fix: add required utils and audit docs (db_connection, retry_policies)

- scripts/utils/db_connection.py, retry_policies.py: required by audit_monitor, feedback_tracker, dast_scanner, threat_intel_enricher, supply_chain_analyzer, run_ai_audit
- docs: CODE_REVIEW_STILL_LEFT.md, CONFIG_REFERENCE.md, V3_CONTINUOUS_SECURITY_MODULES.md, ADR 0004
- tests: unit tests for agent_chain_discovery, app_context_builder, autofix_pr_generator, findings_store

Made-with: Cursor

Author: devatsecure

docs/CODE_REVIEW_STILL_LEFT.md

@@ -0,0 +1,84 @@
+# Code Review — What’s Still Left
+
+**Date:** March 2026  
+**Context:** Follow-up to the audit fixes (path traversal, Ruff, test robustness, docs). This document lists **remaining** items: not yet done, or optional improvements.
+
+---
+
+## Already fixed (no action needed)
+
+- **Path traversal in AutoFix** — `_apply_fix()` validates `file_path` via `validate_path_safe()`; empty and out-of-project paths rejected.
+- **Ruff** — Lint and format applied across `scripts/`.
+- **Fixtures doc** — `tests/fixtures/README.md`; test_remediation_fixes_apply_cleanly.py docstring states that `subprocess.run(cmd, shell=True)` appears only in fixture/file content and is never executed by the test runner.
+- **Production security** — No `shell=True` with user input in production; parameterized SQL; `yaml.safe_load()` in production code.
+- **validate_path_safe** — Uses `os.path.commonpath()` for portability (e.g. Windows). advanced_suppression optional `project_root` validation added.
+- **Config reference** — `docs/CONFIG_REFERENCE.md` lists 47+ config keys and env vars.
+- **v3 summary** — `docs/V3_CONTINUOUS_SECURITY_MODULES.md` and CLAUDE.md link diff scope, findings store, app context, autofix.
+- **ADR v3** — `docs/adrs/0004-v3-continuous-security.md`.
+- **HybridSecurityAnalyzer** — Scanner/feature loading extracted to `_load_scanners_and_features()`.
+- **run_ai_audit** — `_run_single_path_audit()` and `_run_multi_agent_audit()` extracted; `run_audit()` delegates to them.
+- **Shared SQLite helper** — `scripts/utils/db_connection.py`; audit_monitor and feedback_tracker use `with db_connection(...)` throughout.
+- **Shared retry policies** — `scripts/utils/retry_policies.py`; run_ai_audit, threat_intel_enricher, dast_scanner, supply_chain_analyzer use them.
+- **Scanner runner harness** — `run_scanner_guarded()` in `scripts/hybrid/scanner_runners.py`; run_semgrep, run_trivy, run_checkov, run_api_security, run_supply_chain, run_fuzzing, run_runtime_security, run_regression_testing, run_dast, run_gitleaks all use it. run_threat_intel and run_remediation are enrichment-style (return original list on exception) and can stay as-is or use a variant harness.
+- **Fixture comments** — conftest and test_phase1_integration: short comments/docstrings state that fixture content written to disk is vulnerable-by-design for scanners only and must not be executed with untrusted input.
+- **advanced_suppression config_path** — Optional `project_root` validation: when set, `config_path` is validated against project root via `validate_path_safe`; on failure a warning is logged and a safe default is used.
+- **Unit tests** — test_autofix_pr_generator.py, test_agent_chain_discovery.py, test_findings_store.py, test_app_context_builder.py added.
+
+---
+
+## 1. Security (optional)
+
+### 1.1 Test and fixture code
+
+- **test_remediation_fixes_apply_cleanly.py** — The `subprocess.run(cmd, shell=True)` occurrences are inside **string literals** (fixture content / file content for scanners). The test runner never executes subprocess with shell=True. Docstring updated; no code change required.
+- **conftest / test_phase1** — Done: comments/docstrings added that fixture content written to disk is vulnerable-by-design for scanners only and must not be executed with untrusted input.
+- **advanced_suppression** — Done: optional `project_root` validation for `config_path` when set from config.
+
+---
+
+## 2. Architecture and code quality (remaining)
+
+### 2.1 Done
+
+- Scanner loader in hybrid_analyzer (`_load_scanners_and_features`).
+- run_audit split (`_run_single_path_audit`, `_run_multi_agent_audit`).
+- Shared db_connection and retry_policies.
+- Scanner runner harness (`run_scanner_guarded`); run_semgrep, run_trivy, run_checkov, run_api_security, run_supply_chain, run_fuzzing, run_runtime_security, run_regression_testing, run_dast, run_gitleaks all migrated. run_threat_intel and run_remediation are enrichment-style and optionally can use a variant that returns the original list on exception.
+
+### 2.2 Still optional
+
+- **Large-file splits** — run_ai_audit, supply_chain_analyzer, audit_monitor, etc. remain single large files. Splitting by feature/phase is long-term (> 5 days).
+- **Enrichment runners** — run_threat_intel and run_remediation could use a guarded variant that returns the original findings list on exception (optional).
+
+---
+
+## 3. Testing
+
+- **autofix_pr_generator** — `tests/unit/test_autofix_pr_generator.py` (path validation, mocked git).
+- **agent_chain_discovery** — `tests/unit/test_agent_chain_discovery.py` (mocked LLM).
+- **FindingsStore** — `tests/unit/test_findings_store.py` (edge cases: empty scan, get_finding missing, fingerprint).
+- **AppContextBuilder** — `tests/unit/test_app_context_builder.py` (empty dir, to_prompt_context, nonexistent path).
+
+---
+
+## 4. Summary table
+
+| Category              | Done | Still left |
+|-----------------------|------|------------|
+| **Security (critical)** | Path traversal, path validation, fixture comments, advanced_suppression config_path | — |
+| **Security (production)** | Subprocess, SQL, YAML OK | — |
+| **Architecture**      | Scanner loader, run_audit split, db_connection, retry_policies, scanner harness | Large-file splits (long-term) |
+| **Config / v3 docs**  | CONFIG_REFERENCE, v3 summary, ADR 0004 | — |
+| **Tests**             | autofix, agent_chain, FindingsStore, AppContextBuilder | — |
+| **Maintainability**   | ADR v3, shared SQLite, retry policies | — |
+
+---
+
+## References
+
+- [CODE_AUDIT_REPORT.md](CODE_AUDIT_REPORT.md) — Full audit and action plan  
+- [CODE_REVIEW_FINDINGS.md](CODE_REVIEW_FINDINGS.md) — Security-focused review  
+- [CLAUDE.md](../CLAUDE.md) — Project overview  
+- [CONFIG_REFERENCE.md](CONFIG_REFERENCE.md) — Config keys and env vars  
+- [V3_CONTINUOUS_SECURITY_MODULES.md](V3_CONTINUOUS_SECURITY_MODULES.md) — v3 module summary  
+- [adrs/0004-v3-continuous-security.md](adrs/0004-v3-continuous-security.md) — ADR v3  

docs/CONFIG_REFERENCE.md

@@ -0,0 +1,157 @@
+# Config Reference
+
+All configuration keys and their defaults. Override via **profile YAML**, **.argus.yml**, **environment variables**, or **CLI**. Precedence: defaults < profile < .argus.yml < env < CLI.
+
+Source: `scripts/config_loader.get_default_config()` and `_ENV_MAPPINGS`.
+
+---
+
+## AI
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| ai_provider | auto | AI_PROVIDER, INPUT_AI_PROVIDER |
+| model | auto | MODEL, INPUT_MODEL |
+| multi_agent_mode | single | MULTI_AGENT_MODE, INPUT_MULTI_AGENT_MODE |
+| anthropic_api_key | "" | ANTHROPIC_API_KEY |
+| openai_api_key | "" | OPENAI_API_KEY |
+| ollama_endpoint | "" | OLLAMA_ENDPOINT |
+
+## Scanners
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_semgrep | true | ENABLE_SEMGREP, SEMGREP_ENABLED |
+| enable_trivy | true | ENABLE_TRIVY |
+| enable_checkov | true | ENABLE_CHECKOV |
+| enable_api_security | true | ENABLE_API_SECURITY |
+| enable_dast | false | ENABLE_DAST |
+| enable_supply_chain | true | ENABLE_SUPPLY_CHAIN |
+| enable_fuzzing | false | ENABLE_FUZZING |
+| enable_threat_intel | true | ENABLE_THREAT_INTEL |
+| enable_remediation | true | ENABLE_REMEDIATION |
+| enable_runtime_security | false | ENABLE_RUNTIME_SECURITY |
+| enable_regression_testing | true | ENABLE_REGRESSION_TESTING |
+| enable_gitleaks | true | ENABLE_GITLEAKS |
+| enable_nuclei_templates | true | ENABLE_NUCLEI_TEMPLATES |
+| enable_zap_baseline | false | ENABLE_ZAP_BASELINE |
+
+## DAST (orchestrator)
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| dast_target_url | "" | DAST_TARGET_URL |
+| dast_auth_config_path | "" | DAST_AUTH_CONFIG_PATH |
+| dast_enable_nuclei | true | DAST_ENABLE_NUCLEI |
+| dast_enable_zap | true | DAST_ENABLE_ZAP |
+| dast_max_duration | 900 | DAST_MAX_DURATION |
+| dast_parallel_agents | true | DAST_PARALLEL_AGENTS |
+
+## Feature toggles
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_multi_agent | true | ENABLE_MULTI_AGENT, INPUT_ENABLE_MULTI_AGENT |
+| enable_spontaneous_discovery | true | ENABLE_SPONTANEOUS_DISCOVERY |
+| enable_collaborative_reasoning | false | ENABLE_COLLABORATIVE_REASONING |
+| enable_ai_enrichment | true | ENABLE_AI_ENRICHMENT |
+| enable_threat_modeling | true | ENABLE_THREAT_MODELING |
+| enable_sandbox_validation | true | ENABLE_SANDBOX_VALIDATION |
+| enable_heuristics | true | ENABLE_HEURISTICS |
+| enable_consensus | true | ENABLE_CONSENSUS |
+| enable_iris | true | ENABLE_IRIS |
+| enable_proof_by_exploitation | false | ENABLE_PROOF_BY_EXPLOITATION |
+| max_exploit_attempts | 10 | MAX_EXPLOIT_ATTEMPTS |
+| enable_audit_trail | true | ENABLE_AUDIT_TRAIL |
+| audit_save_prompts | true | AUDIT_SAVE_PROMPTS |
+| enable_smart_retry | true | ENABLE_SMART_RETRY |
+| retry_max_attempts | 3 | RETRY_MAX_ATTEMPTS |
+| retry_billing_delay | 60 | RETRY_BILLING_DELAY |
+
+## Limits & files
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| max_files | 50 | MAX_FILES, INPUT_MAX_FILES |
+| max_file_size | 50000 | MAX_FILE_SIZE, INPUT_MAX_FILE_SIZE |
+| max_tokens | 8000 | MAX_TOKENS, INPUT_MAX_TOKENS |
+| cost_limit | 1.0 | COST_LIMIT, INPUT_COST_LIMIT |
+| only_changed | false | ONLY_CHANGED, INPUT_ONLY_CHANGED |
+| include_paths | "" | INCLUDE_PATHS, INPUT_INCLUDE_PATHS |
+| exclude_paths | .github/**,node_modules/**,... | EXCLUDE_PATHS, INPUT_EXCLUDE_PATHS |
+
+## Deep analysis
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| deep_analysis_mode | off | DEEP_ANALYSIS_MODE |
+| deep_analysis_max_files | 50 | DEEP_ANALYSIS_MAX_FILES, MAX_FILES_DEEP_ANALYSIS |
+| deep_analysis_timeout | 300 | DEEP_ANALYSIS_TIMEOUT |
+| deep_analysis_cost_ceiling | 5.0 | DEEP_ANALYSIS_COST_CEILING |
+
+## Phase gating & parallel
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_phase_gating | true | ENABLE_PHASE_GATING |
+| phase_gate_strict | false | PHASE_GATE_STRICT |
+| enable_parallel_agents | true | ENABLE_PARALLEL_AGENTS |
+| parallel_agent_workers | 3 | PARALLEL_AGENT_WORKERS |
+
+## Vulnerability enrichment & compliance
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_license_risk_scoring | true | ENABLE_LICENSE_RISK_SCORING |
+| enable_epss_scoring | true | ENABLE_EPSS_SCORING |
+| epss_cache_ttl_hours | 24 | EPSS_CACHE_TTL_HOURS |
+| enable_fix_version_tracking | true | ENABLE_FIX_VERSION_TRACKING |
+| enable_vex | true | ENABLE_VEX |
+| vex_paths | "" | VEX_PATHS |
+| vex_auto_discover_dir | .argus/vex | VEX_AUTO_DISCOVER_DIR |
+| enable_vuln_deduplication | true | ENABLE_VULN_DEDUPLICATION |
+| deduplication_strategy | auto | DEDUPLICATION_STRATEGY |
+| enable_advanced_suppression | true | ENABLE_ADVANCED_SUPPRESSION |
+| suppression_auto_expire_days | 90 | SUPPRESSION_AUTO_EXPIRE_DAYS |
+| enable_compliance_mapping | true | ENABLE_COMPLIANCE_MAPPING |
+| compliance_frameworks | "" | COMPLIANCE_FRAMEWORKS |
+
+## Continuous security (v3)
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_diff_scoping | true | ENABLE_DIFF_SCOPING |
+| diff_expand_impact_radius | true | DIFF_EXPAND_IMPACT_RADIUS |
+| enable_autofix_pr | false | ENABLE_AUTOFIX_PR |
+| autofix_confidence_threshold | high | AUTOFIX_CONFIDENCE_THRESHOLD |
+| autofix_max_prs_per_scan | 5 | AUTOFIX_MAX_PRS_PER_SCAN |
+| enable_findings_store | true | ENABLE_FINDINGS_STORE |
+| findings_db_path | .argus/findings.db | FINDINGS_DB_PATH |
+| inject_historical_context | true | INJECT_HISTORICAL_CONTEXT |
+| enable_agent_chain_discovery | false | ENABLE_AGENT_CHAIN_DISCOVERY |
+| enable_cross_component_analysis | true | ENABLE_CROSS_COMPONENT_ANALYSIS |
+| enable_app_context | true | ENABLE_APP_CONTEXT |
+| enable_live_validation | false | ENABLE_LIVE_VALIDATION |
+| live_validation_environment | staging | LIVE_VALIDATION_ENVIRONMENT |
+
+## Other
+
+| Key | Default | Env var(s) |
+|-----|---------|------------|
+| enable_mcp_server | false | ENABLE_MCP_SERVER |
+| enable_quality_filter | true | ENABLE_QUALITY_FILTER |
+| quality_filter_min_confidence | 0.30 | QUALITY_FILTER_MIN_CONFIDENCE |
+| review_type | audit | — |
+| project_type | auto | — |
+| fail_on | "" | FAIL_ON, INPUT_FAIL_ON |
+| agent_profile | default | — |
+| enable_temporal | false | ENABLE_TEMPORAL |
+| temporal_server | localhost:7233 | TEMPORAL_SERVER |
+| temporal_namespace | argus | TEMPORAL_NAMESPACE |
+| temporal_retry_mode | production | TEMPORAL_RETRY_MODE |
+| consensus_threshold | 0.5 | CONSENSUS_THRESHOLD |
+| exploitability_threshold | moderate | EXPLOITABILITY_THRESHOLD |
+| fuzzing_duration | 300 | FUZZING_DURATION |
+| runtime_monitoring_duration | 60 | RUNTIME_MONITORING_DURATION |
+
+For full env-to-key mapping and types, see `config_loader._ENV_MAPPINGS` and `build_unified_config()`.

docs/V3_CONTINUOUS_SECURITY_MODULES.md

@@ -0,0 +1,26 @@
+# Continuous Security (v3) — Module Summary
+
+One-place overview of v3 modules. For full architecture, see [CONTINUOUS_SECURITY_TESTING_GUIDE.md](CONTINUOUS_SECURITY_TESTING_GUIDE.md).
+
+---
+
+## Modules
+
+| Module | Script | Config toggles | Purpose |
+|--------|--------|----------------|---------|
+| **Diff-intelligent scoping** | `scripts/diff_impact_analyzer.py` | enable_diff_scoping, diff_expand_impact_radius | Scope scanners to changed files; expand blast radius (e.g. if auth middleware changed, scan all files that import it). |
+| **Persistent findings store** | `scripts/findings_store.py` | enable_findings_store, findings_db_path, inject_historical_context | SQLite-backed cross-scan store; regression detection; historical context into LLM prompts. |
+| **Application context** | `scripts/app_context_builder.py` | enable_app_context | Detect framework, auth, cloud, IaC; generate context string for LLM. |
+| **AutoFix PR generation** | `scripts/autofix_pr_generator.py` | enable_autofix_pr, autofix_confidence_threshold, autofix_max_prs_per_scan | Generate branches/PRs from remediation suggestions; path-validated file writes. |
+| **Agent chain discovery** | `scripts/agent_chain_discovery.py` | enable_agent_chain_discovery | LLM-powered multi-step attack chain discovery. |
+| **Cross-component analysis** | (in agent_chain_discovery) | enable_cross_component_analysis | Detect dangerous finding combinations across boundaries. |
+| **SAST-to-DAST validation** | `scripts/sast_dast_validator.py` | enable_live_validation, live_validation_environment | Validate SAST findings against live (staging) targets. |
+
+---
+
+## Quick links
+
+- [CONTINUOUS_SECURITY_TESTING_GUIDE.md](CONTINUOUS_SECURITY_TESTING_GUIDE.md) — Architecture and gap analysis  
+- [ADR-0004](adrs/0004-v3-continuous-security.md) — Decisions and trade-offs  
+- [.claude/rules/features.md](../.claude/rules/features.md) — Feature toggles and config keys  
+- [CONFIG_REFERENCE.md](CONFIG_REFERENCE.md) — All config keys and env vars

docs/adrs/0004-v3-continuous-security.md

@@ -0,0 +1,43 @@
+---
+title: ADR-0004 - v3 Continuous Security (Findings Store, Diff Scoping, App Context, AutoFix)
+status: Accepted
+date: 2026-03
+---
+
+# ADR-0004: v3 Continuous Security
+
+## Status
+
+**Accepted** | Date: 2026-03
+
+## Context
+
+Post–Phase 6 we need:
+
+- **Cross-scan intelligence** — Know what was fixed, what regressed, and feed history into triage.
+- **Efficient rescans** — Scope to changed code and blast radius instead of full repo every time.
+- **Context-aware triage** — LLM should know framework, auth, and deployment context.
+- **Closed-loop remediation** — Generate fix branches/PRs from suggestions with safety (path validation, no arbitrary writes).
+
+## Decision
+
+Introduce **v3 continuous security** modules, all opt-in or default-on with safe defaults:
+
+1. **Persistent findings store** — SQLite at `.argus/findings.db`; content-based fingerprinting; regression detection; optional historical context injection into Phase 2 prompts. Toggle: `enable_findings_store`, `inject_historical_context`.
+2. **Diff-intelligent scoping** — Classify changed files by security relevance; expand to dependents (e.g. callers of changed auth). Drive Semgrep/scan include paths. Toggles: `enable_diff_scoping`, `diff_expand_impact_radius`.
+3. **Application context builder** — Detect framework, auth, cloud, IaC; produce a context string for LLM. Toggle: `enable_app_context`.
+4. **AutoFix PR generator** — Create branches and apply fixes from remediation suggestions; **path validation** so `file_path` never escapes project root. Toggles: `enable_autofix_pr`, `autofix_confidence_threshold`, `autofix_max_prs_per_scan`.
+5. **Agent chain discovery** — LLM-powered attack chain discovery. Toggle: `enable_agent_chain_discovery` (opt-in, uses credits).
+6. **SAST-to-DAST live validation** — Optional validation against staging; never production by default. Toggles: `enable_live_validation`, `live_validation_environment`.
+
+## Consequences
+
+- **Positive:** Regression visibility, faster rescans, better triage, safe autofix, optional live validation.
+- **Operational:** SQLite and `.argus/` directory; config surface increases (see CONFIG_REFERENCE).
+- **Security:** Path validation in AutoFix and optional `project_root` in advanced_suppression; no execution of user-controlled paths without validation.
+
+## References
+
+- [CONTINUOUS_SECURITY_TESTING_GUIDE.md](../CONTINUOUS_SECURITY_TESTING_GUIDE.md)
+- [V3_CONTINUOUS_SECURITY_MODULES.md](../V3_CONTINUOUS_SECURITY_MODULES.md)
+- [CONFIG_REFERENCE.md](../CONFIG_REFERENCE.md)

scripts/utils/db_connection.py

@@ -0,0 +1,27 @@
+"""
+Shared SQLite connection helper for audit_monitor and feedback_tracker.
+Provides a context manager that opens a connection, yields (conn, cursor), commits on success, and closes.
+"""
+
+import sqlite3
+from contextlib import contextmanager
+from pathlib import Path
+from typing import Iterator
+
+
+@contextmanager
+def db_connection(db_path: str | Path) -> Iterator[tuple[sqlite3.Connection, sqlite3.Cursor]]:
+    """
+    Context manager for SQLite: connect, yield (conn, cursor), commit, then close.
+
+    Usage:
+        with db_connection(self.db_path) as (conn, cursor):
+            cursor.execute(...)
+    """
+    conn = sqlite3.connect(str(db_path))
+    try:
+        cursor = conn.cursor()
+        yield conn, cursor
+        conn.commit()
+    finally:
+        conn.close()

scripts/utils/retry_policies.py

@@ -0,0 +1,49 @@
+"""
+Shared tenacity retry policies for LLM, HTTP, and subprocess calls.
+Use these instead of defining retry logic inline for consistency and maintainability.
+"""
+
+import json
+import subprocess
+from tenacity import (
+    retry_if_exception_type,
+    stop_after_attempt,
+    wait_exponential,
+)
+
+# ---------------------------------------------------------------------------
+# LLM / API (Connection, Timeout)
+# ---------------------------------------------------------------------------
+
+LLM_RETRY_EXCEPTIONS = (ConnectionError, TimeoutError)
+LLM_STOP = stop_after_attempt(3)
+LLM_WAIT = wait_exponential(multiplier=1, min=4, max=10)
+LLM_RETRY = retry_if_exception_type(LLM_RETRY_EXCEPTIONS)
+
+# ---------------------------------------------------------------------------
+# HTTP / URL (URLError, HTTPError, ConnectionError, TimeoutError)
+# ---------------------------------------------------------------------------
+
+def get_http_retry_exceptions():
+    import urllib.error
+    return (urllib.error.URLError, urllib.error.HTTPError, ConnectionError, TimeoutError)
+
+HTTP_STOP = stop_after_attempt(3)
+HTTP_WAIT = wait_exponential(multiplier=1, min=2, max=60)
+
+def http_retry_if():
+    return retry_if_exception_type(get_http_retry_exceptions())
+
+# ---------------------------------------------------------------------------
+# Subprocess (SubprocessError, OSError, RuntimeError)
+# ---------------------------------------------------------------------------
+
+SUBPROCESS_RETRY_EXCEPTIONS = (subprocess.SubprocessError, OSError, RuntimeError)
+SUBPROCESS_STOP = stop_after_attempt(3)
+SUBPROCESS_WAIT = wait_exponential(multiplier=1, min=2, max=60)
+SUBPROCESS_RETRY = retry_if_exception_type(SUBPROCESS_RETRY_EXCEPTIONS)
+
+# Subprocess + JSON decode (e.g. supply chain scorecard)
+SUBPROCESS_JSON_RETRY = retry_if_exception_type(
+    (subprocess.SubprocessError, OSError, RuntimeError, json.JSONDecodeError)
+)