tlc-claude-code 1.6.4 → 1.7.0

package/server/lib/code-gate/rules/architecture-rules.test.js

@@ -0,0 +1,155 @@
+/**
+ * Architecture Rules Tests
+ *
+ * Detects single-writer violations, fake API calls,
+ * stale re-exports, and raw API bypass patterns.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkSingleWriter,
+  checkFakeApiCalls,
+  checkStaleReexports,
+  checkRawApiRequests,
+} = require('./architecture-rules.js');
+
+describe('Architecture Rules', () => {
+  describe('checkSingleWriter', () => {
+    it('detects db.insert(users) outside users.service', () => {
+      const findings = checkSingleWriter(
+        'src/leads/leads.service.ts',
+        'const result = await db.insert(users).values(data);'
+      );
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('single-writer');
+      expect(findings[0].message).toContain('users');
+    });
+
+    it('passes when inside correct service file', () => {
+      const findings = checkSingleWriter(
+        'src/users/users.service.ts',
+        'const result = await db.insert(users).values(data);'
+      );
+      expect(findings).toHaveLength(0);
+    });
+
+    it('detects db.update(companies) outside company.service', () => {
+      const findings = checkSingleWriter(
+        'src/api/controller.ts',
+        'await db.update(companies).set({ status: "active" });'
+      );
+      expect(findings).toHaveLength(1);
+      expect(findings[0].message).toContain('companies');
+    });
+
+    it('handles singular service name for plural table', () => {
+      // company.service.ts should be allowed to write to companies table
+      const findings = checkSingleWriter(
+        'src/company/company.service.ts',
+        'await db.insert(companies).values(data);'
+      );
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const findings = checkSingleWriter(
+        'src/api/controller.test.ts',
+        'await db.insert(users).values(data);'
+      );
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkFakeApiCalls', () => {
+    it('detects setTimeout + resolve mock pattern', () => {
+      const code = `
+        function getUsers() {
+          return new Promise((resolve) => {
+            setTimeout(() => resolve([{ id: 1, name: 'Test' }]), 500);
+          });
+        }
+      `;
+      const findings = checkFakeApiCalls('src/api/users.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('no-fake-api');
+    });
+
+    it('allows real setTimeout with function callback', () => {
+      const code = `
+        setTimeout(() => {
+          refreshDashboard();
+        }, 1000);
+      `;
+      const findings = checkFakeApiCalls('src/ui/dashboard.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'setTimeout(() => resolve(mockData), 500);';
+      const findings = checkFakeApiCalls('src/api/users.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkStaleReexports', () => {
+    it('detects file with only module.exports = require(...)', () => {
+      const code = "module.exports = require('./new-location');";
+      const findings = checkStaleReexports('src/old-module.js', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('stale-reexport');
+    });
+
+    it('passes file with real logic alongside export', () => {
+      const code = `
+        const helper = require('./utils');
+        function doWork() { return helper.process(); }
+        module.exports = { doWork };
+      `;
+      const findings = checkStaleReexports('src/module.js', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('detects export default re-export', () => {
+      const code = "export { default } from './new-location';";
+      const findings = checkStaleReexports('src/old-module.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+  });
+
+  describe('checkRawApiRequests', () => {
+    it('detects apiRequest("POST", "/api/...")', () => {
+      const code = 'const result = await apiRequest("POST", "/api/companies", data);';
+      const findings = checkRawApiRequests('src/components/form.tsx', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-raw-api');
+    });
+
+    it('detects raw fetch("/api/...")', () => {
+      const code = 'const res = await fetch("/api/leads", { method: "POST" });';
+      const findings = checkRawApiRequests('src/components/leads.tsx', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows non-API fetch calls', () => {
+      const code = 'const res = await fetch("https://cdn.example.com/data.json");';
+      const findings = checkRawApiRequests('src/utils/loader.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows fetch in API helper files', () => {
+      const code = 'const res = await fetch("/api/companies");';
+      const findings = checkRawApiRequests('src/lib/api.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'await apiRequest("POST", "/api/test", data);';
+      const findings = checkRawApiRequests('src/components/form.test.tsx', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+});

package/server/lib/code-gate/rules/client-rules.js

@@ -0,0 +1,120 @@
+/**
+ * Client-Side Pattern Rules
+ *
+ * Detects Zustand stores without persistence middleware
+ * and Zod schemas using z.date() instead of z.coerce.date().
+ *
+ * Derived from Bug #13 (state lost on refresh) and Bug #12 (date coercion).
+ *
+ * @module code-gate/rules/client-rules
+ */
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || filePath.includes('__tests__');
+}
+
+/** Store names that are intentionally ephemeral (UI state, not data) */
+const EPHEMERAL_PATTERNS = [
+  'ui-store', 'ui.store', 'uiStore',
+  'modal-store', 'modalStore',
+  'toast-store', 'toastStore',
+  'theme-store', 'themeStore',
+];
+
+/**
+ * Detect Zustand create() without persist middleware.
+ * Stores that hold user data should use persist() to survive page refreshes.
+ * UI-only stores (modals, toasts) are exempt.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkZustandPersistence(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Only check store files
+  if (!filePath.includes('store')) return [];
+
+  // Skip ephemeral stores (UI state)
+  const fileBase = filePath.toLowerCase();
+  if (EPHEMERAL_PATTERNS.some(p => fileBase.includes(p))) return [];
+
+  // Check if file imports/uses zustand create
+  const hasZustandCreate = /\bcreate\s*[<(]/.test(content) &&
+    (content.includes("from 'zustand'") || content.includes('from "zustand"') ||
+     content.includes("require('zustand')") || content.includes('require("zustand")'));
+
+  if (!hasZustandCreate) return [];
+
+  // Check if persist is used
+  const hasPersist = content.includes('persist(') || content.includes('persist<');
+
+  if (!hasPersist) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      if (/\bcreate\s*[<(]/.test(lines[i])) {
+        findings.push({
+          severity: 'warn',
+          rule: 'zustand-needs-persist',
+          line: i + 1,
+          message: 'Zustand store without persist middleware — state lost on page refresh',
+          fix: "Wrap with persist(): create(persist((set) => ({...}), { name: 'store-name' }))",
+        });
+        break;
+      }
+    }
+    return findings;
+  }
+
+  return [];
+}
+
+/**
+ * Detect z.date() in schema files that should use z.coerce.date().
+ * When API clients send ISO strings, z.date() rejects them.
+ * z.coerce.date() handles both Date objects and ISO strings.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkZodDateCoercion(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Only check schema-related files
+  const fileBase = filePath.toLowerCase();
+  if (!fileBase.includes('schema') && !fileBase.includes('schemas')) return [];
+
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // z.date() without coerce
+    if (/z\.date\s*\(/.test(line) && !line.includes('z.coerce.date')) {
+      findings.push({
+        severity: 'warn',
+        rule: 'zod-use-coerce-date',
+        line: i + 1,
+        message: 'z.date() rejects ISO strings from API clients — use z.coerce.date()',
+        fix: 'Replace z.date() with z.coerce.date() to accept both Date objects and ISO strings',
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkZustandPersistence,
+  checkZodDateCoercion,
+};

package/server/lib/code-gate/rules/client-rules.test.js

@@ -0,0 +1,121 @@
+/**
+ * Client-Side Pattern Rules Tests
+ *
+ * Detects Zustand stores without persistence and
+ * Zod schemas with z.date() instead of z.coerce.date().
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkZustandPersistence,
+  checkZodDateCoercion,
+} = require('./client-rules.js');
+
+describe('Client Rules', () => {
+  describe('checkZustandPersistence', () => {
+    it('detects create() without persist', () => {
+      const code = `
+        import { create } from 'zustand';
+        const useFormStore = create((set) => ({
+          data: null,
+          setData: (data) => set({ data }),
+        }));
+      `;
+      const findings = checkZustandPersistence('src/stores/form-store.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('zustand-needs-persist');
+    });
+
+    it('passes create(persist(...))', () => {
+      const code = `
+        import { create } from 'zustand';
+        import { persist } from 'zustand/middleware';
+        const useFormStore = create(persist((set) => ({
+          data: null,
+        }), { name: 'form-store' }));
+      `;
+      const findings = checkZustandPersistence('src/stores/form-store.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows stores in ephemeral files', () => {
+      const code = `
+        import { create } from 'zustand';
+        const useUIStore = create((set) => ({ open: false }));
+      `;
+      const findings = checkZustandPersistence('src/stores/ui-store.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = `
+        import { create } from 'zustand';
+        const useTestStore = create((set) => ({ x: 1 }));
+      `;
+      const findings = checkZustandPersistence('src/stores/form.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('handles create<Type>() generic syntax', () => {
+      const code = `
+        import { create } from 'zustand';
+        interface FormState { data: string | null; }
+        const useFormStore = create<FormState>((set) => ({
+          data: null,
+        }));
+      `;
+      const findings = checkZustandPersistence('src/stores/form-store.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+  });
+
+  describe('checkZodDateCoercion', () => {
+    it('detects z.date() in schema files', () => {
+      const code = `
+        const insertLeadSchema = z.object({
+          name: z.string(),
+          createdAt: z.date(),
+        });
+      `;
+      const findings = checkZodDateCoercion('src/db/schema/leads.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('zod-use-coerce-date');
+    });
+
+    it('passes z.coerce.date()', () => {
+      const code = `
+        const insertLeadSchema = z.object({
+          name: z.string(),
+          createdAt: z.coerce.date(),
+        });
+      `;
+      const findings = checkZodDateCoercion('src/db/schema/leads.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows z.date() in non-schema files', () => {
+      const code = 'const validator = z.date();';
+      const findings = checkZodDateCoercion('src/utils/helpers.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'const schema = z.object({ at: z.date() });';
+      const findings = checkZodDateCoercion('src/db/schema/leads.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('detects in insertSchema definitions', () => {
+      const code = `
+        export const insertQuoteSchema = z.object({
+          validUntil: z.date(),
+          amount: z.number(),
+        });
+      `;
+      const findings = checkZodDateCoercion('server/schemas/quotes.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+  });
+});

package/server/lib/code-gate/rules/config-rules.js

@@ -0,0 +1,140 @@
+/**
+ * Config Rules
+ *
+ * Detects magic numbers (hardcoded timeouts, durations, thresholds)
+ * and hardcoded role strings that should live in config or database.
+ *
+ * Derived from Bug #18 (hardcoded role mappings) and Bug #23 (magic numbers).
+ *
+ * @module code-gate/rules/config-rules
+ */
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || filePath.includes('__tests__');
+}
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isConfigFile(filePath) {
+  const base = filePath.toLowerCase();
+  return base.includes('config') || base.includes('constants') ||
+         base.includes('.env') || base.endsWith('.json') ||
+         base.endsWith('.yml') || base.endsWith('.yaml');
+}
+
+/** Numbers that are safe to hardcode (HTTP status codes, common values) */
+const SAFE_NUMBERS = new Set([
+  0, 1, 2, 3, 4, 5, 10, 24, 60, 100,
+  200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 409, 422, 429, 500, 502, 503,
+  1000, // 1 second in ms
+  1024, 2048, 4096, // byte sizes
+]);
+
+/** Threshold above which a number is suspicious (1 minute in ms) */
+const MAGIC_THRESHOLD = 60000;
+
+/**
+ * Detect large hardcoded numbers that look like timeouts or durations.
+ * Numbers >= 60000 in assignments (not in const UPPER_CASE declarations)
+ * are flagged as likely magic numbers.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkMagicNumbers(filePath, content) {
+  if (isTestFile(filePath)) return [];
+  if (isConfigFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // Find number literals >= MAGIC_THRESHOLD
+    const numberMatches = line.matchAll(/\b(\d{5,})\b/g);
+    for (const match of numberMatches) {
+      const num = parseInt(match[1], 10);
+      if (num < MAGIC_THRESHOLD || SAFE_NUMBERS.has(num)) continue;
+
+      // Allow if it's a UPPER_CASE constant declaration
+      if (/\b(?:const|let|var)\s+[A-Z][A-Z0-9_]+\s*=/.test(line)) continue;
+
+      findings.push({
+        severity: 'warn',
+        rule: 'no-magic-numbers',
+        line: i + 1,
+        message: `Magic number ${num} — use a named constant or config value`,
+        fix: 'Extract to a named constant (e.g. const SESSION_TIMEOUT = ...) or use config',
+      });
+      break; // One finding per line
+    }
+  }
+
+  return findings;
+}
+
+/** Role-related keywords to detect in comparisons and object literals */
+const ROLE_STRINGS = [
+  'admin', 'manager', 'editor', 'viewer', 'user', 'moderator',
+  'owner', 'member', 'guest', 'superadmin', 'super_admin',
+];
+
+/**
+ * Detect hardcoded role strings in comparisons and object literals.
+ * Roles should come from constants, RBAC tables, or config — not inline strings.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkHardcodedRoles(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Skip role definition files
+  const base = filePath.toLowerCase();
+  if (base.includes('role') || base.includes('permission') ||
+      base.includes('rbac') || isConfigFile(filePath)) {
+    return [];
+  }
+
+  const findings = [];
+  const lines = content.split('\n');
+  const rolePattern = new RegExp(
+    `(?:role|userRole|workspaceRole)\\s*(?:===?|!==?)\\s*['"\`](${ROLE_STRINGS.join('|')})['"\`]`
+  );
+  const roleLiteralPattern = new RegExp(
+    `\\brole\\s*:\\s*['"\`](${ROLE_STRINGS.join('|')})['"\`]`
+  );
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    if (rolePattern.test(line) || roleLiteralPattern.test(line)) {
+      findings.push({
+        severity: 'warn',
+        rule: 'no-hardcoded-roles',
+        line: i + 1,
+        message: 'Hardcoded role string — use RBAC constants or database roles',
+        fix: 'Import role constants (e.g. ROLES.ADMIN) instead of string literals',
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkMagicNumbers,
+  checkHardcodedRoles,
+};

package/server/lib/code-gate/rules/config-rules.test.js

@@ -0,0 +1,103 @@
+/**
+ * Config Rules Tests
+ *
+ * Detects magic numbers (hardcoded timeouts/thresholds)
+ * and hardcoded role strings that should be in config/DB.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkMagicNumbers,
+  checkHardcodedRoles,
+} = require('./config-rules.js');
+
+describe('Config Rules', () => {
+  describe('checkMagicNumbers', () => {
+    it('detects hardcoded 86400000 (24h in ms)', () => {
+      const code = 'const sessionTimeout = 86400000;';
+      const findings = checkMagicNumbers('src/auth/session.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-magic-numbers');
+    });
+
+    it('detects hardcoded 3600000 (1h in ms)', () => {
+      const code = 'const resetExpiry = 3600000;';
+      const findings = checkMagicNumbers('src/auth/reset.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows named constants (const TIMEOUT = 86400000)', () => {
+      // Already a named constant at declaration — this is the pattern we want
+      const code = 'const SESSION_TIMEOUT = 86400000;';
+      const findings = checkMagicNumbers('src/config/constants.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows common safe numbers', () => {
+      const code = [
+        'const count = 0;',
+        'const index = 1;',
+        'const percent = 100;',
+        'return res.status(200).json(data);',
+        'return res.status(404).json({ error: "Not found" });',
+        'return res.status(500).json({ error: "Server error" });',
+      ].join('\n');
+      const findings = checkMagicNumbers('src/api/handler.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'const timeout = 86400000;';
+      const findings = checkMagicNumbers('src/auth/session.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips config and constants files', () => {
+      const code = 'const timeout = 86400000;';
+      const findings = checkMagicNumbers('src/config/timeouts.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkHardcodedRoles', () => {
+    it('detects role === "admin" comparison', () => {
+      const code = 'if (user.role === "admin") { allowAccess(); }';
+      const findings = checkHardcodedRoles('src/middleware/auth.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-hardcoded-roles');
+    });
+
+    it('detects role: "manager" in object literal', () => {
+      const code = 'const defaultUser = { name: "test", role: "manager" };';
+      const findings = checkHardcodedRoles('src/api/users.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows role variable references without string', () => {
+      const code = 'if (user.role === ROLES.ADMIN) { allowAccess(); }';
+      const findings = checkHardcodedRoles('src/middleware/auth.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows RBAC constant definitions', () => {
+      // This is WHERE roles are defined — that's fine
+      const code = 'const ROLES = { ADMIN: "admin", USER: "user" };';
+      const findings = checkHardcodedRoles('src/config/roles.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'if (user.role === "admin") {}';
+      const findings = checkHardcodedRoles('src/middleware/auth.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips role definition files', () => {
+      const code = 'role: "admin"';
+      const findings = checkHardcodedRoles('src/permissions/roles.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+});