relionhq 2.0.3 → 2.1.0

package/dist/index.js

@@ -217,14 +217,42 @@ function printReceipt(opts) {
   console.log(`\u2514${"\u2500".repeat(width + 2)}\u2518`);
   console.log("");
 }
+function stripAnsi(s) {
+  return s.replace(/\x1b\[[0-9;]*m/g, "");
+}
+function wordWrap(text, maxWidth) {
+  const words = text.split(" ");
+  const lines = [];
+  let current = "";
+  for (const word of words) {
+    if (current.length === 0) {
+      current = word;
+    } else if (current.length + 1 + word.length <= maxWidth) {
+      current += " " + word;
+    } else {
+      lines.push(current);
+      current = word;
+    }
+  }
+  if (current) lines.push(current);
+  return lines.length ? lines : [""];
+}
+function boxLine(content, width) {
+  const stripped = stripAnsi(content);
+  const gap = Math.max(0, width - stripped.length);
+  return `\u2502  ${content}${" ".repeat(gap)}  \u2502`;
+}
+function blankLine(width) {
+  return `\u2502${" ".repeat(width + 2)}\u2502`;
+}
 function printPredeployReceipt(opts) {
   if (QUIET) return;
-  const width = 60;
+  const width = 62;
   const line = "\u2500".repeat(width);
   const pad = (label, value) => {
-    const stripped = value.replace(/\x1b\[[0-9;]*m/g, "");
-    const gap = width - label.length - stripped.length - 2;
-    return `\u2502  ${label}${" ".repeat(Math.max(1, gap))}${value}  \u2502`;
+    const stripped = stripAnsi(value);
+    const gap = Math.max(1, width - label.length - stripped.length - 2);
+    return `\u2502  ${label}${" ".repeat(gap)}${value}  \u2502`;
   };
   const verdictLabel = opts.verdict === "safe" ? color.green("\u2713 SAFE") : opts.verdict === "caution" ? color.yellow("\u26A0 CAUTION") : opts.verdict === "high_risk" ? color.red("\u2717 HIGH RISK") : opts.verdict === "blocked" ? color.red("\u2717 BLOCKED") : color.dim("\u2014 OFFLINE");
   console.log("");
@@ -232,7 +260,7 @@ function printPredeployReceipt(opts) {
   console.log(`\u2502  ${color.bold("Relion Pre-Deploy Check")}${" ".repeat(width - 22)}  \u2502`);
   console.log(`\u251C${line}\u2524`);
   if (opts.branch || opts.commit) {
-    const meta = [opts.branch, opts.commit ? opts.commit.slice(0, 7) : ""].filter(Boolean).join(" \u2192 ");
+    const meta = [opts.branch, opts.commit ? opts.commit.slice(0, 7) : ""].filter(Boolean).join("  \xB7  ");
     console.log(pad("Branch:", color.dim(meta)));
   }
   if (opts.baseBranch) console.log(pad("Comparing against:", color.dim(opts.baseBranch)));
@@ -245,23 +273,57 @@ function printPredeployReceipt(opts) {
   console.log(pad("Verdict:", verdictLabel));
   const nonSafe = opts.findings.filter((f) => f.riskLevel !== "safe" && f.riskLevel !== "info");
   if (nonSafe.length > 0) {
-    console.log(`\u2502${" ".repeat(width + 2)}\u2502`);
-    for (const finding of nonSafe.slice(0, 5)) {
+    console.log(`\u251C${line}\u2524`);
+    for (const finding of nonSafe) {
+      console.log(blankLine(width));
       const icon = finding.riskLevel === "blocked" ? color.red("\u2717") : finding.riskLevel === "high_risk" ? color.red("!") : color.yellow("\u26A0");
-      const text = `  ${icon} ${finding.vendorName}: ${finding.description}`;
-      console.log(`\u2502${text.slice(0, width + 2).padEnd(width + 2)}\u2502`);
+      const badge = finding.riskLevel === "blocked" ? color.red("[BLOCKED]") : finding.riskLevel === "high_risk" ? color.red("[HIGH RISK]") : color.yellow("[CAUTION]");
+      const sourceTag = finding.source === "probe_failure" ? color.dim(" \xB7 live probe") : finding.source === "vendor_change" ? color.dim(" \xB7 spec change") : finding.source === "alert" ? color.dim(" \xB7 alert") : "";
+      const headerText = `${icon} ${badge} ${color.bold(finding.vendorName)}${sourceTag}`;
+      console.log(boxLine(headerText, width));
+      const title = finding.title ?? finding.description;
+      if (title) {
+        const titleLines = wordWrap(title, width - 4);
+        for (const tl of titleLines) {
+          console.log(boxLine(`    ${color.dim(tl)}`, width));
+        }
+      }
+      if (finding.versionFrom || finding.versionTo) {
+        const vRange = [finding.versionFrom, finding.versionTo].filter(Boolean).join(color.dim(" \u2192 "));
+        console.log(boxLine(`    ${color.dim("v")}${vRange}`, width));
+      }
+      const body = finding.summary ?? finding.description;
+      if (body) {
+        const bodyLines = wordWrap(body, width - 4);
+        console.log(blankLine(width));
+        for (const bl of bodyLines) {
+          console.log(boxLine(`    ${bl}`, width));
+        }
+      }
+      if (finding.recommendation) {
+        const recLines = wordWrap(finding.recommendation, width - 7);
+        console.log(blankLine(width));
+        for (let i = 0; i < recLines.length; i++) {
+          const prefix = i === 0 ? `    ${color.cyan("\u2192")} ` : "      ";
+          console.log(boxLine(`${prefix}${recLines[i]}`, width));
+        }
+      }
     }
-    if (nonSafe.length > 5) {
-      console.log(`\u2502  ${color.dim(`...and ${nonSafe.length - 5} more findings`)}${" ".repeat(Math.max(0, width - 20 - String(nonSafe.length - 5).length))}  \u2502`);
+    console.log(blankLine(width));
+    if (nonSafe.length > 1) {
+      console.log(boxLine(color.dim(`  ${nonSafe.length} finding${nonSafe.length === 1 ? "" : "s"} total`), width));
     }
   }
   if (opts.dashboardUrl) {
     console.log(`\u251C${line}\u2524`);
-    console.log(`\u2502  ${color.cyan("View on dashboard:")}${" ".repeat(width - 18)}  \u2502`);
-    console.log(`\u2502  ${color.dim("\u2192")} ${opts.dashboardUrl.slice(0, width - 2).padEnd(width - 2)}  \u2502`);
+    console.log(boxLine(`${color.cyan("View:")} ${color.dim(opts.dashboardUrl)}`, width));
   }
   console.log(`\u2514${"\u2500".repeat(width + 2)}\u2518`);
   console.log("");
+  if (opts.verdict === "safe" && !QUIET) {
+    console.log(`${color.green("\u2713")}  No API risk detected. Safe to deploy.
+`);
+  }
 }
 function printError(msg, hint) {
   console.error(`
@@ -355,6 +417,81 @@ for (const v of VENDORS) {
   for (const pfx of v.envPrefixes) PREFIX_TO_VENDOR.set(pfx, v);
   for (const dom of v.domains) DOMAIN_TO_VENDOR.set(dom, v);
 }
+var PYTHON_PACKAGE_TO_VENDOR = /* @__PURE__ */ new Map([
+  ["stripe", VENDORS.find((v) => v.key === "stripe")],
+  ["openai", VENDORS.find((v) => v.key === "openai")],
+  ["anthropic", VENDORS.find((v) => v.key === "anthropic")],
+  ["twilio", VENDORS.find((v) => v.key === "twilio")],
+  ["sendgrid", VENDORS.find((v) => v.key === "sendgrid")],
+  ["sendgrid-python", VENDORS.find((v) => v.key === "sendgrid")],
+  ["plaid-python", VENDORS.find((v) => v.key === "plaid")],
+  ["slack-sdk", VENDORS.find((v) => v.key === "slack")],
+  ["slack-bolt", VENDORS.find((v) => v.key === "slack")],
+  ["PyGithub", VENDORS.find((v) => v.key === "github")],
+  ["shopifyapi", VENDORS.find((v) => v.key === "shopify")],
+  ["boto3", VENDORS.find((v) => v.key === "aws")],
+  ["botocore", VENDORS.find((v) => v.key === "aws")],
+  ["google-cloud-storage", VENDORS.find((v) => v.key === "google_cloud")],
+  ["google-cloud-bigquery", VENDORS.find((v) => v.key === "google_cloud")],
+  ["google-api-python-client", VENDORS.find((v) => v.key === "google_cloud")],
+  ["datadog", VENDORS.find((v) => v.key === "datadog")],
+  ["analytics-python", VENDORS.find((v) => v.key === "segment")],
+  ["hubspot", VENDORS.find((v) => v.key === "hubspot")],
+  ["simple-salesforce", VENDORS.find((v) => v.key === "salesforce")],
+  ["pdpyras", VENDORS.find((v) => v.key === "pagerduty")],
+  ["resend", VENDORS.find((v) => v.key === "resend")],
+  ["supabase", VENDORS.find((v) => v.key === "supabase")],
+  ["firebase-admin", VENDORS.find((v) => v.key === "firebase")],
+  ["notion-client", VENDORS.find((v) => v.key === "notion")],
+  ["airtable", VENDORS.find((v) => v.key === "airtable")]
+]);
+var GO_MODULE_TO_VENDOR = /* @__PURE__ */ new Map([
+  ["github.com/stripe/stripe-go", VENDORS.find((v) => v.key === "stripe")],
+  ["github.com/sashabaranov/go-openai", VENDORS.find((v) => v.key === "openai")],
+  ["github.com/anthropics/anthropic-sdk-go", VENDORS.find((v) => v.key === "anthropic")],
+  ["github.com/twilio/twilio-go", VENDORS.find((v) => v.key === "twilio")],
+  ["github.com/sendgrid/sendgrid-go", VENDORS.find((v) => v.key === "sendgrid")],
+  ["github.com/plaid/plaid-go", VENDORS.find((v) => v.key === "plaid")],
+  ["github.com/slack-go/slack", VENDORS.find((v) => v.key === "slack")],
+  ["github.com/google/go-github", VENDORS.find((v) => v.key === "github")],
+  ["github.com/aws/aws-sdk-go", VENDORS.find((v) => v.key === "aws")],
+  ["github.com/aws/aws-sdk-go-v2", VENDORS.find((v) => v.key === "aws")],
+  ["google.golang.org/api", VENDORS.find((v) => v.key === "google_cloud")],
+  ["cloud.google.com/go", VENDORS.find((v) => v.key === "google_cloud")],
+  ["github.com/DataDog/datadog-go", VENDORS.find((v) => v.key === "datadog")],
+  ["github.com/PagerDuty/go-pagerduty", VENDORS.find((v) => v.key === "pagerduty")],
+  ["github.com/supabase-community/supabase-go", VENDORS.find((v) => v.key === "supabase")],
+  ["firebase.google.com/go", VENDORS.find((v) => v.key === "firebase")],
+  ["github.com/jomei/notionapi", VENDORS.find((v) => v.key === "notion")]
+]);
+var RUBY_GEM_TO_VENDOR = /* @__PURE__ */ new Map([
+  ["stripe", VENDORS.find((v) => v.key === "stripe")],
+  ["ruby-openai", VENDORS.find((v) => v.key === "openai")],
+  ["anthropic-rb", VENDORS.find((v) => v.key === "anthropic")],
+  ["twilio-ruby", VENDORS.find((v) => v.key === "twilio")],
+  ["sendgrid-ruby", VENDORS.find((v) => v.key === "sendgrid")],
+  ["plaid", VENDORS.find((v) => v.key === "plaid")],
+  ["slack-ruby-client", VENDORS.find((v) => v.key === "slack")],
+  ["octokit", VENDORS.find((v) => v.key === "github")],
+  ["shopify_api", VENDORS.find((v) => v.key === "shopify")],
+  ["aws-sdk", VENDORS.find((v) => v.key === "aws")],
+  ["google-apis-core", VENDORS.find((v) => v.key === "google_cloud")],
+  ["dogapi", VENDORS.find((v) => v.key === "datadog")],
+  ["hubspot-api-client", VENDORS.find((v) => v.key === "hubspot")],
+  ["restforce", VENDORS.find((v) => v.key === "salesforce")],
+  ["supabase", VENDORS.find((v) => v.key === "supabase")]
+]);
+var RUST_CRATE_TO_VENDOR = /* @__PURE__ */ new Map([
+  ["stripe", VENDORS.find((v) => v.key === "stripe")],
+  ["async-openai", VENDORS.find((v) => v.key === "openai")],
+  ["twilio", VENDORS.find((v) => v.key === "twilio")],
+  ["aws-sdk-s3", VENDORS.find((v) => v.key === "aws")],
+  ["aws-sdk-dynamodb", VENDORS.find((v) => v.key === "aws")],
+  ["aws-config", VENDORS.find((v) => v.key === "aws")],
+  ["google-cloud-storage", VENDORS.find((v) => v.key === "google_cloud")],
+  ["octocrab", VENDORS.find((v) => v.key === "github")],
+  ["slack-morphism", VENDORS.find((v) => v.key === "slack")]
+]);
 
 // src/engines/detect.ts
 var MAX_FILE_BYTES = 256e3;
@@ -486,6 +623,73 @@ function detectVendorsInRoot(root) {
   matchPackageJson(content, map, "package.json");
   return [...map.values()];
 }
+function matchRequirementsTxt(content, map, filePath) {
+  for (const rawLine of content.split("\n")) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#") || line.startsWith("-")) continue;
+    const pkgName = line.split(/[=<>!~\[;]/)[0].trim().toLowerCase();
+    const vendor = PYTHON_PACKAGE_TO_VENDOR.get(pkgName) ?? PYTHON_PACKAGE_TO_VENDOR.get(line.split(/[=<>!~\[;]/)[0].trim());
+    if (vendor) upsert(map, vendor, "strong", `requirements.txt: ${pkgName}`, filePath);
+  }
+}
+function matchPyprojectToml(content, map, filePath) {
+  const depRe = /^([a-zA-Z0-9_\-]+)\s*=/gm;
+  let m;
+  while ((m = depRe.exec(content)) !== null) {
+    const pkgName = m[1].toLowerCase().replace(/_/g, "-");
+    const vendor = PYTHON_PACKAGE_TO_VENDOR.get(pkgName) ?? PYTHON_PACKAGE_TO_VENDOR.get(m[1].toLowerCase());
+    if (vendor) upsert(map, vendor, "strong", `pyproject.toml: ${pkgName}`, filePath);
+  }
+}
+function matchGoMod(content, map, filePath) {
+  const reqRe = /^\s+([a-zA-Z0-9.\-/]+)\s+v[\d.]+/gm;
+  let m;
+  while ((m = reqRe.exec(content)) !== null) {
+    const modPath = m[1];
+    for (const [key, vendor] of GO_MODULE_TO_VENDOR) {
+      if (modPath === key || modPath.startsWith(key + "/") || key.startsWith(modPath)) {
+        upsert(map, vendor, "strong", `go.mod: ${modPath}`, filePath);
+        break;
+      }
+    }
+  }
+}
+function matchGemfile(content, map, filePath) {
+  const gemRe = /^\s*gem\s+['"]([a-zA-Z0-9_\-]+)['"]/gm;
+  let m;
+  while ((m = gemRe.exec(content)) !== null) {
+    const gemName = m[1];
+    const vendor = RUBY_GEM_TO_VENDOR.get(gemName);
+    if (vendor) upsert(map, vendor, "strong", `Gemfile: ${gemName}`, filePath);
+  }
+}
+function matchCargoToml(content, map, filePath) {
+  const depRe = /^\s*([a-zA-Z0-9_\-]+)\s*=/gm;
+  let m;
+  while ((m = depRe.exec(content)) !== null) {
+    const crateName = m[1].replace(/_/g, "-");
+    const vendor = RUST_CRATE_TO_VENDOR.get(crateName) ?? RUST_CRATE_TO_VENDOR.get(m[1]);
+    if (vendor) upsert(map, vendor, "strong", `Cargo.toml: ${crateName}`, filePath);
+  }
+}
+function scanProjectManifests(root) {
+  const map = /* @__PURE__ */ new Map();
+  const manifests = [
+    { file: "package.json", handler: matchPackageJson },
+    { file: "requirements.txt", handler: matchRequirementsTxt },
+    { file: "requirements.in", handler: matchRequirementsTxt },
+    { file: "pyproject.toml", handler: matchPyprojectToml },
+    { file: "go.mod", handler: matchGoMod },
+    { file: "Gemfile", handler: matchGemfile },
+    { file: "Cargo.toml", handler: matchCargoToml }
+  ];
+  for (const { file, handler } of manifests) {
+    const absPath = path2.join(root, file);
+    const content = readSafe(absPath);
+    if (content) handler(content, map, file);
+  }
+  return [...map.values()];
+}
 
 // src/commands/scan.ts
 async function scanCommand(targetPath, flags) {
@@ -799,6 +1003,18 @@ ${color.bold("Last scan")} ${color.dim("(cached)")}`);
 var path4 = __toESM(require("path"));
 
 // src/engines/api.ts
+function severityToRiskLevel(severity) {
+  switch (severity?.toLowerCase()) {
+    case "critical":
+      return "blocked";
+    case "high":
+      return "high_risk";
+    case "medium":
+      return "caution";
+    default:
+      return "info";
+  }
+}
 async function apiFetch(url, token, method = "GET", body) {
   const opts = {
     method,
@@ -812,16 +1028,72 @@ async function apiFetch(url, token, method = "GET", body) {
 }
 async function lookupRisk(vendorKeys, token, apiUrl) {
   if (vendorKeys.length === 0) return [];
-  const qs = vendorKeys.map((k) => `vendorKeys=${encodeURIComponent(k)}`).join("&");
+  const qs = `vendors=${vendorKeys.map(encodeURIComponent).join(",")}`;
   const url = `${apiUrl.replace(/\/$/, "")}/api/predeploy/risk?${qs}`;
+  let data;
   try {
     const res = await apiFetch(url, token);
     if (!res.ok) return [];
-    const data = await res.json();
-    return data.findings ?? [];
+    data = await res.json();
   } catch {
     return [];
   }
+  const findings = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of data.alerts ?? []) {
+    const key = `alert:${a.id}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    findings.push({
+      vendorKey: a.vendorKey ?? "",
+      vendorName: a.vendorName ?? a.title,
+      riskLevel: severityToRiskLevel(a.severity),
+      findingType: "alert",
+      source: "alert",
+      title: a.title,
+      description: a.vendorChange?.summary ?? a.summary,
+      summary: a.summary,
+      versionFrom: void 0,
+      versionTo: void 0,
+      detectedAt: a.createdAt
+    });
+  }
+  for (const vc of data.vendorChanges ?? []) {
+    const key = `vc:${vc.id}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    findings.push({
+      vendorKey: vc.vendorKey,
+      vendorName: vc.vendorKey,
+      riskLevel: severityToRiskLevel(vc.severity),
+      findingType: "vendor_change",
+      source: "vendor_change",
+      title: vc.title,
+      description: vc.summary,
+      summary: vc.summary,
+      versionFrom: vc.versionFrom ?? void 0,
+      versionTo: vc.versionTo ?? void 0,
+      detectedAt: vc.detectedAt
+    });
+  }
+  for (const p of data.probeFailures ?? []) {
+    const key = `probe:${p.id}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    findings.push({
+      vendorKey: p.vendorKey ?? "",
+      vendorName: p.vendorName ?? p.name,
+      riskLevel: p.consecutiveFailures >= 3 ? "high_risk" : "caution",
+      findingType: "probe_failure",
+      source: "probe_failure",
+      title: `${p.name} endpoint is failing`,
+      description: p.lastError ?? `${p.consecutiveFailures} consecutive failures on ${p.targetUrl}`,
+      summary: `Live probe ${p.name} has failed ${p.consecutiveFailures} times in a row. Last error: ${p.lastError ?? "unknown"}`,
+      recommendation: "Check the endpoint status before deploying changes that depend on it.",
+      detectedAt: p.lastRunAt ?? void 0
+    });
+  }
+  return findings;
 }
 async function submitCheck(payload, token, apiUrl) {
   const url = `${apiUrl.replace(/\/$/, "")}/api/predeploy/check`;
@@ -878,8 +1150,21 @@ Relion pre-deploy check \u2014 ${scopeLabel}
     }
     spinner.succeed(`${changedFiles.length} changed file${changedFiles.length === 1 ? "" : "s"}`);
     spinner.start("Detecting API dependencies");
-    const detected = detectVendorsInFiles(root, changedFiles);
-    spinner.succeed(detected.length > 0 ? `${detected.length} API vendor${detected.length === 1 ? "" : "s"} detected` : "No vendor APIs detected in changed files");
+    const fromDiff = detectVendorsInFiles(root, changedFiles);
+    const fromManifests = scanProjectManifests(root);
+    const vendorMap = new Map(fromDiff.map((v) => [v.key, v]));
+    for (const v of fromManifests) {
+      if (!vendorMap.has(v.key)) {
+        vendorMap.set(v.key, { ...v, signals: v.signals.map((s) => `[project] ${s}`) });
+      } else {
+        const existing = vendorMap.get(v.key);
+        for (const s of v.signals) {
+          if (!existing.signals.includes(s)) existing.signals.push(`[project] ${s}`);
+        }
+      }
+    }
+    const detected = [...vendorMap.values()];
+    spinner.succeed(detected.length > 0 ? `${detected.length} API vendor${detected.length === 1 ? "" : "s"} detected` : "No vendor APIs detected");
     let findings = [];
     if (!offline && config.token && detected.length > 0) {
       spinner.start("Checking risk against monitored APIs");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "relionhq",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "Relion CLI — pre-deploy API risk detection and monitoring client.",
   "license": "MIT",
   "bin": {