Files
openclaw/scripts/github/security-sensitive-guard.d.mts
Peter Steinberger fe261b0f59 chore(tooling): typecheck root test/** with a dedicated tsgo lane (#104475)
* chore(types): add declaration files for scripts/lib and scripts/e2e modules

* chore(types): add declaration files for top-level script modules (a-m)

* chore(types): add declaration files for top-level script modules (n-z)

* test: use a non-secret-shaped gateway token fixture

* test: type ci workflow guard helpers for the root test lane

* chore(tooling): typecheck root test/** with a dedicated tsgo lane

- test/tsconfig/tsconfig.test.root.json: root-test program (strict unused checks,
  fixtures excluded; two Docker E2E clients that import built dist/** stay out,
  same rationale as the scripts/e2e exclusion in tsconfig.scripts.json)
- tsgo:test:root wired into tsgo:test, check:test-types, scripts/check.mjs, and
  the ci.yml test-types shard, mirroring the tsgo:scripts lane (#104348)
- changed-lane routing: test/**/*.ts (excluding fixtures) and the lane tsconfig
  now trigger 'typecheck test root' in check:changed; previously test/ paths ran
  lint only, so harness type errors surfaced first in CI (#104287 envDir case)
- burn down all 1071 latent type errors in the program: precise param/local
  types across test/scripts, test/vitest, test/e2e, and transitive scripts/e2e
  program members; 205 sibling .d.mts declaration files for imported .mjs
  modules (committed separately); zero any, zero ts-expect-error
- resolve the pre-existing testing star-export ambiguity in
  scripts/e2e/parallels/common.ts with an explicit re-export

Closes #104388

* chore(types): correct declaration fidelity per structured review

- re-derive 51 .d.mts files from implementation data flow instead of
  initializers: fix a wrong never return (runTestProjectsDelegation returns
  the child), add encoding-sensitive exec/spawn overloads (plain-gh), restore
  the full release profile union, make parsed paths string | null, add missing
  parseArgs fields via help/non-help unions, add a missing sibling declaration
  (budget-number-args), drop 15 unused lint directives
- precise install-record/tuple typing removes the type-aware oxlint
  regressions the first declarations caused in scripts/e2e implementations
- route .mts declaration edits under test/ to the testRoot lane and reference
  the test-root project from tsconfig.projects.json so tsgo:all covers it
  (closes both review findings against the lane wiring)

* chore(scripts): keep telegram runner dist typing structural for the boundary guard

* chore(types): declare runtime pack and gateway readiness exports added on main

* test: pin the importTargetPlan form of the plugin-contract plan import

The guard expectation still referenced the raw await import( form that
7ae5996bb3 (#103975) replaced with the importTargetPlan fallback helper;
the assertion fails on current main.
2026-07-11 06:15:41 -07:00

77 lines
3.5 KiB
TypeScript

export const GITHUB_API_REQUEST_TIMEOUT_MS: number;
export const GITHUB_ERROR_BODY_MAX_BYTES: number;
export const GITHUB_RESPONSE_BODY_MAX_BYTES: number;
export const allowSecuritySensitiveCommand: string;
export const securitySensitiveGuardMarker: string;
type Comment = { body?: string; created_at?: string; html_url?: string; user?: { login?: string } };
type ActorCandidate = { login: string; source: string };
export function securitySensitiveFileDefinitions(): Array<{ path: string; reason: string }>;
export function securitySensitiveFileDefinition(
filename: string,
): { path: string; reason: string } | undefined;
export function isSecuritySensitiveFile(filename: string): boolean;
export function sanitizeDisplayValue(value: unknown): string;
export function markdownCode(value: unknown): string;
export function findSecuritySensitiveOverrideCommand(options: {
comments: Comment[];
expectedSha: string;
isSecurityMember: (login: string) => boolean;
newerThan?: string;
}): { login: string; reason: string | null; sha: string; url?: string } | null;
export function findSecuritySensitiveOverrideCommandAsync(options: {
comments: Comment[];
expectedSha: string;
isSecurityMember: (login: string) => Promise<boolean>;
newerThan?: string;
}): Promise<{ login: string; reason: string | null; sha: string; url?: string } | null>;
export function securitySensitiveGuardCommentHeadSha(comment: Comment): string | null;
export function securitySensitiveOverrideExpectedSha(
comment: Comment | null,
currentHeadSha: string,
): string | null;
export function isSecuritySensitiveGuardAuthorizedForHead(
comment: Comment,
currentHeadSha: string,
): boolean;
export function isSecuritySensitiveGuardTrustedForHead(
comment: Comment,
currentHeadSha: string,
): boolean;
export function securityApproverSet(value: unknown): Set<string>;
export function securitySensitiveGuardCommentAuthors(value?: unknown): Set<string>;
export function isSecuritySensitiveGuardMarkerComment(
comment: Comment,
trustedAuthors: Set<string>,
): boolean;
export function collectSecuritySensitiveChanges(
files: Array<{ filename: string; previous_filename?: string; status?: string }>,
): Array<Record<string, string>>;
export function renderSecuritySensitiveAwarenessComment(
changes: Array<Record<string, string>>,
): string;
export function renderAuthorizedSecuritySensitiveComment(override: Record<string, unknown>): string;
export function renderTrustedSecuritySensitiveComment(options: Record<string, unknown>): string;
export function renderClearedSecuritySensitiveGuardComment(options: { headSha: string }): string;
export function renderBlockedSecuritySensitiveComment(options: Record<string, unknown>): string;
export function securitySensitiveGuardTrustedActorCandidates(
options: Record<string, unknown>,
): ActorCandidate[];
export function findTrustedSecuritySensitiveGuardActor(options: {
candidates: ActorCandidate[];
isSecuritySensitiveApprover: (login: string) => Promise<string | null>;
}): Promise<{ login: string; reason: string } | null>;
export function githubApi(
token: string,
options?: { fetchImpl?: typeof fetch; responseMaxBodyBytes?: number; timeoutMs?: number },
): { request(path: string, options?: Record<string, unknown>): Promise<unknown> };
export function readBoundedGitHubErrorText(
response: Response,
maxBytes?: number,
options?: { signal?: AbortSignal },
): Promise<string>;
export function readBoundedGitHubJson(
response: Response,
maxBytes?: number,
options?: { signal?: AbortSignal },
): Promise<unknown>;