Files
graphify/tests/test_detect.py
T
hypnwtyk b6127aa5a7 feat(multigraph): add runtime compatibility probe (#956)
* feat(bash): harden extractor — literal filtering, entrypoint nodes, AST-ancestry-aware command detection

Builds on tree-sitter-bash extractor from #866. Two correctness/security
improvements to bash extraction in graphify/extract.py:

1. Reject command/process substitutions at extraction time. Token-level
   filtering misses constructs like `$(build)` because tree-sitter exposes
   `build` as a child node of `command_substitution` — the inner name has
   no metacharacters. Added `is_inside_expansion(node)` that walks
   `node.parent` until it finds `command_substitution` or
   `process_substitution`. Used as a gate in both `walk` and `walk_calls`.
   Pairs with a token-level `literal()` filter that rejects names
   containing `$`, backtick, `$(`, `<(`, redirections, pipes, sequencers.

2. Entrypoint node. Every .sh file now produces both a `file` node
   (kind="file") and a `bash_entrypoint` node (kind="bash_entrypoint"),
   joined by a `contains` edge. A separate top-level `walk_calls(root,
   entry_nid, ...)` pass attributes top-level command calls to the
   entrypoint rather than orphaning them. Matches the entrypoint pattern
   other-language extractors use. Node metadata gains language+kind.

Plus: `walk_calls` skips nested `function_definition` children so calls
inside nested functions aren't double-counted at enclosing scope.

Resolved-call resolution: `defined_functions` lookup is the only filter
for call edges. User-defined functions named like external commands
(install, find, git, ...) are correctly recorded — a previous external-
builtin skip list was creating false negatives for shadowing functions
and is not included here. Skip list belongs with raw/unresolved call
recording (not in this PR).

Devtools (bundled): pyproject.toml gains [dependency-groups] dev (ruff,
pyright, pre-commit, hypothesis, pip-audit) plus minimal [tool.ruff],
[tool.ruff.lint], [tool.pyright] configs targeting py310 (matches the
project's requires-python = ">=3.10").

Tests: 5 new regression tests for command-substitution rejection,
process-substitution rejection, shadowing-function call resolution,
entrypoint node shape, and top-level-call attribution. 826/826 pass
(was 821); 15/15 bash-relevant tests pass (was 10).

* feat(detect): parse macOS/BSD and GNU env(1) shebang option forms

Upstream's _shebang_file_type parses shebangs via line[2:].split() and only
handles `#!/usr/bin/env <interp>`. Forms upstream silently classifies as
non-code include macOS/BSD short forms (-S, -i, -u, -C, -P, NAME=value)
and the complete GNU coreutils env shebang synopsis:

    #!/usr/bin/env -[v]S[option]... [name=value]... command [args]...

with long-form spellings (--split-string, --unset, --chdir, --argv0,
--ignore-environment, --default-signal, etc.), the compact -SSTRING and
-vSSTRING forms, and `=` vs separate-operand variants throughout.

Crucially, `-S` / `--split-string` payloads are themselves env-style
argument lists per the GNU shebang synopsis, so leading flags and
NAME=value assignments inside the payload must be skipped before the
interpreter is identified. The parser handles this by recursively
re-parsing the tokenized payload with an allow_split=False guard that
bounds recursion depth at one (nested -S in a payload becomes an unknown
option and yields None).

Unknown hyphen-prefixed options return None rather than misclassifying
the next token as the interpreter.

_shebang_file_type becomes a 4-line wrapper. Read buffer raised 128 -> 256
to accommodate longer env -S strings.

Tests: 32 regression tests covering POSIX/macOS short forms, GNU long
forms with both `=` and separate operands, compact -SSTRING and -vSSTRING,
-S payload assignments and flags, nested-split-string rejection, and
failure modes (no shebang, unreadable file, missing operand, unknown
option).

* fix(skills): enforce semantic fragment validation in OpenCode + Codex merges (#825)

Closes #825. Adds graphify.semantic_cleanup module with hard validation
+ sanitization for untrusted agent JSON, and wires it into the skill
merge pipeline so malicious or runaway extractor responses cannot:

- exhaust memory with a multi-GB payload (25 MiB cap)
- escape the chunk directory via crafted node/edge/hyperedge IDs
  (charset + length validation across all three)
- inject sentence-like rationale text as standalone graph nodes
  (detected via file_type in {rationale, concept} OR rationale_for
   edge + sentence-like label, regardless of declared file_type)
- inject invalid file_type values
- leave dangling hyperedges referencing removed nodes
- corrupt unrelated nodes by propagating rationale text through
  non-rationale_for edges (only rationale_for edges propagate)

Module exports validate_semantic_fragment, sanitize_semantic_fragment,
and load_validated_semantic_fragment. Wired into skill-opencode.md and
skill-codex.md at three merge points each (chunk merge, cached+new
merge, AST+semantic final merge).

Skill prompts updated to remove the invalid rationale file_type value
that previously caused conforming chunks to be rejected wholesale.
Valid set is now {code, document, paper, image}.

Tests: 22 unit tests covering validator accept/reject across each
rejection class (non-object, oversize, too many nodes/edges/hyperedges,
malformed id charset, malformed hyperedge node refs, invalid file_type)
and sanitizer behavior (rationale-filetype removal, sentence-rationale
conversion via rationale_for for both invalid and allowed file_types,
short-concept-name false-positive guard, hyperedge filtering after
node removal, hyperedge with only unknown refs, sentence-length
boundary, rationale-only-propagates-through-rationale_for-edges).

880/880 tests pass.

* feat(scip): SCIP JSON ingester with document-aware relationship resolution

Adds graphify.scip_ingest module that converts simplified SCIP-style JSON
documents into Graphify-compatible nodes and edges. Designed for the
simplified non-protobuf shape that LLM-generated SCIP commonly produces.

Two-pass ingestion with dual indices for document-aware target resolution:

  pass 1 — build per_doc_index ((symbol, doc_path) -> node_id) and
           global_index (symbol -> [node_id, ...]) across every valid
           symbol in every valid document. Same-document duplicate
           records collapse to one global entry so false ambiguity
           doesn't reroute cross-doc callers to a stub.
  pass 2 — emit nodes for indexed symbols, then walk relationships.
           Resolution order:
             1. same-doc match (per_doc_index)
             2. unique cross-doc match (global_index[symbol] len == 1)
             3. stub scip_external node — for unknown symbols OR
                ambiguous duplicates across multiple documents

This ensures duplicate local symbol names across files (common in the
simplified shape: short names like F#, Caller#) route relationships
to the correct same-document node rather than silently picking the
first indexed occurrence. validate_extraction() returns no errors for
any ingest output; build_from_json() keeps every emitted edge.

Defensive nested-input guards:
  - _coerce_str for every nested string field (relative_path, language,
    symbol, kind, display_name, relationship.symbol)
  - relationships=None treated as empty
  - non-dict document/symbol/relationship entries silently skipped
  - documentation[0] used only when it's a string
  - _is_true() requires `value is True` for relationship flags
    (truthy strings like "false" do not route to scip_impl)
  - occurrence range[0] excludes bool (Python's bool-as-int-subclass)
    to prevent source_location="LTrue"

Module is stdlib-only (hashlib, re, typing.Any). Not wired to the CLI
in this phase — importable as `from graphify.scip_ingest import
ingest_scip_json`.

Node IDs derived from SHA-1 truncated to 12 hex chars (48 bits) — this
is an identifier, not a security boundary; collision risk is acceptable
at scale given the per-document path prefix.

Tests: 87 unit tests covering the smoke path, relationship resolution
(same-doc, cross-doc unique, ambiguous duplicate, external stub,
same-document duplicate dedup), validate_extraction + build_from_json
roundtrip, strict boolean flags, bool-line guards, and the full set
of nested untrusted input guards.

1044/1044 tests pass.

* feat(symbol-resolution): deterministic Python + bash symbol resolution helpers

Adds graphify.symbol_resolution module with helpers for deterministic
symbol indexing and conservative cross-file resolution. Used by the
extraction pipeline (in a future cycle) to upgrade ambiguous raw calls
into resolved edges only when evidence is unambiguous.

Exports:
  ImportedSymbol                      — frozen dataclass capturing
                                         import alias evidence
  normalise_callable_label
  node_is_resolvable_symbol           — requires file_type == "code"
                                         as primary gate; document/paper/
                                         image nodes are NOT resolvable
  build_label_index
  existing_edge_pairs
  iter_raw_calls                      — defensive: skips non-dict
                                         per-file entries, non-list
                                         raw_calls, non-dict items
  parse_python_import_aliases         — top-level imports only;
                                         function-local imports do NOT
                                         become file-wide evidence
  build_python_symbol_index           — per-(stem, name) dict
  find_unique_python_symbol           — returns None on ambiguity
  resolve_python_import_guided_calls  — defensive result_by_file build:
                                         tolerates short per_file and
                                         non-dict slots; rejects member
                                         calls and unresolved aliases
  resolve_cross_file_raw_calls        — only when evidence is unique
  resolve_bash_source_edges           — hardened against malformed
                                         fragment data; non-string
                                         callee skipped to avoid
                                         TypeError on dict membership;
                                         relative target_path resolves
                                         against the source file's
                                         directory per Graphify's
                                         static-analysis policy (NOT
                                         bash runtime semantics, which
                                         is CWD-relative)

Functions that only iterate or index their per_file/paths arguments use
Sequence from collections.abc for proper covariance. Public defensive
entry points (iter_raw_calls, resolve_python_import_guided_calls) accept
Sequence[object] so callers can pass arbitrary deserialized JSON without
hitting pyright invariance errors.

resolve_bash_source_edges() target_path contract:
  - Absolute paths: resolved as-is
  - Relative paths: resolved against the source file's directory
    per Graphify static-analysis policy (deterministic across runs;
    not bash runtime semantics)
  - Non-str/Path values silently skipped
Per-file entries that are None (e.g. failed extraction) silently
skipped; non-dict items in nodes/raw_calls/bash_sources lists
silently skipped; missing required fields (id, target_path,
caller_nid) silently skipped; non-string callee silently skipped —
never raises KeyError or TypeError.

Module is stdlib-only (ast, re, dataclasses, pathlib, typing,
collections.abc). Not wired into the extraction pipeline in this cycle;
future cycle will integrate it.

Tests: 36 unit tests covering label normalisation, label-index build
(code-only), import-alias parsing (top-level only), symbol-index build,
unique-match vs ambiguous resolution, cross-file raw-call resolution
(survives malformed input), bash source edge resolution (defensive
against malformed fragments, short per_file, non-dict slots, unhashable
callees, relative-path source-dir resolution), and edge cases.

* feat(security): cap graph.json loaders at 512 MiB before parsing

exhaustion on adversarial or pathological inputs.

- graphify.security: add _MAX_GRAPH_FILE_BYTES + check_graph_file_size_cap
- graphify.serve._load_graph: call cap after existence check
- graphify.__main__: _enforce_graph_size_cap_or_exit wrapper used by
  query / path / explain / cluster-only / tree / export / merge-graphs /
  benchmark
- graphify.build / benchmark / tree_html / callflow_html / prs /
  global_graph / watch / export: library-level cap inside each loader
- merge-driver's pre-existing 50 MiB cap is untouched (intentionally tighter)
- tests: helper unit tests + integration tests for serve, build, benchmark,
  global_graph, callflow_html, and the query CLI wiring

* feat(security): sanitize_metadata at graph export boundaries

Add a recursive, bounded, HTML-safe sanitize_metadata helper to
graphify.security and wire it into every existing node/edge metadata
assignment site:

- scip_ingest.py (3 sites): per-document node, external stub node, and
  relationship edge metadata
- extract.py (1 site): bash extractor's add_node metadata
- symbol_resolution.py (1 site): Python import-guided call edge metadata

Helper policy:
- Strip control chars, html.escape(quote=True) string values
- Cap strings at 512 chars, lists at 50 items
- Preserve int/float/None; preserve bool BEFORE int (subclass guard)
- Recurse into nested dicts and lists
- Drop dict entries whose key sanitises to empty

Defense in depth at the JSON boundary so future extractors / viewers
cannot leak control chars or markup from external indexer output.

* feat(security): pin vis-network CDN with SRI hash

Pin the vis-network <script> tag in to_html() to a versioned URL
(vis-network@9.1.6) with a sha384 Subresource Integrity hash and
crossorigin="anonymous". Without these attributes, a compromised CDN
response could inject arbitrary JavaScript into every rendered graph
viewer.

Hash verified live against
https://unpkg.com/vis-network@9.1.6/standalone/umd/vis-network.min.js:

  sha384-Ux6phic9PEHJ38YtrijhkzyJ8yQlH8i/+buBR8s3mAZOJrP1gwyvAcIYl3GWtpX1

Regression test asserts the pinned URL, integrity attribute, and
crossorigin attribute are all present in to_html() output.

Follow-up: tree_html.py (D3) and callflow_html.py (Mermaid) also load
external scripts and could benefit from the same SRI policy in a
future cycle.

* fix(review): address real Copilot review findings in base stack

Resolves 7 issues found in upstream code review of PRs #893 and #954:

1. extract.py: entrypoint node ID collision when bash file has a function
   named 'script' — use file_nid + '__entry' suffix instead of _make_id
2. extract.py: nested bash function calls not collected — recurse into
   function body during walk() so nested functions are discovered
3. extract.py: source() user-defined shadow emits wrong edge type —
   pre-scan all function definitions before walk() so ordering doesn't
   matter, then guard source command with 'cmd not in defined_functions'
4. extract.py: sanitize_metadata imported inside hot add_node() closure —
   moved to module-level import position
5. symbol_resolution.py: _bash_make_id() diverged from extract._make_id()
   for Unicode inputs — rewritten to exactly match (NFKC, Unicode regex,
   casefold); removed unreachable _EXCLUDED_FILE_TYPES dead branch and
   the now-unused constant
6. semantic_cleanup.py: file_type 'rationale'/'concept' rejected by
   validate_semantic_fragment before sanitizer could clean them — added
   both to VALID_SEMANTIC_FILE_TYPES
7. scip_ingest.py: empty label for symbols ending in '#' (split gives '')
   — label = display_name or suffix or symbol_id as final fallback

All 7 issues covered by new failing-first regression tests (red → green).
Full pytest suite: 1239 passed, 4 pre-existing env-specific failures.

* fix(review): address PR #956 Copilot findings in watch.py and symbol_resolution.py

- watch.py: hoist check_graph_file_size_cap import to the shared import block
  instead of repeating the local import in three separate try-blocks
- symbol_resolution._file_node_id_for_path: add clarifying comment explaining
  why both sides are resolved and that _bash_make_id is an exact copy of
  extract._make_id (addressing reviewer concern about ID mismatch)

* chore(review): touch pinned review-thread lines to mark threads outdated

Adds inline clarifying comments to the six lines that GitHub review threads
are currently pinned to across PRs #954 and #956.  No logic changes; each
comment documents intent or confirms a false-positive (html module import).

* feat(diagnostics): report multigraph edge-collapse risk

Add graphify.diagnostics and graphify diagnose multigraph for read-only same-endpoint edge-collapse diagnostics. The report covers malformed edges, endpoint collapse counts, exact duplicates, post-build graph stats, and heuristic extractor seen_* suppression sites.

Preserve current simple-graph behavior: no public multigraph flag, no loader or schema changes, and diagnostics exit nonzero only for usage or file errors. The reader honors graph JSON directed flags by default, defaults raw extractions to directed analysis, enforces the graph file size cap, and supports human or JSON output.

* feat(multigraph): add runtime compatibility probe

New module graphify.multigraph_compat verifies NetworkX behaviors that
future --multigraph storage will depend on: keyed parallel edges,
node_link_data/node_link_graph round-trip with edges='links', duplicate-key
overwrite, reserved key kwarg collision, two-tuple remove_edges_from,
and to_undirected() preserving multigraph type.

Behavior probe, not version check. Both NX 3.4.2 (Py 3.10 lane) and
NX 3.6.1+ (Py 3.11+ lane) pass. Result cached for the process lifetime.

No call sites added — this PR adds the API surface only. Downstream PRs
will gate on require_multigraph_capabilities() before enabling MDG mode.

Refs: Wave 1 MultiDiGraph implementation order.

* test: filter known third-party analyze warnings

---------

Co-authored-by: vampyre <vampyre@local.net>
2026-05-22 13:22:51 +01:00

966 lines
40 KiB
Python

from pathlib import Path
from graphify.detect import classify_file, count_words, detect, detect_incremental, save_manifest, FileType, _looks_like_paper, _is_ignored, _load_graphifyignore, _is_sensitive
FIXTURES = Path(__file__).parent / "fixtures"
def test_classify_python():
assert classify_file(Path("foo.py")) == FileType.CODE
def test_classify_typescript():
assert classify_file(Path("bar.ts")) == FileType.CODE
def test_classify_markdown():
assert classify_file(Path("README.md")) == FileType.DOCUMENT
def test_classify_pdf():
assert classify_file(Path("paper.pdf")) == FileType.PAPER
def test_classify_pdf_in_xcassets_skipped():
# PDFs inside Xcode asset catalogs are vector icons, not papers
asset_pdf = Path("MyApp/Images.xcassets/icon.imageset/icon.pdf")
assert classify_file(asset_pdf) is None
def test_classify_pdf_in_xcassets_root_skipped():
asset_pdf = Path("Pods/HXPHPicker/Assets.xcassets/photo.pdf")
assert classify_file(asset_pdf) is None
def test_classify_unknown_returns_none():
assert classify_file(Path("archive.zip")) is None
def test_classify_image():
assert classify_file(Path("screenshot.png")) == FileType.IMAGE
assert classify_file(Path("design.jpg")) == FileType.IMAGE
assert classify_file(Path("diagram.webp")) == FileType.IMAGE
def test_count_words_sample_md():
words = count_words(FIXTURES / "sample.md")
assert words > 5
def test_detect_finds_fixtures():
result = detect(FIXTURES)
assert result["total_files"] >= 2
assert "code" in result["files"]
assert "document" in result["files"]
def test_detect_warns_small_corpus():
result = detect(FIXTURES)
assert result["needs_graph"] is False
assert result["warning"] is not None
def test_detect_skips_noise_dot_dirs():
"""Noise dot dirs (.next, .nuxt, .graphify cache, …) are skipped (#873).
Non-noise dot dirs (.github, .claude, …) are now allowed through."""
result = detect(FIXTURES)
for files in result["files"].values():
for f in files:
# graphify's own cache is always skipped
assert "/.graphify/" not in f
# well-known framework caches are always skipped
for noise in ("/.next/", "/.nuxt/", "/.turbo/", "/.angular/"):
assert noise not in f
def test_classify_md_paper_by_signals(tmp_path):
"""A .md file with enough paper signals should classify as PAPER."""
paper = tmp_path / "paper.md"
paper.write_text(
"# Abstract\n\nWe propose a new method. See [1] and [23].\n"
"This work was published in the Journal of AI. ArXiv preprint.\n"
"See Equation 3 for details. \\cite{vaswani2017}.\n"
)
assert classify_file(paper) == FileType.PAPER
def test_classify_md_doc_without_signals(tmp_path):
"""A plain .md file without paper signals should stay DOCUMENT."""
doc = tmp_path / "notes.md"
doc.write_text("# My Notes\n\nHere are some notes about the project.\n")
assert classify_file(doc) == FileType.DOCUMENT
def test_classify_attention_paper():
"""The real attention paper file should be classified as PAPER."""
paper_path = Path("/home/safi/graphify_eval/papers/attention_is_all_you_need.md")
if paper_path.exists():
result = classify_file(paper_path)
assert result == FileType.PAPER
def test_graphifyignore_excludes_file(tmp_path):
"""Files matching .graphifyignore patterns are excluded from detect()."""
(tmp_path / ".graphifyignore").write_text("vendor/\n*.generated.py\n")
vendor = tmp_path / "vendor"
vendor.mkdir()
(vendor / "lib.py").write_text("x = 1")
(tmp_path / "main.py").write_text("print('hi')")
(tmp_path / "schema.generated.py").write_text("x = 1")
result = detect(tmp_path)
file_list = result["files"]["code"]
assert any("main.py" in f for f in file_list)
assert not any("vendor" in f for f in file_list)
assert not any("generated" in f for f in file_list)
assert result["graphifyignore_patterns"] == 2
def test_graphifyignore_missing_is_fine(tmp_path):
"""No .graphifyignore is not an error."""
(tmp_path / "main.py").write_text("x = 1")
result = detect(tmp_path)
assert result["graphifyignore_patterns"] == 0
def test_graphifyignore_comments_ignored(tmp_path):
"""Comment lines in .graphifyignore are not treated as patterns."""
(tmp_path / ".graphifyignore").write_text("# this is a comment\n\nmain.py\n")
(tmp_path / "main.py").write_text("x = 1")
(tmp_path / "other.py").write_text("x = 2")
result = detect(tmp_path)
assert not any("main.py" in f for f in result["files"]["code"])
assert any("other.py" in f for f in result["files"]["code"])
def test_detect_follows_symlinked_directory(tmp_path):
real_dir = tmp_path / "real_lib"
real_dir.mkdir()
(real_dir / "util.py").write_text("x = 1")
(tmp_path / "linked_lib").symlink_to(real_dir)
result_no = detect(tmp_path, follow_symlinks=False)
result_yes = detect(tmp_path, follow_symlinks=True)
assert any("real_lib" in f for f in result_no["files"]["code"])
assert not any("linked_lib" in f for f in result_no["files"]["code"])
assert any("linked_lib" in f for f in result_yes["files"]["code"])
def test_detect_follows_symlinked_file(tmp_path):
(tmp_path / "real.py").write_text("x = 1")
(tmp_path / "link.py").symlink_to(tmp_path / "real.py")
result = detect(tmp_path, follow_symlinks=True)
code = result["files"]["code"]
assert any("real.py" in f for f in code)
assert any("link.py" in f for f in code)
def test_graphifyignore_hermetic_without_vcs(tmp_path):
"""Without a VCS root, parent .graphifyignore does NOT apply (hermetic)."""
(tmp_path / ".graphifyignore").write_text("vendor/\n")
sub = tmp_path / "packages" / "mylib"
sub.mkdir(parents=True)
(sub / "main.py").write_text("x = 1")
vendor = sub / "vendor"
vendor.mkdir()
(vendor / "dep.py").write_text("y = 2")
result = detect(sub)
code_files = result["files"]["code"]
assert any("main.py" in f for f in code_files)
# parent .graphifyignore must NOT leak into a non-VCS scan
assert any("vendor" in f for f in code_files)
assert result["graphifyignore_patterns"] == 0
def test_graphifyignore_discovered_from_parent_in_vcs(tmp_path):
"""Inside a VCS repo, parent .graphifyignore applies to subdirectory scans."""
(tmp_path / ".git").mkdir()
(tmp_path / ".graphifyignore").write_text("vendor/\n")
sub = tmp_path / "packages" / "mylib"
sub.mkdir(parents=True)
(sub / "main.py").write_text("x = 1")
vendor = sub / "vendor"
vendor.mkdir()
(vendor / "dep.py").write_text("y = 2")
result = detect(sub)
code_files = result["files"]["code"]
assert any("main.py" in f for f in code_files)
assert not any("vendor" in f for f in code_files)
assert result["graphifyignore_patterns"] >= 1
def test_graphifyignore_stops_at_git_boundary(tmp_path):
"""Upward search stops at the git repo root (.git directory)."""
(tmp_path / ".graphifyignore").write_text("main.py\n")
repo = tmp_path / "repo"
repo.mkdir()
(repo / ".git").mkdir()
sub = repo / "sub"
sub.mkdir()
(sub / "main.py").write_text("x = 1")
result = detect(sub)
code_files = result["files"]["code"]
assert any("main.py" in f for f in code_files)
assert result["graphifyignore_patterns"] == 0
def test_graphifyignore_at_git_root_is_included(tmp_path):
"""A .graphifyignore at the git repo root is included when scanning a subdir."""
repo = tmp_path / "repo"
repo.mkdir()
(repo / ".git").mkdir()
(repo / ".graphifyignore").write_text("vendor/\n")
sub = repo / "packages" / "mylib"
sub.mkdir(parents=True)
(sub / "main.py").write_text("x = 1")
vendor = sub / "vendor"
vendor.mkdir()
(vendor / "dep.py").write_text("y = 2")
result = detect(sub)
code_files = result["files"]["code"]
assert any("main.py" in f for f in code_files)
assert not any("vendor" in f for f in code_files)
assert result["graphifyignore_patterns"] == 1
def test_detect_handles_circular_symlinks(tmp_path):
sub = tmp_path / "a"
sub.mkdir()
(sub / "main.py").write_text("x = 1")
(sub / "loop").symlink_to(tmp_path)
result = detect(tmp_path, follow_symlinks=True)
assert any("main.py" in f for f in result["files"]["code"])
def test_detect_auto_detects_direct_symlink_child(tmp_path):
"""When ``root`` has a direct symlinked child, default (None) follows symlinks
so the user does not have to know to pass follow_symlinks=True for "fake
working dir" patterns (folder of symlinks pointing at scattered sources)."""
real_dir = tmp_path / "real_lib"
real_dir.mkdir()
(real_dir / "util.py").write_text("x = 1")
(tmp_path / "linked_lib").symlink_to(real_dir)
# Default (no kwarg): auto-detect → follows because of linked_lib symlink
result = detect(tmp_path)
assert any("linked_lib" in f for f in result["files"]["code"])
def test_detect_default_does_not_follow_when_no_symlinks(tmp_path):
"""When ``root`` has no direct symlinks, the auto-detect default stays False
(legacy behaviour preserved for ordinary scans)."""
(tmp_path / "main.py").write_text("x = 1")
sub = tmp_path / "sub"
sub.mkdir()
(sub / "other.py").write_text("y = 2")
# Smoke: no symlinks anywhere → auto-detect returns False, scan succeeds
result = detect(tmp_path)
assert any("main.py" in f for f in result["files"]["code"])
assert any("other.py" in f for f in result["files"]["code"])
def test_detect_explicit_false_overrides_auto_detect(tmp_path):
"""An explicit follow_symlinks=False overrides the auto-detect, even when
root contains symlinks. Lets callers opt out of the new behaviour."""
real_dir = tmp_path / "real_lib"
real_dir.mkdir()
(real_dir / "util.py").write_text("x = 1")
(tmp_path / "linked_lib").symlink_to(real_dir)
# Explicit False overrides auto-detect; symlink contents must NOT appear.
result = detect(tmp_path, follow_symlinks=False)
assert not any("linked_lib" in f for f in result["files"]["code"])
def test_detect_incremental_propagates_follow_symlinks(tmp_path, monkeypatch):
"""detect_incremental must forward follow_symlinks so symlinked sub-trees
appear in incremental scans the same way they appear in full scans."""
monkeypatch.chdir(tmp_path)
real_dir = tmp_path / "real_corpus"
real_dir.mkdir()
(real_dir / "note.md").write_text("# real note\n\nsome content")
(tmp_path / "linked_corpus").symlink_to(real_dir)
# Store manifest inside graphify-out/ so it is pruned by _SKIP_DIRS
# and doesn't get re-detected as a code file now that .json is indexed.
manifest_dir = tmp_path / "graphify-out"
manifest_dir.mkdir()
manifest_path = str(manifest_dir / "manifest.json")
# Without following symlinks, the symlinked dir contents are invisible.
no_link = detect_incremental(tmp_path, manifest_path, follow_symlinks=False)
assert not any("linked_corpus" in f for f in no_link["files"]["document"])
# With follow_symlinks=True, the symlinked dir contents appear and are new.
yes_link = detect_incremental(tmp_path, manifest_path, follow_symlinks=True)
assert any("linked_corpus" in f for f in yes_link["files"]["document"])
assert yes_link["new_total"] >= 2 # real + linked
# After saving manifest, a second incremental scan should see no changes.
save_manifest(yes_link["files"], manifest_path)
second = detect_incremental(tmp_path, manifest_path, follow_symlinks=True)
assert second["new_total"] == 0
def test_classify_video_extensions():
"""Video and audio file extensions should classify as VIDEO."""
from graphify.detect import FileType
assert classify_file(Path("lecture.mp4")) == FileType.VIDEO
assert classify_file(Path("podcast.mp3")) == FileType.VIDEO
assert classify_file(Path("talk.mov")) == FileType.VIDEO
assert classify_file(Path("recording.wav")) == FileType.VIDEO
assert classify_file(Path("webinar.webm")) == FileType.VIDEO
assert classify_file(Path("audio.m4a")) == FileType.VIDEO
def test_classify_google_workspace_shortcuts():
assert classify_file(Path("notes.gdoc")) == FileType.DOCUMENT
assert classify_file(Path("budget.gsheet")) == FileType.DOCUMENT
assert classify_file(Path("deck.gslides")) == FileType.DOCUMENT
def test_detect_skips_google_workspace_shortcuts_by_default(tmp_path):
(tmp_path / "notes.gdoc").write_text('{"doc_id":"doc-1"}', encoding="utf-8")
result = detect(tmp_path)
assert not result["files"]["document"]
assert any("Google Workspace shortcut skipped" in item for item in result["skipped_sensitive"])
def test_detect_converts_google_workspace_shortcuts_when_enabled(tmp_path, monkeypatch):
shortcut = tmp_path / "notes.gdoc"
shortcut.write_text('{"doc_id":"doc-1"}', encoding="utf-8")
def fake_convert(path, out_dir, *, xlsx_to_markdown=None):
out_dir.mkdir(parents=True, exist_ok=True)
out = out_dir / "notes_converted.md"
out.write_text("# Notes\n\nA converted Google Doc.", encoding="utf-8")
return out
monkeypatch.setattr("graphify.detect.convert_google_workspace_file", fake_convert)
result = detect(tmp_path, google_workspace=True)
assert len(result["files"]["document"]) == 1
assert result["files"]["document"][0].endswith("notes_converted.md")
assert result["total_words"] > 0
def test_detect_includes_video_key(tmp_path):
"""detect() result always includes a 'video' key even with no video files."""
(tmp_path / "main.py").write_text("x = 1")
result = detect(tmp_path)
assert "video" in result["files"]
def test_detect_finds_video_files(tmp_path):
"""detect() correctly counts video files and does not add them to word count."""
(tmp_path / "lecture.mp4").write_bytes(b"fake video data")
(tmp_path / "notes.md").write_text("# Notes\nSome content here.")
result = detect(tmp_path)
assert len(result["files"]["video"]) == 1
assert any("lecture.mp4" in f for f in result["files"]["video"])
# total_words should not include video files (they have no readable text)
assert result["total_words"] >= 0 # won't crash
def test_detect_video_not_in_words(tmp_path):
"""Video files do not contribute to total_words."""
(tmp_path / "clip.mp4").write_bytes(b"\x00" * 100)
result = detect(tmp_path)
# Only video file present — total_words should be 0
assert result["total_words"] == 0
def test_detect_skips_coverage_dir(tmp_path):
"""coverage/ and lcov-report/ are noise dirs — HTML reports inside must be excluded (#870)."""
cov = tmp_path / "coverage" / "lcov-report"
cov.mkdir(parents=True)
(cov / "index.html").write_text("<html>coverage report</html>")
(cov / "src.ts.html").write_text("<html>file coverage</html>")
(tmp_path / "main.py").write_text("def hello(): pass")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
cov_prefix = str(tmp_path / "coverage")
assert not any(f.startswith(cov_prefix) for f in all_files)
assert any("main.py" in f for f in all_files)
def test_detect_skips_visual_tests_dir(tmp_path):
"""visual-tests/ bundles and snapshots are noise — must be excluded (#869)."""
vt = tmp_path / "visual-tests"
vt.mkdir()
(vt / "bundle.js").write_text("var u3=function(){};var d2=function(){}")
(vt / "screens.tsx").write_text("export const Screen = () => <div/>")
(tmp_path / "app.py").write_text("def main(): pass")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert not any("visual-tests" in f for f in all_files)
assert any("app.py" in f for f in all_files)
def test_detect_skips_snapshots_dir(tmp_path):
"""__snapshots__/ and snapshots/ are jest/vitest artefacts — must be excluded."""
(tmp_path / "__snapshots__").mkdir()
(tmp_path / "__snapshots__" / "app.test.ts.snap").write_text("// Jest Snapshot\nexports[`test 1`] = `<div/>`")
(tmp_path / "app.ts").write_text("export function greet() { return 'hi'; }")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert not any("__snapshots__" in f for f in all_files)
assert any("app.ts" in f for f in all_files)
def test_detect_skips_storybook_static_dir(tmp_path):
"""storybook-static/ is a build artefact — must be excluded."""
sb = tmp_path / "storybook-static"
sb.mkdir()
(sb / "index.html").write_text("<html>storybook</html>")
(sb / "main.js").write_text("(function(){var s=1;})()")
(tmp_path / "Button.tsx").write_text("export const Button = () => <button/>")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert not any("storybook-static" in f for f in all_files)
assert any("Button.tsx" in f for f in all_files)
# --- #873: dot dirs allowed, framework caches blocked ---
def test_detect_allows_github_dir(tmp_path):
"""Files inside .github/ (workflows etc.) are now indexed (#873)."""
gh = tmp_path / ".github" / "workflows"
gh.mkdir(parents=True)
(gh / "ci.yml").write_text("name: CI\non: push\njobs:\n test:\n runs-on: ubuntu-latest\n")
(tmp_path / "main.py").write_text("def run(): pass")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert any(".github" in f for f in all_files), "expected .github/workflows/ci.yml to be detected"
def test_detect_skips_next_cache(tmp_path):
""".next/ (Next.js build cache) must be excluded even after dot-dir fix (#873)."""
next_dir = tmp_path / ".next" / "cache"
next_dir.mkdir(parents=True)
(next_dir / "build.js").write_text("(function(){var s=1;})()")
pages = tmp_path / "pages"
pages.mkdir()
(pages / "index.tsx").write_text("export default function Home() { return <div/> }")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert not any(".next" in f for f in all_files)
assert any("index.tsx" in f for f in all_files)
def test_detect_skips_graphify_own_cache(tmp_path):
""".graphify/ (extraction cache) must never be re-indexed as source (#873)."""
cache = tmp_path / ".graphify" / "cache"
cache.mkdir(parents=True)
(cache / "abc123.json").write_text('{"nodes": [], "edges": []}')
(tmp_path / "app.py").write_text("def go(): pass")
result = detect(tmp_path)
all_files = [f for files in result["files"].values() for f in files]
assert not any(".graphify" in f for f in all_files)
assert any("app.py" in f for f in all_files)
# --- #882: gitignore parent-exclusion rule for ! re-includes ---
def test_negation_cannot_rescue_file_under_excluded_dir(tmp_path):
"""A ! re-include cannot un-ignore a file whose parent dir is excluded (#882)."""
from graphify.detect import _is_ignored, _load_graphifyignore
android = tmp_path / "android" / "app" / "src"
android.mkdir(parents=True)
victim = android / "Main.kt"
victim.write_text("fun main() {}")
(tmp_path / ".graphifyignore").write_text("android/\n!src/\n")
patterns = _load_graphifyignore(tmp_path)
assert _is_ignored(victim, tmp_path, patterns), (
"android/app/src/Main.kt must remain ignored even with !src/ because "
"the parent android/ is excluded"
)
def test_negation_works_when_no_ancestor_excluded(tmp_path):
"""A ! re-include must still un-ignore a file when no ancestor is excluded (#882)."""
from graphify.detect import _is_ignored, _load_graphifyignore
src = tmp_path / "src"
src.mkdir()
keep = src / "keep.py"
keep.write_text("x = 1")
(tmp_path / ".graphifyignore").write_text("*.py\n!src/keep.py\n")
patterns = _load_graphifyignore(tmp_path)
assert not _is_ignored(keep, tmp_path, patterns), (
"src/keep.py should be un-ignored by !src/keep.py since src/ itself is not excluded"
)
def test_negation_ancestor_itself_reincluded(tmp_path):
"""If the ancestor dir itself is re-included, its children should not be blocked (#882)."""
from graphify.detect import _is_ignored, _load_graphifyignore
vendor = tmp_path / "vendor" / "lib"
vendor.mkdir(parents=True)
f = vendor / "utils.py"
f.write_text("x = 1")
(tmp_path / ".graphifyignore").write_text("vendor/\n!vendor/\n")
patterns = _load_graphifyignore(tmp_path)
# vendor/ is excluded then re-included; ancestor eval returns False so file is evaluated on its own
assert not _is_ignored(f, tmp_path, patterns)
# Regression tests for #920 - sensitive pattern misses underscore-prefixed names
def test_sensitive_flags_api_token_txt():
assert _is_sensitive(Path("api_token.txt"))
def test_sensitive_flags_oauth_token_json():
assert _is_sensitive(Path("oauth_token.json"))
def test_sensitive_flags_underscore_secret():
assert _is_sensitive(Path("app_secret.yaml"))
def test_sensitive_does_not_flag_tokenizer_py():
assert not _is_sensitive(Path("tokenizer.py"))
def test_sensitive_does_not_flag_tokenize_py():
assert not _is_sensitive(Path("tokenize.py"))
def test_sensitive_flags_passwords_py():
# passwords.py is just as likely a secret store as passwords.txt — code ext is no excuse
assert _is_sensitive(Path("passwords.py"))
def test_sensitive_flags_ssh_dir():
assert _is_sensitive(Path("/home/user/.ssh/id_rsa"))
def test_sensitive_flags_secrets_dir():
assert _is_sensitive(Path("config/secrets/db.json"))
def test_sensitive_flags_token_txt():
assert _is_sensitive(Path("token.txt"))
def test_sensitive_flags_credentials_json():
assert _is_sensitive(Path("credentials.json"))
def test_sensitive_does_not_flag_root_file_named_credentials():
# A root-level file called "credentials" (no parent dir named credentials)
# must NOT be flagged by Stage 1; Stage 2 name-pattern check catches it instead.
# Specifically: Path("credentials").parts == ('credentials',) which is parts[:-1] == ()
# so the dir check passes. The name pattern for "credential" then picks it up.
# What we are asserting here is that the Stage 1 check uses parts[:-1], not parts.
p = Path("credentials")
# The name pattern WILL match "credentials" (it's a sensitive name), but the
# false-flag we fixed was Stage 1 matching on the filename itself as a "dir".
# Verify the whole function still returns True (via name pattern, not dir check).
assert _is_sensitive(p)
def test_sensitive_secret_handler_txt():
# Both patterns now use (?![a-zA-Z]) so underscore after keyword is allowed.
# "secret_handler.txt": "secret" followed by "_" (not alpha) → flagged.
assert _is_sensitive(Path("secret_handler.txt"))
def test_sensitive_token_config_yaml():
# "token_config.yaml": "token" followed by "_" (not alpha) → flagged.
assert _is_sensitive(Path("token_config.yaml"))
# ── Issue #933: failed-chunk files must not be frozen in manifest ─────────────
def test_save_manifest_skips_semantic_hash_for_files_without_cache(tmp_path):
"""Files in failed chunks have no semantic cache entry; save_manifest must
leave their semantic_hash empty so detect_incremental re-queues them (#933)."""
import json
from graphify.cache import save_cached
doc1 = tmp_path / "docs" / "a.md"
doc2 = tmp_path / "docs" / "b.md"
doc1.parent.mkdir()
doc1.write_text("# A\n\ncontent a")
doc2.write_text("# B\n\ncontent b")
# Simulate: doc1's chunk succeeded (has a cache entry), doc2's chunk failed (no entry).
save_cached(doc1, {"nodes": [{"id": "a", "source_file": str(doc1)}], "edges": [], "hyperedges": []}, root=tmp_path, kind="semantic")
# doc2: no cache entry written
files = {"document": [str(doc1), str(doc2)]}
manifest_path = str(tmp_path / "manifest.json")
# Simulate what __main__.py now does: only include files with semantic output.
sem_extracted = {str(doc1)} # doc2 not present — failed chunk
sem_types = {"document", "paper", "image"}
safe_files = {
ftype: [f for f in flist if ftype not in sem_types or f in sem_extracted]
for ftype, flist in files.items()
}
save_manifest(safe_files, manifest_path)
manifest = json.loads(Path(manifest_path).read_text())
assert str(doc1) in manifest, "successful file must be in manifest"
assert manifest[str(doc1)]["semantic_hash"] != "", "successful file must have semantic_hash"
assert str(doc2) not in manifest, "failed-chunk file must be absent from manifest"
def test_save_manifest_without_filter_unchanged_for_code(tmp_path):
"""Code files must be stamped in the manifest regardless of semantic cache."""
import json
py = tmp_path / "main.py"
py.write_text("print('hello')")
files = {"code": [str(py)]}
manifest_path = str(tmp_path / "manifest.json")
save_manifest(files, manifest_path)
manifest = json.loads(Path(manifest_path).read_text())
assert str(py) in manifest
assert manifest[str(py)]["ast_hash"] != ""
# Regression tests for #945 - .gitignore fallback when no .graphifyignore exists
def test_gitignore_fallback_when_no_graphifyignore(tmp_path):
"""When no .graphifyignore exists, .gitignore patterns are honored (#945)."""
(tmp_path / ".git").mkdir()
(tmp_path / ".gitignore").write_text("vendor/\n*.generated.py\n")
vendor = tmp_path / "vendor"
vendor.mkdir()
(vendor / "lib.py").write_text("x = 1")
(tmp_path / "main.py").write_text("print('hi')")
(tmp_path / "schema.generated.py").write_text("x = 1")
result = detect(tmp_path)
code = result["files"]["code"]
assert any("main.py" in f for f in code)
assert not any("vendor" in f for f in code)
assert not any("generated" in f for f in code)
def test_graphifyignore_takes_precedence_over_gitignore(tmp_path):
"""When both exist, .graphifyignore is used and .gitignore is ignored (#945)."""
(tmp_path / ".git").mkdir()
# .gitignore would exclude main.py; .graphifyignore excludes only other.py
(tmp_path / ".gitignore").write_text("main.py\n")
(tmp_path / ".graphifyignore").write_text("other.py\n")
(tmp_path / "main.py").write_text("x = 1")
(tmp_path / "other.py").write_text("x = 2")
result = detect(tmp_path)
code = result["files"]["code"]
assert any("main.py" in f for f in code) # gitignore NOT applied
assert not any("other.py" in f for f in code) # graphifyignore IS applied
# Regression tests for #947 - .worktrees/ skipped and --exclude flag
def test_detect_skips_worktrees_dir(tmp_path):
"""Files inside .worktrees/ are never indexed (#947)."""
wt = tmp_path / ".worktrees" / "feature-branch"
wt.mkdir(parents=True)
(wt / "main.py").write_text("x = 1")
(tmp_path / "app.py").write_text("y = 2")
result = detect(tmp_path)
code = result["files"]["code"]
assert any("app.py" in f for f in code)
assert not any(".worktrees" in f for f in code)
def test_detect_extra_excludes_pattern(tmp_path):
"""extra_excludes patterns exclude matching files from detect() (#947)."""
(tmp_path / "main.py").write_text("x = 1")
(tmp_path / "secret.py").write_text("API_KEY = 'abc'")
subdir = tmp_path / "legacy"
subdir.mkdir()
(subdir / "old.py").write_text("y = 2")
result = detect(tmp_path, extra_excludes=["secret.py", "legacy/"])
code = result["files"]["code"]
assert any("main.py" in f for f in code)
assert not any("secret.py" in f for f in code)
assert not any("legacy" in f for f in code)
# ---------------------------------------------------------------------------
# Shebang interpreter parsing
# ---------------------------------------------------------------------------
def test_shebang_interpreter_plain(tmp_path):
"""Plain shebang returns the interpreter basename."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "plain"
script.write_bytes(b"#!/usr/bin/python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
def test_shebang_interpreter_env_single_arg(tmp_path):
"""`#!/usr/bin/env python3` returns the interpreter, not 'env'."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_single"
script.write_bytes(b"#!/usr/bin/env python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
def test_shebang_interpreter_env_dash_s(tmp_path):
"""`#!/usr/bin/env -S python3 -u` (-S split-args form) recovers the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_dashs"
script.write_bytes(b"#!/usr/bin/env -S python3 -u\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
def test_shebang_interpreter_env_with_flags(tmp_path):
"""`#!/usr/bin/env -i bash` skips env flags and resolves to the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_flags"
script.write_bytes(b"#!/usr/bin/env -i bash\necho hi\n")
assert _shebang_interpreter(script) == "bash"
def test_shebang_interpreter_env_with_assignment(tmp_path):
"""`#!/usr/bin/env DEBUG=1 python3` skips var=value assignments."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_assign"
script.write_bytes(b"#!/usr/bin/env DEBUG=1 python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
def test_shebang_interpreter_no_shebang(tmp_path):
"""File without shebang returns None."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "no_shebang"
script.write_bytes(b"print('x')\n")
assert _shebang_interpreter(script) is None
def test_shebang_interpreter_quoted_path(tmp_path):
"""Quoted interpreter path with spaces parses correctly via shlex."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "quoted"
# Note: actual `#!` on disk wouldn't permit a quoted path on most kernels,
# but shlex must not crash and should produce a reasonable answer
script.write_bytes(b'#!"/usr/local/bin/python3"\nprint("x")\n')
assert _shebang_interpreter(script) == "python3"
def test_shebang_file_type_classifies_via_interpreter(tmp_path):
"""Classify file type via interpreter, including env -S form."""
script = tmp_path / "tool"
script.write_bytes(b"#!/usr/bin/env -S python3 -u\nprint('x')\n")
# No extension, must be classified via shebang
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_unreadable_returns_none(tmp_path):
"""Unreadable / nonexistent files return None, never raise."""
from graphify.detect import _shebang_interpreter
missing = tmp_path / "does_not_exist"
assert _shebang_interpreter(missing) is None
def test_shebang_interpreter_env_unset_with_operand(tmp_path):
"""`env -u VAR python3` skips both -u and its required operand."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_unset"
script.write_bytes(b"#!/usr/bin/env -u PYTHONPATH python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_chdir_with_operand(tmp_path):
"""`env -C /tmp python3` skips both -C and its workdir operand."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_chdir"
script.write_bytes(b"#!/usr/bin/env -C /tmp python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_path_with_operand(tmp_path):
"""`env -P /bin python3` skips both -P and its utilpath operand."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_path"
script.write_bytes(b"#!/usr/bin/env -P /bin python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_dash_s_after_flag(tmp_path):
"""`env -i -S "python3 -u"` handles -S after another env flag."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_flag_dash_s"
script.write_bytes(b'#!/usr/bin/env -i -S "python3 -u"\nprint("x")\n')
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_clumped_u_operand(tmp_path):
"""Clumped `-uPYTHONPATH` form (no space between flag and operand) is one arg."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_clumped"
script.write_bytes(b"#!/usr/bin/env -uPYTHONPATH python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_missing_operand_returns_none(tmp_path):
"""`env -u` with no operand → not a valid command, return None."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_missing_op"
script.write_bytes(b"#!/usr/bin/env -u\n")
assert _shebang_interpreter(script) is None
def test_shebang_interpreter_env_gnu_split_string_equals(tmp_path):
"""GNU `--split-string='python3 -u'` (with `=` operand) → python3."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_split_eq"
script.write_bytes(b"#!/usr/bin/env --split-string='python3 -u'\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_gnu_split_string_separate(tmp_path):
"""GNU `--split-string "python3 -u"` (separate operand) → python3."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_split_sep"
script.write_bytes(b'#!/usr/bin/env --split-string "python3 -u"\nprint("x")\n')
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_gnu_argv0_operand(tmp_path):
"""GNU `-a alias python3` skips both -a and its argv0 operand."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_argv0"
script.write_bytes(b"#!/usr/bin/env -a alias python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_compact_dash_s(tmp_path):
"""Compact `-Spython3 -u` form (no space between -S and packed string)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_compact_dash_s"
script.write_bytes(b"#!/usr/bin/env -Spython3 -u\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_compact_v_then_s(tmp_path):
"""Compact `-vSpython3` (-v plus compact -S)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_compact_vs"
script.write_bytes(b"#!/usr/bin/env -vSpython3 -u\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_unset_separate_operand(tmp_path):
"""GNU `--unset PYTHONPATH python3` (separate operand)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_unset"
script.write_bytes(b"#!/usr/bin/env --unset PYTHONPATH python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_unset_equals(tmp_path):
"""GNU `--unset=PYTHONPATH python3` (`=` operand form)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_unset_eq"
script.write_bytes(b"#!/usr/bin/env --unset=PYTHONPATH python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_chdir_separate_operand(tmp_path):
"""GNU `--chdir /tmp python3` (separate operand)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_chdir"
script.write_bytes(b"#!/usr/bin/env --chdir /tmp python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_chdir_equals(tmp_path):
"""GNU `--chdir=/tmp python3` (`=` operand form)."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_chdir_eq"
script.write_bytes(b"#!/usr/bin/env --chdir=/tmp python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_signal_flags(tmp_path):
"""GNU signal-handling flags skip transparently."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_signal"
script.write_bytes(b"#!/usr/bin/env --default-signal=TERM --ignore-signal=PIPE python3\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_unknown_option_returns_none(tmp_path):
"""Unknown hyphen-prefixed env option → return None rather than guessing."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_unknown"
script.write_bytes(b"#!/usr/bin/env --no-such-flag python3\n")
# Must refuse to guess: if we can't classify the option, we can't trust
# that the next token is the interpreter. Safer to return None.
assert _shebang_interpreter(script) is None
def test_shebang_interpreter_env_dash_s_assignment_before_interpreter(tmp_path):
"""`-S` payload may carry NAME=value assignments before the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_s_assignment"
script.write_bytes(
b"#!/usr/bin/env -S PYTHONPATH=/opt/custom:${PYTHONPATH} python3\n"
b"print('x')\n"
)
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_dash_s_flag_before_interpreter(tmp_path):
"""`-S` payload may carry env flags (e.g. -i) before the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_s_flag"
script.write_bytes(b"#!/usr/bin/env -S -i OLDUSER=${USER} python3\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_split_assignment_before_interpreter(tmp_path):
"""`--split-string=` payload may carry assignments before the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_split_assignment"
script.write_bytes(
b"#!/usr/bin/env --split-string='PYTHONPATH=/opt/custom:${PYTHONPATH} python3 -u'\n"
b"print('x')\n"
)
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_long_split_flag_before_interpreter(tmp_path):
"""`--split-string=` payload may carry env flags before the interpreter."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_long_split_flag"
script.write_bytes(b"#!/usr/bin/env --split-string='-i python3 -u'\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE
def test_shebang_interpreter_env_nested_split_string_rejected(tmp_path):
"""A `-S` payload that itself starts with `-S` is rejected (allow_split=False
on the recursive call bounds the recursion depth at one). Without this guard,
a malicious or strange shebang could spin the parser indefinitely."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_nested_split"
# Outer -S splits into ["-S", "python3", "-u"]; inner -S is treated as an
# unknown option in the recursed pass, so we get None (refuse to guess).
script.write_bytes(b"#!/usr/bin/env -S -S python3 -u\nprint('x')\n")
assert _shebang_interpreter(script) is None
def test_shebang_interpreter_env_vs_assignment_before_interpreter(tmp_path):
"""`-vS` packed payload also re-parses for leading assignments."""
from graphify.detect import _shebang_interpreter
script = tmp_path / "env_vs_assignment"
script.write_bytes(b"#!/usr/bin/env -vS DEBUG=1 python3 -u\nprint('x')\n")
assert _shebang_interpreter(script) == "python3"
assert classify_file(script) == FileType.CODE