Session 92: Add P0/P1/P2 security tools to Java orchestrator

- Add gitleaks, checkov, trivy, grype, spectral, graphql-cop to
  JAVA_TOOL_CATEGORIES mapping
- Update shouldJavaToolRun() to check P0/P1/P2 categories
  (secrets, iacSecurity, containerSecurity, apiDesign, graphqlSecurity)
- Add P0/P1/P2 tools to getToolsToRun() based on analysis mode:
  - P0 (secrets): gitleaks - fast/standard/thorough/complete
  - P0 (iac): checkov - standard/thorough/complete
  - P0 (container): trivy, grype - standard/thorough/complete
  - P1 (api): spectral - thorough/complete
  - P1 (graphql): graphql-cop - thorough/complete
- Update getAgentToolCategories() to include P0/P1/P2 tools
- Add executeUniversalTool() handlers for all new tools:
  - SecretScanner.runGitleaks() for secret detection
  - IaCScanner.runCheckov() for IaC security
  - ContainerScanner.scanDockerfiles() for Trivy
  - ContainerScanner.scanFilesystemWithGrype() for Grype
  - runSpectral() for API schema validation
  - runGraphQLScanner() for GraphQL security

This enables the full P0/P1/P2 tool suite for Java PR analysis,
matching the tool configurations in analysis-modes.ts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: alpsla

packages/agents/src/two-branch/tools/base-tool-orchestrator.ts

@@ -528,6 +528,169 @@ export abstract class BaseToolOrchestrator {
           break;
         }
 
+        // ============================================================
+        // SESSION 92: P0/P1/P2 Universal Security Tools
+        // ============================================================
+
+        case 'gitleaks': {
+          // P0: Secret detection
+          logger.info('🔐 Running Gitleaks secret detection...');
+          const { SecretScanner } = await import('./universal');
+          const scanner = new SecretScanner();
+          const secretResult = await scanner.runGitleaks(repoPath);
+          issues = secretResult.issues.map(issue => ({
+            id: `gitleaks-${issue.file}-${issue.line}`,
+            tool: 'gitleaks',
+            file: issue.file,
+            line: issue.line,
+            severity: issue.severity,
+            title: issue.ruleId,
+            description: issue.description,
+            category: 'Security',
+            rule: issue.ruleId,
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Security',
+            impact: 'Exposed secrets can lead to unauthorized access',
+            businessImpact: 'High risk of credential theft and data breach'
+          }));
+          logger.info(`🔐 Gitleaks completed: ${issues.length} secrets found`);
+          break;
+        }
+
+        case 'checkov': {
+          // P0: IaC security scanning
+          logger.info('🏗️ Running Checkov IaC security scan...');
+          const { IaCScanner } = await import('./universal');
+          const iacScannerInstance = new IaCScanner();
+          const iacResult = await iacScannerInstance.runCheckov(repoPath);
+          issues = iacResult.issues.map(issue => ({
+            id: `checkov-${issue.file}-${issue.line}`,
+            tool: 'checkov',
+            file: issue.file,
+            line: issue.line,
+            severity: issue.severity,
+            title: issue.checkId,
+            description: issue.description,
+            category: 'Security',
+            rule: issue.checkId,
+            cwe: issue.guideline,
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Security',
+            impact: 'Infrastructure misconfiguration',
+            businessImpact: 'May expose cloud resources to attacks'
+          }));
+          logger.info(`🏗️ Checkov completed: ${issues.length} IaC issues found`);
+          break;
+        }
+
+        case 'trivy': {
+          // P0: Container security scanning (scans Dockerfiles)
+          logger.info('🐳 Running Trivy container security scan...');
+          const { ContainerScanner } = await import('./universal');
+          const containerScannerInstance = new ContainerScanner();
+          const trivyResult = await containerScannerInstance.scanDockerfiles(repoPath);
+          // Convert Dockerfile issues to Issue format
+          issues = (trivyResult.dockerfileIssues || []).map(issue => ({
+            id: `trivy-dockerfile-${issue.file}-${issue.line}`,
+            tool: 'trivy',
+            file: issue.file,
+            line: issue.line,
+            severity: issue.severity === 'negligible' ? 'low' as const : issue.severity,
+            title: issue.rule,
+            description: issue.message,
+            category: 'Security',
+            rule: issue.rule,
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Security',
+            impact: 'Container security misconfiguration',
+            businessImpact: 'May allow container escape or privilege escalation'
+          }));
+          logger.info(`🐳 Trivy completed: ${issues.length} container issues found`);
+          break;
+        }
+
+        case 'grype': {
+          // P0: SBOM-based vulnerability scanning
+          logger.info('📦 Running Grype SBOM vulnerability scan...');
+          const { ContainerScanner: GrypeScanner } = await import('./universal');
+          const grypeInstance = new GrypeScanner();
+          const grypeResult = await grypeInstance.scanFilesystemWithGrype(repoPath);
+          issues = grypeResult.vulnerabilities.map(vuln => ({
+            id: `grype-${vuln.pkgName}-${vuln.vulnerabilityId}`,
+            tool: 'grype',
+            file: 'package dependencies',
+            line: 1,
+            severity: vuln.severity === 'negligible' ? 'low' as const : vuln.severity,
+            title: vuln.vulnerabilityId,
+            description: `${vuln.pkgName}@${vuln.installedVersion}: ${vuln.title}`,
+            category: 'Dependency',
+            rule: vuln.vulnerabilityId,
+            cwe: vuln.cvss?.toString(),
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Dependency',
+            impact: 'Known vulnerability in dependency',
+            businessImpact: 'May be exploited by attackers'
+          }));
+          logger.info(`📦 Grype completed: ${issues.length} vulnerabilities found`);
+          break;
+        }
+
+        case 'spectral': {
+          // P1: API schema validation
+          logger.info('📋 Running Spectral API schema validation...');
+          const { runSpectral } = await import('./universal');
+          const spectralResult = await runSpectral(repoPath);
+          issues = spectralResult.issues.map(issue => ({
+            id: `spectral-${issue.file}-${issue.line}-${issue.ruleId}`,
+            tool: 'spectral',
+            file: issue.file,
+            line: issue.line,
+            severity: issue.severity,
+            title: issue.ruleId,
+            description: issue.message,
+            category: 'Architecture',
+            rule: issue.ruleId,
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Architecture',
+            impact: 'API schema design issue',
+            businessImpact: 'May cause API compatibility or security issues'
+          }));
+          logger.info(`📋 Spectral completed: ${issues.length} API schema issues found`);
+          break;
+        }
+
+        case 'graphql-cop':
+        case 'graphql-scanner': {
+          // P1: GraphQL security scanning
+          logger.info('🔮 Running GraphQL security scan...');
+          const { runGraphQLScanner } = await import('./universal');
+          const gqlResult = await runGraphQLScanner(repoPath);
+          issues = gqlResult.issues.map(issue => ({
+            id: `graphql-${issue.file || 'unknown'}-${issue.line || 0}-${issue.ruleId}`,
+            tool: 'graphql-cop',
+            file: issue.file || 'graphql-schema',
+            line: issue.line || 1,
+            severity: issue.severity,
+            title: issue.ruleId,
+            description: issue.message,
+            category: 'Security',
+            rule: issue.ruleId,
+            cwe: issue.impact,
+            // Required V9 Issue fields
+            status: 'new' as const,
+            agent: 'Security',
+            impact: 'GraphQL API security issue',
+            businessImpact: 'May allow unauthorized data access or DoS'
+          }));
+          logger.info(`🔮 GraphQL scan completed: ${issues.length} security issues found`);
+          break;
+        }
+
         default:
           throw new Error(`Unknown universal tool: ${toolName}`);
       }

packages/agents/src/two-branch/tools/java/java-tool-orchestrator.ts

@@ -163,6 +163,7 @@ export const DEFAULT_JAVA_CONFIG: JavaToolConfig = {
  * Java tool category mapping
  * SESSION 57 Part 5: Added jdepend for architecture analysis
  * SESSION 58: Added performance static analysis
+ * SESSION 92: Added P0/P1/P2 universal tools
  */
 const JAVA_TOOL_CATEGORIES = {
   pmd: ToolCategory.CODE_QUALITY,
@@ -171,19 +172,32 @@ const JAVA_TOOL_CATEGORIES = {
   checkstyle: ToolCategory.STYLE_LINT,
   spotbugs: ToolCategory.ADVANCED,
   jdepend: ToolCategory.ADVANCED,  // Architecture analysis
-  performance: ToolCategory.ADVANCED  // Static performance analysis
+  performance: ToolCategory.ADVANCED,  // Static performance analysis
+  // P0: Secret detection (Session 92)
+  gitleaks: ToolCategory.SECRETS,
+  // P0: IaC security (Session 92)
+  checkov: ToolCategory.IAC_SECURITY,
+  // P0: Container security (Session 92)
+  trivy: ToolCategory.CONTAINER_SECURITY,
+  grype: ToolCategory.CONTAINER_SECURITY,
+  // P1: API schema validation (Session 92)
+  spectral: ToolCategory.API_DESIGN,
+  // P1: GraphQL security (Session 92)
+  'graphql-cop': ToolCategory.GRAPHQL_SECURITY
 };
 
 /**
  * Check if a Java tool should run based on analysis mode
+ * SESSION 92: Added P0/P1/P2 tool category checks
  */
 function shouldJavaToolRun(toolName: string, mode: AnalysisMode): boolean {
   const category = JAVA_TOOL_CATEGORIES[toolName as keyof typeof JAVA_TOOL_CATEGORIES];
   if (!category) return false;
-  
+
   const modeConfig = UNIVERSAL_ANALYSIS_MODES[mode];
-  
+
   switch (category) {
+    // Core categories
     case ToolCategory.CODE_QUALITY:
       return modeConfig.toolCategories.codeQuality;
     case ToolCategory.SECURITY:
@@ -194,6 +208,21 @@ function shouldJavaToolRun(toolName: string, mode: AnalysisMode): boolean {
       return modeConfig.toolCategories.styleLint;
     case ToolCategory.ADVANCED:
       return modeConfig.toolCategories.advanced;
+    // P0 categories (Session 92)
+    case ToolCategory.SECRETS:
+      return modeConfig.toolCategories.secrets;
+    case ToolCategory.IAC_SECURITY:
+      return modeConfig.toolCategories.iacSecurity;
+    case ToolCategory.CONTAINER_SECURITY:
+      return modeConfig.toolCategories.containerSecurity;
+    // P1 categories (Session 92)
+    case ToolCategory.API_DESIGN:
+      return modeConfig.toolCategories.apiDesign;
+    case ToolCategory.GRAPHQL_SECURITY:
+      return modeConfig.toolCategories.graphqlSecurity;
+    // P2 categories
+    case ToolCategory.ARCHITECTURE:
+      return modeConfig.toolCategories.architecture;
     default:
       return false;
   }
@@ -308,6 +337,39 @@ export class JavaToolOrchestrator extends BaseToolOrchestrator {
       tools.push('performance');
     }
 
+    // ============================================================
+    // SESSION 92: P0/P1/P2 Universal Security Tools
+    // These are language-agnostic tools handled by base orchestrator
+    // ============================================================
+
+    // P0: Secret detection (gitleaks) - enabled in fast/standard/thorough/complete
+    if (shouldJavaToolRun('gitleaks', mode)) {
+      tools.push('gitleaks');
+    }
+
+    // P0: IaC security (checkov) - enabled in standard/thorough/complete
+    if (shouldJavaToolRun('checkov', mode)) {
+      tools.push('checkov');
+    }
+
+    // P0: Container security (trivy, grype) - enabled in standard/thorough/complete
+    if (shouldJavaToolRun('trivy', mode)) {
+      tools.push('trivy');
+    }
+    if (shouldJavaToolRun('grype', mode)) {
+      tools.push('grype');
+    }
+
+    // P1: API schema validation (spectral) - enabled in thorough/complete
+    if (shouldJavaToolRun('spectral', mode)) {
+      tools.push('spectral');
+    }
+
+    // P1: GraphQL security (graphql-cop) - enabled in thorough/complete
+    if (shouldJavaToolRun('graphql-cop', mode)) {
+      tools.push('graphql-cop');
+    }
+
     return tools;
   }
 
@@ -357,15 +419,24 @@ export class JavaToolOrchestrator extends BaseToolOrchestrator {
 
   /**
    * SESSION 57 Part 5: Override to include JDepend under Architecture
+   * SESSION 92: Added P0/P1/P2 tools
    */
   protected getAgentToolCategories(): Record<string, string[]> {
     return {
-      'Security': ['semgrep', 'dependency-check', 'spotbugs'],  // SpotBugs can find security issues
+      // Core tools
+      'Security': [
+        'semgrep', 'dependency-check', 'spotbugs',
+        // P0 security tools (Session 92)
+        'gitleaks', 'checkov', 'trivy', 'grype',
+        // P1 security tools (Session 92)
+        'graphql-cop'
+      ],
       'Code Quality': ['pmd', 'checkstyle', 'spotbugs'],
       // SESSION 58: Added static performance analysis
       'Performance': ['performance'],  // PMD perf rules, memory patterns, complexity
-      'Architecture': ['jdepend'],  // SESSION 57 Part 5: JDepend for architecture analysis
-      'Dependencies': ['dependency-check']
+      // SESSION 57 Part 5 + Session 92: Architecture analysis
+      'Architecture': ['jdepend', 'spectral'],  // JDepend + API schema validation
+      'Dependencies': ['dependency-check', 'trivy', 'grype']  // Session 92: Added container scanners
     };
   }