@aegis-scan/core 0.16.5 → 0.17.0

package/dist/oversight/cia-scoring.d.ts

@@ -0,0 +1,56 @@
+/**
+ * CIA impact classification + threshold-breach escalation.
+ *
+ * Closes APTS-SC-001 (Impact Classification + CIA Scoring) +
+ * APTS-HO-012 (Impact Threshold Breach Escalation).
+ *
+ * Design notes:
+ *   - Each finding gets a `cia_vector` with three ordinal axes
+ *     (confidentiality, integrity, availability), each in
+ *     `none | low | medium | high`. Per-CWE default mappings map
+ *     OWASP/CWE classes to the impact axes most directly affected.
+ *   - Operators override per-finding via the existing suppression
+ *     pipeline (out-of-scope here — pipeline is in
+ *     `packages/core/src/suppression-filter.ts`).
+ *   - HO-012 reuses the same vector: when any axis ≥ threshold the
+ *     orchestrator halts pending operator approval.
+ */
+import type { CiaImpact, Finding } from '../types.js';
+/**
+ * Per-CWE default CIA mapping. Conservative: unmapped CWEs return
+ * `default-low` so the orchestrator never silently misses an issue.
+ */
+export declare const CWE_CIA_DEFAULTS: Readonly<Record<number, {
+    c: CiaImpact;
+    i: CiaImpact;
+    a: CiaImpact;
+}>>;
+/**
+ * Assign a CIA vector to a finding. Per-CWE default if mapped;
+ * otherwise fall back to severity-based default.
+ */
+export declare function assignCiaVector(f: Pick<Finding, 'cwe' | 'severity'>): {
+    c: CiaImpact;
+    i: CiaImpact;
+    a: CiaImpact;
+};
+export interface CiaThresholdEvaluation {
+    breach: boolean;
+    axes_breached: Array<'c' | 'i' | 'a'>;
+    rationale: string;
+    apts_refs: string[];
+}
+/**
+ * Evaluate a CIA vector against a threshold. Returns breach=true if
+ * ANY axis equals-or-exceeds the configured threshold for that axis.
+ */
+export declare function evaluateCiaThreshold(vector: {
+    c: CiaImpact;
+    i: CiaImpact;
+    a: CiaImpact;
+}, threshold: {
+    c?: CiaImpact;
+    i?: CiaImpact;
+    a?: CiaImpact;
+}): CiaThresholdEvaluation;
+//# sourceMappingURL=cia-scoring.d.ts.map

package/dist/oversight/cia-scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cia-scoring.d.ts","sourceRoot":"","sources":["../../src/oversight/cia-scoring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAEtD;;;GAGG;AACH,eAAO,MAAM,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE;IAAE,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAA;CAAE,CAAC,CAyClG,CAAC;AAWH;;;GAGG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,GAAG,UAAU,CAAC,GAAG;IAAE,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAA;CAAE,CAKlH;AASD,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,OAAO,CAAC;IAChB,aAAa,EAAE,KAAK,CAAC,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE;IAAE,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,EAAE,SAAS,CAAA;CAAE,EACpD,SAAS,EAAE;IAAE,CAAC,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,CAAC,EAAE,SAAS,CAAC;IAAC,CAAC,CAAC,EAAE,SAAS,CAAA;CAAE,GACzD,sBAAsB,CAsBxB"}

package/dist/oversight/cia-scoring.js

@@ -0,0 +1,98 @@
+/**
+ * Per-CWE default CIA mapping. Conservative: unmapped CWEs return
+ * `default-low` so the orchestrator never silently misses an issue.
+ */
+export const CWE_CIA_DEFAULTS = Object.freeze({
+    // SQL Injection — direct DB access, full triad impact
+    89: { c: 'high', i: 'high', a: 'medium' },
+    // Cross-Site Scripting — confidentiality (cookie/storage exfil) + integrity (DOM tamper)
+    79: { c: 'high', i: 'medium', a: 'low' },
+    // CSRF — operator-driven state change
+    352: { c: 'medium', i: 'high', a: 'medium' },
+    // Path Traversal — direct file-read + occasional write
+    22: { c: 'high', i: 'medium', a: 'medium' },
+    // OS Command Injection — full RCE class
+    78: { c: 'high', i: 'high', a: 'high' },
+    // SSRF — internal-network reach + downstream confidentiality
+    918: { c: 'high', i: 'medium', a: 'medium' },
+    // Hardcoded Credentials — confidentiality + integrity
+    798: { c: 'high', i: 'high', a: 'low' },
+    // Information Exposure / Sensitive Disclosure
+    200: { c: 'high', i: 'low', a: 'low' },
+    // XML External Entity (XXE) — file-read + DoS
+    611: { c: 'high', i: 'low', a: 'high' },
+    // Insecure Deserialization
+    502: { c: 'high', i: 'high', a: 'high' },
+    // Improper Authentication
+    287: { c: 'high', i: 'high', a: 'medium' },
+    // Improper Authorization
+    285: { c: 'high', i: 'high', a: 'low' },
+    // Privilege Escalation
+    269: { c: 'high', i: 'high', a: 'medium' },
+    // Open Redirect — phishing-class confidentiality
+    601: { c: 'medium', i: 'low', a: 'low' },
+    // Cryptographic Issues — confidentiality + integrity
+    327: { c: 'high', i: 'high', a: 'low' },
+    // Race Condition / TOCTOU
+    362: { c: 'medium', i: 'high', a: 'medium' },
+    // Resource Exhaustion / DoS
+    400: { c: 'low', i: 'low', a: 'high' },
+    // Improper Input Validation — generic
+    20: { c: 'medium', i: 'medium', a: 'low' },
+    // Use of Hardcoded Cryptographic Key
+    321: { c: 'high', i: 'high', a: 'low' },
+    // CRLF / HTTP Response Splitting
+    113: { c: 'medium', i: 'medium', a: 'low' },
+});
+const SEVERITY_TO_DEFAULT_CIA = Object.freeze({
+    blocker: { c: 'high', i: 'high', a: 'high' },
+    critical: { c: 'high', i: 'high', a: 'medium' },
+    high: { c: 'high', i: 'medium', a: 'low' },
+    medium: { c: 'medium', i: 'medium', a: 'low' },
+    low: { c: 'low', i: 'low', a: 'low' },
+    info: { c: 'low', i: 'low', a: 'none' },
+});
+/**
+ * Assign a CIA vector to a finding. Per-CWE default if mapped;
+ * otherwise fall back to severity-based default.
+ */
+export function assignCiaVector(f) {
+    if (f.cwe !== undefined && CWE_CIA_DEFAULTS[f.cwe]) {
+        return { ...CWE_CIA_DEFAULTS[f.cwe] };
+    }
+    return { ...SEVERITY_TO_DEFAULT_CIA[f.severity] };
+}
+const IMPACT_RANK = Object.freeze({
+    none: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+});
+/**
+ * Evaluate a CIA vector against a threshold. Returns breach=true if
+ * ANY axis equals-or-exceeds the configured threshold for that axis.
+ */
+export function evaluateCiaThreshold(vector, threshold) {
+    const breached = [];
+    for (const axis of ['c', 'i', 'a']) {
+        const t = threshold[axis];
+        if (t !== undefined && IMPACT_RANK[vector[axis]] >= IMPACT_RANK[t]) {
+            breached.push(axis);
+        }
+    }
+    if (breached.length === 0) {
+        return {
+            breach: false,
+            axes_breached: [],
+            rationale: 'CIA vector below all configured thresholds',
+            apts_refs: ['APTS-SC-001'],
+        };
+    }
+    return {
+        breach: true,
+        axes_breached: breached,
+        rationale: `CIA threshold breached on ${breached.join(', ')} axis (${breached.map((a) => `${a}=${vector[a]}`).join(', ')})`,
+        apts_refs: ['APTS-SC-001', 'APTS-HO-012'],
+    };
+}
+//# sourceMappingURL=cia-scoring.js.map

package/dist/oversight/cia-scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cia-scoring.js","sourceRoot":"","sources":["../../src/oversight/cia-scoring.ts"],"names":[],"mappings":"AAmBA;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2E,MAAM,CAAC,MAAM,CAAC;IACpH,sDAAsD;IACtD,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IACzC,yFAAyF;IACzF,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE;IACxC,sCAAsC;IACtC,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC5C,uDAAuD;IACvD,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC3C,wCAAwC;IACxC,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE;IACvC,6DAA6D;IAC7D,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC5C,sDAAsD;IACtD,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE;IACvC,8CAA8C;IAC9C,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE;IACtC,8CAA8C;IAC9C,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE;IACvC,2BAA2B;IAC3B,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE;IACxC,0BAA0B;IAC1B,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC1C,yBAAyB;IACzB,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE;IACvC,uBAAuB;IACvB,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC1C,iDAAiD;IACjD,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE;IACxC,qDAAqD;IACrD,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE;IACvC,0BAA0B;IAC1B,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC5C,4BAA4B;IAC5B,GAAG,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE;IACtC,sCAAsC;IACtC,EAAE,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE;IAC1C,qCAAqC;IACrC,GAAG,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE;IACvC,iCAAiC;IACjC,GAAG,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE;CAC5C,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAwF,MAAM,CAAC,MAAM,CAAC;IACjI,OAAO,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE;IAC5C,QAAQ,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE;IAC/C,IAAI,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE;IAC1C,MAAM,EAAE,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE;IAC9C,GAAG,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE;IACrC,IAAI,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE;CACxC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,CAAoC;IAClE,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IACxC,CAAC;IACD,OAAO,EAAE,GAAG,uBAAuB,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,WAAW,GAAwC,MAAM,CAAC,MAAM,CAAC;IACrE,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;CACR,CAAC,CAAC;AASH;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAoD,EACpD,SAA0D;IAE1D,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAU,EAAE,CAAC;QAC5C,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,SAAS,IAAI,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,MAAM,EAAE,KAAK;YACb,aAAa,EAAE,EAAE;YACjB,SAAS,EAAE,4CAA4C;YACvD,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,aAAa,EAAE,QAAQ;QACvB,SAAS,EAAE,6BAA6B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QAC3H,SAAS,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;KAC1C,CAAC;AACJ,CAAC"}

package/dist/oversight/escalation.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Unexpected-finding + confidence-based + compliance-trigger escalation.
+ *
+ * Closes APTS-HO-011 (Unexpected Findings Escalation Framework) +
+ * APTS-HO-013 (Confidence-Based Escalation) +
+ * APTS-HO-014 (Legal/Compliance Escalation Triggers).
+ *
+ * Design notes:
+ *   - HO-011: when a finding's severity ≥ a configurable escalation
+ *     threshold, return a halt-pending decision so the orchestrator
+ *     emits a critical-finding event with stop_action `halt` and
+ *     surfaces the finding for operator review.
+ *   - HO-013: when finding.confidence === 'low', return a pause
+ *     decision so operators can verify before continuing — extends
+ *     the post-hoc `[LOW-CONFIDENCE]` PR badge to in-engagement.
+ *   - HO-014: scan finding text for regulatory class markers
+ *     (PII, PCI, PHI, GDPR, HIPAA) supplied by the operator's RoE.
+ *     `on_match` is `halt` (default) or `notify`.
+ */
+import type { Finding, Severity } from '../types.js';
+export interface SeverityEscalationConfig {
+    /** Severity at which escalation fires. Default 'high'. */
+    threshold?: Severity;
+}
+export interface EscalationDecision {
+    escalate: boolean;
+    /** Action: 'halt' for halt-pending-approval, 'notify' for soft notify, 'continue' for no-op. */
+    action: 'halt' | 'notify' | 'continue';
+    reason: string;
+    apts_refs: string[];
+}
+/**
+ * HO-011 — escalate findings whose severity meets or exceeds threshold.
+ */
+export declare function escalateOnSeverity(finding: Pick<Finding, 'severity' | 'id'>, config?: SeverityEscalationConfig): EscalationDecision;
+export interface ConfidencePauseConfig {
+    /** When true, pause-on-low fires. Default false (operator opt-in). */
+    pause_on_low?: boolean;
+}
+/**
+ * HO-013 — pause when finding.confidence === 'low' and the operator
+ * has opted into pause_on_low. Otherwise emit a notify (soft) for the
+ * audit trail.
+ */
+export declare function escalateOnConfidence(finding: Pick<Finding, 'confidence' | 'id'>, config?: ConfidencePauseConfig): EscalationDecision;
+export interface ComplianceTriggerConfig {
+    /** Regulatory class markers operators want flagged. */
+    regulatory_class: string[];
+    /** Action on match. Default `halt`. */
+    on_match?: 'halt' | 'notify';
+}
+/**
+ * HO-014 — match a finding's text against the operator's regulatory
+ * class triggers. Returns escalate=true when any class matches; the
+ * action is `halt` or `notify` per the operator's policy.
+ */
+export declare function escalateOnComplianceTrigger(finding: Pick<Finding, 'title' | 'description' | 'id'>, config: ComplianceTriggerConfig): EscalationDecision;
+//# sourceMappingURL=escalation.d.ts.map

package/dist/oversight/escalation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"escalation.d.ts","sourceRoot":"","sources":["../../src/oversight/escalation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAc,MAAM,aAAa,CAAC;AAWjE,MAAM,WAAW,wBAAwB;IACvC,0DAA0D;IAC1D,SAAS,CAAC,EAAE,QAAQ,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,OAAO,CAAC;IAClB,gGAAgG;IAChG,MAAM,EAAE,MAAM,GAAG,QAAQ,GAAG,UAAU,CAAC;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC,EACzC,MAAM,GAAE,wBAA6B,GACpC,kBAAkB,CAgBpB;AAED,MAAM,WAAW,qBAAqB;IACpC,sEAAsE;IACtE,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC,EAC3C,MAAM,GAAE,qBAA0B,GACjC,kBAAkB,CAwBpB;AAED,MAAM,WAAW,uBAAuB;IACtC,uDAAuD;IACvD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC;CAC9B;AAWD;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,aAAa,GAAG,IAAI,CAAC,EACtD,MAAM,EAAE,uBAAuB,GAC9B,kBAAkB,CAsBpB"}

package/dist/oversight/escalation.js

@@ -0,0 +1,97 @@
+const SEVERITY_RANK = Object.freeze({
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+    blocker: 5,
+});
+/**
+ * HO-011 — escalate findings whose severity meets or exceeds threshold.
+ */
+export function escalateOnSeverity(finding, config = {}) {
+    const threshold = config.threshold ?? 'high';
+    if (SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[threshold]) {
+        return {
+            escalate: true,
+            action: 'halt',
+            reason: `finding ${finding.id} severity ${finding.severity} ≥ escalation threshold ${threshold}`,
+            apts_refs: ['APTS-HO-011'],
+        };
+    }
+    return {
+        escalate: false,
+        action: 'continue',
+        reason: `finding ${finding.id} severity ${finding.severity} below threshold ${threshold}`,
+        apts_refs: ['APTS-HO-011'],
+    };
+}
+/**
+ * HO-013 — pause when finding.confidence === 'low' and the operator
+ * has opted into pause_on_low. Otherwise emit a notify (soft) for the
+ * audit trail.
+ */
+export function escalateOnConfidence(finding, config = {}) {
+    const c = finding.confidence;
+    if (c !== 'low') {
+        return {
+            escalate: false,
+            action: 'continue',
+            reason: `finding ${finding.id} confidence "${c ?? 'unset'}" not low`,
+            apts_refs: ['APTS-HO-013'],
+        };
+    }
+    if (config.pause_on_low === true) {
+        return {
+            escalate: true,
+            action: 'halt',
+            reason: `finding ${finding.id} confidence is low — engagement paused for verification`,
+            apts_refs: ['APTS-HO-013'],
+        };
+    }
+    return {
+        escalate: true,
+        action: 'notify',
+        reason: `finding ${finding.id} confidence is low — soft escalation (set pause_on_low to halt)`,
+        apts_refs: ['APTS-HO-013'],
+    };
+}
+const DEFAULT_REGULATORY_PATTERNS = Object.freeze({
+    PII: /\b(?:PII|personal[\s-]?identifiable|personally[\s-]?identifiable|GDPR)\b/iu,
+    PCI: /\b(?:PCI(?:[\s-]?DSS)?|cardholder[\s-]?data|primary[\s-]?account[\s-]?number|CVV)\b/iu,
+    PHI: /\b(?:PHI|protected[\s-]?health|HIPAA|patient[\s-]?record)\b/iu,
+    GDPR: /\b(?:GDPR|right[\s-]?to[\s-]?erasure|data[\s-]?subject)\b/iu,
+    HIPAA: /\bHIPAA\b/iu,
+    SOX: /\b(?:Sarbanes[\s-]?Oxley|SOX[\s-]?compliance|SOX)\b/iu,
+});
+/**
+ * HO-014 — match a finding's text against the operator's regulatory
+ * class triggers. Returns escalate=true when any class matches; the
+ * action is `halt` or `notify` per the operator's policy.
+ */
+export function escalateOnComplianceTrigger(finding, config) {
+    const text = `${finding.title}\n${finding.description ?? ''}`;
+    const matched = [];
+    for (const cls of config.regulatory_class) {
+        const re = DEFAULT_REGULATORY_PATTERNS[cls.toUpperCase()];
+        if (!re)
+            continue;
+        if (re.test(text))
+            matched.push(cls);
+    }
+    if (matched.length === 0) {
+        return {
+            escalate: false,
+            action: 'continue',
+            reason: `finding ${finding.id} did not match any configured regulatory class`,
+            apts_refs: ['APTS-HO-014'],
+        };
+    }
+    return {
+        escalate: true,
+        action: config.on_match ?? 'halt',
+        reason: `finding ${finding.id} matched regulatory class(es): ${matched.join(', ')}`,
+        apts_refs: ['APTS-HO-014'],
+    };
+}
+//# sourceMappingURL=escalation.js.map

package/dist/oversight/escalation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"escalation.js","sourceRoot":"","sources":["../../src/oversight/escalation.ts"],"names":[],"mappings":"AAqBA,MAAM,aAAa,GAAuC,MAAM,CAAC,MAAM,CAAC;IACtE,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,OAAO,EAAE,CAAC;CACX,CAAC,CAAC;AAeH;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAyC,EACzC,SAAmC,EAAE;IAErC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC;IAC7C,IAAI,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,aAAa,OAAO,CAAC,QAAQ,2BAA2B,SAAS,EAAE;YAChG,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,aAAa,OAAO,CAAC,QAAQ,oBAAoB,SAAS,EAAE;QACzF,SAAS,EAAE,CAAC,aAAa,CAAC;KAC3B,CAAC;AACJ,CAAC;AAOD;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAA2C,EAC3C,SAAgC,EAAE;IAElC,MAAM,CAAC,GAA2B,OAAO,CAAC,UAAU,CAAC;IACrD,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;QAChB,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,gBAAgB,CAAC,IAAI,OAAO,WAAW;YACpE,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,yDAAyD;YACtF,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,iEAAiE;QAC9F,SAAS,EAAE,CAAC,aAAa,CAAC;KAC3B,CAAC;AACJ,CAAC;AASD,MAAM,2BAA2B,GAAqC,MAAM,CAAC,MAAM,CAAC;IAClF,GAAG,EAAE,4EAA4E;IACjF,GAAG,EAAE,uFAAuF;IAC5F,GAAG,EAAE,+DAA+D;IACpE,IAAI,EAAE,6DAA6D;IACnE,KAAK,EAAE,aAAa;IACpB,GAAG,EAAE,uDAAuD;CAC7D,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAsD,EACtD,MAA+B;IAE/B,MAAM,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;IAC9D,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,EAAE,GAAG,2BAA2B,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,EAAE;YAAE,SAAS;QAClB,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,gDAAgD;YAC7E,SAAS,EAAE,CAAC,aAAa,CAAC;SAC3B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM;QACjC,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,kCAAkC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACnF,SAAS,EAAE,CAAC,aAAa,CAAC;KAC3B,CAAC;AACJ,CAAC"}

package/dist/oversight/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Oversight public surface.
+ *
+ * Closes APTS Tier-1 entries: SC-001 (CIA scoring), HO-001 (pre-approval
+ * gates per AL-level), HO-004 (authority delegation matrix), HO-010
+ * (mandatory human decision points), HO-011 (unexpected-finding
+ * escalation), HO-012 (impact-threshold-breach escalation), HO-013
+ * (confidence-based escalation), HO-014 (legal/compliance escalation
+ * triggers).
+ */
+export { assignCiaVector, evaluateCiaThreshold, CWE_CIA_DEFAULTS, type CiaThresholdEvaluation, } from './cia-scoring.js';
+export { evaluateApprovalGate, detectIrreversibleActions, evaluateIrreversibleGate, PHASE_TO_AUTONOMY_LEVEL, type AutonomyLevel, type AutonomyLevelPolicy, type AutonomyLevelsConfig, type ApprovalGateDecision, type IrreversibleGateDecision, } from './approval-gates.js';
+export { validateDelegationMatrix, rolesForAction, type DelegationEntry, type AuthorityMatrixValidation, } from './authority-matrix.js';
+export { escalateOnSeverity, escalateOnConfidence, escalateOnComplianceTrigger, type SeverityEscalationConfig, type ConfidencePauseConfig, type ComplianceTriggerConfig, type EscalationDecision, } from './escalation.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/oversight/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oversight/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,GAC9B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,EACxB,cAAc,EACd,KAAK,eAAe,EACpB,KAAK,yBAAyB,GAC/B,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,2BAA2B,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,GACxB,MAAM,iBAAiB,CAAC"}

package/dist/oversight/index.js

@@ -0,0 +1,15 @@
+/**
+ * Oversight public surface.
+ *
+ * Closes APTS Tier-1 entries: SC-001 (CIA scoring), HO-001 (pre-approval
+ * gates per AL-level), HO-004 (authority delegation matrix), HO-010
+ * (mandatory human decision points), HO-011 (unexpected-finding
+ * escalation), HO-012 (impact-threshold-breach escalation), HO-013
+ * (confidence-based escalation), HO-014 (legal/compliance escalation
+ * triggers).
+ */
+export { assignCiaVector, evaluateCiaThreshold, CWE_CIA_DEFAULTS, } from './cia-scoring.js';
+export { evaluateApprovalGate, detectIrreversibleActions, evaluateIrreversibleGate, PHASE_TO_AUTONOMY_LEVEL, } from './approval-gates.js';
+export { validateDelegationMatrix, rolesForAction, } from './authority-matrix.js';
+export { escalateOnSeverity, escalateOnConfidence, escalateOnComplianceTrigger, } from './escalation.js';
+//# sourceMappingURL=index.js.map

package/dist/oversight/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/oversight/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,gBAAgB,GAEjB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,GAMxB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,EACxB,cAAc,GAGf,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,2BAA2B,GAK5B,MAAM,iBAAiB,CAAC"}

package/dist/roe/index.d.ts

@@ -0,0 +1,3 @@
+export { RoESchema, validateTargetInScope, validateTemporalEnvelope, getAssetCriticality, validateAction, synthesizeMinimalRoE, type RoE, type ValidationDecision, } from './types.js';
+export { loadRoE, type RoEParseResult, type RoEParseSuccess, type RoEParseFailure, } from './loader.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/roe/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/roe/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,cAAc,EACd,oBAAoB,EACpB,KAAK,GAAG,EACR,KAAK,kBAAkB,GACxB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,OAAO,EACP,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,aAAa,CAAC"}

package/dist/roe/index.js

@@ -0,0 +1,3 @@
+export { RoESchema, validateTargetInScope, validateTemporalEnvelope, getAssetCriticality, validateAction, synthesizeMinimalRoE, } from './types.js';
+export { loadRoE, } from './loader.js';
+//# sourceMappingURL=index.js.map

package/dist/roe/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/roe/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,cAAc,EACd,oBAAoB,GAGrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,OAAO,GAIR,MAAM,aAAa,CAAC"}

package/dist/roe/loader.d.ts

@@ -0,0 +1,15 @@
+import { type RoE } from './types.js';
+export interface RoEParseSuccess {
+    ok: true;
+    roe: RoE;
+}
+export interface RoEParseFailure {
+    ok: false;
+    /** Operator-readable error message safe to print to stderr. */
+    error: string;
+    /** Phase the error occurred in. */
+    phase: 'file-missing' | 'json-parse' | 'schema-validation';
+}
+export type RoEParseResult = RoEParseSuccess | RoEParseFailure;
+export declare function loadRoE(path: string): RoEParseResult;
+//# sourceMappingURL=loader.d.ts.map

package/dist/roe/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/roe/loader.ts"],"names":[],"mappings":"AAQA,OAAO,EAAa,KAAK,GAAG,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,KAAK,CAAC;IACV,+DAA+D;IAC/D,KAAK,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,KAAK,EAAE,cAAc,GAAG,YAAY,GAAG,mBAAmB,CAAC;CAC5D;AAED,MAAM,MAAM,cAAc,GAAG,eAAe,GAAG,eAAe,CAAC;AAE/D,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CA+CpD"}

package/dist/roe/loader.js

@@ -0,0 +1,56 @@
+/**
+ * RoE loader — read + validate from disk. Accepts JSON; YAML support deferred.
+ *
+ * Returns either a validated RoE or a structured ParseError (file-missing,
+ * invalid-JSON, schema-violation) so the caller can surface a precise
+ * operator-readable message.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { RoESchema } from './types.js';
+export function loadRoE(path) {
+    if (!existsSync(path)) {
+        return {
+            ok: false,
+            error: `RoE file not found at ${path}`,
+            phase: 'file-missing',
+        };
+    }
+    let raw;
+    try {
+        raw = readFileSync(path, 'utf-8');
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `RoE file unreadable at ${path}: ${err instanceof Error ? err.message : String(err)}`,
+            phase: 'file-missing',
+        };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `RoE file at ${path} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`,
+            phase: 'json-parse',
+        };
+    }
+    const result = RoESchema.safeParse(parsed);
+    if (!result.success) {
+        const formatted = result.error.issues
+            .map((issue) => {
+            const path = issue.path.length > 0 ? issue.path.join('.') : '<root>';
+            return `  ${path}: ${issue.message}`;
+        })
+            .join('\n');
+        return {
+            ok: false,
+            error: `RoE schema validation failed:\n${formatted}`,
+            phase: 'schema-validation',
+        };
+    }
+    return { ok: true, roe: result.data };
+}
+//# sourceMappingURL=loader.js.map

package/dist/roe/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/roe/loader.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,SAAS,EAAY,MAAM,YAAY,CAAC;AAiBjD,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,yBAAyB,IAAI,EAAE;YACtC,KAAK,EAAE,cAAc;SACtB,CAAC;IACJ,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,0BAA0B,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC5F,KAAK,EAAE,cAAc;SACtB,CAAC;IACJ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,eAAe,IAAI,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YACnG,KAAK,EAAE,YAAY;SACpB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAClC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACb,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YACrE,OAAO,KAAK,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;QACvC,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,kCAAkC,SAAS,EAAE;YACpD,KAAK,EAAE,mBAAmB;SAC3B,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AACxC,CAAC"}