ailabs/puaros
1
0
Fork 0
mirror of https://github.com/samiyev/puaros.git synced 2025-12-27 23:06:54 +05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ailabs:v0.1.0
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0
...
compare: ailabs:v0.6.4
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0

20 Commits
v0.1.0 ... v0.6.4

Author SHA1 Message Date
imfozilbek
83b5dccee4 fix: improve repository method name suggestions and patterns 
- Add smart context-aware suggestions for repository method names
  - queryUsers() → search, findBy[Property]
  - selectById() → findBy[Property], get[Entity]
  - insertUser() → create, add[Entity], store[Entity]
  - And more intelligent pattern matching

- Expand domain method patterns support
  - find*() methods (findNodes, findNodeById, findSimilar)
  - saveAll() batch operations
  - deleteBy*() methods (deleteByPath, deleteById)
  - deleteAll() clear operations
  - add*() methods (addRelationship, addItem)
  - initializeCollection() initialization

- Remove findAll from ORM blacklist (valid domain method)

- Reduce complexity in suggestDomainMethodName (22 → 9)

Version 0.6.4
 2025-11-24 23:49:49 +05:00
imfozilbek
5a648e2c29 fix: reduce false positives in Repository Pattern detection 
- Added 11 new valid DDD repository method patterns
- Support for has*(), is*(), exists*(), clear*(), store*() methods
- Support for lifecycle methods: initialize(), close(), connect(), disconnect()
- Fixes issue where valid DDD patterns were flagged as violations
- Better alignment with real-world Domain-Driven Design practices

This reduces false positives in projects using cache repositories,
connection management, and domain-specific query methods.

Version: 0.6.3
 2025-11-24 23:04:57 +05:00
imfozilbek
d50cbe1a97 docs: add research-backed documentation for v0.6.2 
- Added docs/WHY.md with user-friendly rule explanations and authoritative sources
- Added docs/RESEARCH_CITATIONS.md with 551 lines of academic and industry references
- Updated README.md with micro-citations under each feature
- Enhanced CLI help with 'BACKED BY RESEARCH' section
- Updated AI tools mentions across all docs (GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline)
- Organized documentation structure: moved RESEARCH_CITATIONS.md to docs/
- Version bump: 0.6.1 -> 0.6.2

Research backing includes:
- Academia: MIT Course 6.031, ScienceDirect studies
- Books: Clean Architecture (Martin 2017), DDD (Evans 2003)
- Industry: Google, Microsoft, Airbnb style guides, SonarQube
- Experts: Martin Fowler, Robert C. Martin, Eric Evans, Alistair Cockburn
 2025-11-24 22:51:35 +05:00
imfozilbek
3ddcff1be3 docs: enhance CLI help system for AI agents and users 
Improved guardian --help with comprehensive, actionable information:
- Add DETECTS section with quick fix instructions for all 8 violation types
- Add SEVERITY LEVELS explanation (CRITICAL → LOW)
- Add step-by-step WORKFLOW guide
- Add 7 practical EXAMPLES covering common use cases
- Add HOW TO FIX COMMON ISSUES reference section

Technical improvements:
- Extract all help text strings to CLI_HELP_TEXT constants
- Fix 17 hardcoded string violations
- Maintain Single Source of Truth principle
- Zero violations in Guardian's own codebase

The help system now provides complete context for autonomous AI agents
and clear guidance for human developers.
 2025-11-24 21:53:41 +05:00
imfozilbek
452d9aafd0 docs: update ROADMAP to v0.6.0 
- Mark v0.6.0 as released
- Add comprehensive v0.6.0 section with all features
- Shift future versions (0.7.0 → 0.8.0, etc.)
- Update last modified date
 2025-11-24 21:37:11 +05:00
imfozilbek
a72b4ce167 chore: bump version to 0.6.0 
- Update version to 0.6.0 (minor release)
- Add comprehensive CHANGELOG entry for v0.6.0
- Document all features, changes, fixes, and removals
 2025-11-24 21:31:50 +05:00
imfozilbek
7df48c0bd2 docs: add development workflow to CLAUDE.md 
- Add complete feature development & release workflow
- Document 6 phases: Planning, Quality Checks, Documentation, Verification, Commit & Version, Publication
- Add quick checklist for new features
- Add common workflows (CLI option, detector, technical debt)
- Add debugging tips for build, test, and coverage issues
- Update Important Notes with best practices
 2025-11-24 21:29:26 +05:00
imfozilbek
4c0fc7185a docs: update TODO with technical debt and recent changes 
- Add low-coverage files to technical debt (SourceFile, ProjectPath, RepositoryViolation, ValueObject)
- Update test statistics (10 test files, 292 tests, 90.63% coverage)
- Add v0.5.2 section with limit feature and ESLint cleanup
- Document all completed tasks from this release
 2025-11-24 21:29:02 +05:00
imfozilbek
b73d736d34 docs: update README with new features 
- Add Entity Exposure Detection to features
- Add Dependency Direction Enforcement to features
- Add Repository Pattern Validation to features
- Update API documentation with all 8 violation types
- Add severity levels to all interfaces
- Document --limit option with examples
- Update ProjectMetrics interface
- Update test statistics (292 tests, 90.63% coverage)
 2025-11-24 21:28:43 +05:00
imfozilbek
3169936c75 refactor: remove dead code 
- Remove unused IBaseRepository interface
- Remove IBaseRepository export from domain/index.ts
- Fix repository pattern violations detected by Guardian
 2025-11-24 21:28:21 +05:00
imfozilbek
8654beb43d fix: remove unused imports and variables 
- Remove unused SEVERITY_LEVELS import from AnalyzeProject.ts
- Prefix unused fileName variable with underscore in HardcodeDetector.ts
- Replace || with ?? for nullish coalescing
 2025-11-24 21:28:05 +05:00
imfozilbek
5e70ee1a38 refactor: optimize ESLint configuration 
- Add CLI-specific overrides (disable no-console, complexity, max-lines-per-function)
- Disable no-unsafe-* rules for CLI (Commander.js is untyped)
- Increase max-params to 8 for DDD patterns
- Exclude examples/, tests/, *.config.ts from linting
- Disable style rules (prefer-nullish-coalescing, no-unnecessary-condition, no-nested-ternary)
- Reduce warnings from 129 to 0
 2025-11-24 21:27:46 +05:00
imfozilbek
7e4de182ff feat: add --limit CLI option for output control 
- Add --limit/-l option to limit detailed violation output
- Implement limit logic in displayGroupedViolations function
- Show warning when violations exceed limit
- Works with severity filters (--only-critical, --min-severity)
- Extract severity labels and headers to constants
- Improve CLI maintainability with SEVERITY_DISPLAY_LABELS and SEVERITY_SECTION_HEADERS
 2025-11-24 21:27:27 +05:00
imfozilbek
88876a258b feat: add severity-based sorting and filtering for violations (v0.5.2) 
- Add CRITICAL/HIGH/MEDIUM/LOW severity levels to all violations
- Sort violations by severity automatically (most critical first)
- Add CLI flags: --min-severity and --only-critical
- Group violations by severity in CLI output with color-coded headers
- Update all violation interfaces to include severity field
- Maintain 90%+ test coverage with all tests passing
- Update CHANGELOG.md, ROADMAP.md, and package version to 0.5.2
 2025-11-24 20:41:52 +05:00
imfozilbek
a34ca85241 chore: refactor hardcoded values to constants (v0.5.1) 
Major internal refactoring to eliminate hardcoded values and improve
maintainability. Guardian now fully passes its own quality checks!

Changes:
- Extract all RepositoryViolation messages to domain constants
- Extract all framework leak template strings to centralized constants
- Extract all layer paths to infrastructure constants
- Extract all regex patterns to IMPORT_PATTERNS constant
- Add 30+ new constants for better maintainability

New files:
- src/infrastructure/constants/paths.ts (layer paths, patterns)
- src/domain/constants/Messages.ts (25+ repository messages)
- src/domain/constants/FrameworkCategories.ts (framework categories)
- src/shared/constants/layers.ts (layer names)

Impact:
- Reduced hardcoded values from 37 to 1 (97% improvement)
- Guardian passes its own src/ directory checks with 0 violations
- All 292 tests still passing (100% pass rate)
- No breaking changes - fully backwards compatible

Test results:
- 292 tests passing (100% pass rate)
- 96.77% statement coverage
- 83.82% branch coverage
 2025-11-24 20:12:08 +05:00
imfozilbek
0534fdf1bd feat: add repository pattern validation (v0.5.0) 
Add comprehensive Repository Pattern validation to detect violations
and ensure proper domain-infrastructure separation.

Features:
- ORM type detection in repository interfaces (25+ patterns)
- Concrete repository usage detection in use cases
- Repository instantiation detection (new Repository())
- Domain language validation for repository methods
- Smart violation reporting with fix suggestions

Tests:
- 31 new tests for repository pattern detection
- 292 total tests passing (100% pass rate)
- 96.77% statement coverage, 83.82% branch coverage

Examples:
- 8 example files (4 bad patterns, 4 good patterns)
- Demonstrates Clean Architecture and SOLID principles
 2025-11-24 20:11:43 +05:00
imfozilbek
3fecc98676 feat: add dependency direction enforcement (v0.4.0) 
Implement dependency direction detection to enforce Clean Architecture rules:
- Domain layer can only import from Domain and Shared
- Application layer can only import from Domain, Application, and Shared
- Infrastructure layer can import from all layers
- Shared layer can be imported by all layers

Added:
- IDependencyDirectionDetector interface in domain layer
- DependencyViolation value object with detailed suggestions and examples
- DependencyDirectionDetector implementation in infrastructure
- Integration with AnalyzeProject use case
- New DEPENDENCY_DIRECTION rule in constants
- 43 comprehensive tests covering all scenarios (100% passing)
- Good and bad examples in examples directory

Improvements:
- Optimized extractLayerFromImport method to reduce complexity
- Fixed indentation in DependencyGraph.ts
- Updated getExampleFix to avoid false positives in old detector

Test Results:
- All 261 tests passing
- Build successful
- Self-check: 0 architecture violations in src code
 2025-11-24 18:31:41 +05:00
imfozilbek
f46048172f feat: add entity exposure detection (v0.3.0) 
Implement entity exposure detection to prevent domain entities
from leaking to API responses. Detects when controllers/routes
return domain entities instead of DTOs.

Features:
- EntityExposure value object with detailed suggestions
- IEntityExposureDetector interface in domain layer
- EntityExposureDetector implementation in infrastructure
- Integration into AnalyzeProject use case
- CLI display with helpful suggestions
- 24 comprehensive unit tests (98% coverage)
- Examples for bad and good patterns

Detection scope:
- Infrastructure layer only (controllers, routes, handlers, resolvers, gateways)
- Identifies PascalCase entities without Dto/Request/Response suffixes
- Parses async methods with Promise<T> return types
- Provides step-by-step remediation suggestions

Test coverage:
- EntityExposureDetector: 98.07%
- Overall project: 90.6% statements, 83.97% branches
- 218 tests passing

BREAKING CHANGE: Version bump to 0.3.0
 2025-11-24 13:51:12 +05:00
imfozilbek
a3cd71070e feat: add 25 architectural features to roadmap (v0.3-0.27) 
Add comprehensive architectural validation features covering:

Architecture Patterns (v0.3-0.12):
- Dependency Direction Enforcement
- Repository Pattern Validation
- Aggregate Boundary Validation
- Anemic Domain Model Detection
- Domain Event Usage Validation
- Value Object Immutability Check
- Use Case Single Responsibility
- Interface Segregation Validation
- Port-Adapter Pattern Validation
- Configuration File Support

DDD Patterns (v0.13-0.21):
- Command Query Separation (CQS/CQRS)
- Factory Pattern Validation
- Specification Pattern Detection
- Layered Service Anti-pattern Detection
- Bounded Context Leak Detection
- Transaction Script vs Domain Model
- Persistence Ignorance Validation
- Null Object Pattern Detection
- Primitive Obsession in Methods

Advanced Patterns (v0.22-0.27):
- Service Locator Anti-pattern
- Double Dispatch Pattern Validation
- Entity Identity Validation
- Saga Pattern Detection
- Anti-Corruption Layer Detection
- Ubiquitous Language Validation

Each feature includes detailed examples, violation detection,
and planned implementation for Q1-Q4 2026.
 2025-11-24 13:30:08 +05:00
imfozilbek
ae361a4d60 chore: bump version to 0.2.0 for framework leak detection release 2025-11-24 12:57:41 +05:00
61 changed files with 8577 additions and 239 deletions
Expand all files Collapse all files

21
CHANGELOG.md
View File

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [0.4.0] - 2025-11-24
### Added
- Dependency direction enforcement - validate that dependencies flow in the correct direction according to Clean Architecture principles
- Architecture layer violation detection for domain, application, and infrastructure layers
## [0.3.0] - 2025-11-24
### Added
- Entity exposure detection - identify when domain entities are exposed outside their module boundaries
- Enhanced architecture violation reporting
## [0.2.0] - 2025-11-24
### Added
- Framework leak detection - detect when domain layer imports framework code
- Framework leak reporting in CLI
- Framework leak examples and documentation
## [0.1.0] - 2025-11-24
### Added
- Initial monorepo setup with pnpm workspaces
- `@puaros/guardian` package - code quality guardian for vibe coders and enterprise teams

233
CLAUDE.md
View File

@@ -184,8 +184,239 @@ Development tools:
- `@vitest/ui` - Vitest UI for interactive testing
- `@vitest/coverage-v8` - Coverage reporting
## Development Workflow
### Complete Feature Development & Release Workflow
This workflow ensures high quality and consistency from feature implementation to package publication.
#### Phase 1: Feature Planning & Implementation
```bash
# 1. Create feature branch (if needed)
git checkout -b feature/your-feature-name
# 2. Implement feature following Clean Architecture
# - Add to appropriate layer (domain/application/infrastructure/cli)
# - Follow naming conventions
# - Keep functions small and focused
# 3. Update constants if adding CLI options
# Edit: packages/guardian/src/cli/constants.ts
```
#### Phase 2: Quality Checks (Run After Implementation)
```bash
# Navigate to package
cd packages/guardian
# 1. Format code (REQUIRED - 4 spaces indentation)
pnpm format
# 2. Build to check compilation
pnpm build
# 3. Run linter (must pass with 0 errors, 0 warnings)
cd ../.. && pnpm eslint "packages/**/*.ts" --fix
# 4. Run tests (all must pass)
pnpm test:run
# 5. Check coverage (must be ≥80%)
pnpm test:coverage
```
**Quality Gates:**
- ✅ Format: No changes after `pnpm format`
- ✅ Build: TypeScript compiles without errors
- ✅ Lint: 0 errors, 0 warnings
- ✅ Tests: All tests pass (292/292)
- ✅ Coverage: ≥80% on all metrics
#### Phase 3: Documentation Updates
```bash
# 1. Update README.md
# - Add new feature to Features section
# - Update CLI Usage examples if CLI changed
# - Update API documentation if public API changed
# - Update TypeScript interfaces
# 2. Update TODO.md
# - Mark completed tasks as done
# - Add new technical debt if discovered
# - Document coverage issues for new files
# - Update "Recent Updates" section with changes
# 3. Update CHANGELOG.md (for releases)
# - Add entry with version number
# - List all changes (features, fixes, improvements)
# - Follow Keep a Changelog format
```
#### Phase 4: Verification & Testing
```bash
# 1. Test CLI manually with examples
cd packages/guardian
node dist/cli/index.js check ./examples --limit 5
# 2. Test new feature with different options
node dist/cli/index.js check ./examples --only-critical
node dist/cli/index.js check ./examples --min-severity high
# 3. Verify output formatting and messages
# - Check that all violations display correctly
# - Verify severity labels and suggestions
# - Test edge cases and error handling
# 4. Run full quality check suite
pnpm format && pnpm eslint "packages/**/*.ts" && pnpm build && pnpm test:run
```
#### Phase 5: Commit & Version
```bash
# 1. Stage changes
git add .
# 2. Commit with Conventional Commits format
git commit -m "feat: add --limit option for output control"
# or
git commit -m "fix: resolve unused variable in detector"
# or
git commit -m "docs: update README with new features"
# Types: feat, fix, docs, style, refactor, test, chore
# 3. Update package version (if releasing)
cd packages/guardian
npm version patch # Bug fixes (0.5.2 → 0.5.3)
npm version minor # New features (0.5.2 → 0.6.0)
npm version major # Breaking changes (0.5.2 → 1.0.0)
# 4. Push changes
git push origin main # or your branch
git push --tags # Push version tags
```
#### Phase 6: Publication (Maintainers Only)
```bash
# 1. Final verification before publish
cd packages/guardian
pnpm build && pnpm test:run && pnpm test:coverage
# 2. Verify package contents
npm pack --dry-run
# 3. Publish to npm
npm publish --access public
# 4. Verify publication
npm info @samiyev/guardian
# 5. Test installation
npm install -g @samiyev/guardian@latest
guardian --version
```
### Quick Checklist for New Features
**Before Committing:**
- [ ] Feature implemented in correct layer
- [ ] Code formatted with `pnpm format`
- [ ] Lint passes: `pnpm eslint "packages/**/*.ts"`
- [ ] Build succeeds: `pnpm build`
- [ ] All tests pass: `pnpm test:run`
- [ ] Coverage ≥80%: `pnpm test:coverage`
- [ ] CLI tested manually if CLI changed
- [ ] README.md updated with examples
- [ ] TODO.md updated with progress
- [ ] No `console.log` in production code
- [ ] TypeScript interfaces documented
**Before Publishing:**
- [ ] CHANGELOG.md updated
- [ ] Version bumped in package.json
- [ ] All quality gates pass
- [ ] Examples work correctly
- [ ] Git tags pushed
### Common Workflows
**Adding a new CLI option:**
```bash
# 1. Add to cli/constants.ts (CLI_OPTIONS, CLI_DESCRIPTIONS)
# 2. Add option in cli/index.ts (.option() call)
# 3. Parse and use option in action handler
# 4. Test with: node dist/cli/index.js check ./examples --your-option
# 5. Update README.md CLI Usage section
# 6. Run quality checks
```
**Adding a new detector:**
```bash
# 1. Create value object in domain/value-objects/
# 2. Create detector in infrastructure/analyzers/
# 3. Add detector interface to domain/services/
# 4. Integrate in application/use-cases/AnalyzeProject.ts
# 5. Add CLI output in cli/index.ts
# 6. Write tests (aim for >90% coverage)
# 7. Update README.md Features section
# 8. Run full quality suite
```
**Fixing technical debt:**
```bash
# 1. Find issue in TODO.md
# 2. Implement fix
# 3. Run quality checks
# 4. Update TODO.md (mark as completed)
# 5. Commit with type: "refactor:" or "fix:"
```
### Debugging Tips
**Build errors:**
```bash
# Check TypeScript errors in detail
pnpm tsc --noEmit
# Check specific file
pnpm tsc --noEmit packages/guardian/src/path/to/file.ts
```
**Test failures:**
```bash
# Run single test file
pnpm vitest tests/path/to/test.test.ts
# Run tests with UI
pnpm test:ui
# Run tests in watch mode for debugging
pnpm test
```
**Coverage issues:**
```bash
# Generate detailed coverage report
pnpm test:coverage
# View HTML report
open coverage/index.html
# Check specific file coverage
pnpm vitest --coverage --reporter=verbose
```
## Important Notes
- **Always run `pnpm format` before committing** to ensure 4-space indentation
- **Fix ESLint warnings incrementally** - they indicate real type safety issues
- **Coverage is enforced** - maintain 80% coverage for all metrics when running `pnpm test:coverage`
- **Coverage is enforced** - maintain 80% coverage for all metrics when running `pnpm test:coverage`
- **Test CLI manually** - automated tests don't cover CLI output formatting
- **Update documentation** - README.md and TODO.md should always reflect current state
- **Follow Clean Architecture** - keep layers separate and dependencies flowing inward

31
eslint.config.mjs
View File

@@ -13,6 +13,9 @@ export default tseslint.config(
'**/coverage/**',
'**/.puaros/**',
'**/build/**',
'**/examples/**',
'**/tests/**',
'**/*.config.ts',
],
},
eslint.configs.recommended,
@@ -64,12 +67,12 @@ export default tseslint.config(
'@typescript-eslint/no-floating-promises': 'error',
'@typescript-eslint/await-thenable': 'error',
'@typescript-eslint/no-misused-promises': 'error',
'@typescript-eslint/prefer-nullish-coalescing': 'warn',
'@typescript-eslint/prefer-nullish-coalescing': 'off', // Allow || operator alongside ??
'@typescript-eslint/prefer-optional-chain': 'warn',
'@typescript-eslint/prefer-readonly': 'warn',
'@typescript-eslint/promise-function-async': 'warn',
'@typescript-eslint/require-await': 'warn',
'@typescript-eslint/no-unnecessary-condition': 'warn',
'@typescript-eslint/no-unnecessary-condition': 'off', // Sometimes useful for defensive coding
'@typescript-eslint/no-non-null-assertion': 'warn',
// ========================================
@@ -82,7 +85,7 @@ export default tseslint.config(
'prefer-const': 'error',
'prefer-arrow-callback': 'warn',
'prefer-template': 'warn',
'no-nested-ternary': 'warn',
'no-nested-ternary': 'off', // Allow nested ternaries when readable
'no-unneeded-ternary': 'error',
'no-else-return': 'warn',
eqeqeq: ['error', 'always'],
@@ -94,7 +97,7 @@ export default tseslint.config(
// ========================================
// Code Style (handled by Prettier mostly)
// ========================================
indent: ['error', 4, { SwitchCase: 1 }],
indent: 'off', // Let Prettier handle this
'@typescript-eslint/indent': 'off', // Let Prettier handle this
quotes: ['error', 'double', { avoidEscape: true }],
semi: ['error', 'never'],
@@ -156,4 +159,24 @@ export default tseslint.config(
],
},
},
{
// CLI-specific overrides
files: ['**/cli/**/*.ts', '**/cli/**/*.js'],
rules: {
'no-console': 'off', // Console is expected in CLI
'max-lines-per-function': 'off', // CLI action handlers can be long
complexity: 'off', // CLI logic can be complex
'@typescript-eslint/no-unsafe-member-access': 'off', // Commander options are untyped
'@typescript-eslint/no-unsafe-assignment': 'off',
'@typescript-eslint/no-unsafe-call': 'off',
'@typescript-eslint/no-unsafe-argument': 'off',
},
},
{
// Value Objects and Domain - allow more parameters for create methods
files: ['**/domain/value-objects/**/*.ts', '**/application/use-cases/**/*.ts'],
rules: {
'max-params': ['warn', 8], // DDD patterns often need more params
},
},
);

474
packages/guardian/CHANGELOG.md
View File

@@ -5,6 +5,477 @@ All notable changes to @samiyev/guardian will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.6.4] - 2025-11-24
### Added
**🎯 Smart Context-Aware Suggestions for Repository Method Names**
Guardian now provides intelligent, context-specific suggestions when it detects non-domain method names in repositories.
-**Intelligent method name analysis:**
- `queryUsers()` → Suggests: `search`, `findBy[Property]`
- `selectById()` → Suggests: `findBy[Property]`, `get[Entity]`
- `insertUser()` → Suggests: `create`, `add[Entity]`, `store[Entity]`
- `updateRecord()` → Suggests: `update`, `modify[Entity]`
- `upsertUser()` → Suggests: `save`, `store[Entity]`
- `removeUser()` → Suggests: `delete`, `removeBy[Property]`
- `fetchUserData()` → Suggests: `findBy[Property]`, `get[Entity]`
- And more technical patterns detected automatically!
- 🎯 **Impact:**
- Developers get actionable, relevant suggestions instead of generic examples
- Faster refactoring with specific naming alternatives
- Better learning experience for developers new to DDD
### Fixed
-**Expanded domain method patterns support:**
- `find*()` methods - e.g., `findNodes()`, `findNodeById()`, `findSimilar()`
- `saveAll()` - batch save operations
- `deleteBy*()` methods - e.g., `deleteByPath()`, `deleteById()`
- `deleteAll()` - clear all entities
- `add*()` methods - e.g., `addRelationship()`, `addItem()`
- `initializeCollection()` - collection initialization
- 🐛 **Removed `findAll` from technical methods blacklist:**
- `findAll()` is now correctly recognized as a standard domain method
- Reduced false positives for repositories using this common pattern
### Technical
- Added `suggestDomainMethodName()` method in `RepositoryPatternDetector.ts` with keyword-based suggestion mapping
- Updated `getNonDomainMethodSuggestion()` in `RepositoryViolation.ts` to extract and use smart suggestions
- Refactored suggestion logic to reduce cyclomatic complexity (22 → 9)
- Enhanced `domainMethodPatterns` with 9 additional patterns
- All 333 tests passing
## [0.6.3] - 2025-11-24
### Fixed
**🐛 Repository Pattern Detection - Reduced False Positives**
Fixed overly strict repository method name validation that was flagging valid DDD patterns as violations.
-**Added support for common DDD repository patterns:**
- `has*()` methods - e.g., `hasProject()`, `hasPermission()`
- `is*()` methods - e.g., `isCached()`, `isActive()`
- `exists*()` methods - e.g., `existsById()`, `existsByEmail()`
- `clear*()` methods - e.g., `clearCache()`, `clearAll()`
- `store*()` methods - e.g., `storeMetadata()`, `storeFile()`
- Lifecycle methods: `initialize()`, `close()`, `connect()`, `disconnect()`
- 🎯 **Impact:**
- Reduced false positives in real-world DDD projects
- Better alignment with Domain-Driven Design best practices
- More practical for cache repositories, connection management, and business queries
- 📚 **Why these patterns are valid:**
- Martin Fowler's Repository Pattern allows domain-specific query methods
- DDD recommends using ubiquitous language in method names
- Lifecycle methods are standard for resource management in repositories
### Technical
- Updated `domainMethodPatterns` in `RepositoryPatternDetector.ts` with 11 additional valid patterns
- All existing functionality remains unchanged
## [0.6.2] - 2025-11-24
### Added
**📚 Research-Backed Documentation**
Guardian's detection rules are now backed by scientific research and industry standards!
-**New Documentation**
- `docs/WHY.md` - User-friendly explanations for each rule with authoritative sources
- `docs/RESEARCH_CITATIONS.md` - Complete academic and industry references (551 lines)
- Organized by detection type with quick navigation
-**Micro-Citations in README**
- Each feature now includes one-line citation with "Why?" link
- Examples: "Based on MIT 6.031, SonarQube RSPEC-109"
- Non-intrusive, opt-in for users who want to learn more
-**CLI Help Enhancement**
- Added "BACKED BY RESEARCH" section to `--help` output
- Mentions MIT, Martin Fowler, Robert C. Martin, industry standards
- Link to full documentation
### Changed
- **Documentation Structure**: Moved `RESEARCH_CITATIONS.md` to `docs/` directory for better organization
- **All internal links updated** to reflect new documentation structure
### Backed By
Our rules are supported by:
- 🎓 **Academia**: MIT Course 6.031, ScienceDirect peer-reviewed studies
- 📚 **Books**: Clean Architecture (Martin 2017), DDD (Evans 2003), Enterprise Patterns (Fowler 2002)
- 🏢 **Industry**: Google, Microsoft, Airbnb style guides, SonarQube standards
- 👨‍🏫 **Experts**: Martin Fowler, Robert C. Martin, Eric Evans, Alistair Cockburn
## [0.6.1] - 2025-11-24
### Improved
**📖 Enhanced CLI Help System**
Guardian's `--help` command is now comprehensive and AI-agent-friendly!
-**Detailed Main Help**
- Complete detector descriptions with quick fix instructions
- Severity level explanations (CRITICAL → LOW)
- Step-by-step workflow guide for fixing violations
- 7 practical usage examples
- "HOW TO FIX COMMON ISSUES" reference section
-**Better Organization**
- Clear DETECTS section with all 8 violation types
- Each detector includes → what to do to fix it
- Severity system with priority guidance
- Examples cover all major use cases
-**AI Agent Ready**
- Help output provides complete context for autonomous agents
- Actionable instructions for each violation type
- Clear workflow: run → review → fix → verify
### Fixed
- **Code Quality**: Extracted all hardcoded strings from help text to constants
- Moved 17 magic strings to `CLI_HELP_TEXT` constant
- Improved maintainability and i18n readiness
- Follows Clean Code principles (Single Source of Truth)
### Technical
- All CLI help strings now use `CLI_HELP_TEXT` from constants
- Zero hardcode violations in Guardian's own codebase
- Passes all quality checks (format, lint, build, self-check)
## [0.6.0] - 2025-11-24
### Added
**🎯 Output Limit Control**
Guardian now supports limiting detailed violation output for large codebases!
-**--limit Option**
- Limit detailed violation output per category: `guardian check src --limit 10`
- Short form: `-l <number>`
- Works with severity filters: `guardian check src --only-critical --limit 5`
- Shows warning when violations exceed limit
- Full statistics always displayed
**📋 Severity Display Constants**
- Extracted severity labels and headers to reusable constants
- Improved CLI maintainability and consistency
- `SEVERITY_DISPLAY_LABELS` and `SEVERITY_SECTION_HEADERS`
**📚 Complete Development Workflow**
- Added comprehensive workflow documentation to CLAUDE.md
- 6-phase development process (Planning → Quality → Documentation → Verification → Commit → Publication)
- Quick checklists for new features
- Common workflows and debugging tips
### Changed
- **ESLint Configuration**: Optimized with CLI-specific overrides, reduced warnings from 129 to 0
- **Documentation**: Updated README with all 8 detector types and latest statistics
- **TODO**: Added technical debt tracking for low-coverage files
### Fixed
- Removed unused `SEVERITY_LEVELS` import from AnalyzeProject.ts
- Fixed unused `fileName` variable in HardcodeDetector.ts
- Replaced `||` with `??` for nullish coalescing
### Removed
- Deleted unused `IBaseRepository` interface (dead code)
- Fixed repository pattern violations detected by Guardian on itself
### Technical Details
- All 292 tests passing (100% pass rate)
- Coverage: 90.63% statements, 82.19% branches, 83.51% functions
- ESLint: 0 errors, 0 warnings
- Guardian self-check: ✅ No issues found
- No breaking changes - fully backwards compatible
## [0.5.2] - 2025-11-24
### Added
**🎯 Severity-Based Prioritization**
Guardian now intelligently prioritizes violations by severity, helping teams focus on critical issues first!
-**Severity Levels**
- 🔴 **CRITICAL**: Circular dependencies, Repository pattern violations
- 🟠 **HIGH**: Dependency direction violations, Framework leaks, Entity exposures
- 🟡 **MEDIUM**: Naming violations, Architecture violations
- 🟢 **LOW**: Hardcoded values
-**Automatic Sorting**
- All violations automatically sorted by severity (most critical first)
- Applied in AnalyzeProject use case before returning results
- Consistent ordering across all detection types
-**CLI Filtering Options**
- `--min-severity <level>` - Show only violations at specified level and above
- `--only-critical` - Quick filter for critical issues only
- Examples:
- `guardian check src --only-critical`
- `guardian check src --min-severity high`
-**Enhanced CLI Output**
- Color-coded severity labels (🔴🟠🟡🟢)
- Visual severity group headers with separators
- Severity displayed for each violation
- Clear filtering messages when filters active
### Changed
- Updated all violation interfaces to include `severity: SeverityLevel` field
- Improved CLI presentation with grouped severity display
- Enhanced developer experience with visual prioritization
### Technical Details
- All 292 tests passing (100% pass rate)
- Coverage: 90.63% statements, 82.19% branches, 83.51% functions
- No breaking changes - fully backwards compatible
- Clean Architecture principles maintained
---
## [0.5.1] - 2025-11-24
### Changed
**🧹 Code Quality Refactoring**
Major internal refactoring to eliminate hardcoded values and improve maintainability - Guardian now fully passes its own quality checks!
-**Extracted Constants**
- All RepositoryViolation messages moved to domain constants (Messages.ts)
- All framework leak template strings centralized
- All layer paths moved to infrastructure constants (paths.ts)
- All regex patterns extracted to IMPORT_PATTERNS constant
- 30+ new constants added for better maintainability
-**New Constants Files**
- `src/infrastructure/constants/paths.ts` - Layer paths, CLI paths, import patterns
- Extended `src/domain/constants/Messages.ts` - 25+ repository pattern messages
- Extended `src/shared/constants/rules.ts` - Package placeholder constant
-**Self-Validation Achievement**
- Reduced hardcoded values from 37 to 1 (97% improvement)
- Guardian now passes its own `src/` directory checks with 0 violations
- Only acceptable hardcode remaining: bin/guardian.js entry point path
- All 292 tests still passing (100% pass rate)
-**Improved Code Organization**
- Better separation of concerns
- More maintainable codebase
- Easier to extend with new features
- Follows DRY principle throughout
### Technical Details
- No breaking changes - fully backwards compatible
- All functionality preserved
- Test suite: 292 tests passing
- Coverage: 96.77% statements, 83.82% branches
---
## [0.5.0] - 2025-11-24
### Added
**📚 Repository Pattern Validation**
Validate proper implementation of the Repository Pattern to ensure domain remains decoupled from infrastructure.
-**ORM Type Detection in Interfaces**
- Detects ORM-specific types (Prisma, TypeORM, Mongoose) in domain repository interfaces
- Ensures repository interfaces remain persistence-agnostic
- Supports detection of 25+ ORM type patterns
- Provides fix suggestions with clean domain examples
-**Concrete Repository Usage Detection**
- Identifies use cases depending on concrete repository implementations
- Enforces Dependency Inversion Principle
- Validates constructor and field dependency types
- Suggests using repository interfaces instead
-**Repository Instantiation Detection**
- Detects `new Repository()` in use cases
- Enforces Dependency Injection pattern
- Identifies hidden dependencies
- Provides DI container setup guidance
-**Domain Language Validation**
- Checks repository methods use domain terminology
- Rejects technical database terms (findOne, insert, query, execute)
- Promotes ubiquitous language across codebase
- Suggests business-oriented method names
-**Smart Violation Reporting**
- RepositoryViolation value object with detailed context
- Four violation types: ORM types, concrete repos, new instances, technical names
- Provides actionable fix suggestions
- Shows before/after code examples
-**Comprehensive Test Coverage**
- 31 new tests for repository pattern detection
- 292 total tests passing (100% pass rate)
- Integration tests for multiple violation types
- 96.77% statement coverage, 83.82% branch coverage
-**Documentation & Examples**
- 6 example files (3 bad patterns, 3 good patterns)
- Comprehensive README with patterns and principles
- Examples for ORM types, concrete repos, DI, and domain language
- Demonstrates Clean Architecture and SOLID principles
### Changed
- Updated test count: 261 → 292 tests
- Added REPOSITORY_PATTERN rule to constants
- Extended AnalyzeProject use case with repository pattern detection
- Added REPOSITORY_VIOLATION_TYPES constant with 4 violation types
- ROADMAP updated with completed repository pattern validation (v0.5.0)
---
## [0.4.0] - 2025-11-24
### Added
**🔀 Dependency Direction Enforcement**
Enforce Clean Architecture dependency rules to prevent architectural violations across layers.
-**Dependency Direction Detector**
- Validates that dependencies flow in the correct direction
- Domain layer can only import from Domain and Shared
- Application layer can only import from Domain, Application, and Shared
- Infrastructure layer can import from all layers
- Shared layer can be imported by all layers
-**Smart Violation Reporting**
- DependencyViolation value object with detailed context
- Provides fix suggestions with concrete examples
- Shows both violating import and suggested layer placement
- CLI output with severity indicators
-**Comprehensive Test Coverage**
- 43 new tests for dependency direction detection
- 100% test pass rate (261 total tests)
- Examples for both good and bad architecture patterns
-**Documentation & Examples**
- Good architecture examples for all layers
- Bad architecture examples showing common violations
- Demonstrates proper layer separation
### Changed
- Updated test count: 218 → 261 tests
- Optimized extractLayerFromImport method to reduce complexity
- Updated getExampleFix to avoid false positives
- ROADMAP updated with completed dependency direction feature
---
## [0.3.0] - 2025-11-24
### Added
**🚫 Entity Exposure Detection**
Prevent domain entities from leaking to API responses, enforcing proper DTO usage at boundaries.
-**Entity Exposure Detector**
- Detects when controllers/routes return domain entities instead of DTOs
- Scans infrastructure layer (controllers, routes, handlers, resolvers, gateways)
- Identifies PascalCase entities without Dto/Request/Response suffixes
- Parses async methods with Promise<T> return types
-**Smart Remediation Suggestions**
- EntityExposure value object with step-by-step fix guidance
- Suggests creating DTOs with proper naming
- Provides mapper implementation examples
- Shows how to separate domain from presentation concerns
-**Comprehensive Test Coverage**
- 24 new tests for entity exposure detection (98% coverage)
- EntityExposureDetector: 98.07% coverage
- Overall project: 90.6% statements, 83.97% branches
-**Documentation & Examples**
- BadUserController and BadOrderController examples
- GoodUserController showing proper DTO usage
- Integration with CLI for helpful output
### Changed
- Updated test count: 194 → 218 tests
- Added entity exposure to violation pipeline
- ROADMAP updated with completed entity exposure feature
---
## [0.2.0] - 2025-11-24
### Added
**🔌 Framework Leak Detection**
Major new feature to detect framework-specific imports in domain layer, ensuring Clean Architecture compliance.
-**Framework Leak Detector**
- Detects 250+ framework patterns across 12 categories
- HTTP frameworks: Express, Fastify, Koa, Hapi, NestJS, etc.
- ORMs/Databases: Prisma, TypeORM, Sequelize, Mongoose, Drizzle, etc.
- Loggers: Winston, Pino, Bunyan, Log4js, etc.
- Caches: Redis, IORedis, Memcached, etc.
- Message Queues: Bull, BullMQ, KafkaJS, RabbitMQ, etc.
- And 7 more categories (HTTP clients, validation, DI, email, storage, testing, templates)
-**Smart Violation Reporting**
- Framework type categorization
- Detailed suggestions for proper abstraction
- CLI output with severity indicators
- Integration with existing violation pipeline
-**Comprehensive Test Coverage**
- 35 new tests for framework leak detection
- 100% coverage of detection logic
- Examples for all major framework types
-**Documentation & Examples**
- New bad architecture examples showing framework leaks
- Updated README with framework leak detection section
- Integration guides for preventing framework coupling
### Changed
- Updated test count: 159 → 194 tests across 7 files
- Updated examples: 36 → 38 files (29 good + 9 bad)
- CLI now reports 5 types of violations (added framework leaks)
---
## [0.1.0] - 2025-11-24
### Added
@@ -93,7 +564,7 @@ Code quality guardian for vibe coders and enterprise teams - your AI coding comp
#### Developer Experience
- 🤖 **Built for AI-Assisted Development**
- Perfect companion for Claude, GPT, Copilot, Cursor
- Perfect companion for GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline
- Catches common AI code smells (hardcoded values, architecture violations)
- Educational error messages with fix suggestions
- Designed for vibe coding workflow: AI writes → Guardian reviews → AI fixes → Ship
@@ -192,7 +663,6 @@ Code quality guardian for vibe coders and enterprise teams - your AI coding comp
## Future Releases
Planned features for upcoming versions:
- Entity exposure detection (domain entities in presentation layer)
- Configuration file support (.guardianrc)
- Custom rule definitions
- Plugin system

131
packages/guardian/README.md
View File

@@ -8,7 +8,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
> **Perfect for:**
> - 🚀 **Vibe Coders**: Ship fast with Claude, GPT, Copilot while maintaining quality
> - 🚀 **Vibe Coders**: Ship fast with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT while maintaining quality
> - 🏢 **Enterprise Teams**: Enforce architectural standards and code quality at scale
> - 📚 **Code Review Automation**: Catch issues before human reviewers see them
@@ -19,12 +19,16 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- 📝 Magic strings (URLs, connection strings, etc.)
- 🎯 Smart context analysis
- 💡 Automatic constant name suggestions
- 📍 Suggested location for constants
- 📚 *Based on: MIT 6.031, SonarQube RSPEC-109, peer-reviewed research* → [Why?](./docs/WHY.md#hardcode-detection)
🔄 **Circular Dependency Detection**
- Detects import cycles in your codebase
- Shows complete dependency chain
- Helps maintain clean architecture
- Prevents maintenance nightmares
- Severity-based reporting
- 📚 *Based on: Martin Fowler's architecture patterns, Shopify Engineering* → [Why?](./docs/WHY.md#circular-dependencies)
📝 **Naming Convention Detection**
- Layer-based naming rules enforcement
@@ -33,6 +37,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Infrastructure: Controllers (*Controller), Repositories (*Repository), Services (*Service/*Adapter)
- Smart exclusions for base classes
- Helpful fix suggestions
- 📚 *Based on: Google Style Guide, Airbnb JavaScript Style Guide, Microsoft Guidelines* → [Why?](./docs/WHY.md#naming-conventions)
🔌 **Framework Leak Detection**
- Detects framework-specific imports in domain layer
@@ -41,6 +46,31 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Detects external service dependencies (AWS SDK, Firebase, Stripe, Twilio)
- Maintains clean domain boundaries
- Prevents infrastructure coupling in business logic
- 📚 *Based on: Hexagonal Architecture (Cockburn 2005), Clean Architecture (Martin 2017)* → [Why?](./docs/WHY.md#framework-leaks)
🎭 **Entity Exposure Detection**
- Detects domain entities exposed in API responses
- Prevents data leakage through direct entity returns
- Enforces DTO/Response object usage
- Layer-aware validation
- Smart suggestions for proper DTOs
- 📚 *Based on: Martin Fowler's Enterprise Patterns (2002)* → [Why?](./docs/WHY.md#entity-exposure)
⬆️ **Dependency Direction Enforcement**
- Validates Clean Architecture layer dependencies
- Domain → Application → Infrastructure flow
- Prevents backwards dependencies
- Maintains architectural boundaries
- Detailed violation reports
- 📚 *Based on: Robert C. Martin's Dependency Rule, SOLID principles* → [Why?](./docs/WHY.md#clean-architecture)
📦 **Repository Pattern Validation**
- Validates repository interface design
- Detects ORM/technical types in interfaces
- Checks for technical method names (findOne, save, etc.)
- Enforces domain language usage
- Prevents "new Repository()" anti-pattern
- 📚 *Based on: Martin Fowler's Repository Pattern, DDD (Evans 2003)* → [Why?](./docs/WHY.md#repository-pattern)
🏗️ **Clean Architecture Enforcement**
- Built with DDD principles
@@ -48,6 +78,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- TypeScript with strict type checking
- Fully tested (80%+ coverage)
- Enforces architectural boundaries across teams
- 📚 *Based on: Clean Architecture (Martin 2017), Domain-Driven Design (Evans 2003)* → [Why?](./docs/WHY.md#clean-architecture)
🚀 **Developer & Enterprise Friendly**
- Simple API for developers
@@ -64,11 +95,11 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- 🏗️ Enforces Clean Architecture that AI often ignores
- 💡 Smart suggestions you can feed back to your AI assistant
- 🔄 Closes the feedback loop: better prompts = cleaner AI code
- 🚀 Works with Claude, GPT, Copilot, Cursor, and any AI tool
- 🚀 Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI tool
## Why Guardian for Vibe Coding?
**The Problem:** AI assistants (Claude, GPT, Copilot) are incredible at shipping features fast, but they love hardcoding values and sometimes ignore architectural patterns. You're moving fast, but accumulating tech debt.
**The Problem:** AI assistants (GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT) are incredible at shipping features fast, but they love hardcoding values and sometimes ignore architectural patterns. You're moving fast, but accumulating tech debt.
**The Solution:** Guardian is your quality safety net. Code with AI at full speed, then let Guardian catch the issues before they hit production.
@@ -354,6 +385,17 @@ npx @samiyev/guardian check ./src --verbose
npx @samiyev/guardian check ./src --no-hardcode # Skip hardcode detection
npx @samiyev/guardian check ./src --no-architecture # Skip architecture checks
# Filter by severity
npx @samiyev/guardian check ./src --min-severity high # Show high, critical only
npx @samiyev/guardian check ./src --only-critical # Show only critical issues
# Limit detailed output (useful for large codebases)
npx @samiyev/guardian check ./src --limit 10 # Show first 10 violations per category
npx @samiyev/guardian check ./src -l 20 # Short form
# Combine options
npx @samiyev/guardian check ./src --only-critical --limit 5 # Top 5 critical issues
# Show help
npx @samiyev/guardian --help
@@ -450,9 +492,17 @@ interface AnalyzeProjectRequest {
```typescript
interface AnalyzeProjectResponse {
// Violations
hardcodeViolations: HardcodeViolation[]
architectureViolations: ArchitectureViolation[]
violations: ArchitectureViolation[]
circularDependencyViolations: CircularDependencyViolation[]
namingViolations: NamingViolation[]
frameworkLeakViolations: FrameworkLeakViolation[]
entityExposureViolations: EntityExposureViolation[]
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
// Metrics
metrics: ProjectMetrics
}
@@ -463,21 +513,80 @@ interface HardcodeViolation {
type: "magic-number" | "magic-string"
value: string | number
context: string
suggestedConstantName: string
suggestedLocation: string
severity: "critical" | "high" | "medium" | "low"
suggestion: {
constantName: string
location: string
}
}
interface CircularDependencyViolation {
rule: "circular-dependency"
message: string
cycle: string[]
severity: "error"
severity: "critical" | "high" | "medium" | "low"
}
interface NamingViolation {
file: string
fileName: string
layer: string
type: string
message: string
suggestion?: string
severity: "critical" | "high" | "medium" | "low"
}
interface FrameworkLeakViolation {
file: string
packageName: string
category: string
categoryDescription: string
layer: string
rule: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface EntityExposureViolation {
file: string
line?: number
entityName: string
returnType: string
methodName?: string
layer: string
rule: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface DependencyDirectionViolation {
file: string
fromLayer: string
toLayer: string
importPath: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface RepositoryPatternViolation {
file: string
layer: string
violationType: string
details: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface ProjectMetrics {
totalFiles: number
analyzedFiles: number
totalLines: number
totalFunctions: number
totalImports: number
layerDistribution: Record<string, number>
}
```
@@ -852,7 +961,7 @@ Based on testing Guardian with AI-generated codebases:
A: No! Run it after AI generates code, not during. Analysis takes 1-2 seconds for most projects.
**Q: Can I use this with any AI coding assistant?**
A: Yes! Works with Claude, GPT, Copilot, Cursor, or any tool that generates TypeScript/JavaScript.
A: Yes! Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, or any tool that generates TypeScript/JavaScript.
**Q: Does Guardian replace ESLint/Prettier?**
A: No, it complements them. ESLint checks syntax, Guardian checks architecture and hardcodes.
@@ -861,7 +970,7 @@ A: No, it complements them. ESLint checks syntax, Guardian checks architecture a
A: Perfect use case! Guardian helps you identify tech debt so you can decide what to fix before production.
**Q: Can AI fix Guardian's findings automatically?**
A: Yes! Copy Guardian's output, paste into Claude/GPT with "fix these issues", and watch the magic.
A: Yes! Copy Guardian's output, paste into Claude, ChatGPT, or your AI assistant with "fix these issues", and watch the magic.
## Contributing

1684
packages/guardian/ROADMAP.md
View File

File diff suppressed because it is too large Load Diff

61
packages/guardian/TODO.md
View File

@@ -94,19 +94,38 @@ This file tracks technical debt, known issues, and improvements needed in the co
### Testing
- [x] ~~**Increase test coverage**~~**FIXED**
- ~~Current: 85.71% (target: 80%+)~~
- **New: 90.06%** (exceeds 80% target!)
- **New: 90.63%** (exceeds 80% target!)
- ~~But only 2 test files (Guards, BaseEntity)~~
- **Now: 7 test files** with 187 tests total
- **Now: 10 test files** with 292 tests total
- ~~Need tests for:~~
- ~~HardcodeDetector (main logic!)~~ ✅ 49 tests added
- ~~HardcodedValue~~ ✅ 28 tests added
- ~~FrameworkLeakDetector~~ ✅ 28 tests added
- ~~FrameworkLeakDetector~~ ✅ 35 tests added
- ~~NamingConventionDetector~~ ✅ 55 tests added
- ~~DependencyDirectionDetector~~ ✅ 43 tests added
- ~~EntityExposureDetector~~ ✅ 24 tests added
- ~~RepositoryPatternDetector~~ ✅ 31 tests added
- AnalyzeProject use case (pending)
- CLI commands (pending)
- FileScanner (pending)
- CodeParser (pending)
- Completed on: 2025-11-24
- [ ] **Improve test coverage for low-coverage files**
- **SourceFile.ts**: 44.82% coverage (entity, not critical but needs improvement)
- Missing: Property getters, metadata methods, dependency management
- Target: 80%+
- **ProjectPath.ts**: 50% coverage (value object)
- Missing: Path validation methods, edge cases
- Target: 80%+
- **RepositoryViolation.ts**: 55.26% coverage (value object)
- Missing: Violation type methods, details formatting
- Target: 80%+
- **ValueObject.ts**: 25% coverage (base class)
- Missing: equals() and other base methods
- Target: 80%+
- Priority: Medium (overall coverage is good, but these specific files need attention)
- [ ] **Add integration tests**
- Test full workflow: scan → parse → detect → report
- Test CLI end-to-end
@@ -179,7 +198,37 @@ When implementing these, consider semantic versioning:
## 📝 Recent Updates (2025-11-24)
### Completed Tasks
### v0.5.2 - Limit Feature & ESLint Cleanup
1.**Added --limit CLI option**
- Limits detailed output to specified number of violations per category
- Short form: `-l <number>`
- Works with severity filters (--only-critical, --min-severity)
- Shows warning when violations exceed limit
- Example: `guardian check ./src --limit 10`
- Updated CLI constants, index, and README documentation
2.**ESLint configuration cleanup**
- Reduced warnings from 129 to 0 ✨
- Added CLI-specific overrides (no-console, complexity, max-lines-per-function)
- Disabled no-unsafe-* rules for CLI (Commander.js is untyped)
- Increased max-params to 8 for DDD patterns
- Excluded examples/, tests/, *.config.ts from linting
- Disabled style rules (prefer-nullish-coalescing, no-unnecessary-condition, no-nested-ternary)
3.**Fixed remaining ESLint errors**
- Removed unused SEVERITY_LEVELS import from AnalyzeProject.ts
- Fixed unused fileName variable in HardcodeDetector.ts (prefixed with _)
- Replaced || with ?? for nullish coalescing
4.**Updated README.md**
- Added all new detectors to Features section (Entity Exposure, Dependency Direction, Repository Pattern)
- Updated API documentation with all 8 violation types
- Added severity levels to all interfaces
- Documented --limit option with examples
- Updated ProjectMetrics interface
- Updated test statistics (292 tests, 90.63% coverage)
### v0.5.0-0.5.1 - Architecture Enhancements
1.**Added comprehensive tests for HardcodeDetector** (49 tests)
- Magic numbers detection (setTimeout, retries, ports, limits)
- Magic strings detection (URLs, connection strings)
@@ -203,9 +252,9 @@ When implementing these, consider semantic versioning:
- Fixed constant truthiness errors
5.**Improved test coverage**
- From 85.71% to 90.06% (statements)
- From 85.71% to 90.63% (statements)
- All metrics now exceed 80% threshold
- Total tests: 16 → 187 tests
- Total tests: 16 → 292 tests
6.**Implemented Framework Leak Detection (v0.2.0)**
- Created FrameworkLeakDetector with 10 framework categories

553
packages/guardian/docs/RESEARCH_CITATIONS.md Normal file
View File

@@ -0,0 +1,553 @@
# Research Citations for Code Quality Detection Rules
This document provides authoritative sources, academic papers, industry standards, and expert references that support the code quality detection rules implemented in Guardian. These rules are not invented but based on established software engineering principles and best practices.
---
## Table of Contents
1. [Hardcode Detection (Magic Numbers & Strings)](#1-hardcode-detection-magic-numbers--strings)
2. [Circular Dependencies](#2-circular-dependencies)
3. [Clean Architecture / Layered Architecture](#3-clean-architecture--layered-architecture)
4. [Framework Leak Detection](#4-framework-leak-detection)
5. [Entity Exposure (DTO Pattern)](#5-entity-exposure-dto-pattern)
6. [Repository Pattern](#6-repository-pattern)
7. [Naming Conventions](#7-naming-conventions)
8. [General Software Quality Standards](#8-general-software-quality-standards)
9. [Code Complexity Metrics](#9-code-complexity-metrics)
10. [Additional Authoritative Sources](#10-additional-authoritative-sources)
---
## 1. Hardcode Detection (Magic Numbers & Strings)
### Academic Research
**What do developers consider magic literals? A smalltalk perspective** (2022)
- Published in ScienceDirect
- Conducted qualitative and quantitative studies on magic literals
- Analyzed 26 developers reviewing about 24,000 literals from more than 3,500 methods
- Studies ranged from small (four classes) to large (7,700 classes) systems
- Reference: [ScienceDirect Article](https://www.sciencedirect.com/science/article/abs/pii/S0950584922000908)
### Industry Standards
**MIT Course 6.031: Software Construction - Code Review**
- Magic numbers fail three key measures of code quality:
- Not safe from bugs (SFB)
- Not easy to understand (ETU)
- Not ready for change (RFC)
- Reference: [MIT Reading 4: Code Review](https://web.mit.edu/6.031/www/sp17/classes/04-code-review/)
**SonarQube Static Analysis Rules**
- Rule RSPEC-109: "Magic numbers should not be used"
- Identifies hardcoded values and magic numbers as code smells
- Reference: [SonarSource C Rule RSPEC-109](https://rules.sonarsource.com/c/rspec-109/)
### Historical Context
**Wikipedia: Magic Number (Programming)**
- Anti-pattern that breaks one of the oldest rules of programming
- Dating back to COBOL, FORTRAN, and PL/1 manuals of the 1960s
- Defined as "using a numeric literal in source code that has a special meaning that is less than clear"
- Reference: [Wikipedia - Magic Number](https://en.wikipedia.org/wiki/Magic_number_(programming))
### Best Practices
**DRY Principle Violation**
- Magic numbers violate the DRY (Don't Repeat Yourself) principle
- Encourage duplicated hardcoded values instead of centralized definitions
- Make code brittle and prone to errors
- Reference: [Stack Overflow - What are magic numbers](https://stackoverflow.com/questions/47882/what-are-magic-numbers-and-why-do-some-consider-them-bad)
---
## 2. Circular Dependencies
### Expert Opinion
**Martin Fowler on Breaking Cycles**
- "Putting abstract classes in supertype package is good way of breaking cycles in the dependency structure"
- Suggests using abstraction as a technique to break circular dependencies
- Reference: [TechTarget - Circular Dependencies in Microservices](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
### Impact on Software Quality
**Maintainability Issues**
- Circular dependencies make code difficult to read and maintain over time
- Open the door to error-prone applications that are difficult to test
- Changes to a single module cause a large ripple effect of errors
- Reference: [TechTarget - Circular Dependencies](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
**Component Coupling**
- "You can't change or evolve components independently of each other"
- Services become hardly maintainable and highly coupled
- Components cannot be tested in isolation
- Reference: [DEV Community - Circular Dependencies Between Microservices](https://dev.to/cloudx/circular-dependencies-between-microservices-11hn)
### Solution Patterns
**Shopify Engineering: Repository Pattern**
- "Remove Circular Dependencies by Using Dependency Injection and the Repository Pattern in Ruby"
- Demonstrates practical application of breaking circular dependencies
- Reference: [Shopify Engineering](https://shopify.engineering/repository-pattern-ruby)
---
## 3. Clean Architecture / Layered Architecture
### The Dependency Rule - Robert C. Martin
**Book: Clean Architecture: A Craftsman's Guide to Software Structure and Design** (2017)
- Author: Robert C. Martin (Uncle Bob)
- Publisher: Prentice Hall
- ISBN: 978-0134494166
- Available at: [Amazon](https://www.amazon.com/Clean-Architecture-Craftsmans-Software-Structure/dp/0134494164)
**The Dependency Rule (Core Principle)**
- "Source code dependencies can only point inwards"
- "Nothing in an inner circle can know anything at all about something in an outer circle"
- "The name of something declared in an outer circle must not be mentioned by the code in the inner circle"
- Reference: [The Clean Architecture Blog Post](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html)
**Layer Organization**
- Dependencies flow towards higher-level policies and domain logic
- Inner layers (domain) should not depend on outer layers (infrastructure)
- Use dynamic polymorphism to create source code dependencies that oppose the flow of control
- Reference: [Clean Architecture Beginner's Guide](https://betterprogramming.pub/the-clean-architecture-beginners-guide-e4b7058c1165)
**O'Reilly Resources**
- Complete book available through O'Reilly Learning Platform
- Reference: [O'Reilly - Clean Architecture](https://www.oreilly.com/library/view/clean-architecture-a/9780134494272/)
### SOLID Principles - Robert C. Martin
**Paper: Design Principles and Design Patterns** (2000)
- Author: Robert C. Martin
- Introduced the basic principles of SOLID design
- SOLID acronym coined by Michael Feathers around 2004
- Reference: [Wikipedia - SOLID](https://en.wikipedia.org/wiki/SOLID)
**Dependency Inversion Principle (DIP)**
- High-level modules should not depend on low-level modules; both should depend on abstractions
- Abstractions should not depend on details; details should depend on abstractions
- Enables loosely coupled components and simpler testing
- Reference: [DigitalOcean - SOLID Principles](https://www.digitalocean.com/community/conceptual-articles/s-o-l-i-d-the-first-five-principles-of-object-oriented-design)
**Single Responsibility Principle (SRP)**
- "There should never be more than one reason for a class to change"
- Every class should have only one responsibility
- Classes with single responsibility are easier to understand, test, and modify
- Reference: [Real Python - SOLID Principles](https://realpython.com/solid-principles-python/)
---
## 4. Framework Leak Detection
### Hexagonal Architecture (Ports & Adapters)
**Original Paper: The Hexagonal (Ports & Adapters) Architecture** (2005)
- Author: Alistair Cockburn
- Document: HaT Technical Report 2005.02
- Date: 2005-09-04 (v 0.9)
- Intent: "Allow an application to equally be driven by users, programs, automated test or batch scripts, and to be developed and tested in isolation from its eventual run-time devices and databases"
- Reference: [Alistair Cockburn - Hexagonal Architecture](https://alistair.cockburn.us/hexagonal-architecture)
### Domain-Driven Design (DDD) and Hexagonal Architecture
**Domain-Driven Hexagon Repository**
- Comprehensive guide combining DDD with hexagonal architecture
- "Application Core shouldn't depend on frameworks or access external resources directly"
- "External calls should be done through ports (interfaces)"
- Reference: [GitHub - Domain-Driven Hexagon](https://github.com/Sairyss/domain-driven-hexagon)
**AWS Prescriptive Guidance**
- "The hexagonal architecture pattern is used to isolate business logic (domain logic) from related infrastructure code"
- Outer layers can depend on inner layers, but inner layers never depend on outer layers
- Reference: [AWS - Hexagonal Architecture Pattern](https://docs.aws.amazon.com/prescriptive-guidance/latest/cloud-design-patterns/hexagonal-architecture.html)
### Preventing Logic Leakage
**Ports and Adapters Benefits**
- Shields domain logic from leaking out of application's core
- Prevents technical details (like JPA entities) and libraries (like O/R mappers) from leaking into application
- Keeps application agnostic of external actors
- Reference: [Medium - Hexagonal Architecture](https://medium.com/ssense-tech/hexagonal-architecture-there-are-always-two-sides-to-every-story-bc0780ed7d9c)
**Herberto Graca's Explicit Architecture**
- "DDD, Hexagonal, Onion, Clean, CQRS, … How I put it all together"
- Comprehensive guide on preventing architectural leakage
- Reference: [Herberto Graca's Blog](https://herbertograca.com/2017/11/16/explicit-architecture-01-ddd-hexagonal-onion-clean-cqrs-how-i-put-it-all-together/)
---
## 5. Entity Exposure (DTO Pattern)
### Martin Fowler's Pattern Definition
**Book: Patterns of Enterprise Application Architecture** (2002)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- First introduced the Data Transfer Object (DTO) pattern
- Reference: [Martin Fowler - Data Transfer Object](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
**DTO Pattern Purpose**
- "The main reason for using a Data Transfer Object is to batch up what would be multiple remote calls into a single call"
- "DTOs are called Data Transfer Objects because their whole purpose is to shift data in expensive remote calls"
- Part of implementing a coarse-grained interface needed for remote performance
- Reference: [Martin Fowler's EAA Catalog](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
### LocalDTO Anti-Pattern
**Martin Fowler on Local DTOs**
- "In a local context, DTOs are not just unnecessary but actually harmful"
- Harmful because coarse-grained API is more difficult to use
- Requires extra work moving data from domain/data source layer into DTOs
- Reference: [Martin Fowler - LocalDTO](https://martinfowler.com/bliki/LocalDTO.html)
### Security and Encapsulation Benefits
**Baeldung: The DTO Pattern**
- DTOs provide only relevant information to the client
- Hide sensitive data like passwords for security reasons
- Decoupling persistence model from domain model reduces risk of exposing domain model
- Reference: [Baeldung - DTO Pattern](https://www.baeldung.com/java-dto-pattern)
**Wikipedia: Data Transfer Object**
- Carries data between processes
- Reduces the number of method calls
- Industry-standard pattern for API design
- Reference: [Wikipedia - Data Transfer Object](https://en.wikipedia.org/wiki/Data_transfer_object)
---
## 6. Repository Pattern
### Martin Fowler's Pattern Definition
**Book: Patterns of Enterprise Application Architecture** (2002)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- ISBN: 978-0321127426
- Available at: [Internet Archive](https://archive.org/details/PatternsOfEnterpriseApplicationArchitectureByMartinFowler)
**Repository Pattern Definition**
- "Mediates between the domain and data mapping layers using a collection-like interface for accessing domain objects"
- Listed under Data Source Architectural Patterns
- Main goal: separate domain logic from data persistence logic
- Reference: [Martin Fowler - Repository](https://martinfowler.com/eaaCatalog/repository.html)
**Pattern Purpose**
- "Adding this layer helps minimize duplicate query logic"
- Original definition: "all about minimizing duplicate query logic"
- Chapter 13 of online ebook at O'Reilly
- Reference: [Martin Fowler's EAA Catalog](https://martinfowler.com/eaaCatalog/)
### Microsoft Guidance
**Microsoft Learn: Infrastructure Persistence Layer Design**
- "Designing the infrastructure persistence layer" for microservices and DDD
- Official Microsoft documentation on repository pattern usage
- Reference: [Microsoft Learn - Repository Pattern](https://learn.microsoft.com/en-us/dotnet/architecture/microservices/microservice-ddd-cqrs-patterns/infrastructure-persistence-layer-design)
### Domain-Driven Design Context
**Eric Evans Reference**
- "You can also find a good write-up of this pattern in Domain Driven Design"
- Repository is a key tactical pattern in DDD
- Reference: [Stack Overflow - Repository Pattern Author](https://softwareengineering.stackexchange.com/questions/132813/whos-the-author-creator-of-the-repository-pattern)
---
## 7. Naming Conventions
### Use Case Naming
**Use Case Naming Convention: Verb + Noun**
- Default naming pattern: "(Actor) Verb Noun" with actor being optional
- Name must be in the form of VERB-OBJECT with verb in imperative mode
- Examples: "Customer Process Order", "Send Notification"
- Reference: [TM Forum - Use Case Naming Conventions](https://tmforum-oda.github.io/oda-ca-docs/canvas/usecase-library/use-case-naming-conventions.html)
**Good Use Case Names**
- Use meaningful verbs, not generic ones like "Process"
- Specific actions like "Validate the Ordered Items"
- Name must be unique
- Reference: [Tyner Blain - How to Write Good Use Case Names](https://tynerblain.com/blog/2007/01/22/how-to-write-good-use-case-names/)
### Industry Style Guides
**Google Java Style Guide**
- Method names are written in lowerCamelCase
- Class names should be in PascalCase
- Class names are typically nouns or noun phrases (e.g., Character, ImmutableList)
- Reference: [Google Java Style Guide](https://google.github.io/styleguide/javaguide.html)
**Airbnb JavaScript Style Guide**
- Avoid single letter names; be descriptive with naming
- Use camelCase when naming objects, functions, and instances
- Use PascalCase when exporting constructor/class/singleton
- Filename should be identical to function's name
- Reference: [Airbnb JavaScript Style Guide](https://github.com/airbnb/javascript)
**Microsoft Naming Conventions**
- Variables, methods, instance fields: camelCase
- Class and interface names: PascalCase (capitalized CamelCase)
- Constants: CONSTANT_CASE (all uppercase with underscores)
- Reference: [GeeksforGeeks - Java Naming Conventions](https://www.geeksforgeeks.org/java/java-naming-conventions/)
### General Naming Patterns
**Wikipedia: Naming Conventions**
- Classes are nouns or noun phrases
- Methods/functions are verbs or verb phrases to identify actions
- Established convention across multiple programming languages
- Reference: [Wikipedia - Naming Convention](https://en.wikipedia.org/wiki/Naming_convention_(programming))
**Devopedia: Naming Conventions**
- Comprehensive coverage of naming conventions across languages
- Historical context and evolution of naming standards
- Reference: [Devopedia - Naming Conventions](https://devopedia.org/naming-conventions)
---
## 8. General Software Quality Standards
### ISO/IEC 25010 Software Quality Model
**ISO/IEC 25010:2011 (Updated 2023)**
- Title: "Systems and software engineering Systems and software Quality Requirements and Evaluation (SQuaRE) System and software quality models"
- Defines eight software quality characteristics
- Reference: [ISO 25010 Official Standard](https://www.iso.org/standard/35733.html)
**Eight Quality Characteristics**
1. Functional suitability
2. Performance efficiency
3. Compatibility
4. Usability
5. Reliability
6. Security
7. Maintainability
8. Portability
**Maintainability Sub-characteristics**
- **Modularity**: Components can be changed with minimal impact on other components
- **Reusability**: Assets can be used in more than one system
- **Analysability**: Effectiveness of impact assessment and failure diagnosis
- **Modifiability**: System can be modified without introducing defects
- **Testability**: Test criteria effectiveness and execution
- Reference: [ISO 25000 Portal](https://iso25000.com/index.php/en/iso-25000-standards/iso-25010)
**Practical Application**
- Used throughout software development lifecycle
- Define quality requirements and evaluate products
- Static analysis plays key role in security and maintainability
- Reference: [Perforce - What is ISO 25010](https://www.perforce.com/blog/qac/what-is-iso-25010)
### SQuaRE Framework
**ISO/IEC 25000 Series**
- System and Software Quality Requirements and Evaluation (SQuaRE)
- Contains framework to evaluate software product quality
- Derived from earlier ISO/IEC 9126 standard
- Reference: [Codacy Blog - ISO 25010 Software Quality Model](https://blog.codacy.com/iso-25010-software-quality-model)
---
## 9. Code Complexity Metrics
### Cyclomatic Complexity
**Original Work: Thomas McCabe** (1976)
- Developed by Thomas McCabe in 1976
- Derived from graph theory
- Measures "the amount of decision logic in a source code function"
- Quantifies the number of independent paths through program's source code
- Reference: [Wikipedia - Cyclomatic Complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity)
**NIST Recommendations**
- NIST235 indicates that a limit of 10 is a good starting point
- Original limit of 10 proposed by McCabe has significant supporting evidence
- Limits as high as 15 have been used successfully
- Reference: [Microsoft Learn - Cyclomatic Complexity](https://learn.microsoft.com/en-us/visualstudio/code-quality/code-metrics-cyclomatic-complexity)
**Research Findings**
- Positive correlation between cyclomatic complexity and defects
- Functions with highest complexity tend to contain the most defects
- "The SATC has found the most effective evaluation is a combination of size and (Cyclomatic) complexity"
- Modules with both high complexity and large size have lowest reliability
- Reference: [Wikipedia - Cyclomatic Complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity)
### Cognitive Complexity - SonarQube
**Cognitive Complexity Definition**
- Measure of how hard it is to understand code's control flow
- Code with high cognitive complexity is hard to read, understand, test, and modify
- Incremented when code breaks normal linear reading flow
- Reference: [SonarSource - Cognitive Complexity](https://www.sonarsource.com/blog/5-clean-code-tips-for-reducing-cognitive-complexity/)
**Recommended Thresholds**
- General rule: aim for scores below 15
- SonarQube default maximum complexity: 15
- Method Cognitive Complexity greater than 20 commonly used as quality gate
- Reference: [Medium - Cognitive Complexity by SonarQube](https://medium.com/@himanshuganglani/clean-code-cognitive-complexity-by-sonarqube-659d49a6837d)
**Calculation Method**
- Counts if/else conditions, nested loops (for, forEach, do/while)
- Includes try/catch blocks and switch statements
- Mixed operators in conditions increase complexity
- Reference: [SonarQube Documentation - Metrics Definition](https://docs.sonarsource.com/sonarqube-server/10.8/user-guide/code-metrics/metrics-definition)
### Academic Research on Software Maintainability
**Tool-Based Perspective on Software Code Maintainability Metrics** (2020)
- Authors: Ardito et al.
- Published in: Scientific Programming (Wiley Online Library)
- Systematic Literature Review on maintainability metrics
- Reference: [Wiley - Software Code Maintainability Metrics](https://onlinelibrary.wiley.com/doi/10.1155/2020/8840389)
**Code Reviews and Complexity** (2024)
- Paper: "The utility of complexity metrics during code reviews for CSE software projects"
- Published in: ScienceDirect
- Analyzes metrics gathered via GitHub Actions for pull requests
- Techniques to guide code review considering cyclomatic complexity levels
- Reference: [ScienceDirect - Complexity Metrics](https://www.sciencedirect.com/science/article/abs/pii/S0167739X2400270X)
---
## 10. Additional Authoritative Sources
### Code Smells and Refactoring
**Book: Refactoring: Improving the Design of Existing Code** (1999, 2nd Edition 2018)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- ISBN (1st Ed): 978-0201485677
- ISBN (2nd Ed): 978-0134757599
- Term "code smell" first coined by Kent Beck
- Featured in the 1999 Refactoring book
- Reference: [Martin Fowler - Code Smell](https://martinfowler.com/bliki/CodeSmell.html)
**Code Smell Definition**
- "Certain structures in the code that indicate violation of fundamental design principles"
- "Surface indication that usually corresponds to a deeper problem in the system"
- Heuristics to indicate when to refactor
- Reference: [Wikipedia - Code Smell](https://en.wikipedia.org/wiki/Code_smell)
**Duplication as Major Code Smell**
- Duplication is one of the biggest code smells
- Spotting duplicate code and removing it leads to improved design
- Reference: [Coding Horror - Code Smells](https://blog.codinghorror.com/code-smells/)
### Domain-Driven Design
**Book: Domain-Driven Design: Tackling Complexity in the Heart of Software** (2003)
- Author: Eric Evans
- Publisher: Addison-Wesley Professional
- ISBN: 978-0321125217
- Available at: [Amazon](https://www.amazon.com/Domain-Driven-Design-Tackling-Complexity-Software/dp/0321125215)
**DDD Reference Document**
- Official Domain-Driven Design Reference by Eric Evans
- PDF: Domain-­Driven Design Reference (2015)
- Reference: [Domain Language - DDD Reference](https://www.domainlanguage.com/wp-content/uploads/2016/05/DDD_Reference_2015-03.pdf)
**Key DDD Concepts**
- Entities: Defined by their identity
- Value Objects: Defined by their attributes
- Aggregates: Clusters of entities that behave as single unit
- Repositories: Separate domain logic from persistence
- Reference: [Martin Fowler - Domain Driven Design](https://martinfowler.com/bliki/DomainDrivenDesign.html)
### Code Complete - Steve McConnell
**Book: Code Complete: A Practical Handbook of Software Construction** (1993, 2nd Edition 2004)
- Author: Steve McConnell
- Publisher: Microsoft Press
- ISBN: 978-0735619678
- Won Jolt Award in 1993
- Best-selling, best-reviewed software development book
- Reference: [Amazon - Code Complete](https://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670)
**Key Topics Covered**
- Naming variables to deciding when to write a subroutine
- Architecture, coding standards, testing, integration
- Software craftsmanship nature
- Main activities: detailed design, construction planning, coding, debugging, testing
- Reference: [Wikipedia - Code Complete](https://en.wikipedia.org/wiki/Code_Complete)
### Architecture Testing Tools
**ArchUnit - Java Architecture Testing**
- Free, simple, and extensible library for checking architecture
- Define rules for architecture using plain Java unit tests
- Out-of-the-box functionality for layered architecture and onion architecture
- Enforce naming conventions, class access, prevention of cycles
- Reference: [ArchUnit Official Site](https://www.archunit.org/)
**ArchUnit Examples**
- Layered Architecture Test examples on GitHub
- Define layers and add constraints for each layer
- Reference: [GitHub - ArchUnit Examples](https://github.com/TNG/ArchUnit-Examples/blob/main/example-plain/src/test/java/com/tngtech/archunit/exampletest/LayeredArchitectureTest.java)
**NetArchTest - .NET Alternative**
- Inspired by ArchUnit for Java
- Enforce architecture conventions in .NET codebases
- Can be used with any unit test framework
- Reference: [GitHub - NetArchTest](https://github.com/BenMorris/NetArchTest)
**InfoQ Article on ArchUnit**
- "ArchUnit Verifies Architecture Rules for Java Applications"
- Professional coverage of architecture verification
- Reference: [InfoQ - ArchUnit](https://www.infoq.com/news/2022/10/archunit/)
---
## Conclusion
The code quality detection rules implemented in Guardian are firmly grounded in:
1. **Academic Research**: Peer-reviewed papers on software maintainability, complexity metrics, and code quality
2. **Industry Standards**: ISO/IEC 25010, SonarQube rules, Google and Airbnb style guides
3. **Authoritative Books**:
- Robert C. Martin's "Clean Architecture" (2017)
- Eric Evans' "Domain-Driven Design" (2003)
- Martin Fowler's "Patterns of Enterprise Application Architecture" (2002)
- Martin Fowler's "Refactoring" (1999, 2018)
- Steve McConnell's "Code Complete" (1993, 2004)
4. **Expert Guidance**: Martin Fowler, Robert C. Martin (Uncle Bob), Eric Evans, Alistair Cockburn, Kent Beck
5. **Open Source Tools**: ArchUnit, SonarQube, ESLint - widely adopted in enterprise environments
These rules represent decades of software engineering wisdom, empirical research, and battle-tested practices from the world's leading software organizations and thought leaders.
---
## Additional Resources
### Online Catalogs and References
- Martin Fowler's Enterprise Application Architecture Catalog: https://martinfowler.com/eaaCatalog/
- Martin Fowler's Bliki (Blog + Wiki): https://martinfowler.com/bliki/
- Robert C. Martin's Principles Collection: http://principles-wiki.net/collections:robert_c._martin_s_principle_collection
- Domain Language (Eric Evans): https://www.domainlanguage.com/
### GitHub Repositories
- Airbnb JavaScript Style Guide: https://github.com/airbnb/javascript
- Google Style Guides: https://google.github.io/styleguide/
- Domain-Driven Hexagon: https://github.com/Sairyss/domain-driven-hexagon
- ArchUnit Examples: https://github.com/TNG/ArchUnit-Examples
### Educational Institutions
- MIT Course 6.031: Software Construction: https://web.mit.edu/6.031/www/
- Cornell CS Java Style Guide: https://www.cs.cornell.edu/courses/JavaAndDS/JavaStyle.html
---
**Document Version**: 1.0
**Last Updated**: 2025-11-24
**Questions or want to contribute research?**
- 📧 Email: fozilbek.samiyev@gmail.com
- 🐙 GitHub: https://github.com/samiyev/puaros/issues
**Based on research as of**: November 2025

391
packages/guardian/docs/WHY.md Normal file
View File

@@ -0,0 +1,391 @@
# Why Guardian's Rules Matter
Guardian's detection rules are not invented - they're based on decades of software engineering research, industry standards, and expert opinion from leading authorities.
**Quick Navigation:**
- [Hardcode Detection](#hardcode-detection)
- [Circular Dependencies](#circular-dependencies)
- [Clean Architecture](#clean-architecture)
- [Framework Leaks](#framework-leaks)
- [Entity Exposure](#entity-exposure)
- [Repository Pattern](#repository-pattern)
- [Naming Conventions](#naming-conventions)
- [Full Research Citations](#full-research-citations)
---
## Hardcode Detection
### Why it matters
Magic numbers and strings make code:
-**Hard to maintain** - Changing a value requires finding all occurrences
-**Error-prone** - Typos in repeated values cause bugs
-**Difficult to understand** - What does `3000` mean without context?
-**Not ready for change** - Configuration changes require code modifications
### Who says so?
**Academia:**
- **MIT Course 6.031: Software Construction**
> "Magic numbers fail three key measures: Safe from bugs, Easy to understand, Ready for change"
- Used in MIT's software engineering curriculum
- [Read the course material](https://web.mit.edu/6.031/www/sp17/classes/04-code-review/)
**Industry Standards:**
- **SonarQube Rule RSPEC-109**: "Magic numbers should not be used"
- Used by 400,000+ organizations worldwide
- Identifies hardcoded values as code smells
- [View the rule](https://rules.sonarsource.com/c/rspec-109/)
**Research:**
- **2022 ScienceDirect Study**: "What do developers consider magic literals?"
- Analyzed 24,000 literals from 3,500+ methods
- Surveyed 26 professional developers
- [Read the paper](https://www.sciencedirect.com/science/article/abs/pii/S0950584922000908)
**Historical Context:**
- Anti-pattern dating back to 1960s COBOL/FORTRAN manuals
- One of the oldest rules of programming
[Read full research →](./RESEARCH_CITATIONS.md#1-hardcode-detection-magic-numbers--strings)
---
## Circular Dependencies
### Why it matters
Circular dependencies create:
-**Tight coupling** - Components cannot evolve independently
-**Testing difficulties** - Impossible to test modules in isolation
-**Maintenance nightmares** - Changes cause ripple effects across codebase
-**Build complexity** - Compilation order becomes problematic
### Who says so?
**Expert Opinion:**
- **Martin Fowler**: Enterprise architecture patterns expert
> "Putting abstract classes in supertype package is good way of breaking cycles in the dependency structure"
- Recommends using abstraction to break cycles
- [Read on TechTarget](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
**Real-world Solutions:**
- **Shopify Engineering**: "Remove Circular Dependencies by Using Dependency Injection"
- Demonstrates practical application of Repository Pattern
- Production-proven solution from major tech company
- [Read the article](https://shopify.engineering/repository-pattern-ruby)
**Impact Studies:**
- Services become hardly maintainable and highly coupled
- Open the door to error-prone applications
- Components cannot be tested in isolation
[Read full research →](./RESEARCH_CITATIONS.md#2-circular-dependencies)
---
## Clean Architecture
### Why it matters
Clean Architecture principles ensure:
-**Independence** - Business rules don't depend on frameworks
-**Testability** - Business logic can be tested without UI/DB
-**Flexibility** - Easy to swap frameworks and tools
-**Maintainability** - Clear boundaries and responsibilities
### The Dependency Rule
**Robert C. Martin's Core Principle:**
> "Source code dependencies can only point inwards. Nothing in an inner circle can know anything about something in an outer circle."
**Layer Flow:**
```
Domain (innermost) ← Application ← Infrastructure (outermost)
```
### Who says so?
**The Definitive Book:**
- **Robert C. Martin (Uncle Bob): "Clean Architecture" (2017)**
- Published by O'Reilly (Prentice Hall)
- Based on SOLID principles and decades of experience
- [Get the book](https://www.amazon.com/Clean-Architecture-Craftsmans-Software-Structure/dp/0134494164)
**Core Principles:**
- **SOLID Principles (2000)**: Foundation of Clean Architecture
- Single Responsibility Principle
- Open-Closed Principle
- Liskov Substitution Principle
- Interface Segregation Principle
- **Dependency Inversion Principle** (critical for layer separation)
- [Learn SOLID](https://www.digitalocean.com/community/conceptual-articles/s-o-l-i-d-the-first-five-principles-of-object-oriented-design)
**The Clean Architecture Blog:**
- Original blog post by Uncle Bob (2012)
- Defines the concentric circles architecture
- [Read the original](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html)
[Read full research →](./RESEARCH_CITATIONS.md#3-clean-architecture--layered-architecture)
---
## Framework Leaks
### Why it matters
Framework dependencies in domain layer:
-**Coupling to infrastructure** - Business logic tied to technical details
-**Testing difficulties** - Cannot test without framework setup
-**Framework lock-in** - Migration becomes impossible
-**Violates Clean Architecture** - Breaks the Dependency Rule
### Who says so?
**Original Research:**
- **Alistair Cockburn (2005): "Hexagonal Architecture"**
- HaT Technical Report 2005.02
> "Create your application to work without either a UI or a database so you can run automated regression-tests against the application, work when the database becomes unavailable, and link applications together without any user involvement."
- Original Ports & Adapters pattern
- [Read the original paper](https://alistair.cockburn.us/hexagonal-architecture)
**Industry Adoption:**
- **Robert C. Martin: "Clean Architecture" (2017)**
> "Frameworks are tools, not architectures"
- Frameworks belong in outer layers only
- **AWS Prescriptive Guidance**: Documents hexagonal architecture patterns
- **GitHub: Domain-Driven Hexagon**: Comprehensive implementation guide
- [View the guide](https://github.com/Sairyss/domain-driven-hexagon)
**Key Insight:**
The goal is to isolate the application's business logic from external resources like databases, message queues, HTTP frameworks, etc.
[Read full research →](./RESEARCH_CITATIONS.md#4-framework-leak-detection)
---
## Entity Exposure
### Why it matters
Exposing domain entities directly:
-**Breaks encapsulation** - Exposes internal domain structure
-**Security risks** - May leak sensitive data (passwords, tokens)
-**Coupling** - API tied to domain model changes
-**Violates Single Responsibility** - Entities serve two purposes
### Use DTOs Instead
**Data Transfer Object (DTO) Pattern:**
- Transform domain entities into simple data structures
- Control exactly what data is exposed
- Decouple API contracts from domain model
- Separate concerns: domain logic vs. data transfer
### Who says so?
**The Definitive Source:**
- **Martin Fowler: "Patterns of Enterprise Application Architecture" (2002)**
- Defines the DTO pattern
- Published by Addison-Wesley
> "An object that carries data between processes in order to reduce the number of method calls"
- [Read on martinfowler.com](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
**Purpose:**
- Originally designed to batch remote calls and reduce network overhead
- Modern use: Separate domain model from external representation
- Prevents "God objects" that do too much
**Warning: LocalDTO Anti-pattern:**
Martin Fowler also warns about overusing DTOs in local contexts where they add unnecessary complexity.
[Read full research →](./RESEARCH_CITATIONS.md#5-entity-exposure-dto-pattern)
---
## Repository Pattern
### Why it matters
Repository pattern provides:
-**Abstraction** - Domain doesn't know about persistence details
-**Testability** - Easy to mock data access in tests
-**Centralized queries** - Single place for data access logic
-**Clean separation** - Domain logic separate from data access
### Common Violations
Guardian detects:
- ORM types leaking into repository interfaces
- Technical method names (`findOne`, `save`) instead of domain language
- Direct ORM/database usage in use cases
- `new Repository()` instantiation (should use DI)
### Who says so?
**The Definitive Source:**
- **Martin Fowler: Enterprise Application Architecture Catalog**
> "Mediates between the domain and data mapping layers using a collection-like interface for accessing domain objects"
- Part of the Domain Logic Patterns
- [Read on martinfowler.com](https://martinfowler.com/eaaCatalog/repository.html)
**Key Benefits:**
- Minimizes duplicate query logic
- Allows multiple repositories for different storage needs
- Domain layer doesn't know about SQL, MongoDB, or any specific technology
**Additional Support:**
- **Microsoft Learn**: Official documentation on Repository Pattern
- **Eric Evans**: Referenced in Domain-Driven Design book
- **Listed as**: Data Source Architectural Pattern
**Real-world Example:**
```typescript
// ❌ Bad: ORM leak in interface
interface IUserRepository {
findOne(query: PrismaWhereInput): Promise<User>
}
// ✅ Good: Domain language
interface IUserRepository {
findByEmail(email: Email): Promise<User | null>
findById(id: UserId): Promise<User | null>
}
```
[Read full research →](./RESEARCH_CITATIONS.md#6-repository-pattern)
---
## Naming Conventions
### Why it matters
Consistent naming:
-**Readability** - Code is self-documenting
-**Predictability** - Developers know what to expect
-**Maintainability** - Easier to navigate large codebases
-**Team alignment** - Everyone follows same patterns
### Guardian's Conventions
**Domain Layer:**
- Entities: `User.ts`, `Order.ts` (PascalCase nouns)
- Services: `UserService.ts` (PascalCase + Service suffix)
- Repositories: `IUserRepository.ts` (I prefix for interfaces)
**Application Layer:**
- Use cases: `CreateUser.ts`, `PlaceOrder.ts` (Verb + Noun)
- DTOs: `UserDto.ts`, `CreateUserRequest.ts` (Dto/Request/Response suffix)
- Mappers: `UserMapper.ts` (Mapper suffix)
**Infrastructure Layer:**
- Controllers: `UserController.ts` (Controller suffix)
- Repositories: `MongoUserRepository.ts` (implementation name + Repository)
### Who says so?
**Industry Style Guides:**
- **Google Java Style Guide**
- PascalCase for classes
- camelCase for methods and variables
- [Read the guide](https://google.github.io/styleguide/javaguide.html)
- **Airbnb JavaScript Style Guide**
- 145,000+ GitHub stars
- Industry standard for JavaScript/TypeScript
- [Read the guide](https://github.com/airbnb/javascript)
- **Microsoft .NET Guidelines**
- PascalCase for types and public members
- Consistent across entire .NET ecosystem
- Widely adopted in C# and TypeScript communities
**Use Case Naming:**
- **TM Forum Standard**: Verb + Noun pattern for operations
- Actions start with verbs: Create, Update, Delete, Get, Process
- Clear intent from filename
- Examples: `ProcessOrder.ts`, `ValidateInput.ts`
**General Principle:**
- **Wikipedia: Naming Convention (Programming)**
- "Classes are nouns, methods are verbs"
- Widely accepted across languages and paradigms
[Read full research →](./RESEARCH_CITATIONS.md#7-naming-conventions)
---
## Full Research Citations
For complete academic papers, books, and authoritative sources, see:
📚 **[RESEARCH_CITATIONS.md](./RESEARCH_CITATIONS.md)**
This document contains:
- 50+ authoritative references
- Academic papers with DOI/URLs
- Book citations with authors and publication years
- Industry standards from Google, Microsoft, AWS
- Expert blogs from Martin Fowler, Uncle Bob, Kent Beck
- Historical context dating back to 1960s
---
## Quality Standards
Guardian's rules align with international standards:
**ISO/IEC 25010:2011 (Software Quality Standard)**
- Eight quality characteristics including **Maintainability**
- Sub-characteristics: Modularity, Reusability, Analysability, Modifiability, Testability
- [Learn more](https://www.iso.org/standard/35733.html)
**SQuaRE Framework:**
- System and Software Quality Requirements and Evaluation
- Used throughout software development lifecycle
---
## Summary: Why Trust Guardian?
Guardian's rules are backed by:
**5 Seminal Books** (1993-2017)
- Clean Architecture (Robert C. Martin, 2017)
- Domain-Driven Design (Eric Evans, 2003)
- Patterns of Enterprise Application Architecture (Martin Fowler, 2002)
- Refactoring (Martin Fowler, 1999)
- Code Complete (Steve McConnell, 1993)
**Academic Research** (1976-2024)
- MIT Course 6.031
- ScienceDirect peer-reviewed studies
- Cyclomatic Complexity (Thomas McCabe, 1976)
**International Standards**
- ISO/IEC 25010:2011
**Industry Giants**
- Google, Microsoft, Airbnb style guides
- SonarQube (400,000+ organizations)
- AWS documentation
**Thought Leaders**
- Martin Fowler, Robert C. Martin (Uncle Bob), Eric Evans
- Alistair Cockburn, Kent Beck, Thomas McCabe
---
**Questions or want to contribute research?**
- 📧 Email: fozilbek.samiyev@gmail.com
- 🐙 GitHub: https://github.com/samiyev/puaros/issues
- 📚 Full citations: [RESEARCH_CITATIONS.md](./RESEARCH_CITATIONS.md)
---
*Last updated: 2025-11-24*

117
packages/guardian/examples/bad-architecture/dependency-direction/BadApplicationLayer.ts Normal file
View File

@@ -0,0 +1,117 @@
/**
* ❌ BAD: Application layer with incorrect dependencies
*
* Application importing from Infrastructure layer
* This violates Clean Architecture dependency rules!
*/
import { User } from "../../good-architecture/domain/entities/User"
import { Email } from "../../good-architecture/domain/value-objects/Email"
import { UserId } from "../../good-architecture/domain/value-objects/UserId"
/**
* ❌ VIOLATION: Application importing from Infrastructure layer
*/
import { PrismaClient } from "@prisma/client"
export class CreateUser {
/**
* ❌ VIOLATION: Application use case depending on concrete infrastructure (Prisma)
*/
constructor(private prisma: PrismaClient) {}
async execute(email: string): Promise<User> {
const userId = UserId.generate()
const emailVO = Email.create(email).value
/**
* ❌ VIOLATION: Application logic directly accessing database
*/
await this.prisma.user.create({
data: {
id: userId.getValue(),
email: emailVO.getValue(),
},
})
return new User(userId, emailVO)
}
}
/**
* ❌ VIOLATION: Application importing concrete email service from infrastructure
*/
import { SmtpEmailService } from "../../good-architecture/infrastructure/adapters/SmtpEmailService"
export class SendWelcomeEmail {
/**
* ❌ VIOLATION: Application depending on concrete infrastructure implementation
* Should depend on IEmailService interface instead
*/
constructor(
private prisma: PrismaClient,
private emailService: SmtpEmailService,
) {}
async execute(userId: string): Promise<void> {
const user = await this.prisma.user.findUnique({
where: { id: userId },
})
if (!user) {
throw new Error("User not found")
}
await this.emailService.sendWelcomeEmail(user.email)
}
}
/**
* ❌ VIOLATION: Application importing from infrastructure controller
*/
import { UserController } from "../../good-architecture/infrastructure/controllers/UserController"
export class ValidateUser {
/**
* ❌ VIOLATION: Application use case depending on infrastructure controller
* The dependency direction is completely wrong!
*/
constructor(private userController: UserController) {}
async execute(userId: string): Promise<boolean> {
return true
}
}
/**
* ❌ VIOLATION: Application importing HTTP framework
*/
import express from "express"
export class ProcessUserRequest {
/**
* ❌ VIOLATION: Application layer knows about HTTP/Express
* HTTP concerns should be in infrastructure layer
*/
async execute(req: express.Request): Promise<void> {
const email = req.body.email
console.log(`Processing user: ${email}`)
}
}
/**
* ❌ VIOLATION: Application importing infrastructure repository implementation
*/
import { InMemoryUserRepository } from "../../good-architecture/infrastructure/repositories/InMemoryUserRepository"
export class GetUser {
/**
* ❌ VIOLATION: Application depending on concrete repository implementation
* Should depend on IUserRepository interface from domain
*/
constructor(private userRepo: InMemoryUserRepository) {}
async execute(userId: string): Promise<User | null> {
return await this.userRepo.findById(UserId.from(userId))
}
}

90
packages/guardian/examples/bad-architecture/dependency-direction/BadDomainLayer.ts Normal file
View File

@@ -0,0 +1,90 @@
/**
* ❌ BAD: Domain layer with incorrect dependencies
*
* Domain importing from Application and Infrastructure layers
* This violates Clean Architecture dependency rules!
*/
import { Email } from "../../good-architecture/domain/value-objects/Email"
import { UserId } from "../../good-architecture/domain/value-objects/UserId"
/**
* ❌ VIOLATION: Domain importing from Application layer
*/
import { UserResponseDto } from "../../good-architecture/application/dtos/UserResponseDto"
export class User {
private readonly id: UserId
private email: Email
constructor(id: UserId, email: Email) {
this.id = id
this.email = email
}
/**
* ❌ VIOLATION: Domain entity returning DTO from application layer
*/
toDto(): UserResponseDto {
return {
id: this.id.getValue(),
email: this.email.getValue(),
createdAt: new Date().toISOString(),
}
}
}
/**
* ❌ VIOLATION: Domain importing from Infrastructure layer
*/
import { PrismaClient } from "@prisma/client"
export class UserService {
/**
* ❌ VIOLATION: Domain service depending on concrete infrastructure implementation
*/
constructor(private prisma: PrismaClient) {}
async createUser(email: string): Promise<User> {
const userId = UserId.generate()
const emailVO = Email.create(email).value
/**
* ❌ VIOLATION: Domain logic directly accessing database
*/
await this.prisma.user.create({
data: {
id: userId.getValue(),
email: emailVO.getValue(),
},
})
return new User(userId, emailVO)
}
}
/**
* ❌ VIOLATION: Domain importing email service from infrastructure
*/
import { SmtpEmailService } from "../../good-architecture/infrastructure/adapters/SmtpEmailService"
export class UserRegistration {
/**
* ❌ VIOLATION: Domain depending on infrastructure email service
*/
constructor(
private userService: UserService,
private emailService: SmtpEmailService,
) {}
async register(email: string): Promise<User> {
const user = await this.userService.createUser(email)
/**
* ❌ VIOLATION: Domain calling infrastructure service directly
*/
await this.emailService.sendWelcomeEmail(email)
return user
}
}

33
packages/guardian/examples/bad-architecture/entity-exposure/infrastructure/controllers/BadOrderController.ts Normal file
View File

@@ -0,0 +1,33 @@
// ❌ BAD: Exposing domain entity Order in API response
class Order {
constructor(
public id: string,
public items: OrderItem[],
public total: number,
public customerId: string,
) {}
}
class OrderItem {
constructor(
public productId: string,
public quantity: number,
public price: number,
) {}
}
class BadOrderController {
async getOrder(orderId: string): Promise<Order> {
return {
id: orderId,
items: [],
total: 100,
customerId: "customer-123",
}
}
async listOrders(): Promise<Order[]> {
return []
}
}

0
packages/guardian/examples/bad-architecture/entity-exposure/BadUserController.ts → packages/guardian/examples/bad-architecture/entity-exposure/infrastructure/controllers/BadUserController.ts
View File

91
packages/guardian/examples/good-architecture/dependency-direction/GoodApplicationLayer.ts Normal file
View File

@@ -0,0 +1,91 @@
/**
* ✅ GOOD: Application layer with correct dependencies
*
* Application should only import from:
* - Domain layer
* - Other application files
* - Shared utilities
*
* Application should NOT import from:
* - Infrastructure layer
*/
import { User } from "../domain/entities/User"
import { Email } from "../domain/value-objects/Email"
import { UserId } from "../domain/value-objects/UserId"
import { IUserRepository } from "../domain/repositories/IUserRepository"
import { Result } from "../../../src/shared/types/Result"
/**
* ✅ Use case depends on domain interfaces (IUserRepository)
* NOT on infrastructure implementations
*/
export class CreateUser {
constructor(private readonly userRepo: IUserRepository) {}
async execute(request: CreateUserRequest): Promise<Result<UserResponseDto>> {
const emailResult = Email.create(request.email)
if (emailResult.isFailure) {
return Result.fail(emailResult.error)
}
const userId = UserId.generate()
const user = new User(userId, emailResult.value)
await this.userRepo.save(user)
return Result.ok(UserMapper.toDto(user))
}
}
/**
* ✅ DTO in application layer
*/
export interface CreateUserRequest {
email: string
name: string
}
export interface UserResponseDto {
id: string
email: string
createdAt: string
}
/**
* ✅ Mapper in application layer converting domain to DTO
*/
export class UserMapper {
static toDto(user: User): UserResponseDto {
return {
id: user.getId().getValue(),
email: user.getEmail().getValue(),
createdAt: user.getCreatedAt().toISOString(),
}
}
}
/**
* ✅ Application defines Port (interface) for email service
* Infrastructure will provide the Adapter (implementation)
*/
export interface IEmailService {
sendWelcomeEmail(email: string): Promise<void>
}
export class SendWelcomeEmail {
constructor(
private readonly userRepo: IUserRepository,
private readonly emailService: IEmailService,
) {}
async execute(userId: string): Promise<Result<void>> {
const user = await this.userRepo.findById(UserId.from(userId))
if (!user) {
return Result.fail("User not found")
}
await this.emailService.sendWelcomeEmail(user.getEmail().getValue())
return Result.ok()
}
}

56
packages/guardian/examples/good-architecture/dependency-direction/GoodDomainLayer.ts Normal file
View File

@@ -0,0 +1,56 @@
/**
* ✅ GOOD: Domain layer with correct dependencies
*
* Domain should only import from:
* - Other domain files
* - Shared utilities
*
* Domain should NOT import from:
* - Application layer
* - Infrastructure layer
*/
import { Email } from "../domain/value-objects/Email"
import { UserId } from "../domain/value-objects/UserId"
import { Result } from "../../../src/shared/types/Result"
/**
* ✅ Domain entity using only domain value objects and shared types
*/
export class User {
private readonly id: UserId
private email: Email
private readonly createdAt: Date
constructor(id: UserId, email: Email, createdAt: Date = new Date()) {
this.id = id
this.email = email
this.createdAt = createdAt
}
public getId(): UserId {
return this.id
}
public getEmail(): Email {
return this.email
}
public changeEmail(newEmail: Email): Result<void> {
if (this.email.equals(newEmail)) {
return Result.fail("Email is the same")
}
this.email = newEmail
return Result.ok()
}
}
/**
* ✅ Domain repository interface (not importing from infrastructure)
*/
export interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
}

128
packages/guardian/examples/good-architecture/dependency-direction/GoodInfrastructureLayer.ts Normal file
View File

@@ -0,0 +1,128 @@
/**
* ✅ GOOD: Infrastructure layer with correct dependencies
*
* Infrastructure CAN import from:
* - Domain layer
* - Application layer
* - Other infrastructure files
* - Shared utilities
* - External libraries (ORM, frameworks, etc.)
*/
import { User } from "../domain/entities/User"
import { UserId } from "../domain/value-objects/UserId"
import { Email } from "../domain/value-objects/Email"
import { IUserRepository } from "../domain/repositories/IUserRepository"
import { CreateUser } from "../application/use-cases/CreateUser"
import { UserResponseDto } from "../application/dtos/UserResponseDto"
import { IEmailService } from "../application/ports/IEmailService"
/**
* ✅ Infrastructure implements domain interface
*/
export class InMemoryUserRepository implements IUserRepository {
private users: Map<string, User> = new Map()
async findById(id: UserId): Promise<User | null> {
return this.users.get(id.getValue()) ?? null
}
async save(user: User): Promise<void> {
this.users.set(user.getId().getValue(), user)
}
async delete(id: UserId): Promise<void> {
this.users.delete(id.getValue())
}
}
/**
* ✅ Infrastructure provides Adapter implementing application Port
*/
export class SmtpEmailService implements IEmailService {
constructor(
private readonly host: string,
private readonly port: number,
) {}
async sendWelcomeEmail(email: string): Promise<void> {
console.log(`Sending welcome email to ${email} via SMTP`)
}
}
/**
* ✅ Controller uses application use cases and DTOs
*/
export class UserController {
constructor(private readonly createUser: CreateUser) {}
async create(request: { email: string; name: string }): Promise<UserResponseDto> {
const result = await this.createUser.execute(request)
if (result.isFailure) {
throw new Error(result.error)
}
return result.value
}
}
/**
* ✅ Infrastructure can use external frameworks
*/
import express from "express"
export class ExpressServer {
private app = express()
constructor(private readonly userController: UserController) {
this.setupRoutes()
}
private setupRoutes(): void {
this.app.post("/users", async (req, res) => {
const user = await this.userController.create(req.body)
res.json(user)
})
}
}
/**
* ✅ Infrastructure can use ORM
*/
import { PrismaClient } from "@prisma/client"
export class PrismaUserRepository implements IUserRepository {
constructor(private readonly prisma: PrismaClient) {}
async findById(id: UserId): Promise<User | null> {
const userData = await this.prisma.user.findUnique({
where: { id: id.getValue() },
})
if (!userData) {
return null
}
return new User(UserId.from(userData.id), Email.create(userData.email).value)
}
async save(user: User): Promise<void> {
await this.prisma.user.upsert({
where: { id: user.getId().getValue() },
create: {
id: user.getId().getValue(),
email: user.getEmail().getValue(),
},
update: {
email: user.getEmail().getValue(),
},
})
}
async delete(id: UserId): Promise<void> {
await this.prisma.user.delete({
where: { id: id.getValue() },
})
}
}

42
packages/guardian/examples/good-architecture/entity-exposure/GoodUserController.ts Normal file
View File

@@ -0,0 +1,42 @@
// ✅ GOOD: Using DTOs and Mappers instead of exposing domain entities
class User {
constructor(
private readonly id: string,
private email: string,
private password: string,
) {}
getId(): string {
return this.id
}
getEmail(): string {
return this.email
}
}
class UserResponseDto {
constructor(
public readonly id: string,
public readonly email: string,
) {}
}
class UserMapper {
static toDto(user: User): UserResponseDto {
return new UserResponseDto(user.getId(), user.getEmail())
}
}
class GoodUserController {
async getUser(userId: string): Promise<UserResponseDto> {
const user = new User(userId, "user@example.com", "hashed-password")
return UserMapper.toDto(user)
}
async listUsers(): Promise<UserResponseDto[]> {
const users = [new User("1", "user1@example.com", "password")]
return users.map((user) => UserMapper.toDto(user))
}
}

220
packages/guardian/examples/repository-pattern/README.md Normal file
View File

@@ -0,0 +1,220 @@
# Repository Pattern Examples
This directory contains examples demonstrating proper and improper implementations of the Repository Pattern.
## Overview
The Repository Pattern provides an abstraction layer between domain logic and data access. A well-implemented repository:
1. Uses domain types, not ORM-specific types
2. Depends on interfaces, not concrete implementations
3. Uses dependency injection, not direct instantiation
4. Uses domain language, not technical database terms
## Examples
### ❌ Bad Examples
#### 1. ORM Types in Interface
**File:** `bad-orm-types-in-interface.ts`
**Problem:** Repository interface exposes Prisma-specific types (`Prisma.UserWhereInput`, `Prisma.UserCreateInput`). This couples the domain layer to infrastructure concerns.
**Violations:**
- Domain depends on ORM library
- Cannot swap ORM without changing domain
- Breaks Clean Architecture principles
#### 2. Concrete Repository in Use Case
**File:** `bad-concrete-repository-in-use-case.ts`
**Problem:** Use case depends on `PrismaUserRepository` instead of `IUserRepository` interface.
**Violations:**
- Violates Dependency Inversion Principle
- Cannot easily mock for testing
- Tightly coupled to specific implementation
#### 3. Creating Repository with 'new'
**File:** `bad-new-repository.ts`
**Problem:** Use case instantiates repositories with `new UserRepository()` instead of receiving them through constructor.
**Violations:**
- Violates Dependency Injection principle
- Hard to test (cannot mock dependencies)
- Hidden dependencies
- Creates tight coupling
#### 4. Technical Method Names
**File:** `bad-technical-method-names.ts`
**Problem:** Repository methods use database/SQL terminology (`findOne`, `insert`, `query`, `execute`).
**Violations:**
- Uses technical terms instead of domain language
- Exposes implementation details
- Not aligned with ubiquitous language
### ✅ Good Examples
#### 1. Clean Interface
**File:** `good-clean-interface.ts`
**Benefits:**
- Uses only domain types (UserId, Email, User)
- ORM-agnostic interface
- Easy to understand and maintain
- Follows Clean Architecture
```typescript
interface IUserRepository {
findById(id: UserId): Promise<User | null>
findByEmail(email: Email): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
}
```
#### 2. Interface in Use Case
**File:** `good-interface-in-use-case.ts`
**Benefits:**
- Depends on interface, not concrete class
- Easy to test with mocks
- Can swap implementations
- Follows Dependency Inversion Principle
```typescript
class CreateUser {
constructor(private readonly userRepo: IUserRepository) {}
async execute(data: CreateUserRequest): Promise<UserResponseDto> {
// Uses interface, not concrete implementation
}
}
```
#### 3. Dependency Injection
**File:** `good-dependency-injection.ts`
**Benefits:**
- All dependencies injected through constructor
- Explicit dependencies (no hidden coupling)
- Easy to test with mocks
- Follows SOLID principles
```typescript
class CreateUser {
constructor(
private readonly userRepo: IUserRepository,
private readonly emailService: IEmailService
) {}
}
```
#### 4. Domain Language
**File:** `good-domain-language.ts`
**Benefits:**
- Methods use business-oriented names
- Self-documenting interface
- Aligns with ubiquitous language
- Hides implementation details
```typescript
interface IUserRepository {
findById(id: UserId): Promise<User | null>
findByEmail(email: Email): Promise<User | null>
findActiveUsers(): Promise<User[]>
save(user: User): Promise<void>
search(criteria: UserSearchCriteria): Promise<User[]>
}
```
## Key Principles
### 1. Persistence Ignorance
Domain entities and repositories should not know about how data is persisted.
```typescript
// ❌ Bad: Domain knows about Prisma
interface IUserRepository {
find(query: Prisma.UserWhereInput): Promise<User>
}
// ✅ Good: Domain uses own types
interface IUserRepository {
findById(id: UserId): Promise<User | null>
}
```
### 2. Dependency Inversion
High-level modules (use cases) should not depend on low-level modules (repositories). Both should depend on abstractions (interfaces).
```typescript
// ❌ Bad: Use case depends on concrete repository
class CreateUser {
constructor(private repo: PrismaUserRepository) {}
}
// ✅ Good: Use case depends on interface
class CreateUser {
constructor(private repo: IUserRepository) {}
}
```
### 3. Dependency Injection
Don't create dependencies inside classes. Inject them through constructor.
```typescript
// ❌ Bad: Creates dependency
class CreateUser {
execute() {
const repo = new UserRepository()
}
}
// ✅ Good: Injects dependency
class CreateUser {
constructor(private readonly repo: IUserRepository) {}
}
```
### 4. Ubiquitous Language
Use domain language everywhere, including repository methods.
```typescript
// ❌ Bad: Technical terminology
interface IUserRepository {
findOne(id: string): Promise<User>
insert(user: User): Promise<void>
}
// ✅ Good: Domain language
interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
}
```
## Testing with Guardian
Run Guardian to detect Repository Pattern violations:
```bash
guardian check --root ./examples/repository-pattern
```
Guardian will detect:
- ORM types in repository interfaces
- Concrete repository usage in use cases
- Repository instantiation with 'new'
- Technical method names in repositories
## Further Reading
- [Clean Architecture by Robert C. Martin](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html)
- [Domain-Driven Design by Eric Evans](https://www.domainlanguage.com/ddd/)
- [Repository Pattern - Martin Fowler](https://martinfowler.com/eaaCatalog/repository.html)
- [SOLID Principles](https://en.wikipedia.org/wiki/SOLID)

67
packages/guardian/examples/repository-pattern/bad-concrete-repository-in-use-case.ts Normal file
View File

@@ -0,0 +1,67 @@
/**
* ❌ BAD EXAMPLE: Concrete repository in use case
*
* Use case depends on concrete repository implementation instead of interface.
* This violates Dependency Inversion Principle.
*/
class CreateUser {
constructor(private userRepo: PrismaUserRepository) {}
async execute(data: CreateUserRequest): Promise<UserResponseDto> {
const user = User.create(data.email, data.name)
await this.userRepo.save(user)
return UserMapper.toDto(user)
}
}
class PrismaUserRepository {
constructor(private prisma: any) {}
async save(user: User): Promise<void> {
await this.prisma.user.create({
data: {
email: user.getEmail(),
name: user.getName(),
},
})
}
}
class User {
static create(email: string, name: string): User {
return new User(email, name)
}
constructor(
private email: string,
private name: string,
) {}
getEmail(): string {
return this.email
}
getName(): string {
return this.name
}
}
interface CreateUserRequest {
email: string
name: string
}
interface UserResponseDto {
email: string
name: string
}
class UserMapper {
static toDto(user: User): UserResponseDto {
return {
email: user.getEmail(),
name: user.getName(),
}
}
}

69
packages/guardian/examples/repository-pattern/bad-new-repository.ts Normal file
View File

@@ -0,0 +1,69 @@
/**
* ❌ BAD EXAMPLE: Creating repository with 'new' in use case
*
* Use case creates repository instances directly.
* This violates Dependency Injection principle and makes testing difficult.
*/
class CreateUser {
async execute(data: CreateUserRequest): Promise<UserResponseDto> {
const userRepo = new UserRepository()
const emailService = new EmailService()
const user = User.create(data.email, data.name)
await userRepo.save(user)
await emailService.sendWelcomeEmail(user.getEmail())
return UserMapper.toDto(user)
}
}
class UserRepository {
async save(user: User): Promise<void> {
console.warn("Saving user to database")
}
}
class EmailService {
async sendWelcomeEmail(email: string): Promise<void> {
console.warn(`Sending welcome email to ${email}`)
}
}
class User {
static create(email: string, name: string): User {
return new User(email, name)
}
constructor(
private email: string,
private name: string,
) {}
getEmail(): string {
return this.email
}
getName(): string {
return this.name
}
}
interface CreateUserRequest {
email: string
name: string
}
interface UserResponseDto {
email: string
name: string
}
class UserMapper {
static toDto(user: User): UserResponseDto {
return {
email: user.getEmail(),
name: user.getName(),
}
}
}

26
packages/guardian/examples/repository-pattern/bad-orm-types-in-interface.ts Normal file
View File

@@ -0,0 +1,26 @@
/**
* ❌ BAD EXAMPLE: ORM-specific types in repository interface
*
* This violates Repository Pattern by coupling domain layer to infrastructure (ORM).
* Domain should remain persistence-agnostic.
*/
import { Prisma, PrismaClient } from "@prisma/client"
interface IUserRepository {
findOne(query: Prisma.UserWhereInput): Promise<User | null>
findMany(query: Prisma.UserFindManyArgs): Promise<User[]>
create(data: Prisma.UserCreateInput): Promise<User>
update(id: string, data: Prisma.UserUpdateInput): Promise<User>
}
class User {
constructor(
public id: string,
public email: string,
public name: string,
) {}
}

32
packages/guardian/examples/repository-pattern/bad-technical-method-names.ts Normal file
View File

@@ -0,0 +1,32 @@
/**
* ❌ BAD EXAMPLE: Technical method names
*
* Repository interface uses database/ORM terminology instead of domain language.
* Methods should reflect business operations, not technical implementation.
*/
interface IUserRepository {
findOne(id: string): Promise<User | null>
findMany(filter: any): Promise<User[]>
insert(user: User): Promise<void>
updateOne(id: string, data: any): Promise<void>
deleteOne(id: string): Promise<void>
query(sql: string): Promise<any>
execute(command: string): Promise<void>
select(fields: string[]): Promise<User[]>
}
class User {
constructor(
public id: string,
public email: string,
public name: string,
) {}
}

61
packages/guardian/examples/repository-pattern/good-clean-interface.ts Normal file
View File

@@ -0,0 +1,61 @@
/**
* ✅ GOOD EXAMPLE: Clean repository interface
*
* Repository interface uses only domain types, keeping it persistence-agnostic.
* ORM implementation details stay in infrastructure layer.
*/
interface IUserRepository {
findById(id: UserId): Promise<User | null>
findByEmail(email: Email): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
findAll(criteria: UserSearchCriteria): Promise<User[]>
}
class UserId {
constructor(private readonly value: string) {}
getValue(): string {
return this.value
}
}
class Email {
constructor(private readonly value: string) {}
getValue(): string {
return this.value
}
}
class UserSearchCriteria {
constructor(
public readonly isActive?: boolean,
public readonly registeredAfter?: Date,
) {}
}
class User {
constructor(
private readonly id: UserId,
private email: Email,
private name: string,
) {}
getId(): UserId {
return this.id
}
getEmail(): Email {
return this.email
}
getName(): string {
return this.name
}
}

98
packages/guardian/examples/repository-pattern/good-dependency-injection.ts Normal file
View File

@@ -0,0 +1,98 @@
/**
* ✅ GOOD EXAMPLE: Dependency Injection
*
* Use case receives dependencies through constructor.
* This makes code testable and follows SOLID principles.
*/
class CreateUser {
constructor(
private readonly userRepo: IUserRepository,
private readonly emailService: IEmailService,
) {}
async execute(data: CreateUserRequest): Promise<UserResponseDto> {
const user = User.create(Email.from(data.email), data.name)
await this.userRepo.save(user)
await this.emailService.sendWelcomeEmail(user.getEmail())
return UserMapper.toDto(user)
}
}
interface IUserRepository {
save(user: User): Promise<void>
findByEmail(email: Email): Promise<User | null>
}
interface IEmailService {
sendWelcomeEmail(email: Email): Promise<void>
}
class Email {
private constructor(private readonly value: string) {}
static from(value: string): Email {
if (!value.includes("@")) {
throw new Error("Invalid email")
}
return new Email(value)
}
getValue(): string {
return this.value
}
}
class User {
static create(email: Email, name: string): User {
return new User(email, name)
}
private constructor(
private readonly email: Email,
private readonly name: string,
) {}
getEmail(): Email {
return this.email
}
getName(): string {
return this.name
}
}
interface CreateUserRequest {
email: string
name: string
}
interface UserResponseDto {
email: string
name: string
}
class UserMapper {
static toDto(user: User): UserResponseDto {
return {
email: user.getEmail().getValue(),
name: user.getName(),
}
}
}
class UserRepository implements IUserRepository {
async save(_user: User): Promise<void> {
console.warn("Saving user to database")
}
async findByEmail(_email: Email): Promise<User | null> {
return null
}
}
class EmailService implements IEmailService {
async sendWelcomeEmail(email: Email): Promise<void> {
console.warn(`Sending welcome email to ${email.getValue()}`)
}
}

81
packages/guardian/examples/repository-pattern/good-domain-language.ts Normal file
View File

@@ -0,0 +1,81 @@
/**
* ✅ GOOD EXAMPLE: Domain language in repository
*
* Repository interface uses domain-driven method names that reflect business operations.
* Method names are self-documenting and align with ubiquitous language.
*/
interface IUserRepository {
findById(id: UserId): Promise<User | null>
findByEmail(email: Email): Promise<User | null>
findActiveUsers(): Promise<User[]>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
search(criteria: UserSearchCriteria): Promise<User[]>
countActiveUsers(): Promise<number>
existsByEmail(email: Email): Promise<boolean>
}
class UserId {
constructor(private readonly value: string) {}
getValue(): string {
return this.value
}
}
class Email {
constructor(private readonly value: string) {}
getValue(): string {
return this.value
}
}
class UserSearchCriteria {
constructor(
public readonly isActive?: boolean,
public readonly registeredAfter?: Date,
public readonly department?: string,
) {}
}
class User {
constructor(
private readonly id: UserId,
private email: Email,
private name: string,
private isActive: boolean,
) {}
getId(): UserId {
return this.id
}
getEmail(): Email {
return this.email
}
getName(): string {
return this.name
}
isUserActive(): boolean {
return this.isActive
}
activate(): void {
this.isActive = true
}
deactivate(): void {
this.isActive = false
}
}

74
packages/guardian/examples/repository-pattern/good-interface-in-use-case.ts Normal file
View File

@@ -0,0 +1,74 @@
/**
* ✅ GOOD EXAMPLE: Repository interface in use case
*
* Use case depends on repository interface, not concrete implementation.
* This follows Dependency Inversion Principle.
*/
class CreateUser {
constructor(private readonly userRepo: IUserRepository) {}
async execute(data: CreateUserRequest): Promise<UserResponseDto> {
const user = User.create(Email.from(data.email), data.name)
await this.userRepo.save(user)
return UserMapper.toDto(user)
}
}
interface IUserRepository {
save(user: User): Promise<void>
findByEmail(email: Email): Promise<User | null>
}
class Email {
private constructor(private readonly value: string) {}
static from(value: string): Email {
if (!value.includes("@")) {
throw new Error("Invalid email")
}
return new Email(value)
}
getValue(): string {
return this.value
}
}
class User {
static create(email: Email, name: string): User {
return new User(email, name)
}
private constructor(
private readonly email: Email,
private readonly name: string,
) {}
getEmail(): Email {
return this.email
}
getName(): string {
return this.name
}
}
interface CreateUserRequest {
email: string
name: string
}
interface UserResponseDto {
email: string
name: string
}
class UserMapper {
static toDto(user: User): UserResponseDto {
return {
email: user.getEmail().getValue(),
name: user.getName(),
}
}
}

4
packages/guardian/package.json
View File

@@ -1,7 +1,7 @@
{
"name": "@samiyev/guardian",
"version": "0.1.0",
"description": "Code quality guardian for vibe coders and enterprise teams - catch hardcodes, architecture violations, and circular deps. Enforce Clean Architecture at scale. Works with Claude, GPT, Copilot.",
"version": "0.6.4",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, circular deps, framework leaks, entity exposure, and 8 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"keywords": [
"puaros",
"guardian",

16
packages/guardian/src/api.ts
View File

@@ -8,11 +8,17 @@ import { ICodeParser } from "./domain/services/ICodeParser"
import { IHardcodeDetector } from "./domain/services/IHardcodeDetector"
import { INamingConventionDetector } from "./domain/services/INamingConventionDetector"
import { IFrameworkLeakDetector } from "./domain/services/IFrameworkLeakDetector"
import { IEntityExposureDetector } from "./domain/services/IEntityExposureDetector"
import { IDependencyDirectionDetector } from "./domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "./domain/services/RepositoryPatternDetectorService"
import { FileScanner } from "./infrastructure/scanners/FileScanner"
import { CodeParser } from "./infrastructure/parsers/CodeParser"
import { HardcodeDetector } from "./infrastructure/analyzers/HardcodeDetector"
import { NamingConventionDetector } from "./infrastructure/analyzers/NamingConventionDetector"
import { FrameworkLeakDetector } from "./infrastructure/analyzers/FrameworkLeakDetector"
import { EntityExposureDetector } from "./infrastructure/analyzers/EntityExposureDetector"
import { DependencyDirectionDetector } from "./infrastructure/analyzers/DependencyDirectionDetector"
import { RepositoryPatternDetector } from "./infrastructure/analyzers/RepositoryPatternDetector"
import { ERROR_MESSAGES } from "./shared/constants"
/**
@@ -66,12 +72,19 @@ export async function analyzeProject(
const hardcodeDetector: IHardcodeDetector = new HardcodeDetector()
const namingConventionDetector: INamingConventionDetector = new NamingConventionDetector()
const frameworkLeakDetector: IFrameworkLeakDetector = new FrameworkLeakDetector()
const entityExposureDetector: IEntityExposureDetector = new EntityExposureDetector()
const dependencyDirectionDetector: IDependencyDirectionDetector =
new DependencyDirectionDetector()
const repositoryPatternDetector: IRepositoryPatternDetector = new RepositoryPatternDetector()
const useCase = new AnalyzeProject(
fileScanner,
codeParser,
hardcodeDetector,
namingConventionDetector,
frameworkLeakDetector,
entityExposureDetector,
dependencyDirectionDetector,
repositoryPatternDetector,
)
const result = await useCase.execute(options)
@@ -91,5 +104,8 @@ export type {
CircularDependencyViolation,
NamingConventionViolation,
FrameworkLeakViolation,
EntityExposureViolation,
DependencyDirectionViolation,
RepositoryPatternViolation,
ProjectMetrics,
} from "./application/use-cases/AnalyzeProject"

190
packages/guardian/src/application/use-cases/AnalyzeProject.ts
View File

@@ -5,6 +5,9 @@ import { ICodeParser } from "../../domain/services/ICodeParser"
import { IHardcodeDetector } from "../../domain/services/IHardcodeDetector"
import { INamingConventionDetector } from "../../domain/services/INamingConventionDetector"
import { IFrameworkLeakDetector } from "../../domain/services/IFrameworkLeakDetector"
import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDetector"
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
import { SourceFile } from "../../domain/entities/SourceFile"
import { DependencyGraph } from "../../domain/entities/DependencyGraph"
import { ProjectPath } from "../../domain/value-objects/ProjectPath"
@@ -14,8 +17,11 @@ import {
LAYERS,
NAMING_VIOLATION_TYPES,
REGEX_PATTERNS,
REPOSITORY_VIOLATION_TYPES,
RULES,
SEVERITY_LEVELS,
SEVERITY_ORDER,
type SeverityLevel,
VIOLATION_SEVERITY_MAP,
} from "../../shared/constants"
export interface AnalyzeProjectRequest {
@@ -32,6 +38,9 @@ export interface AnalyzeProjectResponse {
circularDependencyViolations: CircularDependencyViolation[]
namingViolations: NamingConventionViolation[]
frameworkLeakViolations: FrameworkLeakViolation[]
entityExposureViolations: EntityExposureViolation[]
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
metrics: ProjectMetrics
}
@@ -40,6 +49,7 @@ export interface ArchitectureViolation {
message: string
file: string
line?: number
severity: SeverityLevel
}
export interface HardcodeViolation {
@@ -57,13 +67,14 @@ export interface HardcodeViolation {
constantName: string
location: string
}
severity: SeverityLevel
}
export interface CircularDependencyViolation {
rule: typeof RULES.CIRCULAR_DEPENDENCY
message: string
cycle: string[]
severity: typeof SEVERITY_LEVELS.ERROR
severity: SeverityLevel
}
export interface NamingConventionViolation {
@@ -81,6 +92,7 @@ export interface NamingConventionViolation {
actual: string
message: string
suggestion?: string
severity: SeverityLevel
}
export interface FrameworkLeakViolation {
@@ -93,6 +105,48 @@ export interface FrameworkLeakViolation {
line?: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface EntityExposureViolation {
rule: typeof RULES.ENTITY_EXPOSURE
entityName: string
returnType: string
file: string
layer: string
line?: number
methodName?: string
message: string
suggestion: string
severity: SeverityLevel
}
export interface DependencyDirectionViolation {
rule: typeof RULES.DEPENDENCY_DIRECTION
fromLayer: string
toLayer: string
importPath: string
file: string
line?: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface RepositoryPatternViolation {
rule: typeof RULES.REPOSITORY_PATTERN
violationType:
| typeof REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE
| typeof REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME
file: string
layer: string
line?: number
details: string
message: string
suggestion: string
severity: SeverityLevel
}
export interface ProjectMetrics {
@@ -115,6 +169,9 @@ export class AnalyzeProject extends UseCase<
private readonly hardcodeDetector: IHardcodeDetector,
private readonly namingConventionDetector: INamingConventionDetector,
private readonly frameworkLeakDetector: IFrameworkLeakDetector,
private readonly entityExposureDetector: IEntityExposureDetector,
private readonly dependencyDirectionDetector: IDependencyDirectionDetector,
private readonly repositoryPatternDetector: IRepositoryPatternDetector,
) {
super()
}
@@ -159,11 +216,24 @@ export class AnalyzeProject extends UseCase<
}
}
const violations = this.detectViolations(sourceFiles)
const hardcodeViolations = this.detectHardcode(sourceFiles)
const circularDependencyViolations = this.detectCircularDependencies(dependencyGraph)
const namingViolations = this.detectNamingConventions(sourceFiles)
const frameworkLeakViolations = this.detectFrameworkLeaks(sourceFiles)
const violations = this.sortBySeverity(this.detectViolations(sourceFiles))
const hardcodeViolations = this.sortBySeverity(this.detectHardcode(sourceFiles))
const circularDependencyViolations = this.sortBySeverity(
this.detectCircularDependencies(dependencyGraph),
)
const namingViolations = this.sortBySeverity(this.detectNamingConventions(sourceFiles))
const frameworkLeakViolations = this.sortBySeverity(
this.detectFrameworkLeaks(sourceFiles),
)
const entityExposureViolations = this.sortBySeverity(
this.detectEntityExposures(sourceFiles),
)
const dependencyDirectionViolations = this.sortBySeverity(
this.detectDependencyDirections(sourceFiles),
)
const repositoryPatternViolations = this.sortBySeverity(
this.detectRepositoryPatternViolations(sourceFiles),
)
const metrics = this.calculateMetrics(sourceFiles, totalFunctions, dependencyGraph)
return ResponseDto.ok({
@@ -174,6 +244,9 @@ export class AnalyzeProject extends UseCase<
circularDependencyViolations,
namingViolations,
frameworkLeakViolations,
entityExposureViolations,
dependencyDirectionViolations,
repositoryPatternViolations,
metrics,
})
} catch (error) {
@@ -240,6 +313,7 @@ export class AnalyzeProject extends UseCase<
rule: RULES.CLEAN_ARCHITECTURE,
message: `Layer "${file.layer}" cannot import from "${importedLayer}"`,
file: file.path.relative,
severity: VIOLATION_SEVERITY_MAP.ARCHITECTURE,
})
}
}
@@ -282,6 +356,7 @@ export class AnalyzeProject extends UseCase<
constantName: hardcoded.suggestConstantName(),
location: hardcoded.suggestLocation(file.layer),
},
severity: VIOLATION_SEVERITY_MAP.HARDCODE,
})
}
}
@@ -301,7 +376,7 @@ export class AnalyzeProject extends UseCase<
rule: RULES.CIRCULAR_DEPENDENCY,
message: `Circular dependency detected: ${cycleChain}`,
cycle,
severity: SEVERITY_LEVELS.ERROR,
severity: VIOLATION_SEVERITY_MAP.CIRCULAR_DEPENDENCY,
})
}
@@ -329,6 +404,7 @@ export class AnalyzeProject extends UseCase<
actual: violation.actual,
message: violation.getMessage(),
suggestion: violation.suggestion,
severity: VIOLATION_SEVERITY_MAP.NAMING_CONVENTION,
})
}
}
@@ -357,6 +433,98 @@ export class AnalyzeProject extends UseCase<
line: leak.line,
message: leak.getMessage(),
suggestion: leak.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.FRAMEWORK_LEAK,
})
}
}
return violations
}
private detectEntityExposures(sourceFiles: SourceFile[]): EntityExposureViolation[] {
const violations: EntityExposureViolation[] = []
for (const file of sourceFiles) {
const exposures = this.entityExposureDetector.detectExposures(
file.content,
file.path.relative,
file.layer,
)
for (const exposure of exposures) {
violations.push({
rule: RULES.ENTITY_EXPOSURE,
entityName: exposure.entityName,
returnType: exposure.returnType,
file: file.path.relative,
layer: exposure.layer,
line: exposure.line,
methodName: exposure.methodName,
message: exposure.getMessage(),
suggestion: exposure.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.ENTITY_EXPOSURE,
})
}
}
return violations
}
private detectDependencyDirections(sourceFiles: SourceFile[]): DependencyDirectionViolation[] {
const violations: DependencyDirectionViolation[] = []
for (const file of sourceFiles) {
const directionViolations = this.dependencyDirectionDetector.detectViolations(
file.content,
file.path.relative,
file.layer,
)
for (const violation of directionViolations) {
violations.push({
rule: RULES.DEPENDENCY_DIRECTION,
fromLayer: violation.fromLayer,
toLayer: violation.toLayer,
importPath: violation.importPath,
file: file.path.relative,
line: violation.line,
message: violation.getMessage(),
suggestion: violation.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.DEPENDENCY_DIRECTION,
})
}
}
return violations
}
private detectRepositoryPatternViolations(
sourceFiles: SourceFile[],
): RepositoryPatternViolation[] {
const violations: RepositoryPatternViolation[] = []
for (const file of sourceFiles) {
const patternViolations = this.repositoryPatternDetector.detectViolations(
file.content,
file.path.relative,
file.layer,
)
for (const violation of patternViolations) {
violations.push({
rule: RULES.REPOSITORY_PATTERN,
violationType: violation.violationType as
| typeof REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE
| typeof REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
file: file.path.relative,
layer: violation.layer,
line: violation.line,
details: violation.details,
message: violation.getMessage(),
suggestion: violation.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.REPOSITORY_PATTERN,
})
}
}
@@ -386,4 +554,10 @@ export class AnalyzeProject extends UseCase<
layerDistribution,
}
}
private sortBySeverity<T extends { severity: SeverityLevel }>(violations: T[]): T[] {
return violations.sort((a, b) => {
return SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]
})
}
}

106
packages/guardian/src/cli/constants.ts
View File

@@ -13,13 +13,43 @@ export const CLI_COMMANDS = {
} as const
export const CLI_DESCRIPTIONS = {
MAIN: "🛡️ Code quality guardian - detect hardcoded values and architecture violations",
CHECK: "Analyze project for code quality issues",
PATH_ARG: "Path to analyze",
EXCLUDE_OPTION: "Directories to exclude",
VERBOSE_OPTION: "Verbose output",
NO_HARDCODE_OPTION: "Skip hardcode detection",
NO_ARCHITECTURE_OPTION: "Skip architecture checks",
MAIN:
"🛡️ Guardian - Code quality analyzer for TypeScript/JavaScript projects\n\n" +
"DETECTS:\n" +
" • Hardcoded values (magic numbers/strings) - extract to constants\n" +
" • Circular dependencies - refactor module structure\n" +
" • Framework leaks in domain - move framework imports to infrastructure\n" +
" • Naming violations - rename files to match layer conventions\n" +
" • Architecture violations - respect Clean Architecture layers\n" +
" • Entity exposure - use DTOs instead of returning entities\n" +
" • Dependency direction - ensure dependencies flow inward\n" +
" • Repository pattern - enforce repository interfaces in domain\n\n" +
"SEVERITY LEVELS:\n" +
" 🔴 CRITICAL - Must fix immediately (breaks architecture)\n" +
" 🟠 HIGH - Should fix soon (major quality issue)\n" +
" 🟡 MEDIUM - Should fix (moderate quality issue)\n" +
" 🟢 LOW - Nice to fix (minor quality issue)\n\n" +
"BACKED BY RESEARCH:\n" +
" Guardian's rules are based on established software engineering principles\n" +
" from MIT, Martin Fowler, Robert C. Martin, and industry standards.\n" +
" Learn more: https://github.com/samiyev/puaros/blob/main/packages/guardian/docs/WHY.md",
CHECK:
"Analyze project for code quality and architecture issues\n\n" +
"WORKFLOW:\n" +
" 1. Run: guardian check ./src\n" +
" 2. Review violations by severity\n" +
" 3. Read the suggestion for each violation\n" +
" 4. Fix violations starting with CRITICAL\n" +
" 5. Re-run to verify fixes",
PATH_ARG: "Path to analyze (e.g., ./src or ./packages/api)",
EXCLUDE_OPTION:
"Exclude dirs/patterns (default: node_modules,dist,build,coverage,tests,**/*.test.ts)",
VERBOSE_OPTION: "Show additional help and analysis details",
NO_HARDCODE_OPTION: "Skip hardcode detection (only check architecture)",
NO_ARCHITECTURE_OPTION: "Skip architecture checks (only check hardcodes)",
MIN_SEVERITY_OPTION: "Filter by severity: critical|high|medium|low (e.g., --min-severity high)",
ONLY_CRITICAL_OPTION: "Show only 🔴 CRITICAL issues (shortcut for --min-severity critical)",
LIMIT_OPTION: "Limit violations shown per category (e.g., -l 10 shows first 10)",
} as const
export const CLI_OPTIONS = {
@@ -27,13 +57,44 @@ export const CLI_OPTIONS = {
VERBOSE: "-v, --verbose",
NO_HARDCODE: "--no-hardcode",
NO_ARCHITECTURE: "--no-architecture",
MIN_SEVERITY: "--min-severity <level>",
ONLY_CRITICAL: "--only-critical",
LIMIT: "-l, --limit <number>",
} as const
export const SEVERITY_DISPLAY_LABELS = {
CRITICAL: "🔴 CRITICAL",
HIGH: "🟠 HIGH",
MEDIUM: "🟡 MEDIUM",
LOW: "🟢 LOW",
} as const
export const SEVERITY_SECTION_HEADERS = {
CRITICAL:
"\n═══════════════════════════════════════════\n🔴 CRITICAL SEVERITY\n═══════════════════════════════════════════",
HIGH: "\n═══════════════════════════════════════════\n🟠 HIGH SEVERITY\n═══════════════════════════════════════════",
MEDIUM: "\n═══════════════════════════════════════════\n🟡 MEDIUM SEVERITY\n═══════════════════════════════════════════",
LOW: "\n═══════════════════════════════════════════\n🟢 LOW SEVERITY\n═══════════════════════════════════════════",
} as const
export const CLI_ARGUMENTS = {
PATH: "<path>",
} as const
export const DEFAULT_EXCLUDES = ["node_modules", "dist", "build", "coverage"] as const
export const DEFAULT_EXCLUDES = [
"node_modules",
"dist",
"build",
"coverage",
"tests",
"test",
"__tests__",
"examples",
"**/*.test.ts",
"**/*.test.js",
"**/*.spec.ts",
"**/*.spec.js",
] as const
export const CLI_MESSAGES = {
ANALYZING: "\n🛡 Guardian - Analyzing your code...\n",
@@ -61,3 +122,32 @@ export const CLI_LABELS = {
HARDCODE_VIOLATIONS: "hardcoded values:",
ISSUES_TOTAL: "issues total",
} as const
export const CLI_HELP_TEXT = {
POSITION: "after",
EXAMPLES_HEADER: "\nEXAMPLES:\n",
EXAMPLE_BASIC: " $ guardian check ./src # Analyze src directory\n",
EXAMPLE_CRITICAL:
" $ guardian check ./src --only-critical # Show only critical issues\n",
EXAMPLE_SEVERITY:
" $ guardian check ./src --min-severity high # Show high and critical\n",
EXAMPLE_LIMIT:
" $ guardian check ./src --limit 10 # Limit output to 10 per category\n",
EXAMPLE_NO_HARDCODE:
" $ guardian check ./src --no-hardcode # Skip hardcode detection\n",
EXAMPLE_NO_ARCHITECTURE:
" $ guardian check ./src --no-architecture # Skip architecture checks\n",
EXAMPLE_EXCLUDE:
" $ guardian check ./src -e dist build # Exclude additional dirs\n\n",
FIX_HEADER: "HOW TO FIX COMMON ISSUES:\n",
FIX_HARDCODE: " Hardcoded values → Extract to constants file\n",
FIX_CIRCULAR: " Circular deps → Break cycle by extracting shared code\n",
FIX_FRAMEWORK: " Framework leaks → Move Express/NestJS imports to infrastructure layer\n",
FIX_NAMING: " Naming violations → Rename file (e.g., UserEntity.ts, CreateUserUseCase.ts)\n",
FIX_ENTITY: " Entity exposure → Create DTO and map entity to DTO before returning\n",
FIX_DEPENDENCY:
" Dependency direction → Move import to correct layer (domain ← app ← infra)\n",
FIX_REPOSITORY:
" Repository pattern → Create IUserRepository in domain, implement in infra\n\n",
FOOTER: "Each violation includes a 💡 Suggestion with specific fix instructions.\n",
} as const

374
packages/guardian/src/cli/index.ts
View File

@@ -6,15 +6,124 @@ import {
CLI_ARGUMENTS,
CLI_COMMANDS,
CLI_DESCRIPTIONS,
CLI_HELP_TEXT,
CLI_LABELS,
CLI_MESSAGES,
CLI_OPTIONS,
DEFAULT_EXCLUDES,
SEVERITY_DISPLAY_LABELS,
SEVERITY_SECTION_HEADERS,
} from "./constants"
import { SEVERITY_LEVELS, SEVERITY_ORDER, type SeverityLevel } from "../shared/constants"
const SEVERITY_LABELS: Record<SeverityLevel, string> = {
[SEVERITY_LEVELS.CRITICAL]: SEVERITY_DISPLAY_LABELS.CRITICAL,
[SEVERITY_LEVELS.HIGH]: SEVERITY_DISPLAY_LABELS.HIGH,
[SEVERITY_LEVELS.MEDIUM]: SEVERITY_DISPLAY_LABELS.MEDIUM,
[SEVERITY_LEVELS.LOW]: SEVERITY_DISPLAY_LABELS.LOW,
}
const SEVERITY_HEADER: Record<SeverityLevel, string> = {
[SEVERITY_LEVELS.CRITICAL]: SEVERITY_SECTION_HEADERS.CRITICAL,
[SEVERITY_LEVELS.HIGH]: SEVERITY_SECTION_HEADERS.HIGH,
[SEVERITY_LEVELS.MEDIUM]: SEVERITY_SECTION_HEADERS.MEDIUM,
[SEVERITY_LEVELS.LOW]: SEVERITY_SECTION_HEADERS.LOW,
}
function groupBySeverity<T extends { severity: SeverityLevel }>(
violations: T[],
): Map<SeverityLevel, T[]> {
const grouped = new Map<SeverityLevel, T[]>()
for (const violation of violations) {
const existing = grouped.get(violation.severity) ?? []
existing.push(violation)
grouped.set(violation.severity, existing)
}
return grouped
}
function filterBySeverity<T extends { severity: SeverityLevel }>(
violations: T[],
minSeverity?: SeverityLevel,
): T[] {
if (!minSeverity) {
return violations
}
const minSeverityOrder = SEVERITY_ORDER[minSeverity]
return violations.filter((v) => SEVERITY_ORDER[v.severity] <= minSeverityOrder)
}
function displayGroupedViolations<T extends { severity: SeverityLevel }>(
violations: T[],
displayFn: (v: T, index: number) => void,
limit?: number,
): void {
const grouped = groupBySeverity(violations)
const severities: SeverityLevel[] = [
SEVERITY_LEVELS.CRITICAL,
SEVERITY_LEVELS.HIGH,
SEVERITY_LEVELS.MEDIUM,
SEVERITY_LEVELS.LOW,
]
let totalDisplayed = 0
const totalAvailable = violations.length
for (const severity of severities) {
const items = grouped.get(severity)
if (items && items.length > 0) {
console.warn(SEVERITY_HEADER[severity])
console.warn(`Found ${String(items.length)} issue(s)\n`)
const itemsToDisplay =
limit !== undefined ? items.slice(0, limit - totalDisplayed) : items
itemsToDisplay.forEach((item, index) => {
displayFn(item, totalDisplayed + index)
})
totalDisplayed += itemsToDisplay.length
if (limit !== undefined && totalDisplayed >= limit) {
break
}
}
}
if (limit !== undefined && totalAvailable > limit) {
console.warn(
`\n⚠ Showing first ${String(limit)} of ${String(totalAvailable)} issues (use --limit to adjust)\n`,
)
}
}
const program = new Command()
program.name(CLI_COMMANDS.NAME).description(CLI_DESCRIPTIONS.MAIN).version(version)
program
.name(CLI_COMMANDS.NAME)
.description(CLI_DESCRIPTIONS.MAIN)
.version(version)
.addHelpText(
CLI_HELP_TEXT.POSITION,
CLI_HELP_TEXT.EXAMPLES_HEADER +
CLI_HELP_TEXT.EXAMPLE_BASIC +
CLI_HELP_TEXT.EXAMPLE_CRITICAL +
CLI_HELP_TEXT.EXAMPLE_SEVERITY +
CLI_HELP_TEXT.EXAMPLE_LIMIT +
CLI_HELP_TEXT.EXAMPLE_NO_HARDCODE +
CLI_HELP_TEXT.EXAMPLE_NO_ARCHITECTURE +
CLI_HELP_TEXT.EXAMPLE_EXCLUDE +
CLI_HELP_TEXT.FIX_HEADER +
CLI_HELP_TEXT.FIX_HARDCODE +
CLI_HELP_TEXT.FIX_CIRCULAR +
CLI_HELP_TEXT.FIX_FRAMEWORK +
CLI_HELP_TEXT.FIX_NAMING +
CLI_HELP_TEXT.FIX_ENTITY +
CLI_HELP_TEXT.FIX_DEPENDENCY +
CLI_HELP_TEXT.FIX_REPOSITORY +
CLI_HELP_TEXT.FOOTER,
)
program
.command(CLI_COMMANDS.CHECK)
@@ -24,6 +133,9 @@ program
.option(CLI_OPTIONS.VERBOSE, CLI_DESCRIPTIONS.VERBOSE_OPTION, false)
.option(CLI_OPTIONS.NO_HARDCODE, CLI_DESCRIPTIONS.NO_HARDCODE_OPTION)
.option(CLI_OPTIONS.NO_ARCHITECTURE, CLI_DESCRIPTIONS.NO_ARCHITECTURE_OPTION)
.option(CLI_OPTIONS.MIN_SEVERITY, CLI_DESCRIPTIONS.MIN_SEVERITY_OPTION)
.option(CLI_OPTIONS.ONLY_CRITICAL, CLI_DESCRIPTIONS.ONLY_CRITICAL_OPTION, false)
.option(CLI_OPTIONS.LIMIT, CLI_DESCRIPTIONS.LIMIT_OPTION)
.action(async (path: string, options) => {
try {
console.log(CLI_MESSAGES.ANALYZING)
@@ -33,15 +145,56 @@ program
exclude: options.exclude,
})
const {
const { metrics } = result
let {
hardcodeViolations,
violations,
circularDependencyViolations,
namingViolations,
frameworkLeakViolations,
metrics,
entityExposureViolations,
dependencyDirectionViolations,
repositoryPatternViolations,
} = result
const minSeverity: SeverityLevel | undefined = options.onlyCritical
? SEVERITY_LEVELS.CRITICAL
: options.minSeverity
? (options.minSeverity.toLowerCase() as SeverityLevel)
: undefined
const limit: number | undefined = options.limit
? parseInt(options.limit, 10)
: undefined
if (minSeverity) {
violations = filterBySeverity(violations, minSeverity)
hardcodeViolations = filterBySeverity(hardcodeViolations, minSeverity)
circularDependencyViolations = filterBySeverity(
circularDependencyViolations,
minSeverity,
)
namingViolations = filterBySeverity(namingViolations, minSeverity)
frameworkLeakViolations = filterBySeverity(frameworkLeakViolations, minSeverity)
entityExposureViolations = filterBySeverity(entityExposureViolations, minSeverity)
dependencyDirectionViolations = filterBySeverity(
dependencyDirectionViolations,
minSeverity,
)
repositoryPatternViolations = filterBySeverity(
repositoryPatternViolations,
minSeverity,
)
if (options.onlyCritical) {
console.log("\n🔴 Filtering: Showing only CRITICAL severity issues\n")
} else {
console.log(
`\n⚠ Filtering: Showing ${minSeverity.toUpperCase()} severity and above\n`,
)
}
}
// Display metrics
console.log(CLI_MESSAGES.METRICS_HEADER)
console.log(` ${CLI_LABELS.FILES_ANALYZED} ${String(metrics.totalFiles)}`)
@@ -58,91 +211,191 @@ program
// Architecture violations
if (options.architecture && violations.length > 0) {
console.log(
`${CLI_MESSAGES.VIOLATIONS_HEADER} ${String(violations.length)} ${CLI_LABELS.ARCHITECTURE_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.VIOLATIONS_HEADER} ${String(violations.length)} ${CLI_LABELS.ARCHITECTURE_VIOLATIONS}`,
)
violations.forEach((v, index) => {
console.log(`${String(index + 1)}. ${v.file}`)
console.log(` Rule: ${v.rule}`)
console.log(` ${v.message}`)
console.log("")
})
displayGroupedViolations(
violations,
(v, index) => {
console.log(`${String(index + 1)}. ${v.file}`)
console.log(` Severity: ${SEVERITY_LABELS[v.severity]}`)
console.log(` Rule: ${v.rule}`)
console.log(` ${v.message}`)
console.log("")
},
limit,
)
}
// Circular dependency violations
if (options.architecture && circularDependencyViolations.length > 0) {
console.log(
`${CLI_MESSAGES.CIRCULAR_DEPS_HEADER} ${String(circularDependencyViolations.length)} ${CLI_LABELS.CIRCULAR_DEPENDENCIES}\n`,
`\n${CLI_MESSAGES.CIRCULAR_DEPS_HEADER} ${String(circularDependencyViolations.length)} ${CLI_LABELS.CIRCULAR_DEPENDENCIES}`,
)
circularDependencyViolations.forEach((cd, index) => {
console.log(`${String(index + 1)}. ${cd.message}`)
console.log(` Severity: ${cd.severity}`)
console.log(" Cycle path:")
cd.cycle.forEach((file, i) => {
console.log(` ${String(i + 1)}. ${file}`)
})
console.log(
` ${String(cd.cycle.length + 1)}. ${cd.cycle[0]} (back to start)`,
)
console.log("")
})
displayGroupedViolations(
circularDependencyViolations,
(cd, index) => {
console.log(`${String(index + 1)}. ${cd.message}`)
console.log(` Severity: ${SEVERITY_LABELS[cd.severity]}`)
console.log(" Cycle path:")
cd.cycle.forEach((file, i) => {
console.log(` ${String(i + 1)}. ${file}`)
})
console.log(
` ${String(cd.cycle.length + 1)}. ${cd.cycle[0]} (back to start)`,
)
console.log("")
},
limit,
)
}
// Naming convention violations
if (options.architecture && namingViolations.length > 0) {
console.log(
`${CLI_MESSAGES.NAMING_VIOLATIONS_HEADER} ${String(namingViolations.length)} ${CLI_LABELS.NAMING_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.NAMING_VIOLATIONS_HEADER} ${String(namingViolations.length)} ${CLI_LABELS.NAMING_VIOLATIONS}`,
)
namingViolations.forEach((nc, index) => {
console.log(`${String(index + 1)}. ${nc.file}`)
console.log(` File: ${nc.fileName}`)
console.log(` Layer: ${nc.layer}`)
console.log(` Type: ${nc.type}`)
console.log(` Message: ${nc.message}`)
if (nc.suggestion) {
console.log(` 💡 Suggestion: ${nc.suggestion}`)
}
console.log("")
})
displayGroupedViolations(
namingViolations,
(nc, index) => {
console.log(`${String(index + 1)}. ${nc.file}`)
console.log(` Severity: ${SEVERITY_LABELS[nc.severity]}`)
console.log(` File: ${nc.fileName}`)
console.log(` Layer: ${nc.layer}`)
console.log(` Type: ${nc.type}`)
console.log(` Message: ${nc.message}`)
if (nc.suggestion) {
console.log(` 💡 Suggestion: ${nc.suggestion}`)
}
console.log("")
},
limit,
)
}
// Framework leak violations
if (options.architecture && frameworkLeakViolations.length > 0) {
console.log(
`\n🏗 Found ${String(frameworkLeakViolations.length)} framework leak(s):\n`,
`\n🏗 Found ${String(frameworkLeakViolations.length)} framework leak(s)`,
)
frameworkLeakViolations.forEach((fl, index) => {
console.log(`${String(index + 1)}. ${fl.file}`)
console.log(` Package: ${fl.packageName}`)
console.log(` Category: ${fl.categoryDescription}`)
console.log(` Layer: ${fl.layer}`)
console.log(` Rule: ${fl.rule}`)
console.log(` ${fl.message}`)
console.log(` 💡 Suggestion: ${fl.suggestion}`)
console.log("")
})
displayGroupedViolations(
frameworkLeakViolations,
(fl, index) => {
console.log(`${String(index + 1)}. ${fl.file}`)
console.log(` Severity: ${SEVERITY_LABELS[fl.severity]}`)
console.log(` Package: ${fl.packageName}`)
console.log(` Category: ${fl.categoryDescription}`)
console.log(` Layer: ${fl.layer}`)
console.log(` Rule: ${fl.rule}`)
console.log(` ${fl.message}`)
console.log(` 💡 Suggestion: ${fl.suggestion}`)
console.log("")
},
limit,
)
}
// Entity exposure violations
if (options.architecture && entityExposureViolations.length > 0) {
console.log(
`\n🎭 Found ${String(entityExposureViolations.length)} entity exposure(s)`,
)
displayGroupedViolations(
entityExposureViolations,
(ee, index) => {
const location = ee.line ? `${ee.file}:${String(ee.line)}` : ee.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[ee.severity]}`)
console.log(` Entity: ${ee.entityName}`)
console.log(` Return Type: ${ee.returnType}`)
if (ee.methodName) {
console.log(` Method: ${ee.methodName}`)
}
console.log(` Layer: ${ee.layer}`)
console.log(` Rule: ${ee.rule}`)
console.log(` ${ee.message}`)
console.log(" 💡 Suggestion:")
ee.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
},
limit,
)
}
// Dependency direction violations
if (options.architecture && dependencyDirectionViolations.length > 0) {
console.log(
`\n⚠ Found ${String(dependencyDirectionViolations.length)} dependency direction violation(s)`,
)
displayGroupedViolations(
dependencyDirectionViolations,
(dd, index) => {
console.log(`${String(index + 1)}. ${dd.file}`)
console.log(` Severity: ${SEVERITY_LABELS[dd.severity]}`)
console.log(` From Layer: ${dd.fromLayer}`)
console.log(` To Layer: ${dd.toLayer}`)
console.log(` Import: ${dd.importPath}`)
console.log(` ${dd.message}`)
console.log(` 💡 Suggestion: ${dd.suggestion}`)
console.log("")
},
limit,
)
}
// Repository pattern violations
if (options.architecture && repositoryPatternViolations.length > 0) {
console.log(
`\n📦 Found ${String(repositoryPatternViolations.length)} repository pattern violation(s)`,
)
displayGroupedViolations(
repositoryPatternViolations,
(rp, index) => {
console.log(`${String(index + 1)}. ${rp.file}`)
console.log(` Severity: ${SEVERITY_LABELS[rp.severity]}`)
console.log(` Layer: ${rp.layer}`)
console.log(` Type: ${rp.violationType}`)
console.log(` Details: ${rp.details}`)
console.log(` ${rp.message}`)
console.log(` 💡 Suggestion: ${rp.suggestion}`)
console.log("")
},
limit,
)
}
// Hardcode violations
if (options.hardcode && hardcodeViolations.length > 0) {
console.log(
`${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}`,
)
hardcodeViolations.forEach((hc, index) => {
console.log(
`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`,
)
console.log(` Type: ${hc.type}`)
console.log(` Value: ${JSON.stringify(hc.value)}`)
console.log(` Context: ${hc.context.trim()}`)
console.log(` 💡 Suggested: ${hc.suggestion.constantName}`)
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
})
displayGroupedViolations(
hardcodeViolations,
(hc, index) => {
console.log(
`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`,
)
console.log(` Severity: ${SEVERITY_LABELS[hc.severity]}`)
console.log(` Type: ${hc.type}`)
console.log(` Value: ${JSON.stringify(hc.value)}`)
console.log(` Context: ${hc.context.trim()}`)
console.log(` 💡 Suggested: ${hc.suggestion.constantName}`)
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
},
limit,
)
}
// Summary
@@ -151,7 +404,10 @@ program
hardcodeViolations.length +
circularDependencyViolations.length +
namingViolations.length +
frameworkLeakViolations.length
frameworkLeakViolations.length +
entityExposureViolations.length +
dependencyDirectionViolations.length +
repositoryPatternViolations.length
if (totalIssues === 0) {
console.log(CLI_MESSAGES.NO_ISSUES)

31
packages/guardian/src/domain/constants/FrameworkCategories.ts Normal file
View File

@@ -0,0 +1,31 @@
export const FRAMEWORK_CATEGORY_NAMES = {
ORM: "ORM",
WEB_FRAMEWORK: "WEB_FRAMEWORK",
HTTP_CLIENT: "HTTP_CLIENT",
VALIDATION: "VALIDATION",
DI_CONTAINER: "DI_CONTAINER",
LOGGER: "LOGGER",
CACHE: "CACHE",
MESSAGE_QUEUE: "MESSAGE_QUEUE",
EMAIL: "EMAIL",
STORAGE: "STORAGE",
TESTING: "TESTING",
TEMPLATE_ENGINE: "TEMPLATE_ENGINE",
} as const
export const FRAMEWORK_CATEGORY_DESCRIPTIONS = {
[FRAMEWORK_CATEGORY_NAMES.ORM]: "Database ORM/ODM",
[FRAMEWORK_CATEGORY_NAMES.WEB_FRAMEWORK]: "Web Framework",
[FRAMEWORK_CATEGORY_NAMES.HTTP_CLIENT]: "HTTP Client",
[FRAMEWORK_CATEGORY_NAMES.VALIDATION]: "Validation Library",
[FRAMEWORK_CATEGORY_NAMES.DI_CONTAINER]: "DI Container",
[FRAMEWORK_CATEGORY_NAMES.LOGGER]: "Logger",
[FRAMEWORK_CATEGORY_NAMES.CACHE]: "Cache",
[FRAMEWORK_CATEGORY_NAMES.MESSAGE_QUEUE]: "Message Queue",
[FRAMEWORK_CATEGORY_NAMES.EMAIL]: "Email Service",
[FRAMEWORK_CATEGORY_NAMES.STORAGE]: "Storage Service",
[FRAMEWORK_CATEGORY_NAMES.TESTING]: "Testing Framework",
[FRAMEWORK_CATEGORY_NAMES.TEMPLATE_ENGINE]: "Template Engine",
} as const
export const DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION = "Framework Package"

50
packages/guardian/src/domain/constants/Messages.ts Normal file
View File

@@ -0,0 +1,50 @@
export const DEPENDENCY_VIOLATION_MESSAGES = {
DOMAIN_INDEPENDENCE: "Domain layer should be independent and not depend on other layers",
DOMAIN_MOVE_TO_DOMAIN:
"Move the imported code to the domain layer if it contains business logic",
DOMAIN_USE_DI:
"Use dependency inversion: define an interface in domain and implement it in infrastructure",
APPLICATION_NO_INFRA: "Application layer should not depend on infrastructure",
APPLICATION_DEFINE_PORT: "Define an interface (Port) in application layer",
APPLICATION_IMPLEMENT_ADAPTER: "Implement the interface (Adapter) in infrastructure layer",
APPLICATION_USE_DI: "Use dependency injection to provide the implementation",
}
export const ENTITY_EXPOSURE_MESSAGES = {
METHOD_DEFAULT: "Method",
METHOD_DEFAULT_NAME: "getEntity",
}
export const FRAMEWORK_LEAK_MESSAGES = {
DEFAULT_MESSAGE: "Domain layer should not depend on external frameworks",
}
export const REPOSITORY_PATTERN_MESSAGES = {
UNKNOWN_TYPE: "Unknown",
CONSTRUCTOR: "constructor",
DEFAULT_SUGGESTION: "Follow Repository Pattern best practices",
NO_EXAMPLE: "// No example available",
STEP_REMOVE_ORM_TYPES: "1. Remove ORM-specific types from repository interface",
STEP_USE_DOMAIN_TYPES: "2. Use domain types (entities, value objects) instead",
STEP_KEEP_CLEAN: "3. Keep repository interface clean and persistence-agnostic",
STEP_DEPEND_ON_INTERFACE: "1. Depend on repository interface (IUserRepository) in constructor",
STEP_MOVE_TO_INFRASTRUCTURE: "2. Move concrete implementation to infrastructure layer",
STEP_USE_DI: "3. Use dependency injection to provide implementation",
STEP_REMOVE_NEW: "1. Remove 'new Repository()' from use case",
STEP_INJECT_CONSTRUCTOR: "2. Inject repository through constructor",
STEP_CONFIGURE_DI: "3. Configure dependency injection container",
STEP_RENAME_METHOD: "1. Rename method to use domain language",
STEP_REFLECT_BUSINESS: "2. Method names should reflect business operations",
STEP_AVOID_TECHNICAL: "3. Avoid technical database terms (query, insert, select)",
EXAMPLE_PREFIX: "Example:",
BAD_ORM_EXAMPLE: "❌ Bad: findOne(query: Prisma.UserWhereInput)",
GOOD_DOMAIN_EXAMPLE: "✅ Good: findById(id: UserId): Promise<User | null>",
BAD_NEW_REPO: "❌ Bad: const repo = new UserRepository()",
GOOD_INJECT_REPO: "✅ Good: constructor(private readonly userRepo: IUserRepository) {}",
SUGGESTION_FINDONE: "findById",
SUGGESTION_FINDMANY: "findAll or findByFilter",
SUGGESTION_INSERT: "save or create",
SUGGESTION_UPDATE: "save",
SUGGESTION_DELETE: "remove or delete",
SUGGESTION_QUERY: "find or search",
}

2
packages/guardian/src/domain/entities/DependencyGraph.ts
View File

@@ -94,7 +94,7 @@ export class DependencyGraph extends BaseEntity {
totalDependencies: number
avgDependencies: number
maxDependencies: number
} {
} {
const nodes = Array.from(this.nodes.values())
const totalFiles = nodes.length
const totalDependencies = nodes.reduce((sum, node) => sum + node.dependencies.length, 0)

3
packages/guardian/src/domain/index.ts
View File

@@ -5,9 +5,10 @@ export * from "./value-objects/ValueObject"
export * from "./value-objects/ProjectPath"
export * from "./value-objects/HardcodedValue"
export * from "./value-objects/NamingViolation"
export * from "./repositories/IBaseRepository"
export * from "./value-objects/RepositoryViolation"
export * from "./services/IFileScanner"
export * from "./services/ICodeParser"
export * from "./services/IHardcodeDetector"
export * from "./services/INamingConventionDetector"
export * from "./services/RepositoryPatternDetectorService"
export * from "./events/DomainEvent"

14
packages/guardian/src/domain/repositories/IBaseRepository.ts
View File

@@ -1,14 +0,0 @@
import { BaseEntity } from "../entities/BaseEntity"
/**
* Generic repository interface
* Defines standard CRUD operations for entities
*/
export interface IRepository<T extends BaseEntity> {
findById(id: string): Promise<T | null>
findAll(): Promise<T[]>
save(entity: T): Promise<T>
update(entity: T): Promise<T>
delete(id: string): Promise<boolean>
exists(id: string): Promise<boolean>
}

47
packages/guardian/src/domain/services/IDependencyDirectionDetector.ts Normal file
View File

@@ -0,0 +1,47 @@
import { DependencyViolation } from "../value-objects/DependencyViolation"
/**
* Interface for detecting dependency direction violations in the codebase
*
* Dependency direction violations occur when a layer imports from a layer
* that it should not depend on according to Clean Architecture principles:
* - Domain should not import from Application or Infrastructure
* - Application should not import from Infrastructure
* - Infrastructure can import from Application and Domain
* - Shared can be imported by all layers
*/
export interface IDependencyDirectionDetector {
/**
* Detects dependency direction violations in the given code
*
* Analyzes import statements to identify violations of dependency rules
* between architectural layers.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected dependency direction violations
*/
detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): DependencyViolation[]
/**
* Checks if an import violates dependency direction rules
*
* @param fromLayer - The layer that is importing
* @param toLayer - The layer being imported
* @returns True if the import violates dependency rules
*/
isViolation(fromLayer: string, toLayer: string): boolean
/**
* Extracts the layer from an import path
*
* @param importPath - The import path to analyze
* @returns The layer name if detected, undefined otherwise
*/
extractLayerFromImport(importPath: string): string | undefined
}

34
packages/guardian/src/domain/services/IEntityExposureDetector.ts Normal file
View File

@@ -0,0 +1,34 @@
import { EntityExposure } from "../value-objects/EntityExposure"
/**
* Interface for detecting entity exposure violations in the codebase
*
* Entity exposure occurs when domain entities are directly returned from
* controllers/routes instead of using DTOs (Data Transfer Objects).
* This violates separation of concerns and can expose internal domain logic.
*/
export interface IEntityExposureDetector {
/**
* Detects entity exposure violations in the given code
*
* Analyzes method return types in controllers/routes to identify
* domain entities being directly exposed to external clients.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected entity exposure violations
*/
detectExposures(code: string, filePath: string, layer: string | undefined): EntityExposure[]
/**
* Checks if a return type is a domain entity
*
* Domain entities are typically PascalCase nouns without Dto/Request/Response suffixes
* and are defined in the domain layer.
*
* @param returnType - The return type to check
* @returns True if the return type appears to be a domain entity
*/
isDomainEntity(returnType: string): boolean
}

88
packages/guardian/src/domain/services/RepositoryPatternDetectorService.ts Normal file
View File

@@ -0,0 +1,88 @@
import { RepositoryViolation } from "../value-objects/RepositoryViolation"
/**
* Interface for detecting Repository Pattern violations in the codebase
*
* Repository Pattern violations include:
* - ORM-specific types in repository interfaces (domain layer)
* - Concrete repository usage in use cases instead of interfaces
* - Repository instantiation with 'new' in use cases (should use DI)
* - Non-domain method names in repository interfaces
*
* The Repository Pattern ensures that domain logic remains decoupled from
* infrastructure concerns like databases and ORMs.
*/
export interface IRepositoryPatternDetector {
/**
* Detects all Repository Pattern violations in the given code
*
* Analyzes code for proper implementation of the Repository Pattern,
* including interface purity, dependency inversion, and domain language usage.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected Repository Pattern violations
*/
detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[]
/**
* Checks if a type is an ORM-specific type
*
* ORM-specific types include Prisma types, TypeORM decorators, Mongoose schemas, etc.
* These types should not appear in domain repository interfaces.
*
* @param typeName - The type name to check
* @returns True if the type is ORM-specific
*/
isOrmType(typeName: string): boolean
/**
* Checks if a method name follows domain language conventions
*
* Domain repository methods should use business-oriented names like:
* - findById, findByEmail, findByStatus
* - save, create, update
* - delete, remove
*
* Avoid technical database terms like:
* - findOne, findMany, query
* - insert, select, update (SQL terms)
*
* @param methodName - The method name to check
* @returns True if the method name uses domain language
*/
isDomainMethodName(methodName: string): boolean
/**
* Checks if a file is a repository interface
*
* Repository interfaces typically:
* - Are in the domain layer
* - Have names matching I*Repository pattern
* - Contain interface definitions
*
* @param filePath - The file path to check
* @param layer - The architectural layer
* @returns True if the file is a repository interface
*/
isRepositoryInterface(filePath: string, layer: string | undefined): boolean
/**
* Checks if a file is a use case
*
* Use cases typically:
* - Are in the application layer
* - Follow verb-noun naming pattern (CreateUser, UpdateProfile)
* - Contain class definitions for business operations
*
* @param filePath - The file path to check
* @param layer - The architectural layer
* @returns True if the file is a use case
*/
isUseCase(filePath: string, layer: string | undefined): boolean
}

171
packages/guardian/src/domain/value-objects/DependencyViolation.ts Normal file
View File

@@ -0,0 +1,171 @@
import { ValueObject } from "./ValueObject"
import {
LAYER_APPLICATION,
LAYER_DOMAIN,
LAYER_INFRASTRUCTURE,
} from "../../shared/constants/layers"
import { DEPENDENCY_VIOLATION_MESSAGES } from "../constants/Messages"
interface DependencyViolationProps {
readonly fromLayer: string
readonly toLayer: string
readonly importPath: string
readonly filePath: string
readonly line?: number
}
/**
* Represents a dependency direction violation in the codebase
*
* Dependency direction violations occur when a layer imports from a layer
* that it should not depend on according to Clean Architecture principles:
* - Domain → should not import from Application or Infrastructure
* - Application → should not import from Infrastructure
* - Infrastructure → can import from Application and Domain (allowed)
* - Shared → can be imported by all layers (allowed)
*
* @example
* ```typescript
* // Bad: Domain importing from Application
* const violation = DependencyViolation.create(
* 'domain',
* 'application',
* '../../application/dtos/UserDto',
* 'src/domain/entities/User.ts',
* 5
* )
*
* console.log(violation.getMessage())
* // "Domain layer should not import from Application layer"
* ```
*/
export class DependencyViolation extends ValueObject<DependencyViolationProps> {
private constructor(props: DependencyViolationProps) {
super(props)
}
public static create(
fromLayer: string,
toLayer: string,
importPath: string,
filePath: string,
line?: number,
): DependencyViolation {
return new DependencyViolation({
fromLayer,
toLayer,
importPath,
filePath,
line,
})
}
public get fromLayer(): string {
return this.props.fromLayer
}
public get toLayer(): string {
return this.props.toLayer
}
public get importPath(): string {
return this.props.importPath
}
public get filePath(): string {
return this.props.filePath
}
public get line(): number | undefined {
return this.props.line
}
public getMessage(): string {
return `${this.capitalizeFirst(this.props.fromLayer)} layer should not import from ${this.capitalizeFirst(this.props.toLayer)} layer`
}
public getSuggestion(): string {
const suggestions: string[] = []
if (this.props.fromLayer === LAYER_DOMAIN) {
suggestions.push(
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_INDEPENDENCE,
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_MOVE_TO_DOMAIN,
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_USE_DI,
)
} else if (this.props.fromLayer === LAYER_APPLICATION) {
suggestions.push(
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_NO_INFRA,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_DEFINE_PORT,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_IMPLEMENT_ADAPTER,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_USE_DI,
)
}
return suggestions.join("\n")
}
public getExampleFix(): string {
if (this.props.fromLayer === LAYER_DOMAIN && this.props.toLayer === LAYER_INFRASTRUCTURE) {
return `
// ❌ Bad: Domain depends on Infrastructure (PrismaClient)
// domain/services/UserService.ts
class UserService {
constructor(private prisma: PrismaClient) {}
}
// ✅ Good: Domain defines interface, Infrastructure implements
// domain/repositories/IUserRepository.ts
interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
}
// domain/services/UserService.ts
class UserService {
constructor(private userRepo: IUserRepository) {}
}
// infrastructure/repositories/PrismaUserRepository.ts
class PrismaUserRepository implements IUserRepository {
constructor(private prisma: PrismaClient) {}
async findById(id: UserId): Promise<User | null> { }
async save(user: User): Promise<void> { }
}`
}
if (
this.props.fromLayer === LAYER_APPLICATION &&
this.props.toLayer === LAYER_INFRASTRUCTURE
) {
return `
// ❌ Bad: Application depends on Infrastructure (SmtpEmailService)
// application/use-cases/SendEmail.ts
class SendWelcomeEmail {
constructor(private emailService: SmtpEmailService) {}
}
// ✅ Good: Application defines Port, Infrastructure implements Adapter
// application/ports/IEmailService.ts
interface IEmailService {
send(to: string, subject: string, body: string): Promise<void>
}
// application/use-cases/SendEmail.ts
class SendWelcomeEmail {
constructor(private emailService: IEmailService) {}
}
// infrastructure/adapters/SmtpEmailService.ts
class SmtpEmailService implements IEmailService {
async send(to: string, subject: string, body: string): Promise<void> { }
}`
}
return ""
}
private capitalizeFirst(str: string): string {
return str.charAt(0).toUpperCase() + str.slice(1)
}
}

112
packages/guardian/src/domain/value-objects/EntityExposure.ts Normal file
View File

@@ -0,0 +1,112 @@
import { ValueObject } from "./ValueObject"
import { ENTITY_EXPOSURE_MESSAGES } from "../constants/Messages"
interface EntityExposureProps {
readonly entityName: string
readonly returnType: string
readonly filePath: string
readonly layer: string
readonly line?: number
readonly methodName?: string
}
/**
* Represents an entity exposure violation in the codebase
*
* Entity exposure occurs when a domain entity is directly exposed in API responses
* instead of using DTOs (Data Transfer Objects). This violates the separation of concerns
* and can lead to exposing internal domain logic to external clients.
*
* @example
* ```typescript
* // Bad: Controller returning domain entity
* const exposure = EntityExposure.create(
* 'User',
* 'User',
* 'src/infrastructure/controllers/UserController.ts',
* 'infrastructure',
* 25,
* 'getUser'
* )
*
* console.log(exposure.getMessage())
* // "Method 'getUser' returns domain entity 'User' instead of DTO"
* ```
*/
export class EntityExposure extends ValueObject<EntityExposureProps> {
private constructor(props: EntityExposureProps) {
super(props)
}
public static create(
entityName: string,
returnType: string,
filePath: string,
layer: string,
line?: number,
methodName?: string,
): EntityExposure {
return new EntityExposure({
entityName,
returnType,
filePath,
layer,
line,
methodName,
})
}
public get entityName(): string {
return this.props.entityName
}
public get returnType(): string {
return this.props.returnType
}
public get filePath(): string {
return this.props.filePath
}
public get layer(): string {
return this.props.layer
}
public get line(): number | undefined {
return this.props.line
}
public get methodName(): string | undefined {
return this.props.methodName
}
public getMessage(): string {
const method = this.props.methodName
? `Method '${this.props.methodName}'`
: ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT
return `${method} returns domain entity '${this.props.entityName}' instead of DTO`
}
public getSuggestion(): string {
const suggestions = [
`Create a DTO class (e.g., ${this.props.entityName}ResponseDto) in the application layer`,
`Create a mapper to convert ${this.props.entityName} to ${this.props.entityName}ResponseDto`,
`Update the method to return ${this.props.entityName}ResponseDto instead of ${this.props.entityName}`,
]
return suggestions.join("\n")
}
public getExampleFix(): string {
return `
// ❌ Bad: Exposing domain entity
async ${this.props.methodName || ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT_NAME}(): Promise<${this.props.entityName}> {
return await this.service.find()
}
// ✅ Good: Using DTO
async ${this.props.methodName || ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT_NAME}(): Promise<${this.props.entityName}ResponseDto> {
const entity = await this.service.find()
return ${this.props.entityName}Mapper.toDto(entity)
}`
}
}

42
packages/guardian/src/domain/value-objects/FrameworkLeak.ts
View File

@@ -1,5 +1,9 @@
import { ValueObject } from "./ValueObject"
import { FRAMEWORK_LEAK_MESSAGES } from "../../shared/constants/rules"
import {
DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION,
FRAMEWORK_CATEGORY_DESCRIPTIONS,
} from "../constants/FrameworkCategories"
interface FrameworkLeakProps {
readonly packageName: string
@@ -72,7 +76,10 @@ export class FrameworkLeak extends ValueObject<FrameworkLeakProps> {
}
public getMessage(): string {
return FRAMEWORK_LEAK_MESSAGES.DOMAIN_IMPORT.replace("{package}", this.props.packageName)
return FRAMEWORK_LEAK_MESSAGES.DOMAIN_IMPORT.replace(
FRAMEWORK_LEAK_MESSAGES.PACKAGE_PLACEHOLDER,
this.props.packageName,
)
}
public getSuggestion(): string {
@@ -80,33 +87,10 @@ export class FrameworkLeak extends ValueObject<FrameworkLeakProps> {
}
public getCategoryDescription(): string {
switch (this.props.category) {
case "ORM":
return "Database ORM/ODM"
case "WEB_FRAMEWORK":
return "Web Framework"
case "HTTP_CLIENT":
return "HTTP Client"
case "VALIDATION":
return "Validation Library"
case "DI_CONTAINER":
return "DI Container"
case "LOGGER":
return "Logger"
case "CACHE":
return "Cache"
case "MESSAGE_QUEUE":
return "Message Queue"
case "EMAIL":
return "Email Service"
case "STORAGE":
return "Storage Service"
case "TESTING":
return "Testing Framework"
case "TEMPLATE_ENGINE":
return "Template Engine"
default:
return "Framework Package"
}
return (
FRAMEWORK_CATEGORY_DESCRIPTIONS[
this.props.category as keyof typeof FRAMEWORK_CATEGORY_DESCRIPTIONS
] || DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION
)
}
}

293
packages/guardian/src/domain/value-objects/RepositoryViolation.ts Normal file
View File

@@ -0,0 +1,293 @@
import { ValueObject } from "./ValueObject"
import { REPOSITORY_VIOLATION_TYPES } from "../../shared/constants/rules"
import { REPOSITORY_PATTERN_MESSAGES } from "../constants/Messages"
interface RepositoryViolationProps {
readonly violationType:
| typeof REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE
| typeof REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME
readonly filePath: string
readonly layer: string
readonly line?: number
readonly details: string
readonly ormType?: string
readonly repositoryName?: string
readonly methodName?: string
}
/**
* Represents a Repository Pattern violation in the codebase
*
* Repository Pattern violations occur when:
* 1. Repository interfaces contain ORM-specific types
* 2. Use cases depend on concrete repository implementations instead of interfaces
* 3. Repositories are instantiated with 'new' in use cases
* 4. Repository methods use technical names instead of domain language
*
* @example
* ```typescript
* // Violation: ORM type in interface
* const violation = RepositoryViolation.create(
* 'orm-type-in-interface',
* 'src/domain/repositories/IUserRepository.ts',
* 'domain',
* 15,
* 'Repository interface uses Prisma-specific type',
* 'Prisma.UserWhereInput'
* )
* ```
*/
export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
private constructor(props: RepositoryViolationProps) {
super(props)
}
public static create(
violationType:
| typeof REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE
| typeof REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE
| typeof REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
filePath: string,
layer: string,
line: number | undefined,
details: string,
ormType?: string,
repositoryName?: string,
methodName?: string,
): RepositoryViolation {
return new RepositoryViolation({
violationType,
filePath,
layer,
line,
details,
ormType,
repositoryName,
methodName,
})
}
public get violationType(): string {
return this.props.violationType
}
public get filePath(): string {
return this.props.filePath
}
public get layer(): string {
return this.props.layer
}
public get line(): number | undefined {
return this.props.line
}
public get details(): string {
return this.props.details
}
public get ormType(): string | undefined {
return this.props.ormType
}
public get repositoryName(): string | undefined {
return this.props.repositoryName
}
public get methodName(): string | undefined {
return this.props.methodName
}
public getMessage(): string {
switch (this.props.violationType) {
case REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE:
return `Repository interface uses ORM-specific type '${this.props.ormType || "unknown"}'. Domain should not depend on infrastructure concerns.`
case REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE:
return `Use case depends on concrete repository '${this.props.repositoryName || "unknown"}' instead of interface. Use dependency inversion.`
case REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE:
return `Use case creates repository with 'new ${this.props.repositoryName || "Repository"}()'. Use dependency injection instead.`
case REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME:
return `Repository method '${this.props.methodName || "unknown"}' uses technical name. Use domain language instead.`
default:
return `Repository pattern violation: ${this.props.details}`
}
}
public getSuggestion(): string {
switch (this.props.violationType) {
case REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE:
return this.getOrmTypeSuggestion()
case REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE:
return this.getConcreteRepositorySuggestion()
case REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE:
return this.getNewRepositorySuggestion()
case REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME:
return this.getNonDomainMethodSuggestion()
default:
return REPOSITORY_PATTERN_MESSAGES.DEFAULT_SUGGESTION
}
}
private getOrmTypeSuggestion(): string {
return [
REPOSITORY_PATTERN_MESSAGES.STEP_REMOVE_ORM_TYPES,
REPOSITORY_PATTERN_MESSAGES.STEP_USE_DOMAIN_TYPES,
REPOSITORY_PATTERN_MESSAGES.STEP_KEEP_CLEAN,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
REPOSITORY_PATTERN_MESSAGES.BAD_ORM_EXAMPLE,
REPOSITORY_PATTERN_MESSAGES.GOOD_DOMAIN_EXAMPLE,
].join("\n")
}
private getConcreteRepositorySuggestion(): string {
return [
REPOSITORY_PATTERN_MESSAGES.STEP_DEPEND_ON_INTERFACE,
REPOSITORY_PATTERN_MESSAGES.STEP_MOVE_TO_INFRASTRUCTURE,
REPOSITORY_PATTERN_MESSAGES.STEP_USE_DI,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
`❌ Bad: constructor(private repo: ${this.props.repositoryName || "UserRepository"})`,
`✅ Good: constructor(private repo: I${this.props.repositoryName?.replace(/^.*?([A-Z]\w+)$/, "$1") || "UserRepository"})`,
].join("\n")
}
private getNewRepositorySuggestion(): string {
return [
REPOSITORY_PATTERN_MESSAGES.STEP_REMOVE_NEW,
REPOSITORY_PATTERN_MESSAGES.STEP_INJECT_CONSTRUCTOR,
REPOSITORY_PATTERN_MESSAGES.STEP_CONFIGURE_DI,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
REPOSITORY_PATTERN_MESSAGES.BAD_NEW_REPO,
REPOSITORY_PATTERN_MESSAGES.GOOD_INJECT_REPO,
].join("\n")
}
private getNonDomainMethodSuggestion(): string {
const detailsMatch = /Consider: (.+)$/.exec(this.props.details)
const smartSuggestion = detailsMatch ? detailsMatch[1] : null
const technicalToDomain = {
findOne: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_FINDONE,
findMany: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_FINDMANY,
insert: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_INSERT,
update: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_UPDATE,
delete: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_DELETE,
query: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_QUERY,
}
const fallbackSuggestion =
technicalToDomain[this.props.methodName as keyof typeof technicalToDomain]
const finalSuggestion =
smartSuggestion || fallbackSuggestion || "findById() or findByEmail()"
return [
REPOSITORY_PATTERN_MESSAGES.STEP_RENAME_METHOD,
REPOSITORY_PATTERN_MESSAGES.STEP_REFLECT_BUSINESS,
REPOSITORY_PATTERN_MESSAGES.STEP_AVOID_TECHNICAL,
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
`❌ Bad: ${this.props.methodName || "findOne"}()`,
`✅ Good: ${finalSuggestion}`,
].join("\n")
}
public getExampleFix(): string {
switch (this.props.violationType) {
case REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE:
return this.getOrmTypeExample()
case REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE:
return this.getConcreteRepositoryExample()
case REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE:
return this.getNewRepositoryExample()
case REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME:
return this.getNonDomainMethodExample()
default:
return REPOSITORY_PATTERN_MESSAGES.NO_EXAMPLE
}
}
private getOrmTypeExample(): string {
return `
// ❌ BAD: ORM-specific interface
// domain/repositories/IUserRepository.ts
interface IUserRepository {
findOne(query: { where: { id: string } }) // Prisma-specific
create(data: UserCreateInput) // ORM types in domain
}
// ✅ GOOD: Clean domain interface
interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
}`
}
private getConcreteRepositoryExample(): string {
return `
// ❌ BAD: Use Case with concrete implementation
class CreateUser {
constructor(private prisma: PrismaClient) {} // VIOLATION!
}
// ✅ GOOD: Use Case with interface
class CreateUser {
constructor(private userRepo: IUserRepository) {} // OK
}`
}
private getNewRepositoryExample(): string {
return `
// ❌ BAD: Creating repository in use case
class CreateUser {
async execute(data: CreateUserRequest) {
const repo = new UserRepository() // VIOLATION!
await repo.save(user)
}
}
// ✅ GOOD: Inject repository via constructor
class CreateUser {
constructor(private readonly userRepo: IUserRepository) {}
async execute(data: CreateUserRequest) {
await this.userRepo.save(user) // OK
}
}`
}
private getNonDomainMethodExample(): string {
return `
// ❌ BAD: Technical method names
interface IUserRepository {
findOne(id: string) // Database terminology
insert(user: User) // SQL terminology
query(filter: any) // Technical term
}
// ✅ GOOD: Domain language
interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
findByEmail(email: Email): Promise<User | null>
}`
}
}

181
packages/guardian/src/infrastructure/analyzers/DependencyDirectionDetector.ts Normal file
View File

@@ -0,0 +1,181 @@
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { DependencyViolation } from "../../domain/value-objects/DependencyViolation"
import { LAYERS } from "../../shared/constants/rules"
import { IMPORT_PATTERNS, LAYER_PATHS } from "../constants/paths"
/**
* Detects dependency direction violations between architectural layers
*
* This detector enforces Clean Architecture dependency rules:
* - Domain → should not import from Application or Infrastructure
* - Application → should not import from Infrastructure
* - Infrastructure → can import from Application and Domain (allowed)
* - Shared → can be imported by all layers (allowed)
*
* @example
* ```typescript
* const detector = new DependencyDirectionDetector()
*
* // Detect violations in domain file
* const code = `
* import { PrismaClient } from '@prisma/client'
* import { UserDto } from '../application/dtos/UserDto'
* `
* const violations = detector.detectViolations(code, 'src/domain/entities/User.ts', 'domain')
*
* // violations will contain 1 violation for domain importing from application
* console.log(violations.length) // 1
* console.log(violations[0].getMessage())
* // "Domain layer should not import from Application layer"
* ```
*/
export class DependencyDirectionDetector implements IDependencyDirectionDetector {
private readonly dependencyRules: Map<string, Set<string>>
constructor() {
this.dependencyRules = new Map([
[LAYERS.DOMAIN, new Set([LAYERS.DOMAIN, LAYERS.SHARED])],
[LAYERS.APPLICATION, new Set([LAYERS.DOMAIN, LAYERS.APPLICATION, LAYERS.SHARED])],
[
LAYERS.INFRASTRUCTURE,
new Set([LAYERS.DOMAIN, LAYERS.APPLICATION, LAYERS.INFRASTRUCTURE, LAYERS.SHARED]),
],
[
LAYERS.SHARED,
new Set([LAYERS.DOMAIN, LAYERS.APPLICATION, LAYERS.INFRASTRUCTURE, LAYERS.SHARED]),
],
])
}
/**
* Detects dependency direction violations in the given code
*
* Analyzes import statements to identify violations of dependency rules
* between architectural layers.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected dependency direction violations
*/
public detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): DependencyViolation[] {
if (!layer || layer === LAYERS.SHARED) {
return []
}
const violations: DependencyViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const imports = this.extractImports(line)
for (const importPath of imports) {
const targetLayer = this.extractLayerFromImport(importPath)
if (targetLayer && this.isViolation(layer, targetLayer)) {
violations.push(
DependencyViolation.create(
layer,
targetLayer,
importPath,
filePath,
lineNumber,
),
)
}
}
}
return violations
}
/**
* Checks if an import violates dependency direction rules
*
* @param fromLayer - The layer that is importing
* @param toLayer - The layer being imported
* @returns True if the import violates dependency rules
*/
public isViolation(fromLayer: string, toLayer: string): boolean {
const allowedDependencies = this.dependencyRules.get(fromLayer)
if (!allowedDependencies) {
return false
}
return !allowedDependencies.has(toLayer)
}
/**
* Extracts the layer from an import path
*
* @param importPath - The import path to analyze
* @returns The layer name if detected, undefined otherwise
*/
public extractLayerFromImport(importPath: string): string | undefined {
const normalizedPath = importPath.replace(IMPORT_PATTERNS.QUOTE, "").toLowerCase()
const layerPatterns: [string, string][] = [
[LAYERS.DOMAIN, LAYER_PATHS.DOMAIN],
[LAYERS.APPLICATION, LAYER_PATHS.APPLICATION],
[LAYERS.INFRASTRUCTURE, LAYER_PATHS.INFRASTRUCTURE],
[LAYERS.SHARED, LAYER_PATHS.SHARED],
]
for (const [layer, pattern] of layerPatterns) {
if (this.containsLayerPattern(normalizedPath, pattern)) {
return layer
}
}
return undefined
}
/**
* Checks if the normalized path contains the layer pattern
*/
private containsLayerPattern(normalizedPath: string, pattern: string): boolean {
return (
normalizedPath.includes(pattern) ||
normalizedPath.includes(`.${pattern}`) ||
normalizedPath.includes(`..${pattern}`) ||
normalizedPath.includes(`...${pattern}`)
)
}
/**
* Extracts import paths from a line of code
*
* Handles various import statement formats:
* - import { X } from 'path'
* - import X from 'path'
* - import * as X from 'path'
* - const X = require('path')
*
* @param line - A line of code to analyze
* @returns Array of import paths found in the line
*/
private extractImports(line: string): string[] {
const imports: string[] = []
let match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
while (match) {
imports.push(match[1])
match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
}
match = IMPORT_PATTERNS.REQUIRE.exec(line)
while (match) {
imports.push(match[1])
match = IMPORT_PATTERNS.REQUIRE.exec(line)
}
return imports
}
}

197
packages/guardian/src/infrastructure/analyzers/EntityExposureDetector.ts Normal file
View File

@@ -0,0 +1,197 @@
import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDetector"
import { EntityExposure } from "../../domain/value-objects/EntityExposure"
import { LAYERS } from "../../shared/constants/rules"
import { DTO_SUFFIXES, NULLABLE_TYPES, PRIMITIVE_TYPES } from "../constants/type-patterns"
/**
* Detects domain entity exposure in controller/route return types
*
* This detector identifies violations where controllers or route handlers
* directly return domain entities instead of using DTOs (Data Transfer Objects).
* This violates separation of concerns and can expose internal domain logic.
*
* @example
* ```typescript
* const detector = new EntityExposureDetector()
*
* // Detect exposures in a controller file
* const code = `
* class UserController {
* async getUser(id: string): Promise<User> {
* return this.userService.findById(id)
* }
* }
* `
* const exposures = detector.detectExposures(code, 'src/infrastructure/controllers/UserController.ts', 'infrastructure')
*
* // exposures will contain violation for returning User entity
* console.log(exposures.length) // 1
* console.log(exposures[0].entityName) // 'User'
* ```
*/
export class EntityExposureDetector implements IEntityExposureDetector {
private readonly dtoSuffixes = DTO_SUFFIXES
private readonly controllerPatterns = [
/Controller/i,
/Route/i,
/Handler/i,
/Resolver/i,
/Gateway/i,
]
/**
* Detects entity exposure violations in the given code
*
* Analyzes method return types in controllers/routes to identify
* domain entities being directly exposed to external clients.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (domain, application, infrastructure, shared)
* @returns Array of detected entity exposure violations
*/
public detectExposures(
code: string,
filePath: string,
layer: string | undefined,
): EntityExposure[] {
if (layer !== LAYERS.INFRASTRUCTURE || !this.isControllerFile(filePath)) {
return []
}
const exposures: EntityExposure[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const methodMatches = this.findMethodReturnTypes(line)
for (const match of methodMatches) {
const { methodName, returnType } = match
if (this.isDomainEntity(returnType)) {
exposures.push(
EntityExposure.create(
returnType,
returnType,
filePath,
layer,
lineNumber,
methodName,
),
)
}
}
}
return exposures
}
/**
* Checks if a return type is a domain entity
*
* Domain entities are typically PascalCase nouns without Dto/Request/Response suffixes
* and are defined in the domain layer.
*
* @param returnType - The return type to check
* @returns True if the return type appears to be a domain entity
*/
public isDomainEntity(returnType: string): boolean {
if (!returnType || returnType.trim() === "") {
return false
}
const cleanType = this.extractCoreType(returnType)
if (this.isPrimitiveType(cleanType)) {
return false
}
if (this.hasAllowedSuffix(cleanType)) {
return false
}
return this.isPascalCase(cleanType)
}
/**
* Checks if the file is a controller/route file
*/
private isControllerFile(filePath: string): boolean {
return this.controllerPatterns.some((pattern) => pattern.test(filePath))
}
/**
* Finds method return types in a line of code
*/
private findMethodReturnTypes(line: string): { methodName: string; returnType: string }[] {
const matches: { methodName: string; returnType: string }[] = []
const methodRegex =
/(?:async\s+)?(\w+)\s*\([^)]*\)\s*:\s*Promise<([^>]+)>|(?:async\s+)?(\w+)\s*\([^)]*\)\s*:\s*([A-Z]\w+)/g
let match
while ((match = methodRegex.exec(line)) !== null) {
const methodName = match[1] || match[3]
const returnType = match[2] || match[4]
if (methodName && returnType) {
matches.push({ methodName, returnType })
}
}
return matches
}
/**
* Extracts core type from complex type annotations
* Examples:
* - "Promise<User>" -> "User"
* - "User[]" -> "User"
* - "User | null" -> "User"
*/
private extractCoreType(returnType: string): string {
let cleanType = returnType.trim()
cleanType = cleanType.replace(/Promise<([^>]+)>/, "$1")
cleanType = cleanType.replace(/\[\]$/, "")
if (cleanType.includes("|")) {
const types = cleanType.split("|").map((t) => t.trim())
const nonNullTypes = types.filter(
(t) => !(NULLABLE_TYPES as readonly string[]).includes(t),
)
if (nonNullTypes.length > 0) {
cleanType = nonNullTypes[0]
}
}
return cleanType.trim()
}
/**
* Checks if a type is a primitive type
*/
private isPrimitiveType(type: string): boolean {
return (PRIMITIVE_TYPES as readonly string[]).includes(type.toLowerCase())
}
/**
* Checks if a type has an allowed DTO/Response suffix
*/
private hasAllowedSuffix(type: string): boolean {
return this.dtoSuffixes.some((suffix) => type.endsWith(suffix))
}
/**
* Checks if a string is in PascalCase
*/
private isPascalCase(str: string): boolean {
if (!str || str.length === 0) {
return false
}
return /^[A-Z]([a-z0-9]+[A-Z]?)*[a-z0-9]*$/.test(str) && /[a-z]/.test(str)
}
}

16
packages/guardian/src/infrastructure/analyzers/HardcodeDetector.ts
View File

@@ -34,11 +34,27 @@ export class HardcodeDetector implements IHardcodeDetector {
* @returns Array of detected hardcoded values with suggestions
*/
public detectAll(code: string, filePath: string): HardcodedValue[] {
if (this.isConstantsFile(filePath)) {
return []
}
const magicNumbers = this.detectMagicNumbers(code, filePath)
const magicStrings = this.detectMagicStrings(code, filePath)
return [...magicNumbers, ...magicStrings]
}
/**
* Check if a file is a constants definition file
*/
private isConstantsFile(filePath: string): boolean {
const _fileName = filePath.split("/").pop() ?? ""
const constantsPatterns = [
/^constants?\.(ts|js)$/i,
/constants?\/.*\.(ts|js)$/i,
/\/(constants|config|settings|defaults)\.ts$/i,
]
return constantsPatterns.some((pattern) => pattern.test(filePath))
}
/**
* Check if a line is inside an exported constant definition
*/

3
packages/guardian/src/infrastructure/analyzers/NamingConventionDetector.ts
View File

@@ -13,6 +13,7 @@ import {
PATH_PATTERNS,
PATTERN_WORDS,
} from "../constants/detectorPatterns"
import { NAMING_SUGGESTION_DEFAULT } from "../constants/naming-patterns"
/**
* Detects naming convention violations based on Clean Architecture layers
@@ -72,7 +73,7 @@ export class NamingConventionDetector implements INamingConventionDetector {
filePath,
NAMING_ERROR_MESSAGES.DOMAIN_FORBIDDEN,
fileName,
"Move to application or infrastructure layer, or rename to follow domain patterns",
NAMING_SUGGESTION_DEFAULT,
),
)
return violations

444
packages/guardian/src/infrastructure/analyzers/RepositoryPatternDetector.ts Normal file
View File

@@ -0,0 +1,444 @@
import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
import { RepositoryViolation } from "../../domain/value-objects/RepositoryViolation"
import { LAYERS, REPOSITORY_VIOLATION_TYPES } from "../../shared/constants/rules"
import { ORM_QUERY_METHODS } from "../constants/orm-methods"
import { REPOSITORY_PATTERN_MESSAGES } from "../../domain/constants/Messages"
/**
* Detects Repository Pattern violations in the codebase
*
* This detector identifies violations where the Repository Pattern is not properly implemented:
* 1. ORM-specific types in repository interfaces (domain should be ORM-agnostic)
* 2. Concrete repository usage in use cases (violates dependency inversion)
* 3. Repository instantiation with 'new' in use cases (should use DI)
* 4. Non-domain method names in repositories (should use ubiquitous language)
*
* @example
* ```typescript
* const detector = new RepositoryPatternDetector()
*
* // Detect violations in a repository interface
* const code = `
* interface IUserRepository {
* findOne(query: Prisma.UserWhereInput): Promise<User>
* }
* `
* const violations = detector.detectViolations(
* code,
* 'src/domain/repositories/IUserRepository.ts',
* 'domain'
* )
*
* // violations will contain ORM type violation
* console.log(violations.length) // 1
* console.log(violations[0].violationType) // 'orm-type-in-interface'
* ```
*/
export class RepositoryPatternDetector implements IRepositoryPatternDetector {
private readonly ormTypePatterns = [
/Prisma\./,
/PrismaClient/,
/TypeORM/,
/@Entity/,
/@Column/,
/@PrimaryColumn/,
/@PrimaryGeneratedColumn/,
/@ManyToOne/,
/@OneToMany/,
/@ManyToMany/,
/@JoinColumn/,
/@JoinTable/,
/Mongoose\./,
/Schema/,
/Model</,
/Document/,
/Sequelize\./,
/DataTypes\./,
/FindOptions/,
/WhereOptions/,
/IncludeOptions/,
/QueryInterface/,
/MikroORM/,
/EntityManager/,
/EntityRepository/,
/Collection</,
]
private readonly technicalMethodNames = ORM_QUERY_METHODS
private readonly domainMethodPatterns = [
/^findBy[A-Z]/,
/^findAll/,
/^find[A-Z]/,
/^save$/,
/^saveAll$/,
/^create$/,
/^update$/,
/^delete$/,
/^deleteBy[A-Z]/,
/^deleteAll$/,
/^remove$/,
/^removeBy[A-Z]/,
/^removeAll$/,
/^add$/,
/^add[A-Z]/,
/^get[A-Z]/,
/^getAll/,
/^search/,
/^list/,
/^has[A-Z]/,
/^is[A-Z]/,
/^exists[A-Z]/,
/^existsBy[A-Z]/,
/^clear[A-Z]/,
/^clearAll$/,
/^store[A-Z]/,
/^initialize$/,
/^initializeCollection$/,
/^close$/,
/^connect$/,
/^disconnect$/,
]
private readonly concreteRepositoryPatterns = [
/PrismaUserRepository/,
/MongoUserRepository/,
/TypeOrmUserRepository/,
/SequelizeUserRepository/,
/InMemoryUserRepository/,
/PostgresUserRepository/,
/MySqlUserRepository/,
/Repository(?!Interface)/,
]
/**
* Detects all Repository Pattern violations in the given code
*/
public detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[] {
const violations: RepositoryViolation[] = []
if (this.isRepositoryInterface(filePath, layer)) {
violations.push(...this.detectOrmTypesInInterface(code, filePath, layer))
violations.push(...this.detectNonDomainMethodNames(code, filePath, layer))
}
if (this.isUseCase(filePath, layer)) {
violations.push(...this.detectConcreteRepositoryUsage(code, filePath, layer))
violations.push(...this.detectNewRepositoryInstantiation(code, filePath, layer))
}
return violations
}
/**
* Checks if a type is an ORM-specific type
*/
public isOrmType(typeName: string): boolean {
return this.ormTypePatterns.some((pattern) => pattern.test(typeName))
}
/**
* Checks if a method name follows domain language conventions
*/
public isDomainMethodName(methodName: string): boolean {
if ((this.technicalMethodNames as readonly string[]).includes(methodName)) {
return false
}
return this.domainMethodPatterns.some((pattern) => pattern.test(methodName))
}
/**
* Checks if a file is a repository interface
*/
public isRepositoryInterface(filePath: string, layer: string | undefined): boolean {
if (layer !== LAYERS.DOMAIN) {
return false
}
return /I[A-Z]\w*Repository\.ts$/.test(filePath) && /repositories?\//.test(filePath)
}
/**
* Checks if a file is a use case
*/
public isUseCase(filePath: string, layer: string | undefined): boolean {
if (layer !== LAYERS.APPLICATION) {
return false
}
return /use-cases?\//.test(filePath) && /[A-Z][a-z]+[A-Z]\w*\.ts$/.test(filePath)
}
/**
* Detects ORM-specific types in repository interfaces
*/
private detectOrmTypesInInterface(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[] {
const violations: RepositoryViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const methodMatch =
/(\w+)\s*\([^)]*:\s*([^)]+)\)\s*:\s*.*?(?:Promise<([^>]+)>|([A-Z]\w+))/.exec(line)
if (methodMatch) {
const params = methodMatch[2]
const returnType = methodMatch[3] || methodMatch[4]
if (this.isOrmType(params)) {
const ormType = this.extractOrmType(params)
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
filePath,
layer || LAYERS.DOMAIN,
lineNumber,
`Method parameter uses ORM type: ${ormType}`,
ormType,
),
)
}
if (returnType && this.isOrmType(returnType)) {
const ormType = this.extractOrmType(returnType)
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
filePath,
layer || LAYERS.DOMAIN,
lineNumber,
`Method return type uses ORM type: ${ormType}`,
ormType,
),
)
}
}
for (const pattern of this.ormTypePatterns) {
if (pattern.test(line) && !line.trim().startsWith("//")) {
const ormType = this.extractOrmType(line)
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
filePath,
layer || LAYERS.DOMAIN,
lineNumber,
`Repository interface contains ORM-specific type: ${ormType}`,
ormType,
),
)
break
}
}
}
return violations
}
/**
* Suggests better domain method names based on the original method name
*/
private suggestDomainMethodName(methodName: string): string {
const lowerName = methodName.toLowerCase()
const suggestions: string[] = []
const suggestionMap: Record<string, string[]> = {
query: ["search", "findBy[Property]"],
select: ["findBy[Property]", "get[Entity]"],
insert: ["create", "add[Entity]", "store[Entity]"],
update: ["update", "modify[Entity]"],
upsert: ["save", "store[Entity]"],
remove: ["delete", "removeBy[Property]"],
fetch: ["findBy[Property]", "get[Entity]"],
retrieve: ["findBy[Property]", "get[Entity]"],
load: ["findBy[Property]", "get[Entity]"],
}
for (const [keyword, keywords] of Object.entries(suggestionMap)) {
if (lowerName.includes(keyword)) {
suggestions.push(...keywords)
}
}
if (lowerName.includes("get") && lowerName.includes("all")) {
suggestions.push("findAll", "listAll")
}
if (suggestions.length === 0) {
return "Use domain-specific names like: findBy[Property], save, create, delete, update, add[Entity]"
}
return `Consider: ${suggestions.slice(0, 3).join(", ")}`
}
/**
* Detects non-domain method names in repository interfaces
*/
private detectNonDomainMethodNames(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[] {
const violations: RepositoryViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const methodMatch = /^\s*(\w+)\s*\(/.exec(line)
if (methodMatch) {
const methodName = methodMatch[1]
if (!this.isDomainMethodName(methodName) && !line.trim().startsWith("//")) {
const suggestion = this.suggestDomainMethodName(methodName)
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
filePath,
layer || LAYERS.DOMAIN,
lineNumber,
`Method '${methodName}' uses technical name instead of domain language. ${suggestion}`,
undefined,
undefined,
methodName,
),
)
}
}
}
return violations
}
/**
* Detects concrete repository usage in use cases
*/
private detectConcreteRepositoryUsage(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[] {
const violations: RepositoryViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const constructorParamMatch =
/constructor\s*\([^)]*(?:private|public|protected)\s+(?:readonly\s+)?(\w+)\s*:\s*([A-Z]\w*Repository)/.exec(
line,
)
if (constructorParamMatch) {
const repositoryType = constructorParamMatch[2]
if (!repositoryType.startsWith("I")) {
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
filePath,
layer || LAYERS.APPLICATION,
lineNumber,
`Use case depends on concrete repository '${repositoryType}'`,
undefined,
repositoryType,
),
)
}
}
const fieldMatch =
/(?:private|public|protected)\s+(?:readonly\s+)?(\w+)\s*:\s*([A-Z]\w*Repository)/.exec(
line,
)
if (fieldMatch) {
const repositoryType = fieldMatch[2]
if (
!repositoryType.startsWith("I") &&
!line.includes(REPOSITORY_PATTERN_MESSAGES.CONSTRUCTOR)
) {
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
filePath,
layer || LAYERS.APPLICATION,
lineNumber,
`Use case field uses concrete repository '${repositoryType}'`,
undefined,
repositoryType,
),
)
}
}
}
return violations
}
/**
* Detects 'new Repository()' instantiation in use cases
*/
private detectNewRepositoryInstantiation(
code: string,
filePath: string,
layer: string | undefined,
): RepositoryViolation[] {
const violations: RepositoryViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const newRepositoryMatch = /new\s+([A-Z]\w*Repository)\s*\(/.exec(line)
if (newRepositoryMatch && !line.trim().startsWith("//")) {
const repositoryName = newRepositoryMatch[1]
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE,
filePath,
layer || LAYERS.APPLICATION,
lineNumber,
`Use case creates repository with 'new ${repositoryName}()'`,
undefined,
repositoryName,
),
)
}
}
return violations
}
/**
* Extracts ORM type name from a code line
*/
private extractOrmType(line: string): string {
for (const pattern of this.ormTypePatterns) {
const match = line.match(pattern)
if (match) {
const startIdx = match.index || 0
const typeMatch = /[\w.]+/.exec(line.slice(startIdx))
return typeMatch ? typeMatch[0] : REPOSITORY_PATTERN_MESSAGES.UNKNOWN_TYPE
}
}
return REPOSITORY_PATTERN_MESSAGES.UNKNOWN_TYPE
}
}

4
packages/guardian/src/infrastructure/constants/defaults.ts
View File

@@ -8,6 +8,10 @@ export const DEFAULT_EXCLUDES = [
"coverage",
".git",
".puaros",
"tests",
"test",
"__tests__",
"examples",
] as const
export const DEFAULT_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx"] as const

2
packages/guardian/src/infrastructure/constants/naming-patterns.ts Normal file
View File

@@ -0,0 +1,2 @@
export const NAMING_SUGGESTION_DEFAULT =
"Move to application or infrastructure layer, or rename to follow domain patterns"

24
packages/guardian/src/infrastructure/constants/orm-methods.ts Normal file
View File

@@ -0,0 +1,24 @@
export const ORM_QUERY_METHODS = [
"findOne",
"findMany",
"findFirst",
"findAll",
"findAndCountAll",
"insert",
"insertMany",
"insertOne",
"updateOne",
"updateMany",
"deleteOne",
"deleteMany",
"select",
"query",
"execute",
"run",
"exec",
"aggregate",
"count",
"exists",
] as const
export type OrmQueryMethod = (typeof ORM_QUERY_METHODS)[number]

17
packages/guardian/src/infrastructure/constants/paths.ts Normal file
View File

@@ -0,0 +1,17 @@
export const LAYER_PATHS = {
DOMAIN: "/domain/",
APPLICATION: "/application/",
INFRASTRUCTURE: "/infrastructure/",
SHARED: "/shared/",
} as const
export const CLI_PATHS = {
DIST_CLI_INDEX: "../dist/cli/index.js",
} as const
export const IMPORT_PATTERNS = {
ES_IMPORT:
/import\s+(?:{[^}]*}|[\w*]+(?:\s+as\s+\w+)?|\*\s+as\s+\w+)\s+from\s+['"]([^'"]+)['"]/g,
REQUIRE: /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
QUOTE: /['"]/g,
} as const

28
packages/guardian/src/infrastructure/constants/type-patterns.ts Normal file
View File

@@ -0,0 +1,28 @@
export const DTO_SUFFIXES = [
"Dto",
"DTO",
"Request",
"Response",
"Command",
"Query",
"Result",
] as const
export const PRIMITIVE_TYPES = [
"string",
"number",
"boolean",
"void",
"any",
"unknown",
"null",
"undefined",
"object",
"never",
] as const
export const NULLABLE_TYPES = ["null", "undefined"] as const
export const TEST_FILE_EXTENSIONS = [".test.", ".spec."] as const
export const TEST_FILE_SUFFIXES = [".test.ts", ".test.js", ".spec.ts", ".spec.js"] as const

1
packages/guardian/src/infrastructure/index.ts
View File

@@ -1,3 +1,4 @@
export * from "./parsers/CodeParser"
export * from "./scanners/FileScanner"
export * from "./analyzers/HardcodeDetector"
export * from "./analyzers/RepositoryPatternDetector"

8
packages/guardian/src/infrastructure/scanners/FileScanner.ts
View File

@@ -3,6 +3,7 @@ import * as path from "path"
import { FileScanOptions, IFileScanner } from "../../domain/services/IFileScanner"
import { DEFAULT_EXCLUDES, DEFAULT_EXTENSIONS, FILE_ENCODING } from "../constants/defaults"
import { ERROR_MESSAGES } from "../../shared/constants"
import { TEST_FILE_EXTENSIONS, TEST_FILE_SUFFIXES } from "../constants/type-patterns"
/**
* Scans project directory for source files
@@ -56,7 +57,12 @@ export class FileScanner implements IFileScanner {
}
private shouldExclude(name: string, excludePatterns: string[]): boolean {
return excludePatterns.some((pattern) => name.includes(pattern))
const isExcludedDirectory = excludePatterns.some((pattern) => name.includes(pattern))
const isTestFile =
(TEST_FILE_EXTENSIONS as readonly string[]).some((ext) => name.includes(ext)) ||
(TEST_FILE_SUFFIXES as readonly string[]).some((suffix) => name.endsWith(suffix))
return isExcludedDirectory || isTestFile
}
public async readFile(filePath: string): Promise<string> {

33
packages/guardian/src/shared/constants/index.ts
View File

@@ -64,9 +64,36 @@ export const PLACEHOLDERS = {
* Violation severity levels
*/
export const SEVERITY_LEVELS = {
ERROR: "error",
WARNING: "warning",
INFO: "info",
CRITICAL: "critical",
HIGH: "high",
MEDIUM: "medium",
LOW: "low",
} as const
export type SeverityLevel = (typeof SEVERITY_LEVELS)[keyof typeof SEVERITY_LEVELS]
/**
* Severity order for sorting (lower number = more critical)
*/
export const SEVERITY_ORDER: Record<SeverityLevel, number> = {
[SEVERITY_LEVELS.CRITICAL]: 0,
[SEVERITY_LEVELS.HIGH]: 1,
[SEVERITY_LEVELS.MEDIUM]: 2,
[SEVERITY_LEVELS.LOW]: 3,
} as const
/**
* Violation type to severity mapping
*/
export const VIOLATION_SEVERITY_MAP = {
CIRCULAR_DEPENDENCY: SEVERITY_LEVELS.CRITICAL,
REPOSITORY_PATTERN: SEVERITY_LEVELS.CRITICAL,
DEPENDENCY_DIRECTION: SEVERITY_LEVELS.HIGH,
FRAMEWORK_LEAK: SEVERITY_LEVELS.HIGH,
ENTITY_EXPOSURE: SEVERITY_LEVELS.HIGH,
NAMING_CONVENTION: SEVERITY_LEVELS.MEDIUM,
ARCHITECTURE: SEVERITY_LEVELS.MEDIUM,
HARDCODE: SEVERITY_LEVELS.LOW,
} as const
export * from "./rules"

15
packages/guardian/src/shared/constants/layers.ts Normal file
View File

@@ -0,0 +1,15 @@
export const LAYER_DOMAIN = "domain"
export const LAYER_APPLICATION = "application"
export const LAYER_INFRASTRUCTURE = "infrastructure"
export const LAYER_SHARED = "shared"
export const LAYER_CLI = "cli"
export const LAYERS = [
LAYER_DOMAIN,
LAYER_APPLICATION,
LAYER_INFRASTRUCTURE,
LAYER_SHARED,
LAYER_CLI,
] as const
export type Layer = (typeof LAYERS)[number]

14
packages/guardian/src/shared/constants/rules.ts
View File

@@ -7,6 +7,9 @@ export const RULES = {
CIRCULAR_DEPENDENCY: "circular-dependency",
NAMING_CONVENTION: "naming-convention",
FRAMEWORK_LEAK: "framework-leak",
ENTITY_EXPOSURE: "entity-exposure",
DEPENDENCY_DIRECTION: "dependency-direction",
REPOSITORY_PATTERN: "repository-pattern",
} as const
/**
@@ -395,4 +398,15 @@ export const FRAMEWORK_LEAK_MESSAGES = {
DOMAIN_IMPORT:
'Domain layer imports framework-specific package "{package}". Use interfaces and dependency injection instead.',
SUGGESTION: "Create an interface in domain layer and implement it in infrastructure layer.",
PACKAGE_PLACEHOLDER: "{package}",
} as const
/**
* Repository pattern violation types
*/
export const REPOSITORY_VIOLATION_TYPES = {
ORM_TYPE_IN_INTERFACE: "orm-type-in-interface",
CONCRETE_REPOSITORY_IN_USE_CASE: "concrete-repository-in-use-case",
NEW_REPOSITORY_IN_USE_CASE: "new-repository-in-use-case",
NON_DOMAIN_METHOD_NAME: "non-domain-method-name",
} as const

511
packages/guardian/tests/DependencyDirectionDetector.test.ts Normal file
View File

@@ -0,0 +1,511 @@
import { describe, it, expect } from "vitest"
import { DependencyDirectionDetector } from "../src/infrastructure/analyzers/DependencyDirectionDetector"
import { LAYERS } from "../src/shared/constants/rules"
describe("DependencyDirectionDetector", () => {
const detector = new DependencyDirectionDetector()
describe("extractLayerFromImport", () => {
it("should extract domain layer from import path", () => {
expect(detector.extractLayerFromImport("../domain/entities/User")).toBe(LAYERS.DOMAIN)
expect(detector.extractLayerFromImport("../../domain/value-objects/Email")).toBe(
LAYERS.DOMAIN,
)
expect(detector.extractLayerFromImport("../../../domain/services/UserService")).toBe(
LAYERS.DOMAIN,
)
})
it("should extract application layer from import path", () => {
expect(detector.extractLayerFromImport("../application/use-cases/CreateUser")).toBe(
LAYERS.APPLICATION,
)
expect(detector.extractLayerFromImport("../../application/dtos/UserDto")).toBe(
LAYERS.APPLICATION,
)
expect(detector.extractLayerFromImport("../../../application/mappers/UserMapper")).toBe(
LAYERS.APPLICATION,
)
})
it("should extract infrastructure layer from import path", () => {
expect(
detector.extractLayerFromImport("../infrastructure/controllers/UserController"),
).toBe(LAYERS.INFRASTRUCTURE)
expect(
detector.extractLayerFromImport("../../infrastructure/repositories/UserRepository"),
).toBe(LAYERS.INFRASTRUCTURE)
})
it("should extract shared layer from import path", () => {
expect(detector.extractLayerFromImport("../shared/types/Result")).toBe(LAYERS.SHARED)
expect(detector.extractLayerFromImport("../../shared/constants/rules")).toBe(
LAYERS.SHARED,
)
})
it("should return undefined for non-layer imports", () => {
expect(detector.extractLayerFromImport("express")).toBeUndefined()
expect(detector.extractLayerFromImport("../utils/helper")).toBeUndefined()
expect(detector.extractLayerFromImport("../../lib/logger")).toBeUndefined()
})
})
describe("isViolation", () => {
it("should allow domain to import from domain", () => {
expect(detector.isViolation(LAYERS.DOMAIN, LAYERS.DOMAIN)).toBe(false)
})
it("should allow domain to import from shared", () => {
expect(detector.isViolation(LAYERS.DOMAIN, LAYERS.SHARED)).toBe(false)
})
it("should NOT allow domain to import from application", () => {
expect(detector.isViolation(LAYERS.DOMAIN, LAYERS.APPLICATION)).toBe(true)
})
it("should NOT allow domain to import from infrastructure", () => {
expect(detector.isViolation(LAYERS.DOMAIN, LAYERS.INFRASTRUCTURE)).toBe(true)
})
it("should allow application to import from domain", () => {
expect(detector.isViolation(LAYERS.APPLICATION, LAYERS.DOMAIN)).toBe(false)
})
it("should allow application to import from application", () => {
expect(detector.isViolation(LAYERS.APPLICATION, LAYERS.APPLICATION)).toBe(false)
})
it("should allow application to import from shared", () => {
expect(detector.isViolation(LAYERS.APPLICATION, LAYERS.SHARED)).toBe(false)
})
it("should NOT allow application to import from infrastructure", () => {
expect(detector.isViolation(LAYERS.APPLICATION, LAYERS.INFRASTRUCTURE)).toBe(true)
})
it("should allow infrastructure to import from domain", () => {
expect(detector.isViolation(LAYERS.INFRASTRUCTURE, LAYERS.DOMAIN)).toBe(false)
})
it("should allow infrastructure to import from application", () => {
expect(detector.isViolation(LAYERS.INFRASTRUCTURE, LAYERS.APPLICATION)).toBe(false)
})
it("should allow infrastructure to import from infrastructure", () => {
expect(detector.isViolation(LAYERS.INFRASTRUCTURE, LAYERS.INFRASTRUCTURE)).toBe(false)
})
it("should allow infrastructure to import from shared", () => {
expect(detector.isViolation(LAYERS.INFRASTRUCTURE, LAYERS.SHARED)).toBe(false)
})
it("should allow shared to import from any layer", () => {
expect(detector.isViolation(LAYERS.SHARED, LAYERS.DOMAIN)).toBe(false)
expect(detector.isViolation(LAYERS.SHARED, LAYERS.APPLICATION)).toBe(false)
expect(detector.isViolation(LAYERS.SHARED, LAYERS.INFRASTRUCTURE)).toBe(false)
expect(detector.isViolation(LAYERS.SHARED, LAYERS.SHARED)).toBe(false)
})
})
describe("detectViolations", () => {
describe("Domain layer violations", () => {
it("should detect domain importing from application", () => {
const code = `
import { UserDto } from '../../application/dtos/UserDto'
export class User {
constructor(private id: string) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromLayer).toBe(LAYERS.DOMAIN)
expect(violations[0].toLayer).toBe(LAYERS.APPLICATION)
expect(violations[0].importPath).toBe("../../application/dtos/UserDto")
expect(violations[0].line).toBe(2)
})
it("should detect domain importing from infrastructure", () => {
const code = `
import { PrismaClient } from '../../infrastructure/database/PrismaClient'
export class UserRepository {
constructor(private prisma: PrismaClient) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/repositories/UserRepository.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromLayer).toBe(LAYERS.DOMAIN)
expect(violations[0].toLayer).toBe(LAYERS.INFRASTRUCTURE)
expect(violations[0].importPath).toBe("../../infrastructure/database/PrismaClient")
})
it("should NOT detect domain importing from domain", () => {
const code = `
import { Email } from '../value-objects/Email'
import { UserId } from '../value-objects/UserId'
export class User {
constructor(
private id: UserId,
private email: Email
) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect domain importing from shared", () => {
const code = `
import { Result } from '../../shared/types/Result'
export class User {
static create(id: string): Result<User> {
return Result.ok(new User(id))
}
}`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
})
describe("Application layer violations", () => {
it("should detect application importing from infrastructure", () => {
const code = `
import { SmtpEmailService } from '../../infrastructure/email/SmtpEmailService'
export class SendWelcomeEmail {
constructor(private emailService: SmtpEmailService) {}
}`
const violations = detector.detectViolations(
code,
"src/application/use-cases/SendWelcomeEmail.ts",
LAYERS.APPLICATION,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromLayer).toBe(LAYERS.APPLICATION)
expect(violations[0].toLayer).toBe(LAYERS.INFRASTRUCTURE)
expect(violations[0].getMessage()).toContain(
"Application layer should not import from Infrastructure layer",
)
})
it("should NOT detect application importing from domain", () => {
const code = `
import { User } from '../../domain/entities/User'
import { IUserRepository } from '../../domain/repositories/IUserRepository'
export class CreateUser {
constructor(private userRepo: IUserRepository) {}
}`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
LAYERS.APPLICATION,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect application importing from application", () => {
const code = `
import { UserResponseDto } from '../dtos/UserResponseDto'
import { UserMapper } from '../mappers/UserMapper'
export class GetUser {
execute(id: string): UserResponseDto {
return UserMapper.toDto(user)
}
}`
const violations = detector.detectViolations(
code,
"src/application/use-cases/GetUser.ts",
LAYERS.APPLICATION,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect application importing from shared", () => {
const code = `
import { Result } from '../../shared/types/Result'
export class CreateUser {
execute(): Result<User> {
return Result.ok(user)
}
}`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
LAYERS.APPLICATION,
)
expect(violations).toHaveLength(0)
})
})
describe("Infrastructure layer", () => {
it("should NOT detect infrastructure importing from domain", () => {
const code = `
import { User } from '../../domain/entities/User'
import { IUserRepository } from '../../domain/repositories/IUserRepository'
export class PrismaUserRepository implements IUserRepository {
async save(user: User): Promise<void> {}
}`
const violations = detector.detectViolations(
code,
"src/infrastructure/repositories/PrismaUserRepository.ts",
LAYERS.INFRASTRUCTURE,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect infrastructure importing from application", () => {
const code = `
import { CreateUser } from '../../application/use-cases/CreateUser'
import { UserResponseDto } from '../../application/dtos/UserResponseDto'
export class UserController {
constructor(private createUser: CreateUser) {}
}`
const violations = detector.detectViolations(
code,
"src/infrastructure/controllers/UserController.ts",
LAYERS.INFRASTRUCTURE,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect infrastructure importing from infrastructure", () => {
const code = `
import { DatabaseConnection } from '../database/DatabaseConnection'
export class PrismaUserRepository {
constructor(private db: DatabaseConnection) {}
}`
const violations = detector.detectViolations(
code,
"src/infrastructure/repositories/PrismaUserRepository.ts",
LAYERS.INFRASTRUCTURE,
)
expect(violations).toHaveLength(0)
})
})
describe("Multiple violations", () => {
it("should detect multiple violations in same file", () => {
const code = `
import { UserDto } from '../../application/dtos/UserDto'
import { EmailService } from '../../infrastructure/email/EmailService'
import { Logger } from '../../infrastructure/logging/Logger'
export class User {
constructor() {}
}`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(3)
expect(violations[0].toLayer).toBe(LAYERS.APPLICATION)
expect(violations[1].toLayer).toBe(LAYERS.INFRASTRUCTURE)
expect(violations[2].toLayer).toBe(LAYERS.INFRASTRUCTURE)
})
})
describe("Import statement formats", () => {
it("should detect violations in named imports", () => {
const code = `import { UserDto, UserRequest } from '../../application/dtos/UserDto'`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in default imports", () => {
const code = `import UserDto from '../../application/dtos/UserDto'`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in namespace imports", () => {
const code = `import * as Dtos from '../../application/dtos'`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in require statements", () => {
const code = `const UserDto = require('../../application/dtos/UserDto')`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
})
describe("Edge cases", () => {
it("should return empty array for shared layer", () => {
const code = `
import { User } from '../../domain/entities/User'
import { CreateUser } from '../../application/use-cases/CreateUser'
`
const violations = detector.detectViolations(
code,
"src/shared/types/Result.ts",
LAYERS.SHARED,
)
expect(violations).toHaveLength(0)
})
it("should return empty array for undefined layer", () => {
const code = `import { UserDto } from '../../application/dtos/UserDto'`
const violations = detector.detectViolations(code, "src/utils/helper.ts", undefined)
expect(violations).toHaveLength(0)
})
it("should handle empty code", () => {
const violations = detector.detectViolations(
"",
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
})
describe("getMessage", () => {
it("should return correct message for domain -> application violation", () => {
const code = `import { UserDto } from '../../application/dtos/UserDto'`
const violations = detector.detectViolations(
code,
"src/domain/entities/User.ts",
LAYERS.DOMAIN,
)
expect(violations[0].getMessage()).toBe(
"Domain layer should not import from Application layer",
)
})
it("should return correct message for application -> infrastructure violation", () => {
const code = `import { SmtpEmailService } from '../../infrastructure/email/SmtpEmailService'`
const violations = detector.detectViolations(
code,
"src/application/use-cases/SendEmail.ts",
LAYERS.APPLICATION,
)
expect(violations[0].getMessage()).toBe(
"Application layer should not import from Infrastructure layer",
)
})
})
describe("getSuggestion", () => {
it("should return suggestions for domain layer violations", () => {
const code = `import { PrismaClient } from '../../infrastructure/database'`
const violations = detector.detectViolations(
code,
"src/domain/services/UserService.ts",
LAYERS.DOMAIN,
)
const suggestion = violations[0].getSuggestion()
expect(suggestion).toContain("Domain layer should be independent")
expect(suggestion).toContain("dependency inversion")
})
it("should return suggestions for application layer violations", () => {
const code = `import { SmtpEmailService } from '../../infrastructure/email/SmtpEmailService'`
const violations = detector.detectViolations(
code,
"src/application/use-cases/SendEmail.ts",
LAYERS.APPLICATION,
)
const suggestion = violations[0].getSuggestion()
expect(suggestion).toContain(
"Application layer should not depend on infrastructure",
)
expect(suggestion).toContain("Port")
expect(suggestion).toContain("Adapter")
})
})
describe("getExampleFix", () => {
it("should return example fix for domain -> infrastructure violation", () => {
const code = `import { PrismaClient } from '../../infrastructure/database'`
const violations = detector.detectViolations(
code,
"src/domain/services/UserService.ts",
LAYERS.DOMAIN,
)
const example = violations[0].getExampleFix()
expect(example).toContain("// ❌ Bad")
expect(example).toContain("// ✅ Good")
expect(example).toContain("IUserRepository")
})
it("should return example fix for application -> infrastructure violation", () => {
const code = `import { SmtpEmailService } from '../../infrastructure/email/SmtpEmailService'`
const violations = detector.detectViolations(
code,
"src/application/use-cases/SendEmail.ts",
LAYERS.APPLICATION,
)
const example = violations[0].getExampleFix()
expect(example).toContain("// ❌ Bad")
expect(example).toContain("// ✅ Good")
expect(example).toContain("IEmailService")
})
})
})
})

362
packages/guardian/tests/EntityExposureDetector.test.ts Normal file
View File

@@ -0,0 +1,362 @@
import { describe, it, expect, beforeEach } from "vitest"
import { EntityExposureDetector } from "../src/infrastructure/analyzers/EntityExposureDetector"
describe("EntityExposureDetector", () => {
let detector: EntityExposureDetector
beforeEach(() => {
detector = new EntityExposureDetector()
})
describe("detectExposures", () => {
it("should detect entity exposure in controller", () => {
const code = `
class UserController {
async getUser(id: string): Promise<User> {
return this.userService.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
expect(exposures[0].entityName).toBe("User")
expect(exposures[0].returnType).toBe("User")
expect(exposures[0].methodName).toBe("getUser")
expect(exposures[0].layer).toBe("infrastructure")
})
it("should detect multiple entity exposures", () => {
const code = `
class OrderController {
async getOrder(id: string): Promise<Order> {
return this.orderService.findById(id)
}
async getUser(userId: string): Promise<User> {
return this.userService.findById(userId)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/OrderController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(2)
expect(exposures[0].entityName).toBe("Order")
expect(exposures[1].entityName).toBe("User")
})
it("should not detect DTO return types", () => {
const code = `
class UserController {
async getUser(id: string): Promise<UserResponseDto> {
const user = await this.userService.findById(id)
return UserMapper.toDto(user)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(0)
})
it("should not detect primitive return types", () => {
const code = `
class UserController {
async getUserCount(): Promise<number> {
return this.userService.count()
}
async getUserName(id: string): Promise<string> {
return this.userService.getName(id)
}
async deleteUser(id: string): Promise<void> {
await this.userService.delete(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(0)
})
it("should not detect exposures in non-controller files", () => {
const code = `
class UserService {
async findById(id: string): Promise<User> {
return this.repository.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/application/services/UserService.ts",
"application",
)
expect(exposures).toHaveLength(0)
})
it("should not detect exposures outside infrastructure layer", () => {
const code = `
class CreateUser {
async execute(request: CreateUserRequest): Promise<User> {
return User.create(request)
}
}
`
const exposures = detector.detectExposures(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
expect(exposures).toHaveLength(0)
})
it("should detect exposures in route handlers", () => {
const code = `
class UserRoutes {
async getUser(id: string): Promise<User> {
return this.service.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/routes/UserRoutes.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
expect(exposures[0].entityName).toBe("User")
})
it("should detect exposures with async methods", () => {
const code = `
class UserHandler {
async handleGetUser(id: string): Promise<User> {
return this.service.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/handlers/UserHandler.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
})
it("should not detect Request/Response suffixes", () => {
const code = `
class UserController {
async createUser(request: CreateUserRequest): Promise<UserResponse> {
return this.service.create(request)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(0)
})
it("should handle undefined layer", () => {
const code = `
class UserController {
async getUser(id: string): Promise<User> {
return this.service.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/controllers/UserController.ts",
undefined,
)
expect(exposures).toHaveLength(0)
})
})
describe("isDomainEntity", () => {
it("should identify PascalCase nouns as entities", () => {
expect(detector.isDomainEntity("User")).toBe(true)
expect(detector.isDomainEntity("Order")).toBe(true)
expect(detector.isDomainEntity("Product")).toBe(true)
})
it("should not identify DTOs", () => {
expect(detector.isDomainEntity("UserDto")).toBe(false)
expect(detector.isDomainEntity("UserDTO")).toBe(false)
expect(detector.isDomainEntity("UserResponse")).toBe(false)
expect(detector.isDomainEntity("CreateUserRequest")).toBe(false)
})
it("should not identify primitives", () => {
expect(detector.isDomainEntity("string")).toBe(false)
expect(detector.isDomainEntity("number")).toBe(false)
expect(detector.isDomainEntity("boolean")).toBe(false)
expect(detector.isDomainEntity("void")).toBe(false)
expect(detector.isDomainEntity("any")).toBe(false)
expect(detector.isDomainEntity("unknown")).toBe(false)
})
it("should handle Promise wrapped types", () => {
expect(detector.isDomainEntity("Promise<User>")).toBe(true)
expect(detector.isDomainEntity("Promise<UserDto>")).toBe(false)
})
it("should handle array types", () => {
expect(detector.isDomainEntity("User[]")).toBe(true)
expect(detector.isDomainEntity("UserDto[]")).toBe(false)
})
it("should handle union types", () => {
expect(detector.isDomainEntity("User | null")).toBe(true)
expect(detector.isDomainEntity("UserDto | null")).toBe(false)
})
it("should not identify non-PascalCase", () => {
expect(detector.isDomainEntity("user")).toBe(false)
expect(detector.isDomainEntity("USER")).toBe(false)
expect(detector.isDomainEntity("user_entity")).toBe(false)
})
it("should handle empty strings", () => {
expect(detector.isDomainEntity("")).toBe(false)
expect(detector.isDomainEntity(" ")).toBe(false)
})
it("should identify Command/Query/Result suffixes as allowed", () => {
expect(detector.isDomainEntity("CreateUserCommand")).toBe(false)
expect(detector.isDomainEntity("GetUserQuery")).toBe(false)
expect(detector.isDomainEntity("UserResult")).toBe(false)
})
})
describe("Real-world scenarios", () => {
it("should detect User entity exposure in REST API", () => {
const code = `
class UserController {
async getUser(req: Request, res: Response): Promise<User> {
const user = await this.userService.findById(req.params.id)
return user
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
expect(exposures[0].entityName).toBe("User")
expect(exposures[0].getMessage()).toContain("returns domain entity 'User'")
})
it("should detect Order entity exposure in GraphQL resolver", () => {
const code = `
class OrderResolver {
async getOrder(id: string): Promise<Order> {
return this.orderService.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/resolvers/OrderResolver.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
expect(exposures[0].entityName).toBe("Order")
})
it("should allow DTO usage in controller", () => {
const code = `
class UserController {
async getUser(id: string): Promise<UserResponseDto> {
const user = await this.userService.findById(id)
return UserMapper.toDto(user)
}
async createUser(request: CreateUserRequest): Promise<UserResponseDto> {
const user = await this.userService.create(request)
return UserMapper.toDto(user)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(0)
})
it("should detect mixed exposures and DTOs", () => {
const code = `
class UserController {
async getUser(id: string): Promise<User> {
return this.userService.findById(id)
}
async listUsers(): Promise<UserListResponse> {
const users = await this.userService.findAll()
return UserMapper.toListDto(users)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures).toHaveLength(1)
expect(exposures[0].methodName).toBe("getUser")
})
it("should provide helpful suggestions", () => {
const code = `
class UserController {
async getUser(id: string): Promise<User> {
return this.userService.findById(id)
}
}
`
const exposures = detector.detectExposures(
code,
"src/infrastructure/controllers/UserController.ts",
"infrastructure",
)
expect(exposures[0].getSuggestion()).toContain("UserResponseDto")
expect(exposures[0].getSuggestion()).toContain("mapper")
})
})
})

515
packages/guardian/tests/RepositoryPatternDetector.test.ts Normal file
View File

@@ -0,0 +1,515 @@
import { describe, it, expect, beforeEach } from "vitest"
import { RepositoryPatternDetector } from "../src/infrastructure/analyzers/RepositoryPatternDetector"
import { REPOSITORY_VIOLATION_TYPES } from "../src/shared/constants/rules"
describe("RepositoryPatternDetector", () => {
let detector: RepositoryPatternDetector
beforeEach(() => {
detector = new RepositoryPatternDetector()
})
describe("detectViolations - ORM Types in Interface", () => {
it("should detect Prisma types in repository interface", () => {
const code = `
interface IUserRepository {
findOne(query: Prisma.UserWhereInput): Promise<User>
create(data: Prisma.UserCreateInput): Promise<User>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
expect(violations.length).toBeGreaterThan(0)
const ormViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
)
expect(ormViolations.length).toBeGreaterThan(0)
expect(ormViolations[0].getMessage()).toContain("ORM-specific type")
})
it("should detect TypeORM decorators in repository interface", () => {
const code = `
interface IUserRepository {
@Column()
findById(id: string): Promise<User>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const ormViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
)
expect(ormViolations.length).toBeGreaterThan(0)
})
it("should detect Mongoose types in repository interface", () => {
const code = `
interface IUserRepository {
find(query: Model<User>): Promise<User[]>
findOne(query: Schema): Promise<User>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const ormViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
)
expect(ormViolations.length).toBeGreaterThan(0)
})
it("should not detect ORM types in clean interface", () => {
const code = `
interface IUserRepository {
findById(id: UserId): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const ormViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
)
expect(ormViolations).toHaveLength(0)
})
})
describe("detectViolations - Concrete Repository in Use Case", () => {
it("should detect concrete repository in constructor", () => {
const code = `
class CreateUser {
constructor(private userRepo: PrismaUserRepository) {}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const concreteViolations = violations.filter(
(v) =>
v.violationType === REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
)
expect(concreteViolations).toHaveLength(1)
expect(concreteViolations[0].repositoryName).toBe("PrismaUserRepository")
})
it("should detect concrete repository as field", () => {
const code = `
class CreateUser {
private userRepo: MongoUserRepository
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const concreteViolations = violations.filter(
(v) =>
v.violationType === REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
)
expect(concreteViolations).toHaveLength(1)
})
it("should not detect interface in constructor", () => {
const code = `
class CreateUser {
constructor(private userRepo: IUserRepository) {}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const concreteViolations = violations.filter(
(v) =>
v.violationType === REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
)
expect(concreteViolations).toHaveLength(0)
})
})
describe("detectViolations - new Repository() in Use Case", () => {
it("should detect repository instantiation with new", () => {
const code = `
class CreateUser {
async execute(data: CreateUserRequest) {
const repo = new UserRepository()
await repo.save(user)
}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const newRepoViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE,
)
expect(newRepoViolations).toHaveLength(1)
expect(newRepoViolations[0].repositoryName).toBe("UserRepository")
})
it("should detect multiple repository instantiations", () => {
const code = `
class ComplexUseCase {
async execute() {
const userRepo = new UserRepository()
const orderRepo = new OrderRepository()
await userRepo.save(user)
await orderRepo.save(order)
}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/ComplexUseCase.ts",
"application",
)
const newRepoViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE,
)
expect(newRepoViolations).toHaveLength(2)
})
it("should not detect commented out new Repository()", () => {
const code = `
class CreateUser {
async execute(data: CreateUserRequest) {
// const repo = new UserRepository()
await this.userRepo.save(user)
}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const newRepoViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE,
)
expect(newRepoViolations).toHaveLength(0)
})
})
describe("detectViolations - Non-Domain Method Names", () => {
it("should detect technical method names", () => {
const code = `
interface IUserRepository {
findOne(id: string): Promise<User>
findMany(filter: any): Promise<User[]>
insert(user: User): Promise<void>
updateOne(id: string, data: any): Promise<void>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const methodViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
)
expect(methodViolations.length).toBeGreaterThan(0)
expect(methodViolations.some((v) => v.methodName === "findOne")).toBe(true)
expect(methodViolations.some((v) => v.methodName === "insert")).toBe(true)
})
it("should not detect domain language method names", () => {
const code = `
interface IUserRepository {
findById(id: UserId): Promise<User | null>
findByEmail(email: Email): Promise<User | null>
save(user: User): Promise<void>
delete(id: UserId): Promise<void>
search(criteria: SearchCriteria): Promise<User[]>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const methodViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
)
expect(methodViolations).toHaveLength(0)
})
it("should detect SQL terminology", () => {
const code = `
interface IUserRepository {
select(id: string): Promise<User>
query(filter: any): Promise<User[]>
execute(sql: string): Promise<any>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const methodViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
)
expect(methodViolations.length).toBeGreaterThan(0)
})
})
describe("isOrmType", () => {
it("should identify Prisma types", () => {
expect(detector.isOrmType("Prisma.UserWhereInput")).toBe(true)
expect(detector.isOrmType("PrismaClient")).toBe(true)
})
it("should identify TypeORM decorators", () => {
expect(detector.isOrmType("@Entity")).toBe(true)
expect(detector.isOrmType("@Column")).toBe(true)
expect(detector.isOrmType("@ManyToOne")).toBe(true)
})
it("should identify Mongoose types", () => {
expect(detector.isOrmType("Schema")).toBe(true)
expect(detector.isOrmType("Model<User>")).toBe(true)
expect(detector.isOrmType("Document")).toBe(true)
})
it("should not identify domain types", () => {
expect(detector.isOrmType("User")).toBe(false)
expect(detector.isOrmType("UserId")).toBe(false)
expect(detector.isOrmType("Email")).toBe(false)
})
})
describe("isDomainMethodName", () => {
it("should identify domain method names", () => {
expect(detector.isDomainMethodName("findById")).toBe(true)
expect(detector.isDomainMethodName("findByEmail")).toBe(true)
expect(detector.isDomainMethodName("save")).toBe(true)
expect(detector.isDomainMethodName("delete")).toBe(true)
expect(detector.isDomainMethodName("create")).toBe(true)
expect(detector.isDomainMethodName("search")).toBe(true)
})
it("should reject technical method names", () => {
expect(detector.isDomainMethodName("findOne")).toBe(false)
expect(detector.isDomainMethodName("findMany")).toBe(false)
expect(detector.isDomainMethodName("insert")).toBe(false)
expect(detector.isDomainMethodName("updateOne")).toBe(false)
expect(detector.isDomainMethodName("query")).toBe(false)
expect(detector.isDomainMethodName("execute")).toBe(false)
})
})
describe("isRepositoryInterface", () => {
it("should identify repository interfaces in domain", () => {
expect(
detector.isRepositoryInterface(
"src/domain/repositories/IUserRepository.ts",
"domain",
),
).toBe(true)
expect(
detector.isRepositoryInterface(
"src/domain/repositories/IOrderRepository.ts",
"domain",
),
).toBe(true)
})
it("should not identify repository implementations in infrastructure", () => {
expect(
detector.isRepositoryInterface(
"src/infrastructure/repositories/UserRepository.ts",
"infrastructure",
),
).toBe(false)
})
it("should not identify non-repository files", () => {
expect(detector.isRepositoryInterface("src/domain/entities/User.ts", "domain")).toBe(
false,
)
})
})
describe("isUseCase", () => {
it("should identify use cases", () => {
expect(
detector.isUseCase("src/application/use-cases/CreateUser.ts", "application"),
).toBe(true)
expect(
detector.isUseCase("src/application/use-cases/UpdateProfile.ts", "application"),
).toBe(true)
expect(
detector.isUseCase("src/application/use-cases/DeleteOrder.ts", "application"),
).toBe(true)
})
it("should not identify DTOs as use cases", () => {
expect(
detector.isUseCase("src/application/dtos/UserResponseDto.ts", "application"),
).toBe(false)
})
it("should not identify use cases in wrong layer", () => {
expect(detector.isUseCase("src/domain/use-cases/CreateUser.ts", "domain")).toBe(false)
})
})
describe("getMessage and getSuggestion", () => {
it("should provide helpful message for ORM type violations", () => {
const code = `
interface IUserRepository {
findOne(query: Prisma.UserWhereInput): Promise<User>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const ormViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE,
)
expect(ormViolations[0].getMessage()).toContain("ORM-specific type")
expect(ormViolations[0].getSuggestion()).toContain("domain types")
})
it("should provide helpful message for concrete repository violations", () => {
const code = `
class CreateUser {
constructor(private userRepo: PrismaUserRepository) {}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const concreteViolations = violations.filter(
(v) =>
v.violationType === REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE,
)
expect(concreteViolations[0].getMessage()).toContain("concrete repository")
expect(concreteViolations[0].getSuggestion()).toContain("interface")
})
it("should provide helpful message for new repository violations", () => {
const code = `
class CreateUser {
async execute() {
const repo = new UserRepository()
}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
const newRepoViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE,
)
expect(newRepoViolations[0].getMessage()).toContain("new")
expect(newRepoViolations[0].getSuggestion()).toContain("dependency injection")
})
it("should provide helpful message for non-domain method violations", () => {
const code = `
interface IUserRepository {
findOne(id: string): Promise<User>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
const methodViolations = violations.filter(
(v) => v.violationType === REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
)
expect(methodViolations[0].getMessage()).toContain("technical name")
expect(methodViolations[0].getSuggestion()).toContain("domain language")
})
})
describe("Integration tests", () => {
it("should detect multiple violation types in same file", () => {
const code = `
interface IUserRepository {
findOne(query: Prisma.UserWhereInput): Promise<User>
insert(user: User): Promise<void>
findById(id: UserId): Promise<User | null>
}
`
const violations = detector.detectViolations(
code,
"src/domain/repositories/IUserRepository.ts",
"domain",
)
expect(violations.length).toBeGreaterThan(1)
const types = violations.map((v) => v.violationType)
expect(types).toContain(REPOSITORY_VIOLATION_TYPES.ORM_TYPE_IN_INTERFACE)
expect(types).toContain(REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME)
})
it("should detect all violations in complex use case", () => {
const code = `
class CreateUser {
constructor(private userRepo: PrismaUserRepository) {}
async execute(data: CreateUserRequest) {
const repo = new OrderRepository()
await this.userRepo.save(user)
await repo.save(order)
}
}
`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateUser.ts",
"application",
)
expect(violations.length).toBeGreaterThanOrEqual(2)
const types = violations.map((v) => v.violationType)
expect(types).toContain(REPOSITORY_VIOLATION_TYPES.CONCRETE_REPOSITORY_IN_USE_CASE)
expect(types).toContain(REPOSITORY_VIOLATION_TYPES.NEW_REPOSITORY_IN_USE_CASE)
})
})
})