@westbayberry/dg 1.3.2 → 2.0.0

package/dist/config/settings.js

@@ -0,0 +1,302 @@
+import { existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { dirname, join } from "node:path";
+import { resolveDgPaths } from "../state/index.js";
+export const CONFIG_KEYS = Object.freeze([
+    "api.baseUrl",
+    "org.id",
+    "policy.mode",
+    "policy.trustProjectAllowlists",
+    "policy.allowForceOverride",
+    "policy.scriptHardening",
+    "gitHook.onWarn",
+    "gitHook.onIncomplete",
+    "audit.upload",
+    "telemetry.enabled",
+    "webhooks.enabled"
+]);
+export const DEFAULT_CONFIG = Object.freeze({
+    version: 1,
+    api: {
+        baseUrl: "https://api.westbayberry.com"
+    },
+    org: {
+        id: ""
+    },
+    policy: {
+        mode: "block",
+        trustProjectAllowlists: false,
+        allowForceOverride: true,
+        scriptHardening: false
+    },
+    gitHook: {
+        onWarn: "prompt",
+        onIncomplete: "allow"
+    },
+    audit: {
+        upload: false
+    },
+    telemetry: {
+        enabled: false
+    },
+    webhooks: {
+        enabled: true
+    }
+});
+export class ConfigError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ConfigError";
+    }
+}
+export function userConfigPath(paths) {
+    return join(paths.configDir, "config.json");
+}
+export function loadUserConfig(env = process.env) {
+    const paths = resolveDgPaths(env);
+    const path = userConfigPath(paths);
+    if (!existsSync(path)) {
+        return DEFAULT_CONFIG;
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf8"));
+        return normalizeConfig(parsed);
+    }
+    catch (error) {
+        throw new ConfigError(`Malformed dg config at ${path}: ${error instanceof Error ? error.message : "unknown error"}`);
+    }
+}
+export function saveUserConfig(config, env = process.env) {
+    const paths = resolveDgPaths(env);
+    writeJsonAtomic(userConfigPath(paths), config);
+}
+export function getConfigValue(config, key) {
+    if (key === "api.baseUrl") {
+        return config.api.baseUrl;
+    }
+    if (key === "org.id") {
+        return config.org.id;
+    }
+    if (key === "policy.mode") {
+        return config.policy.mode;
+    }
+    if (key === "policy.trustProjectAllowlists") {
+        return String(config.policy.trustProjectAllowlists);
+    }
+    if (key === "policy.allowForceOverride") {
+        return String(config.policy.allowForceOverride);
+    }
+    if (key === "policy.scriptHardening") {
+        return String(config.policy.scriptHardening);
+    }
+    if (key === "gitHook.onWarn") {
+        return config.gitHook.onWarn;
+    }
+    if (key === "gitHook.onIncomplete") {
+        return config.gitHook.onIncomplete;
+    }
+    if (key === "audit.upload") {
+        return String(config.audit.upload);
+    }
+    if (key === "telemetry.enabled") {
+        return String(config.telemetry.enabled);
+    }
+    return String(config.webhooks.enabled);
+}
+export function listConfig(config) {
+    return CONFIG_KEYS.map((key) => ({
+        key,
+        value: getConfigValue(config, key)
+    }));
+}
+export function setConfigValue(config, key, rawValue) {
+    if (key === "api.baseUrl") {
+        return {
+            ...config,
+            api: {
+                baseUrl: parseUrl(rawValue)
+            }
+        };
+    }
+    if (key === "org.id") {
+        return {
+            ...config,
+            org: {
+                id: rawValue.trim()
+            }
+        };
+    }
+    if (key === "policy.mode") {
+        return {
+            ...config,
+            policy: {
+                ...config.policy,
+                mode: parsePolicyMode(rawValue)
+            }
+        };
+    }
+    if (key === "policy.trustProjectAllowlists") {
+        return withPolicyBoolean(config, "trustProjectAllowlists", rawValue);
+    }
+    if (key === "policy.allowForceOverride") {
+        return withPolicyBoolean(config, "allowForceOverride", rawValue);
+    }
+    if (key === "policy.scriptHardening") {
+        return withPolicyBoolean(config, "scriptHardening", rawValue);
+    }
+    if (key === "gitHook.onWarn") {
+        return {
+            ...config,
+            gitHook: {
+                ...config.gitHook,
+                onWarn: parseOnWarn(rawValue)
+            }
+        };
+    }
+    if (key === "gitHook.onIncomplete") {
+        return {
+            ...config,
+            gitHook: {
+                ...config.gitHook,
+                onIncomplete: parseOnIncomplete(rawValue)
+            }
+        };
+    }
+    if (key === "audit.upload") {
+        return {
+            ...config,
+            audit: {
+                upload: parseBoolean(rawValue)
+            }
+        };
+    }
+    if (key === "telemetry.enabled") {
+        return {
+            ...config,
+            telemetry: {
+                enabled: parseBoolean(rawValue)
+            }
+        };
+    }
+    return {
+        ...config,
+        webhooks: {
+            enabled: parseBoolean(rawValue)
+        }
+    };
+}
+export function unsetConfigValue(config, key) {
+    return setConfigValue(config, key, getConfigValue(DEFAULT_CONFIG, key));
+}
+export function isConfigKey(value) {
+    return CONFIG_KEYS.includes(value);
+}
+function normalizeConfig(raw) {
+    if (raw.version !== undefined && raw.version !== 1) {
+        throw new ConfigError("unsupported config version");
+    }
+    return {
+        version: 1,
+        api: {
+            baseUrl: parseUrl(raw.api?.baseUrl ?? DEFAULT_CONFIG.api.baseUrl)
+        },
+        org: {
+            id: raw.org?.id ?? DEFAULT_CONFIG.org.id
+        },
+        policy: {
+            mode: parsePolicyMode(raw.policy?.mode ?? DEFAULT_CONFIG.policy.mode),
+            trustProjectAllowlists: raw.policy?.trustProjectAllowlists ?? DEFAULT_CONFIG.policy.trustProjectAllowlists,
+            allowForceOverride: raw.policy?.allowForceOverride ?? DEFAULT_CONFIG.policy.allowForceOverride,
+            scriptHardening: raw.policy?.scriptHardening ?? DEFAULT_CONFIG.policy.scriptHardening
+        },
+        gitHook: {
+            onWarn: parseOnWarn(raw.gitHook?.onWarn ?? DEFAULT_CONFIG.gitHook.onWarn),
+            onIncomplete: parseOnIncomplete(raw.gitHook?.onIncomplete ?? DEFAULT_CONFIG.gitHook.onIncomplete)
+        },
+        audit: {
+            upload: raw.audit?.upload ?? DEFAULT_CONFIG.audit.upload
+        },
+        telemetry: {
+            enabled: raw.telemetry?.enabled ?? DEFAULT_CONFIG.telemetry.enabled
+        },
+        webhooks: {
+            enabled: raw.webhooks?.enabled ?? DEFAULT_CONFIG.webhooks.enabled
+        }
+    };
+}
+function withPolicyBoolean(config, key, rawValue) {
+    if (key === "mode") {
+        return config;
+    }
+    return {
+        ...config,
+        policy: {
+            ...config.policy,
+            [key]: parseBoolean(rawValue)
+        }
+    };
+}
+function parsePolicyMode(value) {
+    if (value === "off" || value === "warn" || value === "block" || value === "strict") {
+        return value;
+    }
+    throw new ConfigError("policy.mode must be one of: off, warn, block, strict");
+}
+function parseOnWarn(value) {
+    if (value === "prompt" || value === "allow" || value === "block") {
+        return value;
+    }
+    throw new ConfigError("gitHook.onWarn must be one of: prompt, allow, block");
+}
+function parseOnIncomplete(value) {
+    if (value === "allow" || value === "block") {
+        return value;
+    }
+    throw new ConfigError("gitHook.onIncomplete must be one of: allow, block");
+}
+function parseBoolean(value) {
+    if (value === "true") {
+        return true;
+    }
+    if (value === "false") {
+        return false;
+    }
+    throw new ConfigError("boolean config values must be true or false");
+}
+function parseUrl(value) {
+    const trimmed = value.trim();
+    try {
+        const url = new URL(trimmed);
+        if (url.protocol !== "https:" && url.hostname !== "localhost" && url.hostname !== "127.0.0.1") {
+            throw new ConfigError("api.baseUrl must use https unless it targets localhost");
+        }
+        return url.toString().replace(/\/$/, "");
+    }
+    catch (error) {
+        if (error instanceof ConfigError) {
+            throw error;
+        }
+        throw new ConfigError("api.baseUrl must be an absolute URL");
+    }
+}
+function writeJsonAtomic(path, value) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: 0o700
+    });
+    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+    try {
+        writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, {
+            encoding: "utf8",
+            flag: "wx",
+            mode: 0o600
+        });
+        renameSync(tempPath, path);
+    }
+    catch (error) {
+        rmSync(tempPath, {
+            force: true
+        });
+        throw error;
+    }
+}

package/dist/install-ui/LiveInstall.js

@@ -0,0 +1,24 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from "ink";
+import InkSpinner from "ink-spinner";
+function packageCount(n) {
+    return n === 1 ? "1 package" : `${n} packages`;
+}
+function rule() {
+    const width = Math.max(20, Math.min((process.stdout.columns ?? 80) - 4, 56));
+    return "─".repeat(width);
+}
+export const LiveInstall = ({ view }) => {
+    if (view.total === 0 && !view.blocked) {
+        return null;
+    }
+    if (view.phase === "scanning") {
+        return (_jsxs(Box, { paddingX: 1, children: [_jsx(Text, { color: "cyan", children: _jsx(InkSpinner, { type: "dots" }) }), _jsxs(Text, { children: [" DG verifying ", packageCount(view.total), "\u2026"] }), view.current ? _jsxs(Text, { dimColor: true, children: ["  ", view.current] }) : null] }));
+    }
+    if (view.blocked) {
+        const blocked = view.blocked;
+        return (_jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsx(Text, { color: "gray", children: rule() }), blocked.kind === "blocked" ? (_jsxs(Text, { color: "red", children: ["\u2718  DG blocked install \u2014 ", blocked.headline] })) : (_jsxs(Text, { color: "yellow", children: ["?  DG could not verify ", blocked.packageName, " \u2014 ", blocked.headline] })), _jsxs(Text, { children: ["   ", blocked.packageName, "   ", blocked.reason] }), blocked.override ? _jsxs(Text, { dimColor: true, children: ["   ", "Override: ", blocked.override] }) : null, blocked.nextStep ? _jsxs(Text, { dimColor: true, children: ["   ", "Next: ", blocked.nextStep] }) : null] }));
+    }
+    const total = view.verified + view.flagged;
+    return (_jsx(Box, { paddingX: 1, children: view.flagged > 0 ? (_jsxs(Text, { color: "yellow", children: ["\u26A0  DG verified ", packageCount(total), " \u2014 ", view.flagged, " flagged"] })) : (_jsxs(Text, { color: "green", children: ["\u2713  DG verified ", packageCount(total), " \u2014 clean"] })) }));
+};

package/dist/install-ui/block-render.js

@@ -0,0 +1,83 @@
+const VERIFIED_BAD = new Set([
+    "malware",
+    "policy",
+    "license",
+    "hash-mismatch",
+    "private-upload-disabled"
+]);
+const HEADLINES = {
+    pass: "clean",
+    warn: "flagged",
+    malware: "confirmed malware",
+    policy: "blocked by policy",
+    license: "license policy",
+    "hash-mismatch": "artifact integrity mismatch",
+    "private-upload-disabled": "private artifact not scanned",
+    "api-unavailable": "scanner unavailable",
+    "quota-exceeded": "monthly scan limit reached",
+    "api-timeout": "scanner timed out",
+    "registry-timeout": "registry timed out",
+    "analysis-incomplete": "analysis incomplete",
+    "unsupported-manager": "unsupported package manager",
+    "proxy-setup-failure": "protection unavailable"
+};
+const NEXT_STEP = {
+    malware: "Do not install. Remove the dependency or pin a known-safe version.",
+    policy: "Adjust the dependency to satisfy policy, or ask your admin.",
+    license: "Replace the dependency or update your license policy.",
+    "hash-mismatch": "Clear your package cache and retry. If it persists, do not install.",
+    "private-upload-disabled": "Enable private artifact scanning to verify this package.",
+    "quota-exceeded": "Upgrade your plan or wait for your monthly limit to reset. See westbayberry.com/pricing."
+};
+export function describeBlockedInstall(decision) {
+    const verifiedBad = VERIFIED_BAD.has(decision.cause);
+    const override = decision.forceOverride && !decision.forceOverride.allowed
+        ? "not allowed by your policy"
+        : "re-run with --dg-force-install";
+    const nextStep = verifiedBad
+        ? NEXT_STEP[decision.cause]
+        : "Re-check later with 'dg verify', or override if you accept the risk.";
+    return {
+        kind: verifiedBad ? "blocked" : "unverified",
+        packageName: decision.packageName,
+        headline: HEADLINES[decision.cause],
+        reason: decision.reason,
+        ...(nextStep ? { nextStep } : {}),
+        ...(verifiedBad ? {} : { override })
+    };
+}
+export function renderInstallDecision(decision) {
+    if (decision.action === "pass") {
+        return `✓ DG verified ${decision.packageName} — clean\n`;
+    }
+    if (decision.action === "warn") {
+        if (decision.forceOverride?.allowed) {
+            return `⚠ DG override — installing ${decision.packageName} despite block (--dg-force-install)\n`;
+        }
+        return `⚠ DG flagged ${decision.packageName} (warn) — ${decision.reason}\n`;
+    }
+    const verifiedBad = VERIFIED_BAD.has(decision.cause);
+    const headline = HEADLINES[decision.cause];
+    const lines = [
+        verifiedBad
+            ? `✘ DG blocked install — ${headline}`
+            : `? DG could not verify ${decision.packageName} — ${headline}`,
+        `  ${decision.packageName}   ${decision.reason}`
+    ];
+    if (decision.dashboardUrl) {
+        lines.push(`  Evidence: ${decision.dashboardUrl}`);
+    }
+    if (decision.unauthenticated) {
+        lines.push("  Auth: local policy only (run 'dg login' for full coverage)");
+    }
+    lines.push(decision.forceOverride && !decision.forceOverride.allowed
+        ? "  Override: not allowed by your policy"
+        : "  Override: re-run with --dg-force-install");
+    const next = verifiedBad
+        ? NEXT_STEP[decision.cause]
+        : "Re-check later with 'dg verify', or override if you accept the risk.";
+    if (next) {
+        lines.push(`  Next: ${next}`);
+    }
+    return `${lines.join("\n")}\n`;
+}

package/dist/install-ui/live-install-app.js

@@ -0,0 +1,48 @@
+import React from "react";
+import { render, useApp } from "ink";
+import { LiveInstall } from "./LiveInstall.js";
+function createViewStore(initial) {
+    let current = initial;
+    const listeners = new Set();
+    return {
+        get: () => current,
+        set: (view) => {
+            current = view;
+            for (const listener of listeners) {
+                listener();
+            }
+        },
+        subscribe: (listener) => {
+            listeners.add(listener);
+            return () => {
+                listeners.delete(listener);
+            };
+        }
+    };
+}
+const App = ({ store }) => {
+    const view = React.useSyncExternalStore(store.subscribe, store.get, store.get);
+    const { exit } = useApp();
+    React.useEffect(() => {
+        if (view.phase !== "done") {
+            return undefined;
+        }
+        const timer = setTimeout(() => exit(), 30);
+        return () => clearTimeout(timer);
+    }, [view.phase, exit]);
+    return React.createElement(LiveInstall, { view });
+};
+export async function renderLiveInstall(run) {
+    const store = createViewStore({ phase: "scanning", total: 0, verified: 0, flagged: 0 });
+    const restoreCursor = () => process.stdout.write(String.fromCharCode(27) + "[?25h");
+    process.once("exit", restoreCursor);
+    const instance = render(React.createElement(App, { store }));
+    try {
+        return await run((view) => store.set(view));
+    }
+    finally {
+        store.set({ ...store.get(), phase: "done" });
+        await instance.waitUntilExit().catch(() => undefined);
+        process.off("exit", restoreCursor);
+    }
+}

package/dist/install-ui/prompt.js

@@ -0,0 +1,24 @@
+import { createInterface } from "node:readline";
+export function defaultPromptIo() {
+    return {
+        input: process.stdin,
+        output: process.stderr,
+        isTTY: Boolean(process.stdin.isTTY && process.stderr.isTTY)
+    };
+}
+export async function promptYesNo(question, io) {
+    if (!io.isTTY) {
+        return false;
+    }
+    const rl = createInterface({ input: io.input, output: io.output });
+    try {
+        const answer = await new Promise((resolve) => {
+            rl.question(`${question} [y/N] `, resolve);
+        });
+        const normalized = answer.trim().toLowerCase();
+        return normalized === "y" || normalized === "yes";
+    }
+    finally {
+        rl.close();
+    }
+}

package/dist/launcher/classify.js

@@ -0,0 +1,116 @@
+import { optionalPackageManagerNames, optionalSupportGate } from "../setup/optional-support.js";
+const supportedManagers = ["npm", "npx", "pnpm", "pnpx", "yarn", "pip", "pipx", "uv", "uvx", "cargo"];
+const gatedManagers = optionalPackageManagerNames();
+const jsProtected = new Set(["install", "i", "ci", "add", "update", "dedupe", "exec"]);
+const pnpmProtected = new Set(["install", "i", "add", "update", "dlx", "exec"]);
+const yarnProtected = new Set(["add", "install", "upgrade", "dlx"]);
+const pipProtected = new Set(["install", "download", "wheel"]);
+const pipxProtected = new Set(["install", "upgrade", "inject", "run"]);
+const uvProtected = new Set(["add", "sync"]);
+const cargoProtected = new Set(["add", "install", "fetch", "update", "build", "test", "check", "run"]);
+const passthrough = new Set(["help", "--help", "-h", "version", "--version", "-v", "list", "ls", "show", "freeze"]);
+export function packageManagerNames() {
+    return [...supportedManagers, ...gatedManagers];
+}
+export function isSupportedPackageManager(manager) {
+    return supportedManagers.includes(manager);
+}
+export function classifyPackageManagerInvocation(manager, args) {
+    if (!isSupportedPackageManager(manager)) {
+        return unsupportedClassification(manager, args);
+    }
+    if (manager === "npx" || manager === "pnpx" || manager === "uvx") {
+        return protectedClassification(manager, args, manager, `${manager} fetches and runs package artifacts`);
+    }
+    if (manager === "npm") {
+        return classifyByCommand(manager, args, "npm", jsProtected, "npm install/fetch command", "javascript");
+    }
+    if (manager === "pnpm") {
+        return classifyByCommand(manager, args, "pnpm", pnpmProtected, "pnpm install/fetch command", "javascript");
+    }
+    if (manager === "yarn") {
+        return classifyByCommand(manager, args, "yarn", yarnProtected, "Yarn classic install/fetch command", "javascript");
+    }
+    if (manager === "pip") {
+        return classifyByCommand(manager, args, "pip", pipProtected, "pip install/fetch command", "python");
+    }
+    if (manager === "pipx") {
+        return classifyByCommand(manager, args, "pipx", pipxProtected, "pipx install/fetch command", "python");
+    }
+    if (manager === "uv") {
+        return classifyUv(args);
+    }
+    return classifyByCommand(manager, args, "cargo", cargoProtected, "Cargo command can fetch crates", "rust");
+}
+function classifyByCommand(manager, args, realBinaryName, protectedCommands, protectedReason, ecosystem) {
+    const action = firstCommand(args);
+    if (protectedCommands.has(action) || containsFetchSpec(args)) {
+        return {
+            manager,
+            ecosystem,
+            kind: "protected",
+            action,
+            reason: protectedReason,
+            realBinaryName,
+            args
+        };
+    }
+    return {
+        manager,
+        ecosystem,
+        kind: "passthrough",
+        action,
+        reason: passthrough.has(action) ? "read-only or local package-manager command" : "not classified as an install/fetch command",
+        realBinaryName,
+        args
+    };
+}
+function classifyUv(args) {
+    const action = firstCommand(args);
+    if (action === "pip" && pipProtected.has(args[1] ?? "")) {
+        return protectedClassification("uv", args, "uv", "uv pip install/fetch command");
+    }
+    if (action === "tool" && args[1] === "run") {
+        return protectedClassification("uv", args, "uv", "uv tool run fetches package artifacts");
+    }
+    if (uvProtected.has(action) || containsFetchSpec(args)) {
+        return protectedClassification("uv", args, "uv", "uv install/fetch command");
+    }
+    return {
+        manager: "uv",
+        ecosystem: "python",
+        kind: "passthrough",
+        action,
+        reason: passthrough.has(action) ? "read-only or local uv command" : "not classified as an install/fetch command",
+        realBinaryName: "uv",
+        args
+    };
+}
+function protectedClassification(manager, args, realBinaryName, reason) {
+    return {
+        manager,
+        ecosystem: manager === "cargo" ? "rust" : manager === "pip" || manager === "pipx" || manager === "uv" || manager === "uvx" ? "python" : "javascript",
+        kind: "protected",
+        action: firstCommand(args),
+        reason,
+        realBinaryName,
+        args
+    };
+}
+function unsupportedClassification(manager, args) {
+    return {
+        manager,
+        ecosystem: "gated",
+        kind: "unsupported",
+        action: firstCommand(args),
+        reason: optionalSupportGate(manager).message,
+        realBinaryName: manager,
+        args
+    };
+}
+function firstCommand(args) {
+    return args.find((arg) => !arg.startsWith("-")) ?? "";
+}
+function containsFetchSpec(args) {
+    return args.some((arg) => /^https?:\/\//.test(arg) || /^git\+https?:\/\//.test(arg) || /\.t(ar\.)?gz(?:$|[#?])/.test(arg));
+}

package/dist/launcher/env.js

@@ -0,0 +1,53 @@
+export function buildProxyChildEnv(options) {
+    const env = {
+        ...options.baseEnv,
+        DG_PROXY_ACTIVE: "1"
+    };
+    const noProxy = mergeNoProxy(options.baseEnv.NO_PROXY ?? options.baseEnv.no_proxy, options.noProxyHosts ?? ["127.0.0.1", "localhost"]);
+    if (["npm", "npx", "pnpm", "pnpx", "yarn"].includes(options.manager)) {
+        env.HTTP_PROXY = options.proxyUrl;
+        env.HTTPS_PROXY = options.proxyUrl;
+        env.npm_config_proxy = options.proxyUrl;
+        env.npm_config_https_proxy = options.proxyUrl;
+        env.NO_PROXY = noProxy;
+        env.NODE_EXTRA_CA_CERTS = options.caBundlePath;
+        if (options.cacheDir) {
+            env.npm_config_cache = options.cacheDir;
+            if (options.manager === "yarn") {
+                env.YARN_CACHE_FOLDER = options.cacheDir;
+            }
+        }
+        return env;
+    }
+    if (options.manager === "pip" || options.manager === "pipx") {
+        env.http_proxy = options.proxyUrl;
+        env.https_proxy = options.proxyUrl;
+        env.no_proxy = noProxy;
+        env.REQUESTS_CA_BUNDLE = options.caBundlePath;
+        env.PIP_CERT = options.caBundlePath;
+        env.PIP_NO_CACHE_DIR = "1";
+        return env;
+    }
+    if (options.manager === "uv" || options.manager === "uvx") {
+        env.HTTP_PROXY = options.proxyUrl;
+        env.HTTPS_PROXY = options.proxyUrl;
+        env.ALL_PROXY = options.proxyUrl;
+        env.NO_PROXY = noProxy;
+        env.SSL_CERT_FILE = options.caBundlePath;
+        env.UV_NO_CACHE = "1";
+        return env;
+    }
+    env.HTTPS_PROXY = options.proxyUrl;
+    env.https_proxy = options.proxyUrl;
+    env.http_proxy = options.proxyUrl;
+    env.NO_PROXY = noProxy;
+    env.CARGO_HTTP_CAINFO = options.caBundlePath;
+    return env;
+}
+function mergeNoProxy(existing, required) {
+    const values = new Set((existing ?? "").split(",").map((part) => part.trim()).filter(Boolean));
+    for (const host of required) {
+        values.add(host);
+    }
+    return [...values].join(",");
+}