@jigyasudham/veto 0.8.0

package/src/agents/security/scanner.ts

@@ -0,0 +1,322 @@
+import type { AgentPlan, AgentAnalysis, AgentFinding, FindingSeverity } from '../types.js';
+
+export function plan(task: string, context?: string): AgentPlan {
+  return {
+    agent: 'security-scanner',
+    task,
+    tier: 2,
+    approach:
+      'Apply OWASP Top 10 methodology: enumerate attack surface, check each category ' +
+      'systematically, prioritise critical and high findings, produce actionable remediation.',
+    steps: [
+      'Identify all entry points: HTTP endpoints, file uploads, WebSocket, CLI args',
+      'Map authentication and authorisation boundaries',
+      'A01 – Broken Access Control: ownership checks, privilege escalation paths',
+      'A02 – Cryptographic Failures: cipher strength, data-in-transit, data-at-rest',
+      'A03 – Injection: SQL, NoSQL, OS command, LDAP, template injection',
+      'A04 – Insecure Design: missing input validation, business logic flaws',
+      'A05 – Security Misconfiguration: debug flags, default creds, verbose errors',
+      'A06 – Vulnerable Components: dependency CVEs, outdated libraries',
+      'A07 – Authentication Failures: rate limiting, session management, token strength',
+      'A08 – Software Integrity: deserialization, supply-chain, CI integrity checks',
+      'A09 – Logging Failures: audit trail completeness, sensitive data in logs',
+      'A10 – SSRF: user-supplied URLs in outbound calls',
+      'Aggregate findings, calculate score, produce verdict and remediation plan',
+    ],
+    checklist: [
+      'All HTTP routes require authentication where data is user-specific',
+      'Object-level authorisation verifies ownership before returning or mutating records',
+      'No MD5 or SHA-1 used for password hashing or data integrity',
+      'TLS enforced on all external connections; HSTS header present',
+      'SQL queries use parameterised statements or ORM; no string concatenation',
+      'eval() and new Function() constructors are absent from production code',
+      'Input validated with schema library (zod/joi) at every API boundary',
+      'Error responses do not leak stack traces or internal file paths',
+      'Debug/development flags disabled in production builds',
+      'Default credentials and example secrets removed from all config files',
+      'Auth endpoints protected by rate limiting and account-lockout logic',
+      'Session tokens stored in httpOnly, Secure, SameSite=Strict cookies',
+      'Deserialisation of untrusted data avoided or performed with strict schema',
+      'Audit log written for every sensitive operation (login, delete, privilege change)',
+      'Passwords and secrets never appear in log output',
+      'Outbound HTTP requests validate/whitelist target URLs; no raw user-supplied URLs',
+      'npm audit / yarn audit run in CI with zero high/critical failure threshold',
+      'Security headers set: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy',
+    ],
+    pitfalls: [
+      'Trusting client-supplied IDs without server-side ownership validation (IDOR)',
+      'Comparing password hashes with == instead of a constant-time function',
+      'Sending res.json(err) in Express error handlers — leaks internal details',
+      'Forgetting to validate JWT claims server-side; client-side role inflation',
+      'Server-Side Template Injection when user input is interpolated into templates',
+      'Prototype pollution through lodash merge on untrusted objects',
+      'CORS wildcard (*) combined with credentials:true',
+      'Logging req.body at DEBUG level — captures passwords in plaintext',
+    ],
+    patterns: [
+      'Parameterised queries / prepared statements for all DB access',
+      'Repository pattern isolates data access and makes auth injection consistent',
+      'Middleware chain: authenticate → authorise → validate → handle',
+      'Allow-list validation (reject unknown fields) via zod strict() mode',
+      'Centralised error handler strips internal details before response',
+      'Structured logging with automatic redaction of secret fields',
+    ],
+    duration_estimate: context?.includes('large') ? '4-6 hours' : '1-2 hours',
+  };
+}
+
+// ─── Pattern definitions ───────────────────────────────────────────────────
+
+interface CheckPattern {
+  regex: RegExp;
+  severity: FindingSeverity;
+  category: string;
+  description: string;
+  fix: string;
+  cwe?: string;
+  owasp: string;
+}
+
+const CHECKS: CheckPattern[] = [
+  // A01 – Broken Access Control
+  {
+    regex: /req\.params\.(id|userId|user_id)\b/,
+    severity: 'high',
+    category: 'A01 Broken Access Control',
+    description: 'req.params.id used — verify ownership check exists to prevent IDOR.',
+    fix: 'Assert req.user.id === record.userId before returning or mutating the resource.',
+    cwe: 'CWE-639',
+    owasp: 'A01:2021',
+  },
+  {
+    regex: /role\s*=\s*req\.body\.role|req\.body\[['"]role['"]\]/,
+    severity: 'critical',
+    category: 'A01 Broken Access Control',
+    description: 'Role assigned directly from request body — allows privilege escalation.',
+    fix: 'Never accept role from client input. Derive roles server-side from the session.',
+    cwe: 'CWE-269',
+    owasp: 'A01:2021',
+  },
+
+  // A02 – Cryptographic Failures
+  {
+    regex: /createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i,
+    severity: 'high',
+    category: 'A02 Cryptographic Failures',
+    description: 'Weak cryptographic hash (MD5/SHA-1) detected.',
+    fix: 'Replace with SHA-256 or SHA-512 for hashing; use bcrypt/argon2 for passwords.',
+    cwe: 'CWE-327',
+    owasp: 'A02:2021',
+  },
+  {
+    regex: /createCipher\s*\(\s*['"](?:des|rc4)['"]\s*\)/i,
+    severity: 'high',
+    category: 'A02 Cryptographic Failures',
+    description: 'Broken symmetric cipher (DES/RC4) detected.',
+    fix: 'Replace with AES-256-GCM.',
+    cwe: 'CWE-327',
+    owasp: 'A02:2021',
+  },
+  {
+    regex: /http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)/,
+    severity: 'medium',
+    category: 'A02 Cryptographic Failures',
+    description: 'Plain HTTP URL detected — data transmitted without encryption.',
+    fix: 'Use HTTPS for all external URLs. Enforce HSTS in production.',
+    cwe: 'CWE-319',
+    owasp: 'A02:2021',
+  },
+
+  // A03 – Injection
+  {
+    regex: /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^'"`]*\+\s*(?:req\.|params\.|body\.|query\.)\w+/i,
+    severity: 'critical',
+    category: 'A03 Injection',
+    description: 'String concatenation inside SQL query — SQL injection risk.',
+    fix: 'Use parameterised queries: db.query("SELECT ... WHERE id = $1", [id])',
+    cwe: 'CWE-89',
+    owasp: 'A03:2021',
+  },
+  {
+    regex: /\beval\s*\(|new\s+Function\s*\(/,
+    severity: 'critical',
+    category: 'A03 Injection',
+    description: 'eval() or new Function() detected — JavaScript injection vector.',
+    fix: 'Remove eval(). Use JSON.parse() for data or a dedicated expression parser.',
+    cwe: 'CWE-95',
+    owasp: 'A03:2021',
+  },
+  {
+    regex: /(?:exec|execSync|spawn)\s*\(\s*`[^`]*\$\{(?:req|params|body|query)\./,
+    severity: 'critical',
+    category: 'A03 Injection',
+    description: 'User input interpolated into shell command — OS command injection.',
+    fix: 'Use execFile() with a fixed command and an array of sanitised arguments.',
+    cwe: 'CWE-78',
+    owasp: 'A03:2021',
+  },
+
+  // A04 – Insecure Design
+  {
+    regex: /req\.body\.\w+\s*(?:&&|\|\||,|\))[^;]{0,120}(?:\.save\s*\(|\.create\s*\(|\.insert\s*\()/,
+    severity: 'medium',
+    category: 'A04 Insecure Design',
+    description: 'Request body values passed to persistence layer without visible validation.',
+    fix: 'Validate and sanitise all inputs with zod or joi before saving.',
+    cwe: 'CWE-20',
+    owasp: 'A04:2021',
+  },
+
+  // A05 – Security Misconfiguration
+  {
+    regex: /debug\s*[:=]\s*true/i,
+    severity: 'medium',
+    category: 'A05 Security Misconfiguration',
+    description: 'Debug mode flag set to true in source.',
+    fix: 'Guard debug features with NODE_ENV checks; never enable in production.',
+    cwe: 'CWE-16',
+    owasp: 'A05:2021',
+  },
+  {
+    regex: /password\s*[:=]\s*['"](?:admin|root|password|123456|secret|test|demo)['"]/i,
+    severity: 'critical',
+    category: 'A05 Security Misconfiguration',
+    description: 'Default or trivial credential detected in source.',
+    fix: 'Remove default credentials. Store only bcrypt hashes; move to env vars.',
+    cwe: 'CWE-1392',
+    owasp: 'A05:2021',
+  },
+  {
+    regex: /res\s*\.\s*(?:json|send)\s*\(\s*(?:err|error)\s*\)/,
+    severity: 'medium',
+    category: 'A05 Security Misconfiguration',
+    description: 'Raw error object sent in HTTP response — may expose internals.',
+    fix: 'Use a centralised error handler that maps errors to safe user-facing messages.',
+    cwe: 'CWE-209',
+    owasp: 'A05:2021',
+  },
+
+  // A06 – Vulnerable Components
+  {
+    regex: /require\s*\(\s*['"]node-serialize['"]\s*\)|from\s+['"]node-serialize['"]/,
+    severity: 'critical',
+    category: 'A06 Vulnerable Components',
+    description: 'node-serialize has a known Remote Code Execution vulnerability.',
+    fix: 'Remove node-serialize. Use JSON.parse() for safe deserialisation.',
+    cwe: 'CWE-502',
+    owasp: 'A06:2021',
+  },
+  {
+    regex: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/,
+    severity: 'low',
+    category: 'A06 Vulnerable Components',
+    description: 'The "request" package is deprecated and unmaintained.',
+    fix: 'Replace with native fetch() (Node 18+), axios, or got.',
+    owasp: 'A06:2021',
+  },
+
+  // A07 – Authentication Failures
+  {
+    regex: /localStorage\s*\.\s*setItem\s*\(\s*['"][^'"]*(?:token|jwt|auth)[^'"]*['"]/i,
+    severity: 'high',
+    category: 'A07 Authentication Failures',
+    description: 'Auth token stored in localStorage — vulnerable to XSS theft.',
+    fix: 'Store tokens in httpOnly, Secure, SameSite=Strict cookies.',
+    cwe: 'CWE-922',
+    owasp: 'A07:2021',
+  },
+  {
+    regex: /router\s*\.\s*post\s*\(\s*['"]\/(?:login|signin|auth)['"]/i,
+    severity: 'high',
+    category: 'A07 Authentication Failures',
+    description: 'Auth endpoint found — verify rate limiting is applied.',
+    fix: 'Apply express-rate-limit to all auth routes to prevent brute-force attacks.',
+    cwe: 'CWE-307',
+    owasp: 'A07:2021',
+  },
+
+  // A08 – Software Integrity
+  {
+    regex: /JSON\.parse\s*\(\s*(?:req\.|body\.|params\.|query\.)\w+/,
+    severity: 'medium',
+    category: 'A08 Software Integrity',
+    description: 'JSON.parse on user-supplied data without visible try/catch or schema validation.',
+    fix: 'Wrap JSON.parse in try/catch and validate the result structure with zod.',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+  },
+
+  // A09 – Logging Failures
+  {
+    regex: /console\s*\.\s*log\s*\([^)]*(?:password|passwd|secret|token|apikey|api_key)[^)]*\)/i,
+    severity: 'high',
+    category: 'A09 Logging Failures',
+    description: 'Sensitive value (password/secret/token) may be written to logs.',
+    fix: 'Never log sensitive fields. Redact before passing to the logger.',
+    cwe: 'CWE-532',
+    owasp: 'A09:2021',
+  },
+
+  // A10 – SSRF
+  {
+    regex: /(?:fetch|axios\.get|axios\.post|http\.get)\s*\(\s*(?:req\.|body\.|params\.|query\.)\w+/,
+    severity: 'critical',
+    category: 'A10 SSRF',
+    description: 'User-supplied value passed directly to HTTP client — SSRF risk.',
+    fix: 'Validate the URL against a strict allow-list of permitted domains. Reject internal IP ranges.',
+    cwe: 'CWE-918',
+    owasp: 'A10:2021',
+  },
+];
+
+// ─── Public API ────────────────────────────────────────────────────────────
+
+export function analyze(code: string, context?: string): AgentAnalysis {
+  const findings: AgentFinding[] = [];
+
+  for (const check of CHECKS) {
+    if (check.regex.test(code)) {
+      const finding: AgentFinding = {
+        severity: check.severity,
+        category: check.category,
+        description: check.description,
+        fix: check.fix,
+        owasp: check.owasp,
+      };
+      if (check.cwe) finding.cwe = check.cwe;
+      findings.push(finding);
+    }
+  }
+
+  const critical = findings.filter(f => f.severity === 'critical').length;
+  const high = findings.filter(f => f.severity === 'high').length;
+  const medium = findings.filter(f => f.severity === 'medium').length;
+  const low = findings.filter(f => f.severity === 'low').length;
+
+  const raw = 100 - (critical * 25 + high * 10 + medium * 5 + low * 2);
+  const score = Math.max(0, raw);
+
+  const verdict: AgentAnalysis['verdict'] =
+    score >= 90 ? 'approved'
+    : score >= 70 ? 'approved_with_warnings'
+    : score >= 50 ? 'needs_revision'
+    : 'rejected';
+
+  const subject = context ?? 'provided code';
+
+  const summary =
+    findings.length === 0
+      ? `No OWASP Top 10 violations detected in ${subject}. Score: ${score}/100.`
+      : `Found ${findings.length} issue(s) in ${subject}: ${critical} critical, ${high} high, ${medium} medium, ${low} low. Score: ${score}/100 — ${verdict.replace(/_/g, ' ')}.`;
+
+  return {
+    agent: 'security-scanner',
+    subject,
+    findings,
+    score,
+    verdict,
+    summary,
+    critical_count: critical,
+    high_count: high,
+  };
+}

package/src/agents/security/secrets.ts

@@ -0,0 +1,249 @@
+import type { AgentPlan, AgentAnalysis, AgentFinding, FindingSeverity } from '../types.js';
+
+export interface SecretsFinding {
+  type: string;
+  value: string;   // first 4 chars + ****
+  line: number;
+  severity: FindingSeverity;
+  fix: string;
+}
+
+// ─── Plan ──────────────────────────────────────────────────────────────────
+
+export function plan(task: string, _context?: string): AgentPlan {
+  return {
+    agent: 'secrets',
+    task,
+    tier: 1,
+    approach:
+      'Systematically detect, rotate, and vault all credentials. ' +
+      'Apply defence-in-depth: scan source, enforce pre-commit hooks, ' +
+      'use a secrets manager, and never let secrets reach version control.',
+    steps: [
+      'Run static scan (this agent) across the entire codebase including .env files',
+      'Identify all credential types: API keys, DB connection strings, private keys, tokens',
+      'Rotate any exposed credentials immediately — assume they are compromised',
+      'Move all secrets to a secrets manager (AWS Secrets Manager, Vault, Doppler)',
+      'Replace hardcoded values with environment-variable references',
+      'Add .env* to .gitignore; add .env.example with placeholder values',
+      'Install a pre-commit hook (git-secrets, gitleaks) to block future commits',
+      'Configure CI/CD secret scanning (GitHub secret scanning, Trufflehog action)',
+      'Set minimum secret rotation period in policy (90 days for API keys, 30 for DB)',
+      'Document which services own which secrets in a secrets inventory',
+    ],
+    checklist: [
+      'No secrets committed to the repository (scan with gitleaks/trufflehog)',
+      '.env files listed in .gitignore at the repo root',
+      '.env.example present with only placeholder values, no real secrets',
+      'All API keys loaded from process.env at runtime, not import-time constants',
+      'AWS credentials use IAM roles / instance profiles, not access key + secret pairs',
+      'Private keys stored in a hardware security module or secrets manager',
+      'JWT_SECRET is at least 256 bits of random entropy, not a dictionary word',
+      'Database connection strings contain no credentials (use socket auth or Secrets Manager)',
+      'GitHub tokens scoped to minimal required permissions and set to expire',
+      'Secret scanning enabled in GitHub repository settings',
+      'Pre-commit hook configured to block secrets (git-secrets or gitleaks)',
+      'CI pipeline fails if any secret pattern is detected in changed files',
+      'Secrets rotated after any team-member departure or suspected exposure',
+      'Audit log maintained of who accessed each secret and when',
+    ],
+    pitfalls: [
+      'Committing .env files accidentally when .gitignore is misconfigured',
+      'Hardcoding secrets in Dockerfile ARG/ENV layers visible in image history',
+      'Logging full request headers which include Authorization bearer tokens',
+      'Storing secrets in client-side code bundled into the browser',
+      'Using short or guessable JWT secrets ("secret", "mysecret", "1234")',
+      'Checking in AWS credentials profile files (~/.aws/credentials) via CI runners',
+      'Embedding secrets in CI/CD YAML files instead of using encrypted variables',
+    ],
+    patterns: [
+      'Twelve-Factor App: config via environment variables',
+      'Secrets manager pattern: centralised vault with short-lived leases',
+      'Secret rotation pattern: automated rotation with zero-downtime swap',
+      'Pre-commit hook pattern: block secrets before they enter git history',
+    ],
+    duration_estimate: '2-4 hours for full secrets audit and remediation',
+  };
+}
+
+// ─── Scan patterns ─────────────────────────────────────────────────────────
+
+interface ScanPattern {
+  type: string;
+  regex: RegExp;
+  severity: FindingSeverity;
+  fix: string;
+}
+
+const PATTERNS: ScanPattern[] = [
+  {
+    type: 'AWS Access Key',
+    regex: /AKIA[0-9A-Z]{16}/,
+    severity: 'critical',
+    fix: 'Immediately revoke this AWS access key in the IAM console. Use IAM roles or instance profiles instead.',
+  },
+  {
+    type: 'AWS Secret Access Key',
+    regex: /aws_secret_access_key\s*=\s*['"]?[A-Za-z0-9/+]{40}['"]?/i,
+    severity: 'critical',
+    fix: 'Rotate the AWS secret access key immediately. Store credentials in AWS Secrets Manager or via instance role.',
+  },
+  {
+    type: 'GitHub Token (ghp_)',
+    regex: /ghp_[a-zA-Z0-9]{36}/,
+    severity: 'critical',
+    fix: 'Revoke this GitHub personal access token immediately. Use short-lived tokens with minimal scopes.',
+  },
+  {
+    type: 'GitHub Token (env var)',
+    regex: /github_token\s*=\s*['"][a-zA-Z0-9_]{20,}['"]/i,
+    severity: 'high',
+    fix: 'Move the GitHub token to a CI/CD secret variable. Never hardcode tokens.',
+  },
+  {
+    type: 'RSA Private Key',
+    regex: /-----BEGIN RSA PRIVATE KEY-----/,
+    severity: 'critical',
+    fix: 'Remove the private key from source. Store in a secrets manager or HSM. Rotate the key pair immediately.',
+  },
+  {
+    type: 'EC Private Key',
+    regex: /-----BEGIN EC PRIVATE KEY-----/,
+    severity: 'critical',
+    fix: 'Remove the private key from source. Store in a secrets manager or HSM. Rotate the key pair immediately.',
+  },
+  {
+    type: 'OpenSSH Private Key',
+    regex: /-----BEGIN OPENSSH PRIVATE KEY-----/,
+    severity: 'critical',
+    fix: 'Remove the private key from source. Store in a secrets manager or HSM. Rotate the key pair immediately.',
+  },
+  {
+    type: 'API Key (generic)',
+    regex: /(?:api_key|apikey|api-key)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/i,
+    severity: 'high',
+    fix: 'Move the API key to an environment variable. Load via process.env.API_KEY at runtime.',
+  },
+  {
+    type: 'JWT Secret',
+    regex: /jwt_secret\s*[:=]\s*['"][^'"]{8,}['"]/i,
+    severity: 'high',
+    fix: 'Move JWT_SECRET to an environment variable. Use at least 256 bits of random entropy.',
+  },
+  {
+    type: 'Hardcoded Password',
+    regex: /password\s*[:=]\s*['"][^'"]{4,}['"]/i,
+    severity: 'high',
+    fix: 'Remove hardcoded password. Store in environment variable and load at runtime.',
+  },
+  {
+    type: 'MongoDB Connection String',
+    regex: /mongodb(?:\+srv)?:\/\/[^:]+:[^@]+@/,
+    severity: 'critical',
+    fix: 'Rotate MongoDB credentials immediately. Use environment variable MONGODB_URI with no credentials in source.',
+  },
+  {
+    type: 'PostgreSQL Connection String',
+    regex: /postgres(?:ql)?:\/\/[^:]+:[^@]+@/,
+    severity: 'critical',
+    fix: 'Rotate PostgreSQL credentials immediately. Use DATABASE_URL environment variable.',
+  },
+  {
+    type: 'MySQL Connection String',
+    regex: /mysql:\/\/[^:]+:[^@]+@/,
+    severity: 'critical',
+    fix: 'Rotate MySQL credentials immediately. Use DATABASE_URL environment variable.',
+  },
+  {
+    type: 'Slack Token',
+    regex: /xox[baprs]-[0-9A-Za-z\-]{10,}/,
+    severity: 'high',
+    fix: 'Revoke this Slack token immediately. Store in a secrets manager.',
+  },
+  {
+    type: 'Generic High-Entropy Secret',
+    regex: /(?:secret|token|key|passwd)\s*[:=]\s*['"][A-Za-z0-9+/=_\-]{32,}['"]/i,
+    severity: 'medium',
+    fix: 'Review this value. If it is a secret, move it to an environment variable or secrets manager.',
+  },
+];
+
+// ─── Helper: mask value ────────────────────────────────────────────────────
+
+function maskValue(raw: string): string {
+  const match = raw.match(/['"]([^'"]+)['"]/);
+  const secret = match ? match[1] : raw.replace(/.*[:=]\s*/, '');
+  return secret.length >= 4 ? `${secret.slice(0, 4)}****` : '****';
+}
+
+// ─── Public API ────────────────────────────────────────────────────────────
+
+export function scan(text: string): SecretsFinding[] {
+  const findings: SecretsFinding[] = [];
+  const lines = text.split('\n');
+
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
+    const line = lines[lineIndex];
+    for (const pattern of PATTERNS) {
+      const match = line.match(pattern.regex);
+      if (match) {
+        findings.push({
+          type: pattern.type,
+          value: maskValue(match[0]),
+          line: lineIndex + 1,
+          severity: pattern.severity,
+          fix: pattern.fix,
+        });
+        break; // one finding per pattern per line
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function analyze(code: string, context?: string): AgentAnalysis {
+  const secretFindings = scan(code);
+
+  const findings: AgentFinding[] = secretFindings.map(sf => ({
+    severity: sf.severity,
+    category: 'Credential Exposure',
+    description: `${sf.type} detected at line ${sf.line} (value: ${sf.value})`,
+    fix: sf.fix,
+    location: `line ${sf.line}`,
+    cwe: 'CWE-798',
+    owasp: 'A02:2021',
+  }));
+
+  const critical = findings.filter(f => f.severity === 'critical').length;
+  const high = findings.filter(f => f.severity === 'high').length;
+  const medium = findings.filter(f => f.severity === 'medium').length;
+  const low = findings.filter(f => f.severity === 'low').length;
+
+  const raw = 100 - (critical * 25 + high * 10 + medium * 5 + low * 2);
+  const score = Math.max(0, raw);
+
+  const verdict: AgentAnalysis['verdict'] =
+    score >= 90 ? 'approved'
+    : score >= 70 ? 'approved_with_warnings'
+    : score >= 50 ? 'needs_revision'
+    : 'rejected';
+
+  const subject = context ?? 'provided code';
+
+  const summary =
+    findings.length === 0
+      ? `No credentials or secrets detected in ${subject}. Score: ${score}/100.`
+      : `Found ${findings.length} credential(s) in ${subject}: ${critical} critical, ${high} high, ${medium} medium. Score: ${score}/100 — ${verdict.replace(/_/g, ' ')}.`;
+
+  return {
+    agent: 'secrets',
+    subject,
+    findings,
+    score,
+    verdict,
+    summary,
+    critical_count: critical,
+    high_count: high,
+  };
+}

package/src/agents/types.ts

@@ -0,0 +1,66 @@
+export type WorkerAgentType =
+  | 'coder' | 'reviewer' | 'tester' | 'debugger' | 'refactor'
+  | 'database' | 'api' | 'frontend' | 'backend' | 'devops'
+  | 'performance' | 'migration'
+  | 'security-scanner' | 'auth' | 'privacy' | 'secrets'
+  | 'dependency-audit' | 'penetration'
+  | 'context-manager' | 'decision-logger' | 'project-mapper'
+  | 'pattern-learner' | 'knowledge-base'
+  | 'researcher' | 'tech-advisor' | 'cost-analyzer'
+  | 'competitor-analyzer' | 'risk-assessor' | 'estimator'
+  | 'ethics-bias'
+  | 'code-quality' | 'documentation' | 'accessibility' | 'compatibility' | 'error-handling'
+  | 'task-planner' | 'task-coordinator' | 'file-manager' | 'git-agent'
+  | 'search-agent' | 'reporter' | 'automation';
+
+export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+
+export interface AgentFinding {
+  severity: FindingSeverity;
+  category: string;
+  description: string;
+  fix: string;
+  location?: string;
+  cwe?: string;
+  owasp?: string;
+}
+
+export interface AgentPlan {
+  agent: WorkerAgentType;
+  task: string;
+  tier: 1 | 2 | 3;
+  approach: string;
+  steps: string[];
+  checklist: string[];
+  pitfalls: string[];
+  patterns: string[];
+  duration_estimate: string;
+}
+
+export interface AgentAnalysis {
+  agent: WorkerAgentType;
+  subject: string;
+  findings: AgentFinding[];
+  score: number;
+  verdict: 'approved' | 'approved_with_warnings' | 'needs_revision' | 'rejected';
+  summary: string;
+  critical_count: number;
+  high_count: number;
+}
+
+export interface AgentTask {
+  id: string;
+  agent: WorkerAgentType;
+  task: string;
+  code?: string;
+  context?: string;
+}
+
+export interface AgentResult {
+  id: string;
+  agent: WorkerAgentType;
+  plan?: AgentPlan;
+  analysis?: AgentAnalysis;
+  duration_ms: number;
+  error?: string;
+}