cerber-core 1.1.6 → 1.1.8

package/dev/templates/cerber-guardian.mjs.tpl

@@ -1,148 +1,255 @@
-#!/usr/bin/env node
-// Generated by Cerber init - DO NOT EDIT MANUALLY
-// To regenerate: npx cerber init --force
-
-import { execSync } from 'child_process';
-import fs from 'fs';
-import { join } from 'path';
-
-const SCHEMA_FILE = '{{SCHEMA_FILE}}';
-const APPROVALS_TAG = '{{APPROVALS_TAG}}';
-
-async function main() {
-  console.log('🛡️  Cerber Guardian: Validating staged files...');
-
-  if (!fs.existsSync(SCHEMA_FILE)) {
-    console.error(`❌ Schema file not found: ${SCHEMA_FILE}`);
-    console.error('Create your schema file to enable validation.');
-    console.error(`Example: npx cerber init --print-schema-template > ${SCHEMA_FILE}`);
-    process.exit(1);
-  }
-
-  // Import schema
-  let schema;
-  try {
-    const schemaPath = join(process.cwd(), SCHEMA_FILE);
-    const schemaModule = await import(`file://${schemaPath}`);
-    schema = schemaModule.BACKEND_SCHEMA || schemaModule.default || schemaModule;
-  } catch (err) {
-    console.error(`❌ Failed to load schema from ${SCHEMA_FILE}:`, err.message);
-    process.exit(1);
-  }
-
-  // Get staged files
-  let stagedFiles;
-  try {
-    stagedFiles = execSync('git diff --cached --name-only', { encoding: 'utf-8' })
-      .trim()
-      .split('\n')
-      .filter(Boolean);
-  } catch (err) {
-    console.error('❌ Failed to get staged files');
-    process.exit(1);
-  }
-
-  if (stagedFiles.length === 0) {
-    console.log('✅ No files staged for commit');
-    return;
-  }
-
-  console.log(`Checking ${stagedFiles.length} file(s)...`);
-
-  const violations = [];
-
-  // Validate each staged file
-  for (const file of stagedFiles) {
-    if (!fs.existsSync(file)) continue;
-
-    const content = fs.readFileSync(file, 'utf-8');
-
-    // Check forbidden patterns
-    if (schema.forbiddenPatterns && Array.isArray(schema.forbiddenPatterns)) {
-      for (const rule of schema.forbiddenPatterns) {
-        if (!rule.pattern) continue;
-
-        const pattern = typeof rule.pattern === 'string' 
-          ? new RegExp(rule.pattern, rule.flags || 'i') 
-          : rule.pattern;
-        
-        // Check if file is in exceptions
-        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
-          continue;
-        }
-
-        if (pattern.test(content)) {
-          // Check for architect approval
-          const hasApproval = content.includes(APPROVALS_TAG);
-          
-          if (!hasApproval) {
-            violations.push({
-              file,
-              rule: rule.name || 'Unnamed rule',
-              severity: rule.severity || 'error'
-            });
-          }
-        }
-      }
-    }
-
-    // Check required imports (rules)
-    if (schema.rules && Array.isArray(schema.rules)) {
-      for (const rule of schema.rules) {
-        if (!rule.pattern || !rule.requiredImports) continue;
-
-        const filePattern = typeof rule.pattern === 'string' ? new RegExp(rule.pattern) : rule.pattern;
-        
-        if (!filePattern.test(file)) continue;
-
-        // Check if file is in exceptions
-        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
-          continue;
-        }
-
-        // Check each required import
-        for (const requiredImport of rule.requiredImports) {
-          const importPattern = new RegExp(`import.*${requiredImport}`, 'i');
-          
-          if (!importPattern.test(content)) {
-            // Check for architect approval
-            const hasApproval = content.includes(APPROVALS_TAG);
-            
-            if (!hasApproval) {
-              violations.push({
-                file,
-                rule: `${rule.name || 'Unnamed rule'}: missing import '${requiredImport}'`,
-                severity: rule.severity || 'error'
-              });
-            }
-          }
-        }
-      }
-    }
-  }
-
-  // Report violations
-  if (violations.length > 0) {
-    console.error('\n❌ Architecture violations detected:\n');
-    
-    for (const v of violations) {
-      const icon = v.severity === 'error' ? '🔴' : '⚠️';
-      console.error(`${icon} [${v.severity.toUpperCase()}] ${v.file}`);
-      console.error(`   ${v.rule}`);
-      console.error(`   Add ${APPROVALS_TAG} comment to override\n`);
-    }
-    
-    const errorCount = violations.filter(v => v.severity === 'error').length;
-    if (errorCount > 0) {
-      console.error(`\n❌ Commit blocked: ${errorCount} error(s) found`);
-      process.exit(1);
-    }
-  }
-
-  console.log('✅ All checks passed');
-}
-
-main().catch(err => {
-  console.error('❌ Guardian check failed:', err?.message || err);
-  process.exit(1);
-});
+#!/usr/bin/env node
+// Generated by Cerber init - DO NOT EDIT MANUALLY
+// To regenerate: npx cerber init --force
+
+import { execSync } from 'child_process';
+import fs from 'fs';
+import { join } from 'path';
+
+const APPROVALS_TAG = '{{APPROVALS_TAG}}';
+
+function readYamlValue(text, key) {
+  const re = new RegExp(`^\\s*${key}\\s*:\\s*(.*)\\s*$`, "m");
+  const m = text.match(re);
+  if (!m) return "";
+  let v = (m[1] ?? "").trim();
+
+  // Remove quotes
+  v = v.replace(/^["']/,"").replace(/["']$/,"");
+  return v.trim();
+}
+
+function parseOverride(cerberContent) {
+  const enabledRaw = readYamlValue(cerberContent, "enabled");
+  const enabled = enabledRaw.toLowerCase() === "true";
+
+  const reason = readYamlValue(cerberContent, "reason");
+  const expiresRaw = readYamlValue(cerberContent, "expires");
+  const approvedBy = readYamlValue(cerberContent, "approvedBy");
+
+  if (!enabled) return { state: "DISABLED", reason, expires: expiresRaw, approvedBy };
+
+  if (!expiresRaw) return { state: "ACTIVE", reason, expires: "", approvedBy };
+
+  const expiresDate = new Date(expiresRaw);
+  if (Number.isNaN(expiresDate.getTime())) {
+    return { state: "INVALID", reason, expires: expiresRaw, approvedBy };
+  }
+
+  if (expiresDate.getTime() < Date.now()) {
+    return { state: "EXPIRED", reason, expires: expiresRaw, approvedBy };
+  }
+
+  return { state: "ACTIVE", reason, expires: expiresRaw, approvedBy };
+}
+
+async function main() {
+  console.log('🛡️  Cerber Guardian: Validating staged files...');
+
+  // Check for emergency override
+  const cerberMdPath = join(process.cwd(), 'CERBER.md');
+  if (fs.existsSync(cerberMdPath)) {
+    const cerberContent = fs.readFileSync(cerberMdPath, 'utf-8');
+    const overrideMatch = cerberContent.match(/CERBER_OVERRIDE:\s*\n\s*enabled:\s*(true|false)/);
+    
+    if (overrideMatch && overrideMatch[1] === 'true') {
+      const override = parseOverride(cerberContent);
+      const { state, reason, expires, approvedBy } = override;
+      
+      if (state === 'ACTIVE') {
+        // Override ACTIVE - allow commit with warning
+        console.log('');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('⚠️  CERBER EMERGENCY OVERRIDE ACTIVE');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('');
+        console.log(`Status:      ACTIVE`);
+        console.log(`Reason:      ${reason}`);
+        console.log(`Expires:     ${expires}`);
+        console.log(`Approved By: ${approvedBy}`);
+        console.log('');
+        console.log('Guardian checks: BYPASSED WITH WARNING');
+        console.log('Self-protection: STILL ACTIVE (cerber-integrity runs)');
+        console.log('');
+        console.log('⚠️  Create follow-up PR to fix properly + disable override');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('');
+        process.exit(0);  // Allow commit
+      } else if (state === 'EXPIRED') {
+        console.log('⚠️  Override expired - proceeding with normal validation');
+      } else {
+        console.log('⚠️  Override invalid (missing required fields) - proceeding with normal validation');
+      }
+    }
+  }
+
+  // Load schema from CERBER.md
+  if (!fs.existsSync(cerberMdPath)) {
+    console.error('❌ CERBER.md not found');
+    console.error('Run: npx cerber init');
+    process.exit(5);
+  }
+
+  const cerberContent = fs.readFileSync(cerberMdPath, 'utf-8');
+  
+  // Parse SCHEMA section
+  const schemaMatch = cerberContent.match(/SCHEMA:\s*\n\s*mode:\s*(\w+)/);
+  if (!schemaMatch) {
+    console.error('❌ SCHEMA section not found in CERBER.md');
+    console.error('Add SCHEMA section with mode: required or mode: disabled');
+    process.exit(5);
+  }
+
+  const schemaMode = schemaMatch[1];
+  if (schemaMode === 'disabled') {
+    console.log('⚠️  Schema validation disabled (SCHEMA.mode: disabled)');
+    console.log('✅ Bypassing validation');
+    return;
+  }
+
+  // Extract forbidden patterns
+  const forbiddenPatterns = [];
+  const patternsMatch = cerberContent.match(/forbiddenPatterns:\s*\n([\s\S]*?)(?=\n\w|\nSCHEMA:|$)/);
+  if (patternsMatch) {
+    const patternLines = patternsMatch[1].match(/- "([^"]+)"/g);
+    if (patternLines) {
+      patternLines.forEach(line => {
+        const pattern = line.match(/- "([^"]+)"/)?.[1];
+        if (pattern) {
+          forbiddenPatterns.push({
+            pattern: pattern,
+            name: `Forbidden: ${pattern}`,
+            severity: 'error'
+          });
+        }
+      });
+    }
+  }
+
+  if (schemaMode === 'required' && forbiddenPatterns.length === 0) {
+    console.error('❌ SCHEMA.mode: required but no rules defined');
+    console.error('Add forbiddenPatterns to SCHEMA section in CERBER.md');
+    process.exit(5);
+  }
+
+  const schema = {
+    forbiddenPatterns: forbiddenPatterns,
+    rules: []
+  };
+
+  // Get staged files
+  let stagedFiles;
+  try {
+    stagedFiles = execSync('git diff --cached --name-only', { encoding: 'utf-8' })
+      .trim()
+      .split('\n')
+      .filter(Boolean);
+  } catch (err) {
+    console.error('❌ Failed to get staged files');
+    process.exit(1);
+  }
+
+  if (stagedFiles.length === 0) {
+    console.log('✅ No files staged for commit');
+    return;
+  }
+
+  console.log(`Checking ${stagedFiles.length} file(s)...`);
+
+  const violations = [];
+
+  // Validate each staged file
+  for (const file of stagedFiles) {
+    if (!fs.existsSync(file)) continue;
+
+    const content = fs.readFileSync(file, 'utf-8');
+
+    // Check forbidden patterns
+    if (schema.forbiddenPatterns && Array.isArray(schema.forbiddenPatterns)) {
+      for (const rule of schema.forbiddenPatterns) {
+        if (!rule.pattern) continue;
+
+        const pattern = typeof rule.pattern === 'string' 
+          ? new RegExp(rule.pattern, rule.flags || 'i') 
+          : rule.pattern;
+        
+        // Check if file is in exceptions
+        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
+          continue;
+        }
+
+        if (pattern.test(content)) {
+          // Check for architect approval
+          const hasApproval = content.includes(APPROVALS_TAG);
+          
+          if (!hasApproval) {
+            violations.push({
+              file,
+              rule: rule.name || 'Unnamed rule',
+              severity: rule.severity || 'error'
+            });
+          }
+        }
+      }
+    }
+
+    // Check required imports (rules)
+    if (schema.rules && Array.isArray(schema.rules)) {
+      for (const rule of schema.rules) {
+        if (!rule.pattern || !rule.requiredImports) continue;
+
+        const filePattern = typeof rule.pattern === 'string' ? new RegExp(rule.pattern) : rule.pattern;
+        
+        if (!filePattern.test(file)) continue;
+
+        // Check if file is in exceptions
+        if (rule.exceptions && rule.exceptions.some(ex => file.includes(ex))) {
+          continue;
+        }
+
+        // Check each required import
+        for (const requiredImport of rule.requiredImports) {
+          const importPattern = new RegExp(`import.*${requiredImport}`, 'i');
+          
+          if (!importPattern.test(content)) {
+            // Check for architect approval
+            const hasApproval = content.includes(APPROVALS_TAG);
+            
+            if (!hasApproval) {
+              violations.push({
+                file,
+                rule: `${rule.name || 'Unnamed rule'}: missing import '${requiredImport}'`,
+                severity: rule.severity || 'error'
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
+  // Report violations
+  if (violations.length > 0) {
+    console.error('\n❌ Architecture violations detected:\n');
+    
+    for (const v of violations) {
+      const icon = v.severity === 'error' ? '🔴' : '⚠️';
+      console.error(`${icon} [${v.severity.toUpperCase()}] ${v.file}`);
+      console.error(`   ${v.rule}`);
+      console.error(`   Add ${APPROVALS_TAG} comment to override\n`);
+    }
+    
+    const errorCount = violations.filter(v => v.severity === 'error').length;
+    if (errorCount > 0) {
+      console.error(`\n❌ Commit blocked: ${errorCount} error(s) found`);
+      process.exit(1);
+    }
+  }
+
+  console.log('✅ All checks passed');
+}
+
+main().catch(err => {
+  console.error('❌ Guardian check failed:', err?.message || err);
+  process.exit(1);
+});

package/dev/templates/cerber.yml.tpl

@@ -1,53 +1,96 @@
-# Generated by Cerber init
-name: Cerber CI
-
-on:
-  push:
-    branches: {{CI_BRANCHES}}
-  pull_request:
-    branches: {{CI_BRANCHES}}
-  workflow_dispatch:
-
-jobs:
-  cerber-ci:
-    name: Cerber CI
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build (if script exists)
-        run: |
-          if npm run | grep -q "build"; then
-            npm run build
-          else
-            echo "No build script defined; skipping"
-          fi
-
-      - name: Test (if script exists)
-        run: |
-          if npm run | grep -q "test"; then
-            npm test
-          else
-            echo "No test script defined; skipping"
-          fi
-
-      - name: Run Guardian
-        run: |
-          if npm run | grep -q "cerber:guardian"; then
-            npm run cerber:guardian
-          else
-            node scripts/cerber-guardian.mjs
-          fi
-
-{{POST_DEPLOY_BLOCK}}
+# Generated by Cerber init
+name: Cerber CI
+
+on:
+  push:
+    branches: {{CI_BRANCHES}}
+  pull_request:
+    branches: {{CI_BRANCHES}}
+  workflow_dispatch:
+
+jobs:
+  cerber-integrity:
+    name: Cerber Self-Protection
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Verify protected files exist
+        run: |
+          echo "🛡️ Cerber Integrity Check"
+          MISSING=0
+          
+          # Check core files
+          [ ! -f "CERBER.md" ] && echo "❌ CERBER.md missing" && MISSING=1
+          [ ! -f ".github/workflows/cerber.yml" ] && echo "❌ cerber.yml missing" && MISSING=1
+          [ ! -f "scripts/cerber-guardian.mjs" ] && echo "❌ cerber-guardian.mjs missing" && MISSING=1
+          [ ! -f ".husky/pre-commit" ] && echo "❌ pre-commit hook missing" && MISSING=1
+          
+          # Check schema file (strict mode only)
+          SCHEMA_MODE=$(grep -A 10 "^schema:" CERBER.md | grep "mode:" | awk '{print $2}' | head -1)
+          if [ "$SCHEMA_MODE" = "strict" ]; then
+            SCHEMA_FILE=$(grep -A 10 "^schema:" CERBER.md | grep "file:" | awk '{print $2}' | head -1)
+            [ ! -f "$SCHEMA_FILE" ] && echo "❌ Schema file $SCHEMA_FILE missing (strict mode)" && MISSING=1
+          fi
+          
+          if [ $MISSING -eq 1 ]; then
+            echo "🚨 Protected files missing. Cerber self-protection compromised."
+            exit 1
+          fi
+          
+          echo "✅ All protected files present"
+
+      - name: Verify cerber-ci job exists
+        run: |
+          if ! grep -q "cerber-ci:" .github/workflows/cerber.yml; then
+            echo "🚨 Job 'cerber-ci' not found in cerber.yml"
+            echo "Never rename or remove the cerber-ci job ID"
+            exit 1
+          fi
+          echo "✅ cerber-ci job ID intact"
+
+  cerber-ci:
+    name: Cerber CI
+    runs-on: ubuntu-latest
+    needs: [cerber-integrity]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build (if script exists)
+        run: |
+          if npm run | grep -q "build"; then
+            npm run build
+          else
+            echo "No build script defined; skipping"
+          fi
+
+      - name: Test (if script exists)
+        run: |
+          if npm run | grep -q "test"; then
+            npm test
+          else
+            echo "No test script defined; skipping"
+          fi
+
+      - name: Run Guardian
+        run: |
+          if npm run | grep -q "cerber:guardian"; then
+            npm run cerber:guardian
+          else
+            node scripts/cerber-guardian.mjs
+          fi
+
+{{POST_DEPLOY_BLOCK}}

package/dev/templates/pre-commit.tpl

@@ -1,4 +1,4 @@
-#!/bin/sh
-# Generated by Cerber init
-
-npm run cerber:guardian
+#!/bin/sh
+# Generated by Cerber init
+
+npm run cerber:guardian

package/dist/cli/contract-parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contract-parser.d.ts","sourceRoot":"","sources":["../../src/cli/contract-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAMjE,wBAAsB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAU3F;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CA8EpE;AAyID,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,MAAM,GAAG,KAAK,GAAG,MAAc,GAAG,cAAc,CAqCxF"}
+{"version":3,"file":"contract-parser.d.ts","sourceRoot":"","sources":["../../src/cli/contract-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAMjE,wBAAsB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAU3F;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CA4HpE;AA+HD,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,MAAM,GAAG,KAAK,GAAG,MAAc,GAAG,cAAc,CAqCxF"}