vaspera 2.5.0 → 2.8.0

package/CHANGELOG.md

@@ -5,6 +5,68 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.8.0] - 2026-04-29
+
+### Added
+
+#### Agent Batch Submit Tool
+- New `agent_batch_submit` tool for submitting findings from subagent JSON output
+- Solves MCP permission issues when certification agents run as subagents
+- Accepts array of findings and optional summary in one call
+- Updated certification command docs to recommend batch submit
+
+### Fixed
+
+#### CI/CD Improvements
+- Lazy Stripe initialization to allow builds without `STRIPE_SECRET_KEY`
+- Fixed TypeScript test timeout for CI environments
+- Synced package-lock.json for CI compatibility
+
+## [2.7.0] - 2026-04-26
+
+### Added
+
+#### Plan Enforcement
+- New plan-limits system for free/pro/enterprise tiers
+- Certification monthly limits enforced at API level
+- Agent count limits based on subscription plan
+- Compliance framework access gating (SOC2 free, HIPAA/NIST pro+)
+- 403 responses with `PLAN_LIMIT_EXCEEDED` code and upgrade prompts
+
+#### Plan Limits
+
+| Limit | Free | Pro | Enterprise |
+|-------|------|-----|------------|
+| Certifications/month | 3 | 50 | Unlimited |
+| Projects | 2 | 20 | Unlimited |
+| Agents | 3 | 7 | All |
+| Frameworks | SOC2 | SOC2, HIPAA, NIST | All |
+| Red team | ❌ | ❌ | ✓ |
+
+## [2.6.0] - 2026-04-26
+
+### Added
+
+#### Test Coverage
+- 147 new tests across 5 test files
+- `agent-integrity.test.ts` - Consensus analysis and outlier detection
+- `agent-privacy.test.ts` - PII detection with Luhn validation
+- `otel.test.ts` - OpenTelemetry metrics and tracing
+- `loader.test.ts` - Plugin registry and sandboxed execution
+- `flags.test.ts` - Feature flags and config loading
+
+#### Feature Flags System
+- New `.vaspera/config.yaml` configuration format
+- Per-agent weights and model selection
+- Per-scanner timeouts and custom rules
+- Feature toggles for multiModel, costTracking, autofix, etc.
+
+#### Plugin System
+- Scanner plugin architecture with manifest schema
+- Local plugins from `.vaspera/plugins/`
+- npm plugins from `vaspera-scanner-*` packages
+- Sandboxed execution in child processes
+
 ## [2.5.0] - 2026-04-24
 
 ### Added

package/dist/agents/adversary/config.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Adversary Agent - Configuration
+ *
+ * Default configurations and model settings for the adversary agent.
+ *
+ * @module agents/adversary/config
+ */
+import type { AdversaryConfig, AdversaryModel, AggressivenessLevel, AttackFocusArea } from "./types.js";
+/**
+ * Default configuration for passive analysis
+ */
+export declare const PASSIVE_CONFIG: Partial<AdversaryConfig>;
+/**
+ * Default configuration for active analysis
+ */
+export declare const ACTIVE_CONFIG: Partial<AdversaryConfig>;
+/**
+ * Default configuration for aggressive analysis
+ */
+export declare const AGGRESSIVE_CONFIG: Partial<AdversaryConfig>;
+/**
+ * All attack focus areas
+ */
+export declare const ALL_FOCUS_AREAS: AttackFocusArea[];
+/**
+ * Web-focused attack areas
+ */
+export declare const WEB_FOCUS_AREAS: AttackFocusArea[];
+/**
+ * LLM/AI-focused attack areas
+ */
+export declare const LLM_FOCUS_AREAS: AttackFocusArea[];
+/**
+ * Infrastructure-focused attack areas
+ */
+export declare const INFRA_FOCUS_AREAS: AttackFocusArea[];
+/**
+ * Model pricing per million tokens (as of 2026)
+ */
+export declare const MODEL_PRICING: Record<AdversaryModel, {
+    input: number;
+    output: number;
+}>;
+/**
+ * Model capabilities
+ */
+export declare const MODEL_CAPABILITIES: Record<AdversaryModel, {
+    contextWindow: number;
+    maxOutputTokens: number;
+    bestFor: string[];
+}>;
+/**
+ * Get model for plan tier
+ */
+export declare function getModelForTier(tier: "free" | "pro" | "enterprise"): AdversaryModel | null;
+/**
+ * Default include patterns for analysis
+ */
+export declare const DEFAULT_INCLUDE_PATTERNS: string[];
+/**
+ * Default exclude patterns
+ */
+export declare const DEFAULT_EXCLUDE_PATTERNS: string[];
+/**
+ * Security-relevant file patterns (prioritized)
+ */
+export declare const SECURITY_RELEVANT_PATTERNS: string[];
+/**
+ * MITRE ATT&CK technique mappings for focus areas
+ */
+export declare const FOCUS_AREA_MITRE_MAPPING: Record<AttackFocusArea, string[]>;
+/**
+ * Common CWE mappings for focus areas
+ */
+export declare const FOCUS_AREA_CWE_MAPPING: Record<AttackFocusArea, string[]>;
+/**
+ * Create default adversary configuration
+ */
+export declare function createDefaultConfig(model: AdversaryModel, aggressiveness?: AggressivenessLevel): AdversaryConfig;
+/**
+ * Create focused adversary configuration
+ */
+export declare function createFocusedConfig(model: AdversaryModel, focusAreas: AttackFocusArea[], aggressiveness?: AggressivenessLevel): AdversaryConfig;
+/**
+ * Estimate token usage for analysis
+ */
+export declare function estimateTokenUsage(filesCount: number, avgFileSize: number, config: AdversaryConfig): {
+    estimatedInputTokens: number;
+    estimatedOutputTokens: number;
+    estimatedCost: number;
+};
+//# sourceMappingURL=config.d.ts.map

package/dist/agents/adversary/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/agents/adversary/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,eAAe,EAChB,MAAM,YAAY,CAAC;AAMpB;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,OAAO,CAAC,eAAe,CAMnD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,OAAO,CAAC,eAAe,CAMlD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,OAAO,CAAC,eAAe,CAMtD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAU5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAK5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAI5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,eAAe,EAI9C,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,cAAc,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAGnF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,cAAc,EAAE;IACtD,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAWA,CAAC;AAEF;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,YAAY,GAAG,cAAc,GAAG,IAAI,CAS1F;AAMD;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,EAY5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,EAe5C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,EAAE,MAAM,EA6B9C,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,EAAE,CA+CtE,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,EAAE,CAoDpE,CAAC;AAMF;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,cAAc,EACrB,cAAc,GAAE,mBAA8B,GAC7C,eAAe,CAkBjB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,cAAc,EACrB,UAAU,EAAE,eAAe,EAAE,EAC7B,cAAc,GAAE,mBAA8B,GAC7C,eAAe,CAIjB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,eAAe,GACtB;IACD,oBAAoB,EAAE,MAAM,CAAC;IAC7B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;CACvB,CA2BA"}

package/dist/agents/adversary/config.js

@@ -0,0 +1,361 @@
+/**
+ * Adversary Agent - Configuration
+ *
+ * Default configurations and model settings for the adversary agent.
+ *
+ * @module agents/adversary/config
+ */
+// ============================================================================
+// Default Configurations
+// ============================================================================
+/**
+ * Default configuration for passive analysis
+ */
+export const PASSIVE_CONFIG = {
+    aggressiveness: "passive",
+    generatePoC: false,
+    maxAnalysisTime: 60000, // 1 minute
+    maxFiles: 50,
+    enableChaining: true,
+};
+/**
+ * Default configuration for active analysis
+ */
+export const ACTIVE_CONFIG = {
+    aggressiveness: "active",
+    generatePoC: true,
+    maxAnalysisTime: 300000, // 5 minutes
+    maxFiles: 100,
+    enableChaining: true,
+};
+/**
+ * Default configuration for aggressive analysis
+ */
+export const AGGRESSIVE_CONFIG = {
+    aggressiveness: "aggressive",
+    generatePoC: true,
+    maxAnalysisTime: 600000, // 10 minutes
+    maxFiles: 200,
+    enableChaining: true,
+};
+/**
+ * All attack focus areas
+ */
+export const ALL_FOCUS_AREAS = [
+    "web-app",
+    "api",
+    "auth",
+    "injection",
+    "llm",
+    "infra",
+    "crypto",
+    "data-flow",
+    "supply-chain",
+];
+/**
+ * Web-focused attack areas
+ */
+export const WEB_FOCUS_AREAS = [
+    "web-app",
+    "api",
+    "auth",
+    "injection",
+];
+/**
+ * LLM/AI-focused attack areas
+ */
+export const LLM_FOCUS_AREAS = [
+    "llm",
+    "data-flow",
+    "supply-chain",
+];
+/**
+ * Infrastructure-focused attack areas
+ */
+export const INFRA_FOCUS_AREAS = [
+    "infra",
+    "crypto",
+    "supply-chain",
+];
+// ============================================================================
+// Model Configuration
+// ============================================================================
+/**
+ * Model pricing per million tokens (as of 2026)
+ */
+export const MODEL_PRICING = {
+    "claude-sonnet-4": { input: 3.0, output: 15.0 },
+    "claude-opus-4": { input: 15.0, output: 75.0 },
+};
+/**
+ * Model capabilities
+ */
+export const MODEL_CAPABILITIES = {
+    "claude-sonnet-4": {
+        contextWindow: 200000,
+        maxOutputTokens: 64000,
+        bestFor: ["Fast analysis", "Pattern detection", "Code review"],
+    },
+    "claude-opus-4": {
+        contextWindow: 200000,
+        maxOutputTokens: 64000,
+        bestFor: ["Deep reasoning", "Novel vulnerability discovery", "Complex chains"],
+    },
+};
+/**
+ * Get model for plan tier
+ */
+export function getModelForTier(tier) {
+    switch (tier) {
+        case "free":
+            return null; // Adversary not available on free
+        case "pro":
+            return "claude-sonnet-4";
+        case "enterprise":
+            return "claude-opus-4";
+    }
+}
+// ============================================================================
+// File Patterns
+// ============================================================================
+/**
+ * Default include patterns for analysis
+ */
+export const DEFAULT_INCLUDE_PATTERNS = [
+    "**/*.ts",
+    "**/*.tsx",
+    "**/*.js",
+    "**/*.jsx",
+    "**/*.py",
+    "**/*.go",
+    "**/*.rs",
+    "**/*.java",
+    "**/*.rb",
+    "**/*.php",
+    "**/*.cs",
+];
+/**
+ * Default exclude patterns
+ */
+export const DEFAULT_EXCLUDE_PATTERNS = [
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/.git/**",
+    "**/vendor/**",
+    "**/venv/**",
+    "**/__pycache__/**",
+    "**/coverage/**",
+    "**/*.test.*",
+    "**/*.spec.*",
+    "**/test/**",
+    "**/tests/**",
+    "**/__tests__/**",
+    "**/fixtures/**",
+];
+/**
+ * Security-relevant file patterns (prioritized)
+ */
+export const SECURITY_RELEVANT_PATTERNS = [
+    "**/auth/**",
+    "**/authentication/**",
+    "**/authorization/**",
+    "**/login/**",
+    "**/session/**",
+    "**/jwt/**",
+    "**/oauth/**",
+    "**/api/**",
+    "**/routes/**",
+    "**/handlers/**",
+    "**/controllers/**",
+    "**/middleware/**",
+    "**/crypto/**",
+    "**/encryption/**",
+    "**/db/**",
+    "**/database/**",
+    "**/sql/**",
+    "**/graphql/**",
+    "**/upload/**",
+    "**/download/**",
+    "**/file/**",
+    "**/admin/**",
+    "**/config/**",
+    "**/secrets/**",
+    "**/*password*",
+    "**/*credential*",
+    "**/*token*",
+    "**/*key*",
+];
+// ============================================================================
+// MITRE ATT&CK Mappings
+// ============================================================================
+/**
+ * MITRE ATT&CK technique mappings for focus areas
+ */
+export const FOCUS_AREA_MITRE_MAPPING = {
+    "web-app": [
+        "T1189", // Drive-by Compromise
+        "T1190", // Exploit Public-Facing Application
+        "T1059", // Command and Scripting Interpreter
+    ],
+    "api": [
+        "T1190", // Exploit Public-Facing Application
+        "T1106", // Native API
+        "T1071", // Application Layer Protocol
+    ],
+    "auth": [
+        "T1078", // Valid Accounts
+        "T1110", // Brute Force
+        "T1539", // Steal Web Session Cookie
+        "T1556", // Modify Authentication Process
+    ],
+    "injection": [
+        "T1059", // Command and Scripting Interpreter
+        "T1203", // Exploitation for Client Execution
+        "T1505", // Server Software Component
+    ],
+    "llm": [
+        "AML.T0043", // Craft Adversarial Data (ATLAS)
+        "AML.T0048", // LLM Prompt Injection (ATLAS)
+        "AML.T0051", // LLM Jailbreak (ATLAS)
+    ],
+    "infra": [
+        "T1610", // Deploy Container
+        "T1525", // Implant Internal Image
+        "T1611", // Escape to Host
+    ],
+    "crypto": [
+        "T1552", // Unsecured Credentials
+        "T1557", // Adversary-in-the-Middle
+        "T1600", // Weaken Encryption
+    ],
+    "data-flow": [
+        "T1020", // Automated Exfiltration
+        "T1041", // Exfiltration Over C2 Channel
+        "T1567", // Exfiltration Over Web Service
+    ],
+    "supply-chain": [
+        "T1195", // Supply Chain Compromise
+        "T1199", // Trusted Relationship
+        "T1505", // Server Software Component
+    ],
+};
+// ============================================================================
+// CWE Mappings
+// ============================================================================
+/**
+ * Common CWE mappings for focus areas
+ */
+export const FOCUS_AREA_CWE_MAPPING = {
+    "web-app": [
+        "CWE-79", // XSS
+        "CWE-352", // CSRF
+        "CWE-1021", // Clickjacking
+        "CWE-942", // CORS Misconfiguration
+    ],
+    "api": [
+        "CWE-284", // Improper Access Control
+        "CWE-770", // Resource Allocation Without Limits
+        "CWE-200", // Exposure of Sensitive Information
+        "CWE-639", // IDOR
+    ],
+    "auth": [
+        "CWE-287", // Improper Authentication
+        "CWE-384", // Session Fixation
+        "CWE-798", // Hard-coded Credentials
+        "CWE-307", // Brute Force
+    ],
+    "injection": [
+        "CWE-89", // SQL Injection
+        "CWE-78", // OS Command Injection
+        "CWE-611", // XXE
+        "CWE-94", // Code Injection
+        "CWE-1336", // SSTI
+    ],
+    "llm": [
+        "CWE-1421", // Prompt Injection (proposed)
+        "CWE-200", // Sensitive Information Exposure
+        "CWE-284", // Improper Access Control
+    ],
+    "infra": [
+        "CWE-250", // Execution with Unnecessary Privileges
+        "CWE-269", // Improper Privilege Management
+        "CWE-668", // Exposure of Resource to Wrong Sphere
+    ],
+    "crypto": [
+        "CWE-327", // Use of Broken Crypto Algorithm
+        "CWE-326", // Inadequate Encryption Strength
+        "CWE-320", // Key Management Errors
+        "CWE-338", // Use of Weak PRNG
+    ],
+    "data-flow": [
+        "CWE-200", // Exposure of Sensitive Information
+        "CWE-532", // Log Injection
+        "CWE-209", // Generation of Error Message Containing Sensitive Info
+    ],
+    "supply-chain": [
+        "CWE-1104", // Use of Unmaintained Third-Party Components
+        "CWE-494", // Download of Code Without Integrity Check
+        "CWE-829", // Inclusion of Functionality from Untrusted Control Sphere
+    ],
+};
+// ============================================================================
+// Factory Functions
+// ============================================================================
+/**
+ * Create default adversary configuration
+ */
+export function createDefaultConfig(model, aggressiveness = "active") {
+    const baseConfig = aggressiveness === "passive"
+        ? PASSIVE_CONFIG
+        : aggressiveness === "active"
+            ? ACTIVE_CONFIG
+            : AGGRESSIVE_CONFIG;
+    return {
+        model,
+        aggressiveness,
+        focusAreas: ALL_FOCUS_AREAS,
+        maxAnalysisTime: baseConfig.maxAnalysisTime,
+        generatePoC: baseConfig.generatePoC,
+        maxFiles: baseConfig.maxFiles,
+        enableChaining: baseConfig.enableChaining,
+        includePatterns: DEFAULT_INCLUDE_PATTERNS,
+        excludePatterns: DEFAULT_EXCLUDE_PATTERNS,
+    };
+}
+/**
+ * Create focused adversary configuration
+ */
+export function createFocusedConfig(model, focusAreas, aggressiveness = "active") {
+    const config = createDefaultConfig(model, aggressiveness);
+    config.focusAreas = focusAreas;
+    return config;
+}
+/**
+ * Estimate token usage for analysis
+ */
+export function estimateTokenUsage(filesCount, avgFileSize, config) {
+    // Rough estimates based on typical analysis
+    const tokensPerKB = 250;
+    const avgFileSizeKB = avgFileSize / 1024;
+    // Input: code context + prompts
+    const codeTokens = filesCount * avgFileSizeKB * tokensPerKB;
+    const promptOverhead = filesCount * 500; // ~500 tokens per file for prompts
+    const estimatedInputTokens = Math.round(codeTokens + promptOverhead);
+    // Output: findings, reasoning, PoCs
+    const findingsPerFile = config.aggressiveness === "aggressive" ? 3 :
+        config.aggressiveness === "active" ? 2 : 1;
+    const tokensPerFinding = config.generatePoC ? 1000 : 500;
+    const estimatedOutputTokens = Math.round(filesCount * findingsPerFile * tokensPerFinding);
+    // Calculate cost
+    const pricing = MODEL_PRICING[config.model];
+    const inputCost = (estimatedInputTokens / 1_000_000) * pricing.input;
+    const outputCost = (estimatedOutputTokens / 1_000_000) * pricing.output;
+    const estimatedCost = inputCost + outputCost;
+    return {
+        estimatedInputTokens,
+        estimatedOutputTokens,
+        estimatedCost: Math.round(estimatedCost * 100) / 100,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/agents/adversary/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/agents/adversary/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,cAAc,GAA6B;IACtD,cAAc,EAAE,SAAS;IACzB,WAAW,EAAE,KAAK;IAClB,eAAe,EAAE,KAAK,EAAE,WAAW;IACnC,QAAQ,EAAE,EAAE;IACZ,cAAc,EAAE,IAAI;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAA6B;IACrD,cAAc,EAAE,QAAQ;IACxB,WAAW,EAAE,IAAI;IACjB,eAAe,EAAE,MAAM,EAAE,YAAY;IACrC,QAAQ,EAAE,GAAG;IACb,cAAc,EAAE,IAAI;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA6B;IACzD,cAAc,EAAE,YAAY;IAC5B,WAAW,EAAE,IAAI;IACjB,eAAe,EAAE,MAAM,EAAE,aAAa;IACtC,QAAQ,EAAE,GAAG;IACb,cAAc,EAAE,IAAI;CACrB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,SAAS;IACT,KAAK;IACL,MAAM;IACN,WAAW;IACX,KAAK;IACL,OAAO;IACP,QAAQ;IACR,WAAW;IACX,cAAc;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,SAAS;IACT,KAAK;IACL,MAAM;IACN,WAAW;CACZ,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,KAAK;IACL,WAAW;IACX,cAAc;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAsB;IAClD,OAAO;IACP,QAAQ;IACR,cAAc;CACf,CAAC;AAEF,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAA8D;IACtF,iBAAiB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE;IAC/C,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;CAC/C,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAI1B;IACH,iBAAiB,EAAE;QACjB,aAAa,EAAE,MAAM;QACrB,eAAe,EAAE,KAAK;QACtB,OAAO,EAAE,CAAC,eAAe,EAAE,mBAAmB,EAAE,aAAa,CAAC;KAC/D;IACD,eAAe,EAAE;QACf,aAAa,EAAE,MAAM;QACrB,eAAe,EAAE,KAAK;QACtB,OAAO,EAAE,CAAC,gBAAgB,EAAE,+BAA+B,EAAE,gBAAgB,CAAC;KAC/E;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,IAAmC;IACjE,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM;YACT,OAAO,IAAI,CAAC,CAAC,kCAAkC;QACjD,KAAK,KAAK;YACR,OAAO,iBAAiB,CAAC;QAC3B,KAAK,YAAY;YACf,OAAO,eAAe,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAa;IAChD,SAAS;IACT,UAAU;IACV,SAAS;IACT,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;IACT,WAAW;IACX,SAAS;IACT,UAAU;IACV,SAAS;CACV,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAa;IAChD,oBAAoB;IACpB,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,cAAc;IACd,YAAY;IACZ,mBAAmB;IACnB,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,YAAY;IACZ,aAAa;IACb,iBAAiB;IACjB,gBAAgB;CACjB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAa;IAClD,YAAY;IACZ,sBAAsB;IACtB,qBAAqB;IACrB,aAAa;IACb,eAAe;IACf,WAAW;IACX,aAAa;IACb,WAAW;IACX,cAAc;IACd,gBAAgB;IAChB,mBAAmB;IACnB,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,UAAU;IACV,gBAAgB;IAChB,WAAW;IACX,eAAe;IACf,cAAc;IACd,gBAAgB;IAChB,YAAY;IACZ,aAAa;IACb,cAAc;IACd,eAAe;IACf,eAAe;IACf,iBAAiB;IACjB,YAAY;IACZ,UAAU;CACX,CAAC;AAEF,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsC;IACzE,SAAS,EAAE;QACT,OAAO,EAAE,sBAAsB;QAC/B,OAAO,EAAE,oCAAoC;QAC7C,OAAO,EAAE,oCAAoC;KAC9C;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oCAAoC;QAC7C,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,6BAA6B;KACvC;IACD,MAAM,EAAE;QACN,OAAO,EAAE,iBAAiB;QAC1B,OAAO,EAAE,cAAc;QACvB,OAAO,EAAE,2BAA2B;QACpC,OAAO,EAAE,gCAAgC;KAC1C;IACD,WAAW,EAAE;QACX,OAAO,EAAE,oCAAoC;QAC7C,OAAO,EAAE,oCAAoC;QAC7C,OAAO,EAAE,4BAA4B;KACtC;IACD,KAAK,EAAE;QACL,WAAW,EAAE,iCAAiC;QAC9C,WAAW,EAAE,+BAA+B;QAC5C,WAAW,EAAE,wBAAwB;KACtC;IACD,OAAO,EAAE;QACP,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,yBAAyB;QAClC,OAAO,EAAE,iBAAiB;KAC3B;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,wBAAwB;QACjC,OAAO,EAAE,0BAA0B;QACnC,OAAO,EAAE,oBAAoB;KAC9B;IACD,WAAW,EAAE;QACX,OAAO,EAAE,yBAAyB;QAClC,OAAO,EAAE,+BAA+B;QACxC,OAAO,EAAE,gCAAgC;KAC1C;IACD,cAAc,EAAE;QACd,OAAO,EAAE,0BAA0B;QACnC,OAAO,EAAE,uBAAuB;QAChC,OAAO,EAAE,4BAA4B;KACtC;CACF,CAAC;AAEF,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAsC;IACvE,SAAS,EAAE;QACT,QAAQ,EAAG,MAAM;QACjB,SAAS,EAAE,OAAO;QAClB,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,wBAAwB;KACpC;IACD,KAAK,EAAE;QACL,SAAS,EAAE,0BAA0B;QACrC,SAAS,EAAE,qCAAqC;QAChD,SAAS,EAAE,oCAAoC;QAC/C,SAAS,EAAE,OAAO;KACnB;IACD,MAAM,EAAE;QACN,SAAS,EAAE,0BAA0B;QACrC,SAAS,EAAE,mBAAmB;QAC9B,SAAS,EAAE,yBAAyB;QACpC,SAAS,EAAE,cAAc;KAC1B;IACD,WAAW,EAAE;QACX,QAAQ,EAAG,gBAAgB;QAC3B,QAAQ,EAAG,uBAAuB;QAClC,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAG,iBAAiB;QAC5B,UAAU,EAAE,OAAO;KACpB;IACD,KAAK,EAAE;QACL,UAAU,EAAE,8BAA8B;QAC1C,SAAS,EAAE,iCAAiC;QAC5C,SAAS,EAAE,0BAA0B;KACtC;IACD,OAAO,EAAE;QACP,SAAS,EAAE,wCAAwC;QACnD,SAAS,EAAE,gCAAgC;QAC3C,SAAS,EAAE,uCAAuC;KACnD;IACD,QAAQ,EAAE;QACR,SAAS,EAAE,iCAAiC;QAC5C,SAAS,EAAE,iCAAiC;QAC5C,SAAS,EAAE,wBAAwB;QACnC,SAAS,EAAE,mBAAmB;KAC/B;IACD,WAAW,EAAE;QACX,SAAS,EAAE,oCAAoC;QAC/C,SAAS,EAAE,gBAAgB;QAC3B,SAAS,EAAE,wDAAwD;KACpE;IACD,cAAc,EAAE;QACd,UAAU,EAAE,6CAA6C;QACzD,SAAS,EAAE,2CAA2C;QACtD,SAAS,EAAE,2DAA2D;KACvE;CACF,CAAC;AAEF,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAqB,EACrB,iBAAsC,QAAQ;IAE9C,MAAM,UAAU,GAAG,cAAc,KAAK,SAAS;QAC7C,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,cAAc,KAAK,QAAQ;YAC3B,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,iBAAiB,CAAC;IAExB,OAAO;QACL,KAAK;QACL,cAAc;QACd,UAAU,EAAE,eAAe;QAC3B,eAAe,EAAE,UAAU,CAAC,eAAgB;QAC5C,WAAW,EAAE,UAAU,CAAC,WAAY;QACpC,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,cAAc,EAAE,UAAU,CAAC,cAAc;QACzC,eAAe,EAAE,wBAAwB;QACzC,eAAe,EAAE,wBAAwB;KAC1C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAqB,EACrB,UAA6B,EAC7B,iBAAsC,QAAQ;IAE9C,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IAC1D,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAAkB,EAClB,WAAmB,EACnB,MAAuB;IAMvB,4CAA4C;IAC5C,MAAM,WAAW,GAAG,GAAG,CAAC;IACxB,MAAM,aAAa,GAAG,WAAW,GAAG,IAAI,CAAC;IAEzC,gCAAgC;IAChC,MAAM,UAAU,GAAG,UAAU,GAAG,aAAa,GAAG,WAAW,CAAC;IAC5D,MAAM,cAAc,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC,mCAAmC;IAC5E,MAAM,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,cAAc,CAAC,CAAC;IAErE,oCAAoC;IACpC,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,gBAAgB,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IACzD,MAAM,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,eAAe,GAAG,gBAAgB,CAAC,CAAC;IAE1F,iBAAiB;IACjB,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,CAAC,oBAAoB,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC;IACrE,MAAM,UAAU,GAAG,CAAC,qBAAqB,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IACxE,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,CAAC;IAE7C,OAAO;QACL,oBAAoB;QACpB,qBAAqB;QACrB,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,GAAG,CAAC,GAAG,GAAG;KACrD,CAAC;AACJ,CAAC"}

package/dist/agents/adversary/index.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Adversary Agent - Main Orchestrator
+ *
+ * The Adversary agent is a mythos-class ethical hacker that uses real
+ * Claude API reasoning to find vulnerabilities that pattern-based scanners
+ * miss. It coordinates four analysis phases:
+ *
+ * 1. Reconnaissance - Technology stack detection, framework identification
+ * 2. Attack Surface - Entry points, trust boundaries, data flows
+ * 3. Exploitation - LLM-powered vulnerability discovery with PoCs
+ * 4. Chaining - Multi-vulnerability attack path discovery
+ *
+ * @module agents/adversary
+ */
+import type { Finding } from "../../certification/types.js";
+import type { AdversaryConfig, AdversaryResult } from "./types.js";
+export * from "./types.js";
+export * from "./config.js";
+/**
+ * Run full adversary analysis
+ */
+export declare function runAdversaryAnalysis(projectPath: string, config: AdversaryConfig): Promise<AdversaryResult>;
+/**
+ * Convert adversary findings to certification findings
+ */
+export declare function adversaryToFindings(result: AdversaryResult): Finding[];
+/**
+ * Estimate cost for adversary analysis
+ */
+export declare function estimateAdversaryCost(filesCount: number, config: AdversaryConfig): {
+    estimatedCost: number;
+    estimatedTokens: number;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/agents/adversary/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/agents/adversary/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAQH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EAWhB,MAAM,YAAY,CAAC;AAYpB,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAqrB5B;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,eAAe,CAAC,CA+F1B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAsBtE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,eAAe,GACtB;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAmBpD"}