npm - kuzushi - Versions diffs - 0.12.0 → 0.17.0 - Mend

kuzushi 0.12.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1057) hide show

package/README.md +126 -27
package/dist/agent-runtime/batch-files.js +1 -1
package/dist/agent-runtime/batch-files.js.map +1 -1
package/dist/agent-runtime/claude.d.ts +8 -2
package/dist/agent-runtime/claude.js +126 -78
package/dist/agent-runtime/claude.js.map +1 -1
package/dist/agent-runtime/context-guards.js.map +1 -1
package/dist/agent-runtime/error-classification.js +2 -7
package/dist/agent-runtime/error-classification.js.map +1 -1
package/dist/agent-runtime/execution.d.ts +1 -1
package/dist/agent-runtime/execution.js +21 -19
package/dist/agent-runtime/execution.js.map +1 -1
package/dist/agent-runtime/index.d.ts +2 -2
package/dist/agent-runtime/index.js +3 -3
package/dist/agent-runtime/index.js.map +1 -1
package/dist/agent-runtime/logging-runtime.js +1 -1
package/dist/agent-runtime/logging-runtime.js.map +1 -1
package/dist/agent-runtime/loop-detector.js +9 -7
package/dist/agent-runtime/loop-detector.js.map +1 -1
package/dist/agent-runtime/model-fallback.js.map +1 -1
package/dist/agent-runtime/model-spec.js.map +1 -1
package/dist/agent-runtime/pi-ai.js +29 -24
package/dist/agent-runtime/pi-ai.js.map +1 -1
package/dist/agent-runtime/tools.js +253 -77
package/dist/agent-runtime/tools.js.map +1 -1
package/dist/agent-runtime/turn-watchdog.js.map +1 -1
package/dist/agents/handoff.js.map +1 -1
package/dist/agents/index.d.ts +1 -1
package/dist/agents/index.js +45 -38
package/dist/agents/index.js.map +1 -1
package/dist/agents/registry.d.ts +1 -1
package/dist/agents/registry.js +3 -3
package/dist/agents/registry.js.map +1 -1
package/dist/agents/scanner-adapter.d.ts +1 -1
package/dist/agents/scanner-adapter.js +1 -3
package/dist/agents/scanner-adapter.js.map +1 -1
package/dist/agents/task-loader.d.ts +1 -1
package/dist/agents/task-loader.js +2 -2
package/dist/agents/task-loader.js.map +1 -1
package/dist/agents/task-manifest.d.ts +2 -2
package/dist/agents/task-manifest.js +7 -7
package/dist/agents/task-manifest.js.map +1 -1
package/dist/agents/task-wrappers.js +1 -1
package/dist/agents/task-wrappers.js.map +1 -1
package/dist/agents/tasks/app-model-build.js +55 -34
package/dist/agents/tasks/app-model-build.js.map +1 -1
package/dist/agents/tasks/approval-gate.d.ts +1 -1
package/dist/agents/tasks/approval-gate.js.map +1 -1
package/dist/agents/tasks/auth-logic-detect.js +31 -9
package/dist/agents/tasks/auth-logic-detect.js.map +1 -1
package/dist/agents/tasks/call-graph-assist.js +1 -1
package/dist/agents/tasks/call-graph-assist.js.map +1 -1
package/dist/agents/tasks/category-filter.js +28 -14
package/dist/agents/tasks/category-filter.js.map +1 -1
package/dist/agents/tasks/chain-analysis.js +3 -6
package/dist/agents/tasks/chain-analysis.js.map +1 -1
package/dist/agents/tasks/code-config-detect.d.ts +1 -1
package/dist/agents/tasks/code-config-detect.js +280 -144
package/dist/agents/tasks/code-config-detect.js.map +1 -1
package/dist/agents/tasks/code-graph/build.d.ts +1 -1
package/dist/agents/tasks/code-graph/build.js +170 -66
package/dist/agents/tasks/code-graph/build.js.map +1 -1
package/dist/agents/tasks/code-graph/enrich.js +9 -4
package/dist/agents/tasks/code-graph/enrich.js.map +1 -1
package/dist/agents/tasks/code-graph/prompts.js +27 -9
package/dist/agents/tasks/code-graph/prompts.js.map +1 -1
package/dist/agents/tasks/code-graph/store.d.ts +4 -4
package/dist/agents/tasks/code-graph/store.js +38 -22
package/dist/agents/tasks/code-graph/store.js.map +1 -1
package/dist/agents/tasks/command-injection.js +70 -20
package/dist/agents/tasks/command-injection.js.map +1 -1
package/dist/agents/tasks/context-enricher.js +12 -3
package/dist/agents/tasks/context-enricher.js.map +1 -1
package/dist/agents/tasks/context-gatherer.d.ts +1 -1
package/dist/agents/tasks/context-gatherer.js +110 -31
package/dist/agents/tasks/context-gatherer.js.map +1 -1
package/dist/agents/tasks/crypto-behavioral-test.d.ts +1 -1
package/dist/agents/tasks/crypto-behavioral-test.js +19 -23
package/dist/agents/tasks/crypto-behavioral-test.js.map +1 -1
package/dist/agents/tasks/deep-semantic/cwe-select.d.ts +1 -1
package/dist/agents/tasks/deep-semantic/cwe-select.js +1 -1
package/dist/agents/tasks/deep-semantic/cwe-select.js.map +1 -1
package/dist/agents/tasks/deep-semantic/hunt.js +25 -15
package/dist/agents/tasks/deep-semantic/hunt.js.map +1 -1
package/dist/agents/tasks/deep-semantic/types.js +16 -6
package/dist/agents/tasks/deep-semantic/types.js.map +1 -1
package/dist/agents/tasks/deserialization-detection.js +45 -18
package/dist/agents/tasks/deserialization-detection.js.map +1 -1
package/dist/agents/tasks/detection-task-utils.d.ts +49 -0
package/dist/agents/tasks/detection-task-utils.js +110 -0
package/dist/agents/tasks/detection-task-utils.js.map +1 -0
package/dist/agents/tasks/diff-review.js +52 -45
package/dist/agents/tasks/diff-review.js.map +1 -1
package/dist/agents/tasks/graphql-security.js +55 -40
package/dist/agents/tasks/graphql-security.js.map +1 -1
package/dist/agents/tasks/invariant-analysis/check.js +22 -8
package/dist/agents/tasks/invariant-analysis/check.js.map +1 -1
package/dist/agents/tasks/invariant-analysis/extract.d.ts +1 -1
package/dist/agents/tasks/invariant-analysis/extract.js +21 -9
package/dist/agents/tasks/invariant-analysis/extract.js.map +1 -1
package/dist/agents/tasks/invariant-analysis/types.js +36 -4
package/dist/agents/tasks/invariant-analysis/types.js.map +1 -1
package/dist/agents/tasks/nosql-injection.js +80 -90
package/dist/agents/tasks/nosql-injection.js.map +1 -1
package/dist/agents/tasks/plugin-finding-scanner.d.ts +41 -0
package/dist/agents/tasks/plugin-finding-scanner.js +56 -0
package/dist/agents/tasks/plugin-finding-scanner.js.map +1 -0
package/dist/agents/tasks/pre-read-prompt.js +1 -1
package/dist/agents/tasks/pre-read-prompt.js.map +1 -1
package/dist/agents/tasks/pre-read.js +12 -4
package/dist/agents/tasks/pre-read.js.map +1 -1
package/dist/agents/tasks/prompt-armor/resolve-promptarmor-plugin.d.ts +8 -0
package/dist/agents/tasks/prompt-armor/resolve-promptarmor-plugin.js +29 -0
package/dist/agents/tasks/prompt-armor/resolve-promptarmor-plugin.js.map +1 -0
package/dist/agents/tasks/prototype-pollution.js +50 -40
package/dist/agents/tasks/prototype-pollution.js.map +1 -1
package/dist/agents/tasks/race-condition.js +52 -37
package/dist/agents/tasks/race-condition.js.map +1 -1
package/dist/agents/tasks/reachability-check.js +8 -2
package/dist/agents/tasks/reachability-check.js.map +1 -1
package/dist/agents/tasks/runtime-overrides.js +10 -4
package/dist/agents/tasks/runtime-overrides.js.map +1 -1
package/dist/agents/tasks/scenario-guidance.js +7 -4
package/dist/agents/tasks/scenario-guidance.js.map +1 -1
package/dist/agents/tasks/secrets-crypto-detect.d.ts +1 -1
package/dist/agents/tasks/secrets-crypto-detect.js +50 -43
package/dist/agents/tasks/secrets-crypto-detect.js.map +1 -1
package/dist/agents/tasks/sharp-edges-detect.d.ts +16 -6
package/dist/agents/tasks/sharp-edges-detect.js +95 -96
package/dist/agents/tasks/sharp-edges-detect.js.map +1 -1
package/dist/agents/tasks/shinsa/resolve-shinsa-plugin.d.ts +9 -0
package/dist/agents/tasks/shinsa/resolve-shinsa-plugin.js +36 -0
package/dist/agents/tasks/shinsa/resolve-shinsa-plugin.js.map +1 -0
package/dist/agents/tasks/ssrf-detection.d.ts +3 -6
package/dist/agents/tasks/ssrf-detection.js +79 -94
package/dist/agents/tasks/ssrf-detection.js.map +1 -1
package/dist/agents/tasks/supply-chain.js +63 -37
package/dist/agents/tasks/supply-chain.js.map +1 -1
package/dist/agents/tasks/systems-hunt/artifacts.js.map +1 -1
package/dist/agents/tasks/systems-hunt/context.js +49 -14
package/dist/agents/tasks/systems-hunt/context.js.map +1 -1
package/dist/agents/tasks/systems-hunt/helpers.d.ts +1 -1
package/dist/agents/tasks/systems-hunt/helpers.js +28 -30
package/dist/agents/tasks/systems-hunt/helpers.js.map +1 -1
package/dist/agents/tasks/systems-hunt/hunt.js +80 -26
package/dist/agents/tasks/systems-hunt/hunt.js.map +1 -1
package/dist/agents/tasks/systems-hunt/invariant-extract.js +15 -4
package/dist/agents/tasks/systems-hunt/invariant-extract.js.map +1 -1
package/dist/agents/tasks/systems-hunt/trigger-synth.js +2 -2
package/dist/agents/tasks/systems-hunt/trigger-synth.js.map +1 -1
package/dist/agents/tasks/systems-hunt/types.js +5 -2
package/dist/agents/tasks/systems-hunt/types.js.map +1 -1
package/dist/agents/tasks/taint-analysis/analyze.d.ts +1 -1
package/dist/agents/tasks/taint-analysis/analyze.js +50 -62
package/dist/agents/tasks/taint-analysis/analyze.js.map +1 -1
package/dist/agents/tasks/taint-analysis/codeql-compat.js +6 -12
package/dist/agents/tasks/taint-analysis/codeql-compat.js.map +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/analyze.js +6 -4
package/dist/agents/tasks/taint-analysis/cross-service/analyze.js.map +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/boundary-agent.d.ts +2 -3
package/dist/agents/tasks/taint-analysis/cross-service/boundary-agent.js +10 -5
package/dist/agents/tasks/taint-analysis/cross-service/boundary-agent.js.map +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/discover.d.ts +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/discover.js +10 -13
package/dist/agents/tasks/taint-analysis/cross-service/discover.js.map +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/stitch.js +88 -59
package/dist/agents/tasks/taint-analysis/cross-service/stitch.js.map +1 -1
package/dist/agents/tasks/taint-analysis/cross-service/types.js +32 -14
package/dist/agents/tasks/taint-analysis/cross-service/types.js.map +1 -1
package/dist/agents/tasks/taint-analysis/csv.js +6 -8
package/dist/agents/tasks/taint-analysis/csv.js.map +1 -1
package/dist/agents/tasks/taint-analysis/diff-scope.js.map +1 -1
package/dist/agents/tasks/taint-analysis/extraction-agent.js +24 -12
package/dist/agents/tasks/taint-analysis/extraction-agent.js.map +1 -1
package/dist/agents/tasks/taint-analysis/grounding.js +3 -1
package/dist/agents/tasks/taint-analysis/grounding.js.map +1 -1
package/dist/agents/tasks/taint-analysis/label.d.ts +1 -1
package/dist/agents/tasks/taint-analysis/label.js +219 -118
package/dist/agents/tasks/taint-analysis/label.js.map +1 -1
package/dist/agents/tasks/taint-analysis/preflight.js +70 -92
package/dist/agents/tasks/taint-analysis/preflight.js.map +1 -1
package/dist/agents/tasks/taint-analysis/ti-prior.js +378 -74
package/dist/agents/tasks/taint-analysis/ti-prior.js.map +1 -1
package/dist/agents/tasks/taint-analysis/types.js +35 -10
package/dist/agents/tasks/taint-analysis/types.js.map +1 -1
package/dist/agents/tasks/taint-iris/cwe-select.d.ts +6 -1
package/dist/agents/tasks/taint-iris/cwe-select.js +1 -1
package/dist/agents/tasks/taint-iris/cwe-select.js.map +1 -1
package/dist/agents/tasks/taint-iris/iris.js +11 -3
package/dist/agents/tasks/taint-iris/iris.js.map +1 -1
package/dist/agents/tasks/task-selector.js +68 -21
package/dist/agents/tasks/task-selector.js.map +1 -1
package/dist/agents/tasks/template-injection.js +83 -91
package/dist/agents/tasks/template-injection.js.map +1 -1
package/dist/agents/tasks/threat-hunt.d.ts +9 -0
package/dist/agents/tasks/threat-hunt.js +33 -15
package/dist/agents/tasks/threat-hunt.js.map +1 -1
package/dist/agents/tasks/threat-model-guidance.d.ts +1 -1
package/dist/agents/tasks/threat-model-guidance.js +14 -8
package/dist/agents/tasks/threat-model-guidance.js.map +1 -1
package/dist/agents/tasks/threat-modeling/randori-adapter.js +99 -12
package/dist/agents/tasks/threat-modeling/randori-adapter.js.map +1 -1
package/dist/agents/tasks/threat-modeling/randori-artifacts.d.ts +2 -0
package/dist/agents/tasks/threat-modeling/randori-artifacts.js +10 -2
package/dist/agents/tasks/threat-modeling/randori-artifacts.js.map +1 -1
package/dist/agents/tasks/threat-modeling/randori-runner.d.ts +61 -0
package/dist/agents/tasks/threat-modeling/randori-runner.js +408 -0
package/dist/agents/tasks/threat-modeling/randori-runner.js.map +1 -0
package/dist/agents/tasks/threat-modeling/randori.d.ts +1 -0
package/dist/agents/tasks/threat-modeling/randori.js +27 -200
package/dist/agents/tasks/threat-modeling/randori.js.map +1 -1
package/dist/agents/tasks/threat-modeling/resolve-randori.js +3 -3
package/dist/agents/tasks/threat-modeling/resolve-randori.js.map +1 -1
package/dist/agents/tasks/threat-modeling/types.d.ts +67 -0
package/dist/agents/tasks/threat-modeling/types.js.map +1 -1
package/dist/agents/tasks/threat-scenario-build.d.ts +1 -1
package/dist/agents/tasks/threat-scenario-build.js +23 -8
package/dist/agents/tasks/threat-scenario-build.js.map +1 -1
package/dist/agents/tasks/tob-audit/resolve-tob-plugin.js +5 -5
package/dist/agents/tasks/tob-audit/resolve-tob-plugin.js.map +1 -1
package/dist/agents/tasks/tob-audit/tob-audit.d.ts +11 -2
package/dist/agents/tasks/tob-audit/tob-audit.js +26 -52
package/dist/agents/tasks/tob-audit/tob-audit.js.map +1 -1
package/dist/agents/tasks/variant-analysis.js +10 -8
package/dist/agents/tasks/variant-analysis.js.map +1 -1
package/dist/agents/tasks/vuln-scout/resolve-vuln-scout.js +3 -3
package/dist/agents/tasks/vuln-scout/resolve-vuln-scout.js.map +1 -1
package/dist/agents/tasks/vuln-scout/vuln-scout.d.ts +10 -2
package/dist/agents/tasks/vuln-scout/vuln-scout.js +26 -52
package/dist/agents/tasks/vuln-scout/vuln-scout.js.map +1 -1
package/dist/agents/tasks/xxe-detection.js +45 -18
package/dist/agents/tasks/xxe-detection.js.map +1 -1
package/dist/agents/types.d.ts +2 -2
package/dist/analysis-support/code-intelligence.js +16 -12
package/dist/analysis-support/code-intelligence.js.map +1 -1
package/dist/analysis-support/index.d.ts +2 -2
package/dist/analysis-support/index.js +2 -2
package/dist/analysis-support/index.js.map +1 -1
package/dist/analysis-support/simple-index.js +6 -6
package/dist/analysis-support/simple-index.js.map +1 -1
package/dist/banner.js +8 -6
package/dist/banner.js.map +1 -1
package/dist/bus/adapters/in-process.js +45 -14
package/dist/bus/adapters/in-process.js.map +1 -1
package/dist/bus/adapters/index.js +1 -2
package/dist/bus/adapters/index.js.map +1 -1
package/dist/bus/event-log.js +3 -3
package/dist/bus/event-log.js.map +1 -1
package/dist/bus/events.d.ts +17 -13
package/dist/bus/index.d.ts +10 -9
package/dist/bus/index.js +24 -21
package/dist/bus/index.js.map +1 -1
package/dist/bus/orchestrator/cheap-verify.js +15 -6
package/dist/bus/orchestrator/cheap-verify.js.map +1 -1
package/dist/bus/orchestrator/patch-dispatcher.d.ts +1 -1
package/dist/bus/orchestrator/patch-dispatcher.js +3 -4
package/dist/bus/orchestrator/patch-dispatcher.js.map +1 -1
package/dist/bus/orchestrator/poc-dispatcher.d.ts +2 -2
package/dist/bus/orchestrator/poc-dispatcher.js +7 -7
package/dist/bus/orchestrator/poc-dispatcher.js.map +1 -1
package/dist/bus/orchestrator/task-policy.js +8 -11
package/dist/bus/orchestrator/task-policy.js.map +1 -1
package/dist/bus/orchestrator/triage-dispatcher.d.ts +13 -3
package/dist/bus/orchestrator/triage-dispatcher.js +150 -41
package/dist/bus/orchestrator/triage-dispatcher.js.map +1 -1
package/dist/bus/orchestrator/types.d.ts +6 -4
package/dist/bus/orchestrator/verification-dispatcher.d.ts +2 -2
package/dist/bus/orchestrator/verification-dispatcher.js +7 -5
package/dist/bus/orchestrator/verification-dispatcher.js.map +1 -1
package/dist/bus/orchestrator/verify-gate.js +14 -7
package/dist/bus/orchestrator/verify-gate.js.map +1 -1
package/dist/bus/orchestrator.d.ts +3 -1
package/dist/bus/orchestrator.js +286 -136
package/dist/bus/orchestrator.js.map +1 -1
package/dist/bus/run-context.d.ts +15 -0
package/dist/bus/run-context.js +8 -0
package/dist/bus/run-context.js.map +1 -0
package/dist/bus/task-execution.d.ts +2 -2
package/dist/bus/task-execution.js +11 -2
package/dist/bus/task-execution.js.map +1 -1
package/dist/bus/workers/audit-worker.js.map +1 -1
package/dist/bus/workers/blame-worker.d.ts +6 -0
package/dist/bus/workers/blame-worker.js +26 -0
package/dist/bus/workers/blame-worker.js.map +1 -0
package/dist/bus/workers/dynamic-analysis-worker.js +41 -14
package/dist/bus/workers/dynamic-analysis-worker.js.map +1 -1
package/dist/bus/workers/github-worker.d.ts +1 -1
package/dist/bus/workers/github-worker.js +18 -7
package/dist/bus/workers/github-worker.js.map +1 -1
package/dist/bus/workers/patch-verify-worker.d.ts +1 -1
package/dist/bus/workers/patch-verify-worker.js +3 -3
package/dist/bus/workers/patch-verify-worker.js.map +1 -1
package/dist/bus/workers/patch-worker.d.ts +1 -1
package/dist/bus/workers/patch-worker.js +2 -2
package/dist/bus/workers/patch-worker.js.map +1 -1
package/dist/bus/workers/poc-executor-worker.d.ts +1 -1
package/dist/bus/workers/poc-executor-worker.js +1 -1
package/dist/bus/workers/poc-executor-worker.js.map +1 -1
package/dist/bus/workers/poc-harness-worker.js +6 -5
package/dist/bus/workers/poc-harness-worker.js.map +1 -1
package/dist/bus/workers/report-worker.d.ts +1 -1
package/dist/bus/workers/report-worker.js +86 -47
package/dist/bus/workers/report-worker.js.map +1 -1
package/dist/bus/workers/scan-worker.d.ts +2 -2
package/dist/bus/workers/scan-worker.js +8 -6
package/dist/bus/workers/scan-worker.js.map +1 -1
package/dist/bus/workers/store-worker.d.ts +1 -1
package/dist/bus/workers/store-worker.js +17 -7
package/dist/bus/workers/store-worker.js.map +1 -1
package/dist/bus/workers/taint-analysis-artifact-worker.js +12 -2
package/dist/bus/workers/taint-analysis-artifact-worker.js.map +1 -1
package/dist/bus/workers/taint-analysis-refinement-worker.js +11 -10
package/dist/bus/workers/taint-analysis-refinement-worker.js.map +1 -1
package/dist/bus/workers/triage-worker.d.ts +3 -3
package/dist/bus/workers/triage-worker.js +92 -39
package/dist/bus/workers/triage-worker.js.map +1 -1
package/dist/bus/workers/variant-analysis-worker.d.ts +1 -1
package/dist/bus/workers/variant-analysis-worker.js +5 -5
package/dist/bus/workers/variant-analysis-worker.js.map +1 -1
package/dist/bus/workers/verification-worker.d.ts +2 -2
package/dist/bus/workers/verification-worker.js +29 -18
package/dist/bus/workers/verification-worker.js.map +1 -1
package/dist/bypass-knowledge.js +7 -7
package/dist/bypass-knowledge.js.map +1 -1
package/dist/cache.js +1 -1
package/dist/cache.js.map +1 -1
package/dist/capabilities.d.ts +0 -2
package/dist/capabilities.js +11 -11
package/dist/capabilities.js.map +1 -1
package/dist/cli/commands/monorepo-scan.js +26 -22
package/dist/cli/commands/monorepo-scan.js.map +1 -1
package/dist/cli/commands/scan.d.ts +8 -2
package/dist/cli/commands/scan.js +108 -29
package/dist/cli/commands/scan.js.map +1 -1
package/dist/cli/create-module.d.ts +33 -0
package/dist/cli/create-module.js +246 -0
package/dist/cli/create-module.js.map +1 -0
package/dist/cli/errors.d.ts +25 -0
package/dist/cli/errors.js +44 -2
package/dist/cli/errors.js.map +1 -1
package/dist/cli/pi-ai.d.ts +0 -4
package/dist/cli/pi-ai.js +10 -17
package/dist/cli/pi-ai.js.map +1 -1
package/dist/cli/preflight.d.ts +34 -0
package/dist/cli/preflight.js +163 -0
package/dist/cli/preflight.js.map +1 -0
package/dist/cli/scan-config.d.ts +1 -0
package/dist/cli/scan-config.js +8 -9
package/dist/cli/scan-config.js.map +1 -1
package/dist/cli/shared.js +4 -4
package/dist/cli/shared.js.map +1 -1
package/dist/cli.js +487 -29
package/dist/cli.js.map +1 -1
package/dist/confidence-calibration.d.ts +0 -11
package/dist/confidence-calibration.js +25 -50
package/dist/confidence-calibration.js.map +1 -1
package/dist/config/defaults.d.ts +0 -1
package/dist/config/defaults.js +11 -8
package/dist/config/defaults.js.map +1 -1
package/dist/config/docs.d.ts +24 -0
package/dist/config/docs.js +134 -0
package/dist/config/docs.js.map +1 -0
package/dist/config/paths.d.ts +0 -3
package/dist/config/paths.js +2 -11
package/dist/config/paths.js.map +1 -1
package/dist/config/presets.js +6 -7
package/dist/config/presets.js.map +1 -1
package/dist/config/validation.js +9 -5
package/dist/config/validation.js.map +1 -1
package/dist/config-io.js +1 -1
package/dist/config-io.js.map +1 -1
package/dist/config.d.ts +2 -2
package/dist/config.js +48 -48
package/dist/config.js.map +1 -1
package/dist/copilot/core.d.ts +21 -3
package/dist/copilot/core.js +220 -14
package/dist/copilot/core.js.map +1 -1
package/dist/copilot/index.d.ts +3 -3
package/dist/copilot/index.js.map +1 -1
package/dist/copilot/run.d.ts +1 -1
package/dist/copilot/run.js +1 -4
package/dist/copilot/run.js.map +1 -1
package/dist/copilot/shell.d.ts +70 -2
package/dist/copilot/shell.js +1447 -408
package/dist/copilot/shell.js.map +1 -1
package/dist/crypto-behavioral/harness-generator.js +2 -1
package/dist/crypto-behavioral/harness-generator.js.map +1 -1
package/dist/crypto-behavioral/harness-prompts.js +22 -23
package/dist/crypto-behavioral/harness-prompts.js.map +1 -1
package/dist/crypto-behavioral/index.d.ts +2 -2
package/dist/crypto-behavioral/index.js +2 -2
package/dist/crypto-behavioral/index.js.map +1 -1
package/dist/crypto-behavioral/result-parser.js +14 -4
package/dist/crypto-behavioral/result-parser.js.map +1 -1
package/dist/discovery/adapters/bazel-adapter.js +1 -6
package/dist/discovery/adapters/bazel-adapter.js.map +1 -1
package/dist/discovery/adapters/go-adapter.js +1 -3
package/dist/discovery/adapters/go-adapter.js.map +1 -1
package/dist/discovery/adapters/msvs-adapter.js.map +1 -1
package/dist/discovery/adapters/native-adapter.js.map +1 -1
package/dist/discovery/adapters/node-adapter.js +5 -7
package/dist/discovery/adapters/node-adapter.js.map +1 -1
package/dist/discovery/adapters/rust-adapter.js +4 -3
package/dist/discovery/adapters/rust-adapter.js.map +1 -1
package/dist/discovery/graph.js +21 -12
package/dist/discovery/graph.js.map +1 -1
package/dist/discovery/helpers.js +9 -4
package/dist/discovery/helpers.js.map +1 -1
package/dist/discovery/llm-refinement.d.ts +1 -1
package/dist/discovery/llm-refinement.js +9 -9
package/dist/discovery/llm-refinement.js.map +1 -1
package/dist/discovery/repo-discovery.js +4 -4
package/dist/discovery/repo-discovery.js.map +1 -1
package/dist/discovery/workspace-clustering.js +5 -7
package/dist/discovery/workspace-clustering.js.map +1 -1
package/dist/errors.d.ts +0 -12
package/dist/errors.js +2 -2
package/dist/errors.js.map +1 -1
package/dist/findings/taint-path.js +1 -4
package/dist/findings/taint-path.js.map +1 -1
package/dist/fuzz/crashes.d.ts +51 -0
package/dist/fuzz/crashes.js +153 -0
package/dist/fuzz/crashes.js.map +1 -0
package/dist/fuzz/runners.d.ts +76 -0
package/dist/fuzz/runners.js +344 -0
package/dist/fuzz/runners.js.map +1 -0
package/dist/fuzz/sandbox.d.ts +79 -0
package/dist/fuzz/sandbox.js +232 -0
package/dist/fuzz/sandbox.js.map +1 -0
package/dist/git/blame.d.ts +11 -0
package/dist/git/blame.js +49 -0
package/dist/git/blame.js.map +1 -0
package/dist/governance/audit.d.ts +17 -0
package/dist/governance/audit.js +31 -0
package/dist/governance/audit.js.map +1 -0
package/dist/governance/enforcer.d.ts +38 -0
package/dist/governance/enforcer.js +158 -0
package/dist/governance/enforcer.js.map +1 -0
package/dist/governance/types.d.ts +76 -0
package/dist/governance/types.js +26 -0
package/dist/governance/types.js.map +1 -0
package/dist/hooks/chain.d.ts +1 -1
package/dist/hooks/index.d.ts +2 -2
package/dist/hooks/index.js +1 -1
package/dist/hooks/index.js.map +1 -1
package/dist/hooks/loader.js +1 -1
package/dist/hooks/loader.js.map +1 -1
package/dist/http-agent.d.ts +0 -5
package/dist/http-agent.js +5 -2
package/dist/http-agent.js.map +1 -1
package/dist/incremental.d.ts +0 -9
package/dist/incremental.js +10 -4
package/dist/incremental.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/intel/cve-feed.d.ts +85 -0
package/dist/intel/cve-feed.js +280 -0
package/dist/intel/cve-feed.js.map +1 -0
package/dist/intel/store.d.ts +22 -0
package/dist/intel/store.js +169 -0
package/dist/intel/store.js.map +1 -0
package/dist/intel/types.d.ts +57 -0
package/dist/intel/types.js +8 -0
package/dist/intel/types.js.map +1 -0
package/dist/knowledge/index.d.ts +1 -1
package/dist/knowledge/index.js +13 -9
package/dist/knowledge/index.js.map +1 -1
package/dist/knowledge/modules/auth-bypass.js +56 -12
package/dist/knowledge/modules/auth-bypass.js.map +1 -1
package/dist/knowledge/modules/command-injection.js +41 -10
package/dist/knowledge/modules/command-injection.js.map +1 -1
package/dist/knowledge/modules/crypto.js +64 -13
package/dist/knowledge/modules/crypto.js.map +1 -1
package/dist/knowledge/modules/deserialization.js +40 -10
package/dist/knowledge/modules/deserialization.js.map +1 -1
package/dist/knowledge/modules/file-upload.js +38 -9
package/dist/knowledge/modules/file-upload.js.map +1 -1
package/dist/knowledge/modules/idor.js +47 -12
package/dist/knowledge/modules/idor.js.map +1 -1
package/dist/knowledge/modules/n-day-patterns.d.ts +8 -0
package/dist/knowledge/modules/n-day-patterns.js +179 -0
package/dist/knowledge/modules/n-day-patterns.js.map +1 -0
package/dist/knowledge/modules/nosql-injection.js +46 -10
package/dist/knowledge/modules/nosql-injection.js.map +1 -1
package/dist/knowledge/modules/parser-attack-surface.d.ts +10 -0
package/dist/knowledge/modules/parser-attack-surface.js +200 -0
package/dist/knowledge/modules/parser-attack-surface.js.map +1 -0
package/dist/knowledge/modules/path-traversal.js +36 -8
package/dist/knowledge/modules/path-traversal.js.map +1 -1
package/dist/knowledge/modules/race-condition.js +48 -10
package/dist/knowledge/modules/race-condition.js.map +1 -1
package/dist/knowledge/modules/sqli.js +50 -10
package/dist/knowledge/modules/sqli.js.map +1 -1
package/dist/knowledge/modules/ssrf.js +44 -9
package/dist/knowledge/modules/ssrf.js.map +1 -1
package/dist/knowledge/modules/xss.js +46 -10
package/dist/knowledge/modules/xss.js.map +1 -1
package/dist/knowledge/modules/xxe.js +47 -12
package/dist/knowledge/modules/xxe.js.map +1 -1
package/dist/knowledge/registry.js.map +1 -1
package/dist/logger.d.ts +5 -0
package/dist/logger.js +46 -4
package/dist/logger.js.map +1 -1
package/dist/migrations/100_schema_reset.d.ts +25 -0
package/dist/migrations/100_schema_reset.js +381 -0
package/dist/migrations/100_schema_reset.js.map +1 -0
package/dist/migrations/index.d.ts +10 -2
package/dist/migrations/index.js +11 -51
package/dist/migrations/index.js.map +1 -1
package/dist/migrations/runner.d.ts +4 -1
package/dist/migrations/runner.js +5 -116
package/dist/migrations/runner.js.map +1 -1
package/dist/modules/core-prompt-armor.d.ts +33 -0
package/dist/modules/core-prompt-armor.js +316 -0
package/dist/modules/core-prompt-armor.js.map +1 -0
package/dist/modules/core-randori.d.ts +29 -0
package/dist/modules/core-randori.js +282 -0
package/dist/modules/core-randori.js.map +1 -0
package/dist/modules/core-sast.d.ts +1 -0
package/dist/modules/core-sast.js +737 -95
package/dist/modules/core-sast.js.map +1 -1
package/dist/modules/core-shinsa.d.ts +37 -0
package/dist/modules/core-shinsa.js +259 -0
package/dist/modules/core-shinsa.js.map +1 -0
package/dist/modules/core-tob.d.ts +23 -0
package/dist/modules/core-tob.js +220 -0
package/dist/modules/core-tob.js.map +1 -0
package/dist/modules/core-vuln-scout.d.ts +23 -0
package/dist/modules/core-vuln-scout.js +149 -0
package/dist/modules/core-vuln-scout.js.map +1 -0
package/dist/modules/index.d.ts +4 -2
package/dist/modules/index.js +3 -1
package/dist/modules/index.js.map +1 -1
package/dist/modules/loader.d.ts +31 -0
package/dist/modules/loader.js +138 -0
package/dist/modules/loader.js.map +1 -0
package/dist/modules/mcp-bridge.d.ts +21 -0
package/dist/modules/mcp-bridge.js +317 -0
package/dist/modules/mcp-bridge.js.map +1 -0
package/dist/modules/n-day-diff-hunter.d.ts +128 -0
package/dist/modules/n-day-diff-hunter.js +550 -0
package/dist/modules/n-day-diff-hunter.js.map +1 -0
package/dist/modules/registry.d.ts +2 -2
package/dist/modules/types.d.ts +6 -1
package/dist/modules/variant-hunter.d.ts +66 -0
package/dist/modules/variant-hunter.js +385 -0
package/dist/modules/variant-hunter.js.map +1 -0
package/dist/monorepo/architectural-analysis.js +48 -25
package/dist/monorepo/architectural-analysis.js.map +1 -1
package/dist/monorepo/attack-surface.js +47 -22
package/dist/monorepo/attack-surface.js.map +1 -1
package/dist/monorepo/boundary-manifest.d.ts +1 -1
package/dist/monorepo/boundary-manifest.js +14 -8
package/dist/monorepo/boundary-manifest.js.map +1 -1
package/dist/monorepo/budget-controller.js +4 -5
package/dist/monorepo/budget-controller.js.map +1 -1
package/dist/monorepo/context-index.js +18 -3
package/dist/monorepo/context-index.js.map +1 -1
package/dist/monorepo/cross-module-tracing.js +1 -1
package/dist/monorepo/cross-module-tracing.js.map +1 -1
package/dist/monorepo/dependency-graph.js +9 -6
package/dist/monorepo/dependency-graph.js.map +1 -1
package/dist/monorepo/types.d.ts +1 -1
package/dist/multi-agent-triage.d.ts +1 -1
package/dist/multi-agent-triage.js +14 -9
package/dist/multi-agent-triage.js.map +1 -1
package/dist/operator-context.d.ts +24 -0
package/dist/operator-context.js +341 -0
package/dist/operator-context.js.map +1 -0
package/dist/parameter-risk.js +74 -13
package/dist/parameter-risk.js.map +1 -1
package/dist/patch.js +17 -11
package/dist/patch.js.map +1 -1
package/dist/poc-executor/docker.js +12 -6
package/dist/poc-executor/docker.js.map +1 -1
package/dist/poc-executor/index.d.ts +1 -1
package/dist/poc-executor/index.js +1 -1
package/dist/poc-executor/index.js.map +1 -1
package/dist/poc-executor/process.js.map +1 -1
package/dist/poc-harness.js +40 -39
package/dist/poc-harness.js.map +1 -1
package/dist/precedents.js +1 -2
package/dist/precedents.js.map +1 -1
package/dist/prompts/bootstrap.js +5 -8
package/dist/prompts/bootstrap.js.map +1 -1
package/dist/prompts/context.js +1 -1
package/dist/prompts/context.js.map +1 -1
package/dist/prompts/index.d.ts +7 -7
package/dist/prompts/index.js +5 -5
package/dist/prompts/index.js.map +1 -1
package/dist/prompts/language-tuning.js +1 -5
package/dist/prompts/language-tuning.js.map +1 -1
package/dist/prompts/languages/c-cpp.js +169 -44
package/dist/prompts/languages/c-cpp.js.map +1 -1
package/dist/prompts/languages/go.js +112 -28
package/dist/prompts/languages/go.js.map +1 -1
package/dist/prompts/languages/index.js +3 -3
package/dist/prompts/languages/index.js.map +1 -1
package/dist/prompts/languages/java-kotlin.js +220 -52
package/dist/prompts/languages/java-kotlin.js.map +1 -1
package/dist/prompts/languages/javascript-typescript.js +326 -72
package/dist/prompts/languages/javascript-typescript.js.map +1 -1
package/dist/prompts/languages/php.js +138 -44
package/dist/prompts/languages/php.js.map +1 -1
package/dist/prompts/languages/python.js +162 -41
package/dist/prompts/languages/python.js.map +1 -1
package/dist/prompts/languages/ruby.js +105 -35
package/dist/prompts/languages/ruby.js.map +1 -1
package/dist/prompts/languages/rust.js +69 -19
package/dist/prompts/languages/rust.js.map +1 -1
package/dist/prompts/modules.js +2 -5
package/dist/prompts/modules.js.map +1 -1
package/dist/prompts/prompt-report.js.map +1 -1
package/dist/prompts/sanitize.js +34 -17
package/dist/prompts/sanitize.js.map +1 -1
package/dist/prompts/templates/triage.d.ts +3 -3
package/dist/prompts/templates/triage.js +37 -7
package/dist/prompts/templates/triage.js.map +1 -1
package/dist/prompts/templates/verify.d.ts +5 -5
package/dist/prompts/templates/verify.js +49 -10
package/dist/prompts/templates/verify.js.map +1 -1
package/dist/prompts/tool-policy.js.map +1 -1
package/dist/quality-gate-types.d.ts +26 -0
package/dist/quality-gate-types.js +8 -0
package/dist/quality-gate-types.js.map +1 -0
package/dist/quality-gate.d.ts +2 -20
package/dist/quality-gate.js +2 -4
package/dist/quality-gate.js.map +1 -1
package/dist/repo-context.js +8 -12
package/dist/repo-context.js.map +1 -1
package/dist/report-csv.js +1 -1
package/dist/report-csv.js.map +1 -1
package/dist/report-json.d.ts +1 -1
package/dist/report-json.js +17 -2
package/dist/report-json.js.map +1 -1
package/dist/report-jsonl.js +1 -1
package/dist/report-jsonl.js.map +1 -1
package/dist/report-junit.d.ts +28 -0
package/dist/report-junit.js +103 -0
package/dist/report-junit.js.map +1 -0
package/dist/report-markdown.d.ts +1 -1
package/dist/report-markdown.js +121 -19
package/dist/report-markdown.js.map +1 -1
package/dist/report-monorepo.js +5 -4
package/dist/report-monorepo.js.map +1 -1
package/dist/report-sarif.d.ts +1 -1
package/dist/report-sarif.js +60 -23
package/dist/report-sarif.js.map +1 -1
package/dist/report.d.ts +3 -3
package/dist/report.js +36 -19
package/dist/report.js.map +1 -1
package/dist/retry.js +3 -5
package/dist/retry.js.map +1 -1
package/dist/scan-opts.d.ts +21 -0
package/dist/scan-opts.js +9 -0
package/dist/scan-opts.js.map +1 -0
package/dist/scanner-cache.js +10 -6
package/dist/scanner-cache.js.map +1 -1
package/dist/scanners/agentic.d.ts +1 -1
package/dist/scanners/agentic.js.map +1 -1
package/dist/scanners/codeql.d.ts +1 -1
package/dist/scanners/codeql.js +4 -2
package/dist/scanners/codeql.js.map +1 -1
package/dist/scanners/dedup.d.ts +5 -0
package/dist/scanners/dedup.js +102 -72
package/dist/scanners/dedup.js.map +1 -1
package/dist/scanners/design-decision-classifier.d.ts +1 -1
package/dist/scanners/design-decision-classifier.js +1 -1
package/dist/scanners/design-decision-classifier.js.map +1 -1
package/dist/scanners/finding-selection.js.map +1 -1
package/dist/scanners/fp-filter.js +9 -9
package/dist/scanners/fp-filter.js.map +1 -1
package/dist/scanners/index.d.ts +1 -1
package/dist/scanners/index.js +3 -3
package/dist/scanners/index.js.map +1 -1
package/dist/scanners/llm-rescore.js +5 -3
package/dist/scanners/llm-rescore.js.map +1 -1
package/dist/scanners/normalization.d.ts +1 -1
package/dist/scanners/normalization.js +1 -4
package/dist/scanners/normalization.js.map +1 -1
package/dist/scanners/normalize-findings.js +3 -7
package/dist/scanners/normalize-findings.js.map +1 -1
package/dist/scanners/registry.d.ts +1 -1
package/dist/scanners/registry.js +3 -9
package/dist/scanners/registry.js.map +1 -1
package/dist/scanners/resolve-codeql.js.map +1 -1
package/dist/scanners/resolve-semgrep.js +7 -7
package/dist/scanners/resolve-semgrep.js.map +1 -1
package/dist/scanners/run-agentic.d.ts +20 -2
package/dist/scanners/run-agentic.js +20 -7
package/dist/scanners/run-agentic.js.map +1 -1
package/dist/scanners/run-codeql.js +42 -42
package/dist/scanners/run-codeql.js.map +1 -1
package/dist/scanners/run-semgrep.js +4 -9
package/dist/scanners/run-semgrep.js.map +1 -1
package/dist/scanners/scoring.js.map +1 -1
package/dist/scanners/semgrep.d.ts +1 -1
package/dist/scanners/semgrep.js +1 -1
package/dist/scanners/semgrep.js.map +1 -1
package/dist/scanners/types.d.ts +8 -3
package/dist/scheduler/index.js.map +1 -1
package/dist/scheduler/rate-limit-registry.js +3 -4
package/dist/scheduler/rate-limit-registry.js.map +1 -1
package/dist/schemas.d.ts +160 -16
package/dist/schemas.js +145 -48
package/dist/schemas.js.map +1 -1
package/dist/scoring/composite-confidence.d.ts +0 -10
package/dist/scoring/composite-confidence.js +4 -5
package/dist/scoring/composite-confidence.js.map +1 -1
package/dist/scoring/prompt-versioning.js +1 -1
package/dist/scoring/prompt-versioning.js.map +1 -1
package/dist/scoring/run-metrics-types.d.ts +83 -0
package/dist/scoring/run-metrics-types.js +9 -0
package/dist/scoring/run-metrics-types.js.map +1 -0
package/dist/scoring/run-metrics.d.ts +3 -77
package/dist/scoring/run-metrics.js.map +1 -1
package/dist/scoring/triage-assertions.d.ts +0 -60
package/dist/scoring/triage-assertions.js +28 -30
package/dist/scoring/triage-assertions.js.map +1 -1
package/dist/security-profiles.js.map +1 -1
package/dist/store/crypto-behavioral.js +4 -2
package/dist/store/crypto-behavioral.js.map +1 -1
package/dist/store/dynamic-analysis.js +8 -4
package/dist/store/dynamic-analysis.js.map +1 -1
package/dist/store/patch-results.js +8 -4
package/dist/store/patch-results.js.map +1 -1
package/dist/store.d.ts +46 -28
package/dist/store.js +592 -154
package/dist/store.js.map +1 -1
package/dist/strategies/auto-rule.d.ts +1 -1
package/dist/strategies/auto-rule.js +25 -14
package/dist/strategies/auto-rule.js.map +1 -1
package/dist/strategies/cwe-strategy-map.js +13 -17
package/dist/strategies/cwe-strategy-map.js.map +1 -1
package/dist/strategies/dataflow/index.js +18 -9
package/dist/strategies/dataflow/index.js.map +1 -1
package/dist/strategies/execution/index.js +16 -10
package/dist/strategies/execution/index.js.map +1 -1
package/dist/strategies/executor.d.ts +1 -1
package/dist/strategies/executor.js +5 -3
package/dist/strategies/executor.js.map +1 -1
package/dist/strategies/index.d.ts +4 -4
package/dist/strategies/index.js +3 -3
package/dist/strategies/index.js.map +1 -1
package/dist/strategies/init.js +3 -3
package/dist/strategies/init.js.map +1 -1
package/dist/strategies/merge.d.ts +1 -1
package/dist/strategies/merge.js +11 -9
package/dist/strategies/merge.js.map +1 -1
package/dist/strategies/multi-strategy-task.d.ts +1 -1
package/dist/strategies/multi-strategy-task.js.map +1 -1
package/dist/strategies/reasoning/index.js +41 -15
package/dist/strategies/reasoning/index.js.map +1 -1
package/dist/strategies/rule-persistence.js +1 -1
package/dist/strategies/rule-persistence.js.map +1 -1
package/dist/strategies/syntactic/index.js +86 -22
package/dist/strategies/syntactic/index.js.map +1 -1
package/dist/strategies/task-profile-map.js.map +1 -1
package/dist/strategies/types.d.ts +1 -1
package/dist/streaming.js +1 -1
package/dist/streaming.js.map +1 -1
package/dist/task-output-meta.js.map +1 -1
package/dist/testing/index.d.ts +40 -0
package/dist/testing/index.js +74 -0
package/dist/testing/index.js.map +1 -0
package/dist/threat-model-renderer.d.ts +29 -0
package/dist/threat-model-renderer.js +302 -0
package/dist/threat-model-renderer.js.map +1 -0
package/dist/trajectory-memory.d.ts +0 -10
package/dist/trajectory-memory.js +27 -44
package/dist/trajectory-memory.js.map +1 -1
package/dist/triage.d.ts +290 -0
package/dist/triage.js +360 -38
package/dist/triage.js.map +1 -1
package/dist/types.d.ts +173 -26
package/dist/types.js +1 -1
package/dist/types.js.map +1 -1
package/dist/ui/App.js +29 -18
package/dist/ui/App.js.map +1 -1
package/dist/ui/components/AgentActivity.d.ts +6 -7
package/dist/ui/components/AgentActivity.js +23 -15
package/dist/ui/components/AgentActivity.js.map +1 -1
package/dist/ui/components/AnimatedCounter.d.ts +1 -1
package/dist/ui/components/AnimatedCounter.js +3 -3
package/dist/ui/components/AnimatedCounter.js.map +1 -1
package/dist/ui/components/AttackChainDiagram.js +26 -23
package/dist/ui/components/AttackChainDiagram.js.map +1 -1
package/dist/ui/components/Banner.d.ts +1 -1
package/dist/ui/components/Banner.js +8 -6
package/dist/ui/components/Banner.js.map +1 -1
package/dist/ui/components/CodePreview.d.ts +5 -12
package/dist/ui/components/CodePreview.js +20 -17
package/dist/ui/components/CodePreview.js.map +1 -1
package/dist/ui/components/CommandInput.d.ts +5 -4
package/dist/ui/components/CommandInput.js +53 -45
package/dist/ui/components/CommandInput.js.map +1 -1
package/dist/ui/components/CompactHeader.d.ts +1 -1
package/dist/ui/components/CompactHeader.js +3 -3
package/dist/ui/components/CompactHeader.js.map +1 -1
package/dist/ui/components/ConfigBanner.d.ts +4 -9
package/dist/ui/components/ConfigBanner.js +20 -10
package/dist/ui/components/ConfigBanner.js.map +1 -1
package/dist/ui/components/ConfigConfirm.d.ts +4 -11
package/dist/ui/components/ConfigConfirm.js +43 -12
package/dist/ui/components/ConfigConfirm.js.map +1 -1
package/dist/ui/components/ContextIntake.d.ts +18 -0
package/dist/ui/components/ContextIntake.js +311 -0
package/dist/ui/components/ContextIntake.js.map +1 -0
package/dist/ui/components/CopilotShell.d.ts +8 -5
package/dist/ui/components/CopilotShell.js +86 -37
package/dist/ui/components/CopilotShell.js.map +1 -1
package/dist/ui/components/CredentialPrompt.d.ts +6 -20
package/dist/ui/components/CredentialPrompt.js +54 -80
package/dist/ui/components/CredentialPrompt.js.map +1 -1
package/dist/ui/components/DiffView.d.ts +3 -8
package/dist/ui/components/DiffView.js +20 -13
package/dist/ui/components/DiffView.js.map +1 -1
package/dist/ui/components/ErrorCard.d.ts +15 -10
package/dist/ui/components/ErrorCard.js +22 -11
package/dist/ui/components/ErrorCard.js.map +1 -1
package/dist/ui/components/ExportActions.d.ts +2 -2
package/dist/ui/components/ExportActions.js +23 -15
package/dist/ui/components/ExportActions.js.map +1 -1
package/dist/ui/components/FindingCard.d.ts +1 -1
package/dist/ui/components/FindingCard.js +104 -32
package/dist/ui/components/FindingCard.js.map +1 -1
package/dist/ui/components/InteractiveReview.d.ts +2 -2
package/dist/ui/components/InteractiveReview.js +13 -5
package/dist/ui/components/InteractiveReview.js.map +1 -1
package/dist/ui/components/MonorepoProgress.d.ts +6 -11
package/dist/ui/components/MonorepoProgress.js +35 -22
package/dist/ui/components/MonorepoProgress.js.map +1 -1
package/dist/ui/components/NoticeRail.d.ts +1 -1
package/dist/ui/components/NoticeRail.js +12 -13
package/dist/ui/components/NoticeRail.js.map +1 -1
package/dist/ui/components/PipelineIndicator.d.ts +1 -1
package/dist/ui/components/PipelineIndicator.js +109 -88
package/dist/ui/components/PipelineIndicator.js.map +1 -1
package/dist/ui/components/ProgressBar.d.ts +4 -1
package/dist/ui/components/ProgressBar.js +15 -5
package/dist/ui/components/ProgressBar.js.map +1 -1
package/dist/ui/components/QualityGate.d.ts +1 -1
package/dist/ui/components/QualityGate.js +7 -4
package/dist/ui/components/QualityGate.js.map +1 -1
package/dist/ui/components/ResultLine.d.ts +3 -7
package/dist/ui/components/ResultLine.js +19 -12
package/dist/ui/components/ResultLine.js.map +1 -1
package/dist/ui/components/ResumeDiff.d.ts +1 -10
package/dist/ui/components/ResumeDiff.js +11 -7
package/dist/ui/components/ResumeDiff.js.map +1 -1
package/dist/ui/components/ScanSummary.d.ts +1 -1
package/dist/ui/components/ScanSummary.js +64 -23
package/dist/ui/components/ScanSummary.js.map +1 -1
package/dist/ui/components/SectionBox.d.ts +1 -1
package/dist/ui/components/SectionBox.js +6 -2
package/dist/ui/components/SectionBox.js.map +1 -1
package/dist/ui/components/SetupWizard.d.ts +5 -14
package/dist/ui/components/SetupWizard.js +117 -78
package/dist/ui/components/SetupWizard.js.map +1 -1
package/dist/ui/components/Spinner.d.ts +4 -2
package/dist/ui/components/Spinner.js +11 -4
package/dist/ui/components/Spinner.js.map +1 -1
package/dist/ui/components/StageHeader.d.ts +1 -1
package/dist/ui/components/StageHeader.js +14 -9
package/dist/ui/components/StageHeader.js.map +1 -1
package/dist/ui/components/StatusFooter.d.ts +3 -2
package/dist/ui/components/StatusFooter.js +14 -21
package/dist/ui/components/StatusFooter.js.map +1 -1
package/dist/ui/components/ThreatModelEditor.d.ts +17 -0
package/dist/ui/components/ThreatModelEditor.js +155 -0
package/dist/ui/components/ThreatModelEditor.js.map +1 -0
package/dist/ui/components/TrophyScreen.d.ts +5 -5
package/dist/ui/components/TrophyScreen.js +47 -21
package/dist/ui/components/TrophyScreen.js.map +1 -1
package/dist/ui/demo.js +89 -21
package/dist/ui/demo.js.map +1 -1
package/dist/ui/error-format.d.ts +26 -0
package/dist/ui/error-format.js +103 -0
package/dist/ui/error-format.js.map +1 -0
package/dist/ui/format.d.ts +50 -3
package/dist/ui/format.js +114 -20
package/dist/ui/format.js.map +1 -1
package/dist/ui/hooks/useBoundedIndex.d.ts +13 -0
package/dist/ui/hooks/useBoundedIndex.js +66 -0
package/dist/ui/hooks/useBoundedIndex.js.map +1 -0
package/dist/ui/hooks/useCursorVisibility.d.ts +5 -0
package/dist/ui/hooks/useCursorVisibility.js +50 -0
package/dist/ui/hooks/useCursorVisibility.js.map +1 -0
package/dist/ui/hooks/useExpanded.d.ts +12 -0
package/dist/ui/hooks/useExpanded.js +38 -0
package/dist/ui/hooks/useExpanded.js.map +1 -0
package/dist/ui/hooks/useFocusTrap.d.ts +5 -0
package/dist/ui/hooks/useFocusTrap.js +36 -0
package/dist/ui/hooks/useFocusTrap.js.map +1 -0
package/dist/ui/hooks/useKeybindings.d.ts +27 -0
package/dist/ui/hooks/useKeybindings.js +67 -0
package/dist/ui/hooks/useKeybindings.js.map +1 -0
package/dist/ui/hooks/useTerminalSize.d.ts +5 -0
package/dist/ui/hooks/useTerminalSize.js +43 -0
package/dist/ui/hooks/useTerminalSize.js.map +1 -0
package/dist/ui/hooks.d.ts +23 -1
package/dist/ui/hooks.js +27 -1
package/dist/ui/hooks.js.map +1 -1
package/dist/ui/hyperlink.d.ts +9 -0
package/dist/ui/hyperlink.js +1 -1
package/dist/ui/hyperlink.js.map +1 -1
package/dist/ui/icons.d.ts +4 -4
package/dist/ui/icons.js +5 -5
package/dist/ui/icons.js.map +1 -1
package/dist/ui/markdown.js.map +1 -1
package/dist/ui/monorepo-render.js +5 -6
package/dist/ui/monorepo-render.js.map +1 -1
package/dist/ui/notify.js +4 -1
package/dist/ui/notify.js.map +1 -1
package/dist/ui/output.js +4 -4
package/dist/ui/output.js.map +1 -1
package/dist/ui/plain-renderer.js +79 -50
package/dist/ui/plain-renderer.js.map +1 -1
package/dist/ui/primitives/Breadcrumb.d.ts +9 -0
package/dist/ui/primitives/Breadcrumb.js +38 -0
package/dist/ui/primitives/Breadcrumb.js.map +1 -0
package/dist/ui/primitives/ConfirmDialog.d.ts +11 -0
package/dist/ui/primitives/ConfirmDialog.js +36 -0
package/dist/ui/primitives/ConfirmDialog.js.map +1 -0
package/dist/ui/primitives/Divider.d.ts +12 -0
package/dist/ui/primitives/Divider.js +27 -0
package/dist/ui/primitives/Divider.js.map +1 -0
package/dist/ui/primitives/ExpandableSection.d.ts +14 -0
package/dist/ui/primitives/ExpandableSection.js +22 -0
package/dist/ui/primitives/ExpandableSection.js.map +1 -0
package/dist/ui/primitives/KeybindFooter.d.ts +7 -0
package/dist/ui/primitives/KeybindFooter.js +31 -0
package/dist/ui/primitives/KeybindFooter.js.map +1 -0
package/dist/ui/primitives/MultilineText.d.ts +19 -0
package/dist/ui/primitives/MultilineText.js +22 -0
package/dist/ui/primitives/MultilineText.js.map +1 -0
package/dist/ui/primitives/SelectList.d.ts +30 -0
package/dist/ui/primitives/SelectList.js +80 -0
package/dist/ui/primitives/SelectList.js.map +1 -0
package/dist/ui/primitives/Table.d.ts +22 -0
package/dist/ui/primitives/Table.js +114 -0
package/dist/ui/primitives/Table.js.map +1 -0
package/dist/ui/primitives/TextInput.d.ts +15 -0
package/dist/ui/primitives/TextInput.js +46 -0
package/dist/ui/primitives/TextInput.js.map +1 -0
package/dist/ui/primitives/index.d.ts +22 -0
package/dist/ui/primitives/index.js +14 -0
package/dist/ui/primitives/index.js.map +1 -0
package/dist/ui/render.d.ts +6 -0
package/dist/ui/render.js +44 -1
package/dist/ui/render.js.map +1 -1
package/dist/ui/repl.d.ts +1 -1
package/dist/ui/repl.js +6 -0
package/dist/ui/repl.js.map +1 -1
package/dist/ui/review.d.ts +2 -2
package/dist/ui/review.js +11 -2
package/dist/ui/review.js.map +1 -1
package/dist/ui/setup.d.ts +30 -4
package/dist/ui/setup.js +81 -10
package/dist/ui/setup.js.map +1 -1
package/dist/ui/state.d.ts +116 -5
package/dist/ui/state.js +139 -17
package/dist/ui/state.js.map +1 -1
package/dist/ui/summary-data.d.ts +1 -1
package/dist/ui/summary-data.js +34 -3
package/dist/ui/summary-data.js.map +1 -1
package/dist/ui/theme.js +7 -13
package/dist/ui/theme.js.map +1 -1
package/dist/ui/tokens.d.ts +61 -0
package/dist/ui/tokens.js +105 -0
package/dist/ui/tokens.js.map +1 -0
package/dist/utils/index.d.ts +1 -1
package/dist/utils/index.js +1 -1
package/dist/utils/index.js.map +1 -1
package/dist/verify.d.ts +156 -0
package/dist/verify.js +150 -38
package/dist/verify.js.map +1 -1
package/dist/workspace/manager.d.ts +19 -0
package/dist/workspace/manager.js +112 -0
package/dist/workspace/manager.js.map +1 -0
package/dist/workspace/types.d.ts +15 -0
package/dist/workspace/types.js +2 -0
package/dist/workspace/types.js.map +1 -0
package/package.json +51 -26
package/dist/migrations/001_initial_schema.d.ts +0 -7
package/dist/migrations/001_initial_schema.js +0 -50
package/dist/migrations/001_initial_schema.js.map +0 -1
package/dist/migrations/002_add_scanner_column.d.ts +0 -3
package/dist/migrations/002_add_scanner_column.js +0 -14
package/dist/migrations/002_add_scanner_column.js.map +0 -1
package/dist/migrations/003_add_triage_cost_column.d.ts +0 -3
package/dist/migrations/003_add_triage_cost_column.js +0 -12
package/dist/migrations/003_add_triage_cost_column.js.map +0 -1
package/dist/migrations/004_add_triage_details_column.d.ts +0 -3
package/dist/migrations/004_add_triage_details_column.js +0 -12
package/dist/migrations/004_add_triage_details_column.js.map +0 -1
package/dist/migrations/005_add_verification_columns.d.ts +0 -3
package/dist/migrations/005_add_verification_columns.js +0 -24
package/dist/migrations/005_add_verification_columns.js.map +0 -1
package/dist/migrations/006_add_poc_harness_columns.d.ts +0 -3
package/dist/migrations/006_add_poc_harness_columns.js +0 -24
package/dist/migrations/006_add_poc_harness_columns.js.map +0 -1
package/dist/migrations/007_add_poc_execution_columns.d.ts +0 -3
package/dist/migrations/007_add_poc_execution_columns.js +0 -22
package/dist/migrations/007_add_poc_execution_columns.js.map +0 -1
package/dist/migrations/008_pipeline_runs_status_values.d.ts +0 -8
package/dist/migrations/008_pipeline_runs_status_values.js +0 -72
package/dist/migrations/008_pipeline_runs_status_values.js.map +0 -1
package/dist/migrations/009_add_pipeline_runs_context.d.ts +0 -3
package/dist/migrations/009_add_pipeline_runs_context.js +0 -12
package/dist/migrations/009_add_pipeline_runs_context.js.map +0 -1
package/dist/migrations/010_add_calibration_schema.d.ts +0 -3
package/dist/migrations/010_add_calibration_schema.js +0 -26
package/dist/migrations/010_add_calibration_schema.js.map +0 -1
package/dist/migrations/011_add_trajectories_table.d.ts +0 -3
package/dist/migrations/011_add_trajectories_table.js +0 -27
package/dist/migrations/011_add_trajectories_table.js.map +0 -1
package/dist/migrations/012_add_finding_provenance_columns.d.ts +0 -3
package/dist/migrations/012_add_finding_provenance_columns.js +0 -19
package/dist/migrations/012_add_finding_provenance_columns.js.map +0 -1
package/dist/migrations/013_add_composite_confidence_columns.d.ts +0 -3
package/dist/migrations/013_add_composite_confidence_columns.js +0 -16
package/dist/migrations/013_add_composite_confidence_columns.js.map +0 -1
package/dist/migrations/014_add_metrics_column.d.ts +0 -3
package/dist/migrations/014_add_metrics_column.js +0 -13
package/dist/migrations/014_add_metrics_column.js.map +0 -1
package/dist/migrations/015_add_assertion_tracking.d.ts +0 -2
package/dist/migrations/015_add_assertion_tracking.js +0 -31
package/dist/migrations/015_add_assertion_tracking.js.map +0 -1
package/dist/migrations/016_add_structured_finding_evidence.d.ts +0 -5
package/dist/migrations/016_add_structured_finding_evidence.js +0 -21
package/dist/migrations/016_add_structured_finding_evidence.js.map +0 -1
package/dist/migrations/017_add_dynamic_and_patch_persistence.d.ts +0 -5
package/dist/migrations/017_add_dynamic_and_patch_persistence.js +0 -69
package/dist/migrations/017_add_dynamic_and_patch_persistence.js.map +0 -1
package/dist/migrations/018_add_crypto_behavioral_runs.d.ts +0 -2
package/dist/migrations/018_add_crypto_behavioral_runs.js +0 -40
package/dist/migrations/018_add_crypto_behavioral_runs.js.map +0 -1
package/dist/migrations/019_add_code_graph_tables.d.ts +0 -2
package/dist/migrations/019_add_code_graph_tables.js +0 -72
package/dist/migrations/019_add_code_graph_tables.js.map +0 -1
package/dist/migrations/020_add_verified_patch_status.d.ts +0 -6
package/dist/migrations/020_add_verified_patch_status.js +0 -38
package/dist/migrations/020_add_verified_patch_status.js.map +0 -1
package/dist/migrations/021_add_incremental_scanning_support.d.ts +0 -2
package/dist/migrations/021_add_incremental_scanning_support.js +0 -13
package/dist/migrations/021_add_incremental_scanning_support.js.map +0 -1
package/dist/migrations/022_add_verdict_index.d.ts +0 -2
package/dist/migrations/022_add_verdict_index.js +0 -8
package/dist/migrations/022_add_verdict_index.js.map +0 -1
package/dist/migrations/023_expand_pipeline_status_constraint.d.ts +0 -6
package/dist/migrations/023_expand_pipeline_status_constraint.js +0 -58
package/dist/migrations/023_expand_pipeline_status_constraint.js.map +0 -1
package/dist/migrations/024_rename_scanner_to_task_id.d.ts +0 -13
package/dist/migrations/024_rename_scanner_to_task_id.js +0 -25
package/dist/migrations/024_rename_scanner_to_task_id.js.map +0 -1

package/README.md CHANGED Viewed

@@ -24,18 +24,18 @@ kuzushi
 Just type `kuzushi`. The interactive copilot shell starts with your loaded modules, available tools, and any active workspace. Talk naturally or use structured commands.
 ```
-kuzushi shell                            # default — just `kuzushi` works
-kuzushi shell --workspace acme-pentest   # resume an engagement
-kuzushi shell --target ./repo            # set initial target
-kuzushi shell --load blackbox,honeypot   # pre-load specific modules
+kuzushi shell                                  # default — just `kuzushi` works
+kuzushi shell --workspace acme-pentest         # resume an engagement
+kuzushi shell --target ./repo                  # set initial target
+kuzushi shell --load randori,vuln-scout,tob    # pre-load specific built-in modules
 ```
 ```
-┌─────────────────────────────────────────────────────────────┐
+╭─────────────────────────────────────────────────────────────╮
 │  kuzushi shell                      workspace: acme-api     │
-│  modules: sast, randori, blackbox, honeypot, shinsa         │
+│  modules: sast, randori, vuln-scout, tob, variant-hunter    │
 │  target: ./acme-api  (Node.js + Express + PostgreSQL)       │
-└─────────────────────────────────────────────────────────────┘
+╰─────────────────────────────────────────────────────────────╯
 kuzushi> modules
 kuzushi> use sast
@@ -93,26 +93,94 @@ kuzushi scan /path/to/repo --model google:gemini-2.0-flash
 Kuzushi auto-downloads Opengrep if you don't have a scanner installed. Zero dependencies to manage.
+## Quick Start (Contributors)
+Two commands, deterministic, loud on failure:
+```sh
+git clone https://github.com/allsmog/Kuzushi.git
+cd Kuzushi
+pnpm setup      # verifies Node 22+, pins pnpm via corepack, checks externals, pnpm install
+pnpm doctor     # optional: re-verify the environment at any time
+```
+Then:
+```sh
+pnpm dev --help       # run the CLI from source via tsx
+pnpm test             # unit tests (vitest)
+pnpm check:types      # typecheck src + benchmarks + perf (in parallel)
+pnpm build            # incremental compile to dist/ — incremental, fast
+pnpm build:clean      # wipe dist/ and rebuild from scratch (used by `pnpm prepack`)
+```
+Optional benchmark corpuses (clones 3rd-party vulnerable apps on demand):
+```sh
+pnpm setup:benchmarks list          # list available corpuses
+pnpm setup:benchmarks govwa         # clone one
+pnpm setup:benchmarks all           # clone everything
+```
+Prefer a containerised environment? Open the repo in VS Code / Codespaces and
+"Reopen in Container" — the `.devcontainer/devcontainer.json` runs
+`pnpm setup --strict` automatically and installs semgrep + python for you.
 ## Module System
-Kuzushi's capabilities come from pluggable modules. Each module exposes tools (for shell and run modes) and optionally pipeline tasks (for scan mode DAG execution).
-| Module | Category | What It Does |
-|--------|----------|-------------|
-| **sast** (built-in) | offense | 40+ task SAST pipeline: Semgrep, CodeQL, agentic detectors, AI triage, verification, PoC, patch |
-| **randori** | intel | 7-stage PASTA threat modeling with ATT&CK/CAPEC/NVD intel, attack trees, probabilistic risk |
-| **vuln-scout** | offense | Whitebox SAST with 15 Joern CPG verification scripts, 8 autonomous agents |
-| **augur** | offense | Neuro-symbolic SAST (IRIS/ICLR 2025 LLM-driven CodeQL taint analysis) |
-| **blackbox** | offense | Black/grey-box pentesting: nmap, gobuster, nikto, hydra, privilege escalation |
-| **pwn** | offense | Binary exploitation: checksec, GDB, ROP chains, heap exploitation, SROP |
-| **pentest** | offense | MCP server wrapping metasploit, nmap, hydra, john |
-| **honeypot** | defense | Autonomous honeypot orchestration: 14 service types, 6 honeytokens, Falco |
-| **yokai** | defense | Supply chain tripwires: dependency confusion, typosquatting, registry canaries |
-| **prompt-armor** | offense | LLM red teaming: 80+ attack plugins, 25+ mutation strategies |
-| **shinsa** | governance | Multi-framework compliance: ISO 27001, NIST 800-53, SOC 2, PCI DSS |
-| **revgraph** | intel | Binary reverse engineering: Ghidra + Neo4j, NL2Cypher, function embeddings |
-Modules are loaded via the shell (`use <module>`) or at startup (`--load blackbox,honeypot`).
+Kuzushi's capabilities come from `CopilotModule`s that expose tools (for shell and run modes) and optionally pipeline tasks (for scan mode DAG execution), plus a set of Claude Code plugins that are wrapped by built-in modules. Three buckets:
+### Built-in `CopilotModule`s (always available)
+| Module | Category | What It Does | Key Tools |
+|--------|----------|--------------|-----------|
+| **sast** | offense | 40+ task SAST pipeline: Semgrep, CodeQL, agentic detectors, AI triage, verification, PoC, patch | `sast:scan`, `sast:semgrep`, `sast:codeql`, `sast:triage`, `sast:verify`, `sast:patch`, `sast:findings`, `sast:context`, `sast:threat-hunt`, `sast:taint-iris` |
+| **randori** | intel | PASTA threat modeling via the `@kuzushi/randori-plugin` — S1–S4 stages plus narrative synthesis, returning a `ThreatModelDocument` | `randori:pasta`, `randori:threat-model` |
+| **vuln-scout** | offense | Whitebox pentest via the `@kuzushi/vuln-scout` plugin — agentic SAST + taint analysis returning normalized Findings | `vuln-scout:audit` |
+| **tob** | offense | Trail of Bits skills audit via `@kuzushi/tob-skills` — fp-check, sharp-edges, insecure-defaults, static-analysis, variant-analysis, and more | `tob:audit`, `tob:skills` |
+| **shinsa** | governance | ISO 27001 Annex A + NIST SP 800-53 Rev 5 compliance assessment via `shinsa-plugin` — evidence-backed controls mapped to file:line citations | `shinsa:scan`, `shinsa:quick-check`, `shinsa:nist-scan`, `shinsa:nist-quick-check`, `shinsa:frameworks` |
+| **prompt-armor** | offense | LLM red teaming via `promptarmor-plugin` — 80+ attack plugins, 25+ mutation strategies, code-aware remediation (network commands require `authorized: true`) | `prompt-armor:scan`, `prompt-armor:analyze`, `prompt-armor:attack`, `prompt-armor:diff`, `prompt-armor:report`, `prompt-armor:config` |
+| **variant-hunter** | offense | Lifts confirmed findings into portable signatures and hunts for variants across the repo (including vendored deps) | `variant:lift-pattern`, `variant:hunt` |
+| **n-day-diff-hunter** | offense | CVE-diff-based n-day hunting and variant search against a target | `ndiff:fetch-cve`, `ndiff:search-patch-shape`, `ndiff:hunt-variants` |
+Load with the shell or at startup: `kuzushi shell --load randori,vuln-scout,tob,shinsa,prompt-armor,variant-hunter,n-day-diff-hunter` (the bare id works — `builtin:` prefix is optional).
+### External `CopilotModule` packages
+| Package | Module ID | Usage |
+|---------|-----------|-------|
+| `@kuzushi/augur` | `augur` | Neuro-symbolic SAST (IRIS/ICLR 2025 LLM-driven CodeQL taint analysis). Load with `--load package:@kuzushi/augur`. |
+### Referenced Claude Code plugins
+These are dependencies consumed by the built-in wrappers above, not directly loadable as `CopilotModule`s. Attempting `--load package:@kuzushi/randori-plugin` (etc.) prints a pointer to the corresponding built-in module.
+| Package | Wrapped by | Notes |
+|---------|------------|-------|
+| `@kuzushi/randori-plugin` | built-in `randori` | PASTA threat-modeling plugin (commands, agents, skills, hooks). |
+| `@kuzushi/vuln-scout` | built-in `vuln-scout` | Whitebox pentest skill pack under `whitebox-pentest/`. |
+| `@kuzushi/tob-skills` | built-in `tob` | Fork of trailofbits/skills — security-relevant plugins under `plugins/`. |
+| `shinsa-plugin` | built-in `shinsa` | ISO 27001 + NIST 800-53 compliance assessment (4 commands, 10 assessor agents). |
+| `promptarmor-plugin` | built-in `prompt-armor` | LLM red teaming (6 commands + MCP server under `server/`). |
+### Roadmap (not yet shipped)
+`blackbox`, `pwn`, `pentest`, `honeypot`, `yokai`, `revgraph` — referenced in the long-term vision but not currently implemented as loadable modules. See [VISION.md](VISION.md) for direction.
+### Authoring your own module
+```sh
+kuzushi create-module my-module --template offense   # scaffolds manifest + starter tool + vitest
+```
+The scaffolder emits `module.manifest.json`, a TypeScript starter tool, and a vitest skeleton. Import types and test helpers from the SDK subpaths:
+```ts
+import type { CopilotModule, ModuleTool, ToolResult } from "kuzushi/modules"
+import { createMockToolContext, createMockBus, noopRuntime } from "kuzushi/testing"
+```
+Load a local build with `--load file:///abs/path/to/my-module`, or a published package with `--load package:@scope/name`. MCP servers can be bridged with `--load mcp:<spec>` (stdio or HTTP Streamable). See [CLAUDE.md](CLAUDE.md) for the full module authoring guide.
 ## The SAST Pipeline
@@ -159,7 +227,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-      - run: npx kuzushi scan . --sarif results.sarif --quality-gate --fail-on-tp
+      - run: npx kuzushi scan . --sarif results.sarif --junit results.xml --quality-gate --fail-on-tp
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
       - uses: github/codeql-action/upload-sarif@v3
@@ -168,6 +236,8 @@ jobs:
           sarif_file: results.sarif
 ```
+Exit codes: `0` clean, `1` findings (or task failures), `2` usage/config/auth, `3` unexpected crash. See `.github/workflows/kuzushi-reference.yml` for a reference workflow with SARIF upload, JUnit publish, and PR sticky comment.
 ### Quality Gates
 ```sh
@@ -207,7 +277,7 @@ kuzushi scan <repo> --preset glasswing   # + PoC + threat-informed hunting + fro
 **Resumable runs** — checkpoints to SQLite. `--resume` picks up where you left off.
-**Interactive terminal UI** — React+Ink-powered live display with pipeline progress tree, spinners, trophy screen for confirmed exploits. REPL during scans (pause, skip, inspect). First-run setup wizard. Falls back to plain text in non-TTY.
+**Interactive terminal UI** — React+Ink-powered live display with pipeline progress tree, spinners, trophy screen for confirmed exploits. REPL during scans (pause, skip, inspect). First-run setup wizard. Falls back to plain text in non-TTY. Built on a unified primitive library (`src/ui/primitives/`: `SelectList`, `TextInput`, `ConfirmDialog`, `Table`, `Breadcrumb`, `KeybindFooter`, `ExpandableSection`, `Divider`, `MultilineText`) with shared hooks (`src/ui/hooks/`: `useBoundedIndex`, `useFocusTrap`, `useTerminalSize`, `useCursorVisibility`, `useExpanded`, `useKeybindings`) for consistent focus, keyboard navigation, and resize handling.
 **Incremental scanning** — skips re-triage for unchanged findings. Dependency-aware invalidation via import graph.
@@ -267,10 +337,20 @@ kuzushi scan <repo> --output report.md
 kuzushi scan <repo> --sarif results.sarif
 kuzushi scan <repo> --json results.json
 kuzushi scan <repo> --csv results.csv
+kuzushi scan <repo> --junit results.xml
 kuzushi scan <repo> --stream
 kuzushi scan <repo> --audit-log
 ```
+### Run History
+```
+kuzushi runs list                          # 50 most recent runs
+kuzushi runs list --status interrupted     # only resumable runs
+kuzushi runs show <runId> --costs          # details + cost breakdown
+kuzushi runs show <runId> --json           # JSON output for tooling
+```
 ### Run Mode
 ```
@@ -367,6 +447,25 @@ kuzushi config set tasks semgrep,codeql
 See [VISION.md](VISION.md) for the full architecture vision, module system design, workspace/knowledge graph, intel layer, governance model, and implementation roadmap.
+### Terminal UI layer
+The Ink React frontend lives in `src/ui/`:
+| Path | Role |
+| --- | --- |
+| `src/ui/App.tsx` | Root Ink component; dispatches on `UIState.mode` (`preflight`, `running`, `summary`, `review`, `done`, `shell`). |
+| `src/ui/state.ts` | `UIStore` — observer-pattern state + `useSyncExternalStore` binding. |
+| `src/ui/render.ts` | Entry point; TTY detection and Ink mount / plain fallback. |
+| `src/ui/plain-renderer.ts` | Non-TTY subscriber that prints delta-based updates. |
+| `src/ui/tokens.ts` | Semantic color/typography tokens + `SPACING` / `COLUMN_WIDTHS` constants. |
+| `src/ui/format.ts` | Terminal formatting utilities — progress bars, cost/duration, column padding, ANSI-aware truncation (`truncateEnd`, `truncateMiddle`, `padCell`, `visibleWidth`). |
+| `src/ui/error-format.ts` | Ink-free error classification (`classifyError`, `formatError`, `suggestNextStep`) consumed by `ErrorCard`. |
+| `src/ui/primitives/` | Reusable building blocks: `SelectList`, `TextInput`, `ConfirmDialog`, `Table`, `Breadcrumb`, `KeybindFooter`, `ExpandableSection`, `Divider`, `MultilineText`. |
+| `src/ui/hooks/` | Behavioral hooks: `useBoundedIndex`, `useFocusTrap`, `useTerminalSize` (SIGWINCH-aware), `useCursorVisibility`, `useExpanded`, `useKeybindings`. |
+| `src/ui/components/` | Feature components (pipeline, findings, setup wizard, copilot shell) composed from the primitives above. |
+Styling discipline: components import from `tokens` (never `chalk` directly) and lay out with Ink `<Box>` flexbox properties (`flexDirection`, `justifyContent`, `gap`, `padding`, `margin`) rather than string-padding tricks.
 ## License
 MIT

package/dist/agent-runtime/batch-files.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
 import path from "node:path";
 /** Sanitize a path component to prevent traversal (strip slashes, .., etc.) */
 function sanitizeComponent(value) {

package/dist/agent-runtime/batch-files.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"batch-files.js","sourceRoot":"","sources":["../../src/agent-runtime/batch-files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,~~aAAa~~,EAAE,~~MAAM~~,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,+EAA+E;AAC/E,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,KAAa,EACb,MAAc,EACd,QAAgB,EAChB,IAAa;IAEb,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAClE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3F,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACvD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,KAAa;IAC/D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAChD,CAAC"}
1	+ {"version":3,"file":"batch-files.js","sourceRoot":"","sources":["../../src/agent-runtime/batch-files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,+EAA+E;AAC/E,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,KAAa,EACb,MAAc,EACd,QAAgB,EAChB,IAAa;IAEb,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAClE,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3F,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACvD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,KAAa;IAC/D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAChD,CAAC"}

package/dist/agent-runtime/claude.d.ts CHANGED Viewed

@@ -1,7 +1,13 @@
-import type { AgentRuntimeConfig } from "../types.js";
 import type { MessageBus } from "../bus/types.js";
-import type { AgentBatchRequest, AgentMessage, AgentQueryOptions, AgentQueryRequest, AgentRuntime, AgentSession } from "./types.js";
+import type { AgentRuntimeConfig } from "../types.js";
 import type { AgentQueryExecutionResult } from "./execution.js";
+import type { AgentBatchRequest, AgentMessage, AgentQueryOptions, AgentQueryRequest, AgentRuntime, AgentSession } from "./types.js";
+/** Exported for tests only — observes internal semaphore state. */
+export declare function __getSemaphoreState(): {
+    active: number;
+    leaked: number;
+    waiting: number;
+};
 export declare class ClaudeAgentRuntime implements AgentRuntime {
     readonly id = "claude";
     private readonly config;

package/dist/agent-runtime/claude.js CHANGED Viewed

@@ -1,7 +1,7 @@
-import Anthropic from "@anthropic-ai/sdk";
 import { query as claudeQuery, } from "@anthropic-ai/claude-agent-sdk";
-import { normalizeCostUsd, toErrorMessage } from "../utils.js";
+import Anthropic from "@anthropic-ai/sdk";
 import { getLogger } from "../logger.js";
+import { normalizeCostUsd, toErrorMessage } from "../utils.js";
 const log = getLogger("claude-runtime");
 // Prevent EPIPE from crashing the process when Claude SDK subprocesses die.
 // Multiple concurrent query() calls each spawn a Claude Code subprocess;
@@ -27,22 +27,32 @@ for (const stream of [process.stdout, process.stderr]) {
 // rapid "process exited with code 1" failures.
 const MAX_CONCURRENT_QUERIES = 5;
 let activeQueries = 0;
+// Slots marked as leaked — a prior caller timed out waiting, so we assume
+// its holder died. A subsequent release pays the leak marker down instead
+// of decrementing the live count, which keeps the effective capacity honest
+// even if the "dead" subprocess later recovers and releases.
+let leakedSlots = 0;
 const waitQueue = [];
 const SLOT_TIMEOUT_MS = 600_000; // 10 minutes max wait for a slot
+function effectiveActive() {
+    return Math.max(0, activeQueries - leakedSlots);
+}
 async function acquireSlot() {
-    if (activeQueries < MAX_CONCURRENT_QUERIES) {
+    if (effectiveActive() < MAX_CONCURRENT_QUERIES) {
         activeQueries++;
         return;
     }
     let forcedAcquire = false;
-    await new Promise((resolve, reject) => {
+    await new Promise((resolve) => {
         const timer = setTimeout(() => {
-            // Remove from queue and force-acquire — a subprocess likely died without releasing.
-            // Don't increment activeQueries; the orphaned slot already holds that count.
+            // Remove from queue; treat one existing holder as leaked. The next
+            // healthy release() will pay the leak marker down, so ultimately
+            // capacity can never drift negative or permanently below MAX.
             const idx = waitQueue.indexOf(resolve);
             if (idx >= 0)
                 waitQueue.splice(idx, 1);
-            log.warn("Semaphore slot timeout — force-acquiring (likely leaked slot from dead subprocess)");
+            log.warn("Semaphore slot timeout — assuming leaked slot from dead subprocess, force-acquiring");
+            leakedSlots++;
             forcedAcquire = true;
             resolve();
         }, SLOT_TIMEOUT_MS);
@@ -51,16 +61,29 @@ async function acquireSlot() {
             resolve();
         });
     });
-    if (!forcedAcquire) {
-        activeQueries++;
+    activeQueries++;
+    if (forcedAcquire) {
+        // leakedSlots was incremented in the timeout handler. We own a live slot
+        // now; the leak marker remains until paid down by a subsequent release.
     }
 }
 function releaseSlot() {
-    activeQueries = Math.max(0, activeQueries - 1);
+    if (leakedSlots > 0) {
+        // Pay down the leak marker instead of touching the live count; this
+        // release "belongs" to the orphaned slot, not our caller.
+        leakedSlots--;
+    }
+    else {
+        activeQueries = Math.max(0, activeQueries - 1);
+    }
     const next = waitQueue.shift();
     if (next)
         next();
 }
+/** Exported for tests only — observes internal semaphore state. */
+export function __getSemaphoreState() {
+    return { active: activeQueries, leaked: leakedSlots, waiting: waitQueue.length };
+}
 export class ClaudeAgentRuntime {
     id = "claude";
     config;
@@ -135,9 +158,7 @@ export class ClaudeAgentRuntime {
                 stream: false,
                 service_tier: "standard_only",
                 ...(Object.keys(outputConfig).length > 0 ? { output_config: outputConfig } : {}),
-                ...(thinkingDisabled
-                    ? { thinking: { type: "disabled" } }
-                    : {}),
+                ...(thinkingDisabled ? { thinking: { type: "disabled" } } : {}),
             };
             return { custom_id: req.id, params };
         });
@@ -145,10 +166,17 @@ export class ClaudeAgentRuntime {
         let batch = await this.client.messages.batches.create({ requests: batchRequests });
         log.info(`Batch ${batch.id} submitted, polling for completion`);
         const startMs = Date.now();
-        const POLL_INTERVAL_MS = 2_000;
-        const MAX_POLL_MS = 600_000; // 10 minutes
+        // Exponential backoff: batches typically run for minutes. A fixed 2 s
+        // poll wastes ~30 retrieves per minute after the first minute; this
+        // starts at 2 s and grows to a 30 s cap.
+        const INITIAL_POLL_MS = 2_000;
+        const MAX_POLL_MS_PER_CYCLE = 30_000;
+        const BACKOFF_FACTOR = 1.5;
+        const MAX_POLL_MS = 600_000; // 10 minutes overall cap
+        let pollDelay = INITIAL_POLL_MS;
         while (batch.processing_status !== "ended") {
-            await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+            await new Promise((r) => setTimeout(r, pollDelay));
+            pollDelay = Math.min(MAX_POLL_MS_PER_CYCLE, Math.floor(pollDelay * BACKOFF_FACTOR));
             batch = await this.client.messages.batches.retrieve(batch.id);
             if (Date.now() - startMs > MAX_POLL_MS) {
                 await this.client.messages.batches.cancel(batch.id);
@@ -172,19 +200,17 @@ export class ClaudeAgentRuntime {
                 const usage = msg.usage;
                 const inputCost = (usage.input_tokens / 1_000_000) * inputRate;
                 const outputCost = (usage.output_tokens / 1_000_000) * outputRate;
-                const cacheReadTokens = usage["cache_read_input_tokens"] ?? 0;
+                const cacheReadTokens = usage.cache_read_input_tokens ?? 0;
                 const cacheSavings = (cacheReadTokens / 1_000_000) * (inputRate * 0.9);
                 results.set(item.custom_id, {
                     resultText: textBlock?.text ?? "",
-                    structuredOutput: msg["parsed_output"] ?? undefined,
+                    structuredOutput: msg.parsed_output ?? undefined,
                     executionError: null,
                     costUsd: normalizeCostUsd(inputCost + outputCost - cacheSavings),
                 });
             }
             else {
-                const errorMsg = item.result.type === "errored"
-                    ? JSON.stringify(item.result.error)
-                    : item.result.type;
+                const errorMsg = item.result.type === "errored" ? JSON.stringify(item.result.error) : item.result.type;
                 results.set(item.custom_id, {
                     resultText: "",
                     structuredOutput: undefined,
@@ -237,7 +263,9 @@ export class ClaudeAgentRuntime {
                     payload: { model, promptLength: request.prompt.length, runId: turnRunId },
                 });
             }
-            catch { /* non-fatal */ }
+            catch {
+                /* non-fatal */
+            }
         }
         try {
             // Build output_config — effort errors on Haiku, so skip it
@@ -255,9 +283,7 @@ export class ClaudeAgentRuntime {
             const maxTokens = request.options.maxOutputTokens ?? 16000;
             // Thinking: disable for classification, use adaptive+omitted for analysis
             // display: "omitted" skips streaming thinking tokens (faster time-to-first-text)
-            const shouldDisableThinking = request.options.thinkingDisabled
-                || isHaiku
-                || request.options.effort === "low";
+            const shouldDisableThinking = request.options.thinkingDisabled || isHaiku || request.options.effort === "low";
             // Use streaming + finalMessage() to avoid HTTP timeouts on large outputs
             const stream = this.client.messages.stream({
                 model,
@@ -301,7 +327,7 @@ export class ClaudeAgentRuntime {
             const outputRate = isHaiku ? 5 : isMythos ? 125 : isOpus ? 25 : 15;
             const inputCost = (response.usage.input_tokens / 1_000_000) * inputRate;
             const outputCost = (response.usage.output_tokens / 1_000_000) * outputRate;
-            const cacheReadTokens = response.usage["cache_read_input_tokens"] ?? 0;
+            const cacheReadTokens = response.usage.cache_read_input_tokens ?? 0;
             const cacheSavings = (cacheReadTokens / 1_000_000) * (inputRate * 0.9); // 90% savings on cached tokens
             const totalCostUsd = normalizeCostUsd(inputCost + outputCost - cacheSavings);
             // Extract text result
@@ -312,17 +338,29 @@ export class ClaudeAgentRuntime {
                 try {
                     await this.bus.publish({
                         type: "llm:call-complete",
-                        meta: { id: crypto.randomUUID(), timestamp: new Date().toISOString(), runId: turnRunId },
-                        payload: { model, durationMs, tokensUsed: response.usage.input_tokens + response.usage.output_tokens, costUsd: totalCostUsd, runId: turnRunId },
+                        meta: {
+                            id: crypto.randomUUID(),
+                            timestamp: new Date().toISOString(),
+                            runId: turnRunId,
+                        },
+                        payload: {
+                            model,
+                            durationMs,
+                            tokensUsed: response.usage.input_tokens + response.usage.output_tokens,
+                            costUsd: totalCostUsd,
+                            runId: turnRunId,
+                        },
                     });
                 }
-                catch { /* non-fatal */ }
+                catch {
+                    /* non-fatal */
+                }
             }
             yield {
                 type: "result",
                 subtype: "success",
                 result: resultText,
-                structuredOutput: response["parsed_output"] ?? undefined,
+                structuredOutput: response.parsed_output ?? undefined,
                 durationMs,
                 numTurns: 1,
                 totalCostUsd,
@@ -330,18 +368,23 @@ export class ClaudeAgentRuntime {
         }
         catch (error) {
             const durationMs = Date.now() - startedAtMs;
-            const retryable = error instanceof Anthropic.RateLimitError
-                || error instanceof Anthropic.InternalServerError;
+            const retryable = error instanceof Anthropic.RateLimitError || error instanceof Anthropic.InternalServerError;
             log.error(`Direct API query failed (${durationMs}ms, retryable=${retryable}): ${toErrorMessage(error)}`);
             if (this.bus) {
                 try {
                     await this.bus.publish({
                         type: "llm:call-error",
-                        meta: { id: crypto.randomUUID(), timestamp: new Date().toISOString(), runId: turnRunId },
+                        meta: {
+                            id: crypto.randomUUID(),
+                            timestamp: new Date().toISOString(),
+                            runId: turnRunId,
+                        },
                         payload: { model, error: toErrorMessage(error), retryable, runId: turnRunId },
                     });
                 }
-                catch { /* non-fatal */ }
+                catch {
+                    /* non-fatal */
+                }
             }
             yield {
                 type: "result",
@@ -356,9 +399,9 @@ export class ClaudeAgentRuntime {
     async *query(request) {
         // Fast path: tool-less calls go directly to Anthropic API — no subprocess.
         // Only when an API key is available — OAuth mode must use subprocess path.
-        if (!request.options.allowedTools?.length
-            && !request.options.disallowedTools?.length
-            && this.config?.apiKey) {
+        if (!request.options.allowedTools?.length &&
+            !request.options.disallowedTools?.length &&
+            this.config?.apiKey) {
             yield* this.queryDirect(request);
             return;
         }
@@ -482,16 +525,16 @@ export class ClaudeAgentRuntime {
                     continue;
                 if (mapped.type === "result") {
                     // Extract cost and metadata from SDK result
-                    const sdkMsg = message;
-                    totalCostUsd = normalizeCostUsd(sdkMsg["total_cost_usd"]);
-                    numTurns = sdkMsg["num_turns"] ?? 0;
+                    const sdkResult = message;
+                    totalCostUsd = normalizeCostUsd(sdkResult.total_cost_usd);
+                    numTurns = sdkResult.num_turns ?? 0;
                     const durationMs = Date.now() - startedAtMs;
-                    if (mapped.subtype === "success" && "result" in mapped) {
+                    if (sdkResult.subtype === "success" && "result" in mapped) {
                         yield {
                             type: "result",
                             subtype: "success",
                             result: mapped.result,
-                            structuredOutput: sdkMsg["structured_output"],
+                            structuredOutput: sdkResult.structured_output,
                             durationMs,
                             numTurns,
                             totalCostUsd,
@@ -610,9 +653,13 @@ class MessageQueue {
         if (this.isDone) {
             return Promise.resolve({ done: true, value: undefined });
         }
-        return new Promise((resolve) => { this.resolve = resolve; });
+        return new Promise((resolve) => {
+            this.resolve = resolve;
+        });
+    }
+    [Symbol.asyncIterator]() {
+        return this;
     }
-    [Symbol.asyncIterator]() { return this; }
 }
 /**
  * A session backed by a single Claude Code subprocess. Uses the SDK's
@@ -623,18 +670,18 @@ class MessageQueue {
 class ClaudeSession {
     baseOptions;
     config;
-    bus;
-    runId;
+    _bus;
+    _runId;
     messageQueue = new MessageQueue();
     queryIterator = null;
     closed = false;
     slotAcquired = false;
     queryInFlight = false; // Mutex: prevent concurrent query() calls
-    constructor(baseOptions, config, bus, runId) {
+    constructor(baseOptions, config, _bus, _runId) {
         this.baseOptions = baseOptions;
         this.config = config;
-        this.bus = bus;
-        this.runId = runId;
+        this._bus = _bus;
+        this._runId = _runId;
     }
     ensureStarted() {
         if (this.queryIterator)
@@ -770,15 +817,15 @@ class ClaudeSession {
                 if (!mapped)
                     continue;
                 if (mapped.type === "result") {
-                    const sdkMsg = value;
-                    const totalCostUsd = normalizeCostUsd(sdkMsg["total_cost_usd"]);
-                    const numTurns = sdkMsg["num_turns"] ?? 0;
-                    if (mapped.subtype === "success" && "result" in mapped) {
+                    const sdkResult = value;
+                    const totalCostUsd = normalizeCostUsd(sdkResult.total_cost_usd);
+                    const numTurns = sdkResult.num_turns ?? 0;
+                    if (sdkResult.subtype === "success" && "result" in mapped) {
                         yield {
                             type: "result",
                             subtype: "success",
                             result: mapped.result,
-                            structuredOutput: sdkMsg["structured_output"],
+                            structuredOutput: sdkResult.structured_output,
                             numTurns,
                             totalCostUsd,
                         };
@@ -828,52 +875,53 @@ function mapPermissionMode(mode) {
     }
 }
 function mapMessage(msg) {
-    const type = msg["type"];
-    switch (type) {
+    switch (msg.type) {
         case "result": {
-            const sdkMsg = msg;
-            const subtype = sdkMsg["subtype"];
-            if (subtype === "success") {
+            const sdkResult = msg;
+            if (sdkResult.subtype === "success") {
                 return {
                     type: "result",
                     subtype: "success",
-                    result: sdkMsg["result"] ?? "",
-                    structuredOutput: sdkMsg["structured_output"],
-                    totalCostUsd: normalizeCostUsd(sdkMsg["total_cost_usd"]),
+                    result: sdkResult.result ?? "",
+                    structuredOutput: sdkResult.structured_output,
+                    totalCostUsd: normalizeCostUsd(sdkResult.total_cost_usd),
                 };
             }
             return {
                 type: "result",
-                subtype: subtype ?? "error_runtime",
-                errors: Array.isArray(sdkMsg["errors"])
-                    ? sdkMsg["errors"]
-                    : [String(sdkMsg["errors"] ?? "Unknown error")],
-                totalCostUsd: normalizeCostUsd(sdkMsg["total_cost_usd"]),
+                subtype: sdkResult.subtype ?? "error_runtime",
+                errors: Array.isArray(sdkResult.errors)
+                    ? sdkResult.errors
+                    : [String(sdkResult.errors ?? "Unknown error")],
+                totalCostUsd: normalizeCostUsd(sdkResult.total_cost_usd),
             };
         }
         case "assistant": {
-            const sdkMsg = msg;
+            const sdkAssistant = msg;
+            const content = sdkAssistant.message?.content;
             return {
                 type: "assistant",
-                content: Array.isArray(sdkMsg["content"]) ? sdkMsg["content"] : [],
+                // BetaContentBlock[] -> Record<string, unknown>[] via spread to satisfy
+                // the AgentAssistantMessage interface (strips the rigid index signature constraint)
+                content: Array.isArray(content) ? content.map((block) => ({ ...block })) : [],
             };
         }
-        case "tool_use_progress": {
-            const sdkMsg = msg;
+        case "tool_progress": {
+            const sdkProgress = msg;
             return {
                 type: "tool-progress",
-                toolUseId: String(sdkMsg["tool_use_id"] ?? ""),
-                toolName: String(sdkMsg["tool_name"] ?? ""),
-                elapsedSeconds: sdkMsg["elapsed_seconds"] ?? 0,
+                toolUseId: sdkProgress.tool_use_id ?? "",
+                toolName: sdkProgress.tool_name ?? "",
+                elapsedSeconds: sdkProgress.elapsed_time_seconds ?? 0,
             };
         }
         case "tool_use_summary": {
-            const sdkMsg = msg;
+            const sdkSummary = msg;
             return {
                 type: "tool-summary",
-                summary: String(sdkMsg["summary"] ?? ""),
-                precedingToolUseIds: Array.isArray(sdkMsg["preceding_tool_use_ids"])
-                    ? sdkMsg["preceding_tool_use_ids"]
+                summary: sdkSummary.summary ?? "",
+                precedingToolUseIds: Array.isArray(sdkSummary.preceding_tool_use_ids)
+                    ? sdkSummary.preceding_tool_use_ids
                     : [],
             };
         }