ailabs/puaros
1
0
Fork 0
mirror of https://github.com/samiyev/puaros.git synced 2025-12-27 23:06:54 +05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ailabs:v0.5.0
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0
...
compare: ailabs:v0.7.1
Branches Tags
ailabs:main
ailabs:ipuaro-v0.30.2 ailabs:ipuaro-v0.30.1 ailabs:ipuaro-v0.30.0 ailabs:ipuaro-v0.29.0 ailabs:ipuaro-v0.28.0 ailabs:ipuaro-v0.27.0 ailabs:ipuaro-v0.26.0 ailabs:ipuaro-v0.25.0 ailabs:ipuaro-v0.24.0 ailabs:ipuaro-v0.23.0 ailabs:ipuaro-v0.22.5 ailabs:ipuaro-v0.22.4 ailabs:ipuaro-v0.22.3 ailabs:ipuaro-v0.22.2 ailabs:ipuaro-v0.22.1 ailabs:ipuaro-v0.21.4 ailabs:ipuaro-v0.21.1 ailabs:ipuaro-v0.21.0 ailabs:ipuaro-v0.20.0 ailabs:ipuaro-v0.19.0 ailabs:ipuaro-v0.18.0 ailabs:ipuaro-v0.17.0 ailabs:ipuaro-v0.16.0 ailabs:ipuaro-v0.15.0 ailabs:ipuaro-v0.14.0 ailabs:ipuaro-v0.13.0 ailabs:ipuaro-v0.12.0 ailabs:ipuaro-v0.11.0 ailabs:ipuaro-v0.10.0 ailabs:ipuaro-v0.9.0 ailabs:ipuaro-v0.8.0 ailabs:ipuaro-v0.7.0 ailabs:ipuaro-v0.6.0 ailabs:ipuaro-v0.5.0 ailabs:ipuaro-v0.4.0 ailabs:guardian-v0.9.4 ailabs:ipuaro-v0.3.1 ailabs:ipuaro-v0.3.0 ailabs:ipuaro-v0.2.0 ailabs:ipuaro-v0.1.1 ailabs:guardian-v0.9.3 ailabs:ipuaro-v0.1.0 ailabs:v0.9.1 ailabs:v0.9.0 ailabs:v0.8.1 ailabs:v0.8.0 ailabs:v0.7.9 ailabs:v0.7.8 ailabs:v0.7.7 ailabs:v0.7.6 ailabs:v0.7.5 ailabs:v0.7.4 ailabs:v0.7.3 ailabs:v0.7.2 ailabs:v0.7.1 ailabs:v0.7.0 ailabs:v0.6.4 ailabs:v0.6.3 ailabs:v0.6.2 ailabs:v0.6.1 ailabs:v0.6.0 ailabs:v0.5.2 ailabs:v0.5.1 ailabs:v0.5.0 ailabs:v0.1.0 ailabs:v0.3.0 ailabs:v0.2.0

17 Commits
v0.5.0 ... v0.7.1

Author SHA1 Message Date
imfozilbek
8dd445995d fix: eliminate magic strings and fix aggregate boundary detection 
- Extract DDD folder names and repository method suggestions to constants
- Fix regex pattern to support relative paths (domain/... without leading /)
- Add non-aggregate folder exclusions (constants, shared, factories, etc.)
- Remove findAll, exists, count from ORM_QUERY_METHODS (valid domain methods)
- Add exists, count, countBy patterns to domainMethodPatterns
- Add aggregate boundary test examples
 2025-11-25 00:29:02 +05:00
imfozilbek
c75738ba51 feat: add aggregate boundary validation (v0.7.0) 
Implement DDD aggregate boundary validation to detect and prevent direct
entity references across aggregate boundaries.

Features:
- Detect direct entity imports between aggregates
- Allow only ID or Value Object references
- Support multiple folder structures (domain/aggregates/*, domain/*, domain/entities/*)
- Filter allowed imports (value-objects, events, repositories, services)
- Critical severity level for violations
- 41 comprehensive tests with 92.55% coverage
- CLI output with detailed suggestions
- Examples of good and bad patterns

Breaking changes: None
Backwards compatible: Yes
 2025-11-24 23:54:16 +05:00
imfozilbek
83b5dccee4 fix: improve repository method name suggestions and patterns 
- Add smart context-aware suggestions for repository method names
  - queryUsers() → search, findBy[Property]
  - selectById() → findBy[Property], get[Entity]
  - insertUser() → create, add[Entity], store[Entity]
  - And more intelligent pattern matching

- Expand domain method patterns support
  - find*() methods (findNodes, findNodeById, findSimilar)
  - saveAll() batch operations
  - deleteBy*() methods (deleteByPath, deleteById)
  - deleteAll() clear operations
  - add*() methods (addRelationship, addItem)
  - initializeCollection() initialization

- Remove findAll from ORM blacklist (valid domain method)

- Reduce complexity in suggestDomainMethodName (22 → 9)

Version 0.6.4
 2025-11-24 23:49:49 +05:00
imfozilbek
5a648e2c29 fix: reduce false positives in Repository Pattern detection 
- Added 11 new valid DDD repository method patterns
- Support for has*(), is*(), exists*(), clear*(), store*() methods
- Support for lifecycle methods: initialize(), close(), connect(), disconnect()
- Fixes issue where valid DDD patterns were flagged as violations
- Better alignment with real-world Domain-Driven Design practices

This reduces false positives in projects using cache repositories,
connection management, and domain-specific query methods.

Version: 0.6.3
 2025-11-24 23:04:57 +05:00
imfozilbek
d50cbe1a97 docs: add research-backed documentation for v0.6.2 
- Added docs/WHY.md with user-friendly rule explanations and authoritative sources
- Added docs/RESEARCH_CITATIONS.md with 551 lines of academic and industry references
- Updated README.md with micro-citations under each feature
- Enhanced CLI help with 'BACKED BY RESEARCH' section
- Updated AI tools mentions across all docs (GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline)
- Organized documentation structure: moved RESEARCH_CITATIONS.md to docs/
- Version bump: 0.6.1 -> 0.6.2

Research backing includes:
- Academia: MIT Course 6.031, ScienceDirect studies
- Books: Clean Architecture (Martin 2017), DDD (Evans 2003)
- Industry: Google, Microsoft, Airbnb style guides, SonarQube
- Experts: Martin Fowler, Robert C. Martin, Eric Evans, Alistair Cockburn
 2025-11-24 22:51:35 +05:00
imfozilbek
3ddcff1be3 docs: enhance CLI help system for AI agents and users 
Improved guardian --help with comprehensive, actionable information:
- Add DETECTS section with quick fix instructions for all 8 violation types
- Add SEVERITY LEVELS explanation (CRITICAL → LOW)
- Add step-by-step WORKFLOW guide
- Add 7 practical EXAMPLES covering common use cases
- Add HOW TO FIX COMMON ISSUES reference section

Technical improvements:
- Extract all help text strings to CLI_HELP_TEXT constants
- Fix 17 hardcoded string violations
- Maintain Single Source of Truth principle
- Zero violations in Guardian's own codebase

The help system now provides complete context for autonomous AI agents
and clear guidance for human developers.
 2025-11-24 21:53:41 +05:00
imfozilbek
452d9aafd0 docs: update ROADMAP to v0.6.0 
- Mark v0.6.0 as released
- Add comprehensive v0.6.0 section with all features
- Shift future versions (0.7.0 → 0.8.0, etc.)
- Update last modified date
 2025-11-24 21:37:11 +05:00
imfozilbek
a72b4ce167 chore: bump version to 0.6.0 
- Update version to 0.6.0 (minor release)
- Add comprehensive CHANGELOG entry for v0.6.0
- Document all features, changes, fixes, and removals
 2025-11-24 21:31:50 +05:00
imfozilbek
7df48c0bd2 docs: add development workflow to CLAUDE.md 
- Add complete feature development & release workflow
- Document 6 phases: Planning, Quality Checks, Documentation, Verification, Commit & Version, Publication
- Add quick checklist for new features
- Add common workflows (CLI option, detector, technical debt)
- Add debugging tips for build, test, and coverage issues
- Update Important Notes with best practices
 2025-11-24 21:29:26 +05:00
imfozilbek
4c0fc7185a docs: update TODO with technical debt and recent changes 
- Add low-coverage files to technical debt (SourceFile, ProjectPath, RepositoryViolation, ValueObject)
- Update test statistics (10 test files, 292 tests, 90.63% coverage)
- Add v0.5.2 section with limit feature and ESLint cleanup
- Document all completed tasks from this release
 2025-11-24 21:29:02 +05:00
imfozilbek
b73d736d34 docs: update README with new features 
- Add Entity Exposure Detection to features
- Add Dependency Direction Enforcement to features
- Add Repository Pattern Validation to features
- Update API documentation with all 8 violation types
- Add severity levels to all interfaces
- Document --limit option with examples
- Update ProjectMetrics interface
- Update test statistics (292 tests, 90.63% coverage)
 2025-11-24 21:28:43 +05:00
imfozilbek
3169936c75 refactor: remove dead code 
- Remove unused IBaseRepository interface
- Remove IBaseRepository export from domain/index.ts
- Fix repository pattern violations detected by Guardian
 2025-11-24 21:28:21 +05:00
imfozilbek
8654beb43d fix: remove unused imports and variables 
- Remove unused SEVERITY_LEVELS import from AnalyzeProject.ts
- Prefix unused fileName variable with underscore in HardcodeDetector.ts
- Replace || with ?? for nullish coalescing
 2025-11-24 21:28:05 +05:00
imfozilbek
5e70ee1a38 refactor: optimize ESLint configuration 
- Add CLI-specific overrides (disable no-console, complexity, max-lines-per-function)
- Disable no-unsafe-* rules for CLI (Commander.js is untyped)
- Increase max-params to 8 for DDD patterns
- Exclude examples/, tests/, *.config.ts from linting
- Disable style rules (prefer-nullish-coalescing, no-unnecessary-condition, no-nested-ternary)
- Reduce warnings from 129 to 0
 2025-11-24 21:27:46 +05:00
imfozilbek
7e4de182ff feat: add --limit CLI option for output control 
- Add --limit/-l option to limit detailed violation output
- Implement limit logic in displayGroupedViolations function
- Show warning when violations exceed limit
- Works with severity filters (--only-critical, --min-severity)
- Extract severity labels and headers to constants
- Improve CLI maintainability with SEVERITY_DISPLAY_LABELS and SEVERITY_SECTION_HEADERS
 2025-11-24 21:27:27 +05:00
imfozilbek
88876a258b feat: add severity-based sorting and filtering for violations (v0.5.2) 
- Add CRITICAL/HIGH/MEDIUM/LOW severity levels to all violations
- Sort violations by severity automatically (most critical first)
- Add CLI flags: --min-severity and --only-critical
- Group violations by severity in CLI output with color-coded headers
- Update all violation interfaces to include severity field
- Maintain 90%+ test coverage with all tests passing
- Update CHANGELOG.md, ROADMAP.md, and package version to 0.5.2
 2025-11-24 20:41:52 +05:00
imfozilbek
a34ca85241 chore: refactor hardcoded values to constants (v0.5.1) 
Major internal refactoring to eliminate hardcoded values and improve
maintainability. Guardian now fully passes its own quality checks!

Changes:
- Extract all RepositoryViolation messages to domain constants
- Extract all framework leak template strings to centralized constants
- Extract all layer paths to infrastructure constants
- Extract all regex patterns to IMPORT_PATTERNS constant
- Add 30+ new constants for better maintainability

New files:
- src/infrastructure/constants/paths.ts (layer paths, patterns)
- src/domain/constants/Messages.ts (25+ repository messages)
- src/domain/constants/FrameworkCategories.ts (framework categories)
- src/shared/constants/layers.ts (layer names)

Impact:
- Reduced hardcoded values from 37 to 1 (97% improvement)
- Guardian passes its own src/ directory checks with 0 violations
- All 292 tests still passing (100% pass rate)
- No breaking changes - fully backwards compatible

Test results:
- 292 tests passing (100% pass rate)
- 96.77% statement coverage
- 83.82% branch coverage
 2025-11-24 20:12:08 +05:00
46 changed files with 4206 additions and 272 deletions
Expand all files Collapse all files

21
CHANGELOG.md
View File

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [0.4.0] - 2025-11-24
### Added
- Dependency direction enforcement - validate that dependencies flow in the correct direction according to Clean Architecture principles
- Architecture layer violation detection for domain, application, and infrastructure layers
## [0.3.0] - 2025-11-24
### Added
- Entity exposure detection - identify when domain entities are exposed outside their module boundaries
- Enhanced architecture violation reporting
## [0.2.0] - 2025-11-24
### Added
- Framework leak detection - detect when domain layer imports framework code
- Framework leak reporting in CLI
- Framework leak examples and documentation
## [0.1.0] - 2025-11-24
### Added
- Initial monorepo setup with pnpm workspaces
- `@puaros/guardian` package - code quality guardian for vibe coders and enterprise teams

233
CLAUDE.md
View File

@@ -184,8 +184,239 @@ Development tools:
- `@vitest/ui` - Vitest UI for interactive testing
- `@vitest/coverage-v8` - Coverage reporting
## Development Workflow
### Complete Feature Development & Release Workflow
This workflow ensures high quality and consistency from feature implementation to package publication.
#### Phase 1: Feature Planning & Implementation
```bash
# 1. Create feature branch (if needed)
git checkout -b feature/your-feature-name
# 2. Implement feature following Clean Architecture
# - Add to appropriate layer (domain/application/infrastructure/cli)
# - Follow naming conventions
# - Keep functions small and focused
# 3. Update constants if adding CLI options
# Edit: packages/guardian/src/cli/constants.ts
```
#### Phase 2: Quality Checks (Run After Implementation)
```bash
# Navigate to package
cd packages/guardian
# 1. Format code (REQUIRED - 4 spaces indentation)
pnpm format
# 2. Build to check compilation
pnpm build
# 3. Run linter (must pass with 0 errors, 0 warnings)
cd ../.. && pnpm eslint "packages/**/*.ts" --fix
# 4. Run tests (all must pass)
pnpm test:run
# 5. Check coverage (must be ≥80%)
pnpm test:coverage
```
**Quality Gates:**
- ✅ Format: No changes after `pnpm format`
- ✅ Build: TypeScript compiles without errors
- ✅ Lint: 0 errors, 0 warnings
- ✅ Tests: All tests pass (292/292)
- ✅ Coverage: ≥80% on all metrics
#### Phase 3: Documentation Updates
```bash
# 1. Update README.md
# - Add new feature to Features section
# - Update CLI Usage examples if CLI changed
# - Update API documentation if public API changed
# - Update TypeScript interfaces
# 2. Update TODO.md
# - Mark completed tasks as done
# - Add new technical debt if discovered
# - Document coverage issues for new files
# - Update "Recent Updates" section with changes
# 3. Update CHANGELOG.md (for releases)
# - Add entry with version number
# - List all changes (features, fixes, improvements)
# - Follow Keep a Changelog format
```
#### Phase 4: Verification & Testing
```bash
# 1. Test CLI manually with examples
cd packages/guardian
node dist/cli/index.js check ./examples --limit 5
# 2. Test new feature with different options
node dist/cli/index.js check ./examples --only-critical
node dist/cli/index.js check ./examples --min-severity high
# 3. Verify output formatting and messages
# - Check that all violations display correctly
# - Verify severity labels and suggestions
# - Test edge cases and error handling
# 4. Run full quality check suite
pnpm format && pnpm eslint "packages/**/*.ts" && pnpm build && pnpm test:run
```
#### Phase 5: Commit & Version
```bash
# 1. Stage changes
git add .
# 2. Commit with Conventional Commits format
git commit -m "feat: add --limit option for output control"
# or
git commit -m "fix: resolve unused variable in detector"
# or
git commit -m "docs: update README with new features"
# Types: feat, fix, docs, style, refactor, test, chore
# 3. Update package version (if releasing)
cd packages/guardian
npm version patch # Bug fixes (0.5.2 → 0.5.3)
npm version minor # New features (0.5.2 → 0.6.0)
npm version major # Breaking changes (0.5.2 → 1.0.0)
# 4. Push changes
git push origin main # or your branch
git push --tags # Push version tags
```
#### Phase 6: Publication (Maintainers Only)
```bash
# 1. Final verification before publish
cd packages/guardian
pnpm build && pnpm test:run && pnpm test:coverage
# 2. Verify package contents
npm pack --dry-run
# 3. Publish to npm
npm publish --access public
# 4. Verify publication
npm info @samiyev/guardian
# 5. Test installation
npm install -g @samiyev/guardian@latest
guardian --version
```
### Quick Checklist for New Features
**Before Committing:**
- [ ] Feature implemented in correct layer
- [ ] Code formatted with `pnpm format`
- [ ] Lint passes: `pnpm eslint "packages/**/*.ts"`
- [ ] Build succeeds: `pnpm build`
- [ ] All tests pass: `pnpm test:run`
- [ ] Coverage ≥80%: `pnpm test:coverage`
- [ ] CLI tested manually if CLI changed
- [ ] README.md updated with examples
- [ ] TODO.md updated with progress
- [ ] No `console.log` in production code
- [ ] TypeScript interfaces documented
**Before Publishing:**
- [ ] CHANGELOG.md updated
- [ ] Version bumped in package.json
- [ ] All quality gates pass
- [ ] Examples work correctly
- [ ] Git tags pushed
### Common Workflows
**Adding a new CLI option:**
```bash
# 1. Add to cli/constants.ts (CLI_OPTIONS, CLI_DESCRIPTIONS)
# 2. Add option in cli/index.ts (.option() call)
# 3. Parse and use option in action handler
# 4. Test with: node dist/cli/index.js check ./examples --your-option
# 5. Update README.md CLI Usage section
# 6. Run quality checks
```
**Adding a new detector:**
```bash
# 1. Create value object in domain/value-objects/
# 2. Create detector in infrastructure/analyzers/
# 3. Add detector interface to domain/services/
# 4. Integrate in application/use-cases/AnalyzeProject.ts
# 5. Add CLI output in cli/index.ts
# 6. Write tests (aim for >90% coverage)
# 7. Update README.md Features section
# 8. Run full quality suite
```
**Fixing technical debt:**
```bash
# 1. Find issue in TODO.md
# 2. Implement fix
# 3. Run quality checks
# 4. Update TODO.md (mark as completed)
# 5. Commit with type: "refactor:" or "fix:"
```
### Debugging Tips
**Build errors:**
```bash
# Check TypeScript errors in detail
pnpm tsc --noEmit
# Check specific file
pnpm tsc --noEmit packages/guardian/src/path/to/file.ts
```
**Test failures:**
```bash
# Run single test file
pnpm vitest tests/path/to/test.test.ts
# Run tests with UI
pnpm test:ui
# Run tests in watch mode for debugging
pnpm test
```
**Coverage issues:**
```bash
# Generate detailed coverage report
pnpm test:coverage
# View HTML report
open coverage/index.html
# Check specific file coverage
pnpm vitest --coverage --reporter=verbose
```
## Important Notes
- **Always run `pnpm format` before committing** to ensure 4-space indentation
- **Fix ESLint warnings incrementally** - they indicate real type safety issues
- **Coverage is enforced** - maintain 80% coverage for all metrics when running `pnpm test:coverage`
- **Coverage is enforced** - maintain 80% coverage for all metrics when running `pnpm test:coverage`
- **Test CLI manually** - automated tests don't cover CLI output formatting
- **Update documentation** - README.md and TODO.md should always reflect current state
- **Follow Clean Architecture** - keep layers separate and dependencies flowing inward

31
eslint.config.mjs
View File

@@ -13,6 +13,9 @@ export default tseslint.config(
'**/coverage/**',
'**/.puaros/**',
'**/build/**',
'**/examples/**',
'**/tests/**',
'**/*.config.ts',
],
},
eslint.configs.recommended,
@@ -64,12 +67,12 @@ export default tseslint.config(
'@typescript-eslint/no-floating-promises': 'error',
'@typescript-eslint/await-thenable': 'error',
'@typescript-eslint/no-misused-promises': 'error',
'@typescript-eslint/prefer-nullish-coalescing': 'warn',
'@typescript-eslint/prefer-nullish-coalescing': 'off', // Allow || operator alongside ??
'@typescript-eslint/prefer-optional-chain': 'warn',
'@typescript-eslint/prefer-readonly': 'warn',
'@typescript-eslint/promise-function-async': 'warn',
'@typescript-eslint/require-await': 'warn',
'@typescript-eslint/no-unnecessary-condition': 'warn',
'@typescript-eslint/no-unnecessary-condition': 'off', // Sometimes useful for defensive coding
'@typescript-eslint/no-non-null-assertion': 'warn',
// ========================================
@@ -82,7 +85,7 @@ export default tseslint.config(
'prefer-const': 'error',
'prefer-arrow-callback': 'warn',
'prefer-template': 'warn',
'no-nested-ternary': 'warn',
'no-nested-ternary': 'off', // Allow nested ternaries when readable
'no-unneeded-ternary': 'error',
'no-else-return': 'warn',
eqeqeq: ['error', 'always'],
@@ -94,7 +97,7 @@ export default tseslint.config(
// ========================================
// Code Style (handled by Prettier mostly)
// ========================================
indent: ['error', 4, { SwitchCase: 1 }],
indent: 'off', // Let Prettier handle this
'@typescript-eslint/indent': 'off', // Let Prettier handle this
quotes: ['error', 'double', { avoidEscape: true }],
semi: ['error', 'never'],
@@ -156,4 +159,24 @@ export default tseslint.config(
],
},
},
{
// CLI-specific overrides
files: ['**/cli/**/*.ts', '**/cli/**/*.js'],
rules: {
'no-console': 'off', // Console is expected in CLI
'max-lines-per-function': 'off', // CLI action handlers can be long
complexity: 'off', // CLI logic can be complex
'@typescript-eslint/no-unsafe-member-access': 'off', // Commander options are untyped
'@typescript-eslint/no-unsafe-assignment': 'off',
'@typescript-eslint/no-unsafe-call': 'off',
'@typescript-eslint/no-unsafe-argument': 'off',
},
},
{
// Value Objects and Domain - allow more parameters for create methods
files: ['**/domain/value-objects/**/*.ts', '**/application/use-cases/**/*.ts'],
rules: {
'max-params': ['warn', 8], // DDD patterns often need more params
},
},
);

506
packages/guardian/CHANGELOG.md
View File

@@ -5,6 +5,509 @@ All notable changes to @samiyev/guardian will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.7.1] - 2025-11-25
### Fixed
- 🐛 **Aggregate Boundary Detection for relative paths:**
- Fixed regex pattern to support paths starting with `domain/` (without leading `/`)
- Now correctly detects violations in projects scanned from parent directories
- 🐛 **Reduced false positives in Repository Pattern detection:**
- Removed `findAll`, `exists`, `count` from ORM technical methods blacklist
- These are now correctly recognized as valid domain method names
- Added `exists`, `count`, `countBy[A-Z]` to domain method patterns
- 🐛 **Non-aggregate folder exclusions:**
- Added exclusions for standard DDD folders: `constants`, `shared`, `factories`, `ports`, `interfaces`
- Prevents false positives when domain layer has shared utilities
### Changed
- ♻️ **Extracted magic strings to constants:**
- DDD folder names (`entities`, `aggregates`, `value-objects`, etc.) moved to `DDD_FOLDER_NAMES`
- Repository method suggestions moved to `REPOSITORY_METHOD_SUGGESTIONS`
- Fallback suggestions moved to `REPOSITORY_FALLBACK_SUGGESTIONS`
### Added
- 📁 **Aggregate boundary test examples:**
- Added `examples/aggregate-boundary/domain/` with Order, User, Product aggregates
- Demonstrates cross-aggregate entity reference violations
## [0.7.0] - 2025-11-25
### Added
**🔒 Aggregate Boundary Validation**
New DDD feature to enforce aggregate boundaries and prevent tight coupling between aggregates.
-**Aggregate Boundary Detector:**
- Detects direct entity references across aggregate boundaries
- Validates that aggregates reference each other only by ID or Value Objects
- Supports multiple folder structure patterns:
- `domain/aggregates/order/Order.ts`
- `domain/order/Order.ts`
- `domain/entities/order/Order.ts`
-**Smart Import Analysis:**
- Parses ES6 imports and CommonJS require statements
- Identifies entity imports from other aggregates
- Allows imports from value-objects, events, services, specifications folders
-**Actionable Suggestions:**
- Reference by ID instead of entity
- Use Value Objects to store needed data from other aggregates
- Maintain aggregate independence
-**CLI Integration:**
- `--architecture` flag includes aggregate boundary checks
- CRITICAL severity for violations
- Detailed violation messages with file:line references
-**Test Coverage:**
- 41 new tests for aggregate boundary detection
- 333 total tests passing (100% pass rate)
- Examples in `examples/aggregate-boundary/`
### Technical
- New `AggregateBoundaryDetector` in infrastructure layer
- New `AggregateBoundaryViolation` value object in domain layer
- New `IAggregateBoundaryDetector` interface for dependency inversion
- Integrated into `AnalyzeProject` use case
## [0.6.4] - 2025-11-24
### Added
**🎯 Smart Context-Aware Suggestions for Repository Method Names**
Guardian now provides intelligent, context-specific suggestions when it detects non-domain method names in repositories.
-**Intelligent method name analysis:**
- `queryUsers()` → Suggests: `search`, `findBy[Property]`
- `selectById()` → Suggests: `findBy[Property]`, `get[Entity]`
- `insertUser()` → Suggests: `create`, `add[Entity]`, `store[Entity]`
- `updateRecord()` → Suggests: `update`, `modify[Entity]`
- `upsertUser()` → Suggests: `save`, `store[Entity]`
- `removeUser()` → Suggests: `delete`, `removeBy[Property]`
- `fetchUserData()` → Suggests: `findBy[Property]`, `get[Entity]`
- And more technical patterns detected automatically!
- 🎯 **Impact:**
- Developers get actionable, relevant suggestions instead of generic examples
- Faster refactoring with specific naming alternatives
- Better learning experience for developers new to DDD
### Fixed
-**Expanded domain method patterns support:**
- `find*()` methods - e.g., `findNodes()`, `findNodeById()`, `findSimilar()`
- `saveAll()` - batch save operations
- `deleteBy*()` methods - e.g., `deleteByPath()`, `deleteById()`
- `deleteAll()` - clear all entities
- `add*()` methods - e.g., `addRelationship()`, `addItem()`
- `initializeCollection()` - collection initialization
- 🐛 **Removed `findAll` from technical methods blacklist:**
- `findAll()` is now correctly recognized as a standard domain method
- Reduced false positives for repositories using this common pattern
### Technical
- Added `suggestDomainMethodName()` method in `RepositoryPatternDetector.ts` with keyword-based suggestion mapping
- Updated `getNonDomainMethodSuggestion()` in `RepositoryViolation.ts` to extract and use smart suggestions
- Refactored suggestion logic to reduce cyclomatic complexity (22 → 9)
- Enhanced `domainMethodPatterns` with 9 additional patterns
- All 333 tests passing
## [0.6.3] - 2025-11-24
### Fixed
**🐛 Repository Pattern Detection - Reduced False Positives**
Fixed overly strict repository method name validation that was flagging valid DDD patterns as violations.
-**Added support for common DDD repository patterns:**
- `has*()` methods - e.g., `hasProject()`, `hasPermission()`
- `is*()` methods - e.g., `isCached()`, `isActive()`
- `exists*()` methods - e.g., `existsById()`, `existsByEmail()`
- `clear*()` methods - e.g., `clearCache()`, `clearAll()`
- `store*()` methods - e.g., `storeMetadata()`, `storeFile()`
- Lifecycle methods: `initialize()`, `close()`, `connect()`, `disconnect()`
- 🎯 **Impact:**
- Reduced false positives in real-world DDD projects
- Better alignment with Domain-Driven Design best practices
- More practical for cache repositories, connection management, and business queries
- 📚 **Why these patterns are valid:**
- Martin Fowler's Repository Pattern allows domain-specific query methods
- DDD recommends using ubiquitous language in method names
- Lifecycle methods are standard for resource management in repositories
### Technical
- Updated `domainMethodPatterns` in `RepositoryPatternDetector.ts` with 11 additional valid patterns
- All existing functionality remains unchanged
## [0.6.2] - 2025-11-24
### Added
**📚 Research-Backed Documentation**
Guardian's detection rules are now backed by scientific research and industry standards!
-**New Documentation**
- `docs/WHY.md` - User-friendly explanations for each rule with authoritative sources
- `docs/RESEARCH_CITATIONS.md` - Complete academic and industry references (551 lines)
- Organized by detection type with quick navigation
-**Micro-Citations in README**
- Each feature now includes one-line citation with "Why?" link
- Examples: "Based on MIT 6.031, SonarQube RSPEC-109"
- Non-intrusive, opt-in for users who want to learn more
-**CLI Help Enhancement**
- Added "BACKED BY RESEARCH" section to `--help` output
- Mentions MIT, Martin Fowler, Robert C. Martin, industry standards
- Link to full documentation
### Changed
- **Documentation Structure**: Moved `RESEARCH_CITATIONS.md` to `docs/` directory for better organization
- **All internal links updated** to reflect new documentation structure
### Backed By
Our rules are supported by:
- 🎓 **Academia**: MIT Course 6.031, ScienceDirect peer-reviewed studies
- 📚 **Books**: Clean Architecture (Martin 2017), DDD (Evans 2003), Enterprise Patterns (Fowler 2002)
- 🏢 **Industry**: Google, Microsoft, Airbnb style guides, SonarQube standards
- 👨‍🏫 **Experts**: Martin Fowler, Robert C. Martin, Eric Evans, Alistair Cockburn
## [0.6.1] - 2025-11-24
### Improved
**📖 Enhanced CLI Help System**
Guardian's `--help` command is now comprehensive and AI-agent-friendly!
-**Detailed Main Help**
- Complete detector descriptions with quick fix instructions
- Severity level explanations (CRITICAL → LOW)
- Step-by-step workflow guide for fixing violations
- 7 practical usage examples
- "HOW TO FIX COMMON ISSUES" reference section
-**Better Organization**
- Clear DETECTS section with all 8 violation types
- Each detector includes → what to do to fix it
- Severity system with priority guidance
- Examples cover all major use cases
-**AI Agent Ready**
- Help output provides complete context for autonomous agents
- Actionable instructions for each violation type
- Clear workflow: run → review → fix → verify
### Fixed
- **Code Quality**: Extracted all hardcoded strings from help text to constants
- Moved 17 magic strings to `CLI_HELP_TEXT` constant
- Improved maintainability and i18n readiness
- Follows Clean Code principles (Single Source of Truth)
### Technical
- All CLI help strings now use `CLI_HELP_TEXT` from constants
- Zero hardcode violations in Guardian's own codebase
- Passes all quality checks (format, lint, build, self-check)
## [0.6.0] - 2025-11-24
### Added
**🎯 Output Limit Control**
Guardian now supports limiting detailed violation output for large codebases!
-**--limit Option**
- Limit detailed violation output per category: `guardian check src --limit 10`
- Short form: `-l <number>`
- Works with severity filters: `guardian check src --only-critical --limit 5`
- Shows warning when violations exceed limit
- Full statistics always displayed
**📋 Severity Display Constants**
- Extracted severity labels and headers to reusable constants
- Improved CLI maintainability and consistency
- `SEVERITY_DISPLAY_LABELS` and `SEVERITY_SECTION_HEADERS`
**📚 Complete Development Workflow**
- Added comprehensive workflow documentation to CLAUDE.md
- 6-phase development process (Planning → Quality → Documentation → Verification → Commit → Publication)
- Quick checklists for new features
- Common workflows and debugging tips
### Changed
- **ESLint Configuration**: Optimized with CLI-specific overrides, reduced warnings from 129 to 0
- **Documentation**: Updated README with all 8 detector types and latest statistics
- **TODO**: Added technical debt tracking for low-coverage files
### Fixed
- Removed unused `SEVERITY_LEVELS` import from AnalyzeProject.ts
- Fixed unused `fileName` variable in HardcodeDetector.ts
- Replaced `||` with `??` for nullish coalescing
### Removed
- Deleted unused `IBaseRepository` interface (dead code)
- Fixed repository pattern violations detected by Guardian on itself
### Technical Details
- All 292 tests passing (100% pass rate)
- Coverage: 90.63% statements, 82.19% branches, 83.51% functions
- ESLint: 0 errors, 0 warnings
- Guardian self-check: ✅ No issues found
- No breaking changes - fully backwards compatible
## [0.5.2] - 2025-11-24
### Added
**🎯 Severity-Based Prioritization**
Guardian now intelligently prioritizes violations by severity, helping teams focus on critical issues first!
-**Severity Levels**
- 🔴 **CRITICAL**: Circular dependencies, Repository pattern violations
- 🟠 **HIGH**: Dependency direction violations, Framework leaks, Entity exposures
- 🟡 **MEDIUM**: Naming violations, Architecture violations
- 🟢 **LOW**: Hardcoded values
-**Automatic Sorting**
- All violations automatically sorted by severity (most critical first)
- Applied in AnalyzeProject use case before returning results
- Consistent ordering across all detection types
-**CLI Filtering Options**
- `--min-severity <level>` - Show only violations at specified level and above
- `--only-critical` - Quick filter for critical issues only
- Examples:
- `guardian check src --only-critical`
- `guardian check src --min-severity high`
-**Enhanced CLI Output**
- Color-coded severity labels (🔴🟠🟡🟢)
- Visual severity group headers with separators
- Severity displayed for each violation
- Clear filtering messages when filters active
### Changed
- Updated all violation interfaces to include `severity: SeverityLevel` field
- Improved CLI presentation with grouped severity display
- Enhanced developer experience with visual prioritization
### Technical Details
- All 292 tests passing (100% pass rate)
- Coverage: 90.63% statements, 82.19% branches, 83.51% functions
- No breaking changes - fully backwards compatible
- Clean Architecture principles maintained
---
## [0.5.1] - 2025-11-24
### Changed
**🧹 Code Quality Refactoring**
Major internal refactoring to eliminate hardcoded values and improve maintainability - Guardian now fully passes its own quality checks!
-**Extracted Constants**
- All RepositoryViolation messages moved to domain constants (Messages.ts)
- All framework leak template strings centralized
- All layer paths moved to infrastructure constants (paths.ts)
- All regex patterns extracted to IMPORT_PATTERNS constant
- 30+ new constants added for better maintainability
-**New Constants Files**
- `src/infrastructure/constants/paths.ts` - Layer paths, CLI paths, import patterns
- Extended `src/domain/constants/Messages.ts` - 25+ repository pattern messages
- Extended `src/shared/constants/rules.ts` - Package placeholder constant
-**Self-Validation Achievement**
- Reduced hardcoded values from 37 to 1 (97% improvement)
- Guardian now passes its own `src/` directory checks with 0 violations
- Only acceptable hardcode remaining: bin/guardian.js entry point path
- All 292 tests still passing (100% pass rate)
-**Improved Code Organization**
- Better separation of concerns
- More maintainable codebase
- Easier to extend with new features
- Follows DRY principle throughout
### Technical Details
- No breaking changes - fully backwards compatible
- All functionality preserved
- Test suite: 292 tests passing
- Coverage: 96.77% statements, 83.82% branches
---
## [0.5.0] - 2025-11-24
### Added
**📚 Repository Pattern Validation**
Validate proper implementation of the Repository Pattern to ensure domain remains decoupled from infrastructure.
-**ORM Type Detection in Interfaces**
- Detects ORM-specific types (Prisma, TypeORM, Mongoose) in domain repository interfaces
- Ensures repository interfaces remain persistence-agnostic
- Supports detection of 25+ ORM type patterns
- Provides fix suggestions with clean domain examples
-**Concrete Repository Usage Detection**
- Identifies use cases depending on concrete repository implementations
- Enforces Dependency Inversion Principle
- Validates constructor and field dependency types
- Suggests using repository interfaces instead
-**Repository Instantiation Detection**
- Detects `new Repository()` in use cases
- Enforces Dependency Injection pattern
- Identifies hidden dependencies
- Provides DI container setup guidance
-**Domain Language Validation**
- Checks repository methods use domain terminology
- Rejects technical database terms (findOne, insert, query, execute)
- Promotes ubiquitous language across codebase
- Suggests business-oriented method names
-**Smart Violation Reporting**
- RepositoryViolation value object with detailed context
- Four violation types: ORM types, concrete repos, new instances, technical names
- Provides actionable fix suggestions
- Shows before/after code examples
-**Comprehensive Test Coverage**
- 31 new tests for repository pattern detection
- 292 total tests passing (100% pass rate)
- Integration tests for multiple violation types
- 96.77% statement coverage, 83.82% branch coverage
-**Documentation & Examples**
- 6 example files (3 bad patterns, 3 good patterns)
- Comprehensive README with patterns and principles
- Examples for ORM types, concrete repos, DI, and domain language
- Demonstrates Clean Architecture and SOLID principles
### Changed
- Updated test count: 261 → 292 tests
- Added REPOSITORY_PATTERN rule to constants
- Extended AnalyzeProject use case with repository pattern detection
- Added REPOSITORY_VIOLATION_TYPES constant with 4 violation types
- ROADMAP updated with completed repository pattern validation (v0.5.0)
---
## [0.4.0] - 2025-11-24
### Added
**🔀 Dependency Direction Enforcement**
Enforce Clean Architecture dependency rules to prevent architectural violations across layers.
-**Dependency Direction Detector**
- Validates that dependencies flow in the correct direction
- Domain layer can only import from Domain and Shared
- Application layer can only import from Domain, Application, and Shared
- Infrastructure layer can import from all layers
- Shared layer can be imported by all layers
-**Smart Violation Reporting**
- DependencyViolation value object with detailed context
- Provides fix suggestions with concrete examples
- Shows both violating import and suggested layer placement
- CLI output with severity indicators
-**Comprehensive Test Coverage**
- 43 new tests for dependency direction detection
- 100% test pass rate (261 total tests)
- Examples for both good and bad architecture patterns
-**Documentation & Examples**
- Good architecture examples for all layers
- Bad architecture examples showing common violations
- Demonstrates proper layer separation
### Changed
- Updated test count: 218 → 261 tests
- Optimized extractLayerFromImport method to reduce complexity
- Updated getExampleFix to avoid false positives
- ROADMAP updated with completed dependency direction feature
---
## [0.3.0] - 2025-11-24
### Added
**🚫 Entity Exposure Detection**
Prevent domain entities from leaking to API responses, enforcing proper DTO usage at boundaries.
-**Entity Exposure Detector**
- Detects when controllers/routes return domain entities instead of DTOs
- Scans infrastructure layer (controllers, routes, handlers, resolvers, gateways)
- Identifies PascalCase entities without Dto/Request/Response suffixes
- Parses async methods with Promise<T> return types
-**Smart Remediation Suggestions**
- EntityExposure value object with step-by-step fix guidance
- Suggests creating DTOs with proper naming
- Provides mapper implementation examples
- Shows how to separate domain from presentation concerns
-**Comprehensive Test Coverage**
- 24 new tests for entity exposure detection (98% coverage)
- EntityExposureDetector: 98.07% coverage
- Overall project: 90.6% statements, 83.97% branches
-**Documentation & Examples**
- BadUserController and BadOrderController examples
- GoodUserController showing proper DTO usage
- Integration with CLI for helpful output
### Changed
- Updated test count: 194 → 218 tests
- Added entity exposure to violation pipeline
- ROADMAP updated with completed entity exposure feature
---
## [0.2.0] - 2025-11-24
### Added
@@ -134,7 +637,7 @@ Code quality guardian for vibe coders and enterprise teams - your AI coding comp
#### Developer Experience
- 🤖 **Built for AI-Assisted Development**
- Perfect companion for Claude, GPT, Copilot, Cursor
- Perfect companion for GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline
- Catches common AI code smells (hardcoded values, architecture violations)
- Educational error messages with fix suggestions
- Designed for vibe coding workflow: AI writes → Guardian reviews → AI fixes → Ship
@@ -233,7 +736,6 @@ Code quality guardian for vibe coders and enterprise teams - your AI coding comp
## Future Releases
Planned features for upcoming versions:
- Entity exposure detection (domain entities in presentation layer)
- Configuration file support (.guardianrc)
- Custom rule definitions
- Plugin system

140
packages/guardian/README.md
View File

@@ -8,7 +8,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
> **Perfect for:**
> - 🚀 **Vibe Coders**: Ship fast with Claude, GPT, Copilot while maintaining quality
> - 🚀 **Vibe Coders**: Ship fast with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT while maintaining quality
> - 🏢 **Enterprise Teams**: Enforce architectural standards and code quality at scale
> - 📚 **Code Review Automation**: Catch issues before human reviewers see them
@@ -19,12 +19,16 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- 📝 Magic strings (URLs, connection strings, etc.)
- 🎯 Smart context analysis
- 💡 Automatic constant name suggestions
- 📍 Suggested location for constants
- 📚 *Based on: MIT 6.031, SonarQube RSPEC-109, peer-reviewed research* → [Why?](./docs/WHY.md#hardcode-detection)
🔄 **Circular Dependency Detection**
- Detects import cycles in your codebase
- Shows complete dependency chain
- Helps maintain clean architecture
- Prevents maintenance nightmares
- Severity-based reporting
- 📚 *Based on: Martin Fowler's architecture patterns, Shopify Engineering* → [Why?](./docs/WHY.md#circular-dependencies)
📝 **Naming Convention Detection**
- Layer-based naming rules enforcement
@@ -33,6 +37,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Infrastructure: Controllers (*Controller), Repositories (*Repository), Services (*Service/*Adapter)
- Smart exclusions for base classes
- Helpful fix suggestions
- 📚 *Based on: Google Style Guide, Airbnb JavaScript Style Guide, Microsoft Guidelines* → [Why?](./docs/WHY.md#naming-conventions)
🔌 **Framework Leak Detection**
- Detects framework-specific imports in domain layer
@@ -41,6 +46,40 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- Detects external service dependencies (AWS SDK, Firebase, Stripe, Twilio)
- Maintains clean domain boundaries
- Prevents infrastructure coupling in business logic
- 📚 *Based on: Hexagonal Architecture (Cockburn 2005), Clean Architecture (Martin 2017)* → [Why?](./docs/WHY.md#framework-leaks)
🎭 **Entity Exposure Detection**
- Detects domain entities exposed in API responses
- Prevents data leakage through direct entity returns
- Enforces DTO/Response object usage
- Layer-aware validation
- Smart suggestions for proper DTOs
- 📚 *Based on: Martin Fowler's Enterprise Patterns (2002)* → [Why?](./docs/WHY.md#entity-exposure)
⬆️ **Dependency Direction Enforcement**
- Validates Clean Architecture layer dependencies
- Domain → Application → Infrastructure flow
- Prevents backwards dependencies
- Maintains architectural boundaries
- Detailed violation reports
- 📚 *Based on: Robert C. Martin's Dependency Rule, SOLID principles* → [Why?](./docs/WHY.md#clean-architecture)
📦 **Repository Pattern Validation**
- Validates repository interface design
- Detects ORM/technical types in interfaces
- Checks for technical method names (findOne, save, etc.)
- Enforces domain language usage
- Prevents "new Repository()" anti-pattern
- 📚 *Based on: Martin Fowler's Repository Pattern, DDD (Evans 2003)* → [Why?](./docs/WHY.md#repository-pattern)
🔒 **Aggregate Boundary Validation** ✨ NEW
- Detects direct entity references across DDD aggregates
- Enforces reference-by-ID or Value Object pattern
- Prevents tight coupling between aggregates
- Supports multiple folder structures (domain/aggregates/*, domain/*, domain/entities/*)
- Filters allowed imports (value-objects, events, repositories, services)
- Critical severity for maintaining aggregate independence
- 📚 *Based on: Domain-Driven Design (Evans 2003), Implementing DDD (Vernon 2013)* → [Why?](./docs/WHY.md#aggregate-boundaries)
🏗️ **Clean Architecture Enforcement**
- Built with DDD principles
@@ -48,6 +87,7 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- TypeScript with strict type checking
- Fully tested (80%+ coverage)
- Enforces architectural boundaries across teams
- 📚 *Based on: Clean Architecture (Martin 2017), Domain-Driven Design (Evans 2003)* → [Why?](./docs/WHY.md#clean-architecture)
🚀 **Developer & Enterprise Friendly**
- Simple API for developers
@@ -64,11 +104,11 @@ Code quality guardian for vibe coders and enterprise teams - because AI writes f
- 🏗️ Enforces Clean Architecture that AI often ignores
- 💡 Smart suggestions you can feed back to your AI assistant
- 🔄 Closes the feedback loop: better prompts = cleaner AI code
- 🚀 Works with Claude, GPT, Copilot, Cursor, and any AI tool
- 🚀 Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI tool
## Why Guardian for Vibe Coding?
**The Problem:** AI assistants (Claude, GPT, Copilot) are incredible at shipping features fast, but they love hardcoding values and sometimes ignore architectural patterns. You're moving fast, but accumulating tech debt.
**The Problem:** AI assistants (GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT) are incredible at shipping features fast, but they love hardcoding values and sometimes ignore architectural patterns. You're moving fast, but accumulating tech debt.
**The Solution:** Guardian is your quality safety net. Code with AI at full speed, then let Guardian catch the issues before they hit production.
@@ -354,6 +394,17 @@ npx @samiyev/guardian check ./src --verbose
npx @samiyev/guardian check ./src --no-hardcode # Skip hardcode detection
npx @samiyev/guardian check ./src --no-architecture # Skip architecture checks
# Filter by severity
npx @samiyev/guardian check ./src --min-severity high # Show high, critical only
npx @samiyev/guardian check ./src --only-critical # Show only critical issues
# Limit detailed output (useful for large codebases)
npx @samiyev/guardian check ./src --limit 10 # Show first 10 violations per category
npx @samiyev/guardian check ./src -l 20 # Short form
# Combine options
npx @samiyev/guardian check ./src --only-critical --limit 5 # Top 5 critical issues
# Show help
npx @samiyev/guardian --help
@@ -450,9 +501,17 @@ interface AnalyzeProjectRequest {
```typescript
interface AnalyzeProjectResponse {
// Violations
hardcodeViolations: HardcodeViolation[]
architectureViolations: ArchitectureViolation[]
violations: ArchitectureViolation[]
circularDependencyViolations: CircularDependencyViolation[]
namingViolations: NamingViolation[]
frameworkLeakViolations: FrameworkLeakViolation[]
entityExposureViolations: EntityExposureViolation[]
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
// Metrics
metrics: ProjectMetrics
}
@@ -463,21 +522,80 @@ interface HardcodeViolation {
type: "magic-number" | "magic-string"
value: string | number
context: string
suggestedConstantName: string
suggestedLocation: string
severity: "critical" | "high" | "medium" | "low"
suggestion: {
constantName: string
location: string
}
}
interface CircularDependencyViolation {
rule: "circular-dependency"
message: string
cycle: string[]
severity: "error"
severity: "critical" | "high" | "medium" | "low"
}
interface NamingViolation {
file: string
fileName: string
layer: string
type: string
message: string
suggestion?: string
severity: "critical" | "high" | "medium" | "low"
}
interface FrameworkLeakViolation {
file: string
packageName: string
category: string
categoryDescription: string
layer: string
rule: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface EntityExposureViolation {
file: string
line?: number
entityName: string
returnType: string
methodName?: string
layer: string
rule: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface DependencyDirectionViolation {
file: string
fromLayer: string
toLayer: string
importPath: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface RepositoryPatternViolation {
file: string
layer: string
violationType: string
details: string
message: string
suggestion: string
severity: "critical" | "high" | "medium" | "low"
}
interface ProjectMetrics {
totalFiles: number
analyzedFiles: number
totalLines: number
totalFunctions: number
totalImports: number
layerDistribution: Record<string, number>
}
```
@@ -852,7 +970,7 @@ Based on testing Guardian with AI-generated codebases:
A: No! Run it after AI generates code, not during. Analysis takes 1-2 seconds for most projects.
**Q: Can I use this with any AI coding assistant?**
A: Yes! Works with Claude, GPT, Copilot, Cursor, or any tool that generates TypeScript/JavaScript.
A: Yes! Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, or any tool that generates TypeScript/JavaScript.
**Q: Does Guardian replace ESLint/Prettier?**
A: No, it complements them. ESLint checks syntax, Guardian checks architecture and hardcodes.
@@ -861,7 +979,7 @@ A: No, it complements them. ESLint checks syntax, Guardian checks architecture a
A: Perfect use case! Guardian helps you identify tech debt so you can decide what to fix before production.
**Q: Can AI fix Guardian's findings automatically?**
A: Yes! Copy Guardian's output, paste into Claude/GPT with "fix these issues", and watch the magic.
A: Yes! Copy Guardian's output, paste into Claude, ChatGPT, or your AI assistant with "fix these issues", and watch the magic.
## Contributing

191
packages/guardian/ROADMAP.md
View File

@@ -2,7 +2,7 @@
This document outlines the current features and future plans for @puaros/guardian.
## Current Version: 0.4.0 ✅ RELEASED
## Current Version: 0.6.0 ✅ RELEASED
**Released:** 2025-11-24
@@ -36,7 +36,7 @@ This document outlines the current features and future plans for @puaros/guardia
- ✅ Extracted constants for better maintainability
**🎯 Built For:**
- ✅ Vibe coders using AI assistants (Claude, GPT, Copilot, Cursor)
- ✅ Vibe coders using AI assistants (GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline)
- ✅ Enterprise teams enforcing architectural standards
- ✅ Code review automation
@@ -114,10 +114,9 @@ import { User } from '../../domain/entities/User' // OK
---
## Future Roadmap
## Version 0.5.0 - Repository Pattern Validation 📚 ✅ RELEASED
### Version 0.5.0 - Repository Pattern Validation 📚
**Target:** Q1 2026
**Released:** 2025-11-24
**Priority:** HIGH
Validate correct implementation of Repository Pattern:
@@ -148,19 +147,120 @@ class CreateUser {
}
```
**Planned Features:**
- Check repository interfaces for ORM-specific types
- Detect concrete repository usage in use cases
- Detect `new Repository()` in use cases (should use DI)
- Validate repository methods follow domain language
- Check for data mapper pattern usage
**Implemented Features:**
- Check repository interfaces for ORM-specific types (Prisma, TypeORM, Mongoose, Sequelize, etc.)
- Detect concrete repository usage in use cases
- Detect `new Repository()` in use cases (should use DI)
- Validate repository methods follow domain language
- ✅ 31 tests covering all repository pattern scenarios
- ✅ 96.77% statement coverage, 83.82% branch coverage
- ✅ Examples for both good and bad patterns
- ✅ Comprehensive README with patterns and principles
---
### Version 0.6.0 - Aggregate Boundary Validation 🔒
**Target:** Q1 2026
## Version 0.5.2 - Severity-Based Prioritization 🎯 ✅ RELEASED
**Released:** 2025-11-24
**Priority:** HIGH
Intelligently prioritize violations by severity to help teams focus on critical issues first:
```bash
# Show only critical issues
guardian check src --only-critical
# Show high severity and above
guardian check src --min-severity high
```
**Severity Levels:**
- 🔴 **CRITICAL**: Circular dependencies, Repository pattern violations
- 🟠 **HIGH**: Dependency direction violations, Framework leaks, Entity exposures
- 🟡 **MEDIUM**: Naming violations, Architecture violations
- 🟢 **LOW**: Hardcoded values
**Implemented Features:**
- ✅ Automatic sorting by severity (most critical first)
- ✅ CLI flags: `--min-severity <level>` and `--only-critical`
- ✅ Color-coded severity labels in output (🔴🟠🟡🟢)
- ✅ Visual severity group headers with separators
- ✅ Filtering messages when filters active
- ✅ All violation interfaces include severity field
- ✅ 292 tests passing with 90%+ coverage
- ✅ Backwards compatible - no breaking changes
**Benefits:**
- Focus on critical architectural violations first
- Gradual technical debt reduction
- Better CI/CD integration (fail on critical only)
- Improved developer experience with visual prioritization
---
## Version 0.6.0 - Output Limit Control & ESLint Optimization 🎯 ✅ RELEASED
**Released:** 2025-11-24
**Priority:** MEDIUM
Control output verbosity for large codebases and achieve perfect code quality:
```bash
# Limit detailed output for large codebases
guardian check src --limit 10
# Combine with severity filters
guardian check src --only-critical --limit 5
# Short form
guardian check src -l 20
```
**Implemented Features:**
-`--limit` option to control detailed violation output per category
- ✅ Short form `-l <number>` for convenience
- ✅ Works seamlessly with `--only-critical` and `--min-severity` filters
- ✅ Warning message when violations exceed limit
- ✅ Full statistics always displayed at the end
- ✅ Severity display constants extracted (`SEVERITY_DISPLAY_LABELS`, `SEVERITY_SECTION_HEADERS`)
- ✅ ESLint configuration optimized (reduced warnings from 129 to 0)
- ✅ CLI-specific overrides for no-console, complexity, max-lines-per-function
- ✅ Dead code removal (unused IBaseRepository interface)
- ✅ Complete development workflow added to CLAUDE.md
- ✅ 292 tests passing with 90.63% coverage
- ✅ Guardian self-check: ✅ 0 issues found
**Benefits:**
- Better experience with large codebases
- Faster CI/CD output
- Improved CLI maintainability with constants
- Perfect ESLint score (0 errors, 0 warnings)
- Guardian now passes its own quality checks
---
## Version 0.5.1 - Code Quality Refactoring 🧹 ✅ RELEASED
**Released:** 2025-11-24
**Priority:** MEDIUM
Internal refactoring to eliminate hardcoded values and improve maintainability:
**Implemented Features:**
- ✅ Extracted 30+ constants from hardcoded strings
- ✅ New constants files: paths.ts, extended Messages.ts
- ✅ Reduced hardcoded values from 37 to 1 (97% improvement)
- ✅ Guardian passes its own checks (0 violations in src/)
- ✅ All 292 tests passing
- ✅ No breaking changes - fully backwards compatible
---
## Version 0.7.0 - Aggregate Boundary Validation 🔒 ✅ RELEASED
**Released:** 2025-11-24
**Priority:** CRITICAL
Validate aggregate boundaries in DDD:
```typescript
@@ -185,16 +285,23 @@ class Order {
}
```
**Planned Features:**
- Detect entity references across aggregates
- Allow only ID or Value Object references
- Detect circular dependencies between aggregates
- Validate aggregate root access patterns
- Support for aggregate folder structure
**Implemented Features:**
- Detect entity references across aggregates
- Allow only ID or Value Object references from other aggregates
- ✅ Filter allowed imports (value-objects, events, repositories, services)
- ✅ Support for multiple aggregate folder structures (domain/aggregates/name, domain/name, domain/entities/name)
- ✅ 41 comprehensive tests with 100% pass rate
- ✅ Examples of good and bad patterns
- ✅ CLI output with 🔒 icon and detailed violation info
- ✅ Critical severity level for aggregate boundary violations
---
### Version 0.7.0 - Anemic Domain Model Detection 🩺
## Future Roadmap
---
### Version 0.8.0 - Anemic Domain Model Detection 🩺
**Target:** Q2 2026
**Priority:** MEDIUM
@@ -235,7 +342,7 @@ class Order {
---
### Version 0.7.0 - Domain Event Usage Validation 📢
### Version 0.8.0 - Domain Event Usage Validation 📢
**Target:** Q2 2026
**Priority:** MEDIUM
@@ -274,7 +381,7 @@ class Order {
---
### Version 0.8.0 - Value Object Immutability Check 🔐
### Version 0.9.0 - Value Object Immutability Check 🔐
**Target:** Q2 2026
**Priority:** MEDIUM
@@ -317,7 +424,7 @@ class Email {
---
### Version 0.9.0 - Use Case Single Responsibility 🎯
### Version 0.10.0 - Use Case Single Responsibility 🎯
**Target:** Q2 2026
**Priority:** LOW
@@ -354,7 +461,7 @@ class SendWelcomeEmail {
---
### Version 0.10.0 - Interface Segregation Validation 🔌
### Version 0.11.0 - Interface Segregation Validation 🔌
**Target:** Q2 2026
**Priority:** LOW
@@ -399,7 +506,7 @@ interface IUserExporter {
---
### Version 0.11.0 - Port-Adapter Pattern Validation 🔌
### Version 0.12.0 - Port-Adapter Pattern Validation 🔌
**Target:** Q2 2026
**Priority:** MEDIUM
@@ -438,7 +545,7 @@ class TwilioAdapter implements INotificationPort {
---
### Version 0.12.0 - Configuration File Support ⚙️
### Version 0.13.0 - Configuration File Support ⚙️
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -489,7 +596,7 @@ export default {
---
### Version 0.13.0 - Command Query Separation (CQS/CQRS) 📝
### Version 0.14.0 - Command Query Separation (CQS/CQRS) 📝
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -550,7 +657,7 @@ class GetUser { // Query
---
### Version 0.14.0 - Factory Pattern Validation 🏭
### Version 0.15.0 - Factory Pattern Validation 🏭
**Target:** Q3 2026
**Priority:** LOW
@@ -633,7 +740,7 @@ class Order {
---
### Version 0.15.0 - Specification Pattern Detection 🔍
### Version 0.16.0 - Specification Pattern Detection 🔍
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -705,7 +812,7 @@ class ApproveOrder {
---
### Version 0.16.0 - Layered Service Anti-pattern Detection ⚠️
### Version 0.17.0 - Layered Service Anti-pattern Detection ⚠️
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -782,7 +889,7 @@ class OrderService {
---
### Version 0.17.0 - Bounded Context Leak Detection 🚧
### Version 0.18.0 - Bounded Context Leak Detection 🚧
**Target:** Q3 2026
**Priority:** LOW
@@ -847,7 +954,7 @@ class ProductPriceChangedHandler {
---
### Version 0.18.0 - Transaction Script vs Domain Model Detection 📜
### Version 0.19.0 - Transaction Script vs Domain Model Detection 📜
**Target:** Q3 2026
**Priority:** LOW
@@ -914,7 +1021,7 @@ class Order {
---
### Version 0.19.0 - Persistence Ignorance Validation 💾
### Version 0.20.0 - Persistence Ignorance Validation 💾
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -1000,7 +1107,7 @@ class UserEntityMapper {
---
### Version 0.20.0 - Null Object Pattern Detection 🎭
### Version 0.21.0 - Null Object Pattern Detection 🎭
**Target:** Q3 2026
**Priority:** LOW
@@ -1082,7 +1189,7 @@ class ProcessOrder {
---
### Version 0.21.0 - Primitive Obsession in Methods 🔢
### Version 0.22.0 - Primitive Obsession in Methods 🔢
**Target:** Q3 2026
**Priority:** MEDIUM
@@ -1149,7 +1256,7 @@ class Order {
---
### Version 0.22.0 - Service Locator Anti-pattern 🔍
### Version 0.23.0 - Service Locator Anti-pattern 🔍
**Target:** Q4 2026
**Priority:** MEDIUM
@@ -1209,7 +1316,7 @@ class CreateUser {
---
### Version 0.23.0 - Double Dispatch Pattern Validation 🎯
### Version 0.24.0 - Double Dispatch Pattern Validation 🎯
**Target:** Q4 2026
**Priority:** LOW
@@ -1286,7 +1393,7 @@ class ShippingCostCalculator implements IOrderItemVisitor {
---
### Version 0.24.0 - Entity Identity Validation 🆔
### Version 0.25.0 - Entity Identity Validation 🆔
**Target:** Q4 2026
**Priority:** MEDIUM
@@ -1379,7 +1486,7 @@ class UserId {
---
### Version 0.25.0 - Saga Pattern Detection 🔄
### Version 0.26.0 - Saga Pattern Detection 🔄
**Target:** Q4 2026
**Priority:** LOW
@@ -1477,7 +1584,7 @@ abstract class SagaStep {
---
### Version 0.26.0 - Anti-Corruption Layer Detection 🛡️
### Version 0.27.0 - Anti-Corruption Layer Detection 🛡️
**Target:** Q4 2026
**Priority:** MEDIUM
@@ -1563,7 +1670,7 @@ interface IOrderSyncPort {
---
### Version 0.27.0 - Ubiquitous Language Validation 📖
### Version 0.28.0 - Ubiquitous Language Validation 📖
**Target:** Q4 2026
**Priority:** HIGH
@@ -1751,4 +1858,4 @@ Until we reach 1.0.0, minor version bumps (0.x.0) may include breaking changes a
---
**Last Updated:** 2025-11-24
**Current Version:** 0.4.0
**Current Version:** 0.6.0

61
packages/guardian/TODO.md
View File

@@ -94,19 +94,38 @@ This file tracks technical debt, known issues, and improvements needed in the co
### Testing
- [x] ~~**Increase test coverage**~~**FIXED**
- ~~Current: 85.71% (target: 80%+)~~
- **New: 90.06%** (exceeds 80% target!)
- **New: 90.63%** (exceeds 80% target!)
- ~~But only 2 test files (Guards, BaseEntity)~~
- **Now: 7 test files** with 187 tests total
- **Now: 10 test files** with 292 tests total
- ~~Need tests for:~~
- ~~HardcodeDetector (main logic!)~~ ✅ 49 tests added
- ~~HardcodedValue~~ ✅ 28 tests added
- ~~FrameworkLeakDetector~~ ✅ 28 tests added
- ~~FrameworkLeakDetector~~ ✅ 35 tests added
- ~~NamingConventionDetector~~ ✅ 55 tests added
- ~~DependencyDirectionDetector~~ ✅ 43 tests added
- ~~EntityExposureDetector~~ ✅ 24 tests added
- ~~RepositoryPatternDetector~~ ✅ 31 tests added
- AnalyzeProject use case (pending)
- CLI commands (pending)
- FileScanner (pending)
- CodeParser (pending)
- Completed on: 2025-11-24
- [ ] **Improve test coverage for low-coverage files**
- **SourceFile.ts**: 44.82% coverage (entity, not critical but needs improvement)
- Missing: Property getters, metadata methods, dependency management
- Target: 80%+
- **ProjectPath.ts**: 50% coverage (value object)
- Missing: Path validation methods, edge cases
- Target: 80%+
- **RepositoryViolation.ts**: 55.26% coverage (value object)
- Missing: Violation type methods, details formatting
- Target: 80%+
- **ValueObject.ts**: 25% coverage (base class)
- Missing: equals() and other base methods
- Target: 80%+
- Priority: Medium (overall coverage is good, but these specific files need attention)
- [ ] **Add integration tests**
- Test full workflow: scan → parse → detect → report
- Test CLI end-to-end
@@ -179,7 +198,37 @@ When implementing these, consider semantic versioning:
## 📝 Recent Updates (2025-11-24)
### Completed Tasks
### v0.5.2 - Limit Feature & ESLint Cleanup
1.**Added --limit CLI option**
- Limits detailed output to specified number of violations per category
- Short form: `-l <number>`
- Works with severity filters (--only-critical, --min-severity)
- Shows warning when violations exceed limit
- Example: `guardian check ./src --limit 10`
- Updated CLI constants, index, and README documentation
2.**ESLint configuration cleanup**
- Reduced warnings from 129 to 0 ✨
- Added CLI-specific overrides (no-console, complexity, max-lines-per-function)
- Disabled no-unsafe-* rules for CLI (Commander.js is untyped)
- Increased max-params to 8 for DDD patterns
- Excluded examples/, tests/, *.config.ts from linting
- Disabled style rules (prefer-nullish-coalescing, no-unnecessary-condition, no-nested-ternary)
3.**Fixed remaining ESLint errors**
- Removed unused SEVERITY_LEVELS import from AnalyzeProject.ts
- Fixed unused fileName variable in HardcodeDetector.ts (prefixed with _)
- Replaced || with ?? for nullish coalescing
4.**Updated README.md**
- Added all new detectors to Features section (Entity Exposure, Dependency Direction, Repository Pattern)
- Updated API documentation with all 8 violation types
- Added severity levels to all interfaces
- Documented --limit option with examples
- Updated ProjectMetrics interface
- Updated test statistics (292 tests, 90.63% coverage)
### v0.5.0-0.5.1 - Architecture Enhancements
1.**Added comprehensive tests for HardcodeDetector** (49 tests)
- Magic numbers detection (setTimeout, retries, ports, limits)
- Magic strings detection (URLs, connection strings)
@@ -203,9 +252,9 @@ When implementing these, consider semantic versioning:
- Fixed constant truthiness errors
5.**Improved test coverage**
- From 85.71% to 90.06% (statements)
- From 85.71% to 90.63% (statements)
- All metrics now exceed 80% threshold
- Total tests: 16 → 187 tests
- Total tests: 16 → 292 tests
6.**Implemented Framework Leak Detection (v0.2.0)**
- Created FrameworkLeakDetector with 10 framework categories

553
packages/guardian/docs/RESEARCH_CITATIONS.md Normal file
View File

@@ -0,0 +1,553 @@
# Research Citations for Code Quality Detection Rules
This document provides authoritative sources, academic papers, industry standards, and expert references that support the code quality detection rules implemented in Guardian. These rules are not invented but based on established software engineering principles and best practices.
---
## Table of Contents
1. [Hardcode Detection (Magic Numbers & Strings)](#1-hardcode-detection-magic-numbers--strings)
2. [Circular Dependencies](#2-circular-dependencies)
3. [Clean Architecture / Layered Architecture](#3-clean-architecture--layered-architecture)
4. [Framework Leak Detection](#4-framework-leak-detection)
5. [Entity Exposure (DTO Pattern)](#5-entity-exposure-dto-pattern)
6. [Repository Pattern](#6-repository-pattern)
7. [Naming Conventions](#7-naming-conventions)
8. [General Software Quality Standards](#8-general-software-quality-standards)
9. [Code Complexity Metrics](#9-code-complexity-metrics)
10. [Additional Authoritative Sources](#10-additional-authoritative-sources)
---
## 1. Hardcode Detection (Magic Numbers & Strings)
### Academic Research
**What do developers consider magic literals? A smalltalk perspective** (2022)
- Published in ScienceDirect
- Conducted qualitative and quantitative studies on magic literals
- Analyzed 26 developers reviewing about 24,000 literals from more than 3,500 methods
- Studies ranged from small (four classes) to large (7,700 classes) systems
- Reference: [ScienceDirect Article](https://www.sciencedirect.com/science/article/abs/pii/S0950584922000908)
### Industry Standards
**MIT Course 6.031: Software Construction - Code Review**
- Magic numbers fail three key measures of code quality:
- Not safe from bugs (SFB)
- Not easy to understand (ETU)
- Not ready for change (RFC)
- Reference: [MIT Reading 4: Code Review](https://web.mit.edu/6.031/www/sp17/classes/04-code-review/)
**SonarQube Static Analysis Rules**
- Rule RSPEC-109: "Magic numbers should not be used"
- Identifies hardcoded values and magic numbers as code smells
- Reference: [SonarSource C Rule RSPEC-109](https://rules.sonarsource.com/c/rspec-109/)
### Historical Context
**Wikipedia: Magic Number (Programming)**
- Anti-pattern that breaks one of the oldest rules of programming
- Dating back to COBOL, FORTRAN, and PL/1 manuals of the 1960s
- Defined as "using a numeric literal in source code that has a special meaning that is less than clear"
- Reference: [Wikipedia - Magic Number](https://en.wikipedia.org/wiki/Magic_number_(programming))
### Best Practices
**DRY Principle Violation**
- Magic numbers violate the DRY (Don't Repeat Yourself) principle
- Encourage duplicated hardcoded values instead of centralized definitions
- Make code brittle and prone to errors
- Reference: [Stack Overflow - What are magic numbers](https://stackoverflow.com/questions/47882/what-are-magic-numbers-and-why-do-some-consider-them-bad)
---
## 2. Circular Dependencies
### Expert Opinion
**Martin Fowler on Breaking Cycles**
- "Putting abstract classes in supertype package is good way of breaking cycles in the dependency structure"
- Suggests using abstraction as a technique to break circular dependencies
- Reference: [TechTarget - Circular Dependencies in Microservices](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
### Impact on Software Quality
**Maintainability Issues**
- Circular dependencies make code difficult to read and maintain over time
- Open the door to error-prone applications that are difficult to test
- Changes to a single module cause a large ripple effect of errors
- Reference: [TechTarget - Circular Dependencies](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
**Component Coupling**
- "You can't change or evolve components independently of each other"
- Services become hardly maintainable and highly coupled
- Components cannot be tested in isolation
- Reference: [DEV Community - Circular Dependencies Between Microservices](https://dev.to/cloudx/circular-dependencies-between-microservices-11hn)
### Solution Patterns
**Shopify Engineering: Repository Pattern**
- "Remove Circular Dependencies by Using Dependency Injection and the Repository Pattern in Ruby"
- Demonstrates practical application of breaking circular dependencies
- Reference: [Shopify Engineering](https://shopify.engineering/repository-pattern-ruby)
---
## 3. Clean Architecture / Layered Architecture
### The Dependency Rule - Robert C. Martin
**Book: Clean Architecture: A Craftsman's Guide to Software Structure and Design** (2017)
- Author: Robert C. Martin (Uncle Bob)
- Publisher: Prentice Hall
- ISBN: 978-0134494166
- Available at: [Amazon](https://www.amazon.com/Clean-Architecture-Craftsmans-Software-Structure/dp/0134494164)
**The Dependency Rule (Core Principle)**
- "Source code dependencies can only point inwards"
- "Nothing in an inner circle can know anything at all about something in an outer circle"
- "The name of something declared in an outer circle must not be mentioned by the code in the inner circle"
- Reference: [The Clean Architecture Blog Post](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html)
**Layer Organization**
- Dependencies flow towards higher-level policies and domain logic
- Inner layers (domain) should not depend on outer layers (infrastructure)
- Use dynamic polymorphism to create source code dependencies that oppose the flow of control
- Reference: [Clean Architecture Beginner's Guide](https://betterprogramming.pub/the-clean-architecture-beginners-guide-e4b7058c1165)
**O'Reilly Resources**
- Complete book available through O'Reilly Learning Platform
- Reference: [O'Reilly - Clean Architecture](https://www.oreilly.com/library/view/clean-architecture-a/9780134494272/)
### SOLID Principles - Robert C. Martin
**Paper: Design Principles and Design Patterns** (2000)
- Author: Robert C. Martin
- Introduced the basic principles of SOLID design
- SOLID acronym coined by Michael Feathers around 2004
- Reference: [Wikipedia - SOLID](https://en.wikipedia.org/wiki/SOLID)
**Dependency Inversion Principle (DIP)**
- High-level modules should not depend on low-level modules; both should depend on abstractions
- Abstractions should not depend on details; details should depend on abstractions
- Enables loosely coupled components and simpler testing
- Reference: [DigitalOcean - SOLID Principles](https://www.digitalocean.com/community/conceptual-articles/s-o-l-i-d-the-first-five-principles-of-object-oriented-design)
**Single Responsibility Principle (SRP)**
- "There should never be more than one reason for a class to change"
- Every class should have only one responsibility
- Classes with single responsibility are easier to understand, test, and modify
- Reference: [Real Python - SOLID Principles](https://realpython.com/solid-principles-python/)
---
## 4. Framework Leak Detection
### Hexagonal Architecture (Ports & Adapters)
**Original Paper: The Hexagonal (Ports & Adapters) Architecture** (2005)
- Author: Alistair Cockburn
- Document: HaT Technical Report 2005.02
- Date: 2005-09-04 (v 0.9)
- Intent: "Allow an application to equally be driven by users, programs, automated test or batch scripts, and to be developed and tested in isolation from its eventual run-time devices and databases"
- Reference: [Alistair Cockburn - Hexagonal Architecture](https://alistair.cockburn.us/hexagonal-architecture)
### Domain-Driven Design (DDD) and Hexagonal Architecture
**Domain-Driven Hexagon Repository**
- Comprehensive guide combining DDD with hexagonal architecture
- "Application Core shouldn't depend on frameworks or access external resources directly"
- "External calls should be done through ports (interfaces)"
- Reference: [GitHub - Domain-Driven Hexagon](https://github.com/Sairyss/domain-driven-hexagon)
**AWS Prescriptive Guidance**
- "The hexagonal architecture pattern is used to isolate business logic (domain logic) from related infrastructure code"
- Outer layers can depend on inner layers, but inner layers never depend on outer layers
- Reference: [AWS - Hexagonal Architecture Pattern](https://docs.aws.amazon.com/prescriptive-guidance/latest/cloud-design-patterns/hexagonal-architecture.html)
### Preventing Logic Leakage
**Ports and Adapters Benefits**
- Shields domain logic from leaking out of application's core
- Prevents technical details (like JPA entities) and libraries (like O/R mappers) from leaking into application
- Keeps application agnostic of external actors
- Reference: [Medium - Hexagonal Architecture](https://medium.com/ssense-tech/hexagonal-architecture-there-are-always-two-sides-to-every-story-bc0780ed7d9c)
**Herberto Graca's Explicit Architecture**
- "DDD, Hexagonal, Onion, Clean, CQRS, … How I put it all together"
- Comprehensive guide on preventing architectural leakage
- Reference: [Herberto Graca's Blog](https://herbertograca.com/2017/11/16/explicit-architecture-01-ddd-hexagonal-onion-clean-cqrs-how-i-put-it-all-together/)
---
## 5. Entity Exposure (DTO Pattern)
### Martin Fowler's Pattern Definition
**Book: Patterns of Enterprise Application Architecture** (2002)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- First introduced the Data Transfer Object (DTO) pattern
- Reference: [Martin Fowler - Data Transfer Object](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
**DTO Pattern Purpose**
- "The main reason for using a Data Transfer Object is to batch up what would be multiple remote calls into a single call"
- "DTOs are called Data Transfer Objects because their whole purpose is to shift data in expensive remote calls"
- Part of implementing a coarse-grained interface needed for remote performance
- Reference: [Martin Fowler's EAA Catalog](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
### LocalDTO Anti-Pattern
**Martin Fowler on Local DTOs**
- "In a local context, DTOs are not just unnecessary but actually harmful"
- Harmful because coarse-grained API is more difficult to use
- Requires extra work moving data from domain/data source layer into DTOs
- Reference: [Martin Fowler - LocalDTO](https://martinfowler.com/bliki/LocalDTO.html)
### Security and Encapsulation Benefits
**Baeldung: The DTO Pattern**
- DTOs provide only relevant information to the client
- Hide sensitive data like passwords for security reasons
- Decoupling persistence model from domain model reduces risk of exposing domain model
- Reference: [Baeldung - DTO Pattern](https://www.baeldung.com/java-dto-pattern)
**Wikipedia: Data Transfer Object**
- Carries data between processes
- Reduces the number of method calls
- Industry-standard pattern for API design
- Reference: [Wikipedia - Data Transfer Object](https://en.wikipedia.org/wiki/Data_transfer_object)
---
## 6. Repository Pattern
### Martin Fowler's Pattern Definition
**Book: Patterns of Enterprise Application Architecture** (2002)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- ISBN: 978-0321127426
- Available at: [Internet Archive](https://archive.org/details/PatternsOfEnterpriseApplicationArchitectureByMartinFowler)
**Repository Pattern Definition**
- "Mediates between the domain and data mapping layers using a collection-like interface for accessing domain objects"
- Listed under Data Source Architectural Patterns
- Main goal: separate domain logic from data persistence logic
- Reference: [Martin Fowler - Repository](https://martinfowler.com/eaaCatalog/repository.html)
**Pattern Purpose**
- "Adding this layer helps minimize duplicate query logic"
- Original definition: "all about minimizing duplicate query logic"
- Chapter 13 of online ebook at O'Reilly
- Reference: [Martin Fowler's EAA Catalog](https://martinfowler.com/eaaCatalog/)
### Microsoft Guidance
**Microsoft Learn: Infrastructure Persistence Layer Design**
- "Designing the infrastructure persistence layer" for microservices and DDD
- Official Microsoft documentation on repository pattern usage
- Reference: [Microsoft Learn - Repository Pattern](https://learn.microsoft.com/en-us/dotnet/architecture/microservices/microservice-ddd-cqrs-patterns/infrastructure-persistence-layer-design)
### Domain-Driven Design Context
**Eric Evans Reference**
- "You can also find a good write-up of this pattern in Domain Driven Design"
- Repository is a key tactical pattern in DDD
- Reference: [Stack Overflow - Repository Pattern Author](https://softwareengineering.stackexchange.com/questions/132813/whos-the-author-creator-of-the-repository-pattern)
---
## 7. Naming Conventions
### Use Case Naming
**Use Case Naming Convention: Verb + Noun**
- Default naming pattern: "(Actor) Verb Noun" with actor being optional
- Name must be in the form of VERB-OBJECT with verb in imperative mode
- Examples: "Customer Process Order", "Send Notification"
- Reference: [TM Forum - Use Case Naming Conventions](https://tmforum-oda.github.io/oda-ca-docs/canvas/usecase-library/use-case-naming-conventions.html)
**Good Use Case Names**
- Use meaningful verbs, not generic ones like "Process"
- Specific actions like "Validate the Ordered Items"
- Name must be unique
- Reference: [Tyner Blain - How to Write Good Use Case Names](https://tynerblain.com/blog/2007/01/22/how-to-write-good-use-case-names/)
### Industry Style Guides
**Google Java Style Guide**
- Method names are written in lowerCamelCase
- Class names should be in PascalCase
- Class names are typically nouns or noun phrases (e.g., Character, ImmutableList)
- Reference: [Google Java Style Guide](https://google.github.io/styleguide/javaguide.html)
**Airbnb JavaScript Style Guide**
- Avoid single letter names; be descriptive with naming
- Use camelCase when naming objects, functions, and instances
- Use PascalCase when exporting constructor/class/singleton
- Filename should be identical to function's name
- Reference: [Airbnb JavaScript Style Guide](https://github.com/airbnb/javascript)
**Microsoft Naming Conventions**
- Variables, methods, instance fields: camelCase
- Class and interface names: PascalCase (capitalized CamelCase)
- Constants: CONSTANT_CASE (all uppercase with underscores)
- Reference: [GeeksforGeeks - Java Naming Conventions](https://www.geeksforgeeks.org/java/java-naming-conventions/)
### General Naming Patterns
**Wikipedia: Naming Conventions**
- Classes are nouns or noun phrases
- Methods/functions are verbs or verb phrases to identify actions
- Established convention across multiple programming languages
- Reference: [Wikipedia - Naming Convention](https://en.wikipedia.org/wiki/Naming_convention_(programming))
**Devopedia: Naming Conventions**
- Comprehensive coverage of naming conventions across languages
- Historical context and evolution of naming standards
- Reference: [Devopedia - Naming Conventions](https://devopedia.org/naming-conventions)
---
## 8. General Software Quality Standards
### ISO/IEC 25010 Software Quality Model
**ISO/IEC 25010:2011 (Updated 2023)**
- Title: "Systems and software engineering Systems and software Quality Requirements and Evaluation (SQuaRE) System and software quality models"
- Defines eight software quality characteristics
- Reference: [ISO 25010 Official Standard](https://www.iso.org/standard/35733.html)
**Eight Quality Characteristics**
1. Functional suitability
2. Performance efficiency
3. Compatibility
4. Usability
5. Reliability
6. Security
7. Maintainability
8. Portability
**Maintainability Sub-characteristics**
- **Modularity**: Components can be changed with minimal impact on other components
- **Reusability**: Assets can be used in more than one system
- **Analysability**: Effectiveness of impact assessment and failure diagnosis
- **Modifiability**: System can be modified without introducing defects
- **Testability**: Test criteria effectiveness and execution
- Reference: [ISO 25000 Portal](https://iso25000.com/index.php/en/iso-25000-standards/iso-25010)
**Practical Application**
- Used throughout software development lifecycle
- Define quality requirements and evaluate products
- Static analysis plays key role in security and maintainability
- Reference: [Perforce - What is ISO 25010](https://www.perforce.com/blog/qac/what-is-iso-25010)
### SQuaRE Framework
**ISO/IEC 25000 Series**
- System and Software Quality Requirements and Evaluation (SQuaRE)
- Contains framework to evaluate software product quality
- Derived from earlier ISO/IEC 9126 standard
- Reference: [Codacy Blog - ISO 25010 Software Quality Model](https://blog.codacy.com/iso-25010-software-quality-model)
---
## 9. Code Complexity Metrics
### Cyclomatic Complexity
**Original Work: Thomas McCabe** (1976)
- Developed by Thomas McCabe in 1976
- Derived from graph theory
- Measures "the amount of decision logic in a source code function"
- Quantifies the number of independent paths through program's source code
- Reference: [Wikipedia - Cyclomatic Complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity)
**NIST Recommendations**
- NIST235 indicates that a limit of 10 is a good starting point
- Original limit of 10 proposed by McCabe has significant supporting evidence
- Limits as high as 15 have been used successfully
- Reference: [Microsoft Learn - Cyclomatic Complexity](https://learn.microsoft.com/en-us/visualstudio/code-quality/code-metrics-cyclomatic-complexity)
**Research Findings**
- Positive correlation between cyclomatic complexity and defects
- Functions with highest complexity tend to contain the most defects
- "The SATC has found the most effective evaluation is a combination of size and (Cyclomatic) complexity"
- Modules with both high complexity and large size have lowest reliability
- Reference: [Wikipedia - Cyclomatic Complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity)
### Cognitive Complexity - SonarQube
**Cognitive Complexity Definition**
- Measure of how hard it is to understand code's control flow
- Code with high cognitive complexity is hard to read, understand, test, and modify
- Incremented when code breaks normal linear reading flow
- Reference: [SonarSource - Cognitive Complexity](https://www.sonarsource.com/blog/5-clean-code-tips-for-reducing-cognitive-complexity/)
**Recommended Thresholds**
- General rule: aim for scores below 15
- SonarQube default maximum complexity: 15
- Method Cognitive Complexity greater than 20 commonly used as quality gate
- Reference: [Medium - Cognitive Complexity by SonarQube](https://medium.com/@himanshuganglani/clean-code-cognitive-complexity-by-sonarqube-659d49a6837d)
**Calculation Method**
- Counts if/else conditions, nested loops (for, forEach, do/while)
- Includes try/catch blocks and switch statements
- Mixed operators in conditions increase complexity
- Reference: [SonarQube Documentation - Metrics Definition](https://docs.sonarsource.com/sonarqube-server/10.8/user-guide/code-metrics/metrics-definition)
### Academic Research on Software Maintainability
**Tool-Based Perspective on Software Code Maintainability Metrics** (2020)
- Authors: Ardito et al.
- Published in: Scientific Programming (Wiley Online Library)
- Systematic Literature Review on maintainability metrics
- Reference: [Wiley - Software Code Maintainability Metrics](https://onlinelibrary.wiley.com/doi/10.1155/2020/8840389)
**Code Reviews and Complexity** (2024)
- Paper: "The utility of complexity metrics during code reviews for CSE software projects"
- Published in: ScienceDirect
- Analyzes metrics gathered via GitHub Actions for pull requests
- Techniques to guide code review considering cyclomatic complexity levels
- Reference: [ScienceDirect - Complexity Metrics](https://www.sciencedirect.com/science/article/abs/pii/S0167739X2400270X)
---
## 10. Additional Authoritative Sources
### Code Smells and Refactoring
**Book: Refactoring: Improving the Design of Existing Code** (1999, 2nd Edition 2018)
- Author: Martin Fowler
- Publisher: Addison-Wesley
- ISBN (1st Ed): 978-0201485677
- ISBN (2nd Ed): 978-0134757599
- Term "code smell" first coined by Kent Beck
- Featured in the 1999 Refactoring book
- Reference: [Martin Fowler - Code Smell](https://martinfowler.com/bliki/CodeSmell.html)
**Code Smell Definition**
- "Certain structures in the code that indicate violation of fundamental design principles"
- "Surface indication that usually corresponds to a deeper problem in the system"
- Heuristics to indicate when to refactor
- Reference: [Wikipedia - Code Smell](https://en.wikipedia.org/wiki/Code_smell)
**Duplication as Major Code Smell**
- Duplication is one of the biggest code smells
- Spotting duplicate code and removing it leads to improved design
- Reference: [Coding Horror - Code Smells](https://blog.codinghorror.com/code-smells/)
### Domain-Driven Design
**Book: Domain-Driven Design: Tackling Complexity in the Heart of Software** (2003)
- Author: Eric Evans
- Publisher: Addison-Wesley Professional
- ISBN: 978-0321125217
- Available at: [Amazon](https://www.amazon.com/Domain-Driven-Design-Tackling-Complexity-Software/dp/0321125215)
**DDD Reference Document**
- Official Domain-Driven Design Reference by Eric Evans
- PDF: Domain-­Driven Design Reference (2015)
- Reference: [Domain Language - DDD Reference](https://www.domainlanguage.com/wp-content/uploads/2016/05/DDD_Reference_2015-03.pdf)
**Key DDD Concepts**
- Entities: Defined by their identity
- Value Objects: Defined by their attributes
- Aggregates: Clusters of entities that behave as single unit
- Repositories: Separate domain logic from persistence
- Reference: [Martin Fowler - Domain Driven Design](https://martinfowler.com/bliki/DomainDrivenDesign.html)
### Code Complete - Steve McConnell
**Book: Code Complete: A Practical Handbook of Software Construction** (1993, 2nd Edition 2004)
- Author: Steve McConnell
- Publisher: Microsoft Press
- ISBN: 978-0735619678
- Won Jolt Award in 1993
- Best-selling, best-reviewed software development book
- Reference: [Amazon - Code Complete](https://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670)
**Key Topics Covered**
- Naming variables to deciding when to write a subroutine
- Architecture, coding standards, testing, integration
- Software craftsmanship nature
- Main activities: detailed design, construction planning, coding, debugging, testing
- Reference: [Wikipedia - Code Complete](https://en.wikipedia.org/wiki/Code_Complete)
### Architecture Testing Tools
**ArchUnit - Java Architecture Testing**
- Free, simple, and extensible library for checking architecture
- Define rules for architecture using plain Java unit tests
- Out-of-the-box functionality for layered architecture and onion architecture
- Enforce naming conventions, class access, prevention of cycles
- Reference: [ArchUnit Official Site](https://www.archunit.org/)
**ArchUnit Examples**
- Layered Architecture Test examples on GitHub
- Define layers and add constraints for each layer
- Reference: [GitHub - ArchUnit Examples](https://github.com/TNG/ArchUnit-Examples/blob/main/example-plain/src/test/java/com/tngtech/archunit/exampletest/LayeredArchitectureTest.java)
**NetArchTest - .NET Alternative**
- Inspired by ArchUnit for Java
- Enforce architecture conventions in .NET codebases
- Can be used with any unit test framework
- Reference: [GitHub - NetArchTest](https://github.com/BenMorris/NetArchTest)
**InfoQ Article on ArchUnit**
- "ArchUnit Verifies Architecture Rules for Java Applications"
- Professional coverage of architecture verification
- Reference: [InfoQ - ArchUnit](https://www.infoq.com/news/2022/10/archunit/)
---
## Conclusion
The code quality detection rules implemented in Guardian are firmly grounded in:
1. **Academic Research**: Peer-reviewed papers on software maintainability, complexity metrics, and code quality
2. **Industry Standards**: ISO/IEC 25010, SonarQube rules, Google and Airbnb style guides
3. **Authoritative Books**:
- Robert C. Martin's "Clean Architecture" (2017)
- Eric Evans' "Domain-Driven Design" (2003)
- Martin Fowler's "Patterns of Enterprise Application Architecture" (2002)
- Martin Fowler's "Refactoring" (1999, 2018)
- Steve McConnell's "Code Complete" (1993, 2004)
4. **Expert Guidance**: Martin Fowler, Robert C. Martin (Uncle Bob), Eric Evans, Alistair Cockburn, Kent Beck
5. **Open Source Tools**: ArchUnit, SonarQube, ESLint - widely adopted in enterprise environments
These rules represent decades of software engineering wisdom, empirical research, and battle-tested practices from the world's leading software organizations and thought leaders.
---
## Additional Resources
### Online Catalogs and References
- Martin Fowler's Enterprise Application Architecture Catalog: https://martinfowler.com/eaaCatalog/
- Martin Fowler's Bliki (Blog + Wiki): https://martinfowler.com/bliki/
- Robert C. Martin's Principles Collection: http://principles-wiki.net/collections:robert_c._martin_s_principle_collection
- Domain Language (Eric Evans): https://www.domainlanguage.com/
### GitHub Repositories
- Airbnb JavaScript Style Guide: https://github.com/airbnb/javascript
- Google Style Guides: https://google.github.io/styleguide/
- Domain-Driven Hexagon: https://github.com/Sairyss/domain-driven-hexagon
- ArchUnit Examples: https://github.com/TNG/ArchUnit-Examples
### Educational Institutions
- MIT Course 6.031: Software Construction: https://web.mit.edu/6.031/www/
- Cornell CS Java Style Guide: https://www.cs.cornell.edu/courses/JavaAndDS/JavaStyle.html
---
**Document Version**: 1.0
**Last Updated**: 2025-11-24
**Questions or want to contribute research?**
- 📧 Email: fozilbek.samiyev@gmail.com
- 🐙 GitHub: https://github.com/samiyev/puaros/issues
**Based on research as of**: November 2025

391
packages/guardian/docs/WHY.md Normal file
View File

@@ -0,0 +1,391 @@
# Why Guardian's Rules Matter
Guardian's detection rules are not invented - they're based on decades of software engineering research, industry standards, and expert opinion from leading authorities.
**Quick Navigation:**
- [Hardcode Detection](#hardcode-detection)
- [Circular Dependencies](#circular-dependencies)
- [Clean Architecture](#clean-architecture)
- [Framework Leaks](#framework-leaks)
- [Entity Exposure](#entity-exposure)
- [Repository Pattern](#repository-pattern)
- [Naming Conventions](#naming-conventions)
- [Full Research Citations](#full-research-citations)
---
## Hardcode Detection
### Why it matters
Magic numbers and strings make code:
-**Hard to maintain** - Changing a value requires finding all occurrences
-**Error-prone** - Typos in repeated values cause bugs
-**Difficult to understand** - What does `3000` mean without context?
-**Not ready for change** - Configuration changes require code modifications
### Who says so?
**Academia:**
- **MIT Course 6.031: Software Construction**
> "Magic numbers fail three key measures: Safe from bugs, Easy to understand, Ready for change"
- Used in MIT's software engineering curriculum
- [Read the course material](https://web.mit.edu/6.031/www/sp17/classes/04-code-review/)
**Industry Standards:**
- **SonarQube Rule RSPEC-109**: "Magic numbers should not be used"
- Used by 400,000+ organizations worldwide
- Identifies hardcoded values as code smells
- [View the rule](https://rules.sonarsource.com/c/rspec-109/)
**Research:**
- **2022 ScienceDirect Study**: "What do developers consider magic literals?"
- Analyzed 24,000 literals from 3,500+ methods
- Surveyed 26 professional developers
- [Read the paper](https://www.sciencedirect.com/science/article/abs/pii/S0950584922000908)
**Historical Context:**
- Anti-pattern dating back to 1960s COBOL/FORTRAN manuals
- One of the oldest rules of programming
[Read full research →](./RESEARCH_CITATIONS.md#1-hardcode-detection-magic-numbers--strings)
---
## Circular Dependencies
### Why it matters
Circular dependencies create:
-**Tight coupling** - Components cannot evolve independently
-**Testing difficulties** - Impossible to test modules in isolation
-**Maintenance nightmares** - Changes cause ripple effects across codebase
-**Build complexity** - Compilation order becomes problematic
### Who says so?
**Expert Opinion:**
- **Martin Fowler**: Enterprise architecture patterns expert
> "Putting abstract classes in supertype package is good way of breaking cycles in the dependency structure"
- Recommends using abstraction to break cycles
- [Read on TechTarget](https://www.techtarget.com/searchapparchitecture/tip/The-vicious-cycle-of-circular-dependencies-in-microservices)
**Real-world Solutions:**
- **Shopify Engineering**: "Remove Circular Dependencies by Using Dependency Injection"
- Demonstrates practical application of Repository Pattern
- Production-proven solution from major tech company
- [Read the article](https://shopify.engineering/repository-pattern-ruby)
**Impact Studies:**
- Services become hardly maintainable and highly coupled
- Open the door to error-prone applications
- Components cannot be tested in isolation
[Read full research →](./RESEARCH_CITATIONS.md#2-circular-dependencies)
---
## Clean Architecture
### Why it matters
Clean Architecture principles ensure:
-**Independence** - Business rules don't depend on frameworks
-**Testability** - Business logic can be tested without UI/DB
-**Flexibility** - Easy to swap frameworks and tools
-**Maintainability** - Clear boundaries and responsibilities
### The Dependency Rule
**Robert C. Martin's Core Principle:**
> "Source code dependencies can only point inwards. Nothing in an inner circle can know anything about something in an outer circle."
**Layer Flow:**
```
Domain (innermost) ← Application ← Infrastructure (outermost)
```
### Who says so?
**The Definitive Book:**
- **Robert C. Martin (Uncle Bob): "Clean Architecture" (2017)**
- Published by O'Reilly (Prentice Hall)
- Based on SOLID principles and decades of experience
- [Get the book](https://www.amazon.com/Clean-Architecture-Craftsmans-Software-Structure/dp/0134494164)
**Core Principles:**
- **SOLID Principles (2000)**: Foundation of Clean Architecture
- Single Responsibility Principle
- Open-Closed Principle
- Liskov Substitution Principle
- Interface Segregation Principle
- **Dependency Inversion Principle** (critical for layer separation)
- [Learn SOLID](https://www.digitalocean.com/community/conceptual-articles/s-o-l-i-d-the-first-five-principles-of-object-oriented-design)
**The Clean Architecture Blog:**
- Original blog post by Uncle Bob (2012)
- Defines the concentric circles architecture
- [Read the original](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html)
[Read full research →](./RESEARCH_CITATIONS.md#3-clean-architecture--layered-architecture)
---
## Framework Leaks
### Why it matters
Framework dependencies in domain layer:
-**Coupling to infrastructure** - Business logic tied to technical details
-**Testing difficulties** - Cannot test without framework setup
-**Framework lock-in** - Migration becomes impossible
-**Violates Clean Architecture** - Breaks the Dependency Rule
### Who says so?
**Original Research:**
- **Alistair Cockburn (2005): "Hexagonal Architecture"**
- HaT Technical Report 2005.02
> "Create your application to work without either a UI or a database so you can run automated regression-tests against the application, work when the database becomes unavailable, and link applications together without any user involvement."
- Original Ports & Adapters pattern
- [Read the original paper](https://alistair.cockburn.us/hexagonal-architecture)
**Industry Adoption:**
- **Robert C. Martin: "Clean Architecture" (2017)**
> "Frameworks are tools, not architectures"
- Frameworks belong in outer layers only
- **AWS Prescriptive Guidance**: Documents hexagonal architecture patterns
- **GitHub: Domain-Driven Hexagon**: Comprehensive implementation guide
- [View the guide](https://github.com/Sairyss/domain-driven-hexagon)
**Key Insight:**
The goal is to isolate the application's business logic from external resources like databases, message queues, HTTP frameworks, etc.
[Read full research →](./RESEARCH_CITATIONS.md#4-framework-leak-detection)
---
## Entity Exposure
### Why it matters
Exposing domain entities directly:
-**Breaks encapsulation** - Exposes internal domain structure
-**Security risks** - May leak sensitive data (passwords, tokens)
-**Coupling** - API tied to domain model changes
-**Violates Single Responsibility** - Entities serve two purposes
### Use DTOs Instead
**Data Transfer Object (DTO) Pattern:**
- Transform domain entities into simple data structures
- Control exactly what data is exposed
- Decouple API contracts from domain model
- Separate concerns: domain logic vs. data transfer
### Who says so?
**The Definitive Source:**
- **Martin Fowler: "Patterns of Enterprise Application Architecture" (2002)**
- Defines the DTO pattern
- Published by Addison-Wesley
> "An object that carries data between processes in order to reduce the number of method calls"
- [Read on martinfowler.com](https://martinfowler.com/eaaCatalog/dataTransferObject.html)
**Purpose:**
- Originally designed to batch remote calls and reduce network overhead
- Modern use: Separate domain model from external representation
- Prevents "God objects" that do too much
**Warning: LocalDTO Anti-pattern:**
Martin Fowler also warns about overusing DTOs in local contexts where they add unnecessary complexity.
[Read full research →](./RESEARCH_CITATIONS.md#5-entity-exposure-dto-pattern)
---
## Repository Pattern
### Why it matters
Repository pattern provides:
-**Abstraction** - Domain doesn't know about persistence details
-**Testability** - Easy to mock data access in tests
-**Centralized queries** - Single place for data access logic
-**Clean separation** - Domain logic separate from data access
### Common Violations
Guardian detects:
- ORM types leaking into repository interfaces
- Technical method names (`findOne`, `save`) instead of domain language
- Direct ORM/database usage in use cases
- `new Repository()` instantiation (should use DI)
### Who says so?
**The Definitive Source:**
- **Martin Fowler: Enterprise Application Architecture Catalog**
> "Mediates between the domain and data mapping layers using a collection-like interface for accessing domain objects"
- Part of the Domain Logic Patterns
- [Read on martinfowler.com](https://martinfowler.com/eaaCatalog/repository.html)
**Key Benefits:**
- Minimizes duplicate query logic
- Allows multiple repositories for different storage needs
- Domain layer doesn't know about SQL, MongoDB, or any specific technology
**Additional Support:**
- **Microsoft Learn**: Official documentation on Repository Pattern
- **Eric Evans**: Referenced in Domain-Driven Design book
- **Listed as**: Data Source Architectural Pattern
**Real-world Example:**
```typescript
// ❌ Bad: ORM leak in interface
interface IUserRepository {
findOne(query: PrismaWhereInput): Promise<User>
}
// ✅ Good: Domain language
interface IUserRepository {
findByEmail(email: Email): Promise<User | null>
findById(id: UserId): Promise<User | null>
}
```
[Read full research →](./RESEARCH_CITATIONS.md#6-repository-pattern)
---
## Naming Conventions
### Why it matters
Consistent naming:
-**Readability** - Code is self-documenting
-**Predictability** - Developers know what to expect
-**Maintainability** - Easier to navigate large codebases
-**Team alignment** - Everyone follows same patterns
### Guardian's Conventions
**Domain Layer:**
- Entities: `User.ts`, `Order.ts` (PascalCase nouns)
- Services: `UserService.ts` (PascalCase + Service suffix)
- Repositories: `IUserRepository.ts` (I prefix for interfaces)
**Application Layer:**
- Use cases: `CreateUser.ts`, `PlaceOrder.ts` (Verb + Noun)
- DTOs: `UserDto.ts`, `CreateUserRequest.ts` (Dto/Request/Response suffix)
- Mappers: `UserMapper.ts` (Mapper suffix)
**Infrastructure Layer:**
- Controllers: `UserController.ts` (Controller suffix)
- Repositories: `MongoUserRepository.ts` (implementation name + Repository)
### Who says so?
**Industry Style Guides:**
- **Google Java Style Guide**
- PascalCase for classes
- camelCase for methods and variables
- [Read the guide](https://google.github.io/styleguide/javaguide.html)
- **Airbnb JavaScript Style Guide**
- 145,000+ GitHub stars
- Industry standard for JavaScript/TypeScript
- [Read the guide](https://github.com/airbnb/javascript)
- **Microsoft .NET Guidelines**
- PascalCase for types and public members
- Consistent across entire .NET ecosystem
- Widely adopted in C# and TypeScript communities
**Use Case Naming:**
- **TM Forum Standard**: Verb + Noun pattern for operations
- Actions start with verbs: Create, Update, Delete, Get, Process
- Clear intent from filename
- Examples: `ProcessOrder.ts`, `ValidateInput.ts`
**General Principle:**
- **Wikipedia: Naming Convention (Programming)**
- "Classes are nouns, methods are verbs"
- Widely accepted across languages and paradigms
[Read full research →](./RESEARCH_CITATIONS.md#7-naming-conventions)
---
## Full Research Citations
For complete academic papers, books, and authoritative sources, see:
📚 **[RESEARCH_CITATIONS.md](./RESEARCH_CITATIONS.md)**
This document contains:
- 50+ authoritative references
- Academic papers with DOI/URLs
- Book citations with authors and publication years
- Industry standards from Google, Microsoft, AWS
- Expert blogs from Martin Fowler, Uncle Bob, Kent Beck
- Historical context dating back to 1960s
---
## Quality Standards
Guardian's rules align with international standards:
**ISO/IEC 25010:2011 (Software Quality Standard)**
- Eight quality characteristics including **Maintainability**
- Sub-characteristics: Modularity, Reusability, Analysability, Modifiability, Testability
- [Learn more](https://www.iso.org/standard/35733.html)
**SQuaRE Framework:**
- System and Software Quality Requirements and Evaluation
- Used throughout software development lifecycle
---
## Summary: Why Trust Guardian?
Guardian's rules are backed by:
**5 Seminal Books** (1993-2017)
- Clean Architecture (Robert C. Martin, 2017)
- Domain-Driven Design (Eric Evans, 2003)
- Patterns of Enterprise Application Architecture (Martin Fowler, 2002)
- Refactoring (Martin Fowler, 1999)
- Code Complete (Steve McConnell, 1993)
**Academic Research** (1976-2024)
- MIT Course 6.031
- ScienceDirect peer-reviewed studies
- Cyclomatic Complexity (Thomas McCabe, 1976)
**International Standards**
- ISO/IEC 25010:2011
**Industry Giants**
- Google, Microsoft, Airbnb style guides
- SonarQube (400,000+ organizations)
- AWS documentation
**Thought Leaders**
- Martin Fowler, Robert C. Martin (Uncle Bob), Eric Evans
- Alistair Cockburn, Kent Beck, Thomas McCabe
---
**Questions or want to contribute research?**
- 📧 Email: fozilbek.samiyev@gmail.com
- 🐙 GitHub: https://github.com/samiyev/puaros/issues
- 📚 Full citations: [RESEARCH_CITATIONS.md](./RESEARCH_CITATIONS.md)
---
*Last updated: 2025-11-24*

40
packages/guardian/examples/aggregate-boundary/bad/Order-DirectEntityReference.ts Normal file
View File

@@ -0,0 +1,40 @@
/**
* ❌ BAD EXAMPLE: Direct Entity Reference Across Aggregates
*
* Violation: Order aggregate directly imports and uses User entity from User aggregate
*
* Problems:
* 1. Creates tight coupling between aggregates
* 2. Changes to User entity affect Order aggregate
* 3. Violates aggregate boundary principles in DDD
* 4. Makes aggregates not independently modifiable
*/
import { User } from "../user/User"
import { Product } from "../product/Product"
export class Order {
private id: string
private user: User
private product: Product
private quantity: number
constructor(id: string, user: User, product: Product, quantity: number) {
this.id = id
this.user = user
this.product = product
this.quantity = quantity
}
getUserEmail(): string {
return this.user.email
}
getProductPrice(): number {
return this.product.price
}
calculateTotal(): number {
return this.product.price * this.quantity
}
}

16
packages/guardian/examples/aggregate-boundary/domain/aggregates/order/Order.ts Normal file
View File

@@ -0,0 +1,16 @@
import { User } from "../user/User"
import { Product } from "../product/Product"
export class Order {
private id: string
private user: User
private product: Product
private quantity: number
constructor(id: string, user: User, product: Product, quantity: number) {
this.id = id
this.user = user
this.product = product
this.quantity = quantity
}
}

7
packages/guardian/examples/aggregate-boundary/domain/aggregates/product/Product.ts Normal file
View File

@@ -0,0 +1,7 @@
export class Product {
public price: number
constructor(price: number) {
this.price = price
}
}

7
packages/guardian/examples/aggregate-boundary/domain/aggregates/user/User.ts Normal file
View File

@@ -0,0 +1,7 @@
export class User {
public email: string
constructor(email: string) {
this.email = email
}
}

40
packages/guardian/examples/aggregate-boundary/good/Order-IdReference.ts Normal file
View File

@@ -0,0 +1,40 @@
/**
* ✅ GOOD EXAMPLE: Reference by ID
*
* Best Practice: Order aggregate references other aggregates only by their IDs
*
* Benefits:
* 1. Loose coupling between aggregates
* 2. Each aggregate can be modified independently
* 3. Follows DDD aggregate boundary principles
* 4. Clear separation of concerns
*/
import { UserId } from "../user/value-objects/UserId"
import { ProductId } from "../product/value-objects/ProductId"
export class Order {
private id: string
private userId: UserId
private productId: ProductId
private quantity: number
constructor(id: string, userId: UserId, productId: ProductId, quantity: number) {
this.id = id
this.userId = userId
this.productId = productId
this.quantity = quantity
}
getUserId(): UserId {
return this.userId
}
getProductId(): ProductId {
return this.productId
}
getQuantity(): number {
return this.quantity
}
}

61
packages/guardian/examples/aggregate-boundary/good/Order-ValueObject.ts Normal file
View File

@@ -0,0 +1,61 @@
/**
* ✅ GOOD EXAMPLE: Using Value Objects for Needed Data
*
* Best Practice: When Order needs specific data from other aggregates,
* use Value Objects to store that data (denormalization)
*
* Benefits:
* 1. Order aggregate has all data it needs
* 2. No runtime dependency on other aggregates
* 3. Better performance (no joins needed)
* 4. Clear contract through Value Objects
*/
import { UserId } from "../user/value-objects/UserId"
import { ProductId } from "../product/value-objects/ProductId"
export class CustomerInfo {
constructor(
readonly customerId: UserId,
readonly customerName: string,
readonly customerEmail: string,
) {}
}
export class ProductInfo {
constructor(
readonly productId: ProductId,
readonly productName: string,
readonly productPrice: number,
) {}
}
export class Order {
private id: string
private customer: CustomerInfo
private product: ProductInfo
private quantity: number
constructor(id: string, customer: CustomerInfo, product: ProductInfo, quantity: number) {
this.id = id
this.customer = customer
this.product = product
this.quantity = quantity
}
getCustomerEmail(): string {
return this.customer.customerEmail
}
calculateTotal(): number {
return this.product.productPrice * this.quantity
}
getCustomerInfo(): CustomerInfo {
return this.customer
}
getProductInfo(): ProductInfo {
return this.product
}
}

4
packages/guardian/package.json
View File

@@ -1,7 +1,7 @@
{
"name": "@samiyev/guardian",
"version": "0.5.0",
"description": "Code quality guardian for vibe coders and enterprise teams - catch hardcodes, architecture violations, and circular deps. Enforce Clean Architecture at scale. Works with Claude, GPT, Copilot.",
"version": "0.7.1",
"description": "Research-backed code quality guardian for AI-assisted development. Detects hardcodes, circular deps, framework leaks, entity exposure, and 8 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, Windsurf, Claude, ChatGPT, Cline, and any AI coding tool.",
"keywords": [
"puaros",
"guardian",

5
packages/guardian/src/api.ts
View File

@@ -11,6 +11,7 @@ import { IFrameworkLeakDetector } from "./domain/services/IFrameworkLeakDetector
import { IEntityExposureDetector } from "./domain/services/IEntityExposureDetector"
import { IDependencyDirectionDetector } from "./domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "./domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "./domain/services/IAggregateBoundaryDetector"
import { FileScanner } from "./infrastructure/scanners/FileScanner"
import { CodeParser } from "./infrastructure/parsers/CodeParser"
import { HardcodeDetector } from "./infrastructure/analyzers/HardcodeDetector"
@@ -19,6 +20,7 @@ import { FrameworkLeakDetector } from "./infrastructure/analyzers/FrameworkLeakD
import { EntityExposureDetector } from "./infrastructure/analyzers/EntityExposureDetector"
import { DependencyDirectionDetector } from "./infrastructure/analyzers/DependencyDirectionDetector"
import { RepositoryPatternDetector } from "./infrastructure/analyzers/RepositoryPatternDetector"
import { AggregateBoundaryDetector } from "./infrastructure/analyzers/AggregateBoundaryDetector"
import { ERROR_MESSAGES } from "./shared/constants"
/**
@@ -76,6 +78,7 @@ export async function analyzeProject(
const dependencyDirectionDetector: IDependencyDirectionDetector =
new DependencyDirectionDetector()
const repositoryPatternDetector: IRepositoryPatternDetector = new RepositoryPatternDetector()
const aggregateBoundaryDetector: IAggregateBoundaryDetector = new AggregateBoundaryDetector()
const useCase = new AnalyzeProject(
fileScanner,
codeParser,
@@ -85,6 +88,7 @@ export async function analyzeProject(
entityExposureDetector,
dependencyDirectionDetector,
repositoryPatternDetector,
aggregateBoundaryDetector,
)
const result = await useCase.execute(options)
@@ -107,5 +111,6 @@ export type {
EntityExposureViolation,
DependencyDirectionViolation,
RepositoryPatternViolation,
AggregateBoundaryViolation,
ProjectMetrics,
} from "./application/use-cases/AnalyzeProject"

105
packages/guardian/src/application/use-cases/AnalyzeProject.ts
View File

@@ -8,6 +8,7 @@ import { IFrameworkLeakDetector } from "../../domain/services/IFrameworkLeakDete
import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDetector"
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
import { IAggregateBoundaryDetector } from "../../domain/services/IAggregateBoundaryDetector"
import { SourceFile } from "../../domain/entities/SourceFile"
import { DependencyGraph } from "../../domain/entities/DependencyGraph"
import { ProjectPath } from "../../domain/value-objects/ProjectPath"
@@ -19,7 +20,9 @@ import {
REGEX_PATTERNS,
REPOSITORY_VIOLATION_TYPES,
RULES,
SEVERITY_LEVELS,
SEVERITY_ORDER,
type SeverityLevel,
VIOLATION_SEVERITY_MAP,
} from "../../shared/constants"
export interface AnalyzeProjectRequest {
@@ -39,6 +42,7 @@ export interface AnalyzeProjectResponse {
entityExposureViolations: EntityExposureViolation[]
dependencyDirectionViolations: DependencyDirectionViolation[]
repositoryPatternViolations: RepositoryPatternViolation[]
aggregateBoundaryViolations: AggregateBoundaryViolation[]
metrics: ProjectMetrics
}
@@ -47,6 +51,7 @@ export interface ArchitectureViolation {
message: string
file: string
line?: number
severity: SeverityLevel
}
export interface HardcodeViolation {
@@ -64,13 +69,14 @@ export interface HardcodeViolation {
constantName: string
location: string
}
severity: SeverityLevel
}
export interface CircularDependencyViolation {
rule: typeof RULES.CIRCULAR_DEPENDENCY
message: string
cycle: string[]
severity: typeof SEVERITY_LEVELS.ERROR
severity: SeverityLevel
}
export interface NamingConventionViolation {
@@ -88,6 +94,7 @@ export interface NamingConventionViolation {
actual: string
message: string
suggestion?: string
severity: SeverityLevel
}
export interface FrameworkLeakViolation {
@@ -100,6 +107,7 @@ export interface FrameworkLeakViolation {
line?: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface EntityExposureViolation {
@@ -112,6 +120,7 @@ export interface EntityExposureViolation {
methodName?: string
message: string
suggestion: string
severity: SeverityLevel
}
export interface DependencyDirectionViolation {
@@ -123,6 +132,7 @@ export interface DependencyDirectionViolation {
line?: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface RepositoryPatternViolation {
@@ -138,6 +148,20 @@ export interface RepositoryPatternViolation {
details: string
message: string
suggestion: string
severity: SeverityLevel
}
export interface AggregateBoundaryViolation {
rule: typeof RULES.AGGREGATE_BOUNDARY
fromAggregate: string
toAggregate: string
entityName: string
importPath: string
file: string
line?: number
message: string
suggestion: string
severity: SeverityLevel
}
export interface ProjectMetrics {
@@ -163,6 +187,7 @@ export class AnalyzeProject extends UseCase<
private readonly entityExposureDetector: IEntityExposureDetector,
private readonly dependencyDirectionDetector: IDependencyDirectionDetector,
private readonly repositoryPatternDetector: IRepositoryPatternDetector,
private readonly aggregateBoundaryDetector: IAggregateBoundaryDetector,
) {
super()
}
@@ -207,14 +232,27 @@ export class AnalyzeProject extends UseCase<
}
}
const violations = this.detectViolations(sourceFiles)
const hardcodeViolations = this.detectHardcode(sourceFiles)
const circularDependencyViolations = this.detectCircularDependencies(dependencyGraph)
const namingViolations = this.detectNamingConventions(sourceFiles)
const frameworkLeakViolations = this.detectFrameworkLeaks(sourceFiles)
const entityExposureViolations = this.detectEntityExposures(sourceFiles)
const dependencyDirectionViolations = this.detectDependencyDirections(sourceFiles)
const repositoryPatternViolations = this.detectRepositoryPatternViolations(sourceFiles)
const violations = this.sortBySeverity(this.detectViolations(sourceFiles))
const hardcodeViolations = this.sortBySeverity(this.detectHardcode(sourceFiles))
const circularDependencyViolations = this.sortBySeverity(
this.detectCircularDependencies(dependencyGraph),
)
const namingViolations = this.sortBySeverity(this.detectNamingConventions(sourceFiles))
const frameworkLeakViolations = this.sortBySeverity(
this.detectFrameworkLeaks(sourceFiles),
)
const entityExposureViolations = this.sortBySeverity(
this.detectEntityExposures(sourceFiles),
)
const dependencyDirectionViolations = this.sortBySeverity(
this.detectDependencyDirections(sourceFiles),
)
const repositoryPatternViolations = this.sortBySeverity(
this.detectRepositoryPatternViolations(sourceFiles),
)
const aggregateBoundaryViolations = this.sortBySeverity(
this.detectAggregateBoundaryViolations(sourceFiles),
)
const metrics = this.calculateMetrics(sourceFiles, totalFunctions, dependencyGraph)
return ResponseDto.ok({
@@ -228,6 +266,7 @@ export class AnalyzeProject extends UseCase<
entityExposureViolations,
dependencyDirectionViolations,
repositoryPatternViolations,
aggregateBoundaryViolations,
metrics,
})
} catch (error) {
@@ -294,6 +333,7 @@ export class AnalyzeProject extends UseCase<
rule: RULES.CLEAN_ARCHITECTURE,
message: `Layer "${file.layer}" cannot import from "${importedLayer}"`,
file: file.path.relative,
severity: VIOLATION_SEVERITY_MAP.ARCHITECTURE,
})
}
}
@@ -336,6 +376,7 @@ export class AnalyzeProject extends UseCase<
constantName: hardcoded.suggestConstantName(),
location: hardcoded.suggestLocation(file.layer),
},
severity: VIOLATION_SEVERITY_MAP.HARDCODE,
})
}
}
@@ -355,7 +396,7 @@ export class AnalyzeProject extends UseCase<
rule: RULES.CIRCULAR_DEPENDENCY,
message: `Circular dependency detected: ${cycleChain}`,
cycle,
severity: SEVERITY_LEVELS.ERROR,
severity: VIOLATION_SEVERITY_MAP.CIRCULAR_DEPENDENCY,
})
}
@@ -383,6 +424,7 @@ export class AnalyzeProject extends UseCase<
actual: violation.actual,
message: violation.getMessage(),
suggestion: violation.suggestion,
severity: VIOLATION_SEVERITY_MAP.NAMING_CONVENTION,
})
}
}
@@ -411,6 +453,7 @@ export class AnalyzeProject extends UseCase<
line: leak.line,
message: leak.getMessage(),
suggestion: leak.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.FRAMEWORK_LEAK,
})
}
}
@@ -439,6 +482,7 @@ export class AnalyzeProject extends UseCase<
methodName: exposure.methodName,
message: exposure.getMessage(),
suggestion: exposure.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.ENTITY_EXPOSURE,
})
}
}
@@ -466,6 +510,7 @@ export class AnalyzeProject extends UseCase<
line: violation.line,
message: violation.getMessage(),
suggestion: violation.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.DEPENDENCY_DIRECTION,
})
}
}
@@ -499,6 +544,38 @@ export class AnalyzeProject extends UseCase<
details: violation.details,
message: violation.getMessage(),
suggestion: violation.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.REPOSITORY_PATTERN,
})
}
}
return violations
}
private detectAggregateBoundaryViolations(
sourceFiles: SourceFile[],
): AggregateBoundaryViolation[] {
const violations: AggregateBoundaryViolation[] = []
for (const file of sourceFiles) {
const boundaryViolations = this.aggregateBoundaryDetector.detectViolations(
file.content,
file.path.relative,
file.layer,
)
for (const violation of boundaryViolations) {
violations.push({
rule: RULES.AGGREGATE_BOUNDARY,
fromAggregate: violation.fromAggregate,
toAggregate: violation.toAggregate,
entityName: violation.entityName,
importPath: violation.importPath,
file: file.path.relative,
line: violation.line,
message: violation.getMessage(),
suggestion: violation.getSuggestion(),
severity: VIOLATION_SEVERITY_MAP.AGGREGATE_BOUNDARY,
})
}
}
@@ -528,4 +605,10 @@ export class AnalyzeProject extends UseCase<
layerDistribution,
}
}
private sortBySeverity<T extends { severity: SeverityLevel }>(violations: T[]): T[] {
return violations.sort((a, b) => {
return SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]
})
}
}

91
packages/guardian/src/cli/constants.ts
View File

@@ -13,13 +13,43 @@ export const CLI_COMMANDS = {
} as const
export const CLI_DESCRIPTIONS = {
MAIN: "🛡️ Code quality guardian - detect hardcoded values and architecture violations",
CHECK: "Analyze project for code quality issues",
PATH_ARG: "Path to analyze",
EXCLUDE_OPTION: "Directories to exclude",
VERBOSE_OPTION: "Verbose output",
NO_HARDCODE_OPTION: "Skip hardcode detection",
NO_ARCHITECTURE_OPTION: "Skip architecture checks",
MAIN:
"🛡️ Guardian - Code quality analyzer for TypeScript/JavaScript projects\n\n" +
"DETECTS:\n" +
" • Hardcoded values (magic numbers/strings) - extract to constants\n" +
" • Circular dependencies - refactor module structure\n" +
" • Framework leaks in domain - move framework imports to infrastructure\n" +
" • Naming violations - rename files to match layer conventions\n" +
" • Architecture violations - respect Clean Architecture layers\n" +
" • Entity exposure - use DTOs instead of returning entities\n" +
" • Dependency direction - ensure dependencies flow inward\n" +
" • Repository pattern - enforce repository interfaces in domain\n\n" +
"SEVERITY LEVELS:\n" +
" 🔴 CRITICAL - Must fix immediately (breaks architecture)\n" +
" 🟠 HIGH - Should fix soon (major quality issue)\n" +
" 🟡 MEDIUM - Should fix (moderate quality issue)\n" +
" 🟢 LOW - Nice to fix (minor quality issue)\n\n" +
"BACKED BY RESEARCH:\n" +
" Guardian's rules are based on established software engineering principles\n" +
" from MIT, Martin Fowler, Robert C. Martin, and industry standards.\n" +
" Learn more: https://github.com/samiyev/puaros/blob/main/packages/guardian/docs/WHY.md",
CHECK:
"Analyze project for code quality and architecture issues\n\n" +
"WORKFLOW:\n" +
" 1. Run: guardian check ./src\n" +
" 2. Review violations by severity\n" +
" 3. Read the suggestion for each violation\n" +
" 4. Fix violations starting with CRITICAL\n" +
" 5. Re-run to verify fixes",
PATH_ARG: "Path to analyze (e.g., ./src or ./packages/api)",
EXCLUDE_OPTION:
"Exclude dirs/patterns (default: node_modules,dist,build,coverage,tests,**/*.test.ts)",
VERBOSE_OPTION: "Show additional help and analysis details",
NO_HARDCODE_OPTION: "Skip hardcode detection (only check architecture)",
NO_ARCHITECTURE_OPTION: "Skip architecture checks (only check hardcodes)",
MIN_SEVERITY_OPTION: "Filter by severity: critical|high|medium|low (e.g., --min-severity high)",
ONLY_CRITICAL_OPTION: "Show only 🔴 CRITICAL issues (shortcut for --min-severity critical)",
LIMIT_OPTION: "Limit violations shown per category (e.g., -l 10 shows first 10)",
} as const
export const CLI_OPTIONS = {
@@ -27,6 +57,24 @@ export const CLI_OPTIONS = {
VERBOSE: "-v, --verbose",
NO_HARDCODE: "--no-hardcode",
NO_ARCHITECTURE: "--no-architecture",
MIN_SEVERITY: "--min-severity <level>",
ONLY_CRITICAL: "--only-critical",
LIMIT: "-l, --limit <number>",
} as const
export const SEVERITY_DISPLAY_LABELS = {
CRITICAL: "🔴 CRITICAL",
HIGH: "🟠 HIGH",
MEDIUM: "🟡 MEDIUM",
LOW: "🟢 LOW",
} as const
export const SEVERITY_SECTION_HEADERS = {
CRITICAL:
"\n═══════════════════════════════════════════\n🔴 CRITICAL SEVERITY\n═══════════════════════════════════════════",
HIGH: "\n═══════════════════════════════════════════\n🟠 HIGH SEVERITY\n═══════════════════════════════════════════",
MEDIUM: "\n═══════════════════════════════════════════\n🟡 MEDIUM SEVERITY\n═══════════════════════════════════════════",
LOW: "\n═══════════════════════════════════════════\n🟢 LOW SEVERITY\n═══════════════════════════════════════════",
} as const
export const CLI_ARGUMENTS = {
@@ -74,3 +122,32 @@ export const CLI_LABELS = {
HARDCODE_VIOLATIONS: "hardcoded values:",
ISSUES_TOTAL: "issues total",
} as const
export const CLI_HELP_TEXT = {
POSITION: "after",
EXAMPLES_HEADER: "\nEXAMPLES:\n",
EXAMPLE_BASIC: " $ guardian check ./src # Analyze src directory\n",
EXAMPLE_CRITICAL:
" $ guardian check ./src --only-critical # Show only critical issues\n",
EXAMPLE_SEVERITY:
" $ guardian check ./src --min-severity high # Show high and critical\n",
EXAMPLE_LIMIT:
" $ guardian check ./src --limit 10 # Limit output to 10 per category\n",
EXAMPLE_NO_HARDCODE:
" $ guardian check ./src --no-hardcode # Skip hardcode detection\n",
EXAMPLE_NO_ARCHITECTURE:
" $ guardian check ./src --no-architecture # Skip architecture checks\n",
EXAMPLE_EXCLUDE:
" $ guardian check ./src -e dist build # Exclude additional dirs\n\n",
FIX_HEADER: "HOW TO FIX COMMON ISSUES:\n",
FIX_HARDCODE: " Hardcoded values → Extract to constants file\n",
FIX_CIRCULAR: " Circular deps → Break cycle by extracting shared code\n",
FIX_FRAMEWORK: " Framework leaks → Move Express/NestJS imports to infrastructure layer\n",
FIX_NAMING: " Naming violations → Rename file (e.g., UserEntity.ts, CreateUserUseCase.ts)\n",
FIX_ENTITY: " Entity exposure → Create DTO and map entity to DTO before returning\n",
FIX_DEPENDENCY:
" Dependency direction → Move import to correct layer (domain ← app ← infra)\n",
FIX_REPOSITORY:
" Repository pattern → Create IUserRepository in domain, implement in infra\n\n",
FOOTER: "Each violation includes a 💡 Suggestion with specific fix instructions.\n",
} as const

418
packages/guardian/src/cli/index.ts
View File

@@ -6,15 +6,124 @@ import {
CLI_ARGUMENTS,
CLI_COMMANDS,
CLI_DESCRIPTIONS,
CLI_HELP_TEXT,
CLI_LABELS,
CLI_MESSAGES,
CLI_OPTIONS,
DEFAULT_EXCLUDES,
SEVERITY_DISPLAY_LABELS,
SEVERITY_SECTION_HEADERS,
} from "./constants"
import { SEVERITY_LEVELS, SEVERITY_ORDER, type SeverityLevel } from "../shared/constants"
const SEVERITY_LABELS: Record<SeverityLevel, string> = {
[SEVERITY_LEVELS.CRITICAL]: SEVERITY_DISPLAY_LABELS.CRITICAL,
[SEVERITY_LEVELS.HIGH]: SEVERITY_DISPLAY_LABELS.HIGH,
[SEVERITY_LEVELS.MEDIUM]: SEVERITY_DISPLAY_LABELS.MEDIUM,
[SEVERITY_LEVELS.LOW]: SEVERITY_DISPLAY_LABELS.LOW,
}
const SEVERITY_HEADER: Record<SeverityLevel, string> = {
[SEVERITY_LEVELS.CRITICAL]: SEVERITY_SECTION_HEADERS.CRITICAL,
[SEVERITY_LEVELS.HIGH]: SEVERITY_SECTION_HEADERS.HIGH,
[SEVERITY_LEVELS.MEDIUM]: SEVERITY_SECTION_HEADERS.MEDIUM,
[SEVERITY_LEVELS.LOW]: SEVERITY_SECTION_HEADERS.LOW,
}
function groupBySeverity<T extends { severity: SeverityLevel }>(
violations: T[],
): Map<SeverityLevel, T[]> {
const grouped = new Map<SeverityLevel, T[]>()
for (const violation of violations) {
const existing = grouped.get(violation.severity) ?? []
existing.push(violation)
grouped.set(violation.severity, existing)
}
return grouped
}
function filterBySeverity<T extends { severity: SeverityLevel }>(
violations: T[],
minSeverity?: SeverityLevel,
): T[] {
if (!minSeverity) {
return violations
}
const minSeverityOrder = SEVERITY_ORDER[minSeverity]
return violations.filter((v) => SEVERITY_ORDER[v.severity] <= minSeverityOrder)
}
function displayGroupedViolations<T extends { severity: SeverityLevel }>(
violations: T[],
displayFn: (v: T, index: number) => void,
limit?: number,
): void {
const grouped = groupBySeverity(violations)
const severities: SeverityLevel[] = [
SEVERITY_LEVELS.CRITICAL,
SEVERITY_LEVELS.HIGH,
SEVERITY_LEVELS.MEDIUM,
SEVERITY_LEVELS.LOW,
]
let totalDisplayed = 0
const totalAvailable = violations.length
for (const severity of severities) {
const items = grouped.get(severity)
if (items && items.length > 0) {
console.warn(SEVERITY_HEADER[severity])
console.warn(`Found ${String(items.length)} issue(s)\n`)
const itemsToDisplay =
limit !== undefined ? items.slice(0, limit - totalDisplayed) : items
itemsToDisplay.forEach((item, index) => {
displayFn(item, totalDisplayed + index)
})
totalDisplayed += itemsToDisplay.length
if (limit !== undefined && totalDisplayed >= limit) {
break
}
}
}
if (limit !== undefined && totalAvailable > limit) {
console.warn(
`\n⚠ Showing first ${String(limit)} of ${String(totalAvailable)} issues (use --limit to adjust)\n`,
)
}
}
const program = new Command()
program.name(CLI_COMMANDS.NAME).description(CLI_DESCRIPTIONS.MAIN).version(version)
program
.name(CLI_COMMANDS.NAME)
.description(CLI_DESCRIPTIONS.MAIN)
.version(version)
.addHelpText(
CLI_HELP_TEXT.POSITION,
CLI_HELP_TEXT.EXAMPLES_HEADER +
CLI_HELP_TEXT.EXAMPLE_BASIC +
CLI_HELP_TEXT.EXAMPLE_CRITICAL +
CLI_HELP_TEXT.EXAMPLE_SEVERITY +
CLI_HELP_TEXT.EXAMPLE_LIMIT +
CLI_HELP_TEXT.EXAMPLE_NO_HARDCODE +
CLI_HELP_TEXT.EXAMPLE_NO_ARCHITECTURE +
CLI_HELP_TEXT.EXAMPLE_EXCLUDE +
CLI_HELP_TEXT.FIX_HEADER +
CLI_HELP_TEXT.FIX_HARDCODE +
CLI_HELP_TEXT.FIX_CIRCULAR +
CLI_HELP_TEXT.FIX_FRAMEWORK +
CLI_HELP_TEXT.FIX_NAMING +
CLI_HELP_TEXT.FIX_ENTITY +
CLI_HELP_TEXT.FIX_DEPENDENCY +
CLI_HELP_TEXT.FIX_REPOSITORY +
CLI_HELP_TEXT.FOOTER,
)
program
.command(CLI_COMMANDS.CHECK)
@@ -24,6 +133,9 @@ program
.option(CLI_OPTIONS.VERBOSE, CLI_DESCRIPTIONS.VERBOSE_OPTION, false)
.option(CLI_OPTIONS.NO_HARDCODE, CLI_DESCRIPTIONS.NO_HARDCODE_OPTION)
.option(CLI_OPTIONS.NO_ARCHITECTURE, CLI_DESCRIPTIONS.NO_ARCHITECTURE_OPTION)
.option(CLI_OPTIONS.MIN_SEVERITY, CLI_DESCRIPTIONS.MIN_SEVERITY_OPTION)
.option(CLI_OPTIONS.ONLY_CRITICAL, CLI_DESCRIPTIONS.ONLY_CRITICAL_OPTION, false)
.option(CLI_OPTIONS.LIMIT, CLI_DESCRIPTIONS.LIMIT_OPTION)
.action(async (path: string, options) => {
try {
console.log(CLI_MESSAGES.ANALYZING)
@@ -33,16 +145,61 @@ program
exclude: options.exclude,
})
const {
const { metrics } = result
let {
hardcodeViolations,
violations,
circularDependencyViolations,
namingViolations,
frameworkLeakViolations,
entityExposureViolations,
metrics,
dependencyDirectionViolations,
repositoryPatternViolations,
aggregateBoundaryViolations,
} = result
const minSeverity: SeverityLevel | undefined = options.onlyCritical
? SEVERITY_LEVELS.CRITICAL
: options.minSeverity
? (options.minSeverity.toLowerCase() as SeverityLevel)
: undefined
const limit: number | undefined = options.limit
? parseInt(options.limit, 10)
: undefined
if (minSeverity) {
violations = filterBySeverity(violations, minSeverity)
hardcodeViolations = filterBySeverity(hardcodeViolations, minSeverity)
circularDependencyViolations = filterBySeverity(
circularDependencyViolations,
minSeverity,
)
namingViolations = filterBySeverity(namingViolations, minSeverity)
frameworkLeakViolations = filterBySeverity(frameworkLeakViolations, minSeverity)
entityExposureViolations = filterBySeverity(entityExposureViolations, minSeverity)
dependencyDirectionViolations = filterBySeverity(
dependencyDirectionViolations,
minSeverity,
)
repositoryPatternViolations = filterBySeverity(
repositoryPatternViolations,
minSeverity,
)
aggregateBoundaryViolations = filterBySeverity(
aggregateBoundaryViolations,
minSeverity,
)
if (options.onlyCritical) {
console.log("\n🔴 Filtering: Showing only CRITICAL severity issues\n")
} else {
console.log(
`\n⚠ Filtering: Showing ${minSeverity.toUpperCase()} severity and above\n`,
)
}
}
// Display metrics
console.log(CLI_MESSAGES.METRICS_HEADER)
console.log(` ${CLI_LABELS.FILES_ANALYZED} ${String(metrics.totalFiles)}`)
@@ -59,118 +216,220 @@ program
// Architecture violations
if (options.architecture && violations.length > 0) {
console.log(
`${CLI_MESSAGES.VIOLATIONS_HEADER} ${String(violations.length)} ${CLI_LABELS.ARCHITECTURE_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.VIOLATIONS_HEADER} ${String(violations.length)} ${CLI_LABELS.ARCHITECTURE_VIOLATIONS}`,
)
violations.forEach((v, index) => {
console.log(`${String(index + 1)}. ${v.file}`)
console.log(` Rule: ${v.rule}`)
console.log(` ${v.message}`)
console.log("")
})
displayGroupedViolations(
violations,
(v, index) => {
console.log(`${String(index + 1)}. ${v.file}`)
console.log(` Severity: ${SEVERITY_LABELS[v.severity]}`)
console.log(` Rule: ${v.rule}`)
console.log(` ${v.message}`)
console.log("")
},
limit,
)
}
// Circular dependency violations
if (options.architecture && circularDependencyViolations.length > 0) {
console.log(
`${CLI_MESSAGES.CIRCULAR_DEPS_HEADER} ${String(circularDependencyViolations.length)} ${CLI_LABELS.CIRCULAR_DEPENDENCIES}\n`,
`\n${CLI_MESSAGES.CIRCULAR_DEPS_HEADER} ${String(circularDependencyViolations.length)} ${CLI_LABELS.CIRCULAR_DEPENDENCIES}`,
)
circularDependencyViolations.forEach((cd, index) => {
console.log(`${String(index + 1)}. ${cd.message}`)
console.log(` Severity: ${cd.severity}`)
console.log(" Cycle path:")
cd.cycle.forEach((file, i) => {
console.log(` ${String(i + 1)}. ${file}`)
})
console.log(
` ${String(cd.cycle.length + 1)}. ${cd.cycle[0]} (back to start)`,
)
console.log("")
})
displayGroupedViolations(
circularDependencyViolations,
(cd, index) => {
console.log(`${String(index + 1)}. ${cd.message}`)
console.log(` Severity: ${SEVERITY_LABELS[cd.severity]}`)
console.log(" Cycle path:")
cd.cycle.forEach((file, i) => {
console.log(` ${String(i + 1)}. ${file}`)
})
console.log(
` ${String(cd.cycle.length + 1)}. ${cd.cycle[0]} (back to start)`,
)
console.log("")
},
limit,
)
}
// Naming convention violations
if (options.architecture && namingViolations.length > 0) {
console.log(
`${CLI_MESSAGES.NAMING_VIOLATIONS_HEADER} ${String(namingViolations.length)} ${CLI_LABELS.NAMING_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.NAMING_VIOLATIONS_HEADER} ${String(namingViolations.length)} ${CLI_LABELS.NAMING_VIOLATIONS}`,
)
namingViolations.forEach((nc, index) => {
console.log(`${String(index + 1)}. ${nc.file}`)
console.log(` File: ${nc.fileName}`)
console.log(` Layer: ${nc.layer}`)
console.log(` Type: ${nc.type}`)
console.log(` Message: ${nc.message}`)
if (nc.suggestion) {
console.log(` 💡 Suggestion: ${nc.suggestion}`)
}
console.log("")
})
displayGroupedViolations(
namingViolations,
(nc, index) => {
console.log(`${String(index + 1)}. ${nc.file}`)
console.log(` Severity: ${SEVERITY_LABELS[nc.severity]}`)
console.log(` File: ${nc.fileName}`)
console.log(` Layer: ${nc.layer}`)
console.log(` Type: ${nc.type}`)
console.log(` Message: ${nc.message}`)
if (nc.suggestion) {
console.log(` 💡 Suggestion: ${nc.suggestion}`)
}
console.log("")
},
limit,
)
}
// Framework leak violations
if (options.architecture && frameworkLeakViolations.length > 0) {
console.log(
`\n🏗 Found ${String(frameworkLeakViolations.length)} framework leak(s):\n`,
`\n🏗 Found ${String(frameworkLeakViolations.length)} framework leak(s)`,
)
frameworkLeakViolations.forEach((fl, index) => {
console.log(`${String(index + 1)}. ${fl.file}`)
console.log(` Package: ${fl.packageName}`)
console.log(` Category: ${fl.categoryDescription}`)
console.log(` Layer: ${fl.layer}`)
console.log(` Rule: ${fl.rule}`)
console.log(` ${fl.message}`)
console.log(` 💡 Suggestion: ${fl.suggestion}`)
console.log("")
})
displayGroupedViolations(
frameworkLeakViolations,
(fl, index) => {
console.log(`${String(index + 1)}. ${fl.file}`)
console.log(` Severity: ${SEVERITY_LABELS[fl.severity]}`)
console.log(` Package: ${fl.packageName}`)
console.log(` Category: ${fl.categoryDescription}`)
console.log(` Layer: ${fl.layer}`)
console.log(` Rule: ${fl.rule}`)
console.log(` ${fl.message}`)
console.log(` 💡 Suggestion: ${fl.suggestion}`)
console.log("")
},
limit,
)
}
// Entity exposure violations
if (options.architecture && entityExposureViolations.length > 0) {
console.log(
`\n🎭 Found ${String(entityExposureViolations.length)} entity exposure(s):\n`,
`\n🎭 Found ${String(entityExposureViolations.length)} entity exposure(s)`,
)
entityExposureViolations.forEach((ee, index) => {
const location = ee.line ? `${ee.file}:${String(ee.line)}` : ee.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Entity: ${ee.entityName}`)
console.log(` Return Type: ${ee.returnType}`)
if (ee.methodName) {
console.log(` Method: ${ee.methodName}`)
}
console.log(` Layer: ${ee.layer}`)
console.log(` Rule: ${ee.rule}`)
console.log(` ${ee.message}`)
console.log(" 💡 Suggestion:")
ee.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
displayGroupedViolations(
entityExposureViolations,
(ee, index) => {
const location = ee.line ? `${ee.file}:${String(ee.line)}` : ee.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[ee.severity]}`)
console.log(` Entity: ${ee.entityName}`)
console.log(` Return Type: ${ee.returnType}`)
if (ee.methodName) {
console.log(` Method: ${ee.methodName}`)
}
})
console.log("")
})
console.log(` Layer: ${ee.layer}`)
console.log(` Rule: ${ee.rule}`)
console.log(` ${ee.message}`)
console.log(" 💡 Suggestion:")
ee.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
},
limit,
)
}
// Dependency direction violations
if (options.architecture && dependencyDirectionViolations.length > 0) {
console.log(
`\n⚠ Found ${String(dependencyDirectionViolations.length)} dependency direction violation(s)`,
)
displayGroupedViolations(
dependencyDirectionViolations,
(dd, index) => {
console.log(`${String(index + 1)}. ${dd.file}`)
console.log(` Severity: ${SEVERITY_LABELS[dd.severity]}`)
console.log(` From Layer: ${dd.fromLayer}`)
console.log(` To Layer: ${dd.toLayer}`)
console.log(` Import: ${dd.importPath}`)
console.log(` ${dd.message}`)
console.log(` 💡 Suggestion: ${dd.suggestion}`)
console.log("")
},
limit,
)
}
// Repository pattern violations
if (options.architecture && repositoryPatternViolations.length > 0) {
console.log(
`\n📦 Found ${String(repositoryPatternViolations.length)} repository pattern violation(s)`,
)
displayGroupedViolations(
repositoryPatternViolations,
(rp, index) => {
console.log(`${String(index + 1)}. ${rp.file}`)
console.log(` Severity: ${SEVERITY_LABELS[rp.severity]}`)
console.log(` Layer: ${rp.layer}`)
console.log(` Type: ${rp.violationType}`)
console.log(` Details: ${rp.details}`)
console.log(` ${rp.message}`)
console.log(` 💡 Suggestion: ${rp.suggestion}`)
console.log("")
},
limit,
)
}
// Aggregate boundary violations
if (options.architecture && aggregateBoundaryViolations.length > 0) {
console.log(
`\n🔒 Found ${String(aggregateBoundaryViolations.length)} aggregate boundary violation(s)`,
)
displayGroupedViolations(
aggregateBoundaryViolations,
(ab, index) => {
const location = ab.line ? `${ab.file}:${String(ab.line)}` : ab.file
console.log(`${String(index + 1)}. ${location}`)
console.log(` Severity: ${SEVERITY_LABELS[ab.severity]}`)
console.log(` From Aggregate: ${ab.fromAggregate}`)
console.log(` To Aggregate: ${ab.toAggregate}`)
console.log(` Entity: ${ab.entityName}`)
console.log(` Import: ${ab.importPath}`)
console.log(` ${ab.message}`)
console.log(" 💡 Suggestion:")
ab.suggestion.split("\n").forEach((line) => {
if (line.trim()) {
console.log(` ${line}`)
}
})
console.log("")
},
limit,
)
}
// Hardcode violations
if (options.hardcode && hardcodeViolations.length > 0) {
console.log(
`${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}\n`,
`\n${CLI_MESSAGES.HARDCODE_VIOLATIONS_HEADER} ${String(hardcodeViolations.length)} ${CLI_LABELS.HARDCODE_VIOLATIONS}`,
)
hardcodeViolations.forEach((hc, index) => {
console.log(
`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`,
)
console.log(` Type: ${hc.type}`)
console.log(` Value: ${JSON.stringify(hc.value)}`)
console.log(` Context: ${hc.context.trim()}`)
console.log(` 💡 Suggested: ${hc.suggestion.constantName}`)
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
})
displayGroupedViolations(
hardcodeViolations,
(hc, index) => {
console.log(
`${String(index + 1)}. ${hc.file}:${String(hc.line)}:${String(hc.column)}`,
)
console.log(` Severity: ${SEVERITY_LABELS[hc.severity]}`)
console.log(` Type: ${hc.type}`)
console.log(` Value: ${JSON.stringify(hc.value)}`)
console.log(` Context: ${hc.context.trim()}`)
console.log(` 💡 Suggested: ${hc.suggestion.constantName}`)
console.log(` 📁 Location: ${hc.suggestion.location}`)
console.log("")
},
limit,
)
}
// Summary
@@ -180,7 +439,10 @@ program
circularDependencyViolations.length +
namingViolations.length +
frameworkLeakViolations.length +
entityExposureViolations.length
entityExposureViolations.length +
dependencyDirectionViolations.length +
repositoryPatternViolations.length +
aggregateBoundaryViolations.length
if (totalIssues === 0) {
console.log(CLI_MESSAGES.NO_ISSUES)

31
packages/guardian/src/domain/constants/FrameworkCategories.ts Normal file
View File

@@ -0,0 +1,31 @@
export const FRAMEWORK_CATEGORY_NAMES = {
ORM: "ORM",
WEB_FRAMEWORK: "WEB_FRAMEWORK",
HTTP_CLIENT: "HTTP_CLIENT",
VALIDATION: "VALIDATION",
DI_CONTAINER: "DI_CONTAINER",
LOGGER: "LOGGER",
CACHE: "CACHE",
MESSAGE_QUEUE: "MESSAGE_QUEUE",
EMAIL: "EMAIL",
STORAGE: "STORAGE",
TESTING: "TESTING",
TEMPLATE_ENGINE: "TEMPLATE_ENGINE",
} as const
export const FRAMEWORK_CATEGORY_DESCRIPTIONS = {
[FRAMEWORK_CATEGORY_NAMES.ORM]: "Database ORM/ODM",
[FRAMEWORK_CATEGORY_NAMES.WEB_FRAMEWORK]: "Web Framework",
[FRAMEWORK_CATEGORY_NAMES.HTTP_CLIENT]: "HTTP Client",
[FRAMEWORK_CATEGORY_NAMES.VALIDATION]: "Validation Library",
[FRAMEWORK_CATEGORY_NAMES.DI_CONTAINER]: "DI Container",
[FRAMEWORK_CATEGORY_NAMES.LOGGER]: "Logger",
[FRAMEWORK_CATEGORY_NAMES.CACHE]: "Cache",
[FRAMEWORK_CATEGORY_NAMES.MESSAGE_QUEUE]: "Message Queue",
[FRAMEWORK_CATEGORY_NAMES.EMAIL]: "Email Service",
[FRAMEWORK_CATEGORY_NAMES.STORAGE]: "Storage Service",
[FRAMEWORK_CATEGORY_NAMES.TESTING]: "Testing Framework",
[FRAMEWORK_CATEGORY_NAMES.TEMPLATE_ENGINE]: "Template Engine",
} as const
export const DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION = "Framework Package"

62
packages/guardian/src/domain/constants/Messages.ts Normal file
View File

@@ -0,0 +1,62 @@
export const DEPENDENCY_VIOLATION_MESSAGES = {
DOMAIN_INDEPENDENCE: "Domain layer should be independent and not depend on other layers",
DOMAIN_MOVE_TO_DOMAIN:
"Move the imported code to the domain layer if it contains business logic",
DOMAIN_USE_DI:
"Use dependency inversion: define an interface in domain and implement it in infrastructure",
APPLICATION_NO_INFRA: "Application layer should not depend on infrastructure",
APPLICATION_DEFINE_PORT: "Define an interface (Port) in application layer",
APPLICATION_IMPLEMENT_ADAPTER: "Implement the interface (Adapter) in infrastructure layer",
APPLICATION_USE_DI: "Use dependency injection to provide the implementation",
}
export const ENTITY_EXPOSURE_MESSAGES = {
METHOD_DEFAULT: "Method",
METHOD_DEFAULT_NAME: "getEntity",
}
export const FRAMEWORK_LEAK_MESSAGES = {
DEFAULT_MESSAGE: "Domain layer should not depend on external frameworks",
}
export const REPOSITORY_PATTERN_MESSAGES = {
UNKNOWN_TYPE: "Unknown",
CONSTRUCTOR: "constructor",
DEFAULT_SUGGESTION: "Follow Repository Pattern best practices",
NO_EXAMPLE: "// No example available",
STEP_REMOVE_ORM_TYPES: "1. Remove ORM-specific types from repository interface",
STEP_USE_DOMAIN_TYPES: "2. Use domain types (entities, value objects) instead",
STEP_KEEP_CLEAN: "3. Keep repository interface clean and persistence-agnostic",
STEP_DEPEND_ON_INTERFACE: "1. Depend on repository interface (IUserRepository) in constructor",
STEP_MOVE_TO_INFRASTRUCTURE: "2. Move concrete implementation to infrastructure layer",
STEP_USE_DI: "3. Use dependency injection to provide implementation",
STEP_REMOVE_NEW: "1. Remove 'new Repository()' from use case",
STEP_INJECT_CONSTRUCTOR: "2. Inject repository through constructor",
STEP_CONFIGURE_DI: "3. Configure dependency injection container",
STEP_RENAME_METHOD: "1. Rename method to use domain language",
STEP_REFLECT_BUSINESS: "2. Method names should reflect business operations",
STEP_AVOID_TECHNICAL: "3. Avoid technical database terms (query, insert, select)",
EXAMPLE_PREFIX: "Example:",
BAD_ORM_EXAMPLE: "❌ Bad: findOne(query: Prisma.UserWhereInput)",
GOOD_DOMAIN_EXAMPLE: "✅ Good: findById(id: UserId): Promise<User | null>",
BAD_NEW_REPO: "❌ Bad: const repo = new UserRepository()",
GOOD_INJECT_REPO: "✅ Good: constructor(private readonly userRepo: IUserRepository) {}",
SUGGESTION_FINDONE: "findById",
SUGGESTION_FINDMANY: "findAll or findByFilter",
SUGGESTION_INSERT: "save or create",
SUGGESTION_UPDATE: "save",
SUGGESTION_DELETE: "remove or delete",
SUGGESTION_QUERY: "find or search",
}
export const REPOSITORY_FALLBACK_SUGGESTIONS = {
DEFAULT: "findById() or findByEmail()",
}
export const AGGREGATE_VIOLATION_MESSAGES = {
USE_ID_REFERENCE: "1. Reference other aggregates by ID (UserId, OrderId) instead of entity",
USE_VALUE_OBJECT:
"2. Use Value Objects to store needed data from other aggregates (CustomerInfo, ProductSummary)",
AVOID_DIRECT_REFERENCE: "3. Avoid direct entity references to maintain aggregate independence",
MAINTAIN_INDEPENDENCE: "4. Each aggregate should be independently modifiable and deployable",
}

2
packages/guardian/src/domain/entities/DependencyGraph.ts
View File

@@ -94,7 +94,7 @@ export class DependencyGraph extends BaseEntity {
totalDependencies: number
avgDependencies: number
maxDependencies: number
} {
} {
const nodes = Array.from(this.nodes.values())
const totalFiles = nodes.length
const totalDependencies = nodes.reduce((sum, node) => sum + node.dependencies.length, 0)

1
packages/guardian/src/domain/index.ts
View File

@@ -6,7 +6,6 @@ export * from "./value-objects/ProjectPath"
export * from "./value-objects/HardcodedValue"
export * from "./value-objects/NamingViolation"
export * from "./value-objects/RepositoryViolation"
export * from "./repositories/IBaseRepository"
export * from "./services/IFileScanner"
export * from "./services/ICodeParser"
export * from "./services/IHardcodeDetector"

14
packages/guardian/src/domain/repositories/IBaseRepository.ts
View File

@@ -1,14 +0,0 @@
import { BaseEntity } from "../entities/BaseEntity"
/**
* Generic repository interface
* Defines standard CRUD operations for entities
*/
export interface IRepository<T extends BaseEntity> {
findById(id: string): Promise<T | null>
findAll(): Promise<T[]>
save(entity: T): Promise<T>
update(entity: T): Promise<T>
delete(id: string): Promise<boolean>
exists(id: string): Promise<boolean>
}

45
packages/guardian/src/domain/services/IAggregateBoundaryDetector.ts Normal file
View File

@@ -0,0 +1,45 @@
import { AggregateBoundaryViolation } from "../value-objects/AggregateBoundaryViolation"
/**
* Interface for detecting aggregate boundary violations in DDD
*
* Aggregate boundary violations occur when an entity from one aggregate
* directly references an entity from another aggregate. In DDD, aggregates
* should reference each other only by ID or Value Objects to maintain
* loose coupling and independence.
*/
export interface IAggregateBoundaryDetector {
/**
* Detects aggregate boundary violations in the given code
*
* Analyzes import statements to identify direct entity references
* across aggregate boundaries.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (should be 'domain')
* @returns Array of detected aggregate boundary violations
*/
detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): AggregateBoundaryViolation[]
/**
* Checks if a file path belongs to an aggregate
*
* @param filePath - The file path to check
* @returns The aggregate name if found, undefined otherwise
*/
extractAggregateFromPath(filePath: string): string | undefined
/**
* Checks if an import path references an entity from another aggregate
*
* @param importPath - The import path to analyze
* @param currentAggregate - The aggregate of the current file
* @returns True if the import crosses aggregate boundaries inappropriately
*/
isAggregateBoundaryViolation(importPath: string, currentAggregate: string): boolean
}

137
packages/guardian/src/domain/value-objects/AggregateBoundaryViolation.ts Normal file
View File

@@ -0,0 +1,137 @@
import { ValueObject } from "./ValueObject"
import { AGGREGATE_VIOLATION_MESSAGES } from "../constants/Messages"
interface AggregateBoundaryViolationProps {
readonly fromAggregate: string
readonly toAggregate: string
readonly entityName: string
readonly importPath: string
readonly filePath: string
readonly line?: number
}
/**
* Represents an aggregate boundary violation in the codebase
*
* Aggregate boundary violations occur when an entity from one aggregate
* directly references an entity from another aggregate, violating DDD principles:
* - Aggregates should reference each other only by ID or Value Objects
* - Direct entity references create tight coupling between aggregates
* - Changes to one aggregate should not require changes to another
*
* @example
* ```typescript
* // Bad: Direct entity reference across aggregates
* const violation = AggregateBoundaryViolation.create(
* 'order',
* 'user',
* 'User',
* '../user/User',
* 'src/domain/aggregates/order/Order.ts',
* 5
* )
*
* console.log(violation.getMessage())
* // "Order aggregate should not directly reference User entity from User aggregate"
* ```
*/
export class AggregateBoundaryViolation extends ValueObject<AggregateBoundaryViolationProps> {
private constructor(props: AggregateBoundaryViolationProps) {
super(props)
}
public static create(
fromAggregate: string,
toAggregate: string,
entityName: string,
importPath: string,
filePath: string,
line?: number,
): AggregateBoundaryViolation {
return new AggregateBoundaryViolation({
fromAggregate,
toAggregate,
entityName,
importPath,
filePath,
line,
})
}
public get fromAggregate(): string {
return this.props.fromAggregate
}
public get toAggregate(): string {
return this.props.toAggregate
}
public get entityName(): string {
return this.props.entityName
}
public get importPath(): string {
return this.props.importPath
}
public get filePath(): string {
return this.props.filePath
}
public get line(): number | undefined {
return this.props.line
}
public getMessage(): string {
return `${this.capitalizeFirst(this.props.fromAggregate)} aggregate should not directly reference ${this.props.entityName} entity from ${this.capitalizeFirst(this.props.toAggregate)} aggregate`
}
public getSuggestion(): string {
const suggestions: string[] = [
AGGREGATE_VIOLATION_MESSAGES.USE_ID_REFERENCE,
AGGREGATE_VIOLATION_MESSAGES.USE_VALUE_OBJECT,
AGGREGATE_VIOLATION_MESSAGES.AVOID_DIRECT_REFERENCE,
AGGREGATE_VIOLATION_MESSAGES.MAINTAIN_INDEPENDENCE,
]
return suggestions.join("\n")
}
public getExampleFix(): string {
return `
// ❌ Bad: Direct entity reference across aggregates
// domain/aggregates/order/Order.ts
import { User } from '../user/User'
class Order {
constructor(private user: User) {}
}
// ✅ Good: Reference by ID
// domain/aggregates/order/Order.ts
import { UserId } from '../user/value-objects/UserId'
class Order {
constructor(private userId: UserId) {}
}
// ✅ Good: Use Value Object for needed data
// domain/aggregates/order/value-objects/CustomerInfo.ts
class CustomerInfo {
constructor(
readonly customerId: string,
readonly customerName: string,
readonly customerEmail: string
) {}
}
// domain/aggregates/order/Order.ts
class Order {
constructor(private customerInfo: CustomerInfo) {}
}`
}
private capitalizeFirst(str: string): string {
return str.charAt(0).toUpperCase() + str.slice(1)
}
}

31
packages/guardian/src/domain/value-objects/DependencyViolation.ts
View File

@@ -1,4 +1,10 @@
import { ValueObject } from "./ValueObject"
import {
LAYER_APPLICATION,
LAYER_DOMAIN,
LAYER_INFRASTRUCTURE,
} from "../../shared/constants/layers"
import { DEPENDENCY_VIOLATION_MESSAGES } from "../constants/Messages"
interface DependencyViolationProps {
readonly fromLayer: string
@@ -81,18 +87,18 @@ export class DependencyViolation extends ValueObject<DependencyViolationProps> {
public getSuggestion(): string {
const suggestions: string[] = []
if (this.props.fromLayer === "domain") {
if (this.props.fromLayer === LAYER_DOMAIN) {
suggestions.push(
"Domain layer should be independent and not depend on other layers",
"Move the imported code to the domain layer if it contains business logic",
"Use dependency inversion: define an interface in domain and implement it in infrastructure",
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_INDEPENDENCE,
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_MOVE_TO_DOMAIN,
DEPENDENCY_VIOLATION_MESSAGES.DOMAIN_USE_DI,
)
} else if (this.props.fromLayer === "application") {
} else if (this.props.fromLayer === LAYER_APPLICATION) {
suggestions.push(
"Application layer should not depend on infrastructure",
"Define an interface (Port) in application layer",
"Implement the interface (Adapter) in infrastructure layer",
"Use dependency injection to provide the implementation",
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_NO_INFRA,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_DEFINE_PORT,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_IMPLEMENT_ADAPTER,
DEPENDENCY_VIOLATION_MESSAGES.APPLICATION_USE_DI,
)
}
@@ -100,7 +106,7 @@ export class DependencyViolation extends ValueObject<DependencyViolationProps> {
}
public getExampleFix(): string {
if (this.props.fromLayer === "domain" && this.props.toLayer === "infrastructure") {
if (this.props.fromLayer === LAYER_DOMAIN && this.props.toLayer === LAYER_INFRASTRUCTURE) {
return `
// ❌ Bad: Domain depends on Infrastructure (PrismaClient)
// domain/services/UserService.ts
@@ -128,7 +134,10 @@ class PrismaUserRepository implements IUserRepository {
}`
}
if (this.props.fromLayer === "application" && this.props.toLayer === "infrastructure") {
if (
this.props.fromLayer === LAYER_APPLICATION &&
this.props.toLayer === LAYER_INFRASTRUCTURE
) {
return `
// ❌ Bad: Application depends on Infrastructure (SmtpEmailService)
// application/use-cases/SendEmail.ts

9
packages/guardian/src/domain/value-objects/EntityExposure.ts
View File

@@ -1,4 +1,5 @@
import { ValueObject } from "./ValueObject"
import { ENTITY_EXPOSURE_MESSAGES } from "../constants/Messages"
interface EntityExposureProps {
readonly entityName: string
@@ -80,7 +81,9 @@ export class EntityExposure extends ValueObject<EntityExposureProps> {
}
public getMessage(): string {
const method = this.props.methodName ? `Method '${this.props.methodName}'` : "Method"
const method = this.props.methodName
? `Method '${this.props.methodName}'`
: ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT
return `${method} returns domain entity '${this.props.entityName}' instead of DTO`
}
@@ -96,12 +99,12 @@ export class EntityExposure extends ValueObject<EntityExposureProps> {
public getExampleFix(): string {
return `
// ❌ Bad: Exposing domain entity
async ${this.props.methodName || "getEntity"}(): Promise<${this.props.entityName}> {
async ${this.props.methodName || ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT_NAME}(): Promise<${this.props.entityName}> {
return await this.service.find()
}
// ✅ Good: Using DTO
async ${this.props.methodName || "getEntity"}(): Promise<${this.props.entityName}ResponseDto> {
async ${this.props.methodName || ENTITY_EXPOSURE_MESSAGES.METHOD_DEFAULT_NAME}(): Promise<${this.props.entityName}ResponseDto> {
const entity = await this.service.find()
return ${this.props.entityName}Mapper.toDto(entity)
}`

42
packages/guardian/src/domain/value-objects/FrameworkLeak.ts
View File

@@ -1,5 +1,9 @@
import { ValueObject } from "./ValueObject"
import { FRAMEWORK_LEAK_MESSAGES } from "../../shared/constants/rules"
import {
DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION,
FRAMEWORK_CATEGORY_DESCRIPTIONS,
} from "../constants/FrameworkCategories"
interface FrameworkLeakProps {
readonly packageName: string
@@ -72,7 +76,10 @@ export class FrameworkLeak extends ValueObject<FrameworkLeakProps> {
}
public getMessage(): string {
return FRAMEWORK_LEAK_MESSAGES.DOMAIN_IMPORT.replace("{package}", this.props.packageName)
return FRAMEWORK_LEAK_MESSAGES.DOMAIN_IMPORT.replace(
FRAMEWORK_LEAK_MESSAGES.PACKAGE_PLACEHOLDER,
this.props.packageName,
)
}
public getSuggestion(): string {
@@ -80,33 +87,10 @@ export class FrameworkLeak extends ValueObject<FrameworkLeakProps> {
}
public getCategoryDescription(): string {
switch (this.props.category) {
case "ORM":
return "Database ORM/ODM"
case "WEB_FRAMEWORK":
return "Web Framework"
case "HTTP_CLIENT":
return "HTTP Client"
case "VALIDATION":
return "Validation Library"
case "DI_CONTAINER":
return "DI Container"
case "LOGGER":
return "Logger"
case "CACHE":
return "Cache"
case "MESSAGE_QUEUE":
return "Message Queue"
case "EMAIL":
return "Email Service"
case "STORAGE":
return "Storage Service"
case "TESTING":
return "Testing Framework"
case "TEMPLATE_ENGINE":
return "Template Engine"
default:
return "Framework Package"
}
return (
FRAMEWORK_CATEGORY_DESCRIPTIONS[
this.props.category as keyof typeof FRAMEWORK_CATEGORY_DESCRIPTIONS
] || DEFAULT_FRAMEWORK_CATEGORY_DESCRIPTION
)
}
}

11
packages/guardian/src/domain/value-objects/RepositoryViolation.ts
View File

@@ -1,6 +1,6 @@
import { ValueObject } from "./ValueObject"
import { REPOSITORY_VIOLATION_TYPES } from "../../shared/constants/rules"
import { REPOSITORY_PATTERN_MESSAGES } from "../constants/Messages"
import { REPOSITORY_FALLBACK_SUGGESTIONS, REPOSITORY_PATTERN_MESSAGES } from "../constants/Messages"
interface RepositoryViolationProps {
readonly violationType:
@@ -177,6 +177,9 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
}
private getNonDomainMethodSuggestion(): string {
const detailsMatch = /Consider: (.+)$/.exec(this.props.details)
const smartSuggestion = detailsMatch ? detailsMatch[1] : null
const technicalToDomain = {
findOne: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_FINDONE,
findMany: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_FINDMANY,
@@ -186,8 +189,10 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
query: REPOSITORY_PATTERN_MESSAGES.SUGGESTION_QUERY,
}
const suggestion =
const fallbackSuggestion =
technicalToDomain[this.props.methodName as keyof typeof technicalToDomain]
const finalSuggestion =
smartSuggestion || fallbackSuggestion || REPOSITORY_FALLBACK_SUGGESTIONS.DEFAULT
return [
REPOSITORY_PATTERN_MESSAGES.STEP_RENAME_METHOD,
@@ -196,7 +201,7 @@ export class RepositoryViolation extends ValueObject<RepositoryViolationProps> {
"",
REPOSITORY_PATTERN_MESSAGES.EXAMPLE_PREFIX,
`❌ Bad: ${this.props.methodName || "findOne"}()`,
`✅ Good: ${suggestion || "findById() or findByEmail()"}`,
`✅ Good: ${finalSuggestion}`,
].join("\n")
}

342
packages/guardian/src/infrastructure/analyzers/AggregateBoundaryDetector.ts Normal file
View File

@@ -0,0 +1,342 @@
import { IAggregateBoundaryDetector } from "../../domain/services/IAggregateBoundaryDetector"
import { AggregateBoundaryViolation } from "../../domain/value-objects/AggregateBoundaryViolation"
import { LAYERS } from "../../shared/constants/rules"
import { IMPORT_PATTERNS } from "../constants/paths"
import { DDD_FOLDER_NAMES } from "../constants/detectorPatterns"
/**
* Detects aggregate boundary violations in Domain-Driven Design
*
* This detector enforces DDD aggregate rules:
* - Aggregates should reference each other only by ID or Value Objects
* - Direct entity references across aggregates create tight coupling
* - Each aggregate should be independently modifiable
*
* Folder structure patterns detected:
* - domain/aggregates/order/Order.ts
* - domain/order/Order.ts (aggregate name from parent folder)
* - domain/entities/order/Order.ts
*
* @example
* ```typescript
* const detector = new AggregateBoundaryDetector()
*
* // Detect violations in order aggregate
* const code = `
* import { User } from '../user/User'
* import { UserId } from '../user/value-objects/UserId'
* `
* const violations = detector.detectViolations(
* code,
* 'src/domain/aggregates/order/Order.ts',
* 'domain'
* )
*
* // violations will contain 1 violation for direct User entity import
* // but not for UserId (value object is allowed)
* console.log(violations.length) // 1
* ```
*/
export class AggregateBoundaryDetector implements IAggregateBoundaryDetector {
private readonly entityFolderNames = new Set<string>([
DDD_FOLDER_NAMES.ENTITIES,
DDD_FOLDER_NAMES.AGGREGATES,
])
private readonly valueObjectFolderNames = new Set<string>([
DDD_FOLDER_NAMES.VALUE_OBJECTS,
DDD_FOLDER_NAMES.VO,
])
private readonly allowedFolderNames = new Set<string>([
DDD_FOLDER_NAMES.VALUE_OBJECTS,
DDD_FOLDER_NAMES.VO,
DDD_FOLDER_NAMES.EVENTS,
DDD_FOLDER_NAMES.DOMAIN_EVENTS,
DDD_FOLDER_NAMES.REPOSITORIES,
DDD_FOLDER_NAMES.SERVICES,
DDD_FOLDER_NAMES.SPECIFICATIONS,
])
private readonly nonAggregateFolderNames = new Set<string>([
DDD_FOLDER_NAMES.VALUE_OBJECTS,
DDD_FOLDER_NAMES.VO,
DDD_FOLDER_NAMES.EVENTS,
DDD_FOLDER_NAMES.DOMAIN_EVENTS,
DDD_FOLDER_NAMES.REPOSITORIES,
DDD_FOLDER_NAMES.SERVICES,
DDD_FOLDER_NAMES.SPECIFICATIONS,
DDD_FOLDER_NAMES.ENTITIES,
DDD_FOLDER_NAMES.CONSTANTS,
DDD_FOLDER_NAMES.SHARED,
DDD_FOLDER_NAMES.FACTORIES,
DDD_FOLDER_NAMES.PORTS,
DDD_FOLDER_NAMES.INTERFACES,
])
/**
* Detects aggregate boundary violations in the given code
*
* Analyzes import statements to identify direct entity references
* across aggregate boundaries in the domain layer.
*
* @param code - Source code to analyze
* @param filePath - Path to the file being analyzed
* @param layer - The architectural layer of the file (should be 'domain')
* @returns Array of detected aggregate boundary violations
*/
public detectViolations(
code: string,
filePath: string,
layer: string | undefined,
): AggregateBoundaryViolation[] {
if (layer !== LAYERS.DOMAIN) {
return []
}
const currentAggregate = this.extractAggregateFromPath(filePath)
if (!currentAggregate) {
return []
}
const violations: AggregateBoundaryViolation[] = []
const lines = code.split("\n")
for (let i = 0; i < lines.length; i++) {
const line = lines[i]
const lineNumber = i + 1
const imports = this.extractImports(line)
for (const importPath of imports) {
if (this.isAggregateBoundaryViolation(importPath, currentAggregate)) {
const targetAggregate = this.extractAggregateFromImport(importPath)
const entityName = this.extractEntityName(importPath)
if (targetAggregate && entityName) {
violations.push(
AggregateBoundaryViolation.create(
currentAggregate,
targetAggregate,
entityName,
importPath,
filePath,
lineNumber,
),
)
}
}
}
}
return violations
}
/**
* Checks if a file path belongs to an aggregate
*
* Extracts aggregate name from paths like:
* - domain/aggregates/order/Order.ts → 'order'
* - domain/order/Order.ts → 'order'
* - domain/entities/order/Order.ts → 'order'
*
* @param filePath - The file path to check
* @returns The aggregate name if found, undefined otherwise
*/
public extractAggregateFromPath(filePath: string): string | undefined {
const normalizedPath = filePath.toLowerCase().replace(/\\/g, "/")
const domainMatch = /(?:^|\/)(domain)\//.exec(normalizedPath)
if (!domainMatch) {
return undefined
}
const domainEndIndex = domainMatch.index + domainMatch[0].length
const pathAfterDomain = normalizedPath.substring(domainEndIndex)
const segments = pathAfterDomain.split("/").filter(Boolean)
if (segments.length < 2) {
return undefined
}
if (this.entityFolderNames.has(segments[0])) {
if (segments.length < 3) {
return undefined
}
const aggregate = segments[1]
if (this.nonAggregateFolderNames.has(aggregate)) {
return undefined
}
return aggregate
}
const aggregate = segments[0]
if (this.nonAggregateFolderNames.has(aggregate)) {
return undefined
}
return aggregate
}
/**
* Checks if an import path references an entity from another aggregate
*
* @param importPath - The import path to analyze
* @param currentAggregate - The aggregate of the current file
* @returns True if the import crosses aggregate boundaries inappropriately
*/
public isAggregateBoundaryViolation(importPath: string, currentAggregate: string): boolean {
const normalizedPath = importPath.replace(IMPORT_PATTERNS.QUOTE, "").toLowerCase()
if (!normalizedPath.includes("/")) {
return false
}
if (!normalizedPath.startsWith(".") && !normalizedPath.startsWith("/")) {
return false
}
const targetAggregate = this.extractAggregateFromImport(normalizedPath)
if (!targetAggregate || targetAggregate === currentAggregate) {
return false
}
if (this.isAllowedImport(normalizedPath)) {
return false
}
return this.seemsLikeEntityImport(normalizedPath)
}
/**
* Checks if the import path is from an allowed folder (value-objects, events, etc.)
*/
private isAllowedImport(normalizedPath: string): boolean {
for (const folderName of this.allowedFolderNames) {
if (normalizedPath.includes(`/${folderName}/`)) {
return true
}
}
return false
}
/**
* Checks if the import seems to be an entity (not a value object, event, etc.)
*
* Note: normalizedPath is already lowercased, so we check if the first character
* is a letter (indicating it was likely PascalCase originally)
*/
private seemsLikeEntityImport(normalizedPath: string): boolean {
const pathParts = normalizedPath.split("/")
const lastPart = pathParts[pathParts.length - 1]
if (!lastPart) {
return false
}
const filename = lastPart.replace(/\.(ts|js)$/, "")
if (filename.length > 0 && /^[a-z][a-z]/.exec(filename)) {
return true
}
return false
}
/**
* Extracts the aggregate name from an import path
*
* Handles both absolute and relative paths:
* - ../user/User → user
* - ../../domain/user/User → user
* - ../user/value-objects/UserId → user (but filtered as value object)
*/
private extractAggregateFromImport(importPath: string): string | undefined {
const normalizedPath = importPath.replace(IMPORT_PATTERNS.QUOTE, "").toLowerCase()
const segments = normalizedPath.split("/").filter((seg) => seg !== ".." && seg !== ".")
if (segments.length === 0) {
return undefined
}
for (let i = 0; i < segments.length; i++) {
if (
segments[i] === DDD_FOLDER_NAMES.DOMAIN ||
segments[i] === DDD_FOLDER_NAMES.AGGREGATES
) {
if (i + 1 < segments.length) {
if (
this.entityFolderNames.has(segments[i + 1]) ||
segments[i + 1] === DDD_FOLDER_NAMES.AGGREGATES
) {
if (i + 2 < segments.length) {
return segments[i + 2]
}
} else {
return segments[i + 1]
}
}
}
}
if (segments.length >= 2) {
const secondLastSegment = segments[segments.length - 2]
if (
!this.entityFolderNames.has(secondLastSegment) &&
!this.valueObjectFolderNames.has(secondLastSegment) &&
!this.allowedFolderNames.has(secondLastSegment) &&
secondLastSegment !== DDD_FOLDER_NAMES.DOMAIN
) {
return secondLastSegment
}
}
if (segments.length === 1) {
return undefined
}
return undefined
}
/**
* Extracts the entity name from an import path
*/
private extractEntityName(importPath: string): string | undefined {
const normalizedPath = importPath.replace(IMPORT_PATTERNS.QUOTE, "")
const segments = normalizedPath.split("/")
const lastSegment = segments[segments.length - 1]
if (lastSegment) {
return lastSegment.replace(/\.(ts|js)$/, "")
}
return undefined
}
/**
* Extracts import paths from a line of code
*
* Handles various import statement formats:
* - import { X } from 'path'
* - import X from 'path'
* - import * as X from 'path'
* - const X = require('path')
*
* @param line - A line of code to analyze
* @returns Array of import paths found in the line
*/
private extractImports(line: string): string[] {
const imports: string[] = []
let match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
while (match) {
imports.push(match[1])
match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
}
match = IMPORT_PATTERNS.REQUIRE.exec(line)
while (match) {
imports.push(match[1])
match = IMPORT_PATTERNS.REQUIRE.exec(line)
}
return imports
}
}

24
packages/guardian/src/infrastructure/analyzers/DependencyDirectionDetector.ts
View File

@@ -1,6 +1,7 @@
import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
import { DependencyViolation } from "../../domain/value-objects/DependencyViolation"
import { LAYERS } from "../../shared/constants/rules"
import { IMPORT_PATTERNS, LAYER_PATHS } from "../constants/paths"
/**
* Detects dependency direction violations between architectural layers
@@ -118,13 +119,13 @@ export class DependencyDirectionDetector implements IDependencyDirectionDetector
* @returns The layer name if detected, undefined otherwise
*/
public extractLayerFromImport(importPath: string): string | undefined {
const normalizedPath = importPath.replace(/['"]/g, "").toLowerCase()
const normalizedPath = importPath.replace(IMPORT_PATTERNS.QUOTE, "").toLowerCase()
const layerPatterns: Array<[string, string]> = [
[LAYERS.DOMAIN, "/domain/"],
[LAYERS.APPLICATION, "/application/"],
[LAYERS.INFRASTRUCTURE, "/infrastructure/"],
[LAYERS.SHARED, "/shared/"],
const layerPatterns: [string, string][] = [
[LAYERS.DOMAIN, LAYER_PATHS.DOMAIN],
[LAYERS.APPLICATION, LAYER_PATHS.APPLICATION],
[LAYERS.INFRASTRUCTURE, LAYER_PATHS.INFRASTRUCTURE],
[LAYERS.SHARED, LAYER_PATHS.SHARED],
]
for (const [layer, pattern] of layerPatterns) {
@@ -163,19 +164,16 @@ export class DependencyDirectionDetector implements IDependencyDirectionDetector
private extractImports(line: string): string[] {
const imports: string[] = []
const esImportRegex =
/import\s+(?:{[^}]*}|[\w*]+(?:\s+as\s+\w+)?|\*\s+as\s+\w+)\s+from\s+['"]([^'"]+)['"]/g
let match = esImportRegex.exec(line)
let match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
while (match) {
imports.push(match[1])
match = esImportRegex.exec(line)
match = IMPORT_PATTERNS.ES_IMPORT.exec(line)
}
const requireRegex = /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g
match = requireRegex.exec(line)
match = IMPORT_PATTERNS.REQUIRE.exec(line)
while (match) {
imports.push(match[1])
match = requireRegex.exec(line)
match = IMPORT_PATTERNS.REQUIRE.exec(line)
}
return imports

29
packages/guardian/src/infrastructure/analyzers/EntityExposureDetector.ts
View File

@@ -1,6 +1,7 @@
import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDetector"
import { EntityExposure } from "../../domain/value-objects/EntityExposure"
import { LAYERS } from "../../shared/constants/rules"
import { DTO_SUFFIXES, NULLABLE_TYPES, PRIMITIVE_TYPES } from "../constants/type-patterns"
/**
* Detects domain entity exposure in controller/route return types
@@ -29,15 +30,7 @@ import { LAYERS } from "../../shared/constants/rules"
* ```
*/
export class EntityExposureDetector implements IEntityExposureDetector {
private readonly dtoSuffixes = [
"Dto",
"DTO",
"Request",
"Response",
"Command",
"Query",
"Result",
]
private readonly dtoSuffixes = DTO_SUFFIXES
private readonly controllerPatterns = [
/Controller/i,
/Route/i,
@@ -167,7 +160,9 @@ export class EntityExposureDetector implements IEntityExposureDetector {
if (cleanType.includes("|")) {
const types = cleanType.split("|").map((t) => t.trim())
const nonNullTypes = types.filter((t) => t !== "null" && t !== "undefined")
const nonNullTypes = types.filter(
(t) => !(NULLABLE_TYPES as readonly string[]).includes(t),
)
if (nonNullTypes.length > 0) {
cleanType = nonNullTypes[0]
}
@@ -180,19 +175,7 @@ export class EntityExposureDetector implements IEntityExposureDetector {
* Checks if a type is a primitive type
*/
private isPrimitiveType(type: string): boolean {
const primitives = [
"string",
"number",
"boolean",
"void",
"any",
"unknown",
"null",
"undefined",
"object",
"never",
]
return primitives.includes(type.toLowerCase())
return (PRIMITIVE_TYPES as readonly string[]).includes(type.toLowerCase())
}
/**

16
packages/guardian/src/infrastructure/analyzers/HardcodeDetector.ts
View File

@@ -34,11 +34,27 @@ export class HardcodeDetector implements IHardcodeDetector {
* @returns Array of detected hardcoded values with suggestions
*/
public detectAll(code: string, filePath: string): HardcodedValue[] {
if (this.isConstantsFile(filePath)) {
return []
}
const magicNumbers = this.detectMagicNumbers(code, filePath)
const magicStrings = this.detectMagicStrings(code, filePath)
return [...magicNumbers, ...magicStrings]
}
/**
* Check if a file is a constants definition file
*/
private isConstantsFile(filePath: string): boolean {
const _fileName = filePath.split("/").pop() ?? ""
const constantsPatterns = [
/^constants?\.(ts|js)$/i,
/constants?\/.*\.(ts|js)$/i,
/\/(constants|config|settings|defaults)\.ts$/i,
]
return constantsPatterns.some((pattern) => pattern.test(filePath))
}
/**
* Check if a line is inside an exported constant definition
*/

3
packages/guardian/src/infrastructure/analyzers/NamingConventionDetector.ts
View File

@@ -13,6 +13,7 @@ import {
PATH_PATTERNS,
PATTERN_WORDS,
} from "../constants/detectorPatterns"
import { NAMING_SUGGESTION_DEFAULT } from "../constants/naming-patterns"
/**
* Detects naming convention violations based on Clean Architecture layers
@@ -72,7 +73,7 @@ export class NamingConventionDetector implements INamingConventionDetector {
filePath,
NAMING_ERROR_MESSAGES.DOMAIN_FORBIDDEN,
fileName,
"Move to application or infrastructure layer, or rename to follow domain patterns",
NAMING_SUGGESTION_DEFAULT,
),
)
return violations

96
packages/guardian/src/infrastructure/analyzers/RepositoryPatternDetector.ts
View File

@@ -3,6 +3,7 @@ import { RepositoryViolation } from "../../domain/value-objects/RepositoryViolat
import { LAYERS, REPOSITORY_VIOLATION_TYPES } from "../../shared/constants/rules"
import { ORM_QUERY_METHODS } from "../constants/orm-methods"
import { REPOSITORY_PATTERN_MESSAGES } from "../../domain/constants/Messages"
import { REPOSITORY_METHOD_SUGGESTIONS } from "../constants/detectorPatterns"
/**
* Detects Repository Pattern violations in the codebase
@@ -68,16 +69,39 @@ export class RepositoryPatternDetector implements IRepositoryPatternDetector {
private readonly domainMethodPatterns = [
/^findBy[A-Z]/,
/^findAll/,
/^findAll$/,
/^find[A-Z]/,
/^save$/,
/^saveAll$/,
/^create$/,
/^update$/,
/^delete$/,
/^deleteBy[A-Z]/,
/^deleteAll$/,
/^remove$/,
/^removeBy[A-Z]/,
/^removeAll$/,
/^add$/,
/^add[A-Z]/,
/^get[A-Z]/,
/^getAll$/,
/^search/,
/^list/,
/^has[A-Z]/,
/^is[A-Z]/,
/^exists$/,
/^exists[A-Z]/,
/^existsBy[A-Z]/,
/^clear[A-Z]/,
/^clearAll$/,
/^store[A-Z]/,
/^initialize$/,
/^initializeCollection$/,
/^close$/,
/^connect$/,
/^disconnect$/,
/^count$/,
/^countBy[A-Z]/,
]
private readonly concreteRepositoryPatterns = [
@@ -226,6 +250,73 @@ export class RepositoryPatternDetector implements IRepositoryPatternDetector {
return violations
}
/**
* Suggests better domain method names based on the original method name
*/
private suggestDomainMethodName(methodName: string): string {
const lowerName = methodName.toLowerCase()
const suggestions: string[] = []
const suggestionMap: Record<string, string[]> = {
query: [
REPOSITORY_METHOD_SUGGESTIONS.SEARCH,
REPOSITORY_METHOD_SUGGESTIONS.FIND_BY_PROPERTY,
],
select: [
REPOSITORY_METHOD_SUGGESTIONS.FIND_BY_PROPERTY,
REPOSITORY_METHOD_SUGGESTIONS.GET_ENTITY,
],
insert: [
REPOSITORY_METHOD_SUGGESTIONS.CREATE,
REPOSITORY_METHOD_SUGGESTIONS.ADD_ENTITY,
REPOSITORY_METHOD_SUGGESTIONS.STORE_ENTITY,
],
update: [
REPOSITORY_METHOD_SUGGESTIONS.UPDATE,
REPOSITORY_METHOD_SUGGESTIONS.MODIFY_ENTITY,
],
upsert: [
REPOSITORY_METHOD_SUGGESTIONS.SAVE,
REPOSITORY_METHOD_SUGGESTIONS.STORE_ENTITY,
],
remove: [
REPOSITORY_METHOD_SUGGESTIONS.DELETE,
REPOSITORY_METHOD_SUGGESTIONS.REMOVE_BY_PROPERTY,
],
fetch: [
REPOSITORY_METHOD_SUGGESTIONS.FIND_BY_PROPERTY,
REPOSITORY_METHOD_SUGGESTIONS.GET_ENTITY,
],
retrieve: [
REPOSITORY_METHOD_SUGGESTIONS.FIND_BY_PROPERTY,
REPOSITORY_METHOD_SUGGESTIONS.GET_ENTITY,
],
load: [
REPOSITORY_METHOD_SUGGESTIONS.FIND_BY_PROPERTY,
REPOSITORY_METHOD_SUGGESTIONS.GET_ENTITY,
],
}
for (const [keyword, keywords] of Object.entries(suggestionMap)) {
if (lowerName.includes(keyword)) {
suggestions.push(...keywords)
}
}
if (lowerName.includes("get") && lowerName.includes("all")) {
suggestions.push(
REPOSITORY_METHOD_SUGGESTIONS.FIND_ALL,
REPOSITORY_METHOD_SUGGESTIONS.LIST_ALL,
)
}
if (suggestions.length === 0) {
return REPOSITORY_METHOD_SUGGESTIONS.DEFAULT_SUGGESTION
}
return `Consider: ${suggestions.slice(0, 3).join(", ")}`
}
/**
* Detects non-domain method names in repository interfaces
*/
@@ -247,13 +338,14 @@ export class RepositoryPatternDetector implements IRepositoryPatternDetector {
const methodName = methodMatch[1]
if (!this.isDomainMethodName(methodName) && !line.trim().startsWith("//")) {
const suggestion = this.suggestDomainMethodName(methodName)
violations.push(
RepositoryViolation.create(
REPOSITORY_VIOLATION_TYPES.NON_DOMAIN_METHOD_NAME,
filePath,
layer || LAYERS.DOMAIN,
lineNumber,
`Method '${methodName}' uses technical name instead of domain language`,
`Method '${methodName}' uses technical name instead of domain language. ${suggestion}`,
undefined,
undefined,
methodName,

4
packages/guardian/src/infrastructure/constants/defaults.ts
View File

@@ -8,6 +8,10 @@ export const DEFAULT_EXCLUDES = [
"coverage",
".git",
".puaros",
"tests",
"test",
"__tests__",
"examples",
] as const
export const DEFAULT_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx"] as const

42
packages/guardian/src/infrastructure/constants/detectorPatterns.ts
View File

@@ -64,3 +64,45 @@ export const NAMING_ERROR_MESSAGES = {
USE_VERB_NOUN: "Use verb + noun in PascalCase (e.g., CreateUser.ts, UpdateProfile.ts)",
USE_CASE_START_VERB: "Use cases should start with a verb",
} as const
/**
* DDD folder names for aggregate boundary detection
*/
export const DDD_FOLDER_NAMES = {
ENTITIES: "entities",
AGGREGATES: "aggregates",
VALUE_OBJECTS: "value-objects",
VO: "vo",
EVENTS: "events",
DOMAIN_EVENTS: "domain-events",
REPOSITORIES: "repositories",
SERVICES: "services",
SPECIFICATIONS: "specifications",
DOMAIN: "domain",
CONSTANTS: "constants",
SHARED: "shared",
FACTORIES: "factories",
PORTS: "ports",
INTERFACES: "interfaces",
} as const
/**
* Repository method suggestions for domain language
*/
export const REPOSITORY_METHOD_SUGGESTIONS = {
SEARCH: "search",
FIND_BY_PROPERTY: "findBy[Property]",
GET_ENTITY: "get[Entity]",
CREATE: "create",
ADD_ENTITY: "add[Entity]",
STORE_ENTITY: "store[Entity]",
UPDATE: "update",
MODIFY_ENTITY: "modify[Entity]",
SAVE: "save",
DELETE: "delete",
REMOVE_BY_PROPERTY: "removeBy[Property]",
FIND_ALL: "findAll",
LIST_ALL: "listAll",
DEFAULT_SUGGESTION:
"Use domain-specific names like: findBy[Property], save, create, delete, update, add[Entity]",
} as const

3
packages/guardian/src/infrastructure/constants/orm-methods.ts
View File

@@ -2,7 +2,6 @@ export const ORM_QUERY_METHODS = [
"findOne",
"findMany",
"findFirst",
"findAll",
"findAndCountAll",
"insert",
"insertMany",
@@ -17,8 +16,6 @@ export const ORM_QUERY_METHODS = [
"run",
"exec",
"aggregate",
"count",
"exists",
] as const
export type OrmQueryMethod = (typeof ORM_QUERY_METHODS)[number]

17
packages/guardian/src/infrastructure/constants/paths.ts Normal file
View File

@@ -0,0 +1,17 @@
export const LAYER_PATHS = {
DOMAIN: "/domain/",
APPLICATION: "/application/",
INFRASTRUCTURE: "/infrastructure/",
SHARED: "/shared/",
} as const
export const CLI_PATHS = {
DIST_CLI_INDEX: "../dist/cli/index.js",
} as const
export const IMPORT_PATTERNS = {
ES_IMPORT:
/import\s+(?:{[^}]*}|[\w*]+(?:\s+as\s+\w+)?|\*\s+as\s+\w+)\s+from\s+['"]([^'"]+)['"]/g,
REQUIRE: /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
QUOTE: /['"]/g,
} as const

8
packages/guardian/src/infrastructure/scanners/FileScanner.ts
View File

@@ -3,6 +3,7 @@ import * as path from "path"
import { FileScanOptions, IFileScanner } from "../../domain/services/IFileScanner"
import { DEFAULT_EXCLUDES, DEFAULT_EXTENSIONS, FILE_ENCODING } from "../constants/defaults"
import { ERROR_MESSAGES } from "../../shared/constants"
import { TEST_FILE_EXTENSIONS, TEST_FILE_SUFFIXES } from "../constants/type-patterns"
/**
* Scans project directory for source files
@@ -56,7 +57,12 @@ export class FileScanner implements IFileScanner {
}
private shouldExclude(name: string, excludePatterns: string[]): boolean {
return excludePatterns.some((pattern) => name.includes(pattern))
const isExcludedDirectory = excludePatterns.some((pattern) => name.includes(pattern))
const isTestFile =
(TEST_FILE_EXTENSIONS as readonly string[]).some((ext) => name.includes(ext)) ||
(TEST_FILE_SUFFIXES as readonly string[]).some((suffix) => name.endsWith(suffix))
return isExcludedDirectory || isTestFile
}
public async readFile(filePath: string): Promise<string> {

34
packages/guardian/src/shared/constants/index.ts
View File

@@ -64,9 +64,37 @@ export const PLACEHOLDERS = {
* Violation severity levels
*/
export const SEVERITY_LEVELS = {
ERROR: "error",
WARNING: "warning",
INFO: "info",
CRITICAL: "critical",
HIGH: "high",
MEDIUM: "medium",
LOW: "low",
} as const
export type SeverityLevel = (typeof SEVERITY_LEVELS)[keyof typeof SEVERITY_LEVELS]
/**
* Severity order for sorting (lower number = more critical)
*/
export const SEVERITY_ORDER: Record<SeverityLevel, number> = {
[SEVERITY_LEVELS.CRITICAL]: 0,
[SEVERITY_LEVELS.HIGH]: 1,
[SEVERITY_LEVELS.MEDIUM]: 2,
[SEVERITY_LEVELS.LOW]: 3,
} as const
/**
* Violation type to severity mapping
*/
export const VIOLATION_SEVERITY_MAP = {
CIRCULAR_DEPENDENCY: SEVERITY_LEVELS.CRITICAL,
REPOSITORY_PATTERN: SEVERITY_LEVELS.CRITICAL,
AGGREGATE_BOUNDARY: SEVERITY_LEVELS.CRITICAL,
DEPENDENCY_DIRECTION: SEVERITY_LEVELS.HIGH,
FRAMEWORK_LEAK: SEVERITY_LEVELS.HIGH,
ENTITY_EXPOSURE: SEVERITY_LEVELS.HIGH,
NAMING_CONVENTION: SEVERITY_LEVELS.MEDIUM,
ARCHITECTURE: SEVERITY_LEVELS.MEDIUM,
HARDCODE: SEVERITY_LEVELS.LOW,
} as const
export * from "./rules"

15
packages/guardian/src/shared/constants/layers.ts Normal file
View File

@@ -0,0 +1,15 @@
export const LAYER_DOMAIN = "domain"
export const LAYER_APPLICATION = "application"
export const LAYER_INFRASTRUCTURE = "infrastructure"
export const LAYER_SHARED = "shared"
export const LAYER_CLI = "cli"
export const LAYERS = [
LAYER_DOMAIN,
LAYER_APPLICATION,
LAYER_INFRASTRUCTURE,
LAYER_SHARED,
LAYER_CLI,
] as const
export type Layer = (typeof LAYERS)[number]

1
packages/guardian/src/shared/constants/rules.ts
View File

@@ -10,6 +10,7 @@ export const RULES = {
ENTITY_EXPOSURE: "entity-exposure",
DEPENDENCY_DIRECTION: "dependency-direction",
REPOSITORY_PATTERN: "repository-pattern",
AGGREGATE_BOUNDARY: "aggregate-boundary",
} as const
/**

538
packages/guardian/tests/AggregateBoundaryDetector.test.ts Normal file
View File

@@ -0,0 +1,538 @@
import { describe, it, expect } from "vitest"
import { AggregateBoundaryDetector } from "../src/infrastructure/analyzers/AggregateBoundaryDetector"
import { LAYERS } from "../src/shared/constants/rules"
describe("AggregateBoundaryDetector", () => {
const detector = new AggregateBoundaryDetector()
describe("extractAggregateFromPath", () => {
it("should extract aggregate from domain/aggregates/name path", () => {
expect(detector.extractAggregateFromPath("src/domain/aggregates/order/Order.ts")).toBe(
"order",
)
expect(detector.extractAggregateFromPath("src/domain/aggregates/user/User.ts")).toBe(
"user",
)
expect(
detector.extractAggregateFromPath("src/domain/aggregates/product/Product.ts"),
).toBe("product")
})
it("should extract aggregate from domain/name path", () => {
expect(detector.extractAggregateFromPath("src/domain/order/Order.ts")).toBe("order")
expect(detector.extractAggregateFromPath("src/domain/user/User.ts")).toBe("user")
expect(detector.extractAggregateFromPath("src/domain/cart/ShoppingCart.ts")).toBe(
"cart",
)
})
it("should extract aggregate from domain/entities/name path", () => {
expect(detector.extractAggregateFromPath("src/domain/entities/order/Order.ts")).toBe(
"order",
)
expect(detector.extractAggregateFromPath("src/domain/entities/user/User.ts")).toBe(
"user",
)
})
it("should return undefined for non-domain paths", () => {
expect(
detector.extractAggregateFromPath("src/application/use-cases/CreateUser.ts"),
).toBeUndefined()
expect(
detector.extractAggregateFromPath(
"src/infrastructure/repositories/UserRepository.ts",
),
).toBeUndefined()
expect(detector.extractAggregateFromPath("src/shared/types/Result.ts")).toBeUndefined()
})
it("should return undefined for paths without aggregate structure", () => {
expect(detector.extractAggregateFromPath("src/domain/User.ts")).toBeUndefined()
expect(detector.extractAggregateFromPath("src/User.ts")).toBeUndefined()
})
it("should handle Windows-style paths", () => {
expect(
detector.extractAggregateFromPath("src\\domain\\aggregates\\order\\Order.ts"),
).toBe("order")
expect(detector.extractAggregateFromPath("src\\domain\\user\\User.ts")).toBe("user")
})
})
describe("isAggregateBoundaryViolation", () => {
it("should detect direct entity import from another aggregate", () => {
expect(detector.isAggregateBoundaryViolation("../user/User", "order")).toBe(true)
expect(detector.isAggregateBoundaryViolation("../../user/User", "order")).toBe(true)
expect(
detector.isAggregateBoundaryViolation("../../../domain/user/User", "order"),
).toBe(true)
})
it("should NOT detect import from same aggregate", () => {
expect(detector.isAggregateBoundaryViolation("../order/Order", "order")).toBe(false)
expect(detector.isAggregateBoundaryViolation("./OrderItem", "order")).toBe(false)
})
it("should NOT detect value object imports", () => {
expect(
detector.isAggregateBoundaryViolation("../user/value-objects/UserId", "order"),
).toBe(false)
expect(detector.isAggregateBoundaryViolation("../user/vo/Email", "order")).toBe(false)
})
it("should NOT detect event imports", () => {
expect(
detector.isAggregateBoundaryViolation("../user/events/UserCreatedEvent", "order"),
).toBe(false)
expect(
detector.isAggregateBoundaryViolation(
"../user/domain-events/UserRegisteredEvent",
"order",
),
).toBe(false)
})
it("should NOT detect repository interface imports", () => {
expect(
detector.isAggregateBoundaryViolation(
"../user/repositories/IUserRepository",
"order",
),
).toBe(false)
})
it("should NOT detect service imports", () => {
expect(
detector.isAggregateBoundaryViolation("../user/services/UserService", "order"),
).toBe(false)
})
it("should NOT detect external package imports", () => {
expect(detector.isAggregateBoundaryViolation("express", "order")).toBe(false)
expect(detector.isAggregateBoundaryViolation("@nestjs/common", "order")).toBe(false)
})
it("should NOT detect imports without path separator", () => {
expect(detector.isAggregateBoundaryViolation("User", "order")).toBe(false)
})
})
describe("detectViolations", () => {
describe("Domain layer aggregate boundary violations", () => {
it("should detect direct entity import from another aggregate", () => {
const code = `
import { User } from '../user/User'
export class Order {
constructor(private user: User) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromAggregate).toBe("order")
expect(violations[0].toAggregate).toBe("user")
expect(violations[0].entityName).toBe("User")
expect(violations[0].importPath).toBe("../user/User")
expect(violations[0].line).toBe(2)
})
it("should detect multiple entity imports from different aggregates", () => {
const code = `
import { User } from '../user/User'
import { Product } from '../product/Product'
import { Category } from '../catalog/Category'
export class Order {
constructor(
private user: User,
private product: Product,
private category: Category
) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(3)
expect(violations[0].entityName).toBe("User")
expect(violations[1].entityName).toBe("Product")
expect(violations[2].entityName).toBe("Category")
})
it("should NOT detect value object imports", () => {
const code = `
import { UserId } from '../user/value-objects/UserId'
import { ProductId } from '../product/value-objects/ProductId'
export class Order {
constructor(
private userId: UserId,
private productId: ProductId
) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect event imports", () => {
const code = `
import { UserCreatedEvent } from '../user/events/UserCreatedEvent'
import { ProductAddedEvent } from '../product/domain-events/ProductAddedEvent'
export class Order {
handle(event: UserCreatedEvent): void {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect repository interface imports", () => {
const code = `
import { IUserRepository } from '../user/repositories/IUserRepository'
export class OrderService {
constructor(private userRepo: IUserRepository) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/OrderService.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should NOT detect imports from same aggregate", () => {
const code = `
import { OrderItem } from './OrderItem'
import { OrderStatus } from './value-objects/OrderStatus'
export class Order {
constructor(
private items: OrderItem[],
private status: OrderStatus
) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
})
describe("Non-domain layers", () => {
it("should return empty array for application layer", () => {
const code = `
import { User } from '../../domain/aggregates/user/User'
import { Order } from '../../domain/aggregates/order/Order'
export class CreateOrder {
constructor() {}
}`
const violations = detector.detectViolations(
code,
"src/application/use-cases/CreateOrder.ts",
LAYERS.APPLICATION,
)
expect(violations).toHaveLength(0)
})
it("should return empty array for infrastructure layer", () => {
const code = `
import { User } from '../../domain/aggregates/user/User'
export class UserController {
constructor() {}
}`
const violations = detector.detectViolations(
code,
"src/infrastructure/controllers/UserController.ts",
LAYERS.INFRASTRUCTURE,
)
expect(violations).toHaveLength(0)
})
it("should return empty array for undefined layer", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(code, "src/utils/helper.ts", undefined)
expect(violations).toHaveLength(0)
})
})
describe("Import statement formats", () => {
it("should detect violations in named imports", () => {
const code = `import { User, UserProfile } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in default imports", () => {
const code = `import User from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in namespace imports", () => {
const code = `import * as UserAggregate from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
it("should detect violations in require statements", () => {
const code = `const User = require('../user/User')`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
})
describe("Different path structures", () => {
it("should detect violations in domain/aggregates/name structure", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromAggregate).toBe("order")
expect(violations[0].toAggregate).toBe("user")
})
it("should detect violations in domain/name structure", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromAggregate).toBe("order")
expect(violations[0].toAggregate).toBe("user")
})
it("should detect violations in domain/entities/name structure", () => {
const code = `import { User } from '../../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/entities/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].fromAggregate).toBe("order")
expect(violations[0].toAggregate).toBe("user")
})
})
describe("Edge cases", () => {
it("should handle empty code", () => {
const violations = detector.detectViolations(
"",
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should handle code with no imports", () => {
const code = `
export class Order {
constructor(private id: string) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should handle file without aggregate in path", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(0)
})
it("should handle comments in imports", () => {
const code = `
// This is a comment
import { User } from '../user/User' // Bad import
`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
})
})
describe("getMessage", () => {
it("should return correct violation message", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations[0].getMessage()).toBe(
"Order aggregate should not directly reference User entity from User aggregate",
)
})
it("should capitalize aggregate names in message", () => {
const code = `import { Product } from '../product/Product'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/cart/ShoppingCart.ts",
LAYERS.DOMAIN,
)
expect(violations[0].getMessage()).toContain("Cart aggregate")
expect(violations[0].getMessage()).toContain("Product aggregate")
})
})
describe("getSuggestion", () => {
it("should return suggestions for fixing aggregate boundary violations", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
const suggestion = violations[0].getSuggestion()
expect(suggestion).toContain("Reference other aggregates by ID")
expect(suggestion).toContain("Use Value Objects")
expect(suggestion).toContain("Avoid direct entity references")
expect(suggestion).toContain("independently modifiable")
})
})
describe("getExampleFix", () => {
it("should return example fix for aggregate boundary violation", () => {
const code = `import { User } from '../user/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
const example = violations[0].getExampleFix()
expect(example).toContain("// ❌ Bad")
expect(example).toContain("// ✅ Good")
expect(example).toContain("UserId")
expect(example).toContain("CustomerInfo")
})
})
})
describe("Complex scenarios", () => {
it("should detect mixed valid and invalid imports", () => {
const code = `
import { User } from '../user/User' // VIOLATION
import { UserId } from '../user/value-objects/UserId' // OK
import { Product } from '../product/Product' // VIOLATION
import { ProductId } from '../product/value-objects/ProductId' // OK
import { OrderItem } from './OrderItem' // OK - same aggregate
export class Order {
constructor(
private user: User,
private userId: UserId,
private product: Product,
private productId: ProductId,
private items: OrderItem[]
) {}
}`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(2)
expect(violations[0].entityName).toBe("User")
expect(violations[1].entityName).toBe("Product")
})
it("should handle deeply nested import paths", () => {
const code = `import { User } from '../../../domain/aggregates/user/entities/User'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].entityName).toBe("User")
})
it("should detect violations with .ts extension in import", () => {
const code = `import { User } from '../user/User.ts'`
const violations = detector.detectViolations(
code,
"src/domain/aggregates/order/Order.ts",
LAYERS.DOMAIN,
)
expect(violations).toHaveLength(1)
expect(violations[0].entityName).toBe("User")
})
})
})