vaspera 2.13.0 → 2.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +78 -0
- package/README.md +15 -2
- package/dist/__tests__/antagonist-integration.test.d.ts +6 -0
- package/dist/__tests__/antagonist-integration.test.d.ts.map +1 -0
- package/dist/__tests__/antagonist-integration.test.js +239 -0
- package/dist/__tests__/antagonist-integration.test.js.map +1 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.js +90 -0
- package/dist/__tests__/certification/agent-certificate-e2e.test.js.map +1 -0
- package/dist/__tests__/certification/agent-certificate-map.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate-map.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate-map.test.js +107 -0
- package/dist/__tests__/certification/agent-certificate-map.test.js.map +1 -0
- package/dist/__tests__/certification/agent-certificate.test.d.ts +2 -0
- package/dist/__tests__/certification/agent-certificate.test.d.ts.map +1 -0
- package/dist/__tests__/certification/agent-certificate.test.js +78 -0
- package/dist/__tests__/certification/agent-certificate.test.js.map +1 -0
- package/dist/__tests__/certification/verify-endpoint.test.d.ts +2 -0
- package/dist/__tests__/certification/verify-endpoint.test.d.ts.map +1 -0
- package/dist/__tests__/certification/verify-endpoint.test.js +81 -0
- package/dist/__tests__/certification/verify-endpoint.test.js.map +1 -0
- package/dist/__tests__/compliance/ai-frameworks.test.d.ts +2 -0
- package/dist/__tests__/compliance/ai-frameworks.test.d.ts.map +1 -0
- package/dist/__tests__/compliance/ai-frameworks.test.js +87 -0
- package/dist/__tests__/compliance/ai-frameworks.test.js.map +1 -0
- package/dist/__tests__/eval/llm-analyzer.test.d.ts +2 -0
- package/dist/__tests__/eval/llm-analyzer.test.d.ts.map +1 -0
- package/dist/__tests__/eval/llm-analyzer.test.js +93 -0
- package/dist/__tests__/eval/llm-analyzer.test.js.map +1 -0
- package/dist/__tests__/eval/redteam-harness.test.d.ts +2 -0
- package/dist/__tests__/eval/redteam-harness.test.d.ts.map +1 -0
- package/dist/__tests__/eval/redteam-harness.test.js +136 -0
- package/dist/__tests__/eval/redteam-harness.test.js.map +1 -0
- package/dist/__tests__/evidence/evidence.test.d.ts +2 -0
- package/dist/__tests__/evidence/evidence.test.d.ts.map +1 -0
- package/dist/__tests__/evidence/evidence.test.js +240 -0
- package/dist/__tests__/evidence/evidence.test.js.map +1 -0
- package/dist/__tests__/history/decisions.test.d.ts +2 -0
- package/dist/__tests__/history/decisions.test.d.ts.map +1 -0
- package/dist/__tests__/history/decisions.test.js +54 -0
- package/dist/__tests__/history/decisions.test.js.map +1 -0
- package/dist/__tests__/http-auth.test.d.ts +2 -0
- package/dist/__tests__/http-auth.test.d.ts.map +1 -0
- package/dist/__tests__/http-auth.test.js +55 -0
- package/dist/__tests__/http-auth.test.js.map +1 -0
- package/dist/__tests__/http-policy.test.d.ts +2 -0
- package/dist/__tests__/http-policy.test.d.ts.map +1 -0
- package/dist/__tests__/http-policy.test.js +69 -0
- package/dist/__tests__/http-policy.test.js.map +1 -0
- package/dist/__tests__/http-server-transport.test.d.ts +2 -0
- package/dist/__tests__/http-server-transport.test.d.ts.map +1 -0
- package/dist/__tests__/http-server-transport.test.js +132 -0
- package/dist/__tests__/http-server-transport.test.js.map +1 -0
- package/dist/__tests__/integration/destructive-guards.test.d.ts +2 -0
- package/dist/__tests__/integration/destructive-guards.test.d.ts.map +1 -0
- package/dist/__tests__/integration/destructive-guards.test.js +49 -0
- package/dist/__tests__/integration/destructive-guards.test.js.map +1 -0
- package/dist/__tests__/logger-redaction.test.d.ts +2 -0
- package/dist/__tests__/logger-redaction.test.d.ts.map +1 -0
- package/dist/__tests__/logger-redaction.test.js +74 -0
- package/dist/__tests__/logger-redaction.test.js.map +1 -0
- package/dist/__tests__/manifest-schema.test.d.ts +2 -0
- package/dist/__tests__/manifest-schema.test.d.ts.map +1 -0
- package/dist/__tests__/manifest-schema.test.js +43 -0
- package/dist/__tests__/manifest-schema.test.js.map +1 -0
- package/dist/__tests__/scanners/builtin-rules.test.d.ts +2 -0
- package/dist/__tests__/scanners/builtin-rules.test.d.ts.map +1 -0
- package/dist/__tests__/scanners/builtin-rules.test.js +51 -0
- package/dist/__tests__/scanners/builtin-rules.test.js.map +1 -0
- package/dist/__tests__/scanners/runtime/golden-path-runner.test.js +13 -1
- package/dist/__tests__/scanners/runtime/golden-path-runner.test.js.map +1 -1
- package/dist/__tests__/tool-guard.test.d.ts +2 -0
- package/dist/__tests__/tool-guard.test.d.ts.map +1 -0
- package/dist/__tests__/tool-guard.test.js +97 -0
- package/dist/__tests__/tool-guard.test.js.map +1 -0
- package/dist/__tests__/util/contained-file.test.d.ts +2 -0
- package/dist/__tests__/util/contained-file.test.d.ts.map +1 -0
- package/dist/__tests__/util/contained-file.test.js +78 -0
- package/dist/__tests__/util/contained-file.test.js.map +1 -0
- package/dist/__tests__/util/subprocess.test.d.ts +2 -0
- package/dist/__tests__/util/subprocess.test.d.ts.map +1 -0
- package/dist/__tests__/util/subprocess.test.js +48 -0
- package/dist/__tests__/util/subprocess.test.js.map +1 -0
- package/dist/action/diff-mode.d.ts.map +1 -1
- package/dist/action/diff-mode.js +31 -12
- package/dist/action/diff-mode.js.map +1 -1
- package/dist/agents/antagonist/challenger.d.ts +46 -0
- package/dist/agents/antagonist/challenger.d.ts.map +1 -0
- package/dist/agents/antagonist/challenger.js +257 -0
- package/dist/agents/antagonist/challenger.js.map +1 -0
- package/dist/agents/antagonist/index.d.ts +31 -0
- package/dist/agents/antagonist/index.d.ts.map +1 -0
- package/dist/agents/antagonist/index.js +175 -0
- package/dist/agents/antagonist/index.js.map +1 -0
- package/dist/agents/antagonist/prioritizer.d.ts +27 -0
- package/dist/agents/antagonist/prioritizer.d.ts.map +1 -0
- package/dist/agents/antagonist/prioritizer.js +181 -0
- package/dist/agents/antagonist/prioritizer.js.map +1 -0
- package/dist/agents/antagonist/prompts.d.ts +12 -0
- package/dist/agents/antagonist/prompts.d.ts.map +1 -0
- package/dist/agents/antagonist/prompts.js +155 -0
- package/dist/agents/antagonist/prompts.js.map +1 -0
- package/dist/agents/antagonist/synthesizer.d.ts +34 -0
- package/dist/agents/antagonist/synthesizer.d.ts.map +1 -0
- package/dist/agents/antagonist/synthesizer.js +451 -0
- package/dist/agents/antagonist/synthesizer.js.map +1 -0
- package/dist/agents/antagonist/types.d.ts +145 -0
- package/dist/agents/antagonist/types.d.ts.map +1 -0
- package/dist/agents/antagonist/types.js +63 -0
- package/dist/agents/antagonist/types.js.map +1 -0
- package/dist/agents/index.d.ts +1 -0
- package/dist/agents/index.d.ts.map +1 -1
- package/dist/agents/index.js +2 -0
- package/dist/agents/index.js.map +1 -1
- package/dist/certification/agent-certificate-map.d.ts +51 -0
- package/dist/certification/agent-certificate-map.d.ts.map +1 -0
- package/dist/certification/agent-certificate-map.js +265 -0
- package/dist/certification/agent-certificate-map.js.map +1 -0
- package/dist/certification/agent-certificate-sample.d.ts +25 -0
- package/dist/certification/agent-certificate-sample.d.ts.map +1 -0
- package/dist/certification/agent-certificate-sample.js +207 -0
- package/dist/certification/agent-certificate-sample.js.map +1 -0
- package/dist/certification/agent-certificate.d.ts +1981 -0
- package/dist/certification/agent-certificate.d.ts.map +1 -0
- package/dist/certification/agent-certificate.js +309 -0
- package/dist/certification/agent-certificate.js.map +1 -0
- package/dist/certification/autofix.d.ts.map +1 -1
- package/dist/certification/autofix.js +5 -3
- package/dist/certification/autofix.js.map +1 -1
- package/dist/certification/consensus.test.js +2 -0
- package/dist/certification/consensus.test.js.map +1 -1
- package/dist/certification/store.d.ts.map +1 -1
- package/dist/certification/store.js +11 -3
- package/dist/certification/store.js.map +1 -1
- package/dist/certification/types.d.ts +1 -1
- package/dist/certification/types.d.ts.map +1 -1
- package/dist/certification/types.js +2 -0
- package/dist/certification/types.js.map +1 -1
- package/dist/certification/verify-endpoint.d.ts +48 -0
- package/dist/certification/verify-endpoint.d.ts.map +1 -0
- package/dist/certification/verify-endpoint.js +79 -0
- package/dist/certification/verify-endpoint.js.map +1 -0
- package/dist/compliance/index.d.ts +2 -0
- package/dist/compliance/index.d.ts.map +1 -1
- package/dist/compliance/index.js +4 -0
- package/dist/compliance/index.js.map +1 -1
- package/dist/compliance/iso42001.d.ts +21 -0
- package/dist/compliance/iso42001.d.ts.map +1 -0
- package/dist/compliance/iso42001.js +160 -0
- package/dist/compliance/iso42001.js.map +1 -0
- package/dist/compliance/mapper.d.ts.map +1 -1
- package/dist/compliance/mapper.js +12 -0
- package/dist/compliance/mapper.js.map +1 -1
- package/dist/compliance/nist-ai-rmf.d.ts +20 -0
- package/dist/compliance/nist-ai-rmf.d.ts.map +1 -0
- package/dist/compliance/nist-ai-rmf.js +140 -0
- package/dist/compliance/nist-ai-rmf.js.map +1 -0
- package/dist/config/flags.d.ts +4 -4
- package/dist/eval/fixtures.d.ts.map +1 -1
- package/dist/eval/fixtures.js +161 -119
- package/dist/eval/fixtures.js.map +1 -1
- package/dist/eval/fixtures.test.js +4 -2
- package/dist/eval/fixtures.test.js.map +1 -1
- package/dist/eval/llm-analyzer.d.ts +40 -0
- package/dist/eval/llm-analyzer.d.ts.map +1 -0
- package/dist/eval/llm-analyzer.js +154 -0
- package/dist/eval/llm-analyzer.js.map +1 -0
- package/dist/eval/redteam-harness.d.ts +95 -0
- package/dist/eval/redteam-harness.d.ts.map +1 -0
- package/dist/eval/redteam-harness.js +137 -0
- package/dist/eval/redteam-harness.js.map +1 -0
- package/dist/evidence/collector.d.ts.map +1 -1
- package/dist/evidence/collector.js +21 -1
- package/dist/evidence/collector.js.map +1 -1
- package/dist/evidence/store.d.ts.map +1 -1
- package/dist/evidence/store.js +29 -5
- package/dist/evidence/store.js.map +1 -1
- package/dist/evidence/types.d.ts +16 -9
- package/dist/evidence/types.d.ts.map +1 -1
- package/dist/history/decisions.d.ts +63 -0
- package/dist/history/decisions.d.ts.map +1 -0
- package/dist/history/decisions.js +60 -0
- package/dist/history/decisions.js.map +1 -0
- package/dist/history/index.d.ts +2 -0
- package/dist/history/index.d.ts.map +1 -1
- package/dist/history/index.js +2 -0
- package/dist/history/index.js.map +1 -1
- package/dist/history/types.d.ts +34 -5
- package/dist/history/types.d.ts.map +1 -1
- package/dist/history/types.js +2 -0
- package/dist/history/types.js.map +1 -1
- package/dist/http-auth.d.ts +22 -0
- package/dist/http-auth.d.ts.map +1 -0
- package/dist/http-auth.js +58 -0
- package/dist/http-auth.js.map +1 -0
- package/dist/http-policy.d.ts +30 -0
- package/dist/http-policy.d.ts.map +1 -0
- package/dist/http-policy.js +54 -0
- package/dist/http-policy.js.map +1 -0
- package/dist/http-server.js +195 -12
- package/dist/http-server.js.map +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +411 -15
- package/dist/index.js.map +1 -1
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +56 -2
- package/dist/logger.js.map +1 -1
- package/dist/plugins/types.d.ts +2 -2
- package/dist/sbom/provenance.test.js +2 -2
- package/dist/sbom/provenance.test.js.map +1 -1
- package/dist/sbom/signing.d.ts.map +1 -1
- package/dist/sbom/signing.js +5 -3
- package/dist/sbom/signing.js.map +1 -1
- package/dist/scanners/agent/prompt-injection-fuzzer.d.ts.map +1 -1
- package/dist/scanners/agent/prompt-injection-fuzzer.js +26 -0
- package/dist/scanners/agent/prompt-injection-fuzzer.js.map +1 -1
- package/dist/scanners/agent/types.d.ts +10 -10
- package/dist/scanners/bandit.d.ts.map +1 -1
- package/dist/scanners/bandit.js +35 -29
- package/dist/scanners/bandit.js.map +1 -1
- package/dist/scanners/binary-analysis.d.ts.map +1 -1
- package/dist/scanners/binary-analysis.js +24 -49
- package/dist/scanners/binary-analysis.js.map +1 -1
- package/dist/scanners/brakeman.d.ts.map +1 -1
- package/dist/scanners/brakeman.js +19 -33
- package/dist/scanners/brakeman.js.map +1 -1
- package/dist/scanners/builtin-rules.d.ts +24 -0
- package/dist/scanners/builtin-rules.d.ts.map +1 -0
- package/dist/scanners/builtin-rules.js +175 -0
- package/dist/scanners/builtin-rules.js.map +1 -0
- package/dist/scanners/dast.d.ts.map +1 -1
- package/dist/scanners/dast.js +24 -34
- package/dist/scanners/dast.js.map +1 -1
- package/dist/scanners/deploy/types.d.ts +6 -6
- package/dist/scanners/eslint.d.ts.map +1 -1
- package/dist/scanners/eslint.js +15 -24
- package/dist/scanners/eslint.js.map +1 -1
- package/dist/scanners/gosec.d.ts.map +1 -1
- package/dist/scanners/gosec.js +14 -62
- package/dist/scanners/gosec.js.map +1 -1
- package/dist/scanners/index.d.ts.map +1 -1
- package/dist/scanners/index.js +38 -7
- package/dist/scanners/index.js.map +1 -1
- package/dist/scanners/memory-safety.d.ts.map +1 -1
- package/dist/scanners/memory-safety.js +27 -28
- package/dist/scanners/memory-safety.js.map +1 -1
- package/dist/scanners/openapi.d.ts.map +1 -1
- package/dist/scanners/openapi.js +14 -22
- package/dist/scanners/openapi.js.map +1 -1
- package/dist/scanners/race-condition.d.ts.map +1 -1
- package/dist/scanners/race-condition.js +17 -16
- package/dist/scanners/race-condition.js.map +1 -1
- package/dist/scanners/runtime/types.d.ts +4 -4
- package/dist/scanners/rust.d.ts.map +1 -1
- package/dist/scanners/rust.js +38 -37
- package/dist/scanners/rust.js.map +1 -1
- package/dist/scanners/scale/types.d.ts +16 -16
- package/dist/scanners/secrets.d.ts.map +1 -1
- package/dist/scanners/secrets.js +66 -78
- package/dist/scanners/secrets.js.map +1 -1
- package/dist/scanners/semgrep.d.ts +2 -0
- package/dist/scanners/semgrep.d.ts.map +1 -1
- package/dist/scanners/semgrep.js +12 -0
- package/dist/scanners/semgrep.js.map +1 -1
- package/dist/scanners/terraform.d.ts.map +1 -1
- package/dist/scanners/terraform.js +47 -40
- package/dist/scanners/terraform.js.map +1 -1
- package/dist/scanners/trivy.d.ts.map +1 -1
- package/dist/scanners/trivy.js +38 -30
- package/dist/scanners/trivy.js.map +1 -1
- package/dist/tool-guard.d.ts +40 -0
- package/dist/tool-guard.d.ts.map +1 -0
- package/dist/tool-guard.js +55 -0
- package/dist/tool-guard.js.map +1 -0
- package/dist/util/index.d.ts +2 -1
- package/dist/util/index.d.ts.map +1 -1
- package/dist/util/index.js +2 -1
- package/dist/util/index.js.map +1 -1
- package/dist/util/paths.d.ts +20 -3
- package/dist/util/paths.d.ts.map +1 -1
- package/dist/util/paths.js +84 -4
- package/dist/util/paths.js.map +1 -1
- package/dist/util/subprocess.d.ts +51 -0
- package/dist/util/subprocess.d.ts.map +1 -0
- package/dist/util/subprocess.js +77 -0
- package/dist/util/subprocess.js.map +1 -0
- package/package.json +12 -2
- package/dist/eval/fixtures/healthcare/audit-gaps.d.ts +0 -28
- package/dist/eval/fixtures/healthcare/audit-gaps.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/audit-gaps.js +0 -90
- package/dist/eval/fixtures/healthcare/audit-gaps.js.map +0 -1
- package/dist/eval/fixtures/healthcare/consent-bypass.d.ts +0 -31
- package/dist/eval/fixtures/healthcare/consent-bypass.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/consent-bypass.js +0 -61
- package/dist/eval/fixtures/healthcare/consent-bypass.js.map +0 -1
- package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts +0 -24
- package/dist/eval/fixtures/healthcare/phi-in-logs.d.ts.map +0 -1
- package/dist/eval/fixtures/healthcare/phi-in-logs.js +0 -41
- package/dist/eval/fixtures/healthcare/phi-in-logs.js.map +0 -1
|
@@ -0,0 +1,207 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Sample agent certificate builder.
|
|
3
|
+
*
|
|
4
|
+
* Produces a realistic certificate body for the Vaspera Hardening MCP
|
|
5
|
+
* server itself — the dogfood. It reflects the actual hardened state of
|
|
6
|
+
* this codebase, so the sample doubles as proof the platform certifies
|
|
7
|
+
* its own primary use case.
|
|
8
|
+
*
|
|
9
|
+
* @module certification/agent-certificate-sample
|
|
10
|
+
*/
|
|
11
|
+
import { AGENT_CERTIFICATE_SCHEMA } from "./agent-certificate.js";
|
|
12
|
+
/**
|
|
13
|
+
* Build a sample certificate body certifying the vaspera-hardening MCP
|
|
14
|
+
* server. Values mirror the real hardening work landed this cycle.
|
|
15
|
+
*/
|
|
16
|
+
export function buildSampleCertificateBody(options) {
|
|
17
|
+
const { toolVersion, issuedAt, expiresAt, certificateId } = options;
|
|
18
|
+
return {
|
|
19
|
+
schemaVersion: AGENT_CERTIFICATE_SCHEMA,
|
|
20
|
+
certificateId,
|
|
21
|
+
subject: {
|
|
22
|
+
kind: "mcp-server",
|
|
23
|
+
name: "vaspera-hardening-mcp-server",
|
|
24
|
+
version: toolVersion,
|
|
25
|
+
identifier: "https://github.com/RCOLKITT/hardening-mcp",
|
|
26
|
+
description: "MCP server that certifies AI-generated code and AI agents for production readiness.",
|
|
27
|
+
},
|
|
28
|
+
issuer: {
|
|
29
|
+
name: "Vaspera",
|
|
30
|
+
tool: "vaspera-hardening-mcp",
|
|
31
|
+
toolVersion,
|
|
32
|
+
actor: { type: "system", id: "vaspera-self-certification" },
|
|
33
|
+
},
|
|
34
|
+
issuedAt,
|
|
35
|
+
expiresAt,
|
|
36
|
+
level: "CERTIFIED",
|
|
37
|
+
overallScore: 94,
|
|
38
|
+
dimensions: {
|
|
39
|
+
security: {
|
|
40
|
+
status: "pass",
|
|
41
|
+
score: 96,
|
|
42
|
+
summary: "Bearer-auth enforced on the HTTP surface, command injection eliminated across scanner adapters, untrusted paths contained, secrets redacted in logs.",
|
|
43
|
+
checks: [
|
|
44
|
+
{
|
|
45
|
+
id: "http-auth-required",
|
|
46
|
+
title: "HTTP MCP endpoint requires a bearer token (fails closed)",
|
|
47
|
+
status: "pass",
|
|
48
|
+
severity: "critical",
|
|
49
|
+
category: "auth-bypass",
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
id: "no-shell-exec",
|
|
53
|
+
title: "Scanner adapters use execFile (no string-concat shell)",
|
|
54
|
+
status: "pass",
|
|
55
|
+
severity: "critical",
|
|
56
|
+
category: "command-injection",
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
id: "path-containment",
|
|
60
|
+
title: "project_path and secondary file args are containment-checked",
|
|
61
|
+
status: "pass",
|
|
62
|
+
severity: "high",
|
|
63
|
+
category: "path-traversal",
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
id: "http-tool-policy",
|
|
67
|
+
title: "Only read-only tools are exposed over HTTP by default",
|
|
68
|
+
status: "pass",
|
|
69
|
+
severity: "high",
|
|
70
|
+
category: "excessive-agency",
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
id: "log-redaction",
|
|
74
|
+
title: "Secrets (incl. embedded tokens) redacted from logs",
|
|
75
|
+
status: "pass",
|
|
76
|
+
severity: "medium",
|
|
77
|
+
category: "sensitive-disclosure",
|
|
78
|
+
},
|
|
79
|
+
],
|
|
80
|
+
},
|
|
81
|
+
scalability: {
|
|
82
|
+
status: "pass",
|
|
83
|
+
score: 88,
|
|
84
|
+
summary: "Stateless per-request transport with a serialization mutex and a hard request timeout; no unbounded request bodies.",
|
|
85
|
+
checks: [
|
|
86
|
+
{
|
|
87
|
+
id: "request-timeout",
|
|
88
|
+
title: "Per-request timeout prevents a hung handler from wedging the endpoint",
|
|
89
|
+
status: "pass",
|
|
90
|
+
severity: "high",
|
|
91
|
+
category: "resource-exhaustion",
|
|
92
|
+
},
|
|
93
|
+
{
|
|
94
|
+
id: "body-size-cap",
|
|
95
|
+
title: "Request bodies capped at 10MB",
|
|
96
|
+
status: "pass",
|
|
97
|
+
severity: "medium",
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
id: "load-profile",
|
|
101
|
+
title: "Sustained-load profile not yet benchmarked",
|
|
102
|
+
status: "warn",
|
|
103
|
+
severity: "low",
|
|
104
|
+
detail: "Scalability benchmark is a planned addition.",
|
|
105
|
+
},
|
|
106
|
+
],
|
|
107
|
+
},
|
|
108
|
+
quality: {
|
|
109
|
+
status: "pass",
|
|
110
|
+
score: 93,
|
|
111
|
+
summary: "TypeScript strict mode, 1800+ passing tests, and a constitution-as-code ratchet that blocks new shell-exec / raw JSON.parse / bare throws.",
|
|
112
|
+
checks: [
|
|
113
|
+
{
|
|
114
|
+
id: "tests-green",
|
|
115
|
+
title: "Full test suite passes (97 files / 1839 tests)",
|
|
116
|
+
status: "pass",
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
id: "constitution-ratchet",
|
|
120
|
+
title: "Constitution baseline ratchet enforced in CI",
|
|
121
|
+
status: "pass",
|
|
122
|
+
},
|
|
123
|
+
{
|
|
124
|
+
id: "self-certify-gate",
|
|
125
|
+
title: "Self-certification is a blocking CI gate",
|
|
126
|
+
status: "pass",
|
|
127
|
+
},
|
|
128
|
+
{
|
|
129
|
+
id: "debt-baseline",
|
|
130
|
+
title: "Legacy JSON.parse/throw debt grandfathered (burning down)",
|
|
131
|
+
status: "warn",
|
|
132
|
+
severity: "low",
|
|
133
|
+
},
|
|
134
|
+
],
|
|
135
|
+
},
|
|
136
|
+
explainability: {
|
|
137
|
+
status: "pass",
|
|
138
|
+
score: 90,
|
|
139
|
+
summary: "Tamper-evident hash-chained audit trail records certification decisions; findings carry evidence and reproducible scoring.",
|
|
140
|
+
checks: [
|
|
141
|
+
{
|
|
142
|
+
id: "audit-hash-chain",
|
|
143
|
+
title: "Decision/audit entries are hash-chained (tamper-evident)",
|
|
144
|
+
status: "pass",
|
|
145
|
+
severity: "high",
|
|
146
|
+
},
|
|
147
|
+
{
|
|
148
|
+
id: "signed-evidence",
|
|
149
|
+
title: "Evidence bundles are digest-addressed and Sigstore-signable",
|
|
150
|
+
status: "pass",
|
|
151
|
+
},
|
|
152
|
+
{
|
|
153
|
+
id: "decision-provenance",
|
|
154
|
+
title: "Per-decision runtime provenance capture (planned extension)",
|
|
155
|
+
status: "warn",
|
|
156
|
+
severity: "low",
|
|
157
|
+
},
|
|
158
|
+
],
|
|
159
|
+
},
|
|
160
|
+
compliance: {
|
|
161
|
+
status: "pass",
|
|
162
|
+
score: 91,
|
|
163
|
+
summary: "Mapped to OWASP LLM Top 10 today; ISO 42001 / NIST AI RMF mappings staged as the next certification-layer addition.",
|
|
164
|
+
frameworks: [
|
|
165
|
+
{
|
|
166
|
+
framework: "OWASP-LLM",
|
|
167
|
+
controlsTotal: 10,
|
|
168
|
+
controlsSatisfied: 9,
|
|
169
|
+
controlsAtRisk: 1,
|
|
170
|
+
controlsFailed: 0,
|
|
171
|
+
},
|
|
172
|
+
{
|
|
173
|
+
framework: "NIST-AI-RMF",
|
|
174
|
+
controlsTotal: 4,
|
|
175
|
+
controlsSatisfied: 3,
|
|
176
|
+
controlsAtRisk: 1,
|
|
177
|
+
controlsFailed: 0,
|
|
178
|
+
controls: [
|
|
179
|
+
{ controlId: "GOVERN", title: "Governance & policy", status: "satisfied" },
|
|
180
|
+
{ controlId: "MAP", title: "Context mapping", status: "satisfied" },
|
|
181
|
+
{ controlId: "MEASURE", title: "Measurement & metrics", status: "at_risk" },
|
|
182
|
+
{ controlId: "MANAGE", title: "Risk management", status: "satisfied" },
|
|
183
|
+
],
|
|
184
|
+
},
|
|
185
|
+
],
|
|
186
|
+
},
|
|
187
|
+
aiBom: {
|
|
188
|
+
status: "pass",
|
|
189
|
+
score: 92,
|
|
190
|
+
summary: "Deterministic scanners + multi-model consensus + agent-security scanners; 110 MCP tools enumerated.",
|
|
191
|
+
components: [
|
|
192
|
+
{ name: "semgrep", kind: "tool", role: "SAST scanner" },
|
|
193
|
+
{ name: "trivy", kind: "tool", role: "SCA / IaC scanner" },
|
|
194
|
+
{ name: "gitleaks", kind: "tool", role: "secret scanner" },
|
|
195
|
+
{ name: "prompt-injection-fuzzer", kind: "tool", role: "agent-security scanner" },
|
|
196
|
+
{ name: "exfil-path-graph", kind: "tool", role: "agent-security scanner" },
|
|
197
|
+
{ name: "multi-model-consensus", kind: "model", role: "LLM analysis consensus" },
|
|
198
|
+
],
|
|
199
|
+
},
|
|
200
|
+
},
|
|
201
|
+
provenance: {
|
|
202
|
+
decisionRecords: 0,
|
|
203
|
+
},
|
|
204
|
+
evidence: [],
|
|
205
|
+
};
|
|
206
|
+
}
|
|
207
|
+
//# sourceMappingURL=agent-certificate-sample.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"agent-certificate-sample.js","sourceRoot":"","sources":["../../src/certification/agent-certificate-sample.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAYlE;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAsB;IAC/D,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IAEpE,OAAO;QACL,aAAa,EAAE,wBAAwB;QACvC,aAAa;QACb,OAAO,EAAE;YACP,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,WAAW;YACpB,UAAU,EAAE,2CAA2C;YACvD,WAAW,EACT,qFAAqF;SACxF;QACD,MAAM,EAAE;YACN,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,uBAAuB;YAC7B,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,4BAA4B,EAAE;SAC5D;QACD,QAAQ;QACR,SAAS;QACT,KAAK,EAAE,WAAW;QAClB,YAAY,EAAE,EAAE;QAChB,UAAU,EAAE;YACV,QAAQ,EAAE;gBACR,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,sJAAsJ;gBACxJ,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,oBAAoB;wBACxB,KAAK,EAAE,0DAA0D;wBACjE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,aAAa;qBACxB;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,wDAAwD;wBAC/D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,mBAAmB;qBAC9B;oBACD;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,8DAA8D;wBACrE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,gBAAgB;qBAC3B;oBACD;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,uDAAuD;wBAC9D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,kBAAkB;qBAC7B;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,oDAAoD;wBAC3D,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,sBAAsB;qBACjC;iBACF;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qHAAqH;gBACvH,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,iBAAiB;wBACrB,KAAK,EAAE,uEAAuE;wBAC9E,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,qBAAqB;qBAChC;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,+BAA+B;wBACtC,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,QAAQ;qBACnB;oBACD;wBACE,EAAE,EAAE,cAAc;wBAClB,KAAK,EAAE,4CAA4C;wBACnD,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;wBACf,MAAM,EAAE,8CAA8C;qBACvD;iBACF;aACF;YACD,OAAO,EAAE;gBACP,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,4IAA4I;gBAC9I,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,aAAa;wBACjB,KAAK,EAAE,gDAAgD;wBACvD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,sBAAsB;wBAC1B,KAAK,EAAE,8CAA8C;wBACrD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,mBAAmB;wBACvB,KAAK,EAAE,0CAA0C;wBACjD,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,eAAe;wBACnB,KAAK,EAAE,2DAA2D;wBAClE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;qBAChB;iBACF;aACF;YACD,cAAc,EAAE;gBACd,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,4HAA4H;gBAC9H,MAAM,EAAE;oBACN;wBACE,EAAE,EAAE,kBAAkB;wBACtB,KAAK,EAAE,0DAA0D;wBACjE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,MAAM;qBACjB;oBACD;wBACE,EAAE,EAAE,iBAAiB;wBACrB,KAAK,EAAE,6DAA6D;wBACpE,MAAM,EAAE,MAAM;qBACf;oBACD;wBACE,EAAE,EAAE,qBAAqB;wBACzB,KAAK,EAAE,6DAA6D;wBACpE,MAAM,EAAE,MAAM;wBACd,QAAQ,EAAE,KAAK;qBAChB;iBACF;aACF;YACD,UAAU,EAAE;gBACV,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qHAAqH;gBACvH,UAAU,EAAE;oBACV;wBACE,SAAS,EAAE,WAAW;wBACtB,aAAa,EAAE,EAAE;wBACjB,iBAAiB,EAAE,CAAC;wBACpB,cAAc,EAAE,CAAC;wBACjB,cAAc,EAAE,CAAC;qBAClB;oBACD;wBACE,SAAS,EAAE,aAAa;wBACxB,aAAa,EAAE,CAAC;wBAChB,iBAAiB,EAAE,CAAC;wBACpB,cAAc,EAAE,CAAC;wBACjB,cAAc,EAAE,CAAC;wBACjB,QAAQ,EAAE;4BACR,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,qBAAqB,EAAE,MAAM,EAAE,WAAW,EAAE;4BAC1E,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,WAAW,EAAE;4BACnE,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,MAAM,EAAE,SAAS,EAAE;4BAC3E,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,EAAE,WAAW,EAAE;yBACvE;qBACF;iBACF;aACF;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,EAAE;gBACT,OAAO,EACL,qGAAqG;gBACvG,UAAU,EAAE;oBACV,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE;oBACvD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,EAAE;oBAC1D,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,EAAE;oBAC1D,EAAE,IAAI,EAAE,yBAAyB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,EAAE;oBACjF,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,EAAE;oBAC1E,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE;iBACjF;aACF;SACF;QACD,UAAU,EAAE;YACV,eAAe,EAAE,CAAC;SACnB;QACD,QAAQ,EAAE,EAAE;KACb,CAAC;AACJ,CAAC"}
|