@devtrack-solution/codesdd 1.2.2 → 1.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.sdd/skills/curated/api-clean-flask-langgraph/SKILL.md +17 -17
- package/.sdd/skills/curated/devtrack-api/SKILL.md +160 -28
- package/.sdd/skills/curated/devtrack-api/agents/openai.yaml +1 -1
- package/.sdd/skills/curated/devtrack-api/references/architecture-governance.md +8 -7
- package/.sdd/skills/curated/devtrack-api/references/consumer-sync-policy.md +93 -0
- package/.sdd/skills/curated/devtrack-api/references/contract-pack.yaml +317 -0
- package/.sdd/skills/curated/devtrack-api/references/field-validation-protocol.md +95 -0
- package/.sdd/skills/curated/devtrack-api/references/foundation-layout.md +295 -0
- package/.sdd/skills/curated/devtrack-api/references/implementation-checklist.md +4 -4
- package/.sdd/skills/curated/devtrack-api/references/imports-lint.md +4 -0
- package/.sdd/skills/curated/devtrack-api/references/testing-validation.md +2 -2
- package/LICENSE +1 -1
- package/README.md +243 -51
- package/bin/codesdd.js +3 -2
- package/dist/cli/index.d.ts +2 -2
- package/dist/cli/index.js +11 -558
- package/dist/cli/program.d.ts +14 -0
- package/dist/cli/program.js +645 -0
- package/dist/commands/change.js +5 -5
- package/dist/commands/completion.d.ts +1 -1
- package/dist/commands/completion.js +9 -2
- package/dist/commands/config.js +159 -20
- package/dist/commands/feedback.js +1 -1
- package/dist/commands/schema.d.ts +63 -0
- package/dist/commands/schema.js +12 -12
- package/dist/commands/sdd/backlog.d.ts +3 -0
- package/dist/commands/sdd/backlog.js +54 -0
- package/dist/commands/sdd/execution.js +147 -16
- package/dist/commands/sdd/plugin.d.ts +3 -0
- package/dist/commands/sdd/plugin.js +153 -0
- package/dist/commands/sdd/shared.js +2 -23
- package/dist/commands/sdd/skills.js +7 -0
- package/dist/commands/sdd.js +69 -12
- package/dist/commands/spec.js +9 -9
- package/dist/commands/validate.js +6 -6
- package/dist/commands/workflow/instructions.js +6 -6
- package/dist/commands/workflow/new-change.js +3 -3
- package/dist/commands/workflow/shared.d.ts +1 -1
- package/dist/commands/workflow/shared.js +4 -4
- package/dist/core/archive.js +15 -5
- package/dist/core/artifact-graph/instruction-loader.d.ts +1 -1
- package/dist/core/artifact-graph/instruction-loader.js +3 -3
- package/dist/core/artifact-graph/resolver.d.ts +4 -4
- package/dist/core/artifact-graph/resolver.js +6 -6
- package/dist/core/branding.js +3 -3
- package/dist/core/cli/command-matrix.js +10 -1
- package/dist/core/cli-command-quality.d.ts +27 -0
- package/dist/core/cli-command-quality.js +171 -0
- package/dist/core/command-generation/adapters/costrict.d.ts +1 -1
- package/dist/core/command-generation/adapters/costrict.js +2 -2
- package/dist/core/command-generation/types.d.ts +1 -1
- package/dist/core/completions/command-registry.d.ts +1 -1
- package/dist/core/completions/command-registry.js +155 -12
- package/dist/core/completions/completion-provider.d.ts +14 -1
- package/dist/core/completions/completion-provider.js +29 -1
- package/dist/core/completions/generators/bash-generator.d.ts +1 -1
- package/dist/core/completions/generators/bash-generator.js +20 -12
- package/dist/core/completions/generators/fish-generator.d.ts +9 -1
- package/dist/core/completions/generators/fish-generator.js +39 -25
- package/dist/core/completions/generators/powershell-generator.d.ts +1 -1
- package/dist/core/completions/generators/powershell-generator.js +21 -11
- package/dist/core/completions/generators/zsh-generator.d.ts +3 -6
- package/dist/core/completions/generators/zsh-generator.js +21 -42
- package/dist/core/completions/installers/bash-installer.js +6 -6
- package/dist/core/completions/installers/fish-installer.js +1 -1
- package/dist/core/completions/installers/powershell-installer.js +14 -14
- package/dist/core/completions/installers/zsh-installer.d.ts +7 -1
- package/dist/core/completions/installers/zsh-installer.js +36 -8
- package/dist/core/completions/templates/bash-templates.d.ts +1 -1
- package/dist/core/completions/templates/bash-templates.js +12 -6
- package/dist/core/completions/templates/fish-templates.d.ts +2 -2
- package/dist/core/completions/templates/fish-templates.js +20 -9
- package/dist/core/completions/templates/powershell-templates.d.ts +1 -1
- package/dist/core/completions/templates/powershell-templates.js +13 -4
- package/dist/core/completions/templates/zsh-templates.d.ts +1 -1
- package/dist/core/completions/templates/zsh-templates.js +18 -9
- package/dist/core/config-schema.d.ts +3 -1
- package/dist/core/config-schema.js +26 -1
- package/dist/core/config.d.ts +3 -3
- package/dist/core/config.js +4 -4
- package/dist/core/global-config.d.ts +41 -12
- package/dist/core/global-config.js +344 -27
- package/dist/core/index.d.ts +1 -1
- package/dist/core/index.js +2 -2
- package/dist/core/init.d.ts +6 -1
- package/dist/core/init.js +99 -77
- package/dist/core/legacy-cleanup.d.ts +17 -17
- package/dist/core/legacy-cleanup.js +96 -79
- package/dist/core/list.js +18 -4
- package/dist/core/migration.d.ts +3 -1
- package/dist/core/migration.js +7 -8
- package/dist/core/parsers/change-parser.js +1 -1
- package/dist/core/parsers/markdown-parser.js +2 -2
- package/dist/core/profile-sync-drift.d.ts +1 -1
- package/dist/core/profile-sync-drift.js +13 -13
- package/dist/core/project-config.d.ts +4 -4
- package/dist/core/project-config.js +11 -11
- package/dist/core/schemas/change.schema.d.ts +1 -1
- package/dist/core/schemas/change.schema.js +1 -1
- package/dist/core/schemas/spec.schema.d.ts +1 -1
- package/dist/core/schemas/spec.schema.js +1 -1
- package/dist/core/sdd/adr.js +23 -1
- package/dist/core/sdd/agent-binding.d.ts +346 -0
- package/dist/core/sdd/agent-binding.js +343 -0
- package/dist/core/sdd/backlog-cli.d.ts +16 -0
- package/dist/core/sdd/backlog-cli.js +146 -0
- package/dist/core/sdd/backlog-conflict-policy.d.ts +58 -0
- package/dist/core/sdd/backlog-conflict-policy.js +230 -0
- package/dist/core/sdd/backlog-projection.d.ts +8 -0
- package/dist/core/sdd/backlog-projection.js +89 -0
- package/dist/core/sdd/backlog-provider-contract.d.ts +252 -0
- package/dist/core/sdd/backlog-provider-contract.js +158 -0
- package/dist/core/sdd/bootstrap.js +2 -2
- package/dist/core/sdd/check.d.ts +42 -0
- package/dist/core/sdd/check.js +22 -22
- package/dist/core/sdd/contract.d.ts +13 -0
- package/dist/core/sdd/contract.js +36 -0
- package/dist/core/sdd/coordination/coordination-adapters.d.ts +38 -0
- package/dist/core/sdd/coordination/coordination-adapters.js +139 -1
- package/dist/core/sdd/deepagent-contracts.d.ts +276 -0
- package/dist/core/sdd/deepagent-contracts.js +173 -0
- package/dist/core/sdd/deepagents/adr-governor.d.ts +2 -0
- package/dist/core/sdd/deepagents/adr-governor.js +30 -0
- package/dist/core/sdd/deepagents/backend.d.ts +63 -0
- package/dist/core/sdd/deepagents/backend.js +174 -0
- package/dist/core/sdd/deepagents/codesdd-tools.d.ts +39 -0
- package/dist/core/sdd/deepagents/codesdd-tools.js +83 -0
- package/dist/core/sdd/deepagents/evidence-mapper.d.ts +86 -0
- package/dist/core/sdd/deepagents/evidence-mapper.js +178 -0
- package/dist/core/sdd/deepagents/model-provider.d.ts +53 -0
- package/dist/core/sdd/deepagents/model-provider.js +379 -0
- package/dist/core/sdd/deepagents/policy-enforcement.d.ts +30 -0
- package/dist/core/sdd/deepagents/policy-enforcement.js +90 -0
- package/dist/core/sdd/deepagents/policy.d.ts +75 -0
- package/dist/core/sdd/deepagents/policy.js +358 -0
- package/dist/core/sdd/deepagents/quality-witness.d.ts +3 -0
- package/dist/core/sdd/deepagents/quality-witness.js +77 -0
- package/dist/core/sdd/deepagents/reversa-subagents.d.ts +75 -0
- package/dist/core/sdd/deepagents/reversa-subagents.js +182 -0
- package/dist/core/sdd/deepagents/runtime-factory.d.ts +90 -0
- package/dist/core/sdd/deepagents/runtime-factory.js +231 -0
- package/dist/core/sdd/deepagents/runtime-loader.d.ts +16 -0
- package/dist/core/sdd/deepagents/runtime-loader.js +65 -0
- package/dist/core/sdd/default-bootstrap-files.d.ts +2 -2
- package/dist/core/sdd/default-bootstrap-files.js +36 -2
- package/dist/core/sdd/default-skills.d.ts +30 -0
- package/dist/core/sdd/default-skills.js +181 -5
- package/dist/core/sdd/devtrack-api-appliance.d.ts +84 -0
- package/dist/core/sdd/devtrack-api-appliance.js +257 -0
- package/dist/core/sdd/devtrack-api-architecture.d.ts +31 -0
- package/dist/core/sdd/devtrack-api-architecture.js +608 -0
- package/dist/core/sdd/devtrack-api-import-boundary.d.ts +19 -0
- package/dist/core/sdd/devtrack-api-import-boundary.js +32 -0
- package/dist/core/sdd/diagnose.d.ts +59 -0
- package/dist/core/sdd/diagnose.js +37 -37
- package/dist/core/sdd/docs-sync.js +33 -5
- package/dist/core/sdd/domain/post-active-validation.d.ts +7 -0
- package/dist/core/sdd/domain/post-active-validation.js +61 -0
- package/dist/core/sdd/domain/transition-engine.js +1 -0
- package/dist/core/sdd/entity-reference.d.ts +5 -0
- package/dist/core/sdd/entity-reference.js +22 -0
- package/dist/core/sdd/governance-backfill.d.ts +31 -0
- package/dist/core/sdd/governance-backfill.js +359 -0
- package/dist/core/sdd/governance-parser.d.ts +21 -0
- package/dist/core/sdd/governance-parser.js +91 -0
- package/dist/core/sdd/governance-schemas.d.ts +245 -0
- package/dist/core/sdd/governance-schemas.js +143 -0
- package/dist/core/sdd/{import-openspec.d.ts → import-legacy-spec.d.ts} +7 -7
- package/dist/core/sdd/{import-openspec.js → import-legacy-spec.js} +21 -29
- package/dist/core/sdd/init.d.ts +3 -0
- package/dist/core/sdd/init.js +6 -3
- package/dist/core/sdd/json-schema.js +100 -6
- package/dist/core/sdd/knowledge-graph.d.ts +45 -0
- package/dist/core/sdd/knowledge-graph.js +288 -0
- package/dist/core/sdd/legacy-operations.js +431 -43
- package/dist/core/sdd/lenses.d.ts +1 -0
- package/dist/core/sdd/lenses.js +29 -1
- package/dist/core/sdd/migrate-workspace.js +56 -2
- package/dist/core/sdd/migrate.d.ts +1 -1
- package/dist/core/sdd/migrate.js +36 -2
- package/dist/core/sdd/package-structure-gate.d.ts +83 -0
- package/dist/core/sdd/package-structure-gate.js +362 -0
- package/dist/core/sdd/parallel-feat-automation.d.ts +152 -0
- package/dist/core/sdd/parallel-feat-automation.js +212 -0
- package/dist/core/sdd/plugin-broker.d.ts +558 -0
- package/dist/core/sdd/plugin-broker.js +482 -0
- package/dist/core/sdd/plugin-certification.d.ts +79 -0
- package/dist/core/sdd/plugin-certification.js +453 -0
- package/dist/core/sdd/plugin-cli.d.ts +109 -0
- package/dist/core/sdd/plugin-cli.js +198 -0
- package/dist/core/sdd/plugin-evidence.d.ts +275 -0
- package/dist/core/sdd/plugin-evidence.js +307 -0
- package/dist/core/sdd/plugin-manifest.d.ts +164 -0
- package/dist/core/sdd/plugin-manifest.js +215 -0
- package/dist/core/sdd/plugin-policy-pack.d.ts +88 -0
- package/dist/core/sdd/plugin-policy-pack.js +236 -0
- package/dist/core/sdd/plugin-policy.d.ts +68 -0
- package/dist/core/sdd/plugin-policy.js +212 -0
- package/dist/core/sdd/plugin-registry.d.ts +311 -0
- package/dist/core/sdd/plugin-registry.js +138 -0
- package/dist/core/sdd/plugin-skill-binding.d.ts +151 -0
- package/dist/core/sdd/plugin-skill-binding.js +339 -0
- package/dist/core/sdd/quality-artifact-manifest-validator.d.ts +28 -0
- package/dist/core/sdd/quality-artifact-manifest-validator.js +167 -0
- package/dist/core/sdd/quality-evidence-renderer.d.ts +65 -0
- package/dist/core/sdd/quality-evidence-renderer.js +218 -0
- package/dist/core/sdd/quality-scenario-runner.d.ts +42 -0
- package/dist/core/sdd/quality-scenario-runner.js +613 -0
- package/dist/core/sdd/quality-validation.d.ts +547 -0
- package/dist/core/sdd/quality-validation.js +239 -0
- package/dist/core/sdd/resolve-project-root.d.ts +2 -2
- package/dist/core/sdd/resolve-project-root.js +11 -5
- package/dist/core/sdd/sanitize.d.ts +30 -1
- package/dist/core/sdd/sanitize.js +23 -23
- package/dist/core/sdd/services/agent-run.service.d.ts +65 -0
- package/dist/core/sdd/services/agent-run.service.js +189 -0
- package/dist/core/sdd/services/breakdown.service.js +2 -1
- package/dist/core/sdd/services/context.service.js +18 -16
- package/dist/core/sdd/services/debate.service.js +15 -2
- package/dist/core/sdd/services/feature-lint.service.d.ts +22 -0
- package/dist/core/sdd/services/feature-lint.service.js +105 -5
- package/dist/core/sdd/services/finalize.service.d.ts +80 -0
- package/dist/core/sdd/services/finalize.service.js +323 -24
- package/dist/core/sdd/services/frontend-gap.service.js +22 -7
- package/dist/core/sdd/services/governance-control-plane-runtime-adapters.d.ts +17 -0
- package/dist/core/sdd/services/governance-control-plane-runtime-adapters.js +38 -0
- package/dist/core/sdd/services/governance-control-plane.service.d.ts +66 -0
- package/dist/core/sdd/services/governance-control-plane.service.js +134 -0
- package/dist/core/sdd/services/ingest-deposito.service.js +1 -1
- package/dist/core/sdd/services/legacy-capability.service.d.ts +10 -7
- package/dist/core/sdd/services/legacy-capability.service.js +38 -21
- package/dist/core/sdd/services/mcp-runtime.service.d.ts +123 -8
- package/dist/core/sdd/services/mcp-runtime.service.js +1085 -33
- package/dist/core/sdd/services/onboard.service.js +2 -1
- package/dist/core/sdd/services/rebuild.service.js +6 -1
- package/dist/core/sdd/services/skills-sync.service.d.ts +17 -5
- package/dist/core/sdd/services/skills-sync.service.js +55 -2
- package/dist/core/sdd/services/start.service.js +6 -4
- package/dist/core/sdd/skill-bundles-curation-schema.d.ts +66 -0
- package/dist/core/sdd/skill-bundles-curation-schema.js +52 -0
- package/dist/core/sdd/skill-evidence.d.ts +19 -0
- package/dist/core/sdd/skill-evidence.js +38 -0
- package/dist/core/sdd/skill-policy-pool.d.ts +46 -0
- package/dist/core/sdd/skill-policy-pool.js +185 -0
- package/dist/core/sdd/state.d.ts +22 -0
- package/dist/core/sdd/state.js +66 -41
- package/dist/core/sdd/structural-health.d.ts +42 -42
- package/dist/core/sdd/types.d.ts +33 -7
- package/dist/core/sdd/types.js +17 -0
- package/dist/core/sdd/upgrade-to-codesdd.d.ts +45 -0
- package/dist/core/sdd/upgrade-to-codesdd.js +179 -0
- package/dist/core/sdd/workspace-schemas.d.ts +285 -14
- package/dist/core/sdd/workspace-schemas.js +148 -0
- package/dist/core/sdd/write-manifest.js +22 -4
- package/dist/core/shared/skill-generation.d.ts +1 -1
- package/dist/core/shared/skill-generation.js +15 -15
- package/dist/core/shared/tool-detection.d.ts +3 -3
- package/dist/core/shared/tool-detection.js +14 -14
- package/dist/core/specs-apply.js +6 -6
- package/dist/core/templates/index.d.ts +1 -1
- package/dist/core/templates/index.js +1 -1
- package/dist/core/templates/workflows/apply-change.js +14 -14
- package/dist/core/templates/workflows/archive-change.js +32 -32
- package/dist/core/templates/workflows/bulk-archive-change.js +25 -25
- package/dist/core/templates/workflows/continue-change.js +12 -12
- package/dist/core/templates/workflows/explore.js +29 -29
- package/dist/core/templates/workflows/feedback.js +6 -6
- package/dist/core/templates/workflows/ff-change.js +24 -24
- package/dist/core/templates/workflows/new-change.js +20 -20
- package/dist/core/templates/workflows/onboard.js +33 -33
- package/dist/core/templates/workflows/propose.js +23 -23
- package/dist/core/templates/workflows/sdd.js +8 -8
- package/dist/core/templates/workflows/sync-specs.js +19 -19
- package/dist/core/templates/workflows/verify-change.js +17 -17
- package/dist/core/update.d.ts +2 -2
- package/dist/core/update.js +16 -15
- package/dist/core/validation/constants.d.ts +1 -1
- package/dist/core/validation/constants.js +1 -1
- package/dist/core/view.js +11 -11
- package/dist/telemetry/config.d.ts +2 -1
- package/dist/telemetry/config.js +17 -8
- package/dist/telemetry/index.d.ts +10 -2
- package/dist/telemetry/index.js +40 -7
- package/dist/ui/ascii-patterns.d.ts +2 -2
- package/dist/ui/ascii-patterns.js +2 -2
- package/dist/ui/welcome-screen.js +2 -2
- package/dist/utils/change-metadata.d.ts +4 -4
- package/dist/utils/change-metadata.js +6 -6
- package/dist/utils/change-utils.d.ts +3 -3
- package/dist/utils/change-utils.js +5 -5
- package/dist/utils/file-system.js +1 -1
- package/dist/utils/interactive.js +1 -1
- package/dist/utils/item-discovery.js +4 -4
- package/dist/utils/legacy-spec-compat.d.ts +2 -0
- package/dist/utils/legacy-spec-compat.js +2 -0
- package/dist/utils/shell-detection.d.ts +1 -0
- package/dist/utils/shell-detection.js +16 -0
- package/package.json +27 -17
- package/schemas/sdd/1-spec.schema.json +1 -1
- package/schemas/sdd/2-plan.schema.json +73 -1
- package/schemas/sdd/3-tasks.schema.json +73 -1
- package/schemas/sdd/4-changelog.schema.json +1 -1
- package/schemas/sdd/5-quality.schema.json +442 -2
- package/schemas/sdd/adr.schema.json +148 -0
- package/schemas/sdd/agent-binding-adapter.schema.json +210 -0
- package/schemas/sdd/agent-binding-resolution.schema.json +338 -0
- package/schemas/sdd/backlog-projection-plan.schema.json +180 -0
- package/schemas/sdd/backlog-provider-contract.schema.json +260 -0
- package/schemas/sdd/codesdd-plugin.schema.json +474 -0
- package/schemas/sdd/debate.schema.json +244 -0
- package/schemas/sdd/deepagent-decision-evidence.schema.json +58 -0
- package/schemas/sdd/deepagent-env-contract.schema.json +143 -0
- package/schemas/sdd/deepagent-quality-evidence.schema.json +108 -0
- package/schemas/sdd/deepagent-run-evidence.schema.json +192 -0
- package/schemas/sdd/deepagent-run-plan.schema.json +197 -0
- package/schemas/sdd/deepagent-run-request.schema.json +321 -0
- package/schemas/sdd/deepagent-subagent-evidence.schema.json +110 -0
- package/schemas/sdd/deepagent-tool-call-evidence.schema.json +78 -0
- package/schemas/sdd/discarded.schema.json +127 -0
- package/schemas/sdd/epic.schema.json +147 -0
- package/schemas/sdd/insight.schema.json +136 -0
- package/schemas/sdd/parallel-feat-automation-plan.schema.json +215 -0
- package/schemas/sdd/parallel-feat-automation-request.schema.json +109 -0
- package/schemas/sdd/plugin-artifact-manifest.schema.json +150 -0
- package/schemas/sdd/plugin-compliance-index.schema.json +136 -0
- package/schemas/sdd/plugin-dry-run-plan.schema.json +260 -0
- package/schemas/sdd/plugin-evidence-manifest.schema.json +569 -0
- package/schemas/sdd/plugin-policy-evaluation.schema.json +92 -0
- package/schemas/sdd/plugin-policy-pack-evaluation.schema.json +94 -0
- package/schemas/sdd/plugin-policy-pack.schema.json +196 -0
- package/schemas/sdd/plugin-registry.schema.json +558 -0
- package/schemas/sdd/plugin-rollback-manifest.schema.json +87 -0
- package/schemas/sdd/plugin-runtime-invocation-plan.schema.json +845 -0
- package/schemas/sdd/plugin-skill-binding-resolution.schema.json +305 -0
- package/schemas/sdd/plugin-skill-binding.schema.json +88 -0
- package/schemas/sdd/plugin-validation-manifest.schema.json +123 -0
- package/schemas/sdd/quality-architecture-schema.schema.json +216 -0
- package/schemas/sdd/quality-evidence-bundle.schema.json +1228 -0
- package/schemas/sdd/quality-run.schema.json +197 -0
- package/schemas/sdd/quality-scenario.schema.json +252 -0
- package/schemas/sdd/workspace-catalog.schema.json +9841 -22
- package/schemas/spec-driven/schema.yaml +4 -4
- package/schemas/spec-driven/templates/proposal.md +1 -1
- package/dist/utils/openspec-compat.d.ts +0 -2
- package/dist/utils/openspec-compat.js +0 -2
|
@@ -0,0 +1,307 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
import { pluginArtifactManifestSchema, } from './plugin-broker.js';
|
|
3
|
+
import { pluginManifestSchema } from './plugin-manifest.js';
|
|
4
|
+
import { pluginPolicyEvaluationSchema } from './plugin-policy.js';
|
|
5
|
+
import { pluginPolicyPackEvaluationSchema, } from './plugin-policy-pack.js';
|
|
6
|
+
const FEATURE_REF_PATTERN = /^FEAT-\d{4}$/;
|
|
7
|
+
const OPERATION_ID_PATTERN = /^[a-z0-9][a-z0-9-]*$/;
|
|
8
|
+
const jsonObjectSchema = z.record(z.string(), z.unknown());
|
|
9
|
+
export const pluginValidationEvidenceSchema = z.object({
|
|
10
|
+
command: z.string().min(1),
|
|
11
|
+
status: z.enum(['pending', 'passed', 'failed', 'skipped']),
|
|
12
|
+
evidence_ref: z.string().optional(),
|
|
13
|
+
coverage: z
|
|
14
|
+
.object({
|
|
15
|
+
statements: z.number().min(0).max(100).optional(),
|
|
16
|
+
branches: z.number().min(0).max(100).optional(),
|
|
17
|
+
functions: z.number().min(0).max(100).optional(),
|
|
18
|
+
lines: z.number().min(0).max(100).optional(),
|
|
19
|
+
})
|
|
20
|
+
.optional(),
|
|
21
|
+
});
|
|
22
|
+
export const pluginValidationManifestSchema = z.object({
|
|
23
|
+
schema_version: z.literal(1),
|
|
24
|
+
operation_id: z.string().regex(OPERATION_ID_PATTERN),
|
|
25
|
+
generated_at: z.string().datetime(),
|
|
26
|
+
feature_ref: z.string().regex(FEATURE_REF_PATTERN),
|
|
27
|
+
plugin_ref: z.object({
|
|
28
|
+
id: z.string().min(1),
|
|
29
|
+
version: z.string().min(1),
|
|
30
|
+
}),
|
|
31
|
+
capability: z.string().min(1),
|
|
32
|
+
status: z.enum(['pending', 'passed', 'failed', 'partial']),
|
|
33
|
+
validations: z.array(pluginValidationEvidenceSchema).default([]),
|
|
34
|
+
});
|
|
35
|
+
export const pluginEvidenceManifestSchema = z.object({
|
|
36
|
+
schema_version: z.literal(1),
|
|
37
|
+
operation_id: z.string().regex(OPERATION_ID_PATTERN),
|
|
38
|
+
generated_at: z.string().datetime(),
|
|
39
|
+
feature_ref: z.string().regex(FEATURE_REF_PATTERN),
|
|
40
|
+
plugin_ref: z.object({
|
|
41
|
+
id: z.string().min(1),
|
|
42
|
+
version: z.string().min(1),
|
|
43
|
+
}),
|
|
44
|
+
capability: z.string().min(1),
|
|
45
|
+
artifact_manifest: pluginArtifactManifestSchema,
|
|
46
|
+
validation_manifest: pluginValidationManifestSchema,
|
|
47
|
+
policy_evaluation: pluginPolicyEvaluationSchema.optional(),
|
|
48
|
+
policy_pack_evaluation: pluginPolicyPackEvaluationSchema.optional(),
|
|
49
|
+
traceability_refs: z.array(z.string().min(1)).default([]),
|
|
50
|
+
quality_refs: z.array(z.string().min(1)).default([]),
|
|
51
|
+
residual_risks: z
|
|
52
|
+
.array(z.object({
|
|
53
|
+
code: z.string().min(1),
|
|
54
|
+
severity: z.enum(['low', 'medium', 'high', 'critical']),
|
|
55
|
+
description: z.string().min(1),
|
|
56
|
+
mitigation: z.string().min(1).optional(),
|
|
57
|
+
}))
|
|
58
|
+
.default([]),
|
|
59
|
+
metadata: jsonObjectSchema.default({}),
|
|
60
|
+
});
|
|
61
|
+
export const pluginComplianceCriterionSchema = z.object({
|
|
62
|
+
id: z.string().min(1),
|
|
63
|
+
label: z.string().min(1),
|
|
64
|
+
status: z.enum(['pass', 'warn', 'fail']),
|
|
65
|
+
score: z.number().min(0),
|
|
66
|
+
max_score: z.number().positive(),
|
|
67
|
+
evidence: z.string().min(1),
|
|
68
|
+
issues: z.array(z.string().min(1)).default([]),
|
|
69
|
+
});
|
|
70
|
+
export const pluginComplianceIndexSchema = z.object({
|
|
71
|
+
schema_version: z.literal(1),
|
|
72
|
+
generated_at: z.string().datetime(),
|
|
73
|
+
feature_ref: z.string().regex(FEATURE_REF_PATTERN),
|
|
74
|
+
operation_id: z.string().regex(OPERATION_ID_PATTERN),
|
|
75
|
+
plugin_ref: z.object({
|
|
76
|
+
id: z.string().min(1),
|
|
77
|
+
version: z.string().min(1),
|
|
78
|
+
}),
|
|
79
|
+
capability: z.string().min(1),
|
|
80
|
+
score: z.number().min(0).max(100),
|
|
81
|
+
decision: z.enum(['compliant', 'warning', 'non-compliant']),
|
|
82
|
+
criteria: z.array(pluginComplianceCriterionSchema).min(1),
|
|
83
|
+
evidence_refs: z.array(z.string().min(1)).default([]),
|
|
84
|
+
});
|
|
85
|
+
export function buildPluginEvidenceManifest(input) {
|
|
86
|
+
const artifactManifest = pluginArtifactManifestSchema.parse(input.artifact_manifest);
|
|
87
|
+
const validationManifest = input.validation_manifest ??
|
|
88
|
+
buildDefaultValidationManifestFromArtifact(artifactManifest, artifactManifest.generated_at);
|
|
89
|
+
return pluginEvidenceManifestSchema.parse({
|
|
90
|
+
schema_version: 1,
|
|
91
|
+
operation_id: artifactManifest.operation_id,
|
|
92
|
+
generated_at: artifactManifest.generated_at,
|
|
93
|
+
feature_ref: artifactManifest.feature_ref,
|
|
94
|
+
plugin_ref: artifactManifest.plugin_ref,
|
|
95
|
+
capability: artifactManifest.capability,
|
|
96
|
+
artifact_manifest: artifactManifest,
|
|
97
|
+
validation_manifest: validationManifest,
|
|
98
|
+
policy_evaluation: input.policy_evaluation,
|
|
99
|
+
policy_pack_evaluation: input.policy_pack_evaluation,
|
|
100
|
+
traceability_refs: input.traceability_refs ?? [],
|
|
101
|
+
quality_refs: input.quality_refs ?? [],
|
|
102
|
+
residual_risks: input.residual_risks ?? [],
|
|
103
|
+
metadata: input.metadata ?? {},
|
|
104
|
+
});
|
|
105
|
+
}
|
|
106
|
+
export function buildPluginComplianceIndex(input) {
|
|
107
|
+
const manifest = pluginManifestSchema.parse(input.manifest);
|
|
108
|
+
const evidence = pluginEvidenceManifestSchema.parse(input.evidence_manifest);
|
|
109
|
+
assertEvidenceMatchesManifest(manifest, evidence);
|
|
110
|
+
const criteria = [
|
|
111
|
+
manifestValidityCriterion(manifest),
|
|
112
|
+
policyGateCriterion(evidence.policy_evaluation),
|
|
113
|
+
policyPackCriterion(evidence.policy_pack_evaluation),
|
|
114
|
+
trustTierCriterion(manifest),
|
|
115
|
+
dryRunApplyCoverageCriterion(manifest),
|
|
116
|
+
artifactTraceabilityCriterion(evidence.artifact_manifest),
|
|
117
|
+
validationEvidenceCriterion(evidence.validation_manifest),
|
|
118
|
+
supplyChainDependencyCriterion(manifest),
|
|
119
|
+
residualRiskCriterion(evidence),
|
|
120
|
+
];
|
|
121
|
+
const score = roundScore(criteria.reduce((total, criterion) => total + criterion.score, 0));
|
|
122
|
+
return pluginComplianceIndexSchema.parse({
|
|
123
|
+
schema_version: 1,
|
|
124
|
+
generated_at: input.generated_at ?? evidence.generated_at,
|
|
125
|
+
feature_ref: evidence.feature_ref,
|
|
126
|
+
operation_id: evidence.operation_id,
|
|
127
|
+
plugin_ref: evidence.plugin_ref,
|
|
128
|
+
capability: evidence.capability,
|
|
129
|
+
score,
|
|
130
|
+
decision: score >= 90 && criteria.every((criterion) => criterion.status === 'pass')
|
|
131
|
+
? 'compliant'
|
|
132
|
+
: score >= 70 && !criteria.some((criterion) => criterion.status === 'fail')
|
|
133
|
+
? 'warning'
|
|
134
|
+
: 'non-compliant',
|
|
135
|
+
criteria,
|
|
136
|
+
evidence_refs: [
|
|
137
|
+
`artifact:${evidence.operation_id}`,
|
|
138
|
+
`validation:${evidence.operation_id}`,
|
|
139
|
+
...evidence.quality_refs,
|
|
140
|
+
...evidence.traceability_refs,
|
|
141
|
+
],
|
|
142
|
+
});
|
|
143
|
+
}
|
|
144
|
+
function buildDefaultValidationManifestFromArtifact(artifactManifest, generatedAt) {
|
|
145
|
+
return pluginValidationManifestSchema.parse({
|
|
146
|
+
schema_version: 1,
|
|
147
|
+
operation_id: artifactManifest.operation_id,
|
|
148
|
+
generated_at: generatedAt,
|
|
149
|
+
feature_ref: artifactManifest.feature_ref,
|
|
150
|
+
plugin_ref: artifactManifest.plugin_ref,
|
|
151
|
+
capability: artifactManifest.capability,
|
|
152
|
+
status: resolveValidationStatus(artifactManifest.validation_evidence),
|
|
153
|
+
validations: artifactManifest.validation_evidence.map((validation) => ({
|
|
154
|
+
command: validation.command,
|
|
155
|
+
status: validation.status,
|
|
156
|
+
evidence_ref: validation.evidence_ref,
|
|
157
|
+
})),
|
|
158
|
+
});
|
|
159
|
+
}
|
|
160
|
+
function assertEvidenceMatchesManifest(manifest, evidence) {
|
|
161
|
+
const expectedPluginRef = `${manifest.id}@${manifest.version}`;
|
|
162
|
+
const evidencePluginRef = `${evidence.plugin_ref.id}@${evidence.plugin_ref.version}`;
|
|
163
|
+
if (expectedPluginRef !== evidencePluginRef) {
|
|
164
|
+
throw new Error(`Evidence plugin reference ${evidencePluginRef} does not match manifest ${expectedPluginRef}.`);
|
|
165
|
+
}
|
|
166
|
+
if (!manifest.capabilities.some((capability) => capability.name === evidence.capability)) {
|
|
167
|
+
throw new Error(`Evidence capability ${evidence.capability} is not declared by ${expectedPluginRef}.`);
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
function manifestValidityCriterion(manifest) {
|
|
171
|
+
return criterion('manifest-validity', 'Manifest validity', 10, 10, 'pass', `${manifest.id}@${manifest.version} is schema-valid.`);
|
|
172
|
+
}
|
|
173
|
+
function policyGateCriterion(policy) {
|
|
174
|
+
if (!policy) {
|
|
175
|
+
return criterion('policy-gate', 'Runtime policy gate', 0, 15, 'fail', 'No runtime policy evaluation was attached.', [
|
|
176
|
+
'POLICY_EVALUATION_MISSING',
|
|
177
|
+
]);
|
|
178
|
+
}
|
|
179
|
+
if (policy.decision === 'allow') {
|
|
180
|
+
return criterion('policy-gate', 'Runtime policy gate', 15, 15, 'pass', 'Runtime policy decision is allow.');
|
|
181
|
+
}
|
|
182
|
+
if (policy.decision === 'warn') {
|
|
183
|
+
return criterion('policy-gate', 'Runtime policy gate', 9, 15, 'warn', 'Runtime policy decision is warn.', issueCodes(policy.issues));
|
|
184
|
+
}
|
|
185
|
+
return criterion('policy-gate', 'Runtime policy gate', 0, 15, 'fail', 'Runtime policy decision is deny.', issueCodes(policy.issues));
|
|
186
|
+
}
|
|
187
|
+
function policyPackCriterion(evaluation) {
|
|
188
|
+
if (!evaluation) {
|
|
189
|
+
return criterion('policy-pack', 'Policy pack evaluation', 0, 15, 'fail', 'No policy pack evaluation was attached.', [
|
|
190
|
+
'POLICY_PACK_EVALUATION_MISSING',
|
|
191
|
+
]);
|
|
192
|
+
}
|
|
193
|
+
if (evaluation.decision === 'allow') {
|
|
194
|
+
return criterion('policy-pack', 'Policy pack evaluation', 15, 15, 'pass', 'Policy pack decision is allow.');
|
|
195
|
+
}
|
|
196
|
+
if (evaluation.decision === 'warn') {
|
|
197
|
+
return criterion('policy-pack', 'Policy pack evaluation', 9, 15, 'warn', 'Policy pack decision is warn.', issueCodes(evaluation.issues));
|
|
198
|
+
}
|
|
199
|
+
return criterion('policy-pack', 'Policy pack evaluation', 0, 15, 'fail', 'Policy pack decision is deny.', issueCodes(evaluation.issues));
|
|
200
|
+
}
|
|
201
|
+
function trustTierCriterion(manifest) {
|
|
202
|
+
const scoreByTrustTier = {
|
|
203
|
+
'enterprise-approved': 10,
|
|
204
|
+
'local-dev': 6,
|
|
205
|
+
experimental: 3,
|
|
206
|
+
blocked: 0,
|
|
207
|
+
};
|
|
208
|
+
const score = scoreByTrustTier[manifest.governance.trust_tier];
|
|
209
|
+
return criterion('trust-tier', 'Trust tier', score, 10, score >= 10 ? 'pass' : score > 0 ? 'warn' : 'fail', `Trust tier is ${manifest.governance.trust_tier}.`);
|
|
210
|
+
}
|
|
211
|
+
function dryRunApplyCoverageCriterion(manifest) {
|
|
212
|
+
const mutatingCapabilities = manifest.capabilities.filter((capability) => capability.write_scope.length > 0);
|
|
213
|
+
const missingDryRun = mutatingCapabilities.filter((capability) => !capability.supports_dry_run).map((capability) => capability.name);
|
|
214
|
+
const applyWithoutRollback = mutatingCapabilities
|
|
215
|
+
.filter((capability) => capability.supports_apply && !capability.supports_rollback)
|
|
216
|
+
.map((capability) => capability.name);
|
|
217
|
+
const issues = [
|
|
218
|
+
...missingDryRun.map((name) => `MISSING_DRY_RUN:${name}`),
|
|
219
|
+
...applyWithoutRollback.map((name) => `APPLY_WITHOUT_ROLLBACK:${name}`),
|
|
220
|
+
];
|
|
221
|
+
if (issues.length === 0) {
|
|
222
|
+
return criterion('dry-run-apply-coverage', 'Dry-run and apply coverage', 10, 10, 'pass', 'All mutating capabilities support dry-run and apply-capable capabilities declare rollback.');
|
|
223
|
+
}
|
|
224
|
+
return criterion('dry-run-apply-coverage', 'Dry-run and apply coverage', 4, 10, 'warn', 'Some mutating capabilities have incomplete mode coverage.', issues);
|
|
225
|
+
}
|
|
226
|
+
function artifactTraceabilityCriterion(artifactManifest) {
|
|
227
|
+
const missingReasons = artifactManifest.artifacts.filter((artifact) => artifact.reason.trim().length === 0);
|
|
228
|
+
if (artifactManifest.artifacts.length === 0) {
|
|
229
|
+
return criterion('artifact-traceability', 'Artifact traceability', 0, 15, 'fail', 'Artifact manifest contains no artifacts.', [
|
|
230
|
+
'ARTIFACTS_MISSING',
|
|
231
|
+
]);
|
|
232
|
+
}
|
|
233
|
+
if (missingReasons.length > 0) {
|
|
234
|
+
return criterion('artifact-traceability', 'Artifact traceability', 8, 15, 'warn', 'Some artifacts are missing reasons.', [
|
|
235
|
+
'ARTIFACT_REASON_MISSING',
|
|
236
|
+
]);
|
|
237
|
+
}
|
|
238
|
+
return criterion('artifact-traceability', 'Artifact traceability', 15, 15, 'pass', `${artifactManifest.artifacts.length} artifacts are traceable.`);
|
|
239
|
+
}
|
|
240
|
+
function validationEvidenceCriterion(validationManifest) {
|
|
241
|
+
if (validationManifest.validations.length === 0) {
|
|
242
|
+
return criterion('validation-evidence', 'Validation evidence', 0, 10, 'fail', 'No validation evidence was attached.', [
|
|
243
|
+
'VALIDATION_EVIDENCE_MISSING',
|
|
244
|
+
]);
|
|
245
|
+
}
|
|
246
|
+
if (validationManifest.status === 'passed') {
|
|
247
|
+
return criterion('validation-evidence', 'Validation evidence', 10, 10, 'pass', 'All validations passed.');
|
|
248
|
+
}
|
|
249
|
+
if (validationManifest.status === 'pending' || validationManifest.status === 'partial') {
|
|
250
|
+
return criterion('validation-evidence', 'Validation evidence', 6, 10, 'warn', `Validation status is ${validationManifest.status}.`);
|
|
251
|
+
}
|
|
252
|
+
return criterion('validation-evidence', 'Validation evidence', 0, 10, 'fail', 'One or more validations failed.', [
|
|
253
|
+
'VALIDATION_FAILED',
|
|
254
|
+
]);
|
|
255
|
+
}
|
|
256
|
+
function supplyChainDependencyCriterion(manifest) {
|
|
257
|
+
const missing = [
|
|
258
|
+
...(manifest.supply_chain.checksum ? [] : ['CHECKSUM_MISSING']),
|
|
259
|
+
...(manifest.supply_chain.signature || manifest.supply_chain.provenance ? [] : ['SIGNATURE_OR_PROVENANCE_MISSING']),
|
|
260
|
+
...(manifest.supply_chain.sbom ? [] : ['SBOM_MISSING']),
|
|
261
|
+
...(manifest.validation.security_checks.length > 0 ? [] : ['SECURITY_CHECKS_MISSING']),
|
|
262
|
+
...(manifest.validation.dependency_checks.length > 0 ? [] : ['DEPENDENCY_CHECKS_MISSING']),
|
|
263
|
+
];
|
|
264
|
+
if (missing.length === 0) {
|
|
265
|
+
return criterion('supply-chain-dependencies', 'Supply-chain and dependency evidence', 10, 10, 'pass', 'Supply-chain, security, and dependency evidence is declared.');
|
|
266
|
+
}
|
|
267
|
+
return criterion('supply-chain-dependencies', 'Supply-chain and dependency evidence', 4, 10, 'warn', 'Supply-chain or dependency evidence is incomplete.', missing);
|
|
268
|
+
}
|
|
269
|
+
function residualRiskCriterion(evidence) {
|
|
270
|
+
const criticalOrHigh = evidence.residual_risks.filter((risk) => risk.severity === 'critical' || risk.severity === 'high');
|
|
271
|
+
if (criticalOrHigh.length > 0) {
|
|
272
|
+
return criterion('residual-risks', 'Residual risks', 0, 5, 'fail', 'High or critical residual risks remain.', criticalOrHigh.map((risk) => risk.code));
|
|
273
|
+
}
|
|
274
|
+
if (evidence.residual_risks.length > 0) {
|
|
275
|
+
return criterion('residual-risks', 'Residual risks', 3, 5, 'warn', 'Low or medium residual risks remain.', evidence.residual_risks.map((risk) => risk.code));
|
|
276
|
+
}
|
|
277
|
+
return criterion('residual-risks', 'Residual risks', 5, 5, 'pass', 'No residual risks were reported.');
|
|
278
|
+
}
|
|
279
|
+
function criterion(id, label, score, maxScore, status, evidence, issues = []) {
|
|
280
|
+
return pluginComplianceCriterionSchema.parse({
|
|
281
|
+
id,
|
|
282
|
+
label,
|
|
283
|
+
score,
|
|
284
|
+
max_score: maxScore,
|
|
285
|
+
status,
|
|
286
|
+
evidence,
|
|
287
|
+
issues,
|
|
288
|
+
});
|
|
289
|
+
}
|
|
290
|
+
function resolveValidationStatus(validations) {
|
|
291
|
+
if (validations.length === 0)
|
|
292
|
+
return 'pending';
|
|
293
|
+
if (validations.some((validation) => validation.status === 'failed'))
|
|
294
|
+
return 'failed';
|
|
295
|
+
if (validations.every((validation) => validation.status === 'passed'))
|
|
296
|
+
return 'passed';
|
|
297
|
+
if (validations.every((validation) => validation.status === 'pending'))
|
|
298
|
+
return 'pending';
|
|
299
|
+
return 'partial';
|
|
300
|
+
}
|
|
301
|
+
function issueCodes(issues) {
|
|
302
|
+
return issues.map((issue) => issue.code);
|
|
303
|
+
}
|
|
304
|
+
function roundScore(value) {
|
|
305
|
+
return Math.round(value * 100) / 100;
|
|
306
|
+
}
|
|
307
|
+
//# sourceMappingURL=plugin-evidence.js.map
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const pluginCapabilitySchema: z.ZodObject<{
|
|
3
|
+
name: z.ZodString;
|
|
4
|
+
description: z.ZodString;
|
|
5
|
+
input_schema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
|
|
6
|
+
output_schema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
|
|
7
|
+
deterministic: z.ZodBoolean;
|
|
8
|
+
idempotent: z.ZodBoolean;
|
|
9
|
+
supports_dry_run: z.ZodBoolean;
|
|
10
|
+
supports_apply: z.ZodBoolean;
|
|
11
|
+
supports_rollback: z.ZodDefault<z.ZodBoolean>;
|
|
12
|
+
write_scope: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
13
|
+
risk_tier: z.ZodDefault<z.ZodEnum<{
|
|
14
|
+
low: "low";
|
|
15
|
+
medium: "medium";
|
|
16
|
+
high: "high";
|
|
17
|
+
critical: "critical";
|
|
18
|
+
}>>;
|
|
19
|
+
approval: z.ZodDefault<z.ZodEnum<{
|
|
20
|
+
none: "none";
|
|
21
|
+
maintainer: "maintainer";
|
|
22
|
+
security: "security";
|
|
23
|
+
"architecture-board": "architecture-board";
|
|
24
|
+
}>>;
|
|
25
|
+
}, z.core.$strip>;
|
|
26
|
+
export declare const pluginCompressionConfigSchema: z.ZodObject<{
|
|
27
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
28
|
+
engine: z.ZodDefault<z.ZodEnum<{
|
|
29
|
+
none: "none";
|
|
30
|
+
rtk: "rtk";
|
|
31
|
+
headroom: "headroom";
|
|
32
|
+
builtin: "builtin";
|
|
33
|
+
}>>;
|
|
34
|
+
mode: z.ZodDefault<z.ZodLiteral<"pretooluse">>;
|
|
35
|
+
exclude_commands: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
36
|
+
tee: z.ZodDefault<z.ZodEnum<{
|
|
37
|
+
never: "never";
|
|
38
|
+
failures: "failures";
|
|
39
|
+
always: "always";
|
|
40
|
+
}>>;
|
|
41
|
+
max_output_tokens: z.ZodDefault<z.ZodNumber>;
|
|
42
|
+
}, z.core.$strip>;
|
|
43
|
+
export declare const pluginManifestSchema: z.ZodObject<{
|
|
44
|
+
id: z.ZodString;
|
|
45
|
+
name: z.ZodString;
|
|
46
|
+
version: z.ZodString;
|
|
47
|
+
contract_version: z.ZodLiteral<1>;
|
|
48
|
+
vendor: z.ZodString;
|
|
49
|
+
codesdd_compat: z.ZodObject<{
|
|
50
|
+
versions: z.ZodString;
|
|
51
|
+
sdd_contract_versions: z.ZodArray<z.ZodNumber>;
|
|
52
|
+
}, z.core.$strip>;
|
|
53
|
+
technology: z.ZodObject<{
|
|
54
|
+
language: z.ZodString;
|
|
55
|
+
framework: z.ZodOptional<z.ZodString>;
|
|
56
|
+
runtime: z.ZodOptional<z.ZodString>;
|
|
57
|
+
package_manager: z.ZodOptional<z.ZodString>;
|
|
58
|
+
min_versions: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
59
|
+
}, z.core.$strip>;
|
|
60
|
+
capabilities: z.ZodArray<z.ZodObject<{
|
|
61
|
+
name: z.ZodString;
|
|
62
|
+
description: z.ZodString;
|
|
63
|
+
input_schema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
|
|
64
|
+
output_schema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
|
|
65
|
+
deterministic: z.ZodBoolean;
|
|
66
|
+
idempotent: z.ZodBoolean;
|
|
67
|
+
supports_dry_run: z.ZodBoolean;
|
|
68
|
+
supports_apply: z.ZodBoolean;
|
|
69
|
+
supports_rollback: z.ZodDefault<z.ZodBoolean>;
|
|
70
|
+
write_scope: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
71
|
+
risk_tier: z.ZodDefault<z.ZodEnum<{
|
|
72
|
+
low: "low";
|
|
73
|
+
medium: "medium";
|
|
74
|
+
high: "high";
|
|
75
|
+
critical: "critical";
|
|
76
|
+
}>>;
|
|
77
|
+
approval: z.ZodDefault<z.ZodEnum<{
|
|
78
|
+
none: "none";
|
|
79
|
+
maintainer: "maintainer";
|
|
80
|
+
security: "security";
|
|
81
|
+
"architecture-board": "architecture-board";
|
|
82
|
+
}>>;
|
|
83
|
+
}, z.core.$strip>>;
|
|
84
|
+
execution: z.ZodObject<{
|
|
85
|
+
command: z.ZodString;
|
|
86
|
+
args: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
87
|
+
timeout_seconds: z.ZodDefault<z.ZodNumber>;
|
|
88
|
+
env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
89
|
+
network: z.ZodDefault<z.ZodEnum<{
|
|
90
|
+
disabled: "disabled";
|
|
91
|
+
restricted: "restricted";
|
|
92
|
+
enabled: "enabled";
|
|
93
|
+
}>>;
|
|
94
|
+
process_spawn: z.ZodDefault<z.ZodEnum<{
|
|
95
|
+
forbidden: "forbidden";
|
|
96
|
+
declared: "declared";
|
|
97
|
+
}>>;
|
|
98
|
+
working_directory: z.ZodDefault<z.ZodString>;
|
|
99
|
+
}, z.core.$strip>;
|
|
100
|
+
artifacts: z.ZodObject<{
|
|
101
|
+
writes: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
102
|
+
forbidden_writes: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
103
|
+
naming_conventions: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
104
|
+
}, z.core.$strip>;
|
|
105
|
+
supply_chain: z.ZodObject<{
|
|
106
|
+
checksum: z.ZodOptional<z.ZodString>;
|
|
107
|
+
signature: z.ZodOptional<z.ZodString>;
|
|
108
|
+
provenance: z.ZodOptional<z.ZodString>;
|
|
109
|
+
sbom: z.ZodOptional<z.ZodString>;
|
|
110
|
+
}, z.core.$strip>;
|
|
111
|
+
governance: z.ZodObject<{
|
|
112
|
+
owner: z.ZodString;
|
|
113
|
+
support_sla: z.ZodString;
|
|
114
|
+
deprecation_window: z.ZodString;
|
|
115
|
+
policy_packs: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
116
|
+
trust_tier: z.ZodEnum<{
|
|
117
|
+
experimental: "experimental";
|
|
118
|
+
blocked: "blocked";
|
|
119
|
+
"local-dev": "local-dev";
|
|
120
|
+
"enterprise-approved": "enterprise-approved";
|
|
121
|
+
}>;
|
|
122
|
+
allowed_domains: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
123
|
+
risk_tier: z.ZodDefault<z.ZodEnum<{
|
|
124
|
+
low: "low";
|
|
125
|
+
medium: "medium";
|
|
126
|
+
high: "high";
|
|
127
|
+
critical: "critical";
|
|
128
|
+
}>>;
|
|
129
|
+
}, z.core.$strip>;
|
|
130
|
+
validation: z.ZodObject<{
|
|
131
|
+
commands: z.ZodArray<z.ZodString>;
|
|
132
|
+
coverage_target: z.ZodDefault<z.ZodNumber>;
|
|
133
|
+
security_checks: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
134
|
+
dependency_checks: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
135
|
+
}, z.core.$strip>;
|
|
136
|
+
compression: z.ZodDefault<z.ZodObject<{
|
|
137
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
138
|
+
engine: z.ZodDefault<z.ZodEnum<{
|
|
139
|
+
none: "none";
|
|
140
|
+
rtk: "rtk";
|
|
141
|
+
headroom: "headroom";
|
|
142
|
+
builtin: "builtin";
|
|
143
|
+
}>>;
|
|
144
|
+
mode: z.ZodDefault<z.ZodLiteral<"pretooluse">>;
|
|
145
|
+
exclude_commands: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
146
|
+
tee: z.ZodDefault<z.ZodEnum<{
|
|
147
|
+
never: "never";
|
|
148
|
+
failures: "failures";
|
|
149
|
+
always: "always";
|
|
150
|
+
}>>;
|
|
151
|
+
max_output_tokens: z.ZodDefault<z.ZodNumber>;
|
|
152
|
+
}, z.core.$strip>>;
|
|
153
|
+
}, z.core.$strip>;
|
|
154
|
+
export type PluginCapability = z.infer<typeof pluginCapabilitySchema>;
|
|
155
|
+
export type PluginManifest = z.infer<typeof pluginManifestSchema>;
|
|
156
|
+
export declare class PluginManifestValidationError extends Error {
|
|
157
|
+
readonly issues: string[];
|
|
158
|
+
constructor(sourceLabel: string, issues: string[]);
|
|
159
|
+
}
|
|
160
|
+
export declare function parsePluginManifest(content: string, sourceLabel?: string): PluginManifest;
|
|
161
|
+
export declare function loadPluginManifest(filePath: string): Promise<PluginManifest>;
|
|
162
|
+
export declare function validatePluginManifest(value: unknown, sourceLabel?: string): PluginManifest;
|
|
163
|
+
export declare function buildPluginManifestJsonSchema(): Record<string, unknown>;
|
|
164
|
+
//# sourceMappingURL=plugin-manifest.d.ts.map
|
|
@@ -0,0 +1,215 @@
|
|
|
1
|
+
import fs from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { parse as parseYaml } from 'yaml';
|
|
4
|
+
import { toJSONSchema, z } from 'zod';
|
|
5
|
+
const JSON_SCHEMA_DRAFT = 'https://json-schema.org/draft/2020-12/schema';
|
|
6
|
+
const PLUGIN_ID_PATTERN = /^codesdd-plugin-[a-z0-9][a-z0-9-]*$/;
|
|
7
|
+
const SEMVER_PATTERN = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
|
|
8
|
+
const CAPABILITY_NAME_PATTERN = /^[a-z][a-z0-9-]*(?:\.[a-z][a-z0-9-]*)+$/;
|
|
9
|
+
const WINDOWS_ABSOLUTE_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
|
|
10
|
+
const jsonObjectSchema = z.record(z.string(), z.unknown());
|
|
11
|
+
const safeRelativePathSchema = z
|
|
12
|
+
.string()
|
|
13
|
+
.min(1)
|
|
14
|
+
.refine((value) => isSafeRelativePath(value), {
|
|
15
|
+
message: 'Path must be relative to the project root and must not contain traversal segments.',
|
|
16
|
+
});
|
|
17
|
+
export const pluginCapabilitySchema = z
|
|
18
|
+
.object({
|
|
19
|
+
name: z.string().regex(CAPABILITY_NAME_PATTERN),
|
|
20
|
+
description: z.string().min(20),
|
|
21
|
+
input_schema: jsonObjectSchema,
|
|
22
|
+
output_schema: jsonObjectSchema,
|
|
23
|
+
deterministic: z.boolean(),
|
|
24
|
+
idempotent: z.boolean(),
|
|
25
|
+
supports_dry_run: z.boolean(),
|
|
26
|
+
supports_apply: z.boolean(),
|
|
27
|
+
supports_rollback: z.boolean().default(false),
|
|
28
|
+
write_scope: z.array(safeRelativePathSchema).default([]),
|
|
29
|
+
risk_tier: z.enum(['low', 'medium', 'high', 'critical']).default('medium'),
|
|
30
|
+
approval: z.enum(['none', 'maintainer', 'security', 'architecture-board']).default('maintainer'),
|
|
31
|
+
})
|
|
32
|
+
.superRefine((capability, context) => {
|
|
33
|
+
if (capability.supports_apply && !capability.supports_dry_run) {
|
|
34
|
+
context.addIssue({
|
|
35
|
+
code: 'custom',
|
|
36
|
+
path: ['supports_dry_run'],
|
|
37
|
+
message: 'Apply-capable plugin capabilities must support dry-run mode.',
|
|
38
|
+
});
|
|
39
|
+
}
|
|
40
|
+
});
|
|
41
|
+
export const pluginCompressionConfigSchema = z
|
|
42
|
+
.object({
|
|
43
|
+
enabled: z.boolean().default(false),
|
|
44
|
+
engine: z.enum(['rtk', 'headroom', 'builtin', 'none']).default('none'),
|
|
45
|
+
mode: z.literal('pretooluse').default('pretooluse'),
|
|
46
|
+
exclude_commands: z.array(z.string().min(1)).default([]),
|
|
47
|
+
tee: z.enum(['failures', 'always', 'never']).default('failures'),
|
|
48
|
+
max_output_tokens: z.number().int().positive().max(64000).default(4000),
|
|
49
|
+
})
|
|
50
|
+
.superRefine((compression, context) => {
|
|
51
|
+
if (compression.enabled && compression.engine === 'none') {
|
|
52
|
+
context.addIssue({
|
|
53
|
+
code: 'custom',
|
|
54
|
+
path: ['engine'],
|
|
55
|
+
message: 'Compression engine must not be none when compression is enabled.',
|
|
56
|
+
});
|
|
57
|
+
}
|
|
58
|
+
});
|
|
59
|
+
export const pluginManifestSchema = z
|
|
60
|
+
.object({
|
|
61
|
+
id: z.string().regex(PLUGIN_ID_PATTERN),
|
|
62
|
+
name: z.string().min(3),
|
|
63
|
+
version: z.string().regex(SEMVER_PATTERN),
|
|
64
|
+
contract_version: z.literal(1),
|
|
65
|
+
vendor: z.string().min(2),
|
|
66
|
+
codesdd_compat: z.object({
|
|
67
|
+
versions: z.string().min(1),
|
|
68
|
+
sdd_contract_versions: z.array(z.number().int().positive()).min(1),
|
|
69
|
+
}),
|
|
70
|
+
technology: z.object({
|
|
71
|
+
language: z.string().min(1),
|
|
72
|
+
framework: z.string().optional(),
|
|
73
|
+
runtime: z.string().optional(),
|
|
74
|
+
package_manager: z.string().optional(),
|
|
75
|
+
min_versions: z.record(z.string(), z.string()).default({}),
|
|
76
|
+
}),
|
|
77
|
+
capabilities: z.array(pluginCapabilitySchema).min(1),
|
|
78
|
+
execution: z.object({
|
|
79
|
+
command: z.string().min(1),
|
|
80
|
+
args: z.array(z.string()).default([]),
|
|
81
|
+
timeout_seconds: z.number().int().positive().max(3600).default(120),
|
|
82
|
+
env_allowlist: z.array(z.string().regex(/^[A-Z_][A-Z0-9_]*$/)).default([]),
|
|
83
|
+
network: z.enum(['disabled', 'restricted', 'enabled']).default('disabled'),
|
|
84
|
+
process_spawn: z.enum(['forbidden', 'declared']).default('forbidden'),
|
|
85
|
+
working_directory: safeRelativePathSchema.default('.'),
|
|
86
|
+
}),
|
|
87
|
+
artifacts: z.object({
|
|
88
|
+
writes: z.array(safeRelativePathSchema).default([]),
|
|
89
|
+
forbidden_writes: z.array(safeRelativePathSchema).default([]),
|
|
90
|
+
naming_conventions: z.array(z.string().min(1)).default([]),
|
|
91
|
+
}),
|
|
92
|
+
supply_chain: z.object({
|
|
93
|
+
checksum: z.string().optional(),
|
|
94
|
+
signature: z.string().optional(),
|
|
95
|
+
provenance: z.string().optional(),
|
|
96
|
+
sbom: z.string().optional(),
|
|
97
|
+
}),
|
|
98
|
+
governance: z.object({
|
|
99
|
+
owner: z.string().min(2),
|
|
100
|
+
support_sla: z.string().min(1),
|
|
101
|
+
deprecation_window: z.string().min(1),
|
|
102
|
+
policy_packs: z.array(z.string().min(1)).default([]),
|
|
103
|
+
trust_tier: z.enum(['local-dev', 'experimental', 'enterprise-approved', 'blocked']),
|
|
104
|
+
allowed_domains: z.array(z.string().min(1)).default([]),
|
|
105
|
+
risk_tier: z.enum(['low', 'medium', 'high', 'critical']).default('medium'),
|
|
106
|
+
}),
|
|
107
|
+
validation: z.object({
|
|
108
|
+
commands: z.array(z.string().min(1)).min(1),
|
|
109
|
+
coverage_target: z.number().min(0).max(100).default(95),
|
|
110
|
+
security_checks: z.array(z.string().min(1)).default([]),
|
|
111
|
+
dependency_checks: z.array(z.string().min(1)).default([]),
|
|
112
|
+
}),
|
|
113
|
+
compression: pluginCompressionConfigSchema.default({
|
|
114
|
+
enabled: false,
|
|
115
|
+
engine: 'none',
|
|
116
|
+
mode: 'pretooluse',
|
|
117
|
+
exclude_commands: [],
|
|
118
|
+
tee: 'failures',
|
|
119
|
+
max_output_tokens: 4000,
|
|
120
|
+
}),
|
|
121
|
+
})
|
|
122
|
+
.superRefine((manifest, context) => {
|
|
123
|
+
const duplicateCapabilityNames = findDuplicates(manifest.capabilities.map((capability) => capability.name));
|
|
124
|
+
for (const duplicateName of duplicateCapabilityNames) {
|
|
125
|
+
context.addIssue({
|
|
126
|
+
code: 'custom',
|
|
127
|
+
path: ['capabilities'],
|
|
128
|
+
message: `Duplicate capability name: ${duplicateName}.`,
|
|
129
|
+
});
|
|
130
|
+
}
|
|
131
|
+
if (manifest.governance.trust_tier === 'enterprise-approved') {
|
|
132
|
+
if (!manifest.supply_chain.checksum) {
|
|
133
|
+
context.addIssue({
|
|
134
|
+
code: 'custom',
|
|
135
|
+
path: ['supply_chain', 'checksum'],
|
|
136
|
+
message: 'Enterprise-approved plugins must declare a checksum.',
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
if (!manifest.supply_chain.signature && !manifest.supply_chain.provenance) {
|
|
140
|
+
context.addIssue({
|
|
141
|
+
code: 'custom',
|
|
142
|
+
path: ['supply_chain', 'provenance'],
|
|
143
|
+
message: 'Enterprise-approved plugins must declare either a signature or provenance.',
|
|
144
|
+
});
|
|
145
|
+
}
|
|
146
|
+
if (!manifest.supply_chain.sbom) {
|
|
147
|
+
context.addIssue({
|
|
148
|
+
code: 'custom',
|
|
149
|
+
path: ['supply_chain', 'sbom'],
|
|
150
|
+
message: 'Enterprise-approved plugins must declare SBOM metadata.',
|
|
151
|
+
});
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
});
|
|
155
|
+
export class PluginManifestValidationError extends Error {
|
|
156
|
+
issues;
|
|
157
|
+
constructor(sourceLabel, issues) {
|
|
158
|
+
super(`Plugin manifest validation failed for ${sourceLabel}: ${issues.join('; ')}`);
|
|
159
|
+
this.name = 'PluginManifestValidationError';
|
|
160
|
+
this.issues = issues;
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
export function parsePluginManifest(content, sourceLabel = 'codesdd-plugin.yaml') {
|
|
164
|
+
let parsed;
|
|
165
|
+
try {
|
|
166
|
+
parsed = parseYaml(content);
|
|
167
|
+
}
|
|
168
|
+
catch (error) {
|
|
169
|
+
throw new PluginManifestValidationError(sourceLabel, [`YAML parse failed: ${String(error)}`]);
|
|
170
|
+
}
|
|
171
|
+
return validatePluginManifest(parsed, sourceLabel);
|
|
172
|
+
}
|
|
173
|
+
export async function loadPluginManifest(filePath) {
|
|
174
|
+
const content = await fs.readFile(filePath, 'utf8');
|
|
175
|
+
return parsePluginManifest(content, path.basename(filePath));
|
|
176
|
+
}
|
|
177
|
+
export function validatePluginManifest(value, sourceLabel = 'codesdd-plugin.yaml') {
|
|
178
|
+
const result = pluginManifestSchema.safeParse(value);
|
|
179
|
+
if (!result.success) {
|
|
180
|
+
throw new PluginManifestValidationError(sourceLabel, formatIssues(result.error.issues));
|
|
181
|
+
}
|
|
182
|
+
return result.data;
|
|
183
|
+
}
|
|
184
|
+
export function buildPluginManifestJsonSchema() {
|
|
185
|
+
return {
|
|
186
|
+
...toJSONSchema(pluginManifestSchema),
|
|
187
|
+
$schema: JSON_SCHEMA_DRAFT,
|
|
188
|
+
title: 'CodeSDD Enterprise Plugin Manifest',
|
|
189
|
+
description: 'Machine-readable contract for a CodeSDD enterprise plugin manifest.',
|
|
190
|
+
};
|
|
191
|
+
}
|
|
192
|
+
function isSafeRelativePath(value) {
|
|
193
|
+
if (value.startsWith('/') || WINDOWS_ABSOLUTE_PATH_PATTERN.test(value)) {
|
|
194
|
+
return false;
|
|
195
|
+
}
|
|
196
|
+
return !value.split(/[\\/]+/).some((segment) => segment === '..');
|
|
197
|
+
}
|
|
198
|
+
function findDuplicates(values) {
|
|
199
|
+
const seen = new Set();
|
|
200
|
+
const duplicates = new Set();
|
|
201
|
+
for (const value of values) {
|
|
202
|
+
if (seen.has(value)) {
|
|
203
|
+
duplicates.add(value);
|
|
204
|
+
}
|
|
205
|
+
seen.add(value);
|
|
206
|
+
}
|
|
207
|
+
return [...duplicates];
|
|
208
|
+
}
|
|
209
|
+
function formatIssues(issues) {
|
|
210
|
+
return issues.map((issue) => {
|
|
211
|
+
const issuePath = issue.path.length > 0 ? issue.path.join('.') : '<root>';
|
|
212
|
+
return `${issuePath}: ${issue.message}`;
|
|
213
|
+
});
|
|
214
|
+
}
|
|
215
|
+
//# sourceMappingURL=plugin-manifest.js.map
|