kuzushi 0.2.0 → 0.9.2

package/dist/prompts/languages/ruby.js

@@ -0,0 +1,219 @@
+// NOTE: This file contains DETECTION PATTERNS for a security scanner.
+// The API references are DETECTION TARGETS describing what the scanner
+// looks for in scanned codebases, not code this file runs.
+export const rubyProfile = {
+    languageId: "Ruby",
+    aliases: ["ruby", "rb"],
+    generalHints: {
+        grepPatterns: [
+            "class\\s+\\w+Controller",
+            "def\\s+\\w+.*params",
+            "before_action",
+            "protect_from_forgery",
+            "permit\\(",
+            "render\\s+",
+        ],
+        fileHints: [
+            "Gemfile / Gemfile.lock for dependencies",
+            "config/routes.rb for route definitions",
+            "config/initializers/ for security configuration",
+            "app/controllers/ for request handlers",
+            "app/models/ for ActiveRecord models",
+            "config/environments/production.rb for production settings",
+        ],
+        instructions: [
+            "Check Gemfile for outdated gems with known CVEs (bundle audit)",
+            "Look at config/initializers for security settings (CSRF, session, cookies)",
+            "Check strong parameters — are permit calls allowing too many fields?",
+            "Review before_action chains — are auth filters applied to all sensitive actions?",
+        ],
+    },
+    generalAntiHallucination: [
+        "Rails ActiveRecord with parameterized queries (where(field: val)) is SAFE against SQL injection",
+        "Rails ERB auto-escapes with <%= %> — only flag raw() or html_safe usage",
+        "Rails CSRF protection is ON by default — only flag if protect_from_forgery is explicitly skipped",
+    ],
+    vulnClasses: {
+        deserialization: {
+            sinks: [
+                { api: "Marshal.load(data)", risk: "Deserializes arbitrary Ruby objects — can trigger method_missing or other gadgets for RCE", cwes: ["CWE-502"] },
+                { api: "YAML.load(data)", risk: "YAML allows Ruby object instantiation via !ruby/object tags", cwes: ["CWE-502"] },
+                { api: "YAML.unsafe_load(data)", risk: "Explicitly unsafe YAML parsing", cwes: ["CWE-502"] },
+            ],
+            safePatterns: [
+                { api: "JSON.parse(data)", why: "JSON parsing does not instantiate objects" },
+                { api: "YAML.safe_load(data)", why: "Restricts allowed YAML tags — blocks object instantiation" },
+                { api: "Psych.safe_load(data, permitted_classes: [...])", why: "Allowlisted classes only" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "Marshal\\.load",
+                    "Marshal\\.restore",
+                    "YAML\\.load\\b",
+                    "YAML\\.unsafe_load",
+                    "YAML\\.safe_load",
+                ],
+                fileHints: [
+                    "Session storage configuration",
+                    "Cache serialization code",
+                    "Job/worker serialization (Sidekiq, Resque)",
+                    "Cookie handling",
+                ],
+                instructions: [
+                    "Check if Marshal.load/YAML.load processes data from cookies, HTTP requests, or message queues",
+                    "Look at Rails session store — CookieStore uses Marshal by default in older Rails versions",
+                    "Check Sidekiq/Resque job arguments — are they deserialized from untrusted sources?",
+                    "In Rails 7+, default session serializer is JSON — check for overrides",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Cookie-based Marshal deserialization",
+                    vulnerableCode: 'def load_preferences\n  data = Base64.decode64(cookies[:prefs])\n  @prefs = Marshal.load(data)\nend',
+                    explanation: "User controls cookie value. Marshal.load instantiates arbitrary Ruby objects. Known gadget chains (ERB::Util, Gem::Requirement) enable RCE.",
+                },
+            ],
+            frameworkGuidance: [
+                {
+                    framework: "Rails",
+                    defaults: ["Rails 7+ uses JSON for session serialization by default"],
+                    pitfalls: ["Older Rails versions use Marshal for sessions", "Custom session stores may still use Marshal"],
+                    configChecks: ["Check config.action_dispatch.cookies_serializer setting"],
+                },
+            ],
+            antiHallucinationExtra: [
+                "JSON.parse() is SAFE — does not instantiate objects",
+                "YAML.safe_load() is SAFE — only flag YAML.load() or YAML.unsafe_load()",
+            ],
+        },
+        "template-injection": {
+            sinks: [
+                { api: "ERB.new(user_str).result", risk: "User-controlled ERB template enables Ruby code via <%= %> tags", cwes: ["CWE-1336"] },
+                { api: "Haml::Engine.new(user_str).render", risk: "Haml template with user-controlled source", cwes: ["CWE-1336"] },
+                { api: "Slim::Template.new { user_str }.render", risk: "Slim template with user source", cwes: ["CWE-1336"] },
+                { api: "send(user_method)", risk: "Calls arbitrary method on object", cwes: ["CWE-470"] },
+            ],
+            safePatterns: [
+                { api: "render template: 'file', locals: { var: user_data }", why: "Template file is fixed, user data is a variable" },
+                { api: "ERB.new(constant_string).result_with_hash(user: data)", why: "Template is constant" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "ERB\\.new\\(",
+                    "Haml::Engine",
+                    "\\beval\\(",
+                    "\\.send\\(",
+                    "public_send\\(",
+                    "render\\s+inline:",
+                ],
+                fileHints: [
+                    "Custom template rendering code",
+                    "Email/notification templates",
+                    "Report generation",
+                ],
+                instructions: [
+                    "Check if the template source (not data) comes from user input",
+                    "Look for render inline: in Rails controllers — this compiles user string as ERB",
+                    "Check for send/public_send with user-controlled method names",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Rails render inline with user input",
+                    vulnerableCode: 'def preview\n  template = params[:template]\n  render inline: template\nend',
+                    explanation: "render inline: compiles the string as ERB. Attacker sends template with embedded Ruby code tags for RCE.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "render template: 'file.html.erb' with user data as local variables is SAFE",
+                "Rails ERB auto-escapes with <%= %> for XSS — but if user controls the TEMPLATE itself, it is SSTI",
+            ],
+        },
+        "mass-assignment": {
+            sinks: [
+                { api: "Model.new(params) without strong params", risk: "Attacker can set any model attribute including admin, role, password", cwes: ["CWE-915"] },
+                { api: "Model.update(params) without permit", risk: "Unfiltered params update any column", cwes: ["CWE-915"] },
+                { api: "Overly broad permit (permit!)", risk: "permit! allows ALL parameters — defeats strong params", cwes: ["CWE-915"] },
+            ],
+            safePatterns: [
+                { api: "params.require(:model).permit(:field1, :field2)", why: "Strong parameters — explicit allowlist" },
+                { api: "attr_accessible in older Rails (< 4)", why: "Model-level attribute allowlist" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "\\.permit\\(",
+                    "\\.permit!",
+                    "params\\[",
+                    "attr_accessible",
+                    "attr_protected",
+                ],
+                fileHints: [
+                    "Controller actions (create, update)",
+                    "Private parameter filtering methods",
+                    "API controllers",
+                ],
+                instructions: [
+                    "Check every create/update action — are params filtered through permit?",
+                    "Look for permit! (bang version) — this allows ALL parameters",
+                    "Check if sensitive fields (admin, role, email_verified) are excluded from permit lists",
+                    "In API controllers, check if params are used directly without strong params",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Admin privilege escalation via mass assignment",
+                    vulnerableCode: 'def update\n  @user = User.find(params[:id])\n  @user.update(params[:user].permit!)\nend',
+                    explanation: "permit! allows all parameters. Attacker sends user[admin]=true to escalate privileges.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "params.require(:model).permit(:specific_fields) is SAFE — properly filtered",
+                "Strong parameters in Rails 4+ are the standard protection — do NOT flag properly filtered params",
+            ],
+        },
+        "command-injection": {
+            sinks: [
+                { api: "system(cmd) single-arg", risk: "Shell interpretation of command string", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "backtick operator `cmd`", risk: "Shell interpretation", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "%x{cmd}", risk: "Shell interpretation (alternative syntax)", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "IO.popen(cmd)", risk: "Shell interpretation", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "Open3.capture3(cmd) single string", risk: "Shell interpretation for single string arg", shellInvoking: true, cwes: ["CWE-78"] },
+            ],
+            safePatterns: [
+                { api: "system('cmd', arg1, arg2)", why: "Multi-arg system bypasses shell — arguments passed directly" },
+                { api: "Open3.capture3('cmd', arg1, arg2)", why: "Multi-arg form bypasses shell" },
+                { api: "Shellwords.escape(user_input)", why: "Proper shell escaping" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "\\bsystem\\(",
+                    "IO\\.popen",
+                    "Open3\\.",
+                    "Shellwords",
+                ],
+                fileHints: [
+                    "Rake tasks",
+                    "Background job processors",
+                    "File processing handlers",
+                ],
+                instructions: [
+                    "Check for string interpolation in backtick commands",
+                    "system() with a single string argument uses shell — multi-arg form is safe",
+                    "Look for Shellwords.escape — if applied to all user input, it is safe",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Backtick command with interpolation",
+                    vulnerableCode: 'def convert(filename)\n  output = `convert #{filename} output.png`\n  output\nend',
+                    explanation: "filename interpolated into shell command via backticks. Attacker sends 'img.png; rm -rf /' — shell interprets the semicolon.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "system('cmd', arg1, arg2) multi-arg form is SAFE — no shell interpretation",
+                "Do NOT flag shell commands with hardcoded strings and no user input",
+            ],
+        },
+    },
+};
+//# sourceMappingURL=ruby.js.map

package/dist/prompts/languages/ruby.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruby.js","sourceRoot":"","sources":["../../../src/prompts/languages/ruby.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,uEAAuE;AACvE,2DAA2D;AAI3D,MAAM,CAAC,MAAM,WAAW,GAAoB;IAC1C,UAAU,EAAE,MAAM;IAClB,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;IACvB,YAAY,EAAE;QACZ,YAAY,EAAE;YACZ,yBAAyB;YACzB,qBAAqB;YACrB,eAAe;YACf,sBAAsB;YACtB,WAAW;YACX,YAAY;SACb;QACD,SAAS,EAAE;YACT,yCAAyC;YACzC,wCAAwC;YACxC,iDAAiD;YACjD,uCAAuC;YACvC,qCAAqC;YACrC,2DAA2D;SAC5D;QACD,YAAY,EAAE;YACZ,gEAAgE;YAChE,4EAA4E;YAC5E,sEAAsE;YACtE,kFAAkF;SACnF;KACF;IACD,wBAAwB,EAAE;QACxB,iGAAiG;QACjG,yEAAyE;QACzE,kGAAkG;KACnG;IACD,WAAW,EAAE;QACX,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,oBAAoB,EAAE,IAAI,EAAE,2FAA2F,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACnJ,EAAE,GAAG,EAAE,iBAAiB,EAAE,IAAI,EAAE,6DAA6D,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAClH,EAAE,GAAG,EAAE,wBAAwB,EAAE,IAAI,EAAE,gCAAgC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC7F;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,kBAAkB,EAAE,GAAG,EAAE,2CAA2C,EAAE;gBAC7E,EAAE,GAAG,EAAE,sBAAsB,EAAE,GAAG,EAAE,2DAA2D,EAAE;gBACjG,EAAE,GAAG,EAAE,iDAAiD,EAAE,GAAG,EAAE,0BAA0B,EAAE;aAC5F;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,gBAAgB;oBAChB,mBAAmB;oBACnB,gBAAgB;oBAChB,oBAAoB;oBACpB,kBAAkB;iBACnB;gBACD,SAAS,EAAE;oBACT,+BAA+B;oBAC/B,0BAA0B;oBAC1B,4CAA4C;oBAC5C,iBAAiB;iBAClB;gBACD,YAAY,EAAE;oBACZ,+FAA+F;oBAC/F,2FAA2F;oBAC3F,oFAAoF;oBACpF,uEAAuE;iBACxE;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,sCAAsC;oBAChD,cAAc,EAAE,qGAAqG;oBACrH,WAAW,EAAE,6IAA6I;iBAC3J;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,OAAO;oBAClB,QAAQ,EAAE,CAAC,yDAAyD,CAAC;oBACrE,QAAQ,EAAE,CAAC,+CAA+C,EAAE,6CAA6C,CAAC;oBAC1G,YAAY,EAAE,CAAC,yDAAyD,CAAC;iBAC1E;aACF;YACD,sBAAsB,EAAE;gBACtB,qDAAqD;gBACrD,wEAAwE;aACzE;SACF;QACD,oBAAoB,EAAE;YACpB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,0BAA0B,EAAE,IAAI,EAAE,gEAAgE,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC/H,EAAE,GAAG,EAAE,mCAAmC,EAAE,IAAI,EAAE,2CAA2C,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBACnH,EAAE,GAAG,EAAE,wCAAwC,EAAE,IAAI,EAAE,gCAAgC,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC7G,EAAE,GAAG,EAAE,mBAAmB,EAAE,IAAI,EAAE,kCAAkC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC1F;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,qDAAqD,EAAE,GAAG,EAAE,iDAAiD,EAAE;gBACtH,EAAE,GAAG,EAAE,uDAAuD,EAAE,GAAG,EAAE,sBAAsB,EAAE;aAC9F;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,cAAc;oBACd,cAAc;oBACd,YAAY;oBACZ,YAAY;oBACZ,gBAAgB;oBAChB,mBAAmB;iBACpB;gBACD,SAAS,EAAE;oBACT,gCAAgC;oBAChC,8BAA8B;oBAC9B,mBAAmB;iBACpB;gBACD,YAAY,EAAE;oBACZ,+DAA+D;oBAC/D,iFAAiF;oBACjF,8DAA8D;iBAC/D;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,qCAAqC;oBAC/C,cAAc,EAAE,6EAA6E;oBAC7F,WAAW,EAAE,0GAA0G;iBACxH;aACF;YACD,sBAAsB,EAAE;gBACtB,4EAA4E;gBAC5E,mGAAmG;aACpG;SACF;QACD,iBAAiB,EAAE;YACjB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,yCAAyC,EAAE,IAAI,EAAE,sEAAsE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACnJ,EAAE,GAAG,EAAE,qCAAqC,EAAE,IAAI,EAAE,qCAAqC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC9G,EAAE,GAAG,EAAE,+BAA+B,EAAE,IAAI,EAAE,uDAAuD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC3H;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,iDAAiD,EAAE,GAAG,EAAE,wCAAwC,EAAE;gBACzG,EAAE,GAAG,EAAE,sCAAsC,EAAE,GAAG,EAAE,iCAAiC,EAAE;aACxF;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,cAAc;oBACd,YAAY;oBACZ,WAAW;oBACX,iBAAiB;oBACjB,gBAAgB;iBACjB;gBACD,SAAS,EAAE;oBACT,qCAAqC;oBACrC,qCAAqC;oBACrC,iBAAiB;iBAClB;gBACD,YAAY,EAAE;oBACZ,wEAAwE;oBACxE,8DAA8D;oBAC9D,wFAAwF;oBACxF,6EAA6E;iBAC9E;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,gDAAgD;oBAC1D,cAAc,EAAE,0FAA0F;oBAC1G,WAAW,EAAE,wFAAwF;iBACtG;aACF;YACD,sBAAsB,EAAE;gBACtB,6EAA6E;gBAC7E,kGAAkG;aACnG;SACF;QACD,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,wBAAwB,EAAE,IAAI,EAAE,wCAAwC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACxH,EAAE,GAAG,EAAE,yBAAyB,EAAE,IAAI,EAAE,sBAAsB,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACvG,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,2CAA2C,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC5G,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,sBAAsB,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC7F,EAAE,GAAG,EAAE,mCAAmC,EAAE,IAAI,EAAE,4CAA4C,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aACxI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,2BAA2B,EAAE,GAAG,EAAE,6DAA6D,EAAE;gBACxG,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,+BAA+B,EAAE;gBAClF,EAAE,GAAG,EAAE,+BAA+B,EAAE,GAAG,EAAE,uBAAuB,EAAE;aACvE;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,cAAc;oBACd,YAAY;oBACZ,UAAU;oBACV,YAAY;iBACb;gBACD,SAAS,EAAE;oBACT,YAAY;oBACZ,2BAA2B;oBAC3B,0BAA0B;iBAC3B;gBACD,YAAY,EAAE;oBACZ,qDAAqD;oBACrD,4EAA4E;oBAC5E,uEAAuE;iBACxE;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,qCAAqC;oBAC/C,cAAc,EAAE,mFAAmF;oBACnG,WAAW,EAAE,8HAA8H;iBAC5I;aACF;YACD,sBAAsB,EAAE;gBACtB,4EAA4E;gBAC5E,qEAAqE;aACtE;SACF;KACF;CACF,CAAC"}

package/dist/prompts/languages/rust.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageProfile } from "./types.js";
+export declare const rustProfile: LanguageProfile;

package/dist/prompts/languages/rust.js

@@ -0,0 +1,149 @@
+// NOTE: This file contains DETECTION PATTERNS for a security scanner.
+// The API references are DETECTION TARGETS describing what the scanner
+// looks for in scanned codebases, not code this file executes.
+export const rustProfile = {
+    languageId: "Rust",
+    aliases: ["rust", "rs"],
+    generalHints: {
+        grepPatterns: [
+            "unsafe\\s*\\{",
+            "extern\\s+\"C\"",
+            "\\.unwrap\\(",
+            "panic!\\(",
+            "#\\[no_mangle\\]",
+            "std::process::Command",
+        ],
+        fileHints: [
+            "Cargo.toml for dependencies and features",
+            "src/main.rs or src/lib.rs for entry points",
+            "build.rs for build-time code generation and FFI bindings",
+            "Files with 'unsafe' blocks",
+        ],
+        instructions: [
+            "Check Cargo.toml for known vulnerable crate versions (cargo audit)",
+            "Focus on unsafe blocks — Rust's safety guarantees do not apply inside them",
+            "Check FFI boundaries — data crossing into/from C code needs manual validation",
+            "Look for .unwrap() on user-controlled Results — can panic and crash the service",
+        ],
+    },
+    generalAntiHallucination: [
+        "Safe Rust prevents buffer overflows, use-after-free, and data races at compile time — only flag these inside unsafe blocks",
+        "Rust's borrow checker prevents most memory safety issues — do NOT flag safe Rust code for memory bugs",
+        "serde JSON/TOML/YAML deserialization is SAFE by default — it does not execute code",
+    ],
+    vulnClasses: {
+        "unsafe-blocks": {
+            sinks: [
+                { api: "unsafe { ptr::read/write }", risk: "Manual pointer operations bypass borrow checker — UB if pointer is invalid", cwes: ["CWE-787", "CWE-416"] },
+                { api: "unsafe { slice::from_raw_parts }", risk: "Creating slice from raw pointer — UB if length is wrong or ptr is invalid", cwes: ["CWE-120"] },
+                { api: "unsafe { transmute }", risk: "Reinterprets bits as different type — UB if invariants violated", cwes: ["CWE-843"] },
+                { api: "unsafe impl Send/Sync", risk: "Manual Send/Sync impl can enable data races if invariants are wrong", cwes: ["CWE-362"] },
+            ],
+            safePatterns: [
+                { api: "unsafe in well-audited FFI wrapper with validation", why: "FFI requires unsafe but wrapper validates inputs" },
+                { api: "unsafe for performance with documented invariants", why: "Acceptable if invariants are proven and tested" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "unsafe\\s*\\{",
+                    "transmute",
+                    "from_raw_parts",
+                    "ptr::",
+                    "as\\s*\\*const",
+                    "as\\s*\\*mut",
+                ],
+                fileHints: [
+                    "FFI binding modules",
+                    "Performance-critical inner loops",
+                    "Custom allocator implementations",
+                ],
+                instructions: [
+                    "For each unsafe block, identify what invariant must hold and whether it can be violated by external input",
+                    "Check slice::from_raw_parts — is the length from a trusted source? Can an attacker control it?",
+                    "Look for unsafe impl Send for types containing raw pointers — is concurrent access actually safe?",
+                    "Check transmute calls — does the source type actually have the same layout as the target?",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Unsafe slice creation with attacker-controlled length",
+                    vulnerableCode: 'fn parse_packet(data: &[u8]) -> &[u32] {\n    let len = u32::from_be_bytes(data[0..4].try_into().unwrap()) as usize;\n    unsafe { std::slice::from_raw_parts(data[4..].as_ptr() as *const u32, len) }\n}',
+                    explanation: "len comes from the packet (attacker-controlled). If len exceeds the actual data size, from_raw_parts creates an out-of-bounds slice — reading arbitrary memory.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "Safe Rust code (no unsafe keyword) CANNOT have buffer overflows or use-after-free — do NOT flag it",
+                "Unsafe blocks for calling well-known C libraries (libc, OpenSSL bindings) with correct signatures are generally safe",
+            ],
+        },
+        "ffi-boundary": {
+            sinks: [
+                { api: "extern \"C\" fn receiving *const/*mut", risk: "C code may pass invalid pointers — Rust code must validate before deref", cwes: ["CWE-476", "CWE-787"] },
+                { api: "CString::from_raw(ptr)", risk: "Takes ownership of C-allocated string — double free if C also frees it", cwes: ["CWE-415"] },
+                { api: "Box::from_raw(ptr)", risk: "Takes ownership — UB if ptr was not from Box::into_raw", cwes: ["CWE-416"] },
+            ],
+            safePatterns: [
+                { api: "CStr::from_ptr(ptr) for borrowed access", why: "Borrows without taking ownership — C retains ownership" },
+                { api: "Null check before deref", why: "Prevents null pointer dereference from C callers" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "extern\\s+\"C\"",
+                    "#\\[no_mangle\\]",
+                    "CString",
+                    "CStr",
+                    "Box::from_raw",
+                    "from_raw_parts",
+                ],
+                fileHints: [
+                    "FFI modules (ffi.rs, bindings.rs, sys/)",
+                    "build.rs for bindgen usage",
+                    "C header files (.h) that define the FFI interface",
+                ],
+                instructions: [
+                    "Check every extern function — are pointer parameters validated for null before use?",
+                    "Look for ownership confusion: does Rust take ownership (Box::from_raw) of memory C will also free?",
+                    "Check lifetime assumptions — does Rust hold references to C-allocated memory that C may free?",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "FFI callback with null pointer dereference",
+                    vulnerableCode: '#[no_mangle]\npub extern "C" fn process_buffer(ptr: *const u8, len: usize) -> i32 {\n    let data = unsafe { std::slice::from_raw_parts(ptr, len) };\n    // ...\n}',
+                    explanation: "C caller may pass null ptr. from_raw_parts with null pointer is immediate UB. Must check ptr.is_null() before creating the slice.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "FFI unsafe blocks are EXPECTED in Rust — the question is whether inputs are validated, not whether unsafe exists",
+            ],
+        },
+        "command-injection": {
+            sinks: [
+                { api: "std::process::Command::new(\"sh\").arg(\"-c\").arg(user_str)", risk: "Shell interpretation of user-controlled string", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "std::process::Command::new(user_binary)", risk: "User controls which binary is executed", shellInvoking: false, cwes: ["CWE-78"] },
+            ],
+            safePatterns: [
+                { api: "Command::new(\"fixed-binary\").arg(user_arg)", why: "Fixed binary with user args — no shell involved" },
+            ],
+            investigationHints: {
+                grepPatterns: ["Command::new\\(", "\\.arg\\(", "\\.args\\("],
+                fileHints: ["Process spawning utilities", "Build/CI helpers"],
+                instructions: [
+                    "Check if Command::new uses \"sh\" or \"bash\" with \"-c\" — this enables shell interpretation",
+                    "Command::new(\"fixed\").arg(user_input) is safe against shell injection (no shell involved)",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Shell command with user-controlled argument",
+                    vulnerableCode: 'let output = Command::new("sh")\n    .arg("-c")\n    .arg(format!("ffmpeg -i {} output.mp4", user_filename))\n    .output()?;',
+                    explanation: "user_filename is interpolated into a shell command string. Attacker sends 'input.mp4; rm -rf /' — shell interprets the semicolon.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "Command::new(\"binary\").arg(user_input) without shell is NOT vulnerable to shell metachar injection",
+            ],
+        },
+    },
+};
+//# sourceMappingURL=rust.js.map

package/dist/prompts/languages/rust.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rust.js","sourceRoot":"","sources":["../../../src/prompts/languages/rust.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,uEAAuE;AACvE,+DAA+D;AAI/D,MAAM,CAAC,MAAM,WAAW,GAAoB;IAC1C,UAAU,EAAE,MAAM;IAClB,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;IACvB,YAAY,EAAE;QACZ,YAAY,EAAE;YACZ,eAAe;YACf,iBAAiB;YACjB,cAAc;YACd,WAAW;YACX,kBAAkB;YAClB,uBAAuB;SACxB;QACD,SAAS,EAAE;YACT,0CAA0C;YAC1C,4CAA4C;YAC5C,0DAA0D;YAC1D,4BAA4B;SAC7B;QACD,YAAY,EAAE;YACZ,oEAAoE;YACpE,4EAA4E;YAC5E,+EAA+E;YAC/E,iFAAiF;SAClF;KACF;IACD,wBAAwB,EAAE;QACxB,4HAA4H;QAC5H,uGAAuG;QACvG,oFAAoF;KACrF;IACD,WAAW,EAAE;QACX,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,4BAA4B,EAAE,IAAI,EAAE,4EAA4E,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE;gBACvJ,EAAE,GAAG,EAAE,kCAAkC,EAAE,IAAI,EAAE,2EAA2E,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACjJ,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,EAAE,iEAAiE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC3H,EAAE,GAAG,EAAE,uBAAuB,EAAE,IAAI,EAAE,qEAAqE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACjI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,oDAAoD,EAAE,GAAG,EAAE,kDAAkD,EAAE;gBACtH,EAAE,GAAG,EAAE,mDAAmD,EAAE,GAAG,EAAE,gDAAgD,EAAE;aACpH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,eAAe;oBACf,WAAW;oBACX,gBAAgB;oBAChB,OAAO;oBACP,gBAAgB;oBAChB,cAAc;iBACf;gBACD,SAAS,EAAE;oBACT,qBAAqB;oBACrB,kCAAkC;oBAClC,kCAAkC;iBACnC;gBACD,YAAY,EAAE;oBACZ,2GAA2G;oBAC3G,gGAAgG;oBAChG,mGAAmG;oBACnG,2FAA2F;iBAC5F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,uDAAuD;oBACjE,cAAc,EAAE,2MAA2M;oBAC3N,WAAW,EAAE,iKAAiK;iBAC/K;aACF;YACD,sBAAsB,EAAE;gBACtB,oGAAoG;gBACpG,sHAAsH;aACvH;SACF;QACD,cAAc,EAAE;YACd,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,uCAAuC,EAAE,IAAI,EAAE,yEAAyE,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE;gBAC/J,EAAE,GAAG,EAAE,wBAAwB,EAAE,IAAI,EAAE,wEAAwE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACpI,EAAE,GAAG,EAAE,oBAAoB,EAAE,IAAI,EAAE,wDAAwD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACjH;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,wDAAwD,EAAE;gBACjH,EAAE,GAAG,EAAE,yBAAyB,EAAE,GAAG,EAAE,kDAAkD,EAAE;aAC5F;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,iBAAiB;oBACjB,kBAAkB;oBAClB,SAAS;oBACT,MAAM;oBACN,eAAe;oBACf,gBAAgB;iBACjB;gBACD,SAAS,EAAE;oBACT,yCAAyC;oBACzC,4BAA4B;oBAC5B,mDAAmD;iBACpD;gBACD,YAAY,EAAE;oBACZ,qFAAqF;oBACrF,oGAAoG;oBACpG,+FAA+F;iBAChG;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,4CAA4C;oBACtD,cAAc,EAAE,qKAAqK;oBACrL,WAAW,EAAE,mIAAmI;iBACjJ;aACF;YACD,sBAAsB,EAAE;gBACtB,kHAAkH;aACnH;SACF;QACD,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,8DAA8D,EAAE,IAAI,EAAE,gDAAgD,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACtK,EAAE,GAAG,EAAE,yCAAyC,EAAE,IAAI,EAAE,wCAAwC,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aAC3I;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,8CAA8C,EAAE,GAAG,EAAE,iDAAiD,EAAE;aAChH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE,CAAC,iBAAiB,EAAE,WAAW,EAAE,YAAY,CAAC;gBAC5D,SAAS,EAAE,CAAC,4BAA4B,EAAE,kBAAkB,CAAC;gBAC7D,YAAY,EAAE;oBACZ,+FAA+F;oBAC/F,6FAA6F;iBAC9F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,6CAA6C;oBACvD,cAAc,EAAE,+HAA+H;oBAC/I,WAAW,EAAE,mIAAmI;iBACjJ;aACF;YACD,sBAAsB,EAAE;gBACtB,sGAAsG;aACvG;SACF;KACF;CACF,CAAC"}

package/dist/prompts/languages/types.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Language-specific prompt tuning types.
+ *
+ * Each language profile provides per-vulnerability-class guidance:
+ * sinks, safe patterns, investigation hints, few-shot examples,
+ * and framework-specific advice.
+ */
+/** A language-specific dangerous sink/API for a vulnerability class. */
+export interface LanguageSink {
+    /** The API or function name */
+    api: string;
+    /** Why it's dangerous in this context */
+    risk: string;
+    /** Whether this is a shell-invoking variant (for command injection) */
+    shellInvoking?: boolean;
+    /** CWEs this sink relates to */
+    cwes?: string[];
+}
+/** A safe alternative that should NOT be flagged. */
+export interface LanguageSafePattern {
+    api: string;
+    why: string;
+}
+/** Investigation methodology hints for the LLM agent. */
+export interface InvestigationHint {
+    /** Grep patterns specific to this language (regex strings) */
+    grepPatterns: string[];
+    /** Files or paths to prioritize reading */
+    fileHints: string[];
+    /** Step-by-step investigation instructions */
+    instructions: string[];
+}
+/** A few-shot example for a specific (language, vuln-class) pair. */
+export interface LanguageFewShot {
+    /** Short scenario label */
+    scenario: string;
+    /** The vulnerable code snippet */
+    vulnerableCode: string;
+    /** Why it's vulnerable */
+    explanation: string;
+}
+/** Framework-specific security guidance within a language. */
+export interface FrameworkGuidance {
+    framework: string;
+    /** Secure defaults the framework provides */
+    defaults: string[];
+    /** Known pitfalls or bypass patterns */
+    pitfalls: string[];
+    /** Config files/settings to check */
+    configChecks: string[];
+}
+/** Content for a specific vulnerability class within a language. */
+export interface VulnClassContent {
+    /** Dangerous sinks/APIs to detect */
+    sinks: LanguageSink[];
+    /** Safe patterns to NOT flag */
+    safePatterns: LanguageSafePattern[];
+    /** Investigation methodology hints */
+    investigationHints: InvestigationHint;
+    /** Few-shot examples */
+    fewShots: LanguageFewShot[];
+    /** Framework-specific guidance (filtered by detected frameworks) */
+    frameworkGuidance?: FrameworkGuidance[];
+    /** Additional anti-hallucination constraints */
+    antiHallucinationExtra?: string[];
+}
+/** Complete language security profile. */
+export interface LanguageProfile {
+    /** Language identifier matching RepoContext.languages values */
+    languageId: string;
+    /** Alternative identifiers */
+    aliases: string[];
+    /** Vulnerability class content, keyed by canonical vuln class ID */
+    vulnClasses: Record<string, VulnClassContent>;
+    /** Language-wide investigation hints (not vuln-specific) */
+    generalHints: InvestigationHint;
+    /** Language-wide anti-hallucination constraints */
+    generalAntiHallucination: string[];
+}

package/dist/prompts/languages/types.js

@@ -0,0 +1,9 @@
+/**
+ * Language-specific prompt tuning types.
+ *
+ * Each language profile provides per-vulnerability-class guidance:
+ * sinks, safe patterns, investigation hints, few-shot examples,
+ * and framework-specific advice.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/prompts/languages/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/prompts/languages/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/scanners/run-agentic.d.ts

@@ -1,5 +1,5 @@
 import type { AgentRuntime } from "../agent-runtime/types.js";
-import type { ScanOpts } from "../types.js";
+import type { RepoContext, ScanOpts } from "../types.js";
 import type { Finding } from "./types.js";
 import { FINDING_SCHEMA, parseFindingOutput, type FindingOutput, type NormalizedFinding } from "./normalize-findings.js";
 export { FINDING_SCHEMA as AGENTIC_SCHEMA };
@@ -11,7 +11,7 @@ export interface AgenticRuntimeOptions {
     maxBudgetUsd?: number;
 }
 /** Run the agentic scanner and return structured findings. */
-export declare function runAgentic(repoRoot: string, opts: ScanOpts, model: string, defaultMaxFindings: number, runtimeOptions?: AgenticRuntimeOptions): Promise<AgenticOutput>;
+export declare function runAgentic(repoRoot: string, opts: ScanOpts, model: string, defaultMaxFindings: number, runtimeOptions?: AgenticRuntimeOptions, repoContext?: RepoContext): Promise<AgenticOutput>;
 /** Rank and map agentic findings into Finding records. */
 export declare function selectAgenticFindings(output: AgenticOutput, repoRoot: string, repoName: string, ref: string, maxFindings?: number): Finding[];
 /** Parse and normalize structured output from the agentic scanner. */

package/dist/scanners/run-agentic.js

@@ -1,12 +1,13 @@
 import { getLogger } from "../logger.js";
+import { languageTuningModule } from "../prompts/language-tuning.js";
 import { FINDING_SCHEMA, parseFindingOutput, selectFindings, computeFingerprint, } from "./normalize-findings.js";
 const log = getLogger("agentic-scan");
 // Re-export under old names for backward compatibility
 export { FINDING_SCHEMA as AGENTIC_SCHEMA };
 /** Run the agentic scanner and return structured findings. */
-export async function runAgentic(repoRoot, opts, model, defaultMaxFindings, runtimeOptions = {}) {
+export async function runAgentic(repoRoot, opts, model, defaultMaxFindings, runtimeOptions = {}, repoContext) {
     const requestedMax = Math.max(1, opts.maxFindings ?? defaultMaxFindings);
-    const prompt = buildPrompt(opts, requestedMax);
+    const prompt = buildPrompt(opts, requestedMax, repoContext);
     const runtime = runtimeOptions.runtime;
     if (!runtime) {
         throw new Error("Agentic scanner requires an explicit runtime.");
@@ -68,7 +69,7 @@ export const parseAgenticOutput = parseFindingOutput;
 export function computeAgenticFingerprint(repoName, ref, finding) {
     return computeFingerprint(repoName, ref, "agentic", finding);
 }
-function buildPrompt(opts, maxFindings) {
+function buildPrompt(opts, maxFindings, repoContext) {
     const reviewContext = opts.agenticReviewContext
         ? [
             "",
@@ -96,6 +97,13 @@ function buildPrompt(opts, maxFindings) {
         "",
         ...scanPathsContext,
         ...reviewContext,
+        ...(repoContext?.languages.length
+            ? [
+                `## Detected stack: ${repoContext.languages.join(", ")}${repoContext.frameworks.length ? ` (${repoContext.frameworks.join(", ")})` : ""}`,
+                languageTuningModule({ taskId: "agentic", repoContext, frameworks: repoContext.frameworks }),
+                "",
+            ]
+            : []),
         `Severity filter: ${opts.severity.join(", ") || "ERROR, WARNING, INFO"}`,
         `Max findings: ${maxFindings}`,
         `Exclude paths/globs: ${opts.excludePatterns.join(", ") || "(none)"}`,

package/dist/scanners/run-agentic.js.map

@@ -1 +1 @@
-{"version":3,"file":"run-agentic.js","sourceRoot":"","sources":["../../src/scanners/run-agentic.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGzC,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,kBAAkB,GAGnB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,GAAG,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;AAEtC,uDAAuD;AACvD,OAAO,EAAE,cAAc,IAAI,cAAc,EAAE,CAAC;AAU5C,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,IAAc,EACd,KAAa,EACb,kBAA0B,EAC1B,iBAAwC,EAAE;IAE1C,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC;IACvC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,UAAU,GAAG,EAAE,CAAC;IACpB,IAAI,gBAAgB,GAAY,SAAS,CAAC;IAC1C,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,MAAM,GAAG,GAAG,WAAW,CAAC;IACxB,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,yBAAyB,KAAK,SAAS,QAAQ,GAAG,CAAC,CAAC;IAEnE,IAAI,KAAK,EAAE,MAAM,OAAO,IAAI,OAAO,CAAC,KAAK,CAAC;QACxC,MAAM;QACN,OAAO,EAAE;YACP,GAAG,EAAE,QAAQ;YACb,KAAK;YACL,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YACtC,cAAc,EAAE,SAAS;YACzB,YAAY,EAAE,cAAc,CAAC,YAAY;YACzC,eAAe,EAAE,cAAc,CAAC,eAAe;YAC/C,YAAY,EAAE;gBACZ,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,IAAI;gBACZ,4BAA4B,EAAE,CAAC;aAChC;SACF;KACF,CAAC,EAAE,CAAC;QACH,gEAAgE;QAChE,IAAI,OAAO,CAAC,IAAI,KAAK,eAAe,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACxG,SAAS;QACX,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;YAAE,SAAS;QACxC,IAAI,OAAO,OAAO,CAAC,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACtF,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC;QACjC,CAAC;QACD,IAAI,QAAQ,IAAI,OAAO,EAAE,CAAC;YACxB,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;YAC5B,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;YAC5C,MAAM,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACtF,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,gBAAgB,WAAW,OAAO,OAAO,CAAC,QAAQ,YAAY,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;YACxH,MAAM;QACR,CAAC;QAED,cAAc,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IAC1H,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,2BAA2B,cAAc,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,gBAAgB,IAAI,UAAU,CAAC,CAAC;IAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,qBAAqB,CACnC,MAAqB,EACrB,QAAgB,EAChB,QAAgB,EAChB,GAAW,EACX,WAAoB;IAEpB,OAAO,cAAc,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AACjF,CAAC;AAED,sEAAsE;AACtE,MAAM,CAAC,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AAErD,+CAA+C;AAC/C,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,GAAW,EACX,OAAuB;IAEvB,OAAO,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,WAAmB;IACtD,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB;QAC7C,CAAC,CAAC;YACE,EAAE;YACF,IAAI,CAAC,oBAAoB;YACzB,EAAE;YACF,uFAAuF;YACvF,wFAAwF;YACxF,EAAE;SACH;QACH,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;QAClE,CAAC,CAAC;YACE,EAAE;YACF,mCAAmC;YACnC,0FAA0F;YAC1F,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,4EAA4E;YAC5E,EAAE;SACH;QACH,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,kGAAkG;QAClG,kGAAkG;QAClG,oFAAoF;QACpF,EAAE;QACF,GAAG,gBAAgB;QACnB,GAAG,aAAa;QAChB,oBAAoB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,sBAAsB,EAAE;QACxE,iBAAiB,WAAW,EAAE;QAC9B,wBAAwB,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE;QACrE,EAAE;QACF,8BAA8B;QAC9B,uCAAuC;QACvC,+LAA+L;QAC/L,6EAA6E;QAC7E,gFAAgF;QAChF,EAAE;QACF,kCAAkC;QAClC,0CAA0C;QAC1C,+EAA+E;QAC/E,uGAAuG;QACvG,2IAA2I;QAC3I,EAAE;QACF,sCAAsC;QACtC,wCAAwC;QACxC,mEAAmE;QACnE,uEAAuE;QACvE,iEAAiE;QACjE,EAAE;QACF,qDAAqD;QACrD,uEAAuE;QACvE,uFAAuF;QACvF,oEAAoE;QACpE,EAAE;QACF,0BAA0B;QAC1B,mBAAmB;QACnB,sCAAsC;QACtC,+BAA+B;QAC/B,iCAAiC;QACjC,mCAAmC;QACnC,gCAAgC;QAChC,6DAA6D;QAC7D,gCAAgC;QAChC,4BAA4B;QAC5B,wCAAwC;QACxC,qCAAqC;QACrC,EAAE;QACF,sBAAsB;QACtB,EAAE;QACF,8CAA8C;QAC9C,SAAS;QACT,8EAA8E;QAC9E,qHAAqH;QACrH,yFAAyF;QACzF,gKAAgK;QAChK,KAAK;QACL,EAAE;QACF,kDAAkD;QAClD,+FAA+F;QAC/F,mHAAmH;QACnH,EAAE;QACF,qDAAqD;QACrD,SAAS;QACT,oFAAoF;QACpF,oJAAoJ;QACpJ,6FAA6F;QAC7F,uNAAuN;QACvN,KAAK;QACL,EAAE;QACF,mCAAmC;QACnC,0EAA0E;QAC1E,wDAAwD;QACxD,0DAA0D;QAC1D,+EAA+E;KAChF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}
+{"version":3,"file":"run-agentic.js","sourceRoot":"","sources":["../../src/scanners/run-agentic.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE,OAAO,EACL,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,kBAAkB,GAGnB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,GAAG,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;AAEtC,uDAAuD;AACvD,OAAO,EAAE,cAAc,IAAI,cAAc,EAAE,CAAC;AAU5C,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,IAAc,EACd,KAAa,EACb,kBAA0B,EAC1B,iBAAwC,EAAE,EAC1C,WAAyB;IAEzB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC;IACvC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,UAAU,GAAG,EAAE,CAAC;IACpB,IAAI,gBAAgB,GAAY,SAAS,CAAC;IAC1C,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,MAAM,GAAG,GAAG,WAAW,CAAC;IACxB,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,yBAAyB,KAAK,SAAS,QAAQ,GAAG,CAAC,CAAC;IAEnE,IAAI,KAAK,EAAE,MAAM,OAAO,IAAI,OAAO,CAAC,KAAK,CAAC;QACxC,MAAM;QACN,OAAO,EAAE;YACP,GAAG,EAAE,QAAQ;YACb,KAAK;YACL,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YACtC,cAAc,EAAE,SAAS;YACzB,YAAY,EAAE,cAAc,CAAC,YAAY;YACzC,eAAe,EAAE,cAAc,CAAC,eAAe;YAC/C,YAAY,EAAE;gBACZ,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,IAAI;gBACZ,4BAA4B,EAAE,CAAC;aAChC;SACF;KACF,CAAC,EAAE,CAAC;QACH,gEAAgE;QAChE,IAAI,OAAO,CAAC,IAAI,KAAK,eAAe,IAAI,OAAO,CAAC,IAAI,KAAK,cAAc,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YACxG,SAAS;QACX,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;YAAE,SAAS;QACxC,IAAI,OAAO,OAAO,CAAC,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACtF,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC;QACjC,CAAC;QACD,IAAI,QAAQ,IAAI,OAAO,EAAE,CAAC;YACxB,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;YAC5B,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;YAC5C,MAAM,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACtF,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,gBAAgB,WAAW,OAAO,OAAO,CAAC,QAAQ,YAAY,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;YACxH,MAAM;QACR,CAAC;QAED,cAAc,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IAC1H,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,2BAA2B,cAAc,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,gBAAgB,IAAI,UAAU,CAAC,CAAC;IAClE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,qBAAqB,CACnC,MAAqB,EACrB,QAAgB,EAChB,QAAgB,EAChB,GAAW,EACX,WAAoB;IAEpB,OAAO,cAAc,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AACjF,CAAC;AAED,sEAAsE;AACtE,MAAM,CAAC,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AAErD,+CAA+C;AAC/C,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,GAAW,EACX,OAAuB;IAEvB,OAAO,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CAAC,IAAc,EAAE,WAAmB,EAAE,WAAyB;IACjF,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB;QAC7C,CAAC,CAAC;YACE,EAAE;YACF,IAAI,CAAC,oBAAoB;YACzB,EAAE;YACF,uFAAuF;YACvF,wFAAwF;YACxF,EAAE;SACH;QACH,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;QAClE,CAAC,CAAC;YACE,EAAE;YACF,mCAAmC;YACnC,0FAA0F;YAC1F,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,4EAA4E;YAC5E,EAAE;SACH;QACH,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,kGAAkG;QAClG,kGAAkG;QAClG,oFAAoF;QACpF,EAAE;QACF,GAAG,gBAAgB;QACnB,GAAG,aAAa;QAChB,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM;YAC/B,CAAC,CAAC;gBACE,sBAAsB,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBACzI,oBAAoB,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC5F,EAAE;aACH;YACH,CAAC,CAAC,EAAE,CAAC;QACP,oBAAoB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,sBAAsB,EAAE;QACxE,iBAAiB,WAAW,EAAE;QAC9B,wBAAwB,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE;QACrE,EAAE;QACF,8BAA8B;QAC9B,uCAAuC;QACvC,+LAA+L;QAC/L,6EAA6E;QAC7E,gFAAgF;QAChF,EAAE;QACF,kCAAkC;QAClC,0CAA0C;QAC1C,+EAA+E;QAC/E,uGAAuG;QACvG,2IAA2I;QAC3I,EAAE;QACF,sCAAsC;QACtC,wCAAwC;QACxC,mEAAmE;QACnE,uEAAuE;QACvE,iEAAiE;QACjE,EAAE;QACF,qDAAqD;QACrD,uEAAuE;QACvE,uFAAuF;QACvF,oEAAoE;QACpE,EAAE;QACF,0BAA0B;QAC1B,mBAAmB;QACnB,sCAAsC;QACtC,+BAA+B;QAC/B,iCAAiC;QACjC,mCAAmC;QACnC,gCAAgC;QAChC,6DAA6D;QAC7D,gCAAgC;QAChC,4BAA4B;QAC5B,wCAAwC;QACxC,qCAAqC;QACrC,EAAE;QACF,sBAAsB;QACtB,EAAE;QACF,8CAA8C;QAC9C,SAAS;QACT,8EAA8E;QAC9E,qHAAqH;QACrH,yFAAyF;QACzF,gKAAgK;QAChK,KAAK;QACL,EAAE;QACF,kDAAkD;QAClD,+FAA+F;QAC/F,mHAAmH;QACnH,EAAE;QACF,qDAAqD;QACrD,SAAS;QACT,oFAAoF;QACpF,oJAAoJ;QACpJ,6FAA6F;QAC7F,uNAAuN;QACvN,KAAK;QACL,EAAE;QACF,mCAAmC;QACnC,0EAA0E;QAC1E,wDAAwD;QACxD,0DAA0D;QAC1D,+EAA+E;KAChF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/dist/store.js

@@ -17,6 +17,10 @@ export function initDb(dbPath) {
     db.pragma("journal_mode = WAL");
     db.pragma("busy_timeout = 5000");
     runMigrations(db, allMigrations);
+    // Force a WAL checkpoint so the main DB file is fully written before the
+    // scan starts.  This prevents data loss if the process crashes before
+    // SQLite's automatic checkpoint threshold is reached.
+    db.pragma("wal_checkpoint(TRUNCATE)");
     return db;
 }
 /** Default DB path: .kuzushi/findings.sqlite3 in the scanned repo root. */