test: add SDK-to-CLI coverage audit snapshot tests

[romitg2]

test: add SDK-to-CLI coverage audit snapshot tests

Summary

Adds vitest snapshot tests that track which of the 272 generated SDK endpoint functions the CLI actually imports (214, ~79% coverage) and which 59 remain unused. When openapi.json changes — endpoints added, removed, or renamed — the snapshot diffs will surface the change and whether the CLI needs updating.

Changes:

• packages/cli/src/__tests__/sdk-cli-coverage-audit.test.ts — 6 snapshot tests:
  1. All exported SDK endpoint functions
  2. CLI-imported SDK functions
  3. Unused SDK functions (generated but not used by any CLI command)
  4. SDK imports by file (which command files import which functions)
  5. Hard assertion: no CLI imports reference non-existent SDK functions
  6. Coverage metrics (total, imported, unused, percent)
• packages/cli/package.json — adds vitest devDependency, test and test:update scripts
• bun.lock — updated with vitest dependency tree

This is PR 3 of 3:

• PR feat: add endpoint parameter contract snapshot tests for openapi.json #25: Endpoint parameter contract snapshot tests
• PR ci: add SDK freshness check and test runner jobs #26: CI freshness check + test runner jobs
• This PR: SDK↔CLI coverage audit

Review & Testing Checklist for Human

• Merge order matters. All 3 PRs independently add vitest + test scripts to packages/cli/package.json (branched off main). Merging the second/third will produce conflicts in package.json and bun.lock — plan the merge order accordingly.
• Regex-based parsing is fragile. getExportedSdkFunctions uses /^export const (\w+)\s*=/gm and getImportedSdkFunctions uses a regex to match import { ... } from '...generated/sdk.gen'. Verify these match the actual patterns in sdk.gen.ts and the CLI command files. Edge cases: multi-line imports with inline comments, or future changes to @hey-api/openapi-ts output format could silently produce wrong results rather than failing.
• client is hardcoded as the only non-endpoint export to skip. If @hey-api/openapi-ts introduces other infrastructure exports, this filter will need updating — consider whether a more robust heuristic is preferable. Note: client still appears in the "CLI-imported" snapshot (tracked for completeness) but is excluded from the hard assertion that checks for non-existent SDK functions.
• Coverage metric (79%) is a snapshot, not a threshold. The test will diff on any change but won't fail if coverage drops. Confirm this is the desired behavior vs. enforcing a minimum.

Suggested test plan

1. cd packages/cli && bun run test — all 6 tests should pass
2. Add a fake export const fooBarController = ... line to sdk.gen.ts → re-run → verify the "all SDK functions" and "unused functions" snapshots fail
3. Remove an import from a CLI command file → re-run → verify the "CLI-imported" and "imports by file" snapshots fail
4. Import a non-existent function from sdk.gen in a command file → re-run → verify the hard assertion (importedButMissing) fails

Notes

• The snapshot file is ~1000 lines (much smaller than PR feat: add endpoint parameter contract snapshot tests for openapi.json #25's 33K-line snapshot)
• All tests run fast (~20ms for the suite)
• Link to Devin session: https://app.devin.ai/sessions/b3fe168ceb994a049d4e314267f22fbc
• Requested by: @romitg2

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring