@ontrails/warden 1.0.0-beta.2 → 1.0.0-beta.21

package/src/trails/resource-mock-coverage.trail.ts

@@ -0,0 +1,40 @@
+import { resourceMockCoverage } from '../rules/resource-mock-coverage.js';
+import { wrapRule } from './wrap-rule.js';
+
+export const resourceMockCoverageTrail = wrapRule({
+  examples: [
+    {
+      expected: { diagnostics: [] },
+      input: {
+        filePath: 'clean.ts',
+        sourceCode: `const db = resource("db.main", {
+  create: () => Result.ok(openDatabase()),
+  mock: () => createInMemoryDb(),
+});`,
+      },
+      name: 'Resource declaring a mock factory passes',
+    },
+    {
+      expected: {
+        diagnostics: [
+          {
+            filePath: 'missing-mock.ts',
+            line: 1,
+            message:
+              'Resource "db.main" declares no mock factory. Add a mock() so testAll(app) runs without configuration, or declare unmockable: { reason } if it intentionally cannot be mocked.',
+            rule: 'resource-mock-coverage',
+            severity: 'warn',
+          },
+        ],
+      },
+      input: {
+        filePath: 'missing-mock.ts',
+        sourceCode: `const db = resource("db.main", {
+  create: () => Result.ok(openDatabase()),
+});`,
+      },
+      name: 'Resource without a mock factory or unmockable reason is flagged',
+    },
+  ],
+  rule: resourceMockCoverage,
+});

package/src/trails/run.ts

@@ -0,0 +1,162 @@
+/**
+ * Run file-scoped warden rule trails against a single source file.
+ *
+ * Returns a flat array of diagnostics from every source-aware rule. Built-in
+ * topo-aware rules are dispatched separately via `runTopoAwareWardenTrails()`
+ * so callers that loop files do not duplicate graph-level findings.
+ */
+
+import type { Intent, Topo } from '@ontrails/core';
+import { run } from '@ontrails/core';
+
+import { wardenTopoRules } from '../rules/index.js';
+import type { WardenDiagnostic } from '../rules/types.js';
+import type { WardenImportResolution } from '../resolve.js';
+import type { WardenPublicWorkspace } from '../workspaces.js';
+import type { RuleOutput } from './schema.js';
+import { wardenTopo } from './topo.js';
+
+/**
+ * Run all file-scoped warden rule trails for a given file and collect diagnostics.
+ *
+ * Each rule trail runs independently. Errors from individual trails are
+ * silently skipped so that one broken rule does not block the rest.
+ */
+const appendDiagnostics = (
+  target: WardenDiagnostic[],
+  diagnostics: readonly WardenDiagnostic[]
+): void => {
+  for (const diagnostic of diagnostics) {
+    target.push(diagnostic);
+  }
+};
+
+type TrailIntentMap = Readonly<Record<string, Intent>>;
+
+interface ProjectRuleOptions {
+  readonly contourReferencesByName?: Readonly<
+    Record<string, readonly string[]>
+  >;
+  readonly composeTargetTrailIds?: readonly string[];
+  readonly crudTableIds?: readonly string[];
+  readonly crudCoverageByEntity?: Readonly<Record<string, readonly string[]>>;
+  readonly knownContourIds?: readonly string[];
+  readonly importResolutionsByFile?: Readonly<
+    Record<string, readonly WardenImportResolution[]>
+  >;
+  readonly documentedImportResolutionsByFile?: Readonly<
+    Record<string, readonly WardenImportResolution[]>
+  >;
+  readonly knownResourceIds?: readonly string[];
+  readonly knownSignalIds?: readonly string[];
+  readonly knownTrailIds?: readonly string[];
+  readonly onTargetSignalIds?: readonly string[];
+  readonly publicWorkspaces?: Readonly<Record<string, WardenPublicWorkspace>>;
+  readonly reconcileTableIds?: readonly string[];
+  readonly trailIntentsById?: TrailIntentMap;
+}
+
+const PROJECT_OPTION_KEYS = [
+  'contourReferencesByName',
+  'composeTargetTrailIds',
+  'crudTableIds',
+  'crudCoverageByEntity',
+  'knownContourIds',
+  'importResolutionsByFile',
+  'documentedImportResolutionsByFile',
+  'knownResourceIds',
+  'knownSignalIds',
+  'knownTrailIds',
+  'onTargetSignalIds',
+  'publicWorkspaces',
+  'reconcileTableIds',
+  'trailIntentsById',
+] as const satisfies readonly (keyof ProjectRuleOptions)[];
+
+const hasProjectOptions = (options?: ProjectRuleOptions): boolean =>
+  Boolean(
+    options && PROJECT_OPTION_KEYS.some((key) => options[key] !== undefined)
+  );
+
+const collectProjectOptions = (
+  options?: ProjectRuleOptions
+): ProjectRuleOptions => {
+  if (!options) {
+    return {};
+  }
+
+  return Object.fromEntries(
+    PROJECT_OPTION_KEYS.flatMap((key) => {
+      const value = options[key];
+      return value === undefined ? [] : [[key, value] as const];
+    })
+  ) as ProjectRuleOptions;
+};
+
+const buildRuleInput = (
+  filePath: string,
+  sourceCode: string,
+  options?: ProjectRuleOptions
+): {
+  readonly filePath: string;
+  readonly sourceCode: string;
+} & ProjectRuleOptions => {
+  const base = { filePath, sourceCode };
+  if (!hasProjectOptions(options)) {
+    return base;
+  }
+
+  return { ...base, ...collectProjectOptions(options) };
+};
+
+const topoAwareTrailIds = new Set(
+  [...wardenTopoRules.keys()].map((ruleName) => `warden.rule.${ruleName}`)
+);
+
+export const runWardenTrails = async (
+  filePath: string,
+  sourceCode: string,
+  options?: ProjectRuleOptions
+): Promise<readonly WardenDiagnostic[]> => {
+  const allDiagnostics: WardenDiagnostic[] = [];
+  const input = buildRuleInput(filePath, sourceCode, options);
+
+  for (const id of wardenTopo.ids()) {
+    if (topoAwareTrailIds.has(id)) {
+      continue;
+    }
+    const result = await run(wardenTopo, id, input);
+    if (result.isOk()) {
+      appendDiagnostics(
+        allDiagnostics,
+        (result.value as RuleOutput).diagnostics
+      );
+    }
+  }
+
+  return allDiagnostics;
+};
+
+/**
+ * Run the built-in topo-aware warden rule trails once against a resolved topo.
+ *
+ * Unlike `runWardenTrails()`, which is file-scoped, topo-aware rules inspect
+ * the compiled graph and should only be dispatched once per topo.
+ */
+export const runTopoAwareWardenTrails = async (
+  topo: Topo
+): Promise<readonly WardenDiagnostic[]> => {
+  const allDiagnostics: WardenDiagnostic[] = [];
+
+  for (const id of topoAwareTrailIds) {
+    const result = await run(wardenTopo, id, { topo });
+    if (result.isOk()) {
+      appendDiagnostics(
+        allDiagnostics,
+        (result.value as RuleOutput).diagnostics
+      );
+    }
+  }
+
+  return allDiagnostics;
+};

package/src/trails/scheduled-destroy-intent.trail.ts

@@ -0,0 +1,56 @@
+import { Result, schedule, topo, trail } from '@ontrails/core';
+import { z } from 'zod';
+
+import { scheduledDestroyIntent } from '../rules/scheduled-destroy-intent.js';
+import { wrapTopoRule } from './wrap-rule.js';
+
+export const scheduledDestroyTrail = trail('billing.purge-expired', {
+  blaze: () => Result.ok({ ok: true }),
+  input: z.object({}),
+  intent: 'destroy',
+  on: [
+    schedule('schedule.billing.purge-expired', {
+      cron: '0 2 * * *',
+    }),
+  ],
+  output: z.object({ ok: z.boolean() }),
+  permit: { scopes: ['billing:purge'] },
+});
+
+const scheduledWriteTrail = trail('billing.reconcile', {
+  blaze: () => Result.ok({ ok: true }),
+  input: z.object({}),
+  on: [schedule('schedule.billing.reconcile', { cron: '0 * * * *' })],
+  output: z.object({ ok: z.boolean() }),
+});
+
+export const scheduledDestroyIntentTrail = wrapTopoRule({
+  examples: [
+    {
+      expected: {
+        diagnostics: [
+          {
+            filePath: '<topo>',
+            line: 1,
+            message:
+              'Trail "billing.purge-expired" declares intent: \'destroy\' and is activated by schedule source "schedule.billing.purge-expired". Scheduled destroy work should make cadence, permit scope, idempotency, and recovery explicit before it runs unattended.',
+            rule: 'scheduled-destroy-intent',
+            severity: 'warn',
+          },
+        ],
+      },
+      input: {
+        topo: topo('trl-457-scheduled-destroy', { scheduledDestroyTrail }),
+      },
+      name: 'Scheduled destroy trails emit coaching',
+    },
+    {
+      expected: { diagnostics: [] },
+      input: {
+        topo: topo('trl-457-scheduled-write', { scheduledWriteTrail }),
+      },
+      name: 'Scheduled write trails do not emit destroy coaching',
+    },
+  ],
+  rule: scheduledDestroyIntent,
+});

package/src/trails/schema.ts

@@ -0,0 +1,194 @@
+/**
+ * Shared Zod schemas for warden rule trails.
+ *
+ * Every rule trail shares the same input (source file) and output
+ * (array of diagnostics) shape.
+ */
+
+import { intentValues } from '@ontrails/core';
+import type { Topo } from '@ontrails/core';
+import type { TopoGraph } from '@ontrails/topographer';
+import { z } from 'zod';
+import { wardenImportResolutionErrorKinds } from '../resolve.js';
+import { wardenFixClasses, wardenFixSafeties } from '../rules/metadata.js';
+
+export const guidanceLinkSchema = z.object({
+  label: z.string(),
+  path: z.string().optional(),
+  url: z.string().optional(),
+});
+
+export const guidanceSchema = z.object({
+  commands: z.array(z.string()).readonly().optional(),
+  docs: z.array(guidanceLinkSchema).readonly().optional(),
+  relatedRules: z.array(z.string()).readonly().optional(),
+  steps: z.array(z.string()).readonly().optional(),
+  summary: z.string(),
+});
+
+export const fixEditSchema = z.object({
+  end: z.number(),
+  replacement: z.string(),
+  start: z.number(),
+});
+
+export const fixSchema = z.object({
+  class: z.enum(wardenFixClasses),
+  edits: z.array(fixEditSchema).readonly().optional(),
+  fixture: z.string().optional(),
+  reason: z.string(),
+  safety: z.enum(wardenFixSafeties),
+});
+
+/** A single diagnostic emitted by a warden rule trail. */
+export const diagnosticSchema = z.object({
+  code: z.string().optional().describe('Optional rule-local diagnostic code'),
+  filePath: z.string().describe('File path that was analyzed'),
+  fix: fixSchema.optional().describe('Structured fix metadata'),
+  guidance: guidanceSchema
+    .optional()
+    .describe('Structured remediation guidance'),
+  line: z.number().describe('1-based line number'),
+  message: z.string().describe('Human-readable diagnostic message'),
+  rule: z.string().describe('Rule name'),
+  severity: z.enum(['error', 'warn']).describe('Diagnostic severity'),
+});
+
+/** Input accepted by every warden rule trail. */
+export const ruleInput = z.object({
+  filePath: z.string().describe('Path to the source file'),
+  sourceCode: z.string().describe('Source code content'),
+});
+
+export const importResolutionSchema = z.object({
+  builtinModule: z.string().optional(),
+  crossesPackageBoundary: z.boolean(),
+  errorKind: z.enum(wardenImportResolutionErrorKinds).optional(),
+  errorMessage: z.string().optional(),
+  importSource: z.string(),
+  importerPath: z.string(),
+  isInternalTarget: z.boolean(),
+  line: z.number(),
+  packageName: z.string().optional(),
+  packageRoot: z.string().optional(),
+  resolvedPath: z.string().optional(),
+  usesPublicExport: z.boolean(),
+});
+
+export const publicWorkspaceSchema = z.object({
+  bin: z.record(z.string(), z.string()).optional(),
+  exportTargets: z.record(z.string(), z.string()).optional(),
+  files: z.array(z.string()).optional(),
+  hasExports: z.boolean(),
+  name: z.string(),
+  packageJsonPath: z.string(),
+  rootDir: z.string(),
+});
+
+/**
+ * Extended input for project-aware warden rule trails.
+ *
+ * Adds `knownTrailIds` so the caller can supply compose-file context and avoid
+ * false positives for `@see` references or compose-file contour relationships.
+ */
+export const projectAwareRuleInput = ruleInput.extend({
+  composeTargetTrailIds: z
+    .array(z.string())
+    .optional()
+    .describe('Trail IDs referenced by composes arrays across the project'),
+  contourReferencesByName: z
+    .record(z.string(), z.array(z.string()))
+    .optional()
+    .describe('Declared contour references keyed by source contour name'),
+  crudCoverageByEntity: z
+    .record(z.string(), z.array(z.string()))
+    .optional()
+    .describe(
+      'CRUD operation coverage per entity aggregated across the project'
+    ),
+  crudTableIds: z
+    .array(z.string())
+    .optional()
+    .describe('Store table IDs used with CRUD factories across the project'),
+  documentedImportResolutionsByFile: z
+    .record(z.string(), z.array(importResolutionSchema))
+    .optional()
+    .describe('Resolved docs/specifier facts keyed by documentation file path'),
+  importResolutionsByFile: z
+    .record(z.string(), z.array(importResolutionSchema))
+    .optional()
+    .describe('Resolved import facts keyed by importer file path'),
+  knownContourIds: z
+    .array(z.string())
+    .optional()
+    .describe('Contour names known across the project'),
+  knownResourceIds: z
+    .array(z.string())
+    .optional()
+    .describe('Resource IDs known across the project'),
+  knownSignalIds: z
+    .array(z.string())
+    .optional()
+    .describe('Signal IDs known across the project'),
+  knownTrailIds: z
+    .array(z.string())
+    .optional()
+    .describe('Trail IDs known across the project'),
+  onTargetSignalIds: z
+    .array(z.string())
+    .optional()
+    .describe('Signal IDs referenced by trail on arrays across the project'),
+  publicWorkspaces: z
+    .record(z.string(), publicWorkspaceSchema)
+    .optional()
+    .describe('Non-private published @ontrails workspaces by package name'),
+  reconcileTableIds: z
+    .array(z.string())
+    .optional()
+    .describe('Store table IDs used with reconcile trails across the project'),
+  trailIntentsById: z
+    .record(z.string(), z.enum(intentValues))
+    .optional()
+    .describe('Normalized trail intents keyed by trail ID'),
+});
+
+/**
+ * Input for topo-aware warden rule trails.
+ *
+ * The `Topo` graph is not a serializable value, so the schema accepts it
+ * as an opaque `z.custom`. Topo-aware rules are invoked from the warden
+ * runtime with a live, resolved topo reference — they are not expected
+ * to be called across a network boundary.
+ */
+export const topoAwareRuleInput = z.object({
+  graph: z
+    .custom<TopoGraph>(
+      (value) =>
+        typeof value === 'object' && value !== null && 'entries' in value,
+      { message: 'Expected a serialized TopoGraph object' }
+    )
+    .optional()
+    .describe('Optional derived TopoGraph with graph-only audit annotations'),
+  topo: z
+    .custom<Topo>(
+      (value) =>
+        typeof value === 'object' &&
+        value !== null &&
+        'trails' in value &&
+        'resources' in value &&
+        'contours' in value &&
+        'signals' in value,
+      { message: 'Expected a resolved Topo instance' }
+    )
+    .describe('Resolved topo graph under inspection'),
+});
+
+/** Output returned by every warden rule trail. */
+export const ruleOutput = z.object({
+  diagnostics: z.array(diagnosticSchema).describe('Diagnostics found'),
+});
+
+export type RuleInput = z.infer<typeof ruleInput>;
+export type ProjectAwareRuleInput = z.infer<typeof projectAwareRuleInput>;
+export type TopoAwareRuleInput = z.infer<typeof topoAwareRuleInput>;
+export type RuleOutput = z.infer<typeof ruleOutput>;

package/src/trails/signal-graph-coaching.trail.ts

@@ -0,0 +1,77 @@
+import { Result, resource, signal, topo, trail } from '@ontrails/core';
+import { z } from 'zod';
+
+import { signalGraphCoaching } from '../rules/signal-graph-coaching.js';
+import { wrapTopoRule } from './wrap-rule.js';
+
+const unusedSignal = signal('invoice.unused', {
+  payload: z.object({ invoiceId: z.string() }),
+});
+
+const producedSignal = signal('invoice.created', {
+  payload: z.object({ invoiceId: z.string() }),
+});
+
+const producerTrail = trail('invoice.create', {
+  blaze: async (_input, ctx) => {
+    await ctx.fire?.(producedSignal, { invoiceId: 'inv_1' });
+    return Result.ok({ invoiceId: 'inv_1' });
+  },
+  fires: [producedSignal],
+  input: z.object({}),
+  output: z.object({ invoiceId: z.string() }),
+});
+
+const resourceSignal = signal('store:invoice.created', {
+  payload: z.object({ invoiceId: z.string() }),
+});
+
+const invoiceStore = resource('store', {
+  create: () => Result.ok({ ok: true }),
+  signals: [resourceSignal],
+});
+
+export const signalGraphCoachingTrail = wrapTopoRule({
+  examples: [
+    {
+      expected: {
+        diagnostics: [
+          {
+            filePath: '<topo>',
+            line: 1,
+            message:
+              'Signal "invoice.created" is produced by producer trail "invoice.create" but has no consumer trails. Add an on: consumer if the signal is meant to drive reactive work, or remove the unused fires:/producer declaration.',
+            rule: 'signal-graph-coaching',
+            severity: 'warn',
+          },
+          {
+            filePath: '<topo>',
+            line: 1,
+            message:
+              'Signal "invoice.unused" is declared in the topo but has no producer trails, producer resources, or consumer trails. Add fires:/on: edges, attach producer metadata, or remove the unused signal contract.',
+            rule: 'signal-graph-coaching',
+            severity: 'warn',
+          },
+          {
+            filePath: '<topo>',
+            line: 1,
+            message:
+              'Signal "store:invoice.created" is produced by producer resource "store" but has no consumer trails. Add an on: consumer if the signal is meant to drive reactive work, or remove the unused fires:/producer declaration.',
+            rule: 'signal-graph-coaching',
+            severity: 'warn',
+          },
+        ],
+      },
+      input: {
+        topo: topo('trl-447-signal-graph-coaching', {
+          invoiceStore,
+          producedSignal,
+          producerTrail,
+          unusedSignal,
+        }),
+      },
+      name: 'Declared and produced signals without consumers get coaching',
+    },
+  ],
+  rule: signalGraphCoaching,
+});

package/src/trails/static-resource-accessor-preference.trail.ts

@@ -0,0 +1,25 @@
+import { staticResourceAccessorPreference } from '../rules/static-resource-accessor-preference.js';
+import { wrapRule } from './wrap-rule.js';
+
+export const staticResourceAccessorPreferenceTrail = wrapRule({
+  examples: [
+    {
+      expected: { diagnostics: [] },
+      input: {
+        filePath: 'clean.ts',
+        sourceCode: `const db = resource("db.main", {
+  create: () => Result.ok({ source: "factory" }),
+});
+
+trail("entity.show", {
+  resources: [db],
+  blaze: async (_input, ctx) => {
+    return Result.ok(db.from(ctx));
+  }
+})`,
+      },
+      name: 'Static resource helper access',
+    },
+  ],
+  rule: staticResourceAccessorPreference,
+});

package/src/trails/surface-facet-coherence.trail.ts

@@ -0,0 +1,25 @@
+import { surfaceFacetCoherence } from '../rules/surface-facet-coherence.js';
+import { wrapRule } from './wrap-rule.js';
+
+export const surfaceFacetCoherenceTrail = wrapRule({
+  examples: [
+    {
+      expected: { diagnostics: [] },
+      input: {
+        filePath: 'mcp-options.ts',
+        sourceCode: `export const facets = {
+  inspect: {
+    description: "Inspect topo state.",
+    trails: ["survey", "survey.brief"],
+  },
+  governance: {
+    description: "Run diagnostics.",
+    trails: ["warden", "doctor"],
+  },
+};`,
+      },
+      name: 'Reviewable surface facet map',
+    },
+  ],
+  rule: surfaceFacetCoherence,
+});

package/src/trails/topo.ts

@@ -0,0 +1,6 @@
+import { topo } from '@ontrails/core';
+
+import * as rules from './index.js';
+
+/** Topo collecting all warden rule trails. */
+export const wardenTopo = topo('warden', rules);

package/src/trails/unmaterialized-activation-source.trail.ts

@@ -0,0 +1,72 @@
+import { Result, schedule, signal, topo, trail, webhook } from '@ontrails/core';
+import { z } from 'zod';
+
+import { unmaterializedActivationSource } from '../rules/unmaterialized-activation-source.js';
+import { wrapTopoRule } from './wrap-rule.js';
+
+const invoicePaidWebhook = webhook('webhook.invoice.paid', {
+  parse: z.object({ invoiceId: z.string() }),
+  path: '/webhooks/invoice/paid',
+});
+
+const webhookConsumer = trail('invoice.audit-webhook', {
+  blaze: () => Result.ok({ ok: true }),
+  input: z.object({ invoiceId: z.string() }),
+  on: [invoicePaidWebhook],
+  output: z.object({ ok: z.boolean() }),
+});
+
+const invoiceCreated = signal('invoice.created', {
+  from: ['invoice.create'],
+  payload: z.object({ invoiceId: z.string() }),
+});
+
+const signalProducer = trail('invoice.create', {
+  blaze: async (_input, ctx) => {
+    await ctx.fire?.(invoiceCreated, { invoiceId: 'inv_1' });
+    return Result.ok({ invoiceId: 'inv_1' });
+  },
+  fires: [invoiceCreated],
+  input: z.object({}),
+  output: z.object({ invoiceId: z.string() }),
+});
+
+const signalConsumer = trail('invoice.index', {
+  blaze: () => Result.ok({ ok: true }),
+  input: z.object({ invoiceId: z.string() }),
+  on: [invoiceCreated],
+  output: z.object({ ok: z.boolean() }),
+});
+
+const scheduleConsumer = trail('invoice.reconcile', {
+  blaze: () => Result.ok({ ok: true }),
+  input: z.object({}),
+  on: [schedule('schedule.invoice.reconcile', { cron: '0 * * * *' })],
+  output: z.object({ ok: z.boolean() }),
+});
+
+export const unmaterializedActivationSourceTrail = wrapTopoRule({
+  examples: [
+    {
+      expected: { diagnostics: [] },
+      input: {
+        topo: topo('trl-461-webhook-materialized', { webhookConsumer }),
+      },
+      name: 'Webhook activation sources are materialized by HTTP',
+    },
+    {
+      expected: { diagnostics: [] },
+      input: {
+        topo: topo('trl-496-materialized-sources', {
+          invoiceCreated,
+          scheduleConsumer,
+          signalConsumer,
+          signalProducer,
+          webhookConsumer,
+        }),
+      },
+      name: 'Signal, schedule, and webhook activation sources are materialized',
+    },
+  ],
+  rule: unmaterializedActivationSource,
+});