ghcr-manager 0.9.6 → 0.9.8

package/dist/cleanup-summary/_cleanup-summary.js

@@ -1,10 +1,11 @@
+import { DeletePlanValidationStatuses } from "../db/index.js";
 export function buildCleanupSummary(plan, options) {
     const directTargetTagSet = new Set(plan.directTargetTags);
-    const roots = plan.rootDecisions.map((decision) => _mapRootDecision(decision, directTargetTagSet, options.listRootTags));
-    const fullyDeletableRoots = roots.filter((root) => root.validationStatus === "fully-deletable");
-    const blockedRoots = roots.filter((root) => root.validationStatus === "blocked");
-    const untagOnlyRoots = roots.filter((root) => root.validationStatus === "untag-only");
-    const affectedManifestDigests = options.listAffectedManifestDigests(fullyDeletableRoots.map((root) => root.digest));
+    const roots = plan.rootDecisions.map((decision) => _mapRootDecision(decision, directTargetTagSet, options.rootTagsByVersionId));
+    const fullyDeletableRoots = roots.filter((root) => root.validationStatus === DeletePlanValidationStatuses.fullyDeletable);
+    const blockedRoots = roots.filter((root) => root.validationStatus === DeletePlanValidationStatuses.blocked);
+    const untagOnlyRoots = roots.filter((root) => root.validationStatus === DeletePlanValidationStatuses.untagOnly);
+    const affectedManifests = _listAffectedManifests(plan, fullyDeletableRoots.map((root) => root.digest));
     return {
         command: "cleanup",
         owner: plan.owner,
@@ -17,14 +18,14 @@ export function buildCleanupSummary(plan, options) {
         fullyDeletableRoots,
         untagOnlyRoots,
         blockedRoots,
-        affectedManifests: affectedManifestDigests.map((digest) => ({ digest })),
-        deletedPackageVersions: options.executionSummary?.deletedPackageVersions ?? [],
-        untaggedTags: options.executionSummary?.untaggedTags ?? [],
-        unsupportedUntagRoots: options.executionSummary?.unsupportedUntagRoots ?? []
+        affectedManifests,
+        changes: options.changes,
+        deletedPackageVersionCount: options.executionSummary?.deletedPackageVersionCount ?? 0,
+        detachedTagCount: options.executionSummary?.detachedTagCount ?? 0
     };
 }
-function _mapRootDecision(decision, directTargetTagSet, listRootTags) {
-    const rootTags = listRootTags(decision.versionId);
+function _mapRootDecision(decision, directTargetTagSet, rootTagsByVersionId) {
+    const rootTags = rootTagsByVersionId.get(decision.versionId) ?? [];
     return {
         versionId: decision.versionId,
         digest: decision.digest,
@@ -42,3 +43,17 @@ function _mapRootDecision(decision, directTargetTagSet, listRootTags) {
         overlapManifestKind: decision.overlapManifestKind
     };
 }
+function _listAffectedManifests(plan, fullyDeletableRootDigests) {
+    const fullyDeletableRootDigestSet = new Set(fullyDeletableRootDigests);
+    const manifestsByDigest = new Map();
+    for (const manifest of plan.closureManifests) {
+        if (!fullyDeletableRootDigestSet.has(manifest.sourceDigest)) {
+            continue;
+        }
+        manifestsByDigest.set(manifest.memberDigest, {
+            digest: manifest.memberDigest,
+            manifestKind: manifest.memberManifestKind
+        });
+    }
+    return [...manifestsByDigest.values()].sort((left, right) => left.digest.localeCompare(right.digest));
+}

package/dist/cleanup-summary/index.d.ts

@@ -1,2 +1,2 @@
-export { buildCleanupSummary, type CleanupSummary, type CleanupSummaryAffectedManifest, type CleanupSummaryRoot } from "./_cleanup-summary.js";
+export { buildCleanupSummary, type CleanupSummary, type CleanupSummaryAffectedManifest, type CleanupSummaryChanges, type CleanupSummaryRoot } from "./_cleanup-summary.js";
 export { renderCleanupSummaryMarkdown } from "./_cleanup-summary-markdown.js";

package/dist/cli/_cleanup-command.js

@@ -1,7 +1,9 @@
+import { ManifestKinds } from "../core/index.js";
 import { buildCleanupSummary } from "../cleanup-summary/index.js";
 import { CleanupRunWriter, openDatabase, PlannerRepository } from "../db/index.js";
 import { executeDeletePlan } from "../execute/index.js";
 import { hasFlag, resolveLogLevel, resolveToken } from "./_args.js";
+import { writeJsonOutput } from "./_json-output.js";
 import { createLogger } from "./_logger.js";
 import { loadDeletePlan, resolvePlanCommandInputs } from "./_planner-options.js";
 import { resolveTagSelectors } from "./_tag-selector-resolver.js";
@@ -17,18 +19,19 @@ export async function handleCleanup(args) {
         const scanId = repository.getLatestCompletedScanId(inputs.owner, inputs.packageName);
         logger.debug(`Starting cleanup for ${inputs.owner}/${inputs.packageName}`);
         const plan = loadDeletePlan(repository, resolveTagSelectors(database, inputs));
-        cleanupRunWriter.persistCleanupRun(scanId, plan, {
+        const rootTagsByVersionId = _loadRootTagsByVersionId(database, inputs.owner, inputs.packageName, plan.rootDecisions.map((decision) => decision.versionId));
+        const cleanupRunId = cleanupRunWriter.persistCleanupRun(scanId, plan, {
             dryRun,
             cleanupStartedAt: new Date().toISOString()
         });
         if (dryRun) {
             const summary = buildCleanupSummary(plan, {
                 dryRun: true,
-                listRootTags: (versionId) => _listRootTags(database, inputs.owner, inputs.packageName, versionId),
-                listAffectedManifestDigests: (rootDigests) => _listAffectedManifestDigests(database, scanId, rootDigests)
+                rootTagsByVersionId,
+                changes: _loadSummaryChanges(database, cleanupRunId)
             });
             logger.debug(`Completed dry-run cleanup for ${inputs.owner}/${inputs.packageName}`);
-            console.log(JSON.stringify(summary));
+            writeJsonOutput(args, "--summary-json-path", summary);
             return 0;
         }
         const executionSummary = await executeDeletePlan(plan, {
@@ -38,34 +41,18 @@ export async function handleCleanup(args) {
         });
         const summary = buildCleanupSummary(plan, {
             dryRun: false,
-            listRootTags: (versionId) => _listRootTags(database, inputs.owner, inputs.packageName, versionId),
-            listAffectedManifestDigests: (rootDigests) => _listAffectedManifestDigests(database, scanId, rootDigests),
+            rootTagsByVersionId,
+            changes: _loadSummaryChanges(database, cleanupRunId),
             executionSummary
         });
         logger.debug(`Completed cleanup for ${inputs.owner}/${inputs.packageName}`);
-        console.log(JSON.stringify(summary));
+        writeJsonOutput(args, "--summary-json-path", summary);
         return 0;
     }
     finally {
         database.close();
     }
 }
-function _listAffectedManifestDigests(database, scanId, rootDigests) {
-    if (rootDigests.length === 0) {
-        return [];
-    }
-    const placeholders = rootDigests.map(() => "?").join(", ");
-    const rows = database
-        .prepare(`
-        SELECT DISTINCT descendant_digest AS digest
-        FROM manifest_reachability
-        WHERE scan_id = ?
-          AND ancestor_digest IN (${placeholders})
-        ORDER BY descendant_digest
-      `)
-        .all(scanId, ...rootDigests);
-    return rows.map((row) => row.digest);
-}
 function _listRootTags(database, owner, packageName, versionId) {
     const rows = database
         .prepare(`
@@ -81,3 +68,75 @@ function _listRootTags(database, owner, packageName, versionId) {
         .all(owner, packageName, versionId);
     return rows.map((row) => row.tag);
 }
+function _loadRootTagsByVersionId(database, owner, packageName, versionIds) {
+    const requestedVersionIds = new Set(versionIds);
+    const tagsByVersionId = new Map();
+    for (const versionId of requestedVersionIds) {
+        tagsByVersionId.set(versionId, []);
+    }
+    if (requestedVersionIds.size === 0) {
+        return tagsByVersionId;
+    }
+    const rows = database
+        .prepare(`
+        SELECT tags.version_id, tags.tag
+        FROM tags
+        INNER JOIN v_latest_scan_per_package latest_scan ON latest_scan.scan_id = tags.scan_id
+        WHERE latest_scan.owner = ?
+          AND latest_scan.package_name = ?
+          AND tags.is_digest_tag = 0
+        ORDER BY tags.version_id, tags.tag
+      `)
+        .all(owner, packageName);
+    for (const row of rows) {
+        if (!requestedVersionIds.has(row.version_id)) {
+            continue;
+        }
+        tagsByVersionId.get(row.version_id)?.push(row.tag);
+    }
+    return tagsByVersionId;
+}
+function _loadSummaryChanges(database, cleanupRunId) {
+    const deletedTags = database
+        .prepare(`
+          SELECT COUNT(*) AS count
+          FROM cleanup_selected_tags
+          WHERE cleanup_run_id = ?
+            AND is_deleted = 1
+        `)
+        .get(cleanupRunId).count;
+    const manifestCounts = database
+        .prepare(`
+        WITH fully_deletable_manifests AS (
+          SELECT DISTINCT
+            reachable.descendant_digest AS digest,
+            manifest.manifest_kind
+          FROM cleanup_root_decisions decision
+          JOIN manifest_reachability reachable
+            ON reachable.scan_id = decision.scan_id
+           AND reachable.ancestor_digest = decision.digest
+          JOIN manifests manifest
+            ON manifest.scan_id = reachable.scan_id
+           AND manifest.digest = reachable.descendant_digest
+          WHERE decision.cleanup_run_id = ?
+            AND decision.validation_status = 'fully-deletable'
+        )
+        SELECT
+          manifest_kind,
+          COUNT(*) AS count
+        FROM fully_deletable_manifests
+        GROUP BY manifest_kind
+      `)
+        .all(cleanupRunId);
+    const countsByKind = new Map(manifestCounts.map((row) => [row.manifest_kind ?? "", row.count]));
+    return {
+        deletedTags,
+        deletedImages: countsByKind.get(ManifestKinds.imageManifest) ?? 0,
+        deletedIndexes: countsByKind.get(ManifestKinds.indexManifest) ?? 0,
+        deletedMultiArchManifests: countsByKind.get(ManifestKinds.multiArchManifest) ?? 0,
+        deletedArtifactManifests: countsByKind.get(ManifestKinds.artifactManifest) ?? 0,
+        deletedAttestations: countsByKind.get(ManifestKinds.attestationManifest) ?? 0,
+        deletedSignatures: countsByKind.get(ManifestKinds.signatureManifest) ?? 0,
+        deletedTotal: manifestCounts.reduce((total, row) => total + row.count, 0)
+    };
+}

package/dist/cli/_json-output.d.ts

@@ -0,0 +1 @@
+export declare function writeJsonOutput(args: string[], optionName: string, payload: unknown): void;

package/dist/cli/_json-output.js

@@ -0,0 +1,11 @@
+import { writeFileSync } from "node:fs";
+import { findOption } from "./_args.js";
+export function writeJsonOutput(args, optionName, payload) {
+    const json = JSON.stringify(payload);
+    const outputPath = findOption(args, optionName);
+    if (outputPath) {
+        writeFileSync(outputPath, `${json}\n`, "utf8");
+        return;
+    }
+    console.log(json);
+}

package/dist/cli/_tag-selector-resolver.js

@@ -1,3 +1,7 @@
+const BrokenIndexModes = {
+    allMissing: "all-missing",
+    someMissing: "some-missing"
+};
 export function resolveTagSelectors(database, inputs) {
     if (!inputs.deleteGhostImages && !inputs.deletePartialImages && !inputs.deleteOrphanedImages) {
         return inputs;
@@ -14,13 +18,13 @@ export function resolveTagSelectors(database, inputs) {
     };
 }
 function _listLatestGhostTags(database, owner, packageName, cutoffTimestamp) {
-    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, "all-missing");
+    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, BrokenIndexModes.allMissing);
 }
 function _listLatestPartialTags(database, owner, packageName, cutoffTimestamp) {
-    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, "some-missing");
+    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, BrokenIndexModes.someMissing);
 }
 function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, mode) {
-    const havingClause = mode === "all-missing"
+    const havingClause = mode === BrokenIndexModes.allMissing
         ? "COUNT(*) > 0 AND COUNT(child.digest) = 0"
         : "COUNT(child.digest) > 0 AND COUNT(child.digest) < COUNT(*)";
     const rows = database
@@ -30,7 +34,6 @@ function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestam
           FROM v_latest_scan_per_package
           WHERE owner = ?
             AND package_name = ?
-          LIMIT 1
         ),
         ghost_roots AS (
           SELECT
@@ -93,16 +96,36 @@ function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestam
 function _listLatestOrphanedTags(database, owner, packageName, cutoffTimestamp) {
     const rows = database
         .prepare(`
-        SELECT DISTINCT dtr.tag
-        FROM v_digest_tag_relations dtr
-        INNER JOIN package_versions pv
-          ON pv.scan_id = dtr.scan_id
-         AND pv.version_id = dtr.artifact_version_id
-        WHERE dtr.owner = ?
-          AND dtr.package_name = ?
-          AND dtr.parent_exists = 0
+        WITH latest_scan AS (
+          SELECT scan_id
+          FROM v_latest_scan_per_package
+          WHERE owner = ?
+            AND package_name = ?
+        ),
+        digest_tag_artifacts AS (
+          SELECT
+            t.tag,
+            t.scan_id,
+            t.version_id AS artifact_version_id,
+            'sha256:' || SUBSTR(t.tag, 8, 64) AS parent_digest
+          FROM latest_scan ls
+          JOIN tags t
+            ON t.scan_id = ls.scan_id
+          WHERE t.is_digest_tag = 1
+        )
+        SELECT DISTINCT dta.tag
+        FROM digest_tag_artifacts dta
+        JOIN package_versions pv
+          ON pv.scan_id = dta.scan_id
+         AND pv.version_id = dta.artifact_version_id
+        WHERE NOT EXISTS (
+            SELECT 1
+            FROM manifests parent
+            WHERE parent.scan_id = dta.scan_id
+              AND parent.digest = dta.parent_digest
+          )
           AND (? IS NULL OR pv.created_at < ?)
-        ORDER BY dtr.tag
+        ORDER BY dta.tag
       `)
         .all(owner, packageName, cutoffTimestamp ?? null, cutoffTimestamp ?? null);
     return rows.map((row) => row.tag);

package/dist/cli/index.js

@@ -4,7 +4,6 @@ import { fileURLToPath } from "node:url";
 import { handleCleanup } from "./_cleanup-command.js";
 import { handleDbMerge } from "./_db-merge-command.js";
 import { handleScan } from "./_scan-command.js";
-import { handleUntag } from "./_untag-command.js";
 export async function main(argv) {
     const [command, ...rest] = argv;
     if (!command) {
@@ -18,18 +17,15 @@ export async function main(argv) {
             return handleDbMerge(rest);
         case "scan":
             return handleScan(rest);
-        case "untag":
-            return handleUntag(rest);
         default:
             throw new Error(`unknown command: ${command}`);
     }
 }
 function printUsage() {
     console.error(`Usage:
-  ghcr-manager cleanup --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] --owner <org> --package <name> [--token <token>] <cleanup selectors...> [--exclude-tag <tag> ...] [--use-regex] [--older-than <interval>]
+  ghcr-manager cleanup --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] [--summary-json-path <path>] --owner <org> --package <name> [--token <token>] <cleanup selectors...> [--exclude-tag <tag> ...] [--use-regex] [--older-than <interval>]
   ghcr-manager db-merge --db <target-path> --source-db <path> [--source-db <path> ...]
   ghcr-manager scan --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--github-output <path>] --owner <org> --package <name> --token <token>
-  ghcr-manager untag [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] --owner <org> --package <name> --token <token> --tag <tag> [--tag <tag> ...]
 
 Cleanup selectors:
   --delete-untagged

package/dist/core/_types.d.ts

@@ -1,4 +1,12 @@
-export type ManifestKind = "image_index" | "image_manifest" | "artifact_manifest" | "attestation_manifest" | "signature_manifest";
+export declare const ManifestKinds: {
+    readonly indexManifest: "index_manifest";
+    readonly multiArchManifest: "multi_arch_manifest";
+    readonly imageManifest: "image_manifest";
+    readonly artifactManifest: "artifact_manifest";
+    readonly attestationManifest: "attestation_manifest";
+    readonly signatureManifest: "signature_manifest";
+};
+export type ManifestKind = (typeof ManifestKinds)[keyof typeof ManifestKinds];
 export type ManifestEdgeKind = "image-child" | "referrer" | "digest-tag-referrer";
 export interface PackageVersionRecord {
     versionId: number;
@@ -19,11 +27,6 @@ export interface ManifestRecord {
     subjectDigest?: string;
     annotations?: Record<string, unknown>;
     manifestKind?: ManifestKind;
-    platform?: {
-        architecture?: string;
-        os?: string;
-        variant?: string;
-    };
 }
 export interface ManifestDescriptorRecord {
     parentDigest: string;

package/dist/core/_types.js

@@ -1 +1,8 @@
-export {};
+export const ManifestKinds = {
+    indexManifest: "index_manifest",
+    multiArchManifest: "multi_arch_manifest",
+    imageManifest: "image_manifest",
+    artifactManifest: "artifact_manifest",
+    attestationManifest: "attestation_manifest",
+    signatureManifest: "signature_manifest"
+};

package/dist/core/index.d.ts

@@ -1,4 +1,5 @@
 export type { ManifestEdgeKind, ManifestEdgeRecord, ManifestDescriptorRecord, ManifestKind, ManifestRecord, PackageSnapshot, PackageVersionRecord, TagRecord } from "./_types.js";
+export { ManifestKinds } from "./_types.js";
 export type { HttpErrorResponse } from "./_http-error.js";
 export { buildHttpErrorMessage } from "./_http-error.js";
 export { getOwnerURIComponent } from "./_github-package-owner.js";

package/dist/core/index.js

@@ -1,3 +1,4 @@
+export { ManifestKinds } from "./_types.js";
 export { buildHttpErrorMessage } from "./_http-error.js";
 export { getOwnerURIComponent } from "./_github-package-owner.js";
 export { digestFromDigestTag, isDigestTag } from "./_digest-tag.js";

package/dist/db/_cleanup-run-writer.d.ts

@@ -1,5 +1,5 @@
 import type Database from "better-sqlite3";
-import type { DeletePlan } from "./planner/index.js";
+import { type DeletePlan } from "./planner/index.js";
 export declare class CleanupRunWriter {
     #private;
     constructor(database: Database.Database);

package/dist/db/_cleanup-run-writer.js

@@ -1,8 +1,10 @@
 import { randomUUID } from "node:crypto";
 import { resolveGitHubActionsRunUrl } from "./_github-actions-run-url.js";
+import { DeletePlanValidationStatuses } from "./planner/index.js";
 export class CleanupRunWriter {
     #database;
     #insertSelectedTagStatement;
+    #updateSelectedTagsDeletedStatement;
     #insertRootDecisionStatement;
     #insertProtectedRootBlockStatement;
     #insertCleanupRunStatement;
@@ -12,9 +14,27 @@ export class CleanupRunWriter {
       INSERT INTO cleanup_selected_tags(
         cleanup_run_id,
         scan_id,
-        tag
+        tag,
+        is_deleted
       )
-      VALUES(?, ?, ?)
+      VALUES(?, ?, ?, 0)
+    `);
+        this.#updateSelectedTagsDeletedStatement = this.#database.prepare(`
+      UPDATE cleanup_selected_tags
+      SET is_deleted = 1
+      FROM cleanup_root_decisions decision
+      JOIN manifests manifest
+        ON manifest.scan_id = decision.scan_id
+       AND manifest.digest = decision.digest
+      JOIN tags
+        ON tags.scan_id = manifest.scan_id
+       AND tags.version_id = manifest.version_id
+      WHERE cleanup_selected_tags.cleanup_run_id = ?
+        AND cleanup_selected_tags.scan_id = ?
+        AND decision.cleanup_run_id = cleanup_selected_tags.cleanup_run_id
+        AND decision.scan_id = cleanup_selected_tags.scan_id
+        AND decision.validation_status != 'blocked'
+        AND tags.tag = cleanup_selected_tags.tag
     `);
         this.#insertRootDecisionStatement = this.#database.prepare(`
       INSERT INTO cleanup_root_decisions(
@@ -64,9 +84,6 @@ export class CleanupRunWriter {
     persistCleanupRun(scanId, plan, options) {
         return this.#database.transaction(() => {
             const cleanupRunId = this.#insertCleanupRun(scanId, plan, options);
-            for (const tag of plan.directTargetTags) {
-                this.#insertSelectedTagStatement.run(cleanupRunId, scanId, tag);
-            }
             for (const rootDecision of plan.rootDecisions) {
                 this.#insertRootDecisionStatement.run(cleanupRunId, scanId, rootDecision.digest, rootDecision.selectionMode, rootDecision.selectionReason, rootDecision.validationStatus, rootDecision.validationReasonCode, rootDecision.validationReason, rootDecision.blockingDigest ?? null, rootDecision.overlapDigest ?? null);
             }
@@ -75,6 +92,10 @@ export class CleanupRunWriter {
                     this.#insertProtectedRootBlockStatement.run(cleanupRunId, scanId, protectedRoot.digest, block.blockedDigest, block.blockReasonCode, block.overlapDigest);
                 }
             }
+            for (const tag of plan.directTargetTags) {
+                this.#insertSelectedTagStatement.run(cleanupRunId, scanId, tag);
+            }
+            this.#updateSelectedTagsDeletedStatement.run(cleanupRunId, scanId);
             return cleanupRunId;
         })();
     }
@@ -82,9 +103,9 @@ export class CleanupRunWriter {
         const directTargetTagCount = plan.directTargetTags.length;
         const directTargetRootCount = plan.directTargetRoots.length;
         const deleteRootCandidateCount = plan.directTargetRoots.filter((root) => root.selectionMode === "delete-root").length;
-        const untagOnlyRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === "untag-only").length;
+        const untagOnlyRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === DeletePlanValidationStatuses.untagOnly).length;
         const fullyDeletableRootCount = plan.fullyDeletableRoots.length;
-        const blockedDeleteRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === "blocked").length;
+        const blockedDeleteRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === DeletePlanValidationStatuses.blocked).length;
         const protectedRootCount = plan.protectedRoots.length;
         const result = this.#insertCleanupRunStatement.run(scanId, randomUUID(), options.cleanupStartedAt, resolveGitHubActionsRunUrl(), options.dryRun ? 1 : 0, JSON.stringify(plan.plannerInputs), directTargetTagCount, directTargetRootCount, deleteRootCandidateCount, untagOnlyRootCount, fullyDeletableRootCount, blockedDeleteRootCount, protectedRootCount);
         return Number(result.lastInsertRowid);

package/dist/db/_db-merge-cleanup-copy.js

@@ -112,12 +112,14 @@ export class DbMergeCleanupCopy {
       INSERT INTO cleanup_selected_tags(
         cleanup_run_id,
         scan_id,
-        tag
+        tag,
+        is_deleted
       )
       SELECT
         ?,
         ?,
-        tag
+        tag,
+        is_deleted
       FROM ${attachName}.cleanup_selected_tags
       WHERE cleanup_run_id = ?
         AND scan_id = ?

package/dist/db/_db-merge-scan-copy.js

@@ -26,11 +26,12 @@ export class DbMergeScanCopy {
             "package_versions(scan_id, version_id, created_at, updated_at)",
             "package_version_payloads(scan_id, version_id, raw_json)",
             "tags(scan_id, tag, version_id, is_digest_tag)",
-            "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, platform_os, platform_architecture, platform_variant, manifest_kind)",
+            "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, manifest_kind)",
             "manifest_descriptors(scan_id, parent_digest, child_digest, media_type, artifact_type, platform_os, platform_architecture, platform_variant)",
             "manifest_payloads(scan_id, digest, raw_json)",
             "manifest_edges(scan_id, parent_digest, child_digest, edge_kind)",
-            "manifest_reachability(scan_id, ancestor_digest, descendant_digest, min_distance)"
+            "manifest_reachability(scan_id, ancestor_digest, descendant_digest, min_distance)",
+            "manifest_graphs(scan_id, digest, graph_id)"
         ];
         for (const spec of copySpecs) {
             const [tableName, columnList] = spec.split("(");

package/dist/db/_manifest-reachability.js

@@ -3,14 +3,19 @@ export function rebuildManifestReachability(database, scanId) {
     const manifestDigests = _loadManifestDigests(database, scanId);
     const childDigestsByParent = new Map();
     const parentDigestsByChild = new Map();
+    const neighborDigestsByDigest = new Map();
     for (const digest of manifestDigests) {
         childDigestsByParent.set(digest, new Set());
         parentDigestsByChild.set(digest, new Set());
+        neighborDigestsByDigest.set(digest, new Set());
     }
     for (const manifestEdge of _loadManifestEdges(database, scanId)) {
         childDigestsByParent.get(manifestEdge.parent_digest)?.add(manifestEdge.child_digest);
         parentDigestsByChild.get(manifestEdge.child_digest)?.add(manifestEdge.parent_digest);
+        neighborDigestsByDigest.get(manifestEdge.parent_digest)?.add(manifestEdge.child_digest);
+        neighborDigestsByDigest.get(manifestEdge.child_digest)?.add(manifestEdge.parent_digest);
     }
+    const graphIdsByDigest = _buildGraphIdsByDigest(manifestDigests, neighborDigestsByDigest);
     const remainingChildrenCount = new Map();
     const descendantDistancesByDigest = new Map();
     const readyDigests = [];
@@ -61,9 +66,19 @@ export function rebuildManifestReachability(database, scanId) {
       )
       VALUES(?, ?, ?, ?)
     `);
+    const insertGraphRow = database.prepare(`
+      INSERT OR REPLACE INTO manifest_graphs(
+        scan_id,
+        digest,
+        graph_id
+      )
+      VALUES(?, ?, ?)
+    `);
     const rebuild = database.transaction(() => {
         database.prepare("DELETE FROM manifest_reachability WHERE scan_id = ?").run(scanId);
+        database.prepare("DELETE FROM manifest_graphs WHERE scan_id = ?").run(scanId);
         for (const digest of manifestDigests) {
+            insertGraphRow.run(scanId, digest, graphIdsByDigest.get(digest));
             for (const [descendantDigest, distance] of descendantDistancesByDigest.get(digest) ?? []) {
                 insertRow.run(scanId, digest, descendantDigest, distance);
             }
@@ -71,6 +86,32 @@ export function rebuildManifestReachability(database, scanId) {
     });
     rebuild();
 }
+function _buildGraphIdsByDigest(manifestDigests, neighborDigestsByDigest) {
+    const graphIdsByDigest = new Map();
+    let nextGraphId = 1;
+    for (const rootDigest of manifestDigests) {
+        if (graphIdsByDigest.has(rootDigest)) {
+            continue;
+        }
+        const pendingDigests = [rootDigest];
+        graphIdsByDigest.set(rootDigest, nextGraphId);
+        while (pendingDigests.length > 0) {
+            const digest = pendingDigests.pop();
+            if (!digest) {
+                continue;
+            }
+            for (const neighborDigest of neighborDigestsByDigest.get(digest) ?? []) {
+                if (graphIdsByDigest.has(neighborDigest)) {
+                    continue;
+                }
+                graphIdsByDigest.set(neighborDigest, nextGraphId);
+                pendingDigests.push(neighborDigest);
+            }
+        }
+        nextGraphId += 1;
+    }
+    return graphIdsByDigest;
+}
 function _refreshDigestTagEdges(database, scanId) {
     database.prepare("DELETE FROM manifest_edges WHERE scan_id = ? AND edge_kind = 'digest-tag-referrer'").run(scanId);
     database
@@ -78,20 +119,18 @@ function _refreshDigestTagEdges(database, scanId) {
         INSERT OR IGNORE INTO manifest_edges(scan_id, parent_digest, child_digest, edge_kind)
         SELECT
           t.scan_id,
-          'sha256:' || SUBSTR(t.tag, 8, 64) AS parent_digest,
-          m.digest AS child_digest,
+          m.digest AS parent_digest,
+          'sha256:' || SUBSTR(t.tag, 8, 64) AS child_digest,
           'digest-tag-referrer' AS edge_kind
         FROM tags t
         JOIN manifests m
           ON m.scan_id = t.scan_id
          AND m.version_id = t.version_id
-        JOIN manifests parent_manifest
-          ON parent_manifest.scan_id = t.scan_id
-         AND parent_manifest.digest = 'sha256:' || SUBSTR(t.tag, 8, 64)
+        JOIN manifests child_manifest
+          ON child_manifest.scan_id = t.scan_id
+         AND child_manifest.digest = 'sha256:' || SUBSTR(t.tag, 8, 64)
         WHERE t.scan_id = ?
-          AND t.tag LIKE 'sha256-%'
-          AND LENGTH(t.tag) >= 71
-          AND SUBSTR(t.tag, 8, 64) NOT GLOB '*[^0-9A-Fa-f]*'
+          AND t.is_digest_tag = 1
       `)
         .run(scanId);
 }

package/dist/db/_scan-writer.js

@@ -62,9 +62,6 @@ export class ScanWriter {
         config_media_type,
         subject_digest,
         annotations_json,
-        platform_os,
-        platform_architecture,
-        platform_variant,
         manifest_kind
       )
       VALUES(
@@ -76,9 +73,6 @@ export class ScanWriter {
         @configMediaType,
         @subjectDigest,
         @annotationsJson,
-        @platformOs,
-        @platformArchitecture,
-        @platformVariant,
         @manifestKind
       )
     `);
@@ -151,9 +145,6 @@ export class ScanWriter {
             configMediaType: manifest.configMediaType ?? null,
             subjectDigest: manifest.subjectDigest ?? null,
             annotationsJson: manifest.annotations ? JSON.stringify(manifest.annotations) : null,
-            platformOs: manifest.platform?.os ?? null,
-            platformArchitecture: manifest.platform?.architecture ?? null,
-            platformVariant: manifest.platform?.variant ?? null,
             manifestKind: manifest.manifestKind ?? null
         });
     }

package/dist/db/index.d.ts

@@ -4,6 +4,7 @@ export { CleanupRunWriter } from "./_cleanup-run-writer.js";
 export { DbMergeRepository } from "./_db-merge-repository.js";
 export { PlannerRepository } from "./planner/index.js";
 export { SnapshotRepository } from "./_snapshot-repository.js";
-export type { DeletePlan, DeletePlanBlockReasonCode, DeletePlanSelectionMode, DeletePlanSelectionReason } from "./planner/index.js";
+export type { DeletePlan, DeletePlanBlockReasonCode, DeletePlanSelectionMode, DeletePlanSelectionReason, DeletePlanValidationReasonCode, DeletePlanValidationStatus } from "./planner/index.js";
+export { DeletePlanValidationReasonCodes, DeletePlanValidationStatuses } from "./planner/index.js";
 export type { DbMergeSourceSummary } from "./_db-merge-repository.js";
 export declare function openDatabase(databasePath: string): Database.Database;

package/dist/db/index.js

@@ -5,6 +5,7 @@ export { CleanupRunWriter } from "./_cleanup-run-writer.js";
 export { DbMergeRepository } from "./_db-merge-repository.js";
 export { PlannerRepository } from "./planner/index.js";
 export { SnapshotRepository } from "./_snapshot-repository.js";
+export { DeletePlanValidationReasonCodes, DeletePlanValidationStatuses } from "./planner/index.js";
 export function openDatabase(databasePath) {
     const database = new Database(databasePath);
     initializeSchema(database);