@telora/daemon 0.15.40 → 0.15.45

package/dist/scanners/workflow.d.ts

@@ -23,11 +23,19 @@
  * @module scanners/workflow
  */
 import type { Scanner } from '../security-scan-engine.js';
+import { type IocFeedEntry } from '../feeds/local.js';
 export interface WorkflowScannerDeps {
     /** List workflow files in the repo's `.github/workflows/` directory. */
     readWorkflowsDir: (repoPath: string) => Promise<string[]>;
     /** Read a workflow file's contents as UTF-8. */
     readFile: (path: string) => Promise<string>;
+    /**
+     * Load org-local IOC feed entries with `ioc_class='workflow'`. Each
+     * entry's pattern is tested against the workflow file's full text and
+     * against every step's `uses`, `run`, and `name` value. Default loads
+     * from the daemon edge function; tests inject a stub.
+     */
+    loadLocalIocFeed?: (organizationId: string, iocClass?: string) => Promise<IocFeedEntry[]>;
 }
 export declare function createWorkflowScanner(deps?: WorkflowScannerDeps): Scanner;
 export declare const workflowScanner: Scanner;

package/dist/scanners/workflow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"workflow.d.ts","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,KAAK,EAAyC,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAMjG,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,gDAAgD;IAChD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7C;AAmKD,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,mBAAiC,GAAG,OAAO,CA4DtF;AAWD,eAAO,MAAM,eAAe,EAAE,OAAiC,CAAC"}
+{"version":3,"file":"workflow.d.ts","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,KAAK,EAAyC,OAAO,EAAE,MAAM,4BAA4B,CAAC;AACjG,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAMxF,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,gDAAgD;IAChD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5C;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;CAC3F;AAoMD,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,mBAAiC,GAAG,OAAO,CAkHtF;AAWD,eAAO,MAAM,eAAe,EAAE,OAAiC,CAAC"}

package/dist/scanners/workflow.js

@@ -25,6 +25,7 @@
 import { readdir, readFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { parse as parseYaml } from 'yaml';
+import { loadLocalIocFeed, matchesPattern } from '../feeds/local.js';
 const WORKFLOW_EXTENSIONS = ['.yml', '.yaml'];
 const CHECKOUT_REF_HEAD_SHA = '${{ github.event.pull_request.head.sha }}';
 const CHECKOUT_REF_HEAD_REF = '${{ github.event.pull_request.head.ref }}';
@@ -46,6 +47,7 @@ const defaultDeps = {
             .map((name) => join(dir, name));
     },
     readFile: (path) => readFile(path, 'utf8'),
+    loadLocalIocFeed,
 };
 // ---------------------------------------------------------------------------
 // Type guards -- narrow `unknown` parsed YAML
@@ -168,13 +170,58 @@ function analyzeJob(job) {
 // Factory
 // ---------------------------------------------------------------------------
 const PATTERN_LABEL = 'pull_request_target + checkout-head + cache-write';
+/**
+ * Collect every string from a parsed workflow tree that an IOC pattern
+ * could meaningfully match: the full file text, every step's `uses`,
+ * `run`, and `name`. Each entry carries a label so emitted findings can
+ * cite where the match occurred.
+ */
+function collectIocCandidates(workflowFileName, rawText, parsed) {
+    const out = [];
+    out.push({ label: `${workflowFileName} (full text)`, value: rawText });
+    const jobs = parsed.jobs;
+    if (!isRecord(jobs))
+        return out;
+    for (const [jobName, jobValue] of Object.entries(jobs)) {
+        if (!isRecord(jobValue))
+            continue;
+        const steps = jobValue.steps;
+        if (!Array.isArray(steps))
+            continue;
+        steps.forEach((raw, idx) => {
+            const step = asStep(raw);
+            if (!step)
+                return;
+            const stepLabel = `${workflowFileName}:${jobName}#${idx}`;
+            if (step.uses)
+                out.push({ label: `${stepLabel}.uses`, value: step.uses });
+            if (step.run)
+                out.push({ label: `${stepLabel}.run`, value: step.run });
+            if (step.name)
+                out.push({ label: `${stepLabel}.name`, value: step.name });
+        });
+    }
+    return out;
+}
 export function createWorkflowScanner(deps = defaultDeps) {
+    const loadFeed = deps.loadLocalIocFeed ?? loadLocalIocFeed;
     return {
         iocClass: 'workflow',
         async scan(ctx) {
             const files = await deps.readWorkflowsDir(ctx.repoPath);
             const findings = [];
             let parseErrors = 0;
+            const warnings = [];
+            // Org-local custom workflow IOCs. Resilient: a feed error is captured
+            // as a warning, never an exception — a missing feed must not abort
+            // the built-in pull_request_target check.
+            const iocEntries = await loadFeed(ctx.config.organizationId, 'workflow').catch((err) => {
+                warnings.push(`local-ioc-feed: ${err.message}`);
+                return [];
+            });
+            // Dedupe findings across the file's pattern match and the IOC scan
+            // when both fire for the same identifier shape.
+            const seen = new Set();
             for (const file of files) {
                 let raw;
                 try {
@@ -194,37 +241,76 @@ export function createWorkflowScanner(deps = defaultDeps) {
                 }
                 if (!isRecord(parsed))
                     continue;
-                if (!hasPullRequestTargetTrigger(parsed.on))
-                    continue;
-                const jobs = parsed.jobs;
-                if (!isRecord(jobs))
-                    continue;
                 const workflowFileName = baseName(file);
-                for (const [jobName, jobValue] of Object.entries(jobs)) {
-                    const analysis = analyzeJob(jobValue);
-                    if (!analysis.hasCheckoutOfForkHead || !analysis.cacheWriteAfterCheckout)
-                        continue;
-                    findings.push({
-                        iocClass: 'workflow',
-                        severity: 'high',
-                        identifier: `${workflowFileName}:${jobName}`,
-                        payload: {
-                            workflow: workflowFileName,
-                            job: jobName,
-                            pattern: PATTERN_LABEL,
-                            matched_lines: analysis.matchedLines,
-                        },
-                    });
+                // Built-in pull_request_target + checkout-head + cache-write check.
+                if (hasPullRequestTargetTrigger(parsed.on)) {
+                    const jobs = parsed.jobs;
+                    if (isRecord(jobs)) {
+                        for (const [jobName, jobValue] of Object.entries(jobs)) {
+                            const analysis = analyzeJob(jobValue);
+                            if (!analysis.hasCheckoutOfForkHead || !analysis.cacheWriteAfterCheckout)
+                                continue;
+                            const identifier = `${workflowFileName}:${jobName}`;
+                            if (seen.has(identifier))
+                                continue;
+                            seen.add(identifier);
+                            findings.push({
+                                iocClass: 'workflow',
+                                severity: 'high',
+                                identifier,
+                                payload: {
+                                    workflow: workflowFileName,
+                                    job: jobName,
+                                    pattern: PATTERN_LABEL,
+                                    matched_lines: analysis.matchedLines,
+                                },
+                            });
+                        }
+                    }
+                }
+                // Local IOC feed pass: test every entry's pattern against the file
+                // text and every step `uses`/`run`/`name` value. One finding per
+                // (entry, file) so multiple matches inside one file collapse into a
+                // single finding referencing the strongest match location.
+                if (iocEntries.length > 0) {
+                    const candidates = collectIocCandidates(workflowFileName, raw, parsed);
+                    for (const entry of iocEntries) {
+                        if (entry.iocClass !== 'workflow')
+                            continue;
+                        const match = candidates.find((c) => matchesPattern(c.value, entry));
+                        if (!match)
+                            continue;
+                        const identifier = `${workflowFileName}#ioc:${entry.id}`;
+                        if (seen.has(identifier))
+                            continue;
+                        seen.add(identifier);
+                        findings.push({
+                            iocClass: 'workflow',
+                            severity: entry.severity,
+                            identifier,
+                            payload: {
+                                source: 'local_ioc_feed',
+                                entry_id: entry.id,
+                                pattern_type: entry.patternType,
+                                pattern: entry.pattern,
+                                advisory_text: entry.advisoryText,
+                                workflow: workflowFileName,
+                                matched_at: match.label,
+                            },
+                        });
+                    }
                 }
             }
-            return {
-                findings,
-                coverage: {
-                    workflows_scanned: files.length,
-                    risky_patterns: findings.length,
-                    parse_errors: parseErrors,
-                },
+            const coverage = {
+                workflows_scanned: files.length,
+                risky_patterns: findings.length,
+                parse_errors: parseErrors,
+                local_ioc_entries: iocEntries.length,
             };
+            if (warnings.length > 0) {
+                coverage.warnings = warnings;
+            }
+            return { findings, coverage };
         },
     };
 }

package/dist/scanners/workflow.js.map

@@ -1 +1 @@
-{"version":3,"file":"workflow.js","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAc1C,MAAM,mBAAmB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE9C,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAC1E,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAE1E,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,WAAW,GAAwB;IACvC,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QACnD,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;aACvE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CAC3C,CAAC;AAEF,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAED,qFAAqF;AACrF,SAAS,2BAA2B,CAAC,EAAW;IAC9C,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,EAAE,KAAK,qBAAqB,CAAC;IAChE,IAAI,aAAa,CAAC,EAAE,CAAC;QAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,qBAAqB,CAAC,CAAC;IACzF,OAAO,KAAK,CAAC;AACf,CAAC;AAYD,SAAS,MAAM,CAAC,KAAc;IAC5B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,IAAI,GAAiB,EAAE,CAAC;IAC9B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;QAAE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACxD,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACjD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,2EAA2E;IAC3E,yEAAyE;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,kBAAkB,CAAC;AACzD,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC;IAC3B,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAkB;IACjD,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,GAAG,KAAK,qBAAqB,IAAI,GAAG,KAAK,qBAAqB,CAAC;AACxE,CAAC;AAED,wGAAwG;AACxG,SAAS,mBAAmB,CAAC,IAAkB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;IAC/B,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,GAAG,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,+EAA+E;QAC/E,IAAI,MAAM,KAAK,eAAe;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,IAAI,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACpF,CAAC;IACD,mFAAmF;IACnF,IAAI,mBAAmB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAQD,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,MAAM,GAAgB;QAC1B,qBAAqB,EAAE,KAAK;QAC5B,uBAAuB,EAAE,KAAK;QAC9B,YAAY,EAAE,EAAE;KACjB,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEzC,IAAI,mBAAmB,GAAG,KAAK,CAAC;IAChC,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,mBAAmB,GAAG,IAAI,CAAC;YAC3B,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC;YACpC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,cAAc,GAAG,EAAE,CAAC,CAAC;YAChE,SAAS;QACX,CAAC;QAED,IAAI,mBAAmB,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClD,MAAM,CAAC,uBAAuB,GAAG,IAAI,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;gBAC/B,MAAM,SAAS,GAAG,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,GAAG,SAAS,EAAE,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,IAAI,WAAW,aAAa,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,aAAa,GAAG,mDAAmD,CAAC;AAE1E,MAAM,UAAU,qBAAqB,CAAC,OAA4B,WAAW;IAC3E,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,IAAI,WAAW,GAAG,CAAC,CAAC;YAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,GAAW,CAAC;gBAChB,IAAI,CAAC;oBACH,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,MAAe,CAAC;gBACpB,IAAI,CAAC;oBACH,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAChC,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAEtD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;gBACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE9B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACxC,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACtC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,IAAI,CAAC,QAAQ,CAAC,uBAAuB;wBAAE,SAAS;oBAEnF,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,GAAG,gBAAgB,IAAI,OAAO,EAAE;wBAC5C,OAAO,EAAE;4BACP,QAAQ,EAAE,gBAAgB;4BAC1B,GAAG,EAAE,OAAO;4BACZ,OAAO,EAAE,aAAa;4BACtB,aAAa,EAAE,QAAQ,CAAC,YAAY;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO;gBACL,QAAQ;gBACR,QAAQ,EAAE;oBACR,iBAAiB,EAAE,KAAK,CAAC,MAAM;oBAC/B,cAAc,EAAE,QAAQ,CAAC,MAAM;oBAC/B,YAAY,EAAE,WAAW;iBAC1B;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,MAAM,CAAC,MAAM,eAAe,GAAY,qBAAqB,EAAE,CAAC"}
+{"version":3,"file":"workflow.js","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAE1C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAqB,MAAM,mBAAmB,CAAC;AAoBxF,MAAM,mBAAmB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE9C,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAC1E,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAE1E,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,WAAW,GAAwB;IACvC,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QACnD,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;aACvE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAC1C,gBAAgB;CACjB,CAAC;AAEF,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAED,qFAAqF;AACrF,SAAS,2BAA2B,CAAC,EAAW;IAC9C,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,EAAE,KAAK,qBAAqB,CAAC;IAChE,IAAI,aAAa,CAAC,EAAE,CAAC;QAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,qBAAqB,CAAC,CAAC;IACzF,OAAO,KAAK,CAAC;AACf,CAAC;AAYD,SAAS,MAAM,CAAC,KAAc;IAC5B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,IAAI,GAAiB,EAAE,CAAC;IAC9B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;QAAE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACxD,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACjD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,2EAA2E;IAC3E,yEAAyE;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,kBAAkB,CAAC;AACzD,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC;IAC3B,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAkB;IACjD,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,GAAG,KAAK,qBAAqB,IAAI,GAAG,KAAK,qBAAqB,CAAC;AACxE,CAAC;AAED,wGAAwG;AACxG,SAAS,mBAAmB,CAAC,IAAkB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;IAC/B,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,GAAG,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,+EAA+E;QAC/E,IAAI,MAAM,KAAK,eAAe;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,IAAI,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACpF,CAAC;IACD,mFAAmF;IACnF,IAAI,mBAAmB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAQD,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,MAAM,GAAgB;QAC1B,qBAAqB,EAAE,KAAK;QAC5B,uBAAuB,EAAE,KAAK;QAC9B,YAAY,EAAE,EAAE;KACjB,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEzC,IAAI,mBAAmB,GAAG,KAAK,CAAC;IAChC,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,mBAAmB,GAAG,IAAI,CAAC;YAC3B,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC;YACpC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,cAAc,GAAG,EAAE,CAAC,CAAC;YAChE,SAAS;QACX,CAAC;QAED,IAAI,mBAAmB,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClD,MAAM,CAAC,uBAAuB,GAAG,IAAI,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;gBAC/B,MAAM,SAAS,GAAG,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,GAAG,SAAS,EAAE,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,IAAI,WAAW,aAAa,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,aAAa,GAAG,mDAAmD,CAAC;AAE1E;;;;;GAKG;AACH,SAAS,oBAAoB,CAC3B,gBAAwB,EACxB,OAAe,EACf,MAA+B;IAE/B,MAAM,GAAG,GAA4C,EAAE,CAAC;IACxD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,gBAAgB,cAAc,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAEvE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAChC,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAClC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,SAAS;QACpC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACzB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,SAAS,GAAG,GAAG,gBAAgB,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;YAC1D,IAAI,IAAI,CAAC,IAAI;gBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,SAAS,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1E,IAAI,IAAI,CAAC,GAAG;gBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,SAAS,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACvE,IAAI,IAAI,CAAC,IAAI;gBAAE,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,SAAS,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAA4B,WAAW;IAC3E,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,IAAI,gBAAgB,CAAC;IAC3D,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,IAAI,WAAW,GAAG,CAAC,CAAC;YACpB,MAAM,QAAQ,GAAa,EAAE,CAAC;YAE9B,sEAAsE;YACtE,mEAAmE;YACnE,0CAA0C;YAC1C,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC,KAAK,CAC5E,CAAC,GAAY,EAAE,EAAE;gBACf,QAAQ,CAAC,IAAI,CAAC,mBAAoB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC3D,OAAO,EAAoB,CAAC;YAC9B,CAAC,CACF,CAAC;YAEF,mEAAmE;YACnE,gDAAgD;YAChD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,GAAW,CAAC;gBAChB,IAAI,CAAC;oBACH,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,MAAe,CAAC;gBACpB,IAAI,CAAC;oBACH,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAChC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAExC,oEAAoE;gBACpE,IAAI,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;oBACzB,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;wBACnB,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;4BACvD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;4BACtC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,IAAI,CAAC,QAAQ,CAAC,uBAAuB;gCAAE,SAAS;4BAEnF,MAAM,UAAU,GAAG,GAAG,gBAAgB,IAAI,OAAO,EAAE,CAAC;4BACpD,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;gCAAE,SAAS;4BACnC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;4BACrB,QAAQ,CAAC,IAAI,CAAC;gCACZ,QAAQ,EAAE,UAAU;gCACpB,QAAQ,EAAE,MAAM;gCAChB,UAAU;gCACV,OAAO,EAAE;oCACP,QAAQ,EAAE,gBAAgB;oCAC1B,GAAG,EAAE,OAAO;oCACZ,OAAO,EAAE,aAAa;oCACtB,aAAa,EAAE,QAAQ,CAAC,YAAY;iCACrC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,mEAAmE;gBACnE,iEAAiE;gBACjE,oEAAoE;gBACpE,2DAA2D;gBAC3D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,UAAU,GAAG,oBAAoB,CAAC,gBAAgB,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;oBACvE,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;wBAC/B,IAAI,KAAK,CAAC,QAAQ,KAAK,UAAU;4BAAE,SAAS;wBAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;wBACrE,IAAI,CAAC,KAAK;4BAAE,SAAS;wBACrB,MAAM,UAAU,GAAG,GAAG,gBAAgB,QAAQ,KAAK,CAAC,EAAE,EAAE,CAAC;wBACzD,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;4BAAE,SAAS;wBACnC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;wBACrB,QAAQ,CAAC,IAAI,CAAC;4BACZ,QAAQ,EAAE,UAAU;4BACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;4BACxB,UAAU;4BACV,OAAO,EAAE;gCACP,MAAM,EAAE,gBAAgB;gCACxB,QAAQ,EAAE,KAAK,CAAC,EAAE;gCAClB,YAAY,EAAE,KAAK,CAAC,WAAW;gCAC/B,OAAO,EAAE,KAAK,CAAC,OAAO;gCACtB,aAAa,EAAE,KAAK,CAAC,YAAY;gCACjC,QAAQ,EAAE,gBAAgB;gCAC1B,UAAU,EAAE,KAAK,CAAC,KAAK;6BACxB;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,QAAQ,GAA4B;gBACxC,iBAAiB,EAAE,KAAK,CAAC,MAAM;gBAC/B,cAAc,EAAE,QAAQ,CAAC,MAAM;gBAC/B,YAAY,EAAE,WAAW;gBACzB,iBAAiB,EAAE,UAAU,CAAC,MAAM;aACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAC/B,CAAC;YAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QAChC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,MAAM,CAAC,MAAM,eAAe,GAAY,qBAAqB,EAAE,CAAC"}

package/dist/security-auto-inject.d.ts

@@ -1,9 +1,9 @@
 /**
- * Severity-gated auto-injection for security findings.
+ * Auto-injection for security findings.
  *
- * When the scanner engine writes a finding at or above the configured
- * auto_inject_severity_threshold, this module:
- *   1. Resolves the product's Security focus (focus_kind='security').
+ * Every open finding that the engine sees -- newly observed or with no
+ * linked remediation -- is handed to processNewFinding. The function:
+ *   1. Finds-or-creates the product's active Security focus + tree.
  *   2. Creates or reuses an entity node representing the vulnerable surface.
  *   3. Creates an injection node on the focus's reality tree with
  *      statement = advisory summary; targets the entity node via a
@@ -13,12 +13,9 @@
  *   5. Sets finding.linked_injection_id.
  *   6. Writes a security_finding_audit row with action='auto_injected'.
  *
- * Below-threshold findings are not auto-injected; the FindingsView UI
- * offers click-to-remediate that calls this same function with a
- * `force: true` flag (single code path for both auto and manual).
- *
- * Suppressed findings (suppression jsonb non-null and not expired) are
- * skipped entirely.
+ * No severity gate -- AI attempts every finding. The only short-circuit
+ * is `skipped_already_linked` when the finding already carries a
+ * remediation injection.
  *
  * @module security-auto-inject
  */
@@ -31,28 +28,19 @@ export interface FindingForInjection {
     severity: Severity;
     identifier: string;
     payload: Record<string, unknown>;
-    status: 'open' | 'resolved' | 'suppressed';
-    suppression: Record<string, unknown> | null;
+    status: 'open' | 'remediating' | 'resolved' | 'escalated';
     linkedInjectionId: string | null;
 }
-export interface AutoInjectOptions {
-    /** Threshold from the scan config (default 'critical'). */
-    autoInjectThreshold: Severity;
+export type AutoInjectOptions = Record<string, never>;
+export interface AutoInjectDeps {
     /**
-     * When true, bypass the severity threshold (used by the UI's
-     * 'Click to remediate' button on below-threshold findings). The
-     * suppression and already-linked checks still apply.
+     * Find an open product_focus carrying the Security workflow for this
+     * product, or create one. Always returns a focus + its reality tree.
      */
-    force?: boolean;
-    /** Actor user id, if the action came from a UI button rather than the daemon. */
-    actorUserId?: string;
-}
-export interface AutoInjectDeps {
-    /** Look up the Security focus id + tree id for a product. */
-    resolveSecurityFocus: (productId: string) => Promise<{
+    findOrCreateActiveSecurityFocus: (productId: string, organizationId: string) => Promise<{
         focusId: string;
         treeId: string;
-    } | null>;
+    }>;
     /**
      * Create or find an entity node representing the vulnerable surface
      * (one per identifier per focus, deduplicated server-side).
@@ -96,19 +84,16 @@ export interface AutoInjectDeps {
     writeAudit: (input: {
         findingId: string;
         organizationId: string;
-        action: 'auto_injected' | 'manually_remediated';
-        actorUserId?: string;
+        action: 'auto_injected';
         reason?: string;
         payload?: Record<string, unknown>;
     }) => Promise<void>;
 }
-/** Returns true when `severity` is at or above `threshold`. */
-export declare function meetsThreshold(severity: Severity, threshold: Severity): boolean;
 export interface ProcessNewFindingResult {
-    status: 'injected' | 'skipped_below_threshold' | 'skipped_already_linked' | 'skipped_suppressed' | 'skipped_no_security_focus';
+    status: 'injected' | 'skipped_already_linked';
     injectionNodeId?: string;
     deliveryId?: string;
 }
-export declare function processNewFinding(finding: FindingForInjection, options: AutoInjectOptions, deps: AutoInjectDeps): Promise<ProcessNewFindingResult>;
+export declare function processNewFinding(finding: FindingForInjection, _options: AutoInjectOptions, deps: AutoInjectDeps): Promise<ProcessNewFindingResult>;
 export declare function buildDefaultAutoInjectDeps(): AutoInjectDeps;
 //# sourceMappingURL=security-auto-inject.d.ts.map

package/dist/security-auto-inject.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-auto-inject.d.ts","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAM1D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY,CAAC;IAC3C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC5C,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,2DAA2D;IAC3D,mBAAmB,EAAE,QAAQ,CAAC;IAC9B;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,iFAAiF;IACjF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,6DAA6D;IAC7D,oBAAoB,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC;QACnD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;KAChB,GAAG,IAAI,CAAC,CAAC;IACV;;;OAGG;IACH,gBAAgB,EAAE,CAAC,KAAK,EAAE;QACxB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,eAAe,EAAE,CAAC,KAAK,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACxC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACzB,KAAK,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtC,+DAA+D;IAC/D,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,kCAAkC;IAClC,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,eAAe,GAAG,qBAAqB,CAAC;QAChD,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAaD,+DAA+D;AAC/D,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,GAAG,OAAO,CAE/E;AAyCD,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,UAAU,GAAG,yBAAyB,GAAG,wBAAwB,GAAG,oBAAoB,GAAG,2BAA2B,CAAC;IAC/H,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,mBAAmB,EAC5B,OAAO,EAAE,iBAAiB,EAC1B,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,uBAAuB,CAAC,CA4DlC;AAMD,wBAAgB,0BAA0B,IAAI,cAAc,CAyB3D"}
+{"version":3,"file":"security-auto-inject.d.ts","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAM1D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,UAAU,GAAG,WAAW,CAAC;IAC1D,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAEtD,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,+BAA+B,EAAE,CAC/B,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,KACnB,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD;;;OAGG;IACH,gBAAgB,EAAE,CAAC,KAAK,EAAE;QACxB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,eAAe,EAAE,CAAC,KAAK,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACxC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACzB,KAAK,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtC,+DAA+D;IAC/D,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,kCAAkC;IAClC,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,eAAe,CAAC;QACxB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAyBD,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,UAAU,GAAG,wBAAwB,CAAC;IAC9C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,mBAAmB,EAC5B,QAAQ,EAAE,iBAAiB,EAC3B,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,uBAAuB,CAAC,CAwDlC;AAMD,wBAAgB,0BAA0B,IAAI,cAAc,CAwB3D"}

package/dist/security-auto-inject.js

@@ -1,9 +1,9 @@
 /**
- * Severity-gated auto-injection for security findings.
+ * Auto-injection for security findings.
  *
- * When the scanner engine writes a finding at or above the configured
- * auto_inject_severity_threshold, this module:
- *   1. Resolves the product's Security focus (focus_kind='security').
+ * Every open finding that the engine sees -- newly observed or with no
+ * linked remediation -- is handed to processNewFinding. The function:
+ *   1. Finds-or-creates the product's active Security focus + tree.
  *   2. Creates or reuses an entity node representing the vulnerable surface.
  *   3. Creates an injection node on the focus's reality tree with
  *      statement = advisory summary; targets the entity node via a
@@ -13,40 +13,14 @@
  *   5. Sets finding.linked_injection_id.
  *   6. Writes a security_finding_audit row with action='auto_injected'.
  *
- * Below-threshold findings are not auto-injected; the FindingsView UI
- * offers click-to-remediate that calls this same function with a
- * `force: true` flag (single code path for both auto and manual).
- *
- * Suppressed findings (suppression jsonb non-null and not expired) are
- * skipped entirely.
+ * No severity gate -- AI attempts every finding. The only short-circuit
+ * is `skipped_already_linked` when the finding already carries a
+ * remediation injection.
  *
  * @module security-auto-inject
  */
 import { callApi } from './queries/shared.js';
 // ---------------------------------------------------------------------------
-// Severity comparison
-// ---------------------------------------------------------------------------
-const SEVERITY_RANK = {
-    low: 1,
-    medium: 2,
-    high: 3,
-    critical: 4,
-};
-/** Returns true when `severity` is at or above `threshold`. */
-export function meetsThreshold(severity, threshold) {
-    return SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold];
-}
-function isSuppressedAndActive(finding, now = new Date()) {
-    if (finding.status !== 'suppressed')
-        return false;
-    if (!finding.suppression)
-        return false;
-    const s = finding.suppression;
-    if (!s.expires_at)
-        return true;
-    return new Date(s.expires_at).getTime() > now.getTime();
-}
-// ---------------------------------------------------------------------------
 // Statement + label builders
 // ---------------------------------------------------------------------------
 function buildAdvisorySummary(finding) {
@@ -62,17 +36,10 @@ function buildAdvisorySummary(finding) {
 function buildEntityLabel(finding) {
     return `${finding.iocClass}:${finding.identifier}`;
 }
-export async function processNewFinding(finding, options, deps) {
+export async function processNewFinding(finding, _options, deps) {
     if (finding.linkedInjectionId)
         return { status: 'skipped_already_linked' };
-    if (isSuppressedAndActive(finding))
-        return { status: 'skipped_suppressed' };
-    if (!options.force && !meetsThreshold(finding.severity, options.autoInjectThreshold)) {
-        return { status: 'skipped_below_threshold' };
-    }
-    const focus = await deps.resolveSecurityFocus(finding.productId);
-    if (!focus)
-        return { status: 'skipped_no_security_focus' };
+    const focus = await deps.findOrCreateActiveSecurityFocus(finding.productId, finding.organizationId);
     const entity = await deps.upsertEntityNode({
         treeId: focus.treeId,
         organizationId: finding.organizationId,
@@ -103,12 +70,10 @@ export async function processNewFinding(finding, options, deps) {
     await deps.writeAudit({
         findingId: finding.id,
         organizationId: finding.organizationId,
-        action: options.force ? 'manually_remediated' : 'auto_injected',
-        actorUserId: options.actorUserId,
-        reason: options.force ? 'click_to_remediate' : 'severity_threshold_met',
+        action: 'auto_injected',
+        reason: 'finding_observed',
         payload: {
             severity: finding.severity,
-            threshold: options.autoInjectThreshold,
             delivery_id: delivery.deliveryId,
             injection_node_id: injection.nodeId,
         },
@@ -124,9 +89,8 @@ export async function processNewFinding(finding, options, deps) {
 // ---------------------------------------------------------------------------
 export function buildDefaultAutoInjectDeps() {
     return {
-        resolveSecurityFocus: async (productId) => {
-            const res = await callApi('daemon_resolve_security_focus', { productId });
-            return res?.focus ?? null;
+        findOrCreateActiveSecurityFocus: async (productId, organizationId) => {
+            return callApi('daemon_find_or_create_active_security_focus', { productId, organizationId });
         },
         upsertEntityNode: async (input) => {
             return callApi('daemon_upsert_security_entity_node', input);

package/dist/security-auto-inject.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-auto-inject.js","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAmF9C,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,aAAa,GAA6B;IAC9C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,+DAA+D;AAC/D,MAAM,UAAU,cAAc,CAAC,QAAkB,EAAE,SAAmB;IACpE,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAUD,SAAS,qBAAqB,CAAC,OAA4B,EAAE,MAAY,IAAI,IAAI,EAAE;IACjF,IAAI,OAAO,CAAC,MAAM,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,CAAC,OAAO,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IACvC,MAAM,CAAC,GAAG,OAAO,CAAC,WAA+B,CAAC;IAClD,IAAI,CAAC,CAAC,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;AAC1D,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,SAAS,oBAAoB,CAAC,OAA4B;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAkC,CAAC;IAC3D,MAAM,UAAU,GAAG;QACjB,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QACxD,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QAC5D,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI;KACzE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,oBAAoB,OAAO,CAAC,UAAU,EAAE,CAAC;IACvE,OAAO,GAAG,IAAI,KAAK,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,QAAQ,GAAG,CAAC;AACvE,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA4B;IACpD,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;AACrD,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAA4B,EAC5B,OAA0B,EAC1B,IAAoB;IAEpB,IAAI,OAAO,CAAC,iBAAiB;QAAE,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC3E,IAAI,qBAAqB,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IAC5E,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACrF,OAAO,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAE3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;QACzC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC;QAChC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE;KACzE,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC;QAC3C,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,SAAS,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,MAAM;QAC3B,aAAa,EAAE;YACb,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,IAAI,EAAE,aAAa,gBAAgB,CAAC,OAAO,CAAC,EAAE;QAC9C,WAAW,EAAE,oBAAoB,CAAC,OAAO,CAAC;QAC1C,eAAe,EAAE,SAAS,CAAC,MAAM;KAClC,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,IAAI,CAAC,UAAU,CAAC;QACpB,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,eAAe;QAC/D,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,wBAAwB;QACvE,OAAO,EAAE;YACP,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,SAAS,EAAE,OAAO,CAAC,mBAAmB;YACtC,WAAW,EAAE,QAAQ,CAAC,UAAU;YAChC,iBAAiB,EAAE,SAAS,CAAC,MAAM;SACpC;KACF,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,eAAe,EAAE,SAAS,CAAC,MAAM;QACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,oBAAoB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACxC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,+BAA+B,EAC/B,EAAE,SAAS,EAAE,CACd,CAAC;YACF,OAAO,GAAG,EAAE,KAAK,IAAI,IAAI,CAAC;QAC5B,CAAC;QACD,gBAAgB,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAChC,OAAO,OAAO,CAAqB,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAClF,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC/B,OAAO,OAAO,CAAqB,kCAAkC,EAAE,KAAK,CAAC,CAAC;QAChF,CAAC;QACD,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC9B,OAAO,OAAO,CAAyB,iCAAiC,EAAE,KAAK,CAAC,CAAC;QACnF,CAAC;QACD,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE;YAChD,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QACpF,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"security-auto-inject.js","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAyE9C,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,SAAS,oBAAoB,CAAC,OAA4B;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAkC,CAAC;IAC3D,MAAM,UAAU,GAAG;QACjB,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QACxD,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QAC5D,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI;KACzE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,oBAAoB,OAAO,CAAC,UAAU,EAAE,CAAC;IACvE,OAAO,GAAG,IAAI,KAAK,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,QAAQ,GAAG,CAAC;AACvE,CAAC;AAED,SAAS,gBAAgB,CAAC,OAA4B;IACpD,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;AACrD,CAAC;AAYD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAA4B,EAC5B,QAA2B,EAC3B,IAAoB;IAEpB,IAAI,OAAO,CAAC,iBAAiB;QAAE,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAE3E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,+BAA+B,CACtD,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,cAAc,CACvB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;QACzC,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,KAAK,EAAE,gBAAgB,CAAC,OAAO,CAAC;QAChC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE;KACzE,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC;QAC3C,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,SAAS,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,MAAM;QAC3B,aAAa,EAAE;YACb,UAAU,EAAE,OAAO,CAAC,EAAE;YACtB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;SAC/B;KACF,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC;QACzC,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,IAAI,EAAE,aAAa,gBAAgB,CAAC,OAAO,CAAC,EAAE;QAC9C,WAAW,EAAE,oBAAoB,CAAC,OAAO,CAAC;QAC1C,eAAe,EAAE,SAAS,CAAC,MAAM;KAClC,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAErD,MAAM,IAAI,CAAC,UAAU,CAAC;QACpB,SAAS,EAAE,OAAO,CAAC,EAAE;QACrB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,MAAM,EAAE,eAAe;QACvB,MAAM,EAAE,kBAAkB;QAC1B,OAAO,EAAE;YACP,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,WAAW,EAAE,QAAQ,CAAC,UAAU;YAChC,iBAAiB,EAAE,SAAS,CAAC,MAAM;SACpC;KACF,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,eAAe,EAAE,SAAS,CAAC,MAAM;QACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAChC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,+BAA+B,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,EAAE;YACnE,OAAO,OAAO,CACZ,6CAA6C,EAC7C,EAAE,SAAS,EAAE,cAAc,EAAE,CAC9B,CAAC;QACJ,CAAC;QACD,gBAAgB,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAChC,OAAO,OAAO,CAAqB,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAClF,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC/B,OAAO,OAAO,CAAqB,kCAAkC,EAAE,KAAK,CAAC,CAAC;QAChF,CAAC;QACD,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC9B,OAAO,OAAO,CAAyB,iCAAiC,EAAE,KAAK,CAAC,CAAC;QACnF,CAAC;QACD,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE;YAChD,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;QACpF,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/security-finding-gate.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Deterministic check evaluator for the Security workflow verify-closed gate.
+ *
+ * The Security workflow declares its verify-closed stage with
+ * `agent_directive.gate = { kind: 'deterministic', check:
+ * 'security.finding_no_longer_present' }`. The gate's contract: a security
+ * remediation injection cannot be verified (retired) unless the linked
+ * security_findings row has flipped to status='resolved' (the re-scan
+ * resolution sweep clears the indicator).
+ *
+ * If the gate fails, the linked finding is flipped to status='escalated'
+ * with escalation_reason='verify_gate_failed'. After the D1 schema
+ * collapse, the Security workflow no longer carries a 'Reopen (failed)'
+ * transition — a failed verify-closed escalates and stays.
+ *
+ * Wired into verification-engine.ts: before calling verifyInjectionOnPass
+ * on a 'passed' outcome, the engine consults this gate. A 'passed' outcome
+ * is demoted to 'failed' when the finding is still open/remediating.
+ *
+ * @module security-finding-gate
+ */
+export type FindingStatusForGate = 'open' | 'remediating' | 'resolved' | 'escalated';
+export interface FindingLookupResult {
+    findingId: string;
+    status: FindingStatusForGate;
+}
+export interface SecurityFindingGateDeps {
+    /**
+     * Look up the security_findings row whose linked_injection_id matches the
+     * given injection node id. Returns null when no finding is linked
+     * (non-security injection -- gate is a no-op).
+     */
+    lookupFindingByInjection: (injectionNodeId: string) => Promise<FindingLookupResult | null>;
+    /**
+     * Flip the finding to status='escalated' and append a security_finding_audit
+     * row with action='escalated'. Idempotent at the DB layer.
+     */
+    escalateFinding: (findingId: string, reason: string) => Promise<void>;
+}
+export type SecurityFindingGateResult = {
+    passed: true;
+    findingId: null;
+    reason?: string;
+} | {
+    passed: true;
+    findingId: string;
+    reason?: string;
+} | {
+    passed: false;
+    findingId: string;
+    reason: string;
+};
+/**
+ * Evaluate the `security.finding_no_longer_present` deterministic check for
+ * a given injection node.
+ *
+ * Outcomes:
+ *   - No finding linked to this injection -> passes as a no-op.
+ *   - Linked finding has status 'resolved' -> passes.
+ *   - Linked finding has any other status  -> fails, returns the findingId
+ *     so the caller can escalate.
+ *
+ * The function does NOT mutate any state -- escalation is the caller's
+ * responsibility via `escalateOnGateFail`.
+ */
+export declare function evaluateFindingNoLongerPresent(injectionNodeId: string, deps: SecurityFindingGateDeps): Promise<SecurityFindingGateResult>;
+/**
+ * Best-effort escalation helper: when the gate fails, flip the linked
+ * finding to status='escalated'. Logs and swallows on error so a failed
+ * escalation does not throw out of the verification path.
+ */
+export declare function escalateOnGateFail(findingId: string, reason: string, deps: SecurityFindingGateDeps): Promise<void>;
+export declare function buildDefaultSecurityFindingGateDeps(): SecurityFindingGateDeps;
+//# sourceMappingURL=security-finding-gate.d.ts.map

package/dist/security-finding-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-finding-gate.d.ts","sourceRoot":"","sources":["../src/security-finding-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAQH,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,GAAG,WAAW,CAAC;AAErF,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,oBAAoB,CAAC;CAC9B;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,wBAAwB,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IAC3F;;;OAGG;IACH,eAAe,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvE;AAED,MAAM,MAAM,yBAAyB,GACjC;IAAE,MAAM,EAAE,IAAI,CAAC;IAAC,SAAS,EAAE,IAAI,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAClD;IAAE,MAAM,EAAE,IAAI,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACpD;IAAE,MAAM,EAAE,KAAK,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAMzD;;;;;;;;;;;;GAYG;AACH,wBAAsB,8BAA8B,CAClD,eAAe,EAAE,MAAM,EACvB,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,yBAAyB,CAAC,CAapC;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAQf;AAMD,wBAAgB,mCAAmC,IAAI,uBAAuB,CAc7E"}

package/dist/security-finding-gate.js

@@ -0,0 +1,82 @@
+/**
+ * Deterministic check evaluator for the Security workflow verify-closed gate.
+ *
+ * The Security workflow declares its verify-closed stage with
+ * `agent_directive.gate = { kind: 'deterministic', check:
+ * 'security.finding_no_longer_present' }`. The gate's contract: a security
+ * remediation injection cannot be verified (retired) unless the linked
+ * security_findings row has flipped to status='resolved' (the re-scan
+ * resolution sweep clears the indicator).
+ *
+ * If the gate fails, the linked finding is flipped to status='escalated'
+ * with escalation_reason='verify_gate_failed'. After the D1 schema
+ * collapse, the Security workflow no longer carries a 'Reopen (failed)'
+ * transition — a failed verify-closed escalates and stays.
+ *
+ * Wired into verification-engine.ts: before calling verifyInjectionOnPass
+ * on a 'passed' outcome, the engine consults this gate. A 'passed' outcome
+ * is demoted to 'failed' when the finding is still open/remediating.
+ *
+ * @module security-finding-gate
+ */
+import { callApi } from './queries/shared.js';
+// ---------------------------------------------------------------------------
+// Pure evaluator
+// ---------------------------------------------------------------------------
+/**
+ * Evaluate the `security.finding_no_longer_present` deterministic check for
+ * a given injection node.
+ *
+ * Outcomes:
+ *   - No finding linked to this injection -> passes as a no-op.
+ *   - Linked finding has status 'resolved' -> passes.
+ *   - Linked finding has any other status  -> fails, returns the findingId
+ *     so the caller can escalate.
+ *
+ * The function does NOT mutate any state -- escalation is the caller's
+ * responsibility via `escalateOnGateFail`.
+ */
+export async function evaluateFindingNoLongerPresent(injectionNodeId, deps) {
+    const lookup = await deps.lookupFindingByInjection(injectionNodeId);
+    if (!lookup) {
+        return { passed: true, findingId: null, reason: 'no_linked_finding' };
+    }
+    if (lookup.status === 'resolved') {
+        return { passed: true, findingId: lookup.findingId, reason: 'finding_resolved' };
+    }
+    return {
+        passed: false,
+        findingId: lookup.findingId,
+        reason: `finding_status_is_${lookup.status}`,
+    };
+}
+/**
+ * Best-effort escalation helper: when the gate fails, flip the linked
+ * finding to status='escalated'. Logs and swallows on error so a failed
+ * escalation does not throw out of the verification path.
+ */
+export async function escalateOnGateFail(findingId, reason, deps) {
+    try {
+        await deps.escalateFinding(findingId, reason);
+    }
+    catch (err) {
+        console.warn(`[security-finding-gate] escalation failed for finding ${findingId}: ${err.message}`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Default deps -- daemon-side wiring via callApi
+// ---------------------------------------------------------------------------
+export function buildDefaultSecurityFindingGateDeps() {
+    return {
+        lookupFindingByInjection: async (injectionNodeId) => {
+            const res = await callApi('daemon_lookup_finding_by_injection', { injectionNodeId });
+            if (!res?.findingId || !res.status)
+                return null;
+            return { findingId: res.findingId, status: res.status };
+        },
+        escalateFinding: async (findingId, reason) => {
+            await callApi('daemon_escalate_security_finding', { findingId, reason });
+        },
+    };
+}
+//# sourceMappingURL=security-finding-gate.js.map