ship-safe 6.1.0 → 6.2.0

package/cli/agents/deep-analyzer.js

@@ -100,8 +100,12 @@ export class DeepAnalyzer {
       return new DeepAnalyzer({ provider, ...options });
     }
 
-    // Auto-detect from env
-    const provider = autoDetectProvider(rootPath);
+    // Auto-detect from env, honouring explicit --provider / --base-url / --model
+    const provider = autoDetectProvider(rootPath, {
+      provider: options.provider,
+      baseUrl:  options.baseUrl,
+      model:    options.model,
+    });
     if (!provider) return null;
 
     return new DeepAnalyzer({ provider, ...options });

package/cli/agents/git-history-scanner.js

@@ -1,170 +1,170 @@
-/**
- * GitHistoryScanner Agent
- * ========================
- *
- * Scans git commit history for secrets that were committed
- * and later removed but remain in repository history.
- * These are the most dangerous secrets — developers think
- * they're deleted but they're still accessible.
- */
-
-import { execSync, execFileSync } from 'child_process';
-import path from 'path';
-import { BaseAgent, createFinding } from './base-agent.js';
-import { SECRET_PATTERNS } from '../utils/patterns.js';
-
-// Compile a fast combined regex from all secret patterns
-const FAST_SECRET_PATTERNS = SECRET_PATTERNS.map(p => ({
-  name: p.name,
-  pattern: p.pattern,
-  severity: p.severity,
-}));
-
-export class GitHistoryScanner extends BaseAgent {
-  constructor() {
-    super('GitHistoryScanner', 'Scan git history for leaked secrets', 'history');
-  }
-
-  async analyze(context) {
-    const { rootPath, options } = context;
-    const findings = [];
-
-    // Check if this is a git repository
-    if (!this.isGitRepo(rootPath)) return [];
-
-    try {
-      // Get recent commits (default: last 50, configurable)
-      const maxCommits = options?.maxCommits || 50;
-      const since = options?.since || null;
-
-      const gitArgs = ['-C', rootPath, 'log', '--all', '--diff-filter=A', '--diff-filter=M', '-p', '--no-color', `--max-count=${parseInt(maxCommits, 10)}`];
-      if (since) {
-        gitArgs.push(`--since=${since}`);
-      }
-
-      let diffOutput;
-      try {
-        diffOutput = execFileSync('git', gitArgs, {
-          cwd: rootPath,
-          encoding: 'utf-8',
-          maxBuffer: 50 * 1024 * 1024, // 50MB buffer
-          timeout: 60000, // 60s timeout
-        });
-      } catch {
-        // git log failed — might be a shallow clone or no history
-        return [];
-      }
-
-      if (!diffOutput) return [];
-
-      // Parse the diff output
-      let currentFile = '';
-      let currentCommit = '';
-      let currentDate = '';
-      const lines = diffOutput.split('\n');
-
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-
-        // Track current commit
-        if (line.startsWith('commit ')) {
-          currentCommit = line.slice(7, 17); // First 10 chars of hash
-        }
-        if (line.startsWith('Date:')) {
-          currentDate = line.slice(5).trim();
-        }
-
-        // Track current file
-        if (line.startsWith('diff --git ')) {
-          const match = line.match(/diff --git a\/(.+) b\//);
-          if (match) currentFile = match[1];
-        }
-
-        // Only check added lines (lines starting with +)
-        if (!line.startsWith('+') || line.startsWith('+++')) continue;
-
-        const addedLine = line.slice(1); // Remove the leading +
-
-        // Check against all secret patterns
-        for (const p of FAST_SECRET_PATTERNS) {
-          p.pattern.lastIndex = 0;
-          const match = p.pattern.exec(addedLine);
-          if (match) {
-            // Check if this secret still exists in current working tree
-            const stillExists = this.existsInWorkingTree(rootPath, match[0]);
-
-            findings.push(createFinding({
-              file: path.join(rootPath, currentFile),
-              line: 0, // Line number not meaningful in history
-              severity: stillExists ? p.severity : this.elevateSeverity(p.severity),
-              category: 'history',
-              rule: 'GIT_HISTORY_SECRET',
-              title: `Historical Secret: ${p.name}`,
-              description: stillExists
-                ? `Secret found in current code AND in git history (commit ${currentCommit}).`
-                : `Secret was removed from code but still exists in git history (commit ${currentCommit}, ${currentDate}). Anyone with repo access can retrieve it.`,
-              matched: this.maskSecret(match[0]),
-              confidence: 'high',
-              fix: stillExists
-                ? 'Remove from code, rotate the credential, then clean git history with BFG or git filter-repo'
-                : 'Rotate this credential immediately, then clean history: npx bfg --replace-text passwords.txt',
-            }));
-          }
-        }
-      }
-
-      // Deduplicate by matched value (same secret in multiple commits)
-      const seen = new Set();
-      return findings.filter(f => {
-        const key = `${f.matched}:${f.title}`;
-        if (seen.has(key)) return false;
-        seen.add(key);
-        return true;
-      });
-
-    } catch (err) {
-      // Don't fail the entire scan if git history scan fails
-      return [];
-    }
-  }
-
-  isGitRepo(dir) {
-    try {
-      execSync('git rev-parse --is-inside-work-tree', { cwd: dir, stdio: 'pipe' });
-      return true;
-    } catch {
-      return false;
-    }
-  }
-
-  existsInWorkingTree(rootPath, secret) {
-    try {
-      const result = execFileSync('git', [
-        '-C', rootPath, 'grep', '-l', secret.slice(0, 12),
-        '--', '*.js', '*.ts', '*.py', '*.env', '*.json'
-      ], {
-        cwd: rootPath,
-        encoding: 'utf-8',
-        timeout: 5000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      return result.trim().length > 0;
-    } catch {
-      return false;
-    }
-  }
-
-  elevateSeverity(sev) {
-    // Secrets in history-only are MORE dangerous (developer thinks they're gone)
-    if (sev === 'medium') return 'high';
-    if (sev === 'high') return 'critical';
-    return sev;
-  }
-
-  maskSecret(secret) {
-    if (secret.length <= 10) return secret.slice(0, 4) + '***';
-    return secret.slice(0, 8) + '***' + secret.slice(-4);
-  }
-}
-
-export default GitHistoryScanner;
+/**
+ * GitHistoryScanner Agent
+ * ========================
+ *
+ * Scans git commit history for secrets that were committed
+ * and later removed but remain in repository history.
+ * These are the most dangerous secrets — developers think
+ * they're deleted but they're still accessible.
+ */
+
+import { execSync, execFileSync } from 'child_process';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+import { SECRET_PATTERNS } from '../utils/patterns.js';
+
+// Compile a fast combined regex from all secret patterns
+const FAST_SECRET_PATTERNS = SECRET_PATTERNS.map(p => ({
+  name: p.name,
+  pattern: p.pattern,
+  severity: p.severity,
+}));
+
+export class GitHistoryScanner extends BaseAgent {
+  constructor() {
+    super('GitHistoryScanner', 'Scan git history for leaked secrets', 'history');
+  }
+
+  async analyze(context) {
+    const { rootPath, options } = context;
+    const findings = [];
+
+    // Check if this is a git repository
+    if (!this.isGitRepo(rootPath)) return [];
+
+    try {
+      // Get recent commits (default: last 50, configurable)
+      const maxCommits = options?.maxCommits || 50;
+      const since = options?.since || null;
+
+      const gitArgs = ['-C', rootPath, 'log', '--all', '--diff-filter=A', '--diff-filter=M', '-p', '--no-color', `--max-count=${parseInt(maxCommits, 10)}`];
+      if (since) {
+        gitArgs.push(`--since=${since}`);
+      }
+
+      let diffOutput;
+      try {
+        diffOutput = execFileSync('git', gitArgs, {
+          cwd: rootPath,
+          encoding: 'utf-8',
+          maxBuffer: 50 * 1024 * 1024, // 50MB buffer
+          timeout: 60000, // 60s timeout
+        });
+      } catch {
+        // git log failed — might be a shallow clone or no history
+        return [];
+      }
+
+      if (!diffOutput) return [];
+
+      // Parse the diff output
+      let currentFile = '';
+      let currentCommit = '';
+      let currentDate = '';
+      const lines = diffOutput.split('\n');
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        // Track current commit
+        if (line.startsWith('commit ')) {
+          currentCommit = line.slice(7, 17); // First 10 chars of hash
+        }
+        if (line.startsWith('Date:')) {
+          currentDate = line.slice(5).trim();
+        }
+
+        // Track current file
+        if (line.startsWith('diff --git ')) {
+          const match = line.match(/diff --git a\/(.+) b\//);
+          if (match) currentFile = match[1];
+        }
+
+        // Only check added lines (lines starting with +)
+        if (!line.startsWith('+') || line.startsWith('+++')) continue;
+
+        const addedLine = line.slice(1); // Remove the leading +
+
+        // Check against all secret patterns
+        for (const p of FAST_SECRET_PATTERNS) {
+          p.pattern.lastIndex = 0;
+          const match = p.pattern.exec(addedLine);
+          if (match) {
+            // Check if this secret still exists in current working tree
+            const stillExists = this.existsInWorkingTree(rootPath, match[0]);
+
+            findings.push(createFinding({
+              file: path.join(rootPath, currentFile),
+              line: 0, // Line number not meaningful in history
+              severity: stillExists ? p.severity : this.elevateSeverity(p.severity),
+              category: 'history',
+              rule: 'GIT_HISTORY_SECRET',
+              title: `Historical Secret: ${p.name}`,
+              description: stillExists
+                ? `Secret found in current code AND in git history (commit ${currentCommit}).`
+                : `Secret was removed from code but still exists in git history (commit ${currentCommit}, ${currentDate}). Anyone with repo access can retrieve it.`,
+              matched: this.maskSecret(match[0]),
+              confidence: 'high',
+              fix: stillExists
+                ? 'Remove from code, rotate the credential, then clean git history with BFG or git filter-repo'
+                : 'Rotate this credential immediately, then clean history: npx bfg --replace-text passwords.txt',
+            }));
+          }
+        }
+      }
+
+      // Deduplicate by matched value (same secret in multiple commits)
+      const seen = new Set();
+      return findings.filter(f => {
+        const key = `${f.matched}:${f.title}`;
+        if (seen.has(key)) return false;
+        seen.add(key);
+        return true;
+      });
+
+    } catch (err) {
+      // Don't fail the entire scan if git history scan fails
+      return [];
+    }
+  }
+
+  isGitRepo(dir) {
+    try {
+      execSync('git rev-parse --is-inside-work-tree', { cwd: dir, stdio: 'pipe' });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  existsInWorkingTree(rootPath, secret) {
+    try {
+      const result = execFileSync('git', [
+        '-C', rootPath, 'grep', '-l', secret.slice(0, 12),
+        '--', '*.js', '*.ts', '*.py', '*.env', '*.json'
+      ], {
+        cwd: rootPath,
+        encoding: 'utf-8',
+        timeout: 5000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      return result.trim().length > 0;
+    } catch {
+      return false;
+    }
+  }
+
+  elevateSeverity(sev) {
+    // Secrets in history-only are MORE dangerous (developer thinks they're gone)
+    if (sev === 'medium') return 'high';
+    if (sev === 'high') return 'critical';
+    return sev;
+  }
+
+  maskSecret(secret) {
+    if (secret.length <= 10) return secret.slice(0, 4) + '***';
+    return secret.slice(0, 8) + '***' + secret.slice(-4);
+  }
+}
+
+export default GitHistoryScanner;

package/cli/agents/html-reporter.js

@@ -154,9 +154,14 @@ small{color:#64748b}
     </tbody>
   </table>` : ''}
 
+  <div style="text-align:center;margin:1.5rem 0">
+    <a href="https://twitter.com/intent/tweet?text=${encodeURIComponent(`My project scored ${scoreResult.score}/100 (Grade ${scoreResult.grade.letter}) on Ship Safe! Scan yours: npx ship-safe audit . https://shipsafecli.com`)}" target="_blank" rel="noopener" style="display:inline-block;padding:8px 18px;background:#000;color:#fff;border-radius:6px;font-size:0.85rem;font-weight:600;text-decoration:none;margin:0 4px">Share on X</a>
+    <a href="https://www.linkedin.com/sharing/share-offsite/?url=https://shipsafecli.com" target="_blank" rel="noopener" style="display:inline-block;padding:8px 18px;background:#0a66c2;color:#fff;border-radius:6px;font-size:0.85rem;font-weight:600;text-decoration:none;margin:0 4px">Share on LinkedIn</a>
+  </div>
+
   <div class="footer">
-    Generated by <strong>Ship Safe v6.0</strong> — Security toolkit for developers<br>
-    <a href="https://shipsafecli.com" style="color:#38bdf8">shipsafecli.com</a>
+    Generated by <strong>Ship Safe v6.1</strong> — Security toolkit for developers<br>
+    <a href="https://shipsafecli.com" style="color:#38bdf8">shipsafecli.com</a> &middot; <a href="https://shipsafecli.com/pricing" style="color:#38bdf8">Cloud Dashboard</a>
   </div>
 </div>
 </body>
@@ -340,6 +345,16 @@ small{color:#94a3b8}
 .toc a:hover{text-decoration:underline}
 .footer{text-align:center;color:#475569;margin-top:3rem;padding:2rem;border-top:1px solid #1e293b}
 .footer a{color:#38bdf8}
+.share-bar{display:flex;justify-content:center;gap:0.75rem;margin:1.5rem 0}
+.share-btn{display:inline-flex;align-items:center;gap:6px;padding:8px 18px;border-radius:6px;font-size:0.85rem;font-weight:600;text-decoration:none;cursor:pointer;border:none;transition:opacity .15s}
+.share-btn:hover{opacity:0.85}
+.share-btn-x{background:#000;color:#fff}
+.share-btn-li{background:#0a66c2;color:#fff}
+.share-btn-copy{background:#334155;color:#38bdf8;border:1px solid #475569}
+.share-btn-copy.copied{background:#22c55e33;color:#22c55e;border-color:#22c55e}
+.badge-section{background:#1e293b;border-radius:8px;padding:1.5rem;margin-top:1.5rem;text-align:center}
+.badge-section img{margin-bottom:0.75rem}
+.badge-section code{display:block;background:#0f172a;padding:8px 12px;border-radius:4px;font-size:0.75rem;margin-top:0.5rem;word-break:break-all;user-select:all}
 /* Hidden row */
 .hidden-row{display:none}
 /* Print */
@@ -445,13 +460,34 @@ small{color:#94a3b8}
     </tbody>
   </table>` : ''}
 
+  <div class="share-bar">
+    <a class="share-btn share-btn-x" href="https://twitter.com/intent/tweet?text=${encodeURIComponent(`My project scored ${scoreResult.score}/100 (Grade ${scoreResult.grade.letter}) on Ship Safe security audit! 18 AI agents, 80+ attack classes.\n\nScan yours: npx ship-safe audit .\n\nhttps://shipsafecli.com`)}" target="_blank" rel="noopener">Share on X</a>
+    <a class="share-btn share-btn-li" href="https://www.linkedin.com/sharing/share-offsite/?url=https://shipsafecli.com" target="_blank" rel="noopener">Share on LinkedIn</a>
+    <button class="share-btn share-btn-copy" onclick="copyShareText(this)">Copy Score Summary</button>
+  </div>
+
+  <div class="badge-section">
+    <p style="color:#94a3b8;margin-bottom:0.75rem"><strong>Add a security badge to your README:</strong></p>
+    <img src="https://img.shields.io/badge/Ship_Safe-${scoreResult.grade.letter}-${gradeColors[scoreResult.grade.letter].replace('#','')}" alt="Ship Safe Grade ${scoreResult.grade.letter}" />
+    <code>[![Ship Safe](https://img.shields.io/badge/Ship_Safe-${scoreResult.grade.letter}-${gradeColors[scoreResult.grade.letter].replace('#','')})](https://shipsafecli.com)</code>
+  </div>
+
   <div class="footer">
-    Generated by <strong>Ship Safe v6.0</strong> — Full Security Audit<br>
-    <a href="https://shipsafecli.com">shipsafecli.com</a>
+    Generated by <strong>Ship Safe v6.1</strong> — Full Security Audit<br>
+    <a href="https://shipsafecli.com">shipsafecli.com</a> &middot; <a href="https://shipsafecli.com/pricing">Cloud Dashboard</a>
   </div>
 </div>
 
 <script>
+function copyShareText(btn) {
+  const text = 'My project scored ${scoreResult.score}/100 (Grade ${scoreResult.grade.letter}) on Ship Safe security audit!\\nScan yours: npx ship-safe audit .\\nhttps://shipsafecli.com';
+  navigator.clipboard.writeText(text).then(() => {
+    btn.textContent = 'Copied!';
+    btn.classList.add('copied');
+    setTimeout(() => { btn.textContent = 'Copy Score Summary'; btn.classList.remove('copied'); }, 2000);
+  });
+}
+
 // ── Severity filter ────────────────────────────────────────────────────────
 let activeSev = 'all';
 let searchTerm = '';

package/cli/agents/index.js

@@ -1,84 +1,84 @@
-/**
- * Agent Registry
- * ===============
- *
- * Central export of all agents and supporting classes.
- */
-
-export { BaseAgent, createFinding } from './base-agent.js';
-export { Orchestrator } from './orchestrator.js';
-export { ReconAgent } from './recon-agent.js';
-export { InjectionTester } from './injection-tester.js';
-export { AuthBypassAgent } from './auth-bypass-agent.js';
-export { SSRFProber } from './ssrf-prober.js';
-export { SupplyChainAudit } from './supply-chain-agent.js';
-export { ConfigAuditor } from './config-auditor.js';
-export { LLMRedTeam } from './llm-redteam.js';
-export { MobileScanner } from './mobile-scanner.js';
-export { GitHistoryScanner } from './git-history-scanner.js';
-export { CICDScanner } from './cicd-scanner.js';
-export { APIFuzzer } from './api-fuzzer.js';
-export { SupabaseRLSAgent } from './supabase-rls-agent.js';
-export { MCPSecurityAgent } from './mcp-security-agent.js';
-export { AgenticSecurityAgent } from './agentic-security-agent.js';
-export { RAGSecurityAgent } from './rag-security-agent.js';
-export { PIIComplianceAgent } from './pii-compliance-agent.js';
-export { VibeCodingAgent } from './vibe-coding-agent.js';
-export { ExceptionHandlerAgent } from './exception-handler-agent.js';
-export { AgentConfigScanner } from './agent-config-scanner.js';
-export { ABOMGenerator } from './abom-generator.js';
-export { VerifierAgent } from './verifier-agent.js';
-export { DeepAnalyzer } from './deep-analyzer.js';
-export { ScoringEngine, GRADES, CATEGORIES } from './scoring-engine.js';
-export { SBOMGenerator } from './sbom-generator.js';
-export { PolicyEngine } from './policy-engine.js';
-export { HTMLReporter } from './html-reporter.js';
-
-/**
- * Create a fully configured orchestrator with all 16 scanning agents.
- * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
- */
-import { Orchestrator as OrchestratorClass } from './orchestrator.js';
-import { InjectionTester as InjectionTesterClass } from './injection-tester.js';
-import { AuthBypassAgent as AuthBypassAgentClass } from './auth-bypass-agent.js';
-import { SSRFProber as SSRFProberClass } from './ssrf-prober.js';
-import { SupplyChainAudit as SupplyChainAuditClass } from './supply-chain-agent.js';
-import { ConfigAuditor as ConfigAuditorClass } from './config-auditor.js';
-import { LLMRedTeam as LLMRedTeamClass } from './llm-redteam.js';
-import { MobileScanner as MobileScannerClass } from './mobile-scanner.js';
-import { GitHistoryScanner as GitHistoryScannerClass } from './git-history-scanner.js';
-import { CICDScanner as CICDScannerClass } from './cicd-scanner.js';
-import { APIFuzzer as APIFuzzerClass } from './api-fuzzer.js';
-import { SupabaseRLSAgent as SupabaseRLSAgentClass } from './supabase-rls-agent.js';
-import { MCPSecurityAgent as MCPSecurityAgentClass } from './mcp-security-agent.js';
-import { AgenticSecurityAgent as AgenticSecurityAgentClass } from './agentic-security-agent.js';
-import { RAGSecurityAgent as RAGSecurityAgentClass } from './rag-security-agent.js';
-import { PIIComplianceAgent as PIIComplianceAgentClass } from './pii-compliance-agent.js';
-import { VibeCodingAgent as VibeCodingAgentClass } from './vibe-coding-agent.js';
-import { ExceptionHandlerAgent as ExceptionHandlerAgentClass } from './exception-handler-agent.js';
-import { AgentConfigScanner as AgentConfigScannerClass } from './agent-config-scanner.js';
-
-export function buildOrchestrator() {
-  const orchestrator = new OrchestratorClass();
-  orchestrator.registerAll([
-    new InjectionTesterClass(),
-    new AuthBypassAgentClass(),
-    new SSRFProberClass(),
-    new SupplyChainAuditClass(),
-    new ConfigAuditorClass(),
-    new LLMRedTeamClass(),
-    new MobileScannerClass(),
-    new GitHistoryScannerClass(),
-    new CICDScannerClass(),
-    new APIFuzzerClass(),
-    new SupabaseRLSAgentClass(),
-    new MCPSecurityAgentClass(),
-    new AgenticSecurityAgentClass(),
-    new RAGSecurityAgentClass(),
-    new PIIComplianceAgentClass(),
-    new VibeCodingAgentClass(),
-    new ExceptionHandlerAgentClass(),
-    new AgentConfigScannerClass(),
-  ]);
-  return orchestrator;
-}
+/**
+ * Agent Registry
+ * ===============
+ *
+ * Central export of all agents and supporting classes.
+ */
+
+export { BaseAgent, createFinding } from './base-agent.js';
+export { Orchestrator } from './orchestrator.js';
+export { ReconAgent } from './recon-agent.js';
+export { InjectionTester } from './injection-tester.js';
+export { AuthBypassAgent } from './auth-bypass-agent.js';
+export { SSRFProber } from './ssrf-prober.js';
+export { SupplyChainAudit } from './supply-chain-agent.js';
+export { ConfigAuditor } from './config-auditor.js';
+export { LLMRedTeam } from './llm-redteam.js';
+export { MobileScanner } from './mobile-scanner.js';
+export { GitHistoryScanner } from './git-history-scanner.js';
+export { CICDScanner } from './cicd-scanner.js';
+export { APIFuzzer } from './api-fuzzer.js';
+export { SupabaseRLSAgent } from './supabase-rls-agent.js';
+export { MCPSecurityAgent } from './mcp-security-agent.js';
+export { AgenticSecurityAgent } from './agentic-security-agent.js';
+export { RAGSecurityAgent } from './rag-security-agent.js';
+export { PIIComplianceAgent } from './pii-compliance-agent.js';
+export { VibeCodingAgent } from './vibe-coding-agent.js';
+export { ExceptionHandlerAgent } from './exception-handler-agent.js';
+export { AgentConfigScanner } from './agent-config-scanner.js';
+export { ABOMGenerator } from './abom-generator.js';
+export { VerifierAgent } from './verifier-agent.js';
+export { DeepAnalyzer } from './deep-analyzer.js';
+export { ScoringEngine, GRADES, CATEGORIES } from './scoring-engine.js';
+export { SBOMGenerator } from './sbom-generator.js';
+export { PolicyEngine } from './policy-engine.js';
+export { HTMLReporter } from './html-reporter.js';
+
+/**
+ * Create a fully configured orchestrator with all 16 scanning agents.
+ * (VerifierAgent and DeepAnalyzer run as post-processors, not in the agent pool.)
+ */
+import { Orchestrator as OrchestratorClass } from './orchestrator.js';
+import { InjectionTester as InjectionTesterClass } from './injection-tester.js';
+import { AuthBypassAgent as AuthBypassAgentClass } from './auth-bypass-agent.js';
+import { SSRFProber as SSRFProberClass } from './ssrf-prober.js';
+import { SupplyChainAudit as SupplyChainAuditClass } from './supply-chain-agent.js';
+import { ConfigAuditor as ConfigAuditorClass } from './config-auditor.js';
+import { LLMRedTeam as LLMRedTeamClass } from './llm-redteam.js';
+import { MobileScanner as MobileScannerClass } from './mobile-scanner.js';
+import { GitHistoryScanner as GitHistoryScannerClass } from './git-history-scanner.js';
+import { CICDScanner as CICDScannerClass } from './cicd-scanner.js';
+import { APIFuzzer as APIFuzzerClass } from './api-fuzzer.js';
+import { SupabaseRLSAgent as SupabaseRLSAgentClass } from './supabase-rls-agent.js';
+import { MCPSecurityAgent as MCPSecurityAgentClass } from './mcp-security-agent.js';
+import { AgenticSecurityAgent as AgenticSecurityAgentClass } from './agentic-security-agent.js';
+import { RAGSecurityAgent as RAGSecurityAgentClass } from './rag-security-agent.js';
+import { PIIComplianceAgent as PIIComplianceAgentClass } from './pii-compliance-agent.js';
+import { VibeCodingAgent as VibeCodingAgentClass } from './vibe-coding-agent.js';
+import { ExceptionHandlerAgent as ExceptionHandlerAgentClass } from './exception-handler-agent.js';
+import { AgentConfigScanner as AgentConfigScannerClass } from './agent-config-scanner.js';
+
+export function buildOrchestrator() {
+  const orchestrator = new OrchestratorClass();
+  orchestrator.registerAll([
+    new InjectionTesterClass(),
+    new AuthBypassAgentClass(),
+    new SSRFProberClass(),
+    new SupplyChainAuditClass(),
+    new ConfigAuditorClass(),
+    new LLMRedTeamClass(),
+    new MobileScannerClass(),
+    new GitHistoryScannerClass(),
+    new CICDScannerClass(),
+    new APIFuzzerClass(),
+    new SupabaseRLSAgentClass(),
+    new MCPSecurityAgentClass(),
+    new AgenticSecurityAgentClass(),
+    new RAGSecurityAgentClass(),
+    new PIIComplianceAgentClass(),
+    new VibeCodingAgentClass(),
+    new ExceptionHandlerAgentClass(),
+    new AgentConfigScannerClass(),
+  ]);
+  return orchestrator;
+}