popeye-cli 1.8.0 → 1.9.1

package/src/workflow/index.ts

@@ -57,6 +57,11 @@ export * from './website-strategy.js';
 export * from './overview.js';
 export * from './db-state-machine.js';
 export * from './db-setup-runner.js';
+export * from './audit-scanner.js';
+export * from './audit-analyzer.js';
+export * from './audit-reporter.js';
+export * from './audit-recovery.js';
+export * from './audit-mode.js';
 
 /**
  * Workflow options

package/tests/cli/commands/review.test.ts

@@ -0,0 +1,52 @@
+/**
+ * Tests for the review CLI command.
+ */
+import { describe, it, expect } from 'vitest';
+import { createReviewCommand } from '../../../src/cli/commands/review.js';
+
+describe('createReviewCommand', () => {
+  it('should create a command named review', () => {
+    const cmd = createReviewCommand();
+    expect(cmd.name()).toBe('review');
+  });
+
+  it('should have audit as an alias', () => {
+    const cmd = createReviewCommand();
+    expect(cmd.aliases()).toContain('audit');
+  });
+
+  it('should accept the depth option', () => {
+    const cmd = createReviewCommand();
+    const depthOpt = cmd.options.find((o) => o.long === '--depth');
+    expect(depthOpt).toBeDefined();
+  });
+
+  it('should accept the strict option', () => {
+    const cmd = createReviewCommand();
+    const strictOpt = cmd.options.find((o) => o.long === '--strict');
+    expect(strictOpt).toBeDefined();
+  });
+
+  it('should accept the format option', () => {
+    const cmd = createReviewCommand();
+    const formatOpt = cmd.options.find((o) => o.long === '--format');
+    expect(formatOpt).toBeDefined();
+  });
+
+  it('should accept the no-recover option', () => {
+    const cmd = createReviewCommand();
+    const recoverOpt = cmd.options.find((o) => o.long === '--no-recover');
+    expect(recoverOpt).toBeDefined();
+  });
+
+  it('should accept the target option', () => {
+    const cmd = createReviewCommand();
+    const targetOpt = cmd.options.find((o) => o.long === '--target');
+    expect(targetOpt).toBeDefined();
+  });
+
+  it('should have a description', () => {
+    const cmd = createReviewCommand();
+    expect(cmd.description()).toBeTruthy();
+  });
+});

package/tests/types/audit.test.ts

@@ -0,0 +1,250 @@
+/**
+ * Tests for audit type schemas.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  AuditSeveritySchema,
+  AuditCategorySchema,
+  ComponentKindSchema,
+  AuditEvidenceSchema,
+  DependencyManifestSchema,
+  FileEntrySchema,
+  ComponentScanSchema,
+  WiringMismatchSchema,
+  WiringMatrixSchema,
+  SearchMetadataSchema,
+  AuditFindingSchema,
+  ProjectSummaryReportSchema,
+  ProjectAuditReportSchema,
+  RecoveryTaskSchema,
+  RecoveryMilestoneSchema,
+  RecoveryPlanSchema,
+  AuditModeOptionsSchema,
+} from '../../src/types/audit.js';
+
+describe('AuditSeveritySchema', () => {
+  it('should accept valid severity values', () => {
+    expect(AuditSeveritySchema.parse('critical')).toBe('critical');
+    expect(AuditSeveritySchema.parse('major')).toBe('major');
+    expect(AuditSeveritySchema.parse('minor')).toBe('minor');
+    expect(AuditSeveritySchema.parse('info')).toBe('info');
+  });
+
+  it('should reject invalid values', () => {
+    expect(() => AuditSeveritySchema.parse('high')).toThrow();
+    expect(() => AuditSeveritySchema.parse('')).toThrow();
+  });
+});
+
+describe('AuditCategorySchema', () => {
+  it('should accept all valid categories', () => {
+    const categories = [
+      'feature-completeness',
+      'integration-wiring',
+      'test-coverage',
+      'config-deployment',
+      'dependency-sanity',
+      'consistency',
+      'security',
+      'documentation',
+    ];
+    for (const cat of categories) {
+      expect(AuditCategorySchema.parse(cat)).toBe(cat);
+    }
+  });
+
+  it('should reject invalid category', () => {
+    expect(() => AuditCategorySchema.parse('performance')).toThrow();
+  });
+});
+
+describe('ComponentKindSchema', () => {
+  it('should accept valid kinds', () => {
+    expect(ComponentKindSchema.parse('frontend')).toBe('frontend');
+    expect(ComponentKindSchema.parse('backend')).toBe('backend');
+    expect(ComponentKindSchema.parse('website')).toBe('website');
+    expect(ComponentKindSchema.parse('shared')).toBe('shared');
+    expect(ComponentKindSchema.parse('infra')).toBe('infra');
+  });
+
+  it('should reject unknown kind', () => {
+    expect(() => ComponentKindSchema.parse('mobile')).toThrow();
+  });
+});
+
+describe('ComponentScanSchema', () => {
+  const validComponent = {
+    kind: 'frontend',
+    rootDir: 'apps/frontend',
+    language: 'typescript',
+    framework: 'react',
+    entryPoints: ['src/main.tsx'],
+    routeFiles: ['src/App.tsx'],
+    testFiles: [{ path: 'tests/App.test.tsx', lines: 50 }],
+    sourceFiles: [{ path: 'src/main.tsx', lines: 20, extension: '.tsx' }],
+    dependencyManifests: [
+      { file: 'package.json', type: 'package.json', dependencies: { react: '^18.0.0' } },
+    ],
+  };
+
+  it('should validate a complete component scan', () => {
+    const result = ComponentScanSchema.parse(validComponent);
+    expect(result.kind).toBe('frontend');
+    expect(result.rootDir).toBe('apps/frontend');
+    expect(result.sourceFiles).toHaveLength(1);
+  });
+
+  it('should accept minimal component scan', () => {
+    const minimal = {
+      kind: 'backend',
+      rootDir: '.',
+      language: 'python',
+      entryPoints: [],
+      routeFiles: [],
+      testFiles: [],
+      sourceFiles: [],
+      dependencyManifests: [],
+    };
+    const result = ComponentScanSchema.parse(minimal);
+    expect(result.framework).toBeUndefined();
+  });
+
+  it('should reject invalid language', () => {
+    expect(() =>
+      ComponentScanSchema.parse({ ...validComponent, language: 'rust' })
+    ).toThrow();
+  });
+});
+
+describe('WiringMatrixSchema', () => {
+  it('should validate a complete wiring matrix', () => {
+    const wiring = {
+      frontendApiBaseEnvKeys: ['VITE_API_URL'],
+      frontendApiBaseResolved: 'http://localhost:3000',
+      backendCorsOrigins: ['http://localhost:5173'],
+      backendApiPrefix: '/api',
+      potentialMismatches: [
+        {
+          type: 'cors-origin-mismatch',
+          details: 'Frontend origin not in CORS list',
+          evidence: [{ file: '.env.example', snippet: 'VITE_API_URL=http://localhost:3000' }],
+        },
+      ],
+    };
+    const result = WiringMatrixSchema.parse(wiring);
+    expect(result.potentialMismatches).toHaveLength(1);
+  });
+
+  it('should accept empty mismatches', () => {
+    const wiring = {
+      frontendApiBaseEnvKeys: [],
+      potentialMismatches: [],
+    };
+    const result = WiringMatrixSchema.parse(wiring);
+    expect(result.potentialMismatches).toHaveLength(0);
+  });
+});
+
+describe('SearchMetadataSchema', () => {
+  it('should validate search metadata', () => {
+    const meta = {
+      serenaUsed: true,
+      serenaRetries: 1,
+      serenaErrors: ['timeout'],
+      fallbackUsed: true,
+      fallbackTool: 'grep',
+      searchQueries: ['find_symbol UserService'],
+    };
+    const result = SearchMetadataSchema.parse(meta);
+    expect(result.serenaUsed).toBe(true);
+    expect(result.serenaRetries).toBe(1);
+  });
+
+  it('should require all fields', () => {
+    expect(() => SearchMetadataSchema.parse({ serenaUsed: true })).toThrow();
+  });
+});
+
+describe('AuditFindingSchema', () => {
+  const validFinding = {
+    id: 'AUD-001',
+    category: 'test-coverage',
+    severity: 'major',
+    title: 'No tests for auth module',
+    description: 'The authentication module has zero test files.',
+    evidence: [{ file: 'src/auth/login.ts', description: 'No test file found' }],
+    recommendation: 'Add unit tests for auth handlers',
+    autoFixable: false,
+  };
+
+  it('should validate a complete finding', () => {
+    const result = AuditFindingSchema.parse(validFinding);
+    expect(result.id).toBe('AUD-001');
+    expect(result.autoFixable).toBe(false);
+  });
+
+  it('should reject missing required fields', () => {
+    const { recommendation, ...incomplete } = validFinding;
+    expect(() => AuditFindingSchema.parse(incomplete)).toThrow();
+  });
+
+  it('should reject invalid severity', () => {
+    expect(() =>
+      AuditFindingSchema.parse({ ...validFinding, severity: 'high' })
+    ).toThrow();
+  });
+});
+
+describe('RecoveryTaskSchema', () => {
+  it('should require appTarget', () => {
+    const task = {
+      name: 'Fix CORS config',
+      description: 'Update backend CORS settings',
+      findingIds: ['AUD-003'],
+      acceptanceCriteria: ['CORS allows frontend origin'],
+      appTarget: 'backend',
+    };
+    const result = RecoveryTaskSchema.parse(task);
+    expect(result.appTarget).toBe('backend');
+  });
+
+  it('should reject missing appTarget', () => {
+    const task = {
+      name: 'Fix something',
+      description: 'A task',
+      findingIds: ['AUD-001'],
+      acceptanceCriteria: ['Fixed'],
+    };
+    expect(() => RecoveryTaskSchema.parse(task)).toThrow();
+  });
+});
+
+describe('AuditModeOptionsSchema', () => {
+  it('should apply defaults', () => {
+    const result = AuditModeOptionsSchema.parse({ projectDir: '/tmp/proj' });
+    expect(result.depth).toBe(2);
+    expect(result.runTests).toBe(true);
+    expect(result.strict).toBe(false);
+    expect(result.format).toBe('both');
+    expect(result.autoRecover).toBe(true);
+    expect(result.target).toBe('all');
+  });
+
+  it('should accept overrides', () => {
+    const result = AuditModeOptionsSchema.parse({
+      projectDir: '/tmp/proj',
+      depth: 3,
+      strict: true,
+      target: 'frontend',
+    });
+    expect(result.depth).toBe(3);
+    expect(result.strict).toBe(true);
+    expect(result.target).toBe('frontend');
+  });
+
+  it('should reject depth out of range', () => {
+    expect(() =>
+      AuditModeOptionsSchema.parse({ projectDir: '/tmp/proj', depth: 5 })
+    ).toThrow();
+  });
+});

package/tests/workflow/audit-analyzer.test.ts

@@ -0,0 +1,281 @@
+/**
+ * Tests for the audit analyzer module.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  buildAnalysisPrompt,
+  parseAuditFindings,
+  calculateAuditScores,
+} from '../../src/workflow/audit-analyzer.js';
+import type { ProjectScanResult } from '../../src/types/audit.js';
+import type { ProjectState } from '../../src/types/workflow.js';
+
+/**
+ * Minimal scan result for testing prompts.
+ */
+function makeScan(overrides: Partial<ProjectScanResult> = {}): ProjectScanResult {
+  return {
+    tree: 'src/\n  main.ts',
+    components: [],
+    detectedComposition: ['frontend'],
+    stateLanguage: 'typescript',
+    compositionMismatch: false,
+    sourceFiles: [],
+    testFiles: [],
+    configFiles: [],
+    entryPoints: [],
+    routeFiles: [],
+    dependencies: [],
+    totalSourceFiles: 10,
+    totalTestFiles: 3,
+    totalLinesOfCode: 500,
+    totalLinesOfTests: 100,
+    language: 'typescript',
+    docsIndex: [],
+    keyFileSnippets: [],
+    ...overrides,
+  };
+}
+
+/**
+ * Minimal project state for testing.
+ */
+function makeState(overrides: Partial<ProjectState> = {}): ProjectState {
+  return {
+    id: 'test-id',
+    name: 'Test Project',
+    idea: 'A test project',
+    language: 'typescript',
+    openaiModel: 'gpt-4',
+    phase: 'complete',
+    status: 'complete',
+    milestones: [],
+    currentMilestone: null,
+    currentTask: null,
+    consensusHistory: [],
+    createdAt: '2024-01-01T00:00:00Z',
+    updatedAt: '2024-01-01T00:00:00Z',
+    ...overrides,
+  } as ProjectState;
+}
+
+// ---------------------------------------------------------------------------
+// buildAnalysisPrompt
+// ---------------------------------------------------------------------------
+
+describe('buildAnalysisPrompt', () => {
+  it('should include project name and language', () => {
+    const prompt = buildAnalysisPrompt(makeScan(), makeState(), 2, false);
+    expect(prompt).toContain('Test Project');
+    expect(prompt).toContain('typescript');
+  });
+
+  it('should include component structure section', () => {
+    const scan = makeScan({
+      components: [
+        {
+          kind: 'frontend',
+          rootDir: 'apps/frontend',
+          language: 'typescript',
+          framework: 'react',
+          entryPoints: ['src/main.tsx'],
+          routeFiles: [],
+          testFiles: [],
+          sourceFiles: [],
+          dependencyManifests: [],
+        },
+      ],
+    });
+    const prompt = buildAnalysisPrompt(scan, makeState(), 2, false);
+    expect(prompt).toContain('frontend');
+    expect(prompt).toContain('react');
+    expect(prompt).toContain('apps/frontend');
+  });
+
+  it('should include wiring matrix when present', () => {
+    const scan = makeScan({
+      wiring: {
+        frontendApiBaseEnvKeys: ['VITE_API_URL'],
+        frontendApiBaseResolved: 'http://localhost:3000',
+        backendCorsOrigins: ['http://localhost:5173'],
+        backendApiPrefix: '/api',
+        potentialMismatches: [],
+      },
+    });
+    const prompt = buildAnalysisPrompt(scan, makeState(), 2, false);
+    expect(prompt).toContain('VITE_API_URL');
+    expect(prompt).toContain('Wiring Matrix');
+  });
+
+  it('should include CLAUDE.md content when present', () => {
+    const scan = makeScan({ claudeMdContent: '# Project Rules\nFollow PEP8.' });
+    const prompt = buildAnalysisPrompt(scan, makeState(), 2, false);
+    expect(prompt).toContain('Project Rules');
+  });
+
+  it('should include depth-2 checks', () => {
+    const prompt = buildAnalysisPrompt(makeScan(), makeState(), 2, false);
+    expect(prompt).toContain('Depth-2 Checks');
+  });
+
+  it('should include depth-3 checks at depth 3', () => {
+    const prompt = buildAnalysisPrompt(makeScan(), makeState(), 3, false);
+    expect(prompt).toContain('Depth-3 Checks');
+    expect(prompt).toContain('OWASP');
+  });
+
+  it('should indicate strict mode when enabled', () => {
+    const prompt = buildAnalysisPrompt(makeScan(), makeState(), 2, true);
+    expect(prompt).toContain('STRICT MODE');
+  });
+
+  it('should include milestone status', () => {
+    const state = makeState({
+      milestones: [
+        {
+          id: 'm1',
+          name: 'Setup',
+          description: 'Initial setup',
+          status: 'complete',
+          tasks: [
+            { id: 't1', name: 'Init', description: 'Init project', status: 'complete' },
+          ],
+        },
+      ],
+    });
+    const prompt = buildAnalysisPrompt(makeScan(), state, 2, false);
+    expect(prompt).toContain('Setup: complete');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// parseAuditFindings
+// ---------------------------------------------------------------------------
+
+describe('parseAuditFindings', () => {
+  it('should parse valid JSON findings from code fences', () => {
+    const raw = '```json\n[\n  {\n    "id": "AUD-001",\n    "category": "test-coverage",\n    "severity": "major",\n    "title": "No tests",\n    "description": "Missing tests.",\n    "evidence": [],\n    "recommendation": "Add tests.",\n    "autoFixable": false\n  }\n]\n```';
+    const findings = parseAuditFindings(raw);
+    expect(findings).toHaveLength(1);
+    expect(findings[0].id).toBe('AUD-001');
+  });
+
+  it('should parse JSON without code fences', () => {
+    const raw = '[{"id":"AUD-001","category":"security","severity":"critical","title":"SQL Injection","description":"Raw SQL used.","evidence":[],"recommendation":"Use ORM.","autoFixable":false}]';
+    const findings = parseAuditFindings(raw);
+    expect(findings).toHaveLength(1);
+    expect(findings[0].category).toBe('security');
+  });
+
+  it('should handle malformed JSON gracefully', () => {
+    const findings = parseAuditFindings('This is not JSON at all.');
+    expect(findings).toEqual([]);
+  });
+
+  it('should skip individual malformed findings', () => {
+    const raw = JSON.stringify([
+      {
+        id: 'AUD-001',
+        category: 'test-coverage',
+        severity: 'major',
+        title: 'Valid',
+        description: 'Valid finding.',
+        evidence: [],
+        recommendation: 'Fix it.',
+        autoFixable: false,
+      },
+      {
+        id: 'AUD-002',
+        // Missing required fields
+        title: 'Invalid',
+      },
+    ]);
+    const findings = parseAuditFindings(raw);
+    expect(findings).toHaveLength(1);
+    expect(findings[0].id).toBe('AUD-001');
+  });
+
+  it('should handle non-array JSON', () => {
+    const findings = parseAuditFindings('{"not": "an array"}');
+    expect(findings).toEqual([]);
+  });
+
+  it('should extract JSON array embedded in surrounding text', () => {
+    const raw = 'Here are the findings:\n[{"id":"AUD-001","category":"documentation","severity":"info","title":"Missing changelog","description":"No CHANGELOG.md","evidence":[],"recommendation":"Add one.","autoFixable":true}]\nEnd of findings.';
+    const findings = parseAuditFindings(raw);
+    expect(findings).toHaveLength(1);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// calculateAuditScores
+// ---------------------------------------------------------------------------
+
+describe('calculateAuditScores', () => {
+  it('should return 100 when no findings', () => {
+    const { overallScore, categoryScores } = calculateAuditScores([], makeScan());
+    expect(overallScore).toBe(100);
+    expect(categoryScores['test-coverage']).toBe(100);
+  });
+
+  it('should deduct for critical findings', () => {
+    const findings = [
+      {
+        id: 'AUD-001',
+        category: 'security' as const,
+        severity: 'critical' as const,
+        title: 'SQL Injection',
+        description: 'Found raw SQL.',
+        evidence: [],
+        recommendation: 'Use ORM.',
+        autoFixable: false,
+      },
+    ];
+    const { overallScore, categoryScores } = calculateAuditScores(findings, makeScan());
+    expect(categoryScores['security']).toBe(80); // 100 - 20
+    expect(overallScore).toBeLessThan(100);
+  });
+
+  it('should not go below 0', () => {
+    const findings = Array.from({ length: 10 }, (_, i) => ({
+      id: `AUD-${i}`,
+      category: 'security' as const,
+      severity: 'critical' as const,
+      title: `Finding ${i}`,
+      description: 'Critical issue.',
+      evidence: [],
+      recommendation: 'Fix it.',
+      autoFixable: false,
+    }));
+    const { categoryScores } = calculateAuditScores(findings, makeScan());
+    expect(categoryScores['security']).toBe(0);
+  });
+
+  it('should handle mixed severity findings', () => {
+    const findings = [
+      {
+        id: 'AUD-001',
+        category: 'test-coverage' as const,
+        severity: 'major' as const,
+        title: 'Low coverage',
+        description: 'Only 20% covered.',
+        evidence: [],
+        recommendation: 'Add tests.',
+        autoFixable: false,
+      },
+      {
+        id: 'AUD-002',
+        category: 'test-coverage' as const,
+        severity: 'info' as const,
+        title: 'Snapshot tests used',
+        description: 'Consider replacing with assertions.',
+        evidence: [],
+        recommendation: 'Optional.',
+        autoFixable: false,
+      },
+    ];
+    const { categoryScores } = calculateAuditScores(findings, makeScan());
+    // major = -10, info = 0
+    expect(categoryScores['test-coverage']).toBe(90);
+  });
+});