kekkai-cli 1.1.1__py3-none-any.whl → 2.0.1__py3-none-any.whl

kekkai/cli.py

@@ -58,6 +58,11 @@ def main(argv: Sequence[str] | None = None) -> int:
     init_parser = subparsers.add_parser("init", help="initialize config and directories")
     init_parser.add_argument("--config", type=str, help="Path to config file")
     init_parser.add_argument("--force", action="store_true", help="Overwrite existing config")
+    init_parser.add_argument(
+        "--ci",
+        action="store_true",
+        help="Auto-generate GitHub Actions workflow for CI/CD integration",
+    )
 
     scan_parser = subparsers.add_parser("scan", help="run a scan pipeline")
     scan_parser.add_argument("--config", type=str, help="Path to config file")
@@ -147,7 +152,7 @@ def main(argv: Sequence[str] | None = None) -> int:
         help="Minimum severity for PR comments (default: medium)",
     )
 
-    dojo_parser = subparsers.add_parser("dojo", help="manage local DefectDojo stack")
+    dojo_parser = subparsers.add_parser("dojo", help=argparse.SUPPRESS)
     dojo_subparsers = dojo_parser.add_subparsers(dest="dojo_command")
 
     dojo_up = dojo_subparsers.add_parser("up", help="start the local DefectDojo stack")
@@ -378,7 +383,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 
     parsed = parser.parse_args(args)
     if parsed.command == "init":
-        return _command_init(parsed.config, parsed.force)
+        return _command_init(parsed.config, parsed.force, parsed.ci)
     if parsed.command == "scan":
         return _command_scan(
             parsed.config,
@@ -427,7 +432,7 @@ def _handle_no_args() -> int:
     return 0
 
 
-def _command_init(config_override: str | None, force: bool) -> int:
+def _command_init(config_override: str | None, force: bool, ci: bool = False) -> int:
     cfg_path = _resolve_config_path(config_override)
     if cfg_path.exists() and not force:
         print(f"Config already exists at {cfg_path}. Use --force to overwrite.")
@@ -441,6 +446,27 @@ def _command_init(config_override: str | None, force: bool) -> int:
     cfg_path.write_text(load_config_text(base_dir))
     print_dashboard()
     console.print(f"\n[success]Initialized config at[/success] [cyan]{cfg_path}[/cyan]\n")
+
+    # Auto-generate GitHub Actions workflow if --ci flag is set
+    if ci:
+        workflow_created = _generate_github_workflow()
+        if workflow_created:
+            console.print(
+                "[success]✓[/success] Created GitHub Actions workflow: "
+                "[cyan].github/workflows/kekkai-security.yml[/cyan]"
+            )
+            console.print(
+                "\n[info]Next steps:[/info]\n"
+                "  1. Commit the workflow file:\n"
+                "     [dim]git add .github/workflows/kekkai-security.yml[/dim]\n"
+                "  2. Push to GitHub\n"
+                "  3. Security scans will run automatically on pull requests\n"
+            )
+        else:
+            console.print(
+                "[warning]⚠[/warning]  Not a Git repository or .github/workflows/ cannot be created"
+            )
+
     return 0
 
 
@@ -1752,6 +1778,91 @@ def _resolve_dojo_open_port(parsed: argparse.Namespace, compose_root: Path) -> i
     return dojo.DEFAULT_PORT
 
 
+def _generate_github_workflow() -> bool:
+    """Generate GitHub Actions workflow file for security scanning.
+
+    Returns:
+        True if workflow was created successfully, False otherwise.
+    """
+    # Check if we're in a git repository
+    cwd = Path.cwd()
+    git_dir = cwd / ".git"
+    if not git_dir.exists():
+        return False
+
+    # Create .github/workflows directory
+    workflows_dir = cwd / ".github" / "workflows"
+    try:
+        workflows_dir.mkdir(parents=True, exist_ok=True)
+    except (OSError, PermissionError):
+        return False
+
+    # Generate workflow file
+    workflow_path = workflows_dir / "kekkai-security.yml"
+    if workflow_path.exists():
+        # Don't overwrite existing workflow
+        return False
+
+    workflow_content = """name: Kekkai Security Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+      - develop
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Kekkai
+        run: |
+          python -m pip install --upgrade pip
+          pip install kekkai-cli
+
+      - name: Run Security Scan
+        run: |
+          kekkai scan --ci --fail-on high
+        continue-on-error: true
+
+      - name: Post PR Comments (if PR)
+        if: github.event_name == 'pull_request'
+        run: |
+          kekkai scan --pr-comment --max-comments 50
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
+      - name: Upload Results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: kekkai-scan-results
+          path: ~/.kekkai/runs/*/
+          retention-days: 30
+"""
+
+    try:
+        workflow_path.write_text(workflow_content, encoding="utf-8")
+        return True
+    except (OSError, PermissionError):
+        return False
+
+
 def _resolve_config_path(config_override: str | None) -> Path:
     if config_override:
         return Path(config_override).expanduser().resolve()

kekkai/output.py

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
 
-VERSION = "1.1.1"
+VERSION = "2.0.1"
 
 
 def print_dashboard() -> None:
@@ -88,9 +88,8 @@ def print_dashboard() -> None:
     menu_table.add_column("Description", style="desc", ratio=3)
 
     menu_table.add_row("kekkai scan", "Run security scan in current directory")
-    menu_table.add_row("kekkai threatflow", "Generate AI-powered threat model")
-    menu_table.add_row("kekkai dojo", "Manage local DefectDojo instance")
     menu_table.add_row("kekkai triage", "Interactive finding review (TUI)")
+    menu_table.add_row("kekkai threatflow", "Generate AI-powered threat model")
     menu_table.add_row("kekkai report", "Generate compliance reports")
     menu_table.add_row("kekkai config", "Manage settings and keys")
 

kekkai/triage/fix_screen.py

@@ -0,0 +1,232 @@
+"""Fix generation screen for AI-powered code fixes.
+
+Provides a modal screen that shows fix generation progress
+and preview of AI-generated patches.
+"""
+
+from __future__ import annotations
+
+import os
+from collections.abc import Callable
+from typing import TYPE_CHECKING
+
+from rich.text import Text
+from textual.app import ComposeResult
+from textual.binding import Binding
+from textual.containers import Vertical, VerticalScroll
+from textual.screen import ModalScreen
+from textual.widgets import Footer, Label, Static
+
+if TYPE_CHECKING:
+    from .models import FindingEntry
+
+__all__ = ["FixGenerationScreen"]
+
+
+class FixGenerationScreen(ModalScreen[bool]):
+    """Modal screen for generating AI-powered fixes.
+
+    Shows progress, model configuration, and fix preview.
+
+    Bindings:
+        escape: Cancel and go back
+        enter: Accept fix (if generated)
+    """
+
+    BINDINGS = [
+        Binding("escape", "cancel", "Cancel"),
+        Binding("enter", "accept", "Accept Fix", show=False),
+    ]
+
+    DEFAULT_CSS = """
+    FixGenerationScreen {
+        align: center middle;
+    }
+    #fix-dialog {
+        width: 80;
+        height: 30;
+        border: thick $primary;
+        background: $surface;
+        padding: 1;
+    }
+    #fix-title {
+        dock: top;
+        height: 3;
+        content-align: center middle;
+        background: $primary;
+        color: $text;
+    }
+    #fix-content {
+        height: 1fr;
+        padding: 1;
+    }
+    #fix-preview {
+        height: 1fr;
+        border: solid $accent;
+        padding: 1;
+        background: $panel;
+    }
+    #fix-status {
+        dock: bottom;
+        height: 3;
+        padding: 1;
+        background: $surface;
+    }
+    .fix-button {
+        margin: 1;
+    }
+    """
+
+    def __init__(
+        self,
+        finding: FindingEntry,
+        on_fix_generated: Callable[[bool, str], None] | None = None,
+        name: str | None = None,
+        id: str | None = None,
+    ) -> None:
+        super().__init__(name=name, id=id)
+        self.finding = finding
+        self.on_fix_generated = on_fix_generated
+        self.fix_preview: str | None = None
+        self.fix_generated = False
+
+    def compose(self) -> ComposeResult:
+        with Vertical(id="fix-dialog"):
+            yield Label("🤖 AI-Powered Fix Generation", id="fix-title")
+            with VerticalScroll(id="fix-content"):
+                yield Label(self._get_finding_summary())
+                yield Label(self._get_model_info())
+                yield Static("", id="fix-preview")
+            yield Static(self._get_initial_status(), id="fix-status")
+            yield Footer()
+
+    def _get_finding_summary(self) -> Text:
+        """Generate summary of finding to fix."""
+        text = Text()
+        text.append("Finding:\n", style="bold")
+        text.append(f"  {self.finding.scanner}: ", style="cyan")
+        text.append(f"{self.finding.title}\n")
+        if self.finding.file_path:
+            text.append(f"  File: {self.finding.file_path}", style="dim")
+            if self.finding.line:
+                text.append(f":{self.finding.line}", style="dim")
+            text.append("\n")
+        return text
+
+    def _get_model_info(self) -> Text:
+        """Display model configuration info."""
+        text = Text()
+        text.append("\nModel Configuration:\n", style="bold")
+
+        # Check for Ollama
+        if self._is_ollama_available():
+            text.append("  ✓ Ollama detected (local-first AI)\n", style="green")
+            text.append("  No API keys needed - runs on your machine\n", style="dim")
+        # Check for API keys
+        elif os.environ.get("KEKKAI_FIX_API_KEY"):
+            text.append("  ⚠ Using remote API (OpenAI/Anthropic)\n", style="yellow")
+            text.append("  Code will be sent to external service\n", style="dim")
+        else:
+            text.append("  ✗ No AI backend configured\n", style="red")
+            text.append("  Install Ollama or set KEKKAI_FIX_API_KEY\n", style="dim")
+
+        return text
+
+    def _get_initial_status(self) -> Text:
+        """Initial status message."""
+        if self._is_ollama_available() or os.environ.get("KEKKAI_FIX_API_KEY"):
+            return Text("Press Enter to generate fix, or Escape to cancel", style="italic")
+        else:
+            return Text(
+                "❌ Cannot generate fix: No AI backend configured\n"
+                "Install Ollama (recommended) or set KEKKAI_FIX_API_KEY",
+                style="red",
+            )
+
+    def _is_ollama_available(self) -> bool:
+        """Check if Ollama is available on the system."""
+        import shutil
+
+        return shutil.which("ollama") is not None
+
+    def on_mount(self) -> None:
+        """Auto-generate fix if backend is available."""
+        if self._is_ollama_available() or os.environ.get("KEKKAI_FIX_API_KEY"):
+            # Auto-start fix generation
+            self.set_timer(0.5, self._generate_fix)
+
+    def _generate_fix(self) -> None:
+        """Generate AI-powered fix."""
+        status = self.query_one("#fix-status", Static)
+        status.update(Text("⏳ Generating fix with AI...", style="yellow italic"))
+
+        try:
+            # Import fix engine
+            from ..fix import FixConfig
+
+            # Determine model mode
+            if self._is_ollama_available():
+                model_mode = "ollama"
+                model_name = os.environ.get("KEKKAI_FIX_MODEL_NAME", "mistral")
+            else:
+                model_mode = "openai"
+                model_name = None
+
+            # Create fix config (for future integration)
+            _config = FixConfig(
+                model_mode=model_mode,
+                model_name=model_name,
+                api_key=os.environ.get("KEKKAI_FIX_API_KEY"),
+                max_fixes=1,
+                timeout_seconds=60,
+                dry_run=True,
+            )
+
+            # Note: This is a simplified mock - actual implementation would:
+            # 1. Convert FindingEntry to proper format for FixEngine
+            # 2. Call fix engine with proper error handling
+            # 3. Display actual fix preview
+
+            # For now, show a placeholder
+            self.fix_preview = (
+                "# AI-Powered Fix (Preview)\n"
+                f"# Finding: {self.finding.title}\n"
+                f"# Scanner: {self.finding.scanner}\n\n"
+                "# Fix would be generated here using:\n"
+                f"# - Model: {model_name or 'gpt-4'}\n"
+                f"# - Mode: {model_mode}\n"
+                "# - Context from source file\n\n"
+                "# Press Enter to apply (dry-run mode)\n"
+                "# Press Escape to cancel"
+            )
+
+            preview = self.query_one("#fix-preview", Static)
+            preview.update(Text(self.fix_preview, style="green"))
+
+            status.update(
+                Text("✓ Fix generated! Press Enter to apply or Escape to cancel", style="green")
+            )
+            self.fix_generated = True
+
+        except Exception as e:
+            status.update(Text(f"✗ Fix generation failed: {e}", style="red"))
+            self.fix_generated = False
+
+    def action_accept(self) -> None:
+        """Accept and apply the generated fix."""
+        if not self.fix_generated:
+            return
+
+        if self.on_fix_generated:
+            self.on_fix_generated(
+                True, "Fix generated successfully (dry-run mode - review before applying)"
+            )
+
+        self.dismiss(True)
+
+    def action_cancel(self) -> None:
+        """Cancel fix generation."""
+        if self.on_fix_generated:
+            self.on_fix_generated(False, "Fix generation cancelled")
+
+        self.dismiss(False)

kekkai/triage/screens.py

@@ -49,6 +49,7 @@ class FindingListScreen(Screen[None]):
         Binding("down", "cursor_down", "Next", show=False),
         Binding("up", "cursor_up", "Previous", show=False),
         Binding("enter", "view_detail", "View"),
+        Binding("x", "fix_with_ai", "🤖 Fix with AI"),
         Binding("f", "mark_false_positive", "False Positive"),
         Binding("c", "mark_confirmed", "Confirmed"),
         Binding("d", "mark_deferred", "Deferred"),

kekkai_cli-2.0.1.dist-info/METADATA

@@ -0,0 +1,318 @@
+Metadata-Version: 2.4
+Name: kekkai-cli
+Version: 2.0.1
+Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+Requires-Dist: rich>=13.0.0
+Requires-Dist: jsonschema>=4.20.0
+Requires-Dist: textual>=0.50.0
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: jinja2>=3.1.6
+
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
+</p>
+
+<p align="center"><strong>Stop parsing JSON. Security triage in your terminal.</strong></p>
+
+<p align="center">
+  <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
+  <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
+  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+</p>
+
+---
+
+# Kekkai
+
+**Interactive security triage in the terminal.**
+
+Kekkai is a small open-source CLI that wraps existing security scanners (Trivy, Semgrep, Gitleaks) and focuses on the part that tends to be slow and frustrating: reviewing and triaging results.
+
+Running scanners is easy. Interpreting noisy output, dealing with false positives, and making CI usable is not. Kekkai exists to make that part tolerable..
+
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai.gif)
+
+---
+
+## What it does
+
+- Runs Trivy (dependencies), Semgrep (code), and Gitleaks (secrets)
+- Normalizes their outputs into a single report format
+- Provides an interactive terminal UI for reviewing findings
+- Lets you mark findings as false positives and persist decisions locally
+- Supports CI mode with severity-based failure thresholds
+
+Kekkai does not replace scanners or introduce proprietary detection logic. It sits on top of existing tools and focuses on workflow and UX.
+
+---
+
+## Quick Start
+
+> Requires Docker and Python 3.12
+
+### 1. Install
+
+```bash
+pipx install kekkai-cli
+```
+
+### 2. Scan
+
+```bash
+kekkai scan
+# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
+# Outputs unified kekkai-report.json
+```
+
+### 3. Triage
+
+```bash
+kekkai triage
+# Interactive TUI to review findings with keyboard navigation
+```
+
+No signup, no cloud service required.
+
+---
+
+## Why Kekkai?
+
+| Problem | Kekkai Solution |
+|---------|-----------------|
+| **Juggling 3+ tools** | One CLI for Trivy, Semgrep, Gitleaks |
+| **Reading JSON logs** | Interactive terminal UI |
+| **Installing scanners** | Auto-pulls Docker containers |
+| **Parsing different formats** | Unified `kekkai-report.json` |
+| **False positives** | Mark and ignore with `.kekkaiignore` |
+| **CI/CD integration** | `kekkai scan --ci --fail-on high` |
+
+---
+
+## Features
+
+### Interactive Triage TUI
+
+Stop reading JSON. Use keyboard navigation to review findings, mark false positives, and generate ignore files.
+
+```bash
+kekkai triage
+```
+
+**Controls:**
+- `j/k` or `↑/↓`: Navigate findings
+- `f`: Mark as false positive
+- `c`: Confirm finding
+- `d`: Defer/ignore
+- `Ctrl+S`: Save decisions
+- `q`: Quit
+
+![Triage TUI](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-triage.png)
+
+[Full Triage Documentation →](docs/triage/README.md)
+
+---
+
+### CI/CD Policy Gate
+
+Break builds on severity thresholds.
+
+Kekkai can be used as a CI gate based on severity thresholds.
+
+```bash
+# Fail on any critical or high findings
+kekkai scan --ci --fail-on high
+
+# Fail only on critical
+kekkai scan --ci --fail-on critical
+```
+
+**Exit Codes:**
+| Code | Meaning |
+|------|---------|
+| 0 | No findings above threshold |
+| 1 | Findings exceed threshold |
+| 2 | Scanner error |
+
+**GitHub Actions Example:**
+
+```yaml
+- name: Security Scan
+  run: |
+    pipx install kekkai-cli
+    kekkai scan --ci --fail-on high
+```
+
+[Full CI Documentation →](docs/ci/ci-mode.md)
+
+---
+
+### GitHub PR Comments
+
+Get security feedback directly in pull requests.
+
+```bash
+export GITHUB_TOKEN="ghp_..."
+kekkai scan --pr-comment
+```
+---
+
+### Unified Scanning
+
+Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container.
+
+```bash
+kekkai scan                          # Scan current directory
+kekkai scan --repo /path/to/project  # Scan specific path
+kekkai scan --output results.json    # Custom output path
+```
+
+**Scanners Included:**
+| Scanner | Finds | Image |
+|---------|-------|-------|
+| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
+| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
+| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
+
+**Container Security:**
+- Read-only filesystem
+- No network access
+- Memory limited (2GB)
+- No privilege escalation
+
+---
+
+#### Design choices
+
+- Local-first: no SaaS required, runs entirely on your machine or CI
+- No network access for scanner containers
+- Read-only filesystems, memory-limited containers
+- Uses existing tools instead of reimplementing scanners
+- Terminal-first UX instead of dashboards
+
+---
+
+## Optional features
+
+These are opt-in and not required for basic use:
+
+### Local-First AI Threat Modeling
+
+Generate STRIDE threat models with AI that runs on **your machine**. No API keys. No cloud.
+
+```bash
+# Ollama (recommended - easy setup, privacy-preserving)
+ollama pull mistral
+kekkai threatflow --repo . --model-mode ollama --model-name mistral
+
+# Output: THREATS.md with attack surface analysis and Mermaid.js diagrams
+```
+
+**Supports:**
+- Ollama (recommended)
+- Local GGUF models (llama.cpp)
+- OpenAI/Anthropic (if you trust them with your code)
+
+[Full Local-First AI Threat Modeling Documentation →](docs/threatflow/README.md)
+
+---
+
+### DefectDojo Integration
+
+Spin up a vulnerability management dashboard locally if you need it.
+
+```bash
+kekkai dojo up --wait    # Start DefectDojo
+kekkai upload            # Import scan results
+```
+
+**What You Get:**
+- DefectDojo web UI at `http://localhost:8080`
+- Automatic credential generation
+- Pre-configured for Kekkai imports
+
+[DefectDojo Quick Start →](docs/dojo/dojo-quickstart.md)
+
+---
+
+### AI-Powered Fix Engine
+
+Generate code patches for findings (experimental).
+
+```bash
+kekkai fix --input scan-results.json --apply
+```
+
+---
+
+### Compliance Reporting
+
+Map findings to PCI-DSS, OWASP, HIPAA, SOC 2.
+
+```bash
+kekkai report --input scan-results.json --format pdf --frameworks PCI-DSS,OWASP
+```
+
+---
+
+## What this is not
+
+- Not a replacement for commercial AppSec platforms
+- Not a new scanner or detection engine
+- Not optimized for large enterprises (yet)
+- Not a hosted service
+
+Right now, Kekkai is aimed at individual developers and small teams who already run scanners but want better triage and less noise.
+
+---
+
+## Security
+
+Kekkai is designed with security as a core principle:
+
+- **Container Isolation**: Scanners run in hardened Docker containers
+- **No Network Access**: Containers cannot reach external networks
+- **Local-First AI**: run entirely on your machine
+- **SLSA Level 3**: Release artifacts include provenance attestations
+- **Signed Images**: Docker images are Cosign-signed
+
+For vulnerability reports, see [SECURITY.md](SECURITY.md).
+
+---
+
+## Documentation
+
+| Guide | Description |
+|-------|-------------|
+| [Installation](docs/README.md#installation-methods) | All installation methods |
+| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
+| [Triage TUI](docs/triage/README.md) | Interactive finding review |
+| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
+| [DefectDojo](docs/dojo/dojo-quickstart.md) | Optional vulnerability management |
+| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
+
+---
+
+## Roadmap (short-term)
+
+1. Persistent triage state across runs (baselines)
+2. “New findings only” diffs
+3. Better PR-level workflows
+4. Cleaner reporting for small teams
+
+---
+
+## Contributing
+
+We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+---
+
+## License
+
+Apache-2.0 — See [LICENSE](LICENSE) for details.
+
+---
+
+<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>

{kekkai_cli-1.1.1.dist-info → kekkai_cli-2.0.1.dist-info}/RECORD

@@ -1,10 +1,10 @@
 kekkai/__init__.py,sha256=_VrBvJRyqHiXs31S8HOhATk_O2iy-ac0_9X7rHH75j8,143
-kekkai/cli.py,sha256=-Kix3HMEsroCgtOLu-QCtPwi7OqOSi3YzXzboT5tGvU,63529
+kekkai/cli.py,sha256=Y99dHzSRLV4sqbFiSe81nJRtvx2dQWmRDPyOVdghIIQ,66616
 kekkai/config.py,sha256=LE7bKsmv5dim5KnZya0V7_LtviNQ1V0pMN_6FyAsMpc,13084
 kekkai/dojo.py,sha256=erLdTMOioTyzVhXYW8xgdbU5Ro-KQx1OcTQN7_zemmY,18634
 kekkai/dojo_import.py,sha256=D0ZQM_0JYHqUqJA3l4nKD-RkpvcOcgj-4zv59HRcQ6k,7274
 kekkai/manifest.py,sha256=Ph5xGDKuVxMW1GVIisRhxUelaiVZQe-W5sZWsq4lHqs,1887
-kekkai/output.py,sha256=nPKsf3FjWtWf_nHj4HVpgqeZtLpPOtZoLJElVLSyPK4,5500
+kekkai/output.py,sha256=IJrO36C79WTxCqYp9LEVn5OI4GtPVBWUWH6I-TttfmQ,5426
 kekkai/paths.py,sha256=EcyG3CEOQFQygowu7O5Mp85dKkXWWvnm1h0j_BetGxY,1190
 kekkai/policy.py,sha256=0XCUH-SbnO1PsM-exjSFHYHRnLkiNa50QfkyPakwNko,9792
 kekkai/runner.py,sha256=MBFUiJ4sSVEGNbJ6cv-8p1WHaHqjio6yWEfr_K4GuTs,2037
@@ -61,10 +61,11 @@ kekkai/threatflow/sanitizer.py,sha256=uQsxYZ5VDXutZoj-WMl7fo5T07uHuQZqgVzoVMoaKe
 kekkai/triage/__init__.py,sha256=gYf4XPIYZTthU0Q0kaptbgMKulkjLxWQWG0HQvtlu-o,2182
 kekkai/triage/app.py,sha256=MU2tBI50d8sOdDKESGNrWYiREG9bBtrSccaMoiMv5gM,5027
 kekkai/triage/audit.py,sha256=UVaSKKC6tZkHxEoMcnIZkMOT_ngj7QzHWYuDAHas_sc,5842
+kekkai/triage/fix_screen.py,sha256=mj_waXwKPCrT01bVSSu5Ohi-3JvN2lT18Yy44xICItY,7667
 kekkai/triage/ignore.py,sha256=uBKM7zKyzORj9LJ5AAnoYWZQTRy57P0ZofSapiDWcfI,7305
 kekkai/triage/loader.py,sha256=vywhS8fcre7PiBX3H2CpKXFxzvO7LcDnIHIB0kzG3R4,5850
 kekkai/triage/models.py,sha256=nRmWtELMqHWHX1NqZ2upH2ZAJVeBxa3Wh8f3kkB9WYo,5384
-kekkai/triage/screens.py,sha256=6eEiHvuuS_gGESS_K3NjPiQx8G7CR18-j9upU1p5nRg,11004
+kekkai/triage/screens.py,sha256=MbudQkdQ4JFt5c80V3LtqCeXxAIu7nIfZpm7G5wRXT0,11061
 kekkai/triage/widgets.py,sha256=eOF6Qoo5uBqjxiEkbpgcO1tbIOGBQBKn75wP9Jw_AaE,4733
 kekkai_core/__init__.py,sha256=gREN4oarM0azTkSTWTnlDnPZGgv1msai2Deq9Frj3gc,122
 kekkai_core/redaction.py,sha256=EeWYPjAs2hIXlLKGmGn_PRdK08G4KcOBmbRCoFklbHc,2893
@@ -84,8 +85,8 @@ kekkai_core/windows/chocolatey.py,sha256=tF5S5eN-HeENRt6yQ4TZgwng0oRMX_ScskQ3-eb
 kekkai_core/windows/installer.py,sha256=MePAywHH3JTIAENv52XtkUMOGqmYqZqkH77VW5PST8o,6945
 kekkai_core/windows/scoop.py,sha256=lvothICrAoB3lGfkvhqVeNTB50eMmVGA0BE7JNCfHdI,5284
 kekkai_core/windows/validators.py,sha256=45xUuAbHcKc0WLIZ-0rByPeDD88MAV8KvopngyYBHpQ,6525
-kekkai_cli-1.1.1.dist-info/METADATA,sha256=_Wt5_uAwnvnEK-Hmc7RxwZozkiwU_6JpLFD_xTpgDTM,11667
-kekkai_cli-1.1.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-kekkai_cli-1.1.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
-kekkai_cli-1.1.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
-kekkai_cli-1.1.1.dist-info/RECORD,,
+kekkai_cli-2.0.1.dist-info/METADATA,sha256=WNYk460xPTeXtMnwDW2Z6zDhHysNhltYOS726u-i2q4,8118
+kekkai_cli-2.0.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+kekkai_cli-2.0.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
+kekkai_cli-2.0.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
+kekkai_cli-2.0.1.dist-info/RECORD,,

kekkai_cli-1.1.1.dist-info/METADATA

@@ -1,379 +0,0 @@
-Metadata-Version: 2.4
-Name: kekkai-cli
-Version: 1.1.1
-Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
-Requires-Python: >=3.12
-Description-Content-Type: text/markdown
-Requires-Dist: rich>=13.0.0
-Requires-Dist: jsonschema>=4.20.0
-Requires-Dist: textual>=0.50.0
-Requires-Dist: httpx>=0.24.0
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
-</p>
-
-<p align="center"><strong>Security orchestration at developer speed.</strong></p>
-<p align="center"><i>One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.</i></p>
-
-<p align="center">
-  <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
-  <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
-</p>
-
----
-
-# Kekkai
-
-Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
-
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-start.gif)
-
----
-
-## The Five Pillars
-
-| Pillar | Feature | Command | Description |
-|--------|---------|---------|-------------|
-| 🔮 **Predict** | AI Threat Modeling | `kekkai threatflow` | Generate STRIDE threat models before writing code |
-| 🔍 **Detect** | Unified Scanning | `kekkai scan` | Run Trivy, Semgrep, Gitleaks in isolated containers |
-| ✅ **Triage** | Interactive Review | `kekkai triage` | Review findings in a terminal UI, mark false positives |
-| 🚦 **Gate** | CI/CD Policy | `kekkai scan --ci` | Break builds on severity thresholds |
-| 📊 **Manage** | DefectDojo | `kekkai dojo up` | Spin up vulnerability management in 60 seconds |
-
----
-
-## Quick Start (60 Seconds)
-
-### 1. Install
-
-```bash
-pipx install kekkai-cli
-```
-
-### 2. Predict (Threat Model)
-
-```bash
-kekkai threatflow --repo . --model-mode local
-# Generates THREATS.md with STRIDE analysis and Data Flow Diagram
-```
-
-### 3. Detect (Scan)
-
-```bash
-kekkai scan
-# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
-# Outputs unified kekkai-report.json
-```
-
-### 4. Triage (Review)
-
-```bash
-kekkai triage
-# Interactive TUI to accept, reject, or ignore findings
-```
-
-### 5. Manage (DefectDojo)
-
-```bash
-kekkai dojo up --wait
-kekkai upload
-# Full vulnerability management platform + automated import
-```
-
----
-
-## Why Kekkai?
-
-| Capability | Manual Approach | Kekkai |
-|------------|-----------------|--------|
-| **Tooling** | Install/update 5+ tools individually | One binary, auto-pulls scanner containers |
-| **Output** | Parse 5 different JSON formats | Unified `kekkai-report.json` |
-| **Threat Modeling** | Expensive consultants or whiteboarding | AI-generated `THREATS.md` locally |
-| **DefectDojo** | 200-line docker-compose + debugging | `kekkai dojo up` (one command) |
-| **Triage** | Read JSON files manually | Interactive terminal UI |
-| **CI/CD** | Complex bash scripts | `kekkai scan --ci --fail-on high` |
-| **PR Feedback** | Manual security review comments | Auto-comments on GitHub PRs |
-
----
-
-## Feature Deep Dives
-
-### 🔮 ThreatFlow — AI-Powered Threat Modeling
-
-Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
-
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-threatflow.gif)
-
-```bash
-# Ollama (recommended - easy setup, privacy-preserving)
-ollama pull mistral
-kekkai threatflow --repo . --model-mode ollama --model-name mistral
-
-# Local GGUF model (requires llama-cpp-python)
-kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf
-
-# Remote API (faster, requires API key)
-export KEKKAI_THREATFLOW_API_KEY="sk-..."
-kekkai threatflow --repo . --model-mode openai
-```
-
-**Output:** `THREATS.md` containing:
-- Attack surface analysis
-- STRIDE threat classification
-- Mermaid.js architecture diagram
-- Recommended mitigations
-
-[Full ThreatFlow Documentation →](docs/threatflow/README.md)
-
----
-
-### 🔍 Unified Scanning
-
-Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.
-
-```bash
-kekkai scan                          # Scan current directory
-kekkai scan --repo /path/to/project  # Scan specific path
-kekkai scan --output results.json    # Custom output path
-```
-
-**Scanners Included:**
-| Scanner | Finds | Image |
-|---------|-------|-------|
-| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
-| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
-| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
-
-**Container Security:**
-- Read-only filesystem
-- No network access
-- Memory limited (2GB)
-- No privilege escalation
-
----
-
-### ✅ Interactive Triage TUI
-
-Stop reading JSON. Review security findings in your terminal.
-
-```bash
-kekkai triage
-```
-
-**Features:**
-- Navigate findings with keyboard
-- Mark as: Accept, Reject, False Positive, Ignore
-- Filter by severity, scanner, or status
-- Persist decisions in `.kekkai-ignore`
-- Export triaged results
-
-<!-- Screenshot placeholder: ![Triage TUI](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/triage-tui.png) -->
-
-[Full Triage Documentation →](docs/triage/README.md)
-
----
-
-### 🚦 CI/CD Policy Gate
-
-Automate security enforcement in your pipelines.
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-scan.png" alt="Kekkai Scanning" width="650"/>
-</p>
-
-```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-
-# Custom threshold: fail on 5+ medium findings
-kekkai scan --ci --fail-on medium --max-findings 5
-```
-
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-
-**GitHub Actions Example:**
-
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
-```
-
-[Full CI Documentation →](docs/ci/ci-mode.md)
-
----
-
-### 📊 DefectDojo Integration
-
-Spin up a complete vulnerability management platform locally.
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo.png" alt="Kekkai Dojo" width="650"/>
-</p>
-
-```bash
-kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
-kekkai dojo status       # Check service health
-kekkai upload            # Import scan results
-kekkai dojo down         # Stop and clean up (removes volumes)
-```
-
-**What You Get:**
-- DefectDojo web UI at `http://localhost:8080`
-- Automatic credential generation
-- Pre-configured for Kekkai imports
-- Clean teardown (no orphaned volumes)
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/Active-Engagements-kekkai-dojo.png" alt="Kekkai Dojo" width="850"/>
-</p>
-
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo-dashboard-findings.png" alt="Kekkai Dojo" width="850"/>
-</p
-
-[Full Dojo Documentation →](docs/dojo/dojo.md)
-
----
-
-### 🔔 GitHub PR Comments
-
-Get security feedback directly in pull requests.
-
-```bash
-export GITHUB_TOKEN="ghp_..."
-kekkai scan --github-comment
-```
-
-Kekkai will:
-1. Run all scanners
-2. Post findings as PR review comments
-3. Annotate specific lines with inline comments
-
----
-
-## Installation
-
-### pipx (Recommended)
-
-Isolated environment, no conflicts with system Python.
-
-```bash
-pipx install kekkai-cli
-```
-
-### Homebrew (macOS/Linux)
-
-```bash
-brew install kademoslabs/tap/kekkai
-```
-
-### Scoop (Windows)
-
-```bash
-scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
-scoop install kekkai
-```
-
-### Docker (No Python Required)
-
-```bash
-docker pull kademoslabs/kekkai:latest
-alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'
-```
-
-### pip (Traditional)
-
-```bash
-pip install kekkai-cli
-```
-
----
-
-## Enterprise Features
-
-For organizations that need advanced capabilities, **Kekkai Enterprise** provides:
-
-| Feature | Description |
-|---------|-------------|
-| **Multi-Tenant Portal** | Web dashboard for managing multiple teams/projects ([Learn More](docs/portal/README.md)) |
-| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace |
-| **Role-Based Access Control** | Fine-grained permissions per team/project |
-| **Advanced Operations** | Automated backup/restore, monitoring, zero-downtime upgrades ([Learn More](docs/ops/README.md)) |
-| **Compliance Reporting** | Map findings to OWASP, PCI-DSS, HIPAA, SOC 2 |
-| **Audit Logging** | Cryptographically signed compliance trails |
-
-**Architecture:**
-- Open-source CLI remains fully functional standalone
-- Enterprise features available in separate private repository for licensed customers
-- Optional integration: CLI can sync results to enterprise portal
-- Self-hosted or Kademos-managed deployment options
-
-[Contact us for enterprise access →](mailto:sales@kademos.org)
-
----
-
-## Security
-
-Kekkai is designed with security as a core principle:
-
-- **Container Isolation**: Scanners run in hardened Docker containers
-- **No Network Access**: Containers cannot reach external networks
-- **Local-First AI**: ThreatFlow can run entirely on your machine
-- **SLSA Level 3**: Release artifacts include provenance attestations
-- **Signed Images**: Docker images are Cosign-signed
-
-For vulnerability reports, see [SECURITY.md](SECURITY.md).
-
----
-
-## Documentation
-
-| Guide | Description |
-|-------|-------------|
-| [Installation](docs/README.md#installation-methods) | All installation methods |
-| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
-| [Dojo Quick Start](docs/dojo/dojo-quickstart.md) | DefectDojo in 5 minutes |
-| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
-| [Portal](docs/portal/README.md) | Enterprise features overview |
-| [Portal SSO](docs/portal/saml-setup.md) | SAML 2.0 SSO configuration |
-| [Portal RBAC](docs/portal/rbac.md) | Role-based access control |
-| [Portal Deployment](docs/portal/deployment.md) | Self-hosted deployment |
-| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
-
----
-
-## CI/CD Status
-
-[![Kekkai Security Scan](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml)
-[![Docker Image Publish](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml)
-[![Docker Security Scan](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml)
-[![Cross-Platform Tests](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml)
-[![Release with SLSA Provenance](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml)
-
----
-
-## Contributing
-
-We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
-
----
-
-## License
-
-Apache-2.0 — See [LICENSE](LICENSE) for details.
-
----
-
-<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>