@rainy-updates/cli 0.5.1 → 0.5.2-rc.2

package/dist/commands/licenses/runner.js

@@ -0,0 +1,163 @@
+import process from "node:process";
+import { discoverPackageDirs } from "../../workspace/discover.js";
+import { readManifest, collectDependencies, } from "../../parsers/package-json.js";
+import { asyncPool } from "../../utils/async-pool.js";
+import { stableStringify } from "../../utils/stable-json.js";
+import { writeFileAtomic } from "../../utils/io.js";
+import { generateSbom } from "./sbom.js";
+/**
+ * Entry point for `rup licenses`. Lazy-loaded by cli.ts.
+ *
+ * Fetches the SPDX license field from each dependency's packument,
+ * checks it against --allow/--deny lists, and optionally generates
+ * an SPDX 2.3 SBOM JSON document.
+ */
+export async function runLicenses(options) {
+    const result = {
+        packages: [],
+        violations: [],
+        totalViolations: 0,
+        errors: [],
+        warnings: [],
+    };
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const allDeps = new Map(); // name → resolved version
+    for (const packageDir of packageDirs) {
+        let manifest;
+        try {
+            manifest = await readManifest(packageDir);
+        }
+        catch (err) {
+            result.errors.push(`${packageDir}: ${String(err)}`);
+            continue;
+        }
+        const deps = collectDependencies(manifest, [
+            "dependencies",
+            "devDependencies",
+            "optionalDependencies",
+        ]);
+        for (const dep of deps) {
+            if (!allDeps.has(dep.name)) {
+                const bare = dep.range.replace(/^[~^>=<]/, "").split(" ")[0] ?? dep.range;
+                allDeps.set(dep.name, bare);
+            }
+        }
+    }
+    // Fetch license info from npm registry in parallel
+    const names = Array.from(allDeps.keys());
+    const fetchTasks = names.map((name) => async () => {
+        const version = allDeps.get(name) ?? "latest";
+        return fetchLicenseInfo(name, version, options.registryTimeoutMs);
+    });
+    const licenseInfos = await asyncPool(options.concurrency, fetchTasks);
+    for (const info of licenseInfos) {
+        if (!info || info instanceof Error)
+            continue;
+        result.packages.push(info);
+    }
+    // Evaluate allow/deny lists
+    for (const pkg of result.packages) {
+        if (isViolation(pkg, options)) {
+            result.violations.push(pkg);
+        }
+    }
+    result.totalViolations = result.violations.length;
+    // Render
+    process.stdout.write(renderLicenseTable(result) + "\n");
+    // SBOM output
+    if (options.sbomFile) {
+        const sbom = generateSbom(result.packages, options.cwd);
+        await writeFileAtomic(options.sbomFile, stableStringify(sbom, 2) + "\n");
+        process.stderr.write(`[licenses] SBOM written to ${options.sbomFile}\n`);
+    }
+    // JSON output
+    if (options.jsonFile) {
+        await writeFileAtomic(options.jsonFile, stableStringify(result, 2) + "\n");
+        process.stderr.write(`[licenses] JSON report written to ${options.jsonFile}\n`);
+    }
+    return result;
+}
+async function fetchLicenseInfo(name, version, timeoutMs) {
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const url = `https://registry.npmjs.org/${encodeURIComponent(name)}/${encodeURIComponent(version)}`;
+        const res = await fetch(url, {
+            signal: controller.signal,
+            headers: { accept: "application/json" },
+        });
+        clearTimeout(timer);
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        const rawLicense = data.license ?? "UNKNOWN";
+        const repo = typeof data.repository === "object"
+            ? data.repository?.url
+            : data.repository;
+        return {
+            name,
+            version,
+            license: rawLicense,
+            spdxExpression: normalizeSpdx(rawLicense),
+            homepage: data.homepage,
+            repository: repo,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Normalizes common license strings to SPDX identifiers. */
+function normalizeSpdx(raw) {
+    const known = {
+        MIT: "MIT",
+        ISC: "ISC",
+        "Apache-2.0": "Apache-2.0",
+        "BSD-2-Clause": "BSD-2-Clause",
+        "BSD-3-Clause": "BSD-3-Clause",
+        "GPL-3.0": "GPL-3.0",
+        "GPL-2.0": "GPL-2.0",
+        "LGPL-2.1": "LGPL-2.1",
+        "LGPL-3.0": "LGPL-3.0",
+        "MPL-2.0": "MPL-2.0",
+        "CC0-1.0": "CC0-1.0",
+        Unlicense: "Unlicense",
+        "AGPL-3.0": "AGPL-3.0",
+    };
+    return known[raw.trim()] ?? (raw.includes("-") ? raw : null);
+}
+function isViolation(pkg, options) {
+    const spdx = pkg.spdxExpression ?? pkg.license;
+    if (options.deny && options.deny.includes(spdx))
+        return true;
+    if (options.allow &&
+        options.allow.length > 0 &&
+        !options.allow.includes(spdx))
+        return true;
+    return false;
+}
+function renderLicenseTable(result) {
+    const lines = [];
+    if (result.violations.length > 0) {
+        lines.push(`\n✖ License violations (${result.violations.length}):\n`);
+        for (const pkg of result.violations) {
+            lines.push(`  \x1b[31m✖\x1b[0m ${pkg.name.padEnd(35)} ${pkg.spdxExpression ?? pkg.license}`);
+        }
+        lines.push("");
+    }
+    lines.push(`📄 ${result.packages.length} packages scanned:\n`);
+    lines.push("  " + "Package".padEnd(35) + "Version".padEnd(12) + "License");
+    lines.push("  " + "─".repeat(60));
+    for (const pkg of result.packages) {
+        const isViolating = result.violations.some((v) => v.name === pkg.name);
+        const prefix = isViolating ? "\x1b[31m" : "";
+        const suffix = isViolating ? "\x1b[0m" : "";
+        lines.push("  " +
+            prefix +
+            pkg.name.padEnd(35) +
+            pkg.version.padEnd(12) +
+            (pkg.spdxExpression ?? pkg.license) +
+            suffix);
+    }
+    return lines.join("\n");
+}

package/dist/commands/licenses/sbom.d.ts

@@ -0,0 +1,10 @@
+import type { PackageLicense, SbomDocument } from "../../types/index.js";
+/**
+ * Generates an SPDX 2.3 compliant SBOM JSON document from a list of
+ * scanned package licenses.
+ *
+ * SPDX 2.3 spec: https://spdx.github.io/spdx-spec/v2.3/
+ * Required by: CISA SBOM mandate, EU Cyber Resilience Act, many enterprise
+ * security standards.
+ */
+export declare function generateSbom(packages: PackageLicense[], projectName: string): SbomDocument;

package/dist/commands/licenses/sbom.js

@@ -0,0 +1,70 @@
+import { randomUUID } from "node:crypto";
+import path from "node:path";
+/**
+ * Generates an SPDX 2.3 compliant SBOM JSON document from a list of
+ * scanned package licenses.
+ *
+ * SPDX 2.3 spec: https://spdx.github.io/spdx-spec/v2.3/
+ * Required by: CISA SBOM mandate, EU Cyber Resilience Act, many enterprise
+ * security standards.
+ */
+export function generateSbom(packages, projectName) {
+    const docId = `SPDXRef-DOCUMENT`;
+    const rootId = `SPDXRef-Package-root`;
+    const timestamp = new Date().toISOString();
+    const namespace = `https://spdx.org/spdxdocs/${encodeURIComponent(path.basename(projectName))}-${randomUUID()}`;
+    const spdxPackages = [
+        // Root package entry
+        {
+            SPDXID: rootId,
+            name: path.basename(projectName),
+            versionInfo: "NOASSERTION",
+            downloadLocation: "NOASSERTION",
+            licenseConcluded: "NOASSERTION",
+            licenseDeclared: "NOASSERTION",
+            copyrightText: "NOASSERTION",
+        },
+        // One entry per dependency
+        ...packages.map((pkg) => ({
+            SPDXID: toSpdxId(pkg.name, pkg.version),
+            name: pkg.name,
+            versionInfo: pkg.version,
+            downloadLocation: pkg.repository
+                ? normalizeRepoUrl(pkg.repository)
+                : `https://www.npmjs.com/package/${encodeURIComponent(pkg.name)}`,
+            licenseConcluded: pkg.spdxExpression ?? "NOASSERTION",
+            licenseDeclared: pkg.spdxExpression ?? "NOASSERTION",
+            copyrightText: "NOASSERTION",
+        })),
+    ];
+    const relationships = [
+        {
+            spdxElementId: docId,
+            relationshipType: "DESCRIBES",
+            relatedSpdxElement: rootId,
+        },
+        ...packages.map((pkg) => ({
+            spdxElementId: rootId,
+            relationshipType: "DEPENDS_ON",
+            relatedSpdxElement: toSpdxId(pkg.name, pkg.version),
+        })),
+    ];
+    return {
+        spdxVersion: "SPDX-2.3",
+        dataLicense: "CC0-1.0",
+        name: `SBOM for ${path.basename(projectName)}`,
+        documentNamespace: namespace,
+        packages: spdxPackages,
+        relationships,
+    };
+}
+/** Converts a package name + version to a valid SPDX ID. */
+function toSpdxId(name, version) {
+    const safe = `${name}-${version}`.replace(/[^a-zA-Z0-9-.]/g, "-");
+    return `SPDXRef-Package-${safe}`;
+}
+/** Normalize various repository URL formats to a clean string. */
+function normalizeRepoUrl(raw) {
+    // git+https://... or git://...
+    return raw.replace(/^git\+/, "").replace(/\.git$/, "");
+}

package/dist/commands/resolve/graph/builder.d.ts

@@ -0,0 +1,20 @@
+import type { PeerGraph, ResolveOptions } from "../../../types/index.js";
+/**
+ * Builds an in-memory PeerGraph from the direct dependencies declared in
+ * package.json, enriched with peerDependency ranges fetched from the registry.
+ *
+ * Performance strategy:
+ *   - Collect all unique package names first (single pass)
+ *   - Check cache for packument data (zero network cost on cache hit)
+ *   - Fetch missing ones via asyncPool (parallel, up to options.concurrency)
+ *   - Build PeerGraph from merged results
+ *
+ * The graph only contains packages that declare peerDependencies — packages
+ * without peers are implicitly conflict-free and excluded to keep the graph lean.
+ */
+export declare function buildPeerGraph(options: ResolveOptions, 
+/**
+ * Optional override of the resolved versions map (used by --after-update mode
+ * to inject proposed upgrade versions before writing them to disk).
+ */
+resolvedVersionOverrides?: Map<string, string>): Promise<PeerGraph>;

package/dist/commands/resolve/graph/builder.js

@@ -0,0 +1,183 @@
+import { asyncPool } from "../../../utils/async-pool.js";
+import { VersionCache } from "../../../cache/cache.js";
+import { NpmRegistryClient } from "../../../registry/npm.js";
+import { readManifest, collectDependencies, } from "../../../parsers/package-json.js";
+import { discoverPackageDirs } from "../../../workspace/discover.js";
+/**
+ * Builds an in-memory PeerGraph from the direct dependencies declared in
+ * package.json, enriched with peerDependency ranges fetched from the registry.
+ *
+ * Performance strategy:
+ *   - Collect all unique package names first (single pass)
+ *   - Check cache for packument data (zero network cost on cache hit)
+ *   - Fetch missing ones via asyncPool (parallel, up to options.concurrency)
+ *   - Build PeerGraph from merged results
+ *
+ * The graph only contains packages that declare peerDependencies — packages
+ * without peers are implicitly conflict-free and excluded to keep the graph lean.
+ */
+export async function buildPeerGraph(options, 
+/**
+ * Optional override of the resolved versions map (used by --after-update mode
+ * to inject proposed upgrade versions before writing them to disk).
+ */
+resolvedVersionOverrides) {
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    const cache = await VersionCache.create();
+    const registry = new NpmRegistryClient(options.cwd, {
+        timeoutMs: options.registryTimeoutMs,
+        retries: 2,
+    });
+    // ─ Step 1: collect all declared dependencies and their current versions ────
+    const declaredVersions = new Map(); // name → range/version
+    const roots = [];
+    for (const packageDir of packageDirs) {
+        let manifest;
+        try {
+            manifest = await readManifest(packageDir);
+        }
+        catch {
+            continue;
+        }
+        const deps = collectDependencies(manifest, [
+            "dependencies",
+            "devDependencies",
+            "optionalDependencies",
+        ]);
+        for (const dep of deps) {
+            if (!declaredVersions.has(dep.name)) {
+                // Strip range prefix to get a bare version for peer satisfaction checks
+                const bare = dep.range.replace(/^[~^>=<]/, "").split(" ")[0] ?? dep.range;
+                declaredVersions.set(dep.name, bare);
+                roots.push(dep.name);
+            }
+        }
+    }
+    // Apply version overrides (--after-update mode)
+    if (resolvedVersionOverrides) {
+        for (const [name, version] of resolvedVersionOverrides) {
+            declaredVersions.set(name, version);
+        }
+    }
+    const packageNames = Array.from(declaredVersions.keys());
+    // ─ Step 2: fetch peer dependency data ─────────────────────────────────────
+    // Check cache first, then fetch missing ones from registry
+    const peerDataByName = new Map();
+    const uncached = [];
+    for (const name of packageNames) {
+        const cached = await cache.getAny(name, "latest");
+        const resolvedVersion = resolvedVersionOverrides?.get(name) ??
+            declaredVersions.get(name) ??
+            "0.0.0";
+        if (cached) {
+            // We have cached packument; peer deps would need a separate field.
+            // For now, initialize with empty peers (fetched below if needed).
+            peerDataByName.set(name, {
+                resolvedVersion,
+                peerRequirements: new Map(),
+            });
+        }
+        else {
+            uncached.push(name);
+        }
+    }
+    // Fetch peer deps for packages not in cache
+    if (uncached.length > 0) {
+        const fetched = await registry.resolveManyPackageMetadata(uncached, {
+            concurrency: options.concurrency,
+            timeoutMs: options.registryTimeoutMs,
+            retries: 2,
+        });
+        for (const name of uncached) {
+            const resolvedVersion = resolvedVersionOverrides?.get(name) ??
+                declaredVersions.get(name) ??
+                "0.0.0";
+            peerDataByName.set(name, {
+                resolvedVersion,
+                peerRequirements: new Map(), // peer deps from packument handled below
+            });
+        }
+        // The registry packument includes peerDependencies in the version object.
+        // Fetch peer deps via a targeted per-package request for the resolved version.
+        const peerFetchTasks = uncached.map((name) => async () => {
+            const resolvedVersion = resolvedVersionOverrides?.get(name) ??
+                declaredVersions.get(name) ??
+                "0.0.0";
+            const peerDeps = await fetchPeerDepsForVersion(name, resolvedVersion, options.registryTimeoutMs);
+            const existing = peerDataByName.get(name);
+            if (existing) {
+                existing.peerRequirements = peerDeps;
+            }
+        });
+        await asyncPool(options.concurrency, peerFetchTasks);
+    }
+    // Also fetch peer deps for cached packages where we don't have peer data
+    const cachedPeerFetchTasks = packageNames
+        .filter((n) => !uncached.includes(n))
+        .map((name) => async () => {
+        const resolvedVersion = resolvedVersionOverrides?.get(name) ??
+            declaredVersions.get(name) ??
+            "0.0.0";
+        const peerDeps = await fetchPeerDepsForVersion(name, resolvedVersion, options.registryTimeoutMs);
+        const existing = peerDataByName.get(name);
+        if (existing && peerDeps.size > 0) {
+            existing.peerRequirements = peerDeps;
+        }
+    });
+    await asyncPool(options.concurrency, cachedPeerFetchTasks);
+    // ─ Step 3: assemble PeerGraph ─────────────────────────────────────────────
+    const nodes = new Map();
+    for (const [name, metadata] of peerDataByName) {
+        if (metadata.peerRequirements.size > 0) {
+            nodes.set(name, {
+                name,
+                resolvedVersion: metadata.resolvedVersion,
+                peerRequirements: metadata.peerRequirements,
+            });
+        }
+    }
+    // Also add nodes that are referenced AS peers (so the resolver can look them up)
+    for (const [, node] of nodes) {
+        for (const [peerName] of node.peerRequirements) {
+            if (!nodes.has(peerName) && declaredVersions.has(peerName)) {
+                const meta = peerDataByName.get(peerName);
+                nodes.set(peerName, {
+                    name: peerName,
+                    resolvedVersion: meta?.resolvedVersion ?? declaredVersions.get(peerName) ?? "0.0.0",
+                    peerRequirements: new Map(), // this node has no peer requirements of its own
+                });
+            }
+        }
+    }
+    return { nodes, roots: [...new Set(roots)] };
+}
+/**
+ * Fetches peerDependencies for a specific version of a package directly from
+ * the npm registry packument. Returns an empty Map on any failure.
+ */
+async function fetchPeerDepsForVersion(packageName, version, timeoutMs) {
+    const peerDeps = new Map();
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+        const response = await fetch(url, {
+            signal: controller.signal,
+            headers: { accept: "application/json" },
+        });
+        clearTimeout(timer);
+        if (!response.ok)
+            return peerDeps;
+        const packument = (await response.json());
+        const versionData = packument.versions?.[version];
+        if (!versionData?.peerDependencies)
+            return peerDeps;
+        for (const [peer, range] of Object.entries(versionData.peerDependencies)) {
+            peerDeps.set(peer, range);
+        }
+    }
+    catch {
+        // Network/parse failure — return empty peer map (no false positives)
+    }
+    return peerDeps;
+}

package/dist/commands/resolve/graph/conflict.d.ts

@@ -0,0 +1,20 @@
+import type { PeerConflict } from "../../../types/index.js";
+interface ConflictInput {
+    requester: string;
+    peer: string;
+    requiredRange: string;
+    resolvedVersion: string;
+    isInstalled: boolean;
+}
+/**
+ * Classifies a potential peer conflict and generates a human-readable suggestion.
+ *
+ * Severity rules:
+ *   "error"   — peer is not installed at all
+ *   "error"   — resolved version is outside the required range entirely
+ *               (would produce ERESOLVE in npm)
+ *   "warning" — resolved version satisfies a subrange of the requirement
+ *               but crosses a major boundary (soft peer warning in npm 7+)
+ */
+export declare function classifyConflict(input: ConflictInput): PeerConflict;
+export {};

package/dist/commands/resolve/graph/conflict.js

@@ -0,0 +1,52 @@
+import { parseVersion } from "../../../utils/semver.js";
+/**
+ * Classifies a potential peer conflict and generates a human-readable suggestion.
+ *
+ * Severity rules:
+ *   "error"   — peer is not installed at all
+ *   "error"   — resolved version is outside the required range entirely
+ *               (would produce ERESOLVE in npm)
+ *   "warning" — resolved version satisfies a subrange of the requirement
+ *               but crosses a major boundary (soft peer warning in npm 7+)
+ */
+export function classifyConflict(input) {
+    const severity = determineSeverity(input);
+    const suggestion = buildSuggestion(input);
+    return {
+        requester: input.requester,
+        peer: input.peer,
+        requiredRange: input.requiredRange,
+        resolvedVersion: input.resolvedVersion,
+        severity,
+        suggestion,
+    };
+}
+function determineSeverity(input) {
+    if (!input.isInstalled)
+        return "error";
+    // If we can parse both versions, check if they're in the same major series
+    const resolved = parseVersion(input.resolvedVersion);
+    const rangeVersion = extractBaseVersion(input.requiredRange);
+    if (!resolved || !rangeVersion) {
+        // Can't parse → assume it's a hard error to be safe
+        return "error";
+    }
+    // Different major → ERESOLVE-level incompatibility
+    if (resolved.major !== rangeVersion.major)
+        return "error";
+    // Same major but version is below the floor declared in the range → error
+    // (e.g. resolved=18.1.0 required=^18.3.0 — same major but concrete floor missed)
+    return "warning";
+}
+function extractBaseVersion(range) {
+    const stripped = range.trim().replace(/^[~^>=<]+/, "");
+    return parseVersion(stripped.split(" ")[0] ?? stripped);
+}
+function buildSuggestion(input) {
+    if (!input.isInstalled) {
+        return `Install ${input.peer}@${input.requiredRange} — required by ${input.requester} but not found in the dependency tree`;
+    }
+    const clean = input.requiredRange.replace(/^[~^]/, "");
+    return (`Upgrade ${input.peer} from ${input.resolvedVersion} to ${clean} ` +
+        `(required by ${input.requester}: "${input.peer}": "${input.requiredRange}")`);
+}

package/dist/commands/resolve/graph/resolver.d.ts

@@ -0,0 +1,17 @@
+import type { PeerGraph, PeerConflict } from "../../../types/index.js";
+/**
+ * Resolves peer conflicts in the given PeerGraph.
+ *
+ * Algorithm: single-pass BFS over the graph.
+ *   For each node N that has peer requirements:
+ *     For each (peerName, requiredRange) in N.peerRequirements:
+ *       1. Look up peerName in the graph (the resolved version we have)
+ *       2. Call satisfies(resolvedVersion, requiredRange)
+ *       3. If not satisfied → conflict
+ *
+ * Complexity: O(n × max_peers_per_package) — effectively O(n) since
+ * peerDependencies counts are always small (< 10 in practice).
+ *
+ * Returns an array of conflicts sorted by severity (errors first) then by name.
+ */
+export declare function resolvePeerConflicts(graph: PeerGraph): PeerConflict[];

package/dist/commands/resolve/graph/resolver.js

@@ -0,0 +1,71 @@
+import { satisfies } from "../../../utils/semver.js";
+import { classifyConflict } from "./conflict.js";
+/**
+ * Resolves peer conflicts in the given PeerGraph.
+ *
+ * Algorithm: single-pass BFS over the graph.
+ *   For each node N that has peer requirements:
+ *     For each (peerName, requiredRange) in N.peerRequirements:
+ *       1. Look up peerName in the graph (the resolved version we have)
+ *       2. Call satisfies(resolvedVersion, requiredRange)
+ *       3. If not satisfied → conflict
+ *
+ * Complexity: O(n × max_peers_per_package) — effectively O(n) since
+ * peerDependencies counts are always small (< 10 in practice).
+ *
+ * Returns an array of conflicts sorted by severity (errors first) then by name.
+ */
+export function resolvePeerConflicts(graph) {
+    const conflicts = [];
+    const queue = [...graph.roots];
+    const visited = new Set();
+    // BFS traversal so we process in dependency order (roots first)
+    while (queue.length > 0) {
+        const name = queue.shift();
+        if (visited.has(name))
+            continue;
+        visited.add(name);
+        const node = graph.nodes.get(name);
+        if (!node) {
+            // Queue children: any node that references `name` as a peer
+            // (they will be checked when processed)
+            continue;
+        }
+        for (const [peerName, requiredRange] of node.peerRequirements) {
+            const peerNode = graph.nodes.get(peerName);
+            if (!peerNode) {
+                // Package not in the dependency tree at all → hard error
+                conflicts.push(classifyConflict({
+                    requester: name,
+                    peer: peerName,
+                    requiredRange,
+                    resolvedVersion: "(not installed)",
+                    isInstalled: false,
+                }));
+                continue;
+            }
+            const peerVersion = peerNode.resolvedVersion;
+            const satisfied = satisfies(peerVersion, requiredRange);
+            if (!satisfied) {
+                conflicts.push(classifyConflict({
+                    requester: name,
+                    peer: peerName,
+                    requiredRange,
+                    resolvedVersion: peerVersion,
+                    isInstalled: true,
+                }));
+            }
+            // Always enqueue the peer for processing
+            if (!visited.has(peerName)) {
+                queue.push(peerName);
+            }
+        }
+    }
+    // Sort: errors first, then warnings; within category sort by requester name
+    return conflicts.sort((a, b) => {
+        if (a.severity !== b.severity) {
+            return a.severity === "error" ? -1 : 1;
+        }
+        return a.requester.localeCompare(b.requester);
+    });
+}

package/dist/commands/resolve/parser.d.ts

@@ -0,0 +1,2 @@
+import type { ResolveOptions } from "../../types/index.js";
+export declare function parseResolveArgs(args: string[]): ResolveOptions;