@nathapp/nax 0.18.6 → 0.20.0

package/test/unit/execution/post-verify-regression.test.ts

@@ -1,18 +1,18 @@
 /**
- * BUG-026: Regression gate timeout accepts scoped pass instead of escalating
+ * BUG-026: Regression gate timeout acceptance
  *
- * Tests that runRegressionGate (via runPostAgentVerification):
+ * Tests that runPostAgentVerification:
  * - Returns passed when regression gate TIMES OUT and acceptOnTimeout=true (default)
  * - Returns failed when regression gate TIMES OUT and acceptOnTimeout=false
- * - Returns failed when regression gate returns TEST_FAILURE (existing behavior unchanged)
+ * - Returns failed when regression gate returns TEST_FAILURE
  * - Defaults acceptOnTimeout to true when not set in config
  *
- * These are behavioral tests that call the actual function with mocked dependencies.
- * They complement the type-level tests already in post-verify.test.ts.
+ * With the removal of scoped verification, post-verify now ONLY runs the full-suite regression gate.
+ * These behavioral tests call the actual function with mocked dependencies.
  */
 
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { mkdtempSync, rmSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 import type { NaxConfig } from "../../../src/config";
@@ -37,7 +37,7 @@ const mockRunVerification = mock(async (): Promise<VerResult> => {
   return resp;
 });
 
-const mockRevertStoriesOnFailure = mock(async ({ prd }: { prd: PRD; [k: string]: unknown }) => prd);
+const mockRevertStoriesOnFailure = mock(async (opts: any) => opts.prd);
 const mockRunRectificationLoop = mock(async () => false);
 
 // ---------------------------------------------------------------------------
@@ -53,47 +53,10 @@ const _origPostVerifyDeps = { ..._postVerifyDeps };
 // Fixtures
 // ---------------------------------------------------------------------------
 
-/** Run a git command in a directory using Bun-native spawn. */
-function gitSync(args: string[], cwd: string): void {
-  const proc = Bun.spawnSync(["git", ...args], { cwd, stdin: "ignore", stdout: "ignore", stderr: "ignore" });
-  if (proc.exitCode !== 0) {
-    throw new Error(`git ${args[0]} failed in ${cwd}`);
-  }
-}
-
-/** Read stdout from a git command. */
-function gitOutput(args: string[], cwd: string): string {
-  const proc = Bun.spawnSync(["git", ...args], { cwd, stdin: "ignore", stdout: "pipe", stderr: "ignore" });
-  return new TextDecoder().decode(proc.stdout).trim();
-}
-
-/**
- * Create a temp git repo with two commits so that `git diff storyGitRef HEAD`
- * returns at least one test file — needed for the regression gate to activate.
- */
-function makeGitRepo(): { dir: string; storyGitRef: string } {
-  const dir = mkdtempSync(join(tmpdir(), "nax-bug026-"));
-
-  gitSync(["init"], dir);
-  gitSync(["config", "user.email", "test@example.com"], dir);
-  gitSync(["config", "user.name", "test"], dir);
-
-  // Initial commit → becomes storyGitRef
-  writeFileSync(join(dir, "src.ts"), "export const x = 1;");
-  gitSync(["add", "."], dir);
-  gitSync(["commit", "-m", "initial"], dir);
-  const storyGitRef = gitOutput(["rev-parse", "HEAD"], dir);
-
-  // Second commit: adds a test file (changed after storyGitRef)
-  mkdirSync(join(dir, "test"), { recursive: true });
-  writeFileSync(
-    join(dir, "test", "example.test.ts"),
-    'import { test, expect } from "bun:test";\ntest("x", () => expect(1).toBe(1));',
-  );
-  gitSync(["add", "."], dir);
-  gitSync(["commit", "-m", "add test"], dir);
-
-  return { dir, storyGitRef };
+/** Create a temp directory for test fixtures. */
+function makeTempDir(): string {
+  const dir = mkdtempSync(join(tmpdir(), "nax-post-verify-"));
+  return dir;
 }
 
 function makeConfig(
@@ -139,6 +102,7 @@ function makeConfig(
       regressionGate: {
         enabled: true,
         timeoutSeconds: 120,
+        mode: "per-story",
         ...regressionGateOverrides,
       },
       contextProviderTokenBudget: 2000,
@@ -216,7 +180,6 @@ function makePRD(story: UserStory): PRD {
 
 function makeOpts(
   workdir: string,
-  storyGitRef: string,
   config: NaxConfig,
   story: UserStory,
   prd: PRD,
@@ -230,7 +193,6 @@ function makeOpts(
     storiesToExecute: [story],
     allStoryMetrics: [] as StoryMetrics[],
     timeoutRetryCountMap: new Map<string, number>(),
-    storyGitRef,
   };
 }
 
@@ -239,19 +201,14 @@ function makeOpts(
 // ---------------------------------------------------------------------------
 
 let tempDir: string;
-let storyGitRef: string;
 
 beforeEach(() => {
   // Wire _postVerifyDeps to mocks
   _postVerifyDeps.runVerification = mockRunVerification as typeof _postVerifyDeps.runVerification;
-  _postVerifyDeps.parseTestOutput = () => ({ passCount: 5, failCount: 0, isEnvironmentalFailure: false }) as any;
-  _postVerifyDeps.getEnvironmentalEscalationThreshold = () => 3;
   _postVerifyDeps.revertStoriesOnFailure = mockRevertStoriesOnFailure as typeof _postVerifyDeps.revertStoriesOnFailure;
   _postVerifyDeps.runRectificationLoop = mockRunRectificationLoop as typeof _postVerifyDeps.runRectificationLoop;
   _postVerifyDeps.getExpectedFiles = () => [];
   _postVerifyDeps.savePRD = mock(async () => {}) as typeof _postVerifyDeps.savePRD;
-  _postVerifyDeps.appendProgress = mock(async () => {}) as typeof _postVerifyDeps.appendProgress;
-  _postVerifyDeps.getTierConfig = () => undefined as any;
   _postVerifyDeps.parseBunTestOutput = () => ({ failed: 0, passed: 5, failures: [] }) as any;
   mockRunVerification.mockClear();
   mockRevertStoriesOnFailure.mockClear();
@@ -259,9 +216,7 @@ beforeEach(() => {
   _verificationResponses = [];
   _verificationCallIndex = 0;
 
-  const repo = makeGitRepo();
-  tempDir = repo.dir;
-  storyGitRef = repo.storyGitRef;
+  tempDir = makeTempDir();
 });
 
 afterEach(() => {
@@ -276,9 +231,8 @@ afterEach(() => {
 
 describe("BUG-026: regression gate TIMEOUT acceptance", () => {
   test("TIMEOUT + acceptOnTimeout=true → runPostAgentVerification returns passed", async () => {
-    // Call 1: scoped verification passes; Call 2: regression gate times out
+    // Now only one call: regression gate times out with acceptOnTimeout=true
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
@@ -286,14 +240,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    const result = await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(result.passed).toBe(true);
   });
 
   test("TIMEOUT + acceptOnTimeout=true → revertStoriesOnFailure is NOT called", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
@@ -301,14 +254,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(mockRevertStoriesOnFailure).not.toHaveBeenCalled();
   });
 
   test("TIMEOUT + acceptOnTimeout=false → runPostAgentVerification returns failed", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
@@ -316,14 +268,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    const result = await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(result.passed).toBe(false);
   });
 
   test("TIMEOUT + acceptOnTimeout=false → revertStoriesOnFailure IS called", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
@@ -331,14 +282,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(mockRevertStoriesOnFailure).toHaveBeenCalledTimes(1);
   });
 
   test("TIMEOUT + acceptOnTimeout not set → defaults to true → returns passed", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
@@ -347,14 +297,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    const result = await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(result.passed).toBe(true);
   });
 
   test("TEST_FAILURE in regression gate → returns failed regardless of acceptOnTimeout", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TEST_FAILURE", countsTowardEscalation: true, output: "FAIL 1" },
     ];
 
@@ -362,14 +311,13 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    const result = await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(result.passed).toBe(false);
   });
 
   test("TEST_FAILURE in regression gate → revertStoriesOnFailure IS called", async () => {
     _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
       { success: false, status: "TEST_FAILURE", countsTowardEscalation: true, output: "FAIL 1" },
     ];
 
@@ -377,39 +325,38 @@ describe("BUG-026: regression gate TIMEOUT acceptance", () => {
     const story = makeStory();
     const prd = makePRD(story);
 
-    await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(mockRevertStoriesOnFailure).toHaveBeenCalledTimes(1);
   });
 
-  test("regression gate runs second → runVerification called twice (scoped + full suite)", async () => {
+  test("full-suite regression gate passes → returns passed (one call to runVerification)", async () => {
     _verificationResponses = [
       { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
-      { success: false, status: "TIMEOUT", countsTowardEscalation: false },
     ];
 
     const config = makeConfig({ acceptOnTimeout: true });
     const story = makeStory();
     const prd = makePRD(story);
 
-    await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
-    // Once for scoped verification, once for regression gate
-    expect(mockRunVerification).toHaveBeenCalledTimes(2);
+    // Post-verify now ONLY runs the full-suite regression gate (no scoped verification)
+    expect(result.passed).toBe(true);
+    expect(mockRunVerification).toHaveBeenCalledTimes(1);
   });
 
-  test("regression gate disabled → only scoped test runs (one call to runVerification)", async () => {
-    _verificationResponses = [
-      { success: true, status: "SUCCESS", countsTowardEscalation: true, output: "pass 5" },
-    ];
+  test("regression gate disabled → returns passed (skips regression gate)", async () => {
+    _verificationResponses = [];
 
     const config = makeConfig({ enabled: false, timeoutSeconds: 120 });
     const story = makeStory();
     const prd = makePRD(story);
 
-    const result = await runPostAgentVerification(makeOpts(tempDir, storyGitRef, config, story, prd));
+    const result = await runPostAgentVerification(makeOpts(tempDir, config, story, prd));
 
     expect(result.passed).toBe(true);
-    expect(mockRunVerification).toHaveBeenCalledTimes(1);
+    // No verification calls when regression gate is disabled
+    expect(mockRunVerification).toHaveBeenCalledTimes(0);
   });
 });

package/test/unit/execution/post-verify.test.ts

@@ -1,10 +1,13 @@
 /**
- * Unit tests for post-verify regression gate (BUG-009)
+ * Unit tests for regression gate configuration and behavior
  *
- * Tests the logic for:
- * - Running regression gate after scoped verification passes
- * - Skipping regression gate when scoped verification already ran full suite
- * - Feeding regression failures into rectification loop
+ * Tests the configuration and type-level logic for:
+ * - Regression gate enabled/disabled state
+ * - Timeout configuration and acceptOnTimeout behavior (BUG-026)
+ * - Story state transitions on regression failure
+ * - Metrics removal on regression failure
+ *
+ * Behavioral tests are in post-verify-regression.test.ts
  */
 
 import { describe, expect, test } from "bun:test";
@@ -41,44 +44,28 @@ describe("RegressionGateConfig", () => {
 });
 
 describe("Regression Gate Logic", () => {
-  test("should run regression gate when scoped tests were run (changed files > 0)", () => {
-    const changedTestFiles = ["test/foo.test.ts", "test/bar.test.ts"];
-    const regressionGateEnabled = true;
-    const scopedTestsWereRun = changedTestFiles.length > 0;
-
-    // Logic: regression gate should run
-    const shouldRunRegressionGate = regressionGateEnabled && scopedTestsWereRun;
-    expect(shouldRunRegressionGate).toBe(true);
-  });
-
-  test("should skip regression gate when scoped tests ran full suite (changed files = 0)", () => {
-    const changedTestFiles: string[] = [];
+  test("regression gate should run when enabled (post-verify always runs full suite)", () => {
     const regressionGateEnabled = true;
-    const scopedTestsWereRun = changedTestFiles.length > 0;
 
-    // Logic: regression gate should NOT run (full suite already ran)
-    const shouldRunRegressionGate = regressionGateEnabled && scopedTestsWereRun;
-    expect(shouldRunRegressionGate).toBe(false);
+    // Post-verify now ONLY runs full-suite regression gate (no scoped logic)
+    expect(regressionGateEnabled).toBe(true);
   });
 
-  test("should skip regression gate when disabled in config", () => {
-    const changedTestFiles = ["test/foo.test.ts"];
+  test("regression gate should skip when disabled in config", () => {
     const regressionGateEnabled = false;
-    const scopedTestsWereRun = changedTestFiles.length > 0;
 
-    // Logic: regression gate should NOT run (disabled)
-    const shouldRunRegressionGate = regressionGateEnabled && scopedTestsWereRun;
-    expect(shouldRunRegressionGate).toBe(false);
+    // Logic: regression gate should NOT run
+    expect(regressionGateEnabled).toBe(false);
   });
 
-  test("should skip regression gate when both disabled AND no changed files", () => {
-    const changedTestFiles: string[] = [];
-    const regressionGateEnabled = false;
-    const scopedTestsWereRun = changedTestFiles.length > 0;
+  test("post-verify removes scoped verification (always runs full suite)", () => {
+    // With the removal of scoped verification, post-verify always:
+    // 1. Runs the full-suite regression gate (if enabled)
+    // 2. Reverts on failure
+    // 3. Optionally runs rectification on test failures
 
-    // Logic: regression gate should NOT run
-    const shouldRunRegressionGate = regressionGateEnabled && scopedTestsWereRun;
-    expect(shouldRunRegressionGate).toBe(false);
+    const hasNoScopedVerification = true;
+    expect(hasNoScopedVerification).toBe(true);
   });
 });
 
@@ -104,27 +91,20 @@ describe("Regression Failure Handling", () => {
 
 describe("Rectification Prompt for Regression", () => {
   test("should include REGRESSION prefix in rectification prompt", () => {
-    const basePrompt = `# Rectification Required
-
-Your changes caused test regressions. Fix these without breaking existing logic.`;
-
-    const regressionPrompt = `# REGRESSION: Cross-Story Test Failures
-
-Your changes passed scoped tests but broke unrelated tests. Fix these regressions.
+    const regressionPrompt = `# REGRESSION: Full-Suite Test Failures
 
-${basePrompt}`;
+Your changes broke tests in the full suite. Fix these regressions.`;
 
     expect(regressionPrompt).toContain("# REGRESSION:");
-    expect(regressionPrompt).toContain("passed scoped tests but broke unrelated tests");
-    expect(regressionPrompt).toContain(basePrompt);
+    expect(regressionPrompt).toContain("Full-Suite Test Failures");
   });
 
-  test("regression prompt should emphasize cross-story nature", () => {
+  test("regression prompt should emphasize full-suite nature", () => {
     const regressionPrompt =
-      "# REGRESSION: Cross-Story Test Failures\n\nYour changes passed scoped tests but broke unrelated tests.";
+      "# REGRESSION: Full-Suite Test Failures\n\nYour changes broke tests in the full suite.";
 
-    expect(regressionPrompt).toContain("Cross-Story");
-    expect(regressionPrompt).toContain("unrelated tests");
+    expect(regressionPrompt).toContain("Full-Suite");
+    expect(regressionPrompt).toContain("broke tests");
   });
 });
 

package/test/unit/formatters.test.ts

@@ -44,9 +44,8 @@ describe("formatConsole", () => {
 
     const output = formatConsole(entry);
 
-    // Should not contain brackets around storyId
-    const bracketCount = (output.match(/\[/g) || []).length;
-    expect(bracketCount).toBe(2); // Only timestamp and stage
+    // Visibility test instead of raw bracket count (avoid ANSI issues)
+    expect(output).not.toContain("[user-auth-001]");
   });
 
   test("formats data as pretty JSON on new line", () => {

package/test/unit/hooks/shell-security.test.ts

@@ -0,0 +1,40 @@
+import { describe, expect, test } from "bun:test";
+// Access internal functions for testing
+// @ts-ignore
+import { hasShellOperators, validateHookCommand } from "../../../src/hooks/runner";
+
+describe("Hook Shell Security (SEC-3)", () => {
+  test("hasShellOperators detects backticks", () => {
+    // @ts-ignore
+    expect(hasShellOperators("echo `whoami`")).toBe(true);
+  });
+
+  test("hasShellOperators detects pipes and redirects", () => {
+    // @ts-ignore
+    expect(hasShellOperators("echo hi | grep h")).toBe(true);
+    // @ts-ignore
+    expect(hasShellOperators("echo hi > file.txt")).toBe(true);
+  });
+
+  test("validateHookCommand blocks backtick substitution", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo `whoami`")).toThrow(/dangerous pattern/);
+  });
+
+  test("validateHookCommand blocks $(...) substitution", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo $(whoami)")).toThrow(/dangerous pattern/);
+  });
+
+  test("validateHookCommand blocks eval", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("eval 'echo hi'")).toThrow(/dangerous pattern/);
+  });
+
+  test("allows safe commands", () => {
+    // @ts-ignore
+    expect(() => validateHookCommand("echo 'Hello World'")).not.toThrow();
+    // @ts-ignore
+    expect(() => validateHookCommand("bun test")).not.toThrow();
+  });
+});