From d770693bac655da4a21144b4cae7592536fecb8b Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Fri, 8 May 2026 23:22:34 +0900
Subject: fix(audit): align with Composer's AuditCommand pipeline

- Add mozart-core::advisory::{AuditFormat, AbandonedHandling, AuditConfig} mirroring Composer\Advisory\AuditConfig; reads audit.ignore, audit.ignore-severity, audit.ignore-abandoned, audit.abandoned, audit.block-insecure, audit.block-abandoned, audit.ignore-unreachable from composer.json config with full apply-scope support
- Add mozart-registry::advisory::Auditor mirroring Composer\Advisory\Auditor; process_advisories() filters by package name, advisory ID, CVE, source remote ID, and severity; filter_abandoned_packages() respects ignore-abandoned
- Add RepositorySet::get_matching_security_advisories() wrapping fetch_security_advisories with version-matching and unreachable-repo tracking
- JSON output now includes ignored-advisories and unreachable-repositories keys
- --abandoned falls back to audit.abandoned config (was hardcoded to "fail")
- --ignore-severity merges with audit.ignore-severity config
- --ignore-unreachable ORs with audit.ignore-unreachable config
- Move normalize_or_separator into repository/mod.rs alongside version matching
Co-Authored-By: Claude Sonnet 4.6
---
 crates/mozart/src/commands/repository.rs | 39 ++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 17 deletions(-)
(limited to 'crates/mozart/src/commands/repository.rs')
diff --git a/crates/mozart/src/commands/repository.rs b/crates/mozart/src/commands/repository.rs
index 318450a..27c822c 100644
--- a/crates/mozart/src/commands/repository.rs
+++ b/crates/mozart/src/commands/repository.rs
@@ -89,10 +89,7 @@ fn list_repositories(
 let mut display_repos = repos;
 if !packagist_present {
 let mut m = serde_json::Map::new();
- m.insert(
- "packagist.org".to_string(),
- serde_json::Value::Bool(false),
- );
+ m.insert("packagist.org".to_string(), serde_json::Value::Bool(false));
 display_repos.push(serde_json::Value::Object(m));
 }

@@ -119,10 +116,7 @@ fn list_repositories(
 .get("type")
 .and_then(|t| t.as_str())
 .unwrap_or("unknown");
- let url = entry
- .get("url")
- .map(render_value)
- .unwrap_or_default();
+ let url = entry.get("url").map(render_value).unwrap_or_default();
 console_writeln!(console, &format!("[{name}] {repo_type} {url}"));
 }

@@ -139,12 +133,15 @@ fn host_ends_with_packagist_org(url: &str) -> bool {

 fn execute_add(ctx: &BaseConfigContext, args: &RepositoryArgs) -> anyhow::Result<()> {
 let name = args.name.as_deref().ok_or_else(|| {
- anyhow!("You must pass a repository name. Example: mozart repo add foo vcs https://example.org")
+ anyhow!(
+ "You must pass a repository name. Example: mozart repo add foo vcs https://example.org"
+ )
 })?;

- let arg1 = args.arg1.as_deref().ok_or_else(|| {
- anyhow!("You must pass the type and a url, or a JSON string.")
- })?;
+ let arg1 = args
+ .arg1
+ .as_deref()
+ .ok_or_else(|| anyhow!("You must pass the type and a url, or a JSON string."))?;

 // Mirror Composer's `Preg::isMatch('{^\s*\{}', $arg1)` check.
 let repo_config = if arg1.trim_start().starts_with('{') {
@@ -186,8 +183,11 @@ fn execute_remove(ctx: &BaseConfigContext, args: &RepositoryArgs) -> anyhow::Res
 // Removing packagist means disabling it (Composer behaviour).
 // Default append=false so the disable entry goes to the front when
 // the user didn't pass --append.
- ctx.config_source
- .add_repository("packagist.org", &serde_json::Value::Bool(false), args.append)?;
+ ctx.config_source.add_repository(
+ "packagist.org",
+ &serde_json::Value::Bool(false),
+ args.append,
+ )?;
 }

 Ok(())
@@ -251,12 +251,17 @@ fn execute_disable(ctx: &BaseConfigContext, args: &RepositoryArgs) -> anyhow::Re
 .ok_or_else(|| anyhow!("Usage: mozart repo disable packagist.org"))?;

 if name == "packagist.org" || name == "packagist" {
- ctx.config_source
- .add_repository("packagist.org", &serde_json::Value::Bool(false), args.append)?;
+ ctx.config_source.add_repository(
+ "packagist.org",
+ &serde_json::Value::Bool(false),
+ args.append,
+ )?;
 return Ok(());
 }

- anyhow::bail!("Only packagist.org can be enabled/disabled using this command. Use add/remove for other repositories.");
+ anyhow::bail!(
+ "Only packagist.org can be enabled/disabled using this command. Use add/remove for other repositories."
+ );
 }

 fn execute_enable(ctx: &BaseConfigContext, args: &RepositoryArgs) -> anyhow::Result<()> {
-- cgit v1.3.1