dw-kit 1.3.4 → 1.3.6

package/src/lib/sc-scanner.mjs

@@ -0,0 +1,321 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+export const LOCKFILE_NAMES = ['package-lock.json', 'npm-shrinkwrap.json'];
+
+export function findLockfile(rootDir = process.cwd()) {
+  for (const name of LOCKFILE_NAMES) {
+    const p = join(rootDir, name);
+    if (existsSync(p)) return p;
+  }
+  return null;
+}
+
+export function parsePackageLockfile(filepath) {
+  const raw = readFileSync(filepath, 'utf-8');
+  const data = JSON.parse(raw);
+
+  const out = new Map();
+
+  if (data.packages && typeof data.packages === 'object') {
+    for (const [key, info] of Object.entries(data.packages)) {
+      if (!key || key === '') continue;
+      if (!info || !info.version) continue;
+
+      const name = info.name || key.replace(/^node_modules\//, '').replace(/.*\/node_modules\//, '');
+      if (!name) continue;
+      if (!out.has(name)) out.set(name, info.version);
+    }
+    return out;
+  }
+
+  if (data.dependencies && typeof data.dependencies === 'object') {
+    walkDeps(data.dependencies, out);
+  }
+
+  return out;
+}
+
+function walkDeps(deps, out) {
+  for (const [name, info] of Object.entries(deps)) {
+    if (info && info.version && !out.has(name)) {
+      out.set(name, info.version);
+    }
+    if (info && info.dependencies) walkDeps(info.dependencies, out);
+  }
+}
+
+export function compareVersions(a, b) {
+  const norm = (v) => String(v).split('-')[0].split('+')[0].split('.').map((s) => parseInt(s, 10) || 0);
+  const pa = norm(a);
+  const pb = norm(b);
+  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+    const x = pa[i] || 0;
+    const y = pb[i] || 0;
+    if (x !== y) return x - y;
+  }
+  return 0;
+}
+
+export function versionInRange(version, range) {
+  if (!range || !range.events || !Array.isArray(range.events)) return false;
+
+  let affected = false;
+  let lastIntroduced = null;
+  let lastFixed = null;
+
+  const events = range.events.slice().sort((e1, e2) => {
+    const v1 = e1.introduced || e1.fixed || e1.last_affected || '0.0.0';
+    const v2 = e2.introduced || e2.fixed || e2.last_affected || '0.0.0';
+    return compareVersions(v1, v2);
+  });
+
+  for (const evt of events) {
+    if (evt.introduced !== undefined) lastIntroduced = evt.introduced;
+    if (evt.fixed !== undefined) lastFixed = evt.fixed;
+    if (evt.last_affected !== undefined) lastFixed = evt.last_affected;
+  }
+
+  if (lastIntroduced !== null && compareVersions(version, lastIntroduced) >= 0) {
+    affected = true;
+  }
+  if (affected && lastFixed !== null && compareVersions(version, lastFixed) >= 0) {
+    if (range.type === 'SEMVER' || range.type === 'ECOSYSTEM') affected = false;
+  }
+
+  return affected;
+}
+
+export function matchAdvisory(packageName, version, advisory) {
+  if (!advisory || !advisory.affected) return null;
+
+  for (const aff of advisory.affected) {
+    const affName = aff.package?.name || aff.package_name || aff.name;
+    if (affName !== packageName) continue;
+
+    if (Array.isArray(aff.versions) && aff.versions.includes(version)) {
+      return buildMatch(packageName, version, advisory, aff);
+    }
+
+    if (Array.isArray(aff.ranges)) {
+      for (const range of aff.ranges) {
+        if (versionInRange(version, range)) {
+          return buildMatch(packageName, version, advisory, aff);
+        }
+      }
+    }
+  }
+  return null;
+}
+
+function buildMatch(packageName, version, advisory, aff) {
+  const fixVersions = [];
+  if (Array.isArray(aff.ranges)) {
+    for (const range of aff.ranges) {
+      if (Array.isArray(range.events)) {
+        for (const evt of range.events) {
+          if (evt.fixed) fixVersions.push(evt.fixed);
+        }
+      }
+    }
+  }
+
+  const severity = pickSeverity(advisory);
+
+  return {
+    package: packageName,
+    version,
+    advisory_id: advisory.id,
+    summary: advisory.summary || '',
+    severity,
+    fix_versions: fixVersions,
+    references: (advisory.references || []).map((r) => r.url || r).filter(Boolean),
+  };
+}
+
+function pickSeverity(advisory) {
+  if (Array.isArray(advisory.severity) && advisory.severity.length > 0) {
+    const cvss = advisory.severity.find((s) => s.type && s.type.startsWith('CVSS'));
+    if (cvss && cvss.score) return cvssToLabel(cvss.score);
+  }
+  if (advisory.database_specific?.severity) return String(advisory.database_specific.severity).toLowerCase();
+  return 'unknown';
+}
+
+function cvssToLabel(score) {
+  if (typeof score === 'string') {
+    const m = score.match(/\d+(\.\d+)?/);
+    if (m) score = parseFloat(m[0]);
+  }
+  if (typeof score !== 'number') return 'unknown';
+  if (score >= 9.0) return 'critical';
+  if (score >= 7.0) return 'high';
+  if (score >= 4.0) return 'medium';
+  if (score > 0) return 'low';
+  return 'unknown';
+}
+
+export function scanProject(rootDir, snapshot) {
+  const result = {
+    lockfile: null,
+    packages_scanned: 0,
+    matches: [],
+    snapshot_meta: snapshot ? { fetched_at: snapshot.fetched_at, source: snapshot.source } : null,
+  };
+
+  const lockPath = findLockfile(rootDir);
+  if (!lockPath) {
+    result.error = 'no_lockfile';
+    return result;
+  }
+  result.lockfile = lockPath;
+
+  if (!snapshot || !Array.isArray(snapshot.advisories)) {
+    result.error = 'no_snapshot';
+    return result;
+  }
+
+  const packages = parsePackageLockfile(lockPath);
+  result.packages_scanned = packages.size;
+
+  for (const [name, version] of packages) {
+    for (const adv of snapshot.advisories) {
+      const m = matchAdvisory(name, version, adv);
+      if (m) result.matches.push(m);
+    }
+  }
+
+  return result;
+}
+
+export function severityRank(label) {
+  return { critical: 4, high: 3, medium: 2, low: 1, unknown: 0 }[label] || 0;
+}
+
+export function worstSeverity(matches) {
+  if (!matches || matches.length === 0) return null;
+  return matches.reduce((acc, m) => (severityRank(m.severity) > severityRank(acc) ? m.severity : acc), 'unknown');
+}
+
+// ── Pre-install scan helpers (package.json without lockfile) ────────────────
+
+export function parsePackageJson(filepath) {
+  const raw = readFileSync(filepath, 'utf-8');
+  const data = JSON.parse(raw);
+  const out = new Map();
+  for (const section of ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']) {
+    if (data[section] && typeof data[section] === 'object') {
+      for (const [name, range] of Object.entries(data[section])) {
+        if (typeof range === 'string' && !out.has(name)) out.set(name, range);
+      }
+    }
+  }
+  return out;
+}
+
+export function findPackageJson(rootDir = process.cwd()) {
+  const p = join(rootDir, 'package.json');
+  return existsSync(p) ? p : null;
+}
+
+export function matchPackageByName(packageName, advisories) {
+  const hits = [];
+  for (const adv of advisories || []) {
+    if (!adv.affected) continue;
+    for (const aff of adv.affected) {
+      const affName = aff.package?.name || aff.package_name || aff.name;
+      if (affName !== packageName) continue;
+
+      const fixVersions = [];
+      if (Array.isArray(aff.ranges)) {
+        for (const range of aff.ranges) {
+          if (Array.isArray(range.events)) {
+            for (const evt of range.events) if (evt.fixed) fixVersions.push(evt.fixed);
+          }
+        }
+      }
+      hits.push({
+        advisory_id: adv.id,
+        summary: adv.summary || '',
+        severity: pickSeverity(adv),
+        fix_versions: fixVersions,
+        references: (adv.references || []).map((r) => r.url || r).filter(Boolean),
+      });
+      break;
+    }
+  }
+  return hits;
+}
+
+function stripVersionPrefix(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/(\d+\.\d+\.\d+[\w.\-+]*)/);
+  return m ? m[1] : null;
+}
+
+function isRangeSpec(v) {
+  if (!v || typeof v !== 'string') return false;
+  return /^[\^~]|\s|^[<>=]/.test(v.trim());
+}
+
+export function matchNamespaceFixture(packages, fixture) {
+  const now = new Date();
+  const hits = [];
+  for (const entry of fixture?.namespaces || []) {
+    if (entry.active_until && new Date(entry.active_until) < now) continue;
+    if (!entry.pattern) continue;
+
+    for (const [name, version] of packages) {
+      const prefixMatch = name.startsWith(entry.pattern) || name === entry.pattern;
+      if (!prefixMatch) continue;
+
+      // Version-aware gate (per ADR-0006):
+      //   - Concrete version (1.2.3) → strict in-range check; skip on miss (no FP)
+      //   - Range spec (^1.2.3, ~1.2.3, >=1.2.3) → ambiguity flag with downgrade
+      //     (resolve-on-install could land in affected range; warn but don't block)
+      //   - No affected_range → prefix-only, severity downgraded one tier
+      let versionCheck = 'no-range';
+      let severity = entry.severity || 'high';
+      if (entry.affected_range && version) {
+        const concrete = stripVersionPrefix(version);
+        if (concrete && !isRangeSpec(version)) {
+          if (versionInRange(concrete, entry.affected_range)) {
+            versionCheck = 'in-range';
+          } else {
+            continue;
+          }
+        } else if (concrete && isRangeSpec(version)) {
+          // package.json range — we don't know which version will resolve.
+          // Be cautious: flag with downgrade unless the range's lower bound is
+          // already beyond the fixed version (then certainly safe).
+          const fixedEvent = (entry.affected_range.events || []).find((e) => e.fixed);
+          if (fixedEvent && compareVersions(concrete, fixedEvent.fixed) >= 0) {
+            continue;
+          }
+          versionCheck = 'range-ambiguous';
+          if (severity === 'critical') severity = 'high';
+        } else {
+          versionCheck = 'unresolvable-range';
+          if (severity === 'critical') severity = 'high';
+          else if (severity === 'high') severity = 'medium';
+        }
+      } else if (!entry.affected_range) {
+        versionCheck = 'prefix-only';
+        if (severity === 'critical') severity = 'high';
+      }
+
+      hits.push({
+        package: name,
+        version: version || null,
+        namespace_pattern: entry.pattern,
+        reason: entry.reason,
+        advisory_url: entry.advisory,
+        active_until: entry.active_until,
+        guidance: entry.guidance,
+        severity,
+        version_check: versionCheck,
+      });
+    }
+  }
+  return hits;
+}

package/src/lib/sc-sync.mjs

@@ -0,0 +1,288 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { createHash } from 'node:crypto';
+import { parsePackageLockfile, findLockfile } from './sc-scanner.mjs';
+
+const SECURITY_DIR = '.dw/security';
+const SNAPSHOT_FILE = 'advisory-snapshot.json';
+const SCHEMA_VERSION = '1.0';
+const OSV_BATCH_ENDPOINT = 'https://api.osv.dev/v1/querybatch';
+const STALE_DAYS_DEFAULT = 7;
+const FETCH_TIMEOUT_MS = 15000;
+
+// OSV.dev /v1/querybatch hard cap is 1000 entries per request.
+// Concurrency=2 + jittered backoff keeps us polite to a public free-tier API.
+const OSV_BATCH_LIMIT = 1000;
+const OSV_BATCH_CONCURRENCY = 2;
+const OSV_BATCH_RETRY_MAX = 3;
+const OSV_BATCH_RETRY_BASE_MS = 500;
+
+export function snapshotPath(rootDir = process.cwd()) {
+  return join(rootDir, SECURITY_DIR, SNAPSHOT_FILE);
+}
+
+export function loadSnapshot(rootDir = process.cwd()) {
+  const p = snapshotPath(rootDir);
+  if (!existsSync(p)) return null;
+  try {
+    const raw = readFileSync(p, 'utf-8');
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+export function snapshotAgeDays(snapshot) {
+  if (!snapshot || !snapshot.fetched_at) return Infinity;
+  const fetched = new Date(snapshot.fetched_at).getTime();
+  if (!fetched) return Infinity;
+  return (Date.now() - fetched) / (1000 * 60 * 60 * 24);
+}
+
+export function isStale(snapshot, maxDays = STALE_DAYS_DEFAULT) {
+  return snapshotAgeDays(snapshot) > maxDays;
+}
+
+export function isSchemaCompatible(snapshot) {
+  if (!snapshot || !snapshot.schema_version) return false;
+  return snapshot.schema_version === SCHEMA_VERSION;
+}
+
+function ensureSecurityDir(rootDir) {
+  const dir = join(rootDir, SECURITY_DIR);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+export function saveSnapshot(snapshot, rootDir = process.cwd()) {
+  ensureSecurityDir(rootDir);
+  const target = snapshotPath(rootDir);
+
+  const body = JSON.stringify(snapshot, null, 2) + '\n';
+  const sha = createHash('sha256').update(body).digest('hex');
+  snapshot.snapshot_sha = `sha256:${sha.slice(0, 16)}`;
+
+  const finalBody = JSON.stringify(snapshot, null, 2) + '\n';
+  writeFileSync(target, finalBody, 'utf-8');
+  return target;
+}
+
+export async function fetchOsvBatch(queries, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(OSV_BATCH_ENDPOINT, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ queries }),
+      signal: controller.signal,
+    });
+    if (!res.ok) {
+      const err = new Error(`OSV batch HTTP ${res.status}`);
+      err.status = res.status;
+      err.retryable = res.status === 429 || res.status === 503 || res.status === 502 || res.status === 504;
+      throw err;
+    }
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+function chunkArray(arr, size) {
+  const out = [];
+  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
+  return out;
+}
+
+async function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function fetchOsvBatchWithRetry(queries, chunkIndex, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  let lastErr;
+  for (let attempt = 0; attempt < OSV_BATCH_RETRY_MAX; attempt++) {
+    try {
+      return await fetchOsvBatch(queries, { timeoutMs });
+    } catch (e) {
+      lastErr = e;
+      if (!e.retryable || attempt === OSV_BATCH_RETRY_MAX - 1) break;
+      const jitter = Math.floor(Math.random() * 200);
+      const delay = OSV_BATCH_RETRY_BASE_MS * Math.pow(2, attempt) + jitter;
+      await sleep(delay);
+    }
+  }
+  // Wrap with chunk diagnostics for the synthesis layer
+  const wrapped = new Error(`OSV batch chunk ${chunkIndex} failed: ${lastErr.message}`);
+  wrapped.cause = lastErr;
+  wrapped.chunkIndex = chunkIndex;
+  wrapped.retryable = lastErr.retryable;
+  throw wrapped;
+}
+
+export async function fetchOsvByName(packageName, ecosystem = 'npm', { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch('https://api.osv.dev/v1/query', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ package: { name: packageName, ecosystem } }),
+      signal: controller.signal,
+    });
+    if (!res.ok) throw new Error(`OSV name-query HTTP ${res.status}`);
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+export async function fetchOsvDetail(vulnId, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(`https://api.osv.dev/v1/vulns/${vulnId}`, { signal: controller.signal });
+    if (!res.ok) throw new Error(`OSV detail HTTP ${res.status}`);
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosystem = 'npm' } = {}) {
+  const lockPath = findLockfile(rootDir);
+  if (!lockPath) {
+    const err = new Error('No lockfile found (expected package-lock.json)');
+    err.code = 'NO_LOCKFILE';
+    throw err;
+  }
+
+  const packages = parsePackageLockfile(lockPath);
+  const queries = [];
+  const queryIndex = [];
+  for (const [name, version] of packages) {
+    queries.push({ package: { name, ecosystem }, version });
+    queryIndex.push({ name, version });
+  }
+
+  if (queries.length === 0) {
+    const empty = buildEmptySnapshot(ecosystem);
+    saveSnapshot(empty, rootDir);
+    return { snapshot: empty, advisoryCount: 0, packageCount: 0, partial: false, chunks: { total: 0, succeeded: 0, failed: 0 } };
+  }
+
+  const chunks = chunkArray(queries, OSV_BATCH_LIMIT);
+  const chunkOutcomes = [];
+  // Process with bounded concurrency. allSettled so a single chunk failure
+  // does not discard sibling successes — critical for fail-soft behavior.
+  for (let i = 0; i < chunks.length; i += OSV_BATCH_CONCURRENCY) {
+    const slice = chunks.slice(i, i + OSV_BATCH_CONCURRENCY);
+    const settled = await Promise.allSettled(
+      slice.map((chunk, j) => fetchOsvBatchWithRetry(chunk, i + j))
+    );
+    for (let j = 0; j < settled.length; j++) {
+      chunkOutcomes.push({ index: i + j, ...settled[j] });
+    }
+  }
+
+  const vulnIds = new Set();
+  const failedChunks = [];
+  for (const outcome of chunkOutcomes) {
+    if (outcome.status === 'fulfilled') {
+      const batchResults = outcome.value;
+      if (batchResults && Array.isArray(batchResults.results)) {
+        for (const r of batchResults.results) {
+          if (r && Array.isArray(r.vulns)) {
+            for (const v of r.vulns) if (v.id) vulnIds.add(v.id);
+          }
+        }
+      }
+    } else {
+      failedChunks.push({ index: outcome.index, message: outcome.reason?.message || String(outcome.reason) });
+    }
+  }
+
+  // Hard fail only when ALL chunks failed — otherwise emit partial snapshot.
+  if (failedChunks.length === chunkOutcomes.length) {
+    const err = new Error(`All ${chunkOutcomes.length} OSV batch chunk(s) failed; first: ${failedChunks[0].message}`);
+    err.code = 'SYNC_ALL_CHUNKS_FAILED';
+    err.failedChunks = failedChunks;
+    throw err;
+  }
+
+  const advisories = [];
+  for (const id of vulnIds) {
+    try {
+      const detail = await fetchOsvDetail(id);
+      if (detail) advisories.push(detail);
+    } catch {
+      // skip — do not fail entire sync on single detail failure
+    }
+  }
+
+  const partial = failedChunks.length > 0;
+  const snapshot = {
+    schema_version: SCHEMA_VERSION,
+    fetched_at: new Date().toISOString(),
+    source: 'osv.dev',
+    ecosystem,
+    package_count: queryIndex.length,
+    advisory_count: advisories.length,
+    advisories,
+    partial,
+    chunks: {
+      total: chunkOutcomes.length,
+      succeeded: chunkOutcomes.length - failedChunks.length,
+      failed: failedChunks.length,
+      failed_indices: failedChunks.map((c) => c.index),
+    },
+  };
+
+  saveSnapshot(snapshot, rootDir);
+  return {
+    snapshot,
+    advisoryCount: advisories.length,
+    packageCount: queryIndex.length,
+    partial,
+    chunks: snapshot.chunks,
+  };
+}
+
+function buildEmptySnapshot(ecosystem) {
+  return {
+    schema_version: SCHEMA_VERSION,
+    fetched_at: new Date().toISOString(),
+    source: 'osv.dev',
+    ecosystem,
+    package_count: 0,
+    advisory_count: 0,
+    advisories: [],
+    partial: false,
+    chunks: { total: 0, succeeded: 0, failed: 0, failed_indices: [] },
+  };
+}
+
+export function snapshotInfo(rootDir = process.cwd()) {
+  const p = snapshotPath(rootDir);
+  if (!existsSync(p)) {
+    return { exists: false };
+  }
+  const stat = statSync(p);
+  const snap = loadSnapshot(rootDir);
+  return {
+    exists: true,
+    path: p,
+    mtimeMs: stat.mtimeMs,
+    fetched_at: snap?.fetched_at || null,
+    source: snap?.source || null,
+    ecosystem: snap?.ecosystem || null,
+    schema_version: snap?.schema_version || null,
+    advisory_count: snap?.advisory_count ?? (Array.isArray(snap?.advisories) ? snap.advisories.length : 0),
+    package_count: snap?.package_count ?? 0,
+    age_days: snap ? snapshotAgeDays(snap) : Infinity,
+    stale: snap ? isStale(snap) : true,
+    schema_compatible: isSchemaCompatible(snap),
+    partial: snap?.partial === true,
+    chunks: snap?.chunks || null,
+  };
+}

package/src/lib/telemetry.mjs

@@ -62,11 +62,35 @@ export function summarize(events) {
   const bySkill = {};
   const byHook = {};
   const byTask = {};
+  const bySupplyChain = { scan_run: 0, block: 0, allow: 0, sync: 0 };
+  // ADR-0005 sunset review: separate OSV catches from fixture catches.
+  // A catch from a curated namespace fixture is NOT evidence the OSV-based
+  // guard worked; conflating them would compromise the 2026-08-12 retire/keep decision.
+  const supplyChainBySource = { osv: 0, fixture: 0, mixed: 0, unknown: 0 };
+  const supplyChainPartial = { partial_syncs: 0, partial_scans: 0 };
 
   for (const e of events) {
     if (e.event === 'skill') bySkill[e.name] = (bySkill[e.name] || 0) + 1;
     else if (e.event === 'hook') byHook[e.name] = (byHook[e.name] || 0) + 1;
     else if (e.event === 'task') byTask[e.action || 'unknown'] = (byTask[e.action || 'unknown'] || 0) + 1;
+    else if (e.event === 'sc_guard') {
+      const action = e.action || e.name || 'scan_run';
+      if (bySupplyChain[action] === undefined) bySupplyChain[action] = 0;
+      bySupplyChain[action]++;
+
+      // Track block/allow source for sunset-review integrity.
+      // Pre-install mode reports block_source explicitly (fixture vs osv vs mixed).
+      // Scan/JSON/update-db modes report source=osv directly.
+      if (action === 'block' || action === 'allow') {
+        const src = e.block_source || e.source || 'unknown';
+        const key = src === 'pre-install-mixed' ? 'mixed' : src.startsWith('fixture+') ? 'mixed' : src;
+        if (supplyChainBySource[key] === undefined) supplyChainBySource[key] = 0;
+        supplyChainBySource[key]++;
+      }
+
+      if (action === 'sync' && e.partial === true) supplyChainPartial.partial_syncs++;
+      if (action === 'scan_run' && e.partial_snapshot === true) supplyChainPartial.partial_scans++;
+    }
   }
 
   return {
@@ -74,6 +98,9 @@ export function summarize(events) {
     bySkill,
     byHook,
     byTask,
+    bySupplyChain,
+    supplyChainBySource,
+    supplyChainPartial,
     dateRange:
       events.length > 0 ? { from: events[0].ts, to: events[events.length - 1].ts } : null,
   };