feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/attestor/schemas/calibration-manifest.schema.json
+++ b/docs/attestor/schemas/calibration-manifest.schema.json
@@ -0,0 +1,169 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/calibration-manifest/1.0.0",
+  "title": "Calibration Manifest",
+  "description": "Record of trust vector calibration based on post-mortem truth comparison",
+  "type": "object",
+  "required": ["manifestId", "sourceId", "epochNumber", "calibratedAt"],
+  "properties": {
+    "manifestId": {
+      "type": "string",
+      "description": "Unique identifier for this calibration record"
+    },
+    "sourceId": {
+      "type": "string",
+      "description": "VEX source being calibrated"
+    },
+    "tenant": {
+      "type": "string",
+      "description": "Tenant scope (optional for global calibration)"
+    },
+    "epochNumber": {
+      "type": "integer",
+      "description": "Calibration epoch number",
+      "minimum": 1
+    },
+    "previousVector": {
+      "$ref": "#/$defs/TrustVectorValues"
+    },
+    "calibratedVector": {
+      "$ref": "#/$defs/TrustVectorValues"
+    },
+    "delta": {
+      "$ref": "#/$defs/CalibrationDelta"
+    },
+    "comparison": {
+      "$ref": "#/$defs/ComparisonResult"
+    },
+    "detectedBias": {
+      "type": "string",
+      "description": "Detected bias type, if any",
+      "enum": ["optimistic_bias", "pessimistic_bias", "scope_bias", "none"]
+    },
+    "configuration": {
+      "$ref": "#/$defs/CalibrationConfiguration"
+    },
+    "calibratedAt": {
+      "type": "string",
+      "description": "When calibration was performed",
+      "format": "date-time"
+    },
+    "manifestDigest": {
+      "type": "string",
+      "description": "SHA256 digest of this manifest",
+      "pattern": "^sha256:[a-f0-9]{64}$"
+    }
+  },
+  "$defs": {
+    "TrustVectorValues": {
+      "type": "object",
+      "description": "Trust vector component values",
+      "required": ["provenance", "coverage", "replayability"],
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "coverage": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "replayability": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1
+        }
+      }
+    },
+    "CalibrationDelta": {
+      "type": "object",
+      "description": "Adjustment applied to trust vector",
+      "properties": {
+        "deltaP": {
+          "type": "number",
+          "description": "Change in provenance score"
+        },
+        "deltaC": {
+          "type": "number",
+          "description": "Change in coverage score"
+        },
+        "deltaR": {
+          "type": "number",
+          "description": "Change in replayability score"
+        }
+      }
+    },
+    "ComparisonResult": {
+      "type": "object",
+      "description": "Result of comparing claims to post-mortem truth",
+      "required": ["sourceId", "accuracy"],
+      "properties": {
+        "sourceId": {
+          "type": "string"
+        },
+        "accuracy": {
+          "type": "number",
+          "description": "Accuracy score (0-1)",
+          "minimum": 0,
+          "maximum": 1
+        },
+        "totalClaims": {
+          "type": "integer",
+          "description": "Total claims evaluated",
+          "minimum": 0
+        },
+        "correctClaims": {
+          "type": "integer",
+          "description": "Claims matching post-mortem truth",
+          "minimum": 0
+        },
+        "evaluationPeriodStart": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "evaluationPeriodEnd": {
+          "type": "string",
+          "format": "date-time"
+        }
+      }
+    },
+    "CalibrationConfiguration": {
+      "type": "object",
+      "description": "Configuration used for calibration",
+      "properties": {
+        "learningRate": {
+          "type": "number",
+          "description": "Learning rate per epoch",
+          "default": 0.02
+        },
+        "maxAdjustmentPerEpoch": {
+          "type": "number",
+          "description": "Maximum adjustment per epoch",
+          "default": 0.05
+        },
+        "minValue": {
+          "type": "number",
+          "description": "Minimum trust component value",
+          "default": 0.10
+        },
+        "maxValue": {
+          "type": "number",
+          "description": "Maximum trust component value",
+          "default": 1.00
+        },
+        "momentumFactor": {
+          "type": "number",
+          "description": "Momentum factor for smoothing",
+          "default": 0.9
+        },
+        "accuracyThreshold": {
+          "type": "number",
+          "description": "Threshold above which no calibration is needed",
+          "default": 0.95
+        }
+      }
+    }
+  }
+}