@hongmaple0820/scale-engine 0.29.0 → 0.33.0

package/dist/workflow/SecurityAudit.js

@@ -0,0 +1,294 @@
+// SCALE Engine — Security Audit Engine (v0.33.0)
+// OWASP Top 10 + STRIDE security audit for code review.
+// Inspired by gstack's /cso security audit skill.
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+const SECURITY_PATTERNS = [
+    // Injection
+    {
+        id: 'sql-concat',
+        category: 'injection',
+        severity: 'critical',
+        title: 'SQL string concatenation detected',
+        pattern: /(?:query|execute|raw)\s*\(\s*[`'"].*\$\{|(?:query|execute|raw)\s*\(\s*['"].*\+\s*(?:req\.|params\.|input|user)/i,
+        description: 'SQL query built with string concatenation or template literals using user input.',
+        recommendation: 'Use parameterized queries or an ORM with built-in escaping.',
+    },
+    {
+        id: 'eval-usage',
+        category: 'injection',
+        severity: 'critical',
+        title: 'Dynamic code execution detected',
+        pattern: /\b(?:eval|Function|setTimeout|setInterval)\s*\(\s*(?:req\.|params\.|input|user|req\[)/i,
+        description: 'Dynamic code execution with user-controlled input.',
+        recommendation: 'Never pass user input to eval/Function. Use safe alternatives like JSON.parse or a sandboxed VM.',
+    },
+    // Auth
+    {
+        id: 'hardcoded-password',
+        category: 'auth',
+        severity: 'critical',
+        title: 'Hardcoded password or secret',
+        pattern: /(?:password|passwd|secret|api[_-]?key|token|auth[_-]?key)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+        description: 'Hardcoded credential found in source code.',
+        recommendation: 'Move secrets to environment variables or a secret manager.',
+        testFileExempt: true,
+    },
+    {
+        id: 'weak-crypto',
+        category: 'auth',
+        severity: 'high',
+        title: 'Weak cryptographic algorithm',
+        pattern: /\b(?:md5|sha1)\b.*(?:hash|digest|createHash)/i,
+        description: 'Weak hash algorithm (MD5/SHA1) used for security-sensitive operation.',
+        recommendation: 'Use SHA-256 or stronger. For passwords, use bcrypt, argon2, or scrypt.',
+    },
+    // XSS
+    {
+        id: 'innerhtml',
+        category: 'xss',
+        severity: 'high',
+        title: 'innerHTML assignment detected',
+        pattern: /\.innerHTML\s*=\s*(?!['"]\s*['"])/,
+        description: 'Direct innerHTML assignment may allow XSS if input is not sanitized.',
+        recommendation: 'Use textContent, or sanitize with DOMPurify before assigning to innerHTML.',
+        testFileExempt: true,
+    },
+    {
+        id: 'dangerously-set-html',
+        category: 'xss',
+        severity: 'high',
+        title: 'dangerouslySetInnerHTML usage',
+        pattern: /dangerouslySetInnerHTML\s*:/,
+        description: 'React dangerouslySetInnerHTML bypasses XSS protection.',
+        recommendation: 'Sanitize HTML with DOMPurify before passing to dangerouslySetInnerHTML.',
+        testFileExempt: true,
+    },
+    // Exposure
+    {
+        id: 'stack-trace-exposure',
+        category: 'exposure',
+        severity: 'medium',
+        title: 'Stack trace exposure in response',
+        pattern: /(?:res\.|response\.)\s*(?:send|json|write)\s*\(\s*(?:err|error)\s*(?:\.stack)?\s*\)/i,
+        description: 'Error stack trace sent to client, leaking internal implementation details.',
+        recommendation: 'Return generic error messages to clients. Log detailed errors server-side only.',
+    },
+    // Access Control
+    {
+        id: 'path-traversal',
+        category: 'access-control',
+        severity: 'critical',
+        title: 'Potential path traversal vulnerability',
+        pattern: /(?:readFile|readFileSync|createReadStream|access)\s*\(\s*(?:req\.|params\.|query\.|input|user)/i,
+        description: 'File system operation with user-controlled path.',
+        recommendation: 'Validate and normalize paths. Use path.resolve with a base directory check.',
+    },
+    // Logging
+    {
+        id: 'sensitive-logging',
+        category: 'logging',
+        severity: 'medium',
+        title: 'Sensitive data in log output',
+        pattern: /console\.\w+\s*\(.*(?:password|secret|token|key|credential)/i,
+        description: 'Sensitive data may be written to logs.',
+        recommendation: 'Redact sensitive fields before logging.',
+    },
+    // Deserialization
+    {
+        id: 'unsafe-deserialize',
+        category: 'deserialization',
+        severity: 'high',
+        title: 'Unsafe deserialization',
+        pattern: /JSON\.parse\s*\(\s*(?:req\.|params\.|body|input|user)/i,
+        description: 'JSON.parse with untrusted input without validation.',
+        recommendation: 'Validate JSON schema after parsing. Consider using a schema validator like zod or ajv.',
+        testFileExempt: true,
+    },
+];
+// ============================================================================
+// Core Audit
+// ============================================================================
+export async function runSecurityAudit(opts) {
+    const projectDir = opts?.projectDir ?? process.cwd();
+    const files = opts?.files ?? [];
+    const findings = [];
+    let findingCounter = 0;
+    // Scan each file
+    for (const filePath of files) {
+        const fullPath = join(projectDir, filePath);
+        if (!existsSync(fullPath))
+            continue;
+        let content;
+        try {
+            content = readFileSync(fullPath, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const lines = content.split('\n');
+        const isTestFile = isTestPath(filePath);
+        for (const patternDef of SECURITY_PATTERNS) {
+            if (patternDef.testFileExempt && isTestFile)
+                continue;
+            for (let i = 0; i < lines.length; i++) {
+                if (patternDef.pattern.test(lines[i])) {
+                    findingCounter++;
+                    findings.push({
+                        id: `SEC-${String(findingCounter).padStart(3, '0')}`,
+                        category: patternDef.category,
+                        severity: patternDef.severity,
+                        title: patternDef.title,
+                        description: patternDef.description,
+                        file: filePath,
+                        line: i + 1,
+                        evidence: lines[i].trim().slice(0, 200),
+                        recommendation: patternDef.recommendation,
+                    });
+                    break; // One finding per pattern per file
+                }
+            }
+        }
+    }
+    // Build coverage maps
+    const owaspCoverage = buildOwaspCoverage(findings);
+    const strideCoverage = buildStrideCoverage(findings);
+    const riskScore = calculateRiskScore(findings);
+    const summary = buildSummary(findings, riskScore);
+    return { findings, owaspCoverage, strideCoverage, riskScore, summary };
+}
+// ============================================================================
+// Coverage
+// ============================================================================
+function buildOwaspCoverage(findings) {
+    const categories = [
+        'injection', 'auth', 'exposure', 'xxe', 'access-control',
+        'misconfig', 'xss', 'deserialization', 'components', 'logging',
+    ];
+    const foundCategories = new Set(findings.map(f => f.category));
+    const result = {};
+    for (const cat of categories) {
+        if (foundCategories.has(cat)) {
+            result[cat] = 'checked';
+        }
+        else {
+            result[cat] = 'not-applicable';
+        }
+    }
+    return result;
+}
+function buildStrideCoverage(findings) {
+    const categories = [
+        'spoofing', 'tampering', 'repudiation', 'info-disclosure', 'denial-of-service', 'elevation-of-privilege',
+    ];
+    // Map OWASP categories to STRIDE
+    const owaspToStride = {
+        'auth': 'spoofing',
+        'injection': 'tampering',
+        'xss': 'tampering',
+        'deserialization': 'tampering',
+        'logging': 'repudiation',
+        'exposure': 'info-disclosure',
+        'xxe': 'info-disclosure',
+        'access-control': 'elevation-of-privilege',
+        'components': 'elevation-of-privilege',
+        'misconfig': 'denial-of-service',
+    };
+    const foundStride = new Set();
+    for (const f of findings) {
+        const stride = owaspToStride[f.category];
+        if (stride)
+            foundStride.add(stride);
+    }
+    const result = {};
+    for (const cat of categories) {
+        result[cat] = foundStride.has(cat) ? 'checked' : 'not-applicable';
+    }
+    return result;
+}
+// ============================================================================
+// Risk Score
+// ============================================================================
+function calculateRiskScore(findings) {
+    if (findings.length === 0)
+        return 0;
+    const weights = {
+        critical: 25,
+        high: 15,
+        medium: 8,
+        low: 3,
+    };
+    let score = 0;
+    for (const f of findings) {
+        score += weights[f.severity];
+    }
+    return Math.min(100, score);
+}
+// ============================================================================
+// Summary
+// ============================================================================
+function buildSummary(findings, riskScore) {
+    if (findings.length === 0) {
+        return 'No security findings detected.';
+    }
+    const critical = findings.filter(f => f.severity === 'critical').length;
+    const high = findings.filter(f => f.severity === 'high').length;
+    const medium = findings.filter(f => f.severity === 'medium').length;
+    const low = findings.filter(f => f.severity === 'low').length;
+    const lines = [
+        `Security audit found ${findings.length} finding(s):`,
+        `  Critical: ${critical}, High: ${high}, Medium: ${medium}, Low: ${low}`,
+        `  Risk Score: ${riskScore}/100`,
+    ];
+    if (critical > 0) {
+        lines.push('  ⚠️  CRITICAL findings require immediate remediation before merge.');
+    }
+    return lines.join('\n');
+}
+// ============================================================================
+// Formatter
+// ============================================================================
+export function summarizeSecurityAudit(result) {
+    const lines = ['## Security Audit Result\n'];
+    if (result.findings.length === 0) {
+        lines.push('No security findings detected.');
+        return lines.join('\n');
+    }
+    lines.push(`**Risk Score:** ${result.riskScore}/100\n`);
+    const bySeverity = {
+        critical: result.findings.filter(f => f.severity === 'critical'),
+        high: result.findings.filter(f => f.severity === 'high'),
+        medium: result.findings.filter(f => f.severity === 'medium'),
+        low: result.findings.filter(f => f.severity === 'low'),
+    };
+    for (const [severity, items] of Object.entries(bySeverity)) {
+        if (items.length === 0)
+            continue;
+        const icon = severity === 'critical' ? '🔴' : severity === 'high' ? '🟠' : severity === 'medium' ? '🟡' : '🔵';
+        lines.push(`### ${icon} ${severity.toUpperCase()} (${items.length})\n`);
+        for (const f of items) {
+            lines.push(`**${f.id}: ${f.title}**`);
+            if (f.file)
+                lines.push(`  File: \`${f.file}${f.line ? `:${f.line}` : ''}\``);
+            lines.push(`  ${f.description}`);
+            lines.push(`  Recommendation: ${f.recommendation}`);
+            lines.push('');
+        }
+    }
+    // OWASP coverage
+    lines.push('### OWASP Top 10 Coverage\n');
+    for (const [cat, status] of Object.entries(result.owaspCoverage)) {
+        const icon = status === 'checked' ? '✅' : '⬜';
+        lines.push(`${icon} ${cat}`);
+    }
+    return lines.join('\n');
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+function isTestPath(path) {
+    const normalized = path.replace(/\\/g, '/');
+    return /(^|\/)(tests?|__tests__)\//i.test(normalized) ||
+        /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i.test(normalized);
+}
+//# sourceMappingURL=SecurityAudit.js.map

package/dist/workflow/SecurityAudit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurityAudit.js","sourceRoot":"","sources":["../../src/workflow/SecurityAudit.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,wDAAwD;AACxD,kDAAkD;AAElD,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAoEhC,MAAM,iBAAiB,GAAsB;IAC3C,YAAY;IACZ;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,mCAAmC;QAC1C,OAAO,EAAE,iHAAiH;QAC1H,WAAW,EAAE,kFAAkF;QAC/F,cAAc,EAAE,6DAA6D;KAC9E;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,WAAW;QACrB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,iCAAiC;QACxC,OAAO,EAAE,wFAAwF;QACjG,WAAW,EAAE,oDAAoD;QACjE,cAAc,EAAE,kGAAkG;KACnH;IAED,OAAO;IACP;QACE,EAAE,EAAE,oBAAoB;QACxB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,8BAA8B;QACrC,OAAO,EAAE,uFAAuF;QAChG,WAAW,EAAE,4CAA4C;QACzD,cAAc,EAAE,4DAA4D;QAC5E,cAAc,EAAE,IAAI;KACrB;IACD;QACE,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,8BAA8B;QACrC,OAAO,EAAE,+CAA+C;QACxD,WAAW,EAAE,uEAAuE;QACpF,cAAc,EAAE,wEAAwE;KACzF;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE,mCAAmC;QAC5C,WAAW,EAAE,sEAAsE;QACnF,cAAc,EAAE,4EAA4E;QAC5F,cAAc,EAAE,IAAI;KACrB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE,6BAA6B;QACtC,WAAW,EAAE,wDAAwD;QACrE,cAAc,EAAE,yEAAyE;QACzF,cAAc,EAAE,IAAI;KACrB;IAED,WAAW;IACX;QACE,EAAE,EAAE,sBAAsB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,OAAO,EAAE,sFAAsF;QAC/F,WAAW,EAAE,4EAA4E;QACzF,cAAc,EAAE,iFAAiF;KAClG;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wCAAwC;QAC/C,OAAO,EAAE,iGAAiG;QAC1G,WAAW,EAAE,kDAAkD;QAC/D,cAAc,EAAE,6EAA6E;KAC9F;IAED,UAAU;IACV;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,8BAA8B;QACrC,OAAO,EAAE,8DAA8D;QACvE,WAAW,EAAE,wCAAwC;QACrD,cAAc,EAAE,yCAAyC;KAC1D;IAED,kBAAkB;IAClB;QACE,EAAE,EAAE,oBAAoB;QACxB,QAAQ,EAAE,iBAAiB;QAC3B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,OAAO,EAAE,wDAAwD;QACjE,WAAW,EAAE,qDAAqD;QAClE,cAAc,EAAE,wFAAwF;QACxG,cAAc,EAAE,IAAI;KACrB;CACF,CAAA;AAED,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAmB;IACxD,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,EAAE,CAAA;IAE/B,MAAM,QAAQ,GAAsB,EAAE,CAAA;IACtC,IAAI,cAAc,GAAG,CAAC,CAAA;IAEtB,iBAAiB;IACjB,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAC3C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAQ;QAEnC,IAAI,OAAe,CAAA;QACnB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,SAAQ;QACV,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACjC,MAAM,UAAU,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;QAEvC,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,IAAI,UAAU,CAAC,cAAc,IAAI,UAAU;gBAAE,SAAQ;YAErD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtC,cAAc,EAAE,CAAA;oBAChB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,OAAO,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACpD,QAAQ,EAAE,UAAU,CAAC,QAAQ;wBAC7B,QAAQ,EAAE,UAAU,CAAC,QAAQ;wBAC7B,KAAK,EAAE,UAAU,CAAC,KAAK;wBACvB,WAAW,EAAE,UAAU,CAAC,WAAW;wBACnC,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACvC,cAAc,EAAE,UAAU,CAAC,cAAc;qBAC1C,CAAC,CAAA;oBACF,MAAK,CAAC,mCAAmC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,aAAa,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IAClD,MAAM,cAAc,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAA;IACpD,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IAE9C,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;IAEjD,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,EAAE,CAAA;AACxE,CAAC;AAED,+EAA+E;AAC/E,WAAW;AACX,+EAA+E;AAE/E,SAAS,kBAAkB,CAAC,QAA2B;IACrD,MAAM,UAAU,GAAoB;QAClC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,gBAAgB;QACxD,WAAW,EAAE,KAAK,EAAE,iBAAiB,EAAE,YAAY,EAAE,SAAS;KAC/D,CAAA;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAA;IAC9D,MAAM,MAAM,GAA+D,EAAE,CAAA;IAE7E,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAA;QACzB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAA;QAChC,CAAC;IACH,CAAC;IAED,OAAO,MAA2E,CAAA;AACpF,CAAC;AAED,SAAS,mBAAmB,CAAC,QAA2B;IACtD,MAAM,UAAU,GAAqB;QACnC,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,wBAAwB;KACzG,CAAA;IAED,iCAAiC;IACjC,MAAM,aAAa,GAAmC;QACpD,MAAM,EAAE,UAAU;QAClB,WAAW,EAAE,WAAW;QACxB,KAAK,EAAE,WAAW;QAClB,iBAAiB,EAAE,WAAW;QAC9B,SAAS,EAAE,aAAa;QACxB,UAAU,EAAE,iBAAiB;QAC7B,KAAK,EAAE,iBAAiB;QACxB,gBAAgB,EAAE,wBAAwB;QAC1C,YAAY,EAAE,wBAAwB;QACtC,WAAW,EAAE,mBAAmB;KACjC,CAAA;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAA;IAC7C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;QACxC,IAAI,MAAM;YAAE,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACrC,CAAC;IAED,MAAM,MAAM,GAA+D,EAAE,CAAA;IAC7E,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAA;IACnE,CAAC;IAED,OAAO,MAA4E,CAAA;AACrF,CAAC;AAED,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E,SAAS,kBAAkB,CAAC,QAA2B;IACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAA;IAEnC,MAAM,OAAO,GAAoC;QAC/C,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;KACP,CAAA;IAED,IAAI,KAAK,GAAG,CAAC,CAAA;IACb,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;IAC9B,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;AAC7B,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,YAAY,CAAC,QAA2B,EAAE,SAAiB;IAClE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,gCAAgC,CAAA;IACzC,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAA;IACvE,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAA;IAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAA;IACnE,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAA;IAE7D,MAAM,KAAK,GAAa;QACtB,wBAAwB,QAAQ,CAAC,MAAM,cAAc;QACrD,eAAe,QAAQ,WAAW,IAAI,aAAa,MAAM,UAAU,GAAG,EAAE;QACxE,iBAAiB,SAAS,MAAM;KACjC,CAAA;IAED,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAA;IACnF,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,UAAU,sBAAsB,CAAC,MAA2B;IAChE,MAAM,KAAK,GAAa,CAAC,4BAA4B,CAAC,CAAA;IAEtD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAA;QAC5C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,QAAQ,CAAC,CAAA;IAEvD,MAAM,UAAU,GAAG;QACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;QAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;QACxD,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC5D,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC;KACvD,CAAA;IAED,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,SAAQ;QAChC,MAAM,IAAI,GAAG,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;QAC9G,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,MAAM,KAAK,CAAC,CAAA;QAEvE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC,CAAA;YACrC,IAAI,CAAC,CAAC,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAA;YAC5E,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;YAChC,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,cAAc,EAAE,CAAC,CAAA;YACnD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAChB,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAA;IACzC,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAA;QAC7C,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAA;IAC9B,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAC3C,OAAO,6BAA6B,CAAC,IAAI,CAAC,UAAU,CAAC;QACnD,0CAA0C,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;AAC/D,CAAC"}

package/dist/workflow/SessionPreamble.d.ts

@@ -0,0 +1,19 @@
+export interface SessionPreamble {
+    sessionId: string;
+    timestamp: string;
+    gitBranch: string;
+    gitRoot: string;
+    projectSlug: string;
+    scaleVersion: string;
+    activeRunCount: number;
+    learningCount: number;
+    verificationProfile: string;
+    governanceMode: string;
+    warnings: string[];
+}
+export interface PreambleOptions {
+    projectDir?: string;
+    scaleDir?: string;
+}
+export declare function collectSessionPreamble(opts?: PreambleOptions): SessionPreamble;
+export declare function formatPreambleForAgent(preamble: SessionPreamble): string;

package/dist/workflow/SessionPreamble.js

@@ -0,0 +1,125 @@
+// SCALE Engine — Session Preamble (v0.31.0)
+// Automatic environment context collection before workflow execution.
+// Inspired by gstack's preamble pattern: collect branch, sessions, learnings, etc.
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { join, basename } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { execSync } from 'node:child_process';
+import { SCALE_ENGINE_VERSION } from '../version.js';
+// ============================================================================
+// Collector
+// ============================================================================
+export function collectSessionPreamble(opts) {
+    const projectDir = opts?.projectDir ?? process.cwd();
+    const scaleDir = opts?.scaleDir ?? '.scale';
+    const warnings = [];
+    // Git branch
+    let gitBranch = 'unknown';
+    try {
+        gitBranch = execSync('git branch --show-current', { cwd: projectDir, encoding: 'utf-8', timeout: 5000 }).trim();
+    }
+    catch {
+        warnings.push('Not in a git repository or git not available');
+    }
+    // Git root
+    let gitRoot = projectDir;
+    try {
+        gitRoot = execSync('git rev-parse --show-toplevel', { cwd: projectDir, encoding: 'utf-8', timeout: 5000 }).trim();
+    }
+    catch {
+        // Use projectDir as fallback
+    }
+    // Project slug
+    const projectSlug = deriveProjectSlug(projectDir);
+    // Active run count
+    const activeRunCount = countActiveRuns(scaleDir);
+    // Learning count
+    const learningCount = countLearnings(scaleDir, projectSlug);
+    // Verification profile
+    const verificationProfile = resolveCurrentProfile(scaleDir, projectDir);
+    // Governance mode (default)
+    const governanceMode = 'standard';
+    return {
+        sessionId: randomUUID().slice(0, 8),
+        timestamp: new Date().toISOString(),
+        gitBranch,
+        gitRoot,
+        projectSlug,
+        scaleVersion: SCALE_ENGINE_VERSION,
+        activeRunCount,
+        learningCount,
+        verificationProfile,
+        governanceMode,
+        warnings,
+    };
+}
+// ============================================================================
+// Formatter
+// ============================================================================
+export function formatPreambleForAgent(preamble) {
+    const lines = [
+        `SESSION: ${preamble.sessionId}`,
+        `BRANCH: ${preamble.gitBranch}`,
+        `PROJECT: ${preamble.projectSlug}`,
+        `SCALE_VERSION: ${preamble.scaleVersion}`,
+        `ACTIVE_RUNS: ${preamble.activeRunCount}`,
+        `LEARNINGS: ${preamble.learningCount}`,
+        `VERIFICATION_PROFILE: ${preamble.verificationProfile}`,
+        `GOVERNANCE_MODE: ${preamble.governanceMode}`,
+    ];
+    if (preamble.warnings.length > 0) {
+        lines.push(`WARNINGS: ${preamble.warnings.join('; ')}`);
+    }
+    return lines.join('\n');
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+function deriveProjectSlug(projectDir) {
+    try {
+        return basename(projectDir).replace(/[^a-zA-Z0-9-]/g, '-').toLowerCase();
+    }
+    catch {
+        return 'unknown';
+    }
+}
+function countActiveRuns(scaleDir) {
+    const runsDir = join(scaleDir, 'ai-os', 'runs');
+    if (!existsSync(runsDir))
+        return 0;
+    try {
+        return readdirSync(runsDir).filter(f => f.endsWith('.json')).length;
+    }
+    catch {
+        return 0;
+    }
+}
+function countLearnings(scaleDir, projectSlug) {
+    const learningsDir = join(scaleDir, 'learnings');
+    if (!existsSync(learningsDir))
+        return 0;
+    try {
+        const jsonlPath = join(learningsDir, `${projectSlug}.jsonl`);
+        if (!existsSync(jsonlPath))
+            return 0;
+        const content = readFileSync(jsonlPath, 'utf-8');
+        return content.split('\n').filter(line => line.trim()).length;
+    }
+    catch {
+        return 0;
+    }
+}
+function resolveCurrentProfile(scaleDir, projectDir) {
+    try {
+        const matrixPath = join(projectDir, scaleDir, 'verification-matrix.json');
+        if (existsSync(matrixPath)) {
+            const matrix = JSON.parse(readFileSync(matrixPath, 'utf-8'));
+            return matrix.defaultProfile ?? 'default';
+        }
+    }
+    catch {
+        // Ignore
+    }
+    return 'default';
+}
+//# sourceMappingURL=SessionPreamble.js.map

package/dist/workflow/SessionPreamble.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SessionPreamble.js","sourceRoot":"","sources":["../../src/workflow/SessionPreamble.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,sEAAsE;AACtE,mFAAmF;AAEnF,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAC/D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAA;AAyBpD,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,UAAU,sBAAsB,CAAC,IAAsB;IAC3D,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;IACpD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,QAAQ,CAAA;IAE3C,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,aAAa;IACb,IAAI,SAAS,GAAG,SAAS,CAAA;IACzB,IAAI,CAAC;QACH,SAAS,GAAG,QAAQ,CAAC,2BAA2B,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;IACjH,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAA;IAC/D,CAAC;IAED,WAAW;IACX,IAAI,OAAO,GAAG,UAAU,CAAA;IACxB,IAAI,CAAC;QACH,OAAO,GAAG,QAAQ,CAAC,+BAA+B,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;IACnH,CAAC;IAAC,MAAM,CAAC;QACP,6BAA6B;IAC/B,CAAC;IAED,eAAe;IACf,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAA;IAEjD,mBAAmB;IACnB,MAAM,cAAc,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IAEhD,iBAAiB;IACjB,MAAM,aAAa,GAAG,cAAc,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IAE3D,uBAAuB;IACvB,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;IAEvE,4BAA4B;IAC5B,MAAM,cAAc,GAAG,UAAU,CAAA;IAEjC,OAAO;QACL,SAAS,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS;QACT,OAAO;QACP,WAAW;QACX,YAAY,EAAE,oBAAoB;QAClC,cAAc;QACd,aAAa;QACb,mBAAmB;QACnB,cAAc;QACd,QAAQ;KACT,CAAA;AACH,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,UAAU,sBAAsB,CAAC,QAAyB;IAC9D,MAAM,KAAK,GAAa;QACtB,YAAY,QAAQ,CAAC,SAAS,EAAE;QAChC,WAAW,QAAQ,CAAC,SAAS,EAAE;QAC/B,YAAY,QAAQ,CAAC,WAAW,EAAE;QAClC,kBAAkB,QAAQ,CAAC,YAAY,EAAE;QACzC,gBAAgB,QAAQ,CAAC,cAAc,EAAE;QACzC,cAAc,QAAQ,CAAC,aAAa,EAAE;QACtC,yBAAyB,QAAQ,CAAC,mBAAmB,EAAE;QACvD,oBAAoB,QAAQ,CAAC,cAAc,EAAE;KAC9C,CAAA;IAED,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;IAC1E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IAC/C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,CAAC,CAAA;IAClC,IAAI,CAAC;QACH,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAA;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAA;IACV,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,WAAmB;IAC3D,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IAChD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,CAAC,CAAA;IACvC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,GAAG,WAAW,QAAQ,CAAC,CAAA;QAC5D,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,CAAC,CAAA;QACpC,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;QAChD,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAA;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAA;IACV,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,UAAkB;IACjE,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,0BAA0B,CAAC,CAAA;QACzE,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAgC,CAAA;YAC3F,OAAO,MAAM,CAAC,cAAc,IAAI,SAAS,CAAA;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC"}

package/dist/workflow/ShipPipeline.d.ts

@@ -0,0 +1,30 @@
+export type ShipStep = 'sync-base' | 'test' | 'review-diff' | 'bump-version' | 'changelog' | 'commit' | 'push' | 'create-pr';
+export interface ShipPipelineInput {
+    projectDir?: string;
+    scaleDir?: string;
+    baseBranch?: string;
+    remote?: string;
+    prTitle?: string;
+    prBody?: string;
+    skipSteps?: ShipStep[];
+    dryRun?: boolean;
+    versionBump?: 'patch' | 'minor' | 'major';
+}
+export interface ShipStepResult {
+    step: ShipStep;
+    status: 'passed' | 'skipped' | 'failed' | 'blocked';
+    duration: number;
+    evidence?: string;
+    error?: string;
+}
+export interface ShipPipelineResult {
+    success: boolean;
+    steps: ShipStepResult[];
+    prUrl?: string;
+    commitSha?: string;
+    totalDuration: number;
+    changedFiles: string[];
+    warnings: string[];
+}
+export declare function runShipPipeline(input: ShipPipelineInput): Promise<ShipPipelineResult>;
+export declare function summarizeShipPipeline(result: ShipPipelineResult): string;