@paths.design/caws-cli 3.3.0 → 3.4.0

package/dist/utils/typescript-detector.js

@@ -100,24 +100,257 @@ function detectTestFramework(projectDir = process.cwd(), packageJson = null) {
   };
 }
 
+/**
+ * Get workspace directories from package.json
+ * @param {string} projectDir - Project directory path
+ * @returns {string[]} Array of workspace directories
+ */
+/**
+ * Get workspace directories from npm/yarn package.json workspaces
+ * @param {string} projectDir - Project directory path
+ * @returns {string[]} Array of workspace directories
+ */
+function getNpmWorkspaces(projectDir) {
+  const packageJsonPath = path.join(projectDir, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return [];
+  }
+
+  try {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const workspaces = packageJson.workspaces || [];
+
+    // Convert glob patterns to actual directories (simple implementation)
+    const workspaceDirs = [];
+    for (const ws of workspaces) {
+      // Handle simple patterns like "packages/*" or "iterations/*"
+      if (ws.includes('*')) {
+        const baseDir = ws.split('*')[0];
+        const fullBaseDir = path.join(projectDir, baseDir);
+
+        if (fs.existsSync(fullBaseDir)) {
+          const entries = fs.readdirSync(fullBaseDir, { withFileTypes: true });
+          for (const entry of entries) {
+            if (entry.isDirectory()) {
+              const wsPath = path.join(fullBaseDir, entry.name);
+              if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+                workspaceDirs.push(wsPath);
+              }
+            }
+          }
+        }
+      } else {
+        // Direct path
+        const wsPath = path.join(projectDir, ws);
+        if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+          workspaceDirs.push(wsPath);
+        }
+      }
+    }
+
+    return workspaceDirs;
+  } catch (error) {
+    return [];
+  }
+}
+
+/**
+ * Get workspace directories from pnpm-workspace.yaml
+ * @param {string} projectDir - Project directory path
+ * @returns {string[]} Array of workspace directories
+ */
+function getPnpmWorkspaces(projectDir) {
+  const pnpmFile = path.join(projectDir, 'pnpm-workspace.yaml');
+
+  if (!fs.existsSync(pnpmFile)) {
+    return [];
+  }
+
+  try {
+    const yaml = require('js-yaml');
+    const config = yaml.load(fs.readFileSync(pnpmFile, 'utf8'));
+    const workspacePatterns = config.packages || [];
+
+    // Convert glob patterns to actual directories
+    const workspaceDirs = [];
+    for (const pattern of workspacePatterns) {
+      if (pattern.includes('*')) {
+        const baseDir = pattern.split('*')[0];
+        const fullBaseDir = path.join(projectDir, baseDir);
+
+        if (fs.existsSync(fullBaseDir)) {
+          const entries = fs.readdirSync(fullBaseDir, { withFileTypes: true });
+          for (const entry of entries) {
+            if (entry.isDirectory()) {
+              const wsPath = path.join(fullBaseDir, entry.name);
+              if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+                workspaceDirs.push(wsPath);
+              }
+            }
+          }
+        }
+      } else {
+        // Direct path
+        const wsPath = path.join(projectDir, pattern);
+        if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+          workspaceDirs.push(wsPath);
+        }
+      }
+    }
+
+    return workspaceDirs;
+  } catch (error) {
+    return [];
+  }
+}
+
+/**
+ * Get workspace directories from lerna.json
+ * @param {string} projectDir - Project directory path
+ * @returns {string[]} Array of workspace directories
+ */
+function getLernaWorkspaces(projectDir) {
+  const lernaFile = path.join(projectDir, 'lerna.json');
+
+  if (!fs.existsSync(lernaFile)) {
+    return [];
+  }
+
+  try {
+    const config = JSON.parse(fs.readFileSync(lernaFile, 'utf8'));
+    const workspacePatterns = config.packages || ['packages/*'];
+
+    // Convert glob patterns to actual directories
+    const workspaceDirs = [];
+    for (const pattern of workspacePatterns) {
+      if (pattern.includes('*')) {
+        const baseDir = pattern.split('*')[0];
+        const fullBaseDir = path.join(projectDir, baseDir);
+
+        if (fs.existsSync(fullBaseDir)) {
+          const entries = fs.readdirSync(fullBaseDir, { withFileTypes: true });
+          for (const entry of entries) {
+            if (entry.isDirectory()) {
+              const wsPath = path.join(fullBaseDir, entry.name);
+              if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+                workspaceDirs.push(wsPath);
+              }
+            }
+          }
+        }
+      } else {
+        // Direct path
+        const wsPath = path.join(projectDir, pattern);
+        if (fs.existsSync(path.join(wsPath, 'package.json'))) {
+          workspaceDirs.push(wsPath);
+        }
+      }
+    }
+
+    return workspaceDirs;
+  } catch (error) {
+    return [];
+  }
+}
+
+/**
+ * Check if a dependency exists in hoisted node_modules
+ * @param {string} depName - Dependency name to check
+ * @param {string} projectDir - Project directory path
+ * @returns {boolean} True if dependency found in hoisted node_modules
+ */
+function checkHoistedDependency(depName, projectDir) {
+  const hoistedPath = path.join(projectDir, 'node_modules', depName, 'package.json');
+  return fs.existsSync(hoistedPath);
+}
+
+function getWorkspaceDirectories(projectDir = process.cwd()) {
+  const workspaceDirs = [
+    ...getNpmWorkspaces(projectDir),
+    ...getPnpmWorkspaces(projectDir),
+    ...getLernaWorkspaces(projectDir),
+  ];
+
+  // Remove duplicates
+  return [...new Set(workspaceDirs)];
+}
+
 /**
  * Check if TypeScript project needs test configuration
  * @param {string} projectDir - Project directory path
  * @returns {Object} Configuration status
  */
 function checkTypeScriptTestConfig(projectDir = process.cwd()) {
-  const tsDetection = detectTypeScript(projectDir);
-  const testDetection = detectTestFramework(projectDir, tsDetection.packageJson);
+  // First check root directory
+  const rootTsDetection = detectTypeScript(projectDir);
+  const rootTestDetection = detectTestFramework(projectDir, rootTsDetection.packageJson);
+
+  // Get workspace directories and check them too
+  const workspaceDirs = getWorkspaceDirectories(projectDir);
+  const workspaceResults = [];
+
+  for (const wsDir of workspaceDirs) {
+    const wsTsDetection = detectTypeScript(wsDir);
+    const wsTestDetection = detectTestFramework(wsDir, wsTsDetection.packageJson);
+
+    workspaceResults.push({
+      directory: path.relative(projectDir, wsDir),
+      tsDetection: wsTsDetection,
+      testDetection: wsTestDetection,
+    });
+  }
+
+  // Determine overall status - prefer workspace results if they exist
+  let primaryTsDetection = rootTsDetection;
+  let primaryTestDetection = rootTestDetection;
+  let primaryWorkspace = null;
+
+  // Find the workspace with the most complete TypeScript setup
+  for (const wsResult of workspaceResults) {
+    if (wsResult.tsDetection.isTypeScript) {
+      if (
+        !primaryTsDetection.isTypeScript ||
+        (wsResult.tsDetection.hasTsConfig && !primaryTsDetection.hasTsConfig) ||
+        (wsResult.testDetection.framework !== 'none' && primaryTestDetection.framework === 'none')
+      ) {
+        primaryTsDetection = wsResult.tsDetection;
+        primaryTestDetection = wsResult.testDetection;
+        primaryWorkspace = wsResult.directory;
+      }
+    }
+  }
+
+  // Check for ts-jest in workspaces and hoisted node_modules
+  let hasTsJestAnywhere = primaryTestDetection.hasTsJest;
+
+  // If not found in primary workspace, check all workspaces
+  if (!hasTsJestAnywhere) {
+    hasTsJestAnywhere = workspaceResults.some((ws) => ws.testDetection.hasTsJest);
+  }
+
+  // If still not found, check hoisted node_modules
+  if (!hasTsJestAnywhere) {
+    hasTsJestAnywhere = checkHoistedDependency('ts-jest', projectDir);
+  }
 
   const needsConfig =
-    tsDetection.isTypeScript && testDetection.framework === 'jest' && !testDetection.hasTsJest;
+    primaryTsDetection.isTypeScript &&
+    primaryTestDetection.framework === 'jest' &&
+    !hasTsJestAnywhere;
 
   return {
-    ...tsDetection,
-    testFramework: testDetection,
-    needsJestConfig: tsDetection.isTypeScript && !testDetection.isConfigured,
+    ...primaryTsDetection,
+    testFramework: primaryTestDetection,
+    needsJestConfig: primaryTsDetection.isTypeScript && !primaryTestDetection.isConfigured,
     needsTsJest: needsConfig,
-    recommendations: generateRecommendations(tsDetection, testDetection),
+    recommendations: generateRecommendations(primaryTsDetection, primaryTestDetection),
+    workspaceInfo: {
+      hasWorkspaces: workspaceDirs.length > 0,
+      workspaceCount: workspaceDirs.length,
+      primaryWorkspace,
+      allWorkspaces: workspaceResults.map((ws) => ws.directory),
+    },
   };
 }
 
@@ -179,6 +412,11 @@ function displayTypeScriptDetection(detection) {
 module.exports = {
   detectTypeScript,
   detectTestFramework,
+  getWorkspaceDirectories,
+  getNpmWorkspaces,
+  getPnpmWorkspaces,
+  getLernaWorkspaces,
+  checkHoistedDependency,
   checkTypeScriptTestConfig,
   generateRecommendations,
   displayTypeScriptDetection,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@paths.design/caws-cli",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "CAWS CLI - Coding Agent Workflow System command line tools",
   "main": "dist/index.js",
   "bin": {
@@ -52,9 +52,11 @@
   },
   "dependencies": {
     "ajv": "^8.12.0",
+    "chalk": "4.1.2",
     "commander": "^11.0.0",
     "fs-extra": "^11.0.0",
-    "inquirer": "8.2.7"
+    "inquirer": "8.2.7",
+    "js-yaml": "4.1.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.0.0",
@@ -66,10 +68,9 @@
     "@types/inquirer": "^8.2.6",
     "@types/js-yaml": "^4.0.0",
     "@types/node": "^20.0.0",
-    "chalk": "4.1.2",
+    "esbuild": "0.25.10",
     "eslint": "^9.0.0",
     "jest": "30.1.3",
-    "js-yaml": "4.1.0",
     "lint-staged": "15.5.2",
     "prettier": "^3.0.0",
     "semantic-release": "25.0.0-beta.6",

package/templates/OIDC_SETUP.md

@@ -0,0 +1,300 @@
+# OIDC Trusted Publisher Setup
+
+This guide helps you set up OIDC (OpenID Connect) trusted publisher for automated publishing to package registries.
+
+## Overview
+
+OIDC trusted publisher allows you to publish packages without storing long-lived tokens or passwords in your CI/CD environment. Instead, it uses short-lived tokens issued by the OIDC provider.
+
+## Supported Registries
+
+- **npm**: npm Registry
+- **PyPI**: Python Package Index
+- **Maven Central**: Java packages
+- **NuGet**: .NET packages
+
+## Setup Process
+
+### 1. Configure OIDC Provider
+
+Most CI/CD platforms (GitHub Actions, GitLab CI, etc.) provide built-in OIDC support.
+
+**GitHub Actions Example:**
+
+```yaml
+# .github/workflows/publish.yml
+name: Publish Package
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+      - name: Install dependencies
+        run: npm ci
+      - name: Build package
+        run: npm run build
+      - name: Publish to npm
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### 2. Registry Configuration
+
+#### npm Registry
+
+1. **Create OIDC Integration**:
+
+   ```bash
+   # Using npm CLI
+   npm profile enable-2fa auth-and-writes
+   ```
+
+2. **Configure Trusted Publisher**:
+   - Go to npmjs.com → Account Settings → Access Tokens
+   - Create "Automation" token
+   - Configure OIDC integration
+
+3. **Repository Settings**:
+   ```json
+   // package.json
+   {
+     "publishConfig": {
+       "registry": "https://registry.npmjs.org/"
+     }
+   }
+   ```
+
+#### PyPI (Python)
+
+1. **Create API Token**:
+
+   ```bash
+   # Using twine
+   twine upload --config-file ~/.pypirc dist/*
+   ```
+
+2. **OIDC Configuration**:
+   ```yaml
+   # .github/workflows/publish.yml
+   - name: Publish to PyPI
+     uses: pypa/gh-action-pypi-publish@release/v1
+     with:
+       password: ${{ secrets.PYPI_API_TOKEN }}
+   ```
+
+### 3. Security Best Practices
+
+#### Token Management
+
+- ✅ **Use short-lived tokens** (1-6 hours)
+- ✅ **Scope tokens to specific repositories**
+- ✅ **Rotate tokens regularly**
+- ❌ **Never store long-lived tokens in code**
+- ❌ **Never commit tokens to version control**
+
+#### Environment Variables
+
+```bash
+# Good: Short-lived, scoped token
+NODE_AUTH_TOKEN=gho_shortlivedtoken123
+
+# Bad: Long-lived, broad token
+NPM_TOKEN=longlivedbroadtoken456
+```
+
+#### Repository Secrets
+
+Store sensitive tokens in repository secrets:
+
+**GitHub**: Settings → Secrets and variables → Actions
+**GitLab**: Settings → CI/CD → Variables
+**Azure DevOps**: Pipelines → Library → Variable groups
+
+### 4. Testing the Setup
+
+#### Local Testing
+
+```bash
+# Test with dry run
+npm publish --dry-run
+
+# Test with local registry
+npm publish --registry http://localhost:4873
+```
+
+#### CI/CD Testing
+
+```yaml
+# Add to your workflow for testing
+- name: Test publish (dry run)
+  run: npm publish --dry-run
+  env:
+    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+### 5. Troubleshooting
+
+#### Common Issues
+
+**Token Expired**:
+
+```
+npm ERR! code E401
+npm ERR! Unable to authenticate, need: Basic
+```
+
+**Solution**: Check token expiration and refresh if needed.
+
+**Insufficient Permissions**:
+
+```
+npm ERR! code E403
+npm ERR! Forbidden
+```
+
+**Solution**: Verify token has publish permissions for the package.
+
+**OIDC Provider Issues**:
+
+```
+Error: Failed to get OIDC token
+```
+
+**Solution**: Check OIDC provider configuration and permissions.
+
+#### Debug Mode
+
+Enable debug logging:
+
+```bash
+# npm
+npm config set loglevel verbose
+
+# Python
+export TWINE_VERBOSE=1
+
+# Maven
+mvn deploy -X
+```
+
+### 6. Migration from Legacy Tokens
+
+If you're migrating from username/password or long-lived tokens:
+
+1. **Audit existing tokens**:
+
+   ```bash
+   # npm
+   npm profile get
+
+   # List all tokens
+   npm token list
+   ```
+
+2. **Revoke old tokens**:
+
+   ```bash
+   npm token delete <token-id>
+   ```
+
+3. **Update CI/CD workflows**:
+   - Replace `NPM_TOKEN` with `NODE_AUTH_TOKEN`
+   - Add OIDC permissions
+   - Test in staging environment
+
+### 7. Monitoring and Alerts
+
+Set up monitoring for:
+
+- **Publish failures**: Alert on failed deployments
+- **Token expiration**: Proactive token renewal
+- **Security events**: Unusual publish patterns
+- **Registry status**: External service health
+
+#### Example Monitoring
+
+```yaml
+# .github/workflows/monitor.yml
+name: Monitor Publishing
+
+on:
+  workflow_run:
+    workflows: ['Publish Package']
+    types: [completed]
+
+jobs:
+  monitor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check publish status
+        if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+        run: |
+          echo "Publish failed! Check logs."
+          # Send alert to Slack/Teams/etc.
+```
+
+## CAWS Integration
+
+For CAWS projects, OIDC setup integrates with:
+
+- **Provenance tracking**: Automatic attestation of published packages
+- **Security scanning**: Validation of published artifacts
+- **Quality gates**: Ensure packages meet standards before publish
+
+### CAWS-Specific Configuration
+
+```yaml
+# .caws/working-spec.yaml
+non_functional:
+  security:
+    - 'oidc-authentication'
+    - 'token-rotation'
+    - 'publish-attestation'
+```
+
+### Automated Provenance
+
+CAWS automatically generates provenance information:
+
+```bash
+# Generate SBOM and attestation
+caws attest --format=slsa
+
+# Validate before publish
+caws validate --security-scan
+```
+
+## Resources
+
+- [npm OIDC Documentation](https://docs.npmjs.com/about-access-tokens)
+- [GitHub Actions OIDC](https://docs.github.com/en/actions/deployment/security/hardening-your-deployments/about-security-hardening-with-openid-connect)
+- [PyPI Trusted Publishing](https://docs.pypi.org/trusted-publishing/)
+- [OIDC Specification](https://openid.net/connect/)
+
+## Support
+
+For issues with OIDC setup:
+
+1. Check the troubleshooting section above
+2. Review registry-specific documentation
+3. Open an issue in the CAWS repository
+4. Contact your organization's security team
+
+---
+
+**Note**: This guide provides general OIDC setup instructions. Always follow your organization's specific security policies and procedures.
+