@fragments-sdk/cli 0.15.10 → 0.17.0

package/dist/govern-scan-X6UEIOSV.js

@@ -0,0 +1,632 @@
+import { createRequire as __banner_createRequire } from 'module'; const require = __banner_createRequire(import.meta.url);
+import "./chunk-D2CDBRNU.js";
+import {
+  BRAND
+} from "./chunk-FFCI6OVZ.js";
+
+// src/commands/govern-scan.ts
+import pc from "picocolors";
+import { resolve as resolve2, relative as relative2 } from "path";
+import { existsSync, readFileSync } from "fs";
+import { execSync } from "child_process";
+
+// src/commands/govern-scan-report.ts
+import { resolve, dirname, relative } from "path";
+var SEVERITY_RANK = {
+  critical: 4,
+  serious: 3,
+  moderate: 2,
+  minor: 1
+};
+function mergeSeverity(a, b) {
+  return SEVERITY_RANK[a] >= SEVERITY_RANK[b] ? a : b;
+}
+function aggregateVerdicts(verdicts, computeScore, runner = "cli") {
+  if (verdicts.length === 0) {
+    return {
+      passed: true,
+      score: 100,
+      results: [],
+      metadata: {
+        runner,
+        duration: 0,
+        nodeCount: 0,
+        componentTypes: []
+      }
+    };
+  }
+  const byValidator = /* @__PURE__ */ new Map();
+  let duration = 0;
+  let nodeCount = 0;
+  const componentTypes = /* @__PURE__ */ new Set();
+  for (const verdict of verdicts) {
+    duration += verdict.metadata.duration;
+    nodeCount += verdict.metadata.nodeCount;
+    for (const type of verdict.metadata.componentTypes) {
+      componentTypes.add(type);
+    }
+    for (const result of verdict.results) {
+      const existing = byValidator.get(result.validator);
+      if (!existing) {
+        byValidator.set(result.validator, {
+          validator: result.validator,
+          severity: result.severity,
+          passed: result.passed,
+          violations: [...result.violations],
+          suggestions: result.suggestions ? [...result.suggestions] : void 0
+        });
+        continue;
+      }
+      existing.passed = existing.passed && result.passed;
+      existing.severity = mergeSeverity(existing.severity, result.severity);
+      existing.violations.push(...result.violations);
+      if (result.suggestions?.length) {
+        const merged = existing.suggestions ?? [];
+        merged.push(...result.suggestions);
+        existing.suggestions = merged;
+      }
+    }
+  }
+  const results = [...byValidator.values()].sort(
+    (a, b) => a.validator.localeCompare(b.validator)
+  );
+  const allViolations = results.flatMap((result) => result.violations);
+  return {
+    passed: verdicts.every((verdict) => verdict.passed),
+    score: computeScore(allViolations),
+    results,
+    metadata: {
+      runner,
+      duration,
+      nodeCount,
+      componentTypes: [...componentTypes].sort()
+    }
+  };
+}
+function flattenComponentUsage(usages, rootDir) {
+  const counts = /* @__PURE__ */ new Map();
+  for (const usage of usages) {
+    const relPath = relative(rootDir, usage.filePath);
+    const key = `${relPath}\0${usage.componentName}`;
+    counts.set(key, (counts.get(key) ?? 0) + 1);
+  }
+  return [...counts.entries()].map(([key, occurrences]) => {
+    const separatorIndex = key.indexOf("\0");
+    const file = key.slice(0, separatorIndex);
+    const component = key.slice(separatorIndex + 1);
+    return { component, file, occurrences };
+  }).sort(
+    (a, b) => a.file === b.file ? a.component.localeCompare(b.component) : a.file.localeCompare(b.file)
+  );
+}
+function buildComplianceSummary(health) {
+  const usageTotals = Object.values(health.components).reduce(
+    (acc, component) => {
+      acc.passingUsages += component.passed;
+      acc.totalUsages += component.total;
+      return acc;
+    },
+    { passingUsages: 0, totalUsages: 0 }
+  );
+  return {
+    complianceRate: health.overallCompliance,
+    passingUsages: usageTotals.passingUsages,
+    totalUsages: usageTotals.totalUsages,
+    contractedCount: health.contractedComponents,
+    detectedCount: health.totalComponents
+  };
+}
+async function writeGovernScanReport(path, report) {
+  const { mkdir, writeFile } = await import("fs/promises");
+  const absPath = resolve(path);
+  await mkdir(dirname(absPath), { recursive: true });
+  await writeFile(absPath, JSON.stringify(report, null, 2), "utf-8");
+}
+
+// src/commands/govern-scan.ts
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".tsx",
+  ".ts",
+  ".jsx",
+  ".js"
+]);
+function getChangedFiles(rootDir, base) {
+  try {
+    const baseRef = base || detectMergeBase(rootDir);
+    if (!baseRef) return null;
+    const output = execSync(
+      `git diff --name-only --diff-filter=ACMR ${baseRef}...HEAD`,
+      { cwd: rootDir, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+    );
+    return output.split("\n").map((f) => f.trim()).filter((f) => f && SCANNABLE_EXTENSIONS.has(f.slice(f.lastIndexOf(".")))).map((f) => resolve2(rootDir, f));
+  } catch {
+    return null;
+  }
+}
+function detectMergeBase(rootDir) {
+  try {
+    const remote = execSync("git rev-parse --abbrev-ref origin/HEAD", {
+      cwd: rootDir,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (remote) return remote;
+  } catch {
+  }
+  for (const candidate of ["origin/main", "origin/master"]) {
+    try {
+      execSync(`git rev-parse --verify ${candidate}`, {
+        cwd: rootDir,
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      return candidate;
+    } catch {
+    }
+  }
+  return null;
+}
+var SCAN_DEFAULT_RULES = {
+  "safety/block-event-handlers": true,
+  "safety/block-dangerous-props": true,
+  "safety/block-controlled-props": true,
+  "safety/block-function-props": true,
+  "safety/sanitize-hrefs": true,
+  "tokens/require-design-tokens": true
+};
+function detectRootDir(cwd) {
+  const candidates = ["src", "app", "pages", "components"];
+  for (const dir of candidates) {
+    if (existsSync(resolve2(cwd, dir))) {
+      return cwd;
+    }
+  }
+  return cwd;
+}
+function groupByFile(usages) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const usage of usages) {
+    const existing = grouped.get(usage.filePath);
+    if (existing) {
+      existing.push(usage);
+    } else {
+      grouped.set(usage.filePath, [usage]);
+    }
+  }
+  return grouped;
+}
+async function governScan(options = {}) {
+  const {
+    loadPolicy,
+    createEngine,
+    buildAdaptersFromConfig,
+    formatVerdict,
+    computeComponentHealth,
+    computeScore
+  } = await import("@fragments-sdk/govern");
+  const { scanCodebase } = await import("./codebase-scanner-2T5QIDBA.js");
+  const { usagesToSpec } = await import("./converter-7XM3Y6NJ.js");
+  const format = options.format ?? "summary";
+  const quiet = options.quiet ?? false;
+  if (!quiet) {
+    console.log(pc.cyan(`
+${BRAND.name} Governance Scan
+`));
+  }
+  const rootDir = resolve2(options.dir ?? detectRootDir(process.cwd()));
+  if (!quiet) {
+    console.log(pc.dim(`  Root: ${rootDir}
+`));
+  }
+  let policy = await loadPolicy(options.config);
+  const hasRules = Object.keys(policy.rules).length > 0;
+  if (!hasRules) {
+    policy = { ...policy, rules: SCAN_DEFAULT_RULES };
+    if (!quiet) {
+      console.log(pc.dim("  No config found \u2014 using scan defaults (safety + tokens)\n"));
+    }
+  }
+  let registryMap;
+  let hasRegistry = false;
+  {
+    const fragmentsJsonPath = resolve2(rootDir, "fragments.json");
+    if (existsSync(fragmentsJsonPath)) {
+      try {
+        const raw = readFileSync(fragmentsJsonPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (parsed.fragments && Array.isArray(parsed.fragments)) {
+          const map = {};
+          for (const fragment of parsed.fragments) {
+            if (fragment.meta?.name) {
+              map[fragment.meta.name] = fragment;
+            }
+          }
+          registryMap = map;
+          hasRegistry = true;
+          if (!quiet) {
+            console.log(
+              pc.dim(`  Contract registry loaded (${parsed.fragments.length} components)
+`)
+            );
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const adapters = buildAdaptersFromConfig(policy.audit);
+  const engine = createEngine(
+    policy,
+    adapters,
+    registryMap ? { registry: { fragments: registryMap } } : void 0
+  );
+  let diffFiles;
+  if (options.diff) {
+    const base = typeof options.diff === "string" ? options.diff : void 0;
+    const changed = getChangedFiles(rootDir, base);
+    if (changed && changed.length > 0) {
+      diffFiles = changed;
+      if (!quiet) {
+        console.log(pc.dim(`  Diff mode: scanning ${changed.length} changed file(s)...
+`));
+      }
+    } else if (changed && changed.length === 0) {
+      if (!quiet) {
+        console.log(pc.green("  No scannable files changed \u2014 all clear.\n"));
+      }
+      return { exitCode: 0 };
+    } else {
+      if (!quiet) {
+        console.log(pc.yellow("  Could not detect git diff \u2014 falling back to full scan.\n"));
+      }
+    }
+  }
+  if (!quiet && !diffFiles) {
+    console.log(pc.dim("  Scanning files...\n"));
+  }
+  const analysis = await scanCodebase({
+    rootDir,
+    useCache: true,
+    files: diffFiles,
+    onProgress: quiet ? void 0 : (progress) => {
+      if (progress.phase === "scanning") {
+        process.stdout.write(
+          `\r  ${pc.dim(`[${progress.current}/${progress.total}]`)} ${pc.dim(relative2(rootDir, progress.currentFile))}`
+        );
+      }
+    }
+  });
+  if (!quiet) {
+    process.stdout.write("\r" + " ".repeat(80) + "\r");
+    console.log(
+      pc.dim(`  Scanned ${analysis.totalFiles} files, found ${analysis.totalComponents} component types
+`)
+    );
+  }
+  const allUsages = [];
+  for (const comp of Object.values(analysis.components)) {
+    allUsages.push(...comp.usages);
+  }
+  if (allUsages.length === 0) {
+    if (!quiet) {
+      console.log(pc.yellow("  No component usages found.\n"));
+    }
+    if (options.report) {
+      const report = {
+        verdict: aggregateVerdicts([], computeScore, "ci"),
+        componentUsage: []
+      };
+      await writeGovernScanReport(options.report, report);
+      if (!quiet) {
+        console.log(pc.dim(`  Wrote governance report: ${resolve2(options.report)}
+`));
+      }
+    }
+    return { exitCode: 0 };
+  }
+  const grouped = groupByFile(allUsages);
+  let totalFiles = 0;
+  let passedFiles = 0;
+  let totalViolations = 0;
+  const violationCounts = /* @__PURE__ */ new Map();
+  const allVerdicts = [];
+  for (const [filePath, usages] of grouped) {
+    const spec = usagesToSpec(usages, filePath, rootDir);
+    const relPath = relative2(rootDir, filePath);
+    const verdict = await engine.check(spec, {
+      runner: "cli",
+      input: relPath
+    });
+    allVerdicts.push(verdict);
+    totalFiles++;
+    if (verdict.passed) {
+      passedFiles++;
+    } else {
+      if (!quiet) {
+        console.log(pc.red(`  \u2717 ${relPath}`));
+        if (format === "summary") {
+          for (const result of verdict.results) {
+            for (const v of result.violations) {
+              const count = violationCounts.get(v.rule) ?? 0;
+              violationCounts.set(v.rule, count + 1);
+              totalViolations++;
+              console.log(
+                pc.dim(`    ${v.severity} `) + pc.yellow(v.rule) + pc.dim(` \u2014 ${v.message}`)
+              );
+              if (v.nodeId) {
+                console.log(pc.dim(`      at ${v.nodeId}`));
+              }
+            }
+          }
+        }
+      }
+    }
+    if (verdict.passed && !quiet && format === "summary") {
+      console.log(pc.green(`  \u2713 ${relPath}`) + pc.dim(` (${usages.length} components, score: ${verdict.score}/100)`));
+    }
+    if (format === "json" || format === "sarif") {
+      const output = formatVerdict(verdict, format);
+      console.log(output);
+    }
+  }
+  const health = computeComponentHealth(allVerdicts, registryMap ?? {});
+  if (!quiet && format === "summary") {
+    console.log(pc.dim("\n  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
+    console.log(`  Files checked:  ${totalFiles}`);
+    console.log(`  Passed:         ${passedFiles}/${totalFiles}`);
+    console.log(`  Violations:     ${totalViolations}`);
+    if (violationCounts.size > 0) {
+      console.log(pc.dim("\n  Top violations:"));
+      const sorted = [...violationCounts.entries()].sort((a, b) => b[1] - a[1]);
+      for (const [rule, count] of sorted.slice(0, 5)) {
+        console.log(pc.dim(`    ${count}\xD7 `) + pc.yellow(rule));
+      }
+    }
+    console.log(pc.dim("\n  Component Health:"));
+    console.log(`    Contract coverage:  ${health.contractCoverage}% (${health.contractedComponents}/${health.totalComponents})`);
+    console.log(`    Compliance rate:    ${health.overallCompliance}%`);
+    if (health.uncontracted.length > 0) {
+      console.log(pc.dim(`    Uncontracted:       ${health.uncontracted.slice(0, 5).join(", ")}${health.uncontracted.length > 5 ? ` (+${health.uncontracted.length - 5} more)` : ""}`));
+    }
+    console.log();
+    if (passedFiles === totalFiles) {
+      console.log(pc.green(`  \u2713 All files passed governance checks
+`));
+    } else {
+      console.log(
+        pc.red(`  \u2717 ${totalFiles - passedFiles} file(s) failed governance checks
+`)
+      );
+    }
+  }
+  if (options.report) {
+    const report = {
+      verdict: aggregateVerdicts(allVerdicts, computeScore, "ci"),
+      componentUsage: flattenComponentUsage(allUsages, rootDir)
+    };
+    if (hasRegistry) {
+      report.complianceSummary = buildComplianceSummary(health);
+    }
+    await writeGovernScanReport(options.report, report);
+    if (!quiet) {
+      console.log(pc.dim(`  Wrote governance report: ${resolve2(options.report)}
+`));
+    }
+  }
+  if (options.apiKey) {
+    await reportToCloud({
+      apiKey: options.apiKey,
+      cloudUrl: options.cloudUrl,
+      verdicts: allVerdicts,
+      rootDir,
+      quiet,
+      diffOnly: !!diffFiles
+    });
+  }
+  return { exitCode: passedFiles === totalFiles ? 0 : 1 };
+}
+var DEFAULT_CLOUD_URL = "https://app.usefragments.com";
+function detectGitMetadata() {
+  const env = process.env;
+  const meta = {};
+  if (env.GITHUB_SHA) meta.commitSha = env.GITHUB_SHA;
+  if (env.GITHUB_REPOSITORY) meta.repoFullName = env.GITHUB_REPOSITORY;
+  if (env.GITHUB_REF_NAME) meta.branch = env.GITHUB_REF_NAME;
+  if (env.GITHUB_EVENT_NAME === "pull_request" && env.GITHUB_EVENT_PATH) {
+    try {
+      const event = JSON.parse(readFileSync(env.GITHUB_EVENT_PATH, "utf-8"));
+      if (event?.pull_request?.number) {
+        meta.pr = event.pull_request.number;
+      }
+      if (event?.pull_request?.head?.sha) {
+        meta.commitSha = event.pull_request.head?.sha;
+      }
+    } catch {
+    }
+  }
+  return meta;
+}
+async function reportToCloud(options) {
+  const { apiKey, verdicts, rootDir, quiet, diffOnly } = options;
+  const baseUrl = (options.cloudUrl ?? DEFAULT_CLOUD_URL).replace(/\/+$/, "");
+  const findings = [];
+  const { createHash } = await import("crypto");
+  for (const verdict of verdicts) {
+    for (const result of verdict.results) {
+      for (const v of result.violations) {
+        const severity = v.severity === "critical" || v.severity === "serious" ? "error" : v.severity === "moderate" ? "warning" : "info";
+        const fingerprint = createHash("sha256").update(`${v.rule}:${v.nodeType}:${v.nodeId}:${v.message}`).digest("hex").slice(0, 16);
+        let filePath;
+        let line;
+        let column;
+        if (v.filePath) {
+          filePath = v.filePath;
+          line = v.line;
+          column = v.column;
+        } else if (v.nodeId) {
+          const parts = v.nodeId.split(":");
+          if (parts.length >= 3) {
+            const col = parseInt(parts.pop(), 10);
+            const ln = parseInt(parts.pop(), 10);
+            const path = parts.join(":");
+            if (!isNaN(ln) && !isNaN(col) && path) {
+              filePath = path;
+              line = ln;
+              column = col;
+            }
+          }
+          if (!filePath) {
+            filePath = relative2(rootDir, v.nodeId);
+          }
+        }
+        findings.push({
+          ruleId: v.rule,
+          severity,
+          filePath,
+          line,
+          column,
+          rawValue: v.rawValue,
+          message: `[${result.validator}] ${v.message}`,
+          category: result.validator,
+          fingerprint,
+          suggestedToken: v.suggestion
+        });
+      }
+    }
+  }
+  if (!quiet) {
+    console.log(pc.dim(`  Reporting ${findings.length} finding(s) to Fragments Cloud...`));
+  }
+  const gitMeta = detectGitMetadata();
+  try {
+    const response = await fetch(`${baseUrl}/api/govern/ingest`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({
+        findings,
+        source: "ci",
+        diffOnly: diffOnly ?? false,
+        ...gitMeta
+      })
+    });
+    if (!response.ok) {
+      const body2 = await response.json().catch(() => ({}));
+      const msg = body2.error ?? `HTTP ${response.status}`;
+      console.error(pc.red(`  \u2717 Cloud report failed: ${msg}
+`));
+      return;
+    }
+    const body = await response.json();
+    if (!quiet) {
+      console.log(
+        pc.green(`  \u2713 Reported ${body.ingested ?? findings.length} finding(s) to Cloud`) + (body.orgSlug ? pc.dim(` (${body.orgSlug})`) : "") + "\n"
+      );
+    }
+  } catch (err) {
+    console.error(
+      pc.red(`  \u2717 Cloud report failed: `) + pc.dim(err instanceof Error ? err.message : "Network error") + "\n"
+    );
+  }
+}
+async function governWatch(options = {}) {
+  const {
+    loadPolicy,
+    createEngine,
+    buildAdaptersFromConfig,
+    formatVerdict
+  } = await import("@fragments-sdk/govern");
+  const { scanFile } = await import("./scanner-4KZNOXAK.js");
+  const { usagesToSpec } = await import("./converter-7XM3Y6NJ.js");
+  const quiet = options.quiet ?? false;
+  const debounceMs = options.debounce ?? 300;
+  const format = options.format ?? "summary";
+  console.log(pc.cyan(`
+${BRAND.name} Governance Watch
+`));
+  const { exitCode } = await governScan(options);
+  if (!quiet) {
+    console.log(
+      pc.dim(`  Initial scan ${exitCode === 0 ? "passed" : "completed with violations"}
+`)
+    );
+  }
+  const rootDir = resolve2(options.dir ?? detectRootDir(process.cwd()));
+  let policy = await loadPolicy(options.config);
+  if (Object.keys(policy.rules).length === 0) {
+    policy = { ...policy, rules: SCAN_DEFAULT_RULES };
+  }
+  const adapters = buildAdaptersFromConfig(policy.audit);
+  const engine = createEngine(policy, adapters);
+  console.log(pc.dim("  Watching for changes... (Ctrl+C to stop)\n"));
+  const chokidar = await import("chokidar");
+  const watcher = chokidar.watch(
+    ["**/*.tsx", "**/*.ts", "**/*.jsx", "**/*.js"],
+    {
+      cwd: rootDir,
+      ignoreInitial: true,
+      ignored: [
+        "**/node_modules/**",
+        "**/dist/**",
+        "**/build/**",
+        "**/.next/**",
+        "**/*.test.*",
+        "**/*.spec.*",
+        "**/*.stories.*"
+      ],
+      awaitWriteFinish: { stabilityThreshold: debounceMs }
+    }
+  );
+  const handleChange = async (changedRelPath) => {
+    const absolutePath = resolve2(rootDir, changedRelPath);
+    try {
+      const { usages } = await scanFile(absolutePath);
+      if (usages.length === 0) {
+        if (!quiet) {
+          console.log(pc.dim(`  \u25CB ${changedRelPath} \u2014 no component usages`));
+        }
+        return;
+      }
+      const spec = usagesToSpec(usages, absolutePath, rootDir);
+      const verdict = await engine.check(spec, {
+        runner: "cli",
+        input: changedRelPath
+      });
+      if (verdict.passed) {
+        console.log(
+          pc.green(`  \u2713 ${changedRelPath}`) + pc.dim(` (${usages.length} components, score: ${verdict.score}/100)`)
+        );
+      } else {
+        console.log(pc.red(`  \u2717 ${changedRelPath}`));
+        if (format === "summary") {
+          for (const result of verdict.results) {
+            for (const v of result.violations) {
+              console.log(
+                pc.dim(`    ${v.severity} `) + pc.yellow(v.rule) + pc.dim(` \u2014 ${v.message}`)
+              );
+            }
+          }
+        } else {
+          console.log(formatVerdict(verdict, format));
+        }
+      }
+    } catch (error) {
+      if (!quiet) {
+        console.log(
+          pc.dim(`  \u26A0 ${changedRelPath} \u2014 `) + pc.yellow(error instanceof Error ? error.message : "parse error")
+        );
+      }
+    }
+  };
+  watcher.on("change", handleChange);
+  watcher.on("add", handleChange);
+  await new Promise(() => {
+  });
+}
+export {
+  governScan,
+  governWatch
+};
+//# sourceMappingURL=govern-scan-X6UEIOSV.js.map