@opensip-cli/output 0.1.0

package/dist/sink/http-egress.js

@@ -0,0 +1,158 @@
+/**
+ * Shared chunked cloud-egress transport (ADR-0008).
+ *
+ * Both cloud paths POST through here: `reportToCloud` (SARIF, `--report-to`)
+ * and the OpenSIP Cloud signal sink. The transport is the *mechanism*; each
+ * caller supplies its own *policy* (Strategy) and applies its own failure
+ * semantics to the returned {@link EgressResult} — `reportToCloud` maps failure
+ * to exit 4, the signal sink swallows. **`postChunked` never throws.**
+ *
+ * Unlike the prior SARIF-only loop (which only retried `fetch` *throws* and
+ * dropped a chunk on an HTTP `429`/`5xx`), this retries `429`/`5xx` at the
+ * chunk level, honors `Retry-After`, bounds total work by an overall deadline,
+ * and sends a stable `Idempotency-Key` per chunk so a retried-but-stored chunk
+ * is de-duplicated server-side.
+ */
+import { logger } from '@opensip-cli/core';
+const MODULE_TAG = 'http-egress';
+function isTransient(status) {
+    return status >= 500 || status === 429;
+}
+/** Parse `Retry-After` (delta-seconds or HTTP-date) into a delay in ms. */
+function parseRetryAfter(headerVal, now) {
+    if (!headerVal)
+        return undefined;
+    const secs = Number(headerVal);
+    if (Number.isFinite(secs))
+        return Math.max(0, secs * 1000);
+    const when = Date.parse(headerVal);
+    return Number.isNaN(when) ? undefined : Math.max(0, when - now);
+}
+/** Exponential backoff with jitter (mirrors core's withRetry shape). */
+function backoffMs(attempt) {
+    const base = 500 * 2 ** (attempt - 1);
+    return Math.min(base + Math.random() * base * 0.5, 5000);
+}
+const defaultSleep = (ms) => new Promise((r) => setTimeout(r, ms));
+/**
+ * POST each chunk with bounded per-chunk retries on `429`/`5xx`/transport
+ * errors, honoring `Retry-After`, an overall deadline, and stable idempotency
+ * keys. Returns an {@link EgressResult}; never throws.
+ */
+// eslint-disable-next-line sonarjs/cognitive-complexity -- network transport: per-chunk retry with status classification, Retry-After, and an overall deadline; the phases read better inline than split across helpers
+export async function postChunked(args) {
+    const { chunks, policy, evtPrefix } = args;
+    const fetchImpl = args.fetchImpl ?? fetch;
+    const now = args.now ?? Date.now;
+    const sleep = args.sleep ?? defaultSleep;
+    const started = now();
+    const headersBase = { 'Content-Type': 'application/json' };
+    if (args.apiKey)
+        headersBase['X-API-Key'] = args.apiKey;
+    const chunkResults = Array.from({ length: chunks.length }, () => false);
+    const errors = [];
+    let acceptedChunks = 0;
+    let authRejected = false;
+    let throttled = false;
+    let deadlineExceeded = false;
+    const deadlineLeft = () => policy.overallDeadlineMs - (now() - started);
+    outer: for (let ci = 0; ci < chunks.length; ci++) {
+        for (let attempt = 1; attempt <= policy.maxAttempts; attempt++) {
+            if (deadlineLeft() <= 0) {
+                deadlineExceeded = true;
+                break outer;
+            }
+            let retryAfterMs;
+            try {
+                const res = await fetchImpl(args.url, {
+                    method: 'POST',
+                    headers: { ...headersBase, 'Idempotency-Key': args.idempotencyKeyFor(ci) },
+                    body: JSON.stringify(chunks[ci]),
+                    signal: AbortSignal.timeout(args.timeoutFor(chunks[ci], ci)),
+                });
+                if (res.ok) {
+                    chunkResults[ci] = true;
+                    acceptedChunks++;
+                    logger.info({
+                        evt: `${evtPrefix}.chunk`,
+                        module: MODULE_TAG,
+                        chunk: `${ci + 1}/${chunks.length}`,
+                        status: res.status,
+                    });
+                    continue outer;
+                }
+                errors.push(`${res.status} ${res.statusText}`.trim());
+                if (res.status === 401 || res.status === 403) {
+                    authRejected = true;
+                    logger.warn({
+                        evt: `${evtPrefix}.auth-rejected`,
+                        module: MODULE_TAG,
+                        status: res.status,
+                    });
+                    break outer; // permanent auth failure — stop everything
+                }
+                if (!isTransient(res.status)) {
+                    logger.warn({
+                        evt: `${evtPrefix}.abort`,
+                        module: MODULE_TAG,
+                        status: res.status,
+                        remaining: chunks.length - ci - 1,
+                    });
+                    break outer; // other 4xx — retrying won't help; abort remaining
+                }
+                if (res.status === 429) {
+                    throttled = true;
+                    if (policy.honorRetryAfter)
+                        retryAfterMs = parseRetryAfter(res.headers.get('Retry-After'), now());
+                }
+                else if (res.status === 503 && policy.honorRetryAfter) {
+                    retryAfterMs = parseRetryAfter(res.headers.get('Retry-After'), now());
+                }
+            }
+            catch (error) {
+                // Network error / timeout — transient.
+                errors.push(error instanceof Error ? error.message : String(error));
+            }
+            // Transient: retry if attempts remain and the deadline allows.
+            if (attempt >= policy.maxAttempts) {
+                logger.warn({
+                    evt: `${evtPrefix}.error`,
+                    module: MODULE_TAG,
+                    chunk: `${ci + 1}/${chunks.length}`,
+                    attempts: attempt,
+                });
+                continue outer; // give up on this chunk, try the next
+            }
+            const wanted = retryAfterMs ?? backoffMs(attempt);
+            const delay = Math.min(wanted, Math.max(0, deadlineLeft()));
+            if (deadlineLeft() - delay <= 0) {
+                deadlineExceeded = true;
+                break outer;
+            }
+            logger.info({
+                evt: throttled ? `${evtPrefix}.throttled` : `${evtPrefix}.retry`,
+                module: MODULE_TAG,
+                chunk: `${ci + 1}/${chunks.length}`,
+                attempt,
+                delayMs: delay,
+                retryAfterMs,
+            });
+            await sleep(delay);
+        }
+    }
+    let outcome = 'partial';
+    if (acceptedChunks === chunks.length)
+        outcome = 'ok';
+    else if (acceptedChunks === 0)
+        outcome = 'failed';
+    return {
+        acceptedChunks,
+        chunkResults,
+        outcome,
+        authRejected,
+        throttled,
+        deadlineExceeded,
+        errors,
+    };
+}
+//# sourceMappingURL=http-egress.js.map

package/dist/sink/http-egress.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-egress.js","sourceRoot":"","sources":["../../src/sink/http-egress.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AA+C3C,MAAM,UAAU,GAAG,aAAa,CAAC;AAEjC,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,MAAM,IAAI,GAAG,IAAI,MAAM,KAAK,GAAG,CAAC;AACzC,CAAC;AAED,2EAA2E;AAC3E,SAAS,eAAe,CAAC,SAAwB,EAAE,GAAW;IAC5D,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC,CAAC;IAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,GAAG,CAAC,CAAC;AAClE,CAAC;AAED,wEAAwE;AACxE,SAAS,SAAS,CAAC,OAAe;IAChC,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IACtC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE,IAAI,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,YAAY,GAAG,CAAC,EAAU,EAAiB,EAAE,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAE1F;;;;GAIG;AACH,wNAAwN;AACxN,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAqB;IACrD,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,YAAY,CAAC;IACzC,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC;IAEtB,MAAM,WAAW,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IACnF,IAAI,IAAI,CAAC,MAAM;QAAE,WAAW,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;IAExD,MAAM,YAAY,GAAc,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACnF,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,gBAAgB,GAAG,KAAK,CAAC;IAE7B,MAAM,YAAY,GAAG,GAAW,EAAE,CAAC,MAAM,CAAC,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,CAAC;IAEhF,KAAK,EAAE,KAAK,IAAI,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC;QACjD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YAC/D,IAAI,YAAY,EAAE,IAAI,CAAC,EAAE,CAAC;gBACxB,gBAAgB,GAAG,IAAI,CAAC;gBACxB,MAAM,KAAK,CAAC;YACd,CAAC;YAED,IAAI,YAAgC,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE;oBACpC,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,GAAG,WAAW,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,EAAE;oBAC1E,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBAChC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;iBAC7D,CAAC,CAAC;gBAEH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;oBACX,YAAY,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC;oBACxB,cAAc,EAAE,CAAC;oBACjB,MAAM,CAAC,IAAI,CAAC;wBACV,GAAG,EAAE,GAAG,SAAS,QAAQ;wBACzB,MAAM,EAAE,UAAU;wBAClB,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE;wBACnC,MAAM,EAAE,GAAG,CAAC,MAAM;qBACnB,CAAC,CAAC;oBACH,SAAS,KAAK,CAAC;gBACjB,CAAC;gBAED,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;gBAEtD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC7C,YAAY,GAAG,IAAI,CAAC;oBACpB,MAAM,CAAC,IAAI,CAAC;wBACV,GAAG,EAAE,GAAG,SAAS,gBAAgB;wBACjC,MAAM,EAAE,UAAU;wBAClB,MAAM,EAAE,GAAG,CAAC,MAAM;qBACnB,CAAC,CAAC;oBACH,MAAM,KAAK,CAAC,CAAC,2CAA2C;gBAC1D,CAAC;gBACD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,MAAM,CAAC,IAAI,CAAC;wBACV,GAAG,EAAE,GAAG,SAAS,QAAQ;wBACzB,MAAM,EAAE,UAAU;wBAClB,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,SAAS,EAAE,MAAM,CAAC,MAAM,GAAG,EAAE,GAAG,CAAC;qBAClC,CAAC,CAAC;oBACH,MAAM,KAAK,CAAC,CAAC,mDAAmD;gBAClE,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,SAAS,GAAG,IAAI,CAAC;oBACjB,IAAI,MAAM,CAAC,eAAe;wBACxB,YAAY,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC1E,CAAC;qBAAM,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;oBACxD,YAAY,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;gBACxE,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,uCAAuC;gBACvC,MAAM,CAAC,IAAI,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtE,CAAC;YAED,+DAA+D;YAC/D,IAAI,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC;oBACV,GAAG,EAAE,GAAG,SAAS,QAAQ;oBACzB,MAAM,EAAE,UAAU;oBAClB,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE;oBACnC,QAAQ,EAAE,OAAO;iBAClB,CAAC,CAAC;gBACH,SAAS,KAAK,CAAC,CAAC,sCAAsC;YACxD,CAAC;YACD,MAAM,MAAM,GAAG,YAAY,IAAI,SAAS,CAAC,OAAO,CAAC,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YAC5D,IAAI,YAAY,EAAE,GAAG,KAAK,IAAI,CAAC,EAAE,CAAC;gBAChC,gBAAgB,GAAG,IAAI,CAAC;gBACxB,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,IAAI,CAAC;gBACV,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,YAAY,CAAC,CAAC,CAAC,GAAG,SAAS,QAAQ;gBAChE,MAAM,EAAE,UAAU;gBAClB,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE;gBACnC,OAAO;gBACP,OAAO,EAAE,KAAK;gBACd,YAAY;aACb,CAAC,CAAC;YACH,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,GAA4B,SAAS,CAAC;IACjD,IAAI,cAAc,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,GAAG,IAAI,CAAC;SAChD,IAAI,cAAc,KAAK,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;IAElD,OAAO;QACL,cAAc;QACd,YAAY;QACZ,OAAO;QACP,YAAY;QACZ,SAAS;QACT,gBAAgB;QAChB,MAAM;KACP,CAAC;AACJ,CAAC"}

package/dist/sink/repo-identity.d.ts

@@ -0,0 +1,4 @@
+import type { RepoIdentity } from '@opensip-cli/core';
+/** Best-effort repo identity (HEAD sha + origin remote). Never throws. */
+export declare function resolveRepoIdentity(cwd: string): RepoIdentity;
+//# sourceMappingURL=repo-identity.d.ts.map

package/dist/sink/repo-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-identity.d.ts","sourceRoot":"","sources":["../../src/sink/repo-identity.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAgBtD,0EAA0E;AAC1E,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,CAK7D"}

package/dist/sink/repo-identity.js

@@ -0,0 +1,32 @@
+// @fitness-ignore-file error-handling-quality -- best-effort repo-identity detection (ADR-0008): a missing git binary, a non-repo cwd, or a spawn failure must degrade silently to an undefined field; it never blocks, slows, or fails the user's run.
+/**
+ * resolveRepoIdentity — best-effort git repo identity (HEAD sha + origin
+ * remote) for cloud signal egress (ADR-0008).
+ *
+ * The composition root resolves this once per run and threads it into
+ * `deliverEnvelope`, so the cloud `SignalBatch` carries provenance. Pure
+ * inputs in, no throw: any git failure leaves the field `undefined`.
+ */
+import { execFileSync } from 'node:child_process';
+function git(cwd, args) {
+    try {
+        const out = execFileSync('git', args, {
+            cwd,
+            stdio: ['ignore', 'pipe', 'ignore'],
+            encoding: 'utf8',
+            timeout: 2000,
+        }).trim();
+        return out || undefined;
+    }
+    catch {
+        return undefined; // not a git repo / git absent → leave the field undefined
+    }
+}
+/** Best-effort repo identity (HEAD sha + origin remote). Never throws. */
+export function resolveRepoIdentity(cwd) {
+    return {
+        commit: git(cwd, ['rev-parse', 'HEAD']),
+        remoteUrl: git(cwd, ['config', '--get', 'remote.origin.url']),
+    };
+}
+//# sourceMappingURL=repo-identity.js.map

package/dist/sink/repo-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repo-identity.js","sourceRoot":"","sources":["../../src/sink/repo-identity.ts"],"names":[],"mappings":"AAAA,wPAAwP;AACxP;;;;;;;GAOG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIlD,SAAS,GAAG,CAAC,GAAW,EAAE,IAAuB;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;YACpC,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;YACnC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,SAAS,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC,CAAC,0DAA0D;IAC9E,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,OAAO;QACL,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACvC,SAAS,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,mBAAmB,CAAC,CAAC;KAC9D,CAAC;AACJ,CAAC"}

package/dist/sink/resolve-signal-sink.d.ts

@@ -0,0 +1,17 @@
+import type { SignalSink } from '@opensip-cli/core';
+/** Built-in OpenSIP Cloud base URL; the sink appends `/signals`. Overridable via config. */
+export declare const DEFAULT_CLOUD_ENDPOINT = "https://opensip.ai/api";
+export interface ResolveSignalSinkInput {
+    readonly apiKey?: string;
+    readonly cloud?: {
+        readonly sync?: boolean;
+        readonly endpoint?: string;
+    };
+    /** `--no-cloud` per-run opt-out. */
+    readonly noCloud?: boolean;
+    /** Directory for the entitlement cache (user-level). */
+    readonly cacheDir: string;
+    readonly fetchImpl?: typeof fetch;
+}
+export declare function resolveSignalSink(input: ResolveSignalSinkInput): SignalSink;
+//# sourceMappingURL=resolve-signal-sink.d.ts.map

package/dist/sink/resolve-signal-sink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-signal-sink.d.ts","sourceRoot":"","sources":["../../src/sink/resolve-signal-sink.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAA2B,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE7E,4FAA4F;AAC5F,eAAO,MAAM,sBAAsB,2BAA2B,CAAC;AAI/D,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE;QAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACzE,oCAAoC;IACpC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,wDAAwD;IACxD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CACnC;AA4BD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,sBAAsB,GAAG,UAAU,CAyC3E"}

package/dist/sink/resolve-signal-sink.js

@@ -0,0 +1,87 @@
+// @fitness-ignore-file error-handling-quality -- best-effort sink selection + first-run notice (ADR-0008): a failed marker read/write just re-shows the notice, and the entitlement/egress paths degrade silently. Cloud sync never blocks the user's run.
+/**
+ * resolveSignalSink — choose the SignalSink for a run (ADR-0008).
+ *
+ * Sync and cheap: the opt-out paths (no API key, `cloud.sync: false`,
+ * `--no-cloud`, a non-https endpoint) return `noopSignalSink` with zero IO, so
+ * non-signal commands and the keyless OSS majority pay nothing. When cloud sync
+ * is viable it returns a **deferred** sink: the entitlement check runs lazily on
+ * the first `emit` (and is cached), so only signal-producing runs incur it, and
+ * a revoked plan (401/403) busts the entitlement cache so it stops within one run.
+ */
+import { access, mkdir, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { logger, noopSignalSink } from '@opensip-cli/core';
+import { createCloudSignalSink } from './cloud-signal-sink.js';
+import { checkEntitlement, invalidateEntitlement } from './entitlement.js';
+/** Built-in OpenSIP Cloud base URL; the sink appends `/signals`. Overridable via config. */
+export const DEFAULT_CLOUD_ENDPOINT = 'https://opensip.ai/api';
+const MODULE_TAG = 'resolve-signal-sink';
+/**
+ * One-time privacy notice the first time the cloud sink goes active, telling
+ * the user what is synced and how to opt out (ADR-0008). Marker lives in the
+ * entitlement cache dir; best-effort — a failure just shows it again next run.
+ */
+async function maybeShowFirstRunNotice(cacheDir) {
+    const marker = join(cacheDir, 'signal-sync-notice');
+    try {
+        await access(marker);
+        return; // already shown
+    }
+    catch {
+        /* not shown yet */
+    }
+    try {
+        await mkdir(cacheDir, { recursive: true });
+        await writeFile(marker, new Date().toISOString());
+        process.stderr.write('OpenSIP Cloud signal sync is on: each run sends its signals (file paths,\n' +
+            'messages, suggestions, code-location hints) to your OpenSIP Cloud account.\n' +
+            'Local results are unaffected. Disable with --no-cloud or `cloud.sync: false`.\n');
+    }
+    catch {
+        /* best-effort */
+    }
+}
+export function resolveSignalSink(input) {
+    const { apiKey } = input;
+    // Cheap opt-out paths — no IO.
+    if (!apiKey)
+        return noopSignalSink;
+    if (input.noCloud || input.cloud?.sync === false)
+        return noopSignalSink;
+    const endpoint = input.cloud?.endpoint ?? DEFAULT_CLOUD_ENDPOINT;
+    if (!endpoint.startsWith('https://')) {
+        // Never send the credential-bearing X-API-Key over plaintext.
+        logger.warn({ evt: 'cli.signal-sync.insecure-endpoint', module: MODULE_TAG, endpoint });
+        return noopSignalSink;
+    }
+    const cloudSink = createCloudSignalSink({ endpoint, apiKey, fetchImpl: input.fetchImpl });
+    // Deferred sink: entitlement is checked lazily/cached on first emit.
+    return {
+        async emit(batch) {
+            try {
+                const ent = await checkEntitlement({
+                    apiKey,
+                    endpoint,
+                    now: Date.now(),
+                    cacheDir: input.cacheDir,
+                    fetchImpl: input.fetchImpl,
+                });
+                if (!ent.entitled)
+                    return { accepted: 0, authRejected: false, skippedReason: 'unentitled' };
+                // @fitness-ignore-next-line async-waterfall-detection -- the first-run notice must print BEFORE the emit; deliberately sequential, not parallelized
+                await maybeShowFirstRunNotice(input.cacheDir);
+                const result = await cloudSink.emit(batch);
+                if (result.authRejected) {
+                    await invalidateEntitlement({ apiKey, cacheDir: input.cacheDir });
+                }
+                return result;
+            }
+            catch {
+                // Belt and suspenders — emit MUST NOT throw into the run.
+                return { accepted: 0, authRejected: false, skippedReason: 'error' };
+            }
+        },
+    };
+}
+//# sourceMappingURL=resolve-signal-sink.js.map

package/dist/sink/resolve-signal-sink.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-signal-sink.js","sourceRoot":"","sources":["../../src/sink/resolve-signal-sink.ts"],"names":[],"mappings":"AAAA,2PAA2P;AAC3P;;;;;;;;;GASG;AACH,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAI3E,4FAA4F;AAC5F,MAAM,CAAC,MAAM,sBAAsB,GAAG,wBAAwB,CAAC;AAE/D,MAAM,UAAU,GAAG,qBAAqB,CAAC;AAYzC;;;;GAIG;AACH,KAAK,UAAU,uBAAuB,CAAC,QAAgB;IACrD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QACrB,OAAO,CAAC,gBAAgB;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,mBAAmB;IACrB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3C,MAAM,SAAS,CAAC,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,4EAA4E;YAC1E,8EAA8E;YAC9E,iFAAiF,CACpF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB;IACnB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAA6B;IAC7D,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACzB,+BAA+B;IAC/B,IAAI,CAAC,MAAM;QAAE,OAAO,cAAc,CAAC;IACnC,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE,IAAI,KAAK,KAAK;QAAE,OAAO,cAAc,CAAC;IAExE,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,EAAE,QAAQ,IAAI,sBAAsB,CAAC;IACjE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,8DAA8D;QAC9D,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,mCAAmC,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC;QACxF,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,MAAM,SAAS,GAAG,qBAAqB,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IAE1F,qEAAqE;IACrE,OAAO;QACL,KAAK,CAAC,IAAI,CAAC,KAAkB;YAC3B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC;oBACjC,MAAM;oBACN,QAAQ;oBACR,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;oBACf,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,SAAS,EAAE,KAAK,CAAC,SAAS;iBAC3B,CAAC,CAAC;gBACH,IAAI,CAAC,GAAG,CAAC,QAAQ;oBAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;gBAE5F,oJAAoJ;gBACpJ,MAAM,uBAAuB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBAC9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC3C,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;oBACxB,MAAM,qBAAqB,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACpE,CAAC;gBACD,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,MAAM,CAAC;gBACP,0DAA0D;gBAC1D,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC;YACtE,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@opensip-cli/output",
+  "version": "0.1.0",
+  "license": "Apache-2.0",
+  "description": "Output layer for OpenSIP CLI — pure signal-envelope formatters (json/sarif/table) and effectful sinks (file/cloud)",
+  "keywords": [
+    "opensip-cli",
+    "static-analysis",
+    "code-quality",
+    "sarif",
+    "output"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/opensip-ai/opensip-cli.git",
+    "directory": "packages/output"
+  },
+  "homepage": "https://github.com/opensip-ai/opensip-cli",
+  "bugs": {
+    "url": "https://github.com/opensip-ai/opensip-cli/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "NOTICE"
+  ],
+  "dependencies": {
+    "@opensip-cli/contracts": "0.1.0",
+    "@opensip-cli/core": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^24.13.2",
+    "typescript": "~6.0.3",
+    "vitest": "^4.1.8"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run --passWithNoTests",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  }
+}