mcp-wordpress 2.11.13 → 3.0.0

package/src/security/SecurityCIPipeline.ts

@@ -1,6 +1,11 @@
 /**
  * Security CI/CD Pipeline Integration
  * Provides security checks and gates for continuous integration and deployment
+ *
+ * This module orchestrates security gates using:
+ * - SecurityGateExecutor: Handles gate and check execution
+ * - SecurityReportGenerator: Handles report generation and statistics
+ * - SecurityTypes: Shared type definitions
  */
 
 import { AISecurityScanner } from "./AISecurityScanner.js";
@@ -8,102 +13,24 @@ import { AutomatedRemediation } from "./AutomatedRemediation.js";
 import { SecurityReviewer } from "./SecurityReviewer.js";
 import { SecurityConfigManager } from "./SecurityConfigManager.js";
 import { SecurityUtils } from "./SecurityConfig.js";
-import { LoggerFactory } from "../utils/logger.js";
+import { LoggerFactory } from "@/utils/logger.js";
+import { SecurityGateExecutor } from "./SecurityGateExecutor.js";
+import { SecurityReportGenerator } from "./SecurityReportGenerator.js";
+import type {
+  SecurityGate,
+  SecurityCheck,
+  PipelineSecurityReport,
+  PipelineContext,
+  GateExecutionOptions,
+  PipelineStatistics,
+  ReportFilterOptions,
+} from "./SecurityTypes.js";
+
+// Re-export types for backward compatibility
+export type { PipelineSecurityReport } from "./SecurityTypes.js";
 
 const logger = LoggerFactory.security();
 
-interface SecurityGate {
-  id: string;
-  name: string;
-  stage: "pre-commit" | "pre-build" | "pre-deploy" | "post-deploy";
-  enabled: boolean;
-  blocking: boolean;
-  checks: SecurityCheck[];
-  thresholds: {
-    maxCritical: number;
-    maxHigh: number;
-    maxMedium: number;
-    minSecurityScore: number;
-  };
-  exceptions: string[];
-}
-
-interface SecurityCheck {
-  id: string;
-  name: string;
-  type: "scan" | "review" | "dependency" | "configuration" | "secrets" | "compliance";
-  enabled: boolean;
-  timeout: number;
-  retries: number;
-  parameters: Record<string, unknown>;
-}
-
-export interface PipelineSecurityReport {
-  reportId: string;
-  timestamp: Date;
-  stage: string;
-  status: "passed" | "failed" | "warning";
-  duration: number;
-  gates: GateResult[];
-  summary: {
-    totalIssues: number;
-    criticalIssues: number;
-    highIssues: number;
-    mediumIssues: number;
-    lowIssues: number;
-    securityScore: number;
-    compliance: boolean;
-  };
-  recommendations: string[];
-  artifacts: string[];
-}
-
-interface GateResult {
-  gateId: string;
-  gateName: string;
-  status: "passed" | "failed" | "warning" | "skipped";
-  duration: number;
-  checks: CheckResult[];
-  blocking: boolean;
-  message: string;
-}
-
-interface CheckResult {
-  checkId: string;
-  checkName: string;
-  status: "passed" | "failed" | "warning" | "error";
-  duration: number;
-  findings: SecurityFinding[];
-  details: string;
-  score: number;
-}
-
-interface SecurityFinding {
-  id: string;
-  severity: "critical" | "high" | "medium" | "low" | "info";
-  type: string;
-  description: string;
-  file?: string | undefined;
-  line?: number | undefined;
-  remediation?: string | undefined;
-}
-
-interface PipelineContext {
-  repositoryUrl: string;
-  branch: string;
-  commit: string;
-  author: string;
-  pullRequest?: {
-    id: string;
-    title: string;
-    source: string;
-    target: string;
-  };
-  environment: string;
-  buildNumber: string;
-  artifacts: string[];
-}
-
 /**
  * Security CI/CD Pipeline Manager
  */
@@ -114,8 +41,10 @@ export class SecurityCIPipeline {
   public reviewer: SecurityReviewer;
   public configManager: SecurityConfigManager;
   public config: Record<string, unknown>;
+
   private gates: Map<string, SecurityGate> = new Map();
-  private reports: PipelineSecurityReport[] = [];
+  private gateExecutor: SecurityGateExecutor;
+  private reportGenerator: SecurityReportGenerator;
 
   constructor(
     config: Record<string, unknown> = { projectPath: "/" },
@@ -140,77 +69,72 @@ export class SecurityCIPipeline {
 
     this.config = config;
 
-    // Instantiate components (tests provide vi.mocks which should replace constructors in the dist/ runtime)
     // Allow dependency injection for tests to provide mocked implementations
     this.scanner = (deps && deps.scanner) || new AISecurityScanner();
     this.remediation = (deps && deps.remediation) || new AutomatedRemediation();
     this.reviewer = (deps && deps.reviewer) || new SecurityReviewer();
     this.configManager = (deps && deps.configManager) || new SecurityConfigManager();
 
-    // Small helper: ensure methods exist and are spyable under vitest without overwriting existing mocks
-    const makeMockable = (obj: unknown, methods: string[]) => {
-      const _objRecord = obj as Record<string, unknown>;
-      // Only ensure missing methods exist. Never overwrite or wrap existing properties so test-provided
-      // mocks are not replaced.
-      const viRef = (globalThis as Record<string, unknown> & { vi?: Record<string, unknown> }).vi;
-      if (!obj) return;
+    // Ensure methods exist and are spyable under vitest
+    this.makeMockable(this.scanner, ["scanCodeForVulnerabilities", "performScan", "scanDependencies", "scanSecrets"]);
+    this.makeMockable(this.reviewer, ["reviewCode", "reviewDirectory", "reviewConfiguration"]);
+    this.makeMockable(this.remediation, ["autoFix", "generateRecommendations"]);
+    this.makeMockable(this.configManager, ["getSecurityConfig", "validateConfiguration", "initialize"]);
+
+    // Initialize executor and report generator
+    this.gateExecutor = new SecurityGateExecutor({
+      scanner: this.scanner,
+      reviewer: this.reviewer,
+      configManager: this.configManager,
+    });
+    this.reportGenerator = new SecurityReportGenerator();
 
-      for (const m of methods) {
-        try {
-          const current = _objRecord[m];
-          // If method already exists (mock or real), do not replace it.
-          if (typeof current !== "undefined") continue;
-
-          if (viRef && typeof viRef.fn === "function") {
-            _objRecord[m] = (viRef.fn as () => unknown)();
-          } else {
-            // Provide a harmless default implementation when tests aren't present
-            _objRecord[m] = () => Promise.resolve(null);
-          }
-        } catch (_e) {
-          // ignore and continue
-        }
-      }
-    };
+    this.initializeDefaultGates();
+  }
+
+  /**
+   * Helper to make methods mockable in tests
+   */
+  private makeMockable(obj: unknown, methods: string[]): void {
+    const _objRecord = obj as Record<string, unknown>;
+    const viRef = (globalThis as Record<string, unknown> & { vi?: Record<string, unknown> }).vi;
+    if (!obj) return;
 
-    makeMockable(this.scanner, ["scanCodeForVulnerabilities", "performScan", "scanDependencies", "scanSecrets"]);
-    makeMockable(this.reviewer, ["reviewCode", "reviewDirectory", "reviewConfiguration"]);
-    makeMockable(this.remediation, ["autoFix", "generateRecommendations"]);
-    makeMockable(this.configManager, ["getSecurityConfig", "validateConfiguration", "initialize"]);
+    for (const m of methods) {
+      try {
+        const current = _objRecord[m];
+        if (typeof current !== "undefined") continue;
 
-    this.initializeDefaultGates();
+        if (viRef && typeof viRef.fn === "function") {
+          _objRecord[m] = (viRef.fn as () => unknown)();
+        } else {
+          _objRecord[m] = () => Promise.resolve(null);
+        }
+      } catch (_e) {
+        // ignore and continue
+      }
+    }
   }
 
-  // --- Public API expected by tests ---
+  // --- Public Gate Execution API ---
 
   async executePreCommitGate(options: Record<string, unknown> = {}): Promise<PipelineSecurityReport> {
     const context = this.buildDefaultContext();
-    return this.executeSecurityGates(
-      "pre-commit",
-      context,
-      options as { skipNonBlocking?: boolean; continueOnFailure?: boolean; dryRun?: boolean },
-    );
+    return this.executeSecurityGates("pre-commit", context, options as GateExecutionOptions);
   }
 
   async executePreBuildGate(options: Record<string, unknown> = {}): Promise<PipelineSecurityReport> {
     const context = this.buildDefaultContext();
-    return this.executeSecurityGates(
-      "pre-build",
-      context,
-      options as { skipNonBlocking?: boolean; continueOnFailure?: boolean; dryRun?: boolean },
-    );
+    return this.executeSecurityGates("pre-build", context, options as GateExecutionOptions);
   }
 
   async executePreDeployGate(options: Record<string, unknown> = {}): Promise<PipelineSecurityReport> {
     const context = this.buildDefaultContext();
-    return this.executeSecurityGates(
-      "pre-deploy",
-      context,
-      options as { skipNonBlocking?: boolean; continueOnFailure?: boolean; dryRun?: boolean },
-    );
+    return this.executeSecurityGates("pre-deploy", context, options as GateExecutionOptions);
   }
 
-  // Convenience runners for individual checks used by tests
+  // --- Individual Check Runners ---
+
   async runVulnerabilityCheck(opts: { timeout?: number; retries?: number } = {}): Promise<Record<string, unknown>> {
     const check: SecurityCheck = {
       id: "vulnerability-scan",
@@ -237,7 +161,7 @@ export class SecurityCIPipeline {
       try {
         const scanPromise = scanner.scanCodeForVulnerabilities
           ? scanner.scanCodeForVulnerabilities()
-          : scanner.performScan?.() ?? Promise.resolve({ vulnerabilities: [], riskScore: 0 });
+          : (scanner.performScan?.() ?? Promise.resolve({ vulnerabilities: [], riskScore: 0 }));
 
         if (opts.timeout && opts.timeout > 0) {
           const res = await Promise.race([
@@ -249,19 +173,14 @@ export class SecurityCIPipeline {
             return { checkId: check.id, status: "timeout" };
           }
 
-          // treat the scan result like a successful check
           return { checkId: check.id, status: "passed", result: res } as Record<string, unknown>;
         }
 
         const res = await scanPromise;
-        // Validate response: treat null/undefined as invalid, but accept objects that may not include
-        // a vulnerabilities array (normalize to empty array). This keeps tests' mocked scanner
-        // results compatible while still flagging truly malformed responses.
         if (res === null || typeof res === "undefined") {
           return { checkId: check.id, status: "failed", error: "Invalid response" } as Record<string, unknown>;
         }
 
-        // Normalize vulnerabilities field
         const resWithVulns = res as Record<string, unknown> & { vulnerabilities?: unknown[] };
         if (!Array.isArray(resWithVulns.vulnerabilities)) {
           resWithVulns.vulnerabilities = [];
@@ -272,7 +191,6 @@ export class SecurityCIPipeline {
         if (attempts >= maxAttempts) {
           return { checkId: check.id, status: "failed", error: String(err) } as Record<string, unknown>;
         }
-        // otherwise retry
       }
     }
     return { checkId: check.id, status: "failed", error: "Retries exhausted" } as Record<string, unknown>;
@@ -291,7 +209,6 @@ export class SecurityCIPipeline {
   }
 
   async runCodeReviewCheck(): Promise<Record<string, unknown>> {
-    // Prefer reviewCode if present in mocked reviewer, else fallback
     const reviewer = this.reviewer as unknown as {
       reviewCode?: (path: string) => Promise<{ issues: unknown[] }>;
       reviewDirectory?: (path: string) => Promise<{ issues: unknown[] }>;
@@ -301,7 +218,8 @@ export class SecurityCIPipeline {
     return { checkId: "code-review", status: "passed", result: res };
   }
 
-  // Gate management
+  // --- Gate Management ---
+
   configureGate(gate: Partial<SecurityGate>): void {
     if (!gate || !gate.id || !gate.stage) {
       throw new Error("Invalid gate configuration");
@@ -337,27 +255,51 @@ export class SecurityCIPipeline {
     return !!g && g.enabled;
   }
 
-  // Reporting
+  getSecurityGate(gateId: string): SecurityGate | null {
+    return this.gates.get(gateId) || null;
+  }
+
+  updateSecurityGate(gateId: string, updates: Partial<SecurityGate>): boolean {
+    const gate = this.gates.get(gateId);
+    if (!gate) {
+      return false;
+    }
+
+    const updatedGate = { ...gate, ...updates, id: gateId };
+    this.gates.set(gateId, updatedGate);
+
+    logger.info(`Updated security gate: ${updatedGate.name}`, { gateName: updatedGate.name });
+    return true;
+  }
+
+  // --- Reporting ---
+
   async generateReport(): Promise<PipelineSecurityReport> {
-    if (this.reports.length > 0) return this.reports[this.reports.length - 1];
-    return this.createEmptyReport(SecurityUtils.generateSecureToken(8), "summary", Date.now());
+    const latest = this.reportGenerator.getLatestReport();
+    if (latest) return latest;
+    return this.reportGenerator.createEmptyReport(SecurityUtils.generateSecureToken(8), "summary", Date.now());
   }
 
   async exportReport(format: string): Promise<string> {
     const report = await this.generateReport();
-    if (format === "html") return `<html><body>${JSON.stringify(report)}</body></html>`;
-    if (format === "xml") return `<report>${JSON.stringify(report)}</report>`;
-    return JSON.stringify(report);
+    return this.reportGenerator.exportReport(report, format);
   }
 
   async calculateSecurityMetrics(): Promise<{ overallScore: number; riskLevel: string; complianceStatus: boolean }> {
     const report = await this.generateReport();
-    const overallScore = report.summary.securityScore ?? 100;
-    const riskLevel = overallScore > 80 ? "low" : overallScore > 50 ? "medium" : "high";
-    return { overallScore, riskLevel, complianceStatus: report.summary.compliance };
+    return this.reportGenerator.calculateSecurityMetrics(report);
+  }
+
+  getReports(options: ReportFilterOptions = {}): PipelineSecurityReport[] {
+    return this.reportGenerator.getReports(options);
   }
 
-  // Automated remediation
+  getStatistics(): PipelineStatistics {
+    return this.reportGenerator.getStatistics();
+  }
+
+  // --- Remediation ---
+
   async executeAutoRemediation(): Promise<Record<string, unknown>> {
     try {
       const remediation = this.remediation as unknown as Record<string, unknown> & { autoFix?: () => Promise<unknown> };
@@ -375,7 +317,8 @@ export class SecurityCIPipeline {
     return remediation.generateRecommendations?.() ?? [];
   }
 
-  // Full pipeline orchestration
+  // --- Full Pipeline Orchestration ---
+
   async executeFullPipeline(): Promise<Record<string, unknown>> {
     const start = Date.now();
     const stages: PipelineSecurityReport[] = [];
@@ -411,7 +354,8 @@ export class SecurityCIPipeline {
     return { stages, overallStatus, duration: Math.max(1, Date.now() - start) };
   }
 
-  // Notifications
+  // --- Notifications ---
+
   sendNotification(payload: Record<string, unknown>): void {
     logger.info("Sending notification", { payload });
   }
@@ -422,55 +366,33 @@ export class SecurityCIPipeline {
     return { subject, body };
   }
 
-  // Configuration reloading
+  // --- Configuration ---
+
   reloadConfiguration(newConfig: Record<string, unknown>): void {
     if (!newConfig || newConfig.projectPath == null) throw new Error("Invalid configuration");
-    // preserve gate enabled/disabled states
     const state: Record<string, boolean> = {};
     for (const [id, g] of this.gates.entries()) state[id] = g.enabled;
 
     this.config = newConfig;
 
-    // reapply states
     for (const [id, enabled] of Object.entries(state)) {
       const g = this.gates.get(id);
       if (g) g.enabled = enabled;
     }
   }
 
-  // Helper to build a default pipeline context
-  private buildDefaultContext(): PipelineContext {
-    return {
-      repositoryUrl: this.config.repositoryUrl ?? "",
-      branch: this.config.branch ?? "main",
-      commit: this.config.commitHash ?? "",
-      author: this.config.author ?? "",
-      environment: this.config.environment ?? "test",
-      buildNumber: this.config.buildNumber ?? "0",
-      artifacts: this.config.artifacts ?? [],
-    } as PipelineContext;
-  }
-
-  /**
-   * Initialize the security pipeline
-   */
   async initialize(): Promise<void> {
     logger.info("Initializing security CI/CD pipeline");
     await this.configManager.initialize();
     logger.info("Security pipeline ready");
   }
 
-  /**
-   * Execute security gates for a pipeline stage
-   */
+  // --- Core Gate Execution ---
+
   async executeSecurityGates(
     stage: SecurityGate["stage"],
     context: PipelineContext,
-    options: {
-      skipNonBlocking?: boolean;
-      continueOnFailure?: boolean;
-      dryRun?: boolean;
-    } = {},
+    options: GateExecutionOptions = {},
   ): Promise<PipelineSecurityReport> {
     const reportId = SecurityUtils.generateSecureToken(16);
     const startTime = Date.now();
@@ -485,27 +407,26 @@ export class SecurityCIPipeline {
 
     if (applicableGates.length === 0) {
       logger.warn(`No security gates configured for stage: ${stage}`, { stage });
-      return this.createEmptyReport(reportId, stage, startTime);
+      return this.reportGenerator.createEmptyReport(reportId, stage, startTime);
     }
 
-    const gateResults: GateResult[] = [];
+    const gateResults: import("./SecurityTypes.js").GateResult[] = [];
     let overallStatus: "passed" | "failed" | "warning" = "passed";
 
     for (const gate of applicableGates) {
       logger.info(`Executing gate: ${gate.name}`, { gateName: gate.name });
 
       try {
-        const gateResult = await this.executeSecurityGate(gate, context, options);
+        const gateResult = await this.gateExecutor.executeGate(gate, context, options);
         gateResults.push(gateResult);
 
-        // Update overall status
         if (gateResult.status === "failed" && gate.blocking) {
           overallStatus = "failed";
         } else if (gateResult.status === "warning" && overallStatus === "passed") {
           overallStatus = "warning";
         }
 
-        // Send notification for failed gates (tests expect notification on failure)
+        // Send notification for failed gates
         try {
           if (gateResult.status === "failed") {
             const criticalCount = gateResult.checks
@@ -516,18 +437,17 @@ export class SecurityCIPipeline {
             );
           }
         } catch (_e) {
-          // ignore notification errors during test runs
+          // ignore notification errors
         }
 
-        // Stop on blocking failure unless continuing on failure
         if (gateResult.status === "failed" && gate.blocking && !options.continueOnFailure) {
           logger.error(`Stopping pipeline due to blocking gate failure: ${gate.name}`, { gateName: gate.name });
           break;
         }
       } catch (_error) {
-        logger.error(`Gate execution _error: ${gate.name}`, { gateName: gate.name, _error });
+        logger.error(`Gate execution error: ${gate.name}`, { gateName: gate.name, _error });
 
-        const errorResult: GateResult = {
+        const errorResult: import("./SecurityTypes.js").GateResult = {
           gateId: gate.id,
           gateName: gate.name,
           status: "failed",
@@ -546,647 +466,29 @@ export class SecurityCIPipeline {
       }
     }
 
-    const report = this.generatePipelineReport(reportId, stage, startTime, overallStatus, gateResults, context);
+    const report = this.reportGenerator.generateReport(reportId, stage, startTime, overallStatus, gateResults, context);
 
-    this.reports.push(report);
+    this.reportGenerator.storeReport(report);
 
     logger.info(`${stage} gates completed`, { stage, status: overallStatus });
 
     return report;
   }
 
-  /**
-   * Execute a single security gate
-   */
-  private async executeSecurityGate(
-    gate: SecurityGate,
-    context: PipelineContext,
-    options: { dryRun?: boolean } = {},
-  ): Promise<GateResult> {
-    const startTime = Date.now();
-    const checkResults: CheckResult[] = [];
-
-    for (const check of gate.checks) {
-      if (!check.enabled) {
-        continue;
-      }
-
-      logger.info(`Running check: ${check.name}`, { checkName: check.name });
-
-      try {
-        const checkResult = await this.executeSecurityCheck(check, context, options);
-        checkResults.push(checkResult);
-      } catch (_error) {
-        logger.error(`Check execution _error: ${check.name}`, { checkName: check.name, _error });
-
-        checkResults.push({
-          checkId: check.id,
-          checkName: check.name,
-          status: "error",
-          duration: Date.now() - startTime,
-          findings: [],
-          details: `Check execution failed: ${_error instanceof Error ? _error.message : String(_error)}`,
-          score: 0,
-        });
-      }
-    }
-
-    // Evaluate gate status based on check results and thresholds
-    const gateStatus = this.evaluateGateStatus(gate, checkResults);
-
-    return {
-      gateId: gate.id,
-      gateName: gate.id,
-      status: gateStatus.status,
-      duration: Date.now() - startTime,
-      checks: checkResults,
-      blocking: gate.blocking,
-      message: gateStatus.message,
-    };
-  }
-
-  /**
-   * Execute a single security check
-   */
-  private async executeSecurityCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-    options: { dryRun?: boolean } = {},
-  ): Promise<CheckResult> {
-    const startTime = Date.now();
-    const findings: SecurityFinding[] = [];
-    let score: number = 100; // Initialize with safe default
-    let details = "";
-
-    if (options.dryRun) {
-      return {
-        checkId: check.id,
-        checkName: check.name,
-        status: "passed",
-        duration: Date.now() - startTime,
-        findings: [],
-        details: "Dry run - no actual checks performed",
-        score: 100,
-      };
-    }
-
-    try {
-      switch (check.type) {
-        case "scan":
-          const scanResults = await this.executeScanCheck(check, context);
-          findings.push(...scanResults.findings);
-          score = scanResults.score;
-          details = scanResults.details;
-          break;
-
-        case "review":
-          const reviewResults = await this.executeReviewCheck(check, context);
-          findings.push(...reviewResults.findings);
-          score = reviewResults.score;
-          details = reviewResults.details;
-          break;
-
-        case "dependency":
-          const depResults = await this.executeDependencyCheck(check, context);
-          findings.push(...depResults.findings);
-          score = depResults.score;
-          details = depResults.details;
-          break;
-
-        case "configuration":
-          const configResults = await this.executeConfigurationCheck(check, context);
-          findings.push(...configResults.findings);
-          score = configResults.score;
-          details = configResults.details;
-          break;
-
-        case "secrets":
-          const secretResults = await this.executeSecretsCheck(check, context);
-          findings.push(...secretResults.findings);
-          score = secretResults.score;
-          details = secretResults.details;
-          break;
-
-        case "compliance":
-          const complianceResults = await this.executeComplianceCheck(check, context);
-          findings.push(...complianceResults.findings);
-          score = complianceResults.score;
-          details = complianceResults.details;
-          break;
-
-        default:
-          throw new Error(`Unknown check type: ${check.type}`);
-      }
-
-      // Determine check status based on findings
-      const criticalCount = findings.filter((f) => f.severity === "critical").length;
-      const highCount = findings.filter((f) => f.severity === "high").length;
-
-      let status: CheckResult["status"];
-      if (criticalCount > 0) {
-        status = "failed";
-      } else if (highCount > 0) {
-        status = "warning";
-      } else {
-        status = "passed";
-      }
-
-      return {
-        checkId: check.id,
-        checkName: check.name,
-        status,
-        duration: Date.now() - startTime,
-        findings,
-        details,
-        score,
-      };
-    } catch (_error) {
-      // Log the original error for observability while converting to warning
-      logger.warn(`Security check ${check.name} encountered error (converting to warning)`, {
-        checkId: check.id,
-        checkName: check.name,
-        error: String(_error),
-        errorStack: _error instanceof Error ? _error.stack : undefined,
-      });
-
-      // Instead of throwing (which produced 'error' status externally and failed gates),
-      // convert this into a non-blocking warning result so default gates pass unless
-      // tests intentionally inject critical/high findings.
-      return {
-        checkId: check.id,
-        checkName: check.name,
-        status: "warning",
-        duration: Date.now() - startTime,
-        findings: [],
-        details: `Check execution issue treated as warning: ${String(_error)}`,
-        // Use 90 as neutral score to indicate uncertainty (lower than perfect 100 but still passing)
-        score: Math.min(score ?? 100, 90),
-      };
-    }
-  }
-
-  /**
-   * Execute security scan check
-   */
-  private async executeScanCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    const scanParams = check.parameters as {
-      targets?: string[];
-      depth?: "shallow" | "deep" | "comprehensive";
-      includeRuntime?: boolean;
-      includeFileSystem?: boolean;
-    };
-    // Prefer explicit scanner APIs when present (tests mock these). Fall back to performScan when needed.
-    const scannerAny = this.scanner as unknown as {
-      scanCodeForVulnerabilities?: () => Promise<unknown>;
-      performScan?: (opts?: unknown) => Promise<unknown>;
-    };
-
-    let scanResult: unknown;
-    if (typeof scannerAny.scanCodeForVulnerabilities === "function") {
-      scanResult = await scannerAny.scanCodeForVulnerabilities();
-    } else if (typeof scannerAny.performScan === "function") {
-      scanResult = await scannerAny.performScan({
-        targets: scanParams.targets ?? ["src/"],
-        depth: scanParams.depth ?? "deep",
-        includeRuntime: scanParams.includeRuntime ?? false,
-        includeFileSystem: scanParams.includeFileSystem ?? true,
-      });
-    } else {
-      scanResult = { vulnerabilities: [], summary: { total: 0, critical: 0, high: 0, medium: 0 } };
-    }
-
-    // Normalize scanResult shape if mocks provide only vulnerabilities without summary
-    const scanResultTyped = scanResult as
-      | { vulnerabilities?: unknown[]; summary?: Record<string, unknown> }
-      | null
-      | undefined;
-    const vulns = Array.isArray(scanResultTyped?.vulnerabilities) ? scanResultTyped.vulnerabilities : [];
-    const summary = scanResultTyped?.summary
-      ? scanResultTyped.summary
-      : {
-          total: vulns.length,
-          critical: vulns.filter((v: unknown) => (v as { severity?: string })?.severity === "critical").length,
-          high: vulns.filter((v: unknown) => (v as { severity?: string })?.severity === "high").length,
-          medium: vulns.filter((v: unknown) => (v as { severity?: string })?.severity === "medium").length,
-        };
-
-    const findings: SecurityFinding[] = (vulns || []).map((vuln: unknown) => {
-      const v = vuln as {
-        id?: string;
-        severity?: string;
-        type?: string;
-        description?: string;
-        location?: { file?: string; line?: number };
-        remediation?: { suggested?: string };
-      };
-      return {
-        id: v.id || "unknown",
-        severity: (v.severity as SecurityFinding["severity"]) || "medium",
-        type: v.type || "vulnerability",
-        description: v.description || "No description",
-        file: v.location?.file,
-        line: v.location?.line,
-        remediation: v.remediation?.suggested,
-      };
-    });
-    const summaryTyped = summary as { critical?: number; high?: number; medium?: number };
-    const score = Math.max(
-      0,
-      100 - ((summaryTyped.critical || 0) * 10 + (summaryTyped.high || 0) * 5 + (summaryTyped.medium || 0) * 2),
-    );
-
-    return {
-      findings,
-      score,
-      details: `Scanned codebase: ${summary.total} vulnerabilities found`,
-    };
-  }
-
-  /**
-   * Execute code review check
-   */
-  private async executeReviewCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    const reviewParams = check.parameters as { rules?: string[]; excludeRules?: string[]; aiAnalysis?: boolean };
-
-    // Support either reviewer.reviewDirectory (returns array) or reviewer.reviewCode (returns single summary)
-    const reviewerAny = this.reviewer as unknown as {
-      reviewDirectory?: (path: string, opts?: unknown) => Promise<unknown>;
-      reviewCode?: (path: string, opts?: unknown) => Promise<unknown>;
-    };
-
-    const raw =
-      typeof reviewerAny.reviewDirectory === "function"
-        ? await reviewerAny.reviewDirectory("src/", {
-            recursive: true,
-            rules: reviewParams.rules ?? [],
-            excludeRules: reviewParams.excludeRules ?? [],
-            aiAnalysis: reviewParams.aiAnalysis ?? false,
-          })
-        : typeof reviewerAny.reviewCode === "function"
-          ? await reviewerAny.reviewCode("src/", {
-              rules: reviewParams.rules ?? [],
-              aiAnalysis: reviewParams.aiAnalysis ?? false,
-            })
-          : [];
-
-    const reviewResults = Array.isArray(raw) ? raw : raw ? [raw] : [];
-
-    const allFindings: SecurityFinding[] = [];
-    let totalScore = 0;
-
-    for (const result of reviewResults) {
-      const resultTyped = result as { findings?: unknown[]; file?: string };
-      const resultFindings = (resultTyped.findings || []).map((finding: unknown) => {
-        const f = finding as {
-          id?: string;
-          severity?: string;
-          category?: string;
-          type?: string;
-          message?: string;
-          description?: string;
-          line?: number;
-          recommendation?: string;
-          remediation?: string;
-        };
-        return {
-          id: f.id || "unknown",
-          severity: (f.severity as SecurityFinding["severity"]) || "medium",
-          type: f.category || f.type || "review",
-          description: f.message || f.description || "No description",
-          file: resultTyped.file,
-          line: f.line,
-          remediation: f.recommendation || f.remediation,
-        };
-      });
-
-      allFindings.push(...resultFindings);
-      totalScore += this.calculateFileScore(result.findings || []);
-    }
-
-    const averageScore = reviewResults.length > 0 ? totalScore / reviewResults.length : 100;
-
-    return {
-      findings: allFindings,
-      score: averageScore,
-      details: `Reviewed ${reviewResults.length} files: ${allFindings.length} security issues found`,
-    };
-  }
-
-  /**
-   * Execute dependency check
-   */
-  private async executeDependencyCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    // This would integrate with npm audit, Snyk, or similar tools
-    logger.info("Dependency check - integration with external tools required");
-
-    return {
-      findings: [],
-      score: 100,
-      details: "Dependency check completed - no vulnerabilities found",
-    };
-  }
-
-  /**
-   * Execute configuration check
-   */
-  private async executeConfigurationCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    // Some test mocks provide validateCompliance, others may not. Fall back to compliant=true when unavailable.
-    let compliance: { compliant: boolean; violations: string[] } = { compliant: true, violations: [] };
-    try {
-      const configManager = this.configManager as unknown as Record<string, unknown> & {
-        validateCompliance?: (env: string) => Promise<{ compliant: boolean; violations: string[] }>;
-        getSecurityConfig?: () => Record<string, unknown> & { compliant?: boolean; violations?: string[] };
-      };
-
-      if (typeof configManager.validateCompliance === "function") {
-        compliance = await configManager.validateCompliance(context.environment);
-      } else if (typeof configManager.getSecurityConfig === "function") {
-        // derive basic compliance from config when validateCompliance is not available
-        const cfg = configManager.getSecurityConfig() || {};
-        compliance = { compliant: !!cfg.compliant, violations: cfg.violations ?? [] };
-      }
-    } catch (_e) {
-      compliance = { compliant: true, violations: [] };
-    }
-
-    const findings: SecurityFinding[] = compliance.violations.map((violation, index) => ({
-      id: `config-${index}`,
-      severity: "medium" as const,
-      type: "Configuration",
-      description: violation,
-      remediation: "Review security configuration",
-    }));
-
-    const score = compliance.compliant ? 100 : Math.max(0, 100 - compliance.violations.length * 10);
-
-    return {
-      findings,
-      score,
-      details: `Configuration compliance: ${compliance.compliant ? "compliant" : "non-compliant"}`,
-    };
-  }
-
-  /**
-   * Execute secrets check
-   */
-  private async executeSecretsCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    // This would integrate with tools like TruffleHog, GitLeaks, etc.
-    logger.info("Secrets check - integration with secret scanning tools required");
-
-    return {
-      findings: [],
-      score: 100,
-      details: "Secrets scan completed - no exposed secrets found",
-    };
-  }
-
-  /**
-   * Execute compliance check
-   */
-  private async executeComplianceCheck(
-    check: SecurityCheck,
-    context: PipelineContext,
-  ): Promise<{
-    findings: SecurityFinding[];
-    score: number;
-    details: string;
-  }> {
-    const complianceParams = check.parameters as { frameworks?: string[] };
-    const frameworks: string[] = complianceParams.frameworks ?? ["OWASP", "CWE"];
-    const findings: SecurityFinding[] = [];
-
-    // Check for compliance with security frameworks
-    for (const framework of frameworks) {
-      // This would integrate with compliance checking tools
-      logger.info(`Checking ${framework} compliance`, { framework });
-    }
-
-    return {
-      findings,
-      score: 100,
-      details: `Compliance check completed for frameworks: ${frameworks.join(", ")}`,
-    };
-  }
-
-  /**
-   * Calculate security score for file findings
-   */
-  private calculateFileScore(findings: Array<{ severity: string }>): number {
-    const severityWeights: Record<string, number> = { critical: 20, high: 10, medium: 5, low: 2, info: 1 };
-    const penalty = findings.reduce((sum: number, finding) => {
-      return sum + (severityWeights[finding.severity] || 0);
-    }, 0);
-    return Math.max(0, 100 - penalty);
-  }
-
-  /**
-   * Evaluate gate status based on check results and thresholds
-   */
-  private evaluateGateStatus(
-    gate: SecurityGate,
-    checkResults: CheckResult[],
-  ): {
-    status: "passed" | "failed" | "warning";
-    message: string;
-  } {
-    const allFindings = checkResults.flatMap((result) => result.findings);
-
-    const criticalCount = allFindings.filter((f) => f.severity === "critical").length;
-    const highCount = allFindings.filter((f) => f.severity === "high").length;
-    const mediumCount = allFindings.filter((f) => f.severity === "medium").length;
-
-    // Exclude error checks from average score calculation
-    const validChecks = checkResults.filter((result) => result.status !== "error");
-    const averageScore =
-      validChecks.length > 0 ? validChecks.reduce((sum, result) => sum + result.score, 0) / validChecks.length : 100;
-
-    // Check thresholds
-    if (criticalCount > gate.thresholds.maxCritical) {
-      return {
-        status: "failed",
-        message: `Critical vulnerabilities (${criticalCount}) exceed threshold (${gate.thresholds.maxCritical})`,
-      };
-    }
-
-    if (highCount > gate.thresholds.maxHigh) {
-      return {
-        status: "failed",
-        message: `High-severity vulnerabilities (${highCount}) exceed threshold (${gate.thresholds.maxHigh})`,
-      };
-    }
-
-    if (averageScore < gate.thresholds.minSecurityScore) {
-      return {
-        status: "failed",
-        message: `Security score (${averageScore.toFixed(1)}) below threshold (${gate.thresholds.minSecurityScore})`,
-      };
-    }
-
-    if (mediumCount > gate.thresholds.maxMedium) {
-      return {
-        status: "warning",
-        message: `Medium-severity vulnerabilities (${mediumCount}) exceed threshold (${gate.thresholds.maxMedium})`,
-      };
-    }
-
-    return {
-      status: "passed",
-      message: "All security checks passed",
-    };
-  }
-
-  /**
-   * Generate pipeline security report
-   */
-  private generatePipelineReport(
-    reportId: string,
-    stage: string,
-    startTime: number,
-    status: "passed" | "failed" | "warning",
-    gateResults: GateResult[],
-    context: PipelineContext,
-  ): PipelineSecurityReport {
-    const allFindings = gateResults.flatMap((gate) => gate.checks.flatMap((check) => check.findings));
-
-    const summary = {
-      totalIssues: allFindings.length,
-      criticalIssues: allFindings.filter((f) => f.severity === "critical").length,
-      highIssues: allFindings.filter((f) => f.severity === "high").length,
-      mediumIssues: allFindings.filter((f) => f.severity === "medium").length,
-      lowIssues: allFindings.filter((f) => f.severity === "low").length,
-      securityScore: this.calculateOverallSecurityScore(gateResults),
-      compliance: status === "passed",
-    };
-
-    const recommendations = this.generateRecommendations(gateResults, summary);
-
-    return {
-      reportId,
-      timestamp: new Date(),
-      stage,
-      status,
-      duration: Date.now() - startTime,
-      gates: gateResults,
-      summary,
-      recommendations,
-      artifacts: this.generateArtifacts(reportId, gateResults),
-    };
-  }
-
-  /**
-   * Calculate overall security score
-   */
-  private calculateOverallSecurityScore(gateResults: GateResult[]): number {
-    const allChecks = gateResults.flatMap((gate) => gate.checks);
-
-    if (allChecks.length === 0) {
-      return 100;
-    }
-
-    const totalScore = allChecks.reduce((sum, check) => sum + check.score, 0);
-    return totalScore / allChecks.length;
-  }
-
-  /**
-   * Generate recommendations based on results
-   */
-  private generateRecommendations(
-    gateResults: GateResult[],
-    summary: { criticalIssues: number; highIssues: number; securityScore: number; [key: string]: unknown },
-  ): string[] {
-    const recommendations: string[] = [];
-
-    if (summary.criticalIssues > 0) {
-      recommendations.push("Address critical security vulnerabilities immediately before deployment");
-    }
-
-    if (summary.highIssues > 5) {
-      recommendations.push("Review and remediate high-severity security issues");
-    }
+  // --- Private Helpers ---
 
-    if (summary.securityScore < 80) {
-      recommendations.push("Improve overall security posture through code review and security training");
-    }
-
-    const failedGates = gateResults.filter((gate) => gate.status === "failed");
-    if (failedGates.length > 0) {
-      recommendations.push(`Review failed security gates: ${failedGates.map((g) => g.gateName).join(", ")}`);
-    }
-
-    return recommendations;
-  }
-
-  /**
-   * Generate artifacts for the security report
-   */
-  private generateArtifacts(reportId: string, gateResults: GateResult[]): string[] {
-    // In a real implementation, this would generate SARIF files, security reports, etc.
-    return [`security-report-${reportId}.json`, `security-findings-${reportId}.sarif`];
-  }
-
-  /**
-   * Create empty report for stages with no gates
-   */
-  private createEmptyReport(reportId: string, stage: string, startTime: number): PipelineSecurityReport {
+  private buildDefaultContext(): PipelineContext {
     return {
-      reportId,
-      timestamp: new Date(),
-      stage,
-      status: "passed",
-      duration: Date.now() - startTime,
-      gates: [],
-      summary: {
-        totalIssues: 0,
-        criticalIssues: 0,
-        highIssues: 0,
-        mediumIssues: 0,
-        lowIssues: 0,
-        securityScore: 100,
-        compliance: true,
-      },
-      recommendations: [],
-      artifacts: [],
-    };
+      repositoryUrl: this.config.repositoryUrl ?? "",
+      branch: this.config.branch ?? "main",
+      commit: this.config.commitHash ?? "",
+      author: this.config.author ?? "",
+      environment: this.config.environment ?? "test",
+      buildNumber: this.config.buildNumber ?? "0",
+      artifacts: this.config.artifacts ?? [],
+    } as PipelineContext;
   }
 
-  /**
-   * Initialize default security gates
-   */
   private initializeDefaultGates(): void {
     // Pre-commit gate
     this.gates.set("pre-commit", {
@@ -1314,129 +616,4 @@ export class SecurityCIPipeline {
       exceptions: [],
     });
   }
-
-  /**
-   * Get security gate configuration
-   */
-  getSecurityGate(gateId: string): SecurityGate | null {
-    return this.gates.get(gateId) || null;
-  }
-
-  /**
-   * Update security gate configuration
-   */
-  updateSecurityGate(gateId: string, updates: Partial<SecurityGate>): boolean {
-    const gate = this.gates.get(gateId);
-    if (!gate) {
-      return false;
-    }
-
-    const updatedGate = { ...gate, ...updates, id: gateId };
-    this.gates.set(gateId, updatedGate);
-
-    logger.info(`Updated security gate: ${updatedGate.name}`, { gateName: updatedGate.name });
-    return true;
-  }
-
-  /**
-   * Get pipeline reports
-   */
-  getReports(
-    options: {
-      stage?: string;
-      status?: string;
-      since?: Date;
-      limit?: number;
-    } = {},
-  ): PipelineSecurityReport[] {
-    let reports = [...this.reports];
-
-    if (options.stage) {
-      reports = reports.filter((r) => r.stage === options.stage);
-    }
-
-    if (options.status) {
-      reports = reports.filter((r) => r.status === options.status);
-    }
-
-    if (options.since) {
-      reports = reports.filter((r) => r.timestamp >= options.since!);
-    }
-
-    // Sort by timestamp (newest first)
-    reports.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
-
-    if (options.limit) {
-      reports = reports.slice(0, options.limit);
-    }
-
-    return reports;
-  }
-
-  /**
-   * Get pipeline statistics
-   */
-  getStatistics(): {
-    totalReports: number;
-    passRate: number;
-    averageSecurityScore: number;
-    mostCommonIssues: { type: string; count: number }[];
-    gatePerformance: { gateId: string; successRate: number; averageDuration: number }[];
-  } {
-    const totalReports = this.reports.length;
-    const passedReports = this.reports.filter((r) => r.status === "passed").length;
-    const passRate = totalReports > 0 ? passedReports / totalReports : 1;
-
-    const averageSecurityScore =
-      totalReports > 0 ? this.reports.reduce((sum, r) => sum + r.summary.securityScore, 0) / totalReports : 100;
-
-    // Count issue types
-    const issueTypes: Record<string, number> = {};
-    this.reports.forEach((report) => {
-      report.gates.forEach((gate) => {
-        gate.checks.forEach((check) => {
-          check.findings.forEach((finding) => {
-            issueTypes[finding.type] = (issueTypes[finding.type] || 0) + 1;
-          });
-        });
-      });
-    });
-
-    const mostCommonIssues = Object.entries(issueTypes)
-      .map(([type, count]) => ({ type, count }))
-      .sort((a, b) => b.count - a.count)
-      .slice(0, 5);
-
-    // Calculate gate performance
-    const gateStats: Record<string, { total: number; passed: number; totalDuration: number }> = {};
-
-    this.reports.forEach((report) => {
-      report.gates.forEach((gate) => {
-        if (!gateStats[gate.gateId]) {
-          gateStats[gate.gateId] = { total: 0, passed: 0, totalDuration: 0 };
-        }
-
-        gateStats[gate.gateId].total++;
-        gateStats[gate.gateId].totalDuration += gate.duration;
-
-        if (gate.status === "passed") {
-          gateStats[gate.gateId].passed++;
-        }
-      });
-    });
-
-    const gatePerformance = Object.entries(gateStats).map(([gateId, stats]) => ({
-      gateId,
-      successRate: stats.total > 0 ? stats.passed / stats.total : 0,
-      averageDuration: stats.total > 0 ? stats.totalDuration / stats.total : 0,
-    }));
-
-    return {
-      totalReports,
-      passRate,
-      averageSecurityScore,
-      mostCommonIssues,
-      gatePerformance,
-    };
-  }
 }