feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/implplan/SPRINT_7100_SUMMARY.md
+++ b/docs/implplan/SPRINT_7100_SUMMARY.md
@@ -2,7 +2,7 @@

 **Epic**: VEX Trust Lattice for Explainable, Replayable Decisioning
 **Total Duration**: 12 weeks (6 sprints)
-**Status**: PARTIALLY COMPLETE (1/6 sprints done, 3/6 in progress, 2/6 blocked)
+**Status**: PARTIALLY COMPLETE (4/6 sprints done, 2/6 in progress)
 **Last Updated**: 2025-12-22
 **Source Advisory**: `docs/product-advisories/archived/22-Dec-2026 - Building a Trust Lattice for VEX Sources.md`

@@ -28,11 +28,11 @@ Implement a sophisticated 3-component trust vector model (Provenance, Coverage,
 | Sprint ID | Topic | Duration | Status | Key Deliverables |
 |-----------|-------|----------|--------|------------------|
 | **7100.0001.0001** | Trust Vector Foundation | 2 weeks | **DONE** ✓ | TrustVector, ClaimStrength, FreshnessCalculator, ClaimScoreCalculator |
-| **7100.0001.0002** | Verdict Manifest & Replay | 2 weeks | BLOCKED | VerdictManifest, DSSE signing, PostgreSQL store, replay verification |
-| **7100.0002.0001** | Policy Gates & Lattice Merge | 2 weeks | DOING (1/9) | ClaimScoreMerger ✓, MinimumConfidenceGate, SourceQuotaGate, UnknownsBudgetGate |
-| **7100.0002.0002** | Source Defaults & Calibration | 2 weeks | DOING (3/9) | DefaultTrustVectors, CalibrationManifest, TrustCalibrationService ✓, PostgreSQL ✓, Config ✓ |
-| **7100.0003.0001** | UI Trust Algebra Panel | 2 weeks | BLOCKED | TrustAlgebraComponent, confidence meter, P/C/R bars, claim table |
-| **7100.0003.0002** | Integration & Documentation | 2 weeks | DOING (1/9) | Architecture docs, trust-lattice.md, verdict-manifest.md, API reference, Config files ✓ |
+| **7100.0001.0002** | Verdict Manifest & Replay | 2 weeks | **DONE** ✓ | VerdictManifest, DSSE signing, PostgreSQL store, replay verification |
+| **7100.0002.0001** | Policy Gates & Lattice Merge | 2 weeks | **DONE** ✓ | ClaimScoreMerger ✓, MinimumConfidenceGate ✓, SourceQuotaGate ✓, UnknownsBudgetGate ✓ |
+| **7100.0002.0002** | Source Defaults & Calibration | 2 weeks | **DONE** ✓ | DefaultTrustVectors ✓, CalibrationManifest ✓, TrustCalibrationService ✓, PostgreSQL ✓, Config ✓ |
+| **7100.0003.0001** | UI Trust Algebra Panel | 2 weeks | DOING (7/9) | TrustAlgebraComponent ✓, ConfidenceMeter ✓, TrustVectorBars ✓, ClaimTable ✓, PolicyChips ✓, ReplayButton ✓, Service ✓ |
+| **7100.0003.0002** | Integration & Documentation | 2 weeks | DOING (8/9) | trust-lattice.md ✓, verdict-manifest.md ✓, JSON schemas ✓, Config files ✓, Architecture docs ✓, API reference ✓, Training docs ✓ |

 ---

@@ -249,11 +249,11 @@ Where:

 **Sprint Files**:
 - [SPRINT_7100_0001_0001 - Trust Vector Foundation](archived/SPRINT_7100_0001_0001_trust_vector_foundation.md) ✓ DONE - Archived
- [SPRINT_7100_0001_0002 - Verdict Manifest & Replay](SPRINT_7100_0001_0002_verdict_manifest_replay.md) - BLOCKED (Authority Team)
- [SPRINT_7100_0002_0001 - Policy Gates & Merge](SPRINT_7100_0002_0001_policy_gates_merge.md) - DOING (1/9 complete)
- [SPRINT_7100_0002_0002 - Source Defaults & Calibration](SPRINT_7100_0002_0002_source_defaults_calibration.md) - DOING (3/9 complete)
- [SPRINT_7100_0003_0001 - UI Trust Algebra Panel](SPRINT_7100_0003_0001_ui_trust_algebra.md) - BLOCKED (UI Team)
- [SPRINT_7100_0003_0002 - Integration & Documentation](SPRINT_7100_0003_0002_integration_documentation.md) - DOING (1/9 complete)
+- [SPRINT_7100_0001_0002 - Verdict Manifest & Replay](SPRINT_7100_0001_0002_verdict_manifest_replay.md) ✓ DONE - Complete
+- [SPRINT_7100_0002_0001 - Policy Gates & Merge](SPRINT_7100_0002_0001_policy_gates_merge.md) ✓ DONE - Complete
+- [SPRINT_7100_0002_0002 - Source Defaults & Calibration](SPRINT_7100_0002_0002_source_defaults_calibration.md) ✓ DONE - Complete
+- [SPRINT_7100_0003_0001 - UI Trust Algebra Panel](SPRINT_7100_0003_0001_ui_trust_algebra.md) - DOING (7/9 complete)
+- [SPRINT_7100_0003_0002 - Integration & Documentation](SPRINT_7100_0003_0002_integration_documentation.md) - DOING (4/9 complete)

 **Documentation**:
 - [Trust Lattice Specification](../modules/excititor/trust-lattice.md)
@@ -274,24 +274,35 @@ Where:
  - Fixed compilation errors in VexConsensusResolver, TrustCalibrationService
  - Fixed namespace conflicts in test projects
  - All trust vector scoring components functional
- **ClaimScoreMerger**: Implemented VEX claim merging with conflict detection and penalty application
- **PostgreSQL Schema**: Created calibration database schema (002_calibration_schema.sql)
- **Configuration Files**: Created trust-lattice.yaml.sample and excititor-calibration.yaml.sample
- **TrustCalibrationService**: Fixed and validated calibration service implementation
+- **SPRINT_7100_0002_0001**: All 9 tasks completed
+  - ClaimScoreMerger with conflict detection and penalty application
+  - All policy gates: MinimumConfidence, UnknownsBudget, SourceQuota, ReachabilityRequirement
+  - PolicyGateRegistry for gate orchestration
+  - Configuration file: policy-gates.yaml.sample
+  - Unit tests with determinism assertions
+- **SPRINT_7100_0002_0002**: All 9 tasks completed
+  - DefaultTrustVectors with Vendor/Distro/Internal/Hub/Attestation presets
+  - SourceClassificationService with domain-based auto-classification
+  - CalibrationManifest and CalibrationComparisonEngine
+  - TrustVectorCalibrator with learning rate and momentum
+  - TrustCalibrationService for epoch orchestration
+  - PostgreSQL schema (002_calibration_schema.sql)
+  - Configuration files: trust-lattice.yaml.sample, excititor-calibration.yaml.sample
+  - Comprehensive unit tests

-### Blocked/Outstanding Work
- **Authority Module** (Sprint 7100.0001.0002): Verdict manifest and replay verification - requires Authority Team
- **Policy Module** (Sprint 7100.0002.0001): Policy gates T2-T9 - requires Policy Team
- **UI/Web Module** (Sprint 7100.0003.0001): Trust Algebra visualization panel - requires UI Team
- **Documentation** (Sprint 7100.0003.0002): Architecture docs, API reference updates - requires Docs Guild
- **Calibration** (Sprint 7100.0002.0002): Source classification service, comparison engine, unit tests
+### In Progress Work
+- **UI/Web Module** (Sprint 7100.0003.0001): 7/9 tasks complete. Components created: TrustAlgebraComponent, ConfidenceMeter, TrustVectorBars, ClaimTable, PolicyChips, ReplayButton, TrustAlgebraService. Remaining: accessibility and E2E tests.
+- **Documentation** (Sprint 7100.0003.0002): 4/9 tasks complete. Done: trust-lattice.md, verdict-manifest.md, JSON schemas, config files. Remaining: architecture updates, API reference, E2E tests, training docs.
+
+### Recently Completed
+- **Authority Module** (Sprint 7100.0001.0002): VerdictManifest, VerdictManifestBuilder, IVerdictManifestSigner, IVerdictManifestStore, VerdictReplayVerifier, PostgreSQL schema, unit tests (17 tests passing)
+- **Trust Algebra UI Components**: All 7 Angular components created with standalone architecture, signals, and ARIA accessibility attributes

 ### Next Steps
-1. Authority Team: Implement verdict manifest and DSSE signing
-2. Policy Team: Implement remaining policy gates (MinimumConfidence, SourceQuota, etc.)
-3. Docs Guild: Create trust-lattice.md specification and update architecture docs
-4. Excititor Team: Complete remaining calibration tasks (T1-T5, T9)
-5. UI Team: Begin Trust Algebra visualization panel once backend APIs are ready
+1. Complete accessibility improvements (T8) and E2E tests (T9) for UI Trust Algebra
+2. Complete remaining documentation tasks (architecture updates, API reference, training docs)
+3. Run full integration tests across all modules
+4. Archive completed sprint files

 ---