@salesforce/graphiti 10.10.2

package/src/lib/__tests__/auth.spec.ts

@@ -0,0 +1,292 @@
+/**
+ * Copyright (c) 2026, Salesforce, Inc.,
+ * All rights reserved.
+ * For full license text, see the LICENSE.txt file
+ */
+
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+vi.mock("@salesforce/core", () => ({
+	Org: { create: vi.fn() },
+	AuthInfo: { listAllAuthorizations: vi.fn() },
+}));
+
+const { Org, AuthInfo } = await import("@salesforce/core");
+const { clearOrgAuthCache, getOrgAuth, listOrgs } = await import("../auth.js");
+
+const orgCreateMock = vi.mocked(Org.create);
+// AuthInfo.listAllAuthorizations is exercised by listOrgs tests (re-enabled in Task 2)
+const listAuthsMock = vi.mocked(AuthInfo.listAllAuthorizations);
+
+function mockOrg(
+	fields: Record<string, unknown>,
+	opts: { accessToken?: string | null; instanceUrl?: string } = {},
+) {
+	return {
+		getConnection: () => ({
+			instanceUrl: opts.instanceUrl ?? "https://example.my.salesforce.com/",
+			accessToken: opts.accessToken === undefined ? "00Dxx!token" : opts.accessToken,
+			getAuthInfo: () => ({ getFields: () => fields }),
+		}),
+	} as unknown as Awaited<ReturnType<typeof Org.create>>;
+}
+
+describe("auth", () => {
+	beforeEach(() => {
+		clearOrgAuthCache();
+		orgCreateMock.mockReset();
+		listAuthsMock.mockReset();
+	});
+
+	afterEach(() => {
+		clearOrgAuthCache();
+	});
+
+	describe("getOrgAuth alias validation", () => {
+		const invalidAliases: [string, string][] = [
+			["semicolon", "good;rm -rf ~"],
+			["dollar", "good$(whoami)"],
+			["backtick", "good`whoami`"],
+			["newline", "good\nrm"],
+			["space", "good org"],
+			["leading hyphen (flag injection)", "-foo"],
+			["leading dot", ".foo"],
+			["embedded space in email", "user @example.com"],
+			["empty string", ""],
+			["over 253 chars", "a".repeat(254)],
+		];
+
+		for (const [label, alias] of invalidAliases) {
+			it(`rejects invalid alias: ${label}`, async () => {
+				await expect(getOrgAuth(alias)).rejects.toThrow(/alias or username/i);
+				expect(orgCreateMock).not.toHaveBeenCalled();
+			});
+		}
+
+		it("does not echo the offending alias verbatim into the error message", async () => {
+			const malicious = "evil;rm -rf ~";
+			await expect(getOrgAuth(malicious)).rejects.toThrow();
+			try {
+				await getOrgAuth(malicious);
+			} catch (err) {
+				expect((err as Error).message).not.toContain(malicious);
+			}
+		});
+	});
+
+	describe("getOrgAuth username/email acceptance", () => {
+		const validIdentifiers: [string, string][] = [
+			["simple alias", "MyOrg"],
+			["alias with hyphen and underscore", "MyOrg-1_2"],
+			["plain email username", "user@example.com"],
+			["email with sandbox suffix", "admin@my-company.com.sandbox"],
+			["email with plus tag and complex domain", "dev+build1@scratch-org-12.example.com"],
+			["org id", "00D5g00000ABCDE"],
+		];
+
+		for (const [label, identifier] of validIdentifiers) {
+			it(`accepts valid identifier: ${label}`, async () => {
+				orgCreateMock.mockResolvedValueOnce(
+					mockOrg({ username: "user@example.com", orgId: "00Dxx0000000000" }),
+				);
+				await expect(getOrgAuth(identifier)).resolves.not.toThrow();
+				expect(orgCreateMock).toHaveBeenCalledWith({ aliasOrUsername: identifier });
+			});
+		}
+	});
+
+	describe("getOrgAuth happy path", () => {
+		it("resolves via Org.create and maps fields", async () => {
+			orgCreateMock.mockResolvedValueOnce(
+				mockOrg({ username: "user@example.com", orgId: "00Dxx0000000000" }),
+			);
+			const auth = await getOrgAuth("MyOrg-1_2");
+			expect(orgCreateMock).toHaveBeenCalledWith({ aliasOrUsername: "MyOrg-1_2" });
+			expect(auth.accessToken).toBe("00Dxx!token");
+			expect(auth.instanceUrl).toBe("https://example.my.salesforce.com"); // trailing slash stripped
+			expect(auth.username).toBe("user@example.com");
+			expect(auth.orgId).toBe("00Dxx0000000000");
+			expect(auth.alias).toBe("MyOrg-1_2");
+		});
+
+		it("memoizes: a second call does not re-create the org", async () => {
+			orgCreateMock.mockResolvedValueOnce(mockOrg({ username: "u", orgId: "00D" }));
+			await getOrgAuth("CachedOrg");
+			await getOrgAuth("CachedOrg");
+			expect(orgCreateMock).toHaveBeenCalledTimes(1);
+		});
+
+		it("throws a re-auth hint when access token is missing", async () => {
+			orgCreateMock.mockResolvedValueOnce(
+				mockOrg({ username: "u", orgId: "00D" }, { accessToken: null }),
+			);
+			await expect(getOrgAuth("NoToken")).rejects.toThrow(/sf org login/i);
+		});
+
+		it("wraps Org.create failure with a re-auth hint and preserves the cause", async () => {
+			orgCreateMock.mockRejectedValue(new Error("NamedOrgNotFound"));
+			await expect(getOrgAuth("MissingOrg")).rejects.toThrow(/sf org login web --alias MissingOrg/);
+			await expect(getOrgAuth("MissingOrg")).rejects.toThrow(/NamedOrgNotFound/);
+		});
+
+		it('falls back to "unknown" when username/orgId are absent', async () => {
+			orgCreateMock.mockResolvedValueOnce(mockOrg({})); // empty fields
+			const auth = await getOrgAuth("SparseOrg");
+			expect(auth.username).toBe("unknown");
+			expect(auth.orgId).toBe("unknown");
+		});
+
+		it("accepts an alias starting with underscore", async () => {
+			orgCreateMock.mockResolvedValueOnce(
+				mockOrg({ username: "user@example.com", orgId: "00Dxx0000000000" }),
+			);
+			await expect(getOrgAuth("_internal")).resolves.not.toThrow();
+			expect(orgCreateMock).toHaveBeenCalledTimes(1);
+		});
+	});
+
+	describe("listOrgs", () => {
+		it("maps scratch and non-scratch and prefers alias over username", async () => {
+			listAuthsMock.mockResolvedValueOnce([
+				{
+					aliases: ["Prod"],
+					username: "p@example.com",
+					instanceUrl: "https://p.my.salesforce.com/",
+					orgId: "00DP",
+					isScratchOrg: false,
+					isExpired: false,
+					oauthMethod: "web",
+					configs: [],
+				},
+				{
+					aliases: ["Scr"],
+					username: "s@example.com",
+					instanceUrl: "https://s.my.salesforce.com",
+					orgId: "00DS",
+					isScratchOrg: true,
+					isExpired: false,
+					oauthMethod: "web",
+					configs: [],
+				},
+			] as never);
+			const orgs = await listOrgs();
+			expect(orgs).toHaveLength(2);
+			expect(orgs[0]).toMatchObject({
+				alias: "Prod",
+				type: "non-scratch",
+				instanceUrl: "https://p.my.salesforce.com",
+			});
+			expect(orgs[1]).toMatchObject({ alias: "Scr", type: "scratch" });
+		});
+
+		it("falls back to username when an org has no alias", async () => {
+			listAuthsMock.mockResolvedValueOnce([
+				{
+					aliases: null,
+					username: "noalias@example.com",
+					instanceUrl: "https://n.my.salesforce.com",
+					orgId: "00DN",
+					isScratchOrg: false,
+					isExpired: false,
+					oauthMethod: "web",
+					configs: [],
+				},
+			] as never);
+			const orgs = await listOrgs();
+			expect(orgs).toHaveLength(1);
+			expect(orgs[0].alias).toBe("noalias@example.com");
+			expect(orgs[0].username).toBe("noalias@example.com");
+		});
+
+		it("skips orgs with neither alias nor username", async () => {
+			listAuthsMock.mockResolvedValueOnce([
+				{
+					aliases: null,
+					username: "",
+					instanceUrl: "https://x.my.salesforce.com",
+					orgId: "00DX",
+					isScratchOrg: false,
+					isExpired: false,
+					oauthMethod: "web",
+					configs: [],
+				},
+			] as never);
+			expect(await listOrgs()).toHaveLength(0);
+		});
+
+		it("marks isConnected=true when a session's orgAlias matches one of the org's aliases", async () => {
+			const home = fs.mkdtempSync(path.join(os.tmpdir(), "graphiti-conn-"));
+			const sessionsDir = path.join(home, "sessions");
+			fs.mkdirSync(sessionsDir, { recursive: true });
+			fs.writeFileSync(path.join(sessionsDir, "s1.json"), JSON.stringify({ orgAlias: "Prod" }));
+			const prev = process.env.GRAPHITI_HOME;
+			process.env.GRAPHITI_HOME = home;
+			try {
+				listAuthsMock.mockResolvedValueOnce([
+					{
+						aliases: ["Prod"],
+						username: "p@example.com",
+						instanceUrl: "https://p.my.salesforce.com",
+						orgId: "00DP",
+						isScratchOrg: false,
+						isExpired: false,
+						oauthMethod: "web",
+						configs: [],
+					},
+					{
+						aliases: ["Other"],
+						username: "o@example.com",
+						instanceUrl: "https://o.my.salesforce.com",
+						orgId: "00DO",
+						isScratchOrg: false,
+						isExpired: false,
+						oauthMethod: "web",
+						configs: [],
+					},
+				] as never);
+				const orgs = await listOrgs();
+				expect(orgs.find((o) => o.alias === "Prod")?.isConnected).toBe(true);
+				expect(orgs.find((o) => o.alias === "Other")?.isConnected).toBe(false);
+			} finally {
+				if (prev === undefined) delete process.env.GRAPHITI_HOME;
+				else process.env.GRAPHITI_HOME = prev;
+				fs.rmSync(home, { recursive: true, force: true });
+			}
+		});
+
+		it("marks isConnected=true when a session's orgAlias matches the org's username (no alias)", async () => {
+			const home = fs.mkdtempSync(path.join(os.tmpdir(), "graphiti-conn-"));
+			const sessionsDir = path.join(home, "sessions");
+			fs.mkdirSync(sessionsDir, { recursive: true });
+			fs.writeFileSync(
+				path.join(sessionsDir, "s1.json"),
+				JSON.stringify({ orgAlias: "user@example.com" }),
+			);
+			const prev = process.env.GRAPHITI_HOME;
+			process.env.GRAPHITI_HOME = home;
+			try {
+				listAuthsMock.mockResolvedValueOnce([
+					{
+						aliases: null,
+						username: "user@example.com",
+						instanceUrl: "https://u.my.salesforce.com",
+						orgId: "00DU",
+						isScratchOrg: false,
+						isExpired: false,
+						oauthMethod: "web",
+						configs: [],
+					},
+				] as never);
+				const orgs = await listOrgs();
+				expect(orgs[0].isConnected).toBe(true);
+			} finally {
+				if (prev === undefined) delete process.env.GRAPHITI_HOME;
+				else process.env.GRAPHITI_HOME = prev;
+				fs.rmSync(home, { recursive: true, force: true });
+			}
+		});
+	});
+});

package/src/lib/__tests__/formatter.spec.ts

@@ -0,0 +1,86 @@
+/**
+ * Copyright (c) 2026, Salesforce, Inc.,
+ * All rights reserved.
+ * For full license text, see the LICENSE.txt file
+ */
+
+import { describe, expect, it } from "vitest";
+import { formatDirectoryListing, formatTypeInfo } from "../formatter.js";
+import type { FieldInfo } from "../walker.js";
+
+function mockField(name: string): FieldInfo {
+	return {
+		name,
+		typeName: `${name}Connection`,
+		typeKind: "OBJECT",
+		isNonNull: false,
+		isList: false,
+		description: null,
+		args: [],
+	};
+}
+
+describe("formatter", () => {
+	describe("formatDirectoryListing", () => {
+		it("hides Data Cloud fields and shows hint", () => {
+			const result = {
+				type: {} as never,
+				typeName: "RecordQuery",
+				kind: "OBJECT" as const,
+				fields: [
+					mockField("Account"),
+					mockField("ssot__Account__dlm"),
+					mockField("ssot__Contact__dlm"),
+					mockField("Case"),
+				],
+				args: [],
+				possibleTypes: [],
+				isLeaf: false,
+				inMutationRecord: false,
+				mutationHiddenFields: [],
+			};
+			const output = formatDirectoryListing(result, { all: true });
+			expect(output).not.toContain("ssot__Account__dlm");
+			expect(output).not.toContain("ssot__Contact__dlm");
+			expect(output).toContain("Account");
+			expect(output).toContain("Case");
+			expect(output).toContain("2 Data Cloud fields hidden");
+		});
+
+		it("shows Data Cloud fields with dataCloud opt", () => {
+			const result = {
+				type: {} as never,
+				typeName: "RecordQuery",
+				kind: "OBJECT" as const,
+				fields: [mockField("Account"), mockField("ssot__Account__dlm"), mockField("Case")],
+				args: [],
+				possibleTypes: [],
+				isLeaf: false,
+				inMutationRecord: false,
+				mutationHiddenFields: [],
+			};
+			const output = formatDirectoryListing(result, { all: true, dataCloud: true });
+			expect(output).toContain("ssot__Account__dlm");
+			expect(output).not.toContain("Data Cloud fields hidden");
+		});
+	});
+
+	describe("formatTypeInfo", () => {
+		it("hides Data Cloud fields and shows hint", () => {
+			const info = {
+				name: "RecordQuery",
+				kind: "OBJECT" as const,
+				description: null,
+				fields: [mockField("Account"), mockField("ssot__Account__dlm"), mockField("Case")],
+				inputFields: [],
+				enumValues: [],
+				possibleTypes: [],
+				interfaces: [],
+			};
+			const output = formatTypeInfo(info, undefined, {});
+			expect(output).not.toContain("ssot__Account__dlm");
+			expect(output).toContain("Account");
+			expect(output).toContain("1 Data Cloud fields hidden");
+		});
+	});
+});

package/src/lib/__tests__/graphql-name.spec.ts

@@ -0,0 +1,64 @@
+/**
+ * Copyright (c) 2026, Salesforce, Inc.,
+ * All rights reserved.
+ * For full license text, see the LICENSE.txt file
+ */
+
+import { describe, expect, it } from "vitest";
+import { assertGraphqlName, GRAPHQL_NAME_RE } from "../graphql-name.js";
+
+/**
+ * Single source of truth for the GraphQL Name guard shared by every intent
+ * builder. The exhaustive valid/invalid matrix lives here; each builder spec
+ * keeps just one representative case proving it wires the guard in.
+ */
+describe("lib/graphql-name", () => {
+	describe("assertGraphqlName", () => {
+		it.each(["Account", "Custom_Object__c", "_Foo", "_", "a", "a1_2b", "CreateAccount"])(
+			"accepts the valid GraphQL Name %j",
+			(value) => {
+				expect(() => assertGraphqlName(value, "buildX", "operationName")).not.toThrow();
+			},
+		);
+
+		it.each([
+			"", // empty
+			"1Bad", // leading digit
+			"my-op", // hyphen
+			"has spaces", // internal space
+			"$op", // leading $ (no stripping in the operation-name position)
+			"   ", // whitespace only
+			" leading", // leading space
+			"trailing ", // trailing space
+			"X { uiapi { __typename } } query Y", // the injection payload from W-22731343
+			"}}__schema{types{name", // brace injection
+		])("rejects the invalid GraphQL Name %j", (value) => {
+			expect(() => assertGraphqlName(value, "buildX", "operationName")).toThrow(
+				/is not a valid GraphQL Name/,
+			);
+		});
+
+		it("throws the exact builder- and field-prefixed message", () => {
+			expect(() => assertGraphqlName("my-op", "buildList", "operationName")).toThrow(
+				"buildList: operationName 'my-op' is not a valid GraphQL Name (must match /^[A-Za-z_][A-Za-z0-9_]*$/)",
+			);
+		});
+
+		it("uses the supplied builder and field labels verbatim", () => {
+			expect(() => assertGraphqlName("1x", "buildRaw", "typeName")).toThrow(
+				/^buildRaw: typeName '1x' is not a valid GraphQL Name/,
+			);
+		});
+	});
+
+	describe("GRAPHQL_NAME_RE", () => {
+		it("matches the GraphQL Name production and rejects non-conforming names", () => {
+			expect(GRAPHQL_NAME_RE.test("Account")).toBe(true);
+			expect(GRAPHQL_NAME_RE.test("_Foo")).toBe(true);
+			expect(GRAPHQL_NAME_RE.test("Custom_Object__c")).toBe(true);
+			expect(GRAPHQL_NAME_RE.test("1Bad")).toBe(false);
+			expect(GRAPHQL_NAME_RE.test("has spaces")).toBe(false);
+			expect(GRAPHQL_NAME_RE.test("")).toBe(false);
+		});
+	});
+});