npm - @shrkcrft/inspector - Versions diffs - 0.1.0-alpha.1 - Mend

@shrkcrft/inspector 0.1.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (708) hide show

package/LICENSE +21 -0
package/README.md +15 -0
package/dist/acceptance-replay.d.ts +63 -0
package/dist/acceptance-replay.d.ts.map +1 -0
package/dist/acceptance-replay.js +240 -0
package/dist/action-hint-diagnostics.d.ts +32 -0
package/dist/action-hint-diagnostics.d.ts.map +1 -0
package/dist/action-hint-diagnostics.js +133 -0
package/dist/adoption-check.d.ts +28 -0
package/dist/adoption-check.d.ts.map +1 -0
package/dist/adoption-check.js +181 -0
package/dist/adoption-checkpoint.d.ts +97 -0
package/dist/adoption-checkpoint.d.ts.map +1 -0
package/dist/adoption-checkpoint.js +209 -0
package/dist/adoption-merge-preview.d.ts +28 -0
package/dist/adoption-merge-preview.d.ts.map +1 -0
package/dist/adoption-merge-preview.js +254 -0
package/dist/adoption-report-renderer.d.ts +33 -0
package/dist/adoption-report-renderer.d.ts.map +1 -0
package/dist/adoption-report-renderer.js +257 -0
package/dist/adoption-state.d.ts +100 -0
package/dist/adoption-state.d.ts.map +1 -0
package/dist/adoption-state.js +296 -0
package/dist/adoption-three-way.d.ts +46 -0
package/dist/adoption-three-way.d.ts.map +1 -0
package/dist/adoption-three-way.js +181 -0
package/dist/agent-brief.d.ts +77 -0
package/dist/agent-brief.d.ts.map +1 -0
package/dist/agent-brief.js +490 -0
package/dist/agent-contract-gate.d.ts +108 -0
package/dist/agent-contract-gate.d.ts.map +1 -0
package/dist/agent-contract-gate.js +412 -0
package/dist/agent-contract-templates.d.ts +63 -0
package/dist/agent-contract-templates.d.ts.map +1 -0
package/dist/agent-contract-templates.js +346 -0
package/dist/agent-contract.d.ts +65 -0
package/dist/agent-contract.d.ts.map +1 -0
package/dist/agent-contract.js +555 -0
package/dist/agent-handoff.d.ts +123 -0
package/dist/agent-handoff.d.ts.map +1 -0
package/dist/agent-handoff.js +470 -0
package/dist/agent-instructions.d.ts +2 -0
package/dist/agent-instructions.d.ts.map +1 -0
package/dist/agent-instructions.js +21 -0
package/dist/agent-orchestration.d.ts +61 -0
package/dist/agent-orchestration.d.ts.map +1 -0
package/dist/agent-orchestration.js +285 -0
package/dist/agent-task-prep.d.ts +31 -0
package/dist/agent-task-prep.d.ts.map +1 -0
package/dist/agent-task-prep.js +73 -0
package/dist/ai-readiness.d.ts +30 -0
package/dist/ai-readiness.d.ts.map +1 -0
package/dist/ai-readiness.js +279 -0
package/dist/api-report.d.ts +51 -0
package/dist/api-report.d.ts.map +1 -0
package/dist/api-report.js +254 -0
package/dist/apply-dispatch-trace.d.ts +93 -0
package/dist/apply-dispatch-trace.d.ts.map +1 -0
package/dist/apply-dispatch-trace.js +283 -0
package/dist/apply-gate-result.d.ts +52 -0
package/dist/apply-gate-result.d.ts.map +1 -0
package/dist/apply-gate-result.js +44 -0
package/dist/architecture-map.d.ts +118 -0
package/dist/architecture-map.d.ts.map +1 -0
package/dist/architecture-map.js +543 -0
package/dist/area-explore.d.ts +75 -0
package/dist/area-explore.d.ts.map +1 -0
package/dist/area-explore.js +438 -0
package/dist/area-map.d.ts +57 -0
package/dist/area-map.d.ts.map +1 -0
package/dist/area-map.js +214 -0
package/dist/asset-provenance.d.ts +123 -0
package/dist/asset-provenance.d.ts.map +1 -0
package/dist/asset-provenance.js +209 -0
package/dist/barrel-operations.d.ts +45 -0
package/dist/barrel-operations.d.ts.map +1 -0
package/dist/barrel-operations.js +159 -0
package/dist/boundaries-changed-only.d.ts +62 -0
package/dist/boundaries-changed-only.d.ts.map +1 -0
package/dist/boundaries-changed-only.js +97 -0
package/dist/boundary-suggestions.d.ts +20 -0
package/dist/boundary-suggestions.d.ts.map +1 -0
package/dist/boundary-suggestions.js +51 -0
package/dist/bundle-diff.d.ts +98 -0
package/dist/bundle-diff.d.ts.map +1 -0
package/dist/bundle-diff.js +531 -0
package/dist/bundle-replay.d.ts +68 -0
package/dist/bundle-replay.d.ts.map +1 -0
package/dist/bundle-replay.js +273 -0
package/dist/bundle-validate-html.d.ts +11 -0
package/dist/bundle-validate-html.d.ts.map +1 -0
package/dist/bundle-validate-html.js +60 -0
package/dist/change-intent.d.ts +36 -0
package/dist/change-intent.d.ts.map +1 -0
package/dist/change-intent.js +259 -0
package/dist/changed-preflight.d.ts +59 -0
package/dist/changed-preflight.d.ts.map +1 -0
package/dist/changed-preflight.js +358 -0
package/dist/changed-scope.d.ts +112 -0
package/dist/changed-scope.d.ts.map +1 -0
package/dist/changed-scope.js +172 -0
package/dist/changes-summary.d.ts +87 -0
package/dist/changes-summary.d.ts.map +1 -0
package/dist/changes-summary.js +323 -0
package/dist/check-result-v1.d.ts +90 -0
package/dist/check-result-v1.d.ts.map +1 -0
package/dist/check-result-v1.js +335 -0
package/dist/ci-integrity-report.d.ts +38 -0
package/dist/ci-integrity-report.d.ts.map +1 -0
package/dist/ci-integrity-report.js +324 -0
package/dist/ci-permissions-fix.d.ts +38 -0
package/dist/ci-permissions-fix.d.ts.map +1 -0
package/dist/ci-permissions-fix.js +382 -0
package/dist/ci-permissions.d.ts +51 -0
package/dist/ci-permissions.d.ts.map +1 -0
package/dist/ci-permissions.js +431 -0
package/dist/ci-predict.d.ts +42 -0
package/dist/ci-predict.d.ts.map +1 -0
package/dist/ci-predict.js +300 -0
package/dist/ci-scaffold.d.ts +47 -0
package/dist/ci-scaffold.d.ts.map +1 -0
package/dist/ci-scaffold.js +638 -0
package/dist/codemod-assist.d.ts +97 -0
package/dist/codemod-assist.d.ts.map +1 -0
package/dist/codemod-assist.js +261 -0
package/dist/command-recommender.d.ts +25 -0
package/dist/command-recommender.d.ts.map +1 -0
package/dist/command-recommender.js +145 -0
package/dist/command-suggester.d.ts +61 -0
package/dist/command-suggester.d.ts.map +1 -0
package/dist/command-suggester.js +159 -0
package/dist/command-taxonomy.d.ts +38 -0
package/dist/command-taxonomy.d.ts.map +1 -0
package/dist/command-taxonomy.js +164 -0
package/dist/compliance-evidence.d.ts +58 -0
package/dist/compliance-evidence.d.ts.map +1 -0
package/dist/compliance-evidence.js +260 -0
package/dist/compliance-profiles.d.ts +42 -0
package/dist/compliance-profiles.d.ts.map +1 -0
package/dist/compliance-profiles.js +171 -0
package/dist/construct-adoption-diff.d.ts +55 -0
package/dist/construct-adoption-diff.d.ts.map +1 -0
package/dist/construct-adoption-diff.js +331 -0
package/dist/construct-adoption.d.ts +71 -0
package/dist/construct-adoption.d.ts.map +1 -0
package/dist/construct-adoption.js +331 -0
package/dist/construct-inference.d.ts +44 -0
package/dist/construct-inference.d.ts.map +1 -0
package/dist/construct-inference.js +391 -0
package/dist/construct-registry.d.ts +32 -0
package/dist/construct-registry.d.ts.map +1 -0
package/dist/construct-registry.js +198 -0
package/dist/contract-file-rule.d.ts +37 -0
package/dist/contract-file-rule.d.ts.map +1 -0
package/dist/contract-file-rule.js +99 -0
package/dist/contract-template-registry.d.ts +28 -0
package/dist/contract-template-registry.d.ts.map +1 -0
package/dist/contract-template-registry.js +161 -0
package/dist/contradictions.d.ts +52 -0
package/dist/contradictions.d.ts.map +1 -0
package/dist/contradictions.js +391 -0
package/dist/convention-registry.d.ts +44 -0
package/dist/convention-registry.d.ts.map +1 -0
package/dist/convention-registry.js +195 -0
package/dist/coverage-report.d.ts +25 -0
package/dist/coverage-report.d.ts.map +1 -0
package/dist/coverage-report.js +190 -0
package/dist/custom-checks.d.ts +146 -0
package/dist/custom-checks.d.ts.map +1 -0
package/dist/custom-checks.js +260 -0
package/dist/dashboard/dashboard-data.d.ts +59 -0
package/dist/dashboard/dashboard-data.d.ts.map +1 -0
package/dist/dashboard/dashboard-data.js +653 -0
package/dist/dashboard-export.d.ts +67 -0
package/dist/dashboard-export.d.ts.map +1 -0
package/dist/dashboard-export.js +203 -0
package/dist/decision-records.d.ts +47 -0
package/dist/decision-records.d.ts.map +1 -0
package/dist/decision-records.js +255 -0
package/dist/demo-package.d.ts +49 -0
package/dist/demo-package.d.ts.map +1 -0
package/dist/demo-package.js +305 -0
package/dist/demo-script.d.ts +25 -0
package/dist/demo-script.d.ts.map +1 -0
package/dist/demo-script.js +198 -0
package/dist/demo-workflow.d.ts +28 -0
package/dist/demo-workflow.d.ts.map +1 -0
package/dist/demo-workflow.js +178 -0
package/dist/dev-cycle.d.ts +41 -0
package/dist/dev-cycle.d.ts.map +1 -0
package/dist/dev-cycle.js +94 -0
package/dist/dev-session-html.d.ts +13 -0
package/dist/dev-session-html.d.ts.map +1 -0
package/dist/dev-session-html.js +223 -0
package/dist/dev-session-report.d.ts +11 -0
package/dist/dev-session-report.d.ts.map +1 -0
package/dist/dev-session-report.js +206 -0
package/dist/dev-session.d.ts +257 -0
package/dist/dev-session.d.ts.map +1 -0
package/dist/dev-session.js +568 -0
package/dist/diagnostics-suggest.d.ts +17 -0
package/dist/diagnostics-suggest.d.ts.map +1 -0
package/dist/diagnostics-suggest.js +69 -0
package/dist/docs-check.d.ts +40 -0
package/dist/docs-check.d.ts.map +1 -0
package/dist/docs-check.js +221 -0
package/dist/doctor-acknowledgements.d.ts +69 -0
package/dist/doctor-acknowledgements.d.ts.map +1 -0
package/dist/doctor-acknowledgements.js +150 -0
package/dist/doctor-result.d.ts +51 -0
package/dist/doctor-result.d.ts.map +1 -0
package/dist/doctor-result.js +7 -0
package/dist/doctor-suppressions.d.ts +91 -0
package/dist/doctor-suppressions.d.ts.map +1 -0
package/dist/doctor-suppressions.js +238 -0
package/dist/drift-baseline.d.ts +29 -0
package/dist/drift-baseline.d.ts.map +1 -0
package/dist/drift-baseline.js +80 -0
package/dist/drift.d.ts +38 -0
package/dist/drift.d.ts.map +1 -0
package/dist/drift.js +107 -0
package/dist/entrypoint-matrix.d.ts +61 -0
package/dist/entrypoint-matrix.d.ts.map +1 -0
package/dist/entrypoint-matrix.js +221 -0
package/dist/examples-check.d.ts +36 -0
package/dist/examples-check.d.ts.map +1 -0
package/dist/examples-check.js +168 -0
package/dist/execution-graph.d.ts +98 -0
package/dist/execution-graph.d.ts.map +1 -0
package/dist/execution-graph.js +484 -0
package/dist/export-bundle.d.ts +10 -0
package/dist/export-bundle.d.ts.map +1 -0
package/dist/export-bundle.js +90 -0
package/dist/failure-diagnostics.d.ts +63 -0
package/dist/failure-diagnostics.d.ts.map +1 -0
package/dist/failure-diagnostics.js +243 -0
package/dist/feature-bundle.d.ts +111 -0
package/dist/feature-bundle.d.ts.map +1 -0
package/dist/feature-bundle.js +211 -0
package/dist/feedback-actions-v2.d.ts +65 -0
package/dist/feedback-actions-v2.d.ts.map +1 -0
package/dist/feedback-actions-v2.js +183 -0
package/dist/feedback-ingestion.d.ts +96 -0
package/dist/feedback-ingestion.d.ts.map +1 -0
package/dist/feedback-ingestion.js +400 -0
package/dist/fix-preview.d.ts +82 -0
package/dist/fix-preview.d.ts.map +1 -0
package/dist/fix-preview.js +365 -0
package/dist/fuzzy-impact.d.ts +50 -0
package/dist/fuzzy-impact.d.ts.map +1 -0
package/dist/fuzzy-impact.js +446 -0
package/dist/generated-code.d.ts +97 -0
package/dist/generated-code.d.ts.map +1 -0
package/dist/generated-code.js +395 -0
package/dist/git-helpers.d.ts +38 -0
package/dist/git-helpers.d.ts.map +1 -0
package/dist/git-helpers.js +173 -0
package/dist/golden-output.d.ts +33 -0
package/dist/golden-output.d.ts.map +1 -0
package/dist/golden-output.js +92 -0
package/dist/grounding/build-grounding.d.ts +53 -0
package/dist/grounding/build-grounding.d.ts.map +1 -0
package/dist/grounding/build-grounding.js +51 -0
package/dist/grounding/nx-projects.d.ts +29 -0
package/dist/grounding/nx-projects.d.ts.map +1 -0
package/dist/grounding/nx-projects.js +109 -0
package/dist/grounding/validate-extracted-plan.d.ts +20 -0
package/dist/grounding/validate-extracted-plan.d.ts.map +1 -0
package/dist/grounding/validate-extracted-plan.js +127 -0
package/dist/healing-plan.d.ts +33 -0
package/dist/healing-plan.d.ts.map +1 -0
package/dist/healing-plan.js +346 -0
package/dist/helper-registry.d.ts +90 -0
package/dist/helper-registry.d.ts.map +1 -0
package/dist/helper-registry.js +529 -0
package/dist/impact-analysis.d.ts +150 -0
package/dist/impact-analysis.d.ts.map +1 -0
package/dist/impact-analysis.js +697 -0
package/dist/impact-graph-render.d.ts +51 -0
package/dist/impact-graph-render.d.ts.map +1 -0
package/dist/impact-graph-render.js +139 -0
package/dist/impact-graph.d.ts +17 -0
package/dist/impact-graph.d.ts.map +1 -0
package/dist/impact-graph.js +119 -0
package/dist/impact-render.d.ts +22 -0
package/dist/impact-render.d.ts.map +1 -0
package/dist/impact-render.js +422 -0
package/dist/import-graph-analysis.d.ts +28 -0
package/dist/import-graph-analysis.d.ts.map +1 -0
package/dist/import-graph-analysis.js +193 -0
package/dist/import-hygiene.d.ts +93 -0
package/dist/import-hygiene.d.ts.map +1 -0
package/dist/import-hygiene.js +366 -0
package/dist/index.d.ts +224 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +234 -0
package/dist/ingest-adoption.d.ts +50 -0
package/dist/ingest-adoption.d.ts.map +1 -0
package/dist/ingest-adoption.js +183 -0
package/dist/ingest-apply.d.ts +80 -0
package/dist/ingest-apply.d.ts.map +1 -0
package/dist/ingest-apply.js +227 -0
package/dist/ingest-body-extractor.d.ts +28 -0
package/dist/ingest-body-extractor.d.ts.map +1 -0
package/dist/ingest-body-extractor.js +129 -0
package/dist/ingest-drafts.d.ts +16 -0
package/dist/ingest-drafts.d.ts.map +1 -0
package/dist/ingest-drafts.js +482 -0
package/dist/inspector-cache.d.ts +41 -0
package/dist/inspector-cache.d.ts.map +1 -0
package/dist/inspector-cache.js +104 -0
package/dist/install-smoke.d.ts +44 -0
package/dist/install-smoke.d.ts.map +1 -0
package/dist/install-smoke.js +31 -0
package/dist/knowledge-authoring.d.ts +151 -0
package/dist/knowledge-authoring.d.ts.map +1 -0
package/dist/knowledge-authoring.js +586 -0
package/dist/knowledge-graph.d.ts +76 -0
package/dist/knowledge-graph.d.ts.map +1 -0
package/dist/knowledge-graph.js +336 -0
package/dist/knowledge-lint.d.ts +97 -0
package/dist/knowledge-lint.d.ts.map +1 -0
package/dist/knowledge-lint.js +302 -0
package/dist/knowledge-rename.d.ts +38 -0
package/dist/knowledge-rename.d.ts.map +1 -0
package/dist/knowledge-rename.js +88 -0
package/dist/knowledge-stale.d.ts +124 -0
package/dist/knowledge-stale.d.ts.map +1 -0
package/dist/knowledge-stale.js +892 -0
package/dist/languages/command-inference.d.ts +27 -0
package/dist/languages/command-inference.d.ts.map +1 -0
package/dist/languages/command-inference.js +214 -0
package/dist/languages/dependency-scan.d.ts +33 -0
package/dist/languages/dependency-scan.d.ts.map +1 -0
package/dist/languages/dependency-scan.js +343 -0
package/dist/languages/index.d.ts +14 -0
package/dist/languages/index.d.ts.map +1 -0
package/dist/languages/index.js +13 -0
package/dist/languages/language-boundaries.d.ts +30 -0
package/dist/languages/language-boundaries.d.ts.map +1 -0
package/dist/languages/language-boundaries.js +176 -0
package/dist/languages/language-cache.d.ts +54 -0
package/dist/languages/language-cache.d.ts.map +1 -0
package/dist/languages/language-cache.js +236 -0
package/dist/languages/language-detection.d.ts +30 -0
package/dist/languages/language-detection.d.ts.map +1 -0
package/dist/languages/language-detection.js +584 -0
package/dist/languages/language-id.d.ts +15 -0
package/dist/languages/language-id.d.ts.map +1 -0
package/dist/languages/language-id.js +15 -0
package/dist/languages/language-runner.d.ts +90 -0
package/dist/languages/language-runner.d.ts.map +1 -0
package/dist/languages/language-runner.js +346 -0
package/dist/languages/polyglot-boundary.d.ts +80 -0
package/dist/languages/polyglot-boundary.d.ts.map +1 -0
package/dist/languages/polyglot-boundary.js +373 -0
package/dist/languages/polyglot-ci.d.ts +25 -0
package/dist/languages/polyglot-ci.d.ts.map +1 -0
package/dist/languages/polyglot-ci.js +278 -0
package/dist/languages/test-impact.d.ts +19 -0
package/dist/languages/test-impact.d.ts.map +1 -0
package/dist/languages/test-impact.js +157 -0
package/dist/loader-diagnostics.d.ts +40 -0
package/dist/loader-diagnostics.d.ts.map +1 -0
package/dist/loader-diagnostics.js +49 -0
package/dist/memory-diff.d.ts +60 -0
package/dist/memory-diff.d.ts.map +1 -0
package/dist/memory-diff.js +302 -0
package/dist/migration-profile-registry.d.ts +26 -0
package/dist/migration-profile-registry.d.ts.map +1 -0
package/dist/migration-profile-registry.js +135 -0
package/dist/migration-readiness.d.ts +101 -0
package/dist/migration-readiness.d.ts.map +1 -0
package/dist/migration-readiness.js +253 -0
package/dist/monorepo-onboarding.d.ts +51 -0
package/dist/monorepo-onboarding.d.ts.map +1 -0
package/dist/monorepo-onboarding.js +235 -0
package/dist/onboarding-adoption-diff.d.ts +53 -0
package/dist/onboarding-adoption-diff.d.ts.map +1 -0
package/dist/onboarding-adoption-diff.js +285 -0
package/dist/onboarding-adoption.d.ts +136 -0
package/dist/onboarding-adoption.d.ts.map +1 -0
package/dist/onboarding-adoption.js +702 -0
package/dist/onboarding-agent-import.d.ts +40 -0
package/dist/onboarding-agent-import.d.ts.map +1 -0
package/dist/onboarding-agent-import.js +114 -0
package/dist/onboarding-diff.d.ts +39 -0
package/dist/onboarding-diff.d.ts.map +1 -0
package/dist/onboarding-diff.js +240 -0
package/dist/onboarding-drafts-merge.d.ts +71 -0
package/dist/onboarding-drafts-merge.d.ts.map +1 -0
package/dist/onboarding-drafts-merge.js +174 -0
package/dist/onboarding-drafts.d.ts +42 -0
package/dist/onboarding-drafts.d.ts.map +1 -0
package/dist/onboarding-drafts.js +268 -0
package/dist/onboarding-report.d.ts +8 -0
package/dist/onboarding-report.d.ts.map +1 -0
package/dist/onboarding-report.js +239 -0
package/dist/onboarding.d.ts +134 -0
package/dist/onboarding.d.ts.map +1 -0
package/dist/onboarding.js +729 -0
package/dist/ownership.d.ts +38 -0
package/dist/ownership.d.ts.map +1 -0
package/dist/ownership.js +102 -0
package/dist/pack-author-ux.d.ts +58 -0
package/dist/pack-author-ux.d.ts.map +1 -0
package/dist/pack-author-ux.js +219 -0
package/dist/pack-author.d.ts +94 -0
package/dist/pack-author.d.ts.map +1 -0
package/dist/pack-author.js +208 -0
package/dist/pack-compatibility.d.ts +21 -0
package/dist/pack-compatibility.d.ts.map +1 -0
package/dist/pack-compatibility.js +114 -0
package/dist/pack-contributions-inventory.d.ts +121 -0
package/dist/pack-contributions-inventory.d.ts.map +1 -0
package/dist/pack-contributions-inventory.js +732 -0
package/dist/pack-docs.d.ts +11 -0
package/dist/pack-docs.d.ts.map +1 -0
package/dist/pack-docs.js +101 -0
package/dist/pack-doctor.d.ts +50 -0
package/dist/pack-doctor.d.ts.map +1 -0
package/dist/pack-doctor.js +302 -0
package/dist/pack-helper-registry.d.ts +29 -0
package/dist/pack-helper-registry.d.ts.map +1 -0
package/dist/pack-helper-registry.js +144 -0
package/dist/pack-pending.d.ts +68 -0
package/dist/pack-pending.d.ts.map +1 -0
package/dist/pack-pending.js +189 -0
package/dist/pack-quality-score.d.ts +44 -0
package/dist/pack-quality-score.d.ts.map +1 -0
package/dist/pack-quality-score.js +155 -0
package/dist/pack-release-check.d.ts +24 -0
package/dist/pack-release-check.d.ts.map +1 -0
package/dist/pack-release-check.js +258 -0
package/dist/pack-signature-status.d.ts +72 -0
package/dist/pack-signature-status.d.ts.map +1 -0
package/dist/pack-signature-status.js +222 -0
package/dist/pack-symbol-compat.d.ts +73 -0
package/dist/pack-symbol-compat.d.ts.map +1 -0
package/dist/pack-symbol-compat.js +519 -0
package/dist/pack-test-runner.d.ts +59 -0
package/dist/pack-test-runner.d.ts.map +1 -0
package/dist/pack-test-runner.js +211 -0
package/dist/pipeline-command-dictionary.d.ts +2 -0
package/dist/pipeline-command-dictionary.d.ts.map +1 -0
package/dist/pipeline-command-dictionary.js +20 -0
package/dist/pipeline-lint.d.ts +30 -0
package/dist/pipeline-lint.d.ts.map +1 -0
package/dist/pipeline-lint.js +134 -0
package/dist/plan-dependency-graph.d.ts +25 -0
package/dist/plan-dependency-graph.d.ts.map +1 -0
package/dist/plan-dependency-graph.js +195 -0
package/dist/plan-review.d.ts +64 -0
package/dist/plan-review.d.ts.map +1 -0
package/dist/plan-review.js +242 -0
package/dist/plan-simulation.d.ts +108 -0
package/dist/plan-simulation.d.ts.map +1 -0
package/dist/plan-simulation.js +767 -0
package/dist/playbook-registry.d.ts +25 -0
package/dist/playbook-registry.d.ts.map +1 -0
package/dist/playbook-registry.js +148 -0
package/dist/playbook-script.d.ts +60 -0
package/dist/playbook-script.d.ts.map +1 -0
package/dist/playbook-script.js +161 -0
package/dist/plugin-lifecycle-profile-registry.d.ts +52 -0
package/dist/plugin-lifecycle-profile-registry.d.ts.map +1 -0
package/dist/plugin-lifecycle-profile-registry.js +202 -0
package/dist/plugin-lifecycle.d.ts +132 -0
package/dist/plugin-lifecycle.d.ts.map +1 -0
package/dist/plugin-lifecycle.js +477 -0
package/dist/policy-engine.d.ts +101 -0
package/dist/policy-engine.d.ts.map +1 -0
package/dist/policy-engine.js +321 -0
package/dist/policy-override-audit.d.ts +18 -0
package/dist/policy-override-audit.d.ts.map +1 -0
package/dist/policy-override-audit.js +54 -0
package/dist/policy-overrides.d.ts +35 -0
package/dist/policy-overrides.d.ts.map +1 -0
package/dist/policy-overrides.js +84 -0
package/dist/policy-test.d.ts +83 -0
package/dist/policy-test.d.ts.map +1 -0
package/dist/policy-test.js +342 -0
package/dist/pr-summary.d.ts +34 -0
package/dist/pr-summary.d.ts.map +1 -0
package/dist/pr-summary.js +220 -0
package/dist/product-coherence.d.ts +21 -0
package/dist/product-coherence.d.ts.map +1 -0
package/dist/product-coherence.js +158 -0
package/dist/profile-registry.d.ts +42 -0
package/dist/profile-registry.d.ts.map +1 -0
package/dist/profile-registry.js +104 -0
package/dist/project-coupling-audit.d.ts +64 -0
package/dist/project-coupling-audit.d.ts.map +1 -0
package/dist/project-coupling-audit.js +282 -0
package/dist/project-overview.d.ts +14 -0
package/dist/project-overview.d.ts.map +1 -0
package/dist/project-overview.js +27 -0
package/dist/propose-knowledge.d.ts +64 -0
package/dist/propose-knowledge.d.ts.map +1 -0
package/dist/propose-knowledge.js +367 -0
package/dist/quality-baseline.d.ts +123 -0
package/dist/quality-baseline.d.ts.map +1 -0
package/dist/quality-baseline.js +433 -0
package/dist/quality-html.d.ts +7 -0
package/dist/quality-html.d.ts.map +1 -0
package/dist/quality-html.js +64 -0
package/dist/quality-report.d.ts +49 -0
package/dist/quality-report.d.ts.map +1 -0
package/dist/quality-report.js +296 -0
package/dist/query-resolver.d.ts +38 -0
package/dist/query-resolver.d.ts.map +1 -0
package/dist/query-resolver.js +163 -0
package/dist/ranker-explainability.d.ts +91 -0
package/dist/ranker-explainability.d.ts.map +1 -0
package/dist/ranker-explainability.js +550 -0
package/dist/reference-lookup.d.ts +8 -0
package/dist/reference-lookup.d.ts.map +1 -0
package/dist/reference-lookup.js +18 -0
package/dist/registration-hint-registry.d.ts +55 -0
package/dist/registration-hint-registry.d.ts.map +1 -0
package/dist/registration-hint-registry.js +327 -0
package/dist/registry-lifecycle.d.ts +47 -0
package/dist/registry-lifecycle.d.ts.map +1 -0
package/dist/registry-lifecycle.js +214 -0
package/dist/release-readiness.d.ts +64 -0
package/dist/release-readiness.d.ts.map +1 -0
package/dist/release-readiness.js +456 -0
package/dist/release-smoke.d.ts +138 -0
package/dist/release-smoke.d.ts.map +1 -0
package/dist/release-smoke.js +459 -0
package/dist/release-train.d.ts +33 -0
package/dist/release-train.d.ts.map +1 -0
package/dist/release-train.js +104 -0
package/dist/repo-memory.d.ts +95 -0
package/dist/repo-memory.d.ts.map +1 -0
package/dist/repo-memory.js +614 -0
package/dist/report-site.d.ts +92 -0
package/dist/report-site.d.ts.map +1 -0
package/dist/report-site.js +658 -0
package/dist/reposet.d.ts +56 -0
package/dist/reposet.d.ts.map +1 -0
package/dist/reposet.js +160 -0
package/dist/repository-intelligence.d.ts +145 -0
package/dist/repository-intelligence.d.ts.map +1 -0
package/dist/repository-intelligence.js +729 -0
package/dist/repository-knowledge-model.d.ts +218 -0
package/dist/repository-knowledge-model.d.ts.map +1 -0
package/dist/repository-knowledge-model.js +939 -0
package/dist/repository-map.d.ts +72 -0
package/dist/repository-map.d.ts.map +1 -0
package/dist/repository-map.js +332 -0
package/dist/repository-stats.d.ts +66 -0
package/dist/repository-stats.d.ts.map +1 -0
package/dist/repository-stats.js +329 -0
package/dist/review-comment-renderer.d.ts +59 -0
package/dist/review-comment-renderer.d.ts.map +1 -0
package/dist/review-comment-renderer.js +181 -0
package/dist/review-comment-v2.d.ts +9 -0
package/dist/review-comment-v2.d.ts.map +1 -0
package/dist/review-comment-v2.js +178 -0
package/dist/review-html.d.ts +13 -0
package/dist/review-html.d.ts.map +1 -0
package/dist/review-html.js +79 -0
package/dist/review-packet-v2.d.ts +29 -0
package/dist/review-packet-v2.d.ts.map +1 -0
package/dist/review-packet-v2.js +81 -0
package/dist/review-packet-v3.d.ts +22 -0
package/dist/review-packet-v3.d.ts.map +1 -0
package/dist/review-packet-v3.js +181 -0
package/dist/review-packet.d.ts +49 -0
package/dist/review-packet.d.ts.map +1 -0
package/dist/review-packet.js +129 -0
package/dist/risk-signals.d.ts +28 -0
package/dist/risk-signals.d.ts.map +1 -0
package/dist/risk-signals.js +68 -0
package/dist/role-views.d.ts +50 -0
package/dist/role-views.d.ts.map +1 -0
package/dist/role-views.js +334 -0
package/dist/rounds.d.ts +52 -0
package/dist/rounds.d.ts.map +1 -0
package/dist/rounds.js +172 -0
package/dist/rule-drift.d.ts +42 -0
package/dist/rule-drift.d.ts.map +1 -0
package/dist/rule-drift.js +148 -0
package/dist/rule-quality.d.ts +73 -0
package/dist/rule-quality.d.ts.map +1 -0
package/dist/rule-quality.js +356 -0
package/dist/rule-scaffold.d.ts +71 -0
package/dist/rule-scaffold.d.ts.map +1 -0
package/dist/rule-scaffold.js +258 -0
package/dist/safety-audit-deep.d.ts +38 -0
package/dist/safety-audit-deep.d.ts.map +1 -0
package/dist/safety-audit-deep.js +162 -0
package/dist/safety-audit.d.ts +91 -0
package/dist/safety-audit.d.ts.map +1 -0
package/dist/safety-audit.js +138 -0
package/dist/safety-html.d.ts +7 -0
package/dist/safety-html.d.ts.map +1 -0
package/dist/safety-html.js +70 -0
package/dist/scaffold-coverage.d.ts +46 -0
package/dist/scaffold-coverage.d.ts.map +1 -0
package/dist/scaffold-coverage.js +273 -0
package/dist/scaffold-patterns.d.ts +38 -0
package/dist/scaffold-patterns.d.ts.map +1 -0
package/dist/scaffold-patterns.js +282 -0
package/dist/schema-inventory.d.ts +55 -0
package/dist/schema-inventory.d.ts.map +1 -0
package/dist/schema-inventory.js +301 -0
package/dist/search-index.d.ts +75 -0
package/dist/search-index.d.ts.map +1 -0
package/dist/search-index.js +531 -0
package/dist/search-tuning-explain.d.ts +68 -0
package/dist/search-tuning-explain.d.ts.map +1 -0
package/dist/search-tuning-explain.js +207 -0
package/dist/search-tuning-registry.d.ts +54 -0
package/dist/search-tuning-registry.d.ts.map +1 -0
package/dist/search-tuning-registry.js +303 -0
package/dist/self-audit.d.ts +59 -0
package/dist/self-audit.d.ts.map +1 -0
package/dist/self-audit.js +192 -0
package/dist/self-config-doctor-v2.d.ts +57 -0
package/dist/self-config-doctor-v2.d.ts.map +1 -0
package/dist/self-config-doctor-v2.js +653 -0
package/dist/self-config-doctor.d.ts +47 -0
package/dist/self-config-doctor.d.ts.map +1 -0
package/dist/self-config-doctor.js +432 -0
package/dist/sharkcraft-inspector.d.ts +73 -0
package/dist/sharkcraft-inspector.d.ts.map +1 -0
package/dist/sharkcraft-inspector.js +745 -0
package/dist/spec/spec-cross-validate.d.ts +17 -0
package/dist/spec/spec-cross-validate.d.ts.map +1 -0
package/dist/spec/spec-cross-validate.js +53 -0
package/dist/spec/spec-discovery.d.ts +27 -0
package/dist/spec/spec-discovery.d.ts.map +1 -0
package/dist/spec/spec-discovery.js +78 -0
package/dist/spec/spec-review.d.ts +36 -0
package/dist/spec/spec-review.d.ts.map +1 -0
package/dist/spec/spec-review.js +37 -0
package/dist/stability-map.d.ts +62 -0
package/dist/stability-map.d.ts.map +1 -0
package/dist/stability-map.js +404 -0
package/dist/start-here.d.ts +49 -0
package/dist/start-here.d.ts.map +1 -0
package/dist/start-here.js +259 -0
package/dist/surface-profile-detect.d.ts +42 -0
package/dist/surface-profile-detect.d.ts.map +1 -0
package/dist/surface-profile-detect.js +76 -0
package/dist/symbol-index.d.ts +108 -0
package/dist/symbol-index.d.ts.map +1 -0
package/dist/symbol-index.js +483 -0
package/dist/task-decompose.d.ts +38 -0
package/dist/task-decompose.d.ts.map +1 -0
package/dist/task-decompose.js +154 -0
package/dist/task-packet.d.ts +104 -0
package/dist/task-packet.d.ts.map +1 -0
package/dist/task-packet.js +156 -0
package/dist/task-ranker.d.ts +51 -0
package/dist/task-ranker.d.ts.map +1 -0
package/dist/task-ranker.js +410 -0
package/dist/task-risk.d.ts +84 -0
package/dist/task-risk.d.ts.map +1 -0
package/dist/task-risk.js +731 -0
package/dist/task-routing-hint-registry.d.ts +36 -0
package/dist/task-routing-hint-registry.d.ts.map +1 -0
package/dist/task-routing-hint-registry.js +186 -0
package/dist/template-authoring.d.ts +113 -0
package/dist/template-authoring.d.ts.map +1 -0
package/dist/template-authoring.js +521 -0
package/dist/template-body-inference-v2.d.ts +19 -0
package/dist/template-body-inference-v2.d.ts.map +1 -0
package/dist/template-body-inference-v2.js +468 -0
package/dist/template-body-inference.d.ts +59 -0
package/dist/template-body-inference.d.ts.map +1 -0
package/dist/template-body-inference.js +277 -0
package/dist/template-drift.d.ts +39 -0
package/dist/template-drift.d.ts.map +1 -0
package/dist/template-drift.js +353 -0
package/dist/template-lint.d.ts +31 -0
package/dist/template-lint.d.ts.map +1 -0
package/dist/template-lint.js +113 -0
package/dist/test-definitions.d.ts +41 -0
package/dist/test-definitions.d.ts.map +1 -0
package/dist/test-definitions.js +6 -0
package/dist/test-impact.d.ts +30 -0
package/dist/test-impact.d.ts.map +1 -0
package/dist/test-impact.js +173 -0
package/dist/test-runner.d.ts +87 -0
package/dist/test-runner.d.ts.map +1 -0
package/dist/test-runner.js +560 -0
package/dist/uncertainty-report.d.ts +46 -0
package/dist/uncertainty-report.d.ts.map +1 -0
package/dist/uncertainty-report.js +108 -0
package/dist/uncertainty.d.ts +38 -0
package/dist/uncertainty.d.ts.map +1 -0
package/dist/uncertainty.js +115 -0
package/dist/universal-search.d.ts +64 -0
package/dist/universal-search.d.ts.map +1 -0
package/dist/universal-search.js +347 -0
package/dist/upgrade-advisor.d.ts +22 -0
package/dist/upgrade-advisor.d.ts.map +1 -0
package/dist/upgrade-advisor.js +109 -0
package/dist/why-file.d.ts +75 -0
package/dist/why-file.d.ts.map +1 -0
package/dist/why-file.js +202 -0
package/dist/workflow-simulation.d.ts +46 -0
package/dist/workflow-simulation.d.ts.map +1 -0
package/dist/workflow-simulation.js +154 -0
package/package.json +65 -0

package/dist/ci-permissions-fix.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * CI permissions auto-fix preview.
+ *
+ * Reads the structured audit produced by `auditCiWorkflow` and returns a
+ * suggested edit — never writes. Output formats: `patch`, `markdown`, `json`.
+ *
+ * Heuristics:
+ *  - comment-posting step detected but no `pull-requests: write` → suggest
+ *    adding a permissions block.
+ *  - `pull-requests: write` requested but no comment-posting step → suggest
+ *    narrowing to `contents: read`.
+ *  - top-level permissions block missing → suggest the least-privilege
+ *    default for the provider.
+ */
+import type { ICiPermissionsAudit, CiProviderForAudit } from './ci-permissions.js';
+export declare const CI_PERMISSIONS_FIX_SCHEMA = "sharkcraft.ci-permissions-fix/v1";
+export type CiPermissionsFixFormat = 'patch' | 'markdown' | 'json';
+export interface ICiPermissionsFixHint {
+    code: 'add-permissions-block' | 'add-pull-requests-write' | 'narrow-permissions-block' | 'remove-pull-requests-write' | 'pin-action-sha' | 'pin-image-digest' | 'requires-manual' | 'add-oidc-block' | 'add-id-tokens-block' | 'add-azure-permissions-block' | 'no-action-required';
+    severity: 'info' | 'warning' | 'error';
+    message: string;
+    explanation: string;
+    /** Unified-diff style suggestion (best-effort, deterministic). */
+    patch?: string;
+    /** Plain text that an editor can paste in. */
+    insertion?: string;
+}
+export interface ICiPermissionsFixPreview {
+    schema: typeof CI_PERMISSIONS_FIX_SCHEMA;
+    provider: CiProviderForAudit;
+    workflowFile: string;
+    hints: readonly ICiPermissionsFixHint[];
+    /** Combined unified diff, or empty if no actionable hint. */
+    combinedPatch: string;
+}
+export declare function buildCiPermissionsFixPreview(audit: ICiPermissionsAudit): ICiPermissionsFixPreview;
+export declare function renderCiPermissionsFixPreview(preview: ICiPermissionsFixPreview, format: CiPermissionsFixFormat): string;
+//# sourceMappingURL=ci-permissions-fix.d.ts.map

package/dist/ci-permissions-fix.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ci-permissions-fix.d.ts","sourceRoot":"","sources":["../src/ci-permissions-fix.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEnF,eAAO,MAAM,yBAAyB,qCAAqC,CAAC;AAE5E,MAAM,MAAM,sBAAsB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAEnE,MAAM,WAAW,qBAAqB;IACpC,IAAI,EACA,uBAAuB,GACvB,yBAAyB,GACzB,0BAA0B,GAC1B,4BAA4B,GAC5B,gBAAgB,GAChB,kBAAkB,GAClB,iBAAiB,GACjB,gBAAgB,GAChB,qBAAqB,GACrB,6BAA6B,GAC7B,oBAAoB,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,OAAO,yBAAyB,CAAC;IACzC,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,SAAS,qBAAqB,EAAE,CAAC;IACxC,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;CACvB;AAoPD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,mBAAmB,GAAG,wBAAwB,CAkFjG;AA+CD,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,wBAAwB,EACjC,MAAM,EAAE,sBAAsB,GAC7B,MAAM,CAoCR"}

package/dist/ci-permissions-fix.js ADDED Viewed

@@ -0,0 +1,382 @@
+/**
+ * CI permissions auto-fix preview.
+ *
+ * Reads the structured audit produced by `auditCiWorkflow` and returns a
+ * suggested edit — never writes. Output formats: `patch`, `markdown`, `json`.
+ *
+ * Heuristics:
+ *  - comment-posting step detected but no `pull-requests: write` → suggest
+ *    adding a permissions block.
+ *  - `pull-requests: write` requested but no comment-posting step → suggest
+ *    narrowing to `contents: read`.
+ *  - top-level permissions block missing → suggest the least-privilege
+ *    default for the provider.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+export const CI_PERMISSIONS_FIX_SCHEMA = 'sharkcraft.ci-permissions-fix/v1';
+function leastPrivilegeBlock(provider, withPullRequestsWrite) {
+    if (provider === 'github-actions') {
+        return withPullRequestsWrite
+            ? 'permissions:\n  contents: read\n  pull-requests: write\n'
+            : 'permissions:\n  contents: read\n';
+    }
+    if (provider === 'gitlab') {
+        return withPullRequestsWrite
+            ? '# GitLab CI uses CI/CD variables, not file-level permissions.\n# Store a Project Access Token with `api` scope as a masked variable\n# named REVIEW_TOKEN, then reference it in the comment-posting job:\n#   variables:\n#     GIT_STRATEGY: clone\n#   id_tokens:\n#     GITLAB_OIDC_TOKEN:\n#       aud: https://gitlab.example.com\n'
+            : '# GitLab CI uses CI/CD variables, not file-level permissions.\n# $CI_JOB_TOKEN is read-only for repo metadata — no extra scopes required.\n';
+    }
+    if (provider === 'bitbucket') {
+        return withPullRequestsWrite
+            ? 'oidc: true   # add to each step that needs write scopes — pair with a repo access token in Bitbucket settings\n'
+            : '# Bitbucket Pipelines has no top-level permissions block.\n# Use repository access tokens (Bitbucket settings → Access tokens) and store them as secured variables.\n';
+    }
+    if (provider === 'azure') {
+        return withPullRequestsWrite
+            ? 'permissions:\n  contents: read\n  pull-requests: write   # Azure Pipelines job-level permissions (recent feature)\n'
+            : 'permissions:\n  contents: read\n';
+    }
+    if (provider === 'jenkins') {
+        return '// Jenkins permissions are configured in Manage Jenkins → Security → Authorization.\n// Use Matrix-based or Role-based security; the Jenkinsfile itself cannot grant or restrict scopes.\n';
+    }
+    return '# (least-privilege block — provider-specific)\n';
+}
+function makeAddPermissionsBlockPatch(file, body, withPullRequestsWrite) {
+    const block = leastPrivilegeBlock('github-actions', withPullRequestsWrite);
+    // Insert after the first `name:` line at the top level.
+    const lines = body.split(/\r?\n/);
+    let nameLine = -1;
+    for (let i = 0; i < lines.length; i += 1) {
+        if (/^name:\s+/.test(lines[i])) {
+            nameLine = i;
+            break;
+        }
+    }
+    if (nameLine < 0)
+        nameLine = 0;
+    const blockLines = block.split(/\r?\n/).filter((l) => l.length > 0);
+    const patch = [
+        `--- a/${file}`,
+        `+++ b/${file}`,
+        `@@ -${nameLine + 1},1 +${nameLine + 1},${1 + blockLines.length} @@`,
+        ` ${lines[nameLine] ?? ''}`,
+        ...blockLines.map((l) => `+${l}`),
+    ];
+    return patch.join('\n') + '\n';
+}
+function makeInsertAfterTopLineMatchingPatch(file, body, matcher, block) {
+    const lines = body.split(/\r?\n/);
+    let anchor = -1;
+    for (let i = 0; i < lines.length; i += 1) {
+        if (matcher.test(lines[i])) {
+            anchor = i;
+            break;
+        }
+    }
+    if (anchor < 0)
+        anchor = 0;
+    const blockLines = block.split(/\r?\n/).filter((l) => l.length > 0);
+    return [
+        `--- a/${file}`,
+        `+++ b/${file}`,
+        `@@ -${anchor + 1},1 +${anchor + 1},${1 + blockLines.length} @@`,
+        ` ${lines[anchor] ?? ''}`,
+        ...blockLines.map((l) => `+${l}`),
+    ].join('\n') + '\n';
+}
+function emitGitlabHints(audit, body) {
+    const hints = [];
+    if (audit.postsComments) {
+        const block = 'id_tokens:\n  GITLAB_OIDC_TOKEN:\n    aud: https://gitlab.example.com   # replace with your GitLab host\n';
+        // Anchor after the first `stages:` line if present, otherwise top.
+        const hasIdTokens = /\bid_tokens:\s*$/m.test(body);
+        if (hasIdTokens) {
+            hints.push({
+                code: 'requires-manual',
+                severity: 'info',
+                message: 'Pipeline already declares `id_tokens:` — confirm the `aud:` matches your GitLab instance and the consuming script trades the OIDC token for a scoped access token.',
+                explanation: 'GitLab CI has no native permissions block. Least-privilege comes from OIDC + a Project Access Token with `api` scope on the consuming job.',
+                insertion: leastPrivilegeBlock('gitlab', true),
+            });
+        }
+        else {
+            hints.push({
+                code: 'add-id-tokens-block',
+                severity: 'warning',
+                message: 'Pipeline posts MR comments without declaring an `id_tokens:` block — comment-posting will require a long-lived PRIVATE-TOKEN, which is harder to rotate.',
+                explanation: 'Use GitLab OIDC: declare `id_tokens.GITLAB_OIDC_TOKEN.aud` on the job, then exchange the token for a Project Access Token at runtime. Avoids storing long-lived secrets in CI/CD variables.',
+                patch: body ? makeInsertAfterTopLineMatchingPatch(audit.workflowFile, body, /^\s*stages:\s*$/, block) : undefined,
+                insertion: block,
+            });
+        }
+    }
+    else {
+        hints.push({
+            code: 'no-action-required',
+            severity: 'info',
+            message: 'No MR-comment-posting step detected — $CI_JOB_TOKEN is sufficient and no scoped token is required.',
+            explanation: 'GitLab CI runs each job with a read-only $CI_JOB_TOKEN by default; only enable write scopes (Project Access Tokens) on jobs that actually mutate the project.',
+        });
+    }
+    return hints;
+}
+function emitBitbucketHints(audit, body) {
+    const hints = [];
+    const hasOidc = /\boidc:\s*true\b/.test(body);
+    if (audit.postsComments && !hasOidc) {
+        const block = '      oidc: true   # exchange for a scoped repo access token at runtime\n';
+        hints.push({
+            code: 'add-oidc-block',
+            severity: 'warning',
+            message: 'Pipeline posts PR comments without declaring `oidc: true` — pair the comment-posting step with OIDC + a repository access token instead of a long-lived secret.',
+            explanation: 'Bitbucket Pipelines has no top-level permissions block; least-privilege comes from `oidc: true` + a repo-scoped access token configured in Bitbucket settings.',
+            patch: body
+                ? makeInsertAfterTopLineMatchingPatch(audit.workflowFile, body, /^\s*-\s*step:\s*$/, block)
+                : undefined,
+            insertion: block,
+        });
+    }
+    else if (!audit.postsComments) {
+        hints.push({
+            code: 'no-action-required',
+            severity: 'info',
+            message: 'No PR-comment-posting step detected — the default repository access token is read-only.',
+            explanation: 'Bitbucket Pipelines does not require explicit permissions for read-only operations. Avoid checking long-lived tokens into the file regardless.',
+        });
+    }
+    else {
+        hints.push({
+            code: 'requires-manual',
+            severity: 'info',
+            message: 'Pipeline already declares `oidc: true`. Confirm the consuming step exchanges the token for the minimum repo scope it needs.',
+            explanation: 'OIDC exchange happens at runtime — the workflow file cannot enforce the resulting token\'s scope. Audit the API calls in the step.',
+            insertion: leastPrivilegeBlock('bitbucket', true),
+        });
+    }
+    return hints;
+}
+function emitAzureHints(audit, body) {
+    const hints = [];
+    const hasPermissions = /^\s*permissions:\s*$/m.test(body);
+    if (audit.postsComments && !hasPermissions) {
+        const block = leastPrivilegeBlock('azure', true);
+        hints.push({
+            code: 'add-azure-permissions-block',
+            severity: 'warning',
+            message: 'Pipeline posts PR comments without declaring a job-level `permissions:` block. Azure Pipelines now supports job-level permissions — use them to scope the System.AccessToken.',
+            explanation: 'When the job-level `permissions:` feature is enabled on the project, Azure Pipelines restricts System.AccessToken to the scopes you list. Without the block, the token defaults to the project-level setting.',
+            patch: body
+                ? makeInsertAfterTopLineMatchingPatch(audit.workflowFile, body, /^\s*(jobs|stages):\s*$/, block)
+                : undefined,
+            insertion: block,
+        });
+    }
+    else if (!audit.postsComments) {
+        hints.push({
+            code: 'no-action-required',
+            severity: 'info',
+            message: 'No PR-comment-posting step detected — the default Build Service token is read-only for repo metadata.',
+            explanation: 'Azure Pipelines defaults the System.AccessToken to project-scoped read; only enable write scopes when the pipeline mutates repo state.',
+        });
+    }
+    else {
+        hints.push({
+            code: 'requires-manual',
+            severity: 'info',
+            message: 'Pipeline already declares a `permissions:` block. Confirm it lists only the scopes the comment-posting job needs (typically `contents: read` + `pull-requests: write`).',
+            explanation: 'Azure Pipelines permissions blocks are additive per job — make sure broader scopes are not granted to unrelated jobs.',
+            insertion: leastPrivilegeBlock('azure', true),
+        });
+    }
+    return hints;
+}
+function emitJenkinsHints(audit) {
+    return [
+        {
+            code: 'requires-manual',
+            severity: audit.postsComments ? 'warning' : 'info',
+            message: audit.postsComments
+                ? 'Jenkinsfile posts PR comments — declarative pipelines cannot grant permissions; this is configured in Jenkins itself.'
+                : 'Jenkinsfile detected — declarative pipelines cannot grant permissions; this is configured in Jenkins itself.',
+            explanation: 'Jenkins permissions are administered via Manage Jenkins → Security → Authorization (Matrix-based or Role-based plugin). Edit there, not in the Jenkinsfile. The pipeline\'s `withCredentials(...)` block scopes secrets to a step but does not grant repository write access on its own.',
+            insertion: leastPrivilegeBlock('jenkins', audit.postsComments),
+        },
+    ];
+}
+function makeNarrowPermissionsPatch(file, body) {
+    // Find the broad permission lines and propose replacing each with
+    // `contents: read`.
+    const lines = body.split(/\r?\n/);
+    const out = [];
+    for (let i = 0; i < lines.length; i += 1) {
+        const m = /^(\s*)(contents|pull-requests|issues|deployments|actions):\s*write\b/.exec(lines[i]);
+        if (m) {
+            const indent = m[1] ?? '';
+            const scope = m[2] ?? 'contents';
+            out.push(`--- a/${file}`);
+            out.push(`+++ b/${file}`);
+            out.push(`@@ -${i + 1},1 +${i + 1},1 @@`);
+            out.push(`-${lines[i] ?? ''}`);
+            out.push(`+${indent}${scope === 'pull-requests' ? 'pull-requests: read' : 'contents: read'}`);
+        }
+    }
+    return out.length === 0 ? '' : out.join('\n') + '\n';
+}
+export function buildCiPermissionsFixPreview(audit) {
+    const hints = [];
+    if (!audit.exists) {
+        hints.push({
+            code: 'no-action-required',
+            severity: 'error',
+            message: 'Workflow file does not exist — nothing to fix.',
+            explanation: 'Run `shrk ci scaffold` first to produce a workflow, then re-run the audit.',
+        });
+        return {
+            schema: CI_PERMISSIONS_FIX_SCHEMA,
+            provider: audit.provider,
+            workflowFile: audit.workflowFile,
+            hints,
+            combinedPatch: '',
+        };
+    }
+    let body = '';
+    try {
+        body = existsSync(audit.workflowFile) ? readFileSync(audit.workflowFile, 'utf8') : '';
+    }
+    catch {
+        body = '';
+    }
+    // Non-GHA providers: emit provider-specific hints and return early.
+    if (audit.provider === 'gitlab') {
+        for (const h of emitGitlabHints(audit, body))
+            hints.push(h);
+        return finalize(audit, hints);
+    }
+    if (audit.provider === 'bitbucket') {
+        for (const h of emitBitbucketHints(audit, body))
+            hints.push(h);
+        return finalize(audit, hints);
+    }
+    if (audit.provider === 'azure') {
+        for (const h of emitAzureHints(audit, body))
+            hints.push(h);
+        return finalize(audit, hints);
+    }
+    if (audit.provider === 'jenkins') {
+        for (const h of emitJenkinsHints(audit))
+            hints.push(h);
+        return finalize(audit, hints);
+    }
+    const isGha = audit.provider === 'github-actions';
+    const missingPermsBlock = audit.findings.some((f) => f.code === 'permissions-block-missing');
+    // Case 1: comment-posting requested but no permissions block (or no pull-requests: write).
+    if (isGha && audit.postsComments && !audit.requestsWritePermissions) {
+        hints.push({
+            code: 'add-pull-requests-write',
+            severity: 'error',
+            message: 'Workflow posts PR comments but does not declare `pull-requests: write`. The comment step will 403 at runtime.',
+            explanation: 'Add a top-level `permissions:` block with `contents: read` + `pull-requests: write`. Scope to the comment-posting job if possible.',
+            patch: body ? makeAddPermissionsBlockPatch(audit.workflowFile, body, true) : undefined,
+            insertion: leastPrivilegeBlock(audit.provider, true),
+        });
+    }
+    // Case 2: pull-requests: write requested but no comment-posting step.
+    if (isGha && audit.requestsWritePermissions && !audit.postsComments) {
+        hints.push({
+            code: 'remove-pull-requests-write',
+            severity: 'warning',
+            message: '`pull-requests: write` requested but no comment-posting step detected — narrow to `contents: read`.',
+            explanation: 'Wider permission tokens leak more credentials when an action is compromised. Only enable write scopes on the step that needs them.',
+            patch: body ? makeNarrowPermissionsPatch(audit.workflowFile, body) : undefined,
+            insertion: leastPrivilegeBlock(audit.provider, false),
+        });
+    }
+    // Case 3: no permissions block at all.
+    if (isGha && missingPermsBlock && !audit.postsComments) {
+        hints.push({
+            code: 'add-permissions-block',
+            severity: 'info',
+            message: 'No top-level `permissions:` block — workflow inherits the repository default. Add `contents: read` to lock down the token explicitly.',
+            explanation: 'Even if the repo default looks read-only, explicit permissions blocks are reviewer-friendly and survive default changes.',
+            patch: body ? makeAddPermissionsBlockPatch(audit.workflowFile, body, false) : undefined,
+            insertion: leastPrivilegeBlock(audit.provider, false),
+        });
+    }
+    return finalize(audit, hints);
+}
+function finalize(audit, hints) {
+    // Supply-chain hints — provider-agnostic.
+    if (audit.externalActions.length > 0) {
+        hints.push({
+            code: 'pin-action-sha',
+            severity: 'info',
+            message: `Uses ${audit.externalActions.length} external action(s). Pin each to an immutable SHA when reproducibility matters.`,
+            explanation: 'Tag-based references (`@v4`) are mutable. Pinning the action SHA mitigates supply-chain swap-outs.',
+        });
+    }
+    if (audit.externalImages.length > 0) {
+        hints.push({
+            code: 'pin-image-digest',
+            severity: 'info',
+            message: `Uses ${audit.externalImages.length} external image(s). Consider pinning by digest.`,
+            explanation: 'Tag-based image references can be rewritten after a vulnerability. Pinning to `@sha256:…` is sturdier.',
+        });
+    }
+    if (hints.length === 0) {
+        hints.push({
+            code: 'no-action-required',
+            severity: 'info',
+            message: 'Permissions audit looks tight — no automated fix to suggest.',
+            explanation: 'The workflow already requests least privilege for its detected steps. Continue to review external actions on each upgrade.',
+        });
+    }
+    const combinedPatch = hints
+        .map((h) => h.patch)
+        .filter((p) => Boolean(p))
+        .join('\n');
+    return {
+        schema: CI_PERMISSIONS_FIX_SCHEMA,
+        provider: audit.provider,
+        workflowFile: audit.workflowFile,
+        hints,
+        combinedPatch,
+    };
+}
+export function renderCiPermissionsFixPreview(preview, format) {
+    if (format === 'json')
+        return JSON.stringify(preview, null, 2) + '\n';
+    if (format === 'patch') {
+        if (preview.combinedPatch)
+            return preview.combinedPatch;
+        return '# No actionable diff — see the markdown report for explanation.\n';
+    }
+    const lines = [];
+    lines.push(`# CI permissions fix preview — \`${preview.workflowFile}\``);
+    lines.push('');
+    lines.push(`Provider: \`${preview.provider}\``);
+    lines.push('');
+    for (const h of preview.hints) {
+        lines.push(`## ${h.code} _(${h.severity})_`);
+        lines.push('');
+        lines.push(h.message);
+        lines.push('');
+        lines.push(h.explanation);
+        if (h.insertion) {
+            lines.push('');
+            lines.push('Suggested insertion:');
+            lines.push('');
+            lines.push('```yaml');
+            lines.push(h.insertion.trimEnd());
+            lines.push('```');
+        }
+        if (h.patch) {
+            lines.push('');
+            lines.push('Suggested patch:');
+            lines.push('');
+            lines.push('```diff');
+            lines.push(h.patch.trimEnd());
+            lines.push('```');
+        }
+        lines.push('');
+    }
+    return lines.join('\n');
+}

package/dist/ci-permissions.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * CI workflow permissions audit.
+ *
+ * Reads a workflow YAML and produces a structured assessment of:
+ *  - which write scopes the workflow requests,
+ *  - whether the workflow posts comments,
+ *  - whether it uses external actions or container images,
+ *  - whether it uploads artifacts,
+ *  - a least-privilege recommendation.
+ *
+ * The audit is intentionally regex-based — no YAML parser, no network
+ * resolution. The goal is "deterministic explanation of what this file
+ * implies", not full schema validation.
+ */
+export declare const CI_PERMISSIONS_AUDIT_SCHEMA = "sharkcraft.ci-permissions-audit/v1";
+export type CiProviderForAudit = 'github-actions' | 'gitlab' | 'bitbucket' | 'azure' | 'jenkins';
+export interface ICiPermissionsFinding {
+    code: 'permissions-block-missing' | 'permissions-write-requested' | 'comment-posting-detected' | 'token-usage' | 'external-action' | 'external-image' | 'artifact-upload' | 'shell-step';
+    severity: 'info' | 'warning' | 'error';
+    message: string;
+    /** Lines (1-indexed) in the workflow where the finding was triggered. */
+    lines: readonly number[];
+    /** Optional remediation hint. */
+    suggestion?: string;
+}
+export interface ICiPermissionsAudit {
+    schema: typeof CI_PERMISSIONS_AUDIT_SCHEMA;
+    provider: CiProviderForAudit;
+    workflowFile: string;
+    exists: boolean;
+    /** Top-level summary booleans for quick consumption. */
+    postsComments: boolean;
+    requestsWritePermissions: boolean;
+    usesTokens: boolean;
+    externalActions: readonly string[];
+    externalImages: readonly string[];
+    uploadsArtifacts: boolean;
+    findings: readonly ICiPermissionsFinding[];
+    /** Recommended least-privilege block (provider-specific). */
+    recommendation: string;
+    /** Free-form notes for the human reviewer. */
+    notes: readonly string[];
+}
+export interface IAuditCiWorkflowInput {
+    /** Absolute path to the workflow file. */
+    file: string;
+    /** Override the detected provider (useful when the filename is non-standard). */
+    provider?: CiProviderForAudit | null;
+}
+export declare function auditCiWorkflow(input: IAuditCiWorkflowInput): ICiPermissionsAudit;
+//# sourceMappingURL=ci-permissions.d.ts.map

package/dist/ci-permissions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ci-permissions.d.ts","sourceRoot":"","sources":["../src/ci-permissions.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,uCAAuC,CAAC;AAEhF,MAAM,MAAM,kBAAkB,GAAG,gBAAgB,GAAG,QAAQ,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAEjG,MAAM,WAAW,qBAAqB;IACpC,IAAI,EACA,2BAA2B,GAC3B,6BAA6B,GAC7B,0BAA0B,GAC1B,aAAa,GACb,iBAAiB,GACjB,gBAAgB,GAChB,iBAAiB,GACjB,YAAY,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,yEAAyE;IACzE,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;IACzB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,2BAA2B,CAAC;IAC3C,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;IAChB,wDAAwD;IACxD,aAAa,EAAE,OAAO,CAAC;IACvB,wBAAwB,EAAE,OAAO,CAAC;IAClC,UAAU,EAAE,OAAO,CAAC;IACpB,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,SAAS,qBAAqB,EAAE,CAAC;IAC3C,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;IACvB,8CAA8C;IAC9C,KAAK,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1B;AAwWD,MAAM,WAAW,qBAAqB;IACpC,0CAA0C;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,QAAQ,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACtC;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,qBAAqB,GAAG,mBAAmB,CAmEjF"}