@shepai/cli 1.174.0 → 1.175.0-pr527.9ada632

package/dist/packages/core/src/application/use-cases/repositories/import-github-repository.use-case.d.ts

@@ -2,12 +2,12 @@
  * Import GitHub Repository Use Case
  *
  * Orchestrates importing a GitHub repository: validates the URL, checks auth,
- * detects duplicates by remoteUrl, clones via IGitHubRepositoryService,
- * delegates local registration to AddRepositoryUseCase, and updates the
- * repository record with the normalized remoteUrl.
+ * detects duplicates by remoteUrl/upstreamUrl, checks push access, and either
+ * clones directly or auto-forks when the user lacks push access.
  */
 import type { Repository } from '../../../domain/generated/output.js';
-import type { IGitHubRepositoryService, CloneOptions } from '../../ports/output/services/github-repository-service.interface.js';
+import type { IGitHubRepositoryService, CloneOptions, ForkOptions } from '../../ports/output/services/github-repository-service.interface.js';
+import type { IGitPrService } from '../../ports/output/services/git-pr-service.interface.js';
 import type { IRepositoryRepository } from '../../ports/output/repositories/repository-repository.interface.js';
 import { AddRepositoryUseCase } from './add-repository.use-case.js';
 export interface ImportGitHubRepositoryInput {
@@ -19,13 +19,24 @@ export interface ImportGitHubRepositoryInput {
     defaultCloneDir?: string;
     /** Options for the clone subprocess (e.g. progress callback) */
     cloneOptions?: CloneOptions;
+    /** Options for fork operations (e.g. progress callback) */
+    forkOptions?: ForkOptions;
 }
 export declare class ImportGitHubRepositoryUseCase {
     private readonly gitHubService;
     private readonly repositoryRepo;
     private readonly addRepositoryUseCase;
-    constructor(gitHubService: IGitHubRepositoryService, repositoryRepo: IRepositoryRepository, addRepositoryUseCase: AddRepositoryUseCase);
+    private readonly gitPrService;
+    constructor(gitHubService: IGitHubRepositoryService, repositoryRepo: IRepositoryRepository, addRepositoryUseCase: AddRepositoryUseCase, gitPrService: IGitPrService);
     execute(input: ImportGitHubRepositoryInput): Promise<Repository>;
+    /**
+     * Direct clone path — user has push access to the repository.
+     */
+    private cloneDirect;
+    /**
+     * Fork-and-clone path — user lacks push access, so we auto-fork first.
+     */
+    private forkAndClone;
     private resolveDestination;
 }
 //# sourceMappingURL=import-github-repository.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/repositories/import-github-repository.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"import-github-repository.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/repositories/import-github-repository.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAC;AACtE,OAAO,KAAK,EACV,wBAAwB,EACxB,YAAY,EACb,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,oEAAoE,CAAC;AAChH,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAEpE,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,GAAG,EAAE,MAAM,CAAC;IACZ,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gEAAgE;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B;AAUD,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,oBAAoB;gBAJpB,aAAa,EAAE,wBAAwB,EAEvC,cAAc,EAAE,qBAAqB,EAErC,oBAAoB,EAAE,oBAAoB;IAGvD,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,UAAU,CAAC;IAoCtE,OAAO,CAAC,kBAAkB;CAW3B"}
+{"version":3,"file":"import-github-repository.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/repositories/import-github-repository.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAC;AACtE,OAAO,KAAK,EACV,wBAAwB,EACxB,YAAY,EACZ,WAAW,EACZ,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yDAAyD,CAAC;AAC7F,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,oEAAoE,CAAC;AAChH,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAKpE,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,GAAG,EAAE,MAAM,CAAC;IACZ,2CAA2C;IAC3C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gEAAgE;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,2DAA2D;IAC3D,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAUD,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,oBAAoB;IAErC,OAAO,CAAC,QAAQ,CAAC,YAAY;gBANZ,aAAa,EAAE,wBAAwB,EAEvC,cAAc,EAAE,qBAAqB,EAErC,oBAAoB,EAAE,oBAAoB,EAE1C,YAAY,EAAE,aAAa;IAGxC,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,UAAU,CAAC;IAgCtE;;OAEG;YACW,WAAW;IAsBzB;;OAEG;YACW,YAAY;IAqD1B,OAAO,CAAC,kBAAkB;CAW3B"}

package/dist/packages/core/src/application/use-cases/repositories/import-github-repository.use-case.js

@@ -2,9 +2,8 @@
  * Import GitHub Repository Use Case
  *
  * Orchestrates importing a GitHub repository: validates the URL, checks auth,
- * detects duplicates by remoteUrl, clones via IGitHubRepositoryService,
- * delegates local registration to AddRepositoryUseCase, and updates the
- * repository record with the normalized remoteUrl.
+ * detects duplicates by remoteUrl/upstreamUrl, checks push access, and either
+ * clones directly or auto-forks when the user lacks push access.
  */
 var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
     var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -22,6 +21,8 @@ import { injectable, inject } from 'tsyringe';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { AddRepositoryUseCase } from './add-repository.use-case.js';
+/** Name of the git remote used to track the original upstream repo of a fork. */
+const UPSTREAM_REMOTE_NAME = 'upstream';
 /**
  * Normalizes a GitHub remote URL for storage and duplicate detection.
  * Lowercases and strips trailing .git suffix.
@@ -33,10 +34,12 @@ let ImportGitHubRepositoryUseCase = class ImportGitHubRepositoryUseCase {
     gitHubService;
     repositoryRepo;
     addRepositoryUseCase;
-    constructor(gitHubService, repositoryRepo, addRepositoryUseCase) {
+    gitPrService;
+    constructor(gitHubService, repositoryRepo, addRepositoryUseCase, gitPrService) {
         this.gitHubService = gitHubService;
         this.repositoryRepo = repositoryRepo;
         this.addRepositoryUseCase = addRepositoryUseCase;
+        this.gitPrService = gitPrService;
     }
     async execute(input) {
         // 1. Validate URL — throws GitHubUrlParseError for invalid formats
@@ -48,32 +51,81 @@ let ImportGitHubRepositoryUseCase = class ImportGitHubRepositoryUseCase {
         if (existing) {
             return existing;
         }
+        // 3b. Check for duplicate by upstreamUrl (fork of this repo already imported)
+        const existingFork = await this.repositoryRepo.findByUpstreamUrl(normalizedUrl);
+        if (existingFork) {
+            return existingFork;
+        }
         // 4. Check auth — throws GitHubAuthError if not authenticated
         await this.gitHubService.checkAuth();
-        // 5. Resolve clone destination
-        const destination = this.resolveDestination(input, parsed.repo);
-        // 6. Clone the repository
-        await this.gitHubService.cloneRepository(parsed.nameWithOwner, destination, input.cloneOptions);
-        // 7. Register the cloned repo via AddRepositoryUseCase
+        // 5. Check push access to determine if we need to fork
+        const { hasPushAccess } = await this.gitHubService.checkPushAccess(parsed.nameWithOwner);
+        if (hasPushAccess) {
+            return this.cloneDirect(input, parsed.nameWithOwner, parsed.repo, normalizedUrl);
+        }
+        return this.forkAndClone(input, parsed.nameWithOwner, parsed.repo, normalizedUrl);
+    }
+    /**
+     * Direct clone path — user has push access to the repository.
+     */
+    async cloneDirect(input, nameWithOwner, repoName, normalizedUrl) {
+        const destination = this.resolveDestination(input, repoName);
+        await this.gitHubService.cloneRepository(nameWithOwner, destination, input.cloneOptions);
         const repository = await this.addRepositoryUseCase.execute({
             path: destination,
-            name: parsed.repo,
+            name: repoName,
         });
-        // 8. Update with normalized remoteUrl
         await this.repositoryRepo.update(repository.id, {
             remoteUrl: normalizedUrl,
         });
         return { ...repository, remoteUrl: normalizedUrl };
     }
+    /**
+     * Fork-and-clone path — user lacks push access, so we auto-fork first.
+     */
+    async forkAndClone(input, originalNameWithOwner, repoName, normalizedOriginalUrl) {
+        // Fork the repository
+        const forkResult = await this.gitHubService.forkRepository(originalNameWithOwner, input.forkOptions);
+        // Check if fork was already tracked
+        const normalizedForkUrl = normalizeRemoteUrl(forkResult.nameWithOwner);
+        const existingForkByRemote = await this.repositoryRepo.findByRemoteUrl(normalizedForkUrl);
+        if (existingForkByRemote) {
+            return existingForkByRemote;
+        }
+        // Clone the fork
+        const destination = this.resolveDestination(input, repoName);
+        await this.gitHubService.cloneRepository(forkResult.nameWithOwner, destination, input.cloneOptions);
+        // Configure the upstream remote so users can `git fetch upstream` / sync
+        // with the original repo. Without this, the fork has no knowledge of its
+        // upstream — breaking PR workflows that rely on upstream as the merge base.
+        await this.gitPrService.addRemote(destination, UPSTREAM_REMOTE_NAME, normalizedOriginalUrl);
+        // Register the cloned fork
+        const repository = await this.addRepositoryUseCase.execute({
+            path: destination,
+            name: repoName,
+        });
+        // Update with fork metadata
+        await this.repositoryRepo.update(repository.id, {
+            remoteUrl: normalizedForkUrl,
+            isFork: true,
+            upstreamUrl: normalizedOriginalUrl,
+        });
+        return {
+            ...repository,
+            remoteUrl: normalizedForkUrl,
+            isFork: true,
+            upstreamUrl: normalizedOriginalUrl,
+        };
+    }
     resolveDestination(input, repoName) {
         if (input.dest) {
-            return input.dest;
+            return normalizePath(input.dest);
         }
         let baseDir = input.defaultCloneDir ?? join(homedir(), 'repos');
         if (baseDir.startsWith('~/')) {
             baseDir = join(homedir(), baseDir.slice(2));
         }
-        return join(baseDir, repoName);
+        return normalizePath(join(baseDir, repoName));
     }
 };
 ImportGitHubRepositoryUseCase = __decorate([
@@ -81,6 +133,16 @@ ImportGitHubRepositoryUseCase = __decorate([
     __param(0, inject('IGitHubRepositoryService')),
     __param(1, inject('IRepositoryRepository')),
     __param(2, inject(AddRepositoryUseCase)),
-    __metadata("design:paramtypes", [Object, Object, AddRepositoryUseCase])
+    __param(3, inject('IGitPrService')),
+    __metadata("design:paramtypes", [Object, Object, AddRepositoryUseCase, Object])
 ], ImportGitHubRepositoryUseCase);
 export { ImportGitHubRepositoryUseCase };
+/**
+ * Normalizes a filesystem path to use forward slashes.
+ *
+ * Per packages/CLAUDE.md, all paths stored in the database MUST use forward
+ * slashes so that Windows and POSIX callers resolve/compare identically.
+ */
+function normalizePath(p) {
+    return p.replace(/\\/g, '/');
+}

package/dist/packages/core/src/application/use-cases/repositories/init-remote-repository.use-case.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Init Remote Repository Use Case
+ *
+ * Orchestrates creating a GitHub repository from a local repo that has
+ * no remote yet. Uses `gh repo create` with `--source=.` to create the
+ * remote repo, configure the origin remote, and push the current branch.
+ */
+import { type IGitPrService } from '../../ports/output/services/git-pr-service.interface.js';
+export interface InitRemoteRepositoryInput {
+    /** Working directory of the local repository */
+    cwd: string;
+    /** Repository name (defaults to directory basename) */
+    name?: string;
+    /** Whether to create a private repository (default: true) */
+    isPrivate?: boolean;
+    /** GitHub organization to create the repo under */
+    org?: string;
+}
+export interface InitRemoteRepositoryResult {
+    /** URL of the created GitHub repository */
+    url: string;
+    /** Name used for the repository */
+    name: string;
+}
+export declare class InitRemoteRepositoryUseCase {
+    private readonly gitPrService;
+    constructor(gitPrService: IGitPrService);
+    execute(input: InitRemoteRepositoryInput): Promise<InitRemoteRepositoryResult>;
+}
+//# sourceMappingURL=init-remote-repository.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/repositories/init-remote-repository.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-remote-repository.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/repositories/init-remote-repository.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAGL,KAAK,aAAa,EACnB,MAAM,yDAAyD,CAAC;AAEjE,MAAM,WAAW,yBAAyB;IACxC,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,mDAAmD;IACnD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,0BAA0B;IACzC,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBACa,2BAA2B;IAGpC,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAAZ,YAAY,EAAE,aAAa;IAGxC,OAAO,CAAC,KAAK,EAAE,yBAAyB,GAAG,OAAO,CAAC,0BAA0B,CAAC;CAuBrF"}

package/dist/packages/core/src/application/use-cases/repositories/init-remote-repository.use-case.js

@@ -0,0 +1,51 @@
+/**
+ * Init Remote Repository Use Case
+ *
+ * Orchestrates creating a GitHub repository from a local repo that has
+ * no remote yet. Uses `gh repo create` with `--source=.` to create the
+ * remote repo, configure the origin remote, and push the current branch.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { basename } from 'node:path';
+import { GitPrError, GitPrErrorCode, } from '../../ports/output/services/git-pr-service.interface.js';
+let InitRemoteRepositoryUseCase = class InitRemoteRepositoryUseCase {
+    gitPrService;
+    constructor(gitPrService) {
+        this.gitPrService = gitPrService;
+    }
+    async execute(input) {
+        // 1. Guard: check if the repo already has a remote
+        const hasRemote = await this.gitPrService.hasRemote(input.cwd);
+        if (hasRemote) {
+            const existingUrl = await this.gitPrService.getRemoteUrl(input.cwd);
+            throw new GitPrError(`Repository already has a remote configured${existingUrl ? ` (${existingUrl})` : ''}. ` +
+                'Use `git remote set-url origin <url>` to change it.', GitPrErrorCode.REMOTE_ALREADY_EXISTS);
+        }
+        // 2. Derive repo name from directory if not provided
+        const name = input.name ?? basename(input.cwd);
+        // 3. Create the GitHub repo (also adds origin remote and pushes)
+        const url = await this.gitPrService.createGitHubRepo(input.cwd, name, {
+            isPrivate: input.isPrivate ?? true,
+            org: input.org,
+        });
+        return { url, name };
+    }
+};
+InitRemoteRepositoryUseCase = __decorate([
+    injectable(),
+    __param(0, inject('IGitPrService')),
+    __metadata("design:paramtypes", [Object])
+], InitRemoteRepositoryUseCase);
+export { InitRemoteRepositoryUseCase };

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { EffectivePolicySnapshot, DependencyFinding, ReleaseIntegrityResult } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+import type { IGitHubRepositoryService, GovernanceFinding } from '../../ports/output/services/github-repository-service.interface.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+/**
+ * Input for the enforce security use case.
+ */
+export interface EnforceSecurityInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+/**
+ * Result of the enforcement flow.
+ */
+export interface EnforceSecurityResult {
+    /** Whether all checks passed (Advisory always passes, Enforce fails on violations) */
+    passed: boolean;
+    /** Effective security mode used for evaluation */
+    mode: SecurityMode;
+    /** Effective policy snapshot */
+    policy: EffectivePolicySnapshot;
+    /** Dependency risk findings */
+    dependencyFindings: DependencyFinding[];
+    /** Release integrity result */
+    releaseIntegrity: ReleaseIntegrityResult;
+    /** GitHub governance audit findings (audit-only, do not affect pass/fail) */
+    governanceFindings: GovernanceFinding[];
+    /** Total number of findings (excludes governance — governance is audit-only) */
+    totalFindings: number;
+}
+export declare class EnforceSecurityUseCase {
+    private readonly policyService;
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    private readonly dependencyEvaluator;
+    private readonly releaseEvaluator;
+    private readonly githubService;
+    constructor(policyService: ISecurityPolicyService, eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository, dependencyEvaluator: DependencyRiskEvaluator, releaseEvaluator: ReleaseIntegrityEvaluator, githubService: IGitHubRepositoryService);
+    execute(input: EnforceSecurityInput): Promise<EnforceSecurityResult>;
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    private runGovernanceAudit;
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    private persistFindings;
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    private updateEvaluationTimestamp;
+}
+//# sourceMappingURL=enforce-security.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforce-security.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,YAAY,EAA0B,MAAM,qCAAqC,CAAC;AAC3F,OAAO,KAAK,EACV,uBAAuB,EACvB,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,qCAAqC,CAAC;AAC7C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAC5G,OAAO,KAAK,EACV,wBAAwB,EACxB,iBAAiB,EAClB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,wEAAwE,CAAC;AACjH,OAAO,EAAE,yBAAyB,EAAE,MAAM,0EAA0E,CAAC;AAOrH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,sFAAsF;IACtF,MAAM,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,IAAI,EAAE,YAAY,CAAC;IACnB,gCAAgC;IAChC,MAAM,EAAE,uBAAuB,CAAC;IAChC,+BAA+B;IAC/B,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,+BAA+B;IAC/B,gBAAgB,EAAE,sBAAsB,CAAC;IACzC,6EAA6E;IAC7E,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,gFAAgF;IAChF,aAAa,EAAE,MAAM,CAAC;CACvB;AAuBD,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,mBAAmB;IAEpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IAEjC,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAVb,aAAa,EAAE,sBAAsB,EAErC,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB,EAEvC,mBAAmB,EAAE,uBAAuB,EAE5C,gBAAgB,EAAE,yBAAyB,EAE3C,aAAa,EAAE,wBAAwB;IAGpD,OAAO,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA8D1E;;;OAGG;YACW,kBAAkB;IAgBhC;;OAEG;YACW,eAAe;IA6D7B;;OAEG;YACW,yBAAyB;CAgBxC"}

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.js

@@ -0,0 +1,215 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecurityActionCategory } from '../../../domain/generated/output.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+import { randomUUID } from 'node:crypto';
+import { execFile as execFileCb } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFileCb);
+/**
+ * Default dependency rules when no policy file defines them.
+ */
+const DEFAULT_DEPENDENCY_RULES = {
+    checkLockfileConsistency: true,
+    checkLifecycleScripts: true,
+    checkNonRegistrySource: true,
+    enforceStrictVersionRanges: false,
+    allowlist: [],
+    denylist: [],
+};
+/**
+ * Default release rules when no policy file defines them.
+ */
+const DEFAULT_RELEASE_RULES = {
+    requireCiOnlyPublishing: true,
+    requireProvenance: true,
+    checkWorkflowIntegrity: true,
+};
+let EnforceSecurityUseCase = class EnforceSecurityUseCase {
+    policyService;
+    eventRepository;
+    settingsRepository;
+    dependencyEvaluator;
+    releaseEvaluator;
+    githubService;
+    constructor(policyService, eventRepository, settingsRepository, dependencyEvaluator, releaseEvaluator, githubService) {
+        this.policyService = policyService;
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+        this.dependencyEvaluator = dependencyEvaluator;
+        this.releaseEvaluator = releaseEvaluator;
+        this.githubService = githubService;
+    }
+    async execute(input) {
+        // Evaluate effective policy
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Disabled mode — return empty pass result
+        if (policy.mode === SecurityMode.Disabled) {
+            return {
+                passed: true,
+                mode: SecurityMode.Disabled,
+                policy,
+                dependencyFindings: [],
+                releaseIntegrity: { checks: [], passed: true },
+                governanceFindings: [],
+                totalFindings: 0,
+            };
+        }
+        // Run dependency-risk checks
+        const dependencyFindings = this.dependencyEvaluator.evaluate(input.repositoryPath, DEFAULT_DEPENDENCY_RULES);
+        // Run release-integrity checks
+        const releaseIntegrity = this.releaseEvaluator.evaluate(input.repositoryPath, DEFAULT_RELEASE_RULES);
+        // Run governance audit (audit-only — does not affect pass/fail)
+        const governanceFindings = await this.runGovernanceAudit(input.repositoryPath);
+        // Count total findings (governance excluded — audit-only per FR-15)
+        const failedReleaseChecks = releaseIntegrity.checks.filter((c) => !c.passed);
+        const totalFindings = dependencyFindings.length + failedReleaseChecks.length;
+        // Persist findings as security events
+        await this.persistFindings(input.repositoryPath, dependencyFindings, releaseIntegrity, governanceFindings);
+        // Update settings with evaluation timestamp
+        await this.updateEvaluationTimestamp(policy.source);
+        // Determine pass/fail based on mode (governance is always advisory)
+        const hasFailures = totalFindings > 0;
+        const passed = policy.mode === SecurityMode.Advisory ? true : !hasFailures;
+        return {
+            passed,
+            mode: policy.mode,
+            policy,
+            dependencyFindings,
+            releaseIntegrity,
+            governanceFindings,
+            totalFindings,
+        };
+    }
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    async runGovernanceAudit(repositoryPath) {
+        try {
+            const { stdout } = await execFileAsync('git', ['remote', 'get-url', 'origin'], {
+                cwd: repositoryPath,
+            });
+            const remoteUrl = stdout.trim();
+            if (!remoteUrl)
+                return [];
+            const parsed = this.githubService.parseGitHubUrl(remoteUrl);
+            return await this.githubService.auditRepositoryGovernance(parsed.owner, parsed.repo);
+        }
+        catch {
+            // Not a GitHub repository, no remote configured, or parse failure — skip governance audit
+            return [];
+        }
+    }
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    async persistFindings(repositoryPath, depFindings, releaseResult, govFindings) {
+        const now = new Date().toISOString();
+        for (const finding of depFindings) {
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity: finding.severity,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: 'Denied',
+                message: finding.message,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+        for (const check of releaseResult.checks) {
+            if (!check.passed) {
+                const event = {
+                    id: randomUUID(),
+                    repositoryPath,
+                    severity: check.severity,
+                    category: SecurityActionCategory.PublishRelease,
+                    disposition: 'Denied',
+                    message: check.message,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                await this.eventRepository.save(event);
+            }
+        }
+        // Persist governance findings as advisory events
+        for (const finding of govFindings) {
+            // Map governance severity to SecuritySeverity (Unknown → Low for persistence)
+            const severity = finding.severity === 'Unknown'
+                ? 'Low'
+                : finding.severity;
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity,
+                category: SecurityActionCategory.CiWorkflowModify,
+                disposition: 'Allowed',
+                message: `[Governance Audit] ${finding.message}`,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+    }
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    async updateEvaluationTimestamp(policySource) {
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — evaluation results are still returned even if settings update fails
+        }
+    }
+};
+EnforceSecurityUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISecurityEventRepository')),
+    __param(2, inject('ISettingsRepository')),
+    __param(3, inject('DependencyRiskEvaluator')),
+    __param(4, inject('ReleaseIntegrityEvaluator')),
+    __param(5, inject('IGitHubRepositoryService')),
+    __metadata("design:paramtypes", [Object, Object, Object, DependencyRiskEvaluator,
+        ReleaseIntegrityEvaluator, Object])
+], EnforceSecurityUseCase);
+export { EnforceSecurityUseCase };

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+import type { EffectivePolicySnapshot } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Input for the evaluate security policy use case.
+ */
+export interface EvaluateSecurityPolicyInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+export declare class EvaluateSecurityPolicyUseCase {
+    private readonly policyService;
+    private readonly settingsRepository;
+    constructor(policyService: ISecurityPolicyService, settingsRepository: ISettingsRepository);
+    execute(input: EvaluateSecurityPolicyInput): Promise<EffectivePolicySnapshot>;
+}
+//# sourceMappingURL=evaluate-security-policy.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluate-security-policy.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAC;AACnF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAE5G;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,aAAa,EAAE,sBAAsB,EAErC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAqBpF"}

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.js

@@ -0,0 +1,56 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode } from '../../../domain/generated/output.js';
+let EvaluateSecurityPolicyUseCase = class EvaluateSecurityPolicyUseCase {
+    policyService;
+    settingsRepository;
+    constructor(policyService, settingsRepository) {
+        this.policyService = policyService;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(input) {
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Update settings with evaluation timestamp and source
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource: policy.source,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — policy is still returned even if settings update fails
+        }
+        return policy;
+    }
+};
+EvaluateSecurityPolicyUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], EvaluateSecurityPolicyUseCase);
+export { EvaluateSecurityPolicyUseCase };