HeadyZhang
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
Lines changed: 6 additions & 3 deletions
diff --git a/PROMPT-v0.14.0-adjustment.txt b/PROMPT-v0.14.0-adjustment.txt
Lines changed: 47 additions & 0 deletions
diff --git a/action.yml b/action.yml
Lines changed: 82 additions & 12 deletions
diff --git a/docs/README.md b/docs/README.md
Lines changed: 199 additions & 0 deletions
@@ -1,8 +1,11 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Questions & Discussions
+  - name: General Question
     url: https://github.com/HeadyZhang/agent-audit/discussions
-    about: Ask questions and discuss ideas in GitHub Discussions
-  - name: Documentation
+    about: Ask general questions in GitHub Discussions
+  - name: Rule Documentation
     url: https://github.com/HeadyZhang/agent-audit/blob/main/docs/RULES.md
     about: Check the rule reference for detailed information about each rule
+  - name: OWASP Agentic Top 10
+    url: https://genai.owasp.org/llm-top-10/
+    about: Learn about the OWASP Agentic Top 10 vulnerabilities
@@ -0,0 +1,47 @@
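+The numbers look good, but there is one issue that needs to be faced honestly
+
+The good news first: Recall 68.2%, Precision 83.3%, F1 75.0%, Taint Accuracy 31.8%. Compared with the v0.4.1 baseline, this is substantial progress. The trajectory across the three versions is very healthy:
+
+Version Recall Precision Taint Acc
+
+v0.4.1 17.6% - 0.0%
+
+v0.13.0 50.0% 78.6% 9.1%
+
+v0.14.0 68.2% 83.3% 31.8%
+
+Precision rose by 4.7pp while Recall improved, which shows that Recall was not inflated by "reporting everything".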
+
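+But changes 3 and 4 call for caution
+
+Fixed oracle line numbers in KNOWN-001, KNOWN-002, KNOWN-005
+
+Added source type equivalence in oracle_eval.py: user_input ≈ llm_output
+
+Neither of these changes touches the detection engine; both change the benchmark itself.
+
+The oracle line-number fix is fine if the oracle really was wrong, since the benchmark itself also needs debugging. But this needs to be confirmed: were the oracle's line numbers mislabeled from the start, or was the oracle edited to accommodate the detection engine because the line numbers it reports disagreed with the oracle? If it is the latter, that is fitting to the evaluation set.
+
+The user_input ≈ llm_output equivalence is subtler. In terms of security semantics the equivalence is reasonable, since both are untrusted external input. But the change makes oracle evaluation more lenient. Of the jump in Taint Accuracy from 9.1% to 31.8%, how much comes from improved detection capability and how much from a relaxed evaluation standard?
+
+Recommendation: report two separate numbers in the benchmark report:
+
+Strict Taint Accuracy (original oracle, no equivalence mapping)
+
+Relaxed Taint Accuracy (with source type equivalence)
+
+That way, for each version's improvement, the contributions of tool capability gains and of evaluation standard adjustments are transparent. This is not to say the equivalence mapping is unreasonable; rather, an academic-grade benchmark needs this kind of traceability.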
+
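+The sink type mapping fix is a genuine improvement
+
+eval() → code_execution rather than eval: this aligns the detection engine's output with the oracle's terminology. It is a reasonable normalization and raises no fitting concern. Preserving the source type as it propagates through method call chains is also a substantive capability improvement in the taint tracker.
+
+Two key follow-up questions:
+
+Are KNOWN-001 and KNOWN-002 detected now? In the previous version they were still at 0% Recall. This time you changed their oracle line numbers but did not state clearly whether the detection results flipped.
+
+What is the per-set Recall for Set B (MCP) and Set C (Data)? The overall Recall of 68.2% may mask the problem that Set B is still at 0%, which the context document flags as P0.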
+
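+Summary
+
+The core technical improvements in v0.14.0 (sink mapping, source propagation) are solid. But the benchmark-side changes (oracle line numbers, source equivalence) alter the evaluation standard, so strict/relaxed dual metrics are needed to keep things transparent. The next step should focus on the remaining 12pp Recall gap, with priority on confirming the per-set performance of Set B/C and the detection status of KNOWN-001/002.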
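
Reviewer sketch (not part of the diff): the strict/relaxed split recommended in PROMPT-v0.14.0-adjustment.txt could be computed roughly as follows. This is a minimal illustration under stated assumptions. `TaintLabel`, `SOURCE_EQUIVALENCE`, `taint_accuracy`, the sample IDs, and every source or sink name other than `user_input`, `llm_output`, and `code_execution` are hypothetical and are not taken from `oracle_eval.py`. Only the `user_input ≈ llm_output` equivalence comes from the note.

```python
from dataclasses import dataclass

# Assumption: the only equivalence in play is user_input ≈ llm_output,
# modeled here by mapping both onto one hypothetical canonical name.
SOURCE_EQUIVALENCE = {
    "user_input": "untrusted_input",
    "llm_output": "untrusted_input",
}


@dataclass(frozen=True)
class TaintLabel:
    """Hypothetical (source, sink) label for one benchmark sample."""
    source_type: str
    sink_type: str


def normalize(source_type: str) -> str:
    """Collapse equivalent source types; leave unknown types unchanged."""
    return SOURCE_EQUIVALENCE.get(source_type, source_type)


def taint_accuracy(expected, reported, relaxed=False):
    """Fraction of oracle samples whose reported label matches the oracle.

    Strict mode compares source types verbatim. Relaxed mode compares them
    after applying the equivalence mapping. Sink types must match in both.
    """
    if not expected:
        return 0.0
    hits = 0
    for sample_id, want in expected.items():
        got = reported.get(sample_id)
        if got is None:
            continue  # sample not detected at all
        want_src, got_src = want.source_type, got.source_type
        if relaxed:
            want_src, got_src = normalize(want_src), normalize(got_src)
        if want_src == got_src and want.sink_type == got.sink_type:
            hits += 1
    return hits / len(expected)


# Toy data, invented for illustration only.
oracle = {
    "S1": TaintLabel("user_input", "code_execution"),
    "S2": TaintLabel("llm_output", "code_execution"),
    "S3": TaintLabel("user_input", "sql_injection"),
    "S4": TaintLabel("file_read", "command_execution"),
}
findings = {
    "S1": TaintLabel("user_input", "code_execution"),  # exact match
    "S2": TaintLabel("user_input", "code_execution"),  # matches only when relaxed
    "S3": TaintLabel("llm_output", "code_execution"),  # sink mismatch in both modes
}

strict = taint_accuracy(oracle, findings)
relaxed = taint_accuracy(oracle, findings, relaxed=True)
print(f"strict={strict:.2f} relaxed={relaxed:.2f}")
```

On this toy data the strict score is 0.25 and the relaxed score is 0.50. Reporting both makes the part of the gain that comes from the equivalence mapping visible as the difference between the two.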
@@ -35,12 +35,33 @@ inputs:
     default: 'true'
 
 outputs:
+  total_findings:
+    description: 'Total number of security findings detected'
+    value: ${{ steps.scan.outputs.total_findings }}
+  critical_count:
+    description: 'Number of CRITICAL severity findings (security-severity >= 9.0)'
+    value: ${{ steps.scan.outputs.critical_count }}
+  high_count:
+    description: 'Number of HIGH severity findings (security-severity >= 7.0, < 9.0)'
+    value: ${{ steps.scan.outputs.high_count }}
+  medium_count:
+    description: 'Number of MEDIUM severity findings (security-severity >= 4.0, < 7.0)'
+    value: ${{ steps.scan.outputs.medium_count }}
+  low_count:
+    description: 'Number of LOW severity findings (security-severity < 4.0)'
+    value: ${{ steps.scan.outputs.low_count }}
+  scan_status:
+    description: 'Scan status: success (exit code 0) or failure (non-zero exit code, e.g. findings exceed the fail-on threshold)'
+    value: ${{ steps.scan.outputs.scan_status }}
+  sarif_file:
+    description: 'Path to the generated SARIF file (if format=sarif)'
+    value: ${{ steps.scan.outputs.sarif_file }}
   findings-count:
-    description: 'Total number of findings'
-    value: ${{ steps.scan.outputs.findings }}
+    description: 'Total number of findings (deprecated: use total_findings)'
+    value: ${{ steps.scan.outputs.total_findings }}
   exit-code:
-    description: 'Exit code from the scan (0 = pass, 1 = fail)'
-    value: ${{ steps.scan.outputs.exit-code }}
+    description: 'Exit code from scan (deprecated: use scan_status)'
+    value: ${{ steps.scan.outputs.exit_code }}
 
 runs:
   using: 'composite'
@@ -64,8 +85,9 @@ runs:
         ARGS="${{ inputs.path }}"
         ARGS="$ARGS --format ${{ inputs.format }}"
 
-        if [ "${{ inputs.format }}" == "sarif" ] || [ -n "${{ inputs.output }}" ]; then
-          ARGS="$ARGS --output ${{ inputs.output }}"
+        OUTPUT_FILE="${{ inputs.output }}"
+        if [ "${{ inputs.format }}" == "sarif" ] || [ -n "$OUTPUT_FILE" ]; then
+          ARGS="$ARGS --output $OUTPUT_FILE"
         fi
 
         ARGS="$ARGS --severity ${{ inputs.severity }}"
@@ -78,14 +100,62 @@ runs:
         agent-audit scan $ARGS
         EXIT_CODE=$?
 
-        echo "exit-code=$EXIT_CODE" >> $GITHUB_OUTPUT
+        # Set exit code and scan status
+        echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
+        if [ $EXIT_CODE -eq 0 ]; then
+          echo "scan_status=success" >> $GITHUB_OUTPUT
+        else
+          echo "scan_status=failure" >> $GITHUB_OUTPUT
+        fi
+
+        # Parse SARIF file to extract structured counts
+        if [ -f "$OUTPUT_FILE" ]; then
+          echo "sarif_file=$OUTPUT_FILE" >> $GITHUB_OUTPUT
+
+          # Total findings count
+          TOTAL=$(jq '.runs[0].results | length' "$OUTPUT_FILE" 2>/dev/null || echo "0")
+          echo "total_findings=$TOTAL" >> $GITHUB_OUTPUT
+
+          # Count findings by severity using rule security-severity scores
+          # CVSS-aligned thresholds: Critical>=9.0, High>=7.0, Medium>=4.0, Low<4.0
+          COUNTS=$(jq -r '
+            # Build a map of ruleId -> security-severity score
+            (
+              [.runs[0].tool.driver.rules[]? |
+               {key: .id, value: ((.properties."security-severity" // "0") | tonumber)}
+              ] | from_entries
+            ) as $sev_map |
+
+            # Count results by severity category
+            reduce (.runs[0].results[]?) as $r (
+              {critical: 0, high: 0, medium: 0, low: 0};
+              ($sev_map[$r.ruleId] // 0) as $score |
+              if $score >= 9 then .critical += 1
+              elif $score >= 7 then .high += 1
+              elif $score >= 4 then .medium += 1
+              else .low += 1
+              end
+            ) |
+            "critical_count=\(.critical)\nhigh_count=\(.high)\nmedium_count=\(.medium)\nlow_count=\(.low)"
+          ' "$OUTPUT_FILE" 2>/dev/null)
 
-        # Count findings from SARIF if available
-        if [ -f "${{ inputs.output }}" ]; then
-          FINDINGS=$(jq '.runs[0].results | length' "${{ inputs.output }}" 2>/dev/null || echo "0")
-          echo "findings=$FINDINGS" >> $GITHUB_OUTPUT
+          if [ -n "$COUNTS" ]; then
+            echo "$COUNTS" >> $GITHUB_OUTPUT
+          else
+            # Fallback if jq parsing fails
+            echo "critical_count=0" >> $GITHUB_OUTPUT
+            echo "high_count=0" >> $GITHUB_OUTPUT
+            echo "medium_count=0" >> $GITHUB_OUTPUT
+            echo "low_count=0" >> $GITHUB_OUTPUT
+          fi
         else
-          echo "findings=0" >> $GITHUB_OUTPUT
+          # No SARIF file - set all counts to 0
+          echo "sarif_file=" >> $GITHUB_OUTPUT
+          echo "total_findings=0" >> $GITHUB_OUTPUT
+          echo "critical_count=0" >> $GITHUB_OUTPUT
+          echo "high_count=0" >> $GITHUB_OUTPUT
+          echo "medium_count=0" >> $GITHUB_OUTPUT
+          echo "low_count=0" >> $GITHUB_OUTPUT
         fi
 
         exit $EXIT_CODE
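
Reviewer sketch (not part of the diff): the jq program added to action.yml builds a map from rule ID to `security-severity` and then buckets each result by that score. The same logic is easier to read and unit-test when written out in Python. The function name `count_by_severity`, the rule IDs, and the sample document below are hypothetical; the thresholds (9, 7, 4) and the default score of 0 for rules without a `security-severity` property mirror the jq filter.

```python
def count_by_severity(sarif: dict) -> dict:
    """Bucket SARIF results by their rule's security-severity score.

    Mirrors the jq filter: only runs[0] is inspected, rules without a
    security-severity property score 0, and results whose ruleId is
    unknown also score 0 (and therefore count as low).
    """
    runs = sarif.get("runs") or [{}]
    run = runs[0]
    driver = (run.get("tool") or {}).get("driver") or {}

    # Map of ruleId -> numeric score; scores are usually strings in SARIF.
    sev_map = {}
    for rule in driver.get("rules") or []:
        raw = (rule.get("properties") or {}).get("security-severity") or "0"
        sev_map[rule.get("id")] = float(raw)

    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for result in run.get("results") or []:
        score = sev_map.get(result.get("ruleId"), 0.0)
        if score >= 9:
            counts["critical"] += 1
        elif score >= 7:
            counts["high"] += 1
        elif score >= 4:
            counts["medium"] += 1
        else:
            counts["low"] += 1
    return counts


# Hypothetical SARIF fragment, invented for illustration only.
sample = {
    "runs": [{
        "tool": {"driver": {"rules": [
            {"id": "RULE-A", "properties": {"security-severity": "9.5"}},
            {"id": "RULE-B", "properties": {"security-severity": "7.0"}},
            {"id": "RULE-C", "properties": {"security-severity": "4.0"}},
            {"id": "RULE-D"},  # no score: treated as 0
        ]}},
        "results": [
            {"ruleId": "RULE-A"}, {"ruleId": "RULE-A"},
            {"ruleId": "RULE-B"}, {"ruleId": "RULE-C"},
            {"ruleId": "RULE-D"}, {"ruleId": "RULE-UNKNOWN"},
        ],
    }]
}

counts = count_by_severity(sample)
print(counts)
```

One consequence worth noting: a result whose rule carries no score lands in `low_count`, so a low count can include unscored findings as well as genuinely low-severity ones.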
 
@@ -0,0 +1,199 @@
+# Agent Audit Documentation
+
+> **Version:** v0.15.1
+> **CLI static analysis tool for AI agent security — "ESLint for AI agents"**
+
+---
+
+## For Users
+
+| Document | Description |
+|----------|-------------|
+| [Rule Reference](RULES.md) | Complete list of 40+ detection rules with OWASP mapping |
+| [CI/CD Integration](CI-INTEGRATION.md) | GitHub Actions, GitLab CI, Jenkins, Azure DevOps setup |
+| [API Stability](STABILITY.md) | Public interface stability guarantees |
+
+### Quick Start
+
+```bash
+# Install
+pip install agent-audit
+
+# Scan your project
+agent-audit scan ./my-agent-project
+
+# Output SARIF for GitHub Code Scanning
+agent-audit scan . --format sarif --output results.sarif
+```
+
+---
+
+## For Contributors
+
+| Document | Description |
+|----------|-------------|
+| [Architecture](ARCHITECTURE.md) | System design, module dependencies, extension points |
+| [Contributing](../CONTRIBUTING.md) | How to contribute rules, scanners, and fixes |
+
+### Development Setup
+
+```bash
+cd packages/audit
+poetry install
+poetry run pytest ../../tests/ -v
+```
+
+---
+
+## Architecture Overview
+
+```
+┌──────────────────────────────────────────────────────────────────┐
+│                          CLI Layer                                │
+│    scan.py  │  inspect_cmd.py  │  formatters/*.py                │
+└──────────────────────────────────┬───────────────────────────────┘
+                                   │
+┌──────────────────────────────────▼───────────────────────────────┐
+│                        Scanner Layer                              │
+│  ┌────────────────┐  ┌─────────────────┐  ┌─────────────────┐    │
+│  │ PythonScanner  │  │ MCPConfigScanner│  │  SecretScanner  │    │
+│  │   (AST-based)  │  │  (JSON/YAML)    │  │ (regex+semantic)│    │
+│  └────────────────┘  └─────────────────┘  └─────────────────┘    │
+└──────────────────────────────────┬───────────────────────────────┘
+                                   │
+┌──────────────────────────────────▼───────────────────────────────┐
+│                       Analysis Layer                              │
+│  ┌─────────────────┐  ┌─────────────────┐  ┌──────────────────┐  │
+│  │SemanticAnalyzer │  │  TaintTracker   │  │FrameworkDetector │  │
+│  │ (3-stage cred)  │  │  (data flow)    │  │  (FP reduction)  │  │
+│  └─────────────────┘  └─────────────────┘  └──────────────────┘  │
+└──────────────────────────────────┬───────────────────────────────┘
+                                   │
+┌──────────────────────────────────▼───────────────────────────────┐
+│                        Rules Engine                               │
+│              engine.py  +  rules/builtin/*.yaml                   │
+└──────────────────────────────────┬───────────────────────────────┘
+                                   │
+┌──────────────────────────────────▼───────────────────────────────┐
+│                         Data Models                               │
+│            Finding  │  Severity  │  Location  │  Category         │
+└──────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Scanners
+
+### PythonScanner
+**Input:** `.py` files
+**Method:** Python AST parsing
+**Detects:**
+- Dangerous function calls (`eval`, `exec`, `subprocess.run(shell=True)`)
+- `@tool` decorated functions and their permissions
+- SQL injection via string interpolation
+- Framework-specific patterns (LangChain, CrewAI, AutoGen)
+
+### SecretScanner
+**Input:** All text files
+**Method:** Regex patterns + Semantic analysis + Entropy calculation
+**Detects:**
+- Hardcoded API keys (AWS, OpenAI, Anthropic, etc.)
+- Database connection strings
+- Private keys and tokens
+
+### MCPConfigScanner
+**Input:** `claude_desktop_config.json`, MCP YAML configs
+**Method:** JSON/YAML parsing + Policy validation
+**Detects:**
+- Overly broad filesystem access
+- Unverified MCP server sources
+- Sensitive environment variable exposure
+- Missing authentication
+
+### PrivilegeScanner
+**Input:** Python files
+**Method:** AST pattern matching
+**Detects:**
+- Privilege escalation patterns
+- Unsandboxed subprocess execution
+- Credential store access
+
+---
+
+## Taint Analysis
+
+The `TaintTracker` module performs intra-procedural data flow analysis:
+
+### Components
+
+1. **TaintSource** — Entry points (function parameters, `os.getenv()`, `request.json()`)
+2. **TaintSink** — Dangerous operations (`subprocess.run`, `eval`, `cursor.execute`)
+3. **TaintFlow** — Tracks data propagation through assignments and operations
+4. **Sanitization Detection** — Identifies validation/sanitization nodes
+
+### Strategy
+
+- **Conservative:** If uncertain, assume tainted (minimize false negatives)
+- **Intra-procedural:** Analysis within single functions (no cross-function tracking yet)
+- **Contextual:** Adjusts confidence based on decorator context (`@tool` = higher confidence)
+
+---
+
+## Confidence Scoring
+
+All findings include a confidence score (0.0-1.0) and are assigned to tiers:
+
+| Tier | Confidence | Action |
+|------|------------|--------|
+| **BLOCK** | >= 0.90 | Fix immediately — very high confidence |
+| **WARN** | >= 0.60 | Should fix — high confidence |
+| **INFO** | >= 0.30 | Review recommended |
+| **SUPPRESSED** | < 0.30 | Likely false positive — auto-suppressed |
+
+### Confidence Factors
+
+- **Context:** Tool decorator (+), class method (neutral), standalone function (-)
+- **Value analysis:** High entropy (+), placeholder patterns (-)
+- **Framework detection:** Pydantic Field definitions (-), LangChain internals (-)
+- **File path:** Test files (-), example code (-)
+
+---
+
+## Limitations
+
+1. **Intra-procedural only** — Taint analysis does not track data flow across functions or files
+2. **Python only** — TypeScript/JavaScript MCP servers require separate tooling
+3. **Static analysis** — Cannot detect runtime-only vulnerabilities
+4. **Pattern-based** — Novel attack patterns may not be detected until rules are added
+5. **No symbolic execution** — Cannot reason about complex conditional logic
+
+---
+
+## Technical Specifications
+
+For detailed technical specifications (internal use):
+
+- [Security Analysis Specification](SECURITY-ANALYSIS-SPECIFICATION.md) — Detection methodology and threat mapping
+- [specs/technical-spec.md](../specs/technical-spec.md) — Full system architecture and implementation details
+- [specs/delta-spec.md](../specs/delta-spec.md) — Design decisions and refinements
+
+---
+
+## OWASP Agentic Top 10 Coverage
+
+Agent Audit covers all 10 categories of the [OWASP Agentic Top 10 (2026)](https://genai.owasp.org/):
+
+| ASI | Category | Rules |
+|-----|----------|-------|
+| ASI-01 | Agent Goal Hijacking | AGENT-010, 011, 027, 050 |
+| ASI-02 | Tool Misuse | AGENT-001, 026, 029, 032, 034-036, 040, 041 |
+| ASI-03 | Privilege Abuse | AGENT-002, 013, 014, 042 |
+| ASI-04 | Supply Chain | AGENT-004, 005, 015, 016, 030 |
+| ASI-05 | Code Execution | AGENT-003, 017, 031 |
+| ASI-06 | Memory Poisoning | AGENT-018, 019 |
+| ASI-07 | Inter-Agent Comms | AGENT-020 |
+| ASI-08 | Cascading Failures | AGENT-021, 022, 028 |
+| ASI-09 | Trust Exploitation | AGENT-023, 033, 037-039, 052 |
+| ASI-10 | Rogue Agents | AGENT-024, 025, 053 |
+
+**Coverage: 10/10 ASI categories, 40+ rules**
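
Reviewer sketch (not part of the diff): the tier table in the Confidence Scoring section of docs/README.md reads as a first-match cascade, so WARN effectively means 0.60 up to but not including 0.90, and INFO means 0.30 up to but not including 0.60. A minimal Python illustration follows. The function name `confidence_tier` is hypothetical and may not correspond to how Agent Audit implements tiering; only the tier names and thresholds come from the README.

```python
def confidence_tier(confidence: float) -> str:
    """Map a confidence score in [0.0, 1.0] to a tier name.

    Thresholds are checked from highest to lowest, so each tier
    implicitly excludes the range covered by the tiers above it.
    """
    if not 0.0 <= confidence <= 1.0:
        raise ValueError(f"confidence must be in [0.0, 1.0], got {confidence}")
    if confidence >= 0.90:
        return "BLOCK"
    if confidence >= 0.60:
        return "WARN"
    if confidence >= 0.30:
        return "INFO"
    return "SUPPRESSED"


for score in (0.95, 0.90, 0.60, 0.59, 0.29):
    print(score, confidence_tier(score))
```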