ZeroDay is an autonomous AI agent that closes the gap between CVE detection and CVE remediation. A critical vulnerability drops. Every scanner in the organization flags it. Then someone still has to read the code, decide whether the vulnerability is actually exploitable in this codebase, write the fix, test it, and ship the pull request. ZeroDay does that work autonomously in roughly 42 seconds.

The user provides two inputs: a GitHub repository URL and a CVE identifier. The agent then runs a six-stage pipeline:

1. Fetch the advisory from the National Vulnerability Database and normalize the affected packages and version ranges.
2. Scan the repository across nine languages (Python, JavaScript, TypeScript, Go, Ruby, Java, Rust, PHP, C#) to identify vulnerable dependencies and the source files that import them.
3. Reachability analysis, the differentiator: a hybrid syntactic plus language-model analyzer decides whether the vulnerable function is actually reachable in this codebase, distinguishing a dependency that merely sits on disk from one that is called at runtime.
4. Generate the patch as a unified diff; the strategy decision (version bump versus code fix) is made automatically and the alternatives are documented.
5. Predict test outcomes by reasoning about the patch against the existing test files. This is a prediction rather than a test run, so a favorable result here does not replace executing the suite before merge.
6. Write the pull request: a Conventional Commits title, a Markdown description with vulnerability details and patch strategy, a stakeholder summary for non-engineers, a rollback plan, and a merge checklist.

The output is a copy-ready artifact a developer can paste straight into GitHub. The frontend streams stage progress to the user in real time via Server-Sent Events, and every claim ZeroDay makes is sourced and explainable. The hackathon scope is documented honestly against the production roadmap inside the codebase, because security buyers do not trust pitches that oversell. Built solo in 48 hours. Deployed live and working.
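The core of stages two and three (match the pinned dependency against the advisory's version range, then decide whether the vulnerable function is imported and actually called) can be shown in a few dozen lines for the Python case. The block below is an added example written for this page, not ZeroDay's own code; it assumes the advisory has already been normalized to a distribution name, an import name, a vulnerable function and a version range, and the requirements file and source files are constructed inline. The `pyyaml`/`yaml.load` advisory and its version bounds are illustrative, not taken from any real advisory.

```python
"""Dependency-range match plus AST call-site reachability for Python.

Added example for this page (not the project's own code).  Advisory data,
requirements.txt and the three source files are constructed inline so the
check runs offline; the version bounds are hypothetical.
"""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str       # distribution name as written in requirements.txt
    module: str        # import name, which often differs from the package name
    function: str      # vulnerable function inside that module
    introduced: tuple  # inclusive lower bound of the affected range
    fixed: tuple       # exclusive upper bound (first fixed version)


def parse_version(text):
    """'5.3.1' -> (5, 3, 1); short versions are zero-padded for tuple compare."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def pinned_versions(requirements_text):
    """Map distribution name -> version for '==' pins only.  A range pin such
    as 'pyyaml>=5.3' says nothing definite about what is installed, so it is
    deliberately left out rather than guessed."""
    pins = {}
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


def is_affected(advisory, version):
    return advisory.introduced <= version < advisory.fixed


class CallFinder(ast.NodeVisitor):
    """Record whether the module is imported and on which lines the vulnerable
    function is called, following `import x as y` and `from x import f as g`."""

    def __init__(self, module, function):
        self.module, self.function = module, function
        self.module_aliases = set()    # names bound to the module object
        self.function_aliases = set()  # names bound directly to the function
        self.imported = False
        self.call_lines = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == self.module:
                self.imported = True
                self.module_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == self.module:
            self.imported = True
            for alias in node.names:
                if alias.name == self.function:
                    self.function_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Name) and f.id in self.function_aliases:
            self.call_lines.append(node.lineno)
        elif (isinstance(f, ast.Attribute) and f.attr == self.function
              and isinstance(f.value, ast.Name)
              and f.value.id in self.module_aliases):
            self.call_lines.append(node.lineno)
        self.generic_visit(node)


def analyze(advisory, requirements_text, sources):
    """Return the installed version, whether it is in range, per-file
    import/call evidence, and the combined reachability verdict."""
    version = pinned_versions(requirements_text).get(advisory.package.lower())
    result = {
        "installed": version,
        "affected": version is not None and is_affected(advisory, version),
        "files": {},
    }
    for path, code in sources.items():
        finder = CallFinder(advisory.module, advisory.function)
        finder.visit(ast.parse(code, filename=path))
        result["files"][path] = {"imports": finder.imported, "calls": finder.call_lines}
    # "On disk" is the affected flag; "reachable" additionally needs a call site.
    result["reachable"] = result["affected"] and any(
        f["calls"] for f in result["files"].values())
    return result


# Constructed inputs (hypothetical advisory bounds, not a real CVE record).
ADVISORY = Advisory(package="pyyaml", module="yaml", function="load",
                    introduced=(0, 0, 0), fixed=(5, 4, 0))
REQUIREMENTS = "pyyaml==5.3.1\nrequests==2.25.1\n"
SOURCES = {
    # imports the module but only uses the safe API: on disk, not reachable
    "app/config.py": "import yaml\n\ndef load_cfg(path):\n    with open(path) as fh:\n        return yaml.safe_load(fh)\n",
    # aliased import with a real call site: reachable
    "app/legacy.py": "import yaml as y\n\ndef parse(blob):\n    return y.load(blob)\n",
    # imports the vulnerable function but never calls it
    "app/unused.py": "from yaml import load as unsafe_load\n\nSENTINEL = None\n",
}

if __name__ == "__main__":
    verdict = analyze(ADVISORY, REQUIREMENTS, SOURCES)
    for path, evidence in verdict["files"].items():
        print(f"{path}: imports={evidence['imports']} calls={evidence['calls']}")
    print("affected:", verdict["affected"], "reachable:", verdict["reachable"])
```

Two design points carry over to a real pipeline: a range pin is reported as unknown rather than assumed safe, and "imported" and "called" are kept as separate evidence so the PR description can cite the exact line that makes the dependency reachable.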