bingo-light 2.1.1 → 2.1.3

package/bingo_core/dep_fork.py

@@ -0,0 +1,268 @@
+"""
+bingo_core.dep_fork — Fork-as-dependency tracking for npm projects.
+
+Scans package.json for git-based dependencies (github:user/repo, git+https://,
+etc.), detects drift from upstream releases, and updates fork refs.
+
+Python 3.8+ stdlib only.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import tempfile
+import urllib.request
+import urllib.error
+from typing import Any, Dict, List, Optional
+
+
+# Git dependency patterns in package.json
+_GIT_DEP_PATTERNS = [
+    re.compile(r'^github:(.+)$'),                          # github:user/repo#ref
+    re.compile(r'^git\+https?://github\.com/(.+?)(?:\.git)?(?:#(.+))?$'),  # git+https://
+    re.compile(r'^git\+ssh://git@github\.com[:/](.+?)(?:\.git)?(?:#(.+))?$'),  # git+ssh://
+    re.compile(r'^([a-zA-Z0-9_-]+/[a-zA-Z0-9._-]+)(?:#(.+))?$'),  # user/repo shorthand
+]
+
+
+class ForkTracker:
+    """Track git-based dependencies in npm projects."""
+
+    def __init__(self, cwd: str = "."):
+        self.cwd = os.path.abspath(cwd)
+
+    def _read_package_json(self) -> Optional[dict]:
+        pj = os.path.join(self.cwd, "package.json")
+        if not os.path.isfile(pj):
+            return None
+        try:
+            with open(pj) as f:
+                return json.load(f)
+        except (json.JSONDecodeError, IOError):
+            return None
+
+    def _write_package_json(self, data: dict) -> None:
+        pj = os.path.join(self.cwd, "package.json")
+        fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=self.cwd)
+        try:
+            with os.fdopen(fd, "w") as f:
+                json.dump(data, f, indent=2)
+                f.write("\n")
+            os.replace(tmp, pj)
+        except Exception:
+            try:
+                os.unlink(tmp)
+            except FileNotFoundError:
+                pass
+            raise
+
+    def _parse_git_dep(self, value: str) -> Optional[dict]:
+        """Parse a git-based dependency value. Returns {repo, ref, protocol} or None."""
+        for pat in _GIT_DEP_PATTERNS:
+            m = pat.match(value)
+            if m:
+                groups = m.groups()
+                repo_part = groups[0]
+                ref = groups[1] if len(groups) > 1 and groups[1] else ""
+
+                # Handle github:user/repo#ref
+                if "#" in repo_part:
+                    repo_part, ref = repo_part.split("#", 1)
+
+                # Normalize repo
+                repo_part = repo_part.rstrip("/")
+
+                return {"repo": repo_part, "ref": ref, "raw": value}
+        return None
+
+    def _fetch_json(self, url: str) -> Optional[dict]:
+        """Fetch JSON from URL with timeout and error handling."""
+        headers = {"Accept": "application/json", "User-Agent": "bingo-light"}
+        # Use GITHUB_TOKEN if available
+        token = os.environ.get("GITHUB_TOKEN", "")
+        if token and "github" in url:
+            headers["Authorization"] = f"token {token}"
+
+        req = urllib.request.Request(url, headers=headers)
+        try:
+            with urllib.request.urlopen(req, timeout=15) as resp:
+                # Check GitHub rate limit
+                remaining = resp.headers.get("X-RateLimit-Remaining", "")
+                if remaining and int(remaining) <= 1:
+                    import sys
+                    print(
+                        "warning: GitHub API rate limit nearly exhausted. "
+                        "Set GITHUB_TOKEN env var for higher limits.",
+                        file=sys.stderr,
+                    )
+                return json.loads(resp.read().decode())
+        except (urllib.error.URLError, urllib.error.HTTPError, json.JSONDecodeError,
+                OSError, ValueError):
+            return None
+
+    @staticmethod
+    def _is_sha_like(ref: str) -> bool:
+        """Check if a ref looks like a commit SHA (hex string, 7+ chars)."""
+        return len(ref) >= 7 and all(c in "0123456789abcdef" for c in ref.lower())
+
+    def fork_list(self) -> dict:
+        """List all git-based dependencies in package.json.
+
+        Returns {"ok": True, "forks": [...], "count": N}
+        """
+        pj = self._read_package_json()
+        if pj is None:
+            return {"ok": True, "forks": [], "count": 0, "note": "No package.json"}
+
+        forks: List[dict] = []
+        for dep_type in ("dependencies", "devDependencies"):
+            deps = pj.get(dep_type, {})
+            for name, value in deps.items():
+                if not isinstance(value, str):
+                    continue
+                parsed = self._parse_git_dep(value)
+                if parsed:
+                    forks.append({
+                        "package": name,
+                        "repo": parsed["repo"],
+                        "ref": parsed["ref"],
+                        "dep_type": dep_type,
+                        "raw": parsed["raw"],
+                    })
+
+        return {"ok": True, "forks": forks, "count": len(forks)}
+
+    def fork_check(self) -> dict:
+        """Check fork drift against upstream npm releases and GitHub commits.
+
+        Returns {"ok": True, "forks": [...], "drifted": N}
+        """
+        list_result = self.fork_list()
+        forks = list_result.get("forks", [])
+        if not forks:
+            return {"ok": True, "forks": [], "drifted": 0}
+
+        results: List[dict] = []
+        drifted = 0
+
+        for fork in forks:
+            entry: Dict[str, Any] = {
+                "package": fork["package"],
+                "repo": fork["repo"],
+                "ref": fork["ref"],
+            }
+
+            # Check npm registry for latest published version
+            npm_url = f"https://registry.npmjs.org/{fork['package']}/latest"
+            npm_data = self._fetch_json(npm_url)
+            if npm_data:
+                entry["npm_latest"] = npm_data.get("version", "")
+            else:
+                entry["npm_latest"] = ""
+
+            # Check GitHub for latest commit on default branch
+            gh_url = f"https://api.github.com/repos/{fork['repo']}/commits?per_page=1"
+            gh_data = self._fetch_json(gh_url)
+            if gh_data and isinstance(gh_data, list) and len(gh_data) > 0:
+                latest_sha = gh_data[0].get("sha", "")[:12]
+                entry["latest_commit"] = latest_sha
+                entry["commit_date"] = gh_data[0].get("commit", {}).get(
+                    "committer", {}
+                ).get("date", "")
+
+                # Compare ref — handle SHA, tag, and branch refs
+                ref = fork["ref"]
+                if not ref:
+                    entry["status"] = "no_ref_pinned"
+                elif self._is_sha_like(ref):
+                    # ref looks like a commit SHA — compare directly
+                    if latest_sha.startswith(ref[:8]) or ref.startswith(latest_sha[:8]):
+                        entry["status"] = "up_to_date"
+                    else:
+                        entry["status"] = "drifted"
+                        drifted += 1
+                else:
+                    # ref is a tag or branch name — resolve via GitHub API
+                    ref_url = f"https://api.github.com/repos/{fork['repo']}/git/ref/tags/{ref}"
+                    ref_data = self._fetch_json(ref_url)
+                    if not ref_data:
+                        # Try as branch
+                        ref_url = f"https://api.github.com/repos/{fork['repo']}/git/ref/heads/{ref}"
+                        ref_data = self._fetch_json(ref_url)
+                    if ref_data and isinstance(ref_data, dict):
+                        ref_sha = ref_data.get("object", {}).get("sha", "")[:12]
+                        if ref_sha and (latest_sha.startswith(ref_sha[:8]) or ref_sha.startswith(latest_sha[:8])):
+                            entry["status"] = "up_to_date"
+                        else:
+                            entry["status"] = "drifted"
+                            entry["ref_resolved"] = ref_sha
+                            drifted += 1
+                    else:
+                        # Can't resolve ref — report as unknown
+                        entry["status"] = "unknown"
+                        entry["note"] = f"Cannot resolve ref '{ref}'"
+            else:
+                entry["latest_commit"] = ""
+                entry["status"] = "unknown"
+
+            results.append(entry)
+
+        return {"ok": True, "forks": results, "drifted": drifted}
+
+    def fork_sync(self, package: str) -> dict:
+        """Update a fork dependency ref to the latest commit.
+
+        Returns {"ok": True, "package": ..., "old_ref": ..., "new_ref": ...}
+        """
+        pj = self._read_package_json()
+        if pj is None:
+            return {"ok": False, "error": "No package.json found"}
+
+        # Find the package
+        found_type = None
+        old_value = None
+        for dep_type in ("dependencies", "devDependencies"):
+            deps = pj.get(dep_type, {})
+            if package in deps:
+                found_type = dep_type
+                old_value = deps[package]
+                break
+
+        if not found_type or not isinstance(old_value, str):
+            return {"ok": False, "error": f"Package '{package}' not found in dependencies"}
+
+        parsed = self._parse_git_dep(old_value)
+        if not parsed:
+            return {"ok": False, "error": f"'{package}' is not a git-based dependency"}
+
+        old_ref = parsed["ref"]
+
+        # Fetch latest commit from GitHub
+        gh_url = f"https://api.github.com/repos/{parsed['repo']}/commits?per_page=1"
+        gh_data = self._fetch_json(gh_url)
+        if not gh_data or not isinstance(gh_data, list) or len(gh_data) == 0:
+            return {"ok": False, "error": f"Cannot fetch latest commit for {parsed['repo']}"}
+
+        new_ref = gh_data[0].get("sha", "")[:12]
+        if not new_ref:
+            return {"ok": False, "error": "Empty commit SHA from GitHub"}
+
+        # Update the dependency value
+        if "#" in old_value:
+            new_value = old_value.rsplit("#", 1)[0] + "#" + new_ref
+        else:
+            new_value = old_value + "#" + new_ref
+
+        pj[found_type][package] = new_value
+        self._write_package_json(pj)
+
+        return {
+            "ok": True,
+            "package": package,
+            "old_ref": old_ref,
+            "new_ref": new_ref,
+            "old_value": old_value,
+            "new_value": new_value,
+        }

package/bingo_core/dep_npm.py

@@ -0,0 +1,113 @@
+"""
+bingo_core.dep_npm — npm/pnpm/yarn backend for dependency patching.
+
+Detects npm projects, fetches original packages from registry,
+resolves install paths in node_modules/.
+
+Python 3.8+ stdlib only.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import tarfile
+from typing import List, Optional
+from urllib.request import urlopen
+
+from bingo_core.dep import DepBackend
+
+
+class NpmBackend(DepBackend):
+    """Backend for npm/pnpm/yarn packages."""
+
+    name = "npm"
+
+    def detect(self, cwd: str) -> bool:
+        """Detect npm project by presence of package.json or node_modules/."""
+        return (
+            os.path.isfile(os.path.join(cwd, "package.json"))
+            or os.path.isdir(os.path.join(cwd, "node_modules"))
+        )
+
+    def get_installed_version(self, package: str, cwd: str) -> Optional[str]:
+        """Get installed version from node_modules/<package>/package.json."""
+        pkg_json = os.path.join(cwd, "node_modules", package, "package.json")
+        if not os.path.isfile(pkg_json):
+            # Try scoped package
+            if "/" in package:
+                pkg_json = os.path.join(cwd, "node_modules", package, "package.json")
+            if not os.path.isfile(pkg_json):
+                return None
+        try:
+            with open(pkg_json) as f:
+                data = json.load(f)
+            return data.get("version")
+        except (json.JSONDecodeError, OSError):
+            return None
+
+    def get_install_path(self, package: str, cwd: str) -> Optional[str]:
+        """Get the filesystem path of the installed package."""
+        path = os.path.join(cwd, "node_modules", package)
+        if os.path.isdir(path):
+            return path
+        return None
+
+    def fetch_original(self, package: str, version: str, dest: str) -> bool:
+        """Download original package from npm registry and extract to dest.
+
+        Uses the npm registry API to get the tarball URL, downloads and
+        extracts it. The tarball contains a 'package/' prefix which we strip.
+        """
+        try:
+            # Fetch package metadata from registry
+            # Handle scoped packages: @scope/name -> @scope%2Fname
+            encoded = package.replace("/", "%2F")
+            url = f"https://registry.npmjs.org/{encoded}/{version}"
+            with urlopen(url, timeout=30) as resp:
+                meta = json.loads(resp.read().decode())
+
+            tarball_url = meta.get("dist", {}).get("tarball")
+            if not tarball_url:
+                return False
+
+            # Download tarball
+            tmptar = os.path.join(dest, "_pkg.tgz")
+            with urlopen(tarball_url, timeout=60) as resp:
+                with open(tmptar, "wb") as f:
+                    f.write(resp.read())
+
+            # Extract (npm tarballs have a 'package/' prefix)
+            with tarfile.open(tmptar, "r:gz") as tar:
+                for member in tar.getmembers():
+                    # Strip the 'package/' prefix
+                    if member.name.startswith("package/"):
+                        member.name = member.name[len("package/"):]
+                    elif member.name == "package":
+                        continue
+                    # Security: skip absolute paths and ..
+                    if member.name.startswith("/") or ".." in member.name:
+                        continue
+                    tar.extract(member, dest, filter="data" if hasattr(tarfile, 'data_filter') else None)
+
+            os.remove(tmptar)
+            return True
+
+        except Exception:
+            return False
+
+    def list_files(self, package: str, cwd: str) -> List[str]:
+        """List all files in the installed package."""
+        install_path = self.get_install_path(package, cwd)
+        if not install_path:
+            return []
+        result = []
+        for root, _dirs, files in os.walk(install_path):
+            for f in files:
+                full = os.path.join(root, f)
+                rel = os.path.relpath(full, install_path)
+                result.append(rel)
+        return sorted(result)
+
+    def install_hook_command(self) -> str:
+        return "bingo-light dep apply"

package/bingo_core/dep_pip.py

@@ -0,0 +1,178 @@
+"""
+bingo_core.dep_pip — pip/pipx backend for dependency patching.
+
+Detects Python projects, fetches original packages from PyPI,
+resolves install paths in site-packages/.
+
+Python 3.8+ stdlib only.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import site
+import zipfile
+from typing import List, Optional
+from urllib.request import urlopen
+
+from bingo_core.dep import DepBackend
+
+
+class PipBackend(DepBackend):
+    """Backend for pip/pipx Python packages."""
+
+    name = "pip"
+
+    def detect(self, cwd: str) -> bool:
+        """Detect Python project by presence of requirements.txt, pyproject.toml, or venv."""
+        indicators = [
+            "requirements.txt",
+            "pyproject.toml",
+            "setup.py",
+            "setup.cfg",
+            "Pipfile",
+            ".venv",
+            "venv",
+        ]
+        return any(
+            os.path.exists(os.path.join(cwd, f)) for f in indicators
+        )
+
+    def _find_site_packages(self, cwd: str) -> List[str]:
+        """Find site-packages directories, preferring project venvs."""
+        dirs = []
+
+        # Check for project venv
+        for venv_name in (".venv", "venv"):
+            venv_path = os.path.join(cwd, venv_name)
+            if os.path.isdir(venv_path):
+                # Find site-packages inside venv
+                for root, dirnames, _files in os.walk(venv_path):
+                    if "site-packages" in dirnames:
+                        dirs.append(os.path.join(root, "site-packages"))
+                        break
+
+        # System/user site-packages
+        dirs.extend(site.getsitepackages())
+        user_site = site.getusersitepackages()
+        if isinstance(user_site, str):
+            dirs.append(user_site)
+
+        return [d for d in dirs if os.path.isdir(d)]
+
+    def get_installed_version(self, package: str, cwd: str) -> Optional[str]:
+        """Get installed version via importlib.metadata or dist-info."""
+        # Normalize package name
+        normalized = package.replace("-", "_").lower()
+
+        for sp_dir in self._find_site_packages(cwd):
+            # Check dist-info directories
+            for entry in os.listdir(sp_dir):
+                if entry.endswith(".dist-info"):
+                    dist_name = entry.rsplit("-", 1)[0].replace("-", "_").lower()
+                    if dist_name == normalized:
+                        metadata_path = os.path.join(sp_dir, entry, "METADATA")
+                        if os.path.isfile(metadata_path):
+                            with open(metadata_path) as f:
+                                for line in f:
+                                    if line.startswith("Version:"):
+                                        return line.split(":", 1)[1].strip()
+        return None
+
+    def get_install_path(self, package: str, cwd: str) -> Optional[str]:
+        """Get the filesystem path of the installed package."""
+        normalized = package.replace("-", "_").lower()
+
+        for sp_dir in self._find_site_packages(cwd):
+            # Direct package directory
+            for entry in os.listdir(sp_dir):
+                if entry.replace("-", "_").lower() == normalized:
+                    full = os.path.join(sp_dir, entry)
+                    if os.path.isdir(full):
+                        return full
+        return None
+
+    def fetch_original(self, package: str, version: str, dest: str) -> bool:
+        """Download original package from PyPI and extract to dest.
+
+        Prefers wheel (.whl) for consistency, falls back to sdist.
+        """
+        try:
+            # Fetch package metadata from PyPI JSON API
+            url = f"https://pypi.org/pypi/{package}/{version}/json"
+            with urlopen(url, timeout=30) as resp:
+                meta = json.loads(resp.read().decode())
+
+            # Find wheel URL (prefer), then sdist
+            download_url = None
+            is_wheel = False
+            for file_info in meta.get("urls", []):
+                if file_info.get("packagetype") == "bdist_wheel":
+                    download_url = file_info["url"]
+                    is_wheel = True
+                    break
+            if not download_url:
+                for file_info in meta.get("urls", []):
+                    if file_info.get("packagetype") == "sdist":
+                        download_url = file_info["url"]
+                        break
+
+            if not download_url:
+                return False
+
+            # Download
+            tmp_file = os.path.join(dest, "_pkg.tmp")
+            with urlopen(download_url, timeout=60) as resp:
+                with open(tmp_file, "wb") as f:
+                    f.write(resp.read())
+
+            if is_wheel:
+                # Wheel is a zip file
+                normalized = package.replace("-", "_").lower()
+                with zipfile.ZipFile(tmp_file) as zf:
+                    for member in zf.namelist():
+                        # Extract only the package directory
+                        parts = member.split("/")
+                        if parts[0].replace("-", "_").lower() == normalized:
+                            zf.extract(member, dest)
+                        elif parts[0].endswith(".dist-info") or parts[0].endswith(".data"):
+                            continue  # Skip metadata
+                        else:
+                            # Single-file module
+                            if member.endswith(".py"):
+                                zf.extract(member, dest)
+                # Move extracted package dir to dest root
+                extracted = os.path.join(dest, normalized)
+                if os.path.isdir(extracted):
+                    # Already in right place
+                    pass
+            else:
+                # Sdist: tar.gz — extract and find the package dir
+                import tarfile
+                with tarfile.open(tmp_file, "r:gz") as tar:
+                    tar.extractall(dest)
+                # Find the actual package inside the extracted tree
+                # Sdist typically has project-version/ at top level
+
+            os.remove(tmp_file)
+            return True
+
+        except Exception:
+            return False
+
+    def list_files(self, package: str, cwd: str) -> List[str]:
+        """List all files in the installed package."""
+        install_path = self.get_install_path(package, cwd)
+        if not install_path:
+            return []
+        result = []
+        for root, _dirs, files in os.walk(install_path):
+            for f in files:
+                full = os.path.join(root, f)
+                rel = os.path.relpath(full, install_path)
+                result.append(rel)
+        return sorted(result)
+
+    def install_hook_command(self) -> str:
+        return "bingo-light dep apply"