fix: four audit findings (config wiring, stale analysis, agent output validation, vitest workspace)

[leap21ai]

Summary

Four independent fixes surfaced by an internal audit while running deepsec across multiple Convex/Hono products at Leap21. All four are quality-of-life issues that were either silently degrading scan accuracy or breaking type/test infrastructure.

1. Wire config intelligence end-to-end (CLI > config > legacy data > defaults)

Previously the deepsec.config.{ts,mjs} file was loaded but its values weren't always honored downstream — CLI flags always won, but plugin contracts and data-derived defaults could silently override config. Now precedence is explicit: CLI > config file > data dir defaults > built-in defaults.

2. Hash-change detection clears stale findings on re-scan

When a file's content hash changed between scans, prior findings for that file were kept in the index, producing zombie findings (line numbers wrong, snippets stale). The fix invalidates findings whose fileHash no longer matches the current file and re-runs the matcher pipeline on changed files.

3. Zod validation on agent output before persistence

The Claude/Codex SDK can occasionally return tool-call output that doesn't conform to the expected AgentFindingSchema (a structured-output edge case). Previously these silently corrupted the findings store. Now agent output is parsed through Zod at the boundary and rejected with a clear error if it fails to validate.

4. Root vitest.config.ts replaces deprecated bare-array workspace file

Vitest 4 deprecated the bare-array form of vitest.workspace.ts. The fix moves the workspace declaration into a root vitest.config.ts with test.projects and removes the deprecated file. Resolves a TypeScript build warning + a vitest 4.x deprecation log line.

Test plan

• pnpm -r build — typecheck clean across all packages
• pnpm test — 2104/2104 tests pass
• pnpm bundle — esbuild bundle clean
• Manual scan against an internal Convex app — config precedence behaves as documented
• Manual scan with file content modified between runs — stale findings correctly invalidated

Context

Authored while operating deepsec as the security gate for ParentSplit (a COPPA-regulated Convex+Expo product). The deprecated-vitest-workspace and stale-findings fixes were blocking our CI integration; the config-wiring and agent-output-validation fixes surfaced as scan-accuracy issues during a 90-day backtest.

Happy to split into separate PRs if preferred — all four changes are independent.

🤖 Generated with Claude Code

[vercel]

@treyanderson is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

Stale-file cleanup in RegexScannerDriver.scan() unconditionally destroys candidates, findings, and status for ALL file records not matched by the current scan's matchers, causing data loss when running with a subset of matchers (--matchers, config.matchers.only, or config.matchers.exclude).