npm - coverme-scanner - Versions diffs - 4.0.1 → 4.0.3 - Mend

coverme-scanner 4.0.1 → 4.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli/init.d.ts.map +1 -1
package/dist/cli/init.js +34 -547
package/dist/cli/init.js.map +1 -1
package/dist/prompts/coverme-command.md +22 -22
package/package.json +1 -1

package/dist/cli/init.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;~~AAihBD~~,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA+~~K9D~~"}
1	+ {"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA+L9D"}

package/dist/cli/init.js CHANGED Viewed

@@ -37,537 +37,11 @@ exports.init = init;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const os = __importStar(require("os"));
-const SLASH_COMMAND = `# CoverMe - Ultimate AI Security Scanner
-The most comprehensive AI-powered code scanner. 10 specialized agents + 3 validators + deep analysis.
-$ARGUMENTS
-## CRITICAL INSTRUCTIONS - READ FIRST!
-1. **DO NOT ASK ANY QUESTIONS** - Run the entire scan autonomously from start to finish
-2. **DO NOT STOP FOR CONFIRMATION** - Just keep going through all phases
-3. **DO NOT ASK ABOUT FILE CHANGES** - Automatically update/overwrite scan.json
-4. **DO NOT ASK TO OPEN REPORT** - Just open it automatically at the end
-5. **COMPLETE EVERYTHING IN ONE GO** - All 5 phases without interruption
-6. **RUN AGENTS IN BACKGROUND** - Use \`run_in_background: true\` for all Task tool calls
-7. **RUN BASH IN BACKGROUND** - Use \`run_in_background: true\` for long Bash commands
-Execute ALL phases automatically. Do NOT stop until the HTML report is open.
----
-## Phase 1: Discovery (10 parallel agents)
-Launch ALL 10 agents IN PARALLEL using the Task tool with \`run_in_background: true\`:
-**IMPORTANT**: Set \`run_in_background: true\` on ALL Task tool calls to run agents in parallel without blocking.
-### Agent 1: Security Scanner (Core)
-\`\`\`
-Scan for OWASP Top 10 and common vulnerabilities:
-INJECTION:
-- SQL injection (string concatenation in queries, raw queries)
-- NoSQL injection (MongoDB $where, $regex with user input)
-- Command injection (exec, spawn, system with user input)
-- LDAP injection, XPath injection
-- Template injection (SSTI in Jinja2, EJS, Handlebars)
-- Header injection (CRLF in headers)
-- Log injection (unescaped user input in logs)
-XSS:
-- Reflected XSS (user input in response without encoding)
-- Stored XSS (database content rendered without escaping)
-- DOM XSS (innerHTML, document.write, eval with user data)
-- dangerouslySetInnerHTML in React without sanitization
-AUTHENTICATION:
-- Hardcoded credentials (check git ls-files first!)
-- Weak password policies (no complexity, short length)
-- Missing rate limiting on login/register
-- Session fixation (session ID not rotated after login)
-- JWT issues (none algorithm, weak secret, no expiry)
-- Missing MFA on sensitive operations
-AUTHORIZATION:
-- IDOR (direct object references without ownership check)
-- Missing authorization checks on endpoints
-- Privilege escalation paths
-- Horizontal access (user A accessing user B's data)
-- Vertical access (user accessing admin functions)
-CRYPTOGRAPHY:
-- MD5/SHA1 for passwords (use bcrypt/argon2)
-- Math.random() for security (use crypto.randomBytes)
-- Hardcoded encryption keys/IVs
-- ECB mode usage
-- Missing HTTPS enforcement
-Output JSON: [{id: "SEC-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 2: Auth & Session Scanner
-\`\`\`
-Deep dive into authentication and session management:
-SSO/OAUTH:
-- Open redirect in return_url/redirect_uri (CRITICAL!)
-- State parameter missing or predictable
-- PKCE not implemented for public clients
-- Token stored in localStorage (XSS vulnerable)
-- Refresh token rotation missing
-- ID token validation incomplete
-SESSION:
-- Session ID in URL
-- Session not invalidated on logout
-- Session timeout too long (>24h)
-- Same session across devices without tracking
-- Session data not encrypted
-COOKIES:
-- Missing Secure flag
-- Missing HttpOnly flag
-- Missing SameSite attribute
-- Overly broad domain/path
-- Sensitive data in cookies
-PASSWORD RESET:
-- Predictable reset tokens
-- Token not expiring
-- No rate limiting on reset requests
-- User enumeration via reset flow
-- Reset link not single-use
-Output JSON: [{id: "AUTH-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 3: API Security Scanner
-\`\`\`
-Scan API endpoints for security issues:
-INPUT VALIDATION:
-- Missing input validation on request body
-- Type coercion attacks (string vs number)
-- Array/object pollution
-- Prototype pollution
-- Mass assignment vulnerabilities
-- GraphQL introspection enabled in production
-- GraphQL depth/complexity limits missing
-RATE LIMITING:
-- No rate limiting on expensive operations
-- Rate limit bypass via headers (X-Forwarded-For)
-- Missing rate limiting on auth endpoints
-- No account lockout after failed attempts
-API DESIGN:
-- Verbose error messages leaking internals
-- Stack traces in production
-- Version information exposed
-- Debug endpoints accessible
-- CORS misconfiguration (wildcard origin with credentials)
-- Missing security headers (CSP, HSTS, X-Frame-Options)
-WEBHOOKS:
-- Webhook signature not verified
-- SSRF via webhook URLs
-- No webhook replay protection
-- Webhook secrets logged
-Output JSON: [{id: "API-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 4: Infrastructure Scanner
-\`\`\`
-Scan infrastructure and deployment configs:
-DOCKER:
-- Running as root user
-- Secrets in Dockerfile or build args
-- Latest tag usage (unpinned versions)
-- Sensitive ports exposed
-- Missing health checks
-- No resource limits
-- Privileged mode enabled
-- Writable root filesystem
-KUBERNETES/HELM:
-- No resource limits/requests
-- Running as root
-- Privileged containers
-- Host network/PID enabled
-- Missing network policies
-- Secrets not encrypted at rest
-- No pod security policies/standards
-- Service account auto-mount enabled
-CI/CD:
-- Secrets in CI config files
-- Credentials in environment variables logged
-- Missing secret scanning in pipeline
-- Deploy keys with write access
-- No branch protection
-- Missing SAST/DAST in pipeline
-CLOUD:
-- S3 buckets public or misconfigured
-- IAM roles too permissive
-- Security groups too open
-- Logging not enabled
-- Encryption at rest disabled
-Output JSON: [{id: "INFRA-XXX", title, severity, category: "infrastructure", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 5: Data & Privacy Scanner
-\`\`\`
-Scan for data protection and privacy issues:
-PII HANDLING:
-- PII logged (emails, names, IPs, phone numbers)
-- PII in URLs/query strings
-- PII in error messages
-- PII not encrypted at rest
-- PII not masked in UI/logs
-GDPR/PRIVACY:
-- Missing data retention policy implementation
-- No data deletion mechanism (right to erasure)
-- No data export mechanism (data portability)
-- Consent not tracked properly
-- Third-party data sharing without consent
-- Cross-border data transfer issues
-DATABASE:
-- Sensitive data not encrypted (column-level)
-- No audit logging for sensitive operations
-- Backup not encrypted
-- Connection strings with credentials in code
-SECRETS:
-- API keys in code (check git ls-files!)
-- Secrets in environment files committed
-- Secrets logged
-- Secrets in client-side code
-- Hardcoded tokens/passwords
-- .env files not in .gitignore
-Output JSON: [{id: "DATA-XXX", title, severity, category: "privacy", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 6: AI/LLM Security Scanner
-\`\`\`
-Scan for AI/LLM specific vulnerabilities:
-PROMPT INJECTION:
-- User input directly in prompts without sanitization
-- System prompts exposed to users
-- Prompt leakage via error messages
-- No input length limits on prompts
-- Missing output validation from LLM
-- Jailbreak vulnerabilities
-DATA LEAKAGE:
-- Training data in responses
-- PII in AI context
-- Conversation history not cleared
-- AI accessing unauthorized data
-- Model output not sanitized
-SUPPLY CHAIN:
-- CDN imports without Subresource Integrity (SRI)
-- Unpinned AI model versions
-- External AI APIs without TLS verification
-- Model files from untrusted sources
-RESOURCE:
-- No token limits on AI calls
-- Missing rate limiting on AI endpoints
-- Cost explosion attacks (large inputs)
-- Denial of service via AI
-BUSINESS LOGIC:
-- AI bypassing business rules
-- AI making unauthorized decisions
-- Content filter bypasses
-- AI output directly executed (code injection)
-Output JSON: [{id: "AI-XXX", title, severity, category: "ai-security", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 7: Performance & DoS Scanner
-\`\`\`
-Scan for performance issues and DoS vectors:
-DATABASE:
-- N+1 query patterns
-- Missing indexes on filtered/sorted columns
-- Full table scans
-- Unbounded queries (no LIMIT)
-- Connection pool exhaustion
-- Long-running transactions
-MEMORY:
-- Memory leaks (event listeners not removed)
-- Unbounded caches
-- Large object accumulation
-- Buffer handling issues
-- Stream not properly closed
-- SSE/WebSocket buffer accumulation
-CPU:
-- ReDoS (Regular Expression DoS)
-- Algorithmic complexity attacks
-- Synchronous crypto operations
-- JSON parsing of large payloads
-- XML parsing without limits (billion laughs)
-NETWORK:
-- No timeout on external calls
-- Missing circuit breakers
-- Retry storms
-- No backpressure handling
-- Connection leaks
-RESOURCE EXHAUSTION:
-- File upload without size limits
-- Zip bomb potential
-- Unbounded pagination
-- Missing request size limits
-- Too many concurrent connections
-Output JSON: [{id: "PERF-XXX", title, severity, category: "performance", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 8: Business Logic Scanner
-\`\`\`
-Scan for business logic vulnerabilities:
-RACE CONDITIONS:
-- TOCTOU (time-of-check-time-of-use)
-- Double-spend in transactions
-- Inventory overselling
-- Concurrent booking conflicts
-- Non-atomic read-modify-write
-WORKFLOW:
-- Step skipping in multi-step processes
-- State manipulation attacks
-- Order of operations bypass
-- Workflow replay attacks
-FINANCIAL:
-- Rounding errors in calculations
-- Currency handling issues
-- Negative amount bypass
-- Discount stacking exploits
-- Price manipulation
-ACCESS CONTROL:
-- Role hierarchy bypass
-- Feature flag manipulation
-- Subscription level bypass
-- Time-based access bypass
-DATA INTEGRITY:
-- Missing referential integrity
-- Orphaned records possible
-- Data inconsistency between services
-- Missing transaction boundaries
-Output JSON: [{id: "BIZ-XXX", title, severity, category: "business-logic", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 9: Code Quality Scanner
-\`\`\`
-Scan for code quality and maintainability issues:
-COMPLEXITY:
-- Cyclomatic complexity > 10
-- Functions > 50 lines
-- Files > 500 lines
-- Deep nesting (> 4 levels)
-- Too many parameters (> 5)
-DRY VIOLATIONS:
-- Duplicated code blocks (> 10 lines)
-- Copy-paste code with minor changes
-- Similar functions that should be unified
-ANTI-PATTERNS:
-- God objects/classes
-- Callback hell
-- Magic numbers/strings
-- Dead code
-- Unused imports/variables
-- Any type overuse (TypeScript)
-- Console.log in production
-- TODO/FIXME comments in production
-ERROR HANDLING:
-- Empty catch blocks
-- Generic error swallowing
-- Missing error boundaries (React)
-- Unhandled promise rejections
-- Missing finally blocks for cleanup
-NAMING:
-- Inconsistent naming conventions
-- Misleading names
-- Single letter variables (except i,j,k)
-- Abbreviations without context
-Output JSON: [{id: "QUAL-XXX", title, severity, category: "quality", file, line, code, description, recommendation, confidence}]
-\`\`\`
-### Agent 10: Testing & Reliability Scanner
-\`\`\`
-Scan for testing gaps and reliability issues:
-TEST COVERAGE:
-- Critical paths without tests (auth, payments, data access)
-- Error handlers not tested
-- Edge cases not covered
-- No integration tests
-- No E2E tests for main flows
-TEST QUALITY:
-- Tests without assertions
-- Mocked security checks (dangerous!)
-- Flaky tests (time-dependent)
-- Tests with hardcoded data that can expire
-- Missing negative tests (what should fail)
-RELIABILITY:
-- Missing health checks
-- No graceful shutdown
-- Missing readiness/liveness probes
-- No circuit breakers for external calls
-- Missing retry logic with backoff
-- No fallback mechanisms
-OBSERVABILITY:
-- Missing structured logging
-- No correlation IDs
-- Missing metrics collection
-- No distributed tracing
-- Errors not properly categorized
-DEPLOYMENT:
-- No feature flags for risky changes
-- Missing rollback mechanism
-- No canary/blue-green deployment
-- Database migrations not reversible
-Output JSON: [{id: "TEST-XXX", title, severity, category: "testing", file, line, code, description, recommendation, confidence}]
-\`\`\`
----
-## Phase 2: Cross-Validation (3 parallel validators)
-Wait for all Phase 1 background agents to complete using \`AgentOutputTool\`.
-Then launch 3 validators IN PARALLEL with \`run_in_background: true\`:
-### Validator A: False Positive Hunter
-\`\`\`
-Review ALL findings from Phase 1. For each finding:
-1. Read the actual code file
-2. Check if there are mitigating controls elsewhere
-3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
-4. Check if code is actually reachable in production
-5. Verify the context (is it test code? example code? disabled feature?)
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
-\`\`\`
-### Validator B: Evidence Challenger
-\`\`\`
-Challenge every HIGH and CRITICAL finding:
-1. Read the actual code with 20 lines of context
-2. Trace data flow from source to sink
-3. Check for sanitization/validation in between
-4. Verify the exploit scenario is realistic
-5. Consider the deployment environment
-6. Check if it's actually exploitable in production
-Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
-\`\`\`
-### Validator C: Missing Issues Hunter
-\`\`\`
-Look for issues that Phase 1 agents MISSED:
-- Race conditions in critical operations
-- Business logic flaws specific to this application
-- Edge cases (empty input, null, undefined, max length)
-- Integration point vulnerabilities
-- Configuration issues for specific environment
-- Combination attacks (multiple low issues = high)
-Output: { missedIssues: [{id, title, severity, file, line, description, recommendation},...] }
-\`\`\`
----
-## Phase 3: Build Consensus
-Wait for all Phase 2 background validators to complete using \`AgentOutputTool\`.
-Combine all results:
-1. Calculate confidence: (confirmations / validators) * 100
-2. Remove findings with confidence < 50%
-3. Add missed issues from Validator C
-4. Identify positive observations (good patterns found)
----
-## Phase 4: Generate Report
-**DO NOT ASK - JUST OVERWRITE THE FILE!**
-Update \`.coverme/scan.json\` with the scan results. Overwrite any existing content without asking:
-- **projectName**: from package.json or folder name
-- **scanDate**: today's date
-- **findings**: array of issues found (each with id, title, severity, category, file, line, description, code, recommendation, confidence)
-- **positiveObservations**: array of good patterns found
-- **scanDuration**: time taken in ms
-- **agentCount**: 7
-Use the Write tool to overwrite \`.coverme/scan.json\` with the results. Do not ask for confirmation.
----
-## Phase 5: Generate HTML Report
-**DO NOT ASK - JUST RUN THE COMMANDS!**
-Generate the HTML report and open it automatically:
-\`\`\`bash
-TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
-npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
-cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
-open ".coverme/report_$TIMESTAMP.html"
-\`\`\`
-Run these commands without asking for permission.
----
-## DONE
-Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser."
-**REMINDER: You should have completed all 5 phases without asking ANY questions or stopping for confirmation.**
-`;
 async function init(options) {
     const targetDir = options.global
         ? path.join(os.homedir(), '.claude', 'commands')
         : path.join(process.cwd(), '.claude', 'commands');
-    console.log(`Installing vibecode commands to: ${targetDir}`);
+    console.log(`Installing CoverMe v4.0 commands to: ${targetDir}`);
     // Create directory if needed
     if (!fs.existsSync(targetDir)) {
         fs.mkdirSync(targetDir, { recursive: true });
@@ -581,11 +55,17 @@ async function init(options) {
         console.log(`Use --force to overwrite.`);
     }
     else {
-        // Try to read from package's distributed file first
+        // Read from package's distributed file - this is the ONLY source
         const distCommandPath = path.join(__dirname, '..', 'prompts', 'coverme-command.md');
-        let commandContent = SLASH_COMMAND;
-        if (fs.existsSync(distCommandPath)) {
-            commandContent = fs.readFileSync(distCommandPath, 'utf-8');
+        if (!fs.existsSync(distCommandPath)) {
+            console.error(`ERROR: Command file not found at ${distCommandPath}`);
+            console.error(`This is a packaging error. Please reinstall: npm install -g coverme-scanner@latest`);
+            process.exit(1);
+        }
+        const commandContent = fs.readFileSync(distCommandPath, 'utf-8');
+        // Verify it's the latest version
+        if (!commandContent.includes('33 specialized agents')) {
+            console.warn(`WARNING: Command file may be outdated. Please reinstall: npm install -g coverme-scanner@latest --force`);
         }
         fs.writeFileSync(commandPath, commandContent);
         console.log(`${options.force ? 'Updated' : 'Created'}: ${commandPath}`);
@@ -596,6 +76,12 @@ async function init(options) {
         fs.mkdirSync(covermeDir, { recursive: true });
         console.log(`Created: ${covermeDir}/`);
     }
+    // Create .coverme/agents directory for agent outputs
+    const agentsDir = path.join(covermeDir, 'agents');
+    if (!fs.existsSync(agentsDir)) {
+        fs.mkdirSync(agentsDir, { recursive: true });
+        console.log(`Created: ${agentsDir}/`);
+    }
     // Create scan.json template
     const scanJsonPath = path.join(covermeDir, 'scan.json');
     if (!fs.existsSync(scanJsonPath)) {
@@ -605,7 +91,7 @@ async function init(options) {
             findings: [],
             positiveObservations: [],
             scanDuration: 0,
-            agentCount: 7
+            agentCount: 33
         };
         fs.writeFileSync(scanJsonPath, JSON.stringify(scanTemplate, null, 2));
         console.log(`Created: ${scanJsonPath}`);
@@ -635,6 +121,7 @@ async function init(options) {
             allow: [
                 // Basic file operations
                 "Bash(mkdir:*)",
+                "Bash(rm:*)",
                 "Bash(ls:*)",
                 "Bash(cat:*)",
                 "Bash(cp:*)",
@@ -656,11 +143,10 @@ async function init(options) {
                 "Bash(date:*)",
                 "Bash(echo:*)",
                 // Report generation
+                "Bash(coverme:*)",
                 "Bash(npx coverme*:*)",
                 "Bash(npx coverme-scanner*:*)",
                 "Bash(open:*)",
-                // SSH for runtime verification
-                "Bash(ssh:*)",
                 // .coverme directory access
                 "Read(.coverme/*)",
                 "Write(.coverme/*)",
@@ -693,35 +179,36 @@ async function init(options) {
     console.log(`Created/updated: ${settingsPath} with coverme permissions`);
     console.log(`
 ================================================================================
-                           COVERME INSTALLED
+                        COVERME v4.0 INSTALLED
 ================================================================================
+  33 Security Agents including 9 AI-code-specific detectors
 Usage:
   1. Open Claude Code in your project
   2. Type /coverme and press Enter
-  3. Wait for the scan to complete (~8-12 minutes)
-  4. Report opens automatically in your browser
+  3. Wait for the scan to complete
+  4. PDF report opens automatically
 What it scans:
   - Security (SEC): OWASP Top 10, injection, XSS, crypto
   - Authentication (AUTH): JWT, OAuth, sessions, passwords
   - API Security (API): Input validation, rate limiting, CORS
   - Infrastructure (INFRA): Docker, K8s, CI/CD, secrets
+  - AI Code Detection: Assumptions, trust boundaries, silent failures
   - Business Logic (BIZ): Race conditions, authorization
-  - Code Quality (QUAL): Dead code, test coverage
-Features:
-  - DREAD scoring for critical/high findings
-  - Attack chain analysis
-  - Executive summary for leadership
-  - Positive observations (what you did well)
-  - Quality review (code to delete/merge)
+NEW in v4.0 - AI-Generated Code Detection:
+  - ASSUME: Dangerous assumptions (data!, as any)
+  - TRUST: Trust boundary violations
+  - SILENT: Silent error handling
+  - LOGICGAP: Logic gaps (if (!x) return;)
+  - AISTYLE: AI code style heuristics
+  - ADVERSARIAL: Systemic weakness review
 Reports saved to: .coverme/
   - scan.json (raw data)
-  - report_YYYY-MM-DD_HH-MM-SS.html (visual report)
-The .coverme/ folder is automatically added to .gitignore
+  - security-report-YYYY-MM-DD.pdf (PDF report)
 ================================================================================
 `);

package/dist/cli/init.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~AAwhBA~~,oBA+KC;~~AAvsBD~~,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;~~AAOzB~~,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6gBrB,CAAC;AAEK,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,~~oCAAoC~~,SAAS,EAAE,CAAC,CAAC;~~IAE7D~~,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEvD,iDAAiD;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,~~oDAAoD~~;~~QACpD~~,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,oBAAoB,CAAC,CAAC;~~QACpF~~,IAAI,~~cAAc~~,~~GAAG~~,~~aAAa~~,CAAC~~;QAEnC~~,~~IAAI~~,EAAE,CAAC,~~UAAU~~,CAAC,~~eAAe~~,CAAC,EAAE,CAAC;~~YACnC~~,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;~~QAC7D~~,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG;YACnB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,EAAE;YACZ,oBAAoB,EAAE,EAAE;YACxB,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,~~CAAC~~;~~SACd~~,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG;QACzB,WAAW,EAAE;YACX,KAAK,EAAE;gBACL,wBAAwB;gBACxB,eAAe;gBACf,YAAY;gBACZ,aAAa;gBACb,YAAY;gBACZ,cAAc;gBACd,cAAc;gBACd,YAAY;gBACZ,uBAAuB;gBACvB,cAAc;gBACd,cAAc;gBACd,cAAc;gBACd,eAAe;gBACf,iBAAiB;gBACjB,sBAAsB;gBACtB,iBAAiB;gBACjB,oBAAoB;gBACpB,kBAAkB;gBAClB,0BAA0B;gBAC1B,iBAAiB;gBACjB,cAAc;gBACd,cAAc;gBACd,oBAAoB;gBACpB,sBAAsB;gBACtB,8BAA8B;gBAC9B,cAAc;gBACd~~,+BAA+B;gBAC/B~~,~~aAAa;gBACb,~~4BAA4B;gBAC5B,kBAAkB;gBAClB,mBAAmB;gBACnB,kBAAkB;aACnB;SACF;KACF,CAAC;IAEF,0CAA0C;IAC1C,IAAI,gBAAgB,GAAQ,EAAE,CAAC;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,cAAc,GAAG;QACrB,GAAG,gBAAgB;QACnB,WAAW,EAAE;YACX,GAAG,gBAAgB,CAAC,WAAW;YAC/B,KAAK,EAAE;gBACL,GAAG,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK;aACxC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SACpD;KACF,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,2BAA2B,CAAC,CAAC;IAEzE,OAAO,CAAC,GAAG,CAAC~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiCb~~,CAAC,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AASA,oBA+LC;AAxMD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAOlB,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,wCAAwC,SAAS,EAAE,CAAC,CAAC;IAEjE,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAEvD,iDAAiD;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,wBAAwB,WAAW,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,oBAAoB,CAAC,CAAC;QAEpF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,KAAK,CAAC,oCAAoC,eAAe,EAAE,CAAC,CAAC;YACrE,OAAO,CAAC,KAAK,CAAC,oFAAoF,CAAC,CAAC;YACpG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAEjE,iCAAiC;QACjC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,wGAAwG,CAAC,CAAC;QACzH,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,qDAAqD;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,YAAY,SAAS,GAAG,CAAC,CAAC;IACxC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG;YACnB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,EAAE;YACZ,oBAAoB,EAAE,EAAE;YACxB,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,EAAE;SACf,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG;QACzB,WAAW,EAAE;YACX,KAAK,EAAE;gBACL,wBAAwB;gBACxB,eAAe;gBACf,YAAY;gBACZ,YAAY;gBACZ,aAAa;gBACb,YAAY;gBACZ,cAAc;gBACd,cAAc;gBACd,YAAY;gBACZ,uBAAuB;gBACvB,cAAc;gBACd,cAAc;gBACd,cAAc;gBACd,eAAe;gBACf,iBAAiB;gBACjB,sBAAsB;gBACtB,iBAAiB;gBACjB,oBAAoB;gBACpB,kBAAkB;gBAClB,0BAA0B;gBAC1B,iBAAiB;gBACjB,cAAc;gBACd,cAAc;gBACd,oBAAoB;gBACpB,iBAAiB;gBACjB,sBAAsB;gBACtB,8BAA8B;gBAC9B,cAAc;gBACd,4BAA4B;gBAC5B,kBAAkB;gBAClB,mBAAmB;gBACnB,kBAAkB;aACnB;SACF;KACF,CAAC;IAEF,0CAA0C;IAC1C,IAAI,gBAAgB,GAAQ,EAAE,CAAC;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,cAAc,GAAG;QACrB,GAAG,gBAAgB;QACnB,WAAW,EAAE;YACX,GAAG,gBAAgB,CAAC,WAAW;YAC/B,KAAK,EAAE;gBACL,GAAG,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK;aACxC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SACpD;KACF,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,2BAA2B,CAAC,CAAC;IAEzE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkCb,CAAC,CAAC;AACH,CAAC"}

package/dist/prompts/coverme-command.md CHANGED Viewed

@@ -566,47 +566,47 @@ Return ONLY: "done"
 ---
-## Phase 3: Aggregate Results
+## Phase 3: Aggregate Results (FAST)
-**CRITICAL: Use Write tool directly, NOT bash heredoc**
+**SPEED IS CRITICAL - Do this quickly:**
-1. List agent files:
+1. Read agent files in PARALLEL:
 ```bash
-ls .coverme/agents/*.json 2>/dev/null | head -30
+cat .coverme/agents/*.json 2>/dev/null | head -500
 ```
-2. Read each agent JSON file using the Read tool (in parallel if possible)
-3. **Use the Write tool** to save `.coverme/scan.json` with this structure:
+2. Build a MINIMAL scan.json with only essential fields:
 ```json
 {
-  "projectName": "from package.json or folder name",
-  "scanDate": "ISO timestamp",
-  "filesScanned": N,
-  "linesOfCode": N,
-  "findings": [merged from all agent files, deduplicated],
-  "positiveObservations": [from POSITIVE.json],
+  "projectName": "PROJECT_NAME",
+  "scanDate": "DATE",
+  "findings": [/* max 30 findings, critical/high first */],
   "summary": {"critical":N,"high":N,"medium":N,"low":N}
 }
 ```
-**IMPORTANT**:
-- Use Write tool, not bash echo/cat
-- Keep max 50 findings (prioritize by severity)
-- Max 3 code snippets per finding
+3. **Write scan.json using Write tool** - keep it under 50KB!
+   - Max 30 findings total
+   - Max 100 chars per code snippet
+   - No duplicate findings
 ---
-## Phase 4: Generate Report
+## Phase 4: Generate PDF Report
+**Run this IMMEDIATELY after writing scan.json:**
+```bash
+coverme .coverme/scan.json security-report-$(date +%Y-%m-%d).pdf && open security-report-$(date +%Y-%m-%d).pdf
+```
+If that fails, try:
 ```bash
-TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
-npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
-open ".coverme/report_$TIMESTAMP.html"
+npx coverme-scanner .coverme/scan.json security-report.pdf && open security-report.pdf
 ```
 ---
 ## DONE
-Tell user: "Scan complete! Report opened."
+Tell user: "Scan complete! PDF report opened."

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "4.0.1",
+  "version": "4.0.3",
   "description": "AI-powered security scanner with 33 agents including AI-generated code detection. STRIDE/DREAD scoring, adversarial review, professional PDF reports.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",