@archrad/deterministic 0.1.2 → 0.1.3

package/CHANGELOG.md

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.3] - 2026-04-04
+
+### Fixed
+
+- **CLI** (`validate`, `export`, `validate-drift`): a missing **`--ir`** file now reports **`archrad: --ir file not found: <path>`** instead of **`invalid JSON`**.
+
+### Changed
+
+- **`IR-LINT-MISSING-AUTH-010`** — HTTP entry detection uses **`ParsedLintGraph.inDegree`** (same counts as `buildParsedLintGraph`) instead of a separate scan; reverse adjacency for auth-as-gateway only includes edges whose endpoints exist in **`nodeById`**.
+- **Docs:** README documents **OpenAPI security → IR → `IR-LINT-MISSING-AUTH-010`** for the spec-to-compliance workflow.
+- **`graphPredicates.ts`:** clarified comments for **`isHttpEndpointType`** vs **`isHttpLikeType`** (`graphql` vs `gateway` / `bff` / `grpc`).
+
+### Added
+
+- **Tests:** structural **`IR-STRUCT-HTTP_*`** coverage for **`graphql`** (validated) vs **`gateway`** (excluded); regression tests locking lint message substrings for **`IR-LINT-DEAD-NODE-011`**, **`IR-LINT-DIRECT-DB-ACCESS-002`**, **`IR-LINT-SYNC-CHAIN-001`** (terminal copy / Show HN).
+- **Fixture** **`fixtures/e2e-no-security-openapi.yaml`** (OpenAPI with **no** `security` / `securitySchemes`) + test asserting **`openApiStringToCanonicalIr` → `validateIrLint` → `IR-LINT-MISSING-AUTH-010`** — same pipeline as **`archrad ingest openapi`** + **`archrad validate`**.
+
 ## [0.1.2] - 2026-03-28
 
 ### Fixed
@@ -71,7 +88,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Documented **codegen vs validation** for retry/timeout IR fields and **InkByte vs OSS** scope in README and structural/semantic doc.
 - README positioning: **deterministic compiler and linter for system architecture**; validation layers table (OSS vs Cloud); **`validate-drift`**, drift GIF / trust-loop recording docs, library **`runValidateDrift`** example.
 
-[Unreleased]: https://github.com/archradhq/arch-deterministic/compare/v0.1.2...HEAD
+[Unreleased]: https://github.com/archradhq/arch-deterministic/compare/v0.1.3...HEAD
+[0.1.3]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.3
 [0.1.2]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.2
 [0.1.1]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.1
 [0.1.0]: https://github.com/archradhq/arch-deterministic/releases/tag/v0.1.0

package/README.md

@@ -105,6 +105,8 @@ archrad validate --ir ./graph.json
 archrad export --ir ./graph.json --target python --out ./out
 ```
 
+**OpenAPI security → IR → lint:** ingestion copies **global** and **per-operation** `security` requirement names onto each HTTP node as `config.security` (sorted, deterministic). An operation with explicit `security: []` becomes `config.authRequired: false` (intentionally public). If the spec declares **no** security at any level, nodes are left without those fields — then **`archrad validate`** can surface **`IR-LINT-MISSING-AUTH-010`** on HTTP-like entry nodes (compliance gap from the spec artifact alone).
+
 **YAML → JSON (lighter authoring):** edit **`fixtures/minimal-graph.yaml`** (or your own file) and compile to IR JSON, then validate or export:
 
 ```bash

package/dist/cli.js

@@ -21,6 +21,30 @@ async function writeTree(baseDir, files) {
         await writeFile(dest, content, 'utf8');
     }
 }
+/** Read and parse IR JSON; distinguish missing file from invalid JSON. */
+async function readIrJsonFromPath(irPath) {
+    let raw;
+    try {
+        raw = await readFile(irPath, 'utf8');
+    }
+    catch (e) {
+        const err = e;
+        if (err?.code === 'ENOENT') {
+            console.error(`archrad: --ir file not found: ${irPath}`);
+        }
+        else {
+            console.error(`archrad: could not read --ir file: ${irPath} (${err?.message ?? String(e)})`);
+        }
+        return null;
+    }
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        console.error('archrad: invalid JSON in --ir file');
+        return null;
+    }
+}
 function parseMaxWarnings(v) {
     if (v == null || v === '')
         return undefined;
@@ -48,12 +72,8 @@ program
     .option('--max-warnings <n>', 'Exit with error if warning count is greater than n (e.g. 0 allows no warnings)')
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
-    let ir;
-    try {
-        ir = JSON.parse(await readFile(irPath, 'utf8'));
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const ir = await readIrJsonFromPath(irPath);
+    if (ir == null) {
         process.exitCode = 1;
         return;
     }
@@ -182,16 +202,12 @@ program
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
     const outDir = resolve(cmdOpts.out);
-    const raw = await readFile(irPath, 'utf8');
-    let ir;
-    try {
-        ir = JSON.parse(raw);
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const parsed = await readIrJsonFromPath(irPath);
+    if (parsed == null) {
         process.exitCode = 1;
         return;
     }
+    const ir = parsed;
     const actualIR = ir.graph ? ir : { graph: ir };
     const hostPort = normalizeGoldenHostPort(cmdOpts.hostPort ?? process.env.ARCHRAD_HOST_PORT);
     if (!cmdOpts.skipHostPortCheck) {
@@ -266,15 +282,12 @@ program
     .action(async (cmdOpts) => {
     const irPath = resolve(cmdOpts.ir);
     const outDir = resolve(cmdOpts.out);
-    let ir;
-    try {
-        ir = JSON.parse(await readFile(irPath, 'utf8'));
-    }
-    catch {
-        console.error('archrad: invalid JSON in --ir file');
+    const parsed = await readIrJsonFromPath(irPath);
+    if (parsed == null) {
         process.exitCode = 1;
         return;
     }
+    const ir = parsed;
     const actualIR = ir.graph ? ir : { graph: ir };
     const hostPort = normalizeGoldenHostPort(cmdOpts.hostPort ?? process.env.ARCHRAD_HOST_PORT);
     if (!cmdOpts.skipHostPortCheck) {

package/dist/graphPredicates.d.ts

@@ -4,9 +4,10 @@
 /**
  * Narrow predicate: node types that carry a single HTTP endpoint (`config.url` + HTTP method).
  * Used by **structural validation** for `IR-STRUCT-HTTP_PATH` / `IR-STRUCT-HTTP_METHOD` checks.
- * `gateway`, `grpc`, and `bff` are intentionally excluded — they use different config shapes
+ * **`http` / `https` / `rest` / `api` / `graphql`** share this contract in the IR (GraphQL is one route + method in the IR model).
+ * **`gateway`**, **`grpc`**, and **`bff`** are intentionally **excluded** — they use different config shapes
  * (upstream routing, proto service/method, multi-route aggregation) and must not be required
- * to supply a REST-style url + HTTP method.
+ * to supply a REST-style `url` + HTTP method; they remain **`isHttpLikeType`** for lint (entries, health, sync chain, etc.).
  */
 export declare function isHttpEndpointType(t: string): boolean;
 /**

package/dist/graphPredicates.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphPredicates.d.ts","sourceRoot":"","sources":["../src/graphPredicates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAQjD;AAED,oEAAoE;AACpE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAM/C;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CASrD;AAED,iHAAiH;AACjH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAStD"}
+{"version":3,"file":"graphPredicates.d.ts","sourceRoot":"","sources":["../src/graphPredicates.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAQjD;AAED,oEAAoE;AACpE,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAM/C;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CASrD;AAED,iHAAiH;AACjH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAStD"}

package/dist/graphPredicates.js

@@ -4,9 +4,10 @@
 /**
  * Narrow predicate: node types that carry a single HTTP endpoint (`config.url` + HTTP method).
  * Used by **structural validation** for `IR-STRUCT-HTTP_PATH` / `IR-STRUCT-HTTP_METHOD` checks.
- * `gateway`, `grpc`, and `bff` are intentionally excluded — they use different config shapes
+ * **`http` / `https` / `rest` / `api` / `graphql`** share this contract in the IR (GraphQL is one route + method in the IR model).
+ * **`gateway`**, **`grpc`**, and **`bff`** are intentionally **excluded** — they use different config shapes
  * (upstream routing, proto service/method, multi-route aggregation) and must not be required
- * to supply a REST-style url + HTTP method.
+ * to supply a REST-style `url` + HTTP method; they remain **`isHttpLikeType`** for lint (entries, health, sync chain, etc.).
  */
 export function isHttpEndpointType(t) {
     const s = String(t ?? '')

package/dist/lint-rules.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lint-rules.d.ts","sourceRoot":"","sources":["../src/lint-rules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAcvD,8HAA8H;AAC9H,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA6B5E;AAED,8BAA8B;AAC9B,wBAAgB,cAAc,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBxE;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAwDpF;AAED,iCAAiC;AACjC,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsB3E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoB1E;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA0B3E;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAmB7E;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED,2HAA2H;AAC3H,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA2D7E;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsBtE;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,eAAe,KAAK,mBAAmB,EAAE,CAY3F,CAAC;AAEF,gGAAgG;AAChG,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAEhF"}
+{"version":3,"file":"lint-rules.d.ts","sourceRoot":"","sources":["../src/lint-rules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAcvD,8HAA8H;AAC9H,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA6B5E;AAED,8BAA8B;AAC9B,wBAAgB,cAAc,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBxE;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAwDpF;AAED,iCAAiC;AACjC,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsB3E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoB1E;AAED,6EAA6E;AAC7E,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CA0B3E;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAmB7E;AAED,wCAAwC;AACxC,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED,2HAA2H;AAC3H,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAkBjF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAoD7E;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAsBtE;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,eAAe,KAAK,mBAAmB,EAAE,CAY3F,CAAC;AAEF,gGAAgG;AAChG,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,eAAe,GAAG,mBAAmB,EAAE,CAEhF"}

package/dist/lint-rules.js

@@ -284,23 +284,15 @@ export function ruleMultipleHttpEntries(g) {
  * for intentionally public endpoints (health, public assets, etc.).
  */
 export function ruleHttpMissingAuth(g) {
-    const { edges, nodeById, adj } = g;
-    // Build set of nodes that have an incoming sync edge (not entry nodes)
-    const hasIncomingEdge = new Set();
-    for (const e of edges) {
-        if (!e || typeof e !== 'object')
-            continue;
-        const { to } = edgeEndpoints(e);
-        if (to)
-            hasIncomingEdge.add(to);
-    }
-    // Build reverse adjacency: to → [from] for auth-coverage check #2
+    const { edges, nodeById, adj, inDegree } = g;
+    // Entry = no valid incoming edge (same counts as buildParsedLintGraph.inDegree)
+    // Build reverse adjacency: to → [from] for auth-coverage check #2 (valid endpoints only, same as adj)
     const reverseAdj = new Map();
     for (const e of edges) {
         if (!e || typeof e !== 'object')
             continue;
         const { from, to } = edgeEndpoints(e);
-        if (!from || !to)
+        if (!from || !to || !nodeById.has(from) || !nodeById.has(to))
             continue;
         if (!reverseAdj.has(to))
             reverseAdj.set(to, []);
@@ -310,7 +302,7 @@ export function ruleHttpMissingAuth(g) {
     for (const [id, n] of nodeById) {
         if (!isHttpLikeType(nodeType(n)))
             continue;
-        if (hasIncomingEdge.has(id))
+        if ((inDegree.get(id) ?? 0) > 0)
             continue; // not an entry node
         const cfg = (n.config ?? {});
         // Explicit opt-out: config.authRequired === false marks an intentionally public endpoint

package/fixtures/e2e-no-security-openapi.yaml

@@ -0,0 +1,11 @@
+openapi: 3.0.0
+info:
+  title: Test API
+  version: 1.0.0
+paths:
+  /payments:
+    post:
+      operationId: createPayment
+      responses:
+        '200':
+          description: OK

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@archrad/deterministic",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "A deterministic compiler and linter for system architecture. Validate your architecture before you write code. OSS: structural validation + basic architecture lint (rule-based); FastAPI/Express export; OpenAPI document-shape; golden Docker/Makefile — no LLM.",
   "keywords": [
     "archrad",