2026-02-22 12:34:39 +01:00
|
|
|
import fs from "node:fs/promises";
|
2026-02-22 10:14:55 +01:00
|
|
|
import path from "node:path";
|
|
|
|
|
import { describe, expect, it } from "vitest";
|
2026-02-22 12:34:39 +01:00
|
|
|
import { listRepoFiles } from "../test-utils/repo-scan.js";
|
2026-02-22 10:14:55 +01:00
|
|
|
|
|
|
|
|
const SCAN_ROOTS = ["src", "extensions"] as const;
|
|
|
|
|
|
2026-02-22 12:34:39 +01:00
|
|
|
function isRuntimeTypeScriptFile(relativePath: string): boolean {
|
|
|
|
|
return !relativePath.endsWith(".test.ts") && !relativePath.endsWith(".d.ts");
|
2026-02-22 10:14:55 +01:00
|
|
|
}
|
|
|
|
|
|
2026-02-22 12:34:39 +01:00
|
|
|
async function findWeakRandomPatternMatches(repoRoot: string): Promise<string[]> {
|
2026-02-22 10:14:55 +01:00
|
|
|
const matches: string[] = [];
|
2026-02-22 12:34:39 +01:00
|
|
|
const files = await listRepoFiles(repoRoot, {
|
|
|
|
|
roots: SCAN_ROOTS,
|
|
|
|
|
extensions: [".ts"],
|
|
|
|
|
shouldIncludeFile: isRuntimeTypeScriptFile,
|
|
|
|
|
});
|
|
|
|
|
for (const filePath of files) {
|
|
|
|
|
const lines = (await fs.readFile(filePath, "utf8")).split(/\r?\n/);
|
|
|
|
|
for (let idx = 0; idx < lines.length; idx += 1) {
|
|
|
|
|
const line = lines[idx] ?? "";
|
|
|
|
|
if (!line.includes("Date.now") || !line.includes("Math.random")) {
|
|
|
|
|
continue;
|
2026-02-22 10:14:55 +01:00
|
|
|
}
|
2026-02-22 12:34:39 +01:00
|
|
|
matches.push(`${path.relative(repoRoot, filePath)}:${idx + 1}`);
|
2026-02-22 10:14:55 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return matches;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
describe("weak random pattern guardrail", () => {
|
2026-02-22 12:34:39 +01:00
|
|
|
it("rejects Date.now + Math.random token/id patterns in runtime code", async () => {
|
2026-02-22 10:14:55 +01:00
|
|
|
const repoRoot = path.resolve(process.cwd());
|
2026-02-22 12:34:39 +01:00
|
|
|
const matches = await findWeakRandomPatternMatches(repoRoot);
|
2026-02-22 10:14:55 +01:00
|
|
|
expect(matches).toEqual([]);
|
|
|
|
|
});
|
|
|
|
|
});
|
