Finding shape

Every finding uses the same structure across CLI, Action, and MCP:

{
  contract: string;       // e.g. "access"
  severity: 'high' | 'medium' | 'low';
  entity: string;         // e.g. "user:usr_abc", "price:price_xyz"
  message: string;
  fix?: string;
}

Entity patterns

Pattern	Example
User	`user:usr_alice`
Stripe customer	`customer:cus_abc`
Price	`price:price_1ABC`
Migration file	`migration:migrations/unsafe/001.sql`
Env var	`env:STRIPE_WEBHOOK_SECRET`

Verdict aggregation

Findings	Verdict
Any `high`	`fail`
Only `medium` / `low`	`warn`
None	`pass`

Agent remediation

Use the fix field in agent prompts — it is written for automated remediation, not end-user display.

Entity patterns​

Verdict aggregation​

Agent remediation​

Entity patterns

Verdict aggregation

Agent remediation