@skillsmith/core 0.4.9 → 0.4.10

package/dist/src/services/quarantine/QuarantineService.js

@@ -0,0 +1,406 @@
+/**
+ * SMI-2269: Quarantine Service with Authentication
+ *
+ * Service layer for quarantine operations that enforces authentication
+ * and authorization. Wraps QuarantineRepository with security controls.
+ *
+ * VP Engineering Guidance:
+ * - Auth belongs in service/handler layer, not repository
+ * - Repositories should be pure data access
+ *
+ * Security Controls:
+ * - QUA-002: Requires authenticated session for review operations
+ * - Enforces security_reviewer permission for review access
+ * - Multi-approval workflow for MALICIOUS severity
+ * - Audit logs include verified reviewer identity
+ *
+ * @module @skillsmith/core/services/quarantine/QuarantineService
+ */
+import { QuarantineServiceError, requirePermission } from './types.js';
+// ============================================================================
+// Configuration
+// ============================================================================
+/**
+ * Number of approvals required for MALICIOUS severity reviews
+ */
+const MALICIOUS_APPROVAL_COUNT = 2;
+/**
+ * Multi-approval timeout in milliseconds (24 hours)
+ */
+const MULTI_APPROVAL_TIMEOUT_MS = 24 * 60 * 60 * 1000;
+// ============================================================================
+// Service Implementation
+// ============================================================================
+/**
+ * Quarantine Service with Authentication
+ *
+ * Provides authenticated access to quarantine operations with:
+ * - Session validation
+ * - Permission checks (security_reviewer role)
+ * - Multi-approval workflow for MALICIOUS severity
+ * - Audit logging with verified identities
+ *
+ * @example
+ * ```typescript
+ * const service = new QuarantineService(repository, auditLogger)
+ *
+ * // Review a quarantined skill (requires authentication)
+ * const result = await service.review(
+ *   session,
+ *   quarantineId,
+ *   { reviewStatus: 'approved', reviewNotes: 'Verified safe' }
+ * )
+ * ```
+ */
+export class QuarantineService {
+    repository;
+    auditLogger;
+    /**
+     * In-memory store for pending multi-approvals
+     * Key: quarantineId, Value: MultiApprovalStatus
+     *
+     * Note: In production, this should be persisted to database
+     */
+    pendingApprovals = new Map();
+    constructor(repository, auditLogger) {
+        this.repository = repository;
+        this.auditLogger = auditLogger;
+    }
+    // ==========================================================================
+    // Read Operations (require quarantine:read permission)
+    // ==========================================================================
+    /**
+     * Find a quarantine entry by ID
+     *
+     * @param session - Authenticated session
+     * @param id - Quarantine entry ID
+     * @returns Quarantine entry or null
+     */
+    findById(session, id) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findById(id);
+    }
+    /**
+     * Find quarantine entries for a skill
+     *
+     * @param session - Authenticated session
+     * @param skillId - Skill ID
+     * @returns Array of quarantine entries
+     */
+    findBySkillId(session, skillId) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findBySkillId(skillId);
+    }
+    /**
+     * Find all quarantine entries with optional filtering
+     *
+     * @param session - Authenticated session
+     * @param filter - Query filters
+     * @returns Paginated quarantine results
+     */
+    findAll(session, filter) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findAll(filter);
+    }
+    /**
+     * Get quarantine statistics
+     *
+     * @param session - Authenticated session
+     * @returns Quarantine statistics
+     */
+    getStats(session) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.getStats();
+    }
+    // ==========================================================================
+    // Review Operations (require quarantine:review permission)
+    // ==========================================================================
+    /**
+     * Review a quarantine entry with authentication
+     *
+     * This is the secure replacement for QuarantineRepository.review().
+     * It enforces:
+     * - Valid authenticated session
+     * - security_reviewer permission (quarantine:review)
+     * - Multi-approval for MALICIOUS severity (quarantine:review_malicious)
+     * - Audit logging with verified reviewer identity
+     *
+     * @param session - Authenticated session (verified by auth layer)
+     * @param quarantineId - Quarantine entry ID to review
+     * @param input - Review decision and notes
+     * @returns Review result with verified reviewer identity
+     * @throws QuarantineServiceError on auth/permission failure
+     */
+    review(session, quarantineId, input) {
+        // Validate session and require review permission
+        requirePermission(session, 'quarantine:review');
+        // Get the quarantine entry
+        const entry = this.repository.findById(quarantineId);
+        if (!entry) {
+            throw new QuarantineServiceError(`Quarantine entry not found: ${quarantineId}`, 'NOT_FOUND', {
+                quarantineId,
+            });
+        }
+        // Check if already reviewed
+        if (entry.reviewStatus !== 'pending') {
+            throw new QuarantineServiceError(`Quarantine entry already reviewed: ${entry.reviewStatus}`, 'ALREADY_REVIEWED', { quarantineId, currentStatus: entry.reviewStatus });
+        }
+        // For MALICIOUS severity, require multi-approval workflow
+        if (entry.severity === 'MALICIOUS' && input.reviewStatus === 'approved') {
+            return this.handleMaliciousApproval(session, quarantineId, entry.skillId, input);
+        }
+        // For MALICIOUS severity rejection or non-MALICIOUS, check elevated permission
+        if (entry.severity === 'MALICIOUS') {
+            requirePermission(session, 'quarantine:review_malicious');
+        }
+        // Perform the review with verified identity
+        const reviewResult = this.repository.review(quarantineId, {
+            reviewedBy: session.email, // Verified email from session
+            reviewStatus: input.reviewStatus,
+            reviewNotes: input.reviewNotes,
+        });
+        if (!reviewResult) {
+            throw new QuarantineServiceError('Failed to review quarantine entry', 'INVALID_INPUT', {
+                quarantineId,
+            });
+        }
+        // Log audit event with full session details
+        this.auditLogger.log({
+            event_type: 'quarantine_authenticated_review',
+            actor: 'reviewer',
+            resource: entry.skillId,
+            action: 'review',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                reviewStatus: input.reviewStatus,
+                reviewer: {
+                    userId: session.userId,
+                    email: session.email,
+                    displayName: session.displayName,
+                },
+                sessionId: session.sessionId,
+                severity: entry.severity,
+                canImport: reviewResult.canImport,
+            },
+        });
+        return {
+            success: true,
+            approved: reviewResult.approved,
+            skillId: reviewResult.skillId,
+            severity: reviewResult.severity,
+            canImport: reviewResult.canImport,
+            warnings: reviewResult.warnings,
+            reviewedBy: {
+                userId: session.userId,
+                email: session.email,
+                displayName: session.displayName,
+            },
+        };
+    }
+    // ==========================================================================
+    // Multi-Approval Workflow (MALICIOUS Severity)
+    // ==========================================================================
+    /**
+     * Handle approval for MALICIOUS severity skills
+     *
+     * MALICIOUS severity requires multiple reviewers to approve
+     * before a skill can be unquarantined. This prevents single
+     * reviewer compromise from allowing malicious skills.
+     *
+     * @param session - Authenticated session
+     * @param quarantineId - Quarantine entry ID
+     * @param skillId - Skill ID
+     * @param input - Review input
+     * @returns Review result with multi-approval status
+     */
+    handleMaliciousApproval(session, quarantineId, skillId, input) {
+        // Require elevated permission for MALICIOUS review
+        requirePermission(session, 'quarantine:review_malicious');
+        // Get or create pending approval status
+        let approvalStatus = this.pendingApprovals.get(quarantineId);
+        if (!approvalStatus) {
+            // Start new multi-approval workflow
+            approvalStatus = {
+                quarantineId,
+                requiredApprovals: MALICIOUS_APPROVAL_COUNT,
+                currentApprovals: [],
+                isComplete: false,
+                startedAt: new Date(),
+            };
+            this.pendingApprovals.set(quarantineId, approvalStatus);
+        }
+        // Check if this reviewer already approved
+        const existingApproval = approvalStatus.currentApprovals.find((a) => a.reviewerId === session.userId);
+        if (existingApproval) {
+            throw new QuarantineServiceError('You have already approved this entry', 'ALREADY_REVIEWED', {
+                quarantineId,
+                previousApprovalAt: existingApproval.approvedAt.toISOString(),
+            });
+        }
+        // Check for approval timeout
+        const timeSinceStart = Date.now() - approvalStatus.startedAt.getTime();
+        if (timeSinceStart > MULTI_APPROVAL_TIMEOUT_MS) {
+            // Reset approval workflow
+            this.pendingApprovals.delete(quarantineId);
+            throw new QuarantineServiceError('Multi-approval workflow timed out. Please start again.', 'INVALID_INPUT', { quarantineId, timeoutMs: MULTI_APPROVAL_TIMEOUT_MS });
+        }
+        // Add this approval
+        const approval = {
+            reviewerId: session.userId,
+            reviewerEmail: session.email,
+            approvedAt: new Date(),
+            notes: input.reviewNotes,
+        };
+        approvalStatus.currentApprovals.push(approval);
+        // Log the approval
+        this.auditLogger.log({
+            event_type: 'quarantine_multi_approval',
+            actor: 'reviewer',
+            resource: skillId,
+            action: 'approve',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                approvalNumber: approvalStatus.currentApprovals.length,
+                requiredApprovals: approvalStatus.requiredApprovals,
+                reviewer: {
+                    userId: session.userId,
+                    email: session.email,
+                },
+            },
+        });
+        // Check if we have enough approvals
+        if (approvalStatus.currentApprovals.length >= approvalStatus.requiredApprovals) {
+            // Complete the approval workflow
+            approvalStatus.isComplete = true;
+            approvalStatus.completedAt = new Date();
+            // Perform the actual review
+            const reviewResult = this.repository.review(quarantineId, {
+                reviewedBy: approvalStatus.currentApprovals.map((a) => a.reviewerEmail).join(', '),
+                reviewStatus: 'approved',
+                reviewNotes: `Multi-approval complete: ${approvalStatus.currentApprovals.length} reviewers approved. ${input.reviewNotes || ''}`,
+            });
+            // Clean up pending approval
+            this.pendingApprovals.delete(quarantineId);
+            // Log completion
+            this.auditLogger.log({
+                event_type: 'quarantine_multi_approval_complete',
+                actor: 'reviewer',
+                resource: skillId,
+                action: 'complete',
+                result: 'success',
+                metadata: {
+                    quarantineId,
+                    approvals: approvalStatus.currentApprovals.map((a) => ({
+                        reviewerId: a.reviewerId,
+                        email: a.reviewerEmail,
+                        approvedAt: a.approvedAt.toISOString(),
+                    })),
+                },
+            });
+            return {
+                success: true,
+                approved: true,
+                skillId,
+                severity: 'MALICIOUS',
+                canImport: reviewResult?.canImport ?? false,
+                warnings: [
+                    'MALICIOUS skill approved through multi-approval workflow',
+                    `Approved by: ${approvalStatus.currentApprovals.map((a) => a.reviewerEmail).join(', ')}`,
+                ],
+                reviewedBy: {
+                    userId: session.userId,
+                    email: session.email,
+                    displayName: session.displayName,
+                },
+                multiApprovalStatus: approvalStatus,
+            };
+        }
+        // Need more approvals
+        return {
+            success: true,
+            approved: false,
+            skillId,
+            severity: 'MALICIOUS',
+            canImport: false,
+            warnings: [
+                `Multi-approval in progress: ${approvalStatus.currentApprovals.length}/${approvalStatus.requiredApprovals} approvals received`,
+                `Requires ${approvalStatus.requiredApprovals - approvalStatus.currentApprovals.length} more approval(s)`,
+            ],
+            reviewedBy: {
+                userId: session.userId,
+                email: session.email,
+                displayName: session.displayName,
+            },
+            multiApprovalStatus: approvalStatus,
+        };
+    }
+    /**
+     * Get pending multi-approval status for a quarantine entry
+     *
+     * @param session - Authenticated session
+     * @param quarantineId - Quarantine entry ID
+     * @returns Multi-approval status or null
+     */
+    getMultiApprovalStatus(session, quarantineId) {
+        requirePermission(session, 'quarantine:read');
+        return this.pendingApprovals.get(quarantineId) ?? null;
+    }
+    /**
+     * Cancel a pending multi-approval workflow
+     *
+     * @param session - Authenticated session (requires admin)
+     * @param quarantineId - Quarantine entry ID
+     * @returns Whether the cancellation was successful
+     */
+    cancelMultiApproval(session, quarantineId) {
+        requirePermission(session, 'quarantine:admin');
+        const status = this.pendingApprovals.get(quarantineId);
+        if (!status) {
+            return false;
+        }
+        this.pendingApprovals.delete(quarantineId);
+        this.auditLogger.log({
+            event_type: 'quarantine_multi_approval_cancelled',
+            actor: 'reviewer',
+            resource: quarantineId,
+            action: 'cancel',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                cancelledBy: session.email,
+                pendingApprovals: status.currentApprovals.length,
+            },
+        });
+        return true;
+    }
+    // ==========================================================================
+    // Admin Operations (require quarantine:admin permission)
+    // ==========================================================================
+    /**
+     * Create a quarantine entry (admin only)
+     *
+     * @param session - Authenticated session
+     * @param input - Quarantine creation input
+     * @returns Created quarantine entry
+     */
+    create(session, input) {
+        requirePermission(session, 'quarantine:create');
+        return this.repository.create(input);
+    }
+    /**
+     * Delete a quarantine entry (admin only)
+     *
+     * @param session - Authenticated session
+     * @param id - Quarantine entry ID
+     * @returns Whether the entry was deleted
+     */
+    delete(session, id) {
+        requirePermission(session, 'quarantine:delete');
+        // Cancel any pending multi-approval
+        this.pendingApprovals.delete(id);
+        return this.repository.delete(id);
+    }
+}
+//# sourceMappingURL=QuarantineService.js.map

package/dist/src/services/quarantine/QuarantineService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"QuarantineService.js","sourceRoot":"","sources":["../../../../src/services/quarantine/QuarantineService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAWH,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AAEtE,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,wBAAwB,GAAG,CAAC,CAAA;AAElC;;GAEG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAErD,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,iBAAiB;IAUT;IACA;IAVnB;;;;;OAKG;IACK,gBAAgB,GAAqC,IAAI,GAAG,EAAE,CAAA;IAEtE,YACmB,UAAgC,EAChC,WAAwB;QADxB,eAAU,GAAV,UAAU,CAAsB;QAChC,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,6EAA6E;IAC7E,uDAAuD;IACvD,6EAA6E;IAE7E;;;;;;OAMG;IACH,QAAQ,CAAC,OAA6B,EAAE,EAAU;QAChD,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACrC,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAC,OAA6B,EAAE,OAAe;QAC1D,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/C,CAAC;IAED;;;;;;OAMG;IACH,OAAO,CAAC,OAA6B,EAAE,MAAuD;QAC5F,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACxC,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CAAC,OAA6B;QACpC,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAA;IACnC,CAAC;IAED,6EAA6E;IAC7E,2DAA2D;IAC3D,6EAA6E;IAE7E;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CACJ,OAA6B,EAC7B,YAAoB,EACpB,KAA+B;QAE/B,iDAAiD;QACjD,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAE/C,2BAA2B;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,YAAY,EAAE,EAAE,WAAW,EAAE;gBAC3F,YAAY;aACb,CAAC,CAAA;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,sBAAsB,CAC9B,sCAAsC,KAAK,CAAC,YAAY,EAAE,EAC1D,kBAAkB,EAClB,EAAE,YAAY,EAAE,aAAa,EAAE,KAAK,CAAC,YAAY,EAAE,CACpD,CAAA;QACH,CAAC;QAED,0DAA0D;QAC1D,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,IAAI,KAAK,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,YAAY,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAClF,CAAC;QAED,+EAA+E;QAC/E,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACnC,iBAAiB,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAA;QAC3D,CAAC;QAED,4CAA4C;QAC5C,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,EAAE;YACxD,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,8BAA8B;YACzD,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC,CAAA;QAEF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAsB,CAAC,mCAAmC,EAAE,eAAe,EAAE;gBACrF,YAAY;aACb,CAAC,CAAA;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,iCAAiC;YAC7C,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,SAAS,EAAE,YAAY,CAAC,SAAS;aAClC;SACF,CAAC,CAAA;QAEF,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,OAAO,EAAE,YAAY,CAAC,OAAO;YAC7B,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,SAAS,EAAE,YAAY,CAAC,SAAS;YACjC,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;SACF,CAAA;IACH,CAAC;IAED,6EAA6E;IAC7E,+CAA+C;IAC/C,6EAA6E;IAE7E;;;;;;;;;;;;OAYG;IACK,uBAAuB,CAC7B,OAA6B,EAC7B,YAAoB,EACpB,OAAe,EACf,KAA+B;QAE/B,mDAAmD;QACnD,iBAAiB,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAA;QAEzD,wCAAwC;QACxC,IAAI,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAE5D,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,oCAAoC;YACpC,cAAc,GAAG;gBACf,YAAY;gBACZ,iBAAiB,EAAE,wBAAwB;gBAC3C,gBAAgB,EAAE,EAAE;gBACpB,UAAU,EAAE,KAAK;gBACjB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAA;YACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;QACzD,CAAC;QAED,0CAA0C;QAC1C,MAAM,gBAAgB,GAAG,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO,CAAC,MAAM,CACvC,CAAA;QACD,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,IAAI,sBAAsB,CAAC,sCAAsC,EAAE,kBAAkB,EAAE;gBAC3F,YAAY;gBACZ,kBAAkB,EAAE,gBAAgB,CAAC,UAAU,CAAC,WAAW,EAAE;aAC9D,CAAC,CAAA;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACtE,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;YAC/C,0BAA0B;YAC1B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,MAAM,IAAI,sBAAsB,CAC9B,wDAAwD,EACxD,eAAe,EACf,EAAE,YAAY,EAAE,SAAS,EAAE,yBAAyB,EAAE,CACvD,CAAA;QACH,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAmB;YAC/B,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,KAAK;YAC5B,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,KAAK,EAAE,KAAK,CAAC,WAAW;SACzB,CAAA;QACD,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAE9C,mBAAmB;QACnB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,2BAA2B;YACvC,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,cAAc,EAAE,cAAc,CAAC,gBAAgB,CAAC,MAAM;gBACtD,iBAAiB,EAAE,cAAc,CAAC,iBAAiB;gBACnD,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF;SACF,CAAC,CAAA;QAEF,oCAAoC;QACpC,IAAI,cAAc,CAAC,gBAAgB,CAAC,MAAM,IAAI,cAAc,CAAC,iBAAiB,EAAE,CAAC;YAC/E,iCAAiC;YACjC,cAAc,CAAC,UAAU,GAAG,IAAI,CAAA;YAChC,cAAc,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAA;YAEvC,4BAA4B;YAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,EAAE;gBACxD,UAAU,EAAE,cAAc,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAClF,YAAY,EAAE,UAAU;gBACxB,WAAW,EAAE,4BAA4B,cAAc,CAAC,gBAAgB,CAAC,MAAM,wBAAwB,KAAK,CAAC,WAAW,IAAI,EAAE,EAAE;aACjI,CAAC,CAAA;YAEF,4BAA4B;YAC5B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;YAE1C,iBAAiB;YACjB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACnB,UAAU,EAAE,oCAAoC;gBAChD,KAAK,EAAE,UAAU;gBACjB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE;oBACR,YAAY;oBACZ,SAAS,EAAE,cAAc,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,UAAU,EAAE,CAAC,CAAC,UAAU;wBACxB,KAAK,EAAE,CAAC,CAAC,aAAa;wBACtB,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;qBACvC,CAAC,CAAC;iBACJ;aACF,CAAC,CAAA;YAEF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,IAAI;gBACd,OAAO;gBACP,QAAQ,EAAE,WAAW;gBACrB,SAAS,EAAE,YAAY,EAAE,SAAS,IAAI,KAAK;gBAC3C,QAAQ,EAAE;oBACR,0DAA0D;oBAC1D,gBAAgB,cAAc,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBACzF;gBACD,UAAU,EAAE;oBACV,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,mBAAmB,EAAE,cAAc;aACpC,CAAA;QACH,CAAC;QAED,sBAAsB;QACtB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,KAAK;YACf,OAAO;YACP,QAAQ,EAAE,WAAW;YACrB,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE;gBACR,+BAA+B,cAAc,CAAC,gBAAgB,CAAC,MAAM,IAAI,cAAc,CAAC,iBAAiB,qBAAqB;gBAC9H,YAAY,cAAc,CAAC,iBAAiB,GAAG,cAAc,CAAC,gBAAgB,CAAC,MAAM,mBAAmB;aACzG;YACD,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,mBAAmB,EAAE,cAAc;SACpC,CAAA;IACH,CAAC;IAED;;;;;;OAMG;IACH,sBAAsB,CACpB,OAA6B,EAC7B,YAAoB;QAEpB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,IAAI,CAAA;IACxD,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,CAAC,OAA6B,EAAE,YAAoB;QACrE,iBAAiB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAE9C,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;QAE1C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,qCAAqC;YACjD,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,WAAW,EAAE,OAAO,CAAC,KAAK;gBAC1B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,CAAC,MAAM;aACjD;SACF,CAAC,CAAA;QAEF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6EAA6E;IAC7E,yDAAyD;IACzD,6EAA6E;IAE7E;;;;;;OAMG;IACH,MAAM,CAAC,OAA6B,EAAE,KAAoD;QACxF,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IACtC,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,OAA6B,EAAE,EAAU;QAC9C,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAE/C,oCAAoC;QACpC,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QAEhC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;IACnC,CAAC;CACF"}

package/dist/src/services/quarantine/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * SMI-2269: Quarantine Service Module
+ *
+ * Authenticated quarantine operations with multi-approval workflow.
+ *
+ * @module @skillsmith/core/services/quarantine
+ */
+export { QuarantineService } from './QuarantineService.js';
+export { type QuarantinePermission, type AuthenticatedSession, type ApprovalRecord, type MultiApprovalStatus, type AuthenticatedReviewInput, type AuthenticatedReviewResult, type QuarantineServiceErrorCode, QuarantineServiceError, hasPermission, isSessionValid, requirePermission, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/services/quarantine/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/services/quarantine/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO,EAEL,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAE/B,sBAAsB,EAEtB,aAAa,EACb,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA"}

package/dist/src/services/quarantine/index.js

@@ -0,0 +1,14 @@
+/**
+ * SMI-2269: Quarantine Service Module
+ *
+ * Authenticated quarantine operations with multi-approval workflow.
+ *
+ * @module @skillsmith/core/services/quarantine
+ */
+export { QuarantineService } from './QuarantineService.js';
+export { 
+// Error class
+QuarantineServiceError, 
+// Helper functions
+hasPermission, isSessionValid, requirePermission, } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/src/services/quarantine/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/services/quarantine/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO;AASL,cAAc;AACd,sBAAsB;AACtB,mBAAmB;AACnB,aAAa,EACb,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA"}

package/dist/src/services/quarantine/types.d.ts

@@ -0,0 +1,127 @@
+/**
+ * SMI-2269: Quarantine Service Types
+ *
+ * Authentication and authorization types for quarantine review operations.
+ * Part of QUA-002 security fix: No authentication on quarantine review.
+ *
+ * @module @skillsmith/core/services/quarantine/types
+ */
+import type { QuarantineSeverity, QuarantineReviewStatus } from '../../db/quarantine-schema.js';
+/**
+ * User permissions for quarantine operations
+ */
+export type QuarantinePermission = 'quarantine:read' | 'quarantine:create' | 'quarantine:review' | 'quarantine:review_malicious' | 'quarantine:delete' | 'quarantine:admin';
+/**
+ * Authenticated session for quarantine operations
+ *
+ * All quarantine review operations require a valid session with
+ * appropriate permissions. This ensures audit trails contain
+ * verified reviewer identities.
+ */
+export interface AuthenticatedSession {
+    /** Unique user identifier (from auth provider) */
+    userId: string;
+    /** User's email address (verified) */
+    email: string;
+    /** User's display name */
+    displayName: string;
+    /** User's assigned permissions */
+    permissions: QuarantinePermission[];
+    /** Session token ID for audit logging */
+    sessionId: string;
+    /** Session expiration timestamp */
+    expiresAt: Date;
+    /** Organization/team ID (for team-based permissions) */
+    organizationId?: string;
+}
+/**
+ * Approval record for multi-approval workflow
+ */
+export interface ApprovalRecord {
+    /** Reviewer user ID */
+    reviewerId: string;
+    /** Reviewer email */
+    reviewerEmail: string;
+    /** Timestamp of approval */
+    approvedAt: Date;
+    /** Optional notes from reviewer */
+    notes?: string;
+}
+/**
+ * Multi-approval status for MALICIOUS severity reviews
+ */
+export interface MultiApprovalStatus {
+    /** Quarantine entry ID */
+    quarantineId: string;
+    /** Required number of approvals */
+    requiredApprovals: number;
+    /** Current approvals received */
+    currentApprovals: ApprovalRecord[];
+    /** Whether all required approvals have been received */
+    isComplete: boolean;
+    /** Timestamp when first approval was received */
+    startedAt: Date;
+    /** Timestamp when approval completed (if complete) */
+    completedAt?: Date;
+}
+/**
+ * Input for authenticated review operation
+ */
+export interface AuthenticatedReviewInput {
+    /** Review status decision */
+    reviewStatus: QuarantineReviewStatus;
+    /** Optional review notes */
+    reviewNotes?: string;
+}
+/**
+ * Result from authenticated review operation
+ */
+export interface AuthenticatedReviewResult {
+    /** Whether the review was successful */
+    success: boolean;
+    /** Whether the skill is approved for import */
+    approved: boolean;
+    /** Skill ID that was reviewed */
+    skillId: string;
+    /** Severity of the quarantined skill */
+    severity: QuarantineSeverity;
+    /** Whether the skill can be imported */
+    canImport: boolean;
+    /** Any warnings about the skill */
+    warnings: string[];
+    /** Verified reviewer identity */
+    reviewedBy: {
+        userId: string;
+        email: string;
+        displayName: string;
+    };
+    /** For MALICIOUS severity: multi-approval status */
+    multiApprovalStatus?: MultiApprovalStatus;
+}
+/**
+ * Error codes for quarantine service operations
+ */
+export type QuarantineServiceErrorCode = 'UNAUTHORIZED' | 'FORBIDDEN' | 'SESSION_EXPIRED' | 'INSUFFICIENT_PERMISSIONS' | 'MULTI_APPROVAL_REQUIRED' | 'ALREADY_REVIEWED' | 'NOT_FOUND' | 'INVALID_INPUT';
+/**
+ * Service error with typed error codes
+ */
+export declare class QuarantineServiceError extends Error {
+    readonly code: QuarantineServiceErrorCode;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: QuarantineServiceErrorCode, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Check if session has a specific permission
+ */
+export declare function hasPermission(session: AuthenticatedSession, permission: QuarantinePermission): boolean;
+/**
+ * Check if session is valid (not expired)
+ */
+export declare function isSessionValid(session: AuthenticatedSession): boolean;
+/**
+ * Validate session and check permission
+ *
+ * @throws QuarantineServiceError if session is invalid or lacks permission
+ */
+export declare function requirePermission(session: AuthenticatedSession, permission: QuarantinePermission): void;
+//# sourceMappingURL=types.d.ts.map

package/dist/src/services/quarantine/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/services/quarantine/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AAM/F;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAC5B,iBAAiB,GACjB,mBAAmB,GACnB,mBAAmB,GACnB,6BAA6B,GAC7B,mBAAmB,GACnB,kBAAkB,CAAA;AAEtB;;;;;;GAMG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,MAAM,EAAE,MAAM,CAAA;IAEd,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAA;IAEb,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAA;IAEnB,kCAAkC;IAClC,WAAW,EAAE,oBAAoB,EAAE,CAAA;IAEnC,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAA;IAEjB,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAA;IAEf,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAA;IAElB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAA;IAErB,4BAA4B;IAC5B,UAAU,EAAE,IAAI,CAAA;IAEhB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAA;IAEpB,mCAAmC;IACnC,iBAAiB,EAAE,MAAM,CAAA;IAEzB,iCAAiC;IACjC,gBAAgB,EAAE,cAAc,EAAE,CAAA;IAElC,wDAAwD;IACxD,UAAU,EAAE,OAAO,CAAA;IAEnB,iDAAiD;IACjD,SAAS,EAAE,IAAI,CAAA;IAEf,sDAAsD;IACtD,WAAW,CAAC,EAAE,IAAI,CAAA;CACnB;AAMD;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,6BAA6B;IAC7B,YAAY,EAAE,sBAAsB,CAAA;IAEpC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAA;IAEhB,+CAA+C;IAC/C,QAAQ,EAAE,OAAO,CAAA;IAEjB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAA;IAEf,wCAAwC;IACxC,QAAQ,EAAE,kBAAkB,CAAA;IAE5B,wCAAwC;IACxC,SAAS,EAAE,OAAO,CAAA;IAElB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAA;IAElB,iCAAiC;IACjC,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,MAAM,CAAA;QACb,WAAW,EAAE,MAAM,CAAA;KACpB,CAAA;IAED,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,mBAAmB,CAAA;CAC1C;AAMD;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,cAAc,GACd,WAAW,GACX,iBAAiB,GACjB,0BAA0B,GAC1B,yBAAyB,GACzB,kBAAkB,GAClB,WAAW,GACX,eAAe,CAAA;AAEnB;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;aAG7B,IAAI,EAAE,0BAA0B;aAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFjD,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,0BAA0B,EAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKpD;AAMD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,UAAU,EAAE,oBAAoB,GAC/B,OAAO,CAMT;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAErE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,oBAAoB,EAC7B,UAAU,EAAE,oBAAoB,GAC/B,IAAI,CAiBN"}

package/dist/src/services/quarantine/types.js

@@ -0,0 +1,59 @@
+/**
+ * SMI-2269: Quarantine Service Types
+ *
+ * Authentication and authorization types for quarantine review operations.
+ * Part of QUA-002 security fix: No authentication on quarantine review.
+ *
+ * @module @skillsmith/core/services/quarantine/types
+ */
+/**
+ * Service error with typed error codes
+ */
+export class QuarantineServiceError extends Error {
+    code;
+    details;
+    constructor(message, code, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'QuarantineServiceError';
+    }
+}
+// ============================================================================
+// Permission Helpers
+// ============================================================================
+/**
+ * Check if session has a specific permission
+ */
+export function hasPermission(session, permission) {
+    // Admin has all permissions
+    if (session.permissions.includes('quarantine:admin')) {
+        return true;
+    }
+    return session.permissions.includes(permission);
+}
+/**
+ * Check if session is valid (not expired)
+ */
+export function isSessionValid(session) {
+    return session.expiresAt > new Date();
+}
+/**
+ * Validate session and check permission
+ *
+ * @throws QuarantineServiceError if session is invalid or lacks permission
+ */
+export function requirePermission(session, permission) {
+    if (!isSessionValid(session)) {
+        throw new QuarantineServiceError('Session has expired', 'SESSION_EXPIRED', {
+            expiresAt: session.expiresAt.toISOString(),
+        });
+    }
+    if (!hasPermission(session, permission)) {
+        throw new QuarantineServiceError(`Permission denied: ${permission} required`, 'INSUFFICIENT_PERMISSIONS', {
+            required: permission,
+            available: session.permissions,
+        });
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/src/services/quarantine/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/services/quarantine/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA8JH;;GAEG;AACH,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAG7B;IACA;IAHlB,YACE,OAAe,EACC,IAAgC,EAChC,OAAiC;QAEjD,KAAK,CAAC,OAAO,CAAC,CAAA;QAHE,SAAI,GAAJ,IAAI,CAA4B;QAChC,YAAO,GAAP,OAAO,CAA0B;QAGjD,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAA;IACtC,CAAC;CACF;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,OAA6B,EAC7B,UAAgC;IAEhC,4BAA4B;IAC5B,IAAI,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACrD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAA6B;IAC1D,OAAO,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAA;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA6B,EAC7B,UAAgC;IAEhC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,sBAAsB,CAAC,qBAAqB,EAAE,iBAAiB,EAAE;YACzE,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;SAC3C,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,sBAAsB,CAC9B,sBAAsB,UAAU,WAAW,EAC3C,0BAA0B,EAC1B;YACE,QAAQ,EAAE,UAAU;YACpB,SAAS,EAAE,OAAO,CAAC,WAAW;SAC/B,CACF,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/src/types/skill.d.ts

@@ -3,8 +3,13 @@
  */
 /**
  * SMI-1809: Added 'local' for local skills from ~/.claude/skills/
+ *
+ * NOTE: 'local' is a client-only tier for skills discovered on disk.
+ * It is NOT stored in the database — the skills table CHECK constraint
+ * only allows: verified, curated, community, experimental, unknown.
+ * Never pass 'local' to database upsert operations.
  */
-export type TrustTier = 'verified' | 'community' | 'experimental' | 'unknown' | 'local';
+export type TrustTier = 'verified' | 'curated' | 'community' | 'experimental' | 'unknown' | 'local';
 /**
  * SMI-1631: Skill roles for role-based recommendations
  * Used to filter and prioritize skills based on their primary purpose