@westbayberry/dg 1.3.2 → 2.0.0

package/dist/proxy/upstream-proxy.js

@@ -0,0 +1,102 @@
+import { connect } from "node:net";
+import { redactSecrets } from "../launcher/output-redaction.js";
+export function selectUpstreamProxy(target, env) {
+    const explicit = env.DG_UPSTREAM_PROXY;
+    const inherited = target.protocol === "https:"
+        ? env.HTTPS_PROXY ?? env.https_proxy ?? env.ALL_PROXY ?? env.all_proxy
+        : env.HTTP_PROXY ?? env.http_proxy ?? env.ALL_PROXY ?? env.all_proxy;
+    const raw = explicit ?? inherited;
+    if (!raw || (!explicit && matchesNoProxy(target.hostname, target.port, env.NO_PROXY ?? env.no_proxy))) {
+        return null;
+    }
+    const url = new URL(raw);
+    if (url.protocol !== "http:") {
+        throw new Error("only HTTP upstream proxies are supported for per-invocation proxy chaining");
+    }
+    const authorizationHeader = url.username || url.password
+        ? `Basic ${Buffer.from(`${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`).toString("base64")}`
+        : undefined;
+    return {
+        url,
+        ...(authorizationHeader ? { authorizationHeader } : {}),
+        redactedUrl: redactSecrets(url.toString())
+    };
+}
+export function connectViaUpstreamProxy(target, upstream, extraHeaders = []) {
+    return new Promise((resolve, reject) => {
+        const socket = connect(Number(upstream.url.port || "80"), upstream.url.hostname);
+        const chunks = [];
+        const fail = (error) => {
+            socket.destroy();
+            reject(error);
+        };
+        socket.once("error", fail);
+        socket.once("connect", () => {
+            const authority = authorityFor(target);
+            const headers = [
+                `CONNECT ${authority} HTTP/1.1`,
+                `Host: ${authority}`,
+                "Proxy-Connection: keep-alive",
+                ...(upstream.authorizationHeader ? [`Proxy-Authorization: ${upstream.authorizationHeader}`] : []),
+                ...extraHeaders,
+                "",
+                ""
+            ];
+            socket.write(headers.join("\r\n"));
+        });
+        socket.on("data", function onData(chunk) {
+            chunks.push(chunk);
+            const buffered = Buffer.concat(chunks);
+            if (buffered.length > 64 * 1024) {
+                socket.off("data", onData);
+                socket.destroy();
+                reject(new Error("upstream proxy CONNECT response exceeded the 64KiB header limit"));
+                return;
+            }
+            const headerEnd = buffered.indexOf("\r\n\r\n");
+            if (headerEnd === -1) {
+                return;
+            }
+            socket.off("data", onData);
+            socket.off("error", fail);
+            const head = buffered.subarray(headerEnd + 4);
+            const statusLine = buffered.subarray(0, headerEnd).toString("latin1").split("\r\n")[0] ?? "";
+            if (!/^HTTP\/1\.[01] 2\d\d\b/.test(statusLine)) {
+                socket.destroy();
+                reject(new Error(`upstream proxy CONNECT failed: ${statusLine}`));
+                return;
+            }
+            if (head.length > 0) {
+                socket.unshift(head);
+            }
+            resolve(socket);
+        });
+    });
+}
+export function authorityFor(target) {
+    const port = target.port || (target.protocol === "https:" ? "443" : "80");
+    return `${target.hostname}:${port}`;
+}
+function matchesNoProxy(host, port, rawNoProxy) {
+    if (!rawNoProxy) {
+        return false;
+    }
+    const normalizedHost = host.toLowerCase();
+    const hostPort = `${normalizedHost}:${port}`;
+    for (const rawEntry of rawNoProxy.split(",")) {
+        const entry = rawEntry.trim().toLowerCase();
+        if (!entry) {
+            continue;
+        }
+        if (entry === "*") {
+            return true;
+        }
+        if (entry === normalizedHost || entry === hostPort) {
+            return true;
+        }
+        if (entry.startsWith(".") && normalizedHost.endsWith(entry)) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/proxy/worker.js

@@ -0,0 +1,39 @@
+import { readFileSync } from "node:fs";
+import { startProductionHttpProxy } from "./server.js";
+import { parseForceOverrideRequest } from "./enforcement.js";
+const sessionPath = process.argv[2];
+const apiBaseUrl = process.argv[3];
+const classificationJson = process.env.DG_PROXY_CLASSIFICATION;
+if (!sessionPath || !apiBaseUrl || !classificationJson) {
+    process.stderr.write("dg proxy worker missing startup arguments\n");
+    process.exit(1);
+}
+const session = JSON.parse(readFileSync(sessionPath, "utf8"));
+const classification = JSON.parse(classificationJson);
+const forceOverride = parseForceOverrideRequest(process.env.DG_FORCE_OVERRIDE_REQUEST);
+let handle = null;
+let closed = false;
+async function close() {
+    if (closed) {
+        return;
+    }
+    closed = true;
+    await handle?.close();
+}
+process.stdin.on("end", () => {
+    close().finally(() => process.exit(0));
+});
+process.on("SIGTERM", () => {
+    close().finally(() => process.exit(0));
+});
+process.on("SIGINT", () => {
+    close().finally(() => process.exit(0));
+});
+handle = await startProductionHttpProxy({
+    session,
+    apiBaseUrl,
+    classification,
+    env: process.env,
+    ...(forceOverride ? { forceOverride } : {})
+});
+process.stdout.write(`ready ${handle.port}\n`);

package/dist/publish-set/collect.js

@@ -0,0 +1,51 @@
+import { lstatSync, readFileSync, readlinkSync, realpathSync } from "node:fs";
+import { isAbsolute, join, relative, resolve, sep } from "node:path";
+export function buildAuditFile(root, relPath) {
+    const absolute = resolve(root, relPath);
+    let stat;
+    try {
+        stat = lstatSync(absolute);
+    }
+    catch {
+        return null;
+    }
+    const isSymlink = stat.isSymbolicLink();
+    let symlinkEscapes = false;
+    if (isSymlink) {
+        try {
+            const target = readlinkSync(absolute);
+            const resolved = isAbsolute(target) ? target : resolve(root, relPath, "..", target);
+            const real = realpathSync(resolved);
+            const rootReal = realpathSync(root);
+            symlinkEscapes = real !== rootReal && !real.startsWith(rootReal + sep);
+        }
+        catch {
+            symlinkEscapes = true;
+        }
+    }
+    if (!isSymlink && !stat.isFile()) {
+        return null;
+    }
+    return {
+        path: toDisplay(relPath),
+        size: stat.size,
+        isSymlink,
+        symlinkEscapes,
+        mode: stat.mode,
+        read: () => {
+            try {
+                return readFileSync(absolute);
+            }
+            catch {
+                return null;
+            }
+        }
+    };
+}
+export function toDisplay(relPath) {
+    const normalized = relative(".", relPath) || relPath;
+    return normalized.split(sep).join("/");
+}
+export function joinRel(dir, name) {
+    return toDisplay(join(dir, name));
+}

package/dist/publish-set/no-exec-shell.js

@@ -0,0 +1,19 @@
+import { chmodSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+export function noExecPackEnv(env, platform = process.platform) {
+    const dir = mkdtempSync(join(tmpdir(), "dg-noexec-shell-"));
+    const windows = platform === "win32";
+    const shellPath = join(dir, windows ? "noop.cmd" : "noop.sh");
+    if (windows) {
+        writeFileSync(shellPath, "@exit /b 0\r\n", "utf8");
+    }
+    else {
+        writeFileSync(shellPath, "#!/bin/sh\nexit 0\n", "utf8");
+        chmodSync(shellPath, 0o755);
+    }
+    return {
+        env: { ...env, npm_config_script_shell: shellPath },
+        cleanup: () => rmSync(dir, { recursive: true, force: true })
+    };
+}

package/dist/publish-set/npm.js

@@ -0,0 +1,109 @@
+import { spawnSync } from "node:child_process";
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { toDisplay } from "./collect.js";
+import { noExecPackEnv } from "./no-exec-shell.js";
+export function npmExecutable(platform = process.platform) {
+    return platform === "win32" ? "npm.cmd" : "npm";
+}
+const DEFAULT_EXCLUDED_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".svn",
+    ".hg",
+    "CVS",
+    ".venv",
+    "venv",
+    "__pycache__"
+]);
+const DEFAULT_EXCLUDED_NAMES = new Set([
+    ".npmignore",
+    ".gitignore",
+    ".DS_Store",
+    ".npmrc",
+    ".lock-wscript",
+    "npm-debug.log",
+    "package-lock.json"
+]);
+export function npmPublishSet(root, env = process.env) {
+    const hasAllowlist = npmHasAllowlist(root);
+    const packed = npmPackList(root, env);
+    if (packed) {
+        return { relPaths: packed, source: "npm-pack", hasAllowlist };
+    }
+    return { relPaths: fallbackWalk(root), source: "fallback", hasAllowlist };
+}
+function npmHasAllowlist(root) {
+    if (existsSync(join(root, ".npmignore"))) {
+        return true;
+    }
+    try {
+        const parsed = JSON.parse(readFileSync(join(root, "package.json"), "utf8"));
+        return Array.isArray(parsed.files) && parsed.files.length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+function npmPackList(root, env) {
+    const shell = noExecPackEnv(env);
+    let result;
+    try {
+        result = spawnSync(npmExecutable(), ["pack", "--dry-run", "--json", "--ignore-scripts"], {
+            cwd: root,
+            env: shell.env,
+            encoding: "utf8",
+            timeout: 60_000,
+            maxBuffer: 64 * 1024 * 1024
+        });
+    }
+    finally {
+        shell.cleanup();
+    }
+    if (result.status !== 0 || !result.stdout) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(result.stdout);
+        const entry = parsed[0];
+        if (!entry || !Array.isArray(entry.files)) {
+            return null;
+        }
+        const paths = entry.files.map((file) => file.path).filter((path) => typeof path === "string");
+        return paths.length > 0 ? paths.map(toDisplay) : null;
+    }
+    catch {
+        return null;
+    }
+}
+function fallbackWalk(root) {
+    const out = [];
+    walk(root, "", 0, out);
+    return out.sort((left, right) => left.localeCompare(right));
+    function walk(absolute, rel, depth, acc) {
+        if (depth > 24) {
+            return;
+        }
+        let entries;
+        try {
+            entries = readdirSync(absolute, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const childRel = rel ? `${rel}/${entry.name}` : entry.name;
+            if (entry.isDirectory()) {
+                if (!DEFAULT_EXCLUDED_DIRS.has(entry.name)) {
+                    walk(join(absolute, entry.name), childRel, depth + 1, acc);
+                }
+                continue;
+            }
+            if (entry.isFile() || entry.isSymbolicLink()) {
+                if (!DEFAULT_EXCLUDED_NAMES.has(entry.name)) {
+                    acc.push(toDisplay(childRel));
+                }
+            }
+        }
+    }
+}

package/dist/publish-set/pack.js

@@ -0,0 +1,36 @@
+import { spawnSync } from "node:child_process";
+import { createHash } from "node:crypto";
+import { mkdtempSync, readFileSync, readdirSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { npmExecutable } from "./npm.js";
+import { noExecPackEnv } from "./no-exec-shell.js";
+export function packNpmArtifact(root, env = process.env) {
+    const dest = mkdtempSync(join(tmpdir(), "dg-audit-pack-"));
+    const shell = noExecPackEnv(env);
+    try {
+        const result = spawnSync(npmExecutable(), ["pack", "--ignore-scripts", "--pack-destination", dest], {
+            cwd: root,
+            env: shell.env,
+            encoding: "utf8",
+            timeout: 120_000,
+            maxBuffer: 8 * 1024 * 1024
+        });
+        if (result.status !== 0) {
+            return { error: result.stderr ? result.stderr.trim().split("\n").pop() ?? "npm pack failed" : "npm pack failed" };
+        }
+        const tgz = readdirSync(dest).find((name) => name.endsWith(".tgz"));
+        if (!tgz) {
+            return { error: "npm pack produced no tarball" };
+        }
+        const bytes = readFileSync(join(dest, tgz));
+        return { bytes, sha256: createHash("sha256").update(bytes).digest("hex") };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : "pack failed" };
+    }
+    finally {
+        shell.cleanup();
+        rmSync(dest, { recursive: true, force: true });
+    }
+}

package/dist/publish-set/pypi.js

@@ -0,0 +1,59 @@
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { toDisplay } from "./collect.js";
+const EXCLUDED_DIRS = new Set([
+    ".git",
+    ".svn",
+    ".hg",
+    ".venv",
+    "venv",
+    "__pycache__",
+    "build",
+    "dist",
+    ".tox",
+    ".mypy_cache",
+    ".pytest_cache",
+    ".eggs"
+]);
+export function pypiPublishSet(root) {
+    const hasAllowlist = pypiHasAllowlist(root);
+    const out = [];
+    walk(root, "", 0, out);
+    return { relPaths: out.sort((left, right) => left.localeCompare(right)), source: "fallback", hasAllowlist };
+    function walk(absolute, rel, depth, acc) {
+        if (depth > 24) {
+            return;
+        }
+        let entries;
+        try {
+            entries = readdirSync(absolute, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const childRel = rel ? `${rel}/${entry.name}` : entry.name;
+            if (entry.isDirectory()) {
+                if (!EXCLUDED_DIRS.has(entry.name) && !entry.name.endsWith(".egg-info")) {
+                    walk(join(absolute, entry.name), childRel, depth + 1, acc);
+                }
+                continue;
+            }
+            if (entry.isFile() || entry.isSymbolicLink()) {
+                acc.push(toDisplay(childRel));
+            }
+        }
+    }
+}
+function pypiHasAllowlist(root) {
+    if (existsSync(join(root, "MANIFEST.in"))) {
+        return true;
+    }
+    try {
+        const pyproject = readFileSync(join(root, "pyproject.toml"), "utf8");
+        return /\[tool\.(setuptools|hatch|flit|poetry)[^\]]*\]/u.test(pyproject) && /include|packages|sdist/u.test(pyproject);
+    }
+    catch {
+        return false;
+    }
+}

package/dist/runtime/cli.js

@@ -0,0 +1,17 @@
+import { writeFileSync } from "node:fs";
+import { routeCommand } from "../commands/router.js";
+if (process.env.NODE_ENV === "test" && process.env.DG_TEST_RUNTIME_SENTINEL) {
+    writeFileSync(process.env.DG_TEST_RUNTIME_SENTINEL, "loaded\n", "utf8");
+}
+export function runCli(args) {
+    return routeCommand(args);
+}
+export function writeCliResult(result) {
+    if (result.stdout) {
+        process.stdout.write(result.stdout);
+    }
+    if (result.stderr) {
+        process.stderr.write(result.stderr);
+    }
+    process.exitCode = result.exitCode;
+}

package/dist/runtime/first-run.js

@@ -0,0 +1,60 @@
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { isCiEnv } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { resolveDgPaths } from "../state/index.js";
+const SKIP_COMMANDS = new Set([
+    "help",
+    "--help",
+    "-h",
+    "--help-all",
+    "version",
+    "--version",
+    "-v",
+    "completion",
+    "login",
+    "logout",
+    "update",
+    "upgrade",
+    "uninstall"
+]);
+export function firstRunMarkerPath(env = process.env) {
+    return join(resolveDgPaths(env).stateDir, "first-run-shown");
+}
+export function maybeShowFirstRun(args, options = {}) {
+    const env = options.env ?? process.env;
+    const stderr = options.stderr ?? process.stderr;
+    const command = args[0] ?? "";
+    if (!stderr.isTTY || isCiEnv(env)) {
+        return false;
+    }
+    if (SKIP_COMMANDS.has(command) || args.some((arg) => arg === "--json" || arg === "--sarif" || arg === "--quiet")) {
+        return false;
+    }
+    const marker = firstRunMarkerPath(env);
+    if (existsSync(marker)) {
+        return false;
+    }
+    const theme = createTheme(true);
+    const command_ = (text) => theme.paint("accent", text);
+    const lines = [
+        "",
+        `  ${theme.paint("pass", "✓")} Dependency Guardian is ready.`,
+        "",
+        `  ${theme.paint("muted", "dg npm install / dg pip install scan packages before they run.")}`,
+        `  ${theme.paint("muted", "Run")} ${command_("dg setup")} ${theme.paint("muted", "once to protect bare npm/pip installs too.")}`,
+        "",
+        `  Next: ${command_("dg login")} to connect your account.`,
+        "",
+        ""
+    ];
+    stderr.write(lines.join("\n"));
+    try {
+        mkdirSync(dirname(marker), { recursive: true, mode: 0o700 });
+        writeFileSync(marker, `${new Date().toISOString()}\n`, { encoding: "utf8", mode: 0o600 });
+    }
+    catch {
+        return true;
+    }
+    return true;
+}

package/dist/runtime/node-version.js

@@ -0,0 +1,58 @@
+const MINIMUM_NODE = Object.freeze({
+    major: 22,
+    minor: 14,
+    patch: 0
+});
+export function parseNodeVersion(version) {
+    const normalized = version.trim().replace(/^v/, "");
+    const match = /^(\d+)\.(\d+)\.(\d+)(?:-.+)?$/.exec(normalized);
+    if (!match) {
+        return null;
+    }
+    return {
+        major: Number(match[1]),
+        minor: Number(match[2]),
+        patch: Number(match[3])
+    };
+}
+export function isSupportedNode(version) {
+    const parsed = parseNodeVersion(version);
+    if (!parsed) {
+        return false;
+    }
+    if (parsed.major > MINIMUM_NODE.major) {
+        return true;
+    }
+    if (parsed.major < MINIMUM_NODE.major) {
+        return false;
+    }
+    if (parsed.minor > MINIMUM_NODE.minor) {
+        return true;
+    }
+    if (parsed.minor < MINIMUM_NODE.minor) {
+        return false;
+    }
+    return parsed.patch >= MINIMUM_NODE.patch;
+}
+export function assertSupportedNode(version) {
+    if (isSupportedNode(version)) {
+        return;
+    }
+    throw new Error(`dg requires Node.js >=22.14.0. Current runtime is ${version}. Upgrade Node before running dg.`);
+}
+export function currentNodeVersion() {
+    if (process.env.NODE_ENV === "test" && process.env.DG_TEST_NODE_VERSION) {
+        return process.env.DG_TEST_NODE_VERSION;
+    }
+    return process.version;
+}
+export function assertCurrentNode() {
+    try {
+        assertSupportedNode(currentNodeVersion());
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        process.stderr.write(`${message}\n`);
+        process.exit(1);
+    }
+}

package/dist/runtime/nudges.js

@@ -0,0 +1,105 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { authStatus } from "../auth/store.js";
+import { compareVersions, readLatestVersion } from "../commands/update.js";
+import { dgVersion } from "../commands/version.js";
+import { isCiEnv } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { resolveDgPaths } from "../state/index.js";
+const UPDATE_THROTTLE_MS = 24 * 60 * 60 * 1000;
+const LOGIN_THROTTLE_MS = 7 * 24 * 60 * 60 * 1000;
+const LATEST_LOOKUP_TIMEOUT_MS = 1500;
+const SKIP_COMMANDS = new Set([
+    "help",
+    "--help",
+    "-h",
+    "--help-all",
+    "version",
+    "--version",
+    "-v",
+    "completion",
+    "login",
+    "logout",
+    "update",
+    "upgrade",
+    "uninstall",
+    "scan",
+    "licenses"
+]);
+export function nudgeStatePath(env = process.env) {
+    return join(resolveDgPaths(env).stateDir, "nudges.json");
+}
+export function maybeShowNudges(args, options = {}) {
+    const env = options.env ?? process.env;
+    const stderr = options.stderr ?? process.stderr;
+    const now = options.now ?? new Date();
+    const command = args[0] ?? "";
+    if (!stderr.isTTY || isCiEnv(env)) {
+        return;
+    }
+    if (SKIP_COMMANDS.has(command) || args.some((arg) => arg === "--json" || arg === "--sarif" || arg === "--quiet")) {
+        return;
+    }
+    const statePath = nudgeStatePath(env);
+    const state = readState(statePath);
+    const theme = createTheme(true);
+    const lines = [];
+    let stateChanged = false;
+    if (due(state.updateCheckedAt, UPDATE_THROTTLE_MS, now)) {
+        state.updateCheckedAt = now.toISOString();
+        stateChanged = true;
+        const latest = readLatestVersion(LATEST_LOOKUP_TIMEOUT_MS);
+        if (latest) {
+            state.updateLatest = latest;
+            if (compareVersions(latest, dgVersion()) > 0) {
+                lines.push(`${theme.paint("warn", "⚠")} ${theme.paint("muted", `Update available: ${dgVersion()} → ${latest}. Run`)} ${theme.paint("accent", "dg update")}${theme.paint("muted", ".")}`);
+            }
+        }
+    }
+    if (due(state.loginNudgedAt, LOGIN_THROTTLE_MS, now) && !isAuthenticated(env)) {
+        state.loginNudgedAt = now.toISOString();
+        stateChanged = true;
+        lines.push(`${theme.paint("muted", "Run")} ${theme.paint("accent", "dg login")} ${theme.paint("muted", "to connect your account.")}`);
+    }
+    if (lines.length > 0) {
+        stderr.write(`\n${lines.join("\n")}\n`);
+    }
+    if (stateChanged) {
+        writeState(statePath, state);
+    }
+}
+function isAuthenticated(env) {
+    try {
+        return authStatus(env).authenticated;
+    }
+    catch {
+        return true;
+    }
+}
+function due(last, throttleMs, now) {
+    if (!last) {
+        return true;
+    }
+    const parsed = Date.parse(last);
+    return !Number.isFinite(parsed) || now.getTime() - parsed >= throttleMs;
+}
+function readState(path) {
+    try {
+        if (!existsSync(path)) {
+            return {};
+        }
+        return JSON.parse(readFileSync(path, "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function writeState(path, state) {
+    try {
+        mkdirSync(dirname(path), { recursive: true, mode: 0o700 });
+        writeFileSync(path, `${JSON.stringify(state, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
+    }
+    catch {
+        return;
+    }
+}

package/dist/scan/analyze-worker.js

@@ -0,0 +1,21 @@
+import { analyzePackages, mergeAnalyzeResponses } from "../api/analyze.js";
+async function main() {
+    const raw = process.argv[2];
+    if (!raw) {
+        process.stderr.write("analyze-worker: missing input payload\n");
+        process.exit(2);
+    }
+    const groups = JSON.parse(raw);
+    const responses = [];
+    for (const group of groups) {
+        if (group.packages.length === 0) {
+            continue;
+        }
+        responses.push(await analyzePackages(group.packages, { ecosystem: group.ecosystem }));
+    }
+    process.stdout.write(JSON.stringify(mergeAnalyzeResponses(responses)));
+}
+main().catch((error) => {
+    process.stderr.write(`analyze-worker: ${error instanceof Error ? error.message : "unknown error"}\n`);
+    process.exit(1);
+});