@shepai/cli 1.174.0 → 1.175.0-pr527.9ada632

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.d.ts

@@ -8,6 +8,7 @@
 import type { ISpecInitializerService, SpecInitializerResult } from '../../../application/ports/output/services/spec-initializer.interface.js';
 export declare class SpecInitializerService implements ISpecInitializerService {
     initialize(basePath: string, slug: string, featureNumber: number, description: string, mode?: 'fast'): Promise<SpecInitializerResult>;
+    scaffoldSecurityPolicy(repositoryPath: string): Promise<string>;
     /**
      * Scan specs/ for existing NNN-* directories and return the next available number.
      * Uses the DB-derived hint as a minimum, but always respects filesystem state.

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"spec-initializer.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/spec/spec-initializer.service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EACV,uBAAuB,EACvB,qBAAqB,EACtB,MAAM,mEAAmE,CAAC;AA8P3E,qBAAa,sBAAuB,YAAW,uBAAuB;IAC9D,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;IAqCjC;;;OAGG;YACW,iBAAiB;CAoBhC"}
+{"version":3,"file":"spec-initializer.service.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/infrastructure/services/spec/spec-initializer.service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EACV,uBAAuB,EACvB,qBAAqB,EACtB,MAAM,mEAAmE,CAAC;AAwT3E,qBAAa,sBAAuB,YAAW,uBAAuB;IAC9D,UAAU,CACd,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;IAqC3B,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAMrE;;;OAGG;YACW,iBAAiB;CAoBhC"}

package/dist/packages/core/src/infrastructure/services/spec/spec-initializer.service.js

@@ -7,6 +7,7 @@
  */
 import { mkdir, readdir, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
+import { SECURITY_POLICY_FILENAME } from '../../services/security/security-policy-file-reader.js';
 /**
  * Pad a number to 3 digits with leading zeros.
  */
@@ -239,6 +240,61 @@ const TEMPLATES = [
     { filename: 'tasks.yaml', content: TASKS_YAML },
     { filename: 'feature.yaml', content: FEATURE_YAML },
 ];
+// ─── Security Policy Template ─────────────────────────────────────
+// Baseline shep.security.yaml for new repositories.
+const SECURITY_POLICY_YAML = `# Shep Supply Chain Security Policy
+# This file defines the security posture for this repository.
+# Shep evaluates this policy during agent execution and CI enforcement.
+#
+# Docs: https://shep.bot/docs/security/policy
+
+# Security mode controls enforcement behavior:
+#   Disabled  - Security checks are skipped entirely
+#   Advisory  - Checks run and findings are reported, but nothing is blocked
+#   Enforce   - Checks run and violations block agent actions and CI jobs
+mode: Advisory
+
+# Action dispositions control how the agent handles each action category.
+# Each entry maps a category to a disposition:
+#   Allowed          - Action proceeds without interruption
+#   Denied           - Action is blocked before execution
+#   ApprovalRequired - Action pauses for human approval via HITL gate
+actionDispositions:
+  - category: DependencyInstall
+    disposition: ApprovalRequired
+  - category: PackageScriptExec
+    disposition: ApprovalRequired
+  - category: CiWorkflowModify
+    disposition: ApprovalRequired
+  - category: PublishRelease
+    disposition: Denied
+  - category: SandboxEscalation
+    disposition: Denied
+
+# Dependency risk rules evaluated by "shep security enforce"
+dependencyRules:
+  # Verify lockfile matches package.json (detects phantom dependencies)
+  checkLockfileConsistency: true
+  # Flag packages with risky lifecycle scripts (preinstall, postinstall)
+  checkLifecycleScripts: true
+  # Flag dependencies sourced from git, file, or HTTP instead of registry
+  checkNonRegistrySource: true
+  # Require exact versions (no ^, ~, *, >= ranges)
+  enforceStrictVersionRanges: false
+  # Packages explicitly allowed (empty = allow all registry packages)
+  allowlist: []
+  # Packages explicitly blocked (takes precedence over allowlist)
+  denylist: []
+
+# Release integrity rules for publish-path enforcement
+releaseRules:
+  # Require publishing only from CI (not local machines)
+  requireCiOnlyPublishing: true
+  # Require npm provenance attestation on published packages
+  requireProvenance: true
+  # Check that release workflow has not been tampered with
+  checkWorkflowIntegrity: true
+`;
 export class SpecInitializerService {
     async initialize(basePath, slug, featureNumber, description, mode) {
         // Scan existing specs/ directory for highest NNN prefix to avoid collisions
@@ -262,6 +318,11 @@ export class SpecInitializerService {
         await Promise.all(templates.map(({ filename, content }) => writeFile(join(specDir, filename), applyTemplate(content, vars), 'utf-8')));
         return { specDir, featureNumber: nnn };
     }
+    async scaffoldSecurityPolicy(repositoryPath) {
+        const filePath = join(repositoryPath, SECURITY_POLICY_FILENAME);
+        await writeFile(filePath, SECURITY_POLICY_YAML, 'utf-8');
+        return filePath;
+    }
     /**
      * Scan specs/ for existing NNN-* directories and return the next available number.
      * Uses the DB-derived hint as a minimum, but always respects filesystem state.

package/dist/src/presentation/cli/commands/feat/new.command.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"new.command.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/cli/commands/feat/new.command.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAyEpC;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAsK1C"}
+{"version":3,"file":"new.command.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/cli/commands/feat/new.command.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA2EpC;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAmM1C"}

package/dist/src/presentation/cli/commands/feat/new.command.js

@@ -15,6 +15,7 @@ import { existsSync } from 'node:fs';
 import { join, resolve } from 'node:path';
 import { container } from '../../../../../packages/core/src/infrastructure/di/container.js';
 import { CreateFeatureUseCase } from '../../../../../packages/core/src/application/use-cases/features/create/create-feature.use-case.js';
+import { CreateFeatureFromRemoteUseCase } from '../../../../../packages/core/src/application/use-cases/features/create/create-feature-from-remote.use-case.js';
 import { SdlcLifecycle } from '../../../../../packages/core/src/domain/generated/output.js';
 import { colors, messages, spinner } from '../../ui/index.js';
 import { getCliI18n } from '../../i18n.js';
@@ -57,6 +58,7 @@ export function createNewCommand() {
         .description(t('cli:commands.feat.new.description'))
         .argument('<description>', t('cli:commands.feat.new.descriptionArgument'))
         .option('-r, --repo <path>', t('cli:commands.feat.new.repoOption'))
+        .option('--remote <url>', t('cli:commands.feat.new.remoteOption'))
         .option('--push', t('cli:commands.feat.new.pushOption'))
         .option('--pr', t('cli:commands.feat.new.prOption'))
         .option('--no-pr', t('cli:commands.feat.new.noPrOption'))
@@ -75,6 +77,12 @@ export function createNewCommand() {
         .option('--attach <path>', t('cli:commands.feat.new.attachOption'), collect, [])
         .action(async (description, options) => {
         try {
+            // Conflict check: --remote and --repo are mutually exclusive
+            if (options.remote && options.repo) {
+                messages.error(t('cli:commands.feat.new.remoteConflict'));
+                process.exitCode = 1;
+                return;
+            }
             // First-run onboarding gate — only for interactive terminals
             if (process.stdin.isTTY) {
                 const { isComplete } = await new CheckOnboardingStatusUseCase().execute();
@@ -82,7 +90,6 @@ export function createNewCommand() {
                     await onboardingWizard();
                 }
             }
-            const useCase = container.resolve(CreateFeatureUseCase);
             const repoPath = options.repo ?? process.cwd();
             // Resolve openPr from CLI flags or settings defaults
             const defaults = getWorkflowDefaults();
@@ -122,9 +129,8 @@ export function createNewCommand() {
                 }
             }
             const fast = options.fast ?? defaults.fast;
-            const result = await spinner(t('cli:commands.feat.new.spinnerText'), () => useCase.execute({
+            const commonInput = {
                 userInput: description,
-                repositoryPath: repoPath,
                 approvalGates,
                 push,
                 openPr,
@@ -133,9 +139,29 @@ export function createNewCommand() {
                 ...(fast && { fast: true }),
                 ...(options.model !== undefined && { model: options.model }),
                 ...(attachmentPaths.length > 0 && { attachmentPaths }),
-                ...(options.injectSkills !== undefined && { injectSkills: options.injectSkills }),
-                rebaseBeforeBranch: options.rebase,
-            }));
+            };
+            let result;
+            if (options.remote) {
+                // Remote path: clone (or fork) then create feature
+                const settings = getSettings();
+                const defaultCloneDir = settings.environment?.defaultCloneDirectory;
+                const remoteUseCase = container.resolve(CreateFeatureFromRemoteUseCase);
+                result = await spinner(t('cli:commands.feat.new.spinnerText'), () => remoteUseCase.execute({
+                    ...commonInput,
+                    remoteUrl: options.remote,
+                    defaultCloneDir,
+                }));
+            }
+            else {
+                // Local path: create feature on existing repo
+                const useCase = container.resolve(CreateFeatureUseCase);
+                result = await spinner(t('cli:commands.feat.new.spinnerText'), () => useCase.execute({
+                    ...commonInput,
+                    repositoryPath: repoPath,
+                    ...(options.injectSkills !== undefined && { injectSkills: options.injectSkills }),
+                    rebaseBeforeBranch: options.rebase,
+                }));
+            }
             const { feature, warning } = result;
             const repoHash = createHash('sha256').update(repoPath).digest('hex').slice(0, 16);
             const wtSlug = feature.branch.replace(/\//g, '-');

package/dist/src/presentation/cli/commands/repo/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/cli/commands/repo/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMpC;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAS3C"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/cli/commands/repo/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAOpC;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAU3C"}

package/dist/src/presentation/cli/commands/repo/index.js

@@ -15,6 +15,7 @@ import { Command } from 'commander';
 import { createShowCommand } from './show.command.js';
 import { createLsCommand } from './ls.command.js';
 import { createAddCommand } from './add.command.js';
+import { createInitRemoteCommand } from './init-remote.command.js';
 import { getCliI18n } from '../../i18n.js';
 /**
  * Create the repo command with all subcommands
@@ -25,6 +26,7 @@ export function createRepoCommand() {
         .description(t('cli:commands.repo.description'))
         .addCommand(createLsCommand())
         .addCommand(createShowCommand())
-        .addCommand(createAddCommand());
+        .addCommand(createAddCommand())
+        .addCommand(createInitRemoteCommand());
     return repo;
 }

package/dist/src/presentation/cli/commands/repo/init-remote.command.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Repo Init-Remote Command
+ *
+ * Creates a GitHub repository from a local repo that has no remote,
+ * configures the origin remote, and pushes the current branch.
+ *
+ * Usage:
+ *   shep repo init-remote              # Private repo, name from cwd basename
+ *   shep repo init-remote my-project   # Explicit repo name
+ *   shep repo init-remote --public     # Public repo
+ *   shep repo init-remote --org myorg  # Create under an organization
+ */
+import { Command } from 'commander';
+export declare function createInitRemoteCommand(): Command;
+//# sourceMappingURL=init-remote.command.d.ts.map

package/dist/src/presentation/cli/commands/repo/init-remote.command.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-remote.command.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/cli/commands/repo/init-remote.command.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMpC,wBAAgB,uBAAuB,IAAI,OAAO,CA6BjD"}

package/dist/src/presentation/cli/commands/repo/init-remote.command.js

@@ -0,0 +1,44 @@
+/**
+ * Repo Init-Remote Command
+ *
+ * Creates a GitHub repository from a local repo that has no remote,
+ * configures the origin remote, and pushes the current branch.
+ *
+ * Usage:
+ *   shep repo init-remote              # Private repo, name from cwd basename
+ *   shep repo init-remote my-project   # Explicit repo name
+ *   shep repo init-remote --public     # Public repo
+ *   shep repo init-remote --org myorg  # Create under an organization
+ */
+import { Command } from 'commander';
+import { container } from '../../../../../packages/core/src/infrastructure/di/container.js';
+import { InitRemoteRepositoryUseCase } from '../../../../../packages/core/src/application/use-cases/repositories/init-remote-repository.use-case.js';
+import { messages, colors } from '../../ui/index.js';
+import { getCliI18n } from '../../i18n.js';
+export function createInitRemoteCommand() {
+    const t = getCliI18n().t;
+    return new Command('init-remote')
+        .description(t('cli:commands.repo.initRemote.description'))
+        .argument('[name]', t('cli:commands.repo.initRemote.nameArgument'))
+        .option('--public', t('cli:commands.repo.initRemote.publicOption'))
+        .option('--org <name>', t('cli:commands.repo.initRemote.orgOption'))
+        .action(async (name, options) => {
+        try {
+            const useCase = container.resolve(InitRemoteRepositoryUseCase);
+            const cwd = process.cwd();
+            const result = await useCase.execute({
+                cwd,
+                name,
+                isPrivate: !options.public,
+                org: options.org,
+            });
+            messages.success(t('cli:commands.repo.initRemote.created', { name: result.name }));
+            console.log(`  ${colors.muted(t('cli:commands.repo.initRemote.urlLabel'))} ${colors.accent(result.url)}`);
+        }
+        catch (error) {
+            const err = error instanceof Error ? error : new Error(String(error));
+            messages.error(t('cli:commands.repo.initRemote.failed'), err);
+            process.exitCode = 1;
+        }
+    });
+}

package/dist/src/presentation/cli/commands/security.command.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Security Command Group
+ *
+ * Top-level security command with subcommands for supply-chain security
+ * policy management and enforcement.
+ *
+ * Usage:
+ *   shep security enforce          Evaluate and enforce security posture
+ *   shep security enforce --output json   Machine-readable output for CI
+ */
+import { Command } from 'commander';
+/**
+ * Create the security command group with all subcommands.
+ */
+export declare function createSecurityCommand(): Command;
+//# sourceMappingURL=security.command.d.ts.map

package/dist/src/presentation/cli/commands/security.command.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.command.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/cli/commands/security.command.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQpC;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAqH/C"}

package/dist/src/presentation/cli/commands/security.command.js

@@ -0,0 +1,118 @@
+/**
+ * Security Command Group
+ *
+ * Top-level security command with subcommands for supply-chain security
+ * policy management and enforcement.
+ *
+ * Usage:
+ *   shep security enforce          Evaluate and enforce security posture
+ *   shep security enforce --output json   Machine-readable output for CI
+ */
+import { Command } from 'commander';
+import { container } from '../../../../packages/core/src/infrastructure/di/container.js';
+import { EnforceSecurityUseCase } from '../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.js';
+import { SecurityMode } from '../../../../packages/core/src/domain/generated/output.js';
+import { colors, fmt, messages } from '../ui/index.js';
+import { OutputFormatter } from '../ui/output.js';
+import { getCliI18n } from '../i18n.js';
+/**
+ * Create the security command group with all subcommands.
+ */
+export function createSecurityCommand() {
+    const t = getCliI18n().t;
+    const security = new Command('security').description(t('cli:commands.security.description'));
+    security
+        .command('enforce')
+        .description(t('cli:commands.security.enforce.description'))
+        .option('-r, --repo <path>', t('cli:commands.security.enforce.repoOption'), process.cwd())
+        .option('-o, --output <format>', t('cli:commands.security.enforce.outputOption'), 'table')
+        .action(async (options) => {
+        try {
+            const useCase = container.resolve(EnforceSecurityUseCase);
+            const result = await useCase.execute({ repositoryPath: options.repo });
+            const outputFormat = options.output;
+            if (outputFormat === 'json' || outputFormat === 'yaml') {
+                // Machine-readable output
+                console.log(OutputFormatter.format(result, outputFormat));
+            }
+            else {
+                // Human-readable table output
+                messages.newline();
+                if (result.mode === SecurityMode.Disabled) {
+                    messages.info(t('cli:commands.security.enforce.disabledNote'));
+                    messages.newline();
+                }
+                else {
+                    // Summary header
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.modeLabel'))}:     ${result.mode}`);
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.sourceLabel'))}:   ${result.policy.source}`);
+                    console.log(`${fmt.label(t('cli:commands.security.enforce.totalFindingsLabel'))}: ${result.totalFindings}`);
+                    messages.newline();
+                    // Dependency findings
+                    if (result.dependencyFindings.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.dependencyFindingsLabel')));
+                        for (const finding of result.dependencyFindings) {
+                            const severityColor = finding.severity === 'Critical' || finding.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${finding.severity}]`)} ${finding.packageName}: ${finding.message}`);
+                            if (finding.remediation) {
+                                console.log(`    ${colors.muted(finding.remediation)}`);
+                            }
+                        }
+                        messages.newline();
+                    }
+                    // Release integrity
+                    const failedChecks = result.releaseIntegrity.checks.filter((c) => !c.passed);
+                    if (failedChecks.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.releaseIntegrityLabel')));
+                        for (const check of failedChecks) {
+                            const severityColor = check.severity === 'Critical' || check.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${check.severity}]`)} ${check.message}`);
+                        }
+                        messages.newline();
+                    }
+                    // Governance findings (audit-only)
+                    if (result.governanceFindings.length > 0) {
+                        console.log(fmt.heading(t('cli:commands.security.enforce.governanceFindingsLabel')));
+                        for (const finding of result.governanceFindings) {
+                            const severityColor = finding.severity === 'Critical' || finding.severity === 'High'
+                                ? colors.error
+                                : colors.warning;
+                            console.log(`  ${severityColor(`[${finding.severity}]`)} ${finding.message}`);
+                            if (finding.remediation) {
+                                console.log(`    ${colors.muted(finding.remediation)}`);
+                            }
+                        }
+                        messages.newline();
+                    }
+                    // Result
+                    if (result.totalFindings === 0) {
+                        messages.info(t('cli:commands.security.enforce.noFindings'));
+                    }
+                    if (result.passed) {
+                        messages.success(t('cli:commands.security.enforce.passed'));
+                        if (result.mode === SecurityMode.Advisory && result.totalFindings > 0) {
+                            messages.info(t('cli:commands.security.enforce.advisoryNote'));
+                        }
+                    }
+                    else {
+                        messages.error(t('cli:commands.security.enforce.failed'));
+                    }
+                }
+                messages.newline();
+            }
+            if (!result.passed) {
+                process.exitCode = 1;
+            }
+        }
+        catch (error) {
+            const err = error instanceof Error ? error : new Error(String(error));
+            messages.error(t('cli:commands.security.enforce.failedToEnforce'), err);
+            process.exitCode = 1;
+        }
+    });
+    return security;
+}

package/dist/src/presentation/cli/index.js

@@ -42,6 +42,7 @@ import { createIdeOpenCommand } from './commands/ide-open.command.js';
 import { createInstallCommand } from './commands/install.command.js';
 import { createUpgradeCommand } from './commands/upgrade.command.js';
 import { createToolsCommand } from './commands/tools.command.js';
+import { createSecurityCommand } from './commands/security.command.js';
 import { messages } from './ui/index.js';
 // Daemon lifecycle commands
 import { createStartCommand } from './commands/start.command.js';
@@ -121,6 +122,7 @@ async function bootstrap() {
         program.addCommand(createIdeOpenCommand());
         program.addCommand(createInstallCommand());
         program.addCommand(createToolsCommand());
+        program.addCommand(createSecurityCommand());
         program.addCommand(createUpgradeCommand());
         // Daemon lifecycle commands (task-9)
         program.addCommand(createStartCommand());

package/dist/src/presentation/web/app/(dashboard)/get-graph-data.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"get-graph-data.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/(dashboard)/get-graph-data.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AAE5E,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAI1C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAiFD,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,GACrB;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACtC;IAAE,MAAM,EAAE,YAAY,CAAA;CAAE,CAAC;AA6B7B,wBAAsB,YAAY,IAAI,OAAO,CAAC;IAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IAAC,KAAK,EAAE,IAAI,EAAE,CAAA;CAAE,CAAC,CA+ExF"}
+{"version":3,"file":"get-graph-data.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/(dashboard)/get-graph-data.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AAE5E,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAI1C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAiFD,MAAM,MAAM,aAAa,GACrB;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,GACrB;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACtC;IAAE,MAAM,EAAE,YAAY,CAAA;CAAE,CAAC;AA6B7B,wBAAsB,YAAY,IAAI,OAAO,CAAC;IAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IAAC,KAAK,EAAE,IAAI,EAAE,CAAA;CAAE,CAAC,CAgFxF"}

package/dist/src/presentation/web/app/(dashboard)/get-graph-data.js

@@ -135,13 +135,14 @@ export async function getGraphData() {
         const run = feature.agentRunId ? await agentRunRepo.findById(feature.agentRunId) : null;
         return { feature, run };
     }));
-    const { workflow } = getSettings();
+    const { workflow, security } = getSettings();
     const { nodes, edges } = buildGraphNodes(repositories, featuresWithRuns, {
         enableEvidence: workflow.enableEvidence,
         commitEvidence: workflow.commitEvidence,
         ciWatchEnabled: workflow.ciWatchEnabled,
         repoGitInfo: repoGitInfoMap,
         repoGitStatus: repoGitStatusMap,
+        securityMode: security?.mode,
     });
     // Enrich feature nodes with deployment status
     let deploymentService = null;

package/dist/src/presentation/web/app/actions/create-feature-from-remote.d.ts

@@ -0,0 +1,31 @@
+import type { Feature } from '../../../../../packages/core/src/domain/generated/output.js';
+interface Attachment {
+    path: string;
+    name: string;
+    notes?: string;
+}
+interface CreateFeatureFromRemoteInput {
+    /** GitHub URL or owner/repo shorthand */
+    remoteUrl: string;
+    description: string;
+    attachments?: Attachment[];
+    sessionId?: string;
+    approvalGates?: {
+        allowPrd: boolean;
+        allowPlan: boolean;
+        allowMerge?: boolean;
+    };
+    push?: boolean;
+    openPr?: boolean;
+    parentId?: string;
+    fast?: boolean;
+    pending?: boolean;
+    agentType?: string;
+    model?: string;
+}
+export declare function createFeatureFromRemote(input: CreateFeatureFromRemoteInput): Promise<{
+    feature?: Feature;
+    error?: string;
+}>;
+export {};
+//# sourceMappingURL=create-feature-from-remote.d.ts.map

package/dist/src/presentation/web/app/actions/create-feature-from-remote.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-feature-from-remote.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/create-feature-from-remote.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sCAAsC,CAAC;AAQpE,UAAU,UAAU;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAQD,UAAU,4BAA4B;IACpC,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE;QACd,QAAQ,EAAE,OAAO,CAAC;QAClB,SAAS,EAAE,OAAO,CAAC;QACnB,UAAU,CAAC,EAAE,OAAO,CAAC;KACtB,CAAC;IACF,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,4BAA4B,GAClC,OAAO,CAAC;IAAE,OAAO,CAAC,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuFhD"}

package/dist/src/presentation/web/app/actions/create-feature-from-remote.js

@@ -0,0 +1,69 @@
+'use server';
+import { resolve } from '../../lib/server-container.js';
+import { GitHubAuthError, GitHubUrlParseError, GitHubCloneError, } from '../../../../../packages/core/src/application/ports/output/services/github-repository-service.interface.js';
+import { composeUserInput } from './compose-user-input.js';
+export async function createFeatureFromRemote(input) {
+    const { remoteUrl, description, attachments, sessionId, approvalGates, push, openPr, parentId, fast, pending, agentType, model, } = input;
+    if (!remoteUrl?.trim()) {
+        return { error: 'GitHub URL is required' };
+    }
+    if (!description?.trim()) {
+        return { error: 'Description is required' };
+    }
+    const userInput = composeUserInput(description, attachments);
+    const gates = {
+        allowPrd: approvalGates?.allowPrd ?? false,
+        allowPlan: approvalGates?.allowPlan ?? false,
+        allowMerge: approvalGates?.allowMerge ?? false,
+    };
+    try {
+        const useCase = resolve('CreateFeatureFromRemoteUseCase');
+        // Phase 1 (fast): import repo + create DB record — returns immediately
+        const { feature, shouldSpawn } = await useCase.createRecord({
+            remoteUrl,
+            userInput,
+            approvalGates: gates,
+            push: push ?? false,
+            openPr: openPr ?? false,
+            ...(parentId ? { parentId } : {}),
+            description,
+            ...(fast ? { fast } : {}),
+            ...(pending ? { pending } : {}),
+            ...(agentType ? { agentType } : {}),
+            ...(model ? { model } : {}),
+        });
+        // Phase 2 (background): metadata generation, worktree, spec, agent spawn
+        useCase
+            .initializeAndSpawn(feature, {
+            remoteUrl,
+            userInput,
+            approvalGates: gates,
+            push: push ?? false,
+            openPr: openPr ?? false,
+            ...(parentId ? { parentId } : {}),
+            ...(fast ? { fast } : {}),
+            ...(pending ? { pending } : {}),
+            ...(agentType ? { agentType } : {}),
+            ...(model ? { model } : {}),
+            ...(sessionId ? { sessionId } : {}),
+        }, shouldSpawn)
+            .catch((err) => {
+            // eslint-disable-next-line no-console
+            console.error('[createFeatureFromRemote] initializeAndSpawn failed:', err);
+        });
+        return { feature };
+    }
+    catch (error) {
+        if (error instanceof GitHubAuthError) {
+            return { error: 'GitHub CLI is not authenticated. Run `gh auth login` to sign in.' };
+        }
+        if (error instanceof GitHubUrlParseError) {
+            return { error: `Invalid GitHub URL: ${error.message}` };
+        }
+        if (error instanceof GitHubCloneError) {
+            return { error: `Clone failed: ${error.message}` };
+        }
+        const message = error instanceof Error ? error.message : 'Failed to create feature from remote';
+        return { error: message };
+    }
+}

package/dist/src/presentation/web/app/actions/import-github-repository.d.ts

@@ -5,6 +5,7 @@ interface ImportGitHubRepositoryInput {
 }
 export declare function importGitHubRepository(input: ImportGitHubRepositoryInput): Promise<{
     repository?: Repository;
+    forked?: boolean;
     error?: string;
 }>;
 export {};

package/dist/src/presentation/web/app/actions/import-github-repository.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"import-github-repository.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/import-github-repository.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sCAAsC,CAAC;AAOvE,UAAU,2BAA2B;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,2BAA2B,GACjC,OAAO,CAAC;IAAE,UAAU,CAAC,EAAE,UAAU,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwBtD"}
+{"version":3,"file":"import-github-repository.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/import-github-repository.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sCAAsC,CAAC;AAOvE,UAAU,2BAA2B;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,2BAA2B,GACjC,OAAO,CAAC;IAAE,UAAU,CAAC,EAAE,UAAU,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwBxE"}

package/dist/src/presentation/web/app/actions/import-github-repository.js

@@ -9,7 +9,7 @@ export async function importGitHubRepository(input) {
     try {
         const useCase = resolve('ImportGitHubRepositoryUseCase');
         const repository = await useCase.execute({ url, dest });
-        return { repository };
+        return { repository, forked: repository.isFork === true };
     }
     catch (error) {
         if (error instanceof GitHubAuthError) {

package/dist/src/presentation/web/app/actions/security.d.ts

@@ -0,0 +1,28 @@
+import type { SecurityState } from '../../../../../packages/core/src/application/use-cases/security/get-security-state.use-case.js';
+import type { EnforceSecurityResult } from '../../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.js';
+import type { SecurityMode } from '../../../../../packages/core/src/domain/generated/output.js';
+export interface GetSecurityStateResult {
+    state?: SecurityState;
+    error?: string;
+}
+export interface EnforceSecurityActionResult {
+    result?: EnforceSecurityResult;
+    error?: string;
+}
+export interface UpdateSecurityModeResult {
+    success: boolean;
+    error?: string;
+}
+/**
+ * Fetches the current security state for a repository.
+ */
+export declare function getSecurityStateAction(repositoryPath: string): Promise<GetSecurityStateResult>;
+/**
+ * Runs the full security enforcement flow for a repository.
+ */
+export declare function enforceSecurityAction(repositoryPath: string): Promise<EnforceSecurityActionResult>;
+/**
+ * Updates the security mode in settings.
+ */
+export declare function updateSecurityModeAction(mode: SecurityMode): Promise<UpdateSecurityModeResult>;
+//# sourceMappingURL=security.d.ts.map

package/dist/src/presentation/web/app/actions/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/security.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAEV,aAAa,EACd,MAAM,yEAAyE,CAAC;AACjF,OAAO,KAAK,EAEV,qBAAqB,EACtB,MAAM,uEAAuE,CAAC;AAC/E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AAEzE,MAAM,WAAW,sBAAsB;IACrC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,2BAA2B;IAC1C,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,sBAAsB,CAAC,CASjC;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,2BAA2B,CAAC,CAUtC;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,wBAAwB,CAAC,CAyBnC"}