wize-dev-kit 0.4.1 → 0.6.0

package/src/security-overlay/skills/wize-sec-pentest/scripts/run-pipeline.js

@@ -0,0 +1,157 @@
+'use strict';
+
+// run-pipeline.js — the orchestrator for the security-overlay. Chains
+// the four phase skills (recon -> enumerate -> exploit -> report) and
+// propagates --active. This module exposes a `runPipeline(opts)` function
+// so the test suite can drive it directly; the SKILL.md entrypoint
+// (wize-sec-pentest) is a thin wrapper that just calls runPipeline with
+// argv-derived options.
+
+const path = require('node:path');
+const fs = require('node:fs');
+
+// Default kit root when running from the kit itself. Tests inject their own.
+const DEFAULT_KIT_ROOT = path.resolve(__dirname, '..', '..', '..', '..', '..');
+
+const PHASES = ['wize-sec-recon', 'wize-sec-enumerate', 'wize-sec-exploit', 'wize-sec-report'];
+
+// Per-phase script manifests. Each phase can run one or more scripts.
+// Scripts in the same phase run sequentially and any failure (or skip)
+// marks the phase as incomplete, but does not abort the pipeline.
+const PHASE_SCRIPTS = {
+  'wize-sec-recon':     ['recon', 'gitleaks', 'osv'],
+  'wize-sec-enumerate': ['enumerate'],
+  'wize-sec-exploit':   ['nuclei', 'nikto', 'sqlmap', 'ffuf'],
+  'wize-sec-report':    ['report']
+};
+
+function parseArgv(argv) {
+  const out = { active: false, scopePath: null, kitRoot: DEFAULT_KIT_ROOT };
+  for (let i = 0; i < (argv || []).length; i++) {
+    const a = argv[i];
+    if (a === '--active') out.active = true;
+    else if (a === '--scope' && argv[i + 1]) { out.scopePath = argv[i + 1]; i++; }
+    else if (a.startsWith('--scope=')) out.scopePath = a.slice('--scope='.length);
+  }
+  if (!out.scopePath) out.scopePath = path.join(process.cwd(), '.wize', 'security', 'scope.md');
+  return out;
+}
+
+// runPipeline({ scopePath, active, kitRoot?, loadScopeFn?, invokePhase? })
+//   - loadScopeFn defaults to the real scope-gate loadScope.
+//   - invokePhase defaults to the real invokePhase (subprocess).
+// Both are injectable for testing. We resolve the defaults lazily via a
+// small indirection (a getter) so a test that mutates the real module's
+// exports before loading this file sees the mocked value.
+async function runPipeline(opts = {}) {
+  const scopePath = opts.scopePath;
+  const active = opts.active === true;
+  const kitRoot = opts.kitRoot || DEFAULT_KIT_ROOT;
+  const securityDir = opts.securityDir || path.join(process.cwd(), '.wize', 'security');
+
+  // Lazy default resolution — must read at call time, not destructured at
+  // module load, so a test that swaps the real module's exports is honored.
+  const loadScopeFn = opts.loadScopeFn
+    || require('../../../_shared/scope-gate.js').loadScope;
+  const invokePhase = opts.invokePhase
+    || require('../../../_shared/invoke-phase.js').invokePhase;
+
+  // 0. Preflight (permissive — always continues, but writes the install
+  // script if anything is missing). In test mode the env vars short-
+  // circuit the real probes so the result is deterministic.
+  const preflight = opts.preflight
+    || require('../../../_shared/preflight.js').runPreflight({ kitRoot });
+  if (preflight.missing.length > 0 && opts.writeInstallScript !== false) {
+    const { generateInstallScript } = require('../../../_shared/install-script.js');
+    const script = generateInstallScript(preflight);
+    try {
+      const scriptPath = path.join(securityDir, 'install-pentest-tools.sh');
+      // Don't clobber a user-edited script.
+      if (!fs.existsSync(scriptPath)) {
+        fs.mkdirSync(securityDir, { recursive: true });
+        fs.writeFileSync(scriptPath, script, 'utf8');
+        try { fs.chmodSync(scriptPath, 0o755); } catch (_) { /* best-effort */ }
+      }
+    } catch (_) { /* best-effort: a write failure here does not block the pipeline */ }
+  }
+
+  // 1. Gate first — if the scope is invalid, abort the whole pipeline.
+  const scope = loadScopeFn(scopePath);
+
+  const results = {};
+  const skipped = [];
+
+  for (const phase of PHASES) {
+    const scripts = PHASE_SCRIPTS[phase] || [phase.split('-').pop()];
+    const phaseResults = [];
+    for (const sub of scripts) {
+      // Naming convention: scripts in the skill dir are run-<sub>.js, except
+      // for the report phase which is render-report.js.
+      const baseName = phase === 'wize-sec-report' ? `render-${sub}` : `run-${sub}`;
+      const scriptName = baseName.endsWith('.js') ? baseName : baseName + '.js';
+      try {
+        const r = await invokePhase(phase, { kitRoot, active, securityDir, scopePath, scriptName });
+        phaseResults.push({ sub, ...r });
+        if (!r.ok) skipped.push(`${phase}/${sub}`);
+      } catch (_) {
+        phaseResults.push({ sub, ok: false, code: -1, stdout: '', stderr: '', error: 'invoke-threw' });
+        skipped.push(`${phase}/${sub}`);
+      }
+    }
+    // Phase is OK if at least one sub-script succeeded.
+    const anyOk = phaseResults.some(r => r && r.ok);
+    results[phase] = { ok: anyOk, subs: phaseResults };
+  }
+
+  const anyOk = Object.values(results).some(r => r && r.ok);
+  return {
+    ok: anyOk,
+    scopePath,
+    active,
+    preflight,
+    results,
+    skipped
+  };
+}
+
+// Entry point when invoked as a subprocess (the SKILL.md frontmatter
+// declares commands: [run-pipeline.js]). The harness's adapter renders
+// this file as the skill body and runs `node run-pipeline.js` when the
+// user invokes `/wize-sec-pentest`.
+async function main() {
+  const args = parseArgv(process.argv.slice(2));
+  let result;
+  try {
+    // Derive the securityDir from the scopePath's parent (the .wize/security
+    // directory) so the preflight's install script lands next to the scope.
+    const secDir = path.dirname(args.scopePath);
+    result = await runPipeline({
+      scopePath: args.scopePath,
+      active: args.active,
+      kitRoot: args.kitRoot,
+      securityDir: secDir
+    });
+  } catch (err) {
+    console.error('✖ wize-sec-pentest aborted:', err && err.message ? err.message : err);
+    process.exit(2);
+  }
+
+  // Minimal stdout surface — the partials already carry detail.
+  for (const phase of PHASES) {
+    const r = result.results[phase];
+    if (!r) { console.log(`= ${phase}: (no result)`); continue; }
+    const mark = r.ok ? '✓' : '✗';
+    const subs = (r.subs || []).map(s => `${s.sub}:${s.ok ? 'ok' : 'fail'}`).join(',');
+    console.log(`${mark} ${phase}: ${subs}`);
+  }
+  if (result.skipped.length) {
+    console.log(`! skipped: ${result.skipped.join(', ')}`);
+  }
+  process.exit(result.ok ? 0 : 1);
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { runPipeline, parseArgv, PHASES };

package/src/security-overlay/skills/wize-sec-pentest/skill.md

@@ -0,0 +1,52 @@
+---
+code: wize-sec-pentest
+name: wize-sec-pentest
+overlay: security
+module: security-overlay
+owner: red-teamer
+status: ready
+---
+
+# wize-sec-pentest — Orchestrator (Security Overlay)
+
+End-to-end security pipeline. Chains **recon → enumerate → sast → dast → report** through the four phase skills (`wize-sec-recon`, `wize-sec-enumerate`, `wize-sec-exploit`, `wize-sec-report`). Loads `.wize/security/scope.md` first; aborts the whole pipeline if the scope is missing or invalid.
+
+## Usage
+
+```bash
+# Default (passive — read-only checks only)
+/wize-sec-pentest
+
+# Active exploitation (sqlmap, ffuf active fuzzing) — requires scope acceptance
+/wize-sec-pentest --active
+
+# Custom scope path (default: .wize/security/scope.md)
+/wize-sec-pentest --scope=/path/to/scope.md
+```
+
+## Phases (in order)
+
+1. **recon** — nmap (passive) → `recon.md`
+2. **enumerate** — nuclei passive, HTTP probing → `enumerate.md`
+3. **sast** — gitleaks (secrets) + osv-scanner/grype (deps) → `sast.md` (run inside `wize-sec-recon` per the architecture decision)
+4. **dast** — nuclei + nikto (passive) + sqlmap/ffuf (gated by `--active`) → `dast.md`
+5. **report** — render `report.md` + `report.html` from all partials
+
+Each phase produces a partial. The report phase consumes them. A phase that fails is marked `partial_status: skipped` and the pipeline continues with the next one.
+
+## Gate
+
+Before any phase, the orchestrator calls `loadScope()` (the shared gate). An invalid scope aborts the whole pipeline with the error code from `ScopeError`. The gate is the single source of truth — phases do not re-validate.
+
+## Propagation
+
+`--active` is read from argv and passed to every phase invocation. Each phase that supports active checks (currently `wize-sec-exploit`) decides what changes in active mode.
+
+## Output
+
+- `recon.md`, `enumerate.md`, `sast.md`, `dast.md` — partials (one per phase)
+- `report.md`, `report.html` — final consolidated report
+- `.refusals.log` — audit trail of out-of-scope refusals
+- `.tools.json` — detection cache for the toolchain
+
+Exits 0 if at least one phase ran; 1 if all phases failed; 2 if the scope gate aborted.

package/src/security-overlay/skills/wize-sec-recon/scripts/run-gitleaks.js

@@ -0,0 +1,139 @@
+'use strict';
+
+// run-gitleaks.js — SAST secrets via gitleaks. Runs inside the
+// wize-sec-recon skill (per the architecture decision that recon hosts
+// the no-app-running checks). Writes a redaction into sast.md and stores
+// the full gitleaks report in the security dir for the user to inspect.
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+
+const REDACTED = '***REDACTED***';
+
+// runGitleaks({ securityDir, scope, active, execFn?, detectFn?, reportFilename? })
+//   -> { ok, partialStatus, findingsCount }
+async function runGitleaks(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+  const reportFilename = opts.reportFilename || 'gitleaks-report.json';
+  // The project to scan is the parent of `.wize/security/`. The scripts run
+  // with cwd = the kit, so we MUST point gitleaks at the target repo, not '.'.
+  const projectRoot = opts.projectRoot || (sec ? path.resolve(sec, '..', '..') : process.cwd());
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 5 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['gitleaks'], { cacheDir: sec });
+  const present = !!(tools.gitleaks && tools.gitleaks.present);
+
+  if (!present) {
+    // Update or create sast.md with the degraded_checks entry.
+    mergeSast(sec, scope, active, tools, {
+      degraded: '- secrets: gitleaks ausente — instale gitleaks e re-rode para scan completo.'
+    });
+    return { ok: true, partialStatus: 'incomplete', findingsCount: 0 };
+  }
+
+  const reportPath = path.join(sec, reportFilename);
+  // gitleaks 8.18: `-s/--source` is the scan path, `-f/--report-format` is
+  // the output format (json), `-r/--report-path` is the file. (Earlier
+  // versions used `-f` for the path — do NOT use that here.)
+  const args = filterArgs('gitleaks', [
+    'detect', '--no-banner', '-s', projectRoot, '-f', 'json', '-r', reportPath, '--exit-code', '0'
+  ]);
+  // gitleaks exits non-zero when it FINDS leaks (default exit-code 1). That
+  // is the success path for us, not an error — so we pass --exit-code 0 and
+  // also swallow any non-zero status defensively (we read the JSON report
+  // regardless).
+  try {
+    execFn('gitleaks', args, { timeout: 5 * 60 * 1000 });
+  } catch (_) {
+    // Leaks found (or gitleaks returned non-zero) — the report file is still
+    // written; we parse it below.
+  }
+
+  // Read the JSON report gitleaks wrote. It is an array of findings.
+  let findings = [];
+  if (fs.existsSync(reportPath)) {
+    try {
+      findings = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
+    } catch (_) {
+      findings = [];
+    }
+  }
+
+  // Build the secrets section from findings — ONLY redacted values.
+  const secretLines = findings.map(f => {
+    const file = f.File || f.file || '<unknown>';
+    const line = f.StartLine || f.startLine || '?';
+    const rule = f.RuleID || f.ruleID || 'unknown';
+    return `- **${file}** line ${line} rule \`${rule}\` — redacted_value: \`${REDACTED}\``;
+  });
+
+  // Merge into existing sast.md (preserve other sections like deps from E05-S02).
+  mergeSast(sec, scope, active, tools, {
+    secrets: secretLines.length ? secretLines.join('\n') : '_(nenhum secret encontrado)_'
+  });
+  return { ok: true, partialStatus: secretLines.length ? 'complete' : 'incomplete', findingsCount: secretLines.length };
+}
+
+// Helper: load existing sast.md, update the relevant section, and write back.
+// Preserves sections that other SAST scripts (e.g. run-osv) added.
+function mergeSast(sec, scope, active, tools, update) {
+  const existing = loadPartial({ securityDir: sec, phase: 'sast' });
+  const sections = {};
+  let mergedTools = Object.assign({}, tools);
+  if (existing) {
+    if (existing.body) {
+      // Extract known section bodies from the existing partial.
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        sections[m[1]] = m[2].trim();
+      }
+    }
+    // Preserve tools detected by sibling SAST scripts (gitleaks + osv each
+    // run separately; neither should clobber the other's tools block).
+    if (existing.frontmatter && existing.frontmatter.tools) {
+      mergedTools = Object.assign({}, existing.frontmatter.tools, tools);
+    }
+  }
+  // Apply updates.
+  if (update.degraded) {
+    // Append to degraded_checks if present, else create.
+    if (sections.degraded_checks) sections.degraded_checks += '\n' + update.degraded;
+    else sections.degraded_checks = update.degraded;
+  }
+  if (update.secrets !== undefined) sections.secrets = update.secrets;
+
+  const status = sections.degraded_checks ? 'incomplete' : 'complete';
+  writePartial({
+    securityDir: sec,
+    phase: 'sast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status,
+    tools: mergedTools,
+    sections
+  });
+}
+
+module.exports = { runGitleaks, mergeSast, REDACTED };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, reportFilename } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runGitleaks({ securityDir, scope, active, reportFilename });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'reportFilename': 'reportFilename' }
+  });
+}

package/src/security-overlay/skills/wize-sec-recon/scripts/run-osv.js

@@ -0,0 +1,227 @@
+'use strict';
+
+// run-osv.js — SAST dependencies via osv-scanner (primary) or grype (fallback).
+// Auto-detects common manifest files in the project root and emits findings
+// into sast.md (composing with secrets from run-gitleaks.js).
+
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+
+const MANIFEST_FILES = [
+  'package.json', 'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  'requirements.txt', 'Pipfile', 'Pipfile.lock', 'pyproject.toml', 'poetry.lock',
+  'go.mod', 'go.sum',
+  'Cargo.toml', 'Cargo.lock',
+  'composer.json', 'composer.lock',
+  'Gemfile', 'Gemfile.lock'
+];
+
+function detectManifests(root) {
+  const found = [];
+  for (const m of MANIFEST_FILES) {
+    if (fs.existsSync(path.join(root, m))) found.push(m);
+  }
+  return found;
+}
+
+function parseOsvReport(report) {
+  // osv-scanner JSON shape (simplified): { results: [{ packages: [{ package: {name, version}, vulnerabilities: [{id, severity, cvss: {score}}] }] }] }
+  const out = [];
+  const results = report && report.results ? report.results : [];
+  // Map a CVSS base score to a coarse severity label.
+  const sevFromScore = s => {
+    const n = parseFloat(s);
+    if (isNaN(n)) return null;
+    if (n === 0) return 'None';
+    if (n < 4) return 'Low';
+    if (n < 7) return 'Medium';
+    if (n < 9) return 'High';
+    return 'Critical';
+  };
+  for (const r of results) {
+    for (const p of (r.packages || [])) {
+      const name = p.package && p.package.name;
+      const version = p.package && p.package.version;
+      // osv-scanner v2 groups vulnerabilities and exposes a max_severity
+      // (CVSS) + aliases (CVE ids) per group. Prefer that; fall back to
+      // the raw vulnerabilities array for older shapes.
+      const groups = Array.isArray(p.groups) ? p.groups : [];
+      if (groups.length) {
+        for (const g of groups) {
+          const ids = g.aliases && g.aliases.length ? g.aliases : g.ids || [];
+          const cve = ids.find(x => /^CVE-/.test(x)) || ids[0] || '?';
+          const cvss = g.max_severity ? parseFloat(g.max_severity) : null;
+          out.push({ package: name, version, cve, severity: sevFromScore(g.max_severity) || 'UNKNOWN', cvss });
+        }
+      } else {
+        for (const v of (p.vulnerabilities || [])) {
+          const cve = v.id || '?';
+          const cvss = v.cvss && (typeof v.cvss === 'number' ? v.cvss : v.cvss.score);
+          out.push({ package: name, version, cve, severity: sevFromScore(cvss) || 'UNKNOWN', cvss });
+        }
+      }
+    }
+  }
+  return out;
+}
+
+function parseGrypeReport(report) {
+  // grype JSON shape: { matches: [{ artifact: {name, version}, vulnerability: {id, severity, cvss:[{metrics:{baseScore}}]} }] }
+  const out = [];
+  for (const m of (report && report.matches ? report.matches : [])) {
+    const name = m.artifact && m.artifact.name;
+    const version = m.artifact && m.artifact.version;
+    const v = m.vulnerability || {};
+    const cve = v.id || '?';
+    const severity = v.severity || 'UNKNOWN';
+    let cvss = null;
+    if (Array.isArray(v.cvss) && v.cvss[0] && v.cvss[0].metrics) {
+      cvss = v.cvss[0].metrics.baseScore;
+    } else if (typeof v.cvss === 'number') {
+      cvss = v.cvss;
+    }
+    out.push({ package: name, version, cve, severity, cvss });
+  }
+  return out;
+}
+
+function renderDepsSection(findings) {
+  if (!findings.length) return '_(nenhuma dep vulnerável encontrada)_';
+  return findings.map(f => {
+    const cvss = f.cvss != null ? ` cvss=${f.cvss}` : '';
+    return `- **${f.package}@${f.version || '?'}** \`${f.cve}\` severity=${f.severity}${cvss}`;
+  }).join('\n');
+}
+
+// runOsv({ securityDir, scope, active, execFn?, detectFn?, manifestRoot?, reportFilename? })
+async function runOsv(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+  // The project to scan is the parent of `.wize/security/`. Scripts run with
+  // cwd = the kit, so default to the target repo, not process.cwd().
+  const manifestRoot = opts.manifestRoot
+    || (sec ? path.resolve(sec, '..', '..') : process.cwd());
+  const osvReportName = 'osv-report.json';
+  const grypeReportName = 'grype-report.json';
+
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 5 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+
+  const tools = detectFn(['osv-scanner', 'grype'], { cacheDir: sec });
+  const osvPresent = !!(tools['osv-scanner'] && tools['osv-scanner'].present);
+  const grypePresent = !!(tools.grype && tools.grype.present);
+
+  // No tools at all -> degraded.
+  if (!osvPresent && !grypePresent) {
+    mergeSast(sec, scope, active, tools, {
+      degraded: '- deps: osv-scanner e grype ausentes — instale um dos dois e re-rode.'
+    });
+    return { ok: true, partialStatus: 'incomplete', tool: null, findings: [] };
+  }
+
+  // Manifest detection: warn if the project root has no known manifest.
+  const manifests = detectManifests(manifestRoot);
+  if (manifests.length === 0) {
+    mergeSast(sec, scope, active, tools, {
+      degraded: `- deps: nenhum manifesto encontrado em ${manifestRoot} (procurando package.json, requirements.txt, go.mod, Cargo.toml, pyproject.toml, composer.json, Gemfile).`
+    });
+    return { ok: true, partialStatus: 'incomplete', tool: null, findings: [] };
+  }
+
+  // Pick tool. Prefer osv-scanner; fallback to grype.
+  let findings = [];
+  let tool = null;
+  if (osvPresent) {
+    tool = 'osv-scanner';
+    const reportPath = path.join(sec, osvReportName);
+    // osv-scanner v2 needs explicit lockfiles (`-L <path>`); recursive
+    // directory scan misses composer.lock/package-lock.json. We pass each
+    // detected lockfile we found. Non-zero exit = vulns found (success).
+    const LOCKFILES = ['composer.lock', 'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+      'requirements.txt', 'Pipfile.lock', 'poetry.lock', 'go.sum', 'Cargo.lock', 'Gemfile.lock'];
+    const lockArgs = [];
+    for (const lf of LOCKFILES) {
+      if (fs.existsSync(path.join(manifestRoot, lf))) {
+        lockArgs.push('-L', path.join(manifestRoot, lf));
+      }
+    }
+    const args = lockArgs.length
+      ? filterArgs('osv-scanner', ['scan', 'source', ...lockArgs, '--format', 'json', '--output-file', reportPath])
+      : filterArgs('osv-scanner', ['scan', 'source', '-r', '--format', 'json', '--output-file', reportPath, manifestRoot]);
+    try {
+      execFn('osv-scanner', args, { timeout: 5 * 60 * 1000 });
+    } catch (_) { /* vulns found -> non-zero exit; report still written */ }
+    if (fs.existsSync(reportPath)) {
+      try { findings = parseOsvReport(JSON.parse(fs.readFileSync(reportPath, 'utf8'))); }
+      catch (_) { findings = []; }
+    }
+  } else if (grypePresent) {
+    tool = 'grype';
+    const reportPath = path.join(sec, grypeReportName);
+    const args = filterArgs('grype', ['dir:' + manifestRoot, '-o', 'json']);
+    execFn('grype', args, { timeout: 5 * 60 * 1000 });
+    if (fs.existsSync(reportPath)) {
+      try { findings = parseGrypeReport(JSON.parse(fs.readFileSync(reportPath, 'utf8'))); }
+      catch (_) { findings = []; }
+    }
+  }
+
+  mergeSast(sec, scope, active, tools, {
+    deps: renderDepsSection(findings)
+  });
+  return { ok: true, partialStatus: 'complete', tool, findings };
+}
+
+function mergeSast(sec, scope, active, tools, update) {
+  const existing = loadPartial({ securityDir: sec, phase: 'sast' });
+  const sections = {};
+  let mergedTools = Object.assign({}, tools);
+  if (existing) {
+    if (existing.body) {
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        sections[m[1]] = m[2].trim();
+      }
+    }
+    if (existing.frontmatter && existing.frontmatter.tools) {
+      mergedTools = Object.assign({}, existing.frontmatter.tools, tools);
+    }
+  }
+  if (update.degraded) {
+    sections.degraded_checks = sections.degraded_checks
+      ? sections.degraded_checks + '\n' + update.degraded
+      : update.degraded;
+  }
+  if (update.deps !== undefined) sections.deps = update.deps;
+  const status = sections.degraded_checks ? 'incomplete' : 'complete';
+  writePartial({
+    securityDir: sec,
+    phase: 'sast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status,
+    tools: mergedTools,
+    sections
+  });
+}
+
+module.exports = { runOsv, parseOsvReport, parseGrypeReport, detectManifests, MANIFEST_FILES };
+
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, manifestRoot, reportFilename } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runOsv({ securityDir, scope, active, manifestRoot, reportFilename });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'manifestRoot': 'manifestRoot', 'reportFilename': 'reportFilename' }
+  });
+}