npm - @shepai/cli - Versions diffs - 1.170.0 → 1.171.0-pr527.e2ee839 - Mend

@shepai/cli 1.170.0 → 1.171.0-pr527.e2ee839

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (464) hide show

package/dist/packages/core/src/application/ports/output/services/security-policy-service.interface.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-policy-service.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/security-policy-service.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,yBAAyB,EAC1B,MAAM,wCAAwC,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,6DAA6D;IAC7D,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;;;;;;;;OAUG;IACH,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAEzE;;;;;;;;;OASG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAE7E;;;;;;;;OAQG;IACH,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAEtE;;;;;;;OAOG;IACH,oBAAoB,CAClB,MAAM,EAAE,uBAAuB,EAC/B,cAAc,EAAE,sBAAsB,GACrC,yBAAyB,CAAC;CAC9B"}

package/dist/packages/core/src/application/ports/output/services/security-policy-service.interface.js ADDED Viewed

@@ -0,0 +1,13 @@
+/**
+ * Security Policy Service Interface
+ *
+ * Output port for the central security policy engine.
+ * Implementations handle policy file reading, validation, merging
+ * with persisted settings, and deterministic policy evaluation.
+ *
+ * Following Clean Architecture:
+ * - Application and use-case layers depend on this interface
+ * - Infrastructure layer provides the concrete implementation
+ * - All consumers (CLI, runtime, CI, UI) resolve the same instance via DI
+ */
+export {};

package/dist/packages/core/src/application/ports/output/services/spec-initializer.interface.d.ts CHANGED Viewed

@@ -32,5 +32,16 @@ export interface ISpecInitializerService {
      * @returns The spec directory path and feature number used
      */
     initialize(basePath: string, slug: string, featureNumber: number, description: string, mode?: 'fast'): Promise<SpecInitializerResult>;
+    /**
+     * Scaffold a baseline shep.security.yaml file at the repository root.
+     *
+     * Creates the security policy file with Advisory mode, default action
+     * dispositions, and dependency/release rules. Includes YAML comments
+     * explaining each section.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns The absolute path to the created security policy file
+     */
+    scaffoldSecurityPolicy(repositoryPath: string): Promise<string>;
 }
 //# sourceMappingURL=spec-initializer.interface.d.ts.map

package/dist/packages/core/src/application/ports/output/services/spec-initializer.interface.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"spec-initializer.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/spec-initializer.interface.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;;;;;;;OAkBG;IACH,UAAU,CACR,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC,CAAC;~~CACnC~~"}
1	+ {"version":3,"file":"spec-initializer.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/spec-initializer.interface.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;;;;;;;OAkBG;IACH,UAAU,CACR,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAElC;;;;;;;;;OASG;IACH,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjE"}

package/dist/packages/core/src/application/use-cases/agents/approve-agent-run.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"approve-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/approve-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAE1G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;~~AAO9E~~,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;~~CA0GlD~~"}
1	+ {"version":3,"file":"approve-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/approve-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAE1G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAQ9E,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CA2GlD"}

package/dist/packages/core/src/application/use-cases/agents/approve-agent-run.use-case.js CHANGED Viewed

@@ -25,6 +25,7 @@ import { join } from 'node:path';
 import { AgentRunStatus } from '../../../domain/generated/output.js';
 import { writeSpecFileAtomic, safeYamlDump, } from '../../../infrastructure/services/agents/feature-agent/nodes/node-helpers.js';
 import { computeWorktreePath } from '../../../infrastructure/services/ide-launchers/compute-worktree-path.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let ApproveAgentRunUseCase = class ApproveAgentRunUseCase {
     agentRunRepository;
     processService;
@@ -120,6 +121,7 @@ let ApproveAgentRunUseCase = class ApproveAgentRunUseCase {
             agentType: run.agentType,
             ...(run.modelId ? { model: run.modelId } : {}),
             ...(feature?.fast ? { fast: true } : {}),
+            securityMode: getSettings().security?.mode,
         });
         return { approved: true, reason: 'Approved and resumed' };
     }

package/dist/packages/core/src/application/use-cases/agents/reject-agent-run.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"reject-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/reject-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;~~AAa1G~~,qBACa,qBAAqB;IAG9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC;QACT,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;KAC5B,CAAC;~~CAkIH~~"}
1	+ {"version":3,"file":"reject-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/reject-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAc1G,qBACa,qBAAqB;IAG9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC;QACT,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;KAC5B,CAAC;CAmIH"}

package/dist/packages/core/src/application/use-cases/agents/reject-agent-run.use-case.js CHANGED Viewed

@@ -25,6 +25,7 @@ import { AgentRunStatus } from '../../../domain/generated/output.js';
 import { writeSpecFileAtomic, safeYamlDump, } from '../../../infrastructure/services/agents/feature-agent/nodes/node-helpers.js';
 import { recordLifecycleEvent } from '../../../infrastructure/services/agents/feature-agent/phase-timing-context.js';
 import { computeWorktreePath } from '../../../infrastructure/services/ide-launchers/compute-worktree-path.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let RejectAgentRunUseCase = class RejectAgentRunUseCase {
     agentRunRepository;
     processService;
@@ -136,6 +137,7 @@ let RejectAgentRunUseCase = class RejectAgentRunUseCase {
             agentType: run.agentType,
             ...(run.modelId ? { model: run.modelId } : {}),
             ...(feature.fast ? { fast: true } : {}),
+            securityMode: getSettings().security?.mode,
         });
         return {
             rejected: true,

package/dist/packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"check-and-unblock-features.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;~~AAGhH~~,qBACa,8BAA8B;IAET,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE1D,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAFkB,WAAW,EAAE,kBAAkB,EAE7D,YAAY,EAAE,2BAA2B;IAG5D;;;;OAIG;IACG,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;~~CA4CtD~~"}
1	+ {"version":3,"file":"check-and-unblock-features.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAIhH,qBACa,8BAA8B;IAET,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE1D,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAFkB,WAAW,EAAE,kBAAkB,EAE7D,YAAY,EAAE,2BAA2B;IAG5D;;;;OAIG;IACG,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA6CtD"}

package/dist/packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.js CHANGED Viewed

@@ -29,6 +29,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { SdlcLifecycle } from '../../../domain/generated/output.js';
 import { POST_IMPLEMENTATION } from '../../../domain/lifecycle-gates.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let CheckAndUnblockFeaturesUseCase = class CheckAndUnblockFeaturesUseCase {
     featureRepo;
     agentProcess;
@@ -70,6 +71,7 @@ let CheckAndUnblockFeaturesUseCase = class CheckAndUnblockFeaturesUseCase {
                     enableEvidence: child.enableEvidence,
                     commitEvidence: child.commitEvidence,
                     ...(child.fast ? { fast: true } : {}),
+                    securityMode: getSettings().security?.mode,
                 });
             }
         }

package/dist/packages/core/src/application/use-cases/features/create/create-feature.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"create-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/use-cases/features/create/create-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wCAAwC,CAAC;AAMtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oEAAoE,CAAC;AAC7G,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8DAA8D,CAAC;AACrG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,iEAAiE,CAAC;AACnH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gEAAgE,CAAC;AAC1G,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,8DAA8D,CAAC;AAC5G,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,uEAAuE,CAAC;AACnH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAChG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2DAA2D,CAAC;AACjG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4DAA4D,CAAC;AAIxG,OAAO,EAAE,wBAAwB,EAAE,MAAM,mEAAmE,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAE9F,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAtBb,WAAW,EAAE,kBAAkB,EAE/B,eAAe,EAAE,gBAAgB,EAEjC,YAAY,EAAE,2BAA2B,EAEzC,aAAa,EAAE,mBAAmB,EAElC,eAAe,EAAE,uBAAuB,EAExC,iBAAiB,EAAE,iBAAiB,EAEpC,YAAY,EAAE,YAAY,EAE1B,cAAc,EAAE,qBAAqB,EAErC,YAAY,EAAE,aAAa,EAE3B,iBAAiB,EAAE,wBAAwB,EAE3C,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,qBAAqB;IAGvD;;;OAGG;IACG,OAAO,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAMtE;;;;OAIG;IACG,YAAY,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAyI1E;;;OAGG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,kBAAkB,EACzB,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;~~CAsK1D~~"}
1	+ {"version":3,"file":"create-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/use-cases/features/create/create-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wCAAwC,CAAC;AAMtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oEAAoE,CAAC;AAC7G,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8DAA8D,CAAC;AACrG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,iEAAiE,CAAC;AACnH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gEAAgE,CAAC;AAC1G,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,8DAA8D,CAAC;AAC5G,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,uEAAuE,CAAC;AACnH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAChG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2DAA2D,CAAC;AACjG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4DAA4D,CAAC;AAIxG,OAAO,EAAE,wBAAwB,EAAE,MAAM,mEAAmE,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAE9F,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAtBb,WAAW,EAAE,kBAAkB,EAE/B,eAAe,EAAE,gBAAgB,EAEjC,YAAY,EAAE,2BAA2B,EAEzC,aAAa,EAAE,mBAAmB,EAElC,eAAe,EAAE,uBAAuB,EAExC,iBAAiB,EAAE,iBAAiB,EAEpC,YAAY,EAAE,YAAY,EAE1B,cAAc,EAAE,qBAAqB,EAErC,YAAY,EAAE,aAAa,EAE3B,iBAAiB,EAAE,wBAAwB,EAE3C,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,qBAAqB;IAGvD;;;OAGG;IACG,OAAO,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAMtE;;;;OAIG;IACG,YAAY,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAyI1E;;;OAGG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,kBAAkB,EACzB,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;CAuK1D"}

package/dist/packages/core/src/application/use-cases/features/create/create-feature.use-case.js CHANGED Viewed

@@ -326,6 +326,7 @@ let CreateFeatureUseCase = class CreateFeatureUseCase {
                 ...(input.fast ? { fast: true } : {}),
                 ...(input.agentType ? { agentType: input.agentType } : {}),
                 ...(input.model ? { model: input.model } : {}),
+                securityMode: settings.security?.mode,
             });
         }
         return { warning, updatedFeature };

package/dist/packages/core/src/application/use-cases/features/resume-feature.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"resume-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/resume-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;~~AAQlG~~,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAClC,OAAO,CAAC,mBAAmB,CAAC;~~CA4GhC~~"}
1	+ {"version":3,"file":"resume-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/resume-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AASlG,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAClC,OAAO,CAAC,mBAAmB,CAAC;CA6GhC"}

package/dist/packages/core/src/application/use-cases/features/resume-feature.use-case.js CHANGED Viewed

@@ -19,6 +19,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { randomUUID } from 'node:crypto';
 import { AgentRunStatus } from '../../../domain/generated/output.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 const RESUMABLE_STATUSES = new Set([
     AgentRunStatus.interrupted,
     AgentRunStatus.failed,
@@ -118,6 +119,7 @@ let ResumeFeatureUseCase = class ResumeFeatureUseCase {
             ...(feature.fast ? { fast: true } : {}),
             ...(lastRun.modelId ? { model: lastRun.modelId } : {}),
             resumeReason: lastRun.status,
+            securityMode: getSettings().security?.mode,
         });
         return { feature, newRun };
     }

package/dist/packages/core/src/application/use-cases/features/start-feature.use-case.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"start-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/start-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;~~AAGlG~~,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,qBACa,mBAAmB;IAG5B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;~~CAyG9D~~"}
1	+ {"version":3,"file":"start-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/start-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AAIlG,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,qBACa,mBAAmB;IAG5B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;CA0G9D"}

package/dist/packages/core/src/application/use-cases/features/start-feature.use-case.js CHANGED Viewed

@@ -20,6 +20,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { SdlcLifecycle } from '../../../domain/generated/output.js';
 import { POST_IMPLEMENTATION } from '../../../domain/lifecycle-gates.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let StartFeatureUseCase = class StartFeatureUseCase {
     featureRepo;
     runRepo;
@@ -105,6 +106,7 @@ let StartFeatureUseCase = class StartFeatureUseCase {
                 agentType: agentRun.agentType,
                 ...(resolved.fast ? { fast: true } : {}),
                 ...(agentRun.modelId ? { model: agentRun.modelId } : {}),
+                securityMode: getSettings().security?.mode,
             });
         }
         return { feature: updatedFeature, agentRun };

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { EffectivePolicySnapshot, DependencyFinding, ReleaseIntegrityResult } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+import type { IGitHubRepositoryService, GovernanceFinding } from '../../ports/output/services/github-repository-service.interface.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+/**
+ * Input for the enforce security use case.
+ */
+export interface EnforceSecurityInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+/**
+ * Result of the enforcement flow.
+ */
+export interface EnforceSecurityResult {
+    /** Whether all checks passed (Advisory always passes, Enforce fails on violations) */
+    passed: boolean;
+    /** Effective security mode used for evaluation */
+    mode: SecurityMode;
+    /** Effective policy snapshot */
+    policy: EffectivePolicySnapshot;
+    /** Dependency risk findings */
+    dependencyFindings: DependencyFinding[];
+    /** Release integrity result */
+    releaseIntegrity: ReleaseIntegrityResult;
+    /** GitHub governance audit findings (audit-only, do not affect pass/fail) */
+    governanceFindings: GovernanceFinding[];
+    /** Total number of findings (excludes governance — governance is audit-only) */
+    totalFindings: number;
+}
+export declare class EnforceSecurityUseCase {
+    private readonly policyService;
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    private readonly dependencyEvaluator;
+    private readonly releaseEvaluator;
+    private readonly githubService;
+    constructor(policyService: ISecurityPolicyService, eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository, dependencyEvaluator: DependencyRiskEvaluator, releaseEvaluator: ReleaseIntegrityEvaluator, githubService: IGitHubRepositoryService);
+    execute(input: EnforceSecurityInput): Promise<EnforceSecurityResult>;
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    private runGovernanceAudit;
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    private persistFindings;
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    private updateEvaluationTimestamp;
+}
+//# sourceMappingURL=enforce-security.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enforce-security.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,YAAY,EAA0B,MAAM,qCAAqC,CAAC;AAC3F,OAAO,KAAK,EACV,uBAAuB,EACvB,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,qCAAqC,CAAC;AAC7C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAC5G,OAAO,KAAK,EACV,wBAAwB,EACxB,iBAAiB,EAClB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,wEAAwE,CAAC;AACjH,OAAO,EAAE,yBAAyB,EAAE,MAAM,0EAA0E,CAAC;AAOrH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,sFAAsF;IACtF,MAAM,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,IAAI,EAAE,YAAY,CAAC;IACnB,gCAAgC;IAChC,MAAM,EAAE,uBAAuB,CAAC;IAChC,+BAA+B;IAC/B,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,+BAA+B;IAC/B,gBAAgB,EAAE,sBAAsB,CAAC;IACzC,6EAA6E;IAC7E,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,gFAAgF;IAChF,aAAa,EAAE,MAAM,CAAC;CACvB;AAuBD,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,mBAAmB;IAEpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IAEjC,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAVb,aAAa,EAAE,sBAAsB,EAErC,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB,EAEvC,mBAAmB,EAAE,uBAAuB,EAE5C,gBAAgB,EAAE,yBAAyB,EAE3C,aAAa,EAAE,wBAAwB;IAGpD,OAAO,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA8D1E;;;OAGG;YACW,kBAAkB;IAgBhC;;OAEG;YACW,eAAe;IA6D7B;;OAEG;YACW,yBAAyB;CAgBxC"}

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.js ADDED Viewed

@@ -0,0 +1,215 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecurityActionCategory } from '../../../domain/generated/output.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+import { randomUUID } from 'node:crypto';
+import { execFile as execFileCb } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFileCb);
+/**
+ * Default dependency rules when no policy file defines them.
+ */
+const DEFAULT_DEPENDENCY_RULES = {
+    checkLockfileConsistency: true,
+    checkLifecycleScripts: true,
+    checkNonRegistrySource: true,
+    enforceStrictVersionRanges: false,
+    allowlist: [],
+    denylist: [],
+};
+/**
+ * Default release rules when no policy file defines them.
+ */
+const DEFAULT_RELEASE_RULES = {
+    requireCiOnlyPublishing: true,
+    requireProvenance: true,
+    checkWorkflowIntegrity: true,
+};
+let EnforceSecurityUseCase = class EnforceSecurityUseCase {
+    policyService;
+    eventRepository;
+    settingsRepository;
+    dependencyEvaluator;
+    releaseEvaluator;
+    githubService;
+    constructor(policyService, eventRepository, settingsRepository, dependencyEvaluator, releaseEvaluator, githubService) {
+        this.policyService = policyService;
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+        this.dependencyEvaluator = dependencyEvaluator;
+        this.releaseEvaluator = releaseEvaluator;
+        this.githubService = githubService;
+    }
+    async execute(input) {
+        // Evaluate effective policy
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Disabled mode — return empty pass result
+        if (policy.mode === SecurityMode.Disabled) {
+            return {
+                passed: true,
+                mode: SecurityMode.Disabled,
+                policy,
+                dependencyFindings: [],
+                releaseIntegrity: { checks: [], passed: true },
+                governanceFindings: [],
+                totalFindings: 0,
+            };
+        }
+        // Run dependency-risk checks
+        const dependencyFindings = this.dependencyEvaluator.evaluate(input.repositoryPath, DEFAULT_DEPENDENCY_RULES);
+        // Run release-integrity checks
+        const releaseIntegrity = this.releaseEvaluator.evaluate(input.repositoryPath, DEFAULT_RELEASE_RULES);
+        // Run governance audit (audit-only — does not affect pass/fail)
+        const governanceFindings = await this.runGovernanceAudit(input.repositoryPath);
+        // Count total findings (governance excluded — audit-only per FR-15)
+        const failedReleaseChecks = releaseIntegrity.checks.filter((c) => !c.passed);
+        const totalFindings = dependencyFindings.length + failedReleaseChecks.length;
+        // Persist findings as security events
+        await this.persistFindings(input.repositoryPath, dependencyFindings, releaseIntegrity, governanceFindings);
+        // Update settings with evaluation timestamp
+        await this.updateEvaluationTimestamp(policy.source);
+        // Determine pass/fail based on mode (governance is always advisory)
+        const hasFailures = totalFindings > 0;
+        const passed = policy.mode === SecurityMode.Advisory ? true : !hasFailures;
+        return {
+            passed,
+            mode: policy.mode,
+            policy,
+            dependencyFindings,
+            releaseIntegrity,
+            governanceFindings,
+            totalFindings,
+        };
+    }
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    async runGovernanceAudit(repositoryPath) {
+        try {
+            const { stdout } = await execFileAsync('git', ['remote', 'get-url', 'origin'], {
+                cwd: repositoryPath,
+            });
+            const remoteUrl = stdout.trim();
+            if (!remoteUrl)
+                return [];
+            const parsed = this.githubService.parseGitHubUrl(remoteUrl);
+            return await this.githubService.auditRepositoryGovernance(parsed.owner, parsed.repo);
+        }
+        catch {
+            // Not a GitHub repository, no remote configured, or parse failure — skip governance audit
+            return [];
+        }
+    }
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    async persistFindings(repositoryPath, depFindings, releaseResult, govFindings) {
+        const now = new Date().toISOString();
+        for (const finding of depFindings) {
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity: finding.severity,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: 'Denied',
+                message: finding.message,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+        for (const check of releaseResult.checks) {
+            if (!check.passed) {
+                const event = {
+                    id: randomUUID(),
+                    repositoryPath,
+                    severity: check.severity,
+                    category: SecurityActionCategory.PublishRelease,
+                    disposition: 'Denied',
+                    message: check.message,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                await this.eventRepository.save(event);
+            }
+        }
+        // Persist governance findings as advisory events
+        for (const finding of govFindings) {
+            // Map governance severity to SecuritySeverity (Unknown → Low for persistence)
+            const severity = finding.severity === 'Unknown'
+                ? 'Low'
+                : finding.severity;
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity,
+                category: SecurityActionCategory.CiWorkflowModify,
+                disposition: 'Allowed',
+                message: `[Governance Audit] ${finding.message}`,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+    }
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    async updateEvaluationTimestamp(policySource) {
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — evaluation results are still returned even if settings update fails
+        }
+    }
+};
+EnforceSecurityUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISecurityEventRepository')),
+    __param(2, inject('ISettingsRepository')),
+    __param(3, inject('DependencyRiskEvaluator')),
+    __param(4, inject('ReleaseIntegrityEvaluator')),
+    __param(5, inject('IGitHubRepositoryService')),
+    __metadata("design:paramtypes", [Object, Object, Object, DependencyRiskEvaluator,
+        ReleaseIntegrityEvaluator, Object])
+], EnforceSecurityUseCase);
+export { EnforceSecurityUseCase };

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+import type { EffectivePolicySnapshot } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Input for the evaluate security policy use case.
+ */
+export interface EvaluateSecurityPolicyInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+export declare class EvaluateSecurityPolicyUseCase {
+    private readonly policyService;
+    private readonly settingsRepository;
+    constructor(policyService: ISecurityPolicyService, settingsRepository: ISettingsRepository);
+    execute(input: EvaluateSecurityPolicyInput): Promise<EffectivePolicySnapshot>;
+}
+//# sourceMappingURL=evaluate-security-policy.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"evaluate-security-policy.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAC;AACnF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAE5G;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,aAAa,EAAE,sBAAsB,EAErC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAqBpF"}

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.js ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode } from '../../../domain/generated/output.js';
+let EvaluateSecurityPolicyUseCase = class EvaluateSecurityPolicyUseCase {
+    policyService;
+    settingsRepository;
+    constructor(policyService, settingsRepository) {
+        this.policyService = policyService;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(input) {
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Update settings with evaluation timestamp and source
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource: policy.source,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — policy is still returned even if settings update fails
+        }
+        return policy;
+    }
+};
+EvaluateSecurityPolicyUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], EvaluateSecurityPolicyUseCase);
+export { EvaluateSecurityPolicyUseCase };

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Get Security State Use Case
+ *
+ * Returns the current security state for UI projection:
+ * - Effective mode from settings
+ * - Recent security events (limited)
+ * - Highest-severity open finding
+ * - Last evaluation timestamp
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { SecurityEvent } from '../../../domain/generated/output.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Security state summary for UI projection.
+ */
+export interface SecurityState {
+    /** Effective security mode */
+    mode: SecurityMode;
+    /** Last evaluation timestamp (ISO string) or null */
+    lastEvaluationAt: string | null;
+    /** Policy source or null */
+    policySource: string | null;
+    /** Recent security events (most recent first, limited) */
+    recentEvents: SecurityEvent[];
+    /** Highest-severity finding from recent events, or null */
+    highestSeverityFinding: SecurityEvent | null;
+}
+export declare class GetSecurityStateUseCase {
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    constructor(eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository);
+    execute(repositoryPath: string): Promise<SecurityState>;
+    private findHighestSeverity;
+}
+//# sourceMappingURL=get-security-state.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"get-security-state.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/get-security-state.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAoB,MAAM,qCAAqC,CAAC;AACrF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAK5G;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,4BAA4B;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,0DAA0D;IAC1D,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,2DAA2D;IAC3D,sBAAsB,EAAE,aAAa,GAAG,IAAI,CAAC;CAC9C;AAUD,qBACa,uBAAuB;IAGhC,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB7D,OAAO,CAAC,mBAAmB;CAgB5B"}