Entry Points & API
vega-core exposes three product-facing operations through src/api/. These
are the only functions vega-backend should call into this package. All other
internal types and classes are implementation details.
Service wiring
Before calling any entrypoint, the caller must wire up the core services once per process. There are two wiring paths:
Option A — environment-driven (production)
from api import configure_core_runtime
configure_core_runtime(
config=None, # defaults to RuntimeConfig.from_env()
event_sink=my_sink, # callable(CoreEvent) -> None
cancellation_token=tok, # CancellationToken | None
)
configure_core_runtime builds all services from environment variables (see
Configuration) and stores them globally. You can also pass
an explicit RuntimeConfig object.
Option B — explicit injection (testing / custom runtimes)
from api import configure_core_services
configure_core_services(
event_bus=bus,
artifact_store=store,
cancellation=cancellation_manager,
agent_runner=runner,
plugin_resolver=resolver,
triage=triage_service,
policy=policy, # RunPolicy | None
stages=None, # custom stage map | None
)
Call reset_core_services() between test cases to clear the global state.
Entrypoints
All three entrypoints are exported from api/__init__.py:
from api import plan_repo, run_scan, verify_and_patch
plan_repo(request: PlanRequest) -> CoreResult
Reads a source snapshot, generates a component plan, and stores a vega.plan
artifact.
@dataclass(frozen=True)
class PlanRequest:
repo_id: str
source_snapshot: ArtifactRef # reference to uploaded source archive
include_paths: tuple[str, ...] = ()
policy: RunPolicy = field(default_factory=RunPolicy)
metadata: Mapping[str, Any] = field(default_factory=dict)
The result CoreResult.artifacts["plan"] is the ArtifactRef to store and
pass back with future scan requests.
Stage sequence: [PLAN]
Transition: PlanTransition
run_scan(request: ScanRequest) -> CoreResult
Selects a plugin, runs threat modeling and auditing, and delivers raw findings to the shared triage service.
@dataclass(frozen=True)
class ScanRequest:
repo_id: str
scan_id: str
source_snapshot: ArtifactRef
plan_artifact: ArtifactRef
intent: ScanIntent = field(default_factory=ScanIntent)
execution: ScanExecution = field(default_factory=ScanExecution)
policy: RunPolicy = field(default_factory=RunPolicy)
metadata: Mapping[str, Any] = field(default_factory=dict)
ScanIntent — what to look for
ScanDepth = Literal["quick", "standard", "deep"]
@dataclass(frozen=True)
class ScanIntent:
include_paths: tuple[str, ...] = () # path scope (empty = whole repo)
bug_classes: tuple[str, ...] = () # bug class ids to focus on
depth: ScanDepth = "standard"
variant_context: str | None = None # for variant_analysis audit strategy
ScanExecution — how to run it
AuditResumePolicy = Literal["fresh", "skip_completed"]
@dataclass(frozen=True)
class ScanExecution:
threat_model_strategy: str = "codex_direct"
# "codex_direct" | "llm_bug_class_selection" | "default"
audit_strategy: str = "default"
# "default" | "variant_analysis"
threat_model_artifact: ArtifactRef | None = None
# pass a cached threat model to skip the threat-model stage
audit_resume_artifact: ArtifactRef | None = None
# pass a vega.audit_component_state to resume a previous audit
audit_resume_policy: AuditResumePolicy = "fresh"
assigned_component_ids: tuple[str, ...] = ()
# restrict audit to these component ids (sharding)
audit_shard_id: str | None = None
Threat model caching
When execution.threat_model_artifact is set, the orchestrator validates the
cached threat model's fingerprint against the current source, plan, plugin,
policy, prompt template, and strategy. A valid cache skips the threat-model
stage entirely. A stale cache fails the scan with stale_threat_model_cache.
Audit resume
When execution.audit_resume_artifact is set with
audit_resume_policy="skip_completed", the audit stage loads the saved
vega.audit_component_state, skips completed components, and preserves their
findings.
PR review mode
PR review context is passed as metadata["pr_review"] — a JSON object with
PR number, title, URL, base/head refs, changed files, and unified diff patch.
AuditStage renders a dedicated review-focus prompt block from this metadata.
Domain plugins are selected independently and still contribute their normal
sections.
Stage sequence: [PLAN, THREAT_MODEL, AUDIT] when no plan_artifact is
provided; [THREAT_MODEL, AUDIT] when plan_artifact is provided; [AUDIT]
when a valid cached threat model is supplied.
Transition: ScanTransition
Result: CoreResult.data["deduplicated_bugs"] contains triage output; raw
findings are also in CoreResult.data["raw_findings"].
verify_and_patch(request: VerificationRequest) -> CoreResult
Verifies deduplicated bugs and produces patch artifacts.
@dataclass(frozen=True)
class VerificationRequest:
repo_id: str
verification_id: str
deduplicated_bugs: tuple[Mapping[str, Any], ...]
source_snapshot: ArtifactRef
plan_artifact: ArtifactRef | None = None
policy: RunPolicy = field(default_factory=RunPolicy)
metadata: Mapping[str, Any] = field(default_factory=dict)
Pass the deduplicated_bugs from a previous run_scan result (or from the
backend's persisted bug records). The selected plugin id/version from the
original scan should be carried in metadata["plugin_id"] and
metadata["plugin_version"] so the verify/patch stages use consistent plugin
behavior without re-resolving.
Stage sequence: [VERIFY, PATCH]
Transition: VerifyPatchTransition
Result: CoreResult.artifacts["patch"] is the vega.remediation_results
artifact ref.
CoreResult
All three entrypoints return:
@dataclass(frozen=True)
class CoreResult:
status: StageStatus # "completed" | "cancelled" | "failed"
run_id: str
artifacts: Mapping[str, ArtifactRef] = field(default_factory=dict)
data: Mapping[str, Any] = field(default_factory=dict)
error: StageError | None = None
Check result.status first. If status == "failed", inspect result.error
for code, message, and retryable.
ArtifactRef
All artifact inputs and outputs use typed references:
@dataclass(frozen=True)
class ArtifactRef:
uri: str # "file:///..." or "s3://bucket/key"
kind: str # artifact_kind string (e.g. "vega.plan")
content_type: str # MIME type
metadata: Mapping[str, Any] = field(default_factory=dict)
Refs are opaque to the caller — store them in the database and pass them back to vega-core. Do not construct URIs manually.
Example: full scan flow
from api import configure_core_runtime, plan_repo, run_scan, verify_and_patch
from api.requests import (
PlanRequest, ScanRequest, ScanIntent, ScanExecution, VerificationRequest
)
from artifacts.refs import ArtifactRef
from framework.policy import RunPolicy
configure_core_runtime(event_sink=my_event_sink)
# 1. Plan the repository (done once per snapshot)
plan_result = plan_repo(PlanRequest(
repo_id="repo_abc",
source_snapshot=source_ref,
))
plan_ref = plan_result.artifacts["plan"]
# 2. Scan
scan_result = run_scan(ScanRequest(
repo_id="repo_abc",
scan_id="scan_xyz",
source_snapshot=source_ref,
plan_artifact=plan_ref,
intent=ScanIntent(depth="standard"),
execution=ScanExecution(threat_model_strategy="codex_direct"),
))
bugs = scan_result.data.get("deduplicated_bugs", ())
# 3. Verify and patch
patch_result = verify_and_patch(VerificationRequest(
repo_id="repo_abc",
verification_id="verify_xyz",
deduplicated_bugs=tuple(bugs),
source_snapshot=source_ref,
plan_artifact=plan_ref,
metadata={"plugin_id": scan_result.data.get("selected_plugin_id")},
))
patch_ref = patch_result.artifacts.get("patch")