Part of #306. This is the real work — it replaces MCP as the agent integration path.
Today scanning is config-file-driven: init writes agesec.toml, then ci reads it. An agent must do two steps with hidden disk state. Replace with a direct one-shot command.
Target UX (finalize in design)
Open design questions
- Output format: JSON lines vs single JSON doc vs both behind a flag
- Does
scan need the FastAPI app, or call fuzzer.scan_router() directly via lib.SecurityScanner (preferred — fully standalone)
- Minimal spec an agent must pass (llmSpec only? + datasets?)
Done when
- An agent runs a full scan with a single CLI command, no server, no config file, and parses results from stdout.
Part of #306. This is the real work — it replaces MCP as the agent integration path.
Today scanning is config-file-driven:
initwritesagesec.toml, thencireads it. An agent must do two steps with hidden disk state. Replace with a direct one-shot command.Target UX (finalize in design)
agentic_security scan --spec <file|->— stateless, noagesec.tomlrequired; spec from arg, file, or stdinci: keepcifor config workflows, addscanfor ad-hoc/agent useOpen design questions
scanneed the FastAPIapp, or callfuzzer.scan_router()directly vialib.SecurityScanner(preferred — fully standalone)Done when