@rexymayderio/sentinel 0.1.0

package/dist/domain/index.js

@@ -0,0 +1,7 @@
+export * from './target.js';
+export * from './finding.js';
+export * from './risk.js';
+export * from './artifact.js';
+export * from './permission.js';
+export * from './report.js';
+//# sourceMappingURL=index.js.map

package/dist/domain/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/domain/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC"}

package/dist/domain/permission.d.ts

@@ -0,0 +1,8 @@
+export declare const PERMISSION_TYPES: readonly ["filesystem-read", "filesystem-write", "filesystem-delete", "network-internet", "network-localhost", "network-lan", "shell", "clipboard", "camera", "microphone", "notifications", "browser", "mcp-tools", "secrets", "git", "ssh", "docker", "kubernetes"];
+export type PermissionType = (typeof PERMISSION_TYPES)[number];
+export interface Permission {
+    readonly type: PermissionType;
+    readonly description: string;
+    readonly source?: string;
+}
+//# sourceMappingURL=permission.d.ts.map

package/dist/domain/permission.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.d.ts","sourceRoot":"","sources":["../../src/domain/permission.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,uQAmBnB,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE/D,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B"}

package/dist/domain/permission.js

@@ -0,0 +1,21 @@
+export const PERMISSION_TYPES = [
+    'filesystem-read',
+    'filesystem-write',
+    'filesystem-delete',
+    'network-internet',
+    'network-localhost',
+    'network-lan',
+    'shell',
+    'clipboard',
+    'camera',
+    'microphone',
+    'notifications',
+    'browser',
+    'mcp-tools',
+    'secrets',
+    'git',
+    'ssh',
+    'docker',
+    'kubernetes',
+];
+//# sourceMappingURL=permission.js.map

package/dist/domain/permission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.js","sourceRoot":"","sources":["../../src/domain/permission.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,iBAAiB;IACjB,kBAAkB;IAClB,mBAAmB;IACnB,kBAAkB;IAClB,mBAAmB;IACnB,aAAa;IACb,OAAO;IACP,WAAW;IACX,QAAQ;IACR,YAAY;IACZ,eAAe;IACf,SAAS;IACT,WAAW;IACX,SAAS;IACT,KAAK;IACL,KAAK;IACL,QAAQ;IACR,YAAY;CACJ,CAAC"}

package/dist/domain/report.d.ts

@@ -0,0 +1,35 @@
+import type { Finding } from './finding.js';
+import type { Permission } from './permission.js';
+import type { PolicyDecision } from './risk.js';
+import type { RiskScore } from './risk.js';
+import type { Target } from './target.js';
+export declare const REPORT_FORMATS: readonly ["terminal", "json", "markdown", "sarif", "html", "pdf"];
+export type ReportFormat = (typeof REPORT_FORMATS)[number];
+export interface PolicyResult {
+    readonly decision: PolicyDecision;
+    readonly reasons: string[];
+    readonly overrides: string[];
+}
+export interface DataAssessment {
+    readonly sufficient: boolean;
+    readonly confidence: number;
+    readonly reasons: string[];
+}
+export interface VerificationReport {
+    readonly target: Target;
+    readonly findings: Finding[];
+    readonly risk: RiskScore;
+    readonly policy: PolicyResult;
+    readonly permissions: Permission[];
+    readonly dataAssessment: DataAssessment;
+    readonly summary: string;
+    readonly recommendedAction: string;
+    readonly scannedAt: string;
+    readonly durationMs: number;
+}
+export interface InstallResult {
+    readonly success: boolean;
+    readonly message: string;
+    readonly report: VerificationReport;
+}
+//# sourceMappingURL=report.d.ts.map

package/dist/domain/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../src/domain/report.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAE1C,eAAO,MAAM,cAAc,mEAAoE,CAAC;AAChG,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE3D,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,UAAU,EAAE,CAAC;IACnC,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAC;CACrC"}

package/dist/domain/report.js

@@ -0,0 +1,2 @@
+export const REPORT_FORMATS = ['terminal', 'json', 'markdown', 'sarif', 'html', 'pdf'];
+//# sourceMappingURL=report.js.map

package/dist/domain/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../src/domain/report.ts"],"names":[],"mappings":"AAMA,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAU,CAAC"}

package/dist/domain/risk.d.ts

@@ -0,0 +1,14 @@
+export declare const RISK_LEVELS: readonly ["LOW", "MEDIUM", "HIGH", "CRITICAL"];
+export type RiskLevel = (typeof RISK_LEVELS)[number];
+export declare const POLICY_DECISIONS: readonly ["AUTO_APPROVE", "APPROVE", "WARN", "REQUIRE_APPROVAL", "BLOCK"];
+export type PolicyDecision = (typeof POLICY_DECISIONS)[number];
+export interface RiskScore {
+    readonly score: number;
+    readonly level: RiskLevel;
+    readonly confidence: number;
+    readonly positiveSignals: number;
+    readonly negativeSignals: number;
+}
+export declare function scoreToLevel(score: number): RiskLevel;
+export declare function clampScore(score: number): number;
+//# sourceMappingURL=risk.d.ts.map

package/dist/domain/risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk.d.ts","sourceRoot":"","sources":["../../src/domain/risk.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,WAAW,gDAAiD,CAAC;AAC1E,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD,eAAO,MAAM,gBAAgB,2EAA4E,CAAC;AAC1G,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE/D,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;CAClC;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAKrD;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD"}

package/dist/domain/risk.js

@@ -0,0 +1,15 @@
+export const RISK_LEVELS = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
+export const POLICY_DECISIONS = ['AUTO_APPROVE', 'APPROVE', 'WARN', 'REQUIRE_APPROVAL', 'BLOCK'];
+export function scoreToLevel(score) {
+    if (score >= 80)
+        return 'CRITICAL';
+    if (score >= 50)
+        return 'HIGH';
+    if (score >= 20)
+        return 'MEDIUM';
+    return 'LOW';
+}
+export function clampScore(score) {
+    return Math.max(0, Math.min(100, Math.round(score)));
+}
+//# sourceMappingURL=risk.js.map

package/dist/domain/risk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk.js","sourceRoot":"","sources":["../../src/domain/risk.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;AAG1E,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,cAAc,EAAE,SAAS,EAAE,MAAM,EAAE,kBAAkB,EAAE,OAAO,CAAU,CAAC;AAW1G,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC"}

package/dist/domain/target.d.ts

@@ -0,0 +1,12 @@
+export declare const ECOSYSTEMS: readonly ["npm", "github", "skill", "local", "mcp", "pip", "uv", "cargo", "go", "docker", "vscode", "cursor-rules", "git", "zip"];
+export type Ecosystem = (typeof ECOSYSTEMS)[number];
+export declare const MVP_ECOSYSTEMS: Ecosystem[];
+export interface Target {
+    readonly ecosystem: Ecosystem;
+    readonly raw: string;
+    readonly name: string;
+    readonly version?: string;
+}
+export declare function parseTarget(ecosystem: string, raw: string): Target;
+export declare function isMvpEcosystem(ecosystem: Ecosystem): boolean;
+//# sourceMappingURL=target.d.ts.map

package/dist/domain/target.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"target.d.ts","sourceRoot":"","sources":["../../src/domain/target.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU,mIAeb,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC;AAEpD,eAAO,MAAM,cAAc,EAAE,SAAS,EAAwC,CAAC;AAE/E,MAAM,WAAW,MAAM;IACrB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAsBlE;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAE5D"}

package/dist/domain/target.js

@@ -0,0 +1,43 @@
+export const ECOSYSTEMS = [
+    'npm',
+    'github',
+    'skill',
+    'local',
+    'mcp',
+    'pip',
+    'uv',
+    'cargo',
+    'go',
+    'docker',
+    'vscode',
+    'cursor-rules',
+    'git',
+    'zip',
+];
+export const MVP_ECOSYSTEMS = ['npm', 'github', 'skill', 'local'];
+export function parseTarget(ecosystem, raw) {
+    const normalized = ecosystem.toLowerCase();
+    if (!ECOSYSTEMS.includes(normalized)) {
+        throw new Error(`Unsupported ecosystem: ${ecosystem}`);
+    }
+    let name = raw;
+    let version;
+    if (normalized === 'npm' && raw.includes('@') && !raw.startsWith('@')) {
+        const atIndex = raw.lastIndexOf('@');
+        name = raw.slice(0, atIndex);
+        version = raw.slice(atIndex + 1);
+    }
+    else if (normalized === 'npm' && raw.startsWith('@') && raw.includes('@', 1)) {
+        const atIndex = raw.lastIndexOf('@');
+        name = raw.slice(0, atIndex);
+        version = raw.slice(atIndex + 1);
+    }
+    else if (normalized === 'github') {
+        name = raw.replace(/^https?:\/\/github\.com\//, '').replace(/\.git$/, '').replace(/\/$/, '');
+    }
+    return { ecosystem: normalized, raw, name, version };
+}
+export function isMvpEcosystem(ecosystem) {
+    return MVP_ECOSYSTEMS.includes(ecosystem);
+}
+//# sourceMappingURL=target.js.map

package/dist/domain/target.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"target.js","sourceRoot":"","sources":["../../src/domain/target.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,KAAK;IACL,QAAQ;IACR,OAAO;IACP,OAAO;IACP,KAAK;IACL,KAAK;IACL,IAAI;IACJ,OAAO;IACP,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,cAAc;IACd,KAAK;IACL,KAAK;CACG,CAAC;AAIX,MAAM,CAAC,MAAM,cAAc,GAAgB,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAS/E,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,GAAW;IACxD,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,EAAe,CAAC;IACxD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,IAAI,GAAG,GAAG,CAAC;IACf,IAAI,OAA2B,CAAC;IAEhC,IAAI,UAAU,KAAK,KAAK,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtE,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAC7B,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;SAAM,IAAI,UAAU,KAAK,KAAK,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAC7B,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;SAAM,IAAI,UAAU,KAAK,QAAQ,EAAE,CAAC;QACnC,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,SAAoB;IACjD,OAAO,cAAc,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC5C,CAAC"}

package/dist/engine/data-assessment.d.ts

@@ -0,0 +1,10 @@
+import type { Artifact } from '../domain/artifact.js';
+import type { Finding } from '../domain/finding.js';
+import type { DataAssessment } from '../domain/report.js';
+import type { RiskScore } from '../domain/risk.js';
+import type { Target } from '../domain/target.js';
+import type { PolicyConfig } from './default-policy.js';
+export declare function hasMeaningfulMetadata(metadata: Artifact['metadata']): boolean;
+export declare function assessData(target: Target, artifact: Artifact, findings: Finding[], risk: RiskScore, config: PolicyConfig): DataAssessment;
+export declare function unverifiableAssessment(reason: string): DataAssessment;
+//# sourceMappingURL=data-assessment.d.ts.map

package/dist/engine/data-assessment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-assessment.d.ts","sourceRoot":"","sources":["../../src/engine/data-assessment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACnD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAIxD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,GAAG,OAAO,CAS7E;AAED,wBAAgB,UAAU,CACxB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,QAAQ,EAClB,QAAQ,EAAE,OAAO,EAAE,EACnB,IAAI,EAAE,SAAS,EACf,MAAM,EAAE,YAAY,GACnB,cAAc,CA4BhB;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAMrE"}

package/dist/engine/data-assessment.js

@@ -0,0 +1,39 @@
+const REMOTE_ECOSYSTEMS = ['npm', 'github', 'pip', 'uv', 'cargo', 'go', 'docker', 'vscode', 'mcp', 'git'];
+export function hasMeaningfulMetadata(metadata) {
+    return !!(metadata.version ||
+        metadata.publishDate ||
+        metadata.repository ||
+        metadata.downloadCount !== undefined ||
+        metadata.license ||
+        metadata.author);
+}
+export function assessData(target, artifact, findings, risk, config) {
+    const reasons = [];
+    const fileCount = artifact.files.length;
+    const isRemote = REMOTE_ECOSYSTEMS.includes(target.ecosystem);
+    if (fileCount === 0) {
+        reasons.push('No files were available to scan');
+    }
+    if (isRemote && !hasMeaningfulMetadata(artifact.metadata)) {
+        reasons.push('No package metadata could be gathered from the registry or source');
+    }
+    if (risk.confidence < config.minConfidence) {
+        reasons.push(`Analysis confidence ${risk.confidence}% is below the minimum threshold (${config.minConfidence}%)`);
+    }
+    if (findings.length === 0 && fileCount === 0) {
+        reasons.push('No analyzable signals were gathered');
+    }
+    return {
+        sufficient: reasons.length === 0,
+        confidence: risk.confidence,
+        reasons,
+    };
+}
+export function unverifiableAssessment(reason) {
+    return {
+        sufficient: false,
+        confidence: 0,
+        reasons: [reason],
+    };
+}
+//# sourceMappingURL=data-assessment.js.map

package/dist/engine/data-assessment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-assessment.js","sourceRoot":"","sources":["../../src/engine/data-assessment.ts"],"names":[],"mappings":"AAOA,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AAE1G,MAAM,UAAU,qBAAqB,CAAC,QAA8B;IAClE,OAAO,CAAC,CAAC,CACP,QAAQ,CAAC,OAAO;QAChB,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,UAAU;QACnB,QAAQ,CAAC,aAAa,KAAK,SAAS;QACpC,QAAQ,CAAC,OAAO;QAChB,QAAQ,CAAC,MAAM,CAChB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,MAAc,EACd,QAAkB,EAClB,QAAmB,EACnB,IAAe,EACf,MAAoB;IAEpB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC;IACxC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE9D,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,QAAQ,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IACpF,CAAC;IAED,IAAI,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QAC3C,OAAO,CAAC,IAAI,CACV,uBAAuB,IAAI,CAAC,UAAU,qCAAqC,MAAM,CAAC,aAAa,IAAI,CACpG,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACtD,CAAC;IAED,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QAChC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,OAAO;KACR,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAc;IACnD,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,UAAU,EAAE,CAAC;QACb,OAAO,EAAE,CAAC,MAAM,CAAC;KAClB,CAAC;AACJ,CAAC"}

package/dist/engine/default-policy.d.ts

@@ -0,0 +1,16 @@
+export interface PolicyConfig {
+    readonly blockThreshold: number;
+    readonly warnThreshold: number;
+    readonly minConfidence: number;
+    readonly trustedPublishers: string[];
+    readonly corporateWhitelist: string[];
+    readonly corporateBlacklist: string[];
+    readonly autoApproveTrusted: boolean;
+    readonly requireApprovalForNetwork: boolean;
+    readonly warnOnInstallScript: boolean;
+    readonly warnOnShellAccess: boolean;
+    readonly allowOverrides: boolean;
+    readonly scoreTestCodeFully: boolean;
+}
+export declare const DEFAULT_POLICY: PolicyConfig;
+//# sourceMappingURL=default-policy.d.ts.map

package/dist/engine/default-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-policy.d.ts","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;IACrC,QAAQ,CAAC,yBAAyB,EAAE,OAAO,CAAC;IAC5C,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;CACtC;AAED,eAAO,MAAM,cAAc,EAAE,YAa5B,CAAC"}

package/dist/engine/default-policy.js

@@ -0,0 +1,15 @@
+export const DEFAULT_POLICY = {
+    blockThreshold: 80,
+    warnThreshold: 50,
+    minConfidence: 40,
+    trustedPublishers: [],
+    corporateWhitelist: [],
+    corporateBlacklist: [],
+    autoApproveTrusted: true,
+    requireApprovalForNetwork: true,
+    warnOnInstallScript: true,
+    warnOnShellAccess: true,
+    allowOverrides: true,
+    scoreTestCodeFully: false,
+};
+//# sourceMappingURL=default-policy.js.map

package/dist/engine/default-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-policy.js","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"AAeA,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,cAAc,EAAE,EAAE;IAClB,aAAa,EAAE,EAAE;IACjB,aAAa,EAAE,EAAE;IACjB,iBAAiB,EAAE,EAAE;IACrB,kBAAkB,EAAE,EAAE;IACtB,kBAAkB,EAAE,EAAE;IACtB,kBAAkB,EAAE,IAAI;IACxB,yBAAyB,EAAE,IAAI;IAC/B,mBAAmB,EAAE,IAAI;IACzB,iBAAiB,EAAE,IAAI;IACvB,cAAc,EAAE,IAAI;IACpB,kBAAkB,EAAE,KAAK;CAC1B,CAAC"}

package/dist/engine/index.d.ts

@@ -0,0 +1,4 @@
+export * from './risk-calculator.js';
+export * from './policy-engine.js';
+export * from './default-policy.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/engine/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/engine/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC"}

package/dist/engine/index.js

@@ -0,0 +1,4 @@
+export * from './risk-calculator.js';
+export * from './policy-engine.js';
+export * from './default-policy.js';
+//# sourceMappingURL=index.js.map

package/dist/engine/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/engine/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC"}

package/dist/engine/policy-engine.d.ts

@@ -0,0 +1,13 @@
+import type { Finding } from '../domain/finding.js';
+import type { Permission } from '../domain/permission.js';
+import type { DataAssessment, PolicyResult } from '../domain/report.js';
+import type { RiskScore } from '../domain/risk.js';
+import type { Target } from '../domain/target.js';
+import type { PolicyConfig } from './default-policy.js';
+export declare class PolicyEngine {
+    private readonly config;
+    constructor(config?: PolicyConfig);
+    evaluate(target: Target, risk: RiskScore, findings: Finding[], permissions: Permission[], dataAssessment: DataAssessment): PolicyResult;
+}
+export declare function loadPolicyConfig(overrides?: Partial<PolicyConfig>): PolicyConfig;
+//# sourceMappingURL=policy-engine.d.ts.map

package/dist/engine/policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../../src/engine/policy-engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxE,OAAO,KAAK,EAAkB,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACnE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGxD,qBAAa,YAAY;IACX,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,GAAE,YAA6B;IAElE,QAAQ,CACN,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,OAAO,EAAE,EACnB,WAAW,EAAE,UAAU,EAAE,EACzB,cAAc,EAAE,cAAc,GAC7B,YAAY;CAqFhB;AAED,wBAAgB,gBAAgB,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAEhF"}

package/dist/engine/policy-engine.js

@@ -0,0 +1,78 @@
+import { DEFAULT_POLICY } from './default-policy.js';
+export class PolicyEngine {
+    config;
+    constructor(config = DEFAULT_POLICY) {
+        this.config = config;
+    }
+    evaluate(target, risk, findings, permissions, dataAssessment) {
+        const reasons = [];
+        const overrides = [];
+        const name = target.name.toLowerCase();
+        if (this.config.corporateBlacklist.some((b) => name.includes(b.toLowerCase()))) {
+            return { decision: 'BLOCK', reasons: ['Package is on corporate blacklist'], overrides };
+        }
+        if (this.config.corporateWhitelist.some((w) => name.includes(w.toLowerCase()))) {
+            return { decision: 'AUTO_APPROVE', reasons: ['Package is on corporate whitelist'], overrides };
+        }
+        if (risk.score >= this.config.blockThreshold) {
+            reasons.push(`Risk score ${risk.score} exceeds block threshold (${this.config.blockThreshold})`);
+            return { decision: 'BLOCK', reasons, overrides };
+        }
+        if (!dataAssessment.sufficient) {
+            return {
+                decision: 'REQUIRE_APPROVAL',
+                reasons: [
+                    'Not enough data was gathered to verify this target automatically',
+                    ...dataAssessment.reasons,
+                ],
+                overrides,
+            };
+        }
+        if (this.config.autoApproveTrusted) {
+            const verified = findings.some((f) => f.ruleId === 'verified-publisher' && f.positive);
+            if (verified) {
+                reasons.push('Verified publisher');
+                return { decision: 'AUTO_APPROVE', reasons, overrides };
+            }
+            if (this.config.trustedPublishers.some((p) => name.includes(p.toLowerCase()))) {
+                reasons.push('Trusted publisher');
+                return { decision: 'AUTO_APPROVE', reasons, overrides };
+            }
+        }
+        let decision = 'APPROVE';
+        if (this.config.warnOnInstallScript) {
+            const hasInstallScript = findings.some((f) => f.category === 'install-script' && f.ruleId?.startsWith('script-'));
+            if (hasInstallScript) {
+                reasons.push('Package has install scripts');
+                decision = 'WARN';
+            }
+        }
+        if (this.config.warnOnShellAccess) {
+            const hasShell = findings.some((f) => f.category === 'static-code' && ['spawn', 'exec', 'child-process', 'os-system', 'subprocess'].includes(f.ruleId ?? ''));
+            if (hasShell) {
+                reasons.push('Package requires shell access');
+                decision = decision === 'WARN' ? 'WARN' : 'REQUIRE_APPROVAL';
+            }
+        }
+        if (this.config.requireApprovalForNetwork) {
+            const hasNetwork = permissions.some((p) => p.type.startsWith('network-')) ||
+                findings.some((f) => f.category === 'network' && f.severity !== 'LOW');
+            if (hasNetwork) {
+                reasons.push('Package requires network access');
+                decision = 'REQUIRE_APPROVAL';
+            }
+        }
+        if (risk.score >= this.config.warnThreshold && decision === 'APPROVE') {
+            reasons.push(`Risk score ${risk.score} exceeds warn threshold (${this.config.warnThreshold})`);
+            decision = 'WARN';
+        }
+        if (reasons.length === 0) {
+            reasons.push('No policy violations detected');
+        }
+        return { decision, reasons, overrides };
+    }
+}
+export function loadPolicyConfig(overrides) {
+    return { ...DEFAULT_POLICY, ...overrides };
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/engine/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/engine/policy-engine.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,SAAuB,cAAc;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,QAAQ,CACN,MAAc,EACd,IAAe,EACf,QAAmB,EACnB,WAAyB,EACzB,cAA8B;QAE9B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAEvC,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QAC1F,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QACjG,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,6BAA6B,IAAI,CAAC,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC;YACjG,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,OAAO,EAAE;oBACP,kEAAkE;oBAClE,GAAG,cAAc,CAAC,OAAO;iBAC1B;gBACD,SAAS;aACV,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACvF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBACnC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC9E,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;gBAClC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,GAAmB,SAAS,CAAC;QAEzC,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CACpC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,gBAAgB,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAC1E,CAAC;YACF,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;gBAC5C,QAAQ,GAAG,MAAM,CAAC;YACpB,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAC9H,CAAC;YACF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBAC9C,QAAQ,GAAG,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;YAC/D,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,yBAAyB,EAAE,CAAC;YAC1C,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC;YACzE,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBAChD,QAAQ,GAAG,kBAAkB,CAAC;YAChC,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,4BAA4B,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC;YAC/F,QAAQ,GAAG,MAAM,CAAC;QACpB,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;CACF;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiC;IAChE,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,SAAS,EAAE,CAAC;AAC7C,CAAC"}

package/dist/engine/risk-calculator.d.ts

@@ -0,0 +1,15 @@
+import type { Finding } from '../domain/finding.js';
+import type { RiskScore } from '../domain/risk.js';
+export declare const TEST_FINDING_WEIGHT = 0.1;
+export interface AnalysisEvidence {
+    readonly hasMetadata: boolean;
+    readonly fileCount: number;
+}
+export interface RiskOptions {
+    readonly testFindingWeight?: number;
+}
+export declare class RiskCalculator {
+    calculate(findings: Finding[], evidence?: AnalysisEvidence, options?: RiskOptions): RiskScore;
+    private computeConfidence;
+}
+//# sourceMappingURL=risk-calculator.d.ts.map

package/dist/engine/risk-calculator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-calculator.d.ts","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAMnD,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAUvC,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CACrC;AAED,qBAAa,cAAc;IACzB,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,QAAQ,CAAC,EAAE,gBAAgB,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,SAAS;IA+B7F,OAAO,CAAC,iBAAiB;CAe1B"}

package/dist/engine/risk-calculator.js

@@ -0,0 +1,57 @@
+import { SEVERITY_WEIGHTS } from '../domain/finding.js';
+import { clampScore, scoreToLevel } from '../domain/risk.js';
+const POSITIVE_SIGNAL_WEIGHT = 5;
+const MAX_POSITIVE_REDUCTION = 30;
+export const TEST_FINDING_WEIGHT = 0.1;
+const FULL_WEIGHT = 1;
+const CONFIDENCE_METADATA = 35;
+const CONFIDENCE_HAS_FILES = 25;
+const CONFIDENCE_PER_FILE = 2;
+const CONFIDENCE_MAX_FILE_BONUS = 20;
+const CONFIDENCE_PER_SIGNAL = 2;
+const CONFIDENCE_MAX_SIGNAL_BONUS = 20;
+export class RiskCalculator {
+    calculate(findings, evidence, options) {
+        const testFindingWeight = options?.testFindingWeight ?? FULL_WEIGHT;
+        let negativeScore = 0;
+        let positiveReduction = 0;
+        let positiveSignals = 0;
+        let negativeSignals = 0;
+        for (const finding of findings) {
+            if (finding.positive) {
+                positiveSignals++;
+                positiveReduction += POSITIVE_SIGNAL_WEIGHT;
+            }
+            else if (finding.severity !== 'INFO') {
+                negativeSignals++;
+                const weight = finding.isTest ? testFindingWeight : FULL_WEIGHT;
+                negativeScore += SEVERITY_WEIGHTS[finding.severity] * weight;
+            }
+        }
+        const cappedReduction = Math.min(positiveReduction, MAX_POSITIVE_REDUCTION);
+        const finalScore = clampScore(negativeScore - cappedReduction);
+        const totalSignals = positiveSignals + negativeSignals;
+        return {
+            score: finalScore,
+            level: scoreToLevel(finalScore),
+            confidence: this.computeConfidence(totalSignals, evidence),
+            positiveSignals,
+            negativeSignals,
+        };
+    }
+    computeConfidence(totalSignals, evidence) {
+        if (!evidence) {
+            return totalSignals > 0 ? Math.min(100, 50 + totalSignals * 5) : 30;
+        }
+        let confidence = 0;
+        if (evidence.hasMetadata)
+            confidence += CONFIDENCE_METADATA;
+        if (evidence.fileCount > 0) {
+            confidence += CONFIDENCE_HAS_FILES;
+            confidence += Math.min(evidence.fileCount * CONFIDENCE_PER_FILE, CONFIDENCE_MAX_FILE_BONUS);
+        }
+        confidence += Math.min(totalSignals * CONFIDENCE_PER_SIGNAL, CONFIDENCE_MAX_SIGNAL_BONUS);
+        return clampScore(confidence);
+    }
+}
+//# sourceMappingURL=risk-calculator.js.map

package/dist/engine/risk-calculator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-calculator.js","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE7D,MAAM,sBAAsB,GAAG,CAAC,CAAC;AACjC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AACvC,MAAM,WAAW,GAAG,CAAC,CAAC;AAEtB,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAChC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,yBAAyB,GAAG,EAAE,CAAC;AACrC,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAChC,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAWvC,MAAM,OAAO,cAAc;IACzB,SAAS,CAAC,QAAmB,EAAE,QAA2B,EAAE,OAAqB;QAC/E,MAAM,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,IAAI,WAAW,CAAC;QACpE,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,iBAAiB,GAAG,CAAC,CAAC;QAC1B,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,eAAe,EAAE,CAAC;gBAClB,iBAAiB,IAAI,sBAAsB,CAAC;YAC9C,CAAC;iBAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACvC,eAAe,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChE,aAAa,IAAI,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC;YAC/D,CAAC;QACH,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;QAC5E,MAAM,UAAU,GAAG,UAAU,CAAC,aAAa,GAAG,eAAe,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,eAAe,GAAG,eAAe,CAAC;QAEvD,OAAO;YACL,KAAK,EAAE,UAAU;YACjB,KAAK,EAAE,YAAY,CAAC,UAAU,CAAC;YAC/B,UAAU,EAAE,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,QAAQ,CAAC;YAC1D,eAAe;YACf,eAAe;SAChB,CAAC;IACJ,CAAC;IAEO,iBAAiB,CAAC,YAAoB,EAAE,QAA2B;QACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,CAAC;QAED,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,QAAQ,CAAC,WAAW;YAAE,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,QAAQ,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YAC3B,UAAU,IAAI,oBAAoB,CAAC;YACnC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,mBAAmB,EAAE,yBAAyB,CAAC,CAAC;QAC9F,CAAC;QACD,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,qBAAqB,EAAE,2BAA2B,CAAC,CAAC;QAE1F,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;CACF"}

package/dist/factory.d.ts

@@ -0,0 +1,14 @@
+import type { PolicyConfig } from './engine/default-policy.js';
+import type { ReportFormat } from './domain/report.js';
+import type { ApprovalPrompt } from './ports/approval-prompt.js';
+import type { ProcessRunner } from './ports/process-runner.js';
+export interface SentinelFactoryOptions {
+    policyConfig?: Partial<PolicyConfig>;
+    reportFormat?: ReportFormat;
+    autoApprove?: boolean;
+    approvalPrompt?: ApprovalPrompt;
+    processRunner?: ProcessRunner;
+    registryUrl?: string;
+}
+export declare function createDefaultSentinel(options?: SentinelFactoryOptions): import("./core/sentinel.js").Sentinel;
+//# sourceMappingURL=factory.d.ts.map

package/dist/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D,MAAM,WAAW,sBAAsB;IACrC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,sBAA2B,yCAkBzE"}

package/dist/factory.js

@@ -0,0 +1,25 @@
+import { AcquirerRegistry, GithubAcquirer, LocalAcquirer, NpmAcquirer } from './acquire/acquirer.js';
+import { createDefaultAnalyzers } from './analyzers/index.js';
+import { CliApprovalPrompt } from './adapters/cli-approval-prompt.js';
+import { GithubRepoClient } from './adapters/github-repo-client.js';
+import { NodeProcessRunner } from './adapters/node-process-runner.js';
+import { NpmRegistryClient } from './adapters/npm-registry-client.js';
+import { createSentinel } from './core/sentinel.js';
+export function createDefaultSentinel(options = {}) {
+    const registry = new NpmRegistryClient(options.registryUrl);
+    const repoClient = new GithubRepoClient();
+    const acquirerRegistry = new AcquirerRegistry();
+    acquirerRegistry.register(new NpmAcquirer(registry));
+    acquirerRegistry.register(new GithubAcquirer(repoClient));
+    acquirerRegistry.register(new LocalAcquirer('skill'));
+    acquirerRegistry.register(new LocalAcquirer('local'));
+    return createSentinel({
+        acquirerRegistry,
+        analyzers: createDefaultAnalyzers(registry),
+        policyConfig: options.policyConfig,
+        approvalPrompt: options.approvalPrompt ?? new CliApprovalPrompt(options.autoApprove),
+        processRunner: options.processRunner ?? new NodeProcessRunner(),
+        reportFormat: options.reportFormat,
+    });
+}
+//# sourceMappingURL=factory.js.map

package/dist/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrG,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAepD,MAAM,UAAU,qBAAqB,CAAC,UAAkC,EAAE;IACxE,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,IAAI,gBAAgB,EAAE,CAAC;IAE1C,MAAM,gBAAgB,GAAG,IAAI,gBAAgB,EAAE,CAAC;IAChD,gBAAgB,CAAC,QAAQ,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrD,gBAAgB,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC;IAC1D,gBAAgB,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,gBAAgB,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;IAEtD,OAAO,cAAc,CAAC;QACpB,gBAAgB;QAChB,SAAS,EAAE,sBAAsB,CAAC,QAAQ,CAAC;QAC3C,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,IAAI,iBAAiB,CAAC,OAAO,CAAC,WAAW,CAAC;QACpF,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI,iBAAiB,EAAE;QAC/D,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export * from './domain/index.js';
+export * from './core/index.js';
+export * from './factory.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export * from './domain/index.js';
+export * from './core/index.js';
+export * from './factory.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAChC,cAAc,cAAc,CAAC"}

package/dist/mcp/server.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=server.d.ts.map

package/dist/mcp/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":""}