@westbayberry/dg 1.0.52 → 1.0.56

package/dist/packages/cli/src/alt-screen.js

@@ -0,0 +1,36 @@
+"use strict";
+// Alternate screen buffer helpers.
+//
+// Entered BEFORE Ink's render() is called — not from inside a React useEffect
+// — so Ink's very first paint lands in the alt buffer and its internal diff
+// tracker matches the actual terminal state from frame 1.
+//
+// If the enter happens inside a useEffect, Ink has already painted the first
+// frame to the main buffer; flipping to a fresh-empty alt buffer after the
+// fact leaves Ink's diff tracker stale, and the user stares at a blank screen
+// until some state change (usually a keypress via useInput) forces Ink to
+// re-emit a full redraw. That was the `dg kitty` "blank until keypress" bug.
+//
+// These helpers are idempotent and safe to call in either order multiple
+// times. The SIGINT/SIGTERM handlers in bin.ts call leaveAltScreen() so
+// Ctrl+C from inside the wizard restores the user's terminal cleanly.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.enterAltScreen = enterAltScreen;
+exports.leaveAltScreen = leaveAltScreen;
+exports.altScreenActive = altScreenActive;
+let active = false;
+function enterAltScreen() {
+    if (!process.stdout.isTTY || active)
+        return;
+    process.stdout.write("\x1b[?1049h\x1b[2J\x1b[H");
+    active = true;
+}
+function leaveAltScreen() {
+    if (!active)
+        return;
+    process.stdout.write("\x1b[?1049l\x1b[?25h");
+    active = false;
+}
+function altScreenActive() {
+    return active;
+}

package/dist/packages/cli/src/api.js

@@ -0,0 +1,322 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientOutdatedError = exports.TrialExhaustedError = exports.APIError = void 0;
+exports.callAnalyzeAPI = callAnalyzeAPI;
+exports.callPyPIAnalyzeAPI = callPyPIAnalyzeAPI;
+const node_crypto_1 = require("node:crypto");
+const config_1 = require("./config");
+const sanitize_1 = require("./sanitize");
+const update_check_1 = require("./update-check");
+class APIError extends Error {
+    constructor(message, statusCode, body) {
+        super(message);
+        this.statusCode = statusCode;
+        this.body = body;
+        this.name = "APIError";
+    }
+}
+exports.APIError = APIError;
+class TrialExhaustedError extends Error {
+    constructor(scansUsed, maxScans) {
+        super("Free trial scans used up. Run `dg login` to create a free account and continue scanning.");
+        this.scansUsed = scansUsed;
+        this.maxScans = maxScans;
+        this.name = "TrialExhaustedError";
+    }
+}
+exports.TrialExhaustedError = TrialExhaustedError;
+class ClientOutdatedError extends Error {
+    constructor(minVersion, currentVersion, securityRelease) {
+        super(securityRelease
+            ? `Your CLI (${currentVersion}) is older than the minimum required version (${minVersion}) for this security release.`
+            : `Your CLI (${currentVersion}) is older than the minimum required version (${minVersion}).`);
+        this.minVersion = minVersion;
+        this.currentVersion = currentVersion;
+        this.securityRelease = securityRelease;
+        this.name = "ClientOutdatedError";
+    }
+}
+exports.ClientOutdatedError = ClientOutdatedError;
+const BATCH_SIZE = 200;
+const ANON_BATCH_SIZE = 200; // Same batch size for all users — monthly limit gates abuse
+const MAX_RETRIES = 2;
+const RETRY_DELAY_MS = 5000;
+// Single-threaded Node: callAnalyzeAPI and callPyPIAnalyzeAPI don't overlap.
+// Set at each public entry point; all batches within one scan share the same ID
+// so the server counts it as 1 scan.
+let _currentScanId = "";
+function buildHeaders(config) {
+    const headers = {
+        "Content-Type": "application/json",
+        "User-Agent": `dependency-guardian-cli/${(0, config_1.getVersion)()}`,
+    };
+    if (config.apiKey) {
+        headers["Authorization"] = `Bearer ${config.apiKey}`;
+    }
+    else {
+        headers["X-Device-Id"] = config.deviceId;
+    }
+    if (_currentScanId) {
+        headers["X-Scan-Id"] = _currentScanId;
+    }
+    return headers;
+}
+// Check the optional server-emitted version floor. If the server's minimum is
+// newer than what's installed, throw — the bin.ts main-catch prints a user-facing
+// "Run `dg update`" message. Absence of the field means "no floor" (graceful
+// degradation for older API deploys). Server may not emit minClientVersion on older
+// deploys — field was introduced alongside CLI 1.0.41 + the paired API build.
+// Delete this helper's `raw.minClientVersion &&` guard once all API replicas confirm
+// they emit the field.
+function checkVersionFloor(raw) {
+    const r = raw;
+    if (r.minClientVersion && (0, update_check_1.isNewer)(r.minClientVersion, (0, config_1.getVersion)())) {
+        throw new ClientOutdatedError(r.minClientVersion, (0, config_1.getVersion)(), r.securityRelease === true);
+    }
+}
+async function handleTrialExhausted(response) {
+    if (response.status === 403) {
+        const body = await response.json().catch(() => ({}));
+        if (body && body.trialExhausted) {
+            const b = body;
+            throw new TrialExhaustedError(b.scansUsed, b.maxScans);
+        }
+        throw new APIError("Forbidden", 403, JSON.stringify(body));
+    }
+}
+async function callAnalyzeAPI(packages, config, onProgress) {
+    const batchSize = config.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
+    // One scan ID for all batches — server counts this as 1 scan, not N
+    _currentScanId = (0, node_crypto_1.randomUUID)();
+    if (packages.length <= batchSize) {
+        if (onProgress)
+            onProgress(0, packages.length, packages.map(p => p.name));
+        const result = await callBatchWithRetry(packages, config);
+        if (onProgress)
+            onProgress(packages.length, packages.length, packages.map(p => p.name));
+        return result;
+    }
+    const batches = [];
+    for (let i = 0; i < packages.length; i += batchSize) {
+        batches.push(packages.slice(i, i + batchSize));
+    }
+    // Process batches sequentially — the engine handles internal concurrency
+    const results = [];
+    let completed = 0;
+    const tTotal = Date.now();
+    // Fire an initial progress tick BEFORE the first batch so callers (e.g. the
+    // wizard's ProgressBar) can render immediately at 0/total instead of waiting
+    // up to 20s for the first batch to complete. Empty currentBatch matches the
+    // "last-completed names" convention used below (nothing has completed yet).
+    if (onProgress)
+        onProgress(0, packages.length, []);
+    for (let i = 0; i < batches.length; i++) {
+        const batch = batches[i];
+        const tBatch = Date.now();
+        const result = await callBatchWithRetry(batch, config);
+        if (process.env.DG_PERF)
+            console.error(`[CLI-PERF] batch ${i + 1}/${batches.length}: ${batch.length} packages → ${Date.now() - tBatch}ms`);
+        completed += batch.length;
+        if (onProgress) {
+            // Pass the JUST-COMPLETED batch names as currentBatch so callers can
+            // show "last completed" as the progress label — matches useScan's
+            // convention of `packages.slice(done - 15, done)`.
+            onProgress(completed, packages.length, batch.map(p => p.name));
+        }
+        results.push(result);
+    }
+    if (process.env.DG_PERF)
+        console.error(`[CLI-PERF] total: ${packages.length} packages → ${Date.now() - tTotal}ms`);
+    return mergeResponses(results);
+}
+async function callBatchWithRetry(packages, config) {
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+        try {
+            return await callAnalyzeBatch(packages, config);
+        }
+        catch (error) {
+            const is504 = error instanceof APIError && error.statusCode === 504;
+            const isTimeout = error instanceof APIError && error.statusCode === 408;
+            const is429 = error instanceof APIError && error.statusCode === 429;
+            if ((is504 || isTimeout) && attempt < MAX_RETRIES) {
+                // Server is still working — wait, then retry.
+                // Packages that finished before the timeout are now cached.
+                const delay = RETRY_DELAY_MS * (attempt + 1);
+                process.stderr.write(`  Batch timed out, retrying in ${delay / 1000}s (attempt ${attempt + 2}/${MAX_RETRIES + 1})...\n`);
+                await new Promise((r) => setTimeout(r, delay));
+                continue;
+            }
+            if (is429 && attempt < MAX_RETRIES) {
+                // Honor Retry-After. The header is carried on APIError.body for 429.
+                // Clamp to [1, 60] seconds — refuse absurd values a misconfigured upstream might send.
+                const header = error.body;
+                const parsed = Number(header);
+                const seconds = Number.isFinite(parsed) && parsed > 0 ? Math.min(60, Math.max(1, Math.ceil(parsed))) : 5;
+                process.stderr.write(`  Rate limited, retrying in ${seconds}s (attempt ${attempt + 2}/${MAX_RETRIES + 1})...\n`);
+                await new Promise((r) => setTimeout(r, seconds * 1000));
+                continue;
+            }
+            throw error;
+        }
+    }
+    // Unreachable, but TypeScript needs it
+    throw new Error("Exhausted retries");
+}
+function mergeResponses(results) {
+    const allPackages = results.flatMap((r) => r.packages);
+    const maxScore = Math.max(0, ...allPackages.map((p) => p.score));
+    const action = maxScore >= 70
+        ? "block"
+        : maxScore >= 60
+            ? "warn"
+            : "pass";
+    const safeVersions = {};
+    for (const r of results) {
+        Object.assign(safeVersions, r.safeVersions);
+    }
+    return {
+        score: maxScore,
+        action: action,
+        packages: allPackages,
+        safeVersions,
+        // Sum, not max — batches run sequentially, total wall-clock is the sum
+        durationMs: results.reduce((s, r) => s + (r.durationMs || 0), 0),
+    };
+}
+function formatApiErrorMessage(status, rawBody, config) {
+    const truncated = rawBody.length > 200 ? rawBody.slice(0, 200) + "…" : rawBody;
+    if (config.debug) {
+        return `API returned ${status}: ${truncated}`;
+    }
+    if (status >= 500) {
+        return `API error (HTTP ${status}). Retry or contact support.`;
+    }
+    return `API returned ${status}: ${truncated}`;
+}
+async function callAnalyzeBatch(packages, config) {
+    const url = `${config.apiUrl}/v1/analyze`;
+    const payload = {
+        packages: packages.map((p) => ({
+            name: p.name,
+            version: p.version,
+            previousVersion: p.previousVersion,
+            isNew: p.isNew,
+        })),
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 180000);
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "POST",
+            headers: buildHeaders(config),
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new APIError("Request timed out after 180s. Try scanning fewer packages.", 408, "");
+        }
+        // Node.js fetch wraps the real error in .cause
+        const cause = error?.cause;
+        const causeMsg = cause?.message || cause?.code || "";
+        const errMsg = error instanceof Error ? error.message : String(error);
+        const detail = causeMsg ? `: ${causeMsg}` : errMsg !== "fetch failed" ? `: ${errMsg}` : "";
+        throw new Error(`API unreachable${detail}`);
+    }
+    clearTimeout(timeoutId);
+    await handleTrialExhausted(response);
+    if (response.status === 401) {
+        throw new APIError("Invalid API key. Run `dg logout` then `dg login` to re-authenticate.", 401, "");
+    }
+    if (response.status === 429) {
+        // Carry the Retry-After header on the error so callBatchWithRetry can honor it
+        const retryAfter = response.headers.get("retry-after") ?? "";
+        throw new APIError("Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing", 429, retryAfter);
+    }
+    if (!response.ok) {
+        const body = await response.text();
+        throw new APIError(formatApiErrorMessage(response.status, body, config), response.status, body);
+    }
+    const raw = (await response.json());
+    if (!raw || typeof raw.score !== "number" || !Array.isArray(raw.packages)) {
+        throw new APIError("Invalid API response format", 0, "");
+    }
+    checkVersionFloor(raw);
+    return (0, sanitize_1.sanitizeResponse)(raw);
+}
+async function callPyPIAnalyzeAPI(packages, config, onProgress) {
+    const batchSize = config.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
+    _currentScanId = (0, node_crypto_1.randomUUID)();
+    if (packages.length <= batchSize) {
+        return callPyPIBatch(packages, config);
+    }
+    const batches = [];
+    for (let i = 0; i < packages.length; i += batchSize) {
+        batches.push(packages.slice(i, i + batchSize));
+    }
+    const results = [];
+    let completed = 0;
+    for (const batch of batches) {
+        const result = await callPyPIBatch(batch, config);
+        completed += batch.length;
+        if (onProgress)
+            onProgress(completed, packages.length);
+        results.push(result);
+    }
+    return mergeResponses(results);
+}
+async function callPyPIBatch(packages, config) {
+    const url = `${config.apiUrl}/v1/pypi/analyze`;
+    const payload = {
+        packages: packages.map((p) => ({
+            name: p.name,
+            version: p.version,
+            previousVersion: p.previousVersion ?? null,
+            isNew: p.isNew ?? true,
+        })),
+    };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 180000);
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "POST",
+            headers: buildHeaders(config),
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new APIError("Request timed out after 120s.", 408, "");
+        }
+        const cause = error instanceof Error
+            ? error.cause
+            : undefined;
+        const detail = cause ? `: ${cause.message || String(cause)}` : "";
+        throw new Error(`fetch failed${detail}`);
+    }
+    clearTimeout(timeoutId);
+    await handleTrialExhausted(response);
+    if (response.status === 401) {
+        throw new APIError("Invalid API key. Run `dg logout` then `dg login` to re-authenticate.", 401, "");
+    }
+    if (response.status === 429) {
+        const retryAfter = response.headers.get("retry-after") ?? "";
+        throw new APIError("Rate limit exceeded. Upgrade your plan at https://westbayberry.com/pricing", 429, retryAfter);
+    }
+    if (!response.ok) {
+        const body = await response.text();
+        throw new APIError(formatApiErrorMessage(response.status, body, config), response.status, body);
+    }
+    const raw = (await response.json());
+    if (!raw || typeof raw.score !== "number" || !Array.isArray(raw.packages)) {
+        throw new APIError("Invalid API response format", 0, "");
+    }
+    checkVersionFloor(raw);
+    return (0, sanitize_1.sanitizeResponse)(raw);
+}

package/dist/packages/cli/src/auth.js

@@ -0,0 +1,218 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthSession = createAuthSession;
+exports.pollAuthSession = pollAuthSession;
+exports.saveCredentials = saveCredentials;
+exports.clearCredentials = clearCredentials;
+exports.getStoredApiKey = getStoredApiKey;
+exports.maskKey = maskKey;
+exports.getOrCreateDeviceId = getOrCreateDeviceId;
+exports.getFirstRunCompletedAt = getFirstRunCompletedAt;
+exports.markFirstRunComplete = markFirstRunComplete;
+exports.openBrowser = openBrowser;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const node_child_process_1 = require("node:child_process");
+const node_crypto_1 = require("node:crypto");
+const WEB_BASE = "https://westbayberry.com";
+const CONFIG_FILE = ".dgrc.json";
+/**
+ * Create a new CLI auth session by calling POST /cli/auth/sessions on the
+ * website. Returns session info including the user code and verification URL.
+ */
+async function createAuthSession() {
+    let res;
+    try {
+        res = await globalThis.fetch(`${WEB_BASE}/cli/auth/sessions`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+        });
+    }
+    catch {
+        throw new Error("Could not connect to westbayberry.com");
+    }
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`Failed to create auth session (HTTP ${res.status})${body ? `: ${body}` : ""}`);
+    }
+    const json = (await res.json());
+    return {
+        sessionId: json.session_id,
+        verifyUrl: json.verify_url,
+        expiresIn: json.expires_in,
+    };
+}
+/**
+ * Poll for auth completion. Returns the current status of the session.
+ */
+async function pollAuthSession(sessionId) {
+    let res;
+    try {
+        res = await globalThis.fetch(`${WEB_BASE}/cli/auth/sessions/${sessionId}/token`);
+    }
+    catch {
+        return { status: "expired" };
+    }
+    if (res.status === 404) {
+        return { status: "expired" };
+    }
+    if (!res.ok) {
+        return { status: "expired" };
+    }
+    const json = (await res.json());
+    return {
+        status: json.status,
+        apiKey: json.api_key,
+        email: json.email,
+    };
+}
+function configPath() {
+    return (0, node_path_1.join)((0, node_os_1.homedir)(), CONFIG_FILE);
+}
+function readConfig() {
+    let raw;
+    try {
+        raw = (0, node_fs_1.readFileSync)(configPath(), "utf-8");
+    }
+    catch {
+        return {};
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    catch {
+        process.stderr.write(`Warning: Failed to parse ${configPath()}, ignoring.\n`);
+        return {};
+    }
+}
+/** Write the dgrc config and ENFORCE 0o600 perms whether the file existed or
+ *  not. fs.writeFileSync's mode option only applies on file creation; if the
+ *  file pre-existed (e.g. from an older dg version, manual creation, or a
+ *  different umask) the mode is unchanged on write. We chmod afterwards to
+ *  guarantee the api key isn't world-readable.
+ *
+ *  chmodSync errors are swallowed because some filesystems (FAT, exotic
+ *  network mounts) don't support permission bits — failing here would prevent
+ *  saving credentials, which is worse than the perms not being tightened. */
+function writeDgrc(payload) {
+    const p = configPath();
+    (0, node_fs_1.writeFileSync)(p, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 0o600 });
+    try {
+        (0, node_fs_1.chmodSync)(p, 0o600);
+    }
+    catch { /* fs may not support perms */ }
+}
+function saveCredentials(apiKey) {
+    const data = readConfig();
+    data.apiKey = apiKey;
+    writeDgrc(data);
+}
+function clearCredentials() {
+    const p = configPath();
+    if (!(0, node_fs_1.existsSync)(p))
+        return;
+    const data = readConfig();
+    delete data.apiKey;
+    if (Object.keys(data).length === 0) {
+        (0, node_fs_1.unlinkSync)(p);
+    }
+    else {
+        writeDgrc(data);
+    }
+}
+function getStoredApiKey() {
+    const data = readConfig();
+    if (typeof data.apiKey === "string" && data.apiKey.length > 0) {
+        return data.apiKey;
+    }
+    return null;
+}
+// Display-safe mask for API keys. Never include any of the random suffix.
+function maskKey(key) {
+    if (key.startsWith("dg_test_"))
+        return "dg_test_****";
+    if (key.startsWith("dg_live_"))
+        return "dg_live_****";
+    return "dg_****";
+}
+function getOrCreateDeviceId() {
+    const data = readConfig();
+    if (typeof data.deviceId === "string" && data.deviceId.length > 0) {
+        return data.deviceId;
+    }
+    const deviceId = (0, node_crypto_1.randomUUID)();
+    data.deviceId = deviceId;
+    writeDgrc(data);
+    return deviceId;
+}
+// ── First-run sentinel ──────────────────────────────────────────────────────
+//
+// Tracks whether the user has completed (or explicitly dismissed) the first-run
+// guided tour wizard. Stored in ~/.dgrc.json as `firstRunCompletedAt: <ISO8601>`
+// so it lives next to apiKey + deviceId in the same per-user state file.
+//
+// Sticky once set: the wizard never re-prompts for a user who has already been
+// through it. To re-trigger, the user deletes the field manually from
+// ~/.dgrc.json (we deliberately do NOT add a `dg setup` command to satisfy
+// the re-run case — most users only need setup once per machine).
+/** Read the first-run sentinel timestamp. Returns null if the user has not
+ *  yet been through the first-run wizard on this machine. */
+function getFirstRunCompletedAt() {
+    const data = readConfig();
+    if (typeof data.firstRunCompletedAt === "string" && data.firstRunCompletedAt.length > 0) {
+        return data.firstRunCompletedAt;
+    }
+    return null;
+}
+/** Mark the first-run wizard as complete for this user. Idempotent — calling
+ *  twice updates the timestamp without crashing or clobbering apiKey/deviceId. */
+function markFirstRunComplete() {
+    const data = readConfig();
+    data.firstRunCompletedAt = new Date().toISOString();
+    writeDgrc(data);
+}
+/**
+ * Open a URL in the default browser.
+ * Fire-and-forget: errors are silently ignored.
+ */
+function openBrowser(url) {
+    // Validate URL is proper http(s) — no shell injection possible with spawn array args
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== "https:" && parsed.protocol !== "http:")
+            return;
+    }
+    catch {
+        return;
+    }
+    let cmd;
+    let args;
+    switch (process.platform) {
+        case "darwin":
+            cmd = "open";
+            args = [url];
+            break;
+        case "linux":
+            cmd = "xdg-open";
+            args = [url];
+            break;
+        case "win32":
+            cmd = "cmd.exe";
+            args = ["/c", "start", "", url];
+            break;
+        default:
+            return;
+    }
+    try {
+        const child = (0, node_child_process_1.spawn)(cmd, args, { stdio: "ignore", detached: true });
+        child.unref();
+    }
+    catch {
+        // Intentionally ignored — the URL is always printed as fallback.
+    }
+}