npm - @shepai/cli - Versions diffs - 1.170.0-pr513.cff27cb → 1.171.0-pr527.e2ee839 - Mend

@shepai/cli 1.170.0-pr513.cff27cb → 1.171.0-pr527.e2ee839

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (588) hide show

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.js ADDED Viewed

@@ -0,0 +1,215 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecurityActionCategory } from '../../../domain/generated/output.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+import { randomUUID } from 'node:crypto';
+import { execFile as execFileCb } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFileCb);
+/**
+ * Default dependency rules when no policy file defines them.
+ */
+const DEFAULT_DEPENDENCY_RULES = {
+    checkLockfileConsistency: true,
+    checkLifecycleScripts: true,
+    checkNonRegistrySource: true,
+    enforceStrictVersionRanges: false,
+    allowlist: [],
+    denylist: [],
+};
+/**
+ * Default release rules when no policy file defines them.
+ */
+const DEFAULT_RELEASE_RULES = {
+    requireCiOnlyPublishing: true,
+    requireProvenance: true,
+    checkWorkflowIntegrity: true,
+};
+let EnforceSecurityUseCase = class EnforceSecurityUseCase {
+    policyService;
+    eventRepository;
+    settingsRepository;
+    dependencyEvaluator;
+    releaseEvaluator;
+    githubService;
+    constructor(policyService, eventRepository, settingsRepository, dependencyEvaluator, releaseEvaluator, githubService) {
+        this.policyService = policyService;
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+        this.dependencyEvaluator = dependencyEvaluator;
+        this.releaseEvaluator = releaseEvaluator;
+        this.githubService = githubService;
+    }
+    async execute(input) {
+        // Evaluate effective policy
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Disabled mode — return empty pass result
+        if (policy.mode === SecurityMode.Disabled) {
+            return {
+                passed: true,
+                mode: SecurityMode.Disabled,
+                policy,
+                dependencyFindings: [],
+                releaseIntegrity: { checks: [], passed: true },
+                governanceFindings: [],
+                totalFindings: 0,
+            };
+        }
+        // Run dependency-risk checks
+        const dependencyFindings = this.dependencyEvaluator.evaluate(input.repositoryPath, DEFAULT_DEPENDENCY_RULES);
+        // Run release-integrity checks
+        const releaseIntegrity = this.releaseEvaluator.evaluate(input.repositoryPath, DEFAULT_RELEASE_RULES);
+        // Run governance audit (audit-only — does not affect pass/fail)
+        const governanceFindings = await this.runGovernanceAudit(input.repositoryPath);
+        // Count total findings (governance excluded — audit-only per FR-15)
+        const failedReleaseChecks = releaseIntegrity.checks.filter((c) => !c.passed);
+        const totalFindings = dependencyFindings.length + failedReleaseChecks.length;
+        // Persist findings as security events
+        await this.persistFindings(input.repositoryPath, dependencyFindings, releaseIntegrity, governanceFindings);
+        // Update settings with evaluation timestamp
+        await this.updateEvaluationTimestamp(policy.source);
+        // Determine pass/fail based on mode (governance is always advisory)
+        const hasFailures = totalFindings > 0;
+        const passed = policy.mode === SecurityMode.Advisory ? true : !hasFailures;
+        return {
+            passed,
+            mode: policy.mode,
+            policy,
+            dependencyFindings,
+            releaseIntegrity,
+            governanceFindings,
+            totalFindings,
+        };
+    }
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    async runGovernanceAudit(repositoryPath) {
+        try {
+            const { stdout } = await execFileAsync('git', ['remote', 'get-url', 'origin'], {
+                cwd: repositoryPath,
+            });
+            const remoteUrl = stdout.trim();
+            if (!remoteUrl)
+                return [];
+            const parsed = this.githubService.parseGitHubUrl(remoteUrl);
+            return await this.githubService.auditRepositoryGovernance(parsed.owner, parsed.repo);
+        }
+        catch {
+            // Not a GitHub repository, no remote configured, or parse failure — skip governance audit
+            return [];
+        }
+    }
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    async persistFindings(repositoryPath, depFindings, releaseResult, govFindings) {
+        const now = new Date().toISOString();
+        for (const finding of depFindings) {
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity: finding.severity,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: 'Denied',
+                message: finding.message,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+        for (const check of releaseResult.checks) {
+            if (!check.passed) {
+                const event = {
+                    id: randomUUID(),
+                    repositoryPath,
+                    severity: check.severity,
+                    category: SecurityActionCategory.PublishRelease,
+                    disposition: 'Denied',
+                    message: check.message,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                await this.eventRepository.save(event);
+            }
+        }
+        // Persist governance findings as advisory events
+        for (const finding of govFindings) {
+            // Map governance severity to SecuritySeverity (Unknown → Low for persistence)
+            const severity = finding.severity === 'Unknown'
+                ? 'Low'
+                : finding.severity;
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity,
+                category: SecurityActionCategory.CiWorkflowModify,
+                disposition: 'Allowed',
+                message: `[Governance Audit] ${finding.message}`,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+    }
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    async updateEvaluationTimestamp(policySource) {
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — evaluation results are still returned even if settings update fails
+        }
+    }
+};
+EnforceSecurityUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISecurityEventRepository')),
+    __param(2, inject('ISettingsRepository')),
+    __param(3, inject('DependencyRiskEvaluator')),
+    __param(4, inject('ReleaseIntegrityEvaluator')),
+    __param(5, inject('IGitHubRepositoryService')),
+    __metadata("design:paramtypes", [Object, Object, Object, DependencyRiskEvaluator,
+        ReleaseIntegrityEvaluator, Object])
+], EnforceSecurityUseCase);
+export { EnforceSecurityUseCase };

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+import type { EffectivePolicySnapshot } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Input for the evaluate security policy use case.
+ */
+export interface EvaluateSecurityPolicyInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+export declare class EvaluateSecurityPolicyUseCase {
+    private readonly policyService;
+    private readonly settingsRepository;
+    constructor(policyService: ISecurityPolicyService, settingsRepository: ISettingsRepository);
+    execute(input: EvaluateSecurityPolicyInput): Promise<EffectivePolicySnapshot>;
+}
+//# sourceMappingURL=evaluate-security-policy.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"evaluate-security-policy.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAC;AACnF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAE5G;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,aAAa,EAAE,sBAAsB,EAErC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAqBpF"}

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.js ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode } from '../../../domain/generated/output.js';
+let EvaluateSecurityPolicyUseCase = class EvaluateSecurityPolicyUseCase {
+    policyService;
+    settingsRepository;
+    constructor(policyService, settingsRepository) {
+        this.policyService = policyService;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(input) {
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Update settings with evaluation timestamp and source
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource: policy.source,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — policy is still returned even if settings update fails
+        }
+        return policy;
+    }
+};
+EvaluateSecurityPolicyUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], EvaluateSecurityPolicyUseCase);
+export { EvaluateSecurityPolicyUseCase };

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Get Security State Use Case
+ *
+ * Returns the current security state for UI projection:
+ * - Effective mode from settings
+ * - Recent security events (limited)
+ * - Highest-severity open finding
+ * - Last evaluation timestamp
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { SecurityEvent } from '../../../domain/generated/output.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Security state summary for UI projection.
+ */
+export interface SecurityState {
+    /** Effective security mode */
+    mode: SecurityMode;
+    /** Last evaluation timestamp (ISO string) or null */
+    lastEvaluationAt: string | null;
+    /** Policy source or null */
+    policySource: string | null;
+    /** Recent security events (most recent first, limited) */
+    recentEvents: SecurityEvent[];
+    /** Highest-severity finding from recent events, or null */
+    highestSeverityFinding: SecurityEvent | null;
+}
+export declare class GetSecurityStateUseCase {
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    constructor(eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository);
+    execute(repositoryPath: string): Promise<SecurityState>;
+    private findHighestSeverity;
+}
+//# sourceMappingURL=get-security-state.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"get-security-state.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/get-security-state.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAoB,MAAM,qCAAqC,CAAC;AACrF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAK5G;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,4BAA4B;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,0DAA0D;IAC1D,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,2DAA2D;IAC3D,sBAAsB,EAAE,aAAa,GAAG,IAAI,CAAC;CAC9C;AAUD,qBACa,uBAAuB;IAGhC,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB7D,OAAO,CAAC,mBAAmB;CAgB5B"}

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.js ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Get Security State Use Case
+ *
+ * Returns the current security state for UI projection:
+ * - Effective mode from settings
+ * - Recent security events (limited)
+ * - Highest-severity open finding
+ * - Last evaluation timestamp
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecuritySeverity } from '../../../domain/generated/output.js';
+/** Maximum number of recent events returned. */
+const RECENT_EVENTS_LIMIT = 20;
+/** Severity ordering for comparison (higher = more severe). */
+const SEVERITY_RANK = {
+    [SecuritySeverity.Low]: 0,
+    [SecuritySeverity.Medium]: 1,
+    [SecuritySeverity.High]: 2,
+    [SecuritySeverity.Critical]: 3,
+};
+let GetSecurityStateUseCase = class GetSecurityStateUseCase {
+    eventRepository;
+    settingsRepository;
+    constructor(eventRepository, settingsRepository) {
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(repositoryPath) {
+        const settings = await this.settingsRepository.load();
+        const securityConfig = settings?.security;
+        const recentEvents = await this.eventRepository.findByRepository(repositoryPath, {
+            limit: RECENT_EVENTS_LIMIT,
+        });
+        const highestSeverityFinding = this.findHighestSeverity(recentEvents);
+        return {
+            mode: securityConfig?.mode ?? SecurityMode.Advisory,
+            lastEvaluationAt: securityConfig?.lastEvaluationAt ?? null,
+            policySource: securityConfig?.policySource ?? null,
+            recentEvents,
+            highestSeverityFinding,
+        };
+    }
+    findHighestSeverity(events) {
+        if (events.length === 0) {
+            return null;
+        }
+        let highest = events[0];
+        for (const event of events) {
+            const eventRank = SEVERITY_RANK[event.severity] ?? 0;
+            const highestRank = SEVERITY_RANK[highest.severity] ?? 0;
+            if (eventRank > highestRank) {
+                highest = event;
+            }
+        }
+        return highest;
+    }
+};
+GetSecurityStateUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityEventRepository')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], GetSecurityStateUseCase);
+export { GetSecurityStateUseCase };

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Record Security Event Use Case
+ *
+ * Persists a security event and triggers 90-day retention cleanup.
+ * Used by runtime guardrails and enforcement flow to record findings.
+ */
+import type { SecurityEvent } from '../../../domain/generated/output.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+export declare class RecordSecurityEventUseCase {
+    private readonly eventRepository;
+    constructor(eventRepository: ISecurityEventRepository);
+    execute(event: SecurityEvent): Promise<void>;
+}
+//# sourceMappingURL=record-security-event.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"record-security-event.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/record-security-event.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AAMvH,qBACa,0BAA0B;IAGnC,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAAf,eAAe,EAAE,wBAAwB;IAGtD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAcnD"}

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.js ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Record Security Event Use Case
+ *
+ * Persists a security event and triggers 90-day retention cleanup.
+ * Used by runtime guardrails and enforcement flow to record findings.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { randomUUID } from 'node:crypto';
+/** Retention window in days for security events. */
+const SECURITY_EVENT_RETENTION_DAYS = 90;
+let RecordSecurityEventUseCase = class RecordSecurityEventUseCase {
+    eventRepository;
+    constructor(eventRepository) {
+        this.eventRepository = eventRepository;
+    }
+    async execute(event) {
+        // Ensure the event has an ID
+        const eventToSave = {
+            ...event,
+            id: event.id || randomUUID(),
+        };
+        await this.eventRepository.save(eventToSave);
+        // Trigger 90-day retention cleanup
+        const cutoff = new Date();
+        cutoff.setDate(cutoff.getDate() - SECURITY_EVENT_RETENTION_DAYS);
+        await this.eventRepository.deleteOlderThan(cutoff);
+    }
+};
+RecordSecurityEventUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityEventRepository')),
+    __metadata("design:paramtypes", [Object])
+], RecordSecurityEventUseCase);
+export { RecordSecurityEventUseCase };

package/dist/packages/core/src/application/use-cases/upgrade/upgrade-cli.use-case.d.ts CHANGED Viewed

@@ -24,6 +24,7 @@ export declare class UpgradeCliUseCase {
     constructor(versionService: IVersionService, daemonService: IDaemonService);
     execute(onOutput?: (data: string) => void): Promise<UpgradeResult>;
     private getLatestVersion;
+    private preDownloadPackage;
     /**
      * Schedule a daemon self-restart after upgrade.
      * Reads the current daemon port, spawns a new daemon process with the

package/dist/packages/core/src/application/use-cases/upgrade/upgrade-cli.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"upgrade-cli.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/upgrade/upgrade-cli.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;~~AAIH~~,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0DAA0D,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yDAAyD,CAAC;AAE9F,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,GAAG,UAAU,GAAG,OAAO,CAAC;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;~~AAOD~~,qBACa,iBAAiB;IAG1B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAFb,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,cAAc;IAG1C,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC;~~IAkCxE~~,OAAO,CAAC,gBAAgB;IA6CxB;;;;OAIG;IACG,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B5C,OAAO,CAAC,aAAa;CAuBtB"}
1	+ {"version":3,"file":"upgrade-cli.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/upgrade/upgrade-cli.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0DAA0D,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yDAAyD,CAAC;AAE9F,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,GAAG,UAAU,GAAG,OAAO,CAAC;IAC5C,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAQD,qBACa,iBAAiB;IAG1B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAFb,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,cAAc;IAG1C,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC;IAyCxE,OAAO,CAAC,gBAAgB;IA6CxB,OAAO,CAAC,kBAAkB;IAwD1B;;;;OAIG;IACG,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;IA2B5C,OAAO,CAAC,aAAa;CAuBtB"}

package/dist/packages/core/src/application/use-cases/upgrade/upgrade-cli.use-case.js CHANGED Viewed

@@ -24,7 +24,11 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 };
 import { injectable, inject } from 'tsyringe';
 import { spawn } from 'node:child_process';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
 const VERSION_CHECK_TIMEOUT_MS = 10_000;
+const NPM_CACHE_ADD_TIMEOUT_MS = 120_000;
 /** Delay (ms) before the current process exits to allow the SSE response to flush. */
 const SELF_RESTART_DELAY_MS = 1_000;
 let UpgradeCliUseCase = class UpgradeCliUseCase {
@@ -43,8 +47,14 @@ let UpgradeCliUseCase = class UpgradeCliUseCase {
             onOutput?.(`Already up to date (v${currentVersion})\n`);
             return { status: 'up-to-date', currentVersion, latestVersion };
         }
-        // 3. Run upgrade
+        // 3. Pre-download the package into npm cache before install
         const target = latestVersion ? `v${latestVersion}` : 'latest';
+        onOutput?.(`Downloading @shepai/cli@latest...\n`);
+        const cached = await this.preDownloadPackage();
+        if (!cached) {
+            onOutput?.('Pre-download did not complete — proceeding with install...\n');
+        }
+        // 4. Run install (fast if cached)
         onOutput?.(`Upgrading from v${currentVersion} to ${target}...\n`);
         try {
             const exitCode = await this.runNpmInstall(onOutput);
@@ -104,6 +114,53 @@ let UpgradeCliUseCase = class UpgradeCliUseCase {
             });
         });
     }
+    preDownloadPackage() {
+        let tmpDir;
+        try {
+            tmpDir = mkdtempSync(join(tmpdir(), 'shep-upgrade-'));
+        }
+        catch {
+            return Promise.resolve(false);
+        }
+        const cleanup = () => {
+            try {
+                rmSync(tmpDir, { recursive: true, force: true });
+            }
+            catch {
+                /* best-effort */
+            }
+        };
+        return new Promise((resolve) => {
+            let settled = false;
+            const child = spawn('npm', ['install', '--prefix', tmpDir, '--ignore-scripts', '@shepai/cli@latest'], {
+                stdio: ['ignore', 'ignore', 'pipe'],
+            });
+            const timeout = setTimeout(() => {
+                if (!settled) {
+                    settled = true;
+                    child.kill();
+                    cleanup();
+                    resolve(false);
+                }
+            }, NPM_CACHE_ADD_TIMEOUT_MS);
+            child.on('close', (code) => {
+                if (!settled) {
+                    settled = true;
+                    clearTimeout(timeout);
+                    cleanup();
+                    resolve(code === 0);
+                }
+            });
+            child.on('error', () => {
+                if (!settled) {
+                    settled = true;
+                    clearTimeout(timeout);
+                    cleanup();
+                    resolve(false);
+                }
+            });
+        });
+    }
     /**
      * Schedule a daemon self-restart after upgrade.
      * Reads the current daemon port, spawns a new daemon process with the
@@ -130,7 +187,7 @@ let UpgradeCliUseCase = class UpgradeCliUseCase {
     }
     runNpmInstall(onOutput) {
         return new Promise((resolve, reject) => {
-            const child = spawn('npm', ['i', '-g', '@shepai/cli@latest'], {
+            const child = spawn('npm', ['i', '-g', '@shepai/cli@latest', '--prefer-offline'], {
                 stdio: ['ignore', 'pipe', 'pipe'],
             });
             child.stdout?.on('data', (data) => {

package/dist/packages/core/src/domain/errors/security-violation.error.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Security Violation Error
+ *
+ * Thrown when a security policy constraint is violated during agent execution.
+ * Contains structured information about the violated rule, the action category,
+ * and actionable remediation guidance.
+ */
+import type { SecurityActionCategory } from '../generated/output.js';
+export declare class SecurityViolationError extends Error {
+    readonly rule: string;
+    readonly category: SecurityActionCategory;
+    readonly remediation: string;
+    constructor(rule: string, category: SecurityActionCategory, remediation: string);
+}
+//# sourceMappingURL=security-violation.error.d.ts.map

package/dist/packages/core/src/domain/errors/security-violation.error.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-violation.error.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/errors/security-violation.error.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,IAAI,EAAE,MAAM;aACZ,QAAQ,EAAE,sBAAsB;aAChC,WAAW,EAAE,MAAM;gBAFnB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,sBAAsB,EAChC,WAAW,EAAE,MAAM;CAMtC"}

package/dist/packages/core/src/domain/errors/security-violation.error.js ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Security Violation Error
+ *
+ * Thrown when a security policy constraint is violated during agent execution.
+ * Contains structured information about the violated rule, the action category,
+ * and actionable remediation guidance.
+ */
+export class SecurityViolationError extends Error {
+    rule;
+    category;
+    remediation;
+    constructor(rule, category, remediation) {
+        super(`Security policy violation: ${rule}`);
+        this.rule = rule;
+        this.category = category;
+        this.remediation = remediation;
+        this.name = 'SecurityViolationError';
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}

package/dist/packages/core/src/domain/factories/settings-defaults.factory.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"settings-defaults.factory.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/factories/settings-defaults.factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,QAAQ,~~EAWT~~,MAAM,qBAAqB,CAAC;~~AAmD7B~~;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,IAAI,QAAQ,~~CA+IhD~~"}
1	+ {"version":3,"file":"settings-defaults.factory.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/factories/settings-defaults.factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,QAAQ,EAYT,MAAM,qBAAqB,CAAC;AAoD7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,IAAI,QAAQ,CAmJhD"}