ship-safe 6.4.0 → 8.0.0

package/cli/agents/scoring-engine.js

@@ -11,7 +11,7 @@
 
 import fs from 'fs';
 import path from 'path';
-import { getComplianceSummary } from '../utils/compliance-map.js';
+import { getComplianceSummary, getAgenticSummary, enrichAgenticRisk } from '../utils/compliance-map.js';
 
 // =============================================================================
 // SCORING CONFIGURATION
@@ -49,6 +49,7 @@ const FALLBACK_CATEGORY_MAP = {
   'vibe': 'injection',        // Vibe coding findings → Code Vulnerabilities
   'exception': 'injection',   // OWASP A10:2025 — Mishandling of Exceptional Conditions
   'agent-config': 'llm',      // Agent config security → AI/LLM category
+  'memory-poisoning': 'llm',  // Memory poisoning → AI/LLM category
   'recon': null,               // skip recon findings
 };
 
@@ -87,6 +88,11 @@ export class ScoringEngine {
       };
     }
 
+    // ── Enrich findings with OWASP Agentic AI Top 10 metadata ──────────────
+    for (const finding of findings) {
+      enrichAgenticRisk(finding);
+    }
+
     // ── Classify findings into categories ─────────────────────────────────────
     for (const finding of findings) {
       const cat = this.resolveCategory(finding.category);
@@ -146,6 +152,14 @@ export class ScoringEngine {
       compliance = null;
     }
 
+    // ── OWASP Agentic AI Top 10 summary ──────────────────────────────────
+    let agenticSummary;
+    try {
+      agenticSummary = getAgenticSummary(findings);
+    } catch {
+      agenticSummary = null;
+    }
+
     return {
       score,
       grade,
@@ -153,6 +167,7 @@ export class ScoringEngine {
       totalFindings: findings.length,
       totalDepVulns: depVulns.length,
       compliance,
+      agenticSummary,
     };
   }
 

package/cli/agents/supply-chain-agent.js

@@ -26,7 +26,7 @@ const COMPROMISED_PACKAGES = [
   {
     name: 'axios',
     badVersions: ['1.8.2'],
-    note: 'TeamPCP/CanisterWorm campaign (Mar 31 2026). Malicious publish delivered a Remote Access Trojan with persistence.',
+    note: 'TeamPCP/CanisterWorm campaign (Mar 31 2026). Attributed to Sapphire Sleet (North Korean state actor) by Microsoft Threat Intelligence. Malicious publish connected to C2 domain delivering a second-stage RAT with persistence.',
   },
   {
     name: 'telnyx',
@@ -582,7 +582,8 @@ export class SupplyChainAudit extends BaseAgent {
       }));
     }
 
-    // ── 9. Blockchain C2 indicators (CanisterWorm / ICP) ──────────────────────
+    // ── 9. Trojanized package behavioral signatures ───────────────────────────
+    //    Patterns from Axios 1.8.2, LiteLLM 1.82.7, TeamPCP campaign (Mar 2026)
     if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
       try {
         const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
@@ -590,7 +591,132 @@ export class SupplyChainAudit extends BaseAgent {
           ...(pkg.dependencies || {}),
           ...(pkg.devDependencies || {}),
         };
-        for (const depName of Object.keys(allDeps)) {
+
+        for (const depName of Object.keys(allDeps).slice(0, 80)) {
+          const depDir = path.join(rootPath, 'node_modules', depName);
+          const depPkgPath = path.join(depDir, 'package.json');
+          if (!fs.existsSync(depPkgPath)) continue;
+
+          try {
+            const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf-8'));
+
+            // 9a. Hidden dependencies added by attacker
+            //     Axios 1.8.2 injected a hidden malicious dep that wasn't in the legitimate version.
+            //     Check for deps that only exist in certain version ranges.
+            const depDeps = depPkg.dependencies || {};
+            for (const [subDep, subVer] of Object.entries(depDeps)) {
+              // Packages with very high download counts that suddenly gain unknown subdependencies
+              if (/^[a-z]+-[a-z0-9]+-[a-z0-9]+$/.test(subDep) && typeof subVer === 'string' && subVer.startsWith('git+')) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_HIDDEN_DEP',
+                  title: `Suspicious Hidden Dependency in ${depName}: ${subDep}`,
+                  description: `"${depName}" depends on "${subDep}" via a git URL. This matches the Axios/TeamPCP trojanization pattern where attackers inject a malicious dependency into a popular package.`,
+                  matched: `${subDep}: ${subVer}`,
+                  fix: `Compare this version's dependencies against the official release. If "${subDep}" was not in the previous version, this package may be trojanized.`,
+                }));
+              }
+            }
+
+            // 9b. Install scripts that read and exfiltrate env vars
+            //     LiteLLM 1.82.7 harvested AWS/GCP/Azure tokens + SSH keys
+            const scripts = depPkg.scripts || {};
+            for (const hook of ['preinstall', 'install', 'postinstall']) {
+              const cmd = scripts[hook];
+              if (!cmd) continue;
+
+              // Environment variable harvesting
+              if (/process\.env|os\.environ|ENV\[|getenv/i.test(cmd) &&
+                  /https?:|fetch|request|axios|curl|wget|net\./i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_ENV_EXFIL',
+                  title: `Credential Harvesting in ${hook}: ${depName}`,
+                  description: `"${depName}" reads environment variables and makes network requests during ${hook}. This is the exact pattern used in the LiteLLM/TeamPCP attack to steal cloud credentials.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately. Rotate any credentials (AWS, GCP, Azure tokens, SSH keys) that may have been exfiltrated.',
+                }));
+              }
+
+              // SSH key / credential file access in install scripts
+              if (/\.ssh|\.aws|\.azure|\.gcp|\.kube|\.docker|credentials|\.npmrc|\.pypirc/i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_CREDENTIAL_ACCESS',
+                  title: `Credential File Access in ${hook}: ${depName}`,
+                  description: `"${depName}" accesses credential files (.ssh, .aws, .kube, etc.) during ${hook}. This matches the TeamPCP credential theft pattern.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately and rotate all credentials in the accessed directories.',
+                }));
+              }
+            }
+
+            // 9c. Scan actual JS entry files for runtime exfiltration patterns
+            const main = depPkg.main || 'index.js';
+            const entryPath = path.join(depDir, main);
+            if (fs.existsSync(entryPath)) {
+              try {
+                const entryContent = fs.readFileSync(entryPath, 'utf-8');
+                if (entryContent.length < 500_000) {
+                  // DNS-based exfiltration (encode data in subdomain)
+                  if (/dns\.resolve|dns\.lookup/i.test(entryContent) &&
+                      /process\.env|os\.hostname/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'high',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_DNS_EXFIL',
+                      title: `DNS Exfiltration Pattern: ${depName}`,
+                      description: `"${depName}" combines DNS lookups with system/env data reads — a known technique for exfiltrating data via DNS subdomains to bypass firewalls.`,
+                      matched: 'dns.resolve + process.env',
+                      confidence: 'medium',
+                      fix: 'Inspect the DNS usage. Legitimate packages rarely combine DNS with environment variable reading.',
+                    }));
+                  }
+
+                  // WebSocket-based C2
+                  if (/new\s+WebSocket/i.test(entryContent) &&
+                      /process\.env|child_process|exec/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'critical',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_WEBSOCKET_C2',
+                      title: `WebSocket C2 Pattern: ${depName}`,
+                      description: `"${depName}" opens WebSocket connections combined with system command execution — consistent with a Remote Access Trojan.`,
+                      matched: 'WebSocket + child_process',
+                      fix: 'Remove this package immediately. Scan for persistence mechanisms (cron jobs, startup scripts).',
+                    }));
+                  }
+                }
+              } catch { /* skip */ }
+            }
+
+          } catch { /* skip */ }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── 10. Blockchain C2 indicators (CanisterWorm / ICP) ────────────────────
+    if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
+      try {
+        const pkg2 = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const allDeps2 = {
+          ...(pkg2.dependencies || {}),
+          ...(pkg2.devDependencies || {}),
+        };
+        for (const depName of Object.keys(allDeps2)) {
           const depPkgPath = path.join(rootPath, 'node_modules', depName, 'package.json');
           if (!fs.existsSync(depPkgPath)) continue;
           try {

package/cli/bin/ship-safe.js

@@ -47,6 +47,12 @@ import { abomCommand } from '../commands/abom.js';
 import { updateIntelCommand } from '../commands/update-intel.js';
 import { hooksCommand } from '../commands/hooks.js';
 import { legalCommand } from '../commands/legal.js';
+import { runLiveAdvisories } from '../commands/live-advisories.js';
+import { envAuditCommand } from '../commands/env-audit.js';
+import { autofixCommand } from '../commands/autofix.js';
+import { memoryCommand } from '../utils/security-memory.js';
+import { playbookCommand } from '../utils/scan-playbook.js';
+import { listPluginFiles, scaffoldPlugin } from '../utils/plugin-loader.js';
 import { ABOMGenerator } from '../agents/abom-generator.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
@@ -202,7 +208,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('audit [path]')
-  .description('Full security audit: secrets + 18 agents + deps + score + deep analysis + remediation plan')
+  .description('Full security audit: secrets + 22 agents + deps + score + deep analysis + remediation plan')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
   .option('--csv', 'Output results as CSV')
@@ -223,6 +229,8 @@ program
   .option('--budget <cents>', 'Max spend in cents for deep analysis (default: 50)', parseInt)
   .option('--verify', 'Check if leaked secrets are still active (probes provider APIs)')
   .option('--include-legal', 'Also run the legal risk scan (DMCA, leaked source, IP disputes)')
+  .option('--agentic [iterations]', 'Agentic scan→fix→verify loop (default: 3 iterations, target score: 75)', (v) => v ? parseInt(v) : true)
+  .option('--agentic-target <score>', 'Target security score for agentic loop (default: 75)', parseInt)
   .option('-v, --verbose', 'Verbose output')
   .action(auditCommand);
 
@@ -243,7 +251,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('red-team [path]')
-  .description('Multi-agent security audit: 18 agents scan for 80+ attack classes')
+  .description('Multi-agent security audit: 22 agents scan for 80+ attack classes')
   .option('--agents <list>', 'Comma-separated list of agents to run')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
@@ -268,8 +276,62 @@ program
   .description('Continuous monitoring: watch files for security issues in real-time')
   .option('--poll', 'Use polling mode (for network drives)')
   .option('--configs', 'Watch only agent config files (openclaw.json, .cursorrules, mcp.json, etc.)')
+  .option('--deep', 'Run full agent scanning on changes (not just pattern matching)')
+  .option('--status', 'Show current watch status and exit')
+  .option('--threshold <score>', 'Alert when score drops below threshold', parseInt)
+  .option('--debounce <ms>', 'Debounce interval in ms (default: 1500)', parseInt)
+  .option('--slack [webhook]', 'Post findings to Slack webhook URL (or set SHIP_SAFE_SLACK_WEBHOOK env var)')
+  .option('--pr-comment', 'Post inline findings as GitHub PR review comments (requires gh CLI)')
   .action(watchCommand);
 
+// -----------------------------------------------------------------------------
+// ADVISORIES COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('advisories [path]')
+  .description('Check dependencies against live advisory feeds (OSV.dev, GitHub Advisories)')
+  .option('--ecosystem <type>', 'Filter by ecosystem (npm, PyPI)')
+  .option('--json', 'Output as JSON')
+  .action(async (targetPath = '.', options) => {
+    const { resolve } = await import('path');
+    const absolutePath = resolve(targetPath);
+    try {
+      const result = await runLiveAdvisories(absolutePath, options);
+      if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+        return;
+      }
+      console.log();
+      console.log(chalk.cyan.bold('  Ship Safe — Live Advisories'));
+      console.log(chalk.gray(`  Checked ${result.checked} dependencies against OSV.dev`));
+      console.log();
+      if (result.advisories.length === 0) {
+        console.log(chalk.green('  ✔ No known advisories for your current dependency versions.\n'));
+      } else {
+        const malware = result.advisories.filter(a => a.isMalware);
+        const vulns = result.advisories.filter(a => !a.isMalware);
+        if (malware.length > 0) {
+          console.log(chalk.red.bold(`  !! ${malware.length} MALWARE ADVISORY(S) FOUND`));
+          for (const a of malware) {
+            console.log(chalk.red(`     ${a.package}@${a.version} — ${a.id}: ${a.summary.slice(0, 80)}`));
+          }
+          console.log();
+        }
+        if (vulns.length > 0) {
+          console.log(chalk.yellow(`  ${vulns.length} vulnerability advisory(s):`));
+          for (const a of vulns) {
+            const sev = a.severity === 'critical' ? chalk.red.bold(a.severity) : a.severity === 'high' ? chalk.yellow(a.severity) : chalk.blue(a.severity);
+            console.log(`    ${sev} ${a.package}@${a.version} — ${a.id}`);
+          }
+          console.log();
+        }
+      }
+    } catch (err) {
+      console.error(chalk.red(`  Error: ${err.message}\n`));
+      process.exit(1);
+    }
+  });
+
 // -----------------------------------------------------------------------------
 // SBOM COMMAND
 // -----------------------------------------------------------------------------
@@ -404,6 +466,15 @@ How it works:
 `)
   .action(hooksCommand);
 
+// -----------------------------------------------------------------------------
+// ENV AUDIT COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('env-audit [path]')
+  .description('Credential health check: verify .env coverage, cross-reference source, check git history')
+  .option('--json', 'Output results as JSON')
+  .action(envAuditCommand);
+
 // -----------------------------------------------------------------------------
 // LEGAL COMMAND
 // -----------------------------------------------------------------------------
@@ -430,6 +501,100 @@ program
   .description('Diagnose environment: check Node.js, git, API keys, cache, and dependencies')
   .action(doctorCommand);
 
+// -----------------------------------------------------------------------------
+// AUTOFIX COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('autofix [path]')
+  .description('Apply LLM-generated security fixes from a deep analysis report and open a GitHub PR')
+  .option('--report <file>', 'Path to ship-safe JSON report (default: ship-safe-report.json)')
+  .option('--severity <level>', 'Minimum severity to fix: critical, high, medium (default: high)')
+  .option('--dry-run', 'Preview fixes without applying them or creating a branch')
+  .option('--yes', 'Skip confirmation prompt')
+  .action((targetPath, options) => autofixCommand({ ...options, path: targetPath }));
+
+// -----------------------------------------------------------------------------
+// MEMORY COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('memory [subcommand]')
+  .description('Manage security memory: false-positive learning that auto-suppresses known safe findings')
+  .addHelpText('after', `
+Subcommands:
+  list           Show all suppressed findings in memory (default)
+  forget <key>   Remove a specific entry by key
+  clear          Wipe all memory entries
+
+How it works:
+  When --deep analysis confirms a finding is a false positive, it is added to
+  .ship-safe/memory.json and suppressed automatically on all future scans.
+`)
+  .argument('[args...]')
+  .action((subcommand, args, options) => memoryCommand(subcommand, args, options));
+
+// -----------------------------------------------------------------------------
+// PLAYBOOK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('playbook [subcommand]')
+  .description('Manage scan playbooks: repo-specific context injected into every LLM analysis')
+  .addHelpText('after', `
+Subcommands:
+  show                Show the current playbook (default)
+  add-note "text"     Add a custom note to the playbook
+
+How it works:
+  After 2+ scans, a playbook is auto-generated in .ship-safe/playbook.md with
+  your repo's tech stack, auth patterns, and score history. This is injected
+  into the LLM system prompt so deep analysis is more accurate for your project.
+`)
+  .argument('[args...]')
+  .action((subcommand, args, options) => playbookCommand(subcommand, args, options));
+
+// -----------------------------------------------------------------------------
+// PLUGINS COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('plugins [action]')
+  .description('Manage custom security agent plugins from .ship-safe/agents/')
+  .addHelpText('after', `
+Actions:
+  list              List loaded plugins (default)
+  new <name>        Scaffold a new plugin in .ship-safe/agents/<name>.js
+
+How it works:
+  Drop any .js file into .ship-safe/agents/ that exports a default class
+  extending BaseAgent with an analyze() method. It will be loaded automatically
+  on every audit or watch --deep run.
+`)
+  .action((action, options) => {
+    const rootPath = path.resolve(process.cwd());
+    if (action === 'new') {
+      const pluginName = options.args?.[0] || options._name || 'my-rule';
+      try {
+        const filePath = scaffoldPlugin(rootPath, pluginName);
+        console.log(chalk.green(`  ✔ Plugin scaffolded: ${filePath}`));
+        console.log(chalk.gray('  Edit the file to implement your custom rule, then run ship-safe audit to activate it.'));
+      } catch (err) {
+        console.error(chalk.red(`  Error: ${err.message}`));
+        process.exit(1);
+      }
+    } else {
+      // list
+      const plugins = listPluginFiles(rootPath);
+      if (plugins.length === 0) {
+        console.log('\n  No custom plugins found in .ship-safe/agents/');
+        console.log(chalk.gray('  Create one with: npx ship-safe plugins new my-rule\n'));
+      } else {
+        console.log(`\n  ${chalk.cyan.bold('Custom Plugins')} — ${plugins.length} found\n`);
+        for (const p of plugins) {
+          console.log(`  ${chalk.white(p.name)}  ${chalk.gray(`(${(p.size / 1024).toFixed(1)} KB)  ${p.path}`)}`);
+        }
+        console.log();
+      }
+    }
+  });
+
 // -----------------------------------------------------------------------------
 // PARSE AND RUN
 // -----------------------------------------------------------------------------
@@ -438,10 +603,10 @@ program
 if (process.argv.length === 2) {
   console.log(banner);
   console.log(chalk.yellow('\nQuick start:\n'));
-  console.log(chalk.cyan.bold('  v6.0 — Full Security Audit'));
-  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 18 agents + deps + remediation'));
+  console.log(chalk.cyan.bold('  v8.0 — Ship Safe × Hermes Agent'));
+  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 22 agents + deps + remediation'));
   console.log(chalk.white('  npx ship-safe audit . --deep') + chalk.gray('# LLM-powered taint analysis (Anthropic/Ollama)'));
-  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 18-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 22-agent red team scan (80+ attack classes)'));
   console.log(chalk.white('  npx ship-safe vibe-check .  ') + chalk.gray('# Fun security check with emoji & shareable badge'));
   console.log(chalk.white('  npx ship-safe benchmark .   ') + chalk.gray('# Compare score against industry averages'));
   console.log(chalk.white('  npx ship-safe ci .          ') + chalk.gray('# CI/CD mode: scan, score, exit code'));
@@ -464,9 +629,17 @@ if (process.argv.length === 2) {
   console.log(chalk.white('  npx ship-safe rotate .      ') + chalk.gray('# Revoke exposed keys (provider guides)'));
   console.log(chalk.white('  npx ship-safe deps .        ') + chalk.gray('# Audit dependencies for CVEs'));
   console.log(chalk.white('  npx ship-safe score .       ') + chalk.gray('# Security health score (0-100)'));
+  console.log(chalk.white('  npx ship-safe env-audit .   ') + chalk.gray('# Credential health check (after stripe projects env --pull)'));
   console.log(chalk.white('  npx ship-safe hooks install ') + chalk.gray('# Real-time security gate inside Claude Code (PreToolUse/PostToolUse)'));
   console.log(chalk.white('  npx ship-safe guard         ') + chalk.gray('# Block git push if secrets found'));
   console.log(chalk.white('  npx ship-safe init          ') + chalk.gray('# Add security configs to your project'));
+  console.log();
+  console.log(chalk.gray('  Intelligence commands:'));
+  console.log(chalk.white('  npx ship-safe autofix .     ') + chalk.gray('# Apply LLM fixes from --deep report, open PR'));
+  console.log(chalk.white('  npx ship-safe memory list   ') + chalk.gray('# View / manage false-positive memory'));
+  console.log(chalk.white('  npx ship-safe playbook show ') + chalk.gray('# View repo-specific LLM context playbook'));
+  console.log(chalk.white('  npx ship-safe plugins list  ') + chalk.gray('# Manage custom agent plugins'));
+  console.log(chalk.white('  npx ship-safe watch . --deep --slack ') + chalk.gray('# Guardian mode with Slack alerts + PR comments'));
   console.log(chalk.white('\n  npx ship-safe --help        ') + chalk.gray('# Show all options'));
   console.log();
   process.exit(0);

package/cli/commands/audit.js

@@ -17,7 +17,7 @@ import path from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
 import fg from 'fast-glob';
-import { buildOrchestrator } from '../agents/index.js';
+import { buildOrchestrator, buildOrchestratorAsync } from '../agents/index.js';
 import { LegalRiskAgent } from '../agents/legal-risk-agent.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
@@ -37,8 +37,11 @@ import {
 import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
 import { CacheManager } from '../utils/cache-manager.js';
 import { filterBaseline } from './baseline.js';
+import { SecurityMemory } from '../utils/security-memory.js';
+import { ScanPlaybook } from '../utils/scan-playbook.js';
 import { generatePDF, generatePrintHTML, isChromeAvailable } from '../utils/pdf-generator.js';
 import { SecretsVerifier } from '../utils/secrets-verifier.js';
+import { applyInlineAnnotations } from './autofix.js';
 
 // =============================================================================
 // CONSTANTS
@@ -186,7 +189,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
   }
 
   // ── Phase 2: Agent Scan ───────────────────────────────────────────────────
-  const orchestrator = buildOrchestrator();
+  const orchestrator = await buildOrchestratorAsync(absolutePath, { quiet: true });
   const registeredAgentCount = orchestrator.agents?.length || 15;
   const agentSpinner = machineOutput ? null : ora({ text: chalk.white(`[Phase 2/4] Running ${registeredAgentCount} security agents...`), color: 'cyan' }).start();
   let agentFindings = [];
@@ -278,6 +281,30 @@ export async function auditCommand(targetPath = '.', options = {}) {
     }
   }
 
+  // ── Scan Playbook — update with latest recon + findings ─────────────────
+  try {
+    const playbook = new ScanPlaybook(absolutePath);
+    const suppressedRules = new SecurityMemory(absolutePath).list().map(e => e.rule).filter(Boolean);
+    playbook.update(recon, { score: scoreResult.score, grade: scoreResult.grade?.letter || scoreResult.grade, totalFindings: filteredFindings.length }, filteredFindings, suppressedRules);
+  } catch { /* non-fatal */ }
+
+  // ── Security Memory Filter ──────────────────────────────────────────────
+  // Auto-learn false positives from deep analysis results, then suppress
+  // any finding that memory recognises from a previous scan.
+  const secMemory = new SecurityMemory(absolutePath);
+  if (options.deep) {
+    // After deep analysis ran, learn any new false positives
+    const newFPs = secMemory.learnFromAnalysis(filteredFindings);
+    if (newFPs > 0 && !machineOutput) {
+      console.log(chalk.gray(`  Memory: ${newFPs} new false positive(s) learned and will be suppressed in future scans`));
+    }
+  }
+  const { kept: memFiltered, suppressedCount: memSuppressed } = secMemory.filter(filteredFindings);
+  filteredFindings = memFiltered;
+  if (memSuppressed > 0 && !machineOutput) {
+    console.log(chalk.gray(`  Memory: ${memSuppressed} previously-confirmed false positive(s) suppressed`));
+  }
+
   // Count suppressions (ship-safe-ignore comments)
   const suppressions = countSuppressions(allFiles);
 
@@ -395,6 +422,11 @@ export async function auditCommand(targetPath = '.', options = {}) {
   // ── Build Remediation Plan ────────────────────────────────────────────────
   const remediationPlan = buildRemediationPlan(filteredFindings, depVulns, absolutePath);
 
+  // Skip all output and file generation for inner agentic re-scans
+  if (options._agenticInner) {
+    return { score: scoreResult.score, findings: filteredFindings };
+  }
+
   // ── Output ────────────────────────────────────────────────────────────────
   console.log();
 
@@ -465,9 +497,91 @@ export async function auditCommand(targetPath = '.', options = {}) {
     console.log();
   }
 
+  // ── Agentic Loop (--agentic) ────────────────────────────────────────────
+  // Scan → annotate fixes → re-scan cycle until score >= target or maxIter.
+  // NOTE: process.exit() is deferred until after the loop so all iterations
+  // can run. The inner re-scans use _agenticInner: true to skip process.exit.
+  if (options.agentic && !options._agenticInner) {
+    const maxIter = typeof options.agentic === 'number' ? options.agentic : 3;
+    const targetScore = options.agenticTarget ?? 75;
+    let iteration = 1;
+    let currentScore = scoreResult.score;
+    let currentFindings = filteredFindings;
+
+    if (!machineOutput) {
+      console.log();
+      console.log(chalk.cyan.bold(`  Agentic mode: scan→fix→verify loop (max ${maxIter} iterations, target score: ${targetScore})`));
+    }
+
+    while (currentScore < targetScore && iteration <= maxIter) {
+      if (!machineOutput) {
+        console.log(chalk.cyan(`\n  ─── Agentic iteration ${iteration}/${maxIter} (current score: ${currentScore}) ───`));
+      }
+
+      const actionable = currentFindings.filter(f => f.fix && f.severity !== 'low');
+      if (actionable.length === 0) {
+        if (!machineOutput) console.log(chalk.gray('  No auto-fixable findings — stopping agentic loop.'));
+        break;
+      }
+
+      // Delegate annotation to autofix module (handles comment style, idempotency, NEVER_EDIT list)
+      const fixCount = applyInlineAnnotations(actionable);
+      if (!machineOutput) {
+        console.log(chalk.yellow(`  Annotated ${fixCount} finding(s). Re-scanning...`));
+      }
+      if (fixCount === 0) break;
+
+      // Re-scan without recursing into the agentic loop or calling process.exit
+      const innerResult = await runAuditInner(targetPath, {
+        ...options,
+        agentic: false,
+        _agenticInner: true,
+        json: false,
+        sarif: false,
+        csv: false,
+        md: false,
+        html: false,
+        pdf: false,
+        quiet: true,
+      });
+
+      const prevScore = currentScore;
+      currentScore = innerResult?.score ?? currentScore;
+      currentFindings = innerResult?.findings ?? currentFindings;
+
+      if (!machineOutput) {
+        const diff = currentScore - prevScore;
+        const arrow = diff > 0 ? chalk.green(`↑ +${diff.toFixed(1)}`) : diff < 0 ? chalk.red(`↓ ${diff.toFixed(1)}`) : chalk.gray('→ 0');
+        console.log(chalk.cyan(`  Re-scan score: ${currentScore} ${arrow}`));
+      }
+
+      iteration++;
+    }
+
+    if (!machineOutput) {
+      if (currentScore >= targetScore) {
+        console.log(chalk.green.bold(`\n  Agentic loop complete — target score ${targetScore} reached (${currentScore}).`));
+      } else {
+        console.log(chalk.yellow(`\n  Agentic loop stopped after ${iteration - 1} iteration(s). Final score: ${currentScore}`));
+      }
+    }
+  }
+
   process.exit(scoreResult.score >= 75 ? 0 : 1);
 }
 
+/**
+ * Run a lightweight inner audit that returns { score, findings } without
+ * calling process.exit(). Used exclusively by the --agentic loop.
+ */
+async function runAuditInner(targetPath, options) {
+  try {
+    return await auditCommand(targetPath, options);
+  } catch {
+    return null;
+  }
+}
+
 // =============================================================================
 // REMEDIATION PLAN BUILDER
 // =============================================================================