feat: implement robustness guards

tests/unit/guards/api-route-contract-guard.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it } from 'vitest'
+import {
+  API_HANDLER_ALLOWLIST,
+  PUBLIC_ROUTE_ALLOWLIST,
+  inspectRouteContract,
+} from '../../../scripts/guards/api-route-contract-guard.mjs'
+
+describe('api route contract guard', () => {
+  it('allows explicit public and framework-managed exceptions', () => {
+    expect(API_HANDLER_ALLOWLIST.has('src/app/api/auth/[...nextauth]/route.ts')).toBe(true)
+    expect(PUBLIC_ROUTE_ALLOWLIST.has('src/app/api/system/boot-id/route.ts')).toBe(true)
+    expect(
+      inspectRouteContract(
+        'src/app/api/system/boot-id/route.ts',
+        'export async function GET() { return Response.json({ bootId: "x" }) }',
+      ),
+    ).toEqual([])
+  })
+
+  it('passes protected routes that use apiHandler and explicit auth', () => {
+    const content = `
+      import { requireUserAuth } from '@/lib/api-auth'
+      import { apiHandler } from '@/lib/api-errors'
+      export const GET = apiHandler(async () => {
+        await requireUserAuth()
+        return Response.json({ ok: true })
+      })
+    `
+
+    expect(inspectRouteContract('src/app/api/user/secure/route.ts', content)).toEqual([])
+  })
+
+  it('flags protected routes that skip apiHandler or auth', () => {
+    const missingApiHandler = `
+      import { requireUserAuth } from '@/lib/api-auth'
+      export async function GET() {
+        await requireUserAuth()
+        return Response.json({ ok: true })
+      }
+    `
+    const missingAuth = `
+      import { apiHandler } from '@/lib/api-errors'
+      export const GET = apiHandler(async () => Response.json({ ok: true }))
+    `
+
+    expect(inspectRouteContract('src/app/api/user/secure/route.ts', missingApiHandler)).toEqual([
+      'src/app/api/user/secure/route.ts missing apiHandler wrapper',
+    ])
+    expect(inspectRouteContract('src/app/api/user/secure/route.ts', missingAuth)).toEqual([
+      'src/app/api/user/secure/route.ts missing requireUserAuth/requireProjectAuth/requireProjectAuthLight',
+    ])
+  })
+})

tests/unit/guards/image-reference-normalization-guard.test.ts

@@ -0,0 +1,53 @@
+import { describe, expect, it } from 'vitest'
+import {
+  NORMALIZATION_HELPER_ALLOWLIST,
+  inspectImageReferenceNormalization,
+} from '../../../scripts/guards/image-reference-normalization-guard.mjs'
+
+describe('image reference normalization guard', () => {
+  it('allows shared helper exceptions explicitly', () => {
+    expect(NORMALIZATION_HELPER_ALLOWLIST.has('src/lib/workers/handlers/image-task-handler-shared.ts')).toBe(true)
+    expect(
+      inspectImageReferenceNormalization(
+        'src/lib/workers/handlers/image-task-handler-shared.ts',
+        'resolveImageSourceFromGeneration(job, { options: params.options })\nreferenceImages?: string[]',
+      ),
+    ).toEqual([])
+  })
+
+  it('passes handlers that normalize reference images before generation', () => {
+    const content = `
+      import { normalizeReferenceImagesForGeneration } from '@/lib/media/outbound-image'
+      async function run() {
+        const normalizedRefs = await normalizeReferenceImagesForGeneration(refs)
+        return await resolveImageSourceFromGeneration(job, {
+          options: {
+            referenceImages: normalizedRefs,
+          },
+        })
+      }
+    `
+
+    expect(
+      inspectImageReferenceNormalization('src/lib/workers/handlers/panel-image-task-handler.ts', content),
+    ).toEqual([])
+  })
+
+  it('flags handlers that send referenceImages without normalization markers', () => {
+    const content = `
+      async function run() {
+        return await resolveImageSourceFromGeneration(job, {
+          options: {
+            referenceImages: refs,
+          },
+        })
+      }
+    `
+
+    expect(
+      inspectImageReferenceNormalization('src/lib/workers/handlers/bad-handler.ts', content),
+    ).toEqual([
+      'src/lib/workers/handlers/bad-handler.ts uses resolveImageSourceFromGeneration with referenceImages but does not reference normalizeReferenceImagesForGeneration/normalizeToBase64ForGeneration/generateLabeledImageToCos',
+    ])
+  })
+})

tests/unit/guards/task-submit-compensation-guard.test.ts

@@ -0,0 +1,43 @@
+import { describe, expect, it } from 'vitest'
+import { inspectTaskSubmitCompensation } from '../../../scripts/guards/task-submit-compensation-guard.mjs'
+
+describe('task submit compensation guard', () => {
+  it('passes routes that create data before submitTask and define rollback handling', () => {
+    const content = `
+      async function rollbackCreatedRecord() {}
+      export const POST = apiHandler(async () => {
+        await prisma.panel.create({ data: {} })
+        try {
+          return await submitTask({})
+        } catch (error) {
+          await rollbackCreatedRecord()
+          throw error
+        }
+      })
+    `
+
+    expect(
+      inspectTaskSubmitCompensation('src/app/api/novel-promotion/[projectId]/panel-variant/route.ts', content),
+    ).toEqual([])
+  })
+
+  it('ignores routes that do not combine create and submitTask', () => {
+    expect(inspectTaskSubmitCompensation('src/app/api/user/api-config/route.ts', 'await submitTask({})')).toEqual([])
+    expect(inspectTaskSubmitCompensation('src/app/api/projects/route.ts', 'await prisma.project.create({ data: {} })')).toEqual([])
+  })
+
+  it('flags routes that create data before submitTask without compensation marker', () => {
+    const content = `
+      export const POST = apiHandler(async () => {
+        await prisma.panel.create({ data: {} })
+        return await submitTask({})
+      })
+    `
+
+    expect(
+      inspectTaskSubmitCompensation('src/app/api/example/route.ts', content),
+    ).toEqual([
+      'src/app/api/example/route.ts creates data before submitTask without explicit rollback/compensation marker',
+    ])
+  })
+})