safe-push 0.2.1 → 0.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safe-push",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "description": "Git push safety checker - blocks pushes to forbidden areas",
   "type": "module",
   "bin": {
@@ -9,9 +9,15 @@
   "scripts": {
     "build": "bun build ./src/index.ts --outdir ./dist --target bun",
     "typecheck": "tsc --noEmit",
-    "dev": "bun run ./src/index.ts"
+    "dev": "bun run ./src/index.ts",
+    "generate-schema": "bun run ./scripts/generate-schema.ts"
   },
   "dependencies": {
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.212.0",
+    "@opentelemetry/resources": "^2.5.1",
+    "@opentelemetry/sdk-trace-base": "^2.5.1",
+    "@opentelemetry/semantic-conventions": "^1.39.0",
     "commander": "^12.1.0",
     "jsonc-parser": "^3.3.1",
     "zod": "^3.23.8"
@@ -19,6 +25,7 @@
   "devDependencies": {
     "@types/bun": "latest",
     "@types/node": "^22.10.0",
-    "typescript": "^5.7.2"
+    "typescript": "^5.7.2",
+    "zod-to-json-schema": "^3.25.1"
   }
 }

package/scripts/generate-schema.ts

@@ -0,0 +1,13 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { zodToJsonSchema } from "zod-to-json-schema";
+import { ConfigSchema } from "../src/types";
+
+const jsonSchema = zodToJsonSchema(ConfigSchema, {
+  name: "SafePushConfig",
+  $refStrategy: "none",
+});
+
+const outPath = path.join(import.meta.dirname, "..", "config.schema.json");
+fs.writeFileSync(outPath, JSON.stringify(jsonSchema, null, 2) + "\n", "utf-8");
+console.log(`Generated ${outPath}`);

package/src/checker.ts

@@ -1,11 +1,52 @@
-import type { Config, CheckResult } from "./types";
+import type { Config, CheckResult, RepoVisibility } from "./types";
 import {
   getCurrentBranch,
   isNewBranch,
   getLastCommitAuthorEmail,
   getLocalEmail,
   getDiffFiles,
+  getRepoVisibility,
 } from "./git";
+import { withSpan } from "./telemetry";
+
+/**
+ * Visibility チェック結果
+ */
+export interface VisibilityCheckResult {
+  allowed: boolean;
+  reason: string;
+  visibility: string;
+}
+
+/**
+ * リポジトリの visibility が許可リストに含まれるかチェック
+ * allowedVisibility が未設定または空配列の場合は null を返す（チェック不要）
+ */
+export async function checkVisibility(
+  allowedVisibility?: RepoVisibility[]
+): Promise<VisibilityCheckResult | null> {
+  return withSpan("safe-push.check.visibility", async (span) => {
+    if (!allowedVisibility || allowedVisibility.length === 0) {
+      return null;
+    }
+
+    const visibility = await getRepoVisibility();
+    const allowed = allowedVisibility.includes(visibility as RepoVisibility);
+
+    span.addEvent("visibility.result", {
+      value: visibility,
+      allowed,
+    });
+
+    return {
+      allowed,
+      reason: allowed
+        ? `Repository visibility "${visibility}" is allowed`
+        : `Repository visibility "${visibility}" is not in allowed list: [${allowedVisibility.join(", ")}]`,
+      visibility,
+    };
+  });
+}
 
 /**
  * ファイルパスが禁止パターンにマッチするか判定
@@ -55,58 +96,69 @@ function findForbiddenFiles(
  * (禁止エリア変更なし) AND (新規ブランチ OR 最終コミットが自分)
  */
 export async function checkPush(config: Config): Promise<CheckResult> {
-  const currentBranch = await getCurrentBranch();
-  const newBranch = await isNewBranch();
-  const authorEmail = await getLastCommitAuthorEmail();
-  const localEmail = await getLocalEmail();
-  const diffFiles = await getDiffFiles();
-
-  const forbiddenFiles = findForbiddenFiles(diffFiles, config.forbiddenPaths);
-  const hasForbiddenChanges = forbiddenFiles.length > 0;
-  const isOwnLastCommit =
-    authorEmail.toLowerCase() === localEmail.toLowerCase();
+  return withSpan("safe-push.check.push", async (span) => {
+    const currentBranch = await getCurrentBranch();
+    const newBranch = await isNewBranch();
+    const authorEmail = await getLastCommitAuthorEmail();
+    const localEmail = await getLocalEmail();
+    const diffFiles = await getDiffFiles();
 
-  const details = {
-    isNewBranch: newBranch,
-    isOwnLastCommit,
-    hasForbiddenChanges,
-    forbiddenFiles,
-    currentBranch,
-    authorEmail,
-    localEmail,
-  };
+    const forbiddenFiles = findForbiddenFiles(diffFiles, config.forbiddenPaths);
+    const hasForbiddenChanges = forbiddenFiles.length > 0;
+    const isOwnLastCommit =
+      authorEmail.toLowerCase() === localEmail.toLowerCase();
 
-  // 禁止エリアに変更がある場合は常にブロック
-  if (hasForbiddenChanges) {
-    return {
-      allowed: false,
-      reason: `Forbidden files detected: ${forbiddenFiles.join(", ")}`,
-      details,
+    const details = {
+      isNewBranch: newBranch,
+      isOwnLastCommit,
+      hasForbiddenChanges,
+      forbiddenFiles,
+      currentBranch,
+      authorEmail,
+      localEmail,
     };
-  }
 
-  // 新規ブランチの場合は許可
-  if (newBranch) {
-    return {
-      allowed: true,
-      reason: "New branch - no restrictions",
-      details,
-    };
-  }
+    let result: CheckResult;
 
-  // 最終コミットが自分の場合は許可
-  if (isOwnLastCommit) {
-    return {
-      allowed: true,
-      reason: "Last commit is yours",
-      details,
-    };
-  }
+    // 禁止エリアに変更がある場合は常にブロック
+    if (hasForbiddenChanges) {
+      result = {
+        allowed: false,
+        reason: `Forbidden files detected: ${forbiddenFiles.join(", ")}`,
+        details,
+      };
+    } else if (newBranch) {
+      // 新規ブランチの場合は許可
+      result = {
+        allowed: true,
+        reason: "New branch - no restrictions",
+        details,
+      };
+    } else if (isOwnLastCommit) {
+      // 最終コミットが自分の場合は許可
+      result = {
+        allowed: true,
+        reason: "Last commit is yours",
+        details,
+      };
+    } else {
+      // それ以外はブロック
+      result = {
+        allowed: false,
+        reason: `Last commit is by someone else (${authorEmail})`,
+        details,
+      };
+    }
+
+    span.addEvent("check.result", {
+      allowed: result.allowed,
+      reason: result.reason,
+      isNewBranch: newBranch,
+      isOwnLastCommit,
+      hasForbiddenChanges,
+      forbiddenFileCount: forbiddenFiles.length,
+    });
 
-  // それ以外はブロック
-  return {
-    allowed: false,
-    reason: `Last commit is by someone else (${authorEmail})`,
-    details,
-  };
+    return result;
+  });
 }

package/src/commands/check.ts

@@ -1,8 +1,10 @@
 import { Command } from "commander";
 import { loadConfig } from "../config";
-import { checkPush } from "../checker";
+import { checkPush, checkVisibility } from "../checker";
 import { isGitRepository, hasCommits } from "../git";
 import { printError, printCheckResultJson, printCheckResultHuman } from "./utils";
+import { ExitError } from "../types";
+import { withSpan } from "../telemetry";
 
 /**
  * checkコマンドを作成
@@ -12,34 +14,59 @@ export function createCheckCommand(): Command {
     .description("Check if push is allowed")
     .option("--json", "Output result as JSON")
     .action(async (options: { json?: boolean }) => {
-      try {
+      await withSpan("safe-push.check", async (rootSpan) => {
         // Gitリポジトリ内か確認
         if (!(await isGitRepository())) {
           printError("Not a git repository");
-          process.exit(1);
+          throw new ExitError(1);
         }
 
         // コミットが存在するか確認
         if (!(await hasCommits())) {
           printError("No commits found");
-          process.exit(1);
+          throw new ExitError(1);
         }
 
         const config = loadConfig();
+
+        rootSpan.addEvent("config.loaded", {
+          forbiddenPaths: JSON.stringify(config.forbiddenPaths),
+          onForbidden: config.onForbidden,
+          hasVisibilityRule: !!(config.allowedVisibility && config.allowedVisibility.length > 0),
+        });
+
         const result = await checkPush(config);
 
+        // visibility チェック
+        if (config.allowedVisibility && config.allowedVisibility.length > 0) {
+          try {
+            const visibilityResult = await checkVisibility(config.allowedVisibility);
+            if (visibilityResult) {
+              result.details.repoVisibility = visibilityResult.visibility;
+              result.details.visibilityAllowed = visibilityResult.allowed;
+              if (!visibilityResult.allowed) {
+                result.allowed = false;
+                result.reason = visibilityResult.reason;
+              }
+            }
+          } catch (error) {
+            if (error instanceof ExitError) throw error;
+            result.details.repoVisibility = "unknown";
+            result.details.visibilityAllowed = false;
+            result.allowed = false;
+            result.reason = `Failed to check repository visibility. Ensure 'gh' CLI is installed and authenticated.`;
+          }
+        }
+
         if (options.json) {
           printCheckResultJson(result);
         } else {
           printCheckResultHuman(result);
         }
 
-        process.exit(result.allowed ? 0 : 1);
-      } catch (error) {
-        printError(
-          `Check failed: ${error instanceof Error ? error.message : String(error)}`
-        );
-        process.exit(1);
-      }
+        if (!result.allowed) {
+          throw new ExitError(1);
+        }
+      });
     });
 }

package/src/commands/config.ts

@@ -68,6 +68,9 @@ export function createConfigCommand(): Command {
             `  forbiddenPaths: ${JSON.stringify(configData.forbiddenPaths)}`
           );
           console.log(`  onForbidden: ${configData.onForbidden}`);
+          console.log(
+            `  allowedVisibility: ${configData.allowedVisibility ? JSON.stringify(configData.allowedVisibility) : "(not set - all visibilities allowed)"}`
+          );
           console.log("");
         }
       } catch (error) {

package/src/commands/push.ts

@@ -1,6 +1,6 @@
 import { Command } from "commander";
 import { loadConfig } from "../config";
-import { checkPush } from "../checker";
+import { checkPush, checkVisibility } from "../checker";
 import { isGitRepository, hasCommits, execPush } from "../git";
 import {
   printError,
@@ -9,6 +9,8 @@ import {
   printCheckResultHuman,
   promptConfirm,
 } from "./utils";
+import { ExitError } from "../types";
+import { withSpan } from "../telemetry";
 
 /**
  * pushコマンドを作成
@@ -21,37 +23,63 @@ export function createPushCommand(): Command {
     .allowUnknownOption()
     .action(async (options: { force?: boolean; dryRun?: boolean }, command: Command) => {
       const gitArgs = command.args;
-      try {
+      await withSpan("safe-push.push", async (rootSpan) => {
         // Gitリポジトリ内か確認
         if (!(await isGitRepository())) {
           printError("Not a git repository");
-          process.exit(1);
+          throw new ExitError(1);
         }
 
         // コミットが存在するか確認
         if (!(await hasCommits())) {
           printError("No commits found");
-          process.exit(1);
+          throw new ExitError(1);
         }
 
         const config = loadConfig();
 
+        rootSpan.addEvent("config.loaded", {
+          forbiddenPaths: JSON.stringify(config.forbiddenPaths),
+          onForbidden: config.onForbidden,
+          hasVisibilityRule: !!(config.allowedVisibility && config.allowedVisibility.length > 0),
+        });
+
+        // visibility チェック（--force でもバイパスできない）
+        if (config.allowedVisibility && config.allowedVisibility.length > 0) {
+          try {
+            const visibilityResult = await checkVisibility(config.allowedVisibility);
+            if (visibilityResult && !visibilityResult.allowed) {
+              printError(visibilityResult.reason);
+              throw new ExitError(1);
+            }
+          } catch (error) {
+            if (error instanceof ExitError) throw error;
+            printError(
+              `Failed to check repository visibility. Ensure 'gh' CLI is installed and authenticated.\n  ${error instanceof Error ? error.message : String(error)}`
+            );
+            throw new ExitError(1);
+          }
+        }
+
         // --forceオプションが指定されている場合はチェックをスキップ
         if (options.force) {
           printWarning("Safety checks bypassed with --force");
 
           if (options.dryRun) {
             printSuccess("Dry run: would push (checks bypassed)");
-            process.exit(0);
+            throw new ExitError(0);
           }
 
           const result = await execPush(gitArgs);
           if (result.success) {
+            if (result.output) {
+              console.log(result.output);
+            }
             printSuccess("Push successful");
-            process.exit(0);
+            return;
           } else {
             printError(`Push failed: ${result.output}`);
-            process.exit(1);
+            throw new ExitError(1);
           }
         }
 
@@ -72,45 +100,46 @@ export function createPushCommand(): Command {
             if (confirmed) {
               if (options.dryRun) {
                 printSuccess("Dry run: would push (user confirmed)");
-                process.exit(0);
+                throw new ExitError(0);
               }
 
               const result = await execPush(gitArgs);
               if (result.success) {
+                if (result.output) {
+                  console.log(result.output);
+                }
                 printSuccess("Push successful");
-                process.exit(0);
+                return;
               } else {
                 printError(`Push failed: ${result.output}`);
-                process.exit(1);
+                throw new ExitError(1);
               }
             } else {
               printError("Push cancelled by user");
-              process.exit(1);
+              throw new ExitError(1);
             }
           }
 
-          process.exit(1);
+          throw new ExitError(1);
         }
 
         // チェック通過、pushを実行
         if (options.dryRun) {
           printSuccess("Dry run: would push");
-          process.exit(0);
+          throw new ExitError(0);
         }
 
         const result = await execPush(gitArgs);
         if (result.success) {
+          if (result.output) {
+            console.log(result.output);
+          }
           printSuccess("Push successful");
-          process.exit(0);
+          return;
         } else {
           printError(`Push failed: ${result.output}`);
-          process.exit(1);
+          throw new ExitError(1);
         }
-      } catch (error) {
-        printError(
-          `Push failed: ${error instanceof Error ? error.message : String(error)}`
-        );
-        process.exit(1);
-      }
+      });
     });
 }

package/src/commands/utils.ts

@@ -60,6 +60,13 @@ export function printCheckResultHuman(result: CheckResult): void {
     `  Forbidden changes:   ${details.hasForbiddenChanges ? "Yes" : "No"}`
   );
 
+  if (details.repoVisibility !== undefined) {
+    console.log(`  Repo visibility:     ${details.repoVisibility}`);
+    console.log(
+      `  Visibility allowed:  ${details.visibilityAllowed ? "Yes" : "No"}`
+    );
+  }
+
   if (details.forbiddenFiles.length > 0) {
     console.log("");
     console.log("Forbidden files changed:");

package/src/config.ts

@@ -4,6 +4,9 @@ import * as os from "node:os";
 import * as jsonc from "jsonc-parser";
 import { ConfigSchema, ConfigError, type Config } from "./types";
 
+const CONFIG_SCHEMA_URL =
+  "https://raw.githubusercontent.com/shoppingjaws/safe-push/main/config.schema.json";
+
 /**
  * 設定ファイルのデフォルトパス
  */
@@ -88,11 +91,20 @@ export function saveConfig(config: Config, configPath?: string): void {
     fs.mkdirSync(dir, { recursive: true });
   }
 
+  const allowedVisibilitySection = config.allowedVisibility
+    ? `,\n  // 許可するリポジトリ visibility: "public" | "private" | "internal"\n  "allowedVisibility": ${JSON.stringify(config.allowedVisibility)}`
+    : "";
+
+  const traceSection = config.trace
+    ? `,\n  // トレーシング: "otlp" | "console" （省略で無効）\n  "trace": "${config.trace}"`
+    : "";
+
   const content = `{
+  "$schema": "${CONFIG_SCHEMA_URL}",
   // 禁止エリア（Globパターン）
   "forbiddenPaths": ${JSON.stringify(config.forbiddenPaths, null, 4).replace(/\n/g, "\n  ")},
   // 禁止時の動作: "error" | "prompt"
-  "onForbidden": "${config.onForbidden}"
+  "onForbidden": "${config.onForbidden}"${allowedVisibilitySection}${traceSection}
 }
 `;