@soulbatical/tetra-dev-toolkit 1.16.1 → 1.16.2
|
@@ -135,50 +135,53 @@ export async function run(config, projectRoot) {
|
|
|
135
135
|
|
|
136
136
|
if (whitelistMatch) {
|
|
137
137
|
const rawLines = whitelistMatch[1].split('\n')
|
|
138
|
-
let
|
|
138
|
+
let groupComment = null
|
|
139
139
|
|
|
140
140
|
for (let i = 0; i < rawLines.length; i++) {
|
|
141
141
|
const line = rawLines[i].trim()
|
|
142
142
|
|
|
143
|
-
// Track comments —
|
|
144
|
-
|
|
145
|
-
if (
|
|
146
|
-
|
|
143
|
+
// Track group comments — a comment line that is NOT inline with an entry
|
|
144
|
+
// Group comments apply to ALL entries below them until the next group comment
|
|
145
|
+
if (/^\s*\/\//.test(line) && !line.match(/['"][^'"]+['"]/)) {
|
|
146
|
+
const commentText = line.replace(/^\s*\/\/\s*/, '').trim()
|
|
147
|
+
if (commentText.length > 0) {
|
|
148
|
+
groupComment = commentText
|
|
149
|
+
}
|
|
147
150
|
continue
|
|
148
151
|
}
|
|
149
152
|
|
|
153
|
+
// Skip empty lines (don't reset group comment)
|
|
154
|
+
if (!line || line === ',') continue
|
|
155
|
+
|
|
150
156
|
const entryMatch = line.match(/['"]([^'"]+)['"]/)
|
|
151
|
-
if (!entryMatch)
|
|
157
|
+
if (!entryMatch) continue
|
|
152
158
|
|
|
153
159
|
const entry = entryMatch[1]
|
|
154
160
|
whitelist.add(entry)
|
|
155
161
|
|
|
156
162
|
// Check for inline comment: 'entry', // reason
|
|
157
163
|
const inlineCommentMatch = line.match(/['"][^'"]+['"]\s*,?\s*\/\/\s*(.+)/)
|
|
158
|
-
const
|
|
164
|
+
const inlineReason = inlineCommentMatch ? inlineCommentMatch[1].trim() : null
|
|
165
|
+
|
|
166
|
+
// Entry is justified if it has an inline comment OR falls under a group comment
|
|
167
|
+
const hasJustification = inlineReason || groupComment
|
|
159
168
|
|
|
160
|
-
|
|
161
|
-
|
|
169
|
+
if (!hasJustification) {
|
|
170
|
+
// Find line number in original file
|
|
171
|
+
const entryLineInFile = systemDbContent.substring(0, systemDbContent.indexOf(entry)).split('\n').length
|
|
162
172
|
|
|
163
|
-
if (!reason) {
|
|
164
173
|
results.findings.push({
|
|
165
174
|
file: systemDbPath.replace(projectRoot + '/', ''),
|
|
166
175
|
line: entryLineInFile,
|
|
167
176
|
type: 'whitelist-no-justification',
|
|
168
177
|
severity: 'high',
|
|
169
|
-
message: `systemDB whitelist entry '${entry}' has NO comment explaining WHY it needs service role key access.
|
|
178
|
+
message: `systemDB whitelist entry '${entry}' has NO comment explaining WHY it needs service role key access. Add a group comment above or an inline comment.`,
|
|
170
179
|
fix: `Add a comment explaining why '${entry}' cannot use adminDB/userDB. Example:\n // OAuth callback — browser redirect, no JWT in header\n '${entry}',`
|
|
171
180
|
})
|
|
172
181
|
results.summary.high++
|
|
173
182
|
results.summary.total++
|
|
174
183
|
results.passed = false
|
|
175
184
|
}
|
|
176
|
-
|
|
177
|
-
// Reset lastComment after consuming it for a non-dynamic entry
|
|
178
|
-
// (don't reset for "// Dynamic:" comments which apply to patterns, not specific entries)
|
|
179
|
-
if (lastComment && !lastComment.toLowerCase().startsWith('dynamic')) {
|
|
180
|
-
lastComment = null
|
|
181
|
-
}
|
|
182
185
|
}
|
|
183
186
|
}
|
|
184
187
|
|
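Review bot: `groupComment` is assigned at new line 148 and never cleared in the loop shown, so `hasJustification = inlineReason || groupComment` is true for every entry after the first comment in the whitelist, including entries appended later with no reason of their own. Because this finding is about service role key access, one header comment can now silence `whitelist-no-justification` for the rest of the list. Consider ending a group at a blank line, e.g. `if (!line) { groupComment = null; continue }` followed by `if (line === ',') continue`, so each group of entries needs its own comment. Separately, `systemDbContent.indexOf(entry)` returns the first occurrence of that text anywhere in the file, so the reported `line` can point at a comment or at a longer entry containing the same substring. `run()` starts and ends outside this hunk.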