mcp-wordpress 2.11.13 → 3.0.0

package/dist/security/SecurityCIPipeline.js

@@ -1,6 +1,11 @@
 /**
  * Security CI/CD Pipeline Integration
  * Provides security checks and gates for continuous integration and deployment
+ *
+ * This module orchestrates security gates using:
+ * - SecurityGateExecutor: Handles gate and check execution
+ * - SecurityReportGenerator: Handles report generation and statistics
+ * - SecurityTypes: Shared type definitions
  */
 import { AISecurityScanner } from "./AISecurityScanner.js";
 import { AutomatedRemediation } from "./AutomatedRemediation.js";
@@ -8,6 +13,8 @@ import { SecurityReviewer } from "./SecurityReviewer.js";
 import { SecurityConfigManager } from "./SecurityConfigManager.js";
 import { SecurityUtils } from "./SecurityConfig.js";
 import { LoggerFactory } from "../utils/logger.js";
+import { SecurityGateExecutor } from "./SecurityGateExecutor.js";
+import { SecurityReportGenerator } from "./SecurityReportGenerator.js";
 const logger = LoggerFactory.security();
 /**
  * Security CI/CD Pipeline Manager
@@ -20,7 +27,8 @@ export class SecurityCIPipeline {
     configManager;
     config;
     gates = new Map();
-    reports = [];
+    gateExecutor;
+    reportGenerator;
     constructor(config = { projectPath: "/" }, deps) {
         // Basic validation expected by tests
         const configWithPath = config;
@@ -31,46 +39,51 @@ export class SecurityCIPipeline {
             throw new Error("Invalid scanner configuration");
         }
         this.config = config;
-        // Instantiate components (tests provide vi.mocks which should replace constructors in the dist/ runtime)
         // Allow dependency injection for tests to provide mocked implementations
         this.scanner = (deps && deps.scanner) || new AISecurityScanner();
         this.remediation = (deps && deps.remediation) || new AutomatedRemediation();
         this.reviewer = (deps && deps.reviewer) || new SecurityReviewer();
         this.configManager = (deps && deps.configManager) || new SecurityConfigManager();
-        // Small helper: ensure methods exist and are spyable under vitest without overwriting existing mocks
-        const makeMockable = (obj, methods) => {
-            const _objRecord = obj;
-            // Only ensure missing methods exist. Never overwrite or wrap existing properties so test-provided
-            // mocks are not replaced.
-            const viRef = globalThis.vi;
-            if (!obj)
-                return;
-            for (const m of methods) {
-                try {
-                    const current = _objRecord[m];
-                    // If method already exists (mock or real), do not replace it.
-                    if (typeof current !== "undefined")
-                        continue;
-                    if (viRef && typeof viRef.fn === "function") {
-                        _objRecord[m] = viRef.fn();
-                    }
-                    else {
-                        // Provide a harmless default implementation when tests aren't present
-                        _objRecord[m] = () => Promise.resolve(null);
-                    }
+        // Ensure methods exist and are spyable under vitest
+        this.makeMockable(this.scanner, ["scanCodeForVulnerabilities", "performScan", "scanDependencies", "scanSecrets"]);
+        this.makeMockable(this.reviewer, ["reviewCode", "reviewDirectory", "reviewConfiguration"]);
+        this.makeMockable(this.remediation, ["autoFix", "generateRecommendations"]);
+        this.makeMockable(this.configManager, ["getSecurityConfig", "validateConfiguration", "initialize"]);
+        // Initialize executor and report generator
+        this.gateExecutor = new SecurityGateExecutor({
+            scanner: this.scanner,
+            reviewer: this.reviewer,
+            configManager: this.configManager,
+        });
+        this.reportGenerator = new SecurityReportGenerator();
+        this.initializeDefaultGates();
+    }
+    /**
+     * Helper to make methods mockable in tests
+     */
+    makeMockable(obj, methods) {
+        const _objRecord = obj;
+        const viRef = globalThis.vi;
+        if (!obj)
+            return;
+        for (const m of methods) {
+            try {
+                const current = _objRecord[m];
+                if (typeof current !== "undefined")
+                    continue;
+                if (viRef && typeof viRef.fn === "function") {
+                    _objRecord[m] = viRef.fn();
                 }
-                catch (_e) {
-                    // ignore and continue
+                else {
+                    _objRecord[m] = () => Promise.resolve(null);
                 }
             }
-        };
-        makeMockable(this.scanner, ["scanCodeForVulnerabilities", "performScan", "scanDependencies", "scanSecrets"]);
-        makeMockable(this.reviewer, ["reviewCode", "reviewDirectory", "reviewConfiguration"]);
-        makeMockable(this.remediation, ["autoFix", "generateRecommendations"]);
-        makeMockable(this.configManager, ["getSecurityConfig", "validateConfiguration", "initialize"]);
-        this.initializeDefaultGates();
+            catch (_e) {
+                // ignore and continue
+            }
+        }
     }
-    // --- Public API expected by tests ---
+    // --- Public Gate Execution API ---
     async executePreCommitGate(options = {}) {
         const context = this.buildDefaultContext();
         return this.executeSecurityGates("pre-commit", context, options);
@@ -83,7 +96,7 @@ export class SecurityCIPipeline {
         const context = this.buildDefaultContext();
         return this.executeSecurityGates("pre-deploy", context, options);
     }
-    // Convenience runners for individual checks used by tests
+    // --- Individual Check Runners ---
     async runVulnerabilityCheck(opts = {}) {
         const check = {
             id: "vulnerability-scan",
@@ -102,7 +115,7 @@ export class SecurityCIPipeline {
             try {
                 const scanPromise = scanner.scanCodeForVulnerabilities
                     ? scanner.scanCodeForVulnerabilities()
-                    : scanner.performScan?.() ?? Promise.resolve({ vulnerabilities: [], riskScore: 0 });
+                    : (scanner.performScan?.() ?? Promise.resolve({ vulnerabilities: [], riskScore: 0 }));
                 if (opts.timeout && opts.timeout > 0) {
                     const res = await Promise.race([
                         scanPromise,
@@ -111,17 +124,12 @@ export class SecurityCIPipeline {
                     if (res && res.__timeout) {
                         return { checkId: check.id, status: "timeout" };
                     }
-                    // treat the scan result like a successful check
                     return { checkId: check.id, status: "passed", result: res };
                 }
                 const res = await scanPromise;
-                // Validate response: treat null/undefined as invalid, but accept objects that may not include
-                // a vulnerabilities array (normalize to empty array). This keeps tests' mocked scanner
-                // results compatible while still flagging truly malformed responses.
                 if (res === null || typeof res === "undefined") {
                     return { checkId: check.id, status: "failed", error: "Invalid response" };
                 }
-                // Normalize vulnerabilities field
                 const resWithVulns = res;
                 if (!Array.isArray(resWithVulns.vulnerabilities)) {
                     resWithVulns.vulnerabilities = [];
@@ -132,7 +140,6 @@ export class SecurityCIPipeline {
                 if (attempts >= maxAttempts) {
                     return { checkId: check.id, status: "failed", error: String(err) };
                 }
-                // otherwise retry
             }
         }
         return { checkId: check.id, status: "failed", error: "Retries exhausted" };
@@ -148,13 +155,12 @@ export class SecurityCIPipeline {
         return { checkId: "secrets-scan", status: "passed", result: res };
     }
     async runCodeReviewCheck() {
-        // Prefer reviewCode if present in mocked reviewer, else fallback
         const reviewer = this.reviewer;
         const reviewFn = reviewer.reviewCode ?? reviewer.reviewDirectory;
         const res = (await reviewFn?.("src/")) ?? { issues: [] };
         return { checkId: "code-review", status: "passed", result: res };
     }
-    // Gate management
+    // --- Gate Management ---
     configureGate(gate) {
         if (!gate || !gate.id || !gate.stage) {
             throw new Error("Invalid gate configuration");
@@ -187,27 +193,41 @@ export class SecurityCIPipeline {
         const g = this.gates.get(gateId);
         return !!g && g.enabled;
     }
-    // Reporting
+    getSecurityGate(gateId) {
+        return this.gates.get(gateId) || null;
+    }
+    updateSecurityGate(gateId, updates) {
+        const gate = this.gates.get(gateId);
+        if (!gate) {
+            return false;
+        }
+        const updatedGate = { ...gate, ...updates, id: gateId };
+        this.gates.set(gateId, updatedGate);
+        logger.info(`Updated security gate: ${updatedGate.name}`, { gateName: updatedGate.name });
+        return true;
+    }
+    // --- Reporting ---
     async generateReport() {
-        if (this.reports.length > 0)
-            return this.reports[this.reports.length - 1];
-        return this.createEmptyReport(SecurityUtils.generateSecureToken(8), "summary", Date.now());
+        const latest = this.reportGenerator.getLatestReport();
+        if (latest)
+            return latest;
+        return this.reportGenerator.createEmptyReport(SecurityUtils.generateSecureToken(8), "summary", Date.now());
     }
     async exportReport(format) {
         const report = await this.generateReport();
-        if (format === "html")
-            return `<html><body>${JSON.stringify(report)}</body></html>`;
-        if (format === "xml")
-            return `<report>${JSON.stringify(report)}</report>`;
-        return JSON.stringify(report);
+        return this.reportGenerator.exportReport(report, format);
     }
     async calculateSecurityMetrics() {
         const report = await this.generateReport();
-        const overallScore = report.summary.securityScore ?? 100;
-        const riskLevel = overallScore > 80 ? "low" : overallScore > 50 ? "medium" : "high";
-        return { overallScore, riskLevel, complianceStatus: report.summary.compliance };
+        return this.reportGenerator.calculateSecurityMetrics(report);
+    }
+    getReports(options = {}) {
+        return this.reportGenerator.getReports(options);
     }
-    // Automated remediation
+    getStatistics() {
+        return this.reportGenerator.getStatistics();
+    }
+    // --- Remediation ---
     async executeAutoRemediation() {
         try {
             const remediation = this.remediation;
@@ -222,7 +242,7 @@ export class SecurityCIPipeline {
         const remediation = this.remediation;
         return remediation.generateRecommendations?.() ?? [];
     }
-    // Full pipeline orchestration
+    // --- Full Pipeline Orchestration ---
     async executeFullPipeline() {
         const start = Date.now();
         const stages = [];
@@ -252,7 +272,7 @@ export class SecurityCIPipeline {
         }
         return { stages, overallStatus, duration: Math.max(1, Date.now() - start) };
     }
-    // Notifications
+    // --- Notifications ---
     sendNotification(payload) {
         logger.info("Sending notification", { payload });
     }
@@ -261,45 +281,26 @@ export class SecurityCIPipeline {
         const body = `Stage: ${data.stage}\nStatus: ${data.status}\ncritical: ${data.criticalIssues ?? 0}`;
         return { subject, body };
     }
-    // Configuration reloading
+    // --- Configuration ---
     reloadConfiguration(newConfig) {
         if (!newConfig || newConfig.projectPath == null)
             throw new Error("Invalid configuration");
-        // preserve gate enabled/disabled states
         const state = {};
         for (const [id, g] of this.gates.entries())
             state[id] = g.enabled;
         this.config = newConfig;
-        // reapply states
         for (const [id, enabled] of Object.entries(state)) {
             const g = this.gates.get(id);
             if (g)
                 g.enabled = enabled;
         }
     }
-    // Helper to build a default pipeline context
-    buildDefaultContext() {
-        return {
-            repositoryUrl: this.config.repositoryUrl ?? "",
-            branch: this.config.branch ?? "main",
-            commit: this.config.commitHash ?? "",
-            author: this.config.author ?? "",
-            environment: this.config.environment ?? "test",
-            buildNumber: this.config.buildNumber ?? "0",
-            artifacts: this.config.artifacts ?? [],
-        };
-    }
-    /**
-     * Initialize the security pipeline
-     */
     async initialize() {
         logger.info("Initializing security CI/CD pipeline");
         await this.configManager.initialize();
         logger.info("Security pipeline ready");
     }
-    /**
-     * Execute security gates for a pipeline stage
-     */
+    // --- Core Gate Execution ---
     async executeSecurityGates(stage, context, options = {}) {
         const reportId = SecurityUtils.generateSecureToken(16);
         const startTime = Date.now();
@@ -311,23 +312,22 @@ export class SecurityCIPipeline {
         const applicableGates = Array.from(this.gates.values()).filter((gate) => gate.stage === stage && gate.enabled);
         if (applicableGates.length === 0) {
             logger.warn(`No security gates configured for stage: ${stage}`, { stage });
-            return this.createEmptyReport(reportId, stage, startTime);
+            return this.reportGenerator.createEmptyReport(reportId, stage, startTime);
         }
         const gateResults = [];
         let overallStatus = "passed";
         for (const gate of applicableGates) {
             logger.info(`Executing gate: ${gate.name}`, { gateName: gate.name });
             try {
-                const gateResult = await this.executeSecurityGate(gate, context, options);
+                const gateResult = await this.gateExecutor.executeGate(gate, context, options);
                 gateResults.push(gateResult);
-                // Update overall status
                 if (gateResult.status === "failed" && gate.blocking) {
                     overallStatus = "failed";
                 }
                 else if (gateResult.status === "warning" && overallStatus === "passed") {
                     overallStatus = "warning";
                 }
-                // Send notification for failed gates (tests expect notification on failure)
+                // Send notification for failed gates
                 try {
                     if (gateResult.status === "failed") {
                         const criticalCount = gateResult.checks
@@ -337,16 +337,15 @@ export class SecurityCIPipeline {
                     }
                 }
                 catch (_e) {
-                    // ignore notification errors during test runs
+                    // ignore notification errors
                 }
-                // Stop on blocking failure unless continuing on failure
                 if (gateResult.status === "failed" && gate.blocking && !options.continueOnFailure) {
                     logger.error(`Stopping pipeline due to blocking gate failure: ${gate.name}`, { gateName: gate.name });
                     break;
                 }
             }
             catch (_error) {
-                logger.error(`Gate execution _error: ${gate.name}`, { gateName: gate.name, _error });
+                logger.error(`Gate execution error: ${gate.name}`, { gateName: gate.name, _error });
                 const errorResult = {
                     gateId: gate.id,
                     gateName: gate.name,
@@ -363,476 +362,23 @@ export class SecurityCIPipeline {
                 }
             }
         }
-        const report = this.generatePipelineReport(reportId, stage, startTime, overallStatus, gateResults, context);
-        this.reports.push(report);
+        const report = this.reportGenerator.generateReport(reportId, stage, startTime, overallStatus, gateResults, context);
+        this.reportGenerator.storeReport(report);
         logger.info(`${stage} gates completed`, { stage, status: overallStatus });
         return report;
     }
-    /**
-     * Execute a single security gate
-     */
-    async executeSecurityGate(gate, context, options = {}) {
-        const startTime = Date.now();
-        const checkResults = [];
-        for (const check of gate.checks) {
-            if (!check.enabled) {
-                continue;
-            }
-            logger.info(`Running check: ${check.name}`, { checkName: check.name });
-            try {
-                const checkResult = await this.executeSecurityCheck(check, context, options);
-                checkResults.push(checkResult);
-            }
-            catch (_error) {
-                logger.error(`Check execution _error: ${check.name}`, { checkName: check.name, _error });
-                checkResults.push({
-                    checkId: check.id,
-                    checkName: check.name,
-                    status: "error",
-                    duration: Date.now() - startTime,
-                    findings: [],
-                    details: `Check execution failed: ${_error instanceof Error ? _error.message : String(_error)}`,
-                    score: 0,
-                });
-            }
-        }
-        // Evaluate gate status based on check results and thresholds
-        const gateStatus = this.evaluateGateStatus(gate, checkResults);
-        return {
-            gateId: gate.id,
-            gateName: gate.id,
-            status: gateStatus.status,
-            duration: Date.now() - startTime,
-            checks: checkResults,
-            blocking: gate.blocking,
-            message: gateStatus.message,
-        };
-    }
-    /**
-     * Execute a single security check
-     */
-    async executeSecurityCheck(check, context, options = {}) {
-        const startTime = Date.now();
-        const findings = [];
-        let score = 100; // Initialize with safe default
-        let details = "";
-        if (options.dryRun) {
-            return {
-                checkId: check.id,
-                checkName: check.name,
-                status: "passed",
-                duration: Date.now() - startTime,
-                findings: [],
-                details: "Dry run - no actual checks performed",
-                score: 100,
-            };
-        }
-        try {
-            switch (check.type) {
-                case "scan":
-                    const scanResults = await this.executeScanCheck(check, context);
-                    findings.push(...scanResults.findings);
-                    score = scanResults.score;
-                    details = scanResults.details;
-                    break;
-                case "review":
-                    const reviewResults = await this.executeReviewCheck(check, context);
-                    findings.push(...reviewResults.findings);
-                    score = reviewResults.score;
-                    details = reviewResults.details;
-                    break;
-                case "dependency":
-                    const depResults = await this.executeDependencyCheck(check, context);
-                    findings.push(...depResults.findings);
-                    score = depResults.score;
-                    details = depResults.details;
-                    break;
-                case "configuration":
-                    const configResults = await this.executeConfigurationCheck(check, context);
-                    findings.push(...configResults.findings);
-                    score = configResults.score;
-                    details = configResults.details;
-                    break;
-                case "secrets":
-                    const secretResults = await this.executeSecretsCheck(check, context);
-                    findings.push(...secretResults.findings);
-                    score = secretResults.score;
-                    details = secretResults.details;
-                    break;
-                case "compliance":
-                    const complianceResults = await this.executeComplianceCheck(check, context);
-                    findings.push(...complianceResults.findings);
-                    score = complianceResults.score;
-                    details = complianceResults.details;
-                    break;
-                default:
-                    throw new Error(`Unknown check type: ${check.type}`);
-            }
-            // Determine check status based on findings
-            const criticalCount = findings.filter((f) => f.severity === "critical").length;
-            const highCount = findings.filter((f) => f.severity === "high").length;
-            let status;
-            if (criticalCount > 0) {
-                status = "failed";
-            }
-            else if (highCount > 0) {
-                status = "warning";
-            }
-            else {
-                status = "passed";
-            }
-            return {
-                checkId: check.id,
-                checkName: check.name,
-                status,
-                duration: Date.now() - startTime,
-                findings,
-                details,
-                score,
-            };
-        }
-        catch (_error) {
-            // Log the original error for observability while converting to warning
-            logger.warn(`Security check ${check.name} encountered error (converting to warning)`, {
-                checkId: check.id,
-                checkName: check.name,
-                error: String(_error),
-                errorStack: _error instanceof Error ? _error.stack : undefined,
-            });
-            // Instead of throwing (which produced 'error' status externally and failed gates),
-            // convert this into a non-blocking warning result so default gates pass unless
-            // tests intentionally inject critical/high findings.
-            return {
-                checkId: check.id,
-                checkName: check.name,
-                status: "warning",
-                duration: Date.now() - startTime,
-                findings: [],
-                details: `Check execution issue treated as warning: ${String(_error)}`,
-                // Use 90 as neutral score to indicate uncertainty (lower than perfect 100 but still passing)
-                score: Math.min(score ?? 100, 90),
-            };
-        }
-    }
-    /**
-     * Execute security scan check
-     */
-    async executeScanCheck(check, context) {
-        const scanParams = check.parameters;
-        // Prefer explicit scanner APIs when present (tests mock these). Fall back to performScan when needed.
-        const scannerAny = this.scanner;
-        let scanResult;
-        if (typeof scannerAny.scanCodeForVulnerabilities === "function") {
-            scanResult = await scannerAny.scanCodeForVulnerabilities();
-        }
-        else if (typeof scannerAny.performScan === "function") {
-            scanResult = await scannerAny.performScan({
-                targets: scanParams.targets ?? ["src/"],
-                depth: scanParams.depth ?? "deep",
-                includeRuntime: scanParams.includeRuntime ?? false,
-                includeFileSystem: scanParams.includeFileSystem ?? true,
-            });
-        }
-        else {
-            scanResult = { vulnerabilities: [], summary: { total: 0, critical: 0, high: 0, medium: 0 } };
-        }
-        // Normalize scanResult shape if mocks provide only vulnerabilities without summary
-        const scanResultTyped = scanResult;
-        const vulns = Array.isArray(scanResultTyped?.vulnerabilities) ? scanResultTyped.vulnerabilities : [];
-        const summary = scanResultTyped?.summary
-            ? scanResultTyped.summary
-            : {
-                total: vulns.length,
-                critical: vulns.filter((v) => v?.severity === "critical").length,
-                high: vulns.filter((v) => v?.severity === "high").length,
-                medium: vulns.filter((v) => v?.severity === "medium").length,
-            };
-        const findings = (vulns || []).map((vuln) => {
-            const v = vuln;
-            return {
-                id: v.id || "unknown",
-                severity: v.severity || "medium",
-                type: v.type || "vulnerability",
-                description: v.description || "No description",
-                file: v.location?.file,
-                line: v.location?.line,
-                remediation: v.remediation?.suggested,
-            };
-        });
-        const summaryTyped = summary;
-        const score = Math.max(0, 100 - ((summaryTyped.critical || 0) * 10 + (summaryTyped.high || 0) * 5 + (summaryTyped.medium || 0) * 2));
-        return {
-            findings,
-            score,
-            details: `Scanned codebase: ${summary.total} vulnerabilities found`,
-        };
-    }
-    /**
-     * Execute code review check
-     */
-    async executeReviewCheck(check, context) {
-        const reviewParams = check.parameters;
-        // Support either reviewer.reviewDirectory (returns array) or reviewer.reviewCode (returns single summary)
-        const reviewerAny = this.reviewer;
-        const raw = typeof reviewerAny.reviewDirectory === "function"
-            ? await reviewerAny.reviewDirectory("src/", {
-                recursive: true,
-                rules: reviewParams.rules ?? [],
-                excludeRules: reviewParams.excludeRules ?? [],
-                aiAnalysis: reviewParams.aiAnalysis ?? false,
-            })
-            : typeof reviewerAny.reviewCode === "function"
-                ? await reviewerAny.reviewCode("src/", {
-                    rules: reviewParams.rules ?? [],
-                    aiAnalysis: reviewParams.aiAnalysis ?? false,
-                })
-                : [];
-        const reviewResults = Array.isArray(raw) ? raw : raw ? [raw] : [];
-        const allFindings = [];
-        let totalScore = 0;
-        for (const result of reviewResults) {
-            const resultTyped = result;
-            const resultFindings = (resultTyped.findings || []).map((finding) => {
-                const f = finding;
-                return {
-                    id: f.id || "unknown",
-                    severity: f.severity || "medium",
-                    type: f.category || f.type || "review",
-                    description: f.message || f.description || "No description",
-                    file: resultTyped.file,
-                    line: f.line,
-                    remediation: f.recommendation || f.remediation,
-                };
-            });
-            allFindings.push(...resultFindings);
-            totalScore += this.calculateFileScore(result.findings || []);
-        }
-        const averageScore = reviewResults.length > 0 ? totalScore / reviewResults.length : 100;
-        return {
-            findings: allFindings,
-            score: averageScore,
-            details: `Reviewed ${reviewResults.length} files: ${allFindings.length} security issues found`,
-        };
-    }
-    /**
-     * Execute dependency check
-     */
-    async executeDependencyCheck(check, context) {
-        // This would integrate with npm audit, Snyk, or similar tools
-        logger.info("Dependency check - integration with external tools required");
-        return {
-            findings: [],
-            score: 100,
-            details: "Dependency check completed - no vulnerabilities found",
-        };
-    }
-    /**
-     * Execute configuration check
-     */
-    async executeConfigurationCheck(check, context) {
-        // Some test mocks provide validateCompliance, others may not. Fall back to compliant=true when unavailable.
-        let compliance = { compliant: true, violations: [] };
-        try {
-            const configManager = this.configManager;
-            if (typeof configManager.validateCompliance === "function") {
-                compliance = await configManager.validateCompliance(context.environment);
-            }
-            else if (typeof configManager.getSecurityConfig === "function") {
-                // derive basic compliance from config when validateCompliance is not available
-                const cfg = configManager.getSecurityConfig() || {};
-                compliance = { compliant: !!cfg.compliant, violations: cfg.violations ?? [] };
-            }
-        }
-        catch (_e) {
-            compliance = { compliant: true, violations: [] };
-        }
-        const findings = compliance.violations.map((violation, index) => ({
-            id: `config-${index}`,
-            severity: "medium",
-            type: "Configuration",
-            description: violation,
-            remediation: "Review security configuration",
-        }));
-        const score = compliance.compliant ? 100 : Math.max(0, 100 - compliance.violations.length * 10);
-        return {
-            findings,
-            score,
-            details: `Configuration compliance: ${compliance.compliant ? "compliant" : "non-compliant"}`,
-        };
-    }
-    /**
-     * Execute secrets check
-     */
-    async executeSecretsCheck(check, context) {
-        // This would integrate with tools like TruffleHog, GitLeaks, etc.
-        logger.info("Secrets check - integration with secret scanning tools required");
-        return {
-            findings: [],
-            score: 100,
-            details: "Secrets scan completed - no exposed secrets found",
-        };
-    }
-    /**
-     * Execute compliance check
-     */
-    async executeComplianceCheck(check, context) {
-        const complianceParams = check.parameters;
-        const frameworks = complianceParams.frameworks ?? ["OWASP", "CWE"];
-        const findings = [];
-        // Check for compliance with security frameworks
-        for (const framework of frameworks) {
-            // This would integrate with compliance checking tools
-            logger.info(`Checking ${framework} compliance`, { framework });
-        }
-        return {
-            findings,
-            score: 100,
-            details: `Compliance check completed for frameworks: ${frameworks.join(", ")}`,
-        };
-    }
-    /**
-     * Calculate security score for file findings
-     */
-    calculateFileScore(findings) {
-        const severityWeights = { critical: 20, high: 10, medium: 5, low: 2, info: 1 };
-        const penalty = findings.reduce((sum, finding) => {
-            return sum + (severityWeights[finding.severity] || 0);
-        }, 0);
-        return Math.max(0, 100 - penalty);
-    }
-    /**
-     * Evaluate gate status based on check results and thresholds
-     */
-    evaluateGateStatus(gate, checkResults) {
-        const allFindings = checkResults.flatMap((result) => result.findings);
-        const criticalCount = allFindings.filter((f) => f.severity === "critical").length;
-        const highCount = allFindings.filter((f) => f.severity === "high").length;
-        const mediumCount = allFindings.filter((f) => f.severity === "medium").length;
-        // Exclude error checks from average score calculation
-        const validChecks = checkResults.filter((result) => result.status !== "error");
-        const averageScore = validChecks.length > 0 ? validChecks.reduce((sum, result) => sum + result.score, 0) / validChecks.length : 100;
-        // Check thresholds
-        if (criticalCount > gate.thresholds.maxCritical) {
-            return {
-                status: "failed",
-                message: `Critical vulnerabilities (${criticalCount}) exceed threshold (${gate.thresholds.maxCritical})`,
-            };
-        }
-        if (highCount > gate.thresholds.maxHigh) {
-            return {
-                status: "failed",
-                message: `High-severity vulnerabilities (${highCount}) exceed threshold (${gate.thresholds.maxHigh})`,
-            };
-        }
-        if (averageScore < gate.thresholds.minSecurityScore) {
-            return {
-                status: "failed",
-                message: `Security score (${averageScore.toFixed(1)}) below threshold (${gate.thresholds.minSecurityScore})`,
-            };
-        }
-        if (mediumCount > gate.thresholds.maxMedium) {
-            return {
-                status: "warning",
-                message: `Medium-severity vulnerabilities (${mediumCount}) exceed threshold (${gate.thresholds.maxMedium})`,
-            };
-        }
-        return {
-            status: "passed",
-            message: "All security checks passed",
-        };
-    }
-    /**
-     * Generate pipeline security report
-     */
-    generatePipelineReport(reportId, stage, startTime, status, gateResults, context) {
-        const allFindings = gateResults.flatMap((gate) => gate.checks.flatMap((check) => check.findings));
-        const summary = {
-            totalIssues: allFindings.length,
-            criticalIssues: allFindings.filter((f) => f.severity === "critical").length,
-            highIssues: allFindings.filter((f) => f.severity === "high").length,
-            mediumIssues: allFindings.filter((f) => f.severity === "medium").length,
-            lowIssues: allFindings.filter((f) => f.severity === "low").length,
-            securityScore: this.calculateOverallSecurityScore(gateResults),
-            compliance: status === "passed",
-        };
-        const recommendations = this.generateRecommendations(gateResults, summary);
-        return {
-            reportId,
-            timestamp: new Date(),
-            stage,
-            status,
-            duration: Date.now() - startTime,
-            gates: gateResults,
-            summary,
-            recommendations,
-            artifacts: this.generateArtifacts(reportId, gateResults),
-        };
-    }
-    /**
-     * Calculate overall security score
-     */
-    calculateOverallSecurityScore(gateResults) {
-        const allChecks = gateResults.flatMap((gate) => gate.checks);
-        if (allChecks.length === 0) {
-            return 100;
-        }
-        const totalScore = allChecks.reduce((sum, check) => sum + check.score, 0);
-        return totalScore / allChecks.length;
-    }
-    /**
-     * Generate recommendations based on results
-     */
-    generateRecommendations(gateResults, summary) {
-        const recommendations = [];
-        if (summary.criticalIssues > 0) {
-            recommendations.push("Address critical security vulnerabilities immediately before deployment");
-        }
-        if (summary.highIssues > 5) {
-            recommendations.push("Review and remediate high-severity security issues");
-        }
-        if (summary.securityScore < 80) {
-            recommendations.push("Improve overall security posture through code review and security training");
-        }
-        const failedGates = gateResults.filter((gate) => gate.status === "failed");
-        if (failedGates.length > 0) {
-            recommendations.push(`Review failed security gates: ${failedGates.map((g) => g.gateName).join(", ")}`);
-        }
-        return recommendations;
-    }
-    /**
-     * Generate artifacts for the security report
-     */
-    generateArtifacts(reportId, gateResults) {
-        // In a real implementation, this would generate SARIF files, security reports, etc.
-        return [`security-report-${reportId}.json`, `security-findings-${reportId}.sarif`];
-    }
-    /**
-     * Create empty report for stages with no gates
-     */
-    createEmptyReport(reportId, stage, startTime) {
+    // --- Private Helpers ---
+    buildDefaultContext() {
         return {
-            reportId,
-            timestamp: new Date(),
-            stage,
-            status: "passed",
-            duration: Date.now() - startTime,
-            gates: [],
-            summary: {
-                totalIssues: 0,
-                criticalIssues: 0,
-                highIssues: 0,
-                mediumIssues: 0,
-                lowIssues: 0,
-                securityScore: 100,
-                compliance: true,
-            },
-            recommendations: [],
-            artifacts: [],
+            repositoryUrl: this.config.repositoryUrl ?? "",
+            branch: this.config.branch ?? "main",
+            commit: this.config.commitHash ?? "",
+            author: this.config.author ?? "",
+            environment: this.config.environment ?? "test",
+            buildNumber: this.config.buildNumber ?? "0",
+            artifacts: this.config.artifacts ?? [],
         };
     }
-    /**
-     * Initialize default security gates
-     */
     initializeDefaultGates() {
         // Pre-commit gate
         this.gates.set("pre-commit", {
@@ -958,95 +504,5 @@ export class SecurityCIPipeline {
             exceptions: [],
         });
     }
-    /**
-     * Get security gate configuration
-     */
-    getSecurityGate(gateId) {
-        return this.gates.get(gateId) || null;
-    }
-    /**
-     * Update security gate configuration
-     */
-    updateSecurityGate(gateId, updates) {
-        const gate = this.gates.get(gateId);
-        if (!gate) {
-            return false;
-        }
-        const updatedGate = { ...gate, ...updates, id: gateId };
-        this.gates.set(gateId, updatedGate);
-        logger.info(`Updated security gate: ${updatedGate.name}`, { gateName: updatedGate.name });
-        return true;
-    }
-    /**
-     * Get pipeline reports
-     */
-    getReports(options = {}) {
-        let reports = [...this.reports];
-        if (options.stage) {
-            reports = reports.filter((r) => r.stage === options.stage);
-        }
-        if (options.status) {
-            reports = reports.filter((r) => r.status === options.status);
-        }
-        if (options.since) {
-            reports = reports.filter((r) => r.timestamp >= options.since);
-        }
-        // Sort by timestamp (newest first)
-        reports.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());
-        if (options.limit) {
-            reports = reports.slice(0, options.limit);
-        }
-        return reports;
-    }
-    /**
-     * Get pipeline statistics
-     */
-    getStatistics() {
-        const totalReports = this.reports.length;
-        const passedReports = this.reports.filter((r) => r.status === "passed").length;
-        const passRate = totalReports > 0 ? passedReports / totalReports : 1;
-        const averageSecurityScore = totalReports > 0 ? this.reports.reduce((sum, r) => sum + r.summary.securityScore, 0) / totalReports : 100;
-        // Count issue types
-        const issueTypes = {};
-        this.reports.forEach((report) => {
-            report.gates.forEach((gate) => {
-                gate.checks.forEach((check) => {
-                    check.findings.forEach((finding) => {
-                        issueTypes[finding.type] = (issueTypes[finding.type] || 0) + 1;
-                    });
-                });
-            });
-        });
-        const mostCommonIssues = Object.entries(issueTypes)
-            .map(([type, count]) => ({ type, count }))
-            .sort((a, b) => b.count - a.count)
-            .slice(0, 5);
-        // Calculate gate performance
-        const gateStats = {};
-        this.reports.forEach((report) => {
-            report.gates.forEach((gate) => {
-                if (!gateStats[gate.gateId]) {
-                    gateStats[gate.gateId] = { total: 0, passed: 0, totalDuration: 0 };
-                }
-                gateStats[gate.gateId].total++;
-                gateStats[gate.gateId].totalDuration += gate.duration;
-                if (gate.status === "passed") {
-                    gateStats[gate.gateId].passed++;
-                }
-            });
-        });
-        const gatePerformance = Object.entries(gateStats).map(([gateId, stats]) => ({
-            gateId,
-            successRate: stats.total > 0 ? stats.passed / stats.total : 0,
-            averageDuration: stats.total > 0 ? stats.totalDuration / stats.total : 0,
-        }));
-        return {
-            totalReports,
-            passRate,
-            averageSecurityScore,
-            mostCommonIssues,
-            gatePerformance,
-        };
-    }
 }
 //# sourceMappingURL=SecurityCIPipeline.js.map