Skip to content

feat: DI-aware forward tracing and get_static_dependencies tool for agentic enhancer#60

Draft
joshbouncesecurity wants to merge 1 commit into
knostic:masterfrom
joshbouncesecurity:feat/issue16-07-ts-di-enhancer
Draft

feat: DI-aware forward tracing and get_static_dependencies tool for agentic enhancer#60
joshbouncesecurity wants to merge 1 commit into
knostic:masterfrom
joshbouncesecurity:feat/issue16-07-ts-di-enhancer

Conversation

@joshbouncesecurity
Copy link
Copy Markdown
Contributor

@joshbouncesecurity joshbouncesecurity commented May 12, 2026

Context

Split from #39 per reviewer request — the agentic enhancer changes have a different risk profile from the parser changes and warrant a separate eval pass before merging.

Summary

  • Adds get_static_dependencies tool to the agentic enhancer's tool set, so the exploration agent can retrieve statically-resolved callee and caller IDs and examine them with read_function
  • Adds resolve_dependencies() to RepositoryIndex to map raw function IDs / qualified names back to function metadata
  • Adds set_unit_context() to ToolExecutor so per-unit static dep data is available when the tool is called
  • Updates the enhancer prompt to instruct the agent to trace forward into called functions (service/repository methods) and check for delegated authorization or validation before classifying a finding as EXPLOITABLE

Why independent of #39

The parser DI changes (#39) improve call graph edges regardless of how the LLM consumes them. This PR changes what the LLM does with those edges (and with the existing call graph for all languages). The classification impact — particularly the new "delegated security controls" branch — needs a before/after eval on a known dataset before hitting production.

Test plan

  • test_enhancer_tools.py: resolve_dependencies, get_static_dependencies via ToolExecutor, context reset between units
  • Before/after eval comparing verdict distributions on a representative scan corpus (EXPLOITABLE / VULNERABLE_INTERNAL / NEUTRAL / SECURITY_CONTROL rates)

🤖 Generated with Claude Code

@joshbouncesecurity @claude
feat: add get_static_dependencies tool and DI-aware forward tracing t…
b543a21 
…o agentic enhancer

Adds `get_static_dependencies` tool so the exploration agent can retrieve
call graph data (callee IDs, caller IDs) resolved from static analysis,
then use `read_function` to examine service/repository methods for
authorization and validation checks.

Also updates the enhancer prompt to instruct the agent to trace forward
into called functions before classifying a finding as EXPLOITABLE, since
security controls are often delegated to the service layer in NestJS codebases.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@joshbouncesecurity joshbouncesecurity mentioned this pull request May 12, 2026
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sounil sounil Awaiting requested review from sounil sounil will be requested when the pull request is marked ready for review sounil is a code owner

@shahar-davidson shahar-davidson Awaiting requested review from shahar-davidson shahar-davidson will be requested when the pull request is marked ready for review shahar-davidson is a code owner

@yotamleo yotamleo Awaiting requested review from yotamleo yotamleo will be requested when the pull request is marked ready for review yotamleo is a code owner

@dgeyshis dgeyshis Awaiting requested review from dgeyshis dgeyshis will be requested when the pull request is marked ready for review dgeyshis is a code owner

@ar7casper ar7casper Awaiting requested review from ar7casper ar7casper will be requested when the pull request is marked ready for review ar7casper is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joshbouncesecurity