claude-dev-env 1.58.0 → 1.60.0

package/hooks/blocking/test_code_rules_enforcer_duplicate_body.py

@@ -0,0 +1,330 @@
+"""Tests for cross-file duplicate top-level function body detection.
+
+PR #567 added the 5th and 6th copies of a byte-identical ``strip_code_and_quotes``
+helper across sibling Stop-hook modules. This check blocks that violation class at
+Write time: a top-level function whose body matches a top-level function in a
+sibling ``.py`` module in the same directory is flagged so the author extracts one
+shared helper instead of copying it.
+
+The tests write real sibling files into a neutrally named temporary directory and
+run the check against them, so they exercise the on-disk directory scan rather
+than a stubbed view of the filesystem. The directory is named like a production
+package directory (no ``test_`` segment), because the check treats any path
+containing a test marker as exempt — the same way it would skip a real test file.
+"""
+
+from __future__ import annotations
+
+import importlib.util
+import pathlib
+import shutil
+import sys
+import tempfile
+from collections.abc import Iterator
+
+import pytest
+
+_HOOK_DIRECTORY = pathlib.Path(__file__).parent
+if str(_HOOK_DIRECTORY) not in sys.path:
+    sys.path.insert(0, str(_HOOK_DIRECTORY))
+
+_hook_spec = importlib.util.spec_from_file_location(
+    "code_rules_enforcer",
+    _HOOK_DIRECTORY / "code_rules_enforcer.py",
+)
+assert _hook_spec is not None
+assert _hook_spec.loader is not None
+_hook_module = importlib.util.module_from_spec(_hook_spec)
+_hook_spec.loader.exec_module(_hook_module)
+check_duplicate_function_body_across_files = _hook_module.check_duplicate_function_body_across_files
+
+
+SHARED_HELPER_SOURCE = (
+    "import re\n"
+    "\n"
+    "def strip_code_and_quotes(text: str) -> str:\n"
+    "    without_fences = re.sub(r'```.*?```', '', text, flags=re.DOTALL)\n"
+    "    without_inline = re.sub(r'`[^`]*`', '', without_fences)\n"
+    "    without_quotes = re.sub(r'(?m)^>.*$', '', without_inline)\n"
+    "    return without_quotes.strip()\n"
+)
+
+
+@pytest.fixture
+def module_dir() -> Iterator[pathlib.Path]:
+    base_directory = pathlib.Path(tempfile.mkdtemp())
+    package_directory = base_directory / "blocking"
+    package_directory.mkdir()
+    try:
+        yield package_directory
+    finally:
+        shutil.rmtree(base_directory, ignore_errors=False)
+
+
+def _write(directory: pathlib.Path, name: str, source: str) -> pathlib.Path:
+    target = directory / name
+    target.write_text(source, encoding="utf-8")
+    return target
+
+
+def test_should_flag_function_copied_from_sibling(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "existing_blocker.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(new_file))
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        f"Expected the copied helper to be flagged, got: {issues}"
+    )
+    assert any("existing_blocker.py" in each_issue for each_issue in issues), (
+        f"Expected the sibling source location named, got: {issues}"
+    )
+
+
+def test_should_not_flag_when_no_sibling_matches(module_dir: pathlib.Path) -> None:
+    _write(
+        module_dir,
+        "unrelated.py",
+        "def add(left: int, right: int) -> int:\n"
+        "    total = left + right\n"
+        "    doubled = total * 2\n"
+        "    return doubled\n",
+    )
+    new_file = module_dir / "new_blocker.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(new_file))
+    assert issues == [], f"No matching sibling body must not flag, got: {issues}"
+
+
+def test_should_not_flag_trivial_short_body(module_dir: pathlib.Path) -> None:
+    trivial_source = "def noop() -> None:\n    return None\n"
+    _write(module_dir, "existing.py", trivial_source)
+    new_file = module_dir / "new.py"
+    issues = check_duplicate_function_body_across_files(trivial_source, str(new_file))
+    assert issues == [], (
+        f"A body under the minimum statement count is too common to flag, got: {issues}"
+    )
+
+
+def test_should_ignore_docstring_only_difference(module_dir: pathlib.Path) -> None:
+    with_docstring = (
+        "def compute(left: int, right: int) -> int:\n"
+        '    """Add then scale."""\n'
+        "    total = left + right\n"
+        "    scaled = total * 3\n"
+        "    return scaled\n"
+    )
+    without_docstring = (
+        "def compute(left: int, right: int) -> int:\n"
+        "    total = left + right\n"
+        "    scaled = total * 3\n"
+        "    return scaled\n"
+    )
+    _write(module_dir, "existing.py", with_docstring)
+    new_file = module_dir / "new.py"
+    issues = check_duplicate_function_body_across_files(without_docstring, str(new_file))
+    assert any("compute" in each_issue for each_issue in issues), (
+        f"A docstring-only difference must not hide the duplicate, got: {issues}"
+    )
+
+
+def test_should_skip_test_file_being_written(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    test_file = module_dir / "test_new.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(test_file))
+    assert issues == [], f"Test files are exempt on the writing side, got: {issues}"
+
+
+def test_should_skip_test_file_siblings(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "test_existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(new_file))
+    assert issues == [], (
+        f"A matching body in a sibling test file must not flag production code, got: {issues}"
+    )
+
+
+def test_should_skip_dunder_init_being_written(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    init_file = module_dir / "__init__.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(init_file))
+    assert issues == [], f"__init__.py re-export surfaces are exempt, got: {issues}"
+
+
+def test_should_not_compare_against_self(module_dir: pathlib.Path) -> None:
+    existing = _write(module_dir, "blocker.py", SHARED_HELPER_SOURCE)
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(existing))
+    assert issues == [], (
+        f"A file must not be flagged as a duplicate of its own on-disk copy, got: {issues}"
+    )
+
+
+def test_should_return_empty_on_syntax_error(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "broken.py"
+    issues = check_duplicate_function_body_across_files("def broken(\n", str(new_file))
+    assert issues == [], f"Unparseable content must return empty, got: {issues}"
+
+
+def test_should_skip_unparseable_sibling(module_dir: pathlib.Path) -> None:
+    _write(module_dir, "broken_sibling.py", "def broken(\n")
+    _write(module_dir, "good_sibling.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new.py"
+    issues = check_duplicate_function_body_across_files(SHARED_HELPER_SOURCE, str(new_file))
+    assert any("good_sibling.py" in each_issue for each_issue in issues), (
+        f"A broken sibling must be skipped without hiding a real match, got: {issues}"
+    )
+
+
+def test_should_not_flag_method_inside_class(module_dir: pathlib.Path) -> None:
+    class_source = (
+        "class Worker:\n"
+        "    def run(self, left: int, right: int) -> int:\n"
+        "        total = left + right\n"
+        "        scaled = total * 4\n"
+        "        return scaled\n"
+    )
+    _write(module_dir, "existing.py", class_source)
+    new_file = module_dir / "new.py"
+    issues = check_duplicate_function_body_across_files(class_source, str(new_file))
+    assert issues == [], f"Only module-scope functions are compared, not methods, got: {issues}"
+
+
+_UNRELATED_LEADING_FUNCTION = (
+    "def unrelated_helper(left: int, right: int) -> int:\n"
+    "    summed = left + right\n"
+    "    tripled = summed * 3\n"
+    "    return tripled\n"
+)
+
+
+def test_should_not_flag_when_edit_leaves_duplicate_outside_changed_lines(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    post_edit_content = _UNRELATED_LEADING_FUNCTION + "\n\n" + SHARED_HELPER_SOURCE
+    changed_lines_outside_duplicate = {1, 2, 3, 4}
+    issues = check_duplicate_function_body_across_files(
+        post_edit_content,
+        str(new_file),
+        all_changed_lines=changed_lines_outside_duplicate,
+    )
+    assert issues == [], (
+        "An Edit that never touches the duplicated function must not block, "
+        f"got: {issues}"
+    )
+
+
+def test_should_flag_when_edit_changed_lines_intersect_duplicate(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    post_edit_content = _UNRELATED_LEADING_FUNCTION + "\n\n" + SHARED_HELPER_SOURCE
+    duplicate_definition_line = post_edit_content.splitlines().index(
+        "def strip_code_and_quotes(text: str) -> str:"
+    ) + 1
+    changed_lines_inside_duplicate = {duplicate_definition_line + 1}
+    issues = check_duplicate_function_body_across_files(
+        post_edit_content,
+        str(new_file),
+        all_changed_lines=changed_lines_inside_duplicate,
+    )
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        "An Edit whose changed lines touch the copied helper must still flag, "
+        f"got: {issues}"
+    )
+
+
+def test_should_flag_whole_file_write_when_changed_lines_is_none(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    issues = check_duplicate_function_body_across_files(
+        SHARED_HELPER_SOURCE,
+        str(new_file),
+        all_changed_lines=None,
+    )
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        "A whole-file Write treats every line as in scope and must flag, "
+        f"got: {issues}"
+    )
+
+
+def test_should_scan_explicit_sibling_directory_for_relative_path(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing_blocker.py", SHARED_HELPER_SOURCE)
+    issues = check_duplicate_function_body_across_files(
+        SHARED_HELPER_SOURCE,
+        "package/new_blocker.py",
+        sibling_directory=module_dir,
+    )
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        "When given an explicit sibling directory, the check must scan it for a "
+        f"relative file_path rather than the path's CWD-relative parent, got: {issues}"
+    )
+    assert any("existing_blocker.py" in each_issue for each_issue in issues), (
+        f"Expected the sibling source location named, got: {issues}"
+    )
+
+
+def test_should_ignore_cwd_when_explicit_sibling_directory_given(
+    module_dir: pathlib.Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _write(module_dir, "existing_blocker.py", SHARED_HELPER_SOURCE)
+    monkeypatch.chdir(module_dir.parent)
+    issues = check_duplicate_function_body_across_files(
+        SHARED_HELPER_SOURCE,
+        "package/new_blocker.py",
+        sibling_directory=module_dir,
+    )
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        "An explicit sibling directory must anchor the scan independent of the "
+        f"process working directory, got: {issues}"
+    )
+
+
+def test_should_return_every_violation_when_scope_deferred_to_caller(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    post_edit_content = _UNRELATED_LEADING_FUNCTION + "\n\n" + SHARED_HELPER_SOURCE
+    changed_lines_outside_duplicate = {1, 2, 3, 4}
+    issues = check_duplicate_function_body_across_files(
+        post_edit_content,
+        str(new_file),
+        all_changed_lines=changed_lines_outside_duplicate,
+        defer_scope_to_caller=True,
+    )
+    assert any("strip_code_and_quotes" in each_issue for each_issue in issues), (
+        "The commit/push gate scopes by added line, so the check must return "
+        f"every violation when scope is deferred, got: {issues}"
+    )
+
+
+def test_should_carry_a_parseable_span_for_the_commit_gate_scoper(
+    module_dir: pathlib.Path,
+) -> None:
+    _write(module_dir, "existing.py", SHARED_HELPER_SOURCE)
+    new_file = module_dir / "new_blocker.py"
+    post_edit_content = _UNRELATED_LEADING_FUNCTION + "\n\n" + SHARED_HELPER_SOURCE
+    duplicate_definition_line = post_edit_content.splitlines().index(
+        "def strip_code_and_quotes(text: str) -> str:"
+    ) + 1
+    issues = check_duplicate_function_body_across_files(
+        post_edit_content,
+        str(new_file),
+        all_changed_lines=None,
+        defer_scope_to_caller=True,
+    )
+    matching_issues = [
+        each_issue for each_issue in issues if "strip_code_and_quotes" in each_issue
+    ]
+    assert matching_issues, f"expected a duplicate-body issue, got: {issues}"
+    expected_fragment = f"(duplicate body span at line {duplicate_definition_line}, spanning 5 lines)"
+    assert expected_fragment in matching_issues[0], (
+        "The commit gate's scope splitter parses the copied function's span from "
+        f"the message, so the message must carry it, got: {matching_issues[0]}"
+    )

package/hooks/blocking/test_code_rules_enforcer_duplicate_body_hook_routing.py

@@ -0,0 +1,179 @@
+"""Entry-point tests proving the duplicate-body check guards hook-infrastructure files.
+
+The cross-file duplicate-body check exists to catch a helper copied across sibling
+modules in the ``blocking/`` hook directory itself — the exact directory the rest of
+the code-rules suite exempts. These tests drive the real entry points (the ``main()``
+stdin path and the pre-check CLI) with a hook-infrastructure target so the deny fires
+on the same path a live Write would take, rather than calling the check function
+directly.
+
+Each test builds a temporary tree whose tail mirrors a production hook directory
+(``packages/claude-dev-env/hooks/blocking``) so ``is_hook_infrastructure`` matches the
+target path the same way it would for the real directory.
+"""
+
+from __future__ import annotations
+
+import io
+import json
+import pathlib
+import shutil
+import subprocess
+import sys
+import tempfile
+from collections.abc import Iterator
+from types import SimpleNamespace
+
+import pytest
+
+_HOOK_DIRECTORY = pathlib.Path(__file__).resolve().parent
+_HOOKS_PARENT = _HOOK_DIRECTORY.parent
+if str(_HOOK_DIRECTORY) not in sys.path:
+    sys.path.insert(0, str(_HOOK_DIRECTORY))
+if str(_HOOKS_PARENT) not in sys.path:
+    sys.path.insert(0, str(_HOOKS_PARENT))
+
+from code_rules_enforcer import main  # noqa: E402
+
+code_rules_enforcer = SimpleNamespace(main=main, sys=sys)
+
+_ENFORCER_SCRIPT_PATH = _HOOK_DIRECTORY / "code_rules_enforcer.py"
+
+SHARED_HELPER_SOURCE = (
+    "import re\n"
+    "\n"
+    "def strip_code_and_quotes(text: str) -> str:\n"
+    "    without_fences = re.sub(r'```.*?```', '', text, flags=re.DOTALL)\n"
+    "    without_inline = re.sub(r'`[^`]*`', '', without_fences)\n"
+    "    without_quotes = re.sub(r'(?m)^>.*$', '', without_inline)\n"
+    "    return without_quotes.strip()\n"
+)
+
+_HOOK_INFRASTRUCTURE_TAIL = pathlib.Path("packages") / "claude-dev-env" / "hooks" / "blocking"
+
+
+@pytest.fixture
+def hook_blocking_dir() -> Iterator[pathlib.Path]:
+    base_directory = pathlib.Path(tempfile.mkdtemp())
+    blocking_directory = base_directory / _HOOK_INFRASTRUCTURE_TAIL
+    blocking_directory.mkdir(parents=True)
+    try:
+        yield blocking_directory
+    finally:
+        shutil.rmtree(base_directory, ignore_errors=False)
+
+
+def _run_main_with_write_payload(
+    file_path: str,
+    content: str,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> str:
+    """Drive ``main()`` through its stdin entry point for a Write and return stdout.
+
+    Args:
+        file_path: The on-disk path the Write targets.
+        content: The whole-file body the Write would create.
+        monkeypatch: The fixture used to redirect ``sys.stdin``.
+        capsys: The fixture used to capture the deny payload on stdout.
+
+    Returns:
+        The captured stdout, which holds the deny payload when violations fire.
+    """
+    write_payload = json.dumps(
+        {
+            "tool_name": "Write",
+            "tool_input": {"file_path": file_path, "content": content},
+        }
+    )
+    monkeypatch.setattr(code_rules_enforcer.sys, "stdin", io.StringIO(write_payload))
+    try:
+        code_rules_enforcer.main([])
+    except SystemExit:
+        pass
+    return capsys.readouterr().out
+
+
+def test_write_of_copied_helper_into_hook_directory_denies(
+    hook_blocking_dir: pathlib.Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """A Write that copies a sibling helper into a second hook file is denied.
+
+    The target lives under a hook-infrastructure path the rest of the code-rules
+    suite exempts, so this proves the duplicate-body check still guards the exact
+    directory its module docstring names as the primary target."""
+    (hook_blocking_dir / "existing_blocker.py").write_text(SHARED_HELPER_SOURCE, encoding="utf-8")
+    new_file = hook_blocking_dir / "new_blocker.py"
+    stdout = _run_main_with_write_payload(str(new_file), SHARED_HELPER_SOURCE, monkeypatch, capsys)
+    assert stdout != "", (
+        "A copied helper written into a second hook-infrastructure file must "
+        "produce a deny payload, got empty stdout"
+    )
+    deny_payload = json.loads(stdout)
+    decision = deny_payload["hookSpecificOutput"]["permissionDecision"]
+    reason = deny_payload["hookSpecificOutput"]["permissionDecisionReason"]
+    assert decision == "deny", f"expected deny, got: {decision!r}"
+    assert "strip_code_and_quotes" in reason, (
+        f"the deny reason must name the duplicated helper, got: {reason!r}"
+    )
+
+
+def test_write_of_unique_helper_into_hook_directory_allows(
+    hook_blocking_dir: pathlib.Path,
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """A Write of a hook file with no sibling duplicate produces no deny payload.
+
+    Routing hook ``.py`` files to the duplicate-body check must not block a hook
+    file that introduces a genuinely new helper; only a copied body denies."""
+    (hook_blocking_dir / "existing_blocker.py").write_text(SHARED_HELPER_SOURCE, encoding="utf-8")
+    unique_helper_source = (
+        "def normalize_indices(left: int, right: int) -> int:\n"
+        "    combined = left + right\n"
+        "    widened = combined * 5\n"
+        "    return widened\n"
+    )
+    new_file = hook_blocking_dir / "unique_blocker.py"
+    stdout = _run_main_with_write_payload(str(new_file), unique_helper_source, monkeypatch, capsys)
+    assert stdout == "", f"a unique hook helper must not be denied, got stdout: {stdout!r}"
+
+
+def test_precheck_of_copied_helper_at_hook_target_exits_nonzero(
+    hook_blocking_dir: pathlib.Path,
+    tmp_path_factory: pytest.TempPathFactory,
+) -> None:
+    """The pre-check CLI flags a copied helper judged at a hook-infrastructure target.
+
+    Driving the real ``--check`` argv path proves the gate's pre-check mode also
+    routes a hook ``.py`` target through the duplicate-body check rather than
+    exiting clean on the blanket hook-infrastructure exemption."""
+    (hook_blocking_dir / "existing_blocker.py").write_text(SHARED_HELPER_SOURCE, encoding="utf-8")
+    staging_directory = tmp_path_factory.mktemp("staging")
+    candidate_file = staging_directory / "candidate.py"
+    candidate_file.write_text(SHARED_HELPER_SOURCE, encoding="utf-8")
+    target_path = str(hook_blocking_dir / "new_blocker.py")
+    completed = subprocess.run(
+        [
+            sys.executable,
+            str(_ENFORCER_SCRIPT_PATH),
+            "--check",
+            str(candidate_file),
+            "--as",
+            target_path,
+        ],
+        input="",
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert completed.returncode == 1, (
+        "a copied helper at a hook target must exit nonzero, got: "
+        f"{completed.returncode}, stdout: {completed.stdout!r}, "
+        f"stderr: {completed.stderr!r}"
+    )
+    assert "strip_code_and_quotes" in completed.stdout, (
+        f"the pre-check must name the duplicated helper, got: {completed.stdout!r}"
+    )

package/hooks/blocking/test_code_rules_enforcer_magic_slice_bounds.py

@@ -0,0 +1,133 @@
+"""Tests for slice-bound magic values in the magic-value check.
+
+CODE_RULES.md states only 0, 1, -1 (plus 0.0, 1.0) are exempt from the
+magic-value check. A magic number used as a slice bound (``sha[:8]``,
+``timestamp[:10]``) is still a magic value, while a plain subscript index
+(``items[2]``) rides on the bracket exemption. The check distinguishes the
+two by the colon a slice carries between its brackets.
+"""
+
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import ModuleType
+
+
+def _load_enforcer_module() -> ModuleType:
+    module_path = Path(__file__).parent / "code_rules_enforcer.py"
+    spec = importlib.util.spec_from_file_location("code_rules_enforcer", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+code_rules_enforcer = _load_enforcer_module()
+
+
+PRODUCTION_FILE_PATH = "packages/claude-dev-env/skills/example/workflow/example_render.py"
+
+
+def test_check_magic_values_should_flag_short_sha_slice_bound() -> None:
+    source = (
+        "def render_fix(fix_record):\n"
+        "    short_sha = fix_record.new_sha[:8]\n"
+        "    label = short_sha\n"
+    )
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 8 - extract to named constant") for issue in issues), (
+        f"Expected magic-value issue for slice bound 8, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_flag_iso_date_prefix_slice_bound() -> None:
+    source = (
+        "def read_date(journal):\n"
+        "    timestamp = journal.get_timestamp()\n"
+        "    generated = timestamp[:10]\n"
+        "    label = generated\n"
+    )
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 10 - extract to named constant") for issue in issues), (
+        f"Expected magic-value issue for slice bound 10, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_flag_slice_bound_even_with_inline_guard() -> None:
+    source = (
+        "def read_date(journal):\n"
+        "    timestamp = journal.get_timestamp()\n"
+        '    generated = timestamp[:10] if len(timestamp) >= 10 else ""\n'
+        "    label = generated\n"
+    )
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 10 - extract to named constant") for issue in issues), (
+        f"Expected magic-value issue for slice bound 10 on a guarded line, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_still_exempt_plain_subscript_index() -> None:
+    source = "def pick_entry(all_entries):\n    chosen = all_entries[2]\n    label = chosen\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Expected no issues for a plain subscript index, got: {issues}"
+
+
+def test_check_magic_values_should_allow_slice_bound_of_one() -> None:
+    source = "def first_character(text):\n    head = text[:1]\n    label = head\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Expected no issues for an allowed slice bound 1, got: {issues}"
+
+
+def test_check_magic_values_should_flag_slice_bound_not_substring_subscript_on_same_line() -> None:
+    source = (
+        "def join_pair(key, value):\n"
+        "    pair = key[2] + value[:20]\n"
+        "    label = pair\n"
+    )
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 20 - extract to named constant") for issue in issues), (
+        f"Expected the slice bound 20 to be flagged, got: {issues}"
+    )
+    assert not any(issue.endswith("Magic value 2 - extract to named constant") for issue in issues), (
+        f"Expected the subscript index 2 to stay exempt, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_flag_first_token_of_two_sided_slice() -> None:
+    source = "def middle(chunk):\n    window = chunk[8:16]\n    label = window\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 8 - extract to named constant") for issue in issues), (
+        f"Expected the first slice bound 8 to be flagged, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_exempt_walrus_subscript_index() -> None:
+    source = "def lookup(all_entries):\n    chosen = all_entries[(n := 4)]\n    label = chosen\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Expected no issues for a walrus subscript index, got: {issues}"
+
+
+def test_check_magic_values_should_exempt_lambda_subscript_index() -> None:
+    source = "def lookup(sequence):\n    chosen = sequence[(lambda: 7)()]\n    label = chosen\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert issues == [], f"Expected no issues for a lambda subscript index, got: {issues}"
+
+
+def test_check_magic_values_should_flag_outer_slice_bound_not_inner_subscript() -> None:
+    source = "def window(first, second):\n    region = first[second[6]:9]\n    label = region\n"
+    issues = code_rules_enforcer.check_magic_values(source, PRODUCTION_FILE_PATH)
+    assert any(issue.endswith("Magic value 9 - extract to named constant") for issue in issues), (
+        f"Expected the outer slice bound 9 to be flagged, got: {issues}"
+    )
+    assert not any(issue.endswith("Magic value 6 - extract to named constant") for issue in issues), (
+        f"Expected the inner subscript index 6 to stay exempt, got: {issues}"
+    )
+
+
+def test_check_magic_values_should_pass_on_the_module_own_source() -> None:
+    module_path = Path(__file__).parent / "code_rules_magic_values.py"
+    source = module_path.read_text(encoding="utf-8")
+    issues = code_rules_enforcer.check_magic_values(source, str(module_path))
+    assert issues == [], f"Expected the module to pass its own magic-value check, got: {issues}"