Files
apf_portal/scripts/check-catalogue-drift.mjs
T
julien 2eb01f59b3
CI / check (push) Successful in 3m4s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 2m53s
CI / a11y (push) Successful in 3m50s
CI / perf (push) Successful in 5m23s
Docs site / build (push) Successful in 5m26s
feat(ci): catalogue-drift gate for @RequirePrivilege/@RequireRole literals (ADR-0025) (#211)
## Summary

Phase 3 (and last) of [ADR-0025](docs/decisions/0025-authorization-model-privileges-roles-scopes.md)'s implementation phasing (§"More Information" / §347): a small CI gate that asserts every string literal passed to the authorization decorators belongs to the closed catalogue declared in `libs/shared/auth/src/lib/authorization.types.ts`.

The TypeScript decorator signatures (`(...privileges: [Privilege, ...Privilege[]])`) already enforce this at compile time. The gate is **defence-in-depth** against the escape hatches the type system cannot catch:

- explicit `as Privilege` / `as FunctionalRole` casts (`'Portal.Foo' as Privilege`),
- the rare case where a developer hand-edits the catalogue type union without updating the runtime constant.

Runs in `<1s`, so it rides the existing `check` CI job rather than spinning up its own.

## What lands

| File | Role |
| --- | --- |
| `scripts/check-catalogue-drift.mjs` | The gate. TypeScript compiler API. Parses `authorization.types.ts` to extract the catalogues, walks every `.ts` file under `apps/` and `libs/`, finds each `CallExpression` whose callee identifier matches `RequirePrivilege` / `RequireRole`, validates every string-literal argument. Non-literal args are skipped (the TypeScript signature catches them already). Reports grouped by file with `line:column` per violation, exits 1 on drift. |
| `scripts/check-catalogue-drift.spec.mjs` | 13 tests via `node --test` (built-in runner, no Vitest dep). Covers catalogue parsing, file-level violation detection, workspace-wide aggregation, skipped folders, gen-stub exclusion, line/column reporting. |
| `package.json` | `ci:catalogue-drift` + `ci:catalogue-drift:test` scripts. |
| `.gitea/workflows/ci.yml` | The existing `check` job now runs the gate's unit tests first (fail-fast if the gate itself is broken), then the gate against the live workspace. |

## Notes for the reviewer

- **Why not an ESLint custom rule.** ADR-0025 §347 floats either option. The ESLint route would give editor-time feedback (red squiggles) but means standing up a local ESLint plugin lib — net ~300 lines of plumbing for a gate the TypeScript signature already enforces in real time via the literal-union types. The pnpm-script route mirrors the existing `ci:gzip-budgets` pattern; ~250 lines including tests; runs in the same `check` CI job that already installs deps. Editor feedback is **already provided by `tsc`**, so the gate's job reduces to "catch escape hatches in CI", which the script does fine.

- **Why `node --test` rather than Vitest / Jest.** The script lives in `scripts/`, outside any Nx project. Wiring Vitest for one spec file would mean a vitest.config + tsconfig.spec + Nx project just to host it. Node's built-in test runner ships with the runtime we already pin (Node 24 in `.nvmrc`), no config, ~250ms wall clock for 13 tests.

- **Generated gRPC stubs are skipped.** `apps/portal-bff/src/grpc/gen/apf-ai/common.ts` defines a `roles: string[]` proto field used by the AI-bridge — entirely unrelated to the ADR-0025 functional-role catalogue. The skip list is explicit (`SKIPPED_SUBPATHS`); adding a new codegen output later is one line.

- **Spec files are NOT skipped.** `auth-guards.persona-matrix.spec.ts` references catalogue values via the decorators in its test fixtures. Those are deliberate references and must stay in sync — if a future ADR amendment removes a role, the spec catches it on the same run as the production code. Explicitly tested in `does NOT skip spec files`.

- **Non-literal arguments (variable indirection) are skipped.** A pattern like `const slug = getRole(); @RequireRole(slug)` would not be caught by string-literal inspection. This is intentional: the TypeScript decorator signature already requires `slug` to be typed `FunctionalRole`, so the type system handles it; the gate's value-add is on literal misspellings the type system cannot see past an `as Privilege` cast.

- **Self-test confirmed the gate works.** Injected `RequirePrivilege('Portal.RogueDrift')` and `RequireRole('rogue-role-x')` into an existing spec, ran `pnpm ci:catalogue-drift`, observed:

  ```
  catalogue-drift: violations found

    apps/portal-bff/src/auth/require-privilege.guard.spec.ts
      135:18  @RequirePrivilege('Portal.RogueDrift') — not in PRIVILEGES
      136:13  @RequireRole('rogue-role-x') — not in FUNCTIONAL_ROLES
  ```

  Exit code 1. Reverted the injection; gate green again.

- **Adding a third decorator** (per ADR-0025's anticipated growth) is one line in `DECORATOR_TO_CATALOGUE` plus the matching test fixture. The script does not hardcode the decorator name list beyond that map.

- **Why no scope-kind check.** `@RequireScope` takes an `(req) => ScopableResource` extractor, not literals. The scope `kind` values are constrained by the `ScopeKind` discriminated union, which TypeScript enforces at every `{ kind: ... }` construction site. No literal escape hatch worth gating in v1.

## Test plan

- [x] `pnpm ci:catalogue-drift:test` — 13/13 green via `node --test`.
- [x] `pnpm ci:catalogue-drift` — clean against the live workspace: `catalogue-drift: clean (catalogues: 4 privileges, 24 roles).`
- [x] Self-test by injection — script catches `'Portal.RogueDrift'` and `'rogue-role-x'` with file:line:column, exits 1.
- [x] `pnpm exec prettier --check` on the new files — clean.
- [ ] CI run on this PR exercises the new step in the `check` job.

## What's next

ADR-0025's phasing closes with this PR. Remaining authorization work waits on [ADR-0026](docs/decisions/) (proposed) — the `Person` + `User` schema brings the Prisma-backed `user_scopes` table; that PR replaces `StubScopeResolver` with a `PrismaScopeResolver` and unlocks the first concrete `@RequireScope` consumer surfaces.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #211
2026-05-24 01:07:13 +02:00

274 lines
9.2 KiB
JavaScript

#!/usr/bin/env node
/**
* Catalogue-vs-code drift gate per
* [ADR-0025 §"Confirmation"](../docs/decisions/0025-authorization-model-privileges-roles-scopes.md).
*
* Asserts that every string literal passed to the authorization
* decorators in the codebase belongs to the closed catalogue
* declared in `libs/shared/auth/src/lib/authorization.types.ts`:
*
* - `@RequirePrivilege('Portal.X', …)` → every arg ∈ PRIVILEGES
* - `@RequireRole('rh', …)` → every arg ∈ FUNCTIONAL_ROLES
*
* The TypeScript type system enforces the same constraint at
* compile time — the decorator signatures are typed against the
* `Privilege` / `FunctionalRole` literal unions — so the gate is
* defence-in-depth against escape hatches:
*
* - explicit `as Privilege` casts (`'Portal.Foo' as Privilege`),
* - indirection through a `string`-typed local
* (`const slug = 'rh'; @RequireRole(slug)` — non-literal
* args are skipped here, but the gate at least catches the
* literal misspellings),
* - and the rarer case where a developer hand-edits the
* catalogue type union without updating the runtime constant.
*
* Implementation: the script parses the catalogue file and every
* `.ts` file under `apps/` and `libs/` with the TypeScript compiler
* API. For each `CallExpression` whose callee identifier matches
* one of the decorator names, every string-literal argument is
* checked against the catalogue. Non-literal arguments are
* skipped silently; the gate is best-effort for those, but they
* are caught by the TypeScript signature anyway.
*
* Exit code: 0 if no drift, 1 with a grouped report if drift is
* found. The script does not consume any env vars; running it
* directly (`node scripts/check-catalogue-drift.mjs`) and via
* `pnpm ci:catalogue-drift` are equivalent.
*/
import { readFileSync, readdirSync, statSync } from 'node:fs';
import { dirname, join, relative, resolve } from 'node:path';
import { fileURLToPath } from 'node:url';
import ts from 'typescript';
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
const WORKSPACE_ROOT = resolve(__dirname, '..');
const CATALOGUE_PATH = join(WORKSPACE_ROOT, 'libs/shared/auth/src/lib/authorization.types.ts');
/**
* Decorator name → catalogue array name. Adding a third decorator
* (per ADR-0025's anticipated growth) is one line here plus the
* matching test fixture.
*/
const DECORATOR_TO_CATALOGUE = {
RequirePrivilege: 'PRIVILEGES',
RequireRole: 'FUNCTIONAL_ROLES',
};
/**
* Folders to skip when walking the workspace. Stays small on
* purpose: every other path under `apps/` and `libs/` is fair
* game for catalogue references, including specs (the persona
* matrix in `auth-guards.persona-matrix.spec.ts` is a deliberate
* usage and must stay in sync).
*/
const SKIPPED_DIRS = new Set([
'node_modules',
'dist',
'coverage',
'.nx',
'.angular',
'__screenshots__',
]);
/**
* Files / subpaths to skip outright. The generated gRPC stubs
* under `apps/portal-bff/src/grpc/gen/` carry their own
* `roles[]` field that has nothing to do with the ADR-0025
* functional-role catalogue — skipping the whole dir keeps the
* scanner focused on hand-written code.
*/
const SKIPPED_SUBPATHS = ['apps/portal-bff/src/grpc/gen'];
/**
* Parse `authorization.types.ts` and extract the catalogue
* arrays as `Set<string>` keyed on the constant's name.
* Returns `{ PRIVILEGES: Set, FUNCTIONAL_ROLES: Set }`.
*
* Exported for the spec — keeps the parser logic testable without
* spawning the CLI.
*/
export function extractCatalogues(sourceFilePath = CATALOGUE_PATH) {
const text = readFileSync(sourceFilePath, 'utf8');
const sourceFile = ts.createSourceFile(sourceFilePath, text, ts.ScriptTarget.Latest, true);
const out = {};
for (const stmt of sourceFile.statements) {
if (!ts.isVariableStatement(stmt)) continue;
for (const decl of stmt.declarationList.declarations) {
if (!ts.isIdentifier(decl.name) || !decl.initializer) continue;
const name = decl.name.text;
if (!Object.values(DECORATOR_TO_CATALOGUE).includes(name)) continue;
// Catalogues are declared as `[...] as const`; strip the
// type assertion to reach the array literal.
let init = decl.initializer;
if (ts.isAsExpression(init)) init = init.expression;
if (!ts.isArrayLiteralExpression(init)) continue;
const values = new Set();
for (const el of init.elements) {
if (ts.isStringLiteral(el) || ts.isNoSubstitutionTemplateLiteral(el)) {
values.add(el.text);
}
}
out[name] = values;
}
}
for (const expected of Object.values(DECORATOR_TO_CATALOGUE)) {
if (!out[expected]) {
throw new Error(
`Failed to extract catalogue "${expected}" from ${sourceFilePath}` +
`the script expected a top-level "export const ${expected} = [...] as const" declaration.`,
);
}
}
return out;
}
/**
* Walk `dir` recursively and yield every `.ts` file path
* (excluding declaration files and the dirs listed in
* SKIPPED_DIRS / SKIPPED_SUBPATHS).
*/
function* walkTsFiles(dir, rootForRelative) {
let entries;
try {
entries = readdirSync(dir);
} catch {
return;
}
for (const entry of entries) {
if (SKIPPED_DIRS.has(entry) || entry.startsWith('.')) continue;
const full = join(dir, entry);
const rel = relative(rootForRelative, full).replaceAll('\\', '/');
if (SKIPPED_SUBPATHS.some((skip) => rel === skip || rel.startsWith(skip + '/'))) {
continue;
}
let st;
try {
st = statSync(full);
} catch {
continue;
}
if (st.isDirectory()) {
yield* walkTsFiles(full, rootForRelative);
} else if (entry.endsWith('.ts') && !entry.endsWith('.d.ts')) {
yield full;
}
}
}
/**
* Find every catalogue-violation in a single source file.
* Returns an array of `{ file, line, column, callee, value,
* catalogue }` records. Exported for the spec.
*/
export function findViolationsInFile(filePath, catalogues, sourceText) {
const text = sourceText ?? readFileSync(filePath, 'utf8');
const sourceFile = ts.createSourceFile(filePath, text, ts.ScriptTarget.Latest, true);
const violations = [];
function visit(node) {
if (ts.isCallExpression(node) && ts.isIdentifier(node.expression)) {
const callee = node.expression.text;
const catalogueName = DECORATOR_TO_CATALOGUE[callee];
if (catalogueName) {
const valid = catalogues[catalogueName];
for (const arg of node.arguments) {
if (ts.isStringLiteral(arg) || ts.isNoSubstitutionTemplateLiteral(arg)) {
if (!valid.has(arg.text)) {
const { line, character } = sourceFile.getLineAndCharacterOfPosition(arg.getStart());
violations.push({
file: filePath,
line: line + 1,
column: character + 1,
callee,
value: arg.text,
catalogue: catalogueName,
});
}
}
}
}
}
ts.forEachChild(node, visit);
}
visit(sourceFile);
return violations;
}
/**
* Top-level scan: walk `apps/` and `libs/`, accumulate
* violations, return them all. Pure (no I/O outside the file
* reads it does itself). Exported for the spec.
*/
export function scanWorkspace(workspaceRoot = WORKSPACE_ROOT) {
const catalogues = extractCatalogues(
join(workspaceRoot, 'libs/shared/auth/src/lib/authorization.types.ts'),
);
const out = [];
for (const dirName of ['apps', 'libs']) {
const dir = join(workspaceRoot, dirName);
for (const file of walkTsFiles(dir, workspaceRoot)) {
out.push(...findViolationsInFile(file, catalogues));
}
}
return { violations: out, catalogues };
}
function main() {
const { violations, catalogues } = scanWorkspace();
if (violations.length === 0) {
const privCount = catalogues.PRIVILEGES.size;
const roleCount = catalogues.FUNCTIONAL_ROLES.size;
console.log(
`catalogue-drift: clean (catalogues: ${privCount} privileges, ${roleCount} roles).`,
);
process.exit(0);
}
console.error('catalogue-drift: violations found');
console.error('');
// Group by file for a readable report. Within a file, sort by
// line so the output mirrors the editor's view.
const byFile = new Map();
for (const v of violations) {
if (!byFile.has(v.file)) byFile.set(v.file, []);
byFile.get(v.file).push(v);
}
for (const [file, list] of byFile) {
list.sort((a, b) => a.line - b.line || a.column - b.column);
const rel = relative(WORKSPACE_ROOT, file).replaceAll('\\', '/');
console.error(` ${rel}`);
for (const v of list) {
console.error(
` ${v.line}:${v.column} @${v.callee}('${v.value}') — not in ${v.catalogue}`,
);
}
}
console.error('');
console.error(
`Catalogues are closed in v1 per ADR-0025. To add a value, amend ` +
`the ADR and the corresponding constant in ` +
`libs/shared/auth/src/lib/authorization.types.ts.`,
);
process.exit(1);
}
// Only run main() when invoked as a CLI (not when imported by the
// spec).
const isMain =
import.meta.url === `file://${process.argv[1]}` ||
import.meta.url === `file://${resolve(process.argv[1])}`;
if (isMain) {
main();
}