codex-plugin-doctor 1.12.1 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/core/review-bundle.js +154 -8
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -358,9 +358,9 @@ jobs:
|
|
|
358
358
|
runs-on: ubuntu-latest
|
|
359
359
|
steps:
|
|
360
360
|
- uses: actions/checkout@v5
|
|
361
|
-
- uses: Esquetta/CodexPluginDoctor@v1.
|
|
361
|
+
- uses: Esquetta/CodexPluginDoctor@v1.14.0
|
|
362
362
|
with:
|
|
363
|
-
version: "1.
|
|
363
|
+
version: "1.14.0"
|
|
364
364
|
path: .
|
|
365
365
|
runtime: "true"
|
|
366
366
|
policy: codex-publish
|
|
@@ -10,14 +10,159 @@ import { readJsonFile } from "./read-json-file.js";
|
|
|
10
10
|
function isPlainObject(value) {
|
|
11
11
|
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
12
12
|
}
|
|
13
|
-
function
|
|
13
|
+
function hasExactKeys(value, keys) {
|
|
14
|
+
const actualKeys = Object.keys(value);
|
|
15
|
+
return actualKeys.length === keys.length && keys.every((key) => actualKeys.includes(key));
|
|
16
|
+
}
|
|
17
|
+
function isStatus(value) {
|
|
18
|
+
return value === "pass" || value === "warn" || value === "fail";
|
|
19
|
+
}
|
|
20
|
+
function isRuntimePolicyDecision(value) {
|
|
21
|
+
return value === "allow" ||
|
|
22
|
+
value === "review" ||
|
|
23
|
+
value === "sandbox_recommended" ||
|
|
24
|
+
value === "deny";
|
|
25
|
+
}
|
|
26
|
+
function isBundleFileMap(value) {
|
|
27
|
+
const expectedKeys = Object.keys(relativeBundleFiles());
|
|
28
|
+
return isPlainObject(value) &&
|
|
29
|
+
hasExactKeys(value, expectedKeys) &&
|
|
30
|
+
expectedKeys.every((key) => typeof value[key] === "string");
|
|
31
|
+
}
|
|
32
|
+
function isIntegrityEntry(value) {
|
|
33
|
+
if (!isPlainObject(value)) {
|
|
34
|
+
return false;
|
|
35
|
+
}
|
|
36
|
+
const bytes = value.bytes;
|
|
37
|
+
return typeof value.path === "string" &&
|
|
38
|
+
typeof value.digest === "string" &&
|
|
39
|
+
/^sha256:[a-f0-9]{64}$/.test(value.digest) &&
|
|
40
|
+
typeof bytes === "number" &&
|
|
41
|
+
Number.isSafeInteger(bytes) &&
|
|
42
|
+
bytes >= 0;
|
|
43
|
+
}
|
|
44
|
+
function isManifestIntegrity(value) {
|
|
14
45
|
return isPlainObject(value) &&
|
|
15
|
-
value.
|
|
16
|
-
value.
|
|
17
|
-
|
|
18
|
-
|
|
46
|
+
value.algorithm === "sha256" &&
|
|
47
|
+
isPlainObject(value.files) &&
|
|
48
|
+
Object.values(value.files).every(isIntegrityEntry);
|
|
49
|
+
}
|
|
50
|
+
function valueType(value) {
|
|
51
|
+
return Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
|
|
52
|
+
}
|
|
53
|
+
function describeExpectedType(pathName, expected, actual) {
|
|
54
|
+
return `${pathName} expected ${expected}, got ${valueType(actual)}.`;
|
|
55
|
+
}
|
|
56
|
+
function validateManifestFileMap(value) {
|
|
57
|
+
if (!isPlainObject(value)) {
|
|
58
|
+
return [describeExpectedType("files", "object", value)];
|
|
59
|
+
}
|
|
60
|
+
const expectedKeys = Object.keys(relativeBundleFiles());
|
|
61
|
+
const actualKeys = Object.keys(value);
|
|
62
|
+
const errors = [];
|
|
63
|
+
for (const key of expectedKeys) {
|
|
64
|
+
if (!(key in value)) {
|
|
65
|
+
errors.push(`files.${key} is missing.`);
|
|
66
|
+
}
|
|
67
|
+
else if (typeof value[key] !== "string") {
|
|
68
|
+
errors.push(describeExpectedType(`files.${key}`, "string", value[key]));
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
for (const key of actualKeys) {
|
|
72
|
+
if (!expectedKeys.includes(key)) {
|
|
73
|
+
errors.push(`files.${key} is unexpected.`);
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
return errors;
|
|
77
|
+
}
|
|
78
|
+
function validateManifestIntegrity(value) {
|
|
79
|
+
if (value === undefined) {
|
|
80
|
+
return [];
|
|
81
|
+
}
|
|
82
|
+
if (!isPlainObject(value)) {
|
|
83
|
+
return [describeExpectedType("integrity", "object", value)];
|
|
84
|
+
}
|
|
85
|
+
const errors = [];
|
|
86
|
+
if (value.algorithm !== "sha256") {
|
|
87
|
+
errors.push(`integrity.algorithm expected sha256, got ${String(value.algorithm)}.`);
|
|
88
|
+
}
|
|
89
|
+
if (!isPlainObject(value.files)) {
|
|
90
|
+
errors.push(describeExpectedType("integrity.files", "object", value.files));
|
|
91
|
+
return errors;
|
|
92
|
+
}
|
|
93
|
+
for (const [key, entry] of Object.entries(value.files)) {
|
|
94
|
+
if (!isPlainObject(entry)) {
|
|
95
|
+
errors.push(describeExpectedType(`integrity.files.${key}`, "object", entry));
|
|
96
|
+
continue;
|
|
97
|
+
}
|
|
98
|
+
if (typeof entry.path !== "string") {
|
|
99
|
+
errors.push(describeExpectedType(`integrity.files.${key}.path`, "string", entry.path));
|
|
100
|
+
}
|
|
101
|
+
if (typeof entry.digest !== "string" || !/^sha256:[a-f0-9]{64}$/.test(entry.digest)) {
|
|
102
|
+
errors.push(`integrity.files.${key}.digest expected sha256 digest, got ${valueType(entry.digest)}.`);
|
|
103
|
+
}
|
|
104
|
+
if (typeof entry.bytes !== "number" || !Number.isSafeInteger(entry.bytes) || entry.bytes < 0) {
|
|
105
|
+
errors.push(describeExpectedType(`integrity.files.${key}.bytes`, "non-negative safe integer", entry.bytes));
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
return errors;
|
|
109
|
+
}
|
|
110
|
+
function validateDoctorReviewBundleManifest(value) {
|
|
111
|
+
if (!isPlainObject(value)) {
|
|
112
|
+
return [describeExpectedType("manifest", "object", value)];
|
|
113
|
+
}
|
|
114
|
+
const errors = [];
|
|
115
|
+
if (value.schemaVersion !== "1.0.0") {
|
|
116
|
+
errors.push(`schemaVersion expected 1.0.0, got ${String(value.schemaVersion)}.`);
|
|
117
|
+
}
|
|
118
|
+
if (value.kind !== "doctor.review.bundle") {
|
|
119
|
+
errors.push(`kind expected doctor.review.bundle, got ${String(value.kind)}.`);
|
|
120
|
+
}
|
|
121
|
+
if (typeof value.generatedAt !== "string") {
|
|
122
|
+
errors.push(describeExpectedType("generatedAt", "string", value.generatedAt));
|
|
123
|
+
}
|
|
124
|
+
if (typeof value.version !== "string") {
|
|
125
|
+
errors.push(describeExpectedType("version", "string", value.version));
|
|
126
|
+
}
|
|
127
|
+
if (typeof value.targetPath !== "string") {
|
|
128
|
+
errors.push(describeExpectedType("targetPath", "string", value.targetPath));
|
|
129
|
+
}
|
|
130
|
+
if (typeof value.outputDirectory !== "string") {
|
|
131
|
+
errors.push(describeExpectedType("outputDirectory", "string", value.outputDirectory));
|
|
132
|
+
}
|
|
133
|
+
if (!isStatus(value.status)) {
|
|
134
|
+
errors.push(`status expected pass, warn, or fail, got ${String(value.status)}.`);
|
|
135
|
+
}
|
|
136
|
+
if (value.exitCode !== 0 && value.exitCode !== 1) {
|
|
137
|
+
errors.push(`exitCode expected 0 or 1, got ${String(value.exitCode)}.`);
|
|
138
|
+
}
|
|
139
|
+
if (!isPlainObject(value.summary)) {
|
|
140
|
+
errors.push(describeExpectedType("summary", "object", value.summary));
|
|
141
|
+
}
|
|
142
|
+
else {
|
|
143
|
+
if (!isRuntimePolicyDecision(value.summary.runtimePolicy)) {
|
|
144
|
+
errors.push(`summary.runtimePolicy expected allow, review, sandbox_recommended, or deny, got ${String(value.summary.runtimePolicy)}.`);
|
|
145
|
+
}
|
|
146
|
+
if (typeof value.summary.releaseReady !== "boolean") {
|
|
147
|
+
errors.push(describeExpectedType("summary.releaseReady", "boolean", value.summary.releaseReady));
|
|
148
|
+
}
|
|
149
|
+
if (!isStatus(value.summary.attestation)) {
|
|
150
|
+
errors.push(`summary.attestation expected pass, warn, or fail, got ${String(value.summary.attestation)}.`);
|
|
151
|
+
}
|
|
152
|
+
if (value.summary.releaseEvidence !== "pass" && value.summary.releaseEvidence !== "fail") {
|
|
153
|
+
errors.push(`summary.releaseEvidence expected pass or fail, got ${String(value.summary.releaseEvidence)}.`);
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
errors.push(...validateManifestFileMap(value.files));
|
|
157
|
+
errors.push(...validateManifestIntegrity(value.integrity));
|
|
158
|
+
return errors;
|
|
159
|
+
}
|
|
160
|
+
function isDoctorReviewBundleManifest(value) {
|
|
161
|
+
return validateDoctorReviewBundleManifest(value).length === 0 &&
|
|
162
|
+
isPlainObject(value) &&
|
|
19
163
|
isPlainObject(value.summary) &&
|
|
20
|
-
|
|
164
|
+
isBundleFileMap(value.files) &&
|
|
165
|
+
(value.integrity === undefined || isManifestIntegrity(value.integrity));
|
|
21
166
|
}
|
|
22
167
|
function statusRank(status) {
|
|
23
168
|
return status === "fail" ? 2 : status === "warn" ? 1 : 0;
|
|
@@ -337,7 +482,8 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
337
482
|
let integrityStatus = "pass";
|
|
338
483
|
try {
|
|
339
484
|
const manifestArtifact = await readBundleJsonFile(resolvedBundleDirectory, "manifest.json");
|
|
340
|
-
|
|
485
|
+
const manifestErrors = validateDoctorReviewBundleManifest(manifestArtifact);
|
|
486
|
+
if (manifestErrors.length === 0 && isDoctorReviewBundleManifest(manifestArtifact)) {
|
|
341
487
|
manifest = manifestArtifact;
|
|
342
488
|
checks.push({
|
|
343
489
|
id: "review_bundle.manifest.valid",
|
|
@@ -349,7 +495,7 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
349
495
|
checks.push({
|
|
350
496
|
id: "review_bundle.manifest.valid",
|
|
351
497
|
status: "fail",
|
|
352
|
-
message:
|
|
498
|
+
message: `The review bundle manifest is invalid: ${manifestErrors.slice(0, 3).join(" ")}`
|
|
353
499
|
});
|
|
354
500
|
}
|
|
355
501
|
}
|
package/package.json
CHANGED