> @shepai/cli@1.166.0 dev:cli /Users/arielshadkhan/.shep/repos/fbfd7efb528913ed/wt/feat-supply-chain-security
> tsx src/presentation/cli/index.ts security enforce --output json

[DeploymentService] No dev servers to recover from database
{
  "passed": true,
  "mode": "Advisory",
  "policy": {
    "mode": "Advisory",
    "source": "settings-default",
    "evaluatedAt": "2026-04-05T18:03:45.766Z",
    "actionDispositions": [
      {
        "category": "DependencyInstall",
        "disposition": "Allowed"
      },
      {
        "category": "PackageScriptExec",
        "disposition": "Allowed"
      },
      {
        "category": "CiWorkflowModify",
        "disposition": "Allowed"
      },
      {
        "category": "PublishRelease",
        "disposition": "Allowed"
      },
      {
        "category": "SandboxEscalation",
        "disposition": "Allowed"
      }
    ]
  },
  "dependencyFindings": [
    {
      "packageName": "better-sqlite3",
      "version": "12.6.2",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"better-sqlite3\" has lifecycle scripts that execute during install: install",
      "remediation": "Review the lifecycle scripts in \"better-sqlite3\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "i18next",
      "version": "26.0.1",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"i18next\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"i18next\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "minimatch",
      "version": "7.4.9",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"minimatch\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"minimatch\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "react-i18next",
      "version": "17.0.1",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"react-i18next\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"react-i18next\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "eslint-plugin-storybook",
      "version": "0.12.0",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"eslint-plugin-storybook\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"eslint-plugin-storybook\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "jsdom",
      "version": "28.0.0",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"jsdom\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"jsdom\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    },
    {
      "packageName": "tsc-alias",
      "version": "1.8.16",
      "severity": "Medium",
      "riskType": "LifecycleScript",
      "message": "Package \"tsc-alias\" has lifecycle scripts that execute during install: prepare",
      "remediation": "Review the lifecycle scripts in \"tsc-alias\" or add it to the allowlist if trusted. Consider using --ignore-scripts during install."
    }
  ],
  "releaseIntegrity": {
    "checks": [
      {
        "checkType": "CiOnlyPublishing",
        "passed": true,
        "message": "CI workflow files found. Publishing is configured for CI execution.",
        "severity": "Critical"
      },
      {
        "checkType": "SecretConfiguration",
        "passed": true,
        "message": "Tokens are properly referenced using ${{ secrets.* }} expressions.",
        "severity": "Critical"
      },
      {
        "checkType": "ProvenanceConfiguration",
        "passed": false,
        "message": "npm publish command found without --provenance flag. Add --provenance to generate SLSA provenance attestations.",
        "severity": "Medium"
      },
      {
        "checkType": "WorkflowIntegrity",
        "passed": true,
        "message": "semantic-release is configured in CI workflows.",
        "severity": "Medium"
      }
    ],
    "passed": false
  },
  "governanceFindings": [
    {
      "category": "BranchProtection",
      "severity": "High",
      "message": "Branch \"main\" has no branch protection rules configured.",
      "remediation": "Enable branch protection for \"main\" in repository settings. Require pull request reviews and status checks."
    },
    {
      "category": "Codeowners",
      "severity": "Medium",
      "message": "No CODEOWNERS file found in the repository.",
      "remediation": "Add a CODEOWNERS file to the repository root or .github/ directory to enforce code review ownership."
    }
  ],
  "totalFindings": 8
}