refactor: tighten external-link policy and window.open guard

scripts/check-no-raw-window-open.mjs

@@ -3,6 +3,7 @@
 import { promises as fs } from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
+import ts from "typescript";
 
 const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
 const uiSourceDir = path.join(repoRoot, "ui", "src", "ui");
@@ -39,20 +40,67 @@ async function collectTypeScriptFiles(dir) {
   return out;
 }
 
-function lineNumberAt(content, index) {
-  let lines = 1;
-  for (let i = 0; i < index; i++) {
-    if (content.charCodeAt(i) === 10) {
-      lines++;
+function unwrapExpression(expression) {
+  let current = expression;
+  while (true) {
+    if (ts.isParenthesizedExpression(current)) {
+      current = current.expression;
+      continue;
     }
+    if (ts.isAsExpression(current) || ts.isTypeAssertionExpression(current)) {
+      current = current.expression;
+      continue;
+    }
+    if (ts.isNonNullExpression(current)) {
+      current = current.expression;
+      continue;
+    }
+    return current;
   }
+}
+
+function asPropertyAccess(expression) {
+  if (ts.isPropertyAccessExpression(expression)) {
+    return expression;
+  }
+  if (typeof ts.isPropertyAccessChain === "function" && ts.isPropertyAccessChain(expression)) {
+    return expression;
+  }
+  return null;
+}
+
+function isRawWindowOpenCall(expression) {
+  const propertyAccess = asPropertyAccess(unwrapExpression(expression));
+  if (!propertyAccess || propertyAccess.name.text !== "open") {
+    return false;
+  }
+
+  const receiver = unwrapExpression(propertyAccess.expression);
+  return (
+    ts.isIdentifier(receiver) && (receiver.text === "window" || receiver.text === "globalThis")
+  );
+}
+
+export function findRawWindowOpenLines(content, fileName = "source.ts") {
+  const sourceFile = ts.createSourceFile(fileName, content, ts.ScriptTarget.Latest, true);
+  const lines = [];
+
+  const visit = (node) => {
+    if (ts.isCallExpression(node) && isRawWindowOpenCall(node.expression)) {
+      const line =
+        sourceFile.getLineAndCharacterOfPosition(node.expression.getStart(sourceFile)).line + 1;
+      lines.push(line);
+    }
+    ts.forEachChild(node, visit);
+  };
+
+  visit(sourceFile);
   return lines;
 }
 
-async function main() {
+export async function main() {
   const files = await collectTypeScriptFiles(uiSourceDir);
   const violations = [];
-  const rawWindowOpenRe = /\bwindow\s*\.\s*open\s*\(/g;
 
   for (const filePath of files) {
     if (allowedCallsites.has(filePath)) {
@@ -60,12 +108,9 @@ async function main() {
     }
 
     const content = await fs.readFile(filePath, "utf8");
-    let match = rawWindowOpenRe.exec(content);
-    while (match) {
-      const line = lineNumberAt(content, match.index);
+    for (const line of findRawWindowOpenLines(content, filePath)) {
       const relPath = path.relative(repoRoot, filePath);
       violations.push(`${relPath}:${line}`);
-      match = rawWindowOpenRe.exec(content);
     }
   }
 
@@ -81,7 +126,17 @@ async function main() {
   process.exit(1);
 }
 
-main().catch((error) => {
-  console.error(error);
-  process.exit(1);
-});
+const isDirectExecution = (() => {
+  const entry = process.argv[1];
+  if (!entry) {
+    return false;
+  }
+  return path.resolve(entry) === fileURLToPath(import.meta.url);
+})();
+
+if (isDirectExecution) {
+  main().catch((error) => {
+    console.error(error);
+    process.exit(1);
+  });
+}