test: consolidate sessions_spawn and guardrail helpers

src/security/temp-path-guard.test.ts

@@ -2,8 +2,9 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import ts from "typescript";
 import { describe, expect, it } from "vitest";
+import { listRepoFiles } from "../test-utils/repo-scan.js";
 
-const RUNTIME_ROOTS = ["src", "extensions"];
+const RUNTIME_ROOTS = ["src", "extensions"] as const;
 const SKIP_PATTERNS = [
   /\.test\.tsx?$/,
   /\.test-helpers\.tsx?$/,
@@ -83,28 +84,6 @@ function hasDynamicTmpdirJoin(source: string, filePath = "fixture.ts"): boolean
   return found;
 }
 
-async function listTsFiles(dir: string): Promise<string[]> {
-  const entries = await fs.readdir(dir, { withFileTypes: true });
-  const out: string[] = [];
-  for (const entry of entries) {
-    if (entry.name === "node_modules" || entry.name === "dist" || entry.name.startsWith(".")) {
-      continue;
-    }
-    const fullPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      out.push(...(await listTsFiles(fullPath)));
-      continue;
-    }
-    if (!entry.isFile()) {
-      continue;
-    }
-    if (fullPath.endsWith(".ts") || fullPath.endsWith(".tsx")) {
-      out.push(fullPath);
-    }
-  }
-  return out;
-}
-
 describe("temp path guard", () => {
   it("skips test helper filename variants", () => {
     expect(shouldSkip("src/commands/test-helpers.ts")).toBe(true);
@@ -138,21 +117,22 @@ describe("temp path guard", () => {
     const repoRoot = process.cwd();
     const offenders: string[] = [];
 
-    for (const root of RUNTIME_ROOTS) {
-      const absRoot = path.join(repoRoot, root);
-      const files = await listTsFiles(absRoot);
-      for (const file of files) {
-        const relativePath = path.relative(repoRoot, file);
-        if (shouldSkip(relativePath)) {
-          continue;
-        }
-        const source = await fs.readFile(file, "utf-8");
-        if (!QUICK_TMPDIR_JOIN_PATTERN.test(source)) {
-          continue;
-        }
-        if (hasDynamicTmpdirJoin(source, relativePath)) {
-          offenders.push(relativePath);
-        }
+    const files = await listRepoFiles(repoRoot, {
+      roots: RUNTIME_ROOTS,
+      extensions: [".ts", ".tsx"],
+      skipHiddenDirectories: true,
+    });
+    for (const file of files) {
+      const relativePath = path.relative(repoRoot, file);
+      if (shouldSkip(relativePath)) {
+        continue;
+      }
+      const source = await fs.readFile(file, "utf-8");
+      if (!QUICK_TMPDIR_JOIN_PATTERN.test(source)) {
+        continue;
+      }
+      if (hasDynamicTmpdirJoin(source, relativePath)) {
+        offenders.push(relativePath);
       }
     }
 

src/security/weak-random-patterns.test.ts

@@ -1,68 +1,38 @@
-import fs from "node:fs";
+import fs from "node:fs/promises";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
+import { listRepoFiles } from "../test-utils/repo-scan.js";
 
 const SCAN_ROOTS = ["src", "extensions"] as const;
-const SKIP_DIRS = new Set([".git", "dist", "node_modules"]);
 
-function collectTypeScriptFiles(rootDir: string): string[] {
-  const out: string[] = [];
-  const stack = [rootDir];
-  while (stack.length > 0) {
-    const current = stack.pop();
-    if (!current) {
-      continue;
-    }
-    for (const entry of fs.readdirSync(current, { withFileTypes: true })) {
-      const fullPath = path.join(current, entry.name);
-      if (entry.isDirectory()) {
-        if (!SKIP_DIRS.has(entry.name)) {
-          stack.push(fullPath);
-        }
-        continue;
-      }
-      if (!entry.isFile()) {
-        continue;
-      }
-      if (
-        !entry.name.endsWith(".ts") ||
-        entry.name.endsWith(".test.ts") ||
-        entry.name.endsWith(".d.ts")
-      ) {
-        continue;
-      }
-      out.push(fullPath);
-    }
-  }
-  return out;
+function isRuntimeTypeScriptFile(relativePath: string): boolean {
+  return !relativePath.endsWith(".test.ts") && !relativePath.endsWith(".d.ts");
 }
 
-function findWeakRandomPatternMatches(repoRoot: string): string[] {
+async function findWeakRandomPatternMatches(repoRoot: string): Promise<string[]> {
   const matches: string[] = [];
-  for (const scanRoot of SCAN_ROOTS) {
-    const root = path.join(repoRoot, scanRoot);
-    if (!fs.existsSync(root)) {
-      continue;
-    }
-    const files = collectTypeScriptFiles(root);
-    for (const filePath of files) {
-      const lines = fs.readFileSync(filePath, "utf8").split(/\r?\n/);
-      for (let idx = 0; idx < lines.length; idx += 1) {
-        const line = lines[idx] ?? "";
-        if (!line.includes("Date.now") || !line.includes("Math.random")) {
-          continue;
-        }
-        matches.push(`${path.relative(repoRoot, filePath)}:${idx + 1}`);
+  const files = await listRepoFiles(repoRoot, {
+    roots: SCAN_ROOTS,
+    extensions: [".ts"],
+    shouldIncludeFile: isRuntimeTypeScriptFile,
+  });
+  for (const filePath of files) {
+    const lines = (await fs.readFile(filePath, "utf8")).split(/\r?\n/);
+    for (let idx = 0; idx < lines.length; idx += 1) {
+      const line = lines[idx] ?? "";
+      if (!line.includes("Date.now") || !line.includes("Math.random")) {
+        continue;
       }
+      matches.push(`${path.relative(repoRoot, filePath)}:${idx + 1}`);
     }
   }
   return matches;
 }
 
 describe("weak random pattern guardrail", () => {
-  it("rejects Date.now + Math.random token/id patterns in runtime code", () => {
+  it("rejects Date.now + Math.random token/id patterns in runtime code", async () => {
     const repoRoot = path.resolve(process.cwd());
-    const matches = findWeakRandomPatternMatches(repoRoot);
+    const matches = await findWeakRandomPatternMatches(repoRoot);
     expect(matches).toEqual([]);
   });
 });