@git-stunts/git-warp 10.8.0 → 11.3.3

package/bin/cli/commands/tree.js

@@ -0,0 +1,230 @@
+import { EXIT_CODES, usageError, parseCommandArgs } from '../infrastructure.js';
+import { openGraph, applyCursorCeiling, emitCursorWarning } from '../shared.js';
+import { z } from 'zod';
+
+/** @typedef {import('../types.js').CliOptions} CliOptions */
+
+const TREE_OPTIONS = {
+  edge: { type: 'string' },
+  prop: { type: 'string', multiple: true },
+  'max-depth': { type: 'string' },
+};
+
+const treeSchema = z.object({
+  edge: z.string().optional(),
+  prop: z.union([z.string(), z.array(z.string())]).optional(),
+  'max-depth': z.coerce.number().int().nonnegative().optional(),
+}).strict().transform((val) => ({
+  edgeLabel: val.edge ?? null,
+  props: Array.isArray(val.prop) ? val.prop : val.prop ? [val.prop] : [],
+  maxDepth: val['max-depth'],
+}));
+
+/**
+ * Builds a parent-to-children adjacency map from edges.
+ * @param {Array<{from: string, to: string, label?: string}>} edges
+ * @param {string|null} labelFilter
+ * @returns {Map<string, Array<{id: string, label: string}>>}
+ */
+function buildChildMap(edges, labelFilter) {
+  /** @type {Map<string, Array<{id: string, label: string}>>} */
+  const children = new Map();
+  /** @type {Set<string>} */
+  const hasParent = new Set();
+
+  for (const edge of edges) {
+    if (labelFilter && edge.label !== labelFilter) {
+      continue;
+    }
+    if (!children.has(edge.from)) {
+      children.set(edge.from, []);
+    }
+    const fromChildren = children.get(edge.from);
+    if (fromChildren) {
+      fromChildren.push({ id: edge.to, label: edge.label || '' });
+    }
+    hasParent.add(edge.to);
+  }
+
+  return children;
+}
+
+/**
+ * Finds root nodes (nodes with outgoing edges but no incoming edges in the filtered set).
+ * @param {string[]} nodeIds
+ * @param {Array<{from: string, to: string, label?: string}>} edges
+ * @param {string|null} labelFilter
+ * @returns {string[]}
+ */
+function findRoots(nodeIds, edges, labelFilter) {
+  const hasParent = new Set();
+  const hasChild = new Set();
+
+  for (const edge of edges) {
+    if (labelFilter && edge.label !== labelFilter) {
+      continue;
+    }
+    hasParent.add(edge.to);
+    hasChild.add(edge.from);
+  }
+
+  // Roots: nodes that have children but no parents in the filtered edge set
+  const roots = nodeIds.filter((id) => !hasParent.has(id) && hasChild.has(id));
+  if (roots.length > 0) {
+    return roots.sort();
+  }
+
+  // Fallback: nodes with no incoming edges at all
+  return nodeIds.filter((id) => !hasParent.has(id)).sort();
+}
+
+/**
+ * Formats annotation string for a node based on requested props.
+ * @param {Record<string, unknown>} nodeProps
+ * @param {string[]} propKeys
+ * @returns {string}
+ */
+function formatAnnotation(nodeProps, propKeys) {
+  if (propKeys.length === 0 || !nodeProps) {
+    return '';
+  }
+  const parts = [];
+  for (const key of propKeys) {
+    if (Object.prototype.hasOwnProperty.call(nodeProps, key)) {
+      parts.push(`${key}: ${nodeProps[key]}`);
+    }
+  }
+  return parts.length > 0 ? `  [${parts.join(', ')}]` : '';
+}
+
+/**
+ * Renders a tree structure as lines with box-drawing characters.
+ * @param {object} params
+ * @param {string} params.nodeId
+ * @param {Map<string, Array<{id: string, label: string}>>} params.childMap
+ * @param {Map<string, Record<string, unknown>>} params.propsMap
+ * @param {string[]} params.propKeys
+ * @param {string} params.prefix
+ * @param {boolean} params.isLast
+ * @param {Set<string>} params.visited
+ * @param {number} params.depth
+ * @param {number|undefined} params.maxDepth
+ * @param {string[]} params.lines
+ */
+function renderTreeNode({ nodeId, childMap, propsMap, propKeys, prefix, isLast, visited, depth, maxDepth, lines }) {
+  const connector = depth === 0 ? '' : (isLast ? '\u2514\u2500\u2500 ' : '\u251C\u2500\u2500 ');
+  const annotation = formatAnnotation(propsMap.get(nodeId) || {}, propKeys);
+  lines.push(`${prefix}${connector}${nodeId}${annotation}`);
+
+  if (visited.has(nodeId)) {
+    lines.push(`${prefix}${isLast ? '    ' : '\u2502   '}  (cycle)`);
+    return;
+  }
+  visited.add(nodeId);
+
+  if (maxDepth !== undefined && depth >= maxDepth) {
+    const kids = childMap.get(nodeId);
+    if (kids && kids.length > 0) {
+      lines.push(`${prefix}${isLast ? '    ' : '\u2502   '}  ... (${kids.length} children)`);
+    }
+    return;
+  }
+
+  const kids = childMap.get(nodeId) || [];
+  const childPrefix = depth === 0 ? '' : `${prefix}${isLast ? '    ' : '\u2502   '}`;
+  for (let i = 0; i < kids.length; i++) {
+    renderTreeNode({
+      nodeId: kids[i].id,
+      childMap,
+      propsMap,
+      propKeys,
+      prefix: childPrefix,
+      isLast: i === kids.length - 1,
+      visited,
+      depth: depth + 1,
+      maxDepth,
+      lines,
+    });
+  }
+}
+
+/**
+ * Handles the `tree` command: ASCII tree output from graph edges.
+ * @param {{options: CliOptions, args: string[]}} params
+ * @returns {Promise<{payload: unknown, exitCode: number}>}
+ */
+export default async function handleTree({ options, args }) {
+  const { values, positionals } = parseCommandArgs(
+    args, TREE_OPTIONS, treeSchema, { allowPositionals: true },
+  );
+  const { graph, graphName, persistence } = await openGraph(options);
+  const cursorInfo = await applyCursorCeiling(graph, persistence, graphName);
+  emitCursorWarning(cursorInfo, null);
+
+  const queryResult = await graph.query().run();
+  const edges = await graph.getEdges();
+  const rootArg = positionals[0] || null;
+
+  const nodeIds = queryResult.nodes.map((/** @type {{id: string}} */ n) => n.id);
+  const propsMap = new Map(queryResult.nodes.map((/** @type {{id: string, props?: Record<string, unknown>}} */ n) => [n.id, n.props || {}]));
+  const childMap = buildChildMap(edges, values.edgeLabel);
+
+  const roots = rootArg ? [rootArg] : findRoots(nodeIds, edges, values.edgeLabel);
+
+  if (rootArg && !nodeIds.includes(rootArg)) {
+    throw usageError(`Node not found: ${rootArg}`);
+  }
+
+  /** @type {string[]} */
+  const lines = [];
+  for (const root of roots) {
+    renderTreeNode({
+      nodeId: root,
+      childMap,
+      propsMap,
+      propKeys: values.props,
+      prefix: '',
+      isLast: true,
+      visited: new Set(),
+      depth: 0,
+      maxDepth: values.maxDepth,
+      lines,
+    });
+  }
+
+  // Collect orphans (nodes not reachable from any root)
+  const reachable = new Set();
+  collectReachable(roots, childMap, reachable);
+  const orphans = nodeIds.filter((/** @type {string} */ id) => !reachable.has(id));
+
+  const payload = {
+    graph: graphName,
+    roots,
+    tree: lines.join('\n'),
+    orphanCount: orphans.length,
+    orphans: orphans.length > 0 ? orphans : undefined,
+  };
+
+  return { payload, exitCode: EXIT_CODES.OK };
+}
+
+/**
+ * Collects all reachable node IDs via DFS.
+ * @param {string[]} roots
+ * @param {Map<string, Array<{id: string, label: string}>>} childMap
+ * @param {Set<string>} reachable
+ */
+function collectReachable(roots, childMap, reachable) {
+  const stack = [...roots];
+  while (stack.length > 0) {
+    const id = /** @type {string} */ (stack.pop());
+    if (reachable.has(id)) {
+      continue;
+    }
+    reachable.add(id);
+    const kids = childMap.get(id) || [];
+    for (const kid of kids) {
+      stack.push(kid.id);
+    }
+  }
+}

package/bin/cli/commands/trust.js

@@ -0,0 +1,154 @@
+/**
+ * CLI handler for `git warp trust`.
+ *
+ * Evaluates writer trust status against signed evidence in the trust
+ * record chain. Returns a TrustAssessment payload.
+ *
+ * @module cli/commands/trust
+ */
+
+import { EXIT_CODES, parseCommandArgs, getEnvVar } from '../infrastructure.js';
+import { trustSchema } from '../schemas.js';
+import { createPersistence, resolveGraphName } from '../shared.js';
+import defaultCodec from '../../../src/domain/utils/defaultCodec.js';
+import { TrustRecordService } from '../../../src/domain/trust/TrustRecordService.js';
+import { buildState } from '../../../src/domain/trust/TrustStateBuilder.js';
+import { evaluateWriters } from '../../../src/domain/trust/TrustEvaluator.js';
+
+/** @typedef {import('../types.js').CliOptions} CliOptions */
+
+const TRUST_OPTIONS = {
+  mode: { type: 'string' },
+  'trust-pin': { type: 'string' },
+};
+
+/**
+ * @param {string[]} args
+ * @returns {{ mode: string|null, trustPin: string|null }}
+ */
+export function parseTrustArgs(args) {
+  const { values } = parseCommandArgs(args, TRUST_OPTIONS, trustSchema);
+  return values;
+}
+
+/**
+ * Resolves the trust pin from CLI flag → env → live ref.
+ * @param {string|null} cliPin
+ * @returns {{pin: string|null, source: string, sourceDetail: string|null, status: string}}
+ */
+function resolveTrustPin(cliPin) {
+  if (cliPin) {
+    return { pin: cliPin, source: 'cli_pin', sourceDetail: cliPin, status: 'pinned' };
+  }
+  const envPin = getEnvVar('WARP_TRUST_PIN');
+  if (envPin) {
+    return { pin: envPin, source: 'env_pin', sourceDetail: envPin, status: 'pinned' };
+  }
+  return { pin: null, source: 'ref', sourceDetail: null, status: 'configured' };
+}
+
+/**
+ * Discovers all writer IDs from the writers prefix refs.
+ * @param {import('../types.js').Persistence} persistence
+ * @param {string} graphName
+ * @returns {Promise<string[]>}
+ */
+async function discoverWriterIds(persistence, graphName) {
+  const prefix = `refs/warp/${graphName}/writers/`;
+  const refs = await persistence.listRefs(prefix);
+  return refs
+    .map((/** @type {string} */ ref) => ref.slice(prefix.length))
+    .filter((/** @type {string} */ id) => id.length > 0)
+    .sort();
+}
+
+/**
+ * Builds a not_configured assessment when no trust records exist.
+ * @param {string} graphName
+ * @returns {{payload: *, exitCode: number}}
+ */
+function buildNotConfiguredResult(graphName) {
+  return {
+    payload: {
+      graph: graphName,
+      trustSchemaVersion: 1,
+      mode: 'signed_evidence_v1',
+      trustVerdict: 'not_configured',
+      trust: {
+        status: 'not_configured',
+        source: 'none',
+        sourceDetail: null,
+        evaluatedWriters: [],
+        untrustedWriters: [],
+        explanations: [],
+        evidenceSummary: {
+          recordsScanned: 0,
+          activeKeys: 0,
+          revokedKeys: 0,
+          activeBindings: 0,
+          revokedBindings: 0,
+        },
+      },
+    },
+    exitCode: EXIT_CODES.OK,
+  };
+}
+
+/**
+ * @param {{options: CliOptions, args: string[]}} params
+ * @returns {Promise<{payload: unknown, exitCode: number}>}
+ */
+export default async function handleTrust({ options, args }) {
+  const { mode, trustPin } = parseTrustArgs(args);
+  const { persistence } = await createPersistence(options.repo);
+  const graphName = await resolveGraphName(persistence, options.graph);
+
+  const recordService = new TrustRecordService({
+    persistence: /** @type {import('../../../src/domain/types/WarpPersistence.js').CorePersistence} */ (/** @type {unknown} */ (persistence)),
+    codec: defaultCodec,
+  });
+
+  // Resolve pin (determines source + status)
+  const { pin, source, sourceDetail, status } = resolveTrustPin(trustPin);
+
+  // Read trust records
+  const records = await recordService.readRecords(graphName, pin ? { tip: pin } : {});
+
+  if (records.length === 0) {
+    return buildNotConfiguredResult(graphName);
+  }
+
+  // Build trust state
+  const trustState = buildState(records);
+
+  // Discover writers
+  const writerIds = await discoverWriterIds(persistence, graphName);
+
+  // Build policy
+  const policy = {
+    schemaVersion: 1,
+    mode: mode ?? 'warn',
+    writerPolicy: 'all_writers_must_be_trusted',
+  };
+
+  // Evaluate
+  const assessment = evaluateWriters(writerIds, trustState, policy);
+
+  // Override source/status from pin resolution (evaluator sets defaults)
+  const payload = {
+    graph: graphName,
+    ...assessment,
+    trust: {
+      ...assessment.trust,
+      status,
+      source,
+      sourceDetail,
+    },
+  };
+
+  const exitCode = assessment.trustVerdict === 'fail' && (mode === 'enforce')
+    ? EXIT_CODES.TRUST_FAIL
+    : EXIT_CODES.OK;
+
+  return { payload, exitCode };
+}

package/bin/cli/commands/verify-audit.js

@@ -0,0 +1,114 @@
+import { AuditVerifierService } from '../../../src/domain/services/AuditVerifierService.js';
+import defaultCodec from '../../../src/domain/utils/defaultCodec.js';
+import { EXIT_CODES, parseCommandArgs, getEnvVar } from '../infrastructure.js';
+import { verifyAuditSchema } from '../schemas.js';
+import { createPersistence, resolveGraphName } from '../shared.js';
+
+/** @typedef {import('../types.js').CliOptions} CliOptions */
+
+/**
+ * Detects trust configuration from environment and returns a structured warning.
+ * Domain services never read process.env — detection happens at the CLI boundary.
+ * @returns {{ code: string, message: string, sources: string[] } | null}
+ */
+function detectTrustWarning() {
+  const sources = [];
+  if (getEnvVar('WARP_TRUSTED_ROOT')) {
+    sources.push('env');
+  }
+  if (sources.length === 0) {
+    return null;
+  }
+  return {
+    code: 'TRUST_CONFIG_PRESENT_UNENFORCED',
+    message: 'Trust root configured but signature verification is not implemented in v1',
+    sources,
+  };
+}
+
+const VERIFY_AUDIT_OPTIONS = {
+  since: { type: 'string' },
+  writer: { type: 'string' },
+  'trust-mode': { type: 'string' },
+  'trust-pin': { type: 'string' },
+};
+
+/** @param {string[]} args */
+export function parseVerifyAuditArgs(args) {
+  const { values } = parseCommandArgs(args, VERIFY_AUDIT_OPTIONS, verifyAuditSchema);
+  return {
+    since: values.since,
+    writerFilter: values.writer,
+    trustMode: values['trust-mode'],
+    trustPin: values['trust-pin'],
+  };
+}
+
+/**
+ * @param {{options: CliOptions, args: string[]}} params
+ * @returns {Promise<{payload: unknown, exitCode: number}>}
+ */
+export default async function handleVerifyAudit({ options, args }) {
+  const { since, writerFilter, trustMode, trustPin } = parseVerifyAuditArgs(args);
+  const { persistence } = await createPersistence(options.repo);
+  const graphName = await resolveGraphName(persistence, options.graph);
+  const verifier = new AuditVerifierService({
+    persistence: /** @type {import('../../../src/domain/types/WarpPersistence.js').CorePersistence} */ (/** @type {unknown} */ (persistence)),
+    codec: defaultCodec,
+  });
+
+  const trustWarning = detectTrustWarning();
+
+  /** @type {Record<string, unknown>} */
+  let payload;
+  if (writerFilter !== undefined) {
+    const chain = await verifier.verifyChain(graphName, writerFilter, { since });
+    const invalid = chain.status !== 'VALID' && chain.status !== 'PARTIAL' ? 1 : 0;
+    payload = {
+      graph: graphName,
+      verifiedAt: new Date().toISOString(),
+      summary: {
+        total: 1,
+        valid: chain.status === 'VALID' ? 1 : 0,
+        partial: chain.status === 'PARTIAL' ? 1 : 0,
+        invalid,
+      },
+      chains: [chain],
+      trustWarning,
+    };
+  } else {
+    payload = await verifier.verifyAll(graphName, { since, trustWarning });
+  }
+
+  // Attach trust assessment only when explicitly requested via --trust-mode
+  if (trustMode) {
+    try {
+      const trustAssessment = await verifier.evaluateTrust(graphName, {
+        pin: trustPin,
+        mode: trustMode,
+      });
+      payload.trustAssessment = trustAssessment;
+    } catch (err) {
+      if (trustMode === 'enforce') {
+        throw err;
+      }
+      payload.trustAssessment = {
+        trustSchemaVersion: 1,
+        mode: 'signed_evidence_v1',
+        trustVerdict: 'error',
+        error: err instanceof Error ? err.message : 'Trust evaluation failed',
+      };
+    }
+  }
+
+  const { summary, trustAssessment } = /** @type {{summary: {invalid: number}, trustAssessment?: {trustVerdict?: string}}} */ (payload);
+  const hasInvalid = summary.invalid > 0;
+  const trustFailed = trustMode === 'enforce' &&
+    trustAssessment?.trustVerdict === 'fail';
+  return {
+    payload,
+    exitCode: trustFailed ? EXIT_CODES.TRUST_FAIL
+      : hasInvalid ? EXIT_CODES.INTERNAL
+        : EXIT_CODES.OK,
+  };
+}

package/bin/cli/commands/view.js

@@ -0,0 +1,46 @@
+import process from 'node:process';
+import { parseCommandArgs, usageError } from '../infrastructure.js';
+import { viewSchema } from '../schemas.js';
+
+/** @typedef {import('../types.js').CliOptions} CliOptions */
+
+const VIEW_OPTIONS = {
+  list: { type: 'boolean', default: false },
+  log: { type: 'boolean', default: false },
+};
+
+/**
+ * @param {{options: CliOptions, args: string[]}} params
+ * @returns {Promise<{payload: unknown, exitCode: number}>}
+ */
+export default async function handleView({ options, args }) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw usageError('view command requires an interactive terminal (TTY)');
+  }
+
+  const { values, positionals } = parseCommandArgs(args, VIEW_OPTIONS, viewSchema, { allowPositionals: true });
+  const viewMode = values.log || positionals[0] === 'log' ? 'log' : 'list';
+
+  try {
+    // @ts-expect-error — optional peer dependency, may not be installed
+    const { startTui } = await import('@git-stunts/git-warp-tui');
+    await startTui({
+      repo: options.repo || '.',
+      graph: options.graph || 'default',
+      mode: viewMode,
+    });
+  } catch (err) {
+    const errObj = /** @type {{code?: string, message?: string, specifier?: string}} */ (typeof err === 'object' && err !== null ? err : {});
+    const isMissing = errObj.code === 'ERR_MODULE_NOT_FOUND' || (errObj.message && errObj.message.includes('Cannot find module'));
+    const isTui = errObj.specifier?.includes('git-warp-tui') ||
+      /cannot find (?:package|module) ['"]@git-stunts\/git-warp-tui/i.test(errObj.message || '');
+    if (isMissing && isTui) {
+      throw usageError(
+        'Interactive TUI requires @git-stunts/git-warp-tui.\n' +
+        '  Install with: npm install -g @git-stunts/git-warp-tui',
+      );
+    }
+    throw err;
+  }
+  return { payload: undefined, exitCode: 0 };
+}