feat(config-audit): cache-prefix stability scanner CPS (v5 N3) [skip-docs]

New CPS scanner walks CLAUDE.md cascade and flags volatile content between lines 31 and 150 — the cache-prefix window beyond TOK Pattern A's top-30 territory. Volatile content anywhere in the cached prefix forces a fresh cache write from that line down on every turn. Volatile-pattern set extends TOK Pattern A with: - shell-exec lines (! prefix) — common in CLAUDE.md to inject git/date - ${VAR} substitutions — vary per-shell, defeat cache reuse Severity: medium per finding. Skips lines 1-30 to avoid duplicating Pattern A's range; CPS' value is in the 31-150 zone. Wired into scan-orchestrator + scoring SCANNER_AREA_MAP. CPS shares the "Token Efficiency" area with TOK; scoreByArea now deduplicates by area name and combines counts across scanners contributing to the same area, so the 9-area scorecard contract holds. Fixtures volatile-mid-section/{volatile-line-60, volatile-line-200} verify both positive (line 60) and out-of-window (line 200) cases. [skip-docs] reason: v5 plan fences off README/CLAUDE.md badge updates to Session 5; Forgejo pre-commit-docs-gate hook requires this tag. Tests: 604 → 611 (+7). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 07:37:54 +02:00 · 2026-05-01 07:37:54 +02:00 · 65087e624f
commit 65087e624f
parent 0420b8cc4a
6 changed files with 517 additions and 9 deletions
--- a/plugins/config-audit/tests/scanners/cache-prefix.test.mjs
+++ b/plugins/config-audit/tests/scanners/cache-prefix.test.mjs
@ -0,0 +1,79 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { resetCounter } from '../../scanners/lib/output.mjs';
+import { scan } from '../../scanners/cache-prefix-scanner.mjs';
+import { discoverConfigFiles } from '../../scanners/lib/file-discovery.mjs';
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url));
+const FIXTURES = resolve(__dirname, '../fixtures');
+
+async function runScanner(fixtureName) {
+  resetCounter();
+  const path = resolve(FIXTURES, fixtureName);
+  const discovery = await discoverConfigFiles(path);
+  return scan(path, discovery);
+}
+
+describe('CPS scanner — basic structure', () => {
+  it('reports scanner prefix CPS', async () => {
+    const result = await runScanner('volatile-mid-section/volatile-line-60');
+    assert.equal(result.scanner, 'CPS');
+  });
+
+  it('finding IDs match CA-CPS-NNN pattern', async () => {
+    const result = await runScanner('volatile-mid-section/volatile-line-60');
+    for (const f of result.findings) {
+      assert.match(f.id, /^CA-CPS-\d{3}$/);
+    }
+  });
+});
+
+describe('CPS scanner — volatile content within cached prefix', () => {
+  it('flags !git log at line 60 (medium severity)', async () => {
+    const result = await runScanner('volatile-mid-section/volatile-line-60');
+    const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || ''));
+    assert.ok(f, `expected volatile-prefix finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
+    assert.equal(f.severity, 'medium', `expected medium, got ${f.severity}`);
+    assert.match(String(f.evidence || ''), /line 60/);
+    assert.match(String(f.evidence || ''), /shell-exec/i);
+  });
+});
+
+describe('CPS scanner — volatile content beyond cache window', () => {
+  it('does NOT flag volatility at line 200+ (outside 150-line window)', async () => {
+    const result = await runScanner('volatile-mid-section/volatile-line-200');
+    const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || ''));
+    assert.equal(f, undefined,
+      `expected no finding for line-200 fixture; got: ${f?.title}`);
+  });
+});
+
+describe('CPS scanner — does not duplicate TOK Pattern A territory', () => {
+  it('volatility at lines 1–30 is left for TOK Pattern A (no CPS finding)', async () => {
+    // The opus-47/cache-breaking fixture has volatile content at the very top.
+    // CPS skips lines 1–30 to avoid duplicating Pattern A's territory.
+    const result = await runScanner('opus-47/cache-breaking');
+    const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || ''));
+    assert.equal(f, undefined,
+      `expected no CPS finding when volatility is only in lines 1–30 (Pattern A's range)`);
+  });
+});
+
+describe('CPS scanner — orchestrator wiring', () => {
+  it('CPS appears in scan-orchestrator scanner list', async () => {
+    const orch = await import('../../scanners/scan-orchestrator.mjs');
+    const path = resolve(FIXTURES, 'volatile-mid-section/volatile-line-60');
+    const env = await orch.runAllScanners(path, { filterFixtures: false });
+    const cps = env.scanners.find(r => r.scanner === 'CPS');
+    assert.ok(cps, `expected CPS in orchestrator results; got: ${env.scanners.map(r => r.scanner).join(', ')}`);
+  });
+
+  it('CPS findings carry the token-efficiency category', async () => {
+    const result = await runScanner('volatile-mid-section/volatile-line-60');
+    const f = result.findings.find(x => /volatile content inside cached prefix/i.test(x.title || ''));
+    assert.ok(f);
+    assert.equal(f.category, 'token-efficiency');
+  });
+});