feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/09_API_CLI_REFERENCE.md
+++ b/docs/09_API_CLI_REFERENCE.md
@@ -1185,6 +1185,112 @@ Default **40 requests / second / token**.

 ---

+## 6.1 Trust Lattice API
+
+The Trust Lattice API provides endpoints for VEX claim scoring, verdict management, and calibration.
+
+### 6.1.1 Score Claims
+
+Score VEX claims using the trust lattice algorithm.
+
+```
+POST /api/v1/trustlattice/score
+Authorization: Bearer <token with vex.read>
+Content-Type: application/json
+```
+
+**Request:**
+
+```json
+{
+  "claims": [
+    {
+      "sourceId": "vendor:redhat",
+      "status": "not_affected",
+      "scopeSpecificity": 3,
+      "issuedAt": "2025-12-20T10:00:00Z",
+      "strength": "ConfigWithEvidence"
+    }
+  ],
+  "trustVectorVersion": "2025-12-01",
+  "evaluationTime": "2025-12-22T10:00:00Z"
+}
+```
+
+**Response 200:**
+
+```json
+{
+  "scores": [
+    {
+      "sourceId": "vendor:redhat",
+      "baseTrust": 0.77,
+      "strengthMultiplier": 0.80,
+      "freshnessMultiplier": 0.98,
+      "claimScore": 0.60
+    }
+  ],
+  "evaluatedAt": "2025-12-22T10:00:00Z"
+}
+```
+
+### 6.1.2 Merge Claims
+
+Merge scored claims into a verdict using the lattice algorithm.
+
+```
+POST /api/v1/trustlattice/merge
+Authorization: Bearer <token with vex.read>
+Content-Type: application/json
+```
+
+**Response 200:**
+
+```json
+{
+  "status": "not_affected",
+  "confidence": 0.82,
+  "hasConflicts": true,
+  "winningClaim": {
+    "sourceId": "vendor:redhat",
+    "status": "not_affected",
+    "adjustedScore": 0.40
+  },
+  "conflicts": [
+    { "sourceId": "hub:osv", "status": "affected", "reason": "status_conflict" }
+  ]
+}
+```
+
+### 6.1.3 Get Verdict Manifest
+
+```
+GET /api/v1/authority/verdicts/{manifestId}
+Authorization: Bearer <token with authority.verdicts.read>
+```
+
+Returns a stored verdict manifest with signature and optional Rekor entry.
+
+### 6.1.4 Replay Verdict
+
+```
+POST /api/v1/authority/verdicts/{manifestId}/replay
+Authorization: Bearer <token with authority.verdicts.replay>
+```
+
+Verifies a verdict can be reproduced from pinned inputs.
+
+### 6.1.5 Calibration Endpoints
+
+```
+POST /api/v1/calibration/epoch          # Trigger calibration
+GET  /api/v1/calibration/manifests/{id} # Get calibration history
+```
+
+See `docs/modules/excititor/trust-lattice.md` for complete API details.
+
+---
+
 ## 7 Planned Changes (Beyond 6 Months)

 These stay in *Feature Matrix → To Do* until design is frozen.