npm - vaspera - Versions diffs - 2.13.0 → 2.15.0 - Mend

vaspera 2.13.0 → 2.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (300) hide show

package/CHANGELOG.md +78 -0
package/README.md +15 -2
package/dist/__tests__/antagonist-integration.test.d.ts +6 -0
package/dist/__tests__/antagonist-integration.test.d.ts.map +1 -0
package/dist/__tests__/antagonist-integration.test.js +239 -0
package/dist/__tests__/antagonist-integration.test.js.map +1 -0
package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts +2 -0
package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts.map +1 -0
package/dist/__tests__/certification/agent-certificate-e2e.test.js +90 -0
package/dist/__tests__/certification/agent-certificate-e2e.test.js.map +1 -0
package/dist/__tests__/certification/agent-certificate-map.test.d.ts +2 -0
package/dist/__tests__/certification/agent-certificate-map.test.d.ts.map +1 -0
package/dist/__tests__/certification/agent-certificate-map.test.js +107 -0
package/dist/__tests__/certification/agent-certificate-map.test.js.map +1 -0
package/dist/__tests__/certification/agent-certificate.test.d.ts +2 -0
package/dist/__tests__/certification/agent-certificate.test.d.ts.map +1 -0
package/dist/__tests__/certification/agent-certificate.test.js +78 -0
package/dist/__tests__/certification/agent-certificate.test.js.map +1 -0
package/dist/__tests__/certification/verify-endpoint.test.d.ts +2 -0
package/dist/__tests__/certification/verify-endpoint.test.d.ts.map +1 -0
package/dist/__tests__/certification/verify-endpoint.test.js +81 -0
package/dist/__tests__/certification/verify-endpoint.test.js.map +1 -0
package/dist/__tests__/compliance/ai-frameworks.test.d.ts +2 -0
package/dist/__tests__/compliance/ai-frameworks.test.d.ts.map +1 -0
package/dist/__tests__/compliance/ai-frameworks.test.js +87 -0
package/dist/__tests__/compliance/ai-frameworks.test.js.map +1 -0
package/dist/__tests__/eval/llm-analyzer.test.d.ts +2 -0
package/dist/__tests__/eval/llm-analyzer.test.d.ts.map +1 -0
package/dist/__tests__/eval/llm-analyzer.test.js +93 -0
package/dist/__tests__/eval/llm-analyzer.test.js.map +1 -0
package/dist/__tests__/eval/redteam-harness.test.d.ts +2 -0
package/dist/__tests__/eval/redteam-harness.test.d.ts.map +1 -0
package/dist/__tests__/eval/redteam-harness.test.js +136 -0
package/dist/__tests__/eval/redteam-harness.test.js.map +1 -0
package/dist/__tests__/evidence/evidence.test.d.ts +2 -0
package/dist/__tests__/evidence/evidence.test.d.ts.map +1 -0
package/dist/__tests__/evidence/evidence.test.js +240 -0
package/dist/__tests__/evidence/evidence.test.js.map +1 -0
package/dist/__tests__/history/decisions.test.d.ts +2 -0
package/dist/__tests__/history/decisions.test.d.ts.map +1 -0
package/dist/__tests__/history/decisions.test.js +54 -0
package/dist/__tests__/history/decisions.test.js.map +1 -0
package/dist/__tests__/http-auth.test.d.ts +2 -0
package/dist/__tests__/http-auth.test.d.ts.map +1 -0
package/dist/__tests__/http-auth.test.js +55 -0
package/dist/__tests__/http-auth.test.js.map +1 -0
package/dist/__tests__/http-policy.test.d.ts +2 -0
package/dist/__tests__/http-policy.test.d.ts.map +1 -0
package/dist/__tests__/http-policy.test.js +69 -0
package/dist/__tests__/http-policy.test.js.map +1 -0
package/dist/__tests__/http-server-transport.test.d.ts +2 -0
package/dist/__tests__/http-server-transport.test.d.ts.map +1 -0
package/dist/__tests__/http-server-transport.test.js +132 -0
package/dist/__tests__/http-server-transport.test.js.map +1 -0
package/dist/__tests__/integration/destructive-guards.test.d.ts +2 -0
package/dist/__tests__/integration/destructive-guards.test.d.ts.map +1 -0
package/dist/__tests__/integration/destructive-guards.test.js +49 -0
package/dist/__tests__/integration/destructive-guards.test.js.map +1 -0
package/dist/__tests__/logger-redaction.test.d.ts +2 -0
package/dist/__tests__/logger-redaction.test.d.ts.map +1 -0
package/dist/__tests__/logger-redaction.test.js +74 -0
package/dist/__tests__/logger-redaction.test.js.map +1 -0
package/dist/__tests__/manifest-schema.test.d.ts +2 -0
package/dist/__tests__/manifest-schema.test.d.ts.map +1 -0
package/dist/__tests__/manifest-schema.test.js +43 -0
package/dist/__tests__/manifest-schema.test.js.map +1 -0
package/dist/__tests__/scanners/builtin-rules.test.d.ts +2 -0
package/dist/__tests__/scanners/builtin-rules.test.d.ts.map +1 -0
package/dist/__tests__/scanners/builtin-rules.test.js +51 -0
package/dist/__tests__/scanners/builtin-rules.test.js.map +1 -0
package/dist/__tests__/scanners/runtime/golden-path-runner.test.js +13 -1
package/dist/__tests__/scanners/runtime/golden-path-runner.test.js.map +1 -1
package/dist/__tests__/tool-guard.test.d.ts +2 -0
package/dist/__tests__/tool-guard.test.d.ts.map +1 -0
package/dist/__tests__/tool-guard.test.js +97 -0
package/dist/__tests__/tool-guard.test.js.map +1 -0
package/dist/__tests__/util/contained-file.test.d.ts +2 -0
package/dist/__tests__/util/contained-file.test.d.ts.map +1 -0
package/dist/__tests__/util/contained-file.test.js +78 -0
package/dist/__tests__/util/contained-file.test.js.map +1 -0
package/dist/__tests__/util/subprocess.test.d.ts +2 -0
package/dist/__tests__/util/subprocess.test.d.ts.map +1 -0
package/dist/__tests__/util/subprocess.test.js +48 -0
package/dist/__tests__/util/subprocess.test.js.map +1 -0
package/dist/action/diff-mode.d.ts.map +1 -1
package/dist/action/diff-mode.js +31 -12
package/dist/action/diff-mode.js.map +1 -1
package/dist/agents/antagonist/challenger.d.ts +46 -0
package/dist/agents/antagonist/challenger.d.ts.map +1 -0
package/dist/agents/antagonist/challenger.js +257 -0
package/dist/agents/antagonist/challenger.js.map +1 -0
package/dist/agents/antagonist/index.d.ts +31 -0
package/dist/agents/antagonist/index.d.ts.map +1 -0
package/dist/agents/antagonist/index.js +175 -0
package/dist/agents/antagonist/index.js.map +1 -0
package/dist/agents/antagonist/prioritizer.d.ts +27 -0
package/dist/agents/antagonist/prioritizer.d.ts.map +1 -0
package/dist/agents/antagonist/prioritizer.js +181 -0
package/dist/agents/antagonist/prioritizer.js.map +1 -0
package/dist/agents/antagonist/prompts.d.ts +12 -0
package/dist/agents/antagonist/prompts.d.ts.map +1 -0
package/dist/agents/antagonist/prompts.js +155 -0
package/dist/agents/antagonist/prompts.js.map +1 -0
package/dist/agents/antagonist/synthesizer.d.ts +34 -0
package/dist/agents/antagonist/synthesizer.d.ts.map +1 -0
package/dist/agents/antagonist/synthesizer.js +451 -0
package/dist/agents/antagonist/synthesizer.js.map +1 -0
package/dist/agents/antagonist/types.d.ts +145 -0
package/dist/agents/antagonist/types.d.ts.map +1 -0
package/dist/agents/antagonist/types.js +63 -0
package/dist/agents/antagonist/types.js.map +1 -0
package/dist/agents/index.d.ts +1 -0
package/dist/agents/index.d.ts.map +1 -1
package/dist/agents/index.js +2 -0
package/dist/agents/index.js.map +1 -1
package/dist/certification/agent-certificate-map.d.ts +51 -0
package/dist/certification/agent-certificate-map.d.ts.map +1 -0
package/dist/certification/agent-certificate-map.js +265 -0
package/dist/certification/agent-certificate-map.js.map +1 -0
package/dist/certification/agent-certificate-sample.d.ts +25 -0
package/dist/certification/agent-certificate-sample.d.ts.map +1 -0
package/dist/certification/agent-certificate-sample.js +207 -0
package/dist/certification/agent-certificate-sample.js.map +1 -0
package/dist/certification/agent-certificate.d.ts +1981 -0
package/dist/certification/agent-certificate.d.ts.map +1 -0
package/dist/certification/agent-certificate.js +309 -0
package/dist/certification/agent-certificate.js.map +1 -0
package/dist/certification/autofix.d.ts.map +1 -1
package/dist/certification/autofix.js +5 -3
package/dist/certification/autofix.js.map +1 -1
package/dist/certification/consensus.test.js +2 -0
package/dist/certification/consensus.test.js.map +1 -1
package/dist/certification/store.d.ts.map +1 -1
package/dist/certification/store.js +11 -3
package/dist/certification/store.js.map +1 -1
package/dist/certification/types.d.ts +1 -1
package/dist/certification/types.d.ts.map +1 -1
package/dist/certification/types.js +2 -0
package/dist/certification/types.js.map +1 -1
package/dist/certification/verify-endpoint.d.ts +48 -0
package/dist/certification/verify-endpoint.d.ts.map +1 -0
package/dist/certification/verify-endpoint.js +79 -0
package/dist/certification/verify-endpoint.js.map +1 -0
package/dist/compliance/index.d.ts +2 -0
package/dist/compliance/index.d.ts.map +1 -1
package/dist/compliance/index.js +4 -0
package/dist/compliance/index.js.map +1 -1
package/dist/compliance/iso42001.d.ts +21 -0
package/dist/compliance/iso42001.d.ts.map +1 -0
package/dist/compliance/iso42001.js +160 -0
package/dist/compliance/iso42001.js.map +1 -0
package/dist/compliance/mapper.d.ts.map +1 -1
package/dist/compliance/mapper.js +12 -0
package/dist/compliance/mapper.js.map +1 -1
package/dist/compliance/nist-ai-rmf.d.ts +20 -0
package/dist/compliance/nist-ai-rmf.d.ts.map +1 -0
package/dist/compliance/nist-ai-rmf.js +140 -0
package/dist/compliance/nist-ai-rmf.js.map +1 -0
package/dist/config/flags.d.ts +4 -4
package/dist/eval/fixtures.d.ts.map +1 -1
package/dist/eval/fixtures.js +161 -119
package/dist/eval/fixtures.js.map +1 -1
package/dist/eval/fixtures.test.js +4 -2
package/dist/eval/fixtures.test.js.map +1 -1
package/dist/eval/llm-analyzer.d.ts +40 -0
package/dist/eval/llm-analyzer.d.ts.map +1 -0
package/dist/eval/llm-analyzer.js +154 -0
package/dist/eval/llm-analyzer.js.map +1 -0
package/dist/eval/redteam-harness.d.ts +95 -0
package/dist/eval/redteam-harness.d.ts.map +1 -0
package/dist/eval/redteam-harness.js +137 -0
package/dist/eval/redteam-harness.js.map +1 -0
package/dist/evidence/collector.d.ts.map +1 -1
package/dist/evidence/collector.js +21 -1
package/dist/evidence/collector.js.map +1 -1
package/dist/evidence/store.d.ts.map +1 -1
package/dist/evidence/store.js +29 -5
package/dist/evidence/store.js.map +1 -1
package/dist/evidence/types.d.ts +16 -9
package/dist/evidence/types.d.ts.map +1 -1
package/dist/history/decisions.d.ts +63 -0
package/dist/history/decisions.d.ts.map +1 -0
package/dist/history/decisions.js +60 -0
package/dist/history/decisions.js.map +1 -0
package/dist/history/index.d.ts +2 -0
package/dist/history/index.d.ts.map +1 -1
package/dist/history/index.js +2 -0
package/dist/history/index.js.map +1 -1
package/dist/history/types.d.ts +34 -5
package/dist/history/types.d.ts.map +1 -1
package/dist/history/types.js +2 -0
package/dist/history/types.js.map +1 -1
package/dist/http-auth.d.ts +22 -0
package/dist/http-auth.d.ts.map +1 -0
package/dist/http-auth.js +58 -0
package/dist/http-auth.js.map +1 -0
package/dist/http-policy.d.ts +30 -0
package/dist/http-policy.d.ts.map +1 -0
package/dist/http-policy.js +54 -0
package/dist/http-policy.js.map +1 -0
package/dist/http-server.js +195 -12
package/dist/http-server.js.map +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +411 -15
package/dist/index.js.map +1 -1
package/dist/logger.d.ts.map +1 -1
package/dist/logger.js +56 -2
package/dist/logger.js.map +1 -1
package/dist/plugins/types.d.ts +2 -2
package/dist/sbom/provenance.test.js +2 -2
package/dist/sbom/provenance.test.js.map +1 -1
package/dist/sbom/signing.d.ts.map +1 -1
package/dist/sbom/signing.js +5 -3
package/dist/sbom/signing.js.map +1 -1
package/dist/scanners/agent/prompt-injection-fuzzer.d.ts.map +1 -1
package/dist/scanners/agent/prompt-injection-fuzzer.js +26 -0
package/dist/scanners/agent/prompt-injection-fuzzer.js.map +1 -1
package/dist/scanners/agent/types.d.ts +10 -10
package/dist/scanners/bandit.d.ts.map +1 -1
package/dist/scanners/bandit.js +35 -29
package/dist/scanners/bandit.js.map +1 -1
package/dist/scanners/binary-analysis.d.ts.map +1 -1
package/dist/scanners/binary-analysis.js +24 -49
package/dist/scanners/binary-analysis.js.map +1 -1
package/dist/scanners/brakeman.d.ts.map +1 -1
package/dist/scanners/brakeman.js +19 -33
package/dist/scanners/brakeman.js.map +1 -1
package/dist/scanners/builtin-rules.d.ts +24 -0
package/dist/scanners/builtin-rules.d.ts.map +1 -0
package/dist/scanners/builtin-rules.js +175 -0
package/dist/scanners/builtin-rules.js.map +1 -0
package/dist/scanners/dast.d.ts.map +1 -1
package/dist/scanners/dast.js +24 -34
package/dist/scanners/dast.js.map +1 -1
package/dist/scanners/deploy/types.d.ts +6 -6
package/dist/scanners/eslint.d.ts.map +1 -1
package/dist/scanners/eslint.js +15 -24
package/dist/scanners/eslint.js.map +1 -1
package/dist/scanners/gosec.d.ts.map +1 -1
package/dist/scanners/gosec.js +14 -62
package/dist/scanners/gosec.js.map +1 -1
package/dist/scanners/index.d.ts.map +1 -1
package/dist/scanners/index.js +38 -7
package/dist/scanners/index.js.map +1 -1
package/dist/scanners/memory-safety.d.ts.map +1 -1
package/dist/scanners/memory-safety.js +27 -28
package/dist/scanners/memory-safety.js.map +1 -1
package/dist/scanners/openapi.d.ts.map +1 -1
package/dist/scanners/openapi.js +14 -22
package/dist/scanners/openapi.js.map +1 -1
package/dist/scanners/race-condition.d.ts.map +1 -1
package/dist/scanners/race-condition.js +17 -16
package/dist/scanners/race-condition.js.map +1 -1
package/dist/scanners/runtime/types.d.ts +4 -4
package/dist/scanners/rust.d.ts.map +1 -1
package/dist/scanners/rust.js +38 -37
package/dist/scanners/rust.js.map +1 -1
package/dist/scanners/scale/types.d.ts +16 -16
package/dist/scanners/secrets.d.ts.map +1 -1
package/dist/scanners/secrets.js +66 -78
package/dist/scanners/secrets.js.map +1 -1
package/dist/scanners/semgrep.d.ts +2 -0
package/dist/scanners/semgrep.d.ts.map +1 -1
package/dist/scanners/semgrep.js +12 -0
package/dist/scanners/semgrep.js.map +1 -1
package/dist/scanners/terraform.d.ts.map +1 -1
package/dist/scanners/terraform.js +47 -40
package/dist/scanners/terraform.js.map +1 -1
package/dist/scanners/trivy.d.ts.map +1 -1
package/dist/scanners/trivy.js +38 -30
package/dist/scanners/trivy.js.map +1 -1
package/dist/tool-guard.d.ts +40 -0
package/dist/tool-guard.d.ts.map +1 -0
package/dist/tool-guard.js +55 -0
package/dist/tool-guard.js.map +1 -0
package/dist/util/index.d.ts +2 -1
package/dist/util/index.d.ts.map +1 -1
package/dist/util/index.js +2 -1
package/dist/util/index.js.map +1 -1
package/dist/util/paths.d.ts +20 -3
package/dist/util/paths.d.ts.map +1 -1
package/dist/util/paths.js +84 -4
package/dist/util/paths.js.map +1 -1
package/dist/util/subprocess.d.ts +51 -0
package/dist/util/subprocess.d.ts.map +1 -0
package/dist/util/subprocess.js +77 -0
package/dist/util/subprocess.js.map +1 -0
package/package.json +12 -2
package/dist/eval/fixtures/healthcare/audit-gaps.d.ts +0 -28
package/dist/eval/fixtures/healthcare/audit-gaps.d.ts.map +0 -1
package/dist/eval/fixtures/healthcare/audit-gaps.js +0 -90
package/dist/eval/fixtures/healthcare/audit-gaps.js.map +0 -1
package/dist/eval/fixtures/healthcare/consent-bypass.d.ts +0 -31
package/dist/eval/fixtures/healthcare/consent-bypass.d.ts.map +0 -1
package/dist/eval/fixtures/healthcare/consent-bypass.js +0 -61
package/dist/eval/fixtures/healthcare/consent-bypass.js.map +0 -1
package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts +0 -24
package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts.map +0 -1
package/dist/eval/fixtures/healthcare/phi-in-logs.js +0 -41
package/dist/eval/fixtures/healthcare/phi-in-logs.js.map +0 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,21 +1,94 @@
 # Changelog
+## 2.15.0
+### Minor Changes
+- [#61](https://github.com/RCOLKITT/hardening-mcp/pull/61) [`1ecf11d`](https://github.com/RCOLKITT/hardening-mcp/commit/1ecf11dbc073af3430e6df17d0792e2b87ad2568) Thanks [@RCOLKITT](https://github.com/RCOLKITT)! - Agent Certification, independent verification, accuracy + red-team benchmarks, and hardening.
+  **Agent Certification**
+  - Versioned, signable agent certificate schema (six dimensions) with deterministic content digest; `agent_certificate_generate` / `agent_certificate_verify` MCP tools.
+  - ISO 42001 + NIST AI RMF compliance mappings and tamper-evident decision provenance (`decision_record`) on the hash chain.
+  - EU AI Act control mapping wired into the certification path (31 controls).
+  **Independent verification (don't trust us — verify)**
+  - Standalone certificate verifier: `npm run verify:cert` CLI and a public, unauthenticated `POST /verify` HTTP endpoint that re-checks schema, content digest, and signature without trusting the issuer.
+  **Measured accuracy + red-team**
+  - Accuracy benchmark (`npm run benchmark`, `npm run benchmark:llm`) over labeled fixtures with precision/recall/F1; built-in Semgrep taint rules took deterministic recall from ~10% to ~63% (added SQLi/cmd/SSRF, then insecure-deserialization + XXE), precision 100%.
+  - LLM-layer + Anthropic/OpenAI cross-model consensus benchmark.
+  - Red-team resistance harness (`npm run benchmark:redteam`) — reproducible prompt-injection resistance score + tool-scope/exfil exposure; fixed a false-positive bug that flagged 100% of tools.
+  **Integrity + supply chain**
+  - Evidence bundles can now be Sigstore-signed and their signatures are really verified (was a presence-only stub).
+  - Published manifest now exposes real per-tool input schemas (was an empty placeholder for all tools).
+  - Resolved a transitive esbuild advisory.
+  **Hardening (potentially breaking for three tools)**
+  - `deploy_vercel_promote`, `deploy_vercel_rollback`, and `consensus_clear` are now fail-closed: they return a no-op preview unless called with `confirm: true`. Callers that previously relied on these executing immediately must now pass `confirm: true`.
+## [2.14.0] - 2026-06-05
+### Added
+#### Antagonist Agent
+- New meta-analysis agent that runs after all other agents complete
+- **Synthesis mode**: Chains findings into attack narratives mapped to MITRE ATT&CK kill chain
+- **Challenger mode**: Internal critic that flags false positives, coverage gaps, and inconsistencies
+- Prioritized remediation recommendations based on attack surface reduction
+- New `antagonist_synthesize` tool - full analysis with narratives, challenges, and prioritization
+- New `antagonist_challenge` tool - manually challenge specific findings
+#### Attack Narrative Features
+- Builds attack graphs from findings and exploit chains
+- Maps vulnerabilities to 14 MITRE ATT&CK kill chain phases
+- Identifies bottleneck findings that block multiple attack paths
+- Generates human-readable attack stories with difficulty/likelihood ratings
+#### Challenger Features
+- Detects potential false positives (test files, low confidence, generic descriptions)
+- Identifies untested attack vectors (17 categories tracked)
+- Flags agents with zero findings as potentially incomplete
+- Calculates coverage score across attack surface
+### Fixed
+- Empty catch blocks in `store.ts` and `signing.ts` now log errors
+- Antagonist agent integration test types corrected
+### Changed
+- MCP tools increased from 108 to 110
+- New agent type `antagonist` with weight 0.15 (informs but doesn't dominate consensus)
+- Added to AGENT_VERIFICATION_MAP (verified by security, adversary, redteam)
 ## [2.13.0] - 2026-06-04
 ### Added
 #### False Positive Feedback System
 - New `feedback_submit` tool to mark findings as true/false positives
 - New `feedback_report` tool to view FP rates by scanner and rule
 - New `feedback_suppressions` tool to get rule suppression suggestions based on feedback
 - Feedback stored in `.vaspera/fp-feedback.json` with full audit trail
 #### Diff-Aware CI Scanning
 - New `certification_scan_diff` tool scans only changed files (git diff)
 - Estimates scan time savings vs full scan
 - Auto-detects security-critical files that always get scanned
 #### Standalone Autofix Preview
 - `autofix_preview` now works without certification_id
 - Provide file + pattern_id to preview fixes directly
 - Use `autofix_list_patterns` to see available fix patterns
@@ -23,27 +96,32 @@
 ### Fixed
 #### Persistence DB Fallback
 - Added JSON file fallback when SQLite is unavailable
 - New `src/persistence/json-fallback.ts` with atomic writes
 - Graceful degradation: warns but continues operating
 #### scale_bottlenecks False Positives
 - Added semantic analysis for workflow/pipeline patterns
 - Confidence scoring (60-100) based on context
 - Sequential workflows no longer flagged as N+1 queries
 #### ai_code_verify Diagnostics
 - Returns detailed diagnostics when 0 files found
 - Shows which extensions were searched
 - Reports which exclude patterns matched
 - Suggests alternative file extensions
 #### Scanner Error Messages
 - Added `ScannerErrorDetails` with actionable suggestions
 - tsc/eslint now report phase (init/scan/parse) and fix steps
 - Full error output available for debugging
 ### Changed
 - MCP tools increased from 103 to 108
 ## 2.10.0

package/README.md CHANGED Viewed

@@ -2,12 +2,25 @@
 Enterprise-grade security certification for codebases **and AI agent systems** with deterministic scanners, LLM-powered analysis, and signed attestations.
+[![Self-Certification](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/certify.yml/badge.svg)](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/certify.yml)
+[![CI](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/RCOLKITT/hardening-mcp/actions/workflows/ci.yml)
 ![npm version](https://img.shields.io/npm/v/vaspera)
 ![License](https://img.shields.io/badge/License-MIT-green)
-![Tools](https://img.shields.io/badge/MCP_Tools-78-purple)
+![Tools](https://img.shields.io/badge/MCP_Tools-113-purple)
 ![AI Frameworks](https://img.shields.io/badge/AI_Frameworks-5-blue)
 ![Scanners](https://img.shields.io/badge/Scanners-12-orange)
-![Tests](https://img.shields.io/badge/Tests-2942-brightgreen)
+![Tests](https://img.shields.io/badge/Tests-1891-brightgreen)
+> **We pass our own strictest certification on every commit.** The
+> Self-Certification badge above is the live result of running this
+> product against its own codebase as a blocking CI gate — the one claim
+> a scanner-wrapper can't fake. [How it works »](docs/SELF-CERTIFICATION.md)
+>
+> **Don't trust us — verify.** Any agent certificate can be checked
+> independently (`npm run verify:cert -- cert.json`, or `POST /verify`)
+> with no token and no trust in Vaspera: it recomputes the content digest
+> and checks the signature from the certificate itself.
+> [Verifying a certificate »](docs/VERIFYING-A-CERTIFICATE.md)
 ---

package/dist/__tests__/antagonist-integration.test.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Integration test for Antagonist Agent
+ * Tests the full pipeline on sample findings
+ */
+export {};
+//# sourceMappingURL=antagonist-integration.test.d.ts.map

package/dist/__tests__/antagonist-integration.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"antagonist-integration.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/antagonist-integration.test.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/__tests__/antagonist-integration.test.js ADDED Viewed

@@ -0,0 +1,239 @@
+/**
+ * Integration test for Antagonist Agent
+ * Tests the full pipeline on sample findings
+ */
+import { describe, it, expect } from "vitest";
+import { synthesizeNarrativesDeterministic } from "../agents/antagonist/synthesizer.js";
+import { runChallengerDeterministic } from "../agents/antagonist/challenger.js";
+import { prioritizeRemediations } from "../agents/antagonist/prioritizer.js";
+import { DEFAULT_ANTAGONIST_CONFIG } from "../agents/antagonist/types.js";
+// Sample findings that represent real security issues
+const sampleFindings = [
+    {
+        id: "find-001",
+        severity: "high",
+        category: "command-injection",
+        description: "Potential command injection via unsanitized user input",
+        evidence: "spawn(cmd, [userInput])",
+        confidence: 85,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        file: "src/scanners/custom.ts",
+        line: 42,
+    },
+    {
+        id: "find-002",
+        severity: "medium",
+        category: "hardcoded-secret",
+        description: "Hardcoded API key detected",
+        evidence: "const API_KEY = 'sk-...'",
+        confidence: 90,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        file: "src/config.ts",
+        line: 15,
+    },
+    {
+        id: "find-003",
+        severity: "high",
+        category: "auth-bypass",
+        description: "Missing authentication check on admin endpoint",
+        evidence: "No auth middleware on /admin route",
+        confidence: 75,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        file: "src/routes/admin.ts",
+        line: 8,
+    },
+    {
+        id: "find-004",
+        severity: "critical",
+        category: "sql-injection",
+        description: "SQL injection vulnerability in query builder",
+        evidence: "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
+        confidence: 95,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        file: "src/db/queries.ts",
+        line: 22,
+    },
+    {
+        id: "find-005",
+        severity: "low",
+        category: "xss",
+        description: "Potential XSS in user-generated content",
+        evidence: "innerHTML = userContent",
+        confidence: 60,
+        verifications: [],
+        created_at: new Date().toISOString(),
+        file: "src/components/Comment.tsx",
+        line: 55,
+    },
+];
+// Sample exploit chains (matching ExploitChain type)
+const sampleChains = [
+    {
+        id: "chain-001",
+        name: "Auth Bypass to Data Exfil",
+        steps: [
+            {
+                findingId: "find-003",
+                finding: sampleFindings[2],
+                role: "entry",
+                enables: "find-004",
+                techniques: ["T1190"],
+            },
+            {
+                findingId: "find-004",
+                finding: sampleFindings[3],
+                role: "target",
+                prerequisite: "find-003",
+                techniques: ["T1213"],
+            },
+        ],
+        totalSeverity: "critical",
+        originalSeverities: ["high", "critical"],
+        confidence: 85,
+        attackScenario: "Attacker bypasses auth, then exfiltrates data via SQL injection",
+        mitreAttackIds: ["T1190", "T1213"],
+        impact: "Data breach - full database access",
+        difficulty: "easy",
+    },
+];
+// Agent summaries
+const agentSummaries = {
+    security: { completed: true, findingCount: 5 },
+    reliability: { completed: true, findingCount: 2 },
+    typesafety: { completed: true, findingCount: 1 },
+    performance: { completed: true, findingCount: 0 },
+    quality: { completed: true, findingCount: 3 },
+    redteam: { completed: true, findingCount: 1 },
+    "agent-redteam": { completed: false, findingCount: 0 },
+    "agent-privacy": { completed: false, findingCount: 0 },
+    "agent-integrity": { completed: false, findingCount: 0 },
+    adversary: { completed: false, findingCount: 0 },
+    antagonist: { completed: false, findingCount: 0 },
+};
+// Test config with all required fields
+const testConfig = {
+    ...DEFAULT_ANTAGONIST_CONFIG,
+    maxNarratives: 5,
+    minConfidence: 50,
+    challengeThreshold: 50,
+};
+describe("Antagonist Integration", () => {
+    describe("synthesizeNarrativesDeterministic", () => {
+        it("generates attack narratives from findings", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            expect(narratives.length).toBeGreaterThan(0);
+            expect(narratives[0]).toHaveProperty("id");
+            expect(narratives[0]).toHaveProperty("name");
+            expect(narratives[0]).toHaveProperty("phases");
+            expect(narratives[0]).toHaveProperty("narrative");
+            expect(narratives[0]).toHaveProperty("findingIds");
+            expect(narratives[0]).toHaveProperty("recommendations");
+        });
+        it("includes MITRE ATT&CK techniques", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const narrativeWithTechniques = narratives.find((n) => n.mitreTechniques.length > 0);
+            expect(narrativeWithTechniques).toBeDefined();
+        });
+        it("maps findings to kill chain phases", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const narrative = narratives[0];
+            expect(narrative.phases.length).toBeGreaterThan(0);
+            expect(narrative.phases[0]).toHaveProperty("phase");
+            expect(narrative.phases[0]).toHaveProperty("description");
+        });
+        it("prioritizes critical findings in narratives", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const hasCritical = narratives.some((n) => n.findingIds.includes("find-004"));
+            expect(hasCritical).toBe(true);
+        });
+    });
+    describe("runChallengerDeterministic", () => {
+        it("identifies coverage gaps", () => {
+            const result = runChallengerDeterministic(sampleFindings, agentSummaries, testConfig);
+            expect(result.assessments).toBeDefined();
+            expect(result.gapAnalysis).toBeDefined();
+            expect(result.gapAnalysis).toHaveProperty("untestedAttackVectors");
+            expect(result.gapAnalysis).toHaveProperty("missingControls");
+            expect(result.gapAnalysis).toHaveProperty("coverageScore");
+        });
+        it("flags potential false positives", () => {
+            const findingsWithTestFile = [
+                ...sampleFindings,
+                {
+                    id: "find-test",
+                    severity: "medium",
+                    category: "sql-injection",
+                    description: "SQL injection in test",
+                    evidence: "test code",
+                    confidence: 60,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                    file: "src/__tests__/db.test.ts",
+                    line: 10,
+                },
+            ];
+            const result = runChallengerDeterministic(findingsWithTestFile, agentSummaries, testConfig);
+            const testChallenge = result.assessments.find((c) => c.targetFindingId === "find-test" && c.type === "false_positive_likely");
+            expect(testChallenge).toBeDefined();
+            expect(testChallenge?.challenge).toContain("false positive");
+        });
+        it("warns about agents with zero findings", () => {
+            const summariesWithZero = {
+                ...agentSummaries,
+                performance: { completed: true, findingCount: 0 },
+            };
+            const result = runChallengerDeterministic(sampleFindings, summariesWithZero, testConfig);
+            const zeroFindingChallenge = result.assessments.find((c) => c.type === "missed_check" && c.targetAgent === "performance");
+            expect(zeroFindingChallenge).toBeDefined();
+        });
+    });
+    describe("prioritizeRemediations", () => {
+        it("generates prioritized remediation list", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const prioritized = prioritizeRemediations(sampleFindings, narratives);
+            expect(prioritized.length).toBeGreaterThan(0);
+            expect(prioritized[0]).toHaveProperty("order");
+            expect(prioritized[0]).toHaveProperty("findingId");
+            expect(prioritized[0]).toHaveProperty("reason");
+            expect(prioritized[0]).toHaveProperty("effort");
+            expect(prioritized[0]).toHaveProperty("impact");
+        });
+        it("prioritizes critical findings first", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const prioritized = prioritizeRemediations(sampleFindings, narratives);
+            const criticalPosition = prioritized.findIndex((p) => p.findingId === "find-004");
+            expect(criticalPosition).toBeLessThan(3);
+        });
+        it("considers bottleneck findings (appear in multiple narratives)", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const prioritized = prioritizeRemediations(sampleFindings, narratives);
+            const hasBlocksNarratives = prioritized.some((p) => p.blocksNarratives && p.blocksNarratives.length > 0);
+            expect(hasBlocksNarratives).toBe(true);
+        });
+    });
+    describe("Full pipeline", () => {
+        it("runs complete antagonist analysis", () => {
+            const narratives = synthesizeNarrativesDeterministic(sampleFindings, sampleChains, [], testConfig);
+            const challengerResult = runChallengerDeterministic(sampleFindings, agentSummaries, testConfig);
+            const prioritized = prioritizeRemediations(sampleFindings, narratives);
+            expect(narratives.length).toBeGreaterThan(0);
+            expect(challengerResult.assessments).toBeDefined();
+            expect(challengerResult.gapAnalysis).toBeDefined();
+            expect(prioritized.length).toBeGreaterThan(0);
+            console.log("\n=== Antagonist Analysis Summary ===");
+            console.log(`Attack Narratives: ${narratives.length}`);
+            console.log(`Challenger Assessments: ${challengerResult.assessments.length}`);
+            console.log(`Coverage Score: ${challengerResult.gapAnalysis.coverageScore}%`);
+            console.log(`Prioritized Remediations: ${prioritized.length}`);
+            console.log("\nTop 3 Remediation Priorities:");
+            prioritized.slice(0, 3).forEach((p, i) => {
+                console.log(`  ${i + 1}. ${p.findingId}: ${p.reason}`);
+            });
+        });
+    });
+});
+//# sourceMappingURL=antagonist-integration.test.js.map

package/dist/__tests__/antagonist-integration.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"antagonist-integration.test.js","sourceRoot":"","sources":["../../src/__tests__/antagonist-integration.test.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,iCAAiC,EAAE,MAAM,qCAAqC,CAAC;AACxF,OAAO,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAChF,OAAO,EAAE,sBAAsB,EAAE,MAAM,qCAAqC,CAAC;AAC7E,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAI1E,sDAAsD;AACtD,MAAM,cAAc,GAAc;IAChC;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,WAAW,EAAE,wDAAwD;QACrE,QAAQ,EAAE,yBAAyB;QACnC,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,IAAI,EAAE,wBAAwB;QAC9B,IAAI,EAAE,EAAE;KACT;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,kBAAkB;QAC5B,WAAW,EAAE,4BAA4B;QACzC,QAAQ,EAAE,0BAA0B;QACpC,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,EAAE;KACT;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,aAAa;QACvB,WAAW,EAAE,gDAAgD;QAC7D,QAAQ,EAAE,oCAAoC;QAC9C,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,CAAC;KACR;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,eAAe;QACzB,WAAW,EAAE,8CAA8C;QAC3D,QAAQ,EAAE,sDAAsD;QAChE,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,EAAE;KACT;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,yBAAyB;QACnC,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,EAAE;QACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,IAAI,EAAE,4BAA4B;QAClC,IAAI,EAAE,EAAE;KACT;CACF,CAAC;AAEF,qDAAqD;AACrD,MAAM,YAAY,GAAmB;IACnC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,2BAA2B;QACjC,KAAK,EAAE;YACL;gBACE,SAAS,EAAE,UAAU;gBACrB,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC;gBAC1B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,UAAU;gBACnB,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB;YACD;gBACE,SAAS,EAAE,UAAU;gBACrB,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC;gBAC1B,IAAI,EAAE,QAAQ;gBACd,YAAY,EAAE,UAAU;gBACxB,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB;SACF;QACD,aAAa,EAAE,UAAU;QACzB,kBAAkB,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;QACxC,UAAU,EAAE,EAAE;QACd,cAAc,EAAE,iEAAiE;QACjF,cAAc,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC;QAClC,MAAM,EAAE,oCAAoC;QAC5C,UAAU,EAAE,MAAM;KACnB;CACF,CAAC;AAEF,kBAAkB;AAClB,MAAM,cAAc,GAAoE;IACtF,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IAC9C,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IACjD,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IAChD,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IACjD,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IAC7C,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;IAC7C,eAAe,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE;IACtD,eAAe,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE;IACtD,iBAAiB,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE;IACxD,SAAS,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE;IAChD,UAAU,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE;CAClD,CAAC;AAEF,uCAAuC;AACvC,MAAM,UAAU,GAAG;IACjB,GAAG,yBAAyB;IAC5B,aAAa,EAAE,CAAC;IAChB,aAAa,EAAE,EAAE;IACjB,kBAAkB,EAAE,EAAE;CACvB,CAAC;AAEF,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;QACjD,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC7C,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC/C,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;YAClD,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;YACnD,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,uBAAuB,GAAG,UAAU,CAAC,IAAI,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CACpC,CAAC;YACF,MAAM,CAAC,uBAAuB,CAAC,CAAC,WAAW,EAAE,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACnD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YACpD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACxC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,CAClC,CAAC;YACF,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,MAAM,GAAG,0BAA0B,CACvC,cAAc,EACd,cAAc,EACd,UAAU,CACX,CAAC;YAEF,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,cAAc,CAAC,uBAAuB,CAAC,CAAC;YACnE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC;YAC7D,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,MAAM,oBAAoB,GAAc;gBACtC,GAAG,cAAc;gBACjB;oBACE,EAAE,EAAE,WAAW;oBACf,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,eAAe;oBACzB,WAAW,EAAE,uBAAuB;oBACpC,QAAQ,EAAE,WAAW;oBACrB,UAAU,EAAE,EAAE;oBACd,aAAa,EAAE,EAAE;oBACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACpC,IAAI,EAAE,0BAA0B;oBAChC,IAAI,EAAE,EAAE;iBACT;aACF,CAAC;YAEF,MAAM,MAAM,GAAG,0BAA0B,CACvC,oBAAoB,EACpB,cAAc,EACd,UAAU,CACX,CAAC;YAEF,MAAM,aAAa,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAC3C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,WAAW,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,CAC/E,CAAC;YACF,MAAM,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;YACpC,MAAM,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,iBAAiB,GAAG;gBACxB,GAAG,cAAc;gBACjB,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE;aAClD,CAAC;YAEF,MAAM,MAAM,GAAG,0BAA0B,CACvC,cAAc,EACd,iBAAiB,EACjB,UAAU,CACX,CAAC;YAEF,MAAM,oBAAoB,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAClD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,cAAc,IAAI,CAAC,CAAC,WAAW,KAAK,aAAa,CACpE,CAAC;YACF,MAAM,CAAC,oBAAoB,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,WAAW,GAAG,sBAAsB,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;YAEvE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;YACnD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAChD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAChD,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,WAAW,GAAG,sBAAsB,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;YAEvE,MAAM,gBAAgB,GAAG,WAAW,CAAC,SAAS,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,UAAU,CAClC,CAAC;YACF,MAAM,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;YACvE,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,WAAW,GAAG,sBAAsB,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;YAEvE,MAAM,mBAAmB,GAAG,WAAW,CAAC,IAAI,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAC3D,CAAC;YACF,MAAM,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,UAAU,GAAG,iCAAiC,CAClD,cAAc,EACd,YAAY,EACZ,EAAE,EACF,UAAU,CACX,CAAC;YAEF,MAAM,gBAAgB,GAAG,0BAA0B,CACjD,cAAc,EACd,cAAc,EACd,UAAU,CACX,CAAC;YAEF,MAAM,WAAW,GAAG,sBAAsB,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;YAEvE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC7C,MAAM,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YACnD,MAAM,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YACnD,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;YACrD,OAAO,CAAC,GAAG,CAAC,sBAAsB,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,2BAA2B,gBAAgB,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9E,OAAO,CAAC,GAAG,CAAC,mBAAmB,gBAAgB,CAAC,WAAW,CAAC,aAAa,GAAG,CAAC,CAAC;YAC9E,OAAO,CAAC,GAAG,CAAC,6BAA6B,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;YAC/C,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;gBACvC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=agent-certificate-e2e.test.d.ts.map

package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"agent-certificate-e2e.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-e2e.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/agent-certificate-e2e.test.js ADDED Viewed

@@ -0,0 +1,90 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtemp, rm } from "fs/promises";
+import { tmpdir } from "os";
+import { join } from "path";
+import { recordDecision, getDecisionProvenance } from "../../history/decisions.js";
+import { certificationToCertificateBody } from "../../certification/agent-certificate-map.js";
+import { finalizeCertificate, verifyCertificate } from "../../certification/agent-certificate.js";
+function certification() {
+    return {
+        metadata: {
+            id: "cert_e2e",
+            project_name: "e2e-agent",
+            project_path: "/tmp/e2e-agent",
+            started_at: "2026-06-12T00:00:00.000Z",
+            completed_at: "2026-06-12T00:05:00.000Z",
+            status: "completed",
+            agents_requested: ["security"],
+            agents_completed: ["security"],
+            certification_level: "APPROVED",
+            final_score: 84,
+            project_hash: "deadbeef",
+        },
+        agents: {
+            security: {
+                agent: "security",
+                started_at: "2026-06-12T00:00:00.000Z",
+                completed_at: "2026-06-12T00:03:00.000Z",
+                status: "completed",
+                findings: [
+                    {
+                        id: "f1",
+                        severity: "high",
+                        category: "exfil-path",
+                        description: "Secret can reach the network",
+                        evidence: "…",
+                        confidence: 95,
+                        verifications: [],
+                        created_at: "2026-06-12T00:01:00.000Z",
+                    },
+                ],
+            },
+        },
+        cross_verifications: [],
+        red_team_challenges: [],
+    };
+}
+describe("agent certificate — full flow (decisions + frameworks + provenance)", () => {
+    let dir;
+    beforeEach(async () => {
+        dir = await mkdtemp(join(tmpdir(), "cert-e2e-"));
+    });
+    afterEach(async () => {
+        await rm(dir, { recursive: true, force: true });
+    });
+    it("records decisions, builds a certificate with real frameworks + provenance, verifies", async () => {
+        // 1) capture decision provenance on the hash chain
+        await recordDecision(dir, { decisionType: "tool_call", model: "m", input: "x", output: "y" });
+        await recordDecision(dir, { decisionType: "gen", model: "m", input: "p", output: "q" });
+        const provenance = await getDecisionProvenance(dir);
+        expect(provenance.decisionRecords).toBe(2);
+        // 2) build a certificate from a real certification + AI frameworks + provenance
+        const body = certificationToCertificateBody(certification(), {
+            toolVersion: "2.14.0",
+            issuedAt: "2026-06-12T00:00:00.000Z",
+            expiresAt: "2026-09-10T00:00:00.000Z",
+            certificateId: "vac_e2e_1",
+            complianceFrameworks: ["ISO-42001", "NIST-AI-RMF"],
+            provenance,
+        });
+        // compliance dimension is real (mapped controls, not a label)
+        expect(body.dimensions.compliance.frameworks.map((f) => f.framework)).toEqual([
+            "ISO-42001",
+            "NIST-AI-RMF",
+        ]);
+        expect(body.dimensions.compliance.frameworks[0].controlsTotal).toBeGreaterThan(0);
+        // the exfil-path finding should fail at least one control
+        const totalFailed = body.dimensions.compliance.frameworks.reduce((n, f) => n + f.controlsFailed, 0);
+        expect(totalFailed).toBeGreaterThan(0);
+        // explainability reflects the recorded decisions
+        expect(body.dimensions.explainability.checks.some((c) => c.id === "decision-provenance")).toBe(true);
+        expect(body.provenance.decisionRecords).toBe(2);
+        expect(body.provenance.auditTrailHead).toBe(provenance.auditTrailHead);
+        // 3) finalize + verify independently
+        const cert = await finalizeCertificate(body);
+        const result = await verifyCertificate(cert);
+        expect(result.valid).toBe(true);
+        expect(result.contentDigestValid).toBe(true);
+    });
+});
+//# sourceMappingURL=agent-certificate-e2e.test.js.map

package/dist/__tests__/certification/agent-certificate-e2e.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"agent-certificate-e2e.test.js","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-e2e.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnF,OAAO,EAAE,8BAA8B,EAAE,MAAM,8CAA8C,CAAC;AAC9F,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AAGlG,SAAS,aAAa;IACpB,OAAO;QACL,QAAQ,EAAE;YACR,EAAE,EAAE,UAAU;YACd,YAAY,EAAE,WAAW;YACzB,YAAY,EAAE,gBAAgB;YAC9B,UAAU,EAAE,0BAA0B;YACtC,YAAY,EAAE,0BAA0B;YACxC,MAAM,EAAE,WAAW;YACnB,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,mBAAmB,EAAE,UAAU;YAC/B,WAAW,EAAE,EAAE;YACf,YAAY,EAAE,UAAU;SACzB;QACD,MAAM,EAAE;YACN,QAAQ,EAAE;gBACR,KAAK,EAAE,UAAU;gBACjB,UAAU,EAAE,0BAA0B;gBACtC,YAAY,EAAE,0BAA0B;gBACxC,MAAM,EAAE,WAAW;gBACnB,QAAQ,EAAE;oBACR;wBACE,EAAE,EAAE,IAAI;wBACR,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,YAAY;wBACtB,WAAW,EAAE,8BAA8B;wBAC3C,QAAQ,EAAE,GAAG;wBACb,UAAU,EAAE,EAAE;wBACd,aAAa,EAAE,EAAE;wBACjB,UAAU,EAAE,0BAA0B;qBACvC;iBACF;aACF;SACF;QACD,mBAAmB,EAAE,EAAE;QACvB,mBAAmB,EAAE,EAAE;KACxB,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,qEAAqE,EAAE,GAAG,EAAE;IACnF,IAAI,GAAW,CAAC;IAChB,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;QACnG,mDAAmD;QACnD,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9F,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACxF,MAAM,UAAU,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACpD,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE3C,gFAAgF;QAChF,MAAM,IAAI,GAAG,8BAA8B,CAAC,aAAa,EAAE,EAAE;YAC3D,WAAW,EAAE,QAAQ;YACrB,QAAQ,EAAE,0BAA0B;YACpC,SAAS,EAAE,0BAA0B;YACrC,aAAa,EAAE,WAAW;YAC1B,oBAAoB,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;YAClD,UAAU;SACX,CAAC,CAAC;QAEH,8DAA8D;QAC9D,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;YAC5E,WAAW;YACX,aAAa;SACd,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAClF,0DAA0D;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,CAC9D,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,cAAc,EAC9B,CAAC,CACF,CAAC;QACF,MAAM,CAAC,WAAW,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAEvC,iDAAiD;QACjD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAC5F,IAAI,CACL,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAEvE,qCAAqC;QACrC,MAAM,IAAI,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/certification/agent-certificate-map.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=agent-certificate-map.test.d.ts.map

package/dist/__tests__/certification/agent-certificate-map.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"agent-certificate-map.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/certification/agent-certificate-map.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/certification/agent-certificate-map.test.js ADDED Viewed

@@ -0,0 +1,107 @@
+import { describe, it, expect } from "vitest";
+import { certificationToCertificateBody, baselineCertificateBody, } from "../../certification/agent-certificate-map.js";
+import { finalizeCertificate, verifyCertificate, } from "../../certification/agent-certificate.js";
+const opts = {
+    toolVersion: "2.14.0",
+    issuedAt: "2026-06-11T00:00:00.000Z",
+    expiresAt: "2026-09-09T00:00:00.000Z",
+    certificateId: "vac_map_0001",
+};
+function fakeCertification() {
+    return {
+        metadata: {
+            id: "cert_1",
+            project_name: "demo-agent",
+            project_path: "/tmp/demo-agent",
+            started_at: "2026-06-11T00:00:00.000Z",
+            completed_at: "2026-06-11T00:05:00.000Z",
+            status: "completed",
+            agents_requested: ["security", "quality"],
+            agents_completed: ["security", "quality"],
+            certification_level: "APPROVED",
+            final_score: 82,
+            project_hash: "abc123def456",
+        },
+        agents: {
+            security: {
+                agent: "security",
+                started_at: "2026-06-11T00:00:00.000Z",
+                completed_at: "2026-06-11T00:03:00.000Z",
+                status: "completed",
+                findings: [
+                    {
+                        id: "f1",
+                        severity: "high",
+                        category: "prompt-injection",
+                        file: "src/agent.ts",
+                        line: 42,
+                        description: "Untrusted input flows into the system prompt",
+                        evidence: "…",
+                        confidence: 90,
+                        verifications: [],
+                        created_at: "2026-06-11T00:01:00.000Z",
+                    },
+                    {
+                        id: "f2",
+                        severity: "low",
+                        category: "logging-failure",
+                        description: "Missing structured logging",
+                        evidence: "…",
+                        confidence: 70,
+                        verifications: [],
+                        created_at: "2026-06-11T00:02:00.000Z",
+                    },
+                ],
+            },
+            quality: {
+                agent: "quality",
+                started_at: "2026-06-11T00:00:00.000Z",
+                completed_at: "2026-06-11T00:04:00.000Z",
+                status: "completed",
+                findings: [],
+            },
+        },
+        cross_verifications: [],
+        red_team_challenges: [],
+    };
+}
+describe("certificationToCertificateBody", () => {
+    it("maps a real certification into a verifiable certificate", async () => {
+        const body = certificationToCertificateBody(fakeCertification(), opts);
+        expect(body.subject.name).toBe("demo-agent");
+        expect(body.subject.digest).toBe("abc123def456");
+        expect(body.level).toBe("APPROVED");
+        expect(body.overallScore).toBe(82);
+        // security has a high finding -> fail status, surfaced as a check
+        expect(body.dimensions.security.status).toBe("fail");
+        expect(body.dimensions.security.checks.some((c) => c.category === "prompt-injection")).toBe(true);
+        // quality had no findings -> pass
+        expect(body.dimensions.quality.status).toBe("pass");
+        // compliance not run -> not_assessed (never fabricated)
+        expect(body.dimensions.compliance.status).toBe("not_assessed");
+        const cert = await finalizeCertificate(body);
+        const result = await verifyCertificate(cert);
+        expect(result.valid).toBe(true);
+    });
+    it("surfaces the most severe findings first and caps the list", () => {
+        const c = fakeCertification();
+        const body = certificationToCertificateBody(c, opts);
+        expect(body.dimensions.security.checks[0].severity).toBe("high");
+    });
+    it("baseline body is honest — all dimensions not_assessed and verifiable", async () => {
+        const body = baselineCertificateBody({
+            ...opts,
+            subjectName: "fresh-agent",
+            subjectKind: "agent",
+            identifier: "/tmp/fresh-agent",
+        });
+        expect(body.overallScore).toBe(0);
+        expect(body.level).toBe("REVIEW_REQUIRED");
+        for (const dim of Object.values(body.dimensions)) {
+            expect(dim.status).toBe("not_assessed");
+        }
+        const cert = await finalizeCertificate(body);
+        expect((await verifyCertificate(cert)).valid).toBe(true);
+    });
+});
+//# sourceMappingURL=agent-certificate-map.test.js.map