mirror of
https://github.com/azaion/ui.git
synced 2026-06-21 10:51:11 +00:00
Oleksandr Bezdieniezhnykh
1dd25edee3
AZ-466 — Destructive UX policy + ConfirmDialog a11y + no-alert (4pts):
src/components/ConfirmDialog.test.tsx (8 fast),
tests/destructive_ux.test.tsx (4 fast, AdminPage class-delete drift),
e2e/tests/destructive_ux.e2e.ts. New static checks STC-SEC7 (alert
allowlist) + STC-SEC8 (destructive-surfaces gated/drift) wired through
scripts/check-banned-deps.mjs reading tests/security/banned-deps.json.
AZ-475 — Numeric form input rejection (2pts):
tests/form_hygiene.test.tsx (3 fast). Documents two SettingsPage drifts:
silent zero coercion via parseInt(v)||0 and labels missing htmlFor.
AZ-462 — Overlay membership at in-window edges (2pts):
tests/overlay_membership.test.tsx (6 fast). Documents getTimeWindowDetections
strict < drift; AC-1 boundary tests are it.fails(); AC-2 / control PASS.
Mocks HTMLCanvasElement.getContext to capture strokeRect.
AZ-460 — Annotation save URL + payload contract (2pts):
tests/annotations_endpoint.test.tsx (6 fast),
e2e/tests/annotations_endpoint.e2e.ts. AC-1 URL canary PASSes; AC-2
payload missing 4 fields documented as it.fails(); AC-3 manual-draw
PASS, AI-suggestion-accept + bulk-edit-save QUARANTINE skip.
Test infrastructure:
- tests/setup.ts: NoopResizeObserver + NoopEventSource JSDOM polyfills.
- tests/msw/handlers/annotations.ts: doubly-prefixed paths matching
production calls (e.g. /api/annotations/annotations).
- tests/msw/handlers/flights.ts: plural /aircrafts paths.
Verification: bun run test:fast → 80 passed, 13 skipped (14 files).
scripts/run-tests.sh --static-only → 24/24 PASS (was 22; +STC-SEC7/SEC8).
Per-batch self-review verdict: PASS_WITH_WARNINGS. Cumulative review
of batches 04-06 due after batch 6 per implement/SKILL.md Step 14.5.
Report: _docs/03_implementation/batch_04_report.md.
Also includes the previously-untracked
_docs/03_implementation/cumulative_review_batches_01-03_report.md
generated at the start of this session before batch 4 began.
Co-authored-by: Cursor <cursoragent@cursor.com>
219 lines
6.9 KiB
JavaScript
Executable File
219 lines
6.9 KiB
JavaScript
Executable File
#!/usr/bin/env node
|
|
// AZ-482 — static deny-list enforcement driven by tests/security/banned-deps.json.
|
|
//
|
|
// One canonical implementation that the run-tests.sh static profile delegates to,
|
|
// so adding or removing a banned dependency / pattern is a one-file change visible
|
|
// in code review (per AZ-482 constraint).
|
|
//
|
|
// Usage:
|
|
// node scripts/check-banned-deps.mjs --kind=<key> [--root=<repo-root>]
|
|
//
|
|
// Exit code 0 on PASS (no hits); non-zero on FAIL (writes the hit list to stderr).
|
|
|
|
import { readFileSync, statSync, readdirSync } from 'node:fs'
|
|
import { join, dirname, resolve, relative } from 'node:path'
|
|
import { fileURLToPath } from 'node:url'
|
|
|
|
const __filename = fileURLToPath(import.meta.url)
|
|
const __dirname = dirname(__filename)
|
|
|
|
function parseArgs(argv) {
|
|
const out = { kind: null, root: resolve(__dirname, '..') }
|
|
for (const a of argv.slice(2)) {
|
|
if (a.startsWith('--kind=')) out.kind = a.slice('--kind='.length)
|
|
else if (a.startsWith('--root=')) out.root = resolve(a.slice('--root='.length))
|
|
else if (a === '-h' || a === '--help') {
|
|
// eslint-disable-next-line no-console
|
|
console.error('Usage: check-banned-deps.mjs --kind=<key> [--root=<repo-root>]')
|
|
process.exit(0)
|
|
}
|
|
}
|
|
if (!out.kind) {
|
|
process.stderr.write('check-banned-deps: --kind is required\n')
|
|
process.exit(2)
|
|
}
|
|
return out
|
|
}
|
|
|
|
function loadDenylist(root) {
|
|
const path = join(root, 'tests', 'security', 'banned-deps.json')
|
|
return JSON.parse(readFileSync(path, 'utf8'))
|
|
}
|
|
|
|
function loadPackageJson(root) {
|
|
return JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'))
|
|
}
|
|
|
|
function namesFromPackageJson(pkg) {
|
|
return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) })
|
|
}
|
|
|
|
function checkPackageJson(section, root) {
|
|
const pkg = loadPackageJson(root)
|
|
const names = namesFromPackageJson(pkg)
|
|
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
|
|
const hits = []
|
|
for (const name of names) {
|
|
for (const re of regexes) {
|
|
if (re.test(name)) {
|
|
hits.push(`${name} matched /${re.source}/i`)
|
|
break
|
|
}
|
|
}
|
|
}
|
|
return hits
|
|
}
|
|
|
|
// File walker — yields paths under `dir` that match the included extensions.
|
|
// Skips dist/, node_modules/, test-output/, and any `*.test.{ts,tsx}` /
|
|
// `*.spec.{ts,tsx}` files (production source only, mirrors run-tests.sh src_grep).
|
|
const IGNORED_DIRS = new Set([
|
|
'node_modules', 'dist', 'build', 'test-output', 'test-results',
|
|
'coverage', '.git', '.cache', 'playwright-report', 'blob-report',
|
|
])
|
|
const SOURCE_EXT = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']
|
|
const TEST_NAME_RE = /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i
|
|
|
|
function* walkSourceFiles(rootDir) {
|
|
let entries
|
|
try {
|
|
entries = readdirSync(rootDir, { withFileTypes: true })
|
|
} catch {
|
|
return
|
|
}
|
|
for (const entry of entries) {
|
|
const full = join(rootDir, entry.name)
|
|
if (entry.isDirectory()) {
|
|
if (IGNORED_DIRS.has(entry.name)) continue
|
|
yield* walkSourceFiles(full)
|
|
} else if (entry.isFile()) {
|
|
const ext = '.' + entry.name.split('.').pop()
|
|
if (!SOURCE_EXT.includes(ext)) continue
|
|
if (TEST_NAME_RE.test(entry.name)) continue
|
|
yield full
|
|
}
|
|
}
|
|
}
|
|
|
|
function checkSourceTree(section, root, subdirs) {
|
|
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
|
|
const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
|
|
const hits = []
|
|
for (const sub of subdirs) {
|
|
const full = join(root, sub)
|
|
try { statSync(full) } catch { continue }
|
|
for (const file of walkSourceFiles(full)) {
|
|
const relPath = relative(root, file).replaceAll('\\', '/')
|
|
if (allowlist.has(relPath)) continue
|
|
let text
|
|
try { text = readFileSync(file, 'utf8') } catch { continue }
|
|
const lines = text.split('\n')
|
|
lines.forEach((line, idx) => {
|
|
for (const re of regexes) {
|
|
if (re.test(line)) {
|
|
hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
|
|
break
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
return hits
|
|
}
|
|
|
|
function checkDestructiveSurfaces(section, root, subdirs) {
|
|
const regexes = section.patterns.map((p) => new RegExp(p))
|
|
const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
|
|
const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
|
|
const known = new Set([...gated, ...drift])
|
|
const hits = []
|
|
for (const sub of subdirs) {
|
|
const full = join(root, sub)
|
|
try { statSync(full) } catch { continue }
|
|
for (const file of walkSourceFiles(full)) {
|
|
const relPath = relative(root, file).replaceAll('\\', '/')
|
|
let text
|
|
try { text = readFileSync(file, 'utf8') } catch { continue }
|
|
const matches = regexes.some((re) => re.test(text))
|
|
if (!matches) continue
|
|
if (known.has(relPath)) continue
|
|
hits.push(
|
|
`${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
|
|
`add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
|
|
)
|
|
}
|
|
}
|
|
return hits
|
|
}
|
|
|
|
function* walkAnyFiles(rootDir) {
|
|
let entries
|
|
try {
|
|
entries = readdirSync(rootDir, { withFileTypes: true })
|
|
} catch {
|
|
return
|
|
}
|
|
for (const entry of entries) {
|
|
const full = join(rootDir, entry.name)
|
|
if (entry.isDirectory()) {
|
|
if (IGNORED_DIRS.has(entry.name)) continue
|
|
yield* walkAnyFiles(full)
|
|
} else if (entry.isFile()) {
|
|
yield full
|
|
}
|
|
}
|
|
}
|
|
|
|
function checkDistTree(section, root) {
|
|
const dist = join(root, 'dist')
|
|
try { statSync(dist) } catch {
|
|
process.stderr.write('dist/ missing — run `bun run build` before this check\n')
|
|
process.exit(1)
|
|
}
|
|
const hits = []
|
|
for (const file of walkAnyFiles(dist)) {
|
|
let text
|
|
try { text = readFileSync(file, 'utf8') } catch { continue }
|
|
for (const literal of section.patterns) {
|
|
if (text.includes(literal)) {
|
|
hits.push(`${relative(root, file)} contains banned literal: ${literal}`)
|
|
}
|
|
}
|
|
}
|
|
return hits
|
|
}
|
|
|
|
function main() {
|
|
const { kind, root } = parseArgs(process.argv)
|
|
const denylist = loadDenylist(root)
|
|
const section = denylist[kind]
|
|
if (!section) {
|
|
process.stderr.write(`unknown --kind=${kind}; available: ${Object.keys(denylist).filter((k) => !k.startsWith('$')).join(', ')}\n`)
|
|
process.exit(2)
|
|
}
|
|
|
|
let hits = []
|
|
if (kind === 'owm_key_in_dist') {
|
|
hits = checkDistTree(section, root)
|
|
} else if (
|
|
kind === 'legacy_integrations' ||
|
|
kind === 'concurrent_edit_patterns' ||
|
|
kind === 'alert_calls'
|
|
) {
|
|
hits = checkSourceTree(section, root, ['src', 'mission-planner'])
|
|
} else if (kind === 'destructive_surfaces') {
|
|
hits = checkDestructiveSurfaces(section, root, ['src'])
|
|
} else {
|
|
hits = checkPackageJson(section, root)
|
|
}
|
|
|
|
if (hits.length) {
|
|
process.stderr.write(`banned (${kind} / ${section.ac}):\n`)
|
|
for (const h of hits) process.stderr.write(` ${h}\n`)
|
|
process.exit(1)
|
|
}
|
|
process.exit(0)
|
|
}
|
|
|
|
main()
|