@westbayberry/dg 1.3.3 → 2.0.0

package/dist/commands/licenses.js

@@ -0,0 +1,435 @@
+import { mkdirSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { launchScanTui, shouldLaunchScanTui } from "../scan-ui/launch.js";
+import { basename, dirname, relative, resolve, sep } from "node:path";
+import { scanProject } from "../scan/discovery.js";
+import { isSupportedLockfilePath, verifyLockfile } from "../verify/preflight.js";
+import { EXIT_USAGE } from "./types.js";
+const LICENSE_RISKS = [
+    "network-copyleft",
+    "no-license",
+    "permissive",
+    "strong-copyleft",
+    "unknown",
+    "unlicensed",
+    "weak-copyleft"
+];
+const IGNORED_DIRECTORIES = new Set([
+    ".git",
+    ".hg",
+    ".svn",
+    "coverage",
+    "dist",
+    "node_modules",
+    "vendor"
+]);
+const MAX_DISCOVERY_DEPTH = 8;
+export const licensesCommand = {
+    name: "licenses",
+    summary: "Report dependency licenses and policy results.",
+    usage: "dg licenses [path] [--json|--csv|--markdown] [--fail-on <risk[,risk...]>]",
+    args: [{ name: "[path]", summary: "Project directory to report on (default: current directory)." }],
+    flags: [
+        { flag: "--json", summary: "JSON output." },
+        { flag: "--csv", summary: "CSV output." },
+        { flag: "--markdown", summary: "Markdown table output." },
+        { flag: "--output", value: "<path>", summary: "Write the report to a file (alias -o)." },
+        { flag: "--fail-on", value: "<risk[,risk...]>", summary: "Exit non-zero on these risks: permissive, weak-copyleft, strong-copyleft, network-copyleft, no-license, unlicensed, unknown." },
+        { flag: "--deny-license", value: "<id>", summary: "Fail if this SPDX license appears (repeatable)." }
+    ],
+    examples: ["dg licenses", "dg licenses --markdown -o licenses.md", "dg licenses --fail-on strong-copyleft,network-copyleft"],
+    details: [
+        "Reports project and lockfile license metadata without running package managers or package code.",
+        "License exports support text, JSON, CSV, and Markdown with stable exit codes for policy gates."
+    ],
+    handler: (context) => runLicensesCommand(context.args)
+};
+async function runLicensesCommand(args) {
+    const parsed = parseLicensesArgs(args);
+    if ("error" in parsed) {
+        return usageError(parsed.error);
+    }
+    if (parsed.deniedLicenses.length === 0 &&
+        parsed.failOn.length === 0 &&
+        shouldLaunchScanTui({
+            targetPath: parsed.target,
+            format: parsed.format,
+            outputPath: parsed.outputPath ?? undefined
+        })) {
+        try {
+            await launchScanTui("licenses");
+        }
+        catch (error) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg licenses TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`
+            };
+        }
+        return {
+            exitCode: 0,
+            stdout: "",
+            stderr: ""
+        };
+    }
+    let report;
+    try {
+        report = buildLicenseReport(parsed);
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `dg licenses failed: ${error instanceof Error ? error.message : "unknown license error"}\n`
+        };
+    }
+    const rendered = renderLicenseReport(report, parsed.format);
+    if (parsed.outputPath) {
+        try {
+            writeReportAtomic(resolve(parsed.outputPath), rendered);
+        }
+        catch (error) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg licenses could not write ${parsed.outputPath}: ${error instanceof Error ? error.message : "unknown write error"}\n`
+            };
+        }
+        return {
+            exitCode: exitCodeForReport(report),
+            stdout: `Wrote ${parsed.format} license report to ${parsed.outputPath}\n`,
+            stderr: ""
+        };
+    }
+    return {
+        exitCode: exitCodeForReport(report),
+        stdout: rendered,
+        stderr: ""
+    };
+}
+function parseLicensesArgs(args) {
+    let format = "text";
+    let outputPath = null;
+    let target = ".";
+    let sawTarget = false;
+    const deniedLicenses = [];
+    const failOn = [];
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            return { error: "empty argument" };
+        }
+        if (arg === "--json" || arg === "--csv" || arg === "--markdown") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = arg === "--json" ? "json" : arg === "--csv" ? "csv" : "markdown";
+            continue;
+        }
+        if (arg === "--output" || arg === "-o") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: `${arg} requires a path` };
+            }
+            outputPath = next;
+            index += 1;
+            continue;
+        }
+        if (arg === "--fail-on") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: "--fail-on requires a comma-separated risk list" };
+            }
+            const parsed = parseRiskList(next);
+            if ("error" in parsed) {
+                return parsed;
+            }
+            failOn.push(...parsed.risks);
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith("--fail-on=")) {
+            const parsed = parseRiskList(arg.slice("--fail-on=".length));
+            if ("error" in parsed) {
+                return parsed;
+            }
+            failOn.push(...parsed.risks);
+            continue;
+        }
+        if (arg === "--deny-license") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: "--deny-license requires a license id" };
+            }
+            deniedLicenses.push(next);
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            return { error: `unknown option '${arg}'` };
+        }
+        if (sawTarget) {
+            return { error: "licenses accepts at most one path" };
+        }
+        target = arg;
+        sawTarget = true;
+    }
+    return {
+        deniedLicenses,
+        failOn: uniqueRisks(failOn),
+        format,
+        outputPath,
+        target
+    };
+}
+function parseRiskList(value) {
+    const risks = [];
+    for (const raw of value.split(",")) {
+        const risk = raw.trim();
+        if (!isLicenseRisk(risk)) {
+            return { error: `unknown license risk '${risk}'` };
+        }
+        risks.push(risk);
+    }
+    return { risks };
+}
+function buildLicenseReport(parsed) {
+    const targetPath = resolve(parsed.target);
+    const targetInfo = statSync(targetPath);
+    const root = targetInfo.isFile() ? dirname(targetPath) : targetPath;
+    const lockfiles = targetInfo.isFile() && isSupportedLockfilePath(targetPath)
+        ? [targetPath]
+        : discoverLockfiles(root);
+    const entries = dedupeEntries([
+        ...manifestLicenseEntries(parsed.target),
+        ...lockfiles.flatMap((lockfile) => lockfileLicenseEntries(root, lockfile))
+    ]);
+    const denied = new Set(parsed.deniedLicenses.map(normalizeLicense));
+    const failOn = new Set(parsed.failOn);
+    const blocked = entries.filter((entry) => {
+        const normalizedLicense = normalizeLicense(entry.license ?? "");
+        return (entry.license ? denied.has(normalizedLicense) : false) || failOn.has(entry.risk);
+    });
+    const byRisk = Object.fromEntries(LICENSE_RISKS.map((risk) => [risk, 0]));
+    for (const entry of entries) {
+        byRisk[entry.risk] += 1;
+    }
+    return {
+        target: displayPath(process.cwd(), targetPath),
+        status: blocked.length > 0 ? "block" : "pass",
+        entries,
+        policy: {
+            deniedLicenses: [...denied].sort(),
+            failOn: [...failOn].sort()
+        },
+        summary: {
+            packageCount: entries.length,
+            blockedCount: blocked.length,
+            byRisk
+        }
+    };
+}
+function manifestLicenseEntries(target) {
+    const report = scanProject({
+        targetPath: target
+    });
+    return report.projects.map((project) => ({
+        ecosystem: ecosystemForManifest(project.manifestPath),
+        license: project.license,
+        location: project.manifestPath,
+        name: project.name,
+        risk: classifyLicense(project.license),
+        source: "manifest",
+        version: project.version
+    }));
+}
+const MANIFEST_ECOSYSTEMS = {
+    "package.json": "npm",
+    "pyproject.toml": "pypi",
+    "setup.py": "pypi",
+    "setup.cfg": "pypi",
+    "Cargo.toml": "cargo"
+};
+function ecosystemForManifest(manifestPath) {
+    return MANIFEST_ECOSYSTEMS[basename(manifestPath)] ?? "unknown";
+}
+function lockfileLicenseEntries(root, lockfile) {
+    const report = verifyLockfile(lockfile);
+    return report.packages.map((identity) => licenseEntryFromIdentity(root, lockfile, identity));
+}
+function licenseEntryFromIdentity(root, lockfile, identity) {
+    return {
+        ecosystem: identity.ecosystem,
+        license: identity.license,
+        location: displayPath(root, lockfile),
+        name: identity.name,
+        risk: classifyLicense(identity.license),
+        source: "lockfile",
+        version: identity.version
+    };
+}
+function discoverLockfiles(root) {
+    const lockfiles = [];
+    walk(root, 0, lockfiles);
+    return lockfiles.sort((left, right) => displayPath(root, left).localeCompare(displayPath(root, right)));
+}
+function walk(directory, depth, lockfiles) {
+    if (depth > MAX_DISCOVERY_DEPTH) {
+        return;
+    }
+    const entries = readdirSync(directory, {
+        withFileTypes: true
+    }).sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        const absolutePath = resolve(directory, entry.name);
+        if (entry.isDirectory()) {
+            if (!IGNORED_DIRECTORIES.has(entry.name)) {
+                walk(absolutePath, depth + 1, lockfiles);
+            }
+            continue;
+        }
+        if (entry.isFile() && isSupportedLockfilePath(absolutePath)) {
+            lockfiles.push(absolutePath);
+        }
+    }
+}
+function classifyLicense(license) {
+    if (!license) {
+        return "no-license";
+    }
+    const normalized = normalizeLicense(license);
+    if (normalized === "UNLICENSED" || normalized === "NOASSERTION") {
+        return "unlicensed";
+    }
+    if (/\bAGPL\b/u.test(normalized)) {
+        return "network-copyleft";
+    }
+    if (/\bGPL\b/u.test(normalized)) {
+        return "strong-copyleft";
+    }
+    if (/\bLGPL\b|\bMPL\b|\bEPL\b|\bCDDL\b/u.test(normalized)) {
+        return "weak-copyleft";
+    }
+    if (/\bMIT\b|\bISC\b|\bBSD\b|\bAPACHE\b|\b0BSD\b/u.test(normalized)) {
+        return "permissive";
+    }
+    return "unknown";
+}
+function renderLicenseReport(report, format) {
+    if (format === "json") {
+        return `${JSON.stringify(report, null, 2)}\n`;
+    }
+    if (format === "csv") {
+        return renderCsv(report);
+    }
+    if (format === "markdown") {
+        return renderMarkdown(report);
+    }
+    return renderText(report);
+}
+function renderText(report) {
+    const lines = [
+        "Dependency Guardian licenses",
+        `Target: ${report.target}`,
+        `Status: ${report.status}`,
+        `Packages: ${report.summary.packageCount}`,
+        `Policy blocks: ${report.summary.blockedCount}`,
+        ""
+    ];
+    if (report.entries.length === 0) {
+        lines.push("No license metadata found.");
+    }
+    else {
+        for (const entry of report.entries) {
+            const version = entry.version ? `@${entry.version}` : "";
+            lines.push(`- ${entry.ecosystem}:${entry.name}${version} license=${entry.license ?? "none"} risk=${entry.risk} source=${entry.source} location=${entry.location}`);
+        }
+    }
+    return `${lines.join("\n").trimEnd()}\n`;
+}
+function renderCsv(report) {
+    const rows = [
+        ["ecosystem", "name", "version", "license", "risk", "source", "location"],
+        ...report.entries.map((entry) => [
+            entry.ecosystem,
+            entry.name,
+            entry.version ?? "",
+            entry.license ?? "",
+            entry.risk,
+            entry.source,
+            entry.location
+        ])
+    ];
+    return `${rows.map((row) => row.map(csvCell).join(",")).join("\n")}\n`;
+}
+function renderMarkdown(report) {
+    const lines = [
+        "# Dependency Guardian licenses",
+        "",
+        `- Target: ${report.target}`,
+        `- Status: ${report.status}`,
+        `- Packages: ${report.summary.packageCount}`,
+        `- Policy blocks: ${report.summary.blockedCount}`,
+        "",
+        "| Ecosystem | Package | Version | License | Risk | Source |",
+        "| --- | --- | --- | --- | --- | --- |"
+    ];
+    for (const entry of report.entries) {
+        lines.push(`| ${markdownCell(entry.ecosystem)} | ${markdownCell(entry.name)} | ${markdownCell(entry.version ?? "")} | ${markdownCell(entry.license ?? "")} | ${markdownCell(entry.risk)} | ${markdownCell(entry.source)} |`);
+    }
+    return `${lines.join("\n")}\n`;
+}
+function exitCodeForReport(report) {
+    return report.status === "block" ? 1 : 0;
+}
+function usageError(message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg licenses: ${message}. Usage: dg licenses [path] [--json|--csv|--markdown] [--output <path>] [--fail-on <risk[,risk...]>] [--deny-license <id>]\n`
+    };
+}
+function writeReportAtomic(outputPath, contents) {
+    const directory = dirname(outputPath);
+    mkdirSync(directory, { recursive: true });
+    const temporaryPath = `${outputPath}.${process.pid}.${Date.now()}.tmp`;
+    try {
+        writeFileSync(temporaryPath, contents, "utf8");
+        renameSync(temporaryPath, outputPath);
+    }
+    catch (error) {
+        rmSync(temporaryPath, { force: true });
+        throw error;
+    }
+}
+function dedupeEntries(entries) {
+    const seen = new Set();
+    const deduped = [];
+    for (const entry of entries) {
+        const key = `${entry.ecosystem}|${entry.name}|${entry.version ?? ""}|${entry.license ?? ""}|${entry.source}|${entry.location}`;
+        if (!seen.has(key)) {
+            seen.add(key);
+            deduped.push(entry);
+        }
+    }
+    return deduped.sort((left, right) => `${left.ecosystem}:${left.name}`.localeCompare(`${right.ecosystem}:${right.name}`));
+}
+function uniqueRisks(risks) {
+    return [...new Set(risks)].sort();
+}
+function isLicenseRisk(value) {
+    return LICENSE_RISKS.includes(value);
+}
+function normalizeLicense(value) {
+    return value.trim().toUpperCase().replace(/\s+/gu, "-");
+}
+function displayPath(root, path) {
+    const relativePath = relative(root, path);
+    const display = relativePath.length === 0 ? "." : relativePath;
+    return display.split(sep).join("/");
+}
+function csvCell(value) {
+    return /[",\n\r]/u.test(value) ? `"${value.replace(/"/gu, "\"\"")}"` : value;
+}
+function markdownCell(value) {
+    return value.replace(/\|/gu, "\\|");
+}

package/dist/commands/login.js

@@ -0,0 +1,81 @@
+import { EXIT_USAGE } from "./types.js";
+import { AuthError, writeAuthState } from "../auth/store.js";
+import { ConfigError, loadUserConfig } from "../config/settings.js";
+export const loginCommand = {
+    name: "login",
+    summary: "Authenticate this machine with Dependency Guardian.",
+    usage: "dg login [--token <token>]",
+    flags: [
+        { flag: "--token", value: "<token>", summary: "Authenticate with an API key instead of the browser (for CI/headless)." }
+    ],
+    examples: ["dg login", "dg login --token dg_live_…", "DG_API_TOKEN=dg_live_… dg login"],
+    details: [
+        "In a terminal, 'dg login' opens your browser to sign in — no token to copy.",
+        "For CI and headless shells, pass --token <key> or set the DG_API_TOKEN environment variable instead.",
+        "Stores dg-owned auth state under the user config directory; never executes project-local code or weakens install enforcement."
+    ],
+    handler: (context) => loginHandler(context.args)
+};
+function loginHandler(args) {
+    const parsed = parseLoginArgs(args);
+    if ("error" in parsed) {
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: `dg login: ${parsed.error}. Run 'dg login --help'.\n`
+        };
+    }
+    try {
+        const config = loadUserConfig();
+        const state = writeAuthState({
+            token: parsed.token,
+            apiBaseUrl: config.api.baseUrl,
+            orgId: config.org.id
+        });
+        return {
+            exitCode: 0,
+            stdout: `Logged in to ${state.apiBaseUrl}${state.orgId ? ` for org ${state.orgId}` : ""} with token ${state.tokenPreview}\n`,
+            stderr: ""
+        };
+    }
+    catch (error) {
+        if (error instanceof AuthError || error instanceof ConfigError) {
+            return {
+                exitCode: EXIT_USAGE,
+                stdout: "",
+                stderr: `dg login: ${error.message}\n`
+            };
+        }
+        throw error;
+    }
+}
+function parseLoginArgs(args) {
+    let token = "";
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (arg === "--token") {
+            const value = args[index + 1];
+            if (!value) {
+                return {
+                    error: "--token requires a value"
+                };
+            }
+            token = value;
+            index += 1;
+        }
+        else if (arg?.startsWith("--token=")) {
+            token = arg.slice("--token=".length);
+        }
+        else {
+            return {
+                error: `unknown option '${arg ?? ""}'`
+            };
+        }
+    }
+    if (!token) {
+        return {
+            error: "run 'dg login' in a terminal to sign in via your browser, or pass --token <key> (or set DG_API_TOKEN) for CI"
+        };
+    }
+    return { token };
+}

package/dist/commands/logout.js

@@ -0,0 +1,37 @@
+import { EXIT_USAGE } from "./types.js";
+import { clearAuthState } from "../auth/store.js";
+export const logoutCommand = {
+    name: "logout",
+    summary: "Remove local Dependency Guardian authentication.",
+    usage: "dg logout [--yes]",
+    flags: [{ flag: "--yes", summary: "Required confirmation flag; logout removes the local token only when it is passed." }],
+    details: ["Removes dg-owned auth material without deleting unrelated user content."],
+    handler: (context) => logoutHandler(context.args)
+};
+function logoutHandler(args, env = process.env) {
+    const unknown = args.find((arg) => arg !== "--yes");
+    if (unknown) {
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: `dg logout: unknown option '${unknown}'. Run 'dg logout --help'.\n`
+        };
+    }
+    if (!args.includes("--yes")) {
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "This removes the dg-owned local auth token only. Config and setup files are not changed.\n",
+            stderr: "dg logout requires --yes to confirm.\n"
+        };
+    }
+    const removed = clearAuthState();
+    const lines = [removed ? "Removed local dg auth token." : "No local dg auth token was present."];
+    if (env.DG_API_TOKEN) {
+        lines.push("DG_API_TOKEN is still set, so env-var auth remains active (file token removed only).");
+    }
+    return {
+        exitCode: 0,
+        stdout: `${lines.join("\n")}\n`,
+        stderr: ""
+    };
+}

package/dist/commands/router.js

@@ -0,0 +1,98 @@
+import { configCommand } from "./config.js";
+import { completionCommand } from "./completion.js";
+import { auditCommand } from "./audit.js";
+import { doctorCommand } from "./doctor.js";
+import { explainCommand } from "./explain.js";
+import { guardCommitCommand } from "./guard-commit.js";
+import { renderCommandHelp, renderRootHelp } from "./help.js";
+import { licensesCommand } from "./licenses.js";
+import { loginCommand } from "./login.js";
+import { logoutCommand } from "./logout.js";
+import { packageManagerCommands } from "./wrap.js";
+import { scanCommand } from "./scan.js";
+import { serviceCommand } from "./service.js";
+import { setupCommand } from "./setup.js";
+import { statusCommand } from "./status.js";
+import { closestCommand } from "./suggest.js";
+import { EXIT_USAGE } from "./types.js";
+import { uninstallCommand } from "./uninstall.js";
+import { updateCommand } from "./update.js";
+import { verifyCommand } from "./verify.js";
+import { dgVersion, versionResult } from "./version.js";
+export const commandCatalog = [
+    scanCommand,
+    verifyCommand,
+    setupCommand,
+    guardCommitCommand,
+    uninstallCommand,
+    doctorCommand,
+    statusCommand,
+    ...packageManagerCommands(),
+    loginCommand,
+    logoutCommand,
+    explainCommand,
+    configCommand,
+    completionCommand,
+    licensesCommand,
+    auditCommand,
+    updateCommand,
+    serviceCommand
+];
+function commandNames() {
+    const names = new Set(["help", "version", "upgrade"]);
+    for (const command of commandCatalog) {
+        names.add(command.name);
+        for (const alias of command.aliases ?? []) {
+            names.add(alias);
+        }
+    }
+    return [...names];
+}
+export async function routeCommand(args) {
+    const [commandName, ...rest] = args;
+    if (commandName === "--help-all" || commandName === "help-all") {
+        return {
+            exitCode: 0,
+            stdout: renderRootHelp(dgVersion(), commandCatalog, { all: true }),
+            stderr: ""
+        };
+    }
+    if (!commandName || commandName === "--help" || commandName === "-h" || commandName === "help") {
+        return {
+            exitCode: 0,
+            stdout: renderRootHelp(dgVersion(), commandCatalog),
+            stderr: ""
+        };
+    }
+    if (commandName === "--version" || commandName === "-v" || commandName === "version") {
+        return versionResult();
+    }
+    if (commandName === "upgrade") {
+        return updateCommand.handler({
+            commandPath: ["upgrade"],
+            args: rest
+        });
+    }
+    const command = commandCatalog.find((candidate) => candidate.name === commandName || candidate.aliases?.includes(commandName));
+    if (!command) {
+        const suggestion = closestCommand(commandName, commandNames());
+        const hint = suggestion ? ` Did you mean '${suggestion}'?` : "";
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: `dg: unknown command '${commandName}'.${hint} Run 'dg --help'.\n`
+        };
+    }
+    const [firstArg] = rest;
+    if (firstArg === "--help" || firstArg === "-h" || firstArg === "help") {
+        return {
+            exitCode: 0,
+            stdout: renderCommandHelp(command),
+            stderr: ""
+        };
+    }
+    return command.handler({
+        commandPath: [commandName],
+        args: rest
+    });
+}

package/dist/commands/scan.js

@@ -0,0 +1,18 @@
+import { runScanCommand } from "../scan/command.js";
+export const scanCommand = {
+    name: "scan",
+    summary: "Scan a project and show Dependency Guardian findings.",
+    usage: "dg scan [path] [--json|--sarif] [--output <path>]",
+    args: [{ name: "[path]", summary: "Project directory or a package.json to scan (default: current directory)." }],
+    flags: [
+        { flag: "--json", summary: "Machine-readable JSON report." },
+        { flag: "--sarif", summary: "SARIF report for code-scanning tools." },
+        { flag: "--output", value: "<path>", summary: "Write the report to a file instead of stdout (alias -o)." },
+        { flag: "--staged", summary: "Scan only the git-staged lockfile changes (what dg guard-commit runs)." }
+    ],
+    examples: ["dg scan", "dg scan ./packages/api", "dg scan --json -o scan.json", "dg scan --staged"],
+    details: [
+        "Reads lockfiles, scores each dependency through the scanner, and never changes project files. In a terminal it opens the full-screen results browser; piped or with --json/--sarif it prints machine output. Exit codes: 0 clean, 1 warn, 2 block, 4 analysis incomplete."
+    ],
+    handler: runScanCommand
+};