fix: Address PR review feedback for shared packages

This commit addresses all "Should Fix" items from the PR review: 1. Security Documentation (platform package) - Added comprehensive inline documentation in security.ts explaining why path validation is disabled - Added Security Model section to platform README.md - Documented rationale, implications, and future re-enabling steps 2. Model Resolver Tests - Created comprehensive test suite (34 tests, 100% coverage) - Added vitest configuration with strict coverage thresholds - Tests cover: alias resolution, full model strings, priority handling, edge cases, and integration scenarios - Updated package.json with test scripts and vitest dependency 3. Feature Loader Logging Migration - Replaced all console.log/warn/error calls with @automaker/utils logger - Consistent with rest of codebase logging pattern - Updated corresponding tests to match new logger format 4. Module Format Consistency - Verified all packages use consistent module formats (ESM) - No changes needed All tests passing (632 tests across 31 test files). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 08:53:36 +00:00 · 2025-12-21 00:05:42 +01:00
parent d6baf4583a
commit 49a5a7448c
8 changed files with 429 additions and 20 deletions
--- a/apps/server/src/services/feature-loader.ts
+++ b/apps/server/src/services/feature-loader.ts
@@ -6,6 +6,7 @@
 import path from "path";
 import fs from "fs/promises";
 import type { Feature } from "@automaker/types";
 import { createLogger } from "@automaker/utils";
 import {
  getFeaturesDir,
  getFeatureDir,
@@ -13,6 +14,8 @@ import {
  ensureAutomakerDir,
 } from "@automaker/platform";
 const logger = createLogger("FeatureLoader");
 // Re-export Feature type for convenience
 export type { Feature };
@@ -57,10 +60,10 @@ export class FeatureLoader {
        try {
          // Paths are now absolute
          await fs.unlink(oldPath);
-          console.log(`[FeatureLoader] Deleted orphaned image: ${oldPath}`);
+          logger.info(`Deleted orphaned image: ${oldPath}`);
        } catch (error) {
          // Ignore errors when deleting (file may already be gone)
-          console.warn(
+          logger.warn(
            `[FeatureLoader] Failed to delete image: ${oldPath}`,
            error
          );
@@ -109,7 +112,7 @@ export class FeatureLoader {
        try {
          await fs.access(fullOriginalPath);
        } catch {
-          console.warn(
+          logger.warn(
            `[FeatureLoader] Image not found, skipping: ${fullOriginalPath}`
          );
          continue;
@@ -121,7 +124,7 @@ export class FeatureLoader {
        // Copy the file
        await fs.copyFile(fullOriginalPath, newPath);
-        console.log(
+        logger.info(
          `[FeatureLoader] Copied image: ${originalPath} -> ${newPath}`
        );
@@ -139,7 +142,7 @@ export class FeatureLoader {
          updatedPaths.push({ ...imagePath, path: newPath });
        }
      } catch (error) {
-        console.error(`[FeatureLoader] Failed to migrate image:`, error);
+        logger.error(`Failed to migrate image:`, error);
        // Keep original path if migration fails
        updatedPaths.push(imagePath);
      }
@@ -205,7 +208,7 @@ export class FeatureLoader {
          const feature = JSON.parse(content);
          if (!feature.id) {
-            console.warn(
+            logger.warn(
              `[FeatureLoader] Feature ${featureId} missing required 'id' field, skipping`
            );
            continue;
@@ -216,11 +219,11 @@ export class FeatureLoader {
          if ((error as NodeJS.ErrnoException).code === "ENOENT") {
            continue;
          } else if (error instanceof SyntaxError) {
-            console.warn(
+            logger.warn(
              `[FeatureLoader] Failed to parse feature.json for ${featureId}: ${error.message}`
            );
          } else {
-            console.error(
+            logger.error(
              `[FeatureLoader] Failed to load feature ${featureId}:`,
              (error as Error).message
            );
@@ -237,7 +240,7 @@ export class FeatureLoader {
      return features;
    } catch (error) {
-      console.error("[FeatureLoader] Failed to get all features:", error);
+      logger.error("Failed to get all features:", error);
      return [];
    }
  }
@@ -254,7 +257,7 @@ export class FeatureLoader {
      if ((error as NodeJS.ErrnoException).code === "ENOENT") {
        return null;
      }
-      console.error(
+      logger.error(
        `[FeatureLoader] Failed to get feature ${featureId}:`,
        error
      );
@@ -302,7 +305,7 @@ export class FeatureLoader {
      "utf-8"
    );
-    console.log(`[FeatureLoader] Created feature ${featureId}`);
+    logger.info(`Created feature ${featureId}`);
    return feature;
  }
@@ -354,7 +357,7 @@ export class FeatureLoader {
      "utf-8"
    );
-    console.log(`[FeatureLoader] Updated feature ${featureId}`);
+    logger.info(`Updated feature ${featureId}`);
    return updatedFeature;
  }
@@ -365,10 +368,10 @@ export class FeatureLoader {
    try {
      const featureDir = this.getFeatureDir(projectPath, featureId);
      await fs.rm(featureDir, { recursive: true, force: true });
-      console.log(`[FeatureLoader] Deleted feature ${featureId}`);
+      logger.info(`Deleted feature ${featureId}`);
      return true;
    } catch (error) {
-      console.error(
+      logger.error(
        `[FeatureLoader] Failed to delete feature ${featureId}:`,
        error
      );
@@ -391,7 +394,7 @@ export class FeatureLoader {
      if ((error as NodeJS.ErrnoException).code === "ENOENT") {
        return null;
      }
-      console.error(
+      logger.error(
        `[FeatureLoader] Failed to get agent output for ${featureId}:`,
        error
      );
--- a/apps/server/tests/unit/services/feature-loader.test.ts
+++ b/apps/server/tests/unit/services/feature-loader.test.ts
@@ -144,6 +144,7 @@ describe("feature-loader.ts", () => {
      expect(result).toHaveLength(1);
      expect(result[0].id).toBe("feature-2");
      expect(consoleSpy).toHaveBeenCalledWith(
        "[FeatureLoader]",
        expect.stringContaining("missing required 'id' field")
      );
@@ -189,7 +190,10 @@ describe("feature-loader.ts", () => {
      const result = await loader.getAll(testProjectPath);
      expect(result).toEqual([]);
-      expect(consoleSpy).toHaveBeenCalled();
+      expect(consoleSpy).toHaveBeenCalledWith(
        "[FeatureLoader]",
        expect.stringContaining("Failed to parse feature.json")
      );
      consoleSpy.mockRestore();
    });
@@ -362,6 +366,11 @@ describe("feature-loader.ts", () => {
      const result = await loader.delete(testProjectPath, "feature-123");
      expect(result).toBe(false);
      expect(consoleSpy).toHaveBeenCalledWith(
        "[FeatureLoader]",
        expect.stringContaining("Failed to delete feature"),
        expect.objectContaining({ message: "Permission denied" })
      );
      consoleSpy.mockRestore();
    });
  });
--- a/libs/model-resolver/package.json
+++ b/libs/model-resolver/package.json
@@ -6,7 +6,9 @@
  "types": "dist/index.d.ts",
  "scripts": {
    "build": "tsc",
-    "watch": "tsc --watch"
+    "watch": "tsc --watch",
    "test": "vitest run",
    "test:watch": "vitest"
  },
  "keywords": ["automaker", "model", "resolver"],
  "author": "AutoMaker Team",
@@ -16,6 +18,7 @@
  },
  "devDependencies": {
    "@types/node": "^22.10.5",
-    "typescript": "^5.7.3"
+    "typescript": "^5.7.3",
    "vitest": "^4.0.16"
  }
 }
--- a/libs/model-resolver/tests/resolver.test.ts
+++ b/libs/model-resolver/tests/resolver.test.ts
@@ -0,0 +1,315 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { resolveModelString, getEffectiveModel } from "../src/resolver";
 import { CLAUDE_MODEL_MAP, DEFAULT_MODELS } from "@automaker/types";
 describe("model-resolver", () => {
  let consoleLogSpy: ReturnType<typeof vi.spyOn>;
  let consoleWarnSpy: ReturnType<typeof vi.spyOn>;
  beforeEach(() => {
    consoleLogSpy = vi.spyOn(console, "log").mockImplementation(() => {});
    consoleWarnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
  });
  afterEach(() => {
    consoleLogSpy.mockRestore();
    consoleWarnSpy.mockRestore();
  });
  describe("resolveModelString", () => {
    describe("with undefined/null input", () => {
      it("should return default model when modelKey is undefined", () => {
        const result = resolveModelString(undefined);
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
      it("should return custom default when modelKey is undefined", () => {
        const customDefault = "claude-opus-4-20241113";
        const result = resolveModelString(undefined, customDefault);
        expect(result).toBe(customDefault);
      });
      it("should return default when modelKey is empty string", () => {
        const result = resolveModelString("");
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
    });
    describe("with full Claude model strings", () => {
      it("should pass through full Claude model string unchanged", () => {
        const fullModel = "claude-sonnet-4-20250514";
        const result = resolveModelString(fullModel);
        expect(result).toBe(fullModel);
        expect(consoleLogSpy).toHaveBeenCalledWith(
          expect.stringContaining("Using full Claude model string")
        );
      });
      it("should handle claude-opus model strings", () => {
        const fullModel = "claude-opus-4-20241113";
        const result = resolveModelString(fullModel);
        expect(result).toBe(fullModel);
      });
      it("should handle claude-haiku model strings", () => {
        const fullModel = "claude-3-5-haiku-20241022";
        const result = resolveModelString(fullModel);
        expect(result).toBe(fullModel);
      });
      it("should handle any string containing 'claude-'", () => {
        const customModel = "claude-custom-experimental-v1";
        const result = resolveModelString(customModel);
        expect(result).toBe(customModel);
      });
    });
    describe("with model aliases", () => {
      it("should resolve 'sonnet' alias", () => {
        const result = resolveModelString("sonnet");
        expect(result).toBe(CLAUDE_MODEL_MAP.sonnet);
        expect(consoleLogSpy).toHaveBeenCalledWith(
          expect.stringContaining('Resolved model alias: "sonnet"')
        );
      });
      it("should resolve 'opus' alias", () => {
        const result = resolveModelString("opus");
        expect(result).toBe(CLAUDE_MODEL_MAP.opus);
        expect(consoleLogSpy).toHaveBeenCalledWith(
          expect.stringContaining('Resolved model alias: "opus"')
        );
      });
      it("should resolve 'haiku' alias", () => {
        const result = resolveModelString("haiku");
        expect(result).toBe(CLAUDE_MODEL_MAP.haiku);
      });
      it("should log the resolution for aliases", () => {
        resolveModelString("sonnet");
        expect(consoleLogSpy).toHaveBeenCalledWith(
          expect.stringContaining("Resolved model alias")
        );
        expect(consoleLogSpy).toHaveBeenCalledWith(
          expect.stringContaining(CLAUDE_MODEL_MAP.sonnet)
        );
      });
    });
    describe("with unknown model keys", () => {
      it("should return default for unknown model key", () => {
        const result = resolveModelString("unknown-model");
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
      it("should warn about unknown model key", () => {
        resolveModelString("unknown-model");
        expect(consoleWarnSpy).toHaveBeenCalledWith(
          expect.stringContaining("Unknown model key")
        );
        expect(consoleWarnSpy).toHaveBeenCalledWith(
          expect.stringContaining("unknown-model")
        );
      });
      it("should use custom default for unknown model key", () => {
        const customDefault = "claude-opus-4-20241113";
        const result = resolveModelString("gpt-4", customDefault);
        expect(result).toBe(customDefault);
      });
      it("should warn and show default being used", () => {
        const customDefault = "claude-custom-default";
        resolveModelString("invalid-key", customDefault);
        expect(consoleWarnSpy).toHaveBeenCalledWith(
          expect.stringContaining(customDefault)
        );
      });
    });
    describe("case sensitivity", () => {
      it("should be case-sensitive for aliases", () => {
        const resultUpper = resolveModelString("SONNET");
        const resultLower = resolveModelString("sonnet");
        // Uppercase should not resolve (falls back to default)
        expect(resultUpper).toBe(DEFAULT_MODELS.claude);
        // Lowercase should resolve
        expect(resultLower).toBe(CLAUDE_MODEL_MAP.sonnet);
      });
      it("should handle mixed case in claude- strings", () => {
        const result = resolveModelString("Claude-Sonnet-4-20250514");
        // Capital 'C' means it won't match 'claude-', falls back to default
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
    });
    describe("edge cases", () => {
      it("should handle model key with whitespace", () => {
        const result = resolveModelString("  sonnet  ");
        // Will not match due to whitespace, falls back to default
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
      it("should handle special characters in model key", () => {
        const result = resolveModelString("model@123");
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
    });
  });
  describe("getEffectiveModel", () => {
    describe("priority handling", () => {
      it("should prioritize explicit model over all others", () => {
        const explicit = "claude-opus-4-20241113";
        const session = "claude-sonnet-4-20250514";
        const defaultModel = "claude-3-5-haiku-20241022";
        const result = getEffectiveModel(explicit, session, defaultModel);
        expect(result).toBe(explicit);
      });
      it("should use session model when explicit is undefined", () => {
        const session = "claude-sonnet-4-20250514";
        const defaultModel = "claude-3-5-haiku-20241022";
        const result = getEffectiveModel(undefined, session, defaultModel);
        expect(result).toBe(session);
      });
      it("should use default model when both explicit and session are undefined", () => {
        const defaultModel = "claude-opus-4-20241113";
        const result = getEffectiveModel(undefined, undefined, defaultModel);
        expect(result).toBe(defaultModel);
      });
      it("should use system default when all are undefined", () => {
        const result = getEffectiveModel(undefined, undefined, undefined);
        expect(result).toBe(DEFAULT_MODELS.claude);
      });
    });
    describe("with aliases", () => {
      it("should resolve explicit model alias", () => {
        const result = getEffectiveModel("opus", "sonnet");
        expect(result).toBe(CLAUDE_MODEL_MAP.opus);
      });
      it("should resolve session model alias when explicit is undefined", () => {
        const result = getEffectiveModel(undefined, "haiku");
        expect(result).toBe(CLAUDE_MODEL_MAP.haiku);
      });
      it("should prioritize explicit alias over session full string", () => {
        const result = getEffectiveModel(
          "sonnet",
          "claude-opus-4-20241113"
        );
        expect(result).toBe(CLAUDE_MODEL_MAP.sonnet);
      });
    });
    describe("with empty strings", () => {
      it("should treat empty explicit string as undefined", () => {
        const session = "claude-sonnet-4-20250514";
        const result = getEffectiveModel("", session);
        expect(result).toBe(session);
      });
      it("should treat empty session string as undefined", () => {
        const defaultModel = "claude-opus-4-20241113";
        const result = getEffectiveModel(undefined, "", defaultModel);
        expect(result).toBe(defaultModel);
      });
      it("should handle all empty strings", () => {
        const result = getEffectiveModel("", "", "");
        // Empty strings are falsy, so explicit || session becomes "" || ""  = ""
        // Then resolveModelString("", "") returns "" (not in CLAUDE_MODEL_MAP, not containing "claude-")
        // This actually returns the custom default which is ""
        expect(result).toBe("");
      });
    });
    describe("integration scenarios", () => {
      it("should handle user overriding session model with alias", () => {
        const sessionModel = "claude-sonnet-4-20250514";
        const userChoice = "opus";
        const result = getEffectiveModel(userChoice, sessionModel);
        expect(result).toBe(CLAUDE_MODEL_MAP.opus);
      });
      it("should handle fallback chain: unknown -> session -> default", () => {
        const result = getEffectiveModel(
          "invalid",
          "also-invalid",
          "claude-opus-4-20241113"
        );
        // Both invalid models fall back to default
        expect(result).toBe("claude-opus-4-20241113");
      });
      it("should handle session with alias, no explicit", () => {
        const result = getEffectiveModel(undefined, "haiku");
        expect(result).toBe(CLAUDE_MODEL_MAP.haiku);
      });
    });
  });
  describe("CLAUDE_MODEL_MAP integration", () => {
    it("should have valid mappings for all known aliases", () => {
      const aliases = ["sonnet", "opus", "haiku"];
      for (const alias of aliases) {
        const resolved = resolveModelString(alias);
        expect(resolved).toBeDefined();
        expect(resolved).toContain("claude-");
        expect(resolved).toBe(CLAUDE_MODEL_MAP[alias]);
      }
    });
  });
  describe("DEFAULT_MODELS integration", () => {
    it("should use DEFAULT_MODELS.claude as fallback", () => {
      const result = resolveModelString(undefined);
      expect(result).toBe(DEFAULT_MODELS.claude);
      expect(DEFAULT_MODELS.claude).toBeDefined();
      expect(DEFAULT_MODELS.claude).toContain("claude-");
    });
  });
 });
--- a/libs/model-resolver/vitest.config.ts
+++ b/libs/model-resolver/vitest.config.ts
@@ -0,0 +1,21 @@
 import { defineConfig } from "vitest/config";
 export default defineConfig({
  test: {
    globals: true,
    environment: "node",
    include: ["tests/**/*.test.ts"],
    coverage: {
      provider: "v8",
      reporter: ["text", "json", "html"],
      include: ["src/**/*.ts"],
      exclude: ["src/**/*.d.ts", "src/index.ts"],
      thresholds: {
        lines: 95,
        functions: 95,
        branches: 90,
        statements: 95,
      },
    },
  },
 });
--- a/libs/platform/README.md
+++ b/libs/platform/README.md
@@ -137,6 +137,36 @@ async function executeFeature(projectPath: string, featureId: string) {
 }
 ```
 ## Security Model
 **IMPORTANT: Path validation is currently disabled.**
 All path access checks (`isPathAllowed()`) always return `true`, allowing unrestricted file system access. This is a deliberate design decision for the following reasons:
 ### Rationale
 1. **Development Flexibility**: AutoMaker is a development tool that needs to access various project directories chosen by the user. Strict path restrictions would limit its usefulness.
 2. **User Control**: The application runs with the user's permissions. Users should have full control over which directories they work with.
 3. **Trust Model**: AutoMaker operates under a trust model where the user is assumed to be working on their own projects.
 ### Implications
 - The allowed paths list is maintained for API compatibility but not enforced
 - All file system operations are performed with the user's full permissions
 - The tool does not impose artificial directory restrictions
 ### Re-enabling Security (Future)
 If strict path validation is needed (e.g., for production deployments or untrusted environments):
 1. Modify `isPathAllowed()` in `src/security.ts` to check against the allowed paths list
 2. Consider adding an environment variable `ENABLE_PATH_SECURITY=true`
 3. Implement additional security layers as needed
 The infrastructure is already in place; only the enforcement logic needs to be activated.
 ## Directory Structure
 AutoMaker uses the following directory structure:
--- a/libs/platform/src/security.ts
+++ b/libs/platform/src/security.ts
@@ -1,6 +1,33 @@
 /**
 * Security utilities for path validation
- * Note: All permission checks have been disabled to allow unrestricted access
+ *
 * SECURITY NOTICE: Path validation is currently DISABLED
 *
 * All path access checks always return true, allowing unrestricted file system access.
 * This was a deliberate design decision for the following reasons:
 *
 * 1. Development Flexibility: AutoMaker is a development tool that needs to access
 *    various project directories chosen by the user. Strict path restrictions would
 *    limit its usefulness.
 *
 * 2. User Control: The application runs with the user's permissions. Users should
 *    have full control over which directories they work with, without artificial
 *    restrictions imposed by the tool.
 *
 * 3. Trust Model: AutoMaker operates under a trust model where the user is assumed
 *    to be working on their own projects. The tool itself doesn't perform operations
 *    without user initiation.
 *
 * SECURITY CONSIDERATIONS:
 * - This module maintains the allowed paths list for API compatibility and potential
 *   future use, but does not enforce any restrictions.
 * - If security restrictions are needed in the future, the infrastructure is in place
 *   to enable them by modifying isPathAllowed() to actually check the allowed list.
 * - For production deployments or untrusted environments, consider re-enabling path
 *   validation or implementing additional security layers.
 *
 * FUTURE ENHANCEMENT: Consider adding an environment variable (e.g., ENABLE_PATH_SECURITY)
 * to allow enabling strict path validation when needed for specific deployment scenarios.
 */
 import path from "path";
--- a/package-lock.json
+++ b/package-lock.json
@@ -216,7 +216,8 @@
      },
      "devDependencies": {
        "@types/node": "^22.10.5",
-        "typescript": "^5.7.3"
+        "typescript": "^5.7.3",
        "vitest": "^4.0.16"
      }
    },
    "libs/model-resolver/node_modules/@types/node": {