claude-crap 0.4.5 → 0.4.7

package/src/tests/gatekeeper-rules.test.ts

@@ -0,0 +1,173 @@
+/**
+ * Characterization tests for the PreToolUse gatekeeper rule primitives.
+ *
+ * The rule module exports pure helpers that decide whether a proposed
+ * tool call should be blocked. These tests pin three behaviours the
+ * helpers must guarantee:
+ *
+ *   1. Destructive `rm` detection blocks every realistic variant that
+ *      targets the filesystem root, a critical system directory, or
+ *      the user's home, while leaving safe project-relative removals
+ *      (and quoted `rm -rf /` text inside `echo`) untouched.
+ *   2. Emitted SARIF rule IDs carry exactly one category prefix
+ *      (`SONAR-SEC-...` or `SONAR-BASH-...`). No rule entry in the
+ *      tables may embed the category in its own `id` field — the
+ *      emitter is the single source of the prefix.
+ *   3. The `AKIA...` AWS access-key regex allowlists canonical
+ *      AWS-published example keys so the gatekeeper does not reject
+ *      its own documentation and fixtures, while still catching
+ *      real-shape keys.
+ *
+ * The tests import the rule module directly so each assertion runs
+ * against the pure helper — no subprocess, no stdin parsing — which
+ * keeps failure diagnostics tight.
+ *
+ * NOTE: real-looking AWS key shapes and canonical example keys are
+ * constructed from split literals so the source of this test file
+ * itself does not match the gatekeeper regex that scans the `content`
+ * field of Write/Edit tool calls.
+ *
+ * @module tests/gatekeeper-rules.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+// The rule module lives under `plugin/hooks/lib/` so the hook entry
+// points (pure JS, zero deps) can load it at runtime without going
+// through the TypeScript build. tsx resolves the .mjs import at
+// test-time; tsc never sees it (plugin/ is outside rootDir).
+// @ts-expect-error — .mjs file, no .d.ts declarations (intentional)
+import {
+  findDestructiveBashHit,
+  findSecretHits,
+  formatSecretRuleId,
+  formatBashRuleId,
+  HARDCODED_SECRET_PATTERNS,
+  DESTRUCTIVE_BASH_PATTERNS,
+} from "../../plugin/hooks/lib/gatekeeper-rules.mjs";
+
+// ── Destructive rm detection ──────────────────────────────────────────
+
+describe("destructive rm blocks filesystem root, system dirs, and $HOME", () => {
+  const MUST_BLOCK: ReadonlyArray<string> = [
+    // Filesystem root in every common shape.
+    "rm -rf /",
+    "rm -rf  /",
+    "rm -rf / ",
+    'rm -rf "/"',
+    "rm -rf /*",
+    "sudo rm -rf /",
+    "rm --force /",
+    "rm --recursive /",
+    "rm -rfv /",
+    // Critical system directories.
+    "rm -rf /usr",
+    "rm -rf /etc",
+    "rm -rf /var/log",
+    "rm -rf /bin",
+    "rm -rf /boot",
+    "rm -rf /System",
+    // Home directory, exact and prefix forms.
+    "rm -rf $HOME",
+    "rm -rf $HOME/foo",
+    "rm -rf $HOME/*",
+    "rm -rf ~/",
+    "rm -rf ~/stuff",
+    "rm -rf ~/*",
+    // Shell control operators must not let the target "stick" and bypass
+    // classification. `/;echo` was previously a single bare token whose
+    // first component failed the system-dir regex, passing the check.
+    "rm -rf /;echo done",
+    "rm -rf /&&ls",
+    "rm -rf /|tee log",
+    "rm -rf /;rm -rf /tmp/x",
+    // Path-qualified rm must be caught on basename. Absolute, relative,
+    // and parent-relative forms are all real invocations the shell honors.
+    "/bin/rm -rf /",
+    "/usr/bin/rm -rf /",
+    "./rm -rf /",
+    "../bin/rm -rf /",
+  ];
+
+  for (const cmd of MUST_BLOCK) {
+    it(`blocks: ${cmd}`, () => {
+      const hit = findDestructiveBashHit(cmd);
+      assert.ok(hit, `expected block, got pass for: ${cmd}`);
+    });
+  }
+
+  const MUST_PASS: ReadonlyArray<string> = [
+    "rm -rf /tmp/foo",        // /tmp is scratch, fine
+    "rm -rf ./build",         // relative path
+    "rm -rf node_modules",    // named target, no leading /
+    "rm -rf dist",
+    "echo 'rm -rf /'",        // text inside echo, not an rm target
+  ];
+
+  for (const cmd of MUST_PASS) {
+    it(`passes: ${cmd}`, () => {
+      const hit = findDestructiveBashHit(cmd);
+      assert.equal(hit, null, `expected pass, got block for: ${cmd}`);
+    });
+  }
+});
+
+// ── SARIF rule-ID formatting ──────────────────────────────────────────
+
+describe("SARIF rule IDs carry exactly one category prefix", () => {
+  it("formatSecretRuleId prepends SONAR-SEC exactly once", () => {
+    assert.equal(formatSecretRuleId({ id: "AWS" }), "SONAR-SEC-AWS");
+    assert.equal(formatSecretRuleId({ id: "PRIVKEY" }), "SONAR-SEC-PRIVKEY");
+  });
+
+  it("formatBashRuleId prepends SONAR-BASH exactly once", () => {
+    assert.equal(formatBashRuleId({ id: "RMROOT" }), "SONAR-BASH-RMROOT");
+    assert.equal(formatBashRuleId({ id: "RMHOME" }), "SONAR-BASH-RMHOME");
+  });
+
+  it("no secret rule embeds its category in id", () => {
+    for (const pat of HARDCODED_SECRET_PATTERNS as ReadonlyArray<{ id: string }>) {
+      assert.ok(
+        !/^SEC-/.test(pat.id),
+        `rule id leaks category (should be stripped): ${pat.id}`,
+      );
+    }
+  });
+
+  it("no bash rule embeds its category in id", () => {
+    for (const pat of DESTRUCTIVE_BASH_PATTERNS as ReadonlyArray<{ id: string }>) {
+      assert.ok(
+        !/^BASH-/.test(pat.id),
+        `rule id leaks category (should be stripped): ${pat.id}`,
+      );
+    }
+  });
+});
+
+// ── AWS example-key allowlist ─────────────────────────────────────────
+
+describe("canonical AWS example keys are allowlisted, real-shape keys are not", () => {
+  // Split so this very file doesn't match the regex it is testing.
+  const CANONICAL_EXAMPLE = "AKIA" + "IOSFODNN7" + "EXAMPLE";
+  const REAL_SHAPE = "AKIA" + "J7NVPZZZAB12CDEF"; // 20 chars, AKIA + 16 upper-alnum
+
+  it(`canonical example key '${CANONICAL_EXAMPLE}' is not flagged`, () => {
+    const hits = findSecretHits(`aws_access_key_id="${CANONICAL_EXAMPLE}"`);
+    const awsHits = hits.filter((h: { id: string }) => h.id === "AWS");
+    assert.equal(
+      awsHits.length,
+      0,
+      `canonical example must not match: got ${JSON.stringify(awsHits)}`,
+    );
+  });
+
+  it("real-shape AWS key is still flagged", () => {
+    const hits = findSecretHits(`aws_access_key_id="${REAL_SHAPE}"`);
+    const awsHits = hits.filter((h: { id: string }) => h.id === "AWS");
+    assert.ok(
+      awsHits.length >= 1,
+      `real-shape key must flag: ${REAL_SHAPE}`,
+    );
+  });
+});

package/src/tests/project-map.test.ts

@@ -299,4 +299,220 @@ describe("persistProjectMap / loadProjectMap", () => {
       rmSync(dir, { recursive: true, force: true });
     }
   });
+
+  it("non-monorepo map round-trips through persist + load", async () => {
+    // list_projects and /api/score rely on projects.json existing after
+    // a discovery run, even when the workspace has no sub-projects. The
+    // persist + load pair must handle `isMonorepo: false` the same as
+    // monorepo maps.
+    const dir = makeTmpDir();
+    try {
+      const original: ProjectMap = {
+        generatedAt: new Date().toISOString(),
+        workspaceRoot: dir,
+        isMonorepo: false,
+        projects: [],
+      };
+
+      await persistProjectMap(original, dir);
+      const loaded = loadProjectMap(dir);
+
+      assert.ok(loaded !== null, "non-monorepo map did not persist");
+      assert.equal(loaded.isMonorepo, false);
+      assert.deepEqual(loaded, original);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});
+
+// ── .slnx / Directory.Build.props detection ──────────────────────────
+
+describe("discoverProjectMap — .NET project markers", () => {
+  it(".slnx (.NET 9 XML solution) marks csharp", async () => {
+    const dir = makeTmpDir();
+    try {
+      mkdirSync(join(dir, "apps", "api"), { recursive: true });
+      writeFileSync(join(dir, "apps", "api", "MyApp.slnx"), "<Solution></Solution>");
+
+      const map = await discoverProjectMap(dir);
+      const api = findProject(map, "apps/api");
+      assert.equal(api.type, "csharp", "expected .slnx to classify as csharp");
+      assert.equal(api.scanner, "dotnet_format");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("Directory.Build.props alone marks csharp", async () => {
+    const dir = makeTmpDir();
+    try {
+      mkdirSync(join(dir, "apps", "shared-lib"), { recursive: true });
+      writeFileSync(
+        join(dir, "apps", "shared-lib", "Directory.Build.props"),
+        "<Project></Project>",
+      );
+
+      const map = await discoverProjectMap(dir);
+      const p = findProject(map, "apps/shared-lib");
+      assert.equal(p.type, "csharp", "Directory.Build.props should classify as csharp");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});
+
+// ── pnpm-workspace.yaml discovery ────────────────────────────────────
+
+describe("discoverProjectMap — pnpm-workspace.yaml", () => {
+  it("reads pnpm-workspace.yaml and discovers declared packages", async () => {
+    const dir = makeTmpDir();
+    try {
+      // Non-conventional parent dir that the built-in apps/packages scan
+      // would never find. pnpm-workspace must be the only source of truth.
+      writeFileSync(join(dir, "package.json"), JSON.stringify({ name: "root" }));
+      writeFileSync(
+        join(dir, "pnpm-workspace.yaml"),
+        ["packages:", "  - \"tooling/*\"", ""].join("\n"),
+      );
+
+      mkdirSync(join(dir, "tooling", "cli"), { recursive: true });
+      writeFileSync(join(dir, "tooling", "cli", "package.json"), JSON.stringify({ name: "cli" }));
+      writeFileSync(join(dir, "tooling", "cli", "tsconfig.json"), "{}");
+
+      const map = await discoverProjectMap(dir);
+      const cli = findProject(map, "tooling/cli");
+      assert.equal(cli.type, "typescript");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("handles plain-path entries in pnpm-workspace.yaml", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "package.json"), JSON.stringify({ name: "root" }));
+      writeFileSync(
+        join(dir, "pnpm-workspace.yaml"),
+        ["packages:", "  - 'clients/mobile'", ""].join("\n"),
+      );
+
+      mkdirSync(join(dir, "clients", "mobile"), { recursive: true });
+      writeFileSync(
+        join(dir, "clients", "mobile", "package.json"),
+        JSON.stringify({ name: "mobile" }),
+      );
+
+      const map = await discoverProjectMap(dir);
+      const mobile = findProject(map, "clients/mobile");
+      assert.equal(mobile.type, "javascript"); // no tsconfig → js
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("falls back gracefully when pnpm-workspace.yaml is malformed", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "package.json"), JSON.stringify({ name: "root" }));
+      writeFileSync(
+        join(dir, "pnpm-workspace.yaml"),
+        "this: is: not: actually: valid: yaml\n",
+      );
+
+      // Must not throw, and must fall back to non-monorepo with zero
+      // sub-projects so downstream scans do not try to walk phantom paths.
+      const map = await discoverProjectMap(dir);
+      assert.equal(map.isMonorepo, false);
+      assert.equal(map.projects.length, 0);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("preserves literal '#' inside a quoted pnpm-workspace entry", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "package.json"), JSON.stringify({ name: "root" }));
+      // Quoted entry with a '#' — naive comment stripping would truncate
+      // it to `"packages/` and the project would silently disappear.
+      writeFileSync(
+        join(dir, "pnpm-workspace.yaml"),
+        ["packages:", "  - \"tooling/#oddly-named\"", ""].join("\n"),
+      );
+
+      mkdirSync(join(dir, "tooling", "#oddly-named"), { recursive: true });
+      writeFileSync(
+        join(dir, "tooling", "#oddly-named", "package.json"),
+        JSON.stringify({ name: "oddly" }),
+      );
+
+      const map = await discoverProjectMap(dir);
+      const entry = findProject(map, "tooling/#oddly-named");
+      assert.equal(entry.type, "javascript");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});
+
+// ── Workspace containment guard ──────────────────────────────────────
+
+describe("discoverProjectMap — workspace containment", () => {
+  it("drops pnpm-workspace patterns that escape the workspace root", async () => {
+    // Sibling directory outside the workspace — if the containment
+    // guard fails, the walker would scan it and inflate the TDR.
+    const parent = makeTmpDir();
+    try {
+      const workspace = join(parent, "workspace");
+      const sibling = join(parent, "sibling");
+      mkdirSync(join(sibling, "pkg"), { recursive: true });
+      writeFileSync(join(sibling, "pkg", "package.json"), JSON.stringify({ name: "escapee" }));
+
+      mkdirSync(workspace, { recursive: true });
+      writeFileSync(join(workspace, "package.json"), JSON.stringify({ name: "root" }));
+      writeFileSync(
+        join(workspace, "pnpm-workspace.yaml"),
+        ["packages:", "  - \"../sibling/*\"", ""].join("\n"),
+      );
+
+      const map = await discoverProjectMap(workspace);
+
+      const escapee = map.projects.find((p) => p.path.includes("sibling"));
+      assert.equal(
+        escapee,
+        undefined,
+        `expected no project outside workspace, got: ${JSON.stringify(escapee)}`,
+      );
+    } finally {
+      rmSync(parent, { recursive: true, force: true });
+    }
+  });
+});
+
+// ── projectDirs + .NET-only project marker ───────────────────────────
+
+describe("discoverProjectMap — configured projectDirs with .NET-only markers", () => {
+  it("treats a user-configured directory holding only a .slnx as a project", async () => {
+    const dir = makeTmpDir();
+    try {
+      // Configured projectDir pointing at a directory whose only marker
+      // is an .slnx solution file — the single-filename PROJECT_MARKERS
+      // list alone would miss this and the dir would be scanned one
+      // level deep as if it were a parent directory.
+      mkdirSync(join(dir, "services", "api"), { recursive: true });
+      writeFileSync(
+        join(dir, "services", "api", "Api.slnx"),
+        "<Solution></Solution>",
+      );
+
+      const map = await discoverProjectMap(dir, {
+        projectDirs: ["services/api"],
+      });
+      const api = findProject(map, "services/api");
+      assert.equal(api.type, "csharp");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
 });

package/src/tests/workspace-walker.test.ts

@@ -0,0 +1,94 @@
+/**
+ * Integration tests for the workspace walker's default exclusions.
+ *
+ * The LOC denominator of the Technical Debt Ratio must reflect code
+ * the team actually writes, not build outputs. Real repositories
+ * commonly host Electron-builder outputs (`dist-electron/`,
+ * `release/`), .NET outputs (`bin/`, `obj/`, `publish/`), CI outputs
+ * (`artifacts/`), and Xcode caches (`DerivedData/`, `Pods/`,
+ * `Carthage/`) — all of which would inflate LOC if walked.
+ *
+ * This suite creates a scratch workspace that seeds a single real
+ * source file (`src/app.ts`) alongside populated build-artefact
+ * directories, then asserts the walker only counts the real source.
+ *
+ * @module tests/workspace-walker.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+import { estimateWorkspaceLoc } from "../metrics/workspace-walker.js";
+
+function makeTmpDir(): string {
+  return mkdtempSync(join(tmpdir(), "crap-walker-"));
+}
+
+function touch(absPath: string, content = ""): void {
+  mkdirSync(join(absPath, ".."), { recursive: true });
+  writeFileSync(absPath, content, "utf8");
+}
+
+describe("estimateWorkspaceLoc — default skip dirs exclude common build artefacts", () => {
+  it("skips Electron/Xcode/.NET/CI build outputs by default", async () => {
+    const dir = makeTmpDir();
+    try {
+      // Single real source file — the only thing that must count.
+      touch(join(dir, "src/app.ts"), "export const x = 1;\n");
+
+      // Noise that prior versions would have counted.
+      touch(join(dir, "dist-electron/main.js"), "console.log('electron');\n");
+      touch(join(dir, "release/MyApp/contents.js"), "console.log('release');\n");
+      touch(join(dir, "artifacts/build.js"), "console.log('ci');\n");
+      touch(join(dir, "publish/netcoreapp.dll.js"), "// dotnet publish\n");
+      touch(join(dir, "bin/Debug/net8.0/app.cs"), "// stale bin output\n");
+      touch(join(dir, "obj/project.assets.ts"), "export {};\n");
+      touch(join(dir, "Pods/PodStub.swift"), "struct S {}\n");
+      touch(join(dir, "DerivedData/ModuleCache/foo.swift"), "struct F {}\n");
+      touch(join(dir, "Carthage/Build/cache.swift"), "struct C {}\n");
+
+      const result = await estimateWorkspaceLoc(dir);
+
+      assert.equal(
+        result.fileCount,
+        1,
+        `expected only src/app.ts to count, got fileCount=${result.fileCount}`,
+      );
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("skips generated test coverage report bundles", async () => {
+    // Regression: the dashboard flagged GanttLite.Server/coverage-report/main.js
+    // (ReportGenerator output) as the hottest file in the project with
+    // four CC-80+ errors, all coming from minified `main.js` / `class.js`.
+    // The walker must not descend into any coverage-report variant.
+    const dir = makeTmpDir();
+    try {
+      touch(join(dir, "src/real.ts"), "export const x = 1;\n");
+
+      touch(join(dir, "coverage-report/main.js"), "function gG(){return 1}\n");
+      touch(join(dir, "coverage-report/class.js"), "function N(){return 1}\n");
+      touch(join(dir, "CoverageReport/index.js"), "function a(){}\n");
+      touch(join(dir, "coveragereport/bundle.js"), "function b(){}\n");
+      touch(join(dir, "TestResults/report.js"), "function c(){}\n");
+      touch(join(dir, "cobertura/cobertura.js"), "function d(){}\n");
+      touch(join(dir, "lcov-report/prettify.js"), "function e(){}\n");
+      touch(join(dir, "htmlcov/pycov.js"), "function f(){}\n");
+
+      const result = await estimateWorkspaceLoc(dir);
+
+      assert.equal(
+        result.fileCount,
+        1,
+        `coverage-report bundles leaked into walk — fileCount=${result.fileCount}`,
+      );
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});