@westbayberry/dg 1.3.2 → 2.0.0

package/dist/api/analyze.js

@@ -0,0 +1,210 @@
+import { randomUUID } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { readAuthState } from "../auth/store.js";
+import { envAuthToken } from "../auth/env-token.js";
+import { loadUserConfig } from "../config/settings.js";
+import { sanitize, sanitizeResponse } from "../security/sanitize.js";
+import { resolveDgPaths } from "../state/index.js";
+export class AnalyzeError extends Error {
+    statusCode;
+    body;
+    constructor(message, statusCode, body) {
+        super(message);
+        this.statusCode = statusCode;
+        this.body = body;
+        this.name = "AnalyzeError";
+    }
+}
+const ANALYZE_PATHS = {
+    npm: "/v1/analyze",
+    pypi: "/v1/pypi/analyze"
+};
+const BATCH_SIZE = 200;
+const DEFAULT_TIMEOUT_MS = 180_000;
+export async function analyzePackages(packages, options) {
+    const env = options.env ?? process.env;
+    const fetchImpl = options.fetchImpl ?? fetch;
+    const baseUrl = resolveApiBaseUrl(env);
+    const token = resolveToken(env);
+    const deviceId = getOrCreateDeviceId(env);
+    const url = `${baseUrl}${ANALYZE_PATHS[options.ecosystem]}`;
+    options.onProgress?.(0, packages.length, []);
+    const responses = [];
+    for (let index = 0; index < packages.length; index += BATCH_SIZE) {
+        const batch = packages.slice(index, index + BATCH_SIZE);
+        options.onProgress?.(index, packages.length, batch.map((entry) => entry.name));
+        responses.push(await analyzeBatchWithRetry(url, batch, token, deviceId, fetchImpl, options.timeoutMs ?? DEFAULT_TIMEOUT_MS));
+        options.onProgress?.(Math.min(index + batch.length, packages.length), packages.length, batch.map((entry) => entry.name));
+    }
+    return mergeAnalyzeResponses(responses);
+}
+const MAX_BATCH_ATTEMPTS = 3;
+async function analyzeBatchWithRetry(url, batch, token, deviceId, fetchImpl, timeoutMs) {
+    let lastError;
+    for (let attempt = 1; attempt <= MAX_BATCH_ATTEMPTS; attempt += 1) {
+        try {
+            return await analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs);
+        }
+        catch (error) {
+            lastError = error;
+            if (attempt === MAX_BATCH_ATTEMPTS || !isRetryableAnalyzeError(error)) {
+                break;
+            }
+            await delay(300 * attempt);
+        }
+    }
+    if (lastError instanceof AnalyzeError) {
+        throw lastError;
+    }
+    if (isNetworkFailure(lastError)) {
+        throw new AnalyzeError("could not reach the scanner — check your connection and try again", 0);
+    }
+    throw lastError;
+}
+function isNetworkFailure(error) {
+    if (error instanceof TypeError && error.message.toLowerCase().includes("fetch failed")) {
+        return true;
+    }
+    return error instanceof Error && error.name === "AbortError";
+}
+function isRetryableAnalyzeError(error) {
+    if (error instanceof AnalyzeError) {
+        return error.statusCode === 0 || error.statusCode >= 500;
+    }
+    return isNetworkFailure(error);
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function analyzeBatch(url, batch, token, deviceId, fetchImpl, timeoutMs) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const response = await fetchImpl(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "X-Device-Id": deviceId,
+                ...(token ? { Authorization: `Bearer ${token}` } : {})
+            },
+            body: JSON.stringify({
+                packages: batch.map((entry) => ({ name: entry.name, version: entry.version }))
+            }),
+            signal: controller.signal
+        });
+        if (!response.ok) {
+            const body = await response.json().catch(() => undefined);
+            const serverMessage = body && typeof body === "object" && "error" in body && typeof body.error === "string"
+                ? sanitize(body.error)
+                : `scanner returned ${response.status}`;
+            throw new AnalyzeError(serverMessage, response.status, body);
+        }
+        return normalizeAnalyzeResponse(await response.json());
+    }
+    catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new AnalyzeError(`scanner did not respond within ${timeoutMs}ms`, 0);
+        }
+        throw error;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+export function normalizeAnalyzeResponse(raw) {
+    const candidate = raw;
+    if (!candidate || typeof candidate.score !== "number" || !Array.isArray(candidate.packages)) {
+        throw new AnalyzeError("invalid scanner response shape", 0);
+    }
+    return sanitizeResponse({
+        score: candidate.score,
+        action: normalizeAction(candidate.action),
+        packages: candidate.packages.map((entry) => ({
+            ...entry,
+            action: entry.action === undefined ? undefined : normalizeAction(entry.action),
+            findings: Array.isArray(entry.findings) ? entry.findings : [],
+            reasons: Array.isArray(entry.reasons) ? entry.reasons : []
+        })),
+        safeVersions: candidate.safeVersions ?? {},
+        durationMs: typeof candidate.durationMs === "number" ? candidate.durationMs : 0,
+        ...(candidate.freeScansRemaining !== undefined ? { freeScansRemaining: candidate.freeScansRemaining } : {}),
+        ...(candidate.usage !== undefined ? { usage: candidate.usage } : {})
+    });
+}
+function normalizeAction(action) {
+    if (action === "block" || action === "warn" || action === "analysis_incomplete" || action === "pass") {
+        return action;
+    }
+    return "pass";
+}
+export function mergeAnalyzeResponses(responses) {
+    const first = responses[0];
+    if (!first) {
+        return {
+            score: 0,
+            action: "pass",
+            packages: [],
+            safeVersions: {},
+            durationMs: 0
+        };
+    }
+    if (responses.length === 1) {
+        return first;
+    }
+    const rank = {
+        pass: 0,
+        analysis_incomplete: 1,
+        warn: 2,
+        block: 3
+    };
+    return responses.reduce((merged, next) => ({
+        score: Math.max(merged.score, next.score),
+        action: rank[next.action] > rank[merged.action] ? next.action : merged.action,
+        packages: [...merged.packages, ...next.packages],
+        safeVersions: { ...merged.safeVersions, ...next.safeVersions },
+        durationMs: merged.durationMs + next.durationMs,
+        ...(next.freeScansRemaining !== undefined
+            ? { freeScansRemaining: next.freeScansRemaining }
+            : merged.freeScansRemaining !== undefined
+                ? { freeScansRemaining: merged.freeScansRemaining }
+                : {}),
+        ...(next.usage !== undefined ? { usage: next.usage } : merged.usage !== undefined ? { usage: merged.usage } : {})
+    }));
+}
+function resolveApiBaseUrl(env) {
+    const auth = readAuthStateSafe(env);
+    if (auth?.apiBaseUrl) {
+        return auth.apiBaseUrl;
+    }
+    return loadUserConfig(env).api.baseUrl;
+}
+function resolveToken(env) {
+    return envAuthToken(env) ?? readAuthStateSafe(env)?.token;
+}
+function readAuthStateSafe(env) {
+    try {
+        return readAuthState(env);
+    }
+    catch {
+        return undefined;
+    }
+}
+function getOrCreateDeviceId(env) {
+    const path = join(resolveDgPaths(env).stateDir, "device-id");
+    try {
+        if (existsSync(path)) {
+            const existing = readFileSync(path, "utf8").trim();
+            if (existing) {
+                return existing;
+            }
+        }
+        const id = randomUUID();
+        mkdirSync(dirname(path), { recursive: true, mode: 0o700 });
+        writeFileSync(path, `${id}\n`, { encoding: "utf8", mode: 0o600 });
+        return id;
+    }
+    catch {
+        return "anonymous";
+    }
+}

package/dist/audit/deep.js

@@ -0,0 +1,180 @@
+import { authStatus, readAuthState } from "../auth/store.js";
+import { envAuthToken } from "../auth/env-token.js";
+import { loadUserConfig } from "../config/settings.js";
+import { packNpmArtifact } from "../publish-set/pack.js";
+export function deepDecision(scope, local, env = process.env) {
+    if (local) {
+        return { upload: false, reason: "local mode (--local)" };
+    }
+    if (scope.ecosystem !== "npm") {
+        return { upload: false, reason: `npm packages only (this is ${scope.ecosystem})` };
+    }
+    let authed = false;
+    try {
+        authed = authStatus(env).authenticated;
+    }
+    catch {
+        authed = false;
+    }
+    if (!authed) {
+        return { upload: false, reason: "not signed in — run dg login to enable" };
+    }
+    if (!consentGiven(env)) {
+        return { upload: false, reason: "upload not enabled — set DG_AUDIT_UPLOAD=1 or consent in a terminal" };
+    }
+    return { upload: true, reason: "" };
+}
+export function consentGiven(env = process.env) {
+    if (env.DG_AUDIT_UPLOAD === "1" || env.DG_AUDIT_UPLOAD === "true") {
+        return true;
+    }
+    try {
+        return loadUserConfig(env).audit.upload === true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function runDeepUpload(scope, packageJson, deps = {}) {
+    const env = deps.env ?? process.env;
+    const fetchImpl = deps.fetchImpl ?? fetch;
+    const packed = packNpmArtifact(scope.root, env);
+    if ("error" in packed) {
+        return { ran: false, reason: `could not pack the package (${packed.error})` };
+    }
+    const token = resolveToken(env);
+    if (!token) {
+        return { ran: false, reason: "not signed in — run dg login to enable" };
+    }
+    const baseUrl = resolveBaseUrl(env);
+    const name = typeof packageJson?.name === "string" ? packageJson.name : scope.artifact.split("@")[0] ?? "unknown";
+    const version = typeof packageJson?.version === "string" ? packageJson.version : "0.0.0";
+    let response;
+    const controller = new AbortController();
+    const abortUpstream = () => controller.abort();
+    if (deps.signal?.aborted) {
+        controller.abort();
+    }
+    deps.signal?.addEventListener("abort", abortUpstream, { once: true });
+    try {
+        const timeout = setTimeout(() => controller.abort(), 600_000);
+        try {
+            response = await fetchImpl(`${baseUrl}/v1/scan-tarball`, {
+                method: "POST",
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    "Content-Type": "application/octet-stream",
+                    "X-DG-Action": "audit",
+                    "X-DG-Artifact-SHA256": packed.sha256,
+                    "X-DG-Cache-Key": `sha256:${packed.sha256}`,
+                    "X-DG-Ecosystem": "npm",
+                    "X-DG-Manager": "dg-audit",
+                    "X-DG-Package-Name": name,
+                    "X-DG-Package-Version": version,
+                    "X-DG-Privacy": "private-artifact",
+                    "X-DG-Registry-Host": "registry.npmjs.org",
+                    "X-DG-Source-Kind": "pre-publish"
+                },
+                body: packed.bytes,
+                signal: controller.signal
+            });
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    catch {
+        return { ran: false, reason: "offline — could not reach the scanner (basic audit still ran)" };
+    }
+    finally {
+        deps.signal?.removeEventListener("abort", abortUpstream);
+    }
+    if (response.status === 402 || response.status === 403) {
+        const body = await safeJson(response);
+        return { ran: false, reason: deniedReason(body?.code) };
+    }
+    if (!response.ok) {
+        return { ran: true, action: "analysis_incomplete", reason: `scanner error (HTTP ${response.status})` };
+    }
+    const body = await safeJson(response);
+    const verdict = body?.verdict;
+    if (verdict === "pass" || verdict === "warn" || verdict === "block") {
+        return { ran: true, action: verdict, reason: typeof body?.reason === "string" ? body.reason : `behavioral verdict: ${verdict}` };
+    }
+    return { ran: true, action: "analysis_incomplete", reason: "scanner returned an incomplete verdict" };
+}
+export function deepSummary(deep) {
+    if (!deep.ran) {
+        return deep.reason;
+    }
+    const redundant = !deep.reason || deep.reason.startsWith("behavioral verdict");
+    return redundant ? deep.action : `${deep.action} — ${deep.reason}`;
+}
+export async function teamPolicyBlocksUpload(env = process.env, fetchImpl = fetch) {
+    const token = resolveToken(env);
+    if (!token) {
+        return false;
+    }
+    const baseUrl = resolveBaseUrl(env);
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 3_000);
+        let response;
+        try {
+            response = await fetchImpl(`${baseUrl}/v1/cli/policy`, {
+                method: "GET",
+                headers: { Authorization: `Bearer ${token}` },
+                signal: controller.signal
+            });
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+        if (!response.ok) {
+            return false;
+        }
+        const body = (await response.json());
+        return body.source === "org" && body.privateArtifactUpload === "disabled";
+    }
+    catch {
+        return false;
+    }
+}
+function resolveToken(env) {
+    const fromEnv = envAuthToken(env);
+    if (fromEnv) {
+        return fromEnv;
+    }
+    try {
+        const state = readAuthState(env);
+        return state && typeof state.token === "string" && state.token.length > 0 ? state.token : null;
+    }
+    catch {
+        return null;
+    }
+}
+function resolveBaseUrl(env) {
+    try {
+        return loadUserConfig(env).api.baseUrl.replace(/\/$/u, "");
+    }
+    catch {
+        return "https://api.westbayberry.com";
+    }
+}
+function deniedReason(code) {
+    if (code === "artifact-upload-disabled") {
+        return "your team disabled artifact uploads — a team admin can re-enable it in dashboard policy settings";
+    }
+    if (code === "org-policy-required") {
+        return "your team hasn't enabled artifact uploads — a team admin can enable it in dashboard policy settings";
+    }
+    return "deep behavioral scan requires a paid plan";
+}
+async function safeJson(response) {
+    try {
+        return (await response.json());
+    }
+    catch {
+        return null;
+    }
+}

package/dist/audit/detectors.js

@@ -0,0 +1,247 @@
+import { BIDI_OVERRIDE_RE, CONTENT_RULES, DANGEROUS_SCRIPT_RE, FILENAME_RULES, INVISIBLE_UNICODE_RE, RISKY_SCRIPT_NAMES } from "./rules.js";
+export function findingLocation(finding) {
+    return finding.line ? `${finding.location}:${finding.line}` : finding.location;
+}
+function lineAt(body, index) {
+    let line = 1;
+    for (let cursor = 0; cursor < index && cursor < body.length; cursor += 1) {
+        if (body.charCodeAt(cursor) === 10) {
+            line += 1;
+        }
+    }
+    return line;
+}
+const MAX_CONTENT_BYTES = 5 * 1024 * 1024;
+export function detectFindings(files, context) {
+    const findings = [];
+    const seen = new Set();
+    const push = (finding) => {
+        const key = `${finding.id}|${finding.location}`;
+        if (seen.has(key)) {
+            return;
+        }
+        seen.add(key);
+        findings.push(finding);
+    };
+    for (const file of files) {
+        structuralFileChecks(file, push);
+        filenameChecks(file, push);
+        contentChecks(file, push);
+    }
+    const manifest = files.find((file) => file.path === "package.json");
+    structuralProjectChecks(context, push);
+    lifecycleChecks(context, push, manifest ? readText(manifest) : null);
+    return findings.sort((left, right) => right.severity - left.severity || left.location.localeCompare(right.location));
+}
+function structuralFileChecks(file, push) {
+    if (file.symlinkEscapes) {
+        push({
+            id: "symlink-escape",
+            category: "structural",
+            severity: 5,
+            title: "Symlink points outside the package",
+            recommendation: "Remove the symlink — it can leak host files or escape extraction.",
+            location: file.path,
+            evidence: `symlink: ${file.path}`
+        });
+    }
+    if ((file.mode & 0o4000) !== 0 || (file.mode & 0o2000) !== 0) {
+        push({
+            id: "setuid-bit",
+            category: "structural",
+            severity: 5,
+            title: "File has a setuid/setgid bit",
+            recommendation: "Strip the setuid/setgid bit — it is a privilege-escalation vector.",
+            location: file.path,
+            evidence: `mode: ${file.mode.toString(8)}`
+        });
+    }
+    if (INVISIBLE_UNICODE_RE.test(file.path)) {
+        push({
+            id: "trojan-source-filename",
+            category: "structural",
+            severity: 4,
+            title: "Invisible/bidi unicode in a filename",
+            recommendation: "Rename the file — hidden unicode can disguise a malicious filename.",
+            location: file.path,
+            evidence: "invisible unicode in path"
+        });
+    }
+}
+function filenameChecks(file, push) {
+    for (const rule of FILENAME_RULES) {
+        if (!rule.re.test(file.path)) {
+            continue;
+        }
+        if (rule.exempt && rule.exempt.test(file.path)) {
+            continue;
+        }
+        if (rule.gateContent) {
+            const body = readText(file);
+            if (body === null || !rule.gateContent.test(body)) {
+                continue;
+            }
+        }
+        push({
+            id: rule.id,
+            category: rule.category,
+            severity: rule.severity,
+            title: rule.title,
+            recommendation: rule.recommendation,
+            location: file.path,
+            evidence: `path: ${file.path}`
+        });
+    }
+}
+function contentChecks(file, push) {
+    const body = readText(file);
+    if (body === null) {
+        return;
+    }
+    const bidiIndex = body.search(BIDI_OVERRIDE_RE);
+    if (bidiIndex !== -1) {
+        push({
+            id: "trojan-source-content",
+            category: "structural",
+            severity: 4,
+            title: "Bidirectional-override unicode in source",
+            recommendation: "Remove the bidi control characters — they hide code from human review.",
+            location: file.path,
+            evidence: "bidi override character in file",
+            line: lineAt(body, bidiIndex)
+        });
+    }
+    for (const rule of CONTENT_RULES) {
+        const match = body.match(rule.re);
+        if (!match) {
+            continue;
+        }
+        if (rule.allow && rule.allow.test(match[0])) {
+            continue;
+        }
+        push({
+            id: rule.id,
+            category: rule.category,
+            severity: rule.severity,
+            title: rule.title,
+            recommendation: rule.recommendation,
+            location: file.path,
+            evidence: redact(match[0]),
+            line: lineAt(body, body.indexOf(match[0]))
+        });
+    }
+}
+function structuralProjectChecks(context, push) {
+    if (context.ecosystem === "npm" && context.packageJson) {
+        if (context.packageJson.private === true) {
+            push({
+                id: "publishing-private",
+                category: "structural",
+                severity: 4,
+                title: "Package is marked private but is being audited for publish",
+                recommendation: "A private package being published is almost always a mistake — remove \"private\" or do not publish.",
+                location: "package.json",
+                evidence: "\"private\": true"
+            });
+        }
+        if (!context.hasFilesAllowlist) {
+            push({
+                id: "no-files-allowlist",
+                category: "structural",
+                severity: 3,
+                title: "No publish allowlist — the whole directory may ship",
+                recommendation: "Add a \"files\" array to package.json (or an .npmignore) so only intended files publish.",
+                location: "package.json",
+                evidence: "no \"files\" field and no .npmignore"
+            });
+        }
+    }
+    if (context.ecosystem === "pypi" && !context.hasFilesAllowlist) {
+        push({
+            id: "no-manifest-discipline",
+            category: "structural",
+            severity: 3,
+            title: "No MANIFEST.in / packaging include discipline",
+            recommendation: "Define an explicit include set (MANIFEST.in or pyproject include) so the sdist does not sweep the repo.",
+            location: ".",
+            evidence: "no MANIFEST.in / include config"
+        });
+    }
+}
+function lifecycleChecks(context, push, manifestText = null) {
+    const scripts = context.packageJson && isRecord(context.packageJson.scripts) ? context.packageJson.scripts : null;
+    if (!scripts) {
+        return;
+    }
+    const scriptLine = (name) => {
+        if (!manifestText) {
+            return undefined;
+        }
+        const index = manifestText.indexOf(`"${name}"`);
+        return index === -1 ? undefined : lineAt(manifestText, index);
+    };
+    for (const [name, value] of Object.entries(scripts)) {
+        if (typeof value !== "string") {
+            continue;
+        }
+        const risky = RISKY_SCRIPT_NAMES.includes(name);
+        const line = scriptLine(name);
+        if (DANGEROUS_SCRIPT_RE.test(value)) {
+            push({
+                id: "lifecycle-dangerous",
+                category: "lifecycle-risk",
+                severity: risky ? 4 : 3,
+                title: `Dangerous shell pattern in the ${name} script`,
+                recommendation: `Review the ${name} script — it fetches-and-runs, evals, or pipes to a shell.`,
+                location: "package.json",
+                evidence: redact(`${name}: ${value}`, 90),
+                ...(line ? { line } : {})
+            });
+        }
+        else if (risky) {
+            push({
+                id: "lifecycle-present",
+                category: "lifecycle-risk",
+                severity: 2,
+                title: `Install-time ${name} script present`,
+                recommendation: `The ${name} script runs on every consumer's install — confirm it is intentional and safe.`,
+                location: "package.json",
+                evidence: redact(`${name}: ${value}`, 90),
+                ...(line ? { line } : {})
+            });
+        }
+    }
+}
+function readText(file) {
+    if (file.size === 0 || file.size > MAX_CONTENT_BYTES) {
+        return null;
+    }
+    const buffer = file.read();
+    if (buffer === null || buffer.length === 0) {
+        return null;
+    }
+    const sniffLength = Math.min(buffer.length, 8192);
+    for (let index = 0; index < sniffLength; index += 1) {
+        if (buffer[index] === 0) {
+            return null;
+        }
+    }
+    return buffer.toString("utf8");
+}
+export function redact(value, max = 64) {
+    const collapsed = value.replace(/[\r\n]+/gu, " ").trim();
+    const masked = collapsed.replace(/[A-Za-z0-9_+/=-]{16,}/gu, (match) => `${match.slice(0, 4)}***`);
+    return masked.length > max ? `${masked.slice(0, max - 1)}…` : masked;
+}
+export function actionForFindings(findings) {
+    if (findings.some((finding) => finding.severity >= 4)) {
+        return "block";
+    }
+    if (findings.some((finding) => finding.severity >= 3)) {
+        return "warn";
+    }
+    return "pass";
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/dist/audit/events.js

@@ -0,0 +1,41 @@
+import { appendFileSync, mkdirSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { authStatus } from "../auth/store.js";
+import { loadUserConfig } from "../config/settings.js";
+import { resolveDgPaths } from "../state/index.js";
+export function auditLogPath(paths) {
+    return join(paths.stateDir, "audit.jsonl");
+}
+export function webhookOutboxPath(paths) {
+    return join(paths.stateDir, "webhooks.jsonl");
+}
+export function recordAuditEvent(event, env = process.env) {
+    const paths = resolveDgPaths(env);
+    appendJsonLine(auditLogPath(paths), event);
+}
+export function emitWebhookEvent(event, env = process.env) {
+    const config = loadUserConfig(env);
+    const status = authStatus(env);
+    if (!config.webhooks.enabled || !status.authenticated) {
+        return false;
+    }
+    const paths = resolveDgPaths(env);
+    appendJsonLine(webhookOutboxPath(paths), {
+        ...event,
+        auth: {
+            source: status.source,
+            token: status.tokenPreview
+        }
+    });
+    return true;
+}
+function appendJsonLine(path, value) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: 0o700
+    });
+    appendFileSync(path, `${JSON.stringify(value)}\n`, {
+        encoding: "utf8",
+        mode: 0o600
+    });
+}