{"id":50516493,"url":"https://github.com/allsmog/kuzushi-security-plugin","last_synced_at":"2026-06-03T00:31:27.836Z","repository":{"id":360577177,"uuid":"1246121002","full_name":"allsmog/kuzushi-security-plugin","owner":"allsmog","description":"Autonomous, language-aware security pipeline for Claude Code: builds repo context, then x-ray → PASTA threat model → CVE threat-intel → invariant testing \u0026 adversarial threat-hunting. Wires conditional LSP/MCP tooling (tree-sitter, semgrep, CodeQL, Joern); promotes findings to a shared index. Self-contained, no external engine.","archived":false,"fork":false,"pushed_at":"2026-05-27T02:36:05.000Z","size":165,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-27T03:13:00.271Z","etag":null,"topics":["claude-code","claude-code-plugin","codeql","devsecops","joern","sast","security","semgrep","static-analysis","threat-intelligence","threat-modeling","tree-sitter"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/allsmog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-21T22:29:58.000Z","updated_at":"2026-05-27T02:36:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/allsmog/kuzushi-security-plugin","commit_stats":null,"previous_names":["allsmog/kuzushi-security-plugin"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/allsmog/kuzushi-security-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allsmog%2Fkuzushi-security-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allsmog%2Fkuzushi-security-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allsmog%2Fkuzushi-security-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allsmog%2Fkuzushi-security-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/allsmog","download_url":"https://codeload.github.com/allsmog/kuzushi-security-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allsmog%2Fkuzushi-security-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33843611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude-code","claude-code-plugin","codeql","devsecops","joern","sast","security","semgrep","static-analysis","threat-intelligence","threat-modeling","tree-sitter"],"created_at":"2026-06-03T00:31:24.427Z","updated_at":"2026-06-03T00:31:27.829Z","avatar_url":"https://github.com/allsmog.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kuzushi-security-plugin\n\n[![test](https://github.com/allsmog/kuzushi-security-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/allsmog/kuzushi-security-plugin/actions/workflows/test.yml)\n\n**A local-first vulnerability confirmation and remediation pipeline that lives inside Claude Code.**\n\nPoint it at source you already have checked out and kuzushi turns security review into a\nreproducible evidence pipeline: map the code, threat-model it, hunt source-to-sink paths, verify\nexploitability, build sandboxed proof, synthesize variant rules, and validate patches before they\ntouch your working tree.\n\nkuzushi is built for maintainers and product-security teams who need answers they can ship:\n\n- **Is it real?** Findings advance through explicit proof states instead of staying as scanner hits.\n- **Can I reproduce it?** Verification, PoC, fuzz, rule-pack, and patch artifacts stay under\n  `.kuzushi/` with provenance and policy digests.\n- **Can I fix it safely?** `/fix` validates exploit regression, functional behavior, and supported\n  semantic oracles in a sandbox copy before apply.\n- **Can I trust the workflow?** The plugin is local-first, policy-gated, network-denied by default\n  for locked profiles, and designed for auditable CI/SARIF output.\n\nIt is self-contained Node (no daemon, no hosted service): plain stdio MCP servers, skills, agents,\nschemas, and a SessionStart hook wire up Tree-sitter, Semgrep, CodeQL, Joern, fuzz harnesses, and\nlanguage tooling only when the repo needs them.\n\n```\ncontext ─► x-ray ─► threat-model ─► threat-intel ─► ┌ invariant-test ┐ ─► findings.json ─► verify ─► poc ─► fix\n (langs,    (entry    (PASTA DFD +    (CVEs for       └ threat-hunt   ┘     (open          (exploit-  (sandbox- (PoC⁺\n  deps)      points)   threats)        stack + peers)  (adversarial)         findings)      ability)    proven)   patch)\n                                                                                  │\n                                                                                  └─► mem-exploitability\n                                                                                      (memory-corruption tier\n                                                                                       + mitigation posture)\n```\n\nEach step writes an artifact under `.kuzushi/` that the next step consumes. You stay in\ncontrol: heavy or outbound steps **ask first**, and everything runs against your local repo.\n\n---\n\n## Scope \u0026 boundaries\n\nThis is a **local source-code** tool with static-first analysis and sandboxed dynamic proof\nfor harnessable targets. How complete that is depends on what you point it at.\n\n**Always in scope** (any target with source on disk): PASTA threat model, version-checked CVE\nintel, source→sink taint analysis, adversarial guard-bypass review, static exploitability\nverdicts, memory-corruption exploitability assessment, and a sandboxed PoC harness.\n\n**Web apps / HTTP services** — the plugin covers the *static* half of a grey-box review. Pair\nit with a dynamic tool (Burp / DAST) for the rest: browsing the live app, mapping observed\ntraffic (endpoints, parameters, cookies, roles) to handlers, and triggering against a running\ntarget. None of that lives here.\n\n**Libraries, native / systems code, parsers, CLIs** — there's no HTTP layer to proxy, so most\nof that dynamic half simply doesn't apply. Source→sink plus the sandboxed `/poc` harness is\nmuch of the standard workflow. The dynamic complement *here* is fuzzing: `/fuzz` creates a\ncampaign plan from confirmed/proven findings, executes runnable harnesses in the same offline\nsandbox model, triages/minimizes crashes, and only advances findings when empirical crash or\nsanitizer evidence exists.\n\n**Across the board:** it loads source, it does not *recover* it (no decompilation / bytecode);\n`/poc` proves the code in an isolated sandbox (`--network none`), not a deployed app. Findings are\ntriaged independently; `/chain` then reasons over them to surface multi-bug **attack chains** as an\nanalysis overlay (it does not auto-build a combined exploit — the chain is a documented composition).\n\n---\n\n## Install\n\n**Via the plugin marketplace (recommended):**\n\n```\n/plugin marketplace add allsmog/kuzushi-security-plugin\n/plugin install kuzushi-security-plugin@kuzushi-security\n```\n\nThen `npm install` once in the plugin directory (bundles the MCP SDK, tree-sitter grammars,\nand the TypeScript/Python language servers).\n\n**For local development:**\n\n```bash\ngit clone https://github.com/allsmog/kuzushi-security-plugin\ncd kuzushi-security-plugin \u0026\u0026 npm install\nclaude --plugin-dir .\n```\n\n\u003e Requires **Node ≥ 20**. Some analysis backends need a system toolchain (see [Tooling](#tooling)).\n\n---\n\n## Quickstart\n\n1. Start Claude Code in any source repo. The SessionStart hook **auto-builds repository\n   context** (file inventory, languages, component hints) and prints a status report.\n2. It then offers the next steps as you go — run x-ray, build a PASTA threat model, research\n   CVEs, hunt threats. Or drive them yourself with the skills below.\n\n```\n/deep-context        # deep system-understanding pass (modules, trust boundaries, invariants)\n/code-graph          # cache entry points + per-symbol caller counts (blast-radius signal)\n/traffic-map         # offline Burp/HAR import → correlate observed endpoints to source handlers\n/threat-model        # PASTA model → .kuzushi/threat-model.json (+ ASCII data-flow diagram)\n/threat-intel        # research critical/high CVEs (this stack + similar apps) → invariants\n/supply-chain        # dependency takeover/abandonment risk (maintainers, cadence) → findings\n/threat-hunt         # adversarial per-threat review → .kuzushi/findings.json\n/invariant-test      # check the CVE-derived invariants against the code\n/taint-analysis      # IRIS-style source→sink taint hunt (label sinks/sources → trace → triage)\n/sast                # semgrep scan → triage hits into findings.json\n/sharp-edges         # footgun APIs / dangerous defaults (misuse-resistance review) → findings\n/crypto-review       # timing side-channels, missing zeroization, weak crypto RNG → findings\n/authz               # authorization-model review: missing authz, IDOR, privilege escalation → findings\n/iac                 # config \u0026 container security: Dockerfile/k8s/Terraform misconfig → findings\n/diff-review         # security review of a change (regressions + blast radius) → findings\n/variant-hunt        # find siblings of a confirmed bug across the repo → findings.json\n/semgrep-rule        # distill confirmed findings into test-driven Semgrep rules\n/rule-synth          # distill confirmed findings into validated CodeQL/Joern rules (digest-attested pack)\n/verify              # reconstruct each open finding's trigger → exploitability verdict + PoC sketch\n/path-solve          # solve the guard predicate to reach a sink /verify left inconclusive (concolic-lite)\n/poc                 # build a harness for each verified finding, run it in a sandbox → empirical proof\n/fuzz                # plan/run/triage/minimize/promote local fuzz proof\n/mem-exploitability  # memory-corruption findings → exploitability tier + mitigation posture (assessment only)\n/fix                 # generate + PoC⁺-validate a patch per finding; apply behind explicit approval\n/chain               # link related findings into higher-impact attack chains (analysis overlay)\n/export-sarif        # export findings.json as SARIF 2.1.0 for CI / IDE code-scanning\n/doctor              # what's installed / missing, with install commands\n```\n\n---\n\n## Skills\n\n| Command | What it does | Writes |\n|---|---|---|\n| `/deep-context` | **Deep system-understanding pass** (before threat modeling). The context-analyst agent reads the code line-by-line where it matters and builds a grounded model — modules, entry points, actors, trust boundaries, data stores, and **system invariants** — with file:line evidence and anti-hallucination rules. **Context only** (no vuln-finding/fixes/severity); `/threat-model` consumes it. | `.kuzushi/deep-context.json` |\n| `/threat-model` | Agent builds a **PASTA** threat model in phases (objectives → scope → decomposition → threats) + an ASCII data-flow diagram. | `.kuzushi/threat-model.json`, `threat-model-dfd.txt` |\n| `/threat-intel` | Researches recent **critical/high CVEs** for the detected stack (version-checked) and **similar apps**, distilled into machine-checkable invariants. *(uses web search)* | `.kuzushi/threat-intel.json` |\n| `/invariant-test` | Verifies each CVE-derived invariant against the code with tree-sitter taint queries (CodeQL/Joern if built). | `.kuzushi/invariant-results.json` |\n| `/threat-hunt` | **Adversarial per-threat review** (the Carlini doctrine): state attacker capabilities → trace source→sink → bypass *every* guard → verdict from a closed set. Promotes verdicts to the findings index. | `.kuzushi/threat-hunt.json`, `findings.json` |\n| `/systems-hunt` | **Native / memory-safety review.** Scans for systems patterns (loadLibrary/JNI, `memcpy`/`Unsafe`/`gets`, archive parsers, deserialization, exec), then a subagent confirms reachability + memory-safety impact (OOB, UAF, integer overflow, RCE). Best on C/C++/Rust/native; promotes to findings. | `.kuzushi/systems-hunt.json`, `findings.json` |\n| `/taint-analysis` | **IRIS-style source→sink taint hunt.** Ranks a typed CWE catalog for the repo, then runs subagents in sequence — label dangerous **sinks** → label **sources** of user input → trace source→sink with **Joern/CodeQL** queries (or same-file linking) → **triage** each flow `finding`/`candidate`/`rejected` with an evidence level (`path`/`linked`/`candidate`). Deeper with a prebuilt DB/CPG; degrades gracefully without. | `.kuzushi/taint-analysis.json`, `findings.json` |\n| `/supply-chain` | **Dependency takeover/abandonment risk.** Parses manifests for direct deps, then the supply-chain-auditor agent rates each by maintainer count, popularity, CVE history, and release cadence (via `gh` + web), promoting high→finding / medium→candidate (`source: supply-chain`). Complements `/threat-intel` (CVEs). *Uses the network — asks first.* | `.kuzushi/supply-chain.json`, `findings.json` |\n| `/diff-review` | **Change-focused security review.** Resolves a base ref, risk-scores changed files, then the diff-reviewer agent walks source→sink on the new code, uses `git blame` to catch **regressions**, and estimates **blast radius** by caller count. Threat-hunt verdict set. Needs git. | `.kuzushi/diff-review.json`, `findings.json` |\n| `/sharp-edges` | **Misuse-resistance review.** Scans for footgun APIs / dangerous defaults, then the sharp-edges-analyzer agent reasons through three adversaries (scoundrel / lazy / confused dev) across six categories (e.g. JWT `alg:none`, TLS verify off, stringly-typed auth). Distinct from `/sast` (injection). | `.kuzushi/sharp-edges.json`, `findings.json` |\n| `/sast` | **Semgrep SAST pass.** The sast-triager agent runs `semgrep:scan`, then reads the source behind each hit to classify it `finding`/`candidate`/`rejected` (scanner hits are leads, not findings). Promotes the kept ones into findings. Needs semgrep installed. | `.kuzushi/sast.json`, `findings.json` |\n| `/crypto-review` | **Crypto-misuse review.** The crypto-reviewer agent confirms each candidate handles a secret, then flags timing side-channels (variable-time compare of a MAC/token, CWE-208), missing/elidable zeroization (CWE-226/14), and non-cryptographic RNG minting secrets (CWE-338). Distinct from `/sast` and `/sharp-edges`. | `.kuzushi/crypto-review.json`, `findings.json` |\n| `/authz` | **Authorization-model review.** Scans endpoints + object-access-by-id sites; the authz-reviewer agent finds missing authz (CWE-862), IDOR / broken object-level authz (CWE-639), privilege escalation, and broken ownership. | `.kuzushi/authz.json`, `findings.json` |\n| `/iac` | **Config \u0026 container security.** Scans Dockerfiles, Kubernetes/Compose, and Terraform/IaC for misconfigurations (privileged containers, root, unpinned images, hardcoded secrets, public network/storage, disabled TLS); the iac-reviewer agent confirms each in context. | `.kuzushi/iac.json`, `findings.json` |\n| `/traffic-map` | **Offline Burp/HAR import.** Parses a HAR or Burp \"Save items\" XML export into observed endpoints, then the traffic-mapper agent correlates each to its source handler (x-ray + code-graph) and flags the gaps the traffic reveals (shadow surface, unauthenticated mutating endpoints, params reaching sinks). Offline — no proxy. | `.kuzushi/traffic-map.json`, `findings.json` |\n| `/export-sarif` | **SARIF export.** Deterministic transform of `findings.json` into SARIF 2.1.0 (`.kuzushi/findings.sarif`) for CI code-scanning, dashboards, and IDEs — one rule per CWE, severity→level, fingerprints carried. `all` includes reviewed/noise too. | `.kuzushi/findings.sarif` |\n| `/variant-hunt` | **Variant analysis.** For each confirmed/proven finding (the *seed*), the variant-hunter agent sweeps the repo for other sites with the same bug class — exact-match → generalize one step at a time (ripgrep → Semgrep → CodeQL/Joern) → triage each. Promotes variants into findings with `refId` `variant-of:\u003cseed\u003e` so they trace back to origin. Requires a confirmed finding first. | `.kuzushi/variant-hunt.json`, `findings.json` |\n| `/semgrep-rule` | **Test-driven detection from a confirmed bug.** For each seed finding, the semgrep-rule-author agent writes a positive/negative fixture and a Semgrep rule matching the bug shape under `.kuzushi/rules/`, validates it with `semgrep:scan`, and indexes it. The rules seed `/variant-hunt` and `/sast`. | `.kuzushi/rules/*.yaml`, `semgrep-rules.json` |\n| `/rule-synth` | **Validated CodeQL/Joern rules from a confirmed bug** — the heavy semantic engines `/semgrep-rule` doesn't cover. The rule-synthesist agent writes a query per seed; a **native gate** (compile → fire-on-seed → repo-run → precision-cap) accepts only passing rules into a **digest-attested pack** (`.kuzushi/rules/{codeql,joern}/` + `pack.json`). The codeql/joern MCP servers refuse to run a pack query whose bytes don't match the manifest, so generated queries are validated before they execute. New matches promote as `candidate` leads. Needs a built CodeQL DB / Joern CPG. | `.kuzushi/rules/{codeql,joern}/`, `pack.json`, `rule-synth.json`, `findings.json` |\n| `/verify` | **Exploitability verification** of the open findings: reconstruct source→sink, build a concrete trigger, defeat every guard → verdict (`confirmed-exploitable` / `not-exploitable` / `inconclusive`) + confidence + PoC sketch. Read-only; attaches a `verification` block onto each finding and tags the PoC-ready ones. | `.kuzushi/verify.json`, `findings.json` |\n| `/path-solve` | **Concolic-lite path solving** for findings `/verify` left `inconclusive`. The path-solver agent extracts the guard predicate between source and sink (tree-sitter) and solves it into a concrete reaching input — via the optional concolic MCP backend (**Z3** for numeric/string, **CrossHair** for Python) when installed, else by reasoning (LLM). Attaches a `pathSolution` block that feeds `/verify` + `/fuzz`. Heuristic, not a proof. | `.kuzushi/path-solve.json`, `findings.json` |\n| `/poc` | **Empirical proof**: for each verified finding, synthesize a minimal harness and run it in a sandbox (Docker `--network none`, else a gated local run) — a crash/expected exit is the proof. Attaches a `poc` block (`proofLevel`/`proofVerdict`) onto each finding. | `.kuzushi/poc.json`, `findings.json` |\n| `/fuzz` | **Consolidated fuzz proof loop.** Plans a fuzz campaign from confirmed/proven findings, creates harness directories, runs declared harness commands offline, groups crashes, records minimization status, and promotes only `proofVerdict:\"exploited\"` evidence to `proven`. Lower-level `/fuzz-init`, `/fuzz-run`, `/fuzz-triage`, `/fuzz-minimize`, and `/fuzz-promote` remain replay/debug stages. | `.kuzushi/fuzz/*.json`, `findings.json` |\n| `/mem-exploitability` | **Memory-corruption exploitability assessment.** For each memory-safety finding, an agent works the analysis phases — vuln shape, control/offset plausibility, input constraints, and **mitigation posture** (NX/PIE/canary/RELRO/FORTIFY/CFG from build flags + read-only binary inspection via checksec/readelf/otool) — and assigns an exploitability **tier** (`crash-only`/`dos`/`info-leak`/`control-flow-hijack-plausible`/`likely-code-exec`) + remediation. **Assessment only** — no shellcode, ROP chains, or mitigation bypasses; empirical crash proof stays in `/poc`. Attaches an `exploitability` block onto each finding. | `.kuzushi/mem-exploitability.json`, `findings.json` |\n| `/fix` | **Patch generation + PoC⁺ validation.** For each confirmed/proven finding, an agent root-causes the bug and writes a minimal **defensive** unified-diff patch + functional and semantic checks. The host applies it to a **sandbox copy**, re-runs the existing PoC harness (must no longer fire), the functional check, and the semantic oracle check for supported CWEs — a patch is **`validated`** only if all required gates pass. The working tree is never modified until you **explicitly approve** the apply step (one finding at a time; native Allow/Deny + a rollback command). Status advances `patched` → `remediated` on apply. | `.kuzushi/fix.json`, `findings.json` |\n| `/chain` | **Cross-finding attack chains.** The chain-finder agent reasons over the findings index for compositions (precondition → pivot → impact) — e.g. an auth bypass that turns a read-only SSRF into internal RCE, or a `/mem-exploitability` info-leak that defeats a canary for a control-flow hijack — and records each chain (ordered narrative + member fingerprints), attaching a `chains` ref onto each member (status unchanged). An analysis overlay, not a combined exploit. | `.kuzushi/chains.json`, `findings.json` |\n| `/code-graph` | Builds a cached **code-graph** — entry points + per-symbol **caller counts** (blast-radius / attack-surface signal) — via a deterministic ripgrep heuristic (no heavy tooling). `/diff-review` reads it for deterministic blast radius; hunters consult it for reachability. | `.kuzushi/code-graph.json` |\n| `/build-databases` | Builds the **CodeQL database** + **Joern CPG** (async, in the background) that power the deep-query backends. | `.kuzushi/codeql-db/`, `joern/cpg.bin.zip` |\n| `/install` | Vendors / installs the tooling relevant to the repo's languages. | `vendor/` |\n| `/doctor` | Preflight: Node deps, MCP server health, CLI/LSP install status + install hints. | — |\n\nSkills are backed by purpose-built subagents (`context-analyst`, `threat-modeler`, `threat-intel-researcher`,\n`threat-hunter`, `systems-hunter`, `invariant-tester`, `verifier`, `poc-builder`,\n`mem-exploit-analyst`, `variant-hunter`, `sast-triager`, `semgrep-rule-author`, `supply-chain-auditor`,\n`diff-reviewer`, `sharp-edges-analyzer`, `crypto-reviewer`, `fuzz-harness-author`, `path-solver`,\n`iac-reviewer`, `authz-reviewer`, `traffic-mapper`, `rule-synthesist`,\n`fixer`, `chain-finder`) that run in isolated context and\ninherit the plugin's MCP tools. `/taint-analysis` is a **coordinator** that sequences four of\nthem — `taint-sink-labeler` and `taint-source-labeler` (in parallel), then `taint-flow-tracer`,\nthen `taint-triager` — passing data through staged JSON drafts.\n\n### Companion skills\n\nkuzushi stays focused on white-box source→sink work. For orthogonal angles — config/secrets\ndefaults, supply-chain risk, crypto side-channels, per-PR diffs — the\n[Trail of Bits skills](https://github.com/trailofbits/skills) marketplace installs alongside\nkuzushi and complements it. See **[docs/COMPANIONS.md](docs/COMPANIONS.md)** for which to add and\nthe gap each fills.\n\n---\n\n## Tooling — conditional \u0026 self-installing\n\nThe plugin only spins up what your repo needs, and installs what it can.\n\n- **LSP** is gated by file extension automatically — Go tooling never starts in a Java repo.\n  `typescript-language-server` and `pyright` ship bundled; `gopls`/`jdtls`/`rust-analyzer`/\n  `clangd` resolve from a vendored copy or your PATH.\n- **MCP servers** (always connected, self-reporting): a self-gating **tree-sitter** server\n  (AST + taint source/sink queries, scoped to detected languages) plus wrappers for\n  **semgrep, CodeQL, Joern, gtags, codegraph** — each returns a structured \"missing\" until its\n  CLI is present.\n- **Vendoring**: light tools (rust-analyzer, clangd, jdtls, codegraph) can auto-install in the\n  background on first session in `developer-fast`; `review-safe` and `ci-locked` disable surprise\n  downloads. Heavy ones (CodeQL ~1 GB, Joern ~2 GB) are opt-in via `/install codeql|joern`.\n  Install state records source URLs and digests where available.\n- **Databases**: `/build-databases` creates the CodeQL DB + Joern CPG **asynchronously** (logs\n  to `.kuzushi/db-build.log`) so deep semantic queries work without blocking your session.\n\nRun `/doctor` any time to see exactly what's available — including the effective\n**tool-boundary policy**.\n\n**System prerequisites** (only for the tools you use): Java 17+ (jdtls, Joern), Go (gopls),\nPython (semgrep). The plugin tells you what's missing and how to get it.\n\n### Trust plane\n\nThe analyzer query surface, working-tree writes, hook error posture, and tool downloads are governed by a policy\n(`policy.default.json`, override per-repo with `.kuzushi/policy.json`). Always-on: CodeQL/Joern\nquery **path-confinement** (no escapes to `~/.ssh`, `/etc`, …) and an inline-script **size cap**.\nConfigurable profiles:\n\n- `developer-fast`: raw queries allowed, hook errors fail open, light auto-install enabled.\n- `review-safe`: raw queries require approval, hook errors block, auto-install disabled.\n- `ci-locked`: raw queries denied, git apply denied, network installs denied, hook errors fail closed.\n\nEvery artifact carries a `provenance` block (toolchain/repo/scope/policy digests). See\n[docs/HARDENING.md](docs/HARDENING.md).\n\n---\n\n## How it works\n\nEverything persists under `.kuzushi/` in the target repo. Two artifacts are **forward\ncontracts** that later steps (and your own tooling) build on:\n\n- **Invariants** (`threat-intel.json.invariants[]`) — `{ statement, cwe, severity, sourceCves,\n  sourceSignals, sinkSignals, sanitizerSignals, taintClass, languages, checkHint }`. CVE\n  intelligence turned into checkable assertions.\n- **Findings** (`findings.json`) — versioned as `findings.v1` / `finding.v1` with\n  `{ fingerprint, source, refId, title, severity, cwe, verdict, status, proofState,\n  evidence:[{filePath,startLine}], rationale, nextChecks }`, deduped by fingerprint.\n  The proof ladder is explicit: `lead/candidate → open → confirmed → proven → patched →\n  remediated`, with reviewed/noise states kept separate. `/verify`, `/poc`, `/fuzz`,\n  and `/fix` attach `verification`, `poc`, `fuzz`, and `fix` blocks instead of replacing the\n  finding, so a finding accretes its full discovery → proof → remediation story in one place.\n\nSchemas live under `schemas/`, and `npm run bench:smoke` verifies the core contracts plus SARIF\nmetadata and locked policy behavior. See [BENCHMARKS.md](BENCHMARKS.md).\n\nIt's a faithful Node port/adaptation of the [kuzushi](#acknowledgements) security toolkit —\nno Rust build, no external binary, no daemon.\n\n## Hardening\n\nkuzushi opens **source you may not trust**, which changes the threat model for your own session.\nThe plugin ships `PreToolUse` guardrail hooks that block `rm -rf`, `git push` to `main`/`master`,\nand reads of secret paths (`~/.ssh`, `~/.aws`, keychains, wallets, registry tokens). Hook errors\nfail open only in `developer-fast`; `review-safe` and `ci-locked` block on hook errors. For the\nuser-level settings a plugin can't set itself — notably `enableAllProjectMcpServers: false` so a\ntarget repo's own `.mcp.json` is never auto-loaded — see **[docs/HARDENING.md](docs/HARDENING.md)**.\n\n## Privacy\n\nAll analysis runs **locally** against your repo. The only steps that reach the network are\n`/threat-intel` (web search for CVEs) and optional tool downloads in `/install` /\n`/build-databases`, and those are policy-gated. Nothing is uploaded.\n\n## Contributing\n\nIssues and PRs welcome. The codebase is small, dependency-light Node; each capability is a\n`prepare → agent → assemble` trio under `scripts/cmd/` with a matching skill + agent. Run\n`/doctor` to validate your environment.\n\nRun **`npm test`** before sending a change — `test/` covers the shared-lib contracts the whole\npipeline depends on (findings index + schema, verdict→status maps, the policy/attestation gate,\nand the rule-synth / fix / chain / mem-exploitability validators) with Node's built-in runner (no\nextra deps). Engine-backed tests (a real Joern `/rule-synth` run) self-skip when the CLI is absent,\nso the suite is green offline and exercises the real path in CI where Joern/CodeQL exist.\n\n## License\n\n[MIT](LICENSE).\n\n## Acknowledgements\n\nPorts and adapts the **kuzushi** security toolkit (PASTA staging, the Carlini adversarial\nthreat-hunt doctrine, the analysis-engine conventions). Thanks to the CodeQL, Joern,\nSemgrep, tree-sitter, and Eclipse JDT projects whose tools this orchestrates.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallsmog%2Fkuzushi-security-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fallsmog%2Fkuzushi-security-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallsmog%2Fkuzushi-security-plugin/lists"}