decision-guardian 1.1.0

package/dist/adapters/github/github-provider.js

@@ -0,0 +1,260 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitHubProvider = void 0;
+/**
+ * GitHubProvider — ISCMProvider for GitHub Actions context.
+ *
+ * Wraps the existing github-utils.ts logic behind the ISCMProvider interface.
+ * All @actions/github usage is contained here.
+ */
+const github = __importStar(require("@actions/github"));
+const metrics_1 = require("../../core/metrics");
+const comment_1 = require("./comment");
+const MAX_RETRIES = 3;
+const MAX_WAIT_TIME_MS = 6 * 60 * 1000; // 6 minutes
+class GitHubProvider {
+    octokit;
+    logger;
+    token;
+    owner;
+    repo;
+    pullNumber;
+    commentManager;
+    constructor(token, logger) {
+        this.token = token;
+        this.logger = logger;
+        this.octokit = github.getOctokit(token);
+        this.commentManager = new comment_1.CommentManager(token, logger);
+        const context = github.context;
+        if (!context.payload.pull_request) {
+            throw new Error('This action only works on pull_request events');
+        }
+        this.owner = context.repo.owner;
+        this.repo = context.repo.repo;
+        this.pullNumber = context.payload.pull_request.number;
+    }
+    /**
+     * Get list of changed file paths in the PR.
+     */
+    async getChangedFiles() {
+        const files = [];
+        let page = 1;
+        const MAX_PAGES = 30;
+        while (page <= MAX_PAGES) {
+            const { data } = await this.executeWithRateLimit(() => this.octokit.rest.pulls.listFiles({
+                owner: this.owner,
+                repo: this.repo,
+                pull_number: this.pullNumber,
+                per_page: 100,
+                page,
+            }), `fetch files page ${page}`);
+            files.push(...data.map((f) => f.filename.replace(/\\/g, '/')));
+            this.logger.debug(`Fetched page ${page}: ${data.length} files`);
+            if (data.length < 100)
+                break;
+            page++;
+        }
+        if (page > MAX_PAGES) {
+            throw new Error('PR too large for automatic verification');
+        }
+        return files;
+    }
+    /**
+     * Get file diffs with patch content for advanced rule matching.
+     */
+    async getFileDiffs() {
+        const firstPage = await this.executeWithRateLimit(() => this.octokit.rest.pulls.listFiles({
+            owner: this.owner,
+            repo: this.repo,
+            pull_number: this.pullNumber,
+            per_page: 100,
+            page: 1,
+        }), 'fetch files page 1');
+        if (firstPage.data.length < 100) {
+            this.logger.debug(`Fetched all ${firstPage.data.length} file diffs in single request`);
+            return firstPage.data.map((f) => ({
+                filename: f.filename.replace(/\\/g, '/'),
+                status: f.status,
+                additions: f.additions,
+                deletions: f.deletions,
+                changes: f.changes,
+                patch: f.patch || '',
+                previous_filename: f.previous_filename,
+            }));
+        }
+        const fileMap = new Map();
+        let page = 1;
+        const MAX_PAGES = 30;
+        while (page <= MAX_PAGES) {
+            const { data } = page === 1
+                ? firstPage
+                : await this.executeWithRateLimit(() => this.octokit.rest.pulls.listFiles({
+                    owner: this.owner,
+                    repo: this.repo,
+                    pull_number: this.pullNumber,
+                    per_page: 100,
+                    page,
+                }), `fetch diffs page ${page}`);
+            if (data.length === 0)
+                break;
+            for (const file of data) {
+                const normalized = file.filename.replace(/\\/g, '/');
+                fileMap.set(normalized, {
+                    filename: normalized,
+                    status: file.status,
+                    additions: file.additions,
+                    deletions: file.deletions,
+                    changes: file.changes,
+                    patch: file.patch || '',
+                    previous_filename: file.previous_filename,
+                });
+            }
+            this.logger.debug(`Fetched page ${page}: ${data.length} file diffs`);
+            if (data.length < 100)
+                break;
+            page++;
+        }
+        if (page > MAX_PAGES) {
+            throw new Error('PR too large for automatic verification');
+        }
+        return Array.from(fileMap.values());
+    }
+    /**
+     * Stream file diffs for very large PRs.
+     */
+    async *streamFileDiffs() {
+        let page = 1;
+        const MAX_PAGES = 30;
+        while (page <= MAX_PAGES) {
+            const { data } = await this.executeWithRateLimit(() => this.octokit.rest.pulls.listFiles({
+                owner: this.owner,
+                repo: this.repo,
+                pull_number: this.pullNumber,
+                per_page: 100,
+                page,
+            }), `stream diffs page ${page}`);
+            if (data.length === 0)
+                break;
+            yield data.map((f) => ({
+                filename: f.filename.replace(/\\/g, '/'),
+                status: f.status,
+                additions: f.additions,
+                deletions: f.deletions,
+                changes: f.changes,
+                patch: f.patch || '',
+                previous_filename: f.previous_filename,
+            }));
+            if (data.length < 100)
+                break;
+            page++;
+        }
+        if (page > MAX_PAGES) {
+            throw new Error('PR too large for automatic verification');
+        }
+    }
+    /**
+     * Post decision alerts as PR comment.
+     */
+    async postComment(matches) {
+        await this.commentManager.postAlert(matches, {
+            owner: this.owner,
+            repo: this.repo,
+            number: this.pullNumber,
+        });
+    }
+    /**
+     * Post "All Clear" status if previous alerts exist.
+     */
+    async postAllClear() {
+        await this.commentManager.postAllClear({
+            owner: this.owner,
+            repo: this.repo,
+            number: this.pullNumber,
+        });
+    }
+    /**
+     * Execute with rate limit handling (Circuit Breaker pattern).
+     */
+    async executeWithRateLimit(operation, description) {
+        let lastError;
+        for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+            try {
+                metrics_1.metrics.incrementApiCall();
+                return await operation();
+            }
+            catch (error) {
+                const err = error;
+                lastError = error instanceof Error ? error : new Error(String(error));
+                const isRateLimit = (err.status === 403 && err.response?.headers['x-ratelimit-remaining'] === '0') ||
+                    err.status === 429;
+                if (!isRateLimit) {
+                    metrics_1.metrics.incrementApiError();
+                    throw error;
+                }
+                if (attempt >= MAX_RETRIES) {
+                    metrics_1.metrics.incrementApiError();
+                    throw error;
+                }
+                let waitMs = 60000;
+                let calculated = false;
+                if (err.response?.headers['x-ratelimit-reset']) {
+                    const resetEpoch = parseInt(err.response.headers['x-ratelimit-reset'], 10);
+                    if (!isNaN(resetEpoch)) {
+                        waitMs = Math.max(resetEpoch * 1000 - Date.now() + 1000, 1000);
+                        calculated = true;
+                    }
+                }
+                if (!calculated && err.response?.headers['retry-after']) {
+                    const retrySeconds = parseInt(err.response.headers['retry-after'], 10);
+                    if (!isNaN(retrySeconds)) {
+                        waitMs = retrySeconds * 1000;
+                    }
+                }
+                if (waitMs > MAX_WAIT_TIME_MS) {
+                    this.logger.error(`Rate limit hit for ${description}. ` +
+                        `Wait time (${Math.round(waitMs / 60000)}m) exceeds limit.`);
+                    throw error;
+                }
+                metrics_1.metrics.incrementRateLimitHit();
+                this.logger.warning(`Rate limit hit for ${description}. ` +
+                    `Waiting ${Math.round(waitMs / 1000)}s before retry ${attempt}/${MAX_RETRIES}`);
+                await new Promise((resolve) => setTimeout(resolve, waitMs));
+            }
+        }
+        throw lastError || new Error('Operation failed');
+    }
+}
+exports.GitHubProvider = GitHubProvider;

package/dist/adapters/github/health.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateToken = validateToken;
+/**
+ * GitHub-specific health check — validates GitHub token and API access.
+ */
+const github = __importStar(require("@actions/github"));
+/**
+ * Validate that the GitHub token has proper permissions.
+ */
+async function validateToken(token, logger) {
+    try {
+        const octokit = github.getOctokit(token);
+        const { owner, repo } = github.context.repo;
+        await octokit.rest.repos.get({ owner, repo });
+        return true;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logger.error(`GitHub token validation failed: ${message}`);
+        return false;
+    }
+}

package/dist/adapters/local/console-logger.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConsoleLogger = void 0;
+// ANSI color codes
+const RESET = '\x1b[0m';
+const BLUE = '\x1b[34m';
+const YELLOW = '\x1b[33m';
+const RED = '\x1b[31m';
+const GRAY = '\x1b[90m';
+const BOLD = '\x1b[1m';
+const CYAN = '\x1b[36m';
+class ConsoleLogger {
+    groupDepth = 0;
+    info(message) {
+        const indent = this.getIndent();
+        console.log(`${indent}${BLUE}ℹ${RESET} ${message}`);
+    }
+    warning(message) {
+        const indent = this.getIndent();
+        console.warn(`${indent}${YELLOW}⚠${RESET} ${YELLOW}${message}${RESET}`);
+    }
+    error(message) {
+        const indent = this.getIndent();
+        console.error(`${indent}${RED}✖${RESET} ${RED}${message}${RESET}`);
+    }
+    debug(message) {
+        if (process.env.DEBUG || process.env.VERBOSE) {
+            const indent = this.getIndent();
+            console.log(`${indent}${GRAY}[debug]${RESET} ${GRAY}${message}${RESET}`);
+        }
+    }
+    startGroup(name) {
+        const indent = this.getIndent();
+        console.log(`${indent}${BOLD}${CYAN}▸ ${name}${RESET}`);
+        this.groupDepth++;
+    }
+    endGroup() {
+        if (this.groupDepth > 0) {
+            this.groupDepth--;
+        }
+    }
+    getIndent() {
+        return '  '.repeat(this.groupDepth);
+    }
+}
+exports.ConsoleLogger = ConsoleLogger;

package/dist/adapters/local/local-git-provider.js

@@ -0,0 +1,247 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalGitProvider = void 0;
+/**
+ * LocalGitProvider — ISCMProvider for local git repositories.
+ *
+ * Uses `git diff` to get changed files and diffs.
+ * Configuration passed via constructor (diff mode, base branch, working directory).
+ */
+const child_process_1 = require("child_process");
+class LocalGitProvider {
+    config;
+    constructor(config) {
+        // Validate baseBranch to prevent shell injection
+        if (config.baseBranch && !this.isValidBranchName(config.baseBranch)) {
+            throw new Error(`Invalid baseBranch: "${config.baseBranch}". ` +
+                'Branch names must only contain alphanumeric characters, hyphens, underscores, slashes, and dots.');
+        }
+        this.config = {
+            mode: config.mode,
+            baseBranch: config.baseBranch || 'main',
+            cwd: config.cwd || process.cwd(),
+        };
+    }
+    /**
+     * Validate branch name to prevent shell injection.
+     * Allows: letters, numbers, -, _, /, .
+     * Git allows more, but we restrict to safe subset.
+     */
+    isValidBranchName(name) {
+        // Only allow safe characters: alphanumeric, -, _, /, .
+        // Reject shell metacharacters: ; & | $ ` \ " ' < > ( ) etc.
+        // eslint-disable-next-line no-useless-escape
+        return /^[a-zA-Z0-9\-_.\/]+$/.test(name) && name.length > 0 && name.length < 256; // Reasonable length limit
+    }
+    /**
+     * Get list of changed file paths from git diff.
+     * Uses NUL-terminated output to safely handle spaces/newlines/quotes.
+     */
+    async getChangedFiles() {
+        const diffArgs = this.buildDiffArgs();
+        const args = ['diff', ...diffArgs, '--name-only', '-z'];
+        const output = this.execGit(args);
+        return output
+            .split('\0')
+            .map((f) => f.trim())
+            .filter(Boolean)
+            .map((f) => this.normalizePath(f));
+    }
+    /**
+     * Get file diffs with patch content for advanced rule matching.
+     */
+    async getFileDiffs() {
+        const diffArgs = this.buildDiffArgs();
+        const numstatArgs = ['diff', ...diffArgs, '--numstat', '-z', '-M'];
+        const patchArgs = ['diff', ...diffArgs, '-U3', '-M'];
+        const numstatOutput = this.execGit(numstatArgs);
+        const patchOutput = this.execGit(patchArgs);
+        const files = this.parseNumstat(numstatOutput);
+        const patches = this.parsePatchesByFile(patchOutput);
+        return files.map((f) => ({
+            ...f,
+            patch: patches.get(f.filename) || '',
+        }));
+    }
+    /**
+     * Build git diff arguments based on configured mode.
+     * Returns an array of args (safe for execFileSync).
+     */
+    buildDiffArgs() {
+        switch (this.config.mode) {
+            case 'staged':
+                return ['--cached'];
+            case 'branch':
+                return [`${this.config.baseBranch}...HEAD`];
+            case 'all':
+                return ['HEAD'];
+            default:
+                return ['--cached'];
+        }
+    }
+    /**
+     * Execute a git command using execFileSync (no shell).
+     * Args is an array of git arguments (e.g. ['diff', '--name-only', '-z'])
+     */
+    execGit(args) {
+        try {
+            const out = (0, child_process_1.execFileSync)('git', args, {
+                cwd: this.config.cwd,
+                encoding: 'utf-8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+                maxBuffer: 10 * 1024 * 1024, // 10MB for large diffs
+            });
+            // execFileSync with encoding returns string already
+            return String(out).trim();
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`Git command failed: git ${args.join(' ')}\n${message}`);
+        }
+    }
+    /**
+     * Normalize path: unescape backslash escapes and use forward slashes.
+     */
+    normalizePath(raw) {
+        // Git may escape characters with backslashes in some outputs; unescape common escapes
+        // e.g. "a\\/b" or "file\\ name" -> remove the escaping backslash
+        const unescaped = raw.replace(/\\(.)/g, '$1');
+        return unescaped.replace(/\\/g, '/').trim();
+    }
+    /**
+     * Parse git diff --numstat -z output into FileDiff objects (without patches).
+     *
+     * Behavior handled:
+     *  - Normal: "<adds>\t<dels>\t<path>\0"
+     *  - Rename-like: "<adds>\t<dels>\0<old_path>\0<new_path>\0"
+     *
+     * We iterate NUL-separated tokens and robustly handle both shapes.
+     */
+    parseNumstat(output) {
+        if (!output)
+            return [];
+        const parts = output.split('\0');
+        const results = [];
+        let i = 0;
+        while (i < parts.length) {
+            const token = parts[i++];
+            if (!token)
+                continue;
+            // token usually looks like "<adds>\t<dels>\t<path>" but for some rename cases it might be "<adds>\t<dels>"
+            const tabParts = token.split('\t');
+            const additionsRaw = tabParts[0] ?? '-';
+            const deletionsRaw = tabParts[1] ?? '-';
+            const additions = additionsRaw === '-' ? 0 : parseInt(additionsRaw, 10) || 0;
+            const deletions = deletionsRaw === '-' ? 0 : parseInt(deletionsRaw, 10) || 0;
+            // prefer filename inline if present
+            if (tabParts.length >= 3) {
+                const filenameRaw = tabParts.slice(2).join('\t');
+                const filename = this.normalizePath(filenameRaw);
+                const status = additions > 0 && deletions === 0
+                    ? 'added'
+                    : additions === 0 && deletions > 0
+                        ? 'removed'
+                        : 'modified';
+                results.push({
+                    filename,
+                    status,
+                    additions,
+                    deletions,
+                    changes: additions + deletions,
+                });
+                continue;
+            }
+            // If we get here, the token did not include a filename -- filenames come in subsequent NUL-separated tokens.
+            // Consume next NUL parts for old/new.
+            const next1 = i < parts.length ? parts[i++] : '';
+            // Peek to see if there's another token (rename case)
+            const peek = i < parts.length ? parts[i] : undefined;
+            let filename = '';
+            let status = 'modified';
+            if (peek !== undefined && peek !== '') {
+                // Treat as rename: next1 = old, peek = new
+                const next2 = parts[i++];
+                filename = this.normalizePath(next2);
+                status = 'renamed';
+            }
+            else {
+                // Single following filename
+                filename = this.normalizePath(next1 || '');
+                status =
+                    additions > 0 && deletions === 0
+                        ? 'added'
+                        : additions === 0 && deletions > 0
+                            ? 'removed'
+                            : 'modified';
+            }
+            if (filename) {
+                results.push({
+                    filename,
+                    status,
+                    additions,
+                    deletions,
+                    changes: additions + deletions,
+                });
+            }
+        }
+        return results;
+    }
+    /**
+     * Parse unified diff output and split by file.
+     * Tries to robustly extract the b/<path> filename from the diff header whether
+     * paths are quoted or not, and unescapes where necessary.
+     */
+    parsePatchesByFile(output) {
+        const patches = new Map();
+        if (!output)
+            return patches;
+        // Split by diff header (keep header with section)
+        const sections = output.split(/(?=^diff --git )/m);
+        for (const section of sections) {
+            if (!section.trim())
+                continue;
+            // Several header forms:
+            // diff --git a/path b/path
+            // diff --git "a/path with space" "b/path with space"
+            // We capture both sides and prefer the b/ path
+            let filename;
+            // Try unquoted first
+            const standardMatch = section.match(/^diff --git a\/(.+?) b\/(.+?)(?:\s|$)/m);
+            if (standardMatch) {
+                filename = standardMatch[2];
+            }
+            else {
+                // Try quoted "a/..." "b/..."
+                const quotedMatch = section.match(/^diff --git "(?:a\/(.+?))" "(?:b\/(.+?))"(?:\s|$)/m);
+                if (quotedMatch) {
+                    filename = quotedMatch[2];
+                }
+                else {
+                    // As a last resort, try to parse rename/from/to lines
+                    const rnFrom = section.match(/^rename from (.+)$/m);
+                    const rnTo = section.match(/^rename to (.+)$/m);
+                    if (rnTo)
+                        filename = rnTo[1].trim();
+                    else if (rnFrom)
+                        filename = rnFrom[1].trim();
+                }
+            }
+            if (!filename)
+                continue;
+            filename = this.normalizePath(filename);
+            // Find first hunk start for patch contents
+            const hunkStart = section.search(/^@@/m);
+            if (hunkStart !== -1) {
+                // include the hunk(s) only for patch (from first @@ onward)
+                const patch = section.substring(hunkStart);
+                patches.set(filename, patch);
+            }
+            else {
+                // No hunks (maybe binary or mode-only changes); store whole section
+                patches.set(filename, section);
+            }
+        }
+        return patches;
+    }
+}
+exports.LocalGitProvider = LocalGitProvider;