Add corgea deps offline inventory (scan/graph/explain/diff/sbom/policy)#93
Open
juangaitanv wants to merge 13 commits into
Zero-dep bash runner (check/fix/lint/test/audit/coverage/pre-commit/ci/post-edit/setup-hooks/suppressions/install) wrapping cargo + git. ./harness ci is the single source of truth for the strict gate: clippy -D warnings, fmt check, cargo audit, and cargo-llvm-cov tests with a --fail-under-lines floor (13% baseline, will ratchet up as more code ships with tests). GitHub Actions test.yml runs the same gate so cloud CI matches local. AGENTS.md documents the commands. CLAUDE.md and .claude/ are gitignored so personal agent configs stay local.
Reformats per rustfmt and applies clippy lints (needless_return, collapsible_if, eq_ignore_ascii_case, double_ended_iterator_last, print_with_newline, contains_key, needless_late_init, useless_format/vec, borrowed_box, etc.) so ./harness ci's strict clippy gate passes.

Adds unit tests for utils::api::{is_jwt, auth_headers, check_for_warnings} so the coverage gate isn't sitting on 0%.

Pure refactor + tests: no behavior change.
…able Pre-commit now mirrors CI (strict clippy + fmt --check + tests) instead of running autofix, which could rewrite the working tree behind the commit. Drops the unimplemented `install` from harness docs. Extracts `should_warn_deprecated` from `check_for_warnings` so the 299 deprecation contract is covered by tests; deleting the branch now fails the suite.
Offline dependency inventory for npm, Python, and Java: detects manifests and lockfiles, builds the resolved graph, and evaluates a pinning policy (DEP rules) with table/JSON/SARIF/CycloneDX output. Fully offline — no token or network. Carved out of #89 as chunk2 (stacks on the chunk1 harness branch). Excludes the network surface deferred to chunk3: `deps verify`, registry freshness, --check-cve / vuln-api, the vuln-api-stub binary, and the npm/pip/etc. install wrappers. Wires `corgea deps <subcommand>` into main.rs with no auth/token check. Adds 83 unit + integration tests; overall line coverage 13% -> 36%.
Summary
Chunk 2 of the dependency tooling split (#89). Stacked on #92 (chunk1/harness) — review/merge that first; base will retarget to `main` once #92 lands.

Adds the fully offline `corgea deps` inventory surface for npm, Python, and Java: `scan`, `graph`, `explain`, `diff`, `sbom`, `policy`. Wires `corgea deps <subcommand>` into `main.rs` with no auth/token check.

Out of scope (chunk 3)
The network surface stays deferred: `deps verify`, registry freshness, `--check-cve` / vuln-api client, the vuln-api-stub binary, and the npm/pip/etc. install wrappers.

Coverage
83 unit + integration tests. Overall line coverage 13% → 36% (well above the 13% floor from chunk 1).

Test plan
main.
- `./harness ci` passes (clippy strict, fmt, tests + coverage)
- `corgea deps scan/graph/explain/diff/sbom/policy` run with no token or config present
- `deps` subcommand

Demo
https://corgea-cli-deps.vercel.app/
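The pinning-policy step the summary describes (read a manifest, classify each dependency's constraint, emit a finding per DEP rule), as an added Rust example written for this page rather than taken from the corgea codebase. The rule ids DEP001/DEP002, the requirements.txt subset it parses, and the `Finding` shape are assumptions, not the project's real DEP rules or output format.

```rust
// Added illustration of a pinning-policy check over a requirements.txt, written
// for this page: not corgea's own code, and DEP001/DEP002 are placeholder rule ids.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub rule: &'static str,
    pub package: String,
    pub spec: String,
}

/// Drop comments, blank lines and pip options (-r, -e, --index-url ...).
/// A `#` anywhere is treated as a comment; URL fragments are not handled.
fn requirement_text(line: &str) -> Option<&str> {
    let text = line.split('#').next().unwrap_or("").trim();
    if text.is_empty() || text.starts_with('-') { None } else { Some(text) }
}

/// Split "Name[extras] <spec> ; marker" into (normalized name, spec).
fn split_requirement(req: &str) -> (String, String) {
    let req = req.split(';').next().unwrap_or("").trim();
    let idx = req.find(|c: char| "=<>!~@".contains(c)).unwrap_or(req.len());
    let name = req[..idx].split('[').next().unwrap_or("").trim().to_lowercase();
    (name, req[idx..].trim().to_string())
}

/// DEP001: no version constraint at all. DEP002: a constraint that is not a
/// single exact pin (ranges, wildcards, `~=`, direct `@` references).
pub fn evaluate_pinning(requirements: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for line in requirements.lines() {
        let req = match requirement_text(line) { Some(r) => r, None => continue };
        let (name, spec) = split_requirement(req);
        if name.is_empty() { continue; }
        let exact = spec.starts_with("==") && !spec.contains('*') && !spec.contains(',');
        let rule = if spec.is_empty() { "DEP001" } else if exact { continue } else { "DEP002" };
        findings.push(Finding { rule, package: name, spec });
    }
    findings
}

fn main() {
    // Constructed sample input, not from any real project.
    let sample = "requests==2.31.0\nflask>=2.0,<3\nnumpy  # unpinned\n";
    for f in evaluate_pinning(sample) {
        println!("{} {} {:?}", f.rule, f.package, f.spec);
    }
}
```

A real policy engine would run the same classification over the resolved lockfile graph rather than the top-level manifest, so transitive dependencies are covered too.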