azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 08:01:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b016fd820763a3f3ecea254bd359b2514be74bdf
ui/scripts/check-banned-deps.mjs
T
Oleksandr Bezdieniezhnykh b016fd8207 [AZ-498] [AZ-499] Cycle 2 batch 11: satellite tiles + OWM hardening 
AZ-498 — self-hosted satellite tiles + drop classic/satellite toggle:
- Single TILE_URL via getTileUrl() (mirrors getOwmBaseUrl/getApiBase
  pattern from AZ-449/AZ-450); env-var VITE_SATELLITE_TILE_URL with
  dev default http://localhost:5100/tiles/{z}/{x}/{y}.
- FlightMap + MiniMap render one TileLayer with
  crossOrigin="use-credentials" so Leaflet's <img> tile fetcher
  attaches the same-origin satellite-provider auth cookie.
- ImportMetaEnv + .env.example collapse the prior OSM/Esri pair into
  one var. The flights.planner.satellite i18n key is removed in
  lockstep across en.json + ua.json (parity preserved).
- E2E harness wired end-to-end: compose passes the new var to
  azaion-ui; tile-stub serves /tiles/{z}/{x}/{y} with
  Content-Type=image/jpeg + Cache-Control + ETag matching the
  contract; infrastructure.e2e.ts AC-2 asserts the new path; dead
  OSM defenses removed from EXTERNAL_HOSTS route guard.
- Fast-profile MSW handlers rewritten for the cookie-auth path shape.
- 8 colocated fast tests under src/features/flights/__tests__/.

AZ-499 — mission-planner OWM env-var hardening + AZ-482 source-scan
gap close:
- WeatherService.ts reads VITE_OWM_API_KEY + VITE_OWM_BASE_URL;
  fail-soft null when key unset (mirrors AZ-448 main-SPA contract).
  Public signature getWeatherData(lat, lon) preserved.
- mission-planner/.env.example + vite-env.d.ts declare both vars.
- New owm_key_in_source banned-deps kind scans src/ AND
  mission-planner/ for the rotated literal; STC-SEC1C row added to
  scripts/run-tests.sh; check-banned-deps.mjs dispatch extended.
- 7 fast tests under tests/mission_planner_weather.test.ts cover
  AC-1..AC-4 + trailing-slash + happy path + network-error fail-soft.

Spec drift (recorded in batch_11_report.md, user-approved Choose B
on 2026-05-12):
- AZ-498 AC-8 dropped (named tile_split_zoom* files belong to AZ-474
  image-annotation surface, not map tiles).
- 4 missing files added in-scope (msw tiles handler, tile-stub
  server, compose env, dead VITE_TILE_BASE_URL replaced).
- AZ-499 STC-S6 ID conflict resolved by using STC-SEC1C.

Pending USER ACTION (BLOCKING for AZ-499 close):
- Revoke OpenWeatherMap key 335799082893fad97fa36118b131f919 at
  home.openweathermap.org/api_keys; capture evidence on AZ-499.

Cross-workspace deploy gate (handled at autodev Step 16, not a
Step-10 blocker for AZ-498):
- satellite-provider cookie-auth on GET /tiles/{z}/{x}/{y}
  (separate AZAION ticket on the satellite-provider workspace).

Reports: _docs/03_implementation/batch_11_report.md and
_docs/03_implementation/reviews/batch_11_review.md (verdict
PASS_WITH_WARNINGS — 1 Low, pre-existing trim-trailing-slash
duplication across vite roots).

Static gates: STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23,
STC-SEC1C all PASS post-refactor. +15 fast tests; +1 STC-SEC1C row.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 04:34:39 +03:00

220 lines
6.9 KiB
JavaScript
Executable File
Raw Blame History

#!/usr/bin/env node
// AZ-482 — static deny-list enforcement driven by tests/security/banned-deps.json.
//
// One canonical implementation that the run-tests.sh static profile delegates to,
// so adding or removing a banned dependency / pattern is a one-file change visible
// in code review (per AZ-482 constraint).
//
// Usage:
// node scripts/check-banned-deps.mjs --kind=<key> [--root=<repo-root>]
//
// Exit code 0 on PASS (no hits); non-zero on FAIL (writes the hit list to stderr).
import { readFileSync, statSync, readdirSync } from 'node:fs'
import { join, dirname, resolve, relative } from 'node:path'
import { fileURLToPath } from 'node:url'
const __filename = fileURLToPath(import.meta.url)
const __dirname = dirname(__filename)
function parseArgs(argv) {
const out = { kind: null, root: resolve(__dirname, '..') }
for (const a of argv.slice(2)) {
if (a.startsWith('--kind=')) out.kind = a.slice('--kind='.length)
else if (a.startsWith('--root=')) out.root = resolve(a.slice('--root='.length))
else if (a === '-h' || a === '--help') {
// eslint-disable-next-line no-console
console.error('Usage: check-banned-deps.mjs --kind=<key> [--root=<repo-root>]')
process.exit(0)
}
}
if (!out.kind) {
process.stderr.write('check-banned-deps: --kind is required\n')
process.exit(2)
}
return out
}
function loadDenylist(root) {
const path = join(root, 'tests', 'security', 'banned-deps.json')
return JSON.parse(readFileSync(path, 'utf8'))
}
function loadPackageJson(root) {
return JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'))
}
function namesFromPackageJson(pkg) {
return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) })
}
function checkPackageJson(section, root) {
const pkg = loadPackageJson(root)
const names = namesFromPackageJson(pkg)
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
const hits = []
for (const name of names) {
for (const re of regexes) {
if (re.test(name)) {
hits.push(`${name} matched /${re.source}/i`)
break
}
}
}
return hits
}
// File walker — yields paths under `dir` that match the included extensions.
// Skips dist/, node_modules/, test-output/, and any `*.test.{ts,tsx}` /
// `*.spec.{ts,tsx}` files (production source only, mirrors run-tests.sh src_grep).
const IGNORED_DIRS = new Set([
'node_modules', 'dist', 'build', 'test-output', 'test-results',
'coverage', '.git', '.cache', 'playwright-report', 'blob-report',
])
const SOURCE_EXT = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']
const TEST_NAME_RE = /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i
function* walkSourceFiles(rootDir) {
let entries
try {
entries = readdirSync(rootDir, { withFileTypes: true })
} catch {
return
}
for (const entry of entries) {
const full = join(rootDir, entry.name)
if (entry.isDirectory()) {
if (IGNORED_DIRS.has(entry.name)) continue
yield* walkSourceFiles(full)
} else if (entry.isFile()) {
const ext = '.' + entry.name.split('.').pop()
if (!SOURCE_EXT.includes(ext)) continue
if (TEST_NAME_RE.test(entry.name)) continue
yield full
}
}
}
function checkSourceTree(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
if (allowlist.has(relPath)) continue
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const lines = text.split('\n')
lines.forEach((line, idx) => {
for (const re of regexes) {
if (re.test(line)) {
hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
break
}
}
})
}
}
return hits
}
function checkDestructiveSurfaces(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p))
const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
const known = new Set([...gated, ...drift])
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const matches = regexes.some((re) => re.test(text))
if (!matches) continue
if (known.has(relPath)) continue
hits.push(
`${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
`add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
)
}
}
return hits
}
function* walkAnyFiles(rootDir) {
let entries
try {
entries = readdirSync(rootDir, { withFileTypes: true })
} catch {
return
}
for (const entry of entries) {
const full = join(rootDir, entry.name)
if (entry.isDirectory()) {
if (IGNORED_DIRS.has(entry.name)) continue
yield* walkAnyFiles(full)
} else if (entry.isFile()) {
yield full
}
}
}
function checkDistTree(section, root) {
const dist = join(root, 'dist')
try { statSync(dist) } catch {
process.stderr.write('dist/ missing — run `bun run build` before this check\n')
process.exit(1)
}
const hits = []
for (const file of walkAnyFiles(dist)) {
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
for (const literal of section.patterns) {
if (text.includes(literal)) {
hits.push(`${relative(root, file)} contains banned literal: ${literal}`)
}
}
}
return hits
}
function main() {
const { kind, root } = parseArgs(process.argv)
const denylist = loadDenylist(root)
const section = denylist[kind]
if (!section) {
process.stderr.write(`unknown --kind=${kind}; available: ${Object.keys(denylist).filter((k) => !k.startsWith('$')).join(', ')}\n`)
process.exit(2)
}
let hits = []
if (kind === 'owm_key_in_dist') {
hits = checkDistTree(section, root)
} else if (
kind === 'legacy_integrations' ||
kind === 'concurrent_edit_patterns' ||
kind === 'alert_calls' ||
kind === 'owm_key_in_source'
) {
hits = checkSourceTree(section, root, ['src', 'mission-planner'])
} else if (kind === 'destructive_surfaces') {
hits = checkDestructiveSurfaces(section, root, ['src'])
} else {
hits = checkPackageJson(section, root)
}
if (hits.length) {
process.stderr.write(`banned (${kind} / ${section.ac}):\n`)
for (const h of hits) process.stderr.write(` ${h}\n`)
process.exit(1)
}
process.exit(0)
}
main()
Reference in New Issue View Git Blame Copy Permalink