tlc-claude-code 1.6.4 → 1.7.0

package/server/lib/code-gate/rules/database-rules.js

@@ -0,0 +1,158 @@
+/**
+ * Database Rules
+ *
+ * Detects new Date() in ORM .set() blocks (should use sql`now()`)
+ * and inline billing math that should use shared calculation utilities.
+ *
+ * Derived from production bugs: timestamp drift, copy-paste billing errors.
+ * See: WALL_OF_SHAME.md Bug #29 (missing VAT), Lesson #3 (timestamps)
+ *
+ * @module code-gate/rules/database-rules
+ */
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || filePath.includes('__tests__');
+}
+
+/**
+ * Detect new Date() inside ORM .set({}) blocks.
+ * Database timestamps should use sql`now()` for consistent DB-server time.
+ * new Date() uses app-server time which can drift.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkNewDateInSet(filePath, content) {
+  if (isTestFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  let inSetBlock = false;
+  let braceDepth = 0;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+
+    // Detect .set({ or .set( { start
+    if (/\.set\s*\(\s*\{/.test(line)) {
+      inSetBlock = true;
+      braceDepth = 0;
+      // Count braces on this line
+      for (const ch of line) {
+        if (ch === '{') braceDepth++;
+        if (ch === '}') braceDepth--;
+      }
+      if (braceDepth <= 0) {
+        // Single-line .set({...}) — check this line
+        if (/new\s+Date\s*\(\s*\)/.test(line)) {
+          findings.push({
+            severity: 'block',
+            rule: 'no-new-date-in-set',
+            line: i + 1,
+            message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+            fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+          });
+        }
+        inSetBlock = false;
+        continue;
+      }
+      // Check the opening line too
+      if (/new\s+Date\s*\(\s*\)/.test(line)) {
+        findings.push({
+          severity: 'block',
+          rule: 'no-new-date-in-set',
+          line: i + 1,
+          message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+          fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+        });
+      }
+      continue;
+    }
+
+    if (inSetBlock) {
+      for (const ch of line) {
+        if (ch === '{') braceDepth++;
+        if (ch === '}') braceDepth--;
+      }
+
+      if (/new\s+Date\s*\(\s*\)/.test(line)) {
+        findings.push({
+          severity: 'block',
+          rule: 'no-new-date-in-set',
+          line: i + 1,
+          message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+          fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+        });
+      }
+
+      if (braceDepth <= 0) {
+        inSetBlock = false;
+      }
+    }
+  }
+
+  return findings;
+}
+
+/** Billing-related variable names that indicate inline math */
+const BILLING_VARS = [
+  'quantity', 'rate', 'price', 'cost', 'amount',
+  'subtotal', 'discount', 'tax', 'vat', 'total',
+  'lineTotal', 'grandTotal', 'unitPrice',
+];
+
+/**
+ * Detect inline billing math that should use shared calculation utilities.
+ * When billing calculations are scattered across files, bugs like missing VAT
+ * or wrong discount logic slip through.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkInlineBillingMath(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Allow math in calculation utility files
+  const fileBase = filePath.toLowerCase();
+  if (fileBase.includes('calculation') || fileBase.includes('calc.') ||
+      fileBase.includes('calc/') || fileBase.includes('-calc')) {
+    return [];
+  }
+
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // Check for billing-variable arithmetic: quantity * rate, subtotal - discount, etc.
+    for (const varName of BILLING_VARS) {
+      const pattern = new RegExp(`\\b${varName}\\b\\s*[*+\\-]\\s*\\b(${BILLING_VARS.join('|')})\\b`);
+      if (pattern.test(line)) {
+        findings.push({
+          severity: 'warn',
+          rule: 'no-inline-billing-math',
+          line: i + 1,
+          message: 'Inline billing calculation — use shared calculation utility',
+          fix: 'Use calculateLineTotal(), calculateSubtotal(), or calculateGrandTotal() from billing-calculations module',
+        });
+        break; // One finding per line
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkNewDateInSet,
+  checkInlineBillingMath,
+};

package/server/lib/code-gate/rules/database-rules.test.js

@@ -0,0 +1,119 @@
+/**
+ * Database Rules Tests
+ *
+ * Detects new Date() in ORM .set() blocks and inline billing math.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkNewDateInSet,
+  checkInlineBillingMath,
+} = require('./database-rules.js');
+
+describe('Database Rules', () => {
+  describe('checkNewDateInSet', () => {
+    it('detects new Date() in .set({}) block', () => {
+      const code = `
+        db.update(leads).set({
+          status: "active",
+          updatedAt: new Date(),
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('no-new-date-in-set');
+      expect(findings[0].fix).toContain('sql');
+    });
+
+    it('detects new Date() in .set() with convertedAt', () => {
+      const code = `
+        db.update(leads).set({
+          convertedAt: new Date(),
+          updatedAt: new Date(),
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings.length).toBeGreaterThanOrEqual(1);
+    });
+
+    it('allows new Date() in logging context', () => {
+      const code = `
+        console.log('Started at', new Date());
+        const timestamp = new Date();
+      `;
+      const findings = checkNewDateInSet('src/utils/logger.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows sql`now()` in .set()', () => {
+      const code = `
+        db.update(leads).set({
+          status: "active",
+          updatedAt: sql\`now()\`,
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'db.update(leads).set({ updatedAt: new Date() });';
+      const findings = checkNewDateInSet('src/leads/leads.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('detects across multiline .set() call', () => {
+      const code = [
+        'await db',
+        '  .update(invoices)',
+        '  .set({',
+        '    paidAt: new Date(),',
+        '    status: "paid",',
+        '  });',
+      ].join('\n');
+      const findings = checkNewDateInSet('src/invoices/invoices.service.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+  });
+
+  describe('checkInlineBillingMath', () => {
+    it('detects quantity * rate pattern', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/invoices/editor.tsx', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-inline-billing-math');
+    });
+
+    it('detects subtotal - discount pattern', () => {
+      const code = 'const total = subtotal - discount + tax;';
+      const findings = checkInlineBillingMath('src/invoices/sheet.tsx', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows math in calculation utility files', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/lib/billing-calculations.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows math in files with "calc" in name', () => {
+      const code = 'const total = subtotal - discount;';
+      const findings = checkInlineBillingMath('src/utils/price-calc.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/invoices/editor.test.tsx', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows non-billing arithmetic', () => {
+      const code = 'const area = width * height;';
+      const findings = checkInlineBillingMath('src/utils/geometry.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+});

package/server/lib/code-gate/rules/docker-rules.js

@@ -0,0 +1,201 @@
+/**
+ * Docker Rules
+ *
+ * Detects dangerous Docker patterns that can cause data loss:
+ * external volumes, missing volume names, destructive commands.
+ *
+ * Derived from Bug #27 (AI wiped production database via docker volume).
+ * See: TLC-BEST-PRACTICES.md Section 7 (Docker & Infrastructure)
+ *
+ * @module code-gate/rules/docker-rules
+ */
+
+/**
+ * File types where docker-compose rules apply.
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isDockerComposeFile(filePath) {
+  const base = filePath.toLowerCase();
+  return base.includes('docker-compose') || base.includes('compose.y');
+}
+
+/**
+ * File types where shell command rules apply.
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isShellOrCIFile(filePath) {
+  const base = filePath.toLowerCase();
+  return base.endsWith('.sh') || base.endsWith('.bash') ||
+         base.includes('.github/') || base.includes('.gitlab-ci') ||
+         base.includes('makefile') || base.includes('Makefile') ||
+         base.endsWith('.yml') || base.endsWith('.yaml');
+}
+
+/**
+ * Detect `external: true` in docker-compose volume definitions.
+ * External volumes create fragile cross-project dependencies
+ * and can silently reference wrong data.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkExternalVolumes(filePath, content) {
+  if (!isDockerComposeFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (/^\s*external\s*:\s*true/.test(line)) {
+      findings.push({
+        severity: 'block',
+        rule: 'no-external-volumes',
+        line: i + 1,
+        message: 'Docker volume with external: true — creates fragile cross-project dependency',
+        fix: 'Remove external: true and use explicit name: property instead',
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Detect docker-compose volumes without explicit `name:` property.
+ * Without explicit names, Docker generates project-prefixed names
+ * that can collide or be accidentally deleted.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkMissingVolumeNames(filePath, content) {
+  if (!isDockerComposeFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  let inVolumesSection = false;
+  let currentVolume = null;
+  let currentVolumeHasName = false;
+  let currentVolumeLine = -1;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+
+    // Detect top-level volumes: section
+    if (/^volumes\s*:/.test(line)) {
+      inVolumesSection = true;
+      continue;
+    }
+
+    // Exit volumes section on next top-level key
+    if (inVolumesSection && /^\S/.test(line) && !/^\s/.test(line) && !line.startsWith('#')) {
+      // Flush last volume
+      if (currentVolume && !currentVolumeHasName) {
+        findings.push({
+          severity: 'warn',
+          rule: 'require-volume-names',
+          line: currentVolumeLine + 1,
+          message: `Volume '${currentVolume}' has no explicit name: — data may be lost on project rename`,
+          fix: `Add name: property: name: ${currentVolume}`,
+        });
+      }
+      inVolumesSection = false;
+      currentVolume = null;
+      continue;
+    }
+
+    if (inVolumesSection) {
+      // Volume key (indented once, ends with colon)
+      const volumeKey = line.match(/^\s{2}(\w[\w-]*)\s*:/);
+      if (volumeKey) {
+        // Flush previous volume
+        if (currentVolume && !currentVolumeHasName) {
+          findings.push({
+            severity: 'warn',
+            rule: 'require-volume-names',
+            line: currentVolumeLine + 1,
+            message: `Volume '${currentVolume}' has no explicit name: — data may be lost on project rename`,
+            fix: `Add name: property: name: ${currentVolume}`,
+          });
+        }
+        currentVolume = volumeKey[1];
+        currentVolumeLine = i;
+        currentVolumeHasName = false;
+      }
+
+      // Check for name: property (indented further)
+      if (currentVolume && /^\s+name\s*:/.test(line)) {
+        currentVolumeHasName = true;
+      }
+    }
+  }
+
+  // Flush final volume
+  if (inVolumesSection && currentVolume && !currentVolumeHasName) {
+    findings.push({
+      severity: 'warn',
+      rule: 'require-volume-names',
+      line: currentVolumeLine + 1,
+      message: `Volume '${currentVolume}' has no explicit name: — data may be lost on project rename`,
+      fix: `Add name: property: name: ${currentVolume}`,
+    });
+  }
+
+  return findings;
+}
+
+/**
+ * Detect dangerous Docker commands in scripts and CI files.
+ * `docker compose down -v` removes data volumes.
+ * `docker volume rm` deletes volumes directly.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkDangerousDockerCommands(filePath, content) {
+  if (!isShellOrCIFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('#')) continue;
+
+    // docker compose down -v (or docker-compose down -v)
+    if (/docker[\s-]compose\s+down\s+.*-v/.test(line) ||
+        /docker[\s-]compose\s+down\s+-v/.test(line)) {
+      findings.push({
+        severity: 'block',
+        rule: 'no-dangerous-docker',
+        line: i + 1,
+        message: 'docker compose down -v removes data volumes — potential data loss',
+        fix: 'Use docker compose down (without -v) to preserve data volumes',
+      });
+    }
+
+    // docker volume rm
+    if (/docker\s+volume\s+rm\b/.test(line)) {
+      findings.push({
+        severity: 'block',
+        rule: 'no-dangerous-docker',
+        line: i + 1,
+        message: 'docker volume rm — irreversible data deletion',
+        fix: 'Verify this is intentional. Use docker volume inspect first to check contents',
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkExternalVolumes,
+  checkMissingVolumeNames,
+  checkDangerousDockerCommands,
+};

package/server/lib/code-gate/rules/docker-rules.test.js

@@ -0,0 +1,104 @@
+/**
+ * Docker Rules Tests
+ *
+ * Detects dangerous Docker patterns: external volumes,
+ * missing volume names, and destructive commands.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkExternalVolumes,
+  checkMissingVolumeNames,
+  checkDangerousDockerCommands,
+} = require('./docker-rules.js');
+
+describe('Docker Rules', () => {
+  describe('checkExternalVolumes', () => {
+    it('detects external: true in docker-compose', () => {
+      const yaml = `
+volumes:
+  postgres_data:
+    external: true
+      `;
+      const findings = checkExternalVolumes('docker-compose.yml', yaml);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('no-external-volumes');
+    });
+
+    it('passes without external flag', () => {
+      const yaml = `
+volumes:
+  postgres_data:
+    name: myapp_postgres_data
+      `;
+      const findings = checkExternalVolumes('docker-compose.yml', yaml);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('only checks docker-compose files', () => {
+      const yaml = 'external: true';
+      const findings = checkExternalVolumes('src/config.yml', yaml);
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkMissingVolumeNames', () => {
+    it('detects volumes without name property', () => {
+      const yaml = `
+volumes:
+  postgres_data:
+    driver: local
+  redis_data:
+      `;
+      const findings = checkMissingVolumeNames('docker-compose.yml', yaml);
+      expect(findings).toHaveLength(2); // both volumes lack name:
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('require-volume-names');
+    });
+
+    it('passes volume with explicit name', () => {
+      const yaml = `
+volumes:
+  postgres_data:
+    name: myapp_postgres_data
+      `;
+      const findings = checkMissingVolumeNames('docker-compose.yml', yaml);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('only checks docker-compose files', () => {
+      const yaml = 'volumes:\n  data:\n    driver: local';
+      const findings = checkMissingVolumeNames('src/config.ts', yaml);
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkDangerousDockerCommands', () => {
+    it('detects docker compose down -v', () => {
+      const script = '#!/bin/bash\ndocker compose down -v\necho "Done"';
+      const findings = checkDangerousDockerCommands('scripts/reset.sh', script);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('no-dangerous-docker');
+    });
+
+    it('detects docker volume rm', () => {
+      const script = 'docker volume rm myapp_postgres_data';
+      const findings = checkDangerousDockerCommands('scripts/cleanup.sh', script);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows docker compose down without -v', () => {
+      const script = 'docker compose down\necho "Stopped"';
+      const findings = checkDangerousDockerCommands('scripts/stop.sh', script);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('checks shell scripts and CI files', () => {
+      const script = 'docker compose down -v';
+      const findings = checkDangerousDockerCommands('.github/workflows/ci.yml', script);
+      expect(findings).toHaveLength(1);
+    });
+  });
+});