sinapse-ai 1.8.0 → 1.9.1

package/packages/installer/tests/unit/generate-settings-json/generate-settings-json.test.js

@@ -1,310 +0,0 @@
-'use strict';
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-const {
-  generate,
-  validateBoundaryPath,
-  readBoundaryConfig,
-  expandProtectedPaths,
-  expandExceptionPaths,
-  generatePermissions,
-  writeSettingsJson,
-} = require('../../../../../.sinapse-ai/infrastructure/scripts/generate-settings-json');
-
-function createTempProject(boundary, existingSettings) {
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'gen-settings-'));
-
-  // Create core-config.yaml with boundary section
-  const sinapseCoreDir = path.join(tmpDir, '.sinapse-ai');
-  fs.mkdirSync(sinapseCoreDir, { recursive: true });
-
-  const yamlContent = [
-    'boundary:',
-    `  frameworkProtection: ${boundary.frameworkProtection}`,
-    '  protected:',
-    ...boundary.protected.map(p => `    - ${p}`),
-    '  exceptions:',
-    ...boundary.exceptions.map(p => `    - ${p}`),
-  ].join('\n') + '\n';
-
-  fs.writeFileSync(path.join(tmpDir, '.sinapse-ai', 'core-config.yaml'), yamlContent, 'utf8');
-
-  // Create directory structure for expansion tests
-  if (boundary.protected.includes('.sinapse-ai/core/**')) {
-    const coreDir = path.join(tmpDir, '.sinapse-ai', 'core');
-    fs.mkdirSync(coreDir, { recursive: true });
-    fs.mkdirSync(path.join(coreDir, 'utils'), { recursive: true });
-    fs.mkdirSync(path.join(coreDir, 'events'), { recursive: true });
-    fs.writeFileSync(path.join(coreDir, 'index.js'), '', 'utf8');
-  }
-
-  // Create .claude directory and optionally existing settings
-  const claudeDir = path.join(tmpDir, '.claude');
-  fs.mkdirSync(claudeDir, { recursive: true });
-
-  if (existingSettings) {
-    fs.writeFileSync(
-      path.join(claudeDir, 'settings.json'),
-      JSON.stringify(existingSettings, null, 2) + '\n',
-      'utf8'
-    );
-  }
-
-  return tmpDir;
-}
-
-function cleanupTempProject(tmpDir) {
-  fs.rmSync(tmpDir, { recursive: true, force: true });
-}
-
-describe('generate-settings-json', () => {
-  describe('readBoundaryConfig', () => {
-    test('reads boundary config from core-config.yaml', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['.sinapse-ai/core/**', 'bin/sinapse.js'],
-        exceptions: ['.sinapse-ai/data/**'],
-      });
-
-      try {
-        const config = readBoundaryConfig(tmpDir);
-
-        expect(config.frameworkProtection).toBe(true);
-        expect(config.protected).toContain('.sinapse-ai/core/**');
-        expect(config.protected).toContain('bin/sinapse.js');
-        expect(config.exceptions).toContain('.sinapse-ai/data/**');
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-
-    test('throws when core-config.yaml not found', () => {
-      expect(() => readBoundaryConfig('/nonexistent/path')).toThrow('core-config.yaml not found');
-    });
-
-    test('rejects path traversal in protected paths', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['../../etc/passwd'],
-        exceptions: [],
-      });
-
-      try {
-        expect(() => readBoundaryConfig(tmpDir)).toThrow('Path traversal detected');
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-
-    test('rejects absolute paths in boundary config', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['/etc/passwd'],
-        exceptions: [],
-      });
-
-      try {
-        expect(() => readBoundaryConfig(tmpDir)).toThrow('Absolute path not allowed');
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-  });
-
-  describe('generatePermissions — frameworkProtection: true', () => {
-    test('generates deny rules covering all protected paths', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['.sinapse-ai/core/**', '.sinapse-ai/infrastructure/**', 'bin/sinapse.js'],
-        exceptions: ['.sinapse-ai/data/**'],
-      });
-
-      // Create infrastructure dir (no expansion for non-core paths)
-      fs.mkdirSync(path.join(tmpDir, '.sinapse-ai', 'infrastructure'), { recursive: true });
-
-      try {
-        const boundary = readBoundaryConfig(tmpDir);
-        const permissions = generatePermissions(boundary, tmpDir);
-
-        // Should have deny rules for core subdirs (events/**, utils/**, index.js) + infrastructure/** + bin/sinapse.js
-        expect(permissions.deny.length).toBeGreaterThan(0);
-
-        // Core expansion: events/**, utils/**, index.js → 6 deny rules (3 paths x 2 tools)
-        expect(permissions.deny).toContain('Edit(.sinapse-ai/core/events/**)');
-        expect(permissions.deny).toContain('Write(.sinapse-ai/core/events/**)');
-        expect(permissions.deny).toContain('Edit(.sinapse-ai/core/utils/**)');
-        expect(permissions.deny).toContain('Write(.sinapse-ai/core/utils/**)');
-        expect(permissions.deny).toContain('Edit(.sinapse-ai/core/index.js)');
-        expect(permissions.deny).toContain('Write(.sinapse-ai/core/index.js)');
-
-        // Non-core paths stay as globs
-        expect(permissions.deny).toContain('Edit(.sinapse-ai/infrastructure/**)');
-        expect(permissions.deny).toContain('Write(.sinapse-ai/infrastructure/**)');
-        expect(permissions.deny).toContain('Edit(bin/sinapse.js)');
-        expect(permissions.deny).toContain('Write(bin/sinapse.js)');
-
-        // Allow rules from exceptions
-        expect(permissions.allow).toContain('Edit(.sinapse-ai/data/**)');
-        expect(permissions.allow).toContain('Write(.sinapse-ai/data/**)');
-        expect(permissions.allow).toContain('Read(.sinapse-ai/**)');
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-
-    test('all 9 protected paths from core-config produce deny rules', () => {
-      const projectRoot = path.resolve(__dirname, '../../../../..');
-      const boundary = readBoundaryConfig(projectRoot);
-      // Force frameworkProtection: true for this test (core-config may have it disabled for contributor mode)
-      boundary.frameworkProtection = true;
-      const permissions = generatePermissions(boundary, projectRoot);
-
-      // Verify all 9 config paths are covered
-      const protectedRoots = [
-        '.sinapse-ai/core/',
-        '.sinapse-ai/development/tasks/',
-        '.sinapse-ai/development/templates/',
-        '.sinapse-ai/development/checklists/',
-        '.sinapse-ai/development/workflows/',
-        '.sinapse-ai/infrastructure/',
-        '.sinapse-ai/constitution.md',
-        'bin/sinapse.js',
-        'bin/sinapse-init.js',
-      ];
-
-      for (const root of protectedRoots) {
-        const hasDenyRule = permissions.deny.some(r => r.includes(root));
-        expect(hasDenyRule).toBe(true);
-      }
-
-      // Verify deny rules use only Edit and Write (no MultiEdit)
-      for (const rule of permissions.deny) {
-        expect(rule).toMatch(/^(Edit|Write)\(/);
-      }
-    });
-  });
-
-  describe('generatePermissions — frameworkProtection: false', () => {
-    test('produces no boundary deny rules', () => {
-      const boundary = {
-        frameworkProtection: false,
-        protected: ['.sinapse-ai/core/**', '.sinapse-ai/infrastructure/**'],
-        exceptions: ['.sinapse-ai/data/**'],
-      };
-
-      const permissions = generatePermissions(boundary, '/tmp');
-
-      expect(permissions.deny).toEqual([]);
-      expect(permissions.allow).toEqual([]);
-    });
-  });
-
-  describe('idempotency', () => {
-    test('running generator twice produces identical output', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['.sinapse-ai/core/**', 'bin/sinapse.js'],
-        exceptions: ['.sinapse-ai/data/**'],
-      });
-
-      try {
-        // First run
-        generate(tmpDir);
-        const firstRun = fs.readFileSync(path.join(tmpDir, '.claude', 'settings.json'), 'utf8');
-
-        // Second run
-        generate(tmpDir);
-        const secondRun = fs.readFileSync(path.join(tmpDir, '.claude', 'settings.json'), 'utf8');
-
-        expect(firstRun).toBe(secondRun);
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-
-    test('JSON output is valid and parseable', () => {
-      const tmpDir = createTempProject({
-        frameworkProtection: true,
-        protected: ['.sinapse-ai/core/**'],
-        exceptions: ['.sinapse-ai/data/**'],
-      });
-
-      try {
-        generate(tmpDir);
-        const content = fs.readFileSync(path.join(tmpDir, '.claude', 'settings.json'), 'utf8');
-        const parsed = JSON.parse(content);
-
-        expect(parsed).toHaveProperty('permissions');
-        expect(parsed.permissions).toHaveProperty('deny');
-        expect(parsed.permissions).toHaveProperty('allow');
-        expect(Array.isArray(parsed.permissions.deny)).toBe(true);
-        expect(Array.isArray(parsed.permissions.allow)).toBe(true);
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-  });
-
-  describe('section preservation', () => {
-    test('preserves user-set language key after generator run', () => {
-      const tmpDir = createTempProject(
-        {
-          frameworkProtection: true,
-          protected: ['bin/sinapse.js'],
-          exceptions: [],
-        },
-        { language: 'pt', customSetting: true }
-      );
-
-      try {
-        generate(tmpDir);
-        const content = fs.readFileSync(path.join(tmpDir, '.claude', 'settings.json'), 'utf8');
-        const parsed = JSON.parse(content);
-
-        expect(parsed.language).toBe('pt');
-        expect(parsed.customSetting).toBe(true);
-        expect(parsed.permissions).toBeDefined();
-        expect(parsed.permissions.deny.length).toBeGreaterThan(0);
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-
-    test('frameworkProtection false preserves user settings and removes permissions', () => {
-      const tmpDir = createTempProject(
-        {
-          frameworkProtection: false,
-          protected: ['bin/sinapse.js'],
-          exceptions: [],
-        },
-        { language: 'pt', permissions: { deny: ['old-rule'], allow: [] } }
-      );
-
-      try {
-        generate(tmpDir);
-        const content = fs.readFileSync(path.join(tmpDir, '.claude', 'settings.json'), 'utf8');
-        const parsed = JSON.parse(content);
-
-        expect(parsed.language).toBe('pt');
-        expect(parsed.permissions).toBeUndefined();
-      } finally {
-        cleanupTempProject(tmpDir);
-      }
-    });
-  });
-
-  describe('CLI entry point', () => {
-    test('module exports required functions', () => {
-      expect(typeof generate).toBe('function');
-      expect(typeof readBoundaryConfig).toBe('function');
-      expect(typeof expandProtectedPaths).toBe('function');
-      expect(typeof expandExceptionPaths).toBe('function');
-      expect(typeof generatePermissions).toBe('function');
-      expect(typeof writeSettingsJson).toBe('function');
-    });
-  });
-});
-

package/packages/installer/tests/unit/git-hooks-installer.test.js

@@ -1,262 +0,0 @@
-'use strict';
-
-/**
- * Stream B (Frente 4.2) — git-hooks-installer propagation tests.
- *
- * Verifies that installGitHooks():
- *   - sets git core.hooksPath to the managed directory
- *   - writes a Node `.js` pre-commit hook with a `#!/usr/bin/env node` shebang
- *   - bundles the staged-secret-scan library so the hook is self-contained
- *   - is idempotent (running twice does not duplicate / corrupt)
- *   - detects husky and chains to it
- *   - actually BLOCKS a commit with a staged secret, and ALLOWS a placeholder
- *
- * All git is driven with `git -C <dir> ...` against a tmpdir created with
- * fs.mkdtempSync(os.tmpdir()) so the global workspace-routing PreToolUse hook
- * (which rewrites bare `git init` / `mkdir` outside the Workspace) is never
- * triggered — we never run `mkdir` or `git init` as a bare cwd-based command.
- */
-
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-
-const { runSafe } = require('../../../../.sinapse-ai/core/utils/spawn-safe');
-const {
-  installGitHooks,
-  detectHusky,
-  buildPreCommitHook,
-  getCoreHooksPath,
-  MANAGED_HOOKS_DIRNAME,
-  MANAGED_MARKER,
-} = require('../../src/installer/git-hooks-installer');
-
-const GIT_IDENTITY_ARGS = [
-  '-c', 'user.email=test@sinapse.local',
-  '-c', 'user.name=SINAPSE Test',
-  '-c', 'commit.gpgsign=false',
-];
-
-/** Create an isolated temp dir (no mkdir command — pure Node fs). */
-function makeTempDir() {
-  return fs.mkdtempSync(path.join(os.tmpdir(), 'snps-githooks-'));
-}
-
-/** Initialize a git repo at dir using `git -C` (avoids workspace-routing). */
-async function initRepo(dir) {
-  const res = await runSafe('git', ['-C', dir, 'init', '-q']);
-  if (!res.success) throw new Error(`git init failed: ${res.stderr}`);
-  // Ensure a deterministic default branch / identity for commits.
-  await runSafe('git', ['-C', dir, 'symbolic-ref', 'HEAD', 'refs/heads/main']);
-}
-
-/** Stage a file (write via Node fs, add via `git -C`). */
-async function writeAndStage(dir, relPath, content) {
-  const full = path.join(dir, relPath);
-  fs.mkdirSync(path.dirname(full), { recursive: true });
-  fs.writeFileSync(full, content, 'utf8');
-  const res = await runSafe('git', ['-C', dir, 'add', '--', relPath]);
-  if (!res.success) throw new Error(`git add failed: ${res.stderr}`);
-}
-
-/** Attempt a commit; returns the runSafe result ({success, code, stderr}). */
-async function commit(dir, message) {
-  return runSafe('git', [...GIT_IDENTITY_ARGS, '-C', dir, 'commit', '-m', message]);
-}
-
-function rmrf(dir) {
-  try {
-    fs.rmSync(dir, { recursive: true, force: true });
-  } catch {
-    /* best-effort cleanup */
-  }
-}
-
-describe('git-hooks-installer (Stream B propagation)', () => {
-  let gitAvailable = true;
-
-  beforeAll(async () => {
-    const res = await runSafe('git', ['--version']).catch(() => ({ success: false }));
-    gitAvailable = res.success === true;
-  });
-
-  describe('buildPreCommitHook (pure)', () => {
-    test('emits a Node hook with the node shebang and managed marker', () => {
-      const content = buildPreCommitHook();
-      expect(content.startsWith('#!/usr/bin/env node')).toBe(true);
-      expect(content).toContain(MANAGED_MARKER);
-      expect(content).toContain('staged-secret-scan.js');
-      // Never a shell or python hook.
-      expect(content).not.toMatch(/^#!\/usr\/bin\/env (sh|bash|python)/);
-    });
-
-    test('bakes an explicit chain path when provided', () => {
-      const content = buildPreCommitHook({ chainHookRel: '.git/hooks-old/pre-commit' });
-      expect(content).toContain('.git/hooks-old/pre-commit');
-    });
-  });
-
-  describe('detectHusky', () => {
-    test('reports false when no .husky/pre-commit exists', () => {
-      const dir = makeTempDir();
-      try {
-        expect(detectHusky(dir).hasHusky).toBe(false);
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('reports true when .husky/pre-commit exists', () => {
-      const dir = makeTempDir();
-      try {
-        const huskyDir = path.join(dir, '.husky');
-        fs.mkdirSync(huskyDir, { recursive: true });
-        fs.writeFileSync(path.join(huskyDir, 'pre-commit'), '#!/usr/bin/env sh\nexit 0\n');
-        expect(detectHusky(dir).hasHusky).toBe(true);
-      } finally {
-        rmrf(dir);
-      }
-    });
-  });
-
-  describe('installGitHooks (filesystem + git config)', () => {
-    test('writes a managed Node pre-commit and sets core.hooksPath', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        const result = await installGitHooks({ projectDir: dir });
-
-        expect(result.success).toBe(true);
-        expect(result.coreHooksPathSet).toBe(true);
-
-        const hookPath = path.join(dir, MANAGED_HOOKS_DIRNAME, 'pre-commit');
-        expect(fs.existsSync(hookPath)).toBe(true);
-
-        const hookContent = fs.readFileSync(hookPath, 'utf8');
-        expect(hookContent.startsWith('#!/usr/bin/env node')).toBe(true);
-        expect(hookContent).toContain(MANAGED_MARKER);
-
-        // The scanner lib is bundled next to the hook.
-        const libScanner = path.join(dir, MANAGED_HOOKS_DIRNAME, 'lib', 'staged-secret-scan.js');
-        expect(fs.existsSync(libScanner)).toBe(true);
-
-        // git config points at the managed dir (forward-slash, project-relative).
-        const configured = await getCoreHooksPath(dir);
-        expect(configured).toBe('.sinapse-ai/git-hooks');
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('is idempotent — running twice keeps a single managed hook', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        await installGitHooks({ projectDir: dir });
-        const firstContent = fs.readFileSync(path.join(dir, MANAGED_HOOKS_DIRNAME, 'pre-commit'), 'utf8');
-
-        const second = await installGitHooks({ projectDir: dir });
-        expect(second.success).toBe(true);
-
-        const secondContent = fs.readFileSync(path.join(dir, MANAGED_HOOKS_DIRNAME, 'pre-commit'), 'utf8');
-        expect(secondContent).toBe(firstContent);
-
-        // Exactly one pre-commit file in the managed dir (no .bak duplicates).
-        const entries = fs.readdirSync(path.join(dir, MANAGED_HOOKS_DIRNAME));
-        expect(entries.filter((e) => e.startsWith('pre-commit'))).toEqual(['pre-commit']);
-
-        // core.hooksPath is set once, not appended.
-        expect(await getCoreHooksPath(dir)).toBe('.sinapse-ai/git-hooks');
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('detects husky and chains to it', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        const huskyDir = path.join(dir, '.husky');
-        fs.mkdirSync(huskyDir, { recursive: true });
-        fs.writeFileSync(path.join(huskyDir, 'pre-commit'), '#!/usr/bin/env sh\nexit 0\n');
-
-        const result = await installGitHooks({ projectDir: dir });
-        expect(result.success).toBe(true);
-        expect(result.huskyDetected).toBe(true);
-
-        const hookContent = fs.readFileSync(path.join(dir, MANAGED_HOOKS_DIRNAME, 'pre-commit'), 'utf8');
-        // The runtime chain auto-detects .husky/pre-commit.
-        expect(hookContent).toContain('.husky');
-        expect(hookContent).toContain('pre-commit');
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('rejects a missing projectDir', async () => {
-      const result = await installGitHooks({});
-      expect(result.success).toBe(false);
-      expect(result.error).toMatch(/projectDir/);
-    });
-  });
-
-  describe('end-to-end commit gating', () => {
-    test('BLOCKS a commit that stages a real secret', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        await installGitHooks({ projectDir: dir });
-
-        // AWS access key — matches the scanner's AKIA pattern.
-        await writeAndStage(dir, 'config.js', 'const k = "AKIAIOSFODNN7EXAMPLE";\n');
-
-        const res = await commit(dir, 'should be blocked');
-        expect(res.success).toBe(false);
-        expect((res.stderr || '') + (res.stdout || '')).toMatch(/Secret Scan|blocked/i);
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('ALLOWS a commit of a placeholder .env.example', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        await installGitHooks({ projectDir: dir });
-
-        await writeAndStage(dir, '.env.example', 'STRIPE_KEY=your-key-here\nDB_PASSWORD=changeme\n');
-
-        const res = await commit(dir, 'add example env');
-        expect(res.success).toBe(true);
-      } finally {
-        rmrf(dir);
-      }
-    });
-
-    test('fail-CLOSED: a broken scanner lib blocks the commit', async () => {
-      if (!gitAvailable) return;
-      const dir = makeTempDir();
-      try {
-        await initRepo(dir);
-        await installGitHooks({ projectDir: dir });
-
-        // Corrupt the bundled scanner so require() throws inside the hook.
-        const libScanner = path.join(dir, MANAGED_HOOKS_DIRNAME, 'lib', 'staged-secret-scan.js');
-        fs.writeFileSync(libScanner, 'throw new Error("corrupted scanner");\n', 'utf8');
-
-        await writeAndStage(dir, 'safe.txt', 'totally harmless content\n');
-
-        const res = await commit(dir, 'should still be blocked');
-        expect(res.success).toBe(false);
-        expect((res.stderr || '') + (res.stdout || '')).toMatch(/fail-closed|blocking commit/i);
-      } finally {
-        rmrf(dir);
-      }
-    });
-  });
-});