helen 0.1.0

Repository review gate.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165

//! Elenchus risk scanning.

use std::{ffi::OsStr, fmt::Write as _, path::Path};

/// Risk state detected from the current diff.
#[derive(Clone, Debug, Default)]
pub(super) struct RiskState {
    /// Human-readable risk reasons.
    pub(super) reasons: Vec<String>,
    /// Whether a reviewed risk token was accepted.
    pub(super) override_accepted: bool,
    /// Summary field for risk override status.
    pub(super) override_for_summary: &'static str,
    /// Accepted risk token, if any.
    pub(super) acceptance_token: String,
    /// Whether the elenchus reused a previous passing review.
    pub(super) review_reused: bool,
    /// Cached review hash recorded during token validation.
    pub(super) review_cache_hash: String,
}

impl RiskState {
    /// Creates the default risk state.
    pub(super) fn new() -> Self {
        Self {
            override_for_summary: "disabled",
            ..Self::default()
        }
    }

    /// Returns true when any risky-change reason was detected.
    pub(super) const fn has_reasons(&self) -> bool {
        !self.reasons.is_empty()
    }

    /// Renders reasons for the review prompt.
    pub(super) fn reasons_for_review(&self) -> String {
        if self.reasons.is_empty() {
            String::from("- none")
        } else {
            let mut text = String::new();
            for reason in &self.reasons {
                let _result = writeln!(&mut text, "- {reason}");
            }
            text
        }
    }
}

/// Detects risky-change reasons from changed paths and added lines.
pub(super) fn detect_risk_reasons(changed_files: &str, diff_u0: &str) -> Vec<String> {
    let mut reasons = Vec::new();
    let files = changed_files.lines().collect::<Vec<_>>();

    if files.iter().any(|file| {
        Path::new(file)
            .file_name()
            .and_then(OsStr::to_str)
            .is_some_and(|name| name == "Cargo.toml" || name == "Cargo.lock")
    }) {
        reasons.push(String::from("dependency or lockfile change"));
    }
    if files.iter().any(|file| {
        let path = Path::new(file);
        path.extension().and_then(OsStr::to_str) == Some("sql")
            || path.components().any(|component| {
                component.as_os_str().to_str().is_some_and(|value| {
                    matches!(value, "migration" | "migrations" | "schema" | "db")
                })
            })
    }) {
        reasons.push(String::from("database/schema/migration change"));
    }
    if added_lines(diff_u0).any(|line| contains_word(line, "unsafe")) {
        reasons.push(String::from("new unsafe usage"));
    }
    if added_lines(diff_u0).any(contains_public_api_surface) {
        reasons.push(String::from("public API surface change"));
    }
    if added_lines(diff_u0).any(|line| {
        [
            "auth",
            "token",
            "secret",
            "password",
            "crypto",
            "encrypt",
            "decrypt",
            "signature",
            "credential",
        ]
        .iter()
        .any(|word| contains_word_case_insensitive(line, word))
    }) {
        reasons.push(String::from("security-sensitive code path"));
    }

    reasons
}

/// Iterates added diff lines, excluding file headers.
fn added_lines(diff: &str) -> impl Iterator<Item = &str> {
    diff.lines()
        .filter(|line| line.starts_with('+') && !line.starts_with("+++"))
        .map(|line| &line[1..])
}

/// Returns true when a line adds a public Rust API item.
fn contains_public_api_surface(line: &str) -> bool {
    let words = words(line).collect::<Vec<_>>();
    words.windows(2).any(|window| {
        window[0] == "pub"
            && matches!(
                window[1],
                "trait" | "struct" | "enum" | "fn" | "type" | "mod"
            )
    })
}

/// Returns true when a line contains a case-sensitive identifier word.
fn contains_word(line: &str, needle: &str) -> bool {
    words(line).any(|word| word == needle)
}

/// Returns true when a line contains a case-insensitive identifier word.
fn contains_word_case_insensitive(line: &str, needle: &str) -> bool {
    words(line).any(|word| word.eq_ignore_ascii_case(needle))
}

/// Splits text into identifier-like words.
fn words(line: &str) -> impl Iterator<Item = &str> {
    line.split(|character: char| !character.is_ascii_alphanumeric() && character != '_')
        .filter(|word| !word.is_empty())
}

#[cfg(test)]
mod tests {
    //! Tests for elenchus risk scanning.

    use super::detect_risk_reasons;

    #[test]
    fn risk_scanner_matches_shell_gate_shapes() {
        let changed_files = "Cargo.toml\nsrc/auth/token.rs\ndb/schema.sql\n";
        let diff = "\
diff --git a/src/auth/token.rs b/src/auth/token.rs\n\
@@ -0,0 +1,3 @@\n\
+pub struct Token;\n\
+unsafe fn raw() {}\n\
+let secret = 1;\n";

        let reasons = detect_risk_reasons(changed_files, diff);

        assert_eq!(
            reasons,
            [
                "dependency or lockfile change",
                "database/schema/migration change",
                "new unsafe usage",
                "public API surface change",
                "security-sensitive code path"
            ]
        );
    }
}