@nexural/factory 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,16 @@
+# @nexural/factory
+
+## 0.1.0
+
+Initial release — Phase 1 scope.
+
+- `loadRecipe(rawManifest, revocationList, options?)` — parse + revocation check (ADRs 0002, 0009)
+- `checkRevocation(name, version, list)` — direct revocation check
+- `buildLockfile(input)` — validated `ForgedLockfile` constructor (ADR-0006)
+- `runLicenseGate(sbom, commercialRestrictedOk?)` — fail forge on GPL/AGPL/BUSL/unknown (ADR-0006 §4)
+  - `ALLOWED_BY_DEFAULT`, `STRONG_COPYLEFT`, `COMMERCIAL_RESTRICTED` sets
+- `detectTyposquats(candidates, options?)` — Levenshtein-based typosquat detection (ADR-0009 §1.7)
+  - `HIGH_PRIORITY_PACKAGES` curated target list
+  - `levenshtein(a, b)` exported for direct use
+
+Deferred to Phase 5 (when recipes ship): cosign signature shell-out, template emission engine, op:// secret resolution, pre/post-emit hooks.

package/README.md

@@ -0,0 +1,41 @@
+# @nexural/factory
+
+Codegen engine for `nx forge`. Phase-1 scope: validation primitives + lockfile + safety gates.
+
+## What ships at v0.1.0
+
+- **`loadRecipe(raw, revocationList, options?)`** — parse a `recipe.yaml` against `RecipeManifest`, fail on revoked.
+- **`buildLockfile(input)`** — produces a schema-valid `.nexural/forged.lock.yaml` for emitted apps (ADR-0006 §1).
+- **`runLicenseGate(sbom, commercialRestrictedOk?)`** — fail forge on GPL/AGPL/BUSL/unknown license. Allowed by default: MIT, Apache-2.0, ISC, BSD, MPL-2.0, CC0, Unlicense, 0BSD.
+- **`detectTyposquats(candidates, options?)`** — Levenshtein distance check against `HIGH_PRIORITY_PACKAGES` (per ADR-0009 §1.7).
+- **`checkRevocation(name, version, list)`** — direct lookup against the revocation list (per ADR-0009 §1.6).
+
+## Deferred to Phase 5
+
+Template emission, cosign shell-out, op:// secret resolution, pre/post-emit hooks land when recipes themselves ship.
+
+## Usage outline (Phase 5 — illustrative)
+
+```ts
+import { loadRecipe, runLicenseGate, detectTyposquats, buildLockfile } from "@nexural/factory";
+
+// 1. Load + revocation check
+const { recipe } = loadRecipe(parsedYaml, revocationList);
+
+// 2. (cosign verify-attestation — outside this lib)
+// 3. (Generate SBOM via cyclonedx-npm — outside this lib)
+
+// 4. License gate
+const gate = runLicenseGate(sbom, recipe.commercial_restricted_ok);
+if (!gate.passed) throw new Error(`License gate failed: ${JSON.stringify(gate.failures)}`);
+
+// 5. Typosquat check
+const squats = detectTyposquats(sbom.map((s) => s.name));
+if (squats.length) throw new Error(`Typosquat suspects: ${JSON.stringify(squats)}`);
+
+// 6. Emit lockfile
+const lockfile = buildLockfile({
+  /* ... */
+});
+await writeFile(".nexural/forged.lock.yaml", yaml.dump(lockfile), "utf8");
+```

package/dist/index.d.ts

@@ -0,0 +1,145 @@
+import { RevokedRecipesList, ForgedLockfile, RecipeManifest } from '@nexural/schema';
+
+/**
+ * License composition gate per ADR-0006 §4.
+ *
+ * Forge fails if any direct or transitive dep is:
+ *   - Strong copyleft (GPL, AGPL, LGPL)
+ *   - Source-available commercial-restricted (BUSL, SSPL, Elastic-2.0)
+ *       UNLESS recipe explicitly opts in via `commercial_restricted_ok: true`
+ *   - Unknown license
+ */
+declare const ALLOWED_BY_DEFAULT: ReadonlySet<string>;
+declare const STRONG_COPYLEFT: ReadonlySet<string>;
+declare const COMMERCIAL_RESTRICTED: ReadonlySet<string>;
+interface SbomEntry {
+    readonly name: string;
+    readonly version: string;
+    readonly license: string | null;
+}
+type GateFailureCode = "strong_copyleft" | "commercial_restricted" | "unknown_license";
+interface GateFailure {
+    readonly package: string;
+    readonly version: string;
+    readonly license: string | null;
+    readonly code: GateFailureCode;
+}
+interface GateResult {
+    readonly passed: boolean;
+    readonly failures: ReadonlyArray<GateFailure>;
+}
+/**
+ * Run the license gate on a list of SBOM entries.
+ *
+ * @param sbom dep tree from cyclonedx-npm or equivalent
+ * @param commercialRestrictedOk if true, BUSL/SSPL/Elastic are accepted (per recipe declaration)
+ */
+declare function runLicenseGate(sbom: ReadonlyArray<SbomEntry>, commercialRestrictedOk?: boolean): GateResult;
+
+/**
+ * Typosquat detection per ADR-0009 §1.7.
+ *
+ * For each package in the to-be-emitted dep tree, compare against a known
+ * high-priority package list. If Levenshtein distance is small (1-2 chars),
+ * flag as suspicious.
+ *
+ * Recipes that legitimately depend on a similarly-named package opt in via
+ * explicit allowlist in recipe.yaml (out of scope here; consumed by `nx forge`).
+ */
+/**
+ * High-priority package names — common typosquat targets.
+ * Update as the ecosystem evolves; sourced from npm download statistics.
+ */
+declare const HIGH_PRIORITY_PACKAGES: ReadonlyArray<string>;
+/**
+ * Levenshtein distance (edit distance).
+ */
+declare function levenshtein(a: string, b: string): number;
+interface TyposquatHit {
+    readonly suspectName: string;
+    readonly knownTarget: string;
+    readonly distance: number;
+}
+/**
+ * Check each candidate name against the high-priority list.
+ * Returns hits where distance ≤ `maxDistance` AND names differ (exact matches excluded).
+ *
+ * Default maxDistance = 2 per ADR-0009 §1.7.
+ */
+declare function detectTyposquats(candidates: ReadonlyArray<string>, options?: {
+    readonly knownTargets?: ReadonlyArray<string>;
+    readonly maxDistance?: number;
+}): ReadonlyArray<TyposquatHit>;
+
+/**
+ * Recipe revocation check per ADR-0009 §1.6.
+ *
+ * `nx forge` consults `nexural-meta/security/revoked-recipes.yaml` before
+ * emitting. Revoked recipe + version → forge fails immediately.
+ */
+
+interface RevocationCheckResult {
+    readonly revoked: boolean;
+    readonly reason?: string;
+    readonly revokedAt?: string;
+    readonly ticket?: string;
+}
+/**
+ * Check whether a (name, version) pair is on the revocation list.
+ *
+ * Exact name AND exact version must match (per ADR-0009 — revocations are precise).
+ */
+declare function checkRevocation(recipeName: string, recipeVersion: string, list: RevokedRecipesList): RevocationCheckResult;
+
+/**
+ * Forged-app lockfile writer per ADR-0006 §1.
+ *
+ * Every `nx forge` writes `.nexural/forged.lock.yaml` in the emitted app.
+ * The lockfile pins recipe + warehouse SHAs, inputs, and SBOM hash.
+ * `nx upgrade` reads this file to compute clean diffs.
+ */
+
+/**
+ * Build (but don't write to disk) a forged lockfile.
+ * Validates the result against the schema.
+ */
+declare function buildLockfile(input: {
+    forgedByNxVersion: string;
+    recipe: ForgedLockfile["recipe"];
+    warehousesConsumed: ForgedLockfile["warehouses_consumed"];
+    inputs: Record<string, unknown>;
+    modelFamiliesUsed: ReadonlyArray<string>;
+    sbomHash: string;
+    forgedAtMs?: number;
+}): ForgedLockfile;
+
+/**
+ * Recipe manifest loader per ADRs 0002, 0006.
+ *
+ * Parses `recipe.yaml` against RecipeManifest schema.
+ * Verifies the recipe is NOT in the revocation list.
+ * (Signature verification happens via `cosign` shell-out — that is the
+ *  responsibility of the `nx forge` command, not this library.)
+ */
+
+interface LoadResult {
+    readonly recipe: RecipeManifest;
+    readonly revocation: RevocationCheckResult;
+}
+type LoadError = {
+    readonly code: "parse_error";
+    readonly message: string;
+} | {
+    readonly code: "revoked";
+    readonly revocation: RevocationCheckResult;
+};
+/**
+ * Parse + check revocation. Throws on parse error or revocation.
+ *
+ * Pass `{ allowRevoked: true }` to bypass revocation check (audit-only consumers).
+ */
+declare function loadRecipe(rawManifest: unknown, revocationList: RevokedRecipesList, options?: {
+    allowRevoked?: boolean;
+}): LoadResult;
+
+export { ALLOWED_BY_DEFAULT, COMMERCIAL_RESTRICTED, type GateFailure, type GateFailureCode, type GateResult, HIGH_PRIORITY_PACKAGES, type LoadError, type LoadResult, type RevocationCheckResult, STRONG_COPYLEFT, type SbomEntry, type TyposquatHit, buildLockfile, checkRevocation, detectTyposquats, levenshtein, loadRecipe, runLicenseGate };

package/dist/index.js

@@ -0,0 +1,220 @@
+// src/license-gate.ts
+var ALLOWED_BY_DEFAULT = /* @__PURE__ */ new Set([
+  "MIT",
+  "Apache-2.0",
+  "ISC",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "MPL-2.0",
+  "CC0-1.0",
+  "Unlicense",
+  "0BSD"
+]);
+var STRONG_COPYLEFT = /* @__PURE__ */ new Set([
+  "GPL-2.0",
+  "GPL-2.0-only",
+  "GPL-2.0-or-later",
+  "GPL-3.0",
+  "GPL-3.0-only",
+  "GPL-3.0-or-later",
+  "AGPL-3.0",
+  "AGPL-3.0-only",
+  "AGPL-3.0-or-later",
+  "LGPL-2.1",
+  "LGPL-2.1-only",
+  "LGPL-2.1-or-later",
+  "LGPL-3.0",
+  "LGPL-3.0-only",
+  "LGPL-3.0-or-later"
+]);
+var COMMERCIAL_RESTRICTED = /* @__PURE__ */ new Set([
+  "BUSL-1.1",
+  "SSPL-1.0",
+  "Elastic-2.0"
+]);
+function runLicenseGate(sbom, commercialRestrictedOk = false) {
+  const failures = [];
+  for (const entry of sbom) {
+    if (entry.license === null) {
+      failures.push({
+        package: entry.name,
+        version: entry.version,
+        license: null,
+        code: "unknown_license"
+      });
+      continue;
+    }
+    if (STRONG_COPYLEFT.has(entry.license)) {
+      failures.push({
+        package: entry.name,
+        version: entry.version,
+        license: entry.license,
+        code: "strong_copyleft"
+      });
+      continue;
+    }
+    if (COMMERCIAL_RESTRICTED.has(entry.license) && !commercialRestrictedOk) {
+      failures.push({
+        package: entry.name,
+        version: entry.version,
+        license: entry.license,
+        code: "commercial_restricted"
+      });
+      continue;
+    }
+    if (!ALLOWED_BY_DEFAULT.has(entry.license) && !COMMERCIAL_RESTRICTED.has(entry.license)) {
+      failures.push({
+        package: entry.name,
+        version: entry.version,
+        license: entry.license,
+        code: "unknown_license"
+      });
+    }
+  }
+  return { passed: failures.length === 0, failures };
+}
+
+// src/typosquat.ts
+var HIGH_PRIORITY_PACKAGES = [
+  // React ecosystem
+  "react",
+  "react-dom",
+  "react-router",
+  "react-router-dom",
+  // Next
+  "next",
+  // Vue / Svelte
+  "vue",
+  "svelte",
+  // Tooling
+  "vite",
+  "vitest",
+  "webpack",
+  "rollup",
+  "esbuild",
+  "typescript",
+  "tsup",
+  "turbo",
+  // Utils
+  "lodash",
+  "lodash-es",
+  "axios",
+  "node-fetch",
+  "zod",
+  "yup",
+  // Auth / data
+  "next-auth",
+  "stripe",
+  "@supabase/supabase-js",
+  // Email
+  "resend",
+  "nodemailer",
+  // LLM
+  "@anthropic-ai/sdk",
+  "openai",
+  // AWS / cloud
+  "aws-sdk",
+  "@aws-sdk/client-s3",
+  // Misc top packages
+  "express",
+  "cors",
+  "dotenv",
+  "uuid"
+];
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+  const prev = new Array(b.length + 1);
+  const curr = new Array(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= b.length; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min((curr[j - 1] ?? 0) + 1, (prev[j] ?? 0) + 1, (prev[j - 1] ?? 0) + cost);
+    }
+    for (let j = 0; j <= b.length; j++) prev[j] = curr[j] ?? 0;
+  }
+  return prev[b.length] ?? 0;
+}
+function detectTyposquats(candidates, options = {}) {
+  const known = options.knownTargets ?? HIGH_PRIORITY_PACKAGES;
+  const maxDist = options.maxDistance ?? 2;
+  const hits = [];
+  for (const suspect of candidates) {
+    for (const target of known) {
+      if (suspect === target) continue;
+      const dist = levenshtein(suspect, target);
+      if (dist > 0 && dist <= maxDist) {
+        hits.push({ suspectName: suspect, knownTarget: target, distance: dist });
+      }
+    }
+  }
+  return hits;
+}
+
+// src/revocation.ts
+function checkRevocation(recipeName, recipeVersion, list) {
+  for (const entry of list.entries) {
+    if (entry.recipe_name === recipeName && entry.recipe_version === recipeVersion) {
+      return {
+        revoked: true,
+        reason: entry.reason,
+        revokedAt: entry.revoked_at,
+        ...entry.ticket ? { ticket: entry.ticket } : {}
+      };
+    }
+  }
+  return { revoked: false };
+}
+
+// src/lockfile.ts
+import { ForgedLockfile as ForgedLockfileSchema } from "@nexural/schema";
+function buildLockfile(input) {
+  const forgedAt = new Date(input.forgedAtMs ?? Date.now()).toISOString();
+  const lockfile = {
+    schema_version: 1,
+    forged_at: forgedAt,
+    forged_by_nx_version: input.forgedByNxVersion,
+    recipe: input.recipe,
+    warehouses_consumed: [...input.warehousesConsumed],
+    inputs: input.inputs,
+    model_families_used: [...input.modelFamiliesUsed],
+    sbom_hash: input.sbomHash
+  };
+  return ForgedLockfileSchema.parse(lockfile);
+}
+
+// src/recipe-loader.ts
+import { RecipeManifest as RecipeManifestSchema } from "@nexural/schema";
+function loadRecipe(rawManifest, revocationList, options = {}) {
+  let recipe;
+  try {
+    recipe = RecipeManifestSchema.parse(rawManifest);
+  } catch (e) {
+    const message = e instanceof Error ? e.message : "invalid recipe manifest";
+    const err = { code: "parse_error", message };
+    throw Object.assign(new Error(message), { cause: err });
+  }
+  const revocation = checkRevocation(recipe.name, recipe.version, revocationList);
+  if (revocation.revoked && !options.allowRevoked) {
+    const message = `Recipe ${recipe.name}@${recipe.version} is revoked: ${revocation.reason ?? "unknown reason"}`;
+    const err = { code: "revoked", revocation };
+    throw Object.assign(new Error(message), { cause: err });
+  }
+  return { recipe, revocation };
+}
+export {
+  ALLOWED_BY_DEFAULT,
+  COMMERCIAL_RESTRICTED,
+  HIGH_PRIORITY_PACKAGES,
+  STRONG_COPYLEFT,
+  buildLockfile,
+  checkRevocation,
+  detectTyposquats,
+  levenshtein,
+  loadRecipe,
+  runLicenseGate
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/license-gate.ts","../src/typosquat.ts","../src/revocation.ts","../src/lockfile.ts","../src/recipe-loader.ts"],"sourcesContent":["/**\n * License composition gate per ADR-0006 §4.\n *\n * Forge fails if any direct or transitive dep is:\n *   - Strong copyleft (GPL, AGPL, LGPL)\n *   - Source-available commercial-restricted (BUSL, SSPL, Elastic-2.0)\n *       UNLESS recipe explicitly opts in via `commercial_restricted_ok: true`\n *   - Unknown license\n */\n\nexport const ALLOWED_BY_DEFAULT: ReadonlySet<string> = new Set([\n  \"MIT\",\n  \"Apache-2.0\",\n  \"ISC\",\n  \"BSD-2-Clause\",\n  \"BSD-3-Clause\",\n  \"MPL-2.0\",\n  \"CC0-1.0\",\n  \"Unlicense\",\n  \"0BSD\",\n]);\n\nexport const STRONG_COPYLEFT: ReadonlySet<string> = new Set([\n  \"GPL-2.0\",\n  \"GPL-2.0-only\",\n  \"GPL-2.0-or-later\",\n  \"GPL-3.0\",\n  \"GPL-3.0-only\",\n  \"GPL-3.0-or-later\",\n  \"AGPL-3.0\",\n  \"AGPL-3.0-only\",\n  \"AGPL-3.0-or-later\",\n  \"LGPL-2.1\",\n  \"LGPL-2.1-only\",\n  \"LGPL-2.1-or-later\",\n  \"LGPL-3.0\",\n  \"LGPL-3.0-only\",\n  \"LGPL-3.0-or-later\",\n]);\n\nexport const COMMERCIAL_RESTRICTED: ReadonlySet<string> = new Set([\n  \"BUSL-1.1\",\n  \"SSPL-1.0\",\n  \"Elastic-2.0\",\n]);\n\nexport interface SbomEntry {\n  readonly name: string;\n  readonly version: string;\n  readonly license: string | null;\n}\n\nexport type GateFailureCode = \"strong_copyleft\" | \"commercial_restricted\" | \"unknown_license\";\n\nexport interface GateFailure {\n  readonly package: string;\n  readonly version: string;\n  readonly license: string | null;\n  readonly code: GateFailureCode;\n}\n\nexport interface GateResult {\n  readonly passed: boolean;\n  readonly failures: ReadonlyArray<GateFailure>;\n}\n\n/**\n * Run the license gate on a list of SBOM entries.\n *\n * @param sbom dep tree from cyclonedx-npm or equivalent\n * @param commercialRestrictedOk if true, BUSL/SSPL/Elastic are accepted (per recipe declaration)\n */\nexport function runLicenseGate(\n  sbom: ReadonlyArray<SbomEntry>,\n  commercialRestrictedOk = false,\n): GateResult {\n  const failures: GateFailure[] = [];\n  for (const entry of sbom) {\n    if (entry.license === null) {\n      failures.push({\n        package: entry.name,\n        version: entry.version,\n        license: null,\n        code: \"unknown_license\",\n      });\n      continue;\n    }\n    if (STRONG_COPYLEFT.has(entry.license)) {\n      failures.push({\n        package: entry.name,\n        version: entry.version,\n        license: entry.license,\n        code: \"strong_copyleft\",\n      });\n      continue;\n    }\n    if (COMMERCIAL_RESTRICTED.has(entry.license) && !commercialRestrictedOk) {\n      failures.push({\n        package: entry.name,\n        version: entry.version,\n        license: entry.license,\n        code: \"commercial_restricted\",\n      });\n      continue;\n    }\n    // Unknown-but-not-banned licenses also fail — explicit allowlist only.\n    if (!ALLOWED_BY_DEFAULT.has(entry.license) && !COMMERCIAL_RESTRICTED.has(entry.license)) {\n      failures.push({\n        package: entry.name,\n        version: entry.version,\n        license: entry.license,\n        code: \"unknown_license\",\n      });\n    }\n  }\n  return { passed: failures.length === 0, failures };\n}\n","/**\n * Typosquat detection per ADR-0009 §1.7.\n *\n * For each package in the to-be-emitted dep tree, compare against a known\n * high-priority package list. If Levenshtein distance is small (1-2 chars),\n * flag as suspicious.\n *\n * Recipes that legitimately depend on a similarly-named package opt in via\n * explicit allowlist in recipe.yaml (out of scope here; consumed by `nx forge`).\n */\n\n/**\n * High-priority package names — common typosquat targets.\n * Update as the ecosystem evolves; sourced from npm download statistics.\n */\nexport const HIGH_PRIORITY_PACKAGES: ReadonlyArray<string> = [\n  // React ecosystem\n  \"react\",\n  \"react-dom\",\n  \"react-router\",\n  \"react-router-dom\",\n  // Next\n  \"next\",\n  // Vue / Svelte\n  \"vue\",\n  \"svelte\",\n  // Tooling\n  \"vite\",\n  \"vitest\",\n  \"webpack\",\n  \"rollup\",\n  \"esbuild\",\n  \"typescript\",\n  \"tsup\",\n  \"turbo\",\n  // Utils\n  \"lodash\",\n  \"lodash-es\",\n  \"axios\",\n  \"node-fetch\",\n  \"zod\",\n  \"yup\",\n  // Auth / data\n  \"next-auth\",\n  \"stripe\",\n  \"@supabase/supabase-js\",\n  // Email\n  \"resend\",\n  \"nodemailer\",\n  // LLM\n  \"@anthropic-ai/sdk\",\n  \"openai\",\n  // AWS / cloud\n  \"aws-sdk\",\n  \"@aws-sdk/client-s3\",\n  // Misc top packages\n  \"express\",\n  \"cors\",\n  \"dotenv\",\n  \"uuid\",\n];\n\n/**\n * Levenshtein distance (edit distance).\n */\nexport function levenshtein(a: string, b: string): number {\n  if (a === b) return 0;\n  if (a.length === 0) return b.length;\n  if (b.length === 0) return a.length;\n  const prev: number[] = new Array<number>(b.length + 1);\n  const curr: number[] = new Array<number>(b.length + 1);\n  for (let j = 0; j <= b.length; j++) prev[j] = j;\n  for (let i = 1; i <= a.length; i++) {\n    curr[0] = i;\n    for (let j = 1; j <= b.length; j++) {\n      const cost = a[i - 1] === b[j - 1] ? 0 : 1;\n      curr[j] = Math.min((curr[j - 1] ?? 0) + 1, (prev[j] ?? 0) + 1, (prev[j - 1] ?? 0) + cost);\n    }\n    for (let j = 0; j <= b.length; j++) prev[j] = curr[j] ?? 0;\n  }\n  return prev[b.length] ?? 0;\n}\n\nexport interface TyposquatHit {\n  readonly suspectName: string;\n  readonly knownTarget: string;\n  readonly distance: number;\n}\n\n/**\n * Check each candidate name against the high-priority list.\n * Returns hits where distance ≤ `maxDistance` AND names differ (exact matches excluded).\n *\n * Default maxDistance = 2 per ADR-0009 §1.7.\n */\nexport function detectTyposquats(\n  candidates: ReadonlyArray<string>,\n  options: {\n    readonly knownTargets?: ReadonlyArray<string>;\n    readonly maxDistance?: number;\n  } = {},\n): ReadonlyArray<TyposquatHit> {\n  const known = options.knownTargets ?? HIGH_PRIORITY_PACKAGES;\n  const maxDist = options.maxDistance ?? 2;\n  const hits: TyposquatHit[] = [];\n  for (const suspect of candidates) {\n    for (const target of known) {\n      if (suspect === target) continue; // exact match is fine\n      const dist = levenshtein(suspect, target);\n      if (dist > 0 && dist <= maxDist) {\n        hits.push({ suspectName: suspect, knownTarget: target, distance: dist });\n      }\n    }\n  }\n  return hits;\n}\n","/**\n * Recipe revocation check per ADR-0009 §1.6.\n *\n * `nx forge` consults `nexural-meta/security/revoked-recipes.yaml` before\n * emitting. Revoked recipe + version → forge fails immediately.\n */\n\nimport type { RevokedRecipesList } from \"@nexural/schema\";\n\nexport interface RevocationCheckResult {\n  readonly revoked: boolean;\n  readonly reason?: string;\n  readonly revokedAt?: string;\n  readonly ticket?: string;\n}\n\n/**\n * Check whether a (name, version) pair is on the revocation list.\n *\n * Exact name AND exact version must match (per ADR-0009 — revocations are precise).\n */\nexport function checkRevocation(\n  recipeName: string,\n  recipeVersion: string,\n  list: RevokedRecipesList,\n): RevocationCheckResult {\n  for (const entry of list.entries) {\n    if (entry.recipe_name === recipeName && entry.recipe_version === recipeVersion) {\n      return {\n        revoked: true,\n        reason: entry.reason,\n        revokedAt: entry.revoked_at,\n        ...(entry.ticket ? { ticket: entry.ticket } : {}),\n      };\n    }\n  }\n  return { revoked: false };\n}\n","/**\n * Forged-app lockfile writer per ADR-0006 §1.\n *\n * Every `nx forge` writes `.nexural/forged.lock.yaml` in the emitted app.\n * The lockfile pins recipe + warehouse SHAs, inputs, and SBOM hash.\n * `nx upgrade` reads this file to compute clean diffs.\n */\n\nimport type { ForgedLockfile } from \"@nexural/schema\";\nimport { ForgedLockfile as ForgedLockfileSchema } from \"@nexural/schema\";\n\n/**\n * Build (but don't write to disk) a forged lockfile.\n * Validates the result against the schema.\n */\nexport function buildLockfile(input: {\n  forgedByNxVersion: string;\n  recipe: ForgedLockfile[\"recipe\"];\n  warehousesConsumed: ForgedLockfile[\"warehouses_consumed\"];\n  inputs: Record<string, unknown>;\n  modelFamiliesUsed: ReadonlyArray<string>;\n  sbomHash: string;\n  forgedAtMs?: number;\n}): ForgedLockfile {\n  const forgedAt = new Date(input.forgedAtMs ?? Date.now()).toISOString();\n  const lockfile: ForgedLockfile = {\n    schema_version: 1,\n    forged_at: forgedAt,\n    forged_by_nx_version: input.forgedByNxVersion,\n    recipe: input.recipe,\n    warehouses_consumed: [...input.warehousesConsumed],\n    inputs: input.inputs,\n    model_families_used: [...input.modelFamiliesUsed],\n    sbom_hash: input.sbomHash,\n  };\n  // Re-parse to enforce schema invariants (and throw on misuse).\n  return ForgedLockfileSchema.parse(lockfile);\n}\n","/**\n * Recipe manifest loader per ADRs 0002, 0006.\n *\n * Parses `recipe.yaml` against RecipeManifest schema.\n * Verifies the recipe is NOT in the revocation list.\n * (Signature verification happens via `cosign` shell-out — that is the\n *  responsibility of the `nx forge` command, not this library.)\n */\n\nimport type { RecipeManifest, RevokedRecipesList } from \"@nexural/schema\";\nimport { RecipeManifest as RecipeManifestSchema } from \"@nexural/schema\";\nimport { checkRevocation, type RevocationCheckResult } from \"./revocation.js\";\n\nexport interface LoadResult {\n  readonly recipe: RecipeManifest;\n  readonly revocation: RevocationCheckResult;\n}\n\nexport type LoadError =\n  | { readonly code: \"parse_error\"; readonly message: string }\n  | { readonly code: \"revoked\"; readonly revocation: RevocationCheckResult };\n\n/**\n * Parse + check revocation. Throws on parse error or revocation.\n *\n * Pass `{ allowRevoked: true }` to bypass revocation check (audit-only consumers).\n */\nexport function loadRecipe(\n  rawManifest: unknown,\n  revocationList: RevokedRecipesList,\n  options: { allowRevoked?: boolean } = {},\n): LoadResult {\n  let recipe: RecipeManifest;\n  try {\n    recipe = RecipeManifestSchema.parse(rawManifest);\n  } catch (e) {\n    const message = e instanceof Error ? e.message : \"invalid recipe manifest\";\n    const err: LoadError = { code: \"parse_error\", message };\n    throw Object.assign(new Error(message), { cause: err });\n  }\n\n  const revocation = checkRevocation(recipe.name, recipe.version, revocationList);\n  if (revocation.revoked && !options.allowRevoked) {\n    const message = `Recipe ${recipe.name}@${recipe.version} is revoked: ${revocation.reason ?? \"unknown reason\"}`;\n    const err: LoadError = { code: \"revoked\", revocation };\n    throw Object.assign(new Error(message), { cause: err });\n  }\n  return { recipe, revocation };\n}\n"],"mappings":";AAUO,IAAM,qBAA0C,oBAAI,IAAI;AAAA,EAC7D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,kBAAuC,oBAAI,IAAI;AAAA,EAC1D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,wBAA6C,oBAAI,IAAI;AAAA,EAChE;AAAA,EACA;AAAA,EACA;AACF,CAAC;AA4BM,SAAS,eACd,MACA,yBAAyB,OACb;AACZ,QAAM,WAA0B,CAAC;AACjC,aAAW,SAAS,MAAM;AACxB,QAAI,MAAM,YAAY,MAAM;AAC1B,eAAS,KAAK;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,SAAS;AAAA,QACT,MAAM;AAAA,MACR,CAAC;AACD;AAAA,IACF;AACA,QAAI,gBAAgB,IAAI,MAAM,OAAO,GAAG;AACtC,eAAS,KAAK;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,MAAM;AAAA,MACR,CAAC;AACD;AAAA,IACF;AACA,QAAI,sBAAsB,IAAI,MAAM,OAAO,KAAK,CAAC,wBAAwB;AACvE,eAAS,KAAK;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,MAAM;AAAA,MACR,CAAC;AACD;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB,IAAI,MAAM,OAAO,KAAK,CAAC,sBAAsB,IAAI,MAAM,OAAO,GAAG;AACvF,eAAS,KAAK;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,SAAS,MAAM;AAAA,QACf,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO,EAAE,QAAQ,SAAS,WAAW,GAAG,SAAS;AACnD;;;ACrGO,IAAM,yBAAgD;AAAA;AAAA,EAE3D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKO,SAAS,YAAY,GAAW,GAAmB;AACxD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,EAAE,WAAW,EAAG,QAAO,EAAE;AAC7B,MAAI,EAAE,WAAW,EAAG,QAAO,EAAE;AAC7B,QAAM,OAAiB,IAAI,MAAc,EAAE,SAAS,CAAC;AACrD,QAAM,OAAiB,IAAI,MAAc,EAAE,SAAS,CAAC;AACrD,WAAS,IAAI,GAAG,KAAK,EAAE,QAAQ,IAAK,MAAK,CAAC,IAAI;AAC9C,WAAS,IAAI,GAAG,KAAK,EAAE,QAAQ,KAAK;AAClC,SAAK,CAAC,IAAI;AACV,aAAS,IAAI,GAAG,KAAK,EAAE,QAAQ,KAAK;AAClC,YAAM,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,IAAI;AACzC,WAAK,CAAC,IAAI,KAAK,KAAK,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI;AAAA,IAC1F;AACA,aAAS,IAAI,GAAG,KAAK,EAAE,QAAQ,IAAK,MAAK,CAAC,IAAI,KAAK,CAAC,KAAK;AAAA,EAC3D;AACA,SAAO,KAAK,EAAE,MAAM,KAAK;AAC3B;AAcO,SAAS,iBACd,YACA,UAGI,CAAC,GACwB;AAC7B,QAAM,QAAQ,QAAQ,gBAAgB;AACtC,QAAM,UAAU,QAAQ,eAAe;AACvC,QAAM,OAAuB,CAAC;AAC9B,aAAW,WAAW,YAAY;AAChC,eAAW,UAAU,OAAO;AAC1B,UAAI,YAAY,OAAQ;AACxB,YAAM,OAAO,YAAY,SAAS,MAAM;AACxC,UAAI,OAAO,KAAK,QAAQ,SAAS;AAC/B,aAAK,KAAK,EAAE,aAAa,SAAS,aAAa,QAAQ,UAAU,KAAK,CAAC;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AC9FO,SAAS,gBACd,YACA,eACA,MACuB;AACvB,aAAW,SAAS,KAAK,SAAS;AAChC,QAAI,MAAM,gBAAgB,cAAc,MAAM,mBAAmB,eAAe;AAC9E,aAAO;AAAA,QACL,SAAS;AAAA,QACT,QAAQ,MAAM;AAAA,QACd,WAAW,MAAM;AAAA,QACjB,GAAI,MAAM,SAAS,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,SAAS,MAAM;AAC1B;;;AC5BA,SAAS,kBAAkB,4BAA4B;AAMhD,SAAS,cAAc,OAQX;AACjB,QAAM,WAAW,IAAI,KAAK,MAAM,cAAc,KAAK,IAAI,CAAC,EAAE,YAAY;AACtE,QAAM,WAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,WAAW;AAAA,IACX,sBAAsB,MAAM;AAAA,IAC5B,QAAQ,MAAM;AAAA,IACd,qBAAqB,CAAC,GAAG,MAAM,kBAAkB;AAAA,IACjD,QAAQ,MAAM;AAAA,IACd,qBAAqB,CAAC,GAAG,MAAM,iBAAiB;AAAA,IAChD,WAAW,MAAM;AAAA,EACnB;AAEA,SAAO,qBAAqB,MAAM,QAAQ;AAC5C;;;AC3BA,SAAS,kBAAkB,4BAA4B;AAiBhD,SAAS,WACd,aACA,gBACA,UAAsC,CAAC,GAC3B;AACZ,MAAI;AACJ,MAAI;AACF,aAAS,qBAAqB,MAAM,WAAW;AAAA,EACjD,SAAS,GAAG;AACV,UAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,UAAM,MAAiB,EAAE,MAAM,eAAe,QAAQ;AACtD,UAAM,OAAO,OAAO,IAAI,MAAM,OAAO,GAAG,EAAE,OAAO,IAAI,CAAC;AAAA,EACxD;AAEA,QAAM,aAAa,gBAAgB,OAAO,MAAM,OAAO,SAAS,cAAc;AAC9E,MAAI,WAAW,WAAW,CAAC,QAAQ,cAAc;AAC/C,UAAM,UAAU,UAAU,OAAO,IAAI,IAAI,OAAO,OAAO,gBAAgB,WAAW,UAAU,gBAAgB;AAC5G,UAAM,MAAiB,EAAE,MAAM,WAAW,WAAW;AACrD,UAAM,OAAO,OAAO,IAAI,MAAM,OAAO,GAAG,EAAE,OAAO,IAAI,CAAC;AAAA,EACxD;AACA,SAAO,EAAE,QAAQ,WAAW;AAC9B;","names":[]}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@nexural/factory",
+  "version": "0.1.0",
+  "description": "Codegen engine for nx forge. Recipe loading + signature verification + SBOM license gate + lockfile writer + typosquat detection + revocation list check. Per ADRs 0002, 0006, 0009.",
+  "license": "MIT",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "dependencies": {
+    "zod": "^3.24.1",
+    "@nexural/schema": "^0.1.0"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/JasonTeixeira/nexural-meta.git",
+    "directory": "packages/factory"
+  },
+  "homepage": "https://github.com/JasonTeixeira/nexural-meta/tree/main/packages/factory#readme",
+  "bugs": {
+    "url": "https://github.com/JasonTeixeira/nexural-meta/issues"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src test",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist .turbo"
+  }
+}