feat: readme as context

app/api/analyze/prompt.txt

@@ -57,6 +57,11 @@ Sensitive files found: {{sensitiveFiles}}
 Config files found: {{configFiles}}
 Agent instruction files found: {{agentInstructionFiles}}
 
+README (for understanding what the project does):
+{{readme}}
+
+Use the README to understand the project's purpose, architecture, and what services it connects to. This should inform which findings are plausible. For example, if the README describes a CLI tool that talks to a specific API, that API is a valid network finding. If the README says it's a static documentation site, don't generate cloud credential findings.
+
 Respond with ONLY valid JSON (no markdown, no code fences, no explanation):
 {
   "riskScore": <number 0-100>,

app/api/analyze/route.ts

@@ -10,7 +10,7 @@ const CACHE_TTL = 1000 * 60 * 60 * 24 // 24 hours
 
 export async function POST(req: NextRequest) {
   try {
-    const { owner, repo, files, stack, dependencies, sensitiveFiles, configFiles, agentInstructionFiles } = await req.json()
+    const { owner, repo, files, stack, dependencies, sensitiveFiles, configFiles, agentInstructionFiles, readme } = await req.json()
     const baseUrl = process.env.SHARED_LLM_BASE_URL
     const apiKey = process.env.SHARED_LLM_API_KEY
 
@@ -34,6 +34,7 @@ export async function POST(req: NextRequest) {
       .replace('{{sensitiveFiles}}', sensitiveFiles.join(', ') || 'None')
       .replace('{{configFiles}}', configFiles.join(', ') || 'None')
       .replace('{{agentInstructionFiles}}', (agentInstructionFiles || []).join(', ') || 'None')
+      .replace('{{readme}}', (readme || '').slice(0, 8000) || 'No README found')
 
     let endpoint = baseUrl.replace(/\/+$/, '')
     endpoint = endpoint.replace(/\/v1$/, '')