osv-security-cli 0.1.0 → 0.1.1

package/dist/bin/osv-security.js

@@ -25,6 +25,7 @@ var RuntimeConfigSchema = z.object({
   package_manager_js: z.string(),
   execution: z.enum(["docker", "local"]),
   docker_service: z.string(),
+  docker_workdir: z.string().optional(),
   test_command: z.string(),
   build_commands: z.object({
     frontend: z.string(),
@@ -82,7 +83,7 @@ var GateValidationError = class extends Error {
 };
 
 // src/config/loader.ts
-var DEFAULT_CONFIG_PATH = ".github/agents/project-config.yml";
+var DEFAULT_CONFIG_PATH = "project-config.yml";
 async function loadConfig(configPath, cwd = process.cwd()) {
   const absolutePath = resolve(cwd, configPath);
   let raw;
@@ -116,70 +117,66 @@ ${issues}`,
 }
 
 // src/config/generator.ts
-import { stringify } from "yaml";
 function generateConfigYaml(opts = {}) {
-  const config = {
-    project: {
-      name: opts.projectName ?? "My Laravel Project",
-      client: opts.client ?? "Client Name"
-    },
-    runtime: {
-      php: opts.phpVersion ?? "8.2",
-      laravel: opts.laravelVersion ?? "10.x",
-      node: opts.nodeVersion ?? "20.x",
-      package_manager_php: "composer",
-      package_manager_js: "npm",
-      execution: opts.execution ?? "docker",
-      docker_service: opts.dockerService ?? "app",
-      test_command: opts.testCommand ?? "php artisan test --compact",
-      build_commands: {
-        frontend: opts.frontendBuildCommand ?? "npm run development-frontend",
-        backend: opts.backendBuildCommand ?? "npm run development-backend"
-      }
-    },
-    protected_packages: {
-      composer: [
-        {
-          package: "laravel/framework",
-          constraint: "^10.0",
-          reason: "Major upgrade to Laravel 11 requires a dedicated project"
-        },
-        {
-          package: "livewire/livewire",
-          constraint: "^2.12",
-          reason: "Livewire 3 has breaking API changes; do not migrate without a project"
-        }
-      ],
-      npm: [
-        {
-          package: "alpinejs",
-          constraint: "^3.10.2",
-          reason: "Alpine v4 may have breaking syntax changes"
-        },
-        {
-          package: "tailwindcss",
-          constraint: "^3.3.3",
-          reason: "Tailwind v4 has breaking config and migration requirements"
-        }
-      ]
-    },
-    safe_update_policy: {
-      allow_patch_and_minor_within_constraints: true,
-      require_authorization_for_constraint_change: true,
-      authorization_format: "sim, confirmo breaking changes para [vendor/pacote]"
-    },
-    conflict_resolution: "stop_and_ask"
-  };
-  const header = [
-    "# OSV Security CLI \u2014 project configuration",
-    "# Generated by: osv-security init",
-    "# Documentation: https://github.com/google/osv-scanner",
-    "#",
-    "# - protected_packages: packages that must never be auto-upgraded beyond their constraint",
-    "# - safe_update_policy: patch/minor within constraints are auto-safe; constraint changes require authorization",
-    ""
-  ].join("\n");
-  return header + stringify(config, { lineWidth: 0 });
+  const projectName = opts.projectName ?? "My Laravel Project";
+  const client = opts.client ?? "Client Name";
+  const execution = opts.execution ?? "docker";
+  const dockerService = opts.dockerService ?? "app";
+  const dockerWorkdir = opts.dockerWorkdir;
+  const phpVersion = opts.phpVersion ?? "8.2";
+  const laravelVersion = opts.laravelVersion ?? "10.x";
+  const nodeVersion = opts.nodeVersion ?? "20.x";
+  const testCommand = opts.testCommand ?? "php artisan test --compact";
+  const frontendBuild = opts.frontendBuildCommand ?? "npm run development-frontend";
+  const backendBuild = opts.backendBuildCommand ?? "npm run development-backend";
+  const workdirLine = dockerWorkdir ? `
+  docker_workdir: '${dockerWorkdir}'` : "";
+  return `# OSV Security CLI \u2014 project configuration
+# Generated by: osv-security init
+# Documentation: https://github.com/google/osv-scanner
+#
+# protected_packages: packages that must NEVER be auto-upgraded beyond their stated constraint.
+#   Any update requiring a constraint change needs explicit per-package authorization.
+# safe_update_policy: patch/minor updates within existing constraints are auto-safe.
+
+project:
+  name: '${projectName}'
+  client: '${client}'
+
+runtime:
+  php: '${phpVersion}'
+  laravel: '${laravelVersion}'
+  node: '${nodeVersion}'
+  package_manager_php: 'composer'
+  package_manager_js: 'npm'
+  execution: '${execution}'
+  docker_service: '${dockerService}'${workdirLine}
+  test_command: '${testCommand}'
+  build_commands:
+    frontend: '${frontendBuild}'
+    backend: '${backendBuild}'
+
+# Add packages that must not be auto-upgraded beyond their constraint.
+# Examples:
+#   composer:
+#     - package: 'laravel/framework'
+#       constraint: '^10.0'
+#       reason: 'Major upgrade to Laravel 11 requires a dedicated project'
+#   npm:
+#     - package: 'tailwindcss'
+#       constraint: '^3.3.3'
+#       reason: 'Tailwind v4 has breaking config changes'
+protected_packages:
+  composer: []
+  npm: []
+
+safe_update_policy:
+  allow_patch_and_minor_within_constraints: true
+  require_authorization_for_constraint_change: true
+  authorization_format: 'sim, confirmo breaking changes para [vendor/pacote]'
+
+conflict_resolution: 'stop_and_ask'
+`;
 }
 
 // src/executor/local-executor.ts
@@ -233,19 +230,19 @@ var DockerExecutor = class {
   constructor(service, options = {}) {
     this.service = service;
     this.dryRun = options.dryRun ?? false;
+    this.workdir = options.workdir;
   }
   dryRun;
   environment = "docker";
+  workdir;
+  buildDockerCommand(command) {
+    const workdirFlag = this.workdir ? `--workdir ${this.workdir} ` : "";
+    return `docker-compose exec -T ${workdirFlag}${this.service} sh -c "${command.replace(/"/g, '\\"')}"`;
+  }
   async run(command, options = {}) {
-    const dockerCommand = `docker-compose exec -T ${this.service} sh -c "${command.replace(/"/g, '\\"')}"`;
+    const dockerCommand = this.buildDockerCommand(command);
     if (this.dryRun) {
-      return {
-        stdout: "",
-        stderr: "",
-        exitCode: 0,
-        command: dockerCommand,
-        dryRun: true
-      };
+      return { stdout: "", stderr: "", exitCode: 0, command: dockerCommand, dryRun: true };
     }
     try {
       const result = await execa2(dockerCommand, {
@@ -313,7 +310,7 @@ var logger = {
 };
 
 // src/environment/detector.ts
-async function detectEnvironment(preferredEnv, dockerService, cwd, dryRun = false) {
+async function detectEnvironment(preferredEnv, dockerService, cwd, dryRun = false, dockerWorkdir) {
   if (preferredEnv === "local") {
     logger.debug("Using local execution (configured preference)");
     return new LocalExecutor({ dryRun });
@@ -324,8 +321,9 @@ async function detectEnvironment(preferredEnv, dockerService, cwd, dryRun = fals
     { cwd }
   );
   if (result.exitCode === 0 && parseInt(result.stdout.trim(), 10) > 0) {
-    logger.debug(`Using Docker execution (service: ${dockerService})`);
-    return new DockerExecutor(dockerService, { dryRun });
+    const workdirInfo = dockerWorkdir ? ` (workdir: ${dockerWorkdir})` : "";
+    logger.debug(`Using Docker execution (service: ${dockerService}${workdirInfo})`);
+    return new DockerExecutor(dockerService, { dryRun, workdir: dockerWorkdir });
   }
   logger.warn(`Docker service "${dockerService}" not running \u2014 falling back to local execution`);
   return new LocalExecutor({ dryRun });
@@ -1085,11 +1083,24 @@ function executiveReportFilename(client, project) {
   return `[${client} ${project}] Report OSV Scanner - ${year}-${month} - ${monthEn}.md`;
 }
 
+// src/utils/prompt.ts
+import { createInterface } from "readline/promises";
+async function prompt(question, defaultValue) {
+  const hint = defaultValue ? ` (default: ${defaultValue})` : "";
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const answer = await rl.question(`${question}${hint}: `);
+    return answer.trim() || defaultValue || "";
+  } finally {
+    rl.close();
+  }
+}
+
 // bin/osv-security.ts
 var program = new Command();
 program.name("osv-security").description("OSV vulnerability scanning and safe dependency update CLI").version("0.1.0");
 var commonOptions = (cmd) => cmd.option("-c, --config <path>", "Path to project-config.yml", DEFAULT_CONFIG_PATH).option("--cwd <path>", "Working directory", process.cwd()).option("--dry-run", "Show commands without executing", false).option("-v, --verbose", "Verbose output", false).option("-q, --quiet", "Suppress all output except errors and final report", false).option("--json", "Output results as JSON", false).option("-o, --output <path>", "Write report to file");
-program.command("init").description("Generate a project-config.yml template in the current project").option("--project-name <name>", "Project name").option("--client <name>", "Client name").option("--execution <mode>", "Execution mode: docker or local", "docker").option("--docker-service <service>", "Docker Compose service name", "app").option("--php-version <version>", "PHP version", "8.2").option("--laravel-version <version>", "Laravel version", "10.x").option("--node-version <version>", "Node.js version", "20.x").option("--test-command <cmd>", "Test command", "php artisan test --compact").option("--cwd <path>", "Working directory", process.cwd()).option("--output <path>", "Output path (default: .github/agents/project-config.yml)").option("--force", "Overwrite existing file", false).action(async (opts) => {
+program.command("init").description("Generate a project-config.yml template in the current project").option("--project-name <name>", "Project name").option("--client <name>", "Client name").option("--execution <mode>", "Execution mode: docker or local", "docker").option("--docker-service <service>", "Docker Compose service name", "app").option("--docker-workdir <path>", "Working directory inside the container (e.g. /var/www/html)").option("--php-version <version>", "PHP version", "8.2").option("--laravel-version <version>", "Laravel version", "10.x").option("--node-version <version>", "Node.js version", "20.x").option("--test-command <cmd>", "Test command", "php artisan test --compact").option("--cwd <path>", "Working directory", process.cwd()).option("--output <path>", "Output path (default: .github/agents/project-config.yml)").option("--force", "Overwrite existing file", false).action(async (opts) => {
   const { access, mkdir } = await import("fs/promises");
   const { dirname } = await import("path");
   const outputPath = opts.output ? resolve2(opts.cwd, opts.output) : resolve2(opts.cwd, DEFAULT_CONFIG_PATH);
@@ -1105,11 +1116,14 @@ Use --force to overwrite.
     } catch {
     }
   }
+  const projectName = opts.projectName ?? await prompt("Project name", "My Laravel Project");
+  const client = opts.client ?? await prompt("Client name", "Client Name");
   const yaml = generateConfigYaml({
-    projectName: opts.projectName,
-    client: opts.client,
+    projectName,
+    client,
     execution: opts.execution,
     dockerService: opts.dockerService,
+    dockerWorkdir: opts.dockerWorkdir,
     phpVersion: opts.phpVersion,
     laravelVersion: opts.laravelVersion,
     nodeVersion: opts.nodeVersion,
@@ -1127,6 +1141,8 @@ Next steps:
   process.stdout.write(`  2. Review protected_packages \u2014 add any packages that must not be auto-upgraded
 `);
   process.stdout.write(`  3. Run: osv-security scan --cwd <your-project-dir>
+`);
+  process.stdout.write(`     (config will be loaded from project-config.yml at project root by default)
 `);
 });
 commonOptions(
@@ -1154,7 +1170,8 @@ async function runCommand(command, opts) {
       config.runtime.execution,
       config.runtime.docker_service,
       opts.cwd,
-      opts.dryRun
+      opts.dryRun,
+      config.runtime.docker_workdir
     );
     if (command === "scan") {
       const scanResult = await runScanner(runner, config, opts.cwd);