koala-drift 1.0.4

Wiki ↔ code drift detector.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

//! `adr.no-delete-accepted` — ADR-0008 forbids deletion (supersede
//! instead). The check fires on either signal:
//!
//! 1. **Gap in current sequence** — id 3 missing while 1, 2, 4 exist.
//!    Catches deletions that leave a gap.
//! 2. **Git history vs current tip** — `git log --diff-filter=D` lists
//!    every ADR ever deleted; if any deleted id isn't currently
//!    present, that's a deletion (catches the case where the *latest*
//!    ADR was deleted, leaving no gap).
//!
//! When `git` isn't reachable (e.g. running outside a checkout), the
//! check falls back to gap-only mode.

use crate::check::{Check, Finding, FindingKind, Severity};
use koala_adr::Registry as AdrRegistry;
use koala_core::invariant::Context;
use std::collections::HashSet;
use std::path::{Path, PathBuf};

pub struct AdrNoDelete;

impl Check for AdrNoDelete {
    fn id(&self) -> &'static str {
        "adr.no-delete-accepted"
    }

    fn intent(&self) -> &'static str {
        "Every ADR id ever committed must still be present at HEAD. \
         Gaps and deleted-tip ADRs both fail (ADR-0008: ADRs are \
         immutable, supersede instead)."
    }

    fn run(&self, ctx: &Context) -> Vec<Finding> {
        let Ok(reg) = AdrRegistry::load(ctx.root()) else {
            return Vec::new();
        };
        let mut current: Vec<u32> = reg.entries().iter().map(|e| e.frontmatter.id).collect();
        current.sort_unstable();
        let present: HashSet<u32> = current.iter().copied().collect();

        // Historical ids = current ∪ ever-deleted (per git log).
        let mut historical: HashSet<u32> = present.clone();
        if let Some(deleted) = git_deleted_adr_ids(ctx.root()) {
            historical.extend(deleted);
        }

        // Honest accounting: also flag gaps below max even if git is
        // unreachable. So the historical max defaults to the current
        // max if the git lookup returned nothing extra.
        let max = match historical.iter().max().copied() {
            Some(m) => m,
            None => return Vec::new(),
        };

        let display = PathBuf::from("wiki/decisions/");
        let mut out = Vec::new();
        for missing in 1..=max {
            if present.contains(&missing) {
                continue;
            }
            let was_deleted = historical.contains(&missing);
            let claim = if was_deleted {
                format!("ADR-{missing:04} once committed, now deleted")
            } else {
                format!("ADR-{missing:04} missing")
            };
            out.push(Finding {
                check_id: self.id(),
                file: display.clone(),
                line: 0,
                claim,
                kind: FindingKind::AdrIdGap { missing },
                severity: Severity::Hard,
                fix_hint: Some(format!(
                    "Restore ADR-{missing:04} (ADR-0008: ADRs are immutable). \
                     If it was wrongly created, mark it status=deprecated rather than deleting."
                )),
            });
        }
        out
    }
}

/// Parse `git log --diff-filter=D --name-only -- wiki/decisions/`
/// for ever-deleted ADR file paths and pull the leading id.
/// Returns `None` if git is unreachable / the path isn't a git
/// checkout (the check then degrades to gap-only mode).
fn git_deleted_adr_ids(root: &Path) -> Option<HashSet<u32>> {
    let out = std::process::Command::new("git")
        .arg("-C")
        .arg(root)
        .args([
            "log",
            "--all",
            "--diff-filter=D",
            "--name-only",
            "--pretty=format:",
            "--",
            "wiki/decisions/",
        ])
        .output()
        .ok()?;
    if !out.status.success() {
        return None;
    }
    let text = String::from_utf8_lossy(&out.stdout);
    let mut ids: HashSet<u32> = HashSet::new();
    for line in text.lines() {
        let trimmed = line.trim();
        if trimmed.is_empty() {
            continue;
        }
        let leaf = trimmed.split('/').next_back().unwrap_or(trimmed);
        if leaf.starts_with('_') {
            continue;
        }
        if let Some(prefix) = leaf.split('-').next() {
            if let Ok(n) = prefix.parse::<u32>() {
                ids.insert(n);
            }
        }
    }
    Some(ids)
}

#[cfg(test)]
mod tests {
    use super::*;
    use koala_core::invariant::Context;
    use std::fs;
    use tempfile::TempDir;

    fn write_adr(root: &std::path::Path, id: u32) {
        let dir = root.join("wiki/decisions");
        fs::create_dir_all(&dir).unwrap();
        let body = format!(
            "---\n\
id: {id:04}\n\
title: ADR {id}\n\
status: accepted\n\
date: 2026-01-01\n\
---\n\n# ADR-{id:04}: ADR {id}\n"
        );
        fs::write(dir.join(format!("{id:04}-adr.md")), body).unwrap();
    }

    #[test]
    fn contiguous_ids_pass() {
        let tmp = TempDir::new().unwrap();
        for id in 1..=3 {
            write_adr(tmp.path(), id);
        }
        let ctx = Context::new(tmp.path());
        let findings = AdrNoDelete.run(&ctx);
        assert!(findings.is_empty(), "{findings:?}");
    }

    #[test]
    fn empty_registry_passes() {
        let tmp = TempDir::new().unwrap();
        let ctx = Context::new(tmp.path());
        let findings = AdrNoDelete.run(&ctx);
        assert!(findings.is_empty());
    }

    #[test]
    fn accepted_adr_deletion_blocks() {
        let tmp = TempDir::new().unwrap();
        write_adr(tmp.path(), 1);
        write_adr(tmp.path(), 2);
        write_adr(tmp.path(), 4);
        let ctx = Context::new(tmp.path());
        let findings = AdrNoDelete.run(&ctx);
        assert_eq!(findings.len(), 1);
        let f = &findings[0];
        assert_eq!(f.check_id, "adr.no-delete-accepted");
        assert_eq!(f.severity, Severity::Hard);
        assert!(matches!(f.kind, FindingKind::AdrIdGap { missing: 3 }));
    }

    #[test]
    fn multiple_gaps_each_reported() {
        let tmp = TempDir::new().unwrap();
        write_adr(tmp.path(), 1);
        write_adr(tmp.path(), 5);
        let ctx = Context::new(tmp.path());
        let findings = AdrNoDelete.run(&ctx);
        let missing: Vec<u32> = findings
            .iter()
            .filter_map(|f| match f.kind {
                FindingKind::AdrIdGap { missing } => Some(missing),
                _ => None,
            })
            .collect();
        assert_eq!(missing, vec![2, 3, 4]);
    }

    /// Initialize a real git repo, commit two ADRs, delete the
    /// highest-numbered one. Without git history the gap detector
    /// would see only ADR-1 and pass — with git history we catch
    /// the deletion.
    #[test]
    fn deleted_tip_adr_caught_via_git_history() {
        let tmp = TempDir::new().unwrap();
        let root = tmp.path();

        // Real git init.
        let run = |args: &[&str]| {
            std::process::Command::new("git")
                .args(args)
                .current_dir(root)
                .output()
                .expect("git invocation")
        };
        run(&["init", "--initial-branch=main"]);
        run(&["config", "user.email", "test@example.com"]);
        run(&["config", "user.name", "Test"]);
        run(&["config", "commit.gpgsign", "false"]);

        write_adr(root, 1);
        write_adr(root, 2);
        run(&["add", "-A"]);
        run(&["commit", "-m", "two adrs"]);

        // Delete ADR-2 — leaves no gap (only ADR-1 remains).
        std::fs::remove_file(root.join("wiki/decisions/0002-adr.md")).unwrap();
        run(&["add", "-A"]);
        run(&["commit", "-m", "delete ADR-2"]);

        let ctx = Context::new(root);
        let findings = AdrNoDelete.run(&ctx);
        assert!(
            findings
                .iter()
                .any(|f| matches!(f.kind, FindingKind::AdrIdGap { missing: 2 })),
            "expected ADR-2 deletion to be caught, got {findings:?}"
        );
        // The claim should reflect "once committed".
        let claim = findings
            .iter()
            .find(|f| matches!(f.kind, FindingKind::AdrIdGap { missing: 2 }))
            .map(|f| f.claim.clone())
            .unwrap_or_default();
        assert!(
            claim.contains("once committed"),
            "claim should distinguish deletion from gap: {claim}"
        );
    }
}