@standards-kit/conform 0.1.3 → 0.3.0

package/dist/index.js

@@ -26,7 +26,7 @@ import {
   getProjectRoot,
   loadConfig,
   loadConfigAsync
-} from "./chunk-PZ2NVKI7.js";
+} from "./chunk-FJZMUGYW.js";
 import {
   AccountIdSchema,
   AccountKeySchema,
@@ -71,6 +71,14 @@ import {
   validateMultiAccountManifest,
   validateStackExport
 } from "./chunk-M7G73Q6P.js";
+import {
+  AWS_DEFAULTS,
+  CACHE,
+  CONCURRENCY,
+  GITHUB_API,
+  STANDARDS_REPO,
+  TIMEOUTS
+} from "./chunk-RHM53NLG.js";
 
 // src/code/tools/base.ts
 import * as fs from "fs";
@@ -402,7 +410,7 @@ var CoverageRunRunner = class extends BaseToolRunner {
     const result = await execa(testCommand.cmd, testCommand.args, {
       cwd: projectRoot,
       reject: false,
-      timeout: 10 * 60 * 1e3,
+      timeout: TIMEOUTS.codeToolExtended,
       env: { ...process.env, CI: "true" }
     });
     return { exitCode: result.exitCode, stderr: result.stderr, stdout: result.stdout };
@@ -903,7 +911,7 @@ var ESLintRunner = class extends BaseToolRunner {
       const result = await execa2("npx", ["eslint", ...args], {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       const violations = this.parseOutput(result.stdout, projectRoot);
       if (violations === null && result.exitCode !== 0 && result.stderr) {
@@ -987,7 +995,7 @@ var ESLintRunner = class extends BaseToolRunner {
       const result = await execa2("npx", ["eslint", "--print-config", sampleFile], {
         cwd: projectRoot,
         reject: false,
-        timeout: 30 * 1e3
+        timeout: TIMEOUTS.quick
       });
       if (result.exitCode !== 0) {
         return { error: `Failed to read ESLint config: ${result.stderr || "Unknown error"}` };
@@ -1311,7 +1319,7 @@ var GitleaksRunner = class extends BaseToolRunner {
       const result = await execa3("gitleaks", args, {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       return this.processResult(result, elapsed);
     } catch (error) {
@@ -1391,7 +1399,7 @@ var GitleaksRunner = class extends BaseToolRunner {
       await execa3("gitleaks", ["version"], {
         cwd: projectRoot,
         reject: true,
-        timeout: 10 * 1e3
+        timeout: TIMEOUTS.versionCheck
       });
       return this.pass(Date.now() - startTime);
     } catch (error) {
@@ -1428,7 +1436,7 @@ var KnipRunner = class extends BaseToolRunner {
       const result = await execa4("npx", ["knip", "--reporter", "json"], {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       const output = result.stdout || result.stderr;
       const violations = this.parseOutput(output, projectRoot);
@@ -1890,13 +1898,13 @@ var PipAuditRunner = class extends BaseToolRunner {
       return await execa5("uvx", args, {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
     } catch {
       return await execa5("pip-audit", args.slice(1), {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
     }
   }
@@ -2013,7 +2021,7 @@ var PnpmAuditRunner = class extends BaseToolRunner {
       const result = await execa6("pnpm", args, {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       return this.processAuditResult(result, elapsed);
     } catch (error) {
@@ -2191,7 +2199,7 @@ var RuffRunner = class extends BaseToolRunner {
       const result = await execa7("ruff", this.buildCliArgs(), {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       if (this.isBinaryNotFound(result)) {
         return this.skipNotInstalled(Date.now() - startTime);
@@ -2357,7 +2365,7 @@ var TscRunner = class extends BaseToolRunner {
     return execa8("npx", ["tsc", "--noEmit"], {
       cwd: projectRoot,
       reject: false,
-      timeout: 5 * 60 * 1e3
+      timeout: TIMEOUTS.codeTool
     });
   }
   processRunResult(result, projectRoot, elapsed) {
@@ -2588,7 +2596,7 @@ var TyRunner = class extends BaseToolRunner {
       const result = await execa9("uvx", ["ty", "check", "--output-format", "concise", "."], {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       return this.handleExitCode(result, projectRoot, elapsed);
     } catch (error) {
@@ -2737,7 +2745,7 @@ var VultureRunner = class _VultureRunner extends BaseToolRunner {
       const result = await execa10("vulture", [".", "--exclude", excludePatterns], {
         cwd: projectRoot,
         reject: false,
-        timeout: 5 * 60 * 1e3
+        timeout: TIMEOUTS.codeTool
       });
       if (this.isBinaryNotFound(result)) {
         return this.skipNotInstalled(Date.now() - startTime);
@@ -3151,7 +3159,7 @@ var BackupsRunner = class extends BaseProcessToolRunner {
   }
   getS3Client() {
     return this.s3Client ?? new S3Client({
-      region: this.config.region ?? process.env.AWS_REGION ?? "us-east-1"
+      region: this.config.region ?? process.env.AWS_REGION ?? AWS_DEFAULTS.globalRegion
     });
   }
   createExistsViolation() {
@@ -5246,7 +5254,7 @@ var PrRunner = class extends BaseProcessToolRunner {
   /** Fetch a single page of PR files from GitHub API */
   async fetchPrFilesPage(repo, prNumber, page, token) {
     const response = await fetch(
-      `https://api.github.com/repos/${repo}/pulls/${prNumber}/files?per_page=100&page=${page}`,
+      `${GITHUB_API.baseUrl}/repos/${repo}/pulls/${prNumber}/files?per_page=${GITHUB_API.perPage}&page=${page}`,
       {
         headers: {
           Authorization: `Bearer ${token}`,
@@ -5577,7 +5585,6 @@ var RepoRunner = class extends BaseProcessToolRunner {
     violations.push(...this.checkBypassActorsSettings(ruleset, bpConfig, branch));
     return violations;
   }
-  // eslint-disable-next-line complexity
   checkPullRequestRuleSettings(prRule, bpConfig, branch) {
     const violations = [];
     const params = prRule?.parameters;
@@ -5614,7 +5621,6 @@ var RepoRunner = class extends BaseProcessToolRunner {
     }
     return violations;
   }
-  // eslint-disable-next-line complexity
   checkStatusChecksRuleSettings(statusRule, bpConfig, branch) {
     const violations = [];
     const params = statusRule?.parameters;
@@ -6657,7 +6663,7 @@ async function scanRepository(repo, config) {
   return aggregateResults(repoInfo, [rulesetsResult, filesResult]);
 }
 async function validateProcess(options) {
-  const { loadConfigAsync: loadConfigAsync2 } = await import("./core-KB2W6SE2.js");
+  const { loadConfigAsync: loadConfigAsync2 } = await import("./core-LFX2BFLG.js");
   const { config } = await loadConfigAsync2(options.config);
   const result = await scanRepository(options.repo, config);
   const fs22 = await import("fs");
@@ -6968,9 +6974,7 @@ import * as fs18 from "fs";
 import * as os from "os";
 import * as path17 from "path";
 import { execa as execa19 } from "execa";
-var DEFAULT_OWNER = "palindrom-ai";
-var DEFAULT_REPO = "standards";
-var CACHE_DIR = path17.join(os.tmpdir(), "cm-standards-cache");
+var CACHE_DIR = path17.join(os.tmpdir(), CACHE.standardsCacheDir);
 function parseGitHubSource(source) {
   const remainder = source.slice(7);
   const atIndex = remainder.indexOf("@");
@@ -7029,7 +7033,7 @@ function buildGitHubUrl(auth, owner, repo) {
 }
 async function updateExistingRepo(repoDir) {
   try {
-    await execa19("git", ["pull", "--ff-only"], { cwd: repoDir, timeout: 3e4 });
+    await execa19("git", ["pull", "--ff-only"], { cwd: repoDir, timeout: TIMEOUTS.git });
     return true;
   } catch {
     fs18.rmSync(repoDir, { recursive: true, force: true });
@@ -7047,12 +7051,12 @@ async function cloneRepo(repoDir, owner, repo, ref) {
     }
     args.push(url, repoDir);
     await execa19("git", args, {
-      timeout: 3e4
+      timeout: TIMEOUTS.git
     });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     if (message.includes("timed out")) {
-      throw new StandardsError(`Standards repo clone timed out after 30 seconds`);
+      throw new StandardsError(`Standards repo clone timed out after ${TIMEOUTS.git / 1e3} seconds`);
     }
     throw new StandardsError(`Failed to clone standards repo: ${message}`);
   }
@@ -7087,7 +7091,7 @@ async function fetchStandardsRepoFromSource(source, basePath) {
   return fetchGitHubRepo(parsed.owner, parsed.repo, parsed.ref);
 }
 async function fetchStandardsRepo() {
-  return fetchGitHubRepo(DEFAULT_OWNER, DEFAULT_REPO);
+  return fetchGitHubRepo(STANDARDS_REPO.owner, STANDARDS_REPO.repo);
 }
 function getGuidelinesDir(repoPath) {
   return path17.join(repoPath, "guidelines");
@@ -7112,7 +7116,7 @@ function parseGuideline(fileContent, filename) {
   const { data, content } = matter2(fileContent);
   const result = frontmatterSchema.safeParse(data);
   if (!result.success) {
-    const errors = result.error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+    const errors = result.error.issues.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
     throw new StandardsError(`Invalid frontmatter in ${filename}: ${errors}`);
   }
   return {
@@ -7224,63 +7228,16 @@ ${guideline.content}`;
 }
 
 // src/validate/tier.ts
-import { execSync } from "child_process";
 import * as fs21 from "fs";
 import * as path20 from "path";
 import TOML from "@iarna/toml";
 import chalk4 from "chalk";
-import * as yaml3 from "js-yaml";
 
 // src/validate/types.ts
 var VALID_TIERS = ["production", "internal", "prototype"];
 
 // src/validate/tier.ts
 var DEFAULT_TIER = "internal";
-function findGitRoot(startDir) {
-  try {
-    const gitRoot = execSync("git rev-parse --show-toplevel", {
-      cwd: startDir,
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    }).trim();
-    return gitRoot;
-  } catch {
-    return null;
-  }
-}
-function readFileContent2(filePath) {
-  if (!fs21.existsSync(filePath)) {
-    return null;
-  }
-  try {
-    return fs21.readFileSync(filePath, "utf-8");
-  } catch {
-    return null;
-  }
-}
-function parseYamlContent(content) {
-  try {
-    const parsed = yaml3.load(content);
-    if (parsed === void 0 || parsed === null) {
-      return { metadata: null, sourceDetail: "default (file empty)" };
-    }
-    return { metadata: parsed, sourceDetail: "repo-metadata.yaml" };
-  } catch (error) {
-    const parseError = error instanceof Error ? error.message : String(error);
-    return { metadata: null, sourceDetail: "default (parse error)", parseError };
-  }
-}
-function loadRepoMetadata(projectRoot) {
-  const metadataPath = path20.join(projectRoot, "repo-metadata.yaml");
-  const content = readFileContent2(metadataPath);
-  if (content === null) {
-    return { metadata: null, sourceDetail: "default (file not found)" };
-  }
-  if (!content.trim()) {
-    return { metadata: null, sourceDetail: "default (file empty)" };
-  }
-  return parseYamlContent(content);
-}
 function loadExtendsConfig(configPath) {
   try {
     const content = fs21.readFileSync(configPath, "utf-8");
@@ -7290,24 +7247,48 @@ function loadExtendsConfig(configPath) {
     return null;
   }
 }
-function getTier(metadataResult) {
-  const { metadata, sourceDetail } = metadataResult;
-  if (!metadata) {
-    return { tier: DEFAULT_TIER, source: "default", sourceDetail };
-  }
-  if (metadata.tier === void 0) {
-    return { tier: DEFAULT_TIER, source: "default", sourceDetail: "default (tier not specified)" };
+function loadTierFromStandardsToml(configPath) {
+  if (!fs21.existsSync(configPath)) {
+    return {
+      tier: DEFAULT_TIER,
+      source: "default",
+      sourceDetail: "default (file not found)"
+    };
   }
-  const tier = metadata.tier;
-  if (!VALID_TIERS.includes(tier)) {
+  try {
+    const content = fs21.readFileSync(configPath, "utf-8");
+    const parsed = TOML.parse(content);
+    if (!parsed.metadata) {
+      return {
+        tier: DEFAULT_TIER,
+        source: "default",
+        sourceDetail: "default (no metadata)"
+      };
+    }
+    if (parsed.metadata.tier === void 0) {
+      return {
+        tier: DEFAULT_TIER,
+        source: "default",
+        sourceDetail: "default (tier not specified)"
+      };
+    }
+    const tier = parsed.metadata.tier;
+    if (!VALID_TIERS.includes(tier)) {
+      return {
+        tier: DEFAULT_TIER,
+        source: "default",
+        sourceDetail: "default (invalid value)",
+        invalidValue: String(tier)
+      };
+    }
+    return { tier, source: "standards.toml", sourceDetail: "standards.toml" };
+  } catch {
     return {
       tier: DEFAULT_TIER,
       source: "default",
-      sourceDetail: "default (invalid value)",
-      invalidValue: String(tier)
+      sourceDetail: "default (file not found)"
     };
   }
-  return { tier, source: "repo-metadata.yaml", sourceDetail: "repo-metadata.yaml" };
 }
 function findMatchingRulesets(rulesets, tier) {
   const suffix = `-${tier}`;
@@ -7325,6 +7306,7 @@ function createNotFoundResult() {
     valid: false,
     tier: DEFAULT_TIER,
     tierSource: "default",
+    tierSourceDetail: "default (file not found)",
     rulesets: [],
     expectedPattern: `*-${DEFAULT_TIER}`,
     matchedRulesets: [],
@@ -7340,20 +7322,16 @@ function buildResult(options) {
     matchedRulesets,
     invalidTierValue,
     hasEmptyRulesets,
-    registryUrl,
-    parseError
+    registryUrl
   } = options;
   const warnings = options.warnings ?? [];
   const expectedPattern = `*-${tier}`;
   const valid = rulesets.length === 0 || matchedRulesets.length > 0;
   if (invalidTierValue) {
     warnings.push(
-      `Invalid tier '${invalidTierValue}' in repo-metadata.yaml. Valid values are: ${VALID_TIERS.join(", ")}`
+      `Invalid tier '${invalidTierValue}' in standards.toml [metadata]. Valid values are: ${VALID_TIERS.join(", ")}`
     );
   }
-  if (parseError) {
-    warnings.push(`Failed to parse repo-metadata.yaml: ${parseError}`);
-  }
   if (hasEmptyRulesets && registryUrl) {
     warnings.push(
       `[extends] is configured with registry '${registryUrl}' but rulesets is empty - no standards will be inherited`
@@ -7379,26 +7357,21 @@ function validateTierRuleset(options = {}) {
   if (!configPath) {
     return createNotFoundResult();
   }
-  const configDir = getProjectRoot(configPath);
-  const gitRoot = findGitRoot(configDir);
-  const metadataSearchPath = gitRoot ?? configDir;
-  const metadataResult = loadRepoMetadata(metadataSearchPath);
-  const { tier, source, sourceDetail, invalidValue } = getTier(metadataResult);
+  const tierResult = loadTierFromStandardsToml(configPath);
   const extendsConfig = loadExtendsConfig(configPath);
   const rulesets = extendsConfig?.rulesets ?? [];
-  const matchedRulesets = rulesets.length > 0 ? findMatchingRulesets(rulesets, tier) : [];
+  const matchedRulesets = rulesets.length > 0 ? findMatchingRulesets(rulesets, tierResult.tier) : [];
   const hasEmptyRulesets = extendsConfig !== null && rulesets.length === 0;
   const registryUrl = extendsConfig?.registry;
   return buildResult({
-    tier,
-    source,
-    sourceDetail,
+    tier: tierResult.tier,
+    source: tierResult.source,
+    sourceDetail: tierResult.sourceDetail,
     rulesets,
     matchedRulesets,
-    invalidTierValue: invalidValue,
+    invalidTierValue: tierResult.invalidValue,
     hasEmptyRulesets,
-    registryUrl,
-    parseError: metadataResult.parseError
+    registryUrl
   });
 }
 function formatWarnings(warnings) {
@@ -7432,7 +7405,7 @@ function formatFailedValidation(result, sourceDisplay) {
     lines.push("");
     lines.push(
       chalk4.cyan(
-        `  Hint: Update repo-metadata.yaml to use a valid tier value: ${VALID_TIERS.join(", ")}`
+        `  Hint: Update standards.toml [metadata].tier to use a valid value: ${VALID_TIERS.join(", ")}`
       )
     );
   }
@@ -7663,19 +7636,19 @@ function isSupportedService(service) {
   return SUPPORTED_SERVICES.includes(service);
 }
 var checkerFactories = {
-  s3: async () => (await import("./s3-2DH7PRVR.js")).S3Checker,
-  lambda: async () => (await import("./lambda-NFB5UILT.js")).LambdaChecker,
-  dynamodb: async () => (await import("./dynamodb-5KVESCVJ.js")).DynamoDBChecker,
-  sqs: async () => (await import("./sqs-RRS3GRHK.js")).SQSChecker,
-  sns: async () => (await import("./sns-Y36LVTWA.js")).SNSChecker,
-  iam: async () => (await import("./iam-7H5HFWVQ.js")).IAMChecker,
-  secretsmanager: async () => (await import("./secretsmanager-MOOIHLAO.js")).SecretsManagerChecker,
-  logs: async () => (await import("./cloudwatch-KSZ4A256.js")).CloudWatchLogsChecker,
-  ecs: async () => (await import("./ecs-OS3NJZTA.js")).ECSChecker,
-  rds: async () => (await import("./rds-KLG5O5SI.js")).RDSChecker,
-  ec2: async () => (await import("./ec2-HKPE6GZV.js")).EC2Checker,
-  elasticache: async () => (await import("./elasticache-7TCRHYYM.js")).ElastiCacheChecker,
-  elasticloadbalancing: async () => (await import("./elb-PEDLXW5R.js")).ELBChecker
+  s3: async () => (await import("./s3-53UELUWT.js")).S3Checker,
+  lambda: async () => (await import("./lambda-YTJOCYV5.js")).LambdaChecker,
+  dynamodb: async () => (await import("./dynamodb-HQH3IMAI.js")).DynamoDBChecker,
+  sqs: async () => (await import("./sqs-MHBW6UFC.js")).SQSChecker,
+  sns: async () => (await import("./sns-RV64OMK2.js")).SNSChecker,
+  iam: async () => (await import("./iam-YXMHK2MV.js")).IAMChecker,
+  secretsmanager: async () => (await import("./secretsmanager-FJKTPIXI.js")).SecretsManagerChecker,
+  logs: async () => (await import("./cloudwatch-3LTDYG6G.js")).CloudWatchLogsChecker,
+  ecs: async () => (await import("./ecs-UHKCH5A7.js")).ECSChecker,
+  rds: async () => (await import("./rds-GZ5RVPIU.js")).RDSChecker,
+  ec2: async () => (await import("./ec2-AEPT735A.js")).EC2Checker,
+  elasticache: async () => (await import("./elasticache-5Y6K7GKJ.js")).ElastiCacheChecker,
+  elasticloadbalancing: async () => (await import("./elb-CN6ELVM5.js")).ELBChecker
 };
 var checkerCache = /* @__PURE__ */ new Map();
 async function getChecker(service) {
@@ -7719,9 +7692,8 @@ async function getGcpChecker(service) {
 }
 
 // src/infra/scan.ts
-var DEFAULT_CONCURRENCY = 10;
 async function scanManifest(manifest, manifestPath, options = {}) {
-  const concurrency = options.concurrency ?? DEFAULT_CONCURRENCY;
+  const concurrency = options.concurrency ?? CONCURRENCY.infraScan;
   if (isMultiAccountManifest(manifest)) {
     return scanMultiAccountManifest(manifest, manifestPath, options);
   }
@@ -7736,7 +7708,7 @@ async function scanManifest(manifest, manifestPath, options = {}) {
   };
 }
 async function scanMultiAccountManifest(manifest, manifestPath, options = {}) {
-  const concurrency = options.concurrency ?? DEFAULT_CONCURRENCY;
+  const concurrency = options.concurrency ?? CONCURRENCY.infraScan;
   const accountResults = {};
   const allResults = [];
   const accountsToScan = filterAccounts(manifest, options.account);