Namespace finding kinds with 'capability_echo.' prefix (agent-gov-core@v0.2.0)

dist/detectors/dockerfile-capability.js

@@ -16,7 +16,7 @@ function detectRemoteAdd(added) {
     }
     return [
         {
-            kind: 'dockerfile_remote_add',
+            kind: 'capability_echo.dockerfile_remote_add',
             surface: 'container',
             severity: 'high',
             file: added.file,
@@ -33,7 +33,7 @@ function detectPipeToShell(added) {
     }
     return [
         {
-            kind: 'dockerfile_pipe_to_shell',
+            kind: 'capability_echo.dockerfile_pipe_to_shell',
             surface: 'container',
             severity: 'critical',
             file: added.file,

dist/detectors/js-capability.js

@@ -53,7 +53,7 @@ function detectFetch(added, testFile) {
     }
     return [
         {
-            kind: 'external_fetch_added',
+            kind: 'capability_echo.external_fetch_added',
             surface: 'source',
             severity: testFile ? 'low' : 'medium',
             file: added.file,
@@ -71,7 +71,7 @@ function detectSecretExfil(added, testFile, secretVariables) {
     }
     return [
         {
-            kind: 'source_secret_exfil_pattern',
+            kind: 'capability_echo.source_secret_exfil_pattern',
             surface: 'source',
             severity: testFile ? 'medium' : 'high',
             file: added.file,
@@ -101,7 +101,7 @@ function detectSubprocess(added, testFile) {
     }
     return [
         {
-            kind: 'subprocess_spawn_added',
+            kind: 'capability_echo.subprocess_spawn_added',
             surface: 'source',
             severity: testFile ? 'low' : 'high',
             file: added.file,
@@ -118,7 +118,7 @@ function detectDynamicEval(added, testFile) {
     }
     return [
         {
-            kind: 'dynamic_eval_added',
+            kind: 'capability_echo.dynamic_eval_added',
             surface: 'source',
             severity: testFile ? 'medium' : 'critical',
             file: added.file,

dist/detectors/package-deps.js

@@ -50,7 +50,7 @@ function compareDeps(file, oldText, newText) {
         }
         if (HIGH_CAPABILITY_DEPS.has(name)) {
             findings.push({
-                kind: 'high_capability_dep_added',
+                kind: 'capability_echo.high_capability_dep_added',
                 surface: 'package',
                 severity: 'high',
                 file,
@@ -63,7 +63,7 @@ function compareDeps(file, oldText, newText) {
         }
         if (TELEMETRY_DEPS.has(name)) {
             findings.push({
-                kind: 'telemetry_dep_added',
+                kind: 'capability_echo.telemetry_dep_added',
                 surface: 'package',
                 severity: 'medium',
                 file,

dist/detectors/package-scripts.js

@@ -67,7 +67,7 @@ function compareScripts(file, oldScripts, newScripts, newText) {
         }
         const line = lineOfJsonKey(newText, key) ?? lineOfJsonStringValue(newText, newValue);
         findings.push({
-            kind: 'lifecycle_script_added',
+            kind: 'capability_echo.lifecycle_script_added',
             surface: 'package',
             severity: 'high',
             file,
@@ -95,7 +95,7 @@ function analyzeScriptContent(file, key, script, newText) {
     const line = lineOfJsonStringValue(newText, script) ?? lineOfJsonKey(newText, key);
     if (/(?:curl[^\n|]*\|\s*(?:ba)?sh|wget[^\n|]*\|\s*sh|Invoke-Expression|iex\s*\()/i.test(script)) {
         findings.push({
-            kind: 'script_pipe_to_shell',
+            kind: 'capability_echo.script_pipe_to_shell',
             surface: 'package',
             severity: 'critical',
             file,
@@ -107,7 +107,7 @@ function analyzeScriptContent(file, key, script, newText) {
     }
     if (/\b(curl|wget|npm publish)\b/i.test(script) || /\bnpx\b(?![^\s]*@\d+\.\d+\.\d+)/i.test(script)) {
         findings.push({
-            kind: 'script_network_command',
+            kind: 'capability_echo.script_network_command',
             surface: 'package',
             severity: 'medium',
             file,

dist/detectors/py-capability.js

@@ -63,7 +63,7 @@ function detectPyNetwork(added, testFile) {
     }
     return [
         {
-            kind: 'external_fetch_added',
+            kind: 'capability_echo.external_fetch_added',
             surface: 'source',
             severity: testFile ? 'low' : 'medium',
             file: added.file,
@@ -81,7 +81,7 @@ function detectPySecretExfil(added, testFile, secretVariables) {
     }
     return [
         {
-            kind: 'source_secret_exfil_pattern',
+            kind: 'capability_echo.source_secret_exfil_pattern',
             surface: 'source',
             severity: testFile ? 'medium' : 'high',
             file: added.file,
@@ -115,7 +115,7 @@ function detectPySubprocess(added, testFile) {
     }
     return [
         {
-            kind: 'subprocess_spawn_added',
+            kind: 'capability_echo.subprocess_spawn_added',
             surface: 'source',
             severity: testFile ? 'low' : 'high',
             file: added.file,
@@ -136,7 +136,7 @@ function detectPyDynamicExec(added, testFile) {
     }
     return [
         {
-            kind: 'dynamic_eval_added',
+            kind: 'capability_echo.dynamic_eval_added',
             surface: 'source',
             severity: testFile ? 'medium' : 'critical',
             file: added.file,
@@ -157,7 +157,7 @@ function detectPyUnsafeDeserialize(added, testFile) {
     }
     return [
         {
-            kind: 'unsafe_deserialize_added',
+            kind: 'capability_echo.unsafe_deserialize_added',
             surface: 'source',
             severity: testFile ? 'medium' : 'critical',
             file: added.file,

dist/detectors/shell-capability.js

@@ -16,7 +16,7 @@ function detectPipeToShell(added) {
     }
     return [
         {
-            kind: 'shell_pipe_to_shell',
+            kind: 'capability_echo.shell_pipe_to_shell',
             surface: 'source',
             severity: 'critical',
             file: added.file,
@@ -33,7 +33,7 @@ function detectExternalDownload(added) {
     }
     return [
         {
-            kind: 'shell_external_download',
+            kind: 'capability_echo.shell_external_download',
             surface: 'source',
             severity: 'medium',
             file: added.file,

dist/detectors/workflow-permissions.js

@@ -60,7 +60,7 @@ function detectWritePermissions(added) {
     if (githubTokenWritePermissionPattern.test(content)) {
         return [
             {
-                kind: 'workflow_permission_write',
+                kind: 'capability_echo.workflow_permission_write',
                 surface: 'workflow',
                 severity: 'high',
                 file: added.file,
@@ -74,7 +74,7 @@ function detectWritePermissions(added) {
     if (/^\s*permissions\s*:\s*(?:write|write-all|admin)\b/i.test(content)) {
         return [
             {
-                kind: 'workflow_permission_write',
+                kind: 'capability_echo.workflow_permission_write',
                 surface: 'workflow',
                 severity: 'high',
                 file: added.file,
@@ -93,7 +93,7 @@ function detectPullRequestTarget(added) {
     }
     return [
         {
-            kind: 'workflow_pull_request_target',
+            kind: 'capability_echo.workflow_pull_request_target',
             surface: 'workflow',
             severity: 'high',
             file: added.file,
@@ -110,7 +110,7 @@ function detectPullRequestHeadCheckoutOnTarget(added, hasPullRequestTarget) {
     }
     return [
         {
-            kind: 'workflow_pr_head_checkout_on_target',
+            kind: 'capability_echo.workflow_pr_head_checkout_on_target',
             surface: 'workflow',
             severity: 'high',
             file: added.file,
@@ -137,7 +137,7 @@ function detectSelfHostedRunner(added) {
     }
     return [
         {
-            kind: 'workflow_self_hosted_runner',
+            kind: 'capability_echo.workflow_self_hosted_runner',
             surface: 'workflow',
             severity: 'high',
             file: added.file,
@@ -163,7 +163,7 @@ function detectMutableActionRef(added) {
     }
     return [
         {
-            kind: 'workflow_mutable_action_ref',
+            kind: 'capability_echo.workflow_mutable_action_ref',
             surface: 'workflow',
             severity: 'medium',
             file: added.file,
@@ -189,7 +189,7 @@ function detectExternalCurl(added) {
     }
     return [
         {
-            kind: 'workflow_external_curl',
+            kind: 'capability_echo.workflow_external_curl',
             surface: 'workflow',
             severity: 'medium',
             file: added.file,
@@ -206,7 +206,7 @@ function detectSecretsInherit(added) {
     }
     return [
         {
-            kind: 'workflow_secrets_inherit',
+            kind: 'capability_echo.workflow_secrets_inherit',
             surface: 'workflow',
             severity: 'high',
             file: added.file,
@@ -228,7 +228,7 @@ function detectSecretExfil(added, secretEnvVars) {
     }
     return [
         {
-            kind: 'workflow_secret_exfil_pattern',
+            kind: 'capability_echo.workflow_secret_exfil_pattern',
             surface: 'workflow',
             severity: 'high',
             file: added.file,
@@ -251,7 +251,7 @@ function detectDockerHostControl(added) {
     const content = added.content;
     if (/\/var\/run\/docker\.sock(?::\/var\/run\/docker\.sock)?/i.test(content)) {
         findings.push({
-            kind: 'workflow_docker_socket_mount',
+            kind: 'capability_echo.workflow_docker_socket_mount',
             surface: 'workflow',
             severity: 'critical',
             file: added.file,
@@ -263,7 +263,7 @@ function detectDockerHostControl(added) {
     }
     if (/\bdocker\s+run\b.*\s--privileged(?:\s|$)/i.test(content)) {
         findings.push({
-            kind: 'workflow_privileged_container',
+            kind: 'capability_echo.workflow_privileged_container',
             surface: 'workflow',
             severity: 'high',
             file: added.file,

dist/report.js

@@ -14,30 +14,30 @@ const severityRank = {
     critical: 4
 };
 const SUMMARY_LABELS = {
-    external_fetch_added: 'external network fetch calls',
-    source_secret_exfil_pattern: 'source secret exfiltration patterns',
-    subprocess_spawn_added: 'subprocess or shell spawn calls',
-    dynamic_eval_added: 'dynamic code execution',
-    shell_pipe_to_shell: 'shell pipe-to-shell downloads',
-    shell_external_download: 'shell external downloads',
-    dockerfile_remote_add: 'Dockerfile remote ADD instructions',
-    dockerfile_pipe_to_shell: 'Dockerfile pipe-to-shell builds',
-    workflow_permission_write: 'GitHub Actions write permissions',
-    workflow_pull_request_target: 'GitHub Actions pull_request_target triggers',
-    workflow_pr_head_checkout_on_target: 'GitHub Actions PR-head checkout under pull_request_target',
-    workflow_self_hosted_runner: 'GitHub Actions self-hosted runners',
-    workflow_mutable_action_ref: 'GitHub Actions mutable action references',
-    workflow_secrets_inherit: 'GitHub Actions inherited secrets',
-    workflow_external_curl: 'workflow external network requests',
-    workflow_secret_exfil_pattern: 'workflow secret exfiltration patterns',
-    workflow_docker_socket_mount: 'workflow Docker socket mounts',
-    workflow_privileged_container: 'workflow privileged containers',
-    lifecycle_script_added: 'npm lifecycle scripts',
-    script_pipe_to_shell: 'pipe-to-shell install scripts',
-    script_network_command: 'network or publish npm scripts',
-    high_capability_dep_added: 'high-capability dependency additions',
-    telemetry_dep_added: 'telemetry dependency additions',
-    unsafe_deserialize_added: 'unsafe deserialization'
+    'capability_echo.external_fetch_added': 'external network fetch calls',
+    'capability_echo.source_secret_exfil_pattern': 'source secret exfiltration patterns',
+    'capability_echo.subprocess_spawn_added': 'subprocess or shell spawn calls',
+    'capability_echo.dynamic_eval_added': 'dynamic code execution',
+    'capability_echo.shell_pipe_to_shell': 'shell pipe-to-shell downloads',
+    'capability_echo.shell_external_download': 'shell external downloads',
+    'capability_echo.dockerfile_remote_add': 'Dockerfile remote ADD instructions',
+    'capability_echo.dockerfile_pipe_to_shell': 'Dockerfile pipe-to-shell builds',
+    'capability_echo.workflow_permission_write': 'GitHub Actions write permissions',
+    'capability_echo.workflow_pull_request_target': 'GitHub Actions pull_request_target triggers',
+    'capability_echo.workflow_pr_head_checkout_on_target': 'GitHub Actions PR-head checkout under pull_request_target',
+    'capability_echo.workflow_self_hosted_runner': 'GitHub Actions self-hosted runners',
+    'capability_echo.workflow_mutable_action_ref': 'GitHub Actions mutable action references',
+    'capability_echo.workflow_secrets_inherit': 'GitHub Actions inherited secrets',
+    'capability_echo.workflow_external_curl': 'workflow external network requests',
+    'capability_echo.workflow_secret_exfil_pattern': 'workflow secret exfiltration patterns',
+    'capability_echo.workflow_docker_socket_mount': 'workflow Docker socket mounts',
+    'capability_echo.workflow_privileged_container': 'workflow privileged containers',
+    'capability_echo.lifecycle_script_added': 'npm lifecycle scripts',
+    'capability_echo.script_pipe_to_shell': 'pipe-to-shell install scripts',
+    'capability_echo.script_network_command': 'network or publish npm scripts',
+    'capability_echo.high_capability_dep_added': 'high-capability dependency additions',
+    'capability_echo.telemetry_dep_added': 'telemetry dependency additions',
+    'capability_echo.unsafe_deserialize_added': 'unsafe deserialization'
 };
 export function createReport(findings, context) {
     return {

package.json

@@ -12,7 +12,7 @@
     "test": "node --test test/*.test.mjs"
   },
   "dependencies": {
-    "agent-gov-core": "github:Conalh/agent-gov-core#v0.1.2"
+    "agent-gov-core": "github:Conalh/agent-gov-core#v0.2.0"
   },
   "devDependencies": {
     "@types/node": "^24.0.0",

src/detectors/dockerfile-capability.ts

@@ -23,7 +23,7 @@ function detectRemoteAdd(added: AddedLine): Finding[] {
 
   return [
     {
-      kind: 'dockerfile_remote_add',
+      kind: 'capability_echo.dockerfile_remote_add',
       surface: 'container',
       severity: 'high',
       file: added.file,
@@ -42,7 +42,7 @@ function detectPipeToShell(added: AddedLine): Finding[] {
 
   return [
     {
-      kind: 'dockerfile_pipe_to_shell',
+      kind: 'capability_echo.dockerfile_pipe_to_shell',
       surface: 'container',
       severity: 'critical',
       file: added.file,

src/detectors/js-capability.ts

@@ -71,7 +71,7 @@ function detectFetch(added: AddedLine, testFile: boolean): Finding[] {
 
   return [
     {
-      kind: 'external_fetch_added',
+      kind: 'capability_echo.external_fetch_added',
       surface: 'source',
       severity: testFile ? 'low' : 'medium',
       file: added.file,
@@ -93,7 +93,7 @@ function detectSecretExfil(added: AddedLine, testFile: boolean, secretVariables:
 
   return [
     {
-      kind: 'source_secret_exfil_pattern',
+      kind: 'capability_echo.source_secret_exfil_pattern',
       surface: 'source',
       severity: testFile ? 'medium' : 'high',
       file: added.file,
@@ -133,7 +133,7 @@ function detectSubprocess(added: AddedLine, testFile: boolean): Finding[] {
 
   return [
     {
-      kind: 'subprocess_spawn_added',
+      kind: 'capability_echo.subprocess_spawn_added',
       surface: 'source',
       severity: testFile ? 'low' : 'high',
       file: added.file,
@@ -152,7 +152,7 @@ function detectDynamicEval(added: AddedLine, testFile: boolean): Finding[] {
 
   return [
     {
-      kind: 'dynamic_eval_added',
+      kind: 'capability_echo.dynamic_eval_added',
       surface: 'source',
       severity: testFile ? 'medium' : 'critical',
       file: added.file,