@doneisbetter/gds-compliance 2.6.4 → 2.6.5

package/index.js

@@ -16,6 +16,15 @@ const STRICT_COMPLIANCE_FIELDS = [
   'approvedListingPrimitives',
   'approvedActionPrimitives',
   'approvedTemporaryExceptions',
+  'approvedThemeLanes',
+  'themeOwnershipPaths',
+];
+const DEFAULT_APPROVED_THEME_LANES = [
+  'gdsTheme',
+  'gdsDarkPublicTheme',
+  'gdsFlatSurfaceTheme',
+  'gdsEditorialPublicTheme',
+  'createPublicBrandTheme',
 ];
 const EXCEPTION_CATEGORIES = new Set([
   'runtime-constraint',
@@ -33,6 +42,11 @@ const EXCEPTION_REQUIRED_FIELDS = [
   'exitCondition',
   'status',
 ];
+const PRODUCT_AUTHORED_REQUIRED_FIELDS = [
+  'a11yRequirements',
+  'testingRequirements',
+  'observabilityRequirements',
+];
 
 export function validateManifest(manifest) {
   const findings = [];
@@ -161,6 +175,22 @@ function validateApprovedExceptions(manifest) {
         message: `Approved exception "${exception.surface}" has an over-broad scope. Exception scopes must stay narrow and reviewable.`,
       });
     }
+
+    if (exception.category === 'product-authored-experience') {
+      const missingProductAuthoredFields = PRODUCT_AUTHORED_REQUIRED_FIELDS.filter((field) => {
+        const value = exception[field];
+        return !Array.isArray(value) || value.length === 0;
+      });
+
+      if (missingProductAuthoredFields.length > 0) {
+        findings.push({
+          rule: 'exception-product-authored-metadata',
+          severity: 'error',
+          file: exception.surface,
+          message: `Creator-authored experience exception "${exception.surface}" must define ${missingProductAuthoredFields.join(', ')} so accessibility, testing, and observability obligations remain explicit.`,
+        });
+      }
+    }
   }
 
   return findings;
@@ -188,6 +218,23 @@ function normalizePath(value) {
   return value.replace(/\\/g, '/');
 }
 
+function escapeRegex(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, '\\$&');
+}
+
+function globToRegExp(pattern) {
+  const normalized = normalizePath(pattern).replace(/^\.\//, '');
+  const escaped = escapeRegex(normalized)
+    .replace(/\\\*\\\*/g, '.*')
+    .replace(/\\\*/g, '[^/]*');
+  return new RegExp(`^${escaped}$`);
+}
+
+function matchesScope(relativePath, scopes) {
+  const normalizedRelativePath = normalizePath(relativePath).replace(/^\.\//, '');
+  return scopes.some((scope) => globToRegExp(scope).test(normalizedRelativePath));
+}
+
 function isForbiddenImport(source, allowedImports, forbiddenImports) {
   if (allowedImports.has(source)) {
     return false;
@@ -319,6 +366,106 @@ function runStrictCompliance({ manifest, manifestRoot, sourceFiles }) {
   return findings;
 }
 
+function validateApprovedExceptionsAgainstRepo({ manifestRoot, manifest, sourceFiles }) {
+  const findings = [];
+  const normalizedRoot = normalizePath(manifestRoot).replace(/\/$/, '');
+  const normalizedSourceFiles = sourceFiles.map((absolutePath) => ({
+    absolutePath,
+    relativePath: normalizePath(absolutePath).replace(`${normalizedRoot}/`, ''),
+  }));
+
+  for (const exception of manifest.approvedExceptions ?? []) {
+    const scopes = exception.scope ?? [];
+    if (!scopes.length) {
+      continue;
+    }
+
+    const matchingFiles = normalizedSourceFiles.filter((file) => matchesScope(file.relativePath, scopes));
+    if (!matchingFiles.length) {
+      findings.push({
+        rule: 'exception-scope-no-matches',
+        severity: 'error',
+        file: exception.surface,
+        message: `Approved exception "${exception.surface}" does not match any files in the repository. Remove the stale exception or narrow it to the real implementation path.`,
+      });
+    }
+  }
+
+  for (const adapter of manifest.localAdapters ?? []) {
+    if (adapter.status !== 'exception') {
+      continue;
+    }
+
+    const normalizedAdapterPath = normalizePath(adapter.path).replace(/^\.\//, '');
+    const coveredByApprovedException = (manifest.approvedExceptions ?? []).some((exception) =>
+      matchesScope(normalizedAdapterPath, exception.scope ?? []));
+
+    if (!coveredByApprovedException) {
+      findings.push({
+        rule: 'exception-adapter-outside-scope',
+        severity: 'error',
+        file: adapter.path,
+        message: `Local adapter exception "${adapter.contract}" is not covered by any approved exception scope. Tie exception adapters to a reviewed narrow exception instead of leaving local authority unbounded.`,
+      });
+    }
+  }
+
+  return findings;
+}
+
+function isCoveredByApprovedException(relativePath, approvedExceptions = []) {
+  return approvedExceptions.some((exception) => matchesScope(relativePath, exception.scope ?? []));
+}
+
+function findThemeOwnershipFiles({ manifestRoot, sourceFiles, themeOwnershipPaths = [] }) {
+  if (!themeOwnershipPaths.length) {
+    return [];
+  }
+
+  const normalizedRoot = normalizePath(manifestRoot).replace(/\/$/, '');
+  return sourceFiles.filter((absolutePath) => {
+    const relativePath = normalizePath(absolutePath).replace(`${normalizedRoot}/`, '');
+    return themeOwnershipPaths.some((scope) => matchesScope(relativePath, [scope]));
+  });
+}
+
+function scanThemeGovernance({ manifestRoot, manifest, sourceFiles }) {
+  const findings = [];
+  const approvedThemeLanes = new Set(manifest.compliance?.approvedThemeLanes ?? DEFAULT_APPROVED_THEME_LANES);
+  const themeOwnershipPaths = manifest.compliance?.themeOwnershipPaths ?? [];
+  const themeFiles = findThemeOwnershipFiles({ manifestRoot, sourceFiles, themeOwnershipPaths });
+  const normalizedRoot = normalizePath(manifestRoot).replace(/\/$/, '');
+
+  for (const filePath of themeFiles) {
+    const content = readFileSync(filePath, 'utf8');
+    const relativePath = normalizePath(filePath).replace(`${normalizedRoot}/`, '');
+
+    if (isCoveredByApprovedException(relativePath, manifest.approvedExceptions ?? [])) {
+      continue;
+    }
+
+    if (/import\s*\{[^}]*\bextendGdsTheme\b[^}]*\}\s*from\s*['"]@doneisbetter\/gds(?:-theme)?(?:\/(?:client|server))?['"]/.test(content)) {
+      findings.push({
+        rule: 'theme.noncanonical-extend-helper',
+        severity: 'error',
+        file: relativePath,
+        message: `Theme ownership file "${relativePath}" imports extendGdsTheme(...). Consumer repos must use approved theme lanes (${[...approvedThemeLanes].join(', ')}) instead of a custom branding-layer helper.`,
+      });
+    }
+
+    if (/\b(createTheme|mergeMantineTheme|mergeThemeOverrides)\s*\(/.test(content)) {
+      findings.push({
+        rule: 'theme.parallel-branding-layer',
+        severity: 'error',
+        file: relativePath,
+        message: `Theme ownership file "${relativePath}" creates a local Mantine theme layer outside the approved GDS theme lanes. Use a shipped preset or createPublicBrandTheme(...) instead of a parallel branding authority.`,
+      });
+    }
+  }
+
+  return findings;
+}
+
 export function runComplianceCheck({ manifestPath }) {
   const absoluteManifestPath = resolve(manifestPath);
   const manifestRoot = dirname(absoluteManifestPath);
@@ -393,6 +540,8 @@ export function runComplianceCheck({ manifestPath }) {
   }
 
   findings.push(...validateApprovedExceptions(manifest));
+  findings.push(...validateApprovedExceptionsAgainstRepo({ manifestRoot, manifest, sourceFiles }));
+  findings.push(...scanThemeGovernance({ manifestRoot, manifest, sourceFiles }));
 
   if (protectedSurfacePaths.length) {
     const normalizedProtectedSurfacePaths = protectedSurfacePaths.map((value) => normalizePath(resolve(manifestRoot, value)));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doneisbetter/gds-compliance",
-  "version": "2.6.4",
+  "version": "2.6.5",
   "type": "module",
   "main": "./index.js",
   "bin": {