@pikku/inspector 0.12.11 → 0.12.13

package/src/add/wire-name-literal.test.ts

@@ -0,0 +1,114 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import { ErrorCode } from '../error-codes.js'
+import type { InspectorLogger } from '../types.js'
+
+const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
+  ({
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    critical: (code: ErrorCode, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }) satisfies InspectorLogger
+
+describe('wiring name must be a string literal', () => {
+  test('logs a critical error when a queue worker name is a const reference', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-nonliteral-name-'))
+    const file = join(rootDir, 'queue.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { pikkuSessionlessFunc, wireQueueWorker } from '@pikku/core'",
+        'const QUEUE_NAME = "stripe-webhook-event"',
+        'export const handler = pikkuSessionlessFunc({',
+        '  func: async () => ({ ok: true })',
+        '})',
+        'wireQueueWorker({',
+        '  name: QUEUE_NAME,',
+        '  func: handler,',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find(
+        (entry) => entry.code === ErrorCode.NON_LITERAL_WIRE_NAME
+      )
+      assert.ok(hit, 'expected NON_LITERAL_WIRE_NAME critical')
+      assert.match(hit!.message, /QUEUE_NAME/)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('logs a critical error when a secret id is a const reference', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-nonliteral-secret-'))
+    const file = join(rootDir, 'secret.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireSecret } from '@pikku/core'",
+        'const SECRET_ID = "STRIPE_SECRET_KEY"',
+        'wireSecret({',
+        '  secretId: SECRET_ID,',
+        "  name: 'Stripe secret key',",
+        "  displayName: 'Stripe secret key',",
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find(
+        (entry) => entry.code === ErrorCode.NON_LITERAL_WIRE_NAME
+      )
+      assert.ok(hit, 'expected NON_LITERAL_WIRE_NAME critical')
+      assert.match(hit!.message, /SECRET_ID/)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('does not flag a queue worker whose name is an inline literal', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-literal-name-'))
+    const file = join(rootDir, 'queue.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { pikkuSessionlessFunc, wireQueueWorker } from '@pikku/core'",
+        'export const handler = pikkuSessionlessFunc({',
+        '  func: async () => ({ ok: true })',
+        '})',
+        'wireQueueWorker({',
+        "  name: 'stripe-webhook-event',",
+        '  func: handler,',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      await inspect(makeLogger(criticals), [file], { rootDir })
+      const hit = criticals.find(
+        (entry) => entry.code === ErrorCode.NON_LITERAL_WIRE_NAME
+      )
+      assert.equal(hit, undefined)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/error-codes.ts

@@ -10,6 +10,7 @@
 export enum ErrorCode {
   // Validation errors
   MISSING_NAME = 'PKU111',
+  NON_LITERAL_WIRE_NAME = 'PKU118',
   MISSING_DESCRIPTION = 'PKU123',
   INVALID_VALUE = 'PKU124',
   MISSING_URI = 'PKU220',
@@ -76,4 +77,7 @@ export enum ErrorCode {
 
   // Feature Flag
   WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = 'PKU901',
+
+  // Data classification errors
+  PII_IN_OUTPUT = 'PKU910',
 }

package/src/index.ts

@@ -9,6 +9,7 @@ export {
 } from './utils/serialize-inspector-state.js'
 export type { SerializableInspectorState } from './utils/serialize-inspector-state.js'
 export { filterInspectorState } from './utils/filter-inspector-state.js'
+export { resolveDeployTarget } from './utils/resolve-deploy-target.js'
 export {
   generateCustomTypes,
   sanitizeTypeName,

package/src/inspector.ts

@@ -12,7 +12,6 @@ import { findCommonAncestor } from './utils/find-root-dir.js'
 import {
   aggregateRequiredServices,
   validateAgentModels,
-  validateAgentOverrides,
   validateSecretOverrides,
   validateVariableOverrides,
   validateCredentialOverrides,
@@ -250,8 +249,6 @@ export const inspect = async (
   const rootDir = options.rootDir || findCommonAncestor(routeFiles)
 
   const startSourceFiles = performance.now()
-  // Filter source files to only include files within the project rootDir
-  // This prevents picking up types from external packages (including workspace symlinks)
   const sourceFiles = program
     .getSourceFiles()
     .filter((sf) => sf.fileName.startsWith(rootDir))
@@ -354,8 +351,7 @@ export const inspect = async (
       )
     }
 
-    validateAgentModels(logger, state, options.modelConfig)
-    validateAgentOverrides(logger, state, options.modelConfig)
+    validateAgentModels(logger, state)
     validateSecretOverrides(logger, state)
     validateVariableOverrides(logger, state)
     validateCredentialOverrides(logger, state)

package/src/types.ts

@@ -179,10 +179,28 @@ export interface InspectorPermissionState {
 export type InspectorFilters = {
   names?: string[] // Wildcard support: "email-*" matches "email-worker", "email-sender"
   tags?: string[]
-  types?: string[]
+  wires?: string[]
   directories?: string[]
   httpRoutes?: string[] // HTTP route patterns: "/api/*", "/webhooks/*"
   httpMethods?: string[] // HTTP methods: "GET", "POST", "DELETE", etc.
+
+  excludeNames?: string[]
+  excludeTags?: string[]
+  excludeWires?: string[]
+  excludeDirectories?: string[]
+  excludeHttpRoutes?: string[]
+  excludeHttpMethods?: string[]
+
+  // Keep only functions whose effective deploy target is in this list.
+  // A function's effective target is its explicit `deploy` field, or
+  // 'server' if any of its services are listed in `serverlessIncompatible`,
+  // otherwise 'serverless'.
+  target?: Array<'serverless' | 'server'>
+  excludeTarget?: Array<'serverless' | 'server'>
+  // Service names that, when consumed by a function, force its target
+  // to 'server'. Sourced from `pikku.config.json` →
+  // `deploy.serverlessIncompatible`. Used only when deploy filters are set.
+  serverlessIncompatible?: string[]
 }
 
 export type AddonConfig = {
@@ -192,19 +210,6 @@ export type AddonConfig = {
   forceInclude?: boolean
 }
 
-export type ModelConfigEntry =
-  | string
-  | { model: string; temperature?: number; maxSteps?: number }
-
-export type InspectorModelConfig = {
-  models?: Record<string, ModelConfigEntry>
-  agentDefaults?: { temperature?: number; maxSteps?: number }
-  agentOverrides?: Record<
-    string,
-    { model?: string; temperature?: number; maxSteps?: number }
-  >
-}
-
 export type InspectorOptions = Partial<{
   setupOnly: boolean
   rootDir: string
@@ -225,7 +230,6 @@ export type InspectorOptions = Partial<{
   }
   tags: string[]
   manifest: VersionManifest
-  modelConfig: InspectorModelConfig
   oldProgram: ts.Program | undefined
 }>
 

package/src/utils/check-pii-output.ts

@@ -0,0 +1,76 @@
+import * as ts from 'typescript'
+
+/**
+ * Recursively walks a resolved TypeScript type looking for `__pii__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __pii__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__pii__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__pii__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export function findPiiPaths(
+  checker: ts.TypeChecker,
+  type: ts.Type,
+  path = '',
+  depth = 0,
+  seen = new Set<ts.Type>()
+): string[] {
+  if (depth > 8 || seen.has(type)) return []
+  seen.add(type)
+
+  // ── Is this type itself branded? ─────────────────────────────────────────
+  // Private<T> = T & { readonly __pii__: 'private' }  →  isIntersection()
+  // where one constituent has a `__pii__` property.
+  if (type.isIntersection()) {
+    const branded = type.types.some((t) =>
+      t.getProperties().some((p) => p.name === '__pii__')
+    )
+    if (branded) {
+      return [path || '<return value>']
+    }
+  }
+
+  const violations: string[] = []
+
+  // ── Union: check every branch ─────────────────────────────────────────────
+  if (type.isUnion()) {
+    for (const branch of type.types) {
+      violations.push(...findPiiPaths(checker, branch, path, depth, seen))
+    }
+    return violations
+  }
+
+  // ── Object: recurse into named properties ─────────────────────────────────
+  if (type.flags & ts.TypeFlags.Object) {
+    const ref = type as ts.TypeReference
+    for (const arg of (ref as any).typeArguments ?? []) {
+      violations.push(...findPiiPaths(checker, arg, path, depth + 1, seen))
+    }
+
+    const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number)
+    if (numberIndex) {
+      const idxPath = path ? `${path}[]` : '[]'
+      violations.push(...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen))
+    }
+    const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String)
+    if (stringIndex) {
+      const idxPath = path ? `${path}[*]` : '[*]'
+      violations.push(...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen))
+    }
+
+    for (const prop of type.getProperties()) {
+      if (prop.name.startsWith('__')) continue
+      const decl = prop.valueDeclaration ?? prop.declarations?.[0]
+      if (!decl) continue
+      const propType = checker.getTypeOfSymbolAtLocation(prop, decl)
+      const subPath = path ? `${path}.${prop.name}` : prop.name
+      violations.push(...findPiiPaths(checker, propType, subPath, depth + 1, seen))
+    }
+  }
+
+  return violations
+}

package/src/utils/extract-function-name.ts

@@ -444,6 +444,14 @@ export function extractFunctionName(
   }
 
   if (result.version !== null) {
+    // Strip trailing VN suffix if it matches the version (e.g. createCardV1 + version:1 → createCard@v1)
+    const vSuffix = `V${result.version}`
+    if (
+      result.pikkuFuncId.endsWith(vSuffix) &&
+      result.pikkuFuncId.length > vSuffix.length
+    ) {
+      result.pikkuFuncId = result.pikkuFuncId.slice(0, -vSuffix.length)
+    }
     result.pikkuFuncId = formatVersionedId(result.pikkuFuncId, result.version)
   }