@aspruyt/xfg 3.7.5 → 3.7.7

package/dist/{config.js → config/loader.js}

@@ -1,31 +1,10 @@
 import { readFileSync } from "node:fs";
 import { dirname } from "node:path";
 import { parse } from "yaml";
-import { validateRawConfig } from "./config-validator.js";
-import { normalizeConfig as normalizeConfigInternal } from "./config-normalizer.js";
-export { normalizeConfigInternal as normalizeConfig };
+import { validateRawConfig } from "./validator.js";
+import { normalizeConfig as normalizeConfigInternal } from "./normalizer.js";
 import { resolveFileReferencesInConfig } from "./file-reference-resolver.js";
-// Re-export formatter functions for backwards compatibility
-export { convertContentToString } from "./config-formatter.js";
-/**
- * Maps Ruleset config keys (camelCase) to GitHub API keys (snake_case).
- * TypeScript enforces this stays in sync with the Ruleset interface.
- */
-const RULESET_FIELD_MAP = {
-    target: "target",
-    enforcement: "enforcement",
-    bypassActors: "bypass_actors",
-    conditions: "conditions",
-    rules: "rules",
-};
-/**
- * Set of snake_case field names that are comparable between config and API.
- * Used as an allowlist — any API response field not in this set is ignored.
- */
-export const RULESET_COMPARABLE_FIELDS = new Set(Object.values(RULESET_FIELD_MAP));
-// =============================================================================
-// Public API
-// =============================================================================
+export { normalizeConfigInternal as normalizeConfig };
 /**
  * Load and validate raw config without normalization.
  * Use this when you need to perform command-specific validation before normalizing.

package/dist/{config-normalizer.d.ts → config/normalizer.d.ts}

@@ -1,4 +1,4 @@
-import type { RawConfig, Config, RepoSettings, RawRepoSettings } from "./config.js";
+import type { RawConfig, Config, RepoSettings, RawRepoSettings } from "./types.js";
 /**
  * Merges settings: per-repo settings deep merge with root settings.
  * Returns undefined if no settings are defined.

package/dist/{config-normalizer.js → config/normalizer.js}

@@ -1,5 +1,5 @@
 import { deepMerge, stripMergeDirectives, createMergeContext, isTextContent, mergeTextContent, } from "./merge.js";
-import { interpolateContent } from "./env.js";
+import { interpolateContent } from "../shared/env.js";
 /**
  * Normalizes header to array format.
  */

package/dist/{config.d.ts → config/types.d.ts}

@@ -1,7 +1,4 @@
 import type { ArrayMergeStrategy } from "./merge.js";
-import { normalizeConfig as normalizeConfigInternal } from "./config-normalizer.js";
-export { normalizeConfigInternal as normalizeConfig };
-export { convertContentToString } from "./config-formatter.js";
 export type MergeMode = "manual" | "auto" | "force" | "direct";
 export type MergeStrategy = "merge" | "squash" | "rebase";
 export interface PRMergeOptions {
@@ -210,6 +207,11 @@ export interface Ruleset {
     /** Rules to enforce */
     rules?: RulesetRule[];
 }
+/**
+ * Maps Ruleset config keys (camelCase) to GitHub API keys (snake_case).
+ * TypeScript enforces this stays in sync with the Ruleset interface.
+ */
+export declare const RULESET_FIELD_MAP: Record<keyof Ruleset, string>;
 /**
  * Set of snake_case field names that are comparable between config and API.
  * Used as an allowlist — any API response field not in this set is ignored.
@@ -337,9 +339,3 @@ export interface Config {
     deleteOrphaned?: boolean;
     settings?: RepoSettings;
 }
-/**
- * Load and validate raw config without normalization.
- * Use this when you need to perform command-specific validation before normalizing.
- */
-export declare function loadRawConfig(filePath: string): RawConfig;
-export declare function loadConfig(filePath: string): Config;

package/dist/config/types.js

@@ -0,0 +1,16 @@
+/**
+ * Maps Ruleset config keys (camelCase) to GitHub API keys (snake_case).
+ * TypeScript enforces this stays in sync with the Ruleset interface.
+ */
+export const RULESET_FIELD_MAP = {
+    target: "target",
+    enforcement: "enforcement",
+    bypassActors: "bypass_actors",
+    conditions: "conditions",
+    rules: "rules",
+};
+/**
+ * Set of snake_case field names that are comparable between config and API.
+ * Used as an allowlist — any API response field not in this set is ignored.
+ */
+export const RULESET_COMPARABLE_FIELDS = new Set(Object.values(RULESET_FIELD_MAP));

package/dist/{config-validator.d.ts → config/validator.d.ts}

@@ -1,13 +1,13 @@
-import type { RawConfig, RawRepoSettings } from "./config.js";
+import type { RawConfig, RawRepoSettings } from "./types.js";
+/**
+ * Validates settings object containing rulesets.
+ */
+export declare function validateSettings(settings: unknown, context: string, rootRulesetNames?: string[], hasRootRepoSettings?: boolean): void;
 /**
  * Validates raw config structure before normalization.
  * @throws Error if validation fails
  */
 export declare function validateRawConfig(config: RawConfig): void;
-/**
- * Validates settings object containing rulesets.
- */
-export declare function validateSettings(settings: unknown, context: string, rootRulesetNames?: string[], hasRootRepoSettings?: boolean): void;
 /**
  * Validates that config is suitable for the sync command.
  * @throws Error if files section is missing or empty

package/dist/{config-validator.js → config/validator.js}

@@ -1,29 +1,67 @@
-import { extname, isAbsolute } from "node:path";
-const VALID_STRATEGIES = ["replace", "append", "prepend"];
-/**
- * Check if content is text type (string or string[]).
- */
-function isTextContent(content) {
-    return (typeof content === "string" ||
-        (Array.isArray(content) &&
-            content.every((item) => typeof item === "string")));
-}
-/**
- * Check if content is object type (for JSON/YAML output).
- */
-function isObjectContent(content) {
-    return (typeof content === "object" && content !== null && !Array.isArray(content));
+import { isTextContent, isObjectContent, isStructuredFileExtension, validateFileName, VALID_STRATEGIES, } from "./validators/file-validator.js";
+import { validateRepoSettings } from "./validators/repo-settings-validator.js";
+import { validateRuleset } from "./validators/ruleset-validator.js";
+// Pattern for valid config ID: alphanumeric, hyphens, underscores
+const CONFIG_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const CONFIG_ID_MAX_LENGTH = 64;
+function getGitDisplayName(git) {
+    if (Array.isArray(git)) {
+        return git[0] || "unknown";
+    }
+    return git;
 }
 /**
- * Check if file extension is for structured output (JSON/YAML).
+ * Validates settings object containing rulesets.
  */
-function isStructuredFileExtension(fileName) {
-    const ext = extname(fileName).toLowerCase();
-    return (ext === ".json" || ext === ".json5" || ext === ".yaml" || ext === ".yml");
+export function validateSettings(settings, context, rootRulesetNames, hasRootRepoSettings) {
+    if (typeof settings !== "object" ||
+        settings === null ||
+        Array.isArray(settings)) {
+        throw new Error(`${context}: settings must be an object`);
+    }
+    const s = settings;
+    if (s.rulesets !== undefined) {
+        if (typeof s.rulesets !== "object" ||
+            s.rulesets === null ||
+            Array.isArray(s.rulesets)) {
+            throw new Error(`${context}: rulesets must be an object`);
+        }
+        const rulesets = s.rulesets;
+        for (const [name, ruleset] of Object.entries(rulesets)) {
+            // Skip reserved key
+            if (name === "inherit")
+                continue;
+            // Check for opt-out of non-existent root ruleset
+            if (ruleset === false) {
+                if (rootRulesetNames && !rootRulesetNames.includes(name)) {
+                    throw new Error(`${context}: Cannot opt out of '${name}' - not defined in root settings.rulesets`);
+                }
+                continue; // Skip further validation for false entries
+            }
+            validateRuleset(ruleset, name, context);
+        }
+    }
+    if (s.deleteOrphaned !== undefined && typeof s.deleteOrphaned !== "boolean") {
+        throw new Error(`${context}: settings.deleteOrphaned must be a boolean`);
+    }
+    // Validate repo settings
+    if (s.repo !== undefined) {
+        if (s.repo === false) {
+            if (!rootRulesetNames) {
+                // Root level — repo: false not valid here
+                throw new Error(`${context}: repo: false is not valid at root level. Define repo settings or remove the field.`);
+            }
+            // Per-repo level — check root has repo settings to opt out of
+            if (!hasRootRepoSettings) {
+                throw new Error(`${context}: Cannot opt out of repo settings — not defined in root settings.repo`);
+            }
+            // Valid opt-out, skip further repo validation
+        }
+        else {
+            validateRepoSettings(s.repo, context);
+        }
+    }
 }
-// Pattern for valid config ID: alphanumeric, hyphens, underscores
-const CONFIG_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
-const CONFIG_ID_MAX_LENGTH = 64;
 /**
  * Validates raw config structure before normalization.
  * @throws Error if validation fails
@@ -257,356 +295,6 @@ export function validateRawConfig(config) {
         }
     }
 }
-/**
- * Validates a file name for security issues
- */
-function validateFileName(fileName) {
-    if (!fileName || typeof fileName !== "string") {
-        throw new Error("File name must be a non-empty string");
-    }
-    // Validate fileName doesn't allow path traversal
-    if (fileName.includes("..") || isAbsolute(fileName)) {
-        throw new Error(`Invalid fileName '${fileName}': must be a relative path without '..' components`);
-    }
-    // Validate fileName doesn't contain control characters that could bypass shell escaping
-    if (/[\n\r\0]/.test(fileName)) {
-        throw new Error(`Invalid fileName '${fileName}': cannot contain newlines or null bytes`);
-    }
-}
-function getGitDisplayName(git) {
-    if (Array.isArray(git)) {
-        return git[0] || "unknown";
-    }
-    return git;
-}
-// =============================================================================
-// Repo Settings Validation
-// =============================================================================
-const VALID_VISIBILITY = ["public", "private", "internal"];
-const VALID_SQUASH_MERGE_COMMIT_TITLE = ["PR_TITLE", "COMMIT_OR_PR_TITLE"];
-const VALID_SQUASH_MERGE_COMMIT_MESSAGE = [
-    "PR_BODY",
-    "COMMIT_MESSAGES",
-    "BLANK",
-];
-const VALID_MERGE_COMMIT_TITLE = ["PR_TITLE", "MERGE_MESSAGE"];
-const VALID_MERGE_COMMIT_MESSAGE = ["PR_BODY", "PR_TITLE", "BLANK"];
-/**
- * Validates GitHub repository settings.
- */
-function validateRepoSettings(repo, context) {
-    if (typeof repo !== "object" || repo === null || Array.isArray(repo)) {
-        throw new Error(`${context}: repo must be an object`);
-    }
-    const r = repo;
-    // Validate boolean fields
-    const booleanFields = [
-        "hasIssues",
-        "hasProjects",
-        "hasWiki",
-        "hasDiscussions",
-        "isTemplate",
-        "allowForking",
-        "archived",
-        "allowSquashMerge",
-        "allowMergeCommit",
-        "allowRebaseMerge",
-        "allowAutoMerge",
-        "deleteBranchOnMerge",
-        "allowUpdateBranch",
-        "vulnerabilityAlerts",
-        "automatedSecurityFixes",
-        "secretScanning",
-        "secretScanningPushProtection",
-        "privateVulnerabilityReporting",
-        "webCommitSignoffRequired",
-    ];
-    for (const field of booleanFields) {
-        if (r[field] !== undefined && typeof r[field] !== "boolean") {
-            throw new Error(`${context}: ${field} must be a boolean`);
-        }
-    }
-    // Validate string fields
-    if (r.defaultBranch !== undefined && typeof r.defaultBranch !== "string") {
-        throw new Error(`${context}: defaultBranch must be a string`);
-    }
-    // Validate enum fields
-    if (r.visibility !== undefined &&
-        !VALID_VISIBILITY.includes(r.visibility)) {
-        throw new Error(`${context}: visibility must be one of: ${VALID_VISIBILITY.join(", ")}`);
-    }
-    if (r.squashMergeCommitTitle !== undefined &&
-        !VALID_SQUASH_MERGE_COMMIT_TITLE.includes(r.squashMergeCommitTitle)) {
-        throw new Error(`${context}: squashMergeCommitTitle must be one of: ${VALID_SQUASH_MERGE_COMMIT_TITLE.join(", ")}`);
-    }
-    if (r.squashMergeCommitMessage !== undefined &&
-        !VALID_SQUASH_MERGE_COMMIT_MESSAGE.includes(r.squashMergeCommitMessage)) {
-        throw new Error(`${context}: squashMergeCommitMessage must be one of: ${VALID_SQUASH_MERGE_COMMIT_MESSAGE.join(", ")}`);
-    }
-    if (r.mergeCommitTitle !== undefined &&
-        !VALID_MERGE_COMMIT_TITLE.includes(r.mergeCommitTitle)) {
-        throw new Error(`${context}: mergeCommitTitle must be one of: ${VALID_MERGE_COMMIT_TITLE.join(", ")}`);
-    }
-    if (r.mergeCommitMessage !== undefined &&
-        !VALID_MERGE_COMMIT_MESSAGE.includes(r.mergeCommitMessage)) {
-        throw new Error(`${context}: mergeCommitMessage must be one of: ${VALID_MERGE_COMMIT_MESSAGE.join(", ")}`);
-    }
-}
-// =============================================================================
-// Ruleset Validation
-// =============================================================================
-const VALID_RULESET_TARGETS = ["branch", "tag"];
-const VALID_ENFORCEMENT_LEVELS = ["active", "disabled", "evaluate"];
-const VALID_ACTOR_TYPES = ["Team", "User", "Integration"];
-const VALID_BYPASS_MODES = ["always", "pull_request"];
-const VALID_PATTERN_OPERATORS = [
-    "starts_with",
-    "ends_with",
-    "contains",
-    "regex",
-];
-const VALID_MERGE_METHODS = ["merge", "squash", "rebase"];
-const VALID_ALERTS_THRESHOLDS = [
-    "none",
-    "errors",
-    "errors_and_warnings",
-    "all",
-];
-const VALID_SECURITY_THRESHOLDS = [
-    "none",
-    "critical",
-    "high_or_higher",
-    "medium_or_higher",
-    "all",
-];
-const VALID_RULE_TYPES = [
-    "pull_request",
-    "required_status_checks",
-    "required_signatures",
-    "required_linear_history",
-    "non_fast_forward",
-    "creation",
-    "update",
-    "deletion",
-    "required_deployments",
-    "code_scanning",
-    "code_quality",
-    "workflows",
-    "commit_author_email_pattern",
-    "commit_message_pattern",
-    "committer_email_pattern",
-    "branch_name_pattern",
-    "tag_name_pattern",
-    "file_path_restriction",
-    "file_extension_restriction",
-    "max_file_path_length",
-    "max_file_size",
-];
-/**
- * Validates a single ruleset rule.
- */
-function validateRule(rule, context) {
-    if (typeof rule !== "object" || rule === null || Array.isArray(rule)) {
-        throw new Error(`${context}: rule must be an object`);
-    }
-    const r = rule;
-    if (!r.type || typeof r.type !== "string") {
-        throw new Error(`${context}: rule must have a 'type' string field`);
-    }
-    if (!VALID_RULE_TYPES.includes(r.type)) {
-        throw new Error(`${context}: invalid rule type '${r.type}'. Must be one of: ${VALID_RULE_TYPES.join(", ")}`);
-    }
-    // Validate parameters based on rule type
-    if (r.parameters !== undefined) {
-        if (typeof r.parameters !== "object" ||
-            r.parameters === null ||
-            Array.isArray(r.parameters)) {
-            throw new Error(`${context}: rule parameters must be an object`);
-        }
-        const params = r.parameters;
-        // Validate pattern rule parameters
-        if (r.type.toString().endsWith("_pattern")) {
-            if (params.operator !== undefined &&
-                !VALID_PATTERN_OPERATORS.includes(params.operator)) {
-                throw new Error(`${context}: pattern rule operator must be one of: ${VALID_PATTERN_OPERATORS.join(", ")}`);
-            }
-            if (params.pattern !== undefined && typeof params.pattern !== "string") {
-                throw new Error(`${context}: pattern rule pattern must be a string`);
-            }
-        }
-        // Validate pull_request parameters
-        if (r.type === "pull_request") {
-            if (params.requiredApprovingReviewCount !== undefined) {
-                const count = params.requiredApprovingReviewCount;
-                if (typeof count !== "number" ||
-                    !Number.isInteger(count) ||
-                    count < 0 ||
-                    count > 10) {
-                    throw new Error(`${context}: requiredApprovingReviewCount must be an integer between 0 and 10`);
-                }
-            }
-            if (params.allowedMergeMethods !== undefined) {
-                if (!Array.isArray(params.allowedMergeMethods)) {
-                    throw new Error(`${context}: allowedMergeMethods must be an array`);
-                }
-                for (const method of params.allowedMergeMethods) {
-                    if (!VALID_MERGE_METHODS.includes(method)) {
-                        throw new Error(`${context}: allowedMergeMethods values must be one of: ${VALID_MERGE_METHODS.join(", ")}`);
-                    }
-                }
-            }
-        }
-        // Validate code_scanning parameters
-        if (r.type === "code_scanning" && params.codeScanningTools !== undefined) {
-            if (!Array.isArray(params.codeScanningTools)) {
-                throw new Error(`${context}: codeScanningTools must be an array`);
-            }
-            for (const tool of params.codeScanningTools) {
-                if (typeof tool !== "object" || tool === null) {
-                    throw new Error(`${context}: each codeScanningTool must be an object`);
-                }
-                const t = tool;
-                if (t.alertsThreshold !== undefined &&
-                    !VALID_ALERTS_THRESHOLDS.includes(t.alertsThreshold)) {
-                    throw new Error(`${context}: alertsThreshold must be one of: ${VALID_ALERTS_THRESHOLDS.join(", ")}`);
-                }
-                if (t.securityAlertsThreshold !== undefined &&
-                    !VALID_SECURITY_THRESHOLDS.includes(t.securityAlertsThreshold)) {
-                    throw new Error(`${context}: securityAlertsThreshold must be one of: ${VALID_SECURITY_THRESHOLDS.join(", ")}`);
-                }
-            }
-        }
-    }
-}
-/**
- * Validates a single ruleset.
- */
-function validateRuleset(ruleset, name, context) {
-    if (typeof ruleset !== "object" ||
-        ruleset === null ||
-        Array.isArray(ruleset)) {
-        throw new Error(`${context}: ruleset '${name}' must be an object`);
-    }
-    const rs = ruleset;
-    if (rs.target !== undefined &&
-        !VALID_RULESET_TARGETS.includes(rs.target)) {
-        throw new Error(`${context}: ruleset '${name}' target must be one of: ${VALID_RULESET_TARGETS.join(", ")}`);
-    }
-    if (rs.enforcement !== undefined &&
-        !VALID_ENFORCEMENT_LEVELS.includes(rs.enforcement)) {
-        throw new Error(`${context}: ruleset '${name}' enforcement must be one of: ${VALID_ENFORCEMENT_LEVELS.join(", ")}`);
-    }
-    // Validate bypassActors
-    if (rs.bypassActors !== undefined) {
-        if (!Array.isArray(rs.bypassActors)) {
-            throw new Error(`${context}: ruleset '${name}' bypassActors must be an array`);
-        }
-        for (let i = 0; i < rs.bypassActors.length; i++) {
-            const actor = rs.bypassActors[i];
-            if (typeof actor !== "object" || actor === null) {
-                throw new Error(`${context}: ruleset '${name}' bypassActors[${i}] must be an object`);
-            }
-            if (typeof actor.actorId !== "number") {
-                throw new Error(`${context}: ruleset '${name}' bypassActors[${i}].actorId must be a number`);
-            }
-            if (!VALID_ACTOR_TYPES.includes(actor.actorType)) {
-                throw new Error(`${context}: ruleset '${name}' bypassActors[${i}].actorType must be one of: ${VALID_ACTOR_TYPES.join(", ")}`);
-            }
-            if (actor.bypassMode !== undefined &&
-                !VALID_BYPASS_MODES.includes(actor.bypassMode)) {
-                throw new Error(`${context}: ruleset '${name}' bypassActors[${i}].bypassMode must be one of: ${VALID_BYPASS_MODES.join(", ")}`);
-            }
-        }
-    }
-    // Validate conditions
-    if (rs.conditions !== undefined) {
-        if (typeof rs.conditions !== "object" ||
-            rs.conditions === null ||
-            Array.isArray(rs.conditions)) {
-            throw new Error(`${context}: ruleset '${name}' conditions must be an object`);
-        }
-        const conditions = rs.conditions;
-        if (conditions.refName !== undefined) {
-            const refName = conditions.refName;
-            if (typeof refName !== "object" ||
-                refName === null ||
-                Array.isArray(refName)) {
-                throw new Error(`${context}: ruleset '${name}' conditions.refName must be an object`);
-            }
-            if (refName.include !== undefined &&
-                (!Array.isArray(refName.include) ||
-                    !refName.include.every((s) => typeof s === "string"))) {
-                throw new Error(`${context}: ruleset '${name}' conditions.refName.include must be an array of strings`);
-            }
-            if (refName.exclude !== undefined &&
-                (!Array.isArray(refName.exclude) ||
-                    !refName.exclude.every((s) => typeof s === "string"))) {
-                throw new Error(`${context}: ruleset '${name}' conditions.refName.exclude must be an array of strings`);
-            }
-        }
-    }
-    // Validate rules array
-    if (rs.rules !== undefined) {
-        if (!Array.isArray(rs.rules)) {
-            throw new Error(`${context}: ruleset '${name}' rules must be an array`);
-        }
-        for (let i = 0; i < rs.rules.length; i++) {
-            validateRule(rs.rules[i], `${context}: ruleset '${name}' rules[${i}]`);
-        }
-    }
-}
-/**
- * Validates settings object containing rulesets.
- */
-export function validateSettings(settings, context, rootRulesetNames, hasRootRepoSettings) {
-    if (typeof settings !== "object" ||
-        settings === null ||
-        Array.isArray(settings)) {
-        throw new Error(`${context}: settings must be an object`);
-    }
-    const s = settings;
-    if (s.rulesets !== undefined) {
-        if (typeof s.rulesets !== "object" ||
-            s.rulesets === null ||
-            Array.isArray(s.rulesets)) {
-            throw new Error(`${context}: rulesets must be an object`);
-        }
-        const rulesets = s.rulesets;
-        for (const [name, ruleset] of Object.entries(rulesets)) {
-            // Skip reserved key
-            if (name === "inherit")
-                continue;
-            // Check for opt-out of non-existent root ruleset
-            if (ruleset === false) {
-                if (rootRulesetNames && !rootRulesetNames.includes(name)) {
-                    throw new Error(`${context}: Cannot opt out of '${name}' - not defined in root settings.rulesets`);
-                }
-                continue; // Skip further validation for false entries
-            }
-            validateRuleset(ruleset, name, context);
-        }
-    }
-    if (s.deleteOrphaned !== undefined && typeof s.deleteOrphaned !== "boolean") {
-        throw new Error(`${context}: settings.deleteOrphaned must be a boolean`);
-    }
-    // Validate repo settings
-    if (s.repo !== undefined) {
-        if (s.repo === false) {
-            if (!rootRulesetNames) {
-                // Root level — repo: false not valid here
-                throw new Error(`${context}: repo: false is not valid at root level. Define repo settings or remove the field.`);
-            }
-            // Per-repo level — check root has repo settings to opt out of
-            if (!hasRootRepoSettings) {
-                throw new Error(`${context}: Cannot opt out of repo settings — not defined in root settings.repo`);
-            }
-            // Valid opt-out, skip further repo validation
-        }
-        else {
-            validateRepoSettings(s.repo, context);
-        }
-    }
-}
 // =============================================================================
 // Command-Specific Validators
 // =============================================================================

package/dist/config/validators/file-validator.d.ts

@@ -0,0 +1,22 @@
+declare const VALID_STRATEGIES: string[];
+/**
+ * Check if content is text type (string or string[]).
+ */
+export declare function isTextContent(content: unknown): boolean;
+/**
+ * Check if content is object type (for JSON/YAML output).
+ */
+export declare function isObjectContent(content: unknown): boolean;
+/**
+ * Check if file extension is for structured output (JSON/YAML).
+ */
+export declare function isStructuredFileExtension(fileName: string): boolean;
+/**
+ * Validates a file name for security issues
+ */
+export declare function validateFileName(fileName: string): void;
+/**
+ * Validates that merge strategy is valid
+ */
+export declare function isValidMergeStrategy(strategy: string): boolean;
+export { VALID_STRATEGIES };

package/dist/config/validators/file-validator.js

@@ -0,0 +1,46 @@
+import { extname, isAbsolute } from "node:path";
+const VALID_STRATEGIES = ["replace", "append", "prepend"];
+/**
+ * Check if content is text type (string or string[]).
+ */
+export function isTextContent(content) {
+    return (typeof content === "string" ||
+        (Array.isArray(content) &&
+            content.every((item) => typeof item === "string")));
+}
+/**
+ * Check if content is object type (for JSON/YAML output).
+ */
+export function isObjectContent(content) {
+    return (typeof content === "object" && content !== null && !Array.isArray(content));
+}
+/**
+ * Check if file extension is for structured output (JSON/YAML).
+ */
+export function isStructuredFileExtension(fileName) {
+    const ext = extname(fileName).toLowerCase();
+    return (ext === ".json" || ext === ".json5" || ext === ".yaml" || ext === ".yml");
+}
+/**
+ * Validates a file name for security issues
+ */
+export function validateFileName(fileName) {
+    if (!fileName || typeof fileName !== "string") {
+        throw new Error("File name must be a non-empty string");
+    }
+    // Validate fileName doesn't allow path traversal
+    if (fileName.includes("..") || isAbsolute(fileName)) {
+        throw new Error(`Invalid fileName '${fileName}': must be a relative path without '..' components`);
+    }
+    // Validate fileName doesn't contain control characters that could bypass shell escaping
+    if (/[\n\r\0]/.test(fileName)) {
+        throw new Error(`Invalid fileName '${fileName}': cannot contain newlines or null bytes`);
+    }
+}
+/**
+ * Validates that merge strategy is valid
+ */
+export function isValidMergeStrategy(strategy) {
+    return VALID_STRATEGIES.includes(strategy);
+}
+export { VALID_STRATEGIES };

package/dist/config/validators/index.d.ts

@@ -0,0 +1,3 @@
+export { isTextContent, isObjectContent, isStructuredFileExtension, validateFileName, isValidMergeStrategy, VALID_STRATEGIES, } from "./file-validator.js";
+export { validateRepoSettings, VALID_VISIBILITY, VALID_SQUASH_MERGE_COMMIT_TITLE, VALID_SQUASH_MERGE_COMMIT_MESSAGE, VALID_MERGE_COMMIT_TITLE, VALID_MERGE_COMMIT_MESSAGE, } from "./repo-settings-validator.js";
+export { validateRule, validateRuleset, VALID_RULESET_TARGETS, VALID_ENFORCEMENT_LEVELS, VALID_ACTOR_TYPES, VALID_BYPASS_MODES, VALID_PATTERN_OPERATORS, VALID_MERGE_METHODS, VALID_ALERTS_THRESHOLDS, VALID_SECURITY_THRESHOLDS, VALID_RULE_TYPES, } from "./ruleset-validator.js";

package/dist/config/validators/index.js

@@ -0,0 +1,6 @@
+// File validation
+export { isTextContent, isObjectContent, isStructuredFileExtension, validateFileName, isValidMergeStrategy, VALID_STRATEGIES, } from "./file-validator.js";
+// Repo settings validation
+export { validateRepoSettings, VALID_VISIBILITY, VALID_SQUASH_MERGE_COMMIT_TITLE, VALID_SQUASH_MERGE_COMMIT_MESSAGE, VALID_MERGE_COMMIT_TITLE, VALID_MERGE_COMMIT_MESSAGE, } from "./repo-settings-validator.js";
+// Ruleset validation
+export { validateRule, validateRuleset, VALID_RULESET_TARGETS, VALID_ENFORCEMENT_LEVELS, VALID_ACTOR_TYPES, VALID_BYPASS_MODES, VALID_PATTERN_OPERATORS, VALID_MERGE_METHODS, VALID_ALERTS_THRESHOLDS, VALID_SECURITY_THRESHOLDS, VALID_RULE_TYPES, } from "./ruleset-validator.js";

package/dist/config/validators/repo-settings-validator.d.ts

@@ -0,0 +1,10 @@
+declare const VALID_VISIBILITY: string[];
+declare const VALID_SQUASH_MERGE_COMMIT_TITLE: string[];
+declare const VALID_SQUASH_MERGE_COMMIT_MESSAGE: string[];
+declare const VALID_MERGE_COMMIT_TITLE: string[];
+declare const VALID_MERGE_COMMIT_MESSAGE: string[];
+/**
+ * Validates GitHub repository settings.
+ */
+export declare function validateRepoSettings(repo: unknown, context: string): void;
+export { VALID_VISIBILITY, VALID_SQUASH_MERGE_COMMIT_TITLE, VALID_SQUASH_MERGE_COMMIT_MESSAGE, VALID_MERGE_COMMIT_TITLE, VALID_MERGE_COMMIT_MESSAGE, };