npm - mapterrain - Versions diffs - 0.1.0 → 0.1.2 - Mend

mapterrain 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +15 -0
package/bin/terrain-installer.js +117 -0
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -58,6 +58,8 @@ terrain impact      "What validations matter for this change?"
 terrain explain     "Why did Terrain make this decision?"
 ```
+> **About the example outputs below.** The CLI dumps in this section illustrate the *shape* of Terrain's reports on a large pandas-style repository — they are not literal output from a single live run. A few specific signals shown (`xfailAccumulation` age, statistical flaky-test failure rates, the `0.91+` duplicate similarity threshold) are marked `[experimental]` or `[planned]` in 0.1.2; see [docs/release/feature-status.md](docs/release/feature-status.md) for what's stable, what's experimental, and what's planned. The headline "30 seconds" promise refers to small-to-medium repos (≤ 1,000 test files) on commodity hardware; expect 5–15 seconds on a typical service repo and longer on monorepos.
 ### 1. Analyze — understand the test system
 ```bash
@@ -215,6 +217,18 @@ Terrain is framework-agnostic and language-aware. The same analysis model applie
 The structural model is the same. The signals and recommendations adapt to the framework and test patterns detected.
+## AI Testing in CI
+Terrain gives AI components the same CI safety net as regular tests:
+- **Surface discovery** — automatically detects prompts, contexts, datasets, tool definitions, RAG pipelines, and eval scenarios in your code
+- **Impact-scoped selection** — `terrain ai run --base main` runs only the eval scenarios affected by your change
+- **Protection gaps** — `terrain pr` flags changed AI surfaces that have no eval scenario covering them
+- **Policy enforcement** — block PRs that modify uncovered AI surfaces, regress accuracy, or trigger safety failures
+- **GitHub Action** — drop-in `terrain-ai.yml` workflow template for AI CI gates
+The same structural graph that powers test selection for regular code also traces AI surface dependencies, so a change to a prompt template triggers the right eval scenarios automatically.
 ## How CI Optimization Emerges
 Terrain does not start with CI optimization. It starts with understanding.
@@ -225,6 +239,7 @@ When you run `terrain analyze`, Terrain builds a structural model: which tests e
 - **Redundancy reduction** — `terrain insights` surfaces duplicate test clusters. Removing or consolidating them directly reduces CI time without reducing coverage.
 - **Fanout control** — High-fanout fixtures that trigger thousands of tests on any change are identified and prioritized for splitting.
 - **Confidence-based runs** — Impact analysis assigns confidence scores. CI pipelines can run high-confidence tests immediately and defer low-confidence tests to nightly runs.
+- **What to test next** — `terrain insights` ranks untested source files by dependency count, telling you which test to write first for maximum impact.
 The result is faster CI that comes from *understanding the test system*, not from skipping tests and hoping for the best.

package/bin/terrain-installer.js CHANGED Viewed

@@ -78,6 +78,116 @@ function archiveDownloadUrl(version) {
   return `${baseUrl}/v${version}/${archiveFileName(version)}`;
 }
+function signatureDownloadUrl(version) {
+  return `${archiveDownloadUrl(version)}.sig`;
+}
+function certificateDownloadUrl(version) {
+  return `${archiveDownloadUrl(version)}.pem`;
+}
+function expectedSignerIdentity(version) {
+  // The keyless Sigstore signature is anchored to the GitHub Actions workflow
+  // that ran goreleaser at release time. The workflow runs on the v<version>
+  // tag, so the OIDC subject identity is deterministic.
+  return (
+    `https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}` +
+    `/.github/workflows/release.yml@refs/tags/v${version}`
+  );
+}
+const SIGSTORE_OIDC_ISSUER = 'https://token.actions.githubusercontent.com';
+function isCosignAvailable() {
+  try {
+    execFileSync('cosign', ['version'], { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+// Best-effort signature verification. In 0.1.2 this is warn-only: a missing
+// cosign, missing signature artifact, or verification failure logs to stderr
+// and does NOT block install. The signing pipeline is still maturing and we
+// don't want to break npm installs while it stabilises.
+//
+// In 0.2 this becomes hard-fail unless TERRAIN_INSTALLER_SKIP_VERIFY=1 is set,
+// at which point the warning escalates to an error.
+async function verifySignatureBestEffort({
+  archivePath,
+  version,
+  tempDir,
+  quiet,
+  env,
+}) {
+  if (env.TERRAIN_INSTALLER_SKIP_VERIFY === '1') {
+    log(
+      'Skipping signature verification (TERRAIN_INSTALLER_SKIP_VERIFY=1).',
+      quiet
+    );
+    return { verified: false, reason: 'skipped-by-env' };
+  }
+  if (!isCosignAvailable()) {
+    log(
+      'cosign not found on PATH; skipping signature verification. ' +
+        'Install cosign (https://github.com/sigstore/cosign) for stronger ' +
+        'integrity guarantees in future releases.',
+      quiet
+    );
+    return { verified: false, reason: 'cosign-missing' };
+  }
+  const sigPath = path.join(tempDir, `${path.basename(archivePath)}.sig`);
+  const certPath = path.join(tempDir, `${path.basename(archivePath)}.pem`);
+  try {
+    await downloadFile(signatureDownloadUrl(version), sigPath);
+    await downloadFile(certificateDownloadUrl(version), certPath);
+  } catch (error) {
+    log(
+      `Could not fetch signature artifacts (${error.message}); ` +
+        'skipping verification.',
+      quiet
+    );
+    return { verified: false, reason: 'sig-download-failed' };
+  }
+  try {
+    execFileSync(
+      'cosign',
+      [
+        'verify-blob',
+        '--certificate',
+        certPath,
+        '--signature',
+        sigPath,
+        '--certificate-identity',
+        expectedSignerIdentity(version),
+        '--certificate-oidc-issuer',
+        SIGSTORE_OIDC_ISSUER,
+        archivePath,
+      ],
+      { stdio: 'pipe' }
+    );
+    log(
+      `Verified Sigstore signature for ${path.basename(archivePath)}.`,
+      quiet
+    );
+    return { verified: true, reason: 'ok' };
+  } catch (error) {
+    log(
+      `WARNING: cosign verify-blob failed for ${path.basename(archivePath)}. ` +
+        'The downloaded archive may be tampered with. Continuing install ' +
+        '(verification will become mandatory in 0.2). Error: ' +
+        (error.stderr ? error.stderr.toString().trim() : error.message),
+      quiet
+    );
+    return { verified: false, reason: 'verify-failed' };
+  }
+}
 async function ensureDirectory(dir) {
   await fs.mkdir(dir, { recursive: true });
 }
@@ -233,6 +343,13 @@ export async function ensureTerrainBinary({
       quiet
     );
     await downloadFile(archiveDownloadUrl(version), archivePath);
+    await verifySignatureBestEffort({
+      archivePath,
+      version,
+      tempDir,
+      quiet,
+      env,
+    });
     await ensureDirectory(extractDir);
     extractArchive(archivePath, extractDir);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mapterrain",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Terrain test intelligence CLI.",
   "type": "module",
   "bin": {
@@ -81,4 +81,4 @@
     "node": ">=22.0.0"
   },
   "sideEffects": false
-}
+}