@telora/daemon 0.15.37 → 0.15.40

package/dist/security-auto-inject.js

@@ -0,0 +1,148 @@
+/**
+ * Severity-gated auto-injection for security findings.
+ *
+ * When the scanner engine writes a finding at or above the configured
+ * auto_inject_severity_threshold, this module:
+ *   1. Resolves the product's Security focus (focus_kind='security').
+ *   2. Creates or reuses an entity node representing the vulnerable surface.
+ *   3. Creates an injection node on the focus's reality tree with
+ *      statement = advisory summary; targets the entity node via a
+ *      reality_tree_edge of kind 'targets'.
+ *   4. Creates a delivery on the Security focus linked to the injection
+ *      via the delivery's injection_id column.
+ *   5. Sets finding.linked_injection_id.
+ *   6. Writes a security_finding_audit row with action='auto_injected'.
+ *
+ * Below-threshold findings are not auto-injected; the FindingsView UI
+ * offers click-to-remediate that calls this same function with a
+ * `force: true` flag (single code path for both auto and manual).
+ *
+ * Suppressed findings (suppression jsonb non-null and not expired) are
+ * skipped entirely.
+ *
+ * @module security-auto-inject
+ */
+import { callApi } from './queries/shared.js';
+// ---------------------------------------------------------------------------
+// Severity comparison
+// ---------------------------------------------------------------------------
+const SEVERITY_RANK = {
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+/** Returns true when `severity` is at or above `threshold`. */
+export function meetsThreshold(severity, threshold) {
+    return SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold];
+}
+function isSuppressedAndActive(finding, now = new Date()) {
+    if (finding.status !== 'suppressed')
+        return false;
+    if (!finding.suppression)
+        return false;
+    const s = finding.suppression;
+    if (!s.expires_at)
+        return true;
+    return new Date(s.expires_at).getTime() > now.getTime();
+}
+// ---------------------------------------------------------------------------
+// Statement + label builders
+// ---------------------------------------------------------------------------
+function buildAdvisorySummary(finding) {
+    const payload = finding.payload;
+    const candidates = [
+        typeof payload.title === 'string' ? payload.title : null,
+        typeof payload.summary === 'string' ? payload.summary : null,
+        typeof payload.advisory_text === 'string' ? payload.advisory_text : null,
+    ].filter((s) => Boolean(s));
+    const head = candidates[0] ?? `Security finding ${finding.identifier}`;
+    return `${head} (${finding.iocClass}, severity=${finding.severity})`;
+}
+function buildEntityLabel(finding) {
+    return `${finding.iocClass}:${finding.identifier}`;
+}
+export async function processNewFinding(finding, options, deps) {
+    if (finding.linkedInjectionId)
+        return { status: 'skipped_already_linked' };
+    if (isSuppressedAndActive(finding))
+        return { status: 'skipped_suppressed' };
+    if (!options.force && !meetsThreshold(finding.severity, options.autoInjectThreshold)) {
+        return { status: 'skipped_below_threshold' };
+    }
+    const focus = await deps.resolveSecurityFocus(finding.productId);
+    if (!focus)
+        return { status: 'skipped_no_security_focus' };
+    const entity = await deps.upsertEntityNode({
+        treeId: focus.treeId,
+        organizationId: finding.organizationId,
+        label: buildEntityLabel(finding),
+        payload: { ioc_class: finding.iocClass, identifier: finding.identifier },
+    });
+    const injection = await deps.createInjection({
+        treeId: focus.treeId,
+        organizationId: finding.organizationId,
+        statement: buildAdvisorySummary(finding),
+        targetNodeId: entity.nodeId,
+        sourcePayload: {
+            finding_id: finding.id,
+            ioc_class: finding.iocClass,
+            severity: finding.severity,
+            identifier: finding.identifier,
+        },
+    });
+    const delivery = await deps.createDelivery({
+        focusId: focus.focusId,
+        productId: finding.productId,
+        organizationId: finding.organizationId,
+        name: `Remediate ${buildEntityLabel(finding)}`,
+        description: buildAdvisorySummary(finding),
+        injectionNodeId: injection.nodeId,
+    });
+    await deps.linkFinding(finding.id, injection.nodeId);
+    await deps.writeAudit({
+        findingId: finding.id,
+        organizationId: finding.organizationId,
+        action: options.force ? 'manually_remediated' : 'auto_injected',
+        actorUserId: options.actorUserId,
+        reason: options.force ? 'click_to_remediate' : 'severity_threshold_met',
+        payload: {
+            severity: finding.severity,
+            threshold: options.autoInjectThreshold,
+            delivery_id: delivery.deliveryId,
+            injection_node_id: injection.nodeId,
+        },
+    });
+    return {
+        status: 'injected',
+        injectionNodeId: injection.nodeId,
+        deliveryId: delivery.deliveryId,
+    };
+}
+// ---------------------------------------------------------------------------
+// Default Deps -- daemon-side wiring via callApi.
+// ---------------------------------------------------------------------------
+export function buildDefaultAutoInjectDeps() {
+    return {
+        resolveSecurityFocus: async (productId) => {
+            const res = await callApi('daemon_resolve_security_focus', { productId });
+            return res?.focus ?? null;
+        },
+        upsertEntityNode: async (input) => {
+            return callApi('daemon_upsert_security_entity_node', input);
+        },
+        createInjection: async (input) => {
+            return callApi('daemon_create_security_injection', input);
+        },
+        createDelivery: async (input) => {
+            return callApi('daemon_create_security_delivery', input);
+        },
+        linkFinding: async (findingId, injectionNodeId) => {
+            await callApi('daemon_link_finding_to_injection', { findingId, injectionNodeId });
+        },
+        writeAudit: async (input) => {
+            await callApi('daemon_write_security_finding_audit', input);
+        },
+    };
+}
+//# sourceMappingURL=security-auto-inject.js.map

package/dist/security-auto-inject.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-auto-inject.js","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAmF9C,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,aAAa,GAA6B;IAC9C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,+DAA+D;AAC/D,MAAM,UAAU,cAAc,CAAC,QAAkB,EAAE,SAAmB;IACpE,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAUD,SAAS,qBAAqB,CAAC,OAA4B,EAAE,MAAY,IAAI,IAAI,EAAE;IACjF,IAAI,OAAO,CAAC,MAAM,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,CAAC,OAAO,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,CAAC,GAAG,OAAO,CAAC,WAA+B,CAAC;IAClD,IAAI,CAAC,CAAC,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;AAC1D,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,SAAS,oBAAoB,CAAC,OAA4B;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAkC,CAAC;IAC3D,MAAM,UAAU,GAAG;QACjB,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QACxD,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QAC5D,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI;KACzE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,oBAAoB,OAAO,CAAC,UAAU,EAAE,CAAC;IACvE,OAAO,GAAG,IAAI,KAAK,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,QAAQ,GAAG,CAAC;AACvE,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA4B;IACpD,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;AACrD,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAA4B,EAC5B,OAA0B,EAC1B,IAAoB;IAEpB,IAAI,OAAO,CAAC,iBAAiB;QAAE,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC3E,IAAI,qBAAqB,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IAC5E,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACrF,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAE3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;QACzC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC;QAChC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE;KACzE,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC;QAC3C,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,SAAS,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,MAAM;QAC3B,aAAa,EAAE;YACb,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,IAAI,EAAE,aAAa,gBAAgB,CAAC,OAAO,CAAC,EAAE;QAC9C,WAAW,EAAE,oBAAoB,CAAC,OAAO,CAAC;QAC1C,eAAe,EAAE,SAAS,CAAC,MAAM;KAClC,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,IAAI,CAAC,UAAU,CAAC;QACpB,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,eAAe;QAC/D,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,wBAAwB;QACvE,OAAO,EAAE;YACP,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,SAAS,EAAE,OAAO,CAAC,mBAAmB;YACtC,WAAW,EAAE,QAAQ,CAAC,UAAU;YAChC,iBAAiB,EAAE,SAAS,CAAC,MAAM;SACpC;KACF,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,eAAe,EAAE,SAAS,CAAC,MAAM;QACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACxC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,+BAA+B,EAC/B,EAAE,SAAS,EAAE,CACd,CAAC;YACF,OAAO,GAAG,EAAE,KAAK,IAAI,IAAI,CAAC;QAC5B,CAAC;QACD,gBAAgB,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAChC,OAAO,OAAO,CAAqB,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAClF,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC/B,OAAO,OAAO,CAAqB,kCAAkC,EAAE,KAAK,CAAC,CAAC;QAChF,CAAC;QACD,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC9B,OAAO,OAAO,CAAyB,iCAAiC,EAAE,KAAK,CAAC,CAAC;QACnF,CAAC;QACD,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE;YAChD,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QACpF,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/security-rescan-resolution.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Re-scan resolution: when a scan run completes that covered a finding's
+ * IOC class but did not re-produce a previously-open finding, flip the
+ * finding to 'resolved' and (if the linked injection's delivery is done)
+ * auto-verify the injection.
+ *
+ * Called by the scanner engine immediately after a run finishes writing
+ * its findings, before suppression-expiry sweeps and before the next
+ * tick begins.
+ *
+ * @module security-rescan-resolution
+ */
+export interface OpenFindingRow {
+    id: string;
+    organizationId: string;
+    productId: string;
+    iocClass: string;
+    identifier: string;
+    linkedInjectionId: string | null;
+}
+export interface ResolutionDeps {
+    /**
+     * Find all 'open' findings for the product that match the IOC classes
+     * the just-completed scan run covered. The engine knows which classes
+     * ran so the caller filters down to those.
+     */
+    listOpenFindings: (productId: string, iocClasses: string[]) => Promise<OpenFindingRow[]>;
+    /** Set the finding to 'resolved' with resolved_at = now(). */
+    markFindingResolved: (findingId: string) => Promise<void>;
+    /** Append audit row for the resolution. */
+    writeAudit: (input: {
+        findingId: string;
+        organizationId: string;
+        action: 'resolved';
+        payload: Record<string, unknown>;
+    }) => Promise<void>;
+    /**
+     * Returns the execution_status of the delivery linked to the injection,
+     * or null if there is no such delivery.
+     */
+    getInjectionDeliveryStatus: (injectionNodeId: string) => Promise<string | null>;
+    /** Compound op: retire the injection + promote FRT overlays to CRT. */
+    verifyInjection: (injectionNodeId: string) => Promise<void>;
+}
+/**
+ * Map of identifiers that the current run did emit, per IOC class.
+ */
+export interface ScanRunFindingSet {
+    iocClass: string;
+    identifiers: Set<string>;
+}
+/**
+ * Resolve previously-open findings that didn't re-appear in this run.
+ *
+ * @returns the list of finding ids that were flipped to 'resolved'.
+ */
+export declare function resolveStaleFindings(productId: string, observedSets: ScanRunFindingSet[], deps: ResolutionDeps): Promise<string[]>;
+export declare function buildDefaultResolutionDeps(): ResolutionDeps;
+export interface SuppressionExpirySweepDeps {
+    /** Returns findings where status='suppressed' and suppression.expires_at < now(). */
+    listExpiredSuppressions: () => Promise<Array<{
+        id: string;
+        organizationId: string;
+    }>>;
+    /** Set status='open', suppression=null. */
+    unsuppressFinding: (findingId: string) => Promise<void>;
+    /** Append audit row with action='unsuppressed' and reason='suppression_expired'. */
+    writeAudit: (input: {
+        findingId: string;
+        organizationId: string;
+        action: 'unsuppressed';
+        payload: Record<string, unknown>;
+    }) => Promise<void>;
+}
+/**
+ * Sweep suppressions whose expires_at has passed and flip them back to
+ * 'open'. Idempotent: a suppression already expired is a no-op on the
+ * second call because the predicate now matches status='open'.
+ *
+ * @returns the finding ids whose suppression was lifted.
+ */
+export declare function runSuppressionExpirySweep(deps: SuppressionExpirySweepDeps): Promise<string[]>;
+export declare function buildDefaultSuppressionExpirySweepDeps(): SuppressionExpirySweepDeps;
+//# sourceMappingURL=security-rescan-resolution.d.ts.map

package/dist/security-rescan-resolution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-rescan-resolution.d.ts","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IACzF,8DAA8D;IAC9D,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,2CAA2C;IAC3C,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,UAAU,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB;;;OAGG;IACH,0BAA0B,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChF,uEAAuE;IACvE,eAAe,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,iBAAiB,EAAE,EACjC,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC,CAqCnB;AAMD,wBAAgB,0BAA0B,IAAI,cAAc,CA0B3D;AAMD,MAAM,WAAW,0BAA0B;IACzC,qFAAqF;IACrF,uBAAuB,EAAE,MAAM,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC,CAAC;IACtF,2CAA2C;IAC3C,iBAAiB,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,oFAAoF;IACpF,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,cAAc,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,0BAA0B,GAC/B,OAAO,CAAC,MAAM,EAAE,CAAC,CAcnB;AAED,wBAAgB,sCAAsC,IAAI,0BAA0B,CAgBnF"}

package/dist/security-rescan-resolution.js

@@ -0,0 +1,114 @@
+/**
+ * Re-scan resolution: when a scan run completes that covered a finding's
+ * IOC class but did not re-produce a previously-open finding, flip the
+ * finding to 'resolved' and (if the linked injection's delivery is done)
+ * auto-verify the injection.
+ *
+ * Called by the scanner engine immediately after a run finishes writing
+ * its findings, before suppression-expiry sweeps and before the next
+ * tick begins.
+ *
+ * @module security-rescan-resolution
+ */
+import { callApi } from './queries/shared.js';
+/**
+ * Resolve previously-open findings that didn't re-appear in this run.
+ *
+ * @returns the list of finding ids that were flipped to 'resolved'.
+ */
+export async function resolveStaleFindings(productId, observedSets, deps) {
+    const iocClasses = observedSets.map((s) => s.iocClass);
+    if (iocClasses.length === 0)
+        return [];
+    const openFindings = await deps.listOpenFindings(productId, iocClasses);
+    const observedByClass = new Map();
+    for (const set of observedSets) {
+        observedByClass.set(set.iocClass, set.identifiers);
+    }
+    const resolvedIds = [];
+    for (const finding of openFindings) {
+        const observedInClass = observedByClass.get(finding.iocClass);
+        if (!observedInClass)
+            continue;
+        if (observedInClass.has(finding.identifier))
+            continue;
+        // Finding was open, its class was covered, but it didn't re-appear.
+        await deps.markFindingResolved(finding.id);
+        await deps.writeAudit({
+            findingId: finding.id,
+            organizationId: finding.organizationId,
+            action: 'resolved',
+            payload: { reason: 'absent_in_rescan', ioc_class: finding.iocClass },
+        });
+        resolvedIds.push(finding.id);
+        // Auto-verify the linked injection if its delivery has reached 'done'.
+        if (finding.linkedInjectionId) {
+            const status = await deps.getInjectionDeliveryStatus(finding.linkedInjectionId);
+            if (status === 'done') {
+                await deps.verifyInjection(finding.linkedInjectionId);
+            }
+        }
+    }
+    return resolvedIds;
+}
+// ---------------------------------------------------------------------------
+// Default Deps -- daemon-side wiring via callApi.
+// ---------------------------------------------------------------------------
+export function buildDefaultResolutionDeps() {
+    return {
+        listOpenFindings: async (productId, iocClasses) => {
+            const res = await callApi('daemon_list_open_security_findings', { productId, iocClasses });
+            return res.items ?? [];
+        },
+        markFindingResolved: async (findingId) => {
+            await callApi('daemon_resolve_security_finding', { findingId });
+        },
+        writeAudit: async (input) => {
+            await callApi('daemon_write_security_finding_audit', input);
+        },
+        getInjectionDeliveryStatus: async (injectionNodeId) => {
+            const res = await callApi('daemon_get_injection_delivery_status', { injectionNodeId });
+            return res.status;
+        },
+        verifyInjection: async (injectionNodeId) => {
+            await callApi('reality_tree_verify_injection', { injectionNodeId });
+        },
+    };
+}
+/**
+ * Sweep suppressions whose expires_at has passed and flip them back to
+ * 'open'. Idempotent: a suppression already expired is a no-op on the
+ * second call because the predicate now matches status='open'.
+ *
+ * @returns the finding ids whose suppression was lifted.
+ */
+export async function runSuppressionExpirySweep(deps) {
+    const expired = await deps.listExpiredSuppressions();
+    const lifted = [];
+    for (const finding of expired) {
+        await deps.unsuppressFinding(finding.id);
+        await deps.writeAudit({
+            findingId: finding.id,
+            organizationId: finding.organizationId,
+            action: 'unsuppressed',
+            payload: { reason: 'suppression_expired' },
+        });
+        lifted.push(finding.id);
+    }
+    return lifted;
+}
+export function buildDefaultSuppressionExpirySweepDeps() {
+    return {
+        listExpiredSuppressions: async () => {
+            const res = await callApi('daemon_list_expired_security_suppressions', {});
+            return res.items ?? [];
+        },
+        unsuppressFinding: async (findingId) => {
+            await callApi('daemon_unsuppress_security_finding', { findingId });
+        },
+        writeAudit: async (input) => {
+            await callApi('daemon_write_security_finding_audit', input);
+        },
+    };
+}
+//# sourceMappingURL=security-rescan-resolution.js.map

package/dist/security-rescan-resolution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-rescan-resolution.js","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AA4C9C;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,YAAiC,EACjC,IAAoB;IAEpB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACxE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe;YAAE,SAAS;QAC/B,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC;YAAE,SAAS;QAEtD,oEAAoE;QACpE,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE;SACrE,CAAC,CAAC;QACH,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAE7B,uEAAuE;QACvE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAChF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE;YAChD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,oCAAoC,EACpC,EAAE,SAAS,EAAE,UAAU,EAAE,CAC1B,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACvC,MAAM,OAAO,CAAC,iCAAiC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;QACD,0BAA0B,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YACpD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,sCAAsC,EACtC,EAAE,eAAe,EAAE,CACpB,CAAC;YACF,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YACzC,MAAM,OAAO,CAAC,+BAA+B,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC;QACtE,CAAC;KACF,CAAC;AACJ,CAAC;AAoBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAgC;IAEhC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;IACrD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,EAAE,MAAM,EAAE,qBAAqB,EAAE;SAC3C,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,sCAAsC;IACpD,OAAO;QACL,uBAAuB,EAAE,KAAK,IAAI,EAAE;YAClC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,2CAA2C,EAC3C,EAAE,CACH,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACrC,MAAM,OAAO,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/security-scan-engine.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Security scan engine.
+ *
+ * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
+ * set), dispatches pluggable Scanner implementations per IOC class, writes
+ * one security_scan_runs row plus N security_findings rows per execution,
+ * and (downstream) hands findings to security-auto-inject for severity-gated
+ * injection materialization.
+ *
+ * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
+ * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
+ * (unset/anything-but-'0' = enabled, '0' = disabled). See
+ * docs/runbook-loop-activation.md.
+ *
+ * Pattern reference: verification-engine.ts (pluggable strategies + Deps).
+ *
+ * @module security-scan-engine
+ */
+import type { DaemonConfig } from './types.js';
+import { type AutoInjectDeps } from './security-auto-inject.js';
+import { type ResolutionDeps } from './security-rescan-resolution.js';
+export type Severity = 'low' | 'medium' | 'high' | 'critical';
+/** Configuration row driving an individual product's scan cadence. */
+export interface ScanConfig {
+    id: string;
+    organizationId: string;
+    productId: string;
+    scheduleCron: string;
+    enabledIocClasses: string[];
+    autoInjectSeverityThreshold: Severity;
+    enabled: boolean;
+    manualRunRequestedAt: string | null;
+    lastRunAt: string | null;
+}
+/** Per-scan context passed to each Scanner. */
+export interface ScanContext {
+    config: ScanConfig;
+    repoPath: string;
+}
+/** Single finding draft emitted by a Scanner. Stored in security_findings. */
+export interface FindingDraft {
+    iocClass: string;
+    severity: Severity;
+    identifier: string;
+    payload: Record<string, unknown>;
+}
+/** Per-scanner output for a single scan run. */
+export interface ScanResult {
+    findings: FindingDraft[];
+    /** Coverage breadcrumb (e.g. packages_audited, files_scanned) + any warnings. */
+    coverage: Record<string, unknown>;
+}
+/** Pluggable Scanner contract -- one per IOC class. */
+export interface Scanner {
+    /** IOC class slug, matched against ScanConfig.enabledIocClasses. */
+    iocClass: string;
+    scan(ctx: ScanContext): Promise<ScanResult>;
+}
+export declare function registerScanner(scanner: Scanner): void;
+export declare function getRegisteredScanners(): Scanner[];
+export interface SecurityScanDeps {
+    getDueScanConfigs: () => Promise<ScanConfig[]>;
+    startRun: (configId: string, trigger: 'schedule' | 'manual') => Promise<string>;
+    finishRun: (runId: string, update: {
+        status: 'succeeded' | 'failed' | 'partial';
+        coverageSummary: Record<string, unknown>;
+        findingsCountBySeverity: Record<Severity, number>;
+        durationMs: number;
+    }) => Promise<void>;
+    /**
+     * Persist a finding and return its DB-assigned id so downstream
+     * hooks (auto-injection, resolution) can reference it.
+     */
+    writeFinding: (runId: string, productId: string, organizationId: string, finding: FindingDraft) => Promise<{
+        findingId: string;
+    }>;
+    clearManualRunRequest: (configId: string) => Promise<void>;
+    resolveCwd: (productId: string) => string;
+    scanners: Scanner[];
+    /**
+     * Optional severity-gated auto-injection hook. When set, each newly
+     * written finding is passed to processNewFinding so the daemon can
+     * materialize a remediation injection + delivery for it.
+     */
+    autoInjectDeps?: AutoInjectDeps;
+    /**
+     * Optional re-scan resolution hook. When set, after every scan run
+     * finishes, the engine asks the resolution module to flip previously
+     * open findings whose identifiers did not re-appear to 'resolved'.
+     */
+    resolutionDeps?: ResolutionDeps;
+}
+export declare function runScanForConfig(config: ScanConfig, trigger: 'schedule' | 'manual', deps: SecurityScanDeps): Promise<void>;
+export declare function runSecurityScanTick(deps: SecurityScanDeps): Promise<void>;
+export declare function buildDefaultSecurityScanDeps(config: DaemonConfig): SecurityScanDeps;
+//# sourceMappingURL=security-scan-engine.d.ts.map

package/dist/security-scan-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-scan-engine.d.ts","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,EAGL,KAAK,cAAc,EAGpB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAGL,KAAK,cAAc,EAEpB,MAAM,iCAAiC,CAAC;AAMzC,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE9D,sEAAsE;AACtE,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,2BAA2B,EAAE,QAAQ,CAAC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,+CAA+C;AAC/C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,8EAA8E;AAC9E,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,gDAAgD;AAChD,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,iFAAiF;IACjF,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAO;IACtB,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAC7C;AAQD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEtD;AAED,wBAAgB,qBAAqB,IAAI,OAAO,EAAE,CAEjD;AAMD,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/C,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,SAAS,EAAE,CACT,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;QACN,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACzC,uBAAuB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAClD,UAAU,EAAE,MAAM,CAAC;KACpB,KACE,OAAO,CAAC,IAAI,CAAC,CAAC;IACnB;;;OAGG;IACH,YAAY,EAAE,CACZ,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,YAAY,KAClB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpC,qBAAqB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAC;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,UAAU,EAClB,OAAO,EAAE,UAAU,GAAG,QAAQ,EAC9B,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,IAAI,CAAC,CA8Gf;AAMD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAa/E;AAMD,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CA0CnF"}

package/dist/security-scan-engine.js

@@ -0,0 +1,189 @@
+/**
+ * Security scan engine.
+ *
+ * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
+ * set), dispatches pluggable Scanner implementations per IOC class, writes
+ * one security_scan_runs row plus N security_findings rows per execution,
+ * and (downstream) hands findings to security-auto-inject for severity-gated
+ * injection materialization.
+ *
+ * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
+ * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
+ * (unset/anything-but-'0' = enabled, '0' = disabled). See
+ * docs/runbook-loop-activation.md.
+ *
+ * Pattern reference: verification-engine.ts (pluggable strategies + Deps).
+ *
+ * @module security-scan-engine
+ */
+import { callApi } from './queries/shared.js';
+import { configForProduct } from './config.js';
+import { buildDefaultAutoInjectDeps, processNewFinding, } from './security-auto-inject.js';
+import { resolveStaleFindings, buildDefaultResolutionDeps, } from './security-rescan-resolution.js';
+// ---------------------------------------------------------------------------
+// Default registry -- scanners self-register here in their own modules
+// ---------------------------------------------------------------------------
+const DEFAULT_REGISTRY = new Map();
+export function registerScanner(scanner) {
+    DEFAULT_REGISTRY.set(scanner.iocClass, scanner);
+}
+export function getRegisteredScanners() {
+    return [...DEFAULT_REGISTRY.values()];
+}
+export async function runScanForConfig(config, trigger, deps) {
+    const runId = await deps.startRun(config.id, trigger);
+    const startedAt = Date.now();
+    const coverage = {};
+    const warnings = [];
+    const counts = { low: 0, medium: 0, high: 0, critical: 0 };
+    let anyFailure = false;
+    let anySuccess = false;
+    const enabledScanners = deps.scanners.filter((s) => config.enabledIocClasses.includes(s.iocClass));
+    // Per-class observed identifier sets for re-scan resolution. Only
+    // classes whose scanner ran without error contribute -- a failed
+    // scanner can't claim coverage for its class.
+    const observedByClass = new Map();
+    for (const scanner of enabledScanners) {
+        try {
+            const result = await scanner.scan({
+                config,
+                repoPath: deps.resolveCwd(config.productId),
+            });
+            coverage[scanner.iocClass] = result.coverage;
+            anySuccess = true;
+            const observed = new Set();
+            for (const finding of result.findings) {
+                const { findingId } = await deps.writeFinding(runId, config.productId, config.organizationId, finding);
+                counts[finding.severity] = (counts[finding.severity] ?? 0) + 1;
+                observed.add(finding.identifier);
+                // Severity-gated auto-injection. Run per-finding so a failing
+                // injection for one finding does not block the others.
+                if (deps.autoInjectDeps) {
+                    try {
+                        const forInjection = {
+                            id: findingId,
+                            organizationId: config.organizationId,
+                            productId: config.productId,
+                            iocClass: finding.iocClass,
+                            severity: finding.severity,
+                            identifier: finding.identifier,
+                            payload: finding.payload,
+                            status: 'open',
+                            suppression: null,
+                            linkedInjectionId: null,
+                        };
+                        const options = {
+                            autoInjectThreshold: config.autoInjectSeverityThreshold,
+                        };
+                        await processNewFinding(forInjection, options, deps.autoInjectDeps);
+                    }
+                    catch (err) {
+                        warnings.push(`auto-inject ${finding.identifier}: ${err.message}`);
+                    }
+                }
+            }
+            observedByClass.set(scanner.iocClass, observed);
+        }
+        catch (err) {
+            anyFailure = true;
+            warnings.push(`${scanner.iocClass}: ${err.message}`);
+            coverage[scanner.iocClass] = { error: err.message };
+        }
+    }
+    // Re-scan resolution: previously-open findings whose class was
+    // covered by this run but whose identifier did not re-appear are
+    // flipped to 'resolved'. Failures here are non-fatal -- the run
+    // already succeeded for its primary purpose (finding fresh issues).
+    if (deps.resolutionDeps && observedByClass.size > 0) {
+        try {
+            const observedSets = Array.from(observedByClass.entries()).map(([iocClass, identifiers]) => ({ iocClass, identifiers }));
+            const resolved = await resolveStaleFindings(config.productId, observedSets, deps.resolutionDeps);
+            if (resolved.length > 0) {
+                coverage.resolved_findings = resolved.length;
+            }
+        }
+        catch (err) {
+            warnings.push(`resolution: ${err.message}`);
+        }
+    }
+    if (warnings.length > 0) {
+        coverage.warnings = warnings;
+    }
+    const status = anyFailure
+        ? anySuccess
+            ? 'partial'
+            : 'failed'
+        : 'succeeded';
+    await deps.finishRun(runId, {
+        status,
+        coverageSummary: coverage,
+        findingsCountBySeverity: counts,
+        durationMs: Date.now() - startedAt,
+    });
+    if (trigger === 'manual') {
+        await deps.clearManualRunRequest(config.id);
+    }
+}
+// ---------------------------------------------------------------------------
+// Loop tick -- invoked by unified-shell on a fixed cadence
+// ---------------------------------------------------------------------------
+export async function runSecurityScanTick(deps) {
+    const configs = await deps.getDueScanConfigs();
+    for (const config of configs) {
+        if (!config.enabled)
+            continue;
+        const trigger = config.manualRunRequestedAt ? 'manual' : 'schedule';
+        try {
+            await runScanForConfig(config, trigger, deps);
+        }
+        catch {
+            // Per-config failures are swallowed so a single broken product
+            // does not stop the engine from servicing others. The run row
+            // already records the failure status.
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Default Deps -- daemon-side wiring via callApi
+// ---------------------------------------------------------------------------
+export function buildDefaultSecurityScanDeps(config) {
+    const resolveCwd = (productId) => {
+        const product = config.products.find((p) => p.id === productId);
+        if (!product)
+            return config.repoPath;
+        return configForProduct(config, product).repoPath;
+    };
+    return {
+        getDueScanConfigs: async () => {
+            const res = await callApi('daemon_get_due_security_scan_configs', {});
+            return res.items ?? [];
+        },
+        startRun: async (configId, trigger) => {
+            const res = await callApi('daemon_start_security_scan_run', {
+                configId,
+                trigger,
+            });
+            return res.runId;
+        },
+        finishRun: async (runId, update) => {
+            await callApi('daemon_finish_security_scan_run', { runId, ...update });
+        },
+        writeFinding: async (runId, productId, organizationId, finding) => {
+            const res = await callApi('daemon_write_security_finding', {
+                runId,
+                productId,
+                organizationId,
+                ...finding,
+            });
+            return { findingId: res.findingId };
+        },
+        clearManualRunRequest: async (configId) => {
+            await callApi('daemon_clear_manual_scan_request', { configId });
+        },
+        resolveCwd,
+        scanners: getRegisteredScanners(),
+        autoInjectDeps: buildDefaultAutoInjectDeps(),
+        resolutionDeps: buildDefaultResolutionDeps(),
+    };
+}
+//# sourceMappingURL=security-scan-engine.js.map