@xenonbyte/da-vinci-workflow 0.1.21 → 0.1.23

package/lib/audit.js

@@ -2,8 +2,33 @@ const fs = require("fs");
 const path = require("path");
 const { getStandardPenStatePath, readPenState, hashPenDocument, readPenDocument } = require("./pen-persistence");
 const { getSessionStatePath, readSessionState } = require("./pencil-session");
+const { isPathInside, listFilesRecursiveSafe } = require("./fs-safety");
+const {
+  normalizeCheckpointLabel,
+  parseCheckpointStatusMap,
+  hasContextDeltaExpectationSignals,
+  parseSupersedesTokens,
+  buildContextDeltaReferenceIndex,
+  resolveSupersedesReferenceIndices,
+  inspectContextDelta,
+  hasConfiguredDesignSupervisorReview,
+  isDesignSupervisorReviewRequired,
+  inspectDesignSupervisorReview
+} = require("./audit-parsers");
 
 const IMAGE_EXPORT_PATTERN = /\.(png|jpe?g|webp|pdf)$/i;
+const AUDIT_SCAN_LIMITS = Object.freeze({
+  maxDepth: 24,
+  maxEntries: 12000
+});
+const CHANGE_SCAN_LIMITS = Object.freeze({
+  maxDepth: 12,
+  maxEntries: 6000
+});
+const EXPORT_SCAN_LIMITS = Object.freeze({
+  maxDepth: 4,
+  maxEntries: 1200
+});
 
 function pathExists(targetPath) {
   return fs.existsSync(targetPath);
@@ -16,17 +41,10 @@ function readTextIfExists(targetPath) {
   return fs.readFileSync(targetPath, "utf8");
 }
 
-function listFilesRecursive(rootDir) {
-  if (!pathExists(rootDir)) {
-    return [];
-  }
-
-  return fs.readdirSync(rootDir, { withFileTypes: true }).flatMap((entry) => {
-    const fullPath = path.join(rootDir, entry.name);
-    if (entry.isDirectory()) {
-      return listFilesRecursive(fullPath);
-    }
-    return [fullPath];
+function listFilesRecursive(rootDir, limits = {}) {
+  return listFilesRecursiveSafe(rootDir, {
+    includeDotfiles: true,
+    ...limits
   });
 }
 
@@ -45,18 +63,35 @@ function relativeTo(projectRoot, targetPath) {
   return path.relative(projectRoot, targetPath) || ".";
 }
 
-function escapeRegExp(value) {
-  return String(value).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
 function collectRegisteredPenPaths(projectRoot, designRegistryPath) {
   const registryText = readTextIfExists(designRegistryPath);
   const matches = registryText.match(/\.da-vinci\/designs\/[^\s`]+\.pen/g) || [];
-  return [...new Set(matches)].map((relativePath) => path.join(projectRoot, relativePath));
+  const validPaths = [];
+  const escapedPaths = [];
+
+  for (const relativePath of [...new Set(matches)]) {
+    const resolvedPath = path.resolve(projectRoot, relativePath);
+    if (!isPathInside(projectRoot, resolvedPath)) {
+      escapedPaths.push({
+        relativePath,
+        resolvedPath
+      });
+      continue;
+    }
+    validPaths.push(resolvedPath);
+  }
+
+  return {
+    validPaths,
+    escapedPaths
+  };
 }
 
 function getNonEmptyChangeDirs(changesDir) {
-  return listChildDirs(changesDir).filter((changeDir) => listFilesRecursive(changeDir).length > 0);
+  return listChildDirs(changesDir).filter((changeDir) => {
+    const scan = listFilesRecursive(changeDir, CHANGE_SCAN_LIMITS);
+    return scan.files.length > 0;
+  });
 }
 
 function getExpectedChangeArtifacts(changeDir) {
@@ -127,440 +162,37 @@ function pushUnique(targetList, message) {
   }
 }
 
-function getMarkdownSection(text, heading) {
-  if (!text) {
-    return "";
-  }
-
-  const escapedHeading = escapeRegExp(heading);
-  const headingPattern = new RegExp(`^##\\s+${escapedHeading}\\s*$`, "i");
-  const anyHeadingPattern = /^##\s+/;
-  const lines = String(text).replace(/\r\n?/g, "\n").split("\n");
-  const sectionLines = [];
-  let capturing = false;
-
-  for (const line of lines) {
-    if (capturing && anyHeadingPattern.test(line)) {
-      break;
-    }
-
-    if (!capturing && headingPattern.test(line)) {
-      capturing = true;
-      continue;
-    }
-
-    if (capturing) {
-      sectionLines.push(line);
-    }
-  }
-
-  return sectionLines.join("\n").trim();
-}
-
-function normalizeCheckpointLabel(value) {
-  return String(value || "")
-    .toLowerCase()
-    .replace(/`/g, "")
-    .replace(/[_-]+/g, " ")
-    .replace(/\s+/g, " ")
-    .trim();
-}
-
-function parseCheckpointStatusMap(markdownText) {
-  const section = getMarkdownSection(markdownText, "Checkpoint Status");
-  if (!section) {
-    return {};
-  }
-
-  const statuses = {};
-  const matches = section.matchAll(/(?:^|\n)\s*-\s*`?([^`:\n]+?)`?\s*:\s*(PASS|WARN|BLOCK)\b/gi);
-  for (const match of matches) {
-    const label = normalizeCheckpointLabel(match[1]);
-    if (!label) {
-      continue;
-    }
-    statuses[label] = String(match[2]).toUpperCase();
-  }
-
-  return statuses;
-}
-
-function hasContextDeltaExpectationSignals(markdownText) {
-  const text = String(markdownText || "");
-  return (
-    /##\s+(Checkpoint Status|MCP Runtime Gate)\b/i.test(text) ||
-    /(?:^|\n)\s*(?:[-*]\s*)?`?Context Delta Required`?\s*:\s*(?:true|yes|on|1)\b/i.test(text)
-  );
-}
-
-function parseSupersedesTokens(value) {
-  return String(value || "")
-    .split(/[,\n;]/)
-    .map((token) => token.trim())
-    .filter(Boolean);
-}
-
-function normalizeTimeToken(value) {
-  const raw = String(value || "").trim();
-  if (!raw) {
-    return "";
-  }
-
-  const parseCandidates = [];
-  const rawWithT = raw.includes(" ") ? raw.replace(/\s+/, "T") : raw;
-  const hasExplicitTimezone = /(?:Z|[+-]\d{2}:?\d{2})$/i.test(rawWithT);
-
-  if (!hasExplicitTimezone && /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}/.test(rawWithT)) {
-    parseCandidates.push(`${rawWithT}Z`);
-  }
-
-  parseCandidates.push(rawWithT);
-  parseCandidates.push(raw);
-
-  for (const candidate of parseCandidates) {
-    const timestamp = Date.parse(candidate);
-    if (!Number.isFinite(timestamp)) {
-      continue;
-    }
-    return new Date(timestamp).toISOString();
-  }
-
-  return "";
-}
-
-function getTimeReferenceKeys(value) {
-  const raw = String(value || "").trim();
-  if (!raw) {
-    return [];
-  }
-
-  const keys = new Set([raw]);
-
-  if (raw.includes(" ")) {
-    keys.add(raw.replace(/\s+/, "T"));
-  }
-
-  if (raw.endsWith(".000Z")) {
-    keys.add(raw.replace(".000Z", "Z"));
-  }
-
-  const normalized = normalizeTimeToken(raw);
-  if (normalized) {
-    keys.add(normalized);
-    if (normalized.endsWith(".000Z")) {
-      keys.add(normalized.replace(".000Z", "Z"));
-    }
-  }
-
-  return [...keys];
-}
-
-function buildContextDeltaReferenceIndex(entries) {
-  const referenceIndex = new Map();
-
-  function addReference(key, entryIndex) {
-    const normalizedKey = String(key || "").trim();
-    if (!normalizedKey) {
-      return;
-    }
-
-    const existing = referenceIndex.get(normalizedKey) || [];
-    existing.push(entryIndex);
-    referenceIndex.set(normalizedKey, existing);
-  }
-
-  entries.forEach((entry, entryIndex) => {
-    if (entry.time) {
-      for (const timeKey of getTimeReferenceKeys(entry.time)) {
-        addReference(timeKey, entryIndex);
-        addReference(`time:${timeKey}`, entryIndex);
-      }
-    }
-
-    if (entry.checkpointType && entry.time) {
-      const normalizedCheckpointType = normalizeCheckpointLabel(entry.checkpointType);
-      for (const timeKey of getTimeReferenceKeys(entry.time)) {
-        addReference(`${entry.checkpointType}@${timeKey}`, entryIndex);
-        addReference(`${normalizedCheckpointType}@${timeKey}`, entryIndex);
-      }
-    }
-  });
-
-  return referenceIndex;
-}
-
-function getSupersedesCandidateKeys(token) {
-  const trimmed = String(token || "").trim();
-  if (!trimmed) {
-    return [];
+function appendTraversalWarnings(projectRoot, rootDir, scan, warnings) {
+  if (!scan) {
+    return;
   }
 
-  const keys = new Set([trimmed]);
-  const prefixedTimeMatch = trimmed.match(/^time\s*:\s*(.+)$/i);
-  if (prefixedTimeMatch) {
-    for (const timeKey of getTimeReferenceKeys(prefixedTimeMatch[1])) {
-      keys.add(timeKey);
-      keys.add(`time:${timeKey}`);
-    }
-  } else {
-    keys.add(`time:${trimmed}`);
-    for (const timeKey of getTimeReferenceKeys(trimmed)) {
-      keys.add(timeKey);
-      keys.add(`time:${timeKey}`);
-    }
-  }
+  const scope = relativeTo(projectRoot, rootDir);
 
-  const atIndex = trimmed.indexOf("@");
-  if (atIndex > 0 && atIndex < trimmed.length - 1) {
-    const checkpointType = trimmed.slice(0, atIndex).trim();
-    const time = trimmed.slice(atIndex + 1).trim();
-    if (checkpointType && time) {
-      const normalizedCheckpointType = normalizeCheckpointLabel(checkpointType);
-      for (const timeKey of getTimeReferenceKeys(time)) {
-        keys.add(`${checkpointType}@${timeKey}`);
-        keys.add(`${normalizedCheckpointType}@${timeKey}`);
-      }
-    }
+  if (scan.truncated) {
+    const reason = scan.entryLimitHit
+      ? `file limit ${scan.maxEntries} reached`
+      : `depth limit ${scan.maxDepth} reached`;
+    pushUnique(warnings, `File scan truncated under ${scope}: ${reason}.`);
   }
 
-  return [...keys];
-}
-
-function resolveSupersedesReferenceIndices(token, referenceIndex) {
-  const indices = new Set();
-  for (const key of getSupersedesCandidateKeys(token)) {
-    const matches = referenceIndex.get(key);
-    if (!matches) {
-      continue;
-    }
-    for (const entryIndex of matches) {
-      indices.add(entryIndex);
-    }
-  }
-  return [...indices].sort((a, b) => a - b);
-}
-
-function inspectContextDelta(markdownText) {
-  const section = getMarkdownSection(markdownText, "Context Delta");
-  if (!section) {
-    return {
-      found: false,
-      hasConcreteEntry: false,
-      entries: [],
-      incompleteEntryCount: 0
-    };
-  }
-
-  const lines = String(section).replace(/\r\n?/g, "\n").split("\n");
-  const entries = [];
-  let current = null;
-
-  function ensureCurrent() {
-    if (!current) {
-      current = {};
-    }
-  }
-
-  function flushCurrent() {
-    if (!current) {
-      return;
-    }
-
-    const hasAnyValue = [
-      current.time,
-      current.checkpointType,
-      current.goal,
-      current.decision,
-      current.constraints,
-      current.impact,
-      current.status,
-      current.nextAction,
-      current.supersedes
-    ].some((value) => Boolean(value));
-
-    if (hasAnyValue) {
-      entries.push(current);
-    }
-    current = null;
-  }
-
-  for (const rawLine of lines) {
-    const line = rawLine.trim();
-
-    if (!line) {
-      continue;
-    }
-
-    const timeMatch = line.match(/^-+\s*`?time`?\s*:\s*(.+)$/i);
-    if (timeMatch) {
-      flushCurrent();
-      current = {
-        time: timeMatch[1].trim()
-      };
-      continue;
-    }
-
-    const checkpointTypeMatch = line.match(/^-+\s*`?checkpoint(?:[_ -]?type)?`?\s*:\s*(.+)$/i);
-    if (checkpointTypeMatch) {
-      ensureCurrent();
-      current.checkpointType = checkpointTypeMatch[1].trim();
-      continue;
-    }
-
-    const goalMatch = line.match(/^-+\s*`?goal`?\s*:\s*(.+)$/i);
-    if (goalMatch) {
-      ensureCurrent();
-      current.goal = goalMatch[1].trim();
-      continue;
-    }
-
-    const decisionMatch = line.match(/^-+\s*`?decision`?\s*:\s*(.+)$/i);
-    if (decisionMatch) {
-      ensureCurrent();
-      current.decision = decisionMatch[1].trim();
-      continue;
-    }
-
-    const constraintsMatch = line.match(/^-+\s*`?constraints`?\s*:\s*(.+)$/i);
-    if (constraintsMatch) {
-      ensureCurrent();
-      current.constraints = constraintsMatch[1].trim();
-      continue;
-    }
-
-    const impactMatch = line.match(/^-+\s*`?impact`?\s*:\s*(.+)$/i);
-    if (impactMatch) {
-      ensureCurrent();
-      current.impact = impactMatch[1].trim();
-      continue;
-    }
-
-    const statusMatch = line.match(/^-+\s*`?status`?\s*:\s*(PASS|WARN|BLOCK)\b/i);
-    if (statusMatch) {
-      ensureCurrent();
-      current.status = String(statusMatch[1]).toUpperCase();
-      continue;
-    }
-
-    const nextActionMatch = line.match(/^-+\s*`?next(?:[_ -]?action)?`?\s*:\s*(.+)$/i);
-    if (nextActionMatch) {
-      ensureCurrent();
-      current.nextAction = nextActionMatch[1].trim();
-      continue;
-    }
-
-    const supersedesMatch = line.match(/^-+\s*`?supersedes`?\s*:\s*(.+)$/i);
-    if (supersedesMatch) {
-      ensureCurrent();
-      current.supersedes = supersedesMatch[1].trim();
-      continue;
-    }
-  }
-
-  flushCurrent();
-
-  const hasConcreteEntry = entries.some(
-    (entry) => entry.time || entry.checkpointType || entry.status || entry.decision || entry.nextAction
-  );
-  const incompleteEntryCount = entries.filter(
-    (entry) => !entry.time || !entry.checkpointType || !entry.status
-  ).length;
-
-  return {
-    found: true,
-    hasConcreteEntry,
-    entries,
-    incompleteEntryCount
-  };
-}
-
-function getVisualAssistFieldValues(daVinciText, fieldName) {
-  const section = getMarkdownSection(daVinciText, "Visual Assist");
-  if (!section) {
-    return [];
-  }
-
-  const fieldPattern = new RegExp(`^\\s*-\\s*${escapeRegExp(fieldName)}\\s*:\\s*(.*)$`, "i");
-  const nestedValuePattern = /^\s{2,}-\s*(.+?)\s*$/;
-  const nextFieldPattern = /^\s*-\s+[^:]+:\s*.*$/;
-  const values = [];
-  let capturing = false;
-
-  for (const rawLine of String(section).replace(/\r\n?/g, "\n").split("\n")) {
-    const fieldMatch = rawLine.match(fieldPattern);
-    if (!capturing && fieldMatch) {
-      capturing = true;
-      const inlineValue = (fieldMatch[1] || "").trim();
-      if (inlineValue) {
-        values.push(inlineValue);
-      }
-      continue;
-    }
-
-    if (capturing && nextFieldPattern.test(rawLine)) {
-      break;
-    }
-
-    if (capturing) {
-      const nestedMatch = rawLine.match(nestedValuePattern);
-      if (nestedMatch) {
-        const value = nestedMatch[1].trim();
-        if (value) {
-          values.push(value);
-        }
-      } else if (rawLine.trim() === "") {
-        continue;
-      } else {
-        break;
-      }
-    }
-  }
-
-  return values;
-}
-
-function hasConfiguredDesignSupervisorReview(daVinciText) {
-  return getVisualAssistFieldValues(daVinciText, "Design-supervisor reviewers").length > 0;
-}
-
-function isDesignSupervisorReviewRequired(daVinciText) {
-  return getVisualAssistFieldValues(daVinciText, "Require Supervisor Review").some((value) =>
-    /^true$/i.test(String(value).trim())
-  );
-}
-
-function inspectDesignSupervisorReview(pencilDesignText) {
-  const section = getMarkdownSection(pencilDesignText, "Design-Supervisor Review");
-  if (!section) {
-    return {
-      found: false,
-      status: null,
-      acceptedWarn: false,
-      hasIssueList: false,
-      hasRevisionOutcome: false
-    };
+  if (scan.skippedSymlinks > 0) {
+    pushUnique(
+      warnings,
+      `File scan skipped ${scan.skippedSymlinks} symbolic link entr${
+        scan.skippedSymlinks === 1 ? "y" : "ies"
+      } under ${scope}.`
+    );
   }
 
-  const statusMatch = section.match(/(?:^|\n)\s*-\s*(?:Status|状态)\s*:\s*(PASS|WARN|BLOCK)\b/i);
-  const status = statusMatch ? statusMatch[1].toUpperCase() : null;
-  const issueListMatch = section.match(/(?:^|\n)\s*-\s*(?:Issue list|问题列表)\s*:\s*(.+)$/im);
-  const revisionOutcomeMatch = section.match(
-    /(?:^|\n)\s*-\s*(?:Revision outcome|修订结果)\s*:\s*(.+)$/im
-  );
-  const revisionOutcome = revisionOutcomeMatch ? revisionOutcomeMatch[1].trim() : "";
-  const acceptedWarn =
-    status === "WARN" &&
-    /(accepted|accepted with follow-up|accepted warning|warn accepted|接受|已接受|接受警告)/i.test(
-      revisionOutcome
+  if (scan.readErrors.length > 0) {
+    pushUnique(
+      warnings,
+      `File scan hit ${scan.readErrors.length} read error${
+        scan.readErrors.length === 1 ? "" : "s"
+      } under ${scope}.`
     );
-
-  return {
-    found: true,
-    status,
-    acceptedWarn,
-    hasIssueList: Boolean(issueListMatch && issueListMatch[1].trim()),
-    hasRevisionOutcome: Boolean(revisionOutcome)
-  };
+  }
 }
 
 function auditProject(projectPathInput, options = {}) {
@@ -645,7 +277,9 @@ function auditProject(projectPathInput, options = {}) {
     }
   }
 
-  const daVinciFiles = listFilesRecursive(daVinciDir);
+  const daVinciScan = listFilesRecursive(daVinciDir, AUDIT_SCAN_LIMITS);
+  appendTraversalWarnings(projectRoot, daVinciDir, daVinciScan, warnings);
+  const daVinciFiles = daVinciScan.files;
   const misplacedExports = daVinciFiles.filter(
     (filePath) => IMAGE_EXPORT_PATTERN.test(filePath) && !isAllowedExportPath(projectRoot, filePath)
   );
@@ -659,7 +293,9 @@ function auditProject(projectPathInput, options = {}) {
     );
   }
 
-  const designFiles = listFilesRecursive(designsDir);
+  const designScan = listFilesRecursive(designsDir, AUDIT_SCAN_LIMITS);
+  appendTraversalWarnings(projectRoot, designsDir, designScan, warnings);
+  const designFiles = designScan.files;
   const penFiles = designFiles.filter((filePath) => filePath.endsWith(".pen"));
   const pollutedDesignFiles = designFiles.filter((filePath) => !filePath.endsWith(".pen"));
 
@@ -687,7 +323,21 @@ function auditProject(projectPathInput, options = {}) {
     );
   }
 
-  const registeredPenPaths = collectRegisteredPenPaths(projectRoot, designRegistryPath);
+  const {
+    validPaths: registeredPenPaths,
+    escapedPaths: escapedRegisteredPenPaths
+  } = collectRegisteredPenPaths(projectRoot, designRegistryPath);
+  for (const escapedPath of escapedRegisteredPenPaths) {
+    const message =
+      `Registered design source escapes project root and will be ignored: ${escapedPath.relativePath} ` +
+      `(${escapedPath.resolvedPath})`;
+    if (mode === "completion") {
+      failures.push(message);
+    } else {
+      warnings.push(message);
+    }
+  }
+
   for (const registeredPenPath of registeredPenPaths) {
     if (!pathExists(registeredPenPath)) {
       failures.push(
@@ -765,7 +415,9 @@ function auditProject(projectPathInput, options = {}) {
       : changeDirs;
 
   for (const changeDir of changeDirs) {
-    const changeFiles = listFilesRecursive(changeDir);
+    const changeScan = listFilesRecursive(changeDir, CHANGE_SCAN_LIMITS);
+    appendTraversalWarnings(projectRoot, changeDir, changeScan, warnings);
+    const changeFiles = changeScan.files;
     const changeRel = relativeTo(projectRoot, changeDir);
 
     if (changeFiles.length === 0) {
@@ -777,7 +429,9 @@ function auditProject(projectPathInput, options = {}) {
     }
 
     const exportsDir = path.join(changeDir, "exports");
-    const exportsFiles = listFilesRecursive(exportsDir);
+    const exportsScan = listFilesRecursive(exportsDir, EXPORT_SCAN_LIMITS);
+    appendTraversalWarnings(projectRoot, exportsDir, exportsScan, warnings);
+    const exportsFiles = exportsScan.files;
     if (exportsFiles.length > 0) {
       notes.push(`Detected review exports under ${relativeTo(projectRoot, exportsDir)}.`);
     }