adding 3pl guard

Author: clavery

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,6 +6,11 @@ Brief description of what this PR does.
 
 How was this tested?
 
+## Dependencies
+
+- [ ] No net-new third-party dependencies were added
+- [ ] If net-new third-party dependencies were added, rationale/discussion is included and `3pl-approved` is set by a maintainer
+
 ---
 
 - [ ] Tests pass (`pnpm test`)

.github/workflows/3pl-guard.yml

@@ -0,0 +1,203 @@
+name: 3PL Guard
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - labeled
+      - unlabeled
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  dependency-review:
+    name: Net-new 3PL check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Detect net-new dependencies and enforce review label
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const reviewLabel = 'needs-3pl-review';
+            const approvalLabel = '3pl-approved';
+            const localProtocols = ['workspace:', 'file:', 'link:'];
+            const dependencySections = [
+              'dependencies',
+              'devDependencies',
+              'peerDependencies',
+              'optionalDependencies',
+            ];
+
+            const pr = context.payload.pull_request;
+            const baseRepo = pr.base.repo;
+            const headRepo = pr.head.repo;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const pullNumber = pr.number;
+
+            async function ensureLabel(name, color, description) {
+              try {
+                await github.rest.issues.getLabel({ owner, repo, name });
+              } catch (error) {
+                if (error.status !== 404) throw error;
+                await github.rest.issues.createLabel({
+                  owner,
+                  repo,
+                  name,
+                  color,
+                  description,
+                });
+              }
+            }
+
+            async function removeLabelIfPresent(name) {
+              try {
+                await github.rest.issues.removeLabel({
+                  owner,
+                  repo,
+                  issue_number: pullNumber,
+                  name,
+                });
+              } catch (error) {
+                if (error.status !== 404) throw error;
+              }
+            }
+
+            async function addLabel(name) {
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: pullNumber,
+                labels: [name],
+              });
+            }
+
+            async function getPackageJson({ owner, repo, path, ref }) {
+              try {
+                const response = await github.rest.repos.getContent({
+                  owner,
+                  repo,
+                  path,
+                  ref,
+                });
+
+                if (!('content' in response.data)) return null;
+
+                const decoded = Buffer.from(response.data.content, 'base64').toString('utf8');
+                return JSON.parse(decoded);
+              } catch (error) {
+                if (error.status === 404) return null;
+                throw error;
+              }
+            }
+
+            function collectExternalDeps(packageJson) {
+              const deps = new Set();
+              if (!packageJson || typeof packageJson !== 'object') return deps;
+
+              for (const section of dependencySections) {
+                const values = packageJson[section];
+                if (!values || typeof values !== 'object') continue;
+
+                for (const [name, spec] of Object.entries(values)) {
+                  if (typeof spec !== 'string') continue;
+                  if (localProtocols.some((protocol) => spec.startsWith(protocol))) continue;
+                  deps.add(name);
+                }
+              }
+
+              return deps;
+            }
+
+            const files = await github.paginate(github.rest.pulls.listFiles, {
+              owner,
+              repo,
+              pull_number: pullNumber,
+              per_page: 100,
+            });
+
+            const changedPackageJsonFiles = files
+              .map((file) => file.filename)
+              .filter((filename) => filename.endsWith('package.json'));
+
+            const findings = [];
+
+            for (const path of changedPackageJsonFiles) {
+              const basePackageJson = await getPackageJson({
+                owner: baseRepo.owner.login,
+                repo: baseRepo.name,
+                path,
+                ref: pr.base.sha,
+              });
+              const headPackageJson = await getPackageJson({
+                owner: headRepo.owner.login,
+                repo: headRepo.name,
+                path,
+                ref: pr.head.sha,
+              });
+
+              const baseDeps = collectExternalDeps(basePackageJson);
+              const headDeps = collectExternalDeps(headPackageJson);
+              const added = [...headDeps].filter((dependency) => !baseDeps.has(dependency)).sort();
+
+              if (added.length > 0) {
+                findings.push({ path, added });
+              }
+            }
+
+            const allNetNewDeps = [...new Set(findings.flatMap((item) => item.added))].sort();
+            const hasApprovalLabel = pr.labels.some((label) => label.name === approvalLabel);
+
+            await ensureLabel(
+              reviewLabel,
+              'd73a4a',
+              'PR introduces net-new third-party dependencies and needs discussion',
+            );
+            await ensureLabel(
+              approvalLabel,
+              '0e8a16',
+              'Maintainer approved net-new third-party dependency additions',
+            );
+
+            core.summary.addHeading('3PL dependency guard');
+
+            if (allNetNewDeps.length === 0) {
+              await removeLabelIfPresent(reviewLabel);
+              await core.summary
+                .addRaw('No net-new third-party dependencies detected across changed package manifests.')
+                .write();
+              return;
+            }
+
+            const manifestLines = findings.map((finding) => {
+              const dependencies = finding.added.map((name) => `\`${name}\``).join(', ');
+              return `- \`${finding.path}\`: ${dependencies}`;
+            });
+
+            await core.summary
+              .addRaw('Net-new third-party dependencies detected:\n\n')
+              .addRaw(manifestLines.join('\n'))
+              .addRaw('\n\n')
+              .addRaw(`All net-new packages: ${allNetNewDeps.map((name) => `\`${name}\``).join(', ')}`)
+              .addRaw('\n\n')
+              .addRaw(
+                `Blocking until a maintainer adds the \`${approvalLabel}\` label after dependency review discussion.`,
+              )
+              .write();
+
+            if (hasApprovalLabel) {
+              await removeLabelIfPresent(reviewLabel);
+              return;
+            }
+
+            await addLabel(reviewLabel);
+            core.setFailed(
+              `Net-new third-party dependencies found: ${allNetNewDeps.join(', ')}. Add \`${approvalLabel}\` after review.`,
+            );

README.md

@@ -7,19 +7,18 @@
 
 Salesforce Commerce Cloud B2C Command Line Tools.
 
-
 > [!TIP]
 > **Just looking for the B2C CLI or MCP install instructions?** Visit the documentation site at [https://salesforcecommercecloud.github.io/b2c-developer-tooling/](https://salesforcecommercecloud.github.io/b2c-developer-tooling/) for the latest install guide and CLI reference.
 
 ## Packages
 
 This is a pnpm monorepo with the following packages:
 
-| Package | Description |
-|---------|-------------|
-| [`b2c-cli`](./packages/b2c-cli/README.md) | Command line interface built with oclif |
+| Package                                                   | Description                                                                          |
+| --------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| [`b2c-cli`](./packages/b2c-cli/README.md)                 | Command line interface built with oclif                                              |
 | [`b2c-tooling-sdk`](./packages/b2c-tooling-sdk/README.md) | SDK/library for B2C Commerce operations; supports the CLI and can be used standalone |
-| [`b2c-dx-mcp`](./packages/b2c-dx-mcp/README.md) | MCP server for B2C Commerce developer experience tools |
+| [`b2c-dx-mcp`](./packages/b2c-dx-mcp/README.md)           | MCP server for B2C Commerce developer experience tools                               |
 
 ## Development
 
@@ -85,6 +84,7 @@ pnpm mocha --grep "uploads a file" "test/**/*.test.ts"
 #### Coverage
 
 Coverage reports are generated in each package's `coverage/` directory:
+
 - `coverage/index.html` - HTML report
 - `coverage/lcov.info` - LCOV format for CI integration
 
@@ -184,9 +184,9 @@ Preview releases are available as tgz files on [GitHub Releases](https://github.
 The `@salesforce/b2c-tooling-sdk` package uses the `exports` field in package.json to define its public API surface. Each module is available as a subpath export:
 
 ```typescript
-import { OAuthStrategy } from '@salesforce/b2c-tooling-sdk/auth';
-import { B2CInstance } from '@salesforce/b2c-tooling-sdk/instance';
-import { getLogger } from '@salesforce/b2c-tooling-sdk/logging';
+import {OAuthStrategy} from '@salesforce/b2c-tooling-sdk/auth';
+import {B2CInstance} from '@salesforce/b2c-tooling-sdk/instance';
+import {getLogger} from '@salesforce/b2c-tooling-sdk/logging';
 ```
 
 The `development` condition in exports enables direct TypeScript source resolution when using `--conditions=development`, which is how `bin/dev.js` works for local development.
@@ -195,6 +195,17 @@ The `development` condition in exports enables direct TypeScript source resoluti
 
 We welcome contributions! Please see our [Contributing Guide](./CONTRIBUTING.md) for details on how to get started, submit pull requests, and our code of conduct.
 
+### Third-Party Dependency Review
+
+To prevent net-new third-party libraries from being added without discussion, PRs are checked by the `3PL Guard` workflow (`Net-new 3PL check`).
+
+- The check compares changed `package.json` files in the PR and detects net-new external dependencies.
+- If net-new dependencies are found, the PR is labeled `needs-3pl-review` and the check fails.
+- After discussion and approval, a maintainer adds the `3pl-approved` label to allow the check to pass.
+- If the net-new dependency is removed, `needs-3pl-review` is removed automatically.
+
+To enforce this as a merge gate, keep `Net-new 3PL check` as a required status check in branch protection.
+
 ## Security
 
 For security concerns, please review our [Security Policy](./SECURITY.md). Report any security issues to [security@salesforce.com](mailto:security@salesforce.com).