@decantr/verifier 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +71 -0
- package/dist/index.js.map +1 -1
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -596,10 +596,13 @@ function auditProjectSourceTree(projectRoot) {
|
|
|
596
596
|
const summary = {
|
|
597
597
|
filesChecked: sourceFiles.length,
|
|
598
598
|
inlineStyles: createSourceAuditBucket(),
|
|
599
|
+
componentStyleTags: createSourceAuditBucket(),
|
|
599
600
|
localCssRuntimeSignals: createSourceAuditBucket(),
|
|
600
601
|
securityRiskPatterns: createSourceAuditBucket(),
|
|
601
602
|
localhostEndpointSignals: createSourceAuditBucket(),
|
|
602
603
|
placeholderRoutes: createSourceAuditBucket(),
|
|
604
|
+
commandPaletteSignals: createSourceAuditBucket(),
|
|
605
|
+
keyboardShortcutSignals: createSourceAuditBucket(),
|
|
603
606
|
protectedSurfaceSignals: createSourceAuditBucket(),
|
|
604
607
|
authProtectedRedirectSignals: createSourceAuditBucket(),
|
|
605
608
|
authAnonymousRedirectSignals: createSourceAuditBucket(),
|
|
@@ -666,11 +669,17 @@ function auditProjectSourceTree(projectRoot) {
|
|
|
666
669
|
const securityRiskPatternCount = signals.dangerousHtmlCount + signals.rawHtmlInjectionCount + signals.dynamicEvalCount + signals.hardcodedSecretSignalCount + signals.clientSecretEnvReferenceCount + signals.localhostEndpointCount + signals.wildcardPostMessageCount + signals.windowOpenWithoutNoopenerCount + signals.externalIframeWithoutSandboxCount + signals.insecureExternalIframeCount + signals.insecureFormActionCount + signals.insecureAuthFormMethodCount + signals.insecureTransportEndpointCount + signals.insecureExternalImageCount + signals.authCookieMissingHardeningCount + signals.authOpenRedirectSignalCount + signals.authExternalRedirectSignalCount + signals.authProviderStateMissingCount + signals.authProviderPkceMissingCount + signals.authProviderNonceMissingCount + signals.externalBlankLinkWithoutRelCount;
|
|
667
670
|
const authInputHintIssueCount = signals.emailAutocompleteMissingCount + signals.passwordAutocompleteMissingCount + signals.otpAutocompleteMissingCount + signals.authAutocompleteDisabledCount + signals.authAutocompleteSemanticMismatchCount + signals.authInputTypeMismatchCount;
|
|
668
671
|
const localCssRuntimeCount = /(?:^|\/)(?:lib|utils)\/css\.(?:[cm]?[jt]sx?)$/i.test(relativePath) || /(?:^|\/)styles\/atoms\.css$/i.test(relativePath) || /Lightweight @decantr\/css atom runtime/i.test(code) ? 1 : 0;
|
|
672
|
+
const componentStyleTagCount = countComponentStyleTagSignals(code);
|
|
673
|
+
const commandPaletteSignalCount = countCommandPaletteSignals(code);
|
|
674
|
+
const keyboardShortcutSignalCount = countKeyboardShortcutSignals(code);
|
|
669
675
|
recordSourceAudit(summary.inlineStyles, relativePath, signals.inlineStyleAttributeCount);
|
|
676
|
+
recordSourceAudit(summary.componentStyleTags, relativePath, componentStyleTagCount);
|
|
670
677
|
recordSourceAudit(summary.localCssRuntimeSignals, relativePath, localCssRuntimeCount);
|
|
671
678
|
recordSourceAudit(summary.securityRiskPatterns, relativePath, securityRiskPatternCount);
|
|
672
679
|
recordSourceAudit(summary.localhostEndpointSignals, relativePath, signals.localhostEndpointCount);
|
|
673
680
|
recordSourceAudit(summary.placeholderRoutes, relativePath, signals.placeholderNavigationTargetCount);
|
|
681
|
+
recordSourceAudit(summary.commandPaletteSignals, relativePath, commandPaletteSignalCount);
|
|
682
|
+
recordSourceAudit(summary.keyboardShortcutSignals, relativePath, keyboardShortcutSignalCount);
|
|
674
683
|
recordSourceAudit(summary.protectedSurfaceSignals, relativePath, signals.protectedSurfaceSignalCount);
|
|
675
684
|
recordSourceAudit(summary.authProtectedRedirectSignals, relativePath, signals.authProtectedRedirectSignalCount);
|
|
676
685
|
recordSourceAudit(summary.authAnonymousRedirectSignals, relativePath, signals.authAnonymousRedirectSignalCount);
|
|
@@ -1536,6 +1545,16 @@ function appendSourceAuditFindings(findings, sourceAudit, essence, reviewPack) {
|
|
|
1536
1545
|
suggestedFix: "Move inline styling into treatments, atoms, or design-token-backed classes so generation stays aligned with the Decantr contract."
|
|
1537
1546
|
}));
|
|
1538
1547
|
}
|
|
1548
|
+
if (sourceAudit.componentStyleTags.count > 0) {
|
|
1549
|
+
findings.push(makeFinding({
|
|
1550
|
+
id: "source-component-style-tags-present",
|
|
1551
|
+
category: "Source Audit",
|
|
1552
|
+
severity: "warn",
|
|
1553
|
+
message: "Source files inject component-scoped style tags or dynamic style elements, which bypass the compiled Decantr layer contract.",
|
|
1554
|
+
evidence: buildSourceAuditEvidence(sourceAudit, sourceAudit.componentStyleTags, "Component-level style tag signals"),
|
|
1555
|
+
suggestedFix: "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so styling stays inside the reviewed Decantr layer stack."
|
|
1556
|
+
}));
|
|
1557
|
+
}
|
|
1539
1558
|
if (sourceAudit.localCssRuntimeSignals.count > 0) {
|
|
1540
1559
|
findings.push(makeFinding({
|
|
1541
1560
|
id: "source-local-css-runtime-stub-present",
|
|
@@ -1576,6 +1595,33 @@ function appendSourceAuditFindings(findings, sourceAudit, essence, reviewPack) {
|
|
|
1576
1595
|
suggestedFix: "Replace placeholder href/to values with the actual routes declared in the compiled packs and essence."
|
|
1577
1596
|
}));
|
|
1578
1597
|
}
|
|
1598
|
+
const navigation = essence && isV3(essence) ? essence.meta.navigation : null;
|
|
1599
|
+
if (navigation?.command_palette && sourceAudit.commandPaletteSignals.count === 0) {
|
|
1600
|
+
findings.push(makeFinding({
|
|
1601
|
+
id: "source-command-palette-missing",
|
|
1602
|
+
category: "Source Audit",
|
|
1603
|
+
severity: "warn",
|
|
1604
|
+
message: "The essence declares a command palette, but the source tree does not show an obvious command-palette implementation signal.",
|
|
1605
|
+
evidence: [
|
|
1606
|
+
`Source files checked: ${sourceAudit.filesChecked}`,
|
|
1607
|
+
"Command palette declared in essence navigation."
|
|
1608
|
+
],
|
|
1609
|
+
suggestedFix: "Implement a real command palette surface with its keyboard trigger instead of merely acknowledging the feature in copy or comments."
|
|
1610
|
+
}));
|
|
1611
|
+
}
|
|
1612
|
+
if (navigation?.hotkeys?.length && sourceAudit.keyboardShortcutSignals.count === 0) {
|
|
1613
|
+
findings.push(makeFinding({
|
|
1614
|
+
id: "source-hotkeys-missing",
|
|
1615
|
+
category: "Source Audit",
|
|
1616
|
+
severity: "warn",
|
|
1617
|
+
message: "The essence declares hotkeys, but the source tree does not show obvious keyboard-shortcut handling.",
|
|
1618
|
+
evidence: [
|
|
1619
|
+
`Source files checked: ${sourceAudit.filesChecked}`,
|
|
1620
|
+
`Hotkeys declared: ${navigation.hotkeys.length}`
|
|
1621
|
+
],
|
|
1622
|
+
suggestedFix: "Implement the declared hotkeys with real keydown handlers or a reviewed shortcut helper rather than leaving them as documentation-only features."
|
|
1623
|
+
}));
|
|
1624
|
+
}
|
|
1579
1625
|
if (sourceAudit.authStorageWrites.count > 0) {
|
|
1580
1626
|
findings.push(makeFinding({
|
|
1581
1627
|
id: "source-auth-storage-writes-present",
|
|
@@ -2470,6 +2516,19 @@ function findUtilityFrameworkSignals(code) {
|
|
|
2470
2516
|
const matches = code.match(/\b(?:bg|text|border|shadow|rounded|px|py|mx|my|gap|grid-cols|col-span|row-span|sm|md|lg|xl|hover):[-\w/.[\]]+/g) ?? [];
|
|
2471
2517
|
return [...new Set(matches)];
|
|
2472
2518
|
}
|
|
2519
|
+
function countComponentStyleTagSignals(code) {
|
|
2520
|
+
const jsxStyleTags = code.match(/<style(?:\s|>)/gi)?.length ?? 0;
|
|
2521
|
+
const dynamicStyleElements = code.match(/document\.createElement\((['"])style\1\)/g)?.length ?? 0;
|
|
2522
|
+
return jsxStyleTags + dynamicStyleElements;
|
|
2523
|
+
}
|
|
2524
|
+
function countCommandPaletteSignals(code) {
|
|
2525
|
+
const matches = code.match(/\b(?:commandpalette|command palette|cmd\+k|⌘k|openCommandPalette|setCommandPaletteOpen|paletteOpen|paletteTrigger)\b/gi) ?? [];
|
|
2526
|
+
return matches.length;
|
|
2527
|
+
}
|
|
2528
|
+
function countKeyboardShortcutSignals(code) {
|
|
2529
|
+
const matches = code.match(/\b(?:keydown|keyup|metaKey|ctrlKey|altKey|shiftKey|hotkey|shortcut)\b/gi) ?? [];
|
|
2530
|
+
return matches.length;
|
|
2531
|
+
}
|
|
2473
2532
|
function getScriptKind(filePath) {
|
|
2474
2533
|
switch (extname2(filePath).toLowerCase()) {
|
|
2475
2534
|
case ".tsx":
|
|
@@ -8016,6 +8075,18 @@ function critiqueSource({
|
|
|
8016
8075
|
suggestedFix: "Replace inline visual values with treatments, decorators, and CSS variables from the compiled contract."
|
|
8017
8076
|
}));
|
|
8018
8077
|
}
|
|
8078
|
+
const componentStyleTagSignals = countComponentStyleTagSignals(code);
|
|
8079
|
+
if (componentStyleTagSignals > 0) {
|
|
8080
|
+
findings.push(makeFinding({
|
|
8081
|
+
id: "anti-pattern-component-style-tags",
|
|
8082
|
+
category: "Anti-Patterns",
|
|
8083
|
+
severity: resolveSeverityFromChecks(reviewPack, "warn", ["review-contract-baseline", "theme-consistency"]),
|
|
8084
|
+
message: "Component-scoped style tags or dynamic style elements were detected in the reviewed file.",
|
|
8085
|
+
evidence: [filePath, `Component style tag signals: ${componentStyleTagSignals}`],
|
|
8086
|
+
file: filePath,
|
|
8087
|
+
suggestedFix: "Move shared keyframes, media queries, and visual rules into global.css or treatments.css so the file stays aligned with the Decantr layer contract."
|
|
8088
|
+
}));
|
|
8089
|
+
}
|
|
8019
8090
|
const hardcodedColors = antiPatternIds.has("hardcoded-colors") ? findHardcodedColors(code) : [];
|
|
8020
8091
|
if (hardcodedColors.length > 0) {
|
|
8021
8092
|
findings.push(makeFinding({
|