@prodcycle/prodcycle 0.6.11 → 0.6.12

package/dist/api-client.d.ts

@@ -88,7 +88,7 @@ export declare class ComplianceApiClient {
      * '/v1/compliance/scans'`, silently falls back to the chunked-session
      * flow so large-repo CI jobs don't have to know the difference.
      */
-    validate(files: Record<string, string>, frameworks: string[], options?: ScanOptions): Promise<ScanResult>;
+    validate(files: Record<string, string>, frameworks: string[], options?: ScanOptions, vcsLocalOnly?: string[]): Promise<ScanResult>;
     /**
      * Hook endpoint — small per-write call from coding agents. No
      * suggestedEndpoint fallback because /hook keeps the historical 50 MB
@@ -102,7 +102,7 @@ export declare class ComplianceApiClient {
      * 30 minutes by default — abandoned sessions self-clean via the
      * stale-session reaper.
      */
-    openSession(frameworks: string[], options?: ScanOptions): Promise<{
+    openSession(frameworks: string[], options?: ScanOptions, vcsLocalOnly?: string[]): Promise<{
         scanId: string;
         chunkSizeBytes: number;
         maxFilesPerChunk: number;
@@ -131,7 +131,7 @@ export declare class ComplianceApiClient {
      * Caller can pre-set `chunkMaxBytes` / `chunkMaxFiles` on `options.config`
      * to override the conservative defaults.
      */
-    validateChunked(files: Record<string, string>, frameworks: string[], options?: ScanOptions): Promise<ScanResult>;
+    validateChunked(files: Record<string, string>, frameworks: string[], options?: ScanOptions, vcsLocalOnly?: string[]): Promise<ScanResult>;
     /**
      * Some server versions of `POST /scans/:id/complete` return only the summary,
      * leaving `findings` empty even when `summary.total > 0`. The findings are
@@ -153,7 +153,7 @@ export declare class ComplianceApiClient {
      * `getScan(scanId)` until status is COMPLETED or FAILED. Useful for CI
      * runners that don't want to hold a connection for a 60 s scan.
      */
-    validateAsync(files: Record<string, string>, frameworks: string[], options?: ScanOptions): Promise<{
+    validateAsync(files: Record<string, string>, frameworks: string[], options?: ScanOptions, vcsLocalOnly?: string[]): Promise<{
         scanId: string;
     }>;
     /**
@@ -164,7 +164,7 @@ export declare class ComplianceApiClient {
      * High-level helper: kicks off an async-validate, polls until terminal,
      * returns the same shape as `validate()`.
      */
-    validateAndPoll(files: Record<string, string>, frameworks: string[], options?: ScanOptions): Promise<ScanResult>;
+    validateAndPoll(files: Record<string, string>, frameworks: string[], options?: ScanOptions, vcsLocalOnly?: string[]): Promise<ScanResult>;
     private buildOptions;
     /**
      * Single HTTP request with:

package/dist/api-client.js

@@ -121,12 +121,17 @@ class ComplianceApiClient {
      * '/v1/compliance/scans'`, silently falls back to the chunked-session
      * flow so large-repo CI jobs don't have to know the difference.
      */
-    async validate(files, frameworks, options = {}) {
+    async validate(files, frameworks, options = {}, vcsLocalOnly = []) {
         try {
             return await this.request('POST', '/v1/compliance/validate', {
                 files,
                 frameworks,
                 options: this.buildOptions(options),
+                // Top-level hint (sibling of `files`/`frameworks`, NOT an option) so
+                // the scanner can downgrade secrets that exist only in the local
+                // working tree. Omitted entirely when empty so payloads are unchanged
+                // for repos without local-only files.
+                ...(vcsLocalOnly.length > 0 && { vcsLocalOnly }),
             });
         }
         catch (err) {
@@ -136,7 +141,7 @@ class ComplianceApiClient {
                 // Server says: this payload won't fit, use chunked sessions instead.
                 // Fall back transparently — the caller asked for `validate`, the
                 // semantics (single scanId with final findings) are preserved.
-                return this.validateChunked(files, frameworks, options);
+                return this.validateChunked(files, frameworks, options, vcsLocalOnly);
             }
             throw err;
         }
@@ -161,10 +166,13 @@ class ComplianceApiClient {
      * 30 minutes by default — abandoned sessions self-clean via the
      * stale-session reaper.
      */
-    async openSession(frameworks, options = {}) {
+    async openSession(frameworks, options = {}, vcsLocalOnly = []) {
         return this.request('POST', '/v1/compliance/scans', {
             frameworks,
             options: this.buildOptions(options),
+            // Sent once at session-open (NOT on appendChunk) — the scanner applies
+            // it to the whole chunked scan. Omitted when empty (see `validate`).
+            ...(vcsLocalOnly.length > 0 && { vcsLocalOnly }),
         });
     }
     /**
@@ -192,10 +200,10 @@ class ComplianceApiClient {
      * Caller can pre-set `chunkMaxBytes` / `chunkMaxFiles` on `options.config`
      * to override the conservative defaults.
      */
-    async validateChunked(files, frameworks, options = {}) {
+    async validateChunked(files, frameworks, options = {}, vcsLocalOnly = []) {
         const chunkMaxBytes = options.config?.chunkMaxBytes ?? DEFAULT_CHUNK_MAX_BYTES;
         const chunkMaxFiles = options.config?.chunkMaxFiles ?? DEFAULT_CHUNK_MAX_FILES;
-        const session = await this.openSession(frameworks, options);
+        const session = await this.openSession(frameworks, options, vcsLocalOnly);
         const chunks = chunkFiles(files, chunkMaxBytes, chunkMaxFiles);
         for (const chunk of chunks) {
             await this.appendChunk(session.scanId, chunk);
@@ -281,11 +289,13 @@ class ComplianceApiClient {
      * `getScan(scanId)` until status is COMPLETED or FAILED. Useful for CI
      * runners that don't want to hold a connection for a 60 s scan.
      */
-    async validateAsync(files, frameworks, options = {}) {
+    async validateAsync(files, frameworks, options = {}, vcsLocalOnly = []) {
         return this.request('POST', '/v1/compliance/validate?async=true', {
             files,
             frameworks,
             options: this.buildOptions(options),
+            // Top-level local-only hint; omitted when empty (see `validate`).
+            ...(vcsLocalOnly.length > 0 && { vcsLocalOnly }),
         });
     }
     /**
@@ -298,8 +308,8 @@ class ComplianceApiClient {
      * High-level helper: kicks off an async-validate, polls until terminal,
      * returns the same shape as `validate()`.
      */
-    async validateAndPoll(files, frameworks, options = {}) {
-        const { scanId } = await this.validateAsync(files, frameworks, options);
+    async validateAndPoll(files, frameworks, options = {}, vcsLocalOnly = []) {
+        const { scanId } = await this.validateAsync(files, frameworks, options, vcsLocalOnly);
         const deadline = Date.now() + ASYNC_POLL_TIMEOUT_MS;
         // Always poll at least once, and always do one final poll *after*
         // the last sleep before declaring a timeout — otherwise a scan that

package/dist/index.js

@@ -19,6 +19,7 @@ exports.scan = scan;
 exports.gate = gate;
 const api_client_1 = require("./api-client");
 const fs_1 = require("./utils/fs");
+const vcs_1 = require("./utils/vcs");
 __exportStar(require("./api-client"), exports);
 __exportStar(require("./formatters/table"), exports);
 __exportStar(require("./formatters/prompt"), exports);
@@ -56,17 +57,24 @@ async function scan(params) {
             summary: undefined,
         };
     }
+    // Compute the local-only files (git-ignored AND untracked) from the real
+    // `.git` in this checkout. The hosted API collects files in a sandbox
+    // without a real `.git`, so it can't derive this itself — we send it as a
+    // top-level `vcsLocalOnly` hint so the scanner downgrades secrets that live
+    // only in the local working tree (e.g. a developer's `.env`). Fail-safe:
+    // returns [] on any git error / non-repo, in which case nothing changes.
+    const vcsLocalOnly = await (0, vcs_1.computeVcsLocalOnly)(repoPath, Object.keys(files));
     const client = new api_client_1.ComplianceApiClient(options.apiUrl, options.apiKey);
     const mode = options.config?.mode ?? 'sync';
     let response;
     if (mode === 'async') {
-        response = await client.validateAndPoll(files, frameworks, options);
+        response = await client.validateAndPoll(files, frameworks, options, vcsLocalOnly);
     }
     else if (mode === 'chunked') {
-        response = await client.validateChunked(files, frameworks, options);
+        response = await client.validateChunked(files, frameworks, options, vcsLocalOnly);
     }
     else {
-        response = await client.validate(files, frameworks, options);
+        response = await client.validate(files, frameworks, options, vcsLocalOnly);
     }
     // Pull `scannerError` through if the API set it. Picking the field
     // explicitly (rather than `...response`) so the CLI's public surface

package/dist/utils/vcs.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Repo-relative paths (subset of candidatePaths) that are local-only: git
+ * IGNORES them, does NOT track them, AND they were never committed in any
+ * reachable history. Async (non-blocking) variant of the engine's
+ * `computeVcsLocalOnly` in @prodcycle/compliance-code-scanner; the LOGIC is
+ * identical, so keep the two in sync. The hosted API (which collects in a
+ * sandbox without a real `.git`) relies on this hint to downgrade secrets in
+ * local-only files.
+ *
+ * Recall-safe by construction:
+ *  - tracked files (even force-added past `.gitignore`) are filtered out before
+ *    the ignore check, so a currently-committed secret is never local-only;
+ *  - a file that was committed then `rm --cached`'d + gitignored is untracked
+ *    AND ignored, yet still recoverable from `git log --all` — the history
+ *    check excludes it so its secret stays critical (the real-leak case).
+ * Fail-safe: returns [] on any git error / non-repo / shallow clone — a
+ * truncated history can't prove a path was never committed, so we downgrade
+ * nothing rather than risk masking a leak.
+ */
+export declare function computeVcsLocalOnly(repoRoot: string, candidatePaths: string[]): Promise<string[]>;

package/dist/utils/vcs.js

@@ -0,0 +1,139 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeVcsLocalOnly = computeVcsLocalOnly;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = __importDefault(require("node:path"));
+const GIT_TIMEOUT_MS = 10_000;
+const toPosix = (p) => p.split(node_path_1.default.sep).join('/');
+/**
+ * Run `git -C <repoRoot> <args>` WITHOUT blocking the event loop — the CLI runs
+ * this mid-scan alongside async HTTP, and `git ls-files` on a large repo can
+ * take seconds. Optional `input` is written to stdin (for `check-ignore
+ * --stdin`). Resolves with stdout + exit code; rejects only when git cannot be
+ * spawned (e.g. not installed).
+ */
+function runGit(repoRoot, args, input) {
+    return new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)('git', ['-C', repoRoot, ...args], {
+            stdio: ['pipe', 'pipe', 'ignore'],
+            timeout: GIT_TIMEOUT_MS,
+        });
+        let stdout = '';
+        child.stdout.setEncoding('utf-8');
+        child.stdout.on('data', (chunk) => {
+            stdout += chunk;
+        });
+        child.once('error', reject); // git missing / spawn failure
+        child.once('close', (code) => resolve({ stdout, code: code ?? 1 }));
+        if (input !== undefined)
+            child.stdin.write(input);
+        child.stdin.end();
+    });
+}
+/**
+ * Repo-relative paths (subset of candidatePaths) that are local-only: git
+ * IGNORES them, does NOT track them, AND they were never committed in any
+ * reachable history. Async (non-blocking) variant of the engine's
+ * `computeVcsLocalOnly` in @prodcycle/compliance-code-scanner; the LOGIC is
+ * identical, so keep the two in sync. The hosted API (which collects in a
+ * sandbox without a real `.git`) relies on this hint to downgrade secrets in
+ * local-only files.
+ *
+ * Recall-safe by construction:
+ *  - tracked files (even force-added past `.gitignore`) are filtered out before
+ *    the ignore check, so a currently-committed secret is never local-only;
+ *  - a file that was committed then `rm --cached`'d + gitignored is untracked
+ *    AND ignored, yet still recoverable from `git log --all` — the history
+ *    check excludes it so its secret stays critical (the real-leak case).
+ * Fail-safe: returns [] on any git error / non-repo / shallow clone — a
+ * truncated history can't prove a path was never committed, so we downgrade
+ * nothing rather than risk masking a leak.
+ */
+async function computeVcsLocalOnly(repoRoot, candidatePaths) {
+    if (candidatePaths.length === 0)
+        return [];
+    const root = node_path_1.default.resolve(repoRoot);
+    let tracked;
+    try {
+        const { stdout, code } = await runGit(root, ['ls-files', '-z']);
+        if (code !== 0)
+            return []; // not a git work tree / git error → fail safe
+        tracked = new Set(stdout.split('\0').filter(Boolean));
+    }
+    catch {
+        return []; // git not available → fail safe
+    }
+    const candidates = [...new Set(candidatePaths.map(toPosix))].filter((p) => !tracked.has(p));
+    if (candidates.length === 0)
+        return [];
+    let ignoredUntracked;
+    try {
+        // check-ignore exits 0 when ≥1 path is ignored, 1 when none (stdout empty),
+        // 128 on error. Treat anything other than 0/1 as a failure → fail safe.
+        const { stdout, code } = await runGit(root, ['check-ignore', '--stdin', '-z'], candidates.join('\0'));
+        if (code !== 0 && code !== 1)
+            return [];
+        const ignored = new Set(stdout.split('\0').filter(Boolean));
+        ignoredUntracked = candidates.filter((p) => ignored.has(p));
+    }
+    catch {
+        return [];
+    }
+    if (ignoredUntracked.length === 0)
+        return [];
+    // Truncated history can't disprove a past commit → keep everything critical.
+    // Detect shallowness via the marker file located with `--git-path shallow`
+    // (git ≥ 2.5) rather than `--is-shallow-repository` (git ≥ 2.15), so the
+    // downgrade feature isn't silently disabled on older git toolchains.
+    try {
+        const { stdout, code } = await runGit(root, ['rev-parse', '--git-path', 'shallow']);
+        if (code !== 0)
+            return []; // old/unsupported git → fail safe
+        const marker = stdout.trim();
+        if (!marker)
+            return [];
+        const abs = node_path_1.default.isAbsolute(marker) ? marker : node_path_1.default.join(root, marker);
+        if ((0, node_fs_1.existsSync)(abs))
+            return []; // shallow clone → downgrade nothing
+    }
+    catch {
+        return [];
+    }
+    // Exclude any candidate that appears in committed history (every branch, tag,
+    // remote-tracking ref). `--all` walks all refs; `--diff-filter=A` emits only
+    // ADDED entries so a wide commit contributes just the candidate's
+    // introduction (proving it was once in history) while keeping output small.
+    // `-m` decomposes merge commits into per-parent diffs — without it, a merge's
+    // COMBINED diff omits a file added on only one side of a true 2-parent merge
+    // (a recall hole); `-m` surfaces it as "A" against the mainline parent.
+    // `--no-renames` keeps names literal so a renamed-away path still matches its
+    // old name. The `-- <paths>` pathspec restricts the walk to our candidates.
+    try {
+        const { stdout, code } = await runGit(root, [
+            'log',
+            '--all',
+            '-m',
+            '--no-renames',
+            '--diff-filter=A',
+            '--format=',
+            '--name-only',
+            '-z',
+            '--',
+            ...ignoredUntracked,
+        ]);
+        if (code !== 0)
+            return []; // fail safe: assume in history
+        const candSet = new Set(ignoredUntracked);
+        // -z separates with NUL; an empty --format still emits stray newlines. Split
+        // on both and keep only candidate tokens (membership is all we need).
+        const everCommitted = new Set(stdout.split(/[\0\n]/).filter((t) => candSet.has(t)));
+        return ignoredUntracked.filter((p) => !everCommitted.has(p));
+    }
+    catch {
+        return [];
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.6.11",
+  "version": "0.6.12",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {