refactor(manifest/bazel): walker takes injected prune policy; reuse IGNORED_DIRS

`findWorkspaceRoots` no longer hardcodes the directory-prune set —
callers pass `ignoreDirNames: ReadonlySet<string>` and
`ignoreDirPrefixes: readonly string[]` via options. Neither defaults
to anything; absent means no pruning. This keeps the walker decoupled
from any particular ignore policy and avoids duplicating the
codebase-wide `IGNORED_DIRS` list.

`src/utils/glob.mts` exports `IGNORED_DIRS` so the orchestrator can
compose it with Bazel-specific extras. The orchestrator's composed
set: `IGNORED_DIRS` plus `.hg`, `.idea`, `.pnpm-store`,
`.socket-auto-manifest`, `.svn`, `.vscode`; prefixes `bazel-` and
`dist`.

Also tighten `MAX_WALK_DEPTH` from 16 → 8. Deepest workspace marker
observed across the surveyed OSS corpus is 9 (bazel-self test
fixtures); deepest in realistic application code is 7 (checkmk's
thirdparty layout). The cap gives one level of headroom over the
realistic max while still guarding against pathological symlink loops
that slipped past any prefix prune the caller supplied.

Walker test rewritten against the new injected API: covers the
no-prune-by-default case (`node_modules/MODULE.bazel` surfaces unless
the caller ignores `node_modules`), injected name and prefix prunes,
and the bazel-* symlink case under the prefix injection.

Author: simonhj

src/commands/manifest/bazel/bazel-workspace-walk.mts

@@ -6,11 +6,13 @@
  * `examples/<name>/MODULE.bazel`); the per-workspace algorithm in the
  * orchestrator runs once per discovered root.
  *
- * Pruning matches the now-deleted `bazel-lockfile-discovery.mts`: skip
- * directories that obviously aren't Bazel workspaces (`.git`, `node_modules`,
- * `.socket-auto-manifest`, etc.) and Bazel's `bazel-*` convenience symlinks
- * that point into <output_base> (tens of GiB of generated state). Also
- * prunes `dist*` build-output directories.
+ * The walker is dependency-injected with the directory-prune policy:
+ * callers pass the set of basenames and basename prefixes the walk must
+ * refuse to descend into. This module intentionally hardcodes none of
+ * the "common" prunes (`.git`, `node_modules`, …) — Bazel callers compose
+ * the codebase-wide `IGNORED_DIRS` list (`src/utils/glob.mts`) with the
+ * Bazel-specific bits (`bazel-*` output_base symlinks,
+ * `.socket-auto-manifest`, build-output `dist*`).
  */
 
 import { readdirSync } from 'node:fs'
@@ -21,38 +23,43 @@ import { logger } from '@socketsecurity/registry/lib/logger'
 // Hard ceiling on number of workspace roots we will surface. Real monorepos
 // have well under 50; this cap is a guard against pathological inputs.
 const MAX_WORKSPACE_ROOTS = 256
-// Hard ceiling on directory walk depth. Real workspaces nest <8 deep; the
-// cap protects against pathological symlink loops that slipped past the
-// `bazel-*` prefix prune.
-const MAX_WALK_DEPTH = 16
-// Directory basenames the walk refuses to descend into. None of these
-// contain Bazel workspaces, and node_modules / .git can be enormous.
-const PRUNE_DIR_NAMES = new Set([
-  '.git',
-  '.hg',
-  '.idea',
-  '.pnpm-store',
-  '.socket-auto-manifest',
-  '.svn',
-  '.vscode',
-  'node_modules',
-])
-// Directory basename prefixes the walk refuses to descend into. Bazel's
-// `bazel-out`, `bazel-bin`, `bazel-testlogs`, and `bazel-<workspace>`
-// convenience symlinks all point into the output_base. `dist`-prefixed
-// directories are build artefacts, not workspaces.
-const PRUNE_DIR_PREFIXES = ['bazel-', 'dist']
+// Hard ceiling on directory walk depth. Deepest workspace marker observed
+// across the OSS corpus surveyed is 9 (bazel-self test fixtures); deepest
+// in realistic application code is 7 (checkmk's thirdparty layout). Cap
+// is set to 8 — one level of headroom over the realistic max, while still
+// guarding against pathological symlink loops that slipped past any
+// prefix prune.
+const MAX_WALK_DEPTH = 8
 // Files whose presence promotes a directory to a workspace root.
 const WORKSPACE_MARKER_FILES = new Set([
   'MODULE.bazel',
   'WORKSPACE',
   'WORKSPACE.bazel',
 ])
 
-// Walks the tree rooted at `cwd` and returns absolute paths to every
+export type FindWorkspaceRootsOptions = {
+  cwd: string
+  // Directory basenames to skip outright (exact match). Pass the union of
+  // the codebase-wide ignore set (`IGNORED_DIRS` in `src/utils/glob.mts`)
+  // and any caller-specific additions (e.g. `.socket-auto-manifest`).
+  ignoreDirNames?: ReadonlySet<string>
+  // Directory basename prefixes to skip. Bazel callers pass `['bazel-',
+  // 'dist']` so the walk never descends into Bazel's output_base symlinks
+  // or build-output directories.
+  ignoreDirPrefixes?: readonly string[]
+  verbose?: boolean
+}
+
+const EMPTY_SET: ReadonlySet<string> = new Set()
+const EMPTY_ARRAY: readonly string[] = []
+
+// Walks the tree rooted at `opts.cwd` and returns absolute paths to every
 // directory that contains at least one workspace marker file. Output is
 // sorted for determinism.
-export function findWorkspaceRoots(cwd: string, verbose?: boolean): string[] {
+export function findWorkspaceRoots(opts: FindWorkspaceRootsOptions): string[] {
+  const { cwd, verbose } = opts
+  const ignoreDirNames = opts.ignoreDirNames ?? EMPTY_SET
+  const ignoreDirPrefixes = opts.ignoreDirPrefixes ?? EMPTY_ARRAY
   const out: string[] = []
   // Tuple stack: [absolute dir, depth from cwd].
   const stack: Array<[string, number]> = [[cwd, 0]]
@@ -98,11 +105,11 @@ export function findWorkspaceRoots(cwd: string, verbose?: boolean): string[] {
         continue
       }
       const name = entry.name
-      if (PRUNE_DIR_NAMES.has(name)) {
+      if (ignoreDirNames.has(name)) {
         continue
       }
       let pruned = false
-      for (const prefix of PRUNE_DIR_PREFIXES) {
+      for (const prefix of ignoreDirPrefixes) {
         if (name.startsWith(prefix)) {
           pruned = true
           break

src/commands/manifest/bazel/bazel-workspace-walk.test.mts

@@ -17,6 +17,22 @@ function touch(file: string): void {
   writeFileSync(file, '')
 }
 
+// Standard prune set Bazel callers pass: the codebase-wide IGNORED_DIRS
+// (.git, node_modules, etc.) plus the walker's own output dir, plus
+// `bazel-*` output_base symlinks and `dist*` build outputs. Replicated
+// inline here so the test stays decoupled from `src/utils/glob.mts`.
+const BAZEL_IGNORE_NAMES: ReadonlySet<string> = new Set([
+  '.git',
+  '.hg',
+  '.idea',
+  '.pnpm-store',
+  '.socket-auto-manifest',
+  '.svn',
+  '.vscode',
+  'node_modules',
+])
+const BAZEL_IGNORE_PREFIXES: readonly string[] = ['bazel-', 'dist']
+
 describe('bazel-workspace-walk', () => {
   let tmp: string
 
@@ -31,48 +47,54 @@ describe('bazel-workspace-walk', () => {
   describe('findWorkspaceRoots', () => {
     it('returns the root when only the root has MODULE.bazel', () => {
       touch(path.join(tmp, 'MODULE.bazel'))
-      expect(findWorkspaceRoots(tmp)).toEqual([tmp])
+      expect(findWorkspaceRoots({ cwd: tmp })).toEqual([tmp])
     })
 
     it('detects WORKSPACE and WORKSPACE.bazel as root markers', () => {
       touch(path.join(tmp, 'WORKSPACE'))
-      expect(findWorkspaceRoots(tmp)).toEqual([tmp])
+      expect(findWorkspaceRoots({ cwd: tmp })).toEqual([tmp])
       rmSync(path.join(tmp, 'WORKSPACE'))
       touch(path.join(tmp, 'WORKSPACE.bazel'))
-      expect(findWorkspaceRoots(tmp)).toEqual([tmp])
+      expect(findWorkspaceRoots({ cwd: tmp })).toEqual([tmp])
     })
 
     it('finds nested workspaces at arbitrary depth', () => {
       touch(path.join(tmp, 'MODULE.bazel'))
       touch(path.join(tmp, 'examples', 'dagger', 'MODULE.bazel'))
       touch(path.join(tmp, 'examples', 'android', 'nested', 'WORKSPACE.bazel'))
-      const found = findWorkspaceRoots(tmp).map(p => path.relative(tmp, p))
-      expect(found).toEqual([
-        '',
-        'examples/android/nested',
-        'examples/dagger',
-      ])
+      const found = findWorkspaceRoots({ cwd: tmp }).map(p =>
+        path.relative(tmp, p),
+      )
+      expect(found).toEqual(['', 'examples/android/nested', 'examples/dagger'])
     })
 
     it('returns [] when there is no workspace root', () => {
       writeFileSync(path.join(tmp, 'README.md'), '')
-      expect(findWorkspaceRoots(tmp)).toEqual([])
+      expect(findWorkspaceRoots({ cwd: tmp })).toEqual([])
+    })
+
+    it('does NOT prune by default — pruning policy is caller-supplied', () => {
+      touch(path.join(tmp, 'MODULE.bazel'))
+      touch(path.join(tmp, 'node_modules', 'MODULE.bazel'))
+      const found = findWorkspaceRoots({ cwd: tmp }).map(p =>
+        path.relative(tmp, p),
+      )
+      expect(found).toEqual(['', 'node_modules'])
     })
 
-    it('prunes .git / node_modules / .socket-auto-manifest', () => {
+    it('prunes injected ignoreDirNames', () => {
       touch(path.join(tmp, 'MODULE.bazel'))
-      // Sub-MODULE.bazel files inside pruned dirs must not be surfaced.
       for (const dir of ['node_modules', '.git', '.socket-auto-manifest']) {
         touch(path.join(tmp, dir, 'sub', 'MODULE.bazel'))
       }
-      const found = findWorkspaceRoots(tmp).map(p => path.relative(tmp, p))
+      const found = findWorkspaceRoots({
+        cwd: tmp,
+        ignoreDirNames: BAZEL_IGNORE_NAMES,
+      }).map(p => path.relative(tmp, p))
       expect(found).toEqual([''])
     })
 
-    it('prunes bazel-* convenience symlinks', () => {
-      // Simulate `bazel-out` pointing at a directory that contains a copy of
-      // MODULE.bazel. The walk must skip it; otherwise discovery would
-      // surface generated workspaces from <output_base>.
+    it('prunes injected ignoreDirPrefixes (bazel-* symlinks)', () => {
       const fakeOutputBase = mkdtempSync(
         path.join(os.tmpdir(), 'sock-fake-outbase-'),
       )
@@ -83,42 +105,45 @@ describe('bazel-workspace-walk', () => {
         touch(path.join(fakeOutputBase, 'external', 'maven', 'MODULE.bazel'))
         symlinkSync(fakeOutputBase, path.join(tmp, 'bazel-out'))
         touch(path.join(tmp, 'MODULE.bazel'))
-        const found = findWorkspaceRoots(tmp).map(p => path.relative(tmp, p))
+        const found = findWorkspaceRoots({
+          cwd: tmp,
+          ignoreDirPrefixes: BAZEL_IGNORE_PREFIXES,
+        }).map(p => path.relative(tmp, p))
         expect(found).toEqual([''])
       } finally {
         rmSync(fakeOutputBase, { recursive: true, force: true })
       }
     })
 
-    it('prunes dist* build-output directories', () => {
+    it('prunes injected dist* prefix', () => {
       touch(path.join(tmp, 'MODULE.bazel'))
       touch(path.join(tmp, 'dist', 'MODULE.bazel'))
       touch(path.join(tmp, 'distribution', 'MODULE.bazel'))
-      const found = findWorkspaceRoots(tmp).map(p => path.relative(tmp, p))
+      const found = findWorkspaceRoots({
+        cwd: tmp,
+        ignoreDirPrefixes: BAZEL_IGNORE_PREFIXES,
+      }).map(p => path.relative(tmp, p))
       expect(found).toEqual([''])
     })
 
     it('returns absolute, sorted paths', () => {
       touch(path.join(tmp, 'z', 'MODULE.bazel'))
       touch(path.join(tmp, 'a', 'MODULE.bazel'))
       touch(path.join(tmp, 'm', 'MODULE.bazel'))
-      const found = findWorkspaceRoots(tmp)
+      const found = findWorkspaceRoots({ cwd: tmp })
       expect(found).toEqual([
         path.join(tmp, 'a'),
         path.join(tmp, 'm'),
         path.join(tmp, 'z'),
       ])
-      // Absolute.
       for (const p of found) {
         expect(path.isAbsolute(p)).toBe(true)
       }
     })
 
     it('handles an unreadable directory by skipping it (no throw)', () => {
       touch(path.join(tmp, 'MODULE.bazel'))
-      // Reference a path that does not exist as cwd; the walker must not
-      // throw — it should return [] (no entries to read).
-      expect(findWorkspaceRoots(path.join(tmp, 'nope'))).toEqual([])
+      expect(findWorkspaceRoots({ cwd: path.join(tmp, 'nope') })).toEqual([])
     })
   })
 })

src/commands/manifest/bazel/extract_bazel_to_maven.mts

@@ -30,6 +30,7 @@ import {
 } from './bazel-workspace-detect.mts'
 import { findWorkspaceRoots } from './bazel-workspace-walk.mts'
 import { getErrorCause } from '../../../utils/errors.mts'
+import { IGNORED_DIRS } from '../../../utils/glob.mts'
 
 import type {
   CqueryRepoResult,
@@ -101,6 +102,22 @@ type Sidecar = {
 const DEFAULT_PER_REPO_TIMEOUT_MS = 60_000
 const REAP_TIMEOUT_MS = 10_000
 
+// Composed prune policy passed to the workspace walker. Reuses the
+// codebase-wide `IGNORED_DIRS` and augments it with: the walker's own
+// output dir (`.socket-auto-manifest`), VCS/IDE dirs not in the shared
+// list (`.hg`, `.svn`, `.idea`, `.vscode`, `.pnpm-store`), Bazel's
+// `bazel-*` output_base symlinks, and `dist*` build-output dirs.
+const WORKSPACE_WALK_IGNORE_NAMES: ReadonlySet<string> = new Set([
+  ...IGNORED_DIRS,
+  '.hg',
+  '.idea',
+  '.pnpm-store',
+  '.socket-auto-manifest',
+  '.svn',
+  '.vscode',
+])
+const WORKSPACE_WALK_IGNORE_PREFIXES: readonly string[] = ['bazel-', 'dist']
+
 type CoordPair = { groupArtifact: string; version: string }
 
 // Splits "g:a:v" -> { groupArtifact: "g:a", version: "v" }.
@@ -396,7 +413,12 @@ export async function extractBazelToMaven(
   const allArtifacts: ExtractedArtifact[] = []
 
   try {
-    const workspaceRoots = findWorkspaceRoots(cwd, verbose)
+    const workspaceRoots = findWorkspaceRoots({
+      cwd,
+      ignoreDirNames: WORKSPACE_WALK_IGNORE_NAMES,
+      ignoreDirPrefixes: WORKSPACE_WALK_IGNORE_PREFIXES,
+      verbose,
+    })
     if (!workspaceRoots.length) {
       logger.warn(
         `No Bazel workspace found at ${cwd} or beneath (looked for MODULE.bazel / WORKSPACE / WORKSPACE.bazel).`,

src/utils/glob.mts

@@ -22,7 +22,7 @@ const DEFAULT_IGNORE_FOR_GIT_IGNORE = defaultIgnore.filter(
   p => !p.endsWith('.gitignore'),
 )
 
-const IGNORED_DIRS = [
+export const IGNORED_DIRS = [
   // Taken from ignore-by-default:
   // https://github.com/novemberborn/ignore-by-default/blob/v2.1.0/index.js
   '.git', // Git repository files, see <https://git-scm.com/>