npm - @shepai/cli - Versions diffs - 1.170.0 → 1.171.0-pr527.e2ee839 - Mend

@shepai/cli 1.170.0 → 1.171.0-pr527.e2ee839

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (464) hide show

package/dist/packages/core/src/infrastructure/services/security/dependency-risk-evaluator.js ADDED Viewed

@@ -0,0 +1,241 @@
+/**
+ * Dependency Risk Evaluator
+ *
+ * Evaluates repository-local dependency risk signals without
+ * external services. Checks:
+ * - Manifest-lockfile consistency (package.json vs lockfile)
+ * - Dependency source types (registry vs git vs file)
+ * - Risky lifecycle scripts (preinstall, postinstall, prepare)
+ * - Allowlist/denylist enforcement
+ * - Version-range strictness
+ *
+ * Returns an array of DependencyFinding objects with severity and remediation.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { DependencyRiskType, SecuritySeverity } from '../../../domain/generated/output.js';
+/**
+ * Lockfile names in priority order.
+ */
+const LOCKFILE_NAMES = ['pnpm-lock.yaml', 'package-lock.json', 'yarn.lock'];
+/**
+ * Lifecycle script names that execute arbitrary code during install.
+ */
+const RISKY_LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
+/**
+ * Patterns indicating a non-registry dependency source.
+ */
+const NON_REGISTRY_PREFIXES = ['git+', 'git:', 'github:', 'file:', 'link:', 'http:', 'https:'];
+/**
+ * Patterns indicating loose version ranges.
+ */
+const LOOSE_RANGE_PATTERNS = [/^\*$/, /^\^/, /^~/, /^>=/, /^>(?!=)/];
+export class DependencyRiskEvaluator {
+    /**
+     * Evaluate dependency risk for a repository.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @param rules - Dependency risk policy rules
+     * @returns Array of dependency findings
+     */
+    evaluate(repositoryPath, rules) {
+        const packageJsonPath = join(repositoryPath, 'package.json');
+        if (!existsSync(packageJsonPath)) {
+            return [];
+        }
+        let packageJson;
+        try {
+            packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+        }
+        catch {
+            return [];
+        }
+        const findings = [];
+        // Collect all dependencies
+        const allDeps = this.collectDependencies(packageJson);
+        // Check lockfile consistency
+        if (rules.checkLockfileConsistency) {
+            findings.push(...this.checkLockfileConsistency(repositoryPath, allDeps));
+        }
+        // Check non-registry sources
+        if (rules.checkNonRegistrySource) {
+            findings.push(...this.checkNonRegistrySources(allDeps));
+        }
+        // Check lifecycle scripts
+        if (rules.checkLifecycleScripts) {
+            findings.push(...this.checkLifecycleScripts(repositoryPath, allDeps));
+        }
+        // Check denylist
+        if (rules.denylist.length > 0) {
+            findings.push(...this.checkDenylist(allDeps, rules.denylist));
+        }
+        // Check allowlist
+        if (rules.allowlist.length > 0) {
+            findings.push(...this.checkAllowlist(allDeps, rules.allowlist));
+        }
+        // Check version-range strictness
+        if (rules.enforceStrictVersionRanges) {
+            findings.push(...this.checkVersionRangeStrictness(allDeps));
+        }
+        return findings;
+    }
+    /**
+     * Collect all dependencies from package.json (dependencies + devDependencies).
+     */
+    collectDependencies(packageJson) {
+        const deps = new Map();
+        const depSections = ['dependencies', 'devDependencies'];
+        for (const section of depSections) {
+            const sectionDeps = packageJson[section];
+            if (sectionDeps && typeof sectionDeps === 'object') {
+                for (const [name, version] of Object.entries(sectionDeps)) {
+                    deps.set(name, version);
+                }
+            }
+        }
+        return deps;
+    }
+    /**
+     * Check that a lockfile exists when there are dependencies.
+     */
+    checkLockfileConsistency(repositoryPath, deps) {
+        if (deps.size === 0) {
+            return [];
+        }
+        const hasLockfile = LOCKFILE_NAMES.some((name) => existsSync(join(repositoryPath, name)));
+        if (!hasLockfile) {
+            return [
+                {
+                    packageName: '*',
+                    severity: SecuritySeverity.High,
+                    riskType: DependencyRiskType.LockfileInconsistency,
+                    message: 'No lockfile found. Dependencies are not pinned to specific versions.',
+                    remediation: 'Run your package manager install command to generate a lockfile (e.g., pnpm install).',
+                },
+            ];
+        }
+        return [];
+    }
+    /**
+     * Check for dependencies installed from non-registry sources.
+     */
+    checkNonRegistrySources(deps) {
+        const findings = [];
+        for (const [name, version] of deps) {
+            const isNonRegistry = NON_REGISTRY_PREFIXES.some((prefix) => version.startsWith(prefix));
+            if (isNonRegistry) {
+                findings.push({
+                    packageName: name,
+                    version,
+                    severity: SecuritySeverity.Medium,
+                    riskType: DependencyRiskType.NonRegistrySource,
+                    message: `Package "${name}" is installed from a non-registry source: ${version}`,
+                    remediation: `Consider using a registry-published version of "${name}" instead of a direct source reference.`,
+                });
+            }
+        }
+        return findings;
+    }
+    /**
+     * Check installed packages for risky lifecycle scripts.
+     */
+    checkLifecycleScripts(repositoryPath, deps) {
+        const findings = [];
+        const nodeModules = join(repositoryPath, 'node_modules');
+        if (!existsSync(nodeModules)) {
+            return [];
+        }
+        for (const [name] of deps) {
+            const pkgJsonPath = join(nodeModules, name, 'package.json');
+            if (!existsSync(pkgJsonPath)) {
+                continue;
+            }
+            try {
+                const pkgJson = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+                const scripts = pkgJson.scripts;
+                if (!scripts || typeof scripts !== 'object') {
+                    continue;
+                }
+                const riskyScripts = RISKY_LIFECYCLE_SCRIPTS.filter((s) => typeof scripts[s] === 'string' && scripts[s].length > 0);
+                if (riskyScripts.length > 0) {
+                    findings.push({
+                        packageName: name,
+                        version: pkgJson.version,
+                        severity: SecuritySeverity.Medium,
+                        riskType: DependencyRiskType.LifecycleScript,
+                        message: `Package "${name}" has lifecycle scripts that execute during install: ${riskyScripts.join(', ')}`,
+                        remediation: `Review the lifecycle scripts in "${name}" or add it to the allowlist if trusted. Consider using --ignore-scripts during install.`,
+                    });
+                }
+            }
+            catch {
+                // Skip packages with unreadable package.json
+            }
+        }
+        return findings;
+    }
+    /**
+     * Check dependencies against the denylist.
+     */
+    checkDenylist(deps, denylist) {
+        const findings = [];
+        const denySet = new Set(denylist);
+        for (const [name, version] of deps) {
+            if (denySet.has(name)) {
+                findings.push({
+                    packageName: name,
+                    version,
+                    severity: SecuritySeverity.Critical,
+                    riskType: DependencyRiskType.DenylistViolation,
+                    message: `Package "${name}" is on the denylist and must be removed.`,
+                    remediation: `Remove "${name}" from your dependencies. It has been explicitly denied by security policy.`,
+                });
+            }
+        }
+        return findings;
+    }
+    /**
+     * Check dependencies against the allowlist (non-empty allowlist = only listed packages allowed).
+     */
+    checkAllowlist(deps, allowlist) {
+        const findings = [];
+        const allowSet = new Set(allowlist);
+        for (const [name, version] of deps) {
+            if (!allowSet.has(name)) {
+                findings.push({
+                    packageName: name,
+                    version,
+                    severity: SecuritySeverity.High,
+                    riskType: DependencyRiskType.AllowlistViolation,
+                    message: `Package "${name}" is not on the allowlist.`,
+                    remediation: `Add "${name}" to the allowlist in shep.security.yaml if it is a trusted dependency, or remove it.`,
+                });
+            }
+        }
+        return findings;
+    }
+    /**
+     * Check version ranges for strictness (no ^, ~, *, >= patterns).
+     */
+    checkVersionRangeStrictness(deps) {
+        const findings = [];
+        for (const [name, version] of deps) {
+            // Skip non-registry sources (already flagged separately)
+            if (NON_REGISTRY_PREFIXES.some((prefix) => version.startsWith(prefix))) {
+                continue;
+            }
+            const isLoose = LOOSE_RANGE_PATTERNS.some((pattern) => pattern.test(version));
+            if (isLoose) {
+                findings.push({
+                    packageName: name,
+                    version,
+                    severity: SecuritySeverity.Medium,
+                    riskType: DependencyRiskType.VersionRangePolicy,
+                    message: `Package "${name}" uses a loose version range "${version}". Strict version pinning is required by policy.`,
+                    remediation: `Pin "${name}" to an exact version (e.g., "4.17.21" instead of "${version}").`,
+                });
+            }
+        }
+        return findings;
+    }
+}

package/dist/packages/core/src/infrastructure/services/security/release-integrity-evaluator.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Release Integrity Evaluator
+ *
+ * Checks release pipeline integrity for a repository:
+ * - CI workflow exists and publishes from CI (not local)
+ * - NPM_TOKEN and RELEASE_TOKEN referenced as secrets (not hardcoded)
+ * - npm provenance flags (--provenance) present in publish steps
+ * - Release workflow integrity (semantic-release configured)
+ *
+ * Returns a ReleaseIntegrityResult with individual check results and overall pass/fail.
+ */
+import type { ReleaseIntegrityResult, ReleaseRules } from '../../../domain/generated/output.js';
+export declare class ReleaseIntegrityEvaluator {
+    /**
+     * Evaluate release pipeline integrity.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @param rules - Release integrity policy rules
+     * @returns Aggregated result with individual check details
+     */
+    evaluate(repositoryPath: string, rules: ReleaseRules): ReleaseIntegrityResult;
+    /**
+     * Read all YAML workflow files from .github/workflows/.
+     */
+    private readWorkflowFiles;
+    /**
+     * Check that CI workflow files exist (publishing happens in CI, not locally).
+     */
+    private checkCiOnlyPublishing;
+    /**
+     * Check that tokens are referenced as secrets, not hardcoded.
+     * Scans for known token env var names and verifies they use ${{ secrets.* }}.
+     */
+    private checkSecretConfiguration;
+    /**
+     * Check that npm publish commands include --provenance flag.
+     */
+    private checkProvenanceConfiguration;
+    /**
+     * Check workflow integrity (semantic-release is configured).
+     */
+    private checkWorkflowIntegrity;
+}
+//# sourceMappingURL=release-integrity-evaluator.d.ts.map

package/dist/packages/core/src/infrastructure/services/security/release-integrity-evaluator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"release-integrity-evaluator.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/security/release-integrity-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,OAAO,KAAK,EAEV,sBAAsB,EACtB,YAAY,EACb,MAAM,qCAAqC,CAAC;AA2B7C,qBAAa,yBAAyB;IACpC;;;;;;OAMG;IACH,QAAQ,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,sBAAsB;IAiC7E;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAgBzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAsB7B;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAyCpC;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAoB/B"}

package/dist/packages/core/src/infrastructure/services/security/release-integrity-evaluator.js ADDED Viewed

@@ -0,0 +1,194 @@
+/**
+ * Release Integrity Evaluator
+ *
+ * Checks release pipeline integrity for a repository:
+ * - CI workflow exists and publishes from CI (not local)
+ * - NPM_TOKEN and RELEASE_TOKEN referenced as secrets (not hardcoded)
+ * - npm provenance flags (--provenance) present in publish steps
+ * - Release workflow integrity (semantic-release configured)
+ *
+ * Returns a ReleaseIntegrityResult with individual check results and overall pass/fail.
+ */
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { ReleaseIntegrityCheckType, SecuritySeverity } from '../../../domain/generated/output.js';
+/**
+ * Token env var names that should use secrets.* references.
+ */
+const TOKEN_ENV_NAMES = ['GITHUB_TOKEN', 'RELEASE_TOKEN', 'NPM_TOKEN', 'NODE_AUTH_TOKEN'];
+/**
+ * Pattern for a secrets.* reference in a YAML value.
+ */
+const SECRETS_REF_PATTERN = /\$\{\{\s*secrets\./;
+/**
+ * Pattern for detecting npm publish commands.
+ */
+const NPM_PUBLISH_PATTERN = /npm\s+publish/;
+/**
+ * Pattern for detecting --provenance flag.
+ */
+const PROVENANCE_FLAG_PATTERN = /--provenance/;
+/**
+ * Pattern for detecting semantic-release.
+ */
+const SEMANTIC_RELEASE_PATTERN = /semantic-release/;
+export class ReleaseIntegrityEvaluator {
+    /**
+     * Evaluate release pipeline integrity.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @param rules - Release integrity policy rules
+     * @returns Aggregated result with individual check details
+     */
+    evaluate(repositoryPath, rules) {
+        const checks = [];
+        const workflowDir = join(repositoryPath, '.github', 'workflows');
+        // Read all workflow files
+        const workflowContents = this.readWorkflowFiles(workflowDir);
+        // Check CI-only publishing
+        if (rules.requireCiOnlyPublishing) {
+            checks.push(this.checkCiOnlyPublishing(workflowDir, workflowContents));
+        }
+        // Check secret configuration (no hardcoded tokens)
+        if (rules.requireCiOnlyPublishing) {
+            checks.push(this.checkSecretConfiguration(workflowContents));
+        }
+        // Check provenance configuration
+        if (rules.requireProvenance) {
+            checks.push(...this.checkProvenanceConfiguration(workflowContents));
+        }
+        // Check workflow integrity
+        if (rules.checkWorkflowIntegrity) {
+            checks.push(this.checkWorkflowIntegrity(workflowContents));
+        }
+        return {
+            checks,
+            passed: checks.length === 0 || checks.every((c) => c.passed),
+        };
+    }
+    /**
+     * Read all YAML workflow files from .github/workflows/.
+     */
+    readWorkflowFiles(workflowDir) {
+        if (!existsSync(workflowDir)) {
+            return [];
+        }
+        try {
+            const files = readdirSync(workflowDir).filter((f) => f.endsWith('.yml') || f.endsWith('.yaml'));
+            return files.map((f) => readFileSync(join(workflowDir, f), 'utf-8'));
+        }
+        catch {
+            return [];
+        }
+    }
+    /**
+     * Check that CI workflow files exist (publishing happens in CI, not locally).
+     */
+    checkCiOnlyPublishing(workflowDir, workflowContents) {
+        if (workflowContents.length === 0) {
+            return {
+                checkType: ReleaseIntegrityCheckType.CiOnlyPublishing,
+                passed: false,
+                message: 'No CI workflow files found in .github/workflows/. Publishing must happen in CI, not locally.',
+                severity: SecuritySeverity.Critical,
+            };
+        }
+        return {
+            checkType: ReleaseIntegrityCheckType.CiOnlyPublishing,
+            passed: true,
+            message: 'CI workflow files found. Publishing is configured for CI execution.',
+            severity: SecuritySeverity.Critical,
+        };
+    }
+    /**
+     * Check that tokens are referenced as secrets, not hardcoded.
+     * Scans for known token env var names and verifies they use ${{ secrets.* }}.
+     */
+    checkSecretConfiguration(workflowContents) {
+        const allContent = workflowContents.join('\n');
+        const lines = allContent.split('\n');
+        for (const line of lines) {
+            const trimmed = line.trim();
+            for (const tokenName of TOKEN_ENV_NAMES) {
+                // Match lines like "NPM_TOKEN: value" or "NPM_TOKEN: 'value'"
+                const pattern = new RegExp(`^${tokenName}\\s*:\\s*(.+)$`);
+                const match = pattern.exec(trimmed);
+                if (match) {
+                    const value = match[1].trim();
+                    // Value must contain a secrets.* reference to be safe
+                    if (!SECRETS_REF_PATTERN.test(value)) {
+                        return {
+                            checkType: ReleaseIntegrityCheckType.SecretConfiguration,
+                            passed: false,
+                            message: 'Hardcoded token detected in workflow files. Tokens must use ${{ secrets.* }} references.',
+                            severity: SecuritySeverity.Critical,
+                        };
+                    }
+                }
+            }
+        }
+        return {
+            checkType: ReleaseIntegrityCheckType.SecretConfiguration,
+            passed: true,
+            message: 'Tokens are properly referenced using ${{ secrets.* }} expressions.',
+            severity: SecuritySeverity.Critical,
+        };
+    }
+    /**
+     * Check that npm publish commands include --provenance flag.
+     */
+    checkProvenanceConfiguration(workflowContents) {
+        const allContent = workflowContents.join('\n');
+        // If no npm publish commands found, provenance is not applicable
+        if (!NPM_PUBLISH_PATTERN.test(allContent)) {
+            return [];
+        }
+        // Check if all npm publish commands have --provenance
+        const lines = allContent.split('\n');
+        let hasPublishWithoutProvenance = false;
+        for (const line of lines) {
+            if (NPM_PUBLISH_PATTERN.test(line) && !PROVENANCE_FLAG_PATTERN.test(line)) {
+                hasPublishWithoutProvenance = true;
+                break;
+            }
+        }
+        if (hasPublishWithoutProvenance) {
+            return [
+                {
+                    checkType: ReleaseIntegrityCheckType.ProvenanceConfiguration,
+                    passed: false,
+                    message: 'npm publish command found without --provenance flag. Add --provenance to generate SLSA provenance attestations.',
+                    severity: SecuritySeverity.Medium,
+                },
+            ];
+        }
+        return [
+            {
+                checkType: ReleaseIntegrityCheckType.ProvenanceConfiguration,
+                passed: true,
+                message: 'npm publish commands include --provenance flag for SLSA provenance.',
+                severity: SecuritySeverity.Medium,
+            },
+        ];
+    }
+    /**
+     * Check workflow integrity (semantic-release is configured).
+     */
+    checkWorkflowIntegrity(workflowContents) {
+        const allContent = workflowContents.join('\n');
+        if (!SEMANTIC_RELEASE_PATTERN.test(allContent)) {
+            return {
+                checkType: ReleaseIntegrityCheckType.WorkflowIntegrity,
+                passed: false,
+                message: 'semantic-release not found in CI workflows. Automated release management is recommended.',
+                severity: SecuritySeverity.Medium,
+            };
+        }
+        return {
+            checkType: ReleaseIntegrityCheckType.WorkflowIntegrity,
+            passed: true,
+            message: 'semantic-release is configured in CI workflows.',
+            severity: SecuritySeverity.Medium,
+        };
+    }
+}

package/dist/packages/core/src/infrastructure/services/security/security-policy-file-reader.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Security Policy File Reader
+ *
+ * Reads and parses shep.security.yaml from a repository root using js-yaml.
+ * Returns the parsed object or null if the file does not exist.
+ * Throws with actionable messages on YAML syntax errors.
+ *
+ * Uses DEFAULT_SCHEMA to prevent arbitrary code execution from YAML tags.
+ */
+import type { SecurityPolicy } from '../../../domain/generated/output.js';
+/**
+ * The filename for the security policy file at the repository root.
+ */
+export declare const SECURITY_POLICY_FILENAME = "shep.security.yaml";
+/**
+ * Reads and parses the security policy YAML file from a repository.
+ */
+export declare class SecurityPolicyFileReader {
+    /**
+     * Read and parse the security policy file from the given repository path.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns Parsed policy object, or null if file does not exist or is empty
+     * @throws Error with actionable message if YAML is malformed
+     */
+    read(repositoryPath: string): Promise<Partial<SecurityPolicy> | null>;
+}
+//# sourceMappingURL=security-policy-file-reader.d.ts.map

package/dist/packages/core/src/infrastructure/services/security/security-policy-file-reader.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-policy-file-reader.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/security/security-policy-file-reader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,wBAAwB,uBAAuB,CAAC;AAE7D;;GAEG;AACH,qBAAa,wBAAwB;IACnC;;;;;;OAMG;IACG,IAAI,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC;CA0B5E"}

package/dist/packages/core/src/infrastructure/services/security/security-policy-file-reader.js ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * Security Policy File Reader
+ *
+ * Reads and parses shep.security.yaml from a repository root using js-yaml.
+ * Returns the parsed object or null if the file does not exist.
+ * Throws with actionable messages on YAML syntax errors.
+ *
+ * Uses DEFAULT_SCHEMA to prevent arbitrary code execution from YAML tags.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import yaml from 'js-yaml';
+/**
+ * The filename for the security policy file at the repository root.
+ */
+export const SECURITY_POLICY_FILENAME = 'shep.security.yaml';
+/**
+ * Reads and parses the security policy YAML file from a repository.
+ */
+export class SecurityPolicyFileReader {
+    /**
+     * Read and parse the security policy file from the given repository path.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns Parsed policy object, or null if file does not exist or is empty
+     * @throws Error with actionable message if YAML is malformed
+     */
+    async read(repositoryPath) {
+        const filePath = join(repositoryPath, SECURITY_POLICY_FILENAME);
+        if (!existsSync(filePath)) {
+            return null;
+        }
+        const content = readFileSync(filePath, 'utf-8');
+        try {
+            const parsed = yaml.load(content, {
+                schema: yaml.DEFAULT_SCHEMA,
+                filename: SECURITY_POLICY_FILENAME,
+            });
+            // Empty file or comment-only file yields null/undefined
+            if (parsed == null || typeof parsed !== 'object') {
+                return null;
+            }
+            return parsed;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to parse ${SECURITY_POLICY_FILENAME}: ${message}`);
+        }
+    }
+}

package/dist/packages/core/src/infrastructure/services/security/security-policy-validator.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Security Policy Validator
+ *
+ * Validates a parsed security policy object against the expected schema.
+ * Checks required fields, valid enum values, contradictory rules,
+ * and reasonable input limits. Returns structured validation results
+ * with per-field error messages.
+ */
+import type { PolicyValidationResult } from '../../../application/ports/output/services/security-policy-service.interface.js';
+/**
+ * Validates parsed security policy objects against the expected schema.
+ */
+export declare class SecurityPolicyValidator {
+    /**
+     * Validate a parsed policy object.
+     *
+     * @param policy - The parsed policy object (from YAML)
+     * @returns Validation result with errors array
+     */
+    validate(policy: Record<string, unknown>): PolicyValidationResult;
+    private validateActionDispositions;
+    private validateDependencyRules;
+    private validateReleaseRules;
+    private validateStringList;
+}
+//# sourceMappingURL=security-policy-validator.d.ts.map

package/dist/packages/core/src/infrastructure/services/security/security-policy-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-policy-validator.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/security/security-policy-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,iFAAiF,CAAC;AAY9H;;GAEG;AACH,qBAAa,uBAAuB;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,sBAAsB;IAiCjE,OAAO,CAAC,0BAA0B;IAwDlC,OAAO,CAAC,uBAAuB;IAgC/B,OAAO,CAAC,oBAAoB;IAqB5B,OAAO,CAAC,kBAAkB;CAgB3B"}