@topogram/cli 0.3.43 → 0.3.45

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@topogram/cli",
-  "version": "0.3.43",
+  "version": "0.3.45",
   "description": "Topogram CLI for checking Topogram workspaces and generating app bundles.",
   "license": "Apache-2.0",
   "repository": {

package/src/cli.js

@@ -595,9 +595,9 @@ function printGeneratorHelp() {
   console.log("Inspects generator manifests and checks generator pack conformance.");
   console.log("");
   console.log("Notes:");
-  console.log("  - list shows bundled generators plus installed package-backed generators declared in package.json.");
-  console.log("  - show accepts an installed package name or a bundled fallback generator id.");
-  console.log("  - check validates a local generator package path or an already installed package.");
+  console.log("  - list shows bundled generators plus installed package-backed generators declared in package.json; it reads manifests only.");
+  console.log("  - show accepts an installed package name or a bundled fallback generator id; it does not load adapter code.");
+  console.log("  - check validates a local generator package path or an already installed package by loading the adapter and running smoke generation.");
   console.log("  - Topogram does not install generator packages during show or check.");
   console.log(`  - package-backed project generators are governed by ${GENERATOR_POLICY_FILE}; bundled topogram/* generators are allowed.`);
   console.log("");
@@ -1250,6 +1250,7 @@ function printGeneratorCheck(payload) {
     console.log(`Projection platforms: ${payload.manifest.projectionPlatforms.join(", ")}`);
     console.log(`Source mode: ${payload.manifest.source}`);
   }
+  console.log("Executes package code: yes (loads adapter and runs smoke generate)");
   console.log("");
   console.log("Checks:");
   for (const check of payload.checks || []) {
@@ -1285,6 +1286,8 @@ function generatorManifestSummary(manifest, metadata = {}) {
     stack: manifest.stack || {},
     capabilities: manifest.capabilities || {},
     source: manifest.source,
+    loadsAdapter: false,
+    executesPackageCode: false,
     ...(manifest.profile ? { profile: manifest.profile } : {}),
     ...(manifest.package ? { package: manifest.package } : {}),
     ...(installCommand ? { installCommand } : {}),
@@ -1496,6 +1499,8 @@ function printGeneratorList(payload) {
     const stack = Object.values(generator.stack || {}).join(" + ") || "not declared";
     console.log(`- ${id}${generator.version ? `@${generator.version}` : ""} (${generator.surface || "unknown"}, ${status})`);
     console.log(`  Source: ${generator.source}`);
+    console.log("  Adapter loaded: no");
+    console.log("  Executes package code: no");
     if (generator.source === "package") {
       console.log(`  Installed: ${generator.installed ? "yes" : "no"}`);
     }
@@ -1529,6 +1534,8 @@ function printGeneratorShow(payload) {
   console.log(`Generator: ${generator.id}@${generator.version}`);
   console.log(`Surface: ${generator.surface}`);
   console.log(`Source: ${generator.source}${generator.planned ? " (planned)" : ""}`);
+  console.log("Adapter loaded: no");
+  console.log("Executes package code: no");
   if (generator.source === "package") {
     console.log(`Installed: ${generator.installed ? "yes" : "no"}`);
   }
@@ -1631,7 +1638,7 @@ function dependencySpecForPackage(projectPackage, packageName) {
  * @param {string} packageName
  * @returns {{ version: string|null, resolved: string|null, integrity: string|null, entryPath: string|null }}
  */
-function lockfileInfoForPackage(lockfile, packageName) {
+function npmLockfileInfoForPackage(lockfile, packageName) {
   const packageEntryPath = `node_modules/${packageName}`;
   const packageEntry = lockfile?.packages?.[packageEntryPath];
   if (packageEntry && typeof packageEntry === "object") {
@@ -1659,16 +1666,62 @@ function lockfileInfoForPackage(lockfile, packageName) {
   };
 }
 
+/**
+ * @param {string} projectRoot
+ * @returns {{ kind: "npm"|"pnpm"|"yarn"|"bun"|null, path: string|null, data: Record<string, any>|null, note: string|null }}
+ */
+function lockfileMetadataForProject(projectRoot) {
+  const npmLockfilePath = path.join(projectRoot, "package-lock.json");
+  if (fs.existsSync(npmLockfilePath)) {
+    return {
+      kind: "npm",
+      path: npmLockfilePath,
+      data: readJsonIfPresent(npmLockfilePath),
+      note: null
+    };
+  }
+  const candidates = [
+    { kind: "pnpm", file: "pnpm-lock.yaml" },
+    { kind: "yarn", file: "yarn.lock" },
+    { kind: "bun", file: "bun.lock" },
+    { kind: "bun", file: "bun.lockb" }
+  ];
+  for (const candidate of candidates) {
+    const lockfilePath = path.join(projectRoot, candidate.file);
+    if (fs.existsSync(lockfilePath)) {
+      return {
+        kind: /** @type {"pnpm"|"yarn"|"bun"} */ (candidate.kind),
+        path: lockfilePath,
+        data: null,
+        note: `${candidate.file} found; package versions are not inspected by this command.`
+      };
+    }
+  }
+  return {
+    kind: null,
+    path: null,
+    data: null,
+    note: null
+  };
+}
+
 /**
  * @param {string} projectRoot
  * @param {string} packageName
- * @returns {{ dependencyField: string|null, dependencySpec: string|null, installedVersion: string|null, installedPackageJsonPath: string|null, lockfileVersion: string|null, lockfileResolved: string|null, lockfileIntegrity: string|null, lockfileEntryPath: string|null }}
+ * @returns {{ dependencyField: string|null, dependencySpec: string|null, installedVersion: string|null, installedPackageJsonPath: string|null, lockfileKind: "npm"|"pnpm"|"yarn"|"bun"|null, lockfilePath: string|null, lockfileVersion: string|null, lockfileResolved: string|null, lockfileIntegrity: string|null, lockfileEntryPath: string|null, lockfileNote: string|null }}
  */
 function packageInfoForGenerator(projectRoot, packageName) {
   const projectPackage = readJsonIfPresent(path.join(projectRoot, "package.json"));
   const dependency = dependencySpecForPackage(projectPackage, packageName);
-  const lockfile = readJsonIfPresent(path.join(projectRoot, "package-lock.json"));
-  const lockfileInfo = lockfileInfoForPackage(lockfile, packageName);
+  const lockfile = lockfileMetadataForProject(projectRoot);
+  const lockfileInfo = lockfile.kind === "npm"
+    ? npmLockfileInfoForPackage(lockfile.data, packageName)
+    : {
+        version: null,
+        resolved: null,
+        integrity: null,
+        entryPath: null
+      };
   const installedPackageJsonPath = path.join(projectRoot, "node_modules", ...packageName.split("/"), "package.json");
   const installedPackage = readJsonIfPresent(installedPackageJsonPath);
   return {
@@ -1676,13 +1729,31 @@ function packageInfoForGenerator(projectRoot, packageName) {
     dependencySpec: dependency.spec,
     installedVersion: typeof installedPackage?.version === "string" ? installedPackage.version : null,
     installedPackageJsonPath: installedPackage ? installedPackageJsonPath : null,
+    lockfileKind: lockfile.kind,
+    lockfilePath: lockfile.path,
     lockfileVersion: lockfileInfo.version,
     lockfileResolved: lockfileInfo.resolved,
     lockfileIntegrity: lockfileInfo.integrity,
-    lockfileEntryPath: lockfileInfo.entryPath
+    lockfileEntryPath: lockfileInfo.entryPath,
+    lockfileNote: lockfile.note
   };
 }
 
+/**
+ * @param {ReturnType<typeof packageInfoForGenerator>} packageInfo
+ * @returns {string}
+ */
+function formatGeneratorPackageLockfile(packageInfo) {
+  if (!packageInfo.lockfileKind || !packageInfo.lockfilePath) {
+    return "(not found)";
+  }
+  const label = path.basename(packageInfo.lockfilePath);
+  if (packageInfo.lockfileVersion) {
+    return `${packageInfo.lockfileKind} ${packageInfo.lockfileVersion}`;
+  }
+  return `${label} (version not inspected)`;
+}
+
 /**
  * @param {string} projectRoot
  * @param {import("./generator-policy.js").GeneratorPolicy} policy
@@ -1724,11 +1795,68 @@ function annotateGeneratorPolicyDiagnostics(diagnostics, bindings) {
       packageVersion: binding.packageInfo.installedVersion || binding.packageInfo.lockfileVersion || null,
       packageDependencyField: binding.packageInfo.dependencyField,
       packageDependencySpec: binding.packageInfo.dependencySpec,
+      packageLockfileKind: binding.packageInfo.lockfileKind,
+      packageLockfilePath: binding.packageInfo.lockfilePath,
       packageLockVersion: binding.packageInfo.lockfileVersion
     };
   });
 }
 
+/**
+ * @param {Array<ReturnType<typeof generatorPolicyBindingStatus>>} bindings
+ * @returns {any[]}
+ */
+function generatorPolicyPackageMetadataDiagnostics(bindings) {
+  const diagnostics = [];
+  for (const binding of bindings) {
+    if (!binding.packageInfo.dependencySpec) {
+      diagnostics.push({
+        code: "generator_package_dependency_missing",
+        severity: "warning",
+        message: `Component '${binding.componentId}' generator package '${binding.packageName}' is not declared in package.json dependencies.`,
+        path: binding.packageInfo.installedPackageJsonPath,
+        suggestedFix: `Declare '${binding.packageName}' in package.json devDependencies so generator adoption is visible in package review.`,
+        step: "generator-policy",
+        componentId: binding.componentId,
+        generatorId: binding.generatorId,
+        packageName: binding.packageName,
+        version: binding.version,
+        packageVersion: binding.packageInfo.installedVersion || binding.packageInfo.lockfileVersion || null,
+        packageDependencyField: binding.packageInfo.dependencyField,
+        packageDependencySpec: binding.packageInfo.dependencySpec,
+        packageLockfileKind: binding.packageInfo.lockfileKind,
+        packageLockfilePath: binding.packageInfo.lockfilePath,
+        packageLockVersion: binding.packageInfo.lockfileVersion
+      });
+    }
+    if (
+      binding.packageInfo.installedVersion &&
+      binding.packageInfo.lockfileVersion &&
+      binding.packageInfo.installedVersion !== binding.packageInfo.lockfileVersion
+    ) {
+      diagnostics.push({
+        code: "generator_package_version_drift",
+        severity: "warning",
+        message: `Component '${binding.componentId}' generator package '${binding.packageName}' is installed at '${binding.packageInfo.installedVersion}', but package-lock records '${binding.packageInfo.lockfileVersion}'.`,
+        path: binding.packageInfo.lockfilePath,
+        suggestedFix: "Run the package manager install command and review the resulting lockfile before pinning generator policy.",
+        step: "generator-policy",
+        componentId: binding.componentId,
+        generatorId: binding.generatorId,
+        packageName: binding.packageName,
+        version: binding.version,
+        packageVersion: binding.packageInfo.installedVersion,
+        packageDependencyField: binding.packageInfo.dependencyField,
+        packageDependencySpec: binding.packageInfo.dependencySpec,
+        packageLockfileKind: binding.packageInfo.lockfileKind,
+        packageLockfilePath: binding.packageInfo.lockfilePath,
+        packageLockVersion: binding.packageInfo.lockfileVersion
+      });
+    }
+  }
+  return diagnostics;
+}
+
 /**
  * @param {string} projectPath
  * @returns {{ ok: boolean, path: string, exists: boolean, policy: any, defaulted: boolean, bindings: Array<ReturnType<typeof generatorPolicyBindingStatus>>, diagnostics: any[], errors: string[] }}
@@ -1771,6 +1899,7 @@ function buildGeneratorPolicyCheckPayload(projectPath) {
     });
   }
   diagnostics.push(...generatorPolicyDiagnosticsForBindings(policyInfo, rawBindings, "generator-policy"));
+  diagnostics.push(...generatorPolicyPackageMetadataDiagnostics(bindings));
   const annotatedDiagnostics = annotateGeneratorPolicyDiagnostics(diagnostics, bindings);
   const errors = annotatedDiagnostics.filter((diagnostic) => diagnostic.severity === "error").map((diagnostic) => diagnostic.message);
   return {
@@ -1868,7 +1997,9 @@ function printGeneratorPolicyCheckPayload(payload) {
       console.log(`  dependency: ${binding.packageInfo.dependencyField} ${binding.packageInfo.dependencySpec}`);
     }
     if (binding.packageInfo.lockfileVersion) {
-      console.log(`  lockfile: ${binding.packageInfo.lockfileVersion}`);
+      console.log(`  lockfile: ${formatGeneratorPackageLockfile(binding.packageInfo)}`);
+    } else if (binding.packageInfo.lockfileKind) {
+      console.log(`  lockfile: ${formatGeneratorPackageLockfile(binding.packageInfo)}`);
     }
   }
   for (const diagnostic of payload.diagnostics) {
@@ -1906,7 +2037,7 @@ function printGeneratorPolicyStatusPayload(payload) {
     console.log(`  allowed: ${binding.allowed ? "yes" : "no"}`);
     console.log(`  npm package: ${binding.packageInfo.installedVersion || "(not installed)"}`);
     console.log(`  dependency: ${binding.packageInfo.dependencyField && binding.packageInfo.dependencySpec ? `${binding.packageInfo.dependencyField} ${binding.packageInfo.dependencySpec}` : "(not declared)"}`);
-    console.log(`  lockfile: ${binding.packageInfo.lockfileVersion || "(not locked)"}`);
+    console.log(`  lockfile: ${formatGeneratorPackageLockfile(binding.packageInfo)}`);
     console.log(`  policy pin: ${binding.pin.version ? `${binding.pin.key}@${binding.pin.version}` : "(none)"}`);
   }
   for (const diagnostic of payload.diagnostics) {
@@ -1918,6 +2049,9 @@ function printGeneratorPolicyStatusPayload(payload) {
     if (diagnostic.packageDependencySpec) {
       console.log(`  dependency: ${diagnostic.packageDependencyField} ${diagnostic.packageDependencySpec}`);
     }
+    if (diagnostic.packageLockfilePath) {
+      console.log(`  lockfile: ${path.basename(diagnostic.packageLockfilePath)}${diagnostic.packageLockVersion ? ` ${diagnostic.packageLockVersion}` : ""}`);
+    }
     if (diagnostic.suggestedFix) {
       console.log(`  fix: ${diagnostic.suggestedFix}`);
     }
@@ -2057,10 +2191,6 @@ function buildGeneratorPolicyPinPayload(projectPath, spec) {
     if (!allowedPackages.includes(pin.packageName)) {
       allowedPackages.push(pin.packageName);
     }
-    const scope = packageScopeFromName(pin.packageName);
-    if (scope && !allowedPackageScopes.includes(scope)) {
-      allowedPackageScopes.push(scope);
-    }
     pinnedVersions[pin.packageName] = pin.version;
   }
   const nextPolicy = {

package/src/generator/adapters.js

@@ -10,6 +10,10 @@ import {
   resolveGeneratorManifestForBinding,
   validateGeneratorManifest
 } from "./registry.js";
+import {
+  generatorPolicyDiagnosticsForBindings,
+  loadGeneratorPolicy
+} from "../generator-policy.js";
 import { generateDbContractGraph } from "./surfaces/databases/contract.js";
 import { generateDbLifecyclePlan } from "./surfaces/databases/lifecycle-shared.js";
 import {
@@ -252,6 +256,26 @@ function loadPackageGeneratorAdapter(manifest, component, options = {}) {
     throw new Error(`Component '${component?.id || "unknown"}' generator '${manifest.id}@${manifest.version}' is package-backed but does not declare a package.`);
   }
   const rootDir = options.configDir || options.rootDir || process.cwd();
+  const diagnostics = generatorPolicyDiagnosticsForBindings(
+    loadGeneratorPolicy(rootDir),
+    [{
+      componentId: String(component?.id || "unknown"),
+      componentType: String(component?.type || manifest.surface || "unknown"),
+      projection: String(component?.projection?.id || component?.projection || "unknown"),
+      generatorId: String(component?.generator?.id || manifest.id),
+      version: String(component?.generator?.version || manifest.version),
+      packageName
+    }],
+    "generator-adapter"
+  );
+  const errors = diagnostics.filter((diagnostic) => diagnostic.severity === "error");
+  if (errors.length > 0) {
+    throw new Error(errors.map((diagnostic) =>
+      diagnostic.suggestedFix
+        ? `${diagnostic.message} Suggested fix: ${diagnostic.suggestedFix}`
+        : diagnostic.message
+    ).join("\n"));
+  }
   let moduleValue;
   try {
     moduleValue = requireFromProject(rootDir)(packageName);

package/src/generator/check.js

@@ -25,6 +25,7 @@ import {
  * @property {Array<{ name: string, ok: boolean, message: string }>} checks
  * @property {string[]} errors
  * @property {{ files: number, artifacts: number, diagnostics: number }|null} smoke
+ * @property {boolean} executesPackageCode
  */
 
 /**
@@ -238,7 +239,8 @@ export function checkGeneratorPack(sourceSpec, options = {}) {
     manifest: null,
     checks: [],
     errors: [],
-    smoke: null
+    smoke: null,
+    executesPackageCode: true
   };
 
   /** @type {any|null} */

package/src/generator/surfaces/services/stateless.js

@@ -1,6 +1,7 @@
 // @ts-check
 
 import { getProjection } from "../shared.js";
+import { generateServerContract } from "./server-contract.js";
 
 function renderPackageJson(profile) {
   const dependencies = profile === "express"
@@ -41,10 +42,10 @@ function routePath(path) {
   return String(path || "/").replace(/:([A-Za-z0-9_]+)/g, ":$1");
 }
 
-function renderHonoIndex(projection) {
-  const routes = (projection.http || []).map((route) => {
+function renderHonoIndex(projection, contract) {
+  const routes = (contract.routes || []).map((route) => {
     const method = String(route.method || "GET").toLowerCase();
-    return `app.${method}("${routePath(route.path)}", (c) => c.json({ ok: true, capability: "${route.capabilityId}", input: { params: c.req.param(), query: c.req.query() } }, ${route.success || 200} as any));`;
+    return `app.${method}("${routePath(route.path)}", (c) => c.json({ ok: true, capability: "${route.capabilityId}", input: { params: c.req.param(), query: c.req.query() } }, ${route.successStatus || 200} as any));`;
   }).join("\n");
   return `import { serve } from "@hono/node-server";
 import { Hono } from "hono";
@@ -65,10 +66,10 @@ function expressPath(path) {
   return routePath(path);
 }
 
-function renderExpressIndex(projection) {
-  const routes = (projection.http || []).map((route) => {
+function renderExpressIndex(projection, contract) {
+  const routes = (contract.routes || []).map((route) => {
     const method = String(route.method || "GET").toLowerCase();
-    return `app.${method}("${expressPath(route.path)}", (req, res) => res.status(${route.success || 200}).json({ ok: true, capability: "${route.capabilityId}", input: { params: req.params, query: req.query } }));`;
+    return `app.${method}("${expressPath(route.path)}", (req, res) => res.status(${route.successStatus || 200}).json({ ok: true, capability: "${route.capabilityId}", input: { params: req.params, query: req.query } }));`;
   }).join("\n");
   return `import express from "express";
 
@@ -88,10 +89,11 @@ app.listen(port, () => {
 
 export function generateStatelessServer(graph, options = {}) {
   const projection = getProjection(graph, options.projectionId);
+  const contract = generateServerContract(graph, { ...options, projectionId: projection.id });
   const profile = options.profile === "express" ? "express" : "hono";
   return {
     "package.json": renderPackageJson(profile),
     "tsconfig.json": renderTsconfig(),
-    "src/index.ts": profile === "express" ? renderExpressIndex(projection) : renderHonoIndex(projection)
+    "src/index.ts": profile === "express" ? renderExpressIndex(projection, contract) : renderHonoIndex(projection, contract)
   };
 }