npm - @ossdeveloper/github-compliance - Versions diffs - 1.0.2 → 1.3.0 - Mend

@ossdeveloper/github-compliance 1.0.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/database.ts CHANGED Viewed

@@ -3,10 +3,10 @@
  *
  * Manages SQLite database for compliance records, audit logs, and failed attempts.
  * Uses centralized schema from schema.ts for all table/column names.
+ * Uses centralized content hashing from contracts.ts.
  */
 import Database from "bun:sqlite";
-import { createHash } from "crypto";
 import { mkdir } from "fs";
 import { homedir } from "os";
 import {
@@ -16,6 +16,7 @@ import {
   RECORD_CLEANUP_AGE_MS,
   CONTENT_PREVIEW_MAX_LENGTH
 } from "./schema";
+import { computeContentHash } from "./contracts";
 const DB_DIR = `${homedir()}/.opencode`;
 const DB_PATH = `${DB_DIR}/github-compliance.db`;
@@ -114,14 +115,6 @@ function uuid(): string {
   return crypto.randomUUID();
 }
-function computeContentHash(title: string | null, body: string): string {
-  const content = JSON.stringify({
-    title: title || "",
-    body: body || ""
-  });
-  return "sha256:" + createHash("sha256").update(content).digest("hex");
-}
 // ============================================================================
 // Database Initialization
 // ============================================================================

package/dist/plugin.js CHANGED Viewed

@@ -16,7 +16,6 @@ var __export = (target, all) => {
 // database.ts
 import Database from "bun:sqlite";
-import { createHash } from "crypto";
 import { mkdir } from "fs";
 import { homedir } from "os";
@@ -79,12 +78,32 @@ var RECORD_TTL_MS = 30 * 60 * 1000;
 var RECORD_CLEANUP_AGE_MS = 7 * 24 * 60 * 60 * 1000;
 var CONTENT_PREVIEW_MAX_LENGTH = 500;
-// database.ts
-var DB_DIR = `${homedir()}/.opencode`;
-var DB_PATH = `${DB_DIR}/github-compliance.db`;
-var db = null;
-function uuid() {
-  return crypto.randomUUID();
+// contracts.ts
+import { createHash } from "crypto";
+var TOOL_PREFIX_NORMALIZE = {
+  github_issue_write: "issue_write",
+  github_issue_update: "issue_update",
+  github_pull_request_write: "pull_request_write",
+  github_pull_request_update: "pull_request_update",
+  github_add_issue_comment: "add_issue_comment",
+  github_add_pull_request_comment: "add_pull_request_comment",
+  github_pull_request_review: "pull_request_review",
+  github_pull_request_review_comment: "pull_request_review_comment",
+  github_create_pull_request: "create_pull_request",
+  github_update_issue: "update_issue",
+  github_update_pull_request: "update_pull_request",
+  github_push_files: "push_files",
+  github_create_branch: "create_branch",
+  github_create_or_update_file: "create_or_update_file",
+  github_delete_file: "delete_file",
+  github_create_repository: "create_repository",
+  github_create_pull_request_with_copilot: "create_pull_request_with_copilot",
+  github_update_pull_request_branch: "update_pull_request_branch",
+  github_reply_to_pull_request_comment: "reply_to_pull_request_comment",
+  github_add_reply_to_pull_request_comment: "add_reply_to_pull_request_comment"
+};
+function normalizeToolName(toolName) {
+  return TOOL_PREFIX_NORMALIZE[toolName] || toolName;
 }
 function computeContentHash(title, body) {
   const content = JSON.stringify({
@@ -93,6 +112,39 @@ function computeContentHash(title, body) {
   });
   return "sha256:" + createHash("sha256").update(content).digest("hex");
 }
+function extractRecordFields(toolName, args) {
+  const normalizedToolName = normalizeToolName(toolName);
+  if (!args || typeof args !== "object") {
+    return {
+      toolName: normalizedToolName,
+      owner: "",
+      repo: "",
+      title: null,
+      body: null,
+      contentHash: computeContentHash(null, null)
+    };
+  }
+  const owner = args.owner || "";
+  const repo = args.repo || "";
+  const title = args.title || null;
+  const body = args.body || null;
+  return {
+    toolName: normalizedToolName,
+    owner,
+    repo,
+    title,
+    body,
+    contentHash: computeContentHash(title, body)
+  };
+}
+// database.ts
+var DB_DIR = `${homedir()}/.opencode`;
+var DB_PATH = `${DB_DIR}/github-compliance.db`;
+var db = null;
+function uuid() {
+  return crypto.randomUUID();
+}
 async function initDatabase() {
   if (db)
     return;
@@ -318,7 +370,6 @@ async function logFailedAttempt(entry) {
 }
 // compliance.ts
-import { createHash as createHash2 } from "crypto";
 var GITHUB_WRITE_TOOLS_UNPREFIXED = [
   "issue_write",
   "issue_update",
@@ -346,27 +397,6 @@ var GITHUB_WRITE_TOOLS = [...GITHUB_WRITE_TOOLS_UNPREFIXED, ...GITHUB_WRITE_TOOL
 function isGitHubWriteTool(toolName) {
   return GITHUB_WRITE_TOOLS.includes(toolName);
 }
-function extractToolInfo(toolName, args) {
-  const owner = args.owner || "";
-  const repo = args.repo || "";
-  const title = args.title || null;
-  const body = args.body || null;
-  return {
-    toolName,
-    owner,
-    repo,
-    title,
-    body,
-    contentHash: computeContentHash2(title, body)
-  };
-}
-function computeContentHash2(title, body) {
-  const content = JSON.stringify({
-    title: title || "",
-    body: body || ""
-  });
-  return "sha256:" + createHash2("sha256").update(content).digest("hex");
-}
 function extractGitHubId(result) {
   if (!result || typeof result !== "object")
     return null;
@@ -12856,6 +12886,77 @@ var tools = {
 };
 // plugin.ts
+function isMcpTool(toolName) {
+  return toolName.startsWith("github_");
+}
+function extractToolInfoFromArgs(toolName, args) {
+  const fields = extractRecordFields(toolName, args);
+  return {
+    toolName: fields.toolName,
+    owner: fields.owner,
+    repo: fields.repo,
+    title: fields.title,
+    body: fields.body,
+    contentHash: fields.contentHash
+  };
+}
+function extractArgs(input, output) {
+  if (output.args && typeof output.args === "object") {
+    return output.args;
+  }
+  if (input.arguments && typeof input.arguments === "object") {
+    return input.arguments;
+  }
+  if (input.args && typeof input.args === "object") {
+    return input.args;
+  }
+  if (typeof input.arguments === "string") {
+    try {
+      return JSON.parse(input.arguments);
+    } catch {}
+  }
+  return null;
+}
+async function validateAndProcess(toolName, owner, repo, contentHash, toolInfo) {
+  const record2 = await getComplianceRecord(toolName, owner, repo, contentHash);
+  const validation = await validateCompliance(record2, {
+    toolName,
+    owner,
+    repo,
+    contentHash
+  });
+  if (!validation.valid) {
+    await logFailedAttempt({
+      tool_name: toolName,
+      owner,
+      repo,
+      reason: validation.reason,
+      content_hash: contentHash,
+      provided_record_id: record2?.id || null,
+      error_details: validation.message
+    });
+    return { allowed: false, record: record2, validation };
+  }
+  await markRecordUsed(record2.id);
+  return { allowed: true, record: record2, validation };
+}
+async function logSuccess(toolInfo, record2, result) {
+  const githubUrl = extractGitHubUrl(result);
+  const githubId = extractGitHubId(result);
+  await logAudit({
+    compliance_record_id: record2.id,
+    tool_name: toolInfo.toolName,
+    owner: toolInfo.owner,
+    repo: toolInfo.repo,
+    github_username: record2.github_username,
+    status: "success",
+    error_message: null,
+    github_url: githubUrl,
+    github_id: githubId,
+    executed_at: new Date().toISOString(),
+    content_preview: toolInfo.body ? toolInfo.body.substring(0, 500) : null
+  });
+}
 var GitHubCompliancePlugin = async (_ctx) => {
   await initDatabase();
   return {
@@ -12864,10 +12965,16 @@ var GitHubCompliancePlugin = async (_ctx) => {
       if (!isGitHubWriteTool(input.tool)) {
         return;
       }
+      const isMcp = isMcpTool(input.tool);
+      if (isMcp) {
+        output.__needsMcpValidation = true;
+        output.__mcpToolName = input.tool;
+        return;
+      }
       let toolInfo;
-      let record2 = null;
       try {
-        toolInfo = extractToolInfo(input.tool, input.args);
+        const args = extractArgs(input, output);
+        toolInfo = extractToolInfoFromArgs(input.tool, args);
       } catch (error45) {
         await logFailedAttempt({
           tool_name: input.tool,
@@ -12884,21 +12991,10 @@ var GitHubCompliancePlugin = async (_ctx) => {
         }));
       }
       try {
-        record2 = await getComplianceRecord(toolInfo.toolName, toolInfo.owner, toolInfo.repo, toolInfo.contentHash);
-        const validation = await validateCompliance(record2, toolInfo);
-        if (!validation.valid) {
-          await logFailedAttempt({
-            tool_name: toolInfo.toolName,
-            owner: toolInfo.owner,
-            repo: toolInfo.repo,
-            reason: validation.reason,
-            content_hash: toolInfo.contentHash,
-            provided_record_id: record2?.id || null,
-            error_details: validation.message
-          });
+        const { allowed, record: record2, validation } = await validateAndProcess(toolInfo.toolName, toolInfo.owner, toolInfo.repo, toolInfo.contentHash, toolInfo);
+        if (!allowed) {
           throw new Error(buildBlockedError(validation));
         }
-        await markRecordUsed(record2.id);
         output.__complianceRecordId = record2.id;
         output.__toolInfo = toolInfo;
       } catch (error45) {
@@ -12908,10 +13004,10 @@ var GitHubCompliancePlugin = async (_ctx) => {
         await logFailedAttempt({
           tool_name: toolInfo.toolName,
           owner: toolInfo.owner,
-          repo: toolInfo.repo,
+          toolInfo: toolInfo.repo,
           reason: ERROR_REASONS.UNEXPECTED_ERROR,
           content_hash: toolInfo.contentHash,
-          provided_record_id: record2?.id || null,
+          provided_record_id: null,
           error_details: error45 instanceof Error ? error45.message : String(error45)
         });
         throw new Error(buildBlockedError({
@@ -12925,26 +13021,63 @@ var GitHubCompliancePlugin = async (_ctx) => {
       if (!isGitHubWriteTool(input.tool)) {
         return;
       }
+      const isMcp = isMcpTool(input.tool);
+      const needsMcpValidation = output.__needsMcpValidation === true;
+      if (isMcp && needsMcpValidation) {
+        let toolInfo2;
+        try {
+          const args = input.args;
+          toolInfo2 = extractToolInfoFromArgs(input.tool, args || null);
+        } catch (error45) {
+          await logFailedAttempt({
+            tool_name: input.tool,
+            owner: "unknown",
+            repo: "unknown",
+            reason: ERROR_REASONS.EXTRACTION_ERROR,
+            content_hash: null,
+            error_details: `Failed to extract MCP tool info in after hook: ${error45 instanceof Error ? error45.message : String(error45)}`
+          });
+          return;
+        }
+        try {
+          const { allowed, record: record3, validation } = await validateAndProcess(toolInfo2.toolName, toolInfo2.owner, toolInfo2.repo, toolInfo2.contentHash, toolInfo2);
+          if (!allowed) {
+            await logFailedAttempt({
+              tool_name: toolInfo2.toolName,
+              owner: toolInfo2.owner,
+              repo: toolInfo2.repo,
+              reason: validation.reason,
+              content_hash: toolInfo2.contentHash,
+              provided_record_id: record3?.id || null,
+              error_details: "MCP tool executed without valid compliance record"
+            });
+            return;
+          }
+          if (record3) {
+            await logSuccess(toolInfo2, record3, output.result);
+          }
+        } catch (error45) {
+          await logFailedAttempt({
+            tool_name: toolInfo2.toolName,
+            owner: toolInfo2.owner,
+            repo: toolInfo2.repo,
+            reason: ERROR_REASONS.UNEXPECTED_ERROR,
+            content_hash: toolInfo2.contentHash,
+            provided_record_id: null,
+            error_details: error45 instanceof Error ? error45.message : String(error45)
+          });
+        }
+        return;
+      }
       const complianceRecordId = output.__complianceRecordId;
       const toolInfo = output.__toolInfo;
       if (!complianceRecordId || !toolInfo) {
         return;
       }
-      const githubUrl = extractGitHubUrl(output.result);
-      const githubId = extractGitHubId(output.result);
-      await logAudit({
-        compliance_record_id: complianceRecordId,
-        tool_name: toolInfo.toolName,
-        owner: toolInfo.owner,
-        repo: toolInfo.repo,
-        github_username: "unknown",
-        status: "success",
-        error_message: null,
-        github_url: githubUrl,
-        github_id: githubId,
-        executed_at: new Date().toISOString(),
-        content_preview: toolInfo.body ? toolInfo.body.substring(0, 500) : null
-      });
+      const record2 = await getComplianceRecord(toolInfo.toolName, toolInfo.owner, toolInfo.repo, toolInfo.contentHash);
+      if (record2) {
+        await logSuccess(toolInfo, record2, output.result);
+      }
     }
   };
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ossdeveloper/github-compliance",
-  "version": "1.0.2",
+  "version": "1.3.0",
   "description": "GitHub compliance plugin for OpenCode - enforces human approval for write operations",
   "main": "dist/plugin.js",
   "type": "module",