feat(drift): scan template literal bodies for anti-patterns#181
Merged
Conversation
Extracts backtick template strings from .ts/.tsx/.js/.mjs files and scans their bodies against drift patterns, attributing violations to virtual filenames (e.g. src/foo.ts[template:0]). Catches security anti-patterns inside code-factory functions that emit string templates. No signature changes to scanForDrift. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Member
Author
Review pass complete for #181. No blocking issues found in the current diff. What I validated:
I’m comfortable merging this as-is.
stackbilt-admin added a commit that referenced this pull request on May 23, 2026
) Extracts backtick template strings from .ts/.tsx/.js/.mjs files and scans their bodies against drift patterns, attributing violations to virtual filenames (e.g. src/foo.ts[template:0]). Catches security anti-patterns inside code-factory functions that emit string templates. No signature changes to scanForDrift.

Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
stackbilt-admin added a commit that referenced this pull request on May 23, 2026
)
* feat(bootstrap): add --mode lean for fast, install-safe project onboarding (#139)
  Skips migrate, install, and populate phases. Install failure can no longer produce a `partial` status — lean mode emits a deterministic install command as the first required next step instead. Fully compatible with --yes, --ci, --force, and --security-sensitive.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(drift): scan template literal bodies for anti-patterns (#102) (#181)
  Extracts backtick template strings from .ts/.tsx/.js/.mjs files and scans their bodies against drift patterns, attributing violations to virtual filenames (e.g. src/foo.ts[template:0]). Catches security anti-patterns inside code-factory functions that emit string templates. No signature changes to scanForDrift.
  Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(context-refresh): add repo-intel source for GitHub history snapshots (#138) (#182)
  New --sources repo-intel pulls open/closed issues, PRs, and release cadence via gh CLI and writes .charter/repo-intel/snapshot.json. Computes a summary (openIssueCount, stalledIssues, recurringLabels, mergeVelocity, releaseCadence) contributed to context.adf openWork/recentActivity sections. Fails gracefully when gh is unavailable or repo has no GitHub remote — emits a warning, not an error.
  Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(bootstrap): gate lean-mode hook next-steps on inGitRepo
  Hooks cannot be installed outside a git repo. The non-lean path already gated these steps on inGitRepo; lean mode was missing the same guard. Tests updated to mock isGitRepo via git-helpers module mock (runGit uses execFileSync, not execSync, so the existing execSync override couldn't cover it).
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
stackbilt-admin added a commit that referenced this pull request on May 23, 2026
…li (#127) (#183)
* feat(bootstrap): add --mode lean for fast, install-safe project onboarding (#139)
  Skips migrate, install, and populate phases. Install failure can no longer produce a `partial` status — lean mode emits a deterministic install command as the first required next step instead. Fully compatible with --yes, --ci, --force, and --security-sensitive.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(drift): scan template literal bodies for anti-patterns (#102) (#181)
  Extracts backtick template strings from .ts/.tsx/.js/.mjs files and scans their bodies against drift patterns, attributing violations to virtual filenames (e.g. src/foo.ts[template:0]). Catches security anti-patterns inside code-factory functions that emit string templates. No signature changes to scanForDrift.
  Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(context-refresh): add repo-intel source for GitHub history snapshots (#138) (#182)
  New --sources repo-intel pulls open/closed issues, PRs, and release cadence via gh CLI and writes .charter/repo-intel/snapshot.json. Computes a summary (openIssueCount, stalledIssues, recurringLabels, mergeVelocity, releaseCadence) contributed to context.adf openWork/recentActivity sections. Fails gracefully when gh is unavailable or repo has no GitHub remote — emits a warning, not an error.
  Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(bootstrap): gate lean-mode hook next-steps on inGitRepo
  Hooks cannot be installed outside a git repo. The non-lean path already gated these steps on inGitRepo; lean mode was missing the same guard. Tests updated to mock isGitRepo via git-helpers module mock (runGit uses execFileSync, not execSync, so the existing execSync override couldn't cover it).
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(cli)!: remove commercial surface from @stackbilt/cli at Charter 1.0 (#127)
  Phase 4 of RFC #112. Deletes run/architect/scaffold/login commands, credentials.ts, http-client.ts, scaffold-contract-types.ts, and all related tests. Drops the `stackbilt` bin alias. Bumps @stackbilt/cli to 1.0.0. @stackbilt/build@0.1.0 is the new home for these commands.
  BREAKING CHANGE: run, architect, scaffold, login commands and stackbilt bin removed. Install @stackbilt/build for the long-term home.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(cli): add repo-intel to context-refresh help; ignore package-lock.json
  - HELP text for `context-refresh --sources` was missing the third valid value `repo-intel` (added in the repo-intel source commit on this branch)
  - Add `package-lock.json` to .gitignore — repo uses pnpm; the npm lockfile has no business being tracked here
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Kurt Overmier <kurt@stackbilt.dev>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

Closes #102.

Charter's drift scanner now extracts template literal bodies from .ts, .tsx, .js, and .mjs files and scans them as virtual sub-files against the same anti-pattern rules. This catches security patterns (e.g. timing attacks, hardcoded secrets) inside code-factory functions that return multi-line string templates — patterns that are invisible to a file-level scan.

- src/foo.ts[template:0]
- scanForDrift signature unchanged — additive only
- extractTemplateLiterals exported for direct use/testing

Test plan

- filename[template:N]
- [template:0], [template:1]

🤖 Generated with Claude Code
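The mechanism this PR describes, extracting backtick template bodies and attributing findings to a virtual filename such as src/foo.ts[template:0], shown as an added example. This is not Charter's code and not the project's exported extractTemplateLiterals; the function names here (extractTemplateLiterals, scanTemplateBodies), the DEMO_PATTERNS rule set and the SAMPLE_SOURCE input are all constructed for illustration. It goes slightly beyond the PR text in that it skips comments and ordinary string literals so a stray backtick there does not open a template, and tracks `${...}` nesting so a template inside a hole does not end the outer one.

```typescript
// Added example, not Charter's own code. A minimal template-literal extractor
// plus a line-oriented scanner that reports findings against virtual filenames
// of the form `<file>[template:N]`, mirroring the attribution scheme the PR
// describes. The pattern set and sample source below are constructed.

interface TemplateLiteral {
  index: number;     // Nth template literal in the file, in source order
  startLine: number; // 1-based line of the opening backtick in the real file
  body: string;      // raw text between the backticks, `${...}` kept verbatim
}

interface DriftPattern {
  id: string;
  regex: RegExp;     // no `g`/`y` flag, so `.test()` is stateless
  message: string;
}

interface Violation {
  file: string;      // virtual filename, e.g. src/foo.ts[template:0]
  line: number;      // 1-based line inside the template body
  patternId: string;
  message: string;
}

// Single pass over the source. Comments and quoted strings are skipped so a
// backtick inside `'...'` or `// ...` does not open a template. `${ ... }`
// holes are tracked by brace depth; braces inside quoted strings within a hole
// and regex literals are not handled (acceptable for a linting heuristic).
function extractTemplateLiterals(source: string): TemplateLiteral[] {
  const out: TemplateLiteral[] = [];
  const n = source.length;
  let i = 0;
  let line = 1;

  while (i < n) {
    const c = source[i];
    const next = source[i + 1];

    if (c === '\n') { line++; i++; continue; }

    if (c === '/' && next === '/') {            // line comment
      while (i < n && source[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && next === '*') {            // block comment
      i += 2;
      while (i < n && !(source[i] === '*' && source[i + 1] === '/')) {
        if (source[i] === '\n') line++;
        i++;
      }
      i += 2;
      continue;
    }
    if (c === '"' || c === "'") {               // ordinary string literal
      i++;
      while (i < n && source[i] !== c) {
        if (source[i] === '\\') i++;            // skip the escaped character
        if (source[i] === '\n') line++;
        i++;
      }
      i++;                                      // closing quote
      continue;
    }
    if (c === '`') {                            // template literal
      const startLine = line;
      const bodyStart = ++i;
      let depth = 0;                            // nesting depth of ${ ... }
      while (i < n) {
        const ch = source[i];
        if (ch === '\\') {                      // escape: keep both characters
          if (source[i + 1] === '\n') line++;
          i += 2;
          continue;
        }
        if (ch === '\n') { line++; i++; continue; }
        if (depth === 0 && ch === '`') break;   // closing backtick of this template
        if (ch === '$' && source[i + 1] === '{') { depth++; i += 2; continue; }
        if (depth > 0 && ch === '{') depth++;
        if (depth > 0 && ch === '}') depth--;
        i++;
      }
      out.push({ index: out.length, startLine, body: source.slice(bodyStart, i) });
      i++;                                      // step over the closing backtick
      continue;
    }
    i++;
  }
  return out;
}

// Runs every pattern over every line of every template body and attributes the
// hit to `<file>[template:N]`, so a finding can be traced back even though the
// scanned text never exists as a file on disk.
function scanTemplateBodies(file: string, source: string, patterns: DriftPattern[]): Violation[] {
  const violations: Violation[] = [];
  for (const t of extractTemplateLiterals(source)) {
    const virtualFile = `${file}[template:${t.index}]`;
    t.body.split('\n').forEach((text, idx) => {
      for (const p of patterns) {
        if (p.regex.test(text)) {
          violations.push({ file: virtualFile, line: idx + 1, patternId: p.id, message: p.message });
        }
      }
    });
  }
  return violations;
}

// Constructed, illustrative rules; not Charter's real drift rule set.
const DEMO_PATTERNS: DriftPattern[] = [
  {
    id: 'hardcoded-secret',
    regex: /\b(api[_-]?key|secret|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i,
    message: 'possible hardcoded secret in generated code',
  },
  {
    id: 'timing-unsafe-compare',
    regex: /\b(token|secret|signature)\b\s*[!=]==?/i,
    message: 'secret compared with ==/===; use a constant-time comparison',
  },
];

// Constructed sample input: one code-factory function whose returned template
// contains both anti-patterns, plus decoys that must not produce findings.
const SAMPLE_SOURCE = `// constructed sample input
const notATemplate = 'a backtick \` in a string';
export function makeHandler(name: string): string {
  return \`
export function \${name}(req, res) {
  const apiKey = "sk_live_0123456789";
  if (req.headers.token === apiKey) { res.send("ok"); }
}
\`;
}
const other = \`no findings here \${name}\`;
`;

const findings = scanTemplateBodies('src/foo.ts', SAMPLE_SOURCE, DEMO_PATTERNS);
console.log(JSON.stringify(findings, null, 2));
```

Running it reports two findings, both against src/foo.ts[template:0] (lines 3 and 4 of that template body), while the backtick inside the single-quoted string and the second, harmless template produce nothing. The line number is relative to the template body; a real integration would add the template's startLine to map it back to the host file.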