feat(cli): Add skills

.github/workflows/release-cli.yaml

@@ -169,8 +169,29 @@ jobs:
           mkdir -p lib/rules
           tar -xzf /tmp/opentaint-rules.tar.gz -C lib/rules
 
+          cp internal/globals/versions.yaml lib/.versions
+          if [ ! -f lib/.versions ]; then
+            echo "::error::lib/.versions was not created; the bundled release would ship without a version marker" >&2
+            exit 1
+          fi
+
           echo "Bundled artifacts:"
           ls -la lib/
+      -
+        name: Set up JDK for test-util jar
+        if: ${{ steps.release_version.outputs.status == 'succeeded' }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '21'
+      -
+        name: Build and embed test-util jar
+        if: ${{ steps.release_version.outputs.status == 'succeeded' }}
+        run: |
+          set -euo pipefail
+          (cd core && ./gradlew :opentaint-sast-test-util:jar)
+          (cd cli && go generate ./...)
+          cp core/opentaint-sast-test-util/build/libs/opentaint-sast-test-util.jar cli/lib/
       -
         name: Run GoReleaser
         if: ${{ steps.release_version.outputs.status == 'succeeded' }}

.gitignore

@@ -24,6 +24,8 @@ config.local.*
 
 **/.gradle
 **/build
+/install/
+core/**/bin/
 
 # Ignore all hidden files and directories
 .*

Makefile

@@ -0,0 +1,70 @@
+MAKE ?= make
+GRADLEW := $(CURDIR)/core/gradlew
+INSTALL ?= install
+
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+LIBDIR ?= $(PREFIX)/lib
+
+CORE_DIR := core
+CLI_DIR := cli
+
+CLI_BINARY_NAME := opentaint
+CLI_DEV_BINARY_NAME := opentaint-dev
+ANALYZER_TASK := :projectAnalyzerJar
+AUTOBUILDER_TASK := opentaint-jvm-autobuilder:projectAutoBuilderJar
+TEST_UTIL_TASK := :opentaint-sast-test-util:jar
+
+ANALYZER_JAR := $(CORE_DIR)/build/libs/opentaint-project-analyzer.jar
+AUTOBUILDER_JAR := $(CORE_DIR)/opentaint-jvm-autobuilder/build/libs/opentaint-project-auto-builder.jar
+TEST_UTIL_JAR := $(CORE_DIR)/opentaint-sast-test-util/build/libs/opentaint-sast-test-util.jar
+RULES_SRC := rules/ruleset
+INSTALLED_ANALYZER_JAR := $(LIBDIR)/$(notdir $(ANALYZER_JAR))
+INSTALLED_AUTOBUILDER_JAR := $(LIBDIR)/$(notdir $(AUTOBUILDER_JAR))
+INSTALLED_RULES_DIR := $(LIBDIR)/rules
+INSTALLED_CLI_BINARY := $(BINDIR)/$(CLI_BINARY_NAME)
+INSTALLED_DEV_BINARY := $(BINDIR)/$(CLI_DEV_BINARY_NAME)
+
+.PHONY: all core projectAnalyzerJar core/autobuilder core/opentaint-sast-test-util cli install clean
+
+all: core cli
+
+core:
+	cd $(CORE_DIR) && $(GRADLEW) $(ANALYZER_TASK) $(AUTOBUILDER_TASK) $(TEST_UTIL_TASK)
+
+projectAnalyzerJar:
+	cd $(CORE_DIR) && $(GRADLEW) $(ANALYZER_TASK)
+
+core/autobuilder:
+	cd $(CORE_DIR) && $(GRADLEW) $(AUTOBUILDER_TASK)
+
+core/opentaint-sast-test-util:
+	cd $(CORE_DIR) && $(GRADLEW) $(TEST_UTIL_TASK)
+
+cli: core/opentaint-sast-test-util
+	$(MAKE) -C $(CLI_DIR) build
+
+install: core
+	mkdir -p $(BINDIR) $(LIBDIR)
+	$(MAKE) -C $(CLI_DIR) install PREFIX=$(PREFIX) BINDIR=$(abspath $(BINDIR))
+	$(INSTALL) -m 0644 $(ANALYZER_JAR) $(INSTALLED_ANALYZER_JAR)
+	$(INSTALL) -m 0644 $(AUTOBUILDER_JAR) $(INSTALLED_AUTOBUILDER_JAR)
+	$(INSTALL) -m 0644 $(TEST_UTIL_JAR) $(LIBDIR)/$(notdir $(TEST_UTIL_JAR))
+	rm -rf $(INSTALLED_RULES_DIR)
+	mkdir -p $(INSTALLED_RULES_DIR)
+	cp -R $(RULES_SRC)/. $(INSTALLED_RULES_DIR)/
+	printf '%s\n' \
+		'#!/bin/sh' \
+		'set -eu' \
+		'if command -v realpath >/dev/null 2>&1; then SELF=$$(realpath "$$0"); else SELF=$$0; fi' \
+		'BIN_DIR=$$(CDPATH= cd -- "$$(dirname -- "$$SELF")" && pwd -P)' \
+		'PREFIX_DIR=$$(CDPATH= cd -- "$$BIN_DIR/.." && pwd)' \
+		'LIB_DIR="$$PREFIX_DIR/lib"' \
+		'exec "$$BIN_DIR/$(CLI_BINARY_NAME)" --experimental --analyzer-jar "$$LIB_DIR/$(notdir $(ANALYZER_JAR))" --autobuilder-jar "$$LIB_DIR/$(notdir $(AUTOBUILDER_JAR))" "$$@"' \
+		> $(INSTALLED_DEV_BINARY)
+	chmod 0755 $(INSTALLED_DEV_BINARY)
+	$(INSTALLED_CLI_BINARY) pull
+
+clean:
+	$(MAKE) -C $(CLI_DIR) clean
+	cd $(CORE_DIR) && $(GRADLEW) clean

README.md

@@ -125,6 +125,16 @@ brew install --cask seqra/tap/opentaint
 irm https://opentaint.org/install.ps1 | iex
 ```
 
+**Install via npm (Linux/macOS/Windows):**
+```bash
+npm install -g @seqra/opentaint
+```
+
+**Or run instantly with npx — no install required (needs Node.js):**
+```bash
+npx @seqra/opentaint scan
+```
+
 **Scan your project:**
 ```bash
 opentaint scan
@@ -141,6 +151,24 @@ For more options, see [Installation](docs/README.md#installation) and [Usage](do
 
 ---
 
+## AI Agent Workflows
+
+OpenTaint includes agent skills that turn static analysis into an end-to-end application-security workflow. Install them with:
+
+```bash
+npx skills add https://github.com/seqra/opentaint
+```
+
+The `appsec-agent` skill orchestrates a full project assessment: build the project, run OpenTaint, discover the attack surface, add targeted rules, model missing library data flows, triage findings, and optionally generate dynamic proof-of-concept checks for confirmed vulnerabilities.
+
+Included skills cover the common security-analysis loop:
+
+- **Scan and triage:** `build-project`, `run-scan`, `analyze-findings`, `generate-poc`
+- **Coverage expansion:** `triage-dependencies`, `discover-attack-surface`, `create-test-project`, `create-rule`, `assemble-lib-rules`
+- **Dataflow modeling:** `analyze-external-methods`, `create-pass-through-approximation`, `create-dataflow-approximation`, `debug-rule`, `report-analyzer-issue`
+
+---
+
 ## Documentation
 
 Full guides — installation, usage, configuration, CI/CD integration: **[Documentation](docs/README.md)**.

cli/.gitignore

@@ -3,7 +3,7 @@ bin/
 !npm/bin/
 dist/
 dist-npm/
-lib/
+/lib/
 /opentaint
 
 # Operating system files

cli/Makefile

@@ -0,0 +1,27 @@
+GO ?= go
+
+BINARY_NAME ?= opentaint
+BUILD_DIR ?= bin
+BINARY_PATH := $(BUILD_DIR)/$(BINARY_NAME)
+
+PREFIX ?= /usr/local
+BINDIR ?= $(PREFIX)/bin
+INSTALL_GOBIN := $(abspath $(BINDIR))
+
+.PHONY: all generate build install clean
+
+all: build
+
+generate:
+	$(GO) generate ./...
+
+build: generate
+	mkdir -p $(BUILD_DIR)
+	$(GO) build -o $(BINARY_PATH) .
+
+install: build
+	mkdir -p $(INSTALL_GOBIN)
+	install -m 0755 $(BINARY_PATH) $(INSTALL_GOBIN)/$(BINARY_NAME)
+
+clean:
+	rm -f $(BINARY_PATH)

cli/cmd/analyzer_inputs.go

@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"github.com/seqra/opentaint/internal/utils/log"
+)
+
+func addDataflowApproximations(b *AnalyzerBuilder, paths []string, analyzerJarPath, projectModelDir string) {
+	for _, approxPath := range paths {
+		absApproxPath := log.AbsPathOrExit(approxPath, "dataflow-approximations")
+		compiledPath, err := compileApproximationsIfNeeded(absApproxPath, analyzerJarPath, projectModelDir)
+		if err != nil {
+			out.Fatalf("Approximation compilation failed: %s", err)
+		}
+		b.AddDataflowApproximations(compiledPath)
+	}
+}
+
+func addPassthroughApproximations(b *AnalyzerBuilder, paths []string) {
+	for _, passthrough := range paths {
+		b.AddPassthroughApproximations(log.AbsPathOrExit(passthrough, "passthrough-approximations"))
+	}
+}

cli/cmd/artifacts.go

@@ -4,8 +4,36 @@ import (
 	"errors"
 	"fmt"
 	"os"
+
+	"github.com/seqra/opentaint/internal/globals"
+	"github.com/seqra/opentaint/internal/utils"
 )
 
+func ensureArtifactJar(def globals.ArtifactDef) (string, error) {
+	path, err := utils.ResolveJarPath(def)
+	if err != nil {
+		return "", fmt.Errorf("failed to construct path to the %s: %w", def.Kind(), err)
+	}
+	if def.Override != "" {
+		return path, nil
+	}
+
+	if err := ensureArtifactAvailable(def.Kind(), def.Version, path, func() error {
+		return utils.DownloadGithubReleaseAsset(globals.Config.Owner, globals.Config.Repo, def.Version, def.AssetName, path, globals.Config.Github.Token, globals.Config.SkipVerify, out)
+	}); err != nil {
+		return "", err
+	}
+	return path, nil
+}
+
+func ensureAnalyzerAvailable() (string, error) {
+	return ensureArtifactJar(globals.ArtifactByKind("analyzer"))
+}
+
+func ensureAutobuilderAvailable() (string, error) {
+	return ensureArtifactJar(globals.ArtifactByKind("autobuilder"))
+}
+
 func ensureArtifactAvailable(name, version, artifactPath string, download func() error) error {
 	if _, err := os.Stat(artifactPath); err == nil {
 		return nil

cli/cmd/command_builder.go

@@ -42,26 +42,28 @@ func NewAutobuilderBuilder() *AutobuilderBuilder {
 
 type AnalyzerBuilder struct {
 	*BaseCommandBuilder
-	projectPath                string
-	outputDir                  string
-	sarifFileName              string
-	sarifCodeFlowLimit         int64
-	sarifToolVersion           string
-	sarifToolSemanticVersion   string
-	sarifUriBase               string
-	semgrepCompatibility       bool
-	partialFingerprints        bool
-	ifdsAnalysisTimeout        int64
-	severities                 []string
-	ruleSetPaths               []string
-	ruleLoadTracePath          string
-	jarPath                    string
-	maxMemory                  string
-	ruleIDs                    []string
-	approximationsConfig       []string
-	dataflowApproximations     []string
-	trackExternalMethods       bool
-	debugFactReachabilitySarif bool
+	projectPath                           string
+	outputDir                             string
+	sarifFileName                         string
+	sarifCodeFlowLimit                    int64
+	sarifToolVersion                      string
+	sarifToolSemanticVersion              string
+	sarifUriBase                          string
+	semgrepCompatibility                  bool
+	partialFingerprints                   bool
+	ifdsAnalysisTimeout                   int64
+	severities                            []string
+	ruleSetPaths                          []string
+	ruleLoadTracePath                     string
+	jarPath                               string
+	maxMemory                             string
+	ruleIDs                               []string
+	passthroughApproximations             []string
+	dataflowApproximations                []string
+	trackExternalMethods                  bool
+	debugFactReachabilitySarif            bool
+	runRuleTests                          bool
+	debugRunAnalysisOnSelectedEntryPoints string
 }
 
 func (a *AnalyzerBuilder) SetProject(projectPath string) *AnalyzerBuilder {
@@ -144,8 +146,8 @@ func (a *AnalyzerBuilder) AddRuleID(ruleID string) *AnalyzerBuilder {
 	return a
 }
 
-func (a *AnalyzerBuilder) AddApproximationsConfig(configPath string) *AnalyzerBuilder {
-	a.approximationsConfig = append(a.approximationsConfig, configPath)
+func (a *AnalyzerBuilder) AddPassthroughApproximations(path string) *AnalyzerBuilder {
+	a.passthroughApproximations = append(a.passthroughApproximations, path)
 	return a
 }
 
@@ -164,6 +166,16 @@ func (a *AnalyzerBuilder) EnableDebugFactReachabilitySarif() *AnalyzerBuilder {
 	return a
 }
 
+func (a *AnalyzerBuilder) SetDebugRunAnalysisOnSelectedEntryPoints(entryPoints string) *AnalyzerBuilder {
+	a.debugRunAnalysisOnSelectedEntryPoints = entryPoints
+	return a
+}
+
+func (a *AnalyzerBuilder) EnableRunRuleTests() *AnalyzerBuilder {
+	a.runRuleTests = true
+	return a
+}
+
 func (a *AnalyzerBuilder) BuildNativeCommand() []string {
 	// For native execution, create a temporary logs directory
 	tempLogsDir, err := os.MkdirTemp("", "opentaint-*")
@@ -237,8 +249,8 @@ func (a *AnalyzerBuilder) BuildNativeCommand() []string {
 		flags = append(flags, "--semgrep-rule-id", ruleID)
 	}
 
-	for _, configPath := range a.approximationsConfig {
-		flags = append(flags, "--approximations-config", configPath)
+	for _, passthrough := range a.passthroughApproximations {
+		flags = append(flags, "--passthrough-approximations", passthrough)
 	}
 
 	for _, approxPath := range a.dataflowApproximations {
@@ -253,6 +265,14 @@ func (a *AnalyzerBuilder) BuildNativeCommand() []string {
 		flags = append(flags, "--debug-fact-reachability-sarif")
 	}
 
+	if a.debugRunAnalysisOnSelectedEntryPoints != "" {
+		flags = append(flags, "--debug-run-analysis-on-selected-entry-points", a.debugRunAnalysisOnSelectedEntryPoints)
+	}
+
+	if a.runRuleTests {
+		flags = append(flags, "--debug-run-rule-tests")
+	}
+
 	return append(command, flags...)
 }
 

cli/cmd/compile.go

@@ -73,7 +73,7 @@ Arguments:
 		}
 		sb.FieldNode("Project", absProjectRoot).
 			FieldNode("Output project model", absOutputProjectModelPath).
-			FieldNode("Autobuilder", utils.ArtifactDisplayVersion(globals.ArtifactByKind("autobuilder"), globals.Config.Autobuilder.JarPath)).
+			FieldNode("Autobuilder", utils.ArtifactVersionWithPath(globals.ArtifactByKind("autobuilder"))).
 			Render()
 
 		if DryRunCompile {
@@ -88,11 +88,7 @@ Arguments:
 			out.Fatalf("Native compile preparation failed: %s", err)
 		}
 
-		compileJavaRunner := java.NewJavaRunner().
-			WithSkipVerify(globals.Config.SkipVerify).
-			WithDebugOutput(out.DebugStream("Autobuilder")).
-			TrySystem().
-			TrySpecificVersion(globals.Config.Java.Version)
+		compileJavaRunner := newAutobuilderJavaRunner()
 		if _, err := compileJavaRunner.EnsureJava(); err != nil {
 			out.Fatalf("Failed to resolve Java for compilation: %s", err)
 		}
@@ -119,25 +115,6 @@ func init() {
 	compileCmd.Flags().StringVar(&CompileLogFile, "log-file", "", "Path to the log file (default: <cache-dir>/logs/<timestamp>.log)")
 }
 
-func ensureAutobuilderAvailable() (string, error) {
-	if globals.Config.Autobuilder.JarPath != "" {
-		return globals.Config.Autobuilder.JarPath, nil
-	}
-
-	autobuilderJarPath, err := utils.GetAutobuilderJarPath(globals.Config.Autobuilder.Version)
-	if err != nil {
-		return "", fmt.Errorf("failed to construct path to the autobuilder: %w", err)
-	}
-
-	if err = ensureArtifactAvailable("autobuilder", globals.Config.Autobuilder.Version, autobuilderJarPath, func() error {
-		return utils.DownloadGithubReleaseAsset(globals.Config.Owner, globals.Config.Repo, globals.Config.Autobuilder.Version, globals.AutobuilderAssetName, autobuilderJarPath, globals.Config.Github.Token, globals.Config.SkipVerify, out)
-	}); err != nil {
-		return "", err
-	}
-
-	return autobuilderJarPath, nil
-}
-
 func compile(absProjectRoot, absOutputProjectModelPath, autobuilderJarPath string, javaRunner java.JavaRunner) error {
 	if err := validation.ValidateCompileInputs(absProjectRoot, absOutputProjectModelPath); err != nil {
 		return err