sanicode 0.1.0__tar.gz

sanicode-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,105 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract tag version
+        id: tag
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Read version.py
+        id: pyver
+        run: |
+          PY_VERSION=$(grep '__version__' src/sanicode/version.py | cut -d'"' -f2)
+          echo "version=$PY_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Read pyproject.toml version
+        id: tomlver
+        run: |
+          TOML_VERSION=$(grep '^version = ' pyproject.toml | head -1 | cut -d'"' -f2)
+          echo "version=$TOML_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Verify versions match
+        run: |
+          TAG="${{ steps.tag.outputs.version }}"
+          PY="${{ steps.pyver.outputs.version }}"
+          TOML="${{ steps.tomlver.outputs.version }}"
+          echo "Tag:          $TAG"
+          echo "version.py:   $PY"
+          echo "pyproject.toml: $TOML"
+          if [[ "$TAG" != "$PY" || "$TAG" != "$TOML" ]]; then
+            echo "::error::Version mismatch! Tag=$TAG, version.py=$PY, pyproject.toml=$TOML"
+            exit 1
+          fi
+
+  test:
+    needs: verify
+    uses: ./.github/workflows/test.yml
+
+  create-release:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract version
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "$GITHUB_REF_NAME" \
+            --title "sanicode v${{ steps.version.outputs.version }}" \
+            --generate-notes
+
+  build:
+    needs: create-release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish-to-pypi:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

sanicode-0.1.0/.github/workflows/test.yml

@@ -0,0 +1,55 @@
+name: Tests
+
+on:
+  push:
+    branches: [main]
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches: [main]
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check src/ tests/
+
+      - name: Run tests with coverage
+        run: pytest --cov=sanicode --cov-report=xml --cov-report=term-missing
+
+  build:
+    needs: test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install build tools
+        run: pip install build twine
+
+      - name: Build distribution
+        run: python -m build
+
+      - name: Validate distribution
+        run: twine check dist/*

sanicode-0.1.0/.gitignore

@@ -0,0 +1,38 @@
+# Secrets and credentials
+.env
+.env.local
+.env.*.local
+*.key
+*.pem
+*.p12
+*.pfx
+credentials.json
+secrets.yaml
+secrets.yml
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+*.egg
+dist/
+build/
+
+# Virtual environments
+.venv/
+venv/
+
+# Tool caches
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+htmlcov/
+.coverage
+
+# IDE
+.idea/
+.vscode/
+*.swp
+
+# OS
+.DS_Store

sanicode-0.1.0/.gitleaks.toml

@@ -0,0 +1,13 @@
+[allowlist]
+  description = "Project-specific allowlist for false positives"
+
+  paths = [
+    '''\/examples\/''',
+    '''\/tests?\/fixtures\/''',
+    '''docs\/.*\.md$''',
+  ]
+
+  regexes = [
+    '''YOUR_.*_HERE''',
+    '''REPLACE_WITH_YOUR''',
+  ]

sanicode-0.1.0/CLAUDE.md

@@ -0,0 +1,103 @@
+# Sanicode — Project Context
+
+Sanicode is a PyPI-distributed CLI tool that uses an AI agent (configurable LLM backend) to build a codebase-level knowledge graph, then outputs security/sanitization recommendations mapped to OWASP ASVS, NIST 800-53, and ASD STIG controls. The key differentiator over tools like Bandit or Semgrep is data flow context via LLM reasoning over a knowledge graph, not just AST pattern matching.
+
+See `RESEARCH.md` for the full standards baseline, architecture rationale, and tooling landscape.
+
+## Getting Started
+
+Start with issue #1 in the Phase 1 milestone. Issues have dependency notes in their descriptions — check "blocked by" before starting. Work issues in order within each milestone.
+
+## Tech Stack
+
+- Python 3.10+, package name `sanicode`
+- CLI: Click or Typer (decided in issue #1)
+- AST parsing: Python `ast` module (tree-sitter for multi-language, later)
+- Knowledge graph: NetworkX (in-memory); Neo4j for persistent/large codebases
+- LLM integration: LiteLLM (multi-provider, tiered endpoints)
+- API server: FastAPI (`sanicode serve`)
+- Config: TOML (`sanicode.toml` or `~/.config/sanicode/config.toml`)
+- Output formats: Markdown, JSON, SARIF
+- Container base: `registry.redhat.io/ubi9/python-311` (UBI9, multi-stage)
+- Phase 3 operator: kopf (Python); Phase 4: Go Operator SDK if needed
+
+## Project Structure
+
+```
+sanicode/
+├── src/sanicode/       # Main package
+├── data/               # Compliance cross-reference DB (JSON/TOML)
+├── rules/              # Rule definitions (YAML, Bandit-style)
+├── prompts/            # Prompt templates (YAML, with {variable} substitution)
+├── tests/              # Mirrors src/sanicode/ structure; pytest, 80%+ coverage
+└── sanicode.toml       # Project config (or ~/.config/sanicode/)
+```
+
+## Phase Structure
+
+- **Phase 1** (starting now): Python package + CLI. Scan → knowledge graph → compliance-mapped report. Local mode + `sanicode serve` API mode.
+- **Phase 2**: Containerized deployment on OpenShift. Helm chart, Prometheus metrics, Grafana dashboard, MLflow integration, Tekton task, KFP pipeline.
+- **Phase 3**: Lightweight Python Operator via kopf. CRDs: SanicodeConfig, SanicodeScan, SanicodeProfile, SanicodeException. Auto-discover InferenceService CRs.
+- **Phase 4**: Production Operator (Go/Operator SDK or Helm-based), OLM packaging, OperatorHub submission.
+
+## CLI Surface
+
+```
+sanicode config    # Configure LLM backend (tiered endpoints)
+sanicode scan      # Scan codebase, build knowledge graph
+sanicode serve     # Start FastAPI server (containerized/remote mode)
+sanicode report    # Generate compliance-mapped report
+sanicode recommend # Output prioritized recommendations
+sanicode graph     # Inspect/export the knowledge graph
+```
+
+The CLI operates in three modes: **local** (all in-process), **remote** (thin client to sanicode-api), **hybrid** (AST local, LLM remote).
+
+## Key Architectural Decisions
+
+**Degraded mode is not optional.** With no LLM configured, sanicode must still produce useful output: AST pattern matching, known-bad function detection, data flow graph construction, compliance lookups, and SARIF output. LLM adds context-awareness and false-positive reduction on top.
+
+**Compliance mapping is cross-cutting.** Every finding must carry: CWE ID, OWASP ASVS 5.0 requirement (with L1/L2/L3 level), NIST 800-53 control (SI-10, SI-15, etc.), ASD STIG check ID and CAT level (I/II/III). PCI DSS mapping where applicable.
+
+**Knowledge graph is the differentiator.** Graph nodes: entry points, sanitization points, sink points, trust boundaries. Edges: data flow paths. LLM reasons over the graph to assess whether sanitization actually covers the identified threat.
+
+**API is designed for machine consumption first.** A refactoring agent (Konveyor, custom agent) needs to iterate programmatically. REST endpoints: `POST /api/v1/scan`, `GET /api/v1/scan/{id}`, `GET /api/v1/scan/{id}/findings`, `GET /api/v1/scan/{id}/graph`, `POST /api/v1/analyze`, `GET /api/v1/compliance/map`.
+
+**Offline-native, not offline-compatible.** Zero egress at runtime. All compliance data, rules, and prompt templates ship in the package. Model weights are a separate supply chain artifact (PVC or ModelCar OCI image) — never bundled with sanicode.
+
+**Tiered model support.** `sanicode.toml` allows separate endpoints for fast (classification), analysis (data flow), and reasoning (compliance mapping + report generation) tiers. Recommended: Granite Nano → Granite Code 8B → Llama 3.1 70B.
+
+## Backlog Discipline
+
+Work backlog items until they are 100% complete. 99% rounds to zero. If during implementation we discover scope that should wait (separate concern, large effort, blocked on something else), the standard procedure is:
+
+1. Create a new backlog issue for the carved-out work, with full context.
+2. Update the current issue to document what moved and reference the new issue(s).
+3. Only then close the current issue.
+
+This prevents hidden technical debt from accumulating behind "done" items. An agent should never offer to close an item until the carve-out issues exist and the current item's description reflects the reduced scope.
+
+## Releasing
+
+The version lives in two files that must stay in sync:
+- `src/sanicode/version.py` — `__version__ = "x.y.z"`
+- `pyproject.toml` — `version = "x.y.z"`
+
+To release, run from the project root:
+
+```bash
+./scripts/release.sh <version> "<description>"
+```
+
+This updates both version files, commits, tags, and pushes. GitHub Actions handles testing, GitHub Release creation, and PyPI publishing via OIDC trusted publishing. See `PUBLISHING.md` for one-time setup steps.
+
+Never update version files manually — always use the release script to ensure consistency.
+
+## Don't Forget
+
+- SARIF output is critical for ecosystem interoperability (GitHub Code Scanning, VS Code, Azure DevOps, Tekton gating). Prioritize this over custom formats.
+- OWASP ASVS reference is version **5.0** (released May 2025). The chapter is now "V1: Encoding and Sanitization" — not the old V5. Use `v5.0.0-V1-x.x` identifiers.
+- ASD STIG version is **v4 r11**. Key IDs: APSC-DV-002510 (command injection, CAT I), APSC-DV-002520 (XSS, CAT II), APSC-DV-002530 (input validation, CAT II).
+- CWE is the lingua franca across all frameworks. Core sanitization CWEs: 20, 77, 78, 79, 89, 94, 116, 918, 1333.
+- `SanicodeException` CRs (Phase 3) are critical for ATO workflows — RBAC-controlled, expiring, GitOps-managed risk acceptances.
+- Expose `/metrics` (Prometheus) from day one in `sanicode serve`. Compliance score, findings by severity/CWE/namespace, LLM usage.

sanicode-0.1.0/PKG-INFO

@@ -0,0 +1,161 @@
+Metadata-Version: 2.4
+Name: sanicode
+Version: 0.1.0
+Summary: AI-assisted code sanitization scanner with OWASP ASVS, NIST 800-53, and ASD STIG compliance mapping.
+Project-URL: Homepage, https://github.com/rdwj/sanicode
+Project-URL: Repository, https://github.com/rdwj/sanicode
+Project-URL: Issues, https://github.com/rdwj/sanicode/issues
+Author: Sanicode Contributors
+License: Apache-2.0
+Keywords: compliance,llm,owasp,sast,security,stig
+Classifier: Development Status :: 2 - Pre-Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: fastapi>=0.100
+Requires-Dist: litellm>=1.0
+Requires-Dist: networkx>=3.0
+Requires-Dist: prometheus-client>=0.17
+Requires-Dist: rich>=13.0
+Requires-Dist: tomli>=2.0; python_version < '3.11'
+Requires-Dist: typer>=0.9.0
+Requires-Dist: uvicorn[standard]>=0.20
+Provides-Extra: dev
+Requires-Dist: build>=1.0; extra == 'dev'
+Requires-Dist: httpx>=0.24; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
+Requires-Dist: pytest-cov>=4.0; extra == 'dev'
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Requires-Dist: twine>=5.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# Sanicode
+
+Sanicode scans Python codebases for input validation and sanitization gaps, builds a knowledge graph of data flow (entry points, sanitizers, sinks), and maps every finding to OWASP ASVS 5.0, NIST 800-53, and ASD STIG v4r11 controls. Output formats include SARIF (for GitHub Code Scanning integration), JSON, and Markdown.
+
+Unlike pattern-only tools like Bandit or Semgrep, sanicode constructs a data flow graph so findings carry context about *how* tainted data reaches a sink and *whether* sanitization exists along the path.
+
+## Install
+
+```
+pip install sanicode
+```
+
+Requires Python 3.10+.
+
+## Quick start
+
+Scan a codebase and generate a Markdown report:
+
+```
+sanicode scan .
+```
+
+Generate SARIF output for CI integration:
+
+```
+sanicode scan . -f sarif
+```
+
+Reports are written to `sanicode-reports/` by default.
+
+## API server
+
+Start the FastAPI server for remote or hybrid scan mode:
+
+```
+sanicode serve
+```
+
+This starts on port 8080 with Prometheus metrics at `/metrics`.
+
+### Endpoints
+
+```
+POST /api/v1/scan              Submit a scan (async)
+GET  /api/v1/scan/{id}         Poll scan status
+GET  /api/v1/scan/{id}/findings   Retrieve findings (JSON or ?format=sarif)
+GET  /api/v1/scan/{id}/graph      Retrieve knowledge graph
+POST /api/v1/analyze           Instant snippet analysis
+GET  /api/v1/compliance/map    Compliance framework lookup
+GET  /api/v1/health            Liveness check
+GET  /metrics                  Prometheus metrics
+```
+
+## CLI commands
+
+```
+sanicode scan .                       # Scan codebase, generate reports
+sanicode scan . -f sarif              # SARIF output
+sanicode scan . -f json -f sarif      # Multiple formats
+sanicode serve                        # Start API server on :8080
+sanicode report scan-result.json      # Re-generate reports from saved results
+sanicode report scan-result.json -s high   # Filter by severity
+sanicode report scan-result.json --cwe 89  # Filter by CWE
+sanicode config --show                # Show resolved configuration
+sanicode config --init                # Create starter sanicode.toml
+sanicode graph . --export graph.json  # Export knowledge graph
+```
+
+## Detection rules
+
+| Rule   | Description                      | CWE     |
+|--------|----------------------------------|---------|
+| SC001  | `eval()`                         | CWE-78  |
+| SC002  | `exec()`                         | CWE-78  |
+| SC003  | `os.system()`                    | CWE-78  |
+| SC004  | `subprocess` with `shell=True`   | CWE-78  |
+| SC005  | `pickle.loads()`                 | CWE-502 |
+| SC006  | SQL string formatting            | CWE-89  |
+| SC007  | `__import__()`                   | CWE-94  |
+| SC008  | `yaml.load()` without `Loader`   | CWE-502 |
+
+Each finding is enriched with CWE metadata and mapped to the active compliance profiles.
+
+## Compliance frameworks
+
+Sanicode maps findings to three frameworks out of the box:
+
+- **OWASP ASVS 5.0** -- V1: Encoding and Sanitization requirements (L1/L2/L3)
+- **NIST 800-53** -- SI-10 (Information Input Validation), SI-15 (Information Output Filtering), and related controls
+- **ASD STIG v4r11** -- APSC-DV-002510 (CAT I), APSC-DV-002520 (CAT II), APSC-DV-002530 (CAT II), and related checks
+
+## Configuration
+
+Create a config file:
+
+```
+sanicode config --init
+```
+
+This writes a `sanicode.toml` in the current directory. Config is loaded from (in order):
+
+1. `--config` flag
+2. `sanicode.toml` in the current directory
+3. `~/.config/sanicode/config.toml`
+
+Sanicode works fully without any configuration. LLM tiers are optional -- without them, the tool runs in degraded mode using AST pattern matching, knowledge graph construction, and compliance lookups. LLM integration adds context-aware reasoning on top of these.
+
+### LLM tiers (optional)
+
+The config supports three tiers for different task complexities, each pointing at any OpenAI-compatible endpoint (Ollama, vLLM, OpenShift AI):
+
+| Tier        | Purpose                           | Recommended model       |
+|-------------|-----------------------------------|-------------------------|
+| `fast`      | Classification, severity scoring  | Granite Nano, Mistral 7B |
+| `analysis`  | Data flow reasoning               | Granite Code 8B         |
+| `reasoning` | Compliance mapping, reports       | Llama 3.1 70B           |
+
+## Current status
+
+Phase 1 MVP: Python-only scanning, 8 detection rules, local and API server modes. LLM integration is planned but not yet wired; the tool operates in degraded mode with AST patterns and compliance mapping.
+
+## License
+
+Apache-2.0

sanicode-0.1.0/PUBLISHING.md

@@ -0,0 +1,94 @@
+# Publishing sanicode to PyPI
+
+## One-Time Setup
+
+### 1. Configure PyPI Trusted Publisher
+
+Trusted publishing uses OpenID Connect (OIDC) — no API tokens needed.
+
+1. Go to https://pypi.org/manage/account/publishing/
+2. Click "Add a new pending publisher"
+3. Fill in:
+   - **PyPI Project Name:** `sanicode`
+   - **Owner:** `rdwj`
+   - **Repository name:** `sanicode`
+   - **Workflow name:** `release.yml`
+   - **Environment name:** `pypi`
+4. Click "Add"
+
+### 2. Create GitHub Environment
+
+1. Go to https://github.com/rdwj/sanicode/settings/environments
+2. Create environment named `pypi`
+3. (Optional) Add yourself as a required reviewer for manual approval before publishing
+4. Set deployment branches to "main" only
+
+## Releasing
+
+### Automated (Recommended)
+
+From the project root:
+
+```bash
+./scripts/release.sh <version> "<description>"
+
+# Example:
+./scripts/release.sh 0.2.0 "Add API server and Prometheus metrics"
+```
+
+The script:
+1. Validates version format (x.y.z)
+2. Updates `src/sanicode/version.py` and `pyproject.toml`
+3. Verifies both files match
+4. Commits, creates annotated tag `v<version>`, pushes both
+
+GitHub Actions then:
+1. Verifies tag/version.py/pyproject.toml all agree
+2. Runs full test suite across Python 3.10-3.13
+3. Creates a GitHub Release with auto-generated notes
+4. Builds sdist + wheel
+5. Publishes to PyPI via OIDC
+
+### Manual Fallback
+
+If GitHub Actions is unavailable:
+
+```bash
+# Build
+rm -rf dist/
+python -m build
+
+# Validate
+twine check dist/*
+
+# Upload (requires PyPI API token)
+twine upload dist/*
+```
+
+## Version Numbering
+
+Semantic versioning: `MAJOR.MINOR.PATCH`
+
+- **MAJOR**: Breaking API changes
+- **MINOR**: New features (backward compatible)
+- **PATCH**: Bug fixes
+
+The version lives in two files that must stay in sync:
+- `src/sanicode/version.py` — `__version__ = "x.y.z"`
+- `pyproject.toml` — `version = "x.y.z"`
+
+The release script and GitHub Actions both enforce this invariant.
+
+## Verification
+
+After a release:
+
+```bash
+# Check PyPI
+pip install sanicode==<version>
+sanicode --version
+
+# Check GitHub
+# https://github.com/rdwj/sanicode/releases
+# https://github.com/rdwj/sanicode/actions
+```

sanicode-0.1.0/README.md

@@ -0,0 +1,124 @@
+# Sanicode
+
+Sanicode scans Python codebases for input validation and sanitization gaps, builds a knowledge graph of data flow (entry points, sanitizers, sinks), and maps every finding to OWASP ASVS 5.0, NIST 800-53, and ASD STIG v4r11 controls. Output formats include SARIF (for GitHub Code Scanning integration), JSON, and Markdown.
+
+Unlike pattern-only tools like Bandit or Semgrep, sanicode constructs a data flow graph so findings carry context about *how* tainted data reaches a sink and *whether* sanitization exists along the path.
+
+## Install
+
+```
+pip install sanicode
+```
+
+Requires Python 3.10+.
+
+## Quick start
+
+Scan a codebase and generate a Markdown report:
+
+```
+sanicode scan .
+```
+
+Generate SARIF output for CI integration:
+
+```
+sanicode scan . -f sarif
+```
+
+Reports are written to `sanicode-reports/` by default.
+
+## API server
+
+Start the FastAPI server for remote or hybrid scan mode:
+
+```
+sanicode serve
+```
+
+This starts on port 8080 with Prometheus metrics at `/metrics`.
+
+### Endpoints
+
+```
+POST /api/v1/scan              Submit a scan (async)
+GET  /api/v1/scan/{id}         Poll scan status
+GET  /api/v1/scan/{id}/findings   Retrieve findings (JSON or ?format=sarif)
+GET  /api/v1/scan/{id}/graph      Retrieve knowledge graph
+POST /api/v1/analyze           Instant snippet analysis
+GET  /api/v1/compliance/map    Compliance framework lookup
+GET  /api/v1/health            Liveness check
+GET  /metrics                  Prometheus metrics
+```
+
+## CLI commands
+
+```
+sanicode scan .                       # Scan codebase, generate reports
+sanicode scan . -f sarif              # SARIF output
+sanicode scan . -f json -f sarif      # Multiple formats
+sanicode serve                        # Start API server on :8080
+sanicode report scan-result.json      # Re-generate reports from saved results
+sanicode report scan-result.json -s high   # Filter by severity
+sanicode report scan-result.json --cwe 89  # Filter by CWE
+sanicode config --show                # Show resolved configuration
+sanicode config --init                # Create starter sanicode.toml
+sanicode graph . --export graph.json  # Export knowledge graph
+```
+
+## Detection rules
+
+| Rule   | Description                      | CWE     |
+|--------|----------------------------------|---------|
+| SC001  | `eval()`                         | CWE-78  |
+| SC002  | `exec()`                         | CWE-78  |
+| SC003  | `os.system()`                    | CWE-78  |
+| SC004  | `subprocess` with `shell=True`   | CWE-78  |
+| SC005  | `pickle.loads()`                 | CWE-502 |
+| SC006  | SQL string formatting            | CWE-89  |
+| SC007  | `__import__()`                   | CWE-94  |
+| SC008  | `yaml.load()` without `Loader`   | CWE-502 |
+
+Each finding is enriched with CWE metadata and mapped to the active compliance profiles.
+
+## Compliance frameworks
+
+Sanicode maps findings to three frameworks out of the box:
+
+- **OWASP ASVS 5.0** -- V1: Encoding and Sanitization requirements (L1/L2/L3)
+- **NIST 800-53** -- SI-10 (Information Input Validation), SI-15 (Information Output Filtering), and related controls
+- **ASD STIG v4r11** -- APSC-DV-002510 (CAT I), APSC-DV-002520 (CAT II), APSC-DV-002530 (CAT II), and related checks
+
+## Configuration
+
+Create a config file:
+
+```
+sanicode config --init
+```
+
+This writes a `sanicode.toml` in the current directory. Config is loaded from (in order):
+
+1. `--config` flag
+2. `sanicode.toml` in the current directory
+3. `~/.config/sanicode/config.toml`
+
+Sanicode works fully without any configuration. LLM tiers are optional -- without them, the tool runs in degraded mode using AST pattern matching, knowledge graph construction, and compliance lookups. LLM integration adds context-aware reasoning on top of these.
+
+### LLM tiers (optional)
+
+The config supports three tiers for different task complexities, each pointing at any OpenAI-compatible endpoint (Ollama, vLLM, OpenShift AI):
+
+| Tier        | Purpose                           | Recommended model       |
+|-------------|-----------------------------------|-------------------------|
+| `fast`      | Classification, severity scoring  | Granite Nano, Mistral 7B |
+| `analysis`  | Data flow reasoning               | Granite Code 8B         |
+| `reasoning` | Compliance mapping, reports       | Llama 3.1 70B           |
+
+## Current status
+
+Phase 1 MVP: Python-only scanning, 8 detection rules, local and API server modes. LLM integration is planned but not yet wired; the tool operates in degraded mode with AST patterns and compliance mapping.
+
+## License
+
+Apache-2.0