@westbayberry/dg 2.0.8 → 2.0.11

package/dist/scan/command.js

@@ -5,53 +5,70 @@ import { renderJsonReport, renderSarifReport, renderTextReport } from "./render.
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
 import { launchScanTui, shouldLaunchScanTui } from "../scan-ui/launch.js";
-import { tryScannerScan } from "./scanner-report.js";
-import { runStagedScan } from "./staged.js";
+import { runScannerScan } from "./scanner-report.js";
+import { runStagedScan, stagedScanReport } from "./staged.js";
 import { scanExitCode } from "../scan-ui/shims.js";
 import { loadUserConfig } from "../config/settings.js";
-import { EXIT_USAGE } from "../commands/types.js";
+import { EXIT_USAGE_VERDICT } from "../commands/types.js";
 export function runScanCommand(context) {
     const parsed = parseScanArgs(context.args);
     if ("error" in parsed) {
         return usageError(parsed.error);
     }
-    if (parsed.staged) {
-        return runStagedScan({ hook: parsed.hook });
-    }
-    if (shouldLaunchScanTui({
-        targetPath: parsed.targetPath,
-        format: parsed.format,
-        outputPath: parsed.outputPath ?? undefined
-    })) {
-        void launchScanTui().catch((error) => {
-            process.stderr.write(`dg scan TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`);
-            process.exitCode = 1;
-        });
-        return {
-            exitCode: 0,
-            stdout: "",
-            stderr: ""
-        };
+    const stagedTarget = parsed.sawTarget ? parsed.targetPath : null;
+    const machineOutput = parsed.format !== "text" || parsed.outputPath !== null;
+    if (parsed.staged && !machineOutput) {
+        return runStagedScan({ hook: parsed.hook, targetPath: stagedTarget });
     }
     let report;
-    try {
-        report = scanProject({
-            targetPath: parsed.targetPath
-        });
+    let outcome;
+    if (parsed.staged) {
+        const staged = stagedScanReport({ targetPath: stagedTarget });
+        if ("result" in staged) {
+            return staged.result;
+        }
+        report = staged.report;
+        outcome = staged.outcome;
     }
-    catch (error) {
-        return {
-            exitCode: 1,
-            stdout: "",
-            stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
-        };
+    else {
+        if (shouldLaunchScanTui({
+            targetPath: parsed.targetPath,
+            format: parsed.format,
+            outputPath: parsed.outputPath ?? undefined
+        })) {
+            void launchScanTui().catch((error) => {
+                process.stderr.write(`dg scan TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`);
+                process.exitCode = 1;
+            });
+            return {
+                exitCode: 0,
+                stdout: "",
+                stderr: ""
+            };
+        }
+        try {
+            report = scanProject({
+                targetPath: parsed.targetPath
+            });
+        }
+        catch (error) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
+            };
+        }
+        outcome = runScannerScan(parsed.targetPath, report);
+    }
+    if (outcome.kind === "report") {
+        report = outcome.report;
     }
-    const scannerReport = tryScannerScan(parsed.targetPath, report);
-    if (scannerReport) {
-        report = scannerReport;
+    else if (outcome.kind === "failed") {
+        report = degradeReport(report, outcome.error);
     }
-    const scannerUnavailable = scannerReport === null && report.summary.projectCount > 0;
-    const rendered = renderReport(report, parsed.format, scannerUnavailable);
+    const skipNotice = skipNoticeFor(outcome, report);
+    const scannerUnavailable = !report.scanner && report.summary.projectCount > 0;
+    const rendered = renderReport(report, parsed.format, scannerUnavailable, skipNotice);
     if (parsed.outputPath) {
         try {
             writeFileSync(resolve(parsed.outputPath), rendered, "utf8");
@@ -111,7 +128,7 @@ function parseScanArgs(args) {
         }
         if (arg === "--output" || arg === "-o") {
             const next = args[index + 1];
-            if (!next) {
+            if (!next || next.startsWith("-")) {
                 return { error: `${arg} requires a path` };
             }
             outputPath = next;
@@ -131,29 +148,52 @@ function parseScanArgs(args) {
         format,
         outputPath,
         targetPath,
+        sawTarget,
         staged,
         hook
     };
 }
 function usageError(message) {
     return {
-        exitCode: EXIT_USAGE,
+        exitCode: EXIT_USAGE_VERDICT,
         stdout: "",
         stderr: `dg scan: ${message}. Usage: dg scan [path] [--json|--sarif] [--output <path>]\n`
     };
 }
-function renderReport(report, format, scannerUnavailable) {
+function degradeReport(report, error) {
+    const status = report.status === "block" || report.status === "warn" ? report.status : "unknown";
+    return { ...report, status, scannerError: error };
+}
+function skipNoticeFor(outcome, report) {
+    if (outcome.kind !== "skipped") {
+        return undefined;
+    }
+    if (outcome.reason === "no_lockfiles") {
+        return report.summary.projectCount > 0 ? "no_lockfile" : undefined;
+    }
+    return "empty_lockfile";
+}
+function renderReport(report, format, scannerUnavailable, skipNotice) {
     if (format === "json") {
         return renderJsonReport(report, scannerUnavailable);
     }
     if (format === "sarif") {
         return renderSarifReport(report);
     }
-    return renderTextReport(report, undefined, createTheme(resolvePresentation().color), scannerUnavailable);
+    return renderTextReport(report, undefined, createTheme(resolvePresentation().color), skipNotice);
 }
 function exitCodeForReport(report) {
     if (report.scanner) {
         return scanExitCode(report.scanner.action, loadUserConfig().policy.mode);
     }
-    return report.status === "block" || report.status === "error" ? 1 : 0;
+    if (report.status === "block") {
+        return 2;
+    }
+    if (report.status === "warn") {
+        return 1;
+    }
+    if (report.status === "error" || report.status === "unknown") {
+        return 4;
+    }
+    return 0;
 }

package/dist/scan/discovery.js

@@ -1,3 +1,4 @@
+import { execFileSync } from "node:child_process";
 import { readdirSync, readFileSync, statSync } from "node:fs";
 import { basename, dirname, relative, resolve, sep } from "node:path";
 const IGNORED_DIRECTORIES = new Set([
@@ -75,21 +76,88 @@ function resolveStatus(counts) {
 }
 function discoverPackageManifests(root) {
     const manifests = [];
-    walk(root, 0, manifests);
+    walk(root, 0, manifests, gitIgnoredDirectories(root));
     return manifests.sort((left, right) => displayPath(root, left).localeCompare(displayPath(root, right)));
 }
-function walk(directory, depth, manifests) {
+export function gitIgnoredDirectories(root) {
+    const ignored = new Set();
+    if (!insideGitWorkTree(root)) {
+        return ignored;
+    }
+    let level = [root];
+    for (let depth = 0; depth <= MAX_DISCOVERY_DEPTH && level.length > 0; depth++) {
+        const candidates = [];
+        for (const directory of level) {
+            let entries;
+            try {
+                entries = readdirSync(directory, { withFileTypes: true });
+            }
+            catch {
+                continue;
+            }
+            for (const entry of entries) {
+                if (entry.isDirectory() && !IGNORED_DIRECTORIES.has(entry.name)) {
+                    candidates.push(resolve(directory, entry.name));
+                }
+            }
+        }
+        if (candidates.length === 0) {
+            break;
+        }
+        const flagged = checkIgnoreBatch(root, candidates);
+        for (const directory of flagged) {
+            ignored.add(directory);
+        }
+        level = candidates.filter((directory) => !flagged.has(directory));
+    }
+    return ignored;
+}
+function insideGitWorkTree(root) {
+    try {
+        const out = execFileSync("git", ["-C", root, "rev-parse", "--is-inside-work-tree"], {
+            encoding: "utf8",
+            timeout: 3000,
+            stdio: ["ignore", "pipe", "ignore"]
+        });
+        return out.trim() === "true";
+    }
+    catch {
+        return false;
+    }
+}
+function checkIgnoreBatch(root, directories) {
+    try {
+        const out = execFileSync("git", ["-C", root, "check-ignore", "--stdin", "-z"], {
+            input: directories.join("\0"),
+            encoding: "utf8",
+            timeout: 5000,
+            maxBuffer: 16 * 1024 * 1024,
+            stdio: ["pipe", "pipe", "ignore"]
+        });
+        return new Set(out.split("\0").filter(Boolean));
+    }
+    catch {
+        return new Set();
+    }
+}
+function walk(directory, depth, manifests, gitIgnored) {
     if (depth > MAX_DISCOVERY_DEPTH) {
         return;
     }
-    const entries = readdirSync(directory, {
-        withFileTypes: true
-    }).sort((left, right) => left.name.localeCompare(right.name));
+    let entries;
+    try {
+        entries = readdirSync(directory, {
+            withFileTypes: true
+        }).sort((left, right) => left.name.localeCompare(right.name));
+    }
+    catch {
+        return;
+    }
     for (const entry of entries) {
         const absolutePath = resolve(directory, entry.name);
         if (entry.isDirectory()) {
-            if (!IGNORED_DIRECTORIES.has(entry.name)) {
-                walk(absolutePath, depth + 1, manifests);
+            if (!IGNORED_DIRECTORIES.has(entry.name) && !gitIgnored.has(absolutePath)) {
+                walk(absolutePath, depth + 1, manifests, gitIgnored);
             }
             continue;
         }

package/dist/scan/render.js

@@ -9,7 +9,14 @@ const SCAN_STATUS_ROLE = {
     unknown: "unknown",
     error: "block"
 };
-export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(), theme = createTheme(false), scannerUnavailable = false) {
+export function displayScanStatus(report) {
+    return report.scannerError && report.status === "unknown" ? "analysis_incomplete" : report.status;
+}
+const SCANNER_SKIP_MESSAGES = {
+    no_lockfile: "no lockfile found — server verification skipped (local heuristics only)",
+    empty_lockfile: "lockfile contains no scannable packages — server verification skipped (local heuristics only)"
+};
+export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(), theme = createTheme(false), scannerNotice) {
     const width = Math.max(48, Math.min(terminalWidth, 140));
     const cleanProjects = report.projects.filter((project) => project.findings.length === 0);
     const findingProjects = report.projects.filter((project) => project.findings.length > 0);
@@ -18,7 +25,7 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
         "Dependency Guardian scan",
         `Target: ${report.target}`,
         `Scanning: checked ${report.summary.projectCount} project manifest${report.summary.projectCount === 1 ? "" : "s"}.`,
-        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], report.status)}`,
+        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report))}`,
         `Projects: ${report.summary.projectCount}`,
         `Dependencies: ${report.summary.dependencyCount}`,
         `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)`,
@@ -27,11 +34,20 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
             : []),
         ""
     ];
-    if (scannerUnavailable) {
-        lines.push("server scan unavailable — local heuristics only (run 'dg doctor' to diagnose)");
+    if (report.scannerError) {
+        const scannerError = report.scannerError;
+        lines.push(theme.paint(scannerError.kind === "quota_exceeded" ? "warn" : "block", `server scan failed: ${scannerError.message}`));
+        if (scannerError.scansUsed !== undefined || scannerError.scansLimit !== undefined) {
+            lines.push(`scans used: ${scannerError.scansUsed ?? "?"} of ${scannerError.scansLimit ?? "?"}`);
+        }
+        lines.push("local heuristics only — no server verdict (run 'dg doctor' to diagnose)");
+        lines.push("");
+    }
+    else if (scannerNotice) {
+        lines.push(SCANNER_SKIP_MESSAGES[scannerNotice]);
         lines.push("");
     }
-    if (report.projects.length === 0 && report.errors.length === 0) {
+    if (report.projects.length === 0 && report.errors.length === 0 && !report.scanner && !report.scannerError) {
         lines.push("No supported project manifests found.");
     }
     if (findingProjects.length > 0) {
@@ -96,7 +112,7 @@ function formatProject(project, width) {
     return lines;
 }
 export function renderJsonReport(report, scannerUnavailable = false) {
-    return `${JSON.stringify({ ...report, scannerUnavailable }, null, 2)}\n`;
+    return `${JSON.stringify({ ...report, status: displayScanStatus(report), scannerUnavailable }, null, 2)}\n`;
 }
 export function renderSarifReport(report) {
     const rules = uniqueFindings(report.findings).map((finding) => ({

package/dist/scan/scanner-report.js

@@ -1,43 +1,120 @@
 import { spawnSync } from "node:child_process";
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { sanitize } from "../security/sanitize.js";
 import { collectScanPackages, discoverScanProjects } from "./collect.js";
-const WORKER_TIMEOUT_MS = 180_000;
-export function tryScannerScan(targetPath, localReport, env = process.env) {
+const WORKER_TIMEOUT_BASE_MS = 180_000;
+const SERVER_PER_PACKAGE_WORST_CASE_MS = 660_000;
+const SERVER_SCAN_CONCURRENCY = 64;
+const WORKER_MAX_BUFFER = 64 * 1024 * 1024;
+export function scanWorkerTimeoutMs(packageCount) {
+    return WORKER_TIMEOUT_BASE_MS + packageCount * Math.ceil(SERVER_PER_PACKAGE_WORST_CASE_MS / SERVER_SCAN_CONCURRENCY);
+}
+export function runScannerScan(targetPath, localReport, env = process.env) {
     const projects = discoverScanProjects(resolve(targetPath));
     if (projects.length === 0) {
-        return null;
+        return { kind: "skipped", reason: "no_lockfiles" };
     }
-    const { byEcosystem } = collectScanPackages(projects);
-    const groups = [...byEcosystem.entries()].map(([ecosystem, packages]) => ({ ecosystem, packages }));
+    const collected = collectScanPackages(projects);
+    const groups = [...collected.byEcosystem.entries()].map(([ecosystem, packages]) => ({ ecosystem, packages }));
     const total = groups.reduce((sum, group) => sum + group.packages.length, 0);
     if (total === 0) {
-        return null;
+        if (collected.skipped > 0) {
+            return { kind: "failed", error: lockfileParseError(projects, collected) };
+        }
+        return { kind: "skipped", reason: "no_packages" };
     }
     const workerPath = [
         fileURLToPath(new URL("./analyze-worker.js", import.meta.url)),
         fileURLToPath(new URL("../../dist/scan/analyze-worker.js", import.meta.url))
     ].find((candidate) => existsSync(candidate));
     if (!workerPath) {
-        return null;
+        return {
+            kind: "failed",
+            error: { kind: "worker", message: "scanner worker is missing — reinstall @westbayberry/dg" }
+        };
     }
-    const worker = spawnSync(process.execPath, [workerPath, JSON.stringify(groups)], {
+    const timeoutMs = scanWorkerTimeoutMs(total);
+    const worker = spawnSync(process.execPath, [workerPath], {
         encoding: "utf8",
         env,
-        timeout: WORKER_TIMEOUT_MS
+        input: JSON.stringify({ scanId: randomUUID(), groups }),
+        maxBuffer: WORKER_MAX_BUFFER,
+        timeout: timeoutMs
     });
-    if (worker.status !== 0 || !worker.stdout) {
-        return null;
+    const failure = workerFailure(worker, timeoutMs, total);
+    if (failure) {
+        return { kind: "failed", error: failure };
     }
     let response;
     try {
         response = JSON.parse(worker.stdout);
     }
+    catch {
+        return {
+            kind: "failed",
+            error: { kind: "invalid_response", message: "scanner worker returned unreadable output" }
+        };
+    }
+    return { kind: "report", report: buildScannerReport(localReport, response, total) };
+}
+export function tryScannerScan(targetPath, localReport, env = process.env) {
+    const outcome = runScannerScan(targetPath, localReport, env);
+    return outcome.kind === "report" ? outcome.report : null;
+}
+export function workerFailure(worker, timeoutMs, packageCount) {
+    if (worker.error?.code === "ETIMEDOUT") {
+        return {
+            kind: "timeout",
+            message: `server scan timed out after ${Math.round(timeoutMs / 1000)}s without finishing ${packageCount} package${packageCount === 1 ? "" : "s"}`
+        };
+    }
+    if (worker.error) {
+        return { kind: "worker", message: `scanner worker failed to start: ${worker.error.message}` };
+    }
+    if (worker.status === 0 && worker.stdout) {
+        return null;
+    }
+    const reported = parseWorkerError(worker.stdout);
+    if (reported) {
+        return reported;
+    }
+    const stderrLine = (worker.stderr ?? "").trim().split("\n")[0] ?? "";
+    return {
+        kind: "worker",
+        message: stderrLine ? `scanner worker failed: ${sanitize(stderrLine)}` : "scanner worker exited without a result"
+    };
+}
+function parseWorkerError(stdout) {
+    if (!stdout) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(stdout);
+        if (parsed.scannerError && typeof parsed.scannerError.message === "string" && typeof parsed.scannerError.kind === "string") {
+            return parsed.scannerError;
+        }
+    }
     catch {
         return null;
     }
-    return buildScannerReport(localReport, response, total);
+    return null;
+}
+function lockfileParseError(projects, collected) {
+    const parseErrors = collected.parseErrors ?? [];
+    const detail = parseErrors
+        .map((entry) => [entry.path, entry.message].filter(Boolean).join(": "))
+        .filter((line) => line.length > 0)
+        .join("; ");
+    const lockfiles = [...new Set(projects.map((project) => project.depFile))].join(", ");
+    return {
+        kind: "lockfile_unparsed",
+        message: detail
+            ? `could not parse lockfile${parseErrors.length === 1 ? "" : "s"}: ${detail}`
+            : `found ${projects.length} lockfile${projects.length === 1 ? "" : "s"} (${lockfiles}) but no packages could be parsed`
+    };
 }
 export function buildScannerReport(localReport, response, analyzedCount) {
     const findings = response.packages

package/dist/scan/staged.js

@@ -1,6 +1,6 @@
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { mkdirSync, mkdtempSync, realpathSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
-import { basename, dirname, join } from "node:path";
+import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "node:path";
 import { createTheme } from "../presentation/theme.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { loadUserConfig } from "../config/settings.js";
@@ -8,8 +8,8 @@ import { gitSync, gitTrimmed } from "../util/git.js";
 import { promptYesNo } from "../util/tty-prompt.js";
 import { GUARD_SELFTEST_ENV } from "../setup/git-hook.js";
 import { isLockfileName } from "./collect.js";
-import { tryScannerScan } from "./scanner-report.js";
-import { EXIT_USAGE } from "../commands/types.js";
+import { runScannerScan, tryScannerScan } from "./scanner-report.js";
+import { EXIT_USAGE_VERDICT } from "../commands/types.js";
 function emptyLocalReport(target) {
     return {
         target,
@@ -34,6 +34,20 @@ export function stagedLockfilePaths(cwd, env) {
     }
     return diff.stdout.split("\0").filter(Boolean).filter((path) => isLockfileName(basename(path)));
 }
+export function scopeStagedPaths(paths, root, cwd, targetPath) {
+    if (!targetPath) {
+        return [...paths];
+    }
+    const prefix = relative(safeRealpath(root), safeRealpath(resolve(safeRealpath(cwd), targetPath)));
+    if (prefix.startsWith("..") || isAbsolute(prefix)) {
+        return null;
+    }
+    if (prefix === "" || prefix === ".") {
+        return [...paths];
+    }
+    const normalized = prefix.split(sep).join("/");
+    return paths.filter((path) => path === normalized || path.startsWith(`${normalized}/`));
+}
 export function materializeStaged(relPaths, cwd, env) {
     const dir = mkdtempSync(join(tmpdir(), "dg-staged-"));
     let count = 0;
@@ -58,16 +72,20 @@ export function runStagedScan(options) {
     }
     const root = gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
     if (!root) {
-        return { exitCode: EXIT_USAGE, stdout: "", stderr: "dg scan --staged: not a git repository.\n" };
+        return notARepoResult();
     }
     const lockfiles = stagedLockfilePaths(cwd, env);
     if (lockfiles === null) {
         return failOpen(theme, "could not read staged changes");
     }
-    if (lockfiles.length === 0) {
+    const scoped = scopeStagedPaths(lockfiles, root, cwd, options.targetPath ?? null);
+    if (scoped === null) {
+        return outsideRepoResult(options.targetPath ?? "");
+    }
+    if (scoped.length === 0) {
         return { exitCode: 0, stdout: "", stderr: "" };
     }
-    const { dir, count } = materializeStaged(lockfiles, cwd, env);
+    const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return failOpen(theme, "could not read the staged lockfile contents");
@@ -82,6 +100,50 @@ export function runStagedScan(options) {
         rmSync(dir, { recursive: true, force: true });
     }
 }
+export function stagedScanReport(options) {
+    const env = options.env ?? process.env;
+    const cwd = options.cwd ?? process.cwd();
+    const root = gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
+    if (!root) {
+        return { result: notARepoResult() };
+    }
+    const base = { ...emptyLocalReport(root), status: "pass" };
+    const lockfiles = stagedLockfilePaths(cwd, env);
+    if (lockfiles === null) {
+        return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read staged changes" } } };
+    }
+    const scoped = scopeStagedPaths(lockfiles, root, cwd, options.targetPath ?? null);
+    if (scoped === null) {
+        return { result: outsideRepoResult(options.targetPath ?? "") };
+    }
+    if (scoped.length === 0) {
+        return { report: base, outcome: { kind: "skipped", reason: "no_lockfiles" } };
+    }
+    const { dir, count } = materializeStaged(scoped, cwd, env);
+    try {
+        if (count === 0) {
+            return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read the staged lockfile contents" } } };
+        }
+        return { report: base, outcome: runScannerScan(dir, base, env) };
+    }
+    finally {
+        rmSync(dir, { recursive: true, force: true });
+    }
+}
+function safeRealpath(path) {
+    try {
+        return realpathSync(path);
+    }
+    catch {
+        return path;
+    }
+}
+function notARepoResult() {
+    return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: "dg scan --staged: not a git repository.\n" };
+}
+function outsideRepoResult(targetPath) {
+    return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: `dg scan --staged: ${targetPath} is outside this repository.\n` };
+}
 export function decideStagedVerdict(report, env = process.env, hook = false) {
     const theme = createTheme(resolvePresentation().color);
     const action = report.scanner?.action ?? report.status;