hadara 0.1.0-rc.0

package/dist/core/paths.js

@@ -0,0 +1,59 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveHadaraPaths = resolveHadaraPaths;
+exports.isInside = isInside;
+exports.normalizeHadaraPath = normalizeHadaraPath;
+exports.assertProjectStoreBoundary = assertProjectStoreBoundary;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+function resolveHadaraPaths(input = {}) {
+    const projectRoot = normalizeHadaraPath(input.projectRoot ?? process.env.HADARA_PROJECT_ROOT ?? process.cwd());
+    const portableRoot = normalizeHadaraPath(input.portableRoot ?? process.env.HADARA_HOME ?? node_path_1.default.join(projectRoot, '.hadara', 'local', 'portable'));
+    const dataRoot = node_path_1.default.join(portableRoot, 'data');
+    const projectHadaraDir = node_path_1.default.join(projectRoot, '.hadara');
+    assertProjectStoreBoundary({ dataRoot, projectRoot });
+    return {
+        portableRoot,
+        dataRoot,
+        configDir: node_path_1.default.join(dataRoot, 'config'),
+        secretsDir: node_path_1.default.join(dataRoot, 'secrets'),
+        sessionsDir: node_path_1.default.join(dataRoot, 'sessions'),
+        logsDir: node_path_1.default.join(dataRoot, 'logs'),
+        auditDir: node_path_1.default.join(dataRoot, 'audit'),
+        exportsDir: node_path_1.default.join(dataRoot, 'exports'),
+        projectRoot,
+        projectHadaraDir,
+        projectDocsDir: node_path_1.default.join(projectRoot, 'docs'),
+        projectTasksDir: node_path_1.default.join(projectRoot, 'tasks'),
+        projectContextDir: node_path_1.default.join(projectHadaraDir, 'context')
+    };
+}
+function isInside(parent, child) {
+    const normalizedParent = normalizeHadaraPath(parent);
+    const normalizedChild = normalizeHadaraPath(child);
+    const relative = node_path_1.default.relative(realpathIfExists(normalizedParent), realpathIfExists(normalizedChild));
+    return relative === '' || (!relative.startsWith('..') && !node_path_1.default.isAbsolute(relative));
+}
+function normalizeHadaraPath(value) {
+    if (/^[A-Za-z]:[\\/]/.test(value)) {
+        return node_path_1.default.win32.normalize(value);
+    }
+    return node_path_1.default.resolve(value);
+}
+function assertProjectStoreBoundary(paths) {
+    const projectDataDir = node_path_1.default.join(paths.projectRoot, 'data');
+    if (isInside(projectDataDir, paths.dataRoot)) {
+        throw new Error('HADARA dataRoot must not use projectRoot/data. Set HADARA_HOME outside the repo or use .hadara/local.');
+    }
+}
+function realpathIfExists(value) {
+    try {
+        return node_fs_1.default.realpathSync.native(value);
+    }
+    catch {
+        return value;
+    }
+}

package/dist/core/redaction.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDACTION_PATTERNS = void 0;
+exports.redactSecrets = redactSecrets;
+exports.containsSecret = containsSecret;
+exports.hasBlockingRedactionFinding = hasBlockingRedactionFinding;
+exports.createRedactionReport = createRedactionReport;
+exports.REDACTION_PATTERNS = [
+    {
+        id: 'openai-api-key',
+        description: 'OpenAI-style API key',
+        regex: /sk-[A-Za-z0-9_-]{16,}/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'slack-token',
+        description: 'Slack token',
+        regex: /xox[baprs]-[A-Za-z0-9-]{10,}/g,
+        severity: 'high',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'aws-access-key-id',
+        description: 'AWS access key id',
+        regex: /AKIA[0-9A-Z]{16}/g,
+        severity: 'high',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'aws-secret-access-key',
+        description: 'AWS secret access key assignment',
+        regex: /(aws[_-]?secret[_-]?access[_-]?key\s*=\s*)[A-Za-z0-9/+=]{32,}/gi,
+        severity: 'critical',
+        replacement: '$1[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'github-token',
+        description: 'GitHub personal access token',
+        regex: /(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'gitlab-token',
+        description: 'GitLab personal access token',
+        regex: /glpat-[A-Za-z0-9_-]{20,}/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'google-api-key',
+        description: 'Google API key',
+        regex: /AIza[0-9A-Za-z_-]{35}/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'private-key-block',
+        description: 'Private key block',
+        regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'openssh-private-key',
+        description: 'OpenSSH private key payload',
+        regex: /openssh-key-v1[A-Za-z0-9+/=\s-]*/gi,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'jwt',
+        description: 'JWT-like bearer token',
+        regex: /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+        severity: 'high',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'azure-connection-string',
+        description: 'Azure storage connection string with account key',
+        regex: /DefaultEndpointsProtocol=[^;\s]+;AccountName=[^;\s]+;AccountKey=[^;\s]+(?:;EndpointSuffix=[^;\s]+)?/gi,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'npm-token',
+        description: 'npm access token',
+        regex: /npm_[A-Za-z0-9]{20,}/g,
+        severity: 'critical',
+        replacement: '[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'sensitive-assignment',
+        description: 'Sensitive key assignment',
+        regex: /((?:api[_-]?key|token|password|secret|private[_-]?key)\s*=\s*)[^\s]+/gi,
+        severity: 'high',
+        replacement: '$1[REDACTED]',
+        enabledByDefault: true
+    },
+    {
+        id: 'authorization-bearer',
+        description: 'Authorization bearer token',
+        regex: /(authorization:\s*bearer\s+)[^\s]+/gi,
+        severity: 'high',
+        replacement: '$1[REDACTED]',
+        enabledByDefault: true
+    }
+];
+function redactSecrets(input) {
+    return createRedactionReport(input, { includeRedactedText: true }).redactedText ?? input;
+}
+function containsSecret(input) {
+    return createRedactionReport(input).findings.length > 0;
+}
+function hasBlockingRedactionFinding(report, minimumSeverity = 'high') {
+    const minimumRank = redactionSeverityRank(minimumSeverity);
+    return report.findings.some((finding) => redactionSeverityRank(finding.severity) >= minimumRank);
+}
+function createRedactionReport(input, options = {}) {
+    const enabledPatterns = (options.patterns ?? exports.REDACTION_PATTERNS).filter((pattern) => pattern.enabledByDefault);
+    const findings = scanRedactionFindings(input, enabledPatterns);
+    const redactedText = options.includeRedactedText ? redactWithPatterns(input, enabledPatterns) : undefined;
+    const output = redactedText ?? input;
+    return {
+        schemaVersion: 'hadara.redaction.report.v1',
+        ok: findings.length === 0,
+        inputBytes: Buffer.byteLength(input, 'utf8'),
+        outputBytes: Buffer.byteLength(output, 'utf8'),
+        findings,
+        ...(options.includeRedactedText ? { redactedText: output } : {})
+    };
+}
+function scanRedactionFindings(input, patterns) {
+    const findings = [];
+    for (const pattern of patterns) {
+        const regex = cloneGlobalRegex(pattern.regex);
+        const matches = input.match(regex);
+        if (matches?.length) {
+            findings.push({
+                patternId: pattern.id,
+                severity: pattern.severity,
+                count: matches.length
+            });
+        }
+    }
+    return findings;
+}
+function redactWithPatterns(input, patterns) {
+    return patterns.reduce((text, pattern) => text.replace(cloneGlobalRegex(pattern.regex), pattern.replacement), input);
+}
+function redactionSeverityRank(severity) {
+    switch (severity) {
+        case 'low':
+            return 1;
+        case 'medium':
+            return 2;
+        case 'high':
+            return 3;
+        case 'critical':
+            return 4;
+    }
+}
+function cloneGlobalRegex(regex) {
+    return new RegExp(regex.source, regex.flags.includes('g') ? regex.flags : `${regex.flags}g`);
+}

package/dist/core/schema.js

@@ -0,0 +1,253 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SchemaValidationError = void 0;
+exports.loadSchema = loadSchema;
+exports.validateSchema = validateSchema;
+exports.assertSchema = assertSchema;
+const schema_index_json_1 = __importDefault(require("../schemas/schema-index.json"));
+const active_run_projection_schema_json_1 = __importDefault(require("../schemas/active-run-projection.schema.json"));
+const active_run_resume_schema_json_1 = __importDefault(require("../schemas/active-run-resume.schema.json"));
+const clean_checkout_smoke_schema_json_1 = __importDefault(require("../schemas/clean-checkout-smoke.schema.json"));
+const context_export_schema_json_1 = __importDefault(require("../schemas/context-export.schema.json"));
+const evidence_list_schema_json_1 = __importDefault(require("../schemas/evidence-list.schema.json"));
+const event_schema_json_1 = __importDefault(require("../schemas/event.schema.json"));
+const feature_smoke_schema_json_1 = __importDefault(require("../schemas/feature-smoke.schema.json"));
+const install_plan_schema_json_1 = __importDefault(require("../schemas/install-plan.schema.json"));
+const package_smoke_schema_json_1 = __importDefault(require("../schemas/package-smoke.schema.json"));
+const private_evidence_schema_json_1 = __importDefault(require("../schemas/private-evidence.schema.json"));
+const provider_call_schema_json_1 = __importDefault(require("../schemas/provider-call.schema.json"));
+const provider_config_schema_json_1 = __importDefault(require("../schemas/provider-config.schema.json"));
+const release_artifact_manifest_schema_json_1 = __importDefault(require("../schemas/release-artifact-manifest.schema.json"));
+const release_artifact_schema_json_1 = __importDefault(require("../schemas/release-artifact.schema.json"));
+const release_dry_run_schema_json_1 = __importDefault(require("../schemas/release-dry-run.schema.json"));
+const release_gate_schema_json_1 = __importDefault(require("../schemas/release-gate.schema.json"));
+const release_publish_schema_json_1 = __importDefault(require("../schemas/release-publish.schema.json"));
+const smoke_evidence_summary_schema_json_1 = __importDefault(require("../schemas/smoke-evidence-summary.schema.json"));
+const tools_list_schema_json_1 = __importDefault(require("../schemas/tools-list.schema.json"));
+const write_preflight_schema_json_1 = __importDefault(require("../schemas/write-preflight.schema.json"));
+class SchemaValidationError extends Error {
+    schemaId;
+    issues;
+    constructor(schemaId, issues) {
+        const firstIssue = issues[0];
+        super(`Schema validation failed for ${schemaId}: ${firstIssue.path} ${firstIssue.message}`);
+        this.schemaId = schemaId;
+        this.issues = issues;
+        this.name = 'SchemaValidationError';
+    }
+}
+exports.SchemaValidationError = SchemaValidationError;
+const schemaIndex = schema_index_json_1.default;
+const registeredSchemas = {
+    'hadara.active_run.projection.v1': active_run_projection_schema_json_1.default,
+    'hadara.active_run.resume.v1': active_run_resume_schema_json_1.default,
+    'hadara.cleanCheckoutSmoke.v1': clean_checkout_smoke_schema_json_1.default,
+    'hadara.context.export.v1': context_export_schema_json_1.default,
+    'hadara.evidence.list.v1': evidence_list_schema_json_1.default,
+    'hadara.event.v1': event_schema_json_1.default,
+    'hadara.featureSmoke.v1': feature_smoke_schema_json_1.default,
+    'hadara.install.plan.v1': install_plan_schema_json_1.default,
+    'hadara.packageSmoke.v1': package_smoke_schema_json_1.default,
+    'hadara.privateEvidence.v1': private_evidence_schema_json_1.default,
+    'hadara.provider.call.v1': provider_call_schema_json_1.default,
+    'hadara.provider.config.v1': provider_config_schema_json_1.default,
+    'hadara.releaseArtifact.manifest.v1': release_artifact_manifest_schema_json_1.default,
+    'hadara.releaseArtifact.v1': release_artifact_schema_json_1.default,
+    'hadara.releaseDryRun.v1': release_dry_run_schema_json_1.default,
+    'hadara.releaseGate.v1': release_gate_schema_json_1.default,
+    'hadara.releasePublish.v1': release_publish_schema_json_1.default,
+    'hadara.smokeEvidenceSummary.v1': smoke_evidence_summary_schema_json_1.default,
+    'hadara.tools.list.v1': tools_list_schema_json_1.default,
+    'hadara.write.preflight.v1': write_preflight_schema_json_1.default
+};
+function loadSchema(schemaId) {
+    const indexEntry = schemaIndex.schemas.find((entry) => entry.id === schemaId);
+    const schema = registeredSchemas[schemaId];
+    if (!indexEntry || !schema) {
+        throw new Error(`Unknown HADARA schema: ${schemaId}`);
+    }
+    return schema;
+}
+function validateSchema(schemaId, value) {
+    const schema = loadSchema(schemaId);
+    const issues = [];
+    validateValue(value, schema, schema, '$', issues);
+    return {
+        ok: issues.length === 0,
+        schemaId,
+        issues
+    };
+}
+function assertSchema(schemaId, value) {
+    const result = validateSchema(schemaId, value);
+    if (!result.ok) {
+        throw new SchemaValidationError(schemaId, result.issues);
+    }
+}
+function validateValue(value, schema, rootSchema, valuePath, issues) {
+    const ref = stringProperty(schema, '$ref');
+    if (ref) {
+        validateValue(value, resolveLocalRef(rootSchema, ref), rootSchema, valuePath, issues);
+        return;
+    }
+    const oneOf = arrayProperty(schema, 'oneOf');
+    if (oneOf) {
+        const matchCount = oneOf.filter((candidate) => validateCandidate(value, candidate, rootSchema)).length;
+        if (matchCount !== 1) {
+            issues.push({
+                path: valuePath,
+                code: 'SCHEMA_ONE_OF_MISMATCH',
+                message: `must match exactly one schema option, matched ${matchCount}`
+            });
+        }
+        return;
+    }
+    const constValue = schema.const;
+    if (Object.prototype.hasOwnProperty.call(schema, 'const') && value !== constValue) {
+        issues.push({
+            path: valuePath,
+            code: 'SCHEMA_CONST_MISMATCH',
+            message: `must equal ${JSON.stringify(constValue)}`
+        });
+    }
+    const enumValues = arrayProperty(schema, 'enum');
+    if (enumValues && !enumValues.includes(value)) {
+        issues.push({
+            path: valuePath,
+            code: 'SCHEMA_ENUM_MISMATCH',
+            message: `must be one of ${enumValues.map((item) => JSON.stringify(item)).join(', ')}`
+        });
+    }
+    const schemaType = schema.type;
+    if (schemaType && !matchesType(value, schemaType)) {
+        issues.push({
+            path: valuePath,
+            code: 'SCHEMA_TYPE_MISMATCH',
+            message: `must be ${formatType(schemaType)}`
+        });
+        return;
+    }
+    if (typeof value === 'string') {
+        const minLength = numberProperty(schema, 'minLength');
+        if (minLength !== undefined && value.length < minLength) {
+            issues.push({
+                path: valuePath,
+                code: 'SCHEMA_MIN_LENGTH',
+                message: `must be at least ${minLength} character(s)`
+            });
+        }
+        const pattern = stringProperty(schema, 'pattern');
+        if (pattern && !new RegExp(pattern).test(value)) {
+            issues.push({
+                path: valuePath,
+                code: 'SCHEMA_PATTERN_MISMATCH',
+                message: `must match pattern ${pattern}`
+            });
+        }
+    }
+    if (isPlainObject(value)) {
+        validateObject(value, schema, rootSchema, valuePath, issues);
+    }
+    if (Array.isArray(value)) {
+        validateArray(value, schema, rootSchema, valuePath, issues);
+    }
+}
+function validateObject(value, schema, rootSchema, valuePath, issues) {
+    const required = arrayProperty(schema, 'required')?.filter((item) => typeof item === 'string') ?? [];
+    for (const key of required) {
+        if (!Object.prototype.hasOwnProperty.call(value, key)) {
+            issues.push({
+                path: `${valuePath}.${key}`,
+                code: 'SCHEMA_REQUIRED_MISSING',
+                message: 'is required'
+            });
+        }
+    }
+    const properties = objectProperty(schema, 'properties');
+    if (!properties)
+        return;
+    for (const [key, propertySchema] of Object.entries(properties)) {
+        if (!Object.prototype.hasOwnProperty.call(value, key))
+            continue;
+        if (!isPlainObject(propertySchema))
+            continue;
+        validateValue(value[key], propertySchema, rootSchema, `${valuePath}.${key}`, issues);
+    }
+}
+function validateArray(value, schema, rootSchema, valuePath, issues) {
+    const items = objectProperty(schema, 'items');
+    if (!items)
+        return;
+    value.forEach((item, index) => validateValue(item, items, rootSchema, `${valuePath}[${index}]`, issues));
+}
+function validateCandidate(value, schema, rootSchema) {
+    if (!isPlainObject(schema))
+        return false;
+    const issues = [];
+    validateValue(value, schema, rootSchema, '$', issues);
+    return issues.length === 0;
+}
+function resolveLocalRef(rootSchema, ref) {
+    if (!ref.startsWith('#/')) {
+        throw new Error(`Unsupported schema ref: ${ref}`);
+    }
+    let current = rootSchema;
+    for (const part of ref.slice(2).split('/')) {
+        if (!isPlainObject(current)) {
+            throw new Error(`Invalid schema ref: ${ref}`);
+        }
+        current = current[part];
+    }
+    if (!isPlainObject(current)) {
+        throw new Error(`Invalid schema ref: ${ref}`);
+    }
+    return current;
+}
+function matchesType(value, schemaType) {
+    if (Array.isArray(schemaType)) {
+        return schemaType.some((item) => matchesType(value, item));
+    }
+    switch (schemaType) {
+        case 'array':
+            return Array.isArray(value);
+        case 'boolean':
+            return typeof value === 'boolean';
+        case 'integer':
+            return Number.isInteger(value);
+        case 'null':
+            return value === null;
+        case 'number':
+            return typeof value === 'number' && Number.isFinite(value);
+        case 'object':
+            return isPlainObject(value);
+        case 'string':
+            return typeof value === 'string';
+        default:
+            return true;
+    }
+}
+function formatType(schemaType) {
+    return Array.isArray(schemaType) ? schemaType.map(String).join(' or ') : String(schemaType);
+}
+function isPlainObject(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function objectProperty(value, key) {
+    const property = value[key];
+    return isPlainObject(property) ? property : undefined;
+}
+function arrayProperty(value, key) {
+    const property = value[key];
+    return Array.isArray(property) ? property : undefined;
+}
+function stringProperty(value, key) {
+    const property = value[key];
+    return typeof property === 'string' ? property : undefined;
+}
+function numberProperty(value, key) {
+    const property = value[key];
+    return typeof property === 'number' ? property : undefined;
+}

package/dist/core/workspace.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WorkspaceFileError = void 0;
+exports.resolveProjectFile = resolveProjectFile;
+exports.assertInsideProject = assertInsideProject;
+exports.toProjectRelativePath = toProjectRelativePath;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const paths_1 = require("./paths");
+class WorkspaceFileError extends Error {
+    code;
+    inputPath;
+    constructor(code, message, inputPath) {
+        super(message);
+        this.code = code;
+        this.inputPath = inputPath;
+        this.name = 'WorkspaceFileError';
+    }
+}
+exports.WorkspaceFileError = WorkspaceFileError;
+function resolveProjectFile(projectRoot, inputPath) {
+    const absolutePath = node_path_1.default.resolve(projectRoot, inputPath);
+    assertInsideProject(projectRoot, absolutePath, inputPath);
+    if (!node_fs_1.default.existsSync(absolutePath)) {
+        throw new WorkspaceFileError('WORKSPACE_FILE_NOT_FOUND', 'Workspace file input was not found.', inputPath);
+    }
+    if (!node_fs_1.default.statSync(absolutePath).isFile()) {
+        throw new WorkspaceFileError('WORKSPACE_FILE_NOT_FILE', 'Workspace file input must be a file.', inputPath);
+    }
+    assertInsideProject(projectRoot, node_fs_1.default.realpathSync.native(absolutePath), inputPath);
+    return {
+        absolutePath,
+        relativePath: toProjectRelativePath(projectRoot, absolutePath)
+    };
+}
+function assertInsideProject(projectRoot, candidatePath, inputPath = candidatePath) {
+    if (!(0, paths_1.isInside)(projectRoot, candidatePath)) {
+        throw new WorkspaceFileError('WORKSPACE_FILE_OUTSIDE', 'Workspace file input must be inside the project root.', inputPath);
+    }
+}
+function toProjectRelativePath(projectRoot, absolutePath) {
+    assertInsideProject(projectRoot, absolutePath);
+    return node_path_1.default.relative(projectRoot, absolutePath).split(node_path_1.default.sep).join('/');
+}