@vibe-validate/config 0.9.0 → 0.9.4
- package/dist/loader.d.ts +29 -0
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +30 -1
- package/dist/schema.d.ts +8 -8
- package/dist/schema.d.ts.map +1 -1
- package/dist/schema.js +18 -5
- package/package.json +1 -1
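--- a/package/dist/loader.d.ts
+++ b/package/dist/loader.d.ts
@@ -3,6 +3,35 @@
 *
 * Loads and resolves vibe-validate configuration from files,
 * including preset resolution and config extension.
+*
+* SECURITY MODEL:
+*
+* This loader executes user-provided configuration files as code (TypeScript/JavaScript)
+* or parses them as data (JSON). This is intentional and necessary for flexibility,
+* but has security implications:
+*
+* **Trust Boundary**: Configuration files are treated as TRUSTED CODE.
+* - Config files can execute arbitrary JavaScript/TypeScript
+* - Config files define shell commands that will be executed during validation
+* - Users MUST only use config files from trusted sources
+*
+* **No Sandboxing**: Configuration files run with full process permissions.
+* - They have access to the file system, network, environment variables
+* - They can import arbitrary npm packages
+* - They can modify process.env or global state
+*
+* **Security Responsibilities**:
+* - **Users**: Only use configs from trusted sources (own code, official presets)
+* - **Preset Authors**: Ensure presets don't execute untrusted commands
+* - **This Package**: Validate config schema, but cannot prevent malicious code execution
+*
+* **Mitigations**:
+* - Configuration schema validation (Zod) ensures structure is correct
+* - Git command injection prevention (array-based spawn, no shell)
+* - No automatic config downloads from remote sources
+* - Presets are vetted and included in this package
+*
+* See SECURITY.md for complete security considerations.
 */
 import { type VibeValidateConfig } from './schema.js';
 /**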
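Review bot: The SECURITY MODEL comment added at the top of this file tells users to use only trusted configs but never says how a config is selected, and `findAndLoadConfig` (declared later in this file, outside the hunk) defaults its search root to `process.cwd()` in the compiled loader.js, so simply running vibe-validate inside a cloned repository presumably executes whatever config that repository ships. That is the realistic way an untrusted config gets run and deserves its own bullet under **Trust Boundary**: `* - Config discovery starts at the current working directory, so running vibe-validate inside an untrusted checkout executes that checkout's config file`. The **Mitigations** list is also slightly misleading: array-based git spawning protects the git helper, not the shell commands a config defines, which the comment itself says are executed as-is. A short sentence stating that those commands are trusted by design and not sandboxed would keep the two lists consistent.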
package/dist/loader.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../src/loader.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../src/loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAKH,OAAO,EAAkB,KAAK,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAItE;;GAEG;AACH,eAAO,MAAM,iBAAiB,UAO7B,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,kBAAkB,CAAC,CAiC7B;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,GAAE,MAAsB,GAC1B,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,CAazC;AA0DD;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,GAAE,MAAsB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAc7B"}
|
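--- a/package/dist/loader.js
+++ b/package/dist/loader.js
@@ -3,6 +3,35 @@
 *
 * Loads and resolves vibe-validate configuration from files,
 * including preset resolution and config extension.
+*
+* SECURITY MODEL:
+*
+* This loader executes user-provided configuration files as code (TypeScript/JavaScript)
+* or parses them as data (JSON). This is intentional and necessary for flexibility,
+* but has security implications:
+*
+* **Trust Boundary**: Configuration files are treated as TRUSTED CODE.
+* - Config files can execute arbitrary JavaScript/TypeScript
+* - Config files define shell commands that will be executed during validation
+* - Users MUST only use config files from trusted sources
+*
+* **No Sandboxing**: Configuration files run with full process permissions.
+* - They have access to the file system, network, environment variables
+* - They can import arbitrary npm packages
+* - They can modify process.env or global state
+*
+* **Security Responsibilities**:
+* - **Users**: Only use configs from trusted sources (own code, official presets)
+* - **Preset Authors**: Ensure presets don't execute untrusted commands
+* - **This Package**: Validate config schema, but cannot prevent malicious code execution
+*
+* **Mitigations**:
+* - Configuration schema validation (Zod) ensures structure is correct
+* - Git command injection prevention (array-based spawn, no shell)
+* - No automatic config downloads from remote sources
+* - Presets are vetted and included in this package
+*
+* See SECURITY.md for complete security considerations.
 */
 import { resolve, dirname } from 'path';
 import { readFileSync } from 'fs';
@@ -72,7 +101,7 @@ export async function findAndLoadConfig(cwd = process.cwd()) {
 try {
 return await loadConfigFromFile(configPath);
 }
-catch (
+catch (_err) {
 // File doesn't exist or can't be loaded - try next
 continue;
 }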
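Review bot: The new `catch (_err)` in `findAndLoadConfig` (the function starts before this hunk) still swallows every failure from `loadConfigFromFile`, not just a missing file, so a syntax error, a failed import or a schema rejection in the user's config is treated as "no config here" and the search moves on — validation can then run with a later candidate or the default config and pass while the intended config is broken, and the schema-validation mitigation advertised in the header comment is silently bypassed. Only the not-found case should be skipped: `catch (err) { if (err?.code !== 'ENOENT') throw err; continue; }`, substituting whatever code the loader actually raises for a missing file (a dynamic `import()` reports `ERR_MODULE_NOT_FOUND`, not `ENOENT`). If existence is already checked before this loop, outside the hunk, the catch only ever hides real load errors and can be dropped altogether.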
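--- a/package/dist/schema.d.ts
+++ b/package/dist/schema.d.ts
@@ -195,7 +195,7 @@ export declare const ValidationConfigSchema: z.ZodObject<{
 failFast?: boolean | undefined;
 }>, "many">;
 /** Caching configuration */
-caching: z.ZodDefault<z.ZodObject<{
+caching: z.ZodDefault<z.ZodOptional<z.ZodObject<{
 /** Caching strategy (default: git-tree-hash) */
 strategy: z.ZodDefault<z.ZodEnum<["git-tree-hash", "timestamp", "disabled"]>>;
 /** Enable caching (default: true) */
@@ -210,7 +210,7 @@ export declare const ValidationConfigSchema: z.ZodObject<{
 strategy?: "git-tree-hash" | "timestamp" | "disabled" | undefined;
 enabled?: boolean | undefined;
 statePath?: string | undefined;
-}
+}>>>;
 }, "strip", z.ZodTypeAny, {
 phases: {
 name: string;
@@ -383,7 +383,7 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
 failFast?: boolean | undefined;
 }>, "many">;
 /** Caching configuration */
-caching: z.ZodDefault<z.ZodObject<{
+caching: z.ZodDefault<z.ZodOptional<z.ZodObject<{
 /** Caching strategy (default: git-tree-hash) */
 strategy: z.ZodDefault<z.ZodEnum<["git-tree-hash", "timestamp", "disabled"]>>;
 /** Enable caching (default: true) */
@@ -398,7 +398,7 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
 strategy?: "git-tree-hash" | "timestamp" | "disabled" | undefined;
 enabled?: boolean | undefined;
 statePath?: string | undefined;
-}
+}>>>;
 }, "strip", z.ZodTypeAny, {
 phases: {
 name: string;
@@ -443,7 +443,7 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
 } | undefined;
 }>;
 /** Git integration configuration */
-git: z.ZodDefault<z.ZodObject<{
+git: z.ZodDefault<z.ZodOptional<z.ZodObject<{
 /** Main branch name (default: main) */
 mainBranch: z.ZodDefault<z.ZodString>;
 /** Auto-sync with remote (default: false) */
@@ -458,9 +458,9 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
 mainBranch?: string | undefined;
 autoSync?: boolean | undefined;
 warnIfBehind?: boolean | undefined;
-}
+}>>>;
 /** Output formatting configuration */
-output: z.ZodDefault<z.ZodObject<{
+output: z.ZodDefault<z.ZodOptional<z.ZodObject<{
 /** Output format (default: auto) */
 format: z.ZodDefault<z.ZodEnum<["human", "yaml", "json", "auto"]>>;
 /** Show progress indicators (default: true) */
@@ -479,7 +479,7 @@ export declare const VibeValidateConfigSchema: z.ZodObject<{
 showProgress?: boolean | undefined;
 verbose?: boolean | undefined;
 noColor?: boolean | undefined;
-}
+}>>>;
 /** Optional: Preset name (typescript-library, typescript-nodejs, etc.) */
 preset: z.ZodOptional<z.ZodString>;
 /** Optional: Extend another config file */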
package/dist/schema.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,oBAAoB;IAC/B,kEAAkE;;IAGlE,qDAAqD;;IAGrD,+EAA+E;;IAG/E,qDAAqD;;IAGrD,oDAAoD;;IAGpD,wEAAwE;;;;;;;;;;;;;;;;EAExE,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAGxD,iDAAiD;;IAGjD,kDAAkD;;IAGlD,qCAAqC;;QArCrC,kEAAkE;;QAGlE,qDAAqD;;QAGrD,+EAA+E;;QAG/E,qDAAqD;;QAGrD,oDAAoD;;QAGpD,wEAAwE;;;;;;;;;;;;;;;;;IAyBxE,qFAAqF;;IAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEhE,CAAC;AAGH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,qBAAqB,uDAIhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,mCAAmC;;QArCnC,wDAAwD;;QAGxD,iDAAiD;;QAGjD,kDAAkD;;QAGlD,qCAAqC;;YArCrC,kEAAkE;;YAGlE,qDAAqD;;YAGrD,+EAA+E;;YAG/E,qDAAqD;;YAGrD,oDAAoD;;YAGpD,wEAAwE;;;;;;;;;;;;;;;;;QAyBxE,qFAAqF;;QAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAyBhE,4BAA4B;;QAE1B,gDAAgD;;QAGhD,qCAAqC;;QAGrC,2DAA2D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AACH,eAAO,MAAM,oBAAoB;IAC/B,kEAAkE;;IAGlE,qDAAqD;;IAGrD,+EAA+E;;IAG/E,qDAAqD;;IAGrD,oDAAoD;;IAGpD,wEAAwE;;;;;;;;;;;;;;;;EAExE,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;IAChC,wDAAwD;;IAGxD,iDAAiD;;IAGjD,kDAAkD;;IAGlD,qCAAqC;;QArCrC,kEAAkE;;QAGlE,qDAAqD;;QAGrD,+EAA+E;;QAG/E,qDAAqD;;QAGrD,oDAAoD;;QAGpD,wEAAwE;;;;;;;;;;;;;;;;;IAyBxE,qFAAqF;;IAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEhE,CAAC;AAGH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,qBAAqB,uDAIhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,sBAAsB;IACjC,mCAAmC;;QArCnC,wDAAwD;;QAGxD,iDAAiD;;QAGjD,kDAAkD;;QAGlD,qCAAqC;;YArCrC,kEAAkE;;YAGlE,qDAAqD;;YAGrD,+EAA+E;;YAG/E,qDAAqD;;YAGrD,oDAAoD;;YAGpD,wEAAwE;;;;;;;;;;;;;;;;;QAyBxE,qFAAqF;;QAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAyBhE,4BAA4B;;QAE1B,gDAAgD;;QAGhD,qCAAqC;;QAGrC,2DAA2D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO7D,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,kBAAkB,8CAK7B,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,uCAAuC;;IAGvC,6CAA6C;;IAG7C,sDAAsD;;;;;;;;;;EAEtD,CAAC;AAEH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,kBAAkB;IAC7B,oCAAoC;;IAGpC,+CAA+C;;IAG/C,uCAAuC;;IAGvC,4CAA4C;;;;;;;;;;;;EAE5C,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;IACnC,+BAA+B;;QA3E/B,mCAAmC;;YArCnC,wDAAwD;;YAGxD,iDAAiD;;YAGjD,kDAAkD;;YAGlD,qCAAqC;;gBArCrC,kEAAkE;;gBAGlE,qDAAqD;;gBAGrD,+EAA+E;;gBAG/E,qDAAqD;;gBAGrD,oDAAoD;;gBAGpD,wEAAwE;;;;;;;;;;;;;;;;;YAyBxE,qFAAqF;;YAGrF,gEAAgE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAy
BhE,4BAA4B;;YAE1B,gDAAgD;;YAGhD,qCAAqC;;YAGrC,2DAA2D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAmE7D,oCAAoC;;QAxCpC,uCAAuC;;QAGvC,6CAA6C;;QAG7C,sDAAsD;;;;;;;;;;;IAyCtD,sCAAsC;;QA/BtC,oCAAoC;;QAGpC,+CAA+C;;QAG/C,uCAAuC;;QAGvC,4CAA4C;;;;;;;;;;;;;IA8B5C,0EAA0E;;IAG1E,2CAA2C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE3C,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,kBAAkB,CAElE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG;IACnD,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,kBAAkB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAcA"}
|
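--- a/package/dist/schema.js
+++ b/package/dist/schema.js
@@ -66,7 +66,11 @@ export const ValidationConfigSchema = z.object({
 enabled: z.boolean().default(true),
 /** State file path (default: .vibe-validate-state.yaml) */
 statePath: z.string().default('.vibe-validate-state.yaml'),
-}).default({
+}).optional().default({
+strategy: 'git-tree-hash',
+enabled: true,
+statePath: '.vibe-validate-state.yaml',
+}),
 });
 /**
 * Output Format Schema
@@ -110,9 +114,18 @@ export const VibeValidateConfigSchema = z.object({
 /** Validation configuration */
 validation: ValidationConfigSchema,
 /** Git integration configuration */
-git: GitConfigSchema.default({
+git: GitConfigSchema.optional().default({
+mainBranch: 'main',
+autoSync: false,
+warnIfBehind: true,
+}),
 /** Output formatting configuration */
-output: OutputConfigSchema.default({
+output: OutputConfigSchema.optional().default({
+format: 'auto',
+showProgress: true,
+verbose: false,
+noColor: false,
+}),
 /** Optional: Preset name (typescript-library, typescript-nodejs, etc.) */
 preset: z.string().optional(),
 /** Optional: Extend another config file */
@@ -140,8 +153,8 @@ export function safeValidateConfig(config) {
 return { success: true, data: result.data };
 }
 // Format Zod errors into readable messages
-const errors = result.error.
-const path = err.path.join('.');
+const errors = result.error.issues.map(err => {
+const path = err.path.map(String).join('.');
 return `${path}: ${err.message}`;
 });
 return { success: false, errors };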
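Review bot: The explicit default objects added to `caching`, `git` and `output` duplicate values that the field-level `.default()` calls and the "(default: …)" doc comments already state — `statePath: '.vibe-validate-state.yaml'` and `mainBranch: 'main'` now each live in two places that can drift silently, and once they drift a changed field default would never apply when the whole section is omitted, because the complete outer literal is what gets substituted (both schemas begin before their hunks). Hoist each set into one constant and reference it from both spots, e.g. `const CACHING_DEFAULTS = { strategy: 'git-tree-hash', enabled: true, statePath: '.vibe-validate-state.yaml' };` together with `}).optional().default(CACHING_DEFAULTS),`, and have `strategy`, `enabled` and `statePath` read their `.default()` values from that same object. If Zod's `ZodDefault` runs the substituted value through the inner schema (it does in Zod 3), `.optional().default({})` would presumably suffice as well and remove the duplication entirely; worth confirming against the installed Zod version before relying on it. The `err.path.map(String).join('.')` change in `safeValidateConfig` is correct, since array-index path segments are numbers.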
package/package.json
CHANGED