@shepai/cli 1.175.0 → 1.175.1-pr527.ea242b8

package/dist/packages/core/src/infrastructure/persistence/sqlite/migrations/056-add-feature-flag-supply-chain-security.js

@@ -0,0 +1,22 @@
+/**
+ * Migration 056: Add feature_flag_supply_chain_security column to settings table.
+ *
+ * Adds a boolean (INTEGER 0/1) master kill switch for the supply chain security
+ * feature. Defaults to 1 (enabled) to preserve behavior for users who already
+ * have the feature running in Advisory mode.
+ *
+ * When this flag is 0, the entire feature goes inert: no badge on the canvas,
+ * no Settings section, no agent pre-check, no CLI enforce, no CI gate —
+ * regardless of the SecurityMode value in the security config.
+ */
+export async function up({ context: db }) {
+    const columns = db.pragma('table_info(settings)');
+    const existing = new Set(columns.map((c) => c.name));
+    if (!existing.has('feature_flag_supply_chain_security')) {
+        db.exec('ALTER TABLE settings ADD COLUMN feature_flag_supply_chain_security INTEGER NOT NULL DEFAULT 1');
+    }
+}
+export async function down({ context: db }) {
+    // SQLite does not support DROP COLUMN before 3.35.0; column remains but is unused after rollback.
+    void db;
+}

package/dist/packages/core/src/infrastructure/repositories/sqlite-security-event.repository.d.ts

@@ -0,0 +1,24 @@
+/**
+ * SQLite Security Event Repository Implementation
+ *
+ * Implements ISecurityEventRepository using SQLite database.
+ * Uses prepared statements to prevent SQL injection.
+ * Supports 90-day retention cleanup.
+ */
+import type Database from 'better-sqlite3';
+import type { ISecurityEventRepository, SecurityEventQueryOptions } from '../../application/ports/output/repositories/security-event.repository.interface.js';
+import type { SecurityEvent } from '../../domain/generated/output.js';
+/**
+ * SQLite implementation of ISecurityEventRepository.
+ * Manages SecurityEvent persistence with repository-scoped queries.
+ */
+export declare class SQLiteSecurityEventRepository implements ISecurityEventRepository {
+    private readonly db;
+    constructor(db: Database.Database);
+    save(event: SecurityEvent): Promise<void>;
+    findByRepository(repositoryPath: string, options?: SecurityEventQueryOptions): Promise<SecurityEvent[]>;
+    findByFeature(featureId: string, options?: SecurityEventQueryOptions): Promise<SecurityEvent[]>;
+    deleteOlderThan(date: Date): Promise<number>;
+    count(repositoryPath: string): Promise<number>;
+}
+//# sourceMappingURL=sqlite-security-event.repository.d.ts.map

package/dist/packages/core/src/infrastructure/repositories/sqlite-security-event.repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite-security-event.repository.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/infrastructure/repositories/sqlite-security-event.repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EACV,wBAAwB,EACxB,yBAAyB,EAC1B,MAAM,oFAAoF,CAAC;AAC5F,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAOtE;;;GAGG;AACH,qBACa,6BAA8B,YAAW,wBAAwB;IAChE,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAE5C,IAAI,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAgBzC,gBAAgB,CACpB,cAAc,EAAE,MAAM,EACtB,OAAO,CAAC,EAAE,yBAAyB,GAClC,OAAO,CAAC,aAAa,EAAE,CAAC;IA2BrB,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,yBAAyB,GAClC,OAAO,CAAC,aAAa,EAAE,CAAC;IA2BrB,eAAe,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAM5C,KAAK,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAOrD"}

package/dist/packages/core/src/infrastructure/repositories/sqlite-security-event.repository.js

@@ -0,0 +1,96 @@
+/**
+ * SQLite Security Event Repository Implementation
+ *
+ * Implements ISecurityEventRepository using SQLite database.
+ * Uses prepared statements to prevent SQL injection.
+ * Supports 90-day retention cleanup.
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { injectable } from 'tsyringe';
+import { toDatabase, fromDatabase, } from '../persistence/sqlite/mappers/security-event.mapper.js';
+/**
+ * SQLite implementation of ISecurityEventRepository.
+ * Manages SecurityEvent persistence with repository-scoped queries.
+ */
+let SQLiteSecurityEventRepository = class SQLiteSecurityEventRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async save(event) {
+        const row = toDatabase(event);
+        const stmt = this.db.prepare(`
+      INSERT INTO security_events (
+        id, repository_path, feature_id, severity, category,
+        disposition, actor, message, remediation_summary, created_at
+      ) VALUES (
+        @id, @repository_path, @feature_id, @severity, @category,
+        @disposition, @actor, @message, @remediation_summary, @created_at
+      )
+    `);
+        stmt.run(row);
+    }
+    async findByRepository(repositoryPath, options) {
+        let sql = 'SELECT * FROM security_events WHERE repository_path = ?';
+        const params = [repositoryPath];
+        if (options?.severity) {
+            sql += ' AND severity = ?';
+            params.push(options.severity);
+        }
+        sql += ' ORDER BY created_at DESC';
+        if (options?.limit) {
+            sql += ' LIMIT ?';
+            params.push(options.limit);
+        }
+        if (options?.offset) {
+            sql += ' OFFSET ?';
+            params.push(options.offset);
+        }
+        const stmt = this.db.prepare(sql);
+        const rows = stmt.all(...params);
+        return rows.map(fromDatabase);
+    }
+    async findByFeature(featureId, options) {
+        let sql = 'SELECT * FROM security_events WHERE feature_id = ?';
+        const params = [featureId];
+        if (options?.severity) {
+            sql += ' AND severity = ?';
+            params.push(options.severity);
+        }
+        sql += ' ORDER BY created_at DESC';
+        if (options?.limit) {
+            sql += ' LIMIT ?';
+            params.push(options.limit);
+        }
+        if (options?.offset) {
+            sql += ' OFFSET ?';
+            params.push(options.offset);
+        }
+        const stmt = this.db.prepare(sql);
+        const rows = stmt.all(...params);
+        return rows.map(fromDatabase);
+    }
+    async deleteOlderThan(date) {
+        const stmt = this.db.prepare('DELETE FROM security_events WHERE created_at < ?');
+        const result = stmt.run(date.toISOString());
+        return result.changes;
+    }
+    async count(repositoryPath) {
+        const stmt = this.db.prepare('SELECT COUNT(*) as cnt FROM security_events WHERE repository_path = ?');
+        const row = stmt.get(repositoryPath);
+        return row.cnt;
+    }
+};
+SQLiteSecurityEventRepository = __decorate([
+    injectable(),
+    __metadata("design:paramtypes", [Object])
+], SQLiteSecurityEventRepository);
+export { SQLiteSecurityEventRepository };

package/dist/packages/core/src/infrastructure/repositories/sqlite-settings.repository.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sqlite-settings.repository.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/infrastructure/repositories/sqlite-settings.repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8EAA8E,CAAC;AACxH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kCAAkC,CAAC;AAOjE;;;GAGG;AACH,qBACa,wBAAyB,YAAW,mBAAmB;IACtD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAElD;;;;;;OAMG;IACG,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAmFnD;;;;OAIG;IACG,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAgBtC;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CA2FhD"}
+{"version":3,"file":"sqlite-settings.repository.d.ts","sourceRoot":"","sources":["../../../../../../packages/core/src/infrastructure/repositories/sqlite-settings.repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8EAA8E,CAAC;AACxH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kCAAkC,CAAC;AAOjE;;;GAGG;AACH,qBACa,wBAAyB,YAAW,mBAAmB;IACtD,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAElD;;;;;;OAMG;IACG,UAAU,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;IAyFnD;;;;OAIG;IACG,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAgBtC;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC;CAiGhD"}

package/dist/packages/core/src/infrastructure/repositories/sqlite-settings.repository.js

@@ -67,13 +67,16 @@ let SQLiteSettingsRepository = class SQLiteSettingsRepository {
         feature_flag_skills, feature_flag_env_deploy, feature_flag_debug, feature_flag_github_import, feature_flag_adopt_branch, feature_flag_git_rebase_sync,
         feature_flag_react_file_manager,
         feature_flag_inventory,
+        feature_flag_supply_chain_security,
         workflow_enable_evidence, workflow_commit_evidence,
         hide_ci_status, default_fast_mode,
         interactive_agent_enabled, interactive_agent_auto_timeout_minutes,
         interactive_agent_max_concurrent_sessions,
         auto_archive_delay_minutes,
         stage_timeout_fast_implement_ms,
-        fab_position_swapped
+        fab_position_swapped,
+        skill_injection_enabled, skill_injection_skills,
+        security_mode, security_last_evaluation_at, security_policy_source
       ) VALUES (
         @id, @created_at, @updated_at,
         @model_analyze, @model_requirements, @model_plan, @model_implement, @model_default,
@@ -99,13 +102,16 @@ let SQLiteSettingsRepository = class SQLiteSettingsRepository {
         @feature_flag_skills, @feature_flag_env_deploy, @feature_flag_debug, @feature_flag_github_import, @feature_flag_adopt_branch, @feature_flag_git_rebase_sync,
         @feature_flag_react_file_manager,
         @feature_flag_inventory,
+        @feature_flag_supply_chain_security,
         @workflow_enable_evidence, @workflow_commit_evidence,
         @hide_ci_status, @default_fast_mode,
         @interactive_agent_enabled, @interactive_agent_auto_timeout_minutes,
         @interactive_agent_max_concurrent_sessions,
         @auto_archive_delay_minutes,
         @stage_timeout_fast_implement_ms,
-        @fab_position_swapped
+        @fab_position_swapped,
+        @skill_injection_enabled, @skill_injection_skills,
+        @security_mode, @security_last_evaluation_at, @security_policy_source
       )
     `);
         // Execute with named parameters (safe from SQL injection)
@@ -202,6 +208,7 @@ let SQLiteSettingsRepository = class SQLiteSettingsRepository {
         feature_flag_git_rebase_sync = @feature_flag_git_rebase_sync,
         feature_flag_react_file_manager = @feature_flag_react_file_manager,
         feature_flag_inventory = @feature_flag_inventory,
+        feature_flag_supply_chain_security = @feature_flag_supply_chain_security,
         workflow_enable_evidence = @workflow_enable_evidence,
         workflow_commit_evidence = @workflow_commit_evidence,
         hide_ci_status = @hide_ci_status,
@@ -211,7 +218,12 @@ let SQLiteSettingsRepository = class SQLiteSettingsRepository {
         interactive_agent_max_concurrent_sessions = @interactive_agent_max_concurrent_sessions,
         auto_archive_delay_minutes = @auto_archive_delay_minutes,
         stage_timeout_fast_implement_ms = @stage_timeout_fast_implement_ms,
-        fab_position_swapped = @fab_position_swapped
+        fab_position_swapped = @fab_position_swapped,
+        skill_injection_enabled = @skill_injection_enabled,
+        skill_injection_skills = @skill_injection_skills,
+        security_mode = @security_mode,
+        security_last_evaluation_at = @security_last_evaluation_at,
+        security_policy_source = @security_policy_source
       WHERE id = @id
     `);
         // Execute with named parameters (safe from SQL injection)

package/dist/packages/core/src/infrastructure/services/agents/common/executors/claude-code-executor.service.d.ts

@@ -23,6 +23,8 @@ export declare class ClaudeCodeExecutorService implements IAgentExecutor {
     constructor(spawn: SpawnFunction);
     /** Debug logging — writes to stdout so it appears in the worker log file */
     private log;
+    /** Executor capabilities for security constraint validation */
+    private static readonly CAPABILITIES;
     execute(prompt: string, options?: AgentExecutionOptions): Promise<AgentExecutionResult>;
     executeStream(prompt: string, options?: AgentExecutionOptions): AsyncIterable<AgentExecutionStreamEvent>;
     /**

package/dist/packages/core/src/infrastructure/services/agents/common/executors/claude-code-executor.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claude-code-executor.service.d.ts","sourceRoot":"","sources":["../../../../../../../../../packages/core/src/infrastructure/services/agents/common/executors/claude-code-executor.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,2CAA2C,CAAC;AACzF,OAAO,KAAK,EACV,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EAEpB,yBAAyB,EAC1B,MAAM,4EAA4E,CAAC;AACpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAajD;;;GAGG;AACH,qBAAa,yBAA0B,YAAW,cAAc;IAMlD,OAAO,CAAC,QAAQ,CAAC,KAAK;IALlC,QAAQ,CAAC,SAAS,EAAE,SAAS,CAA8B;IAE3D,4EAA4E;IAC5E,OAAO,CAAC,MAAM,CAAS;gBAEM,KAAK,EAAE,aAAa;IAEjD,4EAA4E;IAC5E,OAAO,CAAC,GAAG;IAML,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAoHtF,aAAa,CAClB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,qBAAqB,GAC9B,aAAa,CAAC,yBAAyB,CAAC;IAgG3C;;;OAGG;IACH,OAAO,CAAC,cAAc;IA0CtB,eAAe,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO;IAI/C,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,eAAe;IAUvB,OAAO,CAAC,iBAAiB;IAyBzB,OAAO,CAAC,eAAe;IA6BvB;;;OAGG;IACH,OAAO,CAAC,YAAY;IAqBpB,OAAO,CAAC,eAAe;CAkExB"}
+{"version":3,"file":"claude-code-executor.service.d.ts","sourceRoot":"","sources":["../../../../../../../../../packages/core/src/infrastructure/services/agents/common/executors/claude-code-executor.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,2CAA2C,CAAC;AACzF,OAAO,KAAK,EACV,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EAEpB,yBAAyB,EAC1B,MAAM,4EAA4E,CAAC;AACpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAiBjD;;;GAGG;AACH,qBAAa,yBAA0B,YAAW,cAAc;IAMlD,OAAO,CAAC,QAAQ,CAAC,KAAK;IALlC,QAAQ,CAAC,SAAS,EAAE,SAAS,CAA8B;IAE3D,4EAA4E;IAC5E,OAAO,CAAC,MAAM,CAAS;gBAEM,KAAK,EAAE,aAAa;IAEjD,4EAA4E;IAC5E,OAAO,CAAC,GAAG;IAMX,+DAA+D;IAC/D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAGlC;IAEI,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IA2HtF,aAAa,CAClB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,qBAAqB,GAC9B,aAAa,CAAC,yBAAyB,CAAC;IAsG3C;;;OAGG;IACH,OAAO,CAAC,cAAc;IA0CtB,eAAe,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO;IAI/C,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,eAAe;IAUvB,OAAO,CAAC,iBAAiB;IAyBzB,OAAO,CAAC,eAAe;IA6BvB;;;OAGG;IACH,OAAO,CAAC,YAAY;IAqBpB,OAAO,CAAC,eAAe;CAkExB"}

package/dist/packages/core/src/infrastructure/services/agents/common/executors/claude-code-executor.service.js

@@ -10,6 +10,7 @@
  */
 import { getCurrentPhase, getLogPrefix } from '../../feature-agent/log-context.js';
 import { IS_WINDOWS } from '../../../../platform.js';
+import { validateSecurityConstraints, } from './security-constraint-validator.js';
 /** Features supported by Claude Code CLI */
 const SUPPORTED_FEATURES = new Set([
     'session-resume',
@@ -37,8 +38,16 @@ export class ClaudeCodeExecutorService {
         const ts = new Date().toISOString();
         process.stdout.write(`[${ts}] ${getCurrentPhase()}${getLogPrefix()}${message}\n`);
     }
+    /** Executor capabilities for security constraint validation */
+    static CAPABILITIES = {
+        requiresPermissiveMode: true, // uses --dangerously-skip-permissions
+        executorName: 'claude-code',
+    };
     async execute(prompt, options) {
         this.silent = options?.silent ?? false;
+        const warning = validateSecurityConstraints(options?.securityConstraints, ClaudeCodeExecutorService.CAPABILITIES);
+        if (warning)
+            this.log(warning);
         // Use stream-json so we get real-time events in the worker log
         // instead of zero output for minutes with --output-format json
         const args = this.buildStreamArgs(prompt, options);
@@ -141,6 +150,9 @@ export class ClaudeCodeExecutorService {
         });
     }
     async *executeStream(prompt, options) {
+        const warning = validateSecurityConstraints(options?.securityConstraints, ClaudeCodeExecutorService.CAPABILITIES);
+        if (warning)
+            this.log(warning);
         const args = this.buildStreamArgs(prompt, options);
         const spawnOpts = this.buildSpawnOptions(options);
         const proc = this.spawn('claude', args, spawnOpts);

package/dist/packages/core/src/infrastructure/services/agents/common/executors/claude-code-interactive-executor.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claude-code-interactive-executor.service.d.ts","sourceRoot":"","sources":["../../../../../../../../../packages/core/src/infrastructure/services/agents/common/executors/claude-code-interactive-executor.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAOH,OAAO,KAAK,EACV,yBAAyB,EACzB,uBAAuB,EACvB,6BAA6B,EAI9B,MAAM,wFAAwF,CAAC;AAgBhG,qBAAa,6BAA8B,YAAW,yBAAyB;IACvE,aAAa,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,6BAA6B,CAAC;IAOvF,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,6BAA6B,CAAC;IAOzC;;;;;;OAMG;IACH,OAAO,CAAC,OAAO;IAmBf,OAAO,CAAC,eAAe;IAgDvB,OAAO,CAAC,WAAW;IAqCnB;;;;;;OAMG;YACY,SAAS;IA6BxB;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,aAAa;CA4PtB"}
+{"version":3,"file":"claude-code-interactive-executor.service.d.ts","sourceRoot":"","sources":["../../../../../../../../../packages/core/src/infrastructure/services/agents/common/executors/claude-code-interactive-executor.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAOH,OAAO,KAAK,EACV,yBAAyB,EACzB,uBAAuB,EACvB,6BAA6B,EAI9B,MAAM,wFAAwF,CAAC;AAsDhG,qBAAa,6BAA8B,YAAW,yBAAyB;IACvE,aAAa,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,6BAA6B,CAAC;IAOvF,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,6BAA6B,CAAC;IAOzC;;;;;;OAMG;IACH,OAAO,CAAC,OAAO;IAmBf,OAAO,CAAC,eAAe;IAmDvB,OAAO,CAAC,WAAW;IAqCnB;;;;;;OAMG;YACY,SAAS;IA6BxB;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,aAAa;CA4PtB"}

package/dist/packages/core/src/infrastructure/services/agents/common/executors/claude-code-interactive-executor.service.js

@@ -39,6 +39,43 @@
 import { unstable_v2_createSession, unstable_v2_resumeSession, } from '@anthropic-ai/claude-agent-sdk';
 /** Default model used when options.model is not specified. */
 const DEFAULT_MODEL = 'claude-sonnet-4-6';
+/**
+ * All standard Claude Code tool names to auto-allow without permission prompts.
+ *
+ * The V2 SDK API hardcodes `allowDangerouslySkipPermissions: false`, so
+ * `permissionMode: 'bypassPermissions'` does not work. Instead, V2 provides
+ * `allowedTools` to pre-approve tools at the CLI level — no callback needed.
+ *
+ * AskUserQuestion is intentionally excluded: it is intercepted by the
+ * `canUseTool` callback so the session service can pause the stream and
+ * collect user answers before resuming.
+ */
+const AUTO_ALLOWED_TOOLS = [
+    'Bash',
+    'Read',
+    'Write',
+    'Edit',
+    'Glob',
+    'Grep',
+    'LS',
+    'Agent',
+    'WebFetch',
+    'WebSearch',
+    'NotebookEdit',
+    'NotebookRead',
+    'TodoWrite',
+    'TaskCreate',
+    'TaskGet',
+    'TaskList',
+    'TaskUpdate',
+    'TaskOutput',
+    'TaskStop',
+    'EnterPlanMode',
+    'ExitPlanMode',
+    'SendMessage',
+    'KillShell',
+    'LSP',
+];
 /**
  * Process-level mutex for process.chdir().
  *
@@ -113,10 +150,13 @@ export class ClaudeCodeInteractiveExecutor {
             : undefined;
         return {
             model: options.model ?? DEFAULT_MODEL,
-            // When onUserQuestion is provided, use canUseTool to intercept AskUserQuestion
-            // while auto-allowing everything else (replaces bypassPermissions).
-            // When not provided, use bypassPermissions for backward compatibility.
-            ...(canUseTool ? { canUseTool } : { permissionMode: 'bypassPermissions' }),
+            // Auto-allow all standard tools at the CLI level. This replaces the V1
+            // bypassPermissions approach — V2 hardcodes allowDangerouslySkipPermissions
+            // to false, so bypassPermissions silently falls back to default mode.
+            allowedTools: AUTO_ALLOWED_TOOLS,
+            // When onUserQuestion is provided, use canUseTool to intercept
+            // AskUserQuestion while auto-allowing any unlisted tools as a fallback.
+            ...(canUseTool ? { canUseTool } : {}),
             env: cleanEnv,
             // Forward system prompt using preset+append pattern
             ...(options.systemPrompt && {

package/dist/packages/core/src/infrastructure/services/agents/common/executors/security-constraint-validator.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Security Constraint Validator
+ *
+ * Pure function that validates security constraints against executor capabilities.
+ * Reusable across all executor types. Throws SecurityViolationError in Enforce mode
+ * when constraints are incompatible. Logs warnings in Advisory mode.
+ */
+import type { SecurityConstraints } from '../../../../../application/ports/output/agents/agent-executor.interface.js';
+export interface ExecutorCapabilities {
+    /** Whether this executor requires --dangerously-skip-permissions or equivalent */
+    requiresPermissiveMode: boolean;
+    /** Human-readable executor name for error messages */
+    executorName: string;
+}
+/**
+ * Validate security constraints against executor capabilities.
+ *
+ * @returns A warning message if Advisory mode detects an issue, or undefined if clean.
+ * @throws SecurityViolationError in Enforce mode when constraints are incompatible.
+ */
+export declare function validateSecurityConstraints(constraints: SecurityConstraints | undefined, capabilities: ExecutorCapabilities): string | undefined;
+//# sourceMappingURL=security-constraint-validator.d.ts.map

package/dist/packages/core/src/infrastructure/services/agents/common/executors/security-constraint-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-constraint-validator.d.ts","sourceRoot":"","sources":["../../../../../../../../../packages/core/src/infrastructure/services/agents/common/executors/security-constraint-validator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,4EAA4E,CAAC;AAGtH,MAAM,WAAW,oBAAoB;IACnC,kFAAkF;IAClF,sBAAsB,EAAE,OAAO,CAAC;IAChC,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACzC,WAAW,EAAE,mBAAmB,GAAG,SAAS,EAC5C,YAAY,EAAE,oBAAoB,GACjC,MAAM,GAAG,SAAS,CAiBpB"}

package/dist/packages/core/src/infrastructure/services/agents/common/executors/security-constraint-validator.js

@@ -0,0 +1,30 @@
+/**
+ * Security Constraint Validator
+ *
+ * Pure function that validates security constraints against executor capabilities.
+ * Reusable across all executor types. Throws SecurityViolationError in Enforce mode
+ * when constraints are incompatible. Logs warnings in Advisory mode.
+ */
+import { SecurityMode, SecurityActionCategory } from '../../../../../domain/generated/output.js';
+import { SecurityViolationError } from '../../../../../domain/errors/security-violation.error.js';
+/**
+ * Validate security constraints against executor capabilities.
+ *
+ * @returns A warning message if Advisory mode detects an issue, or undefined if clean.
+ * @throws SecurityViolationError in Enforce mode when constraints are incompatible.
+ */
+export function validateSecurityConstraints(constraints, capabilities) {
+    if (!constraints)
+        return undefined;
+    if (constraints.mode === SecurityMode.Disabled)
+        return undefined;
+    if (constraints.sandboxLevel === 'strict' && capabilities.requiresPermissiveMode) {
+        const rule = `Executor "${capabilities.executorName}" requires permissive mode but policy demands strict sandbox`;
+        const remediation = 'Either switch to an executor that supports strict sandboxing, or relax the sandbox policy to permissive.';
+        if (constraints.mode === SecurityMode.Enforce) {
+            throw new SecurityViolationError(rule, SecurityActionCategory.SandboxEscalation, remediation);
+        }
+        return `[security:advisory] ${rule}. ${remediation}`;
+    }
+    return undefined;
+}

package/dist/packages/core/src/infrastructure/services/agents/feature-agent/fast-feature-agent-graph.d.ts

@@ -69,6 +69,8 @@ export declare function createFastFeatureAgentGraph(depsOrExecutor: FastFeatureA
     ciFixAttempts: number;
     ciFixHistory: import("../../../../domain/index.js").CiFixRecord[];
     ciFixStatus: "success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted";
+    securityMode: import("../../../../domain/index.js").SecurityMode;
+    securityActionDispositions: Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>;
 }, {
     featureId?: string | undefined;
     repositoryPath?: string | undefined;
@@ -102,6 +104,8 @@ export declare function createFastFeatureAgentGraph(depsOrExecutor: FastFeatureA
     ciFixAttempts?: number | undefined;
     ciFixHistory?: import("../../../../domain/index.js").CiFixRecord[] | undefined;
     ciFixStatus?: "success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted" | undefined;
+    securityMode?: import("../../../../domain/index.js").SecurityMode | undefined;
+    securityActionDispositions?: Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>> | undefined;
 }, "__start__" | "fast-implement", {
     featureId: {
         (): import("@langchain/langgraph").LastValue<string>;
@@ -155,6 +159,8 @@ export declare function createFastFeatureAgentGraph(depsOrExecutor: FastFeatureA
     ciFixAttempts: import("@langchain/langgraph").BinaryOperatorAggregate<number, number>;
     ciFixHistory: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").CiFixRecord[], import("../../../../domain/index.js").CiFixRecord[]>;
     ciFixStatus: import("@langchain/langgraph").BinaryOperatorAggregate<"success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted", "success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted">;
+    securityMode: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").SecurityMode, import("../../../../domain/index.js").SecurityMode>;
+    securityActionDispositions: import("@langchain/langgraph").BinaryOperatorAggregate<Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>, Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>>;
 }, {
     featureId: {
         (): import("@langchain/langgraph").LastValue<string>;
@@ -208,6 +214,8 @@ export declare function createFastFeatureAgentGraph(depsOrExecutor: FastFeatureA
     ciFixAttempts: import("@langchain/langgraph").BinaryOperatorAggregate<number, number>;
     ciFixHistory: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").CiFixRecord[], import("../../../../domain/index.js").CiFixRecord[]>;
     ciFixStatus: import("@langchain/langgraph").BinaryOperatorAggregate<"success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted", "success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted">;
+    securityMode: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").SecurityMode, import("../../../../domain/index.js").SecurityMode>;
+    securityActionDispositions: import("@langchain/langgraph").BinaryOperatorAggregate<Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>, Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>>;
 }, import("@langchain/langgraph").StateDefinition, {
     "fast-implement": Partial<import("@langchain/langgraph").StateType<{
         featureId: {
@@ -262,6 +270,8 @@ export declare function createFastFeatureAgentGraph(depsOrExecutor: FastFeatureA
         ciFixAttempts: import("@langchain/langgraph").BinaryOperatorAggregate<number, number>;
         ciFixHistory: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").CiFixRecord[], import("../../../../domain/index.js").CiFixRecord[]>;
         ciFixStatus: import("@langchain/langgraph").BinaryOperatorAggregate<"success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted", "success" | "timeout" | "idle" | "watching" | "fixing" | "exhausted">;
+        securityMode: import("@langchain/langgraph").BinaryOperatorAggregate<import("../../../../domain/index.js").SecurityMode, import("../../../../domain/index.js").SecurityMode>;
+        securityActionDispositions: import("@langchain/langgraph").BinaryOperatorAggregate<Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>, Partial<Record<import("../../../../domain/index.js").SecurityActionCategory, import("../../../../domain/index.js").SecurityActionDisposition>>>;
     }>>;
 }, unknown, unknown>;
 //# sourceMappingURL=fast-feature-agent-graph.d.ts.map

package/dist/packages/core/src/infrastructure/services/agents/feature-agent/fast-feature-agent-graph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fast-feature-agent-graph.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/infrastructure/services/agents/feature-agent/fast-feature-agent-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA0B,KAAK,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+DAA+D,CAAC;AAGpG,OAAO,EAAmB,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAGlF,OAAO,EAAE,sBAAsB,EAAE,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE5E;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,cAAc,CAAC;IACzB,aAAa,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;CACjD;AAkBD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,2BAA2B,CACzC,cAAc,EAAE,yBAAyB,GAAG,cAAc,EAC1D,YAAY,CAAC,EAAE,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA6BnC"}
+{"version":3,"file":"fast-feature-agent-graph.d.ts","sourceRoot":"","sources":["../../../../../../../../packages/core/src/infrastructure/services/agents/feature-agent/fast-feature-agent-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAA0B,KAAK,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,+DAA+D,CAAC;AAGpG,OAAO,EAAmB,KAAK,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAGlF,OAAO,EAAE,sBAAsB,EAAE,KAAK,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE5E;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,cAAc,CAAC;IACzB,aAAa,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;CACjD;AAkBD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,2BAA2B,CACzC,cAAc,EAAE,yBAAyB,GAAG,cAAc,EAC1D,YAAY,CAAC,EAAE,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA6BnC"}