kuzushi 0.1.0

package/dist/scanners/run-semgrep.js

@@ -0,0 +1,115 @@
+import { createHash } from "node:crypto";
+import { spawn } from "node:child_process";
+import { scoreFindingMetadata } from "./scoring.js";
+/** Score a Semgrep finding by severity * likelihood * impact * subcategory. */
+export function scoreSemgrepFinding(finding) {
+    const extra = finding.extra ?? {};
+    const meta = extra.metadata ?? {};
+    return scoreFindingMetadata({
+        severity: extra.severity,
+        likelihood: meta.likelihood,
+        impact: meta.impact,
+        subcategory: meta.subcategory,
+    });
+}
+/** Content-based fingerprint that survives line shifts. */
+export function computeFingerprint(repoName, ref, finding) {
+    const extra = finding.extra ?? {};
+    let matched = (extra.lines ?? "").trim();
+    if (!matched || matched === "requires login") {
+        matched = String(finding.start?.line ?? "");
+    }
+    const source = `${repoName}|${ref}|${finding.check_id}|${finding.path}|${matched}|${extra.message ?? ""}`;
+    return createHash("sha256").update(source).digest("hex");
+}
+/** Run semgrep/opengrep and return parsed JSON output. */
+export async function runSemgrep(repoRoot, opts, scannerBin = "semgrep", configFlag = "auto") {
+    const binName = scannerBin.split("/").pop() ?? "scanner";
+    const args = [
+        "--config", configFlag,
+        "--json",
+        "--metrics", "on",
+    ];
+    for (const sev of opts.severity) {
+        args.push("--severity", sev);
+    }
+    for (const pattern of opts.excludePatterns) {
+        args.push("--exclude", pattern);
+    }
+    args.push(".");
+    return new Promise((resolve, reject) => {
+        const proc = spawn(scannerBin, args, {
+            cwd: repoRoot,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        const stdoutChunks = [];
+        proc.stdout.on("data", (chunk) => stdoutChunks.push(chunk));
+        proc.stderr.on("data", (chunk) => {
+            process.stderr.write(`  [${binName}] ${chunk.toString()}`);
+        });
+        proc.on("close", (code) => {
+            if (code !== null && code > 1) {
+                reject(new Error(`${binName} failed (exit ${code})`));
+                return;
+            }
+            try {
+                const json = JSON.parse(Buffer.concat(stdoutChunks).toString());
+                resolve(json);
+            }
+            catch (err) {
+                reject(new Error(`Failed to parse ${binName} output: ${err}`));
+            }
+        });
+        proc.on("error", (err) => {
+            reject(new Error(`Failed to spawn ${binName}: ${err.message}`));
+        });
+    });
+}
+/** Rank, deduplicate, and select top findings. */
+export function selectFindings(semgrepOutput, repoName, ref, maxFindings) {
+    const results = semgrepOutput.results ?? [];
+    const scored = results.map((f) => [
+        scoreSemgrepFinding(f),
+        f,
+    ]);
+    scored.sort((a, b) => b[0] - a[0]);
+    const seen = new Map();
+    for (const [score, finding] of scored) {
+        const fp = computeFingerprint(repoName, ref, finding);
+        const existing = seen.get(fp);
+        if (!existing || score > existing[0]) {
+            seen.set(fp, [score, finding]);
+        }
+    }
+    const deduped = [...seen.entries()]
+        .sort((a, b) => b[1][0] - a[1][0])
+        .slice(0, maxFindings);
+    return deduped.map(([fp, [score, finding]]) => {
+        const extra = finding.extra ?? {};
+        const meta = extra.metadata ?? {};
+        return {
+            scanner: "semgrep",
+            fingerprint: fp,
+            ruleId: finding.check_id,
+            filePath: finding.path,
+            startLine: finding.start.line,
+            severity: extra.severity ?? "UNKNOWN",
+            message: extra.message ?? "",
+            evidence: normalizeEvidence(extra.lines),
+            scannerConfidence: meta.confidence ?? "UNKNOWN",
+            subcategory: meta.subcategory ?? ["unknown"],
+            likelihood: meta.likelihood ?? "UNKNOWN",
+            impact: meta.impact ?? "UNKNOWN",
+            cwe: meta.cwe ?? [],
+            score,
+        };
+    });
+}
+function normalizeEvidence(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed || null;
+}
+//# sourceMappingURL=run-semgrep.js.map

package/dist/scanners/run-semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-semgrep.js","sourceRoot":"","sources":["../../src/scanners/run-semgrep.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAG3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AA6BpD,+EAA+E;AAC/E,MAAM,UAAU,mBAAmB,CAAC,OAAsB;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;IAClC,OAAO,oBAAoB,CAAC;QAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,IAAI,CAAC,WAAW;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,GAAW,EACX,OAAsB;IAEtB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,IAAI,OAAO,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;QAC7C,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,MAAM,MAAM,GAAG,GAAG,QAAQ,IAAI,GAAG,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;IAC1G,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,IAAc,EACd,aAAqB,SAAS,EAC9B,aAAqB,MAAM;IAE3B,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC;IACzD,MAAM,IAAI,GAAG;QACX,UAAU,EAAE,UAAU;QACtB,QAAQ;QACR,WAAW,EAAE,IAAI;KAClB,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEf,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE;YACnC,GAAG,EAAE,QAAQ;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACvC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,OAAO,KAAK,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,OAAO,iBAAiB,IAAI,GAAG,CAAC,CAAC,CAAC;gBACtD,OAAO;YACT,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAChE,OAAO,CAAC,IAAqB,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,OAAO,YAAY,GAAG,EAAE,CAAC,CAAC,CAAC;YACjE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,OAAO,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,cAAc,CAC5B,aAA4B,EAC5B,QAAgB,EAChB,GAAW,EACX,WAAoB;IAEpB,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,IAAI,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAmC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAChE,mBAAmB,CAAC,CAAC,CAAC;QACtB,CAAC;KACF,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAmC,CAAC;IACxD,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,QAAQ,IAAI,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YACrC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;SAChC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACjC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAEzB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,EAAE,EAAE;QAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;QAClC,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,EAAE;YACf,MAAM,EAAE,OAAO,CAAC,QAAQ;YACxB,QAAQ,EAAE,OAAO,CAAC,IAAI;YACtB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,SAAS;YACrC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,EAAE;YAC5B,QAAQ,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC;YACxC,iBAAiB,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;YAC/C,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC;YAC5C,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,SAAS;YACxC,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,SAAS;YAChC,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,EAAE;YACnB,KAAK;SACN,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,OAAO,IAAI,IAAI,CAAC;AACzB,CAAC"}

package/dist/scanners/scoring.d.ts

@@ -0,0 +1,7 @@
+/** Shared risk scoring used by all scanners. */
+export declare function scoreFindingMetadata(input: {
+    severity?: string;
+    likelihood?: string;
+    impact?: string;
+    subcategory?: string[];
+}): number;

package/dist/scanners/scoring.js

@@ -0,0 +1,14 @@
+const SEVERITY_SCORE = { ERROR: 3, WARNING: 2, INFO: 1 };
+const LIKELIHOOD_SCORE = { HIGH: 3, MEDIUM: 2, LOW: 1 };
+const IMPACT_SCORE = { HIGH: 3, MEDIUM: 2, LOW: 1 };
+const SUBCATEGORY_SCORE = { vuln: 2, audit: 1 };
+/** Shared risk scoring used by all scanners. */
+export function scoreFindingMetadata(input) {
+    const severity = SEVERITY_SCORE[input.severity ?? "INFO"] ?? 1;
+    const likelihood = LIKELIHOOD_SCORE[input.likelihood ?? "LOW"] ?? 1;
+    const impact = IMPACT_SCORE[input.impact ?? "LOW"] ?? 1;
+    const subcategories = input.subcategory ?? ["audit"];
+    const subcategory = Math.max(...subcategories.map((s) => SUBCATEGORY_SCORE[s] ?? 0), 1);
+    return severity * likelihood * impact * subcategory;
+}
+//# sourceMappingURL=scoring.js.map

package/dist/scanners/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../../src/scanners/scoring.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAA2B,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;AACjF,MAAM,gBAAgB,GAA2B,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAChF,MAAM,YAAY,GAA2B,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAC5E,MAAM,iBAAiB,GAA2B,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AAExE,gDAAgD;AAChD,MAAM,UAAU,oBAAoB,CAAC,KAKpC;IACC,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC;IACxD,MAAM,aAAa,GAAG,KAAK,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxF,OAAO,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,WAAW,CAAC;AACtD,CAAC"}

package/dist/scanners/semgrep.d.ts

@@ -0,0 +1,11 @@
+import type { ScanOpts } from "../types.js";
+import type { Finding, ScannerConfig, ScannerPlugin, TriageAgentConfig } from "./types.js";
+export declare class SemgrepPlugin implements ScannerPlugin {
+    readonly id = "semgrep";
+    readonly displayName = "Semgrep/Opengrep";
+    private scannerBin;
+    private configFlag;
+    init(config: ScannerConfig): Promise<void>;
+    scan(repoRoot: string, opts: ScanOpts, _config: ScannerConfig): Promise<Finding[]>;
+    triageAgentConfig(finding: Finding, repoName: string): TriageAgentConfig;
+}

package/dist/scanners/semgrep.js

@@ -0,0 +1,64 @@
+import path from "node:path";
+import { resolveSemgrepBinary } from "./resolve-semgrep.js";
+import { runSemgrep, selectFindings } from "./run-semgrep.js";
+export class SemgrepPlugin {
+    id = "semgrep";
+    displayName = "Semgrep/Opengrep";
+    scannerBin = "semgrep";
+    configFlag = "auto";
+    async init(config) {
+        const configuredBinary = asOptionalString(config["binary"]);
+        const configuredFlag = asOptionalString(config["configFlag"]);
+        this.configFlag = configuredFlag || "auto";
+        if (configuredBinary) {
+            this.scannerBin = configuredBinary;
+            return;
+        }
+        this.scannerBin = await resolveSemgrepBinary();
+    }
+    async scan(repoRoot, opts, _config) {
+        const repoName = path.basename(repoRoot);
+        const output = await runSemgrep(repoRoot, opts, this.scannerBin, this.configFlag);
+        return selectFindings(output, repoName, "HEAD", opts.maxFindings);
+    }
+    triageAgentConfig(finding, repoName) {
+        return {
+            prompt: [
+                "You are a Semgrep-focused security triage agent.",
+                "Semgrep findings come from syntactic/AST pattern matches and can include false positives without full program context.",
+                "Investigate thoroughly before deciding verdict.",
+                "",
+                "## Finding",
+                `Repo: ${repoName}`,
+                `Scanner: ${finding.scanner}`,
+                `Rule: ${finding.ruleId}`,
+                `File: ${finding.filePath}:${finding.startLine}`,
+                `Severity: ${finding.severity}`,
+                `Scanner Confidence: ${finding.scannerConfidence}`,
+                `Likelihood: ${finding.likelihood}`,
+                `Impact: ${finding.impact}`,
+                `CWE: ${finding.cwe.join(", ") || "none"}`,
+                `Message: ${finding.message}`,
+                `Evidence: ${finding.evidence || "none"}`,
+                `Fingerprint: ${finding.fingerprint}`,
+                "",
+                "## Investigation instructions",
+                "1. Use Read on the flagged file and inspect code around the target line.",
+                "2. Use Grep/Glob to find callers, data sources, sinks, validators, sanitizers, and guards.",
+                "3. Trace end-to-end dataflow and trust boundaries.",
+                "4. Confirm reachability and realistic attacker control.",
+                "5. Explicitly explain why Semgrep's pattern signal is correct or a false alarm.",
+                "",
+                "## Output requirements",
+                "Return ONLY a JSON object with:",
+                "fingerprint, verdict(tp|fp|needs_review), confidence(0..1), rationale, verification_steps(array), fix_patch(string|null)",
+            ].join("\n"),
+        };
+    }
+}
+function asOptionalString(value) {
+    if (typeof value !== "string")
+        return "";
+    return value.trim();
+}
+//# sourceMappingURL=semgrep.js.map

package/dist/scanners/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../src/scanners/semgrep.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAE9D,MAAM,OAAO,aAAa;IACf,EAAE,GAAG,SAAS,CAAC;IACf,WAAW,GAAG,kBAAkB,CAAC;IAElC,UAAU,GAAW,SAAS,CAAC;IAC/B,UAAU,GAAW,MAAM,CAAC;IAEpC,KAAK,CAAC,IAAI,CAAC,MAAqB;QAC9B,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;QAE9D,IAAI,CAAC,UAAU,GAAG,cAAc,IAAI,MAAM,CAAC;QAC3C,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC;YACnC,OAAO;QACT,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,MAAM,oBAAoB,EAAE,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,IAAc,EAAE,OAAsB;QACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAClF,OAAO,cAAc,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IACpE,CAAC;IAED,iBAAiB,CAAC,OAAgB,EAAE,QAAgB;QAClD,OAAO;YACL,MAAM,EAAE;gBACN,kDAAkD;gBAClD,wHAAwH;gBACxH,iDAAiD;gBACjD,EAAE;gBACF,YAAY;gBACZ,SAAS,QAAQ,EAAE;gBACnB,YAAY,OAAO,CAAC,OAAO,EAAE;gBAC7B,SAAS,OAAO,CAAC,MAAM,EAAE;gBACzB,SAAS,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,SAAS,EAAE;gBAChD,aAAa,OAAO,CAAC,QAAQ,EAAE;gBAC/B,uBAAuB,OAAO,CAAC,iBAAiB,EAAE;gBAClD,eAAe,OAAO,CAAC,UAAU,EAAE;gBACnC,WAAW,OAAO,CAAC,MAAM,EAAE;gBAC3B,QAAQ,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,EAAE;gBAC1C,YAAY,OAAO,CAAC,OAAO,EAAE;gBAC7B,aAAa,OAAO,CAAC,QAAQ,IAAI,MAAM,EAAE;gBACzC,gBAAgB,OAAO,CAAC,WAAW,EAAE;gBACrC,EAAE;gBACF,+BAA+B;gBAC/B,0EAA0E;gBAC1E,4FAA4F;gBAC5F,oDAAoD;gBACpD,yDAAyD;gBACzD,iFAAiF;gBACjF,EAAE;gBACF,wBAAwB;gBACxB,iCAAiC;gBACjC,0HAA0H;aAC3H,CAAC,IAAI,CAAC,IAAI,CAAC;SACb,CAAC;IACJ,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzC,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC"}

package/dist/scanners/types.d.ts

@@ -0,0 +1,36 @@
+import type { ScanOpts } from "../types.js";
+export type ScannerId = string;
+export type ScannerConfig = Record<string, unknown>;
+export interface Finding {
+    scanner: ScannerId;
+    fingerprint: string;
+    ruleId: string;
+    filePath: string;
+    startLine: number;
+    severity: string;
+    message: string;
+    /** Optional scanner-provided evidence (for example, source-to-sink flow summaries). */
+    evidence?: string | null;
+    scannerConfidence: string;
+    subcategory: string[];
+    likelihood: string;
+    impact: string;
+    cwe: string[];
+    score: number;
+}
+export type AllowedTriageTool = "Read" | "Glob" | "Grep";
+export interface TriageAgentConfig {
+    /** Prompt for the Agent SDK query(). Finding metadata + investigation instructions. */
+    prompt: string;
+    /** Override default tools. Defaults to ["Read", "Glob", "Grep"]. */
+    allowedTools?: AllowedTriageTool[];
+    /** Override default max turns. Defaults to config.triageMaxTurns. */
+    maxTurns?: number;
+}
+export interface ScannerPlugin {
+    readonly id: ScannerId;
+    readonly displayName: string;
+    scan(repoRoot: string, opts: ScanOpts, config: ScannerConfig): Promise<Finding[]>;
+    triageAgentConfig(finding: Finding, repoName: string): TriageAgentConfig;
+    init?(config: ScannerConfig): Promise<void>;
+}

package/dist/scanners/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/scanners/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":""}

package/dist/scanners.d.ts

@@ -0,0 +1,25 @@
+import { type KuzushiConfig, type RawFinding, type ScanOpts, type Scanner } from "./types.js";
+export interface ScannerPlugin {
+    id: Scanner;
+    displayName: string;
+    scan(ctx: {
+        repoRoot: string;
+        repoName: string;
+        ref: string;
+        opts: ScanOpts;
+    }): Promise<RawFinding[]>;
+}
+export interface ScannerRunResult {
+    scanner: Scanner;
+    findings: RawFinding[];
+}
+/** Parse a comma-separated scanner list into validated scanner IDs. */
+export declare function parseScannerList(raw: string): Scanner[];
+/** Validate scanner IDs and de-duplicate while preserving order. */
+export declare function validateScannerList(raw: string[]): Scanner[];
+/** Resolve scanner selection from CLI opts and config defaults. */
+export declare function resolveSelectedScanners(opts: ScanOpts, config: KuzushiConfig): Scanner[];
+/** Run all selected scanners and merge their findings. */
+export declare function runSelectedScanners(repoRoot: string, opts: ScanOpts, config: KuzushiConfig): Promise<ScannerRunResult[]>;
+/** Merge scanner outputs, dedupe by fingerprint, and rank globally by score. */
+export declare function mergeScannerFindings(scannerResults: ScannerRunResult[], maxFindings?: number): RawFinding[];

package/dist/scanners.js

@@ -0,0 +1,88 @@
+import path from "node:path";
+import { SCANNERS, isScanner, } from "./types.js";
+import { runSemgrep, selectFindings } from "./scanner.js";
+import { resolveScanner } from "./scanner/resolve.js";
+import { runClaudeAdk, selectClaudeFindings } from "./scanner/claude-adk.js";
+const PLUGIN_FACTORIES = {
+    "semgrep": createSemgrepPlugin,
+    "claude-adk": createClaudeAdkPlugin,
+};
+/** Parse a comma-separated scanner list into validated scanner IDs. */
+export function parseScannerList(raw) {
+    const scanners = raw
+        .split(",")
+        .map((s) => s.trim().toLowerCase())
+        .filter(Boolean);
+    return validateScannerList(scanners);
+}
+/** Validate scanner IDs and de-duplicate while preserving order. */
+export function validateScannerList(raw) {
+    const invalid = raw.filter((s) => !isScanner(s));
+    if (invalid.length > 0) {
+        throw new Error(`Unknown scanner(s): ${invalid.join(", ")}. Supported scanners: ${SCANNERS.join(", ")}`);
+    }
+    const deduped = [...new Set(raw)];
+    if (deduped.length === 0) {
+        throw new Error("At least one scanner must be configured.");
+    }
+    return deduped;
+}
+/** Resolve scanner selection from CLI opts and config defaults. */
+export function resolveSelectedScanners(opts, config) {
+    const selected = opts.scanners?.length ? opts.scanners : config.scanners;
+    return validateScannerList(selected);
+}
+/** Run all selected scanners and merge their findings. */
+export async function runSelectedScanners(repoRoot, opts, config) {
+    const repoName = path.basename(repoRoot);
+    const ref = "HEAD";
+    const selectedScanners = resolveSelectedScanners(opts, config);
+    const results = [];
+    for (const scannerId of selectedScanners) {
+        const factory = PLUGIN_FACTORIES[scannerId];
+        const plugin = await factory(config);
+        const findings = await plugin.scan({ repoRoot, repoName, ref, opts });
+        results.push({
+            scanner: plugin.id,
+            findings,
+        });
+    }
+    return results;
+}
+/** Merge scanner outputs, dedupe by fingerprint, and rank globally by score. */
+export function mergeScannerFindings(scannerResults, maxFindings) {
+    const deduped = new Map();
+    for (const result of scannerResults) {
+        for (const finding of result.findings) {
+            const existing = deduped.get(finding.fingerprint);
+            if (!existing || finding.score > existing.score) {
+                deduped.set(finding.fingerprint, finding);
+            }
+        }
+    }
+    return [...deduped.values()]
+        .sort((a, b) => b.score - a.score)
+        .slice(0, maxFindings);
+}
+async function createSemgrepPlugin() {
+    const scannerBin = await resolveScanner();
+    return {
+        id: "semgrep",
+        displayName: "Semgrep/Opengrep",
+        async scan({ repoRoot, repoName, ref, opts }) {
+            const output = await runSemgrep(repoRoot, opts, scannerBin);
+            return selectFindings(output, repoName, ref);
+        },
+    };
+}
+async function createClaudeAdkPlugin(config) {
+    return {
+        id: "claude-adk",
+        displayName: "Claude Agent SDK",
+        async scan({ repoRoot, repoName, ref, opts }) {
+            const output = await runClaudeAdk(repoRoot, opts, config.claudeAdkModel, config.claudeAdkMaxFindings);
+            return selectClaudeFindings(output, repoRoot, repoName, ref);
+        },
+    };
+}
+//# sourceMappingURL=scanners.js.map

package/dist/scanners.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanners.js","sourceRoot":"","sources":["../src/scanners.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,QAAQ,EACR,SAAS,GAKV,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAoB7E,MAAM,gBAAgB,GAA0C;IAC9D,SAAS,EAAE,mBAAmB;IAC9B,YAAY,EAAE,qBAAqB;CACpC,CAAC;AAEF,uEAAuE;AACvE,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,QAAQ,GAAG,GAAG;SACjB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SAClC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEnB,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,mBAAmB,CAAC,GAAa;IAC/C,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAc,CAAC;IAC/C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,mEAAmE;AACnE,MAAM,UAAU,uBAAuB,CAAC,IAAc,EAAE,MAAqB;IAC3E,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC;IACzE,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,IAAc,EACd,MAAqB;IAErB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC;IACnB,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAuB,EAAE,CAAC;IAEvC,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,MAAM,CAAC,EAAE;YAClB,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,oBAAoB,CAClC,cAAkC,EAClC,WAAoB;IAEpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAE9C,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;QACpC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;SACzB,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;SACjC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,mBAAmB;IAChC,MAAM,UAAU,GAAG,MAAM,cAAc,EAAE,CAAC;IAC1C,OAAO;QACL,EAAE,EAAE,SAAS;QACb,WAAW,EAAE,kBAAkB;QAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE;YAC1C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;YAC5D,OAAO,cAAc,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,MAAqB;IACxD,OAAO;QACL,EAAE,EAAE,YAAY;QAChB,WAAW,EAAE,kBAAkB;QAC/B,KAAK,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE;YAC1C,MAAM,MAAM,GAAG,MAAM,YAAY,CAC/B,QAAQ,EACR,IAAI,EACJ,MAAM,CAAC,cAAc,EACrB,MAAM,CAAC,oBAAoB,CAC5B,CAAC;YACF,OAAO,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC/D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/store.d.ts

@@ -0,0 +1,106 @@
+import Database from "better-sqlite3";
+import type { KuzushiConfig, PocHarnessResult, RepoContext, ScanOpts, TriageResult, VerificationResult, Verdict } from "./types.js";
+import type { Finding, ScannerId } from "./scanners/types.js";
+export type PipelineRunStatus = "scanning" | "triaging" | "verifying" | "poc-harnessing" | "complete" | "error";
+export interface PipelineRunRecord {
+    runId: string;
+    repo: string;
+    startedAt: string;
+    status: PipelineRunStatus;
+    configJson: string;
+    scanOptsJson: string;
+    findingsJson: string | null;
+    contextJson: string | null;
+    totalCostUsd: number;
+    completedAt: string | null;
+    updatedAt: string;
+}
+/** Initialize the SQLite database with the findings schema. */
+export declare function initDb(dbPath: string): Database.Database;
+/** Default DB path: .kuzushi/findings.sqlite3 in the scanned repo root. */
+export declare function defaultDbPath(repoRoot: string): string;
+/** Upsert a triage result into the database. */
+export declare function upsertFinding(db: Database.Database, finding: Finding, triage: TriageResult, repo: string, ref: string): void;
+/** Get set of already-triaged fingerprints from the database. */
+export declare function getTriagedFingerprints(db: Database.Database): Set<string>;
+/** Get set of already-verified fingerprints from the database. */
+export declare function getVerifiedFingerprints(db: Database.Database): Set<string>;
+/** Get set of fingerprints with completed PoC harness generation. */
+export declare function getPocHarnessedFingerprints(db: Database.Database): Set<string>;
+/** Load persisted triage results for a set of fingerprints. */
+export declare function getStoredTriageResults(db: Database.Database, fingerprints: string[]): Map<string, TriageResult>;
+/** Load persisted verification results for a set of fingerprints. */
+export declare function getStoredVerificationResults(db: Database.Database, fingerprints: string[]): Map<string, VerificationResult>;
+/** Get summary counts by verdict. */
+export declare function getVerdictCounts(db: Database.Database, repo?: string): Record<Verdict, number>;
+/** Get total triage cost in USD from persisted findings. */
+export declare function getTotalCost(db: Database.Database, repo?: string): number;
+/** Get total verification cost in USD from persisted findings. */
+export declare function getTotalVerificationCost(db: Database.Database, repo?: string): number;
+/** Get total PoC harness generation cost in USD from persisted findings. */
+export declare function getTotalPocHarnessCost(db: Database.Database, repo?: string): number;
+/** Get verification counts grouped by exploitability outcome. */
+export declare function getVerificationCounts(db: Database.Database, repo?: string): {
+    exploitable: number;
+    notExploitable: number;
+};
+/** Get PoC harness generation counts. */
+export declare function getPocHarnessCounts(db: Database.Database, repo?: string): {
+    generated: number;
+    skipped: number;
+};
+/** Get triaged findings, ordered by verdict priority and confidence. */
+export declare function getActionableFindings(db: Database.Database, repo?: string, options?: {
+    includeFalsePositives?: boolean;
+}): Array<{
+    scanner: ScannerId;
+    fingerprint: string;
+    ruleId: string;
+    filePath: string;
+    startLine: number;
+    severity: string;
+    message: string;
+    verdict: Verdict;
+    confidence: number;
+    rationale: string;
+    fixPatch: string | null;
+    verifyExploitable: number | null;
+    verifyPocPayload: string | null;
+    verifyPocDescription: string | null;
+    verifyAttackVector: string | null;
+    verifyPreconditions: string | null;
+    verifyConfidence: number | null;
+    verifyCostUsd: number | null;
+    pocHarnessPath: string | null;
+    pocHarnessLanguage: string | null;
+    pocHarnessParsed: number | null;
+    pocHarnessParseError: string | null;
+    pocHarnessSkipped: number | null;
+    pocHarnessSkipReason: string | null;
+    pocHarnessCostUsd: number | null;
+}>;
+/** Create a new persisted pipeline run checkpoint. */
+export declare function createRun(db: Database.Database, runId: string, repo: string, config: KuzushiConfig, scanOpts: ScanOpts): void;
+/** Update run status, optionally setting additional persisted fields. */
+export declare function updateRunStatus(db: Database.Database, runId: string, status: PipelineRunStatus, extra?: {
+    findingsJson?: string | null;
+    completedAt?: string | null;
+}): void;
+/** Persist ranked findings checkpoint after scan completes. */
+export declare function updateRunFindings(db: Database.Database, runId: string, findings: Finding[]): void;
+/** Persist gathered repository context for resume support. */
+export declare function updateRunContext(db: Database.Database, runId: string, repoContext: RepoContext): void;
+/** Increment persisted run cost in USD. */
+export declare function updateRunCost(db: Database.Database, runId: string, costUsd: number): void;
+/** Persist verification result fields for an existing finding row. */
+export declare function updateVerificationResult(db: Database.Database, fingerprint: string, result: VerificationResult): void;
+/** Persist verification cost for a finding even when verification errors. */
+export declare function updateVerificationCost(db: Database.Database, fingerprint: string, costUsd: number): void;
+/** Persist PoC harness generation result fields for an existing finding row. */
+export declare function updatePocHarnessResult(db: Database.Database, fingerprint: string, result: PocHarnessResult): void;
+/** Persist PoC harness generation cost for a finding even when generation errors. */
+export declare function updatePocHarnessCost(db: Database.Database, fingerprint: string, costUsd: number): void;
+/** Get latest resumable run for repo, if any. */
+export declare function getLatestResumableRun(db: Database.Database, repo: string): PipelineRunRecord | undefined;
+/** Get persisted run checkpoint by run id. */
+export declare function getRun(db: Database.Database, runId: string): PipelineRunRecord | undefined;