tlc-claude-code 1.6.4 → 1.8.0

package/server/lib/code-gate/rules/config-rules.js

@@ -0,0 +1,140 @@
+/**
+ * Config Rules
+ *
+ * Detects magic numbers (hardcoded timeouts, durations, thresholds)
+ * and hardcoded role strings that should live in config or database.
+ *
+ * Derived from Bug #18 (hardcoded role mappings) and Bug #23 (magic numbers).
+ *
+ * @module code-gate/rules/config-rules
+ */
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || filePath.includes('__tests__');
+}
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isConfigFile(filePath) {
+  const base = filePath.toLowerCase();
+  return base.includes('config') || base.includes('constants') ||
+         base.includes('.env') || base.endsWith('.json') ||
+         base.endsWith('.yml') || base.endsWith('.yaml');
+}
+
+/** Numbers that are safe to hardcode (HTTP status codes, common values) */
+const SAFE_NUMBERS = new Set([
+  0, 1, 2, 3, 4, 5, 10, 24, 60, 100,
+  200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 409, 422, 429, 500, 502, 503,
+  1000, // 1 second in ms
+  1024, 2048, 4096, // byte sizes
+]);
+
+/** Threshold above which a number is suspicious (1 minute in ms) */
+const MAGIC_THRESHOLD = 60000;
+
+/**
+ * Detect large hardcoded numbers that look like timeouts or durations.
+ * Numbers >= 60000 in assignments (not in const UPPER_CASE declarations)
+ * are flagged as likely magic numbers.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkMagicNumbers(filePath, content) {
+  if (isTestFile(filePath)) return [];
+  if (isConfigFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // Find number literals >= MAGIC_THRESHOLD
+    const numberMatches = line.matchAll(/\b(\d{5,})\b/g);
+    for (const match of numberMatches) {
+      const num = parseInt(match[1], 10);
+      if (num < MAGIC_THRESHOLD || SAFE_NUMBERS.has(num)) continue;
+
+      // Allow if it's a UPPER_CASE constant declaration
+      if (/\b(?:const|let|var)\s+[A-Z][A-Z0-9_]+\s*=/.test(line)) continue;
+
+      findings.push({
+        severity: 'warn',
+        rule: 'no-magic-numbers',
+        line: i + 1,
+        message: `Magic number ${num} — use a named constant or config value`,
+        fix: 'Extract to a named constant (e.g. const SESSION_TIMEOUT = ...) or use config',
+      });
+      break; // One finding per line
+    }
+  }
+
+  return findings;
+}
+
+/** Role-related keywords to detect in comparisons and object literals */
+const ROLE_STRINGS = [
+  'admin', 'manager', 'editor', 'viewer', 'user', 'moderator',
+  'owner', 'member', 'guest', 'superadmin', 'super_admin',
+];
+
+/**
+ * Detect hardcoded role strings in comparisons and object literals.
+ * Roles should come from constants, RBAC tables, or config — not inline strings.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkHardcodedRoles(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Skip role definition files
+  const base = filePath.toLowerCase();
+  if (base.includes('role') || base.includes('permission') ||
+      base.includes('rbac') || isConfigFile(filePath)) {
+    return [];
+  }
+
+  const findings = [];
+  const lines = content.split('\n');
+  const rolePattern = new RegExp(
+    `(?:role|userRole|workspaceRole)\\s*(?:===?|!==?)\\s*['"\`](${ROLE_STRINGS.join('|')})['"\`]`
+  );
+  const roleLiteralPattern = new RegExp(
+    `\\brole\\s*:\\s*['"\`](${ROLE_STRINGS.join('|')})['"\`]`
+  );
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    if (rolePattern.test(line) || roleLiteralPattern.test(line)) {
+      findings.push({
+        severity: 'warn',
+        rule: 'no-hardcoded-roles',
+        line: i + 1,
+        message: 'Hardcoded role string — use RBAC constants or database roles',
+        fix: 'Import role constants (e.g. ROLES.ADMIN) instead of string literals',
+      });
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkMagicNumbers,
+  checkHardcodedRoles,
+};

package/server/lib/code-gate/rules/config-rules.test.js

@@ -0,0 +1,103 @@
+/**
+ * Config Rules Tests
+ *
+ * Detects magic numbers (hardcoded timeouts/thresholds)
+ * and hardcoded role strings that should be in config/DB.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkMagicNumbers,
+  checkHardcodedRoles,
+} = require('./config-rules.js');
+
+describe('Config Rules', () => {
+  describe('checkMagicNumbers', () => {
+    it('detects hardcoded 86400000 (24h in ms)', () => {
+      const code = 'const sessionTimeout = 86400000;';
+      const findings = checkMagicNumbers('src/auth/session.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-magic-numbers');
+    });
+
+    it('detects hardcoded 3600000 (1h in ms)', () => {
+      const code = 'const resetExpiry = 3600000;';
+      const findings = checkMagicNumbers('src/auth/reset.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows named constants (const TIMEOUT = 86400000)', () => {
+      // Already a named constant at declaration — this is the pattern we want
+      const code = 'const SESSION_TIMEOUT = 86400000;';
+      const findings = checkMagicNumbers('src/config/constants.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows common safe numbers', () => {
+      const code = [
+        'const count = 0;',
+        'const index = 1;',
+        'const percent = 100;',
+        'return res.status(200).json(data);',
+        'return res.status(404).json({ error: "Not found" });',
+        'return res.status(500).json({ error: "Server error" });',
+      ].join('\n');
+      const findings = checkMagicNumbers('src/api/handler.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'const timeout = 86400000;';
+      const findings = checkMagicNumbers('src/auth/session.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips config and constants files', () => {
+      const code = 'const timeout = 86400000;';
+      const findings = checkMagicNumbers('src/config/timeouts.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+
+  describe('checkHardcodedRoles', () => {
+    it('detects role === "admin" comparison', () => {
+      const code = 'if (user.role === "admin") { allowAccess(); }';
+      const findings = checkHardcodedRoles('src/middleware/auth.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-hardcoded-roles');
+    });
+
+    it('detects role: "manager" in object literal', () => {
+      const code = 'const defaultUser = { name: "test", role: "manager" };';
+      const findings = checkHardcodedRoles('src/api/users.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows role variable references without string', () => {
+      const code = 'if (user.role === ROLES.ADMIN) { allowAccess(); }';
+      const findings = checkHardcodedRoles('src/middleware/auth.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows RBAC constant definitions', () => {
+      // This is WHERE roles are defined — that's fine
+      const code = 'const ROLES = { ADMIN: "admin", USER: "user" };';
+      const findings = checkHardcodedRoles('src/config/roles.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'if (user.role === "admin") {}';
+      const findings = checkHardcodedRoles('src/middleware/auth.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips role definition files', () => {
+      const code = 'role: "admin"';
+      const findings = checkHardcodedRoles('src/permissions/roles.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+});

package/server/lib/code-gate/rules/database-rules.js

@@ -0,0 +1,158 @@
+/**
+ * Database Rules
+ *
+ * Detects new Date() in ORM .set() blocks (should use sql`now()`)
+ * and inline billing math that should use shared calculation utilities.
+ *
+ * Derived from production bugs: timestamp drift, copy-paste billing errors.
+ * See: WALL_OF_SHAME.md Bug #29 (missing VAT), Lesson #3 (timestamps)
+ *
+ * @module code-gate/rules/database-rules
+ */
+
+/**
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isTestFile(filePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(filePath) || filePath.includes('__tests__');
+}
+
+/**
+ * Detect new Date() inside ORM .set({}) blocks.
+ * Database timestamps should use sql`now()` for consistent DB-server time.
+ * new Date() uses app-server time which can drift.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array<{severity: string, rule: string, line: number, message: string, fix: string}>}
+ */
+function checkNewDateInSet(filePath, content) {
+  if (isTestFile(filePath)) return [];
+  const findings = [];
+  const lines = content.split('\n');
+
+  let inSetBlock = false;
+  let braceDepth = 0;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+
+    // Detect .set({ or .set( { start
+    if (/\.set\s*\(\s*\{/.test(line)) {
+      inSetBlock = true;
+      braceDepth = 0;
+      // Count braces on this line
+      for (const ch of line) {
+        if (ch === '{') braceDepth++;
+        if (ch === '}') braceDepth--;
+      }
+      if (braceDepth <= 0) {
+        // Single-line .set({...}) — check this line
+        if (/new\s+Date\s*\(\s*\)/.test(line)) {
+          findings.push({
+            severity: 'block',
+            rule: 'no-new-date-in-set',
+            line: i + 1,
+            message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+            fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+          });
+        }
+        inSetBlock = false;
+        continue;
+      }
+      // Check the opening line too
+      if (/new\s+Date\s*\(\s*\)/.test(line)) {
+        findings.push({
+          severity: 'block',
+          rule: 'no-new-date-in-set',
+          line: i + 1,
+          message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+          fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+        });
+      }
+      continue;
+    }
+
+    if (inSetBlock) {
+      for (const ch of line) {
+        if (ch === '{') braceDepth++;
+        if (ch === '}') braceDepth--;
+      }
+
+      if (/new\s+Date\s*\(\s*\)/.test(line)) {
+        findings.push({
+          severity: 'block',
+          rule: 'no-new-date-in-set',
+          line: i + 1,
+          message: 'new Date() in .set() block — use sql`now()` for consistent DB timestamps',
+          fix: 'Replace new Date() with sql`now()` for database-server time consistency',
+        });
+      }
+
+      if (braceDepth <= 0) {
+        inSetBlock = false;
+      }
+    }
+  }
+
+  return findings;
+}
+
+/** Billing-related variable names that indicate inline math */
+const BILLING_VARS = [
+  'quantity', 'rate', 'price', 'cost', 'amount',
+  'subtotal', 'discount', 'tax', 'vat', 'total',
+  'lineTotal', 'grandTotal', 'unitPrice',
+];
+
+/**
+ * Detect inline billing math that should use shared calculation utilities.
+ * When billing calculations are scattered across files, bugs like missing VAT
+ * or wrong discount logic slip through.
+ *
+ * @param {string} filePath
+ * @param {string} content
+ * @returns {Array}
+ */
+function checkInlineBillingMath(filePath, content) {
+  if (isTestFile(filePath)) return [];
+
+  // Allow math in calculation utility files
+  const fileBase = filePath.toLowerCase();
+  if (fileBase.includes('calculation') || fileBase.includes('calc.') ||
+      fileBase.includes('calc/') || fileBase.includes('-calc')) {
+    return [];
+  }
+
+  const findings = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // Check for billing-variable arithmetic: quantity * rate, subtotal - discount, etc.
+    for (const varName of BILLING_VARS) {
+      const pattern = new RegExp(`\\b${varName}\\b\\s*[*+\\-]\\s*\\b(${BILLING_VARS.join('|')})\\b`);
+      if (pattern.test(line)) {
+        findings.push({
+          severity: 'warn',
+          rule: 'no-inline-billing-math',
+          line: i + 1,
+          message: 'Inline billing calculation — use shared calculation utility',
+          fix: 'Use calculateLineTotal(), calculateSubtotal(), or calculateGrandTotal() from billing-calculations module',
+        });
+        break; // One finding per line
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  checkNewDateInSet,
+  checkInlineBillingMath,
+};

package/server/lib/code-gate/rules/database-rules.test.js

@@ -0,0 +1,119 @@
+/**
+ * Database Rules Tests
+ *
+ * Detects new Date() in ORM .set() blocks and inline billing math.
+ */
+import { describe, it, expect } from 'vitest';
+
+const {
+  checkNewDateInSet,
+  checkInlineBillingMath,
+} = require('./database-rules.js');
+
+describe('Database Rules', () => {
+  describe('checkNewDateInSet', () => {
+    it('detects new Date() in .set({}) block', () => {
+      const code = `
+        db.update(leads).set({
+          status: "active",
+          updatedAt: new Date(),
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('block');
+      expect(findings[0].rule).toBe('no-new-date-in-set');
+      expect(findings[0].fix).toContain('sql');
+    });
+
+    it('detects new Date() in .set() with convertedAt', () => {
+      const code = `
+        db.update(leads).set({
+          convertedAt: new Date(),
+          updatedAt: new Date(),
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings.length).toBeGreaterThanOrEqual(1);
+    });
+
+    it('allows new Date() in logging context', () => {
+      const code = `
+        console.log('Started at', new Date());
+        const timestamp = new Date();
+      `;
+      const findings = checkNewDateInSet('src/utils/logger.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows sql`now()` in .set()', () => {
+      const code = `
+        db.update(leads).set({
+          status: "active",
+          updatedAt: sql\`now()\`,
+        });
+      `;
+      const findings = checkNewDateInSet('src/leads/leads.service.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'db.update(leads).set({ updatedAt: new Date() });';
+      const findings = checkNewDateInSet('src/leads/leads.test.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('detects across multiline .set() call', () => {
+      const code = [
+        'await db',
+        '  .update(invoices)',
+        '  .set({',
+        '    paidAt: new Date(),',
+        '    status: "paid",',
+        '  });',
+      ].join('\n');
+      const findings = checkNewDateInSet('src/invoices/invoices.service.ts', code);
+      expect(findings).toHaveLength(1);
+    });
+  });
+
+  describe('checkInlineBillingMath', () => {
+    it('detects quantity * rate pattern', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/invoices/editor.tsx', code);
+      expect(findings).toHaveLength(1);
+      expect(findings[0].severity).toBe('warn');
+      expect(findings[0].rule).toBe('no-inline-billing-math');
+    });
+
+    it('detects subtotal - discount pattern', () => {
+      const code = 'const total = subtotal - discount + tax;';
+      const findings = checkInlineBillingMath('src/invoices/sheet.tsx', code);
+      expect(findings).toHaveLength(1);
+    });
+
+    it('allows math in calculation utility files', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/lib/billing-calculations.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows math in files with "calc" in name', () => {
+      const code = 'const total = subtotal - discount;';
+      const findings = checkInlineBillingMath('src/utils/price-calc.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('skips test files', () => {
+      const code = 'const lineTotal = quantity * rate;';
+      const findings = checkInlineBillingMath('src/invoices/editor.test.tsx', code);
+      expect(findings).toHaveLength(0);
+    });
+
+    it('allows non-billing arithmetic', () => {
+      const code = 'const area = width * height;';
+      const findings = checkInlineBillingMath('src/utils/geometry.ts', code);
+      expect(findings).toHaveLength(0);
+    });
+  });
+});