@westbayberry/dg 1.3.2 → 2.0.0

package/dist/service/trust-store.js

@@ -0,0 +1,234 @@
+import { X509Certificate } from "node:crypto";
+import { copyFileSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import { spawnSync } from "node:child_process";
+export class TrustStoreError extends Error {
+    constructor(message) {
+        super(message);
+    }
+}
+export function resolveTrustInstallPlan(caPath, env = process.env, platform = process.platform) {
+    const cert = readCertificateInfo(caPath);
+    const backend = env.DG_SERVICE_TRUST_STORE_BACKEND ?? "native";
+    if (backend === "file") {
+        const root = env.DG_SERVICE_TRUST_STORE_DIR;
+        if (!root) {
+            return unsupportedPlan(caPath, cert, "DG_SERVICE_TRUST_STORE_BACKEND=file requires DG_SERVICE_TRUST_STORE_DIR.");
+        }
+        const target = join(root, `dependency-guardian-${cert.fingerprintSha256.slice(0, 16)}.pem`);
+        return {
+            provider: "file",
+            supported: true,
+            adminRequired: false,
+            native: false,
+            caPath,
+            target,
+            fingerprintSha256: cert.fingerprintSha256,
+            fingerprintSha1: cert.fingerprintSha1,
+            installCommand: ["copy", caPath, target],
+            uninstallCommand: ["remove", target],
+            reason: undefined
+        };
+    }
+    if (backend !== "native") {
+        return unsupportedPlan(caPath, cert, `Unsupported DG_SERVICE_TRUST_STORE_BACKEND '${backend}'.`);
+    }
+    if (platform === "darwin") {
+        const keychain = env.DG_SERVICE_TRUST_KEYCHAIN ?? join(env.HOME ?? homedir(), "Library", "Keychains", "login.keychain-db");
+        return {
+            provider: "darwin-user-keychain",
+            supported: true,
+            adminRequired: false,
+            native: true,
+            caPath,
+            target: keychain,
+            fingerprintSha256: cert.fingerprintSha256,
+            fingerprintSha1: cert.fingerprintSha1,
+            installCommand: ["security", "add-trusted-cert", "-d", "-r", "trustRoot", "-k", keychain, caPath],
+            uninstallCommand: ["security", "delete-certificate", "-Z", cert.fingerprintSha1, keychain],
+            reason: undefined
+        };
+    }
+    if (platform === "linux") {
+        const target = join("/usr/local/share/ca-certificates", `dependency-guardian-${cert.fingerprintSha256.slice(0, 16)}.crt`);
+        const adminRequired = typeof process.getuid === "function" && process.getuid() !== 0;
+        return {
+            provider: adminRequired ? "unsupported" : "linux-system-ca",
+            supported: !adminRequired,
+            adminRequired,
+            native: true,
+            caPath,
+            target,
+            fingerprintSha256: cert.fingerprintSha256,
+            fingerprintSha1: cert.fingerprintSha1,
+            installCommand: ["install", "-m", "0644", caPath, target, "&&", "update-ca-certificates"],
+            uninstallCommand: ["rm", "-f", target, "&&", "update-ca-certificates"],
+            reason: adminRequired ? "Linux system trust-store installation requires admin/root privileges." : undefined
+        };
+    }
+    return unsupportedPlan(caPath, cert, `Native service trust-store mutation is not supported on ${platform} in this build.`);
+}
+export function renderTrustStorePlanLines(plan) {
+    if (!plan) {
+        return ["active service CA certificate: unavailable; run dg service start before trust install"];
+    }
+    const lines = [
+        `active service CA certificate: ${plan.caPath}`,
+        `certificate SHA-256 fingerprint: ${plan.fingerprintSha256}`,
+        `trust provider: ${plan.provider}`,
+        `trust target: ${plan.target}`,
+        `requires admin/root: ${plan.adminRequired ? "yes" : "no"}`,
+        `install action: ${plan.installCommand.join(" ")}`,
+        `uninstall action: ${plan.uninstallCommand.join(" ")}`
+    ];
+    return plan.reason ? [...lines, `support note: ${plan.reason}`] : lines;
+}
+export function applyTrustInstall(plan, installedAt, sentinel) {
+    if (!plan.supported || plan.provider === "unsupported") {
+        throw new TrustStoreError(plan.reason ?? "Service trust-store installation is unsupported on this platform.");
+    }
+    if (plan.provider === "file") {
+        mkdirSync(dirname(plan.target), {
+            recursive: true,
+            mode: 0o700
+        });
+        copyFileSync(plan.caPath, plan.target);
+    }
+    else if (plan.provider === "darwin-user-keychain") {
+        runNativeCommand(plan.installCommand, "macOS user keychain trust installation failed");
+    }
+    else {
+        mkdirSync(dirname(plan.target), {
+            recursive: true,
+            mode: 0o755
+        });
+        copyFileSync(plan.caPath, plan.target);
+        runNativeCommand(["update-ca-certificates"], "Linux trust-store refresh failed");
+    }
+    return {
+        version: 1,
+        sentinel,
+        installedAt: installedAt.toISOString(),
+        scope: plan.native ? "os-user-trust-store" : "ci-file-trust-store",
+        provider: plan.provider,
+        native: plan.native,
+        adminRequired: plan.adminRequired,
+        caPath: plan.caPath,
+        target: plan.target,
+        fingerprintSha256: plan.fingerprintSha256,
+        fingerprintSha1: plan.fingerprintSha1
+    };
+}
+export function applyTrustUninstall(record) {
+    if (record.provider === "file") {
+        rmSync(record.target, {
+            force: true
+        });
+        return;
+    }
+    if (record.provider === "darwin-user-keychain") {
+        runNativeCommand(["security", "delete-certificate", "-Z", record.fingerprintSha1, record.target], "macOS user keychain trust removal failed");
+        return;
+    }
+    rmSync(record.target, {
+        force: true
+    });
+    runNativeCommand(["update-ca-certificates"], "Linux trust-store refresh failed");
+}
+export function readServiceTrustRecord(path, sentinel) {
+    try {
+        if (!existsSync(path)) {
+            return undefined;
+        }
+        const parsed = JSON.parse(readFileSync(path, "utf8"));
+        if (parsed.version !== 1 ||
+            parsed.sentinel !== sentinel ||
+            !isTrustStoreProvider(parsed.provider) ||
+            typeof parsed.installedAt !== "string" ||
+            typeof parsed.native !== "boolean" ||
+            typeof parsed.adminRequired !== "boolean" ||
+            typeof parsed.caPath !== "string" ||
+            typeof parsed.target !== "string" ||
+            typeof parsed.fingerprintSha256 !== "string" ||
+            typeof parsed.fingerprintSha1 !== "string") {
+            return undefined;
+        }
+        return {
+            version: 1,
+            sentinel,
+            installedAt: parsed.installedAt,
+            scope: parsed.provider === "file" ? "ci-file-trust-store" : "os-user-trust-store",
+            provider: parsed.provider,
+            native: parsed.native,
+            adminRequired: parsed.adminRequired,
+            caPath: parsed.caPath,
+            target: parsed.target,
+            fingerprintSha256: parsed.fingerprintSha256,
+            fingerprintSha1: parsed.fingerprintSha1
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+export function readCertificateFingerprints(path) {
+    return readCertificateInfo(path);
+}
+export function writeServiceTrustRecord(path, record) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: 0o700
+    });
+    writeFileSync(path, `${JSON.stringify(record, null, 2)}\n`, {
+        encoding: "utf8",
+        mode: 0o600
+    });
+}
+function readCertificateInfo(path) {
+    try {
+        const certificate = new X509Certificate(readFileSync(path));
+        return {
+            fingerprintSha256: normalizeFingerprint(certificate.fingerprint256),
+            fingerprintSha1: normalizeFingerprint(certificate.fingerprint)
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new TrustStoreError(`Cannot read active service CA certificate at ${path}: ${message}`);
+    }
+}
+function unsupportedPlan(caPath, cert, reason) {
+    return {
+        provider: "unsupported",
+        supported: false,
+        adminRequired: false,
+        native: true,
+        caPath,
+        target: "unsupported",
+        fingerprintSha256: cert.fingerprintSha256,
+        fingerprintSha1: cert.fingerprintSha1,
+        installCommand: [],
+        uninstallCommand: [],
+        reason
+    };
+}
+function normalizeFingerprint(value) {
+    return value.replaceAll(":", "").toLowerCase();
+}
+function isTrustStoreProvider(value) {
+    return value === "darwin-user-keychain" || value === "linux-system-ca" || value === "file";
+}
+function runNativeCommand(command, failureMessage) {
+    const [program, ...args] = command;
+    if (!program) {
+        throw new TrustStoreError(failureMessage);
+    }
+    const result = spawnSync(program, args, {
+        encoding: "utf8"
+    });
+    if (result.status !== 0) {
+        const detail = result.stderr.trim() || result.stdout.trim() || `exit ${result.status ?? "unknown"}`;
+        throw new TrustStoreError(`${failureMessage}: ${detail}`);
+    }
+}

package/dist/service/worker.js

@@ -0,0 +1,88 @@
+import { createServer } from "node:http";
+import { readFileSync, rmSync, writeFileSync } from "node:fs";
+import { startProductionHttpProxy } from "../proxy/server.js";
+const sessionPath = process.argv[2];
+const apiBaseUrl = process.argv[3];
+const runtimePath = process.argv[4];
+const classificationJson = process.env.DG_SERVICE_CLASSIFICATION;
+if (!sessionPath || !apiBaseUrl || !runtimePath || !classificationJson) {
+    process.stderr.write("dg service worker missing startup arguments\n");
+    process.exit(1);
+}
+const requiredSessionPath = sessionPath;
+const requiredApiBaseUrl = apiBaseUrl;
+const requiredRuntimePath = runtimePath;
+const requiredClassificationJson = classificationJson;
+const session = JSON.parse(readFileSync(requiredSessionPath, "utf8"));
+const classification = JSON.parse(requiredClassificationJson);
+let proxy = null;
+let healthServer = null;
+let closed = false;
+async function close() {
+    if (closed) {
+        return;
+    }
+    closed = true;
+    rmSync(requiredRuntimePath, {
+        force: true
+    });
+    await Promise.all([proxy?.close(), closeHealthServer(healthServer)]);
+}
+process.stdin.on("end", () => {
+    close().finally(() => process.exit(0));
+});
+process.on("SIGTERM", () => {
+    close().finally(() => process.exit(0));
+});
+process.on("SIGINT", () => {
+    close().finally(() => process.exit(0));
+});
+proxy = await startProductionHttpProxy({
+    session,
+    apiBaseUrl: requiredApiBaseUrl,
+    classification,
+    env: process.env
+});
+healthServer = await startHealthServer(proxy.port);
+const healthAddress = healthServer.address();
+if (typeof healthAddress !== "object" || healthAddress === null) {
+    throw new Error("service health endpoint did not bind a TCP port");
+}
+writeFileSync(requiredRuntimePath, `${JSON.stringify({
+    pid: process.pid,
+    proxyUrl: `http://127.0.0.1:${proxy.port}`,
+    healthUrl: `http://127.0.0.1:${healthAddress.port}/health`,
+    sessionDir: session.dir,
+    caPath: session.files.ca,
+    startedAt: new Date().toISOString()
+}, null, 2)}\n`, {
+    encoding: "utf8",
+    mode: 0o600
+});
+function startHealthServer(proxyPort) {
+    const server = createServer((_request, response) => {
+        response.writeHead(200, {
+            "Content-Type": "application/json"
+        });
+        response.end(`${JSON.stringify({
+            ok: true,
+            pid: process.pid,
+            proxyPort
+        })}\n`);
+    });
+    return new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(0, "127.0.0.1", () => {
+            server.off("error", reject);
+            resolve(server);
+        });
+    });
+}
+function closeHealthServer(server) {
+    if (!server) {
+        return Promise.resolve();
+    }
+    return new Promise((resolve) => {
+        server.close(() => resolve());
+    });
+}

package/dist/setup/git-hook.js

@@ -0,0 +1,244 @@
+import { spawnSync } from "node:child_process";
+import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs";
+import { isAbsolute, join, resolve, sep } from "node:path";
+import { randomBytes } from "node:crypto";
+import { acquireLockSync, CLEANUP_REGISTRY_LOCK, resolveDgPaths } from "../state/index.js";
+import { gitTrimmed } from "../util/git.js";
+import { GUARD_HOOK_SENTINEL, SETUP_UNINSTALL_LOCK, SETUP_UNINSTALL_LOCK_STALE_MS, mergeRegistry, readRegistry, reverseGitHookEntry, writeRegistry } from "./plan.js";
+export { GUARD_HOOK_SENTINEL } from "./plan.js";
+export const GUARD_SELFTEST_ENV = "DG_GUARD_COMMIT_SELFTEST";
+function dgEntrypoint() {
+    const argv1 = process.argv[1];
+    return argv1 ? resolve(argv1) : "dg";
+}
+function resolveHooksDir(cwd, env, root) {
+    const configured = gitTrimmed(["config", "--get", "core.hooksPath"], { cwd, env });
+    if (configured) {
+        return { dir: isAbsolute(configured) ? configured : resolve(root, configured), configured: true };
+    }
+    const gitPath = gitTrimmed(["rev-parse", "--git-path", "hooks"], { cwd, env });
+    if (!gitPath) {
+        return null;
+    }
+    return { dir: isAbsolute(gitPath) ? gitPath : resolve(root, gitPath), configured: false };
+}
+export function resolveGitRepo(options = {}) {
+    const env = options.env ?? process.env;
+    const cwd = options.cwd ?? process.cwd();
+    const inside = gitTrimmed(["rev-parse", "--is-inside-work-tree"], { cwd, env });
+    if (inside !== "true") {
+        return { error: "not a git repository — run dg guard-commit inside a repo" };
+    }
+    const root = gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
+    if (!root) {
+        return { error: "could not resolve the repository root" };
+    }
+    const hooks = resolveHooksDir(cwd, env, root);
+    if (!hooks) {
+        return { error: "could not resolve the git hooks directory" };
+    }
+    return {
+        cwd,
+        root,
+        hooksDir: hooks.dir,
+        hookTarget: join(hooks.dir, "pre-commit"),
+        hooksPathConfigured: hooks.configured,
+        dgPath: options.dgPath ?? dgEntrypoint(),
+        paths: resolveDgPaths(env),
+        env
+    };
+}
+function secondLine(path) {
+    try {
+        return readFileSync(path, "utf8").split("\n", 2)[1] ?? "";
+    }
+    catch {
+        return "";
+    }
+}
+function isManaged(path) {
+    return existsSync(path) && secondLine(path).includes(GUARD_HOOK_SENTINEL);
+}
+function isExecutable(path) {
+    try {
+        return (statSync(path).mode & 0o111) !== 0;
+    }
+    catch {
+        return false;
+    }
+}
+export function gitHookState(context) {
+    if (!existsSync(context.hookTarget)) {
+        return "fresh";
+    }
+    return isManaged(context.hookTarget) ? "managed" : "foreign";
+}
+export function planGitHook(context) {
+    const state = gitHookState(context);
+    return { context, state, willChain: state === "foreign" };
+}
+function hookScript(dgPath, chainedOriginal) {
+    const lines = [
+        "#!/bin/sh",
+        `# ${GUARD_HOOK_SENTINEL}`,
+        `"${dgPath}" scan --staged --hook || exit $?`
+    ];
+    if (chainedOriginal) {
+        lines.push(`[ -x "${chainedOriginal}" ] && exec "${chainedOriginal}" "$@"`);
+    }
+    lines.push("exit 0");
+    return `${lines.join("\n")}\n`;
+}
+export function applyGitHook(context, now = new Date()) {
+    const lock = acquireLockSync(context.paths, SETUP_UNINSTALL_LOCK, { staleMs: SETUP_UNINSTALL_LOCK_STALE_MS });
+    let chainedOriginal = null;
+    try {
+        mkdirSync(context.hooksDir, { recursive: true });
+        if (gitHookState(context) === "foreign") {
+            const backup = join(context.hooksDir, `pre-commit.dg-chained-${randomBytes(4).toString("hex")}`);
+            renameSync(context.hookTarget, backup);
+            chainedOriginal = backup;
+        }
+        writeFileSync(context.hookTarget, hookScript(context.dgPath, chainedOriginal), { encoding: "utf8", mode: 0o755 });
+        chmodSync(context.hookTarget, 0o755);
+        const entry = {
+            kind: "git-hook",
+            path: context.hookTarget,
+            mode: "mode1",
+            sentinel: GUARD_HOOK_SENTINEL,
+            installedAt: now.toISOString(),
+            owner: "dg",
+            ...(chainedOriginal ? { original: chainedOriginal } : {})
+        };
+        const registryLock = acquireLockSync(context.paths, CLEANUP_REGISTRY_LOCK, { staleMs: SETUP_UNINSTALL_LOCK_STALE_MS });
+        try {
+            const registry = mergeRegistry(readRegistry(context.paths).registry, [entry]);
+            writeRegistry(context.paths, registry);
+        }
+        finally {
+            registryLock.release();
+        }
+    }
+    finally {
+        lock.release();
+    }
+    const checks = verifyGitHook(context);
+    return {
+        hookTarget: context.hookTarget,
+        chainedOriginal,
+        checks,
+        active: checks.every((check) => check.ok)
+    };
+}
+export function verifyGitHook(context) {
+    const checks = [];
+    const live = resolveHooksDir(context.cwd, context.env, context.root);
+    const liveMatches = live !== null && resolve(live.dir) === resolve(context.hooksDir);
+    checks.push({
+        name: "git-uses-this-dir",
+        ok: liveMatches,
+        detail: liveMatches
+            ? `git runs hooks from ${context.hooksDir}`
+            : `git runs hooks from ${live?.dir ?? "an unresolved dir"}, not ${context.hooksDir}`
+    });
+    const present = existsSync(context.hookTarget);
+    checks.push({
+        name: "hook-present",
+        ok: present,
+        detail: present ? `hook written at ${context.hookTarget}` : `no hook at ${context.hookTarget}`
+    });
+    const sentinel = isManaged(context.hookTarget);
+    checks.push({
+        name: "dg-owned",
+        ok: sentinel,
+        detail: sentinel ? "dg sentinel present" : "hook is not dg-owned"
+    });
+    const exec = isExecutable(context.hookTarget);
+    checks.push({
+        name: "executable",
+        ok: exec,
+        detail: exec ? "hook is executable" : "hook is not executable"
+    });
+    const dgOk = context.dgPath === "dg" || isExecutable(context.dgPath) || existsSync(context.dgPath);
+    checks.push({
+        name: "dg-runnable",
+        ok: dgOk,
+        detail: dgOk ? `dg resolves to ${context.dgPath}` : `dg path ${context.dgPath} is not runnable`
+    });
+    const fires = runSelfTest(context);
+    checks.push({
+        name: "fires-on-block",
+        ok: fires.ok,
+        detail: fires.detail
+    });
+    return checks;
+}
+function runSelfTest(context) {
+    if (!existsSync(context.hookTarget) || !isManaged(context.hookTarget)) {
+        return { ok: false, detail: "no dg hook to exercise" };
+    }
+    const result = spawnSync("sh", [context.hookTarget], {
+        cwd: context.root,
+        env: { ...context.env, [GUARD_SELFTEST_ENV]: "1" },
+        encoding: "utf8",
+        stdio: "ignore"
+    });
+    if (result.status === 2) {
+        return { ok: true, detail: "synthetic block aborts the commit (exit 2)" };
+    }
+    return {
+        ok: false,
+        detail: `self-test expected exit 2, got ${result.status === null ? "no exit" : result.status}`
+    };
+}
+function isUnderRoot(path, root) {
+    const a = resolve(path);
+    const b = resolve(root);
+    return a === b || a.startsWith(b + sep);
+}
+export function gitHookStatusState(options = {}) {
+    const context = resolveGitRepo(options);
+    if ("error" in context) {
+        return "not-a-repo";
+    }
+    if (isManaged(context.hookTarget) && isExecutable(context.hookTarget)) {
+        return "active";
+    }
+    const registry = readRegistry(context.paths).registry;
+    const installedHere = registry.entries.some((entry) => entry.kind === "git-hook" && entry.owner === "dg" && isUnderRoot(entry.path, context.root));
+    return installedHere ? "dead" : "off";
+}
+export function removeGitHookForRepo(context) {
+    const lock = acquireLockSync(context.paths, SETUP_UNINSTALL_LOCK, { staleMs: SETUP_UNINSTALL_LOCK_STALE_MS });
+    const removed = [];
+    const missing = [];
+    const warnings = [];
+    try {
+        const registryLock = acquireLockSync(context.paths, CLEANUP_REGISTRY_LOCK, { staleMs: SETUP_UNINSTALL_LOCK_STALE_MS });
+        try {
+            const registry = readRegistry(context.paths).registry;
+            const mine = registry.entries.filter((entry) => entry.kind === "git-hook" && entry.owner === "dg" && isUnderRoot(entry.path, context.root));
+            const targets = mine.length > 0
+                ? mine
+                : isManaged(context.hookTarget)
+                    ? [{ kind: "git-hook", path: context.hookTarget, mode: "mode1", sentinel: GUARD_HOOK_SENTINEL, installedAt: "", owner: "dg" }]
+                    : [];
+            for (const entry of targets) {
+                reverseGitHookEntry(entry, removed, missing, warnings);
+            }
+            if (mine.length > 0) {
+                writeRegistry(context.paths, {
+                    version: 1,
+                    entries: registry.entries.filter((entry) => !mine.includes(entry))
+                });
+            }
+            return { removed, missing, warnings, found: targets.length };
+        }
+        finally {
+            registryLock.release();
+        }
+    }
+    finally {
+        lock.release();
+    }
+}

package/dist/setup/optional-support.js

@@ -0,0 +1,58 @@
+export const OPTIONAL_SUPPORT_GATES = Object.freeze([
+    {
+        id: "windows",
+        label: "Windows support",
+        kind: "platform",
+        status: "unclaimed",
+        message: "Windows support is gated in this release; use dg prefix mode from a supported POSIX shell or run 'dg --help' for supported commands"
+    },
+    {
+        id: "python-hook",
+        label: "Python .pth hook",
+        kind: "hook",
+        status: "unclaimed",
+        message: "Python .pth hook support is gated in this release; use 'dg pip ...', 'dg pipx ...', 'dg uv ...', or 'dg uvx ...' prefix mode instead"
+    },
+    {
+        id: "bun",
+        label: "Bun and bunx",
+        kind: "package-manager",
+        status: "unclaimed",
+        standaloneCommand: true,
+        message: "Bun support is gated in this release; use 'dg npm ...', 'dg pnpm ...', or 'dg yarn ...' for supported JavaScript installs"
+    },
+    {
+        id: "yarn-berry",
+        label: "Yarn Berry",
+        kind: "package-manager",
+        status: "unclaimed",
+        standaloneCommand: false,
+        message: "Yarn Berry support is gated in this release; use Yarn classic through 'dg yarn ...' or another supported prefix manager"
+    },
+    {
+        id: "conda",
+        label: "Conda",
+        kind: "package-manager",
+        status: "unclaimed",
+        standaloneCommand: true,
+        message: "Conda support is gated in this release; use 'dg pip ...' or 'dg uv ...' for supported Python package installs"
+    },
+    {
+        id: "mamba",
+        label: "Mamba",
+        kind: "package-manager",
+        status: "unclaimed",
+        standaloneCommand: true,
+        message: "Mamba support is gated in this release; use 'dg pip ...' or 'dg uv ...' for supported Python package installs"
+    }
+]);
+export function optionalSupportGate(id) {
+    const gate = OPTIONAL_SUPPORT_GATES.find((candidate) => candidate.id === id);
+    if (!gate) {
+        throw new Error(`unknown optional support gate: ${id}`);
+    }
+    return gate;
+}
+export function optionalPackageManagerNames() {
+    return OPTIONAL_SUPPORT_GATES.filter((gate) => gate.kind === "package-manager" && gate.standaloneCommand === true).map((gate) => gate.id);
+}