@shepai/cli 1.175.0 → 1.175.1-pr527.ea242b8

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Get Security State Use Case
+ *
+ * Returns the current security state for UI projection:
+ * - Effective mode from settings
+ * - Recent security events (limited)
+ * - Highest-severity open finding
+ * - Last evaluation timestamp
+ */
+import { SecurityMode } from '../../../domain/generated/output.js';
+import type { SecurityEvent } from '../../../domain/generated/output.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+import type { ISettingsRepository } from '../../ports/output/repositories/settings.repository.interface.js';
+/**
+ * Security state summary for UI projection.
+ */
+export interface SecurityState {
+    /** Effective security mode */
+    mode: SecurityMode;
+    /** Last evaluation timestamp (ISO string) or null */
+    lastEvaluationAt: string | null;
+    /** Policy source or null */
+    policySource: string | null;
+    /** Recent security events (most recent first, limited) */
+    recentEvents: SecurityEvent[];
+    /** Highest-severity finding from recent events, or null */
+    highestSeverityFinding: SecurityEvent | null;
+}
+export declare class GetSecurityStateUseCase {
+    private readonly eventRepository;
+    private readonly settingsRepository;
+    constructor(eventRepository: ISecurityEventRepository, settingsRepository: ISettingsRepository);
+    execute(repositoryPath: string): Promise<SecurityState>;
+    private findHighestSeverity;
+}
+//# sourceMappingURL=get-security-state.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-security-state.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/get-security-state.use-case.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,YAAY,EAAoB,MAAM,qCAAqC,CAAC;AACrF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AACvH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kEAAkE,CAAC;AAK5G;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,IAAI,EAAE,YAAY,CAAC;IACnB,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,4BAA4B;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,0DAA0D;IAC1D,YAAY,EAAE,aAAa,EAAE,CAAC;IAC9B,2DAA2D;IAC3D,sBAAsB,EAAE,aAAa,GAAG,IAAI,CAAC;CAC9C;AAUD,qBACa,uBAAuB;IAGhC,OAAO,CAAC,QAAQ,CAAC,eAAe;IAEhC,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAFlB,eAAe,EAAE,wBAAwB,EAEzC,kBAAkB,EAAE,mBAAmB;IAGpD,OAAO,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB7D,OAAO,CAAC,mBAAmB;CAgB5B"}

package/dist/packages/core/src/application/use-cases/security/get-security-state.use-case.js

@@ -0,0 +1,76 @@
+/**
+ * Get Security State Use Case
+ *
+ * Returns the current security state for UI projection:
+ * - Effective mode from settings
+ * - Recent security events (limited)
+ * - Highest-severity open finding
+ * - Last evaluation timestamp
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { SecurityMode, SecuritySeverity } from '../../../domain/generated/output.js';
+/** Maximum number of recent events returned. */
+const RECENT_EVENTS_LIMIT = 20;
+/** Severity ordering for comparison (higher = more severe). */
+const SEVERITY_RANK = {
+    [SecuritySeverity.Low]: 0,
+    [SecuritySeverity.Medium]: 1,
+    [SecuritySeverity.High]: 2,
+    [SecuritySeverity.Critical]: 3,
+};
+let GetSecurityStateUseCase = class GetSecurityStateUseCase {
+    eventRepository;
+    settingsRepository;
+    constructor(eventRepository, settingsRepository) {
+        this.eventRepository = eventRepository;
+        this.settingsRepository = settingsRepository;
+    }
+    async execute(repositoryPath) {
+        const settings = await this.settingsRepository.load();
+        const securityConfig = settings?.security;
+        const recentEvents = await this.eventRepository.findByRepository(repositoryPath, {
+            limit: RECENT_EVENTS_LIMIT,
+        });
+        const highestSeverityFinding = this.findHighestSeverity(recentEvents);
+        return {
+            mode: securityConfig?.mode ?? SecurityMode.Advisory,
+            lastEvaluationAt: securityConfig?.lastEvaluationAt ?? null,
+            policySource: securityConfig?.policySource ?? null,
+            recentEvents,
+            highestSeverityFinding,
+        };
+    }
+    findHighestSeverity(events) {
+        if (events.length === 0) {
+            return null;
+        }
+        let highest = events[0];
+        for (const event of events) {
+            const eventRank = SEVERITY_RANK[event.severity] ?? 0;
+            const highestRank = SEVERITY_RANK[highest.severity] ?? 0;
+            if (eventRank > highestRank) {
+                highest = event;
+            }
+        }
+        return highest;
+    }
+};
+GetSecurityStateUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityEventRepository')),
+    __param(1, inject('ISettingsRepository')),
+    __metadata("design:paramtypes", [Object, Object])
+], GetSecurityStateUseCase);
+export { GetSecurityStateUseCase };

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Record Security Event Use Case
+ *
+ * Persists a security event and triggers 90-day retention cleanup.
+ * Used by runtime guardrails and enforcement flow to record findings.
+ */
+import type { SecurityEvent } from '../../../domain/generated/output.js';
+import type { ISecurityEventRepository } from '../../ports/output/repositories/security-event.repository.interface.js';
+export declare class RecordSecurityEventUseCase {
+    private readonly eventRepository;
+    constructor(eventRepository: ISecurityEventRepository);
+    execute(event: SecurityEvent): Promise<void>;
+}
+//# sourceMappingURL=record-security-event.use-case.d.ts.map

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"record-security-event.use-case.d.ts","sourceRoot":"","sources":["../../../../../../../packages/core/src/application/use-cases/security/record-security-event.use-case.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wEAAwE,CAAC;AAMvH,qBACa,0BAA0B;IAGnC,OAAO,CAAC,QAAQ,CAAC,eAAe;gBAAf,eAAe,EAAE,wBAAwB;IAGtD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAcnD"}

package/dist/packages/core/src/application/use-cases/security/record-security-event.use-case.js

@@ -0,0 +1,46 @@
+/**
+ * Record Security Event Use Case
+ *
+ * Persists a security event and triggers 90-day retention cleanup.
+ * Used by runtime guardrails and enforcement flow to record findings.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { injectable, inject } from 'tsyringe';
+import { randomUUID } from 'node:crypto';
+/** Retention window in days for security events. */
+const SECURITY_EVENT_RETENTION_DAYS = 90;
+let RecordSecurityEventUseCase = class RecordSecurityEventUseCase {
+    eventRepository;
+    constructor(eventRepository) {
+        this.eventRepository = eventRepository;
+    }
+    async execute(event) {
+        // Ensure the event has an ID
+        const eventToSave = {
+            ...event,
+            id: event.id || randomUUID(),
+        };
+        await this.eventRepository.save(eventToSave);
+        // Trigger 90-day retention cleanup
+        const cutoff = new Date();
+        cutoff.setDate(cutoff.getDate() - SECURITY_EVENT_RETENTION_DAYS);
+        await this.eventRepository.deleteOlderThan(cutoff);
+    }
+};
+RecordSecurityEventUseCase = __decorate([
+    injectable(),
+    __param(0, inject('ISecurityEventRepository')),
+    __metadata("design:paramtypes", [Object])
+], RecordSecurityEventUseCase);
+export { RecordSecurityEventUseCase };

package/dist/packages/core/src/domain/errors/security-violation.error.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Security Violation Error
+ *
+ * Thrown when a security policy constraint is violated during agent execution.
+ * Contains structured information about the violated rule, the action category,
+ * and actionable remediation guidance.
+ */
+import type { SecurityActionCategory } from '../generated/output.js';
+export declare class SecurityViolationError extends Error {
+    readonly rule: string;
+    readonly category: SecurityActionCategory;
+    readonly remediation: string;
+    constructor(rule: string, category: SecurityActionCategory, remediation: string);
+}
+//# sourceMappingURL=security-violation.error.d.ts.map

package/dist/packages/core/src/domain/errors/security-violation.error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-violation.error.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/errors/security-violation.error.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,qBAAa,sBAAuB,SAAQ,KAAK;aAE7B,IAAI,EAAE,MAAM;aACZ,QAAQ,EAAE,sBAAsB;aAChC,WAAW,EAAE,MAAM;gBAFnB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,sBAAsB,EAChC,WAAW,EAAE,MAAM;CAMtC"}

package/dist/packages/core/src/domain/errors/security-violation.error.js

@@ -0,0 +1,20 @@
+/**
+ * Security Violation Error
+ *
+ * Thrown when a security policy constraint is violated during agent execution.
+ * Contains structured information about the violated rule, the action category,
+ * and actionable remediation guidance.
+ */
+export class SecurityViolationError extends Error {
+    rule;
+    category;
+    remediation;
+    constructor(rule, category, remediation) {
+        super(`Security policy violation: ${rule}`);
+        this.rule = rule;
+        this.category = category;
+        this.remediation = remediation;
+        this.name = 'SecurityViolationError';
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}

package/dist/packages/core/src/domain/factories/settings-defaults.factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"settings-defaults.factory.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/factories/settings-defaults.factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,QAAQ,EAWT,MAAM,qBAAqB,CAAC;AAmD7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,IAAI,QAAQ,CA8IhD"}
+{"version":3,"file":"settings-defaults.factory.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/domain/factories/settings-defaults.factory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,QAAQ,EAYT,MAAM,qBAAqB,CAAC;AAoD7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,IAAI,QAAQ,CAoJhD"}

package/dist/packages/core/src/domain/factories/settings-defaults.factory.js

@@ -11,7 +11,7 @@
  * - Auto-update enabled, log level set to info
  * - Unique IDs and timestamps generated for each instance
  */
-import { AgentType, AgentAuthMethod, EditorType, SkillSourceType, TerminalType, } from '../generated/output.js';
+import { AgentType, AgentAuthMethod, EditorType, SkillSourceType, SecurityMode, TerminalType, } from '../generated/output.js';
 /**
  * Default AI model for all SDLC agents.
  * Provides balanced performance and cost for all workflow stages.
@@ -184,6 +184,10 @@ export function createDefaultSettings() {
         gitRebaseSync: false,
         reactFileManager: false,
         inventory: false,
+        supplyChainSecurity: true,
+    };
+    const security = {
+        mode: SecurityMode.Advisory,
     };
     return {
         id: globalThis.crypto.randomUUID(),
@@ -195,6 +199,7 @@ export function createDefaultSettings() {
         notifications,
         workflow,
         featureFlags,
+        security,
         onboardingComplete: false,
         createdAt: now,
         updatedAt: now,

package/dist/packages/core/src/domain/generated/output.d.ts

@@ -632,6 +632,10 @@ export type FeatureFlags = {
      * Enable the Inventory page showing all repositories and features
      */
     inventory: boolean;
+    /**
+     * Enable the supply chain security feature (policy engine, badges, settings, CLI, CI gate). When false, the feature is inert regardless of SecurityMode.
+     */
+    supplyChainSecurity: boolean;
 };
 /**
  * Interactive agent chat tab configuration
@@ -659,6 +663,28 @@ export type FabLayoutConfig = {
      */
     swapPosition: boolean;
 };
+export declare enum SecurityMode {
+    Disabled = "Disabled",
+    Advisory = "Advisory",
+    Enforce = "Enforce"
+}
+/**
+ * Supply-chain security configuration persisted in settings
+ */
+export type SecurityConfig = {
+    /**
+     * Effective security mode (default: Advisory)
+     */
+    mode: SecurityMode;
+    /**
+     * ISO timestamp of last policy evaluation (null if never evaluated)
+     */
+    lastEvaluationAt?: string;
+    /**
+     * Source of the active security policy (null if never evaluated)
+     */
+    policySource?: string;
+};
 /**
  * Global Shep platform settings (singleton)
  */
@@ -707,6 +733,10 @@ export type Settings = BaseEntity & {
      * FAB layout configuration (optional, defaults applied at runtime)
      */
     fabLayout?: FabLayoutConfig;
+    /**
+     * Supply-chain security configuration (optional, defaults applied at runtime)
+     */
+    security?: SecurityConfig;
 };
 export declare enum TaskState {
     Todo = "Todo",
@@ -1678,6 +1708,239 @@ export type Repository = SoftDeletableEntity & {
      */
     upstreamUrl?: string;
 };
+export declare enum SecurityActionCategory {
+    DependencyInstall = "DependencyInstall",
+    PackageScriptExec = "PackageScriptExec",
+    CiWorkflowModify = "CiWorkflowModify",
+    PublishRelease = "PublishRelease",
+    SandboxEscalation = "SandboxEscalation"
+}
+export declare enum SecurityActionDisposition {
+    Allowed = "Allowed",
+    Denied = "Denied",
+    ApprovalRequired = "ApprovalRequired"
+}
+/**
+ * Mapping of an action category to its enforcement disposition
+ */
+export type ActionDispositionEntry = {
+    /**
+     * The action category
+     */
+    category: SecurityActionCategory;
+    /**
+     * How this action should be handled
+     */
+    disposition: SecurityActionDisposition;
+};
+/**
+ * Dependency risk evaluation policy rules
+ */
+export type DependencyRules = {
+    /**
+     * Check manifest-lockfile consistency (default: true)
+     */
+    checkLockfileConsistency: boolean;
+    /**
+     * Flag packages with lifecycle scripts (default: true)
+     */
+    checkLifecycleScripts: boolean;
+    /**
+     * Flag non-registry dependency sources (default: true)
+     */
+    checkNonRegistrySource: boolean;
+    /**
+     * Enforce strict version ranges — no ^ or * (default: false)
+     */
+    enforceStrictVersionRanges: boolean;
+    /**
+     * Packages explicitly allowed (empty = allow all)
+     */
+    allowlist: string[];
+    /**
+     * Packages explicitly denied
+     */
+    denylist: string[];
+};
+/**
+ * Release integrity policy rules
+ */
+export type ReleaseRules = {
+    /**
+     * Require publishing from CI only, not local (default: true)
+     */
+    requireCiOnlyPublishing: boolean;
+    /**
+     * Require npm provenance flags on publish (default: true)
+     */
+    requireProvenance: boolean;
+    /**
+     * Check that release workflow has not been tampered with (default: true)
+     */
+    checkWorkflowIntegrity: boolean;
+};
+/**
+ * Security policy configuration from shep.security.yaml
+ */
+export type SecurityPolicy = {
+    /**
+     * Desired security mode for this repository
+     */
+    mode: SecurityMode;
+    /**
+     * Per-action-category enforcement dispositions
+     */
+    actionDispositions: ActionDispositionEntry[];
+    /**
+     * Dependency risk evaluation rules
+     */
+    dependencyRules: DependencyRules;
+    /**
+     * Release integrity check rules
+     */
+    releaseRules: ReleaseRules;
+};
+export declare enum SecuritySeverity {
+    Low = "Low",
+    Medium = "Medium",
+    High = "High",
+    Critical = "Critical"
+}
+/**
+ * Persisted security event for audit and observability
+ */
+export type SecurityEvent = BaseEntity & {
+    /**
+     * Absolute path to the repository this event belongs to
+     */
+    repositoryPath: string;
+    /**
+     * Feature ID if this event occurred during a feature run
+     */
+    featureId?: string;
+    /**
+     * Severity of this security event
+     */
+    severity: SecuritySeverity;
+    /**
+     * Action category that triggered this event
+     */
+    category: SecurityActionCategory;
+    /**
+     * How the action was handled (allowed, denied, approval-required)
+     */
+    disposition: SecurityActionDisposition;
+    /**
+     * Actor or source that triggered this event (agent, user, CI)
+     */
+    actor?: string;
+    /**
+     * Human-readable event description
+     */
+    message?: string;
+    /**
+     * Actionable remediation guidance
+     */
+    remediationSummary?: string;
+};
+export declare enum DependencyRiskType {
+    LockfileInconsistency = "LockfileInconsistency",
+    NonRegistrySource = "NonRegistrySource",
+    LifecycleScript = "LifecycleScript",
+    DenylistViolation = "DenylistViolation",
+    AllowlistViolation = "AllowlistViolation",
+    VersionRangePolicy = "VersionRangePolicy"
+}
+/**
+ * Single dependency risk finding
+ */
+export type DependencyFinding = {
+    /**
+     * Package name (e.g. 'lodash', '@types/node')
+     */
+    packageName: string;
+    /**
+     * Package version or range (e.g. '^4.17.0')
+     */
+    version?: string;
+    /**
+     * Severity of this finding
+     */
+    severity: SecuritySeverity;
+    /**
+     * Type of dependency risk detected
+     */
+    riskType: DependencyRiskType;
+    /**
+     * Human-readable description of the finding
+     */
+    message: string;
+    /**
+     * Actionable remediation guidance
+     */
+    remediation?: string;
+};
+export declare enum ReleaseIntegrityCheckType {
+    CiOnlyPublishing = "CiOnlyPublishing",
+    SecretConfiguration = "SecretConfiguration",
+    ProvenanceConfiguration = "ProvenanceConfiguration",
+    WorkflowIntegrity = "WorkflowIntegrity"
+}
+/**
+ * Result of a single release integrity check
+ */
+export type ReleaseIntegrityCheck = {
+    /**
+     * Type of check performed
+     */
+    checkType: ReleaseIntegrityCheckType;
+    /**
+     * Whether this check passed
+     */
+    passed: boolean;
+    /**
+     * Human-readable description of the result
+     */
+    message: string;
+    /**
+     * Severity when this check fails
+     */
+    severity: SecuritySeverity;
+};
+/**
+ * Aggregated release integrity evaluation result
+ */
+export type ReleaseIntegrityResult = {
+    /**
+     * Individual check results
+     */
+    checks: ReleaseIntegrityCheck[];
+    /**
+     * Whether all checks passed
+     */
+    passed: boolean;
+};
+/**
+ * Computed effective security policy snapshot
+ */
+export type EffectivePolicySnapshot = {
+    /**
+     * Resolved effective security mode
+     */
+    mode: SecurityMode;
+    /**
+     * Where the policy was sourced from (e.g. 'shep.security.yaml', 'settings-default')
+     */
+    source: string;
+    /**
+     * ISO timestamp when this snapshot was computed
+     */
+    evaluatedAt: string;
+    /**
+     * Resolved per-action-category enforcement dispositions
+     */
+    actionDispositions: ActionDispositionEntry[];
+};
 /**
  * Single installation suggestion for a tool
  */