-
-  "recommendation": "Move secrets to environment variables and secret manager:\n\n```typescript\n// ✅ SECURE - Load from environment\nconst STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;\n\nif (!STRIPE_SECRET_KEY) {\n  throw new Error('STRIPE_SECRET_KEY environment variable required');\n}\n```",
-
-  "quickFix": {
-    "description": "Move to .env file (NOT committed) - 1 hour",
-    "code": "// .env (add to .gitignore)\nSTRIPE_SECRET_KEY=sk_live_51Hqr2x...\n\n// src/config/payment.ts\nimport dotenv from 'dotenv';\ndotenv.config();\n\nconst STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;",
-    "limitations": ".env still on server filesystem. If server compromised, key exposed. Better: use secret manager."
-  },
-
-  "properFix": {
-    "description": "Migrate to AWS Secrets Manager with key rotation (1 day)",
-    "code": "import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';\n\nconst client = new SecretsManagerClient({ region: 'us-east-1' });\n\n// Fetch secret from AWS Secrets Manager\nasync function getStripeKey(): Promise<string> {\n  const response = await client.send(\n    new GetSecretValueCommand({ SecretId: 'prod/stripe/secret_key' })\n  );\n  \n  if (!response.SecretString) {\n    throw new Error('Stripe secret not found in Secrets Manager');\n  }\n  \n  return JSON.parse(response.SecretString).STRIPE_SECRET_KEY;\n}\n\n// Cache for 5 minutes (secrets manager charges per request)\nlet cachedKey: string | null = null;\nlet cacheExpiry = 0;\n\nexport async function getPaymentKey(): Promise<string> {\n  if (cachedKey && Date.now() < cacheExpiry) {\n    return cachedKey;\n  }\n  \n  cachedKey = await getStripeKey();\n  cacheExpiry = Date.now() + 5 * 60 * 1000;\n  return cachedKey;\n}",
-    "additionalSteps": [
-      "Rotate Stripe secret key IMMEDIATELY (current key is compromised)",
-      "Enable automatic key rotation in AWS Secrets Manager (90 days)",
-      "Remove key from ALL git history: git filter-branch or BFG Repo-Cleaner",
-      "Audit Stripe logs for suspicious activity (past 90 days)",
-      "Set up IAM roles - only production servers can read secrets",
-      "Enable CloudTrail logging for secret access",
-      "Add alerts for secret access from unexpected IPs",
-      "Document key rotation runbook"
-    ]
-  },
-
-  "testing": {
-    "description": "Verify secrets are properly secured",
-    "manual": [
-      "Test 1: grep -r 'sk_live' . → should return 0 results",
-      "Test 2: git log --all -p | grep 'sk_live' → check if still in history",
-      "Test 3: docker run --rm app → should fail with 'STRIPE_SECRET_KEY required'",
-      "Test 4: AWS Secrets Manager console → verify secret exists",
-      "Test 5: Attempt to access secret from dev laptop → should fail (IAM)"
-    ],
-    "automated": "describe('Secret management', () => {\n  it('should not have hardcoded secrets', () => {\n    const files = glob.sync('**/*.{ts,js}');\n    files.forEach(file => {\n      const content = fs.readFileSync(file, 'utf8');\n      expect(content).not.toMatch(/sk_live_[a-zA-Z0-9]{32}/);\n      expect(content).not.toMatch(/pk_live_[a-zA-Z0-9]{32}/);\n    });\n  });\n  \n  it('should require environment variables', () => {\n    delete process.env.STRIPE_SECRET_KEY;\n    expect(() => require('./config/payment')).toThrow('STRIPE_SECRET_KEY');\n  });\n});"
-  },
-
-  "detection": {
-    "description": "Find ALL hardcoded secrets in codebase",
-    "commands": [
-      "# Find Stripe keys",
-      "git log --all -p | grep -E 'sk_live_[a-zA-Z0-9]+'",
-      "",
-      "# Find AWS keys",
-      "git log --all -p | grep -E 'AKIA[A-Z0-9]{16}'",
-      "",
-      "# Find generic secrets (high entropy strings)",
-      "trufflehog git file://. --only-verified",
-      "",
-      "# Use automated scanner",
-      "npm install -g detect-secrets",
-      "detect-secrets scan --all-files",
-      "",
-      "# Check Stripe for unauthorized activity",
-      "# Login to Stripe dashboard → Developers → Logs → Filter by IP address"
-    ],
-    "indicators": [
-      "Stripe keys (sk_live_, pk_live_) in source code",
-      "AWS credentials (AKIA...) in config files",
-      "High entropy strings (40+ random chars) in code",
-      "Suspicious Stripe activity: refunds from unknown IPs, customer exports",
-      "GitHub secret scanning alerts (if repo is on GitHub)"
-    ]
-  },
-
-  "dread": {
-    "damage": 10,
-    "reproducibility": 10,
-    "exploitability": 10,
-    "affectedUsers": 10,
-    "discoverability": 9,
-    "score": 9.8
-  },
-
-  "cwe": "CWE-798",
-  "owasp": "A02:2021-Cryptographic Failures",
-  "cvss": "10.0 (Critical)",
-
-  "references": [
-    "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html",
-    "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password",
-    "https://stripe.com/docs/keys#safe-keys"
-  ],
-
-  "evidence": [
-    "Line 12: const STRIPE_SECRET_KEY = 'sk_live_51Hqr2x...'",
-    "Git history shows key in 14 commits dating back 6 months",
-    "Repository has 23 contributors (all have access to key)",
-    "No .gitignore entry for config files",
-    "GitHub shows 'Secret scanning alert' for this repository"
-  ],
-
-  "fixOwner": "devops + developer",
-  "estimatedEffort": {
-    "human": "1-2 days (setup AWS Secrets Manager, migrate all secrets, update deployment scripts, rotate keys, audit git history, cleanup with BFG)",
-    "claudeCode": "1-2 hours (finds all secrets, generates Secrets Manager integration, updates code, creates rotation scripts, provides git cleanup commands)",
-    "roi": "12x faster with Claude Code"
-  },
-  "priority": 1
-}
+1. List agent files:
+```bash
+ls .coverme/agents/*.json 2>/dev/null | head -30
 ```
 
-### Bad Finding (Don't Do This!)
+2. Read each agent JSON file using the Read tool (in parallel if possible)
 
+3. **Use the Write tool** to save `.coverme/scan.json` with this structure:
 ```json
 {
-  "id": "SEC-001",
-  "title": "SQL Injection",
-  "severity": "high",
-  "description": "There might be SQL injection somewhere"
+  "projectName": "from package.json or folder name",
+  "scanDate": "ISO timestamp",
+  "filesScanned": N,
+  "linesOfCode": N,
+  "findings": [merged from all agent files, deduplicated],
+  "positiveObservations": [from POSITIVE.json],
+  "summary": {"critical":N,"high":N,"medium":N,"low":N}
 }
 ```
 
----
-
-## REMEMBER
-
-1. **CREATE DETAILED FINDINGS** - DO NOT just write executiveSummary! You MUST populate the `findings` array with full finding objects!
-2. **Silent failures are CRITICAL** - They hide production bugs in payments, auth, data
-3. **Read actual code** - Don't guess, read the files
-4. **Check git history** - Secrets may have been removed but still exposed
-5. **Think like an attacker** - How would you exploit this?
-6. **Be specific** - File:line, code snippets, attack chains
-7. **DREAD + Attack Chain** - Required for critical/high
-8. **Quality over quantity** - 10 solid findings > 50 vague ones
-9. **Architecture matters** - Trust boundaries, data flow, scalability
-10. **Performance impacts security** - N+1 queries → DoS, memory leaks → crashes
-11. **Include ROI estimates** - human vs claudeCode time for every finding
-12. **Run `coverme report`** - Not done until HTML opens!
+**IMPORTANT**:
+- Use Write tool, not bash echo/cat
+- Keep max 50 findings (prioritize by severity)
+- Max 3 code snippets per finding
 
 ---
 
-⚠️ **FINAL CHECK BEFORE SUBMITTING scan.json:**
+## Phase 4: Generate Report
 
-- [ ] `findings` array contains at least 3-10 detailed finding objects (NOT empty!)
-- [ ] Each finding has businessImpact, proofOfConcept, attackChain, quickFix, properFix, testing, detection, estimatedEffort
-- [ ] executiveSummary.topRisks matches the findings in the findings array
-- [ ] summary counts (critical/high/medium/low) match the findings array length
+```bash
+TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
+npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
+open ".coverme/report_$TIMESTAMP.html"
+```
 
 ---
 
-START SCANNING NOW. Be methodical, thorough, and think deeply. Your reputation depends on finding what others miss.
+## DONE
+
+Tell user: "Scan complete! Report opened."