npm - @shepai/cli - Versions diffs - 1.170.0 → 1.171.0-pr527.e2ee839 - Mend

@shepai/cli 1.170.0 → 1.171.0-pr527.e2ee839

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (464) hide show

package/dist/packages/core/src/infrastructure/services/security/security-policy-validator.js ADDED Viewed

@@ -0,0 +1,147 @@
+/**
+ * Security Policy Validator
+ *
+ * Validates a parsed security policy object against the expected schema.
+ * Checks required fields, valid enum values, contradictory rules,
+ * and reasonable input limits. Returns structured validation results
+ * with per-field error messages.
+ */
+import { SecurityMode, SecurityActionCategory, SecurityActionDisposition, } from '../../../domain/generated/output.js';
+/** Maximum number of action disposition entries allowed */
+const MAX_ACTION_DISPOSITIONS = 100;
+/** Maximum number of entries in allowlist or denylist */
+const MAX_LIST_ENTRIES = 100;
+const VALID_MODES = Object.values(SecurityMode);
+const VALID_CATEGORIES = Object.values(SecurityActionCategory);
+const VALID_DISPOSITIONS = Object.values(SecurityActionDisposition);
+/**
+ * Validates parsed security policy objects against the expected schema.
+ */
+export class SecurityPolicyValidator {
+    /**
+     * Validate a parsed policy object.
+     *
+     * @param policy - The parsed policy object (from YAML)
+     * @returns Validation result with errors array
+     */
+    validate(policy) {
+        const errors = [];
+        // Validate mode (optional, but if present must be valid)
+        if (policy.mode !== undefined) {
+            if (!VALID_MODES.includes(policy.mode)) {
+                errors.push(`Invalid mode: "${String(policy.mode)}". Valid values: ${VALID_MODES.join(', ')}`);
+            }
+        }
+        // Validate actionDispositions (optional, but if present must be valid)
+        if (policy.actionDispositions !== undefined) {
+            this.validateActionDispositions(policy.actionDispositions, errors);
+        }
+        // Validate dependencyRules (optional, but if present must be valid)
+        if (policy.dependencyRules !== undefined) {
+            this.validateDependencyRules(policy.dependencyRules, errors);
+        }
+        // Validate releaseRules (optional, but if present must be valid)
+        if (policy.releaseRules !== undefined) {
+            this.validateReleaseRules(policy.releaseRules, errors);
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+        };
+    }
+    validateActionDispositions(value, errors) {
+        if (!Array.isArray(value)) {
+            errors.push('actionDispositions must be an array');
+            return;
+        }
+        if (value.length > MAX_ACTION_DISPOSITIONS) {
+            errors.push(`actionDispositions exceeds limit: ${value.length} entries (max ${MAX_ACTION_DISPOSITIONS})`);
+            return;
+        }
+        // Track categories to detect contradictions
+        const categoryToDisposition = new Map();
+        for (let i = 0; i < value.length; i++) {
+            const entry = value[i];
+            if (!entry || typeof entry !== 'object') {
+                errors.push(`actionDispositions[${i}] must be an object`);
+                continue;
+            }
+            const category = entry.category;
+            const disposition = entry.disposition;
+            if (!VALID_CATEGORIES.includes(category)) {
+                errors.push(`actionDispositions[${i}].category: invalid value "${String(category)}". Valid values: ${VALID_CATEGORIES.join(', ')}`);
+            }
+            if (!VALID_DISPOSITIONS.includes(disposition)) {
+                errors.push(`actionDispositions[${i}].disposition: invalid value "${String(disposition)}". Valid values: ${VALID_DISPOSITIONS.join(', ')}`);
+            }
+            // Check for contradictory entries (same category, different disposition)
+            if (VALID_CATEGORIES.includes(category) &&
+                VALID_DISPOSITIONS.includes(disposition)) {
+                const existing = categoryToDisposition.get(category);
+                if (existing !== undefined && existing !== disposition) {
+                    errors.push(`Contradictory action dispositions for category "${category}": "${existing}" vs "${disposition}"`);
+                }
+                else {
+                    categoryToDisposition.set(category, disposition);
+                }
+            }
+        }
+    }
+    validateDependencyRules(value, errors) {
+        if (!value || typeof value !== 'object') {
+            errors.push('dependencyRules must be an object');
+            return;
+        }
+        const rules = value;
+        // Validate boolean fields
+        const booleanFields = [
+            'checkLockfileConsistency',
+            'checkLifecycleScripts',
+            'checkNonRegistrySource',
+            'enforceStrictVersionRanges',
+        ];
+        for (const field of booleanFields) {
+            if (rules[field] !== undefined && typeof rules[field] !== 'boolean') {
+                errors.push(`dependencyRules.${field} must be a boolean, got ${typeof rules[field]}`);
+            }
+        }
+        // Validate list fields
+        if (rules.allowlist !== undefined) {
+            this.validateStringList('dependencyRules.allowlist', rules.allowlist, errors);
+        }
+        if (rules.denylist !== undefined) {
+            this.validateStringList('dependencyRules.denylist', rules.denylist, errors);
+        }
+    }
+    validateReleaseRules(value, errors) {
+        if (!value || typeof value !== 'object') {
+            errors.push('releaseRules must be an object');
+            return;
+        }
+        const rules = value;
+        const booleanFields = [
+            'requireCiOnlyPublishing',
+            'requireProvenance',
+            'checkWorkflowIntegrity',
+        ];
+        for (const field of booleanFields) {
+            if (rules[field] !== undefined && typeof rules[field] !== 'boolean') {
+                errors.push(`releaseRules.${field} must be a boolean, got ${typeof rules[field]}`);
+            }
+        }
+    }
+    validateStringList(path, value, errors) {
+        if (!Array.isArray(value)) {
+            errors.push(`${path} must be an array`);
+            return;
+        }
+        if (value.length > MAX_LIST_ENTRIES) {
+            errors.push(`${path} exceeds limit: ${value.length} entries (max ${MAX_LIST_ENTRIES})`);
+        }
+        for (let i = 0; i < value.length; i++) {
+            if (typeof value[i] !== 'string') {
+                errors.push(`${path}[${i}] must be a string`);
+            }
+        }
+    }
+}

package/dist/packages/core/src/infrastructure/services/security/security-policy.service.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Security Policy Service
+ *
+ * Central policy engine implementing ISecurityPolicyService.
+ * Reads the policy file, validates it, merges with persisted settings defaults
+ * using deterministic precedence, and returns an EffectivePolicySnapshot.
+ *
+ * Precedence: global settings defaults < repository policy file (stricter wins).
+ * A lower-precedence layer cannot weaken a stricter higher-precedence rule.
+ */
+import { SecurityActionCategory, SecurityActionDisposition } from '../../../domain/generated/output.js';
+import type { EffectivePolicySnapshot } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService, PolicyValidationResult } from '../../../application/ports/output/services/security-policy-service.interface.js';
+import type { ISettingsRepository } from '../../../application/ports/output/repositories/settings.repository.interface.js';
+import { SecurityPolicyFileReader } from './security-policy-file-reader.js';
+import { SecurityPolicyValidator } from './security-policy-validator.js';
+export declare class SecurityPolicyService implements ISecurityPolicyService {
+    private readonly fileReader;
+    private readonly validator;
+    private readonly settingsRepo;
+    private readonly cache;
+    constructor(fileReader: SecurityPolicyFileReader, validator: SecurityPolicyValidator, settingsRepo: ISettingsRepository);
+    evaluatePolicy(repositoryPath: string): Promise<EffectivePolicySnapshot>;
+    getEffectivePolicy(repositoryPath: string): Promise<EffectivePolicySnapshot>;
+    validatePolicyFile(filePath: string): Promise<PolicyValidationResult>;
+    getActionDisposition(policy: EffectivePolicySnapshot, actionCategory: SecurityActionCategory): SecurityActionDisposition;
+    /**
+     * Build a default snapshot from settings mode only (no policy file).
+     */
+    private buildDefaultSnapshot;
+    /**
+     * Merge settings defaults with policy file, applying strict-wins precedence.
+     */
+    private mergePolicy;
+    /**
+     * Return the stricter of two SecurityMode values.
+     */
+    private stricterMode;
+    /**
+     * Return the stricter of two SecurityActionDisposition values.
+     */
+    private stricterDisposition;
+}
+//# sourceMappingURL=security-policy.service.d.ts.map

package/dist/packages/core/src/infrastructure/services/security/security-policy.service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-policy.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/security/security-policy.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAEL,sBAAsB,EACtB,yBAAyB,EAC1B,MAAM,qCAAqC,CAAC;AAC7C,OAAO,KAAK,EACV,uBAAuB,EAGxB,MAAM,qCAAqC,CAAC;AAC7C,OAAO,KAAK,EACV,sBAAsB,EACtB,sBAAsB,EACvB,MAAM,iFAAiF,CAAC;AACzF,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iFAAiF,CAAC;AAC3H,OAAO,EACL,wBAAwB,EAEzB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AA4BzE,qBACa,qBAAsB,YAAW,sBAAsB;IAKhE,OAAO,CAAC,QAAQ,CAAC,UAAU;IAE3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAE1B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAR/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA8C;gBAIjD,UAAU,EAAE,wBAAwB,EAEpC,SAAS,EAAE,uBAAuB,EAElC,YAAY,EAAE,mBAAmB;IAG9C,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC;IA6BxE,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAQ5E,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAY3E,oBAAoB,CAClB,MAAM,EAAE,uBAAuB,EAC/B,cAAc,EAAE,sBAAsB,GACrC,yBAAyB;IAK5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAY5B;;OAEG;IACH,OAAO,CAAC,WAAW;IAuCnB;;OAEG;IACH,OAAO,CAAC,YAAY;IAMpB;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAQ5B"}

package/dist/packages/core/src/infrastructure/services/security/security-policy.service.js ADDED Viewed

@@ -0,0 +1,174 @@
+/**
+ * Security Policy Service
+ *
+ * Central policy engine implementing ISecurityPolicyService.
+ * Reads the policy file, validates it, merges with persisted settings defaults
+ * using deterministic precedence, and returns an EffectivePolicySnapshot.
+ *
+ * Precedence: global settings defaults < repository policy file (stricter wins).
+ * A lower-precedence layer cannot weaken a stricter higher-precedence rule.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecurityActionCategory, SecurityActionDisposition, } from '../../../domain/generated/output.js';
+import { SecurityPolicyFileReader, SECURITY_POLICY_FILENAME, } from './security-policy-file-reader.js';
+import { SecurityPolicyValidator } from './security-policy-validator.js';
+import { dirname } from 'node:path';
+/**
+ * Numeric rank for comparing SecurityMode strictness.
+ * Higher number = stricter mode.
+ */
+const MODE_STRICTNESS = {
+    [SecurityMode.Disabled]: 0,
+    [SecurityMode.Advisory]: 1,
+    [SecurityMode.Enforce]: 2,
+};
+/**
+ * Numeric rank for comparing disposition strictness.
+ * Higher number = more restrictive.
+ */
+const DISPOSITION_STRICTNESS = {
+    [SecurityActionDisposition.Allowed]: 0,
+    [SecurityActionDisposition.ApprovalRequired]: 1,
+    [SecurityActionDisposition.Denied]: 2,
+};
+/**
+ * All action categories for building default dispositions.
+ */
+const ALL_CATEGORIES = Object.values(SecurityActionCategory);
+let SecurityPolicyService = class SecurityPolicyService {
+    fileReader;
+    validator;
+    settingsRepo;
+    cache = new Map();
+    constructor(fileReader, validator, settingsRepo) {
+        this.fileReader = fileReader;
+        this.validator = validator;
+        this.settingsRepo = settingsRepo;
+    }
+    async evaluatePolicy(repositoryPath) {
+        // Load settings defaults
+        const settings = await this.settingsRepo.load();
+        const settingsMode = settings?.security?.mode ?? SecurityMode.Advisory;
+        // Read policy file
+        const policyFile = await this.fileReader.read(repositoryPath);
+        if (!policyFile) {
+            // No policy file — use settings defaults
+            const snapshot = this.buildDefaultSnapshot(settingsMode);
+            this.cache.set(repositoryPath, snapshot);
+            return snapshot;
+        }
+        // Validate policy file
+        const validation = this.validator.validate(policyFile);
+        if (!validation.valid) {
+            throw new Error(`Security policy validation failed for ${repositoryPath}:\n${validation.errors.join('\n')}`);
+        }
+        // Merge with precedence: settings defaults < policy file (stricter wins)
+        const snapshot = this.mergePolicy(settingsMode, policyFile);
+        this.cache.set(repositoryPath, snapshot);
+        return snapshot;
+    }
+    async getEffectivePolicy(repositoryPath) {
+        const cached = this.cache.get(repositoryPath);
+        if (cached) {
+            return cached;
+        }
+        return this.evaluatePolicy(repositoryPath);
+    }
+    async validatePolicyFile(filePath) {
+        // Read the file from the directory containing it
+        const dirPath = dirname(filePath);
+        const policyFile = await this.fileReader.read(dirPath);
+        if (!policyFile) {
+            return { valid: true, errors: [] };
+        }
+        return this.validator.validate(policyFile);
+    }
+    getActionDisposition(policy, actionCategory) {
+        const entry = policy.actionDispositions.find((d) => d.category === actionCategory);
+        return entry?.disposition ?? SecurityActionDisposition.Allowed;
+    }
+    /**
+     * Build a default snapshot from settings mode only (no policy file).
+     */
+    buildDefaultSnapshot(mode) {
+        return {
+            mode,
+            source: 'settings-default',
+            evaluatedAt: new Date().toISOString(),
+            actionDispositions: ALL_CATEGORIES.map((category) => ({
+                category,
+                disposition: SecurityActionDisposition.Allowed,
+            })),
+        };
+    }
+    /**
+     * Merge settings defaults with policy file, applying strict-wins precedence.
+     */
+    mergePolicy(settingsMode, policyFile) {
+        // Mode: stricter wins
+        const fileMode = policyFile.mode ?? SecurityMode.Advisory;
+        const effectiveMode = this.stricterMode(settingsMode, fileMode);
+        // Action dispositions: merge file entries with defaults, stricter wins
+        const dispositionMap = new Map();
+        // Start with defaults (all Allowed)
+        for (const category of ALL_CATEGORIES) {
+            dispositionMap.set(category, SecurityActionDisposition.Allowed);
+        }
+        // Apply policy file entries (can only make stricter, not weaker)
+        if (policyFile.actionDispositions) {
+            for (const entry of policyFile.actionDispositions) {
+                const current = dispositionMap.get(entry.category);
+                if (current !== undefined) {
+                    dispositionMap.set(entry.category, this.stricterDisposition(current, entry.disposition));
+                }
+            }
+        }
+        const actionDispositions = [];
+        for (const [category, disposition] of dispositionMap) {
+            actionDispositions.push({ category, disposition });
+        }
+        return {
+            mode: effectiveMode,
+            source: SECURITY_POLICY_FILENAME,
+            evaluatedAt: new Date().toISOString(),
+            actionDispositions,
+        };
+    }
+    /**
+     * Return the stricter of two SecurityMode values.
+     */
+    stricterMode(a, b) {
+        const rankA = MODE_STRICTNESS[a] ?? 0;
+        const rankB = MODE_STRICTNESS[b] ?? 0;
+        return rankA >= rankB ? a : b;
+    }
+    /**
+     * Return the stricter of two SecurityActionDisposition values.
+     */
+    stricterDisposition(a, b) {
+        const rankA = DISPOSITION_STRICTNESS[a] ?? 0;
+        const rankB = DISPOSITION_STRICTNESS[b] ?? 0;
+        return rankA >= rankB ? a : b;
+    }
+};
+SecurityPolicyService = __decorate([
+    injectable(),
+    __param(0, inject('SecurityPolicyFileReader')),
+    __param(1, inject('SecurityPolicyValidator')),
+    __param(2, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [SecurityPolicyFileReader,
+        SecurityPolicyValidator, Object])
+], SecurityPolicyService);
+export { SecurityPolicyService };

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.d.ts CHANGED Viewed

@@ -8,6 +8,7 @@
 import type { ISpecInitializerService, SpecInitializerResult } from '../../../application/ports/output/services/spec-initializer.interface.js';
 export declare class SpecInitializerService implements ISpecInitializerService {
     initialize(basePath: string, slug: string, featureNumber: number, description: string, mode?: 'fast'): Promise<SpecInitializerResult>;
+    scaffoldSecurityPolicy(repositoryPath: string): Promise<string>;
     /**
      * Scan specs/ for existing NNN-* directories and return the next available number.
      * Uses the DB-derived hint as a minimum, but always respects filesystem state.

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"spec-initializer.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/spec/spec-initializer.service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EACV,uBAAuB,EACvB,qBAAqB,EACtB,MAAM,mEAAmE,CAAC;~~AA8P3E~~,qBAAa,sBAAuB,YAAW,uBAAuB;IAC9D,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;~~IAqCjC~~;;;OAGG;YACW,iBAAiB;CAoBhC"}
1	+ {"version":3,"file":"spec-initializer.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/spec/spec-initializer.service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EACV,uBAAuB,EACvB,qBAAqB,EACtB,MAAM,mEAAmE,CAAC;AAwT3E,qBAAa,sBAAuB,YAAW,uBAAuB;IAC9D,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;IAqC3B,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAMrE;;;OAGG;YACW,iBAAiB;CAoBhC"}

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.js CHANGED Viewed

@@ -7,6 +7,7 @@
  */
 import { mkdir, readdir, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
+import { SECURITY_POLICY_FILENAME } from '../../services/security/security-policy-file-reader.js';
 /**
  * Pad a number to 3 digits with leading zeros.
  */
@@ -239,6 +240,61 @@ const TEMPLATES = [
     { filename: 'tasks.yaml', content: TASKS_YAML },
     { filename: 'feature.yaml', content: FEATURE_YAML },
 ];
+// ─── Security Policy Template ─────────────────────────────────────
+// Baseline shep.security.yaml for new repositories.
+const SECURITY_POLICY_YAML = `# Shep Supply Chain Security Policy
+# This file defines the security posture for this repository.
+# Shep evaluates this policy during agent execution and CI enforcement.
+#
+# Docs: https://shep.bot/docs/security/policy
+# Security mode controls enforcement behavior:
+#   Disabled  - Security checks are skipped entirely
+#   Advisory  - Checks run and findings are reported, but nothing is blocked
+#   Enforce   - Checks run and violations block agent actions and CI jobs
+mode: Advisory
+# Action dispositions control how the agent handles each action category.
+# Each entry maps a category to a disposition:
+#   Allowed          - Action proceeds without interruption
+#   Denied           - Action is blocked before execution
+#   ApprovalRequired - Action pauses for human approval via HITL gate
+actionDispositions:
+  - category: DependencyInstall
+    disposition: ApprovalRequired
+  - category: PackageScriptExec
+    disposition: ApprovalRequired
+  - category: CiWorkflowModify
+    disposition: ApprovalRequired
+  - category: PublishRelease
+    disposition: Denied
+  - category: SandboxEscalation
+    disposition: Denied
+# Dependency risk rules evaluated by "shep security enforce"
+dependencyRules:
+  # Verify lockfile matches package.json (detects phantom dependencies)
+  checkLockfileConsistency: true
+  # Flag packages with risky lifecycle scripts (preinstall, postinstall)
+  checkLifecycleScripts: true
+  # Flag dependencies sourced from git, file, or HTTP instead of registry
+  checkNonRegistrySource: true
+  # Require exact versions (no ^, ~, *, >= ranges)
+  enforceStrictVersionRanges: false
+  # Packages explicitly allowed (empty = allow all registry packages)
+  allowlist: []
+  # Packages explicitly blocked (takes precedence over allowlist)
+  denylist: []
+# Release integrity rules for publish-path enforcement
+releaseRules:
+  # Require publishing only from CI (not local machines)
+  requireCiOnlyPublishing: true
+  # Require npm provenance attestation on published packages
+  requireProvenance: true
+  # Check that release workflow has not been tampered with
+  checkWorkflowIntegrity: true
+`;
 export class SpecInitializerService {
     async initialize(basePath, slug, featureNumber, description, mode) {
         // Scan existing specs/ directory for highest NNN prefix to avoid collisions
@@ -262,6 +318,11 @@ export class SpecInitializerService {
         await Promise.all(templates.map(({ filename, content }) => writeFile(join(specDir, filename), applyTemplate(content, vars), 'utf-8')));
         return { specDir, featureNumber: nnn };
     }
+    async scaffoldSecurityPolicy(repositoryPath) {
+        const filePath = join(repositoryPath, SECURITY_POLICY_FILENAME);
+        await writeFile(filePath, SECURITY_POLICY_YAML, 'utf-8');
+        return filePath;
+    }
     /**
      * Scan specs/ for existing NNN-* directories and return the next available number.
      * Uses the DB-derived hint as a minimum, but always respects filesystem state.

package/dist/src/presentation/cli/commands/security.command.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Security Command Group
+ *
+ * Top-level security command with subcommands for supply-chain security
+ * policy management and enforcement.
+ *
+ * Usage:
+ *   shep security enforce          Evaluate and enforce security posture
+ *   shep security enforce --output json   Machine-readable output for CI
+ */
+import { Command } from 'commander';
+/**
+ * Create the security command group with all subcommands.
+ */
+export declare function createSecurityCommand(): Command;
+//# sourceMappingURL=security.command.d.ts.map

package/dist/src/presentation/cli/commands/security.command.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"security.command.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/cli/commands/security.command.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQpC;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAqH/C"}

package/dist/src/presentation/cli/commands/security.command.js ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * Security Command Group
+ *
+ * Top-level security command with subcommands for supply-chain security
+ * policy management and enforcement.
+ *
+ * Usage:
+ *   shep security enforce          Evaluate and enforce security posture
+ *   shep security enforce --output json   Machine-readable output for CI
+ */
+import { Command } from 'commander';
+import { container } from '../../../../packages/core/src/infrastructure/di/container.js';
+import { EnforceSecurityUseCase } from '../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.js';
+import { SecurityMode } from '../../../../packages/core/src/domain/generated/output.js';
+import { colors, fmt, messages } from '../ui/index.js';
+import { OutputFormatter } from '../ui/output.js';
+import { getCliI18n } from '../i18n.js';
+/**
+ * Create the security command group with all subcommands.
+ */
+export function createSecurityCommand() {
+    const t = getCliI18n().t;
+    const security = new Command('security').description(t('cli:commands.security.description'));
+    security
+        .command('enforce')
+        .description(t('cli:commands.security.enforce.description'))
+        .option('-r, --repo <path>', t('cli:commands.security.enforce.repoOption'), process.cwd())
+        .option('-o, --output <format>', t('cli:commands.security.enforce.outputOption'), 'table')
+        .action(async (options) => {
+        try {
+            const useCase = container.resolve(EnforceSecurityUseCase);
+            const result = await useCase.execute({ repositoryPath: options.repo });
+            const outputFormat = options.output;
+            if (outputFormat === 'json' || outputFormat === 'yaml') {
+                // Machine-readable output
+                console.log(OutputFormatter.format(result, outputFormat));
+            }
+            else {
+                // Human-readable table output
+                messages.newline();
+                if (result.mode === SecurityMode.Disabled) {
+                    messages.info(t('cli:commands.security.enforce.disabledNote'));
+                    messages.newline();
+                }
+                else {
+                    // Summary header
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.modeLabel'))}:     ${result.mode}`);
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.sourceLabel'))}:   ${result.policy.source}`);
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.totalFindingsLabel'))}: ${result.totalFindings}`);
+                    messages.newline();
+                    // Dependency findings
+                    if (result.dependencyFindings.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.dependencyFindingsLabel')));
+                        for (const finding of result.dependencyFindings) {
+                            const severityColor = finding.severity === 'Critical' || finding.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${finding.severity}]`)} ${finding.packageName}: ${finding.message}`);
+                            if (finding.remediation) {
+                                console.log(`    ${colors.muted(finding.remediation)}`);
+                            }
+                        }
+                        messages.newline();
+                    }
+                    // Release integrity
+                    const failedChecks = result.releaseIntegrity.checks.filter((c) => !c.passed);
+                    if (failedChecks.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.releaseIntegrityLabel')));
+                        for (const check of failedChecks) {
+                            const severityColor = check.severity === 'Critical' || check.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${check.severity}]`)} ${check.message}`);
+                        }
+                        messages.newline();
+                    }
+                    // Governance findings (audit-only)
+                    if (result.governanceFindings.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.governanceFindingsLabel')));
+                        for (const finding of result.governanceFindings) {
+                            const severityColor = finding.severity === 'Critical' || finding.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${finding.severity}]`)} ${finding.message}`);
+                            if (finding.remediation) {
+                                console.log(`    ${colors.muted(finding.remediation)}`);
+                            }
+                        }
+                        messages.newline();
+                    }
+                    // Result
+                    if (result.totalFindings === 0) {
+                        messages.info(t('cli:commands.security.enforce.noFindings'));
+                    }
+                    if (result.passed) {
+                        messages.success(t('cli:commands.security.enforce.passed'));
+                        if (result.mode === SecurityMode.Advisory && result.totalFindings > 0) {
+                            messages.info(t('cli:commands.security.enforce.advisoryNote'));
+                        }
+                    }
+                    else {
+                        messages.error(t('cli:commands.security.enforce.failed'));
+                    }
+                }
+                messages.newline();
+            }
+            if (!result.passed) {
+                process.exitCode = 1;
+            }
+        }
+        catch (error) {
+            const err = error instanceof Error ? error : new Error(String(error));
+            messages.error(t('cli:commands.security.enforce.failedToEnforce'), err);
+            process.exitCode = 1;
+        }
+    });
+    return security;
+}

package/dist/src/presentation/cli/commands/upgrade.command.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"upgrade.command.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/cli/commands/upgrade.command.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,KAAK,IAAI,YAAY,EAAqB,MAAM,oBAAoB,CAAC;~~AAS9E~~,KAAK,OAAO,GAAG,OAAO,YAAY,CAAC;~~AA8EnC~~;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,OAAsB,GAAG,OAAO,~~CAqE7E~~"}
1	+ {"version":3,"file":"upgrade.command.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/cli/commands/upgrade.command.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,KAAK,IAAI,YAAY,EAAqB,MAAM,oBAAoB,CAAC;AAY9E,KAAK,OAAO,GAAG,OAAO,YAAY,CAAC;AA8InC;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,OAAsB,GAAG,OAAO,CA6E7E"}