@prodcycle/prodcycle 0.6.0 → 0.6.1

package/dist/cli.d.ts

@@ -13,3 +13,40 @@
  * by hand.
  */
 export declare function isCiEnvironment(env?: NodeJS.ProcessEnv): boolean;
+/**
+ * Resolve the files to scan for a `hook` invocation. Supports:
+ *   - `--file <path>` — read that file from disk
+ *   - stdin: `{"files": {path: content}}` (same as gate)
+ *   - stdin: `{"file_path": "...", "content": "..."}` (single file)
+ *   - stdin: Claude Code PostToolUse shape —
+ *       `{"tool_input": {"file_path": "...", "content"|"new_string": "..."}}`
+ *     When only `file_path` is given and we can read the file, we do.
+ */
+/**
+ * Convert the user-supplied `--file <path>` value into a repo-relative key.
+ *
+ * The compliance API rejects absolute paths (`File path must be relative`).
+ * Two failure modes the naive implementation hit on macOS:
+ *
+ *   1. Absolute paths under cwd silently became cryptic 400s. Fixed by
+ *      `path.relative(cwd, absolute)` — works on Linux.
+ *   2. macOS `/tmp` is a symlink to `/private/tmp`. `path.resolve()` does
+ *      NOT follow symlinks, but `process.cwd()` returns the physical path
+ *      via the kernel's `getcwd()`. Result: `path.resolve('/tmp/repo/x')`
+ *      = `/tmp/repo/x` while cwd is `/private/tmp/repo`, so the relative
+ *      path is `../../../tmp/repo/x` and the file is incorrectly rejected
+ *      as "outside cwd" — exactly the agent-hook scenario this targets.
+ *      Fix: realpath both sides before comparing.
+ *
+ * Pure function (no fs I/O of its own, no `process.exit`) so it's directly
+ * unit-testable. Caller passes the original input, the realpath of the
+ * resolved file (`fs.realpathSync(path.resolve(filePath))`), and the
+ * realpath of cwd. Tests construct realpath inputs themselves.
+ */
+export declare function resolveHookFileKey(inputPath: string, realpathFile: string, realpathCwd: string): {
+    ok: true;
+    key: string;
+} | {
+    ok: false;
+    error: string;
+};

package/dist/cli.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isCiEnvironment = isCiEnvironment;
+exports.resolveHookFileKey = resolveHookFileKey;
 const commander_1 = require("commander");
 const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
@@ -237,14 +238,14 @@ program
 program
     .command('gate')
     .description('Evaluate a JSON payload of files from stdin (low-latency hook endpoint)')
-    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2')
+    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2,hipaa,nist-csf')
     .option('--format <format>', 'Output format: json, sarif, table, prompt', 'prompt')
     .option('--output <file>', 'Write report to file')
     .option('--api-url <url>', 'Compliance API base URL (or PC_API_URL env)')
     .option('--api-key <key>', 'API key for compliance API (or PC_API_KEY env)')
     .action(async (opts) => {
     try {
-        const frameworks = parseList(opts.framework) ?? ['soc2'];
+        const frameworks = parseList(opts.framework) ?? ['soc2', 'hipaa', 'nist-csf'];
         const format = (opts.format ?? 'prompt');
         const stdin = await readStdin();
         if (!stdin.trim()) {
@@ -331,7 +332,7 @@ program
 program
     .command('hook')
     .description('Run as coding-agent post-edit hook (reads stdin or --file)')
-    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2')
+    .option('--framework <ids>', 'Comma-separated framework IDs to evaluate', 'soc2,hipaa,nist-csf')
     .option('--format <format>', 'Output format: json, sarif, table, prompt', 'prompt')
     .option('--file <path>', 'Scan this file from disk (alternative to reading content from stdin)')
     .option('--fail-on <levels>', 'Severities that cause non-zero exit', 'critical,high')
@@ -340,7 +341,7 @@ program
     .option('--api-key <key>', 'API key for compliance API (or PC_API_KEY env)')
     .action(async (opts) => {
     try {
-        const frameworks = parseList(opts.framework) ?? ['soc2'];
+        const frameworks = parseList(opts.framework) ?? ['soc2', 'hipaa', 'nist-csf'];
         const format = (opts.format ?? 'prompt');
         const files = await collectHookFiles(opts.file);
         if (!files || Object.keys(files).length === 0) {
@@ -371,6 +372,43 @@ program
  *       `{"tool_input": {"file_path": "...", "content"|"new_string": "..."}}`
  *     When only `file_path` is given and we can read the file, we do.
  */
+/**
+ * Convert the user-supplied `--file <path>` value into a repo-relative key.
+ *
+ * The compliance API rejects absolute paths (`File path must be relative`).
+ * Two failure modes the naive implementation hit on macOS:
+ *
+ *   1. Absolute paths under cwd silently became cryptic 400s. Fixed by
+ *      `path.relative(cwd, absolute)` — works on Linux.
+ *   2. macOS `/tmp` is a symlink to `/private/tmp`. `path.resolve()` does
+ *      NOT follow symlinks, but `process.cwd()` returns the physical path
+ *      via the kernel's `getcwd()`. Result: `path.resolve('/tmp/repo/x')`
+ *      = `/tmp/repo/x` while cwd is `/private/tmp/repo`, so the relative
+ *      path is `../../../tmp/repo/x` and the file is incorrectly rejected
+ *      as "outside cwd" — exactly the agent-hook scenario this targets.
+ *      Fix: realpath both sides before comparing.
+ *
+ * Pure function (no fs I/O of its own, no `process.exit`) so it's directly
+ * unit-testable. Caller passes the original input, the realpath of the
+ * resolved file (`fs.realpathSync(path.resolve(filePath))`), and the
+ * realpath of cwd. Tests construct realpath inputs themselves.
+ */
+function resolveHookFileKey(inputPath, realpathFile, realpathCwd) {
+    if (!path.isAbsolute(inputPath)) {
+        // Relative input passes through verbatim — no symlink ambiguity.
+        return { ok: true, key: inputPath };
+    }
+    const relative = path.relative(realpathCwd, realpathFile);
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
+        return {
+            ok: false,
+            error: `hook: --file ${inputPath} is outside the current directory ` +
+                `(${realpathCwd}). Pass a path relative to the repo root, or ` +
+                `cd into the repo first.`,
+        };
+    }
+    return { ok: true, key: relative };
+}
 async function collectHookFiles(filePath) {
     if (filePath) {
         const absolute = path.resolve(filePath);
@@ -379,7 +417,17 @@ async function collectHookFiles(filePath) {
             process.exit(2);
         }
         const content = fs.readFileSync(absolute, 'utf8');
-        return { [filePath]: content };
+        // Realpath both sides so the macOS `/tmp → /private/tmp` symlink doesn't
+        // make a valid agent-hook path (e.g. `/tmp/repo/main.tf`) appear outside
+        // cwd. See `resolveHookFileKey` JSDoc for the full rationale.
+        const realpathFile = fs.realpathSync(absolute);
+        const realpathCwd = fs.realpathSync(process.cwd());
+        const resolved = resolveHookFileKey(filePath, realpathFile, realpathCwd);
+        if (!resolved.ok) {
+            console.error(resolved.error);
+            process.exit(2);
+        }
+        return { [resolved.key]: content };
     }
     const stdin = await readStdin();
     if (!stdin.trim()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {