@westbayberry/dg 2.0.11 → 2.1.0

package/dist/scripts/detect.js

@@ -0,0 +1,153 @@
+import { createHash } from "node:crypto";
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
+export function computeScriptsHash(scripts, hasGyp) {
+    const canonical = JSON.stringify({
+        preinstall: lifecycleCommand(scripts, "preinstall"),
+        install: lifecycleCommand(scripts, "install"),
+        postinstall: lifecycleCommand(scripts, "postinstall"),
+        gyp: hasGyp
+    });
+    return `sha256:${createHash("sha256").update(canonical).digest("hex")}`;
+}
+export function detectScriptWanters(projectDir) {
+    const nodeModules = join(projectDir, "node_modules");
+    const fromLockfile = wantersFromHiddenLockfile(projectDir, nodeModules);
+    const wanters = fromLockfile ?? wantersFromWalk(nodeModules);
+    const byName = new Map();
+    for (const wanter of wanters) {
+        if (!byName.has(wanter.name)) {
+            byName.set(wanter.name, wanter);
+        }
+    }
+    return [...byName.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+export function detectPnpmIgnoredBuilds(projectDir) {
+    const modulesYamlPath = join(projectDir, "node_modules", ".modules.yaml");
+    let content;
+    try {
+        content = readFileSync(modulesYamlPath, "utf8");
+    }
+    catch {
+        return [];
+    }
+    const lines = content.split("\n");
+    const startIndex = lines.findIndex((line) => /^ignoredBuilds:/.test(line));
+    if (startIndex === -1) {
+        return [];
+    }
+    const startLine = lines[startIndex] ?? "";
+    if (/\[\s*\]\s*$/.test(startLine)) {
+        return [];
+    }
+    const names = [];
+    for (const line of lines.slice(startIndex + 1)) {
+        const match = /^\s+-\s+(.+?)\s*$/.exec(line);
+        if (!match || !match[1]) {
+            break;
+        }
+        names.push(stripYamlQuotes(match[1]));
+    }
+    return names;
+}
+function stripYamlQuotes(value) {
+    if (value.length >= 2 && ((value.startsWith("'") && value.endsWith("'")) || (value.startsWith('"') && value.endsWith('"')))) {
+        return value.slice(1, -1);
+    }
+    return value;
+}
+function wantersFromHiddenLockfile(projectDir, nodeModules) {
+    const lockfilePath = join(nodeModules, ".package-lock.json");
+    let parsed;
+    try {
+        parsed = JSON.parse(readFileSync(lockfilePath, "utf8"));
+    }
+    catch {
+        return null;
+    }
+    if (!isPlainObject(parsed) || !isPlainObject(parsed.packages)) {
+        return null;
+    }
+    const wanters = [];
+    for (const [packagePath, entry] of Object.entries(parsed.packages)) {
+        if (!isPlainObject(entry) || entry.hasInstallScript !== true || !packagePath.startsWith("node_modules/")) {
+            continue;
+        }
+        const wanter = wanterFromManifestDir(join(projectDir, packagePath));
+        if (wanter) {
+            wanters.push(wanter);
+        }
+    }
+    return wanters;
+}
+function wantersFromWalk(nodeModules) {
+    const wanters = [];
+    for (const dir of packageDirs(nodeModules)) {
+        const wanter = wanterFromManifestDir(dir);
+        if (wanter) {
+            wanters.push(wanter);
+        }
+    }
+    return wanters;
+}
+function packageDirs(nodeModules) {
+    const dirs = [];
+    for (const entry of safeReaddir(nodeModules)) {
+        if (entry.startsWith(".")) {
+            continue;
+        }
+        if (entry.startsWith("@")) {
+            for (const scoped of safeReaddir(join(nodeModules, entry))) {
+                if (!scoped.startsWith(".")) {
+                    dirs.push(join(nodeModules, entry, scoped));
+                }
+            }
+            continue;
+        }
+        dirs.push(join(nodeModules, entry));
+    }
+    return dirs;
+}
+function wanterFromManifestDir(dir) {
+    let manifest;
+    try {
+        manifest = JSON.parse(readFileSync(join(dir, "package.json"), "utf8"));
+    }
+    catch {
+        return null;
+    }
+    if (!isPlainObject(manifest) || typeof manifest.name !== "string" || manifest.name.length === 0) {
+        return null;
+    }
+    const scripts = isPlainObject(manifest.scripts) ? manifest.scripts : {};
+    const hasGyp = existsSync(join(dir, "binding.gyp"));
+    const hooks = LIFECYCLE_HOOKS.filter((hook) => typeof lifecycleCommand(scripts, hook) === "string");
+    if (hasGyp) {
+        hooks.push("gyp");
+    }
+    if (hooks.length === 0) {
+        return null;
+    }
+    return {
+        name: manifest.name,
+        version: typeof manifest.version === "string" ? manifest.version : "",
+        hooks,
+        scriptsHash: computeScriptsHash(scripts, hasGyp)
+    };
+}
+function lifecycleCommand(scripts, hook) {
+    const command = scripts[hook];
+    return typeof command === "string" && command.length > 0 ? command : null;
+}
+function safeReaddir(dir) {
+    try {
+        return readdirSync(dir);
+    }
+    catch {
+        return [];
+    }
+}
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}

package/dist/scripts/gate.js

@@ -0,0 +1,170 @@
+import { loadUserConfig } from "../config/settings.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { loadDgFile, saveDgFile } from "../project/dgfile.js";
+import { detectPnpmIgnoredBuilds, detectScriptWanters } from "./detect.js";
+export function evaluateScriptGate(wanters, approvals) {
+    const approved = [];
+    const denied = [];
+    const pending = [];
+    const drifted = [];
+    for (const wanter of wanters) {
+        const entry = approvals[wanter.name];
+        if (!entry) {
+            pending.push(wanter);
+            continue;
+        }
+        if (entry.scriptsHash !== wanter.scriptsHash) {
+            drifted.push({ wanter, priorHash: entry.scriptsHash });
+            continue;
+        }
+        if (entry.decision === "allow") {
+            approved.push(wanter);
+        }
+        else {
+            denied.push(wanter);
+        }
+    }
+    return { approved, denied, pending, drifted };
+}
+export function applyScriptDecisions(file, decisions, now) {
+    if (decisions.length === 0) {
+        return file;
+    }
+    const npm = { ...file.scriptApprovals.npm };
+    for (const input of decisions) {
+        npm[input.wanter.name] = {
+            decision: input.decision,
+            scriptsHash: input.wanter.scriptsHash,
+            hooks: input.wanter.hooks,
+            ...(input.wanter.version ? { approvedVersion: input.wanter.version } : {}),
+            ...(input.reason ? { reason: input.reason } : {}),
+            approvedAt: now.toISOString(),
+            provenance: input.provenance ?? "prompt"
+        };
+    }
+    return {
+        ...file,
+        scriptApprovals: { ...file.scriptApprovals, npm }
+    };
+}
+export function recordScriptObservations(options) {
+    const file = loadDgFile(options.projectDir);
+    if (!file.readable || (!file.exists && !options.createIfMissing) || options.wanters.length === 0) {
+        return { written: false, path: file.path };
+    }
+    const observed = { ...file.scriptApprovals.observed };
+    let changed = false;
+    for (const wanter of options.wanters) {
+        const existing = observed[wanter.name];
+        if (existing &&
+            existing.version === wanter.version &&
+            existing.scriptsHash === wanter.scriptsHash &&
+            sameHooks(existing.hooks, wanter.hooks)) {
+            continue;
+        }
+        observed[wanter.name] = {
+            version: wanter.version,
+            hooks: wanter.hooks,
+            scriptsHash: wanter.scriptsHash,
+            firstSeen: existing ? existing.firstSeen : options.now.toISOString()
+        };
+        changed = true;
+    }
+    if (!changed) {
+        return { written: false, path: file.path };
+    }
+    saveDgFile({ ...file, scriptApprovals: { ...file.scriptApprovals, observed } });
+    return { written: true, path: file.path };
+}
+function sameHooks(a, b) {
+    return a.length === b.length && a.every((hook, index) => hook === b[index]);
+}
+export function hasExplicitScriptPreference(args, env) {
+    if (args.some((arg) => arg === "--ignore-scripts" || arg.startsWith("--ignore-scripts="))) {
+        return true;
+    }
+    return env.npm_config_ignore_scripts !== undefined && env.npm_config_ignore_scripts !== "";
+}
+export function scriptGateInstallArgs(options) {
+    if (options.mode !== "enforce") {
+        return options.args;
+    }
+    if (options.manager !== "npm" && options.manager !== "yarn") {
+        return options.args;
+    }
+    if (hasExplicitScriptPreference(options.args, options.env)) {
+        return options.args;
+    }
+    return [...options.args, "--ignore-scripts"];
+}
+export function scriptGateChildEnv(options) {
+    if (options.mode !== "enforce" || (options.manager !== "npm" && options.manager !== "yarn")) {
+        return {};
+    }
+    if (hasExplicitScriptPreference(options.args, options.env)) {
+        return {};
+    }
+    return { npm_config_ignore_scripts: "true" };
+}
+const REPORTED_NAME_LIMIT = 6;
+export function scriptGateReportLine(options) {
+    const theme = createTheme(resolvePresentation().color);
+    if (options.manager === "pnpm") {
+        const ignored = options.pnpmIgnoredBuilds ?? [];
+        if (ignored.length === 0) {
+            return "";
+        }
+        return `\n  ${theme.paint("muted", `dg scripts: pnpm natively blocked install scripts for ${formatNames(ignored)} — review with 'pnpm approve-builds'`)}\n`;
+    }
+    const wanters = options.wanters ?? [];
+    if (wanters.length === 0) {
+        return "";
+    }
+    const names = wanters.map((wanter) => (wanter.version ? `${wanter.name}@${wanter.version}` : wanter.name));
+    const noun = wanters.length === 1 ? "package ran" : "packages ran";
+    return `\n  ${theme.paint("muted", `dg scripts: ${wanters.length} ${noun} install scripts (${formatNames(names)}) — per-package approvals are coming; see 'dg explain script-gate'`)}\n`;
+}
+function formatNames(names) {
+    if (names.length <= REPORTED_NAME_LIMIT) {
+        return names.join(", ");
+    }
+    return `${names.slice(0, REPORTED_NAME_LIMIT).join(", ")}, +${names.length - REPORTED_NAME_LIMIT} more`;
+}
+const MUTATING_ACTIONS = {
+    npm: new Set(["install", "i", "ci", "add", "update", "dedupe"]),
+    yarn: new Set(["add", "install", "upgrade"]),
+    pnpm: new Set(["install", "i", "add", "update"])
+};
+export function runScriptGateAfterInstall(options) {
+    try {
+        const classification = options.classification;
+        if (classification.kind !== "protected" || classification.ecosystem !== "javascript") {
+            return "";
+        }
+        const mutatingActions = MUTATING_ACTIONS[classification.manager];
+        if (!mutatingActions || !mutatingActions.has(classification.action)) {
+            return "";
+        }
+        const config = loadUserConfig(options.env ?? process.env);
+        if (config.scriptGate.mode === "off") {
+            return "";
+        }
+        const projectDir = options.projectDir ?? process.cwd();
+        if (classification.manager === "pnpm") {
+            return scriptGateReportLine({ manager: "pnpm", pnpmIgnoredBuilds: detectPnpmIgnoredBuilds(projectDir) });
+        }
+        const wanters = detectScriptWanters(projectDir);
+        recordScriptObservations({
+            projectDir,
+            wanters,
+            createIfMissing: config.scriptGate.observe,
+            now: options.now ?? new Date()
+        });
+        return scriptGateReportLine({ manager: classification.manager, wanters });
+    }
+    catch {
+        // observing must never fail or block an install that already succeeded
+        return "";
+    }
+}

package/dist/scripts/rebuild.js

@@ -0,0 +1,28 @@
+export const ROOT_LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
+export function buildScriptRebuildPlan(manager, packages, includeRootLifecycle) {
+    const binaryName = manager === "pnpm" ? "pnpm" : "npm";
+    const commands = [];
+    if (packages.length > 0) {
+        commands.push(binaryName === "pnpm" ? ["rebuild", ...packages] : ["rebuild", ...packages, "--foreground-scripts"]);
+    }
+    if (includeRootLifecycle && binaryName === "npm") {
+        for (const hook of ROOT_LIFECYCLE_HOOKS) {
+            commands.push(["run", "--if-present", hook]);
+        }
+    }
+    return { binaryName, commands };
+}
+export async function runScriptRebuild(options) {
+    const failures = [];
+    let exitCode = 0;
+    for (const args of options.plan.commands) {
+        const result = await options.spawner({ binary: options.binaryPath, args, env: options.env });
+        if (result.exitCode !== 0) {
+            failures.push({ args, exitCode: result.exitCode });
+            if (exitCode === 0) {
+                exitCode = result.exitCode;
+            }
+        }
+    }
+    return { exitCode, failures };
+}

package/dist/setup/plan.js

@@ -8,6 +8,7 @@ import { dgVersion } from "../commands/version.js";
 import { compareVersions, readLatestVersion } from "../commands/update.js";
 import { AuthError, authStatus, displayTier, readAuthState } from "../auth/store.js";
 import { ConfigError, loadUserConfig } from "../config/settings.js";
+import { describeCooldownSettings } from "../policy/cooldown.js";
 import { resolveRealBinary } from "../launcher/resolve-real-binary.js";
 import { packageManagerNames } from "../launcher/classify.js";
 import { readServiceState } from "../service/state.js";
@@ -42,6 +43,7 @@ const DOCTOR_GROUP_BY_NAME = {
     "cleanup-registry-stale-entries": "setup",
     config: "setup",
     policy: "setup",
+    "script-gate": "setup",
     telemetry: "setup",
     shims: "setup",
     "shell-rc": "setup",
@@ -275,6 +277,7 @@ export function doctorReport(options = {}) {
     checks.push(configCheck(paths, env));
     checks.push(authCheck(env));
     checks.push(policyCheck(env));
+    checks.push(scriptGateCheck(env));
     checks.push(telemetryCheck(env));
     const missingShims = SHIM_COMMANDS.filter((command) => !validShim(join(shimDir, command), command));
     checks.push({
@@ -1090,7 +1093,7 @@ function policyCheck(env) {
         return {
             name: "policy",
             status: "pass",
-            message: `Local policy mode ${config.policy.mode}; project allowlists trusted: ${config.policy.trustProjectAllowlists}`
+            message: `Local policy mode ${config.policy.mode}; project allowlists trusted: ${config.policy.trustProjectAllowlists}; release cooldown ${describeCooldownSettings(config, env)}`
         };
     }
     catch (error) {
@@ -1101,6 +1104,38 @@ function policyCheck(env) {
         };
     }
 }
+function scriptGateCheck(env) {
+    try {
+        const mode = loadUserConfig(env).scriptGate.mode;
+        if (mode === "off") {
+            return {
+                name: "script-gate",
+                status: "pass",
+                message: "Install-script gate is off; protected installs do not report script-running packages"
+            };
+        }
+        if (mode === "enforce") {
+            return {
+                name: "script-gate",
+                status: "warn",
+                message: "scriptGate.mode is enforce, but this dg release observes only — installs report script-running packages without blocking",
+                fix: "enforcement ships in an upcoming release; dg config set scriptGate.mode observe clears this warning"
+            };
+        }
+        return {
+            name: "script-gate",
+            status: "pass",
+            message: "Install-script gate observes: protected npm/yarn installs report packages that ran install scripts (pnpm blocks them natively)"
+        };
+    }
+    catch (error) {
+        return {
+            name: "script-gate",
+            status: "fail",
+            message: error instanceof ConfigError ? error.message : "Unable to read script gate config"
+        };
+    }
+}
 function telemetryCheck(env) {
     try {
         const config = loadUserConfig(env);

package/dist/util/json-file.js

@@ -0,0 +1,24 @@
+import { mkdirSync, renameSync, rmSync, writeFileSync } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { dirname } from "node:path";
+export function writeJsonAtomic(path, value, options = {}) {
+    mkdirSync(dirname(path), {
+        recursive: true,
+        mode: options.dirMode ?? 0o700
+    });
+    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+    try {
+        writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, {
+            encoding: "utf8",
+            flag: "wx",
+            mode: options.fileMode ?? 0o600
+        });
+        renameSync(tempPath, path);
+    }
+    catch (error) {
+        rmSync(tempPath, {
+            force: true
+        });
+        throw error;
+    }
+}

package/dist/util/tty-prompt.js

@@ -1,5 +1,16 @@
 import { closeSync, openSync, readSync } from "node:fs";
 export function promptYesNo(question, defaultYes, out = process.stderr) {
+    const answer = promptLine(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `, out);
+    if (answer === null) {
+        return null;
+    }
+    const normalized = answer.trim().toLowerCase();
+    if (normalized === "") {
+        return defaultYes;
+    }
+    return normalized === "y" || normalized === "yes";
+}
+export function promptLine(question, out = process.stderr) {
     let tty;
     try {
         tty = openSync("/dev/tty", "rs");
@@ -8,7 +19,7 @@ export function promptYesNo(question, defaultYes, out = process.stderr) {
         return null;
     }
     try {
-        out.write(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `);
+        out.write(question);
         const byte = Buffer.alloc(1);
         let answer = "";
         for (;;) {
@@ -31,11 +42,7 @@ export function promptYesNo(question, defaultYes, out = process.stderr) {
             }
             answer += char;
         }
-        const normalized = answer.trim().toLowerCase();
-        if (normalized === "") {
-            return defaultYes;
-        }
-        return normalized === "y" || normalized === "yes";
+        return answer;
     }
     finally {
         closeSync(tty);

package/dist/verify/package-check.js

@@ -2,6 +2,7 @@ import { existsSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
 import { analyzePackages, AnalyzeError } from "../api/analyze.js";
 import { createTheme } from "../presentation/theme.js";
+import { provenanceLabel, provenanceDowngradeLine } from "../presentation/provenance.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { isRemotePackageSpec, isSupportedLockfilePath } from "./preflight.js";
 import { authStatus } from "../auth/store.js";
@@ -62,6 +63,16 @@ function renderResult(spec, version, result, theme, verbose) {
     const action = result.action ?? "pass";
     const badge = theme.badge(action);
     const lines = [`${badge}  ${result.name}@${version} (${spec.ecosystem})  ${theme.paint("muted", `score ${result.score}`)}`];
+    if (result.provenance) {
+        const label = verbose && result.provenance.predicateType
+            ? `provenance ${provenanceLabel(result.provenance)} · ${result.provenance.predicateType}`
+            : `provenance ${provenanceLabel(result.provenance)}`;
+        lines.push(`  ${theme.paint("muted", label)}`);
+        const downgrade = provenanceDowngradeLine(version, result.provenance);
+        if (downgrade) {
+            lines.push(`  ${theme.paint("warn", `⚠ ${downgrade}`)}`);
+        }
+    }
     const reasons = verbose ? result.reasons : result.reasons.slice(0, 6);
     for (const reason of reasons) {
         const glyph = action === "block" ? theme.paint("block", "✘") : action === "warn" ? theme.paint("warn", "⚠") : theme.paint("muted", "·");
@@ -157,6 +168,7 @@ export async function runPackageCheck(target, io = {}, options = {}) {
             score: result.score,
             reasons: result.reasons,
             findings: result.findings,
+            ...(result.provenance ? { provenance: result.provenance } : {}),
             ...(result.recommendation ? { recommendation: result.recommendation } : {})
         }, null, 2)}\n`
         : renderResult(parsed, version, result, theme, options.verbose ?? false);

package/package.json

@@ -1,7 +1,15 @@
 {
   "name": "@westbayberry/dg",
-  "version": "2.0.11",
+  "version": "2.1.0",
   "description": "Dependency Guardian supply-chain firewall CLI",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/WestBayBerry/DG_CLI.git"
+  },
+  "bugs": {
+    "url": "https://github.com/WestBayBerry/DG_CLI/issues"
+  },
+  "homepage": "https://github.com/WestBayBerry/DG_CLI#readme",
   "type": "module",
   "bin": {
     "dg": "./dist/bin/dg.js"