fix(policies): widen floating-pin detection + pin CycloneDX tool version

Address Codex review findings (stackbilt_llc#12):

1. Broaden floating-ref regex from @vN-only to any non-SHA ref.
   Old: `@v[\d]+` — missed @main, @master, semver tags (@v4.3.1)
   New: `@(?![0-9a-f]{40}(?:\s|$|#))` — flags everything except a
   40-char hex SHA. Applies to detect.ts, patch.ts, and the embedded
   FLOATING_PIN_PATTERN constant in generate.ts.

2. resolveActionSha now also queries refs/heads/<tag> so branch refs
   (@main, @master) can be patched to commit SHAs.

3. Test mock updated to return correct ref lines for both tag and branch
   lookups; adds @main branch-ref patch test.

Governed-By: Stackbilt-dev/stackbilt_llc#11
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kovermier

packages/cli/src/__tests__/stamp-policies.test.ts

@@ -26,6 +26,7 @@ function makeOptions(overrides: Partial<CLIOptions> = {}): CLIOptions {
 }
 
 const FAKE_REF = 'a'.repeat(40);
+const fakeConfig = { packageManager: 'npm' as const, nodeVersion: '20', existingWorkflows: [], floatingPins: [], hasSupplyChainWorkflow: false };
 
 beforeEach(() => {
   vi.clearAllMocks();
@@ -36,6 +37,7 @@ beforeEach(() => {
   });
   // Default: apply returns updated
   mockApply.mockResolvedValue({
+    config: fakeConfig,
     pinsPatched: 2,
     workflowsPatched: ['.github/workflows/ci.yml'],
     supplyChainWorkflowAdded: true,
@@ -83,6 +85,7 @@ describe('stampPoliciesCommand', () => {
 
   it('returns exit 0 when already compliant', async () => {
     mockApply.mockResolvedValue({
+      config: fakeConfig,
       pinsPatched: 0,
       workflowsPatched: [],
       supplyChainWorkflowAdded: false,

packages/policies/src/__tests__/policies.test.ts

@@ -21,15 +21,22 @@ function makeTempRepo(files: Record<string, string>): string {
   return dir;
 }
 
-// Mock child_process.exec so tests never hit GitHub
+const FAKE_SHA = 'a'.repeat(40);
+
+// Mock child_process.exec so tests never hit GitHub.
+// Returns a line for each ref type so both tag (@vN) and branch (@main) lookups resolve.
 vi.mock('node:child_process', () => ({
   exec: (
-    _cmd: string,
+    cmd: string,
     _opts: unknown,
     cb: (err: null, stdout: string) => void,
   ) => {
-    // Return a fake 40-char SHA for any tag lookup
-    cb(null, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v4\n');
+    const tagM = cmd.match(/"refs\/tags\/([^"^]+)"/);
+    const branchM = cmd.match(/"refs\/heads\/([^"]+)"/);
+    const lines: string[] = [];
+    if (tagM) lines.push(`${FAKE_SHA}\trefs/tags/${tagM[1]}`);
+    if (branchM) lines.push(`${FAKE_SHA}\trefs/heads/${branchM[1]}`);
+    cb(null, (lines.length ? lines.join('\n') : `${FAKE_SHA}\trefs/tags/v4`) + '\n');
   },
 }));
 
@@ -59,17 +66,19 @@ jobs:
     expect(detectRepoConfig(dir).packageManager).toBe('pnpm');
   });
 
-  it('detects floating pins in workflow', () => {
+  it('detects floating pins in workflow — tags and branch refs', () => {
     const dir = makeTempRepo({
       '.github/workflows/ci.yml': `
 steps:
   - uses: actions/checkout@v4
   - uses: actions/setup-node@v4
+  - uses: actions/cache@main
 `,
     });
     const config = detectRepoConfig(dir);
-    expect(config.floatingPins).toHaveLength(2);
+    expect(config.floatingPins).toHaveLength(3);
     expect(config.floatingPins[0].tag).toBe('v4');
+    expect(config.floatingPins[2].tag).toBe('main');
   });
 
   it('does not flag SHA-pinned or local refs as floating', () => {
@@ -104,7 +113,14 @@ describe('patchFloatingActionPins', () => {
     const content = `steps:\n  - uses: actions/checkout@v4\n`;
     const { patched, replacements } = await patchFloatingActionPins(content);
     expect(replacements).toHaveLength(1);
-    expect(patched).toContain('actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4');
+    expect(patched).toContain(`actions/checkout@${FAKE_SHA} # v4`);
+  });
+
+  it('replaces @main branch ref with mocked SHA + comment', async () => {
+    const content = `steps:\n  - uses: actions/cache@main\n`;
+    const { patched, replacements } = await patchFloatingActionPins(content);
+    expect(replacements).toHaveLength(1);
+    expect(patched).toContain(`actions/cache@${FAKE_SHA} # main`);
   });
 
   it('leaves SHA-pinned lines unchanged', async () => {
@@ -203,7 +219,7 @@ describe('applyPolicies', () => {
     expect(fs.existsSync(path.join(dir, '.github/workflows/supply-chain.yml'))).toBe(true);
     // pin patched
     const ciContent = fs.readFileSync(path.join(dir, '.github/workflows/ci.yml'), 'utf-8');
-    expect(ciContent).toContain('@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4');
+    expect(ciContent).toContain(`@${FAKE_SHA} # v4`);
     // charter config created
     expect(fs.existsSync(path.join(dir, '.charter/config.json'))).toBe(true);
     // floating-action-pins pattern installed

packages/policies/src/detect.ts

@@ -16,8 +16,9 @@ export interface RepoConfig {
   hasSupplyChainWorkflow: boolean;
 }
 
-// Matches `uses: owner/action@vN[.N.N]` — excludes local (./) and Stackbilt-dev refs
-const FLOATING_PIN_LINE_RE = /uses:\s+(?!Stackbilt-dev\/)(?!\.\/)[^\s@]+@(v[\d][\d.]*)/;
+// Matches any non-SHA ref (@vN, @main, @master, semver tags) — excludes local (./) and Stackbilt-dev refs.
+// A 40-char hex SHA followed by whitespace, EOL, or # comment is the only exempt form.
+const FLOATING_PIN_LINE_RE = /uses:\s+(?!Stackbilt-dev\/)(?!\.\/)[^\s@]+@(?![0-9a-f]{40}(\s|$|#))(\S+)/;
 
 export function detectRepoConfig(repoPath: string): RepoConfig {
   const abs = path.resolve(repoPath);
@@ -44,7 +45,7 @@ export function detectRepoConfig(repoPath: string): RepoConfig {
     content.split('\n').forEach((line, idx) => {
       const m = line.match(FLOATING_PIN_LINE_RE);
       if (m) {
-        floatingPins.push({ file: wfPath, line: idx + 1, uses: line.trim(), tag: m[1] });
+        floatingPins.push({ file: wfPath, line: idx + 1, uses: line.trim(), tag: m[2] });
       }
     });
   }

packages/policies/src/generate.ts

@@ -29,11 +29,11 @@ export const FLOATING_PIN_PATTERN = {
   name: 'Floating Action Pins',
   category: 'SECURITY',
   status: 'ACTIVE',
-  anti_patterns: 'uses: (?!Stackbilt-dev/)(?!\\./)[^@]+@v[\\d]',
+  anti_patterns: 'uses: (?!Stackbilt-dev/)(?!\\./)[^\\s@]+@(?![0-9a-f]{40}(\\s|$|#))[^\\s]',
   blessed_solution:
     'Pin to full commit SHA with a # vX.Y.Z comment: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4',
   rationale:
-    'Tag-based action pins are mutable — a supply chain attacker can move the tag to a malicious commit. SHA pins are immutable.',
+    'Any non-SHA ref (@vN, @main, @master, semver tags) is mutable — only a 40-char hex SHA is immutable.',
   created_at: '2026-05-20T00:00:00.000Z',
 } as const;
 

packages/policies/src/patch.ts

@@ -11,8 +11,9 @@ export interface PatchResult {
   replacements: PatchReplacement[];
 }
 
-// Matches a `uses:` line with a floating tag — excludes local and Stackbilt-dev refs
-const FLOATING_USES_RE = /^(\s*-?\s*uses:\s+)((?!Stackbilt-dev\/)(?!\.\/)[^\s@]+)@(v[\d][\d.]*)(.*)$/;
+// Matches any non-SHA ref (@vN, @main, @master, semver) — excludes local (./) and Stackbilt-dev refs.
+// A 40-char hex SHA is the only exempt form.
+const FLOATING_USES_RE = /^(\s*-?\s*uses:\s+)((?!Stackbilt-dev\/)(?!\.\/)[^\s@]+)@(?![0-9a-f]{40}(?:\s|$|#))([^\s#]+)(.*)$/;
 
 export async function patchFloatingActionPins(content: string): Promise<PatchResult> {
   const replacements: PatchReplacement[] = [];
@@ -46,14 +47,15 @@ export async function patchFloatingActionPins(content: string): Promise<PatchRes
 function resolveActionSha(action: string, tag: string): Promise<string | null> {
   return new Promise((resolve) => {
     const url = `https://github.com/${action}`;
-    const cmd = `git ls-remote "${url}" "refs/tags/${tag}" "refs/tags/${tag}^{}"`;
+    // Try annotated tag deref, plain tag, then branch head (covers @main, @master, etc.)
+    const cmd = `git ls-remote "${url}" "refs/tags/${tag}" "refs/tags/${tag}^{}" "refs/heads/${tag}"`;
     exec(cmd, { timeout: 20000 }, (err, stdout) => {
       if (err || !stdout.trim()) { resolve(null); return; }
       const lines = stdout.trim().split('\n');
-      // Prefer dereferenced annotated tag (^{}) — gives the commit SHA, not tag object SHA
       const deref = lines.find((l) => l.includes(`refs/tags/${tag}^{}`));
       const plain = lines.find((l) => l.includes(`refs/tags/${tag}`) && !l.includes('^{}'));
-      const winner = deref ?? plain;
+      const branch = lines.find((l) => l.includes(`refs/heads/${tag}`));
+      const winner = deref ?? plain ?? branch;
       if (!winner) { resolve(null); return; }
       const sha = winner.split('\t')[0].trim();
       resolve(sha.length === 40 ? sha : null);