BUILD PR: tighten shared extraction guard with strict detection rules. & BUILD PR: add self-test runner for shared extraction guard.

Author: DavidQ

docs/dev/CODEX_COMMANDS.md

@@ -1,8 +1,10 @@
 MODEL: GPT-5.3-codex
 REASONING: high
 COMMAND:
-Execute docs/pr/BUILD_PR_SHARED_EXTRACTION_23_GUARD_DOC_MINIMAL_USAGE.md exactly.
-Create only:
-- docs/dev/SHARED_EXTRACTION_GUARD_USAGE.md
+Execute docs/pr/BUILD_PR_SHARED_EXTRACTION_25_GUARD_SELFTEST_RUNNER.md exactly.
+Edit only these files:
+- tools/dev/checkSharedExtractionGuard.selftest.mjs (new file)
+- tools/dev/checkSharedExtractionGuard.mjs (only if a minimal export is strictly required)
+Fail fast if tools/dev/checkSharedExtractionGuard.mjs does not exist.
 Do not expand scope.
-Package delta to <project folder>/tmp/BUILD_PR_SHARED_EXTRACTION_23_GUARD_DOC_MINIMAL_USAGE_delta.zip
+Package the delta output to <project folder>/tmp/BUILD_PR_SHARED_EXTRACTION_25_GUARD_SELFTEST_RUNNER_delta.zip

docs/dev/COMMIT_COMMENT.txt

@@ -1 +1 @@
-BUILD PR: add minimal usage doc for shared extraction guard.
+BUILD PR: add self-test runner for shared extraction guard.

docs/dev/reports/change_summary.txt

@@ -1 +1 @@
-Adds guard usage documentation.
+Adds a temp-workspace self-test runner for the guard.

docs/dev/reports/validation_checklist.txt

@@ -1 +1 @@
-doc added correctly
+self-test runner added correctly

docs/pr/BUILD_PR_SHARED_EXTRACTION_24_GUARD_STRICT_MODE.md

@@ -0,0 +1,78 @@
+# BUILD_PR_SHARED_EXTRACTION_24_GUARD_STRICT_MODE
+
+## Purpose
+Tighten the shared-extraction guard to catch edge cases and prevent bypass patterns.
+
+## Single PR Purpose
+Enhance the existing guard script ONLY:
+
+tools/dev/checkSharedExtractionGuard.mjs
+
+## Exact Files Allowed
+1. tools/dev/checkSharedExtractionGuard.mjs
+
+Do not edit any other file.
+
+## Fail-Fast Gate
+Before editing:
+- confirm file exists
+
+If not:
+- stop
+- no changes
+- no ZIP
+
+## Exact Enhancements
+
+### 1. Add detection for inline arrow/function variants
+Detect:
+- `(value) => Number.isFinite`
+- `Number.isFinite(` (outside shared import context)
+- `typeof value === 'object' && value !== null`
+
+### 2. Add detection for renamed helper clones
+Detect patterns:
+- `finiteNumber`
+- `positiveInt`
+- `plainObj`
+(only when used in function declarations)
+
+### 3. Add detection for deep relative traversal attempts
+Detect:
+- '../../../../src/shared'
+- '../../../src/../shared'
+
+### 4. Improve output grouping
+Group results by:
+- violation type
+- file
+
+### 5. Output summary
+At end print:
+- total files scanned
+- total violations
+- types of violations found
+
+### 6. Maintain strict exit behavior
+- 0 = clean
+- 1 = violations
+
+## Hard Constraints
+- do not change existing checks
+- only extend detection
+- no new files
+- no config changes
+- no performance-heavy scanning
+- keep script readable
+
+## Validation Checklist
+1. Script still runs
+2. New patterns detected
+3. Existing patterns still detected
+4. Output clearer
+5. Exit codes correct
+
+## Non-Goals
+- no CI
+- no lint
+- no repo-wide changes

docs/pr/BUILD_PR_SHARED_EXTRACTION_25_GUARD_SELFTEST_RUNNER.md

@@ -0,0 +1,116 @@
+# BUILD_PR_SHARED_EXTRACTION_25_GUARD_SELFTEST_RUNNER
+
+## Purpose
+Add a narrow self-test runner for the shared-extraction guard so the guard logic can be verified without modifying repo source files.
+
+## Single PR Purpose
+Create one new self-test runner:
+
+- `tools/dev/checkSharedExtractionGuard.selftest.mjs`
+
+This BUILD does not change the guard script itself unless a tiny export is already present and needed. Default expectation: create the self-test runner only.
+
+## Exact Files Allowed
+Edit only these files:
+
+1. `tools/dev/checkSharedExtractionGuard.selftest.mjs` **(new file)**
+2. `tools/dev/checkSharedExtractionGuard.mjs` **only if a minimal export is strictly required to support the self-test runner**
+
+Do not edit any other file.
+
+## Fail-Fast Gate
+Before editing:
+1. confirm `tools/dev/checkSharedExtractionGuard.mjs` exists
+
+If not:
+- stop
+- no changes
+- no ZIP
+
+## Exact New File
+Create:
+
+`tools/dev/checkSharedExtractionGuard.selftest.mjs`
+
+## Exact Self-Test Requirements
+
+### 1) Execution model
+The self-test runner must:
+- create a temporary workspace under OS temp
+- create small synthetic `.js` files that intentionally violate guard rules
+- invoke the existing guard script against that temp workspace
+- verify the guard exits with failure on violation cases
+- verify the guard exits clean on a compliant case
+- clean up the temp workspace when done
+
+### 2) Required test cases
+Include at least these cases:
+
+#### violation: local helper definition
+Synthetic file containing one of:
+- `function asFiniteNumber(`
+Expected:
+- guard fails
+
+#### violation: disallowed shared relative import
+Synthetic file containing:
+- `../../../src/shared/utils/numberUtils.js`
+Expected:
+- guard fails
+
+#### violation: alias usage
+Synthetic file containing:
+- `@shared/utils/numberUtils.js`
+Expected:
+- guard fails
+
+#### clean case
+Synthetic file with no banned helper definitions or banned import strings
+Expected:
+- guard passes
+
+### 3) Output
+Print a concise pass/fail line for each case.
+Print a final summary:
+- tests run
+- tests passed
+- tests failed
+
+### 4) Exit behavior
+- exit code `0` if all self-tests pass
+- exit code `1` if any self-test fails
+
+## Guard Integration Rules
+Preferred:
+- call the existing guard script as a child process
+
+Allowed fallback only if strictly necessary:
+- make the minimum export change in `tools/dev/checkSharedExtractionGuard.mjs` to support invocation from the self-test runner
+
+If fallback is used:
+- do not change detection rules
+- do not change guard behavior
+- do not add unrelated refactor
+
+## Hard Constraints
+- no package.json changes
+- no CI changes
+- no npm script changes
+- no source/runtime app changes
+- no guard rule changes in this PR unless a tiny export is strictly required
+- keep one PR purpose only
+
+## Validation Checklist
+1. Confirm no more than the 2 listed files changed
+2. Confirm the self-test runner creates and cleans temp test inputs
+3. Confirm violation cases fail
+4. Confirm clean case passes
+5. Confirm self-test summary and exit code behavior are correct
+6. Confirm guard detection logic itself was not altered unless a minimal export was strictly required
+
+## Non-Goals
+- no new guard rules
+- no repo source scanning changes
+- no CI wiring
+- no package.json wiring
+- no documentation changes

tools/dev/checkSharedExtractionGuard.mjs

@@ -22,6 +22,23 @@ const DIRECT_SHARED_IMPORT_RULES = [
 ];
 
 const ALIAS_RULE = { rule: "shared-alias-import-disallowed", regex: /@shared\//g, label: "rule:shared-alias-marker" };
+const NUMBER_UTIL_IMPORT_HINT = /from\s+["'][^"']*shared\/utils\/numberUtils\.js["']/;
+
+const INLINE_HELPER_VARIANT_RULES = [
+  { rule: "inline-helper-clone", regex: /\(value\)\s*=>\s*Number\.isFinite/g, label: "rule:inline-arrow-number-is-finite" },
+  { rule: "inline-helper-clone", regex: /typeof\s+value\s*===\s*'object'\s*&&\s*value\s*!==\s*null/g, label: "rule:inline-plain-object-check" }
+];
+
+const RENAMED_HELPER_FUNCTION_RULES = [
+  { rule: "renamed-helper-clone", regex: /function\s+finiteNumber\s*\(/g, label: "rule:renamed-helper-finiteNumber" },
+  { rule: "renamed-helper-clone", regex: /function\s+positiveInt\s*\(/g, label: "rule:renamed-helper-positiveInt" },
+  { rule: "renamed-helper-clone", regex: /function\s+plainObj\s*\(/g, label: "rule:renamed-helper-plainObj" }
+];
+
+const DEEP_RELATIVE_TRAVERSAL_RULES = [
+  { rule: "deep-relative-shared-traversal", regex: /\.\.\/\.\.\/\.\.\/\.\.\/src\/shared/g, label: "rule:deep-relative-src-shared-traversal" },
+  { rule: "deep-relative-shared-traversal", regex: /\.\.\/\.\.\/\.\.\/src\/\.\.\/shared/g, label: "rule:relative-src-parent-shared-traversal" }
+];
 
 async function pathExists(targetPath) {
   try {
@@ -86,9 +103,101 @@ function findViolations(fileContent, filePathFromRoot) {
     });
   }
 
+  for (const check of INLINE_HELPER_VARIANT_RULES) {
+    const matches = fileContent.match(check.regex) || [];
+    for (const _match of matches) {
+      violations.push({
+        file: filePathFromRoot,
+        type: check.rule,
+        match: check.label
+      });
+    }
+  }
+
+  for (const check of RENAMED_HELPER_FUNCTION_RULES) {
+    const matches = fileContent.match(check.regex) || [];
+    for (const _match of matches) {
+      violations.push({
+        file: filePathFromRoot,
+        type: check.rule,
+        match: check.label
+      });
+    }
+  }
+
+  for (const check of DEEP_RELATIVE_TRAVERSAL_RULES) {
+    const matches = fileContent.match(check.regex) || [];
+    for (const _match of matches) {
+      violations.push({
+        file: filePathFromRoot,
+        type: check.rule,
+        match: check.label
+      });
+    }
+  }
+
+  const finiteMatches = [...fileContent.matchAll(/Number\.isFinite\s*\(/g)];
+  for (const finiteMatch of finiteMatches) {
+    const matchIndex = finiteMatch.index ?? -1;
+    if (matchIndex < 0) continue;
+    const lineStart = fileContent.lastIndexOf("\n", matchIndex) + 1;
+    const lineEndCandidate = fileContent.indexOf("\n", matchIndex);
+    const lineEnd = lineEndCandidate === -1 ? fileContent.length : lineEndCandidate;
+    const lineText = fileContent.slice(lineStart, lineEnd);
+
+    if (NUMBER_UTIL_IMPORT_HINT.test(lineText)) continue;
+
+    violations.push({
+      file: filePathFromRoot,
+      type: "inline-helper-clone",
+      match: "rule:number-is-finite-usage"
+    });
+  }
+
   return violations;
 }
 
+function summarizeViolationLabels(violations) {
+  const counts = new Map();
+  for (const violation of violations) {
+    const next = (counts.get(violation.match) || 0) + 1;
+    counts.set(violation.match, next);
+  }
+  return [...counts.entries()].sort(([a], [b]) => a.localeCompare(b));
+}
+
+function printGroupedViolations(violations) {
+  const byType = new Map();
+  for (const violation of violations) {
+    if (!byType.has(violation.type)) byType.set(violation.type, new Map());
+    const byFile = byType.get(violation.type);
+    if (!byFile.has(violation.file)) byFile.set(violation.file, []);
+    byFile.get(violation.file).push(violation);
+  }
+
+  const typeEntries = [...byType.entries()].sort(([a], [b]) => a.localeCompare(b));
+  for (const [type, filesMap] of typeEntries) {
+    console.error(`TYPE: ${type}`);
+    const fileEntries = [...filesMap.entries()].sort(([a], [b]) => a.localeCompare(b));
+    for (const [file, fileViolations] of fileEntries) {
+      console.error(`  FILE: ${file}`);
+      const summaries = summarizeViolationLabels(fileViolations);
+      for (const [label, count] of summaries) {
+        console.error(`    MATCH: ${label}${count > 1 ? ` (x${count})` : ""}`);
+      }
+    }
+  }
+}
+
+function printSummary(filesScanned, violations, useErrorStream = false) {
+  const out = useErrorStream ? console.error : console.log;
+  const types = [...new Set(violations.map((violation) => violation.type))].sort();
+  const typeSummary = types.length > 0 ? types.join(", ") : "none";
+  out(`Summary: files_scanned=${filesScanned}`);
+  out(`Summary: total_violations=${violations.length}`);
+  out(`Summary: violation_types=${typeSummary}`);
+}
+
 async function run() {
   const repoRoot = process.cwd();
   const filesToScan = [];
@@ -108,15 +217,13 @@ async function run() {
 
   if (violations.length === 0) {
     console.log("Shared extraction guard passed. No violations found.");
+    printSummary(filesToScan.length, violations);
     process.exit(0);
   }
 
   console.error(`Shared extraction guard failed with ${violations.length} violation(s).`);
-  for (const violation of violations) {
-    console.error(
-      `${violation.file} | ${violation.type} | ${violation.match}`
-    );
-  }
+  printGroupedViolations(violations);
+  printSummary(filesToScan.length, violations, true);
   process.exit(1);
 }