npm - @standards-kit/conform - Versions diffs - 0.1.0 - Mend

@standards-kit/conform 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/dist/artifactregistry-QQWBMEQN.js +38 -0
package/dist/artifactregistry-QQWBMEQN.js.map +1 -0
package/dist/chunk-J5S6GRGW.js +314 -0
package/dist/chunk-J5S6GRGW.js.map +1 -0
package/dist/chunk-KHO6NIAI.js +1367 -0
package/dist/chunk-KHO6NIAI.js.map +1 -0
package/dist/chunk-M7G73Q6P.js +662 -0
package/dist/chunk-M7G73Q6P.js.map +1 -0
package/dist/chunk-P7TIZJ4C.js +85 -0
package/dist/chunk-P7TIZJ4C.js.map +1 -0
package/dist/chunk-RXA4FO7L.js +279 -0
package/dist/chunk-RXA4FO7L.js.map +1 -0
package/dist/cli.js +7432 -0
package/dist/cli.js.map +1 -0
package/dist/cloudrun-O36R23SH.js +31 -0
package/dist/cloudrun-O36R23SH.js.map +1 -0
package/dist/cloudwatch-KSZ4A256.js +56 -0
package/dist/cloudwatch-KSZ4A256.js.map +1 -0
package/dist/dynamodb-5KVESCVJ.js +51 -0
package/dist/dynamodb-5KVESCVJ.js.map +1 -0
package/dist/ec2-HKPE6GZV.js +151 -0
package/dist/ec2-HKPE6GZV.js.map +1 -0
package/dist/ecs-OS3NJZTA.js +141 -0
package/dist/ecs-OS3NJZTA.js.map +1 -0
package/dist/elasticache-7TCRHYYM.js +151 -0
package/dist/elasticache-7TCRHYYM.js.map +1 -0
package/dist/elb-PEDLXW5R.js +151 -0
package/dist/elb-PEDLXW5R.js.map +1 -0
package/dist/generate-D4MFMOHP.js +28 -0
package/dist/generate-D4MFMOHP.js.map +1 -0
package/dist/iam-7H5HFWVQ.js +96 -0
package/dist/iam-7H5HFWVQ.js.map +1 -0
package/dist/iam-DJI64AGK.js +39 -0
package/dist/iam-DJI64AGK.js.map +1 -0
package/dist/index.js +7980 -0
package/dist/index.js.map +1 -0
package/dist/infra-UXM5XQX3.js +566 -0
package/dist/infra-UXM5XQX3.js.map +1 -0
package/dist/lambda-NFB5UILT.js +60 -0
package/dist/lambda-NFB5UILT.js.map +1 -0
package/dist/manifest-7AIL2FK2.js +23 -0
package/dist/manifest-7AIL2FK2.js.map +1 -0
package/dist/mcp-O5O7XVFG.js +204 -0
package/dist/mcp-O5O7XVFG.js.map +1 -0
package/dist/rds-KLG5O5SI.js +151 -0
package/dist/rds-KLG5O5SI.js.map +1 -0
package/dist/registry-V65CC7IN.js +15 -0
package/dist/registry-V65CC7IN.js.map +1 -0
package/dist/s3-2DH7PRVR.js +49 -0
package/dist/s3-2DH7PRVR.js.map +1 -0
package/dist/scan-EELS42BP.js +593 -0
package/dist/scan-EELS42BP.js.map +1 -0
package/dist/secretmanager-RDL62EFW.js +31 -0
package/dist/secretmanager-RDL62EFW.js.map +1 -0
package/dist/secretsmanager-MOOIHLAO.js +50 -0
package/dist/secretsmanager-MOOIHLAO.js.map +1 -0
package/dist/sns-Y36LVTWA.js +50 -0
package/dist/sns-Y36LVTWA.js.map +1 -0
package/dist/sqs-RRS3GRHK.js +61 -0
package/dist/sqs-RRS3GRHK.js.map +1 -0
package/dist/src-KZRTG3EU.js +45 -0
package/dist/src-KZRTG3EU.js.map +1 -0
package/dist/standards-RXK5G4IG.js +37 -0
package/dist/standards-RXK5G4IG.js.map +1 -0
package/dist/sync-RLYBGYNY.js +877 -0
package/dist/sync-RLYBGYNY.js.map +1 -0
package/dist/validate-AABLVQJS.js +327 -0
package/dist/validate-AABLVQJS.js.map +1 -0
package/dist/validator-6PL5I5EC.js +156 -0
package/dist/validator-6PL5I5EC.js.map +1 -0
package/package.json +91 -0

package/dist/scan-EELS42BP.js ADDED Viewed

@@ -0,0 +1,593 @@
+import {
+  ExitCode
+} from "./chunk-P7TIZJ4C.js";
+import {
+  loadConfigAsync
+} from "./chunk-KHO6NIAI.js";
+// src/process/scan/index.ts
+import chalk from "chalk";
+// src/process/scan/scanner.ts
+import { execa as execa2 } from "execa";
+// src/process/scan/remote-fetcher.ts
+import { execa } from "execa";
+var RemoteFetcherError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "RemoteFetcherError";
+  }
+};
+function parseRepoString(repo) {
+  const parts = repo.split("/");
+  if (parts.length !== 2 || !parts[0] || !parts[1]) {
+    throw new RemoteFetcherError(
+      `Invalid repository format: "${repo}". Expected "owner/repo" format.`,
+      "INVALID_REPO"
+    );
+  }
+  return { owner: parts[0], repo: parts[1] };
+}
+async function isGhAvailable() {
+  try {
+    await execa("gh", ["--version"]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function verifyRepoAccess(repoInfo) {
+  try {
+    await execa("gh", ["api", `repos/${repoInfo.owner}/${repoInfo.repo}`]);
+    return true;
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    if (errorMessage.includes("404") || errorMessage.includes("Not Found")) {
+      throw new RemoteFetcherError(
+        `Repository not found: ${repoInfo.owner}/${repoInfo.repo}`,
+        "NO_REPO"
+      );
+    }
+    if (errorMessage.includes("403") || errorMessage.includes("401")) {
+      throw new RemoteFetcherError(
+        `Cannot access repository: ${repoInfo.owner}/${repoInfo.repo}. Check your GITHUB_TOKEN permissions.`,
+        "NO_PERMISSION"
+      );
+    }
+    throw new RemoteFetcherError(
+      `Failed to verify repository access: ${errorMessage}`,
+      "API_ERROR"
+    );
+  }
+}
+async function checkRemoteFileExists(repoInfo, filePath) {
+  try {
+    await execa("gh", [
+      "api",
+      `repos/${repoInfo.owner}/${repoInfo.repo}/contents/${filePath}`,
+      "--silent"
+    ]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function checkRemoteFileWithAlternatives(repoInfo, config) {
+  const allPaths = [config.path, ...config.alternativePaths ?? []];
+  for (const path of allPaths) {
+    const exists = await checkRemoteFileExists(repoInfo, path);
+    if (exists) {
+      return { path: config.path, exists: true, checkedPaths: allPaths };
+    }
+  }
+  return { path: config.path, exists: false, checkedPaths: allPaths };
+}
+async function checkRemoteFiles(repoInfo, configs) {
+  const results = await Promise.all(
+    configs.map((config) => checkRemoteFileWithAlternatives(repoInfo, config))
+  );
+  return results;
+}
+var standardFileChecks = [
+  {
+    path: "CODEOWNERS",
+    alternativePaths: [".github/CODEOWNERS", "docs/CODEOWNERS"],
+    required: false,
+    description: "CODEOWNERS file for code review assignment"
+  },
+  {
+    path: ".github/PULL_REQUEST_TEMPLATE.md",
+    alternativePaths: [
+      ".github/pull_request_template.md",
+      "PULL_REQUEST_TEMPLATE.md",
+      "pull_request_template.md"
+    ],
+    required: false,
+    description: "Pull request template"
+  },
+  {
+    path: "README.md",
+    alternativePaths: ["readme.md", "README"],
+    required: false,
+    description: "Repository README"
+  },
+  {
+    path: ".github/workflows",
+    required: false,
+    description: "GitHub Actions workflows directory"
+  }
+];
+// src/process/scan/validators.ts
+function matchesBranch(patterns, branch) {
+  for (const pattern of patterns) {
+    const cleanPattern = pattern.replace(/^refs\/heads\//, "");
+    if (cleanPattern === branch) {
+      return true;
+    }
+    if (cleanPattern === "~DEFAULT_BRANCH" && branch === "main") {
+      return true;
+    }
+    if (cleanPattern === "~ALL") {
+      return true;
+    }
+    if (cleanPattern.includes("*")) {
+      const regex = new RegExp(`^${cleanPattern.replace(/\*/g, ".*")}$`);
+      if (regex.test(branch)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function findBranchRuleset(rulesets, branch) {
+  return rulesets.find(
+    (r) => r.target === "branch" && r.enforcement === "active" && matchesBranch(r.conditions?.ref_name?.include ?? [], branch)
+  );
+}
+function validateRulesets(rulesets, repoConfig) {
+  if (!repoConfig) {
+    return [];
+  }
+  const violations = [];
+  const rulesetConfig = repoConfig.ruleset;
+  const branch = rulesetConfig?.branch ?? "main";
+  const branchRuleset = findBranchRuleset(rulesets, branch);
+  if (repoConfig.require_branch_protection && !branchRuleset) {
+    violations.push({
+      rule: "process.repo.branch_protection",
+      tool: "scan",
+      message: `Branch '${branch}' does not have a branch protection ruleset`,
+      severity: "error"
+    });
+  }
+  if (branchRuleset && rulesetConfig) {
+    violations.push(...validateBranchRuleset(branchRuleset, rulesetConfig, branch));
+  }
+  if (repoConfig.tag_protection?.patterns?.length) {
+    violations.push(...validateTagProtection(rulesets, repoConfig.tag_protection));
+  }
+  return violations;
+}
+function validateBranchRuleset(ruleset, config, branch) {
+  if (!config) {
+    return [];
+  }
+  const violations = [];
+  const rules = ruleset.rules ?? [];
+  const prRule = rules.find((r) => r.type === "pull_request");
+  const statusRule = rules.find((r) => r.type === "required_status_checks");
+  violations.push(...validatePullRequestRule(prRule, config, branch));
+  violations.push(...validateStatusChecksRule(statusRule, config, branch));
+  violations.push(...validateSignedCommits(rules, config, branch));
+  violations.push(...validateBypassActors(ruleset.bypass_actors ?? [], config, branch));
+  return violations;
+}
+function validatePullRequestRule(prRule, config, branch) {
+  if (!config) {
+    return [];
+  }
+  const violations = [];
+  const params = prRule?.parameters;
+  if (config.required_reviews !== void 0) {
+    const actualReviews = params?.required_approving_review_count ?? 0;
+    if (actualReviews < config.required_reviews) {
+      violations.push({
+        rule: "process.repo.branch_protection.required_reviews",
+        tool: "scan",
+        message: `Branch '${branch}' requires ${actualReviews} reviews, expected at least ${config.required_reviews}`,
+        severity: "error"
+      });
+    }
+  }
+  if (config.dismiss_stale_reviews === true && !(params?.dismiss_stale_reviews_on_push ?? false)) {
+    violations.push({
+      rule: "process.repo.branch_protection.dismiss_stale_reviews",
+      tool: "scan",
+      message: `Branch '${branch}' does not dismiss stale reviews on new commits`,
+      severity: "error"
+    });
+  }
+  if (config.require_code_owner_reviews === true && !(params?.require_code_owner_review ?? false)) {
+    violations.push({
+      rule: "process.repo.branch_protection.require_code_owner_reviews",
+      tool: "scan",
+      message: `Branch '${branch}' does not require code owner reviews`,
+      severity: "error"
+    });
+  }
+  return violations;
+}
+function validateStatusChecksRule(statusRule, config, branch) {
+  if (!config) {
+    return [];
+  }
+  const violations = [];
+  const params = statusRule?.parameters;
+  if (config.require_status_checks && config.require_status_checks.length > 0) {
+    const actualChecks = params?.required_status_checks?.map((c) => c.context) ?? [];
+    const missingChecks = config.require_status_checks.filter(
+      (check) => !actualChecks.includes(check)
+    );
+    if (missingChecks.length > 0) {
+      violations.push({
+        rule: "process.repo.branch_protection.require_status_checks",
+        tool: "scan",
+        message: `Branch '${branch}' missing required status checks: ${missingChecks.join(", ")}`,
+        severity: "error"
+      });
+    }
+  }
+  if (config.require_branches_up_to_date === true && !(params?.strict_required_status_checks_policy ?? false)) {
+    violations.push({
+      rule: "process.repo.branch_protection.require_branches_up_to_date",
+      tool: "scan",
+      message: `Branch '${branch}' does not require branches to be up to date before merging`,
+      severity: "error"
+    });
+  }
+  return violations;
+}
+function validateSignedCommits(rules, config, branch) {
+  if (config?.require_signed_commits !== true) {
+    return [];
+  }
+  if (!rules.some((r) => r.type === "required_signatures")) {
+    return [
+      {
+        rule: "process.repo.branch_protection.require_signed_commits",
+        tool: "scan",
+        message: `Branch '${branch}' does not require signed commits`,
+        severity: "error"
+      }
+    ];
+  }
+  return [];
+}
+function validateBypassActors(actualBypass, config, branch) {
+  if (config?.enforce_admins !== true || actualBypass.length === 0) {
+    return [];
+  }
+  return [
+    {
+      rule: "process.repo.branch_protection.enforce_admins",
+      tool: "scan",
+      message: `Branch '${branch}' has bypass actors configured but enforce_admins requires no bypasses`,
+      severity: "error"
+    }
+  ];
+}
+function validateTagProtection(rulesets, tagConfig) {
+  if (!tagConfig?.patterns?.length) {
+    return [];
+  }
+  const violations = [];
+  const tagRuleset = rulesets.find((r) => r.target === "tag" && r.enforcement === "active");
+  if (!tagRuleset) {
+    return [
+      {
+        rule: "process.repo.tag_protection",
+        tool: "scan",
+        message: "No active tag protection ruleset found",
+        severity: "error"
+      }
+    ];
+  }
+  violations.push(...validateTagPatterns(tagConfig.patterns, tagRuleset));
+  violations.push(...validateTagRules(tagConfig, tagRuleset.rules ?? []));
+  return violations;
+}
+function validateTagPatterns(expectedPatterns, tagRuleset) {
+  const expected = expectedPatterns.map((p) => `refs/tags/${p}`).sort();
+  const actual = [...tagRuleset.conditions?.ref_name?.include ?? []].sort();
+  if (expected.length === actual.length && expected.every((v, i) => v === actual[i])) {
+    return [];
+  }
+  const found = actual.map((p) => p.replace(/^refs\/tags\//, "")).join(", ");
+  return [
+    {
+      rule: "process.repo.tag_protection.patterns",
+      tool: "scan",
+      message: `Tag protection patterns mismatch: expected [${expectedPatterns.join(", ")}], found [${found}]`,
+      severity: "error"
+    }
+  ];
+}
+function validateTagRules(tagConfig, rules) {
+  if (!tagConfig) {
+    return [];
+  }
+  const violations = [];
+  if (tagConfig.prevent_deletion !== false && !rules.some((r) => r.type === "deletion")) {
+    violations.push({
+      rule: "process.repo.tag_protection.prevent_deletion",
+      tool: "scan",
+      message: "Tag protection does not prevent deletion",
+      severity: "error"
+    });
+  }
+  if (tagConfig.prevent_update !== false && !rules.some((r) => r.type === "update")) {
+    violations.push({
+      rule: "process.repo.tag_protection.prevent_update",
+      tool: "scan",
+      message: "Tag protection does not prevent updates (force-push)",
+      severity: "error"
+    });
+  }
+  return violations;
+}
+// src/process/scan/scanner.ts
+async function fetchRulesets(repoInfo) {
+  const result = await execa2("gh", ["api", `repos/${repoInfo.owner}/${repoInfo.repo}/rulesets`]);
+  return JSON.parse(result.stdout);
+}
+function createSkippedResult(name, rule, reason, duration) {
+  return { name, rule, passed: true, violations: [], skipped: true, skipReason: reason, duration };
+}
+function createErrorResult(name, rule, message, duration) {
+  return {
+    name,
+    rule,
+    passed: false,
+    violations: [{ rule, tool: "scan", message, severity: "error" }],
+    skipped: false,
+    duration
+  };
+}
+function handleRulesetError(error, repoConfig, elapsed) {
+  const msg = error instanceof Error ? error.message : String(error);
+  if (msg.includes("403") || msg.includes("Must have admin rights")) {
+    return createSkippedResult(
+      "Repository Settings",
+      "process.repo",
+      "Cannot check rulesets: insufficient permissions (requires admin access)",
+      elapsed()
+    );
+  }
+  if (msg.includes("404")) {
+    const violations = [];
+    if (repoConfig?.require_branch_protection) {
+      violations.push({
+        rule: "process.repo.branch_protection",
+        tool: "scan",
+        message: "No branch protection rulesets configured",
+        severity: "error"
+      });
+    }
+    return {
+      name: "Repository Settings",
+      rule: "process.repo",
+      passed: violations.length === 0,
+      violations,
+      skipped: false,
+      duration: elapsed()
+    };
+  }
+  return createErrorResult(
+    "Repository Settings",
+    "process.repo",
+    `Failed to check rulesets: ${msg}`,
+    elapsed()
+  );
+}
+async function checkRulesets(repoInfo, config) {
+  const startTime = Date.now();
+  const elapsed = () => Date.now() - startTime;
+  const repoConfig = config.process?.repo;
+  if (!repoConfig?.enabled) {
+    return createSkippedResult(
+      "Repository Settings",
+      "process.repo",
+      "Repository settings check not enabled in config",
+      elapsed()
+    );
+  }
+  try {
+    const rulesets = await fetchRulesets(repoInfo);
+    const violations = validateRulesets(rulesets, repoConfig);
+    return {
+      name: "Repository Settings",
+      rule: "process.repo",
+      passed: violations.length === 0,
+      violations,
+      skipped: false,
+      duration: elapsed()
+    };
+  } catch (error) {
+    return handleRulesetError(error, repoConfig, elapsed);
+  }
+}
+function buildFileChecks(config) {
+  const fileChecks = [];
+  if (config.process?.repo?.require_codeowners) {
+    fileChecks.push({
+      path: "CODEOWNERS",
+      alternativePaths: [".github/CODEOWNERS", "docs/CODEOWNERS"],
+      required: true,
+      description: "CODEOWNERS file for code review assignment"
+    });
+  }
+  fileChecks.push(
+    ...standardFileChecks.filter((check) => !fileChecks.some((fc) => fc.path === check.path))
+  );
+  return fileChecks;
+}
+function fileResultsToViolations(results, fileChecks) {
+  const violations = [];
+  for (const result of results) {
+    const checkConfig = fileChecks.find((fc) => fc.path === result.path);
+    if (!result.exists && checkConfig?.required) {
+      violations.push({
+        rule: `process.scan.files.${result.path.replace(/[./]/g, "_")}`,
+        tool: "scan",
+        message: `Required file not found: ${result.path} (checked: ${result.checkedPaths.join(", ")})`,
+        severity: "error"
+      });
+    }
+  }
+  return violations;
+}
+async function checkFiles(repoInfo, config) {
+  const startTime = Date.now();
+  const elapsed = () => Date.now() - startTime;
+  const fileChecks = buildFileChecks(config);
+  if (fileChecks.length === 0) {
+    return createSkippedResult(
+      "Repository Files",
+      "process.scan.files",
+      "No file checks configured",
+      elapsed()
+    );
+  }
+  try {
+    const results = await checkRemoteFiles(repoInfo, fileChecks);
+    const violations = fileResultsToViolations(results, fileChecks);
+    return {
+      name: "Repository Files",
+      rule: "process.scan.files",
+      passed: violations.length === 0,
+      violations,
+      skipped: false,
+      duration: elapsed()
+    };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    return createErrorResult(
+      "Repository Files",
+      "process.scan.files",
+      `Failed to check files: ${msg}`,
+      elapsed()
+    );
+  }
+}
+function aggregateResults(repoInfo, checks) {
+  const violations = checks.flatMap((c) => c.violations);
+  const passedChecks = checks.filter((c) => c.passed && !c.skipped).length;
+  const failedChecks = checks.filter((c) => !c.passed && !c.skipped).length;
+  const skippedChecks = checks.filter((c) => c.skipped).length;
+  return {
+    repoInfo,
+    checks,
+    violations,
+    passed: failedChecks === 0,
+    summary: { totalChecks: checks.length, passedChecks, failedChecks, skippedChecks }
+  };
+}
+async function scanRepository(repo, config) {
+  const repoInfo = parseRepoString(repo);
+  if (!await isGhAvailable()) {
+    throw new RemoteFetcherError(
+      "GitHub CLI (gh) not available. Install it from https://cli.github.com/",
+      "NO_GH"
+    );
+  }
+  await verifyRepoAccess(repoInfo);
+  const [rulesetsResult, filesResult] = await Promise.all([
+    checkRulesets(repoInfo, config),
+    checkFiles(repoInfo, config)
+  ]);
+  return aggregateResults(repoInfo, [rulesetsResult, filesResult]);
+}
+async function validateProcess(options) {
+  const { loadConfigAsync: loadConfigAsync2 } = await import("./src-KZRTG3EU.js");
+  const { config } = await loadConfigAsync2(options.config);
+  const result = await scanRepository(options.repo, config);
+  const fs = await import("fs");
+  const path = await import("path");
+  const { fileURLToPath } = await import("url");
+  const __dirname = path.dirname(fileURLToPath(import.meta.url));
+  const packageJsonPath = path.resolve(__dirname, "..", "..", "..", "package.json");
+  const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8"));
+  return {
+    version: packageJson.version,
+    repoInfo: result.repoInfo,
+    domain: "process",
+    checks: result.checks,
+    summary: {
+      totalChecks: result.summary.totalChecks,
+      passedChecks: result.summary.passedChecks,
+      failedChecks: result.summary.failedChecks,
+      totalViolations: result.violations.length,
+      exitCode: result.passed ? ExitCode.SUCCESS : ExitCode.VIOLATIONS_FOUND
+    }
+  };
+}
+// src/process/scan/index.ts
+function formatScanText(result) {
+  const lines = [];
+  lines.push(`Repository: ${result.repoInfo.owner}/${result.repoInfo.repo}`);
+  lines.push("");
+  for (const check of result.checks) {
+    if (check.skipped) {
+      lines.push(chalk.yellow(`\u2298 ${check.name} (skipped: ${check.skipReason})`));
+    } else if (check.passed) {
+      lines.push(chalk.green(`\u2713 ${check.name}`));
+    } else {
+      lines.push(chalk.red(`\u2717 ${check.name}`));
+      for (const violation of check.violations) {
+        lines.push(chalk.red(`  \u2022 ${violation.message}`));
+      }
+    }
+  }
+  lines.push("");
+  lines.push(
+    `Summary: ${result.summary.passedChecks} passed, ${result.summary.failedChecks} failed, ${result.summary.skippedChecks} skipped`
+  );
+  return lines.join("\n");
+}
+function formatScanJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+async function runScan(options) {
+  try {
+    const { config } = await loadConfigAsync(options.config);
+    const result = await scanRepository(options.repo, config);
+    const output = options.format === "json" ? formatScanJson(result) : formatScanText(result);
+    process.stdout.write(`${output}
+`);
+    process.exit(result.passed ? ExitCode.SUCCESS : ExitCode.VIOLATIONS_FOUND);
+  } catch (error) {
+    if (options.format === "json") {
+      const errorObj = {
+        error: true,
+        message: error instanceof Error ? error.message : String(error),
+        code: error.code ?? "UNKNOWN"
+      };
+      process.stdout.write(`${JSON.stringify(errorObj, null, 2)}
+`);
+    } else {
+      console.error(chalk.red(`Error: ${error instanceof Error ? error.message : String(error)}`));
+    }
+    process.exit(ExitCode.RUNTIME_ERROR);
+  }
+}
+export {
+  runScan,
+  scanRepository,
+  validateProcess
+};
+//# sourceMappingURL=scan-EELS42BP.js.map

package/dist/scan-EELS42BP.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/process/scan/index.ts","../src/process/scan/scanner.ts","../src/process/scan/remote-fetcher.ts","../src/process/scan/validators.ts"],"sourcesContent":["import chalk from \"chalk\";\n\nimport { loadConfigAsync } from \"@standards-kit/core\";\nimport { ExitCode } from \"@standards-kit/core\";\nimport { scanRepository } from \"./scanner.js\";\nimport { type ScanOptions, type ScanResult } from \"./types.js\";\n\n// Re-export public API types\nexport {\n type RemoteRepoInfo,\n type ScanOptions,\n type ScanResult,\n type ValidateProcessOptions,\n type ValidateProcessResult,\n} from \"./types.js\";\n\n// Re-export scanner\nexport { scanRepository, validateProcess } from \"./scanner.js\";\n\n/** Format scan result as text */\nfunction formatScanText(result: ScanResult): string {\n const lines: string[] = [];\n\n lines.push(`Repository: ${result.repoInfo.owner}/${result.repoInfo.repo}`);\n lines.push(\"\");\n\n for (const check of result.checks) {\n if (check.skipped) {\n lines.push(chalk.yellow(`⊘ ${check.name} (skipped: ${check.skipReason})`));\n } else if (check.passed) {\n lines.push(chalk.green(`✓ ${check.name}`));\n } else {\n lines.push(chalk.red(`✗ ${check.name}`));\n for (const violation of check.violations) {\n lines.push(chalk.red(` • ${violation.message}`));\n }\n }\n }\n\n lines.push(\"\");\n lines.push(\n `Summary: ${result.summary.passedChecks} passed, ` +\n `${result.summary.failedChecks} failed, ` +\n `${result.summary.skippedChecks} skipped`\n );\n\n return lines.join(\"\\n\");\n}\n\n/** Format scan result as JSON */\nfunction formatScanJson(result: ScanResult): string {\n return JSON.stringify(result, null, 2);\n}\n\n/** Run the scan command */\nexport async function runScan(options: ScanOptions): Promise<void> {\n try {\n const { config } = await loadConfigAsync(options.config);\n const result = await scanRepository(options.repo, config);\n\n const output = options.format === \"json\" ? formatScanJson(result) : formatScanText(result);\n\n process.stdout.write(`${output}\\n`);\n process.exit(result.passed ? ExitCode.SUCCESS : ExitCode.VIOLATIONS_FOUND);\n } catch (error) {\n if (options.format === \"json\") {\n const errorObj = {\n error: true,\n message: error instanceof Error ? error.message : String(error),\n code: (error as { code?: string }).code ?? \"UNKNOWN\",\n };\n process.stdout.write(`${JSON.stringify(errorObj, null, 2)}\\n`);\n } else {\n console.error(chalk.red(`Error: ${error instanceof Error ? error.message : String(error)}`));\n }\n process.exit(ExitCode.RUNTIME_ERROR);\n }\n}\n","import { execa } from \"execa\";\n\nimport { type Config } from \"@standards-kit/core\";\nimport { type CheckResult, ExitCode, type Violation } from \"@standards-kit/core\";\nimport {\n checkRemoteFiles,\n isGhAvailable,\n parseRepoString,\n RemoteFetcherError,\n standardFileChecks,\n verifyRepoAccess,\n} from \"./remote-fetcher.js\";\nimport {\n type FileCheckConfig,\n type RemoteRepoInfo,\n type ScanResult,\n type ValidateProcessOptions,\n type ValidateProcessResult,\n} from \"./types.js\";\nimport { type RulesetResponse, validateRulesets } from \"./validators.js\";\n\n/** Fetch rulesets from GitHub API */\nasync function fetchRulesets(repoInfo: RemoteRepoInfo): Promise<RulesetResponse[]> {\n const result = await execa(\"gh\", [\"api\", `repos/${repoInfo.owner}/${repoInfo.repo}/rulesets`]);\n return JSON.parse(result.stdout) as RulesetResponse[];\n}\n\n/** Create a skipped check result */\nfunction createSkippedResult(\n name: string,\n rule: string,\n reason: string,\n duration: number\n): CheckResult {\n return { name, rule, passed: true, violations: [], skipped: true, skipReason: reason, duration };\n}\n\n/** Create an error check result */\nfunction createErrorResult(\n name: string,\n rule: string,\n message: string,\n duration: number\n): CheckResult {\n return {\n name,\n rule,\n passed: false,\n violations: [{ rule, tool: \"scan\", message, severity: \"error\" }],\n skipped: false,\n duration,\n };\n}\n\n/** Handle API errors for ruleset fetching */\nfunction handleRulesetError(\n error: unknown,\n repoConfig: NonNullable<Config[\"process\"]>[\"repo\"],\n elapsed: () => number\n): CheckResult {\n const msg = error instanceof Error ? error.message : String(error);\n\n if (msg.includes(\"403\") || msg.includes(\"Must have admin rights\")) {\n return createSkippedResult(\n \"Repository Settings\",\n \"process.repo\",\n \"Cannot check rulesets: insufficient permissions (requires admin access)\",\n elapsed()\n );\n }\n\n if (msg.includes(\"404\")) {\n const violations: Violation[] = [];\n if (repoConfig?.require_branch_protection) {\n violations.push({\n rule: \"process.repo.branch_protection\",\n tool: \"scan\",\n message: \"No branch protection rulesets configured\",\n severity: \"error\",\n });\n }\n return {\n name: \"Repository Settings\",\n rule: \"process.repo\",\n passed: violations.length === 0,\n violations,\n skipped: false,\n duration: elapsed(),\n };\n }\n\n return createErrorResult(\n \"Repository Settings\",\n \"process.repo\",\n `Failed to check rulesets: ${msg}`,\n elapsed()\n );\n}\n\n/** Check repository rulesets and branch protection */\nasync function checkRulesets(repoInfo: RemoteRepoInfo, config: Config): Promise<CheckResult> {\n const startTime = Date.now();\n const elapsed = (): number => Date.now() - startTime;\n const repoConfig = config.process?.repo;\n\n if (!repoConfig?.enabled) {\n return createSkippedResult(\n \"Repository Settings\",\n \"process.repo\",\n \"Repository settings check not enabled in config\",\n elapsed()\n );\n }\n\n try {\n const rulesets = await fetchRulesets(repoInfo);\n const violations = validateRulesets(rulesets, repoConfig);\n\n return {\n name: \"Repository Settings\",\n rule: \"process.repo\",\n passed: violations.length === 0,\n violations,\n skipped: false,\n duration: elapsed(),\n };\n } catch (error) {\n return handleRulesetError(error, repoConfig, elapsed);\n }\n}\n\n/** Build file checks configuration from config */\nfunction buildFileChecks(config: Config): FileCheckConfig[] {\n const fileChecks: FileCheckConfig[] = [];\n\n if (config.process?.repo?.require_codeowners) {\n fileChecks.push({\n path: \"CODEOWNERS\",\n alternativePaths: [\".github/CODEOWNERS\", \"docs/CODEOWNERS\"],\n required: true,\n description: \"CODEOWNERS file for code review assignment\",\n });\n }\n\n fileChecks.push(\n ...standardFileChecks.filter((check) => !fileChecks.some((fc) => fc.path === check.path))\n );\n\n return fileChecks;\n}\n\n/** Convert file check results to violations */\nfunction fileResultsToViolations(\n results: { path: string; exists: boolean; checkedPaths: string[] }[],\n fileChecks: FileCheckConfig[]\n): Violation[] {\n const violations: Violation[] = [];\n\n for (const result of results) {\n const checkConfig = fileChecks.find((fc) => fc.path === result.path);\n if (!result.exists && checkConfig?.required) {\n violations.push({\n rule: `process.scan.files.${result.path.replace(/[./]/g, \"_\")}`,\n tool: \"scan\",\n message: `Required file not found: ${result.path} (checked: ${result.checkedPaths.join(\", \")})`,\n severity: \"error\",\n });\n }\n }\n\n return violations;\n}\n\n/** Check remote files for existence */\nasync function checkFiles(repoInfo: RemoteRepoInfo, config: Config): Promise<CheckResult> {\n const startTime = Date.now();\n const elapsed = (): number => Date.now() - startTime;\n const fileChecks = buildFileChecks(config);\n\n if (fileChecks.length === 0) {\n return createSkippedResult(\n \"Repository Files\",\n \"process.scan.files\",\n \"No file checks configured\",\n elapsed()\n );\n }\n\n try {\n const results = await checkRemoteFiles(repoInfo, fileChecks);\n const violations = fileResultsToViolations(results, fileChecks);\n\n return {\n name: \"Repository Files\",\n rule: \"process.scan.files\",\n passed: violations.length === 0,\n violations,\n skipped: false,\n duration: elapsed(),\n };\n } catch (error) {\n const msg = error instanceof Error ? error.message : String(error);\n return createErrorResult(\n \"Repository Files\",\n \"process.scan.files\",\n `Failed to check files: ${msg}`,\n elapsed()\n );\n }\n}\n\n/** Aggregate check results into scan result */\nfunction aggregateResults(repoInfo: RemoteRepoInfo, checks: CheckResult[]): ScanResult {\n const violations = checks.flatMap((c) => c.violations);\n const passedChecks = checks.filter((c) => c.passed && !c.skipped).length;\n const failedChecks = checks.filter((c) => !c.passed && !c.skipped).length;\n const skippedChecks = checks.filter((c) => c.skipped).length;\n\n return {\n repoInfo,\n checks,\n violations,\n passed: failedChecks === 0,\n summary: { totalChecks: checks.length, passedChecks, failedChecks, skippedChecks },\n };\n}\n\n/** Run all remote scans for a repository */\nexport async function scanRepository(repo: string, config: Config): Promise<ScanResult> {\n const repoInfo = parseRepoString(repo);\n\n if (!(await isGhAvailable())) {\n throw new RemoteFetcherError(\n \"GitHub CLI (gh) not available. Install it from https://cli.github.com/\",\n \"NO_GH\"\n );\n }\n\n await verifyRepoAccess(repoInfo);\n\n const [rulesetsResult, filesResult] = await Promise.all([\n checkRulesets(repoInfo, config),\n checkFiles(repoInfo, config),\n ]);\n\n return aggregateResults(repoInfo, [rulesetsResult, filesResult]);\n}\n\n/** Programmatic API for validating remote process checks */\nexport async function validateProcess(\n options: ValidateProcessOptions\n): Promise<ValidateProcessResult> {\n const { loadConfigAsync } = await import(\"@standards-kit/core\");\n const { config } = await loadConfigAsync(options.config);\n const result = await scanRepository(options.repo, config);\n\n const fs = await import(\"node:fs\");\n const path = await import(\"node:path\");\n const { fileURLToPath } = await import(\"node:url\");\n\n const __dirname = path.dirname(fileURLToPath(import.meta.url));\n const packageJsonPath = path.resolve(__dirname, \"..\", \"..\", \"..\", \"package.json\");\n const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, \"utf-8\")) as { version: string };\n\n return {\n version: packageJson.version,\n repoInfo: result.repoInfo,\n domain: \"process\",\n checks: result.checks,\n summary: {\n totalChecks: result.summary.totalChecks,\n passedChecks: result.summary.passedChecks,\n failedChecks: result.summary.failedChecks,\n totalViolations: result.violations.length,\n exitCode: result.passed ? ExitCode.SUCCESS : ExitCode.VIOLATIONS_FOUND,\n },\n };\n}\n","import { execa } from \"execa\";\n\nimport { type FileCheckConfig, type FileCheckResult, type RemoteRepoInfo } from \"./types.js\";\n\n/** Error thrown when remote fetcher encounters an issue */\nexport class RemoteFetcherError extends Error {\n constructor(\n message: string,\n public readonly code: \"NO_GH\" | \"NO_REPO\" | \"NO_PERMISSION\" | \"API_ERROR\" | \"INVALID_REPO\"\n ) {\n super(message);\n this.name = \"RemoteFetcherError\";\n }\n}\n\n/** Parse owner/repo string into RemoteRepoInfo */\nexport function parseRepoString(repo: string): RemoteRepoInfo {\n const parts = repo.split(\"/\");\n if (parts.length !== 2 || !parts[0] || !parts[1]) {\n throw new RemoteFetcherError(\n `Invalid repository format: \"${repo}\". Expected \"owner/repo\" format.`,\n \"INVALID_REPO\"\n );\n }\n return { owner: parts[0], repo: parts[1] };\n}\n\n/** Check if gh CLI is available */\nexport async function isGhAvailable(): Promise<boolean> {\n try {\n await execa(\"gh\", [\"--version\"]);\n return true;\n } catch {\n return false;\n }\n}\n\n/** Verify the repository exists and user has access */\nexport async function verifyRepoAccess(repoInfo: RemoteRepoInfo): Promise<boolean> {\n try {\n await execa(\"gh\", [\"api\", `repos/${repoInfo.owner}/${repoInfo.repo}`]);\n return true;\n } catch (error) {\n const errorMessage = error instanceof Error ? error.message : String(error);\n\n if (errorMessage.includes(\"404\") || errorMessage.includes(\"Not Found\")) {\n throw new RemoteFetcherError(\n `Repository not found: ${repoInfo.owner}/${repoInfo.repo}`,\n \"NO_REPO\"\n );\n }\n\n if (errorMessage.includes(\"403\") || errorMessage.includes(\"401\")) {\n throw new RemoteFetcherError(\n `Cannot access repository: ${repoInfo.owner}/${repoInfo.repo}. Check your GITHUB_TOKEN permissions.`,\n \"NO_PERMISSION\"\n );\n }\n\n throw new RemoteFetcherError(\n `Failed to verify repository access: ${errorMessage}`,\n \"API_ERROR\"\n );\n }\n}\n\n/** Check if a file exists in the remote repository via GitHub Contents API */\nexport async function checkRemoteFileExists(\n repoInfo: RemoteRepoInfo,\n filePath: string\n): Promise<boolean> {\n try {\n await execa(\"gh\", [\n \"api\",\n `repos/${repoInfo.owner}/${repoInfo.repo}/contents/${filePath}`,\n \"--silent\",\n ]);\n return true;\n } catch {\n // File doesn't exist or no access - both return false\n return false;\n }\n}\n\n/** Check multiple alternative paths for a file */\nasync function checkRemoteFileWithAlternatives(\n repoInfo: RemoteRepoInfo,\n config: FileCheckConfig\n): Promise<FileCheckResult> {\n const allPaths = [config.path, ...(config.alternativePaths ?? [])];\n\n for (const path of allPaths) {\n // Sequential check needed - stop on first match\n const exists = await checkRemoteFileExists(repoInfo, path);\n if (exists) {\n return { path: config.path, exists: true, checkedPaths: allPaths };\n }\n }\n\n return { path: config.path, exists: false, checkedPaths: allPaths };\n}\n\n/** Batch check multiple files in a repository */\nexport async function checkRemoteFiles(\n repoInfo: RemoteRepoInfo,\n configs: FileCheckConfig[]\n): Promise<FileCheckResult[]> {\n // Run checks in parallel for efficiency\n const results = await Promise.all(\n configs.map((config) => checkRemoteFileWithAlternatives(repoInfo, config))\n );\n return results;\n}\n\n/** Standard file checks for remote validation */\nexport const standardFileChecks: FileCheckConfig[] = [\n {\n path: \"CODEOWNERS\",\n alternativePaths: [\".github/CODEOWNERS\", \"docs/CODEOWNERS\"],\n required: false,\n description: \"CODEOWNERS file for code review assignment\",\n },\n {\n path: \".github/PULL_REQUEST_TEMPLATE.md\",\n alternativePaths: [\n \".github/pull_request_template.md\",\n \"PULL_REQUEST_TEMPLATE.md\",\n \"pull_request_template.md\",\n ],\n required: false,\n description: \"Pull request template\",\n },\n {\n path: \"README.md\",\n alternativePaths: [\"readme.md\", \"README\"],\n required: false,\n description: \"Repository README\",\n },\n {\n path: \".github/workflows\",\n required: false,\n description: \"GitHub Actions workflows directory\",\n },\n];\n","import { type Config } from \"@standards-kit/core\";\nimport { type Violation } from \"@standards-kit/core\";\n\n/** GitHub Ruleset response types */\ninterface RulesetBypassActor {\n actor_id: number | null;\n actor_type: string;\n bypass_mode: string;\n}\n\ninterface RulesetRule {\n type: string;\n parameters?: {\n required_approving_review_count?: number;\n dismiss_stale_reviews_on_push?: boolean;\n require_code_owner_review?: boolean;\n required_status_checks?: { context: string }[];\n strict_required_status_checks_policy?: boolean;\n };\n}\n\nexport interface RulesetResponse {\n id: number;\n name: string;\n target: string;\n enforcement: string;\n conditions?: { ref_name?: { include?: string[]; exclude?: string[] } };\n bypass_actors?: RulesetBypassActor[];\n rules?: RulesetRule[];\n}\n\ntype RulesetConfig = NonNullable<NonNullable<Config[\"process\"]>[\"repo\"]>[\"ruleset\"];\ntype TagProtectionConfig = NonNullable<NonNullable<Config[\"process\"]>[\"repo\"]>[\"tag_protection\"];\n\n/** Check if branch matches any of the include patterns */\nfunction matchesBranch(patterns: string[], branch: string): boolean {\n for (const pattern of patterns) {\n const cleanPattern = pattern.replace(/^refs\\/heads\\//, \"\");\n if (cleanPattern === branch) {\n return true;\n }\n if (cleanPattern === \"~DEFAULT_BRANCH\" && branch === \"main\") {\n return true;\n }\n if (cleanPattern === \"~ALL\") {\n return true;\n }\n if (cleanPattern.includes(\"*\")) {\n const regex = new RegExp(`^${cleanPattern.replace(/\\*/g, \".*\")}$`);\n if (regex.test(branch)) {\n return true;\n }\n }\n }\n return false;\n}\n\n/** Find branch ruleset matching the target branch */\nfunction findBranchRuleset(\n rulesets: RulesetResponse[],\n branch: string\n): RulesetResponse | undefined {\n return rulesets.find(\n (r) =>\n r.target === \"branch\" &&\n r.enforcement === \"active\" &&\n matchesBranch(r.conditions?.ref_name?.include ?? [], branch)\n );\n}\n\n/** Validate rulesets against config */\n// eslint-disable-next-line complexity\nexport function validateRulesets(\n rulesets: RulesetResponse[],\n repoConfig: NonNullable<Config[\"process\"]>[\"repo\"]\n): Violation[] {\n if (!repoConfig) {\n return [];\n }\n\n const violations: Violation[] = [];\n const rulesetConfig = repoConfig.ruleset;\n const branch = rulesetConfig?.branch ?? \"main\";\n const branchRuleset = findBranchRuleset(rulesets, branch);\n\n if (repoConfig.require_branch_protection && !branchRuleset) {\n violations.push({\n rule: \"process.repo.branch_protection\",\n tool: \"scan\",\n message: `Branch '${branch}' does not have a branch protection ruleset`,\n severity: \"error\",\n });\n }\n\n if (branchRuleset && rulesetConfig) {\n violations.push(...validateBranchRuleset(branchRuleset, rulesetConfig, branch));\n }\n\n if (repoConfig.tag_protection?.patterns?.length) {\n violations.push(...validateTagProtection(rulesets, repoConfig.tag_protection));\n }\n\n return violations;\n}\n\n/** Validate branch ruleset settings against config */\nfunction validateBranchRuleset(\n ruleset: RulesetResponse,\n config: RulesetConfig,\n branch: string\n): Violation[] {\n if (!config) {\n return [];\n }\n\n const violations: Violation[] = [];\n const rules = ruleset.rules ?? [];\n const prRule = rules.find((r) => r.type === \"pull_request\");\n const statusRule = rules.find((r) => r.type === \"required_status_checks\");\n\n violations.push(...validatePullRequestRule(prRule, config, branch));\n violations.push(...validateStatusChecksRule(statusRule, config, branch));\n violations.push(...validateSignedCommits(rules, config, branch));\n violations.push(...validateBypassActors(ruleset.bypass_actors ?? [], config, branch));\n\n return violations;\n}\n\n/** Validate pull request rule settings */\n// eslint-disable-next-line complexity\nfunction validatePullRequestRule(\n prRule: RulesetRule | undefined,\n config: RulesetConfig,\n branch: string\n): Violation[] {\n if (!config) {\n return [];\n }\n\n const violations: Violation[] = [];\n const params = prRule?.parameters;\n\n if (config.required_reviews !== undefined) {\n const actualReviews = params?.required_approving_review_count ?? 0;\n if (actualReviews < config.required_reviews) {\n violations.push({\n rule: \"process.repo.branch_protection.required_reviews\",\n tool: \"scan\",\n message: `Branch '${branch}' requires ${actualReviews} reviews, expected at least ${config.required_reviews}`,\n severity: \"error\",\n });\n }\n }\n\n if (config.dismiss_stale_reviews === true && !(params?.dismiss_stale_reviews_on_push ?? false)) {\n violations.push({\n rule: \"process.repo.branch_protection.dismiss_stale_reviews\",\n tool: \"scan\",\n message: `Branch '${branch}' does not dismiss stale reviews on new commits`,\n severity: \"error\",\n });\n }\n\n if (config.require_code_owner_reviews === true && !(params?.require_code_owner_review ?? false)) {\n violations.push({\n rule: \"process.repo.branch_protection.require_code_owner_reviews\",\n tool: \"scan\",\n message: `Branch '${branch}' does not require code owner reviews`,\n severity: \"error\",\n });\n }\n\n return violations;\n}\n\n/** Validate status checks rule settings */\n// eslint-disable-next-line complexity\nfunction validateStatusChecksRule(\n statusRule: RulesetRule | undefined,\n config: RulesetConfig,\n branch: string\n): Violation[] {\n if (!config) {\n return [];\n }\n\n const violations: Violation[] = [];\n const params = statusRule?.parameters;\n\n if (config.require_status_checks && config.require_status_checks.length > 0) {\n const actualChecks = params?.required_status_checks?.map((c) => c.context) ?? [];\n const missingChecks = config.require_status_checks.filter(\n (check) => !actualChecks.includes(check)\n );\n if (missingChecks.length > 0) {\n violations.push({\n rule: \"process.repo.branch_protection.require_status_checks\",\n tool: \"scan\",\n message: `Branch '${branch}' missing required status checks: ${missingChecks.join(\", \")}`,\n severity: \"error\",\n });\n }\n }\n\n if (\n config.require_branches_up_to_date === true &&\n !(params?.strict_required_status_checks_policy ?? false)\n ) {\n violations.push({\n rule: \"process.repo.branch_protection.require_branches_up_to_date\",\n tool: \"scan\",\n message: `Branch '${branch}' does not require branches to be up to date before merging`,\n severity: \"error\",\n });\n }\n\n return violations;\n}\n\n/** Validate signed commits requirement */\nfunction validateSignedCommits(\n rules: RulesetRule[],\n config: RulesetConfig,\n branch: string\n): Violation[] {\n if (config?.require_signed_commits !== true) {\n return [];\n }\n\n if (!rules.some((r) => r.type === \"required_signatures\")) {\n return [\n {\n rule: \"process.repo.branch_protection.require_signed_commits\",\n tool: \"scan\",\n message: `Branch '${branch}' does not require signed commits`,\n severity: \"error\",\n },\n ];\n }\n\n return [];\n}\n\n/** Validate bypass actors configuration */\nfunction validateBypassActors(\n actualBypass: RulesetBypassActor[],\n config: RulesetConfig,\n branch: string\n): Violation[] {\n if (config?.enforce_admins !== true || actualBypass.length === 0) {\n return [];\n }\n\n return [\n {\n rule: \"process.repo.branch_protection.enforce_admins\",\n tool: \"scan\",\n message: `Branch '${branch}' has bypass actors configured but enforce_admins requires no bypasses`,\n severity: \"error\",\n },\n ];\n}\n\n/** Validate tag protection rulesets */\nfunction validateTagProtection(\n rulesets: RulesetResponse[],\n tagConfig: TagProtectionConfig\n): Violation[] {\n if (!tagConfig?.patterns?.length) {\n return [];\n }\n\n const violations: Violation[] = [];\n const tagRuleset = rulesets.find((r) => r.target === \"tag\" && r.enforcement === \"active\");\n\n if (!tagRuleset) {\n return [\n {\n rule: \"process.repo.tag_protection\",\n tool: \"scan\",\n message: \"No active tag protection ruleset found\",\n severity: \"error\",\n },\n ];\n }\n\n violations.push(...validateTagPatterns(tagConfig.patterns, tagRuleset));\n violations.push(...validateTagRules(tagConfig, tagRuleset.rules ?? []));\n\n return violations;\n}\n\n/** Validate tag patterns match */\nfunction validateTagPatterns(expectedPatterns: string[], tagRuleset: RulesetResponse): Violation[] {\n const expected = expectedPatterns.map((p) => `refs/tags/${p}`).sort();\n const actual = [...(tagRuleset.conditions?.ref_name?.include ?? [])].sort();\n\n if (expected.length === actual.length && expected.every((v, i) => v === actual[i])) {\n return [];\n }\n\n const found = actual.map((p) => p.replace(/^refs\\/tags\\//, \"\")).join(\", \");\n return [\n {\n rule: \"process.repo.tag_protection.patterns\",\n tool: \"scan\",\n message: `Tag protection patterns mismatch: expected [${expectedPatterns.join(\", \")}], found [${found}]`,\n severity: \"error\",\n },\n ];\n}\n\n/** Validate tag protection rules */\nfunction validateTagRules(tagConfig: TagProtectionConfig, rules: RulesetRule[]): Violation[] {\n if (!tagConfig) {\n return [];\n }\n\n const violations: Violation[] = [];\n\n if (tagConfig.prevent_deletion !== false && !rules.some((r) => r.type === \"deletion\")) {\n violations.push({\n rule: \"process.repo.tag_protection.prevent_deletion\",\n tool: \"scan\",\n message: \"Tag protection does not prevent deletion\",\n severity: \"error\",\n });\n }\n\n if (tagConfig.prevent_update !== false && !rules.some((r) => r.type === \"update\")) {\n violations.push({\n rule: \"process.repo.tag_protection.prevent_update\",\n tool: \"scan\",\n message: \"Tag protection does not prevent updates (force-push)\",\n severity: \"error\",\n });\n }\n\n return violations;\n}\n"],"mappings":";;;;;;;;AAAA,OAAO,WAAW;;;ACAlB,SAAS,SAAAA,cAAa;;;ACAtB,SAAS,aAAa;AAKf,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAC5C,YACE,SACgB,MAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAGO,SAAS,gBAAgB,MAA8B;AAC5D,QAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,+BAA+B,IAAI;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,OAAO,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,EAAE;AAC3C;AAGA,eAAsB,gBAAkC;AACtD,MAAI;AACF,UAAM,MAAM,MAAM,CAAC,WAAW,CAAC;AAC/B,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,iBAAiB,UAA4C;AACjF,MAAI;AACF,UAAM,MAAM,MAAM,CAAC,OAAO,SAAS,SAAS,KAAK,IAAI,SAAS,IAAI,EAAE,CAAC;AACrE,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAE1E,QAAI,aAAa,SAAS,KAAK,KAAK,aAAa,SAAS,WAAW,GAAG;AACtE,YAAM,IAAI;AAAA,QACR,yBAAyB,SAAS,KAAK,IAAI,SAAS,IAAI;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAEA,QAAI,aAAa,SAAS,KAAK,KAAK,aAAa,SAAS,KAAK,GAAG;AAChE,YAAM,IAAI;AAAA,QACR,6BAA6B,SAAS,KAAK,IAAI,SAAS,IAAI;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,IAAI;AAAA,MACR,uCAAuC,YAAY;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AACF;AAGA,eAAsB,sBACpB,UACA,UACkB;AAClB,MAAI;AACF,UAAM,MAAM,MAAM;AAAA,MAChB;AAAA,MACA,SAAS,SAAS,KAAK,IAAI,SAAS,IAAI,aAAa,QAAQ;AAAA,MAC7D;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAGA,eAAe,gCACb,UACA,QAC0B;AAC1B,QAAM,WAAW,CAAC,OAAO,MAAM,GAAI,OAAO,oBAAoB,CAAC,CAAE;AAEjE,aAAW,QAAQ,UAAU;AAE3B,UAAM,SAAS,MAAM,sBAAsB,UAAU,IAAI;AACzD,QAAI,QAAQ;AACV,aAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,MAAM,cAAc,SAAS;AAAA,IACnE;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,OAAO,MAAM,QAAQ,OAAO,cAAc,SAAS;AACpE;AAGA,eAAsB,iBACpB,UACA,SAC4B;AAE5B,QAAM,UAAU,MAAM,QAAQ;AAAA,IAC5B,QAAQ,IAAI,CAAC,WAAW,gCAAgC,UAAU,MAAM,CAAC;AAAA,EAC3E;AACA,SAAO;AACT;AAGO,IAAM,qBAAwC;AAAA,EACnD;AAAA,IACE,MAAM;AAAA,IACN,kBAAkB,CAAC,sBAAsB,iBAAiB;AAAA,IAC1D,UAAU;AAAA,IACV,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,kBAAkB;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,kBAAkB,CAAC,aAAa,QAAQ;AAAA,IACxC,UAAU;AAAA,IACV,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,EACf;AACF;;;AC5GA,SAAS,cAAc,UAAoB,QAAyB;AAClE,aAAW,WAAW,UAAU;AAC9B,UAAM,eAAe,QAAQ,QAAQ,kBAAkB,EAAE;AACzD,QAAI,iBAAiB,QAAQ;AAC3B,aAAO;AAAA,IACT;AACA,QAAI,iBAAiB,qBAAqB,WAAW,QAAQ;AAC3D,aAAO;AAAA,IACT;AACA,QAAI,iBAAiB,QAAQ;AAC3B,aAAO;AAAA,IACT;AACA,QAAI,aAAa,SAAS,GAAG,GAAG;AAC9B,YAAM,QAAQ,IAAI,OAAO,IAAI,aAAa,QAAQ,OAAO,IAAI,CAAC,GAAG;AACjE,UAAI,MAAM,KAAK,MAAM,GAAG;AACtB,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAGA,SAAS,kBACP,UACA,QAC6B;AAC7B,SAAO,SAAS;AAAA,IACd,CAAC,MACC,EAAE,WAAW,YACb,EAAE,gBAAgB,YAClB,cAAc,EAAE,YAAY,UAAU,WAAW,CAAC,GAAG,MAAM;AAAA,EAC/D;AACF;AAIO,SAAS,iBACd,UACA,YACa;AACb,MAAI,CAAC,YAAY;AACf,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AACjC,QAAM,gBAAgB,WAAW;AACjC,QAAM,SAAS,eAAe,UAAU;AACxC,QAAM,gBAAgB,kBAAkB,UAAU,MAAM;AAExD,MAAI,WAAW,6BAA6B,CAAC,eAAe;AAC1D,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,WAAW,MAAM;AAAA,MAC1B,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,MAAI,iBAAiB,eAAe;AAClC,eAAW,KAAK,GAAG,sBAAsB,eAAe,eAAe,MAAM,CAAC;AAAA,EAChF;AAEA,MAAI,WAAW,gBAAgB,UAAU,QAAQ;AAC/C,eAAW,KAAK,GAAG,sBAAsB,UAAU,WAAW,cAAc,CAAC;AAAA,EAC/E;AAEA,SAAO;AACT;AAGA,SAAS,sBACP,SACA,QACA,QACa;AACb,MAAI,CAAC,QAAQ;AACX,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AACjC,QAAM,QAAQ,QAAQ,SAAS,CAAC;AAChC,QAAM,SAAS,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,cAAc;AAC1D,QAAM,aAAa,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,wBAAwB;AAExE,aAAW,KAAK,GAAG,wBAAwB,QAAQ,QAAQ,MAAM,CAAC;AAClE,aAAW,KAAK,GAAG,yBAAyB,YAAY,QAAQ,MAAM,CAAC;AACvE,aAAW,KAAK,GAAG,sBAAsB,OAAO,QAAQ,MAAM,CAAC;AAC/D,aAAW,KAAK,GAAG,qBAAqB,QAAQ,iBAAiB,CAAC,GAAG,QAAQ,MAAM,CAAC;AAEpF,SAAO;AACT;AAIA,SAAS,wBACP,QACA,QACA,QACa;AACb,MAAI,CAAC,QAAQ;AACX,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AACjC,QAAM,SAAS,QAAQ;AAEvB,MAAI,OAAO,qBAAqB,QAAW;AACzC,UAAM,gBAAgB,QAAQ,mCAAmC;AACjE,QAAI,gBAAgB,OAAO,kBAAkB;AAC3C,iBAAW,KAAK;AAAA,QACd,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS,WAAW,MAAM,cAAc,aAAa,+BAA+B,OAAO,gBAAgB;AAAA,QAC3G,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,0BAA0B,QAAQ,EAAE,QAAQ,iCAAiC,QAAQ;AAC9F,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,WAAW,MAAM;AAAA,MAC1B,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,+BAA+B,QAAQ,EAAE,QAAQ,6BAA6B,QAAQ;AAC/F,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,WAAW,MAAM;AAAA,MAC1B,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAIA,SAAS,yBACP,YACA,QACA,QACa;AACb,MAAI,CAAC,QAAQ;AACX,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AACjC,QAAM,SAAS,YAAY;AAE3B,MAAI,OAAO,yBAAyB,OAAO,sBAAsB,SAAS,GAAG;AAC3E,UAAM,eAAe,QAAQ,wBAAwB,IAAI,CAAC,MAAM,EAAE,OAAO,KAAK,CAAC;AAC/E,UAAM,gBAAgB,OAAO,sBAAsB;AAAA,MACjD,CAAC,UAAU,CAAC,aAAa,SAAS,KAAK;AAAA,IACzC;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,iBAAW,KAAK;AAAA,QACd,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS,WAAW,MAAM,qCAAqC,cAAc,KAAK,IAAI,CAAC;AAAA,QACvF,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MACE,OAAO,gCAAgC,QACvC,EAAE,QAAQ,wCAAwC,QAClD;AACA,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,WAAW,MAAM;AAAA,MAC1B,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAGA,SAAS,sBACP,OACA,QACA,QACa;AACb,MAAI,QAAQ,2BAA2B,MAAM;AAC3C,WAAO,CAAC;AAAA,EACV;AAEA,MAAI,CAAC,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,qBAAqB,GAAG;AACxD,WAAO;AAAA,MACL;AAAA,QACE,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS,WAAW,MAAM;AAAA,QAC1B,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAEA,SAAO,CAAC;AACV;AAGA,SAAS,qBACP,cACA,QACA,QACa;AACb,MAAI,QAAQ,mBAAmB,QAAQ,aAAa,WAAW,GAAG;AAChE,WAAO,CAAC;AAAA,EACV;AAEA,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,WAAW,MAAM;AAAA,MAC1B,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAGA,SAAS,sBACP,UACA,WACa;AACb,MAAI,CAAC,WAAW,UAAU,QAAQ;AAChC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AACjC,QAAM,aAAa,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,SAAS,EAAE,gBAAgB,QAAQ;AAExF,MAAI,CAAC,YAAY;AACf,WAAO;AAAA,MACL;AAAA,QACE,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAEA,aAAW,KAAK,GAAG,oBAAoB,UAAU,UAAU,UAAU,CAAC;AACtE,aAAW,KAAK,GAAG,iBAAiB,WAAW,WAAW,SAAS,CAAC,CAAC,CAAC;AAEtE,SAAO;AACT;AAGA,SAAS,oBAAoB,kBAA4B,YAA0C;AACjG,QAAM,WAAW,iBAAiB,IAAI,CAAC,MAAM,aAAa,CAAC,EAAE,EAAE,KAAK;AACpE,QAAM,SAAS,CAAC,GAAI,WAAW,YAAY,UAAU,WAAW,CAAC,CAAE,EAAE,KAAK;AAE1E,MAAI,SAAS,WAAW,OAAO,UAAU,SAAS,MAAM,CAAC,GAAG,MAAM,MAAM,OAAO,CAAC,CAAC,GAAG;AAClF,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,QAAQ,OAAO,IAAI,CAAC,MAAM,EAAE,QAAQ,iBAAiB,EAAE,CAAC,EAAE,KAAK,IAAI;AACzE,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS,+CAA+C,iBAAiB,KAAK,IAAI,CAAC,aAAa,KAAK;AAAA,MACrG,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAGA,SAAS,iBAAiB,WAAgC,OAAmC;AAC3F,MAAI,CAAC,WAAW;AACd,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,aAA0B,CAAC;AAEjC,MAAI,UAAU,qBAAqB,SAAS,CAAC,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,UAAU,GAAG;AACrF,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,MAAI,UAAU,mBAAmB,SAAS,CAAC,MAAM,KAAK,CAAC,MAAM,EAAE,SAAS,QAAQ,GAAG;AACjF,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AF7TA,eAAe,cAAc,UAAsD;AACjF,QAAM,SAAS,MAAMC,OAAM,MAAM,CAAC,OAAO,SAAS,SAAS,KAAK,IAAI,SAAS,IAAI,WAAW,CAAC;AAC7F,SAAO,KAAK,MAAM,OAAO,MAAM;AACjC;AAGA,SAAS,oBACP,MACA,MACA,QACA,UACa;AACb,SAAO,EAAE,MAAM,MAAM,QAAQ,MAAM,YAAY,CAAC,GAAG,SAAS,MAAM,YAAY,QAAQ,SAAS;AACjG;AAGA,SAAS,kBACP,MACA,MACA,SACA,UACa;AACb,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR,YAAY,CAAC,EAAE,MAAM,MAAM,QAAQ,SAAS,UAAU,QAAQ,CAAC;AAAA,IAC/D,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAGA,SAAS,mBACP,OACA,YACA,SACa;AACb,QAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAEjE,MAAI,IAAI,SAAS,KAAK,KAAK,IAAI,SAAS,wBAAwB,GAAG;AACjE,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,IAAI,SAAS,KAAK,GAAG;AACvB,UAAM,aAA0B,CAAC;AACjC,QAAI,YAAY,2BAA2B;AACzC,iBAAW,KAAK;AAAA,QACd,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AACA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,QAAQ,WAAW,WAAW;AAAA,MAC9B;AAAA,MACA,SAAS;AAAA,MACT,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,6BAA6B,GAAG;AAAA,IAChC,QAAQ;AAAA,EACV;AACF;AAGA,eAAe,cAAc,UAA0B,QAAsC;AAC3F,QAAM,YAAY,KAAK,IAAI;AAC3B,QAAM,UAAU,MAAc,KAAK,IAAI,IAAI;AAC3C,QAAM,aAAa,OAAO,SAAS;AAEnC,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,cAAc,QAAQ;AAC7C,UAAM,aAAa,iBAAiB,UAAU,UAAU;AAExD,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,QAAQ,WAAW,WAAW;AAAA,MAC9B;AAAA,MACA,SAAS;AAAA,MACT,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF,SAAS,OAAO;AACd,WAAO,mBAAmB,OAAO,YAAY,OAAO;AAAA,EACtD;AACF;AAGA,SAAS,gBAAgB,QAAmC;AAC1D,QAAM,aAAgC,CAAC;AAEvC,MAAI,OAAO,SAAS,MAAM,oBAAoB;AAC5C,eAAW,KAAK;AAAA,MACd,MAAM;AAAA,MACN,kBAAkB,CAAC,sBAAsB,iBAAiB;AAAA,MAC1D,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAEA,aAAW;AAAA,IACT,GAAG,mBAAmB,OAAO,CAAC,UAAU,CAAC,WAAW,KAAK,CAAC,OAAO,GAAG,SAAS,MAAM,IAAI,CAAC;AAAA,EAC1F;AAEA,SAAO;AACT;AAGA,SAAS,wBACP,SACA,YACa;AACb,QAAM,aAA0B,CAAC;AAEjC,aAAW,UAAU,SAAS;AAC5B,UAAM,cAAc,WAAW,KAAK,CAAC,OAAO,GAAG,SAAS,OAAO,IAAI;AACnE,QAAI,CAAC,OAAO,UAAU,aAAa,UAAU;AAC3C,iBAAW,KAAK;AAAA,QACd,MAAM,sBAAsB,OAAO,KAAK,QAAQ,SAAS,GAAG,CAAC;AAAA,QAC7D,MAAM;AAAA,QACN,SAAS,4BAA4B,OAAO,IAAI,cAAc,OAAO,aAAa,KAAK,IAAI,CAAC;AAAA,QAC5F,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAGA,eAAe,WAAW,UAA0B,QAAsC;AACxF,QAAM,YAAY,KAAK,IAAI;AAC3B,QAAM,UAAU,MAAc,KAAK,IAAI,IAAI;AAC3C,QAAM,aAAa,gBAAgB,MAAM;AAEzC,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,UAAU,MAAM,iBAAiB,UAAU,UAAU;AAC3D,UAAM,aAAa,wBAAwB,SAAS,UAAU;AAE9D,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,QAAQ,WAAW,WAAW;AAAA,MAC9B;AAAA,MACA,SAAS;AAAA,MACT,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF,SAAS,OAAO;AACd,UAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACjE,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,0BAA0B,GAAG;AAAA,MAC7B,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAGA,SAAS,iBAAiB,UAA0B,QAAmC;AACrF,QAAM,aAAa,OAAO,QAAQ,CAAC,MAAM,EAAE,UAAU;AACrD,QAAM,eAAe,OAAO,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE;AAClE,QAAM,eAAe,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE;AACnE,QAAM,gBAAgB,OAAO,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE;AAEtD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ,iBAAiB;AAAA,IACzB,SAAS,EAAE,aAAa,OAAO,QAAQ,cAAc,cAAc,cAAc;AAAA,EACnF;AACF;AAGA,eAAsB,eAAe,MAAc,QAAqC;AACtF,QAAM,WAAW,gBAAgB,IAAI;AAErC,MAAI,CAAE,MAAM,cAAc,GAAI;AAC5B,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,QAAQ;AAE/B,QAAM,CAAC,gBAAgB,WAAW,IAAI,MAAM,QAAQ,IAAI;AAAA,IACtD,cAAc,UAAU,MAAM;AAAA,IAC9B,WAAW,UAAU,MAAM;AAAA,EAC7B,CAAC;AAED,SAAO,iBAAiB,UAAU,CAAC,gBAAgB,WAAW,CAAC;AACjE;AAGA,eAAsB,gBACpB,SACgC;AAChC,QAAM,EAAE,iBAAAC,iBAAgB,IAAI,MAAM,OAAO,mBAAqB;AAC9D,QAAM,EAAE,OAAO,IAAI,MAAMA,iBAAgB,QAAQ,MAAM;AACvD,QAAM,SAAS,MAAM,eAAe,QAAQ,MAAM,MAAM;AAExD,QAAM,KAAK,MAAM,OAAO,IAAS;AACjC,QAAM,OAAO,MAAM,OAAO,MAAW;AACrC,QAAM,EAAE,cAAc,IAAI,MAAM,OAAO,KAAU;AAEjD,QAAM,YAAY,KAAK,QAAQ,cAAc,YAAY,GAAG,CAAC;AAC7D,QAAM,kBAAkB,KAAK,QAAQ,WAAW,MAAM,MAAM,MAAM,cAAc;AAChF,QAAM,cAAc,KAAK,MAAM,GAAG,aAAa,iBAAiB,OAAO,CAAC;AAExE,SAAO;AAAA,IACL,SAAS,YAAY;AAAA,IACrB,UAAU,OAAO;AAAA,IACjB,QAAQ;AAAA,IACR,QAAQ,OAAO;AAAA,IACf,SAAS;AAAA,MACP,aAAa,OAAO,QAAQ;AAAA,MAC5B,cAAc,OAAO,QAAQ;AAAA,MAC7B,cAAc,OAAO,QAAQ;AAAA,MAC7B,iBAAiB,OAAO,WAAW;AAAA,MACnC,UAAU,OAAO,SAAS,SAAS,UAAU,SAAS;AAAA,IACxD;AAAA,EACF;AACF;;;ADjQA,SAAS,eAAe,QAA4B;AAClD,QAAM,QAAkB,CAAC;AAEzB,QAAM,KAAK,eAAe,OAAO,SAAS,KAAK,IAAI,OAAO,SAAS,IAAI,EAAE;AACzE,QAAM,KAAK,EAAE;AAEb,aAAW,SAAS,OAAO,QAAQ;AACjC,QAAI,MAAM,SAAS;AACjB,YAAM,KAAK,MAAM,OAAO,UAAK,MAAM,IAAI,cAAc,MAAM,UAAU,GAAG,CAAC;AAAA,IAC3E,WAAW,MAAM,QAAQ;AACvB,YAAM,KAAK,MAAM,MAAM,UAAK,MAAM,IAAI,EAAE,CAAC;AAAA,IAC3C,OAAO;AACL,YAAM,KAAK,MAAM,IAAI,UAAK,MAAM,IAAI,EAAE,CAAC;AACvC,iBAAW,aAAa,MAAM,YAAY;AACxC,cAAM,KAAK,MAAM,IAAI,YAAO,UAAU,OAAO,EAAE,CAAC;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AAEA,QAAM,KAAK,EAAE;AACb,QAAM;AAAA,IACJ,YAAY,OAAO,QAAQ,YAAY,YAClC,OAAO,QAAQ,YAAY,YAC3B,OAAO,QAAQ,aAAa;AAAA,EACnC;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAGA,SAAS,eAAe,QAA4B;AAClD,SAAO,KAAK,UAAU,QAAQ,MAAM,CAAC;AACvC;AAGA,eAAsB,QAAQ,SAAqC;AACjE,MAAI;AACF,UAAM,EAAE,OAAO,IAAI,MAAM,gBAAgB,QAAQ,MAAM;AACvD,UAAM,SAAS,MAAM,eAAe,QAAQ,MAAM,MAAM;AAExD,UAAM,SAAS,QAAQ,WAAW,SAAS,eAAe,MAAM,IAAI,eAAe,MAAM;AAEzF,YAAQ,OAAO,MAAM,GAAG,MAAM;AAAA,CAAI;AAClC,YAAQ,KAAK,OAAO,SAAS,SAAS,UAAU,SAAS,gBAAgB;AAAA,EAC3E,SAAS,OAAO;AACd,QAAI,QAAQ,WAAW,QAAQ;AAC7B,YAAM,WAAW;AAAA,QACf,OAAO;AAAA,QACP,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAC9D,MAAO,MAA4B,QAAQ;AAAA,MAC7C;AACA,cAAQ,OAAO,MAAM,GAAG,KAAK,UAAU,UAAU,MAAM,CAAC,CAAC;AAAA,CAAI;AAAA,IAC/D,OAAO;AACL,cAAQ,MAAM,MAAM,IAAI,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC,EAAE,CAAC;AAAA,IAC7F;AACA,YAAQ,KAAK,SAAS,aAAa;AAAA,EACrC;AACF;","names":["execa","execa","loadConfigAsync"]}