ship-safe 9.1.0 → 9.1.2

package/cli/commands/team-report.js

@@ -0,0 +1,415 @@
+/**
+ * Team Report Command
+ * ====================
+ *
+ * Converts raw Hermes Agent team output into a professional Ship Safe report.
+ * Strips ANSI codes and terminal chrome, parses structured FINDING: lines,
+ * and renders everything through Ship Safe's HTML reporter.
+ *
+ * USAGE:
+ *   ship-safe team-report                     Read from stdin (pipe Hermes output)
+ *   ship-safe team-report output.txt          Read from file
+ *   ship-safe team-report output.txt --html   Save as HTML
+ *   ship-safe team-report output.txt --json   JSON output
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import * as output from '../utils/output.js';
+import { printBanner } from '../utils/output.js';
+
+// =============================================================================
+// ANSI + TERMINAL NOISE STRIPPING
+// =============================================================================
+
+function stripAnsi(str) {
+  // Remove all ANSI escape sequences (colors, cursor moves, clears, etc.)
+  return str
+    .replace(/\x1b\[[0-9;?]*[A-Za-z]/g, '')
+    .replace(/\x1b\][^\x07]*\x07/g, '')
+    .replace(/\x1b[()][AB012]/g, '')
+    .replace(/\x9b[0-9;]*[A-Za-z]/g, '');
+}
+
+function stripHermesChrome(text) {
+  const lines = text.split('\n');
+  const cleaned = [];
+  let inSplash = false;
+
+  for (const line of lines) {
+    const t = line.trim();
+
+    // Skip the Hermes splash box (╭─ ... ─╮ ... ╰─ ... ─╯)
+    if (t.startsWith('╭─') || t.startsWith('╰─')) { inSplash = !inSplash; continue; }
+    if (inSplash) continue;
+
+    // Skip raw system prompt instructions leaked into output
+    if (t.startsWith('EXACTLY this format') || t.startsWith('FINDING: {"severity"')) continue;
+    if (t.match(/^─{10,}$/)) continue;
+
+    // Skip Hermes warning lines
+    if (t.startsWith('⚠') && t.includes('hermes')) continue;
+    if (t.startsWith('⚠') && t.includes('OPENROUTER')) continue;
+    if (t.startsWith('⚠') && (t.includes('API call failed') || t.includes('credits'))) continue;
+    if (t.startsWith('⏱') || t.startsWith('❌')) continue;
+
+    // Skip terminal screen-clear sequences
+    if (t === '[2J' || t === '[H' || t === '[2J[H') continue;
+
+    cleaned.push(line);
+  }
+
+  return cleaned.join('\n');
+}
+
+// =============================================================================
+// FINDING PARSER
+// =============================================================================
+
+function parseFindings(text) {
+  const findings = [];
+  const findingRegex = /^FINDING:\s*(\{.+\})\s*$/gm;
+  let match;
+
+  while ((match = findingRegex.exec(text)) !== null) {
+    try {
+      const f = JSON.parse(match[1]);
+      if (f.severity && f.title) findings.push(f);
+    } catch { /* skip malformed */ }
+  }
+
+  return findings;
+}
+
+// =============================================================================
+// AGENT SECTION PARSER
+// =============================================================================
+
+function parseAgentSections(text) {
+  const sections = [];
+  // Matches: ### Agent Name (Role) — N finding(s)
+  const sectionRegex = /###\s+(.+?)\s*(?:\(([^)]+)\))?\s*[—–-]+\s*(\d+)\s*finding/gi;
+  let match;
+
+  while ((match = sectionRegex.exec(text)) !== null) {
+    sections.push({
+      name: match[1].trim(),
+      role: match[2]?.trim() || '',
+      count: parseInt(match[3], 10),
+    });
+  }
+
+  // Also collect bullet findings under each section
+  const bulletRegex = /\[(CRITICAL|HIGH|MEDIUM|LOW|INFO)\]\s+(.+?)\s*[—–-]+\s*(.+)/gi;
+  const bullets = [];
+  while ((match = bulletRegex.exec(text)) !== null) {
+    bullets.push({
+      severity: match[1].toLowerCase(),
+      title: match[2].trim(),
+      location: match[3].trim(),
+    });
+  }
+
+  return { sections, bullets };
+}
+
+// =============================================================================
+// SYNTHESIS PARSER
+// =============================================================================
+
+function parseSynthesis(text) {
+  // Extract the Hermes synthesis block (inside ╭─ ⚕ Hermes ─╮ ... ╰─╯)
+  // After stripping chrome, look for the summary block
+  const lines = text.split('\n');
+  const synthesisLines = [];
+  let capturing = false;
+
+  for (const line of lines) {
+    const t = line.trim();
+
+    // The synthesis is the content after the agent section summary and before errors
+    if (t.match(/^Overall risk posture:/i)) { capturing = true; }
+    if (capturing) {
+      if (t.startsWith('⚠') || t.startsWith('❌') || t.startsWith('⏱')) break;
+      synthesisLines.push(line);
+    }
+  }
+
+  // Also look for risk posture statement
+  const riskMatch = text.match(/Overall risk posture:\s*(.+)/i);
+  const riskPosture = riskMatch ? riskMatch[1].trim() : null;
+
+  // Parse roadmap sections
+  const immediateMatch = text.match(/\*\*Immediate[^*]*\*\*:?\s*([^\n]+(?:\n(?!\*\*)[^\n]+)*)/i);
+  const shortTermMatch = text.match(/\*\*Short-term[^*]*\*\*:?\s*([^\n]+(?:\n(?!\*\*)[^\n]+)*)/i);
+  const longTermMatch  = text.match(/\*\*Long-term[^*]*\*\*:?\s*([^\n]+(?:\n(?!\*\*)[^\n]+)*)/i);
+
+  return {
+    riskPosture,
+    synthesis: synthesisLines.join('\n').trim(),
+    roadmap: {
+      immediate: immediateMatch?.[1]?.trim() || null,
+      shortTerm: shortTermMatch?.[1]?.trim() || null,
+      longTerm:  longTermMatch?.[1]?.trim()  || null,
+    },
+  };
+}
+
+// =============================================================================
+// TARGET PARSER
+// =============================================================================
+
+function parseTarget(text) {
+  const match = text.match(/assessments?\s+of\s+\*\*([^*]+)\*\*/i);
+  return match ? match[1].trim() : 'Unknown Target';
+}
+
+// =============================================================================
+// HTML RENDERER
+// =============================================================================
+
+function generateHTML(target, findings, agentSections, synthesis, bullets) {
+  const date = new Date().toLocaleDateString('en-US', {
+    year: 'numeric', month: 'long', day: 'numeric', hour: '2-digit', minute: '2-digit',
+  });
+
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
+
+  // Merge FINDING: JSON lines with bullet-parsed findings (bullets are fallback)
+  const allFindings = findings.length > 0 ? findings : bullets.map(b => ({
+    severity: b.severity,
+    title: b.title,
+    location: b.location,
+    remediation: '',
+  }));
+
+  // Recalculate counts from allFindings
+  const sevCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of allFindings) sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+
+  const riskColor = (rp) => {
+    if (!rp) return '#94a3b8';
+    const lc = rp.toLowerCase();
+    if (lc.includes('critical')) return '#dc2626';
+    if (lc.includes('high')) return '#f97316';
+    if (lc.includes('medium')) return '#eab308';
+    return '#22c55e';
+  };
+
+  const sevColors = { critical: '#dc2626', high: '#f97316', medium: '#eab308', low: '#3b82f6', info: '#94a3b8' };
+
+  const findingRows = allFindings.map(f => `
+    <tr>
+      <td><span class="sev sev-${f.severity}">${f.severity.toUpperCase()}</span></td>
+      <td><code>${f.location || '—'}</code></td>
+      <td><strong>${f.title}</strong>${f.cve ? `<br><small>CVE: ${f.cve}</small>` : ''}</td>
+      <td><small>${f.remediation || '—'}</small></td>
+    </tr>`).join('');
+
+  const agentRows = agentSections.sections.map(s => `
+    <tr>
+      <td>${s.name}</td>
+      <td><code>${s.role || '—'}</code></td>
+      <td style="color:${s.count > 0 ? '#f97316' : '#22c55e'}">${s.count}</td>
+    </tr>`).join('');
+
+  const roadmap = synthesis.roadmap;
+  const roadmapHTML = (roadmap.immediate || roadmap.shortTerm || roadmap.longTerm) ? `
+    <h2>Remediation Roadmap</h2>
+    <table>
+      <tbody>
+        ${roadmap.immediate ? `<tr><td style="color:#dc2626;white-space:nowrap;font-weight:600">⚡ Immediate (24–48h)</td><td>${roadmap.immediate}</td></tr>` : ''}
+        ${roadmap.shortTerm ? `<tr><td style="color:#f97316;white-space:nowrap;font-weight:600">📅 Short-term (1–2 weeks)</td><td>${roadmap.shortTerm}</td></tr>` : ''}
+        ${roadmap.longTerm  ? `<tr><td style="color:#eab308;white-space:nowrap;font-weight:600">🏗 Long-term (1–3 months)</td><td>${roadmap.longTerm}</td></tr>` : ''}
+      </tbody>
+    </table>` : '';
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Ship Safe Team Report — ${target}</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0f172a;color:#e2e8f0;padding:2rem}
+.container{max-width:1100px;margin:0 auto}
+.header{display:flex;align-items:center;gap:1rem;margin-bottom:2rem}
+.logo{font-size:1.5rem;font-weight:800;color:#38bdf8;letter-spacing:-1px}
+.badge{background:#1e293b;padding:3px 10px;border-radius:20px;font-size:0.75rem;color:#94a3b8;border:1px solid #334155}
+h1{font-size:1.8rem;font-weight:700;color:#f1f5f9;margin-bottom:0.25rem}
+h2{font-size:1.1rem;font-weight:600;margin:2rem 0 1rem;color:#94a3b8;border-bottom:1px solid #1e293b;padding-bottom:0.5rem;text-transform:uppercase;letter-spacing:0.05em}
+.meta{color:#64748b;font-size:0.85rem;margin-bottom:2rem}
+.risk-card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:1.5rem 2rem;margin-bottom:2rem;display:flex;align-items:center;gap:1.5rem}
+.risk-label{font-size:0.75rem;text-transform:uppercase;color:#64748b;margin-bottom:0.25rem}
+.risk-value{font-size:1.5rem;font-weight:700}
+.risk-desc{color:#94a3b8;font-size:0.9rem;flex:1}
+.stats{display:grid;grid-template-columns:repeat(5,1fr);gap:0.75rem;margin-bottom:2rem}
+.stat{background:#1e293b;padding:1.25rem;border-radius:8px;text-align:center;border:1px solid #334155}
+.stat-number{font-size:2rem;font-weight:bold}
+.stat-label{color:#64748b;font-size:0.75rem;margin-top:0.25rem;text-transform:uppercase}
+table{width:100%;border-collapse:collapse;background:#1e293b;border-radius:8px;overflow:hidden;margin-bottom:2rem;border:1px solid #334155}
+th{background:#334155;text-align:left;padding:0.75rem 1rem;font-size:0.75rem;text-transform:uppercase;color:#94a3b8;font-weight:600;letter-spacing:0.05em}
+td{padding:0.75rem 1rem;border-top:1px solid #0f172a;font-size:0.85rem;vertical-align:top}
+tr:hover{background:#263248}
+code{background:#0f172a;padding:2px 6px;border-radius:4px;font-size:0.8rem;color:#38bdf8;word-break:break-all}
+small{color:#64748b}
+.sev{padding:2px 8px;border-radius:4px;font-size:0.7rem;font-weight:700;text-transform:uppercase;letter-spacing:0.05em}
+.sev-critical{background:#dc262622;color:#fca5a5;border:1px solid #dc262644}
+.sev-high{background:#f9731622;color:#fdba74;border:1px solid #f9731644}
+.sev-medium{background:#eab30822;color:#fde047;border:1px solid #eab30844}
+.sev-low{background:#3b82f622;color:#93c5fd;border:1px solid #3b82f644}
+.sev-info{background:#94a3b822;color:#cbd5e1;border:1px solid #94a3b844}
+.empty{text-align:center;color:#22c55e;padding:2rem}
+.footer{text-align:center;color:#334155;margin-top:3rem;padding-top:1.5rem;border-top:1px solid #1e293b;font-size:0.8rem}
+.powered{color:#38bdf8}
+</style>
+</head>
+<body>
+<div class="container">
+
+  <div class="header">
+    <span class="logo">Ship Safe</span>
+    <span class="badge">Team Security Report</span>
+    <span class="badge">Powered by Hermes Agent</span>
+  </div>
+
+  <h1>${target}</h1>
+  <p class="meta">Generated ${date} · ${allFindings.length} finding${allFindings.length !== 1 ? 's' : ''} · ${agentSections.sections.length} agent${agentSections.sections.length !== 1 ? 's' : ''}</p>
+
+  ${synthesis.riskPosture ? `
+  <div class="risk-card">
+    <div>
+      <div class="risk-label">Overall Risk Posture</div>
+      <div class="risk-value" style="color:${riskColor(synthesis.riskPosture)}">${synthesis.riskPosture.split('—')[0].trim()}</div>
+    </div>
+    <div class="risk-desc">${synthesis.riskPosture.includes('—') ? synthesis.riskPosture.split('—').slice(1).join('—').trim() : ''}</div>
+  </div>` : ''}
+
+  <div class="stats">
+    <div class="stat"><div class="stat-number" style="color:#dc2626">${sevCounts.critical}</div><div class="stat-label">Critical</div></div>
+    <div class="stat"><div class="stat-number" style="color:#f97316">${sevCounts.high}</div><div class="stat-label">High</div></div>
+    <div class="stat"><div class="stat-number" style="color:#eab308">${sevCounts.medium}</div><div class="stat-label">Medium</div></div>
+    <div class="stat"><div class="stat-number" style="color:#3b82f6">${sevCounts.low}</div><div class="stat-label">Low</div></div>
+    <div class="stat"><div class="stat-number" style="color:#94a3b8">${sevCounts.info}</div><div class="stat-label">Info</div></div>
+  </div>
+
+  <h2>Findings</h2>
+  <table>
+    <thead><tr><th>Severity</th><th>Location</th><th>Issue</th><th>Remediation</th></tr></thead>
+    <tbody>${findingRows || '<tr><td colspan="4" class="empty">No findings — clean!</td></tr>'}</tbody>
+  </table>
+
+  ${agentSections.sections.length > 0 ? `
+  <h2>Agent Team Summary</h2>
+  <table>
+    <thead><tr><th>Agent</th><th>Role</th><th>Findings</th></tr></thead>
+    <tbody>${agentRows}</tbody>
+  </table>` : ''}
+
+  ${roadmapHTML}
+
+  <div class="footer">
+    Secured by <span class="powered">Ship Safe</span> · shipsafecli.com · <code>npx ship-safe red-team .</code>
+  </div>
+</div>
+</body>
+</html>`;
+}
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function teamReportCommand(inputFile, options = {}) {
+  let raw;
+
+  if (inputFile) {
+    if (!fs.existsSync(inputFile)) {
+      output.error(`File not found: ${inputFile}`);
+      process.exit(1);
+    }
+    raw = fs.readFileSync(inputFile, 'utf-8');
+  } else {
+    // Read from stdin
+    raw = fs.readFileSync('/dev/stdin', 'utf-8');
+  }
+
+  // Clean the input
+  const stripped = stripAnsi(raw);
+  const cleaned  = stripHermesChrome(stripped);
+
+  // Parse
+  const target       = parseTarget(stripped);
+  const findings     = parseFindings(cleaned);
+  const agentSections = parseAgentSections(cleaned);
+  const synthesis    = parseSynthesis(cleaned);
+
+  const allFindings = findings.length > 0 ? findings : agentSections.bullets.map(b => ({
+    severity: b.severity,
+    title: b.title,
+    location: b.location,
+    remediation: '',
+  }));
+
+  if (options.json) {
+    console.log(JSON.stringify({ target, findings: allFindings, agentSections: agentSections.sections, synthesis }, null, 2));
+    return;
+  }
+
+  if (options.html !== undefined) {
+    const htmlPath = typeof options.html === 'string' ? options.html : 'team-report.html';
+    const html = generateHTML(target, findings, agentSections, synthesis, agentSections.bullets);
+    fs.writeFileSync(htmlPath, html, 'utf-8');
+    output.success(`Team report saved to ${htmlPath}`);
+    return;
+  }
+
+  // Terminal output
+  printBanner();
+  console.log(chalk.cyan.bold('  Team Security Report'));
+  console.log(chalk.gray(`  Target: ${target}`));
+  console.log();
+
+  if (synthesis.riskPosture) {
+    const rp = synthesis.riskPosture;
+    const color = rp.toLowerCase().includes('critical') ? chalk.red.bold
+      : rp.toLowerCase().includes('high') ? chalk.yellow.bold
+      : rp.toLowerCase().includes('medium') ? chalk.yellow
+      : chalk.green;
+    console.log(`  ${chalk.white.bold('Risk Posture:')} ${color(rp)}`);
+    console.log();
+  }
+
+  const sevColor = { critical: chalk.red.bold, high: chalk.yellow, medium: chalk.blue, low: chalk.gray, info: chalk.gray };
+  for (const f of allFindings) {
+    const col = sevColor[f.severity] || chalk.white;
+    console.log(`  ${col(`[${f.severity.toUpperCase()}]`.padEnd(11))} ${chalk.white(f.title)}`);
+    if (f.location) console.log(`  ${' '.repeat(11)} ${chalk.gray(f.location)}`);
+    if (f.remediation) console.log(`  ${' '.repeat(11)} ${chalk.green('Fix:')} ${f.remediation.slice(0, 90)}`);
+  }
+
+  if (allFindings.length === 0) {
+    console.log(chalk.green('  No findings — clean!'));
+  }
+
+  console.log();
+  if (synthesis.roadmap.immediate) {
+    console.log(chalk.red.bold('  ⚡ Immediate (24–48h):'));
+    console.log(chalk.gray(`     ${synthesis.roadmap.immediate}`));
+  }
+  if (synthesis.roadmap.shortTerm) {
+    console.log(chalk.yellow.bold('  📅 Short-term (1–2 weeks):'));
+    console.log(chalk.gray(`     ${synthesis.roadmap.shortTerm}`));
+  }
+  if (synthesis.roadmap.longTerm) {
+    console.log(chalk.white.bold('  🏗  Long-term (1–3 months):'));
+    console.log(chalk.gray(`     ${synthesis.roadmap.longTerm}`));
+  }
+
+  console.log();
+  console.log(chalk.gray('  Generate HTML report: ') + chalk.cyan(`ship-safe team-report ${inputFile || '<file>'} --html report.html`));
+  console.log();
+}

package/cli/commands/watch.js

@@ -50,6 +50,11 @@ export async function watchCommand(targetPath = '.', options = {}) {
     return watchConfigs(absolutePath);
   }
 
+  // Stateful mode: persistent K2.6 session (subset of deep)
+  if (options.stateful) {
+    return watchStateful(absolutePath, options);
+  }
+
   // Deep mode: run full orchestrator on changes
   if (options.deep) {
     return watchDeep(absolutePath, options);
@@ -289,6 +294,135 @@ function showWatchStatus(rootPath) {
 // DEEP WATCH MODE (full orchestrator)
 // =============================================================================
 
+async function watchStateful(absolutePath, options = {}) {
+  const { StatefulWatcher } = await import('../agents/stateful-watcher.js');
+  const { ReconAgent } = await import('../agents/recon-agent.js');
+
+  const debounceMs = options.debounce || 2000;
+  const scoringEngine = new ScoringEngine();
+
+  console.log();
+  output.header('Ship Safe — Stateful Watch Mode (Kimi K2.6)');
+  console.log();
+  console.log(chalk.cyan('  Persistent security session — context builds over time'));
+  console.log(chalk.gray(`  Debounce: ${debounceMs}ms`));
+  console.log(chalk.gray('  Press Ctrl+C to stop'));
+  console.log();
+
+  const watcher = StatefulWatcher.create(absolutePath, {
+    provider: options.provider || 'kimi',
+    model: options.model || 'kimi-k2.6',
+    verbose: options.verbose,
+  });
+
+  if (!watcher) {
+    output.error('Stateful watch requires MOONSHOT_API_KEY. Set it and retry.');
+    process.exit(1);
+  }
+
+  // Prime session with baseline
+  const reconAgent = new ReconAgent();
+  console.log(chalk.gray('  Building baseline...'));
+  let recon;
+  try {
+    const reconResult = await reconAgent.analyze({ rootPath: absolutePath });
+    recon = Array.isArray(reconResult) ? {} : reconResult;
+  } catch { recon = {}; }
+  const files = await reconAgent.discoverFiles(absolutePath);
+  await watcher.setBaseline(recon, files);
+  console.log(chalk.green(`  Baseline set (${watcher.provider.name} / ${watcher.provider.model}). Watching...\n`));
+
+  let pendingFiles = new Set();
+  let debounceTimer = null;
+  let allFindings = [];
+
+  const dbDir = path.join(absolutePath, WATCH_DB_DIR);
+  const dbFile = path.join(dbDir, WATCH_DB_FILE);
+
+  const processChanges = async () => {
+    const changedFiles = [...pendingFiles];
+    pendingFiles.clear();
+    if (changedFiles.length === 0) return;
+
+    const timestamp = new Date().toLocaleTimeString();
+    console.log(chalk.gray(`  [${timestamp}] ${changedFiles.length} file(s) changed — stateful scan...`));
+
+    try {
+      const newFindings = await watcher.analyzeChanges(changedFiles);
+
+      if (newFindings.length === 0) {
+        console.log(chalk.green(`  [${timestamp}] ✔ Clean\n`));
+      } else {
+        allFindings = allFindings.concat(newFindings);
+        const scoreResult = scoringEngine.compute(allFindings);
+        const scoreColor = scoreResult.score >= 75 ? chalk.cyan : scoreResult.score >= 50 ? chalk.yellow : chalk.red;
+        console.log(`  [${timestamp}] ${chalk.white(`${newFindings.length} new finding(s)`)}: Score ${scoreColor(`${scoreResult.score}/100`)}`);
+        for (const f of newFindings.filter(f => f.severity === 'critical' || f.severity === 'high')) {
+          const relFile = path.relative(absolutePath, f.file || '');
+          const sev = f.severity === 'critical' ? chalk.red.bold('!!') : chalk.yellow(' !');
+          console.log(`    ${sev} ${f.title} — ${relFile}:${f.line}`);
+        }
+        console.log('');
+
+        // Persist
+        try {
+          if (!fs.existsSync(dbDir)) fs.mkdirSync(dbDir, { recursive: true });
+          const stats = watcher.getStats();
+          fs.writeFileSync(dbFile, JSON.stringify({
+            mode: 'stateful',
+            lastScan: new Date().toISOString(),
+            scanCount: stats.scanCount,
+            provider: stats.provider,
+            model: stats.model,
+            findings: allFindings.map(f => ({
+              file: path.relative(absolutePath, f.file || ''),
+              line: f.line,
+              severity: f.severity,
+              rule: f.rule,
+              title: f.title,
+            })),
+          }, null, 2));
+        } catch { /* non-fatal */ }
+      }
+    } catch (err) {
+      console.log(chalk.red(`  [${timestamp}] Scan error: ${err.message}\n`));
+    }
+  };
+
+  try {
+    const fsWatcher = fs.watch(absolutePath, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+      const relPath = filename.replace(/\\/g, '/');
+      for (const skipDir of SKIP_DIRS) {
+        if (relPath.includes(`${skipDir}/`)) return;
+      }
+      const ext = path.extname(filename).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) return;
+      if (SKIP_FILENAMES.has(path.basename(filename))) return;
+      if (filename.endsWith('.min.js') || filename.endsWith('.min.css')) return;
+
+      const fullPath = path.join(absolutePath, filename);
+      if (!fs.existsSync(fullPath)) return;
+
+      pendingFiles.add(fullPath);
+      if (debounceTimer) clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(processChanges, debounceMs);
+    });
+
+    process.on('SIGINT', () => {
+      fsWatcher.close();
+      const stats = watcher.getStats();
+      console.log(`\n  Stateful watch stopped. ${stats.scanCount} scan(s), ${allFindings.length} total finding(s).\n`);
+      process.exit(0);
+    });
+
+    setInterval(() => {}, 1000 * 60 * 60);
+  } catch (err) {
+    output.error(`Stateful watch failed: ${err.message}`);
+    process.exit(1);
+  }
+}
+
 async function watchDeep(absolutePath, options = {}) {
   const { buildOrchestratorAsync } = await import('../agents/index.js');
   const { ReconAgent } = await import('../agents/recon-agent.js');

package/cli/providers/llm-provider.js

@@ -360,10 +360,13 @@ const OPENAI_COMPATIBLE_PRESETS = {
   together:   { baseUrl: 'https://api.together.xyz/v1/chat/completions',             model: 'meta-llama/Llama-3-70b-chat-hf', envKey: 'TOGETHER_API_KEY' },
   mistral:    { baseUrl: 'https://api.mistral.ai/v1/chat/completions',               model: 'mistral-large-latest',       envKey: 'MISTRAL_API_KEY' },
   cohere:     { baseUrl: 'https://api.cohere.com/compatibility/v1/chat/completions', model: 'command-r-plus',             envKey: 'COHERE_API_KEY' },
-  deepseek:   { baseUrl: 'https://api.deepseek.com/v1/chat/completions',             model: 'deepseek-chat',              envKey: 'DEEPSEEK_API_KEY' },
+  deepseek:   { baseUrl: 'https://api.deepseek.com/v1/chat/completions',             model: 'deepseek-v4-pro',            envKey: 'DEEPSEEK_API_KEY' },
+  'deepseek-flash': { baseUrl: 'https://api.deepseek.com/v1/chat/completions',      model: 'deepseek-v4-flash',          envKey: 'DEEPSEEK_API_KEY' },
   perplexity: { baseUrl: 'https://api.perplexity.ai/chat/completions',               model: 'llama-3.1-sonar-large-128k-online', envKey: 'PERPLEXITY_API_KEY' },
   lmstudio:   { baseUrl: 'http://localhost:1234/v1/chat/completions',                model: null,                         envKey: null },
   xai:        { baseUrl: 'https://api.x.ai/v1/chat/completions',                    model: 'grok-3-mini',                envKey: 'XAI_API_KEY' },
+  kimi:       { baseUrl: 'https://api.moonshot.ai/v1/chat/completions',             model: 'kimi-k2.6',                  envKey: 'MOONSHOT_API_KEY' },
+  moonshot:   { baseUrl: 'https://api.moonshot.ai/v1/chat/completions',             model: 'kimi-k2.6',                  envKey: 'MOONSHOT_API_KEY' },
   // Gemma 4 via Ollama — runs fully local, no API key required
   // e4b: MoE 4B active params, ~8GB RAM;  27b: dense, ~20GB RAM
   gemma4:     { baseUrl: 'http://localhost:11434/v1/chat/completions',               model: 'gemma4:e4b',                 envKey: null },
@@ -375,6 +378,90 @@ class OpenAICompatibleProvider extends OpenAIProvider {
     super(apiKey, options);
     this.name = name;
   }
+
+  /** Models known to support OpenAI function calling reliably */
+  get supportsStructuredOutput() {
+    return /kimi|moonshot|gpt-4|grok|deepseek|mistral-large/i.test(this.model || '');
+  }
+
+  async complete(systemPrompt, userPrompt, options = {}) {
+    const body = {
+      model: options.model || this.model,
+      max_tokens: options.maxTokens || 2048,
+      messages: [
+        { role: 'system', content: systemPrompt },
+        { role: 'user', content: userPrompt },
+      ],
+    };
+    if (options.jsonMode) body.response_format = { type: 'json_object' };
+
+    const response = await fetch(this.baseUrl, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${this.apiKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (!response.ok) {
+      const errBody = await response.text().catch(() => '');
+      throw new Error(`${this.name} API error: HTTP ${response.status} ${errBody.slice(0, 200)}`);
+    }
+
+    const data = await response.json();
+    const msg = data.choices?.[0]?.message;
+    // Kimi K2.6 thinking mode: actual answer in `content`; `reasoning_content` is internal thinking only
+    // With jsonMode, rely only on content (json_object format guarantees it); otherwise fall back to reasoning
+    if (options.jsonMode) return msg?.content || '';
+    return msg?.content || msg?.reasoning_content || '';
+  }
+
+  /**
+   * Complete with structured output via OpenAI tool-use format.
+   * Used by DeepAnalyzer multi-tier pipeline on non-Anthropic providers.
+   */
+  async completeWithTools(systemPrompt, userPrompt, toolName, inputSchema, options = {}) {
+    const response = await fetch(this.baseUrl, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${this.apiKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        model: options.model || this.model,
+        max_tokens: options.maxTokens || 2048,
+        messages: [
+          { role: 'system', content: systemPrompt },
+          { role: 'user', content: userPrompt },
+        ],
+        tools: [{
+          type: 'function',
+          function: {
+            name: toolName,
+            description: `Report ${toolName} results`,
+            parameters: inputSchema,
+          },
+        }],
+        tool_choice: 'required',
+      }),
+    });
+
+    if (!response.ok) {
+      const body = await response.text().catch(() => '');
+      throw new Error(`${this.name} API error: HTTP ${response.status} ${body.slice(0, 200)}`);
+    }
+
+    const data = await response.json();
+    const toolCall = data.choices?.[0]?.message?.tool_calls?.[0];
+    if (!toolCall) return null;
+
+    try {
+      return JSON.parse(toolCall.function.arguments);
+    } catch {
+      return null;
+    }
+  }
 }
 
 // =============================================================================
@@ -439,7 +526,7 @@ export function createProvider(provider, apiKey, options = {}) {
   throw new Error(
     `Unknown LLM provider: "${provider}".\n` +
     `Built-in: anthropic, openai, google, ollama\n` +
-    `Presets:  groq, together, mistral, cohere, deepseek, perplexity, lmstudio, xai\n` +
+    `Presets:  groq, together, mistral, cohere, deepseek, deepseek-flash, perplexity, lmstudio, xai, kimi\n` +
     `Custom:   pass any name with --base-url <url>`
   );
 }
@@ -480,6 +567,8 @@ export function autoDetectProvider(rootPath, options = {}) {
     MISTRAL_API_KEY:   'mistral',
     DEEPSEEK_API_KEY:  'deepseek',
     XAI_API_KEY:       'xai',
+    MOONSHOT_API_KEY:  'kimi',
+    KIMI_API_KEY:      'kimi',
   };
 
   for (const [envVar, providerName] of Object.entries(envKeys)) {