brainblast 0.5.3 → 0.6.1

package/dist/chunk-EAKU3L7F.js

@@ -0,0 +1,183 @@
+import {
+  __require
+} from "./chunk-3RG5ZIWI.js";
+
+// src/drift.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+var BASELINE_PATH = (dir) => join(dir, ".agent-research", "drift-baseline.json");
+function pkgKey(pkg) {
+  return `${pkg.ecosystem}:${pkg.name}@${pkg.version}`;
+}
+function loadBaseline(dir) {
+  const path = BASELINE_PATH(dir);
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function saveBaseline(dir, baseline) {
+  const outDir = join(dir, ".agent-research");
+  mkdirSync(outDir, { recursive: true });
+  writeFileSync(BASELINE_PATH(dir), JSON.stringify(baseline, null, 2));
+}
+async function queryOsvBatch(pkgs) {
+  const results = /* @__PURE__ */ new Map();
+  if (pkgs.length === 0) return results;
+  for (let i = 0; i < pkgs.length; i += 1e3) {
+    const batch = pkgs.slice(i, i + 1e3);
+    const body = JSON.stringify({
+      queries: batch.map((p) => ({
+        version: p.version,
+        package: { name: p.name, ecosystem: p.ecosystem }
+      }))
+    });
+    let res;
+    try {
+      res = await fetch("https://api.osv.dev/v1/querybatch", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal: AbortSignal.timeout(3e4)
+      });
+    } catch (e) {
+      throw new Error(`OSV batch request failed: ${e.message ?? String(e)}`);
+    }
+    if (!res.ok) throw new Error(`OSV batch API error: ${res.status} ${res.statusText}`);
+    const data = await res.json();
+    for (let j = 0; j < batch.length; j++) {
+      const pkg = batch[j];
+      const vulns = data.results[j]?.vulns ?? [];
+      const advisories = vulns.map((v) => {
+        const id = v["id"];
+        const severities = v["severity"] ?? [];
+        let severity = "high";
+        for (const sev of severities) {
+          if (sev.type === "CVSS_V3") {
+            const score = parseFloat(sev.score);
+            if (!isNaN(score)) {
+              severity = score >= 9 ? "critical" : score >= 7 ? "high" : score >= 4 ? "medium" : "low";
+              break;
+            }
+          }
+        }
+        const dbSpec = v["database_specific"] ?? {};
+        if (severity === "high") {
+          const ghsa = (dbSpec["severity"] ?? "").toUpperCase();
+          severity = { CRITICAL: "critical", HIGH: "high", MODERATE: "medium", LOW: "low" }[ghsa] ?? "high";
+        }
+        const rawSummary = v["summary"] ?? "";
+        const rawDetails = v["details"] ?? "";
+        return { id, severity, summary: rawSummary || rawDetails.slice(0, 200), url: `https://osv.dev/vulnerability/${id}` };
+      });
+      results.set(pkgKey(pkg), advisories);
+    }
+  }
+  return results;
+}
+function seedPackages(dir) {
+  const { execFileSync } = __require("child_process");
+  const scriptPaths = [
+    join(dir, "scripts", "seed-inventory.sh"),
+    join(__dirname, "..", "..", "scripts", "seed-inventory.sh")
+  ];
+  for (const script of scriptPaths) {
+    if (existsSync(script)) {
+      try {
+        const out = execFileSync("sh", [script, dir], { encoding: "utf8", timeout: 3e4 });
+        return JSON.parse(out);
+      } catch {
+      }
+    }
+  }
+  return [];
+}
+async function checkDrift(dir, opts = {}) {
+  const pkgs = opts.packages ?? seedPackages(dir);
+  const baseline = loadBaseline(dir);
+  const currentMap = await queryOsvBatch(pkgs);
+  const currentIds = {};
+  for (const pkg of pkgs) {
+    const key = pkgKey(pkg);
+    currentIds[key] = (currentMap.get(key) ?? []).map((a) => a.id);
+  }
+  const newAdvisories = [];
+  const resolvedAdvisories = [];
+  if (baseline) {
+    for (const pkg of pkgs) {
+      const key = pkgKey(pkg);
+      const prev = new Set(baseline.advisoryIds[key] ?? []);
+      const curr = currentMap.get(key) ?? [];
+      for (const adv of curr) {
+        if (!prev.has(adv.id)) {
+          newAdvisories.push({ ...adv, package: pkg.name, ecosystem: pkg.ecosystem, version: pkg.version });
+        }
+      }
+      const currIds = new Set(curr.map((a) => a.id));
+      for (const prevId of prev) {
+        if (!currIds.has(prevId)) {
+          resolvedAdvisories.push({
+            id: prevId,
+            severity: "low",
+            summary: "Advisory no longer reported by OSV",
+            url: `https://osv.dev/vulnerability/${prevId}`,
+            package: pkg.name,
+            ecosystem: pkg.ecosystem,
+            version: pkg.version
+          });
+        }
+      }
+    }
+  }
+  if (opts.updateBaseline || !baseline) {
+    saveBaseline(dir, {
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      packages: pkgs.length,
+      advisoryIds: currentIds
+    });
+  }
+  return {
+    newAdvisories,
+    resolvedAdvisories,
+    baselineExists: !!baseline,
+    baselineDate: baseline?.createdAt ?? null,
+    packagesChecked: pkgs.length
+  };
+}
+function renderDriftText(result) {
+  const lines = [];
+  if (!result.baselineExists) {
+    lines.push(`brainblast drift: baseline created \u2014 ${result.packagesChecked} packages indexed.`);
+    lines.push("Re-run without --update-baseline to detect new advisories.");
+    return lines.join("\n");
+  }
+  lines.push(`brainblast drift: checked ${result.packagesChecked} packages against baseline from ${result.baselineDate?.split("T")[0] ?? "unknown"}`);
+  if (result.newAdvisories.length === 0 && result.resolvedAdvisories.length === 0) {
+    lines.push("  No new advisories. Dependency risk profile unchanged.");
+    return lines.join("\n");
+  }
+  if (result.newAdvisories.length > 0) {
+    lines.push(`
+  NEW (${result.newAdvisories.length}):`);
+    for (const a of result.newAdvisories) {
+      lines.push(`    [${a.severity.toUpperCase()}] ${a.package}@${a.version} \u2014 ${a.id}: ${a.summary}`);
+      lines.push(`      ${a.url}`);
+    }
+  }
+  if (result.resolvedAdvisories.length > 0) {
+    lines.push(`
+  RESOLVED (${result.resolvedAdvisories.length}):`);
+    for (const a of result.resolvedAdvisories) {
+      lines.push(`    ${a.package}@${a.version} \u2014 ${a.id}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+export {
+  seedPackages,
+  checkDrift,
+  renderDriftText
+};

package/dist/chunk-SC6RNNDW.js

@@ -0,0 +1,160 @@
+// src/osv.ts
+function mapSeverity(vuln) {
+  const severities = vuln["severity"] ?? [];
+  for (const sev of severities) {
+    if (sev.type === "CVSS_V3") {
+      const score = parseFloat(sev.score);
+      if (!isNaN(score)) {
+        if (score >= 9) return "critical";
+        if (score >= 7) return "high";
+        if (score >= 4) return "medium";
+        return "low";
+      }
+    }
+  }
+  const dbSpec = vuln["database_specific"] ?? {};
+  const ghsa = (dbSpec["severity"] ?? "").toUpperCase();
+  const map = {
+    CRITICAL: "critical",
+    HIGH: "high",
+    MODERATE: "medium",
+    LOW: "low"
+  };
+  return map[ghsa] ?? "high";
+}
+async function queryOsv(ecosystem, name, version) {
+  const body = JSON.stringify({ version, package: { name, ecosystem } });
+  let res;
+  try {
+    res = await fetch("https://api.osv.dev/v1/query", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body,
+      signal: AbortSignal.timeout(15e3)
+    });
+  } catch (e) {
+    throw new Error(`OSV API request failed: ${e.message ?? String(e)}`);
+  }
+  if (!res.ok) throw new Error(`OSV API error: ${res.status} ${res.statusText}`);
+  const data = await res.json();
+  return (data.vulns ?? []).map((v) => {
+    const id = v["id"];
+    const rawSummary = v["summary"] ?? "";
+    const rawDetails = v["details"] ?? "";
+    return {
+      id,
+      severity: mapSeverity(v),
+      summary: rawSummary || rawDetails.slice(0, 200),
+      url: `https://osv.dev/vulnerability/${id}`
+    };
+  });
+}
+
+// src/diff.ts
+async function diffVersions(ecosystem, packageName, fromVersion, toVersion) {
+  const [fromAdvisories, toAdvisories] = await Promise.all([
+    queryOsv(ecosystem, packageName, fromVersion),
+    queryOsv(ecosystem, packageName, toVersion)
+  ]);
+  const fromIds = new Set(fromAdvisories.map((a) => a.id));
+  const toIds = new Set(toAdvisories.map((a) => a.id));
+  return {
+    package: packageName,
+    ecosystem,
+    fromVersion,
+    toVersion,
+    resolved: fromAdvisories.filter((a) => !toIds.has(a.id)),
+    introduced: toAdvisories.filter((a) => !fromIds.has(a.id)),
+    unchanged: fromAdvisories.filter((a) => toIds.has(a.id))
+  };
+}
+var SEV_WEIGHT = { critical: 8, high: 4, medium: 2, low: 1 };
+function riskScore(result) {
+  const sum = (list) => list.reduce((n, a) => n + (SEV_WEIGHT[a.severity] ?? 0), 0);
+  return sum(result.introduced) - sum(result.resolved);
+}
+function badge(sev) {
+  return { critical: "[CRITICAL]", high: "[HIGH]", medium: "[MEDIUM]", low: "[LOW]" }[sev] ?? `[${sev.toUpperCase()}]`;
+}
+function renderDiffText(result) {
+  const lines = [];
+  lines.push(`brainblast diff: ${result.package} ${result.fromVersion} \u2192 ${result.toVersion} (${result.ecosystem})
+`);
+  const total = result.introduced.length + result.resolved.length + result.unchanged.length;
+  if (total === 0) {
+    lines.push("  No known OSV advisories for either version.");
+    return lines.join("\n");
+  }
+  if (result.introduced.length > 0) {
+    lines.push(`  INTRODUCED (${result.introduced.length}):`);
+    for (const a of result.introduced) {
+      lines.push(`    + ${badge(a.severity)} ${a.id} \u2014 ${a.summary}`);
+      lines.push(`      ${a.url}`);
+    }
+  }
+  if (result.resolved.length > 0) {
+    lines.push(`  RESOLVED (${result.resolved.length}):`);
+    for (const a of result.resolved) {
+      lines.push(`    - ${badge(a.severity)} ${a.id} \u2014 ${a.summary}`);
+      lines.push(`      ${a.url}`);
+    }
+  }
+  if (result.unchanged.length > 0) {
+    lines.push(`  UNCHANGED (${result.unchanged.length}):`);
+    for (const a of result.unchanged) {
+      lines.push(`    ~ ${badge(a.severity)} ${a.id} \u2014 ${a.summary}`);
+    }
+  }
+  return lines.join("\n");
+}
+function renderDiffMd(result) {
+  const lines = [];
+  lines.push(`## brainblast diff: \`${result.package}\` ${result.fromVersion} \u2192 ${result.toVersion} (${result.ecosystem})
+`);
+  const total = result.introduced.length + result.resolved.length + result.unchanged.length;
+  if (total === 0) {
+    lines.push("No known OSV advisories for either version.");
+    return lines.join("\n");
+  }
+  if (result.introduced.length > 0) {
+    lines.push(`### \u26A0\uFE0F Introduced (${result.introduced.length})
+`);
+    for (const a of result.introduced) {
+      lines.push(`- **${badge(a.severity)}** [${a.id}](${a.url}) \u2014 ${a.summary}`);
+    }
+    lines.push("");
+  }
+  if (result.resolved.length > 0) {
+    lines.push(`### \u2705 Resolved (${result.resolved.length})
+`);
+    for (const a of result.resolved) {
+      lines.push(`- **${badge(a.severity)}** [${a.id}](${a.url}) \u2014 ${a.summary}`);
+    }
+    lines.push("");
+  }
+  if (result.unchanged.length > 0) {
+    lines.push(`### ~ Unchanged (${result.unchanged.length})
+`);
+    for (const a of result.unchanged) {
+      lines.push(`- **${badge(a.severity)}** [${a.id}](${a.url}) \u2014 ${a.summary}`);
+    }
+    lines.push("");
+  }
+  const score = riskScore(result);
+  if (score > 0) {
+    lines.push(`> **\u26D4 Upgrade increases risk (score +${score}). Review introduced advisories before bumping.**`);
+  } else if (score < 0) {
+    lines.push(`> **\u2705 Upgrade decreases risk (score ${score}). Upgrade recommended.**`);
+  } else if (result.unchanged.length > 0) {
+    lines.push(`> **~ Risk profile unchanged (${result.unchanged.length} advisory${result.unchanged.length !== 1 ? "ies" : ""} persist).**`);
+  }
+  return lines.join("\n");
+}
+
+export {
+  queryOsv,
+  diffVersions,
+  riskScore,
+  renderDiffText,
+  renderDiffMd
+};