npm - @westbayberry/dg - Versions diffs - 2.0.1 → 2.0.3 - Mend

@westbayberry/dg 2.0.1 → 2.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/api/analyze.js +8 -0
package/dist/bin/dg.js +7 -2
package/dist/install-ui/LiveInstall.js +3 -3
package/dist/proxy/server.js +3 -1
package/dist/setup/plan.js +89 -5
package/package.json +1 -1

package/dist/api/analyze.js CHANGED Viewed

@@ -182,6 +182,14 @@ function resolveApiBaseUrl(env) {
 function resolveToken(env) {
     return envAuthToken(env) ?? readAuthStateSafe(env)?.token;
 }
+export function identityHeaders(env) {
+    const headers = { "X-Device-Id": getOrCreateDeviceId(env) };
+    const token = resolveToken(env);
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    return headers;
+}
 function readAuthStateSafe(env) {
     try {
         return readAuthState(env);

package/dist/bin/dg.js CHANGED Viewed

@@ -66,6 +66,11 @@ else {
 // The auth flows (browser login, paid-verify gate, deep audit upload) already
 // tell the user exactly what to do; the throttled nudges would just be noise.
 if (!deviceLogin.handled && !verifyPackage.handled && !audit.handled) {
-    const { maybeShowNudges } = await import("../runtime/nudges.js");
-    maybeShowNudges(args);
+    try {
+        const { maybeShowNudges } = await import("../runtime/nudges.js");
+        maybeShowNudges(args);
+    }
+    catch {
+        // dg deleted its own files mid-run (uninstall of itself); nudges are cosmetic.
+    }
 }

package/dist/install-ui/LiveInstall.js CHANGED Viewed

@@ -9,12 +9,12 @@ function rule() {
     return "─".repeat(width);
 }
 export const LiveInstall = ({ view }) => {
+    if (view.phase === "scanning") {
+        return (_jsxs(Box, { paddingX: 1, children: [_jsx(Text, { color: "cyan", children: _jsx(InkSpinner, { type: "dots" }) }), _jsxs(Text, { children: [" ", view.total === 0 ? "DG starting protection…" : `DG verifying ${packageCount(view.total)}…`] }), view.current ? _jsxs(Text, { dimColor: true, children: ["  ", view.current] }) : null] }));
+    }
     if (view.total === 0 && !view.blocked) {
         return null;
     }
-    if (view.phase === "scanning") {
-        return (_jsxs(Box, { paddingX: 1, children: [_jsx(Text, { color: "cyan", children: _jsx(InkSpinner, { type: "dots" }) }), _jsxs(Text, { children: [" DG verifying ", packageCount(view.total), "\u2026"] }), view.current ? _jsxs(Text, { dimColor: true, children: ["  ", view.current] }) : null] }));
-    }
     if (view.blocked) {
         const blocked = view.blocked;
         return (_jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsx(Text, { color: "gray", children: rule() }), blocked.kind === "blocked" ? (_jsxs(Text, { color: "red", children: ["\u2718  DG blocked install \u2014 ", blocked.headline] })) : (_jsxs(Text, { color: "yellow", children: ["?  DG could not verify ", blocked.packageName, " \u2014 ", blocked.headline] })), _jsxs(Text, { children: ["   ", blocked.packageName, "   ", blocked.reason] }), blocked.override ? _jsxs(Text, { dimColor: true, children: ["   ", "Override: ", blocked.override] }) : null, blocked.nextStep ? _jsxs(Text, { dimColor: true, children: ["   ", "Next: ", blocked.nextStep] }) : null] }));

package/dist/proxy/server.js CHANGED Viewed

@@ -15,6 +15,7 @@ import { artifactDisplayName, artifactUrlHash, extractRegistryMetadataIdentities
 import { authorityFor, connectViaUpstreamProxy, selectUpstreamProxy } from "./upstream-proxy.js";
 import { redactSecrets } from "../launcher/output-redaction.js";
 import { envAuthToken } from "../auth/env-token.js";
+import { identityHeaders } from "../api/analyze.js";
 export async function startProductionHttpProxy(options) {
     const ca = createEphemeralCertificateAuthority(options.session.files.ca);
     const state = {
@@ -629,7 +630,8 @@ async function lookupVerdict(options, target, sha256, upstream, identity) {
         const response = await fetch(`${options.apiBaseUrl}/v1/install-verdict`, {
             method: "POST",
             headers: {
-                "Content-Type": "application/json"
+                "Content-Type": "application/json",
+                ...identityHeaders(options.env)
             },
             body: JSON.stringify({
                 manager: options.classification.manager,

package/dist/setup/plan.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { accessSync, constants, existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
+import { accessSync, constants, existsSync, mkdirSync, readdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
 import { basename, delimiter, dirname, join, resolve } from "node:path";
 import { chmodSync } from "node:fs";
 import { createTheme } from "../presentation/theme.js";
@@ -21,6 +21,9 @@ const LEGACY_RC_MARKERS = [
     { begin: "# >>> dg-managed >>>", end: "# <<< dg-managed <<<" }
 ];
 const LEGACY_RC_CANDIDATES = [".zshrc", ".bashrc", ".bash_profile", ".profile", join(".config", "fish", "config.fish")];
+const LEGACY_PYTHON_HOOK_PY = "dg_pip_hook.py";
+const LEGACY_PYTHON_HOOK_PTH = "dg_pip_hook.pth";
+const LEGACY_PYTHON_HOOK_MARKER = "Dependency Guardian pip-install interceptor";
 export const SETUP_UNINSTALL_LOCK = "setup-uninstall";
 export const SETUP_UNINSTALL_LOCK_STALE_MS = 30 * 60 * 1000;
 export const STALE_SESSION_OLDER_THAN_MS = 24 * 60 * 60 * 1000;
@@ -38,6 +41,7 @@ const DOCTOR_GROUP_BY_NAME = {
     telemetry: "setup",
     shims: "setup",
     "shell-rc": "setup",
+    "python-hook-drift": "setup",
     path: "setup",
     "stale-sessions": "setup",
     service: "setup",
@@ -53,6 +57,7 @@ const DOCTOR_FIX_BY_NAME = {
     telemetry: "fix ~/.dg config",
     shims: "dg setup",
     "shell-rc": "dg setup",
+    "python-hook-drift": "dg uninstall, or re-run dg setup, to remove the stale pip hook",
     path: "reload your shell after setup",
     "stale-sessions": "clears on the next protected run",
     auth: "dg login"
@@ -142,6 +147,7 @@ export function applySetupPlan(plan, now = new Date()) {
     });
     writeFileSync(plan.rcPath, withRcBlock(readText(plan.rcPath), plan), "utf8");
     entries.push(cleanupEntry("rc", plan.rcPath, "mode1", now, RC_SENTINEL));
+    sweepLegacyPythonHooks(plan.paths.homeDir, [], []);
     const registry = withRegistryLock(plan.paths, () => {
         const merged = mergeRegistry(readRegistry(plan.paths).registry, entries);
         writeRegistry(plan.paths, merged);
@@ -196,6 +202,7 @@ export function uninstallSetup(options) {
             }
         }
         sweepLegacyRcBlocks(paths.homeDir, removed, warnings);
+        sweepLegacyPythonHooks(paths.homeDir, removed, warnings);
         if (!options.all && !registryRead.malformed && options.keepConfig) {
             writeRegistryWithLock(paths, {
                 version: 1,
@@ -271,6 +278,14 @@ export function doctorReport(options = {}) {
         status: rcEntries.length > 0 && missingRc.length === 0 ? "pass" : "warn",
         message: rcEntries.length === 0 ? "No dg shell rc block is registered" : `Registered shell rc blocks: ${rcEntries.length}`
     });
+    const staleHookSites = legacyPythonHookSites(paths.homeDir);
+    checks.push({
+        name: "python-hook-drift",
+        status: staleHookSites.length === 0 ? "pass" : "warn",
+        message: staleHookSites.length === 0
+            ? "No legacy dg pip hooks in user site-packages"
+            : `Legacy dg pip hooks break pip in: ${staleHookSites.join(", ")}`
+    });
     checks.push(pathPrecedenceCheck(env, shimDir));
     checks.push({
         name: "stale-sessions",
@@ -453,11 +468,31 @@ function reloadInstructions(shell) {
     }
     return ["start a new shell or run: source ~/.zshrc", "clear cached command paths with: rehash"];
 }
-// Absolute path: a bare `exec dg` resolves through PATH, so anything that
-// shadows dg (npm run prepending node_modules/.bin with a vendored copy)
-// hijacks every shimmed package manager.
+// The baked absolute dg path stops a PATH-shadowing dg from hijacking the shim;
+// the fallbacks make it fail open — a removed or moved dg (uninstall, mid-upgrade)
+// runs the real manager instead of bricking it.
 export function shimSource(command) {
-    return `#!/bin/sh\n# ${SHIM_SENTINEL}\nDG_SHIM_ACTIVE="\${DG_SHIM_ACTIVE:+$DG_SHIM_ACTIVE,}${command}:$$" exec "${escapeDoubleQuotedSh(dgEntrypoint())}" ${command} "$@"\n`;
+    const dg = escapeDoubleQuotedSh(dgEntrypoint());
+    const nonce = '"${DG_SHIM_ACTIVE:+$DG_SHIM_ACTIVE,}' + `${command}:$$"`;
+    return [
+        "#!/bin/sh",
+        `# ${SHIM_SENTINEL}`,
+        `if [ -x "${dg}" ]; then`,
+        `  DG_SHIM_ACTIVE=${nonce} exec "${dg}" ${command} "$@"`,
+        "fi",
+        `dg_path=$(printf '%s' "$PATH" | awk -v RS=':' -v ORS=':' '$0 != ENVIRON["HOME"] "/.dg/shims"' | sed 's/:$//')`,
+        `dg_bin=$(PATH="$dg_path" command -v dg 2>/dev/null)`,
+        `if [ -n "$dg_bin" ]; then`,
+        `  DG_SHIM_ACTIVE=${nonce} exec "$dg_bin" ${command} "$@"`,
+        "fi",
+        `real_bin=$(PATH="$dg_path" command -v ${command} 2>/dev/null)`,
+        `if [ -n "$real_bin" ]; then`,
+        `  exec "$real_bin" "$@"`,
+        "fi",
+        `echo "dg: protection unavailable and no real ${command} found on PATH" >&2`,
+        "exit 127",
+        ""
+    ].join("\n");
 }
 function escapeDoubleQuotedSh(value) {
     return value.replace(/[\\"$`]/g, "\\$&");
@@ -517,6 +552,55 @@ function sweepLegacyRcBlocks(homeDir, removed, warnings) {
         }
     }
 }
+export function legacyPythonHookSites(homeDir) {
+    return candidateSitePackagesDirs(homeDir).filter((dir) => existsSync(join(dir, LEGACY_PYTHON_HOOK_PTH)) || readText(join(dir, LEGACY_PYTHON_HOOK_PY)).includes(LEGACY_PYTHON_HOOK_MARKER));
+}
+function sweepLegacyPythonHooks(homeDir, removed, warnings) {
+    for (const dir of candidateSitePackagesDirs(homeDir)) {
+        const pyPath = join(dir, LEGACY_PYTHON_HOOK_PY);
+        const pthPath = join(dir, LEGACY_PYTHON_HOOK_PTH);
+        const pyIsHook = readText(pyPath).includes(LEGACY_PYTHON_HOOK_MARKER);
+        const pthPresent = existsSync(pthPath);
+        if (!pyIsHook && !pthPresent) {
+            continue;
+        }
+        if (pthPresent) {
+            removePythonHookFile(pthPath, removed, warnings);
+        }
+        if (pyIsHook) {
+            removePythonHookFile(pyPath, removed, warnings);
+        }
+    }
+}
+function removePythonHookFile(path, removed, warnings) {
+    try {
+        rmSync(path, { force: true });
+        removed.push(`${path} (legacy dg pip hook)`);
+    }
+    catch (error) {
+        warnings.push(`could not remove legacy dg pip hook ${path}: ${error instanceof Error ? error.message : "remove error"}`);
+    }
+}
+function candidateSitePackagesDirs(homeDir) {
+    const dirs = [];
+    for (const version of safeReaddir(join(homeDir, "Library", "Python"))) {
+        dirs.push(join(homeDir, "Library", "Python", version, "lib", "python", "site-packages"));
+    }
+    for (const entry of safeReaddir(join(homeDir, ".local", "lib"))) {
+        if (entry.startsWith("python")) {
+            dirs.push(join(homeDir, ".local", "lib", entry, "site-packages"));
+        }
+    }
+    return dirs;
+}
+function safeReaddir(dir) {
+    try {
+        return readdirSync(dir);
+    }
+    catch {
+        return [];
+    }
+}
 export function cleanupEntry(kind, path, mode, now, sentinel) {
     return {
         kind,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "Dependency Guardian supply-chain firewall CLI",
   "type": "module",
   "bin": {