@eduardbar/drift 1.2.0 → 1.4.0

package/tests/plugins.test.ts

@@ -0,0 +1,219 @@
+import { describe, it, expect, afterEach } from 'vitest'
+import { mkdtempSync, rmSync, writeFileSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { analyzeProject } from '../src/analyzer.js'
+
+describe('plugin contract hardening', () => {
+  let tmpDir = ''
+
+  afterEach(() => {
+    if (tmpDir) rmSync(tmpDir, { recursive: true, force: true })
+    tmpDir = ''
+  })
+
+  it('keeps legacy plugins compatible when apiVersion is missing', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-legacy-compatible-'))
+    writeFileSync(join(tmpDir, 'index.ts'), 'export const foo = 1\n')
+    writeFileSync(join(tmpDir, 'legacy-plugin.js'), [
+      'module.exports = {',
+      "  name: 'legacy-plugin',",
+      '  rules: [',
+      '    {',
+      "      id: 'no-foo-export',",
+      "      severity: 'error',",
+      '      weight: 12,',
+      '      detect(file) {',
+      "        if (!file.getFullText().includes('foo')) return []",
+      '        return [{',
+      "          message: 'Avoid exporting foo',",
+      '          line: 1,',
+      '          column: 1,',
+      "          snippet: 'export const foo = 1',",
+      '        }]',
+      '      }',
+      '    },',
+      '    {',
+      "      id: 'Legacy Rule Name',",
+      '      detect() { return [] }',
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./legacy-plugin.js'],
+    })
+
+    const allIssues = reports.flatMap((report) => report.issues)
+    expect(allIssues.some((issue) => issue.rule === 'legacy-plugin/no-foo-export')).toBe(true)
+    expect(allIssues.some((issue) => issue.rule === 'plugin-error')).toBe(false)
+    expect(allIssues.some((issue) => issue.rule === 'plugin-warning' && issue.message.includes('[plugin-api-version-implicit]'))).toBe(true)
+    expect(allIssues.some((issue) => issue.rule === 'plugin-warning' && issue.message.includes('[plugin-rule-id-format-legacy]'))).toBe(true)
+  })
+
+  it('reports actionable diagnostics for invalid plugin contract', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-invalid-contract-'))
+    writeFileSync(join(tmpDir, 'index.ts'), 'export const ok = true\n')
+    writeFileSync(join(tmpDir, 'broken-plugin.js'), [
+      'module.exports = {',
+      "  name: 'broken-plugin',",
+      "  apiVersion: 1,",
+      '  rules: [',
+      '    {',
+      "      name: 'broken rule id',",
+      "      severity: 'fatal',",
+      '      weight: 999,',
+      "      detect: 'not-a-function',",
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./broken-plugin.js'],
+    })
+
+    const pluginIssues = reports
+      .flatMap((report) => report.issues)
+      .filter((issue) => issue.rule === 'plugin-error')
+
+    expect(pluginIssues.length).toBeGreaterThan(0)
+    expect(pluginIssues.some((issue) => issue.message.includes('broken-plugin.js'))).toBe(true)
+    expect(pluginIssues.some((issue) => issue.message.includes('[plugin-rule-detect-invalid]'))).toBe(true)
+  })
+
+  it('rejects plugins with unsupported apiVersion', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-version-mismatch-'))
+    writeFileSync(join(tmpDir, 'index.ts'), 'export const ok = true\n')
+    writeFileSync(join(tmpDir, 'version-mismatch-plugin.js'), [
+      'module.exports = {',
+      "  name: 'version-mismatch-plugin',",
+      '  apiVersion: 99,',
+      '  rules: [',
+      '    {',
+      "      id: 'valid-rule-id',",
+      '      detect() { return [] }',
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./version-mismatch-plugin.js'],
+    })
+
+    const issues = reports.flatMap((report) => report.issues)
+    expect(issues.some((issue) => issue.rule === 'plugin-error' && issue.message.includes('[plugin-api-version-unsupported]'))).toBe(true)
+    expect(issues.some((issue) => issue.rule === 'version-mismatch-plugin/valid-rule-id')).toBe(false)
+  })
+
+  it('rejects plugins with invalid apiVersion format', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-version-invalid-'))
+    writeFileSync(join(tmpDir, 'index.ts'), 'export const ok = true\n')
+    writeFileSync(join(tmpDir, 'version-invalid-plugin.js'), [
+      'module.exports = {',
+      "  name: 'version-invalid-plugin',",
+      "  apiVersion: '1',",
+      '  rules: [',
+      '    {',
+      "      id: 'valid-rule-id',",
+      '      detect() { return [] }',
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./version-invalid-plugin.js'],
+    })
+
+    const issues = reports.flatMap((report) => report.issues)
+    expect(issues.some((issue) => issue.rule === 'plugin-error' && issue.message.includes('[plugin-api-version-invalid]'))).toBe(true)
+    expect(issues.some((issue) => issue.rule === 'version-invalid-plugin/valid-rule-id')).toBe(false)
+  })
+
+  it('rejects duplicate rule IDs within the same plugin', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-duplicate-rules-'))
+    writeFileSync(join(tmpDir, 'index.ts'), 'export const ok = true\n')
+    writeFileSync(join(tmpDir, 'duplicate-rules-plugin.js'), [
+      'module.exports = {',
+      "  name: 'duplicate-rules-plugin',",
+      '  apiVersion: 1,',
+      '  rules: [',
+      '    {',
+      "      id: 'duplicate-rule',",
+      '      detect() {',
+      '        return [{',
+      "          message: 'first duplicate still runs',",
+      '          line: 1,',
+      '          column: 1,',
+      "          snippet: 'export const ok = true',",
+      '        }]',
+      '      }',
+      '    },',
+      '    {',
+      "      id: 'duplicate-rule',",
+      '      detect() { return [] }',
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./duplicate-rules-plugin.js'],
+    })
+
+    const issues = reports.flatMap((report) => report.issues)
+    expect(issues.some((issue) => issue.rule === 'plugin-error' && issue.message.includes('[plugin-rule-id-duplicate]'))).toBe(true)
+    expect(issues.some((issue) => issue.rule === 'duplicate-rules-plugin/duplicate-rule')).toBe(true)
+  })
+
+  it('isolates plugin runtime failures and continues analysis', () => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'drift-plugin-runtime-isolation-'))
+    writeFileSync(join(tmpDir, 'index.ts'), [
+      'export function run(input: any) {',
+      '  return input',
+      '}',
+    ].join('\n'))
+    writeFileSync(join(tmpDir, 'mixed-plugin.js'), [
+      'module.exports = {',
+      "  name: 'mixed-plugin',",
+      '  apiVersion: 1,',
+      '  capabilities: {',
+      '    fixes: true,',
+      '    runtimeSafe: true',
+      '  },',
+      '  rules: [',
+      '    {',
+      "      name: 'throwing-rule',",
+      '      detect() {',
+      "        throw new Error('boom')",
+      '      }',
+      '    },',
+      '    {',
+      "      name: 'safe-rule',",
+      '      detect() {',
+      '        return [{',
+      "          message: 'Safe rule still runs',",
+      '          line: 1,',
+      '          column: 1,',
+      "          snippet: 'export function run(input: any)',",
+      '        }]',
+      '      }',
+      '    }',
+      '  ]',
+      '}',
+    ].join('\n'))
+
+    const reports = analyzeProject(tmpDir, {
+      plugins: ['./mixed-plugin.js'],
+    })
+
+    const rules = reports.flatMap((report) => report.issues.map((issue) => issue.rule))
+    expect(rules).toContain('mixed-plugin/safe-rule')
+    expect(rules).toContain('plugin-error')
+    expect(rules).toContain('any-abuse')
+    expect(rules).not.toContain('plugin-warning')
+  })
+})

package/tests/rules.test.ts

@@ -124,6 +124,17 @@ describe('dead-code', () => {
     const code = `import fs from 'fs'\nconst x = 1`
     expect(getRules(code)).not.toContain('dead-code')
   })
+
+  it('keeps used named imports clean even with many identifiers', () => {
+    const code = [
+      `import { join } from 'path'`,
+      `const a = 'x'`,
+      `const b = 'y'`,
+      `const c = 'z'`,
+      `const p = join(a, b + c)`,
+    ].join('\n')
+    expect(getRules(code)).not.toContain('dead-code')
+  })
 })
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -262,6 +273,12 @@ describe('high-complexity', () => {
 }`
     expect(getRules(code)).toContain('high-complexity')
   })
+
+  it('detects high complexity in class methods', () => {
+    const ifs = Array.from({ length: 11 }, (_, i) => `      if (x === ${i}) return ${i}`).join('\n')
+    const code = `class C {\n  run(x: number): number {\n${ifs}\n    return -1\n  }\n}`
+    expect(getRules(code)).toContain('high-complexity')
+  })
 })
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -344,6 +361,11 @@ describe('too-many-params', () => {
     const code = `const fn = (a: string, b: number, c: boolean, d: string, e: number): void => {}`
     expect(getRules(code)).toContain('too-many-params')
   })
+
+  it('detects class method with too many params', () => {
+    const code = `class C {\n  run(a: string, b: number, c: boolean, d: string, e: number): void {}\n}`
+    expect(getRules(code)).toContain('too-many-params')
+  })
 })
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -685,7 +707,7 @@ abstract class Processor {
   abstract process(x: number): void
 }
 `
-    expect(getRules(code2, 'src/processor.ts')).toContain('unnecessary-abstraction')
+    expect(getRules(code2, undefined, 'src/processor.ts')).toContain('unnecessary-abstraction')
   })
 })
 

package/tests/saas-foundation.test.ts

@@ -4,7 +4,19 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { analyzeProject } from '../src/analyzer.js'
 import { buildReport } from '../src/reporter.js'
-import { ingestSnapshotFromReport, getSaasSummary } from '../src/saas.js'
+import {
+  SaasActorRequiredError,
+  SaasPermissionError,
+  assertSaasPermission,
+  changeOrganizationPlan,
+  getOrganizationEffectiveLimits,
+  getOrganizationUsageSnapshot,
+  getSaasEffectiveLimits,
+  getSaasSummary,
+  ingestSnapshotFromReport,
+  listOrganizationPlanChanges,
+  listSaasSnapshots,
+} from '../src/saas.js'
 
 function createProjectDir(prefix: string): string {
   const dir = mkdtempSync(join(tmpdir(), prefix))
@@ -104,4 +116,349 @@ describe('saas foundations', () => {
     expect(summary.phase).toBe('paid')
     expect(summary.freeUsersRemaining).toBe(0)
   })
+
+  it('isolates tenant data by organization and workspace filters', () => {
+    const projectDir = createProjectDir('drift-saas-tenant-scope-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-a',
+      workspaceId: 'ws-shared',
+      userId: 'u-1',
+      repoName: 'repo-a',
+      storeFile,
+    })
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-b',
+      workspaceId: 'ws-shared',
+      userId: 'u-2',
+      repoName: 'repo-b',
+      storeFile,
+    })
+
+    const orgASummary = getSaasSummary({ storeFile, organizationId: 'org-a' })
+    const orgBSummary = getSaasSummary({ storeFile, organizationId: 'org-b' })
+    const orgASnapshots = listSaasSnapshots({ storeFile, organizationId: 'org-a', workspaceId: 'ws-shared' })
+
+    expect(orgASummary.totalSnapshots).toBe(1)
+    expect(orgBSummary.totalSnapshots).toBe(1)
+    expect(orgASnapshots).toHaveLength(1)
+    expect(orgASnapshots[0]?.organizationId).toBe('org-a')
+  })
+
+  it('enforces workspace plan limit and allows plan upgrade', () => {
+    const projectDir = createProjectDir('drift-saas-plan-limit-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+    const policy = {
+      maxWorkspacesPerOrganizationByPlan: {
+        free: 1,
+        sponsor: 2,
+        team: 4,
+        business: 8,
+      },
+    }
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-plan',
+      workspaceId: 'ws-1',
+      userId: 'owner-1',
+      plan: 'free',
+      storeFile,
+      policy,
+    })
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-plan',
+        workspaceId: 'ws-2',
+        userId: 'owner-1',
+        plan: 'free',
+        storeFile,
+        policy,
+      })
+    }).toThrow(/max workspaces/i)
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-plan',
+        workspaceId: 'ws-2',
+        userId: 'owner-1',
+        plan: 'sponsor',
+        storeFile,
+        policy,
+      })
+    }).not.toThrow()
+  })
+
+  it('stores role primitives for workspace members', () => {
+    const projectDir = createProjectDir('drift-saas-roles-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    const ownerSnapshot = ingestSnapshotFromReport(report, {
+      organizationId: 'org-role',
+      workspaceId: 'ws-role',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    const viewerSnapshot = ingestSnapshotFromReport(report, {
+      organizationId: 'org-role',
+      workspaceId: 'ws-role',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    expect(ownerSnapshot.role).toBe('owner')
+    expect(viewerSnapshot.role).toBe('viewer')
+  })
+
+  it('enforces deterministic permission errors when actor is unauthorized', () => {
+    const projectDir = createProjectDir('drift-saas-authz-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-auth',
+      workspaceId: 'ws-auth',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-auth',
+      workspaceId: 'ws-auth',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-auth',
+        workspaceId: 'ws-auth',
+        userId: 'u-viewer',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+
+    try {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-auth',
+        workspaceId: 'ws-auth',
+        userId: 'u-viewer',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    } catch (error) {
+      expect(error).toBeInstanceOf(SaasPermissionError)
+      const permissionError = error as SaasPermissionError
+      expect(permissionError.code).toBe('SAAS_PERMISSION_DENIED')
+      expect(permissionError.operation).toBe('snapshot:write')
+      expect(permissionError.requiredRole).toBe('member')
+      expect(permissionError.actorRole).toBe('viewer')
+    }
+  })
+
+  it('tracks billing plan lifecycle and usage snapshots', () => {
+    const projectDir = createProjectDir('drift-saas-billing-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-owner',
+      storeFile,
+      plan: 'free',
+    })
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-owner',
+      repoName: 'repo-2',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-billing',
+      workspaceId: 'ws-1',
+      userId: 'u-member',
+      role: 'member',
+      storeFile,
+    })
+
+    expect(() => {
+      changeOrganizationPlan({
+        organizationId: 'org-billing',
+        actorUserId: 'u-member',
+        newPlan: 'team',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+
+    const planChange = changeOrganizationPlan({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      newPlan: 'team',
+      reason: 'need more workspace capacity',
+      storeFile,
+    })
+
+    expect(planChange.fromPlan).toBe('free')
+    expect(planChange.toPlan).toBe('team')
+    expect(planChange.reason).toBe('need more workspace capacity')
+
+    const changes = listOrganizationPlanChanges({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      storeFile,
+    })
+    expect(changes).toHaveLength(1)
+    expect(changes[0]?.changedByUserId).toBe('u-owner')
+
+    const usage = getOrganizationUsageSnapshot({
+      organizationId: 'org-billing',
+      actorUserId: 'u-owner',
+      storeFile,
+    })
+    expect(usage.workspaceCount).toBe(1)
+    expect(usage.repoCount).toBe(2)
+    expect(usage.runCount).toBe(3)
+    expect(usage.runCountThisMonth).toBe(3)
+    expect(usage.plan).toBe('team')
+
+    const limitsByPlan = getSaasEffectiveLimits({ plan: 'team' })
+    const limitsByOrg = getOrganizationEffectiveLimits({ organizationId: 'org-billing', storeFile })
+    expect(limitsByPlan.plan).toBe('team')
+    expect(limitsByOrg.plan).toBe('team')
+    expect(limitsByOrg.maxWorkspaces).toBe(limitsByPlan.maxWorkspaces)
+  })
+
+  it('supports explicit authorization checks for scoped reads', () => {
+    const projectDir = createProjectDir('drift-saas-read-authz-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      userId: 'u-owner',
+      storeFile,
+    })
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      userId: 'u-viewer',
+      role: 'viewer',
+      storeFile,
+    })
+
+    const allowed = assertSaasPermission({
+      operation: 'summary:read',
+      organizationId: 'org-read',
+      workspaceId: 'ws-read',
+      actorUserId: 'u-viewer',
+      storeFile,
+    })
+    expect(allowed.requiredRole).toBe('viewer')
+    expect(allowed.actorRole).toBe('viewer')
+
+    expect(() => {
+      assertSaasPermission({
+        operation: 'billing:write',
+        organizationId: 'org-read',
+        actorUserId: 'u-viewer',
+        storeFile,
+      })
+    }).toThrowError(SaasPermissionError)
+  })
+
+  it('enforces missing actor deterministically when strict actor mode is enabled', () => {
+    const projectDir = createProjectDir('drift-saas-strict-actor-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+    const policy = { strictActorEnforcement: true }
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        userId: 'u-owner',
+        storeFile,
+        policy,
+      })
+    }).toThrowError(SaasActorRequiredError)
+
+    ingestSnapshotFromReport(report, {
+      organizationId: 'org-strict',
+      workspaceId: 'ws-strict',
+      userId: 'u-owner',
+      actorUserId: 'u-owner',
+      storeFile,
+      policy,
+    })
+
+    expect(() => {
+      getSaasSummary({
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        storeFile,
+        policy,
+      })
+    }).toThrowError(SaasActorRequiredError)
+
+    try {
+      getSaasSummary({
+        organizationId: 'org-strict',
+        workspaceId: 'ws-strict',
+        storeFile,
+        policy,
+      })
+    } catch (error) {
+      expect(error).toBeInstanceOf(SaasActorRequiredError)
+      const actorRequired = error as SaasActorRequiredError
+      expect(actorRequired.code).toBe('SAAS_ACTOR_REQUIRED')
+      expect(actorRequired.operation).toBe('summary:read')
+      expect(actorRequired.organizationId).toBe('org-strict')
+      expect(actorRequired.workspaceId).toBe('ws-strict')
+    }
+  })
+
+  it('keeps backward compatibility when strict actor mode is disabled', () => {
+    const projectDir = createProjectDir('drift-saas-compat-')
+    dirs.push(projectDir)
+    const storeFile = join(projectDir, '.drift-cloud', 'store.json')
+    const report = createReport(projectDir)
+
+    expect(() => {
+      ingestSnapshotFromReport(report, {
+        organizationId: 'org-compat',
+        workspaceId: 'ws-compat',
+        userId: 'u-owner',
+        storeFile,
+      })
+    }).not.toThrow()
+
+    const scopedSummary = getSaasSummary({
+      organizationId: 'org-compat',
+      workspaceId: 'ws-compat',
+      storeFile,
+    })
+
+    expect(scopedSummary.totalSnapshots).toBe(1)
+    expect(scopedSummary.usersRegistered).toBe(1)
+  })
 })