sentinelayer-cli 0.8.10 → 0.8.12

package/src/legacy-cli.js

@@ -1237,7 +1237,10 @@ async function runLocalOmarGateCommand(args) {
         deterministic: {
           summary: detSummary,
           findings: detFindings,
+          scope: deterministic.scope || {},
+          layers: deterministic.layers || {},
           metadata: deterministic.metadata || {},
+          artifacts: deterministic.artifacts || {},
         },
         onEvent: streamHandler,
         includeOnly: includeOnly.length > 0 ? includeOnly : null,
@@ -1331,6 +1334,7 @@ async function runLocalOmarGateCommand(args) {
   const combinedP1 = combinedSummary.P1 || 0;
   const combinedP2 = combinedSummary.P2 || 0;
   const combinedP3 = combinedSummary.P3 || 0;
+  const omargateRunId = orchestratorResult?.runId || deterministic.runId;
 
   // Write per-phase artifacts alongside REVIEW_DETERMINISTIC so post-mortems
   // can inspect exactly what each layer contributed.
@@ -1376,6 +1380,7 @@ async function runLocalOmarGateCommand(args) {
   const report = `# Local Omar Gate Deep Scan
 
 Generated: ${nowIso()}
+Run ID: ${omargateRunId}
 Target: ${targetPath}
 Elapsed: ${totalElapsed}
 
@@ -1395,12 +1400,24 @@ ${formatFindingsMarkdown(allFindings)}
   const reportPath = await writeLocalCommandReport(targetPath, "omargate-deep", report, {
     outputDir: outputDirArg,
   });
+  const { writeOmarGateDeterministicCache } = await import("./review/omargate-cache.js");
+  const deterministicCache = await writeOmarGateDeterministicCache({
+    targetPath,
+    outputDir: outputDirArg,
+    runId: omargateRunId,
+    deterministic,
+    reportPath,
+  });
+  artifactPaths.deterministicCache = deterministicCache.artifactPath;
+  artifactPaths.latestOmarGate = deterministicCache.latestPath;
+
   if (asJson) {
     console.log(
       JSON.stringify(
         {
           command: "/omargate deep",
           targetPath,
+          runId: omargateRunId,
           reportPath,
           scannedFiles,
           p0: combinedP0,
@@ -1457,6 +1474,7 @@ async function runLocalAuditCommand(args) {
   const asJson = hasCommandOption(args, "--json");
   const pathArg = getCommandOptionValue(args, "--path") || ".";
   const outputDirArg = getCommandOptionValue(args, "--output-dir") || "";
+  const reuseOmarGate = getCommandOptionValue(args, "--reuse-omargate") || "";
   const targetPath = path.resolve(process.cwd(), pathArg);
   if (!fs.existsSync(targetPath) || !fs.statSync(targetPath).isDirectory()) {
     throw new Error(`Invalid --path target: ${targetPath}`);
@@ -1467,6 +1485,16 @@ async function runLocalAuditCommand(args) {
     printInfo(`Target: ${targetPath}`);
   }
 
+  const buildScanFromOmarGateCache = (cache) => {
+    const findings = Array.isArray(cache?.findings) ? cache.findings : [];
+    return {
+      scannedFiles: Number(cache?.scope?.scannedFiles || findings.length || 0),
+      findings,
+      p1: findings.filter((item) => item.severity === "P1").length,
+      p2: findings.filter((item) => item.severity === "P2").length,
+    };
+  };
+
   const requiredChecks = [
     {
       key: ".github/workflows/omar-gate.yml",
@@ -1488,7 +1516,44 @@ async function runLocalAuditCommand(args) {
     },
   ];
 
-  const scan = await runCredentialScan(targetPath);
+  let omargateReuse = {
+    requested: reuseOmarGate || "",
+    used: false,
+    runId: "",
+    artifactPath: "",
+    reason: reuseOmarGate ? "not_found" : "not_requested",
+  };
+  let scan = null;
+  if (reuseOmarGate) {
+    const { loadOmarGateDeterministicCache } = await import("./review/omargate-cache.js");
+    const reused = await loadOmarGateDeterministicCache({
+      targetPath,
+      outputDir: outputDirArg,
+      runIdOrLatest: reuseOmarGate,
+    });
+    if (reused.found) {
+      scan = buildScanFromOmarGateCache(reused.cache);
+      omargateReuse = {
+        requested: reuseOmarGate,
+        used: true,
+        runId: reused.runId,
+        deterministicRunId: reused.cache?.deterministicRunId || "",
+        artifactPath: reused.artifactPath,
+        reason: "",
+      };
+    } else {
+      omargateReuse = {
+        requested: reuseOmarGate,
+        used: false,
+        runId: "",
+        artifactPath: "",
+        reason: reused.reason || "not_found",
+      };
+    }
+  }
+  if (!scan) {
+    scan = await runCredentialScan(targetPath);
+  }
   const failedP1Checks = requiredChecks.filter((item) => !item.ok && item.severity === "P1").length;
   const failedP2Checks = requiredChecks.filter((item) => !item.ok && item.severity === "P2").length;
   const totalP1 = scan.p1 + failedP1Checks;
@@ -1506,11 +1571,13 @@ async function runLocalAuditCommand(args) {
 Generated: ${nowIso()}
 Target: ${targetPath}
 Overall status: ${overallStatus}
+OmarGate reuse: ${omargateReuse.used ? `yes (${omargateReuse.runId})` : omargateReuse.requested ? `requested ${omargateReuse.requested} (${omargateReuse.reason})` : "no"}
 
 Readiness checks:
 ${checkText}
 
 Scan summary:
+- Reused OmarGate run: ${omargateReuse.used ? omargateReuse.runId : "n/a"}
 - Files scanned: ${scan.scannedFiles}
 - P1 findings: ${scan.p1}
 - P2 findings: ${scan.p2}
@@ -1536,6 +1603,9 @@ ${formatFindingsMarkdown(scan.findings)}
           p1Total: totalP1,
           p2Total: totalP2,
           blocking: totalP1 > 0,
+          omargateReuse,
+          reusedOmarGateRunId: omargateReuse.used ? omargateReuse.runId : "",
+          reusedOmarGateDeterministicPath: omargateReuse.used ? omargateReuse.artifactPath : "",
         },
         null,
         2
@@ -1543,6 +1613,11 @@ ${formatFindingsMarkdown(scan.findings)}
     );
   } else {
     console.log(pc.cyan(`Report: ${reportPath}`));
+    if (omargateReuse.used) {
+      console.log(pc.gray(`Reused OmarGate run: ${omargateReuse.runId}`));
+    } else if (omargateReuse.requested) {
+      console.log(pc.gray(`OmarGate reuse unavailable: ${omargateReuse.reason}`));
+    }
     console.log(`Overall status: ${overallStatus}`);
     console.log(`P1 total: ${totalP1}`);
     console.log(`P2 total: ${totalP2}`);

package/src/review/omargate-cache.js

@@ -0,0 +1,285 @@
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { resolveOutputRoot } from "../config/service.js";
+
+const CACHE_SCHEMA_VERSION = "1.0.0";
+const CACHE_KIND = "omargate-deterministic-cache";
+const LATEST_INDEX_NAME = "latest-omargate.json";
+
+function normalizeString(value) {
+  return String(value || "").trim();
+}
+
+function normalizeTargetPath(value) {
+  return path.resolve(String(value || "."));
+}
+
+function normalizeSummary(value = {}) {
+  const summary = value && typeof value === "object" ? value : {};
+  const P0 = Math.max(0, Math.floor(Number(summary.P0 || 0)));
+  const P1 = Math.max(0, Math.floor(Number(summary.P1 || 0)));
+  const P2 = Math.max(0, Math.floor(Number(summary.P2 || 0)));
+  const P3 = Math.max(0, Math.floor(Number(summary.P3 || 0)));
+  return {
+    P0,
+    P1,
+    P2,
+    P3,
+    blocking: summary.blocking === undefined ? P0 > 0 || P1 > 0 : Boolean(summary.blocking),
+  };
+}
+
+function sanitizeRunId(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return "";
+  }
+  return normalized.replace(/[^A-Za-z0-9._-]/g, "-").replace(/^-+|-+$/g, "");
+}
+
+function isSafeRequestedRunId(requested, sanitized) {
+  return Boolean(requested) && requested === sanitized && sanitized !== "." && sanitized !== "..";
+}
+
+function deterministicCachePath(outputRoot, runId) {
+  return path.join(outputRoot, "runs", runId, "deterministic.json");
+}
+
+async function readJsonFile(filePath) {
+  const content = await fsp.readFile(filePath, "utf-8");
+  return JSON.parse(content);
+}
+
+function isCacheForTarget(cache, normalizedTargetPath) {
+  const cacheTarget = normalizeString(cache?.targetPath);
+  if (!cacheTarget) {
+    return false;
+  }
+  return path.resolve(cacheTarget) === normalizedTargetPath;
+}
+
+function buildMissingResult({ outputRoot, requested = "latest", reason = "not_found" } = {}) {
+  return {
+    found: false,
+    requested,
+    reason,
+    outputRoot,
+  };
+}
+
+async function loadCacheFile({ filePath, outputRoot, requested, normalizedTargetPath }) {
+  let cache;
+  try {
+    cache = await readJsonFile(filePath);
+  } catch {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "malformed_or_missing_cache",
+    });
+  }
+
+  if (cache?.kind !== CACHE_KIND) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "invalid_cache_kind",
+    });
+  }
+  if (!isCacheForTarget(cache, normalizedTargetPath)) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "target_mismatch",
+    });
+  }
+
+  return {
+    found: true,
+    requested,
+    runId: normalizeString(cache.runId),
+    artifactPath: filePath,
+    outputRoot,
+    cache,
+  };
+}
+
+async function loadLatestFromIndex({ outputRoot, normalizedTargetPath }) {
+  const latestPath = path.join(outputRoot, "runs", LATEST_INDEX_NAME);
+  let index;
+  try {
+    index = await readJsonFile(latestPath);
+  } catch {
+    return null;
+  }
+
+  const runId = sanitizeRunId(index?.runId);
+  if (!runId || !isCacheForTarget(index, normalizedTargetPath)) {
+    return null;
+  }
+  const artifactPath = normalizeString(index.artifactPath) || deterministicCachePath(outputRoot, runId);
+  const loaded = await loadCacheFile({
+    filePath: artifactPath,
+    outputRoot,
+    requested: "latest",
+    normalizedTargetPath,
+  });
+  return loaded.found ? loaded : null;
+}
+
+async function loadLatestByScanning({ outputRoot, normalizedTargetPath }) {
+  const runsDir = path.join(outputRoot, "runs");
+  let entries = [];
+  try {
+    entries = await fsp.readdir(runsDir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+
+  const candidates = [];
+  for (const entry of entries) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    const runId = sanitizeRunId(entry.name);
+    if (!isSafeRequestedRunId(entry.name, runId)) {
+      continue;
+    }
+    const artifactPath = deterministicCachePath(outputRoot, runId);
+    try {
+      const stat = await fsp.stat(artifactPath);
+      candidates.push({ runId, artifactPath, mtimeMs: Number(stat.mtimeMs || 0) });
+    } catch {
+      // Ignore incomplete run directories.
+    }
+  }
+
+  candidates.sort((left, right) => right.mtimeMs - left.mtimeMs);
+  for (const candidate of candidates) {
+    const loaded = await loadCacheFile({
+      filePath: candidate.artifactPath,
+      outputRoot,
+      requested: "latest",
+      normalizedTargetPath,
+    });
+    if (loaded.found) {
+      return loaded;
+    }
+  }
+  return null;
+}
+
+export async function writeOmarGateDeterministicCache({
+  targetPath,
+  outputDir = "",
+  runId,
+  deterministic = {},
+  reportPath = "",
+} = {}) {
+  const normalizedTargetPath = normalizeTargetPath(targetPath);
+  const outputRoot = await resolveOutputRoot({
+    cwd: normalizedTargetPath,
+    outputDirOverride: outputDir,
+    env: process.env,
+  });
+  const normalizedRunId = sanitizeRunId(runId || deterministic?.runId);
+  if (!normalizedRunId) {
+    throw new Error("OmarGate deterministic cache requires a runId.");
+  }
+
+  const runDirectory = path.join(outputRoot, "runs", normalizedRunId);
+  const artifactPath = path.join(runDirectory, "deterministic.json");
+  const latestPath = path.join(outputRoot, "runs", LATEST_INDEX_NAME);
+  await fsp.mkdir(runDirectory, { recursive: true });
+
+  const cache = {
+    schemaVersion: CACHE_SCHEMA_VERSION,
+    kind: CACHE_KIND,
+    runId: normalizedRunId,
+    targetPath: normalizedTargetPath,
+    generatedAt: new Date().toISOString(),
+    deterministicRunId: normalizeString(deterministic?.runId),
+    mode: normalizeString(deterministic?.mode) || "full",
+    summary: normalizeSummary(deterministic?.summary),
+    findings: Array.isArray(deterministic?.findings) ? deterministic.findings : [],
+    scope: deterministic?.scope && typeof deterministic.scope === "object" ? deterministic.scope : {},
+    layers: deterministic?.layers && typeof deterministic.layers === "object" ? deterministic.layers : {},
+    metadata: deterministic?.metadata && typeof deterministic.metadata === "object" ? deterministic.metadata : {},
+    artifacts: deterministic?.artifacts && typeof deterministic.artifacts === "object" ? deterministic.artifacts : {},
+    source: {
+      command: "/omargate deep",
+      reportPath: normalizeString(reportPath),
+    },
+  };
+  await fsp.writeFile(artifactPath, `${JSON.stringify(cache, null, 2)}\n`, "utf-8");
+  await fsp.writeFile(
+    latestPath,
+    `${JSON.stringify(
+      {
+        schemaVersion: CACHE_SCHEMA_VERSION,
+        kind: "omargate-latest-index",
+        runId: normalizedRunId,
+        targetPath: normalizedTargetPath,
+        artifactPath,
+        updatedAt: cache.generatedAt,
+      },
+      null,
+      2
+    )}\n`,
+    "utf-8"
+  );
+
+  return {
+    runId: normalizedRunId,
+    outputRoot,
+    runDirectory,
+    artifactPath,
+    latestPath,
+    cache,
+  };
+}
+
+export async function loadOmarGateDeterministicCache({
+  targetPath,
+  outputDir = "",
+  runIdOrLatest = "latest",
+} = {}) {
+  const normalizedTargetPath = normalizeTargetPath(targetPath);
+  const outputRoot = await resolveOutputRoot({
+    cwd: normalizedTargetPath,
+    outputDirOverride: outputDir,
+    env: process.env,
+  });
+  const requested = normalizeString(runIdOrLatest) || "latest";
+
+  if (requested.toLowerCase() === "latest") {
+    const latestFromIndex = await loadLatestFromIndex({
+      outputRoot,
+      normalizedTargetPath,
+    });
+    if (latestFromIndex) {
+      return latestFromIndex;
+    }
+    const latestFromScan = await loadLatestByScanning({
+      outputRoot,
+      normalizedTargetPath,
+    });
+    return latestFromScan || buildMissingResult({ outputRoot, requested, reason: "not_found" });
+  }
+
+  const runId = sanitizeRunId(requested);
+  if (!isSafeRequestedRunId(requested, runId)) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "invalid_run_id",
+    });
+  }
+  return loadCacheFile({
+    filePath: deterministicCachePath(outputRoot, runId),
+    outputRoot,
+    requested,
+    normalizedTargetPath,
+  });
+}