codeslick-cli 1.2.2 → 1.2.4

package/dist/src/lib/security/epss-service.js

@@ -0,0 +1,256 @@
+"use strict";
+/**
+ * EPSS (Exploit Prediction Scoring System) Service
+ *
+ * Fetches exploit prediction scores from FIRST.org EPSS API
+ * Used for smart triage and vulnerability prioritization
+ *
+ * Feature 1 Phase 1 (Q1 2026): Alert Deduplication & AutoTriage
+ *
+ * API: https://api.first.org/data/v1/epss
+ * Docs: https://www.first.org/epss/api
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getEPSSScores = getEPSSScores;
+exports.getEPSSScore = getEPSSScore;
+exports.clearEPSSCache = clearEPSSCache;
+exports.getEPSSCacheStats = getEPSSCacheStats;
+exports.interpretEPSSScore = interpretEPSSScore;
+exports.getEPSSScoresBatch = getEPSSScoresBatch;
+/**
+ * In-memory cache for EPSS scores
+ * TTL: 24 hours (EPSS data updates daily)
+ */
+const epssCache = new Map();
+const CACHE_TTL = 24 * 60 * 60 * 1000; // 24 hours
+/**
+ * Rate limiting: Max 1 request per second to FIRST.org API
+ */
+let lastRequestTime = 0;
+const MIN_REQUEST_INTERVAL = 1000; // 1 second
+/**
+ * Fetch EPSS scores for given CVE IDs
+ *
+ * @param cveIds - Array of CVE IDs (e.g., ["CVE-2021-44228", "CVE-2022-12345"])
+ * @returns Array of EPSS scores (0 if not found or error)
+ */
+async function getEPSSScores(cveIds) {
+    console.log('[EPSS] getEPSSScores called with', cveIds.length, 'CVE IDs:', cveIds);
+    if (!cveIds || cveIds.length === 0) {
+        console.log('[EPSS] No CVE IDs provided, returning empty array');
+        return [];
+    }
+    // Filter out invalid CVE IDs and deduplicate
+    const validCveIds = [...new Set(cveIds.filter(isValidCveId))];
+    console.log('[EPSS] Valid CVE IDs after filtering:', validCveIds);
+    if (validCveIds.length === 0) {
+        console.log('[EPSS] No valid CVE IDs found, returning empty array');
+        return [];
+    }
+    const results = [];
+    const cveIdsToFetch = [];
+    // Check cache first
+    for (const cveId of validCveIds) {
+        const cached = epssCache.get(cveId);
+        if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+            results.push({ ...cached.score, cached: true });
+        }
+        else {
+            cveIdsToFetch.push(cveId);
+        }
+    }
+    // If all results are cached, return immediately
+    if (cveIdsToFetch.length === 0) {
+        return results;
+    }
+    // Fetch from API
+    try {
+        // Rate limiting: wait if needed
+        const now = Date.now();
+        const timeSinceLastRequest = now - lastRequestTime;
+        if (timeSinceLastRequest < MIN_REQUEST_INTERVAL) {
+            await new Promise(resolve => setTimeout(resolve, MIN_REQUEST_INTERVAL - timeSinceLastRequest));
+        }
+        lastRequestTime = Date.now();
+        // FIRST.org EPSS API supports bulk queries
+        // Format: ?cve=CVE-2021-44228,CVE-2022-12345
+        const cveParam = cveIdsToFetch.join(',');
+        const url = `https://api.first.org/data/v1/epss?cve=${encodeURIComponent(cveParam)}`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                'Accept': 'application/json',
+                'User-Agent': 'CodeSlick/1.0 (Security Analysis Tool)',
+            },
+            // 10 second timeout
+            signal: AbortSignal.timeout(10000),
+        });
+        if (!response.ok) {
+            console.warn(`[EPSS] API returned ${response.status}: ${response.statusText}`);
+            // Return default scores for unfetched CVEs
+            return [
+                ...results,
+                ...cveIdsToFetch.map(cveId => createDefaultScore(cveId)),
+            ];
+        }
+        const data = await response.json();
+        if (data.status !== 'OK') {
+            console.warn(`[EPSS] API status: ${data.status}`);
+            return [
+                ...results,
+                ...cveIdsToFetch.map(cveId => createDefaultScore(cveId)),
+            ];
+        }
+        // Parse and cache results
+        for (const item of data.data) {
+            const score = {
+                cve: item.cve,
+                epssScore: parseFloat(item.epss),
+                percentile: parseFloat(item.percentile),
+                date: item.date,
+                cached: false,
+            };
+            // Cache the result
+            epssCache.set(item.cve, {
+                score,
+                timestamp: Date.now(),
+            });
+            results.push(score);
+        }
+        // Add default scores for CVEs not found in API response
+        const foundCves = new Set(data.data.map(item => item.cve.toUpperCase()));
+        for (const cveId of cveIdsToFetch) {
+            if (!foundCves.has(cveId.toUpperCase())) {
+                const defaultScore = createDefaultScore(cveId);
+                // Cache default score (shorter TTL)
+                epssCache.set(cveId, {
+                    score: defaultScore,
+                    timestamp: Date.now(),
+                });
+                results.push(defaultScore);
+            }
+        }
+        return results;
+    }
+    catch (error) {
+        console.error('[EPSS] Error fetching scores:', error);
+        // Return default scores on error
+        return [
+            ...results,
+            ...cveIdsToFetch.map(cveId => createDefaultScore(cveId)),
+        ];
+    }
+}
+/**
+ * Fetch EPSS score for a single CVE
+ *
+ * @param cveId - CVE ID (e.g., "CVE-2021-44228")
+ * @returns EPSS score or null if not found
+ */
+async function getEPSSScore(cveId) {
+    const scores = await getEPSSScores([cveId]);
+    return scores.length > 0 ? scores[0] : null;
+}
+/**
+ * Validate CVE ID format
+ *
+ * @param cveId - CVE ID to validate
+ * @returns true if valid format
+ */
+function isValidCveId(cveId) {
+    if (!cveId || typeof cveId !== 'string') {
+        return false;
+    }
+    // CVE format: CVE-YYYY-NNNNN (year can be 1999-2999, number can be 1-99999)
+    return /^CVE-\d{4}-\d{1,7}$/i.test(cveId.trim());
+}
+/**
+ * Create default EPSS score for CVEs not found in API
+ *
+ * @param cveId - CVE ID
+ * @returns Default EPSS score (0.0)
+ */
+function createDefaultScore(cveId) {
+    return {
+        cve: cveId,
+        epssScore: 0.0, // Assume low exploit probability if not in EPSS database
+        percentile: 0.0,
+        date: new Date().toISOString().split('T')[0],
+        cached: false,
+    };
+}
+/**
+ * Clear EPSS cache (useful for testing or manual refresh)
+ */
+function clearEPSSCache() {
+    epssCache.clear();
+    console.log('[EPSS] Cache cleared');
+}
+/**
+ * Get cache statistics
+ */
+function getEPSSCacheStats() {
+    let oldestTimestamp = null;
+    for (const entry of epssCache.values()) {
+        if (oldestTimestamp === null || entry.timestamp < oldestTimestamp) {
+            oldestTimestamp = entry.timestamp;
+        }
+    }
+    return {
+        size: epssCache.size,
+        oldestEntry: oldestTimestamp,
+    };
+}
+/**
+ * Interpret EPSS score for human-readable risk level
+ *
+ * @param epssScore - EPSS score (0.0-1.0)
+ * @returns Human-readable risk level
+ */
+function interpretEPSSScore(epssScore) {
+    if (epssScore >= 0.7) {
+        return {
+            risk: 'critical',
+            description: 'Very high probability of exploitation (top 30% of all CVEs)',
+        };
+    }
+    else if (epssScore >= 0.3) {
+        return {
+            risk: 'high',
+            description: 'High probability of exploitation',
+        };
+    }
+    else if (epssScore >= 0.1) {
+        return {
+            risk: 'medium',
+            description: 'Moderate probability of exploitation',
+        };
+    }
+    else {
+        return {
+            risk: 'low',
+            description: 'Low probability of exploitation',
+        };
+    }
+}
+/**
+ * Batch fetch EPSS scores with chunking for large CVE lists
+ * FIRST.org API supports up to 100 CVEs per request
+ *
+ * @param cveIds - Array of CVE IDs
+ * @param chunkSize - Number of CVEs per API call (default: 50)
+ * @returns Array of EPSS scores
+ */
+async function getEPSSScoresBatch(cveIds, chunkSize = 50) {
+    const chunks = [];
+    for (let i = 0; i < cveIds.length; i += chunkSize) {
+        chunks.push(cveIds.slice(i, i + chunkSize));
+    }
+    const allScores = [];
+    for (const chunk of chunks) {
+        const scores = await getEPSSScores(chunk);
+        allScores.push(...scores);
+    }
+    return allScores;
+}
+//# sourceMappingURL=epss-service.js.map

package/dist/src/lib/security/epss-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"epss-service.js","sourceRoot":"","sources":["../../../../../../src/lib/security/epss-service.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AA+CH,sCA2HC;AAQD,oCAGC;AAmCD,wCAGC;AAKD,8CAaC;AAQD,gDAyBC;AAUD,gDAgBC;AA5QD;;;GAGG;AACH,MAAM,SAAS,GAAG,IAAI,GAAG,EAAmD,CAAC;AAC7E,MAAM,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAElD;;GAEG;AACH,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,MAAM,oBAAoB,GAAG,IAAI,CAAC,CAAC,WAAW;AAE9C;;;;;GAKG;AACI,KAAK,UAAU,aAAa,CAAC,MAAgB;IAClD,OAAO,CAAC,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IAEnF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;QACjE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,6CAA6C;IAC7C,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAE9D,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,WAAW,CAAC,CAAC;IAElE,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,oBAAoB;IACpB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,SAAS,EAAE,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC;QACH,gCAAgC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,oBAAoB,GAAG,GAAG,GAAG,eAAe,CAAC;QACnD,IAAI,oBAAoB,GAAG,oBAAoB,EAAE,CAAC;YAChD,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,oBAAoB,GAAG,oBAAoB,CAAC,CAAC,CAAC;QACjG,CAAC;QACD,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,2CAA2C;QAC3C,6CAA6C;QAC7C,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,0CAA0C,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAErF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,QAAQ,EAAE,kBAAkB;gBAC5B,YAAY,EAAE,wCAAwC;aACvD;YACD,oBAAoB;YACpB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YAC/E,2CAA2C;YAC3C,OAAO;gBACL,GAAG,OAAO;gBACV,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;aACzD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAkB,CAAC;QAEnD,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,OAAO;gBACL,GAAG,OAAO;gBACV,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;aACzD,CAAC;QACJ,CAAC;QAED,0BAA0B;QAC1B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAc;gBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,SAAS,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChC,UAAU,EAAE,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC;gBACvC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM,EAAE,KAAK;aACd,CAAC;YAEF,mBAAmB;YACnB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE;gBACtB,KAAK;gBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,wDAAwD;QACxD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QACzE,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACxC,MAAM,YAAY,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;gBAC/C,oCAAoC;gBACpC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE;oBACnB,KAAK,EAAE,YAAY;oBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IAEjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;QACtD,iCAAiC;QACjC,OAAO;YACL,GAAG,OAAO;YACV,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;SACzD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,YAAY,CAAC,KAAa;IAC9C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,4EAA4E;IAC5E,OAAO,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO;QACL,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,GAAG,EAAE,yDAAyD;QACzE,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc;IAC5B,SAAS,CAAC,KAAK,EAAE,CAAC;IAClB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB;IAC/B,IAAI,eAAe,GAAkB,IAAI,CAAC;IAE1C,KAAK,MAAM,KAAK,IAAI,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;QACvC,IAAI,eAAe,KAAK,IAAI,IAAI,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,CAAC;YAClE,eAAe,GAAG,KAAK,CAAC,SAAS,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,IAAI;QACpB,WAAW,EAAE,eAAe;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kBAAkB,CAAC,SAAiB;IAIlD,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;QACrB,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,WAAW,EAAE,6DAA6D;SAC3E,CAAC;IACJ,CAAC;SAAM,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,WAAW,EAAE,kCAAkC;SAChD,CAAC;IACJ,CAAC;SAAM,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sCAAsC;SACpD,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,OAAO;YACL,IAAI,EAAE,KAAK;YACX,WAAW,EAAE,iCAAiC;SAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAgB,EAChB,YAAoB,EAAE;IAEtB,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QAC1C,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/src/lib/security/threshold-evaluator.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Threshold Evaluator - Pass/Fail Security Gates
+ *
+ * Evaluates whether analysis results meet configured security thresholds.
+ * Used by:
+ * - GitHub PR checks (block merges)
+ * - CLI scans (exit codes)
+ * - Team dashboard (preview feature)
+ *
+ * Winter Roadmap WR2: Pass/Fail Thresholds
+ */
+import type { AggregatedResults } from '../github/types';
+/**
+ * Threshold configuration (from team settings)
+ */
+export interface ThresholdConfig {
+    enabled: boolean;
+    blockOnCritical: boolean;
+    blockOnHigh: boolean;
+    maxVulnerabilities: number;
+    maxEpss: number;
+    exemptPaths: string[];
+    failureMessage?: string;
+}
+/**
+ * Threshold evaluation result
+ */
+export interface ThresholdResult {
+    passed: boolean;
+    reason: string;
+    blockedBy: 'critical' | 'high' | 'count' | 'epss' | null;
+    vulnerabilityCount: number;
+    criticalCount: number;
+    highCount: number;
+    maxEpssFound: number;
+    exemptedCount: number;
+}
+/**
+ * Default threshold configuration
+ */
+export declare const DEFAULT_THRESHOLD_CONFIG: ThresholdConfig;
+/**
+ * Evaluate security thresholds against analysis results
+ *
+ * @param results - Aggregated analysis results
+ * @param config - Threshold configuration
+ * @returns Threshold evaluation result
+ *
+ * @example
+ * const result = evaluateThresholds(analysisResults, {
+ *   enabled: true,
+ *   blockOnCritical: true,
+ *   blockOnHigh: false,
+ *   maxVulnerabilities: 10,
+ *   maxEpss: 70,
+ *   exemptPaths: ['/test/ **', '** /*.test.ts'] // (remove spaces)
+ * });
+ *
+ * if (!result.passed) {
+ *   console.log('Threshold failed:', result.reason);
+ *   process.exit(1);
+ * }
+ */
+export declare function evaluateThresholds(results: AggregatedResults, config: ThresholdConfig): ThresholdResult;
+/**
+ * Format threshold result as GitHub status message (140 char limit)
+ */
+export declare function formatGitHubStatusMessage(result: ThresholdResult, customMessage?: string): string;
+/**
+ * Format threshold result for CLI output
+ */
+export declare function formatCLIOutput(result: ThresholdResult): string;
+//# sourceMappingURL=threshold-evaluator.d.ts.map

package/dist/src/lib/security/threshold-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threshold-evaluator.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/security/threshold-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,OAAO,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC;IACzD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,eAOtC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,iBAAiB,EAC1B,MAAM,EAAE,eAAe,GACtB,eAAe,CAqEjB;AA0GD;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,CASjG;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAqB/D"}

package/dist/src/lib/security/threshold-evaluator.js

@@ -0,0 +1,234 @@
+"use strict";
+/**
+ * Threshold Evaluator - Pass/Fail Security Gates
+ *
+ * Evaluates whether analysis results meet configured security thresholds.
+ * Used by:
+ * - GitHub PR checks (block merges)
+ * - CLI scans (exit codes)
+ * - Team dashboard (preview feature)
+ *
+ * Winter Roadmap WR2: Pass/Fail Thresholds
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_THRESHOLD_CONFIG = void 0;
+exports.evaluateThresholds = evaluateThresholds;
+exports.formatGitHubStatusMessage = formatGitHubStatusMessage;
+exports.formatCLIOutput = formatCLIOutput;
+const minimatch_1 = require("minimatch");
+/**
+ * Default threshold configuration
+ */
+exports.DEFAULT_THRESHOLD_CONFIG = {
+    enabled: false,
+    blockOnCritical: true,
+    blockOnHigh: false,
+    maxVulnerabilities: 50,
+    maxEpss: 70, // 70%
+    exemptPaths: [],
+};
+/**
+ * Evaluate security thresholds against analysis results
+ *
+ * @param results - Aggregated analysis results
+ * @param config - Threshold configuration
+ * @returns Threshold evaluation result
+ *
+ * @example
+ * const result = evaluateThresholds(analysisResults, {
+ *   enabled: true,
+ *   blockOnCritical: true,
+ *   blockOnHigh: false,
+ *   maxVulnerabilities: 10,
+ *   maxEpss: 70,
+ *   exemptPaths: ['/test/ **', '** /*.test.ts'] // (remove spaces)
+ * });
+ *
+ * if (!result.passed) {
+ *   console.log('Threshold failed:', result.reason);
+ *   process.exit(1);
+ * }
+ */
+function evaluateThresholds(results, config) {
+    // If thresholds disabled, always pass
+    if (!config.enabled) {
+        return {
+            passed: true,
+            reason: 'Thresholds disabled',
+            blockedBy: null,
+            vulnerabilityCount: results.totalVulnerabilities,
+            criticalCount: results.criticalCount,
+            highCount: results.highCount,
+            maxEpssFound: 0,
+            exemptedCount: 0,
+        };
+    }
+    // Filter vulnerabilities by exempt paths
+    const { filteredResults, exemptedCount } = filterExemptPaths(results, config.exemptPaths);
+    // Calculate max EPSS score found
+    const maxEpssFound = calculateMaxEpss(filteredResults);
+    // Build result object
+    const result = {
+        passed: true,
+        reason: '',
+        blockedBy: null,
+        vulnerabilityCount: filteredResults.totalVulnerabilities,
+        criticalCount: filteredResults.criticalCount,
+        highCount: filteredResults.highCount,
+        maxEpssFound,
+        exemptedCount,
+    };
+    // Check 1: Block on critical
+    if (config.blockOnCritical && filteredResults.criticalCount > 0) {
+        result.passed = false;
+        result.blockedBy = 'critical';
+        result.reason = `${filteredResults.criticalCount} critical vulnerabilit${filteredResults.criticalCount !== 1 ? 'ies' : 'y'} found`;
+        return result;
+    }
+    // Check 2: Block on high
+    if (config.blockOnHigh && filteredResults.highCount > 0) {
+        result.passed = false;
+        result.blockedBy = 'high';
+        result.reason = `${filteredResults.highCount} high priority vulnerabilit${filteredResults.highCount !== 1 ? 'ies' : 'y'} found`;
+        return result;
+    }
+    // Check 3: Max vulnerability count
+    if (config.maxVulnerabilities > 0 && filteredResults.totalVulnerabilities > config.maxVulnerabilities) {
+        result.passed = false;
+        result.blockedBy = 'count';
+        result.reason = `${filteredResults.totalVulnerabilities} vulnerabilities exceed limit of ${config.maxVulnerabilities}`;
+        return result;
+    }
+    // Check 4: EPSS threshold
+    if (config.maxEpss > 0 && maxEpssFound > config.maxEpss / 100) {
+        result.passed = false;
+        result.blockedBy = 'epss';
+        result.reason = `EPSS ${(maxEpssFound * 100).toFixed(1)}% exceeds threshold of ${config.maxEpss}%`;
+        return result;
+    }
+    // All checks passed
+    result.passed = true;
+    result.reason = formatPassReason(filteredResults);
+    return result;
+}
+/**
+ * Filter vulnerabilities by exempt paths (glob patterns)
+ */
+function filterExemptPaths(results, exemptPaths) {
+    // If no exempt paths, return original results
+    if (!exemptPaths || exemptPaths.length === 0) {
+        return { filteredResults: results, exemptedCount: 0 };
+    }
+    let exemptedCount = 0;
+    let criticalCount = 0;
+    let highCount = 0;
+    let mediumCount = 0;
+    let lowCount = 0;
+    // Filter file results
+    const filteredFileResults = results.fileResults.map(fileResult => {
+        const filteredVulnerabilities = fileResult.vulnerabilities.filter(vuln => {
+            // Check if file matches any exempt pattern
+            const isExempt = exemptPaths.some(pattern => (0, minimatch_1.minimatch)(fileResult.filename, pattern, { matchBase: true }));
+            if (isExempt) {
+                exemptedCount++;
+                return false; // Skip this vulnerability
+            }
+            // Count by severity
+            switch (vuln.severity) {
+                case 'critical':
+                    criticalCount++;
+                    break;
+                case 'high':
+                    highCount++;
+                    break;
+                case 'medium':
+                    mediumCount++;
+                    break;
+                case 'low':
+                    lowCount++;
+                    break;
+            }
+            return true; // Include this vulnerability
+        });
+        return {
+            ...fileResult,
+            vulnerabilities: filteredVulnerabilities,
+        };
+    });
+    // Build filtered results
+    const filteredResults = {
+        ...results,
+        fileResults: filteredFileResults,
+        totalVulnerabilities: criticalCount + highCount + mediumCount + lowCount,
+        criticalCount,
+        highCount,
+        mediumCount,
+        lowCount,
+    };
+    return { filteredResults, exemptedCount };
+}
+/**
+ * Calculate maximum EPSS score from all vulnerabilities
+ */
+function calculateMaxEpss(results) {
+    let maxEpss = 0;
+    for (const fileResult of results.fileResults) {
+        for (const vuln of fileResult.vulnerabilities) {
+            if (vuln.epssScore !== undefined && vuln.epssScore > maxEpss) {
+                maxEpss = vuln.epssScore;
+            }
+        }
+    }
+    return maxEpss;
+}
+/**
+ * Format pass reason (summary of results)
+ */
+function formatPassReason(results) {
+    if (results.totalVulnerabilities === 0) {
+        return 'No security vulnerabilities found';
+    }
+    const parts = [];
+    if (results.criticalCount > 0)
+        parts.push(`${results.criticalCount} critical`);
+    if (results.highCount > 0)
+        parts.push(`${results.highCount} high`);
+    if (results.mediumCount > 0)
+        parts.push(`${results.mediumCount} medium`);
+    if (results.lowCount > 0)
+        parts.push(`${results.lowCount} low`);
+    return `${results.totalVulnerabilities} vulnerabilities found (${parts.join(', ')})`;
+}
+/**
+ * Format threshold result as GitHub status message (140 char limit)
+ */
+function formatGitHubStatusMessage(result, customMessage) {
+    if (!result.passed && customMessage) {
+        return customMessage.substring(0, 140);
+    }
+    const prefix = result.passed ? '✅' : '❌';
+    const message = `${prefix} ${result.reason}`;
+    return message.substring(0, 140);
+}
+/**
+ * Format threshold result for CLI output
+ */
+function formatCLIOutput(result) {
+    if (result.passed) {
+        return `\n✅ THRESHOLD PASSED\n${result.reason}\n`;
+    }
+    let output = `\n❌ THRESHOLD FAILED\n`;
+    output += `Reason: ${result.reason}\n`;
+    output += `\nVulnerabilities (after exemptions):\n`;
+    output += `  Critical: ${result.criticalCount}\n`;
+    output += `  High: ${result.highCount}\n`;
+    output += `  Total: ${result.vulnerabilityCount}\n`;
+    if (result.exemptedCount > 0) {
+        output += `\nExempted: ${result.exemptedCount} vulnerabilities in exempt paths\n`;
+    }
+    if (result.maxEpssFound > 0) {
+        output += `Max EPSS: ${(result.maxEpssFound * 100).toFixed(1)}%\n`;
+    }
+    return output;
+}
+//# sourceMappingURL=threshold-evaluator.js.map

package/dist/src/lib/security/threshold-evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"threshold-evaluator.js","sourceRoot":"","sources":["../../../../../../src/lib/security/threshold-evaluator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAkEH,gDAwEC;AA6GD,8DASC;AAKD,0CAqBC;AAxRD,yCAAsC;AA8BtC;;GAEG;AACU,QAAA,wBAAwB,GAAoB;IACvD,OAAO,EAAE,KAAK;IACd,eAAe,EAAE,IAAI;IACrB,WAAW,EAAE,KAAK;IAClB,kBAAkB,EAAE,EAAE;IACtB,OAAO,EAAE,EAAE,EAAE,MAAM;IACnB,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,kBAAkB,CAChC,OAA0B,EAC1B,MAAuB;IAEvB,sCAAsC;IACtC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,qBAAqB;YAC7B,SAAS,EAAE,IAAI;YACf,kBAAkB,EAAE,OAAO,CAAC,oBAAoB;YAChD,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,YAAY,EAAE,CAAC;YACf,aAAa,EAAE,CAAC;SACjB,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,EAAE,eAAe,EAAE,aAAa,EAAE,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAE1F,iCAAiC;IACjC,MAAM,YAAY,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;IAEvD,sBAAsB;IACtB,MAAM,MAAM,GAAoB;QAC9B,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,EAAE;QACV,SAAS,EAAE,IAAI;QACf,kBAAkB,EAAE,eAAe,CAAC,oBAAoB;QACxD,aAAa,EAAE,eAAe,CAAC,aAAa;QAC5C,SAAS,EAAE,eAAe,CAAC,SAAS;QACpC,YAAY;QACZ,aAAa;KACd,CAAC;IAEF,6BAA6B;IAC7B,IAAI,MAAM,CAAC,eAAe,IAAI,eAAe,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;QAC9B,MAAM,CAAC,MAAM,GAAG,GAAG,eAAe,CAAC,aAAa,yBAAyB,eAAe,CAAC,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;QACnI,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yBAAyB;IACzB,IAAI,MAAM,CAAC,WAAW,IAAI,eAAe,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;QAC1B,MAAM,CAAC,MAAM,GAAG,GAAG,eAAe,CAAC,SAAS,8BAA8B,eAAe,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;QAChI,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,kBAAkB,GAAG,CAAC,IAAI,eAAe,CAAC,oBAAoB,GAAG,MAAM,CAAC,kBAAkB,EAAE,CAAC;QACtG,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC;QAC3B,MAAM,CAAC,MAAM,GAAG,GAAG,eAAe,CAAC,oBAAoB,oCAAoC,MAAM,CAAC,kBAAkB,EAAE,CAAC;QACvH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,IAAI,YAAY,GAAG,MAAM,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;QAC9D,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;QACtB,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;QAC1B,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,YAAY,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,0BAA0B,MAAM,CAAC,OAAO,GAAG,CAAC;QACnG,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,oBAAoB;IACpB,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,CAAC,MAAM,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;IAClD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,OAA0B,EAC1B,WAAqB;IAErB,8CAA8C;IAC9C,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,sBAAsB;IACtB,MAAM,mBAAmB,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE;QAC/D,MAAM,uBAAuB,GAAG,UAAU,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YACvE,2CAA2C;YAC3C,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAC1C,IAAA,qBAAS,EAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAC7D,CAAC;YAEF,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,EAAE,CAAC;gBAChB,OAAO,KAAK,CAAC,CAAC,0BAA0B;YAC1C,CAAC;YAED,oBAAoB;YACpB,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtB,KAAK,UAAU;oBACb,aAAa,EAAE,CAAC;oBAChB,MAAM;gBACR,KAAK,MAAM;oBACT,SAAS,EAAE,CAAC;oBACZ,MAAM;gBACR,KAAK,QAAQ;oBACX,WAAW,EAAE,CAAC;oBACd,MAAM;gBACR,KAAK,KAAK;oBACR,QAAQ,EAAE,CAAC;oBACX,MAAM;YACV,CAAC;YAED,OAAO,IAAI,CAAC,CAAC,6BAA6B;QAC5C,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,GAAG,UAAU;YACb,eAAe,EAAE,uBAAuB;SACzC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,yBAAyB;IACzB,MAAM,eAAe,GAAsB;QACzC,GAAG,OAAO;QACV,WAAW,EAAE,mBAAmB;QAChC,oBAAoB,EAAE,aAAa,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ;QACxE,aAAa;QACb,SAAS;QACT,WAAW;QACX,QAAQ;KACT,CAAC;IAEF,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAA0B;IAClD,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;YAC9C,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,SAAS,GAAG,OAAO,EAAE,CAAC;gBAC7D,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAA0B;IAClD,IAAI,OAAO,CAAC,oBAAoB,KAAK,CAAC,EAAE,CAAC;QACvC,OAAO,mCAAmC,CAAC;IAC7C,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,aAAa,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,aAAa,WAAW,CAAC,CAAC;IAC/E,IAAI,OAAO,CAAC,SAAS,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,SAAS,OAAO,CAAC,CAAC;IACnE,IAAI,OAAO,CAAC,WAAW,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,WAAW,SAAS,CAAC,CAAC;IACzE,IAAI,OAAO,CAAC,QAAQ,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,MAAM,CAAC,CAAC;IAEhE,OAAO,GAAG,OAAO,CAAC,oBAAoB,2BAA2B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AACvF,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CAAC,MAAuB,EAAE,aAAsB;IACvF,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,aAAa,EAAE,CAAC;QACpC,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;IAE7C,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,MAAuB;IACrD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,yBAAyB,MAAM,CAAC,MAAM,IAAI,CAAC;IACpD,CAAC;IAED,IAAI,MAAM,GAAG,wBAAwB,CAAC;IACtC,MAAM,IAAI,WAAW,MAAM,CAAC,MAAM,IAAI,CAAC;IACvC,MAAM,IAAI,yCAAyC,CAAC;IACpD,MAAM,IAAI,eAAe,MAAM,CAAC,aAAa,IAAI,CAAC;IAClD,MAAM,IAAI,WAAW,MAAM,CAAC,SAAS,IAAI,CAAC;IAC1C,MAAM,IAAI,YAAY,MAAM,CAAC,kBAAkB,IAAI,CAAC;IAEpD,IAAI,MAAM,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,MAAM,CAAC,aAAa,oCAAoC,CAAC;IACpF,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,YAAY,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IACrE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/src/lib/security/triage-service.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Smart Triage Service
+ *
+ * Computes priority scores for security issues using multiple signals:
+ * - CVSS Score (base severity)
+ * - EPSS Score (exploit prediction)
+ * - OWASP Category (criticality weight)
+ * - Environment Context (production vs dev)
+ *
+ * Feature 1 Phase 1 (Q1 2026): Alert Deduplication & AutoTriage
+ *
+ * Priority Formula:
+ * priority = cvss * 0.5 + epss * 0.3 + owasp_weight * 0.2
+ */
+import { SecurityVulnerability } from '../analyzers/types';
+/**
+ * Environment context for triage
+ * Production issues get higher priority
+ */
+export interface EnvironmentContext {
+    isProduction?: boolean;
+    hasPublicExposure?: boolean;
+    hasSensitiveData?: boolean;
+}
+/**
+ * Triage configuration
+ */
+export interface TriageConfig {
+    cvssWeight?: number;
+    epssWeight?: number;
+    owaspWeight?: number;
+    environmentContext?: EnvironmentContext;
+}
+/**
+ * Triage result with priority and reasoning
+ */
+export interface TriageResult {
+    issue: SecurityVulnerability;
+    priorityScore: number;
+    priority: 'critical' | 'high' | 'medium' | 'low' | 'info';
+    triageReason: string;
+    epssScore?: number;
+}
+/**
+ * Triage multiple security issues with smart prioritization
+ *
+ * @param issues - Array of security issues to triage
+ * @param config - Triage configuration
+ * @returns Array of triage results sorted by priority (highest first)
+ */
+export declare function triageSecurityIssues(issues: SecurityVulnerability[], config?: TriageConfig): Promise<TriageResult[]>;
+/**
+ * Get triage statistics for a set of results
+ *
+ * @param results - Triage results
+ * @returns Triage statistics
+ */
+export declare function getTriageStats(results: TriageResult[]): {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    info: number;
+    withEPSS: number;
+    averagePriority: number;
+};
+/**
+ * Filter triage results by minimum priority level
+ *
+ * @param results - Triage results
+ * @param minPriority - Minimum priority level ('critical' | 'high' | 'medium' | 'low')
+ * @returns Filtered results
+ */
+export declare function filterByPriority(results: TriageResult[], minPriority: 'critical' | 'high' | 'medium' | 'low'): TriageResult[];
+//# sourceMappingURL=triage-service.d.ts.map

package/dist/src/lib/security/triage-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"triage-service.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/security/triage-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AA4B3D;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,qBAAqB,CAAC;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAkOD;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAAE,EAC/B,MAAM,GAAE,YAAiB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CA6CzB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG;IACvD,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;CACzB,CAyBA;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,YAAY,EAAE,EACvB,WAAW,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAClD,YAAY,EAAE,CAKhB"}