periapsis 1.0.5 → 1.0.7

package/.github/workflows/periapsis-license-check.yml

@@ -63,7 +63,7 @@ jobs:
             exit 1
           fi
 
-          VIOLATION_COUNT=$(node -e "const fs=require('fs');const d=JSON.parse(fs.readFileSync('sbom-violations.json','utf8'));const count=Array.isArray(d)?d.length:(Array.isArray(d?.violations)?d.violations.length:0);process.stdout.write(String(count));")
+          VIOLATION_COUNT="$(node -e 'const fs = require("fs"); const data = JSON.parse(fs.readFileSync("sbom-violations.json", "utf8")); const count = Array.isArray(data) ? data.length : Array.isArray(data?.violations) ? data.violations.length : 0; process.stdout.write(String(count));')"
           echo "Detected violations: ${VIOLATION_COUNT}"
 
           if [ "${VIOLATION_COUNT}" -gt 0 ]; then

package/README.md

@@ -9,6 +9,8 @@ npm install
 npx periapsis --violations-out sbom-violations.json
 ```
 
+When working on the `periapsis` repository itself, prefer `node ./bin/periapsis.mjs ...` or `npm run policy:check` so you are exercising the checked-out CLI rather than any previously published copy.
+
 Initialize governed policy files:
 
 ```sh
@@ -312,6 +314,8 @@ Example:
 - run: npx periapsis --violations-out sbom-violations.json
 ```
 
+If you add an inline `node -e` follow-up check in GitHub Actions, wrap the JavaScript in single quotes. Backticks inside a double-quoted shell string are treated as command substitution by `bash`.
+
 When violations exist, Periapsis exits non-zero and prints deterministic markdown summary suitable for Actions logs.
 
 ## Troubleshooting Large Violation Sets

package/bin/periapsis.mjs

@@ -696,7 +696,16 @@ export async function main(argv = process.argv.slice(2)) {
   cmdCheck(root, args);
 }
 
-if (process.argv[1] && path.resolve(process.argv[1]) === __filename) {
+export function isDirectExecution(entryFilename = __filename, argv1 = process.argv[1]) {
+  if (!argv1) return false;
+  try {
+    return fs.realpathSync(argv1) === entryFilename;
+  } catch {
+    return path.resolve(argv1) === entryFilename;
+  }
+}
+
+if (isDirectExecution()) {
   main().catch((err) => {
     console.error(err.message);
     process.exit(1);

package/lib/periapsis-core.mjs

@@ -166,6 +166,10 @@ export function parseArgs(argv) {
   const args = { _: [] };
   for (let i = 0; i < argv.length; i++) {
     const arg = argv[i];
+    if (arg === '--') {
+      // Ignore npm/npx argument separators so forwarded flags still parse normally.
+      continue;
+    }
     if (arg === '--help' || arg === '-h') {
       args.help = true;
       continue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "periapsis",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "private": false,
   "type": "module",
   "scripts": {
@@ -34,8 +34,5 @@
     "spdx",
     "cli"
   ],
-  "license": "MIT",
-  "devDependencies": {
-    "periapsis": "^1.0.1"
-  }
+  "license": "MIT"
 }

package/sbom-licenses.json

@@ -1,7 +1,7 @@
 [
   {
     "name": "ajv",
-    "version": "8.17.1",
+    "version": "8.18.0",
     "license": "MIT",
     "path": "node_modules/ajv",
     "repository": "ajv-validator/ajv",
@@ -61,19 +61,6 @@
       "dependencies"
     ]
   },
-  {
-    "name": "periapsis",
-    "version": "1.0.1",
-    "license": "MIT",
-    "path": "node_modules/periapsis",
-    "repository": {
-      "type": "git",
-      "url": "https://github.com/scfast/periapsis"
-    },
-    "dependencyTypes": [
-      "devDependencies"
-    ]
-  },
   {
     "name": "require-from-string",
     "version": "2.0.2",

package/test/cli.test.mjs

@@ -2,7 +2,8 @@ import test from 'node:test';
 import assert from 'node:assert/strict';
 import fs from 'fs';
 import path from 'path';
-import { createTempDir, runCli, writePolicyBundle } from '../testing/helpers.mjs';
+import { isDirectExecution } from '../bin/periapsis.mjs';
+import { BIN, createTempDir, runCli, writePolicyBundle } from '../testing/helpers.mjs';
 
 function setupTempProject() {
   const dir = createTempDir('periapsis-test-');
@@ -136,3 +137,11 @@ test('checker respects --dep-types filter', async () => {
   });
   assert.match(failOutput, /license-not-allowed/);
 });
+
+test('isDirectExecution resolves symlinked bin paths', () => {
+  const cwd = createTempDir('periapsis-bin-symlink-');
+  const symlinkPath = path.join(cwd, 'periapsis');
+  fs.symlinkSync(BIN, symlinkPath);
+
+  assert.equal(isDirectExecution(BIN, symlinkPath), true);
+});

package/test/commands.test.mjs

@@ -96,3 +96,32 @@ test('checker honors policy dependencyTypes when no CLI override is provided', a
   const sbom = JSON.parse(fs.readFileSync(path.join(cwd, 'sbom-licenses.json'), 'utf8'));
   assert.deepEqual(sbom.map((entry) => entry.name), ['a']);
 });
+
+test('checker accepts npm forwarded args after a standalone double-dash', async () => {
+  const cwd = createTempDir('periapsis-npm-forwarded-args-');
+  writePolicyBundle(cwd);
+  writeJson(path.join(cwd, 'package.json'), {
+    name: 'forwarded-args-app',
+    version: '1.0.0',
+    dependencies: { a: '1.0.0' }
+  });
+  writeJson(path.join(cwd, 'package-lock.json'), {
+    name: 'forwarded-args-app',
+    version: '1.0.0',
+    lockfileVersion: 3,
+    packages: {
+      '': {
+        name: 'forwarded-args-app',
+        version: '1.0.0',
+        dependencies: { a: '1.0.0' }
+      },
+      'node_modules/a': { version: '1.0.0', license: 'MIT' }
+    }
+  });
+  fs.mkdirSync(path.join(cwd, 'node_modules', 'a'), { recursive: true });
+
+  await runCli(cwd, ['--', '--violations-out', 'violations.json', '--quiet']);
+
+  const violations = JSON.parse(fs.readFileSync(path.join(cwd, 'violations.json'), 'utf8'));
+  assert.deepEqual(violations, []);
+});