@westbayberry/dg 2.0.10 → 2.1.0

package/dist/setup/plan.js

@@ -8,6 +8,7 @@ import { dgVersion } from "../commands/version.js";
 import { compareVersions, readLatestVersion } from "../commands/update.js";
 import { AuthError, authStatus, displayTier, readAuthState } from "../auth/store.js";
 import { ConfigError, loadUserConfig } from "../config/settings.js";
+import { describeCooldownSettings } from "../policy/cooldown.js";
 import { resolveRealBinary } from "../launcher/resolve-real-binary.js";
 import { packageManagerNames } from "../launcher/classify.js";
 import { readServiceState } from "../service/state.js";
@@ -42,6 +43,7 @@ const DOCTOR_GROUP_BY_NAME = {
     "cleanup-registry-stale-entries": "setup",
     config: "setup",
     policy: "setup",
+    "script-gate": "setup",
     telemetry: "setup",
     shims: "setup",
     "shell-rc": "setup",
@@ -275,6 +277,7 @@ export function doctorReport(options = {}) {
     checks.push(configCheck(paths, env));
     checks.push(authCheck(env));
     checks.push(policyCheck(env));
+    checks.push(scriptGateCheck(env));
     checks.push(telemetryCheck(env));
     const missingShims = SHIM_COMMANDS.filter((command) => !validShim(join(shimDir, command), command));
     checks.push({
@@ -1090,7 +1093,7 @@ function policyCheck(env) {
         return {
             name: "policy",
             status: "pass",
-            message: `Local policy mode ${config.policy.mode}; project allowlists trusted: ${config.policy.trustProjectAllowlists}`
+            message: `Local policy mode ${config.policy.mode}; project allowlists trusted: ${config.policy.trustProjectAllowlists}; release cooldown ${describeCooldownSettings(config, env)}`
         };
     }
     catch (error) {
@@ -1101,6 +1104,38 @@ function policyCheck(env) {
         };
     }
 }
+function scriptGateCheck(env) {
+    try {
+        const mode = loadUserConfig(env).scriptGate.mode;
+        if (mode === "off") {
+            return {
+                name: "script-gate",
+                status: "pass",
+                message: "Install-script gate is off; protected installs do not report script-running packages"
+            };
+        }
+        if (mode === "enforce") {
+            return {
+                name: "script-gate",
+                status: "warn",
+                message: "scriptGate.mode is enforce, but this dg release observes only — installs report script-running packages without blocking",
+                fix: "enforcement ships in an upcoming release; dg config set scriptGate.mode observe clears this warning"
+            };
+        }
+        return {
+            name: "script-gate",
+            status: "pass",
+            message: "Install-script gate observes: protected npm/yarn installs report packages that ran install scripts (pnpm blocks them natively)"
+        };
+    }
+    catch (error) {
+        return {
+            name: "script-gate",
+            status: "fail",
+            message: error instanceof ConfigError ? error.message : "Unable to read script gate config"
+        };
+    }
+}
 function telemetryCheck(env) {
     try {
         const config = loadUserConfig(env);

package/dist/util/json-file.js

@@ -0,0 +1,24 @@
+import { mkdirSync, renameSync, rmSync, writeFileSync } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { dirname } from "node:path";
+export function writeJsonAtomic(path, value, options = {}) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: options.dirMode ?? 0o700
+    });
+    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+    try {
+        writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, {
+            encoding: "utf8",
+            flag: "wx",
+            mode: options.fileMode ?? 0o600
+        });
+        renameSync(tempPath, path);
+    }
+    catch (error) {
+        rmSync(tempPath, {
+            force: true
+        });
+        throw error;
+    }
+}

package/dist/util/tty-prompt.js

@@ -1,5 +1,16 @@
 import { closeSync, openSync, readSync } from "node:fs";
 export function promptYesNo(question, defaultYes, out = process.stderr) {
+    const answer = promptLine(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `, out);
+    if (answer === null) {
+        return null;
+    }
+    const normalized = answer.trim().toLowerCase();
+    if (normalized === "") {
+        return defaultYes;
+    }
+    return normalized === "y" || normalized === "yes";
+}
+export function promptLine(question, out = process.stderr) {
     let tty;
     try {
         tty = openSync("/dev/tty", "rs");
@@ -8,7 +19,7 @@ export function promptYesNo(question, defaultYes, out = process.stderr) {
         return null;
     }
     try {
-        out.write(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `);
+        out.write(question);
         const byte = Buffer.alloc(1);
         let answer = "";
         for (;;) {
@@ -31,11 +42,7 @@ export function promptYesNo(question, defaultYes, out = process.stderr) {
             }
             answer += char;
         }
-        const normalized = answer.trim().toLowerCase();
-        if (normalized === "") {
-            return defaultYes;
-        }
-        return normalized === "y" || normalized === "yes";
+        return answer;
     }
     finally {
         closeSync(tty);

package/dist/verify/package-check.js

@@ -2,6 +2,7 @@ import { existsSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
 import { analyzePackages, AnalyzeError } from "../api/analyze.js";
 import { createTheme } from "../presentation/theme.js";
+import { provenanceLabel, provenanceDowngradeLine } from "../presentation/provenance.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { isRemotePackageSpec, isSupportedLockfilePath } from "./preflight.js";
 import { authStatus } from "../auth/store.js";
@@ -62,6 +63,16 @@ function renderResult(spec, version, result, theme, verbose) {
     const action = result.action ?? "pass";
     const badge = theme.badge(action);
     const lines = [`${badge}  ${result.name}@${version} (${spec.ecosystem})  ${theme.paint("muted", `score ${result.score}`)}`];
+    if (result.provenance) {
+        const label = verbose && result.provenance.predicateType
+            ? `provenance ${provenanceLabel(result.provenance)} · ${result.provenance.predicateType}`
+            : `provenance ${provenanceLabel(result.provenance)}`;
+        lines.push(`  ${theme.paint("muted", label)}`);
+        const downgrade = provenanceDowngradeLine(version, result.provenance);
+        if (downgrade) {
+            lines.push(`  ${theme.paint("warn", `⚠ ${downgrade}`)}`);
+        }
+    }
     const reasons = verbose ? result.reasons : result.reasons.slice(0, 6);
     for (const reason of reasons) {
         const glyph = action === "block" ? theme.paint("block", "✘") : action === "warn" ? theme.paint("warn", "⚠") : theme.paint("muted", "·");
@@ -157,6 +168,7 @@ export async function runPackageCheck(target, io = {}, options = {}) {
             score: result.score,
             reasons: result.reasons,
             findings: result.findings,
+            ...(result.provenance ? { provenance: result.provenance } : {}),
             ...(result.recommendation ? { recommendation: result.recommendation } : {})
         }, null, 2)}\n`
         : renderResult(parsed, version, result, theme, options.verbose ?? false);

package/package.json

@@ -1,7 +1,15 @@
 {
   "name": "@westbayberry/dg",
-  "version": "2.0.10",
+  "version": "2.1.0",
   "description": "Dependency Guardian supply-chain firewall CLI",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/WestBayBerry/DG_CLI.git"
+  },
+  "bugs": {
+    "url": "https://github.com/WestBayBerry/DG_CLI/issues"
+  },
+  "homepage": "https://github.com/WestBayBerry/DG_CLI#readme",
   "type": "module",
   "bin": {
     "dg": "./dist/bin/dg.js"