@pikku/inspector 0.12.12 → 0.12.14

package/src/add/pii-check.test.ts

@@ -0,0 +1,202 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import { ErrorCode } from '../error-codes.js'
+import type { InspectorLogger } from '../types.js'
+
+// ── helpers ──────────────────────────────────────────────────────────────────
+
+function makeLogger() {
+  const criticals: Array<{ code: ErrorCode; message: string }> = []
+  const logger: InspectorLogger = {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    critical: (code, message) => criticals.push({ code, message }),
+    hasCriticalErrors: () => criticals.length > 0,
+  }
+  return { logger, criticals }
+}
+
+/**
+ * Inline Private<T>/Pii<T>/Secret<T> definitions that the test source files use.
+ * Mirrors what schema.d.ts emits so the TypeScript program sees the correct
+ * structural brand type even without @pikku/core being importable from /tmp.
+ */
+const BRAND_TYPES = `
+type Private<T> = T & { readonly __classification__: 'private' }
+type Pii<T> = T & { readonly __classification__: 'pii' }
+type Secret<T> = T & { readonly __classification__: 'secret' }
+`
+
+async function runInspect(sourceCode: string) {
+  const tmpDir = await mkdtemp(join(tmpdir(), 'pikku-pii-test-'))
+  const file = join(tmpDir, 'funcs.ts')
+  await writeFile(file, sourceCode)
+  const { logger, criticals } = makeLogger()
+  try {
+    await inspect(logger, [file], { rootDir: tmpDir })
+  } finally {
+    await rm(tmpDir, { recursive: true, force: true })
+  }
+  return criticals
+}
+
+// ── findPiiPaths unit tests via full inspect() round-trip ────────────────────
+
+describe('PII output check — PKU910', () => {
+  test('flags a top-level Private<string> field', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getUser = pikkuFunc({
+  func: async () => {
+    const email = 'test@example.com' as Private<string>
+    return { id: 1, email }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit, `Expected PKU910 but got: ${JSON.stringify(criticals)}`)
+    assert.match(hit.message, /email/)
+  })
+
+  test('flags a top-level Secret<string> field', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getToken = pikkuFunc({
+  func: async () => {
+    const token = 'abc' as Secret<string>
+    return { token }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit)
+    assert.match(hit.message, /token/)
+  })
+
+  test('flags a nested Private field', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getProfile = pikkuFunc({
+  func: async () => {
+    const email = 'x@y.com' as Private<string>
+    return { user: { id: 1, email } }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit)
+    assert.match(hit.message, /user\.email/)
+  })
+
+  test('does not flag a plain string return', async () => {
+    const criticals = await runInspect(`
+import { pikkuFunc } from '@pikku/core'
+export const getPublicData = pikkuFunc({
+  func: async () => ({ id: 1, status: 'active', count: 42 })
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.equal(
+      hit,
+      undefined,
+      `Expected no PKU910 but got: ${JSON.stringify(hit)}`
+    )
+  })
+
+  test('does not flag a void-returning function', async () => {
+    const criticals = await runInspect(`
+import { pikkuFunc } from '@pikku/core'
+export const doWork = pikkuFunc({
+  func: async () => { /* no return */ }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.equal(hit, undefined)
+  })
+
+  test('flags a function that returns a typed alias with Private field', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+type UserRow = { id: number; email: Private<string> }
+export const getUser = pikkuFunc({
+  func: async (): Promise<UserRow> => {
+    return { id: 1, email: 'x' as Private<string> }
+  }
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit)
+    assert.match(hit.message, /email/)
+  })
+
+  test('flags across multiple functions in the same file', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getEmail = pikkuFunc({
+  func: async () => ({ email: 'x' as Private<string> })
+})
+export const getPhone = pikkuFunc({
+  func: async () => ({ phone: '555' as Private<string> })
+})
+export const getSafe = pikkuFunc({
+  func: async () => ({ name: 'Alice' })
+})
+`)
+    const hits = criticals.filter((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.equal(hits.length, 2, `Expected 2 PKU910 but got ${hits.length}`)
+  })
+
+  test('flags branded values inside arrays', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getEmails = pikkuFunc({
+  func: async () => ({ emails: ['x@y.com' as Private<string>] })
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit, `Expected PKU910 but got: ${JSON.stringify(criticals)}`)
+    assert.match(hit.message, /emails/)
+  })
+
+  test('flags branded values inside string-indexed records', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getMap = pikkuFunc({
+  func: async () => ({ byId: { a: 'x@y.com' as Private<string> } as Record<string, Private<string>> })
+})
+`)
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.ok(hit, `Expected PKU910 but got: ${JSON.stringify(criticals)}`)
+    assert.match(hit.message, /byId/)
+  })
+
+  test('does not flag when branded field is stripped before return', async () => {
+    const criticals = await runInspect(`
+${BRAND_TYPES}
+import { pikkuFunc } from '@pikku/core'
+export const getUser = pikkuFunc({
+  func: async () => {
+    const raw: { email: Private<string> } = { email: 'x' as Private<string> }
+    const safe: { email: string } = { email: raw.email as string }
+    return safe
+  }
+})
+`)
+    // The explicit type annotation on 'safe' strips the brand from the inferred return type
+    const hit = criticals.find((c) => c.code === ErrorCode.PII_IN_OUTPUT)
+    assert.equal(hit, undefined)
+  })
+})

package/src/error-codes.ts

@@ -77,4 +77,7 @@ export enum ErrorCode {
 
   // Feature Flag
   WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = 'PKU901',
+
+  // Data classification errors
+  PII_IN_OUTPUT = 'PKU910',
 }

package/src/inspector.ts

@@ -145,6 +145,10 @@ export function getInitialInspectorState(rootDir: string): InspectorState {
       meta: {},
       files: new Set(),
     },
+    auth: {
+      providers: [],
+      files: new Set(),
+    },
     secrets: {
       definitions: [],
       files: new Set(),

package/src/types.ts

@@ -382,6 +382,10 @@ export interface InspectorState {
     meta: NodesMeta
     files: Set<string>
   }
+  auth: {
+    providers: string[]
+    files: Set<string>
+  }
   secrets: {
     definitions: SecretDefinitions
     files: Set<string>

package/src/utils/check-pii-output.ts

@@ -0,0 +1,82 @@
+import * as ts from 'typescript'
+
+/**
+ * Recursively walks a resolved TypeScript type looking for `__classification__` brands —
+ * the structural marker emitted by `Private<T>` and `Secret<T>`.
+ *
+ * `Private<T> = T & { readonly __classification__: 'private' }` shows up in the TS type
+ * system as an intersection whose constituents include a type with a `__classification__`
+ * property.  We detect that by checking whether any constituent of an
+ * intersection exposes a property named `__classification__`.
+ *
+ * Returns the list of dotted field paths where a brand was found
+ * (e.g. `['email', 'address.phone']`).  An empty array means clean.
+ */
+export function findPiiPaths(
+  checker: ts.TypeChecker,
+  type: ts.Type,
+  path = '',
+  depth = 0,
+  seen = new Set<ts.Type>()
+): string[] {
+  if (depth > 8 || seen.has(type)) return []
+  seen.add(type)
+
+  // ── Is this type itself branded? ─────────────────────────────────────────
+  // Private<T> = T & { readonly __classification__: 'private' }  →  isIntersection()
+  // where one constituent has a `__classification__` property.
+  if (type.isIntersection()) {
+    const branded = type.types.some((t) =>
+      t.getProperties().some((p) => p.name === '__classification__')
+    )
+    if (branded) {
+      return [path || '<return value>']
+    }
+  }
+
+  const violations: string[] = []
+
+  // ── Union: check every branch ─────────────────────────────────────────────
+  if (type.isUnion()) {
+    for (const branch of type.types) {
+      violations.push(...findPiiPaths(checker, branch, path, depth, seen))
+    }
+    return violations
+  }
+
+  // ── Object: recurse into named properties ─────────────────────────────────
+  if (type.flags & ts.TypeFlags.Object) {
+    const ref = type as ts.TypeReference
+    for (const arg of (ref as any).typeArguments ?? []) {
+      violations.push(...findPiiPaths(checker, arg, path, depth + 1, seen))
+    }
+
+    const numberIndex = checker.getIndexTypeOfType(type, ts.IndexKind.Number)
+    if (numberIndex) {
+      const idxPath = path ? `${path}[]` : '[]'
+      violations.push(
+        ...findPiiPaths(checker, numberIndex, idxPath, depth + 1, seen)
+      )
+    }
+    const stringIndex = checker.getIndexTypeOfType(type, ts.IndexKind.String)
+    if (stringIndex) {
+      const idxPath = path ? `${path}[*]` : '[*]'
+      violations.push(
+        ...findPiiPaths(checker, stringIndex, idxPath, depth + 1, seen)
+      )
+    }
+
+    for (const prop of type.getProperties()) {
+      if (prop.name.startsWith('__')) continue
+      const decl = prop.valueDeclaration ?? prop.declarations?.[0]
+      if (!decl) continue
+      const propType = checker.getTypeOfSymbolAtLocation(prop, decl)
+      const subPath = path ? `${path}.${prop.name}` : prop.name
+      violations.push(
+        ...findPiiPaths(checker, propType, subPath, depth + 1, seen)
+      )
+    }
+  }
+
+  return violations
+}

package/src/utils/serialize-inspector-state.ts

@@ -181,6 +181,10 @@ export interface SerializableInspectorState {
     meta: InspectorState['nodes']['meta']
     files: string[]
   }
+  auth: {
+    providers: string[]
+    files: string[]
+  }
   secrets: {
     definitions: InspectorState['secrets']['definitions']
     files: string[]
@@ -383,6 +387,10 @@ export function serializeInspectorState(
       meta: state.nodes.meta,
       files: Array.from(state.nodes.files),
     },
+    auth: {
+      providers: state.auth.providers,
+      files: Array.from(state.auth.files),
+    },
     secrets: {
       definitions: state.secrets.definitions,
       files: Array.from(state.secrets.files),
@@ -556,6 +564,10 @@ export function deserializeInspectorState(
       meta: data.nodes?.meta || {},
       files: new Set(data.nodes?.files || []),
     },
+    auth: {
+      providers: data.auth?.providers || [],
+      files: new Set(data.auth?.files || []),
+    },
     secrets: {
       definitions: data.secrets?.definitions || [],
       files: new Set(data.secrets?.files || []),

package/src/visit.ts

@@ -22,6 +22,7 @@ import { addWireAddon } from './add/add-wire-addon.js'
 import { addMiddleware } from './add/add-middleware.js'
 import { addPermission } from './add/add-permission.js'
 import { addCLI, addCLIRenderers } from './add/add-cli.js'
+import { addAuth } from './add/add-auth.js'
 import { addSecret } from './add/add-secret.js'
 import { addCredential } from './add/add-credential.js'
 import { addVariable } from './add/add-variable.js'
@@ -106,6 +107,7 @@ export const visitRoutes = (
   options: InspectorOptions
 ) => {
   addFunctions(logger, node, checker, state, options)
+  addAuth(logger, node, checker, state, options)
   addSecret(logger, node, checker, state, options)
   addCredential(logger, node, checker, state, options)
   addVariable(logger, node, checker, state, options)