mirror of
https://github.com/Kaelio/ktx.git
synced 2026-07-01 08:59:39 +02:00
chore(workspace): gate dead-code with knip production mode (#196)
* refactor(workspace): relocate @ktx/llm source into packages/cli/src/llm

* refactor(workspace): rewrite @ktx/llm imports to relative paths

* refactor(workspace): fold internal packages into cli

* chore(workspace): gate dead-code with knip production mode

  Turn on production-mode knip plus an autofix run in pre-commit and the `pnpm dead-code` script, document the `/** @internal */` convention for test-only exports in AGENTS.md, annotate test-only exports across the CLI with that JSDoc, and drop dead exports/wrappers the new gate surfaced (e.g. `cli-project.ts`, `lookerRuntimeSourceToFileAdapterSource`, `createLocalScanEnrichmentProvidersFromConfig`, `PGLITE_OWNER_PROCESS_BACKEND_CAPABILITIES`, stale type re-exports). Replace the loose `ignoreIssues` allowlist in `knip.json` with explicit production entries so cross-package barrel leaks are caught.

* refactor(cli): delete internal barrel index.ts files

  The 34 `index.ts` re-export barrels inside `packages/cli/src/` were holdovers from the pre-fold multi-workspace structure. Post-fold-in they served no production purpose: external consumers go through the single package main entry, and in-repo callers mostly imported through them only because the path was short. Internally, knip flagged most barrel re-exports as production-dead (only reached via tests).

  This change:
  - Deletes every internal barrel except `packages/cli/src/index.ts` (the published package entry).
  - Rewrites ~270 source/test files to import each name directly from the file that defines it.
  - Moves `tools/warehouse-verification/index.ts` to `create-warehouse-verification-tools.ts` (the function it defined locally) and updates its single consumer.
  - Renames `search/backend-conformance.ts` → `.test-utils.ts` to match the existing test-helper file convention.
  - Deletes 13 dead test-only chains (dbt-descriptions/*, live-database/extracted-schema, live-database/structural-sync, relationship-* feedback/review chain) plus their tests and a cascading orphan integration test.
  - Updates test mocks that pointed at deleted barrel paths (notion-client, connector barrels in scan/local-scan-connectors tests) to mock the source files instead.
  - Points the maintainer benchmark script (`scripts/relationship-benchmark-report.mjs`) at source files instead of `dist/context/scan/index.js`.
  - Drops the barrel `!` entries from `knip.json`; adds explicit production entries only for the benchmark code reached via dist by the maintainer script.

  Net: 413 files changed, ~1.2k insertions, ~9.4k deletions. `pnpm run dead-code` (Biome + knip default + knip production) and `pnpm run type-check` are clean; 2277 tests pass.

* refactor(workspace): rename @ktx/cli to @kaelio/ktx and pack it directly

  Promote the CLI workspace package to the public name `@kaelio/ktx` and drop the separate `scripts/build-public-npm-package.mjs` wrapper. The CLI package is now publishable in place (`publishConfig.access: public`, `provenance: true`), so artifact packing uses `pnpm pack` against `packages/cli/` instead of assembling a parallel package tree.

  Updates all workspace filter invocations, docs, tests, and release readiness checks to reference the new package name, and folds the tarball-name helper into `scripts/public-npm-release-metadata.mjs`.

* docs: align "agent clients" and "data agents" terminology

  Replace "client agents" with "agent clients" and "database agents" with "data agents" across AGENTS.md, README.md, the docs-site copy, and the matching setup-agents test description, matching the canonical vocabulary in docs/terminology.md.

  Also moves packages/cli/tsconfig.json's tsBuildInfoFile from node_modules/.cache/ to dist/.tsbuildinfo so incremental builds survive node_modules reinstalls.

* refactor(release): single source of truth for package version

  Make packages/cli/package.json the single source of truth for the @kaelio/ktx version. publicNpmPackageVersion() now reads it directly, so artifact filenames, release-readiness checks, and the Python wheel version all derive from one field. The duplicate release-policy.json.publicNpmPackageVersion is removed.

  Previously the two fields could drift: tarballs were named kaelio-ktx-0.4.1.tgz while internally containing @kaelio/ktx@0.0.0-private.

  - update-public-release-version.mjs rewrites both Python pyproject.toml files (ktx-daemon, ktx-sl) alongside the npm package.jsons, normalizing the version for PEP 440 (e.g. 0.1.0-rc.2 -> 0.1.0rc2).
  - semantic-release-config.cjs adds the two pyproject.toml files to @semantic-release/git assets so the release commit back to main carries every version source in lockstep.
  - The six "?? '0.0.0-private'" fallback literals across the CLI are replaced with "?? getKtxCliPackageInfo().version", and createDefaultKtxMcpServer makes its version arg required.
  - docs/release.md describes the actual commit-back model: the dev tree always reflects the most recent release; no sentinel pin to maintain.

  Verified: pnpm run artifacts:build now produces kaelio-ktx-0.4.1.tgz and kaelio_ktx-0.4.1-py3-none-any.whl with @kaelio/ktx@0.4.1 inside. Full type-check, dead-code, and 2287 vitests + 173 script tests pass.

* refactor(cli): inject embedding provider resolution and detect sentence-transformers runtime

  Make resolveProjectEmbeddingProvider and runtimeIo injectable in ingest and scan command entrypoints so tests can stub them, and teach resolvePublicIngestRuntimeRequirements to flag the local-embeddings runtime feature when ktx.yaml selects sentence-transformers.

* chore(cli): mark buildLocalStatsStatus and LocalStatsStatus as @internal

  Both symbols are consumed only by status-project.test.ts. Annotating with /** @internal */ keeps knip's production-mode check clean without changing runtime behavior.

* fix(cli): use real package metadata in print-command-tree

  The stubbed package name embedded a forbidden product identifier that tripped the boundary check in CI. Read the metadata from package.json instead — keeps the rendered tree unchanged and removes a duplicate source of truth.

* feat(cli): show embedding coverage in `ktx status`, drop duplicate disk counts

  Inline `(N embedded)` next to the Wiki scope counts and Semantic-layer source counts, computed with `SUM(embedding_json IS NOT NULL)` over `knowledge_pages` and `local_sl_sources`. Rename the "Knowledge" label to "Wiki" (canonical per `docs/terminology.md`) and rename the matching `localStats.knowledgePages` field to `localStats.wikiPages`.

  Drop `wiki=N md` and `semantic-layer=N yaml` from the Disk row — those duplicated the per-surface rows above. Disk now reports only actual byte usage (db, cache, raw-sources). The unused `wikiGlobalMarkdownCount` / `semanticLayerYamlCount` fields, the `isMarkdownEntry` / `isYamlEntry` helpers, and the `filter` arg on `summarizeDir` are removed.
This commit is contained in:
parent
a1cfb03d73
commit
2366b00301
1002 changed files with 2286 additions and 12051 deletions
183
packages/cli/src/context/scan/credentials.test.ts
Normal file
|
|
@ -0,0 +1,183 @@
|
|||
import { describe, expect, it } from 'vitest';
|
||||
import { REDACTED_KTX_CREDENTIAL_VALUE } from '../core/redaction.js';
|
||||
import {
|
||||
redactKtxCredentialEnvelope,
|
||||
redactKtxCredentialValue,
|
||||
redactKtxScanMetadata,
|
||||
redactKtxScanReport,
|
||||
redactKtxScanWarning,
|
||||
} from './credentials.js';
|
||||
import type { KtxCredentialEnvelope, KtxScanReport, KtxScanWarning } from './types.js';
|
||||
|
||||
describe('KTX scan credential redaction', () => {
|
||||
it('keeps credential references inspectable', () => {
|
||||
const envReference: KtxCredentialEnvelope = { kind: 'env', name: 'DATABASE_URL' };
|
||||
const fileReference: KtxCredentialEnvelope = { kind: 'file', path: '~/.config/ktx/warehouse' };
|
||||
|
||||
expect(redactKtxCredentialEnvelope(envReference)).toEqual(envReference);
|
||||
expect(redactKtxCredentialEnvelope(fileReference)).toEqual(fileReference);
|
||||
});
|
||||
|
||||
it('redacts resolved credential envelope values recursively', () => {
|
||||
expect(
|
||||
redactKtxCredentialEnvelope({
|
||||
kind: 'resolved',
|
||||
source: 'host',
|
||||
values: {
|
||||
username: 'readonly',
|
||||
password: 'secret-password', // pragma: allowlist secret
|
||||
nested: {
|
||||
api_key: 'phx_123', // pragma: allowlist secret
|
||||
warehouse: 'compute_wh',
|
||||
},
|
||||
headers: [{ authorizationToken: 'token-value' }, { label: 'safe' }],
|
||||
},
|
||||
}),
|
||||
).toEqual({
|
||||
kind: 'resolved',
|
||||
source: 'host',
|
||||
redacted: true,
|
||||
values: {
|
||||
username: 'readonly',
|
||||
password: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
nested: {
|
||||
api_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
warehouse: 'compute_wh',
|
||||
},
|
||||
headers: [{ authorizationToken: REDACTED_KTX_CREDENTIAL_VALUE }, { label: 'safe' }],
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it('redacts scan metadata fields that commonly contain secrets', () => {
|
||||
expect(
|
||||
redactKtxScanMetadata({
|
||||
driver: 'postgres',
|
||||
url: 'postgres://user:pass@example.test/db', // pragma: allowlist secret
|
||||
serviceAccountJson: {
|
||||
client_email: 'reader@example.test',
|
||||
private_key: 'pem-value', // pragma: allowlist secret
|
||||
},
|
||||
safeCount: 3,
|
||||
}),
|
||||
).toEqual({
|
||||
driver: 'postgres',
|
||||
url: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
serviceAccountJson: {
|
||||
client_email: 'reader@example.test',
|
||||
private_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
},
|
||||
safeCount: 3,
|
||||
});
|
||||
});
|
||||
|
||||
it('redacts scan warning messages and metadata without hiding safe context', () => {
|
||||
const warning: KtxScanWarning = {
|
||||
code: 'sampling_failed',
|
||||
message: 'sample failed for postgres://reader:secret@example.test/db', // pragma: allowlist secret
|
||||
recoverable: true,
|
||||
metadata: {
|
||||
table: 'orders',
|
||||
url: 'postgres://reader:secret@example.test/db', // pragma: allowlist secret
|
||||
nested: {
|
||||
api_key: 'sk_test_123', // pragma: allowlist secret
|
||||
schema: 'public',
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
expect(redactKtxScanWarning(warning)).toEqual({
|
||||
code: 'sampling_failed',
|
||||
message: 'sample failed for postgres://reader:<redacted>@example.test/db',
|
||||
recoverable: true,
|
||||
metadata: {
|
||||
table: 'orders',
|
||||
url: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
nested: {
|
||||
api_key: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
schema: 'public',
|
||||
},
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it('redacts scan report warning metadata recursively', () => {
|
||||
const report: KtxScanReport = {
|
||||
connectionId: 'warehouse',
|
||||
driver: 'postgres',
|
||||
syncId: 'sync-1',
|
||||
runId: 'run-1',
|
||||
trigger: 'cli',
|
||||
mode: 'structural',
|
||||
dryRun: false,
|
||||
artifactPaths: {
|
||||
rawSourcesDir: 'raw-sources/warehouse/live-database/sync-1',
|
||||
reportPath: 'raw-sources/warehouse/live-database/sync-1/scan-report.json',
|
||||
manifestShards: [],
|
||||
enrichmentArtifacts: [],
|
||||
},
|
||||
diffSummary: {
|
||||
tablesAdded: 0,
|
||||
tablesModified: 0,
|
||||
tablesDeleted: 0,
|
||||
tablesUnchanged: 0,
|
||||
columnsAdded: 0,
|
||||
columnsModified: 0,
|
||||
columnsDeleted: 0,
|
||||
},
|
||||
manifestShardsWritten: 0,
|
||||
structuralSyncStats: {
|
||||
tablesCreated: 0,
|
||||
tablesUpdated: 0,
|
||||
tablesDeleted: 0,
|
||||
columnsCreated: 0,
|
||||
columnsUpdated: 0,
|
||||
columnsDeleted: 0,
|
||||
},
|
||||
enrichment: {
|
||||
dataDictionary: 'skipped',
|
||||
tableDescriptions: 'skipped',
|
||||
columnDescriptions: 'skipped',
|
||||
embeddings: 'skipped',
|
||||
deterministicRelationships: 'skipped',
|
||||
llmRelationshipValidation: 'skipped',
|
||||
statisticalValidation: 'skipped',
|
||||
},
|
||||
capabilityGaps: [],
|
||||
warnings: [
|
||||
{
|
||||
code: 'credential_redacted',
|
||||
message: 'metadata redacted',
|
||||
recoverable: true,
|
||||
metadata: {
|
||||
credentials_json: '{"private_key":"pem-value"}', // pragma: allowlist secret
|
||||
safeCount: 2,
|
||||
},
|
||||
},
|
||||
],
|
||||
relationships: { accepted: 0, review: 0, rejected: 0, skipped: 0 },
|
||||
enrichmentState: {
|
||||
resumedStages: [],
|
||||
completedStages: [],
|
||||
failedStages: [],
|
||||
},
|
||||
createdAt: '2026-04-29T00:00:00.000Z',
|
||||
};
|
||||
|
||||
const redacted = redactKtxScanReport(report);
|
||||
|
||||
expect(redacted.warnings[0]?.metadata).toEqual({
|
||||
credentials_json: REDACTED_KTX_CREDENTIAL_VALUE,
|
||||
safeCount: 2,
|
||||
});
|
||||
expect(report.warnings[0]?.metadata).toEqual({
|
||||
credentials_json: '{"private_key":"pem-value"}', // pragma: allowlist secret
|
||||
safeCount: 2,
|
||||
});
|
||||
});
|
||||
|
||||
it('redacts standalone primitive credential values only when the field key is sensitive', () => {
|
||||
expect(redactKtxCredentialValue('password', 'abc')).toBe(REDACTED_KTX_CREDENTIAL_VALUE);
|
||||
expect(redactKtxCredentialValue('schema', 'public')).toBe('public');
|
||||
});
|
||||
});
|
||||
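Review bot: In the 'redacts scan warning messages and metadata without hiding safe context' case, in-string redaction of `postgres://reader:secret@example.test/db` is asserted only for `message`; every metadata secret in this file sits under a sensitive key name (`url`, `api_key`, `private_key`, `credentials_json`, `password`, `authorizationToken`), so nothing pins down what happens when a connection string lands under a neutral key such as `table`. Add a case with a credential-bearing URL under a non-sensitive metadata key and assert the intended result explicitly, so a leak through that path fails the suite. The final case checks key matching only for lowercase `password`; one or two variants of key casing would document how matching is meant to behave. The report case uses `message: 'metadata redacted'`, which carries no secret, so free-text redaction is not exercised through `redactKtxScanReport`; putting a URL with userinfo in that message and asserting on it would close that gap. The non-mutation assertion on `report.warnings[0]?.metadata` is worth repeating for `redactKtxCredentialEnvelope` and `redactKtxScanWarning`.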