@prodcycle/prodcycle 0.4.2 → 0.6.0

package/dist/index.js

@@ -14,6 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.emitScannerErrorWarning = emitScannerErrorWarning;
 exports.scan = scan;
 exports.gate = gate;
 const api_client_1 = require("./api-client");
@@ -23,42 +24,107 @@ __exportStar(require("./formatters/table"), exports);
 __exportStar(require("./formatters/prompt"), exports);
 __exportStar(require("./formatters/sarif"), exports);
 /**
- * Scan a repository by collecting files and sending them to the API
+ * Format and write the scanner-error warning to stderr. Centralized so the
+ * wording stays consistent across `scan()`, `gate()`, and the `scans <id>`
+ * CLI subcommand.
+ */
+function emitScannerErrorWarning(scannerError) {
+    process.stderr.write(`⚠ Scanner error: ${scannerError.message}` +
+        (scannerError.errorClass ? ` (errorClass=${scannerError.errorClass})` : '') +
+        (scannerError.errorCode ? ` (errorCode=${scannerError.errorCode})` : '') +
+        '\n');
+}
+/**
+ * Scan a repository by collecting files and sending them to the API.
+ *
+ * Modes (selectable via `options.config`):
+ *   - default: synchronous validate; auto-falls-back to chunked sessions
+ *     if the server returns 413 with `suggestedEndpoint=/v1/compliance/scans`
+ *   - `mode: 'async'`: kicks off a 202 async-validate and polls until
+ *     terminal (returns same shape as default)
+ *   - `mode: 'chunked'`: explicit chunked-session flow regardless of size
  */
 async function scan(params) {
     const { repoPath, frameworks = ['soc2'], options = {} } = params;
-    // Collect files
     const files = await (0, fs_1.collectFiles)(repoPath, options.include, options.exclude);
     if (Object.keys(files).length === 0) {
         return {
             passed: true,
             exitCode: 0,
             findings: [],
-            report: null
+            report: null,
+            summary: undefined,
         };
     }
     const client = new api_client_1.ComplianceApiClient(options.apiUrl, options.apiKey);
-    const response = await client.validate(files, frameworks, options);
+    const mode = options.config?.mode ?? 'sync';
+    let response;
+    if (mode === 'async') {
+        response = await client.validateAndPoll(files, frameworks, options);
+    }
+    else if (mode === 'chunked') {
+        response = await client.validateChunked(files, frameworks, options);
+    }
+    else {
+        response = await client.validate(files, frameworks, options);
+    }
+    // Pull `scannerError` through if the API set it. Picking the field
+    // explicitly (rather than `...response`) so the CLI's public surface
+    // doesn't accidentally expose internal fields if the API adds them.
+    // `scannerError` lives in this module rather than `api-client.ts`, so the
+    // cast bridges the type boundary; `backfillError` is typed in
+    // `ScanResult` and needs no cast.
+    const scannerError = response.scannerError;
+    const backfillError = response.backfillError;
+    // Exit code semantics:
+    //   0 = passed (no actionable findings, no scanner error)
+    //   1 = findings present, code not clean
+    //   2 = scanner unavailable — could not certify either way; fail-closed
+    // Distinguish (1) from (2) so CI policy can decide whether a non-zero
+    // exit means "developer must fix code" or "operator must investigate
+    // scanner."
+    const exitCode = scannerError ? 2 : response.passed ? 0 : 1;
+    // Surface scanner errors prominently to stderr so the user sees the
+    // distinction between a clean pass and an undetermined result. The
+    // JSON output already carries the structured field for programmatic
+    // consumers; this is for humans running the CLI interactively.
+    if (scannerError)
+        emitScannerErrorWarning(scannerError);
     return {
+        scanId: response.scanId,
         passed: response.passed,
-        exitCode: response.passed ? 0 : 1,
-        findings: response.findings || [],
-        report: response.report, // The API should return the full report object if requested, or we synthesize it
-        summary: response.summary
+        exitCode,
+        findings: response.findings ?? [],
+        report: response.report ?? null,
+        summary: response.summary,
+        ...(scannerError ? { scannerError } : {}),
+        // Forward `backfillError` so SARIF/JSON consumers downstream of `scan()`
+        // can detect "summary is real but findings unavailable" without parsing
+        // stderr. validateChunked sets it when its enrichment GET fails.
+        ...(backfillError ? { backfillError } : {}),
     };
 }
 /**
- * Gate code strings directly without writing to disk
+ * Gate code strings directly without writing to disk (low-latency hook
+ * endpoint, used by coding-agent post-edit hooks).
  */
 async function gate(options) {
     const { files, frameworks = ['soc2'], ...scanOpts } = options;
     const client = new api_client_1.ComplianceApiClient(options.apiUrl, options.apiKey);
     const response = await client.hook(files, frameworks, scanOpts);
+    // Same scannerError plumbing as scan() above. Coding-agent hooks
+    // especially need to distinguish "code is clean" from "scanner is
+    // down" — agents should NOT proceed on the latter.
+    const scannerError = response.scannerError;
+    const exitCode = scannerError ? 2 : response.passed ? 0 : 1;
+    if (scannerError)
+        emitScannerErrorWarning(scannerError);
     return {
         passed: response.passed,
-        exitCode: response.passed ? 0 : 1,
-        findings: response.findings || [],
+        exitCode,
+        findings: response.findings ?? [],
         prompt: response.prompt,
-        summary: response.summary
+        summary: response.summary,
+        ...(scannerError ? { scannerError } : {}),
     };
 }

package/dist/utils/fs.js

@@ -38,7 +38,73 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const minimatch_1 = require("minimatch");
 const MAX_FILE_SIZE = 256 * 1024; // 256 KB
-const MAX_TOTAL_FILES = 10_000;
+/**
+ * Total file ceiling per scan. Hit on the OSS-CLI benchmark scanning
+ * `hapifhir/hapi-fhir` (~13k files) — the CLI silently dropped ~3k files
+ * past the cap. Default raised from the original 10k to 50k, and now
+ * overridable via `PRODCYCLE_MAX_FILES` for monorepos that need a
+ * different ceiling without patching/rebuilding. The API's chunked-
+ * session endpoint already supports up to 2,000 files per chunk, so a
+ * 50k-file repo is fed in 25+ chunks; the cap is here purely so a
+ * pathological symlink loop or `.git`-tracked-as-source repo doesn't
+ * exhaust the client's memory before the SCANNABLE_EXTENSIONS filter
+ * has a chance to drop most of the entries.
+ */
+const MAX_TOTAL_FILES = (() => {
+    const raw = process.env['PRODCYCLE_MAX_FILES'];
+    if (!raw)
+        return 50_000;
+    const parsed = parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : 50_000;
+})();
+/**
+ * Extensions and exact filenames the server-side `isScannable` filter
+ * accepts. Pre-filtering client-side avoids:
+ *   - bloating the wire payload with images / fonts / docs / archives
+ *     that the API just drops on receipt
+ *   - hitting MAX_TOTAL_FILES on repos like hapi-fhir or the Linux
+ *     kernel where most files are not scannable
+ *
+ * Keep in lock-step with `api/src/domain/services/compliance-scan.service.ts`:
+ *   - APPLICATION_CODE_EXTENSIONS (the source-code allowlist)
+ *   - INFRASTRUCTURE_EXTENSIONS (.tf, .yaml, .yml, .json, .sql)
+ *   - INFRASTRUCTURE_FILENAMES (dockerfile, .env)
+ *
+ * Files outside this set are skipped during walk. Source-of-truth is
+ * the server filter; this is just an optimization so we don't pay the
+ * wire cost for files the server will reject anyway.
+ */
+const SCANNABLE_EXTENSIONS = new Set([
+    // Application code (must mirror APPLICATION_CODE_EXTENSIONS in the API)
+    '.ts',
+    '.tsx',
+    '.js',
+    '.jsx',
+    '.py',
+    '.go',
+    '.java',
+    '.rb',
+    '.php',
+    '.rs',
+    '.cs',
+    '.kt',
+    '.scala',
+    '.c',
+    '.cpp',
+    '.h',
+    '.hpp',
+    // Infrastructure-as-code (must mirror INFRASTRUCTURE_EXTENSIONS in the API)
+    '.tf',
+    '.yaml',
+    '.yml',
+    '.json',
+    '.sql',
+]);
+const SCANNABLE_FILENAMES = new Set([
+    'dockerfile',
+    'containerfile',
+    '.env',
+]);
 /**
  * Directories skipped unconditionally. Kept in parity with
  * `packages/compliance-code-scanner/src/ignore-utils.ts`.
@@ -79,7 +145,15 @@ const SKIP_DIRS = new Set([
 ]);
 const SKIP_DIR_SUFFIXES = ['.egg-info'];
 const SKIP_FILE_EXTENSIONS = ['.lock', '.min.js', '.min.css', '.map', '.bundle.js', '.tfstate', '.tfstate.backup'];
-const SKIP_FILE_NAMES = new Set(['package-lock.json']);
+// Files the server-side `isScannable` filter drops on receipt. Listing
+// them client-side avoids paying the wire cost just to have the API
+// throw the bytes away. Keep in lock-step with the server's filter in
+// `compliance-code-scanner/src/collector.ts`.
+const SKIP_FILE_NAMES = new Set([
+    'package-lock.json',
+    'package.json',
+    'tsconfig.json',
+]);
 /**
  * Load .gitignore patterns from the repo root.
  *
@@ -132,8 +206,15 @@ function shouldIgnore(name, relPath, ignores, userExcludes) {
         if (matchesAny(relPath, userExcludes))
             return true;
     }
-    // .env* files are always scanned, even if listed in .gitignore (common case)
-    if (name.startsWith('.env') || name.endsWith('.env'))
+    // .env-family files are always scanned even if .gitignored — the
+    // common case for `.env`, `.env.local`, `.env.production`, `.envrc`,
+    // etc., where the whole point of scanning is to catch hardcoded
+    // secrets. The previous `endsWith('.env')` half of this carve-out
+    // also matched arbitrary `foo.env` files (a build artifact, a config
+    // dump, etc.), which let unrelated files bypass gitignore. Restrict
+    // to names that start with `.env`. Keep in lock-step with
+    // `compliance-code-scanner/src/ignore-utils.ts`.
+    if (name.startsWith('.env'))
         return false;
     for (const pattern of ignores) {
         if (name === pattern ||
@@ -159,6 +240,30 @@ function shouldSkipFileByName(name) {
         return true;
     return SKIP_FILE_EXTENSIONS.some((ext) => name.endsWith(ext));
 }
+/**
+ * Mirror of the server's `isScannable` filter, applied client-side so we
+ * don't ship files the API will just drop. Also keeps repos like
+ * hapi-fhir (~13k files, mostly Java + some CSS/HTML/templates) from
+ * tripping MAX_TOTAL_FILES on non-scannable noise.
+ */
+function isScannableFilename(name) {
+    const lower = name.toLowerCase();
+    if (SCANNABLE_FILENAMES.has(lower))
+        return true;
+    // Dockerfile variants (dockerfile.prod, dockerfile.dev, …)
+    if (lower.startsWith('dockerfile.'))
+        return true;
+    // Any .env* file — kept in lock-step with the carve-out in `shouldIgnore`,
+    // which preserves the whole .env* family from gitignore. The server may
+    // drop unknown variants (e.g. .envrc) but it's better to forward them than
+    // silently diverge from the ignore policy.
+    if (lower.startsWith('.env'))
+        return true;
+    const dot = lower.lastIndexOf('.');
+    if (dot === -1)
+        return false;
+    return SCANNABLE_EXTENSIONS.has(lower.slice(dot));
+}
 async function collectFiles(baseDir, includePatterns, excludePatterns) {
     const repoRoot = path.resolve(baseDir);
     const ignores = loadGitignore(repoRoot);
@@ -195,6 +300,14 @@ function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, stat
             continue;
         if (shouldSkipFileByName(name))
             continue;
+        // Skip files the server-side `isScannable` filter will drop anyway.
+        // No point paying the wire cost. When `--include` patterns are given
+        // we honor those instead — explicit user intent overrides the
+        // server-shape allowlist.
+        if ((!includePatterns || includePatterns.length === 0) &&
+            !isScannableFilename(name)) {
+            continue;
+        }
         if (includePatterns && includePatterns.length > 0 && !matchesAny(relPath, includePatterns)) {
             continue;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.4.2",
+  "version": "0.6.0",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {
@@ -20,6 +20,7 @@
   },
   "scripts": {
     "build": "tsc",
+    "test": "npm run build && node --test test/*.test.mjs",
     "prepublishOnly": "npm run build"
   },
   "keywords": [