npm - @cardstack/boxel-cli - Versions diffs - 0.2.0-unstable.298 → 0.2.0-unstable.327 - Mend

@cardstack/boxel-cli 0.2.0-unstable.298 → 0.2.0-unstable.327

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js +156 -97
package/package.json +5 -3
package/src/build-program.ts +6 -0
package/src/commands/lint.ts +285 -0
package/src/commands/parse.ts +741 -0
package/src/commands/test.ts +728 -0
package/src/lib/find-package-root.ts +34 -0
package/src/lib/realm-relative-path.ts +46 -0

package/src/lib/find-package-root.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+/**
+ * Walk up from `__dirname` until we find the `@cardstack/boxel-cli`
+ * package.json. The single-file esbuild bundle places `__dirname` at
+ * `boxel-cli/dist`; the ts-node fallback places it inside `src/...`.
+ * Anchoring to the package.json keeps every downstream path stable
+ * regardless of which entry mode is active.
+ */
+export function findBoxelCliRoot(startDir: string): string {
+  let dir = startDir;
+  for (;;) {
+    let candidate = join(dir, 'package.json');
+    if (existsSync(candidate)) {
+      try {
+        let parsed = JSON.parse(readFileSync(candidate, 'utf8'));
+        if (parsed?.name === '@cardstack/boxel-cli') {
+          return dir;
+        }
+      } catch {
+        // ignore unparseable package.json and keep walking
+      }
+    }
+    let parent = dirname(dir);
+    if (parent === dir) {
+      throw new Error(
+        'Could not locate the @cardstack/boxel-cli package root walking up from ' +
+          startDir,
+      );
+    }
+    dir = parent;
+  }
+}

package/src/lib/realm-relative-path.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Validate that an agent- or user-supplied `path` is a safe
+ * realm-relative path. Returns an error message if rejected, or null
+ * if the path is acceptable.
+ *
+ * Rejects:
+ * - empty / whitespace-only paths
+ * - absolute URLs with a scheme (`http:`, `file:`, etc.)
+ * - paths starting with `/`
+ * - backslash characters (ambiguous across URL/path handling layers;
+ *   e.g. `foo\..\bar` never splits on `/` so the `..` check below
+ *   misses it)
+ * - percent-encoded traversal segments — decodes once and rejects any
+ *   `..` segment after decoding, so `%2e%2e`, `%2E%2E`, `%2e.`, etc.
+ *   all collapse to a `..` and fail
+ * - malformed percent-encoded escapes
+ *
+ * Mirrors `packages/software-factory/src/realm-relative-path.ts` so
+ * both the SDK orchestrator and the boxel-cli validators apply the
+ * same gate before a path reaches realm-server URL handling.
+ */
+export function validateRealmRelativePath(path: string): string | null {
+  if (path.trim() === '') {
+    return `Path must be a non-empty realm-relative file path.`;
+  }
+  if (/^[a-z][a-z0-9+.-]*:/i.test(path)) {
+    return `Path "${path}" must be realm-relative — absolute URLs (with a scheme) are not accepted.`;
+  }
+  if (path.startsWith('/')) {
+    return `Path "${path}" must be realm-relative — paths starting with "/" are not accepted.`;
+  }
+  if (path.includes('\\')) {
+    return `Path "${path}" must not contain backslash characters.`;
+  }
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(path);
+  } catch {
+    return `Path "${path}" contains an invalid percent-encoded escape.`;
+  }
+  let segments = decoded.split('/');
+  if (segments.some((seg) => seg === '..')) {
+    return `Path "${path}" must not contain ".." segments — the path must stay inside the target realm.`;
+  }
+  return null;
+}