depsentinel 0.1.2

package/dist/core/doctor-checks.js

@@ -0,0 +1,206 @@
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import path from "node:path";
+function readJsonSafe(filePath, fallback) {
+    try {
+        return JSON.parse(readFileSync(filePath, "utf8"));
+    }
+    catch {
+        return fallback;
+    }
+}
+function pass(id, category, title) {
+    return {
+        id,
+        category,
+        severity: "low",
+        status: "pass",
+        title,
+        detail: title,
+        remediation: "",
+        automated: true
+    };
+}
+function fail(id, category, severity, title, detail, remediation, automated = true) {
+    return { id, category, severity, status: "fail", title, detail, remediation, automated };
+}
+function skip(id, category, title, detail, remediation) {
+    return { id, category, severity: "low", status: "skipped", title, detail, remediation, automated: false };
+}
+export function collectDiagnoses(rootDir, facts) {
+    return [
+        checkNpmRc(rootDir),
+        checkNpmIgnore(rootDir),
+        checkPackageJsonFiles(rootDir),
+        checkPnpmWorkspace(rootDir, facts),
+        checkBunfig(rootDir, facts),
+        checkYarnRc(rootDir, facts),
+        checkLockfileCommitted(rootDir),
+        checkCiProvenance(rootDir),
+        checkLintLockfile(rootDir),
+        checkSbomScript(rootDir),
+        checkEnvPlaintext(rootDir),
+        checkNpxHardening(),
+        checkNpm2fa(),
+        checkDevContainer(rootDir),
+        checkNodeModulesGitignored(rootDir)
+    ];
+}
+function checkNpmRc(rootDir) {
+    const npmrc = path.join(rootDir, ".npmrc");
+    if (!existsSync(npmrc))
+        return fail("config.npmrc.missing", "config", "high", "Missing .npmrc security baseline", "No .npmrc found in project root.", "Run `depsentinel init` to generate a secure .npmrc baseline.");
+    const content = readFileSync(npmrc, "utf8");
+    const missing = [];
+    if (!content.includes("ignore-scripts=true"))
+        missing.push("ignore-scripts=true");
+    if (!content.includes("allow-git=none"))
+        missing.push("allow-git=none");
+    if (!content.includes("min-release-age"))
+        missing.push("min-release-age");
+    if (missing.length === 0)
+        return pass("config.npmrc.secure", "config", ".npmrc has secure baseline");
+    return fail("config.npmrc.incomplete", "config", "medium", `.npmrc missing: ${missing.join(", ")}`, "Your .npmrc lacks key security settings.", "Run `depsentinel init` to regenerate .npmrc.");
+}
+function checkNpmIgnore(rootDir) {
+    if (existsSync(path.join(rootDir, ".npmignore")))
+        return pass("config.npmignore.present", "config", ".npmignore present");
+    return fail("config.npmignore.missing", "config", "medium", "Missing .npmignore", "Without .npmignore, sensitive files may leak into published packages.", "Add a .npmignore file listing patterns to exclude from npm publish.");
+}
+function checkPackageJsonFiles(rootDir) {
+    const pkg = path.join(rootDir, "package.json");
+    if (!existsSync(pkg))
+        return skip("config.package-json.missing", "config", "No package.json found", "Cannot evaluate package.json settings.", "Ensure package.json exists.");
+    const parsed = readJsonSafe(pkg, { files: undefined, private: undefined });
+    if (parsed.private)
+        return pass("config.package-json.files-private", "config", "Private package (no publish risk)");
+    if (parsed.files && parsed.files.length > 0)
+        return pass("config.package-json.files-present", "config", "package.json has `files` allowlist");
+    return fail("config.package-json.files-missing", "config", "medium", "Missing `files` field in package.json", "Without `files`, npm publishes everything not excluded by .npmignore/.gitignore.", "Add a `files` array to package.json with only the dist/ entry point you want published.");
+}
+function checkPnpmWorkspace(rootDir, facts) {
+    const wsPath = path.join(rootDir, "pnpm-workspace.yaml");
+    if (!existsSync(wsPath)) {
+        if (facts.packageManager === "pnpm")
+            return fail("config.pnpm-workspace.missing", "config", "high", "pnpm workspace without security hardening", "pnpm is detected but pnpm-workspace.yaml is missing or lacks security settings.", "Run `depsentinel init --preset expo` or copy the security baseline into your pnpm-workspace.yaml.");
+        return skip("config.pnpm-workspace.non-pnpm", "config", "Not a pnpm project", "pnpm-workspace.yaml only applies to pnpm projects.", "No action needed unless you switch to pnpm.");
+    }
+    const content = readFileSync(wsPath, "utf8");
+    const missing = [];
+    if (!content.includes("minimumReleaseAge"))
+        missing.push("minimumReleaseAge");
+    if (!content.includes("trustPolicy"))
+        missing.push("trustPolicy: no-downgrade");
+    if (!content.includes("blockExoticSubdeps: true"))
+        missing.push("blockExoticSubdeps: true");
+    if (!content.includes("strictDepBuilds: true"))
+        missing.push("strictDepBuilds: true");
+    if (missing.length === 0)
+        return pass("config.pnpm-workspace.secure", "config", "pnpm-workspace.yaml has security baseline");
+    return fail("config.pnpm-workspace.incomplete", "config", "high", `pnpm-workspace.yaml missing: ${missing.join(", ")}`, "Your pnpm workspace lacks key security settings.", "Add the missing settings. Run `depsentinel init --preset expo` to see the baseline.");
+}
+function checkBunfig(rootDir, facts) {
+    if (facts.packageManager !== "bun")
+        return skip("config.bunfig.non-bun", "config", "Not a Bun project", "bunfig.toml only applies to Bun projects.", "No action needed unless you switch to Bun.");
+    const bunfigPath = path.join(rootDir, "bunfig.toml");
+    if (!existsSync(bunfigPath))
+        return fail("config.bunfig.missing", "config", "medium", "Bun project without bunfig.toml hardening", "Add a bunfig.toml with minimumReleaseAge and trustedDependencies.", "Create bunfig.toml with [install] section containing minimumReleaseAge and trustedDependencies.");
+    const content = readFileSync(bunfigPath, "utf8");
+    if (!content.includes("minimumReleaseAge"))
+        return fail("config.bunfig.no-cooldown", "config", "medium", "bunfig.toml missing minimumReleaseAge", "Bun has no cooldown configured for fresh packages.", "Add `minimumReleaseAge = 259200` to [install] section.");
+    return pass("config.bunfig.secure", "config", "bunfig.toml has security baseline");
+}
+function checkYarnRc(rootDir, facts) {
+    if (facts.packageManager !== "yarn")
+        return skip("config.yarnrc.non-yarn", "config", "Not a Yarn project", ".yarnrc.yml only applies to Yarn projects.", "No action needed.");
+    const yarnrcPath = path.join(rootDir, ".yarnrc.yml");
+    if (!existsSync(yarnrcPath))
+        return fail("config.yarnrc.missing", "config", "medium", "Yarn project without .yarnrc.yml hardening", "Yarn detected but no .yarnrc.yml or npmMinimalAgeGate.", "Create .yarnrc.yml with `npmMinimalAgeGate: \"3d\"`.");
+    const content = readFileSync(yarnrcPath, "utf8");
+    if (!content.includes("npmMinimalAgeGate"))
+        return fail("config.yarnrc.no-cooldown", "config", "medium", ".yarnrc.yml missing npmMinimalAgeGate", "Yarn has no cooldown for fresh packages.", "Add `npmMinimalAgeGate: \"3d\"` to .yarnrc.yml.");
+    return pass("config.yarnrc.secure", "config", ".yarnrc.yml has security baseline");
+}
+function checkLockfileCommitted(rootDir) {
+    const gitDir = path.join(rootDir, ".git");
+    if (!existsSync(gitDir))
+        return skip("ci.lockfile-committed.no-git", "ci", "Not a git repository", "Cannot check lockfile commit status without git.", "Initialize a git repository and commit your lockfile.");
+    const lockfile = path.join(rootDir, "package-lock.json");
+    if (!existsSync(lockfile))
+        return skip("ci.lockfile-committed.no-lockfile", "ci", "No lockfile to check", "No lockfile found to verify commit status.", "Generate a lockfile with `npm install` and commit it.");
+    return skip("ci.lockfile-committed.manual", "ci", "Verify lockfile committed", "Use `git ls-files package-lock.json` to confirm your lockfile is committed.", "Run `git add package-lock.json && git commit -m \"chore: add lockfile\"`.");
+}
+function checkCiProvenance(rootDir) {
+    const workflowsDir = path.join(rootDir, ".github", "workflows");
+    if (!existsSync(workflowsDir))
+        return fail("ci.provenance.no-workflows", "ci", "medium", "No GitHub Actions workflows found", "Cannot verify provenance/id-token configuration without CI workflows.", "Add `permissions: id-token: write` to your publish workflow for npm provenance.");
+    const files = readdirSync(workflowsDir).filter((f) => f.endsWith(".yml") || f.endsWith(".yaml"));
+    let hasIdToken = false;
+    for (const file of files) {
+        const content = readFileSync(path.join(workflowsDir, file), "utf8");
+        if (content.includes("id-token: write")) {
+            hasIdToken = true;
+            break;
+        }
+    }
+    if (hasIdToken)
+        return pass("ci.provenance.id-token", "ci", "CI workflow has id-token: write");
+    return fail("ci.provenance.missing", "ci", "medium", "CI workflows missing id-token: write for provenance", "Publishing with provenance requires `id-token: write` permission.", "Add `permissions:\\n  id-token: write` to your publish workflow.");
+}
+function checkLintLockfile(rootDir) {
+    const pkgPath = path.join(rootDir, "package.json");
+    if (!existsSync(pkgPath))
+        return skip("ci.lint-lockfile.no-pkg", "ci", "No package.json", "Cannot check lockfile lint scripts.", "Ensure package.json exists.");
+    const pkg = readJsonSafe(pkgPath, {});
+    const hasScript = pkg.scripts?.["lint:lockfile"] ?? false;
+    const hasDep = pkg.devDependencies?.["lockfile-lint"] ?? false;
+    if (hasScript && hasDep)
+        return pass("ci.lint-lockfile.configured", "ci", "lockfile-lint configured in package.json");
+    if (hasScript && !hasDep)
+        return fail("ci.lint-lockfile.no-dep", "ci", "medium", "lint:lockfile script exists but lockfile-lint not in devDependencies", "The lockfile lint script references a tool that is not installed.", "Run `npm install --save-dev lockfile-lint`.");
+    return fail("ci.lint-lockfile.missing", "ci", "medium", "Missing lockfile linting gate", "Without lockfile-lint, lockfile injection attacks go undetected.", "Install lockfile-lint and add `\"lint:lockfile\": \"lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https\"` to scripts.");
+}
+function checkSbomScript(rootDir) {
+    const pkgPath = path.join(rootDir, "package.json");
+    if (!existsSync(pkgPath))
+        return skip("ci.sbom.no-pkg", "ci", "No package.json", "Cannot check SBOM scripts.", "Ensure package.json exists.");
+    const pkg = readJsonSafe(pkgPath, {});
+    const hasSbom = pkg.scripts?.["sbom"] ?? pkg.scripts?.["generate:sbom"] ?? false;
+    if (hasSbom)
+        return pass("ci.sbom.present", "ci", "SBOM generation script configured");
+    return fail("ci.sbom.missing", "ci", "low", "No SBOM generation script", "SBOM helps track what was built and where inputs originated (supply chain transparency).", "Add a script: `\"sbom\": \"npx @cyclonedx/cyclonedx-npm --validate > sbom.json\"`.");
+}
+function checkEnvPlaintext(rootDir) {
+    const envPath = path.join(rootDir, ".env");
+    if (!existsSync(envPath))
+        return pass("maintainer.env.no-file", "maintainer", "No .env file in project root");
+    const content = readFileSync(envPath, "utf8");
+    const lines = content.split("\n").filter((l) => l.trim() && !l.trim().startsWith("#"));
+    const secretLines = lines.filter((l) => {
+        const val = l.split("=").slice(1).join("=").trim();
+        return val.length > 0 && !val.startsWith("op://") && !val.startsWith("infisical://") && !val.includes("${");
+    });
+    if (secretLines.length === 0)
+        return pass("maintainer.env.secure", "maintainer", ".env uses secret references (not plaintext)");
+    return fail("maintainer.env.plaintext", "maintainer", "critical", `${secretLines.length} plaintext secrets in .env`, "Plaintext secrets in .env are exfiltratable by any compromised dependency.", "Replace plaintext values with references (op:// or infisical://) and use a secrets manager CLI at runtime.");
+}
+function checkNpxHardening() {
+    return skip("maintainer.npx-hardening.manual", "maintainer", "Verify npx hardening", "npx can silently pull fresh malicious packages without lockfile verification.", "Create a dedicated workspace with pre-installed npx packages, and use `npx --offline --workspace <path>` to block network fetches. See docs/security-best-practices.md for step-by-step instructions.");
+}
+function checkNpm2fa() {
+    return skip("maintainer.2fa.manual", "maintainer", "Verify npm account 2FA", "Accounts without 2FA are vulnerable to credential theft and package takeover.", "Run `npm profile enable-2fa auth-and-writes` to enable 2FA for your npm account.");
+}
+function checkDevContainer(rootDir) {
+    const devContainerPath = path.join(rootDir, ".devcontainer", "devcontainer.json");
+    if (existsSync(devContainerPath))
+        return pass("maintainer.devcontainer.present", "maintainer", "Dev Container configured");
+    return fail("maintainer.devcontainer.missing", "maintainer", "low", "No Dev Container configured", "Dev Containers isolate npm execution from host system, limiting malware blast radius.", "Create `.devcontainer/devcontainer.json` with a Node.js image and `postCreateCommand: npm ci`.");
+}
+function checkNodeModulesGitignored(rootDir) {
+    const gitignorePath = path.join(rootDir, ".gitignore");
+    if (!existsSync(gitignorePath))
+        return fail("config.gitignore.missing", "config", "medium", "Missing .gitignore", "Without .gitignore, node_modules/ and secrets could be committed accidentally.", "Add a .gitignore file with `node_modules/` and `.env` patterns.");
+    const content = readFileSync(gitignorePath, "utf8");
+    if (content.includes("node_modules"))
+        return pass("config.gitignore.node-modules", "config", ".gitignore blocks node_modules");
+    return fail("config.gitignore.no-node-modules", "config", "medium", ".gitignore missing node_modules", "node_modules is not gitignored, risking accidental commits of thousands of files.", "Add `node_modules/` to .gitignore.");
+}

package/dist/core/evaluate.js

@@ -0,0 +1,25 @@
+const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3
+};
+export function sortFindings(findings) {
+    return [...findings].sort((a, b) => {
+        const bySeverity = SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity];
+        if (bySeverity !== 0) {
+            return bySeverity;
+        }
+        const byRuleId = a.ruleId.localeCompare(b.ruleId);
+        if (byRuleId !== 0) {
+            return byRuleId;
+        }
+        return a.message.localeCompare(b.message);
+    });
+}
+export function evaluatePolicies(facts, rules) {
+    const findings = rules
+        .map((rule) => rule.evaluate(facts))
+        .filter((finding) => finding !== null);
+    return sortFindings(findings);
+}

package/dist/core/install-decision.js

@@ -0,0 +1,11 @@
+export function deriveInstallDecision(findings, _score) {
+    const hasCritical = findings.some((finding) => finding.severity === "critical");
+    if (hasCritical) {
+        return "block";
+    }
+    const hasHigh = findings.some((finding) => finding.severity === "high");
+    if (hasHigh) {
+        return "warn";
+    }
+    return "allow";
+}

package/dist/core/overrides.js

@@ -0,0 +1,57 @@
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+const CONFIG_FILE = "depsentinel.json";
+function defaults() {
+    return { schemaVersion: "1.0.0", preset: "base", policyCatalog: "v1", failOn: ["critical"], overrides: [] };
+}
+function readConfig(cwd) {
+    const filePath = path.join(cwd, CONFIG_FILE);
+    if (!existsSync(filePath))
+        return defaults();
+    try {
+        const raw = JSON.parse(readFileSync(filePath, "utf8"));
+        return {
+            schemaVersion: raw.schemaVersion ?? "1.0.0",
+            preset: raw.preset ?? "base",
+            policyCatalog: raw.policyCatalog ?? "v1",
+            failOn: raw.failOn ?? ["critical"],
+            overrides: raw.overrides ?? []
+        };
+    }
+    catch {
+        return defaults();
+    }
+}
+function writeConfig(cwd, config) {
+    writeFileSync(path.join(cwd, CONFIG_FILE), JSON.stringify(config, null, 2) + "\n", "utf8");
+}
+export function overrideAdd(options) {
+    const cwd = options.cwd ?? process.cwd();
+    const config = readConfig(cwd);
+    config.overrides = config.overrides.filter((e) => e.ruleId !== options.ruleId);
+    config.overrides.push({
+        ruleId: options.ruleId,
+        reason: options.reason,
+        expires: options.expires,
+        createdAt: new Date().toISOString().split("T")[0]
+    });
+    writeConfig(cwd, config);
+    return config;
+}
+export function overrideRemove(ruleId, cwd) {
+    const cwd_ = cwd ?? process.cwd();
+    const config = readConfig(cwd_);
+    config.overrides = config.overrides.filter((e) => e.ruleId !== ruleId);
+    writeConfig(cwd_, config);
+    return config;
+}
+export function overrideList(cwd) {
+    return readConfig(cwd ?? process.cwd());
+}
+export function isOverridden(ruleId, cwd) {
+    const config = readConfig(cwd ?? process.cwd());
+    const entry = config.overrides.find((e) => e.ruleId === ruleId);
+    if (!entry)
+        return false;
+    return new Date(entry.expires) >= new Date();
+}

package/dist/core/risk-score.js

@@ -0,0 +1,16 @@
+const SEVERITY_WEIGHTS = {
+    critical: 30,
+    high: 18,
+    medium: 10,
+    low: 4
+};
+function clamp(value, min, max) {
+    return Math.min(max, Math.max(min, value));
+}
+export function computeRiskScore(findings) {
+    const deduction = findings.reduce((acc, finding) => acc + SEVERITY_WEIGHTS[finding.severity], 0);
+    return clamp(100 - deduction, 0, 100);
+}
+export function getSeverityWeights() {
+    return { ...SEVERITY_WEIGHTS };
+}

package/dist/core/safe-write.js

@@ -0,0 +1,43 @@
+import { copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+function nextBackupPath(filePath) {
+    let candidate = `${filePath}.bak`;
+    let counter = 1;
+    while (existsSync(candidate)) {
+        candidate = `${filePath}.bak.${counter}`;
+        counter += 1;
+    }
+    return candidate;
+}
+export function planSafeFile(filePath, content) {
+    if (!existsSync(filePath)) {
+        return { path: filePath, content, status: "create" };
+    }
+    const current = readFileSync(filePath, "utf8");
+    if (current === content) {
+        return { path: filePath, content, status: "noop" };
+    }
+    return {
+        path: filePath,
+        content,
+        status: "update",
+        backupPath: nextBackupPath(filePath)
+    };
+}
+export function applySafePlan(plan, options = {}) {
+    const dryRun = options.dryRun ?? false;
+    if (dryRun) {
+        return plan;
+    }
+    for (const file of plan) {
+        if (file.status === "noop") {
+            continue;
+        }
+        mkdirSync(path.dirname(file.path), { recursive: true });
+        if (file.status === "update" && file.backupPath) {
+            copyFileSync(file.path, file.backupPath);
+        }
+        writeFileSync(file.path, file.content, "utf8");
+    }
+    return plan;
+}

package/dist/core/tool-adapters.js

@@ -0,0 +1,87 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export const DEFAULT_ADAPTER_TIMEOUT_MS = 5000;
+export function withTimeout(promise, ms) {
+    return Promise.race([
+        promise,
+        new Promise((_, reject) => {
+            setTimeout(() => reject(new Error(`Timed out after ${ms}ms`)), ms);
+        })
+    ]);
+}
+export async function spawnWithTimeout(command, args, tool, timeoutMs) {
+    try {
+        const result = await withTimeout(execFileAsync(command, args, {
+            timeout: timeoutMs,
+            windowsHide: true
+        }), timeoutMs);
+        return {
+            tool,
+            status: "executed",
+            output: result.stdout.trim() || result.stderr.trim() || "(no output)",
+            exitCode: 0
+        };
+    }
+    catch (error) {
+        const err = error;
+        const isTimeout = err.killed === true ||
+            err.code === "ETIMEDOUT" ||
+            (err.message && /timed out/i.test(err.message));
+        return {
+            tool,
+            status: "failed",
+            error: isTimeout ? `Adapter ${tool} timed out after ${timeoutMs}ms` : (err.message ?? String(error)),
+            exitCode: err.code === "ENOENT" ? undefined : (err.exitCode ?? 1),
+            output: err.stdout?.trim() || err.stderr?.trim() || undefined
+        };
+    }
+}
+function buildNpxAdapter(tool) {
+    return {
+        tool,
+        check: async (packageName, _cwd) => {
+            try {
+                // Try running npx <tool> --version to detect tool availability
+                await execFileAsync("npx", [tool, "--version"], {
+                    timeout: DEFAULT_ADAPTER_TIMEOUT_MS,
+                    windowsHide: true
+                });
+                // Tool is available — execute the actual check
+                return spawnWithTimeout("npx", [tool, packageName], tool, DEFAULT_ADAPTER_TIMEOUT_MS);
+            }
+            catch {
+                // Tool not available — skip gracefully
+                return { tool, status: "skipped" };
+            }
+        }
+    };
+}
+export function createToolAdapters() {
+    return [
+        buildNpxAdapter("npq"),
+        buildNpxAdapter("sfw"),
+        buildNpxAdapter("lockfile-lint")
+    ];
+}
+export async function runOptionalToolAdapters(adapters, packageName, cwd) {
+    const results = [];
+    for (const adapter of adapters) {
+        try {
+            const report = await adapter.check(packageName, cwd);
+            results.push(report);
+        }
+        catch (error) {
+            results.push({
+                tool: adapter.tool,
+                status: "failed",
+                error: error instanceof Error ? error.message : String(error)
+            });
+        }
+    }
+    return {
+        executed: results.filter((r) => r.status === "executed"),
+        skipped: results.filter((r) => r.status === "skipped"),
+        failed: results.filter((r) => r.status === "failed")
+    };
+}

package/dist/formatters/human.js

@@ -0,0 +1,39 @@
+export function formatScanHuman(envelope) {
+    const findingLines = envelope.result.findings.length
+        ? envelope.result.findings.map((finding) => `- [${finding.severity}] ${finding.ruleId}: ${finding.message}`).join("\n")
+        : "- none";
+    const commandLines = envelope.result.remediation_commands.length
+        ? envelope.result.remediation_commands.map((cmd) => `- ${cmd}`).join("\n")
+        : "- none";
+    return [
+        "depsentinel scan",
+        `risk score: ${envelope.result.risk_score}`,
+        `package manager: ${envelope.facts.packageManager}`,
+        "findings:",
+        findingLines,
+        "remediation:",
+        commandLines
+    ].join("\n");
+}
+export function formatInstallHuman(envelope) {
+    const findingLines = envelope.result.findings.length
+        ? envelope.result.findings
+            .map((f) => `- [${f.severity}] ${f.ruleId}: ${f.message}`)
+            .join("\n")
+        : "- none";
+    const remediationLines = envelope.result.remediationCommands.length
+        ? envelope.result.remediationCommands.map((cmd) => `- ${cmd}`).join("\n")
+        : "- none";
+    const overrideNote = envelope.result.forced ? " (forced override)" : "";
+    return [
+        "depsentinel install",
+        `decision: ${envelope.result.decision}${overrideNote}`,
+        `risk score: ${envelope.result.score}`,
+        `package manager: ${envelope.facts.packageManager}`,
+        "findings:",
+        findingLines,
+        "remediation:",
+        remediationLines,
+        `override: depsentinel install --force <package>`
+    ].join("\n");
+}

package/dist/formatters/json.js

@@ -0,0 +1,6 @@
+export function formatScanJson(envelope) {
+    return JSON.stringify(envelope, null, 2);
+}
+export function formatInstallJson(envelope) {
+    return JSON.stringify(envelope, null, 2);
+}

package/dist/policies/catalog.v1.js

@@ -0,0 +1,123 @@
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import { fixtureAdvisorySource } from "../advisories/fixture-source.js";
+function readJsonSafe(filePath, fallback) {
+    try {
+        return JSON.parse(readFileSync(filePath, "utf8"));
+    }
+    catch {
+        return fallback;
+    }
+}
+const DISALLOWED_PROTOCOLS = ["git+", "http:", "https:", "file:", "link:", "workspace:"];
+function critical(ruleId, message, meta) {
+    return {
+        ruleId,
+        severity: "critical",
+        message,
+        meta
+    };
+}
+export const policyCatalogV1 = [
+    {
+        id: "lockfile.required",
+        description: "Project must include lockfile",
+        severity: "critical",
+        evaluate: (facts) => {
+            if (facts.lockfile) {
+                return null;
+            }
+            return critical("lockfile.required", "Missing lockfile. Commit a lockfile to ensure reproducible installs.");
+        }
+    },
+    {
+        id: "dependency.protocol.disallowed",
+        description: "Dependencies cannot use disallowed protocols",
+        severity: "critical",
+        evaluate: (facts) => {
+            const violated = Object.entries(facts.dependencies).find(([, version]) => DISALLOWED_PROTOCOLS.some((protocol) => version.startsWith(protocol)));
+            if (!violated) {
+                return null;
+            }
+            const [name, version] = violated;
+            return critical("dependency.protocol.disallowed", `Dependency ${name} uses disallowed source ${version}.`, { dependency: name, source: version });
+        }
+    },
+    {
+        id: "advisory.critical.detected",
+        description: "Critical advisory source check",
+        severity: "critical",
+        evaluate: (facts) => {
+            const match = fixtureAdvisorySource.findCriticalMatch(facts);
+            if (!match) {
+                return null;
+            }
+            return critical("advisory.critical.detected", `Critical advisory ${match.advisoryId} for ${match.packageName}@${match.affectedVersion}: ${match.title}`, {
+                advisoryId: match.advisoryId,
+                package: match.packageName,
+                affectedVersion: match.affectedVersion
+            });
+        }
+    },
+    {
+        id: "maintainer.env.plaintext",
+        description: "Flag plaintext secrets in .env files",
+        severity: "critical",
+        evaluate: (facts) => {
+            const envPath = path.join(facts.rootDir, ".env");
+            if (!existsSync(envPath))
+                return null;
+            const content = readFileSync(envPath, "utf8");
+            const secretLines = content.split("\n").filter((l) => {
+                const trimmed = l.trim();
+                if (!trimmed || trimmed.startsWith("#"))
+                    return false;
+                const val = trimmed.split("=").slice(1).join("=").trim();
+                return val.length > 0 && !val.startsWith("op://") && !val.startsWith("infisical://") && !val.includes("${");
+            });
+            if (secretLines.length === 0)
+                return null;
+            return critical("maintainer.env.plaintext", `${secretLines.length} plaintext secrets found in .env. Replace with op:// or infisical:// references.`, { count: secretLines.length });
+        }
+    },
+    {
+        id: "ci.sbom.missing",
+        description: "Project should have an SBOM generation script",
+        severity: "low",
+        evaluate: (facts) => {
+            const pkgPath = path.join(facts.rootDir, "package.json");
+            if (!existsSync(pkgPath))
+                return null;
+            const pkg = readJsonSafe(pkgPath, {});
+            const hasSbom = pkg.scripts?.["sbom"] ?? pkg.scripts?.["generate:sbom"];
+            if (hasSbom)
+                return null;
+            return {
+                ruleId: "ci.sbom.missing",
+                severity: "low",
+                message: "No SBOM generation script. Add `sbom` script using @cyclonedx/cyclonedx-npm for supply chain transparency."
+            };
+        }
+    },
+    {
+        id: "config.files.allowlist",
+        description: "Non-private packages should define `files` allowlist",
+        severity: "medium",
+        evaluate: (facts) => {
+            const pkgPath = path.join(facts.rootDir, "package.json");
+            if (!existsSync(pkgPath))
+                return null;
+            const pkg = readJsonSafe(pkgPath, {});
+            if (pkg.private)
+                return null;
+            if (pkg.files && pkg.files.length > 0)
+                return null;
+            return {
+                ruleId: "config.files.allowlist",
+                severity: "medium",
+                message: "Public package missing `files` field in package.json. Without it, everything publishes."
+            };
+        }
+    }
+];
+policyCatalogV1.sort((a, b) => a.id.localeCompare(b.id));

package/dist/types/contracts.js

@@ -0,0 +1 @@
+export {};