@modelstatus/cli 0.1.34 → 0.1.36

package/src/sources/scan-worker.js

@@ -0,0 +1,148 @@
+/* TRUE BACKGROUND SCAN — CHILD (worker) side.
+ *
+ * Runs inside a self-re-exec'd OS process: the parent spawns `process.execPath`
+ * with the hidden `__mm_scan_worker` sentinel as argv[2] (see src/index.js top
+ * dispatch + src/sources/scan-process.js). This module is dynamic-imported by
+ * that dispatch, so it pulls in ONLY filesystem.js + detect/core + registry
+ * (NO ink, NO upload, NO auth, NO telemetry, NO updater) — the worker's stdout
+ * must be PURE NDJSON.
+ *
+ * Protocol: one JSON object per line, newline-terminated, FLUSHED. Tags:
+ *   {t:"prog", filesScanned, dirsSeen, catalogsSkipped, currentDir}
+ *   {t:"cand", candidate}
+ *   {t:"skip", path, distinct, catalogsSkipped}
+ *   {t:"done", candidates, filesScanned, dirsSeen, catalogsSkipped, scannedAt}
+ *   {t:"err",  message}
+ *
+ * Lifecycle: SIGTERM -> AbortController.abort() (clean stop). SIGSTOP/SIGCONT
+ * are handled by the OS (pause/resume) and need no listener. The terminal
+ * done/err line is flushed by deferring process.exit into the write callback,
+ * so the parent never loses the final line on exit.
+ */
+import fs from "node:fs";
+import { scanFilesystemStreaming } from "./filesystem.js";
+import { compilePatterns } from "../detect/core.js";
+import { getRegistry } from "../registry/fetch.js";
+
+/** Parse the worker's own argv (process.argv.slice(3)) — light, no parseArgs dep. */
+function parseWorkerArgs(args) {
+  const out = { root: process.cwd(), exclude: [], registryCache: null };
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "--root") out.root = args[++i];
+    else if (a === "--exclude") out.exclude = (args[++i] || "").split(",").filter(Boolean);
+    else if (a === "--registry-cache") out.registryCache = args[++i];
+  }
+  return out;
+}
+
+/** Flush-safe NDJSON writer. When `exitCode` is given, exit INSIDE the write
+ * callback so the final line is fully flushed to the pipe before we exit, and
+ * return a never-resolving Promise so the caller's `await` HANGS until that
+ * deferred process.exit fires — this prevents the top-level worker dispatch in
+ * index.js from falling through to main() (which would print HELP) between the
+ * promise resolving and the async exit landing. */
+function makeEmitter() {
+  return function emit(obj, exitCode) {
+    const line = JSON.stringify(obj) + "\n";
+    if (typeof exitCode === "number") {
+      // Defer exit until this write drains — guarantees done/err is delivered.
+      process.stdout.write(line, () => process.exit(exitCode));
+      return new Promise(() => {}); // hang forever; the write cb exits the proc
+    }
+    process.stdout.write(line);
+    return undefined;
+  };
+}
+
+/**
+ * Worker entrypoint. `args` is process.argv.slice(3). Never returns (process.exit).
+ */
+export async function runWorker(args) {
+  const emit = makeEmitter();
+  const { root, exclude, registryCache } = parseWorkerArgs(args);
+
+  // (1) Registry snapshot: prefer the parent's pre-fetched cache file (skips the
+  // network); else fetch + verify ourselves. On total failure (offline, no
+  // cache) emit one err line and exit 1.
+  let snapshot;
+  try {
+    if (registryCache) {
+      snapshot = JSON.parse(fs.readFileSync(registryCache, "utf8"));
+    } else {
+      snapshot = await getRegistry();
+    }
+  } catch (e) {
+    return emit({ t: "err", message: `registry unavailable: ${e?.message ?? e}` }, 1);
+  }
+
+  // (2) Compile detection patterns once.
+  let compiled;
+  try {
+    compiled = compilePatterns(snapshot.detection);
+  } catch (e) {
+    return emit({ t: "err", message: `bad registry snapshot: ${e?.message ?? e}` }, 1);
+  }
+
+  // (7) Abort: parent SIGTERM -> abort the walk so the kill stops cleanly.
+  const ac = new AbortController();
+  process.on("SIGTERM", () => ac.abort());
+
+  // (4) Run the streaming scan, mapping the engine RAW onEvent protocol to NDJSON.
+  // yieldBudgetMs Infinity (count-only): the worker is ALONE in its event loop —
+  // no foreground frame loop to keep ticking — so the walk runs as fast as it
+  // can; the setImmediate-every-40-files yield still fires often enough to flush
+  // stdout + service the abort signal.
+  // Track the latest counters so the `done` line carries accurate finals even
+  // when the last event before completion was a candidate (which has no counts).
+  let filesScanned = 0;
+  let dirsSeen = 0;
+  let catalogsSkipped = 0;
+  try {
+    const candidates = await scanFilesystemStreaming(
+      { root, signal: ac.signal, exclude, env: process.env.MM_ENV, yieldBudgetMs: Infinity },
+      compiled,
+      (ev) => {
+        switch (ev.type) {
+          case "dir":
+            // Fold into a prog line carrying only the running dir count.
+            dirsSeen = ev.dirsSeen;
+            emit({ t: "prog", dirsSeen: ev.dirsSeen });
+            break;
+          case "candidate":
+            emit({ t: "cand", candidate: ev.candidate });
+            break;
+          case "skip":
+            catalogsSkipped = ev.catalogsSkipped;
+            emit({ t: "skip", path: ev.path, distinct: ev.distinct, catalogsSkipped: ev.catalogsSkipped });
+            break;
+          case "progress":
+            filesScanned = ev.filesScanned;
+            dirsSeen = ev.dirsSeen;
+            catalogsSkipped = ev.catalogsSkipped;
+            emit({
+              t: "prog",
+              filesScanned: ev.filesScanned,
+              dirsSeen: ev.dirsSeen,
+              catalogsSkipped: ev.catalogsSkipped,
+              currentDir: ev.currentDir,
+            });
+            break;
+          default:
+            break;
+        }
+      },
+    );
+
+    // (5) Final summary rides the done line — the full Candidate[] so the parent
+    // seeds the Scan view without buffering every cand. Exit 0 in the write cb;
+    // await the hang so the dispatch never falls through to main().
+    await emit(
+      { t: "done", candidates, filesScanned, dirsSeen, catalogsSkipped, scannedAt: Date.now() },
+      0,
+    );
+  } catch (e) {
+    // Aborted walks resolve (return the partial set), so a throw here is real.
+    await emit({ t: "err", message: `${e?.message ?? e}` }, 1);
+  }
+}

package/src/sources/supabase-edge.js

@@ -0,0 +1,183 @@
+import fs from "node:fs";
+import path from "node:path";
+import { hasCmd, run } from "./shell.js";
+import { detectInLine } from "../detect/core.js";
+import { redactValue } from "../redact.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+/* Pure parsers (unit-tested). All command-output shape knowledge lives here so
+ * the source body stays a thin orchestration layer that's easy to reason about. */
+
+/** `supabase secrets list` → secret NAMES only. Handles both the table output
+ * (NAME | DIGEST) and `--output json` ([{name}]). We NEVER fetch secret values:
+ * a secret VALUE could never be a useful model id, and pulling it would be a
+ * needless exfiltration risk. NAMES alone let `detectInLine` flag a name like
+ * OPENAI_MODEL_OVERRIDE without ever touching a value. */
+export function parseSupabaseSecrets(stdout) {
+  const s = String(stdout || "").trim();
+  // JSON form first (`--output json`).
+  try {
+    const j = JSON.parse(s);
+    if (Array.isArray(j)) return j.map((x) => x.name || x.NAME).filter(Boolean);
+  } catch {
+    /* fall through to table parse */
+  }
+  const names = [];
+  for (const raw of s.split(/\r?\n/)) {
+    const line = raw.trim();
+    if (!line) continue;
+    if (/^name\b/i.test(line)) continue; // header row
+    if (/^[-\s|]+$/.test(line)) continue; // separator rule
+    const name = line
+      .split(/\s{2,}|\t|\s\|\s|\|/)
+      .map((c) => c.trim())
+      .filter(Boolean)[0];
+    if (name && /^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) names.push(name);
+  }
+  return names;
+}
+
+/** `supabase functions list` → edge-function slugs. Handles `--output json`
+ * ([{ name|slug }]) and the table output (header SLUG/NAME, then one per row). */
+export function parseFunctionList(stdout) {
+  const s = String(stdout || "").trim();
+  if (!s) return [];
+  try {
+    const j = JSON.parse(s);
+    if (Array.isArray(j)) return j.map((x) => x.slug || x.name || x.SLUG || x.NAME).filter(Boolean);
+  } catch {
+    /* fall through to table parse */
+  }
+  const slugs = [];
+  for (const raw of s.split(/\r?\n/)) {
+    const line = raw.trim();
+    if (!line) continue;
+    if (/^(slug|name|id)\b/i.test(line)) continue; // header row
+    if (/^[-\s|]+$/.test(line)) continue; // separator rule
+    const first = line
+      .split(/\s{2,}|\t|\s\|\s|\|/)
+      .map((c) => c.trim())
+      .filter(Boolean)[0];
+    // Edge-function slugs are url-safe: letters, digits, hyphens, underscores.
+    if (first && /^[A-Za-z0-9][A-Za-z0-9_-]*$/.test(first)) slugs.push(first);
+  }
+  return slugs;
+}
+
+/** Line-scan one edge-function source body → Candidates. Pure: takes text +
+ * locatorBase + compiled (+ optional env override), returns candidates with a
+ * #L<n> locator and a redacted, 160-capped snippet. detectInLine returns a Set,
+ * iterated with for…of (not .length). The snippet is redactValue'd FIRST then
+ * sliced so a secret straddling the 160-char boundary can't leak a half-token. */
+export function scanFunctionBody(text, locatorBase, compiled, env) {
+  const out = [];
+  const seen = new Set();
+  String(text || "")
+    .split(/\r?\n/)
+    .forEach((line, i) => {
+      for (const model_string of detectInLine(line, compiled)) {
+        const locator = `${locatorBase}#L${i + 1}`;
+        const key = `${model_string}|${locator}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        out.push({
+          model_string,
+          source_type: "supabase-edge",
+          location_label: locator,
+          source_path: locator,
+          source_line: i + 1,
+          environment: env || "unknown",
+          snippet: redactValue(line.trim()).slice(0, 160),
+        });
+      }
+    });
+  return out;
+}
+
+/** Supabase Edge Functions + secrets. LIVE integration: gated on the enabled
+ * toggle AND the `supabase` CLI (see sources/index.js's gate). Two surfaces, both
+ * through the redaction funnel:
+ *   (a) `supabase secrets list` → secret NAME-only entries (empty value, so no
+ *       value can ever leak) → scanConfigEntries.
+ *   (b) LOCAL edge-function source under <root>/supabase/functions, line-scanned
+ *       via detectInLine. We read the LOCAL repo (the same model as the
+ *       filesystem source) — we never `supabase functions download`, so no fetched
+ *       code is written to disk and the scan stays fully testable.
+ *
+ * available() is satisfied by the `supabase` CLI on PATH OR a SUPABASE_ACCESS_TOKEN
+ * in the environment (the token authenticates the CLI / Management API; the local
+ * function-body scan needs neither). opts: { root, supabaseProjectRef, env }. */
+export const supabaseEdgeSource = {
+  id: "supabase-edge",
+  label: "Supabase Edge Functions + secrets",
+  kind: "cli",
+  integration: true,
+  envTag: "unknown",
+  async available() {
+    return hasCmd("supabase") || !!process.env.SUPABASE_ACCESS_TOKEN;
+  },
+  /** Read-only identity probe (MAY spawn). Used by the TUI "test" key + verbose
+   * `mm sources`, NOT by the hot collect path. */
+  async authState() {
+    if (!hasCmd("supabase")) {
+      return {
+        connected: !!process.env.SUPABASE_ACCESS_TOKEN,
+        mode: "token",
+        reason: process.env.SUPABASE_ACCESS_TOKEN ? undefined : "supabase CLI not installed",
+      };
+    }
+    const r = await run("supabase", ["projects", "list"]);
+    if (!r.ok) return { connected: false, mode: "projects-list", reason: (r.stderr || "not authenticated").split("\n")[0] };
+    return { connected: true, mode: "projects-list" };
+  },
+  async collect(opts, compiled) {
+    const ref = opts?.supabaseProjectRef || "local";
+    const out = [];
+
+    // (a) Secret NAMES only (never values). Requires the CLI; skipped gracefully
+    // when only a token is present (no shell to list through).
+    if (hasCmd("supabase")) {
+      const refArg = opts?.supabaseProjectRef ? ["--project-ref", opts.supabaseProjectRef] : [];
+      const secrets = await run("supabase", ["secrets", "list", ...refArg]);
+      if (secrets.ok) {
+        for (const name of parseSupabaseSecrets(secrets.stdout)) {
+          // NAME as the entry key, EMPTY value → detectInLine runs on the name
+          // only; there is no value to leak.
+          const entries = entriesFromKV(name, "", `supabase-edge://${ref}/secrets#${name}`, ref);
+          out.push(...scanConfigEntries(entries, compiled, { sourceType: "supabase-edge", env: opts?.env }));
+        }
+      }
+    }
+
+    // (b) LOCAL edge-function source bodies (no network download → testable, no
+    // disk-write of fetched code). Walk <root>/supabase/functions one level deep.
+    const fnDir = path.join(opts?.root || ".", "supabase", "functions");
+    let slugs = [];
+    try {
+      slugs = fs
+        .readdirSync(fnDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name);
+    } catch {
+      /* no local functions dir — secrets-only is fine */
+    }
+    for (const slug of slugs) {
+      let files = [];
+      try {
+        files = fs.readdirSync(path.join(fnDir, slug)).filter((f) => /\.(ts|js|tsx|jsx|mjs)$/.test(f));
+      } catch {
+        continue;
+      }
+      for (const f of files) {
+        let text;
+        try {
+          text = fs.readFileSync(path.join(fnDir, slug, f), "utf8");
+        } catch {
+          continue;
+        }
+        out.push(...scanFunctionBody(text, `supabase-edge://${ref}/${slug}/${f}`, compiled, opts?.env));
+      }
+    }
+    return out;
+  },
+};

package/src/sources/supabase.js

@@ -0,0 +1,5 @@
+/** Compatibility shim. The canonical implementation now lives in
+ * sources/supabase-edge.js (matching the source id and the integration design).
+ * This file re-exports it so the registration in sources/index.js and existing
+ * imports keep resolving to ONE implementation with no behavior change. */
+export { supabaseEdgeSource, parseSupabaseSecrets, parseFunctionList, scanFunctionBody } from "./supabase-edge.js";

package/src/sources/vercel.js

@@ -0,0 +1,74 @@
+import { hasCmd, run } from "./shell.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+/** Deployment TARGET → environment. The target is AUTHORITATIVE (Vercel tells us
+ * exactly where an env var deploys), so it's mapped straight through and passed as
+ * the explicit env to scanConfigEntries — never guessed, and it overrides both the
+ * integration's declared envTag AND any global --env. */
+const TARGET_ENV = { production: "prod", preview: "staging", development: "dev" };
+
+/* Pure parser (unit-tested). Parses the `vercel env ls` table into NAME + target
+ * rows. We pull NAMES ONLY (never values) so no secret can leak — a model id in a
+ * Vercel env var lives in the NAME (e.g. OPENAI_MODEL), and the value of a model
+ * env var is rarely a registry id and never worth a secret-on-disk risk. */
+export function parseVercelEnvLs(stdout) {
+  const rows = [];
+  const lines = String(stdout || "").split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line) continue;
+    // Skip the header + any framing/prefix lines (no env-var name there).
+    if (/^(name\b|vercel cli|>|environment variables|retrieving)/i.test(line)) continue;
+    // Columns are whitespace-separated: NAME  VALUE(encrypted)  ENVIRONMENTS  …
+    const cols = line.split(/\s{2,}|\t/).map((c) => c.trim()).filter(Boolean);
+    if (!cols.length) continue;
+    const name = cols[0];
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) continue; // looks like an env-var name
+    // The environments column names one of production/preview/development.
+    const joined = cols.join(" ").toLowerCase();
+    const target = ["production", "preview", "development"].find((t) => joined.includes(t)) || "";
+    rows.push({ name, target });
+  }
+  return rows;
+}
+
+/** Vercel project env. LIVE integration: gated on the enabled toggle AND the
+ * `vercel` CLI being present (or a VERCEL_TOKEN in the env — the CLI auto-picks
+ * it up for non-interactive auth). Lists env-var NAMES only via `vercel env ls`
+ * (NEVER `vercel env pull` — that would write plaintext secrets to disk).
+ * opts: { vercelProject, vercelTeam }. */
+export const vercelSource = {
+  id: "vercel",
+  label: "Vercel project env",
+  kind: "cli",
+  integration: true,
+  envTag: "unknown",
+  async available() {
+    return hasCmd("vercel") || !!process.env.VERCEL_TOKEN;
+  },
+  async authState() {
+    const r = await run("vercel", ["whoami"]);
+    if (!r.ok) return { connected: false, mode: "whoami", reason: (r.stderr || "not logged in").split("\n")[0] };
+    return { connected: true, mode: "whoami", account: r.stdout.trim().split("\n").pop() };
+  },
+  async collect(opts, compiled) {
+    const scope = opts?.vercelTeam ? ["--scope", opts.vercelTeam] : [];
+    const project = opts?.vercelProject || "default";
+    const out = [];
+    // One pull per target so the env is authoritative + per-row correct. We ask
+    // for NAMES only; `vercel env ls <target>` prints the table without values.
+    for (const target of ["production", "preview", "development"]) {
+      const r = await run("vercel", ["env", "ls", target, ...scope]);
+      if (!r.ok) continue;
+      for (const { name } of parseVercelEnvLs(r.stdout)) {
+        // NAME-only entry: empty value → detectInLine runs on the name only, no
+        // value to leak. The TARGET is the authoritative env (overrides everything).
+        const entries = entriesFromKV(name, "", `vercel://${project}/${target}#${name}`, target);
+        out.push(...scanConfigEntries(entries, compiled, { sourceType: "vercel", env: TARGET_ENV[target] }));
+      }
+    }
+    return out;
+  },
+};
+
+export { TARGET_ENV };

package/src/tui/app.js

@@ -15,6 +15,7 @@ import { WhatsNewView, meta as whatsnewMeta } from "./views/whatsnew.js";
 import { AddView, meta as addMeta } from "./views/add.js";
 import { AlertsView, meta as alertsMeta } from "./views/alerts.js";
 import { AccountView, meta as accountMeta } from "./views/account.js";
+import { IntegrationsView, meta as integrationsMeta } from "./views/integrations.js";
 import { SignIn } from "./signin.js";
 
 // `needsAuth: true` views show a sign-in card when there's no apiKey; Local +
@@ -27,9 +28,12 @@ const VIEWS = [
   { key: "add", label: "Add", title: "add", Comp: AddView, meta: addMeta, needsAuth: true },
   { key: "alerts", label: "Alerts", title: "alerts", Comp: AlertsView, meta: alertsMeta, needsAuth: true },
   { key: "account", label: "Account", title: "account", Comp: AccountView, meta: accountMeta, needsAuth: false },
+  // Sources toggle — local-first (needsAuth:false): the enabled set persists in
+  // integrations.json and drives `mm scan`; the web mirror is best-effort.
+  { key: "integrations", label: "Sources", title: "sources", Comp: IntegrationsView, meta: integrationsMeta, needsAuth: false },
 ];
 
-const GATE_KEYS = [{ k: "1-7", label: "switch" }, { k: "7", label: "sign in" }];
+const GATE_KEYS = [{ k: "1-8", label: "switch" }, { k: "7", label: "sign in" }];
 
 // Lines of chrome around the body (topRule, lights, tabs, blank, prompt, blank,
 // toast, status, keybar, bottomRule) — the body fills whatever rows remain.
@@ -215,7 +219,46 @@ function Bootstrap(props) {
   return h(App, { ...props, apiKey, onSignedIn: (k) => { track("signed_in"); setApiKey(k); } });
 }
 
+// Module-level controller so a view (the Scan tab) can UNMOUNT the whole Ink
+// tree, run the direct-ANSI game loop (which owns its own raw mode + alt screen),
+// then REMOUNT a fresh tree at a chosen tab. The game subprocess scan survives
+// the unmount because it's a separate OS process, independent of Ink's lifecycle.
+export const appController = {
+  _instance: null,
+  _opts: null,
+  /** Tear down the current Ink tree (releases raw mode + stdin listeners). */
+  unmount() {
+    try { this._instance && this._instance.unmount(); } catch { /* already gone */ }
+    this._instance = null;
+  },
+  /** Mount a fresh Ink tree, merging the base opts with `next` (e.g. a tab). */
+  remount(next = {}) {
+    const opts = { ...(this._opts || {}), ...next };
+    this._opts = opts;
+    this._instance = render(h(Bootstrap, opts));
+    return this._instance;
+  },
+};
+
 export function runApp(opts) {
+  appController._opts = opts;
   const app = render(h(Bootstrap, opts));
-  return app.waitUntilExit();
+  appController._instance = app;
+  // waitUntilExit resolves when the CURRENT instance unmounts. A Scan-tab game
+  // launch unmounts + remounts, which would resolve this early; so we re-arm on
+  // each remount and only resolve when an instance exits WITHOUT a pending
+  // remount (i.e. a real quit). The `_exiting` flag is set by a clean exit().
+  return new Promise((resolve) => {
+    const arm = (inst) => {
+      inst.waitUntilExit().then(() => {
+        // If a remount happened (a new instance is live and differs), keep waiting.
+        if (appController._instance && appController._instance !== inst) {
+          arm(appController._instance);
+        } else {
+          resolve();
+        }
+      });
+    };
+    arm(app);
+  });
 }

package/src/tui/game/DkGame.js

@@ -0,0 +1,21 @@
+/* RETIRED. The old Ink-overlay Donkey Kong (a React component running a useTick
+ * frame loop, mounted as an overlay inside ScanView) has been replaced by the
+ * direct-ANSI, Ink-free game:
+ *
+ *   - src/tui/game/loop.js   — 60Hz fixed-timestep loop (own raw mode + alt screen)
+ *   - src/tui/game/term.js   — double-buffered diff renderer (never clears mid-play)
+ *   - src/tui/game/input.js  — raw-stdin held-key model
+ *   - src/tui/game/dk-core.js— pure sub-cell fixed-point physics engine
+ *
+ * Reached via `mm play` (standalone) or the Scan-tab P key, which UNMOUNTS Ink,
+ * runs the loop, then REMOUNTS the TUI (see src/tui/views/scan.js launchGame +
+ * src/tui/app.js appController). This file is kept only as a tombstone — nothing
+ * imports it. It intentionally exports nothing and pulls in no dependencies.
+ *
+ * This file can be deleted outright; it is retained as a no-op so an accidental
+ * stale import fails loudly rather than resurrecting the old flicker-prone path.
+ */
+throw new Error(
+  "DkGame.js is retired — the Ink overlay game was replaced by the direct-ANSI loop " +
+    "(src/tui/game/loop.js). Use `mm play` or the Scan-tab P key. Do not import DkGame.js.",
+);