@westbayberry/dg 2.0.10 → 2.1.0

package/dist/scan/command.js

@@ -1,5 +1,6 @@
-import { writeFileSync } from "node:fs";
-import { resolve } from "node:path";
+import { statSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { findProjectRoot, loadDgFile, warnUnreadableDgFile } from "../project/dgfile.js";
 import { scanProject } from "./discovery.js";
 import { renderJsonReport, renderSarifReport, renderTextReport } from "./render.js";
 import { resolvePresentation } from "../presentation/mode.js";
@@ -18,12 +19,12 @@ export function runScanCommand(context) {
     const stagedTarget = parsed.sawTarget ? parsed.targetPath : null;
     const machineOutput = parsed.format !== "text" || parsed.outputPath !== null;
     if (parsed.staged && !machineOutput) {
-        return runStagedScan({ hook: parsed.hook, targetPath: stagedTarget });
+        return runStagedScan({ hook: parsed.hook, targetPath: stagedTarget, useDecisions: !parsed.noDecisions });
     }
     let report;
     let outcome;
     if (parsed.staged) {
-        const staged = stagedScanReport({ targetPath: stagedTarget });
+        const staged = stagedScanReport({ targetPath: stagedTarget, useDecisions: !parsed.noDecisions });
         if ("result" in staged) {
             return staged.result;
         }
@@ -58,7 +59,7 @@ export function runScanCommand(context) {
                 stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
             };
         }
-        outcome = runScannerScan(parsed.targetPath, report);
+        outcome = runScannerScan(parsed.targetPath, report, process.env, parsed.noDecisions ? null : loadScanDecisions(parsed.targetPath));
     }
     if (outcome.kind === "report") {
         report = outcome.report;
@@ -99,6 +100,7 @@ function parseScanArgs(args) {
     let sawTarget = false;
     let staged = false;
     let hook = false;
+    let noDecisions = false;
     for (let index = 0; index < args.length; index += 1) {
         const arg = args[index];
         if (!arg) {
@@ -112,6 +114,10 @@ function parseScanArgs(args) {
             hook = true;
             continue;
         }
+        if (arg === "--no-decisions") {
+            noDecisions = true;
+            continue;
+        }
         if (arg === "--json") {
             if (format !== "text") {
                 return { error: "choose only one output format" };
@@ -150,16 +156,35 @@ function parseScanArgs(args) {
         targetPath,
         sawTarget,
         staged,
-        hook
+        hook,
+        noDecisions
     };
 }
 function usageError(message) {
     return {
         exitCode: EXIT_USAGE_VERDICT,
         stdout: "",
-        stderr: `dg scan: ${message}. Usage: dg scan [path] [--json|--sarif] [--output <path>]\n`
+        stderr: `dg scan: ${message}. Usage: dg scan [path] [--json|--sarif] [--output <path>] [--no-decisions]\n`
     };
 }
+function loadScanDecisions(targetPath, env = process.env) {
+    let dir = resolve(targetPath);
+    try {
+        if (!statSync(dir).isDirectory()) {
+            dir = dirname(dir);
+        }
+    }
+    catch {
+        return null;
+    }
+    const root = findProjectRoot(dir, env);
+    if (!root) {
+        return null;
+    }
+    const file = loadDgFile(root);
+    warnUnreadableDgFile(file);
+    return file.readable ? file : null;
+}
 function degradeReport(report, error) {
     const status = report.status === "block" || report.status === "warn" ? report.status : "unknown";
     return { ...report, status, scannerError: error };
@@ -184,7 +209,9 @@ function renderReport(report, format, scannerUnavailable, skipNotice) {
 }
 function exitCodeForReport(report) {
     if (report.scanner) {
-        return scanExitCode(report.scanner.action, loadUserConfig().policy.mode);
+        const mode = loadUserConfig().policy.mode;
+        const action = mode === "strict" ? report.scanner.action : report.decisions?.effectiveAction ?? report.scanner.action;
+        return scanExitCode(action, mode);
     }
     if (report.status === "block") {
         return 2;

package/dist/scan/discovery.js

@@ -1,3 +1,4 @@
+import { execFileSync } from "node:child_process";
 import { readdirSync, readFileSync, statSync } from "node:fs";
 import { basename, dirname, relative, resolve, sep } from "node:path";
 const IGNORED_DIRECTORIES = new Set([
@@ -75,10 +76,71 @@ function resolveStatus(counts) {
 }
 function discoverPackageManifests(root) {
     const manifests = [];
-    walk(root, 0, manifests);
+    walk(root, 0, manifests, gitIgnoredDirectories(root));
     return manifests.sort((left, right) => displayPath(root, left).localeCompare(displayPath(root, right)));
 }
-function walk(directory, depth, manifests) {
+export function gitIgnoredDirectories(root) {
+    const ignored = new Set();
+    if (!insideGitWorkTree(root)) {
+        return ignored;
+    }
+    let level = [root];
+    for (let depth = 0; depth <= MAX_DISCOVERY_DEPTH && level.length > 0; depth++) {
+        const candidates = [];
+        for (const directory of level) {
+            let entries;
+            try {
+                entries = readdirSync(directory, { withFileTypes: true });
+            }
+            catch {
+                continue;
+            }
+            for (const entry of entries) {
+                if (entry.isDirectory() && !IGNORED_DIRECTORIES.has(entry.name)) {
+                    candidates.push(resolve(directory, entry.name));
+                }
+            }
+        }
+        if (candidates.length === 0) {
+            break;
+        }
+        const flagged = checkIgnoreBatch(root, candidates);
+        for (const directory of flagged) {
+            ignored.add(directory);
+        }
+        level = candidates.filter((directory) => !flagged.has(directory));
+    }
+    return ignored;
+}
+function insideGitWorkTree(root) {
+    try {
+        const out = execFileSync("git", ["-C", root, "rev-parse", "--is-inside-work-tree"], {
+            encoding: "utf8",
+            timeout: 3000,
+            stdio: ["ignore", "pipe", "ignore"]
+        });
+        return out.trim() === "true";
+    }
+    catch {
+        return false;
+    }
+}
+function checkIgnoreBatch(root, directories) {
+    try {
+        const out = execFileSync("git", ["-C", root, "check-ignore", "--stdin", "-z"], {
+            input: directories.join("\0"),
+            encoding: "utf8",
+            timeout: 5000,
+            maxBuffer: 16 * 1024 * 1024,
+            stdio: ["pipe", "pipe", "ignore"]
+        });
+        return new Set(out.split("\0").filter(Boolean));
+    }
+    catch {
+        return new Set();
+    }
+}
+function walk(directory, depth, manifests, gitIgnored) {
     if (depth > MAX_DISCOVERY_DEPTH) {
         return;
     }
@@ -94,8 +156,8 @@ function walk(directory, depth, manifests) {
     for (const entry of entries) {
         const absolutePath = resolve(directory, entry.name);
         if (entry.isDirectory()) {
-            if (!IGNORED_DIRECTORIES.has(entry.name)) {
-                walk(absolutePath, depth + 1, manifests);
+            if (!IGNORED_DIRECTORIES.has(entry.name) && !gitIgnored.has(absolutePath)) {
+                walk(absolutePath, depth + 1, manifests, gitIgnored);
             }
             continue;
         }

package/dist/scan/render.js

@@ -21,17 +21,23 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     const cleanProjects = report.projects.filter((project) => project.findings.length === 0);
     const findingProjects = report.projects.filter((project) => project.findings.length > 0);
     const shouldCollapseProjects = report.projects.length > DETAIL_PROJECT_LIMIT;
+    const acknowledgedCount = report.decisions?.acknowledgedCount ?? 0;
+    const activeFindings = report.findings.filter((finding) => !finding.acknowledged);
     const lines = [
         "Dependency Guardian scan",
         `Target: ${report.target}`,
         `Scanning: checked ${report.summary.projectCount} project manifest${report.summary.projectCount === 1 ? "" : "s"}.`,
-        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report))}`,
+        `Status: ${paintEffectiveStatus(report, theme)}`,
         `Projects: ${report.summary.projectCount}`,
         `Dependencies: ${report.summary.dependencyCount}`,
-        `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)`,
+        `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)${acknowledgedCount > 0 ? ` · ${acknowledgedCount} acknowledged` : ""}`,
+        ...(acknowledgedCount > 0
+            ? [`Acknowledged: ${acknowledgedCount} warn verdict${acknowledgedCount === 1 ? "" : "s"} accepted in dg.json — run 'dg decisions' to review`]
+            : []),
         ...(report.scanner
             ? [`Scanner: score ${report.scanner.score}, ${report.scanner.packages.length} packages verified`]
             : []),
+        ...(report.scanner ? provenanceDowngradeLines(report.scanner.packages, theme) : []),
         ""
     ];
     if (report.scannerError) {
@@ -52,7 +58,7 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     }
     if (findingProjects.length > 0) {
         lines.push("Finding groups:");
-        for (const group of groupFindings(report.findings)) {
+        for (const group of groupFindings(activeFindings)) {
             const severityLabel = theme.paint(group.severity === "block" ? "block" : "warn", group.severity.toUpperCase());
             lines.push(`  ${severityLabel} ${group.id}: ${group.count} finding${group.count === 1 ? "" : "s"} across ${group.projectCount} project${group.projectCount === 1 ? "" : "s"}`);
             for (const finding of group.examples) {
@@ -94,6 +100,21 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     }
     return `${lines.join("\n").replace(/\n{3,}/g, "\n\n").trimEnd()}\n`;
 }
+function provenanceDowngradeLines(packages, theme) {
+    return packages
+        .filter((pkg) => pkg.provenance?.downgrade)
+        .map((pkg) => theme.paint("warn", `Provenance downgrades: ${pkg.name}@${pkg.version} (was attested at ${pkg.provenance.downgrade.fromVersion})`));
+}
+function paintEffectiveStatus(report, theme) {
+    if (report.scanner && report.decisions && !report.scannerError) {
+        const action = report.decisions.effectiveAction;
+        if (action === "analysis_incomplete") {
+            return theme.paint("unknown", "analysis_incomplete");
+        }
+        return theme.paint(SCAN_STATUS_ROLE[action], action);
+    }
+    return theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report));
+}
 function formatProject(project, width) {
     const lines = [];
     const version = project.version ? `@${project.version}` : "";
@@ -154,7 +175,17 @@ export function renderSarifReport(report) {
                                 }
                             }
                         }
-                    ]
+                    ],
+                    ...(finding.acknowledged
+                        ? {
+                            suppressions: [
+                                {
+                                    kind: "external",
+                                    justification: finding.acknowledged.reason || `accepted by ${finding.acknowledged.by}`
+                                }
+                            ]
+                        }
+                        : {})
                 }))
             }
         ]

package/dist/scan/scanner-report.js

@@ -3,6 +3,7 @@ import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { applyDecisions, packageKey } from "../decisions/apply.js";
 import { sanitize } from "../security/sanitize.js";
 import { collectScanPackages, discoverScanProjects } from "./collect.js";
 const WORKER_TIMEOUT_BASE_MS = 180_000;
@@ -12,7 +13,7 @@ const WORKER_MAX_BUFFER = 64 * 1024 * 1024;
 export function scanWorkerTimeoutMs(packageCount) {
     return WORKER_TIMEOUT_BASE_MS + packageCount * Math.ceil(SERVER_PER_PACKAGE_WORST_CASE_MS / SERVER_SCAN_CONCURRENCY);
 }
-export function runScannerScan(targetPath, localReport, env = process.env) {
+export function runScannerScan(targetPath, localReport, env = process.env, decisionsFile = null) {
     const projects = discoverScanProjects(resolve(targetPath));
     if (projects.length === 0) {
         return { kind: "skipped", reason: "no_lockfiles" };
@@ -58,12 +59,38 @@ export function runScannerScan(targetPath, localReport, env = process.env) {
             error: { kind: "invalid_response", message: "scanner worker returned unreadable output" }
         };
     }
-    return { kind: "report", report: buildScannerReport(localReport, response, total) };
+    const report = buildScannerReport(localReport, response, total);
+    if (!decisionsFile?.readable) {
+        return { kind: "report", report };
+    }
+    const ecosystems = new Map();
+    for (const group of groups) {
+        for (const pkg of group.packages) {
+            ecosystems.set(packageKey(pkg.name, pkg.version), group.ecosystem);
+        }
+    }
+    return { kind: "report", report: annotateReportWithDecisions(report, decisionsFile, ecosystems) };
 }
-export function tryScannerScan(targetPath, localReport, env = process.env) {
-    const outcome = runScannerScan(targetPath, localReport, env);
+export function tryScannerScan(targetPath, localReport, env = process.env, decisionsFile = null) {
+    const outcome = runScannerScan(targetPath, localReport, env, decisionsFile);
     return outcome.kind === "report" ? outcome.report : null;
 }
+export function annotateReportWithDecisions(report, decisionsFile, ecosystems) {
+    if (!report.scanner || !decisionsFile.readable) {
+        return report;
+    }
+    const applied = applyDecisions(report.scanner.packages, (pkg) => ecosystems.get(packageKey(pkg.name, pkg.version)), decisionsFile, report.scanner.action);
+    const findings = report.findings.map((finding) => {
+        const acknowledged = applied.packages[finding.location]?.acknowledged;
+        return acknowledged && finding.severity === "warn" ? { ...finding, acknowledged } : finding;
+    });
+    return {
+        ...report,
+        findings,
+        summary: { ...report.summary, acknowledgedCount: applied.acknowledgedCount },
+        decisions: applied
+    };
+}
 export function workerFailure(worker, timeoutMs, packageCount) {
     if (worker.error?.code === "ETIMEDOUT") {
         return {

package/dist/scan/staged.js

@@ -4,6 +4,9 @@ import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "nod
 import { createTheme } from "../presentation/theme.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { loadUserConfig } from "../config/settings.js";
+import { offerRememberSync } from "../decisions/remember-prompt.js";
+import { packageKey } from "../decisions/apply.js";
+import { loadDgFile, resolveAcceptedBy, warnUnreadableDgFile } from "../project/dgfile.js";
 import { gitSync, gitTrimmed } from "../util/git.js";
 import { promptYesNo } from "../util/tty-prompt.js";
 import { GUARD_SELFTEST_ENV } from "../setup/git-hook.js";
@@ -85,16 +88,21 @@ export function runStagedScan(options) {
     if (scoped.length === 0) {
         return { exitCode: 0, stdout: "", stderr: "" };
     }
+    const dgFile = options.useDecisions === false ? null : loadDgFile(root);
+    if (dgFile) {
+        warnUnreadableDgFile(dgFile);
+    }
+    const usableDgFile = dgFile?.readable ? dgFile : null;
     const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return failOpen(theme, "could not read the staged lockfile contents");
         }
-        const report = tryScannerScan(dir, emptyLocalReport(dir), env);
+        const report = tryScannerScan(dir, emptyLocalReport(dir), env, usableDgFile);
         if (!report || !report.scanner) {
             return failOpen(theme, "could not reach the scanner");
         }
-        return decideStagedVerdict(report, env, options.hook);
+        return decideStagedVerdict(report, env, options.hook, usableDgFile ? { root, file: usableDgFile } : undefined);
     }
     finally {
         rmSync(dir, { recursive: true, force: true });
@@ -119,12 +127,16 @@ export function stagedScanReport(options) {
     if (scoped.length === 0) {
         return { report: base, outcome: { kind: "skipped", reason: "no_lockfiles" } };
     }
+    const dgFile = options.useDecisions === false ? null : loadDgFile(root);
+    if (dgFile) {
+        warnUnreadableDgFile(dgFile);
+    }
     const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read the staged lockfile contents" } } };
         }
-        return { report: base, outcome: runScannerScan(dir, base, env) };
+        return { report: base, outcome: runScannerScan(dir, base, env, dgFile?.readable ? dgFile : null) };
     }
     finally {
         rmSync(dir, { recursive: true, force: true });
@@ -144,11 +156,13 @@ function notARepoResult() {
 function outsideRepoResult(targetPath) {
     return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: `dg scan --staged: ${targetPath} is outside this repository.\n` };
 }
-export function decideStagedVerdict(report, env = process.env, hook = false) {
+export function decideStagedVerdict(report, env = process.env, hook = false, decisionContext) {
     const theme = createTheme(resolvePresentation().color);
     const action = report.scanner?.action ?? report.status;
     const config = loadUserConfig(env);
     const count = report.summary.dependencyCount;
+    const effective = config.policy.mode === "strict" ? action : report.decisions?.effectiveAction ?? action;
+    const acknowledgedCount = report.decisions?.acknowledgedCount ?? 0;
     if (action === "block") {
         return { exitCode: 2, stdout: "", stderr: renderBlock(report.findings, theme) };
     }
@@ -156,17 +170,61 @@ export function decideStagedVerdict(report, env = process.env, hook = false) {
         return scannerUnavailable(theme);
     }
     if (action === "warn") {
-        return decideWarn(report.findings, theme, config.gitHook.onWarn, config.policy.mode, hook);
+        if (acknowledgedCount > 0 && effective === "pass") {
+            return {
+                exitCode: 0,
+                stdout: "",
+                stderr: `  ${theme.paint("pass", "✓")} ${theme.paint("muted", `DG verified ${count} staged package${count === 1 ? "" : "s"} — ${acknowledgedCount} warning${acknowledgedCount === 1 ? "" : "s"} previously accepted (dg.json)`)}\n`
+            };
+        }
+        if (acknowledgedCount > 0 && effective === "analysis_incomplete") {
+            return decideIncomplete(config.gitHook.onIncomplete, theme);
+        }
+        const activeFindings = report.findings.filter((finding) => !finding.acknowledged);
+        return decideWarn(activeFindings, theme, config.gitHook.onWarn, config.policy.mode, hook, stagedRememberOffer(report, decisionContext, env));
     }
     if (action === "analysis_incomplete") {
-        if (config.gitHook.onIncomplete === "block") {
-            return { exitCode: 1, stdout: "", stderr: incompleteNotice(theme, true) };
-        }
-        return { exitCode: 0, stdout: "", stderr: incompleteNotice(theme, false) };
+        return decideIncomplete(config.gitHook.onIncomplete, theme);
     }
     return { exitCode: 0, stdout: "", stderr: `  ${theme.paint("pass", "✓")} ${theme.paint("muted", `DG verified ${count} staged package${count === 1 ? "" : "s"} — clean`)}\n` };
 }
-function decideWarn(findings, theme, onWarn, policyMode, hook) {
+function decideIncomplete(onIncomplete, theme) {
+    if (onIncomplete === "block") {
+        return { exitCode: 1, stdout: "", stderr: incompleteNotice(theme, true) };
+    }
+    return { exitCode: 0, stdout: "", stderr: incompleteNotice(theme, false) };
+}
+export function stagedRememberOffer(report, decisionContext, env) {
+    if (!decisionContext || !report.scanner || !report.decisions) {
+        return undefined;
+    }
+    const annotations = report.decisions.packages;
+    const packages = [];
+    for (const pkg of report.scanner.packages) {
+        if ((pkg.action ?? "pass") !== "warn") {
+            continue;
+        }
+        const annotation = annotations[packageKey(pkg.name, pkg.version)];
+        if (!annotation || annotation.acknowledged) {
+            continue;
+        }
+        packages.push({ ecosystem: annotation.ecosystem, name: pkg.name, version: pkg.version, findings: pkg.findings });
+    }
+    if (packages.length === 0) {
+        return undefined;
+    }
+    return () => {
+        offerRememberSync({
+            file: decisionContext.file,
+            packages,
+            acceptedBy: resolveAcceptedBy(decisionContext.root, env),
+            surface: "guard-commit",
+            env,
+            ...(decisionContext.prompts ? { prompts: decisionContext.prompts } : {})
+        });
+    };
+}
+function decideWarn(findings, theme, onWarn, policyMode, hook, onAccepted) {
     const summary = warnSummary(findings, theme);
     if (onWarn === "allow") {
         return { exitCode: 0, stdout: "", stderr: `${summary}  ${theme.paint("muted", "proceeding (gitHook.onWarn=allow)")}\n` };
@@ -183,6 +241,7 @@ function decideWarn(findings, theme, onWarn, policyMode, hook) {
         return { exitCode: 1, stdout: "", stderr: `${summary}  ${theme.paint("muted", `commit blocked (no terminal; policy ${policyMode}). Use`)} ${theme.paint("accent", "git commit --no-verify")} ${theme.paint("muted", "to override.")}\n` };
     }
     if (answer) {
+        onAccepted?.();
         return { exitCode: 0, stdout: "", stderr: "" };
     }
     return { exitCode: 1, stdout: "", stderr: `  ${theme.paint("muted", "Nothing was committed.")}\n` };

package/dist/scan-ui/LegacyApp.js

@@ -9,7 +9,7 @@ import { ErrorView } from "./components/ErrorView.js";
 import { ProjectSelector } from "./components/ProjectSelector.js";
 import { SetupBanner } from "./components/SetupBanner.js";
 import { useTerminalSize } from "./hooks/useTerminalSize.js";
-import { scanExitCode } from "./shims.js";
+import { effectiveScanAction, scanExitCode } from "./shims.js";
 import { leaveTui, showCursor, tuiIsActive } from "./alt-screen.js";
 import { formatResetDate } from "../install-ui/block-render.js";
 export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialView, updateAvailable }) => {
@@ -27,7 +27,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
     useEffect(() => () => leaveAltScreen(), [leaveAltScreen]);
     const handleResultsExit = useCallback(() => {
         if (state.phase === "results") {
-            process.exitCode = scanExitCode(state.result.action, config.mode);
+            process.exitCode = scanExitCode(effectiveScanAction(state.result.action, state.decisions?.effectiveAction, config.mode), config.mode);
         }
         leaveAltScreen();
         exit();
@@ -62,7 +62,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
         // not only when the user dismisses the view — a piped/killed/non-TTY exit
         // must still carry the right code (an unverified scan is never a silent 0).
         if (state.phase === "results") {
-            process.exitCode = scanExitCode(state.result.action, config.mode);
+            process.exitCode = scanExitCode(effectiveScanAction(state.result.action, state.decisions?.effectiveAction, config.mode), config.mode);
         }
     }, [state, config, exitWithMessage]);
     useInput((input, key) => {
@@ -97,7 +97,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
                         ? `batch ${state.batchIndex}/${state.batchCount}`
                         : undefined }));
             case "results":
-                return (_jsx(InteractiveResultsView, { result: state.result, config: config, durationMs: state.durationMs, onExit: handleResultsExit, onBack: restartSelection ?? undefined, discoveredTotal: state.discoveredTotal, userStatus: userStatus, scanUsage: scanUsage, initialView: initialView }));
+                return (_jsx(InteractiveResultsView, { result: state.result, config: config, durationMs: state.durationMs, onExit: handleResultsExit, onBack: restartSelection ?? undefined, discoveredTotal: state.discoveredTotal, userStatus: userStatus, scanUsage: scanUsage, initialView: initialView, decisions: state.decisions }));
             case "empty":
                 return _jsx(Text, { dimColor: true, children: state.message });
             case "error":