@testzugang/pi-plugin-dependency-audit 0.1.0

package/skills/dependency-audit/scripts/pi-check-all-updates.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+echo "== Current global versions =="
+bash "$SCRIPT_DIR/pi-check-current-global-versions.sh" "$@"
+
+echo
+echo "== Latest npm versions =="
+bash "$SCRIPT_DIR/pi-check-latest-npm-versions.sh" "$@"
+
+echo
+echo "== Git source update status =="
+bash "$SCRIPT_DIR/pi-check-git-source-updates.sh"

package/skills/dependency-audit/scripts/pi-check-current-global-versions.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEFAULT_PACKAGES_FILE="$SCRIPT_DIR/pi-default-packages.txt"
+GLOBAL_ROOT="${NPM_GLOBAL_ROOT:-$(npm root -g 2>/dev/null || true)}"
+
+if [[ -z "$GLOBAL_ROOT" ]]; then
+  echo "Could not determine npm global root. Set NPM_GLOBAL_ROOT or ensure npm is available." >&2
+  exit 2
+fi
+
+read_packages() {
+  if (( $# > 0 )); then
+    printf '%s\n' "$@"
+    return
+  fi
+
+  if [[ ! -f "$DEFAULT_PACKAGES_FILE" ]]; then
+    echo "Missing package list: $DEFAULT_PACKAGES_FILE" >&2
+    exit 2
+  fi
+
+  grep -vE '^\s*(#|$)' "$DEFAULT_PACKAGES_FILE"
+}
+
+while IFS= read -r pkg; do
+  [[ -z "$pkg" ]] && continue
+  pkg_json="$GLOBAL_ROOT/$pkg/package.json"
+
+  if [[ -f "$pkg_json" ]]; then
+    version="$(node -p "require('$pkg_json').version" 2>/dev/null || echo UNKNOWN)"
+    echo "$pkg: current=$version"
+  else
+    echo "$pkg: NOT FOUND at $pkg_json"
+  fi
+done < <(read_packages "$@")

package/skills/dependency-audit/scripts/pi-check-git-source-updates.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEFAULT_REPOS_FILE="$SCRIPT_DIR/pi-default-git-repos.txt"
+
+read_repos() {
+  if (( $# > 0 )); then
+    printf '%s\n' "$@"
+    return
+  fi
+
+  if [[ ! -f "$DEFAULT_REPOS_FILE" ]]; then
+    echo "Missing repo list: $DEFAULT_REPOS_FILE" >&2
+    exit 2
+  fi
+
+  grep -vE '^\s*(#|$)' "$DEFAULT_REPOS_FILE"
+}
+
+while IFS= read -r repo; do
+  [[ -z "$repo" ]] && continue
+
+  if [[ ! -d "$repo" ]]; then
+    echo "Directory $repo NOT FOUND"
+    continue
+  fi
+
+  if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
+    echo "Directory $repo is not a git repository"
+    continue
+  fi
+
+  echo "--- $repo ---"
+
+  branch="$(git -C "$repo" rev-parse --abbrev-ref HEAD 2>/dev/null || echo DETACHED)"
+  current_commit="$(git -C "$repo" rev-parse HEAD 2>/dev/null || echo UNKNOWN)"
+
+  git -C "$repo" fetch --quiet origin 2>/dev/null || true
+
+  remote_commit="NO_REMOTE_BRANCH"
+  if [[ "$branch" != "HEAD" && "$branch" != "DETACHED" ]]; then
+    remote_commit="$(git -C "$repo" rev-parse "origin/$branch" 2>/dev/null || echo NO_REMOTE_BRANCH)"
+  fi
+
+  echo "Branch: $branch"
+  echo "Current Commit: $current_commit"
+  echo "Remote Commit:  $remote_commit"
+
+  if [[ "$remote_commit" == "NO_REMOTE_BRANCH" ]]; then
+    echo "Status: UNKNOWN"
+  elif [[ "$current_commit" != "$remote_commit" ]]; then
+    echo "Status: UPDATE_AVAILABLE"
+  else
+    echo "Status: UP_TO_DATE"
+  fi
+done < <(read_repos "$@")

package/skills/dependency-audit/scripts/pi-check-latest-npm-versions.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEFAULT_PACKAGES_FILE="$SCRIPT_DIR/pi-default-packages.txt"
+
+read_packages() {
+  if (( $# > 0 )); then
+    printf '%s\n' "$@"
+    return
+  fi
+
+  if [[ ! -f "$DEFAULT_PACKAGES_FILE" ]]; then
+    echo "Missing package list: $DEFAULT_PACKAGES_FILE" >&2
+    exit 2
+  fi
+
+  grep -vE '^\s*(#|$)' "$DEFAULT_PACKAGES_FILE"
+}
+
+while IFS= read -r pkg; do
+  [[ -z "$pkg" ]] && continue
+  latest="$(npm view "$pkg" version 2>/dev/null || echo NOT_IN_REGISTRY)"
+  echo "$pkg: latest=$latest"
+done < <(read_packages "$@")

package/skills/dependency-audit/scripts/pi-default-git-repos.txt

@@ -0,0 +1,4 @@
+# Default local git-based pi package checkouts.
+~/.pi/agent/git/github.com/testzugang/pi-plugins
+~/.pi/agent/git/github.com/fgladisch/pi-skills
+~/.pi/agent/git/github.com/hasit/pi-community-themes

package/skills/dependency-audit/scripts/pi-default-packages.txt

@@ -0,0 +1,16 @@
+# Default global pi-related npm packages to audit.
+pi-mcp-adapter
+pi-subagents
+pi-web-access
+pi-claude-bridge
+pi-mermaid
+pi-tool-display
+pi-total-recall
+pi-terminal-signals
+@aliou/pi-guardrails
+@fgladisch/pi-bash-approval
+@fgladisch/pi-persistent-history
+@fgladisch/pi-user-select
+@fgladisch/pi-welcome-message
+pi-powerline
+pi-suggest

package/skills/dependency-audit/scripts/pi-interactive-update.py

@@ -0,0 +1,151 @@
+#!/usr/bin/env python3
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+SCRIPT_DIR = Path(__file__).resolve().parent
+RUN_AUDIT_SCRIPT = SCRIPT_DIR / "run_pi_dependency_audit.py"
+AGGREGATED_JSON = Path("/tmp/pi_audit_aggregated.json")
+
+def main():
+    print("\n🛡️ Starte Sicherheits-Audit der Pi-Abhängigkeiten...")
+    
+    # 1. Run the audit script
+    audit_res = subprocess.run(["python3", str(RUN_AUDIT_SCRIPT)], text=True)
+    if audit_res.returncode != 0:
+        print("❌ Audit fehlgeschlagen oder abgebrochen.")
+        return 1
+        
+    if not AGGREGATED_JSON.exists():
+        print("❌ Audit-Ergebnisdatei nicht gefunden.")
+        return 1
+        
+    try:
+        results = json.loads(AGGREGATED_JSON.read_text(encoding="utf-8"))
+    except Exception as e:
+        print(f"❌ Fehler beim Lesen der Audit-Ergebnisse: {e}")
+        return 1
+        
+    # 2. Filter updates
+    updates = [i for i in results if i.get("status") in {"update_available", "too_fresh"}]
+    if not updates:
+        print("\n✅ Alle Pi-Erweiterungen sind auf dem neuesten Stand!")
+        return 0
+        
+    print("\n🔄 Ausstehende Updates und Audit-Ergebnisse:")
+    print("=" * 80)
+    
+    # Helper to get source name
+    def get_pi_source(item):
+        if item.get("type") == "npm":
+            return f"npm:{item['name']}"
+        source = item.get("source")
+        if source:
+            return str(source)
+        name = item.get("name", "")
+        if name == "pi-skills":
+            return "git:github.com/fgladisch/pi-skills"
+        if name == "pi-plugins":
+            return "git:github.com/testzugang/pi-plugins"
+        if name == "pi-community-themes":
+            return "git:https://github.com/hasit/pi-community-themes"
+        return f"git:github.com/testzugang/{name}"
+        
+    # Print menu
+    for idx, item in enumerate(updates, start=1):
+        name = item.get("name")
+        current = item.get("current")[:8] if item.get("type") == "git" and item.get("current") else item.get("current")
+        latest = item.get("latest")[:8] if item.get("type") == "git" and item.get("latest") else item.get("latest")
+        decision = item.get("decision", "UNKNOWN")
+        status = item.get("status")
+        
+        # Format decision string
+        if decision in {"QUARANTINE", "BLOCK_UNTIL_REVIEW"}:
+            dec_str = f"❌ {decision}"
+        elif decision == "REVIEW_BEFORE_USE":
+            dec_str = f"🟡 {decision}"
+        elif status == "too_fresh":
+            dec_str = f"⏱️ TOO FRESH (Alterssperre)"
+        else:
+            dec_str = f"✅ SAFE"
+            
+        print(f"[{idx}] {name} ({current} -> {latest})")
+        print(f"    Urteil: {dec_str} | Quelle: {get_pi_source(item)}")
+        print("-" * 80)
+        
+    print("\nOptionen:")
+    print(" - Gib die Nummern ein, die du aktualisieren willst (z.B. 1, 3, 5)")
+    print(" - 'safe' für alle als sicher eingestuften Updates")
+    print(" - 'all' für alle Updates (inkl. Warnungen/Quarantäne, auf eigene Gefahr!)")
+    print(" - 'q' zum Abbrechen")
+    
+    try:
+        user_input = input("\nDeine Auswahl: ").strip().lower()
+    except KeyboardInterrupt:
+        print("\nAbgebrochen.")
+        return 0
+        
+    if user_input in {"q", "quit", "exit", ""}:
+        print("Abgebrochen.")
+        return 0
+        
+    selected_items = []
+    
+    if user_input == "safe":
+        selected_items = [i for i in updates if i.get("decision") not in {"BLOCK_UNTIL_REVIEW", "QUARANTINE"} and i.get("status") != "too_fresh"]
+        if not selected_items:
+            print("Keine sicheren Updates vorhanden.")
+            return 0
+    elif user_input == "all":
+        selected_items = updates
+    else:
+        # Parse numbers
+        parts = [p.strip() for p in user_input.split(",")]
+        for p in parts:
+            try:
+                idx = int(p)
+                if 1 <= idx <= len(updates):
+                    selected_items.append(updates[idx - 1])
+                else:
+                    print(f"⚠️ Ungültige Nummer: {idx}")
+            except ValueError:
+                if p:
+                    print(f"⚠️ Ungültige Eingabe übersprungen: '{p}'")
+                
+    if not selected_items:
+        print("Keine Updates ausgewählt.")
+        return 0
+        
+    print(f"\n🚀 Folgende {len(selected_items)} Updates werden installiert:")
+    for item in selected_items:
+        print(f"  - {item.get('name')} ({get_pi_source(item)})")
+        
+    try:
+        confirm = input("\nFortfahren? [J/n]: ").strip().lower()
+    except KeyboardInterrupt:
+        print("\nAbgebrochen.")
+        return 0
+        
+    if confirm not in {"", "j", "ja", "yes", "y"}:
+        print("Abgebrochen.")
+        return 0
+        
+    # Execute actual pi update commands
+    for item in selected_items:
+        source = get_pi_source(item)
+        print(f"\n========================================================")
+        print(f"📦 Führe aus: pi update {source}")
+        print(f"========================================================")
+        subprocess.run(["pi", "update", source])
+        
+    print("\n✅ Update-Prozess beendet!")
+    return 0
+
+if __name__ == "__main__":
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        print("\nAbgebrochen.")
+        sys.exit(0)