RubyGems - sequra-style - Versions diffs - 1.13.0 → 1.14.0 - Mend

sequra-style 1.13.0 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/Gemfile.lock +1 -1
data/default.yml +13 -0
data/lib/rubocop/cop/sequra/no_sidekiq_perform_stubs.rb +77 -0
data/lib/sequra/style/version.rb +1 -1
data/lib/sequra_style.rb +1 -0
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 638d231a616190beeb2b468652fe080b7b1e7e5b40f71aec06009ec44d14b17c
-  data.tar.gz: 27d7a897202882a5535cefb4af8de185132f7e05f2aa00be2735aff1df4848ed
+  metadata.gz: 3d6244fe18ea0a416aa78a3f808972f72e8951a5b1f4b8fe6d8bde547519a062
+  data.tar.gz: c6a4e0354de8afabe25ab07ab269109e07b572ef76f746ed8e194b2063e35c08
 SHA512:
-  metadata.gz: ea38ecc3ed4116d5c854683a74c3ff670a540c70a0b5ecbd609a4207a02874c469cfabefca9ec45bdc5d15da56beb42ec1aef5d8279dfdacf8f70f8413ae2241
-  data.tar.gz: cd260081df82a6e2fcb7b23d5338872f1571a4c9f380fd826b6647a57756def2e3996e7be3ea9ef84c32529d3411054687da1f56fac7e959fd322d51d1f968f7
+  metadata.gz: 48b797b66b13747ec048dd26121a5c8ca225e694e13527fdad286e825b42dd29d0177cf9cdf0f4bd7f10b674538b318e95a4538b2122a9dd5d0a3a3196c2b0ea
+  data.tar.gz: 80f63fb2c00f3f295fec302fb748aaa30de666ec002aa666a5bd2f10e98197f283f70f0d5400b6212ac4d926b5eac8e04a554f0a012cca0c1c5c047a0a531947

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,12 @@
 # Changelog
+## [1.14.0](https://github.com/sequra/sequra-style/compare/v1.13.0...v1.14.0) (2026-05-14)
+### Features
+* [COR-1992] Add Sequra/NoSidekiqPerformStubs cop ([#70](https://github.com/sequra/sequra-style/issues/70)) ([1a89ca4](https://github.com/sequra/sequra-style/commit/1a89ca4a9bcf2f12837f4d54d4aa5f4e7d54c899))
 ## [1.13.0](https://github.com/sequra/sequra-style/compare/v1.12.1...v1.13.0) (2026-04-24)

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    sequra-style (1.13.0)
+    sequra-style (1.14.0)
       rubocop (~> 1.75)
       rubocop-performance (~> 1.25)
       rubocop-rails (~> 2.31)

data/default.yml CHANGED Viewed

@@ -832,3 +832,16 @@ Sequra/AsyncJobPattern:
     - "packs/*/app/workers/**/*.rb"
   Exclude:
     - "**/application_job.rb"
+# Forbid stubbing/spying on Sidekiq enqueue methods in specs. Stubs bypass
+# `Sidekiq.strict_args!` validation, which has caused silent production
+# failures (COR-1923). Use `have_enqueued_sidekiq_job` or
+# `change(Job.jobs, :size)` instead. `.and_call_original` is exempt.
+# Ships disabled so consumer repos opt in on their own timeline (paired with
+# `.rubocop_todo.yml` to grandfather existing offenses).
+Sequra/NoSidekiqPerformStubs:
+  Enabled: false
+  Include:
+    - "**/*_spec.rb"
+    - "**/spec/support/**/*.rb"
+    - "**/spec/shared_examples/**/*.rb"

data/lib/rubocop/cop/sequra/no_sidekiq_perform_stubs.rb ADDED Viewed

@@ -0,0 +1,77 @@
+module RuboCop
+  module Cop
+    module Sequra
+      # Detects RSpec stubs and spy assertions on Sidekiq enqueue methods
+      # (`perform_async`, `perform_at`, `perform_in`).
+      #
+      # Stubbing these methods bypasses `Sidekiq.strict_args!` validation,
+      # which lets symbol-keyed hashes (and other non-JSON-native types)
+      # slip through unchecked. The same code would raise `ArgumentError`
+      # in production at enqueue time, and the bug only surfaces when the
+      # job actually runs — by which point retries, timing windows, and
+      # rescue-swallowers can mask the failure. This pattern caused a
+      # silent push-notification drop in COR-1923.
+      #
+      # Use `have_enqueued_sidekiq_job` (or `change(SomeJob.jobs, :size)`)
+      # instead. Both go through Sidekiq's client middleware chain, so
+      # `strict_args!` validates the arguments as it would in production.
+      #
+      # `.and_call_original` is exempt: the stub spies on the call but
+      # then runs the real `perform_*`, which still exercises the
+      # serialization contract.
+      #
+      # @example
+      #   # bad - stub bypasses strict_args! validation
+      #   allow(SomeJob).to receive(:perform_async)
+      #
+      #   # bad - even with arg matchers, the real enqueue is suppressed
+      #   expect(SomeJob).to receive(:perform_at).with(time, data)
+      #
+      #   # bad - negative assertion still bypasses the contract
+      #   expect(SomeJob).not_to receive(:perform_async)
+      #
+      #   # bad - spy verification on a stubbed enqueue
+      #   expect(SomeJob).to have_received(:perform_async).with(id)
+      #
+      #   # good - exercises strict_args! through Sidekiq's middleware
+      #   expect(SomeJob).to have_enqueued_sidekiq_job(id, name: "value")
+      #
+      #   # good - state-based assertion, also exercises the middleware
+      #   expect { subject }.to change(SomeJob.jobs, :size).by(1)
+      #
+      #   # good - escape hatch: spy AND run the real method
+      #   expect(SomeJob).to receive(:perform_async).and_call_original
+      #
+      class NoSidekiqPerformStubs < Base
+        MSG = "Avoid stubbing Sidekiq enqueue methods (`perform_async`/`perform_at`/`perform_in`). " \
+              "Stubs bypass `Sidekiq.strict_args!` validation and can hide symbol-keyed hash bugs " \
+              "(see COR-1923). Use `have_enqueued_sidekiq_job` or `change(Job.jobs, :size)` instead. " \
+              "Use `.and_call_original` only as an escape hatch.".freeze
+        def_node_matcher :perform_method_stub?, <<~PATTERN
+          (send nil? {:receive :have_received} (sym {:perform_async :perform_at :perform_in}))
+        PATTERN
+        def on_send(node)
+          return unless perform_method_stub?(node)
+          return if chained_with_call_original?(node)
+          add_offense(node)
+        end
+        private
+        def chained_with_call_original?(node)
+          current = node
+          loop do
+            parent = current.parent
+            return false unless parent&.send_type? && parent.receiver == current
+            return true if parent.method_name == :and_call_original
+            current = parent
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sequra/style/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Sequra
   module Style
-    VERSION = "1.13.0"
+    VERSION = "1.14.0"
   end
 end

data/lib/sequra_style.rb CHANGED Viewed

@@ -1,2 +1,3 @@
 require "rubocop"
 require_relative "rubocop/cop/sequra/async_job_pattern"
+require_relative "rubocop/cop/sequra/no_sidekiq_perform_stubs"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sequra-style
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.14.0
 platform: ruby
 authors:
 - Sequra engineering
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-04-24 00:00:00.000000000 Z
+date: 2026-05-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -135,6 +135,7 @@ files:
 - docs/decisions/index.md
 - docs/decisions/template.md
 - lib/rubocop/cop/sequra/async_job_pattern.rb
+- lib/rubocop/cop/sequra/no_sidekiq_perform_stubs.rb
 - lib/sequra/style.rb
 - lib/sequra/style/version.rb
 - lib/sequra_style.rb