@clear-capabilities/agentic-security-scanner 0.79.0 → 0.80.0

package/src/posture/runtime-correlation.js

@@ -0,0 +1,174 @@
+// eBPF runtime instrumentation correlation — Recommendation #5 of the
+// world-class roadmap.
+//
+// The hardest false-positive class is "this code path is technically
+// reachable but is DEAD in production." Static analysis can't distinguish
+// dead code from reachable code; runtime observation can. This module
+// consumes an eBPF trace dataset (produced by an out-of-band collector
+// running in the customer's prod environment) and demotes findings
+// whose call-graph paths were unobserved.
+//
+// Trace format (JSONL, one record per observation):
+//
+//   { "ts": "2026-05-28T...", "host": "prod-host-1",
+//     "kind": "function-call", "qid": "com.acme.UserController.getUser",
+//     "fileRel": "src/main/java/com/acme/UserController.java", "line": 42,
+//     "count": 1234, "lastSeen": "2026-05-28T..." }
+//
+// Common record kinds:
+//   - "function-call":   QID was invoked at least once in the trace window
+//   - "route-hit":       HTTP route received traffic
+//   - "syscall":         filesystem / network / process syscall fired
+//   - "file-touch":      file was read / written
+//
+// The trace file lives at one of:
+//   .agentic-security/runtime-trace.jsonl (per-project, committed)
+//   $AGENTIC_SECURITY_RUNTIME_TRACE_PATH    (override)
+//
+// Output: every finding gets a `runtimeObserved: true|false|unknown` field.
+//   true   — at least one node on the finding's call-graph path appears in trace
+//   false  — none of the nodes appear (finding's path is dead in observed window)
+//   unknown — no trace data available
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as readline from 'node:readline';
+import { createReadStream } from 'node:fs';
+
+const DEFAULT_TRACE_NAMES = ['runtime-trace.jsonl', 'runtime.jsonl', 'ebpf-trace.jsonl'];
+const DEFAULT_OBSERVATION_WINDOW_DAYS = 30;
+
+export async function loadTrace(scanRoot, opts = {}) {
+  const explicit = opts.tracePath || process.env.AGENTIC_SECURITY_RUNTIME_TRACE_PATH;
+  const candidates = explicit ? [explicit] : DEFAULT_TRACE_NAMES.map(n => path.join(scanRoot, '.agentic-security', n));
+  let chosen = null;
+  for (const c of candidates) {
+    if (fs.existsSync(c)) { chosen = c; break; }
+  }
+  if (!chosen) return null;
+  const trace = {
+    path: chosen,
+    qidsObserved: new Set(),
+    routesObserved: new Set(),
+    filesObserved: new Set(),
+    fileLinesObserved: new Map(), // file → Set<line>
+    syscallsObserved: new Set(),
+    recordCount: 0,
+  };
+  const window = (opts.windowDays || DEFAULT_OBSERVATION_WINDOW_DAYS) * 86400_000;
+  const now = Date.now();
+  const stream = createReadStream(chosen, { encoding: 'utf8' });
+  const rl = readline.createInterface({ input: stream, crlfDelay: Infinity });
+  for await (const line of rl) {
+    if (!line.trim()) continue;
+    let r;
+    try { r = JSON.parse(line); } catch { continue; }
+    if (r.ts) {
+      const tsMs = Date.parse(r.ts);
+      if (Number.isFinite(tsMs) && now - tsMs > window) continue;
+    }
+    trace.recordCount++;
+    switch (r.kind) {
+      case 'function-call':
+        if (r.qid) trace.qidsObserved.add(r.qid);
+        if (r.fileRel && typeof r.line === 'number') {
+          let set = trace.fileLinesObserved.get(r.fileRel);
+          if (!set) { set = new Set(); trace.fileLinesObserved.set(r.fileRel, set); }
+          set.add(r.line);
+        }
+        if (r.fileRel) trace.filesObserved.add(r.fileRel);
+        break;
+      case 'route-hit':
+        if (r.route) trace.routesObserved.add(r.route);
+        break;
+      case 'syscall':
+        if (r.name) trace.syscallsObserved.add(r.name);
+        break;
+      case 'file-touch':
+        if (r.fileRel) trace.filesObserved.add(r.fileRel);
+        break;
+    }
+  }
+  return trace;
+}
+
+/**
+ * Test whether a finding's call-graph path was observed in trace.
+ * Checks:
+ *   1. The finding's file appears in filesObserved (necessary condition)
+ *   2. AT LEAST ONE line on the finding's chain (source, sink, intermediate
+ *      nodes) was observed in that file
+ *   3. The finding's containing function's qid appears in qidsObserved
+ */
+export function findingObservedInRuntime(finding, trace) {
+  if (!trace) return 'unknown';
+  // qid match (most specific)
+  if (finding.scope && trace.qidsObserved.has(finding.scope)) return true;
+  if (finding.functionQid && trace.qidsObserved.has(finding.functionQid)) return true;
+  // file + any-line on the chain match
+  const file = finding.file || (finding.sink && finding.sink.file);
+  if (file && trace.filesObserved.has(file)) {
+    const linesObserved = trace.fileLinesObserved.get(file);
+    if (linesObserved) {
+      const chainLines = [
+        finding.line,
+        ...(finding.chain || []).map(s => s.line),
+        ...(finding.taintPath || []).map(s => s.line),
+      ].filter(n => typeof n === 'number');
+      for (const ln of chainLines) {
+        // Allow ±2 line tolerance for compiler reordering / minor inlining.
+        for (let off = -2; off <= 2; off++) {
+          if (linesObserved.has(ln + off)) return true;
+        }
+      }
+    }
+    // File appears but no line match — partial evidence. Don't claim
+    // observed; don't claim dead.
+    return 'unknown';
+  }
+  // route match — every finding inside a route handler whose route was hit.
+  if (finding._inRoute && finding._inRoute.path && trace.routesObserved.has(finding._inRoute.path)) return true;
+  if (finding.routeRooted && finding._inRoute && trace.routesObserved.size > 0) {
+    for (const r of trace.routesObserved) {
+      if (finding._inRoute.path && r.includes(finding._inRoute.path)) return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Annotate all findings with runtimeObserved + demote unobserved findings.
+ * Demotion: critical → high, high → medium, medium → low.
+ *
+ * Findings classified as unknown are left alone (no demotion). This is
+ * the principled position — absence of observation in a partial trace
+ * is not evidence of dead code.
+ */
+export async function annotateRuntimeCorrelation(scanRoot, findings, opts = {}) {
+  if (!Array.isArray(findings)) return { observed: 0, dead: 0, unknown: 0 };
+  const trace = await loadTrace(scanRoot, opts);
+  if (!trace) {
+    for (const f of findings) f.runtimeObserved = 'unknown';
+    return { observed: 0, dead: 0, unknown: findings.length, trace: null };
+  }
+  let observed = 0, dead = 0, unknown = 0;
+  const demoteLadder = { critical: 'high', high: 'medium', medium: 'low', low: 'info' };
+  for (const f of findings) {
+    const v = findingObservedInRuntime(f, trace);
+    f.runtimeObserved = v;
+    if (v === true) observed++;
+    else if (v === false) {
+      dead++;
+      // Demote one tier — the finding is real but unobserved in 30 days
+      // of production traffic, so it's not P0.
+      const next = demoteLadder[f.severity];
+      if (next) {
+        f._runtimeDemoted = f.severity;
+        f.severity = next;
+      }
+    } else unknown++;
+  }
+  return { observed, dead, unknown, trace: { recordCount: trace.recordCount, path: trace.path } };
+}
+
+export const _internals = { DEFAULT_TRACE_NAMES, DEFAULT_OBSERVATION_WINDOW_DAYS };

package/src/posture/sbom-diff.js

@@ -0,0 +1,171 @@
+// SBOM diff + dependency drift detection — Recommendation #10 of the
+// world-class+2 plan.
+//
+// Tracks SBOMs across releases (keyed by git commit hash). On each scan,
+// compares the current SBOM against the previous snapshot to surface
+// drift before a CVE-publication catches it:
+//
+//   - dependency-added              new package since previous SBOM
+//   - dependency-removed            package no longer present
+//   - dependency-version-bumped     version changed
+//   - dependency-substitution       SAME package name but different
+//                                   ecosystem / publisher / repo source
+//                                   (the SolarWinds / event-stream pattern)
+//   - dependency-deprecated         transitioned to a deprecated state
+//
+// Suspicious additions (i.e., a new package that doesn't appear in any
+// PR diff / commit message) get a higher severity tier than expected ones.
+//
+// Snapshots live at .agentic-security/sbom-history/<sha>.json. The
+// engine writes the current snapshot at the end of every scan; this
+// module produces the diff on the next scan.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import { execSync } from 'node:child_process';
+
+const HISTORY_DIR = 'sbom-history';
+
+function _historyDir(scanRoot) {
+  return path.join(scanRoot, '.agentic-security', HISTORY_DIR);
+}
+
+function _gitHead(scanRoot) {
+  try {
+    return execSync('git rev-parse HEAD', { cwd: scanRoot, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();
+  } catch { return null; }
+}
+
+function _snapshotKey(component) {
+  return `${component.ecosystem || 'unknown'}:${component.name || ''}`;
+}
+
+/**
+ * Persist the current SBOM as a snapshot keyed by the current git HEAD.
+ * If no git, falls back to a content hash of the components list.
+ */
+export function persistSbom(scanRoot, components) {
+  const dir = _historyDir(scanRoot);
+  try { fs.mkdirSync(dir, { recursive: true }); } catch {}
+  const sha = _gitHead(scanRoot) || crypto.createHash('sha256').update(JSON.stringify(components)).digest('hex').slice(0, 12);
+  const snap = {
+    sha, ts: new Date().toISOString(),
+    componentCount: components.length,
+    components: components.map(c => ({
+      ecosystem: c.ecosystem, name: c.name, version: c.version,
+      purl: c.purl, scope: c.scope, isUnpinned: !!c.isUnpinned,
+      sha256: c.sha256 || c.integrity || null,
+    })),
+  };
+  try { fs.writeFileSync(path.join(dir, `${sha}.json`), JSON.stringify(snap, null, 2)); } catch {}
+  return snap;
+}
+
+/**
+ * Load the previous SBOM snapshot for diffing.
+ */
+export function loadPreviousSnapshot(scanRoot, currentSha) {
+  const dir = _historyDir(scanRoot);
+  if (!fs.existsSync(dir)) return null;
+  let snaps;
+  try { snaps = fs.readdirSync(dir); } catch { return null; }
+  snaps = snaps.filter(f => f.endsWith('.json') && f !== `${currentSha}.json`);
+  if (!snaps.length) return null;
+  // Sort by mtime descending; take the most recent.
+  snaps.sort((a, b) => fs.statSync(path.join(dir, b)).mtimeMs - fs.statSync(path.join(dir, a)).mtimeMs);
+  try {
+    return JSON.parse(fs.readFileSync(path.join(dir, snaps[0]), 'utf8'));
+  } catch { return null; }
+}
+
+/**
+ * Compute the structured diff between two SBOMs and emit drift findings.
+ */
+export function diffSboms(previous, current) {
+  if (!previous || !current) return { findings: [], summary: { added: 0, removed: 0, bumped: 0, substituted: 0 } };
+  const findings = [];
+  const prevByKey = new Map();
+  for (const c of previous.components || []) prevByKey.set(_snapshotKey(c), c);
+  const curByKey = new Map();
+  for (const c of current.components || []) curByKey.set(_snapshotKey(c), c);
+  let added = 0, removed = 0, bumped = 0, substituted = 0;
+
+  // Added
+  for (const [key, cur] of curByKey) {
+    if (prevByKey.has(key)) continue;
+    added++;
+    findings.push({
+      family: 'dependency-drift', subfamily: 'dependency-added',
+      severity: 'medium', cwe: 'CWE-1357',
+      vuln: `Dependency added since previous release: ${cur.ecosystem}:${cur.name}@${cur.version}`,
+      file: cur.purl || 'package-lock.json', line: 0,
+      drift: { kind: 'added', component: cur, sinceSha: previous.sha },
+      remediation: 'Confirm this addition appears in a reviewed PR. Unexplained additions are the standard supply-chain-attack pattern.',
+    });
+  }
+  // Removed
+  for (const [key, prev] of prevByKey) {
+    if (curByKey.has(key)) continue;
+    removed++;
+    findings.push({
+      family: 'dependency-drift', subfamily: 'dependency-removed',
+      severity: 'low', cwe: 'CWE-1357',
+      vuln: `Dependency removed since previous release: ${prev.ecosystem}:${prev.name}@${prev.version}`,
+      file: prev.purl || 'package-lock.json', line: 0,
+      drift: { kind: 'removed', component: prev, sinceSha: previous.sha },
+      remediation: 'Confirm the removal was intentional. Silent removal of a vulnerable dep is fine; silent removal of a fix-receiving dep means CVEs may re-introduce.',
+    });
+  }
+  // Bumped
+  for (const [key, cur] of curByKey) {
+    const prev = prevByKey.get(key);
+    if (!prev) continue;
+    if (prev.version !== cur.version) {
+      bumped++;
+      const isMajor = _isMajorBump(prev.version, cur.version);
+      findings.push({
+        family: 'dependency-drift', subfamily: 'dependency-version-bumped',
+        severity: isMajor ? 'medium' : 'low',
+        cwe: 'CWE-1357',
+        vuln: `${cur.ecosystem}:${cur.name} bumped ${prev.version} → ${cur.version}${isMajor ? ' (MAJOR)' : ''}`,
+        file: cur.purl || 'package-lock.json', line: 0,
+        drift: { kind: 'bumped', from: prev.version, to: cur.version, isMajor, sinceSha: previous.sha },
+        remediation: 'Major-version bumps are breaking-change candidates AND attack pivot points. Verify the changelog signals match what your dependency intended.',
+      });
+    }
+    // Substitution check: integrity / hash changed but version stayed the same
+    if (prev.sha256 && cur.sha256 && prev.sha256 !== cur.sha256 && prev.version === cur.version) {
+      substituted++;
+      findings.push({
+        family: 'dependency-drift', subfamily: 'dependency-substitution',
+        severity: 'critical', cwe: 'CWE-1357',
+        vuln: `Suspicious substitution: ${cur.ecosystem}:${cur.name}@${cur.version} hash changed without version change`,
+        file: cur.purl || 'package-lock.json', line: 0,
+        drift: { kind: 'substituted', component: cur, oldHash: prev.sha256, newHash: cur.sha256, sinceSha: previous.sha },
+        remediation: 'Same package + same version + DIFFERENT content hash = the registry served a different artifact under the same identity. Investigate immediately; rotate the lockfile via fresh install.',
+      });
+    }
+  }
+  return { findings, summary: { added, removed, bumped, substituted } };
+}
+
+function _isMajorBump(prev, cur) {
+  const pa = (prev || '').match(/^(\d+)/);
+  const pc = (cur || '').match(/^(\d+)/);
+  if (!pa || !pc) return false;
+  return parseInt(pa[1], 10) !== parseInt(pc[1], 10);
+}
+
+/**
+ * Convenience entry — run the full pipeline: persist current, diff
+ * against previous, return findings.
+ */
+export function runSbomDiff(scanRoot, components) {
+  const current = persistSbom(scanRoot, components);
+  const previous = loadPreviousSnapshot(scanRoot, current.sha);
+  if (!previous) return { findings: [], summary: { added: 0, removed: 0, bumped: 0, substituted: 0 }, first: true };
+  return diffSboms(previous, current);
+}
+
+export const _internals = { _historyDir, _gitHead, _isMajorBump, _snapshotKey };

package/src/posture/sca-policy.js

@@ -0,0 +1,235 @@
+// SCA policy — declarative per-project rules for vulnerable_dep findings.
+// Phase 4 / Item 7 of the SCA improvement plan.
+//
+// Reads .agentic-security/sca-policy.yml. Three classes of rule:
+//
+//   accept-risk        — per-CVE or per-package suppression with reason +
+//                        optional expiry. Treated as "wont-fix" — the
+//                        finding still appears but is marked suppressed.
+//   sla                — per-severity / per-tier deadlines for remediation.
+//                        Findings older than the SLA are escalated.
+//   major-version-freeze — refuse automated major-version bumps per
+//                          ecosystem. /fix --sca consults this before
+//                          calling apply_sca_upgrade on a breaking change.
+//
+// Policy file shape:
+//
+//   accept-risk:
+//     - cve: CVE-2024-12345
+//       reason: "patched upstream; bundled vendor copy doesn't include affected code"
+//       expires: 2026-12-31
+//     - package: log4j-core
+//       version: 2.17.1
+//       reason: "we run on Java 21; JNDI lookup is disabled at runtime"
+//       expires: 2026-06-30
+//
+//   sla:
+//     critical-kev: 7d
+//     critical: 30d
+//     high: 90d
+//     medium: 180d
+//
+//   major-version-freeze:
+//     npm: [react, vue]            # never auto-upgrade these across majors
+//     pypi: [django]
+//
+// Default policy (no file) is permissive: nothing is suppressed and no
+// SLA is enforced. Users opt in by creating the file.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+
+const DEFAULT_POLICY = {
+  acceptRisk: [],
+  sla: {},
+  majorVersionFreeze: {},
+};
+
+export function loadScaPolicy(scanRoot) {
+  if (!scanRoot) return null;
+  for (const name of ['sca-policy.yml', 'sca-policy.yaml', 'sca-policy.json']) {
+    const p = path.join(scanRoot, '.agentic-security', name);
+    if (!fs.existsSync(p)) continue;
+    try {
+      const raw = fs.readFileSync(p, 'utf8');
+      const doc = name.endsWith('.json') ? JSON.parse(raw) : yaml.load(raw);
+      return _normalize(doc);
+    } catch (e) {
+      return { _error: `Failed to parse ${p}: ${e.message}` };
+    }
+  }
+  return null;
+}
+
+function _normalize(doc) {
+  return {
+    acceptRisk: Array.isArray(doc?.['accept-risk']) ? doc['accept-risk'].map(_normalizeAccept) : [],
+    sla: _normalizeSla(doc?.sla || {}),
+    majorVersionFreeze: _normalizeMajor(doc?.['major-version-freeze'] || {}),
+  };
+}
+
+function _normalizeAccept(entry) {
+  return {
+    cve: entry.cve ? String(entry.cve).toUpperCase() : null,
+    package: entry.package ? String(entry.package).toLowerCase() : null,
+    version: entry.version ? String(entry.version) : null,
+    ecosystem: entry.ecosystem ? String(entry.ecosystem).toLowerCase() : null,
+    reason: entry.reason || '',
+    expires: entry.expires || null,
+  };
+}
+
+function _normalizeSla(sla) {
+  const out = {};
+  for (const [k, v] of Object.entries(sla)) {
+    out[k.toLowerCase()] = _parseSlaDuration(v);
+  }
+  return out;
+}
+
+function _parseSlaDuration(v) {
+  if (typeof v === 'number') return v * 86400_000; // bare number = days
+  const m = String(v).match(/^(\d+)([dwmy])$/i);
+  if (!m) return null;
+  const n = parseInt(m[1], 10);
+  const unit = m[2].toLowerCase();
+  const factor = { d: 86400_000, w: 7 * 86400_000, m: 30 * 86400_000, y: 365 * 86400_000 }[unit];
+  return factor ? n * factor : null;
+}
+
+function _normalizeMajor(maj) {
+  const out = {};
+  for (const [eco, list] of Object.entries(maj)) {
+    if (Array.isArray(list)) out[eco.toLowerCase()] = list.map(s => String(s).toLowerCase());
+  }
+  return out;
+}
+
+// Check whether an accept-risk entry is currently active (not expired).
+function _accepted(entry, today = new Date()) {
+  if (!entry.expires) return true;
+  const exp = new Date(entry.expires);
+  if (Number.isNaN(+exp)) return true; // unparseable: treat as still active
+  return exp >= today;
+}
+
+// Match a finding against the accept-risk list. Returns the matching entry
+// or null.
+export function matchAcceptRisk(finding, policy, today = new Date()) {
+  if (!policy || !Array.isArray(policy.acceptRisk)) return null;
+  const cves = Array.isArray(finding.cveAliases) ? finding.cveAliases.map(c => String(c).toUpperCase()) : [];
+  if (finding.osvId) cves.push(String(finding.osvId).toUpperCase());
+  const pkgName = String(finding.name || '').toLowerCase();
+  for (const entry of policy.acceptRisk) {
+    if (!_accepted(entry, today)) continue;
+    if (entry.cve && cves.includes(entry.cve)) return entry;
+    if (entry.package && pkgName === entry.package) {
+      if (entry.version && finding.version && entry.version !== finding.version) continue;
+      if (entry.ecosystem && finding.ecosystem && entry.ecosystem !== finding.ecosystem) continue;
+      return entry;
+    }
+  }
+  return null;
+}
+
+// Apply policy to a list of SCA findings. Marks accept-risk hits as
+// suppressed; computes SLA deadlines; flags major-version-freeze packages
+// so /fix --sca knows not to auto-upgrade them.
+//
+// Returns { suppressed: number, slaTagged: number, frozen: number }.
+export function applyScaPolicy(findings, policy, scanTime = new Date()) {
+  const stats = { suppressed: 0, slaTagged: 0, frozen: 0 };
+  if (!policy || !Array.isArray(findings)) return stats;
+  for (const f of findings) {
+    if (!f || f.type !== 'vulnerable_dep') continue;
+    // Accept-risk suppression
+    const acceptance = matchAcceptRisk(f, policy, scanTime);
+    if (acceptance) {
+      f.suppressed = true;
+      f.suppressionReason = acceptance.reason || 'accepted-risk';
+      f.suppressionSource = 'sca-policy.yml';
+      f.suppressionExpires = acceptance.expires || null;
+      stats.suppressed++;
+      continue;
+    }
+    // SLA tag: pick the narrowest applicable bucket.
+    const slaKey = (f.kev || f.kevListed) && f.severity === 'critical' ? 'critical-kev'
+                 : f.severity;
+    if (policy.sla && policy.sla[slaKey]) {
+      const startMs = f.firstSeenAt ? Date.parse(f.firstSeenAt) : +scanTime;
+      const deadline = startMs + policy.sla[slaKey];
+      f.slaDeadline = new Date(deadline).toISOString();
+      f.slaOverdue = +scanTime > deadline;
+      stats.slaTagged++;
+    }
+    // Major-version freeze
+    if (policy.majorVersionFreeze
+        && Array.isArray(policy.majorVersionFreeze[f.ecosystem])
+        && policy.majorVersionFreeze[f.ecosystem].includes(String(f.name).toLowerCase())) {
+      f.majorVersionFrozen = true;
+      stats.frozen++;
+    }
+  }
+  return stats;
+}
+
+// Materialize a wont-fix triage decision into a new accept-risk entry.
+// Called by the triage → suppression bridge (Phase 4 / Item 7 of the SCA
+// plan): when a user marks a vulnerable_dep finding wont-fix, the policy
+// file is updated so future scans automatically suppress it.
+//
+// If the policy file doesn't exist, one is created with safe defaults.
+export function appendAcceptRiskFromTriage(scanRoot, finding, reason) {
+  if (!scanRoot || !finding) return { ok: false, reason: 'missing arguments' };
+  const dir = path.join(scanRoot, '.agentic-security');
+  const fp = path.join(dir, 'sca-policy.yml');
+  let policy = loadScaPolicy(scanRoot);
+  if (policy && policy._error) return { ok: false, reason: policy._error };
+  if (!policy) policy = { acceptRisk: [], sla: {}, majorVersionFreeze: {} };
+  // Defensive: even if a policy file existed, it may have been parsed into a
+  // value that shares references with DEFAULT_POLICY. Force a fresh array.
+  if (!Array.isArray(policy.acceptRisk)) policy.acceptRisk = [];
+
+  // De-dupe — don't add a second entry for the same CVE.
+  const cves = Array.isArray(finding.cveAliases) ? finding.cveAliases.map(c => String(c).toUpperCase()) : [];
+  if (finding.osvId) cves.push(String(finding.osvId).toUpperCase());
+  for (const entry of policy.acceptRisk) {
+    if (entry.cve && cves.includes(entry.cve)) return { ok: false, reason: 'CVE already in accept-risk list', cve: entry.cve };
+  }
+
+  const newEntry = {
+    cve: cves[0] || null,
+    package: finding.name ? String(finding.name).toLowerCase() : null,
+    version: finding.version || null,
+    ecosystem: finding.ecosystem || null,
+    reason: reason || `Marked wont-fix in triage on ${new Date().toISOString().slice(0, 10)}`,
+    expires: null,
+  };
+  policy.acceptRisk.push(newEntry);
+
+  try { fs.mkdirSync(dir, { recursive: true }); } catch {}
+  const serialized = yaml.dump({
+    'accept-risk': policy.acceptRisk.map(e => {
+      const o = {};
+      if (e.cve) o.cve = e.cve;
+      if (e.package) o.package = e.package;
+      if (e.version) o.version = e.version;
+      if (e.ecosystem) o.ecosystem = e.ecosystem;
+      o.reason = e.reason;
+      if (e.expires) o.expires = e.expires;
+      return o;
+    }),
+    sla: policy.sla && Object.keys(policy.sla).length ? Object.fromEntries(Object.entries(policy.sla).map(([k, v]) => [k, _formatSlaDuration(v)])) : undefined,
+    'major-version-freeze': policy.majorVersionFreeze && Object.keys(policy.majorVersionFreeze).length ? policy.majorVersionFreeze : undefined,
+  });
+  fs.writeFileSync(fp, serialized);
+  return { ok: true, entry: newEntry, path: fp };
+}
+
+function _formatSlaDuration(ms) {
+  if (typeof ms !== 'number') return ms;
+  const days = Math.round(ms / 86400_000);
+  return `${days}d`;
+}