fix: expire warning (#299)

* fix: expire warings strict mode

* chore: expire warning json

Author: Chrilleweb

src/commands/scanUsage.ts

@@ -15,7 +15,11 @@ import { printComparisonError } from '../ui/scan/printComparisonError.js';
 import { hasIgnoreComment } from '../core/security/secretDetectors.js';
 import { frameworkValidator } from '../core/frameworks/frameworkValidator.js';
 import { detectSecretsInExample } from '../core/security/exampleSecretDetector.js';
-import { DEFAULT_EXAMPLE_FILE } from '../config/constants.js';
+import {
+  DEFAULT_EXAMPLE_FILE,
+  URGENT_EXPIRE_DAYS,
+  EXPIRE_THRESHOLD_DAYS,
+} from '../config/constants.js';
 import { promptNoEnvScenario } from './prompts/promptNoEnvScenario.js';
 
 /**
@@ -145,23 +149,30 @@ export async function scanUsage(opts: ScanUsageOptions): Promise<ExitResult> {
       scanResult.exampleWarnings ?? []
     ).some((w) => w.severity === 'high');
 
+    const hasUrgentExpireWarnings = (scanResult.expireWarnings ?? []).some(
+      (w) => w.daysLeft <= URGENT_EXPIRE_DAYS,
+    );
+
     return {
       exitWithError:
         scanResult.missing.length > 0 ||
         hasHighSeveritySecrets ||
+        hasUrgentExpireWarnings ||
         hasHighSeverityExampleWarnings ||
         !!(
-          (opts.strict &&
-            (scanResult.unused.length > 0 ||
-              (scanResult.duplicates?.env?.length ?? 0) > 0 ||
-              (scanResult.duplicates?.example?.length ?? 0) > 0 ||
-              (scanResult.secrets?.length ?? 0) > 0 ||
-              (scanResult.frameworkWarnings?.length ?? 0) > 0 ||
-              (scanResult.logged?.length ?? 0) > 0 ||
-              (scanResult.uppercaseWarnings?.length ?? 0) > 0 ||
-              (scanResult.expireWarnings?.length ?? 0) > 0 ||
-              (scanResult.inconsistentNamingWarnings?.length ?? 0) > 0)) ||
-          (scanResult.exampleWarnings?.length ?? 0) > 0
+          opts.strict &&
+          (scanResult.unused.length > 0 ||
+            (scanResult.duplicates?.env?.length ?? 0) > 0 ||
+            (scanResult.duplicates?.example?.length ?? 0) > 0 ||
+            (scanResult.secrets?.length ?? 0) > 0 ||
+            (scanResult.frameworkWarnings?.length ?? 0) > 0 ||
+            (scanResult.logged?.length ?? 0) > 0 ||
+            (scanResult.uppercaseWarnings?.length ?? 0) > 0 ||
+            (scanResult.expireWarnings?.filter(
+              (w) => w.daysLeft <= EXPIRE_THRESHOLD_DAYS,
+            ).length ?? 0) > 0 ||
+            (scanResult.inconsistentNamingWarnings?.length ?? 0) > 0 ||
+            (scanResult.exampleWarnings?.length ?? 0) > 0)
         ),
     };
   }

src/config/constants.ts

@@ -69,4 +69,9 @@ export const ALLOWED_CATEGORIES = [
 /** * Threshold in days for showing expiration warnings for environment variables.
  * Variables expiring within this number of days or already expired will trigger a warning.
  */
-export const EXPIRE_THRESHOLD_DAYS = 60;
+export const EXPIRE_THRESHOLD_DAYS = 20;
+
+/** Threshold in days for showing urgent expiration warnings.
+ * Variables expiring within this number of days or already expired will trigger a high-severity warning.
+ */
+export const URGENT_EXPIRE_DAYS = 7;

src/services/printScanResult.ts

@@ -9,6 +9,7 @@ import type {
 import {
   DEFAULT_ENV_FILE,
   EXPIRE_THRESHOLD_DAYS,
+  URGENT_EXPIRE_DAYS,
 } from '../config/constants.js';
 import { printHeader } from '../ui/scan/printHeader.js';
 import { printStats } from '../ui/scan/printStats.js';
@@ -107,7 +108,7 @@ export function printScanResult(
 
   // Expiration warnings
   if (scanResult.expireWarnings) {
-    printExpireWarnings(scanResult.expireWarnings);
+    printExpireWarnings(scanResult.expireWarnings, opts.strict);
   }
   // Check for high severity secrets - ALWAYS exit with error
   const hasHighSeveritySecrets = (scanResult.secrets ?? []).some(
@@ -127,6 +128,14 @@ export function printScanResult(
     exitWithError = true;
   }
 
+  const hasUrgentExpireWarnings = (scanResult.expireWarnings ?? []).some(
+    (w) => w.daysLeft <= URGENT_EXPIRE_DAYS,
+  );
+
+  if (hasUrgentExpireWarnings) {
+    exitWithError = true;
+  }
+
   // Gitignore check
   const gitignoreIssue = checkGitignoreStatus({
     cwd: opts.cwd,

src/ui/scan/printExpireWarnings.ts

@@ -1,5 +1,12 @@
 import type { ExpireWarning } from '../../config/types.js';
-import { label, value, accent, error, warning, divider, header } from '../theme.js';
+import {
+  label,
+  value,
+  error,
+  warning,
+  divider,
+  header,
+} from '../theme.js';
 import { EXPIRE_THRESHOLD_DAYS } from '../../config/constants.js';
 
 /**
@@ -8,18 +15,19 @@ import { EXPIRE_THRESHOLD_DAYS } from '../../config/constants.js';
  * @param warnings Array of expiration warnings
  * @returns void
  */
-export function printExpireWarnings(warnings: ExpireWarning[]): void {
+export function printExpireWarnings(
+  warnings: ExpireWarning[],
+  strict: boolean = false,
+): void {
   const relevant = warnings.filter((w) => w.daysLeft <= EXPIRE_THRESHOLD_DAYS);
   if (relevant.length === 0) return;
 
-  const mostUrgent = relevant.reduce((min, w) => Math.min(min, w.daysLeft), Infinity);
+  const mostUrgent = relevant.reduce(
+    (min, w) => Math.min(min, w.daysLeft),
+    Infinity,
+  );
 
-  const indicator =
-    mostUrgent <= 0
-      ? error('▸')
-      : mostUrgent <= 7
-        ? warning('▸')
-        : accent('▸');
+  const indicator = strict || mostUrgent <= 7 ? error('▸') : warning('▸');
 
   console.log();
   console.log(`${indicator} ${header('Expiration warnings')}`);
@@ -28,14 +36,19 @@ export function printExpireWarnings(warnings: ExpireWarning[]): void {
   const days = (n: number) => `${n} ${n === 1 ? 'day' : 'days'}`;
 
   for (const warn of relevant) {
-    const status =
+    const statusText =
       warn.daysLeft <= 0
-        ? error(`expired ${days(Math.abs(warn.daysLeft))} ago`)
-        : warn.daysLeft <= 7
-          ? warning(`expires in ${days(warn.daysLeft)}`)
-          : value(`expires in ${days(warn.daysLeft)}`);
+        ? `expired ${days(Math.abs(warn.daysLeft))} ago`
+        : `expires in ${days(warn.daysLeft)}`;
 
-    console.log(`${label(warn.key.padEnd(26))}${status}`);
+    const rowColor =
+      strict || warn.daysLeft <= 7
+        ? error
+        : warn.daysLeft <= EXPIRE_THRESHOLD_DAYS
+          ? warning
+          : value;
+
+    console.log(`${label(warn.key.padEnd(26))}${rowColor(statusText)}`);
   }
 
   console.log(`${divider}`);

test/e2e/cli.detectExpired.e2e.test.ts

@@ -50,7 +50,7 @@ describe('Expiration Warnings', () => {
 
     const res = runCli(cwd, []);
 
-    expect(res.status).toBe(0);
+    expect(res.status).toBe(1);
     expect(res.stdout).toContain('Expiration warnings');
     expect(res.stdout).toContain('EXPIRED_API_KEY');
     expect(res.stdout).toContain('EXPIRED');
@@ -78,7 +78,7 @@ describe('Expiration Warnings', () => {
 
     const res = runCli(cwd, []);
 
-    expect(res.status).toBe(0);
+    expect(res.status).toBe(1);
     expect(res.stdout).toContain('Expiration warnings');
     expect(res.stdout).toContain('SOON_EXPIRED_KEY');
     expect(res.stdout).toContain('expires in 3 days');
@@ -133,7 +133,7 @@ describe('Expiration Warnings', () => {
 
     const res = runCli(cwd, []);
 
-    expect(res.status).toBe(0);
+    expect(res.status).toBe(1);
     expect(res.stdout).toContain('Expiration warnings');
     expect(res.stdout).toContain('OLD_TOKEN');
     expect(res.stdout).toContain('NEW_TOKEN');
@@ -187,7 +187,7 @@ describe('Expiration Warnings', () => {
 
     const res = runCli(cwd, []);
 
-    expect(res.status).toBe(0);
+    expect(res.status).toBe(1);
     expect(res.stdout).toContain('Expiration warnings');
     expect(res.stdout).toContain('JS_STYLE_KEY');
     expect(res.stdout).toContain('SHELL_STYLE_KEY');
@@ -242,7 +242,7 @@ describe('Expiration Warnings', () => {
 
     const res = runCli(cwd, ['--json']);
 
-    expect(res.status).toBe(0);
+    expect(res.status).toBe(1);
     expect(res.stdout).not.toContain('Expiration warnings');
     expect(res.stdout).toContain('"expireWarnings"');
   });

test/unit/commands/scanUsage.test.ts

@@ -108,7 +108,9 @@ describe('scanUsage', () => {
     vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
     vi.mocked(printScanResult).mockReturnValue({ exitWithError: false });
     vi.mocked(printMissingExample).mockReturnValue(false);
-    vi.mocked(promptNoEnvScenario).mockResolvedValue({ compareFile: undefined });
+    vi.mocked(promptNoEnvScenario).mockResolvedValue({
+      compareFile: undefined,
+    });
   });
 
   it('returns early when example missing in CI mode', async () => {
@@ -158,6 +160,24 @@ describe('scanUsage', () => {
     expect(result.exitWithError).toBe(true);
   });
 
+  it('does not return error in JSON mode for non-high example warnings when strict is false', async () => {
+    vi.mocked(scanCodebase).mockResolvedValue({
+      ...baseScanResult,
+      exampleWarnings: [
+        {
+          key: 'EXAMPLE_KEY',
+          value: 'placeholder-but-flagged',
+          reason: 'Entropy',
+          severity: 'medium',
+        },
+      ],
+    } as any);
+
+    const result = await scanUsage({ ...baseOpts, json: true, strict: false });
+
+    expect(result.exitWithError).toBe(false);
+  });
+
   it('returns strict error in JSON mode when strict violations exist', async () => {
     vi.mocked(scanCodebase).mockResolvedValue({
       ...baseScanResult,
@@ -173,40 +193,56 @@ describe('scanUsage', () => {
     expect(result.exitWithError).toBe(true);
   });
 
-it('skips prompt when type is none and isCiMode is true', async () => {
-  vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
+  it('returns error in JSON mode when expiration warning is urgent (<=7 days)', async () => {
+    vi.mocked(scanCodebase).mockResolvedValue({
+      ...baseScanResult,
+      expireWarnings: [{ key: 'TOKEN', date: '2026-03-10', daysLeft: 7 }],
+    });
 
-  const result = await scanUsage({ ...baseOpts, isCiMode: true });
+    const result = await scanUsage({ ...baseOpts, json: true, strict: false });
 
-  expect(promptNoEnvScenario).not.toHaveBeenCalled();
-  expect(result.exitWithError).toBe(false);
-});
+    expect(result.exitWithError).toBe(true);
+  });
 
-it('skips prompt when type is none and json is true', async () => {
-  vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
+  it('skips prompt when type is none and isCiMode is true', async () => {
+    vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
 
-  const result = await scanUsage({ ...baseOpts, json: true });
+    const result = await scanUsage({ ...baseOpts, isCiMode: true });
 
-  expect(promptNoEnvScenario).not.toHaveBeenCalled();
-  expect(result.exitWithError).toBe(false);
-});
+    expect(promptNoEnvScenario).not.toHaveBeenCalled();
+    expect(result.exitWithError).toBe(false);
+  });
 
-  it('calls promptNoEnvScenario when type is none and not CI/json', async () => {
-  vi.mocked(promptNoEnvScenario).mockResolvedValue({
-    compareFile: { path: '/env/.env', name: '.env' },
+  it('skips prompt when type is none and json is true', async () => {
+    vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
+
+    const result = await scanUsage({ ...baseOpts, json: true });
+
+    expect(promptNoEnvScenario).not.toHaveBeenCalled();
+    expect(result.exitWithError).toBe(false);
   });
-  vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
-  vi.mocked(processComparisonFile).mockReturnValue({
-    scanResult: { ...baseScanResult },
-    comparedAgainst: '.env',
-    fix: { fixApplied: false, removedDuplicates: [], addedEnv: [], gitignoreUpdated: false },
-  } as any);
 
-  await scanUsage({ ...baseOpts, isCiMode: false, json: false });
+  it('calls promptNoEnvScenario when type is none and not CI/json', async () => {
+    vi.mocked(promptNoEnvScenario).mockResolvedValue({
+      compareFile: { path: '/env/.env', name: '.env' },
+    });
+    vi.mocked(determineComparisonFile).mockResolvedValue({ type: 'none' });
+    vi.mocked(processComparisonFile).mockReturnValue({
+      scanResult: { ...baseScanResult },
+      comparedAgainst: '.env',
+      fix: {
+        fixApplied: false,
+        removedDuplicates: [],
+        addedEnv: [],
+        gitignoreUpdated: false,
+      },
+    } as any);
+
+    await scanUsage({ ...baseOpts, isCiMode: false, json: false });
 
-  expect(promptNoEnvScenario).toHaveBeenCalled();
-  expect(processComparisonFile).toHaveBeenCalled();
-});
+    expect(promptNoEnvScenario).toHaveBeenCalled();
+    expect(processComparisonFile).toHaveBeenCalled();
+  });
 
   it('sets frameworkWarnings on scanResult when frameworkValidator returns results', async () => {
     const { frameworkValidator } =

test/unit/services/printScanResult.test.ts

@@ -301,6 +301,19 @@ describe('printScanResult', () => {
     expect(result.exitWithError).toBe(true);
   });
 
+  it('returns exitWithError true when expiration warning is urgent (<=7 days)', () => {
+    const result = printScanResult(
+      {
+        ...baseScanResult,
+        expireWarnings: [{ key: 'TOKEN', daysLeft: 7 } as any],
+      },
+      baseOpts,
+      '.env',
+    );
+
+    expect(result.exitWithError).toBe(true);
+  });
+
   it('checks gitignore status with cwd and default env file', () => {
     printScanResult(baseScanResult, baseOpts, '.env');