Add corgea advisories check: pre-install package advisory queries for agents#129
Add corgea advisories check: pre-install package advisory queries for agents#129juangaitanv wants to merge 1 commit into
Conversation
Implement read-only pre-install advisory lookup against Corgea vuln-api: - New advisories.rs subcommand with <ecosystem> <package>[@Version] args - Reuses /check client for versioned package lookups - New package-profile endpoint query for unversioned threat-modeling - Human-readable output plus --json mode - Exit codes: 0 (clean), 1 (advisories found), 2 (error) - Extends vuln_api client and precheck rendering - Includes comprehensive test fixtures and CLI integration tests - Updated SKILL.md with command documentation
| let response = send_package_check_with_retry(client, &url, token)?; | ||
| // Unlike /check, a 404 here is a legitimate data answer: the package has | ||
| // no row in the advisory database. | ||
| if response.status().as_u16() == 404 { |
There was a problem hiding this comment.
This 404 handling is too broad. Evidence: fetch_package_profile returns Ok(None) for any HTTP 404 before reading or validating the response body, while /check correctly treats 404 as a route/base-url error. Impact: if CORGEA_VULN_API_URL points at the wrong host/path, an older vuln-api deployment does not have /v1/packages/:eco/:name, or a proxy/CDN returns a generic 404, corgea advisories check npm axios exits 0 and reports “not found in the advisory database (no known advisories)” instead of failing. That is a false clean result for the new pre-install advisory workflow. Concrete fix: only map the route's explicit package-miss response (e.g. parse/compare {"error":"Package not found"} or another stable server sentinel) to Ok(None); treat all other 404 bodies as Err("vuln-api route not found ..."), and add a test for a generic 404/wrong route returning exit 2.
Summary
Adds a read-only
corgea advisories checkcommand so agents (and humans) can query the Corgea vuln-api before deciding to install a package or while threat modeling — instead of only learning a package is bad when thecorgea npm|pip|...install-wrap gate blocks it.All lookups go to the vuln-api at
https://cve-worker-staging.corgea.workers.dev(the existingDEFAULT_VULN_API_URL), overridable viaCORGEA_VULN_API_URL.Usage
Exit codes:
0clean / not in advisory DB,1advisories found,2error.Design
/checkclient — identical verdict semantics and guards on both surfaces; no drift between "check said fine" and "install blocked"./v1/packages/:ecosystem/:nameprofile route via a newfetch_package_profile(tolerant structs, 404 → "not in advisory database", capped listing flagged as truncated).resolve_vuln_api_access— a customCORGEA_VULN_API_URLnever receives the Corgea token unlessCORGEA_VULN_API_SEND_TOKEN_TO_CUSTOM_URL=1. Verified by a live header-capture test during validation.shared_status_error,verify_response_identity) deduped between/checkand the profile route so the confused-deputy guards can't drift.skills/corgea/SKILL.mdgains an### Advisoriessection instructing agents to check before installing (server-side skill publish is a follow-up; installed agents fetch skill content from the server).Testing
tests/cli_advisories.rs) against the hermetic vuln-api stub: both forms × text/json × exit codes, stdout purity.tests/vuln_api_contract.rs,--ignored) round-trip live staging responses through the CLI deserializers../harness checkclean (strict clippy, fmt, skill-drift).axios@0.21.0→ exit 1 (23 advisories, safe version 0.32.0); unknown package → exit 0;--jsonemits one valid document.