kekkai-cli 2.0.0__py3-none-any.whl → 2.2.0__py3-none-any.whl

kekkai/cli.py

@@ -221,6 +221,17 @@ def main(argv: Sequence[str] | None = None) -> int:
         type=str,
         help="Path for .kekkaiignore output (default: .kekkaiignore)",
     )
+    triage_parser.add_argument(
+        "--repo",
+        type=str,
+        help="Repository root path (default: auto-detect from run.json)",
+    )
+    triage_parser.add_argument(
+        "--context-lines",
+        type=int,
+        default=10,
+        help="Context lines before/after line (default: 10, range: 5-100)",
+    )
 
     # Fix subcommand - AI-powered remediation
     fix_parser = subparsers.add_parser("fix", help="generate AI-powered code fixes for findings")
@@ -1186,6 +1197,11 @@ def _command_triage(parsed: argparse.Namespace) -> int:
 
     input_path_str = cast(str | None, getattr(parsed, "input", None))
     output_path_str = cast(str | None, getattr(parsed, "output", None))
+    repo_path_str = cast(str | None, getattr(parsed, "repo", None))
+    context_lines = cast(int, getattr(parsed, "context_lines", 10))
+
+    # Validate context_lines range
+    context_lines = max(5, min(100, context_lines))
 
     # Default to latest run if no input specified
     if not input_path_str:
@@ -1232,7 +1248,36 @@ def _command_triage(parsed: argparse.Namespace) -> int:
 
     console.print(f"[info]Loaded {len(findings)} finding(s)[/info]\n")
 
-    return run_triage(findings=findings, output_path=output_path)
+    # Auto-detect repo_path from run.json if not explicitly provided
+    repo_path: Path | None = None
+    if repo_path_str:
+        repo_path = Path(repo_path_str).expanduser().resolve()
+    elif input_path.is_dir():
+        # Try to read repo_path from run.json
+        manifest_path = input_path / "run.json"
+        if manifest_path.exists():
+            try:
+                import json
+
+                with manifest_path.open() as f:
+                    manifest_data = json.load(f)
+                stored_repo = manifest_data.get("repo_path")
+                if stored_repo:
+                    repo_path = Path(stored_repo).expanduser().resolve()
+                    console.print(f"[dim]Using repo path from run metadata: {repo_path}[/dim]\n")
+            except (OSError, json.JSONDecodeError, KeyError):
+                pass
+
+    # Fall back to current directory if still not set
+    if repo_path is None:
+        repo_path = Path.cwd()
+
+    return run_triage(
+        findings=findings,
+        output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
+    )
 
 
 def _command_fix(parsed: argparse.Namespace) -> int:

kekkai/output.py

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
 
-VERSION = "2.0.0"
+VERSION = "2.2.0"
 
 
 def print_dashboard() -> None:

kekkai/triage/__init__.py

@@ -29,6 +29,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI (lazy import).
 
@@ -36,6 +38,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
 
     Returns:
         Exit code (0 for success).
@@ -50,6 +54,8 @@ def run_triage(
             input_path=input_path,
             output_path=output_path,
             findings=findings,
+            repo_path=repo_path,
+            context_lines=context_lines,
         )
     except ImportError as e:
         raise RuntimeError(

kekkai/triage/app.py

@@ -51,6 +51,8 @@ class TriageApp(App[None]):
         input_path: Path | None = None,
         output_path: Path | None = None,
         audit_path: Path | None = None,
+        repo_path: Path | None = None,
+        context_lines: int = 10,
     ) -> None:
         """Initialize triage application.
 
@@ -59,6 +61,8 @@ class TriageApp(App[None]):
             input_path: Path to findings JSON file.
             output_path: Path for .kekkaiignore output.
             audit_path: Path for audit log.
+            repo_path: Repository root path for code context display.
+            context_lines: Number of lines to show before/after vulnerable line.
         """
         super().__init__()
         self._input_path = input_path
@@ -66,6 +70,8 @@ class TriageApp(App[None]):
         self.ignore_file = IgnoreFile(output_path)
         self.audit_log = TriageAuditLog(audit_path)
         self._decisions: dict[str, TriageDecision] = {}
+        self.repo_path = repo_path or Path.cwd()
+        self.context_lines = context_lines
 
     @property
     def findings(self) -> list[FindingEntry]:
@@ -148,6 +154,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI.
 
@@ -155,6 +163,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
 
     Returns:
         Exit code (0 for success).
@@ -163,6 +173,8 @@ def run_triage(
         findings=findings,
         input_path=input_path,
         output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
     )
     app.run()
     return 0

kekkai/triage/code_context.py

@@ -0,0 +1,345 @@
+"""Code context extraction for triage TUI.
+
+Provides secure code context extraction with security controls:
+- Path traversal protection (ASVS V5.3.3)
+- File size limits (ASVS V10.3.3)
+- Sensitive file detection (ASVS V8.3.4)
+- Error sanitization (ASVS V7.4.1)
+"""
+
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from pathlib import Path
+
+from ..fix.prompts import FixPromptBuilder
+
+logger = logging.getLogger(__name__)
+
+__all__ = [
+    "CodeContext",
+    "CodeContextExtractor",
+]
+
+# Security limits per ASVS V10.3.3
+MAX_FILE_SIZE_MB = 10
+
+# Sensitive file extensions to block (ASVS V8.3.4)
+SENSITIVE_EXTENSIONS = {
+    ".env",
+    ".pem",
+    ".key",
+    ".crt",
+    ".p12",
+    ".pfx",
+    ".jks",
+    ".keystore",
+    ".pub",
+    "id_rsa",
+    "id_dsa",
+    "id_ecdsa",
+    "id_ed25519",
+}
+
+# Binary file extensions to skip
+BINARY_EXTENSIONS = {
+    ".pyc",
+    ".pyo",
+    ".so",
+    ".dll",
+    ".dylib",
+    ".exe",
+    ".bin",
+    ".class",
+    ".jar",
+    ".war",
+    ".ear",
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".bmp",
+    ".ico",
+    ".pdf",
+    ".zip",
+    ".tar",
+    ".gz",
+    ".bz2",
+    ".7z",
+    ".rar",
+    ".whl",
+    ".egg",
+}
+
+
+@dataclass
+class CodeContext:
+    """Code context with syntax highlighting metadata.
+
+    Attributes:
+        code: Formatted code with line numbers and >>> marker.
+        language: Detected programming language for syntax highlighting.
+        vulnerable_line: The specific vulnerable line text.
+        error: Error message if extraction failed (None on success).
+    """
+
+    code: str
+    language: str
+    vulnerable_line: str
+    error: str | None = None
+
+
+class CodeContextExtractor:
+    """Extracts code context from files with security controls.
+
+    Security features:
+    - Path validation to prevent traversal attacks (ASVS V5.3.3)
+    - File size limits to prevent DoS (ASVS V10.3.3)
+    - Sensitive file detection (ASVS V8.3.4)
+    - Sanitized error messages (ASVS V7.4.1)
+
+    Performance features:
+    - LRU cache for file contents (max 20 files, ~200KB per file = ~4MB total)
+    - Reduces re-reads when navigating between findings in same files
+    """
+
+    def __init__(self, repo_path: Path, max_file_size_mb: int = MAX_FILE_SIZE_MB) -> None:
+        """Initialize code context extractor.
+
+        Args:
+            repo_path: Repository root path (for path validation).
+            max_file_size_mb: Maximum file size in MB (DoS protection).
+        """
+        self.repo_path = repo_path.resolve()
+        self.max_file_size_mb = max_file_size_mb
+        self._prompt_builder = FixPromptBuilder(context_lines=10)
+        # Simple LRU cache: {file_path: file_content}
+        # Limited to 20 files to prevent memory bloat
+        self._file_cache: dict[str, str] = {}
+        self._cache_max_size = 20
+
+    def extract(self, file_path: str, line: int | None) -> CodeContext | None:
+        """Extract code context from a file.
+
+        Args:
+            file_path: Relative or absolute path to the file.
+            line: Line number (1-indexed) of the vulnerability.
+
+        Returns:
+            CodeContext object with code and metadata, or None if unavailable.
+
+        Security:
+            - Path validation (ASVS V5.3.3)
+            - Size limits (ASVS V10.3.3)
+            - Sensitive file blocking (ASVS V8.3.4)
+            - Error sanitization (ASVS V7.4.1)
+        """
+        if not file_path or not line:
+            return None
+
+        # Resolve path
+        try:
+            full_path = (self.repo_path / file_path).resolve()
+        except (ValueError, OSError):
+            # ASVS V7.4.1: Sanitized error (no full path)
+            logger.warning(
+                "code_context_path_invalid",
+                extra={"file_path": Path(file_path).name, "reason": "invalid_path"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Invalid file path",
+            )
+
+        # ASVS V5.3.3: Path traversal check
+        if not self._validate_path(full_path):
+            logger.warning(
+                "code_context_path_traversal",
+                extra={"file_path": Path(file_path).name, "reason": "path_traversal"},
+            )
+            return None
+
+        # Check if file exists
+        if not full_path.exists():
+            logger.info(
+                "code_context_file_not_found",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="File not found",
+            )
+
+        # ASVS V8.3.4: Sensitive file check
+        if self._is_sensitive_file(full_path):
+            logger.info(
+                "code_context_sensitive_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Code hidden (sensitive file type)",
+            )
+
+        # Binary file check
+        if not self._is_text_file(full_path):
+            logger.info(
+                "code_context_binary_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return None
+
+        # ASVS V10.3.3: File size check
+        size_mb = full_path.stat().st_size / (1024 * 1024)
+        if size_mb > self.max_file_size_mb:
+            logger.warning(
+                "code_context_file_too_large",
+                extra={"file_path": Path(file_path).name, "size_mb": f"{size_mb:.1f}"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error=f"File too large for display ({size_mb:.1f}MB)",
+            )
+
+        # Read file content (with caching for performance)
+        cache_key = str(full_path)
+        if cache_key in self._file_cache:
+            file_content = self._file_cache[cache_key]
+        else:
+            try:
+                file_content = full_path.read_text(encoding="utf-8")
+                # Cache the content
+                self._file_cache[cache_key] = file_content
+                # Evict oldest entry if cache is full (simple FIFO)
+                if len(self._file_cache) > self._cache_max_size:
+                    # Remove first (oldest) entry
+                    oldest_key = next(iter(self._file_cache))
+                    del self._file_cache[oldest_key]
+            except (OSError, UnicodeDecodeError) as e:
+                # ASVS V7.4.1: Sanitized error
+                logger.warning(
+                    "code_context_read_error",
+                    extra={"file_path": Path(file_path).name, "error": str(e)},
+                )
+                return CodeContext(
+                    code="",
+                    language="",
+                    vulnerable_line="",
+                    error="Cannot read file",
+                )
+
+        # Extract code context using existing logic from fix engine
+        code_context, vulnerable_line = self._prompt_builder.extract_code_context(
+            file_content, line
+        )
+
+        # Detect language for syntax highlighting
+        language = self._detect_language(full_path)
+
+        return CodeContext(
+            code=code_context,
+            language=language,
+            vulnerable_line=vulnerable_line,
+            error=None,
+        )
+
+    def _validate_path(self, path: Path) -> bool:
+        """Validate that path is within repo_path (prevent traversal).
+
+        Args:
+            path: Resolved path to validate.
+
+        Returns:
+            True if path is safe, False otherwise.
+
+        Security:
+            ASVS V5.3.3: Path validation to prevent directory traversal.
+        """
+        try:
+            # Check if path is within repo_path
+            path.relative_to(self.repo_path)
+            return True
+        except ValueError:
+            return False
+
+    def _is_text_file(self, path: Path) -> bool:
+        """Check if file is a text file (not binary).
+
+        Args:
+            path: Path to check.
+
+        Returns:
+            True if likely a text file, False if binary.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+
+        # Check against binary extensions
+        if suffix in BINARY_EXTENSIONS:
+            return False
+
+        # Special cases without extensions
+        if name in ("dockerfile", "makefile", "vagrantfile", "jenkinsfile"):
+            return True
+
+        return True
+
+    def _is_sensitive_file(self, path: Path) -> bool:
+        """Check if file contains sensitive data (secrets, keys).
+
+        Args:
+            path: Path to check.
+
+        Returns:
+            True if file is sensitive and should not be displayed.
+
+        Security:
+            ASVS V8.3.4: Prevent sensitive data in outputs.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+
+        # Check extension
+        if suffix in SENSITIVE_EXTENSIONS:
+            return True
+
+        # Check if the entire filename (including leading dot) matches sensitive patterns
+        # For files like .env, .pem, etc., the suffix is empty but name includes the dot
+        if name in {".env", ".pem", ".key", ".crt"}:
+            return True
+
+        # Check filename patterns
+        return any(
+            pattern in name
+            for pattern in [
+                "secret",
+                "credential",
+                "password",
+                "token",
+                "apikey",
+                "private_key",
+                "id_rsa",
+                "id_dsa",
+                "id_ecdsa",
+            ]
+        )
+
+    def _detect_language(self, path: Path) -> str:
+        """Detect programming language from file extension.
+
+        Args:
+            path: Path to the file.
+
+        Returns:
+            Language identifier for syntax highlighting.
+        """
+        return self._prompt_builder._detect_language(str(path))

kekkai/triage/fix_screen.py

@@ -213,17 +213,47 @@ class FixGenerationScreen(ModalScreen[bool]):
             self.fix_generated = False
 
     def action_accept(self) -> None:
-        """Accept and apply the generated fix."""
+        """Accept and apply the generated fix (workbench: step 3 - verification)."""
         if not self.fix_generated:
             return
 
+        # Generate post-fix verification hints
+        verification_message = self._get_verification_hints()
+
         if self.on_fix_generated:
-            self.on_fix_generated(
-                True, "Fix generated successfully (dry-run mode - review before applying)"
-            )
+            self.on_fix_generated(True, verification_message)
 
         self.dismiss(True)
 
+    def _get_verification_hints(self) -> str:
+        """Generate next-steps hints after fix is applied."""
+        file_path = self.finding.file_path or "file"
+        file_name = file_path.split("/")[-1] if "/" in file_path else file_path
+
+        # Detect likely test command based on file extension
+        test_cmd = "pytest tests/"
+        if file_path.endswith(".js") or file_path.endswith(".ts"):
+            test_cmd = "npm test"
+        elif file_path.endswith(".go"):
+            test_cmd = "go test ./..."
+        elif file_path.endswith(".rs"):
+            test_cmd = "cargo test"
+        elif file_path.endswith(".java"):
+            test_cmd = "mvn test"
+
+        hints = [
+            f"✓ Fix applied to {file_name}",
+            "",
+            "📋 Next steps:",
+            f"  1. Run tests: {test_cmd}",
+            "  2. Re-scan: kekkai scan --repo .",
+            f"  3. Commit: git add {file_path} && git commit -m 'fix: {self.finding.title[:50]}'",
+            "",
+            "💡 Tip: Review the changes carefully before committing!",
+        ]
+
+        return "\n".join(hints)
+
     def action_cancel(self) -> None:
         """Cancel fix generation."""
         if self.on_fix_generated:

kekkai/triage/screens.py

@@ -6,8 +6,10 @@ with keyboard navigation and action handling.
 
 from __future__ import annotations
 
+from pathlib import Path
 from typing import TYPE_CHECKING
 
+from rich.syntax import Syntax
 from rich.text import Text
 from textual.app import ComposeResult
 from textual.binding import Binding
@@ -15,6 +17,7 @@ from textual.containers import Vertical, VerticalScroll
 from textual.screen import Screen
 from textual.widgets import Footer, Header, Label, Static, TextArea
 
+from .code_context import CodeContextExtractor
 from .models import TriageState
 from .widgets import FindingCard, sanitize_display
 
@@ -149,10 +152,15 @@ class FindingListScreen(Screen[None]):
         if not self.findings:
             return
         finding = self.findings[self.selected_index]
+        # Get repo_path and context_lines from app if available
+        repo_path = getattr(self.app, "repo_path", None)
+        context_lines = getattr(self.app, "context_lines", 10)
         self.app.push_screen(
             FindingDetailScreen(
                 finding,
                 on_state_change=self._handle_detail_state_change,
+                repo_path=repo_path,
+                context_lines=context_lines,
             )
         )
 
@@ -212,6 +220,10 @@ class FindingDetailScreen(Screen[None]):
     """
 
     BINDINGS = [
+        Binding("x", "fix_with_ai", "🤖 AI Fix"),
+        Binding("ctrl+o", "open_in_editor", "Open in Editor"),
+        Binding("e", "expand_context", "Expand Context"),
+        Binding("s", "shrink_context", "Shrink Context"),
         Binding("f", "mark_false_positive", "False Positive"),
         Binding("c", "mark_confirmed", "Confirmed"),
         Binding("d", "mark_deferred", "Deferred"),
@@ -234,6 +246,24 @@ class FindingDetailScreen(Screen[None]):
         padding: 1;
         border: solid $primary;
     }
+    #code-context-display {
+        height: 20;
+        border: solid $accent;
+        padding: 1;
+        margin: 1 0;
+        overflow-y: scroll;
+    }
+    .error-message {
+        color: $warning;
+        italic: true;
+    }
+    #action-hints {
+        height: auto;
+        padding: 1;
+        margin: 1 0;
+        background: $panel;
+        border: solid $secondary;
+    }
     #notes-area {
         height: 8;
         margin-top: 1;
@@ -245,12 +275,17 @@ class FindingDetailScreen(Screen[None]):
         self,
         finding: FindingEntry,
         on_state_change: Callable[[TriageState, str], None] | None = None,
+        repo_path: Path | None = None,
+        context_lines: int = 10,
         name: str | None = None,
         id: str | None = None,
     ) -> None:
         super().__init__(name=name, id=id)
         self.finding = finding
         self.on_state_change = on_state_change
+        self.repo_path = repo_path or Path.cwd()
+        self.context_lines = context_lines
+        self._code_extractor = CodeContextExtractor(self.repo_path)
 
     def compose(self) -> ComposeResult:
         yield Header()
@@ -258,6 +293,13 @@ class FindingDetailScreen(Screen[None]):
             yield Static(self._header_text(), id="detail-header")
             with VerticalScroll(id="detail-content"):
                 yield Static(self._detail_text())
+            # Add code context if available
+            code_widget = self._render_code_context()
+            if code_widget:
+                yield Label("Code Context:")
+                yield code_widget
+            # Add action hints to make workflow discoverable
+            yield Static(self._action_hints(), id="action-hints")
             yield Label("Notes (will be saved with decision):")
             yield TextArea(self.finding.notes, id="notes-area")
         yield Footer()
@@ -340,3 +382,186 @@ class FindingDetailScreen(Screen[None]):
     def action_go_back(self) -> None:
         """Go back to list screen."""
         self.app.pop_screen()
+
+    def _action_hints(self) -> Text:
+        """Generate action hints to make workflow discoverable."""
+        text = Text()
+        text.append("💡 Actions: ", style="bold")
+        text.append("Press ", style="dim")
+        text.append("X", style="bold cyan")
+        text.append(" for AI-powered fix | ", style="dim")
+        text.append("Ctrl+O", style="bold cyan")
+        text.append(" to open in ", style="dim")
+        text.append("$EDITOR", style="italic")
+        text.append(" | ", style="dim")
+        text.append("E", style="bold cyan")
+        text.append("/", style="dim")
+        text.append("S", style="bold cyan")
+        text.append(" to expand/shrink context", style="dim")
+        return text
+
+    def action_fix_with_ai(self) -> None:
+        """Trigger AI-powered fix generation (workbench: step 2)."""
+        # Check if file path and line exist (required for fix)
+        if not self.finding.file_path or not self.finding.line:
+            self.notify(
+                "Cannot generate fix: no file path or line number",
+                severity="warning",
+            )
+            return
+
+        # Import and show fix generation screen
+        try:
+            from .fix_screen import FixGenerationScreen
+
+            def on_fix_result(accepted: bool, preview: str) -> None:
+                if accepted:
+                    self.notify("Fix generation completed!", severity="information")
+                else:
+                    self.notify("Fix generation cancelled", severity="information")
+
+            self.app.push_screen(
+                FixGenerationScreen(
+                    finding=self.finding,
+                    on_fix_generated=on_fix_result,
+                )
+            )
+        except ImportError:
+            self.notify("AI fix feature not available", severity="error")
+
+    def action_open_in_editor(self) -> None:
+        """Open file in external $EDITOR at the vulnerable line (workbench: step 2)."""
+        import logging
+        import os
+        import shutil
+        import subprocess
+
+        logger = logging.getLogger(__name__)
+
+        if not self.finding.file_path or not self.finding.line:
+            self.notify(
+                "Cannot open editor: no file path or line number",
+                severity="warning",
+            )
+            return
+
+        # Get editor from environment (ASVS V5.1.3: validate before use)
+        editor = os.environ.get("EDITOR", "vim")
+
+        # Security validation: check editor exists and is executable
+        editor_path = shutil.which(editor)
+        if not editor_path:
+            self.notify(
+                f"Editor '{editor}' not found. Set $EDITOR environment variable.",
+                severity="error",
+            )
+            return
+
+        # Construct file path relative to repo
+        file_path = self.repo_path / self.finding.file_path
+        if not file_path.exists():
+            self.notify(f"File not found: {self.finding.file_path}", severity="error")
+            return
+
+        # Log editor invocation (ASVS V16.7.1)
+        logger.info(
+            "editor_opened",
+            extra={
+                "editor": editor,
+                "file": self.finding.file_path,
+                "line": self.finding.line,
+            },
+        )
+
+        # ASVS V14.2.1: Use list args (not shell=True) to prevent injection
+        cmd = [editor_path, f"+{self.finding.line}", str(file_path)]
+
+        try:
+            # Suspend TUI, run editor, then resume
+            with self.app.suspend():
+                # S603: subprocess with validated input (editor_path checked via shutil.which)
+                result = subprocess.run(cmd, check=False)  # noqa: S603
+                if result.returncode != 0:
+                    self.notify(
+                        f"Editor exited with code {result.returncode}",
+                        severity="warning",
+                    )
+        except Exception as e:
+            logger.error("editor_failed", extra={"error": str(e)})
+            self.notify(f"Failed to open editor: {e}", severity="error")
+
+    def action_expand_context(self) -> None:
+        """Expand code context by 10 lines (addresses keyhole effect)."""
+        self.context_lines = min(100, self.context_lines + 10)
+        self._refresh_code_context()
+        self.notify(f"Context expanded to {self.context_lines} lines", severity="information")
+
+    def action_shrink_context(self) -> None:
+        """Shrink code context by 10 lines."""
+        self.context_lines = max(5, self.context_lines - 10)
+        self._refresh_code_context()
+        self.notify(f"Context shrunk to {self.context_lines} lines", severity="information")
+
+    def _refresh_code_context(self) -> None:
+        """Refresh code context display with new context_lines setting."""
+        import logging
+
+        logger = logging.getLogger(__name__)
+
+        try:
+            # Update the prompt builder's context lines
+            self._code_extractor._prompt_builder.context_lines = self.context_lines
+
+            # Re-render code context
+            code_widget = self._render_code_context()
+            if code_widget:
+                # Find and update the existing widget
+                try:
+                    old_widget = self.query_one("#code-context-display")
+                    # Replace content by removing old and adding new
+                    old_widget.remove()
+                    # Find the label and insert after it
+                    container = self.query_one("#detail-container")
+                    container.mount(code_widget)
+                except Exception as e:
+                    # Widget not found or couldn't refresh
+                    logger.debug("code_context_refresh_failed", extra={"error": str(e)})
+        except Exception as e:
+            # Refresh failed, log but don't crash
+            logger.debug("code_context_update_failed", extra={"error": str(e)})
+
+    def _render_code_context(self) -> Static | None:
+        """Render code context with syntax highlighting.
+
+        Returns:
+            Static widget with Syntax-highlighted code, or None if unavailable.
+
+        Security:
+            - File size limit: 10MB (ASVS V10.3.3)
+            - Path validation: must be within repo_path (ASVS V5.3.3)
+            - Error sanitization: no full paths in errors (ASVS V7.4.1)
+            - Sensitive file blocking (ASVS V8.3.4)
+        """
+        if not self.finding.file_path or not self.finding.line:
+            return None
+
+        context = self._code_extractor.extract(self.finding.file_path, self.finding.line)
+        if not context:
+            return None
+
+        if context.error:
+            return Static(f"Code unavailable: {context.error}", classes="error-message")
+
+        # Create syntax-highlighted code display
+        try:
+            syntax = Syntax(
+                context.code,
+                context.language,
+                line_numbers=False,  # We already have line numbers in the context
+                theme="monokai",
+                word_wrap=False,
+            )
+            return Static(syntax, id="code-context-display")
+        except Exception:
+            # Fallback to plain text if syntax highlighting fails
+            return Static(context.code, id="code-context-display")

{kekkai_cli-2.0.0.dist-info → kekkai_cli-2.2.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.0.0
+Version: 2.2.0
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown
@@ -8,30 +8,32 @@ Requires-Dist: rich>=13.0.0
 Requires-Dist: jsonschema>=4.20.0
 Requires-Dist: textual>=0.50.0
 Requires-Dist: httpx>=0.24.0
+Requires-Dist: jinja2>=3.1.6
 
 <p align="center">
   <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
 </p>
 
-<p align="center"><strong>Stop parsing JSON. Security triage in your terminal.</strong></p>
+<p align="center"><strong>Interactive security triage in the terminal.</strong></p>
 
 <p align="center">
   <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
   <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+  <img alt="PyPI - Version" src="https://img.shields.io/pypi/v/kekkai-cli">
+
 </p>
 
 ---
 
 # Kekkai
 
-**Interactive security triage in the terminal.**
+**Stop parsing JSON.**
 
 Kekkai is a small open-source CLI that wraps existing security scanners (Trivy, Semgrep, Gitleaks) and focuses on the part that tends to be slow and frustrating: reviewing and triaging results.
 
 Running scanners is easy. Interpreting noisy output, dealing with false positives, and making CI usable is not. Kekkai exists to make that part tolerable..
 
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-start.gif)
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai.gif)
 
 ---
 
@@ -72,6 +74,17 @@ kekkai triage
 # Interactive TUI to review findings with keyboard navigation
 ```
 
+### ⚡️ Auto-Install (Pre-commit)
+
+Add this to your `.pre-commit-config.yaml` to scan on every commit:
+
+```yaml
+  - repo: [https://github.com/kademoslabs/kekkai](https://github.com/kademoslabs/kekkai)
+    rev: v2.0.1
+    hooks:
+      - id: kekkai-scan
+```
+
 No signup, no cloud service required.
 
 ---
@@ -107,40 +120,17 @@ kekkai triage
 - `Ctrl+S`: Save decisions
 - `q`: Quit
 
-<!-- Screenshot placeholder: ![Triage TUI](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/triage-tui.png) -->
+![Triage TUI](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-triage.png)
 
 [Full Triage Documentation →](docs/triage/README.md)
 
 ---
 
-### CI/CD Policy Gate
-
-Break builds on severity thresholds.
-
-Kekkai can be used as a CI gate based on severity thresholds.
+### 🚦 CI/CD in 1 Second
 
+Don't write YAML. Run this in your repo:
 ```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-```
-
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-
-**GitHub Actions Example:**
-
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
+kekkai init --ci
 ```
 
 [Full CI Documentation →](docs/ci/ci-mode.md)

{kekkai_cli-2.0.0.dist-info → kekkai_cli-2.2.0.dist-info}/RECORD

@@ -1,10 +1,10 @@
 kekkai/__init__.py,sha256=_VrBvJRyqHiXs31S8HOhATk_O2iy-ac0_9X7rHH75j8,143
-kekkai/cli.py,sha256=Y99dHzSRLV4sqbFiSe81nJRtvx2dQWmRDPyOVdghIIQ,66616
+kekkai/cli.py,sha256=Rj8lsUciI4Rsn5_wfwYDkrD3EsR5FFy2PZzd2qbq3XQ,68206
 kekkai/config.py,sha256=LE7bKsmv5dim5KnZya0V7_LtviNQ1V0pMN_6FyAsMpc,13084
 kekkai/dojo.py,sha256=erLdTMOioTyzVhXYW8xgdbU5Ro-KQx1OcTQN7_zemmY,18634
 kekkai/dojo_import.py,sha256=D0ZQM_0JYHqUqJA3l4nKD-RkpvcOcgj-4zv59HRcQ6k,7274
 kekkai/manifest.py,sha256=Ph5xGDKuVxMW1GVIisRhxUelaiVZQe-W5sZWsq4lHqs,1887
-kekkai/output.py,sha256=QdIFsXCRb9aT5PaKmj0j0y2fg3IRjcLXQMzuGlASNFY,5426
+kekkai/output.py,sha256=V8GkFgaT8oYQOxplBeSXv60q6BeBICTfrrLE-5qDuIc,5426
 kekkai/paths.py,sha256=EcyG3CEOQFQygowu7O5Mp85dKkXWWvnm1h0j_BetGxY,1190
 kekkai/policy.py,sha256=0XCUH-SbnO1PsM-exjSFHYHRnLkiNa50QfkyPakwNko,9792
 kekkai/runner.py,sha256=MBFUiJ4sSVEGNbJ6cv-8p1WHaHqjio6yWEfr_K4GuTs,2037
@@ -58,14 +58,15 @@ kekkai/threatflow/model_adapter.py,sha256=Vl0wBWvBUxEGTmFghjwpp-N7Zt3qkpUSxrPVjK
 kekkai/threatflow/prompts.py,sha256=lgbj7FJ1c3UYj4ofGnlLoRmywYBfdAKY0QEHmIB_JFw,8525
 kekkai/threatflow/redaction.py,sha256=mGUcNQB6YPVKArtMrEYcXCWslgUiCkloiowY9IlZ1iY,7622
 kekkai/threatflow/sanitizer.py,sha256=uQsxYZ5VDXutZoj-WMl7fo5T07uHuQZqgVzoVMoaKec,22688
-kekkai/triage/__init__.py,sha256=gYf4XPIYZTthU0Q0kaptbgMKulkjLxWQWG0HQvtlu-o,2182
-kekkai/triage/app.py,sha256=MU2tBI50d8sOdDKESGNrWYiREG9bBtrSccaMoiMv5gM,5027
+kekkai/triage/__init__.py,sha256=lUDFJqQk0EjQD2ZP6s3WQnZ8R-KGds8_W7RmFzBDPN8,2463
+kekkai/triage/app.py,sha256=WKvT00UDO2ywVgahLlHAcqB-OnPN05Ps_FKoN6RY0lc,5615
 kekkai/triage/audit.py,sha256=UVaSKKC6tZkHxEoMcnIZkMOT_ngj7QzHWYuDAHas_sc,5842
-kekkai/triage/fix_screen.py,sha256=mj_waXwKPCrT01bVSSu5Ohi-3JvN2lT18Yy44xICItY,7667
+kekkai/triage/code_context.py,sha256=UyPtvUwdfZLuJjDpzmusYkLzs27GyiInTer95wrYg94,10111
+kekkai/triage/fix_screen.py,sha256=jL0ZXoNKBvkhrnWxutPrviMRL5iacJ19qpxX3hKEZvc,8843
 kekkai/triage/ignore.py,sha256=uBKM7zKyzORj9LJ5AAnoYWZQTRy57P0ZofSapiDWcfI,7305
 kekkai/triage/loader.py,sha256=vywhS8fcre7PiBX3H2CpKXFxzvO7LcDnIHIB0kzG3R4,5850
 kekkai/triage/models.py,sha256=nRmWtELMqHWHX1NqZ2upH2ZAJVeBxa3Wh8f3kkB9WYo,5384
-kekkai/triage/screens.py,sha256=MbudQkdQ4JFt5c80V3LtqCeXxAIu7nIfZpm7G5wRXT0,11061
+kekkai/triage/screens.py,sha256=XeQUiTagNXL_CdH_oqtDnPOdusteRiNBMRBnXeoypK0,19891
 kekkai/triage/widgets.py,sha256=eOF6Qoo5uBqjxiEkbpgcO1tbIOGBQBKn75wP9Jw_AaE,4733
 kekkai_core/__init__.py,sha256=gREN4oarM0azTkSTWTnlDnPZGgv1msai2Deq9Frj3gc,122
 kekkai_core/redaction.py,sha256=EeWYPjAs2hIXlLKGmGn_PRdK08G4KcOBmbRCoFklbHc,2893
@@ -85,8 +86,8 @@ kekkai_core/windows/chocolatey.py,sha256=tF5S5eN-HeENRt6yQ4TZgwng0oRMX_ScskQ3-eb
 kekkai_core/windows/installer.py,sha256=MePAywHH3JTIAENv52XtkUMOGqmYqZqkH77VW5PST8o,6945
 kekkai_core/windows/scoop.py,sha256=lvothICrAoB3lGfkvhqVeNTB50eMmVGA0BE7JNCfHdI,5284
 kekkai_core/windows/validators.py,sha256=45xUuAbHcKc0WLIZ-0rByPeDD88MAV8KvopngyYBHpQ,6525
-kekkai_cli-2.0.0.dist-info/METADATA,sha256=FiwQoECQj5ks2uQEiZ3oMkOSlkf7QE0d9ke-UNRnbPw,8125
-kekkai_cli-2.0.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-kekkai_cli-2.0.0.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
-kekkai_cli-2.0.0.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
-kekkai_cli-2.0.0.dist-info/RECORD,,
+kekkai_cli-2.2.0.dist-info/METADATA,sha256=EreFgZdr64N1_IITenfMRgnQCDBtQ6Fabvye96QT3g8,7865
+kekkai_cli-2.2.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+kekkai_cli-2.2.0.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
+kekkai_cli-2.2.0.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
+kekkai_cli-2.2.0.dist-info/RECORD,,