@valence-ai/sdk 0.1.0 → 0.2.1

package/README.md

@@ -1,14 +1,17 @@
 # Valence SDK
 
-The Valence SDK adds pre-execution policy enforcement to tool-using applications.
+The Valence SDK is the integration layer for connecting an application to Valence AI.
 
-It sends tool execution requests to Valence before the tool runs and returns one of three outcomes:
+It is designed for teams that need a single integration path across development, CI, and live environments. The SDK provides the primitives required to run or report security scans, ingest security issues into Valence AI, stream live runtime telemetry, and optionally enforce review gates around sensitive actions. The objective is to connect an application directly to the Valence AI control plane without requiring persistent repository handover.
 
-- `ALLOW`
-- `BLOCK`
-- `REQUIRES_APPROVAL`
+It supports the full Valence AI flow:
 
-Use it at the tool execution boundary in your application or agent runtime.
+- run local or CI security scans
+- ingest security issues into Valence AI
+- send live runtime signals from local, staging, or production
+- add runtime review hooks for sensitive actions when needed
+
+Valence AI is security-issue first. Start with scan ingestion and runtime reporting, then enable runtime review controls only for workflows that require pre-execution validation.
 
 ## Package
 
@@ -23,14 +26,20 @@ npm install @valence-ai/sdk
 ## Environment variables
 
 ```env
-VALENCE_API_BASE_URL=http://localhost:3000
+VALENCE_API_BASE_URL=https://www.valenceai.co
 VALENCE_API_KEY=valence_pk_...
 VALENCE_WORKSPACE_ID=workspace-id
 VALENCE_PROJECT_ID=project-id
-VALENCE_AGENT_NAME=incidentos-agent
+VALENCE_SERVICE_NAME=web-app
 VALENCE_ENVIRONMENT=staging
 ```
 
+Optional for agent-control workflows:
+
+```env
+VALENCE_AGENT_NAME=incidentos-agent
+```
+
 ## Create a client
 
 ```ts
@@ -42,9 +51,153 @@ const client = createValenceClient({
 });
 ```
 
-## Guard a tool dispatcher
+## Run a local scan
+
+Use `runLocalSecurityScan` to scan the current project and ingest security issues into Valence AI through the shared issue pipeline.
+
+```ts
+import { createValenceClient, runLocalSecurityScan } from '@valence-ai/sdk';
+
+const client = createValenceClient({
+  baseUrl: process.env.VALENCE_API_BASE_URL!,
+  apiKey: process.env.VALENCE_API_KEY!,
+});
+
+const result = await runLocalSecurityScan(
+  {
+    baseUrl: process.env.VALENCE_API_BASE_URL!,
+    apiKey: process.env.VALENCE_API_KEY!,
+  },
+  {
+    cwd: process.cwd(),
+    environment: process.env.VALENCE_ENVIRONMENT as 'production' | 'staging' | 'sandbox',
+    projectId: process.env.VALENCE_PROJECT_ID!,
+    workspaceId: process.env.VALENCE_WORKSPACE_ID,
+    metadata: {
+      sourceLabel: 'Local developer scan',
+    },
+  }
+);
+
+console.log(`Uploaded ${result.findings.length} security issues`);
+```
+
+Current local scan coverage includes:
+
+- codebase checks for a narrow set of high-signal web-app issues
+- public environment variable exposure checks
+- dependency issues from `npm audit`
+
+## Report security issues directly
 
-This is the recommended integration model for real applications.
+If your CI job or custom scanner already produced issue records, upload them directly with `reportFindings`.
+
+```ts
+await client.reportFindings({
+  projectId: process.env.VALENCE_PROJECT_ID!,
+  workspaceId: process.env.VALENCE_WORKSPACE_ID,
+  environment: process.env.VALENCE_ENVIRONMENT as 'production' | 'staging' | 'sandbox',
+  source: 'CI_SCAN',
+  metadata: {
+    branch: process.env.GITHUB_REF_NAME,
+    commitSha: process.env.GITHUB_SHA,
+  },
+  findings: [
+    {
+      category: 'auth',
+      checkId: 'missing-httponly-cookie',
+      fingerprint: 'cookie-flag:session',
+      locationPath: 'app/api/session/route.ts',
+      locationLine: 18,
+      remediation: 'Set HttpOnly and Secure on session cookies.',
+      severity: 'HIGH',
+      summary: 'The session cookie appears to be missing one or more protective flags.',
+      title: 'Session cookie missing security flags',
+    },
+  ],
+});
+```
+
+## Report runtime security issues
+
+Use the runtime issue helpers when you want live application behavior to appear in Valence AI alongside scan results.
+
+### Hook runtime decisions automatically
+
+Use `createRuntimeFindingHooks` to convert runtime decisions into security issues ingested through the shared `/api/findings` pipeline.
+
+```ts
+import {
+  createRuntimeFindingHooks,
+  createToolExecutionGuard,
+  createValenceClient,
+} from '@valence-ai/sdk';
+
+const client = createValenceClient({
+  baseUrl: process.env.VALENCE_API_BASE_URL!,
+  apiKey: process.env.VALENCE_API_KEY!,
+});
+
+const runtimeHooks = createRuntimeFindingHooks(client, {
+  minimumRisk: 'HIGH',
+  serviceName: process.env.VALENCE_SERVICE_NAME ?? 'web-app',
+});
+
+const guard = createToolExecutionGuard(
+  client,
+  {
+    workspaceId: process.env.VALENCE_WORKSPACE_ID!,
+    projectId: process.env.VALENCE_PROJECT_ID!,
+    agentName: process.env.VALENCE_SERVICE_NAME ?? 'web-app',
+    environment: process.env.VALENCE_ENVIRONMENT as 'production' | 'staging' | 'sandbox',
+    goal: 'serve customer dashboard',
+  },
+  runtimeHooks
+);
+```
+
+By default, runtime security issues are created for:
+
+- blocked actions
+- review-required actions
+
+Enable `includeAllowDecisions` if you also want to retain allowed but high-risk actions.
+
+### Report a runtime decision directly
+
+If your application already has a decision and event object, you can report it directly.
+
+```ts
+import {
+  createValenceClient,
+  reportRuntimeDecisionFinding,
+} from '@valence-ai/sdk';
+
+await reportRuntimeDecisionFinding(
+  client,
+  {
+    workspaceId: process.env.VALENCE_WORKSPACE_ID!,
+    projectId: process.env.VALENCE_PROJECT_ID!,
+    agentName: process.env.VALENCE_SERVICE_NAME ?? 'web-app',
+    environment: 'production',
+    goal: 'export invoices',
+    tool: 'billing_export',
+    action: 'export',
+  },
+  {
+    decision: 'REQUIRES_APPROVAL',
+    reason: 'Billing exports require review in production.',
+    risk: 'HIGH',
+    policyId: 'policy_123',
+    approvalId: 'approval_123',
+    latencyMs: 14,
+  }
+);
+```
+
+## Add runtime review controls
+
+This is the optional advanced integration model for sensitive workflows and agentic products.
 
 ```ts
 import { createToolExecutionGuard } from '@valence-ai/sdk';
@@ -52,14 +205,14 @@ import { createToolExecutionGuard } from '@valence-ai/sdk';
 const guard = createToolExecutionGuard(client, {
   workspaceId: process.env.VALENCE_WORKSPACE_ID!,
   projectId: process.env.VALENCE_PROJECT_ID!,
-  agentName: process.env.VALENCE_AGENT_NAME!,
+  agentName: process.env.VALENCE_SERVICE_NAME ?? 'web-app',
   environment: process.env.VALENCE_ENVIRONMENT as 'production' | 'staging' | 'sandbox',
   goal: 'resolve_incident',
   sessionId: 'session-123',
 });
 ```
 
-## Run a guarded tool
+## Run a protected action
 
 ```ts
 const result = await guard.runTool(
@@ -74,7 +227,7 @@ const result = await guard.runTool(
 );
 ```
 
-## Use `withValenceGuard` for a single tool
+## Use `withValenceGuard` for one sensitive action
 
 ```ts
 import { withValenceGuard } from '@valence-ai/sdk';
@@ -94,7 +247,7 @@ const incident = await guardedReadIncident(async () => {
 });
 ```
 
-## Request contract
+## Runtime request contract
 
 ```ts
 type ToolEvent = {
@@ -128,13 +281,13 @@ type DecisionResponse = {
 
 ## Runtime behavior
 
-- normal requests go to `/api/decide`
-- `dryRun: true` goes to `/api/simulate`
-- `ALLOW` executes the wrapped tool
-- `BLOCK` throws `ValenceBlockError` before execution
-- `REQUIRES_APPROVAL` throws `ValenceApprovalRequiredError` before execution
+- local scan issues go to `/api/findings`
+- CI issues go to `/api/findings`
+- runtime issues go to `/api/findings`
+- sensitive runtime reviews go to `/api/decide`
+- `dryRun: true` uses `/api/simulate`
 
-Approval-required decisions are returned before execution so applications can route the request into an explicit review and retry workflow.
+The primary product path is security-issue ingestion. The decision endpoints only matter when you enable runtime review hooks for sensitive actions.
 
 ## Error handling
 
@@ -178,12 +331,16 @@ const decision = await guard.runTool(
 );
 ```
 
-Use dry-run when you want to preview the policy outcome without committing to a real operation.
+Use dry-run when you want to preview the runtime-control outcome without committing to a real operation.
 
 ## Exported API
 
 ```ts
 createValenceClient
+runLocalSecurityScan
+createRuntimeFindingHooks
+reportRuntimeDecisionFinding
+buildRuntimeDecisionFinding
 createToolExecutionGuard
 guardToolExecution
 withValenceGuard

package/dist/client.d.ts

@@ -1,5 +1,9 @@
-import type { DecisionResponse, ToolEvent, ValenceClientOptions } from './types.js';
+import type { DecisionResponse, FindingBatch, ToolEvent, ValenceClientOptions } from './types.js';
 export declare function createValenceClient(options: ValenceClientOptions): {
     decide(event: ToolEvent): Promise<DecisionResponse>;
+    reportFindings(batch: FindingBatch): Promise<{
+        ingested: number;
+        ok: true;
+    }>;
 };
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEpF,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB;kBAMrC,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC;EAwChE"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACR,gBAAgB,EAChB,YAAY,EACZ,SAAS,EACT,oBAAoB,EACvB,MAAM,YAAY,CAAC;AAEpB,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB;kBAOrC,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC;0BAwC9C,YAAY,GACpB,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,IAAI,CAAA;KAAE,CAAC;EAoBjD"}

package/dist/client.js

@@ -1,6 +1,7 @@
 export function createValenceClient(options) {
     const request = options.fetch ?? fetch;
     const decidePath = options.decidePath ?? '/api/decide';
+    const findingsPath = options.findingsPath ?? '/api/findings';
     const simulatePath = options.simulatePath ?? '/api/simulate';
     return {
         async decide(event) {
@@ -36,6 +37,21 @@ export function createValenceClient(options) {
                 }
             }
         },
+        async reportFindings(batch) {
+            const response = await request(`${options.baseUrl}${findingsPath}`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'x-api-key': options.apiKey,
+                    ...options.headers,
+                },
+                body: JSON.stringify(batch),
+            });
+            if (!response.ok) {
+                throw new Error(`Valence findings request failed with ${response.status}`);
+            }
+            return (await response.json());
+        },
     };
 }
 //# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,mBAAmB,CAAC,OAA6B;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,aAAa,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAE7D,OAAO;QACH,KAAK,CAAC,MAAM,CAAC,KAAgB;YACzB,MAAM,UAAU,GACZ,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YAC1E,MAAM,OAAO,GACT,UAAU,IAAI,OAAO,CAAC,SAAS;gBAC3B,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC;gBACzD,CAAC,CAAC,IAAI,CAAC;YAEf,IAAI,CAAC;gBACD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC;gBACtD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;oBACxD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACL,cAAc,EAAE,kBAAkB;wBAClC,WAAW,EAAE,OAAO,CAAC,MAAM;wBAC3B,GAAG,OAAO,CAAC,OAAO;qBACrB;oBACD,MAAM,EAAE,UAAU,EAAE,MAAM;oBAC1B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACjB,GAAG,KAAK;wBACR,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACtD,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK;wBAC7B,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;qBACrC,CAAC;iBACL,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACf,MAAM,IAAI,KAAK,CACX,wCAAwC,QAAQ,CAAC,MAAM,EAAE,CAC5D,CAAC;gBACN,CAAC;gBAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;YACvD,CAAC;oBAAS,CAAC;gBACP,IAAI,OAAO,EAAE,CAAC;oBACV,YAAY,CAAC,OAAO,CAAC,CAAC;gBAC1B,CAAC;YACL,CAAC;QACL,CAAC;KACJ,CAAC;AACN,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,mBAAmB,CAAC,OAA6B;IAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IACvC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,aAAa,CAAC;IACvD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC7D,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAE7D,OAAO;QACH,KAAK,CAAC,MAAM,CAAC,KAAgB;YACzB,MAAM,UAAU,GACZ,OAAO,eAAe,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YAC1E,MAAM,OAAO,GACT,UAAU,IAAI,OAAO,CAAC,SAAS;gBAC3B,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC;gBACzD,CAAC,CAAC,IAAI,CAAC;YAEf,IAAI,CAAC;gBACD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC;gBACtD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;oBACxD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACL,cAAc,EAAE,kBAAkB;wBAClC,WAAW,EAAE,OAAO,CAAC,MAAM;wBAC3B,GAAG,OAAO,CAAC,OAAO;qBACrB;oBACD,MAAM,EAAE,UAAU,EAAE,MAAM;oBAC1B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACjB,GAAG,KAAK;wBACR,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACtD,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK;wBAC7B,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;qBACrC,CAAC;iBACL,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACf,MAAM,IAAI,KAAK,CACX,wCAAwC,QAAQ,CAAC,MAAM,EAAE,CAC5D,CAAC;gBACN,CAAC;gBAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;YACvD,CAAC;oBAAS,CAAC;gBACP,IAAI,OAAO,EAAE,CAAC;oBACV,YAAY,CAAC,OAAO,CAAC,CAAC;gBAC1B,CAAC;YACL,CAAC;QACL,CAAC;QACD,KAAK,CAAC,cAAc,CAChB,KAAmB;YAEnB,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,GAAG,YAAY,EAAE,EAAE;gBAChE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,WAAW,EAAE,OAAO,CAAC,MAAM;oBAC3B,GAAG,OAAO,CAAC,OAAO;iBACrB;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;aAC9B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACX,wCAAwC,QAAQ,CAAC,MAAM,EAAE,CAC5D,CAAC;YACN,CAAC;YAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmC,CAAC;QACrE,CAAC;KACJ,CAAC;AACN,CAAC"}

package/dist/index.d.ts

@@ -1,5 +1,7 @@
 export { createValenceClient } from './client.js';
+export { runLocalSecurityScan } from './local-scan.js';
+export { buildRuntimeDecisionFinding, createRuntimeFindingHooks, reportRuntimeDecisionFinding, } from './runtime-findings.js';
 export { createToolExecutionGuard, guardToolExecution, withValenceGuard, } from './wrap-tool.js';
 export { ValenceApprovalRequiredError, ValenceBlockError, ValenceDecisionError, isValenceDecisionError, } from './errors.js';
-export type { DecisionResponse, ToolDefinition, ToolEvent, ToolExecutionContext, ToolExecutionHooks, ToolExecutionRequest, ToolParameters, ValenceClientOptions, ValenceDecision, ValenceEnvironment, ValenceRisk, } from './types.js';
+export type { DecisionResponse, FindingBatch, FindingSeverity, FindingSource, ToolDefinition, ToolEvent, ToolExecutionContext, ToolExecutionHooks, ToolExecutionRequest, ToolParameters, ValenceClientOptions, ValenceDecision, ValenceEnvironment, ValenceFinding, ValenceLocalScanOptions, ValenceLocalScanResult, ValenceRuntimeFindingOptions, ValenceRisk, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EACH,wBAAwB,EACxB,kBAAkB,EAClB,gBAAgB,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACH,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,GACzB,MAAM,aAAa,CAAC;AACrB,YAAY,EACR,gBAAgB,EAChB,cAAc,EACd,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,oBAAoB,EACpB,cAAc,EACd,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,WAAW,GACd,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACH,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,GAC/B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACH,wBAAwB,EACxB,kBAAkB,EAClB,gBAAgB,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACH,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,GACzB,MAAM,aAAa,CAAC;AACrB,YAAY,EACR,gBAAgB,EAChB,YAAY,EACZ,eAAe,EACf,aAAa,EACb,cAAc,EACd,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,oBAAoB,EACpB,cAAc,EACd,oBAAoB,EACpB,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,uBAAuB,EACvB,sBAAsB,EACtB,4BAA4B,EAC5B,WAAW,GACd,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -1,4 +1,6 @@
 export { createValenceClient } from './client.js';
+export { runLocalSecurityScan } from './local-scan.js';
+export { buildRuntimeDecisionFinding, createRuntimeFindingHooks, reportRuntimeDecisionFinding, } from './runtime-findings.js';
 export { createToolExecutionGuard, guardToolExecution, withValenceGuard, } from './wrap-tool.js';
 export { ValenceApprovalRequiredError, ValenceBlockError, ValenceDecisionError, isValenceDecisionError, } from './errors.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EACH,wBAAwB,EACxB,kBAAkB,EAClB,gBAAgB,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACH,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,GACzB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACH,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,GAC/B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACH,wBAAwB,EACxB,kBAAkB,EAClB,gBAAgB,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACH,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,GACzB,MAAM,aAAa,CAAC"}

package/dist/local-scan-rules.d.ts

@@ -0,0 +1,3 @@
+import type { ValenceFinding } from './types.js';
+export declare function findCodebaseFindings(file: string, content: string, cwd: string): ValenceFinding[];
+//# sourceMappingURL=local-scan-rules.d.ts.map

package/dist/local-scan-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-scan-rules.d.ts","sourceRoot":"","sources":["../src/local-scan-rules.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,oBAO9E"}

package/dist/local-scan-rules.js

@@ -0,0 +1,115 @@
+import { createHash } from 'node:crypto';
+export function findCodebaseFindings(file, content, cwd) {
+    return [
+        ...findDangerouslySetInnerHtml(file, content, cwd),
+        ...findTargetBlankWithoutRel(file, content, cwd),
+        ...findUnsafeRedirects(file, content, cwd),
+        ...findCookiesMissingSecurityFlags(file, content, cwd),
+    ];
+}
+function findDangerouslySetInnerHtml(file, content, cwd) {
+    const findings = [];
+    const lines = content.split(/\r?\n/);
+    lines.forEach((line, index) => {
+        if (!line.includes('dangerouslySetInnerHTML')) {
+            return;
+        }
+        findings.push({
+            category: 'app-security',
+            checkId: 'dangerously-set-inner-html',
+            fingerprint: fingerprint(`${file}:${index + 1}:dangerously-set-inner-html`),
+            locationLine: index + 1,
+            locationPath: normalizePath(cwd, file),
+            remediation: 'Avoid rendering raw HTML where possible. If required, sanitize the content before rendering and document the trust boundary.',
+            severity: 'HIGH',
+            summary: 'Direct HTML injection can introduce XSS risk when untrusted content reaches rendered markup.',
+            title: 'Potential XSS risk from dangerouslySetInnerHTML',
+        });
+    });
+    return findings;
+}
+function findTargetBlankWithoutRel(file, content, cwd) {
+    const findings = [];
+    const lines = content.split(/\r?\n/);
+    lines.forEach((line, index) => {
+        if (!line.includes('target="_blank"')) {
+            return;
+        }
+        if (line.includes('rel="noopener noreferrer"')) {
+            return;
+        }
+        findings.push({
+            category: 'app-security',
+            checkId: 'target-blank-without-rel',
+            fingerprint: fingerprint(`${file}:${index + 1}:target-blank-without-rel`),
+            locationLine: index + 1,
+            locationPath: normalizePath(cwd, file),
+            remediation: 'Add rel="noopener noreferrer" to links that open a new tab to prevent reverse-tabnabbing and opener access.',
+            severity: 'MEDIUM',
+            summary: 'Links that open a new tab without rel protection can expose opener-related security issues.',
+            title: 'External link opens in new tab without rel protection',
+        });
+    });
+    return findings;
+}
+function findUnsafeRedirects(file, content, cwd) {
+    const findings = [];
+    const lines = content.split(/\r?\n/);
+    lines.forEach((line, index) => {
+        const hasRedirectCall = line.includes('redirect(') ||
+            line.includes('router.push(') ||
+            line.includes('window.location');
+        const hasUntrustedInput = line.includes('searchParams.get(') ||
+            line.includes('nextUrl.searchParams.get(') ||
+            line.includes('params.get(');
+        if (!hasRedirectCall || !hasUntrustedInput) {
+            return;
+        }
+        findings.push({
+            category: 'app-security',
+            checkId: 'unsafe-redirect-input',
+            fingerprint: fingerprint(`${file}:${index + 1}:unsafe-redirect-input`),
+            locationLine: index + 1,
+            locationPath: normalizePath(cwd, file),
+            remediation: 'Validate redirect targets against an allowlist or restrict them to safe internal paths before redirecting.',
+            severity: 'HIGH',
+            summary: 'Redirect logic appears to consume URL parameters directly, which can introduce open-redirect issues.',
+            title: 'Potential open redirect from untrusted URL input',
+        });
+    });
+    return findings;
+}
+function findCookiesMissingSecurityFlags(file, content, cwd) {
+    const findings = [];
+    const lines = content.split(/\r?\n/);
+    lines.forEach((line, index) => {
+        if (!line.includes('cookies().set(') && !line.includes('Set-Cookie')) {
+            return;
+        }
+        const context = lines.slice(index, index + 4).join('\n');
+        const hasHttpOnly = context.includes('httpOnly: true') || context.includes('HttpOnly');
+        const hasSecure = context.includes('secure: true') || context.includes('Secure');
+        if (hasHttpOnly && hasSecure) {
+            return;
+        }
+        findings.push({
+            category: 'app-security',
+            checkId: 'cookie-missing-security-flags',
+            fingerprint: fingerprint(`${file}:${index + 1}:cookie-missing-security-flags`),
+            locationLine: index + 1,
+            locationPath: normalizePath(cwd, file),
+            remediation: 'Set sensitive cookies with both HttpOnly and Secure flags and review SameSite behavior for the session flow.',
+            severity: 'HIGH',
+            summary: 'Cookie-setting logic appears to miss one or more important security flags.',
+            title: 'Sensitive cookie may be missing security flags',
+        });
+    });
+    return findings;
+}
+function normalizePath(cwd, file) {
+    return file.replace(`${cwd}\\`, '').split('\\').join('/');
+}
+function fingerprint(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+//# sourceMappingURL=local-scan-rules.js.map

package/dist/local-scan-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-scan-rules.js","sourceRoot":"","sources":["../src/local-scan-rules.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,OAAe,EAAE,GAAW;IAC3E,OAAO;QACH,GAAG,2BAA2B,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC;QAClD,GAAG,yBAAyB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC;QAChD,GAAG,mBAAmB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC;QAC1C,GAAG,+BAA+B,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC;KACzD,CAAC;AACN,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAY,EAAE,OAAe,EAAE,GAAW;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAErC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC5C,OAAO;QACX,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,4BAA4B;YACrC,WAAW,EAAE,WAAW,CAAC,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,6BAA6B,CAAC;YAC3E,YAAY,EAAE,KAAK,GAAG,CAAC;YACvB,YAAY,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;YACtC,WAAW,EACP,8HAA8H;YAClI,QAAQ,EAAE,MAAM;YAChB,OAAO,EACH,8FAA8F;YAClG,KAAK,EAAE,iDAAiD;SAC3D,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY,EAAE,OAAe,EAAE,GAAW;IACzE,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAErC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACpC,OAAO;QACX,CAAC;QAED,IAAI,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;YAC7C,OAAO;QACX,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,0BAA0B;YACnC,WAAW,EAAE,WAAW,CAAC,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,2BAA2B,CAAC;YACzE,YAAY,EAAE,KAAK,GAAG,CAAC;YACvB,YAAY,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;YACtC,WAAW,EACP,6GAA6G;YACjH,QAAQ,EAAE,QAAQ;YAClB,OAAO,EACH,6FAA6F;YACjG,KAAK,EAAE,uDAAuD;SACjE,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAY,EAAE,OAAe,EAAE,GAAW;IACnE,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAErC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC1B,MAAM,eAAe,GACjB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC1B,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAC7B,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;QACrC,MAAM,iBAAiB,GACnB,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YAClC,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAEjC,IAAI,CAAC,eAAe,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzC,OAAO;QACX,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,uBAAuB;YAChC,WAAW,EAAE,WAAW,CAAC,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,wBAAwB,CAAC;YACtE,YAAY,EAAE,KAAK,GAAG,CAAC;YACvB,YAAY,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;YACtC,WAAW,EACP,4GAA4G;YAChH,QAAQ,EAAE,MAAM;YAChB,OAAO,EACH,sGAAsG;YAC1G,KAAK,EAAE,kDAAkD;SAC5D,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,SAAS,+BAA+B,CAAC,IAAY,EAAE,OAAe,EAAE,GAAW;IAC/E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAErC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACnE,OAAO;QACX,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,WAAW,GACb,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEjF,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;YAC3B,OAAO;QACX,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,+BAA+B;YACxC,WAAW,EAAE,WAAW,CAAC,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,gCAAgC,CAAC;YAC9E,YAAY,EAAE,KAAK,GAAG,CAAC;YACvB,YAAY,EAAE,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;YACtC,WAAW,EACP,8GAA8G;YAClH,QAAQ,EAAE,MAAM;YAChB,OAAO,EACH,4EAA4E;YAChF,KAAK,EAAE,gDAAgD;SAC1D,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,IAAY;IAC5C,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/local-scan.d.ts

@@ -0,0 +1,3 @@
+import type { ValenceClientOptions, ValenceLocalScanOptions, ValenceLocalScanResult } from './types.js';
+export declare function runLocalSecurityScan(clientOptions: ValenceClientOptions, options: ValenceLocalScanOptions): Promise<ValenceLocalScanResult>;
+//# sourceMappingURL=local-scan.d.ts.map

package/dist/local-scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-scan.d.ts","sourceRoot":"","sources":["../src/local-scan.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACR,oBAAoB,EAEpB,uBAAuB,EACvB,sBAAsB,EACzB,MAAM,YAAY,CAAC;AAcpB,wBAAsB,oBAAoB,CACtC,aAAa,EAAE,oBAAoB,EACnC,OAAO,EAAE,uBAAuB,GACjC,OAAO,CAAC,sBAAsB,CAAC,CAwBjC"}

package/dist/local-scan.js

@@ -0,0 +1,197 @@
+import { createHash } from 'node:crypto';
+import { execFile } from 'node:child_process';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { promisify } from 'node:util';
+import { createValenceClient } from './client.js';
+import { findCodebaseFindings } from './local-scan-rules.js';
+const execFileAsync = promisify(execFile);
+const MAX_FILE_BYTES = 256000;
+const CODE_FILE_EXTENSIONS = new Set(['.js', '.jsx', '.ts', '.tsx']);
+const IGNORE_SEGMENTS = new Set([
+    '.git',
+    '.next',
+    'coverage',
+    'dist',
+    'node_modules',
+]);
+const SECRET_KEYWORDS = ['API_KEY', 'PASSWORD', 'PRIVATE_KEY', 'SECRET', 'TOKEN'];
+export async function runLocalSecurityScan(clientOptions, options) {
+    const cwd = options.cwd ?? process.cwd();
+    const findings = dedupeFindings([
+        ...(await scanCodebase(cwd)),
+        ...(await scanEnvironmentFiles(cwd)),
+        ...(await scanDependencyAudit(cwd)),
+    ]);
+    if (findings.length > 0) {
+        const client = createValenceClient(clientOptions);
+        await client.reportFindings({
+            environment: options.environment,
+            findings,
+            metadata: options.metadata,
+            projectId: options.projectId,
+            source: 'LOCAL_SCAN',
+            workspaceId: options.workspaceId,
+        });
+    }
+    return {
+        findings,
+        uploaded: findings.length > 0,
+    };
+}
+async function scanCodebase(cwd) {
+    const files = await collectFiles(cwd);
+    const findings = [];
+    for (const file of files) {
+        const ext = path.extname(file);
+        if (!CODE_FILE_EXTENSIONS.has(ext)) {
+            continue;
+        }
+        const content = await safeReadFile(file);
+        if (!content) {
+            continue;
+        }
+        findings.push(...findCodebaseFindings(file, content, cwd));
+    }
+    return findings;
+}
+async function scanEnvironmentFiles(cwd) {
+    const entries = await fs.readdir(cwd, { withFileTypes: true });
+    const findings = [];
+    for (const entry of entries) {
+        if (!entry.isFile() || !entry.name.startsWith('.env')) {
+            continue;
+        }
+        const absolutePath = path.join(cwd, entry.name);
+        const content = await safeReadFile(absolutePath);
+        if (!content) {
+            continue;
+        }
+        const lines = content.split(/\r?\n/);
+        lines.forEach((line, index) => {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#')) {
+                return;
+            }
+            const equalsIndex = trimmed.indexOf('=');
+            if (equalsIndex === -1) {
+                return;
+            }
+            const key = trimmed.slice(0, equalsIndex).trim();
+            if (!key.startsWith('NEXT_PUBLIC_')) {
+                return;
+            }
+            const upperKey = key.toUpperCase();
+            if (!SECRET_KEYWORDS.some((keyword) => upperKey.includes(keyword))) {
+                return;
+            }
+            findings.push({
+                category: 'secrets',
+                checkId: 'public-env-secret',
+                fingerprint: fingerprint(`${absolutePath}:${key}:public-env-secret`),
+                locationLine: index + 1,
+                locationPath: normalizePath(cwd, absolutePath),
+                remediation: 'Move this value to a server-only environment variable and remove the public client exposure.',
+                severity: 'CRITICAL',
+                summary: 'A public environment variable appears to expose a credential-like value to the client bundle.',
+                title: 'Potential secret exposed through public environment variable',
+            });
+        });
+    }
+    return findings;
+}
+async function scanDependencyAudit(cwd) {
+    try {
+        await fs.access(path.join(cwd, 'package.json'));
+    }
+    catch {
+        return [];
+    }
+    let stdout = '';
+    try {
+        const result = await execFileAsync('npm', ['audit', '--json', '--omit=dev'], {
+            cwd,
+            windowsHide: true,
+        });
+        stdout = result.stdout;
+    }
+    catch (error) {
+        const failure = error;
+        stdout = failure.stdout ?? '';
+    }
+    if (!stdout) {
+        return [];
+    }
+    try {
+        const audit = JSON.parse(stdout);
+        return Object.entries(audit.vulnerabilities ?? {}).map(([pkg, details]) => {
+            const advisory = details.via?.find((item) => typeof item === 'object' && item !== null)?.title;
+            return {
+                category: 'dependencies',
+                checkId: 'npm-audit',
+                fingerprint: fingerprint(`npm-audit:${pkg}:${details.severity ?? 'low'}:${advisory ?? 'unknown'}`),
+                metadata: {
+                    advisory: advisory ?? null,
+                    fixAvailable: Boolean(details.fixAvailable),
+                    packageName: pkg,
+                },
+                remediation: 'Upgrade the package to a fixed version or replace it if no supported fix is available.',
+                severity: normalizeAuditSeverity(details.severity),
+                summary: advisory
+                    ? `${pkg} has a known vulnerability reported by npm audit: ${advisory}.`
+                    : `${pkg} has a known vulnerability reported by npm audit.`,
+                title: `Vulnerable dependency detected in ${pkg}`,
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+async function collectFiles(dir) {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    const results = [];
+    for (const entry of entries) {
+        if (IGNORE_SEGMENTS.has(entry.name)) {
+            continue;
+        }
+        const absolutePath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...(await collectFiles(absolutePath)));
+        }
+        else if (entry.isFile()) {
+            results.push(absolutePath);
+        }
+    }
+    return results;
+}
+async function safeReadFile(file) {
+    const stat = await fs.stat(file);
+    if (stat.size > MAX_FILE_BYTES) {
+        return null;
+    }
+    return fs.readFile(file, 'utf8');
+}
+function normalizePath(cwd, file) {
+    return path.relative(cwd, file).split(path.sep).join('/');
+}
+function normalizeAuditSeverity(severity) {
+    switch ((severity ?? '').toLowerCase()) {
+        case 'critical':
+            return 'CRITICAL';
+        case 'high':
+            return 'HIGH';
+        case 'moderate':
+        case 'medium':
+            return 'MEDIUM';
+        default:
+            return 'LOW';
+    }
+}
+function dedupeFindings(findings) {
+    return [...new Map(findings.map((item) => [item.fingerprint, item])).values()];
+}
+function fingerprint(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+//# sourceMappingURL=local-scan.js.map

package/dist/local-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-scan.js","sourceRoot":"","sources":["../src/local-scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAQ7D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,cAAc,GAAG,MAAO,CAAC;AAC/B,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AACrE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC5B,MAAM;IACN,OAAO;IACP,UAAU;IACV,MAAM;IACN,cAAc;CACjB,CAAC,CAAC;AACH,MAAM,eAAe,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAElF,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACtC,aAAmC,EACnC,OAAgC;IAEhC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,cAAc,CAAC;QAC5B,GAAG,CAAC,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;QAC5B,GAAG,CAAC,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACpC,GAAG,CAAC,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;KACtC,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;QAClD,MAAM,MAAM,CAAC,cAAc,CAAC;YACxB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,QAAQ;YACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,YAAY;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;SACnC,CAAC,CAAC;IACP,CAAC;IAED,OAAO;QACH,QAAQ;QACR,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;KAChC,CAAC;AACN,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,SAAS;QACb,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,SAAS;QACb,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,GAAW;IAC3C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACpD,SAAS;QACb,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,SAAS;QACb,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAErC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,OAAO;YACX,CAAC;YAED,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACzC,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;gBACrB,OAAO;YACX,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClC,OAAO;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACnC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACjE,OAAO;YACX,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC;gBACV,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,mBAAmB;gBAC5B,WAAW,EAAE,WAAW,CAAC,GAAG,YAAY,IAAI,GAAG,oBAAoB,CAAC;gBACpE,YAAY,EAAE,KAAK,GAAG,CAAC;gBACvB,YAAY,EAAE,aAAa,CAAC,GAAG,EAAE,YAAY,CAAC;gBAC9C,WAAW,EACP,8FAA8F;gBAClG,QAAQ,EAAE,UAAU;gBACpB,OAAO,EACH,+FAA+F;gBACnG,KAAK,EAAE,8DAA8D;aACxE,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;IACP,CAAC;IAED,OAAO,QAAQ,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAAW;IAC1C,IAAI,CAAC;QACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,CAAC;IACd,CAAC;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,IAAI,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE;YACzE,GAAG;YACH,WAAW,EAAE,IAAI;SACpB,CAAC,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,KAA4B,CAAC;QAC7C,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAS9B,CAAC;QAEF,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,EAAE;YACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAC9B,CAAC,IAAI,EAA8B,EAAE,CACjC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAChD,EAAE,KAAK,CAAC;YAET,OAAO;gBACH,QAAQ,EAAE,cAAc;gBACxB,OAAO,EAAE,WAAW;gBACpB,WAAW,EAAE,WAAW,CACpB,aAAa,GAAG,IAAI,OAAO,CAAC,QAAQ,IAAI,KAAK,IAAI,QAAQ,IAAI,SAAS,EAAE,CAC3E;gBACD,QAAQ,EAAE;oBACN,QAAQ,EAAE,QAAQ,IAAI,IAAI;oBAC1B,YAAY,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;oBAC3C,WAAW,EAAE,GAAG;iBACnB;gBACD,WAAW,EACP,wFAAwF;gBAC5F,QAAQ,EAAE,sBAAsB,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAClD,OAAO,EAAE,QAAQ;oBACb,CAAC,CAAC,GAAG,GAAG,qDAAqD,QAAQ,GAAG;oBACxE,CAAC,CAAC,GAAG,GAAG,mDAAmD;gBAC/D,KAAK,EAAE,qCAAqC,GAAG,EAAE;aAC3B,CAAC;QAC/B,CAAC,CAAC,CAAC;IACP,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,CAAC;IACd,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAW;IACnC,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,SAAS;QACb,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEhD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/B,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,IAAY;IACpC,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,IAAI,CAAC,IAAI,GAAG,cAAc,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,IAAY;IAC5C,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,sBAAsB,CAAC,QAA4B;IACxD,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACrC,KAAK,UAAU;YACX,OAAO,UAAU,CAAC;QACtB,KAAK,MAAM;YACP,OAAO,MAAM,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,QAAQ;YACT,OAAO,QAAQ,CAAC;QACpB;YACI,OAAO,KAAK,CAAC;IACrB,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,QAA0B;IAC9C,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/runtime-findings.d.ts

@@ -0,0 +1,14 @@
+import type { DecisionResponse, ToolEvent, ToolExecutionHooks, ValenceFinding, ValenceRuntimeFindingOptions } from './types.js';
+import { createValenceClient } from './client.js';
+type ValenceClient = Pick<ReturnType<typeof createValenceClient>, 'reportFindings'>;
+export declare function buildRuntimeDecisionFinding(event: ToolEvent, decision: DecisionResponse, options?: ValenceRuntimeFindingOptions): ValenceFinding | null;
+export declare function reportRuntimeDecisionFinding(client: ValenceClient, event: ToolEvent, decision: DecisionResponse, options?: ValenceRuntimeFindingOptions): Promise<{
+    reported: false;
+    finding?: undefined;
+} | {
+    finding: ValenceFinding;
+    reported: true;
+}>;
+export declare function createRuntimeFindingHooks(client: ValenceClient, options?: ValenceRuntimeFindingOptions): ToolExecutionHooks<unknown>;
+export {};
+//# sourceMappingURL=runtime-findings.d.ts.map

package/dist/runtime-findings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-findings.d.ts","sourceRoot":"","sources":["../src/runtime-findings.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACR,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,cAAc,EACd,4BAA4B,EAE/B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,KAAK,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,EAAE,gBAAgB,CAAC,CAAC;AAQpF,wBAAgB,2BAA2B,CACvC,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE,4BAAiC,GAC3C,cAAc,GAAG,IAAI,CAwCvB;AAED,wBAAsB,4BAA4B,CAC9C,MAAM,EAAE,aAAa,EACrB,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE,4BAAiC;;;;;;GAgB7C;AAED,wBAAgB,yBAAyB,CACrC,MAAM,EAAE,aAAa,EACrB,OAAO,GAAE,4BAAiC,GAC3C,kBAAkB,CAAC,OAAO,CAAC,CAM7B"}

package/dist/runtime-findings.js

@@ -0,0 +1,115 @@
+import { createHash } from 'node:crypto';
+const riskOrder = {
+    LOW: 0,
+    MEDIUM: 1,
+    HIGH: 2,
+};
+export function buildRuntimeDecisionFinding(event, decision, options = {}) {
+    if (!shouldReportDecision(decision, options)) {
+        return null;
+    }
+    const runtimeName = options.serviceName ?? event.agentName ?? 'unknown-runtime';
+    const title = getRuntimeFindingTitle(decision);
+    const summary = getRuntimeFindingSummary(event, decision, runtimeName);
+    return {
+        category: options.category ?? 'runtime-security',
+        checkId: options.checkId ?? `runtime-${decision.decision.toLowerCase()}`,
+        fingerprint: fingerprint([
+            event.projectId ?? 'unknown-project',
+            event.environment,
+            runtimeName,
+            event.tool,
+            event.action,
+            decision.decision,
+            decision.reason,
+        ].join(':')),
+        metadata: {
+            action: event.action,
+            approvalId: decision.approvalId,
+            goal: event.goal,
+            parameters: event.parameters ?? null,
+            policyId: decision.policyId,
+            reason: decision.reason,
+            risk: decision.risk,
+            runtimeName,
+            sessionId: event.sessionId ?? null,
+            tool: event.tool,
+        },
+        remediation: getRuntimeRemediation(decision),
+        severity: getRuntimeSeverity(decision),
+        summary,
+        title,
+    };
+}
+export async function reportRuntimeDecisionFinding(client, event, decision, options = {}) {
+    const finding = buildRuntimeDecisionFinding(event, decision, options);
+    if (!finding || !event.projectId) {
+        return { reported: false };
+    }
+    await client.reportFindings({
+        environment: event.environment,
+        findings: [finding],
+        projectId: event.projectId,
+        source: 'RUNTIME',
+        workspaceId: event.workspaceId,
+    });
+    return { finding, reported: true };
+}
+export function createRuntimeFindingHooks(client, options = {}) {
+    return {
+        async onDecision(decision, event) {
+            await reportRuntimeDecisionFinding(client, event, decision, options);
+        },
+    };
+}
+function shouldReportDecision(decision, options) {
+    if (decision.decision !== 'ALLOW') {
+        return true;
+    }
+    if (!options.includeAllowDecisions) {
+        return false;
+    }
+    const minimumRisk = options.minimumRisk ?? 'HIGH';
+    return riskOrder[decision.risk] >= riskOrder[minimumRisk];
+}
+function getRuntimeSeverity(decision) {
+    if (decision.decision === 'BLOCK') {
+        return 'CRITICAL';
+    }
+    if (decision.decision === 'REQUIRES_APPROVAL') {
+        return 'HIGH';
+    }
+    return decision.risk === 'HIGH' ? 'HIGH' : 'MEDIUM';
+}
+function getRuntimeFindingTitle(decision) {
+    if (decision.decision === 'BLOCK') {
+        return 'Blocked runtime action detected';
+    }
+    if (decision.decision === 'REQUIRES_APPROVAL') {
+        return 'Runtime action requires approval';
+    }
+    return 'High-risk runtime action allowed';
+}
+function getRuntimeFindingSummary(event, decision, runtimeName) {
+    const actionLabel = `${event.tool}.${event.action}`;
+    if (decision.decision === 'BLOCK') {
+        return `${runtimeName} attempted ${actionLabel} and Valence blocked it: ${decision.reason}`;
+    }
+    if (decision.decision === 'REQUIRES_APPROVAL') {
+        return `${runtimeName} attempted ${actionLabel} and Valence required approval: ${decision.reason}`;
+    }
+    return `${runtimeName} executed high-risk action ${actionLabel}. Review whether it should stay allowed: ${decision.reason}`;
+}
+function getRuntimeRemediation(decision) {
+    if (decision.decision === 'BLOCK') {
+        return 'Review the blocked workflow, narrow the trigger conditions, or update the custom check only if this behavior is expected.';
+    }
+    if (decision.decision === 'REQUIRES_APPROVAL') {
+        return 'Route this action through an explicit approval path or tighten the triggering conditions so only approved cases reach runtime.';
+    }
+    return 'Review whether this action should become a custom check, approval gate, or stricter runtime control before broader rollout.';
+}
+function fingerprint(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+//# sourceMappingURL=runtime-findings.js.map

package/dist/runtime-findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-findings.js","sourceRoot":"","sources":["../src/runtime-findings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC,MAAM,SAAS,GAAgC;IAC3C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;CACV,CAAC;AAEF,MAAM,UAAU,2BAA2B,CACvC,KAAgB,EAChB,QAA0B,EAC1B,UAAwC,EAAE;IAE1C,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,KAAK,CAAC,SAAS,IAAI,iBAAiB,CAAC;IAChF,MAAM,KAAK,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;IAEvE,OAAO;QACH,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,kBAAkB;QAChD,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,WAAW,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE;QACxE,WAAW,EAAE,WAAW,CACpB;YACI,KAAK,CAAC,SAAS,IAAI,iBAAiB;YACpC,KAAK,CAAC,WAAW;YACjB,WAAW;YACX,KAAK,CAAC,IAAI;YACV,KAAK,CAAC,MAAM;YACZ,QAAQ,CAAC,QAAQ;YACjB,QAAQ,CAAC,MAAM;SAClB,CAAC,IAAI,CAAC,GAAG,CAAC,CACd;QACD,QAAQ,EAAE;YACN,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACpC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW;YACX,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;YAClC,IAAI,EAAE,KAAK,CAAC,IAAI;SACnB;QACD,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC;QAC5C,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;QACtC,OAAO;QACP,KAAK;KACR,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAC9C,MAAqB,EACrB,KAAgB,EAChB,QAA0B,EAC1B,UAAwC,EAAE;IAE1C,MAAM,OAAO,GAAG,2BAA2B,CAAC,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,QAAQ,EAAE,KAAc,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,MAAM,CAAC,cAAc,CAAC;QACxB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,QAAQ,EAAE,CAAC,OAAO,CAAC;QACnB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,SAAS;QACjB,WAAW,EAAE,KAAK,CAAC,WAAW;KACjC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yBAAyB,CACrC,MAAqB,EACrB,UAAwC,EAAE;IAE1C,OAAO;QACH,KAAK,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK;YAC5B,MAAM,4BAA4B,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACzE,CAAC;KACJ,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CACzB,QAA0B,EAC1B,OAAqC;IAErC,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,MAAM,CAAC;IAClD,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,WAAW,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,kBAAkB,CAAC,QAA0B;IAClD,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,UAAU,CAAC;IACtB,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC;IAClB,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;AACxD,CAAC;AAED,SAAS,sBAAsB,CAAC,QAA0B;IACtD,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,iCAAiC,CAAC;IAC7C,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QAC5C,OAAO,kCAAkC,CAAC;IAC9C,CAAC;IAED,OAAO,kCAAkC,CAAC;AAC9C,CAAC;AAED,SAAS,wBAAwB,CAC7B,KAAgB,EAChB,QAA0B,EAC1B,WAAmB;IAEnB,MAAM,WAAW,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;IAEpD,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,GAAG,WAAW,cAAc,WAAW,4BAA4B,QAAQ,CAAC,MAAM,EAAE,CAAC;IAChG,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QAC5C,OAAO,GAAG,WAAW,cAAc,WAAW,mCAAmC,QAAQ,CAAC,MAAM,EAAE,CAAC;IACvG,CAAC;IAED,OAAO,GAAG,WAAW,8BAA8B,WAAW,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC;AAChI,CAAC;AAED,SAAS,qBAAqB,CAAC,QAA0B;IACrD,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,2HAA2H,CAAC;IACvI,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QAC5C,OAAO,gIAAgI,CAAC;IAC5I,CAAC;IAED,OAAO,6HAA6H,CAAC;AACzI,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/types.d.ts

@@ -2,6 +2,8 @@ export type ValenceDecision = 'ALLOW' | 'BLOCK' | 'REQUIRES_APPROVAL';
 export type ValenceRisk = 'LOW' | 'MEDIUM' | 'HIGH';
 export type ValenceEnvironment = 'production' | 'staging' | 'sandbox';
 export type ToolParameters = Record<string, unknown>;
+export type FindingSource = 'LOCAL_SCAN' | 'CI_SCAN' | 'RUNTIME';
+export type FindingSeverity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
 export type ToolEvent = {
     agentId?: string;
     agentName: string;
@@ -24,6 +26,26 @@ export type DecisionResponse = {
     approvalId: string | null;
     latencyMs: number;
 };
+export type ValenceFinding = {
+    category: string;
+    checkId?: string;
+    fingerprint: string;
+    locationLine?: number;
+    locationPath?: string;
+    metadata?: Record<string, unknown>;
+    remediation: string;
+    severity: FindingSeverity;
+    summary: string;
+    title: string;
+};
+export type FindingBatch = {
+    environment?: ValenceEnvironment;
+    findings: ValenceFinding[];
+    metadata?: Record<string, unknown>;
+    projectId: string;
+    source: FindingSource;
+    workspaceId?: string;
+};
 export type ToolExecutionContext = Omit<ToolEvent, 'tool' | 'action' | 'parameters' | 'timestamp'>;
 export type ToolDefinition = {
     tool: string;
@@ -46,6 +68,25 @@ export type ValenceClientOptions = {
     timeoutMs?: number;
     headers?: Record<string, string>;
     decidePath?: string;
+    findingsPath?: string;
     simulatePath?: string;
 };
+export type ValenceLocalScanOptions = {
+    metadata?: Record<string, unknown>;
+    cwd?: string;
+    environment: ValenceEnvironment;
+    projectId: string;
+    workspaceId?: string;
+};
+export type ValenceLocalScanResult = {
+    findings: ValenceFinding[];
+    uploaded: boolean;
+};
+export type ValenceRuntimeFindingOptions = {
+    category?: string;
+    checkId?: string;
+    includeAllowDecisions?: boolean;
+    minimumRisk?: ValenceRisk;
+    serviceName?: string;
+};
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,OAAO,GAAG,mBAAmB,CAAC;AACtE,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AACpD,MAAM,MAAM,kBAAkB,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,CAAC;AACtE,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAErD,MAAM,MAAM,SAAS,GAAG;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,kBAAkB,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,WAAW,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,IAAI,CACnC,SAAS,EACT,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,WAAW,CACjD,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,cAAc,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,oBAAoB,GAAG,cAAc,CAAC;AAEzE,MAAM,MAAM,kBAAkB,CAAC,CAAC,IAAI;IAChC,UAAU,CAAC,EAAE,CACT,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjF,kBAAkB,CAAC,EAAE,CACjB,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,UAAU,CAAC,EAAE,CACT,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,OAAO,KAAK,CAAC;AAExC,MAAM,MAAM,oBAAoB,GAAG;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,OAAO,GAAG,mBAAmB,CAAC;AACtE,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AACpD,MAAM,MAAM,kBAAkB,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,CAAC;AACtE,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACrD,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,CAAC;AACjE,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAErE,MAAM,MAAM,SAAS,GAAG;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,kBAAkB,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC3B,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,WAAW,CAAC;IAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACvB,WAAW,CAAC,EAAE,kBAAkB,CAAC;IACjC,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,aAAa,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,IAAI,CACnC,SAAS,EACT,MAAM,GAAG,QAAQ,GAAG,YAAY,GAAG,WAAW,CACjD,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,cAAc,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,oBAAoB,GAAG,cAAc,CAAC;AAEzE,MAAM,MAAM,kBAAkB,CAAC,CAAC,IAAI;IAChC,UAAU,CAAC,EAAE,CACT,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjF,kBAAkB,CAAC,EAAE,CACjB,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,UAAU,CAAC,EAAE,CACT,MAAM,EAAE,CAAC,EACT,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,SAAS,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,OAAO,KAAK,CAAC;AAExC,MAAM,MAAM,oBAAoB,GAAG;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACjC,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,QAAQ,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,4BAA4B,GAAG;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@valence-ai/sdk",
-  "version": "0.1.0",
-  "description": "Pre-execution policy enforcement SDK for tool-using AI agents.",
+  "version": "0.2.1",
+  "description": "SDK for connecting applications to Valence AI for security issues, runtime signals, and optional runtime review flows.",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/praveensahu-dev/Valence-AI.git",
@@ -41,11 +41,12 @@
   },
   "keywords": [
     "ai",
-    "agent",
     "sdk",
     "security",
-    "tool-calling",
-    "guardrails",
-    "policy"
+    "appsec",
+    "issues",
+    "runtime",
+    "scanner",
+    "guardrails"
   ]
 }