@sentry/warden 0.0.0

package/src/triggers/matcher.test.ts

@@ -0,0 +1,277 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  matchGlob,
+  matchTrigger,
+  shouldFail,
+  countFindingsAtOrAbove,
+  countSeverity,
+  clearGlobCache,
+  getGlobCacheSize,
+} from './matcher.js';
+import type { Trigger } from '../config/schema.js';
+import { SEVERITY_ORDER } from '../types/index.js';
+import type { EventContext, SkillReport } from '../types/index.js';
+
+/** Test helper to create a SkillReport with given severities */
+function makeReport(severities: string[]): SkillReport {
+  return {
+    skill: 'test',
+    summary: 'Test report',
+    findings: severities.map((s, i) => ({
+      id: `finding-${i}`,
+      severity: s as 'critical' | 'high' | 'medium' | 'low' | 'info',
+      title: `Finding ${i}`,
+      description: 'Test finding',
+    })),
+  };
+}
+
+describe('matchGlob', () => {
+  beforeEach(() => {
+    clearGlobCache();
+  });
+
+  it('matches exact paths', () => {
+    expect(matchGlob('src/index.ts', 'src/index.ts')).toBe(true);
+    expect(matchGlob('src/index.ts', 'src/other.ts')).toBe(false);
+  });
+
+  it('matches single wildcard', () => {
+    expect(matchGlob('src/*.ts', 'src/index.ts')).toBe(true);
+    expect(matchGlob('src/*.ts', 'src/foo/index.ts')).toBe(false);
+    expect(matchGlob('*.ts', 'index.ts')).toBe(true);
+  });
+
+  it('matches double wildcard (globstar)', () => {
+    expect(matchGlob('src/**/*.ts', 'src/index.ts')).toBe(true);
+    expect(matchGlob('src/**/*.ts', 'src/foo/index.ts')).toBe(true);
+    expect(matchGlob('src/**/*.ts', 'src/foo/bar/index.ts')).toBe(true);
+    expect(matchGlob('**/*.ts', 'src/index.ts')).toBe(true);
+  });
+
+  it('matches question mark wildcard', () => {
+    expect(matchGlob('src/?.ts', 'src/a.ts')).toBe(true);
+    expect(matchGlob('src/?.ts', 'src/ab.ts')).toBe(false);
+  });
+
+  it('caches compiled patterns', () => {
+    matchGlob('src/*.ts', 'src/index.ts');
+    expect(getGlobCacheSize()).toBe(1);
+
+    // Same pattern should not increase cache size
+    matchGlob('src/*.ts', 'src/other.ts');
+    expect(getGlobCacheSize()).toBe(1);
+
+    // Different pattern should increase cache size
+    matchGlob('lib/*.js', 'lib/index.js');
+    expect(getGlobCacheSize()).toBe(2);
+  });
+
+  it('evicts oldest entry when cache exceeds max size', () => {
+    // Fill cache with 1000 patterns
+    for (let i = 0; i < 1000; i++) {
+      matchGlob(`pattern${i}/*.ts`, `pattern${i}/file.ts`);
+    }
+    expect(getGlobCacheSize()).toBe(1000);
+
+    // Adding one more should evict the oldest
+    matchGlob('newpattern/*.ts', 'newpattern/file.ts');
+    expect(getGlobCacheSize()).toBe(1000);
+
+    // The first pattern should be evicted (cache miss will re-add it)
+    // We can verify this by checking the cache size doesn't increase
+    // when we add it back
+    const sizeBefore = getGlobCacheSize();
+    matchGlob('pattern0/*.ts', 'pattern0/file.ts');
+    expect(getGlobCacheSize()).toBe(sizeBefore);
+  });
+
+  it('maintains LRU order by refreshing accessed entries', () => {
+    // Add patterns 0, 1, 2
+    matchGlob('pattern0/*.ts', 'pattern0/file.ts');
+    matchGlob('pattern1/*.ts', 'pattern1/file.ts');
+    matchGlob('pattern2/*.ts', 'pattern2/file.ts');
+
+    // Access pattern0 to make it most recently used
+    matchGlob('pattern0/*.ts', 'pattern0/file.ts');
+
+    // Fill cache to max (997 more patterns needed to reach 1000)
+    for (let i = 3; i < 1000; i++) {
+      matchGlob(`pattern${i}/*.ts`, `pattern${i}/file.ts`);
+    }
+    expect(getGlobCacheSize()).toBe(1000);
+
+    // Add one more - should evict pattern1 (oldest not-accessed)
+    matchGlob('newpattern/*.ts', 'newpattern/file.ts');
+    expect(getGlobCacheSize()).toBe(1000);
+  });
+});
+
+describe('matchTrigger', () => {
+  const baseContext: EventContext = {
+    eventType: 'pull_request',
+    action: 'opened',
+    repository: {
+      owner: 'test',
+      name: 'repo',
+      fullName: 'test/repo',
+      defaultBranch: 'main',
+    },
+    pullRequest: {
+      number: 1,
+      title: 'Test PR',
+      body: 'Test body',
+      author: 'user',
+      baseBranch: 'main',
+      headBranch: 'feature',
+      headSha: 'abc123',
+      files: [
+        { filename: 'src/index.ts', status: 'modified', additions: 10, deletions: 5 },
+        { filename: 'README.md', status: 'modified', additions: 2, deletions: 0 },
+      ],
+    },
+    repoPath: '/test/repo',
+  };
+
+  const baseTrigger: Trigger = {
+    name: 'test-trigger',
+    event: 'pull_request',
+    actions: ['opened', 'synchronize'],
+    skill: 'test-skill',
+  };
+
+  it('matches when event and action match', () => {
+    expect(matchTrigger(baseTrigger, baseContext)).toBe(true);
+  });
+
+  it('does not match wrong event type', () => {
+    const trigger = { ...baseTrigger, event: 'issues' as const };
+    expect(matchTrigger(trigger, baseContext)).toBe(false);
+  });
+
+  it('does not match wrong action', () => {
+    const trigger = { ...baseTrigger, actions: ['closed'] };
+    expect(matchTrigger(trigger, baseContext)).toBe(false);
+  });
+
+  it('matches with path filter', () => {
+    const trigger = { ...baseTrigger, filters: { paths: ['src/**/*.ts'] } };
+    expect(matchTrigger(trigger, baseContext)).toBe(true);
+  });
+
+  it('does not match when no files match path filter', () => {
+    const trigger = { ...baseTrigger, filters: { paths: ['lib/**/*.ts'] } };
+    expect(matchTrigger(trigger, baseContext)).toBe(false);
+  });
+
+  it('ignores files matching ignorePaths', () => {
+    const context = {
+      ...baseContext,
+      pullRequest: {
+        ...baseContext.pullRequest!,
+        files: [{ filename: 'README.md', status: 'modified' as const, additions: 1, deletions: 0 }],
+      },
+    };
+    const trigger = { ...baseTrigger, filters: { ignorePaths: ['*.md'] } };
+    expect(matchTrigger(trigger, context)).toBe(false);
+  });
+
+  it('fails when path filters defined but filenames undefined', () => {
+    const context = {
+      ...baseContext,
+      pullRequest: undefined,
+    };
+    const trigger = { ...baseTrigger, filters: { paths: ['src/**/*.ts'] } };
+    expect(matchTrigger(trigger, context)).toBe(false);
+  });
+
+  it('fails when ignorePaths defined but filenames undefined', () => {
+    const context = {
+      ...baseContext,
+      pullRequest: undefined,
+    };
+    const trigger = { ...baseTrigger, filters: { ignorePaths: ['*.md'] } };
+    expect(matchTrigger(trigger, context)).toBe(false);
+  });
+
+  it('fails when path filters defined but files array empty', () => {
+    const context = {
+      ...baseContext,
+      pullRequest: {
+        ...baseContext.pullRequest!,
+        files: [],
+      },
+    };
+    const trigger = { ...baseTrigger, filters: { paths: ['src/**/*.ts'] } };
+    expect(matchTrigger(trigger, context)).toBe(false);
+  });
+
+  it('matches when no filters defined and filenames unavailable', () => {
+    const context = {
+      ...baseContext,
+      pullRequest: undefined,
+    };
+    expect(matchTrigger(baseTrigger, context)).toBe(true);
+  });
+});
+
+describe('shouldFail', () => {
+  it('returns true when findings meet threshold', () => {
+    expect(shouldFail(makeReport(['high']), 'high')).toBe(true);
+    expect(shouldFail(makeReport(['critical']), 'high')).toBe(true);
+    expect(shouldFail(makeReport(['medium']), 'medium')).toBe(true);
+  });
+
+  it('returns false when findings below threshold', () => {
+    expect(shouldFail(makeReport(['low']), 'high')).toBe(false);
+    expect(shouldFail(makeReport(['info']), 'medium')).toBe(false);
+    expect(shouldFail(makeReport([]), 'info')).toBe(false);
+  });
+});
+
+describe('countFindingsAtOrAbove', () => {
+  it('counts findings at or above threshold', () => {
+    const report = makeReport(['critical', 'high', 'medium', 'low', 'info']);
+    expect(countFindingsAtOrAbove(report, 'critical')).toBe(1);
+    expect(countFindingsAtOrAbove(report, 'high')).toBe(2);
+    expect(countFindingsAtOrAbove(report, 'medium')).toBe(3);
+    expect(countFindingsAtOrAbove(report, 'low')).toBe(4);
+    expect(countFindingsAtOrAbove(report, 'info')).toBe(5);
+  });
+});
+
+describe('countSeverity', () => {
+  it('counts findings of specific severity across reports', () => {
+    const reports: SkillReport[] = [
+      {
+        skill: 'test1',
+        summary: 'Test',
+        findings: [
+          { id: '1', severity: 'high', title: 'High 1', description: 'desc' },
+          { id: '2', severity: 'medium', title: 'Medium 1', description: 'desc' },
+        ],
+      },
+      {
+        skill: 'test2',
+        summary: 'Test',
+        findings: [
+          { id: '3', severity: 'high', title: 'High 2', description: 'desc' },
+          { id: '4', severity: 'high', title: 'High 3', description: 'desc' },
+        ],
+      },
+    ];
+
+    expect(countSeverity(reports, 'high')).toBe(3);
+    expect(countSeverity(reports, 'medium')).toBe(1);
+    expect(countSeverity(reports, 'low')).toBe(0);
+  });
+});
+
+describe('SEVERITY_ORDER', () => {
+  it('has correct ordering (lower = more severe)', () => {
+    expect(SEVERITY_ORDER.critical).toBeLessThan(SEVERITY_ORDER.high);
+    expect(SEVERITY_ORDER.high).toBeLessThan(SEVERITY_ORDER.medium);
+    expect(SEVERITY_ORDER.medium).toBeLessThan(SEVERITY_ORDER.low);
+    expect(SEVERITY_ORDER.low).toBeLessThan(SEVERITY_ORDER.info);
+  });
+});

package/src/triggers/matcher.ts

@@ -0,0 +1,152 @@
+import type { Trigger } from '../config/schema.js';
+import { SEVERITY_ORDER } from '../types/index.js';
+import type { EventContext, Severity, SeverityThreshold, SkillReport } from '../types/index.js';
+
+/** Maximum number of patterns to cache (LRU eviction when exceeded) */
+const GLOB_CACHE_MAX_SIZE = 1000;
+
+/** Cache for compiled glob patterns with LRU eviction */
+const globCache = new Map<string, RegExp>();
+
+/** Clear the glob cache (useful for testing) */
+export function clearGlobCache(): void {
+  globCache.clear();
+}
+
+/** Get current cache size (useful for testing) */
+export function getGlobCacheSize(): number {
+  return globCache.size;
+}
+
+/**
+ * Convert a glob pattern to a regex (cached with LRU eviction).
+ */
+function globToRegex(pattern: string): RegExp {
+  const cached = globCache.get(pattern);
+  if (cached) {
+    // Move to end for LRU ordering (delete and re-add)
+    globCache.delete(pattern);
+    globCache.set(pattern, cached);
+    return cached;
+  }
+
+  // Use placeholders to avoid replacement conflicts
+  let regexPattern = pattern
+    // First, replace glob patterns with placeholders
+    .replace(/\*\*\//g, '\0GLOBSTAR_SLASH\0')
+    .replace(/\*\*/g, '\0GLOBSTAR\0')
+    .replace(/\*/g, '\0STAR\0')
+    .replace(/\?/g, '\0QUESTION\0');
+
+  // Escape regex special characters
+  regexPattern = regexPattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+
+  // Replace placeholders with regex patterns
+  regexPattern = regexPattern
+    .replace(/\0GLOBSTAR_SLASH\0/g, '(?:.*/)?')  // **/ matches zero or more directories
+    .replace(/\0GLOBSTAR\0/g, '.*')               // ** matches anything
+    .replace(/\0STAR\0/g, '[^/]*')                // * matches anything except /
+    .replace(/\0QUESTION\0/g, '[^/]');            // ? matches single char except /
+
+  const regex = new RegExp(`^${regexPattern}$`);
+
+  // Evict oldest entry if cache is full
+  if (globCache.size >= GLOB_CACHE_MAX_SIZE) {
+    const oldestKey = globCache.keys().next().value;
+    if (oldestKey !== undefined) {
+      globCache.delete(oldestKey);
+    }
+  }
+
+  globCache.set(pattern, regex);
+  return regex;
+}
+
+/**
+ * Match a glob pattern against a file path.
+ * Supports ** for recursive matching and * for single directory matching.
+ */
+export function matchGlob(pattern: string, path: string): boolean {
+  return globToRegex(pattern).test(path);
+}
+
+/**
+ * Check if a trigger matches the given event context.
+ */
+export function matchTrigger(trigger: Trigger, context: EventContext): boolean {
+  if (trigger.event !== context.eventType) {
+    return false;
+  }
+
+  // Schedule events don't have actions - they match based on whether
+  // any files match the paths filter (context was already built with matching files)
+  if (trigger.event === 'schedule') {
+    return (context.pullRequest?.files.length ?? 0) > 0;
+  }
+
+  // For non-schedule events, actions must match
+  if (!trigger.actions?.includes(context.action)) {
+    return false;
+  }
+
+  const filenames = context.pullRequest?.files.map((f) => f.filename);
+  const pathPatterns = trigger.filters?.paths;
+  const ignorePatterns = trigger.filters?.ignorePaths;
+
+  // Fail trigger match when path filters are defined but filenames unavailable
+  // This prevents filters from being silently bypassed on API failures
+  if ((pathPatterns || ignorePatterns) && (!filenames || filenames.length === 0)) {
+    return false;
+  }
+
+  if (pathPatterns && filenames) {
+    const hasMatch = filenames.some((file) =>
+      pathPatterns.some((pattern) => matchGlob(pattern, file))
+    );
+    if (!hasMatch) {
+      return false;
+    }
+  }
+
+  if (ignorePatterns && filenames) {
+    const allIgnored = filenames.every((file) =>
+      ignorePatterns.some((pattern) => matchGlob(pattern, file))
+    );
+    if (allIgnored) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Check if a report has any findings at or above the given severity threshold.
+ * Returns false if failOn is 'off' (disabled).
+ */
+export function shouldFail(report: SkillReport, failOn: SeverityThreshold): boolean {
+  if (failOn === 'off') return false;
+  const threshold = SEVERITY_ORDER[failOn];
+  return report.findings.some((f) => SEVERITY_ORDER[f.severity] <= threshold);
+}
+
+/**
+ * Count findings at or above the given severity threshold.
+ * Returns 0 if failOn is 'off' (disabled).
+ */
+export function countFindingsAtOrAbove(report: SkillReport, failOn: SeverityThreshold): number {
+  if (failOn === 'off') return 0;
+  const threshold = SEVERITY_ORDER[failOn];
+  return report.findings.filter((f) => SEVERITY_ORDER[f.severity] <= threshold).length;
+}
+
+/**
+ * Count findings of a specific severity across multiple reports.
+ */
+export function countSeverity(reports: SkillReport[], severity: Severity): number {
+  return reports.reduce(
+    (count, report) =>
+      count + report.findings.filter((f) => f.severity === severity).length,
+    0
+  );
+}

package/src/types/index.ts

@@ -0,0 +1,194 @@
+import { z } from 'zod';
+
+// Severity levels for findings
+export const SeveritySchema = z.enum(['critical', 'high', 'medium', 'low', 'info']);
+export type Severity = z.infer<typeof SeveritySchema>;
+
+// Confidence levels for findings
+export const ConfidenceSchema = z.enum(['high', 'medium', 'low']);
+export type Confidence = z.infer<typeof ConfidenceSchema>;
+
+/**
+ * Confidence order for comparison (lower = more confident).
+ * Single source of truth for confidence ordering across the codebase.
+ */
+export const CONFIDENCE_ORDER: Record<Confidence, number> = {
+  high: 0,
+  medium: 1,
+  low: 2,
+};
+
+// Severity threshold for config options (includes 'off' to disable)
+export const SeverityThresholdSchema = z.enum(['off', 'critical', 'high', 'medium', 'low', 'info']);
+export type SeverityThreshold = z.infer<typeof SeverityThresholdSchema>;
+
+/**
+ * Severity order for comparison (lower = more severe).
+ * Single source of truth for severity ordering across the codebase.
+ */
+export const SEVERITY_ORDER: Record<Severity, number> = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4,
+};
+
+/**
+ * Filter findings to only include those at or above the given severity threshold.
+ * If no threshold is provided, returns all findings unchanged.
+ * If threshold is 'off', returns empty array (disabled).
+ */
+export function filterFindingsBySeverity(findings: Finding[], threshold?: SeverityThreshold): Finding[] {
+  if (!threshold) return findings;
+  if (threshold === 'off') return [];
+  const thresholdOrder = SEVERITY_ORDER[threshold];
+  return findings.filter((f) => SEVERITY_ORDER[f.severity] <= thresholdOrder);
+}
+
+// Location within a file
+export const LocationSchema = z.object({
+  path: z.string(),
+  startLine: z.number().int().positive(),
+  endLine: z.number().int().positive().optional(),
+});
+export type Location = z.infer<typeof LocationSchema>;
+
+// Suggested fix with diff
+export const SuggestedFixSchema = z.object({
+  description: z.string(),
+  diff: z.string(),
+});
+export type SuggestedFix = z.infer<typeof SuggestedFixSchema>;
+
+// Individual finding from a skill
+export const FindingSchema = z.object({
+  id: z.string(),
+  severity: SeveritySchema,
+  confidence: ConfidenceSchema.optional(),
+  title: z.string(),
+  description: z.string(),
+  location: LocationSchema.optional(),
+  suggestedFix: SuggestedFixSchema.optional(),
+  elapsedMs: z.number().nonnegative().optional(),
+});
+export type Finding = z.infer<typeof FindingSchema>;
+
+// Usage statistics from SDK
+export const UsageStatsSchema = z.object({
+  inputTokens: z.number().int().nonnegative(),
+  outputTokens: z.number().int().nonnegative(),
+  cacheReadInputTokens: z.number().int().nonnegative().optional(),
+  cacheCreationInputTokens: z.number().int().nonnegative().optional(),
+  costUSD: z.number().nonnegative(),
+});
+export type UsageStats = z.infer<typeof UsageStatsSchema>;
+
+// Skipped file info for chunking
+export const SkippedFileSchema = z.object({
+  filename: z.string(),
+  reason: z.enum(['pattern', 'builtin']),
+  pattern: z.string().optional(),
+});
+export type SkippedFile = z.infer<typeof SkippedFileSchema>;
+
+// Skill report output
+export const SkillReportSchema = z.object({
+  skill: z.string(),
+  summary: z.string(),
+  findings: z.array(FindingSchema),
+  metadata: z.record(z.string(), z.unknown()).optional(),
+  durationMs: z.number().nonnegative().optional(),
+  usage: UsageStatsSchema.optional(),
+  /** Files that were skipped due to chunking patterns */
+  skippedFiles: z.array(SkippedFileSchema).optional(),
+  /** Number of hunks that failed to analyze (SDK errors, API errors, etc.) */
+  failedHunks: z.number().int().nonnegative().optional(),
+});
+export type SkillReport = z.infer<typeof SkillReportSchema>;
+
+// GitHub event types
+export const GitHubEventTypeSchema = z.enum([
+  'pull_request',
+  'issues',
+  'issue_comment',
+  'pull_request_review',
+  'pull_request_review_comment',
+  'schedule',
+]);
+export type GitHubEventType = z.infer<typeof GitHubEventTypeSchema>;
+
+// Pull request actions
+export const PullRequestActionSchema = z.enum([
+  'opened',
+  'synchronize',
+  'reopened',
+  'closed',
+]);
+export type PullRequestAction = z.infer<typeof PullRequestActionSchema>;
+
+// File change info
+export const FileChangeSchema = z.object({
+  filename: z.string(),
+  status: z.enum(['added', 'removed', 'modified', 'renamed', 'copied', 'changed', 'unchanged']),
+  additions: z.number().int().nonnegative(),
+  deletions: z.number().int().nonnegative(),
+  patch: z.string().optional(),
+  chunks: z.number().int().nonnegative().optional(),
+});
+export type FileChange = z.infer<typeof FileChangeSchema>;
+
+/**
+ * Count the number of chunks/hunks in a patch string.
+ * Each chunk starts with @@ -X,Y +A,B @@
+ */
+export function countPatchChunks(patch: string | undefined): number {
+  if (!patch) return 0;
+  const matches = patch.match(/^@@\s/gm);
+  return matches?.length ?? 0;
+}
+
+// Pull request context
+export const PullRequestContextSchema = z.object({
+  number: z.number().int().positive(),
+  title: z.string(),
+  body: z.string().nullable(),
+  author: z.string(),
+  baseBranch: z.string(),
+  headBranch: z.string(),
+  headSha: z.string(),
+  files: z.array(FileChangeSchema),
+});
+export type PullRequestContext = z.infer<typeof PullRequestContextSchema>;
+
+// Repository context
+export const RepositoryContextSchema = z.object({
+  owner: z.string(),
+  name: z.string(),
+  fullName: z.string(),
+  defaultBranch: z.string(),
+});
+export type RepositoryContext = z.infer<typeof RepositoryContextSchema>;
+
+// Full event context
+export const EventContextSchema = z.object({
+  eventType: GitHubEventTypeSchema,
+  action: z.string(),
+  repository: RepositoryContextSchema,
+  pullRequest: PullRequestContextSchema.optional(),
+  repoPath: z.string(),
+});
+export type EventContext = z.infer<typeof EventContextSchema>;
+
+// Retry configuration for SDK calls
+export const RetryConfigSchema = z.object({
+  /** Maximum number of retry attempts (default: 3) */
+  maxRetries: z.number().int().nonnegative().default(3),
+  /** Initial delay in milliseconds before first retry (default: 1000) */
+  initialDelayMs: z.number().int().positive().default(1000),
+  /** Multiplier for exponential backoff (default: 2) */
+  backoffMultiplier: z.number().positive().default(2),
+  /** Maximum delay in milliseconds between retries (default: 30000) */
+  maxDelayMs: z.number().int().positive().default(30000),
+});
+export type RetryConfig = z.infer<typeof RetryConfigSchema>;

package/src/utils/async.ts

@@ -0,0 +1,18 @@
+/**
+ * Process items with limited concurrency using chunked batches.
+ */
+export async function processInBatches<T, R>(
+  items: T[],
+  fn: (item: T) => Promise<R>,
+  batchSize: number
+): Promise<R[]> {
+  const results: R[] = [];
+
+  for (let i = 0; i < items.length; i += batchSize) {
+    const batch = items.slice(i, i + batchSize);
+    const batchResults = await Promise.all(batch.map(fn));
+    results.push(...batchResults);
+  }
+
+  return results;
+}