@eduardbar/drift 1.2.0 → 1.3.0

package/tests/saas-foundation.test.ts

@@ -4,7 +4,19 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { analyzeProject } from '../src/analyzer.js'
 import { buildReport } from '../src/reporter.js'
-import { ingestSnapshotFromReport, getSaasSummary } from '../src/saas.js'
+import {
+  SaasActorRequiredError,
+  SaasPermissionError,
+  assertSaasPermission,
+  changeOrganizationPlan,
+  getOrganizationEffectiveLimits,
+  getOrganizationUsageSnapshot,
+  getSaasEffectiveLimits,
+  getSaasSummary,
+  ingestSnapshotFromReport,
+  listOrganizationPlanChanges,
+  listSaasSnapshots,
+} from '../src/saas.js'
 
 function createProjectDir(prefix: string): string {
   const dir = mkdtempSync(join(tmpdir(), prefix))
@@ -104,4 +116,349 @@ describe('saas foundations', () => {
     expect(summary.phase).toBe('paid')
     expect(summary.freeUsersRemaining).toBe(0)
   })
+
+  it('isolates tenant data by organization and workspace filters', () => {
+    const projectDir = createProjectDir('drift-saas-tenant-scope-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-a',
+      workspaceId: 'ws-shared',
+      userId: 'u-1',
+      repoName: 'repo-a',
+      storeFile,
+    })
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-b',
+      workspaceId: 'ws-shared',
+      userId: 'u-2',
+      repoName: 'repo-b',
+      storeFile,
+    })
+
+    const orgASummary = getSaasSummary({ storeFile, organizationId: 'org-a' })
+    const orgBSummary = getSaasSummary({ storeFile, organizationId: 'org-b' })
+    const orgASnapshots = listSaasSnapshots({ storeFile, organizationId: 'org-a', workspaceId: 'ws-shared' })
+
+    expect(orgASummary.totalSnapshots).toBe(1)
+    expect(orgBSummary.totalSnapshots).toBe(1)
+    expect(orgASnapshots).toHaveLength(1)
+    expect(orgASnapshots[0]?.organizationId).toBe('org-a')
+  })
+
+  it('enforces workspace plan limit and allows plan upgrade', () => {
+    const projectDir = createProjectDir('drift-saas-plan-limit-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+    const policy = {
+      maxWorkspacesPerOrganizationByPlan: {
+        free: 1,
+        sponsor: 2,
+        team: 4,
+        business: 8,
+      },
+    }
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-plan',
+      workspaceId: 'ws-1',
+      userId: 'owner-1',
+      plan: 'free',
+      storeFile,
+      policy,
+    })
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-plan',
+        workspaceId: 'ws-2',
+        userId: 'owner-1',
+        plan: 'free',
+        storeFile,
+        policy,
+      })
+    }).toThrow(/max workspaces/i)
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-plan',
+        workspaceId: 'ws-2',
+        userId: 'owner-1',
+        plan: 'sponsor',
+        storeFile,
+        policy,
+      })
+    }).not.toThrow()
+  })
+
+  it('stores role primitives for workspace members', () => {
+    const projectDir = createProjectDir('drift-saas-roles-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    const ownerSnapshot = ingestSnapshotFromReport(report, {
+      organizationId: 'org-role',
+      workspaceId: 'ws-role',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    const viewerSnapshot = ingestSnapshotFromReport(report, {
+      organizationId: 'org-role',
+      workspaceId: 'ws-role',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    expect(ownerSnapshot.role).toBe('owner')
+    expect(viewerSnapshot.role).toBe('viewer')
+  })
+
+  it('enforces deterministic permission errors when actor is unauthorized', () => {
+    const projectDir = createProjectDir('drift-saas-authz-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-auth',
+      workspaceId: 'ws-auth',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-auth',
+      workspaceId: 'ws-auth',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-auth',
+        workspaceId: 'ws-auth',
+        userId: 'u-viewer',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+
+    try {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-auth',
+        workspaceId: 'ws-auth',
+        userId: 'u-viewer',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    } catch (error) {
+      expect(error).toBeInstanceOf(SaasPermissionError)
+      const permissionError = error as SaasPermissionError
+      expect(permissionError.code).toBe('SAAS_PERMISSION_DENIED')
+      expect(permissionError.operation).toBe('snapshot:write')
+      expect(permissionError.requiredRole).toBe('member')
+      expect(permissionError.actorRole).toBe('viewer')
+    }
+  })
+
+  it('tracks billing plan lifecycle and usage snapshots', () => {
+    const projectDir = createProjectDir('drift-saas-billing-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-owner',
+      storeFile,
+      plan: 'free',
+    })
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-owner',
+      repoName: 'repo-2',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-member',
+      role: 'member',
+      storeFile,
+    })
+
+    expect(() => {
+      changeOrganizationPlan({
+        organizationId: 'org-billing',
+        actorUserId: 'u-member',
+        newPlan: 'team',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+
+    const planChange = changeOrganizationPlan({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      newPlan: 'team',
+      reason: 'need more workspace capacity',
+      storeFile,
+    })
+
+    expect(planChange.fromPlan).toBe('free')
+    expect(planChange.toPlan).toBe('team')
+    expect(planChange.reason).toBe('need more workspace capacity')
+
+    const changes = listOrganizationPlanChanges({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      storeFile,
+    })
+    expect(changes).toHaveLength(1)
+    expect(changes[0]?.changedByUserId).toBe('u-owner')
+
+    const usage = getOrganizationUsageSnapshot({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      storeFile,
+    })
+    expect(usage.workspaceCount).toBe(1)
+    expect(usage.repoCount).toBe(2)
+    expect(usage.runCount).toBe(3)
+    expect(usage.runCountThisMonth).toBe(3)
+    expect(usage.plan).toBe('team')
+
+    const limitsByPlan = getSaasEffectiveLimits({ plan: 'team' })
+    const limitsByOrg = getOrganizationEffectiveLimits({ organizationId: 'org-billing', storeFile })
+    expect(limitsByPlan.plan).toBe('team')
+    expect(limitsByOrg.plan).toBe('team')
+    expect(limitsByOrg.maxWorkspaces).toBe(limitsByPlan.maxWorkspaces)
+  })
+
+  it('supports explicit authorization checks for scoped reads', () => {
+    const projectDir = createProjectDir('drift-saas-read-authz-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    const allowed = assertSaasPermission({
+      operation: 'summary:read',
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      actorUserId: 'u-viewer',
+      storeFile,
+    })
+    expect(allowed.requiredRole).toBe('viewer')
+    expect(allowed.actorRole).toBe('viewer')
+
+    expect(() => {
+      assertSaasPermission({
+        operation: 'billing:write',
+        organizationId: 'org-read',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+  })
+
+  it('enforces missing actor deterministically when strict actor mode is enabled', () => {
+    const projectDir = createProjectDir('drift-saas-strict-actor-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+    const policy = { strictActorEnforcement: true }
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        userId: 'u-owner',
+        storeFile,
+        policy,
+      })
+    }).toThrowError(SaasActorRequiredError)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-strict',
+      workspaceId: 'ws-strict',
+      userId: 'u-owner',
+      actorUserId: 'u-owner',
+      storeFile,
+      policy,
+    })
+
+    expect(() => {
+      getSaasSummary({
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        storeFile,
+        policy,
+      })
+    }).toThrowError(SaasActorRequiredError)
+
+    try {
+      getSaasSummary({
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        storeFile,
+        policy,
+      })
+    } catch (error) {
+      expect(error).toBeInstanceOf(SaasActorRequiredError)
+      const actorRequired = error as SaasActorRequiredError
+      expect(actorRequired.code).toBe('SAAS_ACTOR_REQUIRED')
+      expect(actorRequired.operation).toBe('summary:read')
+      expect(actorRequired.organizationId).toBe('org-strict')
+      expect(actorRequired.workspaceId).toBe('ws-strict')
+    }
+  })
+
+  it('keeps backward compatibility when strict actor mode is disabled', () => {
+    const projectDir = createProjectDir('drift-saas-compat-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-compat',
+        workspaceId: 'ws-compat',
+        userId: 'u-owner',
+        storeFile,
+      })
+    }).not.toThrow()
+
+    const scopedSummary = getSaasSummary({
+      organizationId: 'org-compat',
+      workspaceId: 'ws-compat',
+      storeFile,
+    })
+
+    expect(scopedSummary.totalSnapshots).toBe(1)
+    expect(scopedSummary.usersRegistered).toBe(1)
+  })
 })

package/tests/trust-kpi.test.ts

@@ -0,0 +1,120 @@
+import { afterEach, describe, expect, it } from 'vitest'
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { computeTrustKpis } from '../src/trust-kpi.js'
+
+describe('trust KPI aggregation', () => {
+  let tempDir = ''
+
+  afterEach(() => {
+    if (tempDir) rmSync(tempDir, { recursive: true, force: true })
+    tempDir = ''
+  })
+
+  it('aggregates trust KPIs and diff trends from JSON artifacts', () => {
+    tempDir = mkdtempSync(join(tmpdir(), 'drift-kpi-aggregate-'))
+
+    writeFileSync(join(tempDir, 'trust-a.json'), JSON.stringify({
+      trust_score: 80,
+      merge_risk: 'LOW',
+      diff_context: {
+        baseRef: 'origin/main',
+        status: 'improved',
+        scoreDelta: -5,
+        newIssues: 1,
+        resolvedIssues: 3,
+        filesChanged: 2,
+        penalty: 0,
+        bonus: 7,
+        netImpact: -7,
+      },
+    }, null, 2))
+
+    writeFileSync(join(tempDir, 'trust-b.json'), JSON.stringify({
+      trust_score: 60,
+      merge_risk: 'MEDIUM',
+      diff_context: {
+        baseRef: 'origin/main',
+        status: 'regressed',
+        scoreDelta: 8,
+        newIssues: 4,
+        resolvedIssues: 1,
+        filesChanged: 3,
+        penalty: 9,
+        bonus: 0,
+        netImpact: 9,
+      },
+    }, null, 2))
+
+    writeFileSync(join(tempDir, 'trust-c.json'), JSON.stringify({
+      trust_score: 30,
+      merge_risk: 'HIGH',
+    }, null, 2))
+
+    const kpi = computeTrustKpis(tempDir)
+
+    expect(kpi.files).toEqual({ matched: 3, parsed: 3, malformed: 0 })
+    expect(kpi.prsEvaluated).toBe(3)
+    expect(kpi.mergeRiskDistribution).toEqual({ LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0 })
+    expect(kpi.highRiskRatio).toBe(0.3333)
+    expect(kpi.trustScore).toEqual({ average: 56.67, median: 60, min: 30, max: 80 })
+
+    expect(kpi.diffTrend.available).toBe(true)
+    expect(kpi.diffTrend.samples).toBe(2)
+    expect(kpi.diffTrend.statusDistribution).toEqual({ improved: 1, regressed: 1, neutral: 0 })
+    expect(kpi.diffTrend.scoreDelta).toEqual({ average: 1.5, median: 1.5 })
+    expect(kpi.diffTrend.issues).toEqual({ newTotal: 5, resolvedTotal: 4, netNew: 1 })
+    expect(kpi.diagnostics).toEqual([])
+  })
+
+  it('keeps parsing resilient and reports diagnostics for malformed artifacts', () => {
+    tempDir = mkdtempSync(join(tmpdir(), 'drift-kpi-parse-'))
+
+    writeFileSync(join(tempDir, 'valid.json'), JSON.stringify({
+      trust_score: 70,
+      merge_risk: 'MEDIUM',
+      diff_context: {
+        scoreDelta: 2,
+        newIssues: 3,
+        resolvedIssues: 1,
+      },
+    }, null, 2))
+
+    writeFileSync(join(tempDir, 'broken.json'), '{"trust_score":70')
+    writeFileSync(join(tempDir, 'invalid-shape.json'), JSON.stringify({ trust_score: 70 }, null, 2))
+    writeFileSync(join(tempDir, 'bad-diff.json'), JSON.stringify({
+      trust_score: 50,
+      merge_risk: 'HIGH',
+      diff_context: 'oops',
+    }, null, 2))
+
+    const kpi = computeTrustKpis(tempDir)
+
+    expect(kpi.files.matched).toBe(4)
+    expect(kpi.files.parsed).toBe(2)
+    expect(kpi.files.malformed).toBe(2)
+    expect(kpi.prsEvaluated).toBe(2)
+
+    const byCode = new Set(kpi.diagnostics.map((diagnostic) => diagnostic.code))
+    expect(byCode.has('parse-failed')).toBe(true)
+    expect(byCode.has('invalid-shape')).toBe(true)
+    expect(byCode.has('invalid-diff-context')).toBe(true)
+  })
+
+  it('supports glob input selection for trust artifacts', () => {
+    tempDir = mkdtempSync(join(tmpdir(), 'drift-kpi-glob-'))
+    mkdirSync(join(tempDir, 'nested'))
+
+    writeFileSync(join(tempDir, 'trust-1.json'), JSON.stringify({ trust_score: 90, merge_risk: 'LOW' }))
+    writeFileSync(join(tempDir, 'nested', 'trust-2.json'), JSON.stringify({ trust_score: 20, merge_risk: 'CRITICAL' }))
+    writeFileSync(join(tempDir, 'other.json'), JSON.stringify({ trust_score: 55, merge_risk: 'MEDIUM' }))
+
+    const pattern = join(tempDir, '**', 'trust-*.json')
+    const kpi = computeTrustKpis(pattern)
+
+    expect(kpi.files).toEqual({ matched: 2, parsed: 2, malformed: 0 })
+    expect(kpi.mergeRiskDistribution).toEqual({ LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 1 })
+    expect(kpi.trustScore.average).toBe(55)
+  })
+})