npm - @shepai/cli - Versions diffs - 1.175.0 → 1.175.1-pr527.ea242b8 - Mend

@shepai/cli 1.175.0 → 1.175.1-pr527.ea242b8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (416) hide show

package/dist/src/presentation/web/components/common/repository-node/security-panel.stories.js ADDED Viewed

@@ -0,0 +1,53 @@
+import { SecuritySeverity, SecurityActionCategory, SecurityActionDisposition, } from '../../../../../../packages/core/src/domain/generated/output.js';
+import { SecurityPanel } from './security-panel.js';
+const meta = {
+    title: 'Common/SecurityPanel',
+    component: SecurityPanel,
+    tags: ['autodocs'],
+};
+export default meta;
+/** No findings — clean repository. */
+export const NoFindings = {
+    args: {
+        events: [],
+    },
+};
+/** Mixed governance and dependency findings. */
+export const MixedFindings = {
+    args: {
+        events: [
+            {
+                id: 'evt-1',
+                repositoryPath: '/path/to/repo',
+                severity: SecuritySeverity.High,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: SecurityActionDisposition.Denied,
+                message: 'Package has postinstall lifecycle script: suspicious-pkg@2.0.0',
+                remediationSummary: 'Review and approve the lifecycle script or add to denylist',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+            {
+                id: 'evt-2',
+                repositoryPath: '/path/to/repo',
+                severity: SecuritySeverity.Medium,
+                category: SecurityActionCategory.CiWorkflowModify,
+                disposition: SecurityActionDisposition.Allowed,
+                message: '[Governance Audit] Branch protection not enabled on main',
+                remediationSummary: 'Enable branch protection rules for the main branch',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+            {
+                id: 'evt-3',
+                repositoryPath: '/path/to/repo',
+                severity: SecuritySeverity.Low,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: SecurityActionDisposition.Allowed,
+                message: 'Dependency uses git source: lodash@git+https://github.com/lodash/lodash.git',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+        ],
+    },
+};

package/dist/src/presentation/web/components/common/security-badge.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { SecurityMode } from '../../../../../packages/core/src/domain/generated/output.js';
+export interface SecurityBadgeProps {
+    mode: SecurityMode;
+    className?: string;
+}
+export declare function SecurityBadge({ mode, className }: SecurityBadgeProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=security-badge.d.ts.map

package/dist/src/presentation/web/components/common/security-badge.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"security-badge.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/components/common/security-badge.tsx"],"names":[],"mappings":"AAMA,OAAO,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AAEpE,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,YAAY,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAuBD,wBAAgB,aAAa,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,kBAAkB,2CAsBpE"}

package/dist/src/presentation/web/components/common/security-badge.js ADDED Viewed

@@ -0,0 +1,30 @@
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Shield, ShieldAlert, ShieldOff } from 'lucide-react';
+import { useTranslation } from 'react-i18next';
+import { cn } from '../../lib/utils.js';
+import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from '../ui/tooltip.js';
+import { SecurityMode } from '../../../../../packages/core/src/domain/generated/output.js';
+const BADGE_CONFIG = {
+    [SecurityMode.Disabled]: {
+        icon: ShieldOff,
+        colorClass: 'text-gray-400',
+        labelKey: 'settings.security.badge.disabled',
+    },
+    [SecurityMode.Advisory]: {
+        icon: Shield,
+        colorClass: 'text-yellow-500',
+        labelKey: 'settings.security.badge.advisory',
+    },
+    [SecurityMode.Enforce]: {
+        icon: ShieldAlert,
+        colorClass: 'text-red-500',
+        labelKey: 'settings.security.badge.enforce',
+    },
+};
+export function SecurityBadge({ mode, className }) {
+    const { t } = useTranslation('web');
+    const config = BADGE_CONFIG[mode];
+    const Icon = config.icon;
+    return (_jsx(TooltipProvider, { children: _jsxs(Tooltip, { children: [_jsx(TooltipTrigger, { asChild: true, children: _jsx("span", { "data-testid": "security-badge", className: cn('inline-flex shrink-0 items-center', className), children: _jsx(Icon, { className: cn('h-3.5 w-3.5', config.colorClass) }) }) }), _jsx(TooltipContent, { side: "top", children: _jsx("p", { className: "text-xs", children: t(config.labelKey) }) })] }) }));
+}

package/dist/src/presentation/web/components/common/security-badge.stories.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { Meta, StoryObj } from '@storybook/react';
+import { SecurityBadge } from './security-badge.js';
+declare const meta: Meta<typeof SecurityBadge>;
+export default meta;
+type Story = StoryObj<typeof SecurityBadge>;
+/** Advisory mode — yellow shield indicating findings are logged but not blocked. */
+export declare const Advisory: Story;
+/** Enforce mode — red shield indicating violations are actively blocked. */
+export declare const Enforce: Story;
+/** Disabled mode — gray shield indicating security is turned off. */
+export declare const Disabled: Story;
+//# sourceMappingURL=security-badge.stories.d.ts.map

package/dist/src/presentation/web/components/common/security-badge.stories.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security-badge.stories.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/components/common/security-badge.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,QAAA,MAAM,IAAI,EAAE,IAAI,CAAC,OAAO,aAAa,CAIpC,CAAC;AAEF,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,aAAa,CAAC,CAAC;AAE5C,oFAAoF;AACpF,eAAO,MAAM,QAAQ,EAAE,KAEtB,CAAC;AAEF,4EAA4E;AAC5E,eAAO,MAAM,OAAO,EAAE,KAErB,CAAC;AAEF,qEAAqE;AACrE,eAAO,MAAM,QAAQ,EAAE,KAEtB,CAAC"}

package/dist/src/presentation/web/components/common/security-badge.stories.js ADDED Viewed

@@ -0,0 +1,20 @@
+import { SecurityMode } from '../../../../../packages/core/src/domain/generated/output.js';
+import { SecurityBadge } from './security-badge.js';
+const meta = {
+    title: 'Common/SecurityBadge',
+    component: SecurityBadge,
+    tags: ['autodocs'],
+};
+export default meta;
+/** Advisory mode — yellow shield indicating findings are logged but not blocked. */
+export const Advisory = {
+    args: { mode: SecurityMode.Advisory },
+};
+/** Enforce mode — red shield indicating violations are actively blocked. */
+export const Enforce = {
+    args: { mode: SecurityMode.Enforce },
+};
+/** Disabled mode — gray shield indicating security is turned off. */
+export const Disabled = {
+    args: { mode: SecurityMode.Disabled },
+};

package/dist/src/presentation/web/components/features/settings/feature-flags-settings-section.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"feature-flags-settings-section.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/feature-flags-settings-section.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;~~AAoCzE~~,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,wBAAgB,2BAA2B,CAAC,EAAE,YAAY,EAAE,EAAE,gCAAgC,2CAgE7F"}
1	+ {"version":3,"file":"feature-flags-settings-section.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/feature-flags-settings-section.tsx"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AAwCzE,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,wBAAgB,2BAA2B,CAAC,EAAE,YAAY,EAAE,EAAE,gCAAgC,2CAgE7F"}

package/dist/src/presentation/web/components/features/settings/feature-flags-settings-section.js CHANGED Viewed

@@ -16,6 +16,7 @@ const FLAG_DESCRIPTIONS = {
     gitRebaseSync: 'Enable git rebase-on-main and sync-main operations in the web UI',
     reactFileManager: 'Use the built-in React file manager instead of the native OS folder picker. Also serves as automatic fallback when the native picker is unavailable.',
     inventory: 'Enable the Inventory page showing all repositories and features in a tree view',
+    supplyChainSecurity: 'Master switch for the supply chain security feature (policy engine, canvas badges, Settings section, CLI enforce, CI gate). Turn off to disable the entire feature regardless of Security Mode.',
 };
 const FLAG_LABELS = {
     skills: 'Skills',
@@ -26,6 +27,7 @@ const FLAG_LABELS = {
     gitRebaseSync: 'Git Rebase & Sync',
     reactFileManager: 'React File Manager',
     inventory: 'Inventory',
+    supplyChainSecurity: 'Supply Chain Security',
 };
 const FLAG_KEYS = [
     'skills',
@@ -36,6 +38,7 @@ const FLAG_KEYS = [
     'gitRebaseSync',
     'reactFileManager',
     'inventory',
+    'supplyChainSecurity',
 ];
 export function FeatureFlagsSettingsSection({ featureFlags }) {
     const [flags, setFlags] = useState({ ...featureFlags });

package/dist/src/presentation/web/components/features/settings/feature-flags-settings-section.stories.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"feature-flags-settings-section.stories.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/feature-flags-settings-section.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAQ,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAE/E,QAAA,MAAM,IAAI;;;;;;;CAO0C,CAAC;AAErD,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC;AAEnC,eAAO,MAAM,OAAO,EAAE,~~KAarB~~,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,~~KAaxB~~,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,~~KAazB~~,CAAC"}
1	+ {"version":3,"file":"feature-flags-settings-section.stories.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/feature-flags-settings-section.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAQ,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAC;AAE/E,QAAA,MAAM,IAAI;;;;;;;CAO0C,CAAC;AAErD,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC;AAEnC,eAAO,MAAM,OAAO,EAAE,KAcrB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,KAcxB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,KAczB,CAAC"}

package/dist/src/presentation/web/components/features/settings/feature-flags-settings-section.stories.js CHANGED Viewed

@@ -19,6 +19,7 @@ export const Default = {
             gitRebaseSync: false,
             reactFileManager: false,
             inventory: false,
+            supplyChainSecurity: true,
         },
     },
 };
@@ -33,6 +34,7 @@ export const AllEnabled = {
             gitRebaseSync: true,
             reactFileManager: true,
             inventory: true,
+            supplyChainSecurity: true,
         },
     },
 };
@@ -47,6 +49,7 @@ export const AllDisabled = {
             gitRebaseSync: false,
             reactFileManager: false,
             inventory: false,
+            supplyChainSecurity: false,
         },
     },
 };

package/dist/src/presentation/web/components/features/settings/settings-page-client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"settings-page-client.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/settings-page-client.tsx"],"names":[],"mappings":"~~AA4CA~~,OAAO,KAAK,EACV,QAAQ,EAKT,MAAM,sCAAsC,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;~~AA8B~~/E,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC1C;AA+QD,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,QAAQ,EACR,UAAU,EACV,kBAAkB,GACnB,EAAE,uBAAuB,~~2CAw5CzB~~"}
1	+ {"version":3,"file":"settings-page-client.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/settings-page-client.tsx"],"names":[],"mappings":"AA+CA,OAAO,KAAK,EACV,QAAQ,EAKT,MAAM,sCAAsC,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AA+B/E,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAC;CAC1C;AA+QD,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,QAAQ,EACR,UAAU,EACV,kBAAkB,GACnB,EAAE,uBAAuB,2CA+7CzB"}

package/dist/src/presentation/web/components/features/settings/settings-page-client.js CHANGED Viewed

@@ -1,7 +1,7 @@
 'use client';
 import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
-import { useState, useTransition, useRef, useEffect, useCallback } from 'react';
-import { Check, Bot, Terminal, GitBranch, Activity, Bell, Flag, Database, Globe, Minus, Plus, ExternalLink, Settings2, Timer, MessageSquare, LayoutGrid, } from 'lucide-react';
+import { useState, useTransition, useRef, useEffect, useCallback, useMemo } from 'react';
+import { Check, Bot, Terminal, GitBranch, Activity, Bell, Flag, Database, Globe, Minus, Plus, ExternalLink, Settings2, Timer, MessageSquare, LayoutGrid, Shield, } from 'lucide-react';
 import { toast } from 'sonner';
 import { useTranslation } from 'react-i18next';
 import { cn } from '../../../lib/utils.js';
@@ -9,11 +9,12 @@ import { Label } from '../../ui/label.js';
 import { Switch } from '../../ui/switch.js';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue, } from '../../ui/select.js';
 import { updateSettingsAction } from '../../../app/actions/update-settings.js';
-import { EditorType, Language, TerminalType, } from '../../../../../../packages/core/src/domain/generated/output.js';
+import { EditorType, Language, SecurityMode, TerminalType, } from '../../../../../../packages/core/src/domain/generated/output.js';
 import { getEditorTypeIcon } from '../../common/editor-type-icons.js';
 import { AgentModelPicker } from '../../features/settings/AgentModelPicker/index.js';
 import { LanguageSettingsSection } from '../../features/settings/language-settings-section.js';
 import { TimeoutSlider } from '../../features/settings/timeout-slider.js';
+import { SupplyChainSecuritySettingsSection } from '../../features/settings/supply-chain-security-settings-section.js';
 const EDITOR_OPTIONS = [
     { value: EditorType.VsCode, label: 'VS Code' },
     { value: EditorType.Cursor, label: 'Cursor' },
@@ -31,6 +32,7 @@ const SECTIONS = [
     { id: 'agent', labelKey: 'settings.sections.agent', icon: Bot },
     { id: 'environment', labelKey: 'settings.sections.environment', icon: Terminal },
     { id: 'workflow', labelKey: 'settings.sections.workflow', icon: GitBranch },
+    { id: 'security', labelKey: 'settings.sections.security', icon: Shield },
     { id: 'ci', labelKey: 'settings.sections.ci', icon: Activity },
     { id: 'stage-timeouts', labelKey: 'settings.sections.timeouts', icon: Timer },
     { id: 'notifications', labelKey: 'settings.sections.notifications', icon: Bell },
@@ -132,6 +134,7 @@ export function SettingsPageClient({ settings, shepHome, dbFileSize, availableTe
         gitRebaseSync: false,
         reactFileManager: false,
         inventory: false,
+        supplyChainSecurity: true,
     };
     // Agent state
     const [agentType, setAgentType] = useState(settings.agent.type);
@@ -299,9 +302,14 @@ export function SettingsPageClient({ settings, shepHome, dbFileSize, availableTe
         };
     }
     const [activeSection, setActiveSection] = useState('agent');
+    // Filter sections based on feature flags. When supplyChainSecurity is off,
+    // hide the Security nav tab AND the section below so the feature is fully inert.
+    const visibleSections = useMemo(() => SECTIONS.filter((s) => s.id !== 'security' || flags.supplyChainSecurity), [flags.supplyChainSecurity]);
     // Track which section is in view via IntersectionObserver
     useEffect(() => {
-        const els = SECTIONS.map((s) => document.getElementById(`section-${s.id}`)).filter(Boolean);
+        const els = visibleSections
+            .map((s) => document.getElementById(`section-${s.id}`))
+            .filter(Boolean);
         if (els.length === 0)
             return;
         const observer = new IntersectionObserver((entries) => {
@@ -314,7 +322,7 @@ export function SettingsPageClient({ settings, shepHome, dbFileSize, availableTe
         for (const el of els)
             observer.observe(el);
         return () => observer.disconnect();
-    }, []);
+    }, [visibleSections]);
     const scrollToSection = useCallback((id) => {
         const el = document.getElementById(`section-${id}`);
         if (!el)
@@ -326,7 +334,7 @@ export function SettingsPageClient({ settings, shepHome, dbFileSize, availableTe
         void el.offsetHeight;
         el.style.animation = 'section-flash 1s ease-out';
     }, []);
-    return (_jsxs("div", { "data-testid": "settings-page-client", className: "max-w-5xl", children: [_jsx("div", { className: "bg-background/95 supports-backdrop-filter:bg-background/80 sticky top-0 z-10 grid grid-cols-1 gap-x-5 pt-6 pb-4 backdrop-blur lg:grid-cols-[1fr_280px]", children: _jsxs("div", { className: "flex items-center gap-2", children: [_jsx(Settings2, { className: "text-muted-foreground h-4 w-4" }), _jsx("h1", { className: "text-sm font-bold tracking-tight", children: t('settings.title') }), _jsxs("span", { className: "relative h-4 w-16", children: [_jsx("span", { className: cn('text-muted-foreground absolute inset-0 flex items-center text-xs transition-opacity duration-300', showSaving ? 'opacity-100' : 'opacity-0'), children: t('settings.saving') }), _jsxs("span", { className: cn('absolute inset-0 flex items-center gap-1 text-xs text-green-600 transition-opacity duration-300', showSaved && !showSaving ? 'opacity-100' : 'opacity-0'), children: [_jsx(Check, { className: "h-3 w-3" }), t('settings.saved')] })] }), _jsx("nav", { className: "ml-auto flex items-center gap-0.5", children: SECTIONS.map((s) => {
+    return (_jsxs("div", { "data-testid": "settings-page-client", className: "max-w-5xl", children: [_jsx("div", { className: "bg-background/95 supports-backdrop-filter:bg-background/80 sticky top-0 z-10 grid grid-cols-1 gap-x-5 pt-6 pb-4 backdrop-blur lg:grid-cols-[1fr_280px]", children: _jsxs("div", { className: "flex items-center gap-2", children: [_jsx(Settings2, { className: "text-muted-foreground h-4 w-4" }), _jsx("h1", { className: "text-sm font-bold tracking-tight", children: t('settings.title') }), _jsxs("span", { className: "relative h-4 w-16", children: [_jsx("span", { className: cn('text-muted-foreground absolute inset-0 flex items-center text-xs transition-opacity duration-300', showSaving ? 'opacity-100' : 'opacity-0'), children: t('settings.saving') }), _jsxs("span", { className: cn('absolute inset-0 flex items-center gap-1 text-xs text-green-600 transition-opacity duration-300', showSaved && !showSaving ? 'opacity-100' : 'opacity-0'), children: [_jsx(Check, { className: "h-3 w-3" }), t('settings.saved')] })] }), _jsx("nav", { className: "ml-auto flex items-center gap-0.5", children: visibleSections.map((s) => {
                                 const SectionIcon = s.icon;
                                 const isActive = activeSection === s.id;
                                 return (_jsxs("button", { type: "button", onClick: () => scrollToSection(s.id), className: cn('flex cursor-pointer items-center gap-1 rounded-md px-1.5 py-1 text-[11px] transition-all', isActive
@@ -440,7 +448,18 @@ export function SettingsPageClient({ settings, shepHome, dbFileSize, availableTe
                                         label: t('settings.workflow.links.pushAndPrFlags'),
                                         href: 'https://github.com/shep-ai/shep/blob/main/specs/037-feature-pr-push-flags/spec.yaml',
                                     },
-                                ], children: t('settings.workflow.hint') })] }), _jsxs("div", { id: "section-ci", className: "grid scroll-mt-18 grid-cols-1 gap-x-5 rounded-lg lg:grid-cols-[1fr_280px]", children: [_jsxs(SettingsSection, { icon: Activity, title: t('settings.ci.title'), description: t('settings.ci.description'), testId: "ci-settings-section", children: [_jsx(SettingsRow, { label: t('settings.ci.maxFixAttempts'), description: t('settings.ci.maxFixAttemptsDescription'), htmlFor: "ci-max-fix", children: _jsx(NumberStepper, { id: "ci-max-fix", testId: "ci-max-fix-input", placeholder: "3", value: ciMaxFix, onChange: setCiMaxFix, onBlur: () => {
+                                ], children: t('settings.workflow.hint') })] }), flags.supplyChainSecurity ? (_jsxs("div", { id: "section-security", className: "grid scroll-mt-18 grid-cols-1 gap-x-5 rounded-lg lg:grid-cols-[1fr_280px]", children: [_jsx(SupplyChainSecuritySettingsSection, { securityState: {
+                                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                                    lastEvaluationAt: settings.security?.lastEvaluationAt ?? null,
+                                    policySource: settings.security?.policySource ?? null,
+                                    recentEvents: [],
+                                    highestSeverityFinding: null,
+                                } }), _jsx(SectionHint, { links: [
+                                    {
+                                        label: t('settings.security.links.securitySpec'),
+                                        href: 'https://github.com/shep-ai/shep/blob/main/specs/083-supply-chain-security/spec.yaml',
+                                    },
+                                ], children: t('settings.security.hint') })] })) : null, _jsxs("div", { id: "section-ci", className: "grid scroll-mt-18 grid-cols-1 gap-x-5 rounded-lg lg:grid-cols-[1fr_280px]", children: [_jsxs(SettingsSection, { icon: Activity, title: t('settings.ci.title'), description: t('settings.ci.description'), testId: "ci-settings-section", children: [_jsx(SettingsRow, { label: t('settings.ci.maxFixAttempts'), description: t('settings.ci.maxFixAttemptsDescription'), htmlFor: "ci-max-fix", children: _jsx(NumberStepper, { id: "ci-max-fix", testId: "ci-max-fix-input", placeholder: "3", value: ciMaxFix, onChange: setCiMaxFix, onBlur: () => {
                                                 if (ciMaxFix !== originalCiMaxFix)
                                                     save(buildWorkflowPayload({ ciMaxFix }));
                                             }, min: 1, max: 10 }) }), _jsx(SettingsRow, { label: t('settings.ci.watchTimeout'), description: t('settings.ci.watchTimeoutDescription'), htmlFor: "ci-timeout", children: _jsx(NumberStepper, { id: "ci-timeout", testId: "ci-timeout-input", placeholder: "300", value: ciTimeout, onChange: setCiTimeout, onBlur: () => {

package/dist/src/presentation/web/components/features/settings/settings-page-client.stories.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"settings-page-client.stories.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/settings-page-client.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAQ,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAM5D,QAAA,MAAM,IAAI;;;;;;;CAOiC,CAAC;AAE5C,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC;AAEnC,eAAO,MAAM,OAAO,EAAE,KAMrB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,~~KAsBzB~~,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,KAa7B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,KAuB5B,CAAC"}
1	+ {"version":3,"file":"settings-page-client.stories.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/settings-page-client.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAQ,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAM5D,QAAA,MAAM,IAAI;;;;;;;CAOiC,CAAC;AAE5C,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC;AAEnC,eAAO,MAAM,OAAO,EAAE,KAMrB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,KAuBzB,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,KAa7B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,KAuB5B,CAAC"}

package/dist/src/presentation/web/components/features/settings/settings-page-client.stories.js CHANGED Viewed

@@ -35,6 +35,7 @@ export const AllSections = {
                 gitRebaseSync: false,
                 reactFileManager: false,
                 inventory: false,
+                supplyChainSecurity: true,
             },
         },
         shepHome: '/opt/shep',

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { SecurityState } from '../../../../../../packages/core/src/application/use-cases/security/get-security-state.use-case.js';
+export interface SupplyChainSecuritySettingsSectionProps {
+    securityState: SecurityState;
+}
+export declare function SupplyChainSecuritySettingsSection({ securityState, }: SupplyChainSecuritySettingsSectionProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=supply-chain-security-settings-section.d.ts.map

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"supply-chain-security-settings-section.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/supply-chain-security-settings-section.tsx"],"names":[],"mappings":"AAiBA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yEAAyE,CAAC;AAE7G,MAAM,WAAW,uCAAuC;IACtD,aAAa,EAAE,aAAa,CAAC;CAC9B;AAeD,wBAAgB,kCAAkC,CAAC,EACjD,aAAa,GACd,EAAE,uCAAuC,2CAgKzC"}

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.js ADDED Viewed

@@ -0,0 +1,60 @@
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState, useTransition, useRef, useEffect } from 'react';
+import { Shield, Check, AlertTriangle, ShieldAlert, ShieldOff } from 'lucide-react';
+import { toast } from 'sonner';
+import { useTranslation } from 'react-i18next';
+import { cn } from '../../../lib/utils.js';
+import { Badge } from '../../ui/badge.js';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue, } from '../../ui/select.js';
+import { updateSecurityModeAction } from '../../../app/actions/security.js';
+import { SecurityMode } from '../../../../../../packages/core/src/domain/generated/output.js';
+const MODE_OPTIONS = [
+    { value: SecurityMode.Disabled, icon: ShieldOff },
+    { value: SecurityMode.Advisory, icon: Shield },
+    { value: SecurityMode.Enforce, icon: ShieldAlert },
+];
+const SEVERITY_COLORS = {
+    Low: 'bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300',
+    Medium: 'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300',
+    High: 'bg-orange-100 text-orange-700 dark:bg-orange-900/40 dark:text-orange-300',
+    Critical: 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300',
+};
+export function SupplyChainSecuritySettingsSection({ securityState, }) {
+    const { t } = useTranslation('web');
+    const [mode, setMode] = useState(securityState.mode);
+    const [isPending, startTransition] = useTransition();
+    const [showSaved, setShowSaved] = useState(false);
+    const prevPendingRef = useRef(false);
+    useEffect(() => {
+        if (prevPendingRef.current && !isPending) {
+            setShowSaved(true);
+            const timer = setTimeout(() => setShowSaved(false), 2000);
+            return () => clearTimeout(timer);
+        }
+        prevPendingRef.current = isPending;
+    }, [isPending]);
+    function handleModeChange(value) {
+        const newMode = value;
+        setMode(newMode);
+        startTransition(async () => {
+            const result = await updateSecurityModeAction(newMode);
+            if (!result.success) {
+                toast.error(result.error ?? t('settings.failedToSave'));
+                setMode(securityState.mode);
+            }
+        });
+    }
+    const lastEvalDisplay = securityState.lastEvaluationAt
+        ? new Date(securityState.lastEvaluationAt).toLocaleString()
+        : t('settings.security.lastEvaluationNever');
+    const policySourceDisplay = securityState.policySource ?? t('settings.security.policySourceNone');
+    return (_jsxs("div", { className: "bg-background rounded-lg border", "data-testid": "security-settings-section", children: [_jsxs("div", { className: "bg-muted/30 border-b px-4 py-3", children: [_jsxs("div", { className: "flex items-center gap-2", children: [_jsx(Shield, { className: "text-muted-foreground h-3.5 w-3.5" }), _jsx("h2", { className: "text-sm font-semibold", children: t('settings.security.sectionTitle') }), isPending ? (_jsx("span", { className: "text-muted-foreground text-xs", children: t('settings.saving') })) : null, showSaved && !isPending ? (_jsxs("span", { className: "flex items-center gap-1 text-xs text-green-600", children: [_jsx(Check, { className: "h-3 w-3" }), t('settings.saved')] })) : null] }), _jsx("p", { className: "text-muted-foreground mt-0.5 text-[11px]", children: t('settings.security.sectionDescription') })] }), _jsxs("div", { className: "px-4", children: [_jsxs("div", { className: "flex items-center justify-between gap-4 border-b py-2.5", children: [_jsxs("div", { className: "min-w-0", children: [_jsx("label", { htmlFor: "security-mode", className: "cursor-pointer text-sm font-normal whitespace-nowrap", children: t('settings.security.mode') }), _jsx("p", { className: "text-muted-foreground text-[11px] leading-tight", children: t('settings.security.modeDescription') })] }), _jsx("div", { className: "flex shrink-0 items-center gap-2", children: _jsxs(Select, { value: mode, onValueChange: handleModeChange, children: [_jsx(SelectTrigger, { id: "security-mode", "data-testid": "security-mode-select", className: "w-40 cursor-pointer text-xs", children: _jsx(SelectValue, {}) }), _jsx(SelectContent, { children: MODE_OPTIONS.map((opt) => {
+                                                const Icon = opt.icon;
+                                                return (_jsx(SelectItem, { value: opt.value, children: _jsxs("span", { className: "flex items-center gap-2 text-xs", children: [_jsx(Icon, { className: "h-3.5 w-3.5 shrink-0" }), t(`settings.security.mode${opt.value}`)] }) }, opt.value));
+                                            }) })] }) })] }), _jsxs("div", { className: "flex items-center justify-between gap-4 border-b py-2.5", children: [_jsx("div", { className: "min-w-0", children: _jsx("span", { className: "text-sm font-normal whitespace-nowrap", children: t('settings.security.policySource') }) }), _jsx("span", { className: "text-muted-foreground max-w-50 truncate font-mono text-xs", children: policySourceDisplay })] }), _jsxs("div", { className: "flex items-center justify-between gap-4 border-b py-2.5", children: [_jsx("div", { className: "min-w-0", children: _jsx("span", { className: "text-sm font-normal whitespace-nowrap", children: t('settings.security.lastEvaluation') }) }), _jsx("span", { className: "text-muted-foreground text-xs", children: lastEvalDisplay })] }), _jsxs("div", { className: "py-2.5 last:border-b-0", children: [_jsx("div", { className: "mb-2", children: _jsx("span", { className: "text-sm font-normal", children: t('settings.security.recentFindings') }) }), securityState.recentEvents.length === 0 ? (_jsx("p", { className: "text-muted-foreground text-xs", children: t('settings.security.noFindings') })) : (_jsx("div", { className: "flex flex-col gap-1.5", children: securityState.recentEvents.slice(0, 5).map((event) => (_jsxs("div", { className: "flex items-start gap-2 rounded-md border px-2.5 py-1.5", children: [_jsx(AlertTriangle, { className: cn('mt-0.5 h-3 w-3 shrink-0', event.severity === 'Critical' || event.severity === 'High'
+                                                ? 'text-red-500'
+                                                : event.severity === 'Medium'
+                                                    ? 'text-yellow-500'
+                                                    : 'text-blue-500') }), _jsxs("div", { className: "min-w-0 flex-1", children: [_jsxs("div", { className: "flex items-center gap-1.5", children: [_jsx(Badge, { variant: "secondary", className: cn('px-1 py-0 text-[9px]', SEVERITY_COLORS[event.severity]), children: t(`settings.security.severity.${event.severity}`) }), _jsx("span", { className: "text-muted-foreground text-[10px]", children: event.category })] }), _jsx("p", { className: "mt-0.5 truncate text-[11px]", children: event.message })] })] }, event.id))) }))] })] })] }));
+}

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.stories.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { Meta, StoryObj } from '@storybook/react';
+import { SupplyChainSecuritySettingsSection } from './supply-chain-security-settings-section.js';
+declare const meta: Meta<typeof SupplyChainSecuritySettingsSection>;
+export default meta;
+type Story = StoryObj<typeof SupplyChainSecuritySettingsSection>;
+/** Advisory mode with no findings — default posture for new repositories. */
+export declare const AdvisoryNoFindings: Story;
+/** Disabled mode — security enforcement is turned off. */
+export declare const Disabled: Story;
+/** Enforce mode with a critical finding. */
+export declare const EnforceWithCriticalFinding: Story;
+/** Advisory mode with multiple findings of varying severity. */
+export declare const AdvisoryWithMultipleFindings: Story;
+//# sourceMappingURL=supply-chain-security-settings-section.stories.d.ts.map

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.stories.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"supply-chain-security-settings-section.stories.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/features/settings/supply-chain-security-settings-section.stories.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAOvD,OAAO,EAAE,kCAAkC,EAAE,MAAM,0CAA0C,CAAC;AAG9F,QAAA,MAAM,IAAI,EAAE,IAAI,CAAC,OAAO,kCAAkC,CAIzD,CAAC;AAEF,eAAe,IAAI,CAAC;AACpB,KAAK,KAAK,GAAG,QAAQ,CAAC,OAAO,kCAAkC,CAAC,CAAC;AAUjE,6EAA6E;AAC7E,eAAO,MAAM,kBAAkB,EAAE,KAIhC,CAAC;AAEF,0DAA0D;AAC1D,eAAO,MAAM,QAAQ,EAAE,KAOtB,CAAC;AAEF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B,EAAE,KAgCxC,CAAC;AAEF,gEAAgE;AAChE,eAAO,MAAM,4BAA4B,EAAE,KAkD1C,CAAC"}

package/dist/src/presentation/web/components/features/settings/supply-chain-security-settings-section.stories.js ADDED Viewed

@@ -0,0 +1,116 @@
+import { SecurityMode, SecuritySeverity, SecurityActionCategory, SecurityActionDisposition, } from '../../../../../../packages/core/src/domain/generated/output.js';
+import { SupplyChainSecuritySettingsSection } from './supply-chain-security-settings-section.js';
+const meta = {
+    title: 'Settings/SupplyChainSecuritySettingsSection',
+    component: SupplyChainSecuritySettingsSection,
+    tags: ['autodocs'],
+};
+export default meta;
+const baseState = {
+    mode: SecurityMode.Advisory,
+    lastEvaluationAt: null,
+    policySource: null,
+    recentEvents: [],
+    highestSeverityFinding: null,
+};
+/** Advisory mode with no findings — default posture for new repositories. */
+export const AdvisoryNoFindings = {
+    args: {
+        securityState: baseState,
+    },
+};
+/** Disabled mode — security enforcement is turned off. */
+export const Disabled = {
+    args: {
+        securityState: {
+            ...baseState,
+            mode: SecurityMode.Disabled,
+        },
+    },
+};
+/** Enforce mode with a critical finding. */
+export const EnforceWithCriticalFinding = {
+    args: {
+        securityState: {
+            mode: SecurityMode.Enforce,
+            lastEvaluationAt: new Date().toISOString(),
+            policySource: 'shep.security.yaml',
+            recentEvents: [
+                {
+                    id: 'evt-1',
+                    repositoryPath: '/path/to/repo',
+                    severity: SecuritySeverity.Critical,
+                    category: SecurityActionCategory.PublishRelease,
+                    disposition: SecurityActionDisposition.Denied,
+                    message: 'Missing npm provenance configuration in release workflow',
+                    remediationSummary: 'Add --provenance flag to npm publish step',
+                    createdAt: new Date().toISOString(),
+                    updatedAt: new Date().toISOString(),
+                },
+            ],
+            highestSeverityFinding: {
+                id: 'evt-1',
+                repositoryPath: '/path/to/repo',
+                severity: SecuritySeverity.Critical,
+                category: SecurityActionCategory.PublishRelease,
+                disposition: SecurityActionDisposition.Denied,
+                message: 'Missing npm provenance configuration in release workflow',
+                remediationSummary: 'Add --provenance flag to npm publish step',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+        },
+    },
+};
+/** Advisory mode with multiple findings of varying severity. */
+export const AdvisoryWithMultipleFindings = {
+    args: {
+        securityState: {
+            mode: SecurityMode.Advisory,
+            lastEvaluationAt: new Date(Date.now() - 3600000).toISOString(),
+            policySource: 'shep.security.yaml',
+            recentEvents: [
+                {
+                    id: 'evt-1',
+                    repositoryPath: '/path/to/repo',
+                    severity: SecuritySeverity.High,
+                    category: SecurityActionCategory.DependencyInstall,
+                    disposition: SecurityActionDisposition.Denied,
+                    message: 'Package has postinstall lifecycle script: malicious-pkg@1.0.0',
+                    createdAt: new Date().toISOString(),
+                    updatedAt: new Date().toISOString(),
+                },
+                {
+                    id: 'evt-2',
+                    repositoryPath: '/path/to/repo',
+                    severity: SecuritySeverity.Medium,
+                    category: SecurityActionCategory.CiWorkflowModify,
+                    disposition: SecurityActionDisposition.Allowed,
+                    message: '[Governance Audit] Branch protection not enabled on main',
+                    createdAt: new Date().toISOString(),
+                    updatedAt: new Date().toISOString(),
+                },
+                {
+                    id: 'evt-3',
+                    repositoryPath: '/path/to/repo',
+                    severity: SecuritySeverity.Low,
+                    category: SecurityActionCategory.DependencyInstall,
+                    disposition: SecurityActionDisposition.Allowed,
+                    message: 'Dependency uses git source instead of registry: lodash@git+https://...',
+                    createdAt: new Date().toISOString(),
+                    updatedAt: new Date().toISOString(),
+                },
+            ],
+            highestSeverityFinding: {
+                id: 'evt-1',
+                repositoryPath: '/path/to/repo',
+                severity: SecuritySeverity.High,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: SecurityActionDisposition.Denied,
+                message: 'Package has postinstall lifecycle script: malicious-pkg@1.0.0',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+        },
+    },
+};

package/dist/translations/ar/cli.json CHANGED Viewed

@@ -187,6 +187,27 @@
         "failedToList": "خطأ في عرض الأدوات: {{error}}"
       }
     },
+    "security": {
+      "description": "Supply-chain security policy management",
+      "enforce": {
+        "description": "Evaluate repository security posture and enforce policy",
+        "repoOption": "Repository path (defaults to current directory)",
+        "outputOption": "Output format (table, json, yaml)",
+        "passed": "Security enforcement passed",
+        "failed": "Security enforcement failed",
+        "advisoryNote": "Mode is Advisory — findings are reported but do not block",
+        "disabledNote": "Security mode is Disabled — no checks performed",
+        "modeLabel": "Mode",
+        "sourceLabel": "Source",
+        "dependencyFindingsLabel": "Dependency Findings",
+        "releaseIntegrityLabel": "Release Integrity",
+        "totalFindingsLabel": "Total Findings",
+        "governanceFindingsLabel": "GitHub Governance (audit-only)",
+        "noFindings": "No findings",
+        "failedToEnforce": "Failed to evaluate security posture",
+        "flagDisabledNote": "Supply chain security feature flag is off — enforce is a no-op"
+      }
+    },
     "feat": {
       "description": "إدارة الميزات عبر دورة حياة تطوير البرمجيات",
       "new": {

package/dist/translations/ar/web.json CHANGED Viewed

@@ -15,7 +15,8 @@
       "flags": "العلامات",
       "chat": "المحادثة",
       "layout": "التخطيط",
-      "database": "قاعدة البيانات"
+      "database": "قاعدة البيانات",
+      "security": "Security"
     },
     "language": {
       "title": "اللغة",
@@ -224,6 +225,47 @@
       "swapPositionDescription": "نقل زر المحادثة إلى اليسار وزر الإنشاء إلى اليمين",
       "hint": "يوجد زران عائمان (إنشاء ومحادثة) في الزوايا السفلية لمركز التحكم. قم بتفعيل هذا الخيار لتبديل مواضعهما."
     },
+    "security": {
+      "title": "Supply Chain Security",
+      "sectionTitle": "Supply Chain Security",
+      "sectionDescription": "Configure security mode and review policy enforcement findings",
+      "mode": "Security mode",
+      "modeDescription": "Controls how the policy engine responds to violations",
+      "modeDisabled": "Disabled",
+      "modeAdvisory": "Advisory",
+      "modeEnforce": "Enforce",
+      "policySource": "Policy source",
+      "policySourceNone": "No policy loaded",
+      "lastEvaluation": "Last evaluation",
+      "lastEvaluationNever": "Never",
+      "recentFindings": "Recent findings",
+      "noFindings": "No security findings recorded",
+      "runEnforcement": "Run enforcement",
+      "running": "Running...",
+      "severity": {
+        "Low": "Low",
+        "Medium": "Medium",
+        "High": "High",
+        "Critical": "Critical"
+      },
+      "hint": "Security mode controls how the policy engine handles violations. Advisory mode logs findings without blocking. Enforce mode blocks risky actions and fails builds.",
+      "links": {
+        "securitySpec": "Security spec"
+      },
+      "badge": {
+        "advisory": "Security: Advisory",
+        "enforce": "Security: Enforce",
+        "disabled": "Security: Disabled"
+      },
+      "panel": {
+        "title": "Security",
+        "governance": "Governance",
+        "dependencies": "Dependencies",
+        "noFindings": "No security findings",
+        "findingsByCategory": "Findings by category",
+        "totalFindings": "{{count}} finding(s)"
+      }
+    },
     "database": {
       "title": "قاعدة البيانات",
       "description": "مسار قاعدة البيانات وإدارتها",