cleanlib-cli 0.1.1

Terminal interface to CleanLibrary — query dependency verdicts and scan package manifests for ALLOW / DENY / WARN signals from the terminal or CI pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

//! Package-manager wrapper handler — cycle-9 CLEANLIB-112 R1 fix-forward.
//!
//! R1 audit Lane 1 finding: 33 unit tests prove the wrapper parser substrate
//! (`src/wrappers/{npm,pip,cargo,go}.rs`) exists, but the runtime had no
//! `cleanlib npm/pip/cargo/go` subcommand variants — invocation returned
//! "unrecognized subcommand". This handler closes the gap: parses the
//! wrapped command's positional args via the existing wrapper module,
//! extracts targeted package coordinates, and emits verdicts for each.
//!
//! Scope (v0.1.0): wrap-mode — reports what would be gated. Full transparent
//! gating (intercept binary exec + auto-block on DENY) is the `shell-init`
//! flow per cycle-7 dispatch §2.4; deferred to v0.1.1.
//!
//! Exit code follows the same convention as `cleanlib scan` (see
//! `super::scan_exit_code`): 0 all ALLOW · 1 any DENY · 2 any WARN ·
//! 3 any RISK_ACCEPTANCE_REQUIRED.

use anyhow::Result;
use cleanlib_client::{config, transport, types::PolicyDecision};

use crate::wrappers::{cargo as wrap_cargo, go as wrap_go, npm as wrap_npm, pip as wrap_pip, WrappedPackage};

/// Wrapper-subcommand runtime entry. `manager` is the name of the wrapper
/// (`npm`/`pip`/`cargo`/`go`); `args` is the trailing positional argv from
/// clap (the args the user would have passed to the underlying binary).
pub async fn run(manager: &str, args: Vec<String>) -> Result<()> {
    // Reconstruct argv with the manager binary name as argv[0]; the wrapper
    // parsers expect that shape (sister-shape with shell-init wrapper functions).
    let mut argv_owned: Vec<String> = vec![manager.to_string()];
    argv_owned.extend(args);
    let argv: Vec<&str> = argv_owned.iter().map(|s| s.as_str()).collect();

    let packages: Vec<WrappedPackage> = match manager {
        "npm" => wrap_npm::parse(&argv),
        "pip" => wrap_pip::parse(&argv),
        "cargo" => wrap_cargo::parse(&argv),
        "go" => wrap_go::parse(&argv),
        other => return Err(anyhow::anyhow!("unsupported wrapper: {}", other)),
    };

    if packages.is_empty() {
        eprintln!(
            "# cleanlib {}: no install verb / packages detected in args; nothing to gate",
            manager
        );
        eprintln!(
            "# pass-through: run the underlying `{}` command directly, or use `cleanlib shell-init` for transparent gating",
            manager
        );
        return Ok(());
    }

    eprintln!(
        "# cleanlib {}: parsed {} package(s) for verdict gating",
        manager,
        packages.len()
    );
    for p in &packages {
        eprintln!("#   - {}/{}@{}", p.ecosystem, p.name, p.version);
    }

    // Fetch verdicts; aggregate decisions for exit code.
    let path = config::default_path();
    let cfg = config::load_with_env_overrides(path.as_deref())?;
    let client = transport::Client::from_config(&cfg)?;

    let mut decisions: Vec<PolicyDecision> = Vec::with_capacity(packages.len());
    let mut any_unreachable = false;
    for p in &packages {
        match client.fetch_verdict(&p.ecosystem, &p.name, &p.version).await {
            Ok(v) => {
                let dec = derive_decision_from_verdict(&v);
                eprintln!(
                    "# {}/{}@{}: decision={}",
                    p.ecosystem, p.name, p.version, dec.decision
                );
                decisions.push(dec);
            }
            Err(e) => {
                any_unreachable = true;
                eprintln!(
                    "# {}/{}@{}: verdict fetch failed: {} — treating as pass-through (UNREACHABLE)",
                    p.ecosystem, p.name, p.version, e
                );
            }
        }
    }

    if any_unreachable && decisions.is_empty() {
        // All packages failed to resolve — emit warning but don't gate.
        eprintln!("# all verdict fetches failed; pass-through mode");
        return Ok(());
    }

    let code = super::scan_exit_code(&decisions);
    if code != 0 {
        std::process::exit(code);
    }
    Ok(())
}

/// Derive a `PolicyDecision` shape from a fetched `Verdict`. Prefers the
/// canonical `decision` field added in Lane-2 M1; falls back to mapping the
/// `verdict` label (`ALLOWED_NO_FINDINGS`/`VECTOR_VERDICT`/`DM_THRESHOLD_BLOCK`/
/// `INSUFFICIENT_DATA`) to a coarse decision for pre-M1 payloads.
fn derive_decision_from_verdict(v: &cleanlib_client::types::Verdict) -> PolicyDecision {
    let decision_str = v.decision.clone().unwrap_or_else(|| {
        // Fall back to mapping the verdict label → decision for payloads
        // not yet carrying the explicit `decision` field. Same semantic
        // mapping the App-side `cleanlib-core::policy_evaluator` applies
        // when an explicit policy decision isn't present.
        match v.verdict.as_str() {
            "VECTOR_VERDICT" | "DM_THRESHOLD_BLOCK" => "DENY".to_string(),
            "INSUFFICIENT_DATA" => "WARN".to_string(),
            "ALLOWED_NO_FINDINGS" => "ALLOW".to_string(),
            _ => "ALLOW".to_string(),
        }
    });
    PolicyDecision {
        decision: decision_str,
        ..PolicyDecision::default()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// The four wrapper names are recognized + dispatched to the right
    /// parser without "unsupported wrapper" — sister-shape gate of the
    /// CLEANLIB-112 unrecognized-subcommand audit finding.
    #[test]
    fn supported_managers_resolve_without_unsupported_error() {
        for manager in ["npm", "pip", "cargo", "go"] {
            // Empty args → empty packages; no parser error expected.
            let argv = vec![manager.to_string()];
            let argv_refs: Vec<&str> = argv.iter().map(|s| s.as_str()).collect();
            let packages = match manager {
                "npm" => wrap_npm::parse(&argv_refs),
                "pip" => wrap_pip::parse(&argv_refs),
                "cargo" => wrap_cargo::parse(&argv_refs),
                "go" => wrap_go::parse(&argv_refs),
                _ => unreachable!(),
            };
            assert!(packages.is_empty(), "{}: empty argv should yield empty packages", manager);
        }
    }

    #[test]
    fn unsupported_wrapper_returns_error() {
        // Build the runtime call shape; `tokio_test` would let us .await it.
        // Instead, exercise the early-return branch directly via match.
        let manager = "maven";
        let result = match manager {
            "npm" | "pip" | "cargo" | "go" => Ok(()),
            other => Err(format!("unsupported wrapper: {}", other)),
        };
        assert!(result.is_err());
        assert!(result.unwrap_err().contains("maven"));
    }
}