kekkai-cli 2.0.1__py3-none-any.whl → 2.2.1__py3-none-any.whl

kekkai/cli.py

@@ -221,6 +221,17 @@ def main(argv: Sequence[str] | None = None) -> int:
         type=str,
         help="Path for .kekkaiignore output (default: .kekkaiignore)",
     )
+    triage_parser.add_argument(
+        "--repo",
+        type=str,
+        help="Repository root path (default: auto-detect from run.json)",
+    )
+    triage_parser.add_argument(
+        "--context-lines",
+        type=int,
+        default=10,
+        help="Context lines before/after line (default: 10, range: 5-100)",
+    )
 
     # Fix subcommand - AI-powered remediation
     fix_parser = subparsers.add_parser("fix", help="generate AI-powered code fixes for findings")
@@ -1186,6 +1197,11 @@ def _command_triage(parsed: argparse.Namespace) -> int:
 
     input_path_str = cast(str | None, getattr(parsed, "input", None))
     output_path_str = cast(str | None, getattr(parsed, "output", None))
+    repo_path_str = cast(str | None, getattr(parsed, "repo", None))
+    context_lines = cast(int, getattr(parsed, "context_lines", 10))
+
+    # Validate context_lines range
+    context_lines = max(5, min(100, context_lines))
 
     # Default to latest run if no input specified
     if not input_path_str:
@@ -1232,7 +1248,39 @@ def _command_triage(parsed: argparse.Namespace) -> int:
 
     console.print(f"[info]Loaded {len(findings)} finding(s)[/info]\n")
 
-    return run_triage(findings=findings, output_path=output_path)
+    # Auto-detect repo_path from run.json if not explicitly provided
+    repo_path: Path | None = None
+    if repo_path_str:
+        repo_path = Path(repo_path_str).expanduser().resolve()
+    elif input_path.is_dir():
+        # Try to read repo_path from run.json
+        manifest_path = input_path / "run.json"
+        if manifest_path.exists():
+            try:
+                import json
+
+                with manifest_path.open() as f:
+                    manifest_data = json.load(f)
+                stored_repo = manifest_data.get("repo_path")
+                if stored_repo:
+                    repo_path = Path(stored_repo).expanduser().resolve()
+                    console.print(f"[dim]Using repo path from run metadata: {repo_path}[/dim]\n")
+            except (OSError, json.JSONDecodeError, KeyError):
+                pass
+
+    # Fall back to current directory if still not set (with warning)
+    if repo_path is None:
+        repo_path = Path.cwd()
+        console.print("[warning]⚠ Repo path not detected. Using current directory.[/warning]")
+        console.print("[dim]Tip: Use --repo to specify repository root explicitly.[/dim]")
+        console.print(f"[dim]Current directory: {repo_path}[/dim]\n")
+
+    return run_triage(
+        findings=findings,
+        output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
+    )
 
 
 def _command_fix(parsed: argparse.Namespace) -> int:

kekkai/output.py

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
 
-VERSION = "2.0.1"
+VERSION = "2.2.1"
 
 
 def print_dashboard() -> None:

kekkai/triage/__init__.py

@@ -29,6 +29,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI (lazy import).
 
@@ -36,6 +38,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
 
     Returns:
         Exit code (0 for success).
@@ -50,6 +54,8 @@ def run_triage(
             input_path=input_path,
             output_path=output_path,
             findings=findings,
+            repo_path=repo_path,
+            context_lines=context_lines,
         )
     except ImportError as e:
         raise RuntimeError(

kekkai/triage/app.py

@@ -51,6 +51,8 @@ class TriageApp(App[None]):
         input_path: Path | None = None,
         output_path: Path | None = None,
         audit_path: Path | None = None,
+        repo_path: Path | None = None,
+        context_lines: int = 10,
     ) -> None:
         """Initialize triage application.
 
@@ -59,6 +61,8 @@ class TriageApp(App[None]):
             input_path: Path to findings JSON file.
             output_path: Path for .kekkaiignore output.
             audit_path: Path for audit log.
+            repo_path: Repository root path for code context display.
+            context_lines: Number of lines to show before/after vulnerable line.
         """
         super().__init__()
         self._input_path = input_path
@@ -66,6 +70,8 @@ class TriageApp(App[None]):
         self.ignore_file = IgnoreFile(output_path)
         self.audit_log = TriageAuditLog(audit_path)
         self._decisions: dict[str, TriageDecision] = {}
+        self.repo_path = repo_path or Path.cwd()
+        self.context_lines = context_lines
 
     @property
     def findings(self) -> list[FindingEntry]:
@@ -148,6 +154,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI.
 
@@ -155,6 +163,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
 
     Returns:
         Exit code (0 for success).
@@ -163,6 +173,8 @@ def run_triage(
         findings=findings,
         input_path=input_path,
         output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
     )
     app.run()
     return 0

kekkai/triage/code_context.py

@@ -0,0 +1,369 @@
+"""Code context extraction for triage TUI.
+
+Provides secure code context extraction with security controls:
+- Path traversal protection (ASVS V5.3.3)
+- File size limits (ASVS V10.3.3)
+- Sensitive file detection (ASVS V8.3.4)
+- Error sanitization (ASVS V7.4.1)
+"""
+
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from pathlib import Path
+
+from ..fix.prompts import FixPromptBuilder
+
+logger = logging.getLogger(__name__)
+
+__all__ = [
+    "CodeContext",
+    "CodeContextExtractor",
+]
+
+# Security limits per ASVS V10.3.3
+MAX_FILE_SIZE_MB = 10
+
+# Sensitive file extensions to block (ASVS V8.3.4)
+SENSITIVE_EXTENSIONS = {
+    ".env",
+    ".pem",
+    ".key",
+    ".crt",
+    ".p12",
+    ".pfx",
+    ".jks",
+    ".keystore",
+    ".pub",
+    "id_rsa",
+    "id_dsa",
+    "id_ecdsa",
+    "id_ed25519",
+}
+
+# Binary file extensions to skip
+BINARY_EXTENSIONS = {
+    ".pyc",
+    ".pyo",
+    ".so",
+    ".dll",
+    ".dylib",
+    ".exe",
+    ".bin",
+    ".class",
+    ".jar",
+    ".war",
+    ".ear",
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".bmp",
+    ".ico",
+    ".pdf",
+    ".zip",
+    ".tar",
+    ".gz",
+    ".bz2",
+    ".7z",
+    ".rar",
+    ".whl",
+    ".egg",
+}
+
+
+@dataclass
+class CodeContext:
+    """Code context with syntax highlighting metadata.
+
+    Attributes:
+        code: Formatted code with line numbers and >>> marker.
+        language: Detected programming language for syntax highlighting.
+        vulnerable_line: The specific vulnerable line text.
+        error: Error message if extraction failed (None on success).
+    """
+
+    code: str
+    language: str
+    vulnerable_line: str
+    error: str | None = None
+
+
+class CodeContextExtractor:
+    """Extracts code context from files with security controls.
+
+    Security features:
+    - Path validation to prevent traversal attacks (ASVS V5.3.3)
+    - File size limits to prevent DoS (ASVS V10.3.3)
+    - Sensitive file detection (ASVS V8.3.4)
+    - Sanitized error messages (ASVS V7.4.1)
+
+    Performance features:
+    - LRU cache for file contents (max 20 files, ~200KB per file = ~4MB total)
+    - Reduces re-reads when navigating between findings in same files
+    """
+
+    def __init__(self, repo_path: Path, max_file_size_mb: int = MAX_FILE_SIZE_MB) -> None:
+        """Initialize code context extractor.
+
+        Args:
+            repo_path: Repository root path (for path validation).
+            max_file_size_mb: Maximum file size in MB (DoS protection).
+        """
+        self.repo_path = repo_path.resolve()
+        self.max_file_size_mb = max_file_size_mb
+        self._prompt_builder = FixPromptBuilder(context_lines=10)
+        # Simple LRU cache: {file_path: file_content}
+        # Limited to 20 files to prevent memory bloat
+        self._file_cache: dict[str, str] = {}
+        self._cache_max_size = 20
+
+    def extract(self, file_path: str, line: int | None) -> CodeContext | None:
+        """Extract code context from a file.
+
+        Args:
+            file_path: Relative or absolute path to the file.
+            line: Line number (1-indexed) of the vulnerability.
+
+        Returns:
+            CodeContext object with code and metadata, or None if unavailable.
+
+        Security:
+            - Path validation (ASVS V5.3.3)
+            - Size limits (ASVS V10.3.3)
+            - Sensitive file blocking (ASVS V8.3.4)
+            - Error sanitization (ASVS V7.4.1)
+        """
+        if not file_path or not line:
+            return None
+
+        # Resolve path
+        try:
+            full_path = (self.repo_path / file_path).resolve()
+        except (ValueError, OSError):
+            # ASVS V7.4.1: Sanitized error (no full path)
+            logger.warning(
+                "code_context_path_invalid",
+                extra={"file_path": Path(file_path).name, "reason": "invalid_path"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Invalid file path",
+            )
+
+        # ASVS V5.3.3: Path traversal check
+        if not self._validate_path(full_path):
+            logger.warning(
+                "code_context_path_traversal",
+                extra={"file_path": Path(file_path).name, "reason": "path_traversal"},
+            )
+            return None
+
+        # Check if file exists
+        if not full_path.exists():
+            logger.info(
+                "code_context_file_not_found",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="File not found",
+            )
+
+        # ASVS V8.3.4: Sensitive file check
+        if self._is_sensitive_file(full_path):
+            logger.info(
+                "code_context_sensitive_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Code hidden (sensitive file type)",
+            )
+
+        # Binary file check
+        if not self._is_text_file(full_path):
+            logger.info(
+                "code_context_binary_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return None
+
+        # ASVS V10.3.3: File size check
+        size_mb = full_path.stat().st_size / (1024 * 1024)
+        if size_mb > self.max_file_size_mb:
+            logger.warning(
+                "code_context_file_too_large",
+                extra={"file_path": Path(file_path).name, "size_mb": f"{size_mb:.1f}"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error=f"File too large for display ({size_mb:.1f}MB)",
+            )
+
+        # Read file content (with caching for performance and encoding fallback)
+        cache_key = str(full_path)
+        if cache_key in self._file_cache:
+            file_content = self._file_cache[cache_key]
+        else:
+            try:
+                # Try UTF-8 first (strict mode)
+                file_content = full_path.read_text(encoding="utf-8")
+            except UnicodeDecodeError:
+                # HOTFIX: Fallback to UTF-8 with replacement characters
+                # This allows viewing legacy files (Windows-1252, Latin-1) with � for invalid chars
+                # instead of completely hiding the file with "Cannot read file" error
+                logger.info(
+                    "code_context_encoding_fallback",
+                    extra={"file_path": Path(file_path).name, "reason": "non_utf8"},
+                )
+                try:
+                    file_content = full_path.read_text(encoding="utf-8", errors="replace")
+                except (OSError, UnicodeDecodeError) as e:
+                    # Even fallback failed (should be rare - permissions, etc.)
+                    logger.warning(
+                        "code_context_read_error",
+                        extra={"file_path": Path(file_path).name, "error": str(e)},
+                    )
+                    return CodeContext(
+                        code="",
+                        language="",
+                        vulnerable_line="",
+                        error="Cannot read file (encoding error)",
+                    )
+            except OSError as e:
+                # File read error (permissions, etc.)
+                logger.warning(
+                    "code_context_read_error",
+                    extra={"file_path": Path(file_path).name, "error": str(e)},
+                )
+                return CodeContext(
+                    code="",
+                    language="",
+                    vulnerable_line="",
+                    error="Cannot read file",
+                )
+
+            # Cache the content
+            self._file_cache[cache_key] = file_content
+            # Evict oldest entry if cache is full (simple FIFO)
+            if len(self._file_cache) > self._cache_max_size:
+                # Remove first (oldest) entry
+                oldest_key = next(iter(self._file_cache))
+                del self._file_cache[oldest_key]
+
+        # Extract code context using existing logic from fix engine
+        code_context, vulnerable_line = self._prompt_builder.extract_code_context(
+            file_content, line
+        )
+
+        # Detect language for syntax highlighting
+        language = self._detect_language(full_path)
+
+        return CodeContext(
+            code=code_context,
+            language=language,
+            vulnerable_line=vulnerable_line,
+            error=None,
+        )
+
+    def _validate_path(self, path: Path) -> bool:
+        """Validate that path is within repo_path (prevent traversal).
+
+        Args:
+            path: Resolved path to validate.
+
+        Returns:
+            True if path is safe, False otherwise.
+
+        Security:
+            ASVS V5.3.3: Path validation to prevent directory traversal.
+        """
+        try:
+            # Check if path is within repo_path
+            path.relative_to(self.repo_path)
+            return True
+        except ValueError:
+            return False
+
+    def _is_text_file(self, path: Path) -> bool:
+        """Check if file is a text file (not binary).
+
+        Args:
+            path: Path to check.
+
+        Returns:
+            True if likely a text file, False if binary.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+
+        # Check against binary extensions
+        if suffix in BINARY_EXTENSIONS:
+            return False
+
+        # Special cases without extensions
+        if name in ("dockerfile", "makefile", "vagrantfile", "jenkinsfile"):
+            return True
+
+        return True
+
+    def _is_sensitive_file(self, path: Path) -> bool:
+        """Check if file contains sensitive data (secrets, keys).
+
+        Args:
+            path: Path to check.
+
+        Returns:
+            True if file is sensitive and should not be displayed.
+
+        Security:
+            ASVS V8.3.4: Prevent sensitive data in outputs.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+
+        # Check extension
+        if suffix in SENSITIVE_EXTENSIONS:
+            return True
+
+        # Check if the entire filename (including leading dot) matches sensitive patterns
+        # For files like .env, .pem, etc., the suffix is empty but name includes the dot
+        if name in {".env", ".pem", ".key", ".crt"}:
+            return True
+
+        # Check filename patterns
+        return any(
+            pattern in name
+            for pattern in [
+                "secret",
+                "credential",
+                "password",
+                "token",
+                "apikey",
+                "private_key",
+                "id_rsa",
+                "id_dsa",
+                "id_ecdsa",
+            ]
+        )
+
+    def _detect_language(self, path: Path) -> str:
+        """Detect programming language from file extension.
+
+        Args:
+            path: Path to the file.
+
+        Returns:
+            Language identifier for syntax highlighting.
+        """
+        return self._prompt_builder._detect_language(str(path))

kekkai/triage/editor_support.py

@@ -0,0 +1,166 @@
+"""Editor-specific line jump syntax support.
+
+Provides detection and command building for popular editors with
+security validation per ASVS V5.1.3.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+
+__all__ = [
+    "EditorConfig",
+    "detect_editor_config",
+    "validate_editor_name",
+    "EDITOR_REGISTRY",
+]
+
+# ASVS V5.1.3: Only allow safe characters in editor names
+EDITOR_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9/_.-]+$")
+
+
+@dataclass
+class EditorConfig:
+    """Editor-specific command line configuration.
+
+    Attributes:
+        name: Canonical editor name (e.g., "vim", "code", "subl").
+        syntax_type: Command syntax category for building commands.
+    """
+
+    name: str
+    syntax_type: str  # "vim", "vscode", "sublime", "notepadpp", "jetbrains"
+
+
+# Editor registry mapping base names to configurations
+EDITOR_REGISTRY: dict[str, EditorConfig] = {
+    # Vim family (syntax: editor +LINE file)
+    "vim": EditorConfig("vim", "vim"),
+    "nvim": EditorConfig("nvim", "vim"),
+    "neovim": EditorConfig("neovim", "vim"),
+    "vi": EditorConfig("vi", "vim"),
+    # Emacs family (syntax: editor +LINE file)
+    "emacs": EditorConfig("emacs", "vim"),
+    "nano": EditorConfig("nano", "vim"),
+    # VS Code (syntax: code -g file:line)
+    "code": EditorConfig("code", "vscode"),
+    "code-insiders": EditorConfig("code-insiders", "vscode"),
+    "codium": EditorConfig("codium", "vscode"),  # VSCodium (FOSS fork)
+    # Sublime Text (syntax: subl file:line)
+    "subl": EditorConfig("subl", "sublime"),
+    "sublime": EditorConfig("sublime", "sublime"),
+    "sublime_text": EditorConfig("sublime_text", "sublime"),
+    # Atom (syntax: atom file:line) - legacy but still used
+    "atom": EditorConfig("atom", "sublime"),
+    # Notepad++ (syntax: notepad++ -nLINE file)
+    "notepad++": EditorConfig("notepad++", "notepadpp"),
+    "notepad++.exe": EditorConfig("notepad++.exe", "notepadpp"),
+    # JetBrains IDEs (syntax: editor --line LINE file)
+    "idea": EditorConfig("idea", "jetbrains"),
+    "pycharm": EditorConfig("pycharm", "jetbrains"),
+    "webstorm": EditorConfig("webstorm", "jetbrains"),
+    "phpstorm": EditorConfig("phpstorm", "jetbrains"),
+    "goland": EditorConfig("goland", "jetbrains"),
+    "rider": EditorConfig("rider", "jetbrains"),
+    "clion": EditorConfig("clion", "jetbrains"),
+    "rubymine": EditorConfig("rubymine", "jetbrains"),
+}
+
+
+def detect_editor_config(editor_name: str) -> EditorConfig:
+    """Detect editor configuration from name.
+
+    Args:
+        editor_name: Editor executable name (e.g., "vim", "/usr/bin/code").
+
+    Returns:
+        EditorConfig for the detected editor, or vim-style default if unknown.
+
+    Examples:
+        >>> detect_editor_config("vim").syntax_type
+        'vim'
+        >>> detect_editor_config("/usr/local/bin/code").syntax_type
+        'vscode'
+        >>> detect_editor_config("unknown-editor").syntax_type
+        'vim'
+    """
+    # Extract base name from path
+    base_name = Path(editor_name).stem.lower()
+
+    # Handle .exe extension on Windows
+    if base_name.endswith(".exe"):
+        base_name = base_name[:-4]
+
+    # Lookup in registry
+    config = EDITOR_REGISTRY.get(base_name)
+    if config:
+        return config
+
+    # Default to vim-style syntax for unknown editors
+    return EditorConfig("unknown", "vim")
+
+
+def validate_editor_name(editor: str) -> bool:
+    """Validate that editor name is safe to use.
+
+    Security: ASVS V5.1.3 - Validate data at trust boundaries.
+    Rejects editor names containing shell metacharacters to prevent
+    command injection attacks.
+
+    Args:
+        editor: Editor name from environment variable.
+
+    Returns:
+        True if editor name is safe, False if it contains unsafe characters.
+
+    Examples:
+        >>> validate_editor_name("vim")
+        True
+        >>> validate_editor_name("/usr/bin/code")
+        True
+        >>> validate_editor_name("vim; curl evil.com")
+        False
+        >>> validate_editor_name("vim && rm -rf /")
+        False
+    """
+    if not editor:
+        return False
+
+    # Check against safe pattern (alphanumeric + /.-_ only)
+    return bool(EDITOR_NAME_PATTERN.match(editor))
+
+
+def build_editor_command(
+    editor_path: str, file_path: Path, line: int, editor_config: EditorConfig
+) -> list[str]:
+    """Build editor command arguments based on editor type.
+
+    Args:
+        editor_path: Full path to editor executable.
+        file_path: Path to file to open.
+        line: Line number to jump to.
+        editor_config: Editor configuration with syntax type.
+
+    Returns:
+        List of command arguments for subprocess.run().
+
+    Security:
+        ASVS V14.2.1 - Uses list args (not shell string) to prevent injection.
+    """
+    if editor_config.syntax_type == "vscode":
+        # VS Code: code -g file:line
+        return [editor_path, "-g", f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "sublime":
+        # Sublime Text / Atom: editor file:line
+        return [editor_path, f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "notepadpp":
+        # Notepad++: notepad++ -nLINE file
+        return [editor_path, f"-n{line}", str(file_path)]
+    elif editor_config.syntax_type == "jetbrains":
+        # JetBrains IDEs: editor --line LINE file
+        return [editor_path, "--line", str(line), str(file_path)]
+    else:
+        # Default (Vim/Emacs/Nano): editor +LINE file
+        return [editor_path, f"+{line}", str(file_path)]

kekkai/triage/fix_screen.py

@@ -213,17 +213,47 @@ class FixGenerationScreen(ModalScreen[bool]):
             self.fix_generated = False
 
     def action_accept(self) -> None:
-        """Accept and apply the generated fix."""
+        """Accept and apply the generated fix (workbench: step 3 - verification)."""
         if not self.fix_generated:
             return
 
+        # Generate post-fix verification hints
+        verification_message = self._get_verification_hints()
+
         if self.on_fix_generated:
-            self.on_fix_generated(
-                True, "Fix generated successfully (dry-run mode - review before applying)"
-            )
+            self.on_fix_generated(True, verification_message)
 
         self.dismiss(True)
 
+    def _get_verification_hints(self) -> str:
+        """Generate next-steps hints after fix is applied."""
+        file_path = self.finding.file_path or "file"
+        file_name = file_path.split("/")[-1] if "/" in file_path else file_path
+
+        # Detect likely test command based on file extension
+        test_cmd = "pytest tests/"
+        if file_path.endswith(".js") or file_path.endswith(".ts"):
+            test_cmd = "npm test"
+        elif file_path.endswith(".go"):
+            test_cmd = "go test ./..."
+        elif file_path.endswith(".rs"):
+            test_cmd = "cargo test"
+        elif file_path.endswith(".java"):
+            test_cmd = "mvn test"
+
+        hints = [
+            f"✓ Fix applied to {file_name}",
+            "",
+            "📋 Next steps:",
+            f"  1. Run tests: {test_cmd}",
+            "  2. Re-scan: kekkai scan --repo .",
+            f"  3. Commit: git add {file_path} && git commit -m 'fix: {self.finding.title[:50]}'",
+            "",
+            "💡 Tip: Review the changes carefully before committing!",
+        ]
+
+        return "\n".join(hints)
+
     def action_cancel(self) -> None:
         """Cancel fix generation."""
         if self.on_fix_generated:

kekkai/triage/screens.py

@@ -6,8 +6,10 @@ with keyboard navigation and action handling.
 
 from __future__ import annotations
 
+from pathlib import Path
 from typing import TYPE_CHECKING
 
+from rich.syntax import Syntax
 from rich.text import Text
 from textual.app import ComposeResult
 from textual.binding import Binding
@@ -15,6 +17,7 @@ from textual.containers import Vertical, VerticalScroll
 from textual.screen import Screen
 from textual.widgets import Footer, Header, Label, Static, TextArea
 
+from .code_context import CodeContextExtractor
 from .models import TriageState
 from .widgets import FindingCard, sanitize_display
 
@@ -149,10 +152,15 @@ class FindingListScreen(Screen[None]):
         if not self.findings:
             return
         finding = self.findings[self.selected_index]
+        # Get repo_path and context_lines from app if available
+        repo_path = getattr(self.app, "repo_path", None)
+        context_lines = getattr(self.app, "context_lines", 10)
         self.app.push_screen(
             FindingDetailScreen(
                 finding,
                 on_state_change=self._handle_detail_state_change,
+                repo_path=repo_path,
+                context_lines=context_lines,
             )
         )
 
@@ -212,6 +220,10 @@ class FindingDetailScreen(Screen[None]):
     """
 
     BINDINGS = [
+        Binding("x", "fix_with_ai", "🤖 AI Fix"),
+        Binding("ctrl+o", "open_in_editor", "Open in Editor"),
+        Binding("e", "expand_context", "Expand Context"),
+        Binding("s", "shrink_context", "Shrink Context"),
         Binding("f", "mark_false_positive", "False Positive"),
         Binding("c", "mark_confirmed", "Confirmed"),
         Binding("d", "mark_deferred", "Deferred"),
@@ -234,6 +246,24 @@ class FindingDetailScreen(Screen[None]):
         padding: 1;
         border: solid $primary;
     }
+    #code-context-display {
+        height: 20;
+        border: solid $accent;
+        padding: 1;
+        margin: 1 0;
+        overflow-y: scroll;
+    }
+    .error-message {
+        color: $warning;
+        italic: true;
+    }
+    #action-hints {
+        height: auto;
+        padding: 1;
+        margin: 1 0;
+        background: $panel;
+        border: solid $secondary;
+    }
     #notes-area {
         height: 8;
         margin-top: 1;
@@ -245,12 +275,17 @@ class FindingDetailScreen(Screen[None]):
         self,
         finding: FindingEntry,
         on_state_change: Callable[[TriageState, str], None] | None = None,
+        repo_path: Path | None = None,
+        context_lines: int = 10,
         name: str | None = None,
         id: str | None = None,
     ) -> None:
         super().__init__(name=name, id=id)
         self.finding = finding
         self.on_state_change = on_state_change
+        self.repo_path = repo_path or Path.cwd()
+        self.context_lines = context_lines
+        self._code_extractor = CodeContextExtractor(self.repo_path)
 
     def compose(self) -> ComposeResult:
         yield Header()
@@ -258,6 +293,13 @@ class FindingDetailScreen(Screen[None]):
             yield Static(self._header_text(), id="detail-header")
             with VerticalScroll(id="detail-content"):
                 yield Static(self._detail_text())
+            # Add code context if available
+            code_widget = self._render_code_context()
+            if code_widget:
+                yield Label("Code Context:")
+                yield code_widget
+            # Add action hints to make workflow discoverable
+            yield Static(self._action_hints(), id="action-hints")
             yield Label("Notes (will be saved with decision):")
             yield TextArea(self.finding.notes, id="notes-area")
         yield Footer()
@@ -340,3 +382,201 @@ class FindingDetailScreen(Screen[None]):
     def action_go_back(self) -> None:
         """Go back to list screen."""
         self.app.pop_screen()
+
+    def _action_hints(self) -> Text:
+        """Generate action hints to make workflow discoverable."""
+        text = Text()
+        text.append("💡 Actions: ", style="bold")
+        text.append("Press ", style="dim")
+        text.append("X", style="bold cyan")
+        text.append(" for AI-powered fix | ", style="dim")
+        text.append("Ctrl+O", style="bold cyan")
+        text.append(" to open in ", style="dim")
+        text.append("$EDITOR", style="italic")
+        text.append(" | ", style="dim")
+        text.append("E", style="bold cyan")
+        text.append("/", style="dim")
+        text.append("S", style="bold cyan")
+        text.append(" to expand/shrink context", style="dim")
+        return text
+
+    def action_fix_with_ai(self) -> None:
+        """Trigger AI-powered fix generation (workbench: step 2)."""
+        # Check if file path and line exist (required for fix)
+        if not self.finding.file_path or not self.finding.line:
+            self.notify(
+                "Cannot generate fix: no file path or line number",
+                severity="warning",
+            )
+            return
+
+        # Import and show fix generation screen
+        try:
+            from .fix_screen import FixGenerationScreen
+
+            def on_fix_result(accepted: bool, preview: str) -> None:
+                if accepted:
+                    self.notify("Fix generation completed!", severity="information")
+                else:
+                    self.notify("Fix generation cancelled", severity="information")
+
+            self.app.push_screen(
+                FixGenerationScreen(
+                    finding=self.finding,
+                    on_fix_generated=on_fix_result,
+                )
+            )
+        except ImportError:
+            self.notify("AI fix feature not available", severity="error")
+
+    def action_open_in_editor(self) -> None:
+        """Open file in external $EDITOR at the vulnerable line (workbench: step 2)."""
+        import logging
+        import os
+        import shutil
+        import subprocess
+
+        from .editor_support import build_editor_command, detect_editor_config, validate_editor_name
+
+        logger = logging.getLogger(__name__)
+
+        if not self.finding.file_path or not self.finding.line:
+            self.notify(
+                "Cannot open editor: no file path or line number",
+                severity="warning",
+            )
+            return
+
+        # Get editor from environment (ASVS V5.1.3: validate before use)
+        editor = os.environ.get("EDITOR", "vim")
+
+        # ASVS V5.1.3: Validate EDITOR value before use (reject shell metacharacters)
+        if not validate_editor_name(editor):
+            self.notify(
+                f"Editor '{editor}' contains unsafe characters. Set a valid $EDITOR.",
+                severity="error",
+            )
+            logger.warning("unsafe_editor_value", extra={"editor": editor})
+            return
+
+        # Security validation: check editor exists and is executable
+        editor_path = shutil.which(editor)
+        if not editor_path:
+            self.notify(
+                f"Editor '{editor}' not found. Set $EDITOR environment variable.",
+                severity="error",
+            )
+            return
+
+        # Construct file path relative to repo
+        file_path = self.repo_path / self.finding.file_path
+        if not file_path.exists():
+            self.notify(f"File not found: {self.finding.file_path}", severity="error")
+            return
+
+        # Detect editor type and build appropriate command
+        editor_config = detect_editor_config(editor)
+
+        # Log editor invocation (ASVS V16.7.1)
+        logger.info(
+            "editor_opened",
+            extra={
+                "editor": editor,
+                "editor_type": editor_config.syntax_type,
+                "file": self.finding.file_path,
+                "line": self.finding.line,
+            },
+        )
+
+        # ASVS V14.2.1: Use list args (not shell=True) to prevent injection
+        cmd = build_editor_command(editor_path, file_path, self.finding.line, editor_config)
+
+        try:
+            # Suspend TUI, run editor, then resume
+            with self.app.suspend():
+                # S603: subprocess with validated input (editor_path checked via shutil.which)
+                result = subprocess.run(cmd, check=False)  # noqa: S603
+                if result.returncode != 0:
+                    self.notify(
+                        f"Editor exited with code {result.returncode}",
+                        severity="warning",
+                    )
+        except Exception as e:
+            logger.error("editor_failed", extra={"error": str(e)})
+            self.notify(f"Failed to open editor: {e}", severity="error")
+
+    def action_expand_context(self) -> None:
+        """Expand code context by 10 lines (addresses keyhole effect)."""
+        self.context_lines = min(100, self.context_lines + 10)
+        self._refresh_code_context()
+        self.notify(f"Context expanded to {self.context_lines} lines", severity="information")
+
+    def action_shrink_context(self) -> None:
+        """Shrink code context by 10 lines."""
+        self.context_lines = max(5, self.context_lines - 10)
+        self._refresh_code_context()
+        self.notify(f"Context shrunk to {self.context_lines} lines", severity="information")
+
+    def _refresh_code_context(self) -> None:
+        """Refresh code context display with new context_lines setting."""
+        import logging
+
+        logger = logging.getLogger(__name__)
+
+        try:
+            # Update the prompt builder's context lines
+            self._code_extractor._prompt_builder.context_lines = self.context_lines
+
+            # Re-render code context
+            code_widget = self._render_code_context()
+            if code_widget:
+                # Find and update the existing widget
+                try:
+                    old_widget = self.query_one("#code-context-display")
+                    # Replace content by removing old and adding new
+                    old_widget.remove()
+                    # Find the label and insert after it
+                    container = self.query_one("#detail-container")
+                    container.mount(code_widget)
+                except Exception as e:
+                    # Widget not found or couldn't refresh
+                    logger.debug("code_context_refresh_failed", extra={"error": str(e)})
+        except Exception as e:
+            # Refresh failed, log but don't crash
+            logger.debug("code_context_update_failed", extra={"error": str(e)})
+
+    def _render_code_context(self) -> Static | None:
+        """Render code context with syntax highlighting.
+
+        Returns:
+            Static widget with Syntax-highlighted code, or None if unavailable.
+
+        Security:
+            - File size limit: 10MB (ASVS V10.3.3)
+            - Path validation: must be within repo_path (ASVS V5.3.3)
+            - Error sanitization: no full paths in errors (ASVS V7.4.1)
+            - Sensitive file blocking (ASVS V8.3.4)
+        """
+        if not self.finding.file_path or not self.finding.line:
+            return None
+
+        context = self._code_extractor.extract(self.finding.file_path, self.finding.line)
+        if not context:
+            return None
+
+        if context.error:
+            return Static(f"Code unavailable: {context.error}", classes="error-message")
+
+        # Create syntax-highlighted code display
+        try:
+            syntax = Syntax(
+                context.code,
+                context.language,
+                line_numbers=False,  # We already have line numbers in the context
+                theme="monokai",
+                word_wrap=False,
+            )
+            return Static(syntax, id="code-context-display")
+        except Exception:
+            # Fallback to plain text if syntax highlighting fails
+            return Static(context.code, id="code-context-display")

{kekkai_cli-2.0.1.dist-info → kekkai_cli-2.2.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.0.1
+Version: 2.2.1
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown
@@ -14,19 +14,20 @@ Requires-Dist: jinja2>=3.1.6
   <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
 </p>
 
-<p align="center"><strong>Stop parsing JSON. Security triage in your terminal.</strong></p>
+<p align="center"><strong>Interactive security triage in the terminal.</strong></p>
 
 <p align="center">
   <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
   <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+  <img alt="PyPI - Version" src="https://img.shields.io/pypi/v/kekkai-cli">
+
 </p>
 
 ---
 
 # Kekkai
 
-**Interactive security triage in the terminal.**
+**Stop parsing JSON.**
 
 Kekkai is a small open-source CLI that wraps existing security scanners (Trivy, Semgrep, Gitleaks) and focuses on the part that tends to be slow and frustrating: reviewing and triaging results.
 
@@ -73,6 +74,17 @@ kekkai triage
 # Interactive TUI to review findings with keyboard navigation
 ```
 
+### ⚡️ Auto-Install (Pre-commit)
+
+Add this to your `.pre-commit-config.yaml` to scan on every commit:
+
+```yaml
+  - repo: [https://github.com/kademoslabs/kekkai](https://github.com/kademoslabs/kekkai)
+    rev: v2.0.1
+    hooks:
+      - id: kekkai-scan
+```
+
 No signup, no cloud service required.
 
 ---
@@ -114,34 +126,11 @@ kekkai triage
 
 ---
 
-### CI/CD Policy Gate
-
-Break builds on severity thresholds.
-
-Kekkai can be used as a CI gate based on severity thresholds.
+### 🚦 CI/CD in 1 Second
 
+Don't write YAML. Run this in your repo:
 ```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-```
-
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-
-**GitHub Actions Example:**
-
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
+kekkai init --ci
 ```
 
 [Full CI Documentation →](docs/ci/ci-mode.md)

{kekkai_cli-2.0.1.dist-info → kekkai_cli-2.2.1.dist-info}/RECORD

@@ -1,10 +1,10 @@
 kekkai/__init__.py,sha256=_VrBvJRyqHiXs31S8HOhATk_O2iy-ac0_9X7rHH75j8,143
-kekkai/cli.py,sha256=Y99dHzSRLV4sqbFiSe81nJRtvx2dQWmRDPyOVdghIIQ,66616
+kekkai/cli.py,sha256=Mua85FZFkpEmPtP3IUFh1sKkBsQLllln_Qe-ju5okgw,68479
 kekkai/config.py,sha256=LE7bKsmv5dim5KnZya0V7_LtviNQ1V0pMN_6FyAsMpc,13084
 kekkai/dojo.py,sha256=erLdTMOioTyzVhXYW8xgdbU5Ro-KQx1OcTQN7_zemmY,18634
 kekkai/dojo_import.py,sha256=D0ZQM_0JYHqUqJA3l4nKD-RkpvcOcgj-4zv59HRcQ6k,7274
 kekkai/manifest.py,sha256=Ph5xGDKuVxMW1GVIisRhxUelaiVZQe-W5sZWsq4lHqs,1887
-kekkai/output.py,sha256=IJrO36C79WTxCqYp9LEVn5OI4GtPVBWUWH6I-TttfmQ,5426
+kekkai/output.py,sha256=1T077PHznM8yfDWycfihvGTGrrpymoAkaHlMr8hAjkk,5426
 kekkai/paths.py,sha256=EcyG3CEOQFQygowu7O5Mp85dKkXWWvnm1h0j_BetGxY,1190
 kekkai/policy.py,sha256=0XCUH-SbnO1PsM-exjSFHYHRnLkiNa50QfkyPakwNko,9792
 kekkai/runner.py,sha256=MBFUiJ4sSVEGNbJ6cv-8p1WHaHqjio6yWEfr_K4GuTs,2037
@@ -58,14 +58,16 @@ kekkai/threatflow/model_adapter.py,sha256=Vl0wBWvBUxEGTmFghjwpp-N7Zt3qkpUSxrPVjK
 kekkai/threatflow/prompts.py,sha256=lgbj7FJ1c3UYj4ofGnlLoRmywYBfdAKY0QEHmIB_JFw,8525
 kekkai/threatflow/redaction.py,sha256=mGUcNQB6YPVKArtMrEYcXCWslgUiCkloiowY9IlZ1iY,7622
 kekkai/threatflow/sanitizer.py,sha256=uQsxYZ5VDXutZoj-WMl7fo5T07uHuQZqgVzoVMoaKec,22688
-kekkai/triage/__init__.py,sha256=gYf4XPIYZTthU0Q0kaptbgMKulkjLxWQWG0HQvtlu-o,2182
-kekkai/triage/app.py,sha256=MU2tBI50d8sOdDKESGNrWYiREG9bBtrSccaMoiMv5gM,5027
+kekkai/triage/__init__.py,sha256=lUDFJqQk0EjQD2ZP6s3WQnZ8R-KGds8_W7RmFzBDPN8,2463
+kekkai/triage/app.py,sha256=WKvT00UDO2ywVgahLlHAcqB-OnPN05Ps_FKoN6RY0lc,5615
 kekkai/triage/audit.py,sha256=UVaSKKC6tZkHxEoMcnIZkMOT_ngj7QzHWYuDAHas_sc,5842
-kekkai/triage/fix_screen.py,sha256=mj_waXwKPCrT01bVSSu5Ohi-3JvN2lT18Yy44xICItY,7667
+kekkai/triage/code_context.py,sha256=kmAkQaxgGIxzf2n5s9vkwOBetmuZrQhoDuygxmU9cjg,11311
+kekkai/triage/editor_support.py,sha256=IpOe4KXUdxKBAQMoCWGTNRK2sGYRpuVySiHQRLm4ugc,5497
+kekkai/triage/fix_screen.py,sha256=jL0ZXoNKBvkhrnWxutPrviMRL5iacJ19qpxX3hKEZvc,8843
 kekkai/triage/ignore.py,sha256=uBKM7zKyzORj9LJ5AAnoYWZQTRy57P0ZofSapiDWcfI,7305
 kekkai/triage/loader.py,sha256=vywhS8fcre7PiBX3H2CpKXFxzvO7LcDnIHIB0kzG3R4,5850
 kekkai/triage/models.py,sha256=nRmWtELMqHWHX1NqZ2upH2ZAJVeBxa3Wh8f3kkB9WYo,5384
-kekkai/triage/screens.py,sha256=MbudQkdQ4JFt5c80V3LtqCeXxAIu7nIfZpm7G5wRXT0,11061
+kekkai/triage/screens.py,sha256=it253GNli37S2CkijbVfoxmiobEV3M3-FYdqXhp1tWk,20575
 kekkai/triage/widgets.py,sha256=eOF6Qoo5uBqjxiEkbpgcO1tbIOGBQBKn75wP9Jw_AaE,4733
 kekkai_core/__init__.py,sha256=gREN4oarM0azTkSTWTnlDnPZGgv1msai2Deq9Frj3gc,122
 kekkai_core/redaction.py,sha256=EeWYPjAs2hIXlLKGmGn_PRdK08G4KcOBmbRCoFklbHc,2893
@@ -85,8 +87,8 @@ kekkai_core/windows/chocolatey.py,sha256=tF5S5eN-HeENRt6yQ4TZgwng0oRMX_ScskQ3-eb
 kekkai_core/windows/installer.py,sha256=MePAywHH3JTIAENv52XtkUMOGqmYqZqkH77VW5PST8o,6945
 kekkai_core/windows/scoop.py,sha256=lvothICrAoB3lGfkvhqVeNTB50eMmVGA0BE7JNCfHdI,5284
 kekkai_core/windows/validators.py,sha256=45xUuAbHcKc0WLIZ-0rByPeDD88MAV8KvopngyYBHpQ,6525
-kekkai_cli-2.0.1.dist-info/METADATA,sha256=WNYk460xPTeXtMnwDW2Z6zDhHysNhltYOS726u-i2q4,8118
-kekkai_cli-2.0.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-kekkai_cli-2.0.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
-kekkai_cli-2.0.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
-kekkai_cli-2.0.1.dist-info/RECORD,,
+kekkai_cli-2.2.1.dist-info/METADATA,sha256=rFe0gsYLeFJPliwHjenTd3jk6VCsB0qlwCkO6OAzxJo,7865
+kekkai_cli-2.2.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+kekkai_cli-2.2.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
+kekkai_cli-2.2.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
+kekkai_cli-2.2.1.dist-info/RECORD,,