owasp-aghast/aghast — reverse-engineered prompt
Build me a beta-quality command-line tool in TypeScript for custom application security scanning of source repos. I want something like AGHAST, where a team can define its own security checks in config, point them at one or more repositories, and run scans that combine AI analysis with normal static discovery.
It should support three modes: full repository AI review; targeted checks, where tools like Semgrep, OpenAnt, or existing SARIF findings identify code locations first and then AI reviews each one; and static-only checks with no AI. The results should be clean structured JSON and SARIF, with per-check status, issue counts, file paths, line numbers, descriptions, code snippets, and a final summary. If AI is used, make it work with an Anthropic key by default and also support OpenCode-style provider setup.
Please include sensible config files, example checks, docs for getting started and creating checks, cost tracking for scans, tests, and a smooth local developer setup on Node 20 or newer. Look up current docs online if you need to.