@substrate-ai/sdlc 0.20.57 → 0.20.58

package/dist/verification/checks/index.d.ts

@@ -15,4 +15,5 @@ export { AcceptanceCriteriaEvidenceCheck, extractAcceptanceCriteriaIds } from '.
 export { BuildCheck, BUILD_CHECK_TIMEOUT_MS, detectBuildCommand } from './build-check.js';
 export { RuntimeProbeCheck } from './runtime-probe-check.js';
 export type { RuntimeProbeExecutors } from './runtime-probe-check.js';
+export { SourceAcShelloutCheck, runShelloutCheck, scanFile, isCommentLine, isInStringLiteralContext, } from './source-ac-shellout-check.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/verification/checks/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/verification/checks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,2BAA2B,CAAA;AAChG,OAAO,EAAE,+BAA+B,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACvH,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AAC5D,YAAY,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/verification/checks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,2BAA2B,CAAA;AAChG,OAAO,EAAE,+BAA+B,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACvH,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AAC5D,YAAY,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAA;AACrE,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,QAAQ,EACR,aAAa,EACb,wBAAwB,GACzB,MAAM,+BAA+B,CAAA"}

package/dist/verification/checks/index.js

@@ -14,4 +14,5 @@ export { TrivialOutputCheck, DEFAULT_TRIVIAL_OUTPUT_THRESHOLD } from './trivial-
 export { AcceptanceCriteriaEvidenceCheck, extractAcceptanceCriteriaIds } from './acceptance-criteria-evidence-check.js';
 export { BuildCheck, BUILD_CHECK_TIMEOUT_MS, detectBuildCommand } from './build-check.js';
 export { RuntimeProbeCheck } from './runtime-probe-check.js';
+export { SourceAcShelloutCheck, runShelloutCheck, scanFile, isCommentLine, isInStringLiteralContext, } from './source-ac-shellout-check.js';
 //# sourceMappingURL=index.js.map

package/dist/verification/checks/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/verification/checks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,2BAA2B,CAAA;AAChG,OAAO,EAAE,+BAA+B,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACvH,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/verification/checks/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAC9D,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,2BAA2B,CAAA;AAChG,OAAO,EAAE,+BAA+B,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACvH,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AAE5D,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,QAAQ,EACR,aAAa,EACb,wBAAwB,GACzB,MAAM,+BAA+B,CAAA"}

package/dist/verification/checks/source-ac-shellout-check.d.ts

@@ -0,0 +1,64 @@
+/**
+ * SourceAcShelloutCheck — Story 67-3.
+ *
+ * Tier A static-analysis check that detects bare `npx <package>` invocations
+ * (without `--no-install`) in story-modified source files.
+ *
+ * Motivation: obs_2026-05-03_023 (dependency-confusion attack vector). When
+ * `npx <package>` is invoked without `--no-install`, npm silently falls back
+ * to the public registry if the package binary is not locally installed —
+ * making the binary name a potential dependency-confusion target.
+ *
+ * This check fires only when the `npx <package>` pattern appears inside a
+ * string-literal context (single-quoted, double-quoted, or template-literal),
+ * which is the canonical shape of shell-out code in TypeScript/JavaScript.
+ * Bare prose in comments is excluded.
+ */
+import type { VerificationCheck, VerificationContext, VerificationResult } from '../types.js';
+/**
+ * Returns `true` when the line (after trimming leading whitespace) starts with
+ * a single-line comment marker (`//` or `#`). Block comments (/* … *\/) are not
+ * matched here — they are handled by the string-literal context check.
+ */
+export declare function isCommentLine(line: string): boolean;
+/**
+ * Returns `true` when `matchIndex` falls inside a single-quoted (`'...'`),
+ * double-quoted (`"..."`), or template-literal (`` `...` ``) region of the line,
+ * OR when the line is a shebang (`#!...`).
+ *
+ * Implementation: scan character-by-character from index 0, toggling
+ * `inSingle`, `inDouble`, `inTemplate` flags at unescaped quote characters.
+ * An escaped quote is one where the immediately preceding character is `\`.
+ * (Note: this is a heuristic — it does not handle `\\` or complex escape
+ * sequences correctly. For a static-analysis severity:warn heuristic, the
+ * simplification is acceptable.)
+ */
+export declare function isInStringLiteralContext(line: string, matchIndex: number): boolean;
+/**
+ * Reads the file at `absolutePath` and returns every line/match pair where
+ * a bare `npx <name>` (without `--no-install`) appears inside a string-literal
+ * context on a non-comment line.
+ *
+ * Returns 1-indexed line numbers.
+ */
+export declare function scanFile(absolutePath: string): Array<{
+    lineNum: number;
+    name: string;
+}>;
+/**
+ * Standalone function implementing the shellout check logic.
+ * Exported separately so tests can call it directly without instantiating the class.
+ */
+export declare function runShelloutCheck(context: VerificationContext): Promise<VerificationResult>;
+/**
+ * VerificationCheck class for the shellout static-analysis gate.
+ *
+ * name  = 'source-ac-shellout'
+ * tier  = 'A' (fast — file I/O only, no LLM, no subprocess except optional git fallback)
+ */
+export declare class SourceAcShelloutCheck implements VerificationCheck {
+    readonly name = "source-ac-shellout";
+    readonly tier: "A";
+    run(context: VerificationContext): Promise<VerificationResult>;
+}
+//# sourceMappingURL=source-ac-shellout-check.d.ts.map

package/dist/verification/checks/source-ac-shellout-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-ac-shellout-check.d.ts","sourceRoot":"","sources":["../../../src/verification/checks/source-ac-shellout-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH,OAAO,KAAK,EACV,iBAAiB,EACjB,mBAAmB,EAEnB,kBAAkB,EACnB,MAAM,aAAa,CAAA;AAapB;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGnD;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAwBlF;AAMD;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAwBvF;AAMD;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CA+E7B;AAED;;;;;GAKG;AACH,qBAAa,qBAAsB,YAAW,iBAAiB;IAC7D,QAAQ,CAAC,IAAI,wBAAuB;IACpC,QAAQ,CAAC,IAAI,EAAG,GAAG,CAAS;IAEtB,GAAG,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAGrE"}

package/dist/verification/checks/source-ac-shellout-check.js

@@ -0,0 +1,199 @@
+/**
+ * SourceAcShelloutCheck — Story 67-3.
+ *
+ * Tier A static-analysis check that detects bare `npx <package>` invocations
+ * (without `--no-install`) in story-modified source files.
+ *
+ * Motivation: obs_2026-05-03_023 (dependency-confusion attack vector). When
+ * `npx <package>` is invoked without `--no-install`, npm silently falls back
+ * to the public registry if the package binary is not locally installed —
+ * making the binary name a potential dependency-confusion target.
+ *
+ * This check fires only when the `npx <package>` pattern appears inside a
+ * string-literal context (single-quoted, double-quoted, or template-literal),
+ * which is the canonical shape of shell-out code in TypeScript/JavaScript.
+ * Bare prose in comments is excluded.
+ */
+import { execSync } from 'child_process';
+import * as fs from 'fs';
+import * as path from 'path';
+import { CATEGORY_SHELLOUT_NPX_FALLBACK, renderFindings } from '../findings.js';
+// ---------------------------------------------------------------------------
+// Detection pattern
+// ---------------------------------------------------------------------------
+/** Matches `npx <name>` but NOT `npx --no-install <name>`. */
+const NPX_PATTERN = /npx\s+(?!--no-install)([a-zA-Z0-9_@\-/]+)/g;
+// ---------------------------------------------------------------------------
+// Line-level classification helpers
+// ---------------------------------------------------------------------------
+/**
+ * Returns `true` when the line (after trimming leading whitespace) starts with
+ * a single-line comment marker (`//` or `#`). Block comments (/* … *\/) are not
+ * matched here — they are handled by the string-literal context check.
+ */
+export function isCommentLine(line) {
+    const trimmed = line.trimStart();
+    return trimmed.startsWith('//') || trimmed.startsWith('#');
+}
+/**
+ * Returns `true` when `matchIndex` falls inside a single-quoted (`'...'`),
+ * double-quoted (`"..."`), or template-literal (`` `...` ``) region of the line,
+ * OR when the line is a shebang (`#!...`).
+ *
+ * Implementation: scan character-by-character from index 0, toggling
+ * `inSingle`, `inDouble`, `inTemplate` flags at unescaped quote characters.
+ * An escaped quote is one where the immediately preceding character is `\`.
+ * (Note: this is a heuristic — it does not handle `\\` or complex escape
+ * sequences correctly. For a static-analysis severity:warn heuristic, the
+ * simplification is acceptable.)
+ */
+export function isInStringLiteralContext(line, matchIndex) {
+    // Shebang lines are shell string context
+    if (line.trimStart().startsWith('#!'))
+        return true;
+    let inSingle = false;
+    let inDouble = false;
+    let inTemplate = false;
+    for (let i = 0; i < matchIndex; i++) {
+        const char = line[i];
+        const escaped = i > 0 && line[i - 1] === '\\';
+        if (!escaped) {
+            if (char === "'" && !inDouble && !inTemplate) {
+                inSingle = !inSingle;
+            }
+            else if (char === '"' && !inSingle && !inTemplate) {
+                inDouble = !inDouble;
+            }
+            else if (char === '`' && !inSingle && !inDouble) {
+                inTemplate = !inTemplate;
+            }
+        }
+    }
+    return inSingle || inDouble || inTemplate;
+}
+// ---------------------------------------------------------------------------
+// File scanner
+// ---------------------------------------------------------------------------
+/**
+ * Reads the file at `absolutePath` and returns every line/match pair where
+ * a bare `npx <name>` (without `--no-install`) appears inside a string-literal
+ * context on a non-comment line.
+ *
+ * Returns 1-indexed line numbers.
+ */
+export function scanFile(absolutePath) {
+    const content = fs.readFileSync(absolutePath, 'utf-8');
+    const lines = content.split('\n');
+    const results = [];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line === undefined)
+            continue;
+        if (isCommentLine(line))
+            continue;
+        // Reset regex state for each line
+        NPX_PATTERN.lastIndex = 0;
+        let match;
+        // Use a fresh copy of the regex for exec (avoids global state issues)
+        const linePattern = new RegExp(NPX_PATTERN.source, 'g');
+        while ((match = linePattern.exec(line)) !== null) {
+            const name = match[1];
+            if (name !== undefined && isInStringLiteralContext(line, match.index)) {
+                results.push({ lineNum: i + 1, name });
+            }
+        }
+    }
+    return results;
+}
+// ---------------------------------------------------------------------------
+// Check implementation
+// ---------------------------------------------------------------------------
+/**
+ * Standalone function implementing the shellout check logic.
+ * Exported separately so tests can call it directly without instantiating the class.
+ */
+export async function runShelloutCheck(context) {
+    const start = Date.now();
+    const findings = [];
+    // --- Resolve modified files ---
+    let modifiedFiles = context.devStoryResult?.files_modified ?? [];
+    if (modifiedFiles.length === 0) {
+        // Fallback: git diff HEAD~1
+        try {
+            const output = execSync('git diff --name-only HEAD~1', {
+                cwd: context.workingDir,
+                encoding: 'utf-8',
+            });
+            modifiedFiles = output
+                .trim()
+                .split('\n')
+                .filter((f) => f.length > 0);
+        }
+        catch {
+            // Git unavailable or no prior commit — skip check
+            return {
+                status: 'pass',
+                details: 'source-ac-shellout: no modified files available — skipping check',
+                duration_ms: Date.now() - start,
+                findings: [],
+            };
+        }
+    }
+    // --- Filter out .md files ---
+    const filesToCheck = modifiedFiles.filter((f) => !f.endsWith('.md'));
+    if (filesToCheck.length === 0) {
+        return {
+            status: 'pass',
+            details: 'source-ac-shellout: no non-.md modified files — skipping check',
+            duration_ms: Date.now() - start,
+            findings: [],
+        };
+    }
+    // --- Scan each file ---
+    for (const relPath of filesToCheck) {
+        const absPath = path.join(context.workingDir, relPath);
+        let matches;
+        try {
+            matches = scanFile(absPath);
+        }
+        catch {
+            // File unreadable or missing — skip silently
+            continue;
+        }
+        for (const { lineNum, name } of matches) {
+            findings.push({
+                category: CATEGORY_SHELLOUT_NPX_FALLBACK,
+                severity: 'warn',
+                message: `npx fallback detected in ${relPath}:${lineNum}: "npx ${name}" — bare \`npx <package>\` without \`--no-install\` falls through to the public npm registry on first use. If \`<package>\` isn't a registered binary in your dev dependencies, this is a dependency-confusion vector. Use absolute path or \`npx --no-install <package>\` instead.`,
+            });
+        }
+    }
+    // --- Derive status ---
+    const status = findings.some((f) => f.severity === 'error')
+        ? 'fail'
+        : findings.some((f) => f.severity === 'warn')
+            ? 'warn'
+            : 'pass';
+    return {
+        status,
+        details: findings.length > 0
+            ? renderFindings(findings)
+            : 'source-ac-shellout: no bare npx fallback patterns detected',
+        duration_ms: Date.now() - start,
+        findings,
+    };
+}
+/**
+ * VerificationCheck class for the shellout static-analysis gate.
+ *
+ * name  = 'source-ac-shellout'
+ * tier  = 'A' (fast — file I/O only, no LLM, no subprocess except optional git fallback)
+ */
+export class SourceAcShelloutCheck {
+    name = 'source-ac-shellout';
+    tier = 'A';
+    async run(context) {
+        return runShelloutCheck(context);
+    }
+}
+//# sourceMappingURL=source-ac-shellout-check.js.map

package/dist/verification/checks/source-ac-shellout-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-ac-shellout-check.js","sourceRoot":"","sources":["../../../src/verification/checks/source-ac-shellout-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,EAAE,8BAA8B,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAA;AAQ/E,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,8DAA8D;AAC9D,MAAM,WAAW,GAAG,4CAA4C,CAAA;AAEhE,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,CAAA;IAChC,OAAO,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;AAC5D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAY,EAAE,UAAkB;IACvE,yCAAyC;IACzC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAElD,IAAI,QAAQ,GAAG,KAAK,CAAA;IACpB,IAAI,QAAQ,GAAG,KAAK,CAAA;IACpB,IAAI,UAAU,GAAG,KAAK,CAAA;IAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACpB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAA;QAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC7C,QAAQ,GAAG,CAAC,QAAQ,CAAA;YACtB,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpD,QAAQ,GAAG,CAAC,QAAQ,CAAA;YACtB,CAAC;iBAAM,IAAI,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClD,UAAU,GAAG,CAAC,UAAU,CAAA;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,IAAI,QAAQ,IAAI,UAAU,CAAA;AAC3C,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CAAC,YAAoB;IAC3C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,OAAO,GAA6C,EAAE,CAAA;IAE5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAI,KAAK,SAAS;YAAE,SAAQ;QAChC,IAAI,aAAa,CAAC,IAAI,CAAC;YAAE,SAAQ;QAEjC,kCAAkC;QAClC,WAAW,CAAC,SAAS,GAAG,CAAC,CAAA;QACzB,IAAI,KAA6B,CAAA;QACjC,sEAAsE;QACtE,MAAM,WAAW,GAAG,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACvD,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACjD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACrB,IAAI,IAAI,KAAK,SAAS,IAAI,wBAAwB,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtE,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAA4B;IAE5B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACxB,MAAM,QAAQ,GAA0B,EAAE,CAAA;IAE1C,iCAAiC;IACjC,IAAI,aAAa,GAAa,OAAO,CAAC,cAAc,EAAE,cAAc,IAAI,EAAE,CAAA;IAE1E,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,4BAA4B;QAC5B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,6BAA6B,EAAE;gBACrD,GAAG,EAAE,OAAO,CAAC,UAAU;gBACvB,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAA;YACF,aAAa,GAAG,MAAM;iBACnB,IAAI,EAAE;iBACN,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,kDAAkD;YAClD,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,kEAAkE;gBAC3E,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC/B,QAAQ,EAAE,EAAE;aACb,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAEpE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gEAAgE;YACzE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC/B,QAAQ,EAAE,EAAE;SACb,CAAA;IACH,CAAC;IAED,yBAAyB;IACzB,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;QACtD,IAAI,OAAiD,CAAA;QACrD,IAAI,CAAC;YACH,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAA;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;YAC7C,SAAQ;QACV,CAAC;QAED,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC;YACxC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,8BAA8B;gBACxC,QAAQ,EAAE,MAAM;gBAChB,OAAO,EACL,4BAA4B,OAAO,IAAI,OAAO,UAAU,IAAI,qRAAqR;aACpV,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,MAAM,MAAM,GACV,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC;QAC1C,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;YAC3C,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,MAAM,CAAA;IAEd,OAAO;QACL,MAAM;QACN,OAAO,EACL,QAAQ,CAAC,MAAM,GAAG,CAAC;YACjB,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC;YAC1B,CAAC,CAAC,4DAA4D;QAClE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;QAC/B,QAAQ;KACT,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,oBAAoB,CAAA;IAC3B,IAAI,GAAG,GAAY,CAAA;IAE5B,KAAK,CAAC,GAAG,CAAC,OAA4B;QACpC,OAAO,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAClC,CAAC;CACF"}

package/dist/verification/findings.d.ts

@@ -65,6 +65,16 @@ export interface VerificationFinding {
      */
     unrecognizedPlaceholder?: string;
 }
+/**
+ * source-ac-shellout-npx-fallback — Story 67-3, obs_2026-05-03_023 fix #3.
+ *
+ * Severity: warn. Emitted by SourceAcShelloutCheck when a bare `npx <package>`
+ * invocation (without `--no-install`) is detected in a story-modified source file.
+ * A bare `npx <package>` without `--no-install` falls through to the public npm
+ * registry on first use if the package binary is not locally installed —
+ * a dependency-confusion attack vector.
+ */
+export declare const CATEGORY_SHELLOUT_NPX_FALLBACK: "source-ac-shellout-npx-fallback";
 /**
  * Render a list of findings into the multi-line human-readable string that
  * populates VerificationResult.details. One line per finding:

package/dist/verification/findings.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/verification/findings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH;;;;;;;;GAQG;AACH,MAAM,MAAM,2BAA2B,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAA;AAEnE;;;;;;;GAOG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAA;IAChB,gEAAgE;IAChE,QAAQ,EAAE,2BAA2B,CAAA;IACrC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAA;IACf,qGAAqG;IACrG,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,cAAc,GAAG,0BAA0B,CAAA;IACzD;;;;;OAKG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAA;CACjC;AAYD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,MAAM,CAKtE"}
+{"version":3,"file":"findings.d.ts","sourceRoot":"","sources":["../../src/verification/findings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH;;;;;;;;GAQG;AACH,MAAM,MAAM,2BAA2B,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAA;AAEnE;;;;;;;GAOG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAA;IAChB,gEAAgE;IAChE,QAAQ,EAAE,2BAA2B,CAAA;IACrC,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAA;IACf,qGAAqG;IACrG,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,cAAc,GAAG,0BAA0B,CAAA;IACzD;;;;;OAKG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAA;CACjC;AAgBD;;;;;;;;GAQG;AACH,eAAO,MAAM,8BAA8B,EACzC,iCAA0C,CAAA;AAM5C;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,MAAM,CAKtE"}

package/dist/verification/findings.js

@@ -20,6 +20,22 @@ const SEVERITY_PREFIX = {
     warn: 'WARN',
     info: 'INFO',
 };
+// ---------------------------------------------------------------------------
+// Story-allocated finding categories (stable cross-file identifiers)
+// ---------------------------------------------------------------------------
+/**
+ * source-ac-shellout-npx-fallback — Story 67-3, obs_2026-05-03_023 fix #3.
+ *
+ * Severity: warn. Emitted by SourceAcShelloutCheck when a bare `npx <package>`
+ * invocation (without `--no-install`) is detected in a story-modified source file.
+ * A bare `npx <package>` without `--no-install` falls through to the public npm
+ * registry on first use if the package binary is not locally installed —
+ * a dependency-confusion attack vector.
+ */
+export const CATEGORY_SHELLOUT_NPX_FALLBACK = 'source-ac-shellout-npx-fallback';
+// ---------------------------------------------------------------------------
+// Rendering
+// ---------------------------------------------------------------------------
 /**
  * Render a list of findings into the multi-line human-readable string that
  * populates VerificationResult.details. One line per finding:

package/dist/verification/findings.js.map

@@ -1 +1 @@
-{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/verification/findings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA6DH,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,eAAe,GAAgD;IACnE,KAAK,EAAE,OAAO;IACd,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACb,CAAA;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,QAA+B;IAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IACpC,OAAO,QAAQ;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;SACzE,IAAI,CAAC,IAAI,CAAC,CAAA;AACf,CAAC"}
+{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/verification/findings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA6DH,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,eAAe,GAAgD;IACnE,KAAK,EAAE,OAAO;IACd,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACb,CAAA;AAED,8EAA8E;AAC9E,qEAAqE;AACrE,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,8BAA8B,GACzC,iCAA0C,CAAA;AAE5C,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,QAA+B;IAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IACpC,OAAO,QAAQ;SACZ,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;SACzE,IAAI,CAAC,IAAI,CAAC,CAAA;AACf,CAAC"}

package/dist/verification/verification-pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verification-pipeline.d.ts","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,KAAK,EACV,iBAAiB,EACjB,mBAAmB,EAEnB,mBAAmB,EACpB,MAAM,YAAY,CAAA;AAGnB,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAA;AA6BhF;;;;;;GAMG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA0B;IAElD;;;OAGG;gBACS,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAAE,MAAM,GAAE,iBAAiB,EAAO;IAO5E;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAIxC;;;;;;;;;;OAUG;IACG,GAAG,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,GAAE,GAAG,GAAG,GAAS,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAqE7F;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAC9B,MAAM,CAAC,EAAE,wBAAwB,GAChC,oBAAoB,CAUtB"}
+{"version":3,"file":"verification-pipeline.d.ts","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,KAAK,EACV,iBAAiB,EACjB,mBAAmB,EAEnB,mBAAmB,EACpB,MAAM,YAAY,CAAA;AAGnB,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAA;AA8BhF;;;;;;GAMG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA2B;IAChD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA0B;IAElD;;;OAGG;gBACS,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAAE,MAAM,GAAE,iBAAiB,EAAO;IAO5E;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAIxC;;;;;;;;;;OAUG;IACG,GAAG,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,GAAE,GAAG,GAAG,GAAS,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAqE7F;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,aAAa,CAAC,UAAU,CAAC,EAC9B,MAAM,CAAC,EAAE,wBAAwB,GAChC,oBAAoB,CAWtB"}

package/dist/verification/verification-pipeline.js

@@ -16,6 +16,7 @@ import { AcceptanceCriteriaEvidenceCheck } from './checks/acceptance-criteria-ev
 import { BuildCheck } from './checks/build-check.js';
 import { RuntimeProbeCheck } from './checks/runtime-probe-check.js';
 import { SourceAcFidelityCheck } from './source-ac-fidelity-check.js';
+import { SourceAcShelloutCheck } from './checks/source-ac-shellout-check.js';
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -165,6 +166,7 @@ export function createDefaultVerificationPipeline(bus, config) {
         new BuildCheck(), // story 51-4: runs late in Tier A (expensive, 60s worst-case)
         new RuntimeProbeCheck(), // Epic 55 Phase 2: runtime behavior verification
         new SourceAcFidelityCheck(), // Story 58-2: source AC fidelity gate
+        new SourceAcShelloutCheck(), // Story 67-3: bare npx fallback static-analysis gate (obs_2026-05-03_023 fix #3)
     ];
     return new VerificationPipeline(bus, checks);
 }

package/dist/verification/verification-pipeline.js.map

@@ -1 +1 @@
-{"version":3,"file":"verification-pipeline.js","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AAErE,OAAO,EAAE,+BAA+B,EAAE,MAAM,gDAAgD,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAA;AAErE,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,eAAe,CACtB,MAAiC;IAEjC,IAAI,MAAM,GAA6B,MAAM,CAAA;IAC7C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,OAAO,MAAM,CAAA;QACtC,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,MAAM,GAAG,MAAM,CAAA;IAC1C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,OAAO,oBAAoB;IACd,IAAI,CAA2B;IAC/B,OAAO,GAAwB,EAAE,CAAA;IAElD;;;OAGG;IACH,YAAY,GAA8B,EAAE,SAA8B,EAAE;QAC1E,IAAI,CAAC,IAAI,GAAG,GAAG,CAAA;QACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACtB,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CAAC,KAAwB;QAC/B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,GAAG,CAAC,OAA4B,EAAE,OAAkB,GAAG;QAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;QAC1D,MAAM,YAAY,GAA8B,EAAE,CAAA;QAElD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YAC7B,IAAI,MAA+B,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBAC1C,MAAM,GAAG;oBACP,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,MAAM,EAAE,SAAS,CAAC,MAAM;oBACxB,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,6DAA6D;oBAC7D,8DAA8D;oBAC9D,0DAA0D;oBAC1D,GAAG,CAAC,SAAS,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC9E,CAAA;YACH,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAA;gBACvC,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAChE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kCAAkC,KAAK,CAAC,IAAI,mCAAmC,OAAO,IAAI,CAC3F,CAAA;gBACD,8DAA8D;gBAC9D,6DAA6D;gBAC7D,wDAAwD;gBACxD,MAAM,GAAG;oBACP,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO;oBAChB,WAAW,EAAE,OAAO;oBACpB,QAAQ,EAAE;wBACR;4BACE,QAAQ,EAAE,iBAAiB;4BAC3B,QAAQ,EAAE,MAAM;4BAChB,OAAO;yBACR;qBACF;iBACF,CAAA;YACH,CAAC;YAED,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAEzB,yDAAyD;YACzD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE;gBAC5C,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,OAAO,GAAwB;YACnC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,eAAe,CAAC,YAAY,CAAC;YACrC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa;SACxC,CAAA;QAED,0DAA0D;QAC1D,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE,OAAO,CAAC,CAAA;QAEtD,OAAO,OAAO,CAAA;IAChB,CAAC;CACF;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,iCAAiC,CAC/C,GAA8B,EAC9B,MAAiC;IAEjC,MAAM,MAAM,GAAwB;QAClC,IAAI,kBAAkB,EAAE;QACxB,IAAI,kBAAkB,CAAC,MAAM,CAAC;QAC9B,IAAI,+BAA+B,EAAE;QACrC,IAAI,UAAU,EAAE,EAAE,8DAA8D;QAChF,IAAI,iBAAiB,EAAE,EAAE,iDAAiD;QAC1E,IAAI,qBAAqB,EAAE,EAAE,sCAAsC;KACpE,CAAA;IACD,OAAO,IAAI,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;AAC9C,CAAC"}
+{"version":3,"file":"verification-pipeline.js","sourceRoot":"","sources":["../../src/verification/verification-pipeline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAUH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AAErE,OAAO,EAAE,+BAA+B,EAAE,MAAM,gDAAgD,CAAA;AAChG,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAA;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAE5E,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;GAGG;AACH,SAAS,eAAe,CACtB,MAAiC;IAEjC,IAAI,MAAM,GAA6B,MAAM,CAAA;IAC7C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,OAAO,MAAM,CAAA;QACtC,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM;YAAE,MAAM,GAAG,MAAM,CAAA;IAC1C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,OAAO,oBAAoB;IACd,IAAI,CAA2B;IAC/B,OAAO,GAAwB,EAAE,CAAA;IAElD;;;OAGG;IACH,YAAY,GAA8B,EAAE,SAA8B,EAAE;QAC1E,IAAI,CAAC,IAAI,GAAG,GAAG,CAAA;QACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACtB,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CAAC,KAAwB;QAC/B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,GAAG,CAAC,OAA4B,EAAE,OAAkB,GAAG;QAC3D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;QAC1D,MAAM,YAAY,GAA8B,EAAE,CAAA;QAElD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YAC7B,IAAI,MAA+B,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBAC1C,MAAM,GAAG;oBACP,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,MAAM,EAAE,SAAS,CAAC,MAAM;oBACxB,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,6DAA6D;oBAC7D,8DAA8D;oBAC9D,0DAA0D;oBAC1D,GAAG,CAAC,SAAS,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC9E,CAAA;YACH,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAA;gBACvC,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAChE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kCAAkC,KAAK,CAAC,IAAI,mCAAmC,OAAO,IAAI,CAC3F,CAAA;gBACD,8DAA8D;gBAC9D,6DAA6D;gBAC7D,wDAAwD;gBACxD,MAAM,GAAG;oBACP,SAAS,EAAE,KAAK,CAAC,IAAI;oBACrB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,OAAO;oBAChB,WAAW,EAAE,OAAO;oBACpB,QAAQ,EAAE;wBACR;4BACE,QAAQ,EAAE,iBAAiB;4BAC3B,QAAQ,EAAE,MAAM;4BAChB,OAAO;yBACR;qBACF;iBACF,CAAA;YACH,CAAC;YAED,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAEzB,yDAAyD;YACzD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE;gBAC5C,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,OAAO,GAAwB;YACnC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,eAAe,CAAC,YAAY,CAAC;YACrC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa;SACxC,CAAA;QAED,0DAA0D;QAC1D,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE,OAAO,CAAC,CAAA;QAEtD,OAAO,OAAO,CAAA;IAChB,CAAC;CACF;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,iCAAiC,CAC/C,GAA8B,EAC9B,MAAiC;IAEjC,MAAM,MAAM,GAAwB;QAClC,IAAI,kBAAkB,EAAE;QACxB,IAAI,kBAAkB,CAAC,MAAM,CAAC;QAC9B,IAAI,+BAA+B,EAAE;QACrC,IAAI,UAAU,EAAE,EAAE,8DAA8D;QAChF,IAAI,iBAAiB,EAAE,EAAE,iDAAiD;QAC1E,IAAI,qBAAqB,EAAE,EAAE,sCAAsC;QACnE,IAAI,qBAAqB,EAAE,EAAE,iFAAiF;KAC/G,CAAA;IACD,OAAO,IAAI,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;AAC9C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@substrate-ai/sdlc",
-  "version": "0.20.57",
+  "version": "0.20.58",
   "type": "module",
   "license": "MIT",
   "repository": {
@@ -24,7 +24,7 @@
     "node": ">=22.0.0"
   },
   "dependencies": {
-    "@substrate-ai/core": "0.20.57",
+    "@substrate-ai/core": "0.20.58",
     "js-yaml": "^4.1.1",
     "zod": "^4.3.6"
   },