@oss-ma/tpl 1.0.5 → 1.0.25

package/dist/commands/check.js

@@ -1,10 +1,74 @@
+// cli/src/commands/check.ts
 import { Command } from "commander";
+import path from "node:path";
+import crypto from "node:crypto";
+import fs from "fs-extra";
 import pc from "picocolors";
 import { loadStandardSchema, checkAgainstStandard } from "../engine/validators/standard.js";
 import { readTemplateLock } from "../engine/readLock.js";
 import { validateReactTs } from "../engine/validators/reactTs.js";
 import { loadPack } from "../engine/packs/loadPack.js";
 import { validatePackRules } from "../engine/packs/validatePackRules.js";
+;
+// ── Integrity helpers 
+async function hashFile(filePath) {
+    const content = await fs.readFile(filePath);
+    return crypto.createHash("sha256").update(content).digest("hex");
+}
+async function collectFiles(dir) {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    const results = [];
+    for (const entry of entries) {
+        const full = path.join(dir, entry.name);
+        if (entry.isDirectory())
+            results.push(...(await collectFiles(full)));
+        else if (entry.isFile())
+            results.push(full);
+    }
+    return results.sort();
+}
+async function verifyIntegrity(projectPath, manifest) {
+    const issues = [];
+    const abs = path.resolve(projectPath);
+    for (const [rel, expectedHash] of Object.entries(manifest)) {
+        const filePath = path.join(abs, rel);
+        if (!(await fs.pathExists(filePath))) {
+            issues.push({
+                code: "INTEGRITY_MISSING_FILE",
+                message: `File was deleted after generation: ${rel}`,
+                path: rel,
+                hint: "Restore the file or re-generate the project"
+            });
+            continue;
+        }
+        const actualHash = await hashFile(filePath);
+        if (actualHash !== expectedHash) {
+            issues.push({
+                code: "INTEGRITY_MODIFIED_FILE",
+                message: `File modified after generation: ${rel}`,
+                path: rel,
+                hint: "If intentional, re-run init to update template.lock"
+            });
+        }
+    }
+    const allFiles = await collectFiles(abs);
+    const manifestKeys = new Set(Object.keys(manifest));
+    for (const filePath of allFiles) {
+        const rel = path.relative(abs, filePath).replace(/\\/g, "/");
+        if (rel === "template.lock")
+            continue;
+        if (!manifestKeys.has(rel)) {
+            issues.push({
+                code: "INTEGRITY_ADDED_FILE",
+                message: `File added after generation: ${rel}`,
+                path: rel,
+                hint: "Expected for normal development. Re-run init to update template.lock if needed"
+            });
+        }
+    }
+    return issues;
+}
+// ── Output ───────────────────────────────────────────────────────────────────
 function printHuman(result) {
     if (result.ok) {
         console.log(pc.green(`✅ OK — Standard v${result.schemaVersion}`));
@@ -22,9 +86,11 @@ function printHuman(result) {
     console.log("");
     console.log(pc.yellow(`Total issues: ${result.issues.length}`));
 }
+// ── Command ──────────────────────────────────────────────────────────────────
 export const checkCommand = new Command("check")
     .option("--path <path>", "Project path", ".")
     .option("--json", "JSON output")
+    .option("--skip-integrity", "Skip template.lock integrity verification")
     .description("Check a project against the standard")
     .action(async (opts) => {
     try {
@@ -33,21 +99,24 @@ export const checkCommand = new Command("check")
         const standardResult = await checkAgainstStandard(opts.path, schema);
         // 2) Lock
         const lock = await readTemplateLock(standardResult.projectPath);
-        // 3) Template-specific
+        // 3) Integrity
+        let integrityIssues = [];
+        if (!opts.skipIntegrity && lock?.filesIntegrity) {
+            integrityIssues = await verifyIntegrity(standardResult.projectPath, lock.filesIntegrity);
+        }
+        // 4) Template-specific
         let templateIssues = [];
         if (lock?.template === "react-ts") {
             templateIssues = await validateReactTs(standardResult.projectPath);
         }
-        // 4) Packs
+        // 5) Packs
         let packIssues = [];
         if (lock?.packs?.length) {
             for (const packName of lock.packs) {
                 const pack = await loadPack(packName);
                 const issues = await validatePackRules(pack, standardResult.projectPath);
-                // enforcement (strict vs advisory)
                 const level = pack.spec.enforcement?.level ?? "strict";
                 if (level === "advisory") {
-                    // On garde l’info mais on ne bloque pas (on tag en WARNING)
                     packIssues.push(...issues.map((i) => ({
                         ...i,
                         code: `PACK_WARNING:${i.code}`,
@@ -59,13 +128,22 @@ export const checkCommand = new Command("check")
                 }
             }
         }
-        // 5) Combine
-        const issues = [...standardResult.issues, ...templateIssues, ...packIssues];
-        // advisory warnings don't fail build
+        // 6) Combine
+        const blockingIntegrityIssues = integrityIssues.filter((i) => i.code !== "INTEGRITY_ADDED_FILE");
+        const advisoryIntegrityIssues = integrityIssues.filter((i) => i.code === "INTEGRITY_ADDED_FILE");
         const blockingPackIssues = packIssues.filter((i) => !String(i.code).startsWith("PACK_WARNING:"));
-        const ok = standardResult.issues.length + templateIssues.length + blockingPackIssues.length === 0;
+        const issues = [
+            ...standardResult.issues,
+            ...blockingIntegrityIssues,
+            ...advisoryIntegrityIssues,
+            ...templateIssues,
+            ...packIssues
+        ];
+        const ok = standardResult.issues.length +
+            blockingIntegrityIssues.length +
+            templateIssues.length +
+            blockingPackIssues.length === 0;
         const result = { ...standardResult, issues, ok };
-        // 6) Output + exit
         if (opts.json)
             console.log(JSON.stringify(result, null, 2));
         else

package/dist/commands/init.js

@@ -1,3 +1,4 @@
+// cli/src/commands/init.ts
 import { Command } from "commander";
 import { initProject } from "../engine/initProject.js";
 function nowVars() {

package/dist/engine/copy.js

@@ -1,6 +1,10 @@
+// cli/src/engine/copy.ts
 import path from "node:path";
 import fs from "fs-extra";
 import { renderString } from "./render.js";
+/**
+ * Extensions treated as text files (template rendering applies).
+ */
 const TEXT_EXT = new Set([
     ".ts",
     ".tsx",
@@ -20,7 +24,10 @@ const TEXT_EXT = new Set([
     ".cjs",
     ".mjs"
 ]);
-// Files that ship without dot, but must be generated as dotfiles.
+/**
+ * Files that ship without dot but must be generated as dotfiles.
+ * (npm packaging limitation workaround)
+ */
 const DOTFILE_MAP = {
     "gitignore": ".gitignore",
     "editorconfig": ".editorconfig",
@@ -31,11 +38,37 @@ const DOTFILE_MAP = {
     "nvmrc": ".nvmrc",
     "node-version": ".node-version",
 };
+/**
+ * Prevent path traversal: ensure target stays inside baseDir.
+ */
+function safeJoin(baseDir, ...parts) {
+    const base = path.resolve(baseDir) + path.sep;
+    const target = path.resolve(baseDir, ...parts);
+    if (!target.startsWith(base)) {
+        throw new Error(`Path traversal detected: ${target}`);
+    }
+    return target;
+}
+/**
+ * Reject symlinks to prevent escaping the project directory.
+ */
+async function assertNoSymlink(p) {
+    const st = await fs.lstat(p);
+    if (st.isSymbolicLink()) {
+        throw new Error(`Symlink not allowed in template/pack: ${p}`);
+    }
+}
+/**
+ * Map template filename → destination filename (dotfiles handling).
+ */
 function mapDestName(name) {
     if (name.startsWith("."))
         return name;
     return DOTFILE_MAP[name] ?? name;
 }
+/**
+ * Detect whether a file should be treated as text.
+ */
 function isTextFile(filePath) {
     const ext = path.extname(filePath).toLowerCase();
     if (TEXT_EXT.has(ext))
@@ -56,7 +89,16 @@ function isTextFile(filePath) {
         return true;
     return false;
 }
+/**
+ * Copy a single file with rendering if applicable.
+ * - No symlinks
+ * - No overwrite
+ */
 async function copyOne(srcPath, destPath, vars) {
+    await assertNoSymlink(srcPath);
+    if (await fs.pathExists(destPath)) {
+        throw new Error(`Refusing to overwrite existing file: ${destPath}`);
+    }
     await fs.ensureDir(path.dirname(destPath));
     if (isTextFile(srcPath)) {
         const raw = await fs.readFile(srcPath, "utf8");
@@ -67,13 +109,21 @@ async function copyOne(srcPath, destPath, vars) {
         await fs.copyFile(srcPath, destPath);
     }
 }
+/**
+ * Recursively copy and render a directory.
+ * Security guarantees:
+ * - No path traversal
+ * - No symlinks
+ * - No overwrite
+ */
 export async function copyAndRenderDir(srcDir, destDir, vars) {
     await fs.ensureDir(destDir);
     const entries = await fs.readdir(srcDir, { withFileTypes: true });
     for (const entry of entries) {
         const srcPath = path.join(srcDir, entry.name);
+        await assertNoSymlink(srcPath);
         const destName = mapDestName(entry.name);
-        const destPath = path.join(destDir, destName);
+        const destPath = safeJoin(destDir, destName);
         if (entry.isDirectory()) {
             await copyAndRenderDir(srcPath, destPath, vars);
             continue;

package/dist/engine/hooks.js

@@ -1,13 +1,110 @@
+//  cli/src/engine/hooks.ts
 import { execa } from "execa";
-export async function runHooks(cmds, cwd) {
-    if (!cmds?.length)
+/**
+ * Safely parse a command string into [executable, ...args].
+ * Handles simple quoted strings but does NOT support pipes, redirects,
+ * or subshells — intentionally restricted to prevent injection.
+ *
+ * Examples:
+ *   "npm ci --ignore-scripts"        → ["npm", "ci", "--ignore-scripts"]
+ *   "git init"                        → ["git", "init"]
+ */
+export function parseCommand(cmd) {
+    const args = [];
+    let current = "";
+    let inSingle = false;
+    let inDouble = false;
+    for (let i = 0; i < cmd.length; i++) {
+        const ch = cmd[i];
+        if (ch === "'" && !inDouble) {
+            inSingle = !inSingle;
+        }
+        else if (ch === '"' && !inSingle) {
+            inDouble = !inDouble;
+        }
+        else if (ch === " " && !inSingle && !inDouble) {
+            if (current.length > 0) {
+                args.push(current);
+                current = "";
+            }
+        }
+        else {
+            current += ch;
+        }
+    }
+    if (current.length > 0)
+        args.push(current);
+    if (args.length === 0) {
+        throw new Error(`Empty command after parsing: "${cmd}"`);
+    }
+    // Security: reject shell metacharacters that should never appear
+    const FORBIDDEN = /[;&|`$<>\\]/;
+    for (const arg of args) {
+        if (FORBIDDEN.test(arg)) {
+            throw new Error(`Forbidden shell metacharacter in hook command: "${arg}" (from: "${cmd}")`);
+        }
+    }
+    return args;
+}
+/**
+ * Evaluate a `when` condition of the form:
+ *   "{{resolvedValue}} == expectedValue"
+ *
+ * The vars have already been substituted before this function is called,
+ * so `condition` looks like: "npm == npm" or "pnpm == npm".
+ */
+function evaluateWhen(condition) {
+    const m = condition.match(/^(.+?)\s*==\s*(.+)$/);
+    if (!m) {
+        throw new Error(`Invalid when condition format: "${condition}". Expected: "value == value"`);
+    }
+    return m[1].trim() === m[2].trim();
+}
+/**
+ * Resolve variables in a string using the vars map.
+ */
+function resolveVars(input, vars) {
+    return input.replace(/\{\{\s*([a-zA-Z0-9_]+)\s*\}\}/g, (_, key) => {
+        const v = vars[key];
+        return v !== undefined ? String(v) : `{{${key}}}`;
+    });
+}
+export async function runHooks(hooks, cwd, vars = {}) {
+    if (!hooks?.length)
         return;
-    for (const cmd of cmds) {
-        // simple shell execution (cross-platform)
-        await execa(cmd, {
+    for (const hook of hooks) {
+        // Support both legacy string[] and new Hook[] formats
+        const raw = typeof hook === "string" ? { run: hook } : hook;
+        // Resolve variables in `when` condition and evaluate it
+        if (raw.when !== undefined) {
+            const resolvedWhen = resolveVars(raw.when, vars);
+            if (!evaluateWhen(resolvedWhen)) {
+                continue; // skip this hook
+            }
+        }
+        // Resolve variables in the command itself
+        const resolvedCmd = resolveVars(raw.run, vars);
+        // Parse safely — no shell: true
+        const [bin, ...args] = parseCommand(resolvedCmd);
+        await execa(bin, args, {
             cwd,
-            shell: true,
+            shell: false, // ← explicit: never use shell
             stdio: "inherit"
         });
     }
 }
+// import { execa } from "execa";
+// export async function runHooks(
+//   cmds: string[] | undefined,
+//   cwd: string
+// ): Promise<void> {
+//   if (!cmds?.length) return;
+//   for (const cmd of cmds) {
+//     // simple shell execution (cross-platform)
+//     await execa(cmd, {
+//       cwd,
+//       shell: true,
+//       stdio: "inherit"
+//     });
+//   }
+// }

package/dist/engine/initProject.js

@@ -50,7 +50,7 @@ export async function initProject(params) {
         await applyPackFiles(pack, destDir, vars);
         appliedPacks.push(pack.spec.name);
     }
-    // 3) Write template.lock (includes packs)
+    // 3) Write template.lock (includes packs + file integrity hashes)
     await writeTemplateLock({
         destDir,
         template: spec.name,
@@ -59,10 +59,10 @@ export async function initProject(params) {
         packs: appliedPacks,
         generatedAt: sys.isoDate
     });
-    // 4) Hooks
+    // 4) Hooks — pass vars so `when` conditions can be evaluated
     if (!params.noHooks) {
-        const cmds = spec.hooks?.postGenerate?.map((h) => h.run.replace(/\{\{\s*([a-zA-Z0-9_]+)\s*\}\}/g, (_, k) => vars[k] ?? `{{${k}}}`));
-        await runHooks(cmds, destDir);
+        const hooks = (spec.hooks?.postGenerate ?? []).map((h) => typeof h === "string" ? { run: h } : h);
+        await runHooks(hooks, destDir, vars);
     }
     return { destDir };
 }

package/dist/engine/loadTemplate.js

@@ -1,3 +1,4 @@
+// cli/src/engine/loadTemplate.ts
 import path from "node:path";
 import fs from "fs-extra";
 import YAML from "yaml";

package/dist/engine/lock.js

@@ -1,13 +1,58 @@
+// cli/src/engine/lock.ts
 import path from "node:path";
+import crypto from "node:crypto";
 import fs from "fs-extra";
+/**
+ * Recursively collect all file paths under a directory.
+ */
+async function collectFiles(dir) {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    const results = [];
+    for (const entry of entries) {
+        const full = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...(await collectFiles(full)));
+        }
+        else if (entry.isFile()) {
+            results.push(full);
+        }
+    }
+    return results.sort(); // deterministic order
+}
+/**
+ * Compute SHA-256 of a single file's content.
+ */
+async function hashFile(filePath) {
+    const content = await fs.readFile(filePath);
+    return crypto.createHash("sha256").update(content).digest("hex");
+}
+/**
+ * Compute a manifest of { relativePath -> sha256 } for all files in destDir.
+ * Excludes template.lock itself to avoid circular dependency.
+ */
+export async function computeFilesHash(destDir) {
+    const abs = path.resolve(destDir);
+    const files = await collectFiles(abs);
+    const manifest = {};
+    for (const filePath of files) {
+        const rel = path.relative(abs, filePath).replace(/\\/g, "/");
+        if (rel === "template.lock")
+            continue; // exclude lock file itself
+        manifest[rel] = await hashFile(filePath);
+    }
+    return manifest;
+}
 export async function writeTemplateLock(params) {
     const lockPath = path.join(params.destDir, "template.lock");
+    // Compute integrity manifest of all generated files
+    const filesIntegrity = await computeFilesHash(params.destDir);
     const data = {
         template: params.template,
         version: params.version,
         options: params.options,
         packs: params.packs ?? [],
-        generatedAt: params.generatedAt
+        generatedAt: params.generatedAt,
+        filesIntegrity
     };
     await fs.writeFile(lockPath, JSON.stringify(data, null, 2) + "\n", "utf8");
 }
@@ -20,6 +65,26 @@ export async function writeTemplateLock(params) {
 //   options: Record<string, string>;
 //   packs?: string[];
 //   generatedAt: string;
+// }): Promise<void> {
+//   const lockPath = path.join(params.destDir, "template.lock");
+//   const data = {
+//     template: params.template,
+//     version: params.version,
+//     options: params.options,
+//     packs: params.packs ?? [],
+//     generatedAt: params.generatedAt
+//   };
+//   await fs.writeFile(lockPath, JSON.stringify(data, null, 2) + "\n", "utf8");
+// }
+// import path from "node:path";
+// import fs from "fs-extra";
+// export async function writeTemplateLock(params: {
+//   destDir: string;
+//   template: string;
+//   version: string;
+//   options: Record<string, string>;
+//   packs?: string[];
+//   generatedAt: string;
 // }) {
 //   const lockPath = path.join(params.destDir, "template.lock");
 //   const data = {

package/dist/engine/packs/applyPackFiles.js

@@ -1,12 +1,27 @@
 import path from "node:path";
 import fs from "fs-extra";
 import { copyAndRenderDir } from "../copy.js";
+function safeJoin(baseDir, ...parts) {
+    const base = path.resolve(baseDir) + path.sep;
+    const target = path.resolve(baseDir, ...parts);
+    if (!target.startsWith(base)) {
+        throw new Error(`Path traversal detected: ${target}`);
+    }
+    return target;
+}
+async function assertNoSymlink(p) {
+    const st = await fs.lstat(p);
+    if (st.isSymbolicLink()) {
+        throw new Error(`Symlink not allowed in pack output: ${p}`);
+    }
+}
 async function mergeDir(srcDir, destDir, packName) {
     await fs.ensureDir(destDir);
     const entries = await fs.readdir(srcDir, { withFileTypes: true });
     for (const e of entries) {
         const src = path.join(srcDir, e.name);
-        const dest = path.join(destDir, e.name);
+        await assertNoSymlink(src);
+        const dest = safeJoin(destDir, e.name);
         if (e.isDirectory()) {
             if (await fs.pathExists(dest)) {
                 const stat = await fs.stat(dest);
@@ -19,7 +34,6 @@ async function mergeDir(srcDir, destDir, packName) {
         }
         if (e.isFile()) {
             if (await fs.pathExists(dest)) {
-                // Conflict only if the *same file path* already exists
                 throw new Error(`Pack "${packName}" conflict: file already exists: ${path.relative(destDir, dest)}`);
             }
             await fs.copyFile(src, dest);
@@ -35,13 +49,10 @@ export async function applyPackFiles(pack, projectDir, vars) {
     await fs.remove(tmpDir);
     await fs.ensureDir(tmpDir);
     try {
-        // Render pack files into tmpDir
         await copyAndRenderDir(pack.filesDir, tmpDir, vars);
-        // Merge tmpDir into projectDir (directories are merged, files must not overwrite)
         await mergeDir(tmpDir, projectDir, pack.spec.name);
     }
     finally {
-        // Always cleanup (even if we throw on conflict)
         await fs.remove(tmpRoot);
     }
 }