triage field missing from both `--format json` and `--format md-dir` exports

[diegofcornejo]

What happened

The triage field is correctly written to FileRecords by deepsec triage, but it's missing from the output of both deepsec export --format json and deepsec export --format md-dir. Findings that have been triaged appear in exports without their priority/exploitability/impact/reasoning data.

Reproduction

# Run a scan + process + triage cycle
pnpm deepsec scan
pnpm deepsec process --project-id my-app
pnpm deepsec triage --project-id my-app

# Confirm triage IS in the FileRecord
FILE=$(find data/my-app/files -name "*.json" -exec grep -l '"triage"' {} \; | head -1)
cat "$FILE" | python3 -m json.tool | grep -A 6 '"triage"'

Output (FileRecord has the field, fully populated):

"triage": {
  "priority": "P0",
  "exploitability": "trivial",
  "impact": "high",
  "reasoning": "External attacker crafts ...",
  "triagedAt": "2026-05-07T12:45:23.759Z",
  "model": "claude-sonnet-4-6"
}

JSON export

pnpm deepsec export --format json --out findings.json

python3 -c "
import json
data = json.load(open('findings.json'))
triaged = sum(1 for f in data if f.get('metadata', {}).get('triage'))
print(f'Findings with triage in JSON export: {triaged} / {len(data)}')
"

Output:

Findings with triage in JSON export: 0 / 126

md-dir export

pnpm deepsec export --format md-dir --out ./findings

# The triage timestamp would be a unique marker if the field were exported
grep -r "triagedAt" ./findings/ | wc -l

Output:

0

The markdown files contain the agent's reasoning text (which can incidentally include words like "exploitability" within prose), but no structured triage metadata: no priority, no exploitability rating, no impact rating, no triage reasoning, no triagedAt. The markdown shape is the same as before triage existed.

Expected vs actual

Expected: Both export formats should surface the triage data when present:

• JSON export: include metadata.triage with the full object as stored in the FileRecord (priority, exploitability, impact, reasoning, triagedAt, model).
• md-dir export: surface the same fields in the markdown output — frontmatter or a dedicated section, whichever fits the existing template.

Actual: The field is not included in either export. Consumers of the JSON or md-dir output (issue trackers, dashboards, ticket generators, custom integrations) currently need to read the FileRecords directly to access triage data.

Environment

• deepsec version: 2.0.3
• Node version: v24.14.1
• OS: macOS
• Agent backend: claude-agent-sdk
• Triage model: claude-sonnet-4-6 (default)

Logs

No errors. Both exports complete normally.

Suggested fix

Both exporters should propagate metadata.triage (matching the shape stored in the FileRecord) when present.

Looking at docs/architecture.md, the pipeline is documented as scan → process → revalidate → enrich → export. Adding triage to that diagram and ensuring enrich/export propagate the field would close this gap consistently across both formats.