
flowlock-inventory
The inventory system automatically discovers and validates your runtime infrastructure (database schema, API endpoints, UI components) and cross-checks it against your UX specification for consistency.
The inventory system serves three main purposes:

`uxspec.json`
that describe your data structure

Configure inventory discovery in your `flowlock.config.json`:
```jsonc
{
  "$schema": "https://schema.flowlock.dev/config.v1.json",
  "projectName": "your-project",
  "inventory": {
    "db": {
      "mode": "auto",                    // "schema" | "live" | "auto"
      "dialect": "postgres",             // "postgres" | "mysql" | "sqlite"
      "urlEnv": "DATABASE_URL",          // Environment variable with DB connection
      "schemaFiles": [                   // Schema files to scan
        "prisma/schema.prisma",
        "src/db/schema.ts",
        "src/entities/**/*.entity.ts"
      ]
    },
    "api": {
      "scan": [                          // Glob patterns for API endpoints
        "app/api/**/route.ts{,x}",       // Next.js App Router
        "src/**/*.controller.ts",        // NestJS
        "src/routes/**/*.ts",            // Express
        "openapi.{yml,yaml,json}"        // OpenAPI spec
      ],
      "jsdoc": true,                     // Parse JSDoc annotations
      "openapiPrefer": true              // Prefer OpenAPI over code scanning
    },
    "ui": {
      "scan": [                          // UI files to scan
        "app/**/*.{tsx,jsx}",
        "src/components/**/*.{tsx,jsx}"
      ],
      "readAttribute": "data-fl-read",   // Attribute for read bindings
      "writeAttribute": "data-fl-write"  // Attribute for write bindings
    }
  }
}
```
`inventory.db`

Option | Type | Description | Default |
---|---|---|---|
mode | "schema" \| "live" \| "auto" | Discovery mode | "auto" |
dialect | "postgres" \| "mysql" \| "sqlite" | Database type | "postgres" |
urlEnv | string | Environment variable containing DB connection string | "DATABASE_URL" |
schemaFiles | string[] | Paths to schema files (Prisma, TypeORM, etc.) | [] |

Modes:

- `schema`: Only scan schema files (offline)
- `live`: Only introspect live database
- `auto`: Try schema files first, fall back to live DB if no entities found

`inventory.api`

Option | Type | Description | Default |
---|---|---|---|
scan | string[] | Glob patterns for API files | [] |
jsdoc | boolean | Parse JSDoc @flowlock annotations | true |
openapiPrefer | boolean | Prefer OpenAPI spec over code scanning | true |

`inventory.ui`

Option | Type | Description | Default |
---|---|---|---|
scan | string[] | Glob patterns for UI component files | [] |
readAttribute | string | HTML attribute for read bindings | "data-fl-read" |
writeAttribute | string | HTML attribute for write bindings | "data-fl-write" |
The generated `artifacts/runtime_inventory.json` file contains:

```typescript
type RuntimeInventory = {
  // Database entities discovered from schema/introspection
  db: {
    dialect?: "postgres" | "mysql" | "sqlite";
    entities: Array<{
      id: string;           // Entity name (e.g., "User", "Product")
      fields: Array<{
        id: string;         // Field name (e.g., "email", "createdAt")
        type?: string;      // Database type (e.g., "varchar", "timestamp")
      }>;
    }>;
  };
  // API endpoints discovered from code/OpenAPI
  api: {
    endpoints: Array<{
      path: string;         // Endpoint path (e.g., "/api/users")
      methods: string[];    // HTTP methods (e.g., ["GET", "POST"])
      returns?: {           // Optional return type info
        entity: string;     // Entity name
        fields: string[];   // Field names returned
      };
    }>;
  };
  // UI data bindings discovered from components
  ui: {
    reads: string[];        // Fields read by UI (e.g., ["User.name", "Product.price"])
    writes: string[];       // Fields written by UI (e.g., ["User.email", "Order.status"])
  };
};
```
```bash
# Using npm
npm run flowlock inventory

# Using npx
npx flowlock inventory

# With custom config
npx flowlock inventory --config custom-config.json

# Output to custom location
npx flowlock inventory --output custom-inventory.json

# Run audit to check inventory matches spec
npx flowlock audit

# Specific checks
npx flowlock audit --checks INVENTORY
```
Schema File (`prisma/schema.prisma`):

```prisma
model User {
  id        String   @id @default(uuid())
  email     String   @unique
  name      String
  role      Role
  createdAt DateTime @default(now())
  posts     Post[]
}

model Post {
  id        String  @id @default(uuid())
  title     String
  content   String?
  published Boolean @default(false)
  authorId  String
  author    User    @relation(fields: [authorId], references: [id])
}

enum Role {
  USER
  ADMIN
}
```
Generated Inventory:

```json
{
  "db": {
    "dialect": "postgres",
    "entities": [
      {
        "id": "User",
        "fields": [
          { "id": "id", "type": "String" },
          { "id": "email", "type": "String" },
          { "id": "name", "type": "String" },
          { "id": "role", "type": "Role" },
          { "id": "createdAt", "type": "DateTime" }
        ]
      },
      {
        "id": "Post",
        "fields": [
          { "id": "id", "type": "String" },
          { "id": "title", "type": "String" },
          { "id": "content", "type": "String?" },
          { "id": "published", "type": "Boolean" },
          { "id": "authorId", "type": "String" }
        ]
      }
    ]
  }
}
```
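API Route (`app/api/users/route.ts`):

```typescript
// `db` is the application's database client; its import is not shown here.

/**
 * @flowlock returns User {id,email,name,role}
 */
export async function GET() {
  const users = await db.user.findMany();
  return Response.json(users);
}

export async function POST(request: Request) {
  // Copy only client-settable fields. Passing the raw request body as `data`
  // would let a caller set `role` themselves (mass assignment).
  const { email, name } = await request.json();
  const user = await db.user.create({ data: { email, name, role: "USER" } });
  return Response.json(user);
}
```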
Generated Inventory:

```json
{
  "api": {
    "endpoints": [
      {
        "path": "/api/users",
        "methods": ["GET", "POST"],
        "returns": {
          "entity": "User",
          "fields": ["id", "email", "name", "role"]
        }
      }
    ]
  }
}
```
Component (`app/components/UserProfile.tsx`):

```tsx
export function UserProfile({ userId }: { userId: string }) {
  return (
    <div>
      <h1 data-fl-read="User.name">John Doe</h1>
      <p data-fl-read="User.email">john@example.com</p>
      <input
        data-fl-write="User.bio"
        placeholder="Tell us about yourself"
      />
    </div>
  );
}
```
Generated Inventory:

```json
{
  "ui": {
    "reads": ["User.name", "User.email"],
    "writes": ["User.bio"]
  }
}
```
Entity (`src/entities/Product.entity.ts`):

```typescript
import { Entity, PrimaryGeneratedColumn, Column } from 'typeorm';

@Entity()
export class Product {
  @PrimaryGeneratedColumn('uuid')
  id: string;

  @Column()
  name: string;

  @Column('decimal', { precision: 10, scale: 2 })
  price: number;

  @Column({ type: 'text', nullable: true })
  description?: string;

  @Column({ default: true })
  inStock: boolean;
}
```
Generated Inventory:

```json
{
  "db": {
    "dialect": "postgres",
    "entities": [
      {
        "id": "Product",
        "fields": [
          { "id": "id", "type": "unknown" },
          { "id": "name", "type": "unknown" },
          { "id": "price", "type": "unknown" },
          { "id": "description", "type": "unknown" },
          { "id": "inStock", "type": "unknown" }
        ]
      }
    ]
  }
}
```
The system discovers database entities through two methods:

Schema Scanning (Offline):

(`.prisma`)

Live Introspection (Online):

The system discovers API endpoints through:

OpenAPI Specification (Preferred):

Code Scanning:

`@flowlock` annotations

The system discovers UI data bindings by:

- `data-fl-read` attributes for read operations
- `data-fl-write` attributes for write operations

The inventory check validates:

Solution: Run `npx flowlock inventory` before running audit

Causes:

`schemaFiles` config

Solution:

`schemaFiles` includes your schema

Causes:

(`derived` or `external`)

Solution:

`derived: true` or `external: true` in spec

Causes:

Solution:

`writes` array

- `DEBUG=flowlock:*` environment variable
- `artifacts/runtime_inventory.json`
- `npx glob-test "your/pattern/**/*.ts"` to test globs
- `source` property
- `runtime_inventory.json` for tracking changes

```bash
# Generate inventory
flowlock inventory [options]
  --config <path>   Config file path (default: flowlock.config.json)
  --output <path>   Output file path (default: artifacts/runtime_inventory.json)
  --verbose         Show detailed output

# Validate inventory
flowlock audit --checks INVENTORY
```
```typescript
import { buildInventory } from 'flowlock-inventory';

// Generate inventory
const inventoryPath = await buildInventory(
  'flowlock.config.json',               // Config path
  'artifacts/runtime_inventory.json'    // Output path
);
```

```typescript
// Load and use inventory
import inventory from './artifacts/runtime_inventory.json';

// Access entities
inventory.db.entities.forEach(entity => {
  console.log(`Entity: ${entity.id}`);
  entity.fields.forEach(field => {
    console.log(`  - ${field.id}: ${field.type}`);
  });
});
```
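Once loaded, the inventory can be cross-checked between its three sections. The following is an added example, not code from flowlock-inventory and not its audit logic: it assumes the `RuntimeInventory` shape documented above, and the `crossCheck` helper, its rule names and the `sampleInventory` object (constructed from the Prisma, API route and `UserProfile` examples on this page) are hypothetical.

```javascript
// Added example, not flowlock-inventory code. Sample inventory constructed by
// merging the Prisma, API route and UserProfile examples shown on this page.
const sampleInventory = {
  db: {
    dialect: "postgres",
    entities: [{
      id: "User",
      fields: ["id", "email", "name", "role", "createdAt"].map((id) => ({ id })),
    }],
  },
  api: {
    endpoints: [{
      path: "/api/users",
      methods: ["GET", "POST"],
      returns: { entity: "User", fields: ["id", "email", "name", "role"] },
    }],
  },
  ui: { reads: ["User.name", "User.email"], writes: ["User.bio"] },
};

// Hypothetical helper: returns findings as { rule, ref, path? } objects.
function crossCheck(inv) {
  const known = new Set();
  for (const entity of inv.db.entities) {
    for (const field of entity.fields) known.add(`${entity.id}.${field.id}`);
  }
  const findings = [];
  // 1. Every UI binding must name a field that exists in the DB inventory.
  for (const kind of ["reads", "writes"]) {
    for (const ref of inv.ui[kind]) {
      if (!known.has(ref)) findings.push({ rule: `ui-${kind}-unknown-field`, ref });
    }
  }
  // 2. Returned fields must exist; ones no UI binding reads are trim candidates.
  const uiReads = new Set(inv.ui.reads);
  for (const ep of inv.api.endpoints) {
    if (!ep.returns) continue; // endpoints without return info are skipped
    for (const name of ep.returns.fields) {
      const ref = `${ep.returns.entity}.${name}`;
      if (!known.has(ref)) {
        findings.push({ rule: "api-returns-unknown-field", ref, path: ep.path });
      } else if (!uiReads.has(ref)) {
        findings.push({ rule: "api-returns-unread-field", ref, path: ep.path });
      }
    }
  }
  return findings;
}
console.log(crossCheck(sampleInventory));
```

On the sample data this reports the `User.bio` write binding, which has no matching column in the Prisma model, and flags `User.id` and `User.role` as returned by `/api/users` without any UI read binding.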
FAQs
We found that flowlock-inventory demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.