npm - sandstream-kit - Versions diffs - 1.8.0 → 1.11.0 - Mend

sandstream-kit 1.8.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/cli.js +80 -5
package/dist/cli.js.map +1 -1
package/dist/config.d.ts +10 -0
package/dist/config.js +8 -1
package/dist/config.js.map +1 -1
package/dist/fix.js +3 -1
package/dist/fix.js.map +1 -1
package/dist/heal.d.ts +7 -0
package/dist/heal.js +45 -5
package/dist/heal.js.map +1 -1
package/dist/install.d.ts +15 -2
package/dist/install.js +18 -2
package/dist/install.js.map +1 -1
package/dist/memory/hook.js +32 -4
package/dist/memory/hook.js.map +1 -1
package/dist/triage-gate.d.ts +51 -0
package/dist/triage-gate.js +96 -0
package/dist/triage-gate.js.map +1 -0
package/dist/triage.d.ts +7 -0
package/dist/triage.js +31 -5
package/dist/triage.js.map +1 -1
package/dist/update-check.d.ts +9 -0
package/dist/update-check.js +35 -2
package/dist/update-check.js.map +1 -1
package/package.json +3 -2
package/skills/triage/SKILL.md +42 -0
package/skills/triage/scripts/triage.py +300 -0

package/dist/cli.js CHANGED Viewed

@@ -87,7 +87,10 @@ async function cmdHeal() {
     console.log(`${c.bold}${c.cyan}kit heal${c.reset}${dryRun ? `${c.dim} (dry-run)${c.reset}` : ""}`);
     console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
     const { runHeal } = await import("./heal.js");
-    const res = await runHeal({ dryRun });
+    // Progress goes to stderr: live feedback for a human watching, without
+    // polluting the machine-readable proposals on stdout (--agent).
+    const res = await runHeal({ dryRun, onProgress: (m) => console.error(`${c.dim}${m}${c.reset}`) });
+    console.log();
     if (dryRun) {
         if (res.plannedSafe.length > 0) {
             console.log(`${c.bold}Would auto-fix (safe):${c.reset}`);
@@ -322,6 +325,25 @@ async function cmdCheck() {
             console.log();
         }
         printSummary(toolResults, serviceResults, secretResults.keys, securityResults);
+        // Surface a stale kit (a newer published version) as a warn — a stale CLI
+        // can carry already-fixed bugs. Gated by [update].check; checkForUpdate
+        // also self-skips in CI and with KIT_NO_UPDATE_CHECK=1, and returns null
+        // when already on latest or the check fails.
+        if (config.update?.check !== false) {
+            const { checkForUpdate } = await import("./update-check.js");
+            const u = await checkForUpdate(KIT_VERSION);
+            if (u) {
+                if (config.update?.auto === true) {
+                    // Opt-in auto-update — still WATERTIGHT: selfUpgrade triages kit's own
+                    // package and installs ONLY on a triage PASS. Never installs on fail.
+                    console.log(`${c.yellow}! kit ${u.current} → ${u.latest} — auto-update on, triaging before install…${c.reset}`);
+                    await selfUpgrade();
+                }
+                else {
+                    console.log(`${c.yellow}! kit ${u.current} → ${u.latest} available${c.reset} ${c.dim}— run ${c.reset}${c.bold}kit upgrade --self${c.reset}${c.dim} (triages before installing)${c.reset}\n`);
+                }
+            }
+        }
         return allOk;
     });
 }
@@ -425,27 +447,46 @@ async function cmdInstall() {
         return true;
     }
     const toolsConfig = config.tools;
+    // WATERTIGHT: kit triages every third-party tool before installing it. The
+    // `--no-triage` override is a deliberate, audited security action — it must
+    // hold a one-shot elevation, or the install is refused.
+    let skipTriage = false;
+    if (hasFlag(process.argv, "--no-triage")) {
+        const elev = await consumeElevation("tools.install.no-triage");
+        if (!elev.ok) {
+            console.error(`${c.red}✗ --no-triage refused: ${elev.reason}${c.reset}`);
+            console.error(`${c.dim}Run 'kit auth elevate --scope tools.install.no-triage' first, or drop --no-triage to let triage run.${c.reset}`);
+            return false;
+        }
+        skipTriage = true;
+        console.log(`${c.yellow}⚠ --no-triage: triage gate bypassed (elevation consumed, audit-logged)${c.reset}`);
+    }
     console.log(`${c.bold}${c.cyan}Installing tools via mise...${c.reset}\n`);
     return await withGovernance(config, {
         operation: "tools.install",
         operationType: "write",
         metadata: {
             tools: Object.keys(toolsConfig),
+            skipTriage,
         },
     }, async () => {
-        const results = await installTools(toolsConfig);
+        const results = await installTools(toolsConfig, undefined, { skipTriage });
         let allOk = true;
         for (const r of results) {
             const icon = r.action === "failed"
                 ? `${c.red}✗${c.reset}`
-                : `${c.green}✓${c.reset}`;
+                : r.action === "blocked"
+                    ? `${c.yellow}⛔${c.reset}`
+                    : `${c.green}✓${c.reset}`;
             const label = r.action === "already_ok"
                 ? `${c.dim}already installed${c.reset}`
                 : r.action === "installed"
                     ? `${c.green}installed${c.reset}`
-                    : `${c.red}failed${c.reset}`;
+                    : r.action === "blocked"
+                        ? `${c.yellow}blocked by triage${c.reset}`
+                        : `${c.red}failed${c.reset}`;
             console.log(`  ${icon} ${r.name}  ${label}  ${c.dim}${r.detail}${c.reset}`);
-            if (r.action === "failed")
+            if (r.action === "failed" || r.action === "blocked")
                 allOk = false;
         }
         console.log();
@@ -1033,9 +1074,43 @@ async function cmdGovernance() {
     console.log();
     return true;
 }
+/**
+ * Governed self-upgrade: kit triages its OWN npm package before installing a new
+ * version of itself. WATERTIGHT — an untriaged kit is never installed; offline /
+ * triage-unavailable → blocked (fail-closed). The raw `npm i -g sandstream-kit`
+ * is still available to the user, but that path is outside kit's governance.
+ */
+async function selfUpgrade() {
+    const { gateInstall } = await import("./triage-gate.js");
+    console.log(`${c.dim}Triaging sandstream-kit before upgrading itself…${c.reset}`);
+    const verdict = await gateInstall("npm:sandstream-kit");
+    if (verdict.decision === "blocked") {
+        console.error(`${c.red}✗ self-upgrade blocked: ${verdict.reason}${c.reset}`);
+        console.error(`${c.dim}kit will not install an untriaged version of itself. Get online with the triage skill installed, then retry.${c.reset}`);
+        return false;
+    }
+    console.log(`${c.green}✓${c.reset} ${verdict.reason} — upgrading…\n`);
+    try {
+        const { exec } = await import("./utils/exec.js");
+        await exec("npm", ["install", "-g", "sandstream-kit@latest"], {
+            timeout: 180_000,
+            env: { ...process.env },
+        });
+        console.log(`\n${c.green}${c.bold}✓ kit upgraded${c.reset} — run ${c.bold}kit --version${c.reset} to confirm.`);
+        return true;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`${c.red}✗ npm install failed: ${msg.split("\n")[0]}${c.reset}`);
+        return false;
+    }
+}
 async function cmdUpgrade() {
     console.log(`${c.bold}${c.cyan}kit upgrade${c.reset}`);
     console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
+    if (hasFlag(process.argv, "--self")) {
+        return await selfUpgrade();
+    }
     const config = await loadConfig(resolveConfigPath());
     // Update skills lock
     const skills = {};