proof-pr 0.1.2 → 0.1.3

package/README.md

@@ -11,13 +11,14 @@ ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、
 ```bash
 npx proof-pr init
 npx proof-pr scan --base origin/main --head HEAD
+npx proof-pr scan --base origin/main --head HEAD --locale zh-CN
 npx proof-pr scan --base origin/main --pr-body-file pr-body.md --format json
 ```
 
 ## GitHub Action
 
 ```yaml
-- uses: linsk27/proof-pr@v0.1.2
+- uses: linsk27/proof-pr@v0.1.3
   with:
     fail-on: high
 ```

package/dist/index.js

@@ -23111,7 +23111,9 @@ function preprocess(fn, schema) {
 
 
 const riskLevelSchema = schemas_enum(["low", "medium", "high"]);
+const localeSchema = schemas_enum(["en", "zh-CN"]);
 const configSchema = object({
+    locale: localeSchema.default("en"),
     riskThreshold: riskLevelSchema.default("high"),
     ignorePaths: array(schemas_string()).default([]),
     sensitivePaths: array(schemas_string())
@@ -23174,6 +23176,10 @@ function riskMeetsThreshold(risk, threshold) {
 function riskRank(risk) {
     return { low: 1, medium: 2, high: 3 }[risk];
 }
+function parseLocale(value, fallback = "en") {
+    const result = localeSchema.safeParse(value);
+    return result.success ? result.data : fallback;
+}
 function isMissingFileError(error) {
     return (typeof error === "object" &&
         error !== null &&
@@ -23183,35 +23189,11 @@ function isMissingFileError(error) {
 //# sourceMappingURL=config.js.map
 ;// CONCATENATED MODULE: ../core/dist/reporters.js
 const REPORT_MARKER = "<!-- proof-pr-report -->";
-function renderMarkdownReport(result) {
-    const lines = [
-        REPORT_MARKER,
-        "# ProofPR Review",
-        "",
-        `Risk: **${result.risk}**`,
-        "",
-        "## Evidence",
-        "",
-        `- Files changed: ${result.summary.filesChanged}`,
-        `- Additions: ${result.summary.additions}`,
-        `- Deletions: ${result.summary.deletions}`,
-        `- Test files changed: ${result.summary.testFilesChanged}`,
-        `- Sensitive files changed: ${result.summary.sensitiveFilesChanged}`,
-        `- PR description: ${result.summary.pullRequestDescription}`,
-        `- Verification evidence: ${formatBoolean(result.summary.verificationEvidence)}`,
-        `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
-        ""
-    ];
-    if (result.findings.length === 0) {
-        lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
-        return lines.join("\n");
+function renderMarkdownReport(result, locale = "en") {
+    if (locale === "zh-CN") {
+        return renderChineseMarkdownReport(result);
     }
-    lines.push("## Findings", "");
-    for (const finding of result.findings) {
-        lines.push(formatFinding(finding), "");
-    }
-    lines.push("## Maintainer Focus", "", ...maintainerFocus(result.findings).map((item) => `- ${item}`), "");
-    return lines.join("\n");
+    return renderEnglishMarkdownReport(result);
 }
 function getReportMarker() {
     return REPORT_MARKER;
@@ -23234,7 +23216,7 @@ function renderSarifReport(result) {
                 tool: {
                     driver: {
                         name: "ProofPR",
-                        informationUri: "https://github.com/proof-pr/proof-pr",
+                        informationUri: "https://github.com/linsk27/proof-pr",
                         rules: [...rules.values()]
                     }
                 },
@@ -23256,7 +23238,67 @@ function renderSarifReport(result) {
         ]
     }, null, 2);
 }
-function formatFinding(finding) {
+function renderEnglishMarkdownReport(result) {
+    const lines = [
+        REPORT_MARKER,
+        "# ProofPR Review",
+        "",
+        `Risk: **${result.risk}**`,
+        "",
+        "## Evidence",
+        "",
+        `- Files changed: ${result.summary.filesChanged}`,
+        `- Additions: ${result.summary.additions}`,
+        `- Deletions: ${result.summary.deletions}`,
+        `- Test files changed: ${result.summary.testFilesChanged}`,
+        `- Sensitive files changed: ${result.summary.sensitiveFilesChanged}`,
+        `- PR description: ${result.summary.pullRequestDescription}`,
+        `- Verification evidence: ${formatBoolean(result.summary.verificationEvidence)}`,
+        `- Reproduction context: ${formatBoolean(result.summary.reproductionEvidence)}`,
+        ""
+    ];
+    if (result.findings.length === 0) {
+        lines.push("## Findings", "", "No review-risk findings detected by the enabled rules.", "");
+        return lines.join("\n");
+    }
+    lines.push("## Findings", "");
+    for (const finding of result.findings) {
+        lines.push(formatEnglishFinding(finding), "");
+    }
+    lines.push("## Maintainer Focus", "", ...maintainerFocus(result.findings, "en").map((item) => `- ${item}`), "");
+    return lines.join("\n");
+}
+function renderChineseMarkdownReport(result) {
+    const lines = [
+        REPORT_MARKER,
+        "# ProofPR 审查报告",
+        "",
+        `风险等级：**${translateRisk(result.risk)}**`,
+        "",
+        "## 证据概览",
+        "",
+        `- 改动文件数：${result.summary.filesChanged}`,
+        `- 新增行数：${result.summary.additions}`,
+        `- 删除行数：${result.summary.deletions}`,
+        `- 测试文件改动数：${result.summary.testFilesChanged}`,
+        `- 敏感文件改动数：${result.summary.sensitiveFilesChanged}`,
+        `- PR 描述质量：${translateDescriptionState(result.summary.pullRequestDescription)}`,
+        `- 验证证据：${formatChineseBoolean(result.summary.verificationEvidence)}`,
+        `- 复现上下文：${formatChineseBoolean(result.summary.reproductionEvidence)}`,
+        ""
+    ];
+    if (result.findings.length === 0) {
+        lines.push("## 风险发现", "", "启用的规则没有发现需要优先关注的 review 风险。", "");
+        return lines.join("\n");
+    }
+    lines.push("## 风险发现", "");
+    for (const finding of result.findings) {
+        lines.push(formatChineseFinding(finding), "");
+    }
+    lines.push("## 维护者关注点", "", ...maintainerFocus(result.findings, "zh-CN").map((item) => `- ${item}`), "");
+    return lines.join("\n");
+}
+function formatEnglishFinding(finding) {
     const lines = [
         `### ${finding.title}`,
         "",
@@ -23276,39 +23318,166 @@ function formatFinding(finding) {
     }
     return lines.join("\n");
 }
-function maintainerFocus(findings) {
+function formatChineseFinding(finding) {
+    const translated = translateFinding(finding);
+    const lines = [
+        `### ${translated.title}`,
+        "",
+        `- 规则：\`${finding.ruleId}\``,
+        `- 严重程度：\`${translateSeverity(finding.severity)}\``,
+        finding.path ? `- 路径：\`${finding.path}\`` : undefined,
+        `- 详情：${translated.message}`
+    ].filter((line) => Boolean(line));
+    if (finding.evidence && finding.evidence.length > 0) {
+        lines.push("- 证据：");
+        for (const item of finding.evidence) {
+            lines.push(`  - \`${translateEvidence(item)}\``);
+        }
+    }
+    if (translated.recommendation) {
+        lines.push(`- 建议：${translated.recommendation}`);
+    }
+    return lines.join("\n");
+}
+function maintainerFocus(findings, locale) {
     const focus = new Set();
     for (const finding of findings) {
         if (finding.ruleId.startsWith("secret-detected")) {
-            focus.add("Rotate any exposed credential and block the PR until secrets are removed.");
+            focus.add(locale === "zh-CN"
+                ? "轮换任何可能暴露的凭证，并在移除 secret 前阻止合并。"
+                : "Rotate any exposed credential and block the PR until secrets are removed.");
         }
         else if (finding.ruleId === "workflow-permission-change") {
-            focus.add("Review GitHub Actions permissions before merging.");
+            focus.add(locale === "zh-CN"
+                ? "合并前重点审查 GitHub Actions 权限。"
+                : "Review GitHub Actions permissions before merging.");
         }
         else if (finding.ruleId === "missing-tests") {
-            focus.add("Ask for tests or a manual verification note.");
+            focus.add(locale === "zh-CN"
+                ? "要求补充测试或清晰的手动验证说明。"
+                : "Ask for tests or a manual verification note.");
         }
         else if (finding.ruleId === "thin-pr-description") {
-            focus.add("Ask for a clearer PR description before deep review.");
+            focus.add(locale === "zh-CN"
+                ? "深入 review 前要求补充更清楚的 PR 描述。"
+                : "Ask for a clearer PR description before deep review.");
         }
         else if (finding.ruleId === "missing-reproduction-context") {
-            focus.add("Ask for reproduction steps or before/after context.");
+            focus.add(locale === "zh-CN"
+                ? "要求补充复现步骤或 before/after 上下文。"
+                : "Ask for reproduction steps or before/after context.");
         }
         else if (finding.ruleId === "change-size") {
-            focus.add("Request a smaller PR or a file-by-file review guide.");
+            focus.add(locale === "zh-CN"
+                ? "要求拆分 PR，或提供逐文件 review 指南。"
+                : "Request a smaller PR or a file-by-file review guide.");
         }
         else if (finding.ruleId === "mcp-credential-risk") {
-            focus.add("Review MCP commands, args, and credential handling.");
+            focus.add(locale === "zh-CN"
+                ? "重点审查 MCP command、args 和凭证处理方式。"
+                : "Review MCP commands, args, and credential handling.");
         }
     }
     if (focus.size === 0) {
-        focus.add("Review the listed sensitive files and ask for evidence where context is thin.");
+        focus.add(locale === "zh-CN"
+            ? "审查列出的敏感文件；如果上下文不足，要求贡献者补充证据。"
+            : "Review the listed sensitive files and ask for evidence where context is thin.");
     }
     return [...focus];
 }
+function translateFinding(finding) {
+    if (finding.ruleId === "change-size") {
+        const files = finding.evidence?.find((item) => item.startsWith("files: "))?.replace("files: ", "");
+        const lines = finding.evidence?.find((item) => item.startsWith("changed lines: "))?.replace("changed lines: ", "");
+        return {
+            title: finding.severity === "high" ? "review 面积过大" : "review 面积偏大",
+            message: files && lines ? `该改动涉及 ${files} 个文件、${lines} 行变更。` : finding.message,
+            recommendation: finding.severity === "high"
+                ? "建议要求拆分 PR，或提供清晰的 review map 后再投入深度 review。"
+                : "建议要求贡献者解释改动边界，并标出最需要重点 review 的文件。"
+        };
+    }
+    if (finding.ruleId === "sensitive-path") {
+        return {
+            title: "敏感文件发生变更",
+            message: finding.path ? `${finding.path} 命中了敏感路径配置。` : finding.message,
+            recommendation: "请重点审查权限、凭证、发布、依赖和 CI 相关变更。"
+        };
+    }
+    if (finding.ruleId === "missing-tests") {
+        return {
+            title: "缺少验证证据",
+            message: "代码发生变更，但没有检测到测试文件改动或 PR 验证说明。",
+            recommendation: "建议要求补充测试，或提供清晰的手动验证说明后再深入 review。"
+        };
+    }
+    if (finding.ruleId === "thin-pr-description") {
+        const missing = finding.title.toLowerCase().includes("missing");
+        return {
+            title: missing ? "PR 描述为空" : "PR 描述过薄",
+            message: missing ? "PR 正文为空，维护者缺少 review 前的上下文。" : "PR 正文较短，可能不足以支撑有效 review。",
+            recommendation: "建议要求补充改动动机、验证证据、兼容性和发布影响说明。"
+        };
+    }
+    if (finding.ruleId === "missing-reproduction-context") {
+        return {
+            title: "缺少复现或 before/after 上下文",
+            message: "PR 未提到复现步骤、预期行为、实际行为或 before/after 说明。",
+            recommendation: "建议要求补充复现步骤或 before/after 说明，方便 reviewer 验证改动路径。"
+        };
+    }
+    if (finding.ruleId === "dependency-added") {
+        return {
+            title: "依赖清单发生变更",
+            message: finding.path ? `${finding.path} 中新增或修改了类似依赖的条目。` : finding.message,
+            recommendation: "请确认包名、许可证、来源可信度，以及 lockfile 是否匹配预期依赖变化。"
+        };
+    }
+    if (finding.ruleId === "workflow-permission-change") {
+        return {
+            title: "Workflow 权限发生变更",
+            message: finding.path ? `${finding.path} 新增或修改了 GitHub Actions 权限。` : finding.message,
+            recommendation: "请确认 workflow 是否真的需要写权限或 token 权限，并检查不可信 PR 是否能触达该 workflow。"
+        };
+    }
+    if (finding.ruleId === "mcp-credential-risk") {
+        return {
+            title: "MCP 配置需要重点审查",
+            message: finding.path ? `${finding.path} 新增了与命令或凭证相关的 MCP 配置。` : finding.message,
+            recommendation: "避免在 MCP 配置中提交凭证，并审查 command 与 args 是否会扩大本地执行面。"
+        };
+    }
+    if (finding.ruleId.startsWith("secret-detected")) {
+        return {
+            title: "可能提交了 secret",
+            message: finding.message.replace("Added line looks like it contains", "新增行疑似包含"),
+            recommendation: "请将凭证移到 secret manager 或 CI secret store，轮换任何已暴露的值，并只提交占位符。"
+        };
+    }
+    return finding;
+}
+function translateEvidence(item) {
+    return item
+        .replace("files: ", "文件数：")
+        .replace("changed lines: ", "变更行数：")
+        .replace("line ", "第 ")
+        .replace(": ", " 行：");
+}
+function translateRisk(risk) {
+    return { low: "低", medium: "中", high: "高" }[risk] ?? risk;
+}
+function translateSeverity(severity) {
+    return { info: "信息", low: "低", medium: "中", high: "高" }[severity] ?? severity;
+}
+function translateDescriptionState(state) {
+    return { unavailable: "不可用", missing: "缺失", thin: "过薄", present: "充足" }[state] ?? state;
+}
 function formatBoolean(value) {
     return value ? "yes" : "no";
 }
+function formatChineseBoolean(value) {
+    return value ? "有" : "无";
+}
 function sarifLevel(severity) {
     if (severity === "high") {
         return "error";
@@ -23579,6 +23748,29 @@ function redactLine(line) {
 
 
 
+const PACKAGE_JSON_NON_DEPENDENCY_KEYS = new Set([
+    "author",
+    "bin",
+    "bugs",
+    "description",
+    "engines",
+    "exports",
+    "files",
+    "homepage",
+    "keywords",
+    "license",
+    "main",
+    "module",
+    "name",
+    "packageManager",
+    "private",
+    "publishConfig",
+    "repository",
+    "scripts",
+    "type",
+    "types",
+    "version"
+]);
 function analyzeDiffFiles(files, config, pullRequest) {
     const activeFiles = files.filter((file) => !matchesAny(file.path, config.ignorePaths));
     const findings = [];
@@ -23738,7 +23930,15 @@ function analyzeDependencyChanges(files, config) {
 }
 function isDependencyLikeAddition(path, line) {
     if (path.endsWith("package.json")) {
-        return /^"[@A-Za-z0-9_.-]+"\s*:\s*"(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)[^"]*"/.test(line);
+        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<value>[^"]*)"/.exec(line);
+        if (!match?.groups) {
+            return false;
+        }
+        const { key, value } = match.groups;
+        if (!key || !value || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
+            return false;
+        }
+        return /^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(value);
     }
     if (path.endsWith("requirements.txt")) {
         return /^[A-Za-z0-9_.-]+(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*[^#\s]+/.test(line);
@@ -23866,7 +24066,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.2");
+    .version("0.1.3");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -23878,6 +24078,7 @@ build_program
     .option("--pr-body-file <path>", "Read a pull request body from a Markdown file.")
     .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
     .option("--format <format>", "Output format: markdown, json, or sarif.", parseFormat, "markdown")
+    .option("--locale <locale>", "Report language: en or zh-CN.")
     .option("--fail-on <level>", "Exit with code 1 on risk level: low, medium, high, or never.", parseFailLevel, "never")
     .action(async (options) => {
     const diffText = options.diffFile
@@ -23889,7 +24090,8 @@ build_program
         ? { title: options.prTitle, body: prBody }
         : undefined;
     const result = scanDiff(diffText, { config, pullRequest });
-    const output = renderOutput(result, options.format);
+    const locale = parseLocale(options.locale, config.locale);
+    const output = renderOutput(result, options.format, locale);
     process.stdout.write(`${output}\n`);
     if (riskMeetsThreshold(result.risk, options.failOn)) {
         process.exitCode = 1;
@@ -23943,7 +24145,9 @@ async function pathExists(path) {
     }
 }
 function renderConfigTemplate() {
-    return `riskThreshold: high
+    return `locale: zh-CN
+
+riskThreshold: high
 
 sensitivePaths:
   - ".github/workflows/**"
@@ -23994,20 +24198,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.1
+      - uses: linsk27/proof-pr@v0.1.3
         with:
           fail-on: ${failOn}
           comment: "true"
 `;
 }
-function renderOutput(result, format) {
+function renderOutput(result, format, locale) {
     if (format === "json") {
         return JSON.stringify(result, null, 2);
     }
     if (format === "sarif") {
         return renderSarifReport(result);
     }
-    return renderMarkdownReport(result);
+    return renderMarkdownReport(result, locale);
 }
 function parseFormat(value) {
     if (value === "json" || value === "markdown" || value === "sarif") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",