codex-plugin-doctor 1.13.0 → 1.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/core/review-bundle.d.ts +4 -0
- package/dist/core/review-bundle.js +135 -18
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -358,9 +358,9 @@ jobs:
|
|
|
358
358
|
runs-on: ubuntu-latest
|
|
359
359
|
steps:
|
|
360
360
|
- uses: actions/checkout@v5
|
|
361
|
-
- uses: Esquetta/CodexPluginDoctor@v1.
|
|
361
|
+
- uses: Esquetta/CodexPluginDoctor@v1.15.0
|
|
362
362
|
with:
|
|
363
|
-
version: "1.
|
|
363
|
+
version: "1.15.0"
|
|
364
364
|
path: .
|
|
365
365
|
runtime: "true"
|
|
366
366
|
policy: codex-publish
|
|
@@ -71,6 +71,10 @@ export interface DoctorReviewBundleVerificationReport {
|
|
|
71
71
|
status: "pass" | "fail";
|
|
72
72
|
message: string;
|
|
73
73
|
}>;
|
|
74
|
+
failedChecks: Array<{
|
|
75
|
+
id: string;
|
|
76
|
+
message: string;
|
|
77
|
+
}>;
|
|
74
78
|
attestation: DoctorAttestationVerificationReport | null;
|
|
75
79
|
releaseEvidence: DoctorReleaseEvidenceVerificationReport | null;
|
|
76
80
|
}
|
|
@@ -47,21 +47,120 @@ function isManifestIntegrity(value) {
|
|
|
47
47
|
isPlainObject(value.files) &&
|
|
48
48
|
Object.values(value.files).every(isIntegrityEntry);
|
|
49
49
|
}
|
|
50
|
+
function valueType(value) {
|
|
51
|
+
return Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
|
|
52
|
+
}
|
|
53
|
+
function describeExpectedType(pathName, expected, actual) {
|
|
54
|
+
return `${pathName} expected ${expected}, got ${valueType(actual)}.`;
|
|
55
|
+
}
|
|
56
|
+
function validateManifestFileMap(value) {
|
|
57
|
+
if (!isPlainObject(value)) {
|
|
58
|
+
return [describeExpectedType("files", "object", value)];
|
|
59
|
+
}
|
|
60
|
+
const expectedKeys = Object.keys(relativeBundleFiles());
|
|
61
|
+
const actualKeys = Object.keys(value);
|
|
62
|
+
const errors = [];
|
|
63
|
+
for (const key of expectedKeys) {
|
|
64
|
+
if (!(key in value)) {
|
|
65
|
+
errors.push(`files.${key} is missing.`);
|
|
66
|
+
}
|
|
67
|
+
else if (typeof value[key] !== "string") {
|
|
68
|
+
errors.push(describeExpectedType(`files.${key}`, "string", value[key]));
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
for (const key of actualKeys) {
|
|
72
|
+
if (!expectedKeys.includes(key)) {
|
|
73
|
+
errors.push(`files.${key} is unexpected.`);
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
return errors;
|
|
77
|
+
}
|
|
78
|
+
function validateManifestIntegrity(value) {
|
|
79
|
+
if (value === undefined) {
|
|
80
|
+
return [];
|
|
81
|
+
}
|
|
82
|
+
if (!isPlainObject(value)) {
|
|
83
|
+
return [describeExpectedType("integrity", "object", value)];
|
|
84
|
+
}
|
|
85
|
+
const errors = [];
|
|
86
|
+
if (value.algorithm !== "sha256") {
|
|
87
|
+
errors.push(`integrity.algorithm expected sha256, got ${String(value.algorithm)}.`);
|
|
88
|
+
}
|
|
89
|
+
if (!isPlainObject(value.files)) {
|
|
90
|
+
errors.push(describeExpectedType("integrity.files", "object", value.files));
|
|
91
|
+
return errors;
|
|
92
|
+
}
|
|
93
|
+
for (const [key, entry] of Object.entries(value.files)) {
|
|
94
|
+
if (!isPlainObject(entry)) {
|
|
95
|
+
errors.push(describeExpectedType(`integrity.files.${key}`, "object", entry));
|
|
96
|
+
continue;
|
|
97
|
+
}
|
|
98
|
+
if (typeof entry.path !== "string") {
|
|
99
|
+
errors.push(describeExpectedType(`integrity.files.${key}.path`, "string", entry.path));
|
|
100
|
+
}
|
|
101
|
+
if (typeof entry.digest !== "string" || !/^sha256:[a-f0-9]{64}$/.test(entry.digest)) {
|
|
102
|
+
errors.push(`integrity.files.${key}.digest expected sha256 digest, got ${valueType(entry.digest)}.`);
|
|
103
|
+
}
|
|
104
|
+
if (typeof entry.bytes !== "number" || !Number.isSafeInteger(entry.bytes) || entry.bytes < 0) {
|
|
105
|
+
errors.push(describeExpectedType(`integrity.files.${key}.bytes`, "non-negative safe integer", entry.bytes));
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
return errors;
|
|
109
|
+
}
|
|
110
|
+
function validateDoctorReviewBundleManifest(value) {
|
|
111
|
+
if (!isPlainObject(value)) {
|
|
112
|
+
return [describeExpectedType("manifest", "object", value)];
|
|
113
|
+
}
|
|
114
|
+
const errors = [];
|
|
115
|
+
if (value.schemaVersion !== "1.0.0") {
|
|
116
|
+
errors.push(`schemaVersion expected 1.0.0, got ${String(value.schemaVersion)}.`);
|
|
117
|
+
}
|
|
118
|
+
if (value.kind !== "doctor.review.bundle") {
|
|
119
|
+
errors.push(`kind expected doctor.review.bundle, got ${String(value.kind)}.`);
|
|
120
|
+
}
|
|
121
|
+
if (typeof value.generatedAt !== "string") {
|
|
122
|
+
errors.push(describeExpectedType("generatedAt", "string", value.generatedAt));
|
|
123
|
+
}
|
|
124
|
+
if (typeof value.version !== "string") {
|
|
125
|
+
errors.push(describeExpectedType("version", "string", value.version));
|
|
126
|
+
}
|
|
127
|
+
if (typeof value.targetPath !== "string") {
|
|
128
|
+
errors.push(describeExpectedType("targetPath", "string", value.targetPath));
|
|
129
|
+
}
|
|
130
|
+
if (typeof value.outputDirectory !== "string") {
|
|
131
|
+
errors.push(describeExpectedType("outputDirectory", "string", value.outputDirectory));
|
|
132
|
+
}
|
|
133
|
+
if (!isStatus(value.status)) {
|
|
134
|
+
errors.push(`status expected pass, warn, or fail, got ${String(value.status)}.`);
|
|
135
|
+
}
|
|
136
|
+
if (value.exitCode !== 0 && value.exitCode !== 1) {
|
|
137
|
+
errors.push(`exitCode expected 0 or 1, got ${String(value.exitCode)}.`);
|
|
138
|
+
}
|
|
139
|
+
if (!isPlainObject(value.summary)) {
|
|
140
|
+
errors.push(describeExpectedType("summary", "object", value.summary));
|
|
141
|
+
}
|
|
142
|
+
else {
|
|
143
|
+
if (!isRuntimePolicyDecision(value.summary.runtimePolicy)) {
|
|
144
|
+
errors.push(`summary.runtimePolicy expected allow, review, sandbox_recommended, or deny, got ${String(value.summary.runtimePolicy)}.`);
|
|
145
|
+
}
|
|
146
|
+
if (typeof value.summary.releaseReady !== "boolean") {
|
|
147
|
+
errors.push(describeExpectedType("summary.releaseReady", "boolean", value.summary.releaseReady));
|
|
148
|
+
}
|
|
149
|
+
if (!isStatus(value.summary.attestation)) {
|
|
150
|
+
errors.push(`summary.attestation expected pass, warn, or fail, got ${String(value.summary.attestation)}.`);
|
|
151
|
+
}
|
|
152
|
+
if (value.summary.releaseEvidence !== "pass" && value.summary.releaseEvidence !== "fail") {
|
|
153
|
+
errors.push(`summary.releaseEvidence expected pass or fail, got ${String(value.summary.releaseEvidence)}.`);
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
errors.push(...validateManifestFileMap(value.files));
|
|
157
|
+
errors.push(...validateManifestIntegrity(value.integrity));
|
|
158
|
+
return errors;
|
|
159
|
+
}
|
|
50
160
|
function isDoctorReviewBundleManifest(value) {
|
|
51
|
-
return
|
|
52
|
-
value
|
|
53
|
-
value.kind === "doctor.review.bundle" &&
|
|
54
|
-
typeof value.generatedAt === "string" &&
|
|
55
|
-
typeof value.version === "string" &&
|
|
56
|
-
typeof value.targetPath === "string" &&
|
|
57
|
-
typeof value.outputDirectory === "string" &&
|
|
58
|
-
isStatus(value.status) &&
|
|
59
|
-
(value.exitCode === 0 || value.exitCode === 1) &&
|
|
161
|
+
return validateDoctorReviewBundleManifest(value).length === 0 &&
|
|
162
|
+
isPlainObject(value) &&
|
|
60
163
|
isPlainObject(value.summary) &&
|
|
61
|
-
isRuntimePolicyDecision(value.summary.runtimePolicy) &&
|
|
62
|
-
typeof value.summary.releaseReady === "boolean" &&
|
|
63
|
-
isStatus(value.summary.attestation) &&
|
|
64
|
-
(value.summary.releaseEvidence === "pass" || value.summary.releaseEvidence === "fail") &&
|
|
65
164
|
isBundleFileMap(value.files) &&
|
|
66
165
|
(value.integrity === undefined || isManifestIntegrity(value.integrity));
|
|
67
166
|
}
|
|
@@ -383,7 +482,8 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
383
482
|
let integrityStatus = "pass";
|
|
384
483
|
try {
|
|
385
484
|
const manifestArtifact = await readBundleJsonFile(resolvedBundleDirectory, "manifest.json");
|
|
386
|
-
|
|
485
|
+
const manifestErrors = validateDoctorReviewBundleManifest(manifestArtifact);
|
|
486
|
+
if (manifestErrors.length === 0 && isDoctorReviewBundleManifest(manifestArtifact)) {
|
|
387
487
|
manifest = manifestArtifact;
|
|
388
488
|
checks.push({
|
|
389
489
|
id: "review_bundle.manifest.valid",
|
|
@@ -395,7 +495,7 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
395
495
|
checks.push({
|
|
396
496
|
id: "review_bundle.manifest.valid",
|
|
397
497
|
status: "fail",
|
|
398
|
-
message:
|
|
498
|
+
message: `The review bundle manifest is invalid: ${manifestErrors.slice(0, 3).join(" ")}`
|
|
399
499
|
});
|
|
400
500
|
}
|
|
401
501
|
}
|
|
@@ -597,7 +697,12 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
597
697
|
message: "The bundled release evidence could not be verified."
|
|
598
698
|
});
|
|
599
699
|
}
|
|
600
|
-
const failedChecks = checks
|
|
700
|
+
const failedChecks = checks
|
|
701
|
+
.filter((check) => check.status === "fail")
|
|
702
|
+
.map((check) => ({
|
|
703
|
+
id: check.id,
|
|
704
|
+
message: check.message
|
|
705
|
+
}));
|
|
601
706
|
const fileChecks = checks.filter((check) => check.id.startsWith("review_bundle.file."));
|
|
602
707
|
const manifestStatus = checks.find((check) => check.id === "review_bundle.manifest.valid")?.status ?? "fail";
|
|
603
708
|
return {
|
|
@@ -617,6 +722,7 @@ export async function verifyDoctorReviewBundle(bundleDirectory, options) {
|
|
|
617
722
|
releaseEvidence: releaseEvidence?.status ?? "fail"
|
|
618
723
|
},
|
|
619
724
|
checks,
|
|
725
|
+
failedChecks,
|
|
620
726
|
attestation,
|
|
621
727
|
releaseEvidence
|
|
622
728
|
};
|
|
@@ -637,10 +743,21 @@ export function renderDoctorReviewBundleVerification(report) {
|
|
|
637
743
|
`Runtime policy: ${report.summary.runtimePolicy.toUpperCase()}`,
|
|
638
744
|
`Attestation: ${report.summary.attestation.toUpperCase()}`,
|
|
639
745
|
`Release evidence: ${report.summary.releaseEvidence.toUpperCase()}`,
|
|
746
|
+
`Failed checks: ${report.failedChecks.length}`,
|
|
640
747
|
"",
|
|
641
|
-
"Checks",
|
|
642
|
-
"
|
|
748
|
+
"Failed Checks",
|
|
749
|
+
"-------------"
|
|
643
750
|
];
|
|
751
|
+
if (report.failedChecks.length === 0) {
|
|
752
|
+
lines.push("None.");
|
|
753
|
+
}
|
|
754
|
+
else {
|
|
755
|
+
for (const check of report.failedChecks) {
|
|
756
|
+
lines.push(`FAIL ${check.id}`);
|
|
757
|
+
lines.push(` ${check.message}`);
|
|
758
|
+
}
|
|
759
|
+
}
|
|
760
|
+
lines.push("", "Checks", "------");
|
|
644
761
|
for (const check of report.checks) {
|
|
645
762
|
lines.push(`${check.status === "pass" ? "PASS" : "FAIL"} ${check.id}`);
|
|
646
763
|
lines.push(` ${check.message}`);
|
package/package.json
CHANGED