@westbayberry/dg 1.3.2 → 2.0.0

package/dist/verify/local.js

@@ -0,0 +1,400 @@
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { basename, relative, resolve, sep } from "node:path";
+import { gunzipSync, inflateRawSync } from "node:zlib";
+import { scanProject } from "../scan/discovery.js";
+const MAX_ARTIFACT_BYTES = 100 * 1024 * 1024;
+const MAX_UNPACKED_BYTES = 250 * 1024 * 1024;
+const MAX_ARCHIVE_ENTRIES = 20000;
+const MAX_ARCHIVE_PATH_LENGTH = 240;
+const TAR_BLOCK_SIZE = 512;
+export function verifyLocalTarget(targetPath, cwd = process.cwd()) {
+    const absoluteTarget = resolve(cwd, targetPath);
+    if (!existsSync(absoluteTarget)) {
+        throw new Error(`path does not exist: ${targetPath}`);
+    }
+    const targetInfo = statSync(absoluteTarget);
+    if (targetInfo.isDirectory()) {
+        return verifyPackageProjectTarget(absoluteTarget, cwd);
+    }
+    if (!targetInfo.isFile()) {
+        throw new Error(`path is neither a file nor a directory: ${targetPath}`);
+    }
+    if (basename(absoluteTarget) === "package.json") {
+        return verifyPackageProjectTarget(absoluteTarget, cwd);
+    }
+    const inputKind = archiveInputKind(absoluteTarget);
+    if (!inputKind) {
+        throw new Error(`unsupported local verify input: ${targetPath}`);
+    }
+    if (targetInfo.size > MAX_ARTIFACT_BYTES) {
+        return archiveReport({
+            absoluteTarget,
+            archive: {
+                errors: [`artifact is ${targetInfo.size} bytes, above the ${MAX_ARTIFACT_BYTES} byte local verification limit`],
+                findings: [],
+                summary: {
+                    entryCount: 0,
+                    packageManifestCount: 0,
+                    unpackedSizeBytes: null
+                }
+            },
+            cwd,
+            inputKind,
+            sha256: sha256File(absoluteTarget),
+            sizeBytes: targetInfo.size
+        });
+    }
+    const bytes = readFileSync(absoluteTarget);
+    const archive = inputKind === "tarball"
+        ? scanTarball(bytes, absoluteTarget)
+        : scanZipLike(bytes, absoluteTarget);
+    return archiveReport({
+        absoluteTarget,
+        archive,
+        cwd,
+        inputKind,
+        sha256: sha256Buffer(bytes),
+        sizeBytes: targetInfo.size
+    });
+}
+function verifyPackageProjectTarget(absoluteTarget, cwd) {
+    const workspaceScan = scanProject({
+        cwd,
+        targetPath: absoluteTarget
+    });
+    const findings = workspaceScan.findings.map(scanFindingToVerifyFinding);
+    const errors = workspaceScan.errors.map((error) => `${error.location}: ${error.message}`);
+    const inputKind = workspaceScan.summary.projectCount > 1 ? "workspace" : "package-directory";
+    return {
+        target: displayPath(cwd, absoluteTarget),
+        inputKind,
+        status: workspaceScan.status,
+        sha256: null,
+        sizeBytes: null,
+        archive: null,
+        workspaceScan,
+        preflight: null,
+        packages: [],
+        findings,
+        errors,
+        summary: summarize(findings, errors)
+    };
+}
+function archiveReport(options) {
+    return {
+        target: displayPath(options.cwd, options.absoluteTarget),
+        inputKind: options.inputKind,
+        status: statusFor(options.archive.findings, options.archive.errors),
+        sha256: options.sha256,
+        sizeBytes: options.sizeBytes,
+        archive: options.archive.summary,
+        workspaceScan: null,
+        preflight: null,
+        packages: [],
+        findings: options.archive.findings,
+        errors: options.archive.errors,
+        summary: summarize(options.archive.findings, options.archive.errors)
+    };
+}
+function scanTarball(bytes, path) {
+    let tarBytes = bytes;
+    if (path.endsWith(".tgz") || path.endsWith(".tar.gz")) {
+        try {
+            tarBytes = gunzipSync(bytes);
+        }
+        catch (error) {
+            return archiveError(`could not decompress tarball: ${error instanceof Error ? error.message : "unknown gzip error"}`);
+        }
+    }
+    if (tarBytes.length > MAX_UNPACKED_BYTES) {
+        return archiveError(`unpacked tarball is above the ${MAX_UNPACKED_BYTES} byte local verification limit`);
+    }
+    const findings = [];
+    const errors = [];
+    const entries = [];
+    let offset = 0;
+    let unpackedSizeBytes = 0;
+    while (offset + TAR_BLOCK_SIZE <= tarBytes.length) {
+        const header = tarBytes.subarray(offset, offset + TAR_BLOCK_SIZE);
+        if (header.every((byte) => byte === 0)) {
+            break;
+        }
+        const name = tarEntryName(header);
+        const size = tarEntrySize(header);
+        const bodyOffset = offset + TAR_BLOCK_SIZE;
+        const nextOffset = bodyOffset + Math.ceil(size / TAR_BLOCK_SIZE) * TAR_BLOCK_SIZE;
+        if (name.length === 0 || nextOffset > tarBytes.length) {
+            errors.push("tar archive has a malformed entry header");
+            break;
+        }
+        unpackedSizeBytes += size;
+        entries.push({
+            name,
+            body: tarBytes.subarray(bodyOffset, bodyOffset + size)
+        });
+        findings.push(...pathSafetyFindings(name));
+        if (entries.length > MAX_ARCHIVE_ENTRIES) {
+            findings.push(limitFinding("archive has too many entries"));
+            break;
+        }
+        if (unpackedSizeBytes > MAX_UNPACKED_BYTES) {
+            findings.push(limitFinding("archive expands beyond the local verification limit"));
+            break;
+        }
+        offset = nextOffset;
+    }
+    findings.push(...packageManifestFindings(entries));
+    return {
+        findings,
+        errors,
+        summary: {
+            entryCount: entries.length,
+            packageManifestCount: packageManifestCount(entries.map((entry) => entry.name)),
+            unpackedSizeBytes
+        }
+    };
+}
+function scanZipLike(bytes, path) {
+    const findings = [];
+    const errors = [];
+    const entries = [];
+    let offset = 0;
+    let unpackedSizeBytes = 0;
+    while (offset + 30 <= bytes.length) {
+        const signature = bytes.readUInt32LE(offset);
+        if (signature !== 0x04034b50) {
+            break;
+        }
+        const flags = bytes.readUInt16LE(offset + 6);
+        const method = bytes.readUInt16LE(offset + 8);
+        const compressedSize = bytes.readUInt32LE(offset + 18);
+        const uncompressedSize = bytes.readUInt32LE(offset + 22);
+        const fileNameLength = bytes.readUInt16LE(offset + 26);
+        const extraLength = bytes.readUInt16LE(offset + 28);
+        const nameStart = offset + 30;
+        const dataStart = nameStart + fileNameLength + extraLength;
+        const dataEnd = dataStart + compressedSize;
+        if (dataEnd > bytes.length) {
+            errors.push(`${basename(path)} has a malformed zip entry`);
+            break;
+        }
+        const name = bytes.subarray(nameStart, nameStart + fileNameLength).toString("utf8");
+        findings.push(...pathSafetyFindings(name));
+        if ((flags & 0x1) !== 0) {
+            findings.push({
+                id: "encrypted-archive-entry",
+                severity: "block",
+                title: "Encrypted archive entry",
+                message: "encrypted archive entries cannot be inspected locally",
+                location: name
+            });
+        }
+        const body = readZipBody(bytes.subarray(dataStart, dataEnd), method, name, errors);
+        unpackedSizeBytes += uncompressedSize;
+        entries.push({
+            name,
+            body
+        });
+        if ((flags & 0x8) !== 0) {
+            findings.push({
+                id: "zip-data-descriptor",
+                severity: "warn",
+                title: "Zip data descriptor",
+                message: "zip entry uses a data descriptor, so byte-size validation is conservative",
+                location: name
+            });
+        }
+        if (entries.length > MAX_ARCHIVE_ENTRIES) {
+            findings.push(limitFinding("archive has too many entries"));
+            break;
+        }
+        if (unpackedSizeBytes > MAX_UNPACKED_BYTES) {
+            findings.push(limitFinding("archive expands beyond the local verification limit"));
+            break;
+        }
+        offset = dataEnd;
+    }
+    findings.push(...packageManifestFindings(entries));
+    return {
+        findings,
+        errors,
+        summary: {
+            entryCount: entries.length,
+            packageManifestCount: packageManifestCount(entries.map((entry) => entry.name)),
+            unpackedSizeBytes
+        }
+    };
+}
+function readZipBody(data, method, name, errors) {
+    if (method === 0) {
+        return data;
+    }
+    if (method === 8) {
+        try {
+            return inflateRawSync(data);
+        }
+        catch (error) {
+            errors.push(`${name}: could not inflate zip entry: ${error instanceof Error ? error.message : "unknown inflate error"}`);
+            return Buffer.alloc(0);
+        }
+    }
+    errors.push(`${name}: unsupported zip compression method ${method}`);
+    return Buffer.alloc(0);
+}
+function packageManifestFindings(entries) {
+    const findings = [];
+    for (const entry of entries) {
+        if (!entry.name.endsWith("package.json")) {
+            continue;
+        }
+        try {
+            const parsed = JSON.parse(entry.body.toString("utf8"));
+            if (isRecord(parsed) && isRecord(parsed.scripts)) {
+                for (const scriptName of Object.keys(parsed.scripts).sort()) {
+                    if (["preinstall", "install", "postinstall", "prepare"].includes(scriptName)) {
+                        findings.push({
+                            id: "npm-lifecycle-script",
+                            severity: "warn",
+                            title: "Install lifecycle script present",
+                            message: `script '${scriptName}' can execute during package manager installs`,
+                            location: `${entry.name}:scripts.${scriptName}`
+                        });
+                    }
+                }
+            }
+        }
+        catch (error) {
+            findings.push({
+                id: "malformed-package-manifest",
+                severity: "block",
+                title: "Malformed package manifest",
+                message: error instanceof Error ? error.message : "package.json could not be parsed",
+                location: entry.name
+            });
+        }
+    }
+    return findings;
+}
+function pathSafetyFindings(entryPath) {
+    const findings = [];
+    if (!isSafeArchivePath(entryPath)) {
+        findings.push({
+            id: "archive-path-traversal",
+            severity: "block",
+            title: "Unsafe archive path",
+            message: "archive entry escapes the extraction root or uses an unsafe absolute path",
+            location: entryPath
+        });
+    }
+    if (entryPath.length > MAX_ARCHIVE_PATH_LENGTH) {
+        findings.push({
+            id: "archive-path-too-long",
+            severity: "block",
+            title: "Archive path too long",
+            message: `archive entry path is longer than ${MAX_ARCHIVE_PATH_LENGTH} characters`,
+            location: entryPath
+        });
+    }
+    return findings;
+}
+function isSafeArchivePath(entryPath) {
+    if (entryPath.length === 0 || entryPath.includes("\\") || entryPath.startsWith("/") || /^[a-zA-Z]:/.test(entryPath)) {
+        return false;
+    }
+    const parts = entryPath.split("/");
+    return !parts.some((part) => part === "..");
+}
+function archiveInputKind(path) {
+    if (path.endsWith(".whl")) {
+        return "wheel";
+    }
+    if (path.endsWith(".zip")) {
+        return "zip";
+    }
+    if (path.endsWith(".tgz") || path.endsWith(".tar.gz") || path.endsWith(".tar")) {
+        return "tarball";
+    }
+    return null;
+}
+function archiveError(message) {
+    return {
+        findings: [],
+        errors: [message],
+        summary: {
+            entryCount: 0,
+            packageManifestCount: 0,
+            unpackedSizeBytes: null
+        }
+    };
+}
+function scanFindingToVerifyFinding(finding) {
+    return {
+        id: finding.id,
+        severity: finding.severity,
+        title: finding.title,
+        message: finding.message,
+        location: finding.location
+    };
+}
+function packageManifestCount(paths) {
+    return paths.filter((path) => path.endsWith("package.json")).length;
+}
+function limitFinding(message) {
+    return {
+        id: "archive-size-limit",
+        severity: "block",
+        title: "Archive safety limit exceeded",
+        message,
+        location: "archive"
+    };
+}
+function statusFor(findings, errors) {
+    if (errors.length > 0) {
+        return "error";
+    }
+    if (findings.some((finding) => finding.severity === "block")) {
+        return "block";
+    }
+    if (findings.some((finding) => finding.severity === "warn")) {
+        return "warn";
+    }
+    return "pass";
+}
+function summarize(findings, errors) {
+    return {
+        findingCount: findings.length,
+        warnCount: findings.filter((finding) => finding.severity === "warn").length,
+        blockCount: findings.filter((finding) => finding.severity === "block").length,
+        errorCount: errors.length
+    };
+}
+function tarEntryName(header) {
+    const name = readNullTerminated(header, 0, 100);
+    const prefix = readNullTerminated(header, 345, 155);
+    return prefix.length > 0 ? `${prefix}/${name}` : name;
+}
+function tarEntrySize(header) {
+    const value = readNullTerminated(header, 124, 12).trim();
+    const parsed = Number.parseInt(value || "0", 8);
+    return Number.isFinite(parsed) ? parsed : 0;
+}
+function readNullTerminated(buffer, start, length) {
+    const slice = buffer.subarray(start, start + length);
+    const end = slice.indexOf(0);
+    return slice.subarray(0, end === -1 ? slice.length : end).toString("utf8");
+}
+function sha256File(path) {
+    return sha256Buffer(readFileSync(path));
+}
+function sha256Buffer(buffer) {
+    return createHash("sha256").update(buffer).digest("hex");
+}
+function displayPath(root, path) {
+    const relativePath = relative(resolve(root), resolve(path));
+    const display = relativePath.length === 0 ? "." : relativePath;
+    return display.split(sep).join("/");
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/dist/verify/package-check.js

@@ -0,0 +1,240 @@
+import { existsSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { analyzePackages, AnalyzeError } from "../api/analyze.js";
+import { createTheme } from "../presentation/theme.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { isSupportedLockfilePath } from "./preflight.js";
+import { authStatus } from "../auth/store.js";
+import { EXIT_TOOL_ERROR, EXIT_UNAVAILABLE } from "../commands/types.js";
+const REGISTRIES = { npm: "npm", pypi: "pypi" };
+const DEEP_VERIFY_HINT = "deep verify supports npm and pypi: dg verify npm:<package> or pypi:<package>";
+function parseSpec(target) {
+    const colon = target.indexOf(":");
+    if (colon < 0) {
+        return null;
+    }
+    const registry = target.slice(0, colon).toLowerCase();
+    const ecosystem = REGISTRIES[registry];
+    if (!ecosystem) {
+        return { error: `unknown registry '${registry}'. ${DEEP_VERIFY_HINT}` };
+    }
+    const rest = target.slice(colon + 1).trim();
+    if (!rest) {
+        return { error: `missing package name. ${DEEP_VERIFY_HINT}` };
+    }
+    const separator = ecosystem === "pypi" ? "==" : "@";
+    const at = ecosystem === "npm" ? rest.lastIndexOf("@") : rest.indexOf("==");
+    if (ecosystem === "npm" && (at <= 0)) {
+        return { ecosystem, name: rest, version: null };
+    }
+    if (ecosystem === "pypi" && at < 0) {
+        return { ecosystem, name: rest, version: null };
+    }
+    const name = rest.slice(0, at);
+    const version = rest.slice(at + separator.length).trim() || null;
+    return { ecosystem, name, version };
+}
+async function resolveLatest(ecosystem, name, fetchImpl) {
+    try {
+        if (ecosystem === "npm") {
+            const response = await fetchImpl(`https://registry.npmjs.org/${name.replace("/", "%2F")}`);
+            if (!response.ok) {
+                return null;
+            }
+            const body = (await response.json());
+            return body["dist-tags"]?.latest ?? null;
+        }
+        const response = await fetchImpl(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+        if (!response.ok) {
+            return null;
+        }
+        const body = (await response.json());
+        return body.info?.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function renderResult(spec, version, result, theme, verbose) {
+    const action = result.action ?? "pass";
+    const badge = theme.badge(action);
+    const lines = [`${badge}  ${result.name}@${version} (${spec.ecosystem})  ${theme.paint("muted", `score ${result.score}`)}`];
+    const reasons = verbose ? result.reasons : result.reasons.slice(0, 6);
+    for (const reason of reasons) {
+        const glyph = action === "block" ? theme.paint("block", "✘") : action === "warn" ? theme.paint("warn", "⚠") : theme.paint("muted", "·");
+        lines.push(`  ${glyph} ${reason}`);
+    }
+    if (!verbose && result.reasons.length > reasons.length) {
+        lines.push(`  ${theme.paint("muted", `… ${result.reasons.length - reasons.length} more — rerun with --verbose`)}`);
+    }
+    if (verbose) {
+        for (const finding of result.findings) {
+            lines.push(`  ${theme.paint("muted", `finding: ${finding.title}`)}`);
+        }
+    }
+    if (reasons.length === 0 && action === "pass") {
+        lines.push(`  ${theme.paint("muted", "no risk signals")}`);
+    }
+    if (result.recommendation) {
+        lines.push(`  ${theme.paint("muted", result.recommendation)}`);
+    }
+    return `${lines.join("\n")}\n`;
+}
+function exitCodeFor(action) {
+    if (action === "block") {
+        return 2;
+    }
+    if (action === "warn") {
+        return 1;
+    }
+    if (action === "analysis_incomplete") {
+        return 4;
+    }
+    return 0;
+}
+export async function runPackageCheck(target, io = {}, options = {}) {
+    const fetchImpl = io.fetchImpl ?? fetch;
+    const theme = createTheme(resolvePresentation().color);
+    if (!authStatus(io.env).authenticated) {
+        const accent = (text) => theme.paint("accent", text);
+        const muted = (text) => theme.paint("muted", text);
+        return {
+            exitCode: EXIT_UNAVAILABLE,
+            stdout: "",
+            stderr: `\n  ${theme.paint("warn", "⚠")} Checking a package before you install it requires ${accent("sign-in")}.\n` +
+                `  ${accent("dg login")}${muted("  ·  see plans at")} ${accent("westbayberry.com/pricing")}\n\n`
+        };
+    }
+    const parsed = parseSpec(target);
+    if (parsed === null) {
+        return {
+            exitCode: 2,
+            stdout: "",
+            stderr: `dg verify: add a registry, e.g. dg verify npm:${target} or dg verify pypi:${target}\n`
+        };
+    }
+    if ("error" in parsed) {
+        return { exitCode: 2, stdout: "", stderr: `dg verify: ${parsed.error}\n` };
+    }
+    let version = parsed.version;
+    if (!version) {
+        version = await resolveLatest(parsed.ecosystem, parsed.name, fetchImpl);
+        if (!version) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg verify: could not resolve the latest version of ${parsed.name} on ${parsed.ecosystem}\n`
+            };
+        }
+    }
+    let result;
+    try {
+        const response = await analyzePackages([{ name: parsed.name, version }], {
+            ecosystem: parsed.ecosystem,
+            fetchImpl,
+            ...(io.env ? { env: io.env } : {})
+        });
+        result = response.packages.find((entry) => entry.name === parsed.name) ?? response.packages[0];
+    }
+    catch (error) {
+        const message = error instanceof AnalyzeError ? error.message : error instanceof Error ? error.message : "could not reach the scanner";
+        return { exitCode: 1, stdout: "", stderr: `dg verify: ${message}\n` };
+    }
+    if (!result) {
+        return { exitCode: 1, stdout: "", stderr: `dg verify: scanner returned no result for ${parsed.name}\n` };
+    }
+    const action = result.action ?? "pass";
+    const rendered = options.format === "json"
+        ? `${JSON.stringify({
+            target,
+            ecosystem: parsed.ecosystem,
+            name: result.name,
+            version,
+            action,
+            score: result.score,
+            reasons: result.reasons,
+            findings: result.findings,
+            ...(result.recommendation ? { recommendation: result.recommendation } : {})
+        }, null, 2)}\n`
+        : renderResult(parsed, version, result, theme, options.verbose ?? false);
+    if (options.outputPath) {
+        try {
+            writeFileSync(resolve(options.outputPath), rendered, "utf8");
+        }
+        catch (error) {
+            return {
+                exitCode: EXIT_TOOL_ERROR,
+                stdout: "",
+                stderr: `dg verify could not write ${options.outputPath}: ${error instanceof Error ? error.message : "write error"}\n`
+            };
+        }
+        return { exitCode: exitCodeFor(action), stdout: `Wrote verify report to ${options.outputPath}\n`, stderr: "" };
+    }
+    return { exitCode: exitCodeFor(action), stdout: rendered, stderr: "" };
+}
+// Registry specs run the real scanner check here; local paths/lockfiles fall
+// through to the advisory handler. --sarif errors rather than silently downgrading.
+export async function maybeVerifyPackage(args) {
+    const noop = { exitCode: 0, stdout: "", stderr: "" };
+    if (args[0] !== "verify") {
+        return { handled: false, result: noop };
+    }
+    const rest = args.slice(1);
+    if (rest.some((arg) => ["--help", "-h", "help"].includes(arg))) {
+        return { handled: false, result: noop };
+    }
+    let format = "text";
+    let verbose = false;
+    let sarif = false;
+    let outputPath = null;
+    let target;
+    let unknownFlag;
+    for (let index = 0; index < rest.length; index += 1) {
+        const arg = rest[index];
+        if (!arg) {
+            continue;
+        }
+        if (arg === "--json") {
+            format = "json";
+        }
+        else if (arg === "--verbose" || arg === "-v") {
+            verbose = true;
+        }
+        else if (arg === "--sarif") {
+            sarif = true;
+        }
+        else if (arg === "--output" || arg === "-o") {
+            outputPath = rest[index + 1] ?? null;
+            index += 1;
+        }
+        else if (arg.startsWith("-")) {
+            unknownFlag = unknownFlag ?? arg;
+        }
+        else {
+            target = target ?? arg;
+        }
+    }
+    if (!target) {
+        return { handled: false, result: noop };
+    }
+    if (isSupportedLockfilePath(target) || existsSync(resolve(target))) {
+        return { handled: false, result: noop };
+    }
+    if (unknownFlag) {
+        return {
+            handled: true,
+            result: { exitCode: 2, stdout: "", stderr: `dg verify: unknown option '${unknownFlag}'. Run 'dg verify --help'.\n` }
+        };
+    }
+    if (sarif) {
+        return {
+            handled: true,
+            result: {
+                exitCode: 2,
+                stdout: "",
+                stderr: "dg verify: --sarif applies to local artifacts and lockfiles; registry package checks support --json.\n"
+            }
+        };
+    }
+    return { handled: true, result: await runPackageCheck(target, {}, { format, verbose, outputPath }) };
+}