@telora/daemon 0.15.40 → 0.15.45
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build-info.json +2 -2
- package/dist/feeds/ghsa.d.ts +9 -0
- package/dist/feeds/ghsa.d.ts.map +1 -1
- package/dist/feeds/ghsa.js +7 -0
- package/dist/feeds/ghsa.js.map +1 -1
- package/dist/feeds/osv.d.ts +9 -0
- package/dist/feeds/osv.d.ts.map +1 -1
- package/dist/feeds/osv.js +12 -1
- package/dist/feeds/osv.js.map +1 -1
- package/dist/focus-completion.d.ts.map +1 -1
- package/dist/focus-completion.js +21 -6
- package/dist/focus-completion.js.map +1 -1
- package/dist/focus-engine.d.ts.map +1 -1
- package/dist/focus-engine.js +19 -12
- package/dist/focus-engine.js.map +1 -1
- package/dist/focus-merge.d.ts.map +1 -1
- package/dist/focus-merge.js +2 -0
- package/dist/focus-merge.js.map +1 -1
- package/dist/scanners/workflow.d.ts +8 -0
- package/dist/scanners/workflow.d.ts.map +1 -1
- package/dist/scanners/workflow.js +113 -27
- package/dist/scanners/workflow.js.map +1 -1
- package/dist/security-auto-inject.d.ts +17 -32
- package/dist/security-auto-inject.d.ts.map +1 -1
- package/dist/security-auto-inject.js +13 -49
- package/dist/security-auto-inject.js.map +1 -1
- package/dist/security-finding-gate.d.ts +74 -0
- package/dist/security-finding-gate.d.ts.map +1 -0
- package/dist/security-finding-gate.js +82 -0
- package/dist/security-finding-gate.js.map +1 -0
- package/dist/security-rescan-resolution.d.ts +1 -27
- package/dist/security-rescan-resolution.d.ts.map +1 -1
- package/dist/security-rescan-resolution.js +1 -38
- package/dist/security-rescan-resolution.js.map +1 -1
- package/dist/security-scan-engine.d.ts +43 -23
- package/dist/security-scan-engine.d.ts.map +1 -1
- package/dist/security-scan-engine.js +54 -72
- package/dist/security-scan-engine.js.map +1 -1
- package/dist/spawner-lifecycle.d.ts +2 -0
- package/dist/spawner-lifecycle.d.ts.map +1 -1
- package/dist/spawner-lifecycle.js +3 -2
- package/dist/spawner-lifecycle.js.map +1 -1
- package/dist/verification-engine.d.ts +9 -0
- package/dist/verification-engine.d.ts.map +1 -1
- package/dist/verification-engine.js +29 -3
- package/dist/verification-engine.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-finding-gate.js","sourceRoot":"","sources":["../src/security-finding-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAgC9C,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,eAAuB,EACvB,IAA6B;IAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,eAAe,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnF,CAAC;IACD,OAAO;QACL,MAAM,EAAE,KAAK;QACb,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,MAAM,EAAE,qBAAqB,MAAM,CAAC,MAAM,EAAE;KAC7C,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,MAAc,EACd,IAA6B;IAE7B,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,yDAAyD,SAAS,KAAM,GAAa,CAAC,OAAO,EAAE,CAChG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,iDAAiD;AACjD,8EAA8E;AAE9E,MAAM,UAAU,mCAAmC;IACjD,OAAO;QACL,wBAAwB,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YAClD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,oCAAoC,EACpC,EAAE,eAAe,EAAE,CACpB,CAAC;YACF,IAAI,CAAC,GAAG,EAAE,SAAS,IAAI,CAAC,GAAG,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YAChD,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;QAC1D,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE;YAC3C,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3E,CAAC;KACF,CAAC;AACJ,CAAC"}
|
|
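--- a/package/dist/security-rescan-resolution.d.ts
+++ b/package/dist/security-rescan-resolution.d.ts
@@ -5,8 +5,7 @@
 * auto-verify the injection.
 *
 * Called by the scanner engine immediately after a run finishes writing
-* its findings, before
-* tick begins.
+* its findings, before the next tick begins.
 *
 * @module security-rescan-resolution
 */
@@ -56,29 +55,4 @@ export interface ScanRunFindingSet {
 */
 export declare function resolveStaleFindings(productId: string, observedSets: ScanRunFindingSet[], deps: ResolutionDeps): Promise<string[]>;
 export declare function buildDefaultResolutionDeps(): ResolutionDeps;
-export interface SuppressionExpirySweepDeps {
-/** Returns findings where status='suppressed' and suppression.expires_at < now(). */
-listExpiredSuppressions: () => Promise<Array<{
-id: string;
-organizationId: string;
-}>>;
-/** Set status='open', suppression=null. */
-unsuppressFinding: (findingId: string) => Promise<void>;
-/** Append audit row with action='unsuppressed' and reason='suppression_expired'. */
-writeAudit: (input: {
-findingId: string;
-organizationId: string;
-action: 'unsuppressed';
-payload: Record<string, unknown>;
-}) => Promise<void>;
-}
-/**
-* Sweep suppressions whose expires_at has passed and flip them back to
-* 'open'. Idempotent: a suppression already expired is a no-op on the
-* second call because the predicate now matches status='open'.
-*
-* @returns the finding ids whose suppression was lifted.
-*/
-export declare function runSuppressionExpirySweep(deps: SuppressionExpirySweepDeps): Promise<string[]>;
-export declare function buildDefaultSuppressionExpirySweepDeps(): SuppressionExpirySweepDeps;
 //# sourceMappingURL=security-rescan-resolution.d.ts.map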
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-rescan-resolution.d.ts","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"security-rescan-resolution.d.ts","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,gBAAgB,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IACzF,8DAA8D;IAC9D,mBAAmB,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,2CAA2C;IAC3C,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,UAAU,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpB;;;OAGG;IACH,0BAA0B,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChF,uEAAuE;IACvE,eAAe,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7D;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC1B;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,iBAAiB,EAAE,EACjC,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,MAAM,EAAE,CAAC,CAqCnB;AAMD,wBAAgB,0BAA0B,IAAI,cAAc,CA0B3D"}
|
|
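--- a/package/dist/security-rescan-resolution.js
+++ b/package/dist/security-rescan-resolution.js
@@ -5,8 +5,7 @@
 * auto-verify the injection.
 *
 * Called by the scanner engine immediately after a run finishes writing
-* its findings, before
-* tick begins.
+* its findings, before the next tick begins.
 *
 * @module security-rescan-resolution
 */
@@ -75,40 +74,4 @@ export function buildDefaultResolutionDeps() {
 },
 };
 }
-/**
-* Sweep suppressions whose expires_at has passed and flip them back to
-* 'open'. Idempotent: a suppression already expired is a no-op on the
-* second call because the predicate now matches status='open'.
-*
-* @returns the finding ids whose suppression was lifted.
-*/
-export async function runSuppressionExpirySweep(deps) {
-const expired = await deps.listExpiredSuppressions();
-const lifted = [];
-for (const finding of expired) {
-await deps.unsuppressFinding(finding.id);
-await deps.writeAudit({
-findingId: finding.id,
-organizationId: finding.organizationId,
-action: 'unsuppressed',
-payload: { reason: 'suppression_expired' },
-});
-lifted.push(finding.id);
-}
-return lifted;
-}
-export function buildDefaultSuppressionExpirySweepDeps() {
-return {
-listExpiredSuppressions: async () => {
-const res = await callApi('daemon_list_expired_security_suppressions', {});
-return res.items ?? [];
-},
-unsuppressFinding: async (findingId) => {
-await callApi('daemon_unsuppress_security_finding', { findingId });
-},
-writeAudit: async (input) => {
-await callApi('daemon_write_security_finding_audit', input);
-},
-};
-}
 //# sourceMappingURL=security-rescan-resolution.js.map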
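Review bot: Deleting runSuppressionExpirySweep and buildDefaultSuppressionExpirySweepDeps removes the only code on this page that flips status='suppressed' findings back to 'open' once suppression.expires_at has passed, so a time-boxed suppression silently becomes permanent unless the sweep now lives elsewhere; security-finding-gate.js is new in this release but only its source map is on this page, so that cannot be confirmed here. If the sweep moved, a one-line pointer in this file's header comment naming the module that now owns it would save the next reader the search; if it did not, whatever daemon loop invoked it should be checked for a dangling import and the expiry behaviour restored. The matching declarations are dropped from security-rescan-resolution.d.ts in the section above, which shares this point.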
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-rescan-resolution.js","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"security-rescan-resolution.js","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AA4C9C;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,YAAiC,EACjC,IAAoB;IAEpB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACxE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe;YAAE,SAAS;QAC/B,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC;YAAE,SAAS;QAEtD,oEAAoE;QACpE,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE;SACrE,CAAC,CAAC;QACH,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAE7B,uEAAuE;QACvE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAChF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE;YAChD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,oCAAoC,EACpC,EAAE,SAAS,EAAE,UAAU,EAAE,CAC1B,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACvC,MAAM,OAAO,CAAC,iCAAiC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;QACD,0BAA0B,EAAE,KAAK,
EAAE,eAAe,EAAE,EAAE;YACpD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,sCAAsC,EACtC,EAAE,eAAe,EAAE,CACpB,CAAC;YACF,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YACzC,MAAM,OAAO,CAAC,+BAA+B,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC;QACtE,CAAC;KACF,CAAC;AACJ,CAAC"}
|
|
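--- a/package/dist/security-scan-engine.d.ts
+++ b/package/dist/security-scan-engine.d.ts
@@ -2,24 +2,27 @@
 * Security scan engine.
 *
 * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
-* set), dispatches pluggable Scanner implementations per IOC class,
-*
-*
-*
+* set), dispatches pluggable Scanner implementations per IOC class, upserts
+* security_findings rows (one per product/ioc_class/identifier), and hands
+* any newly-observed or unremediated-open finding to security-auto-inject
+* for remediation materialization.
+*
+* No longer writes scan-run rows -- the current-state model only persists
+* findings. `last_run_at` on the config is updated directly at the end of
+* runScanForConfig.
 *
 * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
 * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
 * (unset/anything-but-'0' = enabled, '0' = disabled). See
 * docs/runbook-loop-activation.md.
 *
-* Pattern reference: verification-engine.ts (pluggable strategies + Deps).
-*
 * @module security-scan-engine
 */
 import type { DaemonConfig } from './types.js';
 import { type AutoInjectDeps } from './security-auto-inject.js';
 import { type ResolutionDeps } from './security-rescan-resolution.js';
 export type Severity = 'low' | 'medium' | 'high' | 'critical';
+export type FindingStatus = 'open' | 'remediating' | 'resolved' | 'escalated';
 /** Configuration row driving an individual product's scan cadence. */
 export interface ScanConfig {
 id: string;
@@ -58,29 +61,46 @@ export interface Scanner {
 }
 export declare function registerScanner(scanner: Scanner): void;
 export declare function getRegisteredScanners(): Scanner[];
+export interface UpsertFindingResult {
+findingId: string;
+/** True when this row was just inserted (vs an existing row was updated). */
+wasNew: boolean;
+status: FindingStatus;
+linkedInjectionId: string | null;
+}
+/** Options that further narrow which due configs the tick should pick up. */
+export interface DueScanConfigsOptions {
+/**
+* When true, return only configs with a pending manual-run request and
+* skip cron evaluation entirely. Used by the fast (30s) request-drain
+* loop so the click-to-run latency matches other queued-work pickups.
+*/
+manualOnly?: boolean;
+}
 export interface SecurityScanDeps {
-getDueScanConfigs: () => Promise<ScanConfig[]>;
-startRun: (configId: string, trigger: 'schedule' | 'manual') => Promise<string>;
-finishRun: (runId: string, update: {
-status: 'succeeded' | 'failed' | 'partial';
-coverageSummary: Record<string, unknown>;
-findingsCountBySeverity: Record<Severity, number>;
-durationMs: number;
-}) => Promise<void>;
+getDueScanConfigs: (opts?: DueScanConfigsOptions) => Promise<ScanConfig[]>;
 /**
-*
-*
+* Insert or update one row of security_findings. Conflict on
+* (product_id, ioc_class, identifier) updates last_seen_at, severity,
+* and payload. first_seen_at is set on insert only.
 */
-
-
-
+upsertFinding: (productId: string, organizationId: string, finding: FindingDraft) => Promise<UpsertFindingResult>;
+/** Stamp last_run_at on the config after a scan completes. */
+updateConfigLastRun: (configId: string) => Promise<void>;
 clearManualRunRequest: (configId: string) => Promise<void>;
 resolveCwd: (productId: string) => string;
+/**
+* Flush the OSV + GHSA feed caches. Invoked at the start of every
+* manual-triggered scan so a user-clicked "Refresh feeds" pulls fresh
+* upstream advisory data rather than the cached 15-minute window.
+*/
+clearFeedCaches: () => void;
 scanners: Scanner[];
 /**
-* Optional
-*
-*
+* Optional auto-injection hook. When set, each new finding (or
+* existing open finding with no remediation) is passed to
+* processNewFinding so the daemon can materialize a remediation
+* injection + delivery for it.
 */
 autoInjectDeps?: AutoInjectDeps;
 /**
@@ -91,6 +111,6 @@ export interface SecurityScanDeps {
 resolutionDeps?: ResolutionDeps;
 }
 export declare function runScanForConfig(config: ScanConfig, trigger: 'schedule' | 'manual', deps: SecurityScanDeps): Promise<void>;
-export declare function runSecurityScanTick(deps: SecurityScanDeps): Promise<void>;
+export declare function runSecurityScanTick(deps: SecurityScanDeps, opts?: DueScanConfigsOptions): Promise<void>;
 export declare function buildDefaultSecurityScanDeps(config: DaemonConfig): SecurityScanDeps;
 //# sourceMappingURL=security-scan-engine.d.ts.map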
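Review bot: The new `FindingStatus` union (file line 25) omits `'suppressed'`, yet the SuppressionExpirySweepDeps declarations removed from security-rescan-resolution.d.ts in this same release describe findings with status='suppressed', so either that state no longer exists in security_findings or `UpsertFindingResult.status` can carry a value the type does not admit and any exhaustive switch over it will be wrong at runtime. If suppressed rows can still exist, `export type FindingStatus = 'open' | 'remediating' | 'resolved' | 'escalated' | 'suppressed';` keeps the type honest; if the state was retired, a one-line comment on the alias saying it mirrors the database enum answers the question for the next reader. I cannot tell which from this page, since the schema is not shown.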
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-scan-engine.d.ts","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"security-scan-engine.d.ts","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,EAGL,KAAK,cAAc,EAEpB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAGL,KAAK,cAAc,EAEpB,MAAM,iCAAiC,CAAC;AAQzC,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAC9D,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,GAAG,WAAW,CAAC;AAE9E,sEAAsE;AACtE,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,2BAA2B,EAAE,QAAQ,CAAC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,+CAA+C;AAC/C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,8EAA8E;AAC9E,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,gDAAgD;AAChD,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,iFAAiF;IACjF,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAO;IACtB,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAC7C;AAQD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEtD;AAED,wBAAgB,qBAAqB,IAAI,OAAO,EAAE,CAEjD;AAMD,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,aAAa,CAAC;IACtB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,6EAA6E;AAC7E,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,CAAC,IAAI,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3E;;;;OAIG;IACH,aAAa,EAAE,CACb,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,YAAY,KAClB,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClC,8DAA8D;IAC9D,mBAAmB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACzD,qBAAqB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,UAAU,EAAE,CA
AC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAC;IAC1C;;;;OAIG;IACH,eAAe,EAAE,MAAM,IAAI,CAAC;IAC5B,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,UAAU,EAClB,OAAO,EAAE,UAAU,GAAG,QAAQ,EAC9B,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,IAAI,CAAC,CA4Ff;AAMD,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,gBAAgB,EACtB,IAAI,GAAE,qBAA0B,GAC/B,OAAO,CAAC,IAAI,CAAC,CAYf;AAMD,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CAsCnF"}
|
|
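--- a/package/dist/security-scan-engine.js
+++ b/package/dist/security-scan-engine.js
@@ -2,24 +2,28 @@
 * Security scan engine.
 *
 * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
-* set), dispatches pluggable Scanner implementations per IOC class,
-*
-*
-*
+* set), dispatches pluggable Scanner implementations per IOC class, upserts
+* security_findings rows (one per product/ioc_class/identifier), and hands
+* any newly-observed or unremediated-open finding to security-auto-inject
+* for remediation materialization.
+*
+* No longer writes scan-run rows -- the current-state model only persists
+* findings. `last_run_at` on the config is updated directly at the end of
+* runScanForConfig.
 *
 * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
 * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
 * (unset/anything-but-'0' = enabled, '0' = disabled). See
 * docs/runbook-loop-activation.md.
 *
-* Pattern reference: verification-engine.ts (pluggable strategies + Deps).
-*
 * @module security-scan-engine
 */
 import { callApi } from './queries/shared.js';
 import { configForProduct } from './config.js';
 import { buildDefaultAutoInjectDeps, processNewFinding, } from './security-auto-inject.js';
 import { resolveStaleFindings, buildDefaultResolutionDeps, } from './security-rescan-resolution.js';
+import { clearOsvCache } from './feeds/osv.js';
+import { clearGhsaCache } from './feeds/ghsa.js';
 // ---------------------------------------------------------------------------
 // Default registry -- scanners self-register here in their own modules
 // ---------------------------------------------------------------------------
@@ -31,13 +35,13 @@ export function getRegisteredScanners() {
 return [...DEFAULT_REGISTRY.values()];
 }
 export async function runScanForConfig(config, trigger, deps) {
-
-
-
-
-
-
-
+// Manual triggers carry the "Refresh feeds" intent: flush the OSV/GHSA
+// TTL caches so this scan pulls fresh advisory data instead of replaying
+// the 15-minute window. Scheduled triggers honour the cache to keep
+// upstream load proportional to scan cadence.
+if (trigger === 'manual') {
+deps.clearFeedCaches();
+}
 const enabledScanners = deps.scanners.filter((s) => config.enabledIocClasses.includes(s.iocClass));
 // Per-class observed identifier sets for re-scan resolution. Only
 // classes whose scanner ran without error contribute -- a failed
@@ -49,77 +53,60 @@ export async function runScanForConfig(config, trigger, deps) {
 config,
 repoPath: deps.resolveCwd(config.productId),
 });
-coverage[scanner.iocClass] = result.coverage;
-anySuccess = true;
 const observed = new Set();
 for (const finding of result.findings) {
-const
-counts[finding.severity] = (counts[finding.severity] ?? 0) + 1;
+const upsert = await deps.upsertFinding(config.productId, config.organizationId, finding);
 observed.add(finding.identifier);
-//
-//
-
+// Trigger auto-inject when:
+// * the finding is brand new, OR
+// * the existing finding is open with no remediation in flight
+// (e.g. previous delivery was cancelled).
+const shouldRemediate = upsert.wasNew || (upsert.status === 'open' && upsert.linkedInjectionId === null);
+if (deps.autoInjectDeps && shouldRemediate) {
 try {
 const forInjection = {
-id: findingId,
+id: upsert.findingId,
 organizationId: config.organizationId,
 productId: config.productId,
 iocClass: finding.iocClass,
 severity: finding.severity,
 identifier: finding.identifier,
 payload: finding.payload,
-status:
-
-linkedInjectionId: null,
-};
-const options = {
-autoInjectThreshold: config.autoInjectSeverityThreshold,
+status: upsert.status,
+linkedInjectionId: upsert.linkedInjectionId,
 };
-await processNewFinding(forInjection,
+await processNewFinding(forInjection, {}, deps.autoInjectDeps);
 }
 catch (err) {
-
+console.warn(`[security-scan-engine] auto-inject ${finding.identifier}:`, err.message);
 }
 }
 }
 observedByClass.set(scanner.iocClass, observed);
 }
 catch (err) {
-
-warnings.push(`${scanner.iocClass}: ${err.message}`);
-coverage[scanner.iocClass] = { error: err.message };
+console.warn(`[security-scan-engine] scanner ${scanner.iocClass} failed:`, err.message);
 }
 }
 // Re-scan resolution: previously-open findings whose class was
 // covered by this run but whose identifier did not re-appear are
-// flipped to 'resolved'. Failures here are non-fatal
-// already succeeded for its primary purpose (finding fresh issues).
+// flipped to 'resolved'. Failures here are non-fatal.
 if (deps.resolutionDeps && observedByClass.size > 0) {
 try {
 const observedSets = Array.from(observedByClass.entries()).map(([iocClass, identifiers]) => ({ iocClass, identifiers }));
-
-if (resolved.length > 0) {
-coverage.resolved_findings = resolved.length;
-}
+await resolveStaleFindings(config.productId, observedSets, deps.resolutionDeps);
 }
 catch (err) {
-
+console.warn('[security-scan-engine] resolution sweep failed:', err.message);
 }
 }
-
-
+// Stamp config.last_run_at so cadence recomputes.
+try {
+await deps.updateConfigLastRun(config.id);
+}
+catch (err) {
+console.warn('[security-scan-engine] updateConfigLastRun failed:', err.message);
 }
-const status = anyFailure
-? anySuccess
-? 'partial'
-: 'failed'
-: 'succeeded';
-await deps.finishRun(runId, {
-status,
-coverageSummary: coverage,
-findingsCountBySeverity: counts,
-durationMs: Date.now() - startedAt,
-});
 if (trigger === 'manual') {
 await deps.clearManualRunRequest(config.id);
 }
@@ -127,8 +114,8 @@ export async function runScanForConfig(config, trigger, deps) {
 // ---------------------------------------------------------------------------
 // Loop tick -- invoked by unified-shell on a fixed cadence
 // ---------------------------------------------------------------------------
-export async function runSecurityScanTick(deps) {
-const configs = await deps.getDueScanConfigs();
+export async function runSecurityScanTick(deps, opts = {}) {
+const configs = await deps.getDueScanConfigs(opts);
 for (const config of configs) {
 if (!config.enabled)
 continue;
@@ -138,8 +125,7 @@ export async function runSecurityScanTick(deps) {
 }
 catch {
 // Per-config failures are swallowed so a single broken product
-// does not stop the engine from servicing others.
-// already records the failure status.
+// does not stop the engine from servicing others.
 }
 }
 }
@@ -154,33 +140,29 @@ export function buildDefaultSecurityScanDeps(config) {
 return configForProduct(config, product).repoPath;
 };
 return {
-getDueScanConfigs: async () => {
-const res = await callApi('daemon_get_due_security_scan_configs', {});
+getDueScanConfigs: async (opts) => {
+const res = await callApi('daemon_get_due_security_scan_configs', opts?.manualOnly ? { manualOnly: true } : {});
 return res.items ?? [];
 },
-
-const res = await callApi('
-configId,
-trigger,
-});
-return res.runId;
-},
-finishRun: async (runId, update) => {
-await callApi('daemon_finish_security_scan_run', { runId, ...update });
-},
-writeFinding: async (runId, productId, organizationId, finding) => {
-const res = await callApi('daemon_write_security_finding', {
-runId,
+upsertFinding: async (productId, organizationId, finding) => {
+const res = await callApi('daemon_upsert_security_finding', {
 productId,
 organizationId,
 ...finding,
 });
-return
+return res;
+},
+updateConfigLastRun: async (configId) => {
+await callApi('daemon_update_scan_config_last_run', { configId });
 },
 clearManualRunRequest: async (configId) => {
 await callApi('daemon_clear_manual_scan_request', { configId });
 },
 resolveCwd,
+clearFeedCaches: () => {
+clearOsvCache();
+clearGhsaCache();
+},
 scanners: getRegisteredScanners(),
 autoInjectDeps: buildDefaultAutoInjectDeps(),
 resolutionDeps: buildDefaultResolutionDeps(),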
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-scan-engine.js","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"security-scan-engine.js","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,GAGlB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAkDjD,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAE9E,MAAM,gBAAgB,GAAyB,IAAI,GAAG,EAAE,CAAC;AAEzD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,CAAC,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AA8DD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAkB,EAClB,OAA8B,EAC9B,IAAsB;IAEtB,uEAAuE;IACvE,yEAAyE;IACzE,oEAAoE;IACpE,8CAA8C;IAC9C,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEnG,kEAAkE;IAClE,iEAAiE;IACjE,8CAA8C;IAC9C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAChC,MAAM;gBACN,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;aAC5C,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;YACnC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CACrC,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,cAAc,EACrB,OAAO,CACR,CAAC;gBACF,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAEjC,4BAA4B;gBAC5B,mCAAmC;gBACnC,iEAAiE;gBACjE,8CAA8C;gBAC9C,MAAM,eAAe,GACnB,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,iBAAiB,KAAK,IAAI,CAAC,CAAC;gBACnF,IAAI,IAAI,CAAC,cAAc,IAAI,eAAe,EAAE,CAAC;oBAC3C,IAAI,CAAC;wBACH,MAAM,YAAY,GAAwB;4BACxC,EAAE,EAAE,MAAM,CAAC,SAAS;4BACpB,cAAc,EAAE,MAAM,CAAC,cAAc;4BACrC,SAAS,EAAE,MAAM,CAAC,SAAS;4BAC3B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,UA
AU,EAAE,OAAO,CAAC,UAAU;4BAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;4BACxB,MAAM,EAAE,MAAM,CAAC,MAAM;4BACrB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;yBAC5C,CAAC;wBACF,MAAM,iBAAiB,CAAC,YAAY,EAAE,EAAE,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;oBACjE,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,OAAO,CAAC,IAAI,CACV,sCAAsC,OAAO,CAAC,UAAU,GAAG,EAC1D,GAAa,CAAC,OAAO,CACvB,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YACD,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CACV,kCAAkC,OAAO,CAAC,QAAQ,UAAU,EAC3D,GAAa,CAAC,OAAO,CACvB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,iEAAiE;IACjE,sDAAsD;IACtD,IAAI,IAAI,CAAC,cAAc,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,YAAY,GAAwB,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CACjF,CAAC,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CACzD,CAAC;YACF,MAAM,oBAAoB,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAClF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,iDAAiD,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,oDAAoD,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;IAC7F,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAsB,EACtB,OAA8B,EAAE;IAEhC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACnD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,SAAS;QAC9B,MAAM,OAAO,GAA0B,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3F,IAAI,CAAC;YACH,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,kDAAkD;QACpD,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,iDAAiD;AACjD,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B,CAAC,MAAoB;IAC/D,MAAM,UAAU,GAAG,CAAC,SAAiB,EAAU,EAAE;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,C
AAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO;YAAE,OAAO,MAAM,CAAC,QAAQ,CAAC;QACrC,OAAO,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC;IACpD,CAAC,CAAC;IAEF,OAAO;QACL,iBAAiB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,sCAAsC,EACtC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAC7C,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE;YAC1D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAsB,gCAAgC,EAAE;gBAC/E,SAAS;gBACT,cAAc;gBACd,GAAG,OAAO;aACX,CAAC,CAAC;YACH,OAAO,GAAG,CAAC;QACb,CAAC;QACD,mBAAmB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;YACtC,MAAM,OAAO,CAAC,oCAAoC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,qBAAqB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,UAAU;QACV,eAAe,EAAE,GAAG,EAAE;YACpB,aAAa,EAAE,CAAC;YAChB,cAAc,EAAE,CAAC;QACnB,CAAC;QACD,QAAQ,EAAE,qBAAqB,EAAE;QACjC,cAAc,EAAE,0BAA0B,EAAE;QAC5C,cAAc,EAAE,0BAA0B,EAAE;KAC7C,CAAC;AACJ,CAAC"}
|
|
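--- a/spawner-lifecycle.d.ts
+++ b/spawner-lifecycle.d.ts
@@ -36,6 +36,8 @@ export declare function spawnResolutionAgent(params: {
 integrationBranch: string;
 conflictFiles: string[];
 focusDescription: string;
+/** Focus's pipelineConfig.model. Null/undefined falls back to the CLI default. */
+model?: string | null;
 }): Promise<{
 success: boolean;
 error?: string;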
@@ -1 +1 @@
1
-
{"version":3,"file":"spawner-lifecycle.d.ts","sourceRoot":"","sources":["../src/spawner-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM7D;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,OAAO,CA2BT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,IAAI,CAIN;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,MAAM,CAER;AAOD;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE;IACjD,MAAM,EAAE,YAAY,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;
1
+
{"version":3,"file":"spawner-lifecycle.d.ts","sourceRoot":"","sources":["../src/spawner-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM7D;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,OAAO,CA2BT;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,IAAI,CAIN;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,GACvC,MAAM,CAER;AAOD;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE;IACjD,MAAM,EAAE,YAAY,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAmFhD;AAID,gEAAgE;AAChE,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,SAAS,MAAM,EAAE,CAAC;CACjC;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA2DxF"}
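--- a/spawner-lifecycle.js
+++ b/spawner-lifecycle.js
@@ -72,7 +72,7 @@ const RESOLUTION_AGENT_TIMEOUT_MS = 10 * 60 * 1000;
 * worktree, and exits. No session DB record, no streaming, no team mode.
 */
 export async function spawnResolutionAgent(params) {
-const { config, worktreePath, branchName, integrationBranch, conflictFiles, focusDescription } = params;
+const { config, worktreePath, branchName, integrationBranch, conflictFiles, focusDescription, model } = params;
 const prompt = [
 `You are resolving merge conflicts in a git worktree.`,
 ``,
@@ -99,11 +99,12 @@ export async function spawnResolutionAgent(params) {
 '--print',
 '--dangerously-skip-permissions',
 '--setting-sources', 'project,local',
+...(model ? ['--model', model] : []),
 prompt,
 ];
 // Build a clean environment (strip Claude Code session vars)
 const spawnEnv = stripClaudeCodeEnvVars(process.env);
-console.log(`[spawner] Spawning resolution agent for branch ${branchName} (${conflictFiles.length} conflicts)`);
+console.log(`[spawner] Spawning resolution agent for branch ${branchName} (${conflictFiles.length} conflicts, model: ${model ?? 'default'})`);
 return new Promise((resolve) => {
 const proc = spawn(config.claudeCodePath, args, {
 cwd: worktreePath,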
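Review bot: The new argv entry and the new log line disagree on what counts as "no model": `...(model ? ['--model', model] : [])` drops an empty string by truthiness, while `${model ?? 'default'}` prints an empty string as the model name, so an empty `pipelineConfig.model` logs as `model: ` yet actually runs on the CLI default. Normalizing once, e.g. `const effectiveModel = typeof model === 'string' && model.trim() ? model.trim() : undefined;`, and using `effectiveModel` in both the spread and the log keeps the log truthful. Because the value comes from focus configuration and lands unvalidated in the argv of a process launched with `--dangerously-skip-permissions`, it is also worth rejecting anything outside a narrow model-name pattern (a constructed example: `/^[\w.:-]+$/`) before it is spliced in, so a malformed value cannot be mis-parsed by the CLI as a further option or carry newlines into the log. The body of spawnResolutionAgent continues outside both hunks.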
@@ -1 +1 @@
1
-
{"version":3,"file":"spawner-lifecycle.js","sourceRoot":"","sources":["../src/spawner-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAE9D,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE/D;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,aAAwC;IAExC,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,wDAAwD;IACxD,IAAI,KAAK,CAAC,YAAY;QAAE,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACzD,IAAI,KAAK,CAAC,YAAY;QAAE,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,kEAAkE;QAClE,KAAK,CAAC,WAAW,GAAG,eAAe,CAAC;QACpC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,qEAAqE,CAAC,CAAC;QAEhG,+BAA+B;QAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;QAEpD,mDAAmD;QACnD,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,OAAO;YAC1C,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACvC,CAAC,EAAE,KAAK,CAAC,CAAC;QAEV,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,6BAA6B,SAAS,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3G,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,aAAwC;IAExC,KAAK,MAAM,CAAC,SAAS,CAAC,IAAI,aAAa,EAAE,CAAC;QACxC,cAAc,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,aAAwC;IAExC,OAAO,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAwC;IAExC,OAAO,aAAa,CAAC,IAAI,CAAC;AAC5B,CAAC;AAED,wEAAwE;AAExE,qDAAqD;AACrD,MAAM,2BAA2B,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,
1
+
{"version":3,"file":"spawner-lifecycle.js","sourceRoot":"","sources":["../src/spawner-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAE9D,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE/D;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,aAAwC;IAExC,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,wDAAwD;IACxD,IAAI,KAAK,CAAC,YAAY;QAAE,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACzD,IAAI,KAAK,CAAC,YAAY;QAAE,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,kEAAkE;QAClE,KAAK,CAAC,WAAW,GAAG,eAAe,CAAC;QACpC,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,qEAAqE,CAAC,CAAC;QAEhG,+BAA+B;QAC/B,UAAU,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;QAEpD,mDAAmD;QACnD,UAAU,CAAC,GAAG,EAAE;YACd,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,OAAO;YAC1C,cAAc,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACvC,CAAC,EAAE,KAAK,CAAC,CAAC;QAEV,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,6BAA6B,SAAS,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3G,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,aAAwC;IAExC,KAAK,MAAM,CAAC,SAAS,CAAC,IAAI,aAAa,EAAE,CAAC;QACxC,cAAc,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,aAAwC;IAExC,OAAO,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAwC;IAExC,OAAO,aAAa,CAAC,IAAI,CAAC;AAC5B,CAAC;AAED,wEAAwE;AAExE,qDAAqD;AACrD,MAAM,2BAA2B,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAS1C;IACC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,iBAAiB,EAAE,aAAa,EAAE,gBAAgB,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC;IAE/G,MAAM,MAAM,GAAG;QACb,sDAAsD;QACtD,EAAE;QACF,iBAAiB,YAAY,EAAE;QAC/B,eAAe,UAAU,EAAE;QAC3B,4BAA4B,iBAAi
B,EAAE;QAC/C,EAAE;QACF,uBAAuB;QACvB,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QACnC,EAAE;QACF,sBAAsB,gBAAgB,EAAE;QACxC,EAAE;QACF,mBAAmB;QACnB,6FAA6F;QAC7F,kDAAkD;QAClD,sDAAsD;QACtD,mCAAmC;QACnC,6EAA6E;QAC7E,EAAE;QACF,yGAAyG;QACzG,2CAA2C;KAC5C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,MAAM,IAAI,GAAG;QACX,SAAS;QACT,gCAAgC;QAChC,mBAAmB,EAAE,eAAe;QACpC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACpC,MAAM;KACP,CAAC;IAEF,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,GAAyC,CAAC,CAAC;IAE3F,OAAO,CAAC,GAAG,CAAC,kDAAkD,UAAU,KAAK,aAAa,CAAC,MAAM,sBAAsB,KAAK,IAAI,SAAS,GAAG,CAAC,CAAC;IAE9I,OAAO,IAAI,OAAO,CAAuC,CAAC,OAAO,EAAE,EAAE;QACnE,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,EAAE;YAC9C,GAAG,EAAE,YAAY;YACjB,GAAG,EAAE,QAAQ;YACb,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,yDAAyD;QACzD,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;QAElB,mCAAmC;QACnC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,OAAO,CAAC,IAAI,CAAC,8CAA8C,2BAA2B,GAAG,IAAI,YAAY,CAAC,CAAC;YAC3G,IAAI,CAAC;gBAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAI,EAAE,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAClE,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAI,EAAE,SAAS,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACpE,CAAC,EAAE,KAAK,CAAC,CAAC;QACZ,CAAC,EAAE,2BAA2B,CAAC,CAAC;QAEhC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,YAAY,CAAC,OAAO,CAAC,CAAC;YAEtB,6DAA6D;YAC7D,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,iBAAiB,CAAC,EAAE,YAAY,CAAC,CAAC;YAC5F,MAAM,aAAa,GAAG,cAAc,CAAC,OAAO;gBAC1C,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBACnD,CAAC,CAAC,EAAE,CAAC;YAEP,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,mDAAmD,UAAU,gBAAgB,IAAI,GAAG,CAAC,CAAC;gBAClG,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,GAAG,wBAAwB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/D,OAAO,CAAC,IAAI,CAAC,gDAAgD,UAAU,KAAK,GAAG,EAAE,CAA
C,CAAC;gBACnF,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,2CAA2C,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACxE,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAwBD;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAuB;IAC3D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC;IAEpG,MAAM,IAAI,GAAa;QACrB,SAAS;QACT,iBAAiB,EAAE,MAAM;QACzB,gCAAgC;QAChC,mBAAmB,EAAE,eAAe;QACpC,iBAAiB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QACzC,SAAS,EAAE,KAAK;KACjB,CAAC;IACF,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAElB,qEAAqE;IACrE,sEAAsE;IACtE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,MAAM,EAAE;QAC7C,KAAK,EAAE,MAAM,CAAC,cAAc;QAC5B,OAAO;KACR,CAAC,CAAC;IACH,wEAAwE;IACxE,QAAQ,CAAC,yBAAyB,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;IAEzD,OAAO,MAAM,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,EAAE;QACrD,IAAI,KAAmB,CAAC;QACxB,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,EAAE;gBACzC,GAAG,EAAE,YAAY,IAAI,MAAM,CAAC,QAAQ;gBACpC,GAAG,EAAE,sBAAsB,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC,sCAAsC,CAAC,EAAE,CAAC;gBAC7F,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,iBAAkB,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAC7G,OAAO;QACT,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;QAEnB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE
;YAC5B,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACvD,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
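--- a/verification-engine.d.ts
+++ b/verification-engine.d.ts
@@ -22,6 +22,7 @@ import { getPendingVerifications, type PendingVerification, type VerificationOut
 import type { DaemonConfig } from './types.js';
 import { type AiInspectionInputs } from './ai-inspection-context.js';
 import { runAiInspection as defaultRunAiInspection, type InspectionResult } from './ai-inspection-runner.js';
+import { type SecurityFindingGateDeps } from './security-finding-gate.js';
 interface StrategyResult {
 outcome: VerificationOutcome;
 rationale?: string;
@@ -76,6 +77,14 @@ export interface VerificationDeps {
 resolveAiInspectionInputs: (v: PendingVerification) => Promise<AiInspectionInputs | null>;
 resolveCwd: (productId: string | null) => string;
 integrationBranch: string;
+/**
+* Security workflow verify-closed gate. Consulted before
+* `verifyInjection` so a security-linked injection cannot be retired
+* unless the linked finding has flipped to 'resolved'. On failure the
+* gate escalates the finding (status='escalated', reason='verify_gate_failed')
+* and the engine demotes the verification outcome to 'failed'.
+*/
+securityFindingGate: SecurityFindingGateDeps;
 }
 /**
 * Run verification for a single delivery.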
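Review bot: `securityFindingGate` is added as a required member of `VerificationDeps`, so every existing builder of the deps object (test fixtures included) stops type-checking until it supplies a gate, and the doc comment does not say whether a pass-through implementation is available or intended. If omission is meant to be impossible, a sentence such as `* Required: no no-op default is provided, so a missing gate is a compile error rather than a silently disabled check.` would make that contract explicit; if a pass-through exists, naming it here saves callers a search. The comment also states engine behaviour (demoting the outcome to 'failed') that is implemented in the engine module rather than in this declaration, so the two descriptions need to be kept in sync. The earlier members of the interface lie outside the hunk.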
@@ -1 +1 @@
1
-
{"version":3,"file":"verification-engine.d.ts","sourceRoot":"","sources":["../src/verification-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,EACL,uBAAuB,EAGvB,KAAK,mBAAmB,EAExB,KAAK,mBAAmB,EACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,eAAe,IAAI,sBAAsB,EACzC,KAAK,gBAAgB,EACtB,MAAM,2BAA2B,CAAC;
1
+
{"version":3,"file":"verification-engine.d.ts","sourceRoot":"","sources":["../src/verification-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,EACL,uBAAuB,EAGvB,KAAK,mBAAmB,EAExB,KAAK,mBAAmB,EACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,eAAe,IAAI,sBAAsB,EACzC,KAAK,gBAAgB,EACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAIL,KAAK,uBAAuB,EAC7B,MAAM,4BAA4B,CAAC;AASpC,UAAU,cAAc;IACtB,OAAO,EAAE,mBAAmB,CAAC;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,cAAc,CAAC,CA2DzB;AAED,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,cAAc,CAAC,CAKhE;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,cAAc,CAAC,CAKrE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,gBAAgB,EACtB,CAAC,EAAE,mBAAmB,GACrB,OAAO,CAAC,cAAc,GAAG;IAAE,UAAU,CAAC,EAAE,gBAAgB,CAAA;CAAE,CAAC,CAkB7D;AAMD,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE;QACX,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QACtB,IAAI,EAAE,kBAAkB,GAAG,UAAU,GAAG,aAAa,GAAG,kBAAkB,GAAG,gBAAgB,CAAC;QAC9F,QAAQ,EAAE,MAAM,CAAC;QACjB,mBAAmB,EAAE,MAAM,CAAC;KAC7B,CAAC;CACH;AAED,MAAM,WAAW,gBAAgB;IAC/B,uBAAuB,EAAE,OAAO,uBAAuB,CAAC;IACxD,aAAa,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACnF,eAAe,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5D,qEAAqE;IACrE,iBAAiB,EAAE,CAAC,OAAO,EAAE,0BAA0B,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1E,gBAAgB,EAAE,OAAO,wBAAwB,CAAC;IAClD,eAAe,EAAE,OAAO,sBAAsB,CAAC;IAC/C,yBAAyB,EAAE,CAAC,CAAC,EAAE,mBAAmB,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAC1F,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,KAAK,MAAM,CAAC;IACjD,iBAAiB,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,mBAAmB,EAAE,uBAAuB,CAAC;CAC9C;AA6CD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,0BAA0B,CAC9C,CA
AC,EAAE,mBAAmB,EACtB,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,cAAc,CAAC,CAsEzB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,YAAY,EACpB,IAAI,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAC/B,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CA6BlG"}