Skip to content

feat: add trust level computation core module #138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dreyfus92 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add trust level computation core module #138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
09404ed
feat: add trust level computation core module
dreyfus92 Dec 20, 2025
974ca36
format
dreyfus92 Dec 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions src/core/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
/**
* Core modules containing pure, reusable logic that can be imported
* by external tools like the e18e GitHub Action.
*/
export * from './trust.js';
Copy link
Contributor

@43081j 43081j Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if we should drop this barrel file as we export them in the root anyway

instead of this re-exporting everything, and the root re-exporting them again. we can just put this in the root

Copy link
Contributor Author

@dreyfus92 dreyfus92 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the reasoning behind having this barrel file was the aim of expanding core modules, if you think this won't be the case, then yes this would be unnecessary.

Copy link
Contributor

@43081j 43081j Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it will be the case. But things like the GitHub action will import them from the root. So we will just be exporting them twice internally if we keep this as it is.

Internally I think we should be avoiding barrel files. The only place we should really have one is the root entry point.

So everywhere that imports these should get them directly or from the root

Copy link
Contributor Author

@dreyfus92 dreyfus92 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good, will drop this as well

161 changes: 161 additions & 0 deletions src/core/trust.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
/**
* Trust level computation for npm packages based on provenance attestations.
*
* This module provides pure functions for computing trust levels without
* making network calls. The actual package metadata must be fetched separately.
*/

/**
* The provenance status of a package, indicating its level of trust.
*
* - `trusted-with-provenance`: Published by a trusted publisher with provenance attestations
* - `provenance`: Has provenance attestations but not from a trusted publisher
* - `none`: No provenance attestations
*/
export type ProvenanceStatus =
| 'trusted-with-provenance'
| 'provenance'
| 'none';

/**
* Metadata about an npm package version, containing provenance information.
* This is a subset of the full npm registry metadata.
*/
export interface PackageProvenanceMetadata {
Copy link
Contributor

@43081j 43081j Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

presumably there's a util which fetches the metadata and uses this type too?

do we want to include that in here? where does the action have it today?

Copy link
Contributor Author

@dreyfus92 dreyfus92 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i can't recall why i added that type tbh, i think i wanted to implement the type cause i was thinking of adding an utility in core. but it has passed a month already since i worked on this.

Copy link
Contributor

@43081j 43081j Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its basically the response type of the npm API by the looks of it

so we should either drop it for now, or introduce the helper function that hits the npm api and uses it

Copy link
Contributor Author

@dreyfus92 dreyfus92 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'll drop this for now so we can discuss and refine the details together during Friday's meeting.

name: string;
version: string;
dist?: {
attestations?: {
url: string;
provenance?: unknown;
};
};
_npmUser?: {
name: string;
email: string;
trustedPublisher?: unknown;
};
}

/**
* Result of computing the minimum trust level across a set of packages.
*/
export interface MinTrustLevelResult {
level: number;
status: ProvenanceStatus;
}

/**
* Summary of trust levels across a set of dependencies.
*/
export interface TrustSummary {
trusted: number;
provenance: number;
untrusted: number;
total: number;
}

/**
* Determines the provenance status of a package from its metadata.
*
* @param meta - Package metadata from the npm registry
* @returns The provenance status of the package
*/
export function getProvenance(
meta: PackageProvenanceMetadata
): ProvenanceStatus {
if (meta._npmUser?.trustedPublisher) {
return 'trusted-with-provenance';
}
if (meta.dist?.attestations?.provenance) {
return 'provenance';
}
return 'none';
}

/**
* Converts a provenance status to a numeric trust level.
*
* Higher numbers indicate higher trust:
* - 2: trusted-with-provenance
* - 1: provenance
* - 0: none
*
* @param status - The provenance status
* @returns The numeric trust level (0-2)
*/
export function getTrustLevel(status: ProvenanceStatus): number {
switch (status) {
case 'trusted-with-provenance':
return 2;
case 'provenance':
return 1;
case 'none':
return 0;
default:
return 0;
}
}

/**
* Finds the minimum trust level across a set of provenance statuses.
*
* This is useful for determining the overall trust level of a dependency tree,
* where the weakest link determines the overall security.
*
* @param statuses - An iterable of provenance statuses
* @returns The minimum trust level and its corresponding status
*/
export function getMinTrustLevel(
statuses: Iterable<ProvenanceStatus>
): MinTrustLevelResult {
let result: MinTrustLevelResult | null = null;

for (const status of statuses) {
const level = getTrustLevel(status);
if (result === null || level < result.level) {
result = {level, status};
}
}

if (!result) {
return {level: 0, status: 'none'};
}

return result;
}

/**
* Computes a summary of trust levels from a collection of provenance statuses.
*
* @param statuses - An iterable of provenance statuses
* @returns A summary with counts for each trust category
*/
export function computeTrustSummary(
statuses: Iterable<ProvenanceStatus>
): TrustSummary {
let trusted = 0;
let provenance = 0;
let untrusted = 0;

for (const status of statuses) {
switch (status) {
case 'trusted-with-provenance':
trusted++;
break;
case 'provenance':
provenance++;
break;
case 'none':
untrusted++;
break;
}
}

return {
trusted,
provenance,
untrusted,
total: trusted + provenance + untrusted
};
}
3 changes: 3 additions & 0 deletions src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,6 @@ import type {PackageModuleType} from './compute-type.js';
export type {Message, Options, PackageModuleType, Stat};

export {report} from './analyze/report.js';

// Core modules - reusable logic for external tools
export * from './core/index.js';
Loading