@hstm-labs/forge-security-generator 0.1.11

package/README.md

@@ -0,0 +1,39 @@
+# @hstm-labs/forge-security-generator
+
+Security layer generation stage for Forge — produces authentication models, RBAC configurations, security middleware, input validation rules, and security headers from architecture output.
+
+## Installation
+
+```bash
+npm install @hstm-labs/forge-security-generator
+```
+
+## Public API
+
+### Types
+
+- `SecurityArtifact` — complete security layer output
+- `AuthModel` — authentication strategy and configuration
+- `RbacConfig`, `RoleDefinition`, `PermissionMapping` — role-based access control
+- `SecurityMiddleware` — middleware implementation
+- `InputValidationRule` — input validation definitions
+- `SecurityHeadersConfig`, `SecurityHeader` — HTTP security headers
+
+### Classes
+
+- `SecurityGenerateStage` — pipeline stage implementing `PipelineStage` interface
+- `SecurityOutputValidator` — validates LLM-produced security output (includes hardcoded secret scanning)
+
+## Usage
+
+```typescript
+import { SecurityGenerateStage } from '@hstm-labs/forge-security-generator';
+
+const stage = new SecurityGenerateStage();
+const result = await stage.execute(input);
+// result.data contains SecurityArtifact
+```
+
+## License
+
+[MIT](../../LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export type { SecurityArtifact, AuthModel, RbacConfig, RoleDefinition, PermissionMapping, SecurityMiddleware, InputValidationRule, SecurityHeadersConfig, SecurityHeader, } from './types.js';
+export { SecurityGenerateStage } from './security-generate-stage.js';
+export { SecurityOutputValidator } from './validator.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,gBAAgB,EAChB,SAAS,EACT,UAAU,EACV,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export { SecurityGenerateStage } from './security-generate-stage.js';
+export { SecurityOutputValidator } from './validator.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/security-generate-stage.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Security generation pipeline stage.
+ *
+ * Produces authentication middleware, RBAC rules, security middleware,
+ * input validation schemas, and security headers configuration from
+ * specification requirements, API endpoints, architecture, and
+ * technology profile. Follows the stage implementation pattern
+ * established by prior generation stages.
+ *
+ * In API mode, renders prompt templates, calls the LLM via
+ * {@link ApiStageExecutor}, validates the output, unpacks individual
+ * files, and returns the parsed {@link SecurityArtifact} in the
+ * stage output data.
+ *
+ * In agent mode, the pipeline runner intercepts before calling
+ * `execute()` and exports a prompt via {@link AgentStageExecutor}.
+ */
+import type { StageName } from '@hstm-labs/forge-common';
+import type { PipelineStage, PipelineStageInput, PipelineStageOutput, PipelineContext, AgentPromptContext } from '@hstm-labs/forge-core';
+/**
+ * Pipeline stage that generates the security layer.
+ *
+ * Produces a {@link SecurityArtifact} containing auth model, RBAC
+ * configuration, security middleware, input validation, and security
+ * headers. Each element is written as a separate file artifact.
+ *
+ * @example
+ * ```ts
+ * const stage = new SecurityGenerateStage();
+ * const output = await stage.execute(input, context);
+ * const security = output.data?.security as SecurityArtifact;
+ * ```
+ */
+export declare class SecurityGenerateStage implements PipelineStage {
+    readonly name: StageName;
+    readonly dependsOn: StageName[];
+    readonly requiresLLM = true;
+    /**
+     * Return rendered agent-mode prompt context using `security-generate-agent.hbs`.
+     *
+     * @param input - Input from prior stages
+     * @param context - Pipeline context with config, workspace, and runId
+     * @returns Agent prompt context with rendered template and output schema
+     */
+    getAgentContext(input: PipelineStageInput, context: PipelineContext): AgentPromptContext;
+    /**
+     * Execute the security generation stage.
+     *
+     * @param input - Input from prior stages (expects validate + architect + services-generate output)
+     * @param context - Pipeline context with config, workspace, and adapter
+     * @returns Stage output with security artifacts and parsed SecurityArtifact in data
+     * @throws {ForgeError} FORGE-PIPE-003 if dependency stage output is missing
+     * @throws {ForgeError} FORGE-PIPE-001 if adapter is missing
+     * @throws {ForgeError} FORGE-GEN-003 if max retries exhausted
+     */
+    execute(input: PipelineStageInput, context: PipelineContext): Promise<PipelineStageOutput>;
+}
+//# sourceMappingURL=security-generate-stage.d.ts.map

package/dist/security-generate-stage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-generate-stage.d.ts","sourceRoot":"","sources":["../src/security-generate-stage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAEzD,OAAO,KAAK,EACV,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EAEf,kBAAkB,EACnB,MAAM,uBAAuB,CAAC;AAW/B;;;;;;;;;;;;;GAaG;AACH,qBAAa,qBAAsB,YAAW,aAAa;IACzD,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAuB;IAC/C,QAAQ,CAAC,SAAS,EAAE,SAAS,EAAE,CAAsC;IACrE,QAAQ,CAAC,WAAW,QAAQ;IAE5B;;;;;;OAMG;IACH,eAAe,CACb,KAAK,EAAE,kBAAkB,EACzB,OAAO,EAAE,eAAe,GACvB,kBAAkB;IA4CrB;;;;;;;;;OASG;IACG,OAAO,CACX,KAAK,EAAE,kBAAkB,EACzB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,mBAAmB,CAAC;CAoLhC"}

package/dist/security-generate-stage.js

@@ -0,0 +1,195 @@
+/**
+ * Security generation pipeline stage.
+ *
+ * Produces authentication middleware, RBAC rules, security middleware,
+ * input validation schemas, and security headers configuration from
+ * specification requirements, API endpoints, architecture, and
+ * technology profile. Follows the stage implementation pattern
+ * established by prior generation stages.
+ *
+ * In API mode, renders prompt templates, calls the LLM via
+ * {@link ApiStageExecutor}, validates the output, unpacks individual
+ * files, and returns the parsed {@link SecurityArtifact} in the
+ * stage output data.
+ *
+ * In agent mode, the pipeline runner intercepts before calling
+ * `execute()` and exports a prompt via {@link AgentStageExecutor}.
+ */
+import { join, dirname } from 'node:path';
+import { writeFileSync, mkdirSync } from 'node:fs';
+import { ForgeError, ErrorCodes, hashContent } from '@hstm-labs/forge-common';
+import { ApiStageExecutor } from '@hstm-labs/forge-core';
+import { loadProfile } from '@hstm-labs/forge-profiles';
+import { loadTemplate, renderTemplate } from '@hstm-labs/forge-templates';
+import { SecurityOutputValidator } from './validator.js';
+/**
+ * Pipeline stage that generates the security layer.
+ *
+ * Produces a {@link SecurityArtifact} containing auth model, RBAC
+ * configuration, security middleware, input validation, and security
+ * headers. Each element is written as a separate file artifact.
+ *
+ * @example
+ * ```ts
+ * const stage = new SecurityGenerateStage();
+ * const output = await stage.execute(input, context);
+ * const security = output.data?.security as SecurityArtifact;
+ * ```
+ */
+export class SecurityGenerateStage {
+    name = 'security-generate';
+    dependsOn = ['architect', 'services-generate'];
+    requiresLLM = true;
+    /**
+     * Return rendered agent-mode prompt context using `security-generate-agent.hbs`.
+     *
+     * @param input - Input from prior stages
+     * @param context - Pipeline context with config, workspace, and runId
+     * @returns Agent prompt context with rendered template and output schema
+     */
+    getAgentContext(input, context) {
+        const parsedSpec = input['validate']?.data?.['parsedSpec'];
+        const architecture = input['architect']?.data?.['architecture'];
+        const api = input['services-generate']?.data?.['api'];
+        const profile = loadProfile(context.config.profileName, context.workspace.rootDir);
+        const outputDir = join(context.workspace.forgeDir, 'runs', context.runId, 'stages', 'security-generate', 'artifacts');
+        const agentTemplate = loadTemplate('security-generate-agent', context.workspace.rootDir);
+        const rendered = renderTemplate(agentTemplate, {
+            spec: (parsedSpec ?? {}),
+            profile: profile,
+            architecture: (architecture ?? {}),
+            api: (api ?? {}),
+            stage: { outputDir },
+        });
+        return {
+            prompt: rendered.content,
+            outputSchema: { format: 'json' },
+        };
+    }
+    /**
+     * Execute the security generation stage.
+     *
+     * @param input - Input from prior stages (expects validate + architect + services-generate output)
+     * @param context - Pipeline context with config, workspace, and adapter
+     * @returns Stage output with security artifacts and parsed SecurityArtifact in data
+     * @throws {ForgeError} FORGE-PIPE-003 if dependency stage output is missing
+     * @throws {ForgeError} FORGE-PIPE-001 if adapter is missing
+     * @throws {ForgeError} FORGE-GEN-003 if max retries exhausted
+     */
+    async execute(input, context) {
+        // 1. Get parsed spec from validate stage output
+        const validateOutput = input['validate'];
+        if (validateOutput === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.DEPENDENCY_UNMET, "Security generate stage requires 'validate' stage output, but it was not found. " +
+                'Ensure the validate stage runs before the security-generate stage.');
+        }
+        const parsedSpec = validateOutput.data?.['parsedSpec'];
+        if (parsedSpec === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.STAGE_FAILURE, 'Validate stage did not produce a parsed specification in its output data. ' +
+                'Ensure the validate stage includes parsedSpec in its data output.');
+        }
+        // 2. Get architecture from architect stage output
+        const architectOutput = input['architect'];
+        if (architectOutput === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.DEPENDENCY_UNMET, "Security generate stage requires 'architect' stage output, but it was not found. " +
+                'Ensure the architect stage runs before the security-generate stage.');
+        }
+        const architecture = architectOutput.data?.['architecture'];
+        if (architecture === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.STAGE_FAILURE, 'Architect stage did not produce an architecture in its output data. ' +
+                'Ensure the architect stage includes architecture in its data output.');
+        }
+        // 3. Get API artifact from services-generate stage output
+        const servicesGenerateOutput = input['services-generate'];
+        if (servicesGenerateOutput === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.DEPENDENCY_UNMET, "Security generate stage requires 'services-generate' stage output, but it was not found. " +
+                'Ensure the services-generate stage runs before the security-generate stage.');
+        }
+        const api = servicesGenerateOutput.data?.['api'];
+        if (api === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.STAGE_FAILURE, 'Services generate stage did not produce an API artifact in its output data. ' +
+                'Ensure the services-generate stage includes api in its data output.');
+        }
+        // 4. Load profile
+        const profile = loadProfile(context.config.profileName, context.workspace.rootDir);
+        // 5. Compute output directory
+        const outputDir = join(context.workspace.forgeDir, 'runs', context.runId, 'stages', 'security-generate', 'artifacts');
+        // 6. Load and render templates
+        const systemTemplate = loadTemplate('security-generate-system', context.workspace.rootDir);
+        const userTemplate = loadTemplate('security-generate-user', context.workspace.rootDir);
+        const templateContext = {
+            spec: parsedSpec,
+            profile: profile,
+            architecture: architecture,
+            api: api,
+            stage: {
+                outputDir,
+            },
+        };
+        const systemPrompt = renderTemplate(systemTemplate, templateContext);
+        const userPrompt = renderTemplate(userTemplate, templateContext);
+        // 7. Execute via API mode StageExecutor
+        if (context.adapter === undefined) {
+            throw new ForgeError(ErrorCodes.PIPE.STAGE_FAILURE, 'Security generate stage requires an LLM adapter in API mode, but none was provided. ' +
+                'Configure an LLM provider in forge.config.json or use agent mode.');
+        }
+        const entityNames = architecture.dataModel.map((e) => e.name);
+        const validator = new SecurityOutputValidator(entityNames);
+        const executor = new ApiStageExecutor({
+            adapter: context.adapter,
+            validator,
+            retryPolicy: {
+                maxRetries: 3,
+                backoffMs: 1000,
+                includeErrorInRetry: true,
+            },
+        });
+        const result = await executor.execute({
+            prompt: userPrompt.content,
+            systemPrompt: systemPrompt.content,
+            stageName: 'security-generate',
+            outputDir,
+            runId: context.runId,
+            mode: 'api',
+            outputSchema: { format: 'json' },
+        });
+        // 8. Parse SecurityArtifact from LLM output
+        const rawContent = result.artifacts[0]?.content ?? '';
+        const securityArtifact = JSON.parse(rawContent);
+        // 9. Write individual files to artifacts directory
+        const artifacts = [];
+        const writeArtifact = (filePath, content) => {
+            const fullPath = join(outputDir, filePath);
+            mkdirSync(dirname(fullPath), { recursive: true });
+            writeFileSync(fullPath, content, 'utf-8');
+            artifacts.push({
+                filePath,
+                content,
+                contentHash: hashContent(content),
+                sizeBytes: Buffer.byteLength(content, 'utf-8'),
+            });
+        };
+        // Auth model
+        writeArtifact(securityArtifact.authModel.fileName, securityArtifact.authModel.content);
+        // RBAC middleware
+        writeArtifact(securityArtifact.rbac.fileName, securityArtifact.rbac.content);
+        // Security middleware files
+        for (const mw of securityArtifact.middleware) {
+            writeArtifact(mw.fileName, mw.content);
+        }
+        // Input validation files
+        for (const rule of securityArtifact.inputValidation) {
+            writeArtifact(rule.fileName, rule.content);
+        }
+        // Security headers config
+        writeArtifact(securityArtifact.securityHeaders.fileName, securityArtifact.securityHeaders.content);
+        // 10. Return PipelineStageOutput with all artifacts and data
+        return {
+            artifacts,
+            data: {
+                security: securityArtifact,
+            },
+        };
+    }
+}
+//# sourceMappingURL=security-generate-stage.js.map

package/dist/security-generate-stage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-generate-stage.js","sourceRoot":"","sources":["../src/security-generate-stage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEnD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAS9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAG1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAc,mBAAmB,CAAC;IACtC,SAAS,GAAgB,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IAC5D,WAAW,GAAG,IAAI,CAAC;IAE5B;;;;;;OAMG;IACH,eAAe,CACb,KAAyB,EACzB,OAAwB;QAExB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,CAAC,YAAY,CAE5C,CAAC;QACd,MAAM,YAAY,GAAG,KAAK,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,CAAC,cAAc,CAEjD,CAAC;QACd,MAAM,GAAG,GAAG,KAAK,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAEvC,CAAC;QAEd,MAAM,OAAO,GAAG,WAAW,CACzB,OAAO,CAAC,MAAM,CAAC,WAAW,EAC1B,OAAO,CAAC,SAAS,CAAC,OAAO,CAC1B,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CACpB,OAAO,CAAC,SAAS,CAAC,QAAQ,EAC1B,MAAM,EACN,OAAO,CAAC,KAAK,EACb,QAAQ,EACR,mBAAmB,EACnB,WAAW,CACZ,CAAC;QAEF,MAAM,aAAa,GAAG,YAAY,CAChC,yBAAyB,EACzB,OAAO,CAAC,SAAS,CAAC,OAAO,CAC1B,CAAC;QAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,aAAa,EAAE;YAC7C,IAAI,EAAE,CAAC,UAAU,IAAI,EAAE,CAAuC;YAC9D,OAAO,EAAE,OAA6C;YACtD,YAAY,EAAE,CAAC,YAAY,IAAI,EAAE,CAAuC;YACxE,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,CAAuC;YACtD,KAAK,EAAE,EAAE,SAAS,EAAE;SACrB,CAAC,CAAC;QAEH,OAAO;YACL,MAAM,EAAE,QAAQ,CAAC,OAAO;YACxB,YAAY,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;SACjC,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,OAAO,CACX,KAAyB,EACzB,OAAwB;QAExB,gDAAgD;QAChD,MAAM,cAAc,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,gBAAgB,EAChC,kFAAkF;gBAChF,oEAAoE,CACvE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,YAAY,CAExC,CAAC;QACd,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,aAAa,EAC7B,4EAA4E;gBAC1E,mEAAmE,CACtE,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,gBAAgB,EAChC,mFAAmF;gBACjF,qEAAqE,CACxE,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,EAAE,CAAC,cAAc,CAE7C,CAAC;QACd,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,aAAa,EAC7B,sEAAsE;gBACpE,sEAAsE,CACzE,CAAC;QACJ,CAAC;QAED,0DAA0D;QAC1D,MAAM,sBAAsB,GAAG,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC1D,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;YACzC,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,gBAAgB,EAChC,2FAA2F;gBACzF,6EAA6E,CAChF,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,sBAAsB,CAAC,IAAI,EAAE,CAAC,KAAK,CAElC,CAAC;QACd,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,aAAa,EAC7B,8EAA8E;gBAC5E,qEAAqE,CACxE,CAAC;QACJ,CAAC;QAED,kBAAkB;QAClB,MAAM,OAAO,GAAG,WAAW,CACzB,OAAO,CAAC,MAAM,CAAC,WAAW,EAC1B,OAAO,CAAC,SAAS,CAAC,OAAO,CAC1B,CAAC;QAEF,8BAA8B;QAC9B,MAAM,SAAS,GAAG,IAAI,CACpB,OAAO,CAAC,SAAS,CAAC,QAAQ,EAC1B,MAAM,EACN,OAAO,CAAC,KAAK,EACb,QAAQ,EACR,mBAAmB,EACnB,WAAW,CACZ,CAAC;QAEF,+BAA+B;QAC/B,MAAM,cAAc,GAAG,YAAY,CACjC,0BAA0B,EAC1B,OAAO,CAAC,SAAS,CAAC,OAAO,CAC1B,CAAC;QACF,MAAM,YAAY,GAAG,YAAY,CAC/B,wBAAwB,EACxB,OAAO,CAAC,SAAS,CAAC,OAAO,CAC1B,CAAC;QAEF,MAAM,eAAe,GAAG;YACtB,IAAI,EAAE,UAAgD;YACtD,OAAO,EAAE,OAA6C;YACtD,YAAY,EAAE,YAAkD;YAChE,GAAG,EAAE,GAAyC;YAC9C,KAAK,EAAE;gBACL,SAAS;aACV;SACF,CAAC;QAEF,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;QACrE,MAAM,UAAU,GAAG,cAAc,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;QAEjE,wCAAwC;QACxC,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,UAAU,CAClB,UAAU,CAAC,IAAI,CAAC,aAAa,EAC7B,sFAAsF;gBACpF,mEAAmE,CACtE,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC,WAAW,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,IAAI,gBAAgB,CAAC;YACpC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,SAAS;YACT,WAAW,EAAE;gBACX,UAAU,EAAE,CAAC;gBACb,SAAS,EAAE,IAAI;gBACf,mBAAmB,EAAE,IAAI;aAC1B;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;YACpC,MAAM,EAAE,UAAU,CAAC,OAAO;YAC1B,YAAY,EAAE,YAAY,CAAC,OAAO;YAClC,SAAS,EAAE,mBAAmB;YAC9B,SAAS;YACT,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,KAAK;YACX,YAAY,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;SACjC,CAAC,CAAC;QAEH,4CAA4C;QAC5C,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC;QACtD,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAqB,CAAC;QAEpE,mDAAmD;QACnD,MAAM,SAAS,GAAoB,EAAE,CAAC;QAEtC,MAAM,aAAa,GAAG,CAAC,QAAgB,EAAE,OAAe,EAAQ,EAAE;YAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAC3C,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAClD,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAC1C,SAAS,CAAC,IAAI,CAAC;gBACb,QAAQ;gBACR,OAAO;gBACP,WAAW,EAAE,WAAW,CAAC,OAAO,CAAC;gBACjC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC;aAC/C,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,aAAa;QACb,aAAa,CAAC,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAEvF,kBAAkB;QAClB,aAAa,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE7E,4BAA4B;QAC5B,KAAK,MAAM,EAAE,IAAI,gBAAgB,CAAC,UAAU,EAAE,CAAC;YAC7C,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC;QACzC,CAAC;QAED,yBAAyB;QACzB,KAAK,MAAM,IAAI,IAAI,gBAAgB,CAAC,eAAe,EAAE,CAAC;YACpD,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7C,CAAC;QAED,0BAA0B;QAC1B,aAAa,CAAC,gBAAgB,CAAC,eAAe,CAAC,QAAQ,EAAE,gBAAgB,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAEnG,6DAA6D;QAC7D,OAAO;YACL,SAAS;YACT,IAAI,EAAE;gBACJ,QAAQ,EAAE,gBAAgB;aAC3B;SACF,CAAC;IACJ,CAAC;CACF"}

package/dist/types.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Security artifact type definitions for the Forge security generation stage.
+ *
+ * Defines the output schema produced by the security generation stage,
+ * including authentication, RBAC, middleware, input validation, and
+ * security headers.
+ */
+/** Complete security layer output produced by the security-generate stage. */
+export interface SecurityArtifact {
+    /** Authentication model. */
+    authModel: AuthModel;
+    /** Role-based access control definitions. */
+    rbac: RbacConfig;
+    /** Security middleware implementations. */
+    middleware: SecurityMiddleware[];
+    /** Input validation schemas/rules. */
+    inputValidation: InputValidationRule[];
+    /** Security headers configuration. */
+    securityHeaders: SecurityHeadersConfig;
+}
+/** Authentication model configuration. */
+export interface AuthModel {
+    /** Auth strategy (e.g., "jwt", "session", "oauth2", "none"). */
+    strategy: string;
+    /** Auth implementation file. */
+    fileName: string;
+    /** File content (source code). */
+    content: string;
+    /** Description. */
+    description: string;
+}
+/** Role-based access control configuration. */
+export interface RbacConfig {
+    /** Defined roles. */
+    roles: RoleDefinition[];
+    /** Permission mappings (role → endpoint permissions). */
+    permissions: PermissionMapping[];
+    /** RBAC middleware/guard file. */
+    fileName: string;
+    /** File content. */
+    content: string;
+}
+/** A role definition. */
+export interface RoleDefinition {
+    /** Role name (e.g., "admin", "user", "guest"). */
+    name: string;
+    /** Description. */
+    description: string;
+}
+/** A permission mapping from role to allowed endpoints. */
+export interface PermissionMapping {
+    /** Role name. */
+    role: string;
+    /** Allowed endpoint patterns (e.g., "GET /api/pets", "* /api/admin/*"). */
+    allowedEndpoints: string[];
+}
+/** A security middleware implementation. */
+export interface SecurityMiddleware {
+    /** Middleware name (e.g., "authGuard", "rateLimiter", "cors"). */
+    name: string;
+    /** File name. */
+    fileName: string;
+    /** File content. */
+    content: string;
+    /** Description. */
+    description: string;
+}
+/** An input validation rule for an entity or endpoint. */
+export interface InputValidationRule {
+    /** Entity or endpoint this validation covers. */
+    target: string;
+    /** Validation type (e.g., "request-body", "query-params", "path-params"). */
+    type: string;
+    /** File name. */
+    fileName: string;
+    /** File content. */
+    content: string;
+}
+/** Security headers configuration. */
+export interface SecurityHeadersConfig {
+    /** Headers configuration file. */
+    fileName: string;
+    /** File content. */
+    content: string;
+    /** Headers applied. */
+    headers: SecurityHeader[];
+}
+/** A single security header definition. */
+export interface SecurityHeader {
+    /** Header name. */
+    name: string;
+    /** Header value. */
+    value: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,8EAA8E;AAC9E,MAAM,WAAW,gBAAgB;IAC/B,4BAA4B;IAC5B,SAAS,EAAE,SAAS,CAAC;IACrB,6CAA6C;IAC7C,IAAI,EAAE,UAAU,CAAC;IACjB,2CAA2C;IAC3C,UAAU,EAAE,kBAAkB,EAAE,CAAC;IACjC,sCAAsC;IACtC,eAAe,EAAE,mBAAmB,EAAE,CAAC;IACvC,sCAAsC;IACtC,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAMD,0CAA0C;AAC1C,MAAM,WAAW,SAAS;IACxB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAMD,+CAA+C;AAC/C,MAAM,WAAW,UAAU;IACzB,qBAAqB;IACrB,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,yDAAyD;IACzD,WAAW,EAAE,iBAAiB,EAAE,CAAC;IACjC,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,yBAAyB;AACzB,MAAM,WAAW,cAAc;IAC7B,kDAAkD;IAClD,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,2DAA2D;AAC3D,MAAM,WAAW,iBAAiB;IAChC,iBAAiB;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAMD,4CAA4C;AAC5C,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAMD,0DAA0D;AAC1D,MAAM,WAAW,mBAAmB;IAClC,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,6EAA6E;IAC7E,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB;AAMD,sCAAsC;AACtC,MAAM,WAAW,qBAAqB;IACpC,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,uBAAuB;IACvB,OAAO,EAAE,cAAc,EAAE,CAAC;CAC3B;AAED,2CAA2C;AAC3C,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;CACf"}

package/dist/types.js

@@ -0,0 +1,9 @@
+/**
+ * Security artifact type definitions for the Forge security generation stage.
+ *
+ * Defines the output schema produced by the security generation stage,
+ * including authentication, RBAC, middleware, input validation, and
+ * security headers.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/validator.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Security output validator for the Forge security generation stage.
+ *
+ * Validates LLM-generated security output against the
+ * {@link SecurityArtifact} schema with structural, semantic, and
+ * security checks.
+ */
+import type { OutputValidator, OutputSchema, ValidationResult } from '@hstm-labs/forge-core';
+/**
+ * Validator for security generation stage output.
+ *
+ * Performs the following checks:
+ * 1. JSON parse validation
+ * 2. Required top-level keys
+ * 3. AuthModel has strategy, fileName, content
+ * 4. RBAC has non-empty roles and permissions arrays
+ * 5. Middleware is non-empty array
+ * 6. Security check: scan content for hardcoded secrets
+ * 7. SecurityHeaders has non-empty headers array
+ *
+ * @example
+ * ```ts
+ * const validator = new SecurityOutputValidator(['User', 'Post']);
+ * const result = validator.validate(llmOutput, { format: 'json' });
+ * ```
+ */
+export declare class SecurityOutputValidator implements OutputValidator {
+    private readonly entityNames;
+    /**
+     * @param entityNames - Entity names for endpoint coverage reference
+     */
+    constructor(entityNames: string[]);
+    /**
+     * Validate security output against the SecurityArtifact schema.
+     *
+     * @param output - Raw LLM output text
+     * @param _schema - Output schema (format expected to be 'json')
+     * @returns Validation result with descriptive errors
+     */
+    validate(output: string, _schema: OutputSchema): ValidationResult;
+    /**
+     * Recursively scan all string fields for hardcoded secret patterns.
+     * Best-effort check, not exhaustive.
+     */
+    private scanForSecrets;
+}
+//# sourceMappingURL=validator.d.ts.map

package/dist/validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,YAAY,EACZ,gBAAgB,EAEjB,MAAM,uBAAuB,CAAC;AA0B/B;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAW;IAEvC;;OAEG;gBACS,WAAW,EAAE,MAAM,EAAE;IAIjC;;;;;;OAMG;IAEH,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,gBAAgB;IAyIjE;;;OAGG;IACH,OAAO,CAAC,cAAc;CA2BvB"}

package/dist/validator.js

@@ -0,0 +1,219 @@
+/**
+ * Security output validator for the Forge security generation stage.
+ *
+ * Validates LLM-generated security output against the
+ * {@link SecurityArtifact} schema with structural, semantic, and
+ * security checks.
+ */
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const REQUIRED_TOP_LEVEL_KEYS = [
+    'authModel',
+    'rbac',
+    'middleware',
+    'inputValidation',
+    'securityHeaders',
+];
+/**
+ * Best-effort regex patterns to detect hardcoded secrets in content.
+ * Matches values that look like real credentials rather than placeholders.
+ */
+const HARDCODED_SECRET_PATTERNS = [
+    /(?:password|passwd|secret|api_key|apikey|token|auth)\s*[=:]\s*["']?(?!(\$\{|<|CHANGEME|changeme|placeholder|your_|TODO|xxx|process\.env))[A-Za-z0-9!@#$%^&*]{8,}["']?/i,
+];
+// ---------------------------------------------------------------------------
+// Implementation
+// ---------------------------------------------------------------------------
+/**
+ * Validator for security generation stage output.
+ *
+ * Performs the following checks:
+ * 1. JSON parse validation
+ * 2. Required top-level keys
+ * 3. AuthModel has strategy, fileName, content
+ * 4. RBAC has non-empty roles and permissions arrays
+ * 5. Middleware is non-empty array
+ * 6. Security check: scan content for hardcoded secrets
+ * 7. SecurityHeaders has non-empty headers array
+ *
+ * @example
+ * ```ts
+ * const validator = new SecurityOutputValidator(['User', 'Post']);
+ * const result = validator.validate(llmOutput, { format: 'json' });
+ * ```
+ */
+export class SecurityOutputValidator {
+    entityNames;
+    /**
+     * @param entityNames - Entity names for endpoint coverage reference
+     */
+    constructor(entityNames) {
+        this.entityNames = entityNames;
+    }
+    /**
+     * Validate security output against the SecurityArtifact schema.
+     *
+     * @param output - Raw LLM output text
+     * @param _schema - Output schema (format expected to be 'json')
+     * @returns Validation result with descriptive errors
+     */
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    validate(output, _schema) {
+        const errors = [];
+        // 1. Parse as JSON
+        let parsed;
+        try {
+            parsed = JSON.parse(output);
+        }
+        catch {
+            errors.push({
+                message: 'Security output is not valid JSON. Ensure the LLM produces only raw JSON without markdown fences or explanatory text.',
+                severity: 'error',
+            });
+            return { valid: false, errors };
+        }
+        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+            errors.push({
+                message: 'Security output must be a JSON object, not an array or primitive.',
+                severity: 'error',
+            });
+            return { valid: false, errors };
+        }
+        const obj = parsed;
+        // 2. Verify required top-level keys
+        for (const key of REQUIRED_TOP_LEVEL_KEYS) {
+            if (!(key in obj)) {
+                errors.push({
+                    message: `Missing required top-level key: '${key}'.`,
+                    path: key,
+                    severity: 'error',
+                });
+            }
+        }
+        if (errors.length > 0) {
+            return { valid: false, errors };
+        }
+        // 3. Verify authModel has strategy, fileName, content
+        const authModel = obj['authModel'];
+        if (typeof authModel !== 'object' || authModel === null || Array.isArray(authModel)) {
+            errors.push({
+                message: "Key 'authModel' must be an object.",
+                path: 'authModel',
+                severity: 'error',
+            });
+        }
+        else {
+            const auth = authModel;
+            if (typeof auth['strategy'] !== 'string' || auth['strategy'].length === 0) {
+                errors.push({
+                    message: "authModel is missing required field 'strategy'.",
+                    path: 'authModel.strategy',
+                    severity: 'error',
+                });
+            }
+            if (typeof auth['fileName'] !== 'string' || auth['fileName'].length === 0) {
+                errors.push({
+                    message: "authModel is missing required field 'fileName'.",
+                    path: 'authModel.fileName',
+                    severity: 'error',
+                });
+            }
+            if (typeof auth['content'] !== 'string' || auth['content'].length === 0) {
+                errors.push({
+                    message: "authModel is missing required field 'content'.",
+                    path: 'authModel.content',
+                    severity: 'error',
+                });
+            }
+        }
+        // 4. Verify RBAC has non-empty roles and permissions
+        const rbac = obj['rbac'];
+        if (typeof rbac !== 'object' || rbac === null || Array.isArray(rbac)) {
+            errors.push({
+                message: "Key 'rbac' must be an object.",
+                path: 'rbac',
+                severity: 'error',
+            });
+        }
+        else {
+            const r = rbac;
+            if (!Array.isArray(r['roles']) || r['roles'].length === 0) {
+                errors.push({
+                    message: "RBAC 'roles' must be a non-empty array.",
+                    path: 'rbac.roles',
+                    severity: 'error',
+                });
+            }
+            if (!Array.isArray(r['permissions']) || r['permissions'].length === 0) {
+                errors.push({
+                    message: "RBAC 'permissions' must be a non-empty array.",
+                    path: 'rbac.permissions',
+                    severity: 'error',
+                });
+            }
+        }
+        // 5. Verify middleware is non-empty array
+        const middleware = obj['middleware'];
+        if (!Array.isArray(middleware) || middleware.length === 0) {
+            errors.push({
+                message: "Key 'middleware' must be a non-empty array — at least an auth guard is required.",
+                path: 'middleware',
+                severity: 'error',
+            });
+        }
+        // 6. Security check: scan content for hardcoded secrets
+        this.scanForSecrets(obj, errors);
+        // 7. Verify securityHeaders has non-empty headers array
+        const securityHeaders = obj['securityHeaders'];
+        if (typeof securityHeaders !== 'object' || securityHeaders === null || Array.isArray(securityHeaders)) {
+            errors.push({
+                message: "Key 'securityHeaders' must be an object.",
+                path: 'securityHeaders',
+                severity: 'error',
+            });
+        }
+        else {
+            const sh = securityHeaders;
+            if (!Array.isArray(sh['headers']) || sh['headers'].length === 0) {
+                errors.push({
+                    message: "securityHeaders 'headers' must be a non-empty array.",
+                    path: 'securityHeaders.headers',
+                    severity: 'error',
+                });
+            }
+        }
+        return { valid: errors.length === 0, errors };
+    }
+    /**
+     * Recursively scan all string fields for hardcoded secret patterns.
+     * Best-effort check, not exhaustive.
+     */
+    scanForSecrets(obj, errors) {
+        for (const [key, value] of Object.entries(obj)) {
+            if (typeof value === 'string') {
+                for (const pattern of HARDCODED_SECRET_PATTERNS) {
+                    if (pattern.test(value)) {
+                        errors.push({
+                            message: `Potential hardcoded secret detected in field '${key}'. Use environment variable references (process.env.*) instead.`,
+                            path: key,
+                            severity: 'error',
+                        });
+                        break;
+                    }
+                }
+            }
+            else if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (typeof item === 'object' && item !== null && !Array.isArray(item)) {
+                        this.scanForSecrets(item, errors);
+                    }
+                }
+            }
+            else if (typeof value === 'object' && value !== null) {
+                this.scanForSecrets(value, errors);
+            }
+        }
+    }
+}
+//# sourceMappingURL=validator.js.map

package/dist/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,uBAAuB,GAAG;IAC9B,WAAW;IACX,MAAM;IACN,YAAY;IACZ,iBAAiB;IACjB,iBAAiB;CACT,CAAC;AAEX;;;GAGG;AACH,MAAM,yBAAyB,GAAa;IAC1C,wKAAwK;CACzK,CAAC;AAEF,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,uBAAuB;IACjB,WAAW,CAAW;IAEvC;;OAEG;IACH,YAAY,WAAqB;QAC/B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;IACjC,CAAC;IAED;;;;;;OAMG;IACH,6DAA6D;IAC7D,QAAQ,CAAC,MAAc,EAAE,OAAqB;QAC5C,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,mBAAmB;QACnB,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EACL,uHAAuH;gBACzH,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3E,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EACL,mEAAmE;gBACrE,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,MAAM,GAAG,GAAG,MAAiC,CAAC;QAE9C,oCAAoC;QACpC,KAAK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,oCAAoC,GAAG,IAAI;oBACpD,IAAI,EAAE,GAAG;oBACT,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,sDAAsD;QACtD,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;QACnC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YACpF,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,oCAAoC;gBAC7C,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAG,SAAoC,CAAC;YAClD,IAAI,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ,IAAK,IAAI,CAAC,UAAU,CAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtF,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,iDAAiD;oBAC1D,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,QAAQ,IAAK,IAAI,CAAC,UAAU,CAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtF,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,iDAAiD;oBAC1D,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,QAAQ,IAAK,IAAI,CAAC,SAAS,CAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACpF,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,gDAAgD;oBACzD,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACrE,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,+BAA+B;gBACxC,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,IAA+B,CAAC;YAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAK,CAAC,CAAC,OAAO,CAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzE,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,yCAAyC;oBAClD,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAK,CAAC,CAAC,aAAa,CAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrF,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,+CAA+C;oBACxD,IAAI,EAAE,kBAAkB;oBACxB,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EACL,kFAAkF;gBACpF,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAEjC,wDAAwD;QACxD,MAAM,eAAe,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/C,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YACtG,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,0CAA0C;gBACnD,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAG,eAA0C,CAAC;YACtD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,IAAK,EAAE,CAAC,SAAS,CAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/E,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,sDAAsD;oBAC/D,IAAI,EAAE,yBAAyB;oBAC/B,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACK,cAAc,CACpB,GAA4B,EAC5B,MAAyB;QAEzB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,KAAK,MAAM,OAAO,IAAI,yBAAyB,EAAE,CAAC;oBAChD,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;wBACxB,MAAM,CAAC,IAAI,CAAC;4BACV,OAAO,EAAE,iDAAiD,GAAG,iEAAiE;4BAC9H,IAAI,EAAE,GAAG;4BACT,QAAQ,EAAE,OAAO;yBAClB,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;wBACtE,IAAI,CAAC,cAAc,CAAC,IAA+B,EAAE,MAAM,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACvD,IAAI,CAAC,cAAc,CAAC,KAAgC,EAAE,MAAM,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@hstm-labs/forge-security-generator",
+  "version": "0.1.11",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@hstm-labs/forge-common": "0.1.11",
+    "@hstm-labs/forge-core": "0.1.11",
+    "@hstm-labs/forge-architect": "0.1.11",
+    "@hstm-labs/forge-services-generator": "0.1.11",
+    "@hstm-labs/forge-spec-parser": "0.1.11",
+    "@hstm-labs/forge-profiles": "0.1.11",
+    "@hstm-labs/forge-templates": "0.1.11"
+  }
+}