repo-trust 0.1.1

A command-line tool that tells you whether an open-source repository deserves your trust — beyond the star count.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

//! Security & Readiness features.
//!
//! Pure functions — no I/O. Computed from
//! [`crate::collectors::security::SecurityRawData`] by [`compute`].

use serde::{Deserialize, Serialize};
use time::OffsetDateTime;

use crate::collectors::security::SecurityRawData;

#[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
pub struct SecurityFeatures {
    /// `None` when Scorecard returned 404.
    pub scorecard_score: Option<f64>,
    /// Days since the Scorecard report was generated (`None` when no Scorecard).
    pub scorecard_age_days: Option<u64>,
    /// Names of Scorecard checks that scored < 5 (or had no data with score == -1).
    pub scorecard_checks_failed: Vec<String>,
    /// OSV count — always 0 in Day 2; Day 3 plugs in real data.
    pub osv_open_advisories: u64,
    pub has_security_md: bool,
    pub has_contributing_md: bool,
    pub has_code_of_conduct: bool,
    pub has_license: bool,
    pub has_codeowners: bool,
    pub has_ci_workflow: bool,
    /// `true` when every release tag matches `vX.Y.Z` or `X.Y.Z`.
    pub semver_consistent: bool,
    pub archived: bool,
}

#[must_use]
pub fn compute(raw: &SecurityRawData, now: OffsetDateTime) -> SecurityFeatures {
    let scorecard_score = raw.scorecard.as_ref().map(|r| r.score);
    let scorecard_age_days = raw
        .scorecard
        .as_ref()
        .map(|r| ((now - r.date).whole_days().max(0)) as u64);
    let scorecard_checks_failed = raw
        .scorecard
        .as_ref()
        .map(|r| {
            r.checks
                .iter()
                .filter(|c| c.score < 5)
                .map(|c| c.name.clone())
                .collect::<Vec<_>>()
        })
        .unwrap_or_default();

    SecurityFeatures {
        scorecard_score,
        scorecard_age_days,
        scorecard_checks_failed,
        osv_open_advisories: raw.osv_advisories.len() as u64,
        has_security_md: raw.has_security_md,
        has_contributing_md: raw.has_contributing_md,
        has_code_of_conduct: raw.has_code_of_conduct,
        has_license: raw.has_license,
        has_codeowners: raw.has_codeowners,
        has_ci_workflow: raw.has_ci_workflow,
        semver_consistent: semver_consistent(&raw.releases),
        archived: raw.archived,
    }
}

/// True when every non-draft release tag matches `vX.Y.Z` or `X.Y.Z`.
/// Returns **false** for repos with zero releases — no track record of
/// semver discipline yet (per `docs/day-5-polish.md` §2 decision A).
/// Scorer assigns the Neutral 50/100 sub-score in that case.
fn semver_consistent(releases: &[crate::api::github::ReleaseMeta]) -> bool {
    let mut any = false;
    for r in releases.iter().filter(|r| !r.draft) {
        any = true;
        if !is_semver_tag(&r.tag_name) {
            return false;
        }
    }
    any
}

fn is_semver_tag(tag: &str) -> bool {
    let trimmed = tag.strip_prefix('v').unwrap_or(tag);
    semver::Version::parse(trimmed).is_ok()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn semver_with_v_prefix_accepted() {
        assert!(is_semver_tag("v1.2.3"));
    }

    #[test]
    fn semver_without_prefix_accepted() {
        assert!(is_semver_tag("1.2.3"));
    }

    #[test]
    fn semver_prerelease_accepted() {
        assert!(is_semver_tag("1.2.3-rc.1"));
    }

    #[test]
    fn non_semver_rejected() {
        assert!(!is_semver_tag("release-2026-01"));
        assert!(!is_semver_tag("foo"));
        assert!(!is_semver_tag("1.2"));
    }
}