octo-vec 1.0.0

package/dist/flows/index.js

@@ -0,0 +1,43 @@
+/**
+ * OCTO-FLOWS — named automated pipelines that agents can trigger as tools.
+ *
+ * Each flow is a TypeScript module that exports an executor function.
+ * The registry maps flow name → executor. To add a new flow:
+ *   1. Create src/flows/myFlow.ts exporting an async (ctx) => FlowResult
+ *   2. Register it in FLOW_REGISTRY below
+ *   3. It becomes available via the run_flow tool automatically
+ */
+import { codeScanFlow } from "./codeScanFlow.js";
+import { semgrepScanFlow } from "./semgrepScanFlow.js";
+import { gitleaksScanFlow } from "./gitleaksScanFlow.js";
+import { trivyScanFlow } from "./trivyScanFlow.js";
+// ── Registry ───────────────────────────────────────────────────────────────────
+const FLOW_REGISTRY = {
+    "code-scan": codeScanFlow,
+    "sast-scan": semgrepScanFlow,
+    "secret-scan": gitleaksScanFlow,
+    "sca-scan": trivyScanFlow,
+};
+/** All registered flow names — exposed for tool descriptions. */
+export const FLOW_NAMES = Object.keys(FLOW_REGISTRY);
+// ── Dispatcher ─────────────────────────────────────────────────────────────────
+export async function runFlow(name, ctx) {
+    const executor = FLOW_REGISTRY[name];
+    if (!executor) {
+        return {
+            success: false,
+            summary: `Unknown flow: '${name}'. Available flows: ${FLOW_NAMES.join(", ")}`,
+        };
+    }
+    try {
+        return await executor(ctx);
+    }
+    catch (err) {
+        return {
+            success: false,
+            summary: `Flow '${name}' threw an error: ${String(err)}`,
+            details: String(err),
+        };
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/flows/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/flows/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAyBnD,kFAAkF;AAElF,MAAM,aAAa,GAAiC;IAClD,WAAW,EAAE,YAAY;IACzB,WAAW,EAAE,eAAe;IAC5B,aAAa,EAAE,gBAAgB;IAC/B,UAAU,EAAE,aAAa;CAC1B,CAAC;AAEF,iEAAiE;AACjE,MAAM,CAAC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;AAErD,kFAAkF;AAElF,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAY,EAAE,GAAgB;IAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,kBAAkB,IAAI,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC9E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,SAAS,IAAI,qBAAqB,MAAM,CAAC,GAAG,CAAC,EAAE;YACxD,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC;SACrB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/flows/semgrepScanFlow.d.ts

@@ -0,0 +1,13 @@
+/**
+ * OCTO-FLOW: SAST Scan — runs Semgrep static analysis via Docker.
+ *
+ * Prerequisites:
+ *   - Docker available in PATH
+ *   - Internet access (Semgrep downloads rules on first run)
+ *
+ * The scanner runs as a Docker container (no local install needed).
+ * Uses `--config=auto` for the recommended ruleset (OWASP Top 10, injection, crypto, etc.).
+ */
+import type { FlowContext, FlowResult } from "./index.js";
+export declare function semgrepScanFlow(ctx: FlowContext): Promise<FlowResult>;
+//# sourceMappingURL=semgrepScanFlow.d.ts.map

package/dist/flows/semgrepScanFlow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrepScanFlow.d.ts","sourceRoot":"","sources":["../../src/flows/semgrepScanFlow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAY1D,wBAAsB,eAAe,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAkI3E"}

package/dist/flows/semgrepScanFlow.js

@@ -0,0 +1,211 @@
+/**
+ * OCTO-FLOW: SAST Scan — runs Semgrep static analysis via Docker.
+ *
+ * Prerequisites:
+ *   - Docker available in PATH
+ *   - Internet access (Semgrep downloads rules on first run)
+ *
+ * The scanner runs as a Docker container (no local install needed).
+ * Uses `--config=auto` for the recommended ruleset (OWASP Top 10, injection, crypto, etc.).
+ */
+import { execSync } from "child_process";
+import { mkdirSync, writeFileSync } from "fs";
+import path from "path";
+import { config, sharedWorkspace } from "../config.js";
+/** Severity levels in descending order of importance. */
+const SEVERITY_ORDER = ["ERROR", "WARNING", "INFO"];
+/** Map Semgrep severity → human-readable label. */
+const SEVERITY_LABEL = {
+    ERROR: "CRITICAL/HIGH",
+    WARNING: "MEDIUM",
+    INFO: "LOW",
+};
+export async function semgrepScanFlow(ctx) {
+    const { taskId, targetPath, options } = ctx;
+    // ── 1. Resolve absolute target path ──────────────────────────────────────
+    const absTarget = path.isAbsolute(targetPath)
+        ? targetPath
+        : path.resolve(config.workspace, targetPath);
+    // Safety: ensure the target is inside the workspace
+    const normalizedTarget = path.resolve(absTarget);
+    const normalizedWorkspace = path.resolve(config.workspace);
+    if (normalizedTarget !== normalizedWorkspace && !normalizedTarget.startsWith(normalizedWorkspace + path.sep)) {
+        return {
+            success: false,
+            summary: `Scan target "${targetPath}" resolves outside the workspace. Only workspace paths are allowed.`,
+        };
+    }
+    // ── 2. Severity threshold for pass/fail ────────────────────────────────
+    const failSeverity = (options?.fail_severity ?? "ERROR").toUpperCase();
+    // ── 3. Run Semgrep via Docker ──────────────────────────────────────────
+    const dockerMountPath = absTarget.replace(/\\/g, "/");
+    const semgrepCmd = [
+        "docker run --rm",
+        `-v "${dockerMountPath}:/src"`,
+        "semgrep/semgrep",
+        "semgrep scan",
+        "--config=auto",
+        "--json",
+        "--quiet",
+        "--no-git-ignore",
+        "/src",
+    ].join(" ");
+    let rawOutput = "";
+    let scanFailed = false;
+    try {
+        rawOutput = execSync(semgrepCmd, {
+            encoding: "utf-8",
+            timeout: 300_000, // 5 min for large projects
+            maxBuffer: 50 * 1024 * 1024, // 50MB — Semgrep JSON can be large
+            env: { ...process.env, MSYS_NO_PATHCONV: "1" }, // prevent Git Bash mangling /src on Windows
+        });
+    }
+    catch (err) {
+        // Semgrep exits non-zero when findings exist — check if we still got JSON
+        if (err?.stdout) {
+            rawOutput = err.stdout;
+        }
+        else {
+            scanFailed = true;
+            rawOutput = String(err?.stderr ?? err?.message ?? err);
+        }
+    }
+    // ── 4. Parse JSON results ──────────────────────────────────────────────
+    let findings = [];
+    let parseError = "";
+    if (!scanFailed) {
+        try {
+            const parsed = JSON.parse(rawOutput);
+            findings = (parsed.results ?? []).map((r) => ({
+                ruleId: r.check_id ?? "unknown",
+                severity: r.extra?.severity ?? "INFO",
+                message: r.extra?.message ?? r.message ?? "No message",
+                file: r.path ?? "unknown",
+                line: r.start?.line ?? 0,
+                endLine: r.end?.line ?? 0,
+                metadata: r.extra?.metadata ?? {},
+            }));
+        }
+        catch {
+            parseError = "Failed to parse Semgrep JSON output.";
+            scanFailed = true;
+        }
+    }
+    // ── 5. Build markdown report ───────────────────────────────────────────
+    const report = buildMarkdownReport({
+        taskId,
+        targetPath: absTarget,
+        scanFailed,
+        parseError,
+        rawOutput: scanFailed ? rawOutput : "",
+        findings,
+    });
+    // ── 6. Write report ───────────────────────────────────────────────────
+    const reportsDir = path.join(sharedWorkspace, "reports");
+    mkdirSync(reportsDir, { recursive: true });
+    const reportFileName = `sast-scan-${taskId.toLowerCase()}-${Date.now()}.md`;
+    const reportPath = path.join(reportsDir, reportFileName);
+    writeFileSync(reportPath, report, "utf-8");
+    const relativeReportPath = `shared/reports/${reportFileName}`;
+    // ── 7. Determine pass/fail based on severity threshold ─────────────────
+    const failSeverities = SEVERITY_ORDER.slice(0, SEVERITY_ORDER.indexOf(failSeverity) + 1);
+    const criticalFindings = findings.filter((f) => failSeverities.includes(f.severity));
+    const hasCritical = criticalFindings.length > 0;
+    // Build summary counts
+    const counts = { ERROR: 0, WARNING: 0, INFO: 0 };
+    for (const f of findings) {
+        if (f.severity in counts)
+            counts[f.severity]++;
+    }
+    const countStr = `${counts.ERROR} critical/high, ${counts.WARNING} medium, ${counts.INFO} low`;
+    if (scanFailed) {
+        return {
+            success: false,
+            summary: `SAST scan encountered errors. Partial report saved to ${relativeReportPath}.`,
+            reportPath: relativeReportPath,
+            details: (parseError || rawOutput).substring(0, 500),
+        };
+    }
+    return {
+        success: !hasCritical,
+        summary: hasCritical
+            ? `SAST scan FAILED — ${findings.length} findings (${countStr}). Report: ${relativeReportPath}`
+            : `SAST scan PASSED — ${findings.length} findings (${countStr}). Report: ${relativeReportPath}`,
+        reportPath: relativeReportPath,
+    };
+}
+function buildMarkdownReport(opts) {
+    const { taskId, targetPath, scanFailed, parseError, rawOutput, findings } = opts;
+    const now = new Date().toISOString();
+    const lines = [
+        `# SAST Scan Report — ${taskId}`,
+        ``,
+        `**Generated:** ${now}`,
+        `**Scanner:** Semgrep (config=auto)`,
+        `**Scanned Path:** \`${targetPath}\``,
+        `**Total Findings:** ${findings.length}`,
+        ``,
+    ];
+    if (scanFailed) {
+        lines.push(`> **WARNING:** Scanner encountered errors. Results below may be partial.`);
+        if (parseError)
+            lines.push(`> ${parseError}`);
+        if (rawOutput) {
+            lines.push(``, "```", rawOutput.substring(0, 1000), "```", ``);
+        }
+        lines.push(``);
+    }
+    // ── Summary table ───────────────────────────────────────────────────────
+    const counts = { ERROR: 0, WARNING: 0, INFO: 0 };
+    for (const f of findings) {
+        if (f.severity in counts)
+            counts[f.severity]++;
+    }
+    lines.push(`## Summary`);
+    lines.push(``);
+    lines.push(`| Severity | Count |`);
+    lines.push(`|----------|-------|`);
+    lines.push(`| Critical/High (ERROR) | ${counts.ERROR} |`);
+    lines.push(`| Medium (WARNING) | ${counts.WARNING} |`);
+    lines.push(`| Low (INFO) | ${counts.INFO} |`);
+    lines.push(``);
+    // ── Findings by severity ────────────────────────────────────────────────
+    if (!findings.length) {
+        lines.push(`## Findings`);
+        lines.push(``);
+        lines.push(`_No security findings detected. Code looks clean._`);
+        lines.push(``);
+    }
+    else {
+        lines.push(`## Findings`);
+        lines.push(``);
+        for (const sev of SEVERITY_ORDER) {
+            const group = findings.filter((f) => f.severity === sev);
+            if (!group.length)
+                continue;
+            const label = SEVERITY_LABEL[sev] ?? sev;
+            lines.push(`### ${label} (${group.length})`);
+            lines.push(``);
+            for (const f of group) {
+                // Strip /src/ prefix from Docker paths for readability
+                const cleanFile = f.file.replace(/^\/src\//, "");
+                const lineRef = f.line ? `:${f.line}` : "";
+                lines.push(`- **\`${cleanFile}${lineRef}\`** — ${f.message}`);
+                lines.push(`  - Rule: \`${f.ruleId}\``);
+                if (f.metadata?.cwe) {
+                    const cwes = Array.isArray(f.metadata.cwe) ? f.metadata.cwe.join(", ") : f.metadata.cwe;
+                    lines.push(`  - CWE: ${cwes}`);
+                }
+                if (f.metadata?.owasp) {
+                    const owasp = Array.isArray(f.metadata.owasp) ? f.metadata.owasp.join(", ") : f.metadata.owasp;
+                    lines.push(`  - OWASP: ${owasp}`);
+                }
+            }
+            lines.push(``);
+        }
+    }
+    lines.push(`---`);
+    lines.push(`_Generated by OCTO-FLOWS SAST Scan (Semgrep) | VEC-ATP_`);
+    return lines.join("\n");
+}
+//# sourceMappingURL=semgrepScanFlow.js.map

package/dist/flows/semgrepScanFlow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrepScanFlow.js","sourceRoot":"","sources":["../../src/flows/semgrepScanFlow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGvD,yDAAyD;AACzD,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAU,CAAC;AAE7D,mDAAmD;AACnD,MAAM,cAAc,GAA2B;IAC7C,KAAK,EAAE,eAAe;IACtB,OAAO,EAAE,QAAQ;IACjB,IAAI,EAAE,KAAK;CACZ,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAgB;IACpD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAE5C,4EAA4E;IAC5E,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAC3C,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAE/C,oDAAoD;IACpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,mBAAmB,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3D,IAAI,gBAAgB,KAAK,mBAAmB,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7G,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,gBAAgB,UAAU,qEAAqE;SACzG,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,MAAM,YAAY,GAAG,CAAC,OAAO,EAAE,aAAa,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAEvE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEtD,MAAM,UAAU,GAAG;QACjB,iBAAiB;QACjB,OAAO,eAAe,QAAQ;QAC9B,iBAAiB;QACjB,cAAc;QACd,eAAe;QACf,QAAQ;QACR,SAAS;QACT,iBAAiB;QACjB,MAAM;KACP,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEZ,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,QAAQ,CAAC,UAAU,EAAE;YAC/B,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,OAAO,EAAE,2BAA2B;YAC7C,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,mCAAmC;YAChE,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,4CAA4C;SAC7F,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,0EAA0E;QAC1E,IAAI,GAAG,EAAE,MAAM,EAAE,CAAC;YAChB,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,IAAI,CAAC;YAClB,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,QAAQ,GAAqB,EAAE,CAAC;IACpC,IAAI,UAAU,GAAG,EAAE,CAAC;IAEpB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,QAAQ,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBACjD,MAAM,EAAE,CAAC,CAAC,QAAQ,IAAI,SAAS;gBAC/B,QAAQ,EAAE,CAAC,CAAC,KAAK,EAAE,QAAQ,IAAI,MAAM;gBACrC,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,OAAO,IAAI,CAAC,CAAC,OAAO,IAAI,YAAY;gBACtD,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS;gBACzB,IAAI,EAAE,CAAC,CAAC,KAAK,EAAE,IAAI,IAAI,CAAC;gBACxB,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;gBACzB,QAAQ,EAAE,CAAC,CAAC,KAAK,EAAE,QAAQ,IAAI,EAAE;aAClC,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,sCAAsC,CAAC;YACpD,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,MAAM,MAAM,GAAG,mBAAmB,CAAC;QACjC,MAAM;QACN,UAAU,EAAE,SAAS;QACrB,UAAU;QACV,UAAU;QACV,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;QACtC,QAAQ;KACT,CAAC,CAAC;IAEH,yEAAyE;IACzE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;IACzD,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,cAAc,GAAG,aAAa,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACzD,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,kBAAkB,GAAG,kBAAkB,cAAc,EAAE,CAAC;IAE9D,0EAA0E;IAC1E,MAAM,cAAc,GAAG,cAAc,CAAC,KAAK,CACzC,CAAC,EACD,cAAc,CAAC,OAAO,CAAC,YAAmB,CAAC,GAAG,CAAC,CAChD,CAAC;IACF,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7C,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAe,CAAC,CAC3C,CAAC;IACF,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhD,uBAAuB;IACvB,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,IAAI,MAAM;YAAE,MAAM,CAAC,CAAC,CAAC,QAA+B,CAAC,EAAE,CAAC;IACxE,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,KAAK,mBAAmB,MAAM,CAAC,OAAO,YAAY,MAAM,CAAC,IAAI,MAAM,CAAC;IAE/F,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,yDAAyD,kBAAkB,GAAG;YACvF,UAAU,EAAE,kBAAkB;YAC9B,OAAO,EAAE,CAAC,UAAU,IAAI,SAAS,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;SACrD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC,WAAW;QACrB,OAAO,EAAE,WAAW;YAClB,CAAC,CAAC,sBAAsB,QAAQ,CAAC,MAAM,cAAc,QAAQ,cAAc,kBAAkB,EAAE;YAC/F,CAAC,CAAC,sBAAsB,QAAQ,CAAC,MAAM,cAAc,QAAQ,cAAc,kBAAkB,EAAE;QACjG,UAAU,EAAE,kBAAkB;KAC/B,CAAC;AACJ,CAAC;AAyBD,SAAS,mBAAmB,CAAC,IAAmB;IAC9C,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IACjF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,KAAK,GAAa;QACtB,wBAAwB,MAAM,EAAE;QAChC,EAAE;QACF,kBAAkB,GAAG,EAAE;QACvB,oCAAoC;QACpC,uBAAuB,UAAU,IAAI;QACrC,uBAAuB,QAAQ,CAAC,MAAM,EAAE;QACxC,EAAE;KACH,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QACvF,IAAI,UAAU;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC,CAAC;QAC9C,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,2EAA2E;IAC3E,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,IAAI,MAAM;YAAE,MAAM,CAAC,CAAC,CAAC,QAA+B,CAAC,EAAE,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;IAC1D,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC;IAC9C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,2EAA2E;IAC3E,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QACjE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,MAAM;gBAAE,SAAS;YAE5B,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAC7C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAEf,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,uDAAuD;gBACvD,MAAM,SAAS,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3C,KAAK,CAAC,IAAI,CAAC,SAAS,SAAS,GAAG,OAAO,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC9D,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC;oBACpB,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;oBACxF,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;gBACjC,CAAC;gBACD,IAAI,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC/F,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,EAAE,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;IAEtE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/flows/trivyScanFlow.d.ts

@@ -0,0 +1,13 @@
+/**
+ * OCTO-FLOW: SCA Scan — runs Trivy via Docker to detect dependency vulnerabilities.
+ *
+ * Prerequisites:
+ *   - Docker available in PATH
+ *
+ * Scans a project's filesystem (package-lock.json, yarn.lock, etc.) for known
+ * CVEs in dependencies using the Trivy vulnerability database.
+ * Also detects secrets and misconfigurations as a bonus.
+ */
+import type { FlowContext, FlowResult } from "./index.js";
+export declare function trivyScanFlow(ctx: FlowContext): Promise<FlowResult>;
+//# sourceMappingURL=trivyScanFlow.d.ts.map

package/dist/flows/trivyScanFlow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivyScanFlow.d.ts","sourceRoot":"","sources":["../../src/flows/trivyScanFlow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAK1D,wBAAsB,aAAa,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA6HzE"}

package/dist/flows/trivyScanFlow.js

@@ -0,0 +1,198 @@
+/**
+ * OCTO-FLOW: SCA Scan — runs Trivy via Docker to detect dependency vulnerabilities.
+ *
+ * Prerequisites:
+ *   - Docker available in PATH
+ *
+ * Scans a project's filesystem (package-lock.json, yarn.lock, etc.) for known
+ * CVEs in dependencies using the Trivy vulnerability database.
+ * Also detects secrets and misconfigurations as a bonus.
+ */
+import { execSync } from "child_process";
+import { mkdirSync, writeFileSync } from "fs";
+import path from "path";
+import { config, sharedWorkspace } from "../config.js";
+/** Trivy severity levels in descending order. */
+const SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"];
+export async function trivyScanFlow(ctx) {
+    const { taskId, targetPath, options } = ctx;
+    // ── 1. Resolve absolute target path ──────────────────────────────────────
+    const absTarget = path.isAbsolute(targetPath)
+        ? targetPath
+        : path.resolve(config.workspace, targetPath);
+    const normalizedTarget = path.resolve(absTarget);
+    const normalizedWorkspace = path.resolve(config.workspace);
+    if (normalizedTarget !== normalizedWorkspace && !normalizedTarget.startsWith(normalizedWorkspace + path.sep)) {
+        return {
+            success: false,
+            summary: `Scan target "${targetPath}" resolves outside the workspace. Only workspace paths are allowed.`,
+        };
+    }
+    // ── 2. Severity threshold for pass/fail ────────────────────────────────
+    const failSeverity = (options?.fail_severity ?? "HIGH").toUpperCase();
+    // ── 3. Run Trivy via Docker ────────────────────────────────────────────
+    const dockerMountPath = absTarget.replace(/\\/g, "/");
+    // Trivy fs mode: scans filesystem for vulnerable dependencies + secrets
+    const trivyCmd = [
+        "docker run --rm",
+        `-v "${dockerMountPath}:/src"`,
+        "aquasec/trivy:latest",
+        "fs",
+        "--format=json",
+        "--scanners=vuln,secret",
+        "--skip-dirs=node_modules/.cache",
+        "/src",
+    ].join(" ");
+    let rawOutput = "";
+    let scanFailed = false;
+    try {
+        rawOutput = execSync(trivyCmd, {
+            encoding: "utf-8",
+            timeout: 300_000, // 5 min
+            maxBuffer: 50 * 1024 * 1024,
+            env: { ...process.env, MSYS_NO_PATHCONV: "1" },
+        });
+    }
+    catch (err) {
+        if (err?.stdout) {
+            rawOutput = err.stdout;
+        }
+        else {
+            scanFailed = true;
+            rawOutput = String(err?.stderr ?? err?.message ?? err);
+        }
+    }
+    // ── 4. Parse JSON results ──────────────────────────────────────────────
+    let findings = [];
+    let parseError = "";
+    if (!scanFailed) {
+        try {
+            const parsed = JSON.parse(rawOutput);
+            const results = parsed.Results ?? [];
+            for (const result of results) {
+                const vulns = result.Vulnerabilities ?? [];
+                for (const v of vulns) {
+                    findings.push({
+                        target: result.Target ?? "unknown",
+                        pkgName: v.PkgName ?? "unknown",
+                        installedVersion: v.InstalledVersion ?? "",
+                        fixedVersion: v.FixedVersion ?? "",
+                        severity: v.Severity ?? "UNKNOWN",
+                        vulnId: v.VulnerabilityID ?? "",
+                        title: v.Title ?? v.Description ?? "No description",
+                        primaryUrl: v.PrimaryURL ?? "",
+                    });
+                }
+            }
+        }
+        catch {
+            parseError = "Failed to parse Trivy JSON output.";
+            scanFailed = true;
+        }
+    }
+    // ── 5. Build markdown report ───────────────────────────────────────────
+    const report = buildMarkdownReport({ taskId, targetPath: absTarget, scanFailed, parseError, rawOutput: scanFailed ? rawOutput : "", findings });
+    // ── 6. Write report ───────────────────────────────────────────────────
+    const reportsDir = path.join(sharedWorkspace, "reports");
+    mkdirSync(reportsDir, { recursive: true });
+    const reportFileName = `sca-scan-${taskId.toLowerCase()}-${Date.now()}.md`;
+    const reportPath = path.join(reportsDir, reportFileName);
+    writeFileSync(reportPath, report, "utf-8");
+    const relativeReportPath = `shared/reports/${reportFileName}`;
+    // ── 7. Determine pass/fail based on severity threshold ─────────────────
+    const failIdx = SEVERITY_ORDER.indexOf(failSeverity);
+    const failSeverities = failIdx >= 0 ? SEVERITY_ORDER.slice(0, failIdx + 1) : ["CRITICAL", "HIGH"];
+    const criticalFindings = findings.filter((f) => failSeverities.includes(f.severity));
+    const hasCritical = criticalFindings.length > 0;
+    // Build summary counts
+    const counts = {};
+    for (const sev of SEVERITY_ORDER)
+        counts[sev] = 0;
+    for (const f of findings)
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+    const countStr = `${counts.CRITICAL} critical, ${counts.HIGH} high, ${counts.MEDIUM} medium, ${counts.LOW} low`;
+    if (scanFailed) {
+        return {
+            success: false,
+            summary: `SCA scan encountered errors. Partial report saved to ${relativeReportPath}.`,
+            reportPath: relativeReportPath,
+            details: (parseError || rawOutput).substring(0, 500),
+        };
+    }
+    return {
+        success: !hasCritical,
+        summary: hasCritical
+            ? `SCA scan FAILED — ${findings.length} vulnerable dependencies (${countStr}). Report: ${relativeReportPath}`
+            : `SCA scan PASSED — ${findings.length} findings (${countStr}). Report: ${relativeReportPath}`,
+        reportPath: relativeReportPath,
+    };
+}
+function buildMarkdownReport(opts) {
+    const { taskId, targetPath, scanFailed, parseError, rawOutput, findings } = opts;
+    const now = new Date().toISOString();
+    const lines = [
+        `# SCA Scan Report — ${taskId}`,
+        ``,
+        `**Generated:** ${now}`,
+        `**Scanner:** Trivy (filesystem mode — vuln + secret scanners)`,
+        `**Scanned Path:** \`${targetPath}\``,
+        `**Total Vulnerabilities:** ${findings.length}`,
+        ``,
+    ];
+    if (scanFailed) {
+        lines.push(`> **WARNING:** Scanner encountered errors. Results below may be partial.`);
+        if (parseError)
+            lines.push(`> ${parseError}`);
+        if (rawOutput) {
+            lines.push(``, "```", rawOutput.substring(0, 1000), "```", ``);
+        }
+        lines.push(``);
+    }
+    // ── Summary table ───────────────────────────────────────────────────────
+    const counts = {};
+    for (const sev of SEVERITY_ORDER)
+        counts[sev] = 0;
+    for (const f of findings)
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+    lines.push(`## Summary`);
+    lines.push(``);
+    lines.push(`| Severity | Count |`);
+    lines.push(`|----------|-------|`);
+    for (const sev of SEVERITY_ORDER) {
+        if (counts[sev] > 0 || sev === "CRITICAL" || sev === "HIGH") {
+            lines.push(`| ${sev} | ${counts[sev]} |`);
+        }
+    }
+    lines.push(``);
+    // ── Findings by severity ────────────────────────────────────────────────
+    if (!findings.length) {
+        lines.push(`## Vulnerabilities`);
+        lines.push(``);
+        lines.push(`_No known vulnerabilities found in dependencies._`);
+        lines.push(``);
+    }
+    else {
+        lines.push(`## Vulnerabilities`);
+        lines.push(``);
+        for (const sev of SEVERITY_ORDER) {
+            const group = findings.filter((f) => f.severity === sev);
+            if (!group.length)
+                continue;
+            lines.push(`### ${sev} (${group.length})`);
+            lines.push(``);
+            lines.push(`| Package | Installed | Fixed | CVE | Description |`);
+            lines.push(`|---------|-----------|-------|-----|-------------|`);
+            for (const f of group) {
+                const fixed = f.fixedVersion || "_no fix yet_";
+                const cve = f.primaryUrl ? `[${f.vulnId}](${f.primaryUrl})` : f.vulnId;
+                const title = f.title.length > 80 ? f.title.substring(0, 77) + "..." : f.title;
+                lines.push(`| ${f.pkgName} | ${f.installedVersion} | ${fixed} | ${cve} | ${title} |`);
+            }
+            lines.push(``);
+        }
+    }
+    lines.push(`---`);
+    lines.push(`_Generated by OCTO-FLOWS SCA Scan (Trivy) | VEC-ATP_`);
+    return lines.join("\n");
+}
+//# sourceMappingURL=trivyScanFlow.js.map

package/dist/flows/trivyScanFlow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivyScanFlow.js","sourceRoot":"","sources":["../../src/flows/trivyScanFlow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGvD,iDAAiD;AACjD,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAU,CAAC;AAEjF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAgB;IAClD,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAE5C,4EAA4E;IAC5E,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAC3C,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAE/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,mBAAmB,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3D,IAAI,gBAAgB,KAAK,mBAAmB,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7G,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,gBAAgB,UAAU,qEAAqE;SACzG,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,MAAM,YAAY,GAAG,CAAC,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;IAEtE,0EAA0E;IAC1E,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEtD,wEAAwE;IACxE,MAAM,QAAQ,GAAG;QACf,iBAAiB;QACjB,OAAO,eAAe,QAAQ;QAC9B,sBAAsB;QACtB,IAAI;QACJ,eAAe;QACf,wBAAwB;QACxB,iCAAiC;QACjC,MAAM;KACP,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEZ,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,QAAQ,CAAC,QAAQ,EAAE;YAC7B,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,OAAO,EAAE,QAAQ;YAC1B,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;YAC3B,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,gBAAgB,EAAE,GAAG,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,IAAI,GAAG,EAAE,MAAM,EAAE,CAAC;YAChB,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,IAAI,CAAC;YAClB,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,EAAE,OAAO,IAAI,GAAG,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,QAAQ,GAAgB,EAAE,CAAC;IAC/B,IAAI,UAAU,GAAG,EAAE,CAAC;IAEpB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YACrC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;gBAC3C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;oBACtB,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS;wBAClC,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,SAAS;wBAC/B,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,IAAI,EAAE;wBAC1C,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,EAAE;wBAClC,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,SAAS;wBACjC,MAAM,EAAE,CAAC,CAAC,eAAe,IAAI,EAAE;wBAC/B,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,IAAI,gBAAgB;wBACnD,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,EAAE;qBAC/B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,oCAAoC,CAAC;YAClD,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,MAAM,MAAM,GAAG,mBAAmB,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEhJ,yEAAyE;IACzE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;IACzD,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE3C,MAAM,cAAc,GAAG,YAAY,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC;IAC3E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACzD,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAE3C,MAAM,kBAAkB,GAAG,kBAAkB,cAAc,EAAE,CAAC;IAE9D,0EAA0E;IAC1E,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,YAAmB,CAAC,CAAC;IAC5D,MAAM,cAAc,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAClG,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7C,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAe,CAAC,CAC3C,CAAC;IACF,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhD,uBAAuB;IACvB,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,QAAQ,cAAc,MAAM,CAAC,IAAI,UAAU,MAAM,CAAC,MAAM,YAAY,MAAM,CAAC,GAAG,MAAM,CAAC;IAEhH,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,wDAAwD,kBAAkB,GAAG;YACtF,UAAU,EAAE,kBAAkB;YAC9B,OAAO,EAAE,CAAC,UAAU,IAAI,SAAS,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;SACrD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,CAAC,WAAW;QACrB,OAAO,EAAE,WAAW;YAClB,CAAC,CAAC,qBAAqB,QAAQ,CAAC,MAAM,6BAA6B,QAAQ,cAAc,kBAAkB,EAAE;YAC7G,CAAC,CAAC,qBAAqB,QAAQ,CAAC,MAAM,cAAc,QAAQ,cAAc,kBAAkB,EAAE;QAChG,UAAU,EAAE,kBAAkB;KAC/B,CAAC;AACJ,CAAC;AA0BD,SAAS,mBAAmB,CAAC,IAAmB;IAC9C,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IACjF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,KAAK,GAAa;QACtB,uBAAuB,MAAM,EAAE;QAC/B,EAAE;QACF,kBAAkB,GAAG,EAAE;QACvB,+DAA+D;QAC/D,uBAAuB,UAAU,IAAI;QACrC,8BAA8B,QAAQ,CAAC,MAAM,EAAE;QAC/C,EAAE;KACH,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QACvF,IAAI,UAAU;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC,CAAC;QAC9C,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,2EAA2E;IAC3E,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAE7E,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,2EAA2E;IAC3E,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAChE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,MAAM;gBAAE,SAAS;YAE5B,KAAK,CAAC,IAAI,CAAC,OAAO,GAAG,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YAClE,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YAElE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,MAAM,KAAK,GAAG,CAAC,CAAC,YAAY,IAAI,cAAc,CAAC;gBAC/C,MAAM,GAAG,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACvE,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC/E,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,MAAM,CAAC,CAAC,gBAAgB,MAAM,KAAK,MAAM,GAAG,MAAM,KAAK,IAAI,CAAC,CAAC;YACxF,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IAEnE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/identity.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Founder identity — loaded once from ITS_ME.md at startup.
+ * Use `founder.name`, `founder.agentKey`, etc. everywhere instead of hardcoding.
+ */
+export interface FounderProfile {
+    /** Display name of the founder (e.g. "Akhil"). */
+    name: string;
+    /** Their role (e.g. "Founder & CEO"). */
+    role: string;
+    /**
+     * System agent key — always "user".
+     * This is a routing constant in ATP and should not change.
+     */
+    agentKey: "user";
+    /** Formatted display name for message headers (e.g. "Akhil (Founder)"). */
+    displayName: string;
+    /** Full raw content of ITS_ME.md — injected into agent prompts for context. */
+    raw: string;
+}
+/** Singleton — loaded synchronously once when this module is first imported. */
+export declare const founder: FounderProfile;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,WAAW,cAAc;IAC7B,kDAAkD;IAClD,IAAI,EAAE,MAAM,CAAC;IACb,yCAAyC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,+EAA+E;IAC/E,GAAG,EAAE,MAAM,CAAC;CACb;AA6BD,gFAAgF;AAChF,eAAO,MAAM,OAAO,gBAAS,CAAC"}

package/dist/identity.js

@@ -0,0 +1,34 @@
+/**
+ * Founder identity — loaded once from ITS_ME.md at startup.
+ * Use `founder.name`, `founder.agentKey`, etc. everywhere instead of hardcoding.
+ */
+import fs from "fs";
+import path from "path";
+import { USER_DATA_DIR } from "./config.js";
+function parseField(text, field) {
+    const m = new RegExp(`\\*\\*${field}:\\*\\*\\s*(.+)`).exec(text);
+    return m?.[1]?.trim() ?? "";
+}
+function load() {
+    const filePath = path.join(USER_DATA_DIR, "ITS_ME.md");
+    let raw = "";
+    try {
+        raw = fs.readFileSync(filePath, "utf-8");
+    }
+    catch {
+        // ITS_ME.md missing — fall back to bare minimum so the system still boots
+        raw = "**Name:** User\n**Role:** Founder & CEO";
+    }
+    const name = parseField(raw, "Name") || "User";
+    const role = parseField(raw, "Role") || "Founder & CEO";
+    return {
+        name,
+        role,
+        agentKey: "user",
+        displayName: `${name} (Founder)`,
+        raw,
+    };
+}
+/** Singleton — loaded synchronously once when this module is first imported. */
+export const founder = load();
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAkB5C,SAAS,UAAU,CAAC,IAAY,EAAE,KAAa;IAC7C,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,SAAS,KAAK,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,IAAI;IACX,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACvD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,GAAG,GAAG,yCAAyC,CAAC;IAClD,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC;IAC/C,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,eAAe,CAAC;IAExD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,GAAG,IAAI,YAAY;QAChC,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,MAAM,CAAC,MAAM,OAAO,GAAG,IAAI,EAAE,CAAC"}

package/dist/init.d.ts

@@ -0,0 +1,8 @@
+/**
+ * First-run bootstrapper — ensures USER_DATA_DIR exists and seeds
+ * required files (roster.json) from the package's core/ assets.
+ *
+ * Called once at the top of tower.ts main() before anything else.
+ */
+export declare function initUserDataDir(): void;
+//# sourceMappingURL=init.d.ts.map

package/dist/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,wBAAgB,eAAe,IAAI,IAAI,CAiBtC"}

package/dist/init.js

@@ -0,0 +1,27 @@
+/**
+ * First-run bootstrapper — ensures USER_DATA_DIR exists and seeds
+ * required files (roster.json) from the package's core/ assets.
+ *
+ * Called once at the top of tower.ts main() before anything else.
+ */
+import { existsSync, mkdirSync, copyFileSync } from "fs";
+import { join } from "path";
+import { USER_DATA_DIR, DEFAULT_ROSTER_PATH } from "./config.js";
+export function initUserDataDir() {
+    // Create the user data directory tree
+    const dirs = [
+        USER_DATA_DIR,
+        join(USER_DATA_DIR, "memory"),
+        join(USER_DATA_DIR, "agent-history"),
+    ];
+    for (const dir of dirs) {
+        mkdirSync(dir, { recursive: true });
+    }
+    // Seed roster.json from core/ if missing (first run)
+    const userRosterPath = join(USER_DATA_DIR, "roster.json");
+    if (!existsSync(userRosterPath)) {
+        copyFileSync(DEFAULT_ROSTER_PATH, userRosterPath);
+        console.log(`  [init] Created ${userRosterPath} from default template.`);
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAEjE,MAAM,UAAU,eAAe;IAC7B,sCAAsC;IACtC,MAAM,IAAI,GAAG;QACX,aAAa;QACb,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC;QAC7B,IAAI,CAAC,aAAa,EAAE,eAAe,CAAC;KACrC,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,qDAAqD;IACrD,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAChC,YAAY,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,oBAAoB,cAAc,yBAAyB,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC"}