@maintainabilityai/research-runner 0.1.1

package/dist/mesh/threat-model-reader.js

@@ -0,0 +1,123 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseThreatModelYaml = parseThreatModelYaml;
+exports.summarizeThreatModel = summarizeThreatModel;
+exports.readThreatModelFromBar = readThreatModelFromBar;
+/**
+ * threat-model-reader — parse `<bar>/security/threat-model.yaml` into structured
+ * STRIDE entries the LLM nodes can ground against.
+ *
+ * Uses js-yaml directly (the file is valid YAML — we don't need the
+ * line-by-line parser that the vscode-extension uses for its writer-specific
+ * format). We DO normalise the field names to camelCase to match the shape
+ * the LLM prompts expect.
+ */
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const yaml = __importStar(require("js-yaml"));
+/** Snake-case YAML keys → camelCase TS fields. Missing fields get safe defaults. */
+function normalizeThreat(raw, fallbackIndex) {
+    if (!raw || typeof raw !== 'object') {
+        return null;
+    }
+    const r = raw;
+    return {
+        id: typeof r.id === 'string' ? r.id : `THR-${String(fallbackIndex + 1).padStart(3, '0')}`,
+        category: r.category || 'spoofing',
+        target: typeof r.target === 'string' ? r.target : '',
+        targetName: typeof r.target_name === 'string' ? r.target_name : '',
+        dataClassification: typeof r.data_classification === 'string' ? r.data_classification : '',
+        description: typeof r.description === 'string' ? r.description : '',
+        attackVector: typeof r.attack_vector === 'string' ? r.attack_vector : '',
+        impact: r.impact || 'medium',
+        likelihood: r.likelihood || 'medium',
+        existingControls: Array.isArray(r.existing_controls) ? r.existing_controls.filter(s => typeof s === 'string') : [],
+        controlEffectiveness: r.control_effectiveness || 'none',
+        residualRisk: r.residual_risk || 'medium',
+        recommendedMitigations: Array.isArray(r.recommended_mitigations) ? r.recommended_mitigations.filter(s => typeof s === 'string') : [],
+        nistReferences: Array.isArray(r.nist_references) ? r.nist_references.filter(s => typeof s === 'string') : [],
+    };
+}
+function parseThreatModelYaml(content) {
+    let doc;
+    try {
+        doc = yaml.load(content);
+    }
+    catch {
+        return [];
+    }
+    if (!doc || typeof doc !== 'object') {
+        return [];
+    }
+    const threatsRaw = doc.threats;
+    if (!Array.isArray(threatsRaw)) {
+        return [];
+    }
+    return threatsRaw
+        .map((t, i) => normalizeThreat(t, i))
+        .filter((t) => t !== null);
+}
+function summarizeThreatModel(threats) {
+    const byCategory = {};
+    const byRisk = {};
+    let unmitigatedCount = 0;
+    for (const t of threats) {
+        byCategory[t.category] = (byCategory[t.category] || 0) + 1;
+        byRisk[t.residualRisk] = (byRisk[t.residualRisk] || 0) + 1;
+        if (t.controlEffectiveness === 'none') {
+            unmitigatedCount++;
+        }
+    }
+    return { byCategory, byRisk, unmitigatedCount };
+}
+function readThreatModelFromBar(barPath) {
+    const yamlPath = path.join(barPath, 'security', 'threat-model.yaml');
+    if (!fs.existsSync(yamlPath)) {
+        return null;
+    }
+    let content;
+    try {
+        content = fs.readFileSync(yamlPath, 'utf8');
+    }
+    catch {
+        return null;
+    }
+    const threats = parseThreatModelYaml(content);
+    if (threats.length === 0) {
+        return null;
+    }
+    return { threats, summary: summarizeThreatModel(threats) };
+}

package/dist/runner/archeologist.d.ts

@@ -0,0 +1,39 @@
+export interface ArcheologistOptions {
+    brief: unknown;
+    meshDir: string;
+    outputDir: string;
+    auditDir: string;
+    emitPrBodyPath?: string;
+    agentVersion: string;
+    /** Provider keys — supply only the one your brief.llm_provider needs. Default from process.env. */
+    anthropicApiKey?: string;
+    /** GITHUB_TOKEN — used when brief.llm_provider === 'github-models'. */
+    githubToken?: string;
+    tavilyApiKey?: string;
+    /** Optional — when absent, uspto_search emits a node_error envelope and the run continues without patent coverage. */
+    usptoApiKey?: string;
+    /** Test injection point. */
+    fetchImpl?: typeof fetch;
+}
+export interface ArcheologistResult {
+    run_id: string;
+    topic: string;
+    artifact_path: string;
+    audit_log_path: string;
+    chain_root_hash: string;
+    pr_body_path: string | null;
+    total_input_tokens: number;
+    total_output_tokens: number;
+    total_cost_usd: number;
+    source_count: number;
+    /** Per-provider counts of raw results (post-dedupe deltas — useful for reviewer summary). */
+    provider_result_counts: Record<string, number>;
+    /** Whether gap_analysis fired this run. Research path only. */
+    gap_analysis_ran: boolean;
+    /** Number of archaeology gaps identified. Undefined on research-path runs. */
+    archaeology_gap_count?: number;
+    /** Synthesis structural validator outputs — quick reviewer signal. */
+    conclusion_count: number;
+    recommendation_count: number;
+}
+export declare function runArcheologist(opts: ArcheologistOptions): Promise<ArcheologistResult>;