hackmyagent 0.17.0 → 0.17.2

package/dist/nanomind-core/inference/security-analyst.d.ts

@@ -0,0 +1,95 @@
+/**
+ * NanoMind Security Analyst -- Generative model inference
+ *
+ * Runs the nanomind-security-analyst model (SmolLM2-1.7B 12L SFT)
+ * for structured security analysis. This is a GENERATIVE model that
+ * produces JSON output, NOT a replacement for the TME classifier.
+ *
+ * Two inference backends (auto-detected):
+ *   1. MLX (mlx_lm)     -- Apple Silicon only, safetensors (1.8GB)
+ *   2. llama.cpp         -- Cross-platform, GGUF Q4_K_M (~1GB) [planned]
+ *
+ * Task types:
+ *   - threatAnalysis, credentialContextClassification, falsePositiveDetection,
+ *     artifactClassification, checkExplanation, governanceReasoning, intelReport
+ *
+ * Gated behind --analm flag. Model downloaded on-demand via `analm setup`.
+ */
+export type AnalystTaskType = 'threatAnalysis' | 'credentialContextClassification' | 'falsePositiveDetection' | 'artifactClassification' | 'checkExplanation' | 'governanceReasoning' | 'intelReport';
+export interface AnalystRequest {
+    taskType: AnalystTaskType;
+    content: string;
+    context?: string;
+}
+export interface AnalystResponse {
+    taskType: AnalystTaskType;
+    result: Record<string, unknown>;
+    confidence: number;
+    modelVersion: string;
+    durationMs: number;
+    backend: AnalystBackend;
+}
+export interface ThreatAnalysis {
+    threatLevel: string;
+    attackVector: string;
+    description: string;
+    mitigations: string[];
+    confidence: number;
+}
+export interface CredentialContext {
+    classification: 'real' | 'test' | 'example' | 'placeholder' | 'unknown';
+    reasoning: string;
+    confidence: number;
+}
+export interface FalsePositiveAssessment {
+    isFalsePositive: boolean;
+    reasoning: string;
+    confidence: number;
+}
+export type AnalystBackend = 'mlx' | 'llamacpp' | 'none';
+export interface AnalystStatus {
+    available: boolean;
+    backend: AnalystBackend;
+    modelCached: boolean;
+    platform: string;
+    setupCommand: string;
+}
+/**
+ * Get the full status of the analyst subsystem.
+ * Used by `analyst status` and scan hints.
+ */
+export declare function getAnalystStatus(): Promise<AnalystStatus>;
+/**
+ * Quick check: is the analyst ready to run right now?
+ * Does NOT trigger downloads. Used by orchestrator to decide whether
+ * to show the "run analyst setup" hint.
+ */
+export declare function isAnalystReady(): Promise<boolean>;
+/**
+ * Download the AnaLM model. Called by `analm setup` command.
+ * Returns true on success.
+ */
+export declare function setupAnalystModel(quiet?: boolean): Promise<boolean>;
+/**
+ * Run analyst inference on the given request.
+ * Returns null if the analyst is unavailable or inference fails.
+ * Caller must gate behind --analyze flag.
+ */
+export declare function runAnalystInference(request: AnalystRequest): Promise<AnalystResponse | null>;
+/**
+ * Run threat analysis on content flagged as suspicious/malicious.
+ */
+export declare function analyzeThreat(content: string, attackClass: string): Promise<ThreatAnalysis | null>;
+/**
+ * Assess whether a credential finding is a real credential or test/example.
+ */
+export declare function assessCredentialContext(content: string): Promise<CredentialContext | null>;
+/**
+ * Assess whether a finding is a false positive.
+ */
+export declare function assessFalsePositive(content: string, findingDescription: string): Promise<FalsePositiveAssessment | null>;
+/**
+ * Generate an intelligence report summarizing scan findings.
+ */
+export declare function generateIntelReport(findingsSummary: string): Promise<AnalystResponse | null>;
+//# sourceMappingURL=security-analyst.d.ts.map

package/dist/nanomind-core/inference/security-analyst.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-analyst.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/inference/security-analyst.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAUH,MAAM,MAAM,eAAe,GACvB,gBAAgB,GAChB,iCAAiC,GACjC,wBAAwB,GACxB,wBAAwB,GACxB,kBAAkB,GAClB,qBAAqB,GACrB,aAAa,CAAC;AAElB,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,eAAe,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,aAAa,GAAG,SAAS,CAAC;IACxE,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IACtC,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,UAAU,GAAG,MAAM,CAAC;AAEzD,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAmFD;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,aAAa,CAAC,CAW/D;AAED;;;;GAIG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC,CAIvD;AAMD;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,UAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CA0DvE;AAMD;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAajC;AAqDD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAgBhC;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAkBnC;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,kBAAkB,EAAE,MAAM,GACzB,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAczC;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAKjC"}

package/dist/nanomind-core/inference/security-analyst.js

@@ -0,0 +1,372 @@
+"use strict";
+/**
+ * NanoMind Security Analyst -- Generative model inference
+ *
+ * Runs the nanomind-security-analyst model (SmolLM2-1.7B 12L SFT)
+ * for structured security analysis. This is a GENERATIVE model that
+ * produces JSON output, NOT a replacement for the TME classifier.
+ *
+ * Two inference backends (auto-detected):
+ *   1. MLX (mlx_lm)     -- Apple Silicon only, safetensors (1.8GB)
+ *   2. llama.cpp         -- Cross-platform, GGUF Q4_K_M (~1GB) [planned]
+ *
+ * Task types:
+ *   - threatAnalysis, credentialContextClassification, falsePositiveDetection,
+ *     artifactClassification, checkExplanation, governanceReasoning, intelReport
+ *
+ * Gated behind --analm flag. Model downloaded on-demand via `analm setup`.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAnalystStatus = getAnalystStatus;
+exports.isAnalystReady = isAnalystReady;
+exports.setupAnalystModel = setupAnalystModel;
+exports.runAnalystInference = runAnalystInference;
+exports.analyzeThreat = analyzeThreat;
+exports.assessCredentialContext = assessCredentialContext;
+exports.assessFalsePositive = assessFalsePositive;
+exports.generateIntelReport = generateIntelReport;
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const node_child_process_1 = require("node:child_process");
+// ============================================================================
+// Constants
+// ============================================================================
+const HF_REPO = 'opena2a/nanomind-security-analyst';
+const MODEL_VERSION = '0.1.0';
+/** Maximum input length sent to the analyst (tokens are ~4 chars avg) */
+const MAX_INPUT_CHARS = 2048;
+/** Inference timeout. The 1.7B model runs ~2-5s per request on M-series. */
+const INFERENCE_TIMEOUT_MS = 30000;
+// ============================================================================
+// Backend Detection
+// ============================================================================
+let _detectedBackend;
+let _modelCached;
+/**
+ * Detect the best available inference backend.
+ * MLX is preferred (Apple Silicon), llama.cpp is cross-platform fallback.
+ */
+async function detectBackend() {
+    if (_detectedBackend !== undefined)
+        return _detectedBackend;
+    // Try MLX (Apple Silicon only)
+    if (process.platform === 'darwin') {
+        try {
+            await execAsync('uv', [
+                'run', '--with', 'mlx-lm', 'python3', '-c',
+                'import mlx_lm; print("ok")',
+            ], { timeout: 15000 });
+            _detectedBackend = 'mlx';
+            return _detectedBackend;
+        }
+        catch {
+            // MLX not available, try llama.cpp
+        }
+    }
+    // Try llama.cpp (cross-platform) -- planned for future release
+    // When implemented, check for llama-cpp-python or llamafile binary
+    // try {
+    //   await execAsync('uv', [
+    //     'run', '--with', 'llama-cpp-python', 'python3', '-c',
+    //     'from llama_cpp import Llama; print("ok")',
+    //   ], { timeout: 15_000 });
+    //   _detectedBackend = 'llamacpp';
+    //   return _detectedBackend;
+    // } catch { /* not available */ }
+    _detectedBackend = 'none';
+    return _detectedBackend;
+}
+/**
+ * Check if the model is already cached locally.
+ */
+async function isModelCached() {
+    if (_modelCached !== undefined)
+        return _modelCached;
+    try {
+        const checkScript = `
+from huggingface_hub import try_to_load_from_cache
+import json
+path = try_to_load_from_cache("${HF_REPO}", "config.json")
+print(json.dumps({"cached": path is not None}))
+`;
+        const result = await execAsync('uv', [
+            'run', '--with', 'huggingface-hub', 'python3', '-c', checkScript,
+        ], { timeout: 10000 });
+        const parsed = JSON.parse(result.stdout.trim());
+        _modelCached = Boolean(parsed.cached);
+    }
+    catch {
+        _modelCached = false;
+    }
+    return _modelCached;
+}
+/**
+ * Get the full status of the analyst subsystem.
+ * Used by `analyst status` and scan hints.
+ */
+async function getAnalystStatus() {
+    const backend = await detectBackend();
+    const cached = backend !== 'none' ? await isModelCached() : false;
+    return {
+        available: backend !== 'none' && cached,
+        backend,
+        modelCached: cached,
+        platform: process.platform === 'darwin' ? 'Apple Silicon (MLX)' : process.platform,
+        setupCommand: 'hackmyagent analm setup',
+    };
+}
+/**
+ * Quick check: is the analyst ready to run right now?
+ * Does NOT trigger downloads. Used by orchestrator to decide whether
+ * to show the "run analyst setup" hint.
+ */
+async function isAnalystReady() {
+    const backend = await detectBackend();
+    if (backend === 'none')
+        return false;
+    return isModelCached();
+}
+// ============================================================================
+// Model Setup
+// ============================================================================
+/**
+ * Download the AnaLM model. Called by `analm setup` command.
+ * Returns true on success.
+ */
+async function setupAnalystModel(quiet = false) {
+    const backend = await detectBackend();
+    if (backend === 'none') {
+        if (!quiet) {
+            process.stderr.write('No supported inference backend found.\n' +
+                (process.platform === 'darwin'
+                    ? 'Install uv (https://docs.astral.sh/uv/) and run again.\n'
+                    : 'Cross-platform support (llama.cpp) coming soon.\n' +
+                        'Currently requires Apple Silicon Mac with MLX.\n'));
+        }
+        return false;
+    }
+    if (await isModelCached()) {
+        if (!quiet)
+            process.stderr.write('AnaLM model already downloaded.\n');
+        return true;
+    }
+    if (!quiet) {
+        process.stderr.write(`Downloading AnaLM v${MODEL_VERSION} ` +
+            `(${backend === 'mlx' ? '1.8GB safetensors' : '~1GB GGUF'})...\n`);
+    }
+    try {
+        const downloadScript = `
+from huggingface_hub import snapshot_download
+import json
+path = snapshot_download("${HF_REPO}")
+print(json.dumps({"status": "ok", "path": path}))
+`;
+        const result = await execAsync('uv', [
+            'run', '--with', 'huggingface-hub', 'python3', '-c', downloadScript,
+        ], { timeout: 600000 }); // 10 min for large model
+        const parsed = JSON.parse(result.stdout.trim());
+        if (parsed.status === 'ok') {
+            _modelCached = true;
+            if (!quiet) {
+                process.stderr.write('AnaLM model ready.\n');
+                process.stderr.write('Use --analm with any scan command for AI-powered analysis.\n');
+            }
+            return true;
+        }
+    }
+    catch (err) {
+        if (!quiet) {
+            process.stderr.write(`Download failed: ${err?.message ?? 'unknown error'}\n` +
+                'Check your network connection and try again.\n');
+        }
+    }
+    return false;
+}
+// ============================================================================
+// Inference
+// ============================================================================
+/**
+ * Run analyst inference on the given request.
+ * Returns null if the analyst is unavailable or inference fails.
+ * Caller must gate behind --analyze flag.
+ */
+async function runAnalystInference(request) {
+    const backend = await detectBackend();
+    if (backend === 'none')
+        return null;
+    const cached = await isModelCached();
+    if (!cached)
+        return null;
+    if (backend === 'mlx') {
+        return runMlxInference(request);
+    }
+    // llamacpp backend -- planned
+    return null;
+}
+async function runMlxInference(request) {
+    const startMs = Date.now();
+    const truncatedContent = request.content.slice(0, MAX_INPUT_CHARS);
+    const systemPrompt = getSystemPrompt(request.taskType);
+    const userMessage = request.context
+        ? `Context: ${request.context}\n\nContent:\n${truncatedContent}`
+        : truncatedContent;
+    // Use external Python script to avoid template literal escaping issues
+    const scriptPath = (0, node_path_1.join)(__dirname, 'analm-infer.py');
+    try {
+        const result = await execAsync('uv', [
+            'run', '--with', 'mlx-lm', 'python3', scriptPath,
+            HF_REPO,
+            request.taskType,
+            JSON.stringify(systemPrompt),
+            JSON.stringify(userMessage),
+        ], { timeout: INFERENCE_TIMEOUT_MS });
+        // stdout may contain HuggingFace progress bars before the JSON line
+        const jsonLine = result.stdout.trim().split('\n')
+            .reverse()
+            .find(line => line.trim().startsWith('{'));
+        if (!jsonLine)
+            return null;
+        const parsed = JSON.parse(jsonLine.trim());
+        const durationMs = Date.now() - startMs;
+        if (parsed.ok && parsed.result) {
+            return {
+                taskType: request.taskType,
+                result: parsed.result,
+                confidence: typeof parsed.result.confidence === 'number' ? parsed.result.confidence : 0.5,
+                modelVersion: `nanomind-analyst-v${MODEL_VERSION}`,
+                durationMs,
+                backend: 'mlx',
+            };
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+// ============================================================================
+// Task-Specific Runners
+// ============================================================================
+/**
+ * Run threat analysis on content flagged as suspicious/malicious.
+ */
+async function analyzeThreat(content, attackClass) {
+    const response = await runAnalystInference({
+        taskType: 'threatAnalysis',
+        content,
+        context: `Detected attack class: ${attackClass}`,
+    });
+    if (!response)
+        return null;
+    const r = response.result;
+    return {
+        threatLevel: String(r.threatLevel ?? 'unknown'),
+        attackVector: String(r.attackVector ?? attackClass),
+        description: String(r.description ?? ''),
+        mitigations: Array.isArray(r.mitigations) ? r.mitigations.map(String) : [],
+        confidence: response.confidence,
+    };
+}
+/**
+ * Assess whether a credential finding is a real credential or test/example.
+ */
+async function assessCredentialContext(content) {
+    const response = await runAnalystInference({
+        taskType: 'credentialContextClassification',
+        content,
+    });
+    if (!response)
+        return null;
+    const r = response.result;
+    const validClasses = ['real', 'test', 'example', 'placeholder', 'unknown'];
+    const classification = validClasses.includes(r.classification)
+        ? r.classification
+        : 'unknown';
+    return {
+        classification,
+        reasoning: String(r.reasoning ?? ''),
+        confidence: response.confidence,
+    };
+}
+/**
+ * Assess whether a finding is a false positive.
+ */
+async function assessFalsePositive(content, findingDescription) {
+    const response = await runAnalystInference({
+        taskType: 'falsePositiveDetection',
+        content,
+        context: `Finding: ${findingDescription}`,
+    });
+    if (!response)
+        return null;
+    const r = response.result;
+    return {
+        isFalsePositive: Boolean(r.isFalsePositive),
+        reasoning: String(r.reasoning ?? ''),
+        confidence: response.confidence,
+    };
+}
+/**
+ * Generate an intelligence report summarizing scan findings.
+ */
+async function generateIntelReport(findingsSummary) {
+    return runAnalystInference({
+        taskType: 'intelReport',
+        content: findingsSummary,
+    });
+}
+// ============================================================================
+// System Prompts
+// ============================================================================
+function getSystemPrompt(taskType) {
+    const prompts = {
+        threatAnalysis: 'You are a security analyst. Analyze the given content for threats. ' +
+            'Respond with JSON: {"threatLevel": "critical|high|medium|low|none", ' +
+            '"attackVector": "string", "description": "string", "mitigations": ["string"], ' +
+            '"confidence": 0.0-1.0}',
+        credentialContextClassification: 'You are a credential context classifier. Determine if the credential in the content ' +
+            'is real, test, example, or placeholder. ' +
+            'Respond with JSON: {"classification": "real|test|example|placeholder|unknown", ' +
+            '"reasoning": "string", "confidence": 0.0-1.0}',
+        falsePositiveDetection: 'You are a false positive detector for security findings. ' +
+            'Determine if the described finding is a false positive based on the content. ' +
+            'Respond with JSON: {"isFalsePositive": true|false, "reasoning": "string", ' +
+            '"confidence": 0.0-1.0}',
+        artifactClassification: 'You are a security artifact classifier. Classify the type of the given artifact. ' +
+            'Respond with JSON: {"artifactType": "string", "reasoning": "string", ' +
+            '"confidence": 0.0-1.0}',
+        checkExplanation: 'You are a security check explainer. Explain what the security check found and why it matters. ' +
+            'Respond with JSON: {"explanation": "string", "impact": "string", ' +
+            '"recommendation": "string", "confidence": 0.0-1.0}',
+        governanceReasoning: 'You are a governance analyst. Analyze the governance posture of the given artifact. ' +
+            'Respond with JSON: {"gaps": ["string"], "strengths": ["string"], ' +
+            '"recommendations": ["string"], "confidence": 0.0-1.0}',
+        intelReport: 'You are a security intelligence analyst. Generate an intelligence report for the scan results. ' +
+            'Respond with JSON: {"summary": "string", "keyFindings": ["string"], ' +
+            '"riskAssessment": "string", "recommendations": ["string"], "confidence": 0.0-1.0}',
+    };
+    return prompts[taskType];
+}
+// ============================================================================
+// Subprocess Helper
+// ============================================================================
+function execAsync(cmd, args, options = {}) {
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)(cmd, args, {
+            timeout: options.timeout ?? 30000,
+            maxBuffer: 10 * 1024 * 1024, // 10MB
+            env: {
+                ...process.env,
+                HF_HOME: (0, node_path_1.join)((0, node_os_1.homedir)(), '.cache', 'huggingface'),
+            },
+        }, (error, stdout, stderr) => {
+            if (error) {
+                reject(error);
+            }
+            else {
+                resolve({ stdout: String(stdout), stderr: String(stderr) });
+            }
+        });
+    });
+}
+//# sourceMappingURL=security-analyst.js.map

package/dist/nanomind-core/inference/security-analyst.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-analyst.js","sourceRoot":"","sources":["../../../src/nanomind-core/inference/security-analyst.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;AAqJH,4CAWC;AAOD,wCAIC;AAUD,8CA0DC;AAWD,kDAeC;AAwDD,sCAmBC;AAKD,0DAoBC;AAKD,kDAiBC;AAKD,kDAOC;AA7YD,yCAAiC;AACjC,qCAAkC;AAClC,2DAA8C;AA4D9C,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,OAAO,GAAG,mCAAmC,CAAC;AACpD,MAAM,aAAa,GAAG,OAAO,CAAC;AAE9B,yEAAyE;AACzE,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B,4EAA4E;AAC5E,MAAM,oBAAoB,GAAG,KAAM,CAAC;AAEpC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,IAAI,gBAA4C,CAAC;AACjD,IAAI,YAAiC,CAAC;AAEtC;;;GAGG;AACH,KAAK,UAAU,aAAa;IAC1B,IAAI,gBAAgB,KAAK,SAAS;QAAE,OAAO,gBAAgB,CAAC;IAE5D,+BAA+B;IAC/B,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,EAAE;gBACpB,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI;gBAC1C,4BAA4B;aAC7B,EAAE,EAAE,OAAO,EAAE,KAAM,EAAE,CAAC,CAAC;YACxB,gBAAgB,GAAG,KAAK,CAAC;YACzB,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,mEAAmE;IACnE,QAAQ;IACR,4BAA4B;IAC5B,4DAA4D;IAC5D,kDAAkD;IAClD,6BAA6B;IAC7B,mCAAmC;IACnC,6BAA6B;IAC7B,kCAAkC;IAElC,gBAAgB,GAAG,MAAM,CAAC;IAC1B,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa;IAC1B,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,YAAY,CAAC;IAEpD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG;;;iCAGS,OAAO;;CAEvC,CAAC;QACE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE;YACnC,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW;SACjE,EAAE,EAAE,OAAO,EAAE,KAAM,EAAE,CAAC,CAAC;QACxB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,GAAG,KAAK,CAAC;IACvB,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,gBAAgB;IACpC,MAAM,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,aAAa,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IAElE,OAAO;QACL,SAAS,EAAE,OAAO,KAAK,MAAM,IAAI,MAAM;QACvC,OAAO;QACP,WAAW,EAAE,MAAM;QACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ;QAClF,YAAY,EAAE,yBAAyB;KACxC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,cAAc;IAClC,MAAM,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;IACtC,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,aAAa,EAAE,CAAC;AACzB,CAAC;AAED,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,iBAAiB,CAAC,KAAK,GAAG,KAAK;IACnD,MAAM,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;IAEtC,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yCAAyC;gBACzC,CAAC,OAAO,CAAC,QAAQ,KAAK,QAAQ;oBAC5B,CAAC,CAAC,0DAA0D;oBAC5D,CAAC,CAAC,mDAAmD;wBACnD,kDAAkD,CAAC,CACxD,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,MAAM,aAAa,EAAE,EAAE,CAAC;QAC1B,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,aAAa,GAAG;YACtC,IAAI,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,WAAW,QAAQ,CAClE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,GAAG;;;4BAGC,OAAO;;CAElC,CAAC;QACE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE;YACnC,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,SAAS,EAAE,IAAI,EAAE,cAAc;SACpE,EAAE,EAAE,OAAO,EAAE,MAAO,EAAE,CAAC,CAAC,CAAC,yBAAyB;QAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YAC3B,YAAY,GAAG,IAAI,CAAC;YACpB,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;gBAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;YACvF,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,oBAAoB,GAAG,EAAE,OAAO,IAAI,eAAe,IAAI;gBACvD,gDAAgD,CACjD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,OAAuB;IAEvB,MAAM,OAAO,GAAG,MAAM,aAAa,EAAE,CAAC;IACtC,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,MAAM,GAAG,MAAM,aAAa,EAAE,CAAC;IACrC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,8BAA8B;IAC9B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAuB;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO;QACjC,CAAC,CAAC,YAAY,OAAO,CAAC,OAAO,iBAAiB,gBAAgB,EAAE;QAChE,CAAC,CAAC,gBAAgB,CAAC;IAErB,uEAAuE;IACvE,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE;YACnC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU;YAChD,OAAO;YACP,OAAO,CAAC,QAAQ;YAChB,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;YAC5B,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;SAC5B,EAAE,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAAC,CAAC;QAEtC,oEAAoE;QACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;aAC9C,OAAO,EAAE;aACT,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;QAExC,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/B,OAAO;gBACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,UAAU,EAAE,OAAO,MAAM,CAAC,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG;gBACzF,YAAY,EAAE,qBAAqB,aAAa,EAAE;gBAClD,UAAU;gBACV,OAAO,EAAE,KAAK;aACf,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACI,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,WAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC;QACzC,QAAQ,EAAE,gBAAgB;QAC1B,OAAO;QACP,OAAO,EAAE,0BAA0B,WAAW,EAAE;KACjD,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC1B,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,SAAS,CAAC;QAC/C,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,IAAI,WAAW,CAAC;QACnD,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;QACxC,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;QAC1E,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,uBAAuB,CAC3C,OAAe;IAEf,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC;QACzC,QAAQ,EAAE,iCAAiC;QAC3C,OAAO;KACR,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC1B,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,CAAU,CAAC;IACpF,MAAM,cAAc,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAqB,CAAC;QACnE,CAAC,CAAE,CAAC,CAAC,cAAsD;QAC3D,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,cAAc;QACd,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;QACpC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,OAAe,EACf,kBAA0B;IAE1B,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC;QACzC,QAAQ,EAAE,wBAAwB;QAClC,OAAO;QACP,OAAO,EAAE,YAAY,kBAAkB,EAAE;KAC1C,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;IAC1B,OAAO;QACL,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QAC3C,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC;QACpC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,eAAuB;IAEvB,OAAO,mBAAmB,CAAC;QACzB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,eAAe;KACzB,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,QAAyB;IAChD,MAAM,OAAO,GAAoC;QAC/C,cAAc,EACZ,qEAAqE;YACrE,sEAAsE;YACtE,gFAAgF;YAChF,wBAAwB;QAC1B,+BAA+B,EAC7B,sFAAsF;YACtF,0CAA0C;YAC1C,iFAAiF;YACjF,+CAA+C;QACjD,sBAAsB,EACpB,2DAA2D;YAC3D,+EAA+E;YAC/E,4EAA4E;YAC5E,wBAAwB;QAC1B,sBAAsB,EACpB,mFAAmF;YACnF,uEAAuE;YACvE,wBAAwB;QAC1B,gBAAgB,EACd,gGAAgG;YAChG,mEAAmE;YACnE,oDAAoD;QACtD,mBAAmB,EACjB,sFAAsF;YACtF,mEAAmE;YACnE,uDAAuD;QACzD,WAAW,EACT,iGAAiG;YACjG,sEAAsE;YACtE,mFAAmF;KACtF,CAAC;IAEF,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC3B,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,SAAS,SAAS,CAChB,GAAW,EACX,IAAc,EACd,UAAgC,EAAE;IAElC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAA,6BAAQ,EAAC,GAAG,EAAE,IAAI,EAAE;YAClB,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,KAAM;YAClC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;YACpC,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,OAAO,EAAE,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,EAAE,aAAa,CAAC;aAClD;SACF,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC3B,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/nanomind-core/orchestrate.d.ts

@@ -14,11 +14,14 @@
  * Defense-in-depth: static findings can NEVER be suppressed, only upgraded.
  */
 import type { SecurityFinding } from '../hardening/security-check.js';
+import type { AnalystResponse } from './inference/security-analyst.js';
 export interface OrchestrationOptions {
     staticOnly?: boolean;
     ci?: boolean;
     deep?: boolean;
     silent?: boolean;
+    /** Run AnaLM generative analysis (--analm flag). */
+    analm?: boolean;
 }
 export interface OrchestrationResult {
     mergedFindings: SecurityFinding[];
@@ -26,6 +29,10 @@ export interface OrchestrationResult {
     compiledArtifacts: number;
     newSemanticFindings: number;
     integrityStatus: string;
+    /** AnaLM results (present when --analm is used and model is available). */
+    analystFindings?: AnalystResponse[];
+    /** Hint shown to user when analyst is available but not used. */
+    analystHint?: string;
 }
 /**
  * Run NanoMind semantic analysis and merge with existing findings.

package/dist/nanomind-core/orchestrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"orchestrate.d.ts","sourceRoot":"","sources":["../../src/nanomind-core/orchestrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAGtE,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,eAAe,EAAE,CAAC;IAClC,YAAY,EAAE,OAAO,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,eAAe,EAAE,EACnC,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAsE9B"}
+{"version":3,"file":"orchestrate.d.ts","sourceRoot":"","sources":["../../src/nanomind-core/orchestrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAEtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAEvE,MAAM,WAAW,oBAAoB;IACnC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,oDAAoD;IACpD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,cAAc,EAAE,eAAe,EAAE,CAAC;IAClC,YAAY,EAAE,OAAO,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,eAAe,EAAE,MAAM,CAAC;IACxB,2EAA2E;IAC3E,eAAe,CAAC,EAAE,eAAe,EAAE,CAAC;IACpC,iEAAiE;IACjE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,eAAe,EAAE,EACnC,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAuG9B"}

package/dist/nanomind-core/orchestrate.js

@@ -55,7 +55,7 @@ exports.orchestrateNanoMind = orchestrateNanoMind;
  * is unavailable (returns original findings unchanged).
  */
 async function orchestrateNanoMind(targetDir, existingFindings, options = {}) {
-    const { staticOnly = false, ci = false, silent = false } = options;
+    const { staticOnly = false, ci = false, silent = false, analm = false } = options;
     // Skip NanoMind only when explicitly opted out
     // CI mode still runs NanoMind (deterministic, no cost, better results)
     if (staticOnly) {
@@ -95,13 +95,39 @@ async function orchestrateNanoMind(targetDir, existingFindings, options = {}) {
         // Flush NanoMind classification telemetry (non-blocking, best-effort)
         Promise.resolve().then(() => __importStar(require('../telemetry/nanomind-telemetry.js'))).then(m => m.flushNanoMindTelemetry())
             .catch(() => { });
-        return {
+        const result = {
             mergedFindings: nmResult.mergedFindings,
             nanomindUsed: nmResult.nanomindAvailable,
             compiledArtifacts: nmResult.compiledArtifacts,
             newSemanticFindings: newFindings,
             integrityStatus: nmResult.integrityStatus,
         };
+        // --- Security Analyst (generative model, --analyze flag) ---
+        const { isAnalystReady, runAnalystInference } = await Promise.resolve().then(() => __importStar(require('./inference/security-analyst.js')));
+        if (analm) {
+            const ready = await isAnalystReady();
+            if (ready) {
+                if (!silent)
+                    process.stderr.write('Running AnaLM analysis...\n');
+                result.analystFindings = await runAnalystOnFindings(nmResult.mergedFindings, runAnalystInference);
+                if (!silent && result.analystFindings.length > 0) {
+                    process.stderr.write(`Analyst: ${result.analystFindings.length} finding(s) analyzed\n`);
+                }
+            }
+            else {
+                if (!silent) {
+                    process.stderr.write('AnaLM not set up. Run: hackmyagent analm setup\n');
+                }
+            }
+        }
+        else if (!silent && !ci) {
+            // Check if analyst is available but not used -- show hint once
+            const ready = await isAnalystReady();
+            if (ready) {
+                result.analystHint = 'Add --analm for AI-powered threat analysis';
+            }
+        }
+        return result;
     }
     catch {
         // NanoMind unavailable -- static results are still valid
@@ -114,4 +140,44 @@ async function orchestrateNanoMind(targetDir, existingFindings, options = {}) {
         };
     }
 }
+/**
+ * Run the analyst model on failed findings that warrant deeper analysis.
+ * Targets: suspicious/malicious classifications, credential findings,
+ * and high/critical severity findings.
+ */
+async function runAnalystOnFindings(findings, runInference) {
+    const results = [];
+    const failed = findings.filter(f => !f.passed && !f.fixed);
+    // Limit to top 10 most important findings to keep inference time reasonable
+    const prioritized = failed
+        .sort((a, b) => {
+        const sevRank = { critical: 4, high: 3, medium: 2, low: 1 };
+        return (sevRank[b.severity] ?? 0) - (sevRank[a.severity] ?? 0);
+    })
+        .slice(0, 10);
+    for (const finding of prioritized) {
+        // Choose task type based on finding category
+        const isCredential = finding.checkId?.startsWith('CRED') ||
+            finding.attackClass === 'credential_abuse';
+        const taskType = isCredential
+            ? 'credentialContextClassification'
+            : 'threatAnalysis';
+        const content = [
+            finding.name,
+            finding.description,
+            finding.message,
+            finding.file ? `File: ${finding.file}` : '',
+            finding.attackClass ? `Attack class: ${finding.attackClass}` : '',
+        ].filter(Boolean).join('\n');
+        const response = await runInference({
+            taskType,
+            content,
+            context: `Check ID: ${finding.checkId}, Severity: ${finding.severity}`,
+        });
+        if (response) {
+            results.push(response);
+        }
+    }
+    return results;
+}
 //# sourceMappingURL=orchestrate.js.map

package/dist/nanomind-core/orchestrate.js.map

@@ -1 +1 @@
-{"version":3,"file":"orchestrate.js","sourceRoot":"","sources":["../../src/nanomind-core/orchestrate.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBH,kDA0EC;AA/ED;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,SAAiB,EACjB,gBAAmC,EACnC,UAAgC,EAAE;IAElC,MAAM,EAAE,UAAU,GAAG,KAAK,EAAE,EAAE,GAAG,KAAK,EAAE,MAAM,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEnE,+CAA+C;IAC/C,uEAAuE;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,cAAc,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACrC,YAAY,EAAE,KAAK;YACnB,iBAAiB,EAAE,CAAC;YACpB,mBAAmB,EAAE,CAAC;YACtB,eAAe,EAAE,SAAS;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,0DAA0D;QAC1D,yEAAyE;QACzE,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,uBAAuB,GAAC,CAAC;QAC/D,MAAM,eAAe,GAAG,MAAM,YAAY,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,IAAI,eAAe,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACvD,CAAC;QAED,sDAAsD;QACtD,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,mEAAmE;QACnE,MAAM,EAAE,gBAAgB,EAAE,GAAG,wDAAa,+BAA+B,GAAC,CAAC;QAC3E,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;QAC/B,MAAM,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAE9B,MAAM,EAAE,eAAe,EAAE,GAAG,wDAAa,qBAAqB,GAAC,CAAC;QAChE,MAAM,QAAQ,GAAuB,MAAM,eAAe,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;QAExF,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAEvE,IAAI,CAAC,MAAM,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,aAAa,QAAQ,CAAC,iBAAiB,0BAA0B,WAAW,8BAA8B,CAC3G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,QAAQ,CAAC,eAAe,IAAI,CAAC,CAAC;QACrE,CAAC;QAED,sEAAsE;QACtE,kDAAO,oCAAoC,IACxC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB,EAAE,CAAC;aACrC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEnB,OAAO;YACL,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,YAAY,EAAE,QAAQ,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,mBAAmB,EAAE,WAAW;YAChC,eAAe,EAAE,QAAQ,CAAC,eAAe;SAC1C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;QACzD,OAAO;YACL,cAAc,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACrC,YAAY,EAAE,KAAK;YACnB,iBAAiB,EAAE,CAAC;YACpB,mBAAmB,EAAE,CAAC;YACtB,eAAe,EAAE,aAAa;SAC/B,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"orchestrate.js","sourceRoot":"","sources":["../../src/nanomind-core/orchestrate.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCH,kDA2GC;AAhHD;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,SAAiB,EACjB,gBAAmC,EACnC,UAAgC,EAAE;IAElC,MAAM,EAAE,UAAU,GAAG,KAAK,EAAE,EAAE,GAAG,KAAK,EAAE,MAAM,GAAG,KAAK,EAAE,KAAK,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAElF,+CAA+C;IAC/C,uEAAuE;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,cAAc,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACrC,YAAY,EAAE,KAAK;YACnB,iBAAiB,EAAE,CAAC;YACpB,mBAAmB,EAAE,CAAC;YACtB,eAAe,EAAE,SAAS;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,0DAA0D;QAC1D,yEAAyE;QACzE,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,uBAAuB,GAAC,CAAC;QAC/D,MAAM,eAAe,GAAG,MAAM,YAAY,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,IAAI,eAAe,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACvD,CAAC;QAED,sDAAsD;QACtD,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,mEAAmE;QACnE,MAAM,EAAE,gBAAgB,EAAE,GAAG,wDAAa,+BAA+B,GAAC,CAAC;QAC3E,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;QAC/B,MAAM,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAE9B,MAAM,EAAE,eAAe,EAAE,GAAG,wDAAa,qBAAqB,GAAC,CAAC;QAChE,MAAM,QAAQ,GAAuB,MAAM,eAAe,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;QAExF,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QAEvE,IAAI,CAAC,MAAM,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,aAAa,QAAQ,CAAC,iBAAiB,0BAA0B,WAAW,8BAA8B,CAC3G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,QAAQ,CAAC,eAAe,IAAI,CAAC,CAAC;QACrE,CAAC;QAED,sEAAsE;QACtE,kDAAO,oCAAoC,IACxC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB,EAAE,CAAC;aACrC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEnB,MAAM,MAAM,GAAwB;YAClC,cAAc,EAAE,QAAQ,CAAC,cAAc;YACvC,YAAY,EAAE,QAAQ,CAAC,iBAAiB;YACxC,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;YAC7C,mBAAmB,EAAE,WAAW;YAChC,eAAe,EAAE,QAAQ,CAAC,eAAe;SAC1C,CAAC;QAEF,8DAA8D;QAC9D,MAAM,EAAE,cAAc,EAAE,mBAAmB,EAAE,GAAG,wDAAa,iCAAiC,GAAC,CAAC;QAEhG,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,MAAM,cAAc,EAAE,CAAC;YACrC,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,MAAM;oBAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjE,MAAM,CAAC,eAAe,GAAG,MAAM,oBAAoB,CACjD,QAAQ,CAAC,cAAc,EACvB,mBAAmB,CACpB,CAAC;gBACF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,MAAM,CAAC,eAAe,CAAC,MAAM,wBAAwB,CAClE,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kDAAkD,CACnD,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,EAAE,CAAC;YAC1B,+DAA+D;YAC/D,MAAM,KAAK,GAAG,MAAM,cAAc,EAAE,CAAC;YACrC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,WAAW,GAAG,4CAA4C,CAAC;YACpE,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;QACzD,OAAO;YACL,cAAc,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACrC,YAAY,EAAE,KAAK;YACnB,iBAAiB,EAAE,CAAC;YACpB,mBAAmB,EAAE,CAAC;YACtB,eAAe,EAAE,aAAa;SAC/B,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,QAA2B,EAC3B,YAAkF;IAElF,MAAM,OAAO,GAAsB,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAE3D,4EAA4E;IAC5E,MAAM,WAAW,GAAG,MAAM;SACvB,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,OAAO,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QACpF,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,CAAC,CAAC;SACD,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEhB,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,6CAA6C;QAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC;YACtD,OAAO,CAAC,WAAW,KAAK,kBAAkB,CAAC;QAC7C,MAAM,QAAQ,GAAG,YAAY;YAC3B,CAAC,CAAC,iCAA0C;YAC5C,CAAC,CAAC,gBAAyB,CAAC;QAE9B,MAAM,OAAO,GAAG;YACd,OAAO,CAAC,IAAI;YACZ,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE;YAC3C,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,iBAAiB,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE;SAClE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC;YAClC,QAAQ;YACR,OAAO;YACP,OAAO,EAAE,aAAa,OAAO,CAAC,OAAO,eAAe,OAAO,CAAC,QAAQ,EAAE;SACvE,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/nanomind-core/scanner-bridge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner-bridge.d.ts","sourceRoot":"","sources":["../../src/nanomind-core/scanner-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,gCAAgC,CAAC;AAEhF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AA+CxE,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,eAAe,EAAE,CAAC;IAClC,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,eAAe,EAAE,eAAe,CAAC;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,eAAe,EAAE,GAClC,OAAO,CAAC,kBAAkB,CAAC,CAmF7B;AA2KD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,cAAc,EAAE,eAAe,EAAE,EACjC,WAAW,EAAE,UAAU,EAAE,GACxB,eAAe,EAAE,CAkDnB"}
+{"version":3,"file":"scanner-bridge.d.ts","sourceRoot":"","sources":["../../src/nanomind-core/scanner-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,gCAAgC,CAAC;AAEhF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AA+CxE,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,eAAe,EAAE,CAAC;IAClC,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,eAAe,EAAE,eAAe,CAAC;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,eAAe,EAAE,GAClC,OAAO,CAAC,kBAAkB,CAAC,CAmG7B;AA6LD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,cAAc,EAAE,eAAe,EAAE,EACjC,WAAW,EAAE,UAAU,EAAE,GACxB,eAAe,EAAE,CAkDnB"}