@westbayberry/dg 2.0.8 → 2.0.11

package/dist/proxy/ca.js

@@ -1,9 +1,43 @@
 import { randomBytes } from "node:crypto";
-import { mkdirSync, writeFileSync } from "node:fs";
+import { mkdirSync, renameSync, rmSync, writeFileSync } from "node:fs";
 import { dirname } from "node:path";
 import { isIP } from "node:net";
 import forge from "node-forge";
-export function createEphemeralCertificateAuthority(caPath) {
+export const CA_LIFETIME_MS = 24 * 60 * 60 * 1_000;
+export const CA_ROTATE_AFTER_FRACTION = 0.75;
+const ROTATION_CHECK_INTERVAL_MS = 60_000;
+export function createEphemeralCertificateAuthority(caPath, options = {}) {
+    const lifetimeMs = options.lifetimeMs ?? CA_LIFETIME_MS;
+    const now = options.now ?? Date.now;
+    let active = issueAuthority(caPath, lifetimeMs, now(), undefined);
+    const leafs = new Map();
+    const rotateIfDue = () => {
+        if (now() < active.rotateAtMs) {
+            return;
+        }
+        active = issueAuthority(caPath, lifetimeMs, now(), active.certPem);
+        leafs.clear();
+    };
+    setInterval(rotateIfDue, ROTATION_CHECK_INTERVAL_MS).unref();
+    return {
+        get caCertPem() {
+            return active.certPem;
+        },
+        caPath,
+        leafForHost(host) {
+            rotateIfDue();
+            const normalized = normalizeHost(host);
+            const existing = leafs.get(normalized);
+            if (existing) {
+                return existing;
+            }
+            const leaf = createLeafCertificate(normalized, active, lifetimeMs, now());
+            leafs.set(normalized, leaf);
+            return leaf;
+        }
+    };
+}
+function issueAuthority(caPath, lifetimeMs, nowMs, previousCertPem) {
     const keys = forge.pki.rsa.generateKeyPair({
         bits: 2048,
         workers: -1
@@ -11,8 +45,8 @@ export function createEphemeralCertificateAuthority(caPath) {
     const cert = forge.pki.createCertificate();
     cert.publicKey = keys.publicKey;
     cert.serialNumber = serialNumber();
-    cert.validity.notBefore = new Date(Date.now() - 60_000);
-    cert.validity.notAfter = new Date(Date.now() + 24 * 60 * 60 * 1_000);
+    cert.validity.notBefore = new Date(nowMs - 60_000);
+    cert.validity.notAfter = new Date(nowMs + lifetimeMs);
     const attrs = [{
             name: "commonName",
             value: "Dependency Guardian per-session proxy CA"
@@ -36,32 +70,38 @@ export function createEphemeralCertificateAuthority(caPath) {
         }
     ]);
     cert.sign(keys.privateKey, forge.md.sha256.create());
-    const caCertPem = forge.pki.certificateToPem(cert);
+    const certPem = forge.pki.certificateToPem(cert);
+    writeCaBundleAtomic(caPath, previousCertPem ? `${certPem}${previousCertPem}` : certPem);
+    return {
+        cert,
+        privateKey: keys.privateKey,
+        certPem,
+        notAfterMs: nowMs + lifetimeMs,
+        rotateAtMs: nowMs + Math.floor(lifetimeMs * CA_ROTATE_AFTER_FRACTION)
+    };
+}
+function writeCaBundleAtomic(caPath, bundle) {
     mkdirSync(dirname(caPath), {
         recursive: true,
         mode: 0o700
     });
-    writeFileSync(caPath, caCertPem, {
-        encoding: "utf8",
-        mode: 0o600
-    });
-    const leafs = new Map();
-    return {
-        caCertPem,
-        caPath,
-        leafForHost(host) {
-            const normalized = normalizeHost(host);
-            const existing = leafs.get(normalized);
-            if (existing) {
-                return existing;
-            }
-            const leaf = createLeafCertificate(normalized, cert, keys.privateKey);
-            leafs.set(normalized, leaf);
-            return leaf;
-        }
-    };
+    const tempPath = `${caPath}.${process.pid}.${randomBytes(6).toString("hex")}.tmp`;
+    try {
+        writeFileSync(tempPath, bundle, {
+            encoding: "utf8",
+            flag: "wx",
+            mode: 0o600
+        });
+        renameSync(tempPath, caPath);
+    }
+    catch (error) {
+        rmSync(tempPath, {
+            force: true
+        });
+        throw error;
+    }
 }
-function createLeafCertificate(host, issuerCert, issuerKey) {
+function createLeafCertificate(host, issuer, lifetimeMs, nowMs) {
     const keys = forge.pki.rsa.generateKeyPair({
         bits: 2048,
         workers: -1
@@ -69,13 +109,13 @@ function createLeafCertificate(host, issuerCert, issuerKey) {
     const cert = forge.pki.createCertificate();
     cert.publicKey = keys.publicKey;
     cert.serialNumber = serialNumber();
-    cert.validity.notBefore = new Date(Date.now() - 60_000);
-    cert.validity.notAfter = new Date(Date.now() + 24 * 60 * 60 * 1_000);
+    cert.validity.notBefore = new Date(nowMs - 60_000);
+    cert.validity.notAfter = new Date(Math.min(nowMs + lifetimeMs, issuer.notAfterMs));
     cert.setSubject([{
             name: "commonName",
             value: host
         }]);
-    cert.setIssuer(issuerCert.subject.attributes);
+    cert.setIssuer(issuer.cert.subject.attributes);
     cert.setExtensions([
         {
             name: "basicConstraints",
@@ -97,7 +137,7 @@ function createLeafCertificate(host, issuerCert, issuerKey) {
             altNames: subjectAlternativeNames(host)
         }
     ]);
-    cert.sign(issuerKey, forge.md.sha256.create());
+    cert.sign(issuer.privateKey, forge.md.sha256.create());
     return {
         certPem: forge.pki.certificateToPem(cert),
         keyPem: forge.pki.privateKeyToPem(keys.privateKey)

package/dist/proxy/enforcement.js

@@ -83,9 +83,47 @@ function failClosedVerdict(classification) {
         reason: "per-invocation proxy enforcement is not available, so protected installs fail closed"
     };
 }
-function derivePackageName(classification) {
-    const spec = classification.args.find((arg) => !arg.startsWith("-") && arg !== classification.action);
-    return spec ?? `${classification.manager}:${classification.action || "install"}`;
+const VALUE_CONSUMING_FLAGS = {
+    javascript: new Set([
+        "--registry", "--userconfig", "--globalconfig", "--cache", "--prefix", "--loglevel",
+        "--tag", "--workspace", "-w", "--filter", "-C", "--dir", "--cwd", "--modules-folder",
+        "--otp", "--script-shell", "--network-concurrency", "--mutex"
+    ]),
+    python: new Set([
+        "--index-url", "-i", "--extra-index-url", "--find-links", "-f", "--trusted-host",
+        "--proxy", "--requirement", "-r", "--constraint", "-c", "--target", "-t", "--prefix",
+        "--root", "--src", "--platform", "--python", "--python-version", "--implementation",
+        "--abi", "--cache-dir", "--timeout", "--retries", "--cert", "--client-cert", "--log",
+        "--progress-bar", "--upgrade-strategy", "--no-binary", "--only-binary", "--report",
+        "--editable", "-e", "--index", "--default-index"
+    ]),
+    rust: new Set([
+        "--registry", "--index", "--git", "--branch", "--tag", "--rev", "--path", "--vers",
+        "--version", "--features", "-F", "--package", "-p", "--manifest-path", "--target-dir",
+        "--profile", "--jobs", "-j", "--target", "--config", "-Z"
+    ]),
+    gated: new Set()
+};
+export function derivePackageName(classification) {
+    const valueFlags = VALUE_CONSUMING_FLAGS[classification.ecosystem];
+    const args = classification.args;
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            if (valueFlags.has(arg)) {
+                index += 1;
+            }
+            continue;
+        }
+        if (arg === classification.action) {
+            continue;
+        }
+        return arg;
+    }
+    return `${classification.manager}:${classification.action || "install"}`;
 }
 function causeFromVerdict(verdict, action) {
     if (verdict === "pass" && action === "pass") {

package/dist/proxy/worker.js

@@ -1,6 +1,8 @@
-import { readFileSync } from "node:fs";
+import { readFileSync, writeFileSync } from "node:fs";
 import { startProductionHttpProxy } from "./server.js";
 import { parseForceOverrideRequest } from "./enforcement.js";
+import { cleanupSessionSync } from "../state/index.js";
+const PARENT_POLL_MS = 500;
 const sessionPath = process.argv[2];
 const apiBaseUrl = process.argv[3];
 const classificationJson = process.env.DG_PROXY_CLASSIFICATION;
@@ -11,6 +13,10 @@ if (!sessionPath || !apiBaseUrl || !classificationJson) {
 const session = JSON.parse(readFileSync(sessionPath, "utf8"));
 const classification = JSON.parse(classificationJson);
 const forceOverride = parseForceOverrideRequest(process.env.DG_FORCE_OVERRIDE_REQUEST);
+writeFileSync(session.files.pid, `${process.pid}\n`, {
+    encoding: "utf8",
+    mode: 0o600
+});
 let handle = null;
 let closed = false;
 async function close() {
@@ -19,16 +25,22 @@ async function close() {
     }
     closed = true;
     await handle?.close();
+    cleanupSessionSync(session);
 }
-process.stdin.on("end", () => {
-    close().finally(() => process.exit(0));
-});
-process.on("SIGTERM", () => {
-    close().finally(() => process.exit(0));
-});
-process.on("SIGINT", () => {
+function shutdown() {
     close().finally(() => process.exit(0));
-});
+}
+process.stdin.resume();
+process.stdin.on("end", shutdown);
+process.stdin.on("error", shutdown);
+process.on("SIGTERM", shutdown);
+process.on("SIGINT", shutdown);
+const parentWatch = setInterval(() => {
+    if (process.ppid === 1) {
+        shutdown();
+    }
+}, PARENT_POLL_MS);
+parentWatch.unref();
 handle = await startProductionHttpProxy({
     session,
     apiBaseUrl,

package/dist/runtime/first-run.js

@@ -1,7 +1,9 @@
-import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
+import { dgVersion } from "../commands/version.js";
 import { isCiEnv } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
+import { sweepLegacyPythonHooks } from "../setup/plan.js";
 import { resolveDgPaths } from "../state/index.js";
 const SKIP_COMMANDS = new Set([
     "help",
@@ -18,17 +20,46 @@ const SKIP_COMMANDS = new Set([
     "upgrade",
     "uninstall"
 ]);
+const MACHINE_OUTPUT_FLAGS = new Set([
+    "--json",
+    "--sarif",
+    "--csv",
+    "--markdown",
+    "--output",
+    "-o",
+    "--quiet"
+]);
 export function firstRunMarkerPath(env = process.env) {
     return join(resolveDgPaths(env).stateDir, "first-run-shown");
 }
+export function lastRunVersionMarkerPath(env = process.env) {
+    return join(resolveDgPaths(env).stateDir, "last-run-version");
+}
+export function sweepLegacyHooksOnVersionChange(env = process.env, version = dgVersion()) {
+    try {
+        const marker = lastRunVersionMarkerPath(env);
+        const recorded = existsSync(marker) ? readFileSync(marker, "utf8").trim() : undefined;
+        if (recorded === version) {
+            return false;
+        }
+        sweepLegacyPythonHooks(resolveDgPaths(env).homeDir, [], []);
+        mkdirSync(dirname(marker), { recursive: true, mode: 0o700 });
+        writeFileSync(marker, `${version}\n`, { encoding: "utf8", mode: 0o600 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 export function maybeShowFirstRun(args, options = {}) {
     const env = options.env ?? process.env;
     const stderr = options.stderr ?? process.stderr;
     const command = args[0] ?? "";
+    sweepLegacyHooksOnVersionChange(env);
     if (!stderr.isTTY || isCiEnv(env)) {
         return false;
     }
-    if (SKIP_COMMANDS.has(command) || args.some((arg) => arg === "--json" || arg === "--sarif" || arg === "--quiet")) {
+    if (SKIP_COMMANDS.has(command) || args.some((arg) => MACHINE_OUTPUT_FLAGS.has(arg))) {
         return false;
     }
     const marker = firstRunMarkerPath(env);

package/dist/runtime/nudges.js

@@ -46,11 +46,11 @@ export function maybeShowNudges(args, options = {}) {
     const lines = [];
     let stateChanged = false;
     if (due(state.updateCheckedAt, UPDATE_THROTTLE_MS, now)) {
-        state.updateCheckedAt = now.toISOString();
-        stateChanged = true;
         const latest = readLatestVersion(LATEST_LOOKUP_TIMEOUT_MS);
         if (latest) {
+            state.updateCheckedAt = now.toISOString();
             state.updateLatest = latest;
+            stateChanged = true;
             if (compareVersions(latest, dgVersion()) > 0) {
                 lines.push(`${theme.paint("warn", "⚠")} ${theme.paint("muted", `Update available: ${dgVersion()} → ${latest}. Run`)} ${theme.paint("accent", "dg update")}${theme.paint("muted", ".")}`);
             }
@@ -68,6 +68,13 @@ export function maybeShowNudges(args, options = {}) {
         writeState(statePath, state);
     }
 }
+export function pendingUpdate(env = process.env) {
+    const latest = readState(nudgeStatePath(env)).updateLatest;
+    if (!latest || compareVersions(latest, dgVersion()) <= 0) {
+        return null;
+    }
+    return { current: dgVersion(), latest };
+}
 function isAuthenticated(env) {
     try {
         return authStatus(env).authenticated;

package/dist/scan/analyze-worker.js

@@ -1,21 +1,31 @@
-import { analyzePackages, mergeAnalyzeResponses } from "../api/analyze.js";
+import { analyzePackages, mergeAnalyzeResponses, scannerErrorFromUnknown } from "../api/analyze.js";
+async function readStdin() {
+    process.stdin.setEncoding("utf8");
+    let raw = "";
+    for await (const chunk of process.stdin) {
+        raw += chunk;
+    }
+    return raw;
+}
 async function main() {
-    const raw = process.argv[2];
+    const raw = (await readStdin()).trim();
     if (!raw) {
-        process.stderr.write("analyze-worker: missing input payload\n");
-        process.exit(2);
+        throw new Error("analyze-worker: missing input payload");
     }
-    const groups = JSON.parse(raw);
+    const payload = JSON.parse(raw);
     const responses = [];
-    for (const group of groups) {
+    for (const group of payload.groups) {
         if (group.packages.length === 0) {
             continue;
         }
-        responses.push(await analyzePackages(group.packages, { ecosystem: group.ecosystem }));
+        responses.push(await analyzePackages(group.packages, {
+            ecosystem: group.ecosystem,
+            ...(payload.scanId ? { scanId: payload.scanId } : {})
+        }));
     }
     process.stdout.write(JSON.stringify(mergeAnalyzeResponses(responses)));
 }
 main().catch((error) => {
-    process.stderr.write(`analyze-worker: ${error instanceof Error ? error.message : "unknown error"}\n`);
+    process.stdout.write(JSON.stringify({ scannerError: scannerErrorFromUnknown(error) }));
     process.exit(1);
 });

package/dist/scan/collect.js

@@ -1,6 +1,7 @@
 import { readdirSync } from "node:fs";
 import { join, relative } from "node:path";
-import { verifyLockfile } from "../verify/preflight.js";
+import { gitIgnoredDirectories } from "./discovery.js";
+import { parseLockfilePackages } from "../verify/preflight.js";
 export const LOCKFILE_ECOSYSTEMS = {
     "package-lock.json": "npm",
     "npm-shrinkwrap.json": "npm",
@@ -8,6 +9,7 @@ export const LOCKFILE_ECOSYSTEMS = {
     "pnpm-lock.yaml": "npm",
     "Pipfile.lock": "pypi",
     "poetry.lock": "pypi",
+    "uv.lock": "pypi",
     "requirements.txt": "pypi"
 };
 export function isLockfileName(name) {
@@ -34,19 +36,29 @@ function readDirents(directory) {
         return [];
     }
 }
-function firstLockfile(entries) {
+function lockfilesPerEcosystem(entries) {
+    const matches = [];
+    const claimed = new Set();
     for (const [lockfile, ecosystem] of Object.entries(LOCKFILE_ECOSYSTEMS)) {
+        if (claimed.has(ecosystem)) {
+            continue;
+        }
         if (entries.some((entry) => entry.name === lockfile && entry.isFile())) {
-            return [lockfile, ecosystem];
+            matches.push([lockfile, ecosystem]);
+            claimed.add(ecosystem);
         }
     }
-    return null;
+    return matches;
 }
-function shouldDescend(entry) {
-    return entry.isDirectory() && !IGNORED_DIRECTORIES.has(entry.name) && !entry.name.startsWith(".");
+function shouldDescend(entry, directory, gitIgnored) {
+    return (entry.isDirectory() &&
+        !IGNORED_DIRECTORIES.has(entry.name) &&
+        !entry.name.startsWith(".") &&
+        !gitIgnored.has(join(directory, entry.name)));
 }
 export function discoverScanProjects(root) {
     const projects = [];
+    const gitIgnored = gitIgnoredDirectories(root);
     walk(root, 0);
     return projects;
     function walk(directory, depth) {
@@ -54,18 +66,17 @@ export function discoverScanProjects(root) {
             return;
         }
         const entries = readDirents(directory);
-        const match = firstLockfile(entries);
-        if (match) {
+        for (const [depFile, ecosystem] of lockfilesPerEcosystem(entries)) {
             projects.push({
                 path: directory,
                 relativePath: relative(root, directory) || ".",
-                ecosystem: match[1],
-                depFile: match[0],
-                packageCount: countLockfilePackages(join(directory, match[0]))
+                ecosystem,
+                depFile,
+                packageCount: countLockfilePackages(join(directory, depFile))
             });
         }
         for (const entry of entries) {
-            if (shouldDescend(entry)) {
+            if (shouldDescend(entry, directory, gitIgnored)) {
                 walk(join(directory, entry.name), depth + 1);
             }
         }
@@ -73,6 +84,7 @@ export function discoverScanProjects(root) {
 }
 export async function discoverScanProjectsAsync(root, onProgress) {
     const projects = [];
+    const gitIgnored = gitIgnoredDirectories(root);
     let lastYield = Date.now();
     await walk(root, 0);
     return projects;
@@ -85,20 +97,19 @@ export async function discoverScanProjectsAsync(root, onProgress) {
             lastYield = Date.now();
         }
         const entries = readDirents(directory);
-        const match = firstLockfile(entries);
-        if (match) {
+        for (const [depFile, ecosystem] of lockfilesPerEcosystem(entries)) {
             const relativePath = relative(root, directory) || ".";
             projects.push({
                 path: directory,
                 relativePath,
-                ecosystem: match[1],
-                depFile: match[0],
-                packageCount: countLockfilePackages(join(directory, match[0]))
+                ecosystem,
+                depFile,
+                packageCount: countLockfilePackages(join(directory, depFile))
             });
-            onProgress?.({ path: relativePath === "." ? match[0] : `${relativePath}/${match[0]}`, found: projects.length });
+            onProgress?.({ path: relativePath === "." ? depFile : `${relativePath}/${depFile}`, found: projects.length });
         }
         for (const entry of entries) {
-            if (shouldDescend(entry)) {
+            if (shouldDescend(entry, directory, gitIgnored)) {
                 await walk(join(directory, entry.name), depth + 1);
             }
         }
@@ -110,27 +121,29 @@ function yieldToEventLoop() {
     });
 }
 function countLockfilePackages(lockfilePath) {
-    try {
-        return verifyLockfile(lockfilePath).packages.length;
-    }
-    catch {
-        return 0;
-    }
+    return parseLockfilePackages(lockfilePath).packages.length;
 }
 export function collectScanPackages(projects) {
     const byEcosystem = new Map();
     const seen = new Set();
+    const skippedPackages = [];
+    const parseErrors = [];
     let skipped = 0;
     for (const project of projects) {
-        let identities;
-        try {
-            identities = verifyLockfile(join(project.path, project.depFile)).packages;
+        const depFilePath = project.relativePath === "." ? project.depFile : `${project.relativePath}/${project.depFile}`;
+        const parsed = parseLockfilePackages(join(project.path, project.depFile));
+        for (const skippedPackage of parsed.skipped) {
+            skippedPackages.push({ ...skippedPackage, location: `${depFilePath}: ${skippedPackage.location}` });
+            skipped += 1;
         }
-        catch {
+        if (parsed.parseError) {
+            parseErrors.push({
+                file: parsed.parseError.file === project.depFile ? depFilePath : parsed.parseError.file,
+                reason: parsed.parseError.reason
+            });
             skipped += 1;
-            continue;
         }
-        for (const identity of identities) {
+        for (const identity of parsed.packages) {
             if (identity.ecosystem !== "npm" && identity.ecosystem !== "pypi") {
                 skipped += 1;
                 continue;
@@ -149,5 +162,5 @@ export function collectScanPackages(projects) {
             byEcosystem.set(identity.ecosystem, list);
         }
     }
-    return { byEcosystem, skipped };
+    return { byEcosystem, skipped, skippedPackages, parseErrors };
 }