From 8fe50a213620296460be213d14824ef6b6b04faa Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 30 May 2026 22:04:54 +0100
Subject: [PATCH] build: classify release dependency ownership
Classify release dependency ownership metadata so release evidence no longer reports current root dependencies as missing ownership metadata. Also recognizes command-explainer package-file lookups for tree-sitter-bash. Verification: jq empty scripts/lib/dependency-ownership.json; node scripts/dependency-ownership-surface-report.mjs --check; node scripts/root-dependency-ownership-audit.mjs --check; targeted Vitest for root dependency ownership and ownership surface reports; git diff --check; autoreview clean; PR CI green including Real behavior proof.
---
 scripts/lib/dependency-ownership.json | 115 ++++++++++++++++++
 scripts/root-dependency-ownership-audit.mjs | 10 ++
 .../root-dependency-ownership-audit.test.ts | 3 +-
 3 files changed, 127 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/dependency-ownership.json b/scripts/lib/dependency-ownership.json
index a8ca995aa95..1cbce6dc997 100644
--- a/scripts/lib/dependency-ownership.json
+++ b/scripts/lib/dependency-ownership.json
@@ -6,6 +6,16 @@
 "class": "core-runtime",
 "risk": ["protocol-client"]
 },
+ "@anthropic-ai/sdk": {
+ "owner": "provider:anthropic",
+ "class": "default-runtime-initially",
+ "risk": ["provider-sdk", "network"]
+ },
+ "@clack/core": {
+ "owner": "core:cli",
+ "class": "core-runtime",
+ "risk": ["interactive-cli"]
+ },
 "@clack/prompts": {
 "owner": "core:cli",
 "class": "core-runtime",
@@ -21,6 +31,26 @@
 "class": "tui-runtime",
 "risk": ["tui-runtime"]
 },
+ "@google/genai": {
+ "owner": "provider:google",
+ "class": "default-runtime-initially",
+ "risk": ["provider-sdk", "network", "realtime"]
+ },
+ "@grammyjs/runner": {
+ "owner": "plugin:telegram",
+ "class": "plugin-runtime",
+ "risk": ["telegram-bot-api", "polling"]
+ },
+ "@grammyjs/transformer-throttler": {
+ "owner": "plugin:telegram",
+ "class": "plugin-runtime",
+ "risk": ["telegram-bot-api", "rate-limiting"]
+ },
+ "@homebridge/ciao": {
+ "owner": "plugin:bonjour",
+ "class": "plugin-runtime",
+ "risk": ["mdns", "network"]
+ },
 "@modelcontextprotocol/sdk": {
 "owner": "core:mcp",
 "class": "core-runtime",
@@ -32,6 +62,16 @@
 "activation": ["tools.web.fetch.readability", "plugins.entries.web-readability.enabled"],
 "risk": ["parser", "untrusted-html"]
 },
+ "@mistralai/mistralai": {
+ "owner": "provider:mistral",
+ "class": "default-runtime-initially",
+ "risk": ["provider-sdk", "network"]
+ },
+ "@openclaw/fs-safe": {
+ "owner": "core:filesystem-safety",
+ "class": "core-runtime",
+ "risk": ["filesystem", "path-safety"]
+ },
 "chalk": {
 "owner": "core:cli",
 "class": "core-runtime",
@@ -47,11 +87,21 @@
 "class": "core-runtime",
 "risk": ["cli-parser"]
 },
+ "cross-spawn": {
+ "owner": "core:child-process",
+ "class": "core-runtime",
+ "risk": ["process-spawn"]
+ },
 "croner": {
 "owner": "core:scheduler",
 "class": "core-runtime",
 "risk": ["scheduler"]
 },
+ "diff": {
+ "owner": "core:agent-editing",
+ "class": "core-runtime",
+ "risk": ["diff"]
+ },
 "dotenv": {
 "owner": "core:config",
 "class": "core-runtime",
@@ -67,6 +117,31 @@
 "class": "core-runtime",
 "risk": ["file-sniffing", "untrusted-files"]
 },
+ "glob": {
+ "owner": "core:package-manager",
+ "class": "core-runtime",
+ "risk": ["filesystem-glob"]
+ },
+ "grammy": {
+ "owner": "plugin:telegram",
+ "class": "plugin-runtime",
+ "risk": ["telegram-bot-api", "network"]
+ },
+ "highlight.js": {
+ "owner": "core:syntax-highlighting",
+ "class": "core-runtime",
+ "risk": ["syntax-highlighting"]
+ },
+ "hosted-git-info": {
+ "owner": "core:git-utils",
+ "class": "core-runtime",
+ "risk": ["git-metadata-parser"]
+ },
+ "ignore": {
+ "owner": "core:gitignore-matching",
+ "class": "core-runtime",
+ "risk": ["pattern-matching"]
+ },
 "@openclaw/proxyline": {
 "owner": "core:proxy",
 "class": "core-runtime",
@@ -103,16 +178,41 @@
 "class": "core-runtime",
 "risk": ["parser", "markdown"]
 },
+ "minimatch": {
+ "owner": "core:pattern-matching",
+ "class": "core-runtime",
+ "risk": ["pattern-matching"]
+ },
+ "node-edge-tts": {
+ "owner": "plugin:microsoft",
+ "class": "plugin-runtime",
+ "risk": ["tts", "network"]
+ },
 "openai": {
 "owner": "provider:openai",
 "class": "default-runtime-initially",
 "risk": ["provider-sdk", "network"]
 },
+ "partial-json": {
+ "owner": "core:llm-json-parsing",
+ "class": "core-runtime",
+ "risk": ["streaming-json-parser"]
+ },
 "playwright-core": {
 "owner": "core:browser",
 "class": "core-runtime",
 "risk": ["browser-automation", "cdp"]
 },
+ "proper-lockfile": {
+ "owner": "core:session-storage",
+ "class": "core-runtime",
+ "risk": ["filesystem-locking"]
+ },
+ "quickjs-wasi": {
+ "owner": "core:code-mode",
+ "class": "core-runtime",
+ "risk": ["wasm", "sandboxed-js"]
+ },
 "clawpdf": {
 "owner": "plugin:document-extract",
 "class": "plugin-runtime",
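Review bot: Two of the new entries parse externally influenced input but carry no `untrusted-*` qualifier, unlike the other entries that do (`untrusted-html`, `untrusted-files`, and `untrusted-shell` on the tree-sitter entries in this commit). `partial-json` (owner `core:llm-json-parsing`, hunk `-103,16`) presumably parses model output, and `hosted-git-info` (hunk `-67,6`) presumably parses repository URLs or metadata; both get only a descriptive tag. If release evidence or reviews filter on the `untrusted-*` tags (not visible in this diff), these parsers would be missed. A suggested form is `"risk": ["streaming-json-parser", "untrusted-model-output"]`, where the second tag is a proposal and not an existing value. Separately, `minimatch` and `ignore` use `pattern-matching` while `glob` uses `filesystem-glob`; a shared tag would make pattern-handling dependencies easier to query together.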
@@ -139,11 +239,21 @@ "class": "core-runtime", "risk": ["archive-parser", "untrusted-files"] }, + "tree-sitter-bash": { + "owner": "core:command-explainer", + "class": "core-runtime", + "risk": ["wasm", "parser", "untrusted-shell"] + }, "tslog": { "owner": "core:logging", "class": "core-runtime", "risk": ["logging"] }, + "typescript": { + "owner": "core:typescript-analysis", + "class": "core-runtime", + "risk": ["compiler-api"] + }, "typebox": { "owner": "core:json-schema-contracts", "class": "core-runtime", @@ -159,6 +269,11 @@ "class": "core-runtime", "risk": ["network", "push-notifications", "crypto"] }, + "web-tree-sitter": { + "owner": "core:command-explainer", + "class": "core-runtime", + "risk": ["wasm", "parser", "untrusted-shell"] + }, "ws": { "owner": "core:gateway-websocket", "class": "core-runtime", diff --git a/scripts/root-dependency-ownership-audit.mjs b/scripts/root-dependency-ownership-audit.mjs index 194bca91ec4..01e2f4be44d 100644 --- a/scripts/root-dependency-ownership-audit.mjs +++ b/scripts/root-dependency-ownership-audit.mjs @@ -19,6 +19,9 @@ const DYNAMIC_CONSTANT_IMPORT_PATTERNS = [ /\brequire\s*\(\s*([_$A-Za-z][\w$]*)\s*\)/g, /\b(?:require|[_$A-Za-z][\w$]*require[\w$]*)\.resolve\s*\(\s*([_$A-Za-z][\w$]*)\s*\)/gi, ]; +const PACKAGE_FILE_LOOKUP_PATTERNS = [ + /\bresolvePackageFileForCommandExplanation\s*\(\s*["']([^"']+)["']/g, +]; const ROOT_OWNED_EXTENSION_RUNTIME_DEPENDENCIES = new Map([ [ "@homebridge/ciao", @@ -85,6 +88,13 @@ export function collectModuleSpecifiers(source) { } } } + for (const pattern of PACKAGE_FILE_LOOKUP_PATTERNS) { + for (const match of source.matchAll(pattern)) { + if (match[1]) { + specifiers.add(match[1]); + } + } + } const stringConstants = new Map(); for (const match of source.matchAll(STRING_CONSTANT_PATTERN)) { if (match[1] && match[2]) { diff --git a/test/scripts/root-dependency-ownership-audit.test.ts b/test/scripts/root-dependency-ownership-audit.test.ts index c01adad1bc2..c01532e1510 100644 
--- a/test/scripts/root-dependency-ownership-audit.test.ts
+++ b/test/scripts/root-dependency-ownership-audit.test.ts
@@ -37,8 +37,9 @@ describe("collectModuleSpecifiers", () => {
 const runtimeRequire = createRequire(runtimePackagePath);
 require.resolve("gaxios");
 runtimeRequire.resolve("openshell/package.json");
+ resolvePackageFileForCommandExplanation("tree-sitter-bash", "tree-sitter-bash.wasm");
 `),
- ]).toEqual(["gaxios", "openshell/package.json"]);
+ ]).toEqual(["gaxios", "openshell/package.json", "tree-sitter-bash"]);
 });

 it("resolves simple string constants used by lazy runtime imports", () => {
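Review bot: The fixture line added here exercises only the double-quoted literal form of `resolvePackageFileForCommandExplanation(...)`, so nothing pins what the audit does with the other call shapes. I would add a second fixture call with a single-quoted package name, plus one that passes an identifier as the first argument, and assert the identifier form is not collected. That records the literal-only limit as intended behaviour, and a later regex change that widens or narrows it would fail visibly. The enclosing `it(...)` block starts above this hunk, so the opening of the fixture is not visible here.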