@westbayberry/dg 1.3.2 → 2.0.0

package/dist/commands/update.js

@@ -0,0 +1,210 @@
+import { spawnSync } from "node:child_process";
+import { npmExecutable } from "../publish-set/npm.js";
+import { EXIT_USAGE } from "./types.js";
+import { dgVersion } from "./version.js";
+const PACKAGE_NAME = "@westbayberry/dg";
+export const updateCommand = {
+    name: "update",
+    summary: "Check for dg CLI updates.",
+    usage: "dg update [--json]",
+    aliases: ["upgrade"],
+    flags: [{ flag: "--json", summary: "Machine-readable update info." }],
+    examples: ["dg update"],
+    details: [
+        "Checks the latest published dg version and prints the exact package-manager command to run.",
+        "The command does not run package managers, edit setup state, or mutate the installed npm package."
+    ],
+    handler: (context) => runUpdateCommand(context.args, context.commandPath[0] ?? "update")
+};
+function runUpdateCommand(args, commandName) {
+    const parsed = parseUpdateArgs(args);
+    if ("error" in parsed) {
+        return usageError(commandName, parsed.error);
+    }
+    const latestVersion = readLatestVersion();
+    const report = buildUpdateReport(latestVersion);
+    if (parsed.format === "json") {
+        return {
+            exitCode: report.status === "unknown" ? 1 : 0,
+            stdout: `${JSON.stringify(report, null, 2)}\n`,
+            stderr: ""
+        };
+    }
+    return {
+        exitCode: report.status === "unknown" ? 1 : 0,
+        stdout: renderUpdateText(report),
+        stderr: ""
+    };
+}
+function parseUpdateArgs(args) {
+    let format = "text";
+    for (const arg of args) {
+        if (!arg) {
+            return { error: "empty argument" };
+        }
+        if (arg === "--json") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = "json";
+            continue;
+        }
+        if (arg === "--yes" || arg === "-y") {
+            return { error: "--yes is not supported because dg update does not self-mutate; run the printed command explicitly" };
+        }
+        if (arg.startsWith("-")) {
+            return { error: `unknown option '${arg}'` };
+        }
+        return { error: "update does not accept positional arguments" };
+    }
+    return {
+        format
+    };
+}
+export function readLatestVersion(timeoutMs = 5000) {
+    const injected = process.env.DG_UPDATE_LATEST_VERSION;
+    if (injected) {
+        return injected;
+    }
+    const result = spawnSync(npmExecutable(), ["view", PACKAGE_NAME, "version", "--json"], {
+        encoding: "utf8",
+        env: {
+            ...process.env,
+            npm_config_ignore_scripts: "true"
+        },
+        timeout: timeoutMs
+    });
+    if (result.status !== 0) {
+        return null;
+    }
+    const raw = result.stdout.trim();
+    if (!raw) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        return typeof parsed === "string" ? parsed : null;
+    }
+    catch {
+        return raw.replace(/^"|"$/gu, "");
+    }
+}
+function buildUpdateReport(latestVersion) {
+    if (!latestVersion) {
+        return {
+            currentVersion: dgVersion(),
+            latestVersion: null,
+            packageName: PACKAGE_NAME,
+            status: "unknown",
+            updateCommand: null
+        };
+    }
+    const available = compareVersions(latestVersion, dgVersion()) > 0;
+    return {
+        currentVersion: dgVersion(),
+        latestVersion,
+        packageName: PACKAGE_NAME,
+        status: available ? "available" : "current",
+        updateCommand: available ? `npm install -g ${PACKAGE_NAME}@${latestVersion}` : null
+    };
+}
+function renderUpdateText(report) {
+    const lines = [
+        "Dependency Guardian update",
+        `Current version: ${report.currentVersion}`
+    ];
+    if (report.status === "unknown") {
+        lines.push("Latest version: unknown");
+        lines.push("Status: registry metadata unavailable");
+        lines.push("No install command was run.");
+        return `${lines.join("\n")}\n`;
+    }
+    lines.push(`Latest version: ${report.latestVersion}`);
+    lines.push(`Status: ${report.status}`);
+    if (report.updateCommand) {
+        lines.push(`Run: ${report.updateCommand}`);
+    }
+    else {
+        lines.push("No update needed.");
+    }
+    lines.push("No package manager was executed.");
+    return `${lines.join("\n")}\n`;
+}
+export function compareVersions(left, right) {
+    const leftVersion = parseVersion(left);
+    const rightVersion = parseVersion(right);
+    const length = Math.max(leftVersion.release.length, rightVersion.release.length);
+    for (let index = 0; index < length; index += 1) {
+        const diff = (leftVersion.release[index] ?? 0) - (rightVersion.release[index] ?? 0);
+        if (diff !== 0) {
+            return diff;
+        }
+    }
+    return comparePrerelease(leftVersion.prerelease, rightVersion.prerelease);
+}
+function parseVersion(version) {
+    const core = version.replace(/^v/u, "").split("+", 1)[0] ?? "";
+    const dashIndex = core.indexOf("-");
+    const releaseText = dashIndex === -1 ? core : core.slice(0, dashIndex);
+    const prereleaseText = dashIndex === -1 ? "" : core.slice(dashIndex + 1);
+    const release = releaseText
+        .split(".")
+        .map((part) => Number.parseInt(part, 10))
+        .filter((part) => Number.isFinite(part));
+    const prerelease = prereleaseText ? prereleaseText.split(".") : [];
+    return { release, prerelease };
+}
+function comparePrerelease(left, right) {
+    if (left.length === 0 && right.length === 0) {
+        return 0;
+    }
+    if (left.length === 0) {
+        return 1;
+    }
+    if (right.length === 0) {
+        return -1;
+    }
+    const length = Math.max(left.length, right.length);
+    for (let index = 0; index < length; index += 1) {
+        const leftId = left[index];
+        const rightId = right[index];
+        if (leftId === undefined) {
+            return -1;
+        }
+        if (rightId === undefined) {
+            return 1;
+        }
+        const diff = comparePrereleaseIdentifier(leftId, rightId);
+        if (diff !== 0) {
+            return diff;
+        }
+    }
+    return 0;
+}
+function comparePrereleaseIdentifier(left, right) {
+    const leftNumeric = /^\d+$/u.test(left);
+    const rightNumeric = /^\d+$/u.test(right);
+    if (leftNumeric && rightNumeric) {
+        return Number.parseInt(left, 10) - Number.parseInt(right, 10);
+    }
+    if (leftNumeric) {
+        return -1;
+    }
+    if (rightNumeric) {
+        return 1;
+    }
+    if (left < right) {
+        return -1;
+    }
+    if (left > right) {
+        return 1;
+    }
+    return 0;
+}
+function usageError(commandName, message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg ${commandName}: ${message}. Usage: dg ${commandName} [--json]\n`
+    };
+}

package/dist/commands/verify.js

@@ -0,0 +1,151 @@
+import { EXIT_UNAVAILABLE, EXIT_USAGE } from "./types.js";
+import { writeFileSync } from "node:fs";
+import { existsSync } from "node:fs";
+import { resolve } from "node:path";
+import { renderVerifyJson, renderVerifySarif, renderVerifyText } from "../verify/render.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { verifyLocalTarget } from "../verify/local.js";
+import { isSupportedLockfilePath, verifyLockfile, verifyPackageSpec } from "../verify/preflight.js";
+export const verifyCommand = {
+    name: "verify",
+    summary: "Verify a package spec, lockfile, or local artifact.",
+    usage: "dg verify <registry:package[@version]|path|lockfile> [--verbose] [--json|--sarif] [--output <path>]",
+    args: [
+        { name: "<target>", summary: "registry:package[@version] (npm:react), a local path, an artifact (.tgz/.whl), or a lockfile." }
+    ],
+    flags: [
+        { flag: "--verbose", summary: "Show every finding, not just the top ones (alias -v)." },
+        { flag: "--json", summary: "Machine-readable JSON report." },
+        { flag: "--sarif", summary: "SARIF report for code-scanning tools." },
+        { flag: "--output", value: "<path>", summary: "Write the report to a file instead of stdout (alias -o)." }
+    ],
+    examples: ["dg verify npm:react", "dg verify pypi:requests@2.31.0", "dg verify ./pkg.tgz --verbose", "dg verify package-lock.json --json"],
+    details: [
+        "dg verify npm:react (or pypi:requests, with an optional @version — defaults to latest) runs a real scanner check on a published package before you install it. This is a Pro/Team feature and requires dg login.",
+        "Local paths, workspaces, tgz/zip/wheel artifacts, and lockfiles are verified offline as advisory preflight (free); proxy enforcement remains authoritative for network artifact fetches."
+    ],
+    handler: (context) => {
+        const parsed = parseVerifyArgs(context.args);
+        if ("error" in parsed) {
+            return {
+                exitCode: EXIT_USAGE,
+                stdout: "",
+                stderr: `dg verify: ${parsed.error}. Usage: dg verify <spec|path|lockfile> [--verbose] [--json|--sarif] [--output <path>]\n`
+            };
+        }
+        let report;
+        try {
+            report = verifyTarget(parsed);
+        }
+        catch (error) {
+            return {
+                exitCode: EXIT_UNAVAILABLE,
+                stdout: "",
+                stderr: `dg verify could not verify ${parsed.target}: ${error instanceof Error ? error.message : "unknown verify error"}\n`
+            };
+        }
+        const rendered = renderVerifyReport(report, parsed.format, parsed.verbose);
+        if (parsed.outputPath) {
+            try {
+                writeFileSync(resolve(parsed.outputPath), rendered, "utf8");
+            }
+            catch (error) {
+                return {
+                    exitCode: 1,
+                    stdout: "",
+                    stderr: `dg verify could not write ${parsed.outputPath}: ${error instanceof Error ? error.message : "unknown write error"}\n`
+                };
+            }
+            return {
+                exitCode: exitCodeForReport(report),
+                stdout: `Wrote ${parsed.format} verify report to ${parsed.outputPath}\n`,
+                stderr: ""
+            };
+        }
+        return {
+            exitCode: exitCodeForReport(report),
+            stdout: rendered,
+            stderr: ""
+        };
+    }
+};
+function parseVerifyArgs(args) {
+    let format = "text";
+    let outputPath = null;
+    let target = null;
+    let verbose = false;
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            return { error: "empty argument" };
+        }
+        if (arg === "--json") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = "json";
+            continue;
+        }
+        if (arg === "--sarif") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = "sarif";
+            continue;
+        }
+        if (arg === "--verbose" || arg === "-v") {
+            verbose = true;
+            continue;
+        }
+        if (arg === "--output" || arg === "-o") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: `${arg} requires a path` };
+            }
+            outputPath = next;
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            return { error: `unknown option '${arg}'` };
+        }
+        if (target) {
+            return { error: "verify accepts exactly one target" };
+        }
+        target = arg;
+    }
+    if (!target) {
+        return { error: "missing target" };
+    }
+    return {
+        format,
+        outputPath,
+        target,
+        verbose
+    };
+}
+function verifyTarget(parsed) {
+    if (isSupportedLockfilePath(parsed.target)) {
+        return verifyLockfile(parsed.target);
+    }
+    if (existsSync(resolve(parsed.target))) {
+        return verifyLocalTarget(parsed.target);
+    }
+    return verifyPackageSpec(parsed.target);
+}
+function renderVerifyReport(report, format, verbose) {
+    if (format === "json") {
+        return renderVerifyJson(report);
+    }
+    if (format === "sarif") {
+        return renderVerifySarif(report);
+    }
+    return renderVerifyText(report, createTheme(resolvePresentation().color), verbose);
+}
+function exitCodeForReport(report) {
+    if (report.status === "block") {
+        return 2;
+    }
+    return report.status === "warn" || report.status === "error" ? 1 : 0;
+}

package/dist/commands/version.js

@@ -0,0 +1,22 @@
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+function readPackageVersion() {
+    const packageJsonPath = fileURLToPath(new URL("../../package.json", import.meta.url));
+    const parsed = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+    if (!parsed.version) {
+        throw new Error("package.json is missing a version field — reinstall @westbayberry/dg");
+    }
+    return parsed.version;
+}
+let cachedVersion;
+export function dgVersion() {
+    cachedVersion ??= readPackageVersion();
+    return cachedVersion;
+}
+export function versionResult() {
+    return {
+        exitCode: 0,
+        stdout: `dg ${dgVersion()}\n`,
+        stderr: ""
+    };
+}

package/dist/commands/wrap.js

@@ -0,0 +1,55 @@
+import { runPackageManager } from "../launcher/run.js";
+import { packageManagerNames } from "../launcher/classify.js";
+import { optionalPackageManagerNames, optionalSupportGate } from "../setup/optional-support.js";
+const gatedPackageManagers = optionalPackageManagerNames();
+export const packageManagerCommandNames = packageManagerNames();
+export function packageManagerCommands() {
+    return packageManagerCommandNames.map((name) => ({
+        name,
+        summary: `Run ${name} through dg prefix-mode routing.`,
+        usage: `dg ${name} [--dg-force-install] [...args]`,
+        args: [{ name: "[...args]", summary: `Arguments passed straight through to ${name}.` }],
+        flags: [{ flag: "--dg-force-install", summary: "Proceed past a dg block where your policy permits an override." }],
+        examples: [`dg ${name} <args>`, `dg ${name} <args> --dg-force-install`],
+        details: commandDetails(name),
+        handler: (context) => {
+            const parsed = parsePrefixControlArgs(context.args);
+            return runPackageManager(name, parsed.args, {
+                onStdout: (chunk) => process.stdout.write(chunk),
+                onStderr: (chunk) => process.stderr.write(chunk),
+                ...(parsed.forceOverride ? { forceOverride: parsed.forceOverride } : {})
+            });
+        }
+    }));
+}
+function commandDetails(name) {
+    const details = ["Protected fetch and install commands start enforcement; passthrough commands do not."];
+    if (gatedPackageManagers.includes(name)) {
+        details.push(optionalSupportGate(name).message);
+    }
+    else if (name === "yarn") {
+        details.push("This build claims Yarn classic routing only. Yarn Berry remains gated and unclaimed until its explicit support gate passes.");
+    }
+    else {
+        details.push("Support for this ecosystem is required before the install-firewall task can complete.");
+    }
+    return details;
+}
+function parsePrefixControlArgs(args) {
+    const childArgs = [];
+    let force = false;
+    for (const arg of args) {
+        if (arg === "--dg-force-install") {
+            force = true;
+            continue;
+        }
+        childArgs.push(arg);
+    }
+    if (!force) {
+        return { args: childArgs };
+    }
+    return {
+        args: childArgs,
+        forceOverride: { force: true }
+    };
+}