@westbayberry/dg 1.3.3 → 2.0.0

package/dist/verify/preflight.js

@@ -0,0 +1,698 @@
+import { existsSync, readFileSync } from "node:fs";
+import { basename, relative, resolve, sep } from "node:path";
+import { loadUserConfig } from "../config/settings.js";
+import { evaluatePackagePolicy, resolveEffectivePolicy } from "../policy/evaluate.js";
+const LOCKFILE_NAMES = new Set([
+    "Cargo.lock",
+    "Pipfile.lock",
+    "package-lock.json",
+    "pnpm-lock.yaml",
+    "poetry.lock",
+    "requirements.txt",
+    "yarn.lock"
+]);
+const REMOTE_SPEC_PREFIXES = [
+    "http://",
+    "https://",
+    "git+",
+    "git://",
+    "ssh://",
+    "github:"
+];
+export function isSupportedLockfilePath(target) {
+    return LOCKFILE_NAMES.has(basename(target));
+}
+export function verifyPackageSpec(spec, options = {}) {
+    const parsed = parsePackageSpec(spec);
+    const observations = parsed
+        ? [parsed]
+        : [blockedUnknownSpec(spec)];
+    return preflightReport({
+        target: spec,
+        inputKind: "package-spec",
+        preflight: {
+            advisory: true,
+            packageCount: observations.length,
+            identitySource: "package-spec",
+            message: "Package spec verification is advisory preflight; proxy enforcement remains authoritative for network fetches."
+        },
+        observations,
+        options
+    });
+}
+export function verifyLockfile(targetPath, options = {}) {
+    const cwd = resolve(options.cwd ?? process.cwd());
+    const absoluteTarget = resolve(cwd, targetPath);
+    const displayTarget = displayPath(cwd, absoluteTarget);
+    if (!existsSync(absoluteTarget)) {
+        return preflightReport({
+            target: displayTarget,
+            inputKind: "lockfile",
+            preflight: lockfileSummary(0),
+            observations: [],
+            options,
+            errors: [`lockfile does not exist: ${displayTarget}`]
+        });
+    }
+    let text;
+    try {
+        text = readFileSync(absoluteTarget, "utf8");
+    }
+    catch (error) {
+        return preflightReport({
+            target: displayTarget,
+            inputKind: "lockfile",
+            preflight: lockfileSummary(0),
+            observations: [],
+            options,
+            errors: [`could not read lockfile: ${error instanceof Error ? error.message : "unknown read error"}`]
+        });
+    }
+    const observations = parseLockfile(basename(absoluteTarget), text);
+    return preflightReport({
+        target: displayTarget,
+        inputKind: "lockfile",
+        preflight: lockfileSummary(observations.length),
+        observations,
+        options
+    });
+}
+function preflightReport(input) {
+    const policy = resolveEffectivePolicy({
+        userConfig: loadUserConfig()
+    });
+    const allowlists = (input.options.allowPackages ?? []).map((packageName) => ({
+        packageName,
+        reason: "dg verify command allowlist",
+        trustedBy: "user"
+    }));
+    const deniedLicenses = new Set((input.options.denyLicenses ?? []).map(normalizeLicense));
+    const findings = [];
+    for (const observation of input.observations) {
+        const packageName = packageDisplayName(observation.identity);
+        const licenseFinding = deniedLicenseFinding(observation.identity, deniedLicenses);
+        const packageVerdict = strongerVerdict(observation.verdict, licenseFinding ? "block" : "pass");
+        const evaluation = evaluatePackagePolicy({
+            verdict: packageVerdict,
+            packageName,
+            policy,
+            allowlists
+        });
+        const baseFinding = licenseFinding ?? observation.finding;
+        if (baseFinding && evaluation.action !== "pass") {
+            findings.push({
+                ...baseFinding,
+                severity: evaluation.action === "block" ? "block" : "warn",
+                message: `${baseFinding.message} (${evaluation.reason})`
+            });
+        }
+    }
+    const errors = [...(input.errors ?? [])];
+    return {
+        target: input.target,
+        inputKind: input.inputKind,
+        status: statusFor(policyActionFor(findings), errors),
+        sha256: null,
+        sizeBytes: null,
+        archive: null,
+        workspaceScan: null,
+        preflight: input.preflight,
+        packages: input.observations.map((observation) => observation.identity),
+        findings,
+        errors,
+        summary: summarize(findings, errors)
+    };
+}
+function parsePackageSpec(spec) {
+    const trimmed = spec.trim();
+    if (trimmed.length === 0 || /[\u0000-\u001f\u007f]/u.test(trimmed)) {
+        return null;
+    }
+    const lowered = trimmed.toLowerCase();
+    if (REMOTE_SPEC_PREFIXES.some((prefix) => lowered.startsWith(prefix)) || lowered.startsWith("file:")) {
+        return packageObservation({
+            ecosystem: "unknown",
+            name: trimmed,
+            version: null,
+            requested: spec,
+            sourceKind: "package-spec",
+            resolvedUrl: trimmed,
+            integrity: null,
+            license: null
+        }, "block", {
+            id: "unverified-network-spec",
+            title: "Unverified network package spec",
+            message: "direct URL, git, and file package specs require artifact verification before install",
+            location: spec
+        });
+    }
+    if (lowered.startsWith("npm:")) {
+        return parseNpmSpec(trimmed.slice(4), spec);
+    }
+    if (lowered.startsWith("pypi:")) {
+        return parsePypiSpec(trimmed.slice(5), spec);
+    }
+    if (lowered.startsWith("cargo:")) {
+        return parseCargoSpec(trimmed.slice(6), spec);
+    }
+    if (trimmed.includes("==")) {
+        return parsePypiSpec(trimmed, spec);
+    }
+    return parseNpmSpec(trimmed, spec);
+}
+function parseNpmSpec(value, requested) {
+    const parsed = splitNameVersion(value);
+    if (!parsed || !isValidPackageName(parsed.name)) {
+        return null;
+    }
+    return packageObservation({
+        ecosystem: "npm",
+        name: parsed.name,
+        version: parsed.version,
+        requested,
+        sourceKind: "package-spec",
+        resolvedUrl: null,
+        integrity: null,
+        license: null
+    }, exactVersionVerdict(parsed.version), exactVersionFinding(parsed.name, parsed.version, requested));
+}
+function parsePypiSpec(value, requested) {
+    const match = /^([A-Za-z0-9_.-]+)(?:==([^<>=!~\s]+))?$/.exec(value.trim());
+    if (!match?.[1]) {
+        return null;
+    }
+    const version = match[2] ?? null;
+    return packageObservation({
+        ecosystem: "pypi",
+        name: match[1],
+        version,
+        requested,
+        sourceKind: "package-spec",
+        resolvedUrl: null,
+        integrity: null,
+        license: null
+    }, exactVersionVerdict(version), exactVersionFinding(match[1], version, requested));
+}
+function parseCargoSpec(value, requested) {
+    const parsed = splitNameVersion(value);
+    if (!parsed || !/^[A-Za-z0-9_-]+$/.test(parsed.name)) {
+        return null;
+    }
+    return packageObservation({
+        ecosystem: "cargo",
+        name: parsed.name,
+        version: parsed.version,
+        requested,
+        sourceKind: "package-spec",
+        resolvedUrl: null,
+        integrity: null,
+        license: null
+    }, exactVersionVerdict(parsed.version), exactVersionFinding(parsed.name, parsed.version, requested));
+}
+function parseLockfile(name, text) {
+    if (name === "package-lock.json") {
+        return parsePackageLock(text);
+    }
+    if (name === "yarn.lock") {
+        return parseYarnLock(text);
+    }
+    if (name === "pnpm-lock.yaml") {
+        return parsePnpmLock(text);
+    }
+    if (name === "requirements.txt") {
+        return parseRequirements(text);
+    }
+    if (name === "Cargo.lock") {
+        return parseCargoLock(text);
+    }
+    if (name === "poetry.lock") {
+        return parsePoetryLock(text);
+    }
+    if (name === "Pipfile.lock") {
+        return parsePipfileLock(text);
+    }
+    return [];
+}
+function parsePackageLock(text) {
+    let parsed;
+    try {
+        parsed = JSON.parse(text);
+    }
+    catch (error) {
+        return [malformedLockfileObservation("package-lock.json", error)];
+    }
+    if (!isRecord(parsed)) {
+        return [malformedLockfileObservation("package-lock.json", new Error("root must be an object"))];
+    }
+    const observations = [];
+    const packages = isRecord(parsed.packages) ? parsed.packages : {};
+    for (const [path, rawPackage] of Object.entries(packages)) {
+        if (path.length === 0 || !isRecord(rawPackage)) {
+            continue;
+        }
+        const name = typeof rawPackage.name === "string" ? rawPackage.name : packageNameFromNodeModulesPath(path);
+        const version = typeof rawPackage.version === "string" ? rawPackage.version : null;
+        if (!name) {
+            continue;
+        }
+        observations.push(lockfileObservation({
+            ecosystem: "npm",
+            name,
+            version,
+            requested: path,
+            sourceKind: "lockfile",
+            resolvedUrl: stringOrNull(rawPackage.resolved),
+            integrity: stringOrNull(rawPackage.integrity),
+            license: stringOrNull(rawPackage.license)
+        }));
+    }
+    const dependencies = isRecord(parsed.dependencies) ? parsed.dependencies : {};
+    for (const [name, rawPackage] of Object.entries(dependencies)) {
+        if (!isRecord(rawPackage) || observations.some((observation) => observation.identity.name === name)) {
+            continue;
+        }
+        observations.push(lockfileObservation({
+            ecosystem: "npm",
+            name,
+            version: stringOrNull(rawPackage.version),
+            requested: name,
+            sourceKind: "lockfile",
+            resolvedUrl: stringOrNull(rawPackage.resolved),
+            integrity: stringOrNull(rawPackage.integrity),
+            license: stringOrNull(rawPackage.license)
+        }));
+    }
+    return observations;
+}
+function parseYarnLock(text) {
+    const observations = [];
+    const blocks = text.split(/\n(?=(?:"?@?[^"\s].*"?):\n)/u);
+    for (const block of blocks) {
+        const lines = block.split(/\r?\n/u);
+        const header = lines[0]?.trim().replace(/:$/u, "");
+        if (!header) {
+            continue;
+        }
+        const requested = header.split(",")[0]?.trim().replace(/^"|"$/gu, "") ?? header;
+        const name = packageNameFromYarnDescriptor(requested);
+        if (!name) {
+            continue;
+        }
+        const version = quotedValue(lines, "version");
+        const resolvedUrl = quotedValue(lines, "resolved");
+        const integrity = quotedValue(lines, "integrity");
+        observations.push(lockfileObservation({
+            ecosystem: "npm",
+            name,
+            version,
+            requested,
+            sourceKind: "lockfile",
+            resolvedUrl,
+            integrity,
+            license: null
+        }));
+    }
+    return observations;
+}
+function parsePnpmLock(text) {
+    const observations = [];
+    const lines = text.split(/\r?\n/u);
+    let current = null;
+    for (const line of lines) {
+        const packageMatch = /^\s{2}['"]?(?:\/)?((?:@[^/\s]+\/)?[^@\s:'"]+)@([^:\s'"]+)['"]?:\s*$/u.exec(line);
+        if (packageMatch?.[1] && packageMatch[2]) {
+            if (current) {
+                observations.push(lockfileObservation(current));
+            }
+            current = {
+                ecosystem: "npm",
+                name: packageMatch[1],
+                version: packageMatch[2],
+                requested: `${packageMatch[1]}@${packageMatch[2]}`,
+                sourceKind: "lockfile",
+                resolvedUrl: null,
+                integrity: null,
+                license: null
+            };
+            continue;
+        }
+        if (!current) {
+            continue;
+        }
+        const integrityMatch = /integrity:\s*([^,}\s]+)/u.exec(line);
+        const tarballMatch = /tarball:\s*([^,}\s]+)/u.exec(line);
+        if (integrityMatch?.[1]) {
+            current = {
+                ...current,
+                integrity: stripQuotes(integrityMatch[1])
+            };
+        }
+        if (tarballMatch?.[1]) {
+            current = {
+                ...current,
+                resolvedUrl: stripQuotes(tarballMatch[1])
+            };
+        }
+    }
+    if (current) {
+        observations.push(lockfileObservation(current));
+    }
+    return observations;
+}
+function parseRequirements(text) {
+    return text.split(/\r?\n/u)
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0 && !line.startsWith("#"))
+        .map((line) => {
+        if (REMOTE_SPEC_PREFIXES.some((prefix) => line.toLowerCase().startsWith(prefix))) {
+            return packageObservation({
+                ecosystem: "pypi",
+                name: line,
+                version: null,
+                requested: line,
+                sourceKind: "lockfile-url-fallback",
+                resolvedUrl: line,
+                integrity: null,
+                license: null
+            }, "block", {
+                id: "lockfile-url-fallback",
+                title: "Lockfile URL fallback identity",
+                message: "lockfile entry uses a URL without package identity or hash metadata",
+                location: line
+            });
+        }
+        const hash = /--hash=([A-Za-z0-9:-]+)/u.exec(line)?.[1] ?? null;
+        const cleanLine = line.replace(/\s+--hash=[^\s]+/gu, "");
+        const match = /^([A-Za-z0-9_.-]+)(?:==([^;\s]+))?/u.exec(cleanLine);
+        if (!match?.[1]) {
+            return blockedUnknownSpec(line);
+        }
+        return lockfileObservation({
+            ecosystem: "pypi",
+            name: match[1],
+            version: match[2] ?? null,
+            requested: line,
+            sourceKind: "lockfile",
+            resolvedUrl: null,
+            integrity: hash,
+            license: null
+        });
+    });
+}
+function parseCargoLock(text) {
+    return lockBlocks(text, "[[package]]").map((block) => {
+        const name = tomlString(block, "name") ?? "unknown";
+        const version = tomlString(block, "version");
+        return lockfileObservation({
+            ecosystem: "cargo",
+            name,
+            version,
+            requested: `${name}@${version ?? "unknown"}`,
+            sourceKind: "lockfile",
+            resolvedUrl: tomlString(block, "source"),
+            integrity: tomlString(block, "checksum"),
+            license: null
+        });
+    }).filter((observation) => observation.identity.name !== "unknown");
+}
+function parsePoetryLock(text) {
+    return lockBlocks(text, "[[package]]").map((block) => {
+        const name = tomlString(block, "name") ?? "unknown";
+        const version = tomlString(block, "version");
+        return lockfileObservation({
+            ecosystem: "pypi",
+            name,
+            version,
+            requested: `${name}==${version ?? "unknown"}`,
+            sourceKind: "lockfile",
+            resolvedUrl: null,
+            integrity: null,
+            license: tomlString(block, "license")
+        });
+    }).filter((observation) => observation.identity.name !== "unknown");
+}
+function parsePipfileLock(text) {
+    let parsed;
+    try {
+        parsed = JSON.parse(text);
+    }
+    catch (error) {
+        return [malformedLockfileObservation("Pipfile.lock", error)];
+    }
+    if (!isRecord(parsed)) {
+        return [];
+    }
+    return ["default", "develop"].flatMap((section) => {
+        const packages = isRecord(parsed[section]) ? parsed[section] : {};
+        return Object.entries(packages).map(([name, rawPackage]) => {
+            const record = isRecord(rawPackage) ? rawPackage : {};
+            const version = stringOrNull(record.version)?.replace(/^==/u, "") ?? null;
+            const hashes = Array.isArray(record.hashes) ? record.hashes.filter((hash) => typeof hash === "string") : [];
+            return lockfileObservation({
+                ecosystem: "pypi",
+                name,
+                version,
+                requested: `${name}${version ? `==${version}` : ""}`,
+                sourceKind: "lockfile",
+                resolvedUrl: null,
+                integrity: hashes[0] ?? null,
+                license: null
+            });
+        });
+    });
+}
+function lockfileObservation(identity) {
+    if (identity.resolvedUrl && isUnsafeResolvedUrl(identity.resolvedUrl)) {
+        return packageObservation(identity, "block", {
+            id: "unverified-lockfile-url",
+            title: "Unverified lockfile URL",
+            message: "lockfile resolved artifact uses a direct URL or git source that requires proxy hash verification",
+            location: identity.requested
+        });
+    }
+    const integrityFinding = integrityPolicyFinding(identity);
+    if (integrityFinding) {
+        return packageObservation(identity, "warn", integrityFinding);
+    }
+    return packageObservation(identity, "pass", null);
+}
+function integrityPolicyFinding(identity) {
+    if (identity.integrity && isSupportedIntegrity(identity.integrity)) {
+        return null;
+    }
+    return {
+        id: "missing-artifact-integrity",
+        title: "Missing artifact integrity",
+        message: `${packageDisplayName(identity)} has no supported lockfile integrity or checksum metadata`,
+        location: identity.requested
+    };
+}
+function exactVersionFinding(name, version, location) {
+    if (version && isExactVersion(version)) {
+        return null;
+    }
+    return {
+        id: "unpinned-package-spec",
+        title: "Unpinned package spec",
+        message: `${name} is not pinned to an exact package version`,
+        location
+    };
+}
+function exactVersionVerdict(version) {
+    return version && isExactVersion(version) ? "pass" : "warn";
+}
+function deniedLicenseFinding(identity, deniedLicenses) {
+    if (!identity.license || !deniedLicenses.has(normalizeLicense(identity.license))) {
+        return null;
+    }
+    return {
+        id: "license-policy-denied",
+        title: "Denied package license",
+        message: `${packageDisplayName(identity)} declares denied license '${identity.license}'`,
+        location: identity.requested
+    };
+}
+function malformedLockfileObservation(lockfile, error) {
+    return packageObservation({
+        ecosystem: "unknown",
+        name: lockfile,
+        version: null,
+        requested: lockfile,
+        sourceKind: "lockfile",
+        resolvedUrl: null,
+        integrity: null,
+        license: null
+    }, "block", {
+        id: "malformed-lockfile",
+        title: "Malformed lockfile",
+        message: error instanceof Error ? error.message : "lockfile could not be parsed",
+        location: lockfile
+    });
+}
+function blockedUnknownSpec(spec) {
+    return packageObservation({
+        ecosystem: "unknown",
+        name: spec,
+        version: null,
+        requested: spec,
+        sourceKind: "package-spec",
+        resolvedUrl: null,
+        integrity: null,
+        license: null
+    }, "block", {
+        id: "unsupported-package-spec",
+        title: "Unsupported package spec",
+        message: "package spec could not be parsed without guessing identity",
+        location: spec
+    });
+}
+function packageObservation(identity, verdict, finding) {
+    return {
+        identity,
+        verdict,
+        finding
+    };
+}
+function splitNameVersion(value) {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("@")) {
+        const index = trimmed.lastIndexOf("@");
+        if (index <= 0) {
+            return {
+                name: trimmed,
+                version: null
+            };
+        }
+        return {
+            name: trimmed.slice(0, index),
+            version: trimmed.slice(index + 1) || null
+        };
+    }
+    const index = trimmed.lastIndexOf("@");
+    if (index > 0) {
+        return {
+            name: trimmed.slice(0, index),
+            version: trimmed.slice(index + 1) || null
+        };
+    }
+    return {
+        name: trimmed,
+        version: null
+    };
+}
+function isValidPackageName(name) {
+    return /^(?:@[a-z0-9_.-]+\/)?[a-z0-9_.-]+$/iu.test(name) && !/[\\\s]/u.test(name);
+}
+function isExactVersion(version) {
+    return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/u.test(version);
+}
+function isSupportedIntegrity(value) {
+    return /^(?:sha256|sha384|sha512)-[A-Za-z0-9+/=]+$/u.test(value)
+        || /^(?:sha256:)?[a-f0-9]{64}$/iu.test(value);
+}
+function isUnsafeResolvedUrl(value) {
+    const lower = value.toLowerCase();
+    return lower.startsWith("git+")
+        || lower.startsWith("git://")
+        || lower.startsWith("ssh://")
+        || lower.startsWith("github:");
+}
+function strongerVerdict(left, right) {
+    if (left === "block" || right === "block") {
+        return "block";
+    }
+    if (left === "warn" || right === "warn") {
+        return "warn";
+    }
+    return "pass";
+}
+function policyActionFor(findings) {
+    if (findings.some((finding) => finding.severity === "block")) {
+        return "block";
+    }
+    if (findings.some((finding) => finding.severity === "warn")) {
+        return "warn";
+    }
+    return "pass";
+}
+function statusFor(action, errors) {
+    if (errors.length > 0) {
+        return "error";
+    }
+    return action;
+}
+function summarize(findings, errors) {
+    return {
+        findingCount: findings.length,
+        warnCount: findings.filter((finding) => finding.severity === "warn").length,
+        blockCount: findings.filter((finding) => finding.severity === "block").length,
+        errorCount: errors.length
+    };
+}
+function lockfileSummary(packageCount) {
+    return {
+        advisory: true,
+        packageCount,
+        identitySource: "lockfile",
+        message: "Lockfile verification maps package identity and integrity for preflight only; proxy enforcement remains authoritative for network fetches."
+    };
+}
+function packageDisplayName(identity) {
+    const version = identity.version ? `@${identity.version}` : "";
+    return `${identity.ecosystem}:${identity.name}${version}`;
+}
+function packageNameFromNodeModulesPath(path) {
+    const parts = path.split("/");
+    const nodeModulesIndex = parts.lastIndexOf("node_modules");
+    if (nodeModulesIndex === -1) {
+        return null;
+    }
+    const first = parts[nodeModulesIndex + 1];
+    if (!first) {
+        return null;
+    }
+    if (first.startsWith("@") && parts[nodeModulesIndex + 2]) {
+        return `${first}/${parts[nodeModulesIndex + 2]}`;
+    }
+    return first;
+}
+function packageNameFromYarnDescriptor(descriptor) {
+    const value = descriptor.startsWith("@") ? descriptor.slice(1) : descriptor;
+    const index = value.lastIndexOf("@");
+    const name = descriptor.startsWith("@") ? `@${value.slice(0, index)}` : value.slice(0, index);
+    return name || null;
+}
+function quotedValue(lines, key) {
+    const pattern = new RegExp(`^\\s*${key}\\s+\"?([^\"\\n]+)\"?\\s*$`, "u");
+    for (const line of lines) {
+        const match = pattern.exec(line);
+        if (match?.[1]) {
+            return match[1];
+        }
+    }
+    return null;
+}
+function lockBlocks(text, marker) {
+    return text.split(marker).slice(1).map((block) => `${marker}${block}`);
+}
+function tomlString(block, key) {
+    const match = new RegExp(`^${key}\\s*=\\s*\"([^\"]*)\"`, "mu").exec(block);
+    return match?.[1] ?? null;
+}
+function stringOrNull(value) {
+    return typeof value === "string" && value.length > 0 ? value : null;
+}
+function stripQuotes(value) {
+    return value.replace(/^["']|["']$/gu, "");
+}
+function normalizeLicense(value) {
+    return value.trim().toLowerCase();
+}
+function displayPath(root, path) {
+    const relativePath = relative(resolve(root), resolve(path));
+    const display = relativePath.length === 0 ? "." : relativePath;
+    return display.split(sep).join("/");
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}