qli-ext 0.1.1

Extension discovery, dispatch, and guardrails for the qli CLI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

//! Pre-spawn guards: banner, `requires_env`, confirm prompt.
//!
//! Each function corresponds to one numbered step in the Phase 1F dispatch
//! sequence. They are split out so unit tests can exercise each gate
//! independently and so failure paths return typed errors that the
//! dispatcher surfaces uniformly.

use std::io::IsTerminal;

use thiserror::Error;

use crate::manifest::Manifest;

/// Errors raised by pre-spawn guard checks.
#[derive(Debug, Error)]
pub enum GuardError {
    #[error("missing required env var `{key}` (manifest expects `{expected}`); set it with: export {key}={expected}")]
    EnvMissing { key: String, expected: String },
    #[error("env var `{key}` = `{actual}` does not match manifest requirement `{expected}`")]
    EnvMismatch {
        key: String,
        expected: String,
        actual: String,
    },
    #[error("`{group}` requires confirmation but stdin is not a TTY; pass --yes to run non-interactively")]
    NonInteractiveRefuse { group: String },
    #[error("user declined to proceed with `{group} {extension}`")]
    UserDeclined { group: String, extension: String },
}

/// Print the manifest banner to stderr, if any. Step 1 of the guard chain.
pub fn print_banner(manifest: &Manifest) {
    if let Some(banner) = &manifest.banner {
        eprintln!("{banner}");
    }
}

/// Step 2: enforce every `requires_env` entry.
pub fn check_requires_env(manifest: &Manifest) -> Result<(), GuardError> {
    for (key, expected) in &manifest.requires_env {
        match std::env::var(key) {
            Ok(actual) if actual == *expected => {}
            Ok(actual) => {
                return Err(GuardError::EnvMismatch {
                    key: key.clone(),
                    expected: expected.clone(),
                    actual,
                })
            }
            Err(_) => {
                return Err(GuardError::EnvMissing {
                    key: key.clone(),
                    expected: expected.clone(),
                })
            }
        }
    }
    Ok(())
}

/// Step 3: ask for confirmation if the manifest demands it.
///
/// `assume_yes` short-circuits the prompt (used by `--yes`). When stdin is
/// not a TTY and `assume_yes` is false, the dispatcher refuses rather than
/// silently proceeding.
///
/// `prompt` is injected so tests can drive a deterministic answer. Production
/// callers pass [`tty_confirm`] which uses [`dialoguer::Confirm`].
pub fn run_confirm(
    manifest: &Manifest,
    group: &str,
    extension: &str,
    assume_yes: bool,
    prompt: &dyn ConfirmPrompt,
) -> Result<(), GuardError> {
    if !manifest.confirm {
        return Ok(());
    }
    if assume_yes {
        return Ok(());
    }
    if !std::io::stdin().is_terminal() {
        return Err(GuardError::NonInteractiveRefuse {
            group: group.into(),
        });
    }
    let message = format!("Run `qli {group} {extension}`?");
    if prompt.ask(&message)? {
        Ok(())
    } else {
        Err(GuardError::UserDeclined {
            group: group.into(),
            extension: extension.into(),
        })
    }
}

/// Confirm-prompt strategy. Production code uses [`tty_confirm`]; tests pass
/// a stubbed implementation that returns a pre-set answer without touching
/// stdin/stderr.
pub trait ConfirmPrompt {
    /// Ask the user the question and return `true` for affirmative.
    /// Returning `Err` aborts the dispatch with a guard error.
    fn ask(&self, message: &str) -> Result<bool, GuardError>;
}

/// TTY-backed implementation of [`ConfirmPrompt`] using `dialoguer`.
#[derive(Debug, Default)]
pub struct TtyConfirm;

impl ConfirmPrompt for TtyConfirm {
    fn ask(&self, message: &str) -> Result<bool, GuardError> {
        // dialoguer prints to stderr and reads from stdin — both correct
        // for a CLI tool whose stdout is reserved for data.
        match dialoguer::Confirm::new()
            .with_prompt(message)
            .default(false)
            .interact()
        {
            Ok(answer) => Ok(answer),
            // dialoguer maps EOF / closed stdin to an error. Treat that as a
            // decline so the dispatcher refuses instead of surfacing an
            // I/O error. The non-TTY path is already gated above; this
            // branch handles "TTY went away mid-prompt".
            Err(_) => Ok(false),
        }
    }
}

/// Convenience constructor used by the dispatcher.
#[must_use]
pub fn tty_confirm() -> TtyConfirm {
    TtyConfirm
}

#[cfg(test)]
mod tests {
    use super::*;

    fn manifest_with(banner: Option<&str>, confirm: bool, env: &[(&str, &str)]) -> Manifest {
        Manifest {
            schema_version: 1,
            description: "test".into(),
            banner: banner.map(str::to_owned),
            requires_env: env
                .iter()
                .map(|(k, v)| ((*k).to_owned(), (*v).to_owned()))
                .collect(),
            confirm,
            audit_log: None,
            secrets: Vec::new(),
        }
    }

    #[test]
    #[serial_test::serial]
    fn check_requires_env_passes_when_match() {
        std::env::set_var("QLI_TEST_GUARD_OK", "yes");
        let m = manifest_with(None, false, &[("QLI_TEST_GUARD_OK", "yes")]);
        check_requires_env(&m).unwrap();
        std::env::remove_var("QLI_TEST_GUARD_OK");
    }

    #[test]
    #[serial_test::serial]
    fn check_requires_env_errors_when_missing() {
        std::env::remove_var("QLI_TEST_GUARD_MISSING");
        let m = manifest_with(None, false, &[("QLI_TEST_GUARD_MISSING", "yes")]);
        let err = check_requires_env(&m).unwrap_err();
        assert!(matches!(err, GuardError::EnvMissing { .. }));
    }

    #[test]
    #[serial_test::serial]
    fn check_requires_env_errors_when_mismatched() {
        std::env::set_var("QLI_TEST_GUARD_MISMATCH", "no");
        let m = manifest_with(None, false, &[("QLI_TEST_GUARD_MISMATCH", "yes")]);
        let err = check_requires_env(&m).unwrap_err();
        assert!(matches!(err, GuardError::EnvMismatch { .. }));
        std::env::remove_var("QLI_TEST_GUARD_MISMATCH");
    }

    struct YesPrompt;
    impl ConfirmPrompt for YesPrompt {
        fn ask(&self, _message: &str) -> Result<bool, GuardError> {
            Ok(true)
        }
    }

    struct NoPrompt;
    impl ConfirmPrompt for NoPrompt {
        fn ask(&self, _message: &str) -> Result<bool, GuardError> {
            Ok(false)
        }
    }

    #[test]
    fn run_confirm_skipped_when_disabled() {
        let m = manifest_with(None, false, &[]);
        run_confirm(&m, "dev", "hello", false, &YesPrompt).unwrap();
    }

    #[test]
    fn run_confirm_skipped_when_assume_yes() {
        let m = manifest_with(None, true, &[]);
        // NoPrompt would fail; --yes must short-circuit before asking.
        run_confirm(&m, "dev", "hello", true, &NoPrompt).unwrap();
    }

    #[test]
    fn run_confirm_declines_propagate() {
        // This test runs only when stdin is a TTY (i.e., locally, not in CI).
        // When stdin is not a TTY, the function returns NonInteractiveRefuse
        // before consulting the prompt, so we accept either decline path.
        let m = manifest_with(None, true, &[]);
        let err = run_confirm(&m, "dev", "hello", false, &NoPrompt).unwrap_err();
        assert!(
            matches!(
                err,
                GuardError::UserDeclined { .. } | GuardError::NonInteractiveRefuse { .. },
            ),
            "unexpected variant: {err:?}",
        );
    }
}