mustflow 2.84.0 → 2.85.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/README.md +11 -2
  2. package/dist/cli/commands/script-pack.js +4 -0
  3. package/dist/cli/i18n/en.js +79 -0
  4. package/dist/cli/i18n/es.js +79 -0
  5. package/dist/cli/i18n/fr.js +79 -0
  6. package/dist/cli/i18n/hi.js +79 -0
  7. package/dist/cli/i18n/ko.js +79 -0
  8. package/dist/cli/i18n/zh.js +79 -0
  9. package/dist/cli/lib/repo-map.js +27 -6
  10. package/dist/cli/lib/run-root-trust.js +15 -1
  11. package/dist/cli/lib/script-pack-registry.js +114 -0
  12. package/dist/cli/lib/validation/index.js +2 -2
  13. package/dist/cli/lib/validation/primitives.js +4 -1
  14. package/dist/cli/script-packs/code-change-impact.js +172 -0
  15. package/dist/cli/script-packs/code-dependency-graph.js +181 -0
  16. package/dist/cli/script-packs/repo-env-contract.js +156 -0
  17. package/dist/cli/script-packs/repo-secret-risk-scan.js +147 -0
  18. package/dist/core/change-impact.js +383 -0
  19. package/dist/core/change-verification.js +32 -5
  20. package/dist/core/config-loading.js +121 -4
  21. package/dist/core/dependency-graph.js +490 -0
  22. package/dist/core/env-contract.js +450 -0
  23. package/dist/core/line-endings.js +26 -13
  24. package/dist/core/public-json-contracts.js +51 -0
  25. package/dist/core/route-outline.js +57 -5
  26. package/dist/core/script-pack-suggestions.js +21 -1
  27. package/dist/core/secret-risk-scan.js +440 -0
  28. package/package.json +1 -1
  29. package/schemas/README.md +16 -0
  30. package/schemas/change-impact-report.schema.json +150 -0
  31. package/schemas/commands.schema.json +12 -0
  32. package/schemas/dependency-graph-report.schema.json +149 -0
  33. package/schemas/env-contract-report.schema.json +203 -0
  34. package/schemas/secret-risk-scan-report.schema.json +152 -0
  35. package/templates/default/i18n.toml +16 -10
  36. package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -2
  37. package/templates/default/locales/en/.mustflow/skills/architecture-deepening-review/SKILL.md +28 -11
  38. package/templates/default/locales/en/.mustflow/skills/astro-code-change/SKILL.md +71 -27
  39. package/templates/default/locales/en/.mustflow/skills/cross-agent-session-reference/SKILL.md +23 -8
  40. package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +3 -1
  41. package/templates/default/locales/en/.mustflow/skills/github-contribution-quality-gate/SKILL.md +48 -11
  42. package/templates/default/locales/en/.mustflow/skills/javascript-code-change/SKILL.md +15 -13
  43. package/templates/default/locales/en/.mustflow/skills/node-code-change/SKILL.md +16 -14
  44. package/templates/default/locales/en/.mustflow/skills/routes.toml +15 -9
  45. package/templates/default/locales/en/.mustflow/skills/security-privacy-review/SKILL.md +3 -1
  46. package/templates/default/locales/en/.mustflow/skills/test-suite-performance-review/SKILL.md +314 -0
  47. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +13 -10
  48. package/templates/default/manifest.toml +8 -1
@@ -0,0 +1,181 @@
1
+ import { printUsageError, renderHelp } from '../lib/cli-output.js';
2
+ import { t } from '../lib/i18n.js';
3
+ import { formatCliOptionParseError, getParsedCliStringOption, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../lib/option-parser.js';
4
+ import { resolveMustflowRoot } from '../lib/project-root.js';
5
+ import { DEPENDENCY_GRAPH_SCRIPT_REF, inspectDependencyGraph, } from '../../core/dependency-graph.js';
6
+ const DEPENDENCY_GRAPH_OPTIONS = [
7
+ { name: '--json', kind: 'boolean' },
8
+ { name: '--max-files', kind: 'string' },
9
+ { name: '--max-file-bytes', kind: 'string' },
10
+ { name: '--max-depth', kind: 'string' },
11
+ { name: '--max-nodes', kind: 'string' },
12
+ { name: '--max-edges', kind: 'string' },
13
+ ];
14
+ function parsePositiveInteger(value, option, lang) {
15
+ if (value === null) {
16
+ return { value: null };
17
+ }
18
+ if (!/^[1-9]\d*$/u.test(value)) {
19
+ return { value: null, error: t(lang, 'dependencyGraph.error.invalidPositiveInteger', { option, value }) };
20
+ }
21
+ const parsed = Number(value);
22
+ if (!Number.isSafeInteger(parsed)) {
23
+ return { value: null, error: t(lang, 'dependencyGraph.error.invalidPositiveInteger', { option, value }) };
24
+ }
25
+ return { value: parsed };
26
+ }
27
+ export function getCodeDependencyGraphHelp(lang = 'en') {
28
+ return renderHelp({
29
+ usage: 'mf script-pack run code/dependency-graph scan <path...> [options]',
30
+ summary: t(lang, 'dependencyGraph.help.summary'),
31
+ options: [
32
+ { label: '--max-depth <count>', description: t(lang, 'dependencyGraph.help.option.maxDepth') },
33
+ { label: '--max-files <count>', description: t(lang, 'dependencyGraph.help.option.maxFiles') },
34
+ { label: '--max-file-bytes <bytes>', description: t(lang, 'dependencyGraph.help.option.maxFileBytes') },
35
+ { label: '--max-nodes <count>', description: t(lang, 'dependencyGraph.help.option.maxNodes') },
36
+ { label: '--max-edges <count>', description: t(lang, 'dependencyGraph.help.option.maxEdges') },
37
+ { label: '--json', description: t(lang, 'cli.option.json') },
38
+ { label: '-h, --help', description: t(lang, 'cli.option.help') },
39
+ ],
40
+ examples: [
41
+ 'mf script-pack run code/dependency-graph scan src/cli/index.ts --json',
42
+ 'mf script-pack run code/dependency-graph scan src/core --max-depth 3 --json',
43
+ 'mf script-pack run code/dependency-graph scan src tests --max-nodes 120 --max-edges 300 --json',
44
+ ],
45
+ exitCodes: [
46
+ { label: '0', description: t(lang, 'dependencyGraph.help.exit.ok') },
47
+ { label: '1', description: t(lang, 'dependencyGraph.help.exit.fail') },
48
+ ],
49
+ }, lang);
50
+ }
51
+ function parseDependencyGraphOptions(args, lang) {
52
+ const [action, ...rest] = args;
53
+ const parsed = parseCliOptions(rest, DEPENDENCY_GRAPH_OPTIONS, { allowPositionals: true });
54
+ const json = hasParsedCliOption(parsed, '--json');
55
+ const maxFiles = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-files'), '--max-files', lang);
56
+ const maxFileBytes = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-file-bytes'), '--max-file-bytes', lang);
57
+ const maxDepth = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-depth'), '--max-depth', lang);
58
+ const maxNodes = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-nodes'), '--max-nodes', lang);
59
+ const maxEdges = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-edges'), '--max-edges', lang);
60
+ const positiveOptions = [maxFiles, maxFileBytes, maxDepth, maxNodes, maxEdges];
61
+ if (action !== 'scan') {
62
+ return {
63
+ action: 'scan',
64
+ json,
65
+ paths: parsed.positionals,
66
+ maxFiles: maxFiles.value,
67
+ maxFileBytes: maxFileBytes.value,
68
+ maxDepth: maxDepth.value,
69
+ maxNodes: maxNodes.value,
70
+ maxEdges: maxEdges.value,
71
+ error: action ? t(lang, 'dependencyGraph.error.unknownAction', { action }) : t(lang, 'dependencyGraph.error.missingAction'),
72
+ };
73
+ }
74
+ if (parsed.error) {
75
+ return {
76
+ action,
77
+ json,
78
+ paths: parsed.positionals,
79
+ maxFiles: maxFiles.value,
80
+ maxFileBytes: maxFileBytes.value,
81
+ maxDepth: maxDepth.value,
82
+ maxNodes: maxNodes.value,
83
+ maxEdges: maxEdges.value,
84
+ error: formatCliOptionParseError(parsed.error, lang),
85
+ };
86
+ }
87
+ for (const candidate of positiveOptions) {
88
+ if (candidate.error) {
89
+ return {
90
+ action,
91
+ json,
92
+ paths: parsed.positionals,
93
+ maxFiles: maxFiles.value,
94
+ maxFileBytes: maxFileBytes.value,
95
+ maxDepth: maxDepth.value,
96
+ maxNodes: maxNodes.value,
97
+ maxEdges: maxEdges.value,
98
+ error: candidate.error,
99
+ };
100
+ }
101
+ }
102
+ if (parsed.positionals.length === 0) {
103
+ return {
104
+ action,
105
+ json,
106
+ paths: parsed.positionals,
107
+ maxFiles: maxFiles.value,
108
+ maxFileBytes: maxFileBytes.value,
109
+ maxDepth: maxDepth.value,
110
+ maxNodes: maxNodes.value,
111
+ maxEdges: maxEdges.value,
112
+ error: t(lang, 'dependencyGraph.error.missingPath'),
113
+ };
114
+ }
115
+ return {
116
+ action,
117
+ json,
118
+ paths: parsed.positionals,
119
+ maxFiles: maxFiles.value,
120
+ maxFileBytes: maxFileBytes.value,
121
+ maxDepth: maxDepth.value,
122
+ maxNodes: maxNodes.value,
123
+ maxEdges: maxEdges.value,
124
+ };
125
+ }
126
+ function renderDependencyGraphSummary(report, lang) {
127
+ const lines = [
128
+ t(lang, 'dependencyGraph.title'),
129
+ `${t(lang, 'scriptPack.label.script')}: ${DEPENDENCY_GRAPH_SCRIPT_REF}`,
130
+ `${t(lang, 'label.status')}: ${report.status}`,
131
+ `${t(lang, 'dependencyGraph.label.targets')}: ${report.targets.length}`,
132
+ `${t(lang, 'dependencyGraph.label.nodes')}: ${report.nodes.length}`,
133
+ `${t(lang, 'dependencyGraph.label.edges')}: ${report.edges.length}`,
134
+ `${t(lang, 'dependencyGraph.label.cycles')}: ${report.cycles.length}`,
135
+ `${t(lang, 'dependencyGraph.label.truncated')}: ${report.truncated ? t(lang, 'value.yes') : t(lang, 'value.no')}`,
136
+ ];
137
+ for (const edge of report.edges.slice(0, 40)) {
138
+ lines.push(`- ${edge.source_path}:${edge.line} -> ${edge.target_path} (${edge.kind}, ${edge.specifier})`);
139
+ }
140
+ if (report.cycles.length > 0) {
141
+ lines.push(t(lang, 'dependencyGraph.label.cycleList'));
142
+ for (const cycle of report.cycles) {
143
+ lines.push(`- ${cycle.join(' -> ')}`);
144
+ }
145
+ }
146
+ if (report.findings.length > 0) {
147
+ lines.push(t(lang, 'dependencyGraph.label.findings'), ...report.findings.map((finding) => `- ${finding.path}: ${finding.code} (${finding.message})`));
148
+ }
149
+ if (report.issues.length > 0) {
150
+ lines.push(t(lang, 'dependencyGraph.label.issues'), ...report.issues.map((issue) => `- ${issue}`));
151
+ }
152
+ if (report.edges.length === 0 && report.findings.length === 0 && report.issues.length === 0) {
153
+ lines.push(t(lang, 'dependencyGraph.clean'));
154
+ }
155
+ return lines.join('\n');
156
+ }
157
+ export function runCodeDependencyGraphScript(args, reporter, lang = 'en') {
158
+ if (hasCliOptionToken(args, '--help', ['-h'])) {
159
+ reporter.stdout(getCodeDependencyGraphHelp(lang));
160
+ return 0;
161
+ }
162
+ const options = parseDependencyGraphOptions(args, lang);
163
+ if (options.error) {
164
+ printUsageError(reporter, options.error, 'mf script-pack run code/dependency-graph --help', getCodeDependencyGraphHelp(lang), lang);
165
+ return 1;
166
+ }
167
+ const report = inspectDependencyGraph(resolveMustflowRoot(), {
168
+ paths: options.paths,
169
+ maxFiles: options.maxFiles ?? undefined,
170
+ maxFileBytes: options.maxFileBytes ?? undefined,
171
+ maxDepth: options.maxDepth ?? undefined,
172
+ maxNodes: options.maxNodes ?? undefined,
173
+ maxEdges: options.maxEdges ?? undefined,
174
+ });
175
+ if (options.json) {
176
+ reporter.stdout(JSON.stringify(report, null, 2));
177
+ return report.ok ? 0 : 1;
178
+ }
179
+ reporter.stdout(renderDependencyGraphSummary(report, lang));
180
+ return report.ok ? 0 : 1;
181
+ }
@@ -0,0 +1,156 @@
1
+ import { printUsageError, renderHelp } from '../lib/cli-output.js';
2
+ import { t } from '../lib/i18n.js';
3
+ import { formatCliOptionParseError, getParsedCliStringOption, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../lib/option-parser.js';
4
+ import { resolveMustflowRoot } from '../lib/project-root.js';
5
+ import { ENV_CONTRACT_SCRIPT_REF, inspectEnvContract } from '../../core/env-contract.js';
6
+ const ENV_CONTRACT_OPTIONS = [
7
+ { name: '--json', kind: 'boolean' },
8
+ { name: '--max-files', kind: 'string' },
9
+ { name: '--max-file-bytes', kind: 'string' },
10
+ { name: '--max-keys', kind: 'string' },
11
+ ];
12
+ function parsePositiveInteger(value, option, lang) {
13
+ if (value === null) {
14
+ return { value: null };
15
+ }
16
+ if (!/^[1-9]\d*$/u.test(value)) {
17
+ return { value: null, error: t(lang, 'envContract.error.invalidPositiveInteger', { option, value }) };
18
+ }
19
+ const parsed = Number(value);
20
+ if (!Number.isSafeInteger(parsed)) {
21
+ return { value: null, error: t(lang, 'envContract.error.invalidPositiveInteger', { option, value }) };
22
+ }
23
+ return { value: parsed };
24
+ }
25
+ export function getRepoEnvContractHelp(lang = 'en') {
26
+ return renderHelp({
27
+ usage: 'mf script-pack run repo/env-contract scan [path...] [options]',
28
+ summary: t(lang, 'envContract.help.summary'),
29
+ options: [
30
+ { label: '--max-files <count>', description: t(lang, 'envContract.help.option.maxFiles') },
31
+ { label: '--max-file-bytes <bytes>', description: t(lang, 'envContract.help.option.maxFileBytes') },
32
+ { label: '--max-keys <count>', description: t(lang, 'envContract.help.option.maxKeys') },
33
+ { label: '--json', description: t(lang, 'cli.option.json') },
34
+ { label: '-h, --help', description: t(lang, 'cli.option.help') },
35
+ ],
36
+ examples: [
37
+ 'mf script-pack run repo/env-contract scan --json',
38
+ 'mf script-pack run repo/env-contract scan src .env.example --json',
39
+ 'mf script-pack run repo/env-contract scan .github/workflows README.md --max-keys 120 --json',
40
+ ],
41
+ exitCodes: [
42
+ { label: '0', description: t(lang, 'envContract.help.exit.ok') },
43
+ { label: '1', description: t(lang, 'envContract.help.exit.fail') },
44
+ ],
45
+ }, lang);
46
+ }
47
+ function parseEnvContractOptions(args, lang) {
48
+ const [action, ...rest] = args;
49
+ const parsed = parseCliOptions(rest, ENV_CONTRACT_OPTIONS, { allowPositionals: true });
50
+ const json = hasParsedCliOption(parsed, '--json');
51
+ const maxFiles = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-files'), '--max-files', lang);
52
+ const maxFileBytes = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-file-bytes'), '--max-file-bytes', lang);
53
+ const maxKeys = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-keys'), '--max-keys', lang);
54
+ if (action !== 'scan') {
55
+ return {
56
+ action: 'scan',
57
+ json,
58
+ paths: parsed.positionals,
59
+ maxFiles: maxFiles.value,
60
+ maxFileBytes: maxFileBytes.value,
61
+ maxKeys: maxKeys.value,
62
+ error: action ? t(lang, 'envContract.error.unknownAction', { action }) : t(lang, 'envContract.error.missingAction'),
63
+ };
64
+ }
65
+ if (parsed.error) {
66
+ return {
67
+ action,
68
+ json,
69
+ paths: parsed.positionals,
70
+ maxFiles: maxFiles.value,
71
+ maxFileBytes: maxFileBytes.value,
72
+ maxKeys: maxKeys.value,
73
+ error: formatCliOptionParseError(parsed.error, lang),
74
+ };
75
+ }
76
+ for (const candidate of [maxFiles, maxFileBytes, maxKeys]) {
77
+ if (candidate.error) {
78
+ return {
79
+ action,
80
+ json,
81
+ paths: parsed.positionals,
82
+ maxFiles: maxFiles.value,
83
+ maxFileBytes: maxFileBytes.value,
84
+ maxKeys: maxKeys.value,
85
+ error: candidate.error,
86
+ };
87
+ }
88
+ }
89
+ return {
90
+ action,
91
+ json,
92
+ paths: parsed.positionals,
93
+ maxFiles: maxFiles.value,
94
+ maxFileBytes: maxFileBytes.value,
95
+ maxKeys: maxKeys.value,
96
+ };
97
+ }
98
+ function renderEnvContractSummary(report, lang) {
99
+ const lines = [
100
+ t(lang, 'envContract.title'),
101
+ `${t(lang, 'scriptPack.label.script')}: ${ENV_CONTRACT_SCRIPT_REF}`,
102
+ `${t(lang, 'label.status')}: ${report.status}`,
103
+ `${t(lang, 'envContract.label.files')}: ${report.summary.file_count}`,
104
+ `${t(lang, 'envContract.label.keys')}: ${report.summary.key_count}`,
105
+ `${t(lang, 'envContract.label.findings')}: ${report.findings.length}`,
106
+ `${t(lang, 'envContract.label.truncated')}: ${report.truncated ? t(lang, 'value.yes') : t(lang, 'value.no')}`,
107
+ ];
108
+ for (const entry of report.keys.slice(0, 40)) {
109
+ const flags = [
110
+ entry.used_in_code ? 'code' : null,
111
+ entry.declared_in_example ? 'example' : null,
112
+ entry.documented ? 'docs' : null,
113
+ entry.referenced_in_ci ? 'ci' : null,
114
+ entry.secret_like ? 'secret-like' : null,
115
+ entry.public_like ? 'public-like' : null,
116
+ ].filter((flag) => flag !== null);
117
+ lines.push(`- ${entry.key}: ${flags.join(', ') || t(lang, 'value.none')} (${entry.source_count})`);
118
+ }
119
+ if (report.findings.length > 0) {
120
+ lines.push(t(lang, 'envContract.label.findings'));
121
+ for (const finding of report.findings.slice(0, 40)) {
122
+ const key = finding.key ? ` ${finding.key}` : '';
123
+ lines.push(`- ${finding.path}:${key} ${finding.code} (${finding.message})`);
124
+ }
125
+ }
126
+ if (report.issues.length > 0) {
127
+ lines.push(t(lang, 'envContract.label.issues'), ...report.issues.map((issue) => `- ${issue}`));
128
+ }
129
+ if (report.keys.length === 0 && report.findings.length === 0 && report.issues.length === 0) {
130
+ lines.push(t(lang, 'envContract.clean'));
131
+ }
132
+ return lines.join('\n');
133
+ }
134
+ export function runRepoEnvContractScript(args, reporter, lang = 'en') {
135
+ if (hasCliOptionToken(args, '--help', ['-h'])) {
136
+ reporter.stdout(getRepoEnvContractHelp(lang));
137
+ return 0;
138
+ }
139
+ const options = parseEnvContractOptions(args, lang);
140
+ if (options.error) {
141
+ printUsageError(reporter, options.error, 'mf script-pack run repo/env-contract --help', getRepoEnvContractHelp(lang), lang);
142
+ return 1;
143
+ }
144
+ const report = inspectEnvContract(resolveMustflowRoot(), {
145
+ paths: options.paths,
146
+ maxFiles: options.maxFiles ?? undefined,
147
+ maxFileBytes: options.maxFileBytes ?? undefined,
148
+ maxKeys: options.maxKeys ?? undefined,
149
+ });
150
+ if (options.json) {
151
+ reporter.stdout(JSON.stringify(report, null, 2));
152
+ return report.ok ? 0 : 1;
153
+ }
154
+ reporter.stdout(renderEnvContractSummary(report, lang));
155
+ return report.ok ? 0 : 1;
156
+ }
@@ -0,0 +1,147 @@
1
+ import { printUsageError, renderHelp } from '../lib/cli-output.js';
2
+ import { t } from '../lib/i18n.js';
3
+ import { formatCliOptionParseError, getParsedCliStringOption, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../lib/option-parser.js';
4
+ import { resolveMustflowRoot } from '../lib/project-root.js';
5
+ import { inspectSecretRiskScan, SECRET_RISK_SCAN_SCRIPT_REF } from '../../core/secret-risk-scan.js';
6
+ const SECRET_RISK_SCAN_OPTIONS = [
7
+ { name: '--json', kind: 'boolean' },
8
+ { name: '--max-files', kind: 'string' },
9
+ { name: '--max-file-bytes', kind: 'string' },
10
+ { name: '--max-findings', kind: 'string' },
11
+ ];
12
+ function parsePositiveInteger(value, option, lang) {
13
+ if (value === null) {
14
+ return { value: null };
15
+ }
16
+ if (!/^[1-9]\d*$/u.test(value)) {
17
+ return { value: null, error: t(lang, 'secretRiskScan.error.invalidPositiveInteger', { option, value }) };
18
+ }
19
+ const parsed = Number(value);
20
+ if (!Number.isSafeInteger(parsed)) {
21
+ return { value: null, error: t(lang, 'secretRiskScan.error.invalidPositiveInteger', { option, value }) };
22
+ }
23
+ return { value: parsed };
24
+ }
25
+ export function getRepoSecretRiskScanHelp(lang = 'en') {
26
+ return renderHelp({
27
+ usage: 'mf script-pack run repo/secret-risk-scan scan [path...] [options]',
28
+ summary: t(lang, 'secretRiskScan.help.summary'),
29
+ options: [
30
+ { label: '--max-files <count>', description: t(lang, 'secretRiskScan.help.option.maxFiles') },
31
+ { label: '--max-file-bytes <bytes>', description: t(lang, 'secretRiskScan.help.option.maxFileBytes') },
32
+ { label: '--max-findings <count>', description: t(lang, 'secretRiskScan.help.option.maxFindings') },
33
+ { label: '--json', description: t(lang, 'cli.option.json') },
34
+ { label: '-h, --help', description: t(lang, 'cli.option.help') },
35
+ ],
36
+ examples: [
37
+ 'mf script-pack run repo/secret-risk-scan scan --json',
38
+ 'mf script-pack run repo/secret-risk-scan scan src README.md --json',
39
+ 'mf script-pack run repo/secret-risk-scan scan .env.example docs --max-findings 50 --json',
40
+ ],
41
+ exitCodes: [
42
+ { label: '0', description: t(lang, 'secretRiskScan.help.exit.ok') },
43
+ { label: '1', description: t(lang, 'secretRiskScan.help.exit.fail') },
44
+ ],
45
+ }, lang);
46
+ }
47
+ function parseSecretRiskScanOptions(args, lang) {
48
+ const [action, ...rest] = args;
49
+ const parsed = parseCliOptions(rest, SECRET_RISK_SCAN_OPTIONS, { allowPositionals: true });
50
+ const json = hasParsedCliOption(parsed, '--json');
51
+ const maxFiles = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-files'), '--max-files', lang);
52
+ const maxFileBytes = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-file-bytes'), '--max-file-bytes', lang);
53
+ const maxFindings = parsePositiveInteger(getParsedCliStringOption(parsed, '--max-findings'), '--max-findings', lang);
54
+ if (action !== 'scan') {
55
+ return {
56
+ action: 'scan',
57
+ json,
58
+ paths: parsed.positionals,
59
+ maxFiles: maxFiles.value,
60
+ maxFileBytes: maxFileBytes.value,
61
+ maxFindings: maxFindings.value,
62
+ error: action ? t(lang, 'secretRiskScan.error.unknownAction', { action }) : t(lang, 'secretRiskScan.error.missingAction'),
63
+ };
64
+ }
65
+ if (parsed.error) {
66
+ return {
67
+ action,
68
+ json,
69
+ paths: parsed.positionals,
70
+ maxFiles: maxFiles.value,
71
+ maxFileBytes: maxFileBytes.value,
72
+ maxFindings: maxFindings.value,
73
+ error: formatCliOptionParseError(parsed.error, lang),
74
+ };
75
+ }
76
+ for (const candidate of [maxFiles, maxFileBytes, maxFindings]) {
77
+ if (candidate.error) {
78
+ return {
79
+ action,
80
+ json,
81
+ paths: parsed.positionals,
82
+ maxFiles: maxFiles.value,
83
+ maxFileBytes: maxFileBytes.value,
84
+ maxFindings: maxFindings.value,
85
+ error: candidate.error,
86
+ };
87
+ }
88
+ }
89
+ return {
90
+ action,
91
+ json,
92
+ paths: parsed.positionals,
93
+ maxFiles: maxFiles.value,
94
+ maxFileBytes: maxFileBytes.value,
95
+ maxFindings: maxFindings.value,
96
+ };
97
+ }
98
+ function renderSecretRiskScanSummary(report, lang) {
99
+ const lines = [
100
+ t(lang, 'secretRiskScan.title'),
101
+ `${t(lang, 'scriptPack.label.script')}: ${SECRET_RISK_SCAN_SCRIPT_REF}`,
102
+ `${t(lang, 'label.status')}: ${report.status}`,
103
+ `${t(lang, 'secretRiskScan.label.files')}: ${report.summary.file_count}`,
104
+ `${t(lang, 'secretRiskScan.label.findings')}: ${report.summary.finding_count}`,
105
+ `${t(lang, 'secretRiskScan.label.highOrCritical')}: ${report.summary.high_or_critical_count}`,
106
+ `${t(lang, 'secretRiskScan.label.skippedSecretFiles')}: ${report.summary.skipped_secret_file_count}`,
107
+ `${t(lang, 'secretRiskScan.label.truncated')}: ${report.truncated ? t(lang, 'value.yes') : t(lang, 'value.no')}`,
108
+ ];
109
+ if (report.findings.length > 0) {
110
+ lines.push(t(lang, 'secretRiskScan.label.findings'));
111
+ for (const finding of report.findings.slice(0, 40)) {
112
+ const line = finding.line ? `:${finding.line}` : '';
113
+ const detector = finding.detector ? ` ${finding.detector}` : '';
114
+ lines.push(`- ${finding.path}${line}: ${finding.code}${detector} (${finding.message})`);
115
+ }
116
+ }
117
+ if (report.issues.length > 0) {
118
+ lines.push(t(lang, 'secretRiskScan.label.issues'), ...report.issues.map((issue) => `- ${issue}`));
119
+ }
120
+ if (report.findings.length === 0 && report.issues.length === 0) {
121
+ lines.push(t(lang, 'secretRiskScan.clean'));
122
+ }
123
+ return lines.join('\n');
124
+ }
125
+ export function runRepoSecretRiskScanScript(args, reporter, lang = 'en') {
126
+ if (hasCliOptionToken(args, '--help', ['-h'])) {
127
+ reporter.stdout(getRepoSecretRiskScanHelp(lang));
128
+ return 0;
129
+ }
130
+ const options = parseSecretRiskScanOptions(args, lang);
131
+ if (options.error) {
132
+ printUsageError(reporter, options.error, 'mf script-pack run repo/secret-risk-scan --help', getRepoSecretRiskScanHelp(lang), lang);
133
+ return 1;
134
+ }
135
+ const report = inspectSecretRiskScan(resolveMustflowRoot(), {
136
+ paths: options.paths,
137
+ maxFiles: options.maxFiles ?? undefined,
138
+ maxFileBytes: options.maxFileBytes ?? undefined,
139
+ maxFindings: options.maxFindings ?? undefined,
140
+ });
141
+ if (options.json) {
142
+ reporter.stdout(JSON.stringify(report, null, 2));
143
+ return report.ok ? 0 : 1;
144
+ }
145
+ reporter.stdout(renderSecretRiskScanSummary(report, lang));
146
+ return report.ok ? 0 : 1;
147
+ }