@shepai/cli 1.175.0 → 1.175.1-pr527.ea242b8

package/dist/packages/core/src/application/ports/output/services/security-policy-service.interface.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Security Policy Service Interface
+ *
+ * Output port for the central security policy engine.
+ * Implementations handle policy file reading, validation, merging
+ * with persisted settings, and deterministic policy evaluation.
+ *
+ * Following Clean Architecture:
+ * - Application and use-case layers depend on this interface
+ * - Infrastructure layer provides the concrete implementation
+ * - All consumers (CLI, runtime, CI, UI) resolve the same instance via DI
+ */
+import type { EffectivePolicySnapshot, SecurityActionCategory, SecurityActionDisposition } from '../../../../domain/generated/output.js';
+/**
+ * Result of validating a security policy file.
+ */
+export interface PolicyValidationResult {
+    /** Whether the policy file is valid */
+    valid: boolean;
+    /** Per-field validation error messages (empty when valid) */
+    errors: string[];
+}
+/**
+ * Service interface for security policy evaluation.
+ *
+ * Implementations must:
+ * - Read shep.security.yaml from the repository root
+ * - Merge repository policy with persisted settings defaults
+ * - Apply deterministic precedence (global defaults < repo policy)
+ * - Cache effective policy per repository path
+ * - Fail fast on invalid policy files with actionable errors
+ */
+export interface ISecurityPolicyService {
+    /**
+     * Evaluate and compute the effective security policy for a repository.
+     *
+     * Reads the policy file, merges with persisted settings defaults,
+     * validates, and returns a deterministic snapshot. Re-evaluates
+     * on every call (no cache).
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns Computed effective policy snapshot
+     * @throws Error if the policy file exists but is invalid
+     */
+    evaluatePolicy(repositoryPath: string): Promise<EffectivePolicySnapshot>;
+    /**
+     * Get the effective security policy for a repository.
+     *
+     * Returns a cached snapshot if available, otherwise computes
+     * and caches the result. Use evaluatePolicy() to force re-evaluation.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns Cached or freshly computed effective policy snapshot
+     * @throws Error if the policy file exists but is invalid
+     */
+    getEffectivePolicy(repositoryPath: string): Promise<EffectivePolicySnapshot>;
+    /**
+     * Validate a security policy file without computing effective policy.
+     *
+     * Parses and validates the file against the expected schema.
+     * Returns a structured result with per-field error messages.
+     *
+     * @param filePath - Absolute path to the policy file
+     * @returns Validation result with errors array
+     */
+    validatePolicyFile(filePath: string): Promise<PolicyValidationResult>;
+    /**
+     * Look up the enforcement disposition for a specific action category
+     * within a given effective policy snapshot.
+     *
+     * @param policy - The effective policy snapshot to query
+     * @param actionCategory - The action category to look up
+     * @returns The disposition (Allowed, Denied, or ApprovalRequired)
+     */
+    getActionDisposition(policy: EffectivePolicySnapshot, actionCategory: SecurityActionCategory): SecurityActionDisposition;
+}
+//# sourceMappingURL=security-policy-service.interface.d.ts.map

package/dist/packages/core/src/application/ports/output/services/security-policy-service.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-policy-service.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/security-policy-service.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,yBAAyB,EAC1B,MAAM,wCAAwC,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,uCAAuC;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,6DAA6D;IAC7D,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;;;;;;;;OAUG;IACH,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAEzE;;;;;;;;;OASG;IACH,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAE7E;;;;;;;;OAQG;IACH,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAEtE;;;;;;;OAOG;IACH,oBAAoB,CAClB,MAAM,EAAE,uBAAuB,EAC/B,cAAc,EAAE,sBAAsB,GACrC,yBAAyB,CAAC;CAC9B"}

package/dist/packages/core/src/application/ports/output/services/security-policy-service.interface.js

@@ -0,0 +1,13 @@
+/**
+ * Security Policy Service Interface
+ *
+ * Output port for the central security policy engine.
+ * Implementations handle policy file reading, validation, merging
+ * with persisted settings, and deterministic policy evaluation.
+ *
+ * Following Clean Architecture:
+ * - Application and use-case layers depend on this interface
+ * - Infrastructure layer provides the concrete implementation
+ * - All consumers (CLI, runtime, CI, UI) resolve the same instance via DI
+ */
+export {};

package/dist/packages/core/src/application/ports/output/services/spec-initializer.interface.d.ts

@@ -32,5 +32,16 @@ export interface ISpecInitializerService {
      * @returns The spec directory path and feature number used
      */
     initialize(basePath: string, slug: string, featureNumber: number, description: string, mode?: 'fast'): Promise<SpecInitializerResult>;
+    /**
+     * Scaffold a baseline shep.security.yaml file at the repository root.
+     *
+     * Creates the security policy file with Advisory mode, default action
+     * dispositions, and dependency/release rules. Includes YAML comments
+     * explaining each section.
+     *
+     * @param repositoryPath - Absolute path to the repository root
+     * @returns The absolute path to the created security policy file
+     */
+    scaffoldSecurityPolicy(repositoryPath: string): Promise<string>;
 }
 //# sourceMappingURL=spec-initializer.interface.d.ts.map

package/dist/packages/core/src/application/ports/output/services/spec-initializer.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"spec-initializer.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/spec-initializer.interface.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;;;;;;;OAkBG;IACH,UAAU,CACR,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACnC"}
+{"version":3,"file":"spec-initializer.interface.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/ports/output/services/spec-initializer.interface.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;;;;;;;;;;;OAkBG;IACH,UAAU,CACR,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAElC;;;;;;;;;OASG;IACH,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjE"}

package/dist/packages/core/src/application/use-cases/agents/approve-agent-run.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"approve-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/approve-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAE1G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAO9E,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CA0GlD"}
+{"version":3,"file":"approve-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/approve-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAE1G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAQ9E,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CA2GlD"}

package/dist/packages/core/src/application/use-cases/agents/approve-agent-run.use-case.js

@@ -25,6 +25,7 @@ import { join } from 'node:path';
 import { AgentRunStatus } from '../../../domain/generated/output.js';
 import { writeSpecFileAtomic, safeYamlDump, } from '../../../infrastructure/services/agents/feature-agent/nodes/node-helpers.js';
 import { computeWorktreePath } from '../../../infrastructure/services/ide-launchers/compute-worktree-path.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let ApproveAgentRunUseCase = class ApproveAgentRunUseCase {
     agentRunRepository;
     processService;
@@ -120,6 +121,7 @@ let ApproveAgentRunUseCase = class ApproveAgentRunUseCase {
             agentType: run.agentType,
             ...(run.modelId ? { model: run.modelId } : {}),
             ...(feature?.fast ? { fast: true } : {}),
+            securityMode: getSettings().security?.mode,
         });
         return { approved: true, reason: 'Approved and resumed' };
     }

package/dist/packages/core/src/application/use-cases/agents/reject-agent-run.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reject-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/reject-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAa1G,qBACa,qBAAqB;IAG9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC;QACT,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;KAC5B,CAAC;CAkIH"}
+{"version":3,"file":"reject-agent-run.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/agents/reject-agent-run.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gEAAgE,CAAC;AAC7G,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAc1G,qBACa,qBAAqB;IAG9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,qBAAqB;gBANrB,kBAAkB,EAAE,mBAAmB,EAEvC,cAAc,EAAE,2BAA2B,EAE3C,iBAAiB,EAAE,kBAAkB,EAErC,qBAAqB,EAAE,sBAAsB;IAG1D,OAAO,CACX,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,MAAM,EAChB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC;QACT,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;KAC5B,CAAC;CAmIH"}

package/dist/packages/core/src/application/use-cases/agents/reject-agent-run.use-case.js

@@ -25,6 +25,7 @@ import { AgentRunStatus } from '../../../domain/generated/output.js';
 import { writeSpecFileAtomic, safeYamlDump, } from '../../../infrastructure/services/agents/feature-agent/nodes/node-helpers.js';
 import { recordLifecycleEvent } from '../../../infrastructure/services/agents/feature-agent/phase-timing-context.js';
 import { computeWorktreePath } from '../../../infrastructure/services/ide-launchers/compute-worktree-path.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let RejectAgentRunUseCase = class RejectAgentRunUseCase {
     agentRunRepository;
     processService;
@@ -136,6 +137,7 @@ let RejectAgentRunUseCase = class RejectAgentRunUseCase {
             agentType: run.agentType,
             ...(run.modelId ? { model: run.modelId } : {}),
             ...(feature.fast ? { fast: true } : {}),
+            securityMode: getSettings().security?.mode,
         });
         return {
             rejected: true,

package/dist/packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"check-and-unblock-features.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAGhH,qBACa,8BAA8B;IAET,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE1D,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAFkB,WAAW,EAAE,kBAAkB,EAE7D,YAAY,EAAE,2BAA2B;IAG5D;;;;OAIG;IACG,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA4CtD"}
+{"version":3,"file":"check-and-unblock-features.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAIhH,qBACa,8BAA8B;IAET,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE1D,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAFkB,WAAW,EAAE,kBAAkB,EAE7D,YAAY,EAAE,2BAA2B;IAG5D;;;;OAIG;IACG,OAAO,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA6CtD"}

package/dist/packages/core/src/application/use-cases/features/check-and-unblock-features.use-case.js

@@ -29,6 +29,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { SdlcLifecycle } from '../../../domain/generated/output.js';
 import { POST_IMPLEMENTATION } from '../../../domain/lifecycle-gates.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let CheckAndUnblockFeaturesUseCase = class CheckAndUnblockFeaturesUseCase {
     featureRepo;
     agentProcess;
@@ -70,6 +71,7 @@ let CheckAndUnblockFeaturesUseCase = class CheckAndUnblockFeaturesUseCase {
                     enableEvidence: child.enableEvidence,
                     commitEvidence: child.commitEvidence,
                     ...(child.fast ? { fast: true } : {}),
+                    securityMode: getSettings().security?.mode,
                 });
             }
         }

package/dist/packages/core/src/application/use-cases/features/create/create-feature.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/use-cases/features/create/create-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wCAAwC,CAAC;AAMtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oEAAoE,CAAC;AAC7G,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8DAA8D,CAAC;AACrG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,iEAAiE,CAAC;AACnH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gEAAgE,CAAC;AAC1G,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,8DAA8D,CAAC;AAC5G,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,uEAAuE,CAAC;AACnH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAChG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2DAA2D,CAAC;AACjG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4DAA4D,CAAC;AAIxG,OAAO,EAAE,wBAAwB,EAAE,MAAM,mEAAmE,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAE9F,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAtBb,WAAW,EAAE,kBAAkB,EAE/B,eAAe,EAAE,gBAAgB,EAEjC,YAAY,EAAE,2BAA2B,EAEzC,aAAa,EAAE,mBAAmB,EAElC,eAAe,EAAE,uBAAuB,EAExC,iBAAiB,EAAE,iBAAiB,EAEpC,YAAY,EAAE,YAAY,EAE1B,cAAc,EAAE,qBAAqB,EAErC,YAAY,EAAE,aAAa,EAE3B,iBAAiB,EAAE,wBAAwB,EAE3C,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,qBAAqB;IAGvD;;;OAGG;IACG,OAAO,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAMtE;;;;OAIG;IACG,YAAY,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAyI1E;;;OAGG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,kBAAkB,EACzB,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;CAsK1D"}
+{"version":3,"file":"create-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/application/use-cases/features/create/create-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wCAAwC,CAAC;AAMtE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oEAAoE,CAAC;AAC7G,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,8DAA8D,CAAC;AACrG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,iEAAiE,CAAC;AACnH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gEAAgE,CAAC;AAC1G,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,8DAA8D,CAAC;AAC5G,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,uEAAuE,CAAC;AACnH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAChG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2DAA2D,CAAC;AACjG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4DAA4D,CAAC;AAIxG,OAAO,EAAE,wBAAwB,EAAE,MAAM,mEAAmE,CAAC;AAC7G,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAE9F,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAE7B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAElC,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAtBb,WAAW,EAAE,kBAAkB,EAE/B,eAAe,EAAE,gBAAgB,EAEjC,YAAY,EAAE,2BAA2B,EAEzC,aAAa,EAAE,mBAAmB,EAElC,eAAe,EAAE,uBAAuB,EAExC,iBAAiB,EAAE,iBAAiB,EAEpC,YAAY,EAAE,YAAY,EAE1B,cAAc,EAAE,qBAAqB,EAErC,YAAY,EAAE,aAAa,EAE3B,iBAAiB,EAAE,wBAAwB,EAE3C,cAAc,EAAE,eAAe,EAE/B,aAAa,EAAE,qBAAqB;IAGvD;;;OAGG;IACG,OAAO,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAMtE;;;;OAIG;IACG,YAAY,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAyI1E;;;OAGG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,kBAAkB,EACzB,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,OAAO,CAAA;KAAE,CAAC;CAuK1D"}

package/dist/packages/core/src/application/use-cases/features/create/create-feature.use-case.js

@@ -326,6 +326,7 @@ let CreateFeatureUseCase = class CreateFeatureUseCase {
                 ...(input.fast ? { fast: true } : {}),
                 ...(input.agentType ? { agentType: input.agentType } : {}),
                 ...(input.model ? { model: input.model } : {}),
+                securityMode: settings.security?.mode,
             });
         }
         return { warning, updatedFeature };

package/dist/packages/core/src/application/use-cases/features/resume-feature.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resume-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/resume-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AAQlG,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAClC,OAAO,CAAC,mBAAmB,CAAC;CA4GhC"}
+{"version":3,"file":"resume-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/resume-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AASlG,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,qBACa,oBAAoB;IAG7B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAClC,OAAO,CAAC,mBAAmB,CAAC;CA6GhC"}

package/dist/packages/core/src/application/use-cases/features/resume-feature.use-case.js

@@ -19,6 +19,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { randomUUID } from 'node:crypto';
 import { AgentRunStatus } from '../../../domain/generated/output.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 const RESUMABLE_STATUSES = new Set([
     AgentRunStatus.interrupted,
     AgentRunStatus.failed,
@@ -118,6 +119,7 @@ let ResumeFeatureUseCase = class ResumeFeatureUseCase {
             ...(feature.fast ? { fast: true } : {}),
             ...(lastRun.modelId ? { model: lastRun.modelId } : {}),
             resumeReason: lastRun.status,
+            securityMode: getSettings().security?.mode,
         });
         return { feature, newRun };
     }

package/dist/packages/core/src/application/use-cases/features/start-feature.use-case.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"start-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/start-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AAGlG,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,qBACa,mBAAmB;IAG5B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAyG9D"}
+{"version":3,"file":"start-feature.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/features/start-feature.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iEAAiE,CAAC;AAC1G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AACvG,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,8DAA8D,CAAC;AAChH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2DAA2D,CAAC;AAIlG,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,qBACa,mBAAmB;IAG5B,OAAO,CAAC,QAAQ,CAAC,WAAW;IAE5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAExB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAE/B,OAAO,CAAC,QAAQ,CAAC,eAAe;gBANf,WAAW,EAAE,kBAAkB,EAE/B,OAAO,EAAE,mBAAmB,EAE5B,cAAc,EAAE,2BAA2B,EAE3C,eAAe,EAAE,gBAAgB;IAG9C,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;CA0G9D"}

package/dist/packages/core/src/application/use-cases/features/start-feature.use-case.js

@@ -20,6 +20,7 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 import { injectable, inject } from 'tsyringe';
 import { SdlcLifecycle } from '../../../domain/generated/output.js';
 import { POST_IMPLEMENTATION } from '../../../domain/lifecycle-gates.js';
+import { getSettings } from '../../../infrastructure/services/settings.service.js';
 let StartFeatureUseCase = class StartFeatureUseCase {
     featureRepo;
     runRepo;
@@ -105,6 +106,7 @@ let StartFeatureUseCase = class StartFeatureUseCase {
                 agentType: agentRun.agentType,
                 ...(resolved.fast ? { fast: true } : {}),
                 ...(agentRun.modelId ? { model: agentRun.modelId } : {}),
+                securityMode: getSettings().security?.mode,
             });
         }
         return { feature: updatedFeature, agentRun };

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { EffectivePolicySnapshot, DependencyFinding, ReleaseIntegrityResult } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+import type { IGitHubRepositoryService, GovernanceFinding } from '../../ports/output/services/github-repository-service.interface.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+/**
+ * Input for the enforce security use case.
+ */
+export interface EnforceSecurityInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+/**
+ * Result of the enforcement flow.
+ */
+export interface EnforceSecurityResult {
+    /** Whether all checks passed (Advisory always passes, Enforce fails on violations) */
+    passed: boolean;
+    /** Effective security mode used for evaluation */
+    mode: SecurityMode;
+    /** Effective policy snapshot */
+    policy: EffectivePolicySnapshot;
+    /** Dependency risk findings */
+    dependencyFindings: DependencyFinding[];
+    /** Release integrity result */
+    releaseIntegrity: ReleaseIntegrityResult;
+    /** GitHub governance audit findings (audit-only, do not affect pass/fail) */
+    governanceFindings: GovernanceFinding[];
+    /** Total number of findings (excludes governance — governance is audit-only) */
+    totalFindings: number;
+}
+export declare class EnforceSecurityUseCase {
+    private readonly policyService;
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    private readonly dependencyEvaluator;
+    private readonly releaseEvaluator;
+    private readonly githubService;
+    constructor(policyService: ISecurityPolicyService, eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository, dependencyEvaluator: DependencyRiskEvaluator, releaseEvaluator: ReleaseIntegrityEvaluator, githubService: IGitHubRepositoryService);
+    execute(input: EnforceSecurityInput): Promise<EnforceSecurityResult>;
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    private runGovernanceAudit;
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    private persistFindings;
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    private updateEvaluationTimestamp;
+}
+//# sourceMappingURL=enforce-security.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforce-security.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/enforce-security.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,YAAY,EAA0B,MAAM,qCAAqC,CAAC;AAC3F,OAAO,KAAK,EACV,uBAAuB,EACvB,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,qCAAqC,CAAC;AAC7C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAC5G,OAAO,KAAK,EACV,wBAAwB,EACxB,iBAAiB,EAClB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,wEAAwE,CAAC;AACjH,OAAO,EAAE,yBAAyB,EAAE,MAAM,0EAA0E,CAAC;AAOrH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,sFAAsF;IACtF,MAAM,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,IAAI,EAAE,YAAY,CAAC;IACnB,gCAAgC;IAChC,MAAM,EAAE,uBAAuB,CAAC;IAChC,+BAA+B;IAC/B,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,+BAA+B;IAC/B,gBAAgB,EAAE,sBAAsB,CAAC;IACzC,6EAA6E;IAC7E,kBAAkB,EAAE,iBAAiB,EAAE,CAAC;IACxC,gFAAgF;IAChF,aAAa,EAAE,MAAM,CAAC;CACvB;AAuBD,qBACa,sBAAsB;IAG/B,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;IAEnC,OAAO,CAAC,QAAQ,CAAC,mBAAmB;IAEpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB;IAEjC,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAVb,aAAa,EAAE,sBAAsB,EAErC,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB,EAEvC,mBAAmB,EAAE,uBAAuB,EAE5C,gBAAgB,EAAE,yBAAyB,EAE3C,aAAa,EAAE,wBAAwB;IAGpD,OAAO,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IA8D1E;;;OAGG;YACW,kBAAkB;IAgBhC;;OAEG;YACW,eAAe;IA6D7B;;OAEG;YACW,yBAAyB;CAgBxC"}

package/dist/packages/core/src/application/use-cases/security/enforce-security.use-case.js

@@ -0,0 +1,215 @@
+/**
+ * Enforce Security Use Case
+ *
+ * Orchestrates the full security enforcement flow:
+ * 1. Evaluate effective policy
+ * 2. Run dependency-risk checks
+ * 3. Run release-integrity checks
+ * 4. Persist findings as security events
+ * 5. Return structured enforcement result
+ *
+ * Supports Advisory (always pass) and Enforce (fail on violations) modes.
+ * Disabled mode returns empty pass result.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecurityActionCategory } from '../../../domain/generated/output.js';
+import { DependencyRiskEvaluator } from '../../../infrastructure/services/security/dependency-risk-evaluator.js';
+import { ReleaseIntegrityEvaluator } from '../../../infrastructure/services/security/release-integrity-evaluator.js';
+import { randomUUID } from 'node:crypto';
+import { execFile as execFileCb } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFileCb);
+/**
+ * Default dependency rules when no policy file defines them.
+ */
+const DEFAULT_DEPENDENCY_RULES = {
+    checkLockfileConsistency: true,
+    checkLifecycleScripts: true,
+    checkNonRegistrySource: true,
+    enforceStrictVersionRanges: false,
+    allowlist: [],
+    denylist: [],
+};
+/**
+ * Default release rules when no policy file defines them.
+ */
+const DEFAULT_RELEASE_RULES = {
+    requireCiOnlyPublishing: true,
+    requireProvenance: true,
+    checkWorkflowIntegrity: true,
+};
+let EnforceSecurityUseCase = class EnforceSecurityUseCase {
+    policyService;
+    eventRepository;
+    settingsRepository;
+    dependencyEvaluator;
+    releaseEvaluator;
+    githubService;
+    constructor(policyService, eventRepository, settingsRepository, dependencyEvaluator, releaseEvaluator, githubService) {
+        this.policyService = policyService;
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+        this.dependencyEvaluator = dependencyEvaluator;
+        this.releaseEvaluator = releaseEvaluator;
+        this.githubService = githubService;
+    }
+    async execute(input) {
+        // Evaluate effective policy
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Disabled mode — return empty pass result
+        if (policy.mode === SecurityMode.Disabled) {
+            return {
+                passed: true,
+                mode: SecurityMode.Disabled,
+                policy,
+                dependencyFindings: [],
+                releaseIntegrity: { checks: [], passed: true },
+                governanceFindings: [],
+                totalFindings: 0,
+            };
+        }
+        // Run dependency-risk checks
+        const dependencyFindings = this.dependencyEvaluator.evaluate(input.repositoryPath, DEFAULT_DEPENDENCY_RULES);
+        // Run release-integrity checks
+        const releaseIntegrity = this.releaseEvaluator.evaluate(input.repositoryPath, DEFAULT_RELEASE_RULES);
+        // Run governance audit (audit-only — does not affect pass/fail)
+        const governanceFindings = await this.runGovernanceAudit(input.repositoryPath);
+        // Count total findings (governance excluded — audit-only per FR-15)
+        const failedReleaseChecks = releaseIntegrity.checks.filter((c) => !c.passed);
+        const totalFindings = dependencyFindings.length + failedReleaseChecks.length;
+        // Persist findings as security events
+        await this.persistFindings(input.repositoryPath, dependencyFindings, releaseIntegrity, governanceFindings);
+        // Update settings with evaluation timestamp
+        await this.updateEvaluationTimestamp(policy.source);
+        // Determine pass/fail based on mode (governance is always advisory)
+        const hasFailures = totalFindings > 0;
+        const passed = policy.mode === SecurityMode.Advisory ? true : !hasFailures;
+        return {
+            passed,
+            mode: policy.mode,
+            policy,
+            dependencyFindings,
+            releaseIntegrity,
+            governanceFindings,
+            totalFindings,
+        };
+    }
+    /**
+     * Resolve GitHub owner/repo from the repository's git remote and run governance audit.
+     * Returns empty array if the remote cannot be resolved (not a GitHub repo, no remote, etc.).
+     */
+    async runGovernanceAudit(repositoryPath) {
+        try {
+            const { stdout } = await execFileAsync('git', ['remote', 'get-url', 'origin'], {
+                cwd: repositoryPath,
+            });
+            const remoteUrl = stdout.trim();
+            if (!remoteUrl)
+                return [];
+            const parsed = this.githubService.parseGitHubUrl(remoteUrl);
+            return await this.githubService.auditRepositoryGovernance(parsed.owner, parsed.repo);
+        }
+        catch {
+            // Not a GitHub repository, no remote configured, or parse failure — skip governance audit
+            return [];
+        }
+    }
+    /**
+     * Persist dependency findings, failed release checks, and governance findings as security events.
+     */
+    async persistFindings(repositoryPath, depFindings, releaseResult, govFindings) {
+        const now = new Date().toISOString();
+        for (const finding of depFindings) {
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity: finding.severity,
+                category: SecurityActionCategory.DependencyInstall,
+                disposition: 'Denied',
+                message: finding.message,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+        for (const check of releaseResult.checks) {
+            if (!check.passed) {
+                const event = {
+                    id: randomUUID(),
+                    repositoryPath,
+                    severity: check.severity,
+                    category: SecurityActionCategory.PublishRelease,
+                    disposition: 'Denied',
+                    message: check.message,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                await this.eventRepository.save(event);
+            }
+        }
+        // Persist governance findings as advisory events
+        for (const finding of govFindings) {
+            // Map governance severity to SecuritySeverity (Unknown → Low for persistence)
+            const severity = finding.severity === 'Unknown'
+                ? 'Low'
+                : finding.severity;
+            const event = {
+                id: randomUUID(),
+                repositoryPath,
+                severity,
+                category: SecurityActionCategory.CiWorkflowModify,
+                disposition: 'Allowed',
+                message: `[Governance Audit] ${finding.message}`,
+                remediationSummary: finding.remediation,
+                createdAt: now,
+                updatedAt: now,
+            };
+            await this.eventRepository.save(event);
+        }
+    }
+    /**
+     * Update settings with the latest evaluation timestamp and policy source.
+     */
+    async updateEvaluationTimestamp(policySource) {
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — evaluation results are still returned even if settings update fails
+        }
+    }
+};
+EnforceSecurityUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISecurityEventRepository')),
+    __param(2, inject('ISettingsRepository')),
+    __param(3, inject('DependencyRiskEvaluator')),
+    __param(4, inject('ReleaseIntegrityEvaluator')),
+    __param(5, inject('IGitHubRepositoryService')),
+    __metadata("design:paramtypes", [Object, Object, Object, DependencyRiskEvaluator,
+        ReleaseIntegrityEvaluator, Object])
+], EnforceSecurityUseCase);
+export { EnforceSecurityUseCase };

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+import type { EffectivePolicySnapshot } from '../../../domain/generated/output.js';
+import type { ISecurityPolicyService } from '../../ports/output/services/security-policy-service.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Input for the evaluate security policy use case.
+ */
+export interface EvaluateSecurityPolicyInput {
+    /** Absolute path to the repository to evaluate */
+    repositoryPath: string;
+}
+export declare class EvaluateSecurityPolicyUseCase {
+    private readonly policyService;
+    private readonly settingsRepository;
+    constructor(policyService: ISecurityPolicyService, settingsRepository: ISettingsRepository);
+    execute(input: EvaluateSecurityPolicyInput): Promise<EffectivePolicySnapshot>;
+}
+//# sourceMappingURL=evaluate-security-policy.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluate-security-policy.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAC;AACnF,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,kEAAkE,CAAC;AAC/G,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAE5G;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBACa,6BAA6B;IAGtC,OAAO,CAAC,QAAQ,CAAC,aAAa;IAE9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,aAAa,EAAE,sBAAsB,EAErC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,KAAK,EAAE,2BAA2B,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAqBpF"}

package/dist/packages/core/src/application/use-cases/security/evaluate-security-policy.use-case.js

@@ -0,0 +1,56 @@
+/**
+ * Evaluate Security Policy Use Case
+ *
+ * Wraps ISecurityPolicyService.evaluatePolicy() as a use case.
+ * Updates settings with the latest evaluation timestamp and policy source.
+ * Returns the effective policy snapshot.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode } from '../../../domain/generated/output.js';
+let EvaluateSecurityPolicyUseCase = class EvaluateSecurityPolicyUseCase {
+    policyService;
+    settingsRepository;
+    constructor(policyService, settingsRepository) {
+        this.policyService = policyService;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(input) {
+        const policy = await this.policyService.evaluatePolicy(input.repositoryPath);
+        // Update settings with evaluation timestamp and source
+        try {
+            const settings = await this.settingsRepository.load();
+            if (settings) {
+                settings.security = {
+                    ...settings.security,
+                    mode: settings.security?.mode ?? SecurityMode.Advisory,
+                    lastEvaluationAt: new Date().toISOString(),
+                    policySource: policy.source,
+                };
+                await this.settingsRepository.update(settings);
+            }
+        }
+        catch {
+            // Non-fatal — policy is still returned even if settings update fails
+        }
+        return policy;
+    }
+};
+EvaluateSecurityPolicyUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityPolicyService')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], EvaluateSecurityPolicyUseCase);
+export { EvaluateSecurityPolicyUseCase };