@westbayberry/dg 1.0.53 → 1.0.56

package/dist/packages/cli/src/pip-wrapper.js

@@ -0,0 +1,273 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePipArgs = parsePipArgs;
+exports.parseRequirementsFile = parseRequirementsFile;
+exports.parsePipSpec = parsePipSpec;
+exports.resolvePipVersion = resolvePipVersion;
+exports.resolvePackages = resolvePackages;
+exports.detectPipBinary = detectPipBinary;
+exports.runPip = runPip;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+/** pip commands that install packages and should trigger a scan */
+const INSTALL_COMMANDS = new Set(["install", "update"]);
+/**
+ * Parse the argv after `dg pip ...` to extract the pip command and package specifiers.
+ */
+function parsePipArgs(args) {
+    let dgForce = false;
+    const filtered = [];
+    for (const arg of args) {
+        if (arg === "--dg-force") {
+            dgForce = true;
+        }
+        else {
+            filtered.push(arg);
+        }
+    }
+    const command = filtered[0] ?? "";
+    const shouldScan = INSTALL_COMMANDS.has(command);
+    const packages = [];
+    let requirementsFile;
+    if (shouldScan) {
+        for (let i = 1; i < filtered.length; i++) {
+            const arg = filtered[i];
+            // -r / --requirement
+            if (arg === "-r" || arg === "--requirement") {
+                if (i + 1 < filtered.length) {
+                    requirementsFile = filtered[i + 1];
+                    i++;
+                }
+                continue;
+            }
+            // Skip flags and their values
+            if (arg.startsWith("-")) {
+                if (pipFlagTakesValue(arg))
+                    i++;
+                continue;
+            }
+            packages.push(arg);
+        }
+    }
+    return {
+        command,
+        packages,
+        rawArgs: filtered,
+        dgForce,
+        shouldScan,
+        requirementsFile,
+    };
+}
+/** pip flags that consume the next argument as a value */
+function pipFlagTakesValue(flag) {
+    const valueFlags = [
+        "--index-url", "-i",
+        "--extra-index-url",
+        "--constraint", "-c",
+        "--requirement", "-r",
+        "--target", "-t",
+        "--prefix",
+        "--src",
+        "--root",
+        "--config-settings",
+    ];
+    for (const f of valueFlags) {
+        if (flag === f)
+            return true;
+    }
+    return false;
+}
+/**
+ * Parse a requirements.txt file into package specifiers.
+ *
+ * Handles:
+ * - name==version, name>=version, name~=version, name (bare)
+ * - Comments (# ...)
+ * - Inline comments (name==1.0  # comment)
+ * - Environment markers (name>=1.0; python_version >= "3.6")
+ *
+ * Skips:
+ * - Editable installs (-e ./local)
+ * - VCS URLs (git+https://...)
+ * - Nested -r includes
+ * - pip options (--index-url, etc.)
+ * - Empty lines
+ */
+function parseRequirementsFile(filePath) {
+    if (!(0, node_fs_1.existsSync)(filePath))
+        return [];
+    try {
+        const content = (0, node_fs_1.readFileSync)(filePath, "utf-8");
+        const specs = [];
+        for (const rawLine of content.split("\n")) {
+            let line = rawLine.trim();
+            if (!line)
+                continue;
+            // Skip comments
+            if (line.startsWith("#"))
+                continue;
+            // Skip editable installs
+            if (line.startsWith("-e") || line.startsWith("--editable"))
+                continue;
+            // Skip VCS URLs
+            if (/^(git|svn|hg|bzr)\+/.test(line))
+                continue;
+            // Skip nested -r includes
+            if (line.startsWith("-r") || line.startsWith("--requirement"))
+                continue;
+            // Skip pip options
+            if (line.startsWith("--"))
+                continue;
+            // Strip inline comments
+            const commentIdx = line.indexOf(" #");
+            if (commentIdx !== -1)
+                line = line.slice(0, commentIdx).trim();
+            // Strip environment markers (everything after ;)
+            const markerIdx = line.indexOf(";");
+            if (markerIdx !== -1)
+                line = line.slice(0, markerIdx).trim();
+            if (line)
+                specs.push(line);
+        }
+        return specs;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Parse a pip package specifier like "requests", "flask>=2.0", "django==4.2.1"
+ * into { name, versionSpec }.
+ */
+function parsePipSpec(spec) {
+    // Split on version operators: ==, ===, >=, <=, ~=, !=, >, <
+    // pip's === is "arbitrary equality" for direct references
+    const match = spec.match(/^([a-zA-Z0-9][-a-zA-Z0-9._]*)((?:={2,3}|[><!~]=?).+)?$/);
+    if (!match)
+        return { name: spec, versionSpec: null };
+    return {
+        name: match[1],
+        versionSpec: match[2] ?? null,
+    };
+}
+/**
+ * Resolve version from PyPI JSON API.
+ * For "name==1.2.3" → verifies that exact version exists.
+ * For "name>=1.2.3" or bare "name" → fetches latest version.
+ */
+async function resolvePipVersion(spec) {
+    const { name, versionSpec } = parsePipSpec(spec);
+    // Exact version pin: verify it exists
+    if (versionSpec?.startsWith("==")) {
+        const version = versionSpec.slice(2);
+        try {
+            const controller = new AbortController();
+            const timer = setTimeout(() => controller.abort(), 15000);
+            const resp = await fetch(`https://pypi.org/pypi/${name}/${version}/json`, {
+                signal: controller.signal,
+            });
+            clearTimeout(timer);
+            if (resp.ok)
+                return version;
+            return null;
+        }
+        catch {
+            return null;
+        }
+    }
+    // Any other constraint or bare name: fetch latest
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), 15000);
+        const resp = await fetch(`https://pypi.org/pypi/${name}/json`, {
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+        if (!resp.ok)
+            return null;
+        const data = await resp.json();
+        return data.info?.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Build PackageInput[] from package specifiers by resolving versions in parallel.
+ */
+async function resolvePackages(specs) {
+    const results = await Promise.allSettled(specs.map(async (spec) => {
+        const { name } = parsePipSpec(spec);
+        const version = await resolvePipVersion(spec);
+        return { spec, name, version };
+    }));
+    const resolved = [];
+    const failed = [];
+    for (const result of results) {
+        if (result.status === "rejected") {
+            failed.push("unknown");
+            continue;
+        }
+        const { spec, name, version } = result.value;
+        if (version) {
+            resolved.push({
+                name,
+                version,
+                previousVersion: null,
+                isNew: true,
+            });
+        }
+        else {
+            failed.push(spec);
+        }
+    }
+    return { resolved, failed };
+}
+/** Cache the detected pip binary across calls in the same process. */
+let cachedPipBinary = null;
+/**
+ * Detect the working pip binary.
+ * Order: python -m pip (most reliable) → pip3 → pip
+ */
+async function detectPipBinary() {
+    if (cachedPipBinary)
+        return cachedPipBinary;
+    const candidates = ["python3 -m pip", "python -m pip", "pip3", "pip"];
+    for (const cmd of candidates) {
+        try {
+            const parts = cmd.split(" ");
+            const code = await new Promise((resolve) => {
+                const child = (0, node_child_process_1.spawn)(parts[0], [...parts.slice(1), "--version"], {
+                    stdio: ["pipe", "pipe", "pipe"],
+                    timeout: 5000,
+                });
+                child.on("close", (c) => resolve(c ?? 1));
+                child.on("error", () => resolve(1));
+            });
+            if (code === 0) {
+                cachedPipBinary = cmd;
+                return cmd;
+            }
+        }
+        catch {
+            // Try next candidate
+        }
+    }
+    throw new Error("pip not found. Install pip or ensure 'python -m pip' is available.");
+}
+/**
+ * Run the actual pip command, inheriting stdio.
+ * Returns the pip exit code.
+ */
+async function runPip(args) {
+    const pipCmd = await detectPipBinary();
+    const parts = pipCmd.split(" ");
+    return new Promise((resolve) => {
+        const child = (0, node_child_process_1.spawn)(parts[0], [...parts.slice(1), ...args], {
+            stdio: "inherit",
+            shell: false,
+        });
+        child.on("close", (code) => resolve(code ?? 1));
+        child.on("error", () => resolve(1));
+    });
+}

package/dist/packages/cli/src/sanitize.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitize = sanitize;
+exports.sanitizeResponse = sanitizeResponse;
+const node_util_1 = require("node:util");
+function sanitize(s) {
+    return (0, node_util_1.stripVTControlCharacters)(s);
+}
+function sanitizeFinding(f) {
+    const result = { severity: f.severity };
+    if (f.category !== undefined)
+        result.category = sanitize(f.category);
+    if (f.title !== undefined)
+        result.title = sanitize(f.title);
+    if (f.evidence !== undefined)
+        result.evidence = f.evidence.map(sanitize);
+    return result;
+}
+function sanitizeResponse(response) {
+    const packages = response.packages.map((pkg) => ({
+        name: sanitize(pkg.name),
+        version: sanitize(pkg.version),
+        score: pkg.score,
+        findings: (pkg.findings ?? []).map(sanitizeFinding),
+        reasons: (pkg.reasons ?? []).map(sanitize),
+        recommendation: pkg.recommendation ? sanitize(pkg.recommendation) : undefined,
+        cached: pkg.cached,
+        license: pkg.license,
+    }));
+    return {
+        score: response.score,
+        action: response.action,
+        packages,
+        safeVersions: response.safeVersions,
+        durationMs: response.durationMs,
+        trialScansRemaining: response.trialScansRemaining,
+    };
+}

package/dist/packages/cli/src/scan-core.js

@@ -0,0 +1,144 @@
+"use strict";
+// Shared scan primitive used by both useScan (the `dg scan` command) and
+// useInit (the `dg init` wizard's verify and first-scan phases).
+//
+// Why this exists: useScan does a lot of multi-project / interactive logic
+// (project selection, mixed npm+pypi, batched progress callbacks). useInit
+// only needs the simple thing: "scan whatever's in this directory once and
+// give me back the result and a wall-clock duration." Rather than copy-paste
+// the discovery+analyze sequence into useInit, we extract the primitive here
+// so both code paths use the same engine and the same result shape.
+//
+// useScan does NOT yet use this — it has more complex multi-project handling
+// that doesn't fit the single-call shape. A future refactor can fold useScan's
+// single-project path into this. For now this is consumed by useInit only.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanProjectAtPath = scanProjectAtPath;
+exports.projectAtCwd = projectAtCwd;
+const lockfile_1 = require("./lockfile");
+const api_1 = require("./api");
+const discover_1 = require("./discover");
+const EMPTY_OK_RESULT = (durationMs) => ({
+    result: {
+        score: 0,
+        action: "pass",
+        packages: [],
+        safeVersions: {},
+        durationMs,
+    },
+    durationMs,
+    scannedCount: 0,
+    skippedCount: 0,
+});
+async function scanProjectAtPath(cwd, config, onProgress) {
+    const startNs = process.hrtime.bigint();
+    const elapsedMs = () => Number((process.hrtime.bigint() - startNs) / 1000000n);
+    try {
+        // Step 1 — discover packages from the lockfile in cwd
+        let discovery;
+        try {
+            discovery = (0, lockfile_1.discoverChanges)(cwd, config);
+        }
+        catch (e) {
+            // discoverChanges throws if there's no lockfile at all. For the
+            // wizard's purposes that's a valid "nothing to scan" outcome, not
+            // an error — we just want to know how long the discovery took and
+            // report that the project has no scannable deps yet.
+            return {
+                status: "no_packages",
+                result: EMPTY_OK_RESULT(elapsedMs()),
+                message: e instanceof Error ? e.message : "no lockfile found",
+            };
+        }
+        const npmPackages = discovery.packages;
+        const pyPackages = discovery.pythonPackages ?? [];
+        const totalDiscovered = npmPackages.length + pyPackages.length;
+        if (totalDiscovered === 0) {
+            return {
+                status: "no_packages",
+                result: EMPTY_OK_RESULT(elapsedMs()),
+            };
+        }
+        // Step 2 — call the analyze API for each ecosystem present, then merge.
+        // Per-batch progress is surfaced to the optional onProgress callback so the
+        // wizard can render a progress bar; done counts cumulate across ecosystems
+        // so the bar fills monotonically from 0 → totalDiscovered.
+        const responses = [];
+        let cumulativeDone = 0;
+        if (npmPackages.length > 0) {
+            const npmOnProgress = onProgress
+                ? (done, _total, currentBatch) => {
+                    onProgress({
+                        done: cumulativeDone + done,
+                        total: totalDiscovered,
+                        current: currentBatch ?? [],
+                    });
+                }
+                : undefined;
+            const npmResp = await (0, api_1.callAnalyzeAPI)(npmPackages, config, npmOnProgress);
+            responses.push(npmResp);
+            cumulativeDone += npmPackages.length;
+        }
+        if (pyPackages.length > 0) {
+            // The PyPI analyze API takes the same shape as npm — discovery returns
+            // PackageInput[] which already matches PyPIPackageInput.
+            const pyOnProgress = onProgress
+                ? (done, _total) => {
+                    onProgress({ done: cumulativeDone + done, total: totalDiscovered, current: [] });
+                }
+                : undefined;
+            const pyResp = await (0, api_1.callPyPIAnalyzeAPI)(pyPackages, config, pyOnProgress);
+            responses.push(pyResp);
+            cumulativeDone += pyPackages.length;
+        }
+        // Step 3 — merge results across ecosystems
+        const allPackages = responses.flatMap((r) => r.packages);
+        const maxScore = allPackages.length > 0
+            ? Math.max(0, ...allPackages.map((p) => p.score))
+            : 0;
+        const action = maxScore >= 70 ? "block" : maxScore >= 60 ? "warn" : "pass";
+        const safeVersions = {};
+        for (const r of responses)
+            Object.assign(safeVersions, r.safeVersions);
+        const totalDuration = elapsedMs();
+        const merged = {
+            score: maxScore,
+            action,
+            packages: allPackages,
+            safeVersions,
+            durationMs: totalDuration,
+        };
+        return {
+            status: "ok",
+            result: {
+                result: merged,
+                durationMs: totalDuration,
+                scannedCount: allPackages.length,
+                skippedCount: discovery.skipped?.length ?? 0,
+            },
+        };
+    }
+    catch (e) {
+        if (e instanceof api_1.TrialExhaustedError) {
+            return {
+                status: "trial_exhausted",
+                result: null,
+                message: e.message,
+            };
+        }
+        return {
+            status: "error",
+            result: null,
+            error: e instanceof Error ? e : new Error(String(e)),
+            message: e instanceof Error ? e.message : String(e),
+        };
+    }
+}
+/** Quick lockfile presence check used by the wizard's "what does this project
+ *  even look like" detect phase. Returns the first project found in cwd, or
+ *  null if there's nothing scannable. Wraps discoverProjects() but with a
+ *  cheaper "any project at all?" semantic. */
+function projectAtCwd(cwd) {
+    const found = (0, discover_1.discoverProjects)(cwd);
+    return found.length > 0 ? found[0] : null;
+}

package/dist/packages/cli/src/setup-status.js

@@ -0,0 +1,46 @@
+"use strict";
+// Compute "is the user's setup complete?" for the running command.
+//
+// Used by `dg scan` and other commands to surface a visible alert when
+// something the wizard would have set up is missing. The aim is to make
+// incomplete state obvious every time the user interacts with DG, not
+// just on first run.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSetupIssues = getSetupIssues;
+const auth_1 = require("./auth");
+const hook_1 = require("./hook");
+/** Inspect the user's current state and return any setup gaps worth
+ *  surfacing. Empty array means everything's set up. Never throws. */
+function getSetupIssues(cwd) {
+    const issues = [];
+    try {
+        const key = (0, auth_1.getStoredApiKey)();
+        // A key is "present and valid-looking" only if it starts with the
+        // expected prefix. A stale or malformed key (e.g. dgk_test) should
+        // surface the same "not signed in" prompt so the user re-authenticates.
+        const hasValidKey = key !== null &&
+            (key.startsWith("dg_live_") || key.startsWith("dg_test_"));
+        if (!hasValidKey) {
+            issues.push({
+                id: "no_api_key",
+                label: key ? "API key looks invalid — try signing in again" : "Not signed in — running on the free trial",
+                fix: "dg login",
+            });
+        }
+    }
+    catch { /* best-effort */ }
+    try {
+        const hookInfo = (0, hook_1.detectHookFramework)(cwd);
+        if (!hookInfo.alreadyInstalled) {
+            issues.push({
+                id: "no_hook",
+                label: "No pre-commit hook — commits aren't scanned",
+                fix: "dg kitty",
+            });
+        }
+    }
+    catch {
+        // Some projects aren't git repos; treat as "no info" rather than missing.
+    }
+    return issues;
+}