@runhalo/engine 0.4.0 → 0.6.0

package/dist/frameworks/index.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Framework Allowlisting System
+ *
+ * Entry point for Halo's framework-aware rule management. When a developer
+ * declares their framework in .halorc.json (e.g. { "framework": "nextjs" }),
+ * Halo loads the corresponding profile and automatically suppresses or
+ * downgrades rules that the framework already handles natively.
+ *
+ * Usage:
+ *   import { applyFrameworkOverrides } from './frameworks';
+ *   const result = applyFrameworkOverrides(violations, 'nextjs');
+ *   // result.violations  — filtered/downgraded violations
+ *   // result.suppressedCount — number of violations removed
+ *   // result.downgradedCount — number of violations with reduced severity
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getFrameworkProfile = getFrameworkProfile;
+exports.listFrameworks = listFrameworks;
+exports.applyFrameworkOverrides = applyFrameworkOverrides;
+const nextjs_1 = require("./nextjs");
+const django_1 = require("./django");
+const rails_1 = require("./rails");
+const react_1 = require("./react");
+const vue_1 = require("./vue");
+const angular_1 = require("./angular");
+/** Registry of all built-in framework profiles keyed by id. */
+const FRAMEWORK_REGISTRY = {
+    nextjs: nextjs_1.nextjsProfile,
+    django: django_1.djangoProfile,
+    rails: rails_1.railsProfile,
+    react: react_1.reactProfile,
+    vue: vue_1.vueProfile,
+    angular: angular_1.angularProfile,
+};
+/**
+ * Look up a framework profile by its id.
+ *
+ * @param id - Framework identifier (e.g. "nextjs", "django", "rails")
+ * @returns The matching FrameworkProfile, or null if not found
+ */
+function getFrameworkProfile(id) {
+    return FRAMEWORK_REGISTRY[id] ?? null;
+}
+/**
+ * List all registered framework ids.
+ *
+ * @returns Sorted array of framework id strings
+ */
+function listFrameworks() {
+    return Object.keys(FRAMEWORK_REGISTRY).sort();
+}
+/**
+ * Apply a framework's rule overrides to a set of violations.
+ *
+ * For each violation whose ruleId appears in the framework's handled_rules:
+ * - "suppress" removes the violation from the output entirely
+ * - "downgrade" reduces the violation's severity to the specified level
+ *
+ * Violations whose ruleId is NOT in the framework's profile are passed
+ * through unchanged.
+ *
+ * @param violations - Array of violation objects to filter
+ * @param frameworkId - Framework identifier to look up
+ * @returns Object with the filtered violations array and counts
+ */
+function applyFrameworkOverrides(violations, frameworkId) {
+    const profile = getFrameworkProfile(frameworkId);
+    if (!profile) {
+        return { violations: [...violations], suppressedCount: 0, downgradedCount: 0 };
+    }
+    // Build a lookup map from rule_id to override for O(1) access
+    const overrideMap = new Map(profile.handled_rules.map((override) => [override.rule_id, override]));
+    let suppressedCount = 0;
+    let downgradedCount = 0;
+    const filtered = [];
+    for (const violation of violations) {
+        const override = overrideMap.get(violation.ruleId);
+        if (!override) {
+            filtered.push(violation);
+            continue;
+        }
+        if (override.action === 'suppress') {
+            suppressedCount++;
+            // Violation is removed from output
+            continue;
+        }
+        if (override.action === 'downgrade' && override.downgrade_to) {
+            downgradedCount++;
+            // Create a shallow copy with the new severity to avoid mutating the original
+            filtered.push({ ...violation, severity: override.downgrade_to });
+            continue;
+        }
+        // Fallback: pass through if action is unrecognized
+        filtered.push(violation);
+    }
+    return { violations: filtered, suppressedCount, downgradedCount };
+}
+//# sourceMappingURL=index.js.map

package/dist/frameworks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/frameworks/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAuCH,kDAEC;AAOD,wCAEC;AAgBD,0DA6CC;AA1GD,qCAAyC;AACzC,qCAAyC;AACzC,mCAAuC;AACvC,mCAAuC;AACvC,+BAAmC;AACnC,uCAA2C;AAa3C,+DAA+D;AAC/D,MAAM,kBAAkB,GAAqC;IAC3D,MAAM,EAAE,sBAAa;IACrB,MAAM,EAAE,sBAAa;IACrB,KAAK,EAAE,oBAAY;IACnB,KAAK,EAAE,oBAAY;IACnB,GAAG,EAAE,gBAAU;IACf,OAAO,EAAE,wBAAc;CACxB,CAAC;AAEF;;;;;GAKG;AACH,SAAgB,mBAAmB,CAAC,EAAU;IAC5C,OAAO,kBAAkB,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;AACxC,CAAC;AAED;;;;GAIG;AACH,SAAgB,cAAc;IAC5B,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,uBAAuB,CACrC,UAAe,EACf,WAAmB;IAEnB,MAAM,OAAO,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;IAEjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,UAAU,EAAE,CAAC,GAAG,UAAU,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;IACjF,CAAC;IAED,8DAA8D;IAC9D,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CACtE,CAAC;IAEF,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,MAAM,QAAQ,GAAQ,EAAE,CAAC;IAEzB,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACzB,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACnC,eAAe,EAAE,CAAC;YAClB,mCAAmC;YACnC,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC7D,eAAe,EAAE,CAAC;YAClB,6EAA6E;YAC7E,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;YACjE,SAAS;QACX,CAAC;QAED,mDAAmD;QACnD,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,eAAe,EAAE,CAAC;AACpE,CAAC"}

package/dist/frameworks/nextjs.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Next.js Framework Profile
+ *
+ * Next.js provides built-in protections that overlap with several COPPA rules:
+ * - React JSX auto-escaping mitigates most XSS vectors
+ * - HTTPS enforcement in production covers unencrypted PII transmission
+ * - Next.js Link component handles external navigation safely
+ * - Middleware provides centralized cookie management
+ */
+import { FrameworkProfile } from './types';
+export declare const nextjsProfile: FrameworkProfile;

package/dist/frameworks/nextjs.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Next.js Framework Profile
+ *
+ * Next.js provides built-in protections that overlap with several COPPA rules:
+ * - React JSX auto-escaping mitigates most XSS vectors
+ * - HTTPS enforcement in production covers unencrypted PII transmission
+ * - Next.js Link component handles external navigation safely
+ * - Middleware provides centralized cookie management
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nextjsProfile = void 0;
+exports.nextjsProfile = {
+    id: 'nextjs',
+    name: 'Next.js',
+    ecosystem: 'javascript',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'React auto-escapes JSX output by default. dangerouslySetInnerHTML is the only XSS vector and is flagged separately.',
+            documentation_url: 'https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html',
+        },
+        {
+            rule_id: 'coppa-sec-006',
+            action: 'suppress',
+            reason: 'Next.js enforces HTTPS in production. API routes run server-side. Development HTTP is expected.',
+            documentation_url: 'https://nextjs.org/docs/app/api-reference/next-config-js/headers',
+        },
+        {
+            rule_id: 'coppa-ext-017',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: "Next.js Link component handles external navigation. rel='noopener noreferrer' is auto-added.",
+            documentation_url: 'https://nextjs.org/docs/app/api-reference/components/link',
+        },
+        {
+            rule_id: 'coppa-cookies-016',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Next.js middleware can intercept and manage cookies centrally.',
+            documentation_url: 'https://nextjs.org/docs/app/building-your-application/routing/middleware',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'Next.js Image component for optimized, safe image handling',
+            patterns: [/next\/image/, /<Image\s/],
+            applies_to_rules: ['coppa-ugc-014'],
+        },
+        {
+            description: 'Next.js middleware for centralized request/response interception',
+            patterns: [/middleware\.(ts|js)/, /NextResponse/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+    ],
+};
+//# sourceMappingURL=nextjs.js.map

package/dist/frameworks/nextjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../src/frameworks/nextjs.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIU,QAAA,aAAa,GAAqB;IAC7C,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,SAAS;IACf,SAAS,EAAE,YAAY;IACvB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,qHAAqH;YAC7H,iBAAiB,EAAE,4FAA4F;SAChH;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,iGAAiG;YACzG,iBAAiB,EAAE,kEAAkE;SACtF;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,8FAA8F;YACtG,iBAAiB,EAAE,2DAA2D;SAC/E;QACD;YACE,OAAO,EAAE,mBAAmB;YAC5B,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,gEAAgE;YACxE,iBAAiB,EAAE,0EAA0E;SAC9F;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,4DAA4D;YACzE,QAAQ,EAAE,CAAC,aAAa,EAAE,UAAU,CAAC;YACrC,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;QACD;YACE,WAAW,EAAE,kEAAkE;YAC/E,QAAQ,EAAE,CAAC,qBAAqB,EAAE,cAAc,CAAC;YACjD,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;KACF;CACF,CAAC"}

package/dist/frameworks/rails.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Ruby on Rails Framework Profile
+ *
+ * Rails provides built-in protections that overlap with several COPPA rules:
+ * - ERB templates auto-escape all output by default
+ * - Strong parameters filter mass assignment (mitigates PII leaks)
+ * - ActiveRecord supports soft delete via acts_as_paranoid or discard gem
+ * - force_ssl config enforces HTTPS application-wide
+ */
+import { FrameworkProfile } from './types';
+export declare const railsProfile: FrameworkProfile;

package/dist/frameworks/rails.js

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * Ruby on Rails Framework Profile
+ *
+ * Rails provides built-in protections that overlap with several COPPA rules:
+ * - ERB templates auto-escape all output by default
+ * - Strong parameters filter mass assignment (mitigates PII leaks)
+ * - ActiveRecord supports soft delete via acts_as_paranoid or discard gem
+ * - force_ssl config enforces HTTPS application-wide
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.railsProfile = void 0;
+exports.railsProfile = {
+    id: 'rails',
+    name: 'Ruby on Rails',
+    ecosystem: 'ruby',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'suppress',
+            reason: 'ERB templates auto-escape all output by default.',
+            documentation_url: 'https://guides.rubyonrails.org/security.html#cross-site-scripting-xss',
+        },
+        {
+            rule_id: 'coppa-data-002',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Rails strong parameters filter mass assignment.',
+            documentation_url: 'https://guides.rubyonrails.org/action_controller_overview.html#strong-parameters',
+        },
+        {
+            rule_id: 'coppa-retention-005',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'ActiveRecord supports soft delete via acts_as_paranoid or discard gem.',
+            documentation_url: 'https://github.com/jhawthorn/discard',
+        },
+        {
+            rule_id: 'coppa-sec-006',
+            action: 'suppress',
+            reason: 'Rails force_ssl config enforces HTTPS.',
+            documentation_url: 'https://guides.rubyonrails.org/configuring.html#config-force-ssl',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'Rails CSRF protection via protect_from_forgery and authenticity tokens',
+            patterns: [/protect_from_forgery/, /authenticity_token/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+        {
+            description: 'Rails ActiveRecord encryption for sensitive attributes',
+            patterns: [/encrypts\s+:/, /has_encrypted/],
+            applies_to_rules: ['coppa-sec-006'],
+        },
+    ],
+};
+//# sourceMappingURL=rails.js.map

package/dist/frameworks/rails.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rails.js","sourceRoot":"","sources":["../../src/frameworks/rails.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIU,QAAA,YAAY,GAAqB;IAC5C,EAAE,EAAE,OAAO;IACX,IAAI,EAAE,eAAe;IACrB,SAAS,EAAE,MAAM;IACjB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,kDAAkD;YAC1D,iBAAiB,EAAE,uEAAuE;SAC3F;QACD;YACE,OAAO,EAAE,gBAAgB;YACzB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,iDAAiD;YACzD,iBAAiB,EAAE,kFAAkF;SACtG;QACD;YACE,OAAO,EAAE,qBAAqB;YAC9B,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,wEAAwE;YAChF,iBAAiB,EAAE,sCAAsC;SAC1D;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,wCAAwC;YAChD,iBAAiB,EAAE,kEAAkE;SACtF;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,wEAAwE;YACrF,QAAQ,EAAE,CAAC,sBAAsB,EAAE,oBAAoB,CAAC;YACxD,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;QACD;YACE,WAAW,EAAE,wDAAwD;YACrE,QAAQ,EAAE,CAAC,cAAc,EAAE,eAAe,CAAC;YAC3C,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;KACF;CACF,CAAC"}

package/dist/frameworks/react.d.ts

@@ -0,0 +1,13 @@
+/**
+ * React Framework Profile
+ *
+ * React provides JSX auto-escaping which mitigates most XSS vectors.
+ * Unlike Next.js, React does NOT provide:
+ * - HTTPS enforcement (deployment-dependent)
+ * - Safe link component (no built-in <Link> with rel attributes)
+ * - Cookie middleware (client-side only)
+ *
+ * This profile is deliberately narrower than the Next.js profile.
+ */
+import { FrameworkProfile } from './types';
+export declare const reactProfile: FrameworkProfile;

package/dist/frameworks/react.js

@@ -0,0 +1,36 @@
+"use strict";
+/**
+ * React Framework Profile
+ *
+ * React provides JSX auto-escaping which mitigates most XSS vectors.
+ * Unlike Next.js, React does NOT provide:
+ * - HTTPS enforcement (deployment-dependent)
+ * - Safe link component (no built-in <Link> with rel attributes)
+ * - Cookie middleware (client-side only)
+ *
+ * This profile is deliberately narrower than the Next.js profile.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reactProfile = void 0;
+exports.reactProfile = {
+    id: 'react',
+    name: 'React',
+    ecosystem: 'javascript',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'React auto-escapes JSX output by default. dangerouslySetInnerHTML is the only XSS vector.',
+            documentation_url: 'https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'React JSX auto-escaping protects against reflected XSS',
+            patterns: [/React/, /jsx/, /createElement/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+    ],
+};
+//# sourceMappingURL=react.js.map

package/dist/frameworks/react.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"react.js","sourceRoot":"","sources":["../../src/frameworks/react.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAIU,QAAA,YAAY,GAAqB;IAC5C,EAAE,EAAE,OAAO;IACX,IAAI,EAAE,OAAO;IACb,SAAS,EAAE,YAAY;IACvB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,2FAA2F;YACnG,iBAAiB,EAAE,4FAA4F;SAChH;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,wDAAwD;YACrE,QAAQ,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,eAAe,CAAC;YAC3C,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;KACF;CACF,CAAC"}

package/dist/frameworks/types.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Framework Allowlisting Type Definitions
+ *
+ * Defines the type contracts for framework profiles that declare which
+ * COPPA/ethical rules a framework already handles natively. When a developer
+ * declares their framework in .halorc.json, Halo uses these profiles to
+ * suppress or downgrade rules the framework covers automatically.
+ */
+export type FrameworkAction = 'suppress' | 'downgrade';
+export interface FrameworkRuleOverride {
+    rule_id: string;
+    action: FrameworkAction;
+    downgrade_to?: 'critical' | 'high' | 'medium' | 'low';
+    condition?: string;
+    reason: string;
+    documentation_url?: string;
+}
+export interface FrameworkSafePattern {
+    description: string;
+    patterns: RegExp[];
+    applies_to_rules: string[];
+}
+export interface FrameworkProfile {
+    id: string;
+    name: string;
+    ecosystem: 'javascript' | 'python' | 'ruby';
+    handled_rules: FrameworkRuleOverride[];
+    safe_patterns: FrameworkSafePattern[];
+}

package/dist/frameworks/types.js

@@ -0,0 +1,11 @@
+"use strict";
+/**
+ * Framework Allowlisting Type Definitions
+ *
+ * Defines the type contracts for framework profiles that declare which
+ * COPPA/ethical rules a framework already handles natively. When a developer
+ * declares their framework in .halorc.json, Halo uses these profiles to
+ * suppress or downgrade rules the framework covers automatically.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/frameworks/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/frameworks/types.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG"}

package/dist/frameworks/vue.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Vue.js Framework Profile
+ *
+ * Vue provides template auto-escaping which mitigates XSS vectors.
+ * v-html is the explicit escape hatch (similar to React's dangerouslySetInnerHTML).
+ * Vue Router provides safe navigation handling.
+ */
+import { FrameworkProfile } from './types';
+export declare const vueProfile: FrameworkProfile;

package/dist/frameworks/vue.js

@@ -0,0 +1,39 @@
+"use strict";
+/**
+ * Vue.js Framework Profile
+ *
+ * Vue provides template auto-escaping which mitigates XSS vectors.
+ * v-html is the explicit escape hatch (similar to React's dangerouslySetInnerHTML).
+ * Vue Router provides safe navigation handling.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vueProfile = void 0;
+exports.vueProfile = {
+    id: 'vue',
+    name: 'Vue.js',
+    ecosystem: 'javascript',
+    handled_rules: [
+        {
+            rule_id: 'coppa-sec-015',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Vue auto-escapes template interpolation by default. v-html is the only XSS vector.',
+            documentation_url: 'https://vuejs.org/guide/best-practices/security.html#rule-no-1-never-use-non-trusted-templates',
+        },
+        {
+            rule_id: 'coppa-ext-017',
+            action: 'downgrade',
+            downgrade_to: 'low',
+            reason: 'Vue Router can be configured to handle external navigation with guards.',
+            documentation_url: 'https://router.vuejs.org/guide/advanced/navigation-guards.html',
+        },
+    ],
+    safe_patterns: [
+        {
+            description: 'Vue template auto-escaping protects against XSS',
+            patterns: [/Vue/, /createApp/, /\.vue$/],
+            applies_to_rules: ['coppa-sec-015'],
+        },
+    ],
+};
+//# sourceMappingURL=vue.js.map

package/dist/frameworks/vue.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vue.js","sourceRoot":"","sources":["../../src/frameworks/vue.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAIU,QAAA,UAAU,GAAqB;IAC1C,EAAE,EAAE,KAAK;IACT,IAAI,EAAE,QAAQ;IACd,SAAS,EAAE,YAAY;IACvB,aAAa,EAAE;QACb;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,oFAAoF;YAC5F,iBAAiB,EAAE,gGAAgG;SACpH;QACD;YACE,OAAO,EAAE,eAAe;YACxB,MAAM,EAAE,WAAW;YACnB,YAAY,EAAE,KAAK;YACnB,MAAM,EAAE,yEAAyE;YACjF,iBAAiB,EAAE,gEAAgE;SACpF;KACF;IACD,aAAa,EAAE;QACb;YACE,WAAW,EAAE,iDAAiD;YAC9D,QAAQ,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC;YACxC,gBAAgB,EAAE,CAAC,eAAe,CAAC;SACpC;KACF;CACF,CAAC"}

package/dist/graduation/fp-verdict-logger.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Sprint 13a Week 2: FP Verdict Logger
+ *
+ * Stage 1 of the Graduation Pipeline.
+ * Logs each AI Review Board verdict to a structured JSONL file.
+ * Captures the fpPatternId, confidence, and context needed for
+ * downstream aggregation.
+ *
+ * Output: One JSONL file per scan, written to a configurable directory.
+ * Each line is a complete VerdictLogEntry.
+ */
+export interface VerdictLogEntry {
+    /** Timestamp of the verdict */
+    timestamp: string;
+    /** Scan identifier (for grouping entries from the same scan) */
+    scanId: string;
+    /** The rule that was evaluated */
+    ruleId: string;
+    /** File where the violation was found */
+    filePath: string;
+    /** Line number */
+    line: number;
+    /** The verdict from the Review Board */
+    verdict: 'confirmed' | 'downgraded' | 'escalated' | 'dismissed';
+    /** Confidence score (1-10) */
+    confidence: number;
+    /** FP pattern ID if dismissed */
+    fpPatternId?: string;
+    /** Human-readable FP reason */
+    fpReason?: string;
+    /** Code snippet for pattern analysis */
+    codeSnippet?: string;
+    /** File metadata flags at time of scan */
+    fileMetadata?: {
+        language: string;
+        isVendor: boolean;
+        isTest: boolean;
+        isAdmin: boolean;
+        isConsent: boolean;
+        isDocGenerator: boolean;
+    };
+    /** Whether this was from multi-agent review */
+    multiAgent?: boolean;
+    /** If multi-agent, the agreement level */
+    agreementLevel?: 'full' | 'partial' | 'split';
+    /** Model used for the review */
+    modelUsed?: string;
+    /** Prompt version identifier */
+    promptVersion?: string;
+}
+export declare class FPVerdictLogger {
+    private logDir;
+    private scanId;
+    private logPath;
+    private promptVersion;
+    constructor(options: {
+        logDir: string;
+        scanId: string;
+        promptVersion?: string;
+    });
+    /**
+     * Log a single verdict entry.
+     */
+    log(entry: Omit<VerdictLogEntry, 'timestamp' | 'scanId' | 'promptVersion'>): void;
+    /**
+     * Log a batch of verdict entries (from a Review Board response).
+     */
+    logBatch(entries: Array<Omit<VerdictLogEntry, 'timestamp' | 'scanId' | 'promptVersion'>>): void;
+    /**
+     * Get the path to the current log file.
+     */
+    getLogPath(): string;
+    /**
+     * Read all entries from a log file.
+     */
+    static readLog(logPath: string): VerdictLogEntry[];
+    /**
+     * Read all log files from a directory.
+     */
+    static readAllLogs(logDir: string): VerdictLogEntry[];
+}

package/dist/graduation/fp-verdict-logger.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * Sprint 13a Week 2: FP Verdict Logger
+ *
+ * Stage 1 of the Graduation Pipeline.
+ * Logs each AI Review Board verdict to a structured JSONL file.
+ * Captures the fpPatternId, confidence, and context needed for
+ * downstream aggregation.
+ *
+ * Output: One JSONL file per scan, written to a configurable directory.
+ * Each line is a complete VerdictLogEntry.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FPVerdictLogger = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+// ─── Logger ─────────────────────────────────────────────────────────────────
+class FPVerdictLogger {
+    constructor(options) {
+        this.logDir = options.logDir;
+        this.scanId = options.scanId;
+        this.promptVersion = options.promptVersion || 'v1.0';
+        this.logPath = path.join(this.logDir, `verdicts-${this.scanId}.jsonl`);
+        // Ensure log directory exists
+        if (!fs.existsSync(this.logDir)) {
+            fs.mkdirSync(this.logDir, { recursive: true });
+        }
+    }
+    /**
+     * Log a single verdict entry.
+     */
+    log(entry) {
+        const fullEntry = {
+            ...entry,
+            timestamp: new Date().toISOString(),
+            scanId: this.scanId,
+            promptVersion: this.promptVersion,
+        };
+        fs.appendFileSync(this.logPath, JSON.stringify(fullEntry) + '\n', 'utf-8');
+    }
+    /**
+     * Log a batch of verdict entries (from a Review Board response).
+     */
+    logBatch(entries) {
+        const lines = entries.map(entry => {
+            const fullEntry = {
+                ...entry,
+                timestamp: new Date().toISOString(),
+                scanId: this.scanId,
+                promptVersion: this.promptVersion,
+            };
+            return JSON.stringify(fullEntry);
+        });
+        fs.appendFileSync(this.logPath, lines.join('\n') + '\n', 'utf-8');
+    }
+    /**
+     * Get the path to the current log file.
+     */
+    getLogPath() {
+        return this.logPath;
+    }
+    /**
+     * Read all entries from a log file.
+     */
+    static readLog(logPath) {
+        if (!fs.existsSync(logPath))
+            return [];
+        return fs.readFileSync(logPath, 'utf-8')
+            .split('\n')
+            .filter(line => line.trim())
+            .map(line => {
+            try {
+                return JSON.parse(line);
+            }
+            catch {
+                return null;
+            }
+        })
+            .filter((entry) => entry !== null);
+    }
+    /**
+     * Read all log files from a directory.
+     */
+    static readAllLogs(logDir) {
+        if (!fs.existsSync(logDir))
+            return [];
+        const files = fs.readdirSync(logDir)
+            .filter(f => f.startsWith('verdicts-') && f.endsWith('.jsonl'));
+        const allEntries = [];
+        for (const file of files) {
+            allEntries.push(...FPVerdictLogger.readLog(path.join(logDir, file)));
+        }
+        return allEntries;
+    }
+}
+exports.FPVerdictLogger = FPVerdictLogger;
+//# sourceMappingURL=fp-verdict-logger.js.map

package/dist/graduation/fp-verdict-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fp-verdict-logger.js","sourceRoot":"","sources":["../../src/graduation/fp-verdict-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AA4C7B,+EAA+E;AAE/E,MAAa,eAAe;IAM1B,YAAY,OAIX;QACC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAC;QACrD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,CAAC,MAAM,QAAQ,CAAC,CAAC;QAEvE,8BAA8B;QAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,KAAsE;QACxE,MAAM,SAAS,GAAoB;YACjC,GAAG,KAAK;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC;QAEF,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAA+E;QACtF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;YAChC,MAAM,SAAS,GAAoB;gBACjC,GAAG,KAAK;gBACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,aAAa,EAAE,IAAI,CAAC,aAAa;aAClC,CAAC;YACF,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACpE,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,OAAe;QAC5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAC;QAEvC,OAAO,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC;aACrC,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;aAC3B,GAAG,CAAC,IAAI,CAAC,EAAE;YACV,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAoB,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,KAAK,EAA4B,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,MAAc;QAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,EAAE,CAAC;QAEtC,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;aACjC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElE,MAAM,UAAU,GAAsB,EAAE,CAAC;QACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;QACvE,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AA/FD,0CA+FC"}