@pikku/inspector 0.12.20 → 0.12.22

package/src/add/add-functions.test.ts

@@ -39,6 +39,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -91,6 +94,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -142,6 +148,7 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -204,6 +211,9 @@ describe('addFunctions duplicate name handling', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: ({ code, message }) => {
+        criticals.push({ code, message })
+      },
       critical: (code: ErrorCode, message: string) => {
         criticals.push({ code, message })
       },
@@ -250,6 +260,7 @@ describe('addFunctions implementationHash', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -296,6 +307,7 @@ describe('addFunctions implementationHash', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }
@@ -349,6 +361,7 @@ describe('pikkuChannelConnectionFunc generic mapping', () => {
       info: () => {},
       warn: () => {},
       error: () => {},
+      diagnostic: () => {},
       critical: () => {},
       hasCriticalErrors: () => false,
     }

package/src/add/add-functions.ts

@@ -931,23 +931,27 @@ export const addFunctions: AddWiring = (
         .map((f) => f.path)
 
       if (secretPaths.length > 0) {
-        logger.critical(
-          ErrorCode.PII_IN_OUTPUT,
-          `Function '${name}' exposes secret-classified field(s) in its return type: ` +
+        logger.diagnostic({
+          severity: 'error',
+          code: ErrorCode.PII_IN_OUTPUT,
+          message:
+            `Function '${name}' exposes secret-classified field(s) in its return type: ` +
             secretPaths.map((p) => `'${p}'`).join(', ') +
             `.\n  Secret fields must never appear in function output. ` +
-            `Strip these fields before returning or change the column classification.`
-        )
+            `Strip these fields before returning or change the column classification.`,
+        })
       }
 
       if (sessionless && privatePaths.length > 0) {
-        logger.critical(
-          ErrorCode.PII_IN_OUTPUT,
-          `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
+        logger.diagnostic({
+          severity: 'error',
+          code: ErrorCode.PII_IN_OUTPUT,
+          message:
+            `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
             privatePaths.map((p) => `'${p}'`).join(', ') +
             `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
-            `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`
-        )
+            `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`,
+        })
       }
     }
   }

package/src/add/add-workflow-fanout.test.ts

@@ -0,0 +1,106 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import type { InspectorLogger } from '../types.js'
+
+function makeLogger(
+  criticals: Array<{ code: string; message: string }>
+): InspectorLogger {
+  return {
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
+    critical: (code: any, message: string) => {
+      criticals.push({ code, message })
+    },
+    hasCriticalErrors: () => criticals.length > 0,
+  }
+}
+
+const STEP_FILE = [
+  "import { pikkuSessionlessFunc } from '@pikku/core'",
+  'export const processEventLeadsStep = pikkuSessionlessFunc({',
+  '  func: async ({ logger }) => ({ persistedCount: 1 }),',
+  '})',
+].join('\n')
+
+describe('addWorkflow — Promise.all fanout RPC detection', () => {
+  test('registers fanout RPC when captured with `const x = await Promise.all(map(...))`', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-fanout-const-'))
+    const wfFile = join(rootDir, 'leads.workflow.ts')
+    const stepFile = join(rootDir, 'leads.steps.ts')
+
+    await writeFile(stepFile, STEP_FILE)
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const extractLeadsWorkflow = pikkuWorkflowFunc(async (_, data, { workflow }) => {',
+        '  const events = [{ id: "a", name: "x" }]',
+        '  const processed = await Promise.all(',
+        '    events.map((event) =>',
+        "      workflow.do(`Enrich event ${event.id ?? event.name}`, 'processEventLeadsStep', { event })",
+        '    )',
+        '  )',
+        '  return { count: processed.length }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('processEventLeadsStep'),
+        'processEventLeadsStep should be registered when fanout is captured with const'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('registers fanout RPC with string-concatenation (`+`) step name, same as template literal', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-fanout-concat-'))
+    const wfFile = join(rootDir, 'leads.workflow.ts')
+    const stepFile = join(rootDir, 'leads.steps.ts')
+
+    await writeFile(stepFile, STEP_FILE)
+    await writeFile(
+      wfFile,
+      [
+        "import { pikkuWorkflowFunc } from '@pikku/core/workflow'",
+        'export const extractLeadsWorkflow = pikkuWorkflowFunc(async (_, data, { workflow }) => {',
+        '  const events = [{ id: "a", name: "x" }]',
+        '  await Promise.all(',
+        '    events.map((event) =>',
+        "      workflow.do('Enrich event ' + (event.id ?? event.name), 'processEventLeadsStep', { event })",
+        '    )',
+        '  )',
+        '  return { ok: true }',
+        '})',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: string; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [stepFile, wfFile], {
+        rootDir,
+      })
+      assert.ok(
+        state.rpc.invokedFunctions.has('processEventLeadsStep'),
+        'processEventLeadsStep should be registered even when the step name uses `+` concatenation with a non-static operand'
+      )
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-workflow.test.ts

@@ -14,6 +14,9 @@ function makeLogger(
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: any, message: string) => {
       criticals.push({ code, message })
     },

package/src/add/add-workflow.ts

@@ -16,6 +16,20 @@ import {
   getPropertyValue,
 } from '../utils/get-property-value.js'
 import { extractDSLWorkflow } from '../utils/workflow/dsl/extract-dsl-workflow.js'
+import { getSourceText } from '../utils/workflow/dsl/patterns.js'
+
+/**
+ * Extract a workflow step's display name without letting a non-static name
+ * (e.g. a function call) abort the scan. The step name is cosmetic, so a
+ * resolution failure must never prevent the RPC from being registered.
+ */
+function extractStepName(node: ts.Node, checker: ts.TypeChecker): string {
+  try {
+    return extractStringLiteral(node, checker)
+  } catch {
+    return getSourceText(node)
+  }
+}
 
 /**
  * Recursively check if any step has inline type (non-serializable)
@@ -99,7 +113,7 @@ function getWorkflowInvocations(
           const optionsArg =
             args.length >= 4 ? args[args.length - 1] : undefined
 
-          const stepName = extractStringLiteral(stepNameArg, checker)
+          const stepName = extractStepName(stepNameArg, checker)
           const description =
             extractDescription(optionsArg, checker) ?? undefined
 
@@ -126,7 +140,7 @@ function getWorkflowInvocations(
           const stepNameArg = args[0]
           const durationArg = args[1]
 
-          const stepName = extractStringLiteral(stepNameArg, checker)
+          const stepName = extractStepName(stepNameArg, checker)
           const duration = extractDuration(durationArg, checker)
 
           steps.push({

package/src/add/pii-check.test.ts

@@ -10,12 +10,16 @@ import type { InspectorLogger } from '../types.js'
 // ── helpers ──────────────────────────────────────────────────────────────────
 
 function makeLogger() {
+  // Collects every coded diagnostic regardless of severity. PKU910 is now
+  // emitted at 'error' severity (surface, don't block the dev server) so it
+  // arrives via `diagnostic`, not `critical`.
   const criticals: Array<{ code: ErrorCode; message: string }> = []
   const logger: InspectorLogger = {
     debug: () => {},
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => criticals.push({ code, message }),
     critical: (code, message) => criticals.push({ code, message }),
     hasCriticalErrors: () => criticals.length > 0,
   }

package/src/add/wire-name-literal.test.ts

@@ -13,6 +13,9 @@ const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: ErrorCode, message: string) => {
       criticals.push({ code, message })
     },

package/src/error-codes.ts

@@ -85,3 +85,17 @@ export enum ErrorCode {
   // Data classification errors
   PII_IN_OUTPUT = 'PKU910',
 }
+
+/**
+ * Severity of a tracked, coded diagnostic. `critical` always blocks the build;
+ * `error`/`warn` only block when the CLI is told to via `--fail-on-error` /
+ * `--fail-on-warn` (default: critical only). All severities are still printed.
+ */
+export type DiagnosticSeverity = 'warn' | 'error' | 'critical'
+
+/** A coded diagnostic emitted via `logger.diagnostic(...)`. */
+export interface CodedDiagnostic {
+  severity: DiagnosticSeverity
+  code: ErrorCode
+  message: string
+}

package/src/index.ts

@@ -3,6 +3,7 @@ export type { TypesMap } from './types-map.js'
 export type * from './types.js'
 export type { FilesAndMethodsErrors } from './utils/get-files-and-methods.js'
 export { ErrorCode } from './error-codes.js'
+export type { DiagnosticSeverity, CodedDiagnostic } from './error-codes.js'
 export { AUTH_HANDLER_FUNC_ID } from './add/add-auth.js'
 export {
   serializeInspectorState,

package/src/inspector.ts

@@ -256,9 +256,16 @@ export const inspect = async (
   const rootDir = options.rootDir || findCommonAncestor(routeFiles)
 
   const startSourceFiles = performance.now()
+  // node_modules under rootDir (e.g. a locally-installed addon) is a
+  // dependency, not project source — scanning it double-counts the addon's
+  // own application types (CoreConfig/Services/SingletonServices).
   const sourceFiles = program
     .getSourceFiles()
-    .filter((sf) => sf.fileName.startsWith(rootDir))
+    .filter(
+      (sf) =>
+        sf.fileName.startsWith(rootDir) &&
+        !sf.fileName.includes('/node_modules/')
+    )
   logger.debug(
     `Got source files in ${(performance.now() - startSourceFiles).toFixed(2)}ms`
   )

package/src/types.ts

@@ -25,7 +25,7 @@ import type {
   JSONValue,
 } from '@pikku/core'
 import type { OpenAPISpecInfo } from './utils/serialize-openapi-json.js'
-import type { ErrorCode } from './error-codes.js'
+import type { ErrorCode, CodedDiagnostic } from './error-codes.js'
 import type {
   VersionManifest,
   VersionValidateError,
@@ -238,6 +238,15 @@ export interface InspectorLogger {
   error: (message: string) => void
   warn: (message: string) => void
   debug: (message: string) => void
+  /**
+   * Emit a tracked, coded diagnostic. It is recorded and printed; `error`/`warn`
+   * only block the build when the CLI is run with `--fail-on-error` /
+   * `--fail-on-warn` (default: critical only). Use this for issues worth
+   * surfacing (e.g. data-classification leaks) that should not stop the dev
+   * server from starting.
+   */
+  diagnostic: (diagnostic: CodedDiagnostic) => void
+  /** Sugar for `diagnostic({ severity: 'critical', code, message })`. */
   critical: (code: ErrorCode, message: string) => void
   hasCriticalErrors: () => boolean
 }
@@ -318,6 +327,9 @@ export interface AuthDefinition {
    *  `auth-meta.gen.json` so the console SSO page can show which plugins are
    *  enabled. */
   plugins: string[]
+  /** Whether `session.cookieCache` is enabled — drives the stateless session
+   * middleware split in the auth codegen. Absent/false ⇒ stateful middleware. */
+  cookieCache?: boolean
   /**
    * Singleton services the generated auth handler must have available at
    * runtime — the services the `pikkuBetterAuth` factory reaches for (either

package/src/utils/extract-node-value.test.ts

@@ -1,7 +1,7 @@
 import { test, describe } from 'node:test'
 import { strict as assert } from 'node:assert'
 import * as ts from 'typescript'
-import { extractDescription } from './extract-node-value'
+import { extractDescription, extractStringLiteral } from './extract-node-value'
 
 const createChecker = (source: string) => {
   const sourceFile = ts.createSourceFile(
@@ -67,3 +67,51 @@ describe('extractDescription', () => {
     assert.equal(extractDescription(sourceFile, checker), null)
   })
 })
+
+describe('extractStringLiteral — concatenation/template symmetry', () => {
+  const findInitializer = (node: ts.Node): ts.Expression | undefined => {
+    if (ts.isVariableDeclaration(node) && node.initializer) {
+      return node.initializer
+    }
+    let result: ts.Expression | undefined
+    ts.forEachChild(node, (child) => {
+      if (!result) result = findInitializer(child)
+    })
+    return result
+  }
+
+  test('a `+` operand that cannot be statically resolved becomes a ${...} placeholder', () => {
+    const { checker, sourceFile } = createChecker(
+      `const x = 'Enrich event ' + (event.id ?? event.name)`
+    )
+    const init = findInitializer(sourceFile)!
+    assert.equal(
+      extractStringLiteral(init, checker),
+      'Enrich event ${event.id ?? event.name}'
+    )
+  })
+
+  test('`+` concatenation and template literal produce the same display string', () => {
+    const concat = createChecker(
+      `const x = 'Enrich event ' + (event.id ?? event.name)`
+    )
+    const template = createChecker(
+      'const x = `Enrich event ${event.id ?? event.name}`'
+    )
+    const concatValue = extractStringLiteral(
+      findInitializer(concat.sourceFile)!,
+      concat.checker
+    )
+    const templateValue = extractStringLiteral(
+      findInitializer(template.sourceFile)!,
+      template.checker
+    )
+    assert.equal(concatValue, templateValue)
+  })
+
+  test('still resolves fully-static concatenation exactly', () => {
+    const { checker, sourceFile } = createChecker(`const x = 'a' + 'b' + 'c'`)
+    const init = findInitializer(sourceFile)!
+    assert.equal(extractStringLiteral(init, checker), 'abc')
+  })
+})

package/src/utils/extract-node-value.ts

@@ -37,8 +37,8 @@ export function extractStringLiteral(
     node.operatorToken.kind === ts.SyntaxKind.PlusToken
   ) {
     return (
-      extractStringLiteral(node.left, checker) +
-      extractStringLiteral(node.right, checker)
+      extractConcatOperand(node.left, checker) +
+      extractConcatOperand(node.right, checker)
     )
   }
 
@@ -59,6 +59,23 @@ export function extractStringLiteral(
   throw new Error('Unable to extract string literal from node')
 }
 
+/**
+ * Resolve one operand of a `+` string concatenation.
+ *
+ * An operand that can't be statically resolved (e.g. `a ?? b`) becomes a
+ * `${...}` placeholder rather than throwing — mirroring the TemplateExpression
+ * branch above, so `'x ' + expr` and `` `x ${expr}` `` produce the same string.
+ * This keeps an unresolvable display name from aborting the whole extraction.
+ */
+function extractConcatOperand(node: ts.Node, checker: ts.TypeChecker): string {
+  try {
+    return extractStringLiteral(node, checker)
+  } catch {
+    const inner = ts.isParenthesizedExpression(node) ? node.expression : node
+    return '${' + inner.getText() + '}'
+  }
+}
+
 /**
  * Check if node is string-like (string literal or template expression)
  */

package/src/utils/filter-inspector-state.test.ts

@@ -344,6 +344,7 @@ const mockLogger = {
   error: () => {},
   warn: () => {},
   debug: () => {},
+  diagnostic: () => {},
   critical: () => {},
   hasCriticalErrors: () => false,
 }

package/src/utils/filter-utils.test.ts

@@ -10,6 +10,7 @@ describe('matchesFilters', () => {
     error: () => {},
     warn: () => {},
     debug: () => {},
+    diagnostic: () => {},
     critical: () => {},
     hasCriticalErrors: () => false,
   }

package/src/utils/resolve-versions.test.ts

@@ -43,6 +43,7 @@ function makeLogger() {
       info: () => {},
       warn: () => {},
       error: (msg: string) => errors.push(msg),
+      diagnostic: ({ message }: { message: string }) => errors.push(message),
       critical: (_code: string, msg: string) => errors.push(msg),
     },
     errors,

package/src/utils/workflow/dsl/extract-dsl-workflow.ts

@@ -386,6 +386,22 @@ function extractVariableDeclaration(
         return step
       }
     }
+
+    // Promise.all fanout/group captured into a variable
+    // (const results = await Promise.all(array.map(...)))
+    if (isParallelFanout(call) || isParallelGroup(call)) {
+      const step = isParallelFanout(call)
+        ? extractParallelFanout(call, context)
+        : extractParallelGroup(call, context)
+      if (step) {
+        const type = context.checker.getTypeAtLocation(decl)
+        context.outputVars.set(varName, { type, node: decl })
+        if (isArrayType(type, context.checker)) {
+          context.arrayVars.add(varName)
+        }
+        return step
+      }
+    }
   }
 
   // Check for array.filter(...)