mirror of
https://github.com/safishamsi/graphify.git
synced 2026-07-13 19:07:10 +00:00
b6127aa5a7
* feat(bash): harden extractor — literal filtering, entrypoint nodes, AST-ancestry-aware command detection Builds on tree-sitter-bash extractor from #866. Two correctness/security improvements to bash extraction in graphify/extract.py: 1. Reject command/process substitutions at extraction time. Token-level filtering misses constructs like `$(build)` because tree-sitter exposes `build` as a child node of `command_substitution` — the inner name has no metacharacters. Added `is_inside_expansion(node)` that walks `node.parent` until it finds `command_substitution` or `process_substitution`. Used as a gate in both `walk` and `walk_calls`. Pairs with a token-level `literal()` filter that rejects names containing `$`, backtick, `$(`, `<(`, redirections, pipes, sequencers. 2. Entrypoint node. Every .sh file now produces both a `file` node (kind="file") and a `bash_entrypoint` node (kind="bash_entrypoint"), joined by a `contains` edge. A separate top-level `walk_calls(root, entry_nid, ...)` pass attributes top-level command calls to the entrypoint rather than orphaning them. Matches the entrypoint pattern other-language extractors use. Node metadata gains language+kind. Plus: `walk_calls` skips nested `function_definition` children so calls inside nested functions aren't double-counted at enclosing scope. Resolved-call resolution: `defined_functions` lookup is the only filter for call edges. User-defined functions named like external commands (install, find, git, ...) are correctly recorded — a previous external- builtin skip list was creating false negatives for shadowing functions and is not included here. Skip list belongs with raw/unresolved call recording (not in this PR). Devtools (bundled): pyproject.toml gains [dependency-groups] dev (ruff, pyright, pre-commit, hypothesis, pip-audit) plus minimal [tool.ruff], [tool.ruff.lint], [tool.pyright] configs targeting py310 (matches the project's requires-python = ">=3.10"). Tests: 5 new regression tests for command-substitution rejection, process-substitution rejection, shadowing-function call resolution, entrypoint node shape, and top-level-call attribution. 826/826 pass (was 821); 15/15 bash-relevant tests pass (was 10). * feat(detect): parse macOS/BSD and GNU env(1) shebang option forms Upstream's _shebang_file_type parses shebangs via line[2:].split() and only handles `#!/usr/bin/env <interp>`. Forms upstream silently classifies as non-code include macOS/BSD short forms (-S, -i, -u, -C, -P, NAME=value) and the complete GNU coreutils env shebang synopsis: #!/usr/bin/env -[v]S[option]... [name=value]... command [args]... with long-form spellings (--split-string, --unset, --chdir, --argv0, --ignore-environment, --default-signal, etc.), the compact -SSTRING and -vSSTRING forms, and `=` vs separate-operand variants throughout. Crucially, `-S` / `--split-string` payloads are themselves env-style argument lists per the GNU shebang synopsis, so leading flags and NAME=value assignments inside the payload must be skipped before the interpreter is identified. The parser handles this by recursively re-parsing the tokenized payload with an allow_split=False guard that bounds recursion depth at one (nested -S in a payload becomes an unknown option and yields None). Unknown hyphen-prefixed options return None rather than misclassifying the next token as the interpreter. _shebang_file_type becomes a 4-line wrapper. Read buffer raised 128 -> 256 to accommodate longer env -S strings. Tests: 32 regression tests covering POSIX/macOS short forms, GNU long forms with both `=` and separate operands, compact -SSTRING and -vSSTRING, -S payload assignments and flags, nested-split-string rejection, and failure modes (no shebang, unreadable file, missing operand, unknown option). * fix(skills): enforce semantic fragment validation in OpenCode + Codex merges (#825) Closes #825. Adds graphify.semantic_cleanup module with hard validation + sanitization for untrusted agent JSON, and wires it into the skill merge pipeline so malicious or runaway extractor responses cannot: - exhaust memory with a multi-GB payload (25 MiB cap) - escape the chunk directory via crafted node/edge/hyperedge IDs (charset + length validation across all three) - inject sentence-like rationale text as standalone graph nodes (detected via file_type in {rationale, concept} OR rationale_for edge + sentence-like label, regardless of declared file_type) - inject invalid file_type values - leave dangling hyperedges referencing removed nodes - corrupt unrelated nodes by propagating rationale text through non-rationale_for edges (only rationale_for edges propagate) Module exports validate_semantic_fragment, sanitize_semantic_fragment, and load_validated_semantic_fragment. Wired into skill-opencode.md and skill-codex.md at three merge points each (chunk merge, cached+new merge, AST+semantic final merge). Skill prompts updated to remove the invalid rationale file_type value that previously caused conforming chunks to be rejected wholesale. Valid set is now {code, document, paper, image}. Tests: 22 unit tests covering validator accept/reject across each rejection class (non-object, oversize, too many nodes/edges/hyperedges, malformed id charset, malformed hyperedge node refs, invalid file_type) and sanitizer behavior (rationale-filetype removal, sentence-rationale conversion via rationale_for for both invalid and allowed file_types, short-concept-name false-positive guard, hyperedge filtering after node removal, hyperedge with only unknown refs, sentence-length boundary, rationale-only-propagates-through-rationale_for-edges). 880/880 tests pass. * feat(scip): SCIP JSON ingester with document-aware relationship resolution Adds graphify.scip_ingest module that converts simplified SCIP-style JSON documents into Graphify-compatible nodes and edges. Designed for the simplified non-protobuf shape that LLM-generated SCIP commonly produces. Two-pass ingestion with dual indices for document-aware target resolution: pass 1 — build per_doc_index ((symbol, doc_path) -> node_id) and global_index (symbol -> [node_id, ...]) across every valid symbol in every valid document. Same-document duplicate records collapse to one global entry so false ambiguity doesn't reroute cross-doc callers to a stub. pass 2 — emit nodes for indexed symbols, then walk relationships. Resolution order: 1. same-doc match (per_doc_index) 2. unique cross-doc match (global_index[symbol] len == 1) 3. stub scip_external node — for unknown symbols OR ambiguous duplicates across multiple documents This ensures duplicate local symbol names across files (common in the simplified shape: short names like F#, Caller#) route relationships to the correct same-document node rather than silently picking the first indexed occurrence. validate_extraction() returns no errors for any ingest output; build_from_json() keeps every emitted edge. Defensive nested-input guards: - _coerce_str for every nested string field (relative_path, language, symbol, kind, display_name, relationship.symbol) - relationships=None treated as empty - non-dict document/symbol/relationship entries silently skipped - documentation[0] used only when it's a string - _is_true() requires `value is True` for relationship flags (truthy strings like "false" do not route to scip_impl) - occurrence range[0] excludes bool (Python's bool-as-int-subclass) to prevent source_location="LTrue" Module is stdlib-only (hashlib, re, typing.Any). Not wired to the CLI in this phase — importable as `from graphify.scip_ingest import ingest_scip_json`. Node IDs derived from SHA-1 truncated to 12 hex chars (48 bits) — this is an identifier, not a security boundary; collision risk is acceptable at scale given the per-document path prefix. Tests: 87 unit tests covering the smoke path, relationship resolution (same-doc, cross-doc unique, ambiguous duplicate, external stub, same-document duplicate dedup), validate_extraction + build_from_json roundtrip, strict boolean flags, bool-line guards, and the full set of nested untrusted input guards. 1044/1044 tests pass. * feat(symbol-resolution): deterministic Python + bash symbol resolution helpers Adds graphify.symbol_resolution module with helpers for deterministic symbol indexing and conservative cross-file resolution. Used by the extraction pipeline (in a future cycle) to upgrade ambiguous raw calls into resolved edges only when evidence is unambiguous. Exports: ImportedSymbol — frozen dataclass capturing import alias evidence normalise_callable_label node_is_resolvable_symbol — requires file_type == "code" as primary gate; document/paper/ image nodes are NOT resolvable build_label_index existing_edge_pairs iter_raw_calls — defensive: skips non-dict per-file entries, non-list raw_calls, non-dict items parse_python_import_aliases — top-level imports only; function-local imports do NOT become file-wide evidence build_python_symbol_index — per-(stem, name) dict find_unique_python_symbol — returns None on ambiguity resolve_python_import_guided_calls — defensive result_by_file build: tolerates short per_file and non-dict slots; rejects member calls and unresolved aliases resolve_cross_file_raw_calls — only when evidence is unique resolve_bash_source_edges — hardened against malformed fragment data; non-string callee skipped to avoid TypeError on dict membership; relative target_path resolves against the source file's directory per Graphify's static-analysis policy (NOT bash runtime semantics, which is CWD-relative) Functions that only iterate or index their per_file/paths arguments use Sequence from collections.abc for proper covariance. Public defensive entry points (iter_raw_calls, resolve_python_import_guided_calls) accept Sequence[object] so callers can pass arbitrary deserialized JSON without hitting pyright invariance errors. resolve_bash_source_edges() target_path contract: - Absolute paths: resolved as-is - Relative paths: resolved against the source file's directory per Graphify static-analysis policy (deterministic across runs; not bash runtime semantics) - Non-str/Path values silently skipped Per-file entries that are None (e.g. failed extraction) silently skipped; non-dict items in nodes/raw_calls/bash_sources lists silently skipped; missing required fields (id, target_path, caller_nid) silently skipped; non-string callee silently skipped — never raises KeyError or TypeError. Module is stdlib-only (ast, re, dataclasses, pathlib, typing, collections.abc). Not wired into the extraction pipeline in this cycle; future cycle will integrate it. Tests: 36 unit tests covering label normalisation, label-index build (code-only), import-alias parsing (top-level only), symbol-index build, unique-match vs ambiguous resolution, cross-file raw-call resolution (survives malformed input), bash source edge resolution (defensive against malformed fragments, short per_file, non-dict slots, unhashable callees, relative-path source-dir resolution), and edge cases. * feat(security): cap graph.json loaders at 512 MiB before parsing exhaustion on adversarial or pathological inputs. - graphify.security: add _MAX_GRAPH_FILE_BYTES + check_graph_file_size_cap - graphify.serve._load_graph: call cap after existence check - graphify.__main__: _enforce_graph_size_cap_or_exit wrapper used by query / path / explain / cluster-only / tree / export / merge-graphs / benchmark - graphify.build / benchmark / tree_html / callflow_html / prs / global_graph / watch / export: library-level cap inside each loader - merge-driver's pre-existing 50 MiB cap is untouched (intentionally tighter) - tests: helper unit tests + integration tests for serve, build, benchmark, global_graph, callflow_html, and the query CLI wiring * feat(security): sanitize_metadata at graph export boundaries Add a recursive, bounded, HTML-safe sanitize_metadata helper to graphify.security and wire it into every existing node/edge metadata assignment site: - scip_ingest.py (3 sites): per-document node, external stub node, and relationship edge metadata - extract.py (1 site): bash extractor's add_node metadata - symbol_resolution.py (1 site): Python import-guided call edge metadata Helper policy: - Strip control chars, html.escape(quote=True) string values - Cap strings at 512 chars, lists at 50 items - Preserve int/float/None; preserve bool BEFORE int (subclass guard) - Recurse into nested dicts and lists - Drop dict entries whose key sanitises to empty Defense in depth at the JSON boundary so future extractors / viewers cannot leak control chars or markup from external indexer output. * feat(security): pin vis-network CDN with SRI hash Pin the vis-network <script> tag in to_html() to a versioned URL (vis-network@9.1.6) with a sha384 Subresource Integrity hash and crossorigin="anonymous". Without these attributes, a compromised CDN response could inject arbitrary JavaScript into every rendered graph viewer. Hash verified live against https://unpkg.com/vis-network@9.1.6/standalone/umd/vis-network.min.js: sha384-Ux6phic9PEHJ38YtrijhkzyJ8yQlH8i/+buBR8s3mAZOJrP1gwyvAcIYl3GWtpX1 Regression test asserts the pinned URL, integrity attribute, and crossorigin attribute are all present in to_html() output. Follow-up: tree_html.py (D3) and callflow_html.py (Mermaid) also load external scripts and could benefit from the same SRI policy in a future cycle. * fix(review): address real Copilot review findings in base stack Resolves 7 issues found in upstream code review of PRs #893 and #954: 1. extract.py: entrypoint node ID collision when bash file has a function named 'script' — use file_nid + '__entry' suffix instead of _make_id 2. extract.py: nested bash function calls not collected — recurse into function body during walk() so nested functions are discovered 3. extract.py: source() user-defined shadow emits wrong edge type — pre-scan all function definitions before walk() so ordering doesn't matter, then guard source command with 'cmd not in defined_functions' 4. extract.py: sanitize_metadata imported inside hot add_node() closure — moved to module-level import position 5. symbol_resolution.py: _bash_make_id() diverged from extract._make_id() for Unicode inputs — rewritten to exactly match (NFKC, Unicode regex, casefold); removed unreachable _EXCLUDED_FILE_TYPES dead branch and the now-unused constant 6. semantic_cleanup.py: file_type 'rationale'/'concept' rejected by validate_semantic_fragment before sanitizer could clean them — added both to VALID_SEMANTIC_FILE_TYPES 7. scip_ingest.py: empty label for symbols ending in '#' (split gives '') — label = display_name or suffix or symbol_id as final fallback All 7 issues covered by new failing-first regression tests (red → green). Full pytest suite: 1239 passed, 4 pre-existing env-specific failures. * fix(review): address PR #956 Copilot findings in watch.py and symbol_resolution.py - watch.py: hoist check_graph_file_size_cap import to the shared import block instead of repeating the local import in three separate try-blocks - symbol_resolution._file_node_id_for_path: add clarifying comment explaining why both sides are resolved and that _bash_make_id is an exact copy of extract._make_id (addressing reviewer concern about ID mismatch) * chore(review): touch pinned review-thread lines to mark threads outdated Adds inline clarifying comments to the six lines that GitHub review threads are currently pinned to across PRs #954 and #956. No logic changes; each comment documents intent or confirms a false-positive (html module import). * feat(diagnostics): report multigraph edge-collapse risk Add graphify.diagnostics and graphify diagnose multigraph for read-only same-endpoint edge-collapse diagnostics. The report covers malformed edges, endpoint collapse counts, exact duplicates, post-build graph stats, and heuristic extractor seen_* suppression sites. Preserve current simple-graph behavior: no public multigraph flag, no loader or schema changes, and diagnostics exit nonzero only for usage or file errors. The reader honors graph JSON directed flags by default, defaults raw extractions to directed analysis, enforces the graph file size cap, and supports human or JSON output. * feat(multigraph): add runtime compatibility probe New module graphify.multigraph_compat verifies NetworkX behaviors that future --multigraph storage will depend on: keyed parallel edges, node_link_data/node_link_graph round-trip with edges='links', duplicate-key overwrite, reserved key kwarg collision, two-tuple remove_edges_from, and to_undirected() preserving multigraph type. Behavior probe, not version check. Both NX 3.4.2 (Py 3.10 lane) and NX 3.6.1+ (Py 3.11+ lane) pass. Result cached for the process lifetime. No call sites added — this PR adds the API surface only. Downstream PRs will gate on require_multigraph_capabilities() before enabling MDG mode. Refs: Wave 1 MultiDiGraph implementation order. * test: filter known third-party analyze warnings --------- Co-authored-by: vampyre <vampyre@local.net>
1020 lines
37 KiB
Python
1020 lines
37 KiB
Python
"""Tests for graphify.symbol_resolution."""
|
|
|
|
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
|
|
from graphify.symbol_resolution import (
|
|
_bash_make_id,
|
|
build_label_index,
|
|
build_python_symbol_index,
|
|
find_unique_python_symbol,
|
|
node_is_resolvable_symbol,
|
|
normalise_callable_label,
|
|
parse_python_import_aliases,
|
|
resolve_bash_source_edges,
|
|
resolve_cross_file_raw_calls,
|
|
resolve_python_import_guided_calls,
|
|
)
|
|
|
|
|
|
def test_normalise_callable_label_strips_function_punctuation() -> None:
|
|
assert normalise_callable_label("run()") == "run"
|
|
assert normalise_callable_label(".process()") == "process"
|
|
assert normalise_callable_label(" Execute ") == "execute"
|
|
|
|
|
|
def test_node_is_resolvable_symbol_skips_rationale_and_doc_tags() -> None:
|
|
assert node_is_resolvable_symbol({"id": "a", "label": "run()", "file_type": "code"}) is True
|
|
assert node_is_resolvable_symbol({"id": "r", "label": "why", "file_type": "rationale"}) is False
|
|
assert (
|
|
node_is_resolvable_symbol({"id": "d", "label": "param x", "file_type": "doc_tag"}) is False
|
|
)
|
|
|
|
|
|
def test_build_label_index_collects_unique_symbols() -> None:
|
|
nodes = [
|
|
{"id": "a_run", "label": "run()", "file_type": "code"},
|
|
{"id": "b_run", "label": "run()", "file_type": "code"},
|
|
{"id": "doc", "label": "run docs", "file_type": "doc_tag"},
|
|
]
|
|
assert build_label_index(nodes) == {"run": ["a_run", "b_run"]}
|
|
|
|
|
|
def test_resolve_cross_file_raw_calls_emits_unique_unqualified_call() -> None:
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "helper",
|
|
"is_member_call": False,
|
|
"source_file": "caller.py",
|
|
"source_location": "L2",
|
|
}
|
|
]
|
|
}
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code"},
|
|
{"id": "helper_helper", "label": "helper()", "file_type": "code"},
|
|
]
|
|
edges = []
|
|
|
|
resolved = resolve_cross_file_raw_calls(per_file, nodes, edges)
|
|
|
|
assert resolved == [
|
|
{
|
|
"source": "caller_run",
|
|
"target": "helper_helper",
|
|
"relation": "calls",
|
|
"context": "call",
|
|
"confidence": "INFERRED",
|
|
"confidence_score": 0.8,
|
|
"source_file": "caller.py",
|
|
"source_location": "L2",
|
|
"weight": 1.0,
|
|
}
|
|
]
|
|
|
|
|
|
def test_resolve_cross_file_raw_calls_skips_member_calls() -> None:
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "helper",
|
|
"is_member_call": True,
|
|
"source_file": "caller.py",
|
|
"source_location": "L2",
|
|
}
|
|
]
|
|
}
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code"},
|
|
{"id": "helper_helper", "label": "helper()", "file_type": "code"},
|
|
]
|
|
assert resolve_cross_file_raw_calls(per_file, nodes, []) == []
|
|
|
|
|
|
def test_resolve_cross_file_raw_calls_skips_ambiguous_duplicate_labels() -> None:
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "log",
|
|
"is_member_call": False,
|
|
"source_file": "caller.py",
|
|
"source_location": "L2",
|
|
}
|
|
]
|
|
}
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code"},
|
|
{"id": "a_log", "label": "log()", "file_type": "code"},
|
|
{"id": "b_log", "label": "log()", "file_type": "code"},
|
|
]
|
|
assert resolve_cross_file_raw_calls(per_file, nodes, []) == []
|
|
|
|
|
|
def test_resolve_cross_file_raw_calls_skips_existing_pair() -> None:
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "helper",
|
|
"is_member_call": False,
|
|
"source_file": "caller.py",
|
|
"source_location": "L2",
|
|
}
|
|
]
|
|
}
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code"},
|
|
{"id": "helper_helper", "label": "helper()", "file_type": "code"},
|
|
]
|
|
edges = [{"source": "caller_run", "target": "helper_helper", "relation": "calls"}]
|
|
assert resolve_cross_file_raw_calls(per_file, nodes, edges) == []
|
|
|
|
|
|
def test_parse_python_import_aliases_supports_from_import_alias(tmp_path: Path) -> None:
|
|
src = tmp_path / "caller.py"
|
|
src.write_text("from helper import transform as tx\n", encoding="utf-8")
|
|
|
|
aliases = parse_python_import_aliases(src)
|
|
|
|
assert set(aliases) == {"tx"}
|
|
imported = aliases["tx"]
|
|
assert imported.local_name == "tx"
|
|
assert imported.imported_name == "transform"
|
|
assert imported.module_stem == "helper"
|
|
assert imported.source_location == "L1"
|
|
|
|
|
|
def test_build_python_symbol_index_uses_module_stem_and_label() -> None:
|
|
nodes = [
|
|
{
|
|
"id": "helper_transform",
|
|
"label": "transform()",
|
|
"file_type": "code",
|
|
"source_file": "/repo/helper.py",
|
|
},
|
|
{
|
|
"id": "other_transform",
|
|
"label": "transform()",
|
|
"file_type": "code",
|
|
"source_file": "/repo/other.py",
|
|
},
|
|
]
|
|
index = build_python_symbol_index(nodes)
|
|
assert index[("helper", "transform")] == ["helper_transform"]
|
|
assert index[("other", "transform")] == ["other_transform"]
|
|
|
|
|
|
def test_find_unique_python_symbol_returns_none_when_ambiguous(tmp_path: Path) -> None:
|
|
src = tmp_path / "caller.py"
|
|
src.write_text("from helper import transform\n", encoding="utf-8")
|
|
imported = parse_python_import_aliases(src)["transform"]
|
|
index = {("helper", "transform"): ["a", "b"]}
|
|
assert find_unique_python_symbol(index, imported) is None
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_emits_extracted_edge(tmp_path: Path) -> None:
|
|
caller = tmp_path / "caller.py"
|
|
helper = tmp_path / "helper.py"
|
|
caller.write_text(
|
|
"from helper import transform as tx\n\ndef run(value):\n return tx(value)\n",
|
|
encoding="utf-8",
|
|
)
|
|
helper.write_text("def transform(value):\n return value\n", encoding="utf-8")
|
|
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "tx",
|
|
"is_member_call": False,
|
|
"source_file": str(caller),
|
|
"source_location": "L4",
|
|
}
|
|
]
|
|
},
|
|
{"raw_calls": []},
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code", "source_file": str(caller)},
|
|
{
|
|
"id": "helper_transform",
|
|
"label": "transform()",
|
|
"file_type": "code",
|
|
"source_file": str(helper),
|
|
},
|
|
]
|
|
|
|
edges = resolve_python_import_guided_calls(per_file, [caller, helper], nodes, [])
|
|
|
|
assert edges == [
|
|
{
|
|
"source": "caller_run",
|
|
"target": "helper_transform",
|
|
"relation": "calls",
|
|
"context": "import_guided_call",
|
|
"confidence": "EXTRACTED",
|
|
"confidence_score": 1.0,
|
|
"source_file": str(caller),
|
|
"source_location": "L4",
|
|
"weight": 1.0,
|
|
"metadata": {
|
|
"resolver": "python_import_guided",
|
|
"local_name": "tx",
|
|
"imported_name": "transform",
|
|
"module_stem": "helper",
|
|
"import_source_location": "L1",
|
|
},
|
|
}
|
|
]
|
|
|
|
|
|
# ═══════════════════════════════════════════════════════════════════════════════
|
|
# ── Bash source edges resolver tests ──────────────────────────────────────────
|
|
# ═══════════════════════════════════════════════════════════════════════════════
|
|
|
|
|
|
def test_bash_call_resolver_emits_source_edges(tmp_path: Path) -> None:
|
|
a_sh = tmp_path / "a.sh"
|
|
b_sh = tmp_path / "b.sh"
|
|
a_sh.write_text("#!/usr/bin/env bash\nsource ./b.sh\n")
|
|
b_sh.write_text("#!/usr/bin/env bash\nb_func() { echo ok; }\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"id": "a_sh", "label": "a.sh", "file_type": "code", "source_file": str(a_sh)},
|
|
{
|
|
"id": "a_entry",
|
|
"label": "a.sh script",
|
|
"file_type": "code",
|
|
"source_file": str(a_sh),
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [
|
|
{"source_file": str(a_sh), "target_path": str(b_sh), "source_location": "L2"}
|
|
],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_sh", "label": "b.sh", "file_type": "code", "source_file": str(b_sh)},
|
|
{
|
|
"id": "b_func",
|
|
"label": "b_func()",
|
|
"file_type": "code",
|
|
"source_file": str(b_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
|
|
edges = resolve_bash_source_edges(per_file, [a_sh, b_sh], tmp_path)
|
|
|
|
imports = [e for e in edges if e["relation"] == "imports_from"]
|
|
assert len(imports) == 1
|
|
assert imports[0]["confidence"] == "EXTRACTED"
|
|
|
|
|
|
def test_bash_call_resolver_emits_call_edges_from_sourced_files(tmp_path: Path) -> None:
|
|
a_sh = tmp_path / "a.sh"
|
|
b_sh = tmp_path / "b.sh"
|
|
a_sh.write_text("#!/usr/bin/env bash\nsource ./b.sh\nmain() { b_func; }\n")
|
|
b_sh.write_text("#!/usr/bin/env bash\nb_func() { echo ok; }\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"id": "a_sh", "label": "a.sh", "file_type": "code", "source_file": str(a_sh)},
|
|
{
|
|
"id": "main",
|
|
"label": "main()",
|
|
"file_type": "code",
|
|
"source_file": str(a_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [
|
|
{
|
|
"language": "bash",
|
|
"caller_nid": "main",
|
|
"callee": "b_func",
|
|
"is_member_call": False,
|
|
"source_file": str(a_sh),
|
|
"source_location": "L3",
|
|
}
|
|
],
|
|
"bash_sources": [
|
|
{"source_file": str(a_sh), "target_path": str(b_sh), "source_location": "L2"}
|
|
],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_sh", "label": "b.sh", "file_type": "code", "source_file": str(b_sh)},
|
|
{
|
|
"id": "b_func",
|
|
"label": "b_func()",
|
|
"file_type": "code",
|
|
"source_file": str(b_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
|
|
edges = resolve_bash_source_edges(per_file, [a_sh, b_sh], tmp_path)
|
|
|
|
calls = [e for e in edges if e["relation"] == "calls"]
|
|
assert len(calls) == 1
|
|
assert calls[0]["source"] == "main"
|
|
assert calls[0]["target"] == "b_func"
|
|
assert calls[0]["confidence"] == "EXTRACTED"
|
|
|
|
|
|
def test_bash_call_resolver_skips_existing_pair(tmp_path: Path) -> None:
|
|
a_sh = tmp_path / "a.sh"
|
|
b_sh = tmp_path / "b.sh"
|
|
a_sh.write_text("#!/usr/bin/env bash\nsource ./b.sh\nmain() { b_func; }\n")
|
|
b_sh.write_text("#!/usr/bin/env bash\nb_func() { echo ok; }\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"id": "a_sh", "label": "a.sh", "file_type": "code", "source_file": str(a_sh)},
|
|
{
|
|
"id": "main",
|
|
"label": "main()",
|
|
"file_type": "code",
|
|
"source_file": str(a_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [
|
|
{
|
|
"language": "bash",
|
|
"caller_nid": "main",
|
|
"callee": "b_func",
|
|
"is_member_call": False,
|
|
"source_file": str(a_sh),
|
|
"source_location": "L3",
|
|
}
|
|
],
|
|
"bash_sources": [
|
|
{"source_file": str(a_sh), "target_path": str(b_sh), "source_location": "L2"}
|
|
],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_sh", "label": "b.sh", "file_type": "code", "source_file": str(b_sh)},
|
|
{
|
|
"id": "b_func",
|
|
"label": "b_func()",
|
|
"file_type": "code",
|
|
"source_file": str(b_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
existing = [{"source": "main", "target": "b_func", "relation": "calls"}]
|
|
|
|
edges = resolve_bash_source_edges(per_file, [a_sh, b_sh], tmp_path, existing_edges=existing)
|
|
|
|
calls = [e for e in edges if e["relation"] == "calls"]
|
|
assert len(calls) == 0, f"Should skip existing pair but got: {calls}"
|
|
|
|
|
|
def test_bash_call_resolver_skips_ambiguous_multiple_candidates(tmp_path: Path) -> None:
|
|
"""When a callee function is defined in multiple sourced files, skip it."""
|
|
a_sh = tmp_path / "a.sh"
|
|
b_sh = tmp_path / "b.sh"
|
|
c_sh = tmp_path / "c.sh"
|
|
a_sh.write_text("#!/usr/bin/env bash\nsource ./b.sh\nsource ./c.sh\nmain() { helper; }\n")
|
|
b_sh.write_text("#!/usr/bin/env bash\nhelper() { echo b; }\n")
|
|
c_sh.write_text("#!/usr/bin/env bash\nhelper() { echo c; }\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"id": "a_sh", "label": "a.sh", "file_type": "code", "source_file": str(a_sh)},
|
|
{
|
|
"id": "main",
|
|
"label": "main()",
|
|
"file_type": "code",
|
|
"source_file": str(a_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [
|
|
{
|
|
"language": "bash",
|
|
"caller_nid": "main",
|
|
"callee": "helper",
|
|
"is_member_call": False,
|
|
"source_file": str(a_sh),
|
|
"source_location": "L4",
|
|
}
|
|
],
|
|
"bash_sources": [
|
|
{"source_file": str(a_sh), "target_path": str(b_sh), "source_location": "L2"},
|
|
{"source_file": str(a_sh), "target_path": str(c_sh), "source_location": "L3"},
|
|
],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_sh", "label": "b.sh", "file_type": "code", "source_file": str(b_sh)},
|
|
{
|
|
"id": "b_helper",
|
|
"label": "helper()",
|
|
"file_type": "code",
|
|
"source_file": str(b_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "c_sh", "label": "c.sh", "file_type": "code", "source_file": str(c_sh)},
|
|
{
|
|
"id": "c_helper",
|
|
"label": "helper()",
|
|
"file_type": "code",
|
|
"source_file": str(c_sh),
|
|
"metadata": {"kind": "bash_function"},
|
|
},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
|
|
edges = resolve_bash_source_edges(per_file, [a_sh, b_sh, c_sh], tmp_path)
|
|
|
|
calls = [e for e in edges if e["relation"] == "calls"]
|
|
# helper() is defined in both b.sh and c.sh → ambiguous → should be skipped
|
|
assert len(calls) == 0, f"Should skip ambiguous callee but got: {calls}"
|
|
|
|
|
|
def test_bash_call_resolver_skips_non_bash_raw_calls(tmp_path: Path) -> None:
|
|
"""Non-bash raw_calls inside sourced-file per_file entries are ignored."""
|
|
a_sh = tmp_path / "a.sh"
|
|
a_sh.write_text("#!/usr/bin/env bash\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"id": "a_sh", "label": "a.sh", "file_type": "code", "source_file": str(a_sh)},
|
|
],
|
|
"edges": [],
|
|
"raw_calls": [
|
|
{
|
|
"language": "python",
|
|
"caller_nid": "a_main",
|
|
"callee": "helper",
|
|
"is_member_call": False,
|
|
"source_file": str(a_sh),
|
|
"source_location": "L1",
|
|
}
|
|
],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
|
|
edges = resolve_bash_source_edges(per_file, [a_sh], tmp_path)
|
|
assert edges == [], f"Should ignore non-bash raw_calls but got: {edges}"
|
|
|
|
|
|
def test_bash_make_id_identical_to_make_id() -> None:
|
|
from graphify.extract import _make_id
|
|
|
|
assert _bash_make_id("foo", "bar") == _make_id("foo", "bar")
|
|
assert _bash_make_id("auth") == _make_id("auth")
|
|
assert _bash_make_id("_module", "_helper") == _make_id("_module", "_helper")
|
|
assert _bash_make_id("my-script", "main") == _make_id("my-script", "main")
|
|
|
|
|
|
def test_bash_make_id_unicode_matches_make_id() -> None:
|
|
"""_bash_make_id must produce identical output to _make_id for Unicode inputs.
|
|
|
|
The two functions must remain in sync so resolve_bash_source_edges
|
|
produces node IDs that match those from extract_bash. The original local
|
|
copy lacked NFKC normalisation, Unicode-aware regex, and casefold().
|
|
"""
|
|
from graphify.extract import _make_id
|
|
|
|
# Accented letter: é is a Unicode word char that _make_id preserves
|
|
assert _bash_make_id("café", "run") == _make_id("café", "run"), (
|
|
"_bash_make_id must preserve Unicode word characters like _make_id"
|
|
)
|
|
# German sharp s: casefold maps ß→ss, lower does not
|
|
assert _bash_make_id("straße") == _make_id("straße"), (
|
|
"_bash_make_id must use casefold not lower to match _make_id"
|
|
)
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Cycle 2.5 v2 — Codex blocker fixes
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
# F1 — top-level imports only
|
|
def test_parse_python_import_aliases_skips_function_local_imports(tmp_path):
|
|
"""A `from helper import transform` inside a function MUST NOT become
|
|
file-wide evidence — function-local imports are only valid in their
|
|
lexical scope. Walking the whole AST would falsely justify unrelated
|
|
calls in other scopes."""
|
|
from graphify.symbol_resolution import parse_python_import_aliases
|
|
|
|
py = tmp_path / "scoped.py"
|
|
py.write_text(
|
|
"def one():\n"
|
|
" from helper import transform\n"
|
|
" return transform()\n"
|
|
"\n"
|
|
"def two():\n"
|
|
" return transform()\n"
|
|
)
|
|
aliases = parse_python_import_aliases(py)
|
|
assert "transform" not in aliases, (
|
|
f"function-local import leaked as file-wide evidence: {aliases}"
|
|
)
|
|
|
|
|
|
def test_parse_python_import_aliases_accepts_top_level_import(tmp_path):
|
|
"""A module-level `from helper import transform` IS file-wide evidence."""
|
|
from graphify.symbol_resolution import parse_python_import_aliases
|
|
|
|
py = tmp_path / "toplevel.py"
|
|
py.write_text("from helper import transform\n\ndef one():\n return transform()\n")
|
|
aliases = parse_python_import_aliases(py)
|
|
assert "transform" in aliases
|
|
assert aliases["transform"].module_stem == "helper"
|
|
|
|
|
|
# F2 — only code nodes are resolvable
|
|
def test_node_is_resolvable_symbol_requires_code_file_type():
|
|
"""Document/paper/image/concept nodes MUST NOT be indexed as call targets,
|
|
even when their label looks like a callable identifier."""
|
|
from graphify.symbol_resolution import node_is_resolvable_symbol
|
|
|
|
code = {"id": "n1", "label": "helper", "file_type": "code"}
|
|
doc = {"id": "n2", "label": "helper", "file_type": "document"}
|
|
paper = {"id": "n3", "label": "helper", "file_type": "paper"}
|
|
image = {"id": "n4", "label": "helper", "file_type": "image"}
|
|
no_ft = {"id": "n5", "label": "helper"}
|
|
|
|
assert node_is_resolvable_symbol(code) is True
|
|
assert node_is_resolvable_symbol(doc) is False
|
|
assert node_is_resolvable_symbol(paper) is False
|
|
assert node_is_resolvable_symbol(image) is False
|
|
assert node_is_resolvable_symbol(no_ft) is False
|
|
|
|
|
|
def test_build_label_index_excludes_non_code_nodes():
|
|
"""label index must not include document/paper/image nodes even when
|
|
label and id are present and well-formed."""
|
|
from graphify.symbol_resolution import build_label_index
|
|
|
|
nodes = [
|
|
{"id": "code_one", "label": "helper", "file_type": "code"},
|
|
{"id": "doc_one", "label": "helper", "file_type": "document"},
|
|
{"id": "paper_one", "label": "helper", "file_type": "paper"},
|
|
]
|
|
index = build_label_index(nodes)
|
|
assert index.get("helper") == ["code_one"]
|
|
|
|
|
|
# F3 — bash resolver defensive against malformed input
|
|
def test_resolve_bash_source_edges_skips_malformed_source(tmp_path):
|
|
"""A `bash_sources` entry missing `target_path` must not raise KeyError."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [
|
|
{}, # missing target_path entirely
|
|
{"target_path": ""}, # empty target_path
|
|
{"target_path": None}, # non-string target_path
|
|
],
|
|
}
|
|
]
|
|
a = tmp_path / "a.sh"
|
|
a.write_text("# noop\n")
|
|
edges = resolve_bash_source_edges(per_file, [a], tmp_path)
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_bash_source_edges_skips_bash_function_node_missing_id(tmp_path):
|
|
"""A node tagged as bash_function but missing `id` must not raise KeyError."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [
|
|
{"label": "build()", "metadata": {"kind": "bash_function"}},
|
|
],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
}
|
|
]
|
|
a = tmp_path / "a.sh"
|
|
a.write_text("# noop\n")
|
|
# Should not raise
|
|
edges = resolve_bash_source_edges(per_file, [a], tmp_path)
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_bash_source_edges_skips_raw_call_missing_caller_nid(tmp_path):
|
|
"""A raw_call entry missing `caller_nid` must not raise KeyError."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
a = tmp_path / "a.sh"
|
|
b = tmp_path / "b.sh"
|
|
a.write_text("# noop\n")
|
|
b.write_text("# noop\n")
|
|
per_file = [
|
|
{
|
|
"nodes": [],
|
|
"raw_calls": [
|
|
{"language": "bash", "callee": "helper"}, # missing caller_nid
|
|
],
|
|
"bash_sources": [{"target_path": str(b)}],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_helper", "label": "helper()", "metadata": {"kind": "bash_function"}},
|
|
],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
edges = resolve_bash_source_edges(per_file, [a, b], tmp_path)
|
|
# No raw-call edge emitted because caller_nid was missing; source edge OK.
|
|
assert all(e["relation"] != "calls" for e in edges)
|
|
|
|
|
|
def test_resolve_bash_source_edges_accepts_none_per_file_entries(tmp_path):
|
|
"""A None entry in per_file (e.g. failed extraction) must be silently skipped."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
a = tmp_path / "a.sh"
|
|
a.write_text("# noop\n")
|
|
edges = resolve_bash_source_edges([None], [a], tmp_path)
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_bash_source_edges_skips_non_dict_lists(tmp_path):
|
|
"""Non-dict entries in bash_sources/raw_calls/nodes must be silently skipped."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
a = tmp_path / "a.sh"
|
|
a.write_text("# noop\n")
|
|
per_file = [
|
|
{
|
|
"nodes": ["not a dict", 42, None],
|
|
"raw_calls": [None, "string entry", {"language": "bash"}], # last is missing caller_nid
|
|
"bash_sources": [None, "str", 99],
|
|
}
|
|
]
|
|
edges = resolve_bash_source_edges(per_file, [a], tmp_path)
|
|
assert edges == []
|
|
|
|
|
|
# F4 — relative target_path resolves against source file directory
|
|
def test_resolve_bash_source_edges_relative_path_resolves_against_source_dir(tmp_path):
|
|
"""`source ./helper.sh` from a/main.sh should resolve to a/helper.sh,
|
|
not to ./helper.sh from the process CWD."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
sub = tmp_path / "scripts"
|
|
sub.mkdir()
|
|
main = sub / "main.sh"
|
|
helper = sub / "helper.sh"
|
|
main.write_text("# main\n")
|
|
helper.write_text("# helper\n")
|
|
|
|
per_file = [
|
|
{
|
|
"nodes": [],
|
|
"raw_calls": [],
|
|
# Relative path: should resolve to scripts/helper.sh (next to main.sh)
|
|
"bash_sources": [{"target_path": "./helper.sh"}],
|
|
},
|
|
{
|
|
"nodes": [],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
edges = resolve_bash_source_edges(per_file, [main, helper], tmp_path)
|
|
# One imports_from edge from main → helper
|
|
import_edges = [e for e in edges if e["relation"] == "imports_from"]
|
|
assert len(import_edges) == 1
|
|
# Note: the actual node IDs are sha-hash-derived; just verify the edge exists.
|
|
|
|
|
|
# F1 — malformed raw_calls in non-Bash resolvers
|
|
def test_iter_raw_calls_skips_non_dict_per_file_entries():
|
|
"""A non-dict per_file entry (e.g. junk fragment) must be silently skipped."""
|
|
from graphify.symbol_resolution import iter_raw_calls
|
|
|
|
assert iter_raw_calls(["not a dict", None, 42]) == []
|
|
|
|
|
|
def test_iter_raw_calls_skips_non_list_raw_calls():
|
|
"""`raw_calls` that isn't a list must yield empty."""
|
|
from graphify.symbol_resolution import iter_raw_calls
|
|
|
|
assert iter_raw_calls([{"raw_calls": "abc"}]) == []
|
|
assert iter_raw_calls([{"raw_calls": None}]) == []
|
|
assert iter_raw_calls([{"raw_calls": 42}]) == []
|
|
|
|
|
|
def test_iter_raw_calls_drops_non_dict_items_in_list():
|
|
"""Items inside `raw_calls` list that aren't dicts must be dropped."""
|
|
from graphify.symbol_resolution import iter_raw_calls
|
|
|
|
out = iter_raw_calls([{"raw_calls": ["str", 42, None, {"callee": "real", "caller_nid": "c"}]}])
|
|
assert out == [{"callee": "real", "caller_nid": "c"}]
|
|
|
|
|
|
def test_resolve_cross_file_raw_calls_survives_malformed_raw_calls():
|
|
"""The python cross-file resolver returns [] (not crash) on bad raw_calls."""
|
|
from graphify.symbol_resolution import resolve_cross_file_raw_calls
|
|
|
|
# raw_calls is a string instead of a list
|
|
assert resolve_cross_file_raw_calls([{"raw_calls": "abc"}], [], []) == []
|
|
# raw_calls list contains non-dict entries
|
|
assert resolve_cross_file_raw_calls([{"raw_calls": ["not dict", 42]}], [], []) == []
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_survives_malformed_raw_calls(tmp_path):
|
|
"""Python import-guided resolver also tolerates malformed raw_calls."""
|
|
from graphify.symbol_resolution import resolve_python_import_guided_calls
|
|
|
|
py = tmp_path / "caller.py"
|
|
py.write_text("from helper import transform\n")
|
|
per_file = [{"raw_calls": "not a list"}]
|
|
paths = [py]
|
|
nodes = [
|
|
{
|
|
"id": "h_transform",
|
|
"label": "transform",
|
|
"file_type": "code",
|
|
"source_file": str(tmp_path / "helper.py"),
|
|
}
|
|
]
|
|
# Should not raise; should return no edges since raw_calls isn't a list
|
|
edges = resolve_python_import_guided_calls(per_file, paths, nodes, [])
|
|
assert edges == []
|
|
|
|
|
|
# F2 — unhashable callee in bash resolver
|
|
def test_resolve_bash_source_edges_skips_unhashable_callee(tmp_path):
|
|
"""A bash raw_call with `callee: [list]` (unhashable for dict membership)
|
|
must not raise TypeError — silently skip the call."""
|
|
from graphify.symbol_resolution import resolve_bash_source_edges
|
|
|
|
a = tmp_path / "a.sh"
|
|
b = tmp_path / "b.sh"
|
|
a.write_text("# noop\n")
|
|
b.write_text("# noop\n")
|
|
per_file = [
|
|
{
|
|
"nodes": [],
|
|
"raw_calls": [
|
|
{"language": "bash", "caller_nid": "caller", "callee": ["bad"]},
|
|
{"language": "bash", "caller_nid": "caller", "callee": {"also": "bad"}},
|
|
{"language": "bash", "caller_nid": "caller", "callee": 42},
|
|
],
|
|
"bash_sources": [{"target_path": str(b)}],
|
|
},
|
|
{
|
|
"nodes": [
|
|
{"id": "b_helper", "label": "helper()", "metadata": {"kind": "bash_function"}},
|
|
],
|
|
"raw_calls": [],
|
|
"bash_sources": [],
|
|
},
|
|
]
|
|
# Must not raise — non-string callees are skipped before dict membership.
|
|
edges = resolve_bash_source_edges(per_file, [a, b], tmp_path)
|
|
# No call edges emitted (all malformed); imports_from edge from sourcing OK
|
|
assert all(e["relation"] != "calls" for e in edges)
|
|
|
|
|
|
# v3 Codex F1 — resolve_python_import_guided_calls hardened against
|
|
# malformed per_file slots and length mismatches.
|
|
def test_resolve_python_import_guided_calls_non_dict_per_file_slot(tmp_path):
|
|
"""A non-dict per_file slot (e.g. a string) must not raise AttributeError."""
|
|
from graphify.symbol_resolution import resolve_python_import_guided_calls
|
|
|
|
py = tmp_path / "caller.py"
|
|
py.write_text("from helper import transform\n")
|
|
# per_file slot is a STRING, not a dict — used to crash with AttributeError
|
|
edges = resolve_python_import_guided_calls(["not a dict"], [py], [], [])
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_per_file_shorter_than_paths(tmp_path):
|
|
"""per_file shorter than paths must not raise IndexError."""
|
|
from graphify.symbol_resolution import resolve_python_import_guided_calls
|
|
|
|
a = tmp_path / "a.py"
|
|
b = tmp_path / "b.py"
|
|
a.write_text("from helper import transform\n")
|
|
b.write_text("from helper import transform\n")
|
|
# Only ONE per_file entry but TWO paths — used to crash with IndexError
|
|
edges = resolve_python_import_guided_calls([{}], [a, b], [], [])
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_per_file_none_slot(tmp_path):
|
|
"""A None per_file slot is treated as empty fragment (no crash, no edges)."""
|
|
from graphify.symbol_resolution import resolve_python_import_guided_calls
|
|
|
|
py = tmp_path / "caller.py"
|
|
py.write_text("from helper import transform\n")
|
|
edges = resolve_python_import_guided_calls([None], [py], [], [])
|
|
assert edges == []
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_metadata_is_sanitized(tmp_path: Path) -> None:
|
|
"""Edge metadata produced by the import-guided resolver must pass through
|
|
sanitize_metadata so HTML / control characters in import-site strings
|
|
(e.g. malformed source_location values, alias names from extractor bugs)
|
|
cannot survive into the graph as raw markup."""
|
|
caller = tmp_path / "caller.py"
|
|
helper = tmp_path / "helper.py"
|
|
# Import alias that includes an angle bracket — pathological but defensive
|
|
# cover: the resolver itself does not parse names this aggressively, but a
|
|
# future extractor or upstream fragment could. The boundary is the cycle's
|
|
# stated policy: every edge metadata field goes through sanitize_metadata.
|
|
caller.write_text(
|
|
"from helper import transform as tx\n\ndef run(value):\n return tx(value)\n",
|
|
encoding="utf-8",
|
|
)
|
|
helper.write_text("def transform(value):\n return value\n", encoding="utf-8")
|
|
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": "tx",
|
|
"is_member_call": False,
|
|
"source_file": str(caller),
|
|
"source_location": "L4",
|
|
}
|
|
]
|
|
},
|
|
{"raw_calls": []},
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code", "source_file": str(caller)},
|
|
{
|
|
"id": "helper_transform",
|
|
"label": "transform()",
|
|
"file_type": "code",
|
|
"source_file": str(helper),
|
|
},
|
|
]
|
|
|
|
edges = resolve_python_import_guided_calls(per_file, [caller, helper], nodes, [])
|
|
assert len(edges) == 1
|
|
metadata = edges[0]["metadata"]
|
|
# All values must be present and HTML/control-char safe after sanitisation.
|
|
for value in metadata.values():
|
|
if isinstance(value, str):
|
|
assert "<" not in value
|
|
assert "\x00" not in value
|
|
# And the structural shape is unchanged for benign inputs.
|
|
assert metadata["resolver"] == "python_import_guided"
|
|
assert metadata["local_name"] == "tx"
|
|
assert metadata["imported_name"] == "transform"
|
|
assert metadata["module_stem"] == "helper"
|
|
|
|
|
|
def test_resolve_python_import_guided_calls_metadata_sanitizes_hostile_alias(
|
|
monkeypatch, tmp_path: Path
|
|
) -> None:
|
|
"""Strong regression for #cycle-2.7-Codex-v2: monkeypatch the alias parser
|
|
so the resolver sees HOSTILE strings in ImportedSymbol fields, then assert
|
|
the emitted metadata is HTML-escaped / control-char-stripped.
|
|
|
|
Removing the sanitize_metadata() wrap in
|
|
``resolve_python_import_guided_calls`` would make this test fail:
|
|
`<script>` would not appear in `imported_name`, and the raw
|
|
NUL byte would not be stripped from `module_stem`.
|
|
"""
|
|
import graphify.symbol_resolution as sr
|
|
|
|
caller = tmp_path / "caller.py"
|
|
helper = tmp_path / "helper.py"
|
|
caller.write_text(
|
|
"from helper import transform as tx\n\ndef run(value):\n return tx(value)\n",
|
|
encoding="utf-8",
|
|
)
|
|
helper.write_text("def transform(value):\n return value\n", encoding="utf-8")
|
|
|
|
# imported_name and module_stem are the lookup keys used to resolve the
|
|
# call target; they must match the real helper symbol or the edge will
|
|
# not fire. local_name and source_location are stored verbatim into
|
|
# metadata and are the surface that sanitize_metadata() must scrub.
|
|
hostile_alias_key = "<script>tx</script>"
|
|
hostile = sr.ImportedSymbol(
|
|
local_name=hostile_alias_key,
|
|
imported_name="transform",
|
|
module_stem="helper",
|
|
source_file=str(caller),
|
|
source_location="L1<img src=x>\x00trail",
|
|
)
|
|
|
|
def _fake_aliases(path: Path) -> dict[str, sr.ImportedSymbol]:
|
|
if path == caller:
|
|
return {hostile_alias_key: hostile}
|
|
return {}
|
|
|
|
monkeypatch.setattr(sr, "parse_python_import_aliases", _fake_aliases)
|
|
|
|
per_file = [
|
|
{
|
|
"raw_calls": [
|
|
{
|
|
"caller_nid": "caller_run",
|
|
"callee": hostile_alias_key,
|
|
"is_member_call": False,
|
|
"source_file": str(caller),
|
|
"source_location": "L4",
|
|
}
|
|
]
|
|
},
|
|
{"raw_calls": []},
|
|
]
|
|
nodes = [
|
|
{"id": "caller_run", "label": "run()", "file_type": "code", "source_file": str(caller)},
|
|
{
|
|
"id": "helper_transform",
|
|
"label": "transform()",
|
|
"file_type": "code",
|
|
"source_file": str(helper),
|
|
},
|
|
]
|
|
|
|
edges = resolve_python_import_guided_calls(per_file, [caller, helper], nodes, [])
|
|
assert len(edges) == 1
|
|
metadata = edges[0]["metadata"]
|
|
|
|
# `local_name` carries the hostile alias key. Without sanitisation it
|
|
# would still contain `<script>`. With the wrap, only the entity escape
|
|
# survives. Removing the sanitize_metadata() wrap would fail BOTH asserts.
|
|
local_name = metadata["local_name"]
|
|
assert "<script>" not in local_name
|
|
assert "<script>" in local_name
|
|
|
|
# `import_source_location` carries hostile markup + a NUL byte. Sanitised
|
|
# output strips the NUL and escapes the angle brackets.
|
|
src_loc = metadata["import_source_location"]
|
|
assert "<img" not in src_loc
|
|
assert "<img" in src_loc
|
|
assert "\x00" not in src_loc
|
|
assert "trail" in src_loc # tail content survives after NUL strip
|
|
|
|
# Resolution-side fields (used as lookup keys) are benign and unchanged.
|
|
assert metadata["resolver"] == "python_import_guided"
|
|
assert metadata["imported_name"] == "transform"
|
|
assert metadata["module_stem"] == "helper"
|