cli4ai 0.8.0

package/src/core/lockfile.test.ts

@@ -0,0 +1,337 @@
+/**
+ * Tests for lockfile.ts
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { mkdtempSync, rmSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+import {
+  getLockfilePath,
+  lockfileExists,
+  loadLockfile,
+  saveLockfile,
+  lockPackage,
+  unlockPackage,
+  getLockedPackage,
+  getLockedPackages,
+  isPackageLocked,
+  clearLockfile,
+  formatLockfile,
+  LOCKFILE_NAME,
+  LOCKFILE_VERSION,
+  type Lockfile,
+  type LockedPackage
+} from './lockfile.js';
+
+describe('lockfile', () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), 'cli4ai-lockfile-test-'));
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe('getLockfilePath', () => {
+    test('returns correct path', () => {
+      const path = getLockfilePath(tempDir);
+      expect(path).toBe(join(tempDir, LOCKFILE_NAME));
+    });
+  });
+
+  describe('lockfileExists', () => {
+    test('returns false when no lockfile', () => {
+      expect(lockfileExists(tempDir)).toBe(false);
+    });
+
+    test('returns true when lockfile exists', () => {
+      writeFileSync(join(tempDir, LOCKFILE_NAME), '{}');
+      expect(lockfileExists(tempDir)).toBe(true);
+    });
+  });
+
+  describe('loadLockfile', () => {
+    test('returns empty lockfile when none exists', () => {
+      const lockfile = loadLockfile(tempDir);
+
+      expect(lockfile.lockfileVersion).toBe(LOCKFILE_VERSION);
+      expect(lockfile.packages).toEqual({});
+    });
+
+    test('loads existing lockfile', () => {
+      const existing: Lockfile = {
+        lockfileVersion: 1,
+        packages: {
+          github: {
+            name: 'github',
+            version: '1.0.0',
+            resolved: '/path/to/github'
+          }
+        }
+      };
+
+      writeFileSync(
+        join(tempDir, LOCKFILE_NAME),
+        JSON.stringify(existing)
+      );
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages.github.name).toBe('github');
+      expect(lockfile.packages.github.version).toBe('1.0.0');
+    });
+
+    test('handles invalid JSON gracefully', () => {
+      writeFileSync(join(tempDir, LOCKFILE_NAME), 'invalid json');
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.lockfileVersion).toBe(LOCKFILE_VERSION);
+      expect(lockfile.packages).toEqual({});
+    });
+  });
+
+  describe('saveLockfile', () => {
+    test('saves lockfile to disk', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {
+          tool: {
+            name: 'tool',
+            version: '2.0.0',
+            resolved: '/some/path'
+          }
+        }
+      };
+
+      saveLockfile(tempDir, lockfile);
+
+      const content = readFileSync(join(tempDir, LOCKFILE_NAME), 'utf-8');
+      const parsed = JSON.parse(content);
+
+      expect(parsed.lockfileVersion).toBe(1);
+      expect(parsed.packages.tool.version).toBe('2.0.0');
+    });
+
+    test('formats JSON with indentation', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {}
+      };
+
+      saveLockfile(tempDir, lockfile);
+
+      const content = readFileSync(join(tempDir, LOCKFILE_NAME), 'utf-8');
+      expect(content).toContain('  '); // Has indentation
+      expect(content.endsWith('\n')).toBe(true); // Trailing newline
+    });
+  });
+
+  describe('lockPackage', () => {
+    test('adds new package to lockfile', () => {
+      const pkg: LockedPackage = {
+        name: 'new-tool',
+        version: '1.0.0',
+        resolved: '/path/to/tool'
+      };
+
+      lockPackage(tempDir, pkg);
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages['new-tool']).toEqual(pkg);
+    });
+
+    test('updates existing package', () => {
+      lockPackage(tempDir, {
+        name: 'tool',
+        version: '1.0.0',
+        resolved: '/old/path'
+      });
+
+      lockPackage(tempDir, {
+        name: 'tool',
+        version: '2.0.0',
+        resolved: '/new/path'
+      });
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages.tool.version).toBe('2.0.0');
+      expect(lockfile.packages.tool.resolved).toBe('/new/path');
+    });
+
+    test('preserves other packages when adding', () => {
+      lockPackage(tempDir, { name: 'a', version: '1.0.0', resolved: '/a' });
+      lockPackage(tempDir, { name: 'b', version: '1.0.0', resolved: '/b' });
+      lockPackage(tempDir, { name: 'c', version: '1.0.0', resolved: '/c' });
+
+      const lockfile = loadLockfile(tempDir);
+      expect(Object.keys(lockfile.packages)).toEqual(['a', 'b', 'c']);
+    });
+  });
+
+  describe('unlockPackage', () => {
+    test('removes package from lockfile', () => {
+      lockPackage(tempDir, { name: 'tool', version: '1.0.0', resolved: '/path' });
+      unlockPackage(tempDir, 'tool');
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages.tool).toBeUndefined();
+    });
+
+    test('handles non-existent package gracefully', () => {
+      // Should not throw
+      unlockPackage(tempDir, 'nonexistent');
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages.nonexistent).toBeUndefined();
+    });
+
+    test('preserves other packages when removing', () => {
+      lockPackage(tempDir, { name: 'a', version: '1.0.0', resolved: '/a' });
+      lockPackage(tempDir, { name: 'b', version: '1.0.0', resolved: '/b' });
+      lockPackage(tempDir, { name: 'c', version: '1.0.0', resolved: '/c' });
+
+      unlockPackage(tempDir, 'b');
+
+      const lockfile = loadLockfile(tempDir);
+      expect(Object.keys(lockfile.packages)).toEqual(['a', 'c']);
+    });
+  });
+
+  describe('getLockedPackage', () => {
+    test('returns package when found', () => {
+      lockPackage(tempDir, {
+        name: 'github',
+        version: '1.0.0',
+        resolved: '/path'
+      });
+
+      const pkg = getLockedPackage(tempDir, 'github');
+      expect(pkg).not.toBeNull();
+      expect(pkg?.name).toBe('github');
+    });
+
+    test('returns null when not found', () => {
+      const pkg = getLockedPackage(tempDir, 'nonexistent');
+      expect(pkg).toBeNull();
+    });
+  });
+
+  describe('getLockedPackages', () => {
+    test('returns empty array when no packages', () => {
+      const packages = getLockedPackages(tempDir);
+      expect(packages).toEqual([]);
+    });
+
+    test('returns all packages', () => {
+      lockPackage(tempDir, { name: 'a', version: '1.0.0', resolved: '/a' });
+      lockPackage(tempDir, { name: 'b', version: '2.0.0', resolved: '/b' });
+
+      const packages = getLockedPackages(tempDir);
+      expect(packages).toHaveLength(2);
+      expect(packages.map(p => p.name).sort()).toEqual(['a', 'b']);
+    });
+  });
+
+  describe('isPackageLocked', () => {
+    test('returns true when package is locked', () => {
+      lockPackage(tempDir, { name: 'tool', version: '1.0.0', resolved: '/path' });
+      expect(isPackageLocked(tempDir, 'tool')).toBe(true);
+    });
+
+    test('returns false when package not locked', () => {
+      expect(isPackageLocked(tempDir, 'nonexistent')).toBe(false);
+    });
+  });
+
+  describe('clearLockfile', () => {
+    test('removes all packages', () => {
+      lockPackage(tempDir, { name: 'a', version: '1.0.0', resolved: '/a' });
+      lockPackage(tempDir, { name: 'b', version: '1.0.0', resolved: '/b' });
+
+      clearLockfile(tempDir);
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.packages).toEqual({});
+    });
+
+    test('preserves lockfile version', () => {
+      clearLockfile(tempDir);
+
+      const lockfile = loadLockfile(tempDir);
+      expect(lockfile.lockfileVersion).toBe(LOCKFILE_VERSION);
+    });
+  });
+
+  describe('formatLockfile', () => {
+    test('formats empty lockfile', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {}
+      };
+
+      const output = formatLockfile(lockfile);
+      expect(output).toContain('# cli4ai.lock');
+      expect(output).toContain('lockfileVersion: 1');
+    });
+
+    test('formats packages alphabetically', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {
+          zebra: { name: 'zebra', version: '1.0.0', resolved: '/z' },
+          apple: { name: 'apple', version: '2.0.0', resolved: '/a' },
+          monkey: { name: 'monkey', version: '3.0.0', resolved: '/m' }
+        }
+      };
+
+      const output = formatLockfile(lockfile);
+      const appleIndex = output.indexOf('apple@');
+      const monkeyIndex = output.indexOf('monkey@');
+      const zebraIndex = output.indexOf('zebra@');
+
+      expect(appleIndex).toBeLessThan(monkeyIndex);
+      expect(monkeyIndex).toBeLessThan(zebraIndex);
+    });
+
+    test('includes integrity when present', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {
+          tool: {
+            name: 'tool',
+            version: '1.0.0',
+            resolved: '/path',
+            integrity: 'sha256-abc123'
+          }
+        }
+      };
+
+      const output = formatLockfile(lockfile);
+      expect(output).toContain('integrity: sha256-abc123');
+    });
+
+    test('includes dependencies when present', () => {
+      const lockfile: Lockfile = {
+        lockfileVersion: 1,
+        packages: {
+          tool: {
+            name: 'tool',
+            version: '1.0.0',
+            resolved: '/path',
+            dependencies: {
+              'dep-a': '1.0.0',
+              'dep-b': '2.0.0'
+            }
+          }
+        }
+      };
+
+      const output = formatLockfile(lockfile);
+      expect(output).toContain('dependencies:');
+      expect(output).toContain('dep-a: "1.0.0"');
+      expect(output).toContain('dep-b: "2.0.0"');
+    });
+  });
+});

package/src/core/lockfile.ts

@@ -0,0 +1,308 @@
+/**
+ * Lock file management (cli4ai.lock)
+ *
+ * Tracks installed packages with exact versions and sources
+ * for reproducible installations.
+ *
+ * SECURITY: Includes SRI (Subresource Integrity) hash verification
+ * to detect tampered packages.
+ */
+
+import { readFileSync, writeFileSync, existsSync, readdirSync, statSync } from 'fs';
+import { resolve, join, relative } from 'path';
+import { createHash } from 'crypto';
+
+// ═══════════════════════════════════════════════════════════════════════════
+// TYPES
+// ═══════════════════════════════════════════════════════════════════════════
+
+export interface LockedPackage {
+  name: string;
+  version: string;
+  resolved: string;  // Source path or registry URL
+  integrity?: string; // Future: content hash
+  dependencies?: Record<string, string>;
+}
+
+export interface Lockfile {
+  lockfileVersion: number;
+  packages: Record<string, LockedPackage>;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// CONSTANTS
+// ═══════════════════════════════════════════════════════════════════════════
+
+export const LOCKFILE_NAME = 'cli4ai.lock';
+export const LOCKFILE_VERSION = 1;
+
+// ═══════════════════════════════════════════════════════════════════════════
+// INTEGRITY HASHING (SRI - Subresource Integrity)
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Compute SHA-512 hash of a file and return SRI format string
+ */
+export function computeFileIntegrity(filePath: string): string {
+  const content = readFileSync(filePath);
+  const hash = createHash('sha512').update(content).digest('base64');
+  return `sha512-${hash}`;
+}
+
+/**
+ * Compute SHA-512 hash of a directory's contents (deterministic).
+ * Hashes all files in sorted order to produce a reproducible hash.
+ */
+export function computeDirectoryIntegrity(dirPath: string): string {
+  const hash = createHash('sha512');
+  const files: string[] = [];
+
+  // Recursively collect all files
+  function collectFiles(dir: string): void {
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      // Skip node_modules and hidden directories
+      if (entry.name === 'node_modules' || entry.name.startsWith('.')) continue;
+
+      const fullPath = join(dir, entry.name);
+      if (entry.isDirectory()) {
+        collectFiles(fullPath);
+      } else if (entry.isFile()) {
+        files.push(fullPath);
+      }
+    }
+  }
+
+  collectFiles(dirPath);
+
+  // Sort files for deterministic ordering
+  files.sort();
+
+  // Hash each file's relative path and content
+  for (const filePath of files) {
+    const relativePath = relative(dirPath, filePath);
+    const content = readFileSync(filePath);
+
+    // Include path in hash for structural integrity
+    hash.update(relativePath);
+    hash.update(content);
+  }
+
+  return `sha512-${hash.digest('base64')}`;
+}
+
+/**
+ * Verify a package's integrity against stored hash
+ */
+export function verifyIntegrity(dirPath: string, expectedIntegrity: string): boolean {
+  if (!expectedIntegrity) return true; // No integrity check if not stored
+
+  try {
+    const actualIntegrity = computeDirectoryIntegrity(dirPath);
+    return actualIntegrity === expectedIntegrity;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Result of integrity verification
+ */
+export interface IntegrityCheckResult {
+  valid: boolean;
+  expected?: string;
+  actual?: string;
+  error?: string;
+}
+
+/**
+ * Check integrity of a locked package
+ */
+export function checkPackageIntegrity(
+  projectDir: string,
+  packageName: string,
+  packagePath: string
+): IntegrityCheckResult {
+  const locked = getLockedPackage(projectDir, packageName);
+
+  if (!locked) {
+    return { valid: true }; // No lock entry, can't verify
+  }
+
+  if (!locked.integrity) {
+    return { valid: true }; // No integrity hash stored
+  }
+
+  try {
+    const actualIntegrity = computeDirectoryIntegrity(packagePath);
+
+    if (actualIntegrity === locked.integrity) {
+      return { valid: true, expected: locked.integrity, actual: actualIntegrity };
+    }
+
+    return {
+      valid: false,
+      expected: locked.integrity,
+      actual: actualIntegrity,
+      error: 'Integrity mismatch - package may have been tampered with'
+    };
+  } catch (err) {
+    return {
+      valid: false,
+      expected: locked.integrity,
+      error: `Failed to compute integrity: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Get lock file path for a project
+ */
+export function getLockfilePath(projectDir: string): string {
+  return resolve(projectDir, LOCKFILE_NAME);
+}
+
+/**
+ * Check if lock file exists
+ */
+export function lockfileExists(projectDir: string): boolean {
+  return existsSync(getLockfilePath(projectDir));
+}
+
+/**
+ * Load lock file, returns empty lockfile if doesn't exist
+ */
+export function loadLockfile(projectDir: string): Lockfile {
+  const lockfilePath = getLockfilePath(projectDir);
+
+  if (!existsSync(lockfilePath)) {
+    return {
+      lockfileVersion: LOCKFILE_VERSION,
+      packages: {}
+    };
+  }
+
+  try {
+    const content = readFileSync(lockfilePath, 'utf-8');
+    const data = JSON.parse(content) as Lockfile;
+
+    // Validate version
+    if (data.lockfileVersion !== LOCKFILE_VERSION) {
+      console.error(`Warning: Lock file version mismatch (${data.lockfileVersion} vs ${LOCKFILE_VERSION})`);
+    }
+
+    return data;
+  } catch (err) {
+    console.error('Warning: Could not parse lock file, starting fresh');
+    return {
+      lockfileVersion: LOCKFILE_VERSION,
+      packages: {}
+    };
+  }
+}
+
+/**
+ * Save lock file
+ */
+export function saveLockfile(projectDir: string, lockfile: Lockfile): void {
+  const lockfilePath = getLockfilePath(projectDir);
+  const content = JSON.stringify(lockfile, null, 2) + '\n';
+  writeFileSync(lockfilePath, content);
+}
+
+/**
+ * Add or update a package in the lock file
+ */
+export function lockPackage(
+  projectDir: string,
+  pkg: LockedPackage
+): void {
+  const lockfile = loadLockfile(projectDir);
+  lockfile.packages[pkg.name] = pkg;
+  saveLockfile(projectDir, lockfile);
+}
+
+/**
+ * Remove a package from the lock file
+ */
+export function unlockPackage(projectDir: string, packageName: string): void {
+  const lockfile = loadLockfile(projectDir);
+
+  if (lockfile.packages[packageName]) {
+    delete lockfile.packages[packageName];
+    saveLockfile(projectDir, lockfile);
+  }
+}
+
+/**
+ * Get a locked package by name
+ */
+export function getLockedPackage(
+  projectDir: string,
+  packageName: string
+): LockedPackage | null {
+  const lockfile = loadLockfile(projectDir);
+  return lockfile.packages[packageName] || null;
+}
+
+/**
+ * Get all locked packages
+ */
+export function getLockedPackages(projectDir: string): LockedPackage[] {
+  const lockfile = loadLockfile(projectDir);
+  return Object.values(lockfile.packages);
+}
+
+/**
+ * Check if a package is locked
+ */
+export function isPackageLocked(projectDir: string, packageName: string): boolean {
+  const lockfile = loadLockfile(projectDir);
+  return packageName in lockfile.packages;
+}
+
+/**
+ * Clear all packages from lock file
+ */
+export function clearLockfile(projectDir: string): void {
+  saveLockfile(projectDir, {
+    lockfileVersion: LOCKFILE_VERSION,
+    packages: {}
+  });
+}
+
+/**
+ * Format lock file as human-readable string
+ */
+export function formatLockfile(lockfile: Lockfile): string {
+  const lines: string[] = [
+    `# cli4ai.lock - Auto-generated, do not edit`,
+    `# lockfileVersion: ${lockfile.lockfileVersion}`,
+    ``
+  ];
+
+  const sortedPackages = Object.values(lockfile.packages).sort((a, b) =>
+    a.name.localeCompare(b.name)
+  );
+
+  for (const pkg of sortedPackages) {
+    lines.push(`${pkg.name}@${pkg.version}:`);
+    lines.push(`  resolved: "${pkg.resolved}"`);
+    if (pkg.integrity) {
+      lines.push(`  integrity: ${pkg.integrity}`);
+    }
+    if (pkg.dependencies && Object.keys(pkg.dependencies).length > 0) {
+      lines.push(`  dependencies:`);
+      for (const [depName, depVersion] of Object.entries(pkg.dependencies)) {
+        lines.push(`    ${depName}: "${depVersion}"`);
+      }
+    }
+    lines.push(``);
+  }
+
+  return lines.join('\n');
+}