invar-tools 1.15.6__py3-none-any.whl → 1.17.0__py3-none-any.whl

invar/core/format_strategies.py

@@ -159,11 +159,13 @@ def text_with_pattern(
     )
     noise_lines = st.lists(noise_line, min_size=0, max_size=10)
 
+    # Note: Hypothesis will automatically explore different orderings of the lines,
+    # so explicit shuffling is unnecessary. The concatenation order is sufficient.
     return st.builds(
         lambda p, n: "\n".join(p + n),
         pattern_lines,
         noise_lines,
-    ).map(lambda x: "\n".join(sorted(x.split("\n"), key=lambda _: __import__("random").random())))
+    )
 
 
 @pre(lambda pattern: len(pattern) > 0)

invar/mcp/handlers.py

@@ -24,6 +24,11 @@ def _validate_path(path: str) -> tuple[bool, str]:
 
     Returns (is_valid, error_message).
     Rejects paths that could be interpreted as shell commands or flags.
+
+    Note: This validation is for MCP (Model Context Protocol) handlers, which
+    are designed to provide AI agents with access to the project filesystem.
+    We validate format and reject shell injection patterns, but do not restrict
+    to working directory (unlike CLI tools) since MCP is a trusted local protocol.
     """
     if not path:
         return True, ""  # Empty path defaults to "." in handlers
@@ -38,9 +43,13 @@ def _validate_path(path: str) -> tuple[bool, str]:
         if char in path:
             return False, f"Invalid path: contains forbidden character: {char!r}"
 
-    # Try to resolve path - this catches malformed paths
+    # Resolve path to canonical form, following symlinks
+    # This ensures path is valid and catches directory traversal attempts
     try:
         Path(path).resolve()
+        # Note: We don't restrict to cwd here because MCP handlers are designed
+        # to access the full project. If path restriction is needed, implement
+        # at the MCP server level, not per-handler.
     except (OSError, ValueError) as e:
         return False, f"Invalid path: {e}"
 

invar/node_tools/.gitignore

@@ -0,0 +1,17 @@
+# Embedded Node.js tools - runtime dependencies
+# These are installed by scripts/embed_node_tools.py
+# Run that script before building or testing
+
+*/node_modules/
+*/package.json
+
+# eslint-plugin is unbundled (entire dist/ directory)
+# All other tools are bundled (single cli.js file)
+eslint-plugin/
+
+# Common generated/temp files
+*.log
+.DS_Store
+.npm/
+npm-debug.log*
+node_modules/.cache/

invar/node_tools/MANIFEST

@@ -2,6 +2,7 @@
 # Auto-generated by scripts/embed_node_tools.py
 # Do not edit manually
 
+eslint-plugin
 fc-runner
 quick-check
 ts-analyzer

invar/node_tools/eslint-plugin/cli.js

@@ -0,0 +1,163 @@
+#!/usr/bin/env node
+/**
+ * CLI for @invar/eslint-plugin
+ *
+ * Runs ESLint with @invar/* rules pre-configured.
+ * Outputs standard ESLint JSON format for integration with guard_ts.py.
+ *
+ * Usage:
+ *   node cli.js [path] [--config=recommended|strict]
+ *
+ * Options:
+ *   path              Project directory to lint (default: current directory)
+ *   --config          Use 'recommended' or 'strict' preset (default: recommended)
+ *   --help            Show help message
+ */
+import { ESLint } from 'eslint';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { statSync, realpathSync } from 'fs';
+import plugin from './index.js';
+// Get directory containing this CLI script (for resolving node_modules)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+function parseArgs(args) {
+    const projectPath = args.find(arg => !arg.startsWith('--')) || '.';
+    const configArg = args.find(arg => arg.startsWith('--config='));
+    const config = configArg?.split('=')[1] === 'strict' ? 'strict' : 'recommended';
+    const help = args.includes('--help') || args.includes('-h');
+    return { projectPath, config, help };
+}
+function printHelp() {
+    console.log(`
+@invar/eslint-plugin - ESLint with Invar-specific rules
+
+Usage:
+  node cli.js [path] [options]
+
+Arguments:
+  path              Project directory to lint (default: current directory)
+
+Options:
+  --config=MODE     Use 'recommended' or 'strict' preset (default: recommended)
+  --help, -h        Show this help message
+
+Examples:
+  node cli.js                           # Lint current directory (recommended mode)
+  node cli.js ./src                     # Lint specific directory
+  node cli.js --config=strict           # Use strict mode (all rules as errors)
+
+Output:
+  JSON format compatible with ESLint's --format=json
+  Exit code 0 if no errors, 1 if errors found
+`);
+}
+async function main() {
+    const args = parseArgs(process.argv.slice(2));
+    if (args.help) {
+        printHelp();
+        process.exit(0);
+    }
+    const projectPath = resolve(args.projectPath);
+    // Validate resolved path is within current working directory
+    // This prevents path traversal attacks via "../../../etc/passwd" patterns
+    // and symlink-based bypasses (e.g., "./symlink_inside/../../../etc/passwd")
+    const cwd = process.cwd();
+    try {
+        // Use realpath to resolve symlinks and prevent bypass attacks
+        const realProjectPath = realpathSync(projectPath);
+        const realCwd = realpathSync(cwd);
+        if (!realProjectPath.startsWith(realCwd)) {
+            console.error(`Error: Project path must be within current directory`);
+            console.error(`  Requested: ${args.projectPath}`);
+            console.error(`  Resolved: ${realProjectPath}`);
+            console.error(`  Working dir: ${realCwd}`);
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        // If realpath fails (path doesn't exist), fall back to string comparison
+        // This allows error messages to be more specific
+        if (!projectPath.startsWith(cwd)) {
+            console.error(`Error: Project path must be within current directory`);
+            console.error(`  Requested: ${args.projectPath}`);
+            console.error(`  Resolved: ${projectPath}`);
+            console.error(`  Working dir: ${cwd}`);
+            process.exit(1);
+        }
+    }
+    try {
+        // Get the rules config for the selected mode
+        const selectedConfig = plugin.configs?.[args.config];
+        if (!selectedConfig || !selectedConfig.rules) {
+            console.error(`Config "${args.config}" not found or invalid`);
+            process.exit(1);
+        }
+        // Create ESLint instance with programmatic configuration
+        // Set cwd to CLI directory so ESLint can find parser in our node_modules
+        const eslint = new ESLint({
+            useEslintrc: false, // Don't load .eslintrc files
+            cwd: __dirname, // Set working directory to CLI location for module resolution
+            baseConfig: {
+                parser: '@typescript-eslint/parser',
+                parserOptions: {
+                    ecmaVersion: 2022,
+                    sourceType: 'module',
+                },
+                plugins: ['@invar'],
+                rules: selectedConfig.rules,
+            },
+            plugins: {
+                '@invar': plugin, // Register our plugin programmatically
+            },
+        }); // Type assertion for ESLint config complexity
+        // Lint the project - detect if path is a file or directory
+        // ESLint defaults to .js only, so we need glob patterns for .ts/.tsx
+        let filesToLint;
+        try {
+            const stats = statSync(projectPath);
+            // Note: Advisory check for optimization - TOCTOU race condition is acceptable
+            // because ESLint will handle file system changes gracefully during actual linting
+            if (stats.isFile()) {
+                // Single file - lint it directly
+                filesToLint = [projectPath];
+            }
+            else if (stats.isDirectory()) {
+                // Directory - use glob patterns for TypeScript files primarily
+                // Note: Focus on TypeScript files as this is a TypeScript Guard tool
+                filesToLint = [
+                    `${projectPath}/**/*.ts`,
+                    `${projectPath}/**/*.tsx`,
+                ];
+            }
+            else {
+                console.error(`Error: Path is neither a file nor a directory: ${projectPath}`);
+                process.exit(1);
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            console.error(`Error: Cannot access path: ${errorMessage}`);
+            process.exit(1);
+        }
+        const results = await eslint.lintFiles(filesToLint);
+        // Output in standard ESLint JSON format (compatible with guard_ts.py)
+        const formatter = await eslint.loadFormatter('json');
+        const resultText = await Promise.resolve(formatter.format(results, {
+            cwd: projectPath,
+            rulesMeta: eslint.getRulesMetaForResults(results),
+        }));
+        console.log(resultText);
+        // Exit with error code if there are errors
+        const hasErrors = results.some(result => result.errorCount > 0);
+        process.exit(hasErrors ? 1 : 0);
+    }
+    catch (error) {
+        // Sanitize error message to avoid leaking file paths or system information
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        console.error(`ESLint failed: ${errorMessage}`);
+        process.exit(1);
+    }
+}
+main();
+//# sourceMappingURL=cli.js.map