2026-05-10 23:12:26 +02:00
|
|
|
import { describe, expect, it } from 'vitest';
|
chore(workspace): gate dead-code with knip production mode (#196)
* refactor(workspace): relocate @ktx/llm source into packages/cli/src/llm
* refactor(workspace): rewrite @ktx/llm imports to relative paths
* refactor(workspace): fold internal packages into cli
* chore(workspace): gate dead-code with knip production mode
Turn on production-mode knip plus an autofix run in pre-commit and the
`pnpm dead-code` script, document the `/** @internal */` convention for
test-only exports in AGENTS.md, annotate test-only exports across the
CLI with that JSDoc, and drop dead exports/wrappers the new gate
surfaced (e.g. `cli-project.ts`, `lookerRuntimeSourceToFileAdapterSource`,
`createLocalScanEnrichmentProvidersFromConfig`,
`PGLITE_OWNER_PROCESS_BACKEND_CAPABILITIES`, stale type re-exports).
Replace the loose `ignoreIssues` allowlist in `knip.json` with explicit
production entries so cross-package barrel leaks are caught.
* refactor(cli): delete internal barrel index.ts files
The 34 `index.ts` re-export barrels inside `packages/cli/src/` were
holdovers from the pre-fold multi-workspace structure. Post-fold-in they
served no production purpose: external consumers go through the single
package main entry, and in-repo callers mostly imported through them
only because the path was short. Internally, knip flagged most barrel
re-exports as production-dead (only reached via tests).
This change:
- Deletes every internal barrel except `packages/cli/src/index.ts`
(the published package entry).
- Rewrites ~270 source/test files to import each name directly from
the file that defines it.
- Moves `tools/warehouse-verification/index.ts` to
`create-warehouse-verification-tools.ts` (the function it defined
locally) and updates its single consumer.
- Renames `search/backend-conformance.ts` → `.test-utils.ts` to match
the existing test-helper file convention.
- Deletes 13 dead test-only chains (dbt-descriptions/*,
live-database/extracted-schema, live-database/structural-sync,
relationship-* feedback/review chain) plus their tests and a
cascading orphan integration test.
- Updates test mocks that pointed at deleted barrel paths
(notion-client, connector barrels in scan/local-scan-connectors
tests) to mock the source files instead.
- Points the maintainer benchmark script
(`scripts/relationship-benchmark-report.mjs`) at source files
instead of `dist/context/scan/index.js`.
- Drops the barrel `!` entries from `knip.json`; adds explicit
production entries only for the benchmark code reached via dist by
the maintainer script.
Net: 413 files changed, ~1.2k insertions, ~9.4k deletions.
`pnpm run dead-code` (Biome + knip default + knip production) and
`pnpm run type-check` are clean; 2277 tests pass.
* refactor(workspace): rename @ktx/cli to @kaelio/ktx and pack it directly
Promote the CLI workspace package to the public name `@kaelio/ktx` and
drop the separate `scripts/build-public-npm-package.mjs` wrapper. The
CLI package is now publishable in place (`publishConfig.access: public`,
`provenance: true`), so artifact packing uses `pnpm pack` against
`packages/cli/` instead of assembling a parallel package tree.
Updates all workspace filter invocations, docs, tests, and release
readiness checks to reference the new package name, and folds the
tarball-name helper into `scripts/public-npm-release-metadata.mjs`.
* docs: align "agent clients" and "data agents" terminology
Replace "client agents" with "agent clients" and "database agents" with
"data agents" across AGENTS.md, README.md, the docs-site copy, and the
matching setup-agents test description, matching the canonical
vocabulary in docs/terminology.md.
Also moves packages/cli/tsconfig.json's tsBuildInfoFile from
node_modules/.cache/ to dist/.tsbuildinfo so incremental builds survive
node_modules reinstalls.
* refactor(release): single source of truth for package version
Make packages/cli/package.json the single source of truth for the
@kaelio/ktx version. publicNpmPackageVersion() now reads it directly,
so artifact filenames, release-readiness checks, and the Python wheel
version all derive from one field. The duplicate
release-policy.json.publicNpmPackageVersion is removed.
Previously the two fields could drift: tarballs were named
kaelio-ktx-0.4.1.tgz while internally containing
@kaelio/ktx@0.0.0-private.
- update-public-release-version.mjs rewrites both Python pyproject.toml
files (ktx-daemon, ktx-sl) alongside the npm package.jsons,
normalizing the version for PEP 440 (e.g. 0.1.0-rc.2 -> 0.1.0rc2).
- semantic-release-config.cjs adds the two pyproject.toml files to
@semantic-release/git assets so the release commit back to main
carries every version source in lockstep.
- The six "?? '0.0.0-private'" fallback literals across the CLI are
replaced with "?? getKtxCliPackageInfo().version", and
createDefaultKtxMcpServer makes its version arg required.
- docs/release.md describes the actual commit-back model: the dev tree
always reflects the most recent release; no sentinel pin to
maintain.
Verified: pnpm run artifacts:build now produces
kaelio-ktx-0.4.1.tgz and kaelio_ktx-0.4.1-py3-none-any.whl with
@kaelio/ktx@0.4.1 inside. Full type-check, dead-code, and
2287 vitests + 173 script tests pass.
* refactor(cli): inject embedding provider resolution and detect sentence-transformers runtime
Make resolveProjectEmbeddingProvider and runtimeIo injectable in ingest and
scan command entrypoints so tests can stub them, and teach
resolvePublicIngestRuntimeRequirements to flag the local-embeddings runtime
feature when ktx.yaml selects sentence-transformers.
* chore(cli): mark buildLocalStatsStatus and LocalStatsStatus as @internal
Both symbols are consumed only by status-project.test.ts. Annotating with
/** @internal */ keeps knip's production-mode check clean without changing
runtime behavior.
* fix(cli): use real package metadata in print-command-tree
The stubbed package name embedded a forbidden product identifier that
tripped the boundary check in CI. Read the metadata from package.json
instead — keeps the rendered tree unchanged and removes a duplicate
source of truth.
* feat(cli): show embedding coverage in `ktx status`, drop duplicate disk counts
Inline `(N embedded)` next to the Wiki scope counts and Semantic-layer
source counts, computed with `SUM(embedding_json IS NOT NULL)` over
`knowledge_pages` and `local_sl_sources`. Rename the "Knowledge" label to
"Wiki" (canonical per `docs/terminology.md`) and rename the matching
`localStats.knowledgePages` field to `localStats.wikiPages`.
Drop `wiki=N md` and `semantic-layer=N yaml` from the Disk row — those
duplicated the per-surface rows above. Disk now reports only actual byte
usage (db, cache, raw-sources). The unused `wikiGlobalMarkdownCount` /
`semanticLayerYamlCount` fields, the `isMarkdownEntry` / `isYamlEntry`
helpers, and the `filter` arg on `summarizeDir` are removed.
2026-05-21 15:28:58 +02:00
|
|
|
import { REDACTED_KTX_CREDENTIAL_VALUE } from '../core/redaction.js';
|
2026-05-10 23:12:26 +02:00
|
|
|
import {
|
2026-05-10 23:51:24 +02:00
|
|
|
redactKtxCredentialEnvelope,
|
|
|
|
|
redactKtxCredentialValue,
|
|
|
|
|
redactKtxScanMetadata,
|
|
|
|
|
redactKtxScanReport,
|
|
|
|
|
redactKtxScanWarning,
|
2026-05-10 23:12:26 +02:00
|
|
|
} from './credentials.js';
|
2026-05-10 23:51:24 +02:00
|
|
|
import type { KtxCredentialEnvelope, KtxScanReport, KtxScanWarning } from './types.js';
|
2026-05-10 23:12:26 +02:00
|
|
|
|
2026-05-10 23:51:24 +02:00
|
|
|
describe('KTX scan credential redaction', () => {
|
2026-05-10 23:12:26 +02:00
|
|
|
it('keeps credential references inspectable', () => {
|
2026-05-10 23:51:24 +02:00
|
|
|
const envReference: KtxCredentialEnvelope = { kind: 'env', name: 'DATABASE_URL' };
|
|
|
|
|
const fileReference: KtxCredentialEnvelope = { kind: 'file', path: '~/.config/ktx/warehouse' };
|
2026-05-10 23:12:26 +02:00
|
|
|
|
2026-05-10 23:51:24 +02:00
|
|
|
expect(redactKtxCredentialEnvelope(envReference)).toEqual(envReference);
|
|
|
|
|
expect(redactKtxCredentialEnvelope(fileReference)).toEqual(fileReference);
|
2026-05-10 23:12:26 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('redacts resolved credential envelope values recursively', () => {
|
|
|
|
|
expect(
|
2026-05-10 23:51:24 +02:00
|
|
|
redactKtxCredentialEnvelope({
|
2026-05-10 23:12:26 +02:00
|
|
|
kind: 'resolved',
|
|
|
|
|
source: 'host',
|
|
|
|
|
values: {
|
|
|
|
|
username: 'readonly',
|
|
|
|
|
password: 'secret-password', // pragma: allowlist secret
|
|
|
|
|
nested: {
|
|
|
|
|
api_key: 'phx_123', // pragma: allowlist secret
|
|
|
|
|
warehouse: 'compute_wh',
|
|
|
|
|
},
|
|
|
|
|
headers: [{ authorizationToken: 'token-value' }, { label: 'safe' }],
|
|
|
|
|
},
|
|
|
|
|
}),
|
|
|
|
|
).toEqual({
|
|
|
|
|
kind: 'resolved',
|
|
|
|
|
source: 'host',
|
|
|
|
|
redacted: true,
|
|
|
|
|
values: {
|
|
|
|
|
username: 'readonly',
|
2026-05-10 23:51:24 +02:00
|
|
|
password: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
nested: {
|
2026-05-10 23:51:24 +02:00
|
|
|
api_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
warehouse: 'compute_wh',
|
|
|
|
|
},
|
2026-05-10 23:51:24 +02:00
|
|
|
headers: [{ authorizationToken: REDACTED_KTX_CREDENTIAL_VALUE }, { label: 'safe' }],
|
2026-05-10 23:12:26 +02:00
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('redacts scan metadata fields that commonly contain secrets', () => {
|
|
|
|
|
expect(
|
2026-05-10 23:51:24 +02:00
|
|
|
redactKtxScanMetadata({
|
2026-05-10 23:12:26 +02:00
|
|
|
driver: 'postgres',
|
|
|
|
|
url: 'postgres://user:pass@example.test/db', // pragma: allowlist secret
|
|
|
|
|
serviceAccountJson: {
|
|
|
|
|
client_email: 'reader@example.test',
|
|
|
|
|
private_key: 'pem-value', // pragma: allowlist secret
|
|
|
|
|
},
|
|
|
|
|
safeCount: 3,
|
|
|
|
|
}),
|
|
|
|
|
).toEqual({
|
|
|
|
|
driver: 'postgres',
|
2026-05-10 23:51:24 +02:00
|
|
|
url: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
serviceAccountJson: {
|
|
|
|
|
client_email: 'reader@example.test',
|
2026-05-10 23:51:24 +02:00
|
|
|
private_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
},
|
|
|
|
|
safeCount: 3,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('redacts scan warning messages and metadata without hiding safe context', () => {
|
2026-05-10 23:51:24 +02:00
|
|
|
const warning: KtxScanWarning = {
|
2026-05-10 23:12:26 +02:00
|
|
|
code: 'sampling_failed',
|
|
|
|
|
message: 'sample failed for postgres://reader:secret@example.test/db', // pragma: allowlist secret
|
|
|
|
|
recoverable: true,
|
|
|
|
|
metadata: {
|
|
|
|
|
table: 'orders',
|
|
|
|
|
url: 'postgres://reader:secret@example.test/db', // pragma: allowlist secret
|
|
|
|
|
nested: {
|
|
|
|
|
api_key: 'sk_test_123', // pragma: allowlist secret
|
|
|
|
|
schema: 'public',
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
2026-05-10 23:51:24 +02:00
|
|
|
expect(redactKtxScanWarning(warning)).toEqual({
|
2026-05-10 23:12:26 +02:00
|
|
|
code: 'sampling_failed',
|
|
|
|
|
message: 'sample failed for postgres://reader:<redacted>@example.test/db',
|
|
|
|
|
recoverable: true,
|
|
|
|
|
metadata: {
|
|
|
|
|
table: 'orders',
|
2026-05-10 23:51:24 +02:00
|
|
|
url: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
nested: {
|
2026-05-10 23:51:24 +02:00
|
|
|
api_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
schema: 'public',
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('redacts scan report warning metadata recursively', () => {
|
2026-05-10 23:51:24 +02:00
|
|
|
const report: KtxScanReport = {
|
2026-05-10 23:12:26 +02:00
|
|
|
connectionId: 'warehouse',
|
|
|
|
|
driver: 'postgres',
|
|
|
|
|
syncId: 'sync-1',
|
|
|
|
|
runId: 'run-1',
|
|
|
|
|
trigger: 'cli',
|
|
|
|
|
mode: 'structural',
|
|
|
|
|
dryRun: false,
|
|
|
|
|
artifactPaths: {
|
|
|
|
|
rawSourcesDir: 'raw-sources/warehouse/live-database/sync-1',
|
|
|
|
|
reportPath: 'raw-sources/warehouse/live-database/sync-1/scan-report.json',
|
|
|
|
|
manifestShards: [],
|
|
|
|
|
enrichmentArtifacts: [],
|
|
|
|
|
},
|
|
|
|
|
diffSummary: {
|
|
|
|
|
tablesAdded: 0,
|
|
|
|
|
tablesModified: 0,
|
|
|
|
|
tablesDeleted: 0,
|
|
|
|
|
tablesUnchanged: 0,
|
|
|
|
|
columnsAdded: 0,
|
|
|
|
|
columnsModified: 0,
|
|
|
|
|
columnsDeleted: 0,
|
|
|
|
|
},
|
|
|
|
|
manifestShardsWritten: 0,
|
|
|
|
|
structuralSyncStats: {
|
|
|
|
|
tablesCreated: 0,
|
|
|
|
|
tablesUpdated: 0,
|
|
|
|
|
tablesDeleted: 0,
|
|
|
|
|
columnsCreated: 0,
|
|
|
|
|
columnsUpdated: 0,
|
|
|
|
|
columnsDeleted: 0,
|
|
|
|
|
},
|
|
|
|
|
enrichment: {
|
|
|
|
|
dataDictionary: 'skipped',
|
|
|
|
|
tableDescriptions: 'skipped',
|
|
|
|
|
columnDescriptions: 'skipped',
|
|
|
|
|
embeddings: 'skipped',
|
|
|
|
|
deterministicRelationships: 'skipped',
|
|
|
|
|
llmRelationshipValidation: 'skipped',
|
|
|
|
|
statisticalValidation: 'skipped',
|
|
|
|
|
},
|
|
|
|
|
capabilityGaps: [],
|
|
|
|
|
warnings: [
|
|
|
|
|
{
|
|
|
|
|
code: 'credential_redacted',
|
|
|
|
|
message: 'metadata redacted',
|
|
|
|
|
recoverable: true,
|
|
|
|
|
metadata: {
|
|
|
|
|
credentials_json: '{"private_key":"pem-value"}', // pragma: allowlist secret
|
|
|
|
|
safeCount: 2,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
relationships: { accepted: 0, review: 0, rejected: 0, skipped: 0 },
|
|
|
|
|
enrichmentState: {
|
|
|
|
|
resumedStages: [],
|
|
|
|
|
completedStages: [],
|
|
|
|
|
failedStages: [],
|
|
|
|
|
},
|
|
|
|
|
createdAt: '2026-04-29T00:00:00.000Z',
|
|
|
|
|
};
|
|
|
|
|
|
2026-05-10 23:51:24 +02:00
|
|
|
const redacted = redactKtxScanReport(report);
|
2026-05-10 23:12:26 +02:00
|
|
|
|
|
|
|
|
expect(redacted.warnings[0]?.metadata).toEqual({
|
2026-05-10 23:51:24 +02:00
|
|
|
credentials_json: REDACTED_KTX_CREDENTIAL_VALUE,
|
2026-05-10 23:12:26 +02:00
|
|
|
safeCount: 2,
|
|
|
|
|
});
|
|
|
|
|
expect(report.warnings[0]?.metadata).toEqual({
|
|
|
|
|
credentials_json: '{"private_key":"pem-value"}', // pragma: allowlist secret
|
|
|
|
|
safeCount: 2,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('redacts standalone primitive credential values only when the field key is sensitive', () => {
|
2026-05-10 23:51:24 +02:00
|
|
|
expect(redactKtxCredentialValue('password', 'abc')).toBe(REDACTED_KTX_CREDENTIAL_VALUE);
|
|
|
|
|
expect(redactKtxCredentialValue('schema', 'public')).toBe('public');
|
2026-05-10 23:12:26 +02:00
|
|
|
});
|
|
|
|
|
});
|